Are you attending a Windows SysAdmin interview and need real-world Active Directory questions and answers? I have compiled 35 Active Directory interview questions and answers.
Answer: Active Directory is a Microsoft directory service that stores information about objects in a network. AD also makes it easy for the stored data to be accessed by authorized users.
Additional Information: There are many variations of the definition of AD. What is important is to mention two points: (1) it is a Microsoft directory service, and (2) it securely stores data about AD objects and controls access to those objects.
Answer: Users, Computers, Printers, Groups and Organizational units (OUs)
Additional Information: There are many objects you can pick from. I have listed 5 above. However, you could choose from the list in the article in this link – Active Directory Objects List.
Answer: The first of the 2 protocols used by AD is LDAP (Lightweight Directory Access Protocol). LDAP is used to query or modify objects in AD.
The second Active Directory protocol is Kerberos. It is used for AD authentication.
There are two parts to this AD interview question. One, name the 2 protocols used by AD. Two, explain the protocols.
Answer: A Domain Controller (DC) is a Windows Server running Active Directory Domain Services (AD DS). AD DS is installed on a Windows Server when it is promoted to a DC.
Answer 1: An AD Forest is a collection of interconnected AD Domains that trust each other.
Answer 2: The difference between an AD Domain and a Forest is that the Domain is part of the forest.
Additional Information: This question is two questions bundled into one. When you attend an AD interview or any interview, it is important to listen attentively to the questions and ensure you provide a complete answer.
The next set of Active Directory interview questions will focus on AD installation including installation requirements.
Answer: AD installation does not have specified minimum requirements. However, there are minimum installation requirements for Windows Server 2016. These minimum installation requirements are:
This question is very tricky. Why? Because there are no minimum requirements for installing AD. The minimum requirements specified are for installing Windows Server 2016.
Answer: For a DNS server to support Active Directory, the server must support the service (SRV) resource record type. Also, it must support the dynamic update protocol.
Additional Information: This question is testing your knowledge of DNS requirements for AD. It is important to note that to install AD, you require a DNS server. However, you do not necessarily need to deploy a Microsoft DNS server. Any DNS server that meets the two requirements above (SRV records and dynamic update) can support AD.
Answer: Server Manager
Additional Information: This question specifically asked about a GUI tool.
Answer: Active Directory Domain Services
Answer: No, you can no longer use DCPROMO to promote a Member Server to a Domain Controller. The feature was deprecated in Windows Server 2012 and moved to Server Manager.
Note: This question is testing your knowledge of changes in Windows Server features.
Though DCPROMO has been deprecated, you have another command line option: PowerShell! You can still promote a server to a DC using PowerShell. See the Active Directory questions relating to PowerShell later.
This section will cover Active Directory interview questions relating to AD infrastructure.
Answer: AD Schema defines object classes and their attributes. An example of an object is User. The User object has First Name, Last Name, Email, etc attributes.
Answer: External, Forest, Shortcut, and Realm trusts.
Additional Information: Forest trusts allow 2 Active Directory domains to communicate with each other and share resources.
Answer: Active Directory Domains and Trusts
Answer: Repadmin
Additional Information: To get the command line options for Repadmin, type the command:
Repadmin /?
Run the Repadmin command on a Domain Controller.
Answer: Active Directory Sites and Services
Answer: Schema Master, Domain Naming Master, RID Master, The PDC Emulator Master and Infrastructure Master.
Additional Information: FSMO may be pronounced FiSMO. So if you hear "name the 5 FiSMO roles", it is the same question. To read more about the FiSMO roles, read my tutorial Active Directory: Concepts, Installation & Administration (opens in a new window).
Answer: Multi-master AD operation means that all Domain Controllers have writable copies of the Active Directory database. This means that any DC can update the AD database and replicate the changes to other Domain Controllers.
On the other hand, a Single-master AD operation means that one DC is designated an operations role and only that DC can carry out that operation and update other DCs.
Additional Information: The reason for Single-master AD operation is the nature of the tasks that require Single-master operations. If two DCs were to perform these operations at the same time, it would lead to conflict. To learn more about FSMO roles, multi-master and single-master operations, read my Active Directory tutorial.
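The multi-master/single-master distinction is easiest to see from the role holders themselves. The following is an added example (not code from the original article) that lists the five FSMO role holders from the forest and domain objects, cross-checks them per DC, and then transfers two roles gracefully. It assumes the RSAT ActiveDirectory PowerShell module and an account permitted to transfer roles; DC02 is a placeholder host name.

```powershell
# Added example, not from the original article: list the FSMO role holders and
# transfer (not seize) a role. Assumes the RSAT ActiveDirectory module and an
# account allowed to transfer the role; DC02 is a placeholder host name.
Import-Module ActiveDirectory

$forest = Get-ADForest    # forest-wide roles hang off the forest object
$domain = Get-ADDomain    # per-domain roles hang off the domain object

[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Cross-check from the DC side: every DC, and the single-master roles it holds.
# Most DCs show an empty OperationMasterRoles list: they are writable (multi-master)
# for ordinary directory data but hold no single-master role.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles

# Graceful transfer of two domain roles to DC02. Without -Force this is a transfer:
# the current holder must be online and hands the role over, so no two DCs ever
# believe they own the role at the same time (the conflict single-master avoids).
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false
```

Transfer is the routine, safe operation; seizing a role from a holder that will not come back is covered under AD maintenance with ntdsutil.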
The Active Directory interview questions covered in this category are about service accounts. Also covered are managed service accounts, Service Principal Names and Kerberos delegation.
Answer: A service account is a user account that is created to isolate a service or application. On the other hand, Managed service accounts are managed domain accounts that resolve limitations of the normal service account like password and SPN management.
Additional Information: Managed service accounts (MSAs) were introduced with Windows Server 2008 R2. MSAs resolve some of the challenges faced by administrators using the native service accounts to manage applications.
Specifically, MSAs provide the following solutions:
Answer: Service Account Lockout and Service account password expiration.
Additional Information: If a service account is used by multiple applications and the password is changed, an administrator will be required to update the password on all the applications. However, if the administrator forgets to update it on one of the applications, the application will attempt to use the old password and in the process, may lock out the account.
Also, if a service account password were to expire, this would prevent the service account from running the application until the password is changed. So administrators typically configure a service account password not to expire. This poses a significant security risk.
Answer: The following are the benefits of Managed Service Accounts:
Answer: Windows PowerShell
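To make the service account problems and the MSA answer concrete, here is an added example (not code from the original article) that first audits for the "password never expires" workaround the article describes and then provisions a group managed service account (gMSA) with the ActiveDirectory module. All names (svc-web, WebServers, WEB01, corp.example, the OU path) are placeholders.

```powershell
# Added example, not from the original article: audit classic service accounts,
# then provision a group managed service account (gMSA). svc-web, WebServers,
# WEB01, corp.example and the OU path are placeholders.
Import-Module ActiveDirectory

# 1. Find enabled user accounts whose password never expires: the usual
#    workaround for service-account expiry, and exactly the risk an MSA removes.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordLastSet, ServicePrincipalName |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'HasSPN'; e = { [bool]$_.ServicePrincipalName } }

# 2. One-time forest prerequisite: the KDS root key from which DCs derive gMSA
#    passwords. -EffectiveImmediately is for a lab; in production the key still
#    needs time to replicate to every DC before a gMSA can be installed.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 3. Only members of this group may retrieve the managed password.
New-ADGroup -Name 'WebServers' -GroupScope Global -Path 'OU=Groups,DC=corp,DC=example'
Add-ADGroupMember -Identity 'WebServers' -Members 'WEB01$'

# 4. Create the gMSA. AD generates and rotates the long random password itself
#    (every 30 days here) and the SPN is registered on the account at creation,
#    so neither the lockout nor the expiry scenario from the article can occur.
New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.corp.example' `
    -ServicePrincipalNames 'HTTP/intranet.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' `
    -ManagedPasswordIntervalInDays 30

# 5. On WEB01 (after a reboot, so its new group membership is in its token):
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'   # True when this host can retrieve the password
```

The service is then configured to run as CORP\svc-web$ with a blank password; the host retrieves the current password from a DC, so no administrator ever knows or re-enters it.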
Answer: A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service.
Additional Information: If multiple instances of a service are installed on computers throughout a forest, each instance must have its own SPN. A given service instance may have multiple SPNs if there are multiple names that clients might use for authentication.
Answer 1 (GUI Tool): Active Directory Users and Computers
Answer 2 (Command Line Tool): Setspn
Answer: Kerberos Delegation is permitting another computer or service to allow a Kerberos ticket to be created for another service on the originating user’s behalf.
Additional Information: Kerberos is a secure ticket-based protocol for authenticating a service request. It is integral to the Active Directory security structure.
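The two answers above (SPNs managed with setspn or Active Directory Users and Computers, and Kerberos delegation) can be exercised together. The following is an added example (not code from the original article) that registers and lists an SPN, checks the forest for duplicate SPNs, and audits which accounts are trusted for delegation. It assumes the ActiveDirectory module and setspn.exe; svc-sql, sql01 and corp.example are placeholder names.

```powershell
# Added example, not from the original article: SPN hygiene and a delegation
# audit with the ActiveDirectory module and setspn.exe. svc-sql, sql01 and
# corp.example are placeholder names.
Import-Module ActiveDirectory

# Register the SPN under which clients will request a ticket for this instance.
# class/host:port identifies exactly one instance of the service.
Set-ADUser -Identity 'svc-sql' `
    -ServicePrincipalNames @{ Add = 'MSSQLSvc/sql01.corp.example:1433' }

# List the SPNs on the account (the PowerShell equivalent of: setspn -L svc-sql)
(Get-ADUser -Identity 'svc-sql' -Properties ServicePrincipalName).ServicePrincipalName

# The same SPN on two accounts leaves the KDC unable to pick a target, so clients
# fail to get a ticket or silently fall back to NTLM. setspn -X scans for
# duplicates; -F widens the scan from the domain to the whole forest.
setspn -X -F

# Delegation audit. Unconstrained delegation (TRUSTED_FOR_DELEGATION, UAC bit
# 0x80000) lets the service reuse the TGT of any user that authenticates to it.
# DCs hold it by design; every other holder should have a documented reason.
$dcs = (Get-ADDomainController -Filter *).Name
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties sAMAccountName |
    Where-Object { $dcs -notcontains $_.Name } |
    Select-Object Name, ObjectClass, sAMAccountName

# Constrained delegation: which accounts may delegate, and to which services only.
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, ObjectClass,
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

Constrained delegation is the form to prefer when a front-end service genuinely must act on the user's behalf, because the ticket can only be created for the listed target services rather than for anything in the forest.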
Answer: UGMC is a process where a Domain Controller (with UGMC enabled) retrieves Universal Group Membership information from a Global Catalog server. This happens when a user logs on to the domain for the first time. The DC then caches the information.
On subsequent logon requests by the same user, the domain controller (with UGMC enabled) uses cached universal group memberships. It means that the DC does not have to contact a global catalog server.
Additional Information: In a multi-domain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains. It can be applied to access control lists (ACLs) on objects in all domains in the forest.
Therefore, during a logon session universal group memberships must be ascertained so that the user is granted the appropriate access. Access is granted both in the domain the user is logging into and in other domains.
Only global catalog servers store the memberships of all universal groups in the forest. Therefore, if a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. If the link between the sites is a slow WAN link, this can potentially slow down the logon session. Thus the need for UGMC.
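The UGMC decision is made per site, so a useful check is which sites have no Global Catalog and whether caching is already on. The following is an added example (not code from the original article) using the ActiveDirectory module. It reads the options attribute of each site's NTDS Site Settings object; the assumption that bit 0x20 of that attribute is the "group caching enabled" flag is taken from the MS-ADTS specification and should be verified against the checkbox in Active Directory Sites and Services. "Branch" is a placeholder site name.

```powershell
# Added example, not from the original article: report sites without a Global
# Catalog and whether Universal Group Membership Caching is enabled there.
# Assumption: bit 0x20 of the NTDS Site Settings 'options' attribute is the
# group-caching flag (MS-ADTS). 'Branch' is a placeholder site name.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$gcSites  = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
            Select-Object -ExpandProperty Site -Unique

Get-ADReplicationSite -Filter * | ForEach-Object {
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($_.DistinguishedName)" `
                             -Properties options
    [PSCustomObject]@{
        Site        = $_.Name
        HasGC       = ($gcSites -contains $_.Name)
        UGMCEnabled = (([int]$settings.options -band 0x20) -ne 0)
    }
} | Sort-Object HasGC, Site | Format-Table -AutoSize

# Enable UGMC for a site with no GC: the same change the GUI checkbox makes.
# Logons there then use the cached memberships instead of a GC across the WAN.
$branch = Get-ADObject -Identity "CN=NTDS Site Settings,CN=Branch,CN=Sites,$configNC" `
                       -Properties options
Set-ADObject -Identity $branch -Replace @{ options = ([int]$branch.options -bor 0x20) }
```

Sites that show HasGC = False and UGMCEnabled = False are the ones whose users pay the cross-site GC lookup described above on every logon.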
These Active Directory interview questions cover AD maintenance like transferring or seizing FSMO roles, backup and restore AD and SYSVOL and more.
Answer: ntdsutil
Additional Information: There is no option to seize a FSMO role from a GUI tool like Active Directory Users and Computers. You can only seize FSMO roles using ntdsutil. However, FSMO role transfer can be accomplished with either a GUI tool or ntdsutil utility.
Answer: A DC system state backup copies the following:
Additional Information: Depending on roles installed on the DC, the following additional files may be included in a DC system state backup:
Answer: Event ID 2089
Additional Information: After performing an initial Active Directory backup on a domain controller, Event ID 2089 provides warnings about the backup status of each directory partition that a domain controller stores. This includes application directory partitions.
Answer: 180 days.
Answer: ADSI Edit
Answer: Authoritative restore does not allow replication to overwrite the restored deletions. Instead, the restored objects replicate authoritatively to the other domain controllers in the domain.
On the other hand, non-authoritative allows Active Directory replication to update the restored domain controller to the current state of AD DS.
Answers: Offline AD database Defragmentation and AD DS database relocation.
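The maintenance answers above (repadmin, system state backup, Event ID 2089, the 180-day tombstone lifetime) fit into one health-check routine. The following is an added example (not code from the original article) to be run on a Domain Controller with the ActiveDirectory module, repadmin.exe and the Windows Server Backup feature installed; the backup target drive E: is a placeholder.

```powershell
# Added example, not from the original article: a DC maintenance health check
# covering tombstone lifetime, backup warnings, replication and a system state
# backup. Run on a DC; the E: backup target is a placeholder.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Tombstone lifetime: 180 days on forests created with Windows Server 2003 SP1 or
# later. If the attribute is unset the forest is still on the legacy 60-day value.
$dsObj = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days (backups older than this must not be restored)"

# Event 2089 in the Directory Service log is the per-partition backup warning the
# article mentions; its latest occurrences tell you which partitions are overdue.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2089 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Replication health: repadmin's summary, plus the same data via PowerShell.
repadmin /replsummary
Get-ADReplicationFailure -Target $env:COMPUTERNAME
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult

# System state backup of this DC (ntds.dit, SYSVOL, registry, boot files, ...).
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

An authoritative or non-authoritative restore only makes sense from a backup younger than the tombstone lifetime, which is why the first two checks belong together.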
Windows PowerShell Skills have become a critical requirement for most Windows Admin jobs. This includes Active Directory Administration. The last set of Active Directory Interview Questions covers managing AD with PowerShell.
Answer: Get-ADUser
Answer: Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart
Additional Information: The IncludeManagementTools parameter includes all AD admin tools while the Restart parameter will force a reboot after AD DS installation. To learn more about PowerShell commands, read 18 Powershell Commands Every Windows Admin Should Know.
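Installing the role is only the first half of what DCPROMO used to do; the promotion itself is done with the ADDSDeployment module that the role installs. The following is an added example (not code from the original article) that installs AD DS, runs the prerequisite check, and promotes a member server to an additional DC in an existing domain. corp.example, the site name and the D: paths are placeholders; run it elevated on the member server.

```powershell
# Added example, not from the original article: install AD DS and promote a
# member server to a Domain Controller (the PowerShell replacement for DCPROMO).
# corp.example, the site name and the D:\ paths are placeholders.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$cred = Get-Credential -Message 'Domain Admin account for the promotion'
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

$params = @{
    DomainName                    = 'corp.example'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    SiteName                      = 'Default-First-Site-Name'
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
}

# Dry run: reports blocking problems (DNS, forest level, credentials) without
# changing anything on the server.
Test-ADDSDomainControllerInstallation @params

# Promote. -Force suppresses the confirmation prompt; the server reboots when done.
Install-ADDSDomainController @params -Force

# After the reboot, confirm the new DC is known to the domain and healthy.
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
dcdiag /q
```

For a brand-new forest the same module provides Install-ADDSForest (with -DomainName and -DomainNetbiosName) in place of Install-ADDSDomainController; the prerequisite check for that case is Test-ADDSForestInstallation.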
Answer: Set-ADUser
There you have them. 35 Active Directory interview questions and answers.
I hope you found this itechguide helpful. If you found it helpful, kindly spare 2 minutes to share your experience with our community using the comment form at the bottom of this page.
Alternatively, you can respond to the “Was this page helpful?” question below.
Good luck with your interview.