
10/12/2017 100 TOP ACTIVE DIRECTORY Interview Questions and Answers pdf 2017

Tag: 100 TOP ACTIVE DIRECTORY Interview Questions and Answers pdf
by iqatts on June 6, 2017

ACTIVE DIRECTORY Interview Questions with Answers:


1. What is Active Directory?
Active Directory is a directory database that stores metadata about network objects: user information, computer information and other network object information. It provides the capability to manage and administer the complete network that connects to AD.

2. What is Active Directory Domain Services?


In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and
Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD
DS, but the information is also applicable to Active Directory.

3. What is a domain?


A domain is a set of network resources (applications, printers, and so forth) for a group of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The domain is simply your computer's address, not to be confused with a URL. A domain address might look something like 211.170.469.

4. What is a domain controller?


A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within
the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of
computer resources with the use of a single username and password combination.

5. What is LDAP?


Lightweight Directory Access Protocol (LDAP) is the industry-standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.


6. What is the KCC?


The KCC (Knowledge Consistency Checker) generates the replication topology by specifying which domain controllers will replicate to which other domain controllers in the site. The KCC maintains a list of connections, called a replication topology, to other domain controllers in the site. The KCC ensures that changes to any object are replicated to all domain controllers in the site and that updates go through no more than three connections. An administrator can also configure connection objects.

7. Where is the AD database held? What other folders are related to AD?
By default the AD database is stored in C:\Windows\NTDS\NTDS.DIT. SYSVOL and NETLOGON are other folders related to AD DS.

8. What is the SYSVOL folder?


System Volume (SYSVOL) is a shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain. The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication Service (FRS). Network clients access the contents of the SYSVOL tree by using the NETLOGON and SYSVOL shared folders. SYSVOL uses junction points (a physical location on a hard disk that points to data located elsewhere on your disk or other storage device) to manage a single-instance store.

9. What is the NETLOGON folder in AD DS and what is it used for?
The NETLOGON share points to the %SystemRoot%\sysvol\sysvol\{DOMAIN}\scripts folder on the DC, and its main purpose is storing logon scripts.

http://interviewquestionstutorials.com/tag/100-top-active-directory-interview-questions-and-answers-pdf/ 1/7

By default %SystemRoot%\sysvol\sysvol\{DOMAIN}\scripts is empty. When any script is deployed via GPO, that is the default location for storing the script.

By default SYSVOL includes two folders; the Scripts folder is shared with the name NETLOGON:

1. Policies (default location %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
2. Scripts (default location %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)

10. What is the difference between the Enterprise Admins and Domain Admins groups in AD?


Enterprise Admins:

1. Members of this group have full control of all domains in the forest.
2. By default, this group is a member of the Administrators group on all domain controllers in the forest.
3. By default, the Administrator account is a member of this group.
4. Because this group has full control of the forest, add users with caution.

Domain Admins:

1. Members of this group have full control of the domain.
2. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain.
3. By default, the Administrator account is a member of this group.
4. Because the group has full control in the domain, add users with caution.
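The "add users with caution" advice for both groups is only useful if someone periodically checks who is actually in them, nested groups included. The following PowerShell report is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module is installed and the session has read access to the forest.

```powershell
# Added example, not code from the original page. Assumes the RSAT ActiveDirectory
# module and a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        # The two groups compared in Q10
        [string[]]$GroupNames = @('Enterprise Admins', 'Domain Admins')
    )

    $forestRoot = (Get-ADForest).RootDomain
    $thisDomain = (Get-ADDomain).DNSRoot

    foreach ($name in $GroupNames) {
        # Enterprise Admins exists only in the forest root domain, so query that domain for it
        $server = if ($name -eq 'Enterprise Admins') { $forestRoot } else { $thisDomain }
        $group  = Get-ADGroup -Identity $name -Server $server

        # -Recursive flattens nested groups down to the users and computers that actually hold the rights
        $members = Get-ADGroupMember -Identity $group -Server $server -Recursive
        foreach ($m in $members) {
            [pscustomobject]@{
                Group             = $name
                Member            = $m.SamAccountName
                ObjectClass       = $m.objectClass
                DistinguishedName = $m.distinguishedName
            }
        }

        # Direct members that are themselves groups are reported separately:
        # each nested group is an indirect path into the privileged group
        Get-ADGroupMember -Identity $group -Server $server |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group             = $name
                    Member            = $_.SamAccountName
                    ObjectClass       = 'nested-group'
                    DistinguishedName = $_.distinguishedName
                }
            }
    }
}

# Usage: print the report, or export it and diff it against a known-good baseline on a schedule
Get-PrivilegedGroupReport | Sort-Object Group, ObjectClass, Member | Format-Table -AutoSize
```

Running this on a schedule and comparing the output with the previous run turns the caution in the text into a concrete control: any new leaf member or new nested group shows up as a diff.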

11. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server
2003 ?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts
copies of the Active Directory.

12. I am trying to create a new universal user group. Why can't I?


Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain
controllers be promoted to Windows Server 2003 Active Directory.

13. What is LSDOU?


It is the group policy inheritance model, where policies are applied in the order Local machine, Site, Domain and Organizational Unit.

14. Why doesn't LSDOU work under Windows NT?


If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

15. What is the number of permitted unsuccessful logons on the Administrator account?

Unlimited. Remember, though, that this applies to the Administrator account, not to any account that is part of the Administrators group.

16. What is the difference between guest accounts in Server 2003 and other editions?
The guest account is more restrictive in Windows Server 2003.

17. How many passwords by default are remembered when you check Enforce Password History (passwords remembered)?
The user's last 6 passwords.

18. Can the GC server and Infrastructure Master be placed on a single server? If not, explain why.
As a general rule, the infrastructure master should be located on a domain controller that is not a global catalog server but that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.


But there are exceptions to this general rule. Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:

Single-domain forest:
In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.

Multidomain forest where every domain controller in a domain holds the global catalog:
If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.
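The rule and its two exceptions can be checked mechanically. The following PowerShell function is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module and read access to the forest, and it reports a placement problem only when the infrastructure master sits on a global catalog and neither exception applies.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module
# and read access to the forest.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param(
        # Domain to check; defaults to the domain of the current session
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest
    $im     = Get-ADDomainController -Identity $dom.InfrastructureMaster

    # Exception 1 from the text: a single-domain forest has no phantoms
    $singleDomainForest = ($forest.Domains.Count -eq 1)

    # Exception 2 from the text: every DC in the domain is also a GC
    $dcs         = Get-ADDomainController -Filter * -Server $Domain
    $nonGcDcs    = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $allDcsAreGc = ($nonGcDcs.Count -eq 0)

    # The general rule is violated only when the IM is on a GC and neither exception applies
    $violatesRule = $im.IsGlobalCatalog -and -not ($singleDomainForest -or $allDcsAreGc)

    [pscustomobject]@{
        Domain                = $Domain
        InfrastructureMaster  = $im.HostName
        ImHostsGlobalCatalog  = $im.IsGlobalCatalog
        SingleDomainForest    = $singleDomainForest
        AllDcsHostGc          = $allDcsAreGc
        ViolatesPlacementRule = $violatesRule
    }
}

# Usage: evaluate every domain in the forest in one pass
(Get-ADForest).Domains | ForEach-Object { Test-InfrastructureMasterPlacement -Domain $_ } | Format-Table -AutoSize
```

A domain whose row shows ViolatesPlacementRule set to True is one where cross-domain group membership references will silently stop being updated, which is the failure mode the answer describes.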

19. What are intrasite and intersite replication?


Intrasite replication is replication within the same site; intersite replication is replication between sites.

20. What is the Lost & Found folder in ADS?


It is the folder where you can find objects orphaned due to a replication conflict.
Example: you created a user in an OU that was deleted on another DC; when replication happened and ADS did not find the OU, it put the user in the Lost & Found folder.

21. What is garbage collection?


Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. In Windows 2000 and
in the original release version of Windows Server 2003, this process runs on every domain controller in the enterprise with a default
lifetime interval of 12 hours. You can change this interval by modifying the garbageCollPeriod attribute in the enterprise-wide DS
configuration object (NTDS).

22. What does System State data contain?

It contains:

Startup files
Registry
COM+ Registration Database
Memory page file
System files
AD information
Cluster Service information
SYSVOL folder

23. What is the recommended maximum number of domains in a forest?


For Windows 2000 Server, the recommended maximum number of domains in a forest is 800. For Windows Server 2003, the
recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest
functional level 2) is 1,200. This restriction is a limitation of multivalued, nonlinked attributes in Windows Server 2003.

24. What is the recommended maximum number of domain controllers in a domain?
To ensure reliable recovery of SYSVOL, we recommend a limit of 1200 domain controllers per domain.

25. Active Directory Replication Topology Options


The Active Directory replication topologies typically utilized are:

Ring Topology: With intrasite replication, the KCC creates a ring topology that defines the replication paths within a site. In a
ring topology, each domain controller in a site has two inbound and outbound replication partners. The KCC creates the ring so
that there is no greater than three hops between domain controllers in a site.
Full Mesh Topology: This topology is typically utilized in small organizations where redundancy is extremely important and the
number of sites is quite small. A full mesh topology is quite expensive to manage and is not scalable.
Hub And Spoke Topology: This topology is typically implemented in large organizations where scalability is important and
redundancy is less important. In this topology, one or multiple hub sites exist that have slower WAN connections to multiple spoke
sites. The hub sites are usually connected to each other through high speed WAN connections.
Hybrid Topology: The hybrid topology is a combination of any of the above topologies.


26. What is an SPN?
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
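Because each service instance must have its own SPN, the practical operational check is the reverse one: finding SPNs that are registered on more than one account, which breaks Kerberos authentication for that service. The following PowerShell is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, and the computer name WEB01 in the usage line is a placeholder.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-HostSpn {
    # All SPNs registered on one computer account: the per-name and per-alias entries the text describes
    param([Parameter(Mandatory)][string]$ComputerName)
    (Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName).servicePrincipalName
}

function Get-DuplicateSpn {
    # Any account (computer or service user) may carry SPNs; collect them all and report
    # values registered on more than one account. Kerberos cannot choose a key for a
    # duplicated SPN, so clients of that service fail to authenticate.
    $owners = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName

    $pairs = foreach ($o in $owners) {
        foreach ($spn in $o.servicePrincipalName) {
            [pscustomobject]@{ SPN = $spn; Owner = $o.DistinguishedName }
        }
    }

    $pairs |
        Group-Object -Property SPN |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SPN    = $_.Name
                Count  = $_.Count
                Owners = ($_.Group.Owner -join '; ')
            }
        }
}

# Usage (WEB01 is a placeholder computer name, not taken from the page):
Get-HostSpn -ComputerName 'WEB01'
Get-DuplicateSpn | Format-Table -AutoSize
```

The built-in `setspn -X` performs the same duplicate search; the script version is useful when the result needs to feed a report or a scheduled check.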

27. What is AD Certificate Services?


Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in
software security systems that employ public key technologies.

28. What is Active Directory Federation Services?


Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA)
authorization mechanism to maintain application security. AD FS supports Web single-sign-on (SSO) technologies that help
information technology (IT) organizations collaborate across organizational boundaries.

AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows
Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2.
Previous versions of AD FS are referred to collectively as AD FS 1.x.

29. What is the Active Directory Management Gateway Service?


Windows Server 2008 R2 introduces a web service interface for application accessibility to Active Directory (AD), and the Windows
Server 2008 R2 AD PowerShell cmdlets use this service.

The Active Directory Management Gateway Service (ADMGS) provides this web service interface for Windows Server 2003 SP2 and Windows Server 2008 domain controllers (DCs). The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed.

30. What is Offline Domain Join?


Windows Server 2008 R2 domain controllers include a new feature named Offline Domain Join. A new utility named Djoin.exe lets you
join a computer to a domain, without contacting a domain controller while completing the domain join operation, by obtaining a blob
from a Windows Server 2008 R2 domain controller at an earlier point in time. The computer is domain-joined when it first starts, so no
restart is needed as with a normal domain join.
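The two halves of the procedure described above, as an added example that is not part of the original page. Both steps use djoin.exe, which the text names; the domain name, machine name and file path are placeholders, and the two steps run on different machines.

```powershell
# Added example, not from the original page. Domain, machine name and path are placeholders.

# Step 1: on a domain-joined machine, as a user permitted to create computer accounts.
# This step contacts a domain controller now and writes the join blob for the target machine.
djoin.exe /provision /domain corp.example.com /machine WS-ODJ01 /savefile C:\odj\WS-ODJ01.txt

# Step 2: on the machine that is not yet joined (no DC connectivity required), as a local
# administrator. The blob is applied to the installed OS and the join completes at next start.
djoin.exe /requestODJ /loadfile C:\odj\WS-ODJ01.txt /windowspath $env:SystemRoot /localos

# The blob carries the new computer account's secret, so handle the file like a password:
# move it over a protected channel and remove it once the client has consumed it.
Remove-Item -Path C:\odj\WS-ODJ01.txt -Force
```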

31. What is AD Administrative Center?


Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management
experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform
common Active Directory object management tasks (such as user, computer, group, and organization units management) through both
data-driven and task-oriented navigation.

Administrators can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to suit their particular directory service administration requirements.

32. What is AD DS Best Practices Analyzer?


Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best
practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your
Windows Server 2008 R2 domain controllers, and it reports best practice violations.

You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using
either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.


33. What is the recommended maximum number of users in a group?


For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This
recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.

Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a
technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows
Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued
attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to
exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows
2000.

So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked
multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing
reached 500 million members.

34. What does System State data contain?

1. Startup files
2. Registry
3. COM+ Registration Database
4. Memory page file
5. System files
6. AD information
7. SYSVOL folder
8. Cluster service information

35. What is Kerberos?


Kerberos is a network authentication protocol. It is built to offer strong authentication for client/server applications by using secret-key cryptography.

36. Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%\ntds. In the same folder you can also see other files; these are the main files controlling the AD structures. They are:

ntds.dit
edb.log
res1.log
res2.log
edb.chk

37. What is the PDC emulator and how would one know whether the PDC emulator is working or not?
PDC Emulator: There is one PDC emulator per domain, and when there is a failed authentication attempt, it is forwarded to the PDC emulator. It acts as a tie-breaker and it controls time sync across the domain.

These are the symptoms through which we can know whether the PDC emulator is working or not:

Time is not syncing
User accounts are not locked out
Windows NT BDCs are not getting updates
Pre-Windows 2000 computers are unable to change their passwords
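Rather than waiting for those symptoms, the role holder and its time source can be checked directly. The following PowerShell function is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module and that w32tm.exe, which ships with Windows, can reach the PDC emulator.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module and
# that w32tm.exe can query the PDC emulator remotely.
Import-Module ActiveDirectory

function Test-PdcEmulator {
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator          # FQDN of the role holder as recorded in AD

    # Does the DC locator agree with the recorded role owner? A mismatch after a failed
    # role transfer is one way the symptoms listed above begin to appear.
    $located = (Get-ADDomainController -Discover -Service PrimaryDC -DomainName $domain.DNSRoot).HostName |
               Select-Object -First 1

    $reachable = Test-Connection -ComputerName $pdc -Count 1 -Quiet

    # The PDC emulator is the top of the domain time hierarchy, so it should sync from an
    # external or authoritative source, not from its own hardware clock.
    $timeSource = if ($reachable) {
        (w32tm.exe /query /computer:$pdc /source 2>&1) -join ' '
    } else {
        'unreachable'
    }

    [pscustomobject]@{
        Domain                 = $domain.DNSRoot
        RecordedPdc            = $pdc
        LocatedPdc             = $located
        LocatorAgrees          = ($located -eq $pdc)
        Reachable              = $reachable
        TimeSource             = $timeSource
        TimeSourceIsLocalClock = ($timeSource -match 'Local CMOS Clock|Free-running System Clock')
    }
}

Test-PdcEmulator | Format-List
```

A result where LocatorAgrees is False or TimeSourceIsLocalClock is True explains the "time is not syncing" symptom before users notice it, and `netdom query fsmo` gives the same role-owner view from the command line.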

38. What are lingering objects?


Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).


39. What is tombstone lifetime?


The tombstone lifetime in Active Directory determines how long a deleted object is retained in Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a tombstone. Usually, Windows will use a 60-day tombstone lifetime if no value is set in the forest configuration.
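The tombstone lifetime (Q39) and the garbage collection interval (Q21) are both attributes of the same enterprise-wide Directory Service object, and the lingering-object condition in Q38 is defined in terms of the TSL. The following PowerShell reads both settings and then lists domain controllers whose last successful inbound replication is older than the TSL. It is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module from Windows Server 2012 or later, which provides Get-ADReplicationPartnerMetadata, and the 60-day and 12-hour fallbacks are the defaults the page states.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module from
# Windows Server 2012 or later (needed for Get-ADReplicationPartnerMetadata).
Import-Module ActiveDirectory

function Get-DirectoryServiceSettings {
    # Both values live on the enterprise-wide Directory Service object in the configuration partition
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                       -Properties tombstoneLifetime, garbageCollPeriod

    # Q39: when the attribute is absent the page's stated default of 60 days applies
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    # Q21: garbage collection interval, the page's stated default of 12 hours when absent
    $gcPeriod = if ($ds.garbageCollPeriod) { [int]$ds.garbageCollPeriod } else { 12 }

    [pscustomobject]@{
        TombstoneLifetimeDays        = $tsl
        TombstoneLifetimeExplicit    = [bool]$ds.tombstoneLifetime
        GarbageCollectionPeriodHours = $gcPeriod
    }
}

function Get-LingeringObjectRiskDc {
    # Q38: a DC whose last successful inbound replication is older than the TSL may
    # reintroduce deleted objects once it replicates again; list such DCs for cleanup.
    param([int]$TombstoneLifetimeDays = (Get-DirectoryServiceSettings).TombstoneLifetimeDays)

    $cutoff = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue
        if (-not $meta) { continue }   # unreachable DC: cannot be assessed here, investigate separately
        $newest = ($meta | Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1).LastReplicationSuccess
        [pscustomobject]@{
            DomainController   = $dc.HostName
            LastInboundSuccess = $newest
            OlderThanTsl       = ($newest -lt $cutoff)
        }
    }
}

Get-DirectoryServiceSettings | Format-List
Get-LingeringObjectRiskDc | Where-Object OlderThanTsl | Format-Table -AutoSize
```

A DC reported with OlderThanTsl set to True should not be allowed to replicate back into the domain until its lingering objects have been removed.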

40. What is the Active Directory schema?


The schema is an Active Directory component that describes all the attributes and objects that the directory service uses to store data.

41. What is a child DC?


A CDC, or child DC, is a domain controller of a subdomain under the root domain, which shares its namespace.

42. What is the RID Master?


RID stands for Relative Identifier; the RID master is responsible for assigning unique IDs to objects created in AD.

43. What are the components of AD?


The components of AD include:

1. Logical structure: trees, forests, domains and OUs
2. Physical structure: domain controllers and sites

44. What is the Infrastructure Master?


The Infrastructure Master is responsible for updating user and group information against the global catalogue.

45. How many types of replication are there in Active Directory?

Active Directory Intrasite Replication

Intrasite replication in Active Directory takes place between domain controllers within the same site. This makes intrasite replication an
uncomplicated process. When changes are made to the replica of Active Directory on one particular domain controller, the domain
controller contacts the remainder of the domain controllers within the site. The domain controller checks the information it contains
against information hosted by the other domain controllers. To perform this analysis, the domain controller utilizes logical sequence
numbers. Intrasite replication utilizes the Remote Procedure Call (RPC) protocol to convey replication data over fast, reliable network
connections. With intrasite replication, replication data is not compressed.

Active Directory Intersite Replication

Intersite replication takes place between sites. Intersite replication can utilize either RPC over IP or SMTP to convey replication data.
This type of replication has to be manually configured. Intersite replication occurs between two domain controllers that are called
bridgeheads or bridgehead servers. The role of a bridgehead server (BS) is assigned to at least one domain controller in a site. A BS in
one site deals with replicating changes with other BSs in different sites. You can configure multiple bridgehead servers in a site. It is
only these BSs that replicate data with domain controllers in different domains by performing intersite replication with its BS partners.
With intersite replication, packets are compressed to save bandwidth. This places additional CPU load on domain controllers assigned
the BS role. BSs should therefore be machines that have enough speed and processors to perform replication. Intersite replication takes
place over site links by a polling method which is every 180 minutes by default.
