Interview Questions: Active Directory

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is involved in centralized domain management and is essential for a network administrator’s role. Below is a curated list of potential interview questions with detailed answers that can help you prepare for your next AD-related interview.

Q1. What is Active Directory and why is it used?

Answer: Active Directory is a directory service implemented by Microsoft for Windows domain environments. It provides a centralized location for network administration and security, and it stores information about members of the domain, including devices and users, verifying their credentials and defining their access rights. AD is used to organize the company’s hierarchy, manage user accounts, and enforce security policies.

Q2. Can you explain the AD components such as forests, trees, and domains?

Answer:

  • Forest: A forest is the topmost level in an AD configuration that contains one or more trees, sharing a common global catalog, directory schema, logical structure, and directory configuration.
  • Tree: A tree is a collection of one or more domains and domain trees in a contiguous namespace linked in a transitive trust hierarchy.
  • Domain: A domain is the basic organizational structure of a Windows Server network and a logical group of network objects (like users, computers, and devices) that share the same AD database.

Q3. What is a domain controller?

Answer: A domain controller (DC) is a server that responds to security authentication requests within the Windows Server domain. It stores the user account information, authenticates users, enforces security policies, and replicates updates to other domain controllers in the network.

Q4. How does AD provide authentication and authorization?

Answer: AD provides authentication through a process called binding, where user credentials are verified against the directory’s information. Once authenticated, authorization is the process by which AD determines whether an authenticated user has the rights and permissions to access and perform operations on the network’s resources.

Q5. What is Group Policy in AD?

Answer: Group Policy is a feature in AD that allows network administrators to implement specific configurations for users and computers within the organization. These policies control the working environment of user accounts and computer accounts, providing centralized management and configuration of operating systems, applications, and users’ settings.

Q6. Can you describe the process of authentication in AD?

Answer: Authentication in AD typically uses the Kerberos protocol, where a ticket-granting ticket (TGT) is provided by the Key Distribution Center (KDC). The user’s credentials are submitted to the KDC, which then issues a TGT and session keys. The TGT is encrypted and can only be opened by the Domain Controller, ensuring secure authentication.

Q7. Explain the concept of Organizational Units in AD.

Answer: Organizational Units (OUs) are containers within a domain that represent the hierarchical, logical structures within the domain. They are used to group objects, such as users, groups, computers, and other OUs, and to apply Group Policies and delegate administrative control.

Q8. What is the Global Catalog in AD?

Answer: The Global Catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multi-domain AD forest. It is used to search for directory information across all domains within an AD forest. The Global Catalog facilitates domain-wide searches and logon processes across the forest.

Q9. How does replication work in Active Directory?

Answer: Replication in AD is the process by which the changes made to objects in the directory are synchronized between domain controllers. AD uses multi-master replication, which means any domain controller can accept changes. These changes are then propagated to other DCs using a replication topology.

Q10. What are the functional levels in AD?

Answer: AD functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They are defined by the lowest version of Windows Server operating systems running on the domain controllers in the domain or forest. Raising the functional level can enable additional features but also precludes the addition of domain controllers running older versions of Windows Server.

Q11. Can you explain the difference between LDAPS and LDAP?

Answer: LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory services over an IP network. LDAPS (LDAP over SSL/TLS) is a version of LDAP that is encrypted with SSL/TLS for enhanced security. LDAPS ensures that the communication between the LDAP client and server is encrypted and secure.
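The check a practitioner wants after this answer is whether a given domain controller actually accepts a bind over TLS and presents a certificate that chains to a trusted CA and matches its host name. The following PowerShell is an added example, not code from the original page; it assumes a domain-joined Windows host, the System.DirectoryServices.Protocols assembly that ships with Windows, and a placeholder DC name (`dc01.corp.example`) that you replace with your own.

```powershell
# Added example (not from the original page): verify that a domain controller
# accepts LDAP over TLS on port 636 and inspect the certificate it presents.
# ASSUMPTIONS: $Server is a placeholder DC name; run from a domain-joined host
# where the System.DirectoryServices.Protocols assembly is available.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 636
    )

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.SecureSocketLayer = $true     # LDAPS, not plain LDAP
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    # Record the certificate the server presents and reject it unless it
    # chains to a trusted CA and its DNS name matches the server we asked for.
    $script:presentedCert = $null
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $script:presentedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $chainOk = $script:presentedCert.Verify()
        $dnsName = $script:presentedCert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $nameOk  = ($dnsName -ieq $Server)
        return ($chainOk -and $nameOk)
    }.GetNewClosure()

    try {
        $conn.Bind()   # the caller's Kerberos credentials, sent only inside the TLS channel
        [pscustomobject]@{
            Server     = $Server
            Port       = $Port
            TlsBind    = $true
            Subject    = $script:presentedCert.Subject
            NotAfter   = $script:presentedCert.NotAfter
            Thumbprint = $script:presentedCert.Thumbprint
        }
    } catch {
        # A failed bind here usually means no LDAPS listener, an untrusted or
        # mismatched certificate, or an expired one; the message says which.
        [pscustomobject]@{ Server = $Server; Port = $Port; TlsBind = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

Test-LdapsBind -Server 'dc01.corp.example'
```

The host-name comparison is deliberately strict (exact match on the first DNS name in the certificate); if your DC certificates carry several subject alternative names, extend the callback to walk the SAN extension rather than loosening the check.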

Q12. How would you perform a backup and recovery of Active Directory?

Answer: Backup and recovery of AD can be performed using Windows Server Backup or other third-party backup solutions. Regular backups should include system state data and the AD DS database. Recovery can be done using authoritative or non-authoritative restores, depending on whether you wish to restore the entire directory or a specific object, respectively.

Q13. What are Active Directory Partitions?

Answer: In Active Directory, partitions, or naming contexts, are sections of the AD database that hold different types of data. There are three main types of partitions:

  • Domain Partition: Stores all objects like users, groups, and computers for a domain and replicates this data to all domain controllers in the domain.
  • Configuration Partition: Contains configuration information about the AD forest that is replicated to all domain controllers within the forest.
  • Schema Partition: Holds schema objects, which define classes of objects and attributes within the forest; replicated to all domain controllers in the forest.

Additionally, there may be an Application Partition that stores data for applications and is only replicated to specific domain controllers.

Q14. How do you manage Active Directory with PowerShell?

Answer: Active Directory can be managed using PowerShell with the Active Directory module, which includes cmdlets for performing various AD administrative tasks such as creating users, modifying groups, managing computers, and more. PowerShell scripts allow for automation and more complex operations, enhancing productivity and reducing the potential for human error.
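As an added example of the automation this answer refers to (not code from the original page), the script below bulk-provisions users from a CSV with the ActiveDirectory module, skipping accounts that already exist, generating a random initial password that must be changed at first logon, and adding each account to a baseline group. It assumes the RSAT ActiveDirectory module is installed, and the OU, UPN suffix, group name and CSV rows are placeholders constructed for the example.

```powershell
# Added example (not from the original page): bulk-provision users from a CSV
# with the ActiveDirectory module. ASSUMPTIONS: RSAT/ActiveDirectory module is
# installed; the OU, UPN suffix and group below are placeholders; the CSV
# content is constructed here in place of a real HR export.
Import-Module ActiveDirectory

$csv = @'
GivenName,Surname,SamAccountName,Department
Ada,Lovelace,alovelace,Engineering
Grace,Hopper,ghopper,Engineering
'@

$targetOu  = 'OU=Staff,DC=corp,DC=example'   # placeholder OU
$upnSuffix = 'corp.example'                  # placeholder UPN suffix
$baseGroup = 'Engineering-Users'             # placeholder group

function New-StaffUser {
    param([Parameter(Mandatory)] $Row)

    # Idempotent: skip accounts that already exist rather than throwing.
    if (Get-ADUser -Filter "SamAccountName -eq '$($Row.SamAccountName)'") {
        Write-Warning "$($Row.SamAccountName) already exists; skipping"
        return
    }

    # Random 20-character initial password; the user must change it at first logon.
    # Delivering it to the user out of band is outside this script.
    $initial = -join ((33..126) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    $secure  = ConvertTo-SecureString $initial -AsPlainText -Force

    New-ADUser -Name "$($Row.GivenName) $($Row.Surname)" `
        -GivenName $Row.GivenName -Surname $Row.Surname `
        -SamAccountName $Row.SamAccountName `
        -UserPrincipalName "$($Row.SamAccountName)@$upnSuffix" `
        -Department $Row.Department `
        -Path $targetOu `
        -AccountPassword $secure `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    Add-ADGroupMember -Identity $baseGroup -Members $Row.SamAccountName
    Write-Verbose "Created $($Row.SamAccountName) in $targetOu" -Verbose
}

$csv | ConvertFrom-Csv | ForEach-Object { New-StaffUser -Row $_ }

# Read one account back with the attributes that were set
Get-ADUser -Identity alovelace -Properties Department |
    Select-Object Name, SamAccountName, UserPrincipalName, Department, Enabled
```

Because the script reads from a CSV and checks for existing accounts before creating anything, the same file can be re-run safely, which is the property that makes scripted provisioning less error-prone than hand-entry.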

Q15. What is a Read-Only Domain Controller (RODC)?

Answer: A Read-Only Domain Controller (RODC) is a type of domain controller that contains a read-only copy of the Active Directory database. It is designed to be deployed in locations where physical security cannot be guaranteed, as it minimizes the risk of compromising AD. RODCs handle login requests but refer any write attempts back to a writable domain controller.

Q16. What is the SYSVOL folder in Active Directory?

Answer: The SYSVOL folder is a shared directory that stores the server copy of the domain’s public files, which are necessary for the Active Directory to function. It includes policies, scripts, and other files needed by Group Policy. The contents of the SYSVOL folder are replicated to all domain controllers in the domain.

Q17. How would you troubleshoot Active Directory issues?

Answer: Troubleshooting AD issues typically involves using various tools and methodologies such as:

  • Checking the Event Viewer for logs that might indicate the nature of the problem.
  • Using the dcdiag command-line tool to analyze the state and health of domain controllers.
  • Ensuring that DNS is functioning properly since AD relies heavily on DNS.
  • Verifying network connectivity.
  • Using the repadmin tool to check replication status.
  • Evaluating Group Policy issues with the gpresult command or the Group Policy Management Console.
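The following PowerShell is an added example (not code from the original page) that runs the checks in this list, and the replication checks from Q9, against one domain controller in a single pass: recent errors from the event logs, a `dcdiag` run, the `_ldap._tcp` SRV record, reachability of the core AD ports, replication failures and partner lag via the AD cmdlets and `repadmin`, and the computer-scope `gpresult`. It assumes the ActiveDirectory module is installed and uses a placeholder DC name.

```powershell
# Added example (not from the original page): first-pass health check of a
# domain controller covering the items listed above plus replication (Q9).
# ASSUMPTIONS: ActiveDirectory module present; $Dc is a placeholder name.
Import-Module ActiveDirectory

function Test-DcHealth {
    param([Parameter(Mandatory)] [string] $Dc)

    $report = [ordered]@{}

    # 1. Critical/Error events from the AD-related logs in the last 24 hours
    $report.RecentErrors = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName   = 'Directory Service', 'DNS Server', 'DFS Replication'
        Level     = 1, 2                       # 1 = Critical, 2 = Error
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
        Group-Object LogName, Id | Select-Object Count, Name

    # 2. dcdiag in quiet mode prints only failures; non-zero exit means a test failed
    $report.DcdiagOutput = & dcdiag.exe /s:$Dc /q 2>&1
    $report.DcdiagPassed = ($LASTEXITCODE -eq 0)

    # 3. DNS: clients locate DCs through this SRV record, so it must resolve
    $domain = (Get-ADDomain).DNSRoot
    $report.LdapSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty NameTarget

    # 4. Connectivity to the ports AD clients and replication partners need
    $report.Ports = foreach ($port in 53, 88, 135, 389, 445, 636, 3268) {
        [pscustomobject]@{
            Port = $port
            Open = (Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }

    # 5. Replication: outstanding failures and per-partner status
    $report.ReplFailures = Get-ADReplicationFailure -Target $Dc -ErrorAction SilentlyContinue
    $report.ReplPartners = Get-ADReplicationPartnerMetadata -Target $Dc -ErrorAction SilentlyContinue |
        Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
    $report.ReplSummary  = & repadmin.exe /replsummary $Dc 2>&1

    # 6. Group Policy as applied to the DC itself
    $report.GpResult = & gpresult.exe /S $Dc /SCOPE COMPUTER /R 2>&1

    [pscustomobject]$report
}

$health = Test-DcHealth -Dc 'dc01.corp.example'

# Surface only what needs attention
$health.Ports        | Where-Object { -not $_.Open }
$health.ReplPartners | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 }
if (-not $health.DcdiagPassed) { $health.DcdiagOutput }
```

Run it from an administrative workstation rather than on the DC itself, so that step 4 also exercises the network path your clients use.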

Q18. How do you ensure Active Directory security?

Answer: Ensuring AD security involves multiple strategies, including:

  • Implementing least-privilege access controls.
  • Regularly applying security patches and updates.
  • Monitoring logs for suspicious activities.
  • Utilizing strong, complex passwords and account lockout policies to prevent brute force attacks.
  • Implementing multi-factor authentication.
  • Regularly auditing and reviewing permissions and Group Policy settings.
  • Securing domain controllers physically and logically.
  • Using secure protocols such as LDAPS when querying Active Directory over the network.
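An added example (not code from the original page) of what "regularly auditing and reviewing permissions" looks like in practice: the script below enumerates the built-in high-privilege groups recursively, flags enabled accounts whose own settings weaken the password or Kerberos policy, reports accounts that have not logged on within a threshold, and compares the default domain password policy against a baseline. It assumes the ActiveDirectory module is installed; the 90-day threshold and the 14-character minimum are placeholder baselines to adjust to your own policy.

```powershell
# Added example (not from the original page): audit script backing the
# least-privilege, password-policy and permission-review items above.
# ASSUMPTIONS: ActiveDirectory module present; the StaleDays and password
# length thresholds are placeholder baselines.
Import-Module ActiveDirectory

function Get-AdSecurityFindings {
    param([int] $StaleDays = 90, [int] $MinPasswordLength = 14)

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Category, $Object, $Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Object = $Object; Detail = $Detail })
    }

    # Least privilege: who is (directly or through nesting) in the highest-privilege groups
    foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'PrivilegedMember' $_.SamAccountName "member of $group" }
    }

    # Per-account settings that override or weaken the domain policy
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordNotRequired,
        DoesNotRequirePreAuth, ServicePrincipalName, AdminCount, LastLogonDate |
        ForEach-Object {
            if ($_.PasswordNeverExpires)  { Add-Finding 'PasswordNeverExpires' $_.SamAccountName 'password set to never expire' }
            if ($_.PasswordNotRequired)   { Add-Finding 'PasswordNotRequired'  $_.SamAccountName 'blank password permitted' }
            if ($_.DoesNotRequirePreAuth) { Add-Finding 'NoKerberosPreAuth'    $_.SamAccountName 'Kerberos pre-authentication disabled' }
            if ($_.AdminCount -eq 1 -and $_.ServicePrincipalName) {
                Add-Finding 'PrivilegedServiceAccount' $_.SamAccountName 'privileged account carries an SPN; prefer a group managed service account'
            }
            if ($_.LastLogonDate -and $_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
                Add-Finding 'StaleAccount' $_.SamAccountName "last logon $($_.LastLogonDate.ToShortDateString())"
            }
        }

    # Domain-wide policy, compared against the baseline
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($policy.MinPasswordLength -lt $MinPasswordLength) {
        Add-Finding 'Policy' 'DefaultDomainPolicy' "MinPasswordLength=$($policy.MinPasswordLength)"
    }
    if ($policy.LockoutThreshold -eq 0) {
        Add-Finding 'Policy' 'DefaultDomainPolicy' 'no account lockout threshold'
    }

    $findings
}

$findings = Get-AdSecurityFindings
$findings | Group-Object Category | Select-Object Name, Count
$findings | Export-Csv -Path .\ad-findings.csv -NoTypeInformation
```

Schedule it and diff successive CSVs: a new row in `PrivilegedMember` or `NoKerberosPreAuth` between runs is exactly the kind of change the "monitoring logs for suspicious activity" item is meant to catch.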

Q19. What are some common Active Directory Schema attributes?

Answer: Active Directory Schema attributes are definitions of the types of information that can be stored in AD. Some common attributes include:

  • cn (Common Name): The name of the object.
  • sn (Surname): The last name of a user.
  • givenName: The first name of a user.
  • sAMAccountName: The Security Accounts Manager (SAM) account name of the user, which must be unique within the domain.
  • userPrincipalName (UPN): The Internet-style login name for the user.
  • objectClass: Defines the type of object such as user, computer, or group.
  • mail: The email address of the user.
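The following PowerShell is an added example (not code from the original page) that ties this answer to Q13: it reads the partition names from the RootDSE, then looks up the definition of each attribute listed above in the schema partition (syntax, single- or multi-valued, whether it is replicated to the Global Catalog, whether it is indexed), and finally uses the same attribute names in an LDAP filter against the domain partition. It assumes the ActiveDirectory module is installed and a reachable domain controller.

```powershell
# Added example (not from the original page): list the directory partitions
# from the RootDSE (Q13) and read the schema definition of the attributes
# named above (Q19). ASSUMPTIONS: ActiveDirectory module present; a DC is
# reachable with the caller's credentials.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Naming contexts are the partitions. Application partitions (e.g. DomainDnsZones)
# appear in namingContexts but have no dedicated RootDSE property.
[pscustomobject]@{
    Domain        = $rootDse.defaultNamingContext
    Configuration = $rootDse.configurationNamingContext
    Schema        = $rootDse.schemaNamingContext
    All           = $rootDse.namingContexts -join '; '
}

function Get-SchemaAttributeInfo {
    param([Parameter(Mandatory)] [string[]] $LdapDisplayName)

    foreach ($name in $LdapDisplayName) {
        # attributeSchema objects live in the schema partition; lDAPDisplayName is the
        # name you use in filters and in -Properties.
        Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties lDAPDisplayName, attributeSyntax, isSingleValued, isMemberOfPartialAttributeSet, searchFlags |
            Select-Object lDAPDisplayName, attributeSyntax, isSingleValued,
                @{ n = 'InGlobalCatalog'; e = { [bool]$_.isMemberOfPartialAttributeSet } },
                @{ n = 'Indexed';         e = { [bool]($_.searchFlags -band 1) } }   # searchFlags bit 0 = indexed
    }
}

Get-SchemaAttributeInfo -LdapDisplayName 'cn', 'sn', 'givenName', 'sAMAccountName', 'userPrincipalName', 'mail'

# The same attribute names in an LDAP filter against the domain partition:
# enabled user objects that have a mail attribute (the bitwise rule excludes
# accounts with the ACCOUNTDISABLE flag, 0x2, set in userAccountControl).
Get-ADUser -LDAPFilter '(&(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -Properties cn, sn, givenName, mail |
    Select-Object cn, sn, givenName, sAMAccountName, userPrincipalName, mail -First 5
```

The `InGlobalCatalog` column is the practical link back to Q8: only attributes in the partial attribute set can be searched through the Global Catalog on port 3268, which is why a forest-wide lookup by `mail` works while one by an un-replicated custom attribute does not.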

Q20. What are FSMO roles and why are they important?

Answer: FSMO (Flexible Single Master Operations) roles are specialized domain controller tasks in AD, which are critical for the smooth operation of the network’s directory. There are five FSMO roles:

  • Schema Master: Manages changes to the schema.
  • Domain Naming Master: Controls the addition or removal of domains in the forest.
  • Infrastructure Master: Maintains security identifiers and references between domains.
  • Relative ID (RID) Master: Allocates RID pools to domain controllers for creating AD objects.
  • PDC Emulator: Acts as a primary domain controller for backward compatibility; manages password changes and time synchronization within a domain.
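An added example (not code from the original page) that locates the five role holders from the forest and domain objects, checks that each is reachable on the LDAP port and whether it is a Global Catalog, and reports the forest and domain functional levels from Q10 alongside. It assumes the ActiveDirectory module is installed and that the caller can query the current forest and domain.

```powershell
# Added example (not from the original page): find the FSMO role holders and
# the functional levels (Q10), and confirm each holder answers on LDAP.
# ASSUMPTIONS: ActiveDirectory module present; run in the domain of interest.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles are properties of the forest object,
    # domain-wide roles are properties of the domain object.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            Reachable = (Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
            IsGC      = (Get-ADDomainController -Identity $holder).IsGlobalCatalog
        }
    }
}

function Get-FunctionalLevels {
    [pscustomobject]@{
        Forest     = (Get-ADForest).Name
        ForestMode = (Get-ADForest).ForestMode
        Domain     = (Get-ADDomain).DNSRoot
        DomainMode = (Get-ADDomain).DomainMode
    }
}

Get-FsmoRoleHolders | Format-Table -AutoSize
Get-FunctionalLevels

# Classic equivalent for cross-checking the role holders
netdom query fsmo
```

A role holder that is unreachable is a finding in itself: new RID pools, schema changes, domain additions and password-change forwarding to the PDC Emulator all stall until the role is brought back or seized, which is the practical meaning of the "not suited for multi-master replication" point.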

FSMO roles are important because they ensure consistency and prevent conflicts in the directory for operations that are not suited for multi-master replication.

Final Thoughts

This set of questions and answers covers a wide range of topics within Active Directory and should provide a strong foundation for anyone preparing for a job interview related to AD administration or support.