  • CyberBrew Team

Active Directory Interview Questions and Answers


[Image: computers connected to an Active Directory domain controller]

If you are preparing for an interview, whether for help desk, technical support or system administration, it never hurts to brush up on Active Directory even if you already know it well. AD has many features and moving parts that most people never touch, and interviewers like to ask one-off questions about them, especially when the job description mentions Active Directory by name. Keep this post handy for a quick review right before the interview; it is also a useful gauge of how much of this you can answer on the fly.


Basic Active Directory Interview Questions

Question 1: What is Active Directory?

Answer: Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It provides a variety of network services, including:

  • Authentication and Authorization: It controls access to network resources by validating credentials and determining user permissions.

  • Centralized Management: Administrators can manage user accounts, groups, computers, and policies centrally.

  • Directory Services: It stores information about network resources and users, making it easier to manage and locate resources.


Question 2: What is a Domain Controller (DC)?


Answer: A Domain Controller is a server that runs Active Directory Domain Services (AD DS). Each writable DC holds a full copy of its domain's partition of the directory database (ntds.dit) and of SYSVOL, replicated multi-master with the other DCs, and runs the Kerberos Key Distribution Center. It authenticates and authorizes users and computers in the domain, enforces security policies, and controls access to resources. A domain should have at least two domain controllers for redundancy and load balancing; if the only DC is lost, nobody can log on.


Question 3: What are FSMO roles in Active Directory?


Answer: FSMO (Flexible Single Master Operations) roles are the few operations that AD's multi-master replication cannot safely let every DC perform at once, so each is assigned to exactly one DC at a time. There are five roles, in two categories:

  • Forest-Wide Roles (one holder per forest):

  1. Schema Master: The only DC that accepts writes to the AD schema, for example when a product such as Exchange extends it.

  2. Domain Naming Master: Controls the addition and removal of domains and application partitions in the forest.

  • Domain-Wide Roles (one holder per domain):

  1. RID Master: Hands out blocks of relative identifiers (RID pools) to the other DCs so that every new security principal they create gets a unique SID.

  2. PDC Emulator: Receives password changes and account lockouts by urgent replication, is consulted by other DCs when a password check fails (so it can reject a stale password authoritatively), is the domain's authoritative time source, and is the DC on which Group Policy edits are made by default. It originally also served Windows NT backup domain controllers and clients, which is where the name comes from.

  3. Infrastructure Master: Keeps cross-domain references up to date, for example group members that live in another domain. It must not run on a Global Catalog server unless every DC in the domain is a GC; otherwise it never sees stale references and they are never refreshed.
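As an added example (not code from the original post), the following Windows PowerShell script lists the five role holders and checks the Infrastructure Master placement rule described above. It assumes the RSAT ActiveDirectory module on a domain-joined session; no names are hard-coded.

```powershell
# Added example: find the FSMO role holders and verify Infrastructure Master placement.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles are properties of the forest object, domain-wide roles of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # Returns $true when the placement is safe. The Infrastructure Master only
    # refreshes cross-domain references when it is NOT a Global Catalog, unless
    # every DC in the domain is a GC (then there is nothing stale to refresh).
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "$($im.HostName) holds the Infrastructure Master role and is a GC, but other DCs in the domain are not GCs."
        return $false
    }
    return $true
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement
```

The same information comes from netdom query fsmo on any DC. In a single-domain forest the Infrastructure Master check is moot, since there are no cross-domain references to refresh; roles are moved with Move-ADDirectoryServerOperationMasterRole when a DC is retired.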


Intermediate Active Directory Interview Questions


Question 4: What is an OU (Organizational Unit) and how is it used?


Answer: An Organizational Unit (OU) is a container within Active Directory that can hold users, groups, computers, and other OUs. OUs exist for administration rather than for access control: they are the smallest scope to which a Group Policy Object can be linked, and their ACLs are where you delegate rights (reset passwords, join computers, manage group membership) to a team without making anyone a domain admin. An OU is not a group: you cannot grant permissions on a file share to an OU, and an object lives in exactly one OU but can be a member of many groups.


Question 5: What is Group Policy in Active Directory?


Answer: Group Policy lets administrators push configuration to the computers and users in a domain: security settings (audit policy, user rights, password and lockout policy), software installation, registry values, scripts, network settings and more. A Group Policy Object (GPO) is linked to a site, domain or OU and applies to everything beneath that link. Settings are processed in the order Local, Site, Domain, OU, so the link closest to the object wins on conflict unless a higher link is marked Enforced. GPOs are managed in the Group Policy Management Console (GPMC) or the GroupPolicy PowerShell module, and gpresult /r or the Group Policy Results wizard shows what actually applied to a given computer or user.
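The two answers above (OUs for delegation, GPOs for configuration) come together in a script like the following. It is an added example, not from the original post; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the OU name "Workstations", the GPO name "Workstation Hardening" and an existing global group named "HelpDesk" are made up for the example.

```powershell
# Added example: create an OU, delegate password resets on it, and link a hardening GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$ouName   = 'Workstations'                          # assumed OU name
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Workstation Hardening'                 # assumed GPO name
$helpDesk = "$($domain.NetBIOSName)\HelpDesk"       # assumed existing global group

# 1. The OU (protected from accidental deletion by default).
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Delegation: the help desk may reset passwords on user objects under this OU
#    and nothing else. /I:S = inherit to sub-objects only; CA = control access right.
dsacls $ouDn /I:S /G "${helpDesk}:CA;Reset Password;user" | Out-Null

# 3. A GPO with two common hardening settings, linked to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
# Disable LLMNR so workstations stop answering name-poisoning attacks.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'EnableMulticast' -Type DWord -Value 0 | Out-Null
# Require SMB signing on the client side, which defeats SMB relay against these hosts.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
    -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null }

# 4. Show every GPO that now applies to the OU, in precedence order.
(Get-GPInheritance -Target $ouDn).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```

Computers in the OU pick the settings up on their next refresh (gpupdate /force to hurry it along); Get-GPResultantSetOfPolicy on one of them confirms the registry values landed.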


Question 6: What is the Global Catalog?


Answer: The Global Catalog is a partial, read-only replica of every object in the forest, holding the subset of attributes that are most commonly searched, alongside the DC's full copy of its own domain. It is hosted by domain controllers that have been enabled as Global Catalog servers and is queried over LDAP on ports 3268 and 3269 (LDAPS) rather than 389 and 636. It is needed for cross-domain searches (for example, an address book lookup in another domain), for resolving user principal names at logon, and for universal group membership; in a multi-domain forest, a logon can fail if no Global Catalog is reachable.


Advanced Questions


Question 7: How does Kerberos authentication work in Active Directory?


Answer: Kerberos has been the default authentication protocol in Active Directory since Windows 2000; NTLM remains only as a fallback, for example when a resource is addressed by IP address instead of a name. Every DC runs the Key Distribution Center (KDC), whose long-term key is the password hash of the krbtgt account. The exchange:

  1. AS-REQ: The client asks the KDC for a Ticket Granting Ticket (TGT). With pre-authentication (the default) the request carries a timestamp encrypted with a key derived from the user's password, so the KDC can reject a wrong password without issuing anything.

  2. AS-REP: The KDC returns the TGT, encrypted with the krbtgt key so the client cannot read or alter it, plus a session key encrypted with the user's key.

  3. TGS-REQ: To reach a service, the client sends the TGT, an authenticator, and the target's Service Principal Name (SPN) to the KDC.

  4. TGS-REP: The KDC returns a service ticket encrypted with the service account's key. It contains the user's identity and group SIDs (the PAC), which is how the service authorizes without calling the DC.

  5. AP-REQ: The client presents the service ticket to the service, which decrypts it with its own key; the KDC is not involved in this step. Tickets are cached on the client (klist lists them) and a TGT is valid for 10 hours by default.
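The following Windows PowerShell script drives steps 3 and 4 from the client side and then inspects the ticket cache. It is an added example, not code from the original post; it needs Windows PowerShell 5.1 on a domain-joined host (System.IdentityModel is a .NET Framework assembly), and the SPN HTTP/intranet.corp.example is made up.

```powershell
# Added example: request a service ticket for an SPN and inspect the Kerberos ticket cache.
Add-Type -AssemblyName System.IdentityModel

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string]$Spn)
    # Constructing this token makes LSASS send a TGS-REQ (cached TGT + SPN) to
    # the KDC and cache the TGS-REP's service ticket. Nothing is sent to the
    # service itself; the AP-REQ only happens when a client actually connects.
    $null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
}

function Get-CachedTickets {
    # klist prints one "#N>" block per ticket; turn each block into an object.
    $text   = klist | Out-String
    $blocks = $text -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' }
    foreach ($b in $blocks) {
        [pscustomobject]@{
            Client     = [regex]::Match($b, 'Client:\s+(.+?)\r?\n').Groups[1].Value.Trim()
            Server     = [regex]::Match($b, 'Server:\s+(.+?)\r?\n').Groups[1].Value.Trim()
            Encryption = [regex]::Match($b, 'KerbTicket Encryption Type:\s+(.+?)\r?\n').Groups[1].Value.Trim()
            Expires    = [regex]::Match($b, 'End Time:\s+(.+?)\r?\n').Groups[1].Value.Trim()
        }
    }
}

$spn = 'HTTP/intranet.corp.example'   # assumed SPN; must exist in your domain
Request-ServiceTicket -Spn $spn

# The TGT (krbtgt/REALM) and the new service ticket should both be cached now.
Get-CachedTickets |
    Where-Object { $_.Server -like 'krbtgt/*' -or $_.Server -like "$spn*" } |
    Format-Table -AutoSize

# Security check: a service ticket encrypted with RC4-HMAC means the service
# account still accepts RC4, so anyone who can request that ticket can try to
# crack the account's password offline (Kerberoasting). AES tickets are the goal.
Get-CachedTickets | Where-Object { $_.Encryption -match 'RC4' } |
    ForEach-Object { Write-Warning "RC4 ticket cached for $($_.Server)" }
```

On the DC, step 1 and 2 produce Security event 4768 and steps 3 and 4 produce event 4769; both carry a Ticket Encryption Type field (0x12 is AES-256, 0x17 is RC4). A burst of 4769 events with 0x17 from one account is the textbook Kerberoasting detection.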


Question 8: What is the difference between a forest and a domain in Active Directory?


Answer: A domain is a logical grouping of objects (users, groups, computers) that share one directory partition, replicated among that domain's DCs, plus one set of security principals, one password policy and one namespace (corp.example). Policies and delegation are scoped within it.

A forest is a collection of one or more domains that share a common schema, configuration partition and Global Catalog, joined by automatic two-way transitive trusts. The forest is the top of the AD hierarchy and, importantly, it is the security boundary: the domain is only an administrative boundary. Enterprise Admins (and anyone who compromises a single DC in any domain) can take control of the whole forest, so two organizations that must not be able to take each other over need separate forests, not separate domains.


Question 9: How do you perform an authoritative restore in Active Directory?


Answer: A normal (non-authoritative) restore brings a DC's copy of the database back from backup and then lets replication overwrite it with the current state of the other DCs, which would simply delete the object again. An authoritative restore marks the restored object (or subtree) so that its version numbers are higher than on any other replica; it then wins and is replicated back out to every DC. Steps:

  1. Boot into Directory Services Restore Mode (DSRM): on current Windows Server versions run bcdedit /set safeboot dsrepair and restart (F8 at boot works on older versions), then log on with the local DSRM administrator password that was set when the DC was promoted.

  2. Restore the system state from backup: wbadmin get versions lists the available backups and wbadmin start systemstaterecovery -version:<version identifier> -quiet restores ntds.dit and SYSVOL. Do not reboot yet.

  3. Mark the object (or a whole subtree) as authoritative with ntdsutil:

    ntdsutil
    activate instance ntds
    authoritative restore
    restore object <object-DN>
    quit
    quit

  Use restore subtree <OU-DN> instead of restore object to bring back an OU with everything in it.

  4. Reboot normally (bcdedit /deletevalue safeboot first if you set it) and confirm the object replicates to the other DCs, for example with repadmin /showobjmeta on another DC.

If the AD Recycle Bin is enabled (available from the Windows Server 2008 R2 forest functional level), a deletion inside the deleted-object lifetime is undone online with Restore-ADObject, with no backup and no DSRM. In an interview, lead with the Recycle Bin and give the authoritative restore as the fallback for when it was never enabled.
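Both paths in one script, as an added example that is not from the original post: the online Recycle Bin restore when it is available, and the DSRM ntdsutil invocation otherwise. It assumes the RSAT ActiveDirectory module; the OU name "Finance" and DN OU=Finance,DC=corp,DC=example are made up.

```powershell
# Added example: restore a deleted object via the Recycle Bin, or authoritatively from DSRM.
Import-Module ActiveDirectory

function Test-RecycleBinEnabled {
    # EnabledScopes stays empty until Enable-ADOptionalFeature is run; it cannot be undone.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
}

function Restore-DeletedAdObject {
    param([Parameter(Mandatory)][string]$LastKnownRdn)   # e.g. 'Finance'
    # Deleted objects keep their former name in msDS-LastKnownRDN. The parent must
    # exist already; children are put back in a second pass, explicitly under the
    # restored object, so it does not matter which DN form lastKnownParent holds.
    $obj = Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$LastKnownRdn))"
    if (-not $obj) { throw "No deleted object named '$LastKnownRdn' within the deleted-object lifetime" }
    $obj | Restore-ADObject
    $restoredDn  = (Get-ADObject -Identity $obj.ObjectGUID).DistinguishedName
    $rdn         = ($restoredDn -split ',', 2)[0]                  # 'OU=Finance'
    $parentMatch = '^' + [regex]::Escape($rdn) + '(,|\\0ADEL:)'     # live or mangled parent DN
    Get-ADObject -IncludeDeletedObjects -LDAPFilter '(isDeleted=TRUE)' -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -match $parentMatch } |
        ForEach-Object { Restore-ADObject -Identity $_.ObjectGUID -TargetPath $restoredDn }
    return $restoredDn
}

function Invoke-AuthoritativeRestore {
    param([Parameter(Mandatory)][string]$Dn, [switch]$Subtree)
    # Run only inside DSRM, after "wbadmin start systemstaterecovery -version:<id> -quiet"
    # and before rebooting. ntdsutil accepts its menu commands as arguments.
    $verb = if ($Subtree) { 'restore subtree' } else { 'restore object' }
    & ntdsutil 'activate instance ntds' 'authoritative restore' "$verb `"$Dn`"" 'quit' 'quit'
}

if (Test-RecycleBinEnabled) {
    Restore-DeletedAdObject -LastKnownRdn 'Finance'
} else {
    Write-Warning 'Recycle Bin is off: boot into DSRM, restore the system state, then run'
    Write-Warning 'Invoke-AuthoritativeRestore -Dn "OU=Finance,DC=corp,DC=example" -Subtree'
}
```

After the DSRM path, repadmin /showobjmeta <DC> <DN> on another DC shows the bumped version numbers arriving, which is the proof that the restore was authoritative.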


Question 10: What is LDAP and how is it used in Active Directory?


Answer: LDAP (Lightweight Directory Access Protocol) is the protocol for reading and writing a directory. In Active Directory it is how clients and admin tools talk to a domain controller: Active Directory Users and Computers, the ActiveDirectory PowerShell module, and most directory-aware applications all issue LDAP operations (bind, search, compare, add, modify, delete) to a DC on TCP 389, or 636 for LDAPS; the Global Catalog listens on 3268 and 3269. Windows logon itself uses Kerberos, not LDAP, but applications can authenticate users by binding to a DC with a username and password (a simple bind). Because a simple bind over port 389 sends the password in clear text and an unsigned session can be tampered with, DCs should be configured to require LDAP signing and channel binding, and applications should use LDAPS or a Kerberos (SASL) bind.
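As an added example (not from the original post), here is an LDAP search issued the way an application does it, through .NET's DirectorySearcher against the domain the session is joined to. It assumes a domain-joined Windows host and the logged-on user's rights; the two filters are the kind of check an auditor runs and go a little beyond the answer above.

```powershell
# Added example: paged LDAP search from PowerShell, with two audit filters.
function Search-Ldap {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('sAMAccountName', 'userAccountControl', 'servicePrincipalName'),
        [int]$PageSize = 500
    )
    # RootDSE gives the domain naming context. The bind uses the current logon
    # identity through SSPI (Kerberos), not a clear-text simple bind.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($rootDse.defaultNamingContext)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter, $Properties)
    $searcher.PageSize = $PageSize   # paged-results control; a DC caps an unpaged search at 1000 entries
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{ DN = $result.Path }
        foreach ($p in $Properties) { $row[$p] = @($result.Properties[$p.ToLower()]) -join ';' }
        [pscustomobject]$row
    }
}

# userAccountControl is a bit field; the OID is the LDAP bitwise-AND matching rule.
# 0x400000 (4194304) = DONT_REQ_PREAUTH: the KDC issues an AS-REP for these accounts
# without proof of the password, and that reply can be cracked offline (AS-REP roasting).
$noPreauth = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
# User accounts carrying an SPN: any domain user can request their service ticket (Kerberoasting).
$spnUsers  = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'

Search-Ldap -Filter $noPreauth | Format-Table -AutoSize
Search-Ldap -Filter $spnUsers  | Format-Table -AutoSize
```

Get-ADUser -LDAPFilter accepts the same filter strings; the point of going through DirectorySearcher is to see what an application bind and a paged search look like. If the DC enforces LDAP signing, this script is unaffected because the SSPI bind negotiates signing; a plain simple bind from a legacy application would be refused.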


Active Directory Scenario-Based Interview Questions


Question 11: How would you troubleshoot a user who is unable to log in to the domain?

Answer: Work from the account outward, cheapest check first:

  1. Check Account Status: Ensure the account is not disabled or locked out (and if it is locked, find out which host is sending the bad passwords before unlocking it).

  2. Verify Credentials: Confirm the user is entering the right username and password and logging on to the domain, not the local machine.

  3. Check Group Membership and User Rights: If logon fails only on one machine, check the "Allow log on locally" and "Deny log on" rights on that machine and which groups the user is in.

  4. Review Account Properties: Check whether the account or password has expired and whether logon hours or logon workstations are restricted.

  5. Examine Network Connectivity and Time: Ensure the client can resolve and reach a DC (DNS, ports 88, 389 and 445). A clock more than 5 minutes off the DC breaks Kerberos, and a broken computer account secure channel (Test-ComputerSecureChannel) lets cached logons work while fresh domain logons fail.

  6. Inspect the Domain Controller: Verify the DC is up, replicating, and not out of RIDs or disk; dcdiag and repadmin /replsummary cover the common failures.

  7. Review Event Logs: On the client, Security event 4625 carries a sub-status that names the cause (0xC000006A wrong password, 0xC0000234 locked out, 0xC0000072 disabled, 0xC0000193 account expired, 0xC0000071 password expired, 0xC000006F outside logon hours, 0xC0000070 workstation restriction). On the DC, 4771 and 4776 record the Kerberos or NTLM failure and 4740 records the lockout.
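The checklist as a script, as an added example that is not from the original post. It assumes the RSAT ActiveDirectory module, permission to read the DC's Security log remotely, and a made-up user named alice.

```powershell
# Added example: account-side, network-side and DC-log checks for a failed domain logon.
Import-Module ActiveDirectory

function Get-LogonBlockers {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Steps 1, 2 and 4: every account-side reason a correct password is still refused.
    $u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, PasswordExpired,
        AccountExpirationDate, LogonWorkstations, logonHours, BadLogonCount, LastBadPasswordAttempt
    $issues = @()
    if (-not $u.Enabled)      { $issues += 'account is disabled' }
    if ($u.LockedOut)         { $issues += "account is locked out ($($u.BadLogonCount) bad logons, last at $($u.LastBadPasswordAttempt))" }
    if ($u.PasswordExpired)   { $issues += 'password has expired' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { $issues += "account expired on $($u.AccountExpirationDate)" }
    if ($u.LogonWorkstations) { $issues += "logon restricted to: $($u.LogonWorkstations)" }
    if ($u.logonHours)        { $issues += 'logon hours have been edited; check them in ADUC' }
    return $issues
}

function Test-DomainControllerReachable {
    param([string]$Server = "$((Get-ADDomainController -Discover).HostName)")
    # Step 5: Kerberos (88), LDAP (389) and SMB (445, needed for SYSVOL and Group Policy).
    foreach ($port in 88, 389, 445) {
        [pscustomobject]@{
            Server = $Server
            Port   = $port
            Open   = Test-NetConnection -ComputerName $Server -Port $port -InformationLevel Quiet
        }
    }
}

function Get-RecentLogonFailures {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainController = (Get-ADDomain).PDCEmulator,
        [int]$Hours = 24
    )
    # Step 7, DC side. 4771 = Kerberos pre-auth failed (0x18 wrong password,
    # 0x12 account disabled/expired/locked), 4776 = NTLM validation failed,
    # 4740 = lockout. The PDC Emulator is the place to look because other DCs
    # forward bad-password attempts to it. 4625 lives on the client, not here.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776, 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "(?i)\b$([regex]::Escape($SamAccountName))\b" } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-LogonBlockers -SamAccountName 'alice'            # assumed user
Test-DomainControllerReachable | Format-Table -AutoSize
Get-RecentLogonFailures -SamAccountName 'alice'
```

Clock skew and the secure channel are checked on the client itself: w32tm /stripchart /computer:<dc> for time, and Test-ComputerSecureChannel (with -Repair if it returns False) for the computer account.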


Question 12: What steps would you take to migrate Active Directory to a new server?

Answer: "Migrating" AD to new hardware means adding a new domain controller alongside the old one and then retiring the old one; you never copy the database across:

  1. Install Active Directory Domain Services (AD DS): Build the new server, point its DNS at an existing DC, and install the role (Install-WindowsFeature AD-Domain-Services).

  2. Promote the New Server to a Domain Controller: Use the AD DS Configuration Wizard or Install-ADDSDomainController, making it a DNS server and a Global Catalog if the old one was.

  3. Transfer FSMO Roles: Use Move-ADDirectoryServerOperationMasterRole, ntdsutil, or the MMC consoles (Active Directory Users and Computers for the domain roles, Domains and Trusts and the Schema snap-in for the forest roles). Transfer while both DCs are online; seize only if the old DC is permanently gone, and never bring a seized-from DC back onto the network.

  4. Update DNS Settings: Repoint clients, DHCP scopes and other servers from the old DC's address to the new one, and confirm the new DC's SRV records exist under _msdcs.

  5. Let Replication Finish: Wait for AD and SYSVOL replication to complete, then find anything hard-coded to the old DC's name or address (LDAP-bound applications, the time source, RADIUS servers).

  6. Demote the Old Server: Use the AD DS Configuration Wizard or Uninstall-ADDSDomainController, which removes it cleanly from the directory; if it can no longer be demoted, clean up its metadata with ntdsutil or from Active Directory Users and Computers.

  7. Verify: repadmin /replsummary and dcdiag should be clean, and Get-ADDomain and Get-ADForest should show every role on the new DC.
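Steps 3 and 7 as a script, run from an admin workstation after the new DC has been promoted. It is an added example, not from the original post; it assumes the RSAT ActiveDirectory and DnsClient modules, and the DC names DC02 (new) and DC01 (old) are made up.

```powershell
# Added example: transfer all FSMO roles to the new DC and verify the migration.
Import-Module ActiveDirectory

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$NewDc)
    # Graceful transfer: both DCs are online and the old holder hands over cleanly.
    # Add -Force only to SEIZE from a DC that is permanently dead, and never let
    # that DC back on the network afterwards (it still believes it holds the roles).
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
}

function Test-MigrationComplete {
    param([Parameter(Mandatory)][string]$NewDc, [Parameter(Mandatory)][string]$OldDc)
    $domain  = Get-ADDomain
    $forest  = Get-ADForest
    $new     = Get-ADDomainController -Identity $NewDc
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                 $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    # DC locator SRV records: the new DC must be advertised, the old one must
    # disappear once it has been demoted.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AllRolesOnNewDc   = @($holders | Where-Object { $_ -ne $new.HostName }).Count -eq 0
        NewDcIsGc         = [bool]$new.IsGlobalCatalog
        NewDcHasSrvRecord = [bool]($srv | Where-Object { $_.NameTarget -eq $new.HostName })
        OldDcStillInSrv   = [bool]($srv | Where-Object { $_.NameTarget -like "$OldDc.*" })
        ReplicationErrors = @(Get-ADReplicationFailure -Target $NewDc).Count
    }
}

Move-AllFsmoRoles -NewDc 'DC02'                        # assumed names
Test-MigrationComplete -NewDc 'DC02' -OldDc 'DC01'
```

OldDcStillInSrv is expected to be True until the old server is demoted (Uninstall-ADDSDomainController on that server) and its records age out or are removed; ReplicationErrors should be 0 before you demote anything.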


Question 13: How can you enforce password policies in Active Directory?


Answer: The domain password policy is enforced through Group Policy, with one subtlety interviewers like to probe: the settings only take effect from a GPO linked at the domain root (by default the Default Domain Policy), because the domain controllers read them from there and write them to the domain object. A password policy linked to an OU changes only the local accounts on the computers in that OU. Steps:

  1. Open Group Policy Management: Go to the Group Policy Management Console (GPMC).

  2. Edit the Default Domain Policy: Right-click it and select "Edit" (or use a dedicated GPO linked at the domain with higher precedence).

  3. Navigate to Password Policies: Go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy; Account Lockout Policy sits beside it.

  4. Configure Settings: Set minimum length, complexity, maximum and minimum age, and history, and leave "Store passwords using reversible encryption" disabled.

  5. Apply and Refresh: Run gpupdate /force on a domain controller (DCs refresh policy every 5 minutes anyway) and confirm the result with Get-ADDefaultDomainPasswordPolicy.

One domain policy rarely fits everyone. For a stricter policy on admins or a different lockout threshold for service accounts, create a Fine-Grained Password Policy (a Password Settings Object), which overrides the domain policy for the users and global security groups it is applied to.
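As an added example that is not from the original post, the following script audits the effective domain policy and then creates the fine-grained policy described above. It assumes the RSAT ActiveDirectory module; the group Tier0-Admins and the PSO name PSO-Privileged are made up.

```powershell
# Added example: audit the domain password policy and apply a stricter PSO to a privileged group.
Import-Module ActiveDirectory

function Get-PasswordPolicyFindings {
    # Reads the effective domain policy, i.e. what the domain-root GPO wrote to the domain object.
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($p.MinPasswordLength -lt 14)    { $findings += "MinPasswordLength is $($p.MinPasswordLength); 14 or more is the usual baseline" }
    if (-not $p.ComplexityEnabled)      { $findings += 'complexity is disabled' }
    if ($p.ReversibleEncryptionEnabled) { $findings += 'reversible encryption is ON: passwords are recoverable from ntds.dit' }
    if ($p.LockoutThreshold -eq 0)      { $findings += 'no lockout threshold: online password guessing is unlimited' }
    if ($p.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount)" }
    return $findings
}

function New-PrivilegedPasswordPolicy {
    param([string]$Group = 'Tier0-Admins', [string]$Name = 'PSO-Privileged')   # assumed names
    # A PSO overrides the domain policy for the users and global security groups
    # it is applied to; when several apply, the lowest Precedence wins.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
            -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
            -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    Get-ADFineGrainedPasswordPolicy -Identity $Name -Properties AppliesTo
}

Get-PasswordPolicyFindings
New-PrivilegedPasswordPolicy

# Resultant policy for one member proves the PSO, not the domain policy, now applies.
$member = Get-ADGroupMember -Identity 'Tier0-Admins' | Select-Object -First 1
if ($member) { Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName }
```

The findings function deliberately only reports: fixing the domain policy by editing the domain object directly is undone at the next policy refresh, so the durable fix is the GPO edit in the steps above, and per-group exceptions belong in a PSO.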

2 Comments


Emily DeFrance
Jun 27

How would you secure your domain controller?

CyberBrewTom
Jun 27

First and foremost, assuming it's a physical server hosting Active Directory, make sure that it's physically secure; for example, only authorized personnel should have access to the server room it is located in. It's easy to overlook physical security, but it can be the quickest way for a server to be disrupted. Next, I would look to focus on logically securing the server itself: strong administrative controls regarding the accounts that actually have access to make changes on the server. Think strong password complexity requirements, MFA, and so forth. Next, to keep up with the security of the server it is very important to keep up to date with vulnerabilities of any of the services on the AD…
