35 Active Directory Interview Questions and Answers

By Victor Ashiedu

Are you attending a Windows SysAdmin interview and need real-world Active Directory questions and answers? I have compiled 35 Active Directory interview questions and answers.

General Active Directory Interview Questions

Question 1: What is Active Directory?

Answer: Active Directory is a Microsoft directory service that stores information about objects in a network. AD also makes it easy for the stored data to be accessed by authorized users.

Additional Information: There are many variations of the definition of AD. What matters is to mention two things: 1) it is a Microsoft directory service, and 2) it securely stores data about AD objects and controls access to those objects.

Question 2: Give 5 Examples of AD Objects

Answer: Users, Computers, Printers, Groups and Organizational units (OUs)

Additional Information: There are many you can pick from; I have listed 5 above. You could also choose from the list in the article at this link: Active Directory Objects List.

Question 3: Name 2 Protocols Used by AD and Explain Them

Answer: The first of the 2 protocols used by AD is LDAP (Lightweight Directory Access Protocol). LDAP serves the purpose of querying or modifying objects in AD.

The second Active Directory protocol is Kerberos. It is used for AD authentication.

There are two parts to this AD interview question. One, name the 2 protocols used by AD. Two, explain the protocols.

Question 4: What is a Domain Controller?

Answer: A Domain Controller (DC) is a Windows Server running Active Directory Domain Services (AD DS). AD DS is installed on a Windows Server when it is promoted to a DC.

Question 5: What is an Active Directory Forest? What is the difference between a Forest and a Domain?

Answer 1: An AD Forest is a collection of interconnected AD Domains that trust each other.

Answer 2: The difference between an AD Domain and a Forest is that the Domain is part of the forest.

Additional Information: This question is two questions bundled into one. When you attend an AD interview, or any interview, it is important to listen attentively to the questions and ensure you provide a complete answer.

Active Directory Interview Questions (Installation)

The next set of Active Directory interview questions will focus on AD installation including installation requirements.

Question 6: What Are the Minimum Requirements for Installing AD in Windows Server 2016?

Answer: AD installation does not have specified minimum requirements. However, there are minimum installation requirements for Windows Server 2016. These minimum installation requirements are:

  1. 1.4 GHz 64-bit processor or faster
  2. 512 MB of RAM or greater
  3. 32 GB of disk space or greater
  4. Ethernet network adapter

This question is very tricky. Why? Because there are no minimum requirements for installing AD. The minimum requirements specified are for installing Windows Server 2016.

Question 7: To Install AD You Require a DNS Server. What Conditions Must the DNS Server Meet to Support Active Directory?

Answer: For a DNS server to support Active Directory, the server must support the service (SRV) resource record type. Also, it must support the dynamic update protocol.

Additional Information: This question is testing your knowledge of the DNS requirements for AD. It is important to note that to install AD, you require a DNS server. However, you do not necessarily need to deploy a Microsoft DNS server. Any DNS server that meets these two requirements can support AD.

For more information read How DNS Support for Active Directory Works.
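The two DNS conditions from Question 7 can be checked from PowerShell. The following is an added example, not code from the article: it assumes the DnsClient module (present on any Windows host) and, for the dynamic-update part, the DnsServer module on the Microsoft DNS server hosting the zone; the domain name is a constructed placeholder.

```powershell
# Added example (not from the article): check the two DNS requirements from
# Question 7 - SRV resource records and dynamic update - for one domain.
function Test-AdDnsSupport {
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. corp.example (constructed)
        [string]$DnsServer                       # optional: query a specific server
    )
    # SRV records the DC locator relies on; a DNS server that cannot serve
    # these cannot support AD no matter what else it does.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",      # LDAP on domain controllers
        "_kerberos._tcp.dc._msdcs.$Domain",  # Kerberos KDCs
        "_ldap._tcp.pdc._msdcs.$Domain",     # PDC emulator
        "_ldap._tcp.$Domain"                 # LDAP servers for the domain
    )
    foreach ($name in $srvNames) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        # Resolve-DnsName also returns A records from the additional section,
        # so keep only the SRV answers.
        $records = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            Record  = $name
            Found   = $records.Count -gt 0
            Targets = ($records | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

$domain  = 'corp.example'                # constructed; or (Get-ADDomain).DNSRoot
$results = Test-AdDnsSupport -Domain $domain
$results | Format-Table -AutoSize
if ($results.Found -contains $false) {
    Write-Warning 'AD SRV records missing: clients will not be able to locate a DC.'
}

# Dynamic update (run on the DNS server). 'Secure' is the expected value for an
# AD-integrated zone; 'None' means DCs cannot register their own records.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    Get-DnsServerZone -Name $domain | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}
```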

Question 8: What is the Name of the GUI Tool You Use to Promote a Windows Server 2016 to a Domain Controller?

Answer: Server Manager

Additional Information: This question specifically asked about a GUI tool.

Question 9: What is the Name of the Role You Install in Server Manager to Promote a Server to a Domain Controller?

Answer: Active Directory Domain Services

Question 10: Can You Use DCPROMO to Promote a Windows Server to Domain Controller? Please Give Details.

Answer: No, you can no longer use DCPROMO to promote a Member Server to a Domain Controller. The feature was deprecated in Windows Server 2012 and moved to Server Manager.

Note: This question is testing your knowledge of changes in Windows Server features.

Though DCPROMO has been deprecated, you have another command line option: PowerShell. You can still promote a Server to DC using PowerShell. See the Active Directory questions relating to PowerShell later.

Active Directory Interview Questions (Infrastructure)

This section will cover Active Directory interview questions relating to AD infrastructure.

Question 11: What is the Active Directory Schema?

Answer: The AD Schema defines object classes and their attributes. An example of an object class is User. The User object has attributes such as First Name, Last Name and Email.

Question 12: Name the 4 types of Forest Trusts You Can Create in AD?

Answer: External, Forest, Shortcut, and Realm trusts.

Additional Information: Forest Trusts allow 2 Active Directory Domains to communicate with each other and share resources.

Question 13: Name a GUI Tool You can Use to Create and Manage Trusts in AD?

Answer: Active Directory Domains and Trusts

Question 14: Name a Command Line Tool You Can Use to Manage AD Replication.

Answer: Repadmin

Additional Information: To get the command line options for Repadmin, run the following command on a Domain Controller:

Repadmin /?
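Beyond listing Repadmin's options, the check an admin actually runs is a replication health summary. The following is an added example, not code from the article: it uses the ActiveDirectory module's replication cmdlets (assumed available through RSAT, with rights to query every DC) and lists the Repadmin equivalents at the end.

```powershell
# Added example (not from the article): summarise inbound replication for every
# DC in the domain and flag stale links, then the matching Repadmin commands.
Import-Module ActiveDirectory

function Get-AdReplicationHealth {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per inbound partner and partition on this DC.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $dc.HostName
                    # Partner is the DN of the partner's NTDS Settings object;
                    # the second RDN is the partner's server name.
                    Partner     = ($_.Partner -split ',')[1] -replace '^CN='
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    LastResult  = $_.LastReplicationResult          # 0 = success
                    Failures    = $_.ConsecutiveReplicationFailures
                }
            }
    }
}

$health = Get-AdReplicationHealth
$health | Sort-Object LastSuccess | Format-Table -AutoSize

# Any link that has not replicated in 24 hours deserves a look before it
# approaches the tombstone lifetime and the DC becomes unrecoverable.
$stale = @($health | Where-Object { $_.LastSuccess -lt (Get-Date).AddHours(-24) })
if ($stale.Count -gt 0) { Write-Warning "$($stale.Count) replication link(s) stale for over 24h" }

# Forest-wide list of links that are currently failing.
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

# The same checks with Repadmin, run on a DC:
#   repadmin /replsummary        # per-DC largest delta and failure counts
#   repadmin /showrepl * /csv    # every inbound link; pipe to ConvertFrom-Csv
#   repadmin /syncall /AdeP      # force a sync of all partitions across all DCs
```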

Question 15: What AD GUI Tool Can You Use to Configure Replication Between Two Domain Controllers?

Answer: Active Directory Sites and Services

Question 16: Name the 5 Flexible Single Master Operations (FSMO) Roles?

Answer: Schema Master, Domain Naming Master, RID Master, PDC Emulator and Infrastructure Master.

Additional Information: FSMO may be pronounced "FiSMO". So if you hear "name the 5 FiSMO roles", it is the same question. To read more about the FSMO roles, read my tutorial Active Directory: Concepts, Installation & Administration.

Question 17: What is the Difference Between Multi-Master and Single-Master AD Operations?

Answer: Multi-master AD operation means that all Domain Controllers have writable copies of the Active Directory database. This means that any DC can update the AD database and replicate the changes to other Domain Controllers.

On the other hand, a Single-master AD operation means that one DC is designated an operations role and only that DC can carry out that operation and update other DCs.

Additional Information: The reason for Single-master AD operation is the nature of the tasks that require Single-master operations. If two DCs were to perform these operations at the same time, it would lead to conflict. To learn more about FSMO roles, multi-master and single-master operations, read my Active Directory tutorial.

Active Directory Interview Questions (Configuration)

The Active Directory interview questions covered in this category are about service accounts, managed service accounts, Service Principal Names and Kerberos delegation.

Question 18: What is the Difference Between Service Accounts and Managed Service Accounts?

Answer: A service account is a user account that is created to isolate a service or application. Managed Service Accounts, on the other hand, are managed domain accounts that resolve limitations of normal service accounts, such as password and SPN management.

Additional Information: Managed service accounts (MSAs) were introduced with Windows Server 2008 R2. MSAs resolve some of the challenges faced by administrators using the native service accounts to manage applications.

Specifically, MSAs provide the following solutions:

  1. Automatic password management (automatically updated every 30 days)
  2. Simplified Service Principal Name (SPN) management, including delegation of management to other administrators.

Question 19: Name 2 Limitations of Normal Service Accounts

Answer: Service Account Lockout and Service account password expiration.

Additional Information: If a service account is used by multiple applications and the password is changed, an administrator will be required to update the password on all the applications. However, if the administrator forgets to update it on one of the applications, the application will attempt to use the old password and in the process, may lock out the account.

Also, if a service account password were to expire, this would prevent the service account from running the application until the password is changed. So a service account password is usually configured not to expire. This poses a significant security risk.
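The two limitations from Question 19 are easy to find in your own domain. The following is an added example, not code from the article: it assumes the ActiveDirectory module and treats "service account" as an enabled user account with at least one SPN registered (adjust the filter to your naming standard).

```powershell
# Added example (not from the article): find service accounts whose password
# never expires or has not been rotated, and accounts currently locked out.
Import-Module ActiveDirectory

function Get-RiskyServiceAccount {
    $props = 'ServicePrincipalName', 'PasswordNeverExpires', 'PasswordLastSet',
             'LockedOut', 'LastLogonDate'
    # Assumption: a user account carrying an SPN is used as a service account.
    Get-ADUser -Filter { Enabled -eq $true -and ServicePrincipalName -like '*' } -Properties $props |
        ForEach-Object {
            $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Name            = $_.SamAccountName
                SPNs            = $_.ServicePrincipalName.Count
                NeverExpires    = $_.PasswordNeverExpires
                PasswordAgeDays = $ageDays
                LockedOut       = $_.LockedOut
                LastLogon       = $_.LastLogonDate
            }
        }
}

$accounts = Get-RiskyServiceAccount

# Risk 1 (password expiration worked around): never expires and not rotated in a year.
$accounts | Where-Object { $_.NeverExpires -and $_.PasswordAgeDays -gt 365 } |
    Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Risk 2 (lockout): usually an application still presenting the old password.
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LastLogonDate

# Candidates for migration to Managed Service Accounts, where rotation is automatic.
$accounts | Where-Object NeverExpires | Select-Object -ExpandProperty Name
```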

Question 20: Name 5 Benefits of Managed Service Accounts

Answer: The following are the benefits of Managed Service Accounts:

  1. Passwords changed automatically every 30 days.
  2. The password is randomly generated using 120 characters.
  3. MSAs are bound only to one computer.
  4. MSAs can be placed into groups. This provides a work-around to give them access to other resources on the network.
  5. Automatic Service Principal Name (SPN) registration.

Question 21: Name the Windows Tool You Use to Create Managed Service Accounts

Answer: Windows PowerShell
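Questions 20 and 21 come together in the PowerShell sequence that creates a standalone MSA bound to one computer. The following is an added example, not code from the article: the account and host names are constructed, the first part runs on a DC or admin workstation with the ActiveDirectory module, and the last two commands run on the application server itself.

```powershell
# Added example (not from the article): create a standalone Managed Service
# Account, bind it to exactly one computer, register its SPN and verify it.
Import-Module ActiveDirectory

$msaName  = 'svc-webapp'    # constructed
$hostName = 'APP01'         # constructed: the only computer allowed to use the MSA
$fqdn     = "$hostName.$((Get-ADDomain).DNSRoot)"

# 1. Create the MSA. -RestrictToSingleComputer makes it a standalone MSA rather
#    than a group MSA, so no KDS root key is required.
New-ADServiceAccount -Name $msaName -RestrictToSingleComputer -Enabled $true `
    -Description 'Web app service identity (constructed example)'

# 2. Link the MSA to the one computer that may retrieve its password. The
#    password is generated by AD and rotated automatically (30 days by default).
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. Register the SPN clients will use for this service on the MSA.
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{ Add = "HTTP/$fqdn" }

# 4. Confirm the binding and the SPN before handing the account to the app team.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, ServicePrincipalName |
    Select-Object Name, HostComputers, ServicePrincipalName

# --- On APP01 itself, as a local administrator ---
# Install-ADServiceAccount caches the MSA so services can run as "DOMAIN\svc-webapp$"
# with a blank password; Test-ADServiceAccount must return True before you
# configure the service to use it.
#   Install-ADServiceAccount -Identity 'svc-webapp'
#   Test-ADServiceAccount -Identity 'svc-webapp'
```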

Question 22: What Is a Service Principal Name (SPN)?

Answer: A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service.

Additional Information: If multiple instances of a service are installed on computers throughout a forest, each instance must have its own SPN. A given service instance may have multiple SPNs if there are multiple names that clients might use for authentication.

Question 23: Name One GUI Tool and One Command Line Tool You Can Use to Create a Service Principal Name.

Answer 1 (GUI Tool): Active Directory Users and Computers

Answer 2 (Command Line Tool): Setspn
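The rule in Question 22 that each service instance must have its own SPN is what Setspn's duplicate check enforces; an SPN registered on two accounts breaks Kerberos for that service. The following is an added example, not code from the article: it reproduces the forest-wide duplicate search in PowerShell (assuming the ActiveDirectory module and a reachable Global Catalog) and lists the Setspn commands that do the same job.

```powershell
# Added example (not from the article): find SPNs registered on more than one
# account across the forest, then the equivalent Setspn commands.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    # Query a Global Catalog on port 3268 with an empty search base to cover
    # every domain in the forest in one search.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0] + ':3268'
    $objects = Get-ADObject -Server $gc -SearchBase '' -LDAPFilter '(servicePrincipalName=*)' `
        -Properties servicePrincipalName
    $table = @{}
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            # SPNs are compared case-insensitively; normalise before grouping.
            $key = $spn.ToLowerInvariant()
            if (-not $table.ContainsKey($key)) { $table[$key] = @() }
            $table[$key] += $obj.DistinguishedName
        }
    }
    foreach ($entry in $table.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ SPN = $entry.Key; Accounts = ($entry.Value -join '; ') }
        }
    }
}

Find-DuplicateSpn | Format-Table -Wrap

# The same check and a safe registration with Setspn (run on a DC or with RSAT):
#   setspn -X                                        # forest-wide duplicate report
#   setspn -S HTTP/app01.corp.example svc-webapp     # -S refuses duplicates; -A does not check
#   setspn -L svc-webapp                             # list SPNs on the account
```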

Question 24: What is Kerberos delegation?

Answer: Kerberos Delegation is permitting another computer or service to allow a Kerberos ticket to be created for another service on the originating user’s behalf.

Additional Information: Kerberos is a secure ticket-based protocol for authenticating a service request. It is integral to the Active Directory security structure.
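Because delegation lets one service obtain tickets on a user's behalf, the first thing a reviewer wants is an inventory of which accounts are configured for it and in which form. The following is an added example, not code from the article: it assumes the ActiveDirectory module and classifies each account as unconstrained, constrained (with or without protocol transition) or resource-based.

```powershell
# Added example (not from the article): list every computer and user configured
# for Kerberos delegation so the list can be reviewed against what is needed.
Import-Module ActiveDirectory

function Get-KerberosDelegationConfig {
    # userAccountControl bit 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained);
    # msDS-AllowedToDelegateTo = constrained; the ActOnBehalf attribute = resource-based.
    $ldap  = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
             '(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount'
    $found = @(Get-ADComputer -LDAPFilter $ldap -Properties $props) +
             @(Get-ADUser -LDAPFilter $ldap -Properties $props)
    foreach ($obj in $found) {
        $targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $type = if ($obj.TrustedForDelegation) { 'Unconstrained' }   # any user, any service
                elseif ($targets.Count -gt 0) {
                    if ($obj.TrustedToAuthForDelegation) { 'Constrained+ProtocolTransition' }
                    else { 'Constrained' }
                } else { 'ResourceBased' }
        [pscustomobject]@{
            Account   = $obj.SamAccountName
            Class     = $obj.ObjectClass
            Type      = $type
            Targets   = ($targets -join ', ')
            AllowedBy = (@($obj.PrincipalsAllowedToDelegateToAccount) -join ', ')
        }
    }
}

$cfg = Get-KerberosDelegationConfig
$cfg | Sort-Object Type | Format-Table -AutoSize

# Domain controllers are trusted for delegation by default; unconstrained
# delegation on any other computer is the setting to question first.
$dcNames = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_$" }
$cfg | Where-Object { $_.Type -eq 'Unconstrained' -and $_.Class -eq 'computer' -and $_.Account -notin $dcNames }

# Counterpart control: mark privileged users as not delegable, or add them to
# the Protected Users group.
#   Set-ADUser -Identity <admin-account> -AccountNotDelegated $true
```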

Question 25: What is Universal Group Membership Caching (UGMC)?

Answer: UGMC is a process where a Domain Controller (with UGMC enabled) retrieves Universal Group Membership information from a Global Catalog server. This happens when a user logs on to the domain for the first time. The DC then caches the information.

On subsequent logon requests by the same user, the domain controller (with UGMC enabled) uses cached universal group memberships. It means that the DC does not have to contact a global catalog server.

Additional Information: In a multi-domain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains. It can be applied to access control lists (ACLs) on objects in all domains in the forest.

Therefore, during a logon session universal group memberships must be ascertained so that the user is granted the appropriate access. Access is granted both in the domain the user is logging into and in other domains.

Only global catalog servers store the memberships of all universal groups in the forest. Therefore, if a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. If the link between the sites is a slow WAN link, this can potentially slow down the logon session. Hence the need for UGMC.

Active Directory Interview Questions (Maintenance)

These Active Directory interview questions cover AD maintenance tasks such as transferring or seizing FSMO roles, backing up and restoring AD and SYSVOL, and more.

Question 26: Name one Tool You Can Use to Transfer and Seize FSMO Roles

Answer: ntdsutil

Additional Information: There is no option to seize a FSMO role from a GUI tool like Active Directory Users and Computers. You can only seize FSMO roles using ntdsutil. However, FSMO role transfer can be accomplished with either a GUI tool or ntdsutil utility.
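Questions 16, 17 and 26 meet in practice when you need to know which DC holds each single-master role before moving it. The following is an added example, not code from the article: it assumes the ActiveDirectory module, reads the five role holders, checks that each one answers on LDAP, and then shows the ntdsutil command sequence for a transfer; the target DC name is a constructed placeholder.

```powershell
# Added example (not from the article): list the five FSMO role holders, check
# each is reachable, then transfer a role with ntdsutil.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Two roles are forest-wide (one holder per forest); three are per domain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            # A holder that no longer answers LDAP is the usual reason a seize is considered.
            Reachable = Test-NetConnection -ComputerName $holder -Port 389 `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize

# Graceful transfer (both DCs online) with ntdsutil, passing its interactive menu
# commands as arguments. 'pdc' is the PDC Emulator; the other role keywords are
# 'schema master', 'naming master', 'rid master' and 'infrastructure master'.
$target = 'DC02'   # constructed: the DC that should take over the role
ntdsutil 'roles' 'connections' "connect to server $target" 'quit' 'transfer pdc' 'quit' 'quit'

# A seize uses the same sequence with 'seize pdc' in place of 'transfer pdc'.
# Use it only when the current holder is permanently gone, and never return the
# old holder to the network afterwards without rebuilding it.
```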

Question 27: List the Items Backed Up When You Perform a System State Backup of a DC.

Answer: A DC system state backup copies the following:

  • Registry.
  • COM+ Class Registration database.
  • Boot files.
  • Active Directory database (Ntds.dit) file and log files.
  • SYSVOL directory.

Additional Information: Depending on roles installed on the DC, the following additional files may be included in a DC system state backup:

  • Active Directory Certificate Services (AD CS) database.
  • Cluster service information.
  • Microsoft Internet Information Services (IIS) meta directory.
  • System files under Windows Resource Protection.

Question 28: If AD Partitions Are Not Backed Up with Sufficient Frequency, What Event ID Is Logged?

Answer: Event ID 2089

Additional Information: After performing an initial Active Directory backup on a domain controller, Event ID 2089 provides warnings about the backup status of each directory partition that a domain controller stores. This includes application directory partitions.

Question 29: What is The Default Tombstone Lifetime for Windows Server 2016?

Answer: 180 days.

Question 30: What AD Tool Can You Use to View and Modify the Tombstone Lifetime?

Answer: ADSI Edit
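Questions 28, 29 and 30 are really one check: a backup older than the tombstone lifetime cannot be restored, and Event ID 2089 is how the DC tells you backups are falling behind. The following is an added example, not code from the article: it reads the tombstone lifetime from PowerShell instead of ADSI Edit, compares it with the last successful backup recorded by Windows Server Backup (assumed installed on the DC), and pulls recent 2089 events.

```powershell
# Added example (not from the article): compare the last system state backup
# with the tombstone lifetime and surface Event ID 2089 warnings. Run on a DC.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # The same object ADSI Edit shows under CN=Directory Service.
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
        -Properties tombstoneLifetime
    # Unset means the forest default applies: 180 days for forests created on
    # Windows Server 2003 SP1 or later (including 2016), 60 days before that.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 180 }
}

function Get-AdBackupStatus {
    $tsl = Get-TombstoneLifetimeDays
    # Windows Server Backup records the last successful job on this DC
    # (the Windows-Server-Backup feature; wbadmin is its command-line front end).
    $last = if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
                (Get-WBSummary).LastSuccessfulBackupTime
            } else { $null }
    $age  = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
    # Event 2089 is logged per directory partition once backup latency is a problem.
    $warnings = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2089 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        TombstoneLifetimeDays = $tsl
        LastBackup            = $last
        BackupAgeDays         = $age
        Restorable            = ($null -ne $age -and $age -lt $tsl)
        Recent2089Warnings    = $warnings.Count
        Latest2089            = if ($warnings.Count -gt 0) { $warnings[0].TimeCreated } else { $null }
    }
}

Get-AdBackupStatus | Format-List

# Take a fresh system state backup (the item list from Question 27) to a
# dedicated volume:
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
```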

Question 31: What is the Difference Between Authoritative and Non-Authoritative Restore?

Answer: An authoritative restore does not allow replication to overwrite the restored objects with the deletions that happened after the backup. Instead, the restored objects replicate authoritatively to the other domain controllers in the domain.

On the other hand, a non-authoritative restore allows Active Directory replication to update the restored domain controller to the current state of AD DS.

Question 32: Most AD Maintenance Tasks Are Performed with AD DS online. Name 2 AD Maintenance Tasks that Require You to Take AD DS Offline to perform the Tasks?

Answer: Offline AD database defragmentation and AD DS database relocation.

Active Directory Interview Questions (PowerShell)

Windows PowerShell skills have become a critical requirement for most Windows Admin jobs, including Active Directory administration. The last set of Active Directory interview questions covers managing AD with PowerShell.

Question 33: What PowerShell Command Do You Use to Retrieve AD Users?

Answer: Get-ADUser

Question 34: What PowerShell Command Can You Run to Promote a Windows Server to a DC?

Answer: Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart

Additional Information: The IncludeManagementTools parameter installs all the AD admin tools, while the Restart parameter forces a reboot after the AD DS installation. To learn more about PowerShell commands, read 18 PowerShell Commands Every Windows Admin Should Know.
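Installing the AD DS role (Question 34) brings in the ADDSDeployment module, and it is that module's cmdlet that performs the promotion Question 10 refers to; the article's answer stops at the role install. The following is an added example, not code from the article: it takes a member server to an additional DC in an existing domain, with the domain, site and credential names as constructed placeholders.

```powershell
# Added example (not from the article): role install, prerequisite check, and
# promotion of a member server to an additional DC in an existing domain.
$domain = 'corp.example'                  # constructed
$site   = 'Default-First-Site-Name'       # constructed: AD site for the new DC
$cred   = Get-Credential "$domain\Administrator"   # account permitted to add DCs
# DSRM password: required for the offline tasks in Questions 31 and 32.
$dsrm   = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 1. Install the AD DS role and management tools (Question 34). On its own this
#    does not make the server a DC; it installs the ADDSDeployment module used below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Run the prerequisite checks without changing anything. Status must be
#    Success; the Message property explains any failure.
$check = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName $site
$check | Format-List Status, Message
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; see messages above.' }

# 3. Promote. -InstallDns adds a DNS server hosting the AD-integrated zones
#    (Question 7), -Force suppresses confirmation prompts; the server reboots
#    when the promotion completes.
Install-ADDSDomainController -DomainName $domain -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName $site `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -Force

# After the reboot, confirm the new DC advertises itself and replicates:
#   dcdiag /test:advertising
#   repadmin /replsummary
```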

Question 35: What PowerShell Command Can You Use to Update An Existing AD User?

Answer: Set-ADUser

There you have them: 35 Active Directory interview questions and answers.

Conclusion

I hope you found this Itechguide helpful.

Good luck with your interview

About the Author


Victor Ashiedu

Victor is the founder of InfoPress Media, publishers of Ilifeguides and Itechguides. With 20+ years of experience in IT infrastructure, his expertise spans Windows, Linux, and DevOps. Explore his contributions on Itechguides.com for insightful how-to guides and product reviews.
