Active Directory Interview Questions and Answers
Freshers / Beginner level questions & answers
Ques 1. What is Active Directory?
Active Directory is a directory service developed by Microsoft for Windows domain networks. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software.
Example:
In a company, Active Directory is used to manage user accounts, computers, printers, and other resources efficiently.
Intermediate / 1 to 5 years experienced level questions & answers
Ques 2. Explain the difference between a domain and a workgroup.
A domain is a logical grouping of network objects (computers, users, devices) that share a centralized database and security policies, while a workgroup is a smaller, peer-to-peer network where each computer has its own security database.
Example:
A small office might use a workgroup, while a large enterprise typically employs a domain-based network using Active Directory.
Ques 3. What is LDAP and how does it relate to Active Directory?
LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information. Active Directory uses LDAP for querying and modifying items like users, groups, and computers within the directory.
Example:
When a user logs in, the system uses LDAP to verify credentials and retrieve user information from Active Directory.
Ques 4. Explain the Global Catalog in Active Directory.
The Global Catalog is a distributed data repository in Active Directory that contains a searchable, partial representation of every object in the forest. It facilitates searches across domains and provides essential information during logon and resource access.
Example:
When searching for a user in a multi-domain environment, the Global Catalog helps locate the user without having to contact each domain separately.
Ques 5. What is Group Policy in Active Directory?
Group Policy is a feature in Active Directory that allows administrators to define and enforce policies for users and computers. These policies can control security settings, software installations, and other configurations.
Example:
Group Policy can be used to enforce password policies or deploy software updates to all computers in a domain.
Ques 6. How does Active Directory contribute to security in a network?
Active Directory enhances network security by providing a centralized authentication and authorization mechanism. It allows administrators to enforce security policies, control access to resources, and manage user permissions in a systematic way.
Example:
By defining Group Policies, administrators can ensure that all computers in the network comply with security standards.
Ques 7. How does Active Directory handle authentication and authorization?
Authentication is the process of verifying the identity of a user, while authorization involves granting or denying access to resources based on the user's permissions. Active Directory uses Kerberos authentication and access control lists (ACLs) for these purposes.
Example:
When a user logs in, Active Directory authenticates the user using Kerberos, then checks the user's permissions to determine access rights.
Ques 8. Explain the concept of Trust in Active Directory.
Trust in Active Directory establishes relationships between domains, allowing users in one domain to access resources in another. Trust can be one-way or two-way, and it defines the level of access and permissions granted between domains.
Example:
A company with multiple domains might establish a two-way trust to allow seamless resource access between the domains.
Ques 9. What is the purpose of the Kerberos protocol in Active Directory?
Kerberos is a network authentication protocol used by Active Directory to provide secure authentication for users and services. It uses tickets to verify the identity of users and services in a network environment.
Example:
When a user logs in, Active Directory issues a Kerberos ticket that can be used to access various network resources without requiring the user to re-enter credentials.
Ques 10. How does Active Directory support Group Nesting?
Group Nesting in Active Directory allows groups to be members of other groups. This feature simplifies the management of permissions by allowing administrators to assign permissions to a group rather than individual users.
Example:
Instead of assigning permissions to each user individually, administrators can add users to groups, and groups to other groups, to streamline access control.
Ques 11. What is the purpose of the Netlogon service in Active Directory?
The Netlogon service in Active Directory is responsible for various authentication and replication tasks. It registers domain controllers in DNS, replicates domain information between domain controllers, and handles secure channel communications.
Example:
When a user logs in, the Netlogon service ensures that the logon request is processed securely and that domain information is synchronized.
Ques 12. Explain the concept of Organizational Units (OUs) in Active Directory.
Organizational Units (OUs) are containers within domains that allow administrators to organize and apply Group Policies to sets of users, groups, and computers. OUs provide a way to delegate administrative authority within a domain.
Example:
An organization might have separate OUs for different departments, each with its own set of Group Policies and administrative permissions.
Ques 13. How does Active Directory handle DNS integration?
Active Directory relies heavily on DNS for name resolution and service location. It uses DNS to locate domain controllers, discover services, and perform various tasks related to directory services.
Example:
When a client needs to locate a domain controller, it queries DNS to find the necessary information about the domain and its services.
Experienced / Expert level questions & answers
Ques 14. What is the purpose of the RID Master in Active Directory?
The RID (Relative Identifier) Master is responsible for allocating unique RIDs to each domain controller in a domain. RIDs are used in the creation of security principals such as user and group accounts.
Example:
When a new user is created, the RID Master assigns a unique identifier to that user within the domain.
Ques 15. Explain the concept of Forest in Active Directory.
A Forest is the highest level of organizational structure in Active Directory and consists of one or more domains. Domains within a forest share a common schema, configuration, and global catalog. A forest is identified by a unique name and represents the security and administrative boundary for the organization.
Example:
A company with multiple subsidiaries might have a forest to represent the entire organization, with each subsidiary as a separate domain.
Ques 16. What is the PDC Emulator role in Active Directory?
The Primary Domain Controller (PDC) Emulator is a role in Active Directory that plays a crucial role in backward compatibility with older Windows NT systems. It acts as the primary time source for the domain and handles certain authentication requests.
Example:
If a user's password is changed, the PDC Emulator ensures that the change is replicated to all other domain controllers.
Ques 17. How does Active Directory support multi-master replication?
Active Directory uses multi-master replication, meaning that changes can be made on any domain controller, and those changes are then replicated to all other domain controllers. This ensures that no single domain controller becomes a bottleneck for changes.
Example:
If a user is added to a group on one domain controller, the change is replicated to all other domain controllers in the domain.
Ques 18. What is the Schema Master role in Active Directory?
The Schema Master is a role in Active Directory responsible for managing changes to the schema. It controls updates and modifications to the schema, which defines the structure and attributes of objects in the directory.
Example:
When a new attribute or object class is added, the Schema Master ensures that the change is replicated to all other domain controllers.
Ques 19. Explain the purpose of the Infrastructure Master role.
The Infrastructure Master is responsible for updating references from objects in its domain to objects in other domains. It ensures that cross-domain object references are kept up to date.
Example:
If a user in one domain is a member of a group in another domain, the Infrastructure Master updates the reference to the user's security identifier (SID).
Ques 20. What is the purpose of the Domain Naming Master role?
The Domain Naming Master is a role in Active Directory responsible for managing the addition and removal of domains in the forest. It ensures that domain names are unique within the forest.
Example:
When a new domain is added to the forest, the Domain Naming Master verifies that the domain name is unique across all domains in the forest.
Ques 21. What is the purpose of the Time Server role in Active Directory?
The Time Server role, or Windows Time service (W32Time), in Active Directory is responsible for synchronizing time across all domain-joined computers. It ensures that time-sensitive operations, such as authentication and replication, occur accurately.
Example:
Synchronized time is crucial for Kerberos authentication and maintaining consistency in distributed environments.
Ques 22. Explain the concept of Fine-Grained Password Policies in Active Directory.
Fine-Grained Password Policies allow administrators to define different password policies for different sets of users within a domain. This provides more flexibility in enforcing password requirements for various user groups.
Example:
Administrators can apply stricter password policies for privileged accounts while allowing less restrictive policies for other user accounts.
Ques 23. What is the purpose of the Read-Only Domain Controller (RODC) in Active Directory?
An RODC is a domain controller that holds a read-only copy of the Active Directory database. It enhances security by allowing organizations to deploy domain controllers in locations where physical security cannot be guaranteed.
Example:
In branch offices with limited physical security, an RODC can be deployed to provide authentication services without risking the exposure of sensitive information.
Ques 24. How does Active Directory handle tombstone objects?
Tombstone objects are deleted objects that are retained in Active Directory for a specific period before being permanently removed. This period is known as the tombstone lifetime. Tombstone objects help ensure proper replication of deletions across all domain controllers.
Example:
When an object is deleted, it becomes a tombstone, and all domain controllers eventually replicate the deletion to maintain consistency.
Ques 25. Explain the purpose of the Active Directory Recycle Bin feature.
The Active Directory Recycle Bin is a feature that allows administrators to restore deleted objects, including user accounts, groups, and OUs, without the need to perform authoritative or non-authoritative restores.
Example:
If an administrator accidentally deletes an important user account, it can be easily recovered using the Active Directory Recycle Bin.
Ques 26. What is the purpose of the Global Catalog in a multi-domain environment?
In a multi-domain environment, the Global Catalog provides a unified view of objects across all domains in the forest. It facilitates searches for objects without the need to contact each domain individually.
Example:
When searching for a user across multiple domains, the Global Catalog allows quick and efficient retrieval of information.
Ques 27. Explain the concept of Forest Functional Levels in Active Directory.
Forest Functional Levels define the set of features and capabilities available in an Active Directory forest. By raising the forest functional level, administrators can enable new features and retire older domain controllers that do not support the selected functional level.
Example:
Raising the forest functional level might enable features like the Active Directory Recycle Bin or advanced authentication mechanisms.
Ques 28. What is the purpose of the Site in Active Directory?
A Site in Active Directory represents a physical location in the network, such as an office or data center. Sites help optimize network traffic and replication by grouping domain controllers based on their physical proximity.
Example:
In a large organization with multiple offices, administrators can define sites to improve the efficiency of replication and authentication.
Ques 29. Explain the role of the Intersite Messaging service in Active Directory.
The Intersite Messaging service, also known as Knowledge Consistency Checker (KCC), is responsible for creating and maintaining the replication topology between sites. It ensures that changes are efficiently replicated between domain controllers in different sites.
Example:
In a multi-site environment, the Intersite Messaging service helps manage the flow of replication traffic between sites.
Ques 30. What is the purpose of the Active Directory Lightweight Directory Services (AD LDS)?
AD LDS is a role in Active Directory that provides a lightweight and flexible directory service. It is often used to store application-specific data, separate from the main Active Directory database, allowing applications to have their own schema and directory structure.
Example:
An organization might use AD LDS to store data for a custom application without affecting the main Active Directory schema.
Most helpful rated by users:
- What is Active Directory?
- Explain the difference between a domain and a workgroup.
- What is LDAP and how does it relate to Active Directory?