I would like to share some Windows Active Directory interview questions and answers, starting with basic questions and continuing with L1, L2 and L3 level questions.
Also Read: Windows Server Administrator Interview Questions and Answers
What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft that stores objects such as users, computers, printers and network information. It lets you manage your network effectively with multiple domain controllers in different locations sharing the AD database: a change made on any domain controller is replicated to all other DCs, which gives centralized administration across multiple geographical locations. AD also authenticates users and computers in a Windows domain.
What is LDAP and how is LDAP used in Active Directory (AD)?
http://www.windowstricks.in/ldap-and-ldap-query
What is a Tree?
A tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.
What is a Domain?
Active Directory Domain Services is Microsoft's directory server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.
What is an Active Directory Domain Controller (DC)?
A domain controller is the server that holds the AD database. All AD changes are replicated to the other DCs and vice versa.
What is a Forest?
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace, but they share a common schema and global catalog (GC).
What is the Schema?
The Active Directory schema is the set of definitions that define the kinds of objects, and the types of information about those objects, that can be stored in Active Directory.
The Active Directory schema is a collection of object classes and their attributes, for example:
Object Class = User
Attributes = first name, last name, email, and others
Can we restore a schema partition?
http://www.windowstricks.in/2014/01/can-i-restore-schema-partition.html
Tell me about the FSMO roles.
Schema Master
Domain Naming Master
Infrastructure Master
RID Master
PDC Emulator
Schema Master and Domain Naming Master are forest-wide roles, with only one of each per forest; the other roles are domain-wide, with one of each per domain.
AD replication is multi-master replication: a change can be made on any domain controller and is replicated to the other domain controllers. The exception is the five roles above, the flexible single master operations (FSMO): these changes can only be made on the dedicated domain controller that holds the role, so they are single-master operations.
How do you check which server holds which role?
Netdom query FSMO
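The same check in PowerShell, as an added example that is not from the original post: it lists the five role holders, tests whether each one answers on LDAP, and flags the Infrastructure Master / Global Catalog co-location the page warns about. It assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows 8 / Server 2012 or later) in a domain-joined session; Get-FsmoStatus is a name chosen here.

```powershell
# Added example (not from the original post): enumerate FSMO role holders and
# run two practitioner checks on them. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Forest-wide roles live on the forest object, domain-wide roles on the domain object
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    foreach ($name in $roles.Keys) {
        $holder = $roles[$name]
        # A holder that does not answer on LDAP 389 cannot service its role right now
        $online = Test-NetConnection -ComputerName $holder -Port 389 `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
        $warning = ''
        if ($name -eq 'Infrastructure Master' -and $forest.Domains.Count -gt 1) {
            # In a multi-domain forest an IM that is also a GC never sees stale
            # cross-domain references, so it stops updating them. Harmless only
            # when every DC in the domain is a GC.
            $dc = Get-ADDomainController -Identity $holder
            if ($dc.IsGlobalCatalog) {
                $warning = 'Infrastructure Master is also a GC in a multi-domain forest'
            }
        }
        [pscustomobject]@{ Role = $name; Holder = $holder; Online = $online; Warning = $warning }
    }
}

Get-FsmoStatus | Format-Table -AutoSize
```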
Which FSMO role is the most important, and why?
An interesting question: which of the 5 FSMO roles is the most important, or which role's failure affects the end user immediately? Most amateur administrators pick the Schema Master role, probably because they think the schema is critical for running Active Directory.
The correct answer is the PDC. Why? Going role by role through what happens when each FSMO role holder fails gives the answer.
Schema Master – The Schema Master is needed to update the schema. We don't update the schema daily, so when do we update it? During an operating system migration, when installing a new Exchange version, or for any other application that requires extending the schema.
So if our Schema Master server is not available we cannot update the schema, but this does not affect Active Directory operation or the end user.
The Schema Master only needs to be online when we are ready to make a schema change, so we can plan and have more time to bring the Schema Master server back.
Domain Naming Master – The Domain Naming Master is required for creating a new domain and creating an application partition. As with the Schema Master, we don't create domains and application partitions frequently.
So if our Domain Naming Master server is not available we cannot create a new domain or application partition, but this does not affect users; users will not even be aware that the Domain Naming Master server is down.
Infrastructure Master – The Infrastructure Master handles cross-domain updates. What really gets updated between domains? Whenever a user logs in to the domain, the TGT is created with the list of access the user has through group membership (the user's group membership details), and it also contains the user's membership details from trusted domains. The Infrastructure Master keeps this information up to date: it updates reference information every 2 days by comparing its data with the Global Catalog (that's why we don't keep the Infrastructure Master and a GC on the same server).
In a single-domain, single-forest environment there is no impact if the Infrastructure Master server is down.
In a multi-domain or multi-forest environment there will be an impact, but we have enough time to fix the issue before it affects the end user.
RID Master – Every DC is initially issued 500 RIDs by the RID Master server. RIDs are used to create new objects in Active Directory: every new object is created with a Security ID (SID), and the RID is the last part of the SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID.
When the pool gets down to 250 (50%), the DC requests a second pool of RIDs from the RID Master. If the RID Master server is not available, RID pools cannot be issued to the DCs, and each DC can only create new objects while it still has RIDs available. Every DC has anywhere between 250 and 750 RIDs available, so there is no immediate impact.
PDC – The PDC is required for time sync, user login, password changes and trusts. Now you know why the PDC is the most important FSMO role holder to get back online: a PDC failure impacts the end user immediately, and we need to recover it ASAP.
The PDC emulator emulates a Primary Domain Controller for backward compatibility. It is responsible for time synchronization within the domain and is also the password master: any password change is replicated to the PDC emulator ASAP, and if a login request fails due to a bad password, the request is passed to the PDC emulator to check the password before the login is rejected.
Tell me about the Active Directory database and list the Active Directory database files.
NTDS.DIT
EDB.Log
EDB.Chk
Res1.log and Res2.log
AD changes are not written directly to the NTDS.DIT database file. They are first written to EDB.Log and then from the log file to the database. EDB.Chk tracks which updates from the log file have already been written to the database file.
NTDS.DIT: NTDS.DIT is the AD database and stores all AD objects. The default location is %systemroot%\ntds\ntds.dit. The Active Directory database engine is the Extensible Storage Engine (ESE), which is based on the Jet database.
EDB.Log: EDB.Log is the transaction log file. When EDB.Log is full, it is renamed to EDBnum.log, where num is an increasing number starting from 1, for example EDB1.Log.
EDB.Chk: EDB.Chk is the checkpoint file used to track the data not yet written to the database file. It marks the starting point from which data is to be recovered from the log file in case of failure.
Res1.log and Res2.log: these are reserved transaction log files that give the transaction log enough time to shut down cleanly if the disk runs out of space.
What RAID configuration can be used on domain controllers?
Can we keep the OS, log files, SYSVOL and the AD database on the same logical disk?
AD Interview Questions (Part 2)
What are Active Directory partitions?
An Active Directory partition defines how and where AD information is logically stored.
What are the Active Directory partitions?
Schema
Configuration
Domain
Application partition
What are the Active Directory partitions used for, and how do you find the Active Directory partitions and their locations?
Schema partition – Stores details about objects and attributes. Replicates to all domain controllers in the forest.
DN location: CN=Schema,CN=Configuration,DC=Domainname,DC=com
Configuration partition – Stores AD configuration information such as sites, site links, subnets and other replication topology information. Replicates to all domain controllers in the forest.
DN location: CN=Configuration,DC=Domainname,DC=com
Domain partition – Object information for a domain, such as users, computers, groups, printers and other domain-specific information. Replicates to all domain controllers within the domain.
DN location: DC=Domainname,DC=com
Application partition – Information about applications in Active Directory. For example, when AD-integrated DNS is used there are two application partitions for DNS zones, ForestDNSZones and DomainDNSZones.
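A way to find the partitions and their DNs on a live DC, as an added PowerShell example that is not from the original post: it reads the naming contexts from RootDSE and labels each with the kind and replication scope described above. It assumes the RSAT ActiveDirectory module in a domain-joined session; Get-AdPartitionMap is a name chosen here.

```powershell
# Added example (not from the original post): classify every naming context the
# DC holds as schema, configuration, domain or application partition.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdPartitionMap {
    $rootDse  = Get-ADRootDSE
    # ApplicationPartitions holds DNs such as DC=ForestDnsZones,... and DC=DomainDnsZones,...
    $appParts = @((Get-ADForest).ApplicationPartitions)

    foreach ($nc in $rootDse.namingContexts) {
        if ($nc -eq $rootDse.schemaNamingContext) {
            $kind = 'Schema';        $scope = 'All DCs in the forest'
        } elseif ($nc -eq $rootDse.configurationNamingContext) {
            $kind = 'Configuration'; $scope = 'All DCs in the forest'
        } elseif ($appParts -contains $nc) {
            $kind = 'Application';   $scope = 'Only DCs enlisted in the partition'
        } else {
            # Anything else RootDSE lists is a domain naming context
            $kind = 'Domain';        $scope = 'All DCs in this domain'
        }
        [pscustomobject]@{
            Partition         = $kind
            DistinguishedName = $nc
            Replication       = $scope
            IsDefaultDomain   = ($nc -eq $rootDse.defaultNamingContext)
        }
    }
}

Get-AdPartitionMap | Sort-Object Partition | Format-Table -AutoSize
```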
How do you configure Active Directory partitions?
Only the application partition can be configured manually, for use with AD-integrated applications; refer to this article for details.
How do you create a DNS zone in an application directory partition?
See my previous article.
How do you move a DNS zone from the domain partition to an application partition?
See my previous article.
How do you take an Active Directory backup?
A system state backup backs up Active Directory; NTBackup can be used to back up Active Directory.
What are the Active Directory restore types?
Authoritative restore
Non-authoritative restore
Non-authoritative restore of Active Directory
A non-authoritative restore returns the domain controller to its state at the time of the backup and allows normal replication to overwrite the restored domain controller with any changes that occurred after the backup. After the system state restore, the domain controller queries its replication partners and gets the changes made after the backup date, ensuring it has an accurate and up-to-date copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory: a plain restore of the system state is a non-authoritative restore, and it is mostly used for Active Directory data loss or corruption.
How do you perform a non-authoritative restore?
Start the domain controller in Directory Services Restore Mode and perform a system state restore from backup.
Authoritative restore of Active Directory
An authoritative restore is the next step after the non-authoritative restore process: you have to do a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore can increment the version number of the attributes of all objects, or of an individual object, in the directory, which makes the restored object authoritative. This can be used to restore a single deleted user or group, or even an entire OU.
In a non-authoritative restore, after the domain controller is back online it contacts its replication partners to determine any changes since the time of the last backup. In an authoritative restore, however, the version numbers of the attributes of the objects you marked as authoritative are higher than the existing version numbers, so those objects on the restored domain controller appear more recent and are replicated out to the other domain controllers in the domain.
How do you perform an authoritative restore?
Unlike a non-authoritative restore, an authoritative restore needs Ntdsutil.exe to increment the version numbers of the object attributes.
Which Active Directory partitions can be restored?
You can authoritatively restore only objects from the configuration and domain partitions. Authoritative restores of the schema naming context are not supported.
How many domain controllers need to be backed up, or which domain controllers should be backed up?
The minimum requirement is to back up two domain controllers in each domain, one of which should be an operations master role holder. There is no need to back up the RID Master (relative ID master), because the RID Master should not be restored.
Can we restore the backup of one domain controller to a different domain controller?
A backup of one domain controller cannot be restored to another domain controller; it must be restored to the same domain controller.
Sysvol Interview Questions and Answers
I would like to share a collection of SYSVOL and FRS interview questions and answers that are asked in Windows Active Directory administrator job interviews.
What is the SYSVOL folder and what is it used for?
The SYSVOL folder on a Windows domain controller stores the domain's Group Policy settings, default profiles and login/logoff/startup/shutdown scripts. It is located in the C:\Windows\SYSVOL directory on every domain controller in the domain.
What is the NETLOGON folder?
The NETLOGON folder, which sits inside the SYSVOL folder, contains the login/logoff/startup/shutdown scripts.
What is a junction point?
Check more about SYSVOL junction points.
What other folders are in SYSVOL, and what is the SYSVOL folder structure and contents?
Check more about: NETLOGON and SYSVOL folder location.
How do policies get replicated from one DC to another DC?
Check more about: how SYSVOL replication works.
What is the difference between FRS and DFS-R?
Check more about: difference between FRS and DFSR.
How do you force SYSVOL replication?
Check more about forcing SYSVOL replication on Windows 2003, and forcing SYSVOL replication on Windows 2008 and Windows Server 2012.
What is the SYSVOL replication change in Windows 2008?
Check more about the SYSVOL replication change on Windows 2012.
Any SYSVOL issues you have faced in your environment?
USN journal wrap error on SYSVOL
Morphed folders in SYSVOL
FRS replication issues
SYSVOL share not being shared – probably a replication issue; the event log has more information.
Tell me about a non-authoritative restore of SYSVOL, or D2 restore.
D2 is the default method for restoring SYSVOL and occurs automatically when you do a non-authoritative restore of Active Directory.
When you non-authoritatively restore SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it replicates any necessary changes, bringing it up to date with the other domain controllers in the domain.
Tell me about an authoritative restore of SYSVOL, or D4 restore.
In a D4 restore, the copy of SYSVOL restored from backup is authoritative for the domain. After the necessary configuration has been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers in the domain.
How do you perform a D2 or D4 restore?
Set the BurFlags registry value to D2 or D4:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
BurFlags
D2 for a non-authoritative restore
D4 for an authoritative restore
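The BurFlags procedure above scripted in PowerShell, as an added example that is not from the original post. It applies only to an FRS-replicated SYSVOL (the NtFrs service must exist; a DFSR-replicated SYSVOL uses the msDFSR-Options attribute instead, not this key), and it uses the .NET Registry class because the key name "Backup/Restore" contains a slash that the PowerShell registry provider would treat as a path separator. Set-SysvolBurFlags is a name chosen here.

```powershell
# Added example (not from the original post): set BurFlags to D2 or D4 and
# restart FRS so the flag is processed at service startup. FRS-only.
function Set-SysvolBurFlags {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('D2', 'D4')]
        [string]$Mode
    )

    # Key from the page; opened through .NET because of the '/' in "Backup/Restore"
    $subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    # D2 = non-authoritative (pull SYSVOL from a partner), D4 = this DC's copy wins
    $value  = if ($Mode -eq 'D4') { 0xD4 } else { 0xD2 }

    if (-not (Get-Service -Name NtFrs -ErrorAction SilentlyContinue)) {
        throw 'NtFrs service not found: SYSVOL on this DC is not FRS-replicated'
    }

    # ConfirmImpact High means D4 (which overwrites every partner) prompts by default
    if (-not $PSCmdlet.ShouldProcess("HKLM\$subKey", "Set BurFlags to 0x$Mode and restart NtFrs")) {
        return
    }

    Stop-Service -Name NtFrs -Force
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if (-not $key) { throw "Registry key not found: $subKey" }
    try {
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
    Start-Service -Name NtFrs

    # FRS resets BurFlags to 0 once it has processed the restore; poll for that
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 10
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
        $current = $key.GetValue('BurFlags')
        $key.Close()
    } while ($current -ne 0 -and (Get-Date) -lt $deadline)

    [pscustomobject]@{ Mode = $Mode; BurFlagsNow = $current; Processed = ($current -eq 0) }
}

# Preview a non-authoritative resync of this DC's SYSVOL without changing anything
Set-SysvolBurFlags -Mode D2 -WhatIf
```

If Processed is still $false after the five-minute poll, check the FRS event log (Event ID 13516 marks a completed SYSVOL initialization) before running the same mode on another DC.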
Active Directory real time issues and solutions
By ganesamoorthy s | June 9, 2015
As a Windows AD administrator I have faced many real-time Active Directory issues and solutions. We have seen interview questions like: tell me about two real-time issues you have faced in your current Active Directory environment; share one or two challenging issues you have worked on and resolved; tell me about the most challenging issue you were recently involved in.
Many of my blog readers have asked me to share a couple of real-time scenarios from my past experience to prepare for a Windows and Active Directory interview. Here is a list of articles from my previous posts; read and understand them to face the interview confidently.
Active Directory real-time issues and solutions
DNS entry of a domain controller resolving to an incorrect value
Replsummary showing unknown for largest delta in AD replication checks
Domain controller failed test MachineAccount in DCDIAG
AD slow authentication and prompting for credentials again and again
How the secure channel determines the domain controller in a cross-forest trust
Active Directory troubleshooting
Troubleshoot Active Directory server replication
Group Policy (GPO) real time issues and solutions
Issue managing IE configuration through GPO
Gpresult failed with ERROR Access Denied
Home page URL not working for IE7
GPO update failed at a slow-link VPN site with Event ID 1000 and 1054
Group Policy processing over slow links
Group Policy slow link detection on Windows Server 2008
Other real-time issues and solutions: printers, user profiles and account lockouts
Account lockout
How to find the domain controller that contains the lingering object