Ace Your Active Directory Interview: Essential Questions & Answers
This comprehensive guide prepares you for Active Directory interview questions of all levels. Learn the fundamentals of Active Directory, including domains, LDAP, group types (Domain Local, Global, Universal), and the critical Sysvol folder. Understand the differences between Enterprise Admin and Domain Admin groups, and explore key concepts like forests, domain trees, and the Active Directory schema. This guide also covers network protocols (ARP, Kerberos), Active Directory components, and administration tools. We explore advanced topics such as Active Directory replication, port numbers, managing trust relationships, and the roles of the RID Master and PDC Emulator. Prepare for in-depth questions on Windows Server 2012 features and Active Directory's overall structure. Become proficient in Active Directory concepts and confidently answer even the most challenging interview questions.
Most Asked Active Directory Interview Questions
What is Active Directory?
Active Directory (AD) is a directory service for Windows-based networks. Think of it as a central database storing information about users, computers, and other network resources. It manages and controls access to these resources across the entire network.
What is a Domain?
A domain is a collection of network resources shared by a group of users. Users log in once to the domain to access resources located on various servers within the network. The concept of a domain simplifies access to multiple computer resources using a single username and password.
Default Protocol for Directory Services
The default directory access protocol is LDAP (Lightweight Directory Access Protocol). Active Directory answers LDAP on TCP/UDP 389 and LDAP over TLS (LDAPS) on TCP 636; the global catalog is a separate LDAP listener on 3268 (3269 over TLS). Windows clients and tools such as ADSI Edit, LDP.exe and the ActiveDirectory PowerShell module all talk LDAP to the domain controller underneath.
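As an added example (not code from the original page), the PowerShell below issues LDAP queries against a domain controller through .NET's System.DirectoryServices: it reads the anonymously readable rootDSE, searches for disabled user accounts over port 389 with signing and sealing negotiated, then repeats a query over LDAPS on 636. The DC name `dc01.corp.example` and base DN `DC=corp,DC=example` are hypothetical; the LDAPS part needs a server certificate on the DC.

```powershell
# Added example, not from the original page. Hypothetical DC and base DN.
Add-Type -AssemblyName System.DirectoryServices

$dc   = 'dc01.corp.example'
$base = 'DC=corp,DC=example'

# rootDSE is readable without authentication and describes what the server supports.
$rootDse = [adsi]"LDAP://$dc/RootDSE"
"LDAP versions:            $($rootDse.supportedLDAPVersion -join ', ')"
"Forest functional level:  $($rootDse.forestFunctionalLevel)"

# Plain LDAP on 389. Secure = Kerberos/NTLM bind; Signing + Sealing protect the session
# so an on-path attacker cannot tamper with or read the directory traffic.
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
        [System.DirectoryServices.AuthenticationTypes]::Signing -bor
        [System.DirectoryServices.AuthenticationTypes]::Sealing
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${dc}:389/$base", $null, $null, $auth)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.PageSize = 500      # request paged results; a DC returns at most 1000 entries per page
# userAccountControl bit 0x2 = ACCOUNTDISABLE. The OID is the LDAP "bitwise AND" matching rule.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'whenChanged'))

$disabled = $searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Properties['samaccountname'][0]
        DN      = $_.Properties['distinguishedname'][0]
        Changed = $_.Properties['whenchanged'][0]
    }
}
$disabled | Format-Table -AutoSize

# Same directory over LDAPS: port 636 plus the SecureSocketsLayer flag wraps LDAP in TLS.
$rootTls = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${dc}:636/$base", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
(New-Object System.DirectoryServices.DirectorySearcher($rootTls, '(objectClass=domain)')).FindOne().Path
```

The `${dc}:389` form is deliberate: in PowerShell `"$dc:389"` is parsed as a drive-qualified variable and expands to nothing. If the LDAPS bind fails with a trust error, the DC's certificate chain is not trusted by the client rather than the port being closed.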
Domain Local, Global, and Universal Groups
The three scopes differ in who can be a member and where the group can be granted permissions:
- Domain Local: members from any domain in the forest (and from trusted domains), but the group can only be placed on ACLs of resources in its own domain.
- Global: members only from the group's own domain, but it can be granted permissions on resources in any domain of the forest.
- Universal: members from any domain in the forest and usable in any domain; its membership list is replicated to every global catalog, so changes to it are more expensive than changes to the other two.
Universal security groups require the domain functional level Windows 2000 native or higher, which a domain reaches once it no longer contains Windows NT 4.0 domain controllers.
The Sysvol Folder
The Sysvol folder, shared as \\<domain>\SYSVOL on every domain controller, holds the domain's public files: Group Policy templates and logon/logoff scripts. It is replicated between domain controllers (by FRS in older domains, by DFS Replication in current ones), which is how a policy edited on one DC reaches all of them and why every domain member must be able to read it over SMB.
Creating Universal Groups
Creating a universal security group requires the domain functional level Windows 2000 native or higher, i.e. the domain must no longer contain Windows NT 4.0 domain controllers; a domain still at the Windows 2000 mixed level refuses them even if its DCs run Windows Server 2003 or later. Universal distribution groups, which carry no security context, are allowed at any level.
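The following PowerShell is an added example (not from the original page) that creates one security group of each scope and exercises the membership rules above: a user from a trusted domain is refused by the Global group but accepted by the Universal one, and the usual account/resource nesting chain is built and resolved. It assumes the RSAT ActiveDirectory module, an OU `OU=Groups,DC=corp,DC=example`, a local user `alice`, and a trusted domain `partner.example` containing a user `bob`; all of these names are hypothetical.

```powershell
# Added example, not from the original page. Hypothetical names: corp.example, partner.example,
# OU=Groups, users alice and bob. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'

# Universal security groups need domain functional level Windows 2000 native or higher
# (no Windows NT 4.0 domain controllers); fail early if the domain is still mixed mode.
$mode = (Get-ADDomain).DomainMode
if ($mode -eq 'Windows2000MixedDomain') {
    throw "Domain functional level $mode does not support universal security groups"
}

foreach ($scope in 'DomainLocal', 'Global', 'Universal') {
    New-ADGroup -Name "Demo-$scope" -GroupScope $scope -GroupCategory Security -Path $ou
}

# Global: members only from this domain, usable on resources in any domain of the forest.
Add-ADGroupMember -Identity 'Demo-Global' -Members 'alice'

# A principal from another domain is rejected by a Global group.
$bob = $null
try {
    $bob = Get-ADUser -Identity 'bob' -Server 'partner.example' -ErrorAction Stop
    Add-ADGroupMember -Identity 'Demo-Global' -Members $bob -ErrorAction Stop
} catch {
    Write-Warning "Global group refused cross-domain member: $($_.Exception.Message)"
}

# Universal: members from any domain in the forest; membership lives in the global catalog.
$universalMembers = @('Demo-Global')
if ($bob) { $universalMembers += $bob }
Add-ADGroupMember -Identity 'Demo-Universal' -Members $universalMembers

# Domain Local: members from anywhere, but only assignable to resources in this domain.
# Standard pattern: accounts -> Global -> Universal -> Domain Local -> ACL on the resource.
Add-ADGroupMember -Identity 'Demo-DomainLocal' -Members 'Demo-Universal'

# Effective membership resolves through the whole nesting chain.
Get-ADGroupMember -Identity 'Demo-DomainLocal' -Recursive |
    Select-Object name, objectClass, distinguishedName

# Scope and category as stored on the object (groupType is a bit mask of both).
Get-ADGroup -Filter 'name -like "Demo-*"' -Properties groupType |
    Select-Object Name, GroupScope, GroupCategory, groupType
```

The `groupType` column makes the interview answer concrete: scope and category are not separate attributes but bits in one integer, which is why a group cannot be Global and Universal at once and why scope changes are restricted while the group has members that the new scope would not allow.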
What is a Forest in Active Directory?
A forest is a collection of one or more domains that share a single schema (the blueprint for which object classes and attributes exist), a single configuration partition and a single global catalog, linked by automatic two-way transitive trusts. Every domain controller in the forest holds the same schema, which keeps data consistent and simplifies management; it is also why the forest, not the domain, is the real security boundary.
Enterprise Admin Group vs. Domain Admin Group
Enterprise Admin Group | Domain Admin Group |
---|---|
Exists only in the forest root domain; full control over every domain in the forest. | Exists in every domain; full control over that one domain. |
Members are local administrators on every domain controller in the forest and are added to each domain's Administrators group. | Members are local administrators on every domain controller, member server and workstation joined to the domain (via the local Administrators group). |
ARP (Address Resolution Protocol) and ARP Cache Poisoning
ARP maps IPv4 addresses to MAC addresses on a local network segment. Because ARP replies are unauthenticated and hosts cache whatever they receive, an attacker on the same segment can send forged replies (ARP cache poisoning) so that traffic for the gateway or another host is delivered to the attacker's MAC address, allowing that traffic to be intercepted or modified before being forwarded.
Kerberos
Kerberos is the default network authentication protocol in Active Directory domains. It uses symmetric (secret-key) cryptography and a trusted third party, the Key Distribution Center that runs on every domain controller, to issue tickets that prove a client's identity to services without the password itself crossing the network.
LSDOU (Local, Site, Domain, OU)
LSDOU gives the order in which Group Policy is applied: Local policy first, then policies linked to the Site, then the Domain, then each Organizational Unit from the top of the tree down to the one containing the object. Later settings overwrite earlier ones, so the OU closest to the object has the highest precedence and Local policy the lowest. A link marked Enforced (which wins over anything below it) and an OU set to Block Inheritance are the two exceptions to this order.
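As an added example (not from the original page), this PowerShell walks the LSDOU chain for one OU and prints the GPO links at each level in the order the client applies them, then asks the directory for the resolved list. It uses the GroupPolicy and ActiveDirectory RSAT modules; the OU `OU=Workstations,DC=corp,DC=example` is hypothetical. Site links are not part of the OU walk, so the final gpresult call is included to show the complete picture, local policy included.

```powershell
# Added example, not from the original page. Hypothetical OU and domain names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'

# Build the Domain -> OU -> sub-OU chain for the target. Application order is the order of this
# list; the last link applied wins, so the deepest OU has the highest precedence unless an
# earlier link is Enforced. (Stripping the first RDN assumes no escaped commas in names.)
$domainDn = (Get-ADDomain).DistinguishedName
$chain = @()
$current = $ou
while ($current -ne $domainDn) {
    $chain   = ,$current + $chain            # prepend, so the domain ends up first
    $current = $current -replace '^[^,]+,', ''
}
$chain = ,$domainDn + $chain

foreach ($container in $chain) {
    $inh = Get-GPInheritance -Target $container
    "{0}  (BlockInheritance={1})" -f $container, $inh.GpoInheritanceBlocked
    $inh.GpoLinks | Sort-Object Order | ForEach-Object {
        "    [{0}] {1}  Enabled={2} Enforced={3}" -f $_.Order, $_.DisplayName, $_.Enabled, $_.Enforced
    }
}

# What the directory itself resolves for the target: every inherited link that applies,
# already ordered by precedence, with Enforced links and blocked inheritance taken into account.
(Get-GPInheritance -Target $ou).InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enabled, Enforced

# On a domain member, gpresult shows the resultant set including Site links and the local
# policy that sits below everything else.
gpresult /scope:computer /r
```

When two GPOs set the same value and the effective setting is not the one expected, the Enforced and BlockInheritance columns above are where to look first; an Enforced link high in the chain silently inverts the usual "closest OU wins" rule.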
Active Directory Schema
The Active Directory Schema is the blueprint defining the structure and types of objects within an Active Directory environment. It dictates what kinds of information can be stored and how that information is organized.
Components of Active Directory Schema
The Active Directory Schema consists of:
- Objects: Represent real-world entities (users, computers, etc.).
- Classes: Define which attributes an object of that class must and may carry (user, computer, group, organizationalUnit, ...).
- Attributes: Store specific data about objects (name, address, etc.).
New Features in Windows Server 2012 Active Directory
- A new domain controller promotion wizard in Server Manager (backed by the ADDSDeployment PowerShell module), replacing the deprecated dcpromo.exe.
- Enhanced Active Directory Administrative Center.
- GUI-based Active Directory Recycle Bin.
- Simplified Fine-Grained Password Policies (FGPP).
- Windows PowerShell History Viewer.
System State Data
System state data on a domain controller includes the registry, the COM+ class registration database, boot and system files, the Active Directory database (NTDS.dit and its log files), the SYSVOL folder and, where the roles are installed, the Certificate Services database and cluster service configuration. It does not include the paging file, which is recreated at boot. A system state backup is what an authoritative or non-authoritative restore of a DC works from.
Main Components of Active Directory
Active Directory has:
- Physical Structures: Domain controllers and sites.
- Logical Structures: Trees, forests, domains, and organizational units (OUs).
Tombstone Lifetime
Tombstone lifetime is the number of days a deleted object is retained as a tombstone (a stub with most attributes stripped) before garbage collection removes it; it defaults to 60 days in forests created before Windows Server 2003 SP1 and 180 days in forests created later. It is also the oldest backup that may be restored and the longest a domain controller may be offline and still replicate safely, because deletions it missed would otherwise return as lingering objects.
Child Domain Controller (CDC)
A CDC is a domain controller for a child domain, i.e. a domain whose DNS name is a subdomain of its parent within the same tree (for example a DC for `emea.example.com` under `example.com`). The child domain has its own Domain Admins and its own FSMO roles, but inherits the forest schema and configuration and trusts its parent transitively.
APIPA (Automatic Private IP Addressing)
APIPA assigns a link-local address from 169.254.0.0/16 to a host that cannot obtain an address from a DHCP server, so it can still reach other hosts on the same segment. Such addresses are not routable, and a domain member stuck with one will not be able to locate or authenticate to its domain controllers.
RID Master
Every SID issued in a domain is the domain SID plus a Relative Identifier (RID). The RID Master hands each domain controller a pool of RIDs (500 at a time by default); the DC consumes that pool as it creates users, groups and computers and requests a new one when it runs low. If the RID Master is unavailable for long enough, DCs exhaust their pools and object creation fails. There is one RID Master per domain.
Infrastructure Master
The Infrastructure Master keeps cross-domain references up to date: when a user from another domain that is a member of a local group is renamed or moved, it updates the phantom record the group uses to refer to that member. It should not be placed on a global catalog server unless every DC in the domain is a global catalog (or the Recycle Bin is enabled), because a GC never holds stale phantoms and the role would then silently do nothing.
Organizational Units (OUs)
OUs are containers used to organize and manage users, computers, and other objects in Active Directory. They enable granular control over policies and security.
Active Directory Recycle Bin
The Active Directory Recycle Bin (forest functional level Windows Server 2008 R2 or higher) keeps deleted objects with all their attributes, including group memberships, so they can be restored intact rather than reanimated from a stripped tombstone or recovered from a backup. Once enabled it cannot be turned off.
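The PowerShell below is an added example (not from the original page) covering both the tombstone lifetime and the Recycle Bin: it reads the forest-wide tombstoneLifetime and msDS-DeletedObjectLifetime values from the Directory Service object, enables the Recycle Bin if it is off, lists deleted objects matching a name and restores them to their original parent. It requires the RSAT ActiveDirectory module and Enterprise Admin rights for the enable step; the user name `alice` is hypothetical.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsSvc = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# tombstoneLifetime: days a deleted object survives before garbage collection. An unset value means
# the pre-Windows Server 2003 SP1 default of 60 days; forests created later are set to 180.
$tsl = if ($dsSvc.tombstoneLifetime) { $dsSvc.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"
# msDS-DeletedObjectLifetime: days a Recycle Bin object keeps its attributes; unset = same as tombstoneLifetime.
"Deleted object lifetime: $($dsSvc.'msDS-DeletedObjectLifetime')"

# Enable the Recycle Bin once (forest functional level 2008 R2 or higher; cannot be undone).
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).RootDomain -Confirm:$false
}

# Deleted objects live under the Deleted Objects container and are hidden from normal queries;
# -IncludeDeletedObjects makes them visible. lastKnownParent is where a restore puts them back.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "alice*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass

$deleted | Select-Object Name, objectClass, lastKnownParent, whenChanged

# Restore by GUID: the deleted object's name has the original RDN mangled with "\0ADEL:<guid>".
foreach ($obj in $deleted | Where-Object objectClass -eq 'user') {
    Restore-ADObject -Identity $obj.ObjectGUID
}
```

A restore fails if `lastKnownParent` itself has been deleted; restore the parent container first, then the children. Objects older than msDS-DeletedObjectLifetime have already been stripped to tombstones and come back without their attributes, which is why the two lifetimes matter to an incident responder deciding whether a backup is needed.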
Domain Trees and Forests
A domain tree is a hierarchical set of domains that share a contiguous DNS namespace: `sales.example.com` and `marketing.example.com` are children of `example.com` and belong to its tree. A forest is a collection of one or more domain trees that share a schema, configuration partition and global catalog; trees in the same forest may have unrelated namespaces. The forest is named after its first domain, the forest root domain, which is also where the Enterprise Admins and Schema Admins groups live.
Replication in Active Directory
Active Directory uses multi-master replication: any writable domain controller accepts changes and forwards them to its replication partners, so every DC converges on the same data. This keeps the directory available when a DC fails, lets clients use a nearby DC for logon, and means no single DC is a single point of loss. Replication within a site is triggered by change notification within seconds; between sites it follows the schedule and interval configured on the site link.
Active Directory Ports
Service | Port(s) |
---|---|
RPC Endpoint Mapper | 135 TCP |
NetBIOS Name Service | 137 UDP |
NetBIOS Datagram Service | 138 UDP |
NetBIOS Session Service | 139 TCP |
SMB over IP (Microsoft-DS; SYSVOL, NETLOGON) | 445 TCP |
LDAP | 389 TCP, UDP |
LDAP over SSL/TLS | 636 TCP |
Global Catalog LDAP | 3268 TCP |
Global Catalog LDAP over SSL/TLS | 3269 TCP |
Kerberos | 88 TCP, UDP |
Kerberos password change (kpasswd) | 464 TCP, UDP |
DNS | 53 TCP, UDP |
NTP (time sync from the PDC Emulator) | 123 UDP |
WINS Resolution | 1512 TCP, UDP |
WINS Replication | 42 TCP, UDP |
RPC (replication, Netlogon, DCOM) | Dynamic TCP ports negotiated via 135: 49152-65535 on Windows Server 2008 and later, 1024-5000 on older releases, unless pinned in the registry |
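As an added example (not from the original page), this PowerShell probes the TCP ports a domain member needs to reach a domain controller, lists the dynamic-range RPC listeners on the local host, and records where the replication and Netlogon RPC ports are pinned when a firewall cannot open the whole range. The DC name `dc01.corp.example` is hypothetical. Test-NetConnection only speaks TCP, so the UDP services (DNS, Kerberos, NTP) are noted but not probed.

```powershell
# Added example, not from the original page. Hypothetical DC name.
$dc = 'dc01.corp.example'

# TCP ports a domain member must reach on a DC. UDP 53/88/123/389 are used too but cannot be
# probed with Test-NetConnection; check those with nslookup, klist and w32tm instead.
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global catalog'
    3269 = 'Global catalog over TLS'
}

$results = foreach ($p in $ports.Keys) {
    $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Service = $ports[$p]; Open = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
$closed = ($results | Where-Object { -not $_.Open }).Port
if ($closed) { Write-Warning "Blocked toward ${dc}: $($closed -join ', ')" }

# RPC-based services (replication, Netlogon, DCOM) pick a port from the dynamic range after the
# client asks port 135; on Windows Server 2008 and later that range is 49152-65535 unless pinned.
$ephemeral = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge 49152 -and $_.LocalPort -le 65535 } |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
"Dynamic-range TCP listeners on this host: $($ephemeral -join ', ')"

# Pinning the AD replication and Netlogon RPC ports is done on the DC (reboot required), so a
# firewall only needs 135 plus the two fixed ports instead of the whole dynamic range:
#   HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters     "TCP/IP Port" (REG_DWORD)
#   HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters "DCTcpipPort" (REG_DWORD)
```

Running the probe from a segment that is supposed to be isolated from the DCs is a quick way to verify that a firewall rule set actually does what its documentation claims; 445 and 389 being reachable from an untrusted segment is the usual finding.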
Tools for Editing Active Directory
ADSI Edit (adsiedit.msc) is an MMC snap-in, not a command-line tool. It gives low-level access to every naming context, object and attribute in Active Directory, including ones the standard consoles hide. Because it writes straight to the directory with no validation, it is the tool of choice for schema and configuration fixes and equally capable of breaking the domain; LDP.exe and the ActiveDirectory PowerShell module (Get-ADObject / Set-ADObject) provide the same access from the command line.
Managing Trust Relationships from the Command Prompt
The netdom.exe command-line tool creates, verifies, resets and removes trust relationships (netdom trust), and also joins machines to a domain, renames computers and lists FSMO role holders (netdom query fsmo). The ActiveDirectory module's Get-ADTrust shows the same trust objects from PowerShell.
SID (Security Identifier)
A SID is the unique, never-reused identifier Windows uses for a security principal (user, group or computer). Domain SIDs have the form S-1-5-21-<three 32-bit domain components>-<RID>: the first part is identical for every principal in the domain and the trailing RID identifies the principal. Access control lists store SIDs, not names, so renaming an account does not change its access, and a deleted account's permissions linger as orphaned SIDs in ACLs.
PDC Emulator
The PDC (Primary Domain Controller) Emulator is the authoritative time source for its domain (the forest root's PDC Emulator is the time source for the whole forest), receives urgent replication of password changes and is consulted by other DCs before they reject a password that may have just been changed, processes account lockouts, is the preferred DC for Group Policy edits, and acts as the domain master browser and as a PDC for any remaining Windows NT 4.0 BDCs (Backup Domain Controllers) and pre-Windows 2000 clients. To check that it is working, verify that the other DCs synchronise time from it, that a password changed on one DC is accepted immediately on another, that lockouts are registered, and that any legacy BDCs still replicate from it.
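This PowerShell is an added example (not from the original page) tying together the RID Master, SID and PDC Emulator sections: it lists all five FSMO role holders, runs the time and RID pool checks described above, decodes a user's SID into domain SID and RID, and uses the fixed RID 500 to find the built-in Administrator regardless of what it has been renamed to. It needs the ActiveDirectory module and the dcdiag and w32tm tools; the user name `alice` is hypothetical.

```powershell
# Added example, not from the original page. Hypothetical user name alice.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# The five FSMO roles: three per domain, two per forest.
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# PDC Emulator checks: it sits at the top of the domain time hierarchy, so only it should use an
# external source and every other DC should report the PDC as its source. /monitor shows each
# DC's offset from the DC it syncs against.
w32tm /query /source
w32tm /monitor /domain:$($domain.DNSRoot)

# RID Master checks: each DC creates objects from a pool the RID Master allocated to it.
# dcdiag confirms the role holder is reachable and the local pool is valid, and reports its usage.
dcdiag /test:RidManager /v /s:$($domain.RIDMaster)

# A SID is the domain SID plus a RID; decode one to see the split.
$sid = (Get-ADUser -Identity 'alice').SID
$rid = [int]$sid.Value.Substring($sid.Value.LastIndexOf('-') + 1)
"Domain SID: $($sid.AccountDomainSid)   RID: $rid"

# Well-known RIDs never change, so the built-in Administrator (RID 500) can always be located
# even when it has been renamed; Get-ADUser accepts a SID string as the identity.
Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate
```

The RID 500 lookup is worth remembering from both sides: defenders use it to confirm the real Administrator is disabled or monitored, and attackers use it for exactly the same reason, which is why renaming that account provides no real protection.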