Active Directory (AD) is a cornerstone of modern IT environments, providing critical services for user and resource management across enterprises. This article gives a list of interview questions and answers tailored for experienced candidates.
These questions cover advanced topics and real-world scenarios, designed to help you showcase your in-depth knowledge and practical experience with AD. Whether you’re aiming for a senior IT position or looking to sharpen your expertise, these questions will prepare you to confidently tackle any interview challenges related to Active Directory.
Active Directory Interview Questions and Answers for Experienced
1. What is Active Directory?
2. What are the different types of Active Directory partitions?
3. Explain the difference between Domain Local, Global, and Universal groups.
4. What is Group Policy in Active Directory?
5. How do you troubleshoot replication issues in Active Directory?
6. Explain the process of promoting a server to a domain controller.
7. What is SYSVOL in Active Directory?
8. How do you recover a deleted object in Active Directory?
9. Explain the purpose of FSMO roles.
10. What is LDAP? How is it related to Active Directory?
11. How do you migrate Active Directory to a new server?
12. Explain the concept of trusts in Active Directory.
13. What are Service Principal Names (SPNs) in Active Directory?
14. How do you monitor Active Directory performance?
15. Explain the process of upgrading the Active Directory schema.
16. What is a Global Catalog (GC) in Active Directory?
17. How do you delegate administrative control in Active Directory?
18. Explain the difference between authentication and authorization in Active Directory.
19. What is LDIFDE and how is it used in Active Directory?
20. How do you secure Active Directory against common attacks?
21. Explain the process of deploying Active Directory Certificate Services (AD CS).
22. What are Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs)?
23. How does Active Directory integrate with DNS?
24. What are the best practices for Active Directory backup and recovery?
25. Explain the concept of Group Policy Preferences (GPP).
26. What are the main components of Active Directory?
27. Explain the difference between a domain and a forest in Active Directory
28. What is a Group Policy Object (GPO), and how is it used?
29. Explain the difference between a Security Group and a Distribution Group.
30. What is FSMO (Flexible Single Master Operation), and what are the FSMO roles?
31. What is the difference between a child domain and a subdomain?
32. Explain the concept of Trust Relationships in Active Directory.
33. What is the purpose of an Organizational Unit (OU) in Active Directory?
34. How do you secure an Active Directory environment?
35. What is Active Directory Federation Services (AD FS)?
36. How does Active Directory handle password policies?
37. What is the difference between a roaming profile and a mandatory profile?
38. Explain the concept of Active Directory Sites and Site Links.
39. What is ADSI (Active Directory Service Interfaces)?
40. Explain the process of Domain Controller promotion.
41. What is the difference between an Attribute and an Object in Active Directory?
42. What is ADAC (Active Directory Administrative Center), and how is it different from ADUC?
43. Explain the concept of Fine-Grained Password Policies.
44. What is the Active Directory schema, and how would you extend it?
45. How would you plan and implement an Active Directory migration?
1. What is Active Directory?
Answer:
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all devices and installing or updating software.
2. What are the different types of Active Directory partitions?
Answer:
Active Directory partitions include Schema, Configuration, Domain, and Application partitions. Each serves a specific role in managing directory data.
3. Explain the difference between Domain Local, Global, and Universal groups.
Answer:
- Domain Local groups: used to assign permissions to resources in the group's own domain; they can contain accounts and groups from any trusted domain.
- Global groups: contain accounts from their own domain only, but can be granted access to resources in any trusted domain.
- Universal groups: can contain accounts and groups from any domain in the forest and can be granted access to resources across all trusted domains; their membership is stored in the Global Catalog.
4. What is Group Policy in Active Directory?
Answer:
Group Policy allows administrators to manage and control user and computer settings centrally through Group Policy Objects (GPOs) in Active Directory.
5. How do you troubleshoot replication issues in Active Directory?
Answer:
Use tools like Repadmin and Active Directory Sites and Services to check replication status, review event logs for errors, and ensure proper connectivity and DNS resolution between domain controllers.
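A scripted version of those checks, added here as an example and not taken from the article. It assumes the RSAT ActiveDirectory module and repadmin.exe are installed and that the caller can read replication metadata on every domain controller.

```powershell
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. DNS: every DC must be reachable through the _msdcs SRV records; a DC missing
#    here cannot be located by its replication partners or by clients.
Write-Host "DC SRV records for $domain"
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port | Format-Table -AutoSize

# 2. Replication failures as reported by each DC in the domain.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $failures = Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue
    if ($failures) {
        Write-Warning "$dc reports $(@($failures).Count) replication failure(s)"
        $failures |
            Select-Object Partner, FailureType, FailureCount, FirstFailureTime, LastError |
            Format-Table -AutoSize
    } else {
        Write-Host "${dc}: no replication failures reported"
    }
}

# 3. Per-partner metadata: a LastReplicationSuccess that is hours old on an
#    intra-site link usually means connectivity, DNS or secure-channel trouble.
Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Sort-Object LastReplicationSuccess |
    Format-Table -AutoSize

# 4. Classic one-screen summary: a non-zero "fails" column or a large "largest delta"
#    is the place to start, then drill down with repadmin /showrepl <dc>.
repadmin /replsummary
```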
6. Explain the process of promoting a server to a domain controller.
Answer:
Install the Active Directory Domain Services (AD DS) role, run the dcpromo command (on Windows Server 2012 and later, dcpromo is replaced by the AD DS Configuration Wizard in Server Manager or the Install-ADDSDomainController cmdlet), and follow the wizard to configure the server as a domain controller.
7. What is SYSVOL in Active Directory?
Answer:
SYSVOL is a shared directory that stores the server copy of the domain’s public files like policies and scripts for Group Policy, which are replicated to all domain controllers in the domain.
8. How do you recover a deleted object in Active Directory?
Answer:
Use the Active Directory Recycle Bin feature (if enabled) or perform an authoritative restore from a backup using tools like Windows Server Backup.
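The Recycle Bin path as an added example (not from the article): enable the feature once, then find and restore a deleted user. It assumes the ActiveDirectory module, Enterprise Admin rights for the enable step, and a placeholder account "jdoe".

```powershell
Import-Module ActiveDirectory

# One-time, forest-wide and irreversible: enable the optional feature if it is not on yet.
# Requires Enterprise Admins and forest functional level Windows Server 2008 R2 or higher.
$forestName = (Get-ADForest).Name
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false
}

# With the Recycle Bin on, a deleted object keeps its attributes (isDeleted=TRUE,
# mangled CN) for msDS-DeletedObjectLifetime days, so it can be found by its old name.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -Properties sAMAccountName, LastKnownParent, whenChanged

if (-not $deleted) {
    Write-Warning 'No deleted object named jdoe found: lifetime expired, or it never existed.'
} else {
    $deleted | Select-Object Name, LastKnownParent, whenChanged | Format-List
    # Restore-ADObject puts it back under LastKnownParent with SID, group membership
    # and attributes intact; pass -TargetPath if that parent OU was deleted as well.
    $deleted | Restore-ADObject
    Get-ADUser -Identity jdoe | Select-Object Enabled, DistinguishedName
}
```

Without the Recycle Bin, a tombstone found the same way can be reanimated but has lost most of its attributes, which is when the authoritative restore from backup mentioned above becomes necessary.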
9. Explain the purpose of FSMO roles.
Answer:
FSMO (Flexible Single Master Operation) roles are specialized operations masters in Active Directory responsible for specific tasks like schema updates, domain naming, and handling password changes.
10. What is LDAP? How is it related to Active Directory?
Answer:
LDAP (Lightweight Directory Access Protocol) is an application protocol for accessing and maintaining directory services. Active Directory uses LDAP for communication and queries.
11. How do you migrate Active Directory to a new server?
Answer:
Prepare the new server with the same OS version, promote it as a domain controller, transfer FSMO roles, replicate data, decommission the old server, and verify the migration.
12. Explain the concept of trusts in Active Directory.
Answer:
Trusts establish relationships between domains to allow users in one domain to access resources in another. Trusts can be one-way or two-way and transitive or non-transitive.
13. What are Service Principal Names (SPNs) in Active Directory?
Answer:
SPNs are unique identifiers for services running on servers that use Kerberos authentication. They help clients locate a service instance in a network.
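An added example (not from the article) that indexes every registered SPN in the domain and flags duplicates: when two accounts claim the same SPN the KDC cannot tell which key to encrypt the service ticket with, so Kerberos fails for that service. It assumes the ActiveDirectory module; setspn.exe ships with the AD DS role and RSAT. "APP01" is a placeholder computer name.

```powershell
Import-Module ActiveDirectory

# Every user and computer object that has at least one SPN registered.
$accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, objectClass

# Build an spn -> [owners] index; the KDC matches SPNs case-insensitively.
$index = @{}
foreach ($acct in $accounts) {
    foreach ($spn in $acct.servicePrincipalName) {
        $key = $spn.ToLowerInvariant()
        if (-not $index.ContainsKey($key)) { $index[$key] = @() }
        $index[$key] += $acct.DistinguishedName
    }
}

# Report duplicates: two owners for one SPN is always a misconfiguration.
$dupes = $index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($dupes) {
    foreach ($d in $dupes) {
        Write-Warning "Duplicate SPN $($d.Key) registered on:"
        $d.Value | ForEach-Object { "    $_" }
    }
} else {
    Write-Host "No duplicate SPNs among $($index.Count) registered names"
}

# Built-in cross-check and the usual fix: -X finds duplicates, -F forest-wide,
# -L lists one account's SPNs, -D removes the stray registration.
setspn -X -F
setspn -L APP01
```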
14. How do you monitor Active Directory performance?
Answer:
Use Performance Monitor (PerfMon) to monitor AD-related counters (e.g., LDAP binds/sec, replication latency), review event logs, and use tools like AD Replication Status Tool.
15. Explain the process of upgrading the Active Directory schema.
Answer:
Use the adprep command to extend the schema for compatibility with newer versions of Windows Server before installing or upgrading domain controllers.
16. What is a Global Catalog (GC) in Active Directory?
Answer:
A Global Catalog is a distributed data repository that contains a searchable, partial representation of all objects in every domain within a forest, facilitating forest-wide searches and user authentication.
17. How do you delegate administrative control in Active Directory?
Answer:
Use Active Directory Users and Computers (ADUC) or Active Directory Administrative Center (ADAC) to assign specific administrative tasks or permissions to users or groups.
18. Explain the difference between authentication and authorization in Active Directory.
Answer:
Authentication verifies the identity of users and computers attempting to access resources. Authorization determines the level of access or permissions granted to authenticated users.
19. What is LDIFDE and how is it used in Active Directory?
Answer:
LDIFDE (LDAP Data Interchange Format Data Exchange) is a command-line tool used to import and export data from Active Directory using LDIF files, allowing bulk modifications.
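An added example (not from the article) of the LDIF format in practice: bulk-creating two disabled test users from an LDIF file, then exporting an OU with a filter and attribute list. DNs, account names and paths are placeholders; ldifde.exe is present on domain controllers and with RSAT.

```powershell
# LDIF: one record per object, separated by a blank line. userAccountControl 514
# = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2); passwords cannot be set through
# LDIF over a plain LDAP bind, so create the accounts disabled and set them after.
$ldif = @"
dn: CN=Test User One,OU=Staff,DC=corp,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: tuser1
userPrincipalName: tuser1@corp.example.com
displayName: Test User One
userAccountControl: 514

dn: CN=Test User Two,OU=Staff,DC=corp,DC=example,DC=com
changetype: add
objectClass: user
sAMAccountName: tuser2
userPrincipalName: tuser2@corp.example.com
displayName: Test User Two
userAccountControl: 514

"@
Set-Content -Path .\new-users.ldf -Value $ldif -Encoding ASCII

# Import: -i import mode, -f file, -k keep going past "object already exists" and
# constraint-violation errors, -j write ldif.log and ldif.err to this folder.
ldifde -i -f .\new-users.ldf -k -j .

# Export only what is needed: -d base DN, -r LDAP filter, -l attribute list.
# Leaving -l off dumps every readable attribute, SIDs and timestamps included.
ldifde -f .\staff-users.ldf -d "OU=Staff,DC=corp,DC=example,DC=com" `
    -r "(&(objectClass=user)(objectCategory=person))" `
    -l "sAMAccountName,displayName,userPrincipalName,memberOf"

# Set an initial password and enable each imported account with the AD module.
Import-Module ActiveDirectory
foreach ($u in 'tuser1', 'tuser2') {
    Set-ADAccountPassword -Identity $u -Reset `
        -NewPassword (Read-Host "Password for $u" -AsSecureString)
    Enable-ADAccount -Identity $u
}
```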
20. How do you secure Active Directory against common attacks?
Answer:
Implement strong password policies, enable multi-factor authentication, regularly patch and update systems, monitor and audit AD logs, and restrict administrative privileges.
21. Explain the process of deploying Active Directory Certificate Services (AD CS).
Answer:
Install the AD CS role, configure certificate templates, issue certificates, and manage certificate revocation using the Certificate Authority (CA) and Certificate Management Console.
22. What are Managed Service Accounts (MSAs) and Group Managed Service Accounts (gMSAs)?
Answer:
A standalone MSA is bound to a single computer and can run services only on that host, while a gMSA can be used by services on multiple servers; in both cases Active Directory manages and rotates the account password automatically, so no administrator ever knows or types it.
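The gMSA workflow as an added example (not the article's own code): group, account, host and DNS names are placeholders, and it assumes the ActiveDirectory module plus Domain Admin rights for the KDS key and account-creation steps.

```powershell
Import-Module ActiveDirectory

# 1. One KDS root key per forest. Even with -EffectiveImmediately the key is usable
#    only after about 10 hours of replication; a single-DC lab can instead pass
#    -EffectiveTime ((Get-Date).AddHours(-10)).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. A group of the computers allowed to retrieve the password. Granting a group
#    rather than individual hosts keeps the principal list auditable over time.
New-ADGroup -Name 'gMSA-App1-Hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=ServiceGroups,DC=corp,DC=example,DC=com'
Add-ADGroupMember -Identity 'gMSA-App1-Hosts' -Members 'APP01$', 'APP02$'

# 3. The account itself. No password is ever typed: AD rotates it every
#    ManagedPasswordIntervalInDays and the hosts fetch it using the KDS key.
$params = @{
    Name                                       = 'svc-app1'
    DNSHostName                                = 'svc-app1.corp.example.com'
    PrincipalsAllowedToRetrieveManagedPassword = 'gMSA-App1-Hosts'
    ManagedPasswordIntervalInDays              = 30
    KerberosEncryptionType                     = 'AES128', 'AES256'
    ServicePrincipalNames                      = 'HTTP/app1.corp.example.com'
}
New-ADServiceAccount @params

# 4. On each host (after a reboot so the new group membership is in its token):
#    Install caches the password locally; Test returns $true when the host can
#    retrieve it, which is the first check when a service using the gMSA will not start.
Install-ADServiceAccount -Identity 'svc-app1'
Test-ADServiceAccount -Identity 'svc-app1'

# 5. Audit: who can read the password, and how often it rotates.
Get-ADServiceAccount -Identity 'svc-app1' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Select-Object SamAccountName, PrincipalsAllowedToRetrieveManagedPassword,
                  'msDS-ManagedPasswordInterval'
```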
23. How does Active Directory integrate with DNS?
Answer:
Active Directory relies on DNS for domain name resolution and service location (SRV) records to locate domain controllers and other AD-related services.
24. What are the best practices for Active Directory backup and recovery?
Answer:
Regularly back up system state data and AD databases, test backups periodically, use authoritative restores when needed, and ensure backups include critical system and configuration data.
25. Explain the concept of Group Policy Preferences (GPP).
Answer:
GPP extends Group Policy functionality by providing more flexible options to manage registry settings, mapped drives, scheduled tasks, and other preferences for users and computers.
26. What are the main components of Active Directory?
Answer: The main components of Active Directory are:
- Domain Controllers
- Organizational Units (OUs)
- Objects (users, groups, computers)
- Group Policy Objects (GPOs)
- Sites
- Domains
- Forests
- Trust Relationships
27. Explain the difference between a domain and a forest in Active Directory.
Answer:
A domain is a logical group of network objects (users, devices, groups) that share the same AD database. A forest is a collection of one or more domains that share a common schema, configuration, and global catalog.
28. What is a Group Policy Object (GPO), and how is it used?
Answer:
A Group Policy Object is a collection of settings that define what a system will look like and how it will behave for a defined group of users. GPOs are used to manage user and computer settings on a network.
29. Explain the difference between a Security Group and a Distribution Group.
Answer:
A Security Group is used to assign permissions to shared resources and can be used for email distribution. A Distribution Group is used only for email distribution and cannot be used to assign permissions.
30. What is FSMO (Flexible Single Master Operation), and what are the FSMO roles?
Answer: FSMO roles are specialized domain controller roles used in Active Directory. The five FSMO roles are:
- Schema Master
- Domain Naming Master
- RID Master
- PDC Emulator
- Infrastructure Master
31. What is the difference between a child domain and a subdomain?
Answer:
A child domain is a separate domain that is created beneath a parent domain in the same forest. A subdomain is typically just a DNS naming convention and doesn’t imply a separate AD domain structure.
32. Explain the concept of Trust Relationships in Active Directory.
Answer:
Trust Relationships allow users in one domain to access resources in another domain. Trusts can be one-way or two-way, and can be established between domains in the same forest (implicit) or different forests (explicit).
33. What is the purpose of an Organizational Unit (OU) in Active Directory?
Answer:
OUs are used to organize objects within a domain, create a hierarchy, delegate administration, and apply group policies to specific sets of objects.
34. How do you secure an Active Directory environment?
Answer: Some ways to secure AD include:
- Implementing least privilege access
- Using strong password policies
- Enabling auditing and monitoring
- Regularly patching and updating systems
- Implementing multi-factor authentication
- Using Group Policy to enforce security settings
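A starting point for the "least privilege" and "auditing and monitoring" items in questions 20 and 34, added here as an example and not taken from the article: it walks the built-in privileged groups and flags the account settings that most often undermine them. It assumes the ActiveDirectory module and read access to the domain; the 90-day and one-year thresholds are arbitrary choices.

```powershell
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators'
$protectedUsers = (Get-ADGroup -Identity 'Protected Users' -ErrorAction SilentlyContinue).DistinguishedName
$now = Get-Date

$findings = foreach ($g in $privGroups) {
    # -Recursive resolves nested groups, so a user three groups deep still shows up.
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, PasswordNeverExpires,
                PasswordLastSet, LastLogonDate, ServicePrincipalName, MemberOf
        $issues = @()
        if ($u.PasswordNeverExpires) { $issues += 'password never expires' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $now.AddDays(-365)) {
            $issues += 'password not changed in a year'
        }
        if ($u.ServicePrincipalName) {
            # A privileged user with an SPN exposes its password to offline guessing
            # through Kerberos service tickets; run the service under a gMSA instead.
            $issues += 'SPN registered on a privileged user'
        }
        if ($protectedUsers -and $u.MemberOf -notcontains $protectedUsers) {
            $issues += 'not in Protected Users'
        }
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt $now.AddDays(-90)) {
            $issues += 'enabled but no logon in 90 days'
        }
        if ($issues) {
            [pscustomobject]@{ Group = $g; User = $u.SamAccountName; Issues = ($issues -join '; ') }
        }
    }
}

$findings | Sort-Object Group, User | Format-Table -AutoSize

# Accounts with adminCount=1 that are no longer in any privileged group still carry
# the AdminSDHolder ACL; they are a common leftover worth reviewing as well.
Get-ADUser -Filter 'adminCount -eq 1' | Select-Object SamAccountName, DistinguishedName
```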
35. What is Active Directory Federation Services (AD FS)?
Answer: AD FS is a Microsoft Windows Server feature that provides single sign-on access to systems and applications located across organizational boundaries.
36. How does Active Directory handle password policies?
Answer:
Password policies in AD are typically managed through Group Policy. You can set requirements for password length, complexity, history, and account lockout settings.
37. What is the difference between a roaming profile and a mandatory profile?
Answer:
A roaming profile allows users to access their desktop and documents on any computer in the domain, and changes are saved. A mandatory profile is a pre-configured roaming profile that users cannot change permanently.
38. Explain the concept of Active Directory Sites and Site Links.
Answer:
Sites in AD represent the physical structure of your network. Site Links define the connectivity between sites for purposes of replication and client affinity.
39. What is ADSI (Active Directory Service Interfaces)?
Answer:
ADSI is a set of COM interfaces used to access the features of directory services from different network providers in a distributed computing environment.
40. Explain the process of Domain Controller promotion.
Answer: To promote a server to a Domain Controller:
- Install the Active Directory Domain Services role
- Run the Active Directory Domain Services Configuration Wizard
- Choose to add a domain controller to an existing domain or create a new domain
- Provide necessary information (credentials, paths for AD database, log files, and SYSVOL)
- Review options and complete the promotion
41. What is the difference between an Attribute and an Object in Active Directory?
Answer:
An Object in AD represents a single entity like a user, computer, or group. An Attribute is a characteristic or property of an object, such as a user’s email address or a computer’s operating system.
42. What is ADAC (Active Directory Administrative Center), and how is it different from ADUC?
Answer:
ADAC is a newer management console introduced in Windows Server 2008 R2. It provides a task-oriented interface for AD management. ADUC (Active Directory Users and Computers) is the traditional MMC snap-in for managing AD objects.
43. Explain the concept of Fine-Grained Password Policies.
Answer:
Fine-Grained Password Policies allow you to specify multiple password policies within a single domain. This feature enables you to define different password and account lockout policies for different sets of users in a domain.
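The password-policy mechanics from questions 36 and 43 as one added example (not from the article): reading the domain default that comes from Group Policy, then layering a stricter fine-grained policy on top for privileged accounts. It assumes the ActiveDirectory module, Domain Admin rights, and a placeholder account "adm-jdoe".

```powershell
Import-Module ActiveDirectory

# The domain-wide baseline comes from the Default Domain Policy GPO and applies to
# every account not matched by a fine-grained policy (Password Settings Object, PSO).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# A PSO for privileged accounts. Lower Precedence wins when a user matches several.
$pso = @{
    Name                            = 'PSO-PrivilegedAccounts'
    Precedence                      = 10
    MinPasswordLength               = 20
    ComplexityEnabled               = $true
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'    # days.hours:minutes:seconds
    MaxPasswordAge                  = '90.00:00:00'
    LockoutThreshold                = 5
    LockoutDuration                 = '00:30:00'
    LockoutObservationWindow        = '00:30:00'
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Domain Admins', 'Schema Admins'

# Always verify the resultant policy: it shows which PSO actually won for an
# account, which is what matters during a lockout investigation.
Get-ADUserResultantPasswordPolicy -Identity 'adm-jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

When no PSO matches an account, Get-ADUserResultantPasswordPolicy returns nothing and the domain default shown by Get-ADDefaultDomainPasswordPolicy is what applies.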
44. What is the Active Directory schema, and how would you extend it?
Answer:
The AD schema defines all object types and their attributes that can be stored in Active Directory. To extend the schema, you would use tools like ADSI Edit or the Schema Management MMC snap-in to add new object classes or attributes.
45. How would you plan and implement an Active Directory migration?
Answer: Planning an AD migration involves:
- Assessing the current environment
- Defining the target environment
- Choosing a migration method (in-place upgrade, phased migration, or forest restructure)
- Planning for user, computer, and resource migration
- Testing the migration process
- Executing the migration
- Post-migration cleanup and optimization
These questions cover a range of topics that a candidate with 3+ years of experience in Active Directory should be familiar with. Remember to add info to your answers based on your specific experiences and the technologies you’ve worked with.