
Active Directory (AD) Real Time Interview Questions and Answers

What is Active Directory?

Active Directory (AD) is a directory service developed by Microsoft. It stores objects such as users, computers, printers and network information, and lets you manage your network effectively with multiple Domain Controllers in different locations sharing the AD database: you can manage or change AD from any Domain Controller and the change is replicated to all other DCs, which gives centralized administration across multiple geographical locations. AD also authenticates users and computers in a Windows domain.

What is LDAP and how the LDAP been used on Active Directory(AD)?

LDAP (Lightweight Directory Access Protocol) is a directory service protocol that provides a mechanism to connect to, query and update directories such as Active Directory. LDAP directory services are based on a client-server model. The data model (data and namespace) of LDAP is similar to the X.500 directory service standards.

Active Directory differs from an X.500 directory: it uses LDAP as its access protocol and supports the X.500 information model without requiring systems to host the entire X.500 overhead. This gives a high level of interoperability for administering complex networks.

LDAP naming paths are used to access Active Directory objects and include the following:

Distinguished Name
Relative Distinguished Name

Distinguished Name
The Distinguished Name gives the complete path of the object.

For example:

cn=Ganesh,ou=Consultants,ou=Users,dc=Domain,dc=com

Relative Distinguished Name
The Relative Distinguished Name is the portion of the Distinguished Name that uniquely identifies the object, for example:

cn=Ganesh
ou=Consultants
dc=Domain

The keywords are:

cn: Common Name
ou: Organizational Unit
dc: Domain Component

These are the three keywords mainly used in Active Directory LDAP. Other directory systems (such as Sun ONE or Unix LDAP directories) often use different keywords for their container objects, which are not used in Active Directory LDAP:

l: Location
o: Organization
st: State/Province/Federal State
c: Country

The keyword organization (o) is often used as the top level of a non-AD directory system, whereas the dc keywords always represent the top level in Active Directory environments.

Complete LDAP Paths

If you are running a VBScript, not only the Distinguished Name (DN) of the directory object has to be provided but a complete LDAP path name in URL (Uniform Resource Locator) form.

Two elements need to be added to the distinguished name: the label of the LDAP protocol and the name of the server to which you want to connect.

For example:

LDAP://server/distinguished-name

If the server name is not given, the path is resolved from the local PC where the query runs:

LDAP://cn=Ganesh,ou=Consultants,ou=Users,dc=Domain,dc=com
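The two naming concepts above (splitting a DN into its RDNs and turning a DN into a complete LDAP path) as an added PowerShell example; this is not code from the original page. The DN is the page's own sample, while the server name dc01.domain.com is a placeholder we made up for illustration.

```powershell
# Added example (not from the original page): split a distinguished name into its
# RDNs, show what each keyword means, and build a complete LDAP:// path.
# The DN is the page's sample; "dc01.domain.com" is a placeholder server name.

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Walk the string one character at a time so that a comma escaped with a
    # backslash (e.g. "cn=Smith\, John") stays inside its RDN instead of
    # splitting it, as the LDAP DN syntax (RFC 4514) requires.
    $rdns    = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $DistinguishedName.Length; $i++) {
        $ch = $DistinguishedName[$i]
        if ($ch -eq '\' -and $i + 1 -lt $DistinguishedName.Length) {
            [void]$current.Append($ch).Append($DistinguishedName[$i + 1])
            $i++
        } elseif ($ch -eq ',') {
            $rdns.Add($current.ToString().Trim())
            [void]$current.Clear()
        } else {
            [void]$current.Append($ch)
        }
    }
    $rdns.Add($current.ToString().Trim())

    # AD keywords plus the non-AD ones the text lists, so foreign DNs decode too.
    $keywords = @{ cn = 'Common Name'; ou = 'Organizational Unit'; dc = 'Domain Component';
                   l = 'Location'; o = 'Organization'; st = 'State/Province'; c = 'Country' }
    foreach ($rdn in $rdns) {
        $type, $value = $rdn -split '=', 2
        [pscustomobject]@{
            Rdn     = $rdn
            Type    = $type.ToLower()
            Meaning = $keywords[$type.ToLower()]
            Value   = $value
        }
    }
}

function New-LdapPath {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Server   # omit for a serverless path, as the text describes
    )
    if ($Server) { "LDAP://$Server/$DistinguishedName" } else { "LDAP://$DistinguishedName" }
}

$dn = 'cn=Ganesh,ou=Consultants,ou=Users,dc=Domain,dc=com'
# The first RDN (cn=Ganesh) names the object; the remaining RDNs are its containers.
Split-DistinguishedName -DistinguishedName $dn | Format-Table -AutoSize
New-LdapPath -DistinguishedName $dn
New-LdapPath -DistinguishedName $dn -Server 'dc01.domain.com'
```

The escape handling is the part worth noticing: a naive `-split ','` breaks on any DN whose CN contains a comma, which is common for display names written "Last, First".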

What is a Tree?
A Tree is a hierarchical arrangement of Windows domains that share a contiguous namespace.

What is a Domain?
Active Directory Domain Services is Microsoft's directory server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.

What is an Active Directory Domain Controller (DC)?

A Domain Controller is the server that holds the AD database. All AD changes get replicated to the other DCs and vice versa.

What is a Forest?
A Forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace; however, they share a common schema and global catalog (GC).

What is the Schema?
The Active Directory schema is the set of definitions that define the kinds of objects, and the types of information about those objects, that can be stored in Active Directory.

The Active Directory schema is a collection of object classes and their attributes, for example:

Object Class = User
Attributes = first name, last name, email, and others

Can we restore a schema partition?

The straightforward answer is NO. Any change made to the schema cannot be reverted by deletion or restore; however, we can deactivate the change (for example an attribute). There is no supported way of restoring the schema from backup and you cannot do an authoritative restore of the schema partition; the only option is to do a forest recovery.

If only a single DC is affected, you can simply remove that DC by performing a metadata cleanup.

Here are some alternatives for potential roll-back strategies:

1. Isolate the schema master by disabling inbound/outbound replication, then perform the schema update on the schema master. If something goes bad, blow up the schema master and repair the rest of the forest (seize the schema master role on another DC and clean out the old schema master).

2. Shut down/stop replication on selected DCs, maybe 2 DCs from each domain, and do the schema upgrade. If something goes bad, kill all the DCs that were online and may have replicated the bad schema, light up the DCs that were offline and repair/restore your forest. Please see the best practice for schema changes.
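Roll-back strategy 1 scripted, as an added example that is not from the original page: it finds the schema master, switches off its inbound and outbound replication with repadmin, confirms the flags took effect, and re-enables replication only if the change is judged good. It assumes the ActiveDirectory module and repadmin.exe (RSAT) are installed and that the account holds Schema Admin rights.

```powershell
# Added example (not from the original page): isolate the schema master before a
# schema change, verify the isolation, then re-enable replication afterwards.
# Assumes RSAT (ActiveDirectory module + repadmin.exe) and Schema Admin rights.

Import-Module ActiveDirectory

function Get-SchemaMaster {
    # Forest-wide role holder, returned as the DC's FQDN.
    (Get-ADForest).SchemaMaster
}

function Set-DcReplicationIsolation {
    param(
        [Parameter(Mandatory)][string]$Dc,
        [Parameter(Mandatory)][ValidateSet('Isolate','Restore')][string]$Mode
    )
    # repadmin /options toggles DSA options on the named DC: "+" sets, "-" clears.
    $sign = if ($Mode -eq 'Isolate') { '+' } else { '-' }
    & repadmin /options $Dc "${sign}DISABLE_INBOUND_REPL"
    & repadmin /options $Dc "${sign}DISABLE_OUTBOUND_REPL"
}

function Test-DcIsolated {
    param([Parameter(Mandatory)][string]$Dc)
    # With no +/- argument repadmin /options prints the current option flags.
    $out = (& repadmin /options $Dc) -join ' '
    ($out -match 'DISABLE_INBOUND_REPL') -and ($out -match 'DISABLE_OUTBOUND_REPL')
}

$schemaMaster = Get-SchemaMaster
Write-Host "Schema master is $schemaMaster"

# 1. Isolate the schema master so a bad schema change cannot replicate out.
Set-DcReplicationIsolation -Dc $schemaMaster -Mode Isolate
if (-not (Test-DcIsolated -Dc $schemaMaster)) {
    throw "Isolation of $schemaMaster did not take effect; do not proceed"
}

# 2. Run the schema update here (the application's schema extension tool),
#    then validate the result on the schema master only.

# 3a. Change is good: re-enable replication and push it to all partners.
Set-DcReplicationIsolation -Dc $schemaMaster -Mode Restore
& repadmin /syncall $schemaMaster /AdeP

# 3b. Change is bad: leave replication disabled, seize the schema master role on
#     another DC and clean out the old one, as the text above describes.
```

The throw after the isolation check is the important safety step: if either flag did not stick, the schema change could replicate immediately and the roll-back plan no longer exists.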

Tell me about the FSMO roles?

Schema Master
Domain Naming Master
Infrastructure Master
RID Master
PDC

Schema Master and Domain Naming Master are forest-wide roles, with only one of each per forest; the other roles are domain-wide, with one of each per domain.

AD replication is multi-master replication: a change can be made on any Domain Controller and gets replicated to the other Domain Controllers, except for the above five roles. These are Flexible Single Master Operations (FSMO): their changes can only be made on the dedicated Domain Controller, so they are single-master replication.

How to check which server holds which role?

Netdom query FSMO

Which FSMO role is the most important? And why?

An interesting question: which role is most important out of the 5 FSMO roles, or which role's failure will impact the end-user immediately?

Most amateur administrators pick the Schema Master role; not sure why, maybe they think the schema is very critical to run Active Directory.

The correct answer is the PDC. Now the next question is why? Let me explain role by role what happens when a FSMO role holder fails, to find the answer.

Schema Master: the Schema Master is needed to update the schema. We don't update the schema daily, right? When do we update the schema? At the time of an operating system migration, when installing a new Exchange version, and for any other application that requires extending the schema. So if our Schema Master server is not available we cannot update the schema, and in no way is this going to affect Active Directory operation or the end-user.

The Schema Master only needs to be online and ready when we make a schema change, so we can plan and have more time to bring the Schema Master server back.

Domain Naming Master: the Domain Naming Master is required to create a new domain and to create an application partition. Like the Schema Master, we don't create domains and application partitions frequently. So if our Domain Naming Master server is not available we cannot create a new domain or application partition; it will not affect the user, and the user won't even be aware that the Domain Naming Master server is down.

Infrastructure Master: the Infrastructure Master handles cross-domain updates. What really gets updated between domains? Whenever a user logs on to the domain, a TGT is created with the list of access the user gets through group membership (user group membership details); it also contains the user's membership details from trusted domains. The Infrastructure Master keeps this information up to date: it updates reference information every 2 days by comparing its data with the Global Catalog (that's why we don't keep the Infrastructure Master and the GC on the same server).
In a single-domain, single-forest environment there is no impact if the Infrastructure Master server is down.

In a multi-domain or multi-forest environment there will be an impact, but we have enough time to fix the issue before it affects the end-user.

RID Master: every DC is initially issued 500 RIDs from the RID Master server. RIDs are used to create new objects in Active Directory: all new objects are created with a Security ID (SID), and the RID is the last part of the SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID.
When a DC gets down to 250 RIDs (50%) it requests a second pool of RIDs from the RID Master. If the RID Master server is not available, RID pools cannot be issued to DCs and each DC can only create new objects while it has RIDs available; every DC has anywhere between 250 and 750 RIDs available, so there is no immediate impact.

PDC: the PDC is required for time sync, user logon, password changes and trusts. Now you know why the PDC is the most important FSMO role holder to get back online: the PDC role impacts the end-user immediately and we need to recover it ASAP.
The PDC emulator emulates a Primary Domain Controller for backwards compatibility and is responsible for time synchronization within the domain; it is also the password master. Any password change is replicated to the PDC emulator ASAP. If a logon request fails due to a bad password, the logon request is passed to the PDC emulator to check the password before the logon request is rejected.
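A PowerShell counterpart to "netdom query fsmo" that also answers the "which one matters most" question operationally, added here as an example that is not from the original page: it lists the five role holders, checks whether each one answers on LDAP, and flags the PDC first. It assumes RSAT and read access to the forest; the PDC-first, Schema-last ordering follows the text, while the relative order of the middle three is our assumption.

```powershell
# Added example (not from the original page): list FSMO role holders, test each
# for LDAP reachability, and rank them by the urgency the text argues for.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.

Import-Module ActiveDirectory

function Get-FsmoHealth {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName

    # Priority 1 = fix first. PDC first and Schema Master last per the text;
    # the order of the middle three is an assumption.
    $roles = @(
        @{ Role = 'PDC Emulator';          Holder = $domain.PDCEmulator;          Scope = 'Domain'; Priority = 1 }
        @{ Role = 'RID Master';            Holder = $domain.RIDMaster;            Scope = 'Domain'; Priority = 2 }
        @{ Role = 'Infrastructure Master'; Holder = $domain.InfrastructureMaster; Scope = 'Domain'; Priority = 3 }
        @{ Role = 'Domain Naming Master';  Holder = $forest.DomainNamingMaster;   Scope = 'Forest'; Priority = 4 }
        @{ Role = 'Schema Master';         Holder = $forest.SchemaMaster;         Scope = 'Forest'; Priority = 5 }
    )

    foreach ($r in $roles) {
        # LDAP on TCP 389 is the service clients need; a ping alone proves little.
        $ldapUp = Test-NetConnection -ComputerName $r.Holder -Port 389 `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
        $note = ''
        if (-not $ldapUp) {
            $note = if ($r.Priority -eq 1) { 'Logon/password/time impact NOW' } else { 'Degraded; plan recovery' }
        }
        [pscustomobject]@{
            Priority = $r.Priority
            Role     = $r.Role
            Scope    = $r.Scope
            Holder   = $r.Holder
            LdapUp   = $ldapUp
            Note     = $note
        }
    }
}

# Placement check from the text: in a multi-domain forest the Infrastructure
# Master should not also be a Global Catalog; in a single-domain forest it is harmless.
function Test-InfrastructureMasterPlacement {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $domain = Get-ADDomain -Identity $DomainName
    $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $multi  = (Get-ADForest).Domains.Count -gt 1
    [pscustomobject]@{
        InfrastructureMaster = $im.HostName
        IsGlobalCatalog      = $im.IsGlobalCatalog
        Concern              = $multi -and $im.IsGlobalCatalog
    }
}

Get-FsmoHealth | Sort-Object Priority | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```

Run it from a monitoring host on a schedule and alert on any row where LdapUp is false; a Priority 1 row is the page's "recover ASAP" case.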

Tell me about the Active Directory database and list the Active Directory database files?

NTDS.DIT
EDB.log
EDB.chk
Res1.log and Res2.log

AD changes are not written directly to the NTDS.DIT database file: they are first written to EDB.log and then from the log file to the database. EDB.chk is used to track the database updates from the log file, i.e. to know which changes have already been copied to the database file.

NTDS.DIT: NTDS.DIT is the AD database and stores all AD objects. The default location is %systemroot%\ntds\ntds.dit. The Active Directory database engine is the Extensible Storage Engine, which is based on the Jet database.
EDB.log: EDB.log is the transaction log file. When EDB.log is full it is renamed to EDBnum.log, where num is an increasing number starting from 1, like EDB1.log.
EDB.chk: EDB.chk is the checkpoint file used to trace the data not yet written to the database file; it indicates the starting point from which data is to be recovered from the log file in case of failure.
Res1.log and Res2.log: Res logs are reserved transaction log files which give the transaction log enough time to shut down cleanly if the disk does not have enough space.

What RAID configuration can be used on Domain Controllers?

Redundant Array of Independent Disks (RAID) can be used for fault tolerance and to prevent single disk failures. If you have more than 1000 users accessing the domain controller, place the log files on one RAID 1 array and keep the SYSVOL shared folder and the database together on a separate RAID 1 array.

If you have fewer than 1000 users accessing the domain controller, you can place all the components in a single RAID 1 array; the components are the OS, log files, SYSVOL and database.

Disk Space Recommendations for Active Directory installation

A domain controller requires available free disk space for the OS, log files, SYSVOL and the database.

Follow the procedure below to calculate the disk space requirement for a domain controller (Active Directory installation):

On the drive that will contain the Active Directory database, Ntds.dit, provide 0.4 gigabytes (GB) of storage for each 1,000 users. For example, for a forest with two domains (domain A, domain B), with 10,000 and 5,000 users respectively, provide a minimum of 4 GB of disk space for each domain controller that hosts domain A and a minimum of 2 GB of disk space for each domain controller that hosts domain B.

On the drive containing the Active Directory log files, provide at least 500 MB of available space.

On the drive containing the SYSVOL shared folder, provide at least 500 MB of available space. If you have a larger number of policies and large logon scripts then you will require more than 500 MB; however, 500 MB is the minimum requirement.

On the drive containing the Windows Server 2003 operating system files, to run setup, provide at least 1.25 GB to 2 GB of available space.
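An added PowerShell check (not from the original page) that ties the database-file, RAID and disk-space answers above together: it reads where this DC keeps ntds.dit, the transaction logs and SYSVOL from the standard NTDS and Netlogon registry parameters, compares free space on each volume with the sizing rule in the text, and reports whether the components share a volume. It assumes it is run on the domain controller itself with local administrator rights; the 10,000-user figure at the bottom is the page's own example.

```powershell
# Added example (not from the original page): locate the AD database, logs and
# SYSVOL on this DC, then check free space against the text's sizing rule
# (0.4 GB per 1,000 users for ntds.dit, 500 MB for logs, 500 MB for SYSVOL).
# Run on the domain controller itself as an administrator.

function Get-AdStoragePaths {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        Database = $ntds.'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
        Logs     = $ntds.'Database log files path'   # folder holding edb.log, edb.chk, res*.log
        Sysvol   = $nl.SysVol                        # e.g. C:\Windows\SYSVOL\sysvol
    }
}

function Get-FreeMB {
    param([Parameter(Mandatory)][string]$Path)
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd(':\')
    [math]::Round((Get-PSDrive -Name $drive).Free / 1MB)
}

function Test-AdDiskSpace {
    param(
        [Parameter(Mandatory)][int]$UserCount,
        [int]$LogMinMB = 500,
        [int]$SysvolMinMB = 500
    )
    $paths = Get-AdStoragePaths
    # Text's rule: 0.4 GB (400 MB) per 1,000 users, rounded up to whole thousands.
    $dbMinMB = [math]::Ceiling($UserCount / 1000) * 400

    $checks = @(
        @{ Component = 'Database (ntds.dit)'; Path = $paths.Database; MinMB = $dbMinMB }
        @{ Component = 'Transaction logs';    Path = $paths.Logs;     MinMB = $LogMinMB }
        @{ Component = 'SYSVOL';              Path = $paths.Sysvol;   MinMB = $SysvolMinMB }
    )
    foreach ($c in $checks) {
        $freeMB = Get-FreeMB -Path $c.Path
        [pscustomobject]@{
            Component = $c.Component
            Path      = $c.Path
            FreeMB    = $freeMB
            MinMB     = $c.MinMB
            Ok        = $freeMB -ge $c.MinMB
        }
    }
}

# RAID guidance from the text: below 1,000 users one array is fine; above it,
# logs belong on a separate array from database + SYSVOL.
function Test-AdVolumeSeparation {
    param([Parameter(Mandatory)][int]$UserCount)
    $paths  = Get-AdStoragePaths
    $root   = { param($p) [System.IO.Path]::GetPathRoot($p).ToUpper() }
    $dbRoot = & $root $paths.Database
    [pscustomobject]@{
        DatabaseVolume = $dbRoot
        LogsVolume     = & $root $paths.Logs
        SysvolVolume   = & $root $paths.Sysvol
        LogsSeparate   = (& $root $paths.Logs) -ne $dbRoot
        MeetsGuidance  = ($UserCount -lt 1000) -or ((& $root $paths.Logs) -ne $dbRoot)
    }
}

Test-AdDiskSpace -UserCount 10000 | Format-Table -AutoSize
Test-AdVolumeSeparation -UserCount 10000
```

For the text's domain A (10,000 users) the database minimum works out to 4,000 MB, matching the 4 GB in the example above; the check reads the real paths rather than assuming defaults, because a DC promoted with custom paths is exactly the one where the defaults mislead.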
Can we keep OS, log files, SYSVOL, AD database on same logical Disk?

What are Active Directory Partitions?

An Active Directory partition is how and where the AD information is logically stored.

What are all the Active Directory Partitions?

Schema
Configuration
Domain
Application Partition

How to move a DNS zone from the Domain Partition to an Application Partition

After implementing the application directory partition, you can move DNS zones from the Domain Partition to the application partition. Before that you have to have a full understanding of application directory partitions, such as the different Active Directory zone replication scopes and which one is suitable for the requirement.
The procedure is very simple; however, proper planning is required to move DNS zones from the Domain Partition to an application directory partition.

1. Take a backup of the zone you are going to move; it can be useful for rollback.
2. Right-click the zone you are going to move and select Properties.
3. Under Replication, the current replication scope is shown; you can change the scope by clicking the Change button.
4. This opens the Change Zone Replication Scope dialog.
5. Select the zone replication scope as per the requirement.

For a forest-wide DNS application directory partition, select the first option:
To all DNS servers in the Active Directory forest domain.com

For a domain-wide DNS application directory partition, select the second option:
To all DNS servers in the Active Directory domain domain.com

For the Domain partition, select the third option (Active Directory integrated zone):
To all domain controllers in the Active Directory domain domain.com

For a custom DNS application directory partition, select the last option; it is only selectable if you have a custom DNS application directory partition:
To all domain controllers in the specified scope of the following application directory partition

How to create a DNS zone in a DNS Application Directory Partition

Windows 2003 has an Application Directory Partition feature: you can create a DNS zone in an application directory partition to get its advantages. It is like a normal zone creation except for the selection of the Active Directory zone replication scope.

1. Open the DNS console.
2. Go to Forward Lookup Zones or Reverse Lookup Zones, right-click and select New Zone.
3. Click Next and select the zone type.
4. Select the Active Directory zone replication scope.

Active Directory Zone Replication scope

To create the zone in the forest-wide DNS application directory partition, select the first option:
To all DNS servers in the Active Directory forest domain.com

To create the zone in the domain-wide DNS application directory partition, select the second option:
To all DNS servers in the Active Directory domain domain.com

To create the zone in the Domain partition, select the third option (Active Directory integrated zone):
To all domain controllers in the Active Directory domain domain.com

To create the zone in a custom DNS application directory partition, select the last option; it is only selectable if you have a custom DNS application directory partition:
To all domain controllers in the specified scope of the following application directory partition

Select any one from the list and click Next.

5. Finish.
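The two procedures above (moving an existing zone between replication scopes, and creating a new zone directly in a DNS application directory partition) as an added PowerShell example; it is not from the original page, which describes the Windows 2003 console. It uses the DnsServer module available on Windows Server 2012 and later, so the cmdlet names are real but the zone names domain.com and corp.domain.com are placeholders, and it assumes it runs on a DC holding the DNS role with DNS Admin rights.

```powershell
# Added example (not from the original page): the zone-move and zone-create
# procedures done with the DnsServer module (Windows Server 2012+), including
# the backup step the text puts first. Zone names are placeholders.

Import-Module DnsServer

function Move-DnsZoneReplicationScope {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        # Forest/Domain = the two DNS application partitions; Legacy = the Domain
        # partition (all DCs in the domain); Custom = a named application partition.
        [Parameter(Mandatory)][ValidateSet('Forest','Domain','Legacy','Custom')][string]$Scope,
        [string]$DirectoryPartitionName   # required only with -Scope Custom
    )
    # Step 1: back up the zone for rollback. Export-DnsServerZone writes the file
    # under %systemroot%\System32\dns, so only a file name is needed.
    $backupFile = "$ZoneName.$(Get-Date -Format yyyyMMddHHmm).bak"
    Export-DnsServerZone -Name $ZoneName -FileName $backupFile

    # Step 3: record the current scope before changing it.
    $before = (Get-DnsServerZone -Name $ZoneName).ReplicationScope

    # Steps 4-5: change the replication scope.
    if ($Scope -eq 'Custom') {
        Set-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Custom `
            -DirectoryPartitionName $DirectoryPartitionName
    } else {
        Set-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $Scope
    }

    [pscustomobject]@{
        Zone   = $ZoneName
        Before = $before
        After  = (Get-DnsServerZone -Name $ZoneName).ReplicationScope
        Backup = $backupFile
    }
}

function New-DnsZoneInPartition {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][ValidateSet('Forest','Domain','Legacy','Custom')][string]$Scope,
        [string]$DirectoryPartitionName
    )
    # Same scope choice at creation time; Secure dynamic updates keep the
    # AD-integrated default so only authenticated clients can register records.
    if ($Scope -eq 'Custom') {
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Custom `
            -DirectoryPartitionName $DirectoryPartitionName -DynamicUpdate Secure
    } else {
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $Scope -DynamicUpdate Secure
    }
    Get-DnsServerZone -Name $ZoneName |
        Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DirectoryPartitionName
}

# Move an existing zone from the Domain partition into ForestDnsZones.
Move-DnsZoneReplicationScope -ZoneName 'domain.com' -Scope Forest
# Create a new zone directly in DomainDnsZones.
New-DnsZoneInPartition -ZoneName 'corp.domain.com' -Scope Domain
```

The Before/After object is what to keep in the change record: a scope change is a replication-topology change, and the exported zone file is the only quick way back if the chosen partition turns out not to be hosted where the resolvers expect it.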

What is the use of the Active Directory partitions? And how to find the Active Directory partitions and their location?

Schema Partition: stores details about objects and attributes. Replicates to all domain controllers in the forest.
DN location: CN=Schema,CN=Configuration,DC=Domainname,DC=com

Configuration Partition: stores AD configuration information such as sites, site links, subnets and other replication topology information. Replicates to all domain controllers in the forest.
DN location: CN=Configuration,DC=Domainname,DC=com

Domain Partition: stores object information for a domain, such as users, computers, groups, printers and other domain-specific information. Replicates to all domain controllers within the domain.
DN location: DC=Domainname,DC=com

Application Partition: stores information about applications in Active Directory. For example, when AD-integrated DNS is used there are two application partitions for DNS zones, ForestDNSZones and DomainDNSZones.

How to configure Active Directory Partitions?

Only the application partition can be configured manually, for use with AD-integrated applications; refer to this article for details on that.
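An added example (not from the original page) answering "how to find the partitions and their location" on a live forest rather than from memory: it reads the naming contexts from RootDSE, classifies each as schema, configuration, domain or application partition, and shows which DCs replicate a given application partition. It uses only ADSI, so it needs no RSAT module; the server parameter is optional and the ForestDnsZones lookup at the end assumes AD-integrated DNS is in use.

```powershell
# Added example (not from the original page): enumerate this forest's partitions
# from RootDSE and classify them; then list the DCs hosting an application
# partition. ADSI only, so it runs without the ActiveDirectory module.

function Get-AdPartitions {
    param([string]$Server)   # optional DC name; omitted = serverless bind
    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]"${prefix}RootDSE"

    $schemaNC = [string]$rootDse.schemaNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $domainNC = [string]$rootDse.defaultNamingContext

    # Each partition has a crossRef under CN=Partitions in the configuration NC.
    # systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks the domain partitions, which
    # separates them from application partitions that look alike in namingContexts.
    $partitions = [ADSI]"${prefix}CN=Partitions,$configNC"
    $domainNCs  = @()
    foreach ($cr in $partitions.Children) {
        if ([string]$cr.objectClass -notmatch 'crossRef') { continue }
        $flags = [int]"$($cr.systemFlags)"
        if ($flags -band 0x2) { $domainNCs += [string]$cr.nCName }
    }

    foreach ($nc in $rootDse.namingContexts) {
        $nc   = [string]$nc
        $kind = switch ($true) {
            ($nc -eq $schemaNC)        { 'Schema';        break }
            ($nc -eq $configNC)        { 'Configuration'; break }
            ($domainNCs -contains $nc) { 'Domain';        break }
            default                    { 'Application' }
        }
        [pscustomobject]@{ Partition = $nc; Kind = $kind; IsThisDomain = ($nc -eq $domainNC) }
    }
}

function Get-AdPartitionReplicas {
    # DCs that hold an application partition are listed in the crossRef's
    # msDS-NC-Replica-Locations attribute (as NTDS Settings DNs).
    param([Parameter(Mandatory)][string]$PartitionDN, [string]$Server)
    $prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $configNC = [string]([ADSI]"${prefix}RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"${prefix}CN=Partitions,$configNC",
        "(&(objectClass=crossRef)(nCName=$PartitionDN))")
    [void]$searcher.PropertiesToLoad.Add('msDS-NC-Replica-Locations')
    $result = $searcher.FindOne()
    if ($result) { $result.Properties['msds-nc-replica-locations'] | ForEach-Object { [string]$_ } }
}

Get-AdPartitions | Format-Table -AutoSize

# Example: who hosts the forest-wide DNS partition (present only with AD-integrated DNS).
$forestDns = (Get-AdPartitions | Where-Object { $_.Partition -like 'DC=ForestDnsZones,*' }).Partition
if ($forestDns) { Get-AdPartitionReplicas -PartitionDN $forestDns }
```

The classification matters for backup planning later in this page: the schema and configuration partitions exist once per forest and replicate everywhere, the domain partition once per domain, and each application partition only to the DCs named in its replica list.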

How to take an Active Directory backup?

A system state backup backs up Active Directory; NTBackup can be used to back up Active Directory.

Active Directory restore types?

Authoritative restore
Non-authoritative restore

Non-authoritative restore of Active Directory

A non-authoritative restore returns the domain controller to its state at the time of the backup and allows normal replication to overwrite the restored domain controller with any changes that have occurred after the backup. After the system state restore, the domain controller queries its replication partners and gets the changes made after the backup date, to ensure that it has an accurate and up-to-date copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory: a plain restore of the system state is a non-authoritative restore, and we mostly use this for Active Directory data loss or corruption.

How to perform a non-authoritative restore?

Just start the domain controller in Directory Services Restore Mode and perform a system state restore from backup.

Authoritative restore of Active Directory

An authoritative restore is the next step of the non-authoritative restore process: we have to do a non-authoritative restore before we can perform an authoritative restore. The main difference is that an authoritative restore can increment the version number of the attributes of all objects, or of an individual object, in the directory; this is what makes the restored object authoritative. It can be used to restore a single deleted user/group and even an entire OU.
In a non-authoritative restore, after a domain controller is back online it contacts its replication partners to determine any changes since the time of the last backup. In an authoritative restore, however, the version numbers of the object attributes that you marked authoritative are higher than the existing version numbers of those attributes, so the object on the restored domain controller appears to be more recent and the restored object is replicated to the other domain controllers in the domain.

How to perform an authoritative restore?

Unlike a non-authoritative restore, an authoritative restore needs Ntdsutil.exe to increment the version number of the object attributes.

Which Active Directory partitions can be restored?

You can authoritatively restore only objects from the configuration and domain partitions. Authoritative restores of the schema naming context are not supported.

How many domain controllers need to be backed up? Or which domain controllers to back up?

The minimum requirement is to back up two domain controllers in each domain, one of which should be an operations master role holder. There is no need to back up the RID Master (relative ID master), because the RID Master should not be restored.

Can we restore the backup of a domain controller to another/different domain controller?

The backup of one domain controller cannot be restored to another domain controller; it has to be restored to the same domain controller.
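The backup and restore answers above as an added PowerShell example, not from the original page: the page's tool is NTBackup on Windows 2003, so this uses its successor wbadmin and the ntdsutil "authoritative restore" menu as found on Windows Server 2008 and later. The backup target, the backup version string and the DN are placeholders; the restore functions must be run inside Directory Services Restore Mode on the same DC the backup came from, after the non-authoritative system state restore that every authoritative restore starts with.

```powershell
# Added example (not from the original page): system state backup, DSRM boot,
# non-authoritative restore, then marking one object or subtree authoritative
# with ntdsutil. Windows Server 2008+ syntax; all values below are placeholders.

# Backup: the system state captures AD (ntds.dit, logs, SYSVOL, registry).
function Backup-AdSystemState {
    param([Parameter(Mandatory)][string]$TargetVolume)   # e.g. 'E:'
    & wbadmin start systemstatebackup -backupTarget:$TargetVolume -quiet
}

# Step 0: reboot into DSRM without pressing F8; clear the flag again afterwards.
function Set-DsrmBoot {
    param([switch]$Disable)
    if ($Disable) { & bcdedit /deletevalue safeboot } else { & bcdedit /set safeboot dsrepair }
}

# Step 1 (in DSRM): non-authoritative restore of a chosen system state backup.
function Restore-AdSystemState {
    param([Parameter(Mandatory)][string]$VersionId)   # list with: wbadmin get versions
    & wbadmin start systemstaterecovery -version:$VersionId -quiet
}

# Step 2 (still in DSRM, before rebooting): raise the version numbers of the object
# (or the object and everything beneath it) so it wins during replication.
function Restore-AdObjectAuthoritative {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$Subtree   # e.g. a whole deleted OU
    )
    if ($DistinguishedName -match '\s') {
        # ntdsutil's own quoting inside a single command-line argument is unreliable
        # when PowerShell re-quotes it; enter such DNs at the interactive prompt.
        throw 'DN contains spaces: run "restore object ""<DN>""" at the ntdsutil prompt instead'
    }
    $verb = if ($Subtree) { 'restore subtree' } else { 'restore object' }
    # Each ntdsutil menu level is passed as a separate argument, then two quits.
    & ntdsutil 'activate instance ntds' 'authoritative restore' "$verb $DistinguishedName" quit quit
}

# Typical flow for a deleted OU (DN from the page's naming example):
#   Set-DsrmBoot; Restart-Computer
#   Restore-AdSystemState -VersionId '01/01/2024-02:00'
#   Restore-AdObjectAuthoritative -DistinguishedName 'ou=Consultants,ou=Users,dc=Domain,dc=com' -Subtree
#   Set-DsrmBoot -Disable; Restart-Computer
```

Two points the script encodes from the text: the authoritative step is only ever run after a non-authoritative restore on the same DC, and nothing here touches the schema partition, which cannot be authoritatively restored.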

SYSVOL Interview Questions and Answers

What is the SYSVOL folder and why is it used?

The SYSVOL folder on a Windows domain controller is used to store the domain's Group Policy settings, default profiles and logon/logoff/startup/shutdown scripts. It is available in the C:\Windows\SYSVOL directory on all domain controllers within the domain.

What is the NETLOGON folder?

The NETLOGON folder, which is inside the SYSVOL folder, contains the logon/logoff/startup/shutdown scripts.
