Active Directory Interview Questions
1. What’s the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can’t I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
3. What is LSDOU? It’s group policy inheritance model, where the policies are applied toLocal machines, Sites, Domains and Organizational Units.
4. Where are group policies stored? %SystemRoot%System32\GroupPolicy
5. What is GPT and GPC? Group policy template and group policy container.
6. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
7. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.
8. How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.
9. How frequently is the client policy refreshed? 90 minutes.
10. You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.
11. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
12. How many passwords by default are remembered when you check "Enforce Password History Remembered"? User’s last 6 passwords.
13. What are the 5 FSMO roles?
Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
Infrastructure Master: The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
14. How do you transfer the roles? For the schema master first register the regsvr32 schmmgmt.dll, then add the Active Directory Schema snap-in in to an MMC.
Transfer the Domain Naming Master Role, go to Active Directory Domains and Trusts and Right-click Active Directory Domains and Trusts and then click Operations Master.
Transferring the RID Master, PDC Emulator, and Infrastructure Master Roles start ADCU and in the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
15. Where is the AD database held? %systemroot%/ntds
16. What is a sysvol folder? The sysvol is a shared folder that shared between all other DC’s within a domain, it contains things like GPO’s, NETLOGON folder and system policies. It also must be stored on NTFS
17. What are AD application partitions? Application Directory Partition is a partition space in Active Directory which an application can use to store that application specific data. This partition is then replicated only to some domain controllers for redundancy reasons. The application directory partition can contain any type of data except security principles (users, computers, groups)
18. What is the Global Catalog? The global catalog contains a complete replica of all objects in Active Directory for its Host domain, it also stores a partial, read-only replica of all other domains directory partitions in the forest.
19. Why not make all DCs in a large forest as GCs? The reason that all DCs are not is that in large forests the DCs would all have to hold a reference to every object in the entire forest which could be quite large and and in return prove a replication burden.
20. What is an AD site? A Site object in AD represents a physical geographic location that hosts networks. Sites contain subnets and sites can be used to assign Group Policy Objects. Sites can be linked to other Sites by a cost value that represents the speed, reliability, availability, or other real property of a physical resource.