
1) What is Active Directory?

Active Directory is a directory service used on Microsoft Windows based servers and computers to store data and information about
networks and domains.
2) What are the new features in Active Directory (AD) of Windows Server 2012?

dcpromo (Domain Controller Promoter) with improved wizard: it allows you to view all the steps and review the detailed results during
the installation process.

Enhanced Administrative Center: compared to the earlier versions of Active Directory, the Administrative Center is well designed in
Windows Server 2012. The Exchange management console is well designed too.

Recycle Bin goes GUI: in Windows Server 2012 there are now several ways to enable the Active Directory Recycle Bin through the GUI in the
Active Directory Administrative Center, which was not possible with earlier versions.

Fine-grained password policies (FGPP): in Windows Server 2012 implementing FGPP is much easier than in earlier versions. It allows you to
create different password policies in the same domain.

Windows PowerShell History Viewer: you can view the Windows PowerShell commands that correspond to the actions you execute in the
Active Directory Administrative Center UI.
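The FGPP feature above is what lets you give privileged accounts a stricter policy than the domain default. The following is an added example (not from the original page) using the ActiveDirectory PowerShell module; the policy name, the group name "Tier0-Admins" and the user "alice" are hypothetical.

```powershell
# Added example: create a fine-grained password policy (PSO) for a privileged group
# and confirm which policy actually applies to a given account.
# Assumes RSAT / the ActiveDirectory module and a security group "Tier0-Admins" (hypothetical name).
Import-Module ActiveDirectory

$policyName = "Privileged-Accounts-PSO"

# Precedence: when several PSOs apply to the same user, the lowest number wins.
New-ADFineGrainedPasswordPolicy -Name $policyName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs are applied to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects "Tier0-Admins"

# Resultant policy for one account: this is the check to run when a user reports
# that "the password rules are different from what the GPO says".
Get-ADUserResultantPasswordPolicy -Identity "alice" |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

If Get-ADUserResultantPasswordPolicy returns nothing, the account is covered by the Default Domain Policy only, which is the usual reason a "stricter" policy silently fails to take effect.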


3) Which is the default protocol used in directory services?
The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).
4) Explain the term FOREST in AD.
A forest is an assembly of AD domains that share a single schema. All DCs in the forest share this schema, and it is
replicated in a hierarchical fashion among them.
5) Explain what SYSVOL is.
The SYSVOL folder keeps the server's copy of the domain's public files. The contents of the SYSVOL folder, such as group policy files and scripts, are
replicated to all domain controllers in the domain.
6) What is the difference between the Domain Admins group and the Enterprise Admins group in AD?

Enterprise Admins group
Members of this group have complete control of all domains in the forest.
By default, this group is a member of the Administrators group on all domain controllers in the forest.
As such this group has full control of the forest; add users with caution.

Domain Admins group
Members of this group have complete control of the domain.
By default, this group belongs to the Administrators group on all domain controllers, workstations and member servers at the time they are joined to the domain.
As such the group has full control in the domain; add users with caution.
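Because both groups are "add with caution", the practical follow-up is a periodic review of who is actually in them, nested groups included. This is an added example (not from the original page) using the ActiveDirectory module; it assumes you run it from a domain-joined machine with RSAT and that Enterprise Admins exists only in the forest root domain, which is where the module looks for it.

```powershell
# Added example: enumerate the effective (nested) membership of the two privileged groups
# and surface stale or disabled accounts that should not still be there.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain

# Domain Admins exists in every domain; Enterprise Admins only in the forest root domain.
$targets = @(
    @{ Group = "Enterprise Admins"; Server = $rootDomain }
    @{ Group = "Domain Admins";     Server = (Get-ADDomain).DNSRoot }
)

foreach ($t in $targets) {
    # -Recursive expands nested groups so indirect members are not missed.
    $members = Get-ADGroupMember -Identity $t.Group -Server $t.Server -Recursive |
        Where-Object { $_.objectClass -eq "user" } |
        Get-ADUser -Server $t.Server -Properties Enabled, LastLogonDate, PasswordLastSet

    "{0} ({1}): {2} user members" -f $t.Group, $t.Server, @($members).Count
    $members |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
            @{ n = "Stale90d"; e = { $_.LastLogonDate -lt (Get-Date).AddDays(-90) } } |
        Sort-Object SamAccountName |
        Format-Table -AutoSize
}
```

Members from other domains in the forest show up in the recursive expansion only if the trust path is reachable; a failure on that step is itself worth noting, since it means the membership cannot be fully audited from where you are.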

7) What does system state data contain?

System state data contains:
Startup files
Registry
COM+ Registration Database
Memory page file
System files
AD information
SYSVOL folder
Cluster service information

8) What is Kerberos?

Kerberos is a network authentication protocol. It is built to offer strong authentication for client/server applications by using secret-key
cryptography.
9) Where is the AD database held? What other files are related to AD?
The AD database is saved in %systemroot%\NTDS. In the same folder you can also see other files; these are the main files controlling the AD
structures:

ntds.dit (the database itself)
edb.log (the current transaction log)
res1.log (reserved log file)
res2.log (reserved log file)
edb.chk (the checkpoint file)

10) What is the PDC emulator, and how would one know whether the PDC emulator is working or not?
PDC emulator: there is one PDC emulator per domain, and when there is a failed authentication attempt, it is forwarded to the PDC emulator. It
acts as a tie-breaker, and it controls the time sync across the domain.
These are the symptoms by which we can tell that the PDC emulator is not working:

Time is not syncing
User accounts are not being locked out
Windows NT BDCs are not getting updates
Pre-Windows 2000 computers are unable to change their passwords
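Rather than waiting for those symptoms, the role holder can be checked directly. This is an added example (not from the original page); it assumes RSAT, that the machine running it can reach the PDC emulator, and that the DC's Security log audits account lockouts (event 4740).

```powershell
# Added example: health checks for the PDC emulator role holder of the current domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
"PDC emulator for {0}: {1}" -f $domain.DNSRoot, $pdc

# 1. Is the role holder reachable on the ports the role depends on?
foreach ($port in 88, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $pdc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "  port {0}: {1}" -f $port, $(if ($ok) { "open" } else { "CLOSED" })
}

# 2. Time hierarchy: the PDC emulator should sync from an external/stratum source,
#    every other DC from the PDC. "Local CMOS Clock" as the PDC's source is the classic misconfiguration.
& w32tm /query /computer:$pdc /source
& w32tm /monitor /domain:$($domain.DNSRoot)

# 3. Failed logons and lockouts are forwarded to the PDC emulator, so its Security log is where
#    lockouts (4740) must appear. No 4740s while users report lockouts is a symptom of a broken PDC.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = "Security"; Id = 4740 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = "Account"; e = { $_.Properties[0].Value } },
        @{ n = "CallerComputer"; e = { $_.Properties[1].Value } }

# 4. dcdiag confirms the DC knows who holds the roles and is advertising as a DC/time server.
& dcdiag /s:$pdc /test:KnowsOfRoleHolders /test:Advertising
```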

11) What are lingering objects?

Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).
12) What is TOMBSTONE lifetime?
The tombstone lifetime in an Active Directory forest determines how long a deleted object is retained in Active Directory. A deleted object in Active
Directory is stored as a special object referred to as a tombstone. Usually, Windows will use a 60-day tombstone lifetime if no value is set in the
forest configuration.
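Questions 11 and 12 together give a concrete check: read the forest's tombstone lifetime, then find any DC whose last successful inbound replication is older than that, because such a DC is the source of lingering objects. This is an added example (not from the original page) using the ActiveDirectory module; it makes no changes.

```powershell
# Added example: compare each DC's last successful inbound replication against the tombstone lifetime.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl      = (Get-ADObject -Identity $dsConfig -Properties tombstoneLifetime).tombstoneLifetime

# When the attribute is unset, the forest falls back to the default the text mentions (60 days).
if (-not $tsl) { $tsl = 60 }
"Tombstone lifetime: $tsl days"

$threshold = (Get-Date).AddDays(-$tsl)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Inbound partner metadata: one row per (partner, partition) pair.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    DC          = $dc.HostName
                    Partner     = $_.Partner
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    OverTSL     = ($_.LastReplicationSuccess -lt $threshold)
                }
            }
    } catch {
        # A DC that cannot even be queried is the first candidate for lingering objects.
        [pscustomobject]@{ DC = $dc.HostName; Partner = "n/a"; Partition = "n/a"; LastSuccess = $null; OverTSL = "unreachable" }
    }
}

$results | Sort-Object OverTSL -Descending | Format-Table -AutoSize
```

Any row with OverTSL set to True should not simply be forced to replicate again; that is exactly how lingering objects get reintroduced into the rest of the forest. The DC is either cleaned with repadmin's lingering-object removal or demoted and rebuilt.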
13) Explain what the Active Directory Schema is.
The schema is the Active Directory component that describes all the attributes and objects that the directory service uses to store data.
14) Explain what a child DC is.
A child DC is a domain controller for a child domain beneath the root domain; the child domain shares the parent's namespace.
15) Explain what the RID master is.
RID master stands for Relative Identifier master; it is responsible for allocating the unique IDs used by objects created in AD.
16) What are the components of AD?

Components of AD include:
Logical structure: trees, forests, domains and OUs
Physical structure: domain controllers and sites

17) Explain what the Infrastructure Master is.

The Infrastructure Master is responsible for updating user and group references against the global catalog.
18) What are sites? What are they used for?
A site is one or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical
network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network
link traffic.
Sites can be linked to other sites. Site link objects may be assigned a cost value that represents the speed, reliability, availability, or other real
property of a physical resource. Site links may also be assigned a schedule.
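The site, subnet, site link, cost and schedule objects described above map to a short PowerShell sequence. This is an added example (not from the original page); the branch site name, subnet and schedule window are hypothetical, and it assumes the ActiveDirectory module on a machine with RSAT.

```powershell
# Added example: model a branch office as its own site, with the subnet that maps clients to it
# and a costed, scheduled site link back to the hub.
Import-Module ActiveDirectory

$hubSite    = "Default-First-Site-Name"   # created automatically with the first DC in the forest
$branchSite = "Branch-Lyon"               # hypothetical
$branchNet  = "10.20.0.0/16"              # hypothetical

New-ADReplicationSite -Name $branchSite -Description "Lyon branch office"

# Subnets are what associate a client (or DC) with a site at logon and for replication.
New-ADReplicationSubnet -Name $branchNet -Site $branchSite -Location "Lyon"

# Cost: the KCC prefers the lowest-cost path when several exist.
# ReplicationFrequencyInMinutes: interval between inter-site replication cycles over this link.
New-ADReplicationSiteLink -Name "$hubSite-$branchSite" `
    -SitesIncluded $hubSite, $branchSite `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# Schedule: only allow replication over the slow link in an evening window (20:00-23:45 every day).
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity "$hubSite-$branchSite" -ReplicationSchedule $schedule

# Review what the KCC will work with.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

The subnet is the piece most often forgotten: without it, clients in the branch are not mapped to any site and may authenticate against a DC across the slow link.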
19) I want to look at the schema; how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> Add snap-in --> add Active Directory Schema
Save it as schema.msc
Open Administrative Tools --> schema.msc
20) What is the port number of Kerberos?
88
21) What is the port number of the Global Catalog?
3268
22) What is the port number of LDAP?
389
23) Explain the Active Directory Schema.
Windows 2000 and Windows Server 2003 Active Directory use a database set of rules called the "schema". The schema is defined as the formal
definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the
Active Directory database includes a default schema, which defines many object classes, such as users, groups, computers, domains,
organizational units, and so on.
These objects are also known as "classes". The Active Directory schema is dynamically extensible, meaning that you can modify the
schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the
Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.
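The "programmatically" route in question 23, and the read-only view the snap-in from question 19 gives you, can both be done from PowerShell against the schema naming context. This is an added example (not from the original page); it assumes the ActiveDirectory module and makes no changes to the schema.

```powershell
# Added example: inspect the schema (version, master, one class definition, recent additions)
# without the Schema snap-in. Read-only.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Forest schema version and the one DC allowed to write schema changes.
"Schema objectVersion: " + (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
"Schema master:        " + (Get-ADForest).SchemaMaster

# Describe one class, here "user": what it must and may contain, and what it inherits from.
$cls = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
    -Properties lDAPDisplayName, subClassOf, mustContain, systemMustContain, mayContain, systemMayContain

[pscustomobject]@{
    Class       = $cls.lDAPDisplayName
    Parent      = $cls.subClassOf
    MustContain = (@($cls.mustContain) + @($cls.systemMustContain)) -join ", "
    MayCount    = (@($cls.mayContain)  + @($cls.systemMayContain)).Count
}

# Schema extensions are irreversible, so knowing what was added recently (Exchange, LAPS, vendor
# products, custom attributes) matters. Newest attribute definitions first:
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(objectClass=attributeSchema)" `
    -Properties lDAPDisplayName, attributeID, whenCreated |
    Sort-Object whenCreated -Descending |
    Select-Object -First 15 lDAPDisplayName, attributeID, whenCreated
```

The attributeID column is the OID; Microsoft's own additions sit under the 1.2.840.113556 arc, so anything outside it in the recent list is a third-party or in-house extension worth being able to explain.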
24) How can you forcibly remove AD from a server, and what do you do afterwards? Can I get user passwords from the
AD database?

With dcpromo /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to
contact or replicate any locally held changes to another DC in the forest. Reboot the server afterwards. After you use the dcpromo
/forceremoval command, the remaining metadata for the demoted DC is not deleted on the surviving domain controllers,
and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings
object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.
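The metadata cleanup step is the one that gets skipped, and a stale NTDS Settings object keeps the surviving DCs trying to replicate with a server that no longer exists. This is an added example (not from the original page) of checking what is left after a forced demotion and removing it; the demoted DC name "DC02", the site name and the domain are hypothetical, and it assumes the ActiveDirectory and DnsServer modules plus ntdsutil.exe on a surviving DC.

```powershell
# Added example: verify and clean up the metadata of a forcibly demoted DC.
Import-Module ActiveDirectory

$deadDc   = "DC02"                       # hypothetical
$site     = "Default-First-Site-Name"    # hypothetical
$forest   = Get-ADForest
$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext
$serverDN = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$configNC"

# 1. What do the surviving DCs still believe about the demoted server?
Get-ADObject -Filter * -SearchBase $serverDN -ErrorAction SilentlyContinue | Select-Object Name, ObjectClass
Get-ADObject -SearchBase $configNC -LDAPFilter "(&(objectClass=nTDSConnection)(fromServer=CN=NTDS Settings,$serverDN))" |
    Select-Object DistinguishedName

# Does it still appear to hold a FSMO role? If so, seize that role on a live DC before cleaning up.
$roles = @{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator  = $domain.PDCEmulator;  RIDMaster = $domain.RIDMaster; InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | Where-Object { $_.Value -like "$deadDc.*" } | ForEach-Object { "STALE ROLE HOLDER: $($_.Key) -> $($_.Value)" }

# 2. Remove the server's NTDS Settings object and connections (the Ntdsutil step the text describes).
#    ntdsutil accepts the whole command chain as arguments; the trailing "q q" leaves both menus.
& ntdsutil "metadata cleanup" "remove selected server $serverDN" q q

# 3. Leftovers to check afterwards: computer account and DNS records that still point at the old DC.
Get-ADComputer -Identity $deadDc -ErrorAction SilentlyContinue
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -Name $deadDc -ErrorAction SilentlyContinue
Get-DnsServerResourceRecord -ZoneName "_msdcs.$($forest.RootDomain)" -RRType Cname -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.HostNameAlias -like "$deadDc.*" }
```

The CNAME under _msdcs is the record other DCs use to locate a replication partner by its DSA GUID, so leaving it behind is what produces the "replication partner not found" noise long after the server is gone.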
25) What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
26) What is a domain tree?
Domain trees: a domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace.
Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
27) What is a forest?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement would be used if
you have multiple root DNS names.
28) How do you select the appropriate restore method?
You select the appropriate restore method by considering the circumstances and characteristics of the failure. The two major categories of failure, from an Active Directory perspective, are Active Directory
data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers, or when a large
portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other
domain controllers.
29) Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in
Server 2003?
Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship
and each hosts a copy of the Active Directory.
30) What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC
that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the
network.
31) How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies,
changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
32) When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often
give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and
joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security
restrictions.
33) Describe the process of working with an external domain name.
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way,
your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external
namespace uses the name corp.internal for their internal namespace.
The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires
you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create
confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.
34) How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services, and nslookup gc._msdcs.
To find the GCs from the command line you can use the DSQUERY command:
dsquery server -isgc
or, to find all the GCs in the forest:
dsquery server -forest -isgc
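The same enumeration from PowerShell, combined with a reachability check on the ports listed in questions 20 to 22 (plus DNS and SMB), is what you would run when a site reports slow or failing logons. This is an added example (not from the original page); it assumes RSAT and that the querying machine can reach every GC.

```powershell
# Added example: list every global catalog in the forest, compare with what DNS advertises,
# and test the AD service ports on each one.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. Ask each domain for its GCs (what "dsquery server -forest -isgc" returns).
$gcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $d
}
$gcs | Select-Object HostName, Domain, Site, IPv4Address | Format-Table -AutoSize

# 2. What DNS advertises: gc._msdcs.<forest root> A records and the _gc SRV record.
Resolve-DnsName -Name "gc._msdcs.$($forest.RootDomain)" -Type A   | Select-Object Name, IPAddress
Resolve-DnsName -Name "_gc._tcp.$($forest.RootDomain)"  -Type SRV | Select-Object NameTarget, Port, Priority, Weight

# 3. Port reachability per GC. A GC that answers on 389 but not 3268 is not advertising as a GC.
$ports = @{ 53 = "DNS"; 88 = "Kerberos"; 389 = "LDAP"; 445 = "SMB"; 3268 = "GC" }
foreach ($gc in $gcs) {
    $row = [ordered]@{ GC = $gc.HostName; Site = $gc.Site }
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $row[$ports[$p]] = (Test-NetConnection -ComputerName $gc.HostName -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]$row
}
```

A mismatch between step 1 and step 2 (a GC the directory knows about but DNS does not advertise, or the reverse) usually means the Netlogon service on that DC has not re-registered its records.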
35) What are the physical components of Active Directory?
Domain controllers and sites. Domain controllers are physical computers running the Windows Server operating system and the Active Directory
database. Sites are network segments based on geographical location, each containing one or more domain controllers.
36) What are the logical components of Active Directory?
Domains, organizational units, trees and forests are the logical components of Active Directory.
37) What are the Active Directory partitions?
The Active Directory database is divided into different partitions: the schema partition, the domain partition and the configuration partition. Apart from
these partitions, we can create application partitions based on requirements.
38) What is group nesting?
Adding one group as a member of another group is called "group nesting". This helps with easy administration and reduces replication traffic.
39) What is the feature of a Domain Local group?
Domain local groups are mainly used for granting access to network resources. A Domain local group can contain accounts from any domain,
global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located at Domain
A to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then create a Domain local
group at Domain A, add the Global group of Domain B to the Domain local group of Domain A, and then add the Domain local group of Domain A to the
printer's (Domain A) security ACL.
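The printer scenario in question 39 is the classic AGDLP pattern (Accounts into Global groups, Global groups into Domain Local groups, Domain Local groups get Permissions). The following is an added example (not from the original page) that carries it out in PowerShell; the two domain names, the group and user names and the printer "Color1" are hypothetical, the last step runs on the print server in Domain A, and it assumes the SDDL form of the "Print" permission on a printer is an ACE of the form (A;;SWRC;;;<sid>).

```powershell
# Added example: the AGDLP chain for a printer in Domain A used by ten accounts from Domain B.
Import-Module ActiveDirectory

$domainA = "a.corp.internal"      # resource domain: owns the printer (hypothetical)
$domainB = "b.corp.internal"      # account domain: owns the users (hypothetical)
$users   = 1..10 | ForEach-Object { "user$_" }

# A -> G: accounts go into a Global group in their own domain (Domain B).
New-ADGroup -Name "GG-Print-Users" -GroupScope Global -GroupCategory Security -Server $domainB
Add-ADGroupMember -Identity "GG-Print-Users" -Members $users -Server $domainB

# G -> DL: a Domain Local group in the resource domain (Domain A) takes the Global group from Domain B.
New-ADGroup -Name "DL-Printer-Color1-Print" -GroupScope DomainLocal -GroupCategory Security -Server $domainA
$gg = Get-ADGroup -Identity "GG-Print-Users" -Server $domainB
Add-ADGroupMember -Identity "DL-Printer-Color1-Print" -Members $gg -Server $domainA

# DL -> P: only the Domain Local group ever appears in the printer's ACL.
$sid     = (Get-ADGroup -Identity "DL-Printer-Color1-Print" -Server $domainA).SID.Value
$printer = "Color1"
$sddl    = (Get-Printer -Name $printer).PermissionSDDL
if ($sddl -notlike "*$sid*") {
    # Assumption: "(A;;SWRC;;;<sid>)" is the Print-only allow ACE for a printer.
    Set-Printer -Name $printer -PermissionSDDL ($sddl + "(A;;SWRC;;;$sid)")
}

# Verify the chain: who actually ends up with print rights once nesting is resolved?
Get-ADGroupMember -Identity "DL-Printer-Color1-Print" -Server $domainA -Recursive |
    Select-Object SamAccountName, objectClass
```

The benefit shows up at review time: the printer's ACL never changes when users join or leave, and the Domain Local group's recursive membership is the single place to audit.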
40) How will you take an Active Directory backup?

Active Directory is backed up along with the System State data. System State data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL
folder. System State can be backed up either using Microsoft's default NTBACKUP tool or third-party tools such as Symantec NetBackup, IBM
Tivoli Storage Manager etc.
41) What is the Lost and Found container?
In the multimaster replication method, replication conflicts can happen. Objects with replication conflicts are stored in a container called the "Lost and
Found" container. This container is also used to store orphaned user accounts and other objects.
42) Do we use clustering in Active Directory? Why?
Nobody installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides total
redundancy with two or more servers.
43) What is the Active Directory Recycle Bin?
The Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using
a backed-up AD database, rebooting a domain controller or restarting any services.
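Enabling the Recycle Bin and restoring from it is a short sequence worth knowing before the accident happens. This is an added example (not from the original page); it assumes the ActiveDirectory module, Enterprise Admins rights, a forest functional level that supports the feature, and a constructed scenario in which the user "alice" was deleted.

```powershell
# Added example: enable the AD Recycle Bin (forest-wide, irreversible), list deleted objects,
# and restore one of them to its original location.
Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. Enable only if it is not already on.
$feature = Get-ADOptionalFeature -Identity "Recycle Bin Feature"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 2. What is in the bin? Deleted objects are hidden from normal queries without -IncludeDeletedObjects.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged, msDS-LastKnownRDN
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# 3. Restore the user "alice" (constructed scenario) to where it lived. If the parent OU was deleted
#    as well, restore the OU first: restores must be done top-down.
$victim = $deleted |
    Where-Object { $_."msDS-LastKnownRDN" -eq "alice" -and $_.ObjectClass -eq "user" } |
    Select-Object -First 1
if ($victim) {
    Restore-ADObject -Identity $victim.ObjectGUID
    Get-ADUser -Identity "alice" -Properties memberOf, whenChanged |
        Select-Object DistinguishedName, Enabled, whenChanged, @{ n = "Groups"; e = { $_.memberOf.Count } }
}
```

The group count in the last line is the point of using the Recycle Bin rather than reanimating a tombstone: with the feature enabled, link-valued attributes such as group membership survive deletion and come back with the object.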
44) What is an RODC? Why do we configure an RODC?
A read-only domain controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC is a read-only copy of the Active Directory
database, and it can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security
and faster logon time for the branch office.
> How do you check the current forest and domain functional levels? Give both GUI and command line.
To find out the forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and select Properties. Both the domain and
forest functional levels will be listed there. To find out the forest and domain functional levels from the command line, you can use the DSQUERY command.
> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
> Name a few port numbers related to Active Directory.
Kerberos 88, LDAP 389, DNS 53, SMB 445
> What is an FQDN?
FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of the domain name system which points to a device in the domain at its
left-most end. For example in system.
> Have you heard of ADAC?
ADAC (Active Directory Administrative Center) is a new GUI tool that came with Windows Server 2008 R2, which provides an enhanced data management
experience to the admin. ADAC helps administrators perform common Active Directory object management tasks across multiple domains with
the same ADAC instance.
> How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
> Explain the process between a user providing his domain credentials to his workstation and the desktop being loaded. Or: how does AD
authentication work?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique
long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC
then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA,
the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client
computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password
into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now
authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
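The exchange described above leaves a trace on the KDC: a TGT request (Security event 4768), the service ticket requests that follow (4769), and pre-authentication failures (4771). This added example (not from the original page) reads those events back from the domain's PDC emulator for one account, so the logon sequence can be seen step by step. It assumes the DC has the "Kerberos Authentication Service" and "Kerberos Service Ticket Operations" audit subcategories enabled, and the user name is hypothetical.

```powershell
# Added example: reconstruct one user's Kerberos logon sequence from the KDC's Security log.
Import-Module ActiveDirectory

$dc    = (Get-ADDomain).PDCEmulator
$user  = "alice"                          # hypothetical
$since = (Get-Date).AddHours(-1)

$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = "Security"; Id = 4768, 4769, 4771; StartTime = $since }

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML instead of relying on positional properties.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Step    = $(switch ($_.Id) {
                    4768 { "AS-REQ: TGT issued (the KDC step in the text)" }
                    4769 { "TGS-REQ: service ticket for a resource" }
                    4771 { "Pre-authentication FAILED (wrong password or clock skew)" } })
        Account = $d["TargetUserName"]
        Service = $d["ServiceName"]
        Client  = $d["IpAddress"]
        Status  = $d["Status"]
        EncType = $d["TicketEncryptionType"]   # 0x12 = AES256, 0x17 = RC4
    }
} | Where-Object { $_.Account -like "$user*" } | Sort-Object Time | Format-Table -AutoSize
```

Two things a defender looks for in this output: 4768 entries with EncType 0x17 where AES is expected, and bursts of 4771 with Status 0x18 (bad password) from one client address.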
> What is urgent replication and when is it used?
You probably know how Active Directory core replication works. When an object is changed, the source DC, the one that serviced the change
request, notifies its direct replication neighbours that there was a change to some object. The neighbours then start the replication process by
requesting the changes made since the last replication.
It is important to know that there is a notification delay between the actual change to the objects in the directory and the notification sent to the
replication partners. Server 2003 DCs wait 15 seconds before they fire out the change notification. This delay is there so that only one change
notification is sent once the change transaction to the object is done. If there are multiple changes made to an object, let's say the phone number, the
home town and the employeeID of a user, and the changes were made with a 1 second delay each, we only send one change notification for those
three changes. If there was no notification delay and we waited a second between the changes to a user's attributes, the source DC would be
sending three change notifications to its partners. Too much traffic there! Note that the default change notification delay in Windows 2000 was 5
minutes (the numbers may differ depending on installation type: upgrade from 2000 to 2003, forest functional level, etc.).
Given that fact, one can think of several scenarios which may lead to problems since the change to the directory is not replicated right away: user
password changes, user lockout, password policy changes.
For this reason, there is urgent replication. Urgent replication works in the same way normal replication does, but has no notification delay of a
few seconds/minutes. That makes urgent changes that need to be distributed throughout the sites and DCs get more quickly to all edges.
Urgent replication takes place in the following cases:
The password policy or account lockout policy of a domain has changed
The LSA secret has changed (that's used for the secure channels between machines and DCs, and for trusts)
A user or computer is locked out due to a failed logon attempt (in this case, urgent replication is used to notify the DC with the
PDC emulator role first and then all others)
The RID master has changed
So if one of the mentioned events takes place, urgent replication takes place and there is no notification delay prior to the change notification of
neighbour DCs.
> Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator.
> I want to promote a new additional Domain Controller in an existing domain. Which groups should I be a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. You should also be a member of the local Administrators group of
the member server which you are going to promote as an additional Domain Controller.
> Tell me the easiest way to check all 5 FSMO roles.
Use the netdom query /domain:YourDomain FSMO command. It will list all the domain controllers holding FSMO roles.
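The netdom command above and the functional-level question earlier in this set (ADUC properties or DSQUERY) can be answered together from the ActiveDirectory module. This is an added example (not from the original page) that reports forest and domain functional levels and all five FSMO holders for every domain, then checks that each holder is still answering on LDAP; it assumes RSAT on a domain-joined machine.

```powershell
# Added example: functional levels plus FSMO holders for the whole forest, with a liveness check.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        DomainMode           = $dom.DomainMode
        ForestMode           = $forest.ForestMode
        # Forest-wide roles: one holder for the whole forest.
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # Per-domain roles: one holder in each domain.
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}
$report | Format-List

# A role holder that no longer answers is the situation in which roles must be seized rather than transferred.
$holders = $report |
    ForEach-Object { $_.SchemaMaster, $_.DomainNamingMaster, $_.PDCEmulator, $_.RIDMaster, $_.InfrastructureMaster } |
    Sort-Object -Unique
foreach ($h in $holders) {
    $alive = (Test-NetConnection -ComputerName $h -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0}: {1}" -f $h, $(if ($alive) { "responding on LDAP" } else { "NOT responding - plan a role transfer or seizure" })
}

# Cross-check against the command-line tool the page names.
& netdom query fsmo
```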
> What is a realm trust?
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and an Active Directory domain.
