Active Directory Interview Preparation Guide
Download PDF

Active Directory Interview Questions and Answers will guide us now that Active Directory is a technology created by Microsoft that provides a variety of network services, including LDAP-like directory services, Kerberos-based authentication, DNS-based naming and other network information, Central location for network administration and delegation, Information security and single sign-on for user access to networked based resources so learn more by this Active Directory Interview Questions Answer

146 Active Directory Questions and Answers:

1 :: Explain Active Directory?

"Active Directory is the directory service used in Windows 2000 Server and is the foundation of Windows 2000 distributed networks."

The core of Active Directory is a combination of an LDAP server and MIT Kerberos 5 KDC running on a Windows 2000 server acting as a domain controller that work as a unit to provide authentication ("Who are you?") and authorization ("What are you allowed to do?") information within a group of interlinked systems.

Above and beyond that, the LDAP "face" of this structure behaves as an enterprise-wide distributed database that not only contains Windows-specific information but can be extended to incorporate user-defined data as well.

The AD is held together by DNS, which is used not only to locate specific machines within the AD but also to locate which functions of the AD are running on which domain controllers.

2 :: What is Forest?

The term "forest" is used to describe a collection of AD domains that share a single schema for the AD. All DC's in the forest share this schema and it is replicated in a hierarchical fashion among them. The preferred model for Windows 2000 AD is to have an organization use a single forest that spans an entire enterprise.

While not an administrative block by themselves, forests are a major boundary in that only limited communication is available between forests. For example, it is difficult for a user in one forest to access a resource in another forest.

It is very difficult to integrate forests at this time because of potential problems reconciling schema differences between two forests.

3 :: What is Domains in Active Directory?

In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains.

Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown below.

4 :: What is Organizational Units?

OU's have many of the attributes of an NT 4 domain. However, instead of requiring server resources to create and support, they are a logical construct within the Active Directory so an OU does not have to support and maintain a domain controller.

OU's are created by an administrator of an AD domain and can be freely named (and renamed). The OU can then be populated objects of many types including computers, groups, printers, users and other sub-OU's.

The real power of an OU is that once it is established, the administrator of its "parent" can delegate administrative authority -- in total or in part -- to any user or group that is in the AD.

When this happens, the designated user/group gains complete administrative authority over all objects in their OU and thus has all of the rights and abilities that a Windows NT domain administrator would have as well as some new ones such as the ability to further segment their OU into sub-OU's and delegate authority over those sub-elements as they see fit.

5 :: What is the Group Policy?

Group Policy is one of the most exciting -- and potentially complex -- mechanisms that the Active Directory enables. Group policy allows a bundle of system and user settings (called a "Group Policy Object" or GPO) to be created by an administrator of a domain or OU and have it automatically pushed down to designated systems.

Group Policy can control everything from user interface settings such as screen background images to deep control settings in the client such as its TCP/IP configuration and authentication settings. There are currently over 500 controllable settings. Microsoft has provided some templates as well to provide a starting point for creating policy objects.

A significant advantage of group policy over the old NT-style policies is that the changes they make are reversed when the policy no longer applies to a system. In NT 4, once a policy was applied to a system, removing that policy did not by itself roll back the settings that it imposed on the client. With Windows 2000, when a specified policy no longer applies to a system it will revert to its previous state without administrative interference.

Multiple policies from different sources can be applied to the same object. For example, a domain might have one or more domain-wide policies that apply to all systems in the domain. Below that, systems in an OU can also have policy objects applied to it, and the OU can even be further divided into sub-OU's with their own policies.

This can create a very complex web of settings so administrators must be very careful when creating these multiple layers of policy to make sure the end result -- which is the union of all of the applicable policies with the "closest" policy taking priority in most cases -- is correct for that system. In addition, because Group policy is checked and applied during the system boot process for machine settings and again during logon for user settings, it is recommended that GPO's be applied to a computer from no more than five "layers" in the AD to keep reboot and/or login times from becoming unacceptably long.

6 :: What is Empty Root Domain?

The "empty root domain" is an AD design element that has become increasingly popular at organizations with decentralized IT authority such as universities.

The empty root domain acts as a placeholder for the root of Active Directory, and does not typically contain any users or resources that are not required to fulfill this roll [sic]. [...] Only those privileges that have tree or forest-wide scope are restricted to the empty root domain administrators. Departmental administrators can work independently of other departments.

This politically neutral root domain provides a central source of authority and policy enforcement, and provides a single schema and global catalog that allows users to find resources anywhere in the university/district/state system. Individual IT departments retain a significant degree of independence and can control their own users and resources without having to worry that actions by administrators in other departments will disrupt their domain.

7 :: What is Mixed Mode?

Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.

8 :: What is Native Mode?

When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.

9 :: What is LDAP?

LDAP is the directory service protocol that is used to query and update AD. LDAP naming
paths are used to access AD objects and include the following:
• Distinguished names
• Relative Distinguished names

10 :: Minimum Requirement for Installing AD?

1. Windows Server, Advanced Server, Datacenter Server
2. Minimum Disk space of 200MB for AD and 50MB for log files
3. NTFS partition
4. TCP/IP Installed and Configured to use DNS
5. Administrative privilege for creating a domain in existing network