Active Directory Interview Questions and Answers
Active Directory remains a core skill for Windows system administrators in 2026. Most enterprises still rely on Active Directory Domain Services for identity, authentication, authorization, and policy management. Interviews test both concepts and real troubleshooting ability.
This guide covers Active Directory interview questions and answers with a system admin mindset. It focuses on how things work, why failures happen, and how you fix them in production.
Active Directory Fundamentals Interview Questions
1. What is a domain controller (DC) and what does it do?
A domain controller is a server that hosts Active Directory. It authenticates users, applies Group Policy, and stores directory data. Every login request goes to a DC.
DCs also replicate data with each other. This ensures changes are available across the domain. Having multiple DCs improves availability and fault tolerance.
2. What are AD objects and attributes?
AD objects are entries stored in the directory. Common objects include users, computers, groups, and organizational units. Each object has attributes like name, SID, email, and group membership.
Admins manage access by modifying these attributes. For example, adding a user to a group grants permissions without touching the resource itself.
3. What is the difference between authentication and authorization in AD?
Authentication verifies identity. It answers who you are. Authorization controls access. It answers what you can do.
In AD, authentication happens during login. Authorization happens when accessing files, apps, or services.
4. What is LDAP and how is it used in Active Directory?
LDAP is the protocol used to query and modify Active Directory. Tools like ADUC, PowerShell, and applications use LDAP in the background.
For example, when an app looks up a user email, it performs an LDAP query against a DC.
5. What is Active Directory Domain Services (AD DS) and what problem does it solve?
Active Directory Domain Services is Microsoft’s directory service for Windows networks. It provides a central place to manage users, computers, groups, and permissions. Without AD DS, each system would need local accounts and manual access control.
AD DS solves identity management at scale. Users log in once and access multiple resources. Admins manage security policies from a single point. This is why AD is still widely used in enterprises.
AD Architecture Interview Questions
1. What is the difference between a forest, a domain, and an OU?
- A forest is the highest level in Active Directory. It defines the schema, configuration, and trust boundaries. All domains inside a forest trust each other by default.
- A domain exists inside a forest and is used to manage users, computers, and policies under a common namespace. It acts as an administrative and replication boundary.
- An OU (Organizational Unit) is a container inside a domain. It is used to organize objects, apply Group Policies, and delegate admin tasks. OUs are not security boundaries.
2. What is the Global Catalog and when is it needed?
The Global Catalog (GC) stores a partial copy of objects from all domains in the forest. This allows users to search the directory and log in faster.
It is required when users belong to groups from different domains. In multi-domain forests, logons can fail if a GC is not available.
3. What are Sites and Subnets and why do they matter?
Sites represent physical locations like offices or data centers. Subnets map IP ranges to those sites.
Active Directory uses this information to direct clients to the closest domain controller.
Correct site and subnet design reduces login delays and controls replication traffic. Poor design leads to slow logons and replication issues.
4. What is a trust in Active Directory?
A trust allows users from one domain to access resources in another domain. Trusts can be one-way or two-way. They are commonly used during mergers, acquisitions, or when separate forests need to share resources securely.
5. How do you design OUs for delegation and GPOs?
OUs are designed based on who manages the objects and which policies apply to them. User and computer objects are usually placed in separate OUs. This makes it easier to apply GPOs and delegate admin rights. Avoid deep or complex OU structures. A simple design is easier to manage and troubleshoot.
Authentication in Active Directory Interview Questions
1. What is Kerberos and why is it the default in AD environments?
Kerberos is the default authentication protocol in Active Directory because it is secure and efficient. It uses ticket-based authentication and mutual verification between client and server. This reduces password exposure and improves overall authentication security.
2. When does NTLM get used and why is it considered weaker or legacy?
NTLM is used when Kerberos cannot be used, such as with older systems or misconfigured environments. It does not support mutual authentication and is more vulnerable to relay and brute-force attacks. Modern AD environments try to restrict or disable NTLM wherever possible.
3. What is an SPN and why does it matter for Kerberos authentication?
A Service Principal Name maps a service instance to the account the service runs under. When a client asks for a service ticket, Kerberos uses the SPN to find that account, so the ticket is issued for the right identity. Incorrect or duplicate SPNs are a common cause of Kerberos authentication failures, especially with SQL and web services.
4. What is double hop or constrained delegation (high level)?
The double hop issue occurs when a server that authenticated a user cannot pass that user's identity on to a second server. Constrained delegation allows a service to act on the user's behalf toward an explicitly listed set of services only. It is used in scenarios like web servers accessing backend databases on behalf of users.
5. How would you troubleshoot Kerberos failures?
Start by checking time synchronization, since Kerberos is sensitive to clock skew. Verify SPN configuration and ensure DNS is resolving correctly. Review event logs on clients and domain controllers to identify authentication errors.
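The three checks above as a first-pass triage script. This is an added example, not code from the original guide; it assumes RSAT's ActiveDirectory module, rights to read the PDC's Security log, and that $Domain resolves to your AD domain.

```powershell
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [int]$MaxSkewSeconds = 300      # Kerberos default clock tolerance is 5 minutes
)
Import-Module ActiveDirectory

# 1. Clock skew against the PDC Emulator, the domain's authoritative time source
$pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
$sample = w32tm /stripchart /computer:$pdc /samples:1 /dataonly | Select-Object -Last 1
if ($sample -match ',\s*([+-]?\d+\.\d+)s') {
    $offset = [double]$Matches[1]
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning "Clock offset ${offset}s from $pdc exceeds ${MaxSkewSeconds}s; tickets will be rejected"
    } else { Write-Host "Clock offset from ${pdc}: ${offset}s (OK)" }
} else { Write-Warning "Could not sample time from ${pdc}: $sample" }

# 2. Duplicate SPNs: when two accounts register the same SPN the KDC may issue a
#    ticket for the wrong account, so the real service cannot decrypt it
$spnIndex = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        foreach ($spn in $_.servicePrincipalName) {
            if (-not $spnIndex.ContainsKey($spn)) { $spnIndex[$spn] = New-Object System.Collections.ArrayList }
            [void]$spnIndex[$spn].Add($_.DistinguishedName)
        }
    }
$spnIndex.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $_.Key, ($_.Value -join '; '))
}

# 3. DNS: clients find a KDC through the _kerberos SRV record; no record, no ticket
$kdc = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV'
if (-not $kdc) { Write-Warning "No _kerberos._tcp.$Domain SRV records from this client's DNS servers" }
else { $kdc | Select-Object NameTarget, Port | Format-Table -AutoSize }

# 4. Recent failures on the PDC: 4768 = TGT request, 4771 = pre-auth failed.
#    The Status field names the cause (0x18 bad password, 0x25 clock skew, 0x12 disabled/locked)
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $status = ($data | Where-Object Name -eq 'Status').'#text'
        if ($status -ne '0x0') {
            [pscustomobject]@{
                Time   = $_.TimeCreated; Id = $_.Id; Status = $status
                User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Client = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
    } | Format-Table -AutoSize
```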
Backup, Restore & Disaster Recovery Interview Questions
1. What is authoritative vs non-authoritative restore in AD (conceptually)?
A non-authoritative restore brings a domain controller back online and lets it pull updated data from other DCs. An authoritative restore marks restored objects as newer so they replicate out to other DCs. Authoritative restores are used when you need to recover deleted objects across the domain.
2. What is Active Directory Recycle Bin and what does it help recover?
AD Recycle Bin allows administrators to restore deleted users, groups, and OUs without rebooting a domain controller. Restored objects keep most of their attributes and group memberships. It greatly reduces recovery time compared to traditional restores.
3. What is tombstone lifetime and why does it matter?
Tombstone lifetime defines how long deleted objects remain in Active Directory before being permanently removed. If a domain controller is offline longer than this period, it can cause serious replication issues. Keeping DCs healthy and connected prevents this problem.
4. How do you recover from accidental OU or user deletion at scale?
The fastest method is using AD Recycle Bin to restore objects in bulk. If Recycle Bin is not available, an authoritative restore from backup may be required. Acting quickly is critical to prevent data loss and replication complications.
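Restoring a deleted OU and everything under it from the Recycle Bin, parents before children, as an added example that is not part of the original guide. It assumes the ActiveDirectory module and that $DeletedOuName is the OU's former name.

```powershell
param([Parameter(Mandatory)][string]$DeletedOuName)
Import-Module ActiveDirectory

# Without the Recycle Bin a deleted object is only a tombstone with most attributes
# stripped, and only an authoritative restore from backup brings it back intact
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) { throw 'AD Recycle Bin is not enabled; an authoritative restore is needed' }

# Deleted objects keep msDS-LastKnownRDN (former name) and lastKnownParent (former container)
$deletedOu = @(Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$DeletedOuName))")
if ($deletedOu.Count -ne 1) { throw "Expected one deleted OU named '$DeletedOuName', found $($deletedOu.Count)" }
$deletedOu = $deletedOu[0]

# The OU's own former parent must still exist; otherwise restore that first (or use -TargetPath)
try { $null = Get-ADObject -Identity $deletedOu.lastKnownParent -ErrorAction Stop }
catch { throw "Former parent $($deletedOu.lastKnownParent) is gone; restore it first" }

function Restore-DeletedSubtree {
    param([string]$ParentDeletedDn)
    $parentDn = $ParentDeletedDn
    # Children deleted with the OU record its Recycle Bin DN (the \0ADEL:<guid> form)
    # as lastKnownParent, so the tree can be rebuilt level by level, parents first
    $children = Get-ADObject -IncludeDeletedObjects -Filter { isDeleted -eq $true -and lastKnownParent -eq $parentDn }
    foreach ($child in $children) {
        $childDeletedDn = $child.DistinguishedName        # capture before the restore rewrites it
        $restored = Restore-ADObject -Identity $child.ObjectGUID -PassThru
        Write-Host "Restored $($restored.DistinguishedName)"
        Restore-DeletedSubtree -ParentDeletedDn $childDeletedDn
    }
}

$ouDeletedDn = $deletedOu.DistinguishedName
$restoredOu = Restore-ADObject -Identity $deletedOu.ObjectGUID -PassThru
Write-Host "Restored $($restoredOu.DistinguishedName)"
Restore-DeletedSubtree -ParentDeletedDn $ouDeletedDn
```

Restored objects come back with their SIDs and group memberships intact, which is the property that makes this faster than an authoritative restore.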
5. What’s your strategy for DC backup and recovery testing?
Regular system state backups of all domain controllers are essential. Backups should be stored securely and tested periodically in a non-production environment. Recovery procedures should be documented and rehearsed to reduce downtime during incidents.
DNS and Active Directory Interview Questions
1. How do you troubleshoot domain join failures?
Start by verifying the client is using the internal Active Directory DNS server. Test name resolution and confirm SRV records exist in DNS. Check domain controller health, time synchronization, and network connectivity to identify the root cause.
2. Why is DNS critical for Active Directory?
Active Directory relies on DNS to function correctly because all core services depend on name resolution. Clients use DNS to locate domain controllers for authentication, Group Policy processing, and directory queries. If DNS is misconfigured or unavailable, users cannot log in, replication between domain controllers fails, and Group Policies do not apply.
3. What are SRV records?
SRV records are special DNS records that advertise Active Directory services such as LDAP, Kerberos, and Global Catalog. Domain controllers automatically register these records in DNS. Clients query SRV records to discover which domain controller can provide the required service.
4. What is the DC locator process?
During logon, the client queries DNS for SRV records related to the domain. Based on site information and availability, the client selects the nearest domain controller. The client then connects to that domain controller for authentication and policy processing.
5. What happens if clients use public DNS?
Public DNS servers do not contain Active Directory SRV records. As a result, clients cannot locate domain controllers. This leads to failed domain joins, login failures, and Group Policy issues.
FSMO Roles Interview Questions
1. What are FSMO roles and why do they exist?
FSMO roles exist because some Active Directory tasks cannot be safely handled by multiple domain controllers at the same time. Although AD supports multi-master replication, certain operations need a single authority to avoid conflicts. FSMO roles assign these critical tasks to specific domain controllers to maintain consistency and reliability.
2. Name the 5 FSMO roles and their responsibilities
- Schema Master: controls changes to the Active Directory schema.
- Domain Naming Master: manages adding or removing domains in the forest.
- RID Master: allocates RID pools so every object gets a unique SID.
- PDC Emulator: handles time synchronization, password changes, and account lockouts.
- Infrastructure Master: updates references to objects from other domains.
3. What happens if the PDC Emulator is down?
When the PDC Emulator is unavailable, password changes may not replicate quickly, causing login issues. Time synchronization can fail, which breaks Kerberos authentication. Account lockouts and authentication requests may be slow or inconsistent until the role is restored.
4. How do you transfer vs seize FSMO roles and when should you seize?
A role transfer is a planned move where both domain controllers are online and communicating. A role seize is an emergency action used only when the original role holder is permanently unavailable. Seizing should be avoided unless the failed DC will never return to the domain.
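A role move with a guard that only seizes when the current holder really is unreachable, as an added example (not code from the original guide). It assumes the ActiveDirectory module and Enterprise Admin rights; $TargetDc and the role list are placeholders.

```powershell
param(
    [Parameter(Mandatory)][string]$TargetDc,
    [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
    [string[]]$Roles = @('PDCEmulator'),
    [switch]$Seize
)
Import-Module ActiveDirectory

# Current holders: forest-wide roles are read from the forest, domain roles from the domain
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders.GetEnumerator() | Sort-Object Key | Format-Table -AutoSize

foreach ($role in $Roles) {
    $holder = $holders[$role]
    if ($holder -ieq $TargetDc -or $holder -like "$TargetDc.*") { Write-Host "$role is already on $TargetDc"; continue }

    # A transfer needs the current holder online; a seize must only happen when it is not,
    # because a seized holder that later returns still believes it owns the role
    $holderUp = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($Seize -and $holderUp) {
        Write-Warning "$holder still answers on LDAP; refusing to seize $role, use a transfer instead"
        continue
    }
    if (-not $Seize -and -not $holderUp) {
        Write-Warning "$holder is unreachable; a transfer of $role will fail. Rerun with -Seize only if it is permanently gone"
        continue
    }
    # -Force turns the operation into a seize; the cmdlet still attempts a transfer first
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $role -Force:$Seize -Confirm:$false
    Write-Host "$role moved to $TargetDc (seized: $Seize)"
}
if ($Seize) { Write-Warning 'Seized roles: remove the old holder with metadata cleanup and never reconnect it to the domain' }
```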
5. How do you decide FSMO placement in a multi-DC environment?
FSMO roles should be placed on reliable domain controllers with good connectivity. The PDC Emulator is usually placed on a well-maintained DC because it handles time and authentication. In smaller environments, forest-wide roles are often kept on the same DC for simplicity.
Hybrid Identity Active Directory Interview Questions
1. What’s the difference between AD DS and Microsoft Entra ID conceptually?
AD DS is an on-premises directory service focused on Windows networks and local infrastructure. Microsoft Entra ID is a cloud-based identity service designed for SaaS applications and modern authentication. They serve different environments but often work together.
2. What is Microsoft Entra Domain Services and when would you use it?
Microsoft Entra Domain Services provides managed domain services in the cloud without managing domain controllers. It is used when applications require LDAP or Kerberos but the organization wants to avoid running DCs in Azure.
3. What is directory sync and what are common pitfalls?
Directory sync connects on-prem AD with Entra ID to keep identities consistent. Common issues include duplicate objects, attribute conflicts, and misconfigured filtering. Careful planning and monitoring are required to avoid sync errors.
4. How do you handle password sync vs federation?
Password sync copies password hashes to the cloud and is simpler to manage. Federation keeps authentication on-prem and adds complexity. Most organizations prefer password sync unless there are strict security or compliance requirements.
5. What changes in troubleshooting when identity is hybrid?
Troubleshooting must cover both on-prem and cloud components. Issues may originate in AD, sync services, or Entra ID. Logs from both environments are needed to fully diagnose authentication and access problems.
Replication, SYSVOL & Active Directory Health Interview Questions
1. What are common signs of replication issues and how do you detect them?
Common signs include inconsistent passwords, GPO failures, and login problems that occur only on certain DCs. Replication issues are detected by checking event logs and running replication health checks. Delayed updates between DCs are a key warning sign.
2. Which tools or commands do you use for Active Directory health checks?
Dcdiag is used to test overall domain controller health, including DNS and services. Repadmin is used to check replication status and identify failures. These tools are run regularly to catch issues before they impact users.
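The PowerShell equivalent of a repadmin/dcdiag sweep, flagging partners that have not replicated within a threshold, as an added example (not code from the original guide). It assumes the ActiveDirectory module and rights to query every DC; $MaxLagMinutes is a placeholder threshold.

```powershell
param([int]$MaxLagMinutes = 60)   # inbound replication older than this is suspect
Import-Module ActiveDirectory
$forestName = (Get-ADForest).Name

# 1. Outstanding failures as each DC sees them (same data as repadmin /replsummary)
$failures = Get-ADReplicationFailure -Target $forestName -Scope Forest -ErrorAction SilentlyContinue
if ($failures) {
    $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize
} else { Write-Host 'No replication failures reported' }

# 2. Per-partner, per-partition inbound metadata: when did the last successful pull happen?
$now = Get-Date
Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest -PartnerType Inbound -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lag = ($now - $_.LastReplicationSuccess).TotalMinutes
        [pscustomobject]@{
            Server    = $_.Server
            # Partner is the NTDS Settings DN: CN=NTDS Settings,CN=<dc>,CN=Servers,... so take the second RDN
            Partner   = ($_.Partner -split ',')[1] -replace '^CN='
            Partition = ($_.Partition -split ',')[0]
            LagMin    = [math]::Round($lag)
            Failures  = $_.ConsecutiveReplicationFailures
            Status    = $(if ($_.LastReplicationResult -ne 0 -or $lag -gt $MaxLagMinutes) { 'CHECK' } else { 'ok' })
        }
    } | Sort-Object Status, LagMin -Descending | Format-Table -AutoSize

# 3. The classic tools remain the quickest cross-check; run them from any DC
repadmin /replsummary
dcdiag /test:Replications /test:DNS /q     # /q prints only errors
```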
3. What is SYSVOL and why is it important for GPO and script delivery?
SYSVOL is a shared folder that stores Group Policy files and logon scripts. It must replicate correctly across all domain controllers so users receive consistent policies. If SYSVOL is broken, GPOs fail to apply and scripts do not run.
4. How does Active Directory replication work at a high level?
Active Directory uses a multi-master replication model where all domain controllers can accept changes. These changes are replicated to other DCs to keep directory data consistent. Replication ensures users can authenticate and access resources from any DC.
5. What is a connection object in replication topology?
A connection object defines a replication path between two domain controllers. It tells AD which DCs should replicate with each other. These objects are created automatically but can be modified for custom replication needs.
6. What’s the difference between in-site and inter-site replication and why do sites matter?
In-site replication happens frequently and assumes fast network connections. Inter-site replication is scheduled and optimized to reduce bandwidth usage. Sites matter because they control replication behavior and ensure clients use the nearest domain controller.
Scenario-Based Active Directory Interview Questions
1. Users can’t log in at one site. How do you troubleshoot?
Start by checking DNS configuration and confirming clients use the correct internal DNS servers. Verify site and subnet mapping, then check domain controller availability in that site. Finally, review replication status to ensure credentials and policies are up to date.
2. GPO not applying to a specific OU. What do you check first?
Check that the GPO is linked to the correct OU and is enabled. Verify security filtering and inheritance settings. Confirm SYSVOL replication and use tools like gpresult to identify where processing is failing.
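The checks above scripted for one OU and one GPO, including a SYSVOL version comparison across DCs. This is an added example, not code from the original guide; it assumes the GroupPolicy and ActiveDirectory modules, and $OuDn, $GpoName and $TestComputer are placeholders.

```powershell
param(
    [Parameter(Mandatory)][string]$OuDn,     # e.g. "OU=Workstations,DC=corp,DC=example" (placeholder)
    [Parameter(Mandatory)][string]$GpoName,
    [string]$TestComputer                    # optional: a client to run gpresult against
)
Import-Module GroupPolicy; Import-Module ActiveDirectory

# 1. Link state: linked to this OU (or inherited from above), enabled, not blocked?
$inh = Get-GPInheritance -Target $OuDn
if ($inh.GpoInheritanceBlocked) { Write-Warning "$OuDn blocks inheritance; only Enforced links from above still apply" }
$link = $inh.InheritedGpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $link) { Write-Warning "$GpoName is not linked to $OuDn or any parent"; return }
$link | Select-Object DisplayName, Target, Enabled, Enforced, Order | Format-Table -AutoSize
if (-not $link.Enabled) { Write-Warning 'The link exists but is disabled' }

# 2. GPO status: the user and computer halves can be disabled independently
$gpo = Get-GPO -Name $GpoName
"GpoStatus: $($gpo.GpoStatus)  (anything other than AllSettingsEnabled blocks part or all of the GPO)"

# 3. Security filtering: who holds the Apply Group Policy right?
$apply = Get-GPPermission -Name $GpoName -All | Where-Object Permission -eq 'GpoApply'
"Apply Group Policy granted to: $($apply.Trustee.Name -join ', ')"
if ($apply.Trustee.Name -notcontains 'Authenticated Users') {
    Write-Warning 'Authenticated Users removed from filtering: the computer account still needs Read or user settings will not process'
}

# 4. SYSVOL consistency: every DC should serve the same GPT.INI version for this GPO
$ver = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $gpt = "\\$dc\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\GPT.INI"
    $line = Get-Content $gpt -ErrorAction SilentlyContinue | Where-Object { $_ -match '^Version=' } | Select-Object -First 1
    [pscustomobject]@{ DC = $dc; SysvolVersion = $(if ($line) { [int]($line -split '=')[1] } else { $null }) }
}
$ver | Format-Table -AutoSize
if (($ver.SysvolVersion | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'GPT.INI versions differ across DCs: SYSVOL replication is lagging or broken'
}

# 5. Finally ask the client what it actually processed and why anything was denied
if ($TestComputer) { gpresult /s $TestComputer /scope:computer /r }
```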
3. A new password works on one DC but not another. What does that suggest?
This usually indicates a replication issue between domain controllers. The password change has not replicated yet. Replication health and connectivity between DCs should be checked immediately.
4. Domain join fails with “domain not found.” What are your top checks?
Verify the client’s DNS settings and ensure it points to the AD DNS server. Test name resolution and confirm SRV records exist. Network connectivity and firewall rules are also checked.
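The DNS-side checks from the DNS section above and from this scenario, run on the failing client, as an added example (not code from the original guide). It assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later); $Domain is a placeholder.

```powershell
param([Parameter(Mandatory)][string]$Domain)

# 1. Which DNS servers is the client using? Public resolvers have no AD records.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } | Select-Object InterfaceAlias, ServerAddresses
$servers | Format-Table -AutoSize
$private = $servers.ServerAddresses | Where-Object { $_ -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)' }
if (-not $private) { Write-Warning 'No RFC 1918 DNS server configured; the client is probably pointing at a public resolver' }

# 2. Does DNS know the domain at all? The _msdcs subzone holds the DC locator records.
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV'
if (-not $dcSrv) {
    Write-Warning "No _ldap._tcp.dc._msdcs.$Domain SRV records: the classic cause of 'domain not found'"
    return
}
'Advertised DCs:'; $dcSrv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 3. Can the client actually reach them on the ports a join needs?
#    88 Kerberos, 389 LDAP, 445 SMB (SYSVOL/Netlogon), 135 RPC endpoint mapper
$ports = 88, 389, 445, 135
foreach ($dc in ($dcSrv.NameTarget | Sort-Object -Unique)) {
    $closed = foreach ($p in $ports) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue)) { $p }
    }
    if ($closed) { Write-Warning "$dc unreachable on TCP $($closed -join ', ') (firewall?)" }
    else { Write-Host "$dc reachable on all required ports" }
}

# 4. Ask the locator itself which DC it picks and from which site; a site other
#    than the client's real location points at a missing or wrong subnet mapping
nltest /dsgetdc:$Domain /force
```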
5. Replication is failing between sites. How do you isolate the root cause?
Check site links, schedules, and costs first. Verify network connectivity between sites and ensure required ports are open. Use replication tools to identify which DCs are failing and why.
6. A DC is down unexpectedly. What steps do you take in the first 30 minutes?
Confirm whether the DC is truly offline or just unreachable. Assess which roles it holds and the impact on authentication. Ensure other DCs are healthy, then decide whether to restore, rebuild, or seize roles if needed.
7. Users complain of slow logons. What checks do you run?
Review DNS response times and DC performance. Check the number and complexity of GPOs applied during logon. Verify site configuration and look for replication delays or network latency.
Security Hardening & Auditing Interview Questions
1. What is LDAP signing and channel binding and why are they enforced?
LDAP signing and channel binding protect authentication traffic from tampering and man-in-the-middle attacks. They ensure clients and servers verify each other securely. Many organizations enforce these settings to meet modern security standards.
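Before enforcing signing and channel binding, a DC can be set to audit binds that would break, which is how the rollout is normally staged. The script below is an added example (not code from the original guide); run it on each DC with local admin rights. The registry values and event IDs are the documented ones; the $Hours window is a placeholder.

```powershell
param([switch]$EnableAudit, [int]$Hours = 24)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Current enforcement state. LDAPServerIntegrity: 1 = none (default), 2 = require signing.
# LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
$integrity = (Get-ItemProperty $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
$cbt       = (Get-ItemProperty $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
"LDAPServerIntegrity=$integrity  LdapEnforceChannelBinding=$cbt"

if ($EnableAudit) {
    # '16 LDAP Interface Events' = 2 makes the DC log event 2889 for each unsigned or
    # unprotected bind and a 2887 summary every 24h, without changing enforcement yet
    Set-ItemProperty $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    Write-Host 'Audit logging enabled; collect 2889 events for a few days before enforcing'
}

# 2889 carries the client IP:port and the identity that bound without signing
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 2889 events in the last $Hours h (is auditing on?)"; return }

$events | ForEach-Object {
    # Message contains "Client IP address: <ip>:<port>" and "authenticate as: <DOMAIN\account>"
    $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace ':\d+$' } else { '?' }
    $id = if ($_.Message -match 'authenticate as:\s*(\S+)') { $Matches[1] } else { '?' }
    [pscustomobject]@{ Client = $ip; Identity = $id }
} | Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client'; e = { $_.Group[0].Client } }, @{ n = 'Identity'; e = { $_.Group[0].Identity } } |
    Format-Table -AutoSize
```

Each row is an application or host that must be fixed (or explicitly accepted) before LDAPServerIntegrity and LdapEnforceChannelBinding are set to 2.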
2. What are the biggest security risks in Active Directory environments?
The biggest risks include over-privileged accounts, weak credentials, and lateral movement after compromise. Domain Admin accounts are frequent targets. Poor monitoring and outdated security settings increase the attack surface.
3. How do you secure Domain Admin credentials and admin workstation access?
Admins should use separate accounts for daily work and privileged tasks. Privileged Access Workstations or hardened admin systems should be used for administrative actions. Domain Admin usage should be minimal and closely monitored.
4. How do you implement fine-grained password policies and when?
Fine-grained password policies are applied using Password Settings Objects. They allow different password rules for specific users or groups, such as service accounts or admins. They are useful when stricter security is required without impacting all users.
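A stricter PSO for privileged accounts, applied to a group and then verified per member, as an added example (not code from the original guide). It assumes the ActiveDirectory module and a domain at Windows Server 2008 functional level or higher; the PSO and group names are placeholders.

```powershell
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'
$group   = 'Tier0-Admins'             # placeholder: the group the policy should cover

# A PSO needs a precedence: when a user matches several, the lowest number wins
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 16 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
}

# PSOs apply to users and global security groups, never to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify: the resultant policy is what actually governs each member.
# Get-ADUserResultantPasswordPolicy returns nothing when only the default domain policy applies.
$defaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user' | ForEach-Object {
    $res = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    [pscustomobject]@{
        User      = $_.SamAccountName
        Policy    = $(if ($res) { $res.Name } else { 'Default Domain Policy' })
        MinLength = $(if ($res) { $res.MinPasswordLength } else { $defaultMin })
    }
} | Format-Table -AutoSize
```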
Users, Groups, Permissions, and Delegation Interview Questions
1. What are the different AD group scopes (Domain Local, Global, Universal) and when do you use each?
- Global groups collect users by role or department. They are typically nested inside the Domain Local groups that hold the permissions, rather than being placed on resources directly.
- Domain Local groups are used to assign permissions to resources such as file shares or applications within a domain.
- Universal groups are used in multi-domain environments to group users from different domains, but they should be used carefully because they increase replication traffic.
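The nesting pattern above (accounts in a Global group, the Global group in a Domain Local group, the permission on the Domain Local group) for one file share, as an added example that is not code from the original guide. It assumes the ActiveDirectory module, that it runs on the file server, and placeholder OU, group and folder names.

```powershell
Import-Module ActiveDirectory
$ou        = 'OU=Groups,DC=corp,DC=example'   # placeholder
$roleGroup = 'Role-Finance'                   # Global: "who" (members are users)
$rsrcGroup = 'RES-FinanceShare-Modify'        # Domain Local: "what" (carries the permission)
$folder    = 'D:\Shares\Finance'              # placeholder path on this file server

# Accounts go into a Global group that describes the role
if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $ou
}
# One Domain Local group per resource and permission level
if (-not (Get-ADGroup -Filter "Name -eq '$rsrcGroup'")) {
    New-ADGroup -Name $rsrcGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou
}
# Nest the role group inside the resource group; changing who holds the role never touches the ACL
Add-ADGroupMember -Identity $rsrcGroup -Members $roleGroup

# The NTFS permission is granted once, to the Domain Local group only
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$((Get-ADDomain).NetBIOSName)\$rsrcGroup", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Review: user accounts or Global groups directly on the ACL mean the pattern was bypassed
(Get-Acl -Path $folder).Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
```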
2. What are group types (Security vs Distribution) and common use cases?
Security groups are used for access control and permissions across resources such as files, applications, and GPO filtering. Distribution groups are used only for email distribution and cannot be assigned permissions. In most admin scenarios, security groups are preferred because they serve both access and email needs.
3. What is delegation in AD and how do you do it safely?
Delegation allows you to grant limited administrative rights without giving full Domain Admin access. It is commonly used to allow helpdesk staff to reset passwords or manage specific OUs. Safe delegation is done using the Delegation of Control Wizard, which ensures permissions are scoped correctly and reduces the risk of privilege abuse.
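The "reset password" delegation the wizard creates, written out explicitly so it can be reviewed and repeated, as an added example (not code from the original guide). It assumes the ActiveDirectory module (which provides the AD: drive); $OuDn and $HelpdeskGroup are placeholders, and the GUIDs are looked up from the schema rather than hard-coded.

```powershell
param(
    [Parameter(Mandatory)][string]$OuDn,            # e.g. "OU=Staff,DC=corp,DC=example" (placeholder)
    [Parameter(Mandatory)][string]$HelpdeskGroup
)
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Object-class and attribute GUIDs come from the schema; extended-right GUIDs from the config partition
$userClassGuid  = [guid]((Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID).schemaIDGUID)
$pwdLastSetGuid = [guid]((Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'pwdLastSet'" -Properties schemaIDGUID).schemaIDGUID)
$resetPwdGuid   = [guid]((Get-ADObject -SearchBase $rightsNC -Filter "displayName -eq 'Reset Password'" -Properties rightsGuid).rightsGuid)

$sid = (Get-ADGroup -Identity $HelpdeskGroup).SID
$onDescendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Two ACEs, both limited to user objects under the OU: the Reset Password extended right,
# and read/write on pwdLastSet so "must change password at next logon" can be set
$aces = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $resetPwdGuid, $onDescendants, $userClassGuid),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow, $pwdLastSetGuid, $onDescendants, $userClassGuid)
)

$acl = Get-Acl -Path "AD:\$OuDn"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Review what was granted: nothing beyond these two object-scoped ACEs should appear for the group
(Get-Acl -Path "AD:\$OuDn").Access | Where-Object { $_.IdentityReference -like "*\$HelpdeskGroup" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType | Format-Table -AutoSize
```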
4. What are service accounts and why are gMSA or managed accounts preferred?
Service accounts are used by applications and services to authenticate against AD. Group Managed Service Accounts automatically manage password rotation and SPNs, reducing manual effort and security risks. They are preferred because they eliminate hardcoded passwords and lower the risk of credential theft.
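Creating a gMSA for a service that runs on two hosts, with password retrieval restricted to a group of those hosts, as an added example (not code from the original guide). It assumes the ActiveDirectory module and domain admin rights; the account, host, group and DNS names are placeholders.

```powershell
Import-Module ActiveDirectory

$gmsa      = 'svc-webapp'
$hosts     = 'WEB01', 'WEB02'
$hostGroup = 'gMSA-WebApp-Hosts'        # only members of this group can retrieve the password
$dnsHost   = "webapp.$((Get-ADDomain).DNSRoot)"

# 1. The KDS root key is the secret every gMSA password is derived from; create it once per forest
if (-not (Get-KdsRootKey)) {
    # In production omit -EffectiveImmediately so the key replicates to every DC (10 hours) before use
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Scope retrieval to a group of computer accounts, never to a user or to everyone
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope DomainLocal -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members ($hosts | ForEach-Object { Get-ADComputer -Identity $_ })

# 3. Create the account. AD generates and rotates the password (every 30 days here) and
#    owns the SPNs, so no password is ever typed into a service configuration
New-ADServiceAccount -Name $gmsa -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ServicePrincipalNames "HTTP/$dnsHost" -KerberosEncryptionType AES256 `
    -ManagedPasswordIntervalInDays 30

# 4. On each host, after a reboot so its token includes the new group membership:
#      Install-ADServiceAccount -Identity 'svc-webapp'
#      Test-ADServiceAccount -Identity 'svc-webapp'    # True means this host can retrieve the password
#    then run the service as DOMAIN\svc-webapp$ with a blank password.

# 5. Verify the retrieval scope and SPNs; anything broader than the host group is a finding
Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
```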
5. What is least privilege in AD administration and how do you implement it?
Least privilege means administrators are given only the permissions required to perform their tasks. This is implemented by separating admin roles, using delegation instead of broad privileges, and avoiding daily use of high-privilege accounts. It reduces the impact of compromised credentials.