Active Directory Interview Questions for Beginners

Active Directory Interview Questions

What is Active Directory?

Active Directory is a directory service that allows network administrators to manage network resources from a single, centralized location. It stores information about users, groups, computers, printers, and other network resources, and provides a framework for authentication and authorization.

If you are looking for the best Active Directory interview questions and answers, this is the right place. Here we have listed the most frequently asked questions and answers, which will help you answer the Active Directory-related questions that usually come up. These interview questions are well-researched material prepared through a detailed study of the latest trends in the corporate world. The questions have been prepared with the utmost care to ensure that they cover all the important competencies needed for a successful career in Active Directory.

Quick Questions About Active Directory

Active Directory is a: Directory service
Active Directory is developed by: Microsoft
Active Directory is used for: Centralized domain management
Active Directory is abbreviated as: AD
Active Directory was initially released in: 1999
Active Directory top features are: Centralized management, integrated DNS, replication and fault tolerance, and Lightweight Directory Access Protocol (LDAP)

Key Responsibilities of Active Directory Developer

As an Active Directory Developer, some of the key responsibilities you may be expected to have include:

  • Designing and developing AD schema and domain structures.
  • Developing custom scripts and tools to automate common AD-related tasks, such as user provisioning and group management.
  • Managing AD security, including designing and implementing security policies and managing user accounts and their permissions.
  • Troubleshooting AD-related issues, such as authentication failures or replication problems.
  • Integrating AD with other systems, such as email servers, application servers, or third-party authentication systems.
  • Staying up to date with the latest AD-related technologies and best practices.

Below is the list of the best Active Directory interview questions and answers.

Active Directory, as the name suggests, is a directory service. It acts as a shared platform of information for organizing, managing, locating and administering everyday items and network resources. It was developed by Microsoft solely to support the Windows operating systems. Active Directory is found in the processes and services section of Windows Server. A number of identity-related and directory-based services now come under the one roof of Active Directory.

KCC is an acronym for Knowledge Consistency Checker. In Active Directory, the KCC component is responsible for generating the replication topology between domain controllers.

The Sysvol folder/directory refers to a location on the Windows Operating System (OS) where it stores the server's copy of the domain's public data and files. Sysvol is also known as SYSFOL.

Difference between Enterprise and Domain Admin groups in Active Directory

Enterprise Admins: Members of the Enterprise Admins group have full rights over all of the domains in the forest. This group is also a member of the Administrators group on all domain controllers in the forest. You need to add users with caution, as they get complete access to the forest. They can force a shutdown from a remote system, profile system performance, take ownership of files and much more.

Domain Admins: Members of the Domain Admins group have complete control of the domain. They are members of the Administrators group on all domain controllers, domain workstations and domain member servers. The Administrator account is also a member of this group. Members can adjust the memory quotas for a process, manage the security log, restore files and directories and do much more.
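Because both groups carry such broad rights, their membership is worth reviewing regularly. The following script is an added example (not from the original page) that lists the effective members of Enterprise Admins (queried in the forest root domain, where it lives) and Domain Admins, and flags disabled or stale accounts; it assumes the ActiveDirectory RSAT module and read access to group membership.

```powershell
# Added example: enumerate Enterprise Admins and Domain Admins membership for review.
# Requires the ActiveDirectory module (RSAT) and rights to read group membership.
Import-Module ActiveDirectory

# Enterprise Admins exists only in the forest root domain, so query it there.
$rootDomain = (Get-ADForest).RootDomain
$groups = @(
    @{ Name = 'Enterprise Admins'; Server = $rootDomain },
    @{ Name = 'Domain Admins';     Server = (Get-ADDomain).DNSRoot }
)

foreach ($g in $groups) {
    # -Recursive expands nested groups so indirect members are reported too.
    $members = @(Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive)
    Write-Host ("`n{0} ({1}): {2} effective member(s)" -f $g.Name, $g.Server, $members.Count)

    foreach ($m in $members) {
        if ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.distinguishedName -Server $g.Server `
                            -Properties Enabled, LastLogonDate
            # Flag accounts that still hold forest- or domain-wide rights but are
            # disabled or have not logged on for 90 days (constructed threshold).
            $note = ''
            if (-not $u.Enabled) {
                $note = ' [disabled]'
            } elseif ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-90)) {
                $note = ' [no logon in 90 days]'
            }
            Write-Host ("  user      {0}{1}" -f $u.SamAccountName, $note)
        } else {
            # Computers or other principals that were nested into the group.
            Write-Host ("  {0,-9} {1}" -f $m.objectClass, $m.SamAccountName)
        }
    }
}
```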

Their purpose is to enable administrators to create new areas in Active Directory so that data can be stored on the DCs they choose, instead of on every DC in the domain. They are used when the user needs to determine which objects must exist within Active Directory and what kinds of attributes each can have.

Sites are used to deliver data through online resources on the World Wide Web all over the world, at an address allotted to the processed data, with their presentation open to users for access. They have user-generated content and also user profiles to enhance communication to various extents.

It is a set of one or more domain trees that do not form a contiguous namespace. The trees in the forest share a common schema, configuration and global catalog, and they also exchange trust. The value of the tombstone lifetime attribute, which is present in the Directory Service object in the configuration directory partition, defines the tombstone lifetime. The default value depends on the operating system of the first DC in the forest.

It contains the formal definitions of every object class that can be created in the Active Directory forest. The details of every attribute that can possibly exist in the Active Directory forest are also included in it. It describes the rules for the types of objects that can be included in Active Directory.

A domain controller is the main component, or centerpiece, of Windows Active Directory.

Below is the list of ports used by Active Directory:

  • RPC endpoint mapper: port 135 TCP, UDP
  • NetBIOS name service: port 137 TCP, UDP
  • NetBIOS datagram service: port 138 UDP
  • NetBIOS session service: port 139 TCP
  • SMB over IP (Microsoft-DS): port 445 TCP, UDP
  • LDAP: port 389 TCP, UDP
  • LDAP over SSL: port 636 TCP
  • Global catalog LDAP: port 3268 TCP
  • Global catalog LDAP over SSL: port 3269 TCP
  • Kerberos: port 88 TCP, UDP
  • DNS: port 53 TCP, UDP
  • WINS resolution: port 1512 TCP, UDP
  • WINS replication: port 42 TCP, UDP
  • RPC: dynamically assigned TCP ports, unless restricted
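A practical use of this list is checking that nothing between a client and a domain controller blocks the fixed ports; a closed 88, 389 or 445 usually shows up as a logon or group policy failure. The following is an added example (not from the original page) that probes the fixed TCP ports above with Test-NetConnection; the DC name is a placeholder and the dynamic RPC range is not covered.

```powershell
# Added example: verify the fixed Active Directory TCP ports on a domain controller.
# $dc is a placeholder; set it to a real domain controller name.
$dc = 'dc01.example.local'

# Fixed TCP ports from the list above (the dynamic RPC range is not tested here).
$tcpPorts = [ordered]@{
    'RPC endpoint mapper'     = 135
    'NetBIOS session'         = 139
    'SMB (Microsoft-DS)'      = 445
    'LDAP'                    = 389
    'LDAP over SSL'           = 636
    'Global catalog'          = 3268
    'Global catalog over SSL' = 3269
    'Kerberos'                = 88
    'DNS'                     = 53
}

$results = foreach ($name in $tcpPorts.Keys) {
    $port = $tcpPorts[$name]
    # Test-NetConnection performs a TCP handshake; -InformationLevel Quiet
    # returns only $true or $false instead of the full result object.
    $ok = Test-NetConnection -ComputerName $dc -Port $port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $name; Port = $port; Reachable = $ok }
}

$results | Format-Table -AutoSize

# Summarise what is blocked so the firewall path can be checked first.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} port(s) not reachable on {1}: {2}" -f `
        $blocked.Count, $dc, (($blocked | ForEach-Object { $_.Port }) -join ', '))
} else {
    Write-Host "All fixed AD TCP ports are reachable on $dc"
}
```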

The Active Directory database is stored under the system root directory, for example C:\Windows. The default location is %SystemRoot%\NTDS. You can create a backup of the database using Windows Server Backup, Wbadmin.exe or PowerShell.
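Since the database can be moved from its default location, a backup script should read the real path rather than assume %SystemRoot%\NTDS. The following is an added example (not from the original page) that reads the database and log paths from the NTDS service's registry parameters, checks the file exists, and then runs a system state backup with wbadmin; it must run on a domain controller as an administrator, and the backup target drive is a placeholder.

```powershell
# Added example: locate the AD database from the registry and back up system state.
# Run elevated on a domain controller; the target volume letter is a placeholder.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntdsKey

# These value names are the ones NTDS itself uses for its file locations.
$dbFile  = $params.'DSA Database file'
$logPath = $params.'Database log files path'
$sysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol

Write-Host "AD database : $dbFile"
Write-Host "AD log files: $logPath"
Write-Host "SYSVOL      : $sysvol"

# Sanity check before backing up: the database file must exist.
if (-not (Test-Path -Path $dbFile)) {
    throw "Database file not found at $dbFile"
}
$sizeMB = [math]::Round((Get-Item -Path $dbFile).Length / 1MB, 1)
Write-Host "Database size: $sizeMB MB"

# A system state backup includes the AD database, SYSVOL, registry and boot files.
# Placeholder: use a local volume that does NOT hold the database or its logs.
$target = 'E:'
wbadmin start systemstatebackup "-backupTarget:$target" -quiet

# Confirm that the new backup version was recorded on the target.
wbadmin get versions "-backupTarget:$target"
```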

It is made up of multiple domains that share a common schema and configuration, and they form a contiguous namespace. With the help of trust relationships, the domains are linked together in a tree. Active Directory is actually a set of one or more trees.

RODC is the abbreviation of read-only domain controller. An RODC is a domain controller that holds partitions of Active Directory Domain Services, but only read-only partitions. RODCs are available in Windows Server 2008 and later versions. They are mainly designed for branch offices that are not able to support their own domain controllers.

A subnet, also known as a subnetwork, is a logical subdivision of an IP network. Subnetting is the name given to the procedure in which one single network is divided into two or more subnetworks. Systems connected to a subnet are identified by an identical most-significant bit group in their IP addresses.

Steps to configure Universal Group Membership Caching in AD

  • Open Active Directory Sites and Services.
  • Select the site you wish to enable.
  • Right-click the NTDS Site Settings object and click Properties.
  • In the window that pops up, on the Site Settings tab, enable the Universal Group Membership Caching option.
  • In the Refresh cache from field, choose the site from which the cache is refreshed every 8 hours.
  • Click Apply, then OK. The configuration is done.
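The same setting can be applied without the GUI, which is useful when many branch sites need it. The following is an added example (not from the original page) that sets the caching flag on a site's NTDS Site Settings object and names the site whose global catalog refreshes the cache; it assumes that bit 0x20 of the options attribute is the caching flag and that msDS-Preferred-GC-Site holds the refresh site, and the two site names are placeholders.

```powershell
# Added example: enable Universal Group Membership Caching on one site via PowerShell.
# Assumptions: options bit 0x20 = caching enabled; msDS-Preferred-GC-Site = refresh site.
Import-Module ActiveDirectory

$site     = 'BranchSite'   # placeholder: site to enable caching for
$gcSite   = 'HQSite'       # placeholder: site with a global catalog to refresh from
$configNC = (Get-ADRootDSE).configurationNamingContext
$settings = "CN=NTDS Site Settings,CN=$site,CN=Sites,$configNC"
$gcSiteDN = "CN=$gcSite,CN=Sites,$configNC"
$cacheFlag = 0x20

$obj = Get-ADObject -Identity $settings -Properties options, 'msDS-Preferred-GC-Site'
$current = [int]$obj.options    # an unset attribute casts to 0

if (($current -band $cacheFlag) -eq 0) {
    # Preserve any other option bits already set on the object.
    Set-ADObject -Identity $settings -Replace @{ options = ($current -bor $cacheFlag) }
    Write-Host "Enabled Universal Group Membership Caching on site $site"
} else {
    Write-Host "Caching already enabled on site $site"
}

# Point the cache refresh at a site that actually hosts a global catalog.
Set-ADObject -Identity $settings -Replace @{ 'msDS-Preferred-GC-Site' = $gcSiteDN }

# Read the object back and show the effective settings.
$obj = Get-ADObject -Identity $settings -Properties options, 'msDS-Preferred-GC-Site'
[pscustomobject]@{
    Site            = $site
    CachingEnabled  = (([int]$obj.options) -band $cacheFlag) -ne 0
    RefreshFromSite = $obj.'msDS-Preferred-GC-Site'
}
```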

The Export-VM command exports a virtual machine to disk. It creates a folder at the specified location with three sub-folders: Snapshots, Virtual Hard Disks, and Virtual Machines.

A namespace is a set of signs used to identify and refer to objects of various kinds; it ensures that all of a given set of objects have unique names so that they can be easily identified. Namespaces are also used to organize code into logical groups and to prevent name collisions.

It refers to the organization of the available data: a blueprint of how the database has been constructed, i.e., how the data is divided into database tables in the case of relational databases.

Flat namespaces can be used to find which libraries and executables, other than the predefined ones, offer all symbols such as functions and external variables. A library, when loaded, might depend on a symbol, and that is why it can look in the flat namespace. After all the symbols are found, the library adds its own symbols to the list. The number of possible collisions is one of the biggest disadvantages of this approach; the duty of dealing with collisions is given to the operating system.

A hierarchical namespace is a naming scheme that allows the subdelegation of namespaces to third parties.

They can scale to extremely large networks. When you add more objects to the overall namespace, finding unique names for them is done within the sub-namespace to which they belong. Note that all DNS namespaces are hierarchical.

Computers, Users, ForeignSecurityPrincipals, Site, Domain and Organizational Unit are the different types of containers in Active Directory.

Major Components of Active Directory are

  • Domain
  • Tree
  • Forest
  • Organizational Unit
  • Site

Multi-master replication in Active Directory is a method of performing database replication that allows data to be stored by different groups of servers. It allows any member of the group to update the data.

All the members respond to client data queries. It allows the creation of multiple master servers, each of which can be the master of multiple slaves.

In a Windows NT network, the Primary Domain Controller (PDC) is a server that maintains the read-write directory of user security and account information.

The gpupdate /force command is the manual way to refresh or update your group policies in Windows. Although Windows refreshes Group Policy automatically in the background, sometimes you need to force an update of the group policies. In that situation you can use

> gpupdate /force

Even if there are no changes in the computer's group policies, this command forcibly tells Windows to apply an update of the GP settings. This not only forces the background refresh but also the foreground refresh of the group policies.

If you only want to refresh your policies, use

> gpupdate

It is a logical partition of an IP network into many smaller network segments. It is used to subdivide large networks into smaller, more efficient sub-networks. The complete Internet is composed of many networks hosted and run by many different organizations.

A unidirectional trust consists of a one-way outgoing trust that allows users in the remote domain to access resources in the local domain, whereas a bidirectional trust is a two-way trust that can be thought of as a combination of two opposite-facing one-way trusts, so that the trusting and trusted domains both trust each other.
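Trust direction is easy to misread, so it helps to print each trust with its meaning relative to the local domain. The following is an added example (not from the original page) that enumerates the domain's trusts with Get-ADTrust, spells out who trusts whom for each Direction value, and shows whether SID filtering is on; it assumes the ActiveDirectory module.

```powershell
# Added example: list trusts and explain their direction relative to the local domain.
Import-Module ActiveDirectory

$local = (Get-ADDomain).DNSRoot

Get-ADTrust -Filter * | ForEach-Object {
    # Direction is relative to the local domain:
    #   Outbound      = we trust the remote domain; its users can reach our resources
    #   Inbound       = the remote domain trusts us; our users can reach its resources
    #   BiDirectional = both of the above (two opposite-facing one-way trusts)
    $meaning = switch ("$($_.Direction)") {
        'Outbound'      { "$local trusts $($_.Name)" }
        'Inbound'       { "$local is trusted by $($_.Name)" }
        'BiDirectional' { "$local and $($_.Name) trust each other" }
        default         { "unrecognised direction: $($_.Direction)" }
    }
    [pscustomobject]@{
        Partner      = $_.Name
        Direction    = $_.Direction
        Meaning      = $meaning
        Type         = $_.TrustType
        Transitive   = -not $_.DisallowTransivity   # property name as exposed by the module
        SidFiltering = $_.SIDFilteringQuarantined   # $false means SID history from the partner is accepted
    }
} | Format-Table -AutoSize
```

Trusts reported with SidFiltering set to false deserve a second look, since the trusted domain can then present SIDs that are not its own.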

Generic containers are containers where, for each container class, there are two Java-style iterator data types: one that provides read-only access and one that provides write-only access.

The data in Active Directory is presented and stored in a hierarchical fashion. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

The RDN prefix is used to construct the RDN for a new object that is inserted into the store. The methods it includes are:

  • Equals(Object)
  • GetHashCode()
  • GetType()
  • IsDefaultAttribute()
  • Match(Object)
  • MemberwiseClone()
  • ToString()


OUs contain user objects, so you can put a user in an OU to control who has administrative authority over that user, whereas groups have a list of user objects, so you can put a user in a group to control that user's access to resources.

The dns file is located in the %systemroot%\System32\Config folder, so you can use a text editor, such as Notepad, to view and identify the SRV records associated with a domain controller.


We hope your knowledge is enhanced by reading these questions. Stay tuned with us if you want to learn more interview questions on various topics.

The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS). The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services running on the domain controller. The KDC uses the domain’s Active Directory service database as its account database. An Active Directory server is required for default Kerberos implementations.