Basics and Core Concepts (1–10)
Q1. What is Active Directory?
A1. Active Directory is Microsoft’s directory service that stores information about objects on the network and makes this information easy for administrators and users to find and use.
Q2. What is a domain in Active Directory?
A2. A domain is a logical group of network objects (computers, users, devices) that share the same AD database.
Q3. What is a forest?
A3. A forest is the topmost logical container in Active Directory. It holds one or more domains that share a single schema and configuration partition, and it is the security boundary: domains inside a forest are administrative boundaries only, because every domain in the forest trusts the others and a compromise of one domain can be extended to the rest.
Q4. What is a tree?
A4. A tree is a collection of one or more domains connected via a trust relationship in a contiguous namespace.
Q5. What is a Global Catalog?
A5. A Global Catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in the forest.
Q6. What is the difference between OU and a group?
A6. An Organizational Unit (OU) is a container used to organize objects within a domain; it is the unit for delegating administration and for linking Group Policy. A group is a security principal (it has a SID) that is used to grant permissions or rights to its members collectively. Permissions are set on groups, not on OUs.
Q7. What is the purpose of Sites and Services in AD?
A7. It controls replication traffic between domain controllers based on physical locations (sites) to optimize network traffic.
Q8. What is SYSVOL?
A8. SYSVOL is a shared directory (\\domain\SYSVOL) on every Domain Controller that stores the domain's public files, such as Group Policy templates and logon scripts, and is replicated between DCs by DFS-R (FRS in older domains).
Q9. What is a Domain Controller?
A9. A server that hosts Active Directory Domain Services (AD DS) and responds to authentication requests and directory queries.
Q10. What is a Trust Relationship?
A10. It is a link between two domains (or forests) that allows users in one domain to be authenticated for access to resources in another. Trusts have a direction (one-way or two-way) and may be transitive or non-transitive.
User/Computer Management (11–20)
Q11. How would you reset a locked-out user account?
A11. Open ADUC (Active Directory Users and Computers), locate the user, open Properties, and on the “Account” tab tick “Unlock account” (or right-click the user and choose “Reset Password…”, which also offers to unlock the account). In PowerShell: Unlock-ADAccount -Identity <user>. Note that “Reset Account” in ADUC applies to computer objects, not users. Before unlocking, find out what is causing the lockouts; a repeated lockout may be password guessing rather than a forgotten password.
Q12. How do you move users between OUs?
A12. Drag and drop the user from one OU to another in ADUC, or use Move-ADObject -Identity <user DN> -TargetPath <OU DN> in PowerShell.
Q13. How can you enforce a password policy for a specific group of users?
A13. Create a Fine-Grained Password Policy (a Password Settings Object, PSO) using Active Directory Administrative Center or PowerShell (New-ADFineGrainedPasswordPolicy) and apply it to users or global security groups. PSOs cannot be applied to OUs. When several apply to a user, the one with the lowest precedence value wins.
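Added example (not from the original page): a PSO that tightens password and lockout settings for a privileged group, followed by a check that the policy really is the one in effect for a member. The group name Tier0-Admins, the policy name PSO-Tier0 and the specific values are assumptions.

```powershell
# Added example, not from the original page. Assumed names: group "Tier0-Admins",
# policy "PSO-Tier0"; the limits below are illustrative.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0'
$group   = 'Tier0-Admins'

# Precedence: the lowest value wins when several PSOs apply to the same user.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
}

# PSOs can only be applied to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify on a real member: the resultant policy must be the PSO, not the
# Default Domain Policy (Get-ADUserResultantPasswordPolicy returns nothing
# when no PSO applies).
$member = Get-ADGroupMember -Identity $group -Recursive |
          Where-Object objectClass -eq 'user' | Select-Object -First 1
if ($member) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName
    if (-not $effective -or $effective.Name -ne $psoName) {
        throw "Expected $psoName to apply to $($member.SamAccountName), got '$($effective.Name)'"
    }
    $effective | Format-List Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
}
```

The final check matters because nested group membership and competing PSOs are the usual reasons a policy that looks applied is not the one the DC actually enforces.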
Q14. A user complains about slow login. What would you check?
A14. Check GPO processing time, network latency, profile size, and authentication server proximity.
Q15. How can you restrict user logon hours?
A15. In the user’s AD properties, under the “Account” tab, configure “Logon Hours.”
Q16. How do you disable a computer account?
A16. In ADUC, right-click the computer object and choose “Disable Account.”
Q17. How would you automate user creation in bulk?
A17. Use PowerShell scripting with the New-ADUser cmdlet and a CSV import (Import-Csv).
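Added example (not from the original page) of bulk creation from a CSV. The column names, the OU paths, the UPN suffix contoso.com and the two sample rows are constructed for illustration; in practice the rows come from Import-Csv. Each account gets a random one-time password and must change it at first logon, and accounts that already exist are skipped so the script can be re-run safely.

```powershell
# Added example, not from the original page. Assumed CSV columns:
# FirstName,LastName,Department,OU. The OUs are assumed to exist.
Import-Module ActiveDirectory

$upnSuffix = 'contoso.com'   # assumption

# Constructed sample input; normally: $rows = Import-Csv .\newusers.csv
$rows = @'
FirstName,LastName,Department,OU
Alice,Nguyen,Finance,"OU=Finance,OU=Users,DC=contoso,DC=com"
Bob,Okafor,IT,"OU=IT,OU=Users,DC=contoso,DC=com"
'@ | ConvertFrom-Csv

function New-RandomPassword {
    param([int]$Length = 24)
    # Use the cryptographic RNG, not Get-Random, for initial credentials.
    # 64 characters (ambiguous l/I/o/O/0/1 removed): 256 % 64 == 0, so the modulo
    # below introduces no bias.
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

foreach ($r in $rows) {
    $sam = ('{0}{1}' -f $r.FirstName.Substring(0, 1), $r.LastName).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName limit

    # Idempotent: skip accounts that already exist instead of failing the run.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }

    $initial = New-RandomPassword
    New-ADUser -Name "$($r.FirstName) $($r.LastName)" `
        -GivenName $r.FirstName -Surname $r.LastName `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
        -Department $r.Department -Path $r.OU `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    # Hand the one-time password over out of band; do not write it to a shared log.
    Write-Host "Created $sam in $($r.OU); password change required at first logon"
}
```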
Q18. What tool do you use to edit Group Policy Objects (GPOs)?
A18. Group Policy Management Console (GPMC).
Q19. How can you force a Group Policy update on a computer?
A19. Run gpupdate /force on the user’s computer (or Invoke-GPUpdate from a management host). Without /force only changed settings are reapplied; some settings (for example software installation and folder redirection) still need a logoff or restart.
Q20. How do you check which GPOs are applied to a user/computer?
A20. Use gpresult /r (or gpresult /h report.html for a full HTML report) or the Resultant Set of Policy (RSoP) tool.
Backup and Recovery (21–30)
Q21. How do you backup Active Directory?
A21. Use Windows Server Backup (wbadmin start systemstatebackup -backupTarget:<volume>) or third-party tools to back up System State on a Domain Controller. Use AD-aware backup software only; restoring a DC from a disk image or VM snapshot can cause a USN rollback.
Q22. How do you restore a deleted AD user?
A22. If AD Recycle Bin is enabled, restore it from there (Restore-ADObject) with all attributes and group memberships intact; otherwise, perform an authoritative restore via ntdsutil from a System State backup.
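Added example (not from the original page) for the Recycle Bin path: the script checks that the feature is enabled, finds the deleted object, refuses to guess between several matches, and handles the case where the user's original OU was deleted as well. The account name jdoe is an assumption.

```powershell
# Added example, not from the original page. Assumed account: jdoe.
Import-Module ActiveDirectory

function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
    if (-not $feature.EnabledScopes) {
        throw 'AD Recycle Bin is not enabled; use an authoritative restore (ntdsutil) instead.'
    }

    # Deleted objects sit under CN=Deleted Objects and are hidden from normal searches.
    $deleted = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

    if (-not $deleted) { throw "No deleted object with sAMAccountName $SamAccountName found" }
    if (@($deleted).Count -gt 1) {
        throw "Several deleted objects match; restore by ObjectGUID: $($deleted.ObjectGUID -join ', ')"
    }

    # Restore-ADObject fails if the original container is gone too. Either restore
    # the parent OU first or pass -TargetPath to put the user somewhere else.
    if (-not (Get-ADObject -Filter "distinguishedName -eq '$($deleted.lastKnownParent)'")) {
        throw "Parent $($deleted.lastKnownParent) no longer exists; restore it first or use -TargetPath"
    }

    Restore-ADObject -Identity $deleted.ObjectGUID

    # Unlike re-creating the user, a Recycle Bin restore keeps the SID and memberships.
    Get-ADUser -Identity $SamAccountName -Properties MemberOf |
        Select-Object SamAccountName, Enabled, DistinguishedName, MemberOf
}

Restore-DeletedADUser -SamAccountName 'jdoe'
```

Check the Enabled column after the restore: if the account had been disabled before deletion it comes back disabled, which is what you want for an account that was being offboarded.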
Q23. What is an authoritative restore?
A23. A restore that marks the restored objects as authoritative (ntdsutil increments their version numbers) so that they replicate out and overwrite the deletions on the other DCs, instead of being deleted again by normal replication. It is done in Directory Services Restore Mode after a non-authoritative System State restore.
Q24. What is a System State Backup?
A24. A backup that includes the Active Directory database (NTDS.dit), SYSVOL, boot files, the registry, COM+ class registration and, if installed, the Certificate Services database.
Q25. How would you recover from a failed Domain Controller?
A25. If other DCs are healthy, seize any FSMO roles the failed DC held, clean up its metadata (ntdsutil metadata cleanup, or delete the DC object in ADUC/Sites and Services), then rebuild the server and promote it again so it replicates a fresh copy. Restore from a System State backup only when the DC held unique data or no other DC exists.
Q26. How often should you backup Domain Controllers?
A26. Ideally daily, especially System State. A backup older than the tombstone lifetime cannot be restored at all, so the schedule must keep at least one backup well inside that window.
Q27. What is a tombstone in AD?
A27. A deleted object in AD that remains for a period (tombstone lifetime) before being permanently removed.
Q28. What is the default tombstone lifetime?
A28. 180 days for forests created on Windows Server 2003 SP1 or later; 60 days for forests created on Windows 2000 or 2003 RTM, which keep that value even after upgrades unless the tombstoneLifetime attribute is changed.
Q29. What would happen if all DCs failed without a backup?
A29. The domain data would be lost for good: without any surviving Domain Controller or backup there is no copy of the database left, and the domain must be rebuilt from scratch.
Q30. Can you recover a domain without a System State backup?
A30. If at least one healthy DC remains, yes: seize the FSMO roles, clean up the metadata of the failed DCs and promote new ones, because every DC holds a full writable replica. If every DC is lost, a System State backup is the only way back; otherwise a new domain must be built and clients rejoined.
Replication and FSMO Roles (31–40)
Q31. What are FSMO roles?
A31. Flexible Single Master Operations roles: specific operations that AD's multi-master replication cannot safely allow on more than one DC at a time (for example schema changes or RID allocation), so each is assigned to exactly one DC, the role holder.
Q32. Name the five FSMO roles.
A32. Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Master.
Q33. How do you find out which server holds FSMO roles?
A33. Run netdom query fsmo, or in PowerShell use Get-ADForest (SchemaMaster, DomainNamingMaster) and Get-ADDomain (RIDMaster, PDCEmulator, InfrastructureMaster).
Q34. What is the purpose of the PDC Emulator?
A34. It is the authoritative time source for the domain, receives password changes from other DCs immediately (so a just-changed password works before replication), processes account lockouts, is the default DC for editing Group Policy, and acts as primary domain controller for legacy clients.
Q35. What is AD replication?
A35. The multi-master process of copying changes to AD objects from one Domain Controller to the others, so that every DC converges on the same data.
Q36. How can you manually trigger replication between DCs?
A36. Use repadmin /syncall (or repadmin /replicate <dest DC> <source DC> <partition DN> for one partition) or Active Directory Sites and Services.
Q37. How would you monitor replication health?
A37. Use repadmin /replsummary or dcdiag (for example dcdiag /test:replications), or the Get-ADReplicationFailure and Get-ADReplicationPartnerMetadata cmdlets.
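Added example (not from the original page): a replication health report built on the AD replication cmdlets rather than on parsing repadmin output. It flags partners whose last attempt failed, partners whose last success is older than a threshold, and DCs that cannot be queried at all. The two-hour threshold is an assumption.

```powershell
# Added example, not from the original page. Threshold is an assumption.
Import-Module ActiveDirectory

$maxAge = [TimeSpan]::FromHours(2)

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
    } catch {
        # A DC that cannot be queried is itself a finding, not a reason to skip it.
        [pscustomobject]@{ DC = $dc.HostName; Partner = '-'; Partition = '-'
                           Status = "UNREACHABLE: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $meta) {
        $age = (Get-Date) - $m.LastReplicationSuccess
        $status = if ($m.LastReplicationResult -ne 0) { "ERROR $($m.LastReplicationResult) x$($m.ConsecutiveReplicationFailures)" }
                  elseif ($age -gt $maxAge)            { "STALE $([int]$age.TotalMinutes) min" }
                  else                                  { 'OK' }
        [pscustomobject]@{
            DC        = $dc.HostName
            # Partner is the DN of the partner's NTDS Settings object; keep the server name.
            Partner   = ($m.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1')
            Partition = $m.Partition
            Status    = $status
        }
    }
}

$report | Sort-Object DC, Partition | Format-Table -AutoSize

# Forest-wide failure list as a second source (includes error codes and partner names).
Get-ADReplicationFailure -Scope Forest -Target (Get-ADForest).Name |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# Non-zero exit so a scheduled run can alert on anything that is not OK.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

Watch the STALE column as well as ERROR: a partner that never reports an error but has not succeeded in days is what you see when a site link schedule or firewall change silently blocked traffic.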
Q38. What causes AD replication issues?
A38. Network issues, DNS misconfiguration, time synchronization problems, or replication link failures.
Q39. What happens if two DCs are out of sync?
A39. Objects and attribute changes (new accounts, group membership, password resets) appear on one DC but not the other, so users may get inconsistent results or authentication failures depending on which DC answers. If the gap exceeds the tombstone lifetime, lingering objects can be reintroduced and replication is quarantined.
Q40. How would you seize a FSMO role?
A40. Use ntdsutil (roles, connections, seize <role>) or Move-ADDirectoryServerOperationMasterRole -Force to forcibly seize the role when the current holder is permanently unavailable. Seize only as a last resort, and never bring the old holder back onto the network afterwards without rebuilding it, or the domain ends up with two holders of the same role.
Advanced/Real-Life Troubleshooting (41–50)
Q41. What would you do if replication failed due to USN rollback?
A41. A USN rollback (typically caused by restoring a DC from a disk image or VM snapshot) is not repairable in place: the DC logs event 2095 and stops replicating to protect the rest of the domain. Forcibly demote it, clean up its metadata on a healthy DC, and promote it again as a fresh replica.
Q42. How do you fix DNS issues affecting AD?
A42. Ensure every DC and client points only to internal DNS servers that host the AD zones (a DC should list another DC first and itself second), verify the SRV records with dcdiag /test:dns and nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>, re-register them with ipconfig /registerdns and a Netlogon restart, and fix or recreate zone records; reinstall the DNS role only if the zone itself is damaged.
Q43. A user’s account is locked frequently. How do you troubleshoot?
A43. Use the Account Lockout and Management Tools (LockoutStatus.exe, EventCombMT) or read Security event ID 4740 on the PDC Emulator, which records every lockout together with the caller computer name, to trace the source. Common causes are stale credentials in services, scheduled tasks, mapped drives and mobile devices; many accounts locking out from one source in a short window indicates password spraying rather than a stale credential.
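Added example (not from the original page): collecting 4740 events from the PDC Emulator and grouping lockouts by originating computer, so that a single stale credential and a password-spraying source look different in the output. The 24-hour window is an assumption; reading the remote Security log needs event log read rights on the PDC.

```powershell
# Added example, not from the original page. Window of 24 hours is an assumption.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param([string]$User = '*', [int]$Hours = 24)

    # Every lockout is processed by, and logged on, the PDC Emulator.
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named fields out of the event XML instead of parsing the message text.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($User -ne '*' -and $d.TargetUserName -ne $User) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $d.TargetUserName
            # In event 4740 the TargetDomainName field carries the caller computer name.
            Source  = $d.TargetDomainName
            PDC     = $pdc
        }
    }
}

$lockouts = Get-LockoutSource -Hours 24

# One source, one account, repeating: a stale credential on that host.
# One source, many distinct accounts in a short window: password spraying.
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count,
                  @{n='Accounts';e={ ($_.Group.Account | Sort-Object -Unique) -join ',' }},
                  @{n='First';e={ ($_.Group.Time | Measure-Object -Minimum).Minimum }},
                  @{n='Last'; e={ ($_.Group.Time | Measure-Object -Maximum).Maximum }}
```

If the Source column is empty or shows a DC name, the lockout came in through a path that does not forward the workstation name (for example some VPN or web gateways); then correlate with 4771 and 4776 events on that DC to find the real client.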
Q44. How would you enable AD Recycle Bin?
A44. Through Active Directory Administrative Center or PowerShell: Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <forest root>. The forest functional level must be at least Windows Server 2008 R2, and enabling it is irreversible.
Q45. How do you troubleshoot slow replication?
A45. Check site link costs, replication schedule, and network latency.
Q46. You cannot log in to AD. What basic checks would you do?
A46. Check the network connection, DNS settings (the client must resolve the domain's SRV records), DC health (dcdiag), time skew between client and DC (Kerberos tolerates five minutes by default), the computer account's secure channel (Test-ComputerSecureChannel), and trust relationships.
Q47. Can you demote a DC without being connected to other DCs?
A47. Yes. On Windows Server 2012 and later use Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole (dcpromo /forceremoval on Windows Server 2008 R2 and earlier), then clean up the metadata on a healthy DC with ntdsutil (metadata cleanup) or by deleting the DC's computer object in ADUC and its NTDS Settings object in Sites and Services, and seize any FSMO roles it held.
Q48. How do you transfer FSMO roles gracefully?
A48. Use Active Directory Users and Computers (RID, PDC Emulator, Infrastructure Master), Active Directory Domains and Trusts (Domain Naming Master) and the AD Schema snap-in (Schema Master), or the Move-ADDirectoryServerOperationMasterRole cmdlet in PowerShell. A transfer requires both the current holder and the target to be online; without -Force the cmdlet transfers rather than seizes.
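Added example (not from the original page) covering Q33, Q40 and Q48 together: it lists the current role holders, then moves the requested roles to a target DC, transferring gracefully when the holder answers LDAP and seizing (Move-ADDirectoryServerOperationMasterRole -Force) only when it does not. The target name DC02.contoso.com is an assumption; the call at the end runs with -WhatIf so nothing moves until you remove it.

```powershell
# Added example, not from the original page. Assumed target DC: DC02.contoso.com.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest
    $d = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        RIDMaster            = $d.RIDMaster
        PDCEmulator          = $d.PDCEmulator
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Target,
        [string[]]$Roles = @('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')
    )
    $holders  = Get-FsmoHolders
    $isDown   = @{}
    foreach ($role in $Roles) {
        $holder = $holders[$role]
        if (-not $isDown.ContainsKey($holder)) {
            # Bind over LDAP to the holder itself rather than pinging it: a DC that
            # answers ICMP but not LDAP is still a failed holder.
            $isDown[$holder] = -not (Get-ADDomainController -Identity $holder -Server $holder -ErrorAction SilentlyContinue)
        }
        if ($isDown[$holder]) {
            # Seize only when the holder is really gone, and never let that server back on
            # the network afterwards without rebuilding it.
            if ($PSCmdlet.ShouldProcess("$role (holder $holder unreachable)", 'SEIZE')) {
                Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Force -Confirm:$false
            }
        } elseif ($PSCmdlet.ShouldProcess("$role from $holder", 'transfer')) {
            Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $role -Confirm:$false
        }
    }
    Get-FsmoHolders   # show the result so the caller can confirm the new holders
}

Get-FsmoHolders
Move-FsmoRoles -Target 'DC02.contoso.com' -Roles PDCEmulator, RIDMaster -WhatIf
```

Check the returned holders against netdom query fsmo on another DC after the move; a role that shows the new holder on only one DC means the change has not replicated yet.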
Q49. How would you troubleshoot if a GPO is not applying?
A49. Check gpresult /r (or gpresult /h) to see whether the GPO is listed as applied, denied or filtered out; then verify the link and its enabled state, security filtering (the computer or user needs Read and Apply Group Policy; the Authenticated Users read permission is needed for the GPO to be processed), WMI filters, SYSVOL replication status between DCs, and DNS.
Q50. How do you check domain and forest functional levels?
A50. Use the Active Directory Domains and Trusts console, or in PowerShell Get-ADDomain | fl Name,DomainMode and Get-ADForest | fl Name,ForestMode.