
Active Directory Interview Questions

1. How can Active Directory be installed?

Ans. Active Directory can be installed in one of two ways:

1. By using the dcpromo.exe command.


2. By using the Configure the Server administrative tool.

2. How can Active Directory Installation be verified?


Ans. Active Directory installation can be verified by checking for SRV and A records on the DNS server for the new domain controller.

3. In which mode is Active Directory installed initially?

Ans. Active Directory is initially installed in mixed mode; if you want to change it to native mode, you will have to do it manually.

4. Does native mode support NT 4 domain controllers?

Ans. Once converted to native mode, a domain cannot revert to mixed mode to support NT 4 domain controllers.

5. How can an authoritative restore be performed?

Ans. An authoritative restore can be performed by booting the computer in Directory Services Repair Mode and running ntdsutil.exe.

6. How can new sites be configured in Active Directory?

Ans. New sites are configured through Active Directory Sites and Services. After creating a new site, the following tasks must be
completed:

1. Add appropriate IP subnets to the site.


2. Install or move a domain controller or controllers into the site. Although a domain controller is not required for a site, it is
strongly recommended.
3. Connect the site to other sites with the appropriate site link.
4. Select a server to control and monitor licensing within the site.
5. All site links are bridged by default.
6. Site link bridges can be explicitly defined if a network is not fully routed.

7. How can Inbound Replication be configured?


Ans. Inbound replication can be configured through connection objects.

8. What is KCC and what is its function?


Ans. The KCC (Knowledge Consistency Checker) maintains schedules and settings for default site links and bridges. Administrator-configured connection objects require manual configuration and maintenance.

9. When is cost used?

Ans. Cost is used to determine which path to take between sites when multiple links exist.

10. What information is kept in GC servers?

Ans. Global Catalog (GC) servers maintain a read-only subset of information in the complete Active Directory database.

11. What is the procedure for configuring a GC server?

Ans. To configure a server as a GC server, use Active Directory Sites and Services. Select the desired domain controller, then right-click NTDS Settings and choose Properties. Check the box for Global Catalog.

12. How can a backup of AD system state data be taken?

Ans. The AD system state data backup can be taken by using the Windows 2000 Backup utility.

13. When is authoritative restore used?

Ans. Authoritative restore is used when you want your restored settings to overwrite existing AD settings on other domain controllers, such as when an object (OU, user account, and so on) is accidentally deleted from the database.

14. When is non-authoritative restore used?

Ans. Non-authoritative restore is used when you are restoring out-of-date information and want the restored data to be overwritten by newer data stored in Active Directory on other domain controllers. For example, you would do this if you were recovering a DC from a failed hard drive and restored the server.

15. What is Kerberos Trust?

Ans. All domains in a tree automatically establish two-way trust relationships called Kerberos trusts. Trust relationships between Windows 2000 domains and NT 4 domains must be configured manually, just as you would configure a trust relationship between two NT 4 domains.

16. Does a caching server store an editable copy of the database?

Ans. Caching servers do not store an editable copy of the zone database. Active Directory-integrated zones can reside only on domain controllers, not member servers or non-Windows 2000 servers of any kind (NT 4, Unix, and so on).

17. What should be checked if a user gets the error message "Domain controller cannot be found" while logging in?

Ans. If a user who is trying to log on gets an error that a domain controller cannot be found, check for the presence of SRV records in the DNS database for domain controllers.

18. What is the function of secure dynamic updates?

Ans. Secure dynamic updates allow only computers and users who have been given permission to update their records into the DNS
database. Secure dynamic update is supported only for Active Directory integrated zones.

19. How is DNS replication accomplished?

Ans. DNS replication is accomplished through Active Directory replication for AD-integrated zones and zone transfer for standard zones.

20. Why should a reverse lookup zone be configured?

Ans. A reverse lookup zone must be configured in order to perform reverse lookup queries. Installing AD through Configure Your
Server does not create a reverse lookup zone in DNS.

How to Verify an Active Directory Installation in Windows Server 2003

SUMMARY

This step-by-step article describes how to verify an Active Directory installation.

After you have performed an upgrade, you can verify the promotion of a server to a domain controller by verifying the following items.

Default Containers

These are created automatically when the first domain is created.


Open the Active Directory Users and Computers Microsoft
Management Console (MMC), and then verify that the following
containers appear here:
• Computers
• Users
• ForeignSecurityPrincipals

Default Domain Controllers Organizational Unit
This holds the first domain controller and also serves as the default container for new Windows Server domain
controllers. Open Active Directory Users and Computers, and then verify that this organizational unit appears here.




Default-First-Site-Name
During the promotion of a server to domain controller, the Dcpromo.exe program determines the site that the domain
controller can become a member of. If the domain controller that is being created is the first in a new forest, a default site
named "Default-First-Site-Name" is created and the domain controller becomes a member of this site until the appropriate
subnets and sites are configured. You can verify this item by using Active Directory Sites and Services.




Active Directory Database
Your Ntds.dit file is the Active Directory database. Verify that it resides in the %Systemroot%\Ntds folder.




Global Catalog Server
By default, the first domain controller becomes a global catalog server. To verify this item:
a. Click Start, click Administrative Tools, and then click Active Directory Sites and Services.
b. Double-click Sites, expand Servers, and then select your domain controller.
c. Double-click the domain controller to expand the server contents.
d. Below the server, an NTDS Settings object is displayed. Right-click the object, and then click Properties.
e. On the General tab, make sure that the Global Catalog check box is selected (this is the default setting).

Root Domain
The forest root is created when the first domain controller is installed. Verify your computer network identification in
My Computer. The Domain Name System (DNS) suffix of your computer should match the domain name that the domain
controller belongs to. Also, make sure that your computer registers the correct computer role. To verify this role, use the
net accounts command. The computer role should be "primary" or "backup," depending on whether the computer is the
first domain controller in the domain.




Shared System Volume
A Windows Server 2003 domain controller should have a shared system volume located in the %Systemroot%\Sysvol\Sysvol folder. To verify this item, use the net share command. Active Directory also creates two standard policies during the installation process: the Default Domain policy and the Default Domain Controllers policy (located in the %Systemroot%\Sysvol\Domain\Policies folder). These policies are displayed as the following globally unique identifiers (GUIDs):
{31B2F340-016D-11D2-945F-00C04FB984F9} -- representing the Default Domain policy
{6AC1786C-016F-11D2-945F-00C04fB984F9} -- representing the Default Domain Controllers policy




SRV Resource Records

You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. Microsoft recommends that you use the Microsoft version of DNS Server as your DNS server (this is bundled with Windows Server 2003). However, this version of DNS is not required. The DNS server that you use must support the Service Resource Record (SRV RR), described in Request for Comments (RFC) 2052, and the dynamic update protocol (RFC 2136). Use the DNS Manager MMC snap-in to verify that the correct zones and resource records are created for each DNS zone. Active Directory creates its SRV RRs in the following folders:
• _Msdcs/Dc/_Sites/Default-first-site-name/_Tcp
• _Msdcs/Dc/_Tcp

In these locations, an SRV RR is displayed for the following services:
• _kerberos
• _ldap
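
The checks in this article can also be scripted. The following PowerShell is an added example, not part of the original article: it assumes it is run on the domain controller with PowerShell 3.0 or later and the DnsClient and SmbShare modules (not available on Windows Server 2003 itself, where net share and nslookup serve the same purpose), and that the site is still named Default-First-Site-Name. The DNS names are the query names that correspond to the DNS Manager folders listed above.

```powershell
# Added example: scripted version of the manual verification steps.
# Assumptions: run locally on the DC; site name has not been changed.
$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$domain = $cs.Domain
$site   = 'Default-First-Site-Name'
$checks = [ordered]@{}

# Computer role: Win32_ComputerSystem.DomainRole 5 = primary DC, 4 = backup DC
$checks['Computer role is domain controller'] = $cs.DomainRole -in 4, 5

# Active Directory database in %SystemRoot%\Ntds
$checks['Ntds.dit present'] = Test-Path -LiteralPath (Join-Path $env:SystemRoot 'Ntds\Ntds.dit')

# Shared system volume (what "net share" shows as SYSVOL)
$checks['SYSVOL is shared'] = [bool](Get-SmbShare -Name 'SYSVOL' -ErrorAction SilentlyContinue)

# The two default policies, stored under their GUIDs
$policyRoot = Join-Path $env:SystemRoot 'Sysvol\Domain\Policies'
$policies = [ordered]@{
    'Default Domain policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Default Domain Controllers policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
}
foreach ($p in $policies.GetEnumerator()) {
    $checks["$($p.Key) folder"] = Test-Path -LiteralPath (Join-Path $policyRoot $p.Value)
}

# SRV records for _ldap and _kerberos, domain-wide and for the default site
foreach ($svc in '_ldap', '_kerberos') {
    $names = @(
        ('{0}._tcp.dc._msdcs.{1}' -f $svc, $domain),
        ('{0}._tcp.{1}._sites.dc._msdcs.{2}' -f $svc, $site, $domain)
    )
    foreach ($name in $names) {
        $answer = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
        # A missing record returns nothing (or only an SOA), so require an SRV answer
        $checks["SRV $name"] = [bool]($answer | Where-Object { $_.Type -eq 'SRV' })
    }
}

# One row per check; any False row is the item to inspect by hand
$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } } |
    Format-Table -AutoSize
```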
