Read the most frequently asked 55 top Active Directory interview questions and answers for freshers and experienced job interview questions pdf
1. A ——————group is a group that contains the same users as an OU.
A. Operation
B. Administration
C. Primary
D. Shadow
Answer:- D
2. ACL stands for Access Control List
A. True
B. False
Answer:- A
3. How do you create a group by using the Active Directory Users and Computers snap-in?
A. Left click the OU in which you want to create a group, select New, and choose Group.
B. Right click the OU in which you want to create a group, select New, and choose Group.
C. This can only be done in the registry editor.
D. You can create a group by typing MSCONFIG in the Run box.
Answer:- B
4. LDIFDE is a defragment tool in all versions of Windows Server.
A. False
B. True
Answer:- A
5. The Dsadd command -secgrp {yes | no} specifies group type: security (yes) or distribution (no).
A. False
B. True
Answer:- B
6. What option can you use to prevent deleting a group in Windows Server 2008?
A. You could prevent this by formatting the hard drive.
B. You can prevent deleting a group by restarting the computer.
C. Protect object from accidental deletion.
D. Use /noreboot to prevent deleting a group.
Answer:- C
7. There are two types of groups in Active Directory.
A. True
B. False
Answer:- A
8. What default group has the right to log on locally, start and stop services, perform backup and restore operations, format disks, create or delete shares, and even power down domain controllers?
A. Server Operators
B. Schema Admins
C. Enterprise Admins
D. Backup Operators
Answer:- A
9. How many group scopes are there in Active Directory?
A. Three
B. Zero
C. Ten
D. Five
Answer:- A
10. What is the basic syntax for Dsrm?
A. dsrm ObjectND.,,(subtree-(+exclude)) (+yesprompt) (*c)
B. dsrn ObjectDN. noprompt – c
C. dsrm ObjectDN…[-subtree [-exclude]] [-noprompt] [-c]
D. dsrm ObjectN…. [-subtree [-exclude]] [noprompt] [c-]
Answer:- B
11. Which is not one of the four divisions or container structures in Active Directory?
A. Forests
B. Domain
C. Webs
D. Organizational units
E. Sites
Answer:- C
12. What is a forest?
A. Physical groupings independent of the domain and OU structure. Sites distinguish between locations connected by low- and high-speed connections and are defined by one or more IP subnets.
B. The collection of every object, its attributes and attribute syntax in the Active Directory.
C. Containers in which domains can be grouped. They create a hierarchy for the domain and create the structure of the Active Directory’s company in geographical or organizational terms.
D. A collection of computers that share a common set of policies, a name and a database of their members.
Answer:- B
13. What do domain controllers do?
A. Store the database, maintain the policies and provide the authentication of domain logons.
B. Control granular settings in a domain environment.
C. Receive and relay domain commands
Answer:- A
14. What are Group Policy Objects?
A. A set of folder rules that determine where Outlook will save email messages.
B. Affords the capability for secure extension of network operations to the Web
C. They determine the hierarchy of a domain, which can fit the operational structure of an organization.
D. A collection of settings that define what a system will look like and how it will behave for a defined group of users.
Answer:- D
15. In Windows Server 2012 and Windows 8, Group Policy Objects give administrators the ability to select new Internet Explorer policies.
A. True
B. False
Answer:- A
16. Active Directory Rights Management Services is designed to give complete control of all documents stored in RMS-enabled applications.
A. True
B. False
Answer:- B
17. According to Jonathan Hassell, what is a good practice to follow with forest trusts?
A. Use shortcut trusts
B. Keep a current list of all trust relationships in the forest
C. Back up and ensure you have restore capability
D. All of the above
Answer:- D
18. According to Gary Olsen, domain controller load can be insufficient for the following reason(s):
A. Inefficient LDAP queries can put an unpredictable load on the DC.
B. The number of authenticated clients is unpredictable because multiple DCs share the load for clients in and out of the site.
C. Active Directory (AD) analysis and monitoring tools put additional load on the DC.
D. A and C only
E. A, B and C
Answer:- E
18. About how many settings are in a single Group Policy Object?
A. 1,800
B. 3,200
C. 900
D. 5,000
Answer:- A
19. In what version of Windows did Microsoft adopt Kerberos as an authentication policy?
A. Windows NT
B. Windows Server 2003 R2
C. Windows Server 2000
D. Windows 2008
Answer:- C
20. Between Sites you can also choose to use ________ for replication, but only for changes in the Schema or Configuration.
A. Internet Message Access Protocol
B. Post Office Protocol
C. Simple Mail Transfer Protocol
D. E-mail
Answer:- C
21. Active Directory and a Windows-based file server are not required to implement ________ on client Windows computers.
A. Windows Registry
B. Internet Explorer
C. Windows 2000
D. Roaming user profile
Answer:- D
22. Authentication across this type of trust is Kerberos based (as opposed to ________).
A. LM hash
B. NTLM
C. Samba (software)
D. Integrated Windows Authentication
Answer:- B
23. Unlike earlier versions of Windows which used ________ to communicate, Active Directory is fully integrated with DNS and TCP/IP—indeed DNS is required.
A. NetBIOS
B. NetBIOS Frames protocol
C. Server Message Block
D. Ethernet
Answer:- A
24. Another option is to use ________ with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database.
A. Mac OS X
B. Berkeley DB
C. Berkeley Software Distribution
D. OpenLDAP
Answer:- D
25. A different ‘cost’ can be given to each link (e.g., DS3, T1, ________ etc.) and the site link topology will be altered accordingly by the KCC.
A. OSI model
B. Integrated Services Digital Network
C. Universal Serial Bus
D. Physical Layer
Answer:- B
26. AGDLP (implementing ________ using nested groups)
A. Mandatory access control
B. Active Directory
C. Microsoft SQL Server
D. Role-based access control
Answer:- D
27. Active Directory is a technology created by ________ that provides a variety of network services, including:
A. Microsoft
B. Internet Explorer
C. Microsoft Office
D. Microsoft Windows
Answer:- A
28. ADAM is capable of running as a service, on computers running Microsoft ________ or Windows XP Professional.
A. Windows Server 2003
B. Windows Server 2008
C. Windows 2000
D. Microsoft Windows
Answer:- A
29. In ________, ADAM has been renamed AD LDS (Lightweight Directory Services).
A. Microsoft Windows
B. Windows Vista
C. Windows Server 2008
D. Windows 2000
Answer:- C
30. To which of the following Active Directory containers can Group Policies be applied?
A. sites
B. OUs
C. domains
D. all of the above
Answer:- D
31. To create a GPO for a domain or an organizational unit, you use either the Active Directory Users and Computers console or the ____.
A. Group Policy Maintenance console
B. Domain Policy Management console
C. Group Policy Management Console
D. Active Directory Sites and Services console
Answer:- C
32. For each GPO, there is a GPC container stored in the System\Policies folder in the _____.
A. Active Directory Domains and Trusts console
B. Active Directory GPO and Sites console
C. Active Directory Users and Computers console
D. Active Directory Group Policy console
Answer:- C
33. Each GPT folder is identified by the ____ for the GPO.
A. GPCID
B. GPTID
C. GPID
D. GUID
Answer:- D
34. Group Policy settings are divided into two categories: Computer Configuration settings and __________.
A. Policy Configuration settings
B. Organizational Configuration settings
C. Group Configuration settings
D. User Configuration settings
Answer:- D
35. Which of the following containers contains all Registry-based Group Policy settings, including settings for Windows Components, System, and Network?
A. Administrative Templates
B. Software Templates
C. Windows Templates
D. Logon Settings
Answer:- A
36. Which of the following is a function of the GPMC?
A. It can be used to link sites, search for sites, and to delegate Group Policy-related features.
B. It can be used to sign and encrypt all LDAP communications.
C. It provides administrators with the ability to back up, restore, import, and copy/paste GPOs, as well as to create, delete, and rename them.
D. It can be used to view all Group Policy management functions.
Answer:- C
37. Which of the following are exceptions to the order in which GPOs are processed?
A. The default order for processing Group policy settings is also affected by selecting the Enforced setting.
B. You can modify the default behavior by using the Block Inheritance option.
C. If a computer belongs to a workgroup, it processes only local GPOs.
D. all of the above
Answer:- D
38. When you configure loopback in ________ mode, the Computer Configuration GPO settings are appended to the default list of GPOs.
A. Replace
B. Merge
C. Default
D. Append
Answer:- B
39. In order to delegate permissions for a GPO, you must have the ___________ permission for the GPO.
A. Edit user, context, menu
B. Edit settings, delete, and modify security
C. Edit group, delete, modify user
D. none of the above
Answer:- B
40. The GPMC combines the functionality of the ACL Editor, Delegation Wizard, and Resultant Set of Policy tool.
A. True
B. False
Answer:- A
41. The GPT contains all of the Registry entries, as well as associated files and folders required to implement the various GPO functions.
A. True
B. False
Answer:- A
42. Administrative settings are used to determine the applications that will be distributed to computers or users via a GPO.
A. True
B. False
Answer:- B
43. The User Group Policy loopback processing mode is used when both the user account and the computer account are members of a Windows 2000 or later domain.
A. True
B. False
Answer:- A
44. You assign permissions to delegate administrative control over a GPO on the Delegation tab in the GPMC.
A. True
B. False
Answer:- A
45. Explain Active Directory?
“Active Directory is the directory service used in Windows 2000 Server and is the foundation of Windows 2000 distributed networks.”
The core of Active Directory is a combination of an LDAP server and MIT Kerberos 5 KDC running on a Windows 2000 server acting as a domain controller that work as a unit to provide authentication (“Who are you?”) and authorization (“What are you allowed to do?”) information within a group of interlinked systems.
Above and beyond that, the LDAP “face” of this structure behaves as an enterprise-wide distributed database that not only contains Windows-specific information but can be extended to incorporate user-defined data as well.
The AD is held together by DNS, which is used not only to locate specific machines within the AD but also to locate which functions of the AD are running on which domain controllers.
46. What is Forest?
The term “forest” is used to describe a collection of AD domains that share a single schema for the AD. All DCs in the forest share this schema and it is replicated in a hierarchical fashion among them. The preferred model for Windows 2000 AD is to have an organization use a single forest that spans an entire enterprise.
While not an administrative block by themselves, forests are a major boundary in that only limited communication is available between forests. For example, it is difficult for a user in one forest to access a resource in another forest.
It is very difficult to integrate forests at this time because of potential problems reconciling schema differences between two forests.
47. What are Domains in Active Directory?
In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains.
Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown below.
48. What are Organizational Units?
OUs have many of the attributes of an NT 4 domain. However, instead of requiring server resources to create and support, they are a logical construct within the Active Directory, so an OU does not have to support and maintain a domain controller.
OUs are created by an administrator of an AD domain and can be freely named (and renamed). The OU can then be populated with objects of many types, including computers, groups, printers, users and other sub-OUs.
The real power of an OU is that once it is established, the administrator of its “parent” can delegate administrative authority — in total or in part — to any user or group that is in the AD.
When this happens, the designated user/group gains complete administrative authority over all objects in their OU and thus has all of the rights and abilities that a Windows NT domain administrator would have, as well as some new ones, such as the ability to further segment their OU into sub-OUs and delegate authority over those sub-elements as they see fit.
49. What is the Group Policy?
Group Policy is one of the most exciting — and potentially complex — mechanisms that the Active Directory enables. Group policy allows a bundle of system and user settings (called a “Group Policy Object” or GPO) to be created by an administrator of a domain or OU and have it automatically pushed down to designated systems.
Group Policy can control everything from user interface settings such as screen background images to deep control settings in the client such as its TCP/IP configuration and authentication settings. There are currently over 500 controllable settings. Microsoft has provided some templates as well to provide a starting point for creating policy objects.
A significant advantage of group policy over the old NT-style policies is that the changes they make are reversed when the policy no longer applies to a system. In NT 4, once a policy was applied to a system, removing that policy did not by itself roll back the settings that it imposed on the client. With Windows 2000, when a specified policy no longer applies to a system it will revert to its previous state without administrative interference.
Multiple policies from different sources can be applied to the same object. For example, a domain might have one or more domain-wide policies that apply to all systems in the domain. Below that, systems in an OU can also have policy objects applied to them, and the OU can even be further divided into sub-OUs with their own policies.
This can create a very complex web of settings, so administrators must be very careful when creating these multiple layers of policy to make sure the end result — which is the union of all of the applicable policies, with the “closest” policy taking priority in most cases — is correct for that system. In addition, because Group Policy is checked and applied during the system boot process for machine settings and again during logon for user settings, it is recommended that GPOs be applied to a computer from no more than five “layers” in the AD to keep reboot and/or login times from becoming unacceptably long.
50. What is Empty Root Domain?
The “empty root domain” is an AD design element that has become increasingly popular at organizations with decentralized IT authority such as universities.
The empty root domain acts as a placeholder for the root of Active Directory, and does not typically contain any users or resources that are not required to fulfill this roll [sic]. […] Only those privileges that have tree or forest-wide scope are restricted to the empty root domain administrators. Departmental administrators can work independently of other departments.
This politically neutral root domain provides a central source of authority and policy enforcement, and provides a single schema and global catalog that allows users to find resources anywhere in the university/district/state system. Individual IT departments retain a significant degree of independence and can control their own users and resources without having to worry that actions by administrators in other departments will disrupt their domain.
51. What is Mixed Mode?
Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.
52. What is Native Mode?
When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.
53. What is LDAP?
LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following:
• Distinguished names
• Relative Distinguished names
54. Minimum Requirements for Installing AD?
1. Windows Server, Advanced Server, Datacenter Server
2. Minimum Disk space of 200MB for AD and 50MB for log files
3. NTFS partition
4. TCP/IP Installed and Configured to use DNS
5. Administrative privilege for creating a domain in existing network
55. How will you verify whether the AD installation is proper?
1. Verify SRV Resource Records
After AD is installed, the DC will register SRV records in DNS when it restarts. We can check this using the DNS MMC snap-in or the nslookup command.
Using MMC
If the SRV records are registered, the following folders will be present under the domain folder in the Forward Lookup Zone:
• _msdcs
• _sites
• _tcp
• _udp
Using nslookup
nslookup
> ls -t SRV Domain
If the SRV records are properly created, they will be listed.
2. Verifying SYSVOL
If the SYSVOL folder is not properly created, data stored in SYSVOL, such as scripts and GPOs, will not be replicated between DCs.
First, verify that the following folder structure has been created in SYSVOL:
Domain
Staging
Staging areas
Sysvol
Then verify that the necessary shares have been created:
net share
It should show two shares: NETLOGON and SYSVOL.
3. Verifying Database and Log files
Make sure that the following files are present in %systemroot%\ntds: Ntds.dit, Edb.*, Res*.log
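The three checks above can be run from one script on the new domain controller. This is an added example, not part of the original page: it assumes Windows Server 2012 or later (for Resolve-DnsName and Get-SmbShare) and takes the AD DNS domain name from $env:USERDNSDOMAIN unless one is passed in.

```powershell
# Added example (not from the original page): automates the SRV, SYSVOL and
# NTDS checks from question 55. Assumes Windows Server 2012 or later and that
# $Domain is the AD DNS domain name of this DC.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: the DC's own domain
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Passed) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed })
}

# 1. SRV records. Resolve-DnsName queries each record directly, so unlike
#    "ls -t SRV" in nslookup it does not rely on zone transfers being allowed.
$srvNames = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kerberos._udp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.pdc._msdcs.$Domain"
)
foreach ($name in $srvNames) {
    $rec = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    Add-Result "SRV record $name" ([bool]$rec)
}

# 2. SYSVOL folder structure and the NETLOGON / SYSVOL shares.
$sysvolRoot = Join-Path $env:SystemRoot 'SYSVOL'
foreach ($sub in 'domain', 'staging', 'staging areas', 'sysvol') {
    Add-Result "SYSVOL folder $sub" (Test-Path (Join-Path $sysvolRoot $sub))
}
foreach ($share in 'NETLOGON', 'SYSVOL') {
    $s = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
    Add-Result "Share $share" ([bool]$s)
}

# 3. Database and log files in %SystemRoot%\NTDS.
$ntds = Join-Path $env:SystemRoot 'NTDS'
Add-Result 'ntds.dit present' (Test-Path (Join-Path $ntds 'ntds.dit'))
$edb = Get-ChildItem $ntds -Filter 'edb.*' -ErrorAction SilentlyContinue
Add-Result 'edb.* present' ([bool]$edb)
# Res*.log is the name the page lists (Windows 2000/2003); Server 2008 and
# later name the reserve logs edbres*.jrs, so accept either form.
$reserve = Get-ChildItem (Join-Path $ntds '*') -Include 'res*.log', 'edbres*.jrs' `
           -ErrorAction SilentlyContinue
Add-Result 'reserve log files present' ([bool]$reserve)

$results | Format-Table -AutoSize
# Non-zero exit code if any check failed, so the script can gate a build pipeline.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it in an elevated PowerShell session on the DC after the post-promotion reboot; a failed SRV row usually means the DC's DNS client still points at a server that does not host the zone.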
55. Explain Active Directory schema?
The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory.
There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.
Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency.