Active Directory is a directory service developed by Microsoft and first shipped with Windows 2000 Server (previewed in 1999). It was created to help businesses manage users, computers and other resources on a network, and it quickly became a core piece of enterprise IT infrastructure: it still handles authentication, authorization and policy for most Windows environments today. Top companies like Microsoft, IBM, Accenture, TCS, and Infosys actively hire professionals with Active Directory skills for key IT roles. In this blog, we have listed the top 30+ most asked Active Directory interview questions along with simple answers to help you prepare.
Fun Fact: Over 90% of Fortune 1000 companies rely on Microsoft Active Directory to manage their IT infrastructure and user access.
Active Directory Interview Questions for Freshers
Here are some commonly asked Active Directory interview questions and answers for freshers.
- What is Active Directory? Why is it used?
Active Directory (AD) is a directory service by Microsoft. It helps manage users, devices, and permissions on a Windows network. It stores everything as objects in a hierarchical database, authenticates users and computers (Kerberos, or NTLM as a fallback), and allows IT admins to control access, apply policies, and organize resources from one place.
- What are the key components of Active Directory?
The main components are:
- Domain Services (AD DS): The directory database itself (ntds.dit) that stores user, group and computer objects and authenticates them.
- Group Policy: Centralized configuration and security settings for users and computers.
- DNS: Clients and DCs locate domain controllers and services through SRV records (for example _ldap._tcp.dc._msdcs.<domain>), so AD does not work without healthy DNS.
- Global Catalog: A partial replica of every object in the forest, used for forest-wide searches and logon.
- Replication: Keeps the database synchronized across all domain controllers.
- What is the difference between a domain and an organizational unit (OU)?
A domain is a boundary for security, authentication and administration. It contains users, groups, and computers and has its own password policy and administrators. An OU is a container inside a domain. It helps organize objects and is the smallest scope to which you can link a GPO or delegate administration, so you can apply policies to a subset without affecting the whole domain.
- What is Group Policy and how does it work?
Group Policy lets admins control settings for users and computers. It works through Group Policy Objects (GPOs) linked to sites, domains, or OUs. GPOs are processed in the order local, site, domain, OU, so the link closest to the object wins on conflicts unless a higher-level link is marked Enforced. You can use it to apply rules like password policies, audit settings or desktop restrictions.
- What is LDAP and how does it interact with AD?
LDAP (Lightweight Directory Access Protocol) is the protocol used to search, read and modify objects in Active Directory, normally over TCP 389 or 636 (LDAP over TLS). Applications use it to look up users, authenticate by binding with a user's credentials, or read group membership. Because a simple bind sends the password in clear text, it should only be used over TLS or with signing required.
- What is a domain controller?
A domain controller (DC) is a server that holds a writable copy of the AD database. It authenticates users and computers, issues Kerberos tickets, and enforces security policies across the domain. Production domains run at least two DCs for redundancy, because a domain with no reachable DC cannot log anyone on.
Note: Freshers usually get basic-level Active Directory interview questions on topics like user account management, group policies, and domain concepts.
Active Directory Interview Questions for Experienced
Let’s go through some important Active Directory interview questions and answers for experienced professionals.
- How does Active Directory replication work across sites?
Active Directory uses multi-master replication: a change made on any writable Domain Controller (DC) is replicated to all the others. Within a site, DCs notify their partners and replicate within seconds. Between sites, site links and their schedules control when and how data replicates; inter-site traffic is compressed and less frequent to reduce bandwidth usage, so a change can take the configured replication interval to reach a remote site.
- What are FSMO roles and what is the function of each?
There are five FSMO roles:
- Schema Master (one per forest): The only DC that can write schema changes.
- Domain Naming Master (one per forest): Adds and removes domains and application partitions.
- RID Master (one per domain): Allocates RID pools to DCs so that every new SID in the domain is unique.
- PDC Emulator (one per domain): Authoritative time source, receives urgent replication of password changes and lockouts, retries failed authentications against the latest password, and is the default DC for Group Policy edits; it also supports legacy clients.
- Infrastructure Master (one per domain): Updates cross-domain object references, such as group members from another domain.
- What is the difference between a standard DC and a Read-Only Domain Controller (RODC)?
A standard DC holds a writable copy of the database and accepts changes. An RODC holds a read-only copy and refers write attempts to a writable DC. By default it caches no user or computer credentials; the Password Replication Policy decides which accounts may be cached on it. That limits the damage if the server is stolen or compromised, which is why RODCs are used in branch offices where physical security is weak.
- How do you troubleshoot user authentication issues in AD?
I start with the Security log on the DC that handled the logon (events 4625, 4771 and 4776 give the failure reason and source). I verify DNS settings and that the client can locate a DC, check whether the account is locked, expired or disabled, and confirm the clock skew is within the 5 minutes Kerberos tolerates. I also confirm replication is healthy, so that a recent password change has reached every DC.
- What is a Global Catalog and how does it affect user logon?
A Global Catalog (GC) holds a partial, read-only replica of every object in the forest on top of the full replica of its own domain. During logon, the DC contacts a GC to resolve universal group memberships and user principal names (UPNs). Without a reachable GC, users in multi-domain forests may face slow logons or be refused logon altogether, unless the site has Universal Group Membership Caching enabled.
- How do you manage fine-grained password policies?
I use Password Settings Objects (PSOs), created in the Active Directory Administrative Center (Windows Server 2012 and later) or with the New-ADFineGrainedPasswordPolicy cmdlet. A PSO can be applied only to users and global security groups, and when several apply the one with the lowest precedence value wins. This gives more control than the single domain-wide policy, for example longer passwords and a stricter lockout for admin accounts. The domain functional level must be Windows Server 2008 or higher.
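As an added example (not from the original post), the same policy applied from PowerShell. It assumes the ActiveDirectory module, a domain at functional level Windows Server 2008 or higher, and a hypothetical global security group named Tier0-Admins that already exists; the PSO name and its values are illustrative.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module and a pre-existing global security group "Tier0-Admins" (hypothetical).
Import-Module ActiveDirectory

$groupName = 'Tier0-Admins'
$psoName   = 'PSO-Tier0-Admins'

# Lower Precedence wins when a user is covered by several PSOs. A PSO can only
# be applied to users and *global* security groups; domain local or universal
# groups are rejected by Add-ADFineGrainedPasswordPolicySubject.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify what each member actually gets after precedence is resolved. The
# cmdlet returns nothing when no PSO applies, meaning the Default Domain Policy is in effect.
$default = Get-ADDefaultDomainPasswordPolicy
foreach ($member in Get-ADGroupMember -Identity $groupName -Recursive |
                    Where-Object objectClass -eq 'user') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName
    [pscustomobject]@{
        User      = $member.SamAccountName
        Policy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MinLength = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
        Lockout   = if ($pso) { $pso.LockoutThreshold } else { $default.LockoutThreshold }
    }
}
```

Run the verification loop again after adding a user to the group: PSO membership is evaluated live, so no replication wait or logoff is needed for the resultant policy to change.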
Active Directory L2 Interview Questions
These Active Directory L2 interview questions and answers are designed to test your troubleshooting skills at the support engineer level.
- What is the purpose of tombstone lifetime in Active Directory?
Tombstone lifetime defines how long a deleted object stays in the directory as a tombstone before garbage collection removes it permanently. The default is 60 days in forests created on Windows 2000 or Windows Server 2003 before SP1, and 180 days in forests created on Windows Server 2003 SP1 or later; the configured value lives in the tombstoneLifetime attribute of the Directory Service object in the configuration partition. Tombstones are replicated so every domain controller learns about the deletion. A DC that has been offline longer than the tombstone lifetime must not be reconnected, because it will reintroduce objects the rest of the forest has already forgotten (lingering objects).
- How do you recover deleted AD objects?
Deleted objects can be restored using the Active Directory Recycle Bin if it is enabled, which requires a forest functional level of Windows Server 2008 R2 or higher and cannot be undone. I open the AD Administrative Center, go to the Deleted Objects container, and restore the object, or do the same from PowerShell with Get-ADObject -IncludeDeletedObjects and Restore-ADObject. This keeps attributes and group memberships intact without needing a backup. Without the Recycle Bin, the choices are an authoritative restore from a system-state backup or reanimating the tombstone, which loses most attributes.
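The following added example (not from the original post) covers the two previous answers together: it reads the tombstone lifetime actually configured in the forest, enables the Recycle Bin if it is off, lists recoverable objects and restores one. It assumes the ActiveDirectory module, Enterprise Admins rights for the enable step, and a hypothetical deleted user named jdoe.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module, Enterprise Admins rights, and a hypothetical deleted user "jdoe".
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# 1. Tombstone lifetime configured in this forest. If the attribute is unset,
#    the forest runs on the built-in default for the version it was created with.
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                         -Properties tombstoneLifetime
$tsl = if ($dsConfig.tombstoneLifetime) { "$($dsConfig.tombstoneLifetime) days" } else { 'not set (built-in default)' }
"Tombstone lifetime: $tsl"

# 2. Enable the Recycle Bin if needed. This is a one-way change and needs
#    forest functional level Windows Server 2008 R2 or higher.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name -Confirm:$false
}

# 3. List recoverable objects. They sit in the Deleted Objects container with
#    isDeleted=TRUE and a mangled name; msDS-LastKnownRDN holds the original name.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
                        -IncludeDeletedObjects `
                        -Properties lastKnownParent, whenChanged, msDS-LastKnownRDN
$deleted | Select-Object msDS-LastKnownRDN, objectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# 4. Restore by objectGUID. The object returns to lastKnownParent with its
#    attributes and group memberships. If the parent OU was deleted as well,
#    restore the parent first or the restore fails.
$target = $deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq 'jdoe' -and $_.objectClass -eq 'user' }
if ($target) {
    Restore-ADObject -Identity $target.ObjectGUID
    Get-ADUser -Identity 'jdoe' -Properties memberOf | Select-Object Name, Enabled, memberOf
}
```

Note that with the Recycle Bin enabled, the recoverable window is the deleted object lifetime (msDS-DeletedObjectLifetime), which defaults to the tombstone lifetime read in step 1; after that the object becomes a recycled tombstone and only attributes needed for replication survive.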
- What is the SYSVOL folder and what does it contain?
The SYSVOL folder is a share present on every domain controller. It holds the file part of each GPO (the Group Policy template, under Policies\{GUID}), logon scripts (exposed through the NETLOGON share) and other files all DCs must have identically. It is replicated between DCs by DFS Replication (DFS-R); older domains used the File Replication Service (FRS), which is deprecated, and Windows Server 2019 and later cannot be promoted into a domain that still replicates SYSVOL with FRS.
- How do you use the “repadmin” tool to check AD health?
I run repadmin /replsummary to get an overview of replication status per DC: failures, largest delta since the last success, and error codes. I also use repadmin /showrepl to view each DC's inbound partners per naming context (repadmin /showrepl * /csv gives a forest-wide table I can filter), and repadmin /queue to see whether requests are backing up.
- How do you handle replication conflicts between domain controllers?
True write conflicts (the same attribute changed on two DCs before they replicated) are resolved automatically: the higher attribute version number wins, then the later timestamp, then the higher originating DSA GUID, and two objects created with the same name in one container leave a CNF:<GUID>-mangled duplicate that I rename or delete. What needs a human is replication that has stopped. I check the Directory Service event log on both DCs, that they resolve each other in DNS and can reach each other over RPC, that time is in sync, and use repadmin /showrepl to find the failing partner. If a DC has been disconnected longer than the tombstone lifetime, I check for lingering objects with repadmin /removelingeringobjects in advisory mode before removing anything. For a DC that is permanently gone, I remove its metadata (ntdsutil metadata cleanup, or deleting its object in Active Directory Users and Computers or Sites and Services) rather than restoring it.
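As an added example (not from the original post), a replication health check built on the ActiveDirectory module's replication cmdlets rather than on parsing repadmin output. It assumes the module is installed and that the account running it can query every DC in the domain; the 24-hour staleness threshold is an arbitrary choice for the example.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module and rights to query every DC; the domain name is read at runtime.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Inbound partner metadata for every DC in the domain, per naming context.
#    Any ConsecutiveReplicationFailures > 0 is the link to chase first.
$partners = Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain
$partners |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize

# 2. Current failures with their Win32 error codes. Common ones:
#    1722 RPC server unavailable, 8453 replication access denied,
#    8524 DNS lookup failure, 8606 lingering object (insufficient attributes),
#    8614 partner has not replicated for longer than the tombstone lifetime.
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 3. Links that have not succeeded in 24 hours (example threshold).
$stale = $partners | Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-24) }
if ($stale) {
    Write-Warning 'Replication links with no success in the last 24 hours:'
    $stale | Format-Table Server, Partner, Partition, LastReplicationSuccess -AutoSize
}

# 4. Strict Replication Consistency per DC. When set to 1, a DC refuses to
#    accept lingering objects from a partner and logs event 1988 instead.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
foreach ($dc in Get-ADDomainController -Filter *) {
    $value = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty -Path $using:regPath -Name 'Strict Replication Consistency' `
            -ErrorAction SilentlyContinue).'Strict Replication Consistency'
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{ DC = $dc.HostName; StrictReplicationConsistency = $value }
}

# The classic one-line summary for comparison.
repadmin /replsummary
```

Step 4 is the security-relevant one: a DC with Strict Replication Consistency off will silently reanimate objects from a partner that was offline past the tombstone lifetime, including deleted accounts.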
Active Directory L3 Interview Questions
This section covers advanced Active Directory L3 interview questions and answers that are ideal for senior roles.
- What is the role of the Infrastructure Master and when can it be placed on a Global Catalog?
The Infrastructure Master updates cross-domain object references (phantoms), for example the entry for a user from another domain in a local group. In a multi-domain forest it must not run on a Global Catalog, because a GC already holds a copy of every object and the role would never notice stale references. If every DC is a Global Catalog, placing them together is safe. In a single-domain forest the role has nothing to do, and once the Recycle Bin is enabled every DC updates these references itself, so placement no longer matters.
- How do you migrate Active Directory from one domain to another?
Migration involves planning, testing, and a tool such as ADMT (Active Directory Migration Tool). I first establish a trust between the source and target domains, then migrate groups, users and computers, carrying the old SIDs into the sIDHistory attribute so existing ACLs keep working during coexistence. Once resources have been re-ACLed and profiles translated, I remove SID history and decommission the source domain. Cleanup comes last.
- How would you audit privileged user actions in AD?
I enable Advanced Audit Policy via Group Policy on the Domain Controllers OU: Audit Security Group Management, Audit User Account Management and Audit Directory Service Changes (the last also needs a SACL on the objects to watch). Then I monitor the Security log for privileged group changes (4728/4732/4756 for members added to global, local and universal security groups) and object modifications (5136). I forward those logs to a SIEM and use Microsoft Defender for Identity to alert on abuse patterns rather than reading raw events.
- What is AdminSDHolder and how does it work?
AdminSDHolder is an object in the domain's System container whose security descriptor is the template for protected groups (Domain Admins, Enterprise Admins, Administrators, Account, Server, Backup and Print Operators, and others) and their members. Every 60 minutes the SDProp process on the PDC Emulator disables inheritance on those objects, resets their ACLs to match AdminSDHolder and stamps them with adminCount=1. This reverts accidental or malicious permission changes on critical accounts; it also means that an attacker who can modify the AdminSDHolder ACL itself gains persistent control over every protected account within the hour.
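The following added example (not from the original post) ties the two previous answers together: it pulls privileged-group membership changes from every DC's Security log, inspects the AdminSDHolder ACL for unexpected entries, and finds accounts that still carry adminCount=1 after leaving every protected group. It assumes Audit Security Group Management is already enabled on the DCs and that the ActiveDirectory module is installed; the list of protected groups is the core set and the "expected principals" regex is an assumption you should adapt.

```powershell
# Added example, not part of the original post. Assumes Advanced Audit Policy
# "Audit Security Group Management" is enabled on the DCs and the
# ActiveDirectory module is present.
Import-Module ActiveDirectory

# Core set of groups SDProp protects via AdminSDHolder (exact list varies by version).
$protected = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
             'Account Operators','Backup Operators','Server Operators','Print Operators',
             'Replicator','Domain Controllers','Read-only Domain Controllers'

# 1. Membership changes in the last 7 days. Security logs are per DC, so every
#    DC is queried. 4728/4732/4756 = member added to a global/local/universal
#    security group; 4729/4733/4757 = member removed.
$ids   = 4728,4729,4732,4733,4756,4757
$since = (Get-Date).AddDays(-7)
$changes = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName='Security'; Id=$ids; StartTime=$since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            DC      = $dc
            EventId = $_.Id
            Action  = if ($_.Id -in 4728,4732,4756) { 'Added' } else { 'Removed' }
            Group   = $d.TargetUserName            # the group that changed
            Member  = $d.MemberName                # DN of the member
            Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    }
}
$changes | Where-Object Group -in $protected | Sort-Object Time | Format-Table -AutoSize

# 2. The AdminSDHolder ACL itself. Any ACE granted to an unexpected principal
#    is inherited by every protected account within the hour. The regex of
#    "expected" principals below is an assumption for the example.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
(Get-Acl -Path "AD:\$adminSdHolder").Access |
    Where-Object { $_.IdentityReference -notmatch 'SYSTEM|Domain Admins|Enterprise Admins|\\Administrators$|Authenticated Users|Everyone|SELF' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 3. Orphaned admins: users stamped adminCount=1 who are no longer in any
#    protected group. SDProp never clears the flag, so they keep inheritance
#    disabled and miss delegated permissions until fixed by hand.
$protectedMembers = $protected | ForEach-Object {
    Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue
} | Select-Object -ExpandProperty DistinguishedName -Unique
Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' -Properties adminCount |
    Where-Object { $_.DistinguishedName -notin $protectedMembers } |
    Select-Object SamAccountName, DistinguishedName
```

Step 3 lists candidates, not proven orphans: krbtgt is excluded because SDProp protects it directly, and Get-ADGroupMember skips foreign security principals from trusted domains, so check those cases by hand before clearing adminCount and re-enabling inheritance.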
- How would you secure Active Directory in a hybrid cloud environment?
I use Conditional Access policies with MFA for all administrators, monitor sign-in and audit logs, and block legacy authentication protocols that cannot do MFA. I also configure strong password policies, keep on-prem and cloud admin accounts separate so that a compromised on-prem account cannot take over the tenant (and vice versa), treat the directory synchronization server as a Tier 0 asset, and implement least privilege across both on-prem AD and cloud platforms like Azure AD (now Microsoft Entra ID).
Other Important Active Directory Interview Questions
This section includes additional interview questions and answers Active Directory professionals should know to strengthen their overall understanding and readiness.
Active Directory Admin Interview Questions
Here are some key Windows AD interview questions that are commonly asked for Active Directory Administrator roles.
- How do you create and manage user accounts in AD?
I use the Active Directory Users and Computers (ADUC) console. I right-click the target OU, choose "New > User," and follow the wizard. For bulk tasks, I use PowerShell with New-ADUser driven from a CSV, setting a random initial password, ChangePasswordAtLogon, and placing each account in the correct OU and groups from the start.
- How do you delegate administrative control in Active Directory?
I use the Delegation of Control Wizard in ADUC on the OU in question. It lets me assign specific permissions, like resetting passwords or managing group membership, to selected groups rather than individual users. This splits responsibilities without giving full admin rights. I then verify the resulting ACEs with dsacls or the object's Security tab and review them periodically, because forgotten delegations are a common privilege escalation path.
- How do you apply and manage Group Policy Objects (GPOs)?
GPOs are managed through the Group Policy Management Console (GPMC). I create GPOs, link them to OUs, and use security filtering or WMI filters when a policy should apply to only some of the objects under the link. I run gpupdate /force on a test client and check gpresult /r (or an HTML report with gpresult /h) or rsop.msc to verify which GPOs applied and why others were denied.
- What’s the difference between Security Groups and Distribution Groups?
Security Groups control access to resources and can be used in permissions, GPO security filtering and user rights. Distribution Groups exist for email and cannot be used to grant permissions or filter GPOs. Both kinds have SIDs in AD, but only a security group's SID is placed in a user's access token at logon, which is why only security groups matter for access control.
Active Directory Replication Interview Questions
- What tools do you use to diagnose replication issues in AD?
I use repadmin for checking replication status and errors. I also check event viewer logs on domain controllers. Tools like dcdiag and PowerShell cmdlets help me test replication and domain health.
- What is Knowledge Consistency Checker (KCC)?
KCC is a built-in process that creates and maintains the replication topology. It runs every 15 minutes on every DC, building the connection objects for intra-site replication, and one DC per site (the Inter-Site Topology Generator, ISTG) runs it to build inter-site connections over the configured site links. It adjusts links when DCs are added, removed or become unreachable, so admins rarely need to create connection objects by hand.
- How do you monitor inter-site replication traffic?
I monitor inter-site replication using repadmin /showrepl and repadmin /replsummary (replmon existed only up to Windows Server 2003). I also review site links, their costs and replication schedules in Active Directory Sites and Services. For deeper analysis, I use Performance Monitor counters for DRA inbound/outbound bytes on the bridgehead servers and third-party tools.
- What are common causes of replication failure?
Replication can fail due to DNS misconfigurations, time sync issues, or broken site links. Network connectivity problems, blocked RPC ports between sites, or a domain controller whose computer account password is out of sync (a broken secure channel) also cause errors. I often find that firewall rules or lingering objects play a role too, the latter after a DC has been offline longer than the tombstone lifetime.
Active Directory Troubleshooting Interview Questions
Here are practical Active Directory troubleshooting interview questions and answers to help you prepare for problem-solving scenarios.
- What would you do if users are facing slow logins across the network?
I first check DNS settings and whether clients are locating a DC in their own site (nltest /dsgetdc:<domain> shows which one was chosen and why). Then I review Group Policy processing time using gpresult /h and look for slow or failing GPOs. Logon scripts, folder redirection and roaming profiles can also slow things down.
- How do you troubleshoot account lockout issues?
I use the Account Lockout and Management Tools (LockoutStatus.exe) or check the Security log on the PDC Emulator, where event 4740 records every lockout together with the caller computer name. On that machine, or on the DCs (events 4625, 4771, 4776), I look for the bad password attempts, which are usually caused by saved credentials, mapped drives, services or scheduled tasks still using an old password. Unlocking without finding the source just leads to another lockout.
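As an added example (not from the original post), the same investigation from PowerShell: check the account on the PDC Emulator, find the caller computer from event 4740, then locate the actual bad-password attempts across the DCs. It assumes the ActiveDirectory module, read access to the DCs' Security logs, and a hypothetical locked-out user jdoe.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module and Security log read access on the DCs; "jdoe" is hypothetical.
Import-Module ActiveDirectory

$user = 'jdoe'
$pdc  = (Get-ADDomain).PDCEmulator   # lockouts are replicated here urgently

# Small helper: flatten an event's EventData into a hashtable by field name.
function Get-EventFields($event) {
    $x = [xml]$event.ToXml()
    $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. Current state and counters, read from the PDC so the values are current.
Get-ADUser -Identity $user -Server $pdc `
    -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime

# 2. Event 4740 on the PDC names the machine the bad passwords came from.
#    In this event's schema the caller computer is carried in TargetDomainName.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
    } | Where-Object Account -eq $user | Format-Table -AutoSize

# 3. The failed attempts are logged on whichever DC handled them:
#    4771 = Kerberos pre-auth failed (Status 0x18 = bad password), source in IpAddress;
#    4776 = NTLM validation (Status 0xC000006A = bad password), source in Workstation.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName='Security'; Id=4771,4776; StartTime=$since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        if ($d.TargetUserName -notmatch "^(.*\\)?$user(@.*)?$") { return }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            DC      = $dc
            EventId = $_.Id
            Source  = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
            Status  = $d.Status
        }
    }
} | Sort-Object Time | Format-Table -AutoSize

# 4. Unlock only once the source (stale credential, service, task, mapped
#    drive) has been fixed; otherwise the account locks again on the next retry.
# Unlock-ADAccount -Identity $user -Server $pdc
```

The 4771 IpAddress field is an IPv6-style string (::ffff:10.0.0.5 for IPv4 clients), and 4776 is only useful for NTLM clients; if both are empty for a Kerberos-only environment, the source is usually a device such as a phone or an NPS client that authenticates through another server, whose own logs then need checking.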
- What are typical signs of AD database corruption?
Frequent replication errors, the Directory Service failing to start (lsass.exe errors or the DC restarting into Directory Services Restore Mode), or missing objects may point to corruption. In Directory Services Restore Mode, ntdsutil files integrity and the semantic database analysis check and repair the database (after taking a system-state backup). I also monitor the Directory Service log for NTDS ISAM (Jet) errors, which usually surface before the database fails outright.
- How do you check for and fix lingering objects?
Lingering objects appear when a DC has been out of replication longer than the tombstone lifetime, so it still holds objects the rest of the forest has already deleted. I use repadmin /removelingeringobjects with the /advisory_mode switch first, which only reports them (events 1946 and 1942 in the Directory Service log), then run it again without the switch to remove them. Strict Replication Consistency should be enabled so DCs refuse such objects instead of reanimating them. It is important to check system time and make sure all domain controllers are replicating, because a DC that stays disconnected is how the problem starts.
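As an added example (not from the original post), the advisory-mode check and clean-up from PowerShell. repadmin wants the reference DC's DSA object GUID rather than its name, which is the step people most often get wrong. It assumes the ActiveDirectory module and Domain Admins rights; DC02 (suspect) and DC01 (known good) are hypothetical names to replace with your own.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module and Domain Admins rights. "DC02" and "DC01" are hypothetical.
Import-Module ActiveDirectory

$suspectDc   = 'DC02'   # DC believed to hold lingering objects
$referenceDc = 'DC01'   # DC whose copy of the partition is trusted
$domainDn    = (Get-ADDomain).DistinguishedName

# repadmin identifies the reference DC by its DSA object GUID, i.e. the
# objectGUID of its NTDS Settings object (not the server object, not the invocationId).
$refDcObj   = Get-ADDomainController -Identity $referenceDc
$refDsaGuid = (Get-ADObject -Identity $refDcObj.NTDSSettingsObjectDN -Properties objectGUID).ObjectGUID

# 1. Advisory mode: compare the suspect DC's copy of the partition against the
#    reference DC and only report. Each lingering object is logged on the
#    suspect DC as Directory Service event 1946 (1942 is the summary); nothing is deleted.
$started = Get-Date
repadmin /removelingeringobjects $suspectDc $refDsaGuid $domainDn /advisory_mode

$found = @(Get-WinEvent -ComputerName $suspectDc -FilterHashtable @{
    LogName = 'Directory Service'; Id = 1946; StartTime = $started
} -ErrorAction SilentlyContinue)
"$($found.Count) lingering object(s) reported on $suspectDc for $domainDn"
$found | Select-Object TimeCreated, Message | Format-List

# 2. Only after reviewing the report, run the same command without
#    /advisory_mode to remove them from the suspect DC. Repeat for every
#    naming context the DC holds (configuration, schema, DNS application
#    partitions) and for every affected DC.
if ($found.Count -gt 0 -and (Read-Host "Remove these objects from $suspectDc? (y/n)") -eq 'y') {
    repadmin /removelingeringobjects $suspectDc $refDsaGuid $domainDn
}

# 3. Time skew is a frequent root cause of a DC dropping out of replication:
#    confirm every DC is within Kerberos's 5-minute tolerance of the PDC Emulator.
w32tm /monitor /domain:$((Get-ADDomain).DNSRoot)
```

Pick the reference DC carefully: the command treats its copy as truth, so it must itself be clean and fully replicated, and for the configuration and schema partitions any DC in the forest can serve as reference while for a domain partition it must be a DC of that domain.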
Active Directory Interview Questions Asked At Top IT Companies
Here are commonly asked Windows Active Directory interview questions based on real interviews at leading IT companies.
TCS Active Directory Interview Questions
- What are the prerequisites for joining a system to a domain?
- How do you apply security settings using GPO?
- How do you handle DNS issues in AD?
- What is the function of the RID Master?
- What is the impact of a broken trust relationship?
Capgemini Active Directory Interview Questions
- What steps would you follow to demote a domain controller?
- How do you identify replication latency?
- What is the purpose of the Default Domain Policy?
- How do you perform an authoritative restore?
- How do you back up and restore Group Policy?
Cognizant Active Directory Interview Questions
- How does AD authentication work with Kerberos?
- What is the role of Netlogon?
- How do you check FSMO role holders?
- What is the difference between Domain Local, Global, and Universal Groups?
- What’s the importance of the NTDS.dit file?
HCL Active Directory Interview Questions
- What is the process for syncing time across domain controllers?
- How do you implement restricted groups via GPO?
- What happens when the SYSVOL folder stops replicating?
- How do you troubleshoot DNS not resolving domain controllers?
- How do you use “dcdiag” and what does it test?
Note: Active Directory interview questions and answers often cover topics like user account management, group policies, DNS and DHCP integration, replication issues, and troubleshooting scenarios within enterprise environments.
Microsoft Active Directory Interview Questions
- Explain the role of Kerberos PAC in authentication.
- How do you configure and secure RODCs?
- How does Azure AD Join differ from traditional domain join?
- What is the impact of stale DNS records on AD?
- What is your approach to securing privileged accounts in AD?
Active Directory MCQs
Here are some important Active Directory questions for interview in MCQ form to help you test your knowledge.
- Which protocol is primarily used to query Active Directory?
a) SMTP
b) SNMP
c) LDAP
d) POP3
Answer: c) LDAP
- What is the default port for Kerberos authentication?
a) 53
b) 389
c) 88
d) 636
Answer: c) 88
The file that stores the AD database is:
a) sysvol.dll
b) ntds.dit
c) ad.db
d) ad.xml
Answer: b) ntds.dit
- Which FSMO role is responsible for schema updates?
a) PDC Emulator
b) Schema Master
c) Infrastructure Master
d) RID Master
Answer: b) Schema Master
- Which of the following is not an AD group scope?
a) Domain Local
b) Enterprise
c) Global
d) Universal
Answer: b) Enterprise
- What does the Global Catalog store?
a) Full database of all domains
b) DNS records only
c) Partial data from all domains
d) Group Policy settings
Answer: c) Partial data from all domains
- What is the default tombstone lifetime in a forest created on Windows Server 2003 SP1 or later?
a) 30 days
b) 60 days
c) 90 days
d) 180 days
Answer: d) 180 days (60 days applies only to forests created on Windows 2000 or Windows Server 2003 before SP1)
How to Prepare for Active Directory Interview?
Active Directory roles are in demand across IT support, systems, and network administration fields. Here are some tips to help you prepare for your interview:
- Review basic and advanced Active Directory questions for interview from trusted blogs or tech forums
- Practice with tools like ADUC, GPMC, and PowerShell
- Set up a test lab using VirtualBox or Hyper-V
- Understand how replication, FSMO roles, and Group Policy work
- Focus on hands-on tasks like user creation, OU setup, and applying GPOs
- Read recent case studies or Microsoft docs on AD updates
Wrapping Up
So, these are the 30+ most asked Active Directory interview questions and answers to help you get ready. We have covered questions for freshers as well as experienced professionals to make your preparation easier.
Looking for IT jobs including Active Directory job roles? Visit Hirist to find the top openings and apply today.
FAQs
No, not usually. Interviewers often start with fundamental queries and gradually move to more advanced topics. With solid experience and familiarity with AD tools and concepts, candidates can respond confidently.
Interview stages often include:
Initial HR screening
Technical round
Scenario-based questions
Practical test or lab setup
Final manager or team round
Active Directory is a Microsoft directory service used to manage users, computers, and permissions in a Windows network. It uses components like LDAP, Kerberos, DNS, and Group Policy to provide authentication, authorization, and centralized resource control.
Active Directory is a centralized system for managing network identities and resources. It includes domains, forests, OUs, domain controllers, replication, Group Policy, and secure authentication protocols. It’s the core of Windows enterprise networks.
According to AmbitionBox, the annual salary range for an Active Directory Administrator in India is between ₹2.8 Lakhs and ₹14 Lakhs, depending on experience and company. The average annual salary is around ₹7.4 Lakhs.
Common roles include:
Active Directory Administrator
Systems Engineer
AD Engineer
AD Architect
Identity & Access Management Specialist