Active Directory L2 and L3 Interview Question and Answer

1) Describe the FSMO (Flexible single master operation) and its roles.

Forest-wide operations master roles are Schema Master and Domain Naming Master.

Domain-wide master roles are Rid Master, PDC Emulator Master and Infrastructure Master.

RID Master - The domain controller assigned to allocate sequences of relative IDs (RIDs) to each domain controller in its domain. Whenever a DC creates a security principal object (user, group, etc.), it assigns the object a unique security ID (SID) built from the domain SID and a RID taken from the pool the RID master allocated to it.

PDC Emulator - The PDC emulator handles password authentication requests involving passwords that have recently changed and not yet replicated. At any time, the PDC emulator master role can be assigned to only one domain controller in each domain.

Infrastructure Master (IM) - The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Domain naming master - The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

Schema Master - The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. Run regsvr32 schmmgmt.dll to register the Active Directory Schema MMC snap-in.
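As an added example (not part of the original article), the following PowerShell lists the five role holders described above and checks, by contacting each holder directly, that it still advertises the role it is recorded as owning. It assumes the RSAT ActiveDirectory module is installed and the session can query the current forest.

```powershell
# Added example: enumerate FSMO role holders and verify each holder advertises its role.
# Assumes the RSAT ActiveDirectory module and read access to the current forest/domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles are read from the forest object, domain-wide roles from the domain object
$roles = [ordered]@{
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
    'RIDMaster'            = $domain.RIDMaster
    'PDCEmulator'          = $domain.PDCEmulator
    'InfrastructureMaster' = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    $scope  = if ($role -in 'SchemaMaster', 'DomainNamingMaster') { 'Forest' } else { 'Domain' }
    $reachable  = $false
    $advertised = $false
    try {
        # -Server forces the query to go to the holder itself, so a dead DC shows up as unreachable
        $dc = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
        $reachable  = $true
        $advertised = $dc.OperationMasterRoles -contains $role
    } catch { }
    [pscustomobject]@{
        Role       = $role
        Scope      = $scope
        Holder     = $holder
        Reachable  = $reachable
        Advertised = $advertised
    }
}

$report | Format-Table -AutoSize

# Several roles on one DC is a single point of failure worth knowing about;
# an unreachable or non-advertising holder blocks RID allocation, schema updates, etc.
$report | Group-Object Holder | Where-Object Count -gt 1 |
    ForEach-Object { "$($_.Name) holds $($_.Count) roles: $($_.Group.Role -join ', ')" }
$report | Where-Object { -not $_.Reachable -or -not $_.Advertised } |
    ForEach-Object { "WARNING: $($_.Role) holder $($_.Holder) is unreachable or does not advertise the role" }
```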

02) What is Adprep.exe, and what does it do?

Adprep.exe is a rollup of all previous versions of this tool. In other words, if you currently have domain controllers that run Windows Server 2003 and you want to add domain controllers that run Windows Server 2008 R2, you only have to run Adprep.exe from the Windows Server 2008 R2 OS disk.

- It is not necessary to run the version from Windows Server 2008, because the version in Windows Server 2008 R2 includes all the changes from previous versions.

- Beginning with Windows Server 2012, Adprep.exe is integrated into the AD DS installation process and runs automatically as needed.

What Adprep does - Adprep.exe has parameters that perform a variety of operations that help prepare an existing Active Directory environment:

- Updating the Active Directory schema

- Updating security descriptors

- Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder

- Creating new objects, as needed

- Creating new containers, as needed

The command parameters are:

adprep /forestprep (Once for entire forest) - Must be run on the schema operations master for the forest.

Verify -

ADSIEdit.msc | Configuration | CN=ForestUpdates,  CN=ActiveDirectoryUpdate | Properties | revision - 2 (2K8), 5 (2K8R2), 11 (2K12), 15 (2K12R2)

Permission – Schema or Enterprise Admins, Domain Admins of the domain that hosts the schema master

adprep /domainprep (Once in each domain) - Run on the infrastructure operations master for the domain.

Verify -

ADSIEdit.msc | Default naming context | CN=System, CN=DomainUpdates, CN=ActiveDirectoryUpdate | Properties | revision - 3 (2K8), 5 (2K8R2), 9 (2K12), 10 (2K12R2)

Permission - Domain Admins

Logs - C:\Windows\Debug\Adprep\Logs
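The two ADSIEdit checks above can be scripted. This added example (not from the original article) reads the revision attribute of both CN=ActiveDirectoryUpdate objects and maps it to the OS levels the article lists; it assumes the RSAT ActiveDirectory module and a domain-joined session.

```powershell
# Added example: verify adprep /forestprep and /domainprep levels from the revision attribute.
# Assumes the RSAT ActiveDirectory module; run on or against any DC of the domain.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$forestObj = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
$domainObj = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($rootDse.defaultNamingContext)"

# Revision levels as given in the article's two tables (forestprep / domainprep)
$forestLevels = @{ 2 = 'Windows Server 2008'; 5 = 'Windows Server 2008 R2'; 11 = 'Windows Server 2012'; 15 = 'Windows Server 2012 R2' }
$domainLevels = @{ 3 = 'Windows Server 2008'; 5 = 'Windows Server 2008 R2'; 9  = 'Windows Server 2012'; 10 = 'Windows Server 2012 R2' }

function Get-AdprepLevel {
    param(
        [string]$DistinguishedName,
        [hashtable]$Levels,
        [string]$Scope
    )
    # The revision attribute is what the ADSIEdit "Properties | revision" step shows
    $obj = Get-ADObject -Identity $DistinguishedName -Properties revision
    $rev = [int]$obj.revision
    $level = if ($Levels.ContainsKey($rev)) { $Levels[$rev] } else { "not in the article's table (revision $rev, possibly newer)" }
    [pscustomobject]@{
        Scope    = $Scope
        Object   = $DistinguishedName
        Revision = $rev
        Level    = $level
    }
}

Get-AdprepLevel -DistinguishedName $forestObj -Levels $forestLevels -Scope 'Forest (adprep /forestprep)'
Get-AdprepLevel -DistinguishedName $domainObj -Levels $domainLevels -Scope 'Domain (adprep /domainprep)'

# On the DC where adprep was run, the most recent log folder is under the path the article gives
$logRoot = 'C:\Windows\Debug\Adprep\Logs'
if (Test-Path $logRoot) {
    Get-ChildItem -Path $logRoot -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1 FullName, LastWriteTime
}
```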

03) Describe the AD replication model.

Multimaster replication - A replication model in which any domain controller accepts and replicates directory changes to any other domain controller. All domain controllers accept LDAP requests for changes to attributes of Active Directory objects for which they are authoritative, subject to security constraints that are in place. Each originating update is replicated to one or more other domain controllers, which record it as a replicated update.

Pull replication - Domain controllers request (pull) updates from their replication partners. When an update occurs on a domain controller, it notifies its replication partner. The partner domain controller responds by requesting (pulling) the changes from the source domain controller.

Note: - The domain controller in which a change originates does not "push" the change unsolicited to other domain controllers.

State-based replication - Instead of storing a full change log, each directory partition replica stores per-object and per-attribute data to support replication.

Store-and-forward replication - Changes are not sent directly from one domain controller to all other domain controllers. Instead, a change is sent directly to only a subset of domain controllers. This subset of domain controllers is responsible for sending the change to other domain controllers, and so on, until the change has reached every domain controller.

Single-master replication - A type of replication where one domain controller is the master domain controller and operations are not permitted to occur at different places in a network at the same time. In Active Directory, one or more domain controllers can be assigned to perform single-master replication.
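Because every DC pulls from a subset of partners, a stuck inbound partner silently stops the store-and-forward chain. This added example (not from the original article) lists the inbound partners a DC pulls from and flags failed or stale links; it assumes the RSAT ActiveDirectory module and that the DCs are reachable from the session.

```powershell
# Added example: check the inbound (pull) replication partners of a DC.
# Assumes the RSAT ActiveDirectory module; $staleAfter is an assumed threshold, tune to your site links.
Import-Module ActiveDirectory

# Pick a DC to inspect (first discovered one); replace with a specific hostname if needed
$targetDc   = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$staleAfter = [timespan]::FromHours(3)

function Get-InboundReplicationStatus {
    param([string]$Server, [timespan]$StaleAfter)
    # Inbound = the source DCs this server requests (pulls) changes from
    $partners = Get-ADReplicationPartnerMetadata -Target $Server -Scope Server -PartnerType Inbound
    foreach ($p in $partners) {
        $age = (Get-Date) - $p.LastReplicationSuccess
        $status = if ($p.LastReplicationResult -ne 0) {
                      "FAILED (result $($p.LastReplicationResult), $($p.ConsecutiveReplicationFailures) consecutive)"
                  } elseif ($age -gt $StaleAfter) {
                      "STALE ($([int]$age.TotalHours) h since last success)"
                  } else { 'OK' }
        [pscustomobject]@{
            Partition   = $p.Partition
            Source      = $p.PartnerAddress     # GUID-based DNS name of the source DC
            LastAttempt = $p.LastReplicationAttempt
            LastSuccess = $p.LastReplicationSuccess
            Status      = $status
        }
    }
}

$results = Get-InboundReplicationStatus -Server $targetDc -StaleAfter $staleAfter
$results | Format-Table -AutoSize

# Anything not OK means updates originating elsewhere are not reaching this DC
$results | Where-Object Status -ne 'OK' |
    ForEach-Object { "WARNING: $targetDc <- $($_.Source) [$($_.Partition)]: $($_.Status)" }
```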