Active Directory L2 and L3 Interview Question and Answer
- Last Updated: Thursday, 23 March 2017 08:56
13) What are the default Active Directory storage locations?
Active Directory database folder: D:\WINDOWS\NTDS
Active Directory log files: D:\WINDOWS\NTDS
SYSVOL default location: D:\WINDOWS\SYSVOL
What is the SYSVOL folder?
SYSVOL: The SYSVOL folder stores the server copy of the domain's public files (for example Group Policy templates and logon scripts). The contents of the SYSVOL folder are replicated to all domain controllers in the domain. It must be located on an NTFS volume.
14) Some important ports for Active Directory.
Default dynamic ports used for RPC traffic: 1025 to 5000 on Server 2003, and 49152 to 65535 on Server 2008 and 2008 R2
LDAP – TCP and UDP 389
LDAP SSL – TCP 636
LDAP GC – TCP 3268
LDAP GC SSL – TCP 3269
Kerberos – TCP and UDP 88
DNS – TCP and UDP 53
DHCP – UDP 67 for server, UDP 68 for client side
Windows Time (NTP) – UDP 123
DCOM, RPC, EPM (Group policy) – UDP Dynamic
Kerberos change/set password - TCP and UDP 464
Net Logon, NetBIOS Name Resolution – UDP 137
DFSN, NetBIOS Session Service, Net Logon – TCP 139
SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc – TCP and UDP 445
AD DS Web Services - TCP 9389
15) What data does a System State backup contain on a DC/AD server?
- Boot files, including the system files, and all files protected by Windows File Protection (WFP).
- Active Directory (on a domain controller only).
- Sysvol (on a domain controller only).
- The registry.
- Performance counters configuration information.
- Component Services Class registration database.
Optional components:
- Certificate Services (on a certification authority only).
- Cluster database (on a cluster node only).
16) What is a Fine-Grained Password and Account Lockout Policy in Active Directory?
This feature was introduced in Windows Server 2008. To store fine-grained password policies, two new object classes were added to the Active Directory Domain Services (AD DS) schema:
1) Password Settings Container, 2) Password Settings
With this feature you can create separate password and account lockout policies for a specific group, user or container, instead of being limited to the single policy applied at the domain level.
17) How to find which DCs are holding which FSMO roles?
netdom query fsmo
18) Command to find out the logon server.
Command: "echo %logonserver%" or "whoami" or "net l"
19) How to find the Global Catalog servers in a forest?
Command: "dsquery server -domain domainname.com -isgc" (replace domainname.com with the target domain)
20) What is the tombstone lifetime and its default value?
When an Active Directory (AD) object, such as a user or computer account, is deleted, the object actually remains in the directory (marked as a tombstone) for a period of time known as the tombstone lifetime, after which it is physically removed by garbage collection.
Server 2000 and 2003 – 60 days
Server 2003 SP1 and later, up to 2012 – 180 days
How to edit: Open adsiedit.msc and browse the Configuration partition of the AD forest. Navigate to CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=domain, DC=com. Right-click the CN=Directory Service object and select Properties. Look for the tombstoneLifetime attribute and edit its value.
21) How to determine the schema version? And which version corresponds to Server 2003/2008/2012?
- Open ADSIEDIT.MSC and connect to the Schema naming context.
- Right-click "CN=Schema,CN=Configuration,DC=domain,DC=local" and open Properties.
- Find the attribute "objectVersion" and read its value.
- Alternatively, from the registry: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\SchemaVersion
- Then look the number up in the table below.
Windows 2000 Server - 13
Windows 2003 RTM, SP1, SP2 - 30
Windows 2003 R2 - 31
Windows 2008 - 44
Windows 2008 R2 - 47
Windows Server 2012 Beta - 52
Windows Server 2012 - 56
Windows Server 2012 R2 - 69
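The following PowerShell script is an added example, not part of the original page: it reads the values behind questions 20 and 21 over LDAP with the built-in ADSI provider instead of clicking through adsiedit.msc, and maps the schema version to the table above. It assumes it runs on a domain-joined host as a domain user; the hash table and the property names are the only assumptions beyond the page's own paths.

```powershell
# Added example (not from the original page): read the forest tombstone
# lifetime and the schema version over LDAP with the ADSI provider.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = "$($rootDse.configurationNamingContext)"
$schemaNC = "$($rootDse.schemaNamingContext)"

# Same object the page edits in adsiedit.msc:
# CN=Directory Service,CN=Windows NT,CN=Services,<Configuration NC>
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tsl = "$($dsObject.tombstoneLifetime)"

# Edge case: in forests created with Windows 2000 or 2003 RTM the attribute
# is usually not set at all, and the directory then behaves as if it were 60.
if ([string]::IsNullOrWhiteSpace($tsl)) {
    $effectiveTsl = 60
    $source = 'attribute not set (60-day default applies)'
} else {
    $effectiveTsl = [int]$tsl
    $source = 'attribute explicitly set'
}

# The schema version is the objectVersion attribute of the Schema container.
$schemaObj     = [ADSI]"LDAP://$schemaNC"
$schemaVersion = [int]"$($schemaObj.objectVersion)"

# Mapping copied from the table in question 21 above.
$schemaTable = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003 RTM/SP1/SP2'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    52 = 'Windows Server 2012 Beta'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}
$osName = if ($schemaTable.ContainsKey($schemaVersion)) {
    $schemaTable[$schemaVersion]
} else {
    'newer than the table above'
}

[pscustomobject]@{
    TombstoneLifetimeDays = $effectiveTsl
    TombstoneSource       = $source
    SchemaVersion         = $schemaVersion
    SchemaOS              = $osName
}
```

The tombstone lifetime also bounds the System State backups from question 15: a backup older than this value cannot be restored safely, because objects it contains may already have been garbage-collected from the live directory.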