Active Directory L2 and L3 Interview Question and Answer

1) Describe the FSMO (Flexible single master operation) and its roles.

Forest-wide operations master roles are the Schema Master and the Domain Naming Master.

Domain-wide operations master roles are the RID Master, the PDC Emulator and the Infrastructure Master.

RID Master - The domain controller assigned to allocate sequences of relative IDs (RIDs) to each domain controller in its domain. Whenever a DC creates a security principal object (user, group, etc.), it assigns the object a unique security ID (SID), which combines the domain SID with a RID taken from the pool the RID master allocated to that DC.

PDC Emulator - The PDC emulator handles password authentication requests involving passwords that have recently changed and not yet replicated. At any time, the PDC emulator master role can be assigned to only one domain controller in each domain.

Infrastructure Master (IM) - The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Domain naming master - The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

Schema Master - The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. To register the Active Directory Schema snap-in, run regsvr32 schmmgmt.dll.

02) What is Adprep.exe, and what does it do?

Adprep.exe is a rollup of all previous versions of this tool. In other words, if you currently have domain controllers that run Windows Server 2003 and you want to add domain controllers that run Windows Server 2008 R2, you only have to run Adprep.exe from the Windows Server 2008 R2 OS disk.

- It is not necessary to run the version from Windows Server 2008, because the version in Windows Server 2008 R2 includes all the changes from previous versions.

- Beginning with Windows Server 2012, Adprep.exe is integrated into the AD DS installation process and runs automatically as needed.

What does Adprep do? Adprep.exe has parameters that perform a variety of operations that prepare an existing Active Directory environment for newer domain controllers:

- Updating the Active Directory schema

- Updating security descriptors

- Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder

- Creating new objects, as needed

- Creating new containers, as needed

The command parameters are:

adprep /forestprep (Once for entire forest) - Must be run on the schema operations master for the forest.

Verify -

ADSIEdit.msc | Configuration | CN=ForestUpdates,  CN=ActiveDirectoryUpdate | Properties | revision - 2 (2K8), 5 (2K8R2), 11 (2K12), 15 (2K12R2)

Permission - Schema Admins or Enterprise Admins, plus Domain Admins of the domain that hosts the schema master

adprep /domainprep (Once in each domain) - Run on the infrastructure operations master for the domain.

Verify -

ADSIEdit.msc | Default naming context | CN=System, CN=DomainUpdates, CN=ActiveDirectoryUpdate | Properties | revision - 3 (2K8), 5 (2K8R2), 9 (2K12), 10 (2K12R2)

Permission - Domain Admins

Logs - C:\Windows\Debug\Adprep\Logs

03) Describe the AD replication model.

Multimaster replication - A replication model in which any domain controller accepts and replicates directory changes to any other domain controller. All domain controllers accept LDAP requests for changes to attributes of Active Directory objects for which they are authoritative, subject to security constraints that are in place. Each originating update is replicated to one or more other domain controllers, which record it as a replicated update.

Pull replication - Domain controllers request (pull) updates from their replication partners. When an update occurs on a domain controller, it notifies its replication partners. The partner domain controller responds by requesting (pulling) the changes from the source domain controller.

Note: The domain controller in which a change originates does not "push" the change unsolicited to other domain controllers.

State-based replication - Instead of storing a full change log, each directory partition replica stores per-object and per-attribute data to support replication.

Store-and-forward replication - Changes are not sent directly from one domain controller to all other domain controllers. Instead, a change is sent directly to only a subset of domain controllers. This subset of domain controllers is responsible for sending the change on to other domain controllers, and so on, until the change has reached every domain controller.

Single-master replication - A type of replication where one domain controller is the master domain controller and operations are not permitted to occur at different places in a network at the same time. In Active Directory, one or more domain controllers can be assigned to perform single-master replication.

04) What is a lingering object, and how does it occur in replication?

Objects that are deleted from Active Directory while a domain controller is offline can remain on that domain controller as lingering objects. Lingering objects occur when a domain controller does not replicate for an interval longer than the tombstone lifetime (TSL) and then reconnects to the replication topology: by then the deletion's tombstone has already been garbage-collected on the other domain controllers, so the stale copy of the object is never removed.

05) What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service. The primary purpose of a directory service is to provide a systematic set of records, usually organized in a hierarchical structure.

06) What is Global Catalog (GC)?

A global catalog server is a domain controller that holds a partial replica of every domain in the forest: it holds a replica of every object in Active Directory, but with only a limited set of each object's attributes.

07) What is schema?

A description of the object classes and attributes stored in Active Directory is called schema.

08) What is the update sequence number (USN)?

An update sequence number (USN) is a 64-bit number in Active Directory that increases as changes occur. Local counters on every domain controller assign USNs. Whenever an object is changed, its USN is incremented. When replication occurs, only the version of the object with the greatest USN is retained.

Local counters for USNs are considered reliable because they never decrease or "run backward". USNs are also unique on each domain controller, so no two changes on the same domain controller ever share a USN.

09) What is the Knowledge Consistency Checker (KCC), and what is its default interval?

The KCC (Knowledge Consistency Checker) is responsible for generating the replication topology between domain controllers in the forest. It is a built-in process that runs on every domain controller and creates the connection objects that define each DC's replication partners in AD. By default, the KCC runs at 15-minute intervals and designates the replication routes between domain controllers. The KCC creates replication connections between domain controllers in the same site automatically. When you have more than one site, you configure site links between the sites, and the KCC can then create the inter-site connections automatically as well.

10) What is the ISTG? Which DC has that role by default?

For inter-site replication there is a bridgehead server in each site that handles site-to-site replication. One domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory replication connection objects for the appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG). The ISTG is simply the KCC on one DC in the site, responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for the bridgehead servers in the site in which it resides.

By default the first server in the site has this role. If that server can no longer perform this role, the next server with the highest GUID takes over the role of ISTG. The domain controller holding this role is not necessarily also a bridgehead server.

11) What is the Bridgehead server?

A bridgehead server is a domain controller (DC) that functions as the primary route of Active Directory (AD) replication data moving into and out of sites. If you have more than one domain in your forest, you'll most likely have more than one bridgehead server.

12) What are the AD DS dependency services, and what are the AD replication topology dependencies?

Active Directory replication topology has the following dependencies:

Routable IP infrastructure - The replication topology depends on a routable IP infrastructure from which you can map IP subnet address ranges to site objects.

DNS - DNS resolves DNS names to IP addresses. The AD replication topology requires that DNS is properly designed and deployed so that domain controllers can correctly resolve the DNS names of their replication partners.

Net Logon service - Net Logon is required for DNS registrations.

RPC - AD replication requires IP connectivity and RPC to transfer updates between replication partners.

Intersite Messaging - Intersite Messaging is required for SMTP intersite replication.

AD DS service dependencies:

Kerberos Key Distribution Center, Intersite Messaging, DNS Server, DFS Replication

13) What is the Active Directory default storage location?

Active Directory database folder: D:\WINDOWS\NTDS

Active Directory log files: D:\WINDOWS\NTDS

SYSVOL default location: D:\WINDOWS\SYSVOL

What is the SYSVOL folder?

SYSVOL - The SYSVOL folder stores the server copy of the domain's public files. The contents of the SYSVOL folder are replicated to all domain controllers in the domain. It must be located on an NTFS volume.

14) Some important ports for Active Directory.

Default dynamic ports used for RPC traffic - 1025 to 5000 for Server 2003, and 49152 to 65535 for Server 2008 and 2008 R2

LDAP - TCP and UDP 389

LDAP GC - TCP 3268

Kerberos - TCP and UDP 88

DNS – TCP and UDP 53

DHCP – UDP 67 for server, UDP 68 for client side

Windows Time – UDP (User Datagram Protocol) 123

DCOM, RPC, EPM (Group policy) – UDP Dynamic

Kerberos change/set password - TCP and UDP 464

Net Logon, NetBIOS Name Resolution – UDP 137

DFSN, NetBIOS Session Service, Net Logon – TCP 139

SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc – TCP and UDP 445

AD DS Web Services - TCP 9389
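The list above is only useful if you can confirm the ports are actually open between a member and its DC. The following PowerShell is an added example, not part of the original page: it checks the TCP ports from the table against one DC. The DC name is a constructed placeholder. Test-NetConnection only tests TCP, so the UDP-only entries (DHCP, NTP 123, NetBIOS 137) are not covered here.

```powershell
# Added example (not from the original page): verify that the TCP ports listed
# above are reachable on a domain controller from this machine.
$dc = 'dc01.corp.example'   # placeholder, replace with a real DC name

$requiredTcpPorts = [ordered]@{
    'DNS'                              = 53
    'Kerberos'                         = 88
    'NetBIOS Session / Net Logon'      = 139
    'LDAP'                             = 389
    'SMB / CIFS (SYSVOL, Net Logon)'   = 445
    'Kerberos change/set password'     = 464
    'LDAP Global Catalog'              = 3268
    'AD DS Web Services'               = 9389
}

$results = foreach ($entry in $requiredTcpPorts.GetEnumerator()) {
    # -InformationLevel Quiet returns a plain $true/$false for the TCP handshake.
    $ok = Test-NetConnection -ComputerName $dc -Port $entry.Value `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $entry.Key; Port = $entry.Value; Reachable = $ok }
}
$results | Format-Table -AutoSize

# Anything unreachable points at a host firewall or a network ACL between this
# machine and the DC; blocked 88/389/445 typically surfaces as logon or Group
# Policy failures rather than as an obvious network error.
$results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "$($_.Service) (TCP $($_.Port)) is not reachable on $dc"
}

# The dynamic RPC range that replication and DCOM actually use can be read on
# the DC itself with:  netsh int ipv4 show dynamicport tcp
```

Run it from a member server in each network segment that must reach the DC; the dynamic RPC range cannot be tested port by port this way, so check the range configured on the DC with the netsh command in the last comment and make sure the firewall allows it.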

15) What data does a System State backup contain on a DC/AD server?

- Boot files, including the system files, and all files protected by Windows File Protection (WFP).

- Active Directory (on a domain controller only).

- Sysvol (on a domain controller only).

- The registry.

- Performance counters configuration information.

- Component Services Class registration database.

Optional, depending on the server's role:

- Certificate Services (on a certification authority only).

- Cluster database (on a cluster node only).

16) What is Fine-Grained Password and Account Lockout Policy in Active Directory?

This feature was introduced in Windows Server 2008. To store fine-grained password policies, it adds two new object classes to the Active Directory Domain Services (AD DS) schema:

1) Password Settings Container, 2) Password Settings

With this feature you can create a separate password and account lockout policy for a specific group or user, rather than being limited to the single domain-wide policy.
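As an added example (not from the original page), this PowerShell creates a Password Settings object with stricter password and lockout settings and applies it to a group; the policy and group names are constructed placeholders, and the domain must already be at the Windows Server 2008 functional level or higher.

```powershell
# Added example (not from the original page): create a fine-grained password
# and lockout policy (PSO) and apply it to one group. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$policyName  = 'PSO-Tier0-Admins'   # placeholder name
$targetGroup = 'Tier0-Admins'       # placeholder global security group
$sampleUser  = 'alice'              # placeholder member of that group

# PSOs need the 2008 domain functional level (the feature was introduced there).
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level $($domain.DomainMode) is below Windows2008Domain; PSOs are not supported."
}

# Create the PSO only if it does not exist yet (the cmdlet fails on duplicates).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    $psoParams = @{
        Name                        = $policyName
        Precedence                  = 10       # lowest Precedence wins when several PSOs apply to a user
        MinPasswordLength           = 16
        PasswordHistoryCount        = 24
        MinPasswordAge              = New-TimeSpan -Days 1
        MaxPasswordAge              = New-TimeSpan -Days 90
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false   # never store reversible passwords for privileged users
        LockoutThreshold            = 5
        LockoutObservationWindow    = New-TimeSpan -Minutes 30
        LockoutDuration             = New-TimeSpan -Minutes 30
    }
    New-ADFineGrainedPasswordPolicy @psoParams
}

# Link the PSO to the group; subjects can be users or global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup

# Verify the link and, more importantly, which PSO a real member actually ends up with.
Get-ADFineGrainedPasswordPolicySubject -Identity $policyName | Select-Object Name, ObjectClass
Get-ADUserResultantPasswordPolicy -Identity $sampleUser |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

The last cmdlet is the check that matters: PSOs link only to users and global security groups (not OUs), and when a user is covered by several, the one with the lowest Precedence applies, so always confirm the resultant policy for a sample account rather than trusting the link alone.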

17) How to find which DCs are holding which FSMO roles?

netdom query fsmo
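The ActiveDirectory PowerShell module answers the same question and covers every domain in the forest in one pass. This is an added example, not part of the original page; it needs only the module and a domain-joined session.

```powershell
# Added example (not from the original page): list all FSMO role holders in the
# forest, as a PowerShell alternative to "netdom query fsmo".
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles = [ordered]@{
    'Schema Master'        = $forest.SchemaMaster         # forest-wide, one per forest
    'Domain Naming Master' = $forest.DomainNamingMaster   # forest-wide, one per forest
}

# The three domain-wide roles exist once per domain, so walk every domain.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $roles["RID Master ($domainName)"]            = $domain.RIDMaster
    $roles["PDC Emulator ($domainName)"]          = $domain.PDCEmulator
    $roles["Infrastructure Master ($domainName)"] = $domain.InfrastructureMaster
}

$roles.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Role = $_.Key; Holder = $_.Value }
} | Format-Table -AutoSize

# Sanity check: every holder must still be a reachable DC. A role pointing at a
# decommissioned server is a common finding after a failed demotion and means,
# for example, that RID pools can no longer be allocated.
foreach ($holder in ($roles.Values | Sort-Object -Unique)) {
    $dc = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
    if (-not $dc) { Write-Warning "FSMO holder '$holder' could not be located as a domain controller" }
}
```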

18) Command to find the logon server.

Command - "echo %logonserver%" -or- "whoami" -or- "net l"


19) How to find Global Catalog servers in the forest?

Command - "dsquery server -domain -isgc"

20) What is tombstone lifetime and default value?

When an Active Directory (AD) object, such as a user or computer account, is deleted, the object actually remains in the directory for a period of time known as the tombstone lifetime.

Server 2000 and 2003 – 60 Days

Server 2003 SP1 and later till 2012 – 180 Days

How to edit - Open adsiedit.msc and browse the Configuration partition for the AD forest. Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com. Right-click the CN=Directory Service object and select Properties. Look for the tombstoneLifetime attribute.
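Questions 4 and 20 belong together: a lingering object is what you get when a partner stays silent for longer than the tombstone lifetime. The following PowerShell is an added example, not from the original page; it reads tombstoneLifetime from the object named above and compares it with the time since each DC last replicated successfully from each partner. It assumes the ActiveDirectory module and a session that can query every DC.

```powershell
# Added example (not from the original page): compare the forest tombstone
# lifetime with each replication partner's last successful replication.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObj   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime

# If the attribute is unset, the forest still uses the legacy 60-day default.
$tsl = if ($null -ne $dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

$now = Get-Date
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Inbound replication metadata for every partition this DC hosts.
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
    foreach ($p in $partners) {
        $daysSilent = ($now - $p.LastReplicationSuccess).Days
        # Past the TSL the partner must not simply be reconnected: its deletions
        # have already been garbage-collected and it will reintroduce stale objects.
        $state = if ($daysSilent -gt $tsl) { 'LINGERING-RISK' } elseif ($daysSilent -gt ($tsl / 2)) { 'WARN' } else { 'OK' }
        [pscustomobject]@{
            Server     = $dc.HostName
            Partition  = $p.Partition
            Partner    = $p.Partner
            DaysSilent = $daysSilent
            LastError  = $p.LastReplicationResult   # 0 means the last attempt succeeded
            State      = $state
        }
    }
}
$report | Sort-Object DaysSilent -Descending | Format-Table -AutoSize
```

A partner in the LINGERING-RISK state should be checked with repadmin /removelingeringobjects in /advisory_mode (which only reports) before any cleanup; the WARN threshold at half the TSL is an arbitrary early-warning choice, not an AD setting.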

21) How to determine the schema version, and what is the version on Server 2003/2008/2012?

- Open ADSIEDIT.MSC and connect to the Schema naming context.

- Right-click "CN=Schema,CN=Configuration,DC=domain,DC=local" and open Properties.

- Find the attribute "objectVersion" and read its value.

- Alternatively, read the schema version from the registry: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\SchemaVersion.

Windows 2000 Server - 13

Windows 2003 RTM, SP1, SP2 - 30

Windows 2003 R2 - 31

Windows 2008 - 44

Windows 2008 R2 - 47

Windows Server 2012 Beta - 52

Windows Server 2012 - 56

Windows Server 2012 R2 - 69
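The schema objectVersion and the adprep revision markers from question 2 are three attributes on three well-known objects, so one script can read them all. This PowerShell is an added example, not from the original page; the version tables in it are copied from this page, and it assumes the ActiveDirectory module.

```powershell
# Added example (not from the original page): read the schema version and the
# adprep /forestprep and /domainprep revisions, and map them to OS releases
# using the tables given on this page.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Schema version lives in objectVersion on the head of the Schema naming context.
$schemaVersion = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion

# adprep /forestprep and /domainprep record their revision on these objects.
$forestPrepDn = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($rootDse.configurationNamingContext)"
$domainPrepDn = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($rootDse.defaultNamingContext)"
$forestPrep = (Get-ADObject -Identity $forestPrepDn -Properties revision -ErrorAction SilentlyContinue).revision
$domainPrep = (Get-ADObject -Identity $domainPrepDn -Properties revision -ErrorAction SilentlyContinue).revision

# Tables from this page (schema objectVersion, forestprep revision, domainprep revision).
$schemaMap = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003 RTM/SP1/SP2'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    52 = 'Windows Server 2012 Beta'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}
$forestPrepMap = @{ 2 = '2008'; 5 = '2008 R2'; 11 = '2012'; 15 = '2012 R2' }
$domainPrepMap = @{ 3 = '2008'; 5 = '2008 R2'; 9 = '2012'; 10 = '2012 R2' }

function Resolve-Release([hashtable]$map, $value) {
    if ($null -eq $value) { return 'not set' }
    if ($map.ContainsKey([int]$value)) { return $map[[int]$value] }
    return 'newer than the table on this page'
}

[pscustomobject]@{
    SchemaVersion      = $schemaVersion
    SchemaRelease      = Resolve-Release $schemaMap $schemaVersion
    ForestPrepRevision = $forestPrep
    ForestPrepRelease  = Resolve-Release $forestPrepMap $forestPrep
    DomainPrepRevision = $domainPrep
    DomainPrepRelease  = Resolve-Release $domainPrepMap $domainPrep
} | Format-List
```

Run it against each domain (the domainprep revision is per domain, the other two are forest-wide) before promoting a DC on a newer OS: a schema version below the new DC's release means /forestprep has not been run yet.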

22) What are NTDS.DIT and EDB.CHK, and why are they used in Active Directory?

NTDS.DIT is the Active Directory database; it stores all Active Directory-specific information. EDB.CHK is the checkpoint file used when backing up the Active Directory database, and it is essential for efficient recovery of the database.

23) What’s the difference between LDIFDE and CSVDE? Usage considerations?

CSVDE - Comma Separated Value Data Exchange. CSVDE is a command-line tool that imports and exports objects in AD using CSV files.

LDIFDE - LDAP Data Interchange Format (LDIF) Data Exchange. LDIFDE can also modify and delete existing AD objects (not just users), whereas CSVDE can only import and export objects.

24) How is SYSVOL replicated, and what is its default location?

The SYSVOL shared folder stores the server copy of the domain's public files, such as logon scripts and Group Policy object files, under the Windows installation directory. The contents of the SYSVOL folder are replicated to all domain controllers in the domain. It must be located on an NTFS volume.

Windows 2000 Server and Windows Server 2003 use the File Replication Service (FRS) to replicate SYSVOL, whereas Windows Server 2008 uses the newer DFS Replication service in domains at the Windows Server 2008 domain functional level, and FRS in domains that run older domain functional levels.

25) What is the Group Policy processing order?

Group Policy is processed in the following order (LSDOU); where settings conflict, a policy applied later overrides one applied earlier.

Local - The local Group Policy stored within Windows Server locally is processed first.

Site - Any GPOs that have been linked to the Active Directory Site are applied next.

Domain - Any GPOs that have been linked to the Active Directory Domain are applied next.

Organizational unit (OU) - Any GPOs that have been linked to the Active Directory Organizational Unit (OU) are applied next.

26) What are the steps to change the forest functional level?

To change or upgrade the forest functional level, proceed in the following order:

  1. Check whether the applications/software in your environment support the upgraded functional level.

  2. Extend your schema (run adprep /forestprep).

  3. Check that every DC supports the upgraded functional level (operating system version).

  4. Raise the domain functional level in each domain accordingly.

  5. Raise the forest functional level.
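Steps 3 to 5 can be scripted so that the DC inventory always runs before the raise. The PowerShell below is an added example, not from the original page: it lists every DC's operating system, refuses to continue if any DC is too old for the target level, and performs the domain and forest raise only when an explicit switch is set. Step 1 (application support) is a review done outside the script; the target levels are assumptions for illustration.

```powershell
# Added example (not from the original page): inventory DCs, then raise the
# domain and forest functional levels in the order described above.
Import-Module ActiveDirectory

$targetDomainMode = 'Windows2012R2Domain'   # assumed target
$targetForestMode = 'Windows2012R2Forest'   # assumed target
$doRaise = $false                           # flip to $true only after the inventory is clean

$forest = Get-ADForest
"Current forest mode: $($forest.ForestMode)"

# Step 3: every DC in every domain must run an OS that supports the target level.
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion
}
$dcs | Format-Table -AutoSize

# Windows Server 2012 R2 reports kernel version 6.3; any DC below that cannot
# support the 2012 R2 level and blocks the raise.
$tooOld = $dcs | Where-Object {
    $_.OperatingSystemVersion -and
    ([version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]'6.3')
}
if ($tooOld) {
    Write-Warning 'DCs below the target level; upgrade or demote them before raising:'
    $tooOld | Format-Table HostName, OperatingSystem -AutoSize
    return
}

if ($doRaise) {
    # Step 4: raise every domain first; the forest level can never exceed the
    # lowest domain level in the forest.
    foreach ($d in $forest.Domains) {
        Set-ADDomainMode -Identity $d -DomainMode $targetDomainMode -Confirm:$false
    }
    # Step 5: raise the forest. Treat this as one-way; rollback is possible only in limited cases.
    Set-ADForestMode -Identity $forest.Name -ForestMode $targetForestMode -Confirm:$false
    Get-ADForest | Select-Object Name, ForestMode
} else {
    'Inventory is clean. Re-run with $doRaise = $true to perform steps 4 and 5.'
}
```

Before the real run, add -WhatIf to the two Set-AD*Mode calls to see exactly which domain and forest objects would be changed, and take a System State backup of a DC in each domain, since the raise cannot generally be undone.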

27) A few important commands

nltest / - To list all DCs in the domain

nltest /PARENTDOMAIN - To find the parent domain of this machine