What is Active Directory?
Active Directory (AD) is the directory service that ships with Windows Server. It lets an organization work with many interconnected and dissimilar network resources in a unified way. At its core is a database that keeps track of all the user, computer and group accounts in your organization and the credentials that go with them (password hashes, never cleartext passwords), so that authentication and authorization are handled from one protected place instead of on every machine. Active Directory is subdivided into one or more domains, each an administrative and replication boundary (the forest, not the domain, is the security boundary). Each domain is served by one or more server computers called domain controllers (DCs); every domain controller holds a writable copy of the domain's database and authenticates the accounts in that domain.
Why Active Directory?
It helps you organize your company's users, computers and more. Your IT admin uses AD to organize your company's complete hierarchy, from which computers belong on which network, to what your profile picture looks like, to which users have access to the storage room. Active Directory may not be the only directory service platform out there, but it has dominated the space and exists in almost every business network today. Although typically not the authoritative source of record for users (that is usually an HR system), almost every user ends up with AD credentials, so AD is normally treated as the most comprehensive database of account logon information on most networks. Because so much depends on it, this directory is usually the most robust in terms of availability and the most accurate in terms of account details, which makes it the natural choice of authentication provider for other systems.
What are the features of Active Directory?
Some Active Directory Features are:
- Security: Kerberos and NTLM authentication, access control lists on every object, and auditing
- Simplified and flexible administration
- Scalability and high availability
- Forest and domain functional levels
- Privileged Access Management
- Azure AD Join (Azure AD has since been renamed Microsoft Entra ID)
- Microsoft Passport (now Windows Hello for Business)
- Time synchronization improvements
- Group membership expiration
- Simple programmatic access
- Open standards support (LDAP, Kerberos, DNS)
What are advantages of Active directory?
AD is a state-wide authentication directory that supports enterprise systems. It provides contact information and scheduling integration, along with mechanisms for centralized desktop management. There are multiple Active Directory environments in use across the University of Tennessee campuses and institutes. The purpose of the Active Directory Project is to migrate all of these environments into a single AD forest, which will provide the following benefits:
- Single user name and password – NetID
- Password synced between AD and LDAP Directory Services
- Reduce overhead through standardization
- Improve services through centralized management capabilities
- Central storage provided for individuals and departments
- Backup and restoration services for central storage
- Server storage space for user documents
- Backed up data on Home and Departmental drives
- Lower departmental cost because infrastructure is managed and maintained by OIT
- Highly secured access to data through the use of security policies, which improves both the management of data and workstation security
- Easily scalable: supports millions of objects in a single domain
- Unified access to resources through a uniform naming convention
Provide foundation for the following AD related services:
Can you explain LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol for reading and writing information directories. It is based on the X.500 standards but is significantly simpler, and unlike X.500's Directory Access Protocol (DAP) it runs over TCP/IP, which is necessary for any kind of Internet access. Because it is a simpler version of X.500 it is sometimes called X.500-lite. LDAP was created as a slimmed-down DAP: it is easier to implement and omits some of DAP's lesser-used features. As a result it has become the directory access protocol for most purposes, replacing the multitude of proprietary protocols previously used. LDAP and AD are not the same kind of thing: LDAP is a protocol, while Active Directory is a directory service that, among other things, speaks LDAP. A domain controller answers LDAP on TCP 389 (and LDAPS, LDAP over TLS, on 636); the global catalog listens on 3268 and 3269. Both AD and the LDAP endpoint it exposes are hosted on-premises in most cases.
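The following is an added example, not code from the original page: it queries Active Directory over LDAP from PowerShell using the .NET DirectorySearcher that ships with Windows, so no RSAT module is needed. It assumes a domain-joined host; the server name dc01.corp.example.com and the account-name prefix are placeholders.

```powershell
# Added example (not from the original page): LDAP queries against AD with the built-in
# .NET DirectorySearcher. Assumes a domain-joined host; dc01.corp.example.com is a placeholder.

# RootDSE (the empty DN) advertises the naming contexts and capabilities of the DC.
$rootDse   = [ADSI]'LDAP://RootDSE'
$defaultNC = [string]$rootDse.defaultNamingContext      # e.g. DC=corp,DC=example,DC=com

function Get-Prop($props, $name) {
    # ResultPropertyCollection keys are lower-cased; absent attributes are simply missing.
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { $props[$name][0] }
}

function Find-EnabledUser {
    param([string]$SearchBase = $defaultNC, [string]$NamePrefix = '*')

    # objectCategory=person excludes computers (which are also objectClass=user).
    # The OID is LDAP_MATCHING_RULE_BIT_AND; bit 0x2 of userAccountControl is ACCOUNTDISABLE.
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$NamePrefix)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    $searcher = [adsisearcher]$filter
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize   = 1000     # request paged results, or the DC truncates at MaxPageSize
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'displayName', 'mail', 'pwdLastSet', 'memberOf'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $p = $r.Properties
            [pscustomobject]@{
                SamAccountName = [string](Get-Prop $p 'samaccountname')
                DisplayName    = [string](Get-Prop $p 'displayname')
                Mail           = [string](Get-Prop $p 'mail')
                # pwdLastSet is a FILETIME (100 ns ticks since 1601); 0 means "must change at next logon"
                PwdLastSet     = [DateTime]::FromFileTimeUtc([int64](Get-Prop $p 'pwdlastset'))
                GroupCount     = if ($p.Contains('memberof')) { $p['memberof'].Count } else { 0 }
            }
        }
    } finally {
        $results.Dispose()          # the SearchResultCollection holds a server-side cursor
    }
}

# A simple bind on 389 sends the password in clear; prefer LDAPS (636) with a secure bind.
function Test-LdapsBind {
    param([string]$Server = 'dc01.corp.example.com')
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://${Server}:636/$defaultNC", $null, $null, $authType)
    try     { $null = $entry.NativeObject; $true }   # touching NativeObject forces the bind
    catch   { $false }
    finally { $entry.Dispose() }
}

Find-EnabledUser -NamePrefix 'svc*' | Format-Table -AutoSize
Test-LdapsBind
```

The bitwise matching rule in the filter is how LDAP expresses "account not disabled" against the userAccountControl bit field; the same construction with 0x10000 finds accounts whose password never expires, and with 0x400000 accounts that do not require Kerberos pre-authentication.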
Can you explain PAM?
Privileged Access Management (PAM) is a solution that helps organizations restrict privileged access within an existing Active Directory environment.
PAM accomplishes two goals:
- Re-establish control over a compromised Active Directory environment by maintaining a separate bastion environment (a dedicated forest) that is known to be unaffected by malicious activity.
- Isolate the use of privileged accounts to reduce the risk of those credentials being stolen.
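As an added example that is not part of the original page, the block below shows the building block the Privileged Access Management feature adds to AD DS itself: time-bound group membership, available at the Windows Server 2016 forest functional level or later. It assumes the ActiveDirectory RSAT module; the user jdoe, the target group and the two-hour window are placeholders.

```powershell
# Added example, not from the original page: time-bound privileged group membership
# as enabled by the AD DS "Privileged Access Management Feature". Assumes the
# ActiveDirectory module; jdoe, the group name and the TTL are placeholders.
Import-Module ActiveDirectory

$forestRoot = (Get-ADForest).RootDomain

function Enable-PamFeature {
    # Enabling is irreversible, so check first and leave it alone if already on.
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if ($feature.EnabledScopes.Count -eq 0) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target $forestRoot -Confirm:$false
    }
    (Get-ADOptionalFeature -Identity $feature).EnabledScopes
}

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member,
        [timespan]$Ttl = (New-TimeSpan -Hours 2)
    )
    # Same cmdlet as a permanent add, plus a TTL. The DC removes the link when it expires
    # and caps the member's Kerberos TGT lifetime to the remaining TTL, so the privilege
    # cannot outlive the grant by being cached in a ticket.
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive $Ttl
}

function Get-TemporaryMembership {
    param([Parameter(Mandatory)][string]$Group)
    # With -ShowMemberTimeToLive, expiring links come back as "<TTL=seconds>,<DN>".
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' } |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{
                    Member    = $Matches[2]
                    ExpiresIn = [timespan]::FromSeconds([int]$Matches[1])
                }
            }
        }
}

Enable-PamFeature
Grant-TemporaryMembership -Group 'Domain Admins' -Member 'jdoe'
Get-TemporaryMembership -Group 'Domain Admins'
```

The full Microsoft PAM design goes further (a separate bastion forest with a one-way trust and shadow principals), but the expiring link shown here is the mechanism both halves rely on: membership in a highly privileged group is granted for a window and disappears on its own instead of accumulating.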
How is PAM different from Identity Management?
PAM is sometimes confused with the broader category of Identity Management (IdM). There is some overlap, but the two subjects are separate and quite different. PAM is focused on privileged user access; identity management concerns authenticating and authorizing any user who needs access to a system. A bank teller who logs into a banking application is authenticated by an IdM solution such as Microsoft Active Directory. Active Directory, which is built around the Lightweight Directory Access Protocol (LDAP) standard, is not by itself well suited to PAM: it is a great product, but it was not designed to control privileged users, and not all devices with privileged accounts integrate easily with Active Directory.
Can you explain Active Directory Domain Services?
Active Directory Domain Services (AD DS) is the Windows Server role that turns a server into a domain controller. It stores information about network resources and application data in a distributed, replicated database, and lets admins organize a network's elements (computers and end users) into a custom hierarchy. AD DS provides secure, structured, hierarchical storage for objects in a network such as users, computers, printers and services, and supports locating and working with those objects.
Can you explain Active Directory Lightweight Directory Services?
Microsoft Active Directory Lightweight Directory Services (AD LDS) is an independent mode of Active Directory that provides dedicated directory services for applications. Although AD LDS independently provides directory storage and access for applications, AD LDS uses the same standard application programming interfaces (APIs) as Active Directory to manage and access the application data. The resulting conceptual and programming compatibility makes AD LDS ideal for applications that require directory services, but do not require the complete infrastructure features of Active Directory.
AD LDS does not provide directory services for the Windows operating system itself (no domain logon, no Group Policy), so it concentrates on the requirements of specific applications. If AD LDS operates in an Active Directory environment, it can use Active Directory for authentication. Because AD LDS does not support the Messaging Application Programming Interface (MAPI), Microsoft Exchange cannot use AD LDS.
Can you explain Active Directory Certificate Services?
Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can issue, validate and revoke public key certificates for an organization's internal use. AD CS is the server role that lets you build a public key infrastructure (PKI) and provide public key cryptography, digital certificates and digital signature capabilities for your organization. These certificates can be used to encrypt files (with the Encrypting File System), e-mail (per the S/MIME standard) and network traffic (virtual private networks, Transport Layer Security or IPsec), and to authenticate users and computers to the domain itself (smart-card or certificate-based Kerberos logon). Because a certificate from an enterprise CA is trusted throughout the forest, the CA servers and their certificate templates need the same level of protection as a domain controller.
Can you explain Active Directory Federation Services?
Active Directory Federation Services (AD FS) is a feature of the Windows Server operating system (OS) that extends end users’ single sign-on (SSO) access to applications and systems outside the corporate firewall. AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user’s own organization is responsible for authenticating the user and providing identity information in the form of “claims” to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions.
Can you explain Active Directory Monitoring?
Monitoring the distributed Active Directory service and the services it relies upon (DNS, time synchronization, replication) helps maintain consistent directory data and the required level of service throughout the forest. AD monitoring combines several techniques and methodologies aimed at reducing and resolving the problems that occur in an enterprise-class network directory. Most large organizations with many domains or remote physical sites need an automated monitoring system such as Microsoft Operations Manager (MOM, since succeeded by System Center Operations Manager) to watch the important indicators. An automated monitoring system provides the consolidation and timely problem resolution needed to administer Active Directory successfully. (See the Microsoft documentation.)
Can you explain Rights Management Services?
Active Directory Rights Management Services (AD RMS) is a Windows Server security feature that provides persistent data protection by enforcing access policies that travel with the data. For documents to be protected with AD RMS, the application that handles them must be RMS-aware. Before Windows Server 2008 it was known simply as Rights Management Services (RMS). It is server software for information rights management shipped with Windows Server: it uses encryption and selective denial of functionality to limit access to content such as corporate e-mail, Microsoft Word documents and web pages, and to limit the operations (view, edit, print, forward) that authorized users can perform on them.
Can you explain AD management?
AD management (Active Directory management) is the process of managing and monitoring the operation of the Active Directory service found in Windows Server operating systems. It is part of the broader server and network monitoring and management processes that ensure Active Directory is behaving as required.
What are all the Active Directory Partitions?
- Schema partition: the definitions of every object class and attribute; one per forest, replicated to every DC
- Configuration partition: forest-wide topology (sites, site links, partitions, services); one per forest, replicated to every DC
- Domain partition: the users, computers, groups and OUs of one domain; one per domain, replicated to that domain's DCs (global catalogs hold a partial, read-only copy of every domain partition)
- Application partition: data replicated only to the DCs an administrator chooses, for example the DomainDnsZones and ForestDnsZones partitions used by AD-integrated DNS
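An added example, not from the original page, of listing every partition in a forest: it reads the crossRef objects under CN=Partitions in the Configuration partition, classifies each one by its systemFlags, and shows which DCs host the application partitions. It assumes the ActiveDirectory RSAT module on a domain-joined host.

```powershell
# Added example, not from the original page: inventory the forest's partitions
# (naming contexts) from the crossRef objects in the Configuration partition.
# Assumes the ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$partitionsContainer = "CN=Partitions,$($rootDse.configurationNamingContext)"

function Get-ADPartitionInventory {
    # systemFlags on a crossRef: 0x1 = a naming context held by this forest's DCs,
    # 0x2 = a domain NC, 0x4 = not replicated to the global catalog.
    # Application partitions therefore carry 0x1 without 0x2.
    Get-ADObject -SearchBase $partitionsContainer -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, systemFlags, dnsRoot, 'msDS-NC-Replica-Locations' |
    ForEach-Object {
        $nc    = [string]$_.nCName
        $flags = [int]$_.systemFlags
        $kind  = if ($nc -eq $rootDse.schemaNamingContext)             { 'Schema' }
                 elseif ($nc -eq $rootDse.configurationNamingContext)  { 'Configuration' }
                 elseif ($flags -band 0x2)                             { 'Domain' }
                 elseif ($flags -band 0x1)                             { 'Application' }
                 else                                                  { 'External reference' }

        # Replica locations are "CN=NTDS Settings,CN=<server>,CN=Servers,..." DNs; keep the server RDN.
        $replicas = @($_.'msDS-NC-Replica-Locations' |
                      ForEach-Object { ($_ -split ',')[1] -replace '^CN=' })

        [pscustomobject]@{
            Kind      = $kind
            Partition = $nc
            DnsRoot   = [string]$_.dnsRoot
            HostedOn  = if ($kind -eq 'Application') { $replicas -join ', ' }
                        elseif ($kind -eq 'Domain')  { 'every DC of that domain (partial copy on GCs)' }
                        else                          { 'every DC in the forest' }
        }
    }
}

Get-ADPartitionInventory | Sort-Object Kind | Format-Table -AutoSize

# The partitions this particular DC holds a full, writable copy of:
$rootDse.namingContexts
```

The same inventory is available interactively through ntdsutil ("partition management" then "list"), but the crossRef view is what lets you see, for an application partition such as DomainDnsZones, exactly which DCs would still have the data if one of them were lost.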
What are the physical components of Active Directory?
Domain controllers and sites. Domain controllers are the physical (or virtual) computers running a Windows Server operating system and the Active Directory database. Sites are network segments, usually based on geographical location and defined by IP subnets, each containing one or more domain controllers; sites tell AD which DCs are close to each other so that logon traffic and replication stay local.
Can you define a domain?
A domain is a management boundary. Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organizations (and even some large ones), you will only find a single domain in a single forest. The forest root domain defines the default namespace for the forest.
Can you define Infrastructure Master?
The Infrastructure Master is the domain-level operations master responsible for updating references to objects that live in other domains of the forest, for example a group in this domain whose member is a user from another domain. It compares its phantom records against the global catalog and replicates the corrections to the other DCs in the domain. It must not run on a global catalog server unless every DC in the domain is a global catalog, because a GC never finds anything to fix.
Can you explain domain controller?
The server that answers user requests for access to the domain is called the domain controller (DC). A domain controller lets a user reach the resources of the domain with a single username and password: it runs the Kerberos Key Distribution Center (KDC), handles NTLM authentication, serves LDAP, and holds a writable copy of the domain partition.
Can you define a forest?
A forest is a security boundary. Objects in separate forests cannot interact with each other unless the administrators of each forest create a trust between them. For example, a member of the Enterprise Admins group of the forest domain1.com, normally the most privileged group in a forest, has no permissions at all in a second forest named domain2.com, even if both forests exist on the same LAN, unless a trust is in place.
Can you define FSMO?
Flexible single master operation (FSMO) is a set of specialized tasks assigned to particular domain controllers, used where the normal multi-master update model is inadequate. AD otherwise relies on multiple peer DCs, each with a copy of the AD database, synchronized by multi-master replication. There are five FSMO roles: two forest-wide (Schema Master and Domain Naming Master) and three per domain (PDC Emulator, RID Master and Infrastructure Master).
Can you define KCC?
The KCC (Knowledge Consistency Checker) is the process on every DC that builds the replication topology, both within a site and between sites (for the inter-site topology, one DC per site, the Inter-Site Topology Generator or ISTG, runs the KCC on behalf of the whole site). Within a site replication traffic uses remote procedure calls over IP; between sites it can use RPC over IP or SMTP, but SMTP can only carry the schema, configuration and application partitions, never a domain partition.
Can you define ADSI Edit?
ADSI Edit is an LDAP editor for managing objects in Active Directory. It lets you view and change objects and attributes that are not exposed in Active Directory Users and Computers.
Can you define Schema?
The Active Directory schema is the set of definitions that specify which kinds of objects, and which attributes of those objects, can be stored in Active Directory. It is a collection of object classes and their attributes, for example:
Object class: user
Attributes: givenName (first name), sn (last name), mail, and many others
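The block below is an added example, not from the original page: it reads a class definition straight out of the Schema partition and collects every attribute the class can carry, following subClassOf and auxiliary-class links the way the directory itself resolves them, then shows the per-attribute flags a security reviewer cares about. It assumes the ActiveDirectory RSAT module; the class and attribute names passed at the end are ordinary schema names, not assumptions.

```powershell
# Added example, not from the original page: walk the schema for a class and
# inspect attribute definitions. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-ADSchemaClassAttributes {
    param([Parameter(Mandatory)][string]$ClassName)   # lDAPDisplayName, e.g. 'user'

    $seen = @{}; $attributes = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($ClassName)

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($seen.ContainsKey($name)) { continue }
        $seen[$name] = $true

        $cls = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$name))" `
            -Properties mustContain, systemMustContain, mayContain, systemMayContain, subClassOf, auxiliaryClass, systemAuxiliaryClass
        if (-not $cls) { continue }

        foreach ($attr in @($cls.mustContain) + @($cls.systemMustContain)) {
            if ($attr) { $attributes[$attr] = "must (from $name)" }
        }
        foreach ($attr in @($cls.mayContain) + @($cls.systemMayContain)) {
            if ($attr -and -not $attributes.ContainsKey($attr)) { $attributes[$attr] = "may (from $name)" }
        }

        # Inheritance: user -> organizationalPerson -> person -> top ('top' is its own parent).
        $parent = [string]$cls.subClassOf
        if ($parent -and $parent -ne $name) { $queue.Enqueue($parent) }
        foreach ($aux in @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($aux) { $queue.Enqueue([string]$aux) }
        }
    }
    $attributes.GetEnumerator() | Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ Attribute = $_.Name; Requirement = $_.Value } }
}

function Get-ADSchemaAttribute {
    param([Parameter(Mandatory)][string]$AttributeName)
    $a = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
        -Properties attributeSyntax, isSingleValued, searchFlags, isMemberOfPartialAttributeSet
    [pscustomobject]@{
        Attribute       = $AttributeName
        Syntax          = [string]$a.attributeSyntax        # OID, e.g. 2.5.5.12 = Unicode string
        SingleValued    = [bool]$a.isSingleValued
        InGlobalCatalog = [bool]$a.isMemberOfPartialAttributeSet
        # searchFlags 0x80 marks the attribute confidential: it is returned only to callers
        # holding CONTROL_ACCESS on it, not to every authenticated user with read access.
        Confidential    = ([int]$a.searchFlags -band 0x80) -ne 0
        Indexed         = ([int]$a.searchFlags -band 0x1) -ne 0
    }
}

Get-ADSchemaClassAttributes -ClassName 'user' | Format-Table -AutoSize
'mail', 'unicodePwd' | ForEach-Object { Get-ADSchemaAttribute -AttributeName $_ }
```

The confidential flag is the one to check before storing anything sensitive in a custom attribute: by default every authenticated user can read most attributes of most objects, and only attributes marked 0x80 in searchFlags are withheld from that default read.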
Can you define Kerberos?
Kerberos is a network authentication protocol. It provides strong authentication for client/server applications using secret-key cryptography: a client proves its identity once to the Key Distribution Center (KDC) and receives a ticket-granting ticket, then presents service tickets derived from it to each server instead of sending its password. In Active Directory every domain controller is a KDC, and Kerberos is the default authentication protocol for domain members.
Can you explain Member Server?
A member server is a role defined by Active Directory for a server that belongs to a domain but is not a domain controller. It can function as a file server, database server, application server, firewall, remote access server or certificate server. The domain controller, not the member server, is responsible for authenticating logons; the member server then enforces permissions on its own resources based on the identity the DC vouched for.
Can you explain use of SYSVOL?
SYSVOL is a shared folder that exists on every domain controller (by default %SystemRoot%\SYSVOL\sysvol, shared as \\<domain>\SYSVOL). It is not the directory database itself (that is ntds.dit) but the file-system half of Group Policy: it holds the Group Policy templates, logon scripts and other files that must be available to every domain member. Logon scripts and policies are delivered to each domain user via SYSVOL. The folder is replicated between domain controllers by the File Replication Service (FRS) in old domains and by DFS Replication (DFSR) in domains that have migrated; FRS is deprecated and domain controllers running Windows Server 2019 or later no longer support it. Because every authenticated user can read SYSVOL, nothing placed there can be treated as secret.
Which tool would you use to edit Active Directory?
Adsiedit.msc is a low-level editor for Active Directory. It is a Microsoft Management Console (MMC) snap-in with a graphical interface that lets administrators add, edit and delete objects in a directory service, and it reaches the directory through the ADSI programming interfaces. Being an MMC snap-in, it needs access to the MMC and a connection to an Active Directory environment to work. Because it edits raw attributes with no validation, a mistake can damage the directory, so use it only when the standard consoles and the PowerShell cmdlets do not expose what you need.
What are Lingering Objects?
Lingering objects are objects that were deleted on the rest of the domain controllers but still exist on one DC, because that DC did not replicate for an interval longer than the tombstone lifetime (TSL): by the time it reconnects, the tombstones that would have told it about the deletions have themselves been garbage-collected. The TSL is 60 days in forests created before Windows Server 2003 SP1 and 180 days in forests created on later versions. Such a DC can reintroduce the deleted objects, including stale accounts, into the rest of the forest, which is why strict replication consistency is enabled on modern DCs and why lingering objects must be removed with repadmin rather than left to replication.
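As an added example that is not part of the original page, the block below is one replication health pass that serves three earlier points on this page: monitoring, the topology the KCC builds, and the lingering-object condition of a DC that has been silent for longer than the tombstone lifetime. It assumes the ActiveDirectory RSAT module on a domain-joined host and calls repadmin.exe for the parts that have no cmdlet equivalent.

```powershell
# Added example, not from the original page: replication health, KCC topology and
# lingering-object risk in one pass. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest

function Get-TombstoneLifetimeDays {
    # Stored on the Directory Service object; if the attribute is absent the forest
    # uses the old default of 60 days (forests built on 2003 SP1 or later write 180).
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-ReplicationHealth {
    $tsl = Get-TombstoneLifetimeDays
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Both |
            ForEach-Object {
                $silentDays = ((Get-Date) - $_.LastReplicationSuccess).TotalDays
                [pscustomobject]@{
                    Destination   = $dc.HostName
                    Partner       = ($_.Partner -split ',')[1] -replace '^CN='
                    Partition     = $_.Partition
                    LastSuccess   = $_.LastReplicationSuccess
                    LastResult    = $_.LastReplicationResult   # 0 = success, otherwise a Win32 error
                    # Past the TSL the destination can no longer learn about deletions it missed,
                    # so whatever it still holds is a lingering object waiting to be reanimated.
                    LingeringRisk = $silentDays -gt $tsl
                }
            }
        }
    }
}

function Get-ReplicationTopology {
    # Connection objects are what the KCC (intra-site) and each site's ISTG (inter-site) build.
    Get-ADReplicationConnection -Filter * |
        Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
    # Site links tell the ISTG which transport (IP = RPC over IP, or SMTP) and cost it may use.
    Get-ADReplicationSiteLink -Filter * -Properties InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes |
        Select-Object Name, InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes, SitesIncluded
}

Get-ReplicationHealth | Sort-Object LingeringRisk -Descending | Format-Table -AutoSize
Get-ADReplicationFailure -Scope Forest -Target $forest.RootDomain |
    Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime -AutoSize
Get-ReplicationTopology
& repadmin.exe /replsummary

# Before deleting anything, run the lingering-object check in advisory mode (reports only):
# repadmin /removelingeringobjects <dc-suspected-stale> <GUID-of-known-good-dc> <partition DN> /advisory_mode
```

A DC that shows LingeringRisk is not fixed by letting it replicate again; it needs the repadmin clean-up above (or to be demoted and rebuilt), because normal replication will never carry the missing deletions to it.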
What is the difference between domain admin groups and enterprise admins group in AD?
Enterprise Admins group: exists only in the forest root domain. Its members have complete control of every domain in the forest by default, because the group is added to the Administrators group on every domain controller in the forest. It therefore has full control of the forest; add members with great caution and keep the group empty when no forest-level work is under way.
Domain Admins group: exists in every domain. Its members have complete control of that domain. By default the group is a member of the local Administrators group on every domain controller, workstation and member server at the time the machine joins the domain, so it has full control throughout the domain; add members with caution.
Where is the AD database held and how would you create a backup of the database?
The database is the file ntds.dit, stored by default in %SystemRoot%\NTDS on each domain controller alongside its transaction logs. You back it up by backing up the System State of a domain controller, either with Windows Server Backup (the wbadmin tool, which replaced NTBACKUP from Windows Server 2008 on) or with a third-party product such as Veritas NetBackup (formerly Symantec's). A System State backup captures the local registry, the boot files, the COM+ class registration database, the ntds.dit file and the SYSVOL folder. Because ntds.dit contains every account's password hashes, the backup media must be protected as strictly as the domain controller itself.
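The block below is an added example, not from the original page: it reads where a domain controller keeps ntds.dit and SYSVOL from the registry values the Directory Service writes, then takes a System State backup with Windows Server Backup. It assumes it runs elevated on a domain controller; the E: target volume is a placeholder.

```powershell
# Added example, not from the original page: locate the AD database files on a DC and
# take a System State backup with wbadmin. Assumes an elevated session on a domain
# controller; 'E:' is a placeholder backup volume.

function Get-NtdsFileLocations {
    # The NTDS service records where the database and logs live; defaults are %SystemRoot%\NTDS.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        Database   = $ntds.'DSA Database file'
        LogPath    = $ntds.'Database log files path'
        WorkingDir = $ntds.'DSA Working Directory'
        Sysvol     = $nl.SysVol
    }
}

function Backup-DomainControllerSystemState {
    param([Parameter(Mandatory)][string]$TargetVolume)   # e.g. 'E:', must not be a critical volume

    if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
        Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
    }
    # System State = registry, boot files, COM+ class registration, ntds.dit and SYSVOL.
    # Windows Server Backup takes a VSS snapshot, so the online database is copied consistently.
    & wbadmin.exe start systemstatebackup -backupTarget:$TargetVolume -quiet
    & wbadmin.exe get versions -backupTarget:$TargetVolume
}

Get-NtdsFileLocations
# Backup-DomainControllerSystemState -TargetVolume 'E:'
```

Treat the resulting backup like a domain controller: anyone who can read it can extract every password hash from ntds.dit offline, so encrypt the media and restrict who can reach the backup target.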
Can you define role seizure?
Role seizure is the act of assigning an operations master role to a new domain controller without the cooperation of the existing role holder, generally because that holder is permanently offline after a hardware failure. During role seizure the new domain controller assumes the role without communicating with the old holder. Seizure is done with ntdsutil.exe or with the Active Directory PowerShell module (Move-ADDirectoryServerOperationMasterRole -Force); repadmin.exe is used afterwards to verify that replication has carried the change. A seized role must never be "handed back" by simply powering the old holder on again: the old DC has to be removed from the forest (metadata cleanup) and rebuilt, otherwise two DCs will claim the same role.
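As an added example, not from the original page, the following finds the five operations master holders, checks the infrastructure master placement rule, and shows the difference between a graceful transfer and a seizure. It assumes the ActiveDirectory RSAT module; DC02 is a placeholder name for the domain controller receiving the roles.

```powershell
# Added example, not from the original page: FSMO holders, transfer and seizure.
# Assumes the ActiveDirectory module; 'DC02' is a placeholder DC name.
Import-Module ActiveDirectory

function Get-ADFsmoHolders {
    $f = Get-ADForest; $d = Get-ADDomain
    [pscustomobject]@{
        # Forest-wide roles (one holder per forest)
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        # Domain-wide roles (one holder per domain)
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # The infrastructure master must not sit on a global catalog unless every DC in the
    # domain is a GC; otherwise cross-domain references are never refreshed.
    $d     = Get-ADDomain
    $dcs   = Get-ADDomainController -Filter * -Server $d.DNSRoot
    $im    = $dcs | Where-Object HostName -eq $d.InfrastructureMaster
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    [pscustomobject]@{
        Holder      = $d.InfrastructureMaster
        HolderIsGc  = [bool]$im.IsGlobalCatalog
        AllDcsAreGc = $allGc
        Ok          = (-not $im.IsGlobalCatalog) -or $allGc
    }
}

# Transfer: both DCs are online and the old holder hands the role over cleanly.
function Move-FsmoRoles {
    param([Parameter(Mandatory)][string]$Target, [Parameter(Mandatory)][string[]]$Roles)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false
}

# Seizure: the old holder is gone for good. -Force skips contacting it. Never bring the old
# holder back online afterwards without rebuilding it, or two DCs will claim the same role.
function Invoke-FsmoSeizure {
    param([Parameter(Mandatory)][string]$Target)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -Force -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
}

Get-ADFsmoHolders
Test-InfrastructureMasterPlacement
# Move-FsmoRoles -Target 'DC02' -Roles PDCEmulator, RIDMaster
# Invoke-FsmoSeizure -Target 'DC02'
# Legacy equivalents: "netdom query fsmo" to list holders, ntdsutil "roles" to transfer or seize.
```

After a seizure, verify with the listing function from every remaining DC (pass -Server to Get-ADForest and Get-ADDomain) before trusting the result: a holder that differs between DCs means replication has not yet carried the change, and is exactly the state in which a returning old holder would cause a split.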
What is Mixed Mode?
Mixed mode allows domain controllers running Windows 2000 and earlier versions of Windows NT to coexist in a domain. In mixed mode the domain features of previous Windows NT Server versions remain enabled while some Windows 2000 features are disabled; Windows 2000 Server domains were installed in mixed mode by default, and Windows NT 4.0 backup domain controllers may be present. Universal security groups and nested groups are not supported in mixed mode. Later versions replaced the mixed/native switch with forest and domain functional levels, which serve the same purpose.
Can you define OU?
An Organizational Unit (OU) is a container object in which you can keep objects such as user accounts, groups, computers, printers, applications and other OUs. You can delegate administrative permissions on an OU to specific users and link Group Policy Objects to it, so OUs are the usual way to model departmental boundaries.
Can you explain group policy?
Group Policy is one of the most powerful, and potentially complex, mechanisms that Active Directory enables. It allows a bundle of computer and user settings (a Group Policy Object, or GPO) to be created by an administrator and linked to a site, domain or OU so that it is applied automatically to the computers and users beneath that link.
Group Policy can control everything from user interface settings such as the desktop background to deep client settings such as TCP/IP configuration, authentication options and security restrictions; there are several thousand controllable settings today. Microsoft ships administrative templates as a starting point for creating policy objects.
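The following is an added example, not from the original page: it inventories Group Policy with the GroupPolicy RSAT module, reports what is linked where, and catches two faults that the SYSVOL section above makes possible: GPOs whose Active Directory and SYSVOL versions disagree (replication of one half has not caught up) and GPOs that are linked nowhere. It assumes the GroupPolicy and ActiveDirectory modules on a domain-joined administrative host.

```powershell
# Added example, not from the original page: GPO inventory, link report and
# AD-versus-SYSVOL version check. Assumes the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoHealth {
    foreach ($gpo in Get-GPO -All) {
        # Each GPO is half an AD object (groupPolicyContainer) and half a SYSVOL folder;
        # both halves carry a version counter. When they disagree, clients log a version
        # mismatch and the GPO cannot be relied on until replication brings them in line.
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        [pscustomobject]@{
            Name              = $gpo.DisplayName
            Id                = $gpo.Id
            Status            = $gpo.GpoStatus
            UserVersionOk     = $gpo.User.DSVersion     -eq $gpo.User.SysvolVersion
            ComputerVersionOk = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion
            SysvolPath        = $gpo.Path          # \\<domain>\SYSVOL\<domain>\Policies\{guid}
            Linked            = [bool]$report.GPO.LinksTo
        }
    }
}

function Get-GpoLinks {
    param([Parameter(Mandatory)][string]$TargetDN)   # DN of a domain, OU or site
    $inh = Get-GPInheritance -Target $TargetDN
    # Link order decides precedence (lower order wins on conflict), Enforced links override
    # links below them, and a blocked container ignores non-enforced links from above.
    $inh.GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target |
        Add-Member -PassThru -NotePropertyName BlockInheritance -NotePropertyValue $inh.GpoInheritanceBlocked
}

Get-GpoHealth | Format-Table -AutoSize
Get-GpoLinks -TargetDN (Get-ADDomain).DistinguishedName
# Effective result on a client: gpresult /r, or
# Get-GPResultantSetOfPolicy -ReportType Html -Path .\rsop.html
```

An unlinked GPO is harmless but still readable by every authenticated user through SYSVOL, so a GPO that once carried something sensitive should be deleted, not merely unlinked.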
(See the Microsoft documentation.)