Active Directory Interview Questions and Answers

1. Can you explain the difference between the logical and physical components of Active Directory?

Active Directory structure is divided into logical and physical components.

Logical Components include Forests, Domains, Domain Trees, and Organizational Units (OUs). These are used to organize resources (users, computers) to match the business structure, delegate administration, and apply policies.

Physical Components include Domain Controllers, Global Catalog servers, and Active Directory Sites. These define the physical topology of the network and control replication traffic and authentication efficiency.

2. What is the Global Catalog (GC) and why is it critical for a multi-domain environment?

The Global Catalog is a partial replica of every object in the forest. While it holds a full writable copy of objects for its own domain, it stores a read-only partial copy of objects from all other domains in the forest. It is critical because it facilitates forest-wide searches and is required for Universal Group membership caching during the authentication process. If a GC is unavailable, users belonging to Universal Groups might fail to authenticate.

3. What is the difference between a Tree and a Forest?

A Forest is the outermost boundary of the directory service. It represents a complete Active Directory instance and shares a common schema and configuration.

A Domain Tree is a collection of domains within that forest that share a contiguous namespace (e.g., prividha.com, sales.prividha.com). All domains in a tree (and in the forest) are linked by two-way transitive trusts.

4. How does Active Directory uniquely identify an object? Explain the difference between GUID and SID.

GUID (Globally Unique Identifier): This is a 128-bit value stored in the objectGUID attribute. It is unique not just in the domain but globally. The GUID never changes, even if the object is moved or renamed.

SID (Security Identifier): Stored in the objectSid attribute, this value is unique within its domain. It consists of a domain identifier followed by a Relative ID (RID). If an object moves to a different domain, it gets a new SID, and the old one is stored in sIDHistory to maintain access to resources.
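As an added example (not part of the original Q&A), the snippet below splits a SID into the domain identifier and the RID with the .NET SecurityIdentifier class, then reads objectGUID, objectSid and sIDHistory for an account. The SID value and the account name jdoe are constructed for illustration.

```powershell
# Added example: decompose a SID into domain identifier + RID, then read the
# identity attributes from AD. The SID below is constructed, not a real account.
$sid = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1004336348-1177238915-682003330-1104'

# AccountDomainSid is the domain part; the last sub-authority is the RID
# that the RID Master handed out to the DC which created the object.
$domainSid = $sid.AccountDomainSid.Value            # S-1-5-21-1004336348-1177238915-682003330
$rid       = [int]$sid.Value.Split('-')[-1]         # 1104

[pscustomobject]@{
    Sid             = $sid.Value
    DomainSid       = $domainSid
    Rid             = $rid
    IsDomainAdmins  = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid)  # RID 512 only
}

# Live lookup (ActiveDirectory module, domain-joined session). objectGUID survives
# moves and renames; objectSid changes on a cross-domain move and the previous
# SID lands in sIDHistory.
Import-Module ActiveDirectory
Get-ADUser -Identity 'jdoe' -Properties objectGUID, objectSid, sIDHistory |
    Select-Object SamAccountName, objectGUID, objectSid, sIDHistory
```

The first half runs anywhere PowerShell runs; only the Get-ADUser call needs a domain.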

5. What is the purpose of Active Directory Sites and Subnets?

AD Sites represent the physical topology of the network (e.g., a branch office). Subnets are IP address ranges assigned to these Sites. By defining these, AD ensures:

Replication Efficiency: Controlling bandwidth usage between locations.

Authentication: Directing clients to the nearest Domain Controller (DC) to prevent traffic from traversing slow WAN links.

Service Location: Helping users locate site-aware applications (like Exchange) nearby.
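The following is an added example, not from the original page, that inventories the site and subnet topology described above and shows which site and DC the local client actually resolved to. The domain name prividha.com is taken from the page's own examples; the AD module cmdlets and nltest are standard Windows tooling.

```powershell
# Added example: sites, subnets, DC placement, and the client's DC locator result.
Import-Module ActiveDirectory

# Subnet -> site mapping. A subnet with no Site is a gap: clients in it get a random DC,
# possibly across a WAN link.
Get-ADReplicationSubnet -Filter * -Properties Site |
    Select-Object Name, @{n='Site'; e={ ($_.Site -split ',')[0] -replace '^CN=' }} |
    Sort-Object Site

# Domain controllers grouped by site, so sites with no local DC stand out.
Get-ADDomainController -Filter * |
    Group-Object Site |
    Select-Object Name, Count, @{n='DCs'; e={ $_.Group.HostName -join ', ' }}

# Which site did the DC locator put this client in, and which DC did it pick?
nltest /dsgetsite
nltest "/dsgetdc:prividha.com" /try_next_closest_site
```

If nltest reports a site other than the one the client physically sits in, the subnet definition is the first thing to check.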

6. What are the FSMO roles and which ones are Forest-wide vs. Domain-wide?

Although Active Directory primarily operates as a multi-master database (any domain controller can make changes), certain tasks must be handled by a single domain controller to prevent conflicts and maintain data integrity. These distinct roles are called FSMO (Flexible Single Master Operations) roles.

There are five FSMO roles in total, categorized by their scope:

1. Forest-Wide Roles (One per Forest)

These roles appear only once in the entire Active Directory forest.

Schema Master: This is the only domain controller allowed to update the Active Directory schema (class and attribute definitions).

Domain Naming Master: This role is responsible for adding or removing domains to and from the forest.

2. Domain-Wide Roles (One per Domain)

These roles exist in every domain within the forest.

PDC Emulator (Primary Domain Controller): This is the most heavily used role. It acts as the master time source for the domain, handles password updates and account lockouts, and manages Group Policy edits.

RID Master (Relative Identifier): This role allocates pools of RIDs to domain controllers. These RIDs are required to generate unique Security Identifiers (SIDs) for new objects (like users and computers).

Infrastructure Master: This role is responsible for updating references (such as SIDs and Distinguished Names) for objects that are referenced from other domains.

7. Where should you place the PDC Emulator and why?

The PDC Emulator should be placed on the most reliable and powerful hardware (or virtual machine). It is the most resource-intensive role because it handles password changes, account lockouts, time synchronization for the domain, and Group Policy editing. In a multi-site environment, it should be placed in the site with the largest number of users to minimize latency.

8. What is the “Time Skew” allowed in Kerberos, and which role manages time?

The default maximum allowable time skew (difference) between a client and a server is 5 minutes. If the difference is greater, authentication fails. The PDC Emulator in the forest root domain is the master time source. It syncs with an external source (like NIST), other DCs sync with the PDC, and clients sync with their authenticating DC.

9. What caution must be taken regarding the Infrastructure Master role placement?

You should generally not place the Infrastructure Master on a Global Catalog (GC) server unless every DC in the domain is a GC. If the Infrastructure Master is on a GC, it will never update cross-domain object references because the GC already holds a partial replica of all objects and assumes its data is up to date. (Note: This is less relevant if the AD Recycle Bin is enabled.)

10. What is the difference between Transferring and Seizing an FSMO role?

Transfer: A planned move of a role from one DC to another (e.g., for maintenance) where both DCs are online and synchronize the data gracefully.

Seize: A disaster recovery action performed when the original role holder is permanently offline (e.g., hardware failure). Once a role is seized, the old DC must never be brought back online, to avoid data corruption (USN rollback).
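As an added example covering questions 6 through 10 (it is not part of the original page), the script below lists the five role holders, applies the Infrastructure Master/GC placement rule, measures this host's clock offset against the PDC Emulator, and previews a planned transfer. The DC name DC02 is hypothetical; the cmdlets are from the ActiveDirectory module and w32tm is built into Windows.

```powershell
# Added example: FSMO inventory, placement check, time skew check, planned transfer.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles (one per forest) and domain-wide roles (one per domain).
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Placement rule: Infrastructure Master on a GC is only acceptable when every DC
# is a GC, or when the AD Recycle Bin is enabled (which makes the role irrelevant).
$dcs    = Get-ADDomainController -Filter *
$allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$imIsGc = ($dcs | Where-Object HostName -eq $domain.InfrastructureMaster).IsGlobalCatalog
$rbin   = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($imIsGc -and -not $allGc -and -not $rbin.EnabledScopes) {
    Write-Warning "Infrastructure Master $($domain.InfrastructureMaster) is a GC, but not every DC is a GC."
}

# Kerberos allows 5 minutes of skew by default; sample this host against the PDC Emulator.
w32tm /stripchart "/computer:$($domain.PDCEmulator)" /samples:3 /dataonly

# Planned transfer (both DCs online). -WhatIf only previews; drop it to execute.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator -WhatIf
# A seizure (original holder permanently gone) is the same cmdlet with -Force added;
# the old holder must then never be powered back on.
```

The stripchart output shows the offset per sample; anything approaching the 5-minute limit will surface as Kerberos failures before it shows up anywhere else.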

11. Why is DNS critical for Active Directory and what are SRV records?

AD cannot function without DNS. It relies on DNS to locate domain controllers and services. SRV (Service) records are DNS records that define the location (hostname and port) of servers for specific services (such as LDAP, Kerberos, and the GC). Without SRV records, clients cannot find a DC to authenticate against.

12. Explain the difference between Recursive and Iterative DNS queries.

Recursive: The client asks the DNS server for a definitive answer (“Give me the IP or tell me it doesn’t exist”). The server takes the burden of finding the answer.

Iterative: The server responds with the best answer it has—either the IP or a referral to another DNS server that might know. The client (or requesting server) must then query that referral.
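The following added example (not from the original page) covers questions 11 and 12: it resolves the SRV records a client needs to locate a DC, including the site-specific record, and then contrasts a recursive lookup with a query that has recursion switched off. The domain prividha.com comes from the page; the Resolve-DnsName cmdlet and its -NoRecursion switch are part of the Windows DnsClient module.

```powershell
# Added example: SRV record check plus recursive vs non-recursive queries.
$domain = 'prividha.com'
$site   = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()   # this client's AD site

# Records the DC locator depends on; a missing one breaks authentication.
$names = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_gc._tcp.$domain",
    "_ldap._tcp.$site._sites.dc._msdcs.$domain"     # site-specific record
)
foreach ($n in $names) {
    try {
        Resolve-DnsName -Name $n -Type SRV -ErrorAction Stop |
            Where-Object Type -eq 'SRV' |
            Select-Object @{n='Query'; e={ $n }}, NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "No SRV record for $n : $($_.Exception.Message)"
    }
}

# Recursive: the configured resolver chases the answer on the client's behalf.
Resolve-DnsName -Name "www.$domain" -Type A

# Non-recursive: RD bit cleared, so the server answers only from what it already holds
# (authoritative or cached data) or hands back a referral, which is how an iterative
# exchange between servers looks from the outside.
Resolve-DnsName -Name "www.$domain" -Type A -NoRecursion -DnsOnly
```

Running the non-recursive query against a server that is not authoritative for the name typically returns the referral (NS records) rather than the address, which is the behaviour the iterative model describes.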

13. What is the difference between FRS and DFSR?

These are protocols used to replicate the SYSVOL folder (Group Policies/Scripts).

FRS (File Replication Service): The legacy protocol. It replicates the entire file even if a small change is made. It is deprecated in Server 2022.

DFSR (Distributed File System Replication): The modern standard. It uses Remote Differential Compression (RDC) to replicate only the changed blocks of a file, making it much more efficient. It also has self-healing capabilities.

14. How does Active Directory prevent replication loops? Explain USN and High Watermark Vector.

AD uses specific vectors to track changes:

USN (Update Sequence Number): A counter on each DC that increments with every write.

High Watermark Vector (HWMV): A table on a DC tracking the highest USN it has received from a specific replication partner (tracks “what I have received”).

Up-To-Dateness Vector (UTDV): Tracks the highest originating USN seen from every DC in the forest, so a DC does not accept an update it has already received via a different path (propagation dampening).

15. What is a “Bridgehead Server”?

A Bridgehead Server is a specific Domain Controller designated to handle replication traffic entering or leaving a Site. The Knowledge Consistency Checker (KCC) automatically selects bridgehead servers to optimize inter-site replication, though they can be manually assigned if necessary.
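As an added example for questions 14 and 15 (not from the original page), the commands below read the per-partner high watermark, the up-to-dateness vector, and the KCC's bridgehead selection for one DC. The DC name DC01.prividha.com is hypothetical; the cmdlets are from the ActiveDirectory module and repadmin ships with the AD DS tools.

```powershell
# Added example: inspect the replication vectors that prevent loops, and the bridgeheads.
Import-Module ActiveDirectory
$dc = 'DC01.prividha.com'                      # hypothetical DC
$nc = (Get-ADDomain).DistinguishedName         # the domain naming context

# High Watermark per inbound partner: LastChangeUsn is the highest USN already
# received from that partner ("what I have received").
Get-ADReplicationPartnerMetadata -Target $dc -Partition $nc |
    Select-Object Partner, LastChangeUsn, LastReplicationSuccess, ConsecutiveReplicationFailures

# Up-To-Dateness Vector: highest originating USN seen from every DC, regardless of
# the path it arrived by. This is what stops a change being re-applied twice.
Get-ADReplicationUpToDatenessVectorTable -Target $dc -Partition $nc |
    Select-Object Server, UsnFilter, LastReplicationSuccess

# Same vector from repadmin, plus the bridgeheads the KCC chose for inter-site traffic.
repadmin /showutdvec $dc "$nc"
repadmin /bridgeheads
```

A partner whose LastChangeUsn stops moving while its LastReplicationSuccess ages is the pattern to watch for: the vectors are healthy only when they advance together across all DCs.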

16. What is the order of Group Policy processing (LSDOU)?

Group Policies are applied in the following order, where the last applied policy wins (overwrites conflicting settings):

  1. Local Policy
  2. Site Policy
  3. Domain Policy
  4. Organizational Unit (OU) Policy.

17. What is the “Central Store” for Group Policy?

The Central Store is a centralized folder created in the SYSVOL directory (\\domain\SYSVOL\domain\Policies\PolicyDefinitions). It stores the ADMX and ADML (administrative template) files. This ensures that all administrators editing GPOs see the same template versions, rather than relying on the local files on their individual workstations.

18. What is the difference between “Enforced” and “Block Inheritance” in GPO?

Block Inheritance: Configured on an OU to stop it from accepting settings from higher-level GPOs (Domain/Parent OU).

Enforced: Configured on a GPO link. It forces the policy to apply even if “Block Inheritance” is set on the OU. An Enforced policy takes the highest precedence.
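The following added example (not part of the original page) covers questions 16 to 18: it shows the effective, ordered GPO list for an OU, whether that OU blocks inheritance, which inherited links are enforced, and whether the Central Store exists. The OU OU=Sales,DC=prividha,DC=com is hypothetical; the GroupPolicy module cmdlets and gpresult are standard.

```powershell
# Added example: LSDOU result, Block Inheritance / Enforced state, Central Store check.
Import-Module GroupPolicy
$domain = 'prividha.com'
$ou     = 'OU=Sales,DC=prividha,DC=com'        # hypothetical OU

$inh = Get-GPInheritance -Target $ou
"Block Inheritance on ${ou}: $($inh.GpoInheritanceBlocked)"

# InheritedGpoLinks is the effective list ordered by precedence (Order 1 wins).
# Enforced links from the domain or parent OUs still appear here even when the
# OU blocks inheritance, which is exactly the Enforced-beats-Block rule.
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled, Target

# Central Store: ADMX/ADML under SYSVOL so every editor sees the same templates.
$store = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
if (Test-Path $store) {
    'Central Store present: {0} ADMX files' -f (Get-ChildItem $store -Filter *.admx).Count
} else {
    Write-Warning 'No Central Store; GPMC falls back to the local %SystemRoot%\PolicyDefinitions.'
}

# Resultant set as actually applied to this computer (LSDOU already evaluated).
gpresult /r /scope:computer
```

Comparing the Order column with the Enforced flag makes the precedence rule concrete: an enforced domain-level link sits above every OU-level link regardless of where it was linked.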

19. What are the benefits of using Managed Service Accounts (MSAs) and gMSAs?

They solve the security risk of manual service account management.

MSA (Managed Service Account): Ties a service account to a single computer. AD manages the password automatically (complex, 240-character), so admins don’t need to manually reset it.

gMSA (Group Managed Service Account): Extends this capability to multiple servers (e.g., a web farm behind a load balancer). It requires a Key Distribution Service (KDS) Root Key.
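As an added example (not from the original page), the script below creates a gMSA for a two-node web farm end to end: KDS root key, the computer group allowed to retrieve the password, the account itself, installation on a host, and a check of who may read any gMSA password. All names (WebFarm-Hosts, gmsa-web, WEB01, WEB02, the SPN) are hypothetical.

```powershell
# Added example: provision and verify a gMSA. Names are hypothetical.
Import-Module ActiveDirectory

# One-time per forest. In production omit -EffectiveImmediately and wait about
# 10 hours so every DC has replicated the key before a gMSA depends on it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group can retrieve the managed password.
New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -GroupCategory Security -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity 'WebFarm-Hosts' -Members 'WEB01$', 'WEB02$'

# The account. AD rotates the password itself (ManagedPasswordIntervalInDays defaults to 30).
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'gmsa-web.prividha.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarm-Hosts' `
    -ServicePrincipalNames 'HTTP/www.prividha.com' `
    -KerberosEncryptionType AES128, AES256

# On each web host, after a reboot so the new group membership is in its token:
Install-ADServiceAccount -Identity 'gmsa-web'
Test-ADServiceAccount -Identity 'gmsa-web'     # True once the host can retrieve the password

# Review: which principals can read each gMSA's password? Keep this set tight.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```

The final query is the one worth scheduling: a gMSA is only as strong as the membership of the group that is allowed to retrieve its password.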

20. What is the Active Directory Recycle Bin and how does it differ from a Tombstone?

When an object is deleted, it becomes a “Tombstone” (hidden, stripped of most attributes) for a set time (180 days by default). Restoring a tombstone loses attribute data (such as group membership). The AD Recycle Bin (introduced in Server 2008 R2) preserves the deleted object with all its attributes for the Deleted Object Lifetime. This allows a complete recovery without data loss and without rebooting into Directory Services Restore Mode (DSRM).
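The following added example (not from the original page) reads the forest's tombstone lifetime, enables the Recycle Bin if it is off, lists deleted users with the attributes the Recycle Bin preserved, and restores one. The account name jdoe is hypothetical; the cmdlets are from the ActiveDirectory module.

```powershell
# Added example: tombstone lifetime, Recycle Bin enablement, and a full-fidelity restore.
Import-Module ActiveDirectory
$forest = Get-ADForest
$config = (Get-ADRootDSE).configurationNamingContext

# Tombstone lifetime lives on the Directory Service object. An empty value means the
# legacy default of 60 days; 180 days is the default for forests created on 2003 SP1 or later.
$ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
"tombstoneLifetime: $($ds.tombstoneLifetime)"

# Enabling the Recycle Bin is one-way and needs forest functional level 2008 R2 or higher.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.Name
}

# Deleted users. With the Recycle Bin on, group membership (memberOf) is still there,
# which is exactly what a tombstone reanimation would have lost.
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -Properties msDS-LastKnownRDN, LastKnownParent, memberOf, whenChanged |
    Select-Object msDS-LastKnownRDN, LastKnownParent, whenChanged, @{n='Groups'; e={ $_.memberOf.Count }}

# Restore one account. No DSRM reboot, no authoritative restore.
Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq "jdoe"' -IncludeDeletedObjects |
    Restore-ADObject
```

Restore-ADObject puts the object back under its LastKnownParent; if that container was deleted too, restore the parent first.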

21. What is the “Protected Users” security group?

Introduced in Server 2012 R2, this group hardens security for high-privilege accounts. Members of this group cannot use NTLM authentication (they must use Kerberos), cannot have plain-text credentials cached, cannot be delegated (constrained or unconstrained), and have a strictly limited Kerberos TGT lifetime (4 hours). This mitigates credential theft attacks such as Pass-the-Hash.

22. Explain the concept of the Read-Only Domain Controller (RODC).

An RODC holds a read-only partition of the AD database. It is designed for locations with weak physical security (e.g., branch offices). By default it does not store user passwords (except for the RODC computer account and its krbtgt account). If the RODC is stolen, the rest of the domain is not compromised because it does not hold those credentials, unless caching was explicitly allowed via the Password Replication Policy.
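As an added example (not from the original page), the commands below audit an RODC's Password Replication Policy: the allowed and denied lists, the accounts whose secrets have actually been revealed to the RODC (the blast radius if it is stolen), and the accounts that authenticated through it without being cached. The RODC name RODC01 is hypothetical; the cmdlets are from the ActiveDirectory module.

```powershell
# Added example: audit what an RODC is allowed to cache and what it has cached.
Import-Module ActiveDirectory
$rodc = 'RODC01'                                  # hypothetical RODC

# Allowed and denied lists. Denied wins; Domain Admins and similar are denied by default.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object @{n='Policy'; e={ 'Allowed' }}, Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object @{n='Policy'; e={ 'Denied' }}, Name, ObjectClass

# Accounts whose secrets are stored on this RODC: the exposure if the box walks away.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# Accounts that authenticated via this RODC but were not cached: candidates for the
# Allowed list if branch logons must survive a WAN outage.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# Sanity check: nothing privileged should sit in the Allowed list.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Where-Object { $_.Name -match 'Admin' } |
    ForEach-Object { Write-Warning "Privileged principal in Allowed PRP: $($_.Name)" }
```

The revealed-accounts list is the one to review after any suspected physical compromise: those are the credentials to reset.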

23. What is Azure AD Connect and what are the main sign-in methods?

Azure AD Connect is the tool used to bridge on-premises AD with Azure Active Directory. The main sign-in methods are:

Password Hash Sync (PHS): Syncs a hash of the on-prem password hash to the cloud. Easiest to deploy.

Pass-Through Authentication (PTA): Validates passwords against on-prem AD via a lightweight agent (no hashes in the cloud).

Federation (AD FS): Redirects authentication to an on-prem AD FS server. Required for complex scenarios such as smart cards.

24. What is the difference between a Forest Trust and an External Trust?

Forest Trust: A transitive trust between two entire forests. It allows users in any domain in Forest A to access resources in any domain in Forest B (if allowed). It supports Kerberos and NTLM.

External Trust: A non-transitive trust between specific domains in different forests (or NT4 domains). It connects Domain A directly to Domain B but does not extend to other domains in those forests.

25. What is the “AdminSDHolder” object and SDPROP?

This relates to protected groups (like Domain Admins). Every 60 minutes, a process called SDPROP runs on the PDC Emulator. It compares the Access Control List (ACL) of protected accounts against the ACL of the AdminSDHolder object. If the permissions differ (e.g., someone manually changed a Domain Admin’s permissions), SDPROP overwrites them with the AdminSDHolder’s ACL to ensure security consistency. This often prevents permission inheritance on admin accounts (Implicitly covered under privilege management concepts).
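The following is an added example (not from the original page) for questions 21 and 25 together: it dumps the AdminSDHolder ACL that SDPROP stamps onto protected accounts, then lists every account with adminCount=1, whether it is still in a privileged group, whether it is in Protected Users, and whether its ACL inheritance is blocked. The group names are the built-in ones; no other identifiers are assumed.

```powershell
# Added example: AdminSDHolder template ACL and an adminCount / Protected Users audit.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# The template ACL SDPROP applies hourly from the PDC Emulator.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
(Get-Acl -Path "AD:\$adminSdHolder").Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Sort-Object IdentityReference

# Membership sets to compare against.
$protectedUsers = Get-ADGroupMember 'Protected Users' -Recursive |
                  Select-Object -ExpandProperty SamAccountName
$privGroups     = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                  'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$privMembers    = $privGroups |
                  ForEach-Object { Get-ADGroupMember $_ -Recursive -ErrorAction SilentlyContinue } |
                  Select-Object -ExpandProperty SamAccountName -Unique

# Accounts SDPROP has touched. StillPrivileged = False means an orphan: it left the
# protected groups but keeps the stamped ACL and blocked inheritance until cleared.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object SamAccountName,
        @{n='StillPrivileged';    e={ $_.SamAccountName -in $privMembers }},
        @{n='InProtectedUsers';   e={ $_.SamAccountName -in $protectedUsers }},
        @{n='InheritanceBlocked'; e={ (Get-Acl "AD:\$($_.DistinguishedName)").AreAccessRulesProtected }} |
    Sort-Object StillPrivileged, InProtectedUsers
```

Two rows deserve follow-up: privileged accounts with InProtectedUsers = False (candidates for the group, after testing for NTLM-only dependencies) and orphans with StillPrivileged = False (clear adminCount and re-enable inheritance so delegated OU permissions apply again).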

26. What happens during a user logon in Active Directory?

Expected concepts: Authentication flow knowledge. Kerberos, AS-REQ / AS-REP, TGT, service ticket, DNS SRV lookup, GC involvement (if universal groups).
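As an added example (not from the original page), the commands below trace those concepts from the client side: the DC locator step, the TGT obtained via AS-REQ/AS-REP, the service tickets from TGS exchanges, and the group SIDs (including universal groups) that ended up in the logon token. The domain prividha.com is the page's own example; nltest, klist and whoami are built into Windows.

```powershell
# Added example: observe the logon flow pieces on a domain-joined client.
Import-Module ActiveDirectory
$domain = 'prividha.com'

# 1. DC locator: DNS SRV lookup followed by an LDAP ping to pick a DC in this site.
#    /kdc asks for a DC running the KDC; /force bypasses the cached result.
nltest "/dsgetdc:$domain" /kdc /force

# 2. AS-REQ / AS-REP: the TGT for the current logon session, with lifetime and flags.
klist tgt

# 3. TGS-REQ / TGS-REP: service tickets already held (cifs/, ldap/, HOST/ ...).
klist

#    Force a fresh TGS exchange by requesting a ticket for a DC's LDAP SPN.
$dc = (Get-ADDomainController -Discover -Service KDC -DomainName $domain).HostName[0]
klist get "ldap/$dc"

# 4. GC involvement: universal group membership is resolved at logon. These are the
#    groups that landed in the token, universal ones from other domains included.
whoami /groups /fo csv | ConvertFrom-Csv | Select-Object 'Group Name', Type, SID
```

If step 2 shows no TGT at all, the session authenticated with NTLM (or is a local account), which is the first thing an interviewer would expect a candidate to recognise.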

27. What is SYSVOL and why is it important?

1. Stores GPOs and logon scripts

2. Must be identical on all DCs

3. Replicated using DFSR

4. Required for policy processing

28. What is a lingering object?

Correct answer:

Object deleted on one DC but not replicated to another within tombstone lifetime

Causes replication errors

Fixed using repadmin /removelingeringobjects
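The following added example (not from the original page) serves questions 13, 27 and 28 together: it confirms SYSVOL is on DFSR, compares the SYSVOL policy folders across DCs, pulls the replication failure summary, and runs the lingering-object check in advisory mode, which reports without deleting. The DC names DC01 and DC02 are hypothetical; dfsrmig and repadmin ship with the AD DS tools.

```powershell
# Added example: SYSVOL replication state, cross-DC consistency, and lingering objects.
Import-Module ActiveDirectory

# FRS -> DFSR migration state. Global state 3 (Eliminated) means SYSVOL is fully on DFSR.
dfsrmig /getglobalstate
dfsrmig /getmigrationstate

# SYSVOL must be shared and identical on every DC: compare the GPO folder count per DC.
Get-ADDomainController -Filter * | ForEach-Object {
    $share = "\\$($_.HostName)\SYSVOL\$($_.Domain)\Policies"
    [pscustomobject]@{
        DC      = $_.HostName
        Online  = Test-Path $share
        GpoDirs = if (Test-Path $share) { (Get-ChildItem $share -Directory).Count } else { $null }
    }
}

# Replication health. A partner whose last success is older than the tombstone
# lifetime is exactly how lingering objects come to exist.
repadmin /replsummary
Get-ADReplicationFailure -Scope Domain |
    Select-Object Server, Partner, FailureType, FirstFailureTime, FailureCount

# Lingering-object check: compare a destination DC against a reference DC for one
# naming context. The reference is identified by the objectGUID of its NTDS Settings
# object. /advisory_mode only logs Directory Service events; omit it to remove objects.
$dest    = 'DC02.prividha.com'                                            # hypothetical destination DC
$refDsa  = (Get-ADDomainController -Identity 'DC01').NTDSSettingsObjectDN # hypothetical reference DC
$refGuid = (Get-ADObject -Identity $refDsa).ObjectGUID
$nc      = (Get-ADDomain).DistinguishedName
repadmin /removelingeringobjects $dest $refGuid "$nc" /advisory_mode
```

Run the advisory pass first and read the Directory Service event log on the destination DC; only when the reported objects match expectations should the command be repeated without /advisory_mode.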
