Active Directory Interview Questions Answers

This document serves as a comprehensive resource for preparing for Active Directory job interviews, covering fundamental concepts, advanced topics, and administrative tasks. It includes a structured collection of frequently asked questions and detailed answers tailored for various experience levels, focusing on essential aspects such as user management, security, and Group Policy. The content is designed to help IT professionals effectively demonstrate their knowledge and skills in Active Directory during interviews.

Uploaded by

nrp_rahul
Active Directory Interview Questions with Answers

Introduction to Active Directory Interview Preparation


Microsoft Active Directory (AD) stands as a cornerstone of modern IT infrastructure,
serving as a comprehensive directory service that manages users, computers, and
other network resources within a Windows-based network.1 Its fundamental role
encompasses centralized authentication, ensuring that only authorized users and
devices can access network resources; authorization, which defines the level of
access granted to authenticated entities; and overall management of the network
environment.1 The ability to effectively manage Active Directory is a critical skill for IT
professionals, making thorough preparation for job interviews in this domain essential
for career advancement.1 This report aims to serve as a comprehensive resource for
individuals preparing for Active Directory-related job interviews, offering a structured
collection of frequently asked questions and detailed answers across various
experience levels and specialized areas. The content is organized to cover
fundamental concepts for beginners, more intricate details for intermediate
candidates, and complex scenarios for advanced professionals, alongside specific
sections focusing on troubleshooting, behavioral aspects, new features, security, and
related technologies.

Beginner Level Active Directory Interview Questions and Answers

Fundamental Active Directory Concepts

What is Microsoft Active Directory?
Microsoft Active Directory is a directory service developed by Microsoft for Windows
domain networks.1 It acts as a centralized repository for managing network objects
such as user accounts, computer accounts, groups, and organizational units.1 The
primary purpose of Active Directory is to simplify network administration by providing
a single point of management for all network resources, including security settings
and access permissions.1 Key features of Active Directory include security and
authentication, allowing the network to verify the identity of users and computers 1;
simplified administration through a centralized location for managing network
resources 1; and providing authentication and authorization services to control access
to network resources.1

What is a domain in Active Directory?


In Active Directory, a domain represents a grouping of network resources that share a
common security perimeter.1 It is a fundamental administrative unit, acting as a logical
container for computers, users, and other resources that are managed by a single set
of administration tools and security policies.1 Users need only log in to the domain
to gain access to the resources within it, regardless of the physical location of these
resources on the network.4 The domain also defines an administrative boundary,
meaning that administrative privileges within one domain do not automatically extend
to other domains.8

What is a domain controller?


A domain controller is a server that plays a crucial role in maintaining the security and
integrity of an Active Directory (AD) domain.2 It is responsible for authenticating and
authorizing all user and computer access to resources within the domain.1
Additionally, a domain controller enforces the security policies defined for the domain
and serves as a central point of administration.2 Domain controllers also replicate
Active Directory data to other domain controllers within the domain, ensuring
redundancy and availability of directory services.2

What is a forest in Active Directory?


When discussing Active Directory, the concept of a forest often arises. A forest
represents the highest level of organizational structure within Active Directory.1 It is a
collection of one or more domain trees that share a common schema, configuration,
and a global catalog.1 A forest can also be viewed as a security boundary, providing a
measure of security and isolation between different domains.1

What is an Organizational Unit (OU)?


An Organizational Unit (OU) is a container object within an Active Directory domain
that is used to organize users, computers, and other objects into logical groups.3 OUs
are crucial for simplifying the management of large numbers of objects by providing a
hierarchical structure within the domain.1 They are also essential for applying Group
Policy settings to specific sets of users or computers and for delegating administrative
control over portions of the directory.3

What is LDAP in Active Directory?


LDAP, which stands for Lightweight Directory Access Protocol, is the primary protocol
used to access and manipulate directory information in Active Directory.1 It acts as the
language that clients, such as computers and applications, use to communicate with
Active Directory servers to query and modify directory data.1 Active Directory uses
LDAP to interact with other directory services as well.1

What is Kerberos and how does it work in Active Directory?
Kerberos is a network authentication protocol that provides a secure method for
verifying the identity of users and services.1 It uses secret-key cryptography to
prevent eavesdropping and replay attacks, offering strong authentication for
client/server applications.1 In Active Directory, Kerberos is the default authentication
protocol used within a domain, providing a secure and efficient way for users and
computers to prove their identity to each other and to network services.1

What is DNS in Active Directory?


DNS, or Domain Name System, is a hierarchical naming system that translates
human-readable domain names into IP addresses that computers use to
communicate.1 Active Directory heavily relies on DNS for its proper functioning.12 It
uses DNS to locate domain controllers and other resources within a domain.1 For
instance, when a computer tries to join a domain or a user attempts to log in, the
computer queries the DNS server to find a domain controller.5 The integration of DNS
with Active Directory is crucial for ensuring seamless authentication and access to
network resources.24

Core Components and their Functions


What are the main components of Active Directory?
The main components of Active Directory include Domain Name System (DNS),
Lightweight Directory Access Protocol (LDAP), Kerberos, and Active Directory Domain
Services (AD DS).1 Other key components include the schema, which defines the
structure of the directory; organizational units (OUs), which are containers for
organizing objects; and the global catalog, which provides a searchable index of all
objects in the forest.1 The SYSVOL folder, which stores public domain files, is also a
critical component.1

What is Active Directory Domain Services (AD DS)?


Active Directory Domain Services (AD DS) is the core service within Active Directory
that provides directory capabilities.1 It is responsible for managing user and computer
accounts, providing authentication and authorization services, and enforcing security
policies within a domain.1 AD DS stores directory data in a hierarchical structure,
allowing for efficient organization and management of network resources.1

What is the Active Directory Schema?


The Active Directory Schema is a dynamic directory component that defines all the
objects and attributes that the directory service uses to store data.4 It acts as a
blueprint, outlining the types of objects that can be created in an Active Directory
forest, the properties those objects can have, and the rules for creating and
manipulating them.3 The schema consists of schema objects, which are definitions of
classes and attributes.1

What is the Global Catalog and its function?


The Global Catalog is a distributed data repository that holds a partial replica of every
object in the forest.1 Its primary function is to enable users and applications to search
for objects across the entire forest without needing to know the specific domain
where the object resides.1 Global Catalog servers are also essential for universal
group membership and inter-domain group membership.8

What is the SYSVOL folder and what is its purpose?


The SYSVOL folder is a shared directory on each domain controller that stores the
domain's public files.4 The contents of the SYSVOL folder, such as Group Policy
objects, logon scripts, and other domain-wide data, are replicated to all domain
controllers in the domain.1 This ensures that all domain controllers have a consistent
set of policies and scripts, which are then applied to users and computers within the
domain.1

Basic Administrative Tasks


How do you create a new user account in Active Directory?
A new user account in Active Directory is typically created using the Active Directory
Users and Computers (ADUC) snap-in.6 The process involves opening ADUC,
navigating to the appropriate domain or OU, right-clicking, and selecting "New"
followed by "User".6 You will then be prompted to enter details such as the user's first
name, last name, username, and password.6 It is also important to assign the new user
account to an appropriate OU to ensure the correct Group Policy settings are
applied.6

How do you reset a user's password?


A user's password in Active Directory can be reset using several methods, including
the Active Directory Users and Computers (ADUC) console, the command line, or
PowerShell.7 In ADUC, you would locate the user account, right-click, and select
"Reset Password." You will then be asked to enter and confirm the new password.7 For
security reasons, it is often recommended to force the user to change the password
at their next logon.6

What is the difference between a user account and a computer account?
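The two tasks above, done with the ActiveDirectory PowerShell module instead of the ADUC snap-in. This is an added example, not code from the original document; the domain corp.example, the OU path and the account jdoe are assumed values.

```powershell
# Added example: create a user directly in its target OU, then perform an
# administrative password reset that forces a change at next logon.
# corp.example, the OU path and "jdoe" are assumed values.
Import-Module ActiveDirectory

$ou = "OU=Sales,OU=Users,DC=corp,DC=example"

# Read passwords interactively so they never land in the script or the shell history.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for jdoe"

# Creating the account in the correct OU from the start means the OU's Group Policy
# and any delegated permissions apply immediately, not after a later move.
New-ADUser -Name "Jane Doe" `
           -GivenName "Jane" -Surname "Doe" `
           -SamAccountName "jdoe" `
           -UserPrincipalName "jdoe@corp.example" `
           -Path $ou `
           -AccountPassword $initialPassword `
           -ChangePasswordAtLogon $true `
           -Enabled $true

# Password reset for an existing account. -Reset is an administrative reset: it does
# not need the old password, which is exactly the "Reset Password" right that is
# delegated to helpdesk staff (distinct from a user changing their own password).
$newPassword = Read-Host -AsSecureString -Prompt "New password for jdoe"
Set-ADAccountPassword -Identity "jdoe" -Reset -NewPassword $newPassword

# Require the user to pick their own password at next logon, and clear any lockout
# left behind by failed attempts with the old one.
Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity "jdoe"

# Verify: with the change-at-logon flag set, pwdLastSet is 0, so PasswordLastSet is
# empty and PasswordExpired reads True.
Get-ADUser -Identity "jdoe" -Properties PasswordExpired, PasswordLastSet, LockedOut |
    Select-Object SamAccountName, DistinguishedName, PasswordExpired, PasswordLastSet, LockedOut
```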
In Active Directory, a user account represents a person or other entity that can log on
to the network.6 It is used to authenticate the user and manage their access to
resources on the network.7 On the other hand, a computer account represents a
computer that is joined to a domain.6 It is used to authenticate the computer and
manage its access to network resources.7 Both user and computer accounts are
objects in Active Directory but have distinct attributes and functionalities.18

What is the difference between a Security Group and a Distribution Group?


Security Groups and Distribution Groups serve different primary purposes in Active
Directory.1 Security Groups are primarily used to assign permissions to shared
resources, such as files, folders, and printers.1 They can contain user accounts,
computer accounts, and other groups. Distribution Groups, on the other hand, are
mainly used for creating email distribution lists and cannot be directly assigned
permissions to resources.1 Security Groups have a Security Identifier (SID), while
Distribution Groups do not.3

Intermediate Level Active Directory Interview Questions and Answers

Advanced Concepts

What is a trust relationship in Active Directory?
A trust relationship in Active Directory is a logical link established between two
domains or forests that allows users in one domain to access resources in another
domain.1 Trusts can be one-way, where access is granted from one domain to another
but not vice versa; or two-way, where reciprocal access is enabled.1 Trusts can also be
transitive, meaning the trust relationship extends to other trusted domains in a
hierarchy, or non-transitive, where the trust is limited to the two directly involved
domains.1 Forest trusts allow trust between entire forests, enabling seamless access
across multiple domain trees.1

What is Active Directory replication and why is it important?


Active Directory replication is the process by which changes made to the Active
Directory database on one domain controller are copied to all other domain
controllers within the same domain or forest.1 This process is crucial for several
reasons. Firstly, it ensures data consistency across the entire AD infrastructure, so
that any domain controller can provide up-to-date information.1 Secondly, it provides
high availability and fault tolerance; if one domain controller fails, others can continue
to provide directory services.1 Active Directory uses a multi-master replication model,
where changes can be made on any writable domain controller and are then
replicated to others.3

What are Flexible Single Master Operation (FSMO) roles?


Flexible Single Master Operation (FSMO) roles are specialized roles assigned to
specific domain controllers in an Active Directory domain or forest to handle tasks
that are best performed by a single master.3 There are five FSMO roles in total. Two
are forest-wide: the Schema Master, which controls all updates and modifications to
the schema, and the Domain Naming Master, which manages the addition and
removal of domains in the forest.3 The other three are domain-wide: the RID Master,
which allocates blocks of unique Relative IDs to each domain controller in the domain;
the PDC Emulator, which acts as the primary domain controller for older Windows NT
4.0 BDCs, handles password changes, and is the authoritative time source for the
domain; and the Infrastructure Master, which is responsible for updating
cross-domain group memberships and references.3

What is a Site in Active Directory and why is it important?


A Site in Active Directory represents a set of IP subnets that are connected by
high-speed, reliable network links.1 Sites are a crucial element in Active Directory
because they allow administrators to configure and manage replication traffic
between domain controllers based on the physical network topology.1 By defining
sites, you can ensure that replication occurs more frequently over fast links and less
frequently over slower WAN links, optimizing network bandwidth usage.1 Sites also
help clients to discover the nearest domain controllers and other services, improving
login times and overall network performance.1

Group Policy Management


What is Group Policy and how is it used in Active Directory?
Group Policy is a powerful feature of Active Directory that provides centralized
management and configuration of operating systems, applications, and user settings
in an AD environment.1 It allows administrators to define and control how programs,
network resources, and the operating system operate for users and computers in an
organization.3 Group Policies are applied to OUs, sites, domains, or local computers
and can be used to enforce security settings, install software, configure desktop
environments, and manage a wide range of other settings.1

Explain Group Policy Objects (GPOs), their scope, and inheritance.


Group Policy settings are contained within Group Policy Objects (GPOs), which are
collections of configuration settings that define a specific security policy or
operational behavior for users and computers.7 GPOs can be linked to different levels
within the Active Directory structure, including sites, domains, and organizational units
(OUs), which defines their scope of application.1 Group Policy inheritance follows a
specific order, known as LSDOU: Local, Site, Domain, and Organizational Unit.1 Policies
applied at a lower level (closer to the OU) override policies applied at higher levels.
Administrators can also block inheritance to prevent policies from parent containers
from applying to child containers, or enforce policies to ensure they are applied and
cannot be overridden by lower-level policies.1

What is Group Policy Loopback Processing?


Group Policy loopback processing is a feature that allows you to apply user-based
Group Policy settings to users based on the computer they log on to, rather than
based on their user account's location in Active Directory.12 This is particularly useful
in scenarios such as kiosk computers or terminal servers where you need to apply
specific user settings regardless of who logs in.12 There are two loopback processing
modes: Merge mode, where the user policies are merged with the computer policies,
with user policies usually taking precedence; and Replace mode, where only the user
policies associated with the computer are applied, overriding the user's own policies.12

Active Directory Recycle Bin and Object Recovery


What is the Active Directory Recycle Bin?
The Active Directory Recycle Bin is a feature introduced in Windows Server 2008 R2
that allows you to recover accidentally deleted Active Directory objects without having
to restore from a backup.1 When an object is deleted, it is not immediately removed
from the database but is instead moved to a special "Deleted Objects" container in a
recycled state.1 From there, it can be restored to its original location along with most
of its original attributes, provided this is done within the tombstone lifetime.1

How can you recover a deleted object from Active Directory?


To recover a deleted object from Active Directory, if the Active Directory Recycle Bin is
enabled, you can use the Active Directory Administrative Center or PowerShell
cmdlets.12 Using the Administrative Center, you navigate to the Deleted Objects
container, locate the deleted object, and then restore it. PowerShell provides cmdlets
like Get-ADObject -Filter {isDeleted -eq $True} -IncludeDeletedObjects to find
deleted objects and Restore-ADObject to restore them.21 If the Recycle Bin is not
enabled or the tombstone lifetime has expired, the primary method for recovery is to
perform an authoritative restore of Active Directory from a backup.12

What is the tombstone lifetime in Active Directory?


The tombstone lifetime in Active Directory determines the duration for which a deleted
object, referred to as a "tombstone," is retained in the Active Directory Domain
Services (AD DS) database before being permanently removed.1 When an object is
deleted, it is not immediately erased but is marked with a special attribute indicating
it's a tombstone.1 The default tombstone lifetime is typically 60 days, but this can be
configured at the forest level.1 This period allows for the recovery of accidentally
deleted objects if the Active Directory Recycle Bin is enabled.
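The recovery procedure and tombstone-lifetime check from the two answers above, as an added PowerShell example (not from the original document). The forest corp.example and the deleted account jdoe are assumed values.

```powershell
# Added example: confirm the AD Recycle Bin is enabled, locate a deleted user,
# restore it, and read the forest's tombstone lifetime. "jdoe" is an assumed value.
Import-Module ActiveDirectory

# 1. Is the optional feature enabled? EnabledScopes is empty when it is not.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Write-Warning "AD Recycle Bin is not enabled: a reanimated tombstone keeps only a few attributes, and a full recovery needs an authoritative restore from backup."
}

# 2. Find the deleted object. Deleted objects sit in the Deleted Objects container and
#    are returned only when -IncludeDeletedObjects is given.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq "jdoe" } `
                        -IncludeDeletedObjects `
                        -Properties sAMAccountName, lastKnownParent, whenChanged, objectClass

foreach ($obj in $deleted) {
    # lastKnownParent is where the object lived; that container must still exist
    # (or be restored first) for Restore-ADObject to put it back in place.
    "{0} ({1}) deleted from {2} on {3}" -f $obj.Name, $obj.objectClass, $obj.lastKnownParent, $obj.whenChanged
}

# 3. Restore. If the original OU was deleted too, restore the OU first, or pass
#    -TargetPath to place the object somewhere else.
if ($recycleBin.EnabledScopes -and $deleted) {
    $deleted | Restore-ADObject
    # Group memberships and other attributes come back with the object when the
    # Recycle Bin is enabled; check they did.
    Get-ADUser -Identity "jdoe" -Properties MemberOf | Select-Object Name, Enabled, MemberOf
}

# 4. Tombstone lifetime lives on the Directory Service object in the configuration
#    partition. An unset attribute means the forest uses its built-in default.
$config     = (Get-ADRootDSE).configurationNamingContext
$dsSettings = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
if ($dsSettings.tombstoneLifetime) {
    "Tombstone lifetime: {0} days" -f $dsSettings.tombstoneLifetime
} else {
    "Tombstone lifetime: attribute not set, forest default applies"
}
```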

Security Principles

Explain the purpose of Security Groups and how they are used for permissions.
Security Groups in Active Directory are used to assign permissions to shared
resources.1 Instead of assigning permissions directly to individual user accounts,
which can become cumbersome to manage, administrators can add user accounts to
a Security Group and then assign the necessary permissions to that group.1 This
simplifies administration, as you can manage access for multiple users by modifying
the membership of the group rather than changing permissions for each user
individually.1 Security Groups can be used to control access to various resources,
including file shares, printers, and even Active Directory objects themselves.1

What is Delegation of Control in Active Directory?


Delegation of Control in Active Directory is the process of granting specific
administrative tasks and permissions to users or groups without making them full
administrators of the domain or OU.6 This allows for a more granular approach to
managing Active Directory, enabling tasks such as resetting passwords, creating user
accounts, or managing group memberships to be performed by designated individuals
or teams without giving them overly broad administrative rights.6 Delegation of
Control is typically configured using the Delegation of Control Wizard in the Active
Directory Users and Computers snap-in, which guides administrators through the
process of selecting the tasks to delegate and the users or groups to whom these
tasks should be delegated.6
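What the Delegation of Control Wizard produces is an ACE on the OU. The added example below (not from the original document) writes the same least-privilege grant directly, giving a helpdesk group only the Reset Password right on user objects under one OU, then reads it back; the OU, group and domain names are assumed values.

```powershell
# Added example: delegate only "Reset Password" on user objects beneath one OU to a
# helpdesk group, then verify the resulting ACE. OU, group and domain are assumed values.
Import-Module ActiveDirectory

$ouDN    = "OU=Helpdesk Users,DC=corp,DC=example"
$group   = Get-ADGroup -Identity "Helpdesk-PasswordReset"
$rootDSE = Get-ADRootDSE

# Resolve the two GUIDs from the forest instead of hard-coding them:
# schemaIDGUID of the "user" class (limits the ACE to user objects) and the
# rightsGuid of the "Reset Password" extended right.
$userClass = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
                          -Filter 'lDAPDisplayName -eq "user"' -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID

$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
                           -Filter 'displayName -eq "Reset Password"' -Properties rightsGuid
$resetRightGuid = [guid]$resetRight.rightsGuid

# ACE: Allow <group> the ExtendedRight "Reset Password", inherited by descendants,
# but only where the inherited object class is "user" (not groups, computers, OUs).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetRightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# Apply through the AD: PSDrive that the ActiveDirectory module provides.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify, and keep this as a periodic review: delegated rights accumulate quietly,
# and an OU ACL is where over-broad grants (GenericAll, WriteDacl) tend to hide.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\Helpdesk-PasswordReset" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

ObjectType in the output should equal $resetRightGuid and InheritedObjectType should equal $userClassGuid; an ACE with an empty ObjectType would mean every extended right was granted, not just this one.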

Explain the different types of Active Directory groups (Global, Domain Local,
Universal).
Active Directory supports three main types of groups, each with different scopes and
membership rules: Global Groups, Domain Local Groups, and Universal Groups.1
Global Groups are used to organize users who share similar job functions or roles
within the same domain. They can contain user accounts and other global groups
from their own domain and can be granted permissions to resources in any domain
within the forest.1 Domain Local Groups are used to grant permissions to resources
within their own domain. They can contain user accounts, global groups, and universal
groups from any domain in the forest, as well as computer accounts from their own
domain.1 Universal Groups are designed for granting access to resources across
multiple domains in a forest. They can contain user accounts, global groups, and other
universal groups from any domain in the forest.1 Universal groups require the forest
functional level to be set to Windows 2000 native mode or higher.8

Advanced Level Active Directory Interview Questions and Answers

Complex Infrastructure Scenarios

Explain the considerations for managing a multi-domain forest.
Managing a multi-domain forest in Active Directory requires careful planning and
consideration of several factors.1 Trust relationships between domains are a primary
consideration, as they dictate how users from one domain can access resources in
another.1 The replication topology needs to be carefully designed to ensure efficient
and reliable replication of directory data across all domains, taking into account
network bandwidth and site links.1 The placement of Global Catalog servers is also
critical to allow users to efficiently search for resources across the entire forest.1
Furthermore, the assignment and management of FSMO roles need to be carefully
planned to ensure the stability and proper functioning of the forest.3 Centralized
administration and the delegation of administrative tasks across domains also require
careful consideration to maintain security and operational efficiency.6

What is a Read-Only Domain Controller (RODC) and what are its benefits?
A Read-Only Domain Controller (RODC) is a type of domain controller that hosts a
read-only copy of the Active Directory database.1 Unlike standard writable domain
controllers, RODCs do not allow any changes to the directory database to be made
locally.1 Any write operations must be forwarded to a writable domain controller.
RODCs offer several key benefits, particularly for deployment in branch offices or
locations with limited physical security.1 They enhance security by not storing sensitive
information like user passwords in their database by default, and if compromised, an
RODC cannot be used to make changes to the Active Directory.1 RODCs also reduce
replication traffic over WAN links as they only receive one-way replication of changes.1

Active Directory Performance Monitoring and Optimization
Advanced Active Directory roles often require the ability to monitor and optimize the
performance of the AD infrastructure. This involves using various tools such as
Performance Monitor to track key metrics like CPU utilization, memory usage, network
I/O, and disk activity on domain controllers. Analyzing event logs for replication errors,
DNS issues, or authentication problems is also crucial. Techniques for optimization
might include ensuring proper site link configuration for replication, optimizing the
placement of Global Catalog servers, and tuning Group Policy settings to minimize
processing time during logon. Regularly reviewing and optimizing the AD database
can also improve performance.

Disaster Recovery and Backup/Restore Strategies for Active Directory


A critical aspect of advanced Active Directory management is planning and
implementing effective disaster recovery and backup/restore strategies. This includes
understanding the importance of regular system state backups of all domain
controllers, which contain the Active Directory database and related files.12
Candidates should be able to explain the difference between authoritative and
non-authoritative restores and when each type of restore would be necessary.12 They
should also be familiar with the steps involved in planning and executing a full
recovery of Active Directory in various failure scenarios.1

Advanced Authentication and Authorization Mechanisms


Advanced Active Directory professionals should possess a deep understanding of
authentication and authorization mechanisms beyond basic user logins. This includes
a detailed knowledge of how Kerberos works, including the ticket granting process
and the role of the Key Distribution Center (KDC).1 They should also be familiar with
Service Principal Names (SPNs), which are unique identifiers for service instances that
are registered in Active Directory and are used for Kerberos authentication of
services.13 Understanding different authentication protocols like NTLM and their use
cases is also important.5

Active Directory Troubleshooting Interview Questions and Answers

Common Active Directory Issues and their Symptoms

Replication failures (using repadmin and dcdiag).
Replication failures are a common issue in Active Directory environments and can lead
to inconsistencies in directory data across domain controllers.1 Symptoms can include
inconsistencies in user accounts or group memberships, inability to log in to certain
domain controllers, or errors in the event logs related to replication.5 The repadmin
command-line tool is essential for diagnosing replication issues, allowing
administrators to check the replication status, view replication errors, and force
replication between domain controllers.1 The dcdiag tool can also be used to test the
overall health of domain controllers, including replication functionality.1

Authentication failures (checking event logs).


Authentication failures occur when users or computers are unable to verify their
identity with a domain controller.5 Symptoms include users being prompted for
credentials repeatedly, receiving "Access Denied" errors, or being unable to log in at
all.5 A primary step in troubleshooting authentication failures is to check the event
logs on the client machine and the domain controllers. On the client, the Security
event log may contain information about why the authentication failed. On the domain
controller, the Security event log will record authentication attempts and any
associated errors.1 Common causes of authentication failures include incorrect
passwords, account lockouts, time synchronization issues between the client and the
domain controller, and problems with Kerberos or NTLM authentication.5

DNS resolution problems (using nslookup, ipconfig).


DNS resolution problems can significantly impact Active Directory functionality, as AD
relies heavily on DNS for locating domain controllers and other services.1 Symptoms
can include inability to join a domain, slow logon times, and errors when trying to
access network resources.5 The nslookup command-line tool is invaluable for
diagnosing DNS issues, allowing you to query DNS servers to see if they are resolving
domain names to the correct IP addresses.5 The ipconfig /all command can be used to
check the DNS server settings configured on a client machine.5 Common causes of
DNS resolution problems in an AD environment include incorrect DNS server
configurations on clients or domain controllers, failures in DNS server operation, or
missing or incorrect DNS records for domain controllers (SRV records).21

Group Policy not applying (gpresult, gpupdate /force).


When Group Policy settings are not being applied to users or computers as expected,
it can lead to inconsistencies in system configuration and security.1 Symptoms can
vary depending on the policy that is not being applied, such as desktop settings not
being configured, software not being installed, or security restrictions not being
enforced.1 The gpresult /r command displays the Resultant Set of Policy (RSoP) for a
user or computer, showing which GPOs are being applied and whether any errors
occurred.22 The gpupdate /force command can be used to manually refresh Group
Policy settings on a client machine.22 Common causes for Group Policy not applying
include network connectivity issues preventing access to domain controllers, incorrect
GPO linking or scope configuration, and issues with Group Policy processing order or
inheritance.5
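Added example (not from the original document) covering both the LSDOU inheritance explanation and the "Group Policy not applying" checks above: it walks the OU chain with Get-GPInheritance to show links, blocking and enforcement at each level, checks the GPO's status and security filtering, then runs gpresult against the target. The OU, computer and GPO names are assumed values.

```powershell
# Added example: explain why a GPO does or does not reach a computer in a given OU.
# OU path, computer name and GPO name are assumed values.
Import-Module GroupPolicy

$ouDN     = "OU=Kiosks,OU=Workstations,DC=corp,DC=example"
$computer = "KIOSK-01"
$gpoName  = "Kiosk Lockdown"

function Show-GpoLinks([string]$target) {
    $inh = Get-GPInheritance -Target $target
    "{0}  (inheritance blocked: {1})" -f $target, $inh.GpoInheritanceBlocked
    foreach ($link in $inh.GpoLinks) {
        "    order {0}: {1}  enabled={2} enforced={3}" -f $link.Order, $link.DisplayName, $link.Enabled, $link.Enforced
    }
}

# Walk the OU chain up to the domain (the D and OU of LSDOU). Site-linked GPOs
# live in the configuration partition and are not walked here.
$dn = $ouDN
while ($dn -like "OU=*") {
    Show-GpoLinks $dn
    $dn = $dn.Substring($dn.IndexOf(",") + 1)   # drop the leading RDN to move one level up
}
Show-GpoLinks $dn   # the domain itself

# Effective order after blocking and enforcement, i.e. what the client will apply.
# An enforced link from a parent survives "Block Inheritance" on the child.
"Effective GPO order for {0}:" -f $ouDN
(Get-GPInheritance -Target $ouDN).InheritedGpoLinks | ForEach-Object {
    "    {0}: {1}  (enforced={2})" -f $_.Order, $_.DisplayName, $_.Enforced
}

# A linked GPO can still be skipped: half of it may be disabled, a WMI filter may
# evaluate false, or the computer may lack the "Apply Group Policy" permission.
$gpo = Get-GPO -Name $gpoName
"GPO status: {0}   WMI filter: {1}" -f $gpo.GpoStatus, $gpo.WmiFilter.Name
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, Permission

# Finally, what the target actually applied (/s runs gpresult against a remote host).
gpresult /s $computer /scope:computer /r
```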

Account lockouts (checking lockout policies and event logs).


Account lockouts occur when a user attempts to log in with an incorrect password too
many times, as defined by the domain's account lockout policy.5 Symptoms include
the user being unable to log in and receiving a message indicating that their account
has been locked out.5 To troubleshoot account lockouts, administrators should first
check the domain's account lockout policy to understand the lockout threshold and
duration.5 The event logs on the domain controllers, particularly the Security event
log, should be examined for event IDs related to account lockouts (e.g., Event ID
4740).5 These logs can help identify the domain controller where the lockout occurred
and potentially the source of the failed login attempts.5 Tools like Account Lockout
Examiner (ALOEx) can also assist in pinpointing the source of lockouts in a
multi-domain controller environment.5
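The lockout triage described above, as an added PowerShell example (not from the original document): it reads the lockout policy, the account's current state, and then the Event ID 4740 records on the PDC emulator, which receives every lockout in the domain and records the caller computer name. The account name jdoe and the 24-hour window are assumed values; the account running it needs read access to the DC's Security log.

```powershell
# Added example: find the source of an account lockout from 4740 events on the PDC
# emulator. "jdoe" and the 24-hour window are assumed values.
Import-Module ActiveDirectory

$user = "jdoe"
$pdc  = (Get-ADDomain).PDCEmulator   # lockouts are forwarded here, so it sees them all

# A LockoutThreshold of 0 means lockouts are disabled and no 4740 events will exist.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Current state. BadPwdCount is per-DC and not replicated, so this reflects the DC the
# cmdlet happened to talk to; LockedOut and AccountLockoutTime are replicated.
Get-ADUser -Identity $user -Properties LockedOut, AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, AccountLockoutTime, BadPwdCount, LastBadPasswordAttempt

# 4740 = "A user account was locked out". Event data: [0] TargetUserName,
# [1] TargetDomainName (this field carries the Caller Computer Name), [2] TargetSid.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = "Security"
    Id        = 4740
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $user }

if (-not $events) {
    "No 4740 events for $user on $pdc in the last 24 hours."
} else {
    $events | ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
            ReportedBy     = $_.MachineName
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize

    # Repeated lockouts from a single caller usually point to a cached old password
    # (mapped drive, scheduled task, service, mobile mail client) on that machine;
    # many callers in a short window is the pattern worth escalating.
    $events | Group-Object { $_.Properties[1].Value } |
        Select-Object @{ n = "CallerComputer"; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}
```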

Troubleshooting Methodologies and Tools


Event Viewer.
Event Viewer is a crucial tool for troubleshooting Active Directory and related issues.1
It records system, security, and application events, providing valuable information
about the health and status of the operating system and installed services, including
Active Directory Domain Services.1 Administrators can use Event Viewer to look for
errors and warnings related to Active Directory replication, authentication, Group
Policy processing, and other AD-related operations.1 Filtering the logs by specific
event sources, such as "Directory Service" or "Kerberos," can help narrow down the
search for relevant information.1

Repadmin.
Repadmin is a command-line tool used to diagnose and monitor Active Directory
replication.1 It allows administrators to view the replication topology, check the status
of replication between domain controllers, force replication, and view replication
errors.1 Common repadmin commands include repadmin /showrepl to display the
replication status for each domain controller, repadmin /replsum to provide a summary
of replication health, and repadmin /syncall to initiate replication between all
replication partners.1

Dcdiag.
Dcdiag (Domain Controller Diagnostic Tool) is a command-line tool that analyzes the
state of domain controllers and reports any problems.1 It performs a series of tests to
verify various aspects of domain controller functionality, including DNS, replication,
authentication, and Group Policy.1 Running dcdiag with default parameters performs a
basic set of tests, while using specific switches allows for more targeted testing, such
as dcdiag /test:dns to test DNS-related issues or dcdiag /test:replication to focus on
replication problems.1

Nslookup.
Nslookup is a command-line tool used to query DNS servers [5]. It can be used to verify that DNS is resolving hostnames to the correct IP addresses and vice versa [5]. In the context of Active Directory troubleshooting, nslookup is useful for checking whether domain controllers are correctly registered in DNS with their IP addresses and SRV records [21]. You can use nslookup to query for specific record types, such as A records (hostname to IP address mapping) or SRV records (service location records used by AD clients to find domain controllers and other services) [21].
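The SRV and A record checks above, as an added example rather than material from the cited sources: it uses Resolve-DnsName, the PowerShell counterpart of nslookup -type=SRV, to confirm that every domain controller is published under the _msdcs locator records, that only global catalogs appear under _gc, that only the PDC emulator appears under pdc._msdcs, and that each DC's A record matches the address AD holds for it. The helper name and the set of records checked are my choices; the ActiveDirectory module is assumed.

```powershell
# Added example: verify the DNS records AD clients use to locate domain controllers.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *
$zone   = $domain.DNSRoot

function Get-SrvTargets([string]$Name) {
    # Equivalent of "nslookup -type=SRV <name>": return the host names the SRV record points at.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget }
}

$report = @()

# Every DC must register LDAP and Kerberos SRV records under dc._msdcs.
foreach ($svc in "_ldap._tcp.dc._msdcs.$zone", "_kerberos._tcp.dc._msdcs.$zone") {
    $targets = Get-SrvTargets $svc
    foreach ($dc in $dcs) {
        $report += [pscustomobject]@{
            Record = $svc; Host = $dc.HostName
            Expected = $true; Found = ($targets -contains $dc.HostName)
        }
    }
}

# Only global catalogs belong under _gc; a non-GC listed there misdirects clients.
$gcTargets = Get-SrvTargets "_gc._tcp.$zone"
foreach ($dc in $dcs) {
    $report += [pscustomobject]@{
        Record = "_gc._tcp.$zone"; Host = $dc.HostName
        Expected = [bool]$dc.IsGlobalCatalog; Found = ($gcTargets -contains $dc.HostName)
    }
}

# Exactly one record, pointing at the PDC emulator, is expected under pdc._msdcs.
$pdcTargets = Get-SrvTargets "_ldap._tcp.pdc._msdcs.$zone"
$report += [pscustomobject]@{
    Record = "_ldap._tcp.pdc._msdcs.$zone"; Host = $domain.PDCEmulator
    Expected = $true; Found = ($pdcTargets -contains $domain.PDCEmulator)
}

# A records: the forward lookup must return the address AD knows for the DC.
foreach ($dc in $dcs) {
    $addresses = Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    $report += [pscustomobject]@{
        Record = "A $($dc.HostName)"; Host = $dc.IPv4Address
        Expected = $true; Found = ($addresses -contains $dc.IPv4Address)
    }
}

# Print only mismatches: missing expected records and unexpected ones alike.
$report | Where-Object { $_.Expected -ne $_.Found } | Format-Table -AutoSize
```

No output means every expected record resolves and nothing unexpected is published. A DC missing from dc._msdcs is the classic cause of clients "not finding" the domain even though the DC pings fine; restarting its Netlogon service re-registers the records.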

Gpresult.
Gpresult is a command-line tool that displays the Resultant Set of Policy (RSoP) for a specified user or computer [22]. It shows which Group Policy Objects (GPOs) are being applied, the settings within those GPOs that are taking effect, and any errors or conflicts that might be preventing policies from being applied [22]. This tool is very helpful in troubleshooting scenarios where Group Policy is not being applied as expected [22]. By examining the output of gpresult, administrators can determine whether a GPO is being filtered out due to security group membership, WMI filters, or other reasons [22].

Gpupdate /force.
Gpupdate /force is a command used to immediately refresh Group Policy settings on the local computer [22]. By default, Group Policy settings are refreshed periodically in the background; in troubleshooting scenarios, or when a policy change needs to take effect immediately, gpupdate /force forces a refresh of all applicable Group Policy settings [22]. This helps determine whether a policy is now being applied correctly after a change has been made on the domain controller [22].
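An added example covering both gpresult and gpupdate /force (not code from the cited sources): it optionally forces a refresh, exports the RSoP report as XML with gpresult /x, and then lists every GPO with the reason it was applied or denied. The meaning I attach to the AccessDenied, FilterAllowed, Enabled and IsValid fields is my reading of the gpresult report format, so treat it as an assumption to confirm against your own report; the Computer scope needs an elevated prompt.

```powershell
# Added example: export RSoP as XML and explain why each GPO was applied or denied.
param(
    [ValidateSet('Computer', 'User')][string]$Scope = 'Computer',
    [switch]$Refresh      # run gpupdate /force before collecting the report
)

if ($Refresh) {
    # /force re-applies every setting, not only the ones that changed since the last refresh.
    gpupdate /force /target:$($Scope.ToLower()) | Out-Null
}

$xmlPath = Join-Path $env:TEMP "rsop-$Scope.xml"
# /x writes the report as XML, /f overwrites an existing file, /scope limits it to one side.
gpresult /x $xmlPath /f /scope $Scope | Out-Null
[xml]$rsop = Get-Content -Path $xmlPath -Raw

# PowerShell's XML adapter ignores namespaces, so the report can be walked with dot notation.
$gpos = @($rsop.Rsop."${Scope}Results".GPO)

$rows = foreach ($g in $gpos) {
    # Field semantics (assumption):
    #   AccessDenied  = security filtering denied "Apply Group Policy"
    #   FilterAllowed = WMI filter result, false means filtered out
    #   Enabled       = this side (user/computer) of the GPO is enabled
    #   IsValid       = the GPO's AD and SYSVOL parts were readable
    $status = if ($g.AccessDenied -eq 'true')       { 'Denied (Security)' }
              elseif ($g.FilterAllowed -eq 'false') { "Denied (WMI filter: $($g.FilterName))" }
              elseif ($g.Enabled -eq 'false')       { 'Not applied (GPO side disabled)' }
              elseif ($g.IsValid -eq 'false')       { 'Not applied (GPO inaccessible)' }
              else                                  { 'Applied' }

    [pscustomobject]@{
        GPO      = $g.Name
        LinkedAt = @($g.Link | ForEach-Object { $_.SOMPath }) -join '; '
        Status   = $status
    }
}

$rows | Sort-Object Status, GPO | Format-Table -AutoSize
```

The "Denied (Security)" and WMI-filter rows are the ones the prose above says to look for; "GPO inaccessible" usually points at a SYSVOL replication or permissions problem rather than at the GPO's scope.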

Scenario-Based Troubleshooting Questions with Step-by-Step Solutions

User unable to log in.
When a user is unable to log in to their domain account, the first step is to ensure that the user is entering the correct username and password [7]. Check whether the Caps Lock key is on. If the user has forgotten their password, it may need to be reset by an administrator [7]. If the password is correct, the next thing to check is the account status in Active Directory Users and Computers: ensure the account is not disabled or locked out [5]. If the account is locked out, an administrator can unlock it. Also verify that the user's account is a member of the appropriate groups and that no account expiration policy is preventing login [5]. Network connectivity issues between the user's computer and the domain controller can also cause login failures, so check that the computer can communicate with a domain controller (e.g., by pinging it by IP address and by name) [5]. DNS resolution problems can also lead to login issues, so verifying the client's DNS settings and the client's ability to resolve the domain name is crucial [5]. Finally, check the event logs on the user's computer and on the domain controllers for any error messages related to authentication [5].
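The account-state and connectivity checks from the scenario above in one script, as an added example that is not part of the original document. The first half queries the account (enabled, locked out, password or account expired, workstation restriction, group count) and is meant to run from an administrator's workstation with RSAT; the second half, run from the affected client, tests DC locator DNS and the Kerberos, LDAP and SMB ports on a discovered domain controller. The parameter name and the port list are my choices.

```powershell
# Added example: first-line checks for "user cannot log in".
param([Parameter(Mandatory)][string]$SamAccountName)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$u = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut, PasswordExpired,
        PasswordLastSet, AccountExpirationDate, LastBadPasswordAttempt, MemberOf, LogonWorkstations

# Account-side checks: each condition must be $true for an interactive logon to succeed.
$checks = [ordered]@{
    'Account enabled'            = [bool]$u.Enabled
    'Not locked out'             = -not $u.LockedOut
    'Password not expired'       = -not $u.PasswordExpired
    'Account not expired'        = (-not $u.AccountExpirationDate) -or ($u.AccountExpirationDate -gt (Get-Date))
    'No workstation restriction' = [string]::IsNullOrEmpty($u.LogonWorkstations)
}
$checks.GetEnumerator() | ForEach-Object {
    "{0,-28} {1}" -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
"Member of {0} group(s); password last set {1}; last bad password attempt {2}" -f `
    $u.MemberOf.Count, $u.PasswordLastSet, $u.LastBadPasswordAttempt

# Client-side checks (run these on the affected workstation):
# can the client find a DC through DNS, and are the logon ports reachable?
# Port 88 = Kerberos, 389 = LDAP, 445 = SMB (SYSVOL, logon scripts).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
"DC locator SRV lookup: {0}" -f $(if ($srv) { 'OK' } else { 'FAIL (check the client DNS server settings)' })

$dcName = [string](Get-ADDomainController -Discover -Service KDC).HostName
"Discovered DC: $dcName"
foreach ($port in 88, 389, 445) {
    $open = Test-NetConnection -ComputerName $dcName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0}:{1,-4} {2}" -f $dcName, $port, $(if ($open) { 'open' } else { 'BLOCKED' })
}
```

A FAIL on the account side is fixed in Active Directory Users and Computers (or with Unlock-ADAccount / Set-ADAccountPassword); a FAIL on the client side is a DNS or firewall problem and no amount of password resetting will help.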

Group Policy not applying to a specific OU.
When Group Policy is not applying to users or computers within a specific OU, the first step is to verify that the GPO is actually linked to that OU [1]. This can be done using the Group Policy Management Console (GPMC). If the GPO is linked, check the scope of the GPO to ensure that the security filtering and WMI filters are configured to include the target users or computers in the OU [1]. Inheritance of Group Policies might be blocked at the OU level or at a parent level, preventing the GPO from being applied [1]; use the GPMC to check for blocked inheritance. Also, the processing order of GPOs (LSDOU: local, site, domain, OU) might mean that another GPO applied later is overriding the settings in the GPO you expect to be applied [1]. Running gpresult /r on an affected user or computer shows which policies are being applied and whether there are any errors [22]. Finally, ensure that the client machine can communicate with a domain controller to retrieve and apply the Group Policy [5].
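The GPMC-side checks from this scenario as an added PowerShell example (not from the cited sources), using the GroupPolicy module: it confirms the link and its state, the GPO's enabled sides, blocked inheritance at any level between the OU and the domain root, who holds Apply Group Policy, whether a WMI filter is attached, and the effective precedence at the OU. The parameter names and the sample OU distinguished name in the comment are placeholders; the parent-DN walk simply drops the first RDN and does not handle escaped commas.

```powershell
# Added example: why is this GPO not reaching this OU?
param(
    [Parameter(Mandatory)][string]$GpoName,
    [Parameter(Mandatory)][string]$OuDn    # e.g. "OU=Workstations,DC=corp,DC=example,DC=com" (placeholder)
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo = Get-GPO -Name $GpoName

# 1. Link: is the GPO linked to this OU, is the link enabled, and where does it sit in the order?
$inh  = Get-GPInheritance -Target $OuDn
$link = $inh.GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $link) {
    "NOT LINKED to $OuDn"
} else {
    "Linked: enabled={0} enforced={1} order={2} of {3}" -f `
        $link.Enabled, $link.Enforced, $link.Order, $inh.GpoLinks.Count
}

# 2. GPO status: a disabled user or computer side silently skips that half of the policy.
"GPO status: {0}" -f $gpo.GpoStatus

# 3. Blocked inheritance anywhere between the OU and the domain root
#    (parent DN = drop the first RDN; escaped commas in names are not handled).
$dn = $OuDn
while ($dn -match '^(OU|CN)=') {
    $node = Get-GPInheritance -Target $dn
    if ($node.GpoInheritanceBlocked) { "Inheritance BLOCKED at $dn (only enforced links get through)" }
    $dn = $dn.Substring($dn.IndexOf(',') + 1)
}

# 4. Security filtering: the target users/computers must hold Apply Group Policy (GpoApply).
$apply = Get-GPPermission -Guid $gpo.Id -All | Where-Object { $_.Permission -eq 'GpoApply' }
"Apply Group Policy granted to: {0}" -f (@($apply | ForEach-Object { $_.Trustee.Name }) -join ', ')

# 5. WMI filter: if one is attached, a false or failed evaluation on the client denies the GPO.
"WMI filter: {0}" -f $(if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { 'none' })

# 6. Effective precedence at the OU, as GPMC's Group Policy Inheritance tab shows it
#    (1 = highest precedence, i.e. wins on conflicting settings).
"`nEffective precedence at ${OuDn}:"
$inh.InheritedGpoLinks | ForEach-Object {
    "{0,3}  {1,-40} enforced={2} enabled={3}" -f $_.Order, $_.DisplayName, $_.Enforced, $_.Enabled
}
```

Step 4 is the one most often overlooked: removing Authenticated Users from the GPO's security filtering without granting the replacement group both Read and Apply Group Policy leaves the GPO linked but never applied, and gpresult on the client reports it as filtered out.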

Domain controller replication failing.
When domain controller replication is failing, the first step is to run repadmin /showrepl on each domain controller to check its replication status with its partners [1]. Look for any errors reported, such as "Last attempt failed", or excessive delays in replication. The repadmin /replsum command provides a summary of replication health across the domain [1]. Use dcdiag on each domain controller to identify any general health issues, including DNS problems, which are a common cause of replication failures [1]. Ensure that DNS is configured correctly on all domain controllers, pointing to themselves or to other healthy DNS servers [1]. Check network connectivity between the domain controllers; firewalls might be blocking the ports required for AD replication [1]. If there are lingering objects, they might be preventing replication; the repadmin /removelingeringobjects command can be used to remove them [4]. In some cases, replication issues are caused by a domain controller having been offline for longer than the tombstone lifetime [1].
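The replication sweep from this scenario, together with the repadmin and dcdiag tool descriptions earlier, as one added example (not code from the cited sources): it parses repadmin /showrepl in CSV form to list failing links, flags partners whose last successful replication is older than the forest's tombstone lifetime, and then runs repadmin /replsum and a targeted dcdiag against every DC. Note that the dcdiag test is spelled Replications in the tool itself. The 60-day fallback when the tombstoneLifetime attribute is unset is the value Windows applies to forests created before Windows Server 2003 SP1; the ActiveDirectory module and rights to run repadmin are assumed.

```powershell
# Added example: replication health sweep across all domain controllers.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

# 1. repadmin /showrepl /csv: one row per destination DC, source DC and naming context.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    "Replication links with failures:"
    $failing | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Time', 'Last Failure Status' | Format-Table -AutoSize
} else {
    "repadmin /showrepl: no failing links."
}

# 2. A partner that has not replicated within the tombstone lifetime can reintroduce
#    lingering objects; the attribute is absent when the default (60 days) applies.
$cfg   = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl   = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
$limit = (Get-Date).AddDays(-$tsl)
$stale = $rows | Where-Object {
    $last = $_.'Last Success Time' -as [datetime]   # $null when the column is empty or unparsable
    $last -and ($last -lt $limit)
}
if ($stale) {
    "Links with no success in the last $tsl days (tombstone lifetime):"
    $stale | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time' |
        Format-Table -AutoSize
}

# 3. Domain-wide summary, then connectivity, replication and DNS tests per DC (/q = errors only).
repadmin /replsum
foreach ($dc in $dcs) {
    "--- dcdiag on $dc ---"
    dcdiag /s:$dc /test:Connectivity /test:Replications /test:DNS /q
}
```

Work the output top to bottom: a link with a non-zero failure count and a DNS error from dcdiag on the same DC is almost always the DNS problem the prose above warns about, and fixing the DC's resolver settings clears the replication error on the next cycle.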

Slow logon times.
Slow logon times are frustrating for users and often indicate an underlying issue with Active Directory or the network infrastructure [5]. Troubleshooting slow logons involves examining several potential causes. First, check the network connectivity between the client machine and the domain controllers; latency or network issues can significantly increase logon times [5]. DNS resolution is another critical factor; ensure the client is using the correct DNS servers and can resolve the domain name and domain controller names quickly [5]. Group Policy processing can also contribute to slow logons; use gpresult /r to see which GPOs are being applied and how long they are taking to process [22]. Large logon scripts or roaming profiles can also increase logon times, so check the size and complexity of logon scripts and the size of the user's roaming profile [1]. Profile corruption can also lead to slow logons, so creating a new temporary profile for testing can help identify this issue [5]. Finally, ensure that the domain controllers themselves are not overloaded or experiencing performance issues (check CPU, memory, and disk I/O) [5]. Examining the event logs on both the client and the domain controllers can provide further clues about the cause of slow logons [5].
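An added example for the slow-logon checklist above, to be run on the affected client as an administrator (not code from the cited sources): it reads the Group Policy processing time from the GroupPolicy operational log, times the DC locator SRV lookup and an LDAP connection to each returned DC, and measures the current user's profile size. Event ID 8001 ("Completed user logon policy processing") and the regex that extracts the elapsed seconds from its English message text are my assumptions; on non-English systems adjust the pattern.

```powershell
# Added example: measure the parts of logon that usually make it slow.
param([string]$Domain = $env:USERDNSDOMAIN)

# 1. Group Policy processing time, from the last week of user logons on this machine.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 8001; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Message reads "... policy processing for DOMAIN\user in N seconds." (assumption, English locale)
    $secs = if ($_.Message -match 'in (\d+) second') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        PolicySeconds = $secs
        Text          = ($_.Message -split "`r?`n")[0]
    }
} | Sort-Object Time -Descending | Select-Object -First 5 | Format-Table -AutoSize

# 2. DC locator: how long the SRV lookup takes and how quickly each DC answers on LDAP.
$srvTime = Measure-Command {
    $script:srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
}
"SRV lookup: {0} ms, {1} DC(s) returned" -f [int]$srvTime.TotalMilliseconds, @($srv).Count
foreach ($rec in $srv) {
    $t = Measure-Command {
        $script:ok = Test-NetConnection -ComputerName $rec.NameTarget -Port 389 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    "{0,-40} LDAP {1,-6} {2,6} ms" -f $rec.NameTarget, $(if ($ok) { 'open' } else { 'closed' }), [int]$t.TotalMilliseconds
}

# 3. Profile size for the current user; large roaming profiles are copied at every logon.
$profileMB = (Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum / 1MB
"Profile size: {0:N0} MB at {1}" -f $profileMB, $env:USERPROFILE
```

A policy processing time of tens of seconds points at the GPOs and logon scripts; a slow or failed SRV lookup points at client DNS; a DC that answers on LDAP only after hundreds of milliseconds points at the network path or at an overloaded controller, which is where the DC-side CPU, memory and disk checks come in.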

Behavioral Interview Questions Relevant to Active Directory Roles

Questions Assessing Problem-Solving Skills in AD Environments
Describe a time you had to troubleshoot a complex Active Directory issue. What steps did you take?
This question aims to understand the candidate's problem-solving approach in a real-world scenario. A good answer would involve describing the specific issue, the initial symptoms, and the methodical steps taken to diagnose and resolve it [34, 28, 11, 18, 28, 29, 3, 21, 9, 3, 36, 37, 5, 11, 1].

Works cited

1. Top Active Directory Interview Questions & Answers [PDF] - Whizlabs, accessed on March 31, 2025, https://www.whizlabs.com/blog/active-directory-interview-questions/
2. Microsoft Active Directory Interview Questions - Whizlabs, accessed on March 31, 2025, https://www.whizlabs.com/blog/wp-content/uploads/2022/10/Microsoft-Active-Directory-Interview-Questions-PDF.pdf
3. Active Directory Interview Questions - Top 50+ Questions and Answers for 2024 - GeeksforGeeks, accessed on March 31, 2025, https://www.geeksforgeeks.org/active-directory-interview-questions/
4. Top 25 Active Directory Interview Questions and Answers - Shine, accessed on March 31, 2025, https://www.shine.com/blog/active-directory-interview-questions
5. active directory engineer Interview Questions and Answers - HelloIntern.in - Blog, accessed on March 31, 2025, https://hellointern.in/blog/active-directory-engineer-interview-questions-and-answers-26473
6. active directory administrator Interview Questions and Answers - HelloIntern.in - Blog, accessed on March 31, 2025, https://hellointern.in/blog/active-directory-administrator-interview-questions-and-answers-11986
7. Top 20 Active Directory Interview Questions and Answers - YouTube, accessed on March 31, 2025, https://m.youtube.com/watch?v=PXzRDCK5tiM
8. Active Directory Interview Questions & Answers Flashcards - Quizlet, accessed on March 31, 2025, https://quizlet.com/256858952/active-directory-interview-questions-answers-flash-cards/
9. active directory specialist Interview Questions and Answers - HelloIntern.in - Blog, accessed on March 31, 2025, https://hellointern.in/blog/active-directory-specialist-interview-questions-and-answers-6698
10. Top 50 MCSE Interview Questions and Answers 2025 - Attari Classes, accessed on March 31, 2025, https://attariclasses.in/blog/top-50-mcse-interview-questions-and-answers
11. active directory systems administrator Interview Questions and Answers - HelloIntern.in, accessed on March 31, 2025, https://hellointern.in/blog/active-directory-systems-administrator-interview-questions-and-answers-33435
12. Top 50+ Active Directory Interview questions with answers (2025) - YourComputer.in, accessed on March 31, 2025, https://www.yourcomputer.in/active-directory-interview-questions-with-answers/
13. Top 100 Active Directory Interview Questions and Answers - 2023 - TechnoparkJobs, accessed on March 31, 2025, https://blog.technoparkjobs.com/blog-detail/top-100-active-directory-interview-questions-and-answers
14. Top 20 Active Directory Interview Questions and Answers - YouTube, accessed on March 31, 2025, https://www.youtube.com/watch?v=PXzRDCK5tiM
15. Top 20+ Windows Server Interview Questions and Answers 2025 - MindMajix, accessed on March 31, 2025, https://mindmajix.com/windows-server-interview-questions
16. AD Interview Questions | PDF | Active Directory | Group Policy - Scribd, accessed on March 31, 2025, https://www.scribd.com/document/722672230/AD-Interview-Questions
17. Top 65 Windows Server Interview Questions - Testprep Training Blog, accessed on March 31, 2025, https://www.testpreptraining.com/blog/top-65-windows-server-interview-questions/
18. active directory architect Interview Questions and Answers - HelloIntern.in - Blog, accessed on March 31, 2025, https://hellointern.in/blog/active-directory-architect-interview-questions-and-answers-78717
19. Top 45 System Admin Interview Questions and Answers - 2025 - Great Learning, accessed on March 31, 2025, https://www.mygreatlearning.com/blog/system-administration-interview-questions/
20. 30 Windows System Administrator Interview Questions - iScalePro, accessed on March 31, 2025, https://www.iscalepro.com/post/windows-system-administrator-interview-questions/
21. Top 10 Active Directory Interview Questions and Answers [Updated 2024], accessed on March 31, 2025, https://mockinterviewpro.com/interview-questions/active-directory/
22. IT HelpDesk Position AD Technical Questions : r/activedirectory - Reddit, accessed on March 31, 2025, https://www.reddit.com/r/activedirectory/comments/1dbbz1o/it_helpdesk_position_ad_technical_questions/
23. Windows Server Interview Questions and Answers - Cloud Foundation, accessed on March 31, 2025, https://cloudfoundation.com/blog/windows-server-interview-questions-and-answers/
24. Interview Question on AD - TechExams Community, accessed on March 31, 2025, https://community.infosecinstitute.com/discussion/39234/interview-question-on-ad
25. Daniel Petri's MCSE & System Administrator Job Interview Questions – Part 3 – Exchange Server 2003, accessed on March 31, 2025, https://petri.com/mcse-system-administrator-exchange-interview-questions/
26. Windows Server Interview Questions [2] - CSL Academy | CISCO, Microsoft, Linux, Juniper, Asterisk, MikroTik, CCNA Training in Bangladesh, accessed on March 31, 2025, https://csl.academy/job-interview-question/windows-server-interview-questions-2/
27. Top 40+ Azure Active Directory interview questions and answers - Office365Concepts, accessed on March 31, 2025, https://office365concepts.com/azure-active-directory-interview-questions/
28. 2025 Windows System Administrator Interview Questions & Answers (Top Ranked) - Teal, accessed on March 31, 2025, https://www.tealhq.com/interview-questions/windows-system-administrator
29. The 25 Most Common Entry Level System Administrators Interview Questions, accessed on March 31, 2025, https://www.finalroundai.com/blog/entry-level-system-administrator-interview-questions
30. I don't understand how to answer this question about Active Directory - Microsoft Q&A, accessed on March 31, 2025, https://learn.microsoft.com/en-us/answers/questions/1007929/i-dont-understand-how-to-answer-this-question-abou
31. DHCP Interview Questions and Answers | Basic and Advnaced Levels - myTectra, accessed on March 31, 2025, https://www.mytectra.com/interview-question/dhcp-interview-questions-and-answers
32. Top 25 DHCP Interview Questions and Answers (2025) - PyNet Labs, accessed on March 31, 2025, https://www.pynetlabs.com/dhcp-interview-questions-and-answers/
33. Live Interview Questions & Answers ! Windows Server Active Directory ! Become System Admin - YouTube, accessed on March 31, 2025, https://www.youtube.com/watch?v=7mvcOInQgrg
34. Top 40 Azure Active Directory Interview Questions and Answers 2025 - MindMajix, accessed on March 31, 2025, https://mindmajix.com/azure-active-directory-interview-questions
35. Behavioral Interview Questions, accessed on March 31, 2025, https://www.hr.utah.edu/forms/lib/Behavioral_Interview_Questions.pdf
36. 35 Behavioral Interview Questions and How to Answer Them - Built In, accessed on March 31, 2025, https://builtin.com/articles/behavioral-interview-questions
37. 16 most-asked behavioral interview questions (+ answers) - IGotAnOffer, accessed on March 31, 2025, https://igotanoffer.com/blogs/tech/behavioral-interview-questions
38. The 25 Most Common Windows System Administrators Interview Questions - Final Round AI, accessed on March 31, 2025, https://www.finalroundai.com/blog/windows-system-administrator-interview-questions
39. Active Directory Issue - Microsoft Q&A, accessed on March 31, 2025, https://learn.microsoft.com/en-us/answers/questions/2200274/active-directory-issue?forum=windowserver-all&referrer=answers
40. Top DHCP Interview Questions And Answers - GoLogica, accessed on March 31, 2025, https://www.gologica.com/elearning/top-dhcp-interview-questions-and-answers/
