Active Directory Interview Questions and Answers
— ny_wk

Active Directory shows up in almost every Windows sysadmin interview. Here's a clear set of common AD questions with answers you can actually explain — not just memorize.
What is Active Directory?
Active Directory (AD) is the directory service on Microsoft Windows servers that stores information about a network's objects — users, computers, groups, printers — and lets administrators manage and secure them centrally. It's the backbone of identity and access in a Windows domain.
What is a Domain Controller?
A Domain Controller (DC) is a server running Active Directory Domain Services. It authenticates users (logins), enforces security policies, and holds a copy of the directory database. Most environments run two or more DCs for redundancy.
What is a domain, tree, and forest?
- Domain — a logical group of objects sharing a database and policies (e.g., corp.example.com).
- Tree — one or more domains in a contiguous namespace, joined by trust.
- Forest — the top-level container: one or more trees, sharing a common schema and global catalog. It's the security boundary of AD.
What is an OU (Organizational Unit)?
An OU is a container inside a domain used to organize objects (by department, location, etc.) and to apply Group Policy and delegate administration at a granular level.
What is Group Policy?
Group Policy (delivered through Group Policy Objects, or GPOs) lets admins define and enforce settings — security, software, desktop config — across users and computers, applied at the site, domain, or OU level. It's how you manage thousands of machines consistently.
What is the Global Catalog?
The Global Catalog is a distributed data store holding a partial copy of every object in the forest, enabling fast forest-wide searches and logons.
What are FSMO roles?
Flexible Single Master Operation roles are five special DC roles that must be unique to avoid conflicts: Schema Master, Domain Naming Master (forest-wide), plus RID Master, PDC Emulator, and Infrastructure Master (per domain).
What protocol does AD use?
AD is built on LDAP for directory queries, uses Kerberos as its primary authentication protocol, and relies on DNS for locating services and DCs.
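To make the FSMO and LDAP/Kerberos/DNS answers concrete, here is an added PowerShell example (not part of the original post) that enumerates the forest and domain, prints the five FSMO role holders, lists DCs and Global Catalogs, and checks the DNS SRV records clients use to find them. It assumes a domain-joined machine with the RSAT ActiveDirectory module installed.

```powershell
# Added example: verify the AD facts above against a live domain.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide FSMO roles: exactly one holder in the whole forest
"Forest: $($forest.Name) (mode $($forest.ForestMode))"
"  Schema Master:        $($forest.SchemaMaster)"
"  Domain Naming Master: $($forest.DomainNamingMaster)"

# Per-domain FSMO roles: one holder per domain
"Domain: $($domain.DNSRoot) (mode $($domain.DomainMode))"
"  RID Master:            $($domain.RIDMaster)"
"  PDC Emulator:          $($domain.PDCEmulator)"
"  Infrastructure Master: $($domain.InfrastructureMaster)"

# Every DC, its site, whether it also hosts the Global Catalog, and any roles it holds
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# DNS SRV records are how clients locate DCs, Kerberos KDCs and GCs.
# Missing or stale records here are a classic cause of logon failures.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",      # LDAP on DCs (port 389)
    "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)",  # Kerberos KDC (port 88)
    "_gc._tcp.$($forest.Name)"                      # Global Catalog (port 3268)
)
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    if (-not $records) { Write-Warning "No SRV record for $name"; continue }
    foreach ($r in ($records | Where-Object { $_.Type -eq 'SRV' })) {
        "{0,-45} -> {1}:{2}" -f $name, $r.NameTarget, $r.Port
    }
}

# Cross-check: every FSMO holder should also be a registered DC in the domain
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.RIDMaster, $domain.PDCEmulator, $domain.InfrastructureMaster)
foreach ($holder in $holders) {
    if ($dcs.HostName -notcontains $holder) {
        Write-Warning "FSMO holder $holder is not a known DC in $($domain.DNSRoot)"
    }
}
```

In a multi-domain forest, run the per-domain section once per domain (Get-ADDomain -Identity child.corp.example.com), since the RID, PDC Emulator and Infrastructure roles exist separately in each.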
Key takeaways
- AD is Windows' central directory for users, computers, and policies; DCs authenticate and hold the database.
- Structure: domain → tree → forest; organize with OUs and manage with Group Policy.
- The Global Catalog enables forest-wide search; FSMO roles are unique DC responsibilities.
- AD relies on LDAP, Kerberos, and DNS.
Frequently asked questions
What's the difference between a domain and a forest?
A domain is a single administrative group of objects; a forest is the top-level boundary containing one or more domains/trees that share a schema and global catalog.
Why have more than one Domain Controller?
For redundancy and load — if one DC fails, others keep authenticating users and serving the directory.
What are FSMO roles for?
They're operations that must be handled by a single DC to avoid conflicts (e.g., schema changes, RID allocation, time sync via the PDC Emulator).
Which authentication protocol does AD use?
Primarily Kerberos, with LDAP for directory access and DNS for locating domain services.
Know what AD is, how domains/forests/OUs nest, what Group Policy and FSMO roles do, and the LDAP/Kerberos/DNS trio — and you'll handle the core of any AD interview.