WINDOWS ADMIN INTERVIEW QUESTIONS
— ny_wk

This Windows Server administrator interview prep guide turns the usual scattered question dump into organized, technically correct answers across Active Directory, DNS, DHCP, Group Policy, file and print services, backup, networking, and troubleshooting. Use it to understand the why behind each answer, not just memorize a line.
Most interviews for a Windows Server administrator role mix conceptual depth with hands-on scenarios. Hiring managers want to know that you understand how the directory, name resolution, and policy layers actually fit together — and that you can reason through an outage at 2 a.m. The sections below are grouped the way real interviews flow, with representative questions and clear explanations. Where behavior changed between Windows Server 2012 R2, 2016, 2019, 2022, and 2025, that is called out so you do not give a dated answer.
Active Directory: the core of every Windows admin interview
Active Directory Domain Services (AD DS) is the single most-tested topic. Expect questions on logical structure, replication, FSMO roles, and trusts.
Explain the logical structure: forest, tree, domain, and OU
- Forest — the top-level security and replication boundary. All domains in a forest share one schema and one global catalog configuration. The forest is the true security boundary in AD.
- Tree — one or more domains sharing a contiguous DNS namespace (for example corp.example.com and sales.corp.example.com).
- Domain — an administrative and replication unit holding users, groups, and computers. A domain is not a security boundary on its own; the forest is.
- Organizational Unit (OU) — a container used to delegate administration and to link Group Policy. OUs are not security principals and you cannot assign permissions to resources based on OU membership.
What are FSMO roles and where do they live?
Flexible Single Master Operations (FSMO) roles are five operations that cannot be multi-master, so a single domain controller owns each at a time. Two are forest-wide and three are domain-wide.
| Role | Scope | Purpose |
|---|---|---|
| Schema Master | Forest | Only DC that can modify the AD schema. |
| Domain Naming Master | Forest | Controls adding/removing domains and application partitions. |
| RID Master | Domain | Allocates pools of relative IDs so each new SID is unique. |
| PDC Emulator | Domain | Primary time source, password-change priority, account-lockout processing, and default GPO editing target. |
| Infrastructure Master | Domain | Updates cross-domain object references (phantom records). |
A common follow-up: the Infrastructure Master should not sit on a global catalog server in a multi-domain forest unless every DC is a GC, because a GC holds a partial copy of all objects and the role would never detect stale references. In a single-domain forest this concern is moot. Use netdom query fsmo to list role holders, and ntdsutil (or Move-ADDirectoryServerOperationMasterRole in PowerShell) to transfer or seize roles. Transfer when the old holder is online; seize only when it is permanently dead, and never bring the failed DC back without a metadata cleanup.
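The following PowerShell is an added example, not part of the original guide: it lists the five role holders, checks the Infrastructure Master placement rule from the paragraph above, and shows the transfer and seize forms of Move-ADDirectoryServerOperationMasterRole. It assumes the ActiveDirectory RSAT module on a domain-joined admin session; the DC name DC02 is a placeholder.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory
# module; "DC02" below is a placeholder target DC.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # domain-wide
        RIDMaster            = $domain.RIDMaster             # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule: in a multi-domain forest the Infrastructure Master must not be a GC
    # unless every DC in the domain is a GC. Single-domain forests are exempt.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster
    $dcs    = Get-ADDomainController -Filter *
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $multi  = $forest.Domains.Count -gt 1
    [pscustomobject]@{
        InfrastructureMaster = $im.HostName
        IsGlobalCatalog      = $im.IsGlobalCatalog
        MultiDomainForest    = $multi
        AllDCsAreGC          = $allGc
        Misplaced            = $multi -and $im.IsGlobalCatalog -and (-not $allGc)
    }
}

Get-FsmoInventory
Test-InfrastructureMasterPlacement

# Graceful transfer (current holder online; both DCs agree on the handoff):
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator, RIDMaster

# Seize (holder permanently gone). -Force tries a transfer first and seizes
# only if that fails. Follow with metadata cleanup so the dead DC never returns.
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole SchemaMaster -Force
```

Misplaced = True is the condition the interview follow-up describes; the fix is either to move the role to a non-GC DC or to make every DC a GC.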
What is the global catalog?
The global catalog (GC) is a distributed data store holding a full copy of every object in its own domain plus a partial, read-only copy of objects from every other domain in the forest. It powers forest-wide searches and universal group membership resolution at logon. By default the first DC in a forest is a GC, and you should have at least one GC per site for fast logons.
How does AD replication work, and what is the tombstone lifetime?
AD uses multi-master replication: changes can occur on any writable DC and converge. Within a site, replication is near-immediate (change notification, ~15 seconds by default in modern releases); between sites it follows a schedule over site links built by the Knowledge Consistency Checker (KCC). Replication uses update sequence numbers (USNs) and version numbers to resolve conflicts — last writer wins by version, then timestamp, then GUID.
The tombstone lifetime is how long a deleted object is retained (as a tombstone) so the deletion replicates everywhere before garbage collection. Correction to a common interview myth: the default is 180 days on forests created with Windows Server 2003 SP1 and later (a true legacy 2003 RTM forest defaulted to 60 days). If a DC is offline longer than the tombstone lifetime, it must not be reconnected — doing so risks lingering objects; rebuild it instead. Use repadmin /replsummary and repadmin /showrepl to diagnose replication.
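As an added example (not from the original guide), this reads the effective tombstone lifetime from the configuration partition and reports each replication partner's last success against it, which is the check you would run before deciding whether a long-offline DC can be reconnected or must be rebuilt. It assumes the ActiveDirectory module and that the caller can query the DC named in -DomainController.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition. When the attribute is absent the effective
    # default is 60 days (forests created before Windows Server 2003 SP1).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-ReplicationHealth {
    param([string]$DomainController = $env:COMPUTERNAME)
    $tsl = Get-TombstoneLifetimeDays
    Get-ADReplicationPartnerMetadata -Target $DomainController | ForEach-Object {
        $age = (Get-Date) - $_.LastReplicationSuccess
        [pscustomobject]@{
            Partner           = $_.Partner                 # DN of the partner's NTDS Settings object
            Partition         = $_.Partition
            LastSuccess       = $_.LastReplicationSuccess
            DaysSinceSuccess  = [math]::Round($age.TotalDays, 1)
            Failures          = $_.ConsecutiveReplicationFailures
            LastResult        = $_.LastReplicationResult   # 0 = success, otherwise a Win32 error code
            # Past the tombstone lifetime the partner must be rebuilt, not reconnected.
            PastTombstoneLife = $age.TotalDays -gt $tsl
        }
    }
    # Errors the DC has recorded against its partners (complements repadmin /showrepl)
    Get-ADReplicationFailure -Target $DomainController
}

Get-ReplicationHealth
# Equivalent quick view from the command line:
# repadmin /replsummary
# repadmin /showrepl
```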
SYSVOL and the FRS vs. DFSR question
SYSVOL is a shared folder on every DC that stores logon scripts and the Group Policy templates, replicated to all DCs. Older domains replicated it with File Replication Service (FRS); modern domains use DFS Replication (DFSR), which is more efficient and resilient. FRS is fully deprecated and removed — Windows Server 2019 and later cannot be promoted into a domain still using FRS for SYSVOL. Migrate with dfsrmig before upgrading domain controllers.
Security group scopes and the AGDLP rule
Know the three group scopes and the recommended nesting strategy:
- Domain Local — used to grant permissions to resources; can contain members from any domain.
- Global — used to group users by role/department; members come from the same domain only.
- Universal — spans the forest; membership is stored in the global catalog.
The best-practice nesting is AGDLP: put Accounts into Global groups, place those into Domain Local groups, then assign Permissions to the domain local group. This keeps permissions manageable as the org grows.
DNS and DHCP: name resolution and addressing
AD literally cannot function without DNS, so expect tight questioning here.
Why does Active Directory depend on DNS?
Clients and DCs locate domain services through SRV records (service-location records) registered in DNS under zones like _msdcs.domain.com. A client looking for a domain controller queries DNS for records such as _ldap._tcp.dc._msdcs.domain.com. Break DNS and logons, replication, and Group Policy all fail. For AD, use AD-integrated DNS zones so zone data replicates with the directory and supports secure dynamic updates.
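The check below is an added example, not from the original guide: it resolves the DC-locator SRV records described above and confirms that each advertised target actually answers on the advertised port, which separates "DNS is wrong" from "DNS is right but the DC is down". It assumes Resolve-DnsName and Test-NetConnection (both built into Windows); the domain defaults to the session's DNS domain and the site name is an optional placeholder.

```powershell
# Added example (not from the original guide). Uses only built-in cmdlets.
function Test-DcLocatorRecords {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,   # e.g. corp.example.com
        [string]$Site                           # optional AD site name, e.g. HQ
    )
    # Domain-wide locator records; a client in a known site tries the
    # site-specific _sites record first and falls back to the generic one.
    $names = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
    if ($Site) { $names += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }

    foreach ($name in $names) {
        # Resolve-DnsName also returns the glue A records; keep only SRV answers
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Priority = $null; Reachable = $false }
            continue
        }
        foreach ($r in $srv) {
            $ok = (Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                       -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{
                Record    = $name
                Target    = $r.NameTarget
                Port      = $r.Port
                Priority  = $r.Priority
                Reachable = $ok
            }
        }
    }
}

Test-DcLocatorRecords | Format-Table -AutoSize
# Test-DcLocatorRecords -Site HQ
```

A row with Target empty means the SRV record itself is missing (DC registration or zone problem); a row with Reachable False means DNS is fine but the DC or the path to it is not.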
Common record types you should be able to name
- A / AAAA — host name to IPv4 / IPv6 address.
- PTR — reverse lookup (IP to name), stored in a reverse zone.
- CNAME — alias to another name.
- MX — mail exchanger for a domain.
- SRV — advertises services (the backbone of AD location).
- NS / SOA — name servers for a zone and its start-of-authority metadata.
Forwarders vs. conditional forwarders vs. root hints
- Forwarder — sends all external queries it cannot answer to a specific upstream DNS server (often the ISP or a public resolver).
- Conditional forwarder — forwards queries for a specific domain to designated servers (useful for resolving a partner or merged domain).
- Root hints — the fallback list of root servers used to resolve recursively when no forwarder is set.
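The commands below are an added example, not part of the original guide, showing how the three mechanisms are configured on a Windows DNS server with the DnsServer module. The upstream and partner addresses are constructed placeholders.

```powershell
# Added example (not from the original guide). Run on the DNS server; all
# IP addresses and the partner domain are constructed placeholders.
Import-Module DnsServer

# Current forwarders and whether root hints are used when they fail
Get-DnsServerForwarder

# Forwarder: all unresolved external queries go upstream; fall back to root
# hints if the forwarders do not answer within the timeout (seconds).
Set-DnsServerForwarder -IPAddress 10.0.0.53, 10.0.0.54 -UseRootHint $true -Timeout 3

# Conditional forwarder: only partner.example goes to the partner's servers.
# Storing it in AD (ReplicationScope Forest) pushes it to every DNS-hosting DC.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' `
    -MasterServers 192.0.2.10, 192.0.2.11 -ReplicationScope Forest

# Root hints: the built-in fallback list
Get-DnsServerRootHint | Select-Object -First 3

# Verify: ask this server directly and confirm the partner name resolves
Resolve-DnsName -Name host.partner.example -Server localhost
```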
DHCP scope, reservation, lease, and high availability
A scope is the range of IP addresses a DHCP server can hand out for a subnet, along with options like default gateway, DNS servers, and lease duration. A reservation ties a specific IP to a client's MAC address so it always gets the same address while still being managed by DHCP — different from a static IP set on the host itself. The lease is how long a client may use an address before renewing (it attempts renewal at 50% of the lease, the T1 timer).
The classic four-step handshake is DORA: Discover, Offer, Request, Acknowledge. For resilience, Windows Server 2012 introduced DHCP failover (hot-standby or load-balance modes between two servers sharing scope state) — this largely replaced the older 80/20 split-scope rule and is the modern best-practice answer. An exclusion range carves out addresses inside a scope you do not want leased (for static devices).
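The following is an added example, not from the original guide: one scope built end to end with the DhcpServer module, including options, an exclusion range, a reservation, and DHCP failover in load-balance mode. Subnet, addresses, MAC address, server names, and the shared secret are constructed placeholders.

```powershell
# Added example (not from the original guide). All values are constructed;
# assumes the DHCP Server role and DhcpServer module on dhcp01.
Import-Module DhcpServer

# Scope: the address pool and lease length for the 10.10.20.0/24 subnet
Add-DhcpServerv4Scope -Name 'Finance LAN' -StartRange 10.10.20.1 -EndRange 10.10.20.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Scope options every client receives: gateway, DNS servers, DNS suffix
Set-DhcpServerv4OptionValue -ScopeId 10.10.20.0 -Router 10.10.20.1 `
    -DnsServer 10.10.1.5, 10.10.1.6 -DnsDomain corp.example.com

# Exclusion: .1-.20 stay inside the scope but are never leased (static devices)
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.20.0 -StartRange 10.10.20.1 -EndRange 10.10.20.20

# Reservation: this MAC always gets .50, yet still receives options via DHCP
Add-DhcpServerv4Reservation -ScopeId 10.10.20.0 -IPAddress 10.10.20.50 `
    -ClientId '00-11-22-33-44-55' -Name printer01 -Description 'Finance printer (constructed)'

# Failover: both servers share lease state for the scope (replaces 80/20 split scope).
# LoadBalancePercent 50 = load-balance mode; use -ServerRole/-ReservePercent for hot standby.
Add-DhcpServerv4Failover -ComputerName dhcp01 -PartnerServer dhcp02 -Name 'dhcp01-dhcp02' `
    -ScopeId 10.10.20.0 -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -SharedSecret 'REPLACE-WITH-REAL-SECRET' -AutoStateTransition $true `
    -StateSwitchInterval (New-TimeSpan -Minutes 10)

# Verify the relationship and the scope from either server
Get-DhcpServerv4Failover -ComputerName dhcp01 -ScopeId 10.10.20.0
Get-DhcpServerv4Scope -ComputerName dhcp02 -ScopeId 10.10.20.0
```

The client side of the lease is visible with ipconfig /all (Lease Obtained / Lease Expires); renewal at 50% of the lease is the T1 timer mentioned above.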
Group Policy: enforcing configuration at scale
What is Group Policy and how is it processed?
Group Policy centrally manages user and computer settings. A Group Policy Object (GPO) is linked to a site, domain, or OU and applies in that order — remembered as LSDOU: Local policy first, then Site, Domain, and OU (deepest OU last). Because later wins, the OU-linked GPO normally takes precedence over a conflicting domain GPO.
Inheritance, Block Inheritance, and Enforced
- Block Inheritance — set on an OU to stop higher-level GPOs from flowing down.
- Enforced (formerly "No Override") — set on a GPO link so it always applies and overrides Block Inheritance and any conflicting lower GPO. Enforced beats Block Inheritance — a frequently mixed-up point.
- Security and WMI filtering — narrow which users/computers a GPO actually affects.
What does loopback processing do?
Loopback processing makes a computer apply the user settings based on the computer's OU rather than the user's OU. It is essential for shared machines like kiosks, RDS session hosts, and lab PCs where you want a consistent user experience regardless of who logs in. Replace mode discards the user's own GPOs; Merge mode combines them, with the computer-location user settings winning on conflict.
How do you refresh and troubleshoot GPOs?
Background refresh happens roughly every 90 minutes (plus a random offset) for clients, every 5 minutes for DCs. Force it with gpupdate /force. Diagnose with gpresult /r or gpresult /h report.html to see the Resultant Set of Policy (RSoP) — which GPOs applied, which were filtered, and why. Authoring and reporting are done in the Group Policy Management Console (GPMC).
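As an added example covering the three Group Policy questions above (processing order, Block Inheritance versus Enforced, loopback, and RSoP), and not from the original guide: the script creates a loopback GPO for a kiosk OU, blocks inheritance on that OU, enforces a domain baseline so it still applies, and then reads back the effective link order. It assumes the GroupPolicy module; the OU path and the GPO name "Security Baseline" are constructed placeholders.

```powershell
# Added example (not from the original guide). Assumes the GroupPolicy module;
# the OU DN and the existing "Security Baseline" GPO are placeholders.
Import-Module GroupPolicy
$ou     = 'OU=Kiosks,DC=corp,DC=example,DC=com'
$domain = 'DC=corp,DC=example,DC=com'

# Loopback GPO. UserPolicyMode under this key: 1 = Merge, 2 = Replace.
$gpo = New-GPO -Name 'Kiosk-Loopback-Replace'
Set-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $ou | Out-Null

# Block inheritance on the kiosk OU...
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null
# ...but Enforced on the domain link means the baseline still wins.
Set-GPLink -Name 'Security Baseline' -Target $domain -Enforced Yes | Out-Null

function Get-EffectiveGpoLinks {
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Target             = $Target
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        # InheritedGpoLinks is returned in precedence order; enforced links
        # from above the block survive, non-enforced ones are gone.
        AppliedInOrder     = @($inh.InheritedGpoLinks | ForEach-Object {
            '{0} (Enforced={1}, Enabled={2})' -f $_.DisplayName, $_.Enforced, $_.Enabled })
    }
}

Get-EffectiveGpoLinks -Target $ou

# On the client, to apply now and prove what actually landed:
# gpupdate /force
# gpresult /h C:\Temp\rsop.html
```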
File and print services
Share vs. NTFS permissions — which one wins?
When a user accesses a file over the network, both share and NTFS permissions apply and the most restrictive (effective) permission wins. NTFS permissions also apply to local access, while share permissions do not. Best practice: leave share permissions broad (for example, Authenticated Users — Change or Full Control) and control real access precisely with NTFS. Remember that an explicit Deny overrides Allow.
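The script below is an added example, not from the original guide, and serves both the AGDLP section and the share-versus-NTFS question above: it builds the Global and Domain Local groups, nests them, publishes the share with a broad share permission, and then locks the folder down with NTFS so the Domain Local group is the only thing that grants user access. Group names, user names, the OU, the domain NetBIOS name CORP, and the folder path are constructed placeholders.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory
# module on a file server; all names and paths are constructed placeholders.
Import-Module ActiveDirectory
$path    = 'D:\Shares\Finance'
$groupOu = 'OU=Groups,DC=corp,DC=example,DC=com'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# A -> G: accounts go into a Global role group (same-domain members only)
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'jdoe', 'asmith'

# G -> DL: the Global group is nested into a Domain Local resource group
New-ADGroup -Name 'DL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'DL-Finance-Modify' -Members 'GG-Finance-Staff'

# Share permission stays broad (Authenticated Users: Change); NTFS does the real work
New-SmbShare -Name 'Finance' -Path $path -ChangeAccess 'Authenticated Users' | Out-Null

# DL -> P: NTFS Modify for the Domain Local group only.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)     # stop inheritance and drop inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($entry in @(
        @{ Id = 'CORP\DL-Finance-Modify'; Rights = 'Modify' },
        @{ Id = 'BUILTIN\Administrators';  Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';     Rights = 'FullControl' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, 'None', 'Allow')
    $acl.SetAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Effective access over the network = most restrictive of share and NTFS:
# DL members get Modify; other authenticated users pass the share but stop at NTFS.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Adding a new finance employee later is a single Add-ADGroupMember into GG-Finance-Staff; neither the share nor the NTFS ACL has to be touched again, which is the point of AGDLP.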
What are DFS Namespaces and DFS Replication?
- DFS Namespaces (DFS-N) presents shares from multiple servers under one logical path (for example \\corp\shares\finance) so users do not care which server hosts the data.
- DFS Replication (DFS-R) keeps folder targets in sync using remote differential compression, enabling redundancy and branch-office caching.
Useful file-service features to mention
- Shadow Copies (VSS) let users restore Previous Versions of files without a full backup restore.
- File Server Resource Manager (FSRM) enforces quotas, file-type screening, and reporting.
- Print Management deploys printers via GPO; modern environments increasingly favor direct-IP or cloud print since the legacy Windows print spooler has been a security focus.
Backup and restore
How do you back up and restore Active Directory?
AD is protected by a System State backup (which includes the AD database ntds.dit, SYSVOL, registry, and boot files), taken with Windows Server Backup or enterprise tooling. Two restore types are essential to distinguish:
- Non-authoritative restore — the DC is restored and then receives newer changes from replication partners. Use this to rebuild a failed DC.
- Authoritative restore — you mark specific objects (in Directory Services Restore Mode, DSRM, using ntdsutil) so they replicate out to all other DCs, undoing an accidental deletion across the domain.
Modern releases also offer the AD Recycle Bin (enabled forest-wide, irreversible once on) to restore deleted objects with their attributes intact — often the faster, cleaner answer than an authoritative restore for simple deletions.
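The following is an added example, not from the original guide: it shows the Recycle Bin route to recovering a deleted object (enable once, find the deleted object, restore it) alongside the System State backup command that the authoritative-restore path depends on. It assumes the ActiveDirectory module and Enterprise Admin rights for the enable step; the forest name and the user name jdoe are placeholders.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory
# module; corp.example.com and jdoe are placeholders.
Import-Module ActiveDirectory

# One-time, forest-wide, and irreversible. Needs forest functional level
# 2008 R2 or higher and Enterprise Admin; the cmdlet prompts for confirmation.
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'corp.example.com'

function Test-AdRecycleBinEnabled {
    # EnabledScopes is populated once the feature has been switched on
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    [bool]$feature.EnabledScopes
}

function Find-DeletedAdObject {
    param([Parameter(Mandatory)][string]$NamePrefix)
    # Deleted objects sit under CN=Deleted Objects with the name suffixed
    # by \0ADEL:<guid>; they are hidden unless -IncludeDeletedObjects is given.
    Get-ADObject -Filter "isDeleted -eq `$true -and Name -like '$NamePrefix*'" `
        -IncludeDeletedObjects -Properties LastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, LastKnownParent, whenChanged, DistinguishedName
}

function Restore-DeletedAdObject {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$TargetPath   # optional: restore elsewhere if LastKnownParent was deleted too
    )
    # With the Recycle Bin on, attributes and group memberships come back intact;
    # no DSRM reboot or ntdsutil authoritative restore is needed.
    if ($TargetPath) { Restore-ADObject -Identity $DistinguishedName -TargetPath $TargetPath }
    else             { Restore-ADObject -Identity $DistinguishedName }
}

Test-AdRecycleBinEnabled
Find-DeletedAdObject -NamePrefix 'jdoe'
# Restore-DeletedAdObject -DistinguishedName (Find-DeletedAdObject -NamePrefix 'jdoe')[0].DistinguishedName

# System State backup (ntds.dit, SYSVOL, registry, boot files) with the
# Windows Server Backup feature installed; E: is a placeholder target volume:
# wbadmin start systemstatebackup -backupTarget:E: -quiet
```

If a whole OU was deleted, restore the OU first and then its children, or pass -TargetPath for each child; Restore-ADObject refuses to restore an object whose parent no longer exists.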
Backup types and the 3-2-1 rule
| Type | What it copies | Archive bit |
|---|---|---|
| Full | Everything | Cleared |
| Incremental | Changes since the last backup of any type | Cleared |
| Differential | Changes since the last full backup | Not cleared |
Incrementals restore slowest (full + every incremental) but back up fastest; differentials restore faster (full + latest differential) but grow larger over time. Cite the 3-2-1 rule: three copies, on two media types, with one off-site — and add an immutable/offline copy as ransomware defense. Always emphasize testing restores, not just running backups.
What does RAID give you, and is it a backup?
RAID is redundancy, not backup. RAID 1 mirrors, RAID 5 stripes with single parity (survives one disk loss), RAID 6 uses double parity (survives two), and RAID 10 mirrors then stripes for performance plus fault tolerance. None of them protect against deletion, corruption, or ransomware — you still need real backups. On modern Windows, Storage Spaces provides software-defined resiliency as an alternative to hardware RAID.
Networking fundamentals
Subnetting, gateways, and the basics
Be ready to explain a subnet mask (for example /24 = 255.255.255.0 = 254 usable hosts), the role of the default gateway, and the difference between public and private (RFC 1918) address ranges. Know APIPA (169.254.x.x) means a client failed to reach DHCP — an instant troubleshooting signal.
TCP/IP, DNS, and ports
Mention the layered model and key ports: DNS 53, DHCP 67/68, HTTP 80 / HTTPS 443, RDP 3389, Kerberos 88, LDAP 389 / LDAPS 636, SMB 445. AD authentication uses Kerberos as the default protocol, with NTLM as a legacy fallback that should be minimized for security.
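The following is an added example, not from the original guide, written from the defender's side of the last sentence above: before NTLM can be minimized you need to know who still uses it, so the script reads logon events (ID 4624) from a DC's Security log and summarizes NTLM logons by account and source, and a second function confirms the key AD ports on a DC. It assumes an admin session that can read the Security log; the DC name is a placeholder.

```powershell
# Added example (not from the original guide). Assumes rights to read the
# Security log on the target DC; 'dc01' is a placeholder.
function Get-NtlmLogonSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                Package   = $d.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
                LmPackage = $d.LmPackageName               # e.g. NTLM V1 / NTLM V2 when NTLM was used
                LogonType = $d.LogonType                   # 3 = network, 10 = RDP, ...
                Source    = $d.IpAddress
            }
        } |
        Where-Object { $_.Package -eq 'NTLM' -and $_.User -notmatch '\$$' } |   # skip machine accounts
        Group-Object User, Source, LmPackage |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Test-DcPorts {
    param([Parameter(Mandatory)][string]$DomainController)
    $ports = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445; LDAPS = 636; RDP = 3389 }
    foreach ($svc in $ports.Keys) {
        [pscustomobject]@{
            Service = $svc
            Port    = $ports[$svc]
            Open    = (Test-NetConnection -ComputerName $DomainController -Port $ports[$svc] `
                           -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }
}

Get-NtlmLogonSummary -ComputerName dc01 -Hours 24
Test-DcPorts -DomainController dc01 | Format-Table -AutoSize
```

NTLM V1 entries are the first thing to chase, since they come from the oldest clients or applications; run the summary across every DC, because each DC only logs the logons it processed.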
What is NIC teaming?
NIC teaming (Load Balancing/Failover, built into Windows Server since 2012) combines multiple network adapters for bandwidth aggregation and fault tolerance. In Hyper-V and software-defined networking scenarios, Switch Embedded Teaming (SET) is the modern recommended approach.
Troubleshooting: the scenario round
Interviewers love open-ended outage questions. Show a structured method: define the problem, check what changed, work the layers from physical to application, isolate, fix, and document.
"A user cannot log in to the domain" — how do you approach it?
- Confirm scope: one user, one machine, or many? That instantly narrows it.
- Check the account: locked out, disabled, expired password, or logon-hour restriction (Get-ADUser -Identity user -Properties LockedOut).
- Check the client's DNS settings — if it points at the wrong server it cannot find a DC. This is the single most common root cause.
- Verify a DC is reachable and time is in sync (Kerberos fails if clock skew exceeds 5 minutes).
- Test the secure channel with Test-ComputerSecureChannel -Repair if the machine account broke.
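The script below is an added example, not from the original guide, that walks the checklist above from the affected client in one pass: account state, whether the client's DNS servers are actually DCs, reachability of and clock skew against the PDC Emulator, and the machine's secure channel. It assumes the ActiveDirectory RSAT module on the client and local administrator rights (Test-ComputerSecureChannel needs them); the skew is read from w32tm /stripchart output.

```powershell
# Added example (not from the original guide). Run on the affected client as
# an administrator; assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

function Test-DomainLogonPrereqs {
    param([Parameter(Mandatory)][string]$User)
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator

    # 1. Account state: the cheap checks first
    $u = Get-ADUser -Identity $User -Properties LockedOut, Enabled, PasswordExpired, AccountExpirationDate

    # 2. Client DNS: the configured servers should be DCs, not a router or the ISP
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
                  Where-Object { $_.ServerAddresses } |
                  Select-Object -ExpandProperty ServerAddresses -Unique
    $dcIps = Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address
    $dnsPointsAtDc = @($dnsServers | Where-Object { $_ -in $dcIps }).Count -gt 0

    # 3. Reachability (Kerberos port) and clock skew against the PDC; Kerberos
    #    rejects tickets once skew exceeds 5 minutes (300 s).
    $reach = (Test-NetConnection -ComputerName $pdc -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
    $skew  = $null
    $lines = @(w32tm /stripchart /computer:$pdc /samples:1 /dataonly 2>$null)
    if ($lines.Count -gt 0 -and $lines[-1] -match ',\s*([+-]?\d+\.\d+)s') { $skew = [double]$matches[1] }

    # 4. Machine account secure channel (repair with -Repair if this is False)
    $secureChannel = Test-ComputerSecureChannel

    [pscustomobject]@{
        User                    = $u.SamAccountName
        Enabled                 = $u.Enabled
        LockedOut               = $u.LockedOut
        PasswordExpired         = $u.PasswordExpired
        AccountExpires          = $u.AccountExpirationDate
        ClientDnsServers        = ($dnsServers -join ', ')
        DnsPointsAtDC           = $dnsPointsAtDc
        PdcEmulator             = $pdc
        PdcReachable            = $reach
        ClockSkewSeconds        = $skew
        SkewWithinKerberosLimit = ($null -ne $skew -and [math]::Abs($skew) -lt 300)
        SecureChannelOk         = $secureChannel
    }
}

Test-DomainLogonPrereqs -User jdoe   # jdoe is a placeholder
# Domain-wide view of who is locked out right now:
# Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
```

Read the result top to bottom in the order the checklist gives: a False in DnsPointsAtDC explains almost everything below it, so fix that before touching the secure channel.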
Essential troubleshooting commands
- ping and tracert — reachability and path. Note: ICMP may be firewalled, so a failed ping is not always a real outage.
- nslookup — verify DNS resolution and which server answered.
- ipconfig /all, /flushdns, /registerdns — inspect and reset client DNS state.
- dcdiag — the domain controller health checker.
- repadmin /replsummary — replication health across DCs.
- Get-EventLog / Event Viewer — the Directory Service, DNS Server, and System logs.
A note on PowerShell
Modern Windows admin work is increasingly PowerShell-driven. Be comfortable with the ActiveDirectory module (Get-ADUser, New-ADUser, Get-ADComputer, Search-ADAccount -LockedOut) and basic remoting (Enter-PSSession, Invoke-Command). Familiarity with Server Core and Windows Admin Center signals you can manage GUI-less, scalable deployments — the direction Microsoft has pushed since Windows Server 2016.
Version-specific changes worth knowing
- Server 2012 R2 — DHCP failover, NIC teaming, and Storage Spaces matured here.
- Server 2016 — Nano Server (later refocused), Storage Spaces Direct, Shielded VMs, and a stronger Server Core focus.
- Server 2019 — FRS no longer supported for SYSVOL; Windows Admin Center; System Insights.
- Server 2022 — Secured-core server, SMB over QUIC, TLS 1.3, and hardware-rooted security.
- Server 2025 — hotpatching for on-prem, improved Active Directory database optimization (32k page size option), and tighter cloud/Azure Arc integration.
Key Takeaways
- The forest is the security boundary, not the domain — a frequently corrected interview point.
- Know all five FSMO roles, their scope, and the difference between transfer and seize.
- DNS underpins AD; most logon and replication failures trace back to bad client DNS settings.
- For Group Policy, remember LSDOU order and that Enforced beats Block Inheritance.
- RAID is not backup, and a backup you have never test-restored is not a backup either.
Frequently Asked Questions
What is the difference between transferring and seizing an FSMO role?
You transfer a role gracefully when the current holder is online and reachable — both DCs agree on the handoff. You seize a role only when the holder has failed permanently and will never return; after seizing you must fully decommission and metadata-clean the dead DC so it is never reintroduced.
Why must clocks be synchronized in an Active Directory domain?
AD uses Kerberos, which is time-sensitive to prevent replay attacks. If a client's clock differs from the DC by more than the allowed skew (5 minutes by default), authentication fails. The PDC Emulator is the authoritative time source for the domain, so it should sync to a reliable external NTP server.
What happens if a domain controller is offline longer than the tombstone lifetime?
It may hold references to objects that have since been deleted and garbage-collected elsewhere. Reconnecting it can reintroduce lingering objects and cause replication errors. The correct action is to not bring it back — demote it cleanly (or remove it with metadata cleanup) and rebuild a fresh DC.
How do I prepare for the hands-on scenario questions?
Build a small lab with one or two DCs, DNS, DHCP, and a client VM, then deliberately break things — wrong client DNS, a stopped service, a misapplied GPO — and fix them using dcdiag, repadmin, gpresult, and Event Viewer. Walking an interviewer through your real troubleshooting method beats reciting definitions.
For more practical IT, server, and tech-career walkthroughs, subscribe to @explorenystream on YouTube.