THE MODN CHRONICLES

Interview Questions on Active Directory — LDAP, Kerberos, GPO, FSMO Roles, and What IT Infrastructure Interviews Actually Test

Active Directory is the backbone of enterprise IT. Every Windows-based organization uses AD. If you are interviewing for sysadmin, IT support, infrastructure, or cloud roles in India — AD questions are guaranteed.

Active Directory runs enterprise IT. If you manage Windows infrastructure, you need to know AD inside out.

AD in Indian IT Interviews

Active Directory is the backbone of enterprise IT. Every Windows-based organization — from banks to IT service companies — uses AD for user management, authentication, and access control. In India, sysadmin, IT support, and infrastructure roles at service companies like TCS, Infosys, HCL, and Wipro test AD knowledge extensively. Even cloud roles now require AD understanding because of hybrid identity (Azure AD Connect).

AD interviews test three things: conceptual understanding (domains, forests, FSMO roles), protocol knowledge (Kerberos, LDAP, DNS), and troubleshooting ability (replication failures, login issues, GPO problems). Freshers get basic concepts. Experienced candidates get real-world scenarios and disaster recovery questions.

This guide covers 10 Active Directory questions that actually get asked in Indian IT interviews — from fundamentals to production troubleshooting.

The first AD interview question is always: “What is Active Directory and what are its key components?” If you cannot explain Domain, Domain Controller, Forest, Tree, and OU — the interview is already over.

AD Basics & Architecture

Q1: What is Active Directory? What are the key components?

Active Directory = directory service for Windows networks
Stores information about users, computers, groups, policies.

Key Components:
┌──────────────────────────────────────────┐
│ Domain                                   │
│   → Logical group of objects (users,     │
│     computers, groups)                   │
│   → Example: company.com                 │
│                                          │
│ Domain Controller (DC)                   │
│   → Server running AD DS                 │
│   → Handles authentication               │
│   → Stores AD database (NTDS.dit)        │
│                                          │
│ Forest                                   │
│   → Top-level container                  │
│   → Security boundary                    │
│   → Can contain multiple trees           │
│                                          │
│ Tree                                     │
│   → Collection of domains sharing        │
│     contiguous namespace                 │
│   → Example: company.com,                │
│     sales.company.com                    │
│                                          │
│ Organizational Unit (OU)                 │
│   → Container within a domain            │
│   → Used to organize objects             │
│   → Apply Group Policy (GPO)             │
│                                          │
│ Sites                                    │
│   → Physical network locations           │
│   → Control replication traffic          │
└──────────────────────────────────────────┘

Protocol: LDAP (Lightweight Directory Access Protocol)
AD DS = Active Directory Domain Services
Azure AD = cloud-based identity (different from on-prem AD)

Q2: What is a Domain Controller? What are FSMO roles?

Domain Controller (DC):
- Server running Active Directory Domain Services
- Handles all authentication requests
- Stores the AD database (NTDS.dit)
- Multiple DCs for redundancy (multi-master)

FSMO = Flexible Single Master Operations
5 roles that ONLY ONE DC can hold at a time:

Forest-Level (one per forest):
┌──────────────────────────────────────────┐
│ 1. Schema Master                         │
│    → Controls AD schema changes          │
│    → If fails: can't modify schema       │
│                                          │
│ 2. Domain Naming Master                  │
│    → Controls adding/removing domains    │
│    → If fails: can't add new domains     │
└──────────────────────────────────────────┘

Domain-Level (one per domain):
┌──────────────────────────────────────────┐
│ 3. RID Master                            │
│    → Allocates RID pools to DCs          │
│    → If fails: can't create new objects  │
│      (when RID pool exhausted)           │
│                                          │
│ 4. PDC Emulator                          │
│    → Password changes replicate here     │
│    → Time synchronization source         │
│    → Account lockout processing          │
│    → If fails: password changes slow,    │
│      time sync issues                    │
│                                          │
│ 5. Infrastructure Master                 │
│    → Updates cross-domain references     │
│    → If fails: group membership issues   │
│      across domains                      │
└──────────────────────────────────────────┘

Check FSMO holders:
netdom query fsmo
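An added PowerShell equivalent (not from the page) using the RSAT ActiveDirectory module: it lists the five holders, confirms each one answers, and flags an Infrastructure Master placed on a Global Catalog in a multi-domain forest, where it stops updating cross-domain references unless every DC in the domain is also a GC. The function name is chosen here; run it as a user allowed to read the forest.

```powershell
Import-Module ActiveDirectory

function Get-FsmoHolderReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Two forest-level roles (one holder per forest) and three domain-level roles (one per domain)
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'RID Master'            = $dom.RIDMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    # The Infrastructure Master placement matters only when other domains exist to hold
    # references to, and when at least one DC in this domain is not a Global Catalog.
    $multiDomain = @($forest.Domains).Count -gt 1
    $nonGcCount  = @(Get-ADDomainController -Filter * -Server $Domain |
                     Where-Object { -not $_.IsGlobalCatalog }).Count

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $dc     = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
        $issue  = ''
        if (-not $dc) {
            $issue = 'holder did not answer'
        } elseif ($role -eq 'Infrastructure Master' -and $dc.IsGlobalCatalog -and
                  $multiDomain -and $nonGcCount -gt 0) {
            $issue = 'Infrastructure Master is a GC while other DCs are not; move the role'
        }
        [pscustomobject]@{ Role = $role; Holder = $holder; Reachable = [bool]$dc; Issue = $issue }
    }
}

Get-FsmoHolderReport | Format-Table -AutoSize
```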

Q3: What is the difference between a Forest, Tree, and Domain?

Hierarchy:

Forest (security boundary)
├── Tree 1 (contiguous namespace)
│   ├── company.com (root domain)
│   ├── sales.company.com (child domain)
│   └── hr.company.com (child domain)
│
└── Tree 2 (different namespace)
    ├── subsidiary.in (root domain)
    └── tech.subsidiary.in (child domain)

Forest:
- Top-level container in AD
- SECURITY BOUNDARY (trusts don't cross forests
  unless explicitly configured)
- Shares: schema, configuration, global catalog
- One forest = one organization (usually)

Tree:
- Collection of domains with contiguous namespace
- company.com → sales.company.com → east.sales.company.com
- Automatic two-way transitive trust between domains

Domain:
- Logical group of objects
- Administrative boundary (not security boundary)
- Has its own security policies
- Minimum: one domain controller

Trust Relationships:
- Within a tree → automatic, two-way, transitive
- Between trees in same forest → tree root trust
- Between forests → forest trust (manual setup)

Key interview point:
Forest = security boundary
Domain = administrative boundary

Authentication & Trusts

Q4: How does Kerberos authentication work in AD?

Kerberos = default authentication protocol in AD
Uses tickets instead of sending passwords over network.

Step-by-step flow:

1. User logs in → sends credentials to KDC
   (Key Distribution Center = runs on DC)

2. KDC verifies → issues TGT
   (Ticket Granting Ticket)
   TGT = "proof you are authenticated"

3. User wants to access file server →
   sends TGT to KDC, requests service ticket

4. KDC issues Service Ticket
   (specific to that file server)

5. User presents Service Ticket to file server
   → access granted

Diagram:
User ──credentials──→ KDC (DC)
User ←────TGT────── KDC
User ──TGT + request──→ KDC
User ←──Service Ticket── KDC
User ──Service Ticket──→ File Server ✓

Key Components:
- KDC → Key Distribution Center (on every DC)
- TGT → Ticket Granting Ticket (valid ~10 hours)
- Service Ticket → access to specific resource
- Session Key → encrypts communication

Why Kerberos over NTLM:
- Kerberos: mutual authentication, ticket-based
- NTLM: challenge-response, weaker, legacy
- Kerberos: does NOT send password hash over network
- NTLM: vulnerable to pass-the-hash attacks

Q5: What are AD trust relationships? What are the types?

Trust = allows users in one domain to access
resources in another domain.

Trust Types:
┌──────────────────┬───────────────────────────┐
│ One-Way Trust    │ A trusts B                │
│                  │ B users → access A        │
│                  │ A users → cannot access B │
├──────────────────┼───────────────────────────┤
│ Two-Way Trust    │ A trusts B, B trusts A    │
│                  │ Both can access each other│
├──────────────────┼───────────────────────────┤
│ Transitive       │ A trusts B, B trusts C    │
│                  │ → A trusts C (automatic)  │
├──────────────────┼───────────────────────────┤
│ Non-Transitive   │ A trusts B, B trusts C    │
│                  │ → A does NOT trust C      │
├──────────────────┼───────────────────────────┤
│ Forest Trust     │ Between two forests       │
│                  │ Can be one-way or two-way │
├──────────────────┼───────────────────────────┤
│ External Trust   │ Between domains in        │
│                  │ different forests         │
│                  │ Non-transitive            │
├──────────────────┼───────────────────────────┤
│ Shortcut Trust   │ Speeds up authentication  │
│                  │ between child domains     │
│                  │ in same forest            │
└──────────────────┴───────────────────────────┘

Default trusts:
- Parent-child → two-way transitive (automatic)
- Tree root → two-way transitive (automatic)
- Forest/external → must be created manually
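Added example, not part of the original: Get-ADTrust output mapped onto the categories in the table above and in Q3, with the two settings a security review looks at on trusts that leave the forest: SID filtering quarantine (discards SIDs in a ticket that do not belong to the trusted domain) and selective authentication. Get-TrustReview is a name chosen here; it assumes the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

function Get-TrustReview {
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_

        # Same three buckets as the Q5 table: inside the forest, forest trust, external trust
        $kind = if ($t.IntraForest) {
            'intra-forest (parent-child, tree-root or shortcut)'
        } elseif ($t.ForestTransitive) {
            'forest trust'
        } else {
            'external trust (non-transitive)'
        }
        $direction = if ($t.Direction -eq 'BiDirectional') { 'two-way' } else { "one-way ($($t.Direction))" }

        # Every trust inside a forest is transitive; external trusts never are
        $transitive = [bool]($t.IntraForest -or $t.ForestTransitive)

        # Hardening checks only make sense for trusts that cross the forest boundary
        $warn = @()
        if (-not $t.IntraForest -and -not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $warn += 'SID filtering quarantine is off on an external trust'
        }
        if (-not $t.IntraForest -and -not $t.SelectiveAuthentication) {
            $warn += 'forest-wide authentication (selective authentication is off)'
        }

        [pscustomobject]@{
            Source        = $t.Source
            Target        = $t.Target
            Kind          = $kind
            Direction     = $direction
            Transitive    = $transitive
            SelectiveAuth = $t.SelectiveAuthentication
            Warnings      = ($warn -join '; ')
        }
    }
}

Get-TrustReview | Format-Table -AutoSize
```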

Q6: What is LDAP? How is it used in AD?

LDAP = Lightweight Directory Access Protocol
Protocol used to query and modify AD objects.

Ports:
- 389  → LDAP (unencrypted)
- 636  → LDAPS (SSL/TLS encrypted)
- 3268 → Global Catalog
- 3269 → Global Catalog SSL

LDAP Query Syntax:
# Find all users in IT department
(&(objectClass=user)(department=IT))

# Find disabled accounts
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

# Find all computers
(objectClass=computer)

Distinguished Name (DN) format:
CN=John Smith,OU=IT,OU=Employees,DC=company,DC=com

Components:
CN = Common Name (object name)
OU = Organizational Unit
DC = Domain Component
DN = full path to object

LDAP Operations:
- Bind    → authenticate to directory
- Search  → query objects
- Add     → create new object
- Modify  → change attributes
- Delete  → remove object

Tools:
- ldp.exe (Windows built-in)
- ADSIEdit (advanced AD editing)
- PowerShell: Get-ADUser -LDAPFilter "(department=IT)"
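Added example (not the page's code): the Q6 filters run through Get-ADUser -LDAPFilter, with the department value escaped per RFC 4515 so that input cannot change the filter's structure, and the disabled-account query also sent to a Global Catalog on port 3268. Function names are chosen here; dc01.company.com is the DC name used elsewhere on this page.

```powershell
Import-Module ActiveDirectory

# RFC 4515 escaping for a value spliced into a filter: a stray '*', '(' or ')' in the input
# would otherwise change what the filter matches. Backslash is escaped first.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# The two Q6 user filters combined. objectCategory=person is added because computer
# accounts are also objectClass=user; the matching-rule OID tests the ACCOUNTDISABLE bit (2).
function Get-DisabledUsersInDepartment {
    param([Parameter(Mandatory)][string]$Department)
    $dept   = ConvertTo-LdapFilterValue $Department
    $filter = "(&(objectCategory=person)(objectClass=user)(department=$dept)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=2))"
    Get-ADUser -LDAPFilter $filter -Properties department, whenChanged |
        Select-Object SamAccountName, department, whenChanged, DistinguishedName
}

# Disabled accounts across the whole forest: port 3268 asks the Global Catalog, which holds
# every domain's objects but only the attributes in the partial attribute set.
function Get-DisabledUsersForestWide {
    param([Parameter(Mandatory)][string]$GcServer)
    $filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
    Get-ADUser -LDAPFilter $filter -Server "$($GcServer):3268" |
        Select-Object SamAccountName, DistinguishedName
}

Get-DisabledUsersInDepartment -Department 'IT' | Format-Table -AutoSize
Get-DisabledUsersForestWide -GcServer 'dc01.company.com' | Format-Table -AutoSize
```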

Group Policy (GPO)

Q7: What is Group Policy? How does GPO processing work?

Group Policy = centralized management of
user and computer settings across the domain.

GPO Processing Order (LSDOU):
┌──────────────────────────────────────────┐
│ 1. Local Policy    (on the machine)      │
│ 2. Site Policy     (AD site)             │
│ 3. Domain Policy   (domain-wide)         │
│ 4. OU Policy       (organizational unit) │
│    └── Child OU Policy                   │
└──────────────────────────────────────────┘

LAST applied WINS (OU overrides Domain)

Example:
Local: password min 6 chars
Domain: password min 8 chars
OU (IT): password min 12 chars
→ IT users get 12 char minimum

Key Commands:
gpupdate /force     → force policy refresh
gpresult /r         → see applied policies
rsop.msc            → Resultant Set of Policy

Special Settings:
Block Inheritance → OU ignores parent GPOs
Enforce (No Override) → parent GPO cannot
  be blocked by child OUs

GPO contains two parts:
- Computer Configuration → applies at boot
- User Configuration → applies at login

Common GPO uses:
- Password policies
- Software deployment
- Drive mappings
- Desktop restrictions
- Security settings
- Firewall rules
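Added example, not from the page: the LSDOU chain for one user built with the GroupPolicy module and listed in apply order, so the last row is the one that wins, with Block Inheritance and Enforced shown where they apply. One caveat to the password example above: domain accounts take their password settings from the GPO linked at the domain, while an OU-linked password policy governs only local accounts on the computers in that OU. Function names and the jsmith account are chosen here; the OU DN is the one from Q6.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoApplyOrder {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user   = Get-ADUser -Identity $SamAccountName
    $domain = Get-ADDomain

    # Walk from the user's container up to the domain root, inserting at the front so the
    # list reads in apply order: domain, OU, child OU, ... (Local and Site are not shown).
    # The pattern tolerates escaped commas inside a name, e.g. "CN=Smith\, John".
    $chain = New-Object 'System.Collections.Generic.List[string]'
    $dn = $user.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
    while ($dn -ne $domain.DistinguishedName -and $dn -match '^(?:OU|CN)=') {
        $chain.Insert(0, $dn)
        $dn = $dn -replace '^(?:OU|CN)=(?:[^,\\]|\\.)+,', ''
    }
    $chain.Insert(0, $domain.DistinguishedName)

    $step = 0
    foreach ($container in $chain) {
        $inh = Get-GPInheritance -Target $container
        # Inside one container, link order 1 is applied last and so wins: emit highest order first
        foreach ($link in ($inh.GpoLinks | Sort-Object Order -Descending)) {
            $step++
            [pscustomobject]@{
                Step              = $step
                Container         = $container
                BlocksInheritance = $inh.GpoInheritanceBlocked   # this container ignores parent links
                Gpo               = $link.DisplayName
                LinkEnabled       = $link.Enabled
                Enforced          = $link.Enforced              # still applies below a blocking OU
            }
        }
    }
}

# What Group Policy itself computes for the OU, highest precedence first; enforced parent
# links stay in this list even when the OU blocks inheritance.
function Get-EffectiveGpoLinks {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    (Get-GPInheritance -Target $OuDistinguishedName).InheritedGpoLinks |
        Select-Object DisplayName, Enforced, Enabled, Target
}

Get-GpoApplyOrder -SamAccountName 'jsmith' | Format-Table -AutoSize
Get-EffectiveGpoLinks -OuDistinguishedName 'OU=IT,OU=Employees,DC=company,DC=com' | Format-Table -AutoSize
```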

Q8: What is the difference between a Security Group and a Distribution Group?

Two types of groups in AD:

Security Group:
┌──────────────────────────────────────────┐
│ Used for: permissions and access control │
│ Can be used in ACLs (Access Control      │
│   Lists) on files, folders, shares       │
│ Can also be used for email distribution  │
│ Example: "IT-Admins" group with access   │
│   to server room shared folder           │
└──────────────────────────────────────────┘

Distribution Group:
┌──────────────────────────────────────────┐
│ Used for: email distribution lists ONLY  │
│ CANNOT be used for permissions           │
│ Used by Exchange/Outlook                 │
│ Example: "All-Marketing" email list      │
└──────────────────────────────────────────┘

Group Scopes:
┌──────────────┬──────────────────────────┐
│ Domain Local │ Used in same domain only │
│              │ Can contain users from   │
│              │ any domain in forest     │
├──────────────┼──────────────────────────┤
│ Global       │ Can be used in any domain│
│              │ Contains users from same │
│              │ domain only              │
├──────────────┼──────────────────────────┤
│ Universal    │ Can be used anywhere     │
│              │ Can contain users from   │
│              │ any domain in forest     │
│              │ Stored in Global Catalog │
└──────────────┴──────────────────────────┘

AGDLP Strategy (best practice):
A → Accounts (users)
G → Global groups (organize by role)
DL → Domain Local groups (assign permissions)
P → Permissions (on resources)

User → Global Group → Domain Local Group → Permission
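A → G → DL → P as an added PowerShell example (not the page's own): a Global role group, a Domain Local resource group that contains it, and one NTFS entry for the resource group; both are Security groups because a Distribution group cannot be granted rights. Grant-AgdlpFolderAccess and the parameter values are chosen here; it assumes the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

# Users are never placed in the ACL directly: access is changed by editing group membership.
function Grant-AgdlpFolderAccess {
    param(
        [Parameter(Mandatory)][string]$RoleGroup,      # e.g. IT-Admins (Global, named by job role)
        [Parameter(Mandatory)][string]$ResourceGroup,  # e.g. ServerRoom-Modify (Domain Local)
        [Parameter(Mandatory)][string]$FolderPath,     # e.g. \\fs01\ServerRoom
        [Parameter(Mandatory)][string]$GroupsOu,       # DN of the OU that holds the groups
        [string[]]$Members = @()                       # sAMAccountNames for the role group
    )
    $domain = (Get-ADDomain).NetBIOSName

    # A -> G: accounts go into a Global security group
    if (-not (Get-ADGroup -Filter "Name -eq '$RoleGroup'")) {
        New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security -Path $GroupsOu
    }
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $RoleGroup -Members $Members }

    # G -> DL: the role group is nested into a Domain Local security group named for the resource
    if (-not (Get-ADGroup -Filter "Name -eq '$ResourceGroup'")) {
        New-ADGroup -Name $ResourceGroup -GroupScope DomainLocal -GroupCategory Security -Path $GroupsOu
    }
    $already = Get-ADGroupMember -Identity $ResourceGroup | Where-Object { $_.SamAccountName -eq $RoleGroup }
    if (-not $already) { Add-ADGroupMember -Identity $ResourceGroup -Members $RoleGroup }

    # DL -> P: only the Domain Local group appears in the folder ACL (Modify, inherited by children)
    $ruleArgs = "$domain\$ResourceGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl  = Get-Acl -Path $FolderPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl

    # Return the resulting ACE so the caller can confirm the entry is the group, not a user
    (Get-Acl -Path $FolderPath).Access | Where-Object { $_.IdentityReference -like "*\$ResourceGroup" }
}

Grant-AgdlpFolderAccess -RoleGroup 'IT-Admins' -ResourceGroup 'ServerRoom-Modify' `
    -FolderPath '\\fs01\ServerRoom' -GroupsOu 'OU=Groups,DC=company,DC=com' -Members 'jsmith'
```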

AD troubleshooting is where interviews separate helpdesk operators from real infrastructure engineers.

Troubleshooting & Scenarios

Q9: A user cannot log in. How do you troubleshoot?

Systematic troubleshooting checklist:

Step 1: Check the account
┌──────────────────────────────────────────┐
│ □ Account locked out?                    │
│   → AD Users & Computers → Properties    │
│   → Account tab → Unlock                 │
│                                          │
│ □ Password expired?                      │
│   → Check password expiration date       │
│   → Reset if needed                      │
│                                          │
│ □ Account disabled?                      │
│   → Enable the account                   │
│                                          │
│ □ Account expired?                       │
│   → Check "Account expires" field        │
└──────────────────────────────────────────┘

Step 2: Check connectivity
┌──────────────────────────────────────────┐
│ □ Can machine reach Domain Controller?   │
│   → ping dc01.company.com                │
│                                          │
│ □ DNS working?                           │
│   → nslookup company.com                 │
│   → DNS must point to DC                 │
│                                          │
│ □ Network cable / WiFi connected?        │
│   → ipconfig /all                        │
└──────────────────────────────────────────┘

Step 3: Check Kerberos / authentication
┌──────────────────────────────────────────┐
│ □ Time sync issue? (Kerberos needs       │
│   <5 min difference with DC)             │
│   → w32tm /query /status                 │
│                                          │
│ □ Kerberos ticket issues?                │
│   → klist (view tickets)                 │
│   → klist purge (clear tickets)          │
└──────────────────────────────────────────┘

Diagnostic Tools:
dcdiag              → DC health check
nltest /dsgetdc:    → find domain controller
nslookup            → DNS resolution
Event Viewer        → Security & System logs
Account Lockout Tools → find lockout source
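Steps 1 to 3 of the checklist as an added PowerShell example (not from the page): one query for the four account states, then a DC lookup through DNS, a port-88 check, a one-sample w32tm clock offset against the 5-minute skew limit, and a count of cached tickets from klist. Function names and the jsmith account are chosen here; it assumes the RSAT ActiveDirectory module on a domain-joined client.

```powershell
Import-Module ActiveDirectory

# Step 1 in one query: the four account states that stop a logon
function Get-LogonBlockers {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties LockedOut, PasswordExpired, AccountExpirationDate, msDS-UserPasswordExpiryTimeComputed
    # [long]::MaxValue (0x7FFFFFFFFFFFFFFF) means "password never expires" and is not a valid FILETIME
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if (-not $raw -or $raw -eq [long]::MaxValue) { 'never' } else { [datetime]::FromFileTime($raw) }
    [pscustomobject]@{
        User            = $u.SamAccountName
        LockedOut       = $u.LockedOut
        Disabled        = -not $u.Enabled
        PasswordExpired = $u.PasswordExpired
        PasswordExpires = $expires
        AccountExpired  = [bool]($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date))
    }
}

# Steps 2 and 3: the client must find a DC through the _msdcs SRV records, reach Kerberos on
# port 88, and stay inside the 5-minute clock skew; the offset comes from one w32tm sample.
function Test-LogonPrerequisites {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
    $dc  = $srv.NameTarget
    # The last /dataonly line looks like "10:15:02, +00.0031254s"; an error line has no comma
    $sample = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
    $offset = if ($sample -match ',') {
        [double](($sample -split ',')[-1] -replace '[^0-9.+-]', '')
    } else {
        [double]::NaN
    }
    [pscustomobject]@{
        Domain             = $Domain
        DC                 = $dc
        KerberosPortOpen   = (Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
        ClockOffsetSeconds = $offset
        SkewWithinLimit    = [math]::Abs($offset) -lt 300
        CachedTickets      = @(klist | Select-String '^#\d+>').Count
    }
}

Get-LogonBlockers -SamAccountName 'jsmith' | Format-List
Test-LogonPrerequisites | Format-List
```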

Q10: What is AD replication? How do you troubleshoot replication failures?

AD Replication = syncing AD database between DCs
Multi-master: changes can be made on ANY DC.

How it works:
┌──────────┐    replication    ┌──────────┐
│   DC01   │ ←───────────────→ │   DC02   │
│ (Site A) │                   │ (Site A) │
└──────────┘                   └──────────┘
      ↕ inter-site replication
┌──────────┐
│   DC03   │
│ (Site B) │
└──────────┘

KCC (Knowledge Consistency Checker):
- Automatic process on each DC
- Creates replication topology
- Ensures all DCs can reach each other

Intra-site replication:
- Within same site
- Near-instant (15 seconds default)
- Uses RPC over IP

Inter-site replication:
- Between sites
- Scheduled (default: every 180 minutes)
- Uses SMTP or RPC over IP
- Compressed to save bandwidth

Troubleshooting Commands:
repadmin /replsummary    → overview of all DCs
repadmin /showrepl DC01  → replication status
repadmin /syncall        → force sync all
dcdiag /test:replications → test replication

Common Replication Issues:
1. DNS failure → DCs can't find each other
   Fix: verify DNS records, restart DNS service

2. Network issues → firewall blocking ports
   Ports needed: 135, 389, 636, 3268, 445, 88

3. USN Rollback → DC restored from old backup
   Fix: demote and re-promote the DC
   (NEVER restore DC from old snapshot)

4. Lingering objects → deleted objects still exist
   Fix: repadmin /removelingeringobjects
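Added PowerShell example, not from the page: the picture repadmin /replsummary and /showrepl give, pulled from the ActiveDirectory module (current failures, partners whose last attempt did not return 0, and DCs of the current domain that logged event 2095, which the Directory Service log records on USN rollback), plus a port check for the list in item 2. Function names are chosen here; reading remote event logs needs admin rights on the DCs.

```powershell
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    $forest = (Get-ADForest).Name

    $failures = Get-ADReplicationFailure -Target $forest -Scope Forest |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

    # LastReplicationResult 0 is success; anything else is the Win32 error of the last attempt
    $stale = Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest |
        Where-Object { $_.LastReplicationResult -ne 0 } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult

    # Event 2095 in the Directory Service log marks a DC that detected a USN rollback (item 3 above)
    $rollback = foreach ($dc in Get-ADDomainController -Filter *) {
        $ev = Get-WinEvent -ComputerName $dc.HostName -LogName 'Directory Service' -FilterXPath '*[System[EventID=2095]]' -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($ev) { [pscustomobject]@{ DC = $dc.HostName; UsnRollbackLogged = $ev.TimeCreated } }
    }

    [pscustomobject]@{
        Failures      = @($failures)
        StalePartners = @($stale)
        UsnRollback   = @($rollback)
        Healthy       = (@($failures).Count -eq 0 -and @($stale).Count -eq 0 -and @($rollback).Count -eq 0)
    }
}

# The fixed ports from item 2 (RPC endpoint mapper, LDAP, LDAPS, GC, SMB, Kerberos).
# RPC also needs the dynamic range (49152-65535 by default), which a single port test does not cover.
function Test-ReplicationPorts {
    param([Parameter(Mandatory)][string]$Partner)
    foreach ($port in 135, 389, 636, 3268, 445, 88) {
        $r = Test-NetConnection -ComputerName $Partner -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Partner = $Partner; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

$health = Get-ReplicationHealth
$health.Failures      | Format-Table -AutoSize
$health.StalePartners | Format-Table -AutoSize
$health.UsnRollback   | Format-Table -AutoSize
Test-ReplicationPorts -Partner 'dc01.company.com' | Format-Table -AutoSize
```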

How to Prepare

Active Directory Interview — Priority by Role

Sysadmin / IT Support

  • User & group management
  • GPO creation & troubleshooting
  • Account lockout resolution
  • Password policies
  • Basic LDAP queries

Infrastructure Engineer

  • FSMO roles & transfer/seize
  • Replication topology & troubleshooting
  • Sites & subnets configuration
  • Disaster recovery & backup
  • Forest & domain design

Cloud / Hybrid Engineer

  • Azure AD Connect setup
  • Hybrid identity (sync vs federation)
  • Conditional Access policies
  • SSO & MFA configuration
  • Migration to Azure AD
