Interview questions on Active Directory

Discussion in 'Employment & Jobs' started by stolenblessing, Mar 25, 2008.

  1. stolenblessing

    stolenblessing Nibble Poster

    Folks,

    I am looking for some tough interview questions on AD. Please send them in..

    Regards,
     
    Certifications: CCNA, MCP (70-290)
    WIP: 70-291
  2. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    What is Active Directory & how does it relate to everyday use for an IT administrator?

    I could tell you the answer but thought it best to see what you think it is.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  3. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Your AD becomes corrupted. How do you restore it?
    Someone accidentally removes a group from AD. Before the group can be restored, some users are added. How do you restore the group while retaining the users?
    What is the order of GPO inheritance?
    Where would you apply a password policy?
    What are the five FSMO (please, don't pronounce it Eff-Ess-Emm-Oh) roles and what are they for?
    What is the purpose of an AD site?
    How many BDCs are required for normal AD operation (can you spot the trick)?
    What is a transitive trust?
    Why would you create a shortcut trust?

    My brain works best at 3am. 8)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  4. Fergal1982

    Fergal1982 Petabyte Poster

    This really depends on the level of job. For instance, although my previous job was working with AD all day every day, it was admin level work in AD, so I wouldn't ask any of the questions that BM suggested. Asking a low level user of the AD infrastructure a high level question is useless and irrelevant.

    If you are looking for questions to prepare for an upcoming interview, tell us what the role is, and we might be better suited to tailor the sort of questions you will get. If you are looking to set questions for a job you are looking to fill, then again, tailor the questions to the job requirements.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  5. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    I agree... but SB didn't mention what level of questions he was after. ;)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. stolenblessing

    stolenblessing Nibble Poster

    It's an associate System Admin position, not too high end
     
    Certifications: CCNA, MCP (70-290)
    WIP: 70-291
  7. stolenblessing

    stolenblessing Nibble Poster

    Nice questions mate..
    By the way, there are no PDCs in Active Directory, all DCs are peers...
     
    Certifications: CCNA, MCP (70-290)
    WIP: 70-291
  8. Fergal1982

    Fergal1982 Petabyte Poster

    That's still a bit vague to my eyes really. An 'Associate System Admin' could be the person who changes the backup tapes, all the way up to someone who implements, designs, troubleshoots the Domain. What kind of day to day tasks is the candidate expected to perform?

    It's worth reiterating, but it's pointless asking questions about AD that are utterly unrelated to what the candidate is going to be expected to do on a day to day basis. Asking about trusts when the person just creates users is a waste of time, and only serves to give false impressions as to the candidate's suitability for the job ('oh, he couldn't tell me about trusts, and the enterprise admin permissions, so he obviously isn't suitable for creating users'). Tailor the questions to the day to day tasks.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  9. Fergal1982

    Fergal1982 Petabyte Poster

    Not entirely correct. We had a PDC in my old job, running Active Directory. I believe that a mixed mode domain has to have a DC designated as a PDC.

    Standard behaviour (on that domain at least) for logging on was that the computer would query the local DC and, if the password was incorrect, or the account was locked, it would recheck with the PDC to verify if newer details had been set. This allowed me to use the PDC for creating a program to reset passwords and unlock accounts, and not have to wait the 15-20 minutes replication for it to take effect from using a DC not local to the user.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  10. Tinus1959

    Tinus1959 Gigabyte Poster

    Michael said BDCs, btw.
    But there is a PDC emulator. What is its purpose? Can we remove it when a domain is in 2003 native mode?
    Why or why not?

    How could you make the social security number part of AD?
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  11. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    That would be the trick!
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  12. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    PDC emulator, not a PDC. NT4 can't run AD, and Win2K doesn't have PDC/BDCs.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. Fergal1982

    Fergal1982 Petabyte Poster

    Probably. I don't know exactly how it was set up, all I know is that one of the DCs reported as the PDC, and behaved in the described manner.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  14. zebulebu

    zebulebu Terabyte Poster

    Fergal

    Check out your FSMO roles for a better understanding of what roles the PDC Emulator, RID Master, Infrastructure Master etc perform in Active Directory. You'll need to know this at some point - especially when the shite hits the fan and you need to seize one or more of the roles from a failed DC!

    Interesting questions in this thread - I've asked or been asked many or most at interview in the past and been surprised at the lack of understanding of even basic AD concepts amongst people applying for quite senior roles. Also, when I interviewed for my current role I was a bit taken aback that I wasn't asked any really difficult AD questions - then I started here and realised that the AD is very simple (single site model, remote offices all connecting to DCs in a data centre, OU & GPO structure very straightforward). Seems that I've been cursed in the past to have worked in places where the AD has either been implemented poorly, mismanaged or just generally shite!
     
    Certifications: A few
    WIP: None - f*** 'em
  15. warrmr

    warrmr Byte Poster

    Correct me if I'm wrong, but doesn't the PDC emulator keep the time synced in the domain?

    And I also believe that the time is kept in sync within about +- 5 seconds, and this is something to do with the Kerberos authentication systems in place within a 2003 network (but this is where my knowledge is really sketchy and I don't have much of a clue)
     
    Certifications: MCP 70-270, 70-290
    WIP: MCSA + Messaging, MCSE + Security
  16. Tinus1959

    Tinus1959 Gigabyte Poster

    Among other things, yes.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
