Top 100 Active Directory Interview Questions

Active Directory (AD) is a critical technology for system administrators, network engineers, and IT support professionals.

It provides centralized domain management, authentication, and directory services in Windows environments.

Below is a comprehensive list of the top 100 Active Directory interview questions and answers covering beginner, intermediate, and advanced levels.


Beginner-Level Questions

1. What is Active Directory?
Active Directory is a directory service developed by Microsoft that stores information about objects on the network and makes this information easy for administrators and users to find and use.

2. What are the main components of AD?
Domains, Trees, Forests, Organizational Units (OUs), Sites, Domain Controllers.

3. What is a domain?
A logical group of objects (such as users and devices) that share the same Active Directory database.

4. What is a tree in AD?
A collection of one or more domains that share a contiguous namespace.

5. What is a forest?
The topmost logical container in Active Directory that contains one or more domain trees.

6. What is an Organizational Unit (OU)?
A container within a domain used to organize users, groups, and computers logically.

7. What is a Domain Controller (DC)?
A server that handles all the authentication requests and changes in AD.

8. What is Group Policy?
A feature of Windows that provides centralized management and configuration of operating systems, applications, and users’ settings.

9. What is DNS and how is it related to AD?
Domain Name System translates domain names to IP addresses. Active Directory is heavily dependent on DNS.

10. What is LDAP?
Lightweight Directory Access Protocol. AD uses LDAP as its directory service protocol.

11. What is the Global Catalog?
A distributed data repository that contains a searchable, partial representation of every object in every domain in a forest.

12. What is the SYSVOL folder?
A folder that stores the server copy of the domain’s public files, such as logon scripts and Group Policies.

13. What are the default groups in AD?
Administrators, Users, Guests, Domain Admins, Enterprise Admins.

14. What is Kerberos?
The default authentication protocol used in AD.

15. What are the FSMO roles?
Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Master.

16. What is the Schema in AD?
Defines all objects and their attributes that can be stored in the directory.

17. What is a user account?
An object in AD that allows a person to log in and access resources.

18. What is a computer account?
An object in AD that represents a computer in the domain.

19. How can you create users in AD?
Using Active Directory Users and Computers (ADUC) console or PowerShell.

20. What is a security group?
A group used to assign permissions to shared resources.

Intermediate-Level Questions

21. How does replication work in AD?
AD uses multi-master replication where changes can be made on any DC and are replicated to others.

22. What is a Site in AD?
A Site represents a physical location in a network that contains DCs connected via high-speed connections.

23. What is a Trust Relationship?
A link between two domains that enables users in one domain to access resources in another.

24. What are the types of trusts?
Parent-child, Tree-root, External, Forest, Shortcut, Realm, and Transitive/Non-transitive.

25. How do you transfer FSMO roles?
Using the NTDSUTIL tool or AD administrative consoles.

26. What is the RID Master role?
Allocates unique IDs to DCs for creating new objects.

27. What is the PDC Emulator?
Acts as a primary domain controller for legacy clients and for password changes.

28. What is the Infrastructure Master?
Updates references from objects in its domain to objects in other domains.

29. What is the Domain Naming Master?
Controls addition or removal of domains in the forest.

30. What is the Schema Master?
Controls all updates and modifications to the schema.

31. What is an RODC?
Read-Only Domain Controller. Used in branch offices where security is a concern.

32. What is tombstoning in AD?
A deleted object is marked and retained for a period before being permanently removed.

33. What is the default tombstone lifetime?
180 days in newer versions.

34. What is AD Recycle Bin?
Feature that allows restoring deleted objects without restarting the DC.

35. How do you enable the AD Recycle Bin?
Using the AD Administrative Center or PowerShell.

36. What tools can you use to troubleshoot replication?
Repadmin, DCDiag, Event Viewer.

37. What is a Service Principal Name (SPN)?
A unique identifier for each service instance in Kerberos authentication.

38. What is Trust Transitivity?
Indicates whether the trust can extend beyond two domains.

39. What is a Fine-Grained Password Policy?
Allows different password policies for different sets of users.

40. How do you apply GPOs?
By linking them to sites, domains, or OUs in Group Policy Management Console (GPMC).

Advanced-Level Questions

41. How do you restore a deleted object in AD?
Using the AD Recycle Bin or authoritative restore via NTDSUTIL.

42. How do you seize FSMO roles?
Using NTDSUTIL when the current role holder is permanently offline.

43. What is the difference between seizing and transferring FSMO roles?
Transferring is a clean handover, while seizing is a forced action during failure.

44. What are lingering objects?
Objects present on one DC that were deleted from others.

45. How do you detect lingering objects?
Using Repadmin tool.

46. What is metadata cleanup?
The process of removing data about decommissioned DCs.

47. What is a UPN?
User Principal Name. Format: user@domain.com

48. What is a SID?
Security Identifier used to identify objects in Windows security.

49. What is a SAML token?
Security Assertion Markup Language token used for federated identity.

50. What is ADFS?
Active Directory Federation Services – allows single sign-on.

51. What is an AD forest functional level?
It defines the available AD features based on the Windows Server OS versions used by all domain controllers in the forest.

52. What is a domain functional level?
It determines the AD features within a domain based on the OS version of its domain controllers.

53. What is a replication topology?
The framework that defines how domain controllers replicate data with one another.

54. What is KCC (Knowledge Consistency Checker)?
A process that automatically generates and manages the replication topology in AD.

55. What is the difference between authorization and authentication?
Authentication verifies identity; authorization determines access levels.

56. What is a managed service account (MSA)?
An account used to run services with automatic password management and simplified SPN management.

57. What is a stale object in AD?
An outdated or unused object that remains in the directory and may need cleanup.

58. What are replication conflicts?
Conflicts that arise when the same attribute of an object is modified on two different domain controllers simultaneously.

59. What is time synchronization in AD?
A process ensuring all domain controllers and clients have a consistent time, crucial for Kerberos authentication.

60. How do you promote a server to a domain controller?
Using Server Manager or PowerShell with Install-ADDSDomainController.

61. What is a trust anchor?
A trusted certificate used to validate AD FS tokens in a federated identity setup.

62. What is schema versioning?
The tracking of schema changes over time, especially during OS upgrades.

63. What is the purpose of Netdom?
A command-line tool for managing domains and trust relationships.

64. What is DCDiag used for?
To analyze the state and health of domain controllers.

65. What is the Repadmin tool?
A command-line utility to diagnose replication problems between domain controllers.

66. What is Active Directory Lightweight Directory Services (AD LDS)?
A standalone AD service that provides directory services without domain services.

67. What is an SRV record?
A DNS record that helps locate AD-related services such as domain controllers.

68. What are GPO inheritance and precedence?
Rules that determine which Group Policies apply when multiple policies are linked at different levels.

69. What is loopback processing in GPOs?
A setting that allows user policy settings to be applied based on the computer GPOs.

70. What is security filtering in GPOs?
Controls which users or groups a GPO applies to by setting permissions.

71. What is RSOP (Resultant Set of Policy)?
A tool used to determine the effective Group Policies that apply to a user or computer.

72. What is a logon script?
A script that runs automatically when a user logs into a domain.

73. What is SID history?
A feature used during domain migrations to retain access to resources.

74. What is ADMT (Active Directory Migration Tool)?
A tool to migrate objects between domains or forests.

75. What is a GPO backup and how do you restore it?
GPMC can back up and restore Group Policies.

76. What is a trust authentication path?
The chain of trust between domains that allows users to access resources.

77. What is token bloat?
A condition where a user’s access token is too large due to excessive group memberships.

78. What is a smart card logon?
Authentication using a physical smart card and PIN.

79. What is LDAP signing?
A security setting that ensures data integrity between clients and servers.

80. What is LDAPS?
LDAP over SSL for secure directory access.

81. What is an ACL in AD?
Access Control List – defines permissions on AD objects.

82. What is NTLM?
An older authentication protocol used before Kerberos.

83. What is Kerberos delegation?
Allows a service to impersonate a user to access resources on their behalf.

84. What is constrained delegation?
Limits which services can be impersonated with Kerberos delegation.

85. What is an attribute in AD?
A property or characteristic of an AD object.

86. What is a naming context?
A portion of the directory partitioned for replication.

87. What is a site link?
A logical connection that specifies the path and schedule for replication.

88. What is a bridgehead server?
A designated server in each site that handles replication.

89. What is replication latency?
The delay between when a change is made and when it is replicated.

90. What is LDP.exe?
A GUI tool for advanced AD and LDAP operations.

91. What is Kerberos pre-authentication?
A security feature that helps prevent replay attacks.

92. What is Active Directory Certificate Services (AD CS)?
Provides customizable services for issuing and managing digital certificates.

93. What is a forest trust?
A trust between two AD forests.

94. What is selective authentication?
A method to control access across trust boundaries.

95. What is Active Directory Sites and Services?
A tool used to manage replication and site topology.

96. What is the replication interval?
Defines how often replication occurs between DCs.

97. What is transitive trust?
A trust relationship that extends beyond two domains.

98. What is the AD PowerShell module?
A set of cmdlets for managing AD from the command line.

99. What is the difference between OU and container?
OU can have GPOs applied; a container is a default object that cannot.

100. What are stale DNS records?
Old DNS records that are no longer valid but still exist.


Conclusion
Active Directory is a foundational technology in enterprise IT infrastructure.

This list of 100 questions and answers prepares you for interviews by covering practical knowledge from basics to advanced concepts.

Whether you are a beginner or seasoned professional, understanding these questions will boost your confidence and improve your chances of success in Active Directory-related roles.
