
Master the Forest: Top Active Directory Interview Questions & Answers | Lazy Admin Blog


Part 1: The Logical vs. Physical Structure

Understanding how AD is organized is the first step in mastering the service. Interviewers often look for the distinction between how objects are managed (logical) and how traffic flows (physical).

Logical Components

These define the administrative boundaries and hierarchy:

  • Forest: The uppermost boundary: one or more trees that share a common schema, configuration partition and global catalog. Microsoft treats the forest, not the domain, as the security boundary, so isolating something you do not trust means a separate forest, not a separate domain.
  • Tree: A collection of domains that share a contiguous DNS namespace (e.g., corp.com and dev.corp.com), joined by automatic two-way transitive parent-child trusts.
  • Domain: The primary unit of replication and administration: the domain partition replicates only to that domain's DCs, and every writable DC in the domain holds a full copy of it in its own ntds.dit.
  • Organizational Unit (OU): Containers used to organize objects within a domain. OUs exist to delegate administration and to link Group Policy; they are not security principals and cannot appear in an ACL (that is what groups are for).

Physical Components

These define how AD exists on hardware and over the network:

  • Domain Controllers (DC): The servers that host the AD database and handle authentication.
  • Sites: A grouping of IP subnets connected by high-speed links. Sites are used to control replication traffic and ensure users log on to a local DC rather than one across a slow WAN link.

Part 2: The Core “Under the Hood” Mechanics

The Active Directory Database

The database is stored in %SystemRoot%\NTDS as ntds.dit by default (the path is chosen at promotion time; the DSA Database file value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters records where it actually is). It is an ESE database, and the files next to it are ESE transaction files:

  • edb.log (plus numbered edbXXXXX.log files): Transaction logs. Changes are written here first and replayed into ntds.dit.
  • res1.log / res2.log: Reserve logs that guarantee the engine can flush in-flight transactions if the disk fills. Those names are from Windows 2000/2003; current versions use edbres00001.jrs and edbres00002.jrs for the same purpose.
  • edb.chk: The checkpoint file that tracks which log entries have been committed to the database.

ntds.dit holds every password hash in the domain, and an offline copy of it plus the SYSTEM registry hive is as good as domain compromise, so backups, VSS snapshots and virtual disk images of a DC need the same protection as the DC itself.

The Global Catalog (GC)

The GC is a partial replica of every object in every domain of the forest: it stores a subset of attributes (the partial attribute set, flagged in the schema) for objects from other domains and is writable only for the DC's own domain. It lets a client search the whole forest (e.g., find a printer in another domain) from one server, answering on LDAP ports 3268 and 3269 (TLS) instead of 389/636. It also resolves UPN logons and universal group membership, so a site with no reachable GC can refuse logons unless universal group membership caching is enabled.

SYSVOL Folder

The SYSVOL folder is a shared directory on every DC (\\<domain>\SYSVOL, with the NETLOGON share pointing into its scripts folder) that stores the domain's public files:

  • Logon scripts (the NETLOGON share).
  • Group Policy Templates (the file-system half of each GPO, keyed by the GPO GUID; the container half lives in AD).

It is kept in sync across all DCs by DFS Replication (DFSR). The older File Replication Service (FRS) is deprecated and is not supported for SYSVOL on current Windows Server versions, so a domain still on FRS has to be migrated with dfsrmig. Every authenticated user can read SYSVOL, so anything placed there (scripts, GPO templates) is effectively public within the domain.

Part 3: Protocols and Naming

LDAP (Lightweight Directory Access Protocol)

LDAP is the protocol used to talk to Active Directory. It is a lightweight, TCP/IP-based descendant of the X.500 Directory Access Protocol and keeps X.500's naming model; AD listens on TCP 389 (LDAP) and 636 (LDAPS), plus 3268/3269 for the Global Catalog. A simple bind over plain 389 sends the password in cleartext, so production should enforce LDAP signing and channel binding and prefer LDAPS or SASL/Kerberos binds.

  • Distinguished Name (DN): The full path to an object, leaf first (e.g., CN=JohnDoe,OU=Sales,DC=corp,DC=com).
  • Relative Distinguished Name (RDN): The leaf component only, attribute type included (e.g., CN=JohnDoe). A comma, plus sign, quote or backslash inside the value is escaped with a backslash, so CN=Doe\, John is one RDN.
  • UPN (User Principal Name): The "email-style" logon name (e.g., johndoe@corp.com). It is a separate attribute from the pre-Windows 2000 logon name sAMAccountName (CORP\johndoe) and from the mail attribute, even though all three often look alike.
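The naming rules above are easy to get wrong in scripts, mostly because of escaped commas. The following is an added example, not code from the original post: it splits a DN into its RDNs while honouring backslash escapes, pulls the RDN off the front, and rebuilds the DNS domain name from the DC= components. The function names and the sample DN are this example's own.

```powershell
# Added example (not from the original post): DN handling that respects
# RFC 4514 escapes. "CN=Doe\, John" must stay a single RDN.

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    $rdns    = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $DN.ToCharArray()) {
        if ($escaped) {
            # the character after a backslash is literal, whatever it is
            [void]$current.Append($ch); $escaped = $false
        } elseif ($ch -eq '\') {
            [void]$current.Append($ch); $escaped = $true
        } elseif ($ch -eq ',') {
            # an unescaped comma ends the current RDN
            $rdns.Add($current.ToString().Trim()); [void]$current.Clear()
        } else {
            [void]$current.Append($ch)
        }
    }
    $rdns.Add($current.ToString().Trim())
    return $rdns.ToArray()
}

function Get-Rdn {
    # The first component of a DN is the object's own RDN (type included)
    param([Parameter(Mandatory)][string]$DN)
    (Split-DistinguishedName $DN)[0]
}

function Get-DnsDomainFromDN {
    # DC=corp,DC=com -> corp.com ; -match is case-insensitive by default
    param([Parameter(Mandatory)][string]$DN)
    $dcParts = Split-DistinguishedName $DN | Where-Object { $_ -match '^DC=' }
    ($dcParts | ForEach-Object { $_.Substring(3) }) -join '.'
}

# Constructed sample: a user whose CN contains an escaped comma
$dn = 'CN=Doe\, John,OU=Sales,DC=corp,DC=com'
"RDN    : $(Get-Rdn $dn)"                                                   # CN=Doe\, John
"Domain : $(Get-DnsDomainFromDN $dn)"                                       # corp.com
"Parent : $((Split-DistinguishedName $dn | Select-Object -Skip 1) -join ',')" # OU=Sales,DC=corp,DC=com

# Against a live domain the parent DN is what you hand to -SearchBase, e.g.
# Get-ADUser -LDAPFilter '(userPrincipalName=johndoe@corp.com)' -SearchBase 'OU=Sales,DC=corp,DC=com'
```

A naive `$dn -split ','` would turn the sample into five pieces and break on the first real-world user with a comma in their display name; the character loop is the cheapest way to avoid that without pulling in System.DirectoryServices.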

Part 4: Essential Admin Tools

  • ADSIEdit: A low-level "registry editor" for Active Directory objects and attributes. It has no safety checks, and a bad edit replicates everywhere.
  • LDP (ldp.exe): A GUI for performing LDAP binds, searches and modifications by hand; useful for seeing exactly what a given account can read.
  • Repadmin: The go-to command-line tool for diagnosing replication health (repadmin /replsummary, /showrepl, /syncall).
  • Netdom: Manages trust relationships and joins computers to domains from the CLI (netdom join, netdom trust, netdom query fsmo).
  • Dcpromo (legacy): Promoted or demoted a Domain Controller up to Windows Server 2008 R2. On Windows Server 2012 and later use Server Manager or the ADDSDeployment cmdlets (Install-ADDSDomainController, Uninstall-ADDSDomainController).

Common Interview Scenario: “My Replication is Broken”

Answer: I would start with repadmin /replsummary for a forest-wide view of which DCs report failures and for how long, then repadmin /showrepl against an affected DC to see which naming contexts (Domain, Configuration, Schema or an application partition such as DomainDnsZones) and which partners are failing, and with what error. The error code drives the next step: check site-to-site connectivity and firewall rules (RPC endpoint mapper on 135 plus the dynamic RPC range), confirm the SRV records and the GUID CNAME under _msdcs so the DCs can locate each other (dcdiag /test:dns), and check time skew, since Kerberos breaks once a DC drifts more than five minutes from its partners. If a DC has been out of touch longer than the tombstone lifetime, it should not be forced back in; demote it and re-promote.
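The same triage as a script, as an added example that is not part of the original post: it reads repadmin's CSV output instead of eyeballing /showrepl text, then checks that every DC is a target of the _ldap and _kerberos SRV records under _msdcs. It assumes the ActiveDirectory module (RSAT) and a Domain Admin session; the function names are this example's own.

```powershell
# Added example (not from the original post): replication triage via
# repadmin /csv plus a DC locator SRV record check.

function Get-ReplicationFailure {
    # One row per (destination DC, source DC, naming context). The first line
    # repadmin prints is the CSV header, so ConvertFrom-Csv needs no -Header.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

function Test-DcLocatorRecord {
    # Every DC must be a target of these SRV records; a DC missing here cannot
    # be found by clients or by its replication partners.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $expected = Get-ADDomainController -Filter * -Server $Domain |
                ForEach-Object { $_.HostName.ToLower() }
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs') {
        $name = "$svc.$Domain"
        try {
            $targets = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                       Where-Object { $_.NameTarget } |              # skip glue A records
                       ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
        } catch {
            $targets = @()   # NXDOMAIN or no DNS at all: every DC shows as missing
        }
        foreach ($dc in $expected) {
            [pscustomobject]@{ Record = $name; DC = $dc; Registered = ($targets -contains $dc) }
        }
    }
}

$failures = Get-ReplicationFailure
if ($failures) { $failures | Format-Table -AutoSize } else { 'No inbound replication failures reported.' }

$missing = Test-DcLocatorRecord | Where-Object { -not $_.Registered }
if ($missing) { $missing | Format-Table -AutoSize } else { 'All DCs are registered in the _msdcs SRV records.' }

# Kerberos allows 5 minutes of skew by default; a DC past that fails to
# authenticate to its partners and shows up above with an access-denied status.
w32tm /monitor
```

Run it from any DC or RSAT workstation; 'Last Failure Status' is the Win32 error number, so 8453 (access denied) points at time or permissions, 1722 (RPC server unavailable) at network or firewall, and 8606/8614 at lingering objects or a DC past tombstone lifetime.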

#ActiveDirectory #SysAdmin #WindowsServer #ITJobs #TechInterview #Microsoft #Networking #ITOps #LazyAdmin

Dcdiag Overview: The Essential Domain Controller Diagnostic Tool


If you suspect issues with Active Directory—whether it’s slow logins, replication failures, or DNS errors—the first command you should run is Dcdiag. This command-line tool analyzes the state of your Domain Controllers (DCs) across a forest or enterprise and provides a detailed report of abnormal behavior.

Why use Dcdiag?

In a Windows environment, writable DCs are peers: any of them can accept a change (multi-master replication, with the single-master FSMO roles as the exception), and that change must replicate to every other DC. If the replication topology is broken, or the DC Locator records in DNS are wrong, the DCs quietly drift apart, and users see stale passwords, missing group memberships and failed logons depending on which DC happens to answer them.

Dcdiag identifies these “silent” failures before they become major outages.


Key Functional Areas Tested

Dcdiag doesn’t just run one check; it executes a series of specialized tests:

  • Connectivity: Verifies if DCs are reachable and have the necessary services running.
  • Replication: Checks for latent or failed replication links between peers.
  • Topology: Ensures the Knowledge Consistency Checker (KCC) has built a valid path for data to travel.
  • Advertising: Confirms the DC is properly announcing its roles (Global Catalog, KDC, etc.) so clients can find it.
  • DNS: Validates that the necessary resource records are present in DNS.

How to Run Dcdiag

Run it from an elevated prompt as a Domain Admin (Enterprise Admin when testing the whole forest with /e); several tests need rights on every DC they touch.

To test a single server:

dcdiag /s:DC_Name

Add /v for verbose output, /test:TestName to run one test (for example /test:Replications), and /f:path to write the report to a file instead of the console.

To repair the DC's service principal names (the only thing /fix changes):

dcdiag /fix

Despite what many guides say, /fix affects only the MachineAccount test: it rewrites the SPNs on the DC's computer object. It does not re-register DNS records. For that, run nltest /dsregdns (or restart the Netlogon service), then verify with dcdiag /test:dns /DnsRecordRegistration.

Understanding the Scope

Dcdiag is flexible. You can target:

  1. A Single Server: For local troubleshooting.
  2. A Site: To check health within a specific physical location.
  3. The Entire Enterprise: To ensure forest-wide health.
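Scope is where a weekly check earns its keep. The following is an added example, not code from the original post: it runs a focused set of dcdiag tests against every DC in the domain, keeps each full report on disk, and returns one row per DC listing only the tests that failed. It assumes the ActiveDirectory module and an elevated Domain Admin session; the report directory and the default test list are this example's choices.

```powershell
# Added example (not from the original post): per-DC dcdiag pass that keeps
# the full log and surfaces only "failed test" lines.

function Invoke-DcHealthCheck {
    param(
        [string]   $ReportDir = 'C:\ADHealth',
        # DNS is not in dcdiag's default test set, so it is asked for explicitly
        [string[]] $Tests     = @('Connectivity', 'Replications', 'Advertising', 'KnowsOfRoleHolders', 'DNS')
    )
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
    $testArgs = $Tests | ForEach-Object { "/test:$_" }

    foreach ($dc in Get-ADDomainController -Filter *) {
        $target = $dc.HostName
        $log    = Join-Path $ReportDir "dcdiag-$($dc.Name)-$stamp.txt"

        # Capture console output instead of using /f:, so it can be both saved and parsed
        $output = dcdiag "/s:$target" @testArgs 2>&1 | ForEach-Object { "$_" }
        $output | Set-Content -Path $log

        # dcdiag closes each test with "... <DC> passed test X" or "... <DC> failed test X"
        $failed = $output | Select-String -Pattern 'failed test (\S+)' |
                  ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique

        [pscustomobject]@{
            DC          = $dc.Name
            Site        = $dc.Site
            FailedTests = ($failed -join ', ')
            Report      = $log
        }
    }
}

$report = Invoke-DcHealthCheck
$report | Format-Table -AutoSize

# Exit non-zero when anything failed so a scheduled task (or a monitoring
# agent wrapping this script) flags the run instead of quietly succeeding.
if ($report | Where-Object { $_.FailedTests }) { exit 1 }
```

For a forest-wide pass, dcdiag /e /q from a single host produces the same information in one report; the per-DC loop above is for environments where one unreachable DC should not take the whole report down with it.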

The LazyAdmin Lesson: Make dcdiag a part of your weekly routine. Catching a replication error on Monday is much easier than fixing a fragmented database on Friday afternoon!

#ActiveDirectory #Dcdiag #SysAdmin #WindowsServer #ITPro #TechSupport #ServerHealth #LazyAdmin #ADTroubleshooting #DataCenter

How to Change the Static IP Address of a Windows Domain Controller


Whether you are re-IPing a subnet or moving a server to a new VLAN, changing a Domain Controller’s IP address requires more than just updating the NIC settings. If DNS records don’t update correctly, users won’t be able to log in, and replication will fail.

Prerequisites

  • Credentials: Domain Admins (or equivalent delegated rights on the DC and on the DNS zone).
  • Access: Work from the system console or an out-of-band management interface, not over RDP, because the session drops the moment the address changes. Know the Directory Services Restore Mode (DSRM) password before you start, so you still have a way in if the DC cannot authenticate you afterwards.

Step-by-Step: Changing the IP Address

  1. Open Network Connections: Right-click My Network Places (Windows Server 2003) or Network (2008 and later) and click Properties; on current versions, Network and Sharing Center > Change adapter settings reaches the same place.
  2. Edit Adapter: Right-click your Local Area Connection and select Properties.
  3. TCP/IP Settings: Double-click Internet Protocol (TCP/IP).
  4. Update Addresses:
    • Enter the new IP address, Subnet mask, and Default gateway.
    • Update the Preferred and Alternate DNS servers.
    • Note: The recommended layout is a partner DC as preferred and this DC itself (its own new address or 127.0.0.1) as alternate, so the DC can still resolve the domain while its own DNS service is starting.
  5. WINS (Optional): If your environment still uses WINS, click Advanced > WINS tab and update any static WINS server entries.
  6. Apply: Click OK until all dialog boxes are closed.

Critical Step: Post-Change Registration

Once the IP is changed, Windows needs to tell the rest of the domain where the DC is now located. Do not skip these commands.

Open a Command Prompt and run:

  1. Register DNS records: run ipconfig /registerdns. This forces the DC to update its own A (host) record in DNS.
  2. Re-register the locator records: run nltest /dsregdns (or restart the Netlogon service with net stop netlogon and net start netlogon). This rewrites the SRV records under _tcp and _msdcs and the DSA GUID CNAME, which is what clients and partner DCs use to find the DC at its new address. dcdiag /fix, often recommended here, only repairs the SPNs on the DC's computer account; it is harmless but does not touch DNS.
  3. Verify: dcdiag /test:dns /DnsRecordRegistration reports any record that is still missing, and nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> shows what clients actually receive.
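The whole procedure from PowerShell, as an added example that is not part of the original post: the address swap, the DNS client change, the re-registration and the verification, plus two steps the GUI walkthrough leaves implicit (clearing stale A records if this DC is a DNS server, and making sure the new subnet belongs to the DC's site). It assumes the NetTCPIP, DnsClient, DnsServer and ActiveDirectory modules and a Domain Admin session at the console of the DC being changed; every address, adapter, subnet and site name is a constructed placeholder.

```powershell
# Added example (not from the original post): re-IP a DC from PowerShell.
# All values below are constructed placeholders; replace them for your site.

$Adapter   = 'Ethernet'
$OldIp     = '192.168.0.199'
$NewIp     = '10.0.20.10'
$Prefix    = 24
$Gateway   = '10.0.20.1'
$PartnerDc = '10.0.20.11'        # another DC in the site; listed first for DNS
$NewSubnet = '10.0.20.0/24'
$Site      = 'HQ'
$Domain    = (Get-ADDomain).DNSRoot
$Fqdn      = "$env:COMPUTERNAME.$Domain".ToLower()

# 1. Address change. New-NetIPAddress refuses to add a second default gateway,
#    so the old default route goes first; an RDP session drops at this point.
Remove-NetRoute     -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress    -InterfaceAlias $Adapter -IPAddress $NewIp -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Remove-NetIPAddress -InterfaceAlias $Adapter -IPAddress $OldIp -Confirm:$false

# 2. DNS client: partner DC preferred, this DC as alternate.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses @($PartnerDc, $NewIp)

# 3. Re-registration: the host A record, then the Netlogon SRV/CNAME set.
#    dcdiag /fix is kept for what it actually does: repairing the DC's SPNs.
Register-DnsClient
nltest /dsregdns
dcdiag /fix | Out-Null

# 4. If this DC is also a DNS server, remove A records for this host that
#    still carry the old address (a static or hand-made duplicate survives
#    dynamic update and keeps sending clients to a dead IP).
Import-Module DnsServer
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
    Where-Object { $_.HostName -eq $env:COMPUTERNAME -and
                   $_.RecordData.IPv4Address.IPAddressToString -eq $OldIp } |
    ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $Domain -InputObject $_ -Force }

# 5. Map the new subnet to the DC's site, or clients in it will be sent to
#    whichever DC the locator picks instead of this one.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$NewSubnet'")) {
    New-ADReplicationSubnet -Name $NewSubnet -Site $Site | Out-Null
}

# 6. Verify from a partner's point of view, not just locally.
Resolve-DnsName -Name $Fqdn -Type A -Server $PartnerDc | Select-Object Name, IPAddress
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $PartnerDc |
    Where-Object { $_.NameTarget -eq $Fqdn } | Select-Object NameTarget, Port
dcdiag /test:dns /DnsRecordRegistration "/s:$Fqdn"
repadmin /replsummary
```

Step 6 deliberately asks the partner DC rather than the local resolver: the local server will always know its own new address, while the partner only knows it once the dynamic update and zone replication have gone through, which is the condition clients actually depend on.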

Potential Pitfalls: Mapped Drives and Hardcoded IPs

Changing the IP won't affect share permissions, but it breaks anything that referenced the old address instead of the hostname: mapped drives, firewall rules, and, more importantly for a DC, the DNS client settings of every machine that listed this DC as its DNS server (other DCs, DHCP scope options, statically configured servers), as well as any AD Sites and Services subnet the new address no longer falls into. Connecting by IP also costs you Kerberos: with no name there is no SPN to request a ticket for, so by default SMB falls back to NTLM.

  • Avoid this: net use g: \\192.168.0.199\data (breaks after the change, and authenticates with NTLM).
  • Do this: net use g: \\DC1\data (keeps working regardless of the IP, and uses Kerberos).

The LazyAdmin Lesson: Always use DNS names (Hostnames) for your resources. It saves you from manual updates every time a server moves!

#ActiveDirectory #SysAdmin #WindowsServer #Networking #IPAddress #ITPro #DNS #Troubleshooting #LazyAdmin #ServerAdmin