AD Interview Questions (Part 2)

What are Active Directory partitions?

An Active Directory partition defines how and where AD information is logically stored.

What are all the Active Directory partitions?

Schema partition
Configuration partition
Domain partition
Application partition

What is the use of Active Directory partitions?
How do you find the Active Directory partitions and their locations?

Schema Partition – It stores details about the object classes and attributes that can exist in the directory. Replicates to all domain controllers in the forest.

DN location: CN=Schema,CN=Configuration,DC=Domainname,DC=com

Configuration Partition – It stores AD configuration information such as sites, site links, subnets, and other replication topology data. Replicates to all domain controllers in the forest.

DN location: CN=Configuration,DC=Domainname,DC=com

Domain Partition – It stores object information for a domain, such as users, computers, groups, printers, and other domain-specific data. Replicates to all domain controllers within the domain.

DN location: DC=Domainname,DC=com

Application Partition – It stores information for applications integrated with Active Directory. For example, when AD-integrated DNS is used there are two application partitions for DNS zones: ForestDNSZones and DomainDNSZones.
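As an added example (not part of the original post), the following PowerShell script lists the partitions held by the DC you query, classifies each one from the RootDSE attributes rather than from the DN prefix, and shows which DCs hold replicas of each application partition and which partition each AD-integrated DNS zone lives in. It assumes the ActiveDirectory and DnsServer RSAT modules are installed.

```powershell
# Added example, not from the original post: enumerate and classify the naming
# contexts (partitions) on a DC, then locate application-partition replicas.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE          # exposes the partition DNs as attributes
$forest  = Get-ADForest           # .ApplicationPartitions lists the application NCs

# 1. Classify every naming context the DC holds, matching on RootDSE attributes.
$partitions = foreach ($nc in $rootDse.namingContexts) {
    $type = if     ($nc -eq $rootDse.schemaNamingContext)        { 'Schema (forest-wide)' }
            elseif ($nc -eq $rootDse.configurationNamingContext) { 'Configuration (forest-wide)' }
            elseif ($forest.ApplicationPartitions -contains $nc) { 'Application (per-partition replica set)' }
            else                                                  { 'Domain (domain-wide)' }
    [pscustomobject]@{ Partition = $nc; Type = $type }
}
$partitions | Format-Table -AutoSize

# 2. For each application partition, read its crossRef object under CN=Partitions.
#    msDS-NC-Replica-Locations holds the NTDS Settings DN of every DC that replicates
#    it, which tells you which DCs a backup of that partition can come from.
$partitionsContainer = "CN=Partitions,$($rootDse.configurationNamingContext)"
$crossRefs = Get-ADObject -SearchBase $partitionsContainer -LDAPFilter '(objectClass=crossRef)' `
                          -Properties nCName, 'msDS-NC-Replica-Locations'
foreach ($cr in $crossRefs) {
    if ($forest.ApplicationPartitions -notcontains $cr.nCName) { continue }
    # each value looks like CN=NTDS Settings,CN=DC01,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,...
    $dcNames = $cr.'msDS-NC-Replica-Locations' | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }
    [pscustomobject]@{ Partition = $cr.nCName; ReplicaDCs = ($dcNames -join ', ') }
}

# 3. Map AD-integrated DNS zones to the partition they are stored in (ForestDNSZones,
#    DomainDNSZones, or the legacy domain partition). Requires the DnsServer module.
Get-DnsServerZone | Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName | Format-Table -AutoSize
```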

How to configure Active Directory partitions?
Only the application partition can be created and configured manually, for use with AD-integrated applications; refer to this article for details.

How to create a DNS zone in an application directory partition?

See my previous article.

How to move a DNS zone from the domain partition to an application partition?

See my previous article.

How to take an Active Directory backup?
A system state backup backs up Active Directory; NTBackup can be used to back up Active Directory.

What are the Active Directory restore types?
Authoritative restore
Non-authoritative restore

Non-authoritative restore of Active Directory
A non-authoritative restore returns the domain controller to its state at the time of the backup and then allows normal replication to overwrite the restored domain controller with any changes that occurred after the backup. After the system state restore, the domain controller queries its replication partners and pulls the changes made since the backup date, to ensure that it has an accurate and up-to-date copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory; a plain restore of the system state is a non-authoritative restore, and this is what is mostly used for Active Directory data loss or corruption.

How to perform a non-authoritative restore?
Start the domain controller in Directory Services Restore Mode (DSRM) and perform a system state restore from backup.

Authoritative restore of Active Directory
An authoritative restore is the next step after the non-authoritative restore process: you have to do a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore can increment the version number of the attributes of all objects, or of an individual object, in the directory, which marks the restored object as authoritative. This can be used to restore a single deleted user or group, or even an entire OU.

In a non-authoritative restore, after a domain controller is back online, it contacts its replication partners to determine any changes since the time of the last backup. In an authoritative restore, however, the version numbers of the object attributes that you mark as authoritative are raised higher than the existing version numbers of those attributes, so the object on the restored domain controller appears to be more recent and is therefore replicated out to the other domain controllers in the domain.

How to perform an authoritative restore?
Unlike a non-authoritative restore, an authoritative restore requires Ntdsutil.exe to increment the version number of the object attributes.

Which Active Directory partitions can be restored?
You can authoritatively restore only objects from the configuration and domain partitions. Authoritative restores of the schema naming context are not supported.

How many domain controllers need to be backed up, or which domain controllers should be backed up?
The minimum requirement is to back up two domain controllers in each domain, one of which should be an operations master role holder; there is no need to back up the RID master (relative ID master), because the RID master should not be restored.

Can we restore the backup of one domain controller to another/different domain controller?
A backup of one domain controller can't be restored to another domain controller; it must be restored to the same domain controller.
