
Active Directory (AD) — 50 QnA

1) What is Active Directory (AD)?
Active Directory is a Microsoft directory service for managing identities and access in Windows environments. It organizes objects like users, computers, and groups in a hierarchical structure using domains and forests. AD uses LDAP for querying and Kerberos for authentication, ensuring secure access to network resources. It centralizes administration, enabling admins to enforce policies, manage permissions, and deploy software. Key components include Domain Controllers (DCs), schema, and organizational units (OUs) for logical grouping. AD supports scalability from small businesses to large enterprises with complex trust relationships. Troubleshoot AD issues by checking replication, DNS configuration, and event logs for errors. Interviewers expect understanding of AD’s role in identity management and its integration with other systems.
2) What is a Domain Controller (DC)?
A Domain Controller is a server running AD Domain Services (AD DS) to store and manage AD data. It authenticates users, enforces security policies, and replicates directory data across other DCs. DCs host the AD database (NTDS.dit), which includes user accounts, groups, and computer objects. Multiple DCs ensure redundancy, fault tolerance, and load balancing in larger environments. Use tools like dcdiag to troubleshoot DC health, replication failures, or DNS misconfigurations. Secure DCs with restricted physical access, strong passwords, and regular patching to prevent compromise. Monitor event logs for authentication failures or replication errors to detect issues early. Interviewers may ask about DC roles, replication troubleshooting, and securing sensitive DC operations.
3) What is an Organizational Unit (OU)?
An OU is a container in AD used to organize objects like users, groups, and computers for management. OUs allow admins to apply Group Policy Objects (GPOs) and delegate administrative tasks granularly. They simplify access control and policy enforcement by grouping objects based on department or role. OUs can be nested for hierarchical organization, but deep nesting may complicate management. Troubleshoot OU issues by verifying GPO application, delegation permissions, and object placement. Use PowerShell (Get-ADOrganizationalUnit) to audit OU structures and linked policies efficiently. Document OU design to align with business needs and ensure consistent policy application. Interviewers may ask about OU design principles and how they support delegated administration.
4) What is a Group Policy Object (GPO)?
A GPO is a collection of settings in AD that control user and computer configurations across a domain. GPOs manage security, software installation, scripts, and desktop settings for consistent environments. They are linked to OUs, domains, or sites and applied in a specific order: Local, Site, Domain, OU. Troubleshoot GPO issues using gpresult or rsop.msc to verify policy application and precedence. Secure GPOs by restricting edit permissions and auditing changes to prevent unauthorized modifications. Use PowerShell (Get-GPO) to manage and report on GPO settings for compliance and troubleshooting. GPOs can conflict; understanding inheritance and blocking is key to resolving application issues. Interviewers may ask about GPO troubleshooting, inheritance, and strategies for large-scale policy management.
5) What is Kerberos Authentication in AD?
Kerberos is the primary authentication protocol in AD, using tickets to verify user and service identities. It relies on a Key Distribution Center (KDC) on DCs to issue Ticket Granting Tickets (TGTs) and service tickets. Kerberos provides secure, mutual authentication without transmitting passwords over the network. Troubleshoot Kerberos issues by checking time sync (max 5-minute skew), SPNs, and event logs. Use klist to inspect ticket caches and diagnose authentication failures or ticket expiration. Secure Kerberos by protecting service accounts and monitoring for ticket-based attacks like Golden Tickets. Kerberos supports delegation for scenarios requiring impersonation, but misconfigurations can lead to vulnerabilities. Interviewers may ask about Kerberos flows, troubleshooting steps, and securing against ticket attacks.
6) What is LDAP in the context of AD?
LDAP (Lightweight Directory Access Protocol) is used in AD to query and modify directory objects. AD exposes its database via LDAP, allowing applications to retrieve user, group, or computer data. LDAP queries use distinguished names (DNs) to locate objects in the AD hierarchy (e.g., CN=User,OU=Sales,DC=example,DC=com). Secure LDAP (LDAPS) uses TLS to encrypt communication, critical for sensitive operations. Troubleshoot LDAP issues by verifying port connectivity (389/636), bind credentials, and query syntax. Use tools like ldp.exe or PowerShell (Get-ADUser) to test and debug LDAP interactions. Misconfigured LDAP filters can cause performance issues; optimize queries for efficiency. Interviewers may ask about LDAP query optimization and securing LDAP communications.
7) What is a Forest in Active Directory?
A forest is the top-level container in AD, encompassing one or more domains sharing a common schema. It defines a security boundary and trust relationships, with a single root domain at its core. Forests enable centralized management while allowing domain-level autonomy for policies and permissions. Troubleshoot forest issues by checking schema consistency, global catalog availability, and trust configurations. Use repadmin to diagnose replication issues across domains within the forest. Secure forests by limiting schema admin access and monitoring for unauthorized schema changes. Multi-forest setups require explicit trusts; validate trust direction and type for functionality. Interviewers may ask about forest design, trust management, and schema update processes.
8) What is a Domain in Active Directory?
A domain is a logical grouping of objects (users, computers, groups) in AD with shared security policies. Each domain has its own database and policies but shares a schema and global catalog within a forest. Domains provide administrative boundaries, allowing different teams to manage their own objects. Troubleshoot domain issues by checking DNS resolution, replication status, and DC availability. Use PowerShell (Get-ADDomain) to inspect domain health and configuration settings. Secure domains by enforcing strong passwords and monitoring privileged accounts for misuse. Domains can form trusts to enable resource sharing across boundaries; validate trust configurations. Interviewers may ask about domain hierarchy, replication troubleshooting, and trust types.
9) What is the Global Catalog (GC)?
The Global Catalog is a distributed data store in AD that contains a partial replica of all domain objects. It enables cross-domain searches and authentication by storing key attributes for quick lookup. GC servers are DCs designated to host the catalog, critical for multi-domain or forest environments. Troubleshoot GC issues by checking replication, port availability (3268/3269), and GC server health. Use nltest or PowerShell to verify GC functionality and locate GC servers in the forest. Secure GC by ensuring only necessary attributes are included to minimize replication overhead. GC is vital for logon processes and Exchange; ensure sufficient GC servers for redundancy. Interviewers may ask about GC’s role in authentication and optimizing its placement.
10) What are AD Trusts?
AD trusts are relationships between domains or forests allowing resource sharing and cross-authentication. Types include parent-child, tree-root, external, forest, and shortcut trusts, each with specific use cases. Trusts can be one-way or two-way, transitive or non-transitive, depending on configuration. Troubleshoot trust issues by validating DNS, NetBIOS names, and trust authentication protocols (Kerberos/NTLM). Use nltest or AD Domains and Trusts to verify and manage trust relationships. Secure trusts by limiting scope, using selective authentication, and monitoring for abuse. Misconfigured trusts can lead to unauthorized access; regularly audit trust configurations. Interviewers may ask about trust types, configuration steps, and securing trust relationships.
11) What is AD Replication?
AD replication synchronizes directory data across DCs to ensure consistency in a domain or forest. It uses a multi-master model, where changes can originate from any DC and propagate to others. Replication occurs within sites (fast) and between sites (scheduled) based on topology. Troubleshoot replication with repadmin, checking for errors, latency, or stuck updates. Use sites and services to optimize replication by defining subnets and site links. Secure replication by enabling encryption (LDAPS) and monitoring for unauthorized changes. Replication failures can cause inconsistent policies or authentication; monitor event logs. Interviewers may ask about replication topology, troubleshooting, and optimizing inter-site replication.
12) What is the AD Schema?
The AD schema defines the structure of objects and attributes stored in the AD database. It includes object classes (e.g., user, computer) and their permissible attributes, like sAMAccountName. Schema changes are forest-wide, replicated to all DCs, and require careful planning. Troubleshoot schema issues by verifying update permissions and checking replication status. Use Schema Admin group sparingly and audit schema changes to prevent unauthorized modifications. Schema updates (e.g., for Exchange) must be tested in a lab to avoid forest-wide issues. Back up the schema before changes and document all modifications for compliance. Interviewers may ask about schema extension processes and risks of schema misconfiguration.
13) What are Flexible Single Master Operation (FSMO) Roles?
FSMO roles are specialized tasks assigned to specific DCs to avoid conflicts in multi-master replication. Five roles exist: Schema Master, Domain Naming Master, PDC Emulator, RID Master, and Infrastructure Master. Schema and Domain Naming Masters are forest-wide; others are domain-wide. Troubleshoot FSMO issues by checking role holder status (ntdsutil) and seizing roles if a DC fails. Transfer roles gracefully during maintenance to avoid outages; avoid seizing unless necessary. Secure FSMO role holders with strong physical and logical security to prevent compromise. Monitor FSMO role performance and ensure redundancy plans for role holder failures. Interviewers may ask about FSMO role functions, troubleshooting, and role transfer/seizure processes.
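The two health checks above, FSMO role holder status (Q13) and replication failures (Q11), as one PowerShell script. This is an added example, not code from the original page; it assumes the ActiveDirectory RSAT module on a domain-joined host with rights to read replication metadata, and that LDAP port 389 is a reasonable liveness probe for a role holder.

```powershell
# Added example (not from the original page): FSMO holder check plus a
# replication summary equivalent to "repadmin /replsummary", returned as objects.
Import-Module ActiveDirectory

function Get-FsmoStatus {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Forest-wide roles are exposed by Get-ADForest, domain-wide roles by Get-ADDomain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        # A holder that no longer answers LDAP is a seizure candidate only once you
        # have confirmed it is really gone; otherwise transfer the role gracefully.
        $probe = Test-NetConnection -ComputerName $r.Value -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role          = $r.Key
            Holder        = $r.Value
            LdapReachable = $probe.TcpTestSucceeded
        }
    }
}

function Get-ReplicationHealth {
    param([int]$StaleHours = 3)   # intra-site replication should never lag this long
    $failures = Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
    # Partner metadata records the last successful replication per partition and partner.
    $stale = Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).DNSRoot -Scope Domain |
        Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$StaleHours) }
    [pscustomobject]@{
        FailureCount  = @($failures).Count
        Failures      = $failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
        StalePartners = $stale    | Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
    }
}

# Usage:
Get-FsmoStatus | Format-Table -AutoSize
$health = Get-ReplicationHealth
$health.Failures      | Format-Table -AutoSize
$health.StalePartners | Format-Table -AutoSize
```

Run it from a management host rather than on a DC; an unreachable role holder together with a growing failure count for the same server is the combination that justifies a role transfer, while failures spread across many partners usually point at DNS or site-link problems instead.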
14) What is the PDC Emulator Role?
The PDC Emulator is an FSMO role handling critical tasks like password changes and time synchronization. It emulates a Windows NT PDC for legacy clients and processes account lockouts and authentication. The PDC Emulator also synchronizes time across the domain to ensure Kerberos functionality. Troubleshoot PDC issues by checking time sync (w32tm), event logs, and replication health. Ensure the PDC Emulator is highly available, as it’s critical for authentication workflows. Secure it with restricted access and monitor for signs of compromise or overload. If the PDC Emulator fails, seize the role to another DC after verifying replication status. Interviewers may ask about PDC Emulator’s role in time sync and handling legacy clients.
15) What is Group Policy Inheritance?
Group Policy Inheritance determines how GPOs are applied based on their link order: Local, Site, Domain, OU. Child OUs inherit parent GPO settings unless blocked or overridden by higher-priority GPOs. Use “Block Inheritance” to prevent parent GPOs from applying, or “Enforced” to ensure application. Troubleshoot inheritance issues with gpresult or GPMC to identify conflicting or missing policies. Misconfigured inheritance can lead to unintended settings; document GPO links and priorities. Use PowerShell (Get-GPInheritance) to audit and manage inheritance settings efficiently. Test GPO changes in a lab to avoid disrupting production due to inheritance conflicts. Interviewers may ask about resolving GPO conflicts and optimizing inheritance for complex OUs.
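An inheritance audit for every OU in the domain, written to illustrate the inheritance rules above. This is an added example, not code from the original page; it assumes the ActiveDirectory and GroupPolicy RSAT modules, and the baseline GPO name in the usage line is a placeholder.

```powershell
# Added example (not from the original page): report, per OU, whether inheritance
# is blocked, which direct links are Enforced or disabled, and the effective order.
Import-Module ActiveDirectory, GroupPolicy

function Get-OuInheritanceReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName
        # GpoLinks = links made directly on this OU.
        # InheritedGpoLinks = the final effective list in precedence order (first wins a conflict).
        $enforced = $inh.GpoLinks | Where-Object { $_.Enforced }     | ForEach-Object { $_.DisplayName }
        $disabled = $inh.GpoLinks | Where-Object { -not $_.Enabled } | ForEach-Object { $_.DisplayName }
        $order    = $inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }
        [pscustomobject]@{
            OU             = $_.DistinguishedName
            BlocksInherit  = $inh.GpoInheritanceBlocked
            DirectLinks    = @($inh.GpoLinks).Count
            EnforcedLinks  = (@($enforced) -join '; ')
            DisabledLinks  = (@($disabled) -join '; ')
            EffectiveOrder = (@($order) -join ' > ')
        }
    }
}

function Find-BaselineGap {
    param([Parameter(Mandatory)][string]$BaselineGpoName)
    # An OU that blocks inheritance silently drops the security baseline unless the
    # baseline's link is Enforced above it: Enforced beats Block Inheritance.
    Get-OuInheritanceReport | Where-Object {
        $_.EffectiveOrder -notmatch [regex]::Escape($BaselineGpoName)
    } | Select-Object OU, BlocksInherit, EffectiveOrder
}

# Usage:
Get-OuInheritanceReport | Where-Object { $_.BlocksInherit } | Format-Table OU, EnforcedLinks -AutoSize
Find-BaselineGap -BaselineGpoName 'Security Baseline'    # placeholder GPO name
```

The second function is the check worth scheduling: it lists every OU whose effective GPO list lacks the baseline, which is exactly the gap that "Block Inheritance" creates and that "Enforced" on the domain-level link closes.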
16) What is AD Sites and Services?
AD Sites and Services manages replication and service location based on physical network topology. Sites represent physical locations (e.g., offices) defined by IP subnets for efficient replication. Site links control inter-site replication schedules and costs to optimize bandwidth usage. Troubleshoot site issues by verifying subnet definitions, site link configurations, and replication health. Use repadmin and dcdiag to diagnose replication delays or site misconfigurations. Secure site configurations by restricting admin access and auditing changes to site topology. Proper site design reduces latency for authentication and improves client-DC communication. Interviewers may ask about site design, replication optimization, and troubleshooting site-related issues.
17) What is the AD Recycle Bin?
The AD Recycle Bin allows recovery of deleted objects (users, groups, OUs) without restoring backups. Enabled at the forest level, it retains deleted objects for a configurable tombstone lifetime (default 180 days). Recover objects using PowerShell (Restore-ADObject) or AD Administrative Center for quick restoration. Troubleshoot recovery issues by checking tombstone lifetime and ensuring the Recycle Bin is enabled. Enable the Recycle Bin before critical operations to avoid permanent data loss. Secure access to recovery operations, as unauthorized restores can reintroduce compromised accounts. Monitor Recycle Bin usage to detect accidental deletions or malicious activity. Interviewers may ask about enabling the Recycle Bin and steps for recovering complex objects.
18) What is a Service Principal Name (SPN)?
An SPN is a unique identifier for a service instance used by Kerberos authentication in AD. It maps a service to an account (e.g., MSSQLSvc/server.example.com) for secure client authentication. Duplicate SPNs cause authentication failures; use setspn to detect and resolve conflicts. Troubleshoot SPN issues by validating registrations and checking Kerberos event logs. Register SPNs for services like SQL Server or IIS to ensure proper Kerberos functionality. Secure SPNs by restricting who can modify them and auditing changes to prevent spoofing. Use PowerShell (Set-SPN) to manage SPNs and avoid manual errors in complex environments. Interviewers may ask about SPN troubleshooting and its role in Kerberos delegation.
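The two Kerberos troubleshooting steps named in Q5 and Q18, clock skew against the PDC Emulator and duplicate SPNs, as one PowerShell script. This is an added example, not code from the original page; it assumes the ActiveDirectory RSAT module on a domain-joined host and uses the built-in w32tm tool for the time check.

```powershell
# Added example (not from the original page): Kerberos health checks.
# The 300 s threshold is Kerberos' default 5-minute skew tolerance.
Import-Module ActiveDirectory

function Test-KerberosTimeSkew {
    param([int]$MaxSkewSeconds = 300)
    # The PDC Emulator is the domain's authoritative time source, so measure this
    # host's offset against it rather than against whichever DC answered logon.
    $pdc = (Get-ADDomain).PDCEmulator
    # "w32tm /stripchart /dataonly" prints one "HH:mm:ss, +00.0123456s" line per sample.
    $lines  = w32tm /stripchart /computer:$pdc /samples:1 /dataonly 2>&1
    $offset = $null
    foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { $offset = [double]$Matches[1] }
    }
    [pscustomobject]@{
        Pdc           = $pdc
        OffsetSeconds = $offset
        WithinSkew    = ($null -ne $offset) -and ([math]::Abs($offset) -lt $MaxSkewSeconds)
    }
}

function Find-DuplicateSpn {
    # An SPN must map to exactly one account. With two candidates the KDC cannot
    # choose a key for the service ticket, so clients fail or fall back to NTLM.
    # "setspn -X" performs the same search; this version returns objects.
    $index = @{}
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()        # SPN matching is case-insensitive
                if (-not $index.ContainsKey($key)) { $index[$key] = @() }
                $index[$key] += $dn
            }
        }
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ Spn = $entry.Key; Accounts = ($entry.Value -join '; ') }
        }
    }
}

# Usage:
Test-KerberosTimeSkew | Format-List
Find-DuplicateSpn     | Format-Table -AutoSize
# On a single failing client, "klist" shows the cached tickets and "klist purge" clears them.
```

A duplicate found by the second function is resolved by removing the SPN from the account that does not run the service; the time check is worth running on the failing client itself, since skew is measured between that client and the KDC.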
19) What is AD Delegation of Control?
Delegation of Control assigns specific administrative permissions to users or groups for AD objects. It allows granular management, like resetting passwords or managing group memberships, without full admin rights. Use the Delegation of Control Wizard or PowerShell to assign permissions to OUs or objects. Troubleshoot delegation issues by auditing permissions with dsacls or PowerShell (Get-ACL). Secure delegation by following least privilege and regularly reviewing delegated permissions. Misconfigured delegation can lead to privilege escalation; monitor for unauthorized changes. Document delegation assignments to ensure accountability and simplify audits. Interviewers may ask about delegation scenarios and securing delegated permissions.
20) What are AD Security Groups?
Security groups in AD manage permissions for users and computers accessing resources like files or applications. They can be domain-local, global, or universal, depending on scope and replication needs. Assign permissions to groups, not individuals, to simplify administration and auditing. Troubleshoot group issues by checking membership, scope, and permission assignments with PowerShell. Secure groups by limiting membership changes and monitoring privileged groups like Domain Admins. Use nested groups for scalability but avoid excessive nesting to maintain clarity. Audit group memberships regularly to prevent unauthorized access or stale memberships. Interviewers may ask about group scope differences and managing group-based permissions.
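A membership audit for the privileged groups mentioned above, written as an added example rather than code from the original page. It assumes the ActiveDirectory RSAT module; the group list and the 90-day staleness window are assumptions you can adjust.

```powershell
# Added example (not from the original page): expand privileged groups recursively
# and flag members that deserve a second look.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators'),
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so a member hidden two levels down still shows.
        # Enterprise/Schema Admins exist only in the forest root; skip quietly elsewhere.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') {
                [pscustomobject]@{ Group = $g; Member = $m.SamAccountName; Class = $m.objectClass; Flags = 'non-user principal' }
                continue
            }
            $u = Get-ADUser $m.DistinguishedName -Properties Enabled, PasswordNeverExpires, LastLogonDate, ServicePrincipalName
            $flags = @()
            if (-not $u.Enabled)            { $flags += 'disabled but still a member' }
            if ($u.PasswordNeverExpires)    { $flags += 'password never expires' }
            # LastLogonDate derives from lastLogonTimestamp, which replicates with up to ~14 days lag.
            if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) { $flags += "no logon in $StaleDays days" }
            if ($u.ServicePrincipalName)    { $flags += 'has SPN: service account in an admin group' }
            [pscustomobject]@{ Group = $g; Member = $u.SamAccountName; Class = 'user'; Flags = ($flags -join '; ') }
        }
    }
}

# Usage: show only members with findings.
Get-PrivilegedGroupReport | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Each flag maps to a cleanup action: a disabled member is simply removed, a service account with an SPN in an admin group is the case to move to a less privileged group or a gMSA, and stale members are the accounts whose ownership should be confirmed before the next review.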
21) What is NTLM Authentication?
NTLM is a legacy authentication protocol in AD, used when Kerberos is unavailable or unsupported. It relies on challenge-response mechanisms, transmitting hashed credentials over the network. NTLM is less secure than Kerberos due to vulnerabilities like pass-the-hash attacks. Troubleshoot NTLM issues by checking client compatibility, SPNs, and fallback settings. Disable NTLM where possible, enforcing Kerberos to reduce attack surface. Monitor NTLM usage via event logs to detect legacy systems or potential attack attempts. Secure environments by auditing NTLM traffic and prioritizing Kerberos adoption. Interviewers may ask about NTLM vs. Kerberos and steps to phase out NTLM usage.
22) What is the AD Database (NTDS.dit)?
NTDS.dit is the core AD database file storing all directory objects, located on each DC. It contains user accounts, groups, computers, and security descriptors, encrypted for security. The database is replicated across DCs to ensure consistency and fault tolerance. Troubleshoot database issues by checking disk space, file integrity, and replication status. Back up NTDS.dit regularly using system state backups to enable recovery. Secure the database by restricting physical and logical access to DCs. Use tools like ntdsutil to perform offline maintenance or recover corrupted databases. Interviewers may ask about database maintenance, backup strategies, and recovery processes.
23) What is SYSVOL in Active Directory?
SYSVOL is a shared folder on DCs storing Group Policy files, scripts, and other domain-wide data. It’s replicated across DCs using File Replication Service (FRS) or Distributed File System Replication (DFSR). SYSVOL hosts GPO templates and scripts critical for policy application and domain functionality. Troubleshoot SYSVOL issues by checking replication status, permissions, and DFSR health. Secure SYSVOL by restricting write access and monitoring for unauthorized file changes. Use dfsrdiag or repadmin to diagnose replication failures or inconsistencies. Ensure consistent SYSVOL replication to avoid GPO application failures across DCs. Interviewers may ask about SYSVOL replication troubleshooting and its role in GPO delivery.
24) What is AD Federation Services (AD FS)?
AD FS provides federated identity and SSO for AD users accessing external or cloud applications. It uses SAML, OAuth, or WS-Federation to exchange claims with trusted partners or services. AD FS acts as an Identity Provider (IdP), issuing tokens for authentication and authorization. Troubleshoot AD FS by checking relying party trusts, certificates, and token-signing configurations. Secure AD FS with strong certificates, TLS, and monitoring for token misuse or replay attacks. Use PowerShell (Get-AdfsProperties) to manage and audit AD FS configurations. Ensure high availability with multiple AD FS servers and proper load balancing. Interviewers may ask about AD FS setup, federation troubleshooting, and integration with Azure AD.
25) What is Conditional Access in AD?
Conditional Access enforces policies based on user, device, location, or risk signals in AD-integrated systems. It’s often used with Azure AD to require MFA, compliant devices, or block risky logins. Policies are applied at authentication or resource access, enhancing security for cloud and on-prem resources. Troubleshoot issues by checking policy conditions, logs, and user/device compliance status. Secure Conditional Access by testing policies in report-only mode to avoid lockouts. Integrate with Intune or other MDM solutions for device posture checks. Monitor policy enforcement logs to detect bypass attempts or misconfigurations. Interviewers may ask about designing Conditional Access policies and troubleshooting user access issues.
26) What is AD Connect (Azure AD Connect)?
Azure AD Connect synchronizes on-prem AD objects (users, groups) to Azure AD for hybrid identity. It supports password hash sync, pass-through authentication, or federation for seamless SSO. Configure attribute filtering to sync only necessary data, reducing cloud exposure. Troubleshoot sync issues by checking AD Connect logs, attribute mappings, and connectivity. Secure AD Connect with least-privilege accounts and encrypted communication channels. Monitor sync health via Azure portal or PowerShell to detect delays or errors. Regularly update AD Connect to ensure compatibility with Azure AD updates. Interviewers may ask about sync configurations, troubleshooting sync errors, and hybrid identity setups.
27) What is Privileged Access Management (PAM) in AD?
PAM in AD secures high-privilege accounts like Domain Admins to prevent misuse or compromise. It uses tools like Microsoft Identity Manager (MIM) or third-party solutions for just-in-time access. PAM includes credential vaulting, session monitoring, and temporary privilege elevation. Troubleshoot PAM issues by checking vault access, approval workflows, and session logs. Secure PAM by restricting permanent admin accounts and enforcing MFA for privileged access. Audit privileged group memberships and monitor for unauthorized elevation attempts. Integrate PAM with SIEM for real-time alerts on suspicious privileged activity. Interviewers may ask about PAM implementation, securing admin accounts, and audit strategies.
28) What is AD Certificate Services (AD CS)?
AD CS is a Microsoft role for issuing and managing digital certificates for authentication and encryption. It supports scenarios like VPNs, smart cards, and secure email within an AD environment. AD CS includes a Certificate Authority (CA) hierarchy with root and subordinate CAs. Troubleshoot certificate issues by checking CA health, CRL availability, and certificate templates. Secure AD CS by restricting CA admin access and protecting root CA offline storage. Monitor certificate issuance and revocation to detect misuse or expired certificates. Use PowerShell (Get-CACertificate) to manage and audit certificate configurations. Interviewers may ask about CA hierarchy design and securing certificate-based authentication.
29) What are Group Managed Service Accounts (gMSAs)?
gMSAs are AD accounts for services with automatic password management and simplified SPN handling. They reduce administrative overhead by auto-rotating passwords and supporting multiple servers. gMSAs use Kerberos for authentication and are ideal for clustered or load-balanced services. Troubleshoot gMSA issues by checking account permissions, SPN registration, and key distribution. Secure gMSAs by limiting retrieval of credentials and auditing usage for anomalies. Create gMSAs with PowerShell (New-ADServiceAccount) and assign to specific hosts. Monitor gMSA health to ensure services remain operational during password rotations. Interviewers may ask about gMSA benefits, setup steps, and troubleshooting access issues.
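The gMSA setup described above, from KDS root key to host installation, as an added example that is not code from the original page. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the OU path, host names, account name and SPN are placeholders.

```powershell
# Added example (not from the original page): create a gMSA for a two-node web farm.
Import-Module ActiveDirectory

# One-time per forest: gMSA passwords are derived from the KDS root key.
# Even with -EffectiveImmediately, allow about 10 hours for the key to replicate
# before DCs will serve it; in a single-DC lab you can proceed sooner.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group may retrieve the password, so keep it to the actual hosts.
$hostGroup = New-ADGroup -Name 'gMSA-WebFarm-Hosts' -GroupScope Global `
    -Path 'OU=Service Groups,DC=example,DC=com' -PassThru          # placeholder OU
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'web01'), (Get-ADComputer 'web02')

New-ADServiceAccount -Name 'svc-webfarm' -DNSHostName 'webfarm.example.com' `
    -ServicePrincipalNames 'HTTP/webfarm.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# On each host, after a reboot so its token includes the new group membership:
#   Install-ADServiceAccount svc-webfarm
#   Test-ADServiceAccount svc-webfarm     # True when the host can retrieve the password

function Get-GmsaReport {
    # Audit view: who may retrieve each gMSA's password, and when it last rotated.
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword,
        ManagedPasswordIntervalInDays, PasswordLastSet, ServicePrincipalNames |
    Select-Object Name, PasswordLastSet, ManagedPasswordIntervalInDays,
        @{ n = 'AllowedHosts'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } },
        @{ n = 'SPNs';         e = { $_.ServicePrincipalNames -join '; ' } }
}

Get-GmsaReport | Format-Table -AutoSize
```

Test-ADServiceAccount returning False on a host is almost always one of three things: the KDS key has not replicated yet, the host rebooted before it was added to the group, or the group is not the one named in PrincipalsAllowedToRetrieveManagedPassword.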
30) What are AD Password Policies?
AD Password Policies enforce complexity, length, and expiration rules for user passwords. They are defined at the domain level via the Default Domain Policy or through fine-grained password policies (FGPP). FGPP allows different password settings for specific users or groups, applied via PSO objects. Troubleshoot policy issues by checking GPO application and PSO precedence with PowerShell. Secure policies by enforcing strong complexity and monitoring for weak or reused passwords. Use tools like Specops Password Auditor to identify vulnerable accounts. Regularly review policies to align with compliance (e.g., NIST, PCI-DSS) requirements. Interviewers may ask about FGPP implementation and resolving conflicting password policies.
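A fine-grained password policy for privileged accounts, plus the two checks that resolve "which policy actually applies to this user", as an added example that is not code from the original page. It assumes the ActiveDirectory RSAT module; the PSO name and the specific limits are assumptions.

```powershell
# Added example (not from the original page): create a PSO, apply it to a group,
# and resolve the effective policy for any user.
Import-Module ActiveDirectory

function New-AdminPasswordPolicy {
    # Lower Precedence wins when a user matches several PSOs.
    New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    # PSOs apply to users or global security groups, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser $SamAccountName
    # Returns the winning PSO, or nothing when only the Default Domain Policy applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        [pscustomobject]@{ User = $SamAccountName; Source = $pso.Name; Precedence = $pso.Precedence
                           MinLength = $pso.MinPasswordLength; MaxAge = $pso.MaxPasswordAge; LockoutThreshold = $pso.LockoutThreshold }
    } else {
        $d = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $SamAccountName; Source = 'Default Domain Policy'; Precedence = $null
                           MinLength = $d.MinPasswordLength; MaxAge = $d.MaxPasswordAge; LockoutThreshold = $d.LockoutThreshold }
    }
}

function Get-PsoOverlapReport {
    # Every PSO with its precedence and subjects, so overlapping assignments can be
    # spotted: a user in two of these groups gets the PSO with the lower number.
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
        Sort-Object Precedence |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
            @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
}

# Usage:
New-AdminPasswordPolicy
Get-EffectivePasswordPolicy -SamAccountName 'jdoe'   # placeholder account
Get-PsoOverlapReport | Format-Table -AutoSize
```

When a user reports that the "wrong" password rules apply, Get-EffectivePasswordPolicy answers it in one call; a surprising result is nearly always two PSOs with overlapping subjects, which the overlap report makes visible.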
31) What are AD Account Lockout Policies?
Account Lockout Policies in AD prevent brute-force attacks by locking accounts after failed login attempts. Settings include lockout threshold, duration, and observation window, defined in Default Domain Policy. Troubleshoot lockout issues by checking event logs, identifying source devices, and reviewing services using accounts. Secure policies by setting reasonable thresholds to balance security and user experience. Monitor lockout events to detect potential attacks or misconfigured applications. Use PowerShell (Get-ADUser) to find locked accounts and unlock them as needed. Document lockout policies and ensure users are educated on password retry limits. Interviewers may ask about lockout troubleshooting and mitigating denial-of-service risks.
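The lockout investigation above (find locked accounts, then identify the device submitting the bad passwords) as an added example that is not code from the original page. It assumes the ActiveDirectory RSAT module and permission to read the Security log on the PDC Emulator, which is where every lockout in the domain is recorded as event 4740.

```powershell
# Added example (not from the original page): locate lockouts and their source.
Import-Module ActiveDirectory

function Get-LockedAccount {
    # Search-ADAccount reads the lockout state directly; no filter on lockoutTime needed.
    Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate, DistinguishedName
}

function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    # All DCs forward lockouts to the PDC Emulator, so one query there covers the domain.
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Parse the EventData fields by name instead of relying on message text positions.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # In 4740, TargetUserName is the locked account and TargetDomainName holds the
        # caller computer name, i.e. the device that submitted the failed attempts.
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
            ReportedBy     = $data['SubjectUserName']   # DC that observed the threshold being hit
        }
    }
}

# Usage:
Get-LockedAccount | Format-Table -AutoSize
Get-LockoutSource -SamAccountName 'jdoe' | Sort-Object Time -Descending | Format-Table -AutoSize
# Unlock only after the source is fixed, otherwise it locks again within the observation window:
#   Unlock-ADAccount -Identity 'jdoe'
```

A caller computer that is a server rather than the user's workstation usually means a service, scheduled task or mapped drive still holds an old password, which is the "services using accounts" case the answer mentions; the same account locking from many different callers in a short window is the pattern that deserves an incident ticket rather than a password reset.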
32) What are AD Object Permissions?
AD object permissions control access to objects like users, groups, or OUs using Access Control Lists (ACLs). Permissions include read, write, delete, or full control, assigned to users or groups. Use the AD Users and Computers snap-in or PowerShell (Set-ACL) to manage permissions. Troubleshoot permission issues by auditing ACLs with dsacls or PowerShell for misconfigurations. Secure permissions by following least privilege and avoiding broad “Full Control” assignments. Regularly audit permissions to detect over-privileged accounts or unauthorized changes. Document permission assignments to ensure accountability and simplify compliance audits. Interviewers may ask about permission delegation and resolving access denial issues.
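An ACL audit that serves both the delegation review in Q19 and the permission review above, as an added example that is not code from the original page. It assumes the ActiveDirectory RSAT module (which provides the AD: drive used by Get-Acl); the "high risk" rule is an assumption: broad write rights granted to wide identities.

```powershell
# Added example (not from the original page): list explicit (non-inherited) ACEs
# on every OU and flag broad rights granted to broad groups.
Import-Module ActiveDirectory

function Get-ExplicitAdAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Inherited ACEs were decided on a parent; explicit ones are delegation decisions made here.
        if ($ace.IsInherited) { continue }
        $rights   = $ace.ActiveDirectoryRights.ToString()
        # ObjectType limits WriteProperty to one attribute; an empty GUID means all properties.
        $allProps = ($ace.ObjectType -eq [guid]::Empty)
        $broad    = ($rights -match 'GenericAll|WriteDacl|WriteOwner|GenericWrite') -or
                    ($rights -match 'WriteProperty' -and $allProps)
        $wideIdentity = $ace.IdentityReference.Value -match 'Everyone|Authenticated Users|Domain Users|Domain Computers'
        [pscustomobject]@{
            Object     = $DistinguishedName
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $rights
            ObjectType = $ace.ObjectType
            Inherits   = $ace.InheritanceType
            HighRisk   = ($ace.AccessControlType -eq 'Allow' -and $broad -and $wideIdentity)
        }
    }
}

function Get-DelegationReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
        ForEach-Object { Get-ExplicitAdAce -DistinguishedName $_.DistinguishedName }
}

# Usage: full delegation inventory, then only the findings.
Get-DelegationReport | Format-Table Object, Identity, Rights, Inherits -AutoSize
Get-DelegationReport | Where-Object { $_.HighRisk } | Format-Table Object, Identity, Rights -AutoSize
```

The full inventory is what you compare against the delegation documentation the answer recommends: every explicit ACE should trace back to a recorded delegation decision, and an ACE nobody can explain is removed rather than left in place.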
33) What is AD Auditing and Monitoring?
AD auditing tracks security events like logons, account changes, and permission modifications. Enable auditing via Group Policy (Audit Policy settings) to log events in the Security Event Log. Monitor logs using Event Viewer, PowerShell, or SIEM tools for real-time alerts. Troubleshoot auditing issues by verifying GPO application and checking log storage capacity. Secure auditing by protecting log access and ensuring logs are tamper-proof. Use tools like ADAudit Plus for advanced reporting and anomaly detection. Regularly review logs to detect unauthorized access or privilege escalation attempts. Interviewers may ask about audit policy setup and analyzing logs for security incidents.
34) What is AD Backup and Recovery?
AD backup and recovery involve system state backups to restore DCs or objects like users and OUs. Use Windows Server Backup or third-party tools to capture NTDS.dit and SYSVOL. Perform authoritative restores for specific objects or non-authoritative for entire DC recovery. Troubleshoot recovery issues by verifying backup integrity and testing restores in a lab. Secure backups by encrypting them and restricting access to backup storage. Schedule regular backups and test recovery procedures to ensure reliability. Monitor backup success and retention to meet compliance and recovery objectives. Interviewers may ask about backup strategies, authoritative vs. non-authoritative restores, and recovery testing.
35) What are AD Security Principals?
Security principals in AD are objects (users, groups, computers) assigned a Security Identifier (SID) for access control. SIDs uniquely identify principals in ACLs for permissions to resources like files or shares. Manage principals via AD Users and Computers or PowerShell for bulk operations. Troubleshoot principal issues by checking SID history, group memberships, and ACLs. Secure principals by auditing SID usage and removing stale or orphaned accounts. Use PowerShell (Get-ADObject) to query and manage principals efficiently. Misconfigured principals can lead to access issues; regularly audit for consistency. Interviewers may ask about SID management, resolving SID conflicts, and securing principals.
36) What is AD Domain Functional Level?
Domain Functional Level (DFL) determines AD features available based on the oldest DC operating system. Higher DFLs (e.g., Windows Server 2019) enable advanced features like fine-grained password policies. Raise DFLs via AD Domains and Trusts after ensuring all DCs meet the required OS version. Troubleshoot DFL issues by verifying DC versions and checking for deprecated features. Secure DFL upgrades by testing in a lab to avoid breaking legacy applications. Document DFL changes and ensure all DCs are updated before raising the level. Monitor DFL compatibility to ensure new features align with infrastructure needs. Interviewers may ask about DFL benefits, upgrade processes, and compatibility risks.
37) What is AD Forest Functional Level?
Forest Functional Level (FFL) defines forest-wide AD features based on the lowest DFL in the forest. Higher FFLs enable features like AD Recycle Bin and advanced replication capabilities. Raise FFL via AD Domains and Trusts after all domains reach the required DFL. Troubleshoot FFL issues by ensuring domain compatibility and checking replication health. Secure FFL upgrades by testing in a lab and validating application dependencies. Document FFL changes and communicate impacts to domain admins across the forest. Monitor FFL to ensure new features are leveraged without breaking existing systems. Interviewers may ask about FFL upgrade steps and managing multi-domain forest features.
38) What is AD Tombstone Lifetime?
Tombstone Lifetime is the period deleted AD objects remain recoverable in the AD Recycle Bin. The default is 180 days; adjust it via PowerShell (Set-ADObject) for compliance or recovery needs. Longer lifetimes increase storage but improve recovery; shorter lifetimes reduce overhead. Troubleshoot tombstone issues by checking deletion dates and Recycle Bin status. Secure tombstone recovery by restricting restore permissions and auditing restore actions. Monitor tombstone usage to detect accidental deletions or potential attacks. Use PowerShell (Get-ADObject -IncludeDeletedObjects) to manage tombstoned objects. Interviewers may ask about configuring tombstone lifetime and recovering deleted objects.
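The Recycle Bin and lifetime checks from Q17 and Q38, with enabling and restore steps, as one added example that is not code from the original page. It assumes the ActiveDirectory RSAT module and Enterprise Admin rights for the enable step; the object name pattern in the usage lines is a placeholder.

```powershell
# Added example (not from the original page): Recycle Bin state, lifetimes,
# and object recovery.
Import-Module ActiveDirectory

function Get-RecycleBinState {
    $rootDse = Get-ADRootDSE
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    # Both lifetime attributes live on the Directory Service object in the configuration NC.
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds   = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    [pscustomobject]@{
        RecycleBinEnabled         = (@($feature.EnabledScopes).Count -gt 0)
        TombstoneLifetimeDays     = $ds.tombstoneLifetime            # $null means the attribute was never set
        # When unset, the deleted-object lifetime follows the tombstone lifetime.
        DeletedObjectLifetimeDays = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $ds.tombstoneLifetime }
    }
}

function Enable-RecycleBin {
    # Irreversible for the forest; do it before the migration or cleanup, not after.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name -Confirm:$false
}

function Find-DeletedObject {
    param([Parameter(Mandatory)][string]$NamePattern)
    # Deleted objects carry isDeleted=TRUE and are renamed to "<name>\0ADEL:<guid>",
    # so match on the leading part of the name.
    Get-ADObject -Filter "isDeleted -eq `$true -and name -like '$NamePattern'" -IncludeDeletedObjects `
        -Properties whenChanged, lastKnownParent |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

function Restore-DeletedObjectByGuid {
    param([Parameter(Mandatory)][guid]$ObjectGuid, [string]$TargetPath)
    # When a whole OU subtree was deleted, restore the OU first, then its children;
    # -TargetPath is needed only if the original parent no longer exists.
    if ($TargetPath) { Restore-ADObject -Identity $ObjectGuid -TargetPath $TargetPath }
    else             { Restore-ADObject -Identity $ObjectGuid }
}

# Usage:
Get-RecycleBinState | Format-List
Find-DeletedObject -NamePattern 'John Doe*' | Format-Table -AutoSize     # placeholder name
# Restore-DeletedObjectByGuid -ObjectGuid '<guid from the list above>'
```

Restore-ADObject is itself an auditable directory write, so the restrict-and-audit advice in the answer applies to it exactly as it does to object creation; a restored account comes back with its old group memberships, which is why an unexpected restore of a privileged account is worth investigating.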
39) What is AD Password Hash Sync?
Password Hash Sync synchronizes AD password hashes to Azure AD via Azure AD Connect for hybrid authentication. It enables seamless SSO and cloud authentication without requiring full federation. Hashes are one-way and encrypted, ensuring security during sync to Azure AD. Troubleshoot sync issues by checking AD Connect logs, sync rules, and network connectivity. Secure sync by using least-privilege accounts and monitoring sync operations for anomalies. Disable sync for sensitive accounts if not needed to reduce cloud exposure. Monitor sync health via Azure portal to ensure timely updates to cloud identities. Interviewers may ask about hash sync vs. federation and troubleshooting sync failures.
40) What is AD Pass-Through Authentication?
Pass-Through Authentication (PTA) validates Azure AD logins directly against on-prem AD via agents. It avoids storing password hashes in the cloud, relying on real-time AD authentication. PTA agents are lightweight, installed on servers with AD connectivity for high availability. Troubleshoot PTA by checking agent health, network connectivity, and AD account status. Secure PTA with encrypted channels and monitoring agent logs for unauthorized access. Ensure multiple PTA agents for redundancy to avoid authentication outages. Monitor PTA performance via Azure AD portal to detect delays or failures. Interviewers may ask about PTA vs. hash sync and ensuring high availability for PTA.
41) What is an AD Golden Ticket Attack?
A Golden Ticket attack uses a forged Kerberos TGT to gain unauthorized domain admin access. Attackers exploit compromised KRBTGT account credentials to create persistent, forged tickets. Detect attacks by monitoring KRBTGT account activity and auditing TGT usage in logs. Prevent attacks by resetting KRBTGT passwords regularly (twice to invalidate old tickets). Secure KRBTGT with strong passwords, restricted access, and monitoring for anomalies. Use tools like Microsoft Defender for Identity to detect Golden Ticket attempts. Mitigate impact by enabling strict Kerberos auditing and limiting admin account scope. Interviewers may ask about detecting and preventing Golden Ticket attacks and KRBTGT management.
42) What is an AD Pass-the-Hash attack?
Pass-the-Hash (PtH) uses a stolen NT hash to authenticate as a user without knowing the password, because NTLM authentication only ever proves possession of the hash. Attackers dump hashes from LSASS memory (Mimikatz, a procdump of lsass.exe), from the SAM, or from NTDS.dit, and reuse them for lateral movement; the same NT hash also serves as the RC4 Kerberos key to request a TGT (overpass-the-hash), so disabling NTLM alone does not neutralise a stolen hash. Prevent the theft first: run LSASS as a protected process, enable Credential Guard so domain secrets are isolated from the OS, disable WDigest, and keep privileged accounts off workstations with a tiered admin model and logon restrictions. Then reduce reuse: audit NTLM with the Restrict NTLM policies before blocking it where possible, put admins in the Protected Users group (no NTLM, no RC4, no delegation), and randomise local administrator passwords with LAPS (Local Administrator Password Solution) so one stolen local hash does not open every machine. Detect PtH by alerting on NTLM network logons (event 4624, logon type 3, authentication package NTLM) by privileged accounts or to Tier 0 hosts, and on logon type 9 events with logon process "seclogo", which Mimikatz's pth module produces (runas /netonly produces the same, so tune the rule). Enforce AES for Kerberos and limit the number and use of privileged accounts to reduce hash exposure. Interviewers may ask about PtH mitigation strategies, why NTLM is hard to turn off, and tools for detecting hash misuse.
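The answer above names several host-level controls; the script below, an added example rather than page or Microsoft code, checks them on one machine and says which are missing. The registry values and the Win32_DeviceGuard class are documented Windows interfaces; the pass thresholds (LmCompatibilityLevel of at least 5, outgoing NTLM fully denied) are this example's assumptions. Run it elevated on the host being assessed.

```powershell
# Added example, not from the original page: local posture check for the anti-PtH
# controls discussed above (Credential Guard, LSASS protection, WDigest, NTLM policy).

# Read a registry value from an already-loaded key, with a default when absent.
function Get-RegValue {
    param($Key, [string]$Name, $Default)
    if ($Key -and $Key.PSObject.Properties[$Name]) { $Key.$Name } else { $Default }
}

function Get-PassTheHashPosture {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $wd  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    $credGuard = [bool]($dg.SecurityServicesRunning -contains 1)
    $runAsPpl  = Get-RegValue $lsa 'RunAsPPL' 0                     # 1 or 2 = LSASS is a protected process
    $wdigest   = Get-RegValue $wd  'UseLogonCredential' 0           # absent = 0 on Win 8.1 / 2012 R2 and later
    $lmLevel   = Get-RegValue $lsa 'LmCompatibilityLevel' 3         # absent = OS default (3 on modern Windows)
    $ntlmOut   = Get-RegValue $msv 'RestrictSendingNTLMTraffic' 0   # 0 allow, 1 audit, 2 deny all
    $ntlmIn    = Get-RegValue $msv 'RestrictReceivingNTLMTraffic' 0 # 0 allow, 1 deny domain accounts, 2 deny all
    $ntlmAudit = Get-RegValue $msv 'AuditReceivingNTLMTraffic' 0    # 0 off, 1 domain accounts, 2 all accounts

    @(
        [pscustomobject]@{ Control = 'Credential Guard running';        Value = $credGuard; Pass = $credGuard }
        [pscustomobject]@{ Control = 'LSASS RunAsPPL';                  Value = $runAsPpl;  Pass = $runAsPpl -ge 1 }
        [pscustomobject]@{ Control = 'WDigest UseLogonCredential';      Value = $wdigest;   Pass = $wdigest -eq 0 }
        [pscustomobject]@{ Control = 'LmCompatibilityLevel (>=5)';      Value = $lmLevel;   Pass = $lmLevel -ge 5 }
        [pscustomobject]@{ Control = 'Restrict outgoing NTLM (deny)';   Value = $ntlmOut;   Pass = $ntlmOut -eq 2 }
        [pscustomobject]@{ Control = 'Restrict incoming NTLM';          Value = $ntlmIn;    Pass = $ntlmIn -ge 1 }
        # If NTLM is still allowed, auditing it is the minimum so you can see where it is used.
        [pscustomobject]@{ Control = 'Audit incoming NTLM';             Value = $ntlmAudit; Pass = ($ntlmAudit -ge 1) -or ($ntlmIn -eq 2) }
    )
}

# Is this host's local Administrator password managed by LAPS? Checks both the Windows LAPS
# attribute and the legacy LAPS attribute on the computer object. Optional: needs the AD module.
function Test-LapsManaged {
    param([string]$ComputerName = $env:COMPUTERNAME)
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $c = Get-ADComputer -Identity $ComputerName -Properties 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime' -ErrorAction Stop
        [bool]($c.'msLAPS-PasswordExpirationTime' -or $c.'ms-Mcs-AdmPwdExpirationTime')
    } catch { $null }   # module or schema attribute not available: unknown rather than false
}

Get-PassTheHashPosture | Format-Table -AutoSize
"LAPS managed: $(Test-LapsManaged)"
```

A failing "Restrict outgoing NTLM" row is normal on a host that still talks to legacy systems; the point of the audit values is to move from allow to audit, read the NTLM audit events for a few weeks, then deny. Credential Guard reporting false on a server without virtualization-based security is a configuration gap, not a detection.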
43) What is AD Kerberos delegation?
Kerberos delegation lets a service obtain tickets to other services on behalf of a user who authenticated to it (a web front end reaching a database as the user, for example). There are three forms. Unconstrained delegation (the TRUSTED_FOR_DELEGATION flag) makes every connecting client send a copy of its TGT to the service, which caches it in memory; an attacker who controls that host collects TGTs for every user who connects and can coerce a DC into connecting, so it is the most dangerous form and is normally acceptable only on DCs, where it is set by default. Constrained delegation lists the permitted target services in msDS-AllowedToDelegateTo; with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) the service can use S4U2Self to obtain a ticket for any user without that user authenticating, which makes the account nearly as sensitive as its targets. Resource-based constrained delegation (RBCD) is configured on the target in msDS-AllowedToActOnBehalfOfOtherIdentity, so whoever can write that attribute on a computer object can delegate to it; unexpected write access there is a common escalation path. Troubleshoot delegation by verifying that SPNs are registered on the right account, the delegation flags and target list, and that the user is not marked "Account is sensitive and cannot be delegated" or a member of Protected Users, since both block delegation by design. Configure it with Set-ADAccountControl (-TrustedForDelegation, -TrustedToAuthForDelegation), Set-ADUser or Set-ADComputer for msDS-AllowedToDelegateTo, and Set-ADComputer -PrincipalsAllowedToDelegateToAccount for RBCD; audit all three regularly, and protect privileged accounts with the cannot-be-delegated flag and Protected Users so their tickets are never delegable. Interviewers may ask about delegation types, their risks, and how to find and fix risky configurations.
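The audit that the answer above calls for, as an added example that is not part of the original page: it inventories all three delegation forms in the domain with a single LDAP query, decodes the RBCD security descriptor, and lists privileged accounts that are still delegable. It assumes the ActiveDirectory module and a domain at a functional level where the Protected Users group exists (2012 R2 or later); the risk labels are this example's judgement.

```powershell
# Added example, not from the original page: inventory delegation settings and
# flag the risky ones. Bit values are the documented userAccountControl flags.
Import-Module ActiveDirectory

$UAC_TRUSTED_FOR_DELEGATION    = 0x80000    # unconstrained delegation
$UAC_NOT_DELEGATED             = 0x100000   # "Account is sensitive and cannot be delegated"
$UAC_TRUSTED_TO_AUTH_FOR_DELEG = 0x1000000  # protocol transition (S4U2Self for any user)

function Get-DelegationInventory {
    $props  = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity',
              'servicePrincipalName', 'primaryGroupID'
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_FOR_DELEGATION)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_TO_AUTH_FOR_DELEG)" +
              '(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $isDc = ($_.primaryGroupID -eq 516)        # 516 = Domain Controllers; unconstrained there by design

        # RBCD is stored as a security descriptor; the principals in its DACL may delegate to this object.
        $rbcd = $null
        $sdAttr = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        if ($sdAttr) {
            if ($sdAttr -is [byte[]]) {
                $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
                $sd.SetSecurityDescriptorBinaryForm($sdAttr)
            } else { $sd = $sdAttr }   # the AD module usually deserializes it for us
            $rbcd = ($sd.Access | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
        }

        $unconstrained = [bool]($uac -band $UAC_TRUSTED_FOR_DELEGATION)
        $transition    = [bool]($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEG)
        [pscustomobject]@{
            Name               = $_.Name
            Class              = $_.ObjectClass
            Unconstrained      = $unconstrained
            ProtocolTransition = $transition
            ConstrainedTo      = ($_.'msDS-AllowedToDelegateTo' -join ', ')
            RbcdAllowedFrom    = $rbcd
            IsDomainController = $isDc
            Risk               = if ($unconstrained -and -not $isDc) { 'High: unconstrained on non-DC' }
                                 elseif ($transition)                 { 'High: protocol transition' }
                                 elseif ($rbcd)                       { 'Review: who can write the RBCD attribute' }
                                 else                                 { 'Medium: constrained delegation' }
        }
    }
}

# Privileged accounts (adminCount=1) that can still be delegated: neither the NOT_DELEGATED
# flag nor Protected Users membership protects them.
function Get-DelegableAdmins {
    $protected = @()
    try { $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).DistinguishedName } catch { }
    Get-ADUser -LDAPFilter "(&(adminCount=1)(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=$UAC_NOT_DELEGATED)))" |
        Where-Object { $protected -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName
}

Get-DelegationInventory | Sort-Object Risk | Format-Table -AutoSize
Get-DelegableAdmins | Format-Table -AutoSize
```

Fix what the report shows with the cmdlets named in the answer: `Set-ADAccountControl -TrustedForDelegation $false` on the non-DC unconstrained hosts, `Set-ADAccountControl -AccountNotDelegated $true` (or Protected Users membership) for the delegable admins. For RBCD the finding is about write access to the attribute, so follow it up with an ACL review of the affected computer objects.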
44) What is AD SID History?
SID History stores previous SIDs of an object during domain migrations to maintain access to resources. It ensures users retain permissions to resources in old domains during transitions. Misconfigured SID History can lead to unauthorized access if old SIDs grant excessive rights. Troubleshoot SID History issues by auditing SIDs with PowerShell (Get-ADUser -Properties SIDHistory). Secure SID History by cleaning up old SIDs post-migration and monitoring for misuse. Use tools like ADMT (Active Directory Migration Tool) to manage SID History during migrations. Document SID History usage to ensure compliance and simplify permission audits. Interviewers may ask about SID History risks and cleanup strategies post-migration.
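An added example (not from the original page) of the audit described above: it lists every object carrying sIDHistory, works out which domain each historical SID came from, and flags values that a migration could not have produced. It assumes the ActiveDirectory module and rights to read sIDHistory; the RID-to-group table is this example's, and the cleanup function honours -WhatIf so it can be dry-run.

```powershell
# Added example, not from the original page: find suspicious sIDHistory values and
# remove confirmed ones. A legitimate migration only adds SIDs from a *source* domain,
# so anything from the current forest, or with a privileged RID, needs an explanation.
Import-Module ActiveDirectory

$PrivilegedRids = @{
    500 = 'Administrator';  512 = 'Domain Admins';     516 = 'Domain Controllers'
    518 = 'Schema Admins';  519 = 'Enterprise Admins'; 544 = 'Administrators (BUILTIN)'
}

function Get-SidHistoryFindings {
    # SIDs of every domain in this forest; a historical SID with one of these prefixes is not a migration artifact.
    $forestSids = Get-ADForest | Select-Object -ExpandProperty Domains |
        ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName | ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            $s          = [string]$sid                       # SecurityIdentifier -> "S-1-5-21-...-RID"
            $rid        = [int]($s -replace '.*-')           # everything after the last hyphen
            $domainPart = $s.Substring(0, $s.LastIndexOf('-'))
            $reasons    = @()
            if ($forestSids -contains $domainPart) { $reasons += 'SID belongs to this forest' }
            if ($PrivilegedRids.ContainsKey($rid)) { $reasons += "privileged RID $rid ($($PrivilegedRids[$rid]))" }
            [pscustomobject]@{
                Object        = $obj.sAMAccountName
                Class         = $obj.ObjectClass
                DN            = $obj.DistinguishedName
                HistoricalSID = $s
                SourceDomain  = $domainPart
                Suspicious    = [bool]$reasons
                Reasons       = ($reasons -join '; ')
            }
        }
    }
}

# Post-migration cleanup (or removal of an injected value). Supports -WhatIf / -Confirm.
function Remove-SidHistoryEntry {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Sid
    )
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Remove sIDHistory value $Sid")) {
        Set-ADObject -Identity $DistinguishedName -Remove @{ sIDHistory = $Sid }
    }
}

# Report suspicious entries first; show what cleanup would do without doing it.
$findings = Get-SidHistoryFindings
$findings | Sort-Object -Property Suspicious -Descending | Format-Table Object, HistoricalSID, SourceDomain, Reasons -AutoSize
$findings | Where-Object Suspicious | ForEach-Object { Remove-SidHistoryEntry -DistinguishedName $_.DN -Sid $_.HistoricalSID -WhatIf }
```

Before removing any value, match the SourceDomain column against the list of domains you actually migrated from; an unknown source domain is as interesting as an in-forest one. Removing a legitimately migrated SID before resources were re-ACLed breaks that user's access, which is why the function defaults to confirmation.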
45) What are AD conditional forwarders?
Conditional forwarders in AD DNS send queries for a specific domain name to designated DNS servers instead of the general forwarders or root hints. They are the usual way to resolve partner domains, other forests (a prerequisite for forest trusts), and private cloud zones without hosting secondary zones. Configure them in DNS Manager or PowerShell (Add-DnsServerConditionalForwarderZone); storing the forwarder in AD (the replication scope option) replicates it to every DC running DNS, so resolution of that namespace does not depend on a single server. Troubleshoot by confirming the target servers answer when queried directly, that firewalls allow UDP and TCP 53 to them, and that the forwarder is not shadowed by a local zone of the same name. The trust boundary is the target server: forwarded queries and answers are plain DNS, so forward only to servers you control or trust, review the list periodically, and alert on new or changed forwarders, which are an easy way to redirect an entire namespace. Validate forwarder configurations after every change to avoid resolution failures. Interviewers may ask about forwarder use cases, forwarders vs. stub zones, and troubleshooting DNS resolution issues.
46) What is AD Privileged Identity Management (PIM)?
Privileged Identity Management is the Azure AD (Microsoft Entra) service for just-in-time, time-bound activation of Azure AD and Azure roles: admins are made eligible for a role rather than holding it permanently, activation can require MFA, a justification, and approval, and every activation is audited. It does not govern on-prem AD group membership directly; in a hybrid environment the on-prem counterparts are the AD DS Privileged Access Management optional feature (time-bound group membership, with the TTL carried into the Kerberos ticket so the privilege expires with it) and Microsoft Identity Manager PAM with a bastion forest. All of these reduce standing privilege, so a compromised admin account is only dangerous while an activation is live. Troubleshoot PIM issues by checking the role's eligibility and approval settings, the activation audit log, and Conditional Access policies that may block the MFA step. Secure it by requiring MFA on activation, keeping activation windows short, reviewing assignments with access reviews, and alerting on permanent assignments to privileged roles. Manage it from the Azure portal or Microsoft Graph, and stream the PIM audit log to your SIEM for real-time alerts on suspicious activations. Interviewers may ask about PIM setup, just-in-time access benefits, the on-prem equivalent, and audit strategies.
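Azure AD PIM itself is configured in the portal or through Microsoft Graph, so the runnable part of this topic on-prem is the time-bound group membership that the AD DS Privileged Access Management feature provides. The script below is an added example, not from the original page or from Microsoft: it reports whether the feature is enabled, enables it only on explicit confirmation (the change is irreversible and needs the Windows Server 2016 forest functional level), and grants a membership that expires on its own. It assumes the ActiveDirectory module and Enterprise Admin rights for the enable step.

```powershell
# Added example, not from the original page: on-prem just-in-time group membership
# with the Privileged Access Management optional feature.
Import-Module ActiveDirectory

function Test-PamFeature {
    $f = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    [pscustomobject]@{
        Feature = $f.Name
        Enabled = ($f.EnabledScopes.Count -gt 0)
        Forest  = (Get-ADForest).Name
    }
}

# One-way forest change: only runs after an explicit confirmation (or -Confirm:$false).
function Enable-PamFeature {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    $forest = Get-ADForest
    if ($forest.ForestMode -lt 'Windows2016Forest') {
        throw "Forest functional level is $($forest.ForestMode); Windows2016Forest or later is required."
    }
    if ($PSCmdlet.ShouldProcess($forest.Name, 'Enable Privileged Access Management Feature (cannot be disabled)')) {
        Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target $forest.Name
    }
}

# Add a member with a TTL. The KDC issues TGTs whose lifetime is capped at the remaining
# TTL, so the group drops out of the user's token when the membership expires.
function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member,   # sAMAccountName, DN, or SID
        [int]$Minutes = 60                        # assumed default activation window
    )
    Add-ADGroupMember -Identity $Group -Members $Member -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
    # With -ShowMemberTimeToLive, temporary members are rendered as "<TTL=seconds>,<DN>".
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        Where-Object { $_ -like '<TTL=*' }
}

Test-PamFeature
# Enable-PamFeature                                          # uncomment once the forest is ready
# Grant-TemporaryMembership -Group 'Tier0-Operators' -Member 'alice' -Minutes 30   # assumed names
```

The expiring membership is enforced by the directory, not by a scheduled cleanup, which is the property that makes it comparable to a PIM activation. What it lacks is the approval workflow and MFA gate, so wrap the grant in your ticketing or automation so the request is recorded and reviewed.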
47) What is AD DNS integration?
AD depends on DNS to locate its services: clients and DCs find LDAP, Kerberos, and global catalog endpoints through SRV records under _msdcs.<forest> and the domain zone (for example _ldap._tcp.dc._msdcs.<domain>), which each DC registers dynamically through the Netlogon service. Missing or stale SRV records cause logon failures, slow site-unaware logons, and replication errors, so the first DNS checks are nslookup or Resolve-DnsName for those SRV names, dcdiag /test:dns, and nltest /dsgetdc. AD-integrated zones store records in the directory and replicate with it, which removes zone transfers and allows "secure dynamic updates only", where a record can be changed only by the security principal that created it; keep zones on that setting, because non-secure updates let any host on the network overwrite a DC's record. Restrict who can create records under _msdcs, remove stale DC records after demotion, and watch for wildcard or otherwise unexpected records. DNSSEC can be enabled on AD-integrated zones for clients that validate, but the higher-value controls are secure updates, least privilege on the zone ACLs, and DNS analytic and audit logging forwarded to the SIEM. Confirm that AD-integrated zones replicate to every DNS server in their replication scope so all sites resolve the same records. Interviewers may ask about DNS troubleshooting and securing AD-integrated DNS zones.
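The SRV-record check described above, as an added example that is not part of the original page: it compares the DCs the directory knows about with the hosts DNS actually advertises for the LDAP and Kerberos locator records, and reports DCs that are missing as well as advertised hosts that are no longer DCs. It assumes the ActiveDirectory and DnsClient modules (RSAT) and that the current domain's DNS is reachable from where it runs.

```powershell
# Added example, not from the original page: validate DC locator SRV records.
Import-Module ActiveDirectory

function Test-DcSrvRecords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # What the directory says the DCs are (FQDNs, lower-cased for comparison).
    $expected = Get-ADDomainController -Filter * -Server $Domain |
        ForEach-Object { $_.HostName.ToLower() }

    # Locator records every DC must register; GC records live under the forest root and are not checked here.
    $queries = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")

    foreach ($q in $queries) {
        $srv = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        $advertised = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })

        foreach ($dc in $expected) {
            [pscustomobject]@{
                Record     = $q
                Host       = $dc
                Advertised = $advertised -contains $dc
                Resolves   = [bool](Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue)
                Stale      = $false
            }
        }
        # Advertised but not a DC any more: a stale record, and a foothold for anyone who can claim that name.
        foreach ($h in ($advertised | Where-Object { $expected -notcontains $_ })) {
            [pscustomobject]@{ Record = $q; Host = $h; Advertised = $true; Resolves = $null; Stale = $true }
        }
    }
}

$result = Test-DcSrvRecords
$result | Format-Table -AutoSize
$problems = $result | Where-Object { -not $_.Advertised -or $_.Stale -or $_.Resolves -eq $false }
"Problems found: $(@($problems).Count)"
```

A DC that is not advertised usually means Netlogon on that DC could not register (secure-update permission, wrong DNS server order on the DC, or a deleted record); restart Netlogon or run nltest /dsregdns on it and re-check. A stale host should be cleaned up with a metadata cleanup of the demoted DC, not by deleting the DNS record alone.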
48) What is AD object recovery?
AD object recovery restores deleted objects (users, groups, computers, OUs) and, with the AD Recycle Bin, preserves all of their attributes and group memberships. With the Recycle Bin enabled (a one-way forest change that requires at least the Windows Server 2008 R2 forest functional level), a deleted object stays fully recoverable for the deleted object lifetime before becoming a stripped tombstone; without it, tombstone reanimation recovers only a handful of attributes. Restore with PowerShell (Get-ADObject -IncludeDeletedObjects to locate, Restore-ADObject to recover) or the AD Administrative Center; if the parent container was deleted too, restore it first or specify a new target path. A change that has already replicated everywhere, such as a mass attribute wipe or a deleted OU with its contents, may instead need an authoritative restore from a system state backup, using ntdsutil to mark the restored objects authoritative so they win over the live copies. Troubleshoot by verifying the deleted object lifetime and tombstone lifetime, that the backup is younger than the tombstone lifetime, and that the restoring account has rights on the Deleted Objects container. Restore rights are themselves a persistence vector (restoring a deleted privileged account brings its access back), so restrict them and audit restores through event logs. Test recovery regularly and document the procedure. Interviewers may ask about recovery workflows, Recycle Bin vs. backups, and securing restore operations.
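The recovery workflow above in runnable form, as an added example that is not part of the original page: confirm the Recycle Bin is on, list what was deleted recently and where it lived, and restore one object while handling the case where its parent container is gone. It assumes the ActiveDirectory module and restore rights on the Deleted Objects container; the seven-day window is this example's default.

```powershell
# Added example, not from the original page: Recycle Bin based object recovery.
Import-Module ActiveDirectory

function Test-AdRecycleBin {
    $f = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    [pscustomobject]@{ Feature = $f.Name; Enabled = ($f.EnabledScopes.Count -gt 0) }
}

# Deleted objects still within the deleted object lifetime, with their original location.
function Get-RecentlyDeletedObjects {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
                 -Properties whenChanged, lastKnownParent, 'msDS-LastKnownRDN' |
        Where-Object { $_.whenChanged -ge $since } |
        Select-Object @{ n = 'Name'; e = { $_.'msDS-LastKnownRDN' } }, ObjectClass, whenChanged, lastKnownParent, ObjectGUID
}

# Restore by GUID (the DN of a deleted object is mangled, the GUID is stable).
function Restore-DeletedObject {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$TargetPath            # DN of a container to restore into when the original parent is gone
    )
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent

    # If the parent OU was deleted as well, Restore-ADObject fails unless the parent is
    # restored first (deepest ancestor first) or -TargetPath points somewhere that exists.
    $parentExists = $true
    try { $null = Get-ADObject -Identity $obj.lastKnownParent } catch { $parentExists = $false }
    if (-not $parentExists -and -not $TargetPath) {
        throw "Parent '$($obj.lastKnownParent)' no longer exists. Restore it first or pass -TargetPath."
    }

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Restore-ADObject')) {
        if ($TargetPath) { Restore-ADObject -Identity $ObjectGuid -TargetPath $TargetPath }
        else             { Restore-ADObject -Identity $ObjectGuid }
    }
}

Test-AdRecycleBin
$deleted = Get-RecentlyDeletedObjects -Days 7
$deleted | Format-Table -AutoSize
# Dry-run a restore of the most recently deleted object; drop -WhatIf to perform it.
if ($deleted) { Restore-DeletedObject -ObjectGuid ($deleted | Sort-Object whenChanged -Descending | Select-Object -First 1).ObjectGUID -WhatIf }
```

Check the class and original parent in the listing before restoring: a deleted privileged user reappearing in its old OU is exactly what an attacker with restore rights would do, so the same audit you apply to group changes should apply to event 5137-style object-creation and restore events on the Deleted Objects container.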
49) What are AD security baselines?
AD security baselines are vetted configuration sets for hardening domain controllers, member servers, and clients, covering password and lockout policy, audit policy, user rights assignment (who may log on to DCs, who may debug processes), security options such as NTLM restrictions and SMB signing, and protections for privileged groups. Microsoft publishes them in the Security Compliance Toolkit as GPO backups together with the Policy Analyzer tool; CIS benchmarks and organisation-specific standards are the usual alternatives. Apply baselines through GPOs linked at the domain and the Domain Controllers OU, starting with an audit-only pass before enforcing, since some settings (NTLM blocking, LDAP signing and channel binding) break legacy systems. Troubleshoot baseline issues by checking GPO application (gpresult, Get-GPResultantSetOfPolicy) and resolving conflicts between the baseline and existing policy. Keep baselines current as new guidance is published, and measure drift with Policy Analyzer, SCAP tooling, or scripted checks against the expected values. Document every deviation with its justification and remediation plan for audit and compliance. Interviewers may ask about implementing baselines and ensuring compliance across domains.
50) What is the Future of Active Directory?
The future of AD is hybrid: on-prem AD remains for Kerberos, Group Policy, and legacy applications while Azure AD (now Microsoft Entra ID) handles cloud identity, with Azure AD Connect, hybrid join, and Conditional Access bridging the two. Passwordless methods such as FIDO2 security keys and Windows Hello for Business remove the password, and with it the reusable hash that attacks like Pass-the-Hash depend on, from the sign-in path. Analytics-driven detection (Microsoft Defender for Identity and similar tools) baselines normal authentication behaviour and flags anomalies consistent with Golden Ticket, Pass-the-Hash, or DCSync activity. Troubleshoot hybrid setups by monitoring sync status and the Conditional Access sign-in logs. Secure the hybrid estate with zero-trust principles: MFA everywhere, tiered administration, just-in-time privilege, and treating AD Connect, PTA agents, and DCs as one Tier 0 boundary. Pilot new features in labs to assess impact on legacy systems and user experience. Interviewers may ask about hybrid AD strategies, passwordless adoption, and the role of analytics in identity security.
Disclaimer: The content above is provided for informational and educational purposes only. Validate any changes in a test environment before applying to production. Xervai and the author are not responsible for issues arising from applying these guidelines without appropriate testing and operational controls.