Take the Windows Server Active Directory Configuration Quiz

Discover which Windows Server core technology uses snap-ins - challenge your AD knowledge now!

Difficulty: Moderate
2-5mins

Use this quiz to practice Windows Server Active Directory configuration, from AD snap-ins to everyday admin tasks and roles. Check your gaps before an exam. For extra drills, try the guided walkthrough or the Domain Services practice set to keep your skills fresh.

What is the primary purpose of Active Directory?
Network printing
File storage
Centralized identity and access management
Database management
Active Directory provides a centralized directory service for authentication and authorization of users and resources. It stores information about objects on the network and makes this information easy for administrators and users to find and use. AD is not designed primarily for file storage, printing, or general database management.
Which tool is used to view and manage Active Directory objects?
Group Policy Management Console
DHCP Manager
DNS Manager
Active Directory Users and Computers
Active Directory Users and Computers (ADUC) is an MMC snap-in for managing user, group, computer, and organizational unit objects in AD. DNS Manager handles DNS zones, DHCP Manager handles DHCP, and GPMC manages Group Policy.
Which port does LDAP use by default?
80
389
3268
636
LDAP uses TCP port 389 by default for non-secure communications. Port 636 is used for LDAP over SSL (LDAPS), and 3268/3269 are used for Global Catalog queries.
Which built-in account is created when you install Active Directory?
krbtgt
DomainUser
Guest
Administrator
During AD DS installation, the built-in Administrator account is created as a domain-level principal with full privileges. The krbtgt account is used internally by Kerberos, and Guest is a separate account.
Which DNS record type is required for domain controllers?
PTR record
MX record
SRV record
A record
SRV records identify domain controllers that provide LDAP, Kerberos, and other directory services. Clients use these records to locate DCs. A records map hostnames to IPs, MX records identify mail servers, and PTR records map IPs to hostnames.
Which component generates the AD replication topology by calculating replication connections?
Ntfrs
KCC
DFSR
Ntdsutil
The Knowledge Consistency Checker (KCC) runs on each domain controller and automatically generates and maintains the replication topology based on site and connection information. DFSR and FRS handle file replication, while ntdsutil is a management tool.
What is the file name of the Active Directory database?
ntds.dit
ntds.osm
edb.log
ntds.log
Active Directory stores its directory database in the ntds.dit file. Log files such as edb.log and ntds.log are transaction logs, but the .dit file contains the actual database.
Which PowerShell cmdlet adds a new domain controller?
Add-ADGroupMember
Install-ADDSForest
New-ADComputer
Install-ADDSDomainController
The Install-ADDSDomainController cmdlet promotes a server to be an additional domain controller in an existing domain. Install-ADDSForest creates a new forest, while New-ADComputer and Add-ADGroupMember handle objects, not DC installation.
Which group type can be assigned to resource permissions directly?
Security
Distribution
Built-in
Domain Local
Security groups are used to assign permissions to network resources. Distribution groups are used for email distribution only. Built-in is not a group type, and Domain Local describes scope, not type.
Which MMC snap-in is used to manage Group Policy Objects?
Active Directory Sites and Services
Group Policy Management Console
GPEDIT
DNS Manager
The Group Policy Management Console (GPMC) provides a centralized interface to create, edit, and manage GPOs across the domain. GPEDIT is for local policies only. DNS Manager and Sites and Services do not handle GPOs.
What is the default location of the SYSVOL folder on a domain controller?
D:\SYSVOL
C:\SYSVOL
C:\Windows\System32
C:\Windows\SYSVOL
By default, the SYSVOL share is located at C:\Windows\SYSVOL on a Windows Server domain controller. This folder stores logon scripts and Group Policy template files. Moving SYSVOL requires DFS-R migration steps.
What is the purpose of the Global Catalog?
Host DNS zones
Manage printer objects
Authenticate users from any domain
Store global security policy
The Global Catalog holds partial, read-only copies of all objects in the forest to facilitate searches and universal group membership across domains. It helps authenticate users when they log on to a domain that is not their home domain.
How many FSMO roles exist in a single AD forest?
3
7
2
5
Active Directory defines five Flexible Single Master Operation (FSMO) roles: Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master. These roles handle forest-wide and domain-wide tasks.
Which replication topology is used by default within an AD site?
Star
Hub and spoke
Ring
Full mesh
Within a single AD site, the KCC generates a full-mesh replication topology so that every domain controller replicates directly with every other DC. This optimizes replication speed and minimizes latency.
What does GC stand for in the context of Active Directory?
Global Controller
Global Catalog
Group Controller
General Catalog
GC stands for Global Catalog, which contains a partial, read-only replica of all objects in the forest to accelerate searches and cross-domain authentication. It is not a controller or general catalog.
Which FSMO role controls the creation and deletion of domains within the forest?
PDC Emulator
Domain Naming Master
RID Master
Schema Master
The Domain Naming Master handles forest-level operations such as creating or removing domains in the forest. It must be available when you add or remove a domain.
Which command-line tool is used to seize FSMO roles when the original role holder is unavailable?
dsquery
ntdsutil
repadmin
netdom
You use ntdsutil to seize FSMO roles when the active holder is offline or cannot be recovered. Netdom manages trusts, dsquery queries AD, and repadmin manages replication.
Which replication method replaces FRS for SYSVOL replication in newer Windows Server versions?
SMB
Robocopy
FRS
DFS-R
Distributed File System Replication (DFS-R) replaces File Replication Service (FRS) for SYSVOL replication starting in Windows Server 2008 R2 and later. It provides improved performance and reliability.
Which port does LDAPS (LDAP over SSL) use by default?
3268
389
636
3269
LDAP over SSL (LDAPS) uses TCP port 636 by default to secure directory traffic with TLS/SSL. Port 389 remains for non-secure LDAP.
Which function is provided by the PDC Emulator FSMO role?
Schema updates
Global Catalog maintenance
Time synchronization
DNS zone management
The PDC Emulator handles time synchronization for the domain, processes password changes, and provides backward compatibility for NT4 clients. It does not update the schema or maintain DNS.
Which PowerShell cmdlet resets the machine account password of a domain-joined computer?
Set-ADRestoreModePassword
Set-ADAccountPassword
Reset-ADServiceAccountPassword
Reset-ComputerMachinePassword
Reset-ComputerMachinePassword updates the local computer account password in AD and on the local machine. The other cmdlets handle service or user account passwords.
Which MMC snap-in allows you to manage DNS zones stored in AD?
Group Policy Management
Active Directory Sites and Services
DNS Manager
ADSI Edit
DNS Manager lets you manage DNS zones, including AD-integrated zones stored in the application partition. Sites and Services manages site topology, ADSI Edit edits low-level AD objects, and GPMC manages GPOs.
What does the DNS SRV record _ldap._tcp.dc._msdcs. identify?
Kerberos servers
Global Catalog servers
Domain controllers
DNS servers
The _ldap._tcp.dc._msdcs. SRV record locates domain controllers offering LDAP services for the specified domain. Clients query this record to find DCs.
Which tool can export and import directory data as LDIF?
LDIFDE
Dcdiag
ADPREP
CSVDE
LDIFDE imports and exports Active Directory data using LDIF format. CSVDE uses CSV, ADPREP prepares AD for upgrades, and Dcdiag diagnoses DC health.
Which group scope can contain members from any domain and assign permissions in any domain?
Built-in
Domain Local
Global
Universal
Universal groups can have members from any domain in the forest and can assign permissions in any domain. Global groups contain only same-domain members, and domain local groups can assign permissions only within their domain.
What is the effect of raising the domain functional level?
Alters replication schedule
Deletes old domain controllers
Enables new AD features
Changes DNS settings
Raising the domain functional level enables advanced features that require newer Windows Server versions. It does not remove DCs or modify DNS or replication schedules directly.
Which netdom trust parameter validates the trust relationship?
/Check
/Validate
/Verify
/Test
The /Validate option confirms that a trust is properly configured and functioning. There is no /Verify or /Check parameter for trust validation in netdom.
Which PowerShell cmdlet moves a FSMO role to a different domain controller?
Move-ADDirectoryServerOperationMasterRole
Move-ADObject
Transfer-ADFSMORole
Set-ADDomainController
Move-ADDirectoryServerOperationMasterRole transfers FSMO roles to another DC. The other cmdlets do not handle FSMO role movement directly.
Which LDAP filter retrieves all user objects?
(objectCategory=person)
(user=*)
(objectClass=user)
(cn=user)
The filter (objectClass=user) returns all objects of type user in AD. While objectCategory=person can also return user objects, objectClass=user is more specific for user class.
Which AD partition is replicated to all domain controllers in the forest?
Configuration partition
Schema partition
Application partition
Domain partition
The Configuration partition is forest-wide and contains topology information for sites, subnets, and services. It is replicated to every DC in every domain.
Which command shows AD replication status for a domain controller?
dcdiag /test:replications
nltest /replicate
netdom query fsmo
repadmin /showrepl
Repadmin /showrepl displays incoming and outgoing replication partners and status for each directory partition on a DC. Dcdiag tests replication but under a different switch.
What is required before enabling the Active Directory Recycle Bin?
Forest functional level Windows Server 2008 R2 or higher
Domain functional level Windows Server 2003
Installation of RSAT tools
Active Directory snapshot enabled
The AD Recycle Bin requires the forest functional level to be raised to Windows Server 2008 R2 or above. It cannot be enabled on lower functional levels. No additional tools or snapshots are prerequisites.
Which command removes metadata of a failed domain controller?
repadmin /clean
dcdiag /cleanup
ntdsutil metadata cleanup
dcpromo /forceremoval
The ntdsutil metadata cleanup context removes lingering references to decommissioned or failed DCs from AD. Dcpromo /forceremoval demotes a DC forcibly but does not clean up metadata.
What is the default tombstone lifetime for AD objects in Windows Server 2016?
30 days
180 days
60 days
120 days
Starting with Windows Server 2016, the default tombstone lifetime is 180 days. Older versions default to 60 or 180 days depending on the OS. This setting determines how long deleted objects are retained.
Which tool allows low-level editing of Active Directory objects and attributes?
Active Directory Users and Computers
Group Policy Management Console
ADSI Edit
LDP
ADSI Edit provides a low-level view of AD directory partitions and allows direct editing of attributes. LDP is an LDAP client but lacks the same object editing convenience.
How do you create a Read-Only Domain Controller (RODC)?
dcpromo /ReplicaDomainController:Yes /ReadOnly:Yes
dcpromo /forceremoval
dcpromo /unattend /replicaType:RODC
Install-ADDSDomainController -ReadOnly
RODCs are installed using dcpromo with ReplicaDomainController and ReadOnly parameters. They host a read-only replica of AD and store only permitted account credentials.
Fine-grained password policies in AD apply to which of the following?
Sites
Global security groups or users
Domain controllers
Organizational Units
Fine-grained password policies apply to users and global security groups in a domain. They allow different password settings for different users. OUs cannot directly receive password policies.
Which command backs up the system state, including AD database?
ntbackup
Backup-ADObject
Get-ADReplicationSite
wbadmin start systemstatebackup
Windows Server Backup (wbadmin start systemstatebackup) backs up the system state, including the AD database, registry, and other critical system files. Ntbackup is deprecated and Backup-ADObject only backs up individual objects.
Which snap-in provides the Operations Master interface to transfer FSMO roles?
Active Directory Domains and Trusts
Group Policy Management
Active Directory Users and Computers
Active Directory Sites and Services
Active Directory Users and Computers offers the Operations Master dialog for transferring RID, PDC Emulator, and Infrastructure Master roles for its domain. The other snap-ins handle different tasks.
Which replication transport protocol supports mail-based transport for certain AD partitions?
LDAP
SMTP
RPC
SMB
SMTP is used for replication of the Configuration and Schema partitions when RPC is unavailable or blocked. It is not used for domain partition replication.
What role does the Key Distribution Center (KDC) play in AD authentication?
Host LDAP queries
Manage Kerberos tickets
Maintain DNS records
Enforce GPO refresh
The KDC issues Kerberos ticket-granting tickets and service tickets for authentication. It is a service running on domain controllers. It does not handle DNS or GPOs.
Which tool combines health checks and replication analysis for AD?
adprep
dcdiag
netdiag
ldp
Dcdiag runs a series of diagnostic tests on domain controllers, including replication checks. Netdiag is deprecated, adprep prepares a forest for upgrade, and ldp is an LDAP client utility.
What is the default site link object name in Active Directory Sites and Services?
DEFAULTSITEIP
IPDEFAULTSITE
DEFAULTSITE
DEFAULTIPSITELINK
When AD Sites and Services is first installed, a site link named DEFAULTIPSITELINK is created to simulate a fully connected IP network. Administrators can create additional links as needed.
Which component determines the inter-site replication schedule and topology?
USN Manager
RID Manager
KCC
FSMO Scheduler
The Knowledge Consistency Checker (KCC) runs every five minutes on each DC to calculate the inter-site replication connections and schedule based on site link costs and schedules. No other FSMO or manager component handles topology.
How do you create a cross-forest external trust using PowerShell?
New-ForestTrust -Name Example -External
New-ADTrust -Name Example -TrustType External -Forest
Add-ADForestTrust -Name Example -Type External
netdom trust Example /domain:other /External
The New-ADTrust cmdlet with the -TrustType External and -Forest flags establishes a cross-forest external trust. Add-ADForestTrust and New-ForestTrust are not valid cmdlets, and netdom trust uses a different syntax.
What does a USN rollback on a DC indicate?
Replication inconsistency due to restored VM snapshot
DNS record conflict
Time synchronization failure
Broken FSMO role
A USN rollback occurs when a DC is reverted to an earlier state (e.g., by restoring a VM snapshot) without proper AD-aware restoration. This breaks replication consistency with other DCs.
Which directory partition stores site and subnet mappings?
Application partition
Configuration partition
Domain partition
Schema partition
Sites, site links, subnets, and server connection objects are stored in the Configuration partition, which is replicated forest-wide. Schema contains class and attribute definitions, while domain partitions contain domain objects.
Which FSMO role exists once per forest only?
PDC Emulator
Schema Master
Infrastructure Master
RID Master
The Schema Master is a forest-wide FSMO role and there is only one per forest. The RID, PDC, and Infrastructure masters exist once per domain.
Which LDAP control OID allows retrieval of deleted objects?
1.2.840.113556.1.4.44
1.2.840.113556.1.4.800
1.2.840.113556.1.4.473
1.2.840.113556.1.4.417
The LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417) control enables clients to search the Deleted Objects container for tombstoned entries. Without this control, deleted objects are hidden.

Study Outcomes

  1. Understand MMC as the core technology for snap-ins

    Explain how Microsoft Management Console (MMC) serves as the Windows Server core technology with which you use snap-ins to manage Active Directory.

  2. Identify Windows Server AD snap-ins

    Recognize and navigate key Windows Server AD snap-ins, such as Active Directory Users and Computers, to effectively manage directory objects.

  3. Configure Active Directory Windows Server components

    Set up essential Active Directory elements (domains, organizational units, and DNS integration) using practical configuration steps.

  4. Apply best practices in Windows Server Active Directory Configuration

    Implement security and performance guidelines to optimize your Active Directory environment for reliability and compliance.

  5. Evaluate skills with an Active Directory configuration quiz

    Test your knowledge through targeted questions that reinforce your understanding and highlight areas for further improvement.

Cheat Sheet

  1. Microsoft Management Console & Snap-ins

    Windows Server Active Directory Configuration relies on the Microsoft Management Console (MMC) as its core technology for snap-ins, such as Active Directory Users and Computers or DNS Manager (Microsoft Docs). Remember "Add and Remove Snap-ins" under File to load Windows Server AD snap-ins quickly. A handy mnemonic is "M-M-C" = "Manage, Monitor, Configure."

  2. Domain Controller Installation & Promotion

    To configure Active Directory Windows Server environments, you first install the AD DS role with Install-WindowsFeature AD-Domain-Services, then run Install-ADDSForest (Microsoft Learn). You can also use Server Manager's Active Directory Domain Services Configuration Wizard for a GUI-driven process. Think "Install → Promote" as a simple two-step checklist.

  3. FSMO Roles & Mnemonic

    Active Directory uses five Flexible Single Master Operations (FSMO) roles: Schema, Domain Naming, PDC Emulator, RID Master, and Infrastructure Master (TechNet). A popular mnemonic is "S N P R I" pronounced "snipry" for Schema, Naming, PDC, RID, Infrastructure. Always verify role holders with Get-ADForest and Get-ADDomain PowerShell cmdlets.

  4. DNS Integration & SRV Records

    AD DCs depend on DNS for service location via SRV records like _ldap._tcp.dc._msdcs.contoso.com (RFC 2782). Ensure your DNS zones allow secure dynamic updates to register domain controllers automatically. Remember: "SRV finds DC" to recall that DNS SRV records locate controllers.

  5. Group Policy Objects & Delegation

    After you configure Active Directory Windows Server structure, use the Group Policy Management Console (GPMC) snap-in to create and link GPOs at domain or OU levels (Microsoft Docs). Delegate GPO management by assigning "Edit settings" rights to break out admin duties. A quick tip: "Link first, then delegate" to maintain order in larger environments.
