Windows Server Active Directory Configuring Quiz - Test Your Skills

Troubleshoot DNS delegation errors and ace your AD Config test!

Difficulty: Moderate
2-5mins

This quiz helps you practice Windows Server Active Directory setup, from DNS delegation to common dcpromo errors. Use it to check weak spots before an exam or a real deployment; start with this AD configuration quiz and follow up with the AD DS practice set to lock in what you know.

What port does LDAP use by default?
3268
389
636
3269
Active Directory Domain Services uses LDAP for directory queries over TCP port 389 by default. LDAPS (LDAP over SSL) uses port 636. Port 3268 is used for Global Catalog LDAP queries, and 3269 for secure Global Catalog LDAP.
What console is primarily used to manage Active Directory user and computer objects?
Server Manager
Event Viewer
DNS Manager
Active Directory Users and Computers
Active Directory Users and Computers (ADUC) is the primary MMC snap-in used to manage user, group, computer, and organizational unit objects in Active Directory. DNS Manager is used for DNS zones, Server Manager is for server roles, and Event Viewer is for viewing logs.
Which service is responsible for translating hostnames to IP addresses within an AD environment?
NTP
DNS
WINS
DHCP
DNS (Domain Name System) resolves hostnames to IP addresses in Active Directory environments. DHCP assigns dynamic IP addresses, WINS is a legacy NetBIOS name service, and NTP synchronizes clocks.
What type of DNS zone should you use to store your AD DS DNS records and allow automatic replication to other DCs?
Secondary zone
Primary zone
Stub zone
Active Directory-integrated zone
An Active Directory-integrated zone stores DNS data in the AD DS database, enabling secure, multimaster replication to other domain controllers. Primary zones are file-based, secondary zones are read-only copies, and stub zones contain only delegation records.
What authentication protocol does Active Directory Domain Services use by default?
Kerberos
RADIUS
LDAP
NTLMv1
Kerberos is the default authentication protocol in Active Directory Domain Services, providing mutual authentication and ticketing. NTLM is supported for backward compatibility, LDAP is a directory access protocol, and RADIUS is a remote authentication protocol.
What is the primary purpose of the SYSVOL folder on a domain controller?
Backup system state
Store user home directories
Store Active Directory database
Store Group Policy templates and logon scripts
SYSVOL is a shared folder on domain controllers that stores Group Policy templates, scripts, and related files, enabling clients to download policy and scripts at logon. The AD database is stored in NTDS.DIT, not SYSVOL.
Which SRV record is used by clients to locate a domain controller for LDAP services?
_ldap._tcp.gc._msdcs.
_kerberos._udp.dc._msdcs.
_ldap._tcp.dc._msdcs.
_gc._tcp.
The _ldap._tcp.dc._msdcs. SRV record tells clients the hostnames and ports of domain controllers offering LDAP services. Kerberos uses _kerberos._udp, and global catalog uses _gc._tcp.
What is the default maximum length for a NetBIOS name?
32
15
63
128
NetBIOS names are limited to 15 characters, plus a 16th character for the NetBIOS suffix. DNS labels, by contrast, can be up to 63 characters.
Which command-line tool can you use to join a Windows server to an AD domain?
nltest /sc_join
dsadd computer
netdom join
djoin.exe
The netdom join command-line tool is used to join workstations or servers to a domain. djoin.exe performs offline domain joins, dsadd computer creates a computer object but doesn't join the OS, and nltest tests trust relationships.
Which record type maps a hostname to its IPv4 address in DNS?
CNAME
MX
AAAA
A
An A record in DNS maps a hostname to its IPv4 address. AAAA records map to IPv6 addresses, CNAME records are alias records, and MX records specify mail exchange servers.
Which FSMO role is responsible for coordinating ID allocations such as user and computer security identifier pools?
PDC Emulator
Infrastructure Master
RID Master
Schema Master
The RID (Relative Identifier) Master FSMO role allocates pools of RIDs to each domain controller for creating security principals. The PDC Emulator handles time synchronization, the Infrastructure Master updates cross-domain references, and the Schema Master controls schema changes.
To raise a domain functional level to Windows Server 2016, which console should be used?
Active Directory Sites and Services
Active Directory Users and Computers
Group Policy Management Console
Active Directory Domains and Trusts
Raising a domain functional level is performed in the Active Directory Domains and Trusts snap-in by right-clicking the domain and selecting 'Raise Domain Functional Level.' Other consoles manage different aspects of AD. Microsoft Docs: Domain Functional Levels
Which SRV record identifies the global catalog service for a domain?
_ldap._tcp.gc._msdcs.
_ldap._tcp.dc._msdcs.
_gc._tcp.dc._msdcs.
_gc._tcp.
Clients use the _gc._tcp. SRV record to locate global catalog servers within a domain. The record lists all GC-capable DCs for cross-domain object searches.
What is the default schedule interval for inter-site replication in Active Directory?
3 hours
1 hour
30 minutes
15 minutes
By default, inter-site replication in Active Directory occurs every 180 minutes (3 hours) to balance replication frequency and network utilization. Intra-site replication happens continuously.
Which wizard in Active Directory Users and Computers allows you to grant granular permissions to an OU?
Security Configuration Wizard
Group Policy Management Wizard
Active Directory Migration Wizard
Delegation of Control Wizard
The Delegation of Control Wizard in ADUC provides a guided interface to assign specific permissions to users or groups on OUs. It simplifies granular permission assignments without using ADSIEdit.
Which tool can be used to configure time synchronization on a domain controller?
time config
net time
timeserv.exe
w32tm.exe
w32tm.exe is the command-line tool to configure Windows Time service settings on domain controllers, including sync source and polling intervals. net time is deprecated, and other commands do not exist.
Which FSMO role must be available when adding a new domain to a forest?
Domain Naming Master
PDC Emulator
Infrastructure Master
Schema Master
The Domain Naming Master FSMO role controls adding and removing domains from the forest. When creating a new domain, this role must be online. Schema Master handles schema updates, PDC Emulator handles time, and Infrastructure Master handles cross-domain references.
What type of DNS record would you delegate to point to a child domain name server?
TXT record
SRV record
NS record
MX record
NS (Name Server) records are used in DNS to delegate a subdomain to the authoritative name servers of the child domain. MX records specify mail servers, SRV records locate services, and TXT records store arbitrary text.
Which PowerShell cmdlet enables the Active Directory Recycle Bin feature?
Install-WindowsFeature
Enable-ADForest
Enable-ADOptionalFeature
Set-ADForestMode
Enable-ADOptionalFeature is the PowerShell cmdlet used to activate the AD Recycle Bin, specifying the Recycle Bin feature and forest scope. Set-ADForestMode raises functional level but doesn't enable this feature.
Which attribute on a user object specifies a user's UPN suffix?
mail
userPrincipalName
displayName
sAMAccountName
The userPrincipalName attribute stores the user's logon name in UPN format (user@suffix), so the part after the @ is the UPN suffix. sAMAccountName is the pre-Windows 2000 logon name, displayName is for display in lists, and mail holds the email address.
How can you perform an authoritative restore of Active Directory objects?
Use the Recycle Bin feature
Use dsadd -restore
Use Ldp.exe export
Use ntdsutil authoritative restore
ntdsutil supports authoritative restores, allowing you to mark restored objects so they replicate to other DCs. Ldp.exe can query but not authoritatively restore, the Recycle Bin requires objects to be undeleted within tombstone lifetime, and dsadd has no restore function.
Which PowerShell cmdlet will grant a fine-grained password policy to a group?
Grant-ADPasswordPolicy
New-ADFineGrainedPasswordPolicy
Add-ADFineGrainedPasswordPolicySubject
Set-ADFineGrainedPasswordPolicy
Add-ADFineGrainedPasswordPolicySubject assigns an existing Password Settings Object to users or groups. New-ADFineGrainedPasswordPolicy creates the PSO itself, and Set-ADFineGrainedPasswordPolicy modifies it. There is no Grant-ADPasswordPolicy cmdlet.
What is the name of the default AD DS database file?
DIT.DB
SAM.DB
NTDS.LOG
NTDS.DIT
NTDS.DIT is the default Extensible Storage Engine (ESE) database file where Active Directory stores directory data. NTDS.LOG files are transaction logs, SAM.DB is the local security accounts database, and DIT.DB is not used.
Which global catalog port is used when performing LDAP queries against the GC?
3268
389
636
3269
Port 3268 is the default port for LDAP queries to the global catalog. Port 389 is for standard LDAP, 636 for LDAPS, and 3269 for secure global catalog LDAPS.
Which PowerShell cmdlet lists all replication partners of a domain controller?
Get-ADReplicationConnection
Get-ADReplicationSite
Get-ADReplicationFailure
Get-ADReplicationPartnerMetadata
Get-ADReplicationPartnerMetadata retrieves metadata for replication partners, including last replication status. Get-ADReplicationConnection lists connection objects, Get-ADReplicationFailure shows failures, and Get-ADReplicationSite lists sites.
How do you configure DNS scavenging for stale records on a zone?
Enable scavenging on the zone and set no-refresh and refresh intervals
Restart the DNS service
Manually delete stale records
Use dnscmd /AgeAll
Scavenging requires enabling it on the zone and configuring No-Refresh and Refresh intervals to define record aging. Manually deleting records or restarting the service doesn't automate scavenging. dnscmd /AgeAll ages records but doesn't enable scavenging.
What is the default tombstone lifetime for a Windows Server 2016 forest?
90 days
30 days
180 days
60 days
New Windows Server 2016 forests default to a 180-day tombstone lifetime to allow sufficient time for recovery of deleted objects. Earlier versions defaulted to 60 days. Microsoft Docs: Active Directory Functional Levels
Which Windows feature must be installed to support DNS delegation management in Server Manager?
DNS Server Tools
AD RMS Tools
Active Directory Lightweight Directory Services
Group Policy Management
DNS Server Tools, part of the Remote Server Administration Tools (RSAT), provides DNS management capabilities in Server Manager. AD LDS is a lightweight directory, Group Policy Management is for GPO, and AD RMS Tools manage rights services.
When configuring a new RODC, which credential replication policy group must you define first?
Denied RODC Password Replication Group
RODC Key Holders
RODC Administrators
Allowed RODC Password Replication Group
The Denied RODC Password Replication Group is configured first to explicitly block credentials replication to the RODC for security. The Allowed group is a whitelist; you configure it after setting the denies.
In an AD site topology, what attribute defines the site link cost?
replicationInterval
schedule
cost
transport
The cost attribute on a site link determines preference for replication paths - lower cost links are preferred. Schedule defines replication times and replicationInterval (in minutes) is legacy. Transport designates the transport protocol.
When would you use selective authentication in a forest trust?
When only specific users need cross-forest resource access
When you restrict domain controller replication
When you want full administrative trust
When enabling transitive trust
Selective authentication allows you to grant resource access in the trusting domain to specific users from the trusted domain. It's used when tight control is required. Full or forest-wide authentication grants access to all authenticated users.
To enable the Active Directory Recycle Bin, which minimum forest functional level is required?
Windows Server 2016
Windows Server 2008
Windows Server 2012
Windows Server 2008 R2
The AD Recycle Bin feature was introduced in Windows Server 2008 R2, so that functional level or higher is required to enable it. Windows Server 2008 cannot support it. Higher levels also support it but aren't the minimum.
Which PowerShell cmdlet allows you to disable site link bridging in Active Directory?
Set-ADReplicationSiteLinkBridge -Enabled $false
Set-ADReplicationSite -BridgeAll $false
Disable-ADSiteLinkBridge
New-ADReplicationSiteLink -BridgeAll:$false
Set-ADReplicationSite with the BridgeAll parameter set to $false disables automatic site link bridging. There is no Disable-ADSiteLinkBridge cmdlet. Other options either don't exist or create new links.
How do you manage claims and resource properties in dynamic access control?
Use Group Policy Management Console
Use the Active Directory Administrative Center
Use Claims Based Delegation
Use File Server Resource Manager
The Active Directory Administrative Center provides interfaces for managing claims, resource properties, and central access policies in Dynamic Access Control. GPMC manages GPOs, FSRM manages quotas and file screening, and "Claims Based Delegation" is not a DAC management interface.

Study Outcomes

1. Troubleshoot DNS Delegation Errors - Identify the root causes behind the "dcpromo a delegation for this dns server cannot be created" error and apply targeted fixes to restore proper DNS delegation.

2. Configure Active Directory Domain Services - Set up new forests, domains, and organizational units using industry best practices to build a scalable Windows Server Active Directory environment.

3. Validate DNS Server Delegation - Apply DNS delegation principles to ensure correct zone transfers and name resolution across multiple DNS servers in your network.

4. Prepare for 70-640 Certification - Review key concepts and real-world scenarios covered in the 70-640 practice quiz to boost your readiness for the Active Directory Configuring exam.

5. Optimize AD Deployment and Replication - Implement best practices for domain controller placement, site topology, and replication strategies to maintain a healthy and efficient directory infrastructure.

Cheat Sheet

1. DNS Delegation Fundamentals - DNS delegation lets a parent zone hand off responsibility for a subdomain by creating NS and A records that point to the child DNS server. For example, to delegate "child.contoso.com," add an NS record for child.contoso.com pointing to ns1.child.contoso.com and an A record for that server's IP (per RFC 1034 and Microsoft Docs). Remember the simple mnemonic "NS = Name Server, A = Address" to keep the delegation steps clear.

2. Troubleshooting "dcpromo a delegation for this dns server cannot be created" - This error often appears when you lack write permissions on the parent zone or the zone is set to not allow dynamic updates. Verifying that you have sufficient DNS Admin permissions and enabling secure dynamic updates on the parent zone typically resolves the issue (Microsoft Learn recommends checking zone ACLs first). A quick tip is to run "dnscmd /ZoneInfo" to confirm the update settings before retrying dcpromo.

3. FSMO Role Awareness - Active Directory has five Flexible Single Master Operations (FSMO) roles: Schema, Domain Naming, RID, PDC Emulator, and Infrastructure. Use the mnemonic "RID PDC E P C" ("Ripe Pecan Pie is Delicious") to recall the RID, PDC, Infrastructure, Schema, and Domain Naming order. According to Microsoft Docs, placing these roles strategically prevents conflicts and optimizes replication.

4. Active Directory Sites and Services Configuration - Sites group domain controllers by physical location to optimize replication and authentication traffic; define site links and set replication schedules in the "Active Directory Sites and Services" console. For instance, create a "New York - London" site link with scheduled off-peak replication windows to conserve bandwidth (per Microsoft TechNet). Remember: "Sites for Speed, Services for Sync."

5. DNS SRV Records for AD Functionality - Active Directory relies on DNS SRV records (e.g., _ldap._tcp.dc._msdcs.contoso.com) to enable client DC location and service discovery. Ensure your DNS server automatically registers these records by allowing dynamic updates and verifying them under the zone's _msdcs subdomain (as detailed in Microsoft's official documentation). A quick check via "nslookup -type=SRV _kerberos._tcp.contoso.com" confirms proper SRV registration.
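The delegation, dynamic-update and SRV checks from cheat sheet items 1, 2 and 5 can be scripted into one health check. The script below is an added example, not part of the quiz page or any Microsoft tooling: it assumes a domain-joined Windows host with the built-in DnsClient module (Resolve-DnsName), optionally the DnsServer module (Get-DnsServerZone) when run on the DNS server itself, and the zone names contoso.com / child.contoso.com are placeholders for your own. It verifies that the parent holds NS records for the child zone, that each NS host has a glue A record, that the DC-locator and KDC SRV records exist, and (server side) what dynamic-update mode the parent zone allows.

```powershell
# Added example (not the quiz page's own code): defender-side health check for
# AD DNS delegation and SRV registration. Zone names are placeholders.
param(
    [string]$ParentZone = 'contoso.com',        # placeholder parent zone
    [string]$ChildZone  = 'child.contoso.com',  # placeholder delegated child zone
    [string]$DnsServer  = $null                 # DNS server to query; $null = the client's configured resolver
)

# Small wrapper so every lookup goes to the same server and never throws on NXDOMAIN.
function Resolve-Safe {
    param([string]$Name, [string]$Type)
    $p = @{ Name = $Name; Type = $Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $p['Server'] = $DnsServer }
    return Resolve-DnsName @p
}

# 1. Delegation: the parent must answer with NS records for the child, and each
#    NS host must resolve to an A record (the glue record). A missing NS or glue
#    record is the usual reason clients cannot reach the child zone.
$ns = Resolve-Safe -Name $ChildZone -Type NS | Where-Object { $_.Type -eq 'NS' }
if (-not $ns) {
    Write-Warning "No NS records for $ChildZone returned - delegation is missing in $ParentZone."
} else {
    foreach ($rec in $ns) {
        $glue = Resolve-Safe -Name $rec.NameHost -Type A | Where-Object { $_.Type -eq 'A' }
        if ($glue) { Write-Output ("NS {0} -> {1}" -f $rec.NameHost, ($glue.IPAddress -join ', ')) }
        else       { Write-Warning ("NS {0} has no A record (missing glue)" -f $rec.NameHost) }
    }
}

# 2. SRV records a client needs to locate a domain controller (LDAP) and a KDC
#    (Kerberos) in the child domain. Absent records mean dynamic registration failed.
foreach ($svc in @("_ldap._tcp.dc._msdcs.$ChildZone", "_kerberos._tcp.dc._msdcs.$ChildZone")) {
    $srv = Resolve-Safe -Name $svc -Type SRV | Where-Object { $_.Type -eq 'SRV' }
    if ($srv) { $srv | ForEach-Object { Write-Output ("{0} -> {1}:{2}" -f $svc, $_.NameTarget, $_.Port) } }
    else      { Write-Warning "$svc is not registered - clients cannot locate a DC through DNS" }
}

# 3. Optional, on the DNS server only: report the parent zone's dynamic-update mode
#    and whether it is AD-integrated. 'None' on the parent is the setting the
#    "delegation cannot be created" error usually points at.
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    $zone = Get-DnsServerZone -Name $ParentZone -ErrorAction SilentlyContinue
    if ($zone) {
        Write-Output ("Zone {0}: DynamicUpdate={1}, IsDsIntegrated={2}" -f $zone.ZoneName, $zone.DynamicUpdate, $zone.IsDsIntegrated)
    } else {
        Write-Warning "Zone $ParentZone is not hosted on this server"
    }
}
```

Run it as `.\Check-AdDns.ps1 -ParentZone contoso.com -ChildZone child.contoso.com -DnsServer dc1.contoso.com` (names are placeholders). Warnings, not errors, are emitted for each failed check so the whole report is produced in one pass; the server-side section is skipped silently on hosts without the DnsServer module.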
