Interviewing Active Directory Engineers

One of the most difficult challenges an IT manager faces is hiring the right people. Finding the right employee is more than just looking for strong performance in a single area; it requires that you consider several different skill domains, not only to measure technical ability but also to ensure that the prospective employee is a good fit for your organization.

Know Thyself

Before jumping into a technical interview, it is important to take a step back and look at the environment and team into which you will be bringing this candidate. Some questions you might want to ask yourself:

  1. What criteria do I use to describe a successful candidate?
  2. What qualities do I see in my best people that I am looking for in a new employee?
  3. Am I looking for someone to toe the line or be an agent of change? (Think hard and be honest)
  4. How would I describe my corporate culture? Challenges integrating with the team?

The Golden Mean

Once you have taken an honest look at your environment and the role that you are really looking for the new person to fill, it is time to look at specific interview questions that will help you narrow the field. It is always hard to find people who have a high level of technical competency, but I’ll often have to reject these people for other reasons. It is usually easier to train a quality candidate than it is to hammer someone with amazing book knowledge into the right mold.

There are a couple of key skills that can’t be easily taught and take a significant investment over time to develop:

  • Logical Progression through Fault Isolation – It is important that a candidate be able to troubleshoot a complex situation through methodical fault isolation, dealing with one variable at a time, and be able to narrow the field of probability in a logical order. Lack of this skill leads to a network engineer who grasps at straws and can’t decide what is important and what is not.
  • Ability to Communicate in Written and Verbal Media – This is of the utmost importance for leading a team and acting as a focal point for end-user communication. It comes down to the ability to express ideas clearly and to break problems into common experiences and clear ideas that anyone can understand. Lack of this skill leads to alienation of the working team as well as mistrust on the part of the users.
  • Ability to Understand the Business – This doesn’t require an MBA or advanced training, but every employee with system- or enterprise-level responsibility should be able to identify when a situation can impact the bottom line and how revenue streams are driven through the company. Lack of this skill leads to mis-prioritization of tasks and an inability to evaluate the risk involved in work items.
  • Ability to Work as a Team – This skill encompasses leadership and appropriately handling team dynamics. Active Directory and Windows Server often form the nexus of many disparate IT systems and require team integration to serve these different consumers. It is important to be able to recognize politically charged situations and deal with them appropriately, driving consensus. Lack of this skill leads to team alienation and infighting between teams and team members.
  • Ability to Face Mistakes and Learn from Them – Nothing is more frustrating than dealing with a coworker or employee who does the same thing over and over and expects a different result. Even worse is when the outcome is always blamed on other people. A strong candidate will be able to talk freely about mistakes made, as these are often the birthplace of high-level expertise. Lack of this skill is usually expressed through displays of bravado and ego contests, which reflect a lack of objective self-evaluation. In its worst expression, this leads to an institutional culture of blame and lying to cover missteps.

Counter-Example: Hiring by Skill Alone

About three years ago, I was looking for an engineer that had both high-end Active Directory skills and moderate-level Cisco infrastructure skills for a client I had in the Chicago metro area. On the resume and in the technical interview the candidate hit all of the technical requirements out of the park. He was able to answer all of my questions and was even able to push back to read into the questions and challenge the suppositions behind the relatively simple scenarios posed by the questions.

At the time, I was having a hard time finding qualified technical people to put into a client who was already contracting for the FTE – needless to say, I really wanted a qualified body to put into that role. This eagerness caused me to gloss over some of my non-technical questions and ignore minor idiosyncrasies that I was picking up on in the interview.

This misstep on my part led to a tumultuous working relationship that disrupted the rest of the team and caused us to lose weeks of work time to deal with personality conflicts.

This eventually came to a head with the engineer refusing to take criticism on his work and refusing to be held to the same standards as the rest of the team. In a morning progress meeting where we were reviewing status and needs, the employee got so upset at having his work reviewed that he lost control of himself and even asked me, his manager, to leave the room so he didn’t have to punch me!

Needless to say, that was his last day.

Active Directory Interview Questions

Situational Questions

  1. What was the hardest technical challenge you’ve ever faced? How did you overcome that?
  2. Describe a situation where it was you against the technology and the technology won. How did you handle the communication during the crisis?
  3. What do you consider your best technical strength? How do you use that to give back to the community and to mentor new people?
  4. Talk about a project with which you’ve been involved that was abandoned or cancelled before it was completed. What went into making that decision? What positive things came out of the project in spite of its overall failure?

Team Dynamics

  1. What things do you do on a day-to-day basis to maintain your skills?
  2. What skills do you think most AD/Windows engineers lack? How would you help them get up to speed?
  3. How would you describe your learning style? How do you learn best from experiences? From other coworkers?
  4. Who was the most frustrating person you’ve ever had to work with? What made that so painful? How did you help that person become a better team member?
  5. If a coworker were to tell you that you were at the top of their list for most frustrating teammate, how would you address that? What would they probably see as your worst trait?
  6. The last time your manager made you angry, how did you bring that to a positive conclusion?
  7. How would you describe your ideal team environment? What would make it rewarding for you?
  8. Describe your best day at work. What is the one thing you could do to make your life better?

Active Directory (Yes, finally)

  1. What are the 5 FSMO (Fizz-mō) roles and what do they do?
    (A lot of interviews will skip a question like this that will spark a long explanation on the part of the interviewee, but it is important to ask as this will demonstrate attention to detail, handling several things at once, and handling of the core of AD. I’ve found that 75% of MCSEs can’t answer this question and can often hurt the interview so much that this is the only technical question I’ll get to.)
    1. Primary Domain Controller Emulator (PDCe) – This role handles the propagation of password changes and some GPO operations. It also participates as the PDC in NT4 domains.
    2. Schema Master (SM) – Acts as the single point of authority in maintaining the AD Schema
    3. Infrastructure Master (IM) – This is responsible for the mapping of GUIDs to objects across the domains. This role maintains object references.
    4. Domain Naming Master (DNM) – This is responsible for the addition, removal, and management of domains in the forest.
    5. Relative ID Master (RID Master) – This role is responsible for the assignment of unique SIDs to objects created in the domain.
  2. Which FSMO roles are Forest-specific?
    1. There is only one Schema in a forest. This is managed by the Schema Master.
    2. The Domain Naming Master controls domain declarations and object identity (uniqueness) in a forest as a whole.
  3. What is the role of the Global Catalog (GC)? Why is this not a FSMO Role?
    1. The GC holds a flat/denormalized version of the Active Directory that can be searched and accessed more quickly, without having to traverse the hierarchical tree.
    2. Since any DC can hold a copy of the GC, this is not a Single Master in the FSMO sense. This is an important piece of the AD system, though.
  4. Which role is no longer used if all Domain Controllers are holders of the GC?
    1. The Infrastructure Master is not used if all DCs are GCs
    2. Normally the IM and the GC should not be on the same server, but this is not the case if all DCs also have the GC
    3. In smaller networks (under a dozen DCs), usually all DCs should be GCs and ADi DNS holders.
  5. What is the role of the PDC Emulator (PDCe) if you are in 2003 native mode and all of your clients are running Windows XP?
    1. The PDCe is required for GPO and Password Updates
    2. Unavailability of this service results in long logon times and policy application problems
    3. Time services are also bound here
    4. If the answer is that this service is only for backwards compatibility, this is a HUGE flag that the candidate only has book knowledge!
  6. Talk about the role of DNS in the Active Directory
    1. DNS is the backbone of AD as all resource location is done against the DNS
    2. DNS helps to shape all communication patterns and is integral to replication
    3. DNS also supports the location of servers and maps to the AD topology of the domain
    4. 80% of AD problems can be traced to DNS problems.
  7. How would you repopulate the SRV records if you needed to update them?
    1. Restart the NETLOGON service
    2. You can also reboot the server, but this isn’t the preferred method as it requires downtime.
  8. Why would one choose AD integrated (ADi) DNS over standard DNS or BIND?
    1. ADi DNS uses the replication strategy of the AD itself providing a better replication topology and a differential replication of changes rather than whole zone transfers
    2. This is the most reliable DNS to support all of the features of Active Directory
  9. How would you check the health of your domain?
    1. You can use a combination of DCDIAG, NetDIAG and REPLMON
    2. Event logs can also be used, but these will not give deep knowledge into the AD’s innerworkings
  10. What tools would you use to check replication?
    1. REPLMON in the Server Support Tools is the best tool
    2. You can also force replication in AD Sites & Services.
  11. What does it mean when an object is tombstoned?
    1. This means that the object hasn’t replicated in a long time and the tombstone threshold was exceeded. (60 days in W2K and 120 in W2K3)
    2. This object gets sent to garbage collection
    3. This usually happens when a DC is offline or cannot replicate for a long time. The DC has to be rebuilt to rejoin the domain.
  12. How would you remove a failed Domain Controller from the domain if it couldn’t be demoted gracefully?
    1. DCPROMO /forceremoval
    2. Delete from AD Sites and Services
    3. Delete the DNS records
    4. Perform a metadata cleanup (NTDSUtil)
  13. What are the three objects to which you can attach GPOs?
    1. Domain
    2. Organizational Unit (OU)
    3. Site – this is the least common
  14. If your domain is in Windows 2003 Native mode and your clients are all Vista/ XP, when would you run WINS?
    1. When you cross subnet boundaries it is still necessary to run WINS. Otherwise the workstations will still rely on NetBIOS elections to populate the master browser. This will also provide a list in My Network Places/ Computers Near Me that cross the subnet boundaries providing a full list.
  15. What does DHCP do in your network? How does a workstation find a DHCP server?
    1. DHCP hands out IP addresses and network configuration information to workstations and hosts.
    2. A workstation will broadcast on the network to find a server and will accept the offer from whichever server responds first.
    3. If there isn’t one on the local broadcast domain, a router or layer-3 switch can direct the server request using an IP Helper-Address to cross domains.
  16. What is the difference between an Authoritative and non-Authoritative AD restore?
    1. An authoritative restore takes control of the AD and overwrites the current version with the records from the backup’s timestamp. A non-authoritative restore will allow newer records to be replicated on top of the restored records.
  17. Under what circumstances would you need a new domain? A new Forest?
    1. New Domain
      1. In the case of needing a new domain security policy or password policy (not Server 2008 though)
      2. If you need a soft security boundary for administration
      3. If you need a separate IPSec policy
      4. Crossing geopolitical boundaries
    2. New Forest
      1. If you need to split Namespace ( vs.
      2. If you need a hard security boundary without an implicit trust
  18. What tools would you use to join two domains together?
    1. Active Directory Migration Tool (ADMT)
    2. Third-party tools are available, like the Quest tools.
  19. How would you copy files from one server to another and keep the NTFS permissions?
    1. Use xcopy or xcopy.vbs
    2. Use a 3rd party tool like robocopy
  20. What commands would you put in a logon script to map the W: drive to the Home Directory?
    1. Net use W: /home
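
As an added example that is not part of the original post, the following PowerShell script reports the five FSMO role holders behind questions 1 and 2, checks the Global Catalog / Infrastructure Master placement rule from question 4, and queries the PDC emulator’s time source from question 5. It assumes the RSAT ActiveDirectory module on a domain-joined machine (Server 2008 R2 / Windows 7 or later, so the cmdlets postdate the 2003-era tooling the answers cite) and read rights to the forest; the domain name is taken from the current session.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Questions 1-2: the two forest-wide roles come from Get-ADForest, the three
# domain-wide roles from Get-ADDomain (one holder of each per domain).
function Get-FsmoReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster        # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest-wide
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

# Question 4: the Infrastructure Master fixes up cross-domain (phantom) references and
# must not sit on a GC unless every DC is a GC (then it has nothing to do).
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom   = Get-ADDomain -Identity $Domain
    $dcs   = @(Get-ADDomainController -Filter * -Server $Domain)
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0

    if (-not $im) {
        return "Role holder $($dom.InfrastructureMaster) not found among the $($dcs.Count) DCs of $Domain - check replication and DNS."
    }
    if ($allGc) {
        return "All $($dcs.Count) DCs in $Domain are GCs; the Infrastructure Master on $($im.HostName) is idle and its placement does not matter."
    }
    if ($im.IsGlobalCatalog) {
        return "WARNING: Infrastructure Master $($im.HostName) is a GC while other DCs are not; cross-domain references will not be updated. Move the role to a non-GC or make every DC a GC."
    }
    return "Infrastructure Master $($im.HostName) is on a non-GC; placement is correct."
}

Get-FsmoReport | Format-List
Test-InfrastructureMasterPlacement

# Question 5: the PDCe is the time root of the domain. It should chain to an external
# NTP source; 'Local CMOS Clock' or 'Free-running System Clock' here is a finding.
$pdce = (Get-ADDomain).PDCEmulator
w32tm /query "/computer:$pdce" /source
```

The placement test is deliberately conservative: it also flags the case where the role holder cannot be enumerated at all, since a candidate who answers question 4 well should recognise that a missing or unreachable role holder is itself the problem to chase before arguing about placement.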

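The DNS and replication checks behind questions 6 through 11, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory and DnsClient modules (Server 2012 / Windows 8 or later; Resolve-DnsName and Get-ADReplicationPartnerMetadata are newer than the DCDIAG/REPLMON tooling the answers name, and REPLMON was dropped after Server 2003) and a domain name supplied by the caller. The Netlogon restart is invoked with -WhatIf so the script reports rather than acts until that switch is removed.

```powershell
# Added example, not from the original post. Requires RSAT (ActiveDirectory, DnsClient).
Import-Module ActiveDirectory

# Questions 6-7: each DC registers locator SRV records through Netlogon. A DC that is
# absent from these answers cannot be located by clients. Returns the missing pairs.
function Get-MissingDcSrvRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $dcs      = Get-ADDomainController -Filter * -Server $Domain
    $srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain"
    $missing  = @()
    foreach ($srv in $srvNames) {
        $targets = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'SRV' } |
                     ForEach-Object { $_.NameTarget.TrimEnd('.') })
        foreach ($dc in $dcs) {
            if ($targets -notcontains $dc.HostName) {
                $missing += [pscustomobject]@{ DC = $dc.HostName; Record = $srv }
            }
        }
    }
    return $missing
}

# Question 7: re-register by restarting Netlogon on the affected DC (nltest /dsregdns
# does the same without a service restart). -WhatIf keeps this a dry run.
function Repair-DcSrvRecords {
    param([Parameter(Mandatory)][string[]]$DcHostNames)
    foreach ($dc in ($DcHostNames | Select-Object -Unique)) {
        Invoke-Command -ComputerName $dc -ScriptBlock { Restart-Service -Name Netlogon -WhatIf }
    }
}

# Questions 9-11: compare each DC's last successful inbound replication per partner with
# the forest tombstone lifetime. A DC that has not replicated for longer than the
# tombstone lifetime must be rebuilt, not reconnected, or it reintroduces deleted objects.
function Get-ReplicationRisk {
    param([Parameter(Mandatory)][string]$Domain)
    $cfgNc = (Get-ADRootDSE -Server $Domain).configurationNamingContext
    $ds    = Get-ADObject -Server $Domain -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" -Properties tombstoneLifetime
    $tsl   = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }  # attribute unset = 60-day default

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue
        foreach ($p in $meta) {
            $days = ((Get-Date) - $p.LastReplicationSuccess).TotalDays
            if ($days -ge $tsl) {
                $status = 'PAST TOMBSTONE LIFETIME - rebuild this DC'
            }
            elseif ($days -ge $tsl / 2) {
                $status = 'WARNING'
            }
            else {
                $status = 'OK'
            }
            [pscustomobject]@{
                DC               = $dc.HostName
                Partner          = $p.Partner
                DaysSinceSuccess = [math]::Round($days, 1)
                Failures         = $p.ConsecutiveReplicationFailures
                TombstoneDays    = $tsl
                Status           = $status
            }
        }
    }
}

$domain  = (Get-ADDomain).DNSRoot
$missing = Get-MissingDcSrvRecords -Domain $domain
$missing | Format-Table -AutoSize
if ($missing) { Repair-DcSrvRecords -DcHostNames $missing.DC }
Get-ReplicationRisk -Domain $domain | Format-Table -AutoSize
# The classic tools from the answers still apply alongside this: dcdiag /q and repadmin /replsummary *
```

The tombstone comparison is the check that turns question 11 from trivia into practice: the answer’s “rebuild the DC” is only safe to skip while DaysSinceSuccess is comfortably below TombstoneDays, and the WARNING band at half the lifetime gives time to fix the replication failure before a rebuild becomes the only option.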

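The forced-removal cleanup from question 12 as a PowerShell script, added here and not part of the original post. It assumes the failed DC is DC02 in site HQ of the domain corp.example (all placeholders), that it runs from a healthy DC or admin workstation with the RSAT ActiveDirectory and DnsServer modules (Server 2012 / Windows 8 or later) as an Enterprise Admin, and that _msdcs records may live in their own zone. If the failed DC still boots, dcpromo /forceremoval is run on it first; the cleanup below removes its footprint from the directory either way, and any FSMO roles it held must be seized onto a survivor (ntdsutil roles) before or after this step.

```powershell
# Added example, not from the original post. All values below are placeholders.
param(
    [string]$DeadDc    = 'DC02',
    [string]$Site      = 'HQ',
    [string]$Domain    = 'corp.example',
    [string]$DnsServer = 'DC01.corp.example'   # a surviving DC running ADi DNS
)
Import-Module ActiveDirectory
Import-Module DnsServer

$cfgNc    = (Get-ADRootDSE -Server $Domain).configurationNamingContext
$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$cfgNc"
$deadFqdn = "$DeadDc.$Domain"

# Metadata cleanup (step 4 of the answer) comes first because it is what the directory
# cares about: it drops the NTDS Settings object, the replication links and any FSMO
# references to the dead DC. ntdsutil accepts its menu commands as arguments.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# Step 2: remove the server object from AD Sites and Services if cleanup left it behind.
try   { $server = Get-ADObject -Identity $serverDn -Server $Domain }
catch { $server = $null }
if ($server) { Remove-ADObject -Identity $serverDn -Recursive -Confirm:$false -Server $Domain }

# Step 3: delete the A record, the GUID CNAME in _msdcs and every SRV record that still
# points at the dead DC; otherwise clients keep being referred to a host that never answers.
$deadPattern = '^' + [regex]::Escape($deadFqdn) + '\.?$'
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq $DeadDc } |
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -Force
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType CName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.HostNameAlias -match $deadPattern } |
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -Force
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -match $deadPattern } |
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -Force
}

# Verify: neither the DC list nor the Sites container should still mention the dead DC.
nltest "/dclist:$Domain"
Get-ADObject -SearchBase "CN=Sites,$cfgNc" -Filter "Name -eq '$DeadDc'" -Server $Domain
```

The order matters: the page lists the ntdsutil cleanup last, but leaving stale NTDS Settings in place while deleting DNS records only hides the dead replication partner from the KCC, so the directory cleanup is done first and the DNS cleanup stops clients from being referred to it afterwards.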
There are a number of considerations that should be taken into account when looking for new Active Directory engineers, covering soft skills as well as technical ones. Of course, a list like this can never be complete and would have to be tailored on a case-by-case basis, but it should act as a guide for the careful interviewer.