Active Directory Tutorial for Beginners
In this Active Directory for beginners tutorial, we will show you how to install, how to configure and how to use Active Directory. You can also get this Active Directory eBook PDF by providing your email address and the AD tutorial will be emailed to you.
What is Active Directory?
Let's start this Active Directory tutorial by defining what exactly Active Directory is. Microsoft Active Directory (AD) is a core component of the Server operating system. It is a directory (database) and set of services that enable secure access to resources in a networked Windows environment. Other types of environments have different directory services; for instance, OpenLDAP is used in various Unix/Linux environments.
Benefits of Active Directory
Active Directory offers a wide range of benefits for organizations of all sizes, so it is a fundamental component of many IT infrastructures. Below are some of the key benefits of using Active Directory:
- Active Directory provides centralized authentication and authorization services that enable users to log in to the network and access the resources that administrators have granted them access permissions for.
- Active Directory supports single sign-on (SSO), which allows users to access multiple resources across the network without having to log in separately to each resource.
- AD includes Group Policy, which allows administrators to define and enforce security settings, configurations and policies across multiple computers and users within the network.
- Active Directory serves as a central repository for managing network resources such as users, groups, computers, printers and network devices.
- AD stores information about network objects such as users, groups, computers and printers in a structured hierarchical database.
- Active Directory provides security features such as encryption, access controls and auditing to protect sensitive information and ensure compliance with security standards.
- Active Directory is designed to scale with the growth of an organization, supporting thousands or even millions of users, computers, groups and other objects within a single directory.
- Active Directory seamlessly integrates with other Microsoft products and services, such as Microsoft Exchange Server, SharePoint, Microsoft 365 (formerly Office 365) and Azure services, providing a unified identity and access management solution across the Microsoft ecosystem.
What Does Active Directory Do?
Services that AD provides or supports include:
- Authentication — Active Directory provides authentication, which is the process of verifying that users are who they claim to be. Active Directory supports single sign-on, allowing users to authenticate once and then access multiple resources across the network.
- Authorization — Active Directory also manages authorization, which is the process of determining whether to allow a user to access requested resources using criteria such as their roles and security group membership.
- Resource management — Active Directory serves as a central repository for managing network resources such as computers, servers, printers and network devices. It allows administrators to organize these resources into logical groupings, making it easier to manage and allocate resources within the network.
- Group Policy — AD includes Group Policy, which enables administrators to define and enforce security policies, settings and configurations across multiple computers and users within the network. This ensures consistency in configurations and helps enforce security standards.
- Directory services — Active Directory stores information about network objects such as users, groups, computers and printers in a structured hierarchical database called the directory. This directory service provides a scalable and efficient way to organize and access information about network resources.
- LDAP — Active Directory supports the Lightweight Directory Access Protocol (LDAP), which provides a standard method for accessing and querying directory data. LDAP enables applications and services to interact with the directory for authentication, information retrieval and other purposes.
- DNS — Active Directory integrates with the Domain Name System (DNS) to provide name resolution services within the network. DNS enables users and computers to locate domain controllers and other network resources using friendly names (such as host names) rather than IP addresses.
- Trust relationships — Active Directory supports trust relationships between domains to enable users and resources in one domain to access resources in another domain. Trust relationships are automatically established between all domains in a forest, which enables users to seamlessly access resources across domains. Administrators can also establish external trusts to enable users in one Active Directory domain to access resources in another domain in a different forest. Trusts can be one-way or two-way. With a one-way trust, users in one domain can access resources in another domain, but the reverse is not true. In a two-way trust, users in both domains can access resources in the other domain. For example, an external two-way trust might be established between partner organizations to facilitate collaboration. Both types of trusts can be transitive or non-transitive. A non-transitive trust is limited to the specific domains involved. A transitive trust allows access to resources in other trusted domains in the same forest. For example, suppose there is a transitive trust between Domain A and Domain B. If Domain B trusts Domain C, then Domain A also trusts Domain C.
- Replication — Active Directory uses multi-master replication to ensure that directory data is synchronized across all domain controllers within the domain. Replication ensures data consistency and fault tolerance, allowing users to access directory information even if some domain controllers are unavailable.
Active Directory has a hierarchical structure with the following components:
- Forest — The forest is the top-level container in Active Directory and a security boundary. It contains one or more domains, which all share a common schema, configurations and global catalog. The first domain created in the forest is the forest root domain; domains added to the forest later are called child domains. Organizations typically have a single forest, but they can have more.
- Tree — A tree is a hierarchical structure within an AD forest that consists of one or more domains arranged in a contiguous namespace. The root domain of the tree is the first domain created within the tree. Subdomains created under the root domain are called child domains, and additional child domains can be created under these child domains, forming a hierarchical tree structure. Domains within the same tree share a contiguous namespace and are connected by transitive trust relationships, allowing users and resources to access resources across domains within the same tree.
- Domain — A domain is a group of users, computers and other objects that are stored in a single Active Directory database and can be managed together. Each domain has its own security policies, trust relationships and domain controllers. For example, an organization might have a domain for each of its locations, which is managed by the local IT team.
- Organizational unit (OU) — Organizational units are containers within a domain that are used to organize and manage subsets of AD objects in that domain. For instance, the domain for a company’s San Francisco branch might have OUs for each department there, such as Sales and Finance.
- AD object — Active Directory objects include user accounts, computer accounts, and security and distribution groups. Each AD object has a set of attributes. For example, the attributes of a user account include its username, password, contact information, roles and groups.
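The hierarchy and trust concepts above can be inspected directly with the ActiveDirectory PowerShell module. The following script is an added example, not code from the tutorial; it assumes a domain-joined session with the RSAT ActiveDirectory module available and read access to the directory, and it walks the forest from the root domain down to each domain's OUs, then lists each trust with its direction and whether it is transitive.

```powershell
# Added example (not from the tutorial): inventory the AD forest, tree, domain and OU
# hierarchy, then the trusts seen from each domain. Requires the RSAT ActiveDirectory
# module and read access to the directory; no parameters or placeholders are needed.
Import-Module ActiveDirectory -ErrorAction Stop

$forest = Get-ADForest
Write-Host "Forest root domain : $($forest.RootDomain)"
Write-Host "Forest mode        : $($forest.ForestMode)"
Write-Host "Global catalogs    : $($forest.GlobalCatalogs -join ', ')"

# Every domain in the forest: its parent (tree root if none), child domains and DCs.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $parent = if ($domain.ParentDomain) { $domain.ParentDomain } else { '<tree root>' }
    Write-Host "`nDomain   : $($domain.DNSRoot)  (NetBIOS: $($domain.NetBIOSName))"
    Write-Host "  Parent   : $parent"
    Write-Host "  Children : $($domain.ChildDomains -join ', ')"
    Write-Host "  DCs      : $($domain.ReplicaDirectoryServers -join ', ')"

    # Organizational units; sorting by DN makes the nesting visible.
    Get-ADOrganizationalUnit -Filter * -Server $domain.DNSRoot |
        Sort-Object DistinguishedName |
        ForEach-Object { Write-Host "  OU       : $($_.DistinguishedName)" }

    # Trusts from this domain's point of view. Direction is Inbound, Outbound or
    # BiDirectional; transitivity follows from the trust kind, as described above.
    Get-ADTrust -Filter * -Server $domain.DNSRoot | ForEach-Object {
        $kind = if ($_.IntraForest)          { 'intra-forest (transitive)' }
                elseif ($_.ForestTransitive) { 'forest trust (transitive)' }
                else                         { 'external (non-transitive)' }
        Write-Host ("  Trust    : {0} -> {1}  direction={2}  {3}" -f `
            $domain.DNSRoot, $_.Name, $_.Direction, $kind)
    }
}
```

Run it from an elevated or ordinary domain user session; it only reads the directory. The trust output is worth reviewing periodically, since an unexpected bidirectional or forest trust widens the set of accounts that can reach your resources.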
Active Directory Domain Controllers
Each domain has one or more domain controllers. DCs are the servers that store the Active Directory database and provide directory services like authentication and authorization. All domain controllers run the Windows Server operating system.
If a domain has multiple DCs, changes to the AD database on one DC are replicated to the others. This redundancy provides fault tolerance in case a DC experiences problems.
How to Stand Up a Domain Controller
To create a domain controller, you need to perform two steps:
- Install the Active Directory Domain Services (AD DS) role to a Windows Server machine.
- Promote the server to domain controller.
Install the Active Directory Domain Services Role on a Windows Server
- Log in to the Windows Server using an account with administrative privileges. Open Server Manager by either clicking on the Server Manager icon in the taskbar or by searching for "Server Manager" in the Start menu.
- In the top menu, click Manage and select Add Roles and Features.
- In the Add Roles and Features Wizard, select Role-based or feature-based installation and click Next.
- Ensure that the correct server is selected and click Next.
- On the “Select server roles” page, click Active Directory Domain Services. In the pop-up window, click Add Features.
- On the “Select features” page, do not select any additional features. Click Next.
- On the “Active Directory Domain Services” page, review the information and click Next.
- Review your installation selections and click Install.
- Wait for the installation process to complete, which may take a few minutes. Then click Close to exit the wizard.
- When the installation is complete, a notification will appear in the Server Manager. In the notification click Promote this server to a domain controller.
- The Active Directory Domain Services Configuration Wizard will open. First, specify whether you want to add a domain controller to an existing domain, add a new domain to an existing forest or add a new forest. For this example, select Add a new forest, enter a name for the root domain and click Next.
- Select the functional levels for the forest and its root domain, add capabilities like DNS, and set the Directory Services Restore Mode (DSRM) password. Click Next to continue.
- If you selected the DNS option, the “DNS Options” page may display a warning. Since we are creating a new forest, we can safely ignore this warning. Click Next to continue.
- The wizard will search the network on the domain and assign a NetBIOS domain name automatically. You can change it if required. Click Next to continue.
- On the “Paths” page, specify the location of the AD DS database, log files and SYSVOL files. You can change the default location provided. In large environments, it is recommended to keep them on a separate drive so they can be used to restore Active Directory if the system drive gets corrupted. Click Next to continue.
- Review the summary of your selections and click Next.
- The wizard will check that the computer meets the prerequisites. Once you see a confirmation that the computer has passed, click Install.
- Once the installation completes, the server will automatically restart. After the restart, the server will be a domain controller with Active Directory Domain Services installed.
- To verify that the domain structure has been created, open Server Manager, click Tools, and click Active Directory Users and Computers.
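The same two steps, role installation and promotion to the first domain controller of a new forest, can be scripted instead of clicked through. The script below is an added example and not the tutorial's own code; the domain name, NetBIOS name and data-drive letter are placeholders, and it must run in an elevated PowerShell session on the server being promoted.

```powershell
# Added example (not the tutorial's own code): install the AD DS role and promote the
# server to the first DC of a new forest, mirroring the wizard steps above.
# Placeholders: $DomainName, $NetbiosName and $DataDrive are chosen for this example.
$DomainName  = 'corp.example.local'   # placeholder forest root domain name
$NetbiosName = 'CORP'                 # placeholder NetBIOS domain name
$DataDrive   = 'D:'                   # separate drive for NTDS/SYSVOL, as recommended above

# Step 1: install the AD DS role together with the management tools used to verify it.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password protects offline access to the directory database; prompt for it
# instead of embedding it in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Step 2a: run the same prerequisite checks the wizard performs before committing.
$check = Test-ADDSForestInstallation -DomainName $DomainName `
            -SafeModeAdministratorPassword $dsrmPassword -InstallDns
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Prerequisite check failed; not promoting this server.'
}

# Step 2b: promote. -InstallDns adds the DNS role (the "add capabilities like DNS"
# step), the functional levels match the wizard's defaults for Windows Server 2016+,
# and -NoRebootOnCompletion lets you read the output before restarting.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPassword `
    -DatabasePath "$DataDrive\NTDS" `
    -LogPath "$DataDrive\NTDS" `
    -SysvolPath "$DataDrive\SYSVOL" `
    -NoRebootOnCompletion `
    -Force

Restart-Computer
```

After the restart, `Get-ADDomainController -Discover` and `Get-ADDomain` confirm that the server is now a DC for the new forest root domain, which is the command-line equivalent of opening Active Directory Users and Computers in the last step.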
To manage Active Directory, you need to install administrative tools on a client machine. To install RSAT on Windows 11, follow these steps:
- Open Settings, click Apps in the left sidebar, and then click Optional features.
- Click View features.
- Search for “RSAT” (or simply scroll down) and check the box next to RSAT: Active Directory Domain Services and Lightweight Directory Services Tools. Then click Next.
- Click the Install button to begin the installation process.
- Wait for the installation to complete. This may take a few minutes. Once your computer has restarted, you can verify that RSAT has been installed by searching for any of the RSAT tools, such as Active Directory Users and Computers, from the Start menu.
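The RSAT installation can also be done from an elevated PowerShell session on the Windows 11 client. This is an added example rather than the tutorial's own code; it uses the Windows capability name for the AD DS and LDS tools and then checks that the ActiveDirectory module can reach a domain controller.

```powershell
# Added example (not the tutorial's own): install the RSAT AD DS/LDS tools on a
# domain-joined Windows 11 client, then verify the ActiveDirectory module works.
# Run from an elevated PowerShell session; the capability name is Microsoft's.
$capability = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

$state = (Get-WindowsCapability -Online -Name $capability).State
if ($state -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability | Out-Null
    Write-Host "Installed $capability"
} else {
    Write-Host "$capability already installed"
}

# Sanity check: the module loads and the client can discover a DC that offers the
# Active Directory Web Services endpoint the module relies on.
Import-Module ActiveDirectory -ErrorAction Stop
Get-ADDomainController -Discover -Service ADWS | Select-Object Name, Domain, Site
```

If `Add-WindowsCapability` fails with a download error, the client is usually blocked from reaching Windows Update; the same cmdlet accepts a `-Source` path to a local Features on Demand share in that case.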
Active Directory provides logging features for maintaining the security, integrity and performance of your directory service. Monitoring these events using a tool like Windows Event Viewer helps you detect suspicious activity so you can promptly troubleshoot issues and respond to security breaches. Below are some common events to look for.
User Account Management
- Account creation: Event ID 4720
- Account deletion: Event ID 4726
- Account enabled/disabled: Event IDs 4722, 4725
- Password changes/reset: Event IDs 4723, 4724, 4725
- Account lockouts: Event ID 4740
- Group creation/deletion: Event IDs 4727, 4731
- Group membership changes: Event IDs 4728, 4729, 4732, 4733
- Replication success/failure: Event IDs 4928, 4929, 4932, 4933
- Domain controller/systems startup/shutdown: Event IDs 6005, 6006, 6008, 1074
- Directory service access: Event IDs 2889, 2887
- Successful logons: Event IDs 4624, 4648, 4768
- Failed logons: Event ID 4625
- Privileged access: Event ID 4672
- LDAP modifications: Event IDs 5136, 5137, 5138
- Schema changes: Event ID 5139
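Rather than clicking through Event Viewer, the Security-log events listed above can be pulled from a domain controller and summarised in one pass. The script below is an added example, not part of the tutorial; the DC hostname is a placeholder, each event ID is mapped to one category taken from the list above, and the lockout and group-membership events are expanded so the acting account and target are visible.

```powershell
# Added example (not the tutorial's own code): collect the Security-log event IDs
# listed above from a DC for the last 24 hours, count them per category, then show
# the details of lockouts and group-membership changes. $DC is a placeholder name.
$DC    = 'dc01.corp.example.local'   # placeholder; use a real domain controller
$Since = (Get-Date).AddHours(-24)

# Event IDs from the list above, grouped by category (each ID appears once).
$Categories = @{
    'Account created/deleted'  = 4720, 4726
    'Account enabled/disabled' = 4722, 4725
    'Password change/reset'    = 4723, 4724
    'Account lockout'          = 4740
    'Group created/deleted'    = 4727, 4731
    'Group membership change'  = 4728, 4729, 4732, 4733
    'Replication'              = 4928, 4929, 4932, 4933
    'Successful logon'         = 4624, 4648, 4768
    'Failed logon'             = 4625
    'Privileged logon'         = 4672
    'Directory object change'  = 5136, 5137, 5138, 5139
}

# Reverse lookup: event ID -> category name, used for both the filter and grouping.
$IdToCategory = @{}
foreach ($cat in $Categories.Keys) {
    foreach ($id in $Categories[$cat]) { $IdToCategory[[int]$id] = $cat }
}

$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$IdToCategory.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Volume per category; a sudden jump in lockouts or membership changes stands out here.
$events | Group-Object { $IdToCategory[$_.Id] } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Detail for lockouts (4740) and additions to global/local security groups
# (4728, 4732): who acted, which account or group was affected, and which member
# was added, read from the event's EventData XML.
$events | Where-Object { $_.Id -in 4740, 4728, 4732 } | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Subject = $data['SubjectUserName']
        Target  = $data['TargetUserName']
        Member  = $data['MemberName']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The startup/shutdown IDs (6005, 6006, 6008, 1074) live in the System log and the LDAP signing events (2887, 2889) in the Directory Service log, so query those with `LogName = 'System'` and `LogName = 'Directory Service'` respectively; the filter hashtable and grouping logic stay the same.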