Complete Active Directory Guide: Tutorial for Beginners & Administrators [2026]
Active Directory (AD) is Microsoft’s directory service that manages users, computers, and resources in Windows domains. This comprehensive guide covers everything from basic concepts to advanced administration, helping you master Active Directory for enterprise environments.
Whether you’re a beginner learning Active Directory for the first time or an experienced administrator looking to deepen your knowledge, this guide provides practical insights, real-world examples, and best practices for managing Active Directory environments.
Table of Contents
- Introduction to Active Directory
- What is Active Directory?
- Active Directory Architecture
- Core Components Deep Dive
- Installing Active Directory
- User & Computer Management
- Group Management
- Organizational Units (OUs)
- Group Policy Management
- Security & Permissions
- Active Directory Replication
- Sites and Services
- Backup & Recovery
- Monitoring & Troubleshooting
- Advanced Topics
- Best Practices
- Common Issues & Solutions
- Frequently Asked Questions
- Additional Resources
Introduction to Active Directory
Active Directory (AD) is the cornerstone of Windows-based enterprise networks, providing centralized authentication, authorization, and management of network resources. Since its introduction with Windows 2000 Server, Active Directory has evolved into a comprehensive identity and access management solution used by organizations worldwide.
Why Learn Active Directory?
Understanding Active Directory is essential for:
- IT Administrators: Managing users, computers, and network resources
- System Engineers: Designing and implementing enterprise infrastructure
- Security Professionals: Implementing access controls and security policies
- DevOps Engineers: Automating user provisioning and infrastructure management
- IT Support Staff: Troubleshooting authentication and access issues
What You’ll Learn
This guide covers:
- ✅ Active Directory fundamentals and architecture
- ✅ Domain Controllers and forest/domain structures
- ✅ User, computer, and group management
- ✅ Group Policy Objects (GPOs) and policy management
- ✅ Active Directory security and permissions (ACLs, delegation)
- ✅ Replication, sites, and multi-location management
- ✅ Backup, recovery, and disaster preparedness
- ✅ Monitoring, troubleshooting, and performance optimization
- ✅ Integration with Azure AD and hybrid scenarios
- ✅ PowerShell automation for AD management
What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It provides a centralized location for network administration and security, allowing administrators to manage users, computers, groups, network resources, file shares, group policies, and more from a single location.
Key Functions of Active Directory
- Authentication: Verifies user identities, using Kerberos by default and NTLM as a fallback
- Authorization: Controls what resources users can access
- Directory Services: Stores information about network objects
- Centralized Management: Manage user, groups, and resources from a central location
- Policy Enforcement: Applies security and configuration policies via Group Policy
- Replication: Ensures data consistency across multiple domain controllers
Active Directory vs. Azure Active Directory (now Microsoft Entra ID)
| Feature | Active Directory (AD DS) | Azure Active Directory (Microsoft Entra ID) |
|---|---|---|
| Location | On-premises | Cloud-based |
| Authentication | Kerberos, NTLM | OAuth 2.0, SAML, OpenID Connect |
| Primary Use | Windows networks | SaaS applications, Microsoft 365 |
| Management | Windows Server | Azure Portal |
| Objects | Users, computers, OUs, GPOs | Users, groups, applications |
| Integration | Traditional Windows apps | Modern web applications |
Note: Many organizations run both in a hybrid configuration, synchronizing on-premises AD with Entra ID using Azure AD Connect (now Microsoft Entra Connect). The sync server and the connector account it uses are Tier 0 assets: with password hash sync enabled the account holds directory-replication rights, so a compromise of either yields password hashes for the whole domain. Harden and monitor it as you would a domain controller.
Business Benefits
- Centralized User Management: Single source of truth for user accounts
- Enhanced Security: Centralized security policies and access controls
- Single Sign-On (SSO): Users log in once to access all resources
- Scalability: Supports organizations from a handful of users to hundreds of thousands, spread across many sites
- Disaster Recovery: Built-in replication and backup capabilities
- Compliance: Helps meet regulatory requirements (HIPAA, SOC 2, GDPR)
Active Directory Architecture
Active Directory uses a hierarchical, multi-tiered architecture designed for scalability and manageability. Understanding this architecture is crucial for designing and managing AD environments.
Logical Structure
Active Directory’s logical structure is independent of physical network topology, allowing flexible organization of network resources.
Forests
A forest is the top-level container in Active Directory. It represents a complete instance of Active Directory and defines the security boundary.
Key Characteristics:
- Contains one or more domains
- Shares a common schema
- Shares a common configuration container
- Shares a common Global Catalog
- Automatically establishes two-way transitive trust relationships between domains
Example Use Case: A multinational corporation might have a single forest with multiple domains for different geographic regions (americas.contoso.com, europe.contoso.com, asia.contoso.com).
Domains
A domain is the core administrative unit in Active Directory. It represents a logical group of network objects (users, computers, groups) that share a common directory database.
Key Characteristics:
- Has a unique DNS name (e.g., contoso.com)
- Contains its own security policies
- Managed by Domain Controllers
- Can contain thousands to millions of objects
- Replicates data only within the domain (except Global Catalog data)
Naming Convention: Domains follow DNS naming standards:
- Single domain: contoso.com
- Child domains: sales.contoso.com, hr.contoso.com
- Tree domains: fabrikam.com (different namespace in the same forest)
Organizational Units (OUs)
Organizational Units are containers within a domain used to organize objects logically. OUs are the smallest scope to which Group Policy Objects (GPOs) can be applied.
Common OU Structures:
contoso.com
├── Domain Controllers (default OU)
├── Users (by department)
│ ├── Sales
│ ├── Marketing
│ ├── IT
│ └── Finance
├── Computers (by type)
│ ├── Workstations
│ ├── Laptops
│ ├── Servers
│ └── Virtual Machines
├── Groups
│ ├── Security Groups
│ └── Distribution Groups
└── Service Accounts
Benefits of OUs:
- Delegate administrative control
- Apply Group Policies to specific sets of objects
- Organize objects logically (mirrors organizational structure)
- Simplify management and reporting
Trees
A tree is a collection of one or more domains that share a contiguous namespace. Domains in a tree have an established trust hierarchy.
Example:
contoso.com (parent domain)
├── sales.contoso.com (child domain)
├── marketing.contoso.com (child domain)
└── hr.contoso.com (child domain)
All child domains automatically trust the parent domain (and vice versa) through transitive trust relationships.
Physical Structure
The physical structure defines how data is stored and replicated across the network.
Domain Controllers (DCs)
Domain Controllers are servers running Active Directory Domain Services (AD DS) that authenticate and authorize users and computers.
Key Functions:
- Store a copy of the Active Directory database (NTDS.DIT)
- Authenticate user logons and verify credentials
- Process security policy enforcement
- Replicate changes to other domain controllers
- Respond to LDAP queries from clients
Multi-Master Replication: All domain controllers are writable (unlike older systems with primary/backup models). Changes made on any DC replicate to all other DCs.
Types of Domain Controllers:
- Regular DC: Standard domain controller with full read/write capabilities
- Global Catalog Server: Holds partial replica of all domains in the forest
- Read-Only Domain Controller (RODC): Read-only copy, typically for branch offices
- Primary Domain Controller (PDC) Emulator: FSMO role holder (see Advanced Topics)
Recommended Number:
- Minimum: 2 DCs per domain (for redundancy)
- Branch offices: Consider RODC
- Large sites: 1 DC per 5,000-10,000 users
Sites
Sites represent physical locations with good network connectivity. Sites help optimize replication and client authentication.
Purpose:
- Control replication traffic between locations
- Direct clients to nearest domain controller
- Optimize bandwidth usage for WAN links
- Configure replication schedules
Example Site Structure:
Forest: contoso.com
├── Site: HeadOffice (New York)
│ ├── Subnet: 10.1.0.0/16
│ └── Domain Controllers: DC01, DC02
├── Site: BranchOffice-LA (Los Angeles)
│ ├── Subnet: 10.2.0.0/16
│ └── Domain Controller: DC03
└── Site: BranchOffice-Chicago (Chicago)
├── Subnet: 10.3.0.0/16
└── Domain Controller: DC04
Site Links
Site links define the connections between sites and control replication traffic.
Configuration Options:
- Cost: Lower cost = preferred path (default: 100)
- Replication Interval: How often replication occurs (default: 180 minutes)
- Schedule: When replication is allowed (default: always)
- Transport: IP (default) or SMTP (rarely used)
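To make the three-site layout above concrete, here is an added PowerShell example (not code from the original page) that builds it with the ActiveDirectory module: sites, subnets, DC placement, and hub-and-spoke site links with an explicit cost and interval. The site, subnet and DC names are the ones sketched above; the 15-minute interval and the change-notification bit are assumptions to tune per WAN link.

```powershell
# Added example (not from the original page): build the HeadOffice / LA / Chicago topology
# sketched above. Requires the ActiveDirectory module and Enterprise Admin rights; the
# 15-minute interval and change notification are assumptions to tune per WAN link.
Import-Module ActiveDirectory

$Sites = @(
    @{ Name = 'HeadOffice';           Subnet = '10.1.0.0/16'; Location = 'New York';    DCs = 'DC01', 'DC02' }
    @{ Name = 'BranchOffice-LA';      Subnet = '10.2.0.0/16'; Location = 'Los Angeles'; DCs = 'DC03' }
    @{ Name = 'BranchOffice-Chicago'; Subnet = '10.3.0.0/16'; Location = 'Chicago';     DCs = 'DC04' }
)

foreach ($s in $Sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }
    # A client whose IP matches no subnet may authenticate against any DC in the forest,
    # so every routed subnet should be mapped to a site.
    New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name -Location $s.Location
    foreach ($dc in $s.DCs) {
        Move-ADDirectoryServer -Identity $dc -Site $s.Name
    }
}

# Hub-and-spoke links. Cost picks the preferred path when several exist; the interval caps
# replication latency (default 180 minutes) and therefore how long an account disable or a
# group change takes to reach a branch DC.
foreach ($branch in 'BranchOffice-LA', 'BranchOffice-Chicago') {
    $link = New-ADReplicationSiteLink -Name "HeadOffice-$branch" `
        -SitesIncluded 'HeadOffice', $branch `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP `
        -PassThru
    # options bit 0x1 (USE_NOTIFY): replicate on change rather than waiting for the interval;
    # fine on well-provisioned WAN links, leave it off where bandwidth is the constraint.
    Set-ADReplicationSiteLink -Identity $link -Replace @{ options = 1 }
}

# Show what the KCC will build from; compare with repadmin /showrepl after the next KCC run.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Once every site sits on an explicit link, take HeadOffice out of DEFAULTIPSITELINK (or delete that link) so the KCC has no catch-all path left to route through.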
Active Directory Database
The Active Directory database is stored in the NTDS.DIT file on each domain controller.
Location: C:\Windows\NTDS\ntds.dit (default)
Components:
- Data Table: Stores all directory objects (users, computers, groups, OUs)
- Link Table: Stores multi-valued attributes (group memberships)
- Security Descriptor Table: Stores Access Control Lists (ACLs)
Database Size: Grows based on number of objects:
- Small organization (500 users): ~100-500 MB
- Medium organization (5,000 users): ~1-3 GB
- Large organization (50,000+ users): ~10-50 GB
Maintenance:
- Online defragmentation (automatic; runs after garbage collection, every 12 hours by default)
- Offline defragmentation (manual, via ntdsutil in DSRM or with AD DS stopped; the only way to return space to the file system)
- Tombstone cleanup (garbage collection purges tombstones once the tombstone lifetime expires: 180 days by default in forests created on Windows Server 2003 SP1 or later, 60 days in older ones; a DC that has been offline longer than this must not be reconnected, or it reintroduces lingering objects)
Active Directory Schema
The schema defines the types of objects and their attributes that can be stored in Active Directory.
Schema Components:
- Classes: Define object types (user, computer, group)
- Attributes: Define properties of objects (name, email, department)
Examples:
User Class Attributes:
- sAMAccountName (username)
- givenName (first name)
- sn (surname)
- mail (email address)
- memberOf (group memberships)
- userAccountControl (account status)
Schema Extensions:
- Add new attributes or classes
- Required for some applications (Exchange, Lync/Skype)
- Caution: Schema changes are forest-wide and cannot be easily reversed
Core Components Deep Dive
Let’s explore the essential components that make Active Directory function.
LDAP (Lightweight Directory Access Protocol)
LDAP is the protocol used to query and modify Active Directory.
LDAP Ports:
- 389: LDAP. Cleartext unless StartTLS or SASL (Kerberos) signing and sealing is negotiated; enforce "Domain controller: LDAP server signing requirements = Require signing" so unsigned simple binds are refused
- 636: LDAPS (LDAP over TLS); pair it with LDAP channel binding (LdapEnforceChannelBinding) so a TLS bind cannot be relayed
- 3268: Global Catalog
- 3269: Global Catalog over SSL
LDAP Distinguished Name (DN) Format:
CN=John Doe,OU=Users,OU=Sales,DC=contoso,DC=com
Components:
- CN: Common Name (object name)
- OU: Organizational Unit
- DC: Domain Component
LDAP Query Examples:
Finding a user (objectCategory=person is included because computer objects also carry objectClass=user):
(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))
Finding all users in an OU: an LDAP filter cannot see the container an object lives in (the ou attribute is not populated on user objects, so (ou=Sales) matches nothing). Scope the search instead: base DN OU=Sales,OU=Users,DC=contoso,DC=com, scope subtree, filter
(&(objectCategory=person)(objectClass=user))
Finding disabled accounts (bitwise AND of userAccountControl against 0x2 = ACCOUNTDISABLE; the matching rule OID tests that all bits of the value are set):
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
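To run such filters from PowerShell, here is an added example (not code from the original page) using the ActiveDirectory module. It keeps the page's contoso.com layout and the jdoe account as assumptions, scopes the OU search with -SearchBase instead of a filter, and decodes userAccountControl so the bitwise matching rule can be reused for other security-relevant bits (blank password allowed, pre-authentication disabled, unconstrained delegation).

```powershell
# Added example (not from the original page): LDAP filters via the ActiveDirectory module,
# with a userAccountControl decoder. Assumes RSAT and the contoso.com layout used on this page.
Import-Module ActiveDirectory

# Well-known userAccountControl bits (subset). The LDAP bitwise-AND matching rule
# 1.2.840.113556.1.4.803 tests whether ALL bits in the value are set.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002
    PASSWD_NOTREQD                 = 0x0000020   # blank password allowed
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
    DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition
}

function ConvertFrom-UserAccountControl {
    # Returns the names of the flags set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object Name
}

# 1. One account by sAMAccountName (objectCategory=person excludes computer objects,
#    which also carry objectClass=user).
Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))'

# 2. All users in an OU: the filter cannot see the container, so scope the search instead.
Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
    -SearchBase 'OU=Sales,OU=Users,DC=contoso,DC=com' -SearchScope Subtree

# 3. Risky flags, one query per bit, decoded for the report. The value in the filter must be
#    decimal, which is why $bit is interpolated rather than the hex literal.
foreach ($name in 'PASSWD_NOTREQD', 'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION') {
    $bit = $UacFlags[$name]
    Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$bit))" `
        -Properties userAccountControl |
        Select-Object SamAccountName,
            @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' } }
}
```

Accounts returned by the third query deserve a closer look: PASSWD_NOTREQD lets a blank password pass the domain policy, DONT_REQ_PREAUTH exposes a crackable AS-REP, and TRUSTED_FOR_DELEGATION lets a compromised host impersonate anyone who authenticates to it.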
Kerberos Authentication
Kerberos is the primary authentication protocol in Active Directory. NTLM is still supported as a fallback (for example when a client addresses a server by IP address, or no SPN matches), so "Kerberos only" is a hardening goal rather than the default.
How Kerberos Works:
- Authentication Service (AS) Request: Client requests a Ticket Granting Ticket (TGT), proving knowledge of its password-derived key (pre-authentication)
- AS Response: Key Distribution Center (KDC) issues the TGT, encrypted with the krbtgt account's key
- Ticket Granting Service (TGS) Request: Client presents the TGT and asks for a service ticket for a specific SPN
- TGS Response: KDC issues the service ticket, encrypted with the service account's key
- Application Request: Client presents the service ticket to the application
- Application Response: Application decrypts and validates the ticket and grants access (and, if mutual authentication was requested, proves its own identity to the client)
Benefits:
- Mutual authentication (the service can prove its identity to the client, not only the reverse)
- Delegated authentication (services can act on behalf of users; prefer constrained or resource-based delegation, since unconstrained delegation lets a compromised host impersonate anyone who authenticates to it)
- Passwords never cross the network; tickets are encrypted with keys derived from account passwords, unlike NTLM's challenge-response, which can be relayed and cracked offline. A service ticket is only as strong as the service account's password (Kerberoasting), so give service accounts long random passwords or use gMSAs
- Single Sign-On (SSO) capabilities
Kerberos Ports:
- 88: Kerberos authentication
- 464: Kerberos password change
Common Kerberos Issues:
- Time skew (clocks out of sync > 5 minutes)
- Missing or incorrect SPNs (Service Principal Names)
- Expired tickets
- DNS issues
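The checks below are an added PowerShell example, not code from the original page, covering the first three issues in the list: time skew against a DC, duplicate SPNs, and a missing SPN. It assumes the ActiveDirectory module and a DC named DC01.contoso.com; the HTTP/intranet SPN is a placeholder.

```powershell
# Added example (not from the original page): quick checks for the most common Kerberos
# failures listed above. Assumes the ActiveDirectory module and a DC named DC01.contoso.com;
# the HTTP/intranet.contoso.com SPN is a placeholder.
Import-Module ActiveDirectory

# 1. Time skew. The KDC rejects requests whose timestamp is more than 5 minutes off
#    (KRB_AP_ERR_SKEW); the offset reported here should be well under 300 s.
w32tm /stripchart /computer:DC01.contoso.com /samples:3 /dataonly

# 2. Duplicate SPNs. When two accounts register the same SPN the KDC encrypts the service
#    ticket with whichever key it finds first, and the other service fails with
#    KRB_AP_ERR_MODIFIED. Index every SPN in the domain by owner and report collisions.
$spnOwners = @{}   # PowerShell hashtable keys are case-insensitive, like AD's SPN comparison
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $owner = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            if (-not $spnOwners.ContainsKey($spn)) { $spnOwners[$spn] = @() }
            $spnOwners[$spn] += $owner
        }
    }
$spnOwners.GetEnumerator() |
    Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { "DUPLICATE SPN $($_.Key): $($_.Value -join '; ')" }
# The built-in equivalent for the whole forest is: setspn -X

# 3. Missing SPN. Without one the client cannot request a service ticket and silently falls
#    back to NTLM, which is why "Kerberos works everywhere except this one app" is usually
#    an SPN problem.
$target = 'HTTP/intranet.contoso.com'
if (-not $spnOwners.ContainsKey($target)) {
    "No account holds $target; register it on the service account with: setspn -S $target <account>"
}

# 4. Tickets held by the current logon session. A service ticket that never appears after
#    access usually means the client used an IP address or a name no SPN covers.
klist
```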
Global Catalog
The Global Catalog is a distributed data repository containing a searchable partial representation of all objects in a multi-domain forest.
Purpose:
- Universal Group membership enumeration
- Fast cross-domain searches
- User Principal Name (UPN) authentication
- Forest-wide logon authentication
What’s Stored:
- All objects from all domains (partial attribute set)
- Full replica of objects in its own domain
- Most frequently searched attributes
Global Catalog Placement:
- First DC in forest is automatically a GC
- Best practice: Multiple GCs per site
- All DCs can be GCs in single-domain forests
GC Ports:
- 3268: Global Catalog queries
- 3269: Global Catalog over SSL
DNS Integration
DNS (Domain Name System) is critical for Active Directory operation. AD uses DNS for locating domain controllers and services.
AD-Specific DNS Records:
- _ldap._tcp.dc._msdcs.domain.com: Domain Controller LDAP services
- _kerberos._tcp.domain.com: Kerberos authentication services (KDCs)
- _gc._tcp.forestroot.com: Global Catalog servers (GC records are registered in the forest root zone, not in each child domain's zone)
DNS Requirements:
- Must support SRV records
- Must support dynamic updates (recommended)
- Must support secure dynamic updates (best practice)
Common DNS Issues:
- Missing SRV records (prevents DC location)
- Incorrect DNS server configuration on clients
- DNS scavenging removing active records
- Split-brain DNS (different internal/external views)
SYSVOL and NETLOGON
SYSVOL is a shared folder on all domain controllers containing Group Policy Objects and logon scripts.
Location: C:\Windows\SYSVOL\sysvol\domain.com
Contents:
- Group Policy templates (GPT)
- Logon/logoff scripts
- Startup/shutdown scripts
- Administrative templates
Replication:
- FRS (File Replication Service): Legacy, deprecated. Domains still on FRS must migrate SYSVOL to DFSR (dfsrmig.exe) before adding Windows Server 2019 or later DCs, which refuse to promote into an FRS-replicated domain
- DFSR (Distributed File System Replication): Current, more efficient
NETLOGON Share: \\domain.com\NETLOGON
- Used for legacy logon scripts
- Maps to SYSVOL\sysvol\domain.com\SCRIPTS
Active Directory Partitions
Active Directory data is divided into partitions (naming contexts):
- Domain Partition
  - Contains all objects in the domain
  - Replicates to all DCs in the domain
  - Example: DC=contoso,DC=com
- Configuration Partition
  - Contains forest-wide configuration data
  - Sites, site links, services
  - Replicates to all DCs in the forest
  - Example: CN=Configuration,DC=contoso,DC=com
- Schema Partition
  - Contains schema definitions
  - Replicates to all DCs in the forest
  - Example: CN=Schema,CN=Configuration,DC=contoso,DC=com
- Application Partitions (optional)
  - Custom partitions for specific applications
  - DNS zones can use application partitions (DomainDnsZones, ForestDnsZones)
  - Replication scope is configurable
Installing Active Directory
Installing Active Directory Domain Services (AD DS) transforms a Windows Server into a Domain Controller. This section covers planning, installation, and initial configuration.
Prerequisites
Before installing AD DS, ensure you meet these requirements:
Hardware Requirements (Minimum):
- Processor: 1.4 GHz 64-bit processor
- RAM: 2 GB (4 GB+ recommended for production)
- Disk Space: 32 GB (separate disk for NTDS.DIT recommended)
- Network: Static IP address configured
Software Requirements:
- Windows Server 2016, 2019, 2022, or later
- Administrator privileges
- Proper DNS configuration
- Static IP address assigned
Planning Decisions:
- Forest root domain name (e.g., contoso.com)
- Forest/domain functional level
- Domain Controller naming convention
- Site topology (for multi-location environments)
- DNS strategy (integrated vs. separate)
Installation Methods
Method 1: Using Server Manager (GUI)
Step 1: Add AD DS Role
- Open Server Manager
- Click Manage → Add Roles and Features
- Click Next through the wizard
- Select Role-based or feature-based installation
- Select your server
- Check Active Directory Domain Services
- Click Add Features when prompted
- Click Next through remaining screens
- Click Install
Step 2: Promote to Domain Controller
After role installation completes:
- Click the notification flag in Server Manager
- Click Promote this server to a domain controller
Deployment Configuration Options:
Option A: New Forest (First DC)
- Select Add a new forest
- Enter root domain name: contoso.com
- Click Next
Option B: New Domain in Existing Forest
- Select Add a new domain to an existing forest
- Choose domain type (Child or Tree)
- Provide credentials for forest admin
Option C: Additional DC in Existing Domain
- Select Add a domain controller to an existing domain
- Enter domain name: contoso.com
- Provide domain admin credentials
Step 3: Domain Controller Options
- Select forest/domain functional level. Windows Server 2016 is the highest level offered by Server 2016, 2019 and 2022 DCs (2019 and 2022 introduced no new levels); Windows Server 2025 adds a Windows Server 2025 level that requires every DC to run Server 2025.
- Check Domain Name System (DNS) server (recommended)
- Check Global Catalog (automatic for first DC)
- Enter Directory Services Restore Mode (DSRM) password
  - Critical: Store this securely! It is the local Administrator password used for offline recovery of this DC, and anyone holding it has local administrator on the DC.
Step 4: DNS Options
- If DNS delegation warning appears, it’s usually safe to ignore for first DC
- DNS delegation creates a pointer from parent DNS zone
Step 5: Additional Options
- NetBIOS domain name: Auto-populated (e.g., CONTOSO)
- Usually keep the default
Step 6: Paths
Specify locations for AD database and logs:
- Database folder: C:\Windows\NTDS (default)
- Log files folder: C:\Windows\NTDS (default)
- SYSVOL folder: C:\Windows\SYSVOL (default)
Best Practice: In production, place database and logs on separate disks for performance and reliability:
- Database: D:\NTDS\
- Logs: E:\NTDS-Logs\
- SYSVOL: F:\SYSVOL\
Step 7: Review and Install
- Review configuration summary
- Optionally View script to see PowerShell equivalent
- Click Install
- Server will automatically restart
Installation Time: 10-30 minutes depending on hardware
Method 2: Using PowerShell
PowerShell provides a faster, scriptable method for AD DS installation.
Install AD DS Role:
# Install the AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Promote to Domain Controller (New Forest):
# Create a new forest
Install-ADDSForest `
-DomainName "contoso.com" `
-DomainNetbiosName "CONTOSO" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-InstallDns:$true `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Parameters Explained:
- -DomainName: FQDN of the new forest root domain
- -DomainNetbiosName: NetBIOS name (15 characters max)
- -ForestMode / -DomainMode: Forest and domain functional level; "WinThreshold" = Windows Server 2016 (other accepted values: Win2008, Win2008R2, Win2012, Win2012R2)
- -InstallDns: Install and configure DNS
- -CreateDnsDelegation: Create a DNS delegation in the parent zone
- -Force: Suppress confirmation prompts. The DSRM password is still requested interactively unless -SafeModeAdministratorPassword is supplied
Promote to Domain Controller (Existing Domain):
# Add DC to existing domain
$credential = Get-Credential -Message "Enter Domain Admin credentials"
Install-ADDSDomainController `
-DomainName "contoso.com" `
-Credential $credential `
-InstallDns:$true `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Unattended Installation (Fully Automated):
# Set DSRM password. The inline value is a placeholder for readability only: in a real
# pipeline inject it from a vault at run time (or prompt with Read-Host -AsSecureString)
# and never commit it to a script or repository.
$DSRMPassword = ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force
# Install with stored password
Install-ADDSForest `
-DomainName "contoso.com" `
-DomainNetbiosName "CONTOSO" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-InstallDns:$true `
-SafeModeAdministratorPassword $DSRMPassword `
-Force:$true `
-NoRebootOnCompletion:$false
Post-Installation Verification
After installation and reboot, verify Active Directory is functioning correctly:
1. Verify Domain Controller Services
# Check critical AD services are running (NTDS is the directory service itself, Kdc the Kerberos KDC)
Get-Service -Name ADWS, DNS, Kdc, Netlogon, NTDS | Format-Table Name, Status, StartType
Expected output: All services should show Status: Running
2. Verify DNS Registration
# Check DC is registered in DNS
nslookup contoso.com
nslookup dc01.contoso.com
# Check SRV records
nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com
3. Verify Active Directory Replication (if multiple DCs)
# Check replication status
repadmin /replsummary
# Check replication partners
repadmin /showrepl
4. Verify SYSVOL Sharing
# Check SYSVOL share is accessible
Test-Path "\\contoso.com\SYSVOL"
Test-Path "\\contoso.com\NETLOGON"
5. Test Domain Authentication
# Verify domain functional level
Get-ADDomain | Select-Object Name, DomainMode, Forest
# Verify forest functional level
Get-ADForest | Select-Object Name, ForestMode
# List all domain controllers
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
6. Run DCDiag (Domain Controller Diagnostics)
# Comprehensive DC health check
dcdiag /v
# Quick test focusing on critical issues
dcdiag /test:DNS /test:Replications /test:SysVolCheck /test:Services
Common dcdiag tests:
- Connectivity: Network connectivity to other DCs
- DNS: DNS configuration and registration
- Replications: AD replication status
- SysVolCheck: SYSVOL share accessibility
- Services: Critical AD services running
- FrsEvent/DFSREvent: SYSVOL replication health
Functional Levels
Functional levels determine which Active Directory features are available and which Windows Server versions can be domain controllers.
Forest Functional Levels:
| Level | Released | Minimum DC OS | Key Features |
|---|---|---|---|
| Windows Server 2016 | 2016 | Server 2016 | Privileged Access Management (forest), time-based (expiring) group memberships |
| Windows Server 2012 R2 | 2013 | Server 2012 R2 | Protected Users group enforced by DCs, authentication policies and silos |
| Windows Server 2012 | 2012 | Server 2012 | KDC support for claims, compound authentication and Kerberos armoring (Dynamic Access Control) |
| Windows Server 2008 R2 | 2009 | Server 2008 R2 | AD Recycle Bin (forest), managed service accounts |
Current Recommendation: Windows Server 2016 functional level
- Highest level available from Server 2016, 2019 and 2022 DCs (2019 and 2022 added no new levels)
- Windows Server 2025 introduces a Windows Server 2025 level, usable only once every DC runs Server 2025
- Server 2016+ DCs required
Raising Functional Levels:
# Check current levels
Get-ADDomain | Select Name, DomainMode
Get-ADForest | Select Name, ForestMode
# Raise domain functional level
Set-ADDomainMode -Identity contoso.com -DomainMode Windows2016Domain
# Raise forest functional level (after all domains raised)
Set-ADForestMode -Identity contoso.com -ForestMode Windows2016Forest
Important Notes:
- ⚠️ Treat as irreversible: lowering a level is possible only in narrow cases (e.g., 2008 R2 back to 2008 while the Recycle Bin has never been enabled)
- Must raise domain level before forest level
- All DCs must run supported OS version
- Test in non-production environment first
User & Computer Management
Managing users and computers is a primary Active Directory function. This section covers creation, modification, and management best practices. PowerShell automation can significantly streamline these tasks.
User Account Management
Creating User Accounts (GUI)
Using Active Directory Users and Computers (ADUC):
- Open Active Directory Users and Computers
- Navigate to target OU (e.g., contoso.com → Users → Sales)
- Right-click → New → User
- Enter user information:
- First name: John
- Last name: Doe
- User logon name: jdoe (pre-Windows 2000: CONTOSO\jdoe)
- Click Next
- Set password and account options:
- Enter password (twice for confirmation)
- ☐ User must change password at next logon (typical for new users)
- ☐ User cannot change password
- ☐ Password never expires
- ☐ Account is disabled
- Click Next → Finish
Creating User Accounts (PowerShell)
Basic User Creation:
# Create a new user
New-ADUser `
-Name "John Doe" `
-GivenName "John" `
-Surname "Doe" `
-SamAccountName "jdoe" `
-UserPrincipalName "jdoe@contoso.com" `
-EmailAddress "john.doe@contoso.com" `
-Path "OU=Sales,OU=Users,DC=contoso,DC=com" `
-AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
-Enabled $true `
-ChangePasswordAtLogon $true `
-Department "Sales" `
-Title "Sales Representative" `
-Company "Contoso" `
-Office "New York"
Bulk User Creation from CSV:
CSV File (users.csv):
FirstName,LastName,Username,Email,Department,Title,Office
John,Doe,jdoe,john.doe@contoso.com,Sales,Sales Rep,New York
Jane,Smith,jsmith,jane.smith@contoso.com,Marketing,Marketing Manager,Los Angeles
Bob,Johnson,bjohnson,bob.johnson@contoso.com,IT,System Admin,Chicago
PowerShell Script:
# Import CSV and create users. Each account gets its own random temporary password:
# one shared "TempPass123!" for every new hire is a credential the whole rollout knows.
function New-TempPassword {
    param([int]$Length = 16)
    # 64-character alphabet (no 0/O/1/l/I look-alikes); 64 divides 256, so no modulo bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+='
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)   # CSPRNG, not Get-Random
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}
Import-Csv "C:\users.csv" | ForEach-Object {
    $row      = $_
    $Plain    = New-TempPassword
    $Password = ConvertTo-SecureString $Plain -AsPlainText -Force
    $UPN      = $row.Username + "@contoso.com"
    try {
        New-ADUser `
            -Name "$($row.FirstName) $($row.LastName)" `
            -GivenName $row.FirstName `
            -Surname $row.LastName `
            -SamAccountName $row.Username `
            -UserPrincipalName $UPN `
            -EmailAddress $row.Email `
            -Department $row.Department `
            -Title $row.Title `
            -Office $row.Office `
            -Path "OU=$($row.Department),OU=Users,DC=contoso,DC=com" `
            -AccountPassword $Password `
            -Enabled $true `
            -ChangePasswordAtLogon $true `
            -ErrorAction Stop
        # Return the credential to the caller for out-of-band hand-off; never log it to a shared file
        [pscustomobject]@{ Username = $row.Username; TempPassword = $Plain }
    } catch {
        Write-Warning "Failed to create $($row.Username): $_"
    }
}
User Account Properties
Important User Attributes:
| Property | AD Attribute | Description |
|---|---|---|
| Username | sAMAccountName | Pre-Windows 2000 logon name |
| User Principal Name | userPrincipalName | Email-style logon (user@domain.com) |
| Display Name | displayName | Name shown in address lists |
| Email Address | mail | Primary SMTP address |
| Department | department | Organizational department |
| Manager | manager | Distinguished name of manager |
| Member Of | memberOf | Group memberships (read-only) |
| Account Status | userAccountControl | Enabled/disabled, password policies |
Modifying User Properties (PowerShell):
# Update single property
Set-ADUser -Identity jdoe -EmailAddress "john.doe@contoso.com"
# Update multiple properties
Set-ADUser -Identity jdoe `
-Department "Sales" `
-Title "Senior Sales Representative" `
-OfficePhone "+1-555-0100" `
-MobilePhone "+1-555-0101" `
-StreetAddress "123 Main Street" `
-City "New York" `
-State "NY" `
-PostalCode "10001"
# Set manager
Set-ADUser -Identity jdoe -Manager "CN=Jane Smith,OU=Sales,OU=Users,DC=contoso,DC=com"
Disabling and Enabling Accounts
Disable Account:
# Disable user account
Disable-ADAccount -Identity jdoe
# Verify status
Get-ADUser -Identity jdoe -Properties Enabled | Select Name, Enabled
Enable Account:
# Enable user account
Enable-ADAccount -Identity jdoe
Common Reasons to Disable (Not Delete) Accounts:
- Employee on leave
- Security investigation
- Contractor engagement ended (pending final billing)
- Preserve access history for compliance
Resetting Passwords
GUI Method:
- Right-click user in ADUC
- Select Reset Password
- Enter new password (twice)
- Check User must change password at next logon
- Click OK
PowerShell Method:
# Reset password (interactive prompt)
Set-ADAccountPassword -Identity jdoe -Reset
# Reset with specified password
Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (ConvertTo-SecureString "NewP@ss123!" -AsPlainText -Force)
# Force password change at next logon
Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
Unlocking Accounts
Locked Out Users: After multiple failed login attempts (based on Account Lockout Policy), accounts are automatically locked.
Unlock Account:
# Unlock user account
Unlock-ADAccount -Identity jdoe
# Check if account is locked
Get-ADUser -Identity jdoe -Properties LockedOut | Select Name, LockedOut
# Find locked out users
Search-ADAccount -LockedOut | Select Name, SamAccountName, LockedOut
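Unlocking alone does not stop the lockouts. The following PowerShell is an added example, not code from the original page: it pulls event 4740 from the PDC emulator (which records every lockout in the domain) and reports the computer the bad credentials came from, so the stale service, mapped drive or scheduled task can be fixed before the account is unlocked. It assumes the ActiveDirectory module, permission to read the DC's Security log, and the default DC audit policy (Audit User Account Management: Success), which produces 4740.

```powershell
# Added example (not from the original page): find where a lockout comes from.
# Assumes the ActiveDirectory module, rights to read the PDC emulator's Security log,
# and the default DC audit policy (Audit User Account Management: Success), which logs 4740.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    # Every lockout in the domain is forwarded to the PDC emulator, so one log covers all DCs.
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            # Read EventData fields by name rather than by position.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $evt.TimeCreated
                User           = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']   # 4740 stores the source host here
                ReportedBy     = $pdc
            }
        } |
        Where-Object { $_.User -eq $SamAccountName }
}

Get-LockoutSource -SamAccountName jdoe | Format-Table -AutoSize

# Unlock only after the source (cached credential, mapped drive, scheduled task, service)
# has been fixed, or the account locks again on the next attempt. Repeated lockouts of a
# privileged account from an unfamiliar host are a password-spraying indicator, not a nuisance.
Unlock-ADAccount -Identity jdoe
```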
Deleting User Accounts
⚠️ Warning: Without the AD Recycle Bin, a deleted user survives only as a tombstone with most attributes and all group memberships stripped, so it cannot be restored intact. Enable the Recycle Bin (forest functional level 2008 R2 or higher) before you need it.
PowerShell:
# Delete user (moves to Deleted Objects, recoverable with Recycle Bin)
Remove-ADUser -Identity jdoe -Confirm:$true
# Delete without the confirmation prompt. With the Recycle Bin enabled the object still goes to
# Deleted Objects for the deleted-object lifetime (180 days by default); Remove-ADUser has no
# switch to bypass that, so a scripted delete is never "permanent" on its own.
Remove-ADUser -Identity jdoe -Confirm:$false
Best Practice: Disable accounts for 90 days before deletion to allow for recovery if needed.
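The disable-then-delete lifecycle above, as an added PowerShell example (not code from the original page): one function offboards an account safely, another deletes accounts that have sat disabled past the retention window. The "Disabled Users" OU, the description stamp format and the 90-day window are assumptions; adjust them to your retention policy.

```powershell
# Added example (not from the original page): the disable-then-delete lifecycle above as two
# functions. The "Disabled Users" OU, the description stamp format and the 90-day window are
# assumptions; adjust to your retention policy.
Import-Module ActiveDirectory

$DisabledOU = 'OU=Disabled Users,DC=contoso,DC=com'

function Disable-OffboardedUser {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties Description, MemberOf

    Disable-ADAccount -Identity $user

    # Scramble the password: a disabled account re-enabled by mistake (or by an attacker
    # with write access to it) should not come back with the old credential.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $scrambled = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $scrambled

    # Strip group memberships so a restored object carries no access until re-approved.
    # The list is kept in the description for audit (attribute limit is 1024 characters;
    # send very long lists to a log instead).
    $groups = @($user.MemberOf)
    foreach ($g in $groups) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }
    $stamp = 'Disabled {0:yyyy-MM-dd}; was member of: {1}' -f (Get-Date), (($groups -join ', ') -replace '^$', 'none')
    Set-ADUser -Identity $user -Description $stamp

    Move-ADObject -Identity $user -TargetPath $DisabledOU
}

function Remove-ExpiredDisabledUser {
    param([int]$RetentionDays = 90)
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -SearchBase $DisabledOU -Filter { Enabled -eq $false } -Properties Description |
        ForEach-Object {
            if ($_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})' -and [datetime]$Matches[1] -lt $cutoff) {
                Write-Host "Deleting $($_.SamAccountName), disabled $($Matches[1])"
                Remove-ADUser -Identity $_ -Confirm:$false
            }
        }
}

# Usage:
# Disable-OffboardedUser -Identity jdoe
# Remove-ExpiredDisabledUser -RetentionDays 90   # run from a scheduled task
```

Keeping the disable date in the directory itself (rather than only in a ticket) is what makes the second function safe to automate: it only deletes accounts that carry the stamp, so anything disabled by another process is left alone.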
Computer Account Management
Computer accounts represent workstations, servers, and other devices joined to the domain.
Joining Computers to Domain
Windows 10/11 Join Process:
- Open Settings → Accounts → Access work or school
- Click Connect
- Click Join this device to a local Active Directory domain
- Enter domain name: contoso.com
- Enter credentials of a domain admin or of a user delegated the right to join computers
- Optionally add the user to local administrators group
- Restart computer
PowerShell (Run on client):
# Join computer to domain
Add-Computer -DomainName contoso.com -Credential (Get-Credential) -Restart
# Join and specify OU
Add-Computer -DomainName contoso.com -OUPath "OU=Workstations,OU=Computers,DC=contoso,DC=com" -Credential (Get-Credential) -Restart
Offline Domain Join (For Remote/Pre-provisioned Systems):
On Domain Controller:
# Generate offline join file. The blob carries the new machine account's credential:
# transfer it over a protected channel and delete it once the join has completed.
djoin /provision /domain contoso.com /machine COMPUTER01 /savefile C:\offline-join.txt
On Client Computer (before joining):
# Join using offline file
djoin /requestODJ /loadfile C:\offline-join.txt /windowspath %windir% /localos
Restart-Computer
Pre-creating Computer Accounts
Benefits:
- Control computer OU placement
- Delegate join permissions to non-admin users without relying on ms-DS-MachineAccountQuota (by default any authenticated user may join up to 10 computers; set it to 0 and delegate explicitly)
- Apply GPOs before first login
PowerShell:
# Create computer account
New-ADComputer -Name "WORKSTATION01" -Path "OU=Workstations,OU=Computers,DC=contoso,DC=com"
# Or create it with a description in one step (same object; run one or the other, since a
# second New-ADComputer with the same name fails)
New-ADComputer -Name "WORKSTATION01" -Path "OU=Workstations,OU=Computers,DC=contoso,DC=com" -Description "Sales Department Laptop - John Doe" -Enabled $true
Managing Computer Accounts
List Computers:
# Get all computers
Get-ADComputer -Filter * | Select Name, DNSHostName, OperatingSystem
# Get computers by OU
Get-ADComputer -Filter * -SearchBase "OU=Workstations,OU=Computers,DC=contoso,DC=com"
# Get computers with specific OS
Get-ADComputer -Filter {OperatingSystem -like "*Windows 11*"} | Select Name, OperatingSystem
Find Stale Computer Accounts:
# Find enabled computers whose last logon is 90+ days old. LastLogonDate is the replicated
# lastLogonTimestamp, refreshed only every 9-14 days, so it is a coarse signal: fine for a
# 90-day cut-off, meaningless for a 30-day one. Computers that never logged on have no
# value and are not matched by -lt.
$Cutoff = (Get-Date).AddDays(-90)
Get-ADComputer -Filter {LastLogonDate -lt $Cutoff -and Enabled -eq $true} -Properties LastLogonDate | Select Name, LastLogonDate | Sort LastLogonDate
Move Computer to Different OU:
# Move computer
Move-ADObject -Identity "CN=WORKSTATION01,OU=OldOU,DC=contoso,DC=com" -TargetPath "OU=NewOU,OU=Computers,DC=contoso,DC=com"
# Or using Get-ADComputer
Get-ADComputer -Identity WORKSTATION01 | Move-ADObject -TargetPath "OU=NewOU,OU=Computers,DC=contoso,DC=com"
Remove Computer from Domain:
On Client (before removing from AD):
# Remove computer from domain (returns to workgroup)
Remove-Computer -UnjoinDomainCredential (Get-Credential) -WorkgroupName "WORKGROUP" -Restart
In Active Directory:
# Delete computer account
Remove-ADComputer -Identity WORKSTATION01 -Confirm:$true
[Content continues with remaining sections…]
Frequently Asked Questions
General Active Directory Questions
Q: What is Active Directory used for?
A: Active Directory is used for centralized management of users, computers, and resources in Windows networks. It provides authentication (verifying user identities), authorization (controlling access to resources), and policy management (enforcing security and configuration settings) across an organization’s network infrastructure.
Q: What is the difference between Active Directory and Azure Active Directory?
A: Active Directory (AD DS) is an on-premises directory service for traditional Windows networks using Kerberos/NTLM authentication. Azure Active Directory (Azure AD, now Microsoft Entra ID) is a cloud-based identity service for modern applications using OAuth/SAML/OpenID Connect. Many organizations use both in a hybrid configuration.
Q: How many domain controllers do I need?
A: Minimum of 2 domain controllers per domain for redundancy. For branch offices, consider Read-Only Domain Controllers (RODCs). Large sites should have 1 DC per 5,000-10,000 users. Geographic distribution also matters; place DCs in each major location for optimal authentication performance.
Q: Can I rename a domain controller?
A: Yes, since Windows Server 2003 a DC can be renamed in place with netdom computername (add the new name, make it primary, reboot, then remove the old name). The computer account, SPNs and DNS records are updated for you; certificates, replication partner lists and anything that references the old name by hand (backup jobs, firewall rules, monitoring) are not. Because of that, many administrators still prefer to demote the DC to a member server, rename it, and promote it again, or simply deploy a new DC with the correct name and retire the old one.
Q: What is the DSRM password and why is it important?
A: The Directory Services Restore Mode (DSRM) password is a local administrator password used to boot a DC into a special recovery mode for Active Directory restoration. It is critical to store this securely; without it, you cannot perform an authoritative restore or any other offline work on the directory database. Test it periodically to ensure it works, and reset it with ntdsutil (set dsrm password) if it is unknown. Treat it as a Tier 0 secret: whoever holds it has full offline access to NTDS.dit and every password hash in it.
Domain and Forest Questions
Q: Should I use a single domain or multiple domains?
A: Most organizations should use a single domain. Legitimate reasons for more than one are:
- Political/administrative boundaries that require a separate domain-level administrative scope
- International operations with distinct legal entities or data-residency requirements
Different password policies are no longer a reason: Fine-Grained Password Policies (Windows Server 2008 and later) apply different settings to different groups within one domain. Keep in mind that a domain is not a security boundary; the forest is. A compromised administrator of a child domain can escalate to Enterprise Admins, so multiple domains add complexity without adding isolation.
Q: What domain name should I use?
A: Use a subdomain of your public domain (e.g., corp.contoso.com if your website is contoso.com) rather than the root domain. This avoids conflicts between internal AD DNS and public DNS. Alternatively, use .local (e.g., contoso.local), though this is not recommended: it collides with mDNS on many clients, and public CAs will not issue certificates for .local names.
Q: Can I change my domain name after installation?
A: Only with great care. The domain rename tool (rendom.exe, Windows Server 2003 and later) can rename domains, including the forest root domain, but it cannot make a different domain the forest root, it is not supported in forests with Exchange Server 2007 or later installed, and it requires every DC and every member to be touched and rebooted. Plan your domain name carefully before installation. If a rename is absolutely necessary, migrating to a new forest is usually the safer option.
Q: What is a trust relationship?
A: A trust relationship allows users in one domain to access resources in another domain. Trusts can be:
- One-way: Domain A trusts Domain B (B users can access A resources)
- Two-way: Mutual trust (users in both domains can access each other's resources)
- Transitive: Trust extends through multiple domains (automatic within forests)
- Non-transitive: Trust is limited to specified domains only
Every trust widens the attack surface of both sides: keep SID filtering (quarantine) enabled on external and forest trusts, and use selective authentication where only a known set of accounts from the trusted domain actually needs access.
User and Group Management
Q: What’s the difference between a user account and a service account?
A: A user account is for a person who logs on interactively. A service account is for an application or service that runs under its own credentials. Traditional service accounts typically have "Service Account" in the description, password never expires set, and logon rights restricted to the hosts they run on. That combination is also why they are a favourite target: an account with a service principal name (SPN) and a static password can be Kerberoasted offline, so any standalone service account needs a long, random password (25+ characters) and the logon restrictions actually enforced.
Use Group Managed Service Accounts (gMSA) or standalone Managed Service Accounts (sMSA) wherever the application supports them; the DCs rotate their 240-byte random passwords automatically, which removes the static-password problem entirely.
Q: Should I delete or disable user accounts when employees leave?
A: Best practice: Disable immediately when the employee leaves, then delete after 90 days. This allows:
- Time to transfer ownership of files/emails
- Audit trail preservation
- Recovery if termination is reversed
- Compliance with data retention policies
Q: How do I find all members of a group recursively?
A: Use PowerShell with the -Recursive parameter:
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name, SamAccountName
This expands nested groups and shows all effective members. Two caveats: Get-ADGroupMember -Recursive fails on groups with more than 5,000 members (the default MaxGroupOrMembersResult limit of the AD Web Services) and on groups that contain members from trusted domains (foreign security principals), and it never shows membership held through a user's primary group (Domain Users by default).
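Where those caveats bite, the server-side alternative is an LDAP_MATCHING_RULE_IN_CHAIN query. The function below is an added example, not code from the original page; the group name is whatever you pass in, and "Domain Admins" at the bottom is just the illustrative call.

```powershell
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    # Resolves every effective member of a group, however deeply nested, in one server-side query.
    param([Parameter(Mandatory)][string]$Group)

    $g = Get-ADGroup -Identity $Group

    # Escape the DN for use inside an LDAP filter (RFC 4515): backslash first, then * ( )
    $dn = $g.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # memberOf:1.2.840.113556.1.4.1941:= is LDAP_MATCHING_RULE_IN_CHAIN: the DC walks the nesting
    # itself. Unlike Get-ADGroupMember -Recursive it is not capped at 5,000 results and does not
    # stop on members from trusted domains. primaryGroupID is checked too, because membership via
    # the primary group (e.g. Domain Users) is never written to memberOf.
    $rid    = ($g.SID.Value -split '-')[-1]
    $filter = "(|(memberOf:1.2.840.113556.1.4.1941:=$dn)(primaryGroupID=$rid))"

    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, objectSid, userAccountControl |
        Where-Object { $_.ObjectClass -ne 'group' } |          # keep only the leaf principals
        ForEach-Object {
            $obj     = $_                                       # $_ is rebound inside catch, so keep a copy
            $account = $obj.sAMAccountName
            if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
                # Members from trusted domains appear as FSPs whose name is just a SID; resolve it
                # through the trust if it is reachable, otherwise report the raw SID.
                try   { $account = ([System.Security.Principal.SecurityIdentifier]$obj.Name).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $account = $obj.Name }
            }
            [pscustomobject]@{
                Account     = $account
                ObjectClass = $obj.ObjectClass
                Enabled     = if ($null -ne $obj.userAccountControl) { -not ($obj.userAccountControl -band 2) } else { $null }
                SID         = if ($obj.objectSid) { $obj.objectSid.Value } else { $null }
            }
        }
}

# Example: every account that is effectively a Domain Admin, nested groups included
Get-EffectiveGroupMembers -Group 'Domain Admins' | Sort-Object Account | Format-Table -AutoSize
```

Because the matching happens on the DC, the query is a single LDAP round trip regardless of nesting depth, which also makes it the right tool for scripted privilege audits across many groups.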
Q: What’s the maximum number of users in Active Directory?
A: Active Directory can theoretically support billions of objects, but practical limits depend on hardware and design. A single domain can comfortably handle:
- Small: 10,000 users
- Medium: 100,000 users
- Large: 1,000,000+ users (with proper infrastructure)
Microsoft has tested with databases containing over 2 billion objects.
Group Policy
Q: How long does it take for Group Policy to apply?
A: Group Policy refreshes every 90 minutes by default (plus a random offset of 0-30 minutes to prevent all computers refreshing simultaneously). Domain Controllers refresh every 5 minutes. You can force immediate refresh with gpupdate /force.
Software installation, folder redirection and scripts only apply at startup/logon, so gpupdate alone is not enough for them (gpupdate /force offers to log off or reboot for exactly that reason). Security settings are the opposite case: they are reapplied every 16 hours even when the GPO has not changed.
Q: Why isn’t my Group Policy applying?
A: Common causes:
- User/computer in wrong OU: GPOs linked to specific OUs only affect objects within them
- Link disabled: GPO link must be enabled
- Security filtering: User/computer must have Read and Apply Group Policy permissions
- WMI filter blocking: Computer doesn’t match WMI filter criteria
- GPO disabled: Computer or User configuration (or both) must be enabled
- Block inheritance: OU has “Block Inheritance” set
- Enforced GPO conflict: Higher-priority enforced GPO overrides it
- Slow link detected: Some policies skip application on slow connections
Use gpresult /h report.html to diagnose.
Q: What’s the difference between Block Inheritance and Enforced?
A:
- Block Inheritance (set on OU): Prevents GPOs from parent OUs from applying to this OU and its children. Like a shield blocking policies from above.
- Enforced (set on GPO link): Forces this GPO to apply regardless of Block Inheritance. Overrides all conflicting settings. Also called “No Override.”
Enforced GPOs always win over blocked ones.
Q: Can I apply Group Policy to specific users within an OU?
A: Yes, using Security Filtering:
- Link the GPO to the OU containing all target users
- In Security Filtering, remove Authenticated Users, then add the specific users or groups who should receive the policy (this grants them Read and Apply Group Policy)
- On the Delegation tab, give Authenticated Users (or Domain Computers) plain Read permission back, without Apply. Since MS16-072 (June 2016) the computer account, not the user, reads the GPO to retrieve user settings; a GPO that only the target group can read silently fails to apply
Alternatively, use Item-Level Targeting within Group Policy Preferences for more granular control.
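The same filtering done from PowerShell, plus a check that finds GPOs already broken by the MS16-072 read requirement. This is an added example, not code from the original page; the GPO and group names are assumptions.

```powershell
Import-Module GroupPolicy

# Assumed names
$GpoName = "Helpdesk Desktop Lockdown"
$Target  = "Helpdesk Users"          # the group that should receive the policy

# 1. Authenticated Users keeps Read but loses Apply (-Replace swaps its existing level for GpoRead).
#    Since MS16-072 the computer account retrieves user-side policy, so the GPO must stay readable
#    by computers; removing Authenticated Users entirely is the classic reason a filtered GPO stops applying.
Set-GPPermission -Name $GpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace

# 2. Only the intended group gets Read + Apply
Set-GPPermission -Name $GpoName -TargetName $Target -TargetType Group -PermissionLevel GpoApply

# 3. Verify the result
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission | Format-Table -AutoSize

function Test-GpoComputerReadable {
    # Reports every GPO in the domain that neither Authenticated Users nor Domain Computers can
    # read, i.e. the state that breaks user-side settings after MS16-072.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $ok = $perms | Where-Object {
            $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' -and $_.Permission -in $readLevels
        }
        if (-not $ok) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Issue = 'Not readable by computer accounts (MS16-072)' }
        }
    }
}

Test-GpoComputerReadable | Format-Table -AutoSize
```

Run Test-GpoComputerReadable after any bulk change to security filtering; a GPO it lists will show up in gpresult as "Denied (Inaccessible)" on the clients that should receive it.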
Security and Permissions
Q: What are the default administrative groups in Active Directory?
A: Key administrative groups:
- Domain Admins: Full control over the entire domain
- Enterprise Admins: Full control over the entire forest (all domains)
- Schema Admins: Can modify the Active Directory schema
- Account Operators: Can create/modify user and group accounts (not administrator accounts)
- Server Operators: Can manage domain controllers (backup, shutdown, etc.)
- Backup Operators: Can backup and restore files regardless of permissions
Best Practice: Use these groups sparingly. All of them are Tier 0: Account Operators, Server Operators, Backup Operators and Print Operators can log on to domain controllers, and Backup Operators in particular can copy NTDS.dit and with it every password hash in the domain. Keep them empty where possible and implement delegation with custom groups for day-to-day administration.
Q: How do I delegate password reset permissions?
A: Using Active Directory Users and Computers:
- Right-click OU → Delegate Control
- Click Next
- Add user or group to delegate to
- Select Reset user passwords and force password change at next logon
- Click Next → Finish
This allows help desk staff to reset passwords without full Domain Admin rights.
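The wizard writes three access control entries on the OU; the script below is an added example (not code from the original page) that creates the same delegation from PowerShell so it can be reviewed, versioned and re-applied. The OU and group names are assumptions. The GUIDs are looked up from the schema and configuration partitions at run time rather than hard-coded.

```powershell
Import-Module ActiveDirectory

# Assumed names
$OU    = "OU=Staff,DC=contoso,DC=com"
$Group = Get-ADGroup -Identity "Helpdesk-PasswordReset"
$Sid   = [System.Security.Principal.SecurityIdentifier]$Group.SID

# Classes and attributes live in the schema partition (schemaIDGUID), control access rights in the
# configuration partition (rightsGuid). Looking them up avoids trusting a copied-and-pasted GUID.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$o.schemaIDGUID
}
$UserClass   = Get-SchemaGuid 'user'
$PwdLastSet  = Get-SchemaGuid 'pwdLastSet'    # writing 0 here = "must change password at next logon"
$LockoutTime = Get-SchemaGuid 'lockoutTime'   # writing 0 here = unlock; almost always wanted together with reset
$ResetPwd    = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                     -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # descendants only, not the OU itself
$RW      = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ExtR    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Each rule is scoped to objects of class user (InheritedObjectType), which is what the
# Delegation of Control Wizard writes for "Reset user passwords and force password change at next logon"
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $ExtR, $Allow, $ResetPwd,    $Inherit, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $RW,   $Allow, $PwdLastSet,  $Inherit, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $RW,   $Allow, $LockoutTime, $Inherit, $UserClass)
)

$acl = Get-Acl -Path "AD:\$OU"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify what the OU now carries for the group
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($Group.SamAccountName)" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Two things the wizard does not tell you: the lockoutTime write is what lets the help desk unlock an account as well as reset it, and none of this reaches protected accounts (adminCount = 1), because the AdminSDHolder process rewrites their ACLs from its template every hour. Delegating the same rights on a Domain Admin's OU therefore does nothing, which is the intended behaviour.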
Q: What is the Administrator account’s SID?
A: The built-in Administrator account always has a relative identifier (RID) of 500. Full SID format: S-1-5-21-[domain identifier]-500
Even if renamed (security best practice), it retains this SID, making it identifiable.
Q: Should I disable the built-in Administrator account?
A: No, but rename it, give it a long unique password, and keep it out of daily use. The built-in Administrator:
- Is exempt from account lockout policy by default (useful for recovery, but it also makes the account a password-spraying target, so deny it network logon on member servers and workstations)
- Is required for certain disaster recovery scenarios
- Can be identified by RID 500 regardless of name, so renaming removes only the obvious label, not the target
Instead, create and use named administrative accounts for daily work.
Replication and Sites
Q: How does Active Directory replication work?
A: AD uses multi-master replication;changes can be made on any DC and replicate to others. Replication uses:
- Intrasite replication: Fast, automatic, change notification-based (within same site)
- Intersite replication: Scheduled, compressed, follows site link schedule (between sites)
The Knowledge Consistency Checker (KCC) automatically creates replication topology.
Q: What is a Global Catalog server?
A: A Global Catalog (GC) server holds:
- Full replica of all objects in its own domain
- Partial replica of all objects in other domains in the forest
It’s used for:
- Universal Group membership enumeration (required for logon)
- Cross-domain searches
- UPN-based authentication
First DC in forest is automatically a GC. Best practice: Multiple GCs per site.
Q: How do I check replication status?
A: Use repadmin:
# Summary of replication health
repadmin /replsummary
# Detailed replication status
repadmin /showrepl
# Force replication between DCs
repadmin /syncall /AdeP
Or PowerShell:
# -Target takes a DC, domain or forest name; the scope decides how it is interpreted
Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest -Partition * | Select Server, Partner, LastReplicationSuccess, LastReplicationResult
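The function below rolls those checks into a single report with a severity per finding, and adds the one comparison repadmin does not make for you: whether any partner has gone longer than the tombstone lifetime without replicating. It is an added example, not code from the original page; the 3-hour warning threshold is an assumption.

```powershell
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    # MaxAgeHours is an assumed threshold; tune it to your intersite schedule.
    param([int]$MaxAgeHours = 3)

    $forest   = Get-ADForest
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Tombstone lifetime: a partner not replicated for longer than this will reintroduce lingering objects.
    # The attribute is absent on forests that still run with the legacy default of 60 days.
    $dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    $tsl   = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

    $now      = Get-Date
    $findings = @()

    # 1. Failures the DCs themselves report (same data as repadmin /replsummary)
    foreach ($f in Get-ADReplicationFailure -Target $forest.Name -Scope Forest) {
        $findings += [pscustomobject]@{
            Severity = 'Error'; Server = $f.Server; Partner = $f.Partner; Partition = ''
            Detail   = "$($f.FailureCount) failures since $($f.FirstFailureTime), last error $($f.LastError)"
        }
    }

    # 2. Per-partner, per-partition metadata (same data as repadmin /showrepl)
    foreach ($m in Get-ADReplicationPartnerMetadata -Target $forest.Name -Scope Forest -Partition *) {
        if (-not $m.LastReplicationSuccess) {
            $findings += [pscustomobject]@{ Severity = 'Critical'; Server = $m.Server; Partner = $m.Partner; Partition = $m.Partition; Detail = 'Never replicated successfully' }
            continue
        }
        $age = $now - $m.LastReplicationSuccess
        $sev = if ($age.TotalDays -gt $tsl)                       { 'Critical' }   # lingering-object territory
               elseif ($m.ConsecutiveReplicationFailures -gt 0)   { 'Error' }
               elseif ($age.TotalHours -gt $MaxAgeHours)          { 'Warning' }
               else                                               { $null }
        if ($sev) {
            $findings += [pscustomobject]@{
                Severity = $sev; Server = $m.Server; Partner = $m.Partner; Partition = $m.Partition
                Detail   = "last success $($m.LastReplicationSuccess) ($([int]$age.TotalHours) h ago), $($m.ConsecutiveReplicationFailures) consecutive failures, result $($m.LastReplicationResult)"
            }
        }
    }

    # 3. A DC that is down does not appear in its own metadata, so probe every DC in every domain
    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
                $findings += [pscustomobject]@{ Severity = 'Error'; Server = $dc.HostName; Partner = ''; Partition = ''; Detail = 'Not reachable (ICMP)' }
            }
        }
    }

    $findings | Sort-Object Severity, Server
}

Get-ReplicationHealthReport | Format-Table -AutoSize
```

Anything at Critical is not a replication problem to force with repadmin /syncall; a partner that old must be checked for lingering objects (repadmin /removelingeringobjects) before it is allowed to replicate again, otherwise it reintroduces objects the rest of the forest has already deleted.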
Q: What causes replication conflicts?
A: Conflicts occur when the same attribute of an object is modified on different DCs before replication occurs. Active Directory automatically resolves conflicts using:
- Version number: Higher version wins
- Timestamp: Most recent change wins
- Originating DC GUID: Tie-breaker if timestamps equal
Conflicts are rare in normal operation.
Backup and Recovery
Q: How do I backup Active Directory?
A: Use Windows Server Backup (bare metal/system state backup):
# Install Windows Server Backup
Install-WindowsFeature -Name Windows-Server-Backup
# Backup system state (includes AD database)
wbadmin start systemstatebackup -backupTarget:E: -quiet
Or use third-party backup solutions that support Active Directory (Veeam, Commvault, etc.).
Backup Frequency: Daily minimum, with off-site copies, taken on at least two DCs. Treat the backups as Tier 0 secrets: a system state backup contains NTDS.dit, and with it every password hash in the domain, so store them under the same access controls as the DCs themselves.
Q: How do I restore a deleted Active Directory object?
A: If Active Directory Recycle Bin is enabled:
# Enable AD Recycle Bin (one-time, irreversible; requires forest functional level 2008 R2 or higher)
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target contoso.com
# Restore deleted user; filtering on isDeleted ensures a live object with the same display name is never targeted
Get-ADObject -Filter {DisplayName -eq "John Doe" -and isDeleted -eq $true} -IncludeDeletedObjects | Restore-ADObject
If Recycle Bin is not enabled, restore from a system state backup (see the authoritative restore question below) or use tombstone reanimation, which brings the object back with most attributes, including group memberships, stripped. Note that the Recycle Bin only protects objects deleted after it was enabled, and a restore needs the object's parent container to exist (restore parents first, or pass -TargetPath).
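Restoring a single object is a one-liner; restoring a deleted OU with everything inside it is where people get stuck, because each child must be restored after its parent. The function below is an added example (not code from the original page) that does the ordering for you. It assumes the Recycle Bin is enabled, and the "Sales" OU at the bottom is an illustrative input.

```powershell
Import-Module ActiveDirectory

function Restore-DeletedSubtree {
    # Restores a deleted container and everything that was inside it, parents before children.
    param(
        [Parameter(Mandatory)][string]$Name,            # name of the deleted container, e.g. "Sales"
        [Parameter(Mandatory)][string]$LastKnownParent  # where it lived, e.g. "DC=contoso,DC=com"
    )
    $domainDN = (Get-ADDomain).DistinguishedName

    # Everything in the bin that can still be restored. isRecycled=TRUE means the object has passed the
    # deleted-object lifetime and only the stripped tombstone is left.
    $bin = Get-ADObject -SearchBase "CN=Deleted Objects,$domainDN" -IncludeDeletedObjects `
                        -LDAPFilter "(&(isDeleted=TRUE)(!(isRecycled=TRUE)))" `
                        -Properties lastKnownParent, whenChanged

    # Deleted objects are renamed "<name>\0ADEL:<guid>" (a literal line feed after the name), so match on
    # that prefix and on where the object used to live; several hits means several deletions, take the newest.
    $root = $bin | Where-Object { $_.lastKnownParent -eq $LastKnownParent -and $_.Name -like "$Name`nDEL:*" } |
            Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $root) { throw "No restorable object named '$Name' under '$LastKnownParent' found in the Recycle Bin" }

    $restoredRoot = Restore-ADObject -Identity $root.ObjectGUID -PassThru   # goes back to its original location
    Write-Host "Restored $($restoredRoot.DistinguishedName)"

    # A child records its parent either as the parent's original DN or as the parent's deleted DN,
    # depending on how the deletion was ordered; map both forms to the live DN so either resolves.
    # PowerShell hashtables compare string keys case-insensitively, which DNs need.
    $parentMap = @{}
    $parentMap[$root.DistinguishedName]         = $restoredRoot.DistinguishedName
    $parentMap[$restoredRoot.DistinguishedName] = $restoredRoot.DistinguishedName

    $pending = @{}
    foreach ($o in $bin) { if ($o.ObjectGUID -ne $root.ObjectGUID) { $pending[$o.ObjectGUID] = $o } }

    # Restore whatever now has a live parent; repeat until nothing left in the bin points into this subtree.
    # Unrelated deleted objects never match the map and are left alone.
    do {
        $progress = $false
        foreach ($o in @($pending.Values)) {
            if (-not $o.lastKnownParent -or -not $parentMap.ContainsKey($o.lastKnownParent)) { continue }
            $r = Restore-ADObject -Identity $o.ObjectGUID -TargetPath $parentMap[$o.lastKnownParent] -PassThru
            $parentMap[$o.DistinguishedName] = $r.DistinguishedName
            $parentMap[$r.DistinguishedName] = $r.DistinguishedName
            $pending.Remove($o.ObjectGUID)
            $progress = $true
            Write-Host "Restored $($r.DistinguishedName)"
        }
    } while ($progress -and $pending.Count -gt 0)
}

# Example: the whole Sales OU was deleted from the domain root
Restore-DeletedSubtree -Name "Sales" -LastKnownParent "DC=contoso,DC=com"
```

Because the Recycle Bin preserves link-valued attributes, users restored this way come back with their group memberships intact, which is the main thing an authoritative restore from backup or tombstone reanimation cannot promise.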
Q: What is the Active Directory tombstone lifetime?
A: When an object is deleted, it becomes a tombstone (placeholder) and is retained for 180 days by default in forests created on Windows Server 2003 SP1 or later (60 days in older forests, and the attribute is simply absent on those). After this period, the tombstone is permanently removed by garbage collection. With the Recycle Bin enabled, the deleted-object lifetime (also 180 days by default) comes first, and the tombstone lifetime runs after it.
Backups older than the tombstone lifetime cannot be restored: the restore is refused, and if it were allowed it would reintroduce lingering objects that the rest of the forest has already forgotten. USN rollback is a different failure, caused by reverting a DC from a VM snapshot or disk image instead of an AD-aware restore.
Q: How do I perform an authoritative restore?
A: An authoritative restore restores deleted objects and marks them as authoritative so they replicate to other DCs:
- Reboot DC in Directory Services Restore Mode (DSRM)
- Restore system state backup
- Mark restored objects as authoritative:
ntdsutil
activate instance ntds
authoritative restore
restore subtree "OU=Sales,DC=contoso,DC=com"
quit
quit
- Reboot normally; restored objects replicate to other DCs
Troubleshooting
Q: How do I troubleshoot authentication issues?
A: Systematic approach:
- Verify credentials: Ensure username/password are correct
- Check account status: Not disabled, not locked, not expired
- Verify DC connectivity: nltest /dsgetdc:contoso.com
- Check DNS: Client must resolve domain name and SRV records
- Verify time sync: Clock skew > 5 minutes breaks Kerberos
- Test LDAP: ldp.exe or ldapsearch to test connectivity
- Review event logs: Security log on DC, System log on client
- Check Kerberos: klist shows tickets, klist purge clears cache
Q: What does “The trust relationship between this workstation and the primary domain failed” mean?
A: This means the computer's machine account password no longer matches the one Active Directory holds, so the secure channel cannot be established. Common causes:
- Computer was restored from an old backup or VM snapshot (its stored password is older than the one in AD)
- Computer account was reset, deleted and recreated, or a second machine joined with the same name
- Time skew large enough that Kerberos rejected the password change
Simply being offline for a long time does not break the trust: the client initiates the 30-day password change and keeps using its old password until the change succeeds.
Solution: on the affected computer, run Test-ComputerSecureChannel -Repair -Credential (Get-Credential), or Reset-ComputerMachinePassword -Server DC01 -Credential (Get-Credential), or netdom resetpwd /server:DC01 /userd:contoso\admin /passwordd:*. All three reset the password on both sides without a rejoin; netdom resetpwd runs on the member, not on the DC. Rejoining the domain also works but is the heavier option.
Q: How do I fix “The RPC server is unavailable” errors?
A: This error usually indicates a network or name-resolution problem between the client and the DC:
- Verify network connectivity: Ping DC by IP and hostname
- Check firewall rules: Ensure the AD ports listed below are open from the client to every DC it may talk to
- Verify DNS resolution: Client must resolve the DC hostname (and for some operations the DC must resolve the client)
- Check RPC services: The Remote Procedure Call (RPC) and RPC Endpoint Mapper services must be running (the RPC Locator service is not required and is disabled by default on modern Windows)
- Review event logs: Look for specific RPC error codes
Required ports (TCP unless noted): 53 (DNS, also UDP), 88 (Kerberos, also UDP), 135 (RPC Endpoint Mapper), 389 (LDAP, also UDP), 445 (SMB), 464 (Kerberos password change), 636 (LDAPS), 3268/3269 (Global Catalog), 123 UDP (NTP), and the dynamic RPC range 49152-65535 (1025-5000 on Windows Server 2003 and earlier).
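The checks from the authentication and RPC questions above, run from the client against the DC it actually locates, as one script. This is an added example, not code from the original page; it assumes the client is domain-joined and that nltest, w32tm and Test-NetConnection are available, as they are on any supported Windows.

```powershell
function Test-DomainConnectivity {
    # Domain defaults to the machine's own; a DC can be forced with -DomainController.
    param(
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain,
        [string]$DomainController
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Result = $(if ($Ok) { 'OK' } else { 'FAIL' }); Detail = $Detail })
    }

    # 1. DNS: without these SRV records the DC locator cannot find a DC at all
    foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
        try {
            $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
            Add-Result "SRV $rec" $true (($srv.NameTarget | Sort-Object -Unique) -join ', ')
        } catch { Add-Result "SRV $rec" $false $_.Exception.Message }
    }

    # 2. DC locator, the same query the Netlogon service makes (output joined because -match only
    #    fills $Matches for a scalar)
    if (-not $DomainController) {
        $text = (& nltest /dsgetdc:$Domain 2>&1) | Out-String
        if ($text -match 'DC:\s*\\\\(\S+)') { $DomainController = $Matches[1]; Add-Result 'DC locator' $true $DomainController }
        else { Add-Result 'DC locator' $false $text.Trim(); return $results }
    }

    # 3. Ports a domain member needs on the DC. The dynamic RPC range (49152-65535) cannot be
    #    proven with one probe; if 135 works but RPC calls still fail, that range is the suspect.
    $ports = [ordered]@{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP'; 445='SMB'; 464='Kerberos password change'; 636='LDAPS'; 3268='Global Catalog' }
    foreach ($p in $ports.Keys) {
        $ok = Test-NetConnection -ComputerName $DomainController -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        Add-Result "TCP $p ($($ports[$p]))" $ok $DomainController
    }

    # 4. Time: Kerberos rejects tickets when clocks differ by more than 5 minutes (300 s)
    $chart = (& w32tm /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1) | Out-String
    if ($chart -match '([+-]\d+\.\d+)s') {
        $skew = [double]$Matches[1]
        Add-Result 'Clock skew vs DC' ([math]::Abs($skew) -lt 300) ("{0:N3} s" -f $skew)
    } else { Add-Result 'Clock skew vs DC' $false $chart.Trim() }

    # 5. This machine's own secure channel (the "trust relationship ... failed" case); needs elevation
    try   { Add-Result 'Secure channel' (Test-ComputerSecureChannel) 'Test-ComputerSecureChannel -Repair fixes a broken one without rejoining' }
    catch { Add-Result 'Secure channel' $false $_.Exception.Message }

    $results
}

Test-DomainConnectivity | Format-Table -AutoSize
```

Read the rows top to bottom: a failed SRV lookup explains every later failure, a failed port with a working locator points at a firewall, and a clock skew over 300 s explains Kerberos failures even when every port is open.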
Q: How do I troubleshoot Group Policy not applying?
A: Use gpresult:
# Generate HTML report
gpresult /h C:\gpreport.html /f
# Console output
gpresult /r
# Verbose console output
gpresult /v
Check report for:
- Applied GPOs and their settings
- Denied GPOs and reasons (filtering, WMI, etc.)
- Last Group Policy refresh time
- Fast logon optimization status
Also useful:
- Group Policy Management Console (GPMC): Group Policy Modeling (what-if analysis)
- GPMC: Group Policy Results (actual applied policies on a computer)
Additional Resources
Microsoft Official Documentation
- Active Directory Documentation
- Active Directory PowerShell Module
- Group Policy Documentation
- Best Practices for Securing Active Directory
Tools for Active Directory Management
Built-in Tools:
- Active Directory Users and Computers (ADUC): dsa.msc
- Active Directory Sites and Services: dssite.msc
- Active Directory Domains and Trusts: domain.msc
- Group Policy Management Console: gpmc.msc
- ADSI Edit: adsiedit.msc (low-level editor)
PowerShell Modules:
- ActiveDirectory module (install with RSAT)
- ActiveDirectory cmdlets reference
Third-Party Tools:
- ADExplorer - Sysinternals AD viewer
- ADRecon - AD documentation tool
- See our Active Directory Tools guide for more options
Conclusion
Active Directory is a powerful and complex system that forms the backbone of most Windows enterprise environments. This guide has covered the fundamentals through advanced topics, providing you with the knowledge to design, implement, and manage Active Directory infrastructures.
Key Takeaways
- Proper Planning is Essential: Domain names, forest structure, and site topology decisions are difficult to change later
- Security First: Implement least privilege, secure Domain Admins, enable audit logging
- Automation with PowerShell: Learn PowerShell for efficient AD management
- Regular Backups: Maintain current system state backups and test restoration
- Monitoring: Proactively monitor replication, authentication, and DC health
- Documentation: Document your AD structure, policies, and procedures
- Continuous Learning: Active Directory evolves; stay current with new features and best practices
Next Steps
Now that you understand Active Directory fundamentals:
- Set up a lab environment to practice without affecting production
- Learn PowerShell for AD automation (see our PowerShell Guide)
- Study Group Policy in depth for policy management
- Explore Azure AD for hybrid and cloud scenarios
- Investigate security hardening to protect your AD infrastructure
For specific commands, scripts, and how-to guides, explore our other tutorials:
- Complete PowerShell Guide - PowerShell basics
- CMD Commands - Command-line reference
- Active Directory Tools - Specialized AD tools