We’ve all heard of the many benefits of Active Directory (AD) for IT admins: it makes your job simpler because there’s a central vault of user information, and it’s scalable, supporting millions of objects in a single domain. However, it can be a pain in the ACLs to implement and maintain—a cluttered, misconfigured AD can cause even the most veteran sysadmins anxiety. In this article, we’ll give you an overview of the basics to help you learn Active Directory.
Most of the material in this guide will be aimed at beginners, but we’ve also included some resources for more experienced IT admins. So whether you’re just getting started with AD, want to refresh your knowledge of the basics, or feel that now is the time to take your skills to the next level, you are in the right place.
This guide builds on some of our other guides, so after reading it you might want to check out our guide to the Top Ten AD Tutorials on the web, our tutorial on how to get started with PowerShell and AD, or our explanation of AD in plain English.
Or, if you are looking for a complete understanding of how to use PowerShell and AD, you can sign up for our free Active Directory PowerShell course.
- Active Directory Guides
- How to Set Up AD
- AD Installation and Uses
- AD Services Technologies
- Azure AD: Best Practices
- AD Forests and Trees
- Varonis and AD
- Tutorials for AD
Active Directory Guides
Though this guide will take you through the basics of working with AD, it builds on a suite of resources that we’ve published before. We’ve focused these resources on the two subjects that most of our readers have questions about: using AD with PowerShell tools, and how to use AD to ensure cybersecurity. However, if you are looking for a guide to a specific subject, you can find more detailed guides below:
- Active Directory Users and Computers (ADUC): Installation and Uses
- The Difference Between Active Directory and LDAP
- Active Directory: Difference Between Windows and Azure AD
- Active Directory Has a Privacy Problem
- What is a Domain Controller, When is it Needed + Set Up
- Active Directory Domain Controller (AD DC) Could Not Be Contacted [SOLVED]
- Active Directory Migration Tool (ADMT): Your Essential Guide
- Active Directory Forest
- Active Directory Domain Services
- Active Directory Domain Naming Best Practices
Tutorial: How to Install Active Directory in Windows Server
In this section, we’ll show you how to install Active Directory in Windows Server. You’ll need to download some tools, and then configure them to work on your system.
First, you’ll need to make sure that you have Windows Professional or Windows Enterprise. AD will not function on the standard home installs of Windows, because it is designed to be a network management tool. You’ll then need to install Remote Server Administration Tools. The way to do that will depend on what version of Windows you are running:
Install Active Directory on Windows 10 Version 1809 (or higher)
- To use AD on this system, right-click on the “Start” button and go to Settings > Apps > Manage optional features > Add feature.
- Next, click RSAT: Active Directory Domain Services and Lightweight Directory Tools.
- Then select “Install”.
- To access AD, go to Start > Windows Administrative Tools.
Install Active Directory on Windows 8, or Windows 10 Version 1803 (or lower)
- To use AD on this system, you’ll first have to install the correct version of Server Administration Tools for your device: Windows 8, or Windows 10.
- Now right click on the “Start” button and go to Control Panel > Programs > Programs and Features > Turn Windows features on or off.
- Look on this list for Remote Server Administration Tools, and click on it.
- Now click on Role Administration Tools.
- Click on AD DS and AD LDS Tools, and verify that AD DS Tools have been checked.
- Click OK.
- To access AD, go to Start > Administrative tools.
Now you have a running version of AD, we’ll show you how to set it up, and then how to use it to accomplish some basic tasks.
Active Directory Installation and Uses
In this section, we’ll show you how to set up AD. This will require setting up a Domain Controller, and then adding users to AD.
This is not the only way that you can use AD to manage objects like users and computers. We’ve previously covered how to use ADUC, a Microsoft Management Console snap-in that you use to administer AD. This is just one of the many tools you can use to administer AD and is best used alongside PowerShell tools to maximize efficiency.
In this section, though, we’ll take a more direct approach, and set up management functionality straight from AD.
How to Setup a Domain Controller
A domain controller is a fundamental part of your AD set up. A domain controller is a central machine that will manage authentication requests across your network. This computer will store all of the login credentials for all the other devices on your network, so you won’t have to enter dozens (or even hundreds) of usernames and passwords when you want to access particular devices.
The process of setting up a domain controller is relatively simple:
- First, you’ll need to assign a static IP address to the computer you want to use as a domain controller. You can do this by downloading and installing Active Directory Domain Services or ADDS.
- With ADDS installed, click on Server Manager and then click Roles Summary > Add roles and features.
- Click Next.
- Now select Remote Desktop Services installation if you’re deploying a domain controller in a virtual machine, or select role-based or feature-based installation.
- Select a server from the server pool.
- Select Active Directory Domain Services from the list, and click Next.
- You should leave the Features checked by default on the next page, so just click Next.
- Click “Restart the destination server automatically if required”, and then click Install.
- Close the window once the installation is complete.
- Once the ADDS role has been installed, a notification will appear next to the Manage menu. Click “Promote this server to a domain controller”.
- Next, click “Add a new forest” and enter a Root domain name. Press Next.
- Select the Domain functional level you want and enter a Directory Services Restore Mode (DSRM) password in the “Type the Directory Services Restore Mode (DSRM) password” section. Click Next.
- When the DNS Options page displays, click Next again.
- Enter a domain in the NetBIOS domain name box (preferably the same as the root domain name). Press Next.
- Select a folder to store your database and log files. Click Next.
- Press Install to finish. Your system will now reboot.
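The same domain controller build, done from PowerShell instead of Server Manager, as an added example that is not part of the original article. It assumes a Windows Server with the interface alias “Ethernet”, and the IP addresses, domain name and NetBIOS name are constructed placeholders you would replace with your own.

```powershell
# Constructed sample values; replace with your own network and naming plan.
$InterfaceAlias = "Ethernet"
$StaticIP       = "192.168.10.5"
$Gateway        = "192.168.10.1"
$DomainName     = "corp.example.com"   # root domain name of the new forest
$NetbiosName    = "CORP"               # keep it consistent with the DNS name

# Step 1: give the future DC a static address. Because it will also run DNS,
# it should point at itself for name resolution.
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $StaticIP `
    -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $StaticIP

# Steps 2-9: add the AD DS role together with the management tools
# (ADUC, the ActiveDirectory PowerShell module, and the ADDSDeployment module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Steps 10-15: promote the server and create a new forest. The DSRM password is
# read as a SecureString so it never sits in plain text in the script history.
$DsrmPassword = Read-Host -Prompt "DSRM password" -AsSecureString

$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = "WinThreshold"      # Windows Server 2016 level
    DomainMode                    = "WinThreshold"
    InstallDns                    = $true
    DatabasePath                  = "C:\Windows\NTDS"   # database folder
    LogPath                       = "C:\Windows\NTDS"   # log files folder
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $DsrmPassword
    Force                         = $true               # suppress the confirmation prompt
}

# Dry run first: reports prerequisite failures without changing anything.
Test-ADDSForestInstallation @forestParams

# Promote; the server reboots on completion unless -NoRebootOnCompletion is added.
Install-ADDSForest @forestParams
```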
If all goes well, you will now have a functional domain controller for your AD system. The next step is to create users on your system.
How to Create Directory Users
Users and computers are the two most basic objects in AD, and in order to use them we’ll first set up an AD user. This process is quite simple, but it is best achieved using a tool that sits on top of AD. The Active Directory Users and Computers (ADUC) tool was the subject of a previous blog post here, where we showed you how to add users. Let’s quickly summarize that article, though, for clarity:
Install ADUC on Windows 10 Version 1809 (or higher)
- Right-click on the Start button and then click Settings > Apps
- Now click Manage optional features > Add feature
- Select RSAT: Active Directory Domain Services and Lightweight Directory Tools.
- Select Install, and then wait for the installation to complete.
- Go to Start > Windows Administrative Tools to access ADUC
Install ADUC on Windows 8 and Windows 10 Version 1803 (or lower):
- Download and install Remote Server Administrator Tools for your version of Windows. You can do that from one of these links: Remote Server Administrator Tools for Windows 10, Remote Server Administrator Tools for Windows 8, or Remote Server Administrator Tools for Windows 8.1.
- Right-click on Start > Control Panel > Programs > Programs and Features > Turn Windows features on or off
- Scroll down and select Remote Server Administration Tools
- Expand Role Administrator Tools > AD DS and AD LDS Tools
- Check AD DS Tools and then click OK
- Go to Start > Administrative Tools and select Active Directory Users and Computers
How to Create New Users with ADUC
Now, you can create new AD users straight from ADUC. To do that:
- Open the Server Manager
- Go to the Tools menu, and select Active Directory Users and Computers
- Expand the domain and click Users
- Right-click on the right pane and press New > User
- When the New Object-User box displays enter a First name, Last name, User logon name, and then click Next
- Enter a password, and press Next
- Click Finish
- The new user account can now be found in the Users section of ADUC
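The RSAT installation and the user-creation steps above, done from PowerShell, as an added example that is not part of the original article. It assumes a domain-joined Windows 10 1809 (or later) workstation with rights to create users in the Users container; the name and logon name are constructed sample values.

```powershell
# RSAT AD DS and AD LDS tools (the same optional feature as in the GUI steps above).
# The capability name is Microsoft's; list it with Get-WindowsCapability -Online -Name Rsat*.
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
Import-Module ActiveDirectory

function New-StandardAdUser {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$LogonName,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    $domain = Get-ADDomain
    # Same place the GUI puts the account: the built-in Users container.
    $container = "CN=Users,$($domain.DistinguishedName)"
    $upn = "$LogonName@$($domain.DNSRoot)"

    # Refuse to create a duplicate rather than let New-ADUser fail half-way.
    if (Get-ADUser -Filter "SamAccountName -eq '$LogonName'") {
        throw "A user with logon name '$LogonName' already exists."
    }

    New-ADUser -Name "$FirstName $LastName" `
        -GivenName $FirstName -Surname $LastName -DisplayName "$FirstName $LastName" `
        -SamAccountName $LogonName -UserPrincipalName $upn -Path $container `
        -AccountPassword $InitialPassword `
        -ChangePasswordAtLogon $true `   # user must set their own password at first logon
        -Enabled $true

    # Return the created object so the caller can verify it, like the last GUI step.
    Get-ADUser -Identity $LogonName -Properties DisplayName, PasswordLastSet, Enabled
}

# Constructed sample input; the password is read interactively, not stored in the script.
$pw = Read-Host -Prompt "Initial password for new user" -AsSecureString
New-StandardAdUser -FirstName "Jane" -LastName "Doe" -LogonName "jdoe" -InitialPassword $pw |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName, Enabled
```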
Active Directory Services Technologies
Like many other areas of IT, directory services have rapidly expanded with new features and functionality along with additional complexity. Instead of a single directory product such as AD DS, there are quite a few other services that make up the directory services category.
In addition to Microsoft solutions, many third-party vendors are creating products that stand alone on their own or enhance and expand Microsoft offerings. Today, directory services technologies from Microsoft includes the following products:
- Active Directory Domain Services (ADDS). ADDS is the core focus of this guide, so it doesn’t require an introduction. But how about an interesting fact instead? According to Microsoft Corporate Vice President Takeshi Numoto, Active Directory is used by 93% of the Fortune 1000.
- Active Directory Lightweight Directory Services (ADLDS). ADLDS is the lightweight, developer-friendly, directory that can be deployed on a client computer and client operating system as well as on a server. It isn’t as full-featured as ADDS (for example, Group Policy isn’t part of it) but it can be useful as a decentralized directory for developers and testers.
- Active Directory Federation Services (ADFS). ADFS is a claims-based identity solution that helps independent organizations connect their directory services technologies together to facilitate single sign-on and cross-organizational resource access. Today, it has become a fairly common solution because it helps organizations connect to cloud services such as Microsoft Azure.
Additionally, there are two other roles that you may be wondering about. Active Directory Certificate Services (ADCS) and Active Directory Rights Management Services (ADRMS) are often grouped in with the technologies listed above to form Microsoft’s suite of on-premises Active Directory technologies.
There are also products outside of the immediate Active Directory family, such as Microsoft Forefront Identity Manager (FIM).
Beyond the on-premises technologies, there are also several cloud-based solutions, such as Azure Active Directory and Azure Multi-Factor Authentication.
Azure Active Directory: Best Practices
Azure Active Directory (Azure AD) is an extension for AD that extends your control and monitoring capabilities to hybrid and external platforms, devices, and applications. It is a critical part of your cybersecurity tools.
First, it’s best to review some of the existing resources on Azure AD. Here are the best:
- Whiteboard description of the difference between Windows Server AD and Azure AD
- A whiteboard video of how Azure AD works
- Interactive, college-style lecture on Azure AD
This video also explains Azure AD, but it additionally provides foundational information on the challenges that led to the creation of Azure AD (i.e., the enormous number of apps and the multitude of devices), while maintaining all sorts of credentials and connections with all your SaaS applications.
I also really liked the Cloud App Discovery feature: you’re able to get a detailed report on who’s using your SaaS applications.
Azure Active Directory Premium: If you’re curious about Azure AD Premium, this video is a demo of an enterprise that had data on-prem, but started to move to cloud applications such as Office 365, Workday HR, Salesforce and marketing applications.
Azure Active Directory Connect: The connector is a great tool to integrate your on-premise identity system with Azure AD and Office 365.
Azure Active Directory best practices: It’s extremely helpful to learn from others, especially what worked, what didn’t work, and how they made important, fundamental security and infrastructure decisions.
Authentication on Azure Active Directory: Before federation, a user had to share their username and password with any application that they wanted to use services on their behalf. Users had to trust unknown applications with their credentials, had to update all their applications whenever their credentials changed, and, once the credentials were handed over, every one of those applications could do whatever it wanted with them. See what federation protocols, libraries, and directories you’ll be using to authenticate on Azure AD, and 101 ways to authenticate with Azure AD.
Azure Active Directory Best Practices
Security experts advocate best practices to configure Azure AD to create a secure and stable operating environment. Here is a long list of different best practices for your consideration.
Azure Security Policy
- Enable Azure Policy Services so you can create, assign, and manage security policies.
- Manage user password policies and enforce strong passphrases that are difficult for a computer to guess.
- Use Azure Management Groups to organize users into different Azure subscriptions. Each user account subscribes to Azure, and one user might not need the same subscription type as another. Management groups allow you to control costs by assigning each user only the subscriptions they need.
- Use Azure Blueprints during account creation to automate and recreate compliant and secure environments each time.
Azure Account and Identity Management
- Make identity the primary security perimeter. No one accesses the network without authorization.
- If you are using a hybrid cloud – where you have resources both on-premises and in Azure – manage users in Azure AD as the authoritative user store, and synchronize Azure AD with your on-premises AD using Azure AD Connect.
- Enable Single Sign-on (SSO), so your users need one identity to access all of your company resources.
- Configure Azure AD Conditional Access to prevent unauthorized devices and legacy authentication protocols from connecting to your environment.
- Set up the Azure Self Service Password Reset feature so users can update and manage their passwords, but monitor password requests for any shenanigans.
- Azure AD supports multi-factor authentication. Turn that on for all of your users.
- Establish role based access control (RBAC) to provide new users with least privilege access based on their job function.
- Carefully manage and monitor the use of privileged accounts.
Azure Access Control Security
- Use the Azure Key Vault or something similar to store your application and encryption keys. Manage application and encryption keys from one system so you can revoke and deploy keys as needed.
- Use secured workstations to access Azure AD management so only a few systems in your environment can make changes to Azure.
Azure Storage Accounts
- Require secure transit protocols for any data transfers to your storage – on-premise or cloud.
- Use encryption to keep your data on disk safer.
Azure SQL Service
- Use firewalls to restrict database access to a whitelist of IP addresses.
- Enable Azure AD database authentication to manage and monitor who accesses your data.
- Encrypt your database and your database files on disk.
- Enable database auditing to log database events.
Azure Virtual Machine
- Only allow users to connect to your VMs via the VPN. Disable direct access to your VMs via RDP or SSH from the internet.
- Lock down and secure VMs.
- Enable High Availability (HA) services on your VMs.
- Install endpoint protection and monitor your VMs for malware and ransomware.
- Manage and enforce OS update policies for your VMs.
- Monitor VMs for security incidents and performance.
- Encrypt VM hardware disk files.
- Logically segment subnets in your Azure AD virtual network.
- Create specific routing behavior rules when necessary – for example, for your security appliances.
- Use virtual networking appliances for the security of your Azure stack available on the Azure Marketplace.
- Deploy perimeter network security zones, or DMZ, to keep traffic to your internal resources to a minimum.
- Avoid exposure to the internet with a solution built for hybrid IT, like site-to-site VPN or Azure ExpressRoute.
Other Azure Best Practices
- Actively monitor Azure AD for any abnormal activity that could indicate a cyberattack in process.
- Adopt the Zero Trust approach to network security and apply those principles to Azure AD.
- Subscribe to receive incident reports from Microsoft about security threats to your Azure AD environment.
- Perform pentesting to test out your security posture.
- Upgrade to Azure Security Center Standard to get the best security options available.
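Two of the Azure AD practices above (blocking legacy authentication protocols and turning on MFA for all users) expressed as Conditional Access policies, as an added example that is not part of the original article. It assumes the Microsoft.Graph PowerShell module is installed, that you hold a Conditional Access administrator role, and that $BreakGlassGroupId is a placeholder for the object ID of your emergency-access group.

```powershell
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access ("break glass") group. Always
# exclude it so a policy mistake cannot lock every administrator out.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Start in report-only mode: sign-in logs show what would have been blocked
# before anything is enforced.
$state = "enabledForReportingButNotEnforced"

$blockLegacyAuth = @{
    displayName = "CA001 - Block legacy authentication"
    state       = $state
    conditions  = @{
        # exchangeActiveSync and "other" cover the clients that cannot do modern auth
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$requireMfa = @{
    displayName = "CA002 - Require MFA for all users"
    state       = $state
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacyAuth, $requireMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# Once the report-only results look right, switch a policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -BodyParameter @{ state = "enabled" }
```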
Azure AD provides many built-in capabilities to secure your hybrid cloud environment. Varonis gives you the monitoring of your hybrid cloud with the advanced threat detection and response capabilities you need to prevent data breaches. Varonis creates individualized baselines of user behavior and compares the current activity to those baselines and our data security threat models. Any abnormal behavior that matches a threat model generates an alert that your Incident Response team can use to investigate and deal with the threat.
Check out our webinar 25 Key Risk Indicators to Help Secure Active Directory for some more tips to secure Active Directory from attackers.
Using AD Forests
Once you start working with AD, you’ll come across two terms: forests and trees. These can be very confusing to beginners. We’ve made a detailed guide to forests and trees for you, but in this section, we’ll just give a basic definition.
A forest is the highest logical container in an Active Directory configuration that contains domains, users, computers, and group policies. A single Active Directory configuration can contain more than one domain, and we call the tier above this domain the AD forest.
Under each domain, you can have several trees. These trees can each contain multiple organizational units.
This structure provides a powerful way to organize your system, but can also be a potential cybersecurity risk. Your domain forest is linked together by trust relationships between trees, and so you need to ask several key questions about your forest model with a focus on data security:
- Are there overarching policies you can set at the AD forest level?
- Do you need additional domains with different security policies or segregated network connectivity?
- Are there legal or application requirements that require separate domains in the forest?
Once you have the “autonomy and isolation” requirements documented, the design team can build the forest, domains, and GPOs according to each team or organization’s needs. In our detailed guide to forests and trees, we’ll show you how to create a secure and adaptable model.
How Varonis and Active Directory Work Together
Varonis gathers and stores the security event logs from your Domain Controllers (DC). Then it analyzes the AD log data in context with file activity, VPN activity, DNS requests, and Proxy requests to paint a clear picture of normal and abnormal behavior. Varonis analyzes user behavior patterns over time and compares known behavior patterns to current activity – if there’s AD activity that looks suspicious, or deviates from the norm for a particular user (or type of user), it triggers an alert. Security teams use these alerts to detect active threats, while leveraging the Varonis UI to investigate how the incident occurred in the first place.
Top 10 Active Directory Tutorials on the Web
Though you should now have a good understanding of the most basic features of AD, actually using the system can get confusing very quickly. But don’t go into panic mode. Instead, review our list of Active Directory tutorials, which explains this essential Windows service in 10 different ways:
- Active Directory is what makes businesses work if you’re a corporation with tens (or even hundreds) of thousands of users. Here are some great videos to help you understand:
  - A high-level overview on AD (it’s an informational video, not a tutorial)
  - Also, listen to Eli the Computer Guy on Active Directory for Windows Server 2012. He knows what he’s talking about.
- Explained by System and Network Admins, this Q&A from Server Fault does a thorough job explaining AD.
- If you’re a visual learner, I think you’d like to see these slides covering all the components of AD and how they work together.
- Even if you’re not studying for your certification, it’s fun to test yourself with these flashcards.
- Straight from the source, what is Azure Active Directory?
- Now that you know what Azure AD is, you’ll really like Sean Deuby’s compare/contrast of Windows Azure Active Directory and Windows Server Active Directory.
- At Varonis, checklists have been a beneficial tool, streamlining our process and benefiting many departments as well as cross-functional teams. While every organization operates differently, here’s a possible checklist for you to consider when planning, installing and configuring AD. And info on documenting Active Directory environments.
- A checklist, along with a gentle push in the right direction, such as this detailed AD planning and design guide just might be the right level of guidance you’ll need. And straight from the source: Best Practices for Active Directory Design to Manage Windows Networks
- Top Active Directory Complaint: Lockouts!
  - Once you’re all set up, a common AD complaint is troubleshooting an account lockout issue. The Directory Services team does a great job explaining AD’s UI behavior for account lockouts. It also discusses the differences between Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012.
  - Also, don’t miss Andy’s excellent Secrets of Active Directory Lockouts: How to Find Apps with Stale Credentials
  - Download Account Lockout Tool from Microsoft (Supported Operating Systems: Windows 2000, Windows NT, Windows Server 2003)
- While a mailing list isn’t a tutorial, sometimes you just need human help. Created in January 2001 with the aim of discussing Active Directory, it has over 1,000 subscribers and 5,000 site members.
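The lockout troubleshooting described in the list above, and the Domain Controller security log analysis mentioned in the Varonis section, reduced to a small script, as an added example that is not part of the original article. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the Security log on the PDC emulator, which records event ID 4740 for every lockout in the domain.

```powershell
Import-Module ActiveDirectory

function Get-AccountLockoutSource {
    param(
        [int]$Hours = 24,
        # Lockouts are always replicated to the PDC emulator, so query it directly.
        [string]$PdcEmulator = (Get-ADDomain).PDCEmulator
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $PdcEmulator -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        # Pull the named EventData fields out of the event XML. In 4740 the
        # "Caller Computer Name" (the machine that sent the bad passwords) is
        # stored in TargetDomainName, and SubjectUserName is the DC that saw it.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $event.TimeCreated
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
            ReportingDC    = $data['SubjectUserName']
        }
    }
}

# Repeated lockouts of the same account from the same computer usually point to a
# service, scheduled task or mapped drive still holding an old password, which is
# the "stale credentials" case from the lockout articles above.
Get-AccountLockoutSource -Hours 72 |
    Group-Object LockedAccount, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';  e = { $_.Group[0].LockedAccount } },
        @{ n = 'Caller';   e = { $_.Group[0].CallerComputer } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time } } |
    Format-Table -AutoSize
```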
A Final Word
AD is a powerful system for system administrators. It allows you to monitor, control, and manage multiple entities from a centralized system, and removes the need to enter dozens of usernames and passwords to access individual system components.
Because of the power of the system, though, it also presents a security risk. If you’ve read through this guide, you’ll now have a great understanding of the basics to learn Active Directory. However, you should also make sure you check out our cybersecurity tips in order to keep your system secure.
And if you want to take your knowledge and skills to the next level, take a look at our course on using PowerShell alongside AD.