
Active Directory Essentials: Set Up Your First Domain | Tutorial

“Do you have Active Directory experience?”

I’ve never seen a Windows sysadmin job posting that doesn’t ask this. Active Directory is the backbone of enterprise Windows environments – managing users, computers, permissions, and policies across thousands of devices. If you want to work in enterprise IT, AD isn’t optional.

In this guide, we’ll go from zero to a functioning domain. You’ll understand the core concepts, build your first domain controller, and learn the daily operations every AD admin needs.

What you’ll learn:

  • What Active Directory actually is (and isn’t)
  • Core concepts: forests, domains, OUs
  • Setting up your first Domain Controller
  • Users, groups, and organizational units
  • Essential daily operations

Career Value: Active Directory experience is the single most requested skill for Windows sysadmin roles. Being able to discuss forests, domains, group scopes, and LDAP with confidence will set you apart in interviews. Senior AD admins command salaries of GBP 50-70k+.


Quick Reference

Concept | What It Is                                  | Real-World Use
--------|---------------------------------------------|-------------------------------------
Forest  | Top-level AD container                      | Typically one per organization
Domain  | Security boundary                           | contoso.local, corp.company.com
OU      | Organizational Unit – folder for objects    | HR Users, London Servers
DC      | Domain Controller – server running AD       | Authentication, DNS, policies
DN      | Distinguished Name – full path to an object | CN=John,OU=Users,DC=contoso,DC=local

What Is Active Directory?

Active Directory Domain Services (AD DS) is Microsoft’s directory service. Think of it as a database of everything in your network:

  • Users – People who log in
  • Computers – Devices joined to the domain
  • Groups – Collections of users/computers
  • Policies – Settings applied across the network

What AD Does

  • Authentication: “Is this really John?” (Kerberos)
  • Authorization: “Can John access this file?” (Permissions)
  • Directory: “Where is the printer?” (LDAP queries)
  • Policy: “Force these settings on all laptops” (Group Policy)

AD vs Azure AD

This trips people up:

Active Directory (AD DS) | Azure Active Directory (Azure AD)
-------------------------|----------------------------------
On-premises              | Cloud-based
LDAP + Kerberos          | SAML + OAuth/OIDC
Group Policy             | Intune/Conditional Access
Your servers             | Microsoft’s servers
Full control             | Managed service

Many environments use both (hybrid identity). We’ll cover that in the Azure series.

The Hierarchy: Forests, Domains, OUs

Forest: contoso.local
|
+-- Domain: contoso.local
|   +-- OU: Users
|   |   +-- OU: HR
|   |   +-- OU: IT
|   +-- OU: Computers
|   |   +-- OU: Workstations
|   |   +-- OU: Servers
|   +-- OU: Groups
|
+-- Domain: subsidiary.contoso.local (child domain)

Forest

  • Top-level container
  • Shares a common schema
  • Most organizations have ONE forest
  • Multiple forests = complexity (avoid unless necessary)

Domain

  • Security boundary
  • Users authenticate to a domain
  • Named like DNS: contoso.local or corp.company.com
  • Can have child domains: uk.contoso.local

Organizational Unit (OU)

  • Folders for organizing objects
  • NOT a security boundary
  • Used for applying Group Policy
  • Structure often mirrors org chart or geography

Pro Tip: In interviews, know the difference between domains (security boundary) and OUs (organizational structure). OUs do NOT provide security isolation.

Setting Up Your First Domain Controller

Prerequisites

  • Windows Server (2019 or 2022)
  • Static IP address configured
  • Server renamed to a meaningful name (DC01, SVR-DC-01)
  • DNS pointing to itself (we’ll fix this)

Step 1: Install AD DS Role

GUI Method:

Server Manager → Add Roles and Features →
Active Directory Domain Services → Install

PowerShell Method:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Step 2: Promote to Domain Controller

After installation, you’ll see a notification flag in Server Manager. Click it and select “Promote this server to a domain controller.”

For a new forest:

# Creates a new forest with a single root domain and installs the DNS Server role here.
# The Safe Mode (DSRM) password is used for offline recovery of this DC. The lab value
# is inline for brevity; outside a lab, read it with Read-Host -AsSecureString so it
# never sits in your PowerShell history.
Install-ADDSForest `
    -DomainName "yourdomain.local" `
    -DomainNetBIOSName "YOURDOMAIN" `
    -InstallDNS:$true `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force)

The server will restart. When it comes back up, you’ll have a functioning domain.

Step 3: Verify Installation

# Check domain
Get-ADDomain

# Check forest
Get-ADForest

# Check DC
Get-ADDomainController

# Check DNS
Resolve-DnsName yourdomain.local
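The four commands above confirm that the AD DS objects exist, but a DC that clients cannot locate through DNS is still a broken domain. The following is an added example, not part of the original tutorial, that rolls the verification into one function and adds the checks a practitioner runs after promotion: the DC locator SRV record, the DC’s own DNS client pointing at itself (the prerequisite above), and the SYSVOL/NETLOGON shares that Group Policy depends on. It assumes the domain name used throughout this guide, `yourdomain.local`, and that it is run on the new DC itself.

```powershell
# Added example (not from the original tutorial): a post-promotion health check.
# Assumes the domain name used in this guide and that it runs on the new DC
# with the ActiveDirectory module present (installed with the RSAT tools above).
function Test-NewDomainController {
    param(
        [string]$DomainName = "yourdomain.local"
    )

    $results = [ordered]@{}

    # 1. The domain and forest objects exist and are readable
    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest
    $results['Domain']      = $domain.DNSRoot
    $results['ForestMode']  = $forest.ForestMode
    $results['PDCEmulator'] = $domain.PDCEmulator

    # 2. This server is registered as a DC and holds a global catalog
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME
    $results['IsGlobalCatalog'] = $dc.IsGlobalCatalog

    # 3. DNS: the locator SRV record clients use to find a DC must resolve.
    #    If this fails, domain joins and logons fail even though AD DS is installed.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $results['DcLocatorSrvRecord'] = [bool]$srv

    # 4. The DC's own DNS client should point at itself (or loopback)
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses
    $localIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    $results['DnsPointsToSelf'] = [bool]($dnsServers |
        Where-Object { $localIPs -contains $_ -or $_ -eq '127.0.0.1' })

    # 5. SYSVOL and NETLOGON must be shared or Group Policy will not apply
    $shares = (Get-SmbShare).Name
    $results['SysvolShared']   = $shares -contains 'SYSVOL'
    $results['NetlogonShared'] = $shares -contains 'NETLOGON'

    [pscustomobject]$results
}

Test-NewDomainController -DomainName "yourdomain.local" | Format-List
```

Every property should read `True` (or a sensible value) on a healthy new DC; a `False` in `DcLocatorSrvRecord` or `DnsPointsToSelf` is the usual reason the computer-join step later in this guide fails.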

Users, Groups, and OUs

Creating Users

GUI: Active Directory Users and Computers (ADUC)

Server Manager → Tools → Active Directory Users and Computers
Right-click OU → New → User

PowerShell:

# Creates an enabled user in the Users OU with a temporary password that must be
# changed at first logon. The UPN is what the user types to sign in.
New-ADUser -Name "John Smith" `
    -GivenName "John" `
    -Surname "Smith" `
    -SamAccountName "jsmith" `
    -UserPrincipalName "jsmith@yourdomain.local" `
    -Path "OU=Users,DC=yourdomain,DC=local" `
    -AccountPassword (ConvertTo-SecureString "TempP@ss123" -AsPlainText -Force) `
    -Enabled $true `
    -ChangePasswordAtLogon $true

Creating Groups

Two group types you must understand:

Security Groups – Used for permissions

  • “HR Team” can access the HR folder
  • “IT Admins” can RDP to servers

Distribution Groups – Used for email

  • “All Staff” email list
  • No security function

Group Scopes:

Scope        | Can Contain             | Can Be Used In
-------------|-------------------------|--------------------
Domain Local | Anything                | Same domain only
Global       | Same domain objects     | Anywhere in forest
Universal    | Anything from forest    | Anywhere in forest

# Create a security group
New-ADGroup -Name "IT-Admins" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Groups,DC=yourdomain,DC=local"

# Add member
Add-ADGroupMember -Identity "IT-Admins" -Members "jsmith"

Creating OUs

# Create OU structure
New-ADOrganizationalUnit -Name "Company" -Path "DC=yourdomain,DC=local"
New-ADOrganizationalUnit -Name "Users" -Path "OU=Company,DC=yourdomain,DC=local"
New-ADOrganizationalUnit -Name "Computers" -Path "OU=Company,DC=yourdomain,DC=local"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=Company,DC=yourdomain,DC=local"

Essential Daily Operations

Finding Objects

# Find a user
Get-ADUser -Identity "jsmith"
Get-ADUser -Filter "Name -like '*smith*'"

# Find all users in an OU
Get-ADUser -SearchBase "OU=HR,OU=Users,DC=yourdomain,DC=local" -Filter *

# Find disabled accounts
Get-ADUser -Filter {Enabled -eq $false}

# Find computers
Get-ADComputer -Filter * | Select-Object Name

Password Operations

# Reset password
Set-ADAccountPassword -Identity "jsmith" -Reset -NewPassword (ConvertTo-SecureString "NewP@ss123" -AsPlainText -Force)

# Force password change at next logon
Set-ADUser -Identity "jsmith" -ChangePasswordAtLogon $true

# Unlock account
Unlock-ADAccount -Identity "jsmith"

Account Management

# Disable account
Disable-ADAccount -Identity "jsmith"

# Enable account
Enable-ADAccount -Identity "jsmith"

# Move user to different OU
Move-ADObject -Identity "CN=John Smith,OU=IT,DC=yourdomain,DC=local" -TargetPath "OU=HR,DC=yourdomain,DC=local"

Joining a Computer to Domain

From the client machine:

GUI:

System Properties → Computer Name → Change → Domain
Enter domain name → Provide credentials

PowerShell:

Add-Computer -DomainName "yourdomain.local" -Credential (Get-Credential) -Restart

LDAP: The Query Language of AD

Active Directory speaks LDAP (Lightweight Directory Access Protocol). Understanding LDAP paths is essential.

Distinguished Names (DN)

Every object has a unique DN:

CN=John Smith,OU=Users,OU=Company,DC=yourdomain,DC=local

  • CN = Common Name (the object)
  • OU = Organizational Unit (the path)
  • DC = Domain Component (the domain)

LDAP Queries

# Using LDAP filter
Get-ADUser -LDAPFilter "(department=IT)"

# Find all objects modified in last 24 hours
$date = (Get-Date).AddDays(-1)
Get-ADObject -Filter {whenChanged -gt $date}
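Two details of DNs and LDAP filters catch people out once they script against AD. A DN can contain an escaped comma inside a value (`CN=Smith\, John`), so splitting on `,` breaks, and a value placed into `-LDAPFilter` is interpreted by the directory, so characters such as `*`, `(` and `)` in user-supplied input change what the query matches. The following added example, not from the original tutorial, covers both: a small DN parser that honours the escapes, and an escaping helper for filter values. The sample DN and the department value are constructed inputs.

```powershell
# Added example (not from the original tutorial): safe handling of DNs and LDAP filters.
# Sample DN and user input below are constructed for illustration.

# Split a DN into its RDNs, honouring RFC 4514 escapes such as "Smith\, John".
function ConvertFrom-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    $parts   = [System.Collections.Generic.List[string]]::new()
    $current = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $DN.Length; $i++) {
        $c = $DN[$i]
        if ($c -eq '\' -and $i + 1 -lt $DN.Length) {
            # keep the escaped character (e.g. "\," or "\=") inside the current RDN
            [void]$current.Append($DN[$i + 1]); $i++
        } elseif ($c -eq ',') {
            $parts.Add($current.ToString()); [void]$current.Clear()
        } else {
            [void]$current.Append($c)
        }
    }
    $parts.Add($current.ToString())
    foreach ($p in $parts) {
        $type, $value = $p -split '=', 2
        [pscustomobject]@{ Type = $type.Trim(); Value = $value }
    }
}

# Escape a value before placing it inside an LDAP filter (RFC 4515).
# Without this, a search driven by typed input containing "*", "(", ")" or "\"
# can match more objects than the operator intended.
function Get-LdapEscapedValue {
    param([Parameter(Mandatory)][string]$Value)
    $map = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    $sb  = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        $key = [string]$ch
        if ($map.ContainsKey($key)) { [void]$sb.Append($map[$key]) }
        else                        { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

# Constructed sample DN with an escaped comma in the CN
$dn = 'CN=Smith\, John,OU=Users,OU=Company,DC=yourdomain,DC=local'
ConvertFrom-DistinguishedName -DN $dn | Format-Table
# Type Value
# CN   Smith, John
# OU   Users
# OU   Company
# DC   yourdomain
# DC   local

# Department value as typed by a helpdesk operator (constructed input)
$department = 'IT'
$filter = "(&(objectCategory=person)(objectClass=user)(department=$(Get-LdapEscapedValue $department)))"
Get-ADUser -LDAPFilter $filter -Properties department | Select-Object SamAccountName, department
```

Note the difference from `-Filter`: that parameter takes a PowerShell-style expression that the module translates for you, whereas `-LDAPFilter` is sent to the directory as written, which is why the escaping step belongs there.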

Troubleshooting Common Issues

Problem: User Can’t Log In

Check these in order:

# Is account locked?
Get-ADUser jsmith -Properties LockedOut

# Is account disabled?
Get-ADUser jsmith -Properties Enabled

# Has password expired?
Get-ADUser jsmith -Properties PasswordExpired

# Can you reach a DC?
nltest /dsgetdc:yourdomain.local
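Running the four checks one at a time is fine on a quiet day; during an incident you want them in one call, together with the two things the list leaves out: whether the account itself has expired, and which machine the bad passwords came from. Lockout events (ID 4740) are always recorded on the PDC emulator, so that is the DC to ask. The following added example, which is not from the original tutorial, wraps all of this into a single function. It assumes the domain name used in this guide and that the caller can read the Security log on the PDC emulator.

```powershell
# Added example (not from the original tutorial): the "user can't log in" checks
# from this section in one function, plus account expiry and lockout source.
# Assumes the domain name from this guide and read access to the PDC's Security log.
function Test-UserLogonState {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainName = "yourdomain.local"
    )

    $props = 'LockedOut','Enabled','PasswordExpired','PasswordLastSet','AccountExpirationDate',
             'LastBadPasswordAttempt','BadLogonCount','LastLogonDate'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    $problems = @()
    if ($u.LockedOut)       { $problems += "Locked out (last bad password: $($u.LastBadPasswordAttempt))" }
    if (-not $u.Enabled)    { $problems += "Account is disabled" }
    if ($u.PasswordExpired) { $problems += "Password expired (last set $($u.PasswordLastSet))" }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $problems += "Account expired on $($u.AccountExpirationDate)"
    }

    # Lockouts are written on the PDC emulator; event 4740 names the calling computer
    $pdc = (Get-ADDomain -Identity $DomainName).PDCEmulator
    $lockouts = Get-WinEvent -ComputerName $pdc -MaxEvents 50 -ErrorAction SilentlyContinue `
                    -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        Select-Object -First 3 TimeCreated,
            @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }

    # Client side: can this machine locate a DC for the domain at all?
    $dcReachable = $null -ne (nltest /dsgetdc:$DomainName 2>$null | Select-String 'DC:')

    [pscustomobject]@{
        User           = $u.SamAccountName
        Problems       = if ($problems) { $problems -join '; ' } else { 'No account-side problem found' }
        BadLogonCount  = $u.BadLogonCount
        LastLogonDate  = $u.LastLogonDate
        RecentLockouts = $lockouts
        DcReachable    = $dcReachable
    }
}

Test-UserLogonState -SamAccountName "jsmith" | Format-List
```

A recurring `CallerComputer` in `RecentLockouts` usually points at a stale saved credential or scheduled task on that machine; unlocking the account without clearing it only buys a few minutes before the next lockout.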

Problem: Computer Won’t Join Domain

Common causes:

  • DNS not pointing to DC
  • Wrong credentials
  • Computer name already exists
  • Network connectivity

# Check DNS
nslookup yourdomain.local

# Check DC connectivity
Test-ComputerSecureChannel -Verbose

# Check for duplicate computer
Get-ADComputer -Filter "Name -eq 'WORKSTATION01'"

Problem: Replication Issues

# Check replication status
repadmin /replsummary

# Force replication
repadmin /syncall /A /e

# Check for replication errors across the whole domain
# (-Scope Domain is needed; without it -Target is treated as a single server name)
Get-ADReplicationFailure -Target yourdomain.local -Scope Domain

Interview Questions

Q1: “Explain the AD hierarchy.”

Good Answer: “At the top is the forest – the security boundary that shares a common schema. Within a forest, you have domains which are authentication boundaries – users log into a domain. Within domains, Organizational Units provide structure for management and Group Policy application, but they’re not security boundaries. Most organizations have one forest with one domain and use OUs to organize by department or location.”

Q2: “What’s the difference between security and distribution groups?”

Good Answer: “Security groups are used for assigning permissions – file access, application access, delegated rights. They have a SID. Distribution groups are for email distribution lists – no security function, just an email address. In practice, security groups can also be email-enabled, so many organizations use security groups for everything.”

Q3: “A user calls saying they can’t log in. Walk me through troubleshooting.”

Good Answer: “First, verify the username. Then check if the account is locked out – this is the most common issue. Check if the account is disabled or expired. Verify the password hasn’t expired. Then check client-side: can they reach a DC? Is DNS working? Is their computer’s secure channel valid? I’d use Get-ADUser with the relevant properties and nltest to check DC connectivity.”

Career Application

On your resume:

  • “Managed Active Directory environment with X users across Y sites”
  • “Administered user lifecycle: provisioning, modifications, deprovisioning”
  • “Implemented OU structure and delegation model”

Skills to highlight:

  • User and group management
  • LDAP understanding
  • Troubleshooting authentication issues
  • PowerShell AD administration

Next Steps

Active Directory is the foundation. Next, we’ll learn PowerShell to automate all of this at scale.

Windows Fundamentals Series

Part 2 of 6

Previous: Windows Server Basics | Next: PowerShell Basics
