Windows Server 2022 - AD DS


Microsoft Windows Active Directory

Introduction to Windows Active Directory

Microsoft Active Directory Domain Services are the foundation for distributed networks built on Windows 2000 Server, Windows Server 2003 and Microsoft Windows Server 2008 operating systems that use domain controllers.

Active Directory Domain Services provide secure, structured, hierarchical data storage for objects in a network such as users, computers, printers, and services.

Active Directory Domain Services provide support for locating and working with these objects.

Windows 2000 Server and later operating systems provide a user interface for users and administrators to work with the objects and data in Active Directory Domain Services.

Active Directory stores the identity information of users, applications, and resources in a multi-master database.

This database is a file called ntds.dit. It is based on the Joint Engine Technology (JET) database engine.

Because the database is multi-master, the data in it can be modified on any domain controller.

The Active Directory database can store some 2 billion objects.

Users can use the identity data stored in Active Directory from anywhere in the network in order to access resources.

Administrators can manage authentication and authorization of the organizational identities from a centralized location.

Without directory services, identities would be duplicated across different systems and add administrative overhead to manage.

There are organizations that use a single domain controller. But when it comes to complex business requirements such as branch offices, they are required to have multiple domain controllers.

If the identities are managed from a centralized system, it is important that each domain controller be aware of the changes that have been made to the Active Directory database.

Microsoft Active Directory has two types of replication.

If a domain controller advertises the changes made on that particular domain controller to neighbouring domain controllers, it is called outbound replication.

If a domain controller accepts changes advertised by neighbouring domain controllers, it is called inbound replication.

The replication connections (from whom and to whom) and the replication schedule can be modified based on the business requirements.

Logical components of Active Directory help you structure the identity infrastructure by considering design, administration, extensibility, security, and scalability.

The Active Directory logical structure contains two types of objects: container objects and leaf objects.

Container objects can be associated with other objects in the logical structure.

Leaf objects are the smallest components in the logical structure. They will not have any other child objects associated.

Let's look at some basic terms.

Active Directory Basic Terms

Forests

The Active Directory forest represents a complete Active Directory instance. It is made of one or more domains and domain trees. Each domain has its own characteristics, boundaries, and resources allocated. But at the same time, it shares a common logical structure, schema, and directory configuration within the forest.

Domains in the Active Directory forest will have a two-way trust relationship.

Domains in a forest can be assigned any domain name.

When the first domain controller in the Active Directory service creates the first domain, it creates the forest as well. This first domain will become the forest root domain.

A domain tree contains its own root domain. Thus a forest can contain multiple root domains, as the forest can contain multiple domain trees.

All the domains within an Active Directory forest are bound with each other by a two-way trust relationship.

Two forests cannot directly communicate with each other, meaning they do not share the security (authentication) database.

Domains

The domain contains the logical components to achieve administrative goals in the organization. By default, the domain becomes the security boundary for the objects inside it. Objects in the domain are also controlled by the security rules defined. These security rules are only applicable within that particular domain and are not valid for any object outside the domain boundaries.

A domain also allows you to set smaller administrative boundaries within the organization.

The domain is a partition of Active Directory. Each of the domain controllers also has a copy of the domain partition. All the information about objects in that particular domain is saved in that domain partition.

A domain may be used to represent a branch or a subsidiary of an organization. Thus all the information like users, computers, printers etc. of that particular branch or subsidiary is stored in a domain database.

Domain trees

A domain tree is a collection of domains that reflects the organization's structure. Domains inside the domain tree have a parent-child relationship. The first domain in the domain tree is called the parent domain. This is the root domain as well. All other domains in the domain tree are children of this root domain. Within the domain tree, domains will share the same contiguous namespace.

The root domain name within a domain tree is appended to the individual domain names.

Forest – abc.int

Domain tree 1:
  abc.int (Forest root domain)
    xyz.abc.int (Child domain)
    mnc.abc.int (Child domain)

Domain tree 2:
  lmn.lab (Root domain)
    a1.lmn.lab (Child domain)
    a2.lmn.lab (Child domain)

Each of the child domains maintains its own domain partition. This configuration data will be replicated only to the domain controllers in the same child domain.

When a child domain is introduced to the domain tree, it will automatically create a direct two-way trust relationship with the parent domain.

Two child domains within the same domain tree are bound with a two-way transitive trust.

If two child domains on different domain trees want to authenticate, the authentication traffic must pass through the forest root domains.

Organizational units

Within the organization, objects can be categorized into different groups considering the operations, organizational structure, geographical locations, or roles and responsibilities. Organizational units help group objects on a smaller scale within the domain. The most common way is to group objects that have similar security and administrative requirements together.

For example, there are more than 50 users in the sales department. The sales department uses common shared folders and printers. Their security requirements for data and network are similar. We can create an organizational unit (OU) called sales and put all the sales department users into it. We can now apply security policies at the OU level instead of the user level.

When deploying a domain controller, it creates a default OU structure to segment the most common object types, such as users, computers, and domain controllers. The administrator can add, remove, and delete OUs as required.

Once an object is assigned to an OU, it inherits the security settings and permissions applied at the OU level. If the same object is moved to a different OU, it will apply the settings from the new OU and discard the settings that were applied from the previous OU.

Organizational units also help delegate administrative control to individuals for specific tasks. It is possible to create administrators and assign them to manage the objects and resources of an organizational unit.

OUs can also contain child OUs along with other objects like users, computers, groups, printers etc.

Domain controllers

The domain controller is a computer that runs a Windows Server operating system and holds the Active Directory Domain Services role. It can be either a physical server or a virtual server. The domain controller holds the directory partition that will be replicated to the other domain controllers in the same domain. The domain can have any number of domain controllers.

Since Windows 2000, there has been support for multi-master mode. Any object-level changes made on one domain controller will be replicated to all other domain controllers.

An additional domain controller holds a read/write replica of the domain database.

A Read Only Domain Controller (RODC) holds a read-only copy of the directory partition, which means no changes can be made on this domain controller.

Functional Level

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

When you deploy a new forest, you are prompted to set the forest functional level and then set the domain functional level. You can set the domain functional level to a value that is higher than the forest functional level, but you cannot set the domain functional level to a value that is lower than the forest functional level.

Forest Functional Level

The forest functional level decides which Windows Server editions can be added as a domain controller in any domain in the entire forest. The forest functional level is set when you install the first domain controller and create a forest and a domain.

The Windows Server edition present on that server decides the maximum forest functional level that you can set. If the OS on the first domain controller is Windows Server 2016 then you can set the forest functional level to Windows Server 2016, which is the highest level. You can also set earlier OS versions like Windows Server 2012 R2, Windows Server 2012 etc. as the forest functional level.

Whatever forest functional level you have set, you can then add that Windows Server version or a higher version as a domain controller in that forest.

The forest functional level can be changed later also.

Domain Functional Level

The domain functional level works the same way as the forest functional level, however the domain functional level affects the domain only. The forest functional level is set when the forest is created. But the domain functional level needs to be set each time you add a new domain to the forest (root domain or child domain). Each domain can be set to have a different domain functional level. The domain functional level can be higher than the forest functional level but cannot be lower than the forest functional level.

The domain functional level affects which Windows Server OS can be added as an additional domain controller or as a read-only domain controller in the domain.

The domain functional level can be changed later.

Global catalog server

The global catalog server holds the full writeable copy of the objects in its host domain and a partial copy of the objects in the other domains in the same forest. The partial replica contains a copy of every object in the forest and the attributes most commonly used by queries.

Applications and users in one domain can query for the objects in another domain (same forest) via the global catalog server.

Not all domain controllers in the domain are global catalog servers by default. When installing the first domain controller, it will become the global catalog server, and other domain controllers can be promoted to global catalog servers according to business requirements. Every domain controller in the domain does not need to be a global catalog server.

Active Directory sites

The AD DS site defines the physical topology of the network. Sites can be separate buildings in a campus network, a branch office in a separate city or even in a separate country. Your site topology significantly affects the performance of your network and the ability of your users to access network resources.

Active Directory Domain Services (AD DS) uses a multimaster, store-and-forward method of replication. A domain controller communicates directory changes to a second domain controller, which then communicates to a third, and so on, until all domain controllers have received the change.

To achieve the best balance between reducing replication latency and reducing traffic, site topology controls Active Directory replication by distinguishing between replication that occurs within a site and replication that occurs between sites.

Within sites, replication is optimized for speed: data updates trigger replication, and the data is sent without the overhead required by data compression. Conversely, replication between sites is compressed to minimize the cost of transmission over wide area network (WAN) links. When replication occurs between sites, a single domain controller per domain at each site collects and stores the directory changes and communicates them at a scheduled time to a domain controller in another site.

Domain controllers use site information to inform Active Directory clients about domain controllers present within the site closest to the client. For example, consider a client in the Seattle site that does not know its site affiliation and contacts a domain controller from the Atlanta site. Based on the IP address of the client, the domain controller in Atlanta determines which site the client is actually from and sends the site information back to the client.

The domain controller also informs the client whether the chosen domain controller is the closest one to it. The client caches the site information provided by the domain controller in Atlanta, queries for the site-specific service (SRV) resource record (a Domain Name System (DNS) resource record used to locate domain controllers for AD DS) and thereby finds a domain controller within the same site. By finding a domain controller in the same site, the client avoids communications over WAN links.

If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself (registers a site-specific service (SRV) resource record in DNS) in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication.

The File Replication Service (FRS) or Distributed File System Replication (DFSR) replicates changes made to the SYSVOL folders from one domain controller to other domain controllers. FRS and DFSR replicate these changes according to the schedule that you create during your site topology design.

By publishing services such as file and print services in AD DS, you allow Active Directory clients to locate the requested service within the same or the nearest site. Print services use the location attribute stored in AD DS to let users browse for printers by location without knowing their precise location.

The administrator who manages the site topology is known as the site topology owner.

Active Directory replication terms important for understanding sites and their design:

Connection object

A connection object is an Active Directory object that represents a replication connection from a source domain controller to a destination domain controller. A domain controller is a member of a single site and is represented in the site by a server object in Active Directory Domain Services (AD DS). Each server object has a child NTDS Settings object that represents the replicating domain controller in the site. For replication to occur between two domain controllers, the server object of one must have a connection object that represents inbound replication from the other. All replication connections for a domain controller are stored as connection objects under the NTDS Settings object.

The connection object identifies the replication source server, contains a replication schedule, and specifies a replication transport.

Knowledge Consistency Checker (KCC)

The KCC is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate the addition of new domain controllers, the removal of existing domain controllers, the movement of domain controllers to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable or in an error state.

When you have more than one site, you configure site links between sites, and a single KCC in each site automatically creates connections between sites as well.

The KCC reviews the replication status of existing connections to determine if any connections are not working. If a connection is not working due to a failed domain controller, the KCC automatically builds temporary connections to other replication partners (if available) to ensure that replication occurs. If all the domain controllers in a site are unavailable, the KCC automatically creates replication connections between domain controllers from another site.

Subnet

A subnet is a segment of a TCP/IP network to which a set of logical IP addresses are assigned. Subnets group computers in a way that identifies their physical proximity on the network. Subnet objects in AD DS identify the network addresses that are used to map computers to sites.

Site link

Site links are Active Directory objects that represent logical paths that the KCC uses to establish a connection for Active Directory replication. A site link object represents a set of sites that can communicate at uniform cost through a specified intersite transport. All sites contained within the site link are considered to be connected by means of the same network type.

Sites must be manually linked to other sites by using site links so that domain controllers in one site can replicate directory changes from domain controllers in another site. Because site links do not correspond to the actual path taken by network packets on the physical network during replication, you do not need to create redundant site links to improve Active Directory replication efficiency.

Site link bridge

A site link bridge is an Active Directory object that represents a set of site links, all of whose sites can communicate by using a common transport. Site link bridges enable domain controllers that are not directly connected by means of a communication link to replicate with each other. Typically, a site link bridge corresponds to a router (or a set of routers) on an IP network.

Site link bridges are only necessary if a site contains a domain controller hosting a directory partition that is not also hosted on a domain controller in an adjacent site, but a domain controller hosting that directory partition is located in one or more other sites in the forest. Adjacent sites are defined as any two or more sites included in a single site link.

Site link transitivity

By default, all site links are transitive, or "bridged." When site links are bridged and the schedules overlap, the KCC creates replication connections that determine domain controller replication partners between sites, where the sites are not directly connected by site links but are connected transitively through a set of common sites. This means that you can connect any site to any other site through a combination of site links.

In general, for a fully routed network, you do not need to create any site link bridges unless you want to control the flow of replication changes. If your network is not fully routed, site link bridges should be created to avoid impossible replication attempts.
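As an added example (not part of the original document), the following PowerShell builds the Seattle/Atlanta two-site topology used in the text: it creates the sites, maps subnets to them, links them with a cost and replication interval, and reads back whether site link bridging is enabled. It assumes the ActiveDirectory RSAT module on a domain-joined administrative host; the subnet prefixes, cost and interval are constructed lab values.

```powershell
# Added example, not code from the original document. Site names follow the text's scenario;
# the 10.x.x.x prefixes, cost 100 and 15-minute interval are constructed lab values.
Import-Module ActiveDirectory

$sites = @{
    # Site name -> IP prefixes; subnet objects are what a DC uses to tell a client its site
    'Seattle' = @('10.10.0.0/16')
    'Atlanta' = @('10.20.0.0/16', '10.21.0.0/24')
}

foreach ($siteName in $sites.Keys) {
    # Create the site only if it does not already exist (idempotent re-runs)
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    foreach ($prefix in $sites[$siteName]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
            New-ADReplicationSubnet -Name $prefix -Site $siteName
        }
    }
}

# Sites must be linked manually. Intersite replication is compressed and runs on the
# link's schedule rather than on change notification, so cost and interval matter.
$linkName = 'Seattle-Atlanta'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded 'Seattle', 'Atlanta' `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# Check: every subnet should resolve to a site. A client on a prefix with no subnet object
# cannot be told its site and may authenticate across the WAN against any DC.
Get-ADReplicationSubnet -Filter * -Properties Site |
    Select-Object Name, @{ Name = 'Site'; Expression = {
        if ($_.Site) { (Get-ADObject -Identity $_.Site).Name } else { '(unassigned)' } } } |
    Sort-Object Site, Name

# Site link transitivity ("Bridge all site links") is bit 0x2 of the options attribute on
# the IP inter-site transport object; the bit SET means bridging is disabled.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
$bridgeAll   = -not ([int]$ipTransport.options -band 0x2)
"Bridge all site links (transitive site links): $bridgeAll"
```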
Active Directory objects

Within an organization, there are many physical entities. These can be either employees or resources. In order to manage those using Active Directory Domain Services, each of these physical entities needs to be presented to Active Directory. Active Directory will understand these entities as objects.

In Active Directory, there are two types of objects. Container objects can store other objects in Active Directory. The domain or OU is an example of a container object. Leaf objects cannot store other objects in Active Directory. A service account is an example of a leaf object.

Active Directory objects need attributes to describe their nature. First name, Last name, Full name, and User logon name are some of the attributes of a User object.

Different objects have different attributes. Active Directory has different types of object classes. Users, groups, computers, printers, and domain controllers are examples of object classes. The attributes of a user object will be different from those of a computer object or a printer object. However, all objects of the same type will have the same attributes; for example, all user objects will have the same attributes.

Within the Active Directory schema, it is defined which attributes are attached to each object class. Each attribute has a value. While creating an object it is compulsory to assign values to certain attributes. Even though the attributes are the same for the same type of objects, their values will be different. Each user object will have a different value for the Full Name, Last Name etc. attributes.

Active Directory Schema (AD Schema)

The Microsoft Active Directory schema contains formal definitions of every object class that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute that can exist in an Active Directory object.

Globally unique identifier and security identifier

In the Active Directory database, nearly 2 billion objects can be stored. Each object needs to be uniquely identified. Every time we create an object in Active Directory, it will be assigned one or two unique values. If it is a user or group object, it will receive a globally unique identifier (GUID) and a security identifier (SID).

The GUID value will be saved in the objectGUID attribute of each object and the SID value will be saved in the objectSid attribute of each object. In order to view the GUID and SID values for a user account, the following PowerShell command can be run from the domain controller (ObjectGUID and SID are part of its default output):

Get-ADUser username

ObjectGUID is a 128-bit value and is applied to each and every object in Active Directory. This value is not just for the particular Active Directory domain. It is valid globally as well. Once a GUID is assigned to an object, it will be there until the object is deleted from the directory. Modifying or moving objects will not change the value of the GUID. The ObjectGUID attribute value will be published to global catalog servers.

The SID value for an object is unique within its domain. The SID values associated with the user will be changed if the user object is migrated to another domain. An SID value assigned by one domain will not be accepted by another domain. As soon as a user object is migrated to another domain, a new SID value will be generated. Then, the old SID value will be saved in the sIDHistory attribute. This attribute can contain multiple values.

When the system creates a Kerberos ticket for user authentication, it will consider the new SID value and all other SID values listed in the sIDHistory attribute. sIDHistory is important, especially in Active Directory restructuring.

The resources in the domain decide whether to allow or deny access to a user account based on their access control list (ACL).
This ACL uses the SID values. So, if an object moves to a different domain without sIDHistory, it will lose its access to resources until the ACL is modified. But if the system considers sIDHistory when granting the access token and the old SID value is moved over to the new domain, the user is still allowed to access the resources he/she was assigned.
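The following PowerShell, added here and not part of the original document, reads the objectGUID, objectSid and sIDHistory values described above and checks the rule the text states: a SID is issued by one domain and is not accepted by another, so every sIDHistory entry of a migrated account should carry the domain part of the source domain, never of the domain the account now lives in. It assumes the ActiveDirectory module on a domain controller or RSAT host; the account name user1 is taken from the DN example later in the document.

```powershell
# Added example, not code from the original document. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SidHistory {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # ObjectGUID and SID are default properties of Get-ADUser; sIDHistory must be requested
    $user             = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
    $currentDomainSid = (Get-ADDomain).DomainSID          # S-1-5-21-... of this domain
    $history          = @($user.sIDHistory)

    $report = [pscustomobject]@{
        SamAccountName  = $user.SamAccountName
        ObjectGUID      = $user.ObjectGUID              # 128-bit; unchanged by moves or renames
        ObjectSid       = $user.SID.Value               # domain SID + RID; reissued on migration
        CurrentDomain   = $currentDomainSid.Value
        SidHistoryCount = $history.Count
        SameDomainSids  = @()                           # entries that violate the rule above
    }

    foreach ($old in $history) {
        $oldSid = [System.Security.Principal.SecurityIdentifier]$old
        # AccountDomainSid is the SID without its trailing RID ($null for well-known SIDs)
        $domainPart = $oldSid.AccountDomainSid
        if ($domainPart -and $domainPart.Value -eq $currentDomainSid.Value) {
            # A migration copies SIDs issued by the source domain; this domain never issues
            # an "old" SID for its own object, so such an entry deserves investigation.
            $report.SameDomainSids += $oldSid.Value
        }
    }
    return $report
}

# One account (name taken from the document's DN example)
Test-SidHistory -SamAccountName 'user1' | Format-List

# Every account that carries sIDHistory, showing only those with a same-domain entry
Get-ADUser -Filter 'sIDHistory -like "*"' |
    ForEach-Object { Test-SidHistory -SamAccountName $_.SamAccountName } |
    Where-Object { $_.SameDomainSids.Count -gt 0 } |
    Format-Table SamAccountName, ObjectSid, SidHistoryCount, SameDomainSids -AutoSize
```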

Distinguished names

Distinguished names in Active Directory are used to identify an object uniquely. A distinguished name uses the full path to the object within the directory, which helps you uniquely identify an object.

There are three types of Active Directory naming attributes that are used to generate distinguished names:

organizationName (O) or organizationalUnitName (OU): Organization represents the root-level domain. The organizational unit refers to the OU in which the object is located.

domainComponent (DC): This is the naming attribute for the domain and the DNS. If the DNS name for the domain is abc.int, the domain component for it will be DC=abc,DC=int.

commonName (CN): This refers to the objects and containers within the directory.

The distinguished name for a user will be as follows:

CN=user1,OU=sales,DC=abc,DC=int
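As an added example (not from the original document), the PowerShell below builds the distinguished name shown above from its parts, turning the DNS name abc.int into DC=abc,DC=int and nesting the OU and CN in front of it, and splits a DN back into its naming attributes. It needs no AD module; the function names and the "Doe, Jane" sample value are constructed for the example.

```powershell
# Added example, not code from the original document. Plain PowerShell, no AD module needed.

function ConvertTo-DomainComponents {
    param([Parameter(Mandatory)][string]$DnsName)
    # abc.int -> DC=abc,DC=int : one DC= component per DNS label, left to right
    return (($DnsName -split '\.') | ForEach-Object { "DC=$_" }) -join ','
}

function Escape-RdnValue {
    param([string]$Value)
    # RFC 4514: characters that would otherwise be read as DN syntax must be escaped
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    if ($escaped.StartsWith('#') -or $escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' ')) { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

function New-ObjectDn {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [string[]]$OuPath = @(),            # innermost OU first, e.g. 'sales' or 'emea','sales'
        [Parameter(Mandatory)][string]$DnsDomain
    )
    # DN reads from the most specific component to the least specific one
    $parts = @("CN=$(Escape-RdnValue $CommonName)")
    foreach ($ou in $OuPath) { $parts += "OU=$(Escape-RdnValue $ou)" }
    $parts += ConvertTo-DomainComponents $DnsDomain
    return $parts -join ','
}

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$Dn)
    # Split on commas that are not escaped, then split each RDN at its first '='
    $rdns = [regex]::Split($Dn, '(?<!\\),')
    foreach ($rdn in $rdns) {
        $attr, $value = $rdn -split '=', 2
        [pscustomobject]@{
            Attribute = $attr.Trim()
            Value     = $value -replace '\\(.)', '$1'   # undo the RFC 4514 escaping
        }
    }
}

$dn = New-ObjectDn -CommonName 'user1' -OuPath 'sales' -DnsDomain 'abc.int'
$dn                                          # CN=user1,OU=sales,DC=abc,DC=int
Split-DistinguishedName $dn | Format-Table -AutoSize

# A common name containing a comma shows why escaping matters when DNs are built from input
New-ObjectDn -CommonName 'Doe, Jane' -OuPath 'sales' -DnsDomain 'abc.int'
```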
Windows Active Directory
Creating a new forest

The steps mentioned in this document can be performed on Windows Server 2012 R2 and above.

This is the first step in installing Active Directory in any organization. This step will create the first forest and first domain in an organization. Once a forest and a domain are created, additional domains (either child or root domains) can be created in that forest. Additional domain controllers can also be added to the required domains.

Prerequisites:

1. A Windows Server 2012 R2 or above installed either on a physical server or on a virtual machine. For this document the Windows Server 2016 Evaluation version is used.
2. Basic knowledge about Windows Active Directory and its terms like Forest, Domain, Domain Controller, Additional Domain Controller etc.

Steps:
1. Post-install configuration of Windows Server.

A. Set the correct time zone.

In the Server Manager window that opens when the server starts, click the Local Server option as shown below. In the right side pane, click the option in front of Time zone. In the new window that opens, click the Change time zone button. In the next window, use the drop-down list to select the appropriate time zone.

Click OK. After you select the time zone, the time displayed will change. Make sure the time displayed is the current time as per your location. Click OK to close the window.

If the selected time zone is not shown in the Server Manager in front of the Time zone option, click the refresh button to refresh the Server Manager window.
B. Set the IPv4 address

To set a manual IPv4 address on the server, click the option in front of Ethernet in the Server Manager window as shown below. If multiple adapters are attached then there will be multiple entries. Select the adapter that will be used to communicate with Active Directory clients or servers.

A new window showing the Ethernet adapter will open. Double-click the adapter name. The following window will be displayed.

Click the Properties button. Again a new window opens as shown below. In that window double-click the Internet Protocol Version 4 (TCP/IPv4) option. A new window is displayed. Select the Use the following IP address option. Then provide the required IP address and subnet mask. For lab purposes the default gateway and DNS server configuration is not required. Click OK.

Then click OK on the earlier windows and close all the windows opened. Do not close the Server Manager window.

Again, if the given IP address is not displayed in the Server Manager window, click the refresh button.
C. Set a computer name for the server.

After this step, you need to restart the server. To assign a computer name to the server, in the Server Manager click either option, Computer Name or Workgroup. Both open the same window. In the following window, click the Change button. This will open the following window. In the Computer Name field specify a name for this server. Do not change anything in the Workgroup field.

Click OK. It will display a restart warning. Click OK to close all earlier windows. The server restart option will be displayed. Click Restart Now and restart the server. This will bring the new computer name into effect.

Restart is necessary to successfully install Windows Active Directory.

After the restart, log on as Administrator and you are ready to install your first forest and create your first Active Directory domain.
2. Install Active Directory Domain Services (ADDS)

A. Install Active Directory Domain Services (ADDS)

To create a new forest and a new domain, you need to first install the Windows Active Directory Domain Services (ADDS) role. This will copy all the files and create the directory structure required. You do not require Windows Server installation media (CD/DVD/USB) for any of the steps.

To install ADDS, in the Server Manager window, click the Manage option. Then click the Add Roles and Features option. Click Next on all the screens displayed till the following screen is displayed. In this screen, select the check box in front of the Active Directory Domain Services role. As the check box is selected the following screen is displayed. Click the Add Features button.

Click Next on all screens till you get the following final screen. Click the Install button to start installing the ADDS role on the server. Once the installation is complete, the following screen will be displayed. Make sure the installation succeeded without any errors. Click Close.
B. Configure Windows Active Directory Domain Services (ADDS)

Once the ADDS role is successfully installed, the Server Manager window will display a yellow triangle near the flag in the upper right corner as shown below. Click on that triangle to display the following option. Click the Promote this server to a domain controller option in the post-deployment configuration section. This will open the following window.

Select the Add a new forest option and specify a Root domain name. This will create a new forest with the same name as provided for the root domain. Thus a new forest and a new domain tree will be created. Click Next. The following window opens.
In this window you need to set the Forest Functional Level and Domain Functional Level.

The Forest Functional Level decides which Windows Server editions can be added as
domain controllers anywhere in the forest. If the forest functional level is set to Windows Server
2016, then only Windows Server 2016 and later editions (2019, 2022) can be added as
domain controllers. In other words, if you want to add another domain to this forest, the
server on which you install the ADDS role needs to run Windows Server 2016, 2019 or 2022.
Earlier versions such as Windows Server 2012 R2 are not allowed; an error is displayed if you
try to add such a server.

The Domain Functional Level depends on the Forest Functional Level: it can be the same as
or higher than the Forest Functional Level, but it cannot be lower. The Domain Functional
Level decides which Windows Server editions can work as additional domain controllers
within a domain.

For this practical we keep both the Forest Functional Level and the Domain Functional Level at
their defaults. The default shown depends on the Windows Server OS installed on this
server.
Keep all other options at their defaults.
Type a Directory Services Restore Mode (DSRM) password.
This password is required when Active Directory fails. The password must be complex: it
needs uppercase letters, lowercase letters and a special character. When Active Directory is
installed on this server, its SAM database (the local database that holds usernames and
passwords) is disabled, and all usernames and passwords are stored in the Active Directory
database instead. You should always keep a backup of this database. When the database
fails, no domain username and password is available for logon, so the DSRM password is
what lets you log on to the server and restore the Active Directory database from backup.

The server can be started in DSRM by pressing the F8 key while the server starts.

So keep all settings at their defaults, provide the DSRM password and click Next.
The following screen is displayed.

Windows Active Directory requires a working DNS server. However, we do not have any DNS
server installed, so the warning screen shown above is displayed. Click Next.

The following screen checks the NetBIOS domain name derived from the given domain name and
verifies that the name is not already in use. The NetBIOS protocol does not support Internet-style
names like demo.lab, so it drops everything after the first dot and keeps the leading label as the
NetBIOS domain name. This is for backward compatibility with older operating systems
like Windows NT. Click Next.

The next screen displays the directory paths where the active directory database and active
directory logs will be stored. The sysvol folder is used to replicate data to other domain
controllers and domain clients. This folder should be placed on an NTFS formatted partition.

Keep all defaults on this screen and click Next.


The review screen displays all the settings made so far. Verify the options selected on
all earlier screens. If you have selected a wrong option, click the Back button to go to the
required screen and modify the setting.

To finally configure ADDS as per these settings, click Next.

The installer will verify that all the required prerequisites are met and the ADDS can be
successfully configured on this server.

If there is any red-coloured error message, the Install button will be disabled. In that
case read the error carefully and solve the problem.
Warnings with yellow signs can be ignored; they will not create any problems for the ADDS
configuration.
Click Install.

This starts configuring the ADDS service. Once it finishes, the following message is displayed.

Just wait; the server will restart automatically.


It will require some time for the server to start.

Once the server starts and you reach the logon screen, it looks as shown below.

The logon name is now displayed as domain-name\Administrator.


Provide the earlier administrator password to log on.
Now in the Server Manager window that opens, click the Local Server option. In the Workgroup
field it will display your domain name.

This is how you have successfully installed the ADDS role on this server. You configured
ADDS on this server to create a new forest and a new domain. This server is now the domain
controller for the domain demo.lab.
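The same new-forest deployment (steps 2A and 2B above) done from PowerShell instead of the Server Manager wizard, as an added example that is not part of the original guide. It assumes the root domain demo.lab from the guide; the NetBIOS name DEMO, the default database/log/SYSVOL paths and the Windows Server 2016 functional level are constructed values for the example.

```powershell
# Added example (not from the original lab guide): new forest from PowerShell.
# Run in an elevated PowerShell on the freshly renamed server.

# Step A: install the ADDS role binaries (equivalent to Add Roles and Features).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# The DSRM password is read interactively so it never lands in a script or log.
$dsrmPassword = Read-Host -Prompt 'DSRM password (complex)' -AsSecureString

# Parameters mirroring the wizard pages walked through above (constructed values).
$forestParams = @{
    DomainName                    = 'demo.lab'          # root domain = forest name
    DomainNetbiosName             = 'DEMO'              # label before the first dot
    ForestMode                    = 'WinThreshold'      # Windows Server 2016 level
    DomainMode                    = 'WinThreshold'      # must not be lower than the forest
    InstallDns                    = $true               # no DNS server exists yet
    CreateDnsDelegation           = $false              # no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'   # ntds.dit
    LogPath                       = 'C:\Windows\NTDS'   # transaction logs
    SysvolPath                    = 'C:\Windows\SYSVOL' # must be on an NTFS volume
    SafeModeAdministratorPassword = $dsrmPassword
}

# Step B1: prerequisite check only (the wizard's Prerequisites Check page).
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List Message, Context, RebootRequired, Status
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the red errors before promoting.'
}

# Step B2: promote. -Force suppresses the confirmation prompt; the server reboots itself.
Install-ADDSForest @forestParams -Force

# After the reboot, log on as DEMO\Administrator and confirm the result
# (run these lines separately once the server is back):
# Get-ADForest | Select-Object Name, ForestMode, RootDomain
# Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator
# Get-Service NTDS, DNS, Netlogon, KDC | Select-Object Name, Status
```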
Windows Active Directory
Adding an Additional Domain Controller to an existing domain

The steps mentioned in this document can be performed on Windows Server 2012 R2 and
above.

This step adds another server to an existing Active Directory domain as an Additional Domain
Controller (ADC). The ADC holds the same Active Directory database as the main
Domain Controller, so creating this server solves two problems. First, if the main
Domain Controller fails, the ADC keeps working and provides services to clients.

Second, it reduces WAN traffic between a branch office and the head office. For this an ADC
is placed in the branch office, so clients in the branch office get Active Directory services
such as authentication locally and do not need to contact the DC/ADC in the head office.

Prerequisites :-

1. A Windows Server 2012 R2 or above installed either on a physical server or on a virtual
machine. For this document Windows Server 2016 Evaluation version is used.
2. An existing forest and a domain with domain controller up and running.
3. Basic knowledge about Windows Active Directory and its terms like Forest, Domain,
Domain Controller, Additional Domain Controller etc.

***Perform following steps on the second server which will be working as an additional
domain controller.

Steps:-

1. Post install configuration of Windows Server.


A. Set the correct time zone.
In the Server Manager window that opens when the server starts, click the Local
Server option as shown below.

In the right side pane, click the option in front of Time zone.
In the new window that opens, click the Change time zone button. In the next
window, use the drop-down list to select the appropriate time zone.

Click OK. After you select the time zone, the time displayed will change. Make sure
the time displayed is the current time at your location. Click OK to
close the window.

If the selected time zone is not shown in the Server Manager in front of Time zone
option, click refresh button to refresh the Server Manager window.

B. Set the IPv4 address


To set manual IPv4 address to the server, click the option in front of Ethernet in the
Server Manager Window as shown below. If multiple adapters are attached then
there will be multiple entries. Select the adapter that will be used to communicate
with Active Directory clients or servers.
A new window showing the Ethernet adapter will open.

Double click the adapter name. Following window will be displayed.

Click Properties button. Again a new Window opens as shown below.

In that window double click the Internet Protocol Version 4(TCP/IPv4) option.
A new window is displayed. Select the Use the following IP address option. Then
provide the required IP address and subnet mask.
Make sure you provide the IP address of the main DC as the Preferred DNS server.

For Lab purpose default gateway is not required. Click OK.


Then click OK on earlier windows and close all the windows opened. Do not close
the Server Manager window.

Again if the given IP address is not displayed in the Server Manager window, Click
the refresh button.
C. Set a computer name for the server.
After this step, you need to restart the server.
To assign a computer name to the server, in the Server Manager click any option -
Computer Name or Workgroup. It will open the same window.

In the following window, click the change button.

This will open following window. In the Computer Name field specify a name for this server.
Do not change anything in the workgroup field.

Click OK. It will display a restart warning. Click OK to close all earlier windows. The server
restart prompt will be displayed. Click Restart Now to restart the server. This brings the
new computer name into effect.

Restart is necessary to successfully install Windows Active Directory.


After restart, log on as Administrator; you are now ready to install ADDS and add this server
to the existing domain as an additional domain controller.
2. Install Active Directory Domain Services (ADDS)
A. Install Active Directory Domain Services (ADDS)
To add this server as an additional domain controller to an existing domain, you need to first
install the Windows Active Directory Domain Services (ADDS) role. This will copy all the files
and create the required directory structure.
You do not require Windows Server installation media (CD/DVD/USB) for any of the steps.

To install ADDS, in the Server Manager window, click the Manage option.

Then Click the Add Roles and Features option.

Click Next on all the screens displayed till the following screen is displayed.

In this screen, select the check box in front of the Active Directory Domain Services role. When
you select the check box, the following screen is displayed.

Click Add Features button.


Click Next on all screens till you get the following final screen.
Click Install button to start installing the ADDS role on the server.

Once the installation is complete, following screen will be displayed.

Make sure the installation succeeded without any errors. Click Close.

B. Configure Windows Active Directory Domain Services (ADDS)


Once the ADDS role is successfully installed, the Server Manager window displays a
yellow triangle near the flag in the upper right corner, as shown below.

Click that triangle to display the following option.

Click the Promote this server to a domain controller option in the Post-deployment
Configuration section.

This will open the following window.


Select the Add a domain controller to an existing domain option. Specify the domain name in
which this server will work as an ADC.

Click the Change button under Supply the credentials to perform this operation.
In the new window that opens, provide the username and password of the administrator account
of the main DC. Make sure you provide the username together with the domain name, as shown below.

Click OK. Click Next.

Following window opens.

In this window keep all other settings as default.

Provide a DSRM password. As you know this password will be required for recovering active
directory database from backup.
Click Next.
Following screen is displayed.

Windows Active Directory requires a working DNS server. However, we do not have any DNS
server installed, so the warning screen shown above is displayed. Click Next.

The next screen displays the options for how this server will get its copy of the existing
Active Directory domain database. As noted above, an ADC holds the same database as the
main domain controller.

The Install from media option lets you install the Active Directory domain database from a
backup device such as a tape or an external USB drive. This option is useful when installing an
ADC in a branch office. For a branch office with a low-speed WAN link, using this option
saves time and network traffic. You need to send the database backup to the branch
office before you start this process.

For LAN and high-speed WAN installations, however, the Replicate from option is used.
If you already have multiple domain controllers within the domain, the drop-down list
in front of Replicate from shows all of these domain controllers.
The default Any domain controller option selects one of the available domain controllers.

Keep the default option and click Next.


Click Next on the following window to accept the default directory paths for the Active
Directory database, logs and the sysvol folder.

The next review screen is displayed.

Make sure all selected options on the earlier screens are correct.
To finally configure ADDS as per these settings, click Next.

The installer will verify that all the required prerequisites are met and the ADDS can be
successfully configured on this server.

If there is any red-coloured error message, the Install button will be disabled. In that
case read the error carefully and solve the problem.
Warnings with yellow signs can be ignored; they will not create any problems for the ADDS
configuration.
Click Install.

This starts configuring the ADDS service. Once it finishes, the following message is displayed.

Just wait; the server will restart automatically.

It will require some time for the server to start.

Once the server starts and you reach the logon screen, it looks as shown below.

The logon name is now displayed as domain-name\Administrator.


Provide the earlier administrator password to log on.
Now in the Server Manager window that opens, click the Local Server option. In the Workgroup
field it will display your domain name.
3. Verify that the ADC is installed correctly.
To verify that the ADC is correctly installed and that the main DC and the new ADC are able to
synchronize their database, perform the following steps.

A. Log on to the main domain controller and create a user in an organizational unit.
After you log on to the main DC as administrator, in the Server Manager window click the Tools
option. In the menu displayed click Active Directory Users and Computers.

In the Active Directory Users and Computers window, expand the domain name shown.
Then right click on the domain name. Go to the New option in the displayed menu. Then
click Organizational Unit option as shown below.

In the new window that opens, provide a name for the organizational unit (OU). Click OK.

Once the OU is created, right click the name of the OU. Then select the New option in the menu
displayed. Click User to create a user inside the OU. This is shown below.
In the new window that opens, provide First name, Full name and User logon name as shown
below.

Click Next.
In the new window that opens, provide a password for the new user. Also clear the
User must change password at next logon check box.

Click Next. Then click Finish to create the user.


The user will be displayed as below.

B. Logon to the Additional Domain Controller and Open Active Directory Users and
Computers.

Log on to the ADC as administrator. Go to the Tools option in the Server Manager, then click
Active Directory Users and Computers. The following window opens.
Both domain controllers should show the OU created above and also the user within it,
as shown below.

Also create an OU and a user within it on the Additional Domain Controller and verify that it
automatically reflects in the main Domain Controller.
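The replication check from step 3 (create an OU and a user on one DC, confirm they appear on the other) as a repeatable PowerShell test, added here and not part of the original guide; it also reads the ADC's inbound replication status, which the guide's GUI check does not show. Constructed assumptions: main DC DC1.demo.lab, ADC DC2.demo.lab, test OU ReplTest and test account repltest.

```powershell
# Added example (not from the original lab guide): replication test between two DCs.
Import-Module ActiveDirectory

function Test-AdReplication {
    param(
        [string]$SourceDC = 'DC1.demo.lab',   # constructed
        [string]$TargetDC = 'DC2.demo.lab',   # constructed
        [string]$OuName = 'ReplTest',
        [string]$SamAccountName = 'repltest',
        [int]$TimeoutSeconds = 300
    )
    $domain = Get-ADDomain -Server $SourceDC
    $ouDN   = "OU=$OuName,$($domain.DistinguishedName)"

    # Step A: create the OU (if missing) and a user inside it on the source DC.
    $ou = Get-ADOrganizationalUnit -Server $SourceDC -Filter "Name -eq '$OuName'" `
            -SearchBase $domain.DistinguishedName -SearchScope OneLevel
    if (-not $ou) {
        New-ADOrganizationalUnit -Server $SourceDC -Name $OuName -Path $domain.DistinguishedName
    }
    $password = Read-Host -Prompt "Password for $SamAccountName" -AsSecureString
    New-ADUser -Server $SourceDC -Name 'Repl Test' -GivenName 'Repl' -Surname 'Test' `
        -SamAccountName $SamAccountName -UserPrincipalName "$SamAccountName@$($domain.DNSRoot)" `
        -Path $ouDN -AccountPassword $password -ChangePasswordAtLogon $false -Enabled $true

    # Step B: poll the target DC until the object arrives there (or give up).
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        try {
            $seen = Get-ADUser -Server $TargetDC -Identity $SamAccountName -ErrorAction Stop
            if ($seen.DistinguishedName -like "*,$ouDN") { return $true }
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Not replicated yet; keep waiting.
        }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Inbound replication status of the ADC, per partner and naming context.
function Get-AdReplicationHealth {
    param([string]$TargetDC = 'DC2.demo.lab')
    Get-ADReplicationPartnerMetadata -Target $TargetDC -PartnerType Inbound |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}

if (Test-AdReplication) { 'Replication OK: user visible on the ADC' }
else { 'Replication FAILED or timed out: check Get-AdReplicationHealth' }
Get-AdReplicationHealth | Format-Table -AutoSize

# Remove the test account afterwards so no unused enabled account is left behind:
# Remove-ADUser -Server 'DC1.demo.lab' -Identity 'repltest' -Confirm:$false
```

Run the reverse direction (source DC2, target DC1) as well, as the guide's last step does, so both replication paths are confirmed.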

This is how you have successfully installed the ADDS role on this server. You configured
ADDS on this server to add it as an Additional Domain Controller (ADC) in your
existing domain. This server is now an additional domain controller for the domain demo.lab.
Windows Active Directory
Removing an Additional Domain Controller from an existing domain

The steps mentioned in this document can be performed on Windows Server 2012 R2 and
above.

This step removes an additional domain controller from an existing Active Directory
domain. This is required when an ADC is no longer needed, for example when a branch office is
closed and all its IT setup is removed. It is also required when you want to replace the existing
ADC with a new server with a higher hardware configuration. In that case you remove the old
ADC first and then add the new ADC to the domain.

Prerequisites :-

1. A Windows Server 2012 R2 or above installed either on a physical server or on a virtual
machine. For this document Windows Server 2016 Evaluation version is used.
2. An existing forest and a domain with domain controller up and running.
3. A working additional domain controller in the above domain.
4. Basic knowledge about Windows Active Directory and its terms like Forest, Domain,
Domain Controller, Additional Domain Controller etc.

***Perform following steps on the second server which is configured as an additional
domain controller.

Steps:-
1. Demote the additional domain controller
To perform this step, logon to ADC as administrator. In the Server Manager window, click
Manage and select Remove Roles and Features option.

In the new window that opens, click Next.


Click Next, till you get the following window.

Un-check the check box for the Active Directory Domain Services. As soon as you un-check
the box, following screen is displayed.

Click Remove Features.


Next, the following screen appears. Even though it is an error message, it gives you the option
to demote the server.

Click the Demote the domain controller option.


The following screen will be displayed. It may take some time for the Next button to appear,
so just wait.

Click Next.
Do not select the check box of Force the removal of this domain controller option.

This option should be used only when the normal removal fails or this domain controller is
not able to connect to the main DC.

Following screen appears.

On this screen click check box in front of Proceed with removal. Click Next.

On the next screen that appears, you need to enter a password for the local administrator
account. As you are aware, when you made this server an ADC its SAM database was
disabled. Now that you are demoting the server, its SAM database will be enabled again.
On this screen provide a password and click Next.

The Review options screen appears.

Click the Demote button.

It will start the demotion process. It will take some time. Once the demotion process is
complete, following screen is displayed.

Wait for some time. The server will automatically restart.

Once the server restarts, log on as administrator. The server has been demoted to a member server.
However, the Active Directory Domain Services role is not yet removed.
2. Remove the Active Directory Domain Services (ADDS)
After restart when you logon to the server, you can see the yellow triangle near the flag sign
in Server Manager. This is as shown below.

This appears because the Active Directory Domain Services (ADDS) role is not removed.
To remove this role, Click Manage and select Remove Roles and Features option.

Click Next on all screens till you get the following window.

Un-check the check box for the Active Directory Domain Services. As soon as you un-check
the box, following screen is displayed.

Click Remove Features.


Click Next on all the screens that appear till you get to the following screen.

Click Remove button.


Once the role is removed, following screen is displayed.

Click Close.

You need to manually restart the server.


After restart, logon to server as administrator. The server is still the member of the domain.

This is how you have successfully demoted the server from Additional Domain Controller
(ADC) to a member server. This server is now a member server of the domain demo.lab.
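The two-stage removal above (demote, then remove the role) from PowerShell, as an added example that is not part of the original guide. It assumes the ADC is named DC2 (constructed) and is run on the ADC as a domain administrator; the final checks run on the main DC.

```powershell
# Added example (not from the original lab guide): demote the ADC, then remove ADDS.
Import-Module ADDSDeployment

# After demotion the local SAM is enabled again, so a new local Administrator
# password is required; read it interactively rather than storing it in a script.
$localAdminPassword = Read-Host -Prompt 'New local Administrator password' -AsSecureString

# Graceful demotion only: -ForceRemoval is deliberately NOT used. A forced removal
# does not inform the other DCs and leaves stale metadata in the directory; use it
# only when the normal removal fails or this DC cannot reach the main DC.
$demoteParams = @{
    LocalAdministratorPassword = $localAdminPassword
    DemoteOperationMasterRole  = $true    # continue even if a FSMO role is found here
    RemoveDnsDelegation        = $false
}

# Step 1: pre-check, then demote (the wizard's Review Options / Demote pages).
$check = Test-ADDSDomainControllerUninstallation @demoteParams
$check | Format-List Message, Status
if ($check.Status -ne 'Success') { throw 'Pre-check failed; investigate before forcing.' }

Uninstall-ADDSDomainController @demoteParams -Force   # reboots automatically

# Step 2, after the reboot: the server is a member server but the role binaries
# remain. Remove them and restart (run separately once the server is back):
# Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart

# On the main DC, confirm DC2 is no longer listed as a DC and its computer object
# moved to Domain Computers (primaryGroupID 515; a DC has 516):
# Get-ADDomainController -Filter * | Select-Object Name, HostName, IsGlobalCatalog
# Get-ADComputer -Identity 'DC2' -Properties primaryGroupID | Select-Object Name, primaryGroupID
```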
Windows Active Directory
Add a client to a domain

The steps mentioned in this document can be performed on any Windows 7/10/11 or
Windows Server operating system.

Once you have deployed a new forest and a new domain, next step is to add the clients to
the domain. This helps you manage the computers and users from a centralized location
(Domain Controller).

Prerequisites :-

1. A machine with any supported Windows version installed, either on a physical server or on a
virtual machine. For this document Windows Server 2016 Evaluation version is used.
2. An existing forest and a domain with its domain controller up and running.
3. Basic knowledge about Windows Active Directory and its terms like Forest, Domain,
Domain Controller, Additional Domain Controller etc.

Steps:-

1. Post install configuration of Windows Server.


A. Set the correct time zone.
In the Server Manager window that opens when the server starts, click the Local
Server option as shown below.

In the right side pane, click the option in front of Time zone.
In the new window that opens, click the Change time zone button. In the next
window, use the drop-down list to select the appropriate time zone.

Click OK. After you select the time zone, the time displayed will change. Make sure
the time displayed is the current time at your location. Click OK to
close the window.

If the selected time zone is not shown in the Server Manager in front of Time zone
option, click refresh button to refresh the Server Manager window.

B. Set the IPv4 address


To set manual IPv4 address to the server, click the option in front of Ethernet in the
Server Manager Window as shown below. If multiple adapters are attached then
there will be multiple entries. Select the adapter that will be used to communicate
with Active Directory clients or servers.

A new window showing the Ethernet adapter will open.


Double click the adapter name. Following window will be displayed.

Click Properties button. Again a new Window opens as shown below.

In that window double click the Internet Protocol Version 4(TCP/IPv4) option.
A new window is displayed. Select the Use the following IP address option. Then
provide the required IP address and subnet mask.
For Lab purpose default gateway and DNS server configuration is not required. Click
OK.

Then click OK on earlier windows and close all the windows opened. Do not close
the Server Manager window.

Again if the given IP address is not displayed in the Server Manager window, Click
the refresh button.
C. Set a computer name for the server.
After this step, you need to restart the server.
To assign a computer name to the server, in the Server Manager click any option -
Computer Name or Workgroup. It will open the same window.

In the following window, click the change button.

This will open following window.


In the Computer Name field specify a name for this server. Click the Domain option. In the
field enter your domain name as shown below.

Click OK. It will display a new window asking for username and password.

Please enter the administrator username and password of the main DC. Click OK.
A welcome to domain message is displayed as shown below.

Click OK.

A restart warning is displayed, followed by the server restart prompt. Click Restart Now
to restart the server. This brings the new computer name into effect and adds the server to
the domain as a member.

After restart following logon screen appears.

If you logon directly as Administrator, it will be a local logon. However you will not be able to
access domain computers. You will get a username and password prompt.

To logon to domain, click the Other User option on the screen. The following screen is
displayed.
Now enter the username in the following format to logon to domain.

Make sure the domain name is shown in the Sign in to option below the username and
password field.

This is how you have successfully added a server as a member server to the domain. This
server is now a domain member in the domain demo.lab.
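The post-install configuration (time zone, static IPv4, computer name, repeated in step 1 of each section above) and the domain join from this section done in PowerShell, as an added example that is not part of the original guide. Constructed assumptions: adapter Ethernet, client address 192.0.2.50/24, main DC at 192.0.2.10 used as DNS server (the guide marks DNS optional for the lab; the example sets it because the join locates a DC through the domain's DNS SRV records), new name CLIENT01, domain demo.lab with NetBIOS name DEMO.

```powershell
# Added example (not from the original lab guide): configure the client and join the domain.

# A. Time zone (Get-TimeZone -ListAvailable prints the valid Ids; 'UTC' is a placeholder).
Set-TimeZone -Id 'UTC'

# B. Static IPv4 address, with the main DC as DNS server so the domain can be located.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.0.2.50' -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.0.2.10'

# C. Rename and join in one operation, using the main DC's administrator account
#    given together with the domain name; the machine restarts afterwards.
$cred = Get-Credential -UserName 'DEMO\Administrator' -Message 'Domain admin credentials'
Add-Computer -DomainName 'demo.lab' -NewName 'CLIENT01' -Credential $cred -Restart -Force

# After the reboot, log on with a domain account (DEMO\username or username@demo.lab;
# a bare username is a local logon, as the guide notes) and verify the membership.
function Test-DomainMembership {
    param([string]$Domain = 'demo.lab')
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $null = nltest /dsgetdc:$Domain          # DC locator; exit code 0 means a DC answered
    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        DomainMatches = ($cs.Domain -eq $Domain)
        SecureChannel = Test-ComputerSecureChannel   # machine account trust with a DC
        DcFound       = ($LASTEXITCODE -eq 0)
    }
}
# Test-DomainMembership
```

Every field of Test-DomainMembership should be $true (and Domain should read demo.lab) once the join has succeeded.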
