This comprehensive course will take you from understanding the basic concepts of Active Directory to implementing advanced security configurations. Each module builds upon the previous one, ensuring a solid foundation before advancing to complex topics.
Active Directory (AD) is Microsoft's directory service that provides centralized authentication, authorization, and management of network resources in Windows environments.
Key Concepts:
- Directory Service: A hierarchical database that stores information about network objects
- Domain: A logical group of network objects that share the same AD database
- Forest: A collection of one or more domains that share a common schema and global catalog
- Tree: A hierarchical arrangement of domains within a forest
¶ 1. Domain Controllers (DCs)
- Windows servers that host the AD database
- Handle authentication and authorization requests
- Replicate data between other domain controllers
- At least one DC required per domain
¶ 2. Organizational Units (OUs)
- Containers that organize objects within a domain
- Used for applying Group Policy and delegating administration
- Can contain users, computers, groups, and other OUs
¶ 3. Objects and Attributes
- Users: Represent people who can log into the domain
- Computers: Represent machines joined to the domain
- Groups: Collections of users or computers for easier management
- Attributes: Properties of objects (name, email, group membership, etc.)
Forest: company.com
├── Domain: company.com
│   ├── OU: Sales
│   │   ├── User: john.doe
│   │   └── Computer: SALES-PC01
│   ├── OU: IT
│   │   ├── User: admin.user
│   │   └── Group: IT Admins
│   └── Built-in Containers
│       ├── Users
│       ├── Computers
│       └── Domain Controllers
¶ Module 2: Installing and Configuring Active Directory
- Windows Server 2019/2022 (recommended)
- Static IP address configuration
- Proper DNS configuration
- Administrator privileges
¶ 1. Promote Server to Domain Controller
# Install AD Domain Services role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# Promote to domain controller (new forest); prompt for the DSRM password rather than embedding it in the script
Install-ADDSForest -DomainName "company.local" -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")
- Verify DNS is working correctly
- Check Event Logs for errors
- Validate replication (if multiple DCs)
- Configure time synchronization
¶ 3. Creating Additional Domain Controllers
# Add additional DC to existing domain (DSRM password prompted, not hard-coded)
Install-ADDSDomainController -DomainName "company.local" -Credential (Get-Credential) -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")
- Use dedicated servers for domain controllers
- Implement at least two DCs for redundancy
- Place DCs in secure physical locations
- Configure proper backup strategies
¶ Module 3: Managing Users, Groups, and Computers
# Create new user with PowerShell; the initial password is temporary, so force a change at first logon
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@company.local" -Path "OU=Sales,DC=company,DC=local" -AccountPassword (ConvertTo-SecureString "TempPass123!" -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $true
¶ User Properties and Attributes
- Account Options: Password policies, account expiration, logon restrictions
- Profile Information: Home directory, profile path, logon script
- Contact Information: Email, phone, address
- Organization: Department, title, manager
# Import users from CSV (expected columns: Name, Username, OU, Password); skip accounts that already exist
$users = Import-Csv "C:\users.csv"
foreach ($user in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($user.Username)'") {
        Write-Warning "$($user.Username) already exists, skipping"
        continue
    }
    New-ADUser -Name $user.Name -SamAccountName $user.Username -UserPrincipalName "$($user.Username)@company.local" -Path $user.OU -AccountPassword (ConvertTo-SecureString $user.Password -AsPlainText -Force) -ChangePasswordAtLogon $true -Enabled $true
}
- Security Groups: Used for permissions and access control
- Distribution Groups: Used for email distribution
- Domain Local: Can contain members from any domain in the forest, used for resource access
- Global: Can contain members from the same domain, used for organizing users
- Universal: Can contain members from any domain in the forest, stored in Global Catalog
¶ Creating and Managing Groups
# Create security group
New-ADGroup -Name "Sales Team" -GroupScope Global -GroupCategory Security -Path "OU=Sales,DC=company,DC=local"
# Add users to group
Add-ADGroupMember -Identity "Sales Team" -Members "jdoe", "msmith"
¶ Joining Computers to Domain
# From the computer to be joined
Add-Computer -DomainName "company.local" -Credential (Get-Credential) -Restart
- Move computers to appropriate OUs
- Configure computer policies
- Monitor computer health and compliance
¶ Module 4: Organizational Units and Group Policy
Consider these factors:
- Administrative delegation: Who will manage what
- Group Policy application: How policies will be applied
- Geographic locations: Physical site considerations
- Business structure: Departments and functions
company.local
├── Corporate
│   ├── Users
│   │   ├── Sales
│   │   ├── Marketing
│   │   ├── IT
│   │   └── HR
│   ├── Computers
│   │   ├── Workstations
│   │   ├── Servers
│   │   └── Laptops
│   └── Groups
├── Branch Offices
│   ├── New York
│   └── Los Angeles
└── Service Accounts
Group Policy provides centralized management and configuration of operating systems, applications, and user settings in an AD environment.
- Local Policy: Policies stored on the local computer
- Site: Policies linked to AD sites
- Domain: Policies linked to the domain
- OU: Policies linked to organizational units (processed from top to bottom)
¶ Creating and Linking GPOs
# Create new GPO
New-GPO -Name "Sales Security Policy" -Domain "company.local"
# Link GPO to OU
New-GPLink -Name "Sales Security Policy" -Target "OU=Sales,DC=company,DC=local"
- Password Policies: Complexity, length, history
- Account Lockout: Failed logon attempts, lockout duration
- User Rights: Logon rights, privileges
- Security Options: Authentication, network security
- Software Installation: Deploy applications
- Folder Redirection: Redirect user folders to network locations
¶ Module 5: DNS Integration and Sites/Services
¶ DNS and Active Directory
AD relies heavily on DNS for:
- Domain controller location
- Service location (SRV records)
- Authentication processes
- Client computer domain joining
# Create AD-integrated DNS zone
Add-DnsServerPrimaryZone -Name "company.local" -ReplicationScope "Domain" -DynamicUpdate "Secure"
- A Records: Map hostnames to IP addresses
- SRV Records: Service location records (_ldap._tcp.company.local)
- CNAME Records: Alias records
- PTR Records: Reverse DNS lookups
¶ Sites and Services
¶ Understanding AD Sites
- Represent physical locations or network segments
- Control replication traffic between DCs
- Optimize authentication traffic
¶ Creating and Configuring Sites
# Create new site
New-ADReplicationSite -Name "Branch-Office-NY"
# Create subnet and associate with site
New-ADReplicationSubnet -Name "192.168.10.0/24" -Site "Branch-Office-NY"
¶ Site Links and Replication
- Configure replication schedules
- Set replication costs
- Control bandwidth usage
- NTLM: Legacy authentication protocol
- Kerberos: Default authentication protocol in AD
- Certificate-based: Using PKI certificates
- User requests Ticket Granting Ticket (TGT) from KDC
- KDC verifies credentials and issues TGT
- User requests service ticket for specific resource
- KDC issues service ticket
- User presents service ticket to resource
- Users: Individual user accounts
- Groups: Collections of users
- Computers: Computer accounts
- Service Accounts: Accounts for services
¶ Permissions and Rights
- NTFS Permissions: File and folder access
- Share Permissions: Network share access
- User Rights: System-level privileges
- Object Permissions: AD object access
¶ Security Groups and Built-in Accounts
- Domain Admins: Full administrative rights in domain
- Enterprise Admins: Full administrative rights in forest
- Schema Admins: Can modify AD schema
- Account Operators: Can manage user accounts
- Server Operators: Can manage domain controllers
- Grant minimum permissions necessary
- Use security groups for access control
- Regularly review and audit permissions
- Implement role-based access control
¶ Hardening Domain Controllers
- Secure physical access to servers
- Implement rack security
- Use security cameras and access logs
- Environmental controls (temperature, humidity)
# Disable unnecessary services (Set-Service -Name takes the service name: the "Print Spooler" display name is the Spooler service)
Set-Service -Name "Fax" -StartupType Disabled
Set-Service -Name "Spooler" -StartupType Disabled
# Configure Windows Firewall: outbound HTTP is identified by the remote port, not the local port
New-NetFirewallRule -DisplayName "Block Outbound HTTP" -Direction Outbound -Protocol TCP -RemotePort 80 -Action Block
- Use Microsoft Security Compliance Toolkit
- Implement CIS benchmarks
- Regular security assessments
- Vulnerability scanning
# Azure AD Connect synchronizes on-premises AD with Azure AD for hybrid identity
# Require MFA for a synced user (legacy MSOnline module; Set-MsolUser takes a StrongAuthenticationRequirement object, there is no Set-MsolUserMfa cmdlet)
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"; $mfa.State = "Enabled"
Set-MsolUser -UserPrincipalName "admin@company.local" -StrongAuthenticationRequirements @($mfa)
- Deploy PKI infrastructure
- Configure certificate templates
- Enable smart card logon
- Configure Group Policy for smart cards
# Add user to Protected Users group
Add-ADGroupMember -Identity "Protected Users" -Members "high-privilege-user"
Protections applied by the Protected Users group:
- Cannot use NTLM authentication
- Cannot use DES or RC4 encryption
- Cannot be delegated with constrained or unconstrained delegation
- Cannot renew TGTs beyond 4-hour lifetime
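An added example (not part of the course material) that audits which members of the privileged groups listed above are not yet in Protected Users and flags those carrying an SPN, since service accounts typically break once NTLM, RC4 and delegation are removed. The group names are the course's; the ActiveDirectory module is assumed to be available.

```powershell
# Added audit script: privileged accounts missing from Protected Users (assumes the ActiveDirectory module)
Import-Module ActiveDirectory
$privilegedGroups = "Domain Admins", "Enterprise Admins", "Schema Admins"   # groups to audit

# SamAccountNames already covered by Protected Users (empty group -> $null, which is handled below)
$protected = Get-ADGroupMember -Identity "Protected Users" -Recursive |
    Select-Object -ExpandProperty SamAccountName

$candidates = foreach ($group in $privilegedGroups) {
    # -Recursive resolves nested groups so indirect members are not missed
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq "user" -and $protected -notcontains $_.SamAccountName } |
        Get-ADUser -Properties ServicePrincipalName |
        Select-Object SamAccountName,
            @{Name = "Group";  Expression = { $group }},
            @{Name = "HasSPN"; Expression = { $_.ServicePrincipalName.Count -gt 0 }}
}

# HasSPN = False: candidate for Protected Users; HasSPN = True: a service account, review before adding
$candidates | Sort-Object SamAccountName -Unique | Format-Table -AutoSize
```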
¶ Security Templates and Baselines
# Import security template
secedit /configure /db security.sdb /cfg "security_template.inf"
<!-- AppLocker Policy Example -->
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow all files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*"/>
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
# Create password settings object
New-ADFineGrainedPasswordPolicy -Name "ExecutivePasswordPolicy" -Precedence 10 -ComplexityEnabled $true -MinPasswordLength 12 -MaxPasswordAge 60.00:00:00
# Apply to security group
Add-ADFineGrainedPasswordPolicySubject -Identity "ExecutivePasswordPolicy" -Subjects "Executive Users"
¶ Monitoring and Auditing
# Configure audit policies
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Object Access" /success:enable /failure:enable
- Deploy ATA for behavioral analysis
- Monitor suspicious activities
- Detect lateral movement
- Identify compromised credentials
# Enable PowerShell script block logging (the policy key lives under HKLM:\SOFTWARE\Policies, not Wow6432Node, and may not exist yet)
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
- Implement time-limited administrative access
- Use Microsoft Identity Manager (MIM)
- Configure PAM forest architecture
- Implement approval workflows
- Tier 0: Domain controllers, enterprise admins
- Tier 1: Servers and server administrators
- Tier 2: Workstations and standard users
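An added example (not part of the course) that runs the audit policy and tier model above as detection logic: it counts 4625 failures per account and flags 4624 logons of Tier 0 accounts onto Tier 2 workstations. The events, account names and host names are constructed for the demonstration; the helper shows how the same fields are read from a live Security log.

```powershell
# Added detection script over constructed sample events (not a live log)
$tier0Accounts    = @("da-admin", "ent-admin")      # assumed Tier 0 account names
$tier2Hosts       = @("SALES-PC01", "HR-PC07")      # assumed Tier 2 workstation names
$failureThreshold = 5                               # 4625 failures per account before alerting

function ConvertTo-LogonRecord {
    # Maps a live Security event from Get-WinEvent to the fields used below
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{ Id = $Event.Id; TargetUserName = $data.TargetUserName
                       WorkstationName = $data.WorkstationName; Time = $Event.TimeCreated }
}
# Live use: $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} | ForEach-Object { ConvertTo-LogonRecord $_ }

# Constructed sample: five failures for jdoe, one for msmith, a Tier 0 logon on a DC and one on a workstation
$events = @(
    [pscustomobject]@{ Id = 4625; TargetUserName = "jdoe";     WorkstationName = "SALES-PC01"; Time = "08:01" }
    [pscustomobject]@{ Id = 4625; TargetUserName = "jdoe";     WorkstationName = "SALES-PC01"; Time = "08:01" }
    [pscustomobject]@{ Id = 4625; TargetUserName = "jdoe";     WorkstationName = "SALES-PC01"; Time = "08:02" }
    [pscustomobject]@{ Id = 4625; TargetUserName = "jdoe";     WorkstationName = "SALES-PC01"; Time = "08:02" }
    [pscustomobject]@{ Id = 4625; TargetUserName = "jdoe";     WorkstationName = "SALES-PC01"; Time = "08:03" }
    [pscustomobject]@{ Id = 4625; TargetUserName = "msmith";   WorkstationName = "HR-PC07";    Time = "08:05" }
    [pscustomobject]@{ Id = 4624; TargetUserName = "da-admin"; WorkstationName = "DC01";       Time = "08:10" }
    [pscustomobject]@{ Id = 4624; TargetUserName = "da-admin"; WorkstationName = "SALES-PC01"; Time = "08:12" }
)

# Rule 1: repeated failed logons per account (password guessing or a misconfigured service)
$guessing = $events | Where-Object { $_.Id -eq 4625 } |
    Group-Object TargetUserName | Where-Object { $_.Count -ge $failureThreshold } |
    ForEach-Object { "Possible password guessing: $($_.Count) failed logons for $($_.Name)" }

# Rule 2: Tier 0 credentials exposed on a Tier 2 host (credential theft risk)
$tierViolations = $events | Where-Object {
        $_.Id -eq 4624 -and $tier0Accounts -contains $_.TargetUserName -and $tier2Hosts -contains $_.WorkstationName
    } | ForEach-Object { "Tier violation: $($_.TargetUserName) logged on to Tier 2 host $($_.WorkstationName) at $($_.Time)" }

@($guessing) + @($tierViolations) | ForEach-Object { Write-Warning $_ }
```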
# Enable Credential Guard via Group Policy
# Computer Configuration > Administrative Templates > System > Device Guard
# Turn On Virtualization Based Security = Enabled
# Platform Security Level = Secure Boot and DMA Protection
# Credential Guard Configuration = Enabled with UEFI lock
# Install LAPS (legacy Microsoft LAPS, AdmPwd.PS module) and extend the schema once per forest
Import-Module AdmPwd.PS
Update-AdmPwdADSchema
# Configure Group Policy: set password complexity and rotation interval
# Allow computers in the OU to write their own managed local administrator password
Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Workstations,DC=company,DC=local"
- Protect authentication processes
- Prevent credential theft
- Use with Windows Defender Credential Guard
- Implement VLANs for different security zones
- Use firewalls between network segments
- Configure IPSec policies
- Implement Network Access Control (NAC)
# Install Certificate Services
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
# Configure certificate templates
# Enable certificate autoenrollment via Group Policy
¶ Advanced Monitoring and Detection
<!-- Event forwarding subscription (source-initiated): collects logon success/failure events.
     Enabled, Uri, LogFile and AllowedSourceDomainComputers are required for wecutil to create the subscription. -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL granting Domain Computers (DC) and Network Service (NS) the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
- Configure log forwarding to SIEM
- Create correlation rules
- Implement automated response
- Regular security assessments
¶ Module 9: Disaster Recovery and Business Continuity
# Windows Server Backup for System State
wbadmin start systemstatebackup -backuptarget:E: -quiet
# Same backup from PowerShell (WindowsServerBackup module); Checkpoint-Computer only creates a System Restore point, which Windows Server does not support
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath "E:")
Start-WBBackup -Policy $policy
# Boot into Directory Services Restore Mode (DSRM)
# Use ntdsutil for authoritative restore
ntdsutil
activate instance ntds
authoritative restore
restore subtree "OU=Sales,DC=company,DC=local"
quit
quit
- Identify root cause of forest corruption
- Isolate remaining DCs from network
- Restore forest root domain from backup
- Rebuild child domains if necessary
- Restore trusts and replication
# Remove failed DC metadata: there is no Remove-ADDomainController cmdlet; use ntdsutil metadata cleanup with the server object's DN (site name Default-First-Site-Name assumed)
ntdsutil "metadata cleanup" "remove selected server CN=FAILED-DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=company,DC=local" quit quit
¶ Multiple Domain Controllers
- Deploy DCs across different sites
- Implement load balancing
- Configure site link costs
- Monitor replication health
¶ Read-Only Domain Controllers (RODC)
# Install RODC
Install-ADDSDomainController -DomainName "company.local" -ReadOnlyReplica -SiteName "Branch-Site"
¶ Module 10: Troubleshooting and Maintenance
¶ Common Issues and Solutions
# Test domain connectivity
Test-ComputerSecureChannel -Verbose
# Reset computer account
Reset-ComputerMachinePassword -Credential (Get-Credential)
# Check Kerberos tickets
klist tickets
# Check replication status
repadmin /replsummary
# Force replication
repadmin /syncall /A /P /d
# Check replication topology
repadmin /showrepl
# Test DNS resolution
nslookup company.local
# Check SRV records
nslookup -type=SRV _ldap._tcp.company.local
# Verify DC registration
dcdiag /test:dns
- NTDS\DRA Inbound Full Sync Objects Remaining
- NTDS\LDAP Client Sessions
- NTDS\LDAP Searches/sec
- Database\Database Cache % Hit
# DCDiag comprehensive test
dcdiag /v /c /d /e /s:company.local
# Network connectivity test
dcdiag /test:connectivity
# Replication test
dcdiag /test:replications
¶ Maintenance Tasks
¶ Regular Maintenance Checklist
- Weekly: Check event logs, verify backups
- Monthly: Review group memberships, audit permissions
- Quarterly: Update documentation, security assessments
- Annually: Password policy review, disaster recovery testing
¶ Automated Maintenance Scripts
# Daily health check script; Test-NetConnection returns an object (always truthy), so request a boolean with -InformationLevel Quiet
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    $ldapUp = Test-NetConnection -ComputerName $DC.HostName -Port 389 -InformationLevel Quiet
    if ($ldapUp) {
        Write-Output "$($DC.Name) is responding on LDAP port"
    } else {
        Write-Warning "$($DC.Name) is not responding on LDAP port"
        # Send alert email here (e.g. Send-MailMessage)
    }
}
¶ Module 11: Integration and Modern Authentication
# Configure Azure AD Connect
# Synchronize on-premises AD with Azure AD
# Enable Password Hash Sync or Pass-through Authentication
# Configure Single Sign-On (SSO)
- SAML 2.0: Web-based SSO
- OAuth 2.0: Authorization framework
- OpenID Connect: Authentication layer on OAuth 2.0
- WS-Federation: Enterprise federation protocol
# Install Certificate Authority
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
# Configure certificate templates for authentication
# Enable certificate auto-enrollment
# Deploy certificates to users and computers
- Configure certificate templates
- Deploy smart card readers
- Configure Group Policy for smart card requirements
- Implement card management procedures
¶ Module 12: Security Assessment and Compliance
# PowerShell script for privilege escalation check: enumerate members recursively so nested group membership is not missed
$privilegedGroups = "Domain Admins", "Enterprise Admins", "Schema Admins"
foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq "user" } |
        Select-Object @{Name="Group";Expression={$group}}, Name, SamAccountName
}
- External testing: Test from internet perspective
- Internal testing: Test from network insider perspective
- Social engineering: Test user awareness
- Physical security: Test physical access controls
- SOX: Sarbanes-Oxley Act requirements
- HIPAA: Healthcare data protection
- PCI-DSS: Payment card industry standards
- GDPR: General Data Protection Regulation
- Security policies: Written security procedures
- Change management: Documentation of changes
- Incident response: Security incident procedures
- Access reviews: Regular access audits
- Install Windows Server 2019/2022
- Promote to domain controller
- Create organizational structure
- Add users and computers
- Configure basic Group Policy
- Implement fine-grained password policies
- Configure Protected Users group
- Enable advanced auditing
- Deploy LAPS
- Configure Credential Guard
- Perform system state backup
- Simulate DC failure
- Restore from backup
- Test replication recovery
- Document recovery procedures
- Run security scanning tools
- Identify security weaknesses
- Implement remediation
- Verify fixes
- Create security report
¶ Advanced Topics and Best Practices
- Verify explicitly
- Use least privilege access
- Assume breach mentality
- Infrastructure as Code (IaC)
- Automated security testing
- Continuous compliance monitoring
- Hybrid identity models
- Conditional access policies
- Cloud security posture management
¶ Conclusion and Next Steps
This course has covered Active Directory from basic concepts to advanced security configurations. Continue your learning journey by:
- Hands-on Practice: Set up lab environments
- Certifications: Pursue Microsoft certification paths
- Community Engagement: Join AD administrator communities
- Continuous Learning: Stay updated with security trends
- Real-world Application: Apply concepts in production environments
Remember that security is an ongoing process, not a one-time implementation. Regular assessment, monitoring, and improvement are essential for maintaining a secure Active Directory environment.