Active Directory: Core Concepts, Architecture and Best Practices

Active Directory (AD) is a hierarchical directory service from Microsoft that is used in a Windows domain environment to organize and centrally manage different types of objects: computers, users, servers, printers, etc. AD is at the heart of management and authentication in Windows Domain organizations. Active Directory is tightly integrated with many Microsoft services and applications such as DNS, DHCP, Exchange Server, etc. Because all user accounts are stored in a single AD database, users can log into any computer in the AD domain using their personal account and password (this is unlike a workgroup, where each computer has its own local database of users).

Understanding Active Directory concepts and architecture

AD is organized in a hierarchical structure. The AD architecture consists of the following basic elements:

AD forest – the top level of the Active Directory hierarchical structure. A forest is a collection of related domains that share a common schema, structure, and global catalog;
Domain – a separate area within the AD forest, with its own security boundary and replication. Contains users, computers, groups, and other objects;
Organizational Unit (OU) – Containers for logical grouping of objects within a domain (similar to folders on a drive). The OU is the point at which the GPO is linked and AD permissions are delegated;
In order to install an Active Directory domain, you will need to install the Active Directory Domain Services (ADDS) role on the Windows Server machine. This server is called an Active Directory Domain Controller (DC). Depending on the needs and size of the domain, a domain can have one or more domain controllers. Domain controller authenticates users and services requests to access network resources (used as a logon server);
The Active Directory database (NTDS.DIT) is stored on the domain controller. Each domain controller stores its own copy of the AD database and replicates any new or changed data to other DCs;
Active Directory Sites – AD objects, one or more physical IP subnets connected by fast LAN channels. Typically, AD sites reflect physical geographic or logical boundaries within your corporate network. Clients authenticate and retrieve GPO files from domain controllers at their sites. There can be one or more domain controllers at each site. To reduce the load on WAN links, you can configure replication intervals between sites;
Global Catalog (GC) – this role can be assigned to any domain controller. This DC is used to perform lookups and authentication across domains. It also stores a summary of object information across the forest;
Group Policy Objects (GPO) — allows administrators to configure settings for domain computers and users centrally;
AD Schema – defines the structure and the possible attributes of the objects in the Active Directory.

Install and configure Active Directory domain controller on Windows Server

Let’s take a look at some useful guides for the installation, configuration, and maintenance of AD domain controllers:

Active Directory domain controllers are equal and perform the same functions. However, in order to prevent conflicting updates, some operations in AD require the change source controller to be unique. These operations are called Flexible Single-Master Operations (FSMO), and the Domain Controllers that perform FSMO roles are called Operations Masters.

There are five FSMO roles:

Schema Master
Domain Naming Master
Infrastructure Master
RID Master
PDC Emulator

The list of Operation Master DCs holding FSMO roles can be displayed using the following command

netdom query fsmo

You can move FSMO roles from one domain controller to another.

Active Directory management tools

In the Windows environment, several tools are available to help administer Active Directory. You can use both graphical MMC snap-ins, command-line tools, and PowerShell cmdlets for AD management:

Active Directory Users and Computers ADUC (dsa.msc) MMC console – is One of the most widely used AD administration tools. It allows you to create, edit attributes, delete, and move various AD objects: users, computers, groups, organizational units (OUs);
ADAC (Active Directory Administrative Center) – the basic functionality is similar to ADUC, but has more possibilities for the management of child domains;
ADSS (Active Directory Sites and Services) — used to manage AD sites, subnets, topology, and replication schedule;
ADDT (Active Directory Domains and Trusts) – used to manage trust relationships between domains and establish cross-domain connections;
AD Schema – AD schema management tool;
GPMC (Group Policy Management, gpmc.msc) – used to manage Group Policy Objects (GPOs) in the AD domain;
ADSIEdit – MMC snap-in that allows you to connect to the LDAP AD directory database and edit attributes and configuration at a lower level;
Active Directory module for Windows PowerShell includes all the cmdlets you need to manage AD objects, settings, and policies from the PowerShell console.

AD management tools can be used not only directly from Windows Server with domain controller role but also from a regular user workstation. To do this, install the RSAT administration package. In Windows 10/11 this can be done with the command:

Add-WindowsCapability –online –Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Manage users, groups, and computers in Active Directory

There are many detailed Active Directory setup and administration guides available on our website. The following is a list of typical operations with different types of AD objects:

Active Directory machine (computer) accounts:

Active Directory users:

Active Directory groups:

Other Active Directory features and usage scenarios

change the IP address on a domain controller

Active Directory Questions and Answers

Best Practices: Changing the IP Address on a Domain Controller

June 23, 2025

Changing the IP address of a domain controller in Active Directory is a non-standard operation that could disrupt domain services and affect client connectivity. However, if properly planned and executed,…

Active Directory Group Policies Windows Server 2022

Configure NTP Time Source for Active Directory Domain

May 6, 2025

Time synchronization in an Active Directory is critical to properly functioning of the domain services and security mechanisms. If a proper and reliable time sync scheme is not configured in…

GPO: Reject passwords found in the compromised password store

Active Directory Windows 11 Windows Server 2022

How to Block Common (Weak) Passwords in Active Directory

March 25, 2025

Only the most basic password length, frequency, and complexity requirements can be enabled for domain users in the default Active Directory password policy. Enabling the mandatory password complexity option, which…

eventcreate.exe - add ta custom event in a specified event log

Active Directory Group Policies Windows Server 2022

Exclude a Specific User or Computer from Group Policy

March 12, 2025

There are several ways to prevent certain Group Policy Object (GPO) settings from being applied to specific users and/or computers in Active Directory: Use GPO security filtering to control which…

An account with the same name exists in Active Directory. Re-using the account was blocked by security policy

Active Directory Windows 11 Windows Server 2022

AD Domain Join: Computer Account Re-use Blocked

March 11, 2025

When attempting to join a computer to an Active Directory domain, an error may occur: Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Re-using…

Active Directory Windows Server 2022

Collecting Windows and Active Directory Event Logs with Graylog

February 4, 2025

In the previous post, we covered how to deploy a centralized log collection and management service based on the Graylog stack (Graylog + OpenSearch + MongoDB). Now let’s cover how…

Extend expired AD user password using PowerShell:

Active Directory PowerShell

Extend an Expired User Password in Active Directory

December 20, 2024

The password policy, which is enabled by default in Active Directory, sets a maximum age for a user’s password. If the password age exceeds this value, it is considered expired,…

Windows 11 compatibility check results in computer properties in AD

Active Directory PowerShell Windows 11

Check Windows 11 Hardware Readiness with PowerShell Script

May 15, 2024

In this article, we’ll look at how to use the official Microsoft HardwareReadiness.ps1 PowerShell script to perform a bulk Windows 11 hardware compatibility check on domain computers.

Enable automatic scavenging of status records

Active Directory Windows Server 2019

Configure DNS Scavenging to Clean Up Stale DNS Records in AD

April 25, 2024

Two special Windows Server DNS features can be used to automatically clean up old DNS records in Active Directory: DNS Aging – allows to determine the age of the dynamically…

Active Directory Group Policies PowerShell

Unlocking Active Directory User Accounts

February 13, 2024

A user account lockout in a domain is one of the most popular reasons why users contact the technical support team. In most cases, the lockout is caused either by…

Active Directory: Core Concepts, Architecture and Best Practices

Understanding Active Directory concepts and architecture

Install and configure Active Directory domain controller on Windows Server

Active Directory management tools

Manage users, groups, and computers in Active Directory

What Others Are Reading in Active Directory