Windows OS Hub
Active Directory: Core Concepts, Architecture and Best Practices

Active Directory (AD) is a hierarchical directory service from Microsoft that is used in a Windows domain environment to organize and centrally manage different types of objects: computers, users, servers, printers, etc. AD is at the heart of management and authentication in organizations that run a Windows domain. Active Directory is tightly integrated with many Microsoft services and applications, such as DNS, DHCP, and Exchange Server. Because all user accounts are stored in a single AD database, users can log on to any computer in the AD domain with their personal account and password (unlike a workgroup, where each computer keeps its own local user database).

Understanding Active Directory concepts and architecture

AD is organized in a hierarchical structure. The AD architecture consists of the following basic elements:

  • AD forest – the top level of the Active Directory hierarchy. A forest is a collection of related domains that share a common schema, structure, and global catalog;
  • Domain – a separate area within the AD forest with its own security boundary and replication scope. It contains users, computers, groups, and other objects;
  • Organizational Unit (OU) – a container for logically grouping objects within a domain (similar to a folder on a drive). The OU is the level at which GPOs are linked and AD permissions are delegated;
  • Domain Controller (DC) – to deploy an Active Directory domain, install the Active Directory Domain Services (AD DS) role on a Windows Server machine. This server becomes a domain controller. Depending on the needs and size of the domain, it can have one or more domain controllers. A domain controller authenticates users and services requests for access to network resources (it acts as a logon server);
  • AD database (NTDS.DIT) – stored on each domain controller. Every DC holds its own copy of the database and replicates any new or changed data to the other DCs;
  • Active Directory Sites – AD objects representing one or more physical IP subnets connected by fast LAN links. Typically, AD sites reflect physical (geographic) or logical boundaries within your corporate network. Clients authenticate against, and retrieve GPO files from, the domain controllers in their own site. Each site can contain one or more domain controllers. To reduce the load on WAN links, you can configure the replication interval between sites;
  • Global Catalog (GC) – a role that can be assigned to any domain controller. A GC is used to perform lookups and authentication across domains; it stores a partial replica of object information for the whole forest;
  • Group Policy Objects (GPO) – allow administrators to configure settings for domain computers and users centrally;
  • AD Schema – defines the object classes and the attributes that objects in Active Directory can have.

[Figure: Active Directory structure and architecture]

Install and configure Active Directory domain controller on Windows Server

Let’s take a look at some useful guides for the installation, configuration, and maintenance of AD domain controllers:

  • Installing AD controller on Windows Server Core
  • Adding an additional DC to an existing AD domain
  • How to demote (remove) a domain controller from Active Directory
  • How to properly rename the AD domain
  • Install and Configure Read-Only Domain Controller (RODC)
  • Checking AD domain controller health and replication state
  • How to backup and restore the Active Directory domain controller
  • Reset domain administrator password in AD

All Active Directory domain controllers are peers and perform the same functions. However, to prevent conflicting updates, some AD operations require that changes originate from a single controller. These operations are called Flexible Single-Master Operations (FSMO), and the domain controllers that hold FSMO roles are called Operations Masters.

There are five FSMO roles:

  • Schema Master
  • Domain Naming Master
  • Infrastructure Master
  • RID Master
  • PDC Emulator

The list of Operations Master DCs holding FSMO roles can be displayed with the following command:

netdom query fsmo

You can move FSMO roles from one domain controller to another.
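As an added example (not from the original article), the same inventory can be taken with the Active Directory PowerShell module, with a reachability check on each role holder before any transfer is considered. It assumes the RSAT ActiveDirectory module is installed and that the session runs as a domain user; the DC name 'DC02' in the commented transfer line is a placeholder.

```powershell
# Added example: list the five FSMO role holders and verify each one answers on LDAP.
# Assumes the RSAT ActiveDirectory module is present (see the Add-WindowsCapability command below).
Import-Module ActiveDirectory

$forest = Get-ADForest   # forest-wide roles live here
$domain = Get-ADDomain   # domain-wide roles live here

$roles = [ordered]@{
    'SchemaMaster'         = $forest.SchemaMaster
    'DomainNamingMaster'   = $forest.DomainNamingMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
    'RIDMaster'            = $domain.RIDMaster
    'PDCEmulator'          = $domain.PDCEmulator
}

$report = foreach ($role in $roles.Keys) {
    $dc = $roles[$role]
    # A DC that does not answer on TCP/389 (LDAP) cannot serve its FSMO role.
    $alive = Test-NetConnection -ComputerName $dc -Port 389 `
                 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $role; Holder = $dc; Online = $alive }
}

$report | Format-Table -AutoSize

# Warn about roles held by an unreachable DC. An offline PDC Emulator breaks
# domain time sync and urgent password replication; an offline RID Master stops
# the issue of new RID pools, so creation of new security principals eventually fails.
$report | Where-Object { -not $_.Online } | ForEach-Object {
    Write-Warning "FSMO role $($_.Role) is held by $($_.Holder), which is not reachable on LDAP/389"
}

# Graceful transfer (both the current holder and the target must be online).
# Placeholder target name; uncomment and adjust before use:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator
```

A transfer requires the source DC to be online; seizing a role from a permanently lost DC is a different, one-way operation and the old holder must never be brought back afterwards.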

Active Directory management tools

In the Windows environment, several tools are available for administering Active Directory. You can use graphical MMC snap-ins, command-line tools, and PowerShell cmdlets for AD management:

  • Active Directory Users and Computers, ADUC (dsa.msc) MMC console – one of the most widely used AD administration tools. It allows you to create, delete, and move various AD objects (users, computers, groups, organizational units) and edit their attributes;
  • ADAC (Active Directory Administrative Center) – basic functionality similar to ADUC, but with more options for managing child domains;
  • ADSS (Active Directory Sites and Services) – used to manage AD sites, subnets, topology, and the replication schedule;
  • ADDT (Active Directory Domains and Trusts) – used to manage trust relationships between domains and establish cross-domain connections;
  • AD Schema – AD schema management tool;
  • GPMC (Group Policy Management, gpmc.msc) – used to manage Group Policy Objects (GPOs) in the AD domain;
  • ADSIEdit – MMC snap-in that allows you to connect to the LDAP AD directory database and edit attributes and configuration at a lower level;
  • Active Directory module for Windows PowerShell includes all the cmdlets you need to manage AD objects, settings, and policies from the PowerShell console.

AD management tools can be used not only directly on a Windows Server holding the domain controller role, but also from a regular user workstation. To do this, install the RSAT administration package. On Windows 10/11 this can be done with the command:

Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Manage users, groups, and computers in Active Directory

There are many detailed Active Directory setup and administration guides available on our website. The following is a list of typical operations with different types of AD objects:

Active Directory machine (computer) accounts:

  • Join a Windows computer to an Active Directory domain
  • Cached domain logon credentials on Windows
  • Deny and allow workstation logons in Active Directory
  • Fill the AD computer description with PowerShell
  • Repairing the trusted relationship between the workstation and the AD domain

Active Directory users:

  • Create a new user account in Active Directory
  • How to find the source of AD account lockouts
  • Unlock user account in Active Directory
  • Change (reset) a user’s password in Active Directory
  • Managing UserPrincipalName and UPN suffixes in Active Directory
  • Notify AD users when their password is about to expire
  • Add user to local administrator group on AD computers

Active Directory groups:

  • How to create an AD group with dynamic membership using PowerShell
  • Temporary group membership in Active Directory

Other Active Directory features and usage scenarios

  • Restoring deleted AD objects
  • How to find inactive users and computers in Active Directory
  • Using Active Directory saved queries
  • Group Managed service account overview (MSA, gMSA)
Active Directory, Group Policies, Questions and Answers, Windows Server 2022

Configure NTP Time Source for Active Directory Domain

May 6, 2025

Time synchronization in an Active Directory domain is critical to the proper functioning of domain services and security mechanisms. If a proper and reliable time sync scheme is not configured in…

Active Directory, Windows 11, Windows Server 2022

How to Block Common (Weak) Passwords in Active Directory

March 25, 2025

Only the most basic password length, frequency, and complexity requirements can be enabled for domain users in the default Active Directory password policy. Enabling the mandatory password complexity option, which…

Active Directory, Group Policies, Windows Server 2022

Exclude a Specific User or Computer from Group Policy

March 12, 2025

There are several ways to prevent certain Group Policy Object (GPO) settings from being applied to specific users and/or computers in Active Directory: Use GPO security filtering to control which…

Active Directory, Windows 11, Windows Server 2022

AD Domain Join: Computer Account Re-use Blocked

March 11, 2025

When attempting to join a computer to an Active Directory domain, an error may occur: Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: An account with the same name exists in Active Directory. Re-using…

Active Directory, Windows Server 2022

Collecting Windows and Active Directory Event Logs with Graylog

February 4, 2025

In the previous post, we covered how to deploy a centralized log collection and management service based on the Graylog stack (Graylog + OpenSearch + MongoDB). Now let’s cover how…

Active Directory, PowerShell

Extend an Expired User Password in Active Directory

December 20, 2024

The password policy, which is enabled by default in Active Directory, sets a maximum age for a user’s password. If the password age exceeds this value, it is considered expired,…

Active Directory, PowerShell, Windows 11

Check Windows 11 Hardware Readiness with PowerShell Script

May 15, 2024

In this article, we’ll look at how to use the official Microsoft HardwareReadiness.ps1 PowerShell script to perform a bulk Windows 11 hardware compatibility check on domain computers.

Active Directory, Windows Server 2019

Configure DNS Scavenging to Clean Up Stale DNS Records in AD

April 25, 2024

Two special Windows Server DNS features can be used to automatically clean up old DNS records in Active Directory: DNS Aging – allows determining the age of dynamically…

Active Directory, Group Policies, PowerShell

Unlocking Active Directory User Accounts

February 13, 2024

A user account lockout in a domain is one of the most popular reasons why users contact the technical support team. In most cases, the lockout is caused either by…

Active Directory, Windows 10, Windows 11

Error: The Specified Domain Doesn’t Exist or Couldn’t Be Contacted

January 23, 2024

The main reason for the "The specified domain either does not exist or could not be contacted" error in Windows is usually incorrect network settings on the computer…

© 2014–2024 Windows OS Hub. All about operating systems for sysadmins