Enterprise IT Infrastructure

Active Directory
Implementation Guide

Complete guide to design, deploy, and manage Microsoft Active Directory — from concept to production-ready architecture.

Chapter 01

What is Active Directory?

Microsoft's directory service that stores information about objects on a network and makes this information available to users and administrators.

🔒 Identity & Access

Centralized identity management for users, computers, and services across the enterprise network.

📄 Directory Service

Hierarchical database of network resources following LDAP (Lightweight Directory Access Protocol) standards.

Policy Management

Group Policy Objects (GPOs) enable centralized configuration of computers and user settings.

🔗 Authentication

Kerberos and NTLM protocols provide secure Single Sign-On (SSO) authentication.

AD History Timeline

1999

Windows 2000 Server

Active Directory introduced as part of Windows 2000 Server, replacing Windows NT domain model.

2003

Windows Server 2003

Forest and domain functional levels introduced. Cross-forest trusts and improved replication.

2008

Windows Server 2008

Read-Only Domain Controllers (RODC), fine-grained password policies, AD Recycle Bin preview.

2012

Windows Server 2012

Dynamic Access Control, AD Recycle Bin GUI, Kerberos armoring, Virtualization-safe replication.

2016

Windows Server 2016

Privileged Access Management (PAM), Azure AD integration, just-in-time administration.

2019

Windows Server 2019

Enhanced hybrid cloud support, Security improvements, Azure Arc integration capabilities.

2022

Windows Server 2022

Secured-core server, TLS 1.3, SMB AES-256 encryption, advanced threat protection built-in.

2024

Microsoft Entra ID

Azure Active Directory rebranded to Microsoft Entra ID — cloud-native identity platform at scale.

💡 Core AD Components

  • Forest: Top-level security and administrative boundary
  • Domain: Administrative unit containing users, computers, and groups
  • OU: Organizational Unit — logical container for policy application
  • DC: Domain Controller — server hosting the AD database (NTDS.dit)
  • GC: Global Catalog — partial replica of all objects in the forest
  • FSMO: Flexible Single Master Operations — 5 special DC roles
  • GPO: Group Policy Object — configuration settings for users/computers
  • Schema: Defines all object classes and attributes in the directory
Chapter 02

Active Directory Types

Microsoft Active Directory comes in multiple service types, each designed for specific use cases and deployment scenarios.

On-Premises

Active Directory Domain Services (AD DS)

The core Active Directory service. Stores directory information and manages communication between users and domains, including user logon processes, authentication, and directory searches.

  • ✅ Centralized user and computer management
  • ✅ Kerberos-based authentication (SSO)
  • ✅ Group Policy administration
  • ✅ LDAP directory service
  • ✅ DNS integration required
  • ✅ Replication between DCs
  • ✅ FSMO role management
  • ✅ Schema extensible
AD DS Architecture (diagram): Forest contoso.com → Root Domain → Child Domain A, Child Domain B
Cloud / Hybrid

Microsoft Entra ID (Azure AD)

Cloud-based identity and access management service. Not a direct replacement for AD DS but complements it for cloud and hybrid scenarios. Supports OAuth 2.0, OIDC, SAML 2.0.

  • ✅ Cloud-native identity platform
  • ✅ Multi-tenant SaaS application support
  • ✅ Conditional Access policies
  • ✅ MFA / Passwordless auth
  • ✅ Identity Protection (risk-based)
  • ✅ Privileged Identity Management (PIM)
  • ✅ Azure AD Connect for hybrid sync
  • ✅ B2B / B2C scenarios
Note: Azure AD Domain Services (AADDS) provides managed domain services (LDAP, Kerberos, NTLM) without managing DCs.
Hybrid Identity Architecture (diagram): On-Prem AD DS ⇄ Azure AD Connect ⇄ Microsoft Entra ID → Microsoft 365, Azure Apps, SaaS Apps
On-Premises

Active Directory Certificate Services (AD CS)

Creates a Public Key Infrastructure (PKI) for issuing and managing digital certificates. Enables secure communications, code signing, smart card logon, and data encryption.

  • ✅ Certificate Authority (CA) management
  • ✅ Root CA and Subordinate CA hierarchy
  • ✅ Auto-enrollment for machine/user certs
  • ✅ OCSP / CRL distribution
  • ✅ Smart card authentication
  • ✅ SSL/TLS certificate issuance
  • ✅ Code signing certificates
  • ✅ EFS (Encrypting File System) support
PKI Hierarchy (diagram): Offline Root CA → Subordinate CA 1, Subordinate CA 2 → User Certs, Machine Certs, Server Certs
Hybrid

Active Directory Federation Services (AD FS)

Provides federated identity and Single Sign-On for web-based applications across organizational boundaries. Enables claims-based authentication using SAML 2.0, WS-Federation, OAuth 2.0.

  • ✅ Cross-organization SSO (federation)
  • ✅ SAML 2.0 / WS-Federation support
  • ✅ Claims transformation rules
  • ✅ Multi-Factor Authentication integration
  • ✅ Web Application Proxy (WAP)
  • ✅ Device registration service
  • ✅ OAuth 2.0 / OpenID Connect
  • ✅ Token issuance and validation
AD FS Federation Flow (diagram): User → AD FS (STS) → Partner App, carrying a claims-based token
On-Premises

Active Directory Lightweight Directory Services (AD LDS)

Provides LDAP directory services for directory-enabled applications without requiring a full AD DS deployment. Runs as a non-OS service, allowing multiple instances per server.

  • ✅ Standalone LDAP directory service
  • ✅ Multiple instances on one server
  • ✅ No domain/forest dependency
  • ✅ Custom schema per application
  • ✅ Application-specific directory data
  • ✅ Lightweight deployment
  • ✅ Runs on Server Core
AD LDS Use Cases: Web App User Store, Auth Data Store, Custom Directory, Dev / Test LDAP
On-Premises

Active Directory Rights Management Services (AD RMS)

Information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use. Controls access to documents, email, and web content.

  • ✅ Document rights management (DRM)
  • ✅ Email protection (IRM in Exchange)
  • ✅ Usage policy enforcement
  • ✅ Persistent content protection
  • ✅ Offline protection support
  • ✅ SharePoint integration
  • ✅ Office application integration
  • ☑ Superseded by Azure Information Protection
RMS Protection Flow (diagram): Create Document → Apply Rights Policy → RMS License Check → Authorized Access
Chapter 03

Windows Server Editions

Choosing the right Windows Server edition is critical for cost optimization and feature requirements.

Feature                  | Essentials 2022 | Standard 2022 | Datacenter 2022
-------------------------|-----------------|---------------|----------------
Max Processors           | 1               | Unlimited     | Unlimited
Max RAM                  | 128 GB          | 24 TB         | 24 TB
User Limit               | 25 users        | Unlimited     | Unlimited
Domain Controller        |                 |               |
CALs Required            | ❌ No           | ✅ Yes        | ✅ Yes
VMs per License          | 1 VM            | 2 VMs         | Unlimited
Hyper-V                  |                 |               |
Storage Spaces Direct    |                 |               |
Shielded VMs             |                 |               |
Storage Replica          |                 | Limited       |
Network Controller       |                 |               |
Approx. License Price    | ~$501           | ~$1,069       | ~$6,155
Essentials

Best For

Small businesses with up to 25 users. Simple file/print sharing, basic domain services. No VM stacking.

Small Office · Simple Domain · No Virtualization
Datacenter

Best For

Highly virtualized datacenters. Unlimited VMs. Required for SDN, Storage Spaces Direct, Shielded VMs.

Large Enterprise · Hyper-V Hosts · Full SDN / S2D

Domain & Forest Functional Levels

  • Win Server 2008 R2: AD Recycle Bin, Managed Service Accounts
  • Win Server 2012: KDC support for claims, compound auth, Kerberos armoring
  • Win Server 2012 R2: Protected Users group, Authentication Policy Silos
  • Win Server 2016: Privileged Access Management (PAM) forest trust
  • Win Server 2019 / 2022: No new FL features yet; inherits all 2016 features
Chapter 04

Implementation Solution

Step-by-step guide to deploying Active Directory in your organization.

Step 01: Planning & Assessment

📋 Inventory Current Environment

Document existing users, computers, groups, applications, and network topology.

🏠 Design Domain Structure

Determine the number of forests and domains and the domain names (decide between a .local suffix and a routable DNS suffix; a routable suffix is the recommended choice).

👥 Plan OU Hierarchy

Design OU structure based on administrative delegation, not org chart. Reflect GPO application needs.

🔗 Define Site Topology

Map physical locations to AD Sites. Plan site links and replication schedule.

Step 02: Infrastructure Preparation

💻 Server Hardware / VMs

Minimum: 2 vCPU, 4 GB RAM, 60 GB disk per DC. Recommended: 4 vCPU, 8 GB RAM, 100 GB.

📡 Network Configuration

Assign a static IP to every DC. Point each DC's DNS client at itself (for the first DC) or at other DCs. Ensure the required ports are open: TCP/UDP 88, 389, 636, 3268, 3269, 445, 49152-65535.

📄 OS Installation & Updates

Install Windows Server, apply all updates. Rename server before promotion. Join to workgroup (not another domain yet).

Step 03: AD DS Deployment

PowerShell — Install AD DS Role & Promote First DC
# Step 1: Install the AD DS role together with the RSAT management tools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: Import the deployment module (installed with the role)
Import-Module ADDSDeployment

# Step 3: Prompt for the DSRM (Directory Services Restore Mode) password
# rather than hard-coding it in the script; it is needed for offline recovery
$dsrmPassword = Read-Host -Prompt "DSRM password" -AsSecureString

# Step 4: Promote to Domain Controller, creating a new forest and root domain.
# WinThreshold is the Windows Server 2016 level, the highest available for 2016-2022 DCs.
Install-ADDSForest `
  -DomainName "contoso.com" `
  -DomainNetbiosName "CONTOSO" `
  -DomainMode "WinThreshold" `
  -ForestMode "WinThreshold" `
  -DatabasePath "C:\Windows\NTDS" `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -InstallDns:$true `
  -SafeModeAdministratorPassword $dsrmPassword `
  -Force:$true

# The server restarts automatically after promotion completes
PowerShell — Add Additional Domain Controller
# Install the AD DS role on the second server
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Domain Admin credentials for the existing domain, plus a DSRM password for this DC
$cred = Get-Credential "CONTOSO\Administrator"
$dsrmPassword = Read-Host -Prompt "DSRM password" -AsSecureString

# Promote as an additional writable DC (and Global Catalog, the default) in the existing domain
Install-ADDSDomainController `
  -DomainName "contoso.com" `
  -InstallDns:$true `
  -Credential $cred `
  -SafeModeAdministratorPassword $dsrmPassword `
  -Force:$true
Step 04: Post-Deployment Configuration

🔓 Create OU Structure

Build OU hierarchy. Delegate control to appropriate admin teams. Move default computer/user objects.

Configure Group Policies

Create baseline GPOs: Password Policy, Account Lockout, Security Baseline, Software Deployment.

👥 Create User Accounts & Groups

Bulk create users from HR data. Implement RBAC with security groups. Apply least privilege.

📄 Verify FSMO Roles

Run netdom query fsmo to confirm role placement. Plan FSMO distribution across DCs.

PowerShell — Common Post-Deployment Tasks
# Load the AD cmdlets (installed with -IncludeManagementTools)
Import-Module ActiveDirectory

# Create OU structure (new OUs are protected from accidental deletion by default)
New-ADOrganizationalUnit -Name "Corp" -Path "DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Users" -Path "OU=Corp,DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Computers" -Path "OU=Corp,DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=Corp,DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Servers" -Path "OU=Corp,DC=contoso,DC=com"

# Create user accounts in bulk from CSV
# Expected columns: FirstName,LastName,Username,Password
# The CSV holds initial passwords in clear text: restrict access to it and delete it afterwards
Import-Csv "C:\users.csv" | ForEach-Object {
  New-ADUser `
    -Name "$($_.FirstName) $($_.LastName)" `
    -GivenName $_.FirstName `
    -Surname $_.LastName `
    -SamAccountName $_.Username `
    -UserPrincipalName "$($_.Username)@contoso.com" `
    -Path "OU=Users,OU=Corp,DC=contoso,DC=com" `
    -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) `
    -Enabled $true `
    -ChangePasswordAtLogon $true
}

# Verify FSMO roles (all five sit on the first DC after a new-forest promotion)
netdom query fsmo

# Check AD replication (errors in the summary mean a DC is not in sync)
repadmin /replsummary
repadmin /showrepl
Step 05: Hybrid Identity (Optional)

Install Azure AD Connect

Sync on-premises identities to Microsoft Entra ID. Choose sync method: Password Hash Sync, Pass-Through Auth, or Federation.

🔒 Configure Conditional Access

Set up Entra ID Conditional Access policies. Require MFA for cloud applications. Enable risk-based policies.

Chapter 05

Architecture Design

Reference architectures for small, medium, and enterprise-scale Active Directory deployments.

Single Domain Design
Single Domain Design (diagram): forest company.com with one domain company.com; DC-01 (PDC, all FSMO roles) and DC-02 (redundancy); Users, Computers and Groups OUs; member systems: workstations, file server, print server

Specifications

  • Domain Controllers: 2 DCs (1 primary, 1 standby)
  • FSMO: All roles on DC-01, Schema Master optionally on DC-02
  • DNS: AD-integrated DNS on both DCs
  • Sites: Single AD site
  • OU Depth: 3-4 levels maximum
  • Replication: Within site (auto, every 15 min)
  • Backup: Daily System State backup
💡 Recommendation: Windows Server 2022 Standard. 2 DCs minimum for redundancy. Keep it simple — one domain, flat OU structure.
Regional Domain Design
Regional Domain Design (diagram): forest corp.com with root domain corp.com; HQ site with DC-HQ-01, DC-HQ-02 and a GC server; site Bangkok with DC-BKK-01; site Chiang Mai with DC-CNX-01

Specifications

  • Domain Controllers: 4-6 DCs across sites
  • FSMO: Distributed (Schema/Dom Naming on HQ DCs)
  • Global Catalog: At least 1 GC per site
  • Sites & Services: One site per physical location
  • Site Links: Define cost based on WAN bandwidth
  • DNS: AD-integrated, conditional forwarders
  • RODC: Consider for branch offices with limited physical security
💡 Recommendation: Standard edition per DC. Consider RODC for branch offices. Implement AD Sites & Services properly for efficient replication.
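As an added example (not code from the original guide), the site topology for the regional design above, built with the ActiveDirectory module; the site names follow the diagram, while the subnets, DC names, link costs and replication intervals are assumed values.

```powershell
# Added example (not from the original guide): build the site topology for the
# regional design above with the ActiveDirectory module. Site names match the
# diagram; subnets, link costs and replication intervals are assumed values.
Import-Module ActiveDirectory

# One AD site per physical location; the default site becomes HQ
$defaultSite = Get-ADReplicationSite -Identity "Default-First-Site-Name"
Rename-ADObject -Identity $defaultSite.DistinguishedName -NewName "HQ"
New-ADReplicationSite -Name "Bangkok"
New-ADReplicationSite -Name "ChiangMai"

# Subnet-to-site mapping is what lets clients and DCs find the nearest DC;
# a client in a subnet that maps to no site may authenticate across the WAN
$subnets = @{
    "10.10.0.0/16" = "HQ"
    "10.20.0.0/16" = "Bangkok"
    "10.30.0.0/16" = "ChiangMai"
}
foreach ($cidr in $subnets.Keys) {
    New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
}

# Site links: cost reflects WAN bandwidth (lower = preferred). Bangkok has the
# faster circuit, so it gets the lower cost and the shorter replication interval.
New-ADReplicationSiteLink -Name "HQ-Bangkok" -SitesIncluded "HQ", "Bangkok" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name "HQ-ChiangMai" -SitesIncluded "HQ", "ChiangMai" `
    -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Drop the catch-all default link so the KCC only uses the explicit topology
# (every site is already a member of one of the links above)
Remove-ADReplicationSiteLink -Identity "DEFAULTIPSITELINK" -Confirm:$false

# Move the branch DCs into their sites (these are the RODC candidates)
Move-ADDirectoryServer -Identity "DC-BKK-01" -Site "Bangkok"
Move-ADDirectoryServer -Identity "DC-CNX-01" -Site "ChiangMai"

# Verify the links, then let the KCC rebuild connection objects and check replication
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
repadmin /kcc
repadmin /replsummary
```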
Multi-Domain Forest Design
Multi-Domain Forest Design (diagram): empty forest root corp.com (2 DCs, no users) with regional child domains asia.corp.com (DC-AS-01, DC-AS-02), emea.corp.com (DC-EU-01, DC-EU-02) and americas.corp.com (DC-US-01, DC-US-02)

Specifications

  • Forest: Empty root domain + child domains per region
  • DCs: 2+ per domain, geographically distributed
  • FSMO: Schema/Dom Naming on root, RID/PDC/Infra per child
  • Global Catalog: Multiple GC servers per region
  • Admin Tiers: Tier 0 (DA), Tier 1 (Server Admin), Tier 2 (Workstation)
  • PAM: Privileged Access Workstations (PAWs)
  • Monitoring: Microsoft Defender for Identity (MDI)
💡 Recommendation: Datacenter edition for virtualization hosts. Implement tiered administration model. Deploy MDI for threat detection.
Hybrid Identity Architecture
Hybrid Identity Architecture (diagram): AD DS (DC-01, DC-02) ⇅ Azure AD Connect ⇅ Microsoft Entra ID → Microsoft 365, Azure Resources, Conditional Access

Hybrid Components

  • Azure AD Connect: Identity sync (PHS recommended)
  • Entra ID P2: PIM, Identity Protection, Access Reviews
  • Conditional Access: Risk-based MFA policies
  • Hybrid Join: Devices registered in both AD and Entra ID
  • SSPR: Self-Service Password Reset with writeback
  • App Proxy: Publish on-prem apps via Entra App Proxy
💡 Recommendation: Password Hash Sync is the most resilient sync method. Enable Seamless SSO. Use Entra ID P2 for advanced identity security.

FSMO Roles Reference

Forest-wide (1 per forest)

🌐 Schema Master

Controls all changes to the AD schema. Only one per forest. Keep on a secure, well-maintained DC.

🏠 Domain Naming Master

Controls addition/removal of domains in the forest. Must be a Global Catalog server.

Domain-wide (1 per domain)

📄 RID Master

Allocates pools of relative identifiers (RIDs) to DCs, ensuring unique SIDs for all objects.

📅 PDC Emulator

Password changes, account lockouts, time synchronization, legacy client support. Most sensitive role.

🔗 Infrastructure Master

Updates cross-domain group-to-user references. Should NOT be on a GC server (unless all DCs are GCs).

Chapter 06

Cost Estimator

Estimate your Active Directory implementation costs based on your organization's requirements.

⚙ Configuration Parameters: 100, 2, 1 (sample values entered in the estimator)

📈 Cost Estimate (for the sample inputs)

  • Windows Server Licenses: $2,138
  • Client Access Licenses (CALs): $3,800
  • Server Hardware: $6,000
  • Azure AD / Entra ID (Annual): $0
  • Professional Services: $0
  • AD CS / PKI Setup: $0
  • Microsoft Defender for Identity: $0
  • 📈 Total Upfront Cost: $11,938
  • 📅 Estimated Annual Recurring: $0

⚠️ Estimates are based on MSRP pricing. Actual costs vary by region, volume licensing agreements, and negotiated discounts. Software Assurance may add 25-29% annually but includes upgrade rights.

Licensing Models Comparison

🔒 Perpetual License

One-time purchase. Requires CALs. SA optional for upgrades. Best for stable, long-term deployments.

+ Predictable cost, no recurring fees
- Upfront investment, upgrade costs

📄 Volume Licensing (EA)

Enterprise Agreement. Covers all servers + CALs. Includes Software Assurance. 3-year commitment.

+ Latest versions, Azure hybrid benefit
- 3-year commitment, higher annual cost

☁ Azure SPLA

Service Provider License Agreement. Per-user monthly billing. Best for MSPs and cloud deployments.

+ Pay-as-you-go, no upfront
- Higher total cost over time
Chapter 07

Best Practices

Security hardening, operational excellence, and maintenance guidelines for Active Directory.

🔒 Security Hardening

  • ✅ Implement Tiered Administration Model (Tier 0/1/2)
  • ✅ Use Privileged Access Workstations (PAWs) for Tier 0 admin
  • ✅ Enable Protected Users security group for privileged accounts
  • ✅ Disable NTLM where possible; enforce Kerberos
  • ✅ Configure Authentication Policy Silos
  • ✅ Enable AD Recycle Bin
  • ✅ Audit all changes to privileged groups
  • ✅ Deploy Microsoft Defender for Identity (MDI)
  • ✅ Disable legacy protocols (LM hash, NTLMv1)
  • ✅ Set 120-day maximum password age with 14+ char minimum

Operations & Maintenance

  • ✅ Minimum 2 DCs per domain (never just 1)
  • ✅ Never run DCs as Tier 1 or 2 servers (dedicated role)
  • ✅ Keep DCs fully patched (cumulative updates monthly)
  • ✅ Schedule regular SYSVOL health checks
  • ✅ Monitor replication with repadmin /replsummary
  • ✅ Test FSMO seizure procedures in lab regularly
  • ✅ Document all OU delegations and GPO links
  • ✅ Clean up stale computer accounts (90-day threshold)
  • ✅ Quarterly AD health assessments
  • ✅ Use AGDLP (Account→Global→DomainLocal→Permission)
💾 Backup & Recovery

  • ✅ Daily System State backups of all DCs
  • ✅ Test restore procedures quarterly
  • ✅ Keep backups for at least 180 days (tombstone lifetime)
  • ✅ Store backups off-site or in Azure Backup
  • ✅ Document DSRM password and store securely
  • ✅ Know how to perform authoritative restore
  • ✅ Document the steps to build a DC from scratch
  • ✅ Backup GPO configurations using GPMC
📊 Monitoring & Alerting

  • ✅ Monitor Event ID 4768 (TGT requested), 4769 (service ticket requested), 4771 (Kerberos pre-authentication failed)
  • ✅ Alert on Event ID 4720/4722 (account created/enabled)
  • ✅ Alert on group membership changes (4728 global, 4732 local, 4756 universal group member added)
  • ✅ Monitor SYSVOL replication (DFSR)
  • ✅ Track logon failures (Event ID 4625)
  • ✅ Watch for Kerberoasting / Pass-the-Hash indicators
  • ✅ Deploy Microsoft Sentinel with AD connector
  • ✅ Set up SIEM alerts for Golden Ticket attacks
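Detection logic for the event IDs listed above, as an added example that is not part of the original guide: real records come from Get-WinEvent on a DC, the sample records at the end are constructed, and the Tier 0 group names and thresholds are assumptions.

```powershell
# Added example (not from the original guide): detection rules for the Security
# event IDs listed above. Real records come from Get-WinEvent on a DC; the
# sample records at the end are constructed. Group names and thresholds are assumptions.

$tier0Groups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"

# Normalise an EventLogRecord into Id / Time / Data (named fields from the XML),
# so the rules do not depend on the positional order of the Properties array
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $Record.Id; Time = $Record.TimeCreated; Data = $data }
    }
}

function Find-AdAlerts {
    param([object[]] $Events, [int] $SprayThreshold = 10, [int] $WindowMinutes = 5)
    $alerts = @()

    # Rule 1: a member added to a Tier 0 group (4728 global, 4732 local, 4756 universal)
    foreach ($e in $Events | Where-Object { $_.Id -in 4728, 4732, 4756 }) {
        if ($e.Data.TargetUserName -in $tier0Groups) {
            $alerts += "HIGH $($e.Time) $($e.Data.SubjectUserName) added $($e.Data.MemberName) to '$($e.Data.TargetUserName)' (Event $($e.Id))"
        }
    }

    # Rule 2: account created (4720) or enabled (4722); review who did it
    foreach ($e in $Events | Where-Object { $_.Id -in 4720, 4722 }) {
        $alerts += "MED  $($e.Time) $($e.Data.SubjectUserName) created/enabled $($e.Data.TargetUserName) (Event $($e.Id))"
    }

    # Rule 3: a burst of 4771 (Kerberos pre-auth failed) from one source against
    # many accounts inside a short window is the classic password-spray signature
    foreach ($src in $Events | Where-Object { $_.Id -eq 4771 } | Group-Object { $_.Data.IpAddress }) {
        $sorted = @($src.Group | Sort-Object Time)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $users  = @($sorted | ForEach-Object { $_.Data.TargetUserName } | Select-Object -Unique).Count
        if ($src.Count -ge $SprayThreshold -and $span -le $WindowMinutes) {
            $alerts += "HIGH $($sorted[0].Time) $($src.Count) pre-auth failures from $($src.Name) against $users accounts in $([math]::Round($span, 1)) min"
        }
    }
    return $alerts
}

# Constructed sample: one Domain Admins addition, then 12 failures from one host in one minute
$now    = Get-Date
$sample = @([pscustomobject]@{ Id = 4728; Time = $now; Data = @{
    SubjectUserName = "jdoe"; MemberName = "CN=svc-backup,OU=Users,OU=Corp,DC=contoso,DC=com"; TargetUserName = "Domain Admins" } })
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{ Id = 4771; Time = $now.AddSeconds($i * 5); Data = @{ TargetUserName = "user$i"; IpAddress = "::ffff:10.20.5.77" } }
}
Find-AdAlerts -Events $sample   # two HIGH alerts for the constructed sample

# Against a live DC, last 24 hours:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722, 4728, 4732, 4756, 4771; StartTime = (Get-Date).AddDays(-1) } | ConvertFrom-SecurityEvent
# Find-AdAlerts -Events $live
```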

☑ AD Security Checklist

Domain Functional Level raised to maximum supported
AD Recycle Bin enabled
Fine-Grained Password Policy for admin accounts
LAPS deployed for local admin password management
SMB signing enforced via GPO
LDAP signing and channel binding required
krbtgt password rotated (twice) after incidents
Domain Admins not used for day-to-day admin tasks
WDigest authentication disabled (prevent cleartext in LSASS)
Credential Guard enabled on Tier 0 servers
No service accounts with Kerberos delegation (unconstrained)
Microsoft Defender for Identity deployed
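A read-only audit of several items on the checklist above, added here as an example and not taken from the original guide: it assumes the ActiveDirectory module on a DC, reads the registry-backed settings from the local DC only, and treats the 180-day krbtgt age limit as an assumed threshold.

```powershell
# Added example (not from the original guide): read-only audit of checklist items.
# Assumes the ActiveDirectory module on a DC. Registry values are read from this
# DC only; the 180-day krbtgt threshold is an assumption.
Import-Module ActiveDirectory

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}
function Get-Reg([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Functional level: Windows2016Domain (enum value 7) is the highest for 2016-2022 DCs
$dom = Get-ADDomain
Add-Check "Functional level" ([int]$dom.DomainMode -ge 7) "$($dom.DomainMode)"

# AD Recycle Bin: EnabledScopes stays empty until the feature is turned on
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
Add-Check "AD Recycle Bin" ($rb.EnabledScopes.Count -gt 0) "$($rb.EnabledScopes.Count) scope(s)"

# Fine-grained password policy objects (intended for admin accounts)
$fgpp = @(Get-ADFineGrainedPasswordPolicy -Filter *)
Add-Check "Fine-grained password policy" ($fgpp.Count -gt 0) "$($fgpp.Count) PSO(s)"

# LAPS schema present: legacy ms-Mcs-AdmPwd or Windows LAPS msLAPS-Password
$schema = (Get-ADRootDSE).schemaNamingContext
$laps = @(Get-ADObject -SearchBase $schema -LDAPFilter "(|(name=ms-Mcs-AdmPwd)(name=msLAPS-Password))")
Add-Check "LAPS schema extension" ($laps.Count -gt 0) ($laps.Name -join ', ')

# Registry-backed settings on this DC
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Add-Check "SMB signing required" ((Get-Reg 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature') -eq 1) "RequireSecuritySignature=1"
Add-Check "LDAP signing required" ((Get-Reg $ntds 'LDAPServerIntegrity') -eq 2) "LDAPServerIntegrity=2 (Require signing)"
Add-Check "LDAP channel binding" ((Get-Reg $ntds 'LdapEnforceChannelBinding') -eq 2) "LdapEnforceChannelBinding=2 (Always)"
# WDigest: UseLogonCredential absent means disabled on Server 2012 R2 and later
Add-Check "WDigest disabled" ((Get-Reg 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential') -ne 1) "UseLogonCredential must not be 1"

# krbtgt password age (rotate twice after an incident, waiting for replication in between)
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
$age = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
Add-Check "krbtgt password age" ($age -le 180) "$age days"

# Domain Admins members that are not in Protected Users
$da = @(Get-ADGroupMember "Domain Admins" -Recursive | Where-Object objectClass -eq 'user')
$pu = @(Get-ADGroupMember "Protected Users" -Recursive | Select-Object -ExpandProperty SamAccountName)
$missing = @($da | Where-Object { $_.SamAccountName -notin $pu } | Select-Object -ExpandProperty SamAccountName)
Add-Check "Domain Admins in Protected Users" ($missing.Count -eq 0) ($missing -join ', ')

# Unconstrained delegation (userAccountControl bit 0x80000) on anything that is not a DC
# (DCs have primaryGroupID 516, RODCs 521, and legitimately carry the flag)
$uncon = @(Get-ADObject -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))')
Add-Check "No unconstrained delegation" ($uncon.Count -eq 0) ($uncon.Name -join ', ')

$results | Format-Table -AutoSize
```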
Chapter 08

FAQ & Resources

Frequently asked questions about Active Directory implementation and management.

How many Domain Controllers should I deploy?

At minimum, deploy 2 DCs per domain for redundancy. A general guideline is 1 DC per 1,000-2,000 users, plus at least 1 DC per site/location. For branch offices with fewer than 50 users and limited physical security, consider a Read-Only Domain Controller (RODC) to reduce risk.

Should I use a .local domain name or a routable DNS suffix?

Use a routable DNS suffix (e.g., corp.contoso.com); contoso.local is no longer recommended. Microsoft recommends using a subdomain of your public domain (e.g., corp.contoso.com) or a completely separate routable domain. The .local suffix causes issues with mDNS/Bonjour, macOS clients, and hybrid Azure AD scenarios.

What's the difference between AD DS and Azure AD (Entra ID)?

AD DS is the traditional on-premises directory service using Kerberos/NTLM, LDAP, Group Policy, and OUs. Microsoft Entra ID is a cloud-based identity platform using OAuth 2.0, OIDC, SAML 2.0 — built for internet-scale and SaaS applications. They are complementary, not interchangeable. Most enterprises use hybrid identity: AD DS on-premises synced to Entra ID via Azure AD Connect.

How do I migrate from Windows Server 2012 R2 DCs to 2022?

Use the "introduce new, transfer roles, decommission old" method: (1) Add new WS2022 DCs to the existing domain, (2) Let replication sync fully, (3) Transfer FSMO roles to new DCs using Move-ADDirectoryServerOperationMasterRole, (4) Raise Domain/Forest Functional Level after removing all old DCs, (5) Decommission old DCs using dcpromo /forceremoval and clean up metadata.
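The transfer, verify, decommission and raise-level steps of the answer above in PowerShell, added as an example that is not from the original guide; it assumes the ActiveDirectory module on the new DC, and the host names (DC-03 new, DC-01 old) are placeholders.

```powershell
# Added example (not from the original guide): steps 2-5 of the migration answer,
# run from a new Windows Server 2022 DC. Host names are placeholders.
Import-Module ActiveDirectory

# Step 2 check: do not move roles until the new DC has replicated without errors
repadmin /replsummary

# Step 3: transfer all five FSMO roles to the new DC (a transfer, not a seizure:
# the old holder is still online, so its state is updated cleanly)
Move-ADDirectoryServerOperationMasterRole -Identity "DC-03" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# Confirm placement from both the forest and the domain objects
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Step 5 (run on each old DC once clients and DNS no longer point at it):
# graceful demotion removes the DC's own metadata; the forced removal in the
# answer is for a DC that can no longer demote cleanly and then needs metadata cleanup
# Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host "Local admin password" -AsSecureString) -Force:$true

# Step 4: raise the functional levels only once no 2012 R2 DC remains
$old = @(Get-ADDomainController -Filter * | Where-Object OperatingSystem -like "*2012 R2*")
if ($old.Count -eq 0) {
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2016Domain -Confirm:$false
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2016Forest -Confirm:$false
} else {
    "Old DCs still present, levels not raised: $($old.HostName -join ', ')"
}
```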

Can I run Active Directory on virtual machines?

Yes — this is the standard approach today. Key considerations: (1) Use VM Generation ID aware hypervisors (Hyper-V, VMware 5.5+), (2) Never snapshot/restore DCs — it causes USN rollback, (3) Don't co-locate all DC VMs on a single physical host (anti-affinity rules), (4) Ensure DCs have sufficient dedicated resources and are not overprovisioned. The AD Recycle Bin is a better option than VM snapshots.

What are the firewall ports required for Active Directory?

Port        | Protocol | Service
------------|----------|-------------------------
53          | TCP/UDP  | DNS
88          | TCP/UDP  | Kerberos
135         | TCP      | RPC Endpoint Mapper
137-138     | UDP      | NetBIOS (legacy)
389         | TCP/UDP  | LDAP
445         | TCP      | SMB (SYSVOL, NETLOGON)
636         | TCP      | LDAPS (LDAP over SSL)
3268        | TCP      | Global Catalog
3269        | TCP      | Global Catalog SSL
49152-65535 | TCP      | RPC Dynamic Ports

What is the AGDLP naming convention?

AGDLP = Accounts → Global groups → Domain Local groups → Permissions. Place user accounts in Global security groups (organized by role/department). Nest Global groups into Domain Local groups. Assign resource permissions to Domain Local groups. This allows cross-domain membership while keeping permission management simple and scalable.
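AGDLP applied to a file share, as an added example that is not part of the original guide: the group names, OU path, user names and share path are assumed values, and it assumes the ActiveDirectory module on the file server.

```powershell
# Added example (not from the original guide): AGDLP for a finance share.
# Group names, OU path, user names and share path are assumed values.
Import-Module ActiveDirectory

$groupOu = "OU=Groups,OU=Corp,DC=contoso,DC=com"
$share   = "D:\Shares\Finance"

# A -> G: accounts go into a Global group that names a role, not a resource
New-ADGroup -Name "G-Finance-Staff" -GroupScope Global -GroupCategory Security -Path $groupOu `
            -Description "Role: finance department staff"
Add-ADGroupMember -Identity "G-Finance-Staff" -Members "jdoe", "asmith"

# DL: one Domain Local group per resource and permission level
New-ADGroup -Name "DL-Finance-Share-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupOu `
            -Description "Modify on $share"
New-ADGroup -Name "DL-Finance-Share-Read" -GroupScope DomainLocal -GroupCategory Security -Path $groupOu `
            -Description "Read on $share"

# G -> DL: nest the role group into the resource group
# (Global groups from other domains in the forest can be nested the same way)
Add-ADGroupMember -Identity "DL-Finance-Share-Modify" -Members "G-Finance-Staff"

# DL -> P: permissions go only to the Domain Local groups, never to users or Global groups.
# If the file server talks to another DC, wait for replication before the new SIDs resolve.
$acl = Get-Acl -Path $share
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the parent folder's ACEs
$rules = @(
    @{ Id = "CONTOSO\DL-Finance-Share-Modify"; Rights = "Modify" },
    @{ Id = "CONTOSO\DL-Finance-Share-Read";   Rights = "ReadAndExecute" },
    @{ Id = "BUILTIN\Administrators";          Rights = "FullControl" }
)
foreach ($r in $rules) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Id, $r.Rights, "ContainerInherit,ObjectInherit", "None", "Allow"))
}
Set-Acl -Path $share -AclObject $acl

# Verify: the ACL should list only DL groups and built-ins, no direct user ACEs
(Get-Acl -Path $share).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```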