Active Directory Fundamentals

Last updated: January 13, 2026

📚 Reference: This guide aligns with Active Directory Domain Services Overview

My First Encounter with Active Directory

I'll never forget my first major Active Directory project. The organization had grown organically over a decade, and their AD structure reflected it – a chaotic mix of poorly named OUs, users in the wrong containers, and GPOs applied haphazardly. Cleaning up that environment taught me more about AD architecture than any book could.

That experience shaped how I approach Active Directory design today: start with solid fundamentals, plan for growth, and build with intention rather than reaction.

What is Active Directory Domain Services?

Active Directory Domain Services (AD DS) is Microsoft's directory service for Windows domain networks. In every enterprise environment I've managed, AD DS serves as the central nervous system, handling:

Authentication: Who are you?
Authorization: What can you access?
Directory Services: Where is everything?
Policy Management: How should things be configured?

Why AD DS Matters

In my experience, a well-designed AD DS provides:

Centralized Management: Single source of truth for user identities
Security: Centralized authentication and authorization
Scalability: From 10 to 10,000+ users with the same architecture
Integration: Foundation for Exchange, SharePoint, SQL Server, and third-party apps
Automation: PowerShell-based management for repeatable tasks

Active Directory Architecture

The Logical Structure

Forest

The forest is the top-level container and security boundary. In my deployments:

Single Forest (Most Common)

All domains share the same schema
Trust relationships are automatic
Global catalog is shared
Best for single organizations

Multiple Forests (Rare)

Complete isolation between forests
Explicit trusts required
Used when companies need strict separation
More complex to manage

Domain

A domain is an administrative boundary within a forest. My typical domain decisions:

Single Domain

Forest: company.com
└── Domain: company.com (Single domain)
    ├── OU: Corporate
    ├── OU: Branch Offices
    └── OU: Servers

Multiple Domains

Forest: company.com
├── Domain: corp.company.com (Corporate)
├── Domain: manufacturing.company.com (Manufacturing division)
└── Domain: research.company.com (Research division - strict isolation)

When I use multiple domains:

Geographic distribution with poor WAN links
Different security or password policies required
Political/organizational boundaries
Acquisitions that maintain separate IT

Organizational Units (OUs)

OUs are containers for organizing objects within a domain. This is where I spend most of my design time.

My OU Design Principles

By Location

Domain: company.com
├── OU: US
│   ├── OU: New York
│   ├── OU: Los Angeles
│   └── OU: Chicago
└── OU: Europe
    ├── OU: London
    └── OU: Paris

By Function

Domain: company.com
├── OU: Users
│   ├── OU: Executives
│   ├── OU: IT Staff
│   ├── OU: Finance
│   └── OU: Sales
├── OU: Computers
│   ├── OU: Workstations
│   ├── OU: Laptops
│   └── OU: Kiosks
└── OU: Servers
    ├── OU: Domain Controllers
    ├── OU: File Servers
    └── OU: Application Servers

Hybrid Approach (What I typically use)

Domain: company.com
├── OU: Corporate
│   ├── OU: Users
│   │   ├── OU: IT
│   │   ├── OU: Finance
│   │   └── OU: HR
│   ├── OU: Computers
│   │   ├── OU: Desktops
│   │   └── OU: Laptops
│   └── OU: Groups
│       ├── OU: Security Groups
│       └── OU: Distribution Groups
├── OU: Servers
│   ├── OU: Infrastructure
│   │   ├── OU: Domain Controllers
│   │   └── OU: File Servers
│   └── OU: Applications
│       ├── OU: Web Servers
│       └── OU: Database Servers
└── OU: Branch Offices
    ├── OU: New York
    └── OU: Los Angeles

OU Delegation

One powerful feature I use regularly is OU delegation – allowing help desk staff or local admins to manage specific OUs without domain admin rights.

# Delegate password reset permissions on Users OU
$ou = "OU=IT Users,OU=Users,OU=Corporate,DC=company,DC=com"
$user = "COMPANY\HelpDesk"
$acl = Get-Acl "AD:\$ou"

# Create ACE for password reset
$sid = New-Object System.Security.Principal.SecurityIdentifier `
    (Get-ADUser -Filter {SamAccountName -eq "HelpDesk"}).SID

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, "ExtendedRight", "Allow", `
    [guid]"00299570-246d-11d0-a768-00aa006e0529" # Reset Password

$acl.AddAccessRule($ace)
Set-Acl "AD:\$ou" $acl

The Physical Structure: Sites and Replication

While OUs are logical, sites represent physical network locations.

Site Configuration

Creating Sites in My Deployments

# Create sites
New-ADReplicationSite -Name "New-York-HQ"
New-ADReplicationSite -Name "Chicago-Branch"
New-ADReplicationSite -Name "LA-Branch"

# Create subnets and associate with sites
New-ADReplicationSubnet -Name "10.1.0.0/16" -Site "New-York-HQ"
New-ADReplicationSubnet -Name "10.2.0.0/24" -Site "Chicago-Branch"
New-ADReplicationSubnet -Name "10.3.0.0/24" -Site "LA-Branch"

# Create site links
New-ADReplicationSiteLink -Name "HQ-to-Chicago" `
    -SitesIncluded "New-York-HQ","Chicago-Branch" `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180

New-ADReplicationSiteLink -Name "HQ-to-LA" `
    -SitesIncluded "New-York-HQ","LA-Branch" `
    -Cost 150 `
    -ReplicationFrequencyInMinutes 180

Site Link Cost and Replication

I set site link costs based on:

Network bandwidth (slower = higher cost)
Connection reliability
Financial cost of WAN circuits

Example from a recent project:

Link                Bandwidth    Latency    Cost    Replication Interval
HQ to Branch A      1 Gbps       5ms        50      15 minutes
HQ to Branch B      100 Mbps     30ms       100     60 minutes
HQ to Remote Site   10 Mbps      150ms      500     180 minutes

Domain Controllers and FSMO Roles

Domain Controller Placement

In my experience, DC placement follows these rules:

Minimum Configuration:

2 DCs at main site (redundancy)
1 DC per large branch office (>50 users)
Read-Only DC (RODC) for insecure locations

Enterprise Configuration:

Corporate HQ (New York)
├── DC01 (PDC Emulator, RID Master, Infrastructure Master)
├── DC02 (Schema Master, Domain Naming Master)
├── DC03 (General replication)
└── DC04 (General replication)

Branch Office (Chicago - 200 users)
└── DC05 (Local authentication)

Branch Office (LA - 75 users)
└── DC06 (Local authentication)

Remote Office (Field Office - 10 users)
└── RODC01 (Read-Only Domain Controller)

FSMO Roles Explained

FSMO (Flexible Single Master Operations) roles are unique responsibilities that only one DC can hold.

Forest-Wide Roles (One per Forest)

1. Schema Master

Controls AD schema modifications
Rarely used except during upgrades
I keep this on a protected, rarely rebooted DC

2. Domain Naming Master

Controls adding/removing domains
Needed when creating new domains or application partitions
Also on a stable DC at main site

Domain-Wide Roles (One per Domain)

3. PDC Emulator

Authoritative time source
Password changes processed here first
Group Policy central management
Most critical FSMO role

4. RID Master

Allocates RID pools to DCs
Without it, you can't create new objects
Important for active environments

5. Infrastructure Master

Maintains references between domains
Don't place on Global Catalog in multi-domain forests
Less critical in single-domain environments

Checking FSMO Role Holders

# Get all FSMO roles
netdom query fsmo

# Or with PowerShell
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

# Detailed view
Get-ADDomainController -Filter * | 
    Select-Object Name, OperationMasterRoles | 
    Where-Object {$_.OperationMasterRoles}

Transferring FSMO Roles

# Transfer PDC Emulator role
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator

# Transfer all roles to one DC (during decommission)
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

Seizing FSMO Roles (Emergency Only)

When a DC fails catastrophically:

# Only use when the original role holder is permanently gone!
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" `
    -OperationMasterRole PDCEmulator -Force

# Or using ntdsutil (old method)
ntdsutil
roles
connections
connect to server DC02
quit
seize pdc
quit
quit

Active Directory Authentication Flow

Understanding how authentication works helps troubleshoot issues.

Common Authentication Issues I've Troubleshooted

1. Clock Skew

# Kerberos requires time sync within 5 minutes
w32tm /query /status
w32tm /resync

2. SPN Issues

# Check SPNs for a service
setspn -L SERVER01

# Add missing SPN
setspn -A HTTP/webapp.company.com SERVER01

3. Credential Caching

# Clear cached credentials
klist purge

# View cached tickets
klist

Global Catalog

The Global Catalog (GC) is a partial, read-only replica of all objects in the forest.

When GC Matters

In my deployments, GC servers are critical for:

Universal Group Membership: Required for logon in multi-domain forests
Cross-Domain Searches: Finding users in other domains
Exchange Server: Email lookups and GAL
User Principal Name (UPN) Logon: [email protected] style logins

Configuring Global Catalog

# Make DC a Global Catalog server
Get-ADDomainController DC01 | Set-ADObject -Replace @{options='1'}

# Check if DC is a GC
Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog

# Force replication
repadmin /syncall /AdeP

My GC Placement Strategy

Every site with >20 users: Local GC server
Hub sites: Multiple GC servers
Small branches: Rely on cached universal group memberships

# Enable cached universal group membership (for sites without GC)
Set-ADReplicationSite -Identity "Small-Branch" -UniversalGroupCachingEnabled $true

Installing Active Directory Domain Services

First Domain Controller in New Forest

# Install AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote to domain controller (new forest)
Import-Module ADDSDeployment

$params = @{
    DomainName = "company.com"
    DomainNetbiosName = "COMPANY"
    ForestMode = "WinThreshold"  # Windows Server 2016+
    DomainMode = "WinThreshold"
    InstallDNS = $true
    NoRebootOnCompletion = $false
    SafeModeAdministratorPassword = (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force)
}

Install-ADDSForest @params

Additional Domain Controller in Existing Domain

# Install AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Join existing domain as DC
$params = @{
    DomainName = "company.com"
    InstallDNS = $true
    SiteName = "Chicago-Branch"
    NoRebootOnCompletion = $false
    SafeModeAdministratorPassword = (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force)
    Credential = (Get-Credential COMPANY\Administrator)
}

Install-ADDSDomainController @params

Read-Only Domain Controller (RODC)

For branch offices with limited physical security:

# Install RODC
$params = @{
    DomainName = "company.com"
    SiteName = "Remote-Site"
    InstallDNS = $true
    ReadOnlyReplica = $true
    NoRebootOnCompletion = $false
    SafeModeAdministratorPassword = (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force)
    Credential = (Get-Credential COMPANY\Administrator)
}

Install-ADDSDomainController @params

AD Replication

Replication ensures all DCs have consistent data.

Replication Flow

Monitoring Replication

# Check replication status
repadmin /replsummary

# Show replication partners
repadmin /showrepl

# Force replication from specific DC
repadmin /replicate DC02 DC01 "DC=company,DC=com"

# Full replication topology
repadmin /syncall /AdeP

# Check for replication errors
Get-ADReplicationFailure -Target "DC01"

# Replication metadata
repadmin /showmeta "CN=Administrator,CN=Users,DC=company,DC=com"

Troubleshooting Replication

From my experience, common issues:

1. DNS Problems

# Test DNS registration
dcdiag /test:dns

# Force DNS registration
ipconfig /registerdns

2. Time Synchronization

# Check time source
w32tm /query /status

# Configure PDC as authoritative time source
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:MANUAL
net stop w32time && net start w32time
w32tm /resync

3. USN Rollback (Serious)

# Check for USN issues
repadmin /showutdvec * "DC=company,DC=com"

# If USN rollback detected, DC must be rebuilt!

Backup and Recovery

Backing Up Active Directory

# Install Windows Server Backup
Install-WindowsFeature Windows-Server-Backup

# Backup System State (includes AD)
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Scheduled daily backup
$action = New-ScheduledTaskAction -Execute "wbadmin.exe" `
    -Argument "start systemstatebackup -backupTarget:E: -quiet"
$trigger = New-ScheduledTaskTrigger -Daily -At "2:00AM"
Register-ScheduledTask -TaskName "AD Backup" -Action $action -Trigger $trigger

Authoritative Restore

When you need to restore deleted objects:

# Restart in Directory Services Restore Mode (DSRM)
# Press F8 during boot, select DSRM

# Restore from backup
wbadmin start systemstaterecovery -version:01/13/2026-02:00

# Mark data as authoritative
ntdsutil
activate instance ntds
authoritative restore
restore subtree "OU=DeletedUsers,DC=company,DC=com"
quit
quit

# Restart normally
shutdown /r /t 0

AD Recycle Bin (Easier Method)

# Enable AD Recycle Bin (requires Forest Functional Level 2008 R2+)
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" `
    -Scope ForestOrConfigurationSet `
    -Target "company.com"

# Restore deleted object
Get-ADObject -Filter 'samaccountname -eq "jsmith"' -IncludeDeletedObjects | Restore-ADObject

Performance Monitoring

Key Metrics I Monitor

# LDAP query performance
Get-Counter "\NTDS\LDAP Searches/sec"
Get-Counter "\NTDS\LDAP Bind Time"

# Replication
Get-Counter "\NTDS\DRA Inbound Bytes Total/sec"
Get-Counter "\NTDS\DRA Pending Replication Synchronizations"

# Database performance
Get-Counter "\Database ==> Instances(lsass/NTDSA)\I/O Database Reads/sec"

DC Health Check Script

# Comprehensive DC health check
dcdiag /v /c /d /e /s:DC01 > C:\Logs\dcdiag.log

# Specific tests
dcdiag /test:replications
dcdiag /test:dns
dcdiag /test:fsmocheck
dcdiag /test:systemlog

# Network connectivity
dcdiag /test:connectivity

# AD database integrity
esentutl /g C:\Windows\NTDS\ntds.dit /!10240 /8 /o

Best Practices from My Projects

Design Phase

Plan OU structure before deployment: Changing later impacts GPO links
Document FSMO role placement: Know where they are before emergencies
Design sites based on physical network: Align with WAN topology
Choose naming carefully: Domain names can't be easily changed
Plan for at least 2 DCs per site: High availability is critical

Operational Phase

Monitor replication daily: repadmin /replsummary in automated scripts
Regular backups: Daily system state backups on all DCs
Separate Domain Admin use: Use regular accounts for daily work
Document delegation: Track who can manage what OUs
Review security logs: Monitor for unusual authentication patterns

Security Hardening

Enable Advanced Audit Policy

auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable

Protect Admin Accounts

# Add Domain Admins to Protected Users group
Add-ADGroupMember -Identity "Protected Users" -Members "Domain Admins"

Regular Password Rotation for Service Accounts (or use gMSA)
Monitor FSMO Role Transfers

Troubleshooting Common Issues

Users Can't Log In

# 1. Check account status
Get-ADUser jsmith -Properties LockedOut, PasswordExpired, Enabled

# 2. Unlock account
Unlock-ADAccount -Identity jsmith

# 3. Check DC availability
nltest /dclist:company.com

# 4. Verify client can reach DC
nltest /dsgetdc:company.com

# 5. Test authentication
Test-ComputerSecureChannel -Verbose

Slow Logons

# Enable UserEnv logging
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v UserEnvDebugLevel /t REG_DWORD /d 0x30002 /f

# Check logs: Applications and Services Logs > Microsoft > Windows > User Profile Service > Operational

# Common causes:
# - Slow site link
# - No GC in site
# - Large number of GPOs
# - Home folder mapping timeout

Trust Relationship Failures

# Reset computer account
Test-ComputerSecureChannel -Repair -Credential (Get-Credential COMPANY\Administrator)

# Or rejoin domain
Reset-ComputerMachinePassword

Conclusion

Active Directory is the foundation of Windows enterprise infrastructure. In my years managing AD environments, I've learned that careful planning during initial design prevents countless headaches later.

Key takeaways:

Design OUs for delegation and GPO application
Place DCs strategically based on user count and network topology
Monitor replication continuously
Backup religiously
Document everything – especially FSMO roles and site links

In the next article, we'll dive deep into AD Groups, Service Accounts, and Group Policy Objects – the tools that make AD management efficient and scalable.

hashtagMy First Encounter with Active Directory

hashtagWhat is Active Directory Domain Services?

hashtagWhy AD DS Matters

hashtagActive Directory Architecture

hashtagThe Logical Structure

hashtagForest

hashtagDomain

hashtagOrganizational Units (OUs)

hashtagMy OU Design Principles

hashtagOU Delegation

hashtagThe Physical Structure: Sites and Replication

hashtagSite Configuration

hashtagCreating Sites in My Deployments

hashtagSite Link Cost and Replication

hashtagDomain Controllers and FSMO Roles

hashtagDomain Controller Placement

hashtagFSMO Roles Explained

hashtagForest-Wide Roles (One per Forest)

hashtagDomain-Wide Roles (One per Domain)

hashtagChecking FSMO Role Holders

hashtagTransferring FSMO Roles

hashtagSeizing FSMO Roles (Emergency Only)

hashtagActive Directory Authentication Flow

hashtagCommon Authentication Issues I've Troubleshooted

hashtagGlobal Catalog

hashtagWhen GC Matters

hashtagConfiguring Global Catalog

hashtagMy GC Placement Strategy

hashtagInstalling Active Directory Domain Services

hashtagFirst Domain Controller in New Forest

hashtagAdditional Domain Controller in Existing Domain

hashtagRead-Only Domain Controller (RODC)

hashtagAD Replication

hashtagReplication Flow

hashtagMonitoring Replication

hashtagTroubleshooting Replication

hashtagBackup and Recovery

hashtagBacking Up Active Directory

hashtagAuthoritative Restore

hashtagAD Recycle Bin (Easier Method)

hashtagPerformance Monitoring

hashtagKey Metrics I Monitor

hashtagDC Health Check Script

hashtagBest Practices from My Projects

hashtagDesign Phase

hashtagOperational Phase

hashtagSecurity Hardening

hashtagTroubleshooting Common Issues

hashtagUsers Can't Log In

hashtagSlow Logons

hashtagTrust Relationship Failures

hashtagConclusion

hashtagFurther Reading