On your local network, Active Directory is a directory service, a container that holds data items. In a hierarchical structure, the service records data about users, computers, applications, groups, and other devices.
Because of the data’s structure, it’s feasible to find information about all of the network’s resources in one place. In essence, Active Directory serves as a phonebook for your network, allowing you to quickly locate and manage devices.
What does Active Directory do?
Enterprises utilize directory services like Active Directory for a variety of reasons. The fundamental argument is practicality. Active Directory allows users to access and manage multiple resources from a single location. Login credentials are unified to make managing many devices easily without having to enter account information for each system.
Set up Active Directory with RSAT
You’ll need Microsoft Remote Server Administration Tools (RSAT) installed on a Windows machine to set up Active Directory. RSAT enables IT administrators to remotely manage Windows Server 2012 and 2016 roles and features. To administer Windows Server roles and features, RSAT offers Server Manager, Microsoft Management Console (MMC) snap-ins, PowerShell cmdlets, consoles, and other command-line tools. RSAT runs on Windows 10, Windows 8.1, Windows 8, Windows 7, and Windows Vista. RSAT for Windows 10 is only available for the full editions of Windows Professional, Windows Enterprise, and Windows Education. RSAT is not compatible with Windows Home, Standard Edition, or Windows RT 8.1 machines.
Installing RSAT: If you have the Windows 10 Oct 2018 update (1809) or later, RSAT is already included as a set of Features on Demand.
- Go to Settings > Click on “Apps” > Apps & Features > Manage Optional Features > Add Feature.
- Scroll down, find, and select RSAT: Active Directory Domain Services and Lightweight Directory Tools. Click on Install.
For versions before the October 2018 update (1809), i.e. Windows 8 or Windows 10 (1803):
- RSAT for Windows 10 is available for download from Microsoft’s official website.
- Click “Install” after double-clicking the installer (.msu). Accept the license terms and then wait for the installation to complete.
- Turn Windows features on or off in Control Panel > Programs > Programs and Features.
- Scroll down to “Remote Server Administration Tools” and expand it.
- Select Role Administration Tools from the menu. Make sure “AD DS and AD LDS Tools” is checked. Check that the Active Directory Module for Windows PowerShell and AD DS Tools are set under “AD DS and AD LDS Tools”.
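The same installation on Windows 10 1809 or later, as an added PowerShell example that is not part of the original article: RSAT ships as a Feature on Demand, so the AD DS/AD LDS tools can be added with the Windows capability cmdlets from an elevated session. The capability name is the one Windows uses for this package; the final check of the ActiveDirectory module is this editor's verification step.

```powershell
# Added example (not from the original article): install the RSAT AD DS and AD LDS tools
# on Windows 10 1809 or later, where RSAT is delivered as a Feature on Demand.
# Run from an elevated PowerShell session. Add-WindowsCapability downloads the package
# from Windows Update (or from a WSUS/Features-on-Demand source if policy points there).

# Capability name for the AD DS / AD LDS tools; confirm with
# Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory*' if your build differs.
$capability = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

$state = (Get-WindowsCapability -Online -Name $capability).State
if ($state -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability | Out-Null
}

# Verify: after installation the ActiveDirectory PowerShell module must import cleanly,
# which is what the GUI checkbox "Active Directory Module for Windows PowerShell" gives you.
Import-Module ActiveDirectory -ErrorAction Stop
"ActiveDirectory module loaded with {0} cmdlets" -f (Get-Command -Module ActiveDirectory).Count
```

Keeping RSAT on an administrator's workstation rather than logging on to the domain controller interactively is itself a least-privilege measure: the DC's console stays closed to day-to-day use.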
Installing and running AD DS On Windows Server 2019
The essential Active Directory capabilities that manage users and computers are provided by Active Directory Domain Services (AD DS). The server that runs the AD DS role is the Domain Controller (DC). Within a Windows domain, this server authenticates and authorizes all users and computers. It also assigns and enforces security policies, and installs and updates software. You’ll need the following to set up AD DS on Windows Server 2019:
- The server’s administrator rights.
- The static IP address for the server.
To install the AD DS role:
- Go to Server Manager > Manage > Roles and Features > Add Roles and Features.
- Choose “Role-based or feature-based installation” under Installation Type and then click Next.
- Under Server Selection, select the local server (or a remote server) on which you want to deploy the AD DS role. This page displays the IP address and OS version of our local server, NAT-DC01.
- Select your server and continue by clicking Next.
- Under Server Roles, find and select “Active Directory Domain Services”. A pop-up window appears once you select that role; it lists the features that AD DS requires and that you must include. Select “Include management tools” and click “Add Features”.
- If your AD server will also act as a DNS server, select the DNS Server role as well and include the features it requires. A static IP address is required for the server to function as a DNS server.
- Click “Next” under Features, AD DS, and DNS Server.
- Verify your configuration and click “Install” on Confirmation.
- Wait for the installation to complete. The “Results” phase of the Installation wizard should not be closed yet.
Creating an Active Directory Forest and Domain
Before closing the Installation wizard, select “Promote this server to a domain controller” once the installation is complete.
The Active Directory Domain Services Configuration Wizard opens in a new window. There are three deployment choices: “Add a domain controller to an existing domain”, “Add a new domain to an existing forest”, and “Add a new forest”. Because we’re starting from zero, we’ll create a completely new forest.
You’ll need a forest before you can create your first Domain Controller, and a forest requires a valid root domain. All Active Directory clients use DNS to locate domain controllers, and domain controllers use DNS to communicate with each other. “nat.local” and “nat-internal.company.com” are examples of AD root domain names, where “nat-internal” is the internal AD domain name and “company.com” is the external resource name.
- You can choose the functional level of the new forest and root domain on the next screen, “Domain Controller Options”.
- Set the capabilities of the domain controller. Check the DNS server and Global Catalog boxes, as this is the first AD domain controller.
- Set a password for the Directory Services Restore Mode (DSRM). Then press “Next”.
- Skip the DNS settings. DNS Delegation is no longer required.
- The NetBIOS domain name is taken from the root domain and displayed in Additional Options. However, you have the option to modify it.
- You can define the location of the AD DS database, log files, and SYSVOL directories in Paths.
- You can check your setup under Review Options and go back if you need to make any changes before installing.
- When the Prerequisites Check runs, a checklist of warnings and critical errors appears. If the check passes, a green indicator shows that AD DS with the new domain controller and forest can be installed. Warnings can be dealt with later.
- Click Install. The server installs AD DS and restarts automatically.
- In the server’s IPv4 settings, “Use the following IP address” should be selected. Give your server its IP address, subnet mask, and default gateway, as well as its DNS server address, according to your IP addressing scheme.
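The whole procedure from the static address through role installation and forest promotion, as an added PowerShell example that is not part of the original article. The host name NAT-DC01 and the root domain nat.local come from the article; the 192.168.10.0/24 addressing, the adapter alias “Ethernet”, and the NetBIOS name NAT are assumptions. The prerequisites check and the promotion use the ADDSDeployment cmdlets that Server Manager's wizard calls underneath.

```powershell
# Added example (not from the original article): install the AD DS role and promote
# this Windows Server 2019 machine to the first DC of a new forest.
# Run in an elevated PowerShell session as a local administrator.
# Assumptions: adapter alias 'Ethernet', network 192.168.10.0/24, gateway 192.168.10.1.

# 1. Static addressing. The DC points its own DNS client at itself because it will run DNS.
$iface = 'Ethernet'
New-NetIPAddress -InterfaceAlias $iface -IPAddress '192.168.10.10' -PrefixLength 24 -DefaultGateway '192.168.10.1'
Set-DnsClientServerAddress -InterfaceAlias $iface -ServerAddresses '192.168.10.10'

# 2. Role installation, including the management tools (AD DS Tools and the PowerShell module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. DSRM password: prompt for it instead of embedding it in a script that ends up in version control.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# 4. The wizard's Prerequisites Check. Review the returned messages before promoting.
Test-ADDSForestInstallation -DomainName 'nat.local' -SafeModeAdministratorPassword $dsrm -InstallDns

# 5. Promotion. Forest/domain functional level WinThreshold = Windows Server 2016 level
#    (the highest Server 2019 offers); paths are the wizard's defaults; DNS delegation is
#    skipped as the article says; -Force suppresses the confirmation prompt.
Install-ADDSForest `
    -DomainName 'nat.local' `
    -DomainNetbiosName 'NAT' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots automatically when promotion completes, exactly as after the wizard.
```

The DSRM password is the one credential that still works when the directory itself is offline, so it deserves the same handling as the built-in Administrator password: unique per DC, stored in the password vault, and never left in a script.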
Configure the Active Directory DNS server zones
You’ve already set up AD DS and the DNS role, as well as a new forest and DC. Only the DNS zones need to be configured now.
Resource records (IP blocks and names) used to resolve DNS requests make up a DNS zone. The Active Directory-integrated DNS zone is the most prevalent zone type in Active Directory.
- Open “Server Manager,” then “Tools”, then “DNS”.
- In DNS, expand your host and click “Forward Lookup Zones”. Two primary DNS zones are AD-integrated. The root domain name we supplied in the previous AD DS configuration phase is “nat.local”. The _msdcs zone is stored in its own application partition and is replicated to every DNS server on every DC.
- The forward lookup zones are already present, but you’ll need to build a reverse lookup zone yourself.
- Let’s set up the reverse lookup zone now. To begin, right-click on “Reverse Lookup Zone” and select “New Zone…” from the drop-down menu.
- Leave the zone type as “primary zone” in the New Zone Wizard, and check the “Store the zone in Active Directory” box. Then press “Next”.
- Under “AD Zone Replication Scope”, choose how DNS data should be replicated: select “To all DNS servers running on domain controllers in this domain: (your domain name)”.
- Select “IPv4 reverse lookup zone” and click “Next” on the next screen.
- To help identify the reverse lookup zone, specify the reverse zone’s Network ID. The first three octets are your server’s network ID.
- Use the “cmd” program and the “ipconfig” command if you don’t know your server’s IPv4 address.
- Click “Next” > “Next” > “Finish” to continue.
- Examine your newly created reverse lookup zone. There should be two DNS resource records inside, SOA and NS.
- Your domain’s DNS zone contains the A record, commonly known as the host record. It links a domain name to an IP address; in other words, the A record stores a hostname along with its IPv4 address. Update it.
- A Pointer (PTR) record is required to enable reverse lookups. The PTR record connects an IPv4 address back to a hostname.
- Select “Properties” from the context menu of the Host A record. There will be a new “Properties” window appearing. To begin, select “Update related pointer (PTR) record”. Then select Apply > Ok.
- You’ll need to refresh if you don’t see the PTR record in the reverse lookup zone. Right-click the space and select “refresh”. The new PTR record should now be visible.
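The reverse zone, the A record and its PTR, created with the DnsServer module instead of the DNS console, as an added PowerShell example that is not part of the original article. nat.local comes from the article; the 192.168.10.0/24 network and the host name “fileserver” are constructed for the example. It goes one step beyond the text by restricting dynamic updates to secure (authenticated) updates, which is the setting the console offers for AD-integrated zones.

```powershell
# Added example (not from the original article): AD-integrated IPv4 reverse lookup zone,
# an A record with its matching PTR, and a check in both directions.
# Run on the domain controller in an elevated session.
# Assumptions: network 192.168.10.0/24, host 'fileserver' at 192.168.10.20.

Import-Module DnsServer

# Reverse zone stored in AD, replicated to all DNS servers on DCs in this domain
# (the "To all DNS servers running on domain controllers in this domain" wizard option).
# Secure-only dynamic updates mean only authenticated domain members can register records.
Add-DnsServerPrimaryZone -NetworkId '192.168.10.0/24' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Forward A record; -CreatePtr is the cmdlet equivalent of the "Update associated pointer
# (PTR) record" checkbox and writes the PTR into 10.168.192.in-addr.arpa.
Add-DnsServerResourceRecordA -ZoneName 'nat.local' -Name 'fileserver' -IPv4Address '192.168.10.20' -CreatePtr

# The DC registered its own A record before the reverse zone existed; re-register so its
# PTR is created too (the article's "refresh" step covers the console view of this).
Register-DnsClient

# Verify: SOA and NS plus the new PTR should be in the reverse zone, and both lookups succeed.
Get-DnsServerResourceRecord -ZoneName '10.168.192.in-addr.arpa' | Select-Object HostName, RecordType, RecordData
Resolve-DnsName -Name '192.168.10.20' -Type PTR
Resolve-DnsName -Name 'fileserver.nat.local' -Type A
```

If the Resolve-DnsName calls return a PTR for the address but no A record, the forward zone is fine and the client's cache is stale; Clear-DnsClientCache on the querying machine is the usual remedy.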
Additional Active Directory Setup
Adding a new Domain Controller to an Existing Root Domain: Follow the steps below:
- Ensure that both domains are connected on the network.
- Make a new domain name. Under Add Roles and Features, select role-based or feature-based installation and the local server, then select Active Directory Domain Services from the server roles list.
- Before closing the installation, choose “Promote this server to a domain controller”. On the next screen, “Deployment Configuration”, select “Add a domain controller to an existing domain”. Select your domain by name or by supplying credentials for it.
- Under Additional Options, select “Replicate from” and choose your root domain controller. Then proceed with the installation.
- Change the new domain controller’s DNS server setting to the core DNS server.
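The same promotion of a second server into the existing domain, as an added PowerShell example that is not part of the original article. NAT-DC01 and nat.local come from the article; the address 192.168.10.10 for the existing DC and the adapter alias are assumptions. Domain credentials are prompted for rather than stored.

```powershell
# Added example (not from the original article): promote a second server to a domain
# controller in the existing nat.local domain, replicating from NAT-DC01.
# Run on the new server in an elevated session as a local administrator.
# Assumptions: existing DC reachable at 192.168.10.10, adapter alias 'Ethernet'.

# Point this server's DNS client at the existing DC so it can locate the domain at all
# (the article's "core DNS server"), then confirm LDAP on the existing DC is reachable.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.10.10'
Test-NetConnection -ComputerName 'NAT-DC01.nat.local' -Port 389

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Credentials of an account allowed to add a DC (Domain Admins), prompted at run time.
$cred = Get-Credential -Message 'Account in nat.local permitted to add a domain controller'
$dsrm = Read-Host -Prompt 'DSRM password for this new DC' -AsSecureString

# Prerequisites check first, then the promotion. -ReplicationSourceDC is the
# "Replicate from" choice in the wizard's Additional Options page.
Test-ADDSDomainControllerInstallation -DomainName 'nat.local' -Credential $cred -SafeModeAdministratorPassword $dsrm -InstallDns

Install-ADDSDomainController `
    -DomainName 'nat.local' `
    -Credential $cred `
    -ReplicationSourceDC 'NAT-DC01.nat.local' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# After the reboot, verify replication from the new DC: repadmin /replsummary
```

Once the new DC's own DNS service is up, a common arrangement is to give each DC the other DC as its primary DNS server and itself as secondary, so that a DC restarting does not have to wait for its own DNS service before it can find the domain.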
Create a new Active Directory Users, Computers, or Groups: Follow the steps below:
- Go to Server Manager > Local Server > Tools > Active Directory Users and Computers.
- Right-click your domain name (or any OU) and select “New” > User, Computer, or Group.
- When creating a new user, you must enter the first and last name, the logon name, and the password. If you create a group, give it a name.
- To add a new user or computer to a new group, right-click the new user or computer and select “Add to a group”, then locate and select the new group.
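The same objects created with the ActiveDirectory module, as an added PowerShell example that is not part of the original article. nat.local comes from the article; the OU “Finance”, the group “Finance-Staff”, the user “jdoe”, and the computer “FIN-WS01” are constructed names. It goes slightly beyond the text by placing the objects in their own OU and by forcing a password change at first logon, which is the usual practice when an administrator sets the initial password.

```powershell
# Added example (not from the original article): create an OU, a security group, a user
# and a computer, then add the user and computer to the group and list the membership.
# Run on a machine with RSAT (or on the DC) as an account allowed to create objects.
# Assumptions: domain nat.local; all object names below are constructed.

Import-Module ActiveDirectory

$domainDn = 'DC=nat,DC=local'
$ouDn     = "OU=Finance,$domainDn"

# An OU of its own keeps delegation and Group Policy scoped to these objects.
New-ADOrganizationalUnit -Name 'Finance' -Path $domainDn -ProtectedFromAccidentalDeletion $true

New-ADGroup -Name 'Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ouDn

# Initial password is prompted, not written into the script; the user must change it at logon.
$initialPw = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@nat.local' -Path $ouDn `
    -AccountPassword $initialPw -Enabled $true -ChangePasswordAtLogon $true

New-ADComputer -Name 'FIN-WS01' -Path $ouDn

# The GUI "Add to a group" step. A computer's SAM account name carries a trailing '$'.
Add-ADGroupMember -Identity 'Finance-Staff' -Members 'jdoe', 'FIN-WS01$'

# Verify membership (expected: jdoe as user, FIN-WS01 as computer).
Get-ADGroupMember -Identity 'Finance-Staff' | Select-Object Name, objectClass
```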
Active Directory Events to Monitor
Active Directory, like all infrastructure, needs constant monitoring to stay secure. The directory service must be monitored to prevent cyber-attacks and to give your users the best possible experience.
We’ve compiled a list of some of the most important network events to keep an eye on. If you see any of these, investigate right away to be sure your service hasn’t been compromised.
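One way to pull such events from a domain controller's Security log, as an added PowerShell example that is not part of the original article. The event ID selection below is this editor's, chosen from well-known Windows security audit events, and is not the article's own list; the 24-hour window and the threshold for flagging failed-logon bursts are assumptions to adjust to your environment.

```powershell
# Added example (not from the original article): query a DC's Security log for a handful
# of well-known Active Directory audit events and flag bursts of failed logons.
# Run on the DC (or remotely with -ComputerName) as an account with Event Log Readers rights.
# Assumptions: Advanced Audit Policy is enabled for account management and logon events;
# the event ID list and thresholds are this editor's choices, not the article's list.

$watched = @{
    4625 = 'Failed logon'
    4720 = 'User account created'
    4726 = 'User account deleted'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4740 = 'Account locked out'
    4756 = 'Member added to security-enabled universal group'
}

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$watched.Keys; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Summarise: one line per event, with the first line of the message as a human-readable hint.
$events | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $watched[[int]$_.Id]
        Summary = ($_.Message -split "`r?`n")[0]
    }
} | Sort-Object Time | Format-Table -AutoSize

# Detection rule: more than 20 failed logons in any single hour is worth a look
# (password spraying and lockout storms both show up this way). Threshold is an assumption.
$events | Where-Object Id -eq 4625 |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Where-Object Count -gt 20 |
    ForEach-Object { "ALERT: {0} failed logons in the hour starting {1}" -f $_.Count, $_.Name }
```

For anything beyond a quick check, forward these events to a central log collector or SIEM; querying each DC's log individually misses activity that is spread across domain controllers, and an attacker with enough rights can clear a local log.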
One of the best tools for managing resources in your network is Active Directory. We’ve attempted to explain how to use this tool in this article. If you use Active Directory, keep in mind that it could be a point of entry for hackers. Making a note of significant directory events and using a directory monitor can help you reduce the danger of a malicious attack and protect your service’s availability.