Without Active Directory, every server maintains its own user list. A 500-user organisation with 50 servers means 25,000 separate accounts — if Alice changes her password, it needs updating in 50 places. AD introduces centralised identity: one account, one password, one policy. Alice authenticates once via Kerberos, and that identity is trusted by every server in the domain.
| Component | What it is |
|---|---|
| Domain | The fundamental unit — objects sharing a directory database, security policies, and trust. Named like a DNS domain: corp.example.com |
| Domain Controller (DC) | Windows Server running AD DS. Stores the database, handles authentication, replicates to other DCs. Always deploy at least two. |
| Forest | One or more domains sharing a schema and Global Catalog. The security boundary in AD. |
| Tree | Contiguous namespace within a forest. corp.example.com and eu.corp.example.com form a tree. |
| Organizational Unit (OU) | Container for organising objects. Where GPOs are linked and admin rights are delegated. |
| Schema | Defines object types and attributes. One per forest. Schema changes are irreversible. |
Active Directory is completely dependent on DNS. DCs register SRV records so clients can locate them. When a machine joins a domain it queries DNS for _ldap._tcp.corp.example.com. If DNS breaks, AD breaks.
Kerberos is a ticket-based protocol. Instead of sending passwords over the network it issues cryptographic tickets that prove identity. The KDC (Key Distribution Center) runs on every DC.
NTLM is used when Kerberos cannot be: accessing resources by IP address instead of hostname, non-domain environments, some legacy apps. NTLM is vulnerable to Pass-the-Hash attacks — an attacker with your hash can authenticate without knowing the password. Minimise NTLM wherever possible.
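Before NTLM can be restricted, you need to know who still uses it. The following script is an added example, not code from the original page: it tallies the AuthenticationPackageName field of Security event 4624 (successful logon) so you can see the Kerberos/NTLM split and which accounts and source addresses still authenticate with NTLM. The function name and its parameter are assumed; run it on a DC or any member server whose Security log you can read.

```powershell
# Added example (not from the original page): measure how much NTLM is still in
# use by tallying the AuthenticationPackageName field of Security event 4624.
# Get-LogonPackageSummary and $HoursBack are assumed names.
function Get-LogonPackageSummary {
    param([int]$HoursBack = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624                     # An account was successfully logged on
        StartTime = (Get-Date).AddHours(-$HoursBack)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4624's fields live in EventData as <Data Name="...">; pull them into a hashtable
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Package     = $data.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
            LmPackage   = $data.LmPackageName               # 'NTLM V1' / 'NTLM V2' when Package is NTLM
            LogonType   = [int]$data.LogonType              # 2 = interactive, 3 = network, 10 = RDP
            Workstation = $data.WorkstationName
            SourceIp    = $data.IpAddress
        }
    }
}

$logons = Get-LogonPackageSummary -HoursBack 24

# Headline split: how much of the traffic is NTLM, and is any of it NTLMv1?
$logons | Group-Object Package, LmPackage | Sort-Object Count -Descending |
    Select-Object @{n='Package';e={$_.Name}}, Count | Format-Table -AutoSize

# Which accounts and source addresses still speak NTLM? These are the ones to fix
# first (IP-address access, legacy apps) before NTLM is restricted by policy.
$logons | Where-Object Package -eq 'NTLM' |
    Group-Object User, SourceIp | Sort-Object Count -Descending |
    Select-Object -First 20 @{n='User, SourceIp';e={$_.Name}}, Count
```

Any row with LmPackage equal to NTLM V1 deserves immediate attention, since NTLMv1 is far weaker than NTLMv2. Once the list is empty for a reasonable observation window, the NTLM restriction policies can be tightened with much less risk of breaking something.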
| Error | Meaning | Fix |
|---|---|---|
| KDC_ERR_PREAUTH_FAILED | Wrong password or locked account | Check lockout status, verify password |
| KRB_AP_ERR_SKEW | Clock skew > 5 minutes between client and DC | Fix NTP — domain members should sync to the DC |
| KDC_ERR_S_PRINCIPAL_UNKNOWN | SPN not found | Check/register SPN with setspn |
| KRB_ERR_RESPONSE_TOO_BIG | Ticket too large (too many group memberships) | Reduce group memberships or increase MaxTokenSize |
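The KRB_ERR_RESPONSE_TOO_BIG row is easiest to act on if you can see how close a user's token is to MaxTokenSize before logons start failing. The script below is an added example, not code from the page: it resolves a user's full nested membership from the constructed tokenGroups attribute and applies the sizing formula Microsoft publishes for MaxTokenSize planning (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and SID-history entries, and s counts global groups and universal groups from the user's own domain). The function name is assumed; the 48000-byte default applies to Windows 8 / Server 2012 and later.

```powershell
Import-Module ActiveDirectory

# Added example (not from the page): estimate a user's Kerberos token size from
# nested group membership using the published MaxTokenSize formula:
#   TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups from OTHER domains + SID history entries
#   s = global groups + universal groups from the user's OWN domain
# Get-TokenSizeEstimate is an assumed function name.
function Get-TokenSizeEstimate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$MaxTokenSize = 48000          # default since Windows 8 / Server 2012
    )

    # tokenGroups is a constructed attribute: it is only returned for a base-scope
    # read, which is what -Identity does (it is not available with -Filter).
    $user      = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $domainSid = (Get-ADDomain).DomainSID.Value
    $d = 0; $s = 0; $unresolved = 0

    foreach ($sid in $user.tokenGroups) {
        $group = $null
        try { $group = Get-ADGroup -Identity $sid.Value -ErrorAction Stop } catch { }
        if (-not $group) { $unresolved++; continue }   # e.g. groups from other domains

        $sameDomain = $sid.Value.StartsWith("$domainSid-")
        switch ($group.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }
    $sidHistory = @($user.sIDHistory | Where-Object { $_ }).Count
    $d += $sidHistory

    $size = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User            = $user.SamAccountName
        TotalGroups     = @($user.tokenGroups | Where-Object { $_ }).Count
        DomainLocalLike = $d
        GlobalLike      = $s
        SidHistory      = $sidHistory
        Unresolved      = $unresolved        # not counted; treat as a lower bound if > 0
        EstimatedBytes  = $size
        OverLimit       = $size -gt $MaxTokenSize
    }
}

# Usage: anyone near the limit is a candidate for KRB_ERR_RESPONSE_TOO_BIG.
# Unresolved SIDs (cross-domain groups this DC cannot look up) are not counted,
# so the estimate is a lower bound for users with memberships in other domains.
Get-TokenSizeEstimate -SamAccountName asmith
```

Running this across a whole OU (Get-ADUser -Filter * -SearchBase ... piped into the function) quickly surfaces the accounts whose group sprawl should be cleaned up before raising MaxTokenSize on every client.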
Use corp.example.com, not corp.local. The .local suffix conflicts with mDNS and causes TLS certificate issues. You cannot rename a domain without rebuilding.

```powershell
# Install the AD DS and DNS roles
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Create a NEW forest (very first DC ever)
# Note: a literal DSRM password in a script ends up in console history and
# transcripts; prompting with Read-Host -AsSecureString avoids that.
Install-ADDSForest `
    -DomainName "corp.example.com" `
    -DomainNetBiosName "CORP" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ss!DSRM" -AsPlainText -Force)

# Add a SECOND DC to an existing domain
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -InstallDns:$true `
    -Credential (Get-Credential) `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ss!DSRM" -AsPlainText -Force)
```
| Role | Scope | What it does |
|---|---|---|
| Schema Master | Forest | Only DC that can modify the AD schema. |
| Domain Naming Master | Forest | Controls adding/removing domains from the forest. |
| PDC Emulator | Domain | Password changes, account lockout, time sync source, GPO updates. Most critical. |
| RID Master | Domain | Issues pools of Relative IDs to DCs so they can create new SIDs. |
| Infrastructure Master | Domain | Updates cross-domain group-to-user references. |
```powershell
# Find which DC holds each FSMO role
netdom query fsmo
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```
AD uses multi-master replication — changes can be made on any DC and propagate to all others. Changes are tracked via USNs (Update Sequence Numbers). Within a site, replication triggers within seconds. Between sites it's scheduled and compressed to conserve WAN bandwidth.
Sites represent physical network locations with fast internal connectivity. Site links connect sites and define replication schedule and cost. The KCC (Knowledge Consistency Checker) auto-builds the replication topology.
```powershell
# View replication status across all DCs
repadmin /replsummary

# Detailed replication links and last sync times
repadmin /showrepl

# Force immediate replication after a change
repadmin /syncall /AdeP
```
| Error | Meaning | Fix |
|---|---|---|
| 8614 — Time skew | Clock difference >5 min between DCs | Fix NTP. PDC Emulator syncs to external source; all other DCs sync to PDC Emulator. |
| 8453 — Access denied | Replication permission denied | Check "Replicating Directory Changes" rights on domain NC. |
| 1722 — RPC unavailable | Cannot reach DC | Check network/firewall: TCP 135 and dynamic ports 49152–65535. |
| 8606 — Lingering objects | Deleted object still present past tombstone lifetime | Run repadmin /removelingeringobjects |
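The repadmin output above is fine for a quick look, but for a scheduled health check it helps to have one object per replication partnership with a clear status. The script below is an added example, not code from the page: it uses the standard Get-ADReplicationPartnerMetadata cmdlet to flag every link that last failed or that has not succeeded within a chosen window, which catches both the RPC (1722) and the lingering-object/tombstone cases before they become expensive. The function name and the staleness threshold are assumed.

```powershell
Import-Module ActiveDirectory

# Added example (not from the page): report every replication partnership in
# the forest that failed or has not succeeded within $MaxAgeHours.
# Get-ReplicationHealthReport and $MaxAgeHours are assumed names.
function Get-ReplicationHealthReport {
    param([int]$MaxAgeHours = 3)

    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        # Partition * covers domain, configuration, schema and application partitions
        $links = Get-ADReplicationPartnerMetadata -Target $dc -Partition * -ErrorAction SilentlyContinue
        if (-not $links) {
            # Could not query the DC at all: treat as unreachable (often the 1722 case)
            [pscustomobject]@{ Server = $dc; Partner = '(unreachable)'; Partition = $null
                               LastSuccess = $null; Failures = $null; LastResult = $null; Status = 'NO_DATA' }
            continue
        }
        foreach ($l in $links) {
            $status = if ($l.LastReplicationResult -ne 0)            { "FAILED ($($l.LastReplicationResult))" }
                      elseif ($l.LastReplicationSuccess -lt $cutoff)   { 'STALE' }
                      else                                             { 'OK' }
            [pscustomobject]@{
                Server      = $l.Server
                # Partner is the NTDS Settings DN: CN=NTDS Settings,CN=DC02,CN=Servers,... -> DC02
                Partner     = ($l.Partner -split ',')[1] -replace '^CN='
                Partition   = $l.Partition
                LastSuccess = $l.LastReplicationSuccess
                Failures    = $l.ConsecutiveReplicationFailures
                LastResult  = $l.LastReplicationResult       # Win32 error code, e.g. 8453, 1722
                Status      = $status
            }
        }
    }
}

# Show only the problems; an empty result means every partnership is healthy
Get-ReplicationHealthReport -MaxAgeHours 3 | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

A STALE link that persists for days is the warning sign to act on: once a DC has not replicated for longer than the tombstone lifetime, the fix moves from "restart replication" to "clean up lingering objects", which is exactly the 8606 situation in the table.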
```powershell
# Create a new user
New-ADUser `
    -Name "Alice Smith" `
    -SamAccountName "asmith" `
    -UserPrincipalName "asmith@corp.example.com" `
    -Path "OU=Finance,OU=Users,DC=corp,DC=example,DC=com" `
    -AccountPassword (ConvertTo-SecureString "TempP@ss1!" -AsPlainText -Force) `
    -ChangePasswordAtLogon $true -Enabled $true

# On departure: disable and move (don't delete immediately)
Disable-ADAccount -Identity "asmith"
Move-ADObject `
    -Identity "CN=Alice Smith,OU=Finance,OU=Users,DC=corp,DC=example,DC=com" `
    -TargetPath "OU=Disabled,DC=corp,DC=example,DC=com"

# Find accounts inactive for 90+ days
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly
```
| Scope | Members from | Assign permissions in | Use for |
|---|---|---|---|
| Domain Local | Anywhere (any domain) | Same domain only | Assigning permissions on local resources |
| Global | Same domain only | Anywhere in forest | Grouping users by role or department |
| Universal | Anywhere in forest | Anywhere in forest | Cross-domain group memberships |
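The "Use for" column describes the AGDLP pattern: Accounts go into Global groups (by role), Global groups are nested into Domain Local groups (one per resource permission), and only the Domain Local group appears in the ACL. The script below is an added example, not code from the page, that builds one such chain end to end; the group names, OU, share path and user are constructed for illustration.

```powershell
Import-Module ActiveDirectory

# Added example (not from the page): the AGDLP pattern implied by the scope table.
# Accounts -> Global group (role) -> Domain Local group (resource) -> Permission.
# All names below are constructed for illustration.
$groupOu   = 'OU=Finance,OU=Groups,DC=corp,DC=example,DC=com'
$roleGroup = 'Role-Finance-Analysts'        # Global: groups people by role
$aclGroup  = 'ACL-FinanceShare-Modify'      # Domain Local: grants one right on one resource
$sharePath = '\\fs01\Finance'

New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $groupOu `
    -Description 'Finance analysts (role membership)'
New-ADGroup -Name $aclGroup -GroupScope DomainLocal -GroupCategory Security -Path $groupOu `
    -Description "Modify on $sharePath"

# Nest the role into the resource group; users never go into ACL-* groups directly
Add-ADGroupMember -Identity $aclGroup  -Members $roleGroup
Add-ADGroupMember -Identity $roleGroup -Members 'asmith'

# Assign the NTFS permission once, to the Domain Local group only
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("CORP\$aclGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify: the ACL should name the Domain Local group, never individual users
(Get-Acl -Path $sharePath).Access |
    Where-Object IdentityReference -like 'CORP\*' |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The payoff is operational: moving Alice to another department is one Remove-ADGroupMember and one Add-ADGroupMember on role groups, and the file server ACLs never change. Because the user's new group membership only lands in the Kerberos ticket at the next logon, a fresh ticket (log off and on, or klist purge) is needed before the access takes effect.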
OUs serve two purposes: GPO application — policies linked to an OU apply to all objects inside — and delegating admin rights without giving full domain admin.
```powershell
# Create OUs
New-ADOrganizationalUnit -Name "Finance" -Path "OU=Users,DC=corp,DC=example,DC=com"

# Delegate password reset to Helpdesk group for an OU
# /I:S applies the ACE to sub-objects only, so it reaches the user objects inside the OU
dsacls "OU=Users,DC=corp,DC=example,DC=com" /I:S /G "CORP\Helpdesk:CA;Reset Password;User"
```
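Delegations like the one above accumulate over the years and are easy to lose track of, and an over-broad ACE on an OU is a privilege-escalation path. The script below is an added example, not code from the page: it reads an OU's ACL through the AD: drive that the ActiveDirectory module provides, keeps only the explicit (non-inherited) entries, and translates extended-right and object-class GUIDs into readable names so a "Reset Password on User" grant shows up as exactly that. The function name is assumed.

```powershell
Import-Module ActiveDirectory   # also mounts the AD: PSDrive used below

# Added example (not from the page): list explicit ACEs on an OU with extended-right
# and object-class GUIDs resolved to names. Get-OuDelegation is an assumed name.
function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDN)

    $rootDse = Get-ADRootDSE

    # GUID -> name for control access rights, e.g. "Reset Password", "Replicating Directory Changes"
    $rights = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $rights[[guid]$_.rightsGuid] = $_.displayName }

    # GUID -> name for object classes (user, computer, group, ...) for the "applies to" column
    $classes = @{}
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(objectClass=classSchema)' `
        -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $classes[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    $acl = Get-Acl -Path "AD:\$OuDN"
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $right = if ($ace.ObjectType -eq [guid]::Empty)       { 'All' }
                 elseif ($rights.ContainsKey($ace.ObjectType)) { $rights[$ace.ObjectType] }
                 else                                          { $ace.ObjectType }   # attribute/class GUID
        $scope = if ($ace.InheritedObjectType -eq [guid]::Empty)        { 'Any' }
                 elseif ($classes.ContainsKey($ace.InheritedObjectType)) { $classes[$ace.InheritedObjectType] }
                 else                                                   { $ace.InheritedObjectType }
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference
            Access    = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights   # e.g. ExtendedRight, WriteProperty, GenericAll
            Right     = $right
            AppliesTo = $scope
        }
    }
}

# Review what is delegated on the Users OU. Beyond the defaults (SYSTEM, Domain Admins,
# Enterprise Admins, Account Operators, ...) every trustee should be explainable.
Get-OuDelegation -OuDN 'OU=Users,DC=corp,DC=example,DC=com' | Format-Table -AutoSize
```

The entries to look hardest at are GenericAll, WriteDacl, WriteOwner and WriteProperty without an object type, since any of them on an OU full of user objects is equivalent to owning those accounts. Running the function over every OU in the domain and diffing the output against a saved baseline turns this into a cheap recurring control.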
```powershell
# Join and place in a specific OU
Add-Computer `
    -DomainName "corp.example.com" `
    -OUPath "OU=Workstations,DC=corp,DC=example,DC=com" `
    -Credential (Get-Credential) -Restart

# Verify after restart
(Get-CimInstance Win32_ComputerSystem).Domain
Get-ADComputer -Filter {Name -eq "WORKSTATION01"} -Properties DistinguishedName
```
Without -OUPath, the new computer lands in CN=Computers, which is a container, not an OU. GPOs cannot be linked to it. Always specify a target OU.

A domain-joined computer has a password stored locally and in AD that auto-rotates every 30 days. If this relationship breaks (e.g. after restoring an old VM snapshot), users get "The trust relationship between this workstation and the primary domain failed".
```powershell
# Test the secure channel
Test-ComputerSecureChannel -Verbose

# Repair a broken secure channel (fastest fix, no disjoin needed)
Test-ComputerSecureChannel -Repair -Credential (Get-Credential CORP\DomainAdmin)
```
GPOs apply in order: Local → Site → Domain → OU. Later wins for conflicting settings — so child OU GPOs override domain GPOs.
| Section | Applies to | When processed | Examples |
|---|---|---|---|
| Computer Configuration | Computer accounts in the OU | At startup, every 90 min | Security settings, Windows Update, startup scripts |
| User Configuration | User accounts in the OU | At logon, every 90 min | Drive mappings, logon scripts, folder redirection |
```powershell
# Create and link a GPO to an OU
New-GPO -Name "Security Baseline - Workstations"
New-GPLink `
    -Name "Security Baseline - Workstations" `
    -Target "OU=Workstations,DC=corp,DC=example,DC=com" `
    -LinkEnabled Yes

# Force immediate refresh on a remote computer
Invoke-GPUpdate -Computer "WORKSTATION01" -Force

# Troubleshoot — show which GPOs applied and why
gpresult /r
gpresult /h C:\gp-report.html
```
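The Local → Site → Domain → OU order is easier to reason about when you can see, for one specific computer, every link at every level of its container chain. The script below is an added example, not code from the page: it walks from the domain root down to the computer's OU and lists the GPO links at each level using the standard Get-GPInheritance cmdlet, including whether inheritance is blocked and which links are enforced. Site-linked GPOs are not included because site membership depends on the client's subnet rather than its DN. The function name is assumed.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Added example (not from the page): print the GPO links that apply to a computer,
# level by level from the domain root down to its OU, in processing order.
# Get-GpoProcessingOrder is an assumed function name; site-linked GPOs are omitted.
function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$ComputerName)

    $dn    = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $parts = $dn -split '(?<!\\),'                 # split on commas that are not escaped
    $parts = $parts[1..($parts.Count - 1)]         # drop the object's own RDN (CN=...)
    $ous   = @($parts | Where-Object { $_ -like 'OU=*' })      # innermost OU first
    $root  = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','

    # Processing order: domain first, then OUs from outermost to innermost
    $targets = @($root)
    for ($i = $ous.Count - 1; $i -ge 0; $i--) {
        $targets += ($ous[$i..($ous.Count - 1)] -join ',') + ',' + $root
    }

    $level = 0
    foreach ($t in $targets) {
        $level++
        $inh = Get-GPInheritance -Target $t
        foreach ($link in $inh.GpoLinks) {
            [pscustomobject]@{
                Level        = $level                        # higher level = processed later = wins
                Container    = $t
                LinkOrder    = $link.Order                   # 1 = highest precedence within this container
                GPO          = $link.DisplayName
                Enabled      = $link.Enabled
                Enforced     = $link.Enforced                # enforced links beat child OUs and blocking
                BlocksAbove  = $inh.GpoInheritanceBlocked    # this container blocks inheritance from above
            }
        }
    }
}

Get-GpoProcessingOrder -ComputerName 'WORKSTATION01' | Format-Table -AutoSize
```

Two details are worth checking in the output: a container with BlocksAbove set to True discards everything from the levels above it unless the parent link is Enforced, and within one container the link with LinkOrder 1 is processed last, so it wins over the other links at the same level.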
```powershell
# View current domain password policy
Get-ADDefaultDomainPasswordPolicy

# Configure (applies via Default Domain Policy)
Set-ADDefaultDomainPasswordPolicy `
    -Identity "corp.example.com" `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00"
```
```powershell
# Resultant Set of Policy for a specific user on a specific machine
Get-GPResultantSetOfPolicy `
    -ReportType HTML -Path "C:\rsop.html" `
    -Computer "WORKSTATION01" -User "CORP\asmith"

# Check GPO inheritance on an OU
Get-GPInheritance -Target "OU=Workstations,DC=corp,DC=example,DC=com"
```
| Feature | Standard DNS | AD-integrated DNS |
|---|---|---|
| Storage | Text zone file on the DNS server | Stored in AD database, replicated with AD |
| Replication | Manual zone transfer | Automatic via AD replication — no extra config |
| Multi-master writes | Primary only is writable | Every DC with DNS is fully writable |
| Dynamic update security | Anyone can register records | Only authenticated domain computers can register |
```powershell
# Verify SRV records are registered correctly
nslookup -type=SRV _ldap._tcp.corp.example.com
nslookup -type=SRV _kerberos._tcp.corp.example.com

# Force a DC to re-register its DNS records
nltest /dsregdns
# Or restart Netlogon:
Restart-Service Netlogon

# Full AD diagnostics including DNS health
dcdiag /test:DNS /v
```
Dynamic DNS leaves stale records for decommissioned machines. Without scavenging, your zone accumulates thousands of ghost records that cause name resolution to return wrong IPs.
```powershell
# Enable scavenging on the DNS server
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# Enable aging on a specific zone
Set-DnsServerZoneAging `
    -Name "corp.example.com" `
    -Aging $true `
    -NoRefreshInterval 7.00:00:00 `
    -RefreshInterval 7.00:00:00
```
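Turning scavenging on in a zone that has never been scavenged can delete a lot of records at once, so it pays to preview what would go. The script below is an added example, not code from the page: it lists the dynamic A records in a zone whose aging timestamp is older than the combined no-refresh and refresh intervals configured above, which is the set scavenging would remove on its next pass. Static records carry no timestamp and are never touched. The function name and threshold are assumed.

```powershell
Import-Module DnsServer

# Added example (not from the page): preview the dynamic records scavenging would
# remove, using each record's aging timestamp. Static records have no timestamp
# and are never scavenged. Get-StaleDnsRecord and its parameters are assumed names.
function Get-StaleDnsRecord {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$OlderThanDays = 14      # NoRefreshInterval + RefreshInterval from the zone settings (7 + 7)
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName,
            @{n='IPv4';    e={ $_.RecordData.IPv4Address.IPAddressToString }},
            Timestamp,
            @{n='AgeDays'; e={ [int]((Get-Date) - $_.Timestamp).TotalDays }} |
        Sort-Object Timestamp
}

# Preview first...
$stale = Get-StaleDnsRecord -ZoneName 'corp.example.com'
$stale | Format-Table -AutoSize
"{0} stale A records in corp.example.com" -f @($stale).Count

# ...then, if the list looks right, run one scavenging pass now instead of
# waiting for the 7-day interval
Start-DnsServerScavenging -ComputerName $env:COMPUTERNAME -Force
```

Enable scavenging on one DNS server only; because the zone is AD-integrated, the deletions replicate to every other DC, and a single scavenger keeps the behaviour predictable. If the preview shows records for machines that are still alive, their DHCP or Netlogon registration is not refreshing and that needs fixing before scavenging is switched on.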