As the complexity of networking resources has grown, directory services have become ever more important for managing IT infrastructure. There is no directory service with a bigger name than Active Directory. Microsoft’s directory service has been established as a staple tool amongst network administrators. In this Active Directory tutorial we’re going to look at what Active Directory is, how to use it, and Active Directory tools like SolarWinds Access Rights Manager. Topics include:
- What is Active Directory?
- What does Active Directory do?
- How to Set Up Active Directory
- How to Use Active Directory: Setting Up a Domain Controller, Creating Directory Users
- Active Directory Events to Monitor
- Trust Relationships (and Trust Types)
- An Overview of Active Directory Forests and Trees
- Active Directory Reporting (with SolarWinds Access Rights Manager)
What is Active Directory?
Active Directory is a directory service that stores objects describing your local network environment. The service records data on users, computers, groups, printers, applications and other devices in a hierarchical structure and exposes it over LDAP, with Kerberos (and, for legacy clients, NTLM) handling authentication against it.
The structure of the data makes it possible to find the details of resources connected to the network from one location. In essence, Active Directory acts like a phonebook for your network so you can look up and manage devices easily.
What does Active Directory do?
There are many reasons why enterprises use directory services like Active Directory. The main one is centralized authentication and authorization. Active Directory lets users log on to, and administrators manage, a variety of resources from one place. Login credentials are held once, in the directory, so a user does not need a separate account on each machine and an administrator can disable a person's access everywhere by disabling a single account.
How to Set Up Active Directory (with RSAT)
To begin you will first need to make sure that you have Windows Professional, Enterprise or Education installed; the Home edition cannot install the Remote Server Administration Tools. Then do the following:
For Windows 10 Version 1809:
- Right-click on the Start button and go to Settings > Apps > Manage optional features > Add feature.
- Now select RSAT: Active Directory Domain Services and Lightweight Directory Tools.
- Finally, select Install then go to Start > Windows Administrative Tools to access Active Directory once the installation is complete.
For Windows 8 (and Windows 10 Version 1803 or earlier)
- Download and install the correct version of Remote Server Administration Tools for your device: Windows 8, Windows 10.
- Next, right-click the Start button and select Control Panel > Programs > Programs and Features > Turn Windows features on or off.
- Scroll down and expand the Remote Server Administration Tools option.
- Now click on Role Administration Tools.
- Click on AD DS and AD LDS Tools and verify AD DS Tools has been checked.
- Press Ok.
- Go to Start > Administrative Tools on the Start menu to access Active Directory.
How to Use Active Directory: How to Set Up a Domain Controller, Creating Directory Users
How to Set Up a Domain Controller
One of the first things you need to do when using Active Directory is to set up a domain controller. A domain controller is a central server that responds to authentication requests from users and computers throughout the network. It holds the directory database (ntds.dit), which includes the password hashes for every user and computer account in the domain. That makes it the most sensitive machine on the network: anyone who can read that file, or run code on the domain controller, controls the domain.
All other computers in the domain defer to the domain controller for authentication, so a user signs in once with a single account rather than maintaining a local account on every device. The advantage for the administrator is not having to manage dozens of separate sets of login credentials.
The process of setting up a domain controller is relatively simple. Assign a static IP address to the server that will become the domain controller and install Active Directory Domain Services (AD DS). Now follow these instructions:
- Open Server Manager and click Manage > Add Roles and Features.
- Click Next.
- Select Role-based or feature-based installation. (Remote Desktop Services installation is for RDS deployments, not for domain controllers, regardless of whether the server is a virtual machine.)
- Select a server from the server pool.
- Select Active Directory Domain Services from the list and click Next.
- Leave the Features checked by default and press Next.
- Click Restart the destination server automatically if required and click Install. Close the window once the installation is complete.
- Once the AD DS role has been installed a notification will display next to the Manage menu. Press Promote this server to a domain controller.
- Now click Add a new forest and enter a Root domain name. Press Next.
- Select the forest and domain functional levels you need and enter a password in the Type the Directory Services Restore Mode (DSRM) password section. The DSRM password is a local administrator credential for the domain controller that works even when the directory is offline, so record it in your password vault and treat it with the same care as the domain Administrator password. Click Next.
- When the DNS Options page displays click Next again.
- Enter a name in the NetBIOS domain name box (normally the first label of the root domain name). Press Next.
- Select a folder to store your database and log files. Click Next.
- Press Install to finish. Your system will now reboot.
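The same promotion, done from an elevated PowerShell prompt on the server, as an added example that is not part of the original article. The interface alias, IP addressing and the forest root name corp.example.com are placeholders chosen for the example; replace them with your own values.

```powershell
# Run elevated on the server that will become the first domain controller.
# Assumed values (not from the article): interface 'Ethernet', address 10.0.0.10/24,
# gateway 10.0.0.1, forest root corp.example.com, NetBIOS name CORP.

# 1. Static IP address; point DNS at this server because it will host the AD zone.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.10' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '127.0.0.1'

# 2. Install the AD DS role together with the management tools
#    (ADUC, Active Directory Domains and Trusts, the ActiveDirectory PowerShell module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. The DSRM password is read interactively so it never lands in the script or the command history.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# 4. Dry run: reports the same warnings the wizard would (DNS delegation, name conflicts) without changing anything.
Test-ADDSForestInstallation -DomainName 'corp.example.com' -SafeModeAdministratorPassword $dsrm

# 5. Promote. 'WinThreshold' is the Windows Server 2016 functional level; the paths are the defaults
#    the wizard offers. The server reboots on completion.
Install-ADDSForest `
    -DomainName 'corp.example.com' `
    -DomainNetbiosName 'CORP' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true

# After the reboot, confirm the role from the same server:
# Get-ADDomainController -Identity $env:COMPUTERNAME | Select-Object HostName, Domain, Forest, IsGlobalCatalog
```

The Test-ADDSForestInstallation step is worth keeping in any build script: it surfaces the DNS and naming problems before the irreversible promotion, whereas the wizard only shows them on the Prerequisites Check page.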
Creating Active Directory Users
Users and computers are the two most basic objects that you will need to manage when using Active Directory. In this section, we're going to look at how to create new user accounts. The process is relatively simple, and the easiest way to manage users is through the Active Directory Users and Computers (ADUC) tool that comes with the Remote Server Administration Tools (RSAT) pack. You can install ADUC by following the instructions listed below:
Install ADUC on Windows 10 Version 1809 and Higher:
- Right-click on the Start button and click Settings > Apps, then click Manage optional features > Add feature.
- Select RSAT: Active Directory Domain Services and Lightweight Directory Tools.
- Select Install and wait for the installation to complete.
- Go to Start > Windows Administrative Tools to access the feature.
Install ADUC on Windows 8 and Windows 10 Version 1803 or Lower:
- Download and install Remote Server Administration Tools for your version of Windows. You can do so from one of these links here:
Remote Server Administration Tools for Windows 10, Remote Server Administration Tools for Windows 8, or Remote Server Administration Tools for Windows 8.1.
- Right-click on Start > Control Panel > Programs > Programs and Features > Turn Windows features on or off.
- Scroll down and select Remote Server Administration Tools.
- Expand Role Administration Tools > AD DS and AD LDS Tools.
- Check AD DS Tools and press Ok.
- Go to Start > Administrative Tools and select Active Directory Users and Computers.
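Both RSAT installation procedures above (the one in the setup section and the ADUC one here) can be scripted. The following is an added example, not part of the original article: it installs the AD DS/LDS tools as a Windows capability on Windows 10 1809 and later (and Windows 11), skips the work if they are already present, and then verifies that ADUC and the ActiveDirectory PowerShell module are usable. Run it from an elevated prompt.

```powershell
# Windows 10 1809+ / Windows 11: RSAT ships as Features on Demand, one capability per tool set.
# The AD DS and AD LDS tools (ADUC, Domains and Trusts, Sites and Services, the AD module)
# are the capability named Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0.
$caps = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools*'

foreach ($cap in $caps) {
    if ($cap.State -eq 'Installed') {
        Write-Host "$($cap.Name) already installed"
    } else {
        # Downloads from Windows Update (or a WSUS/FoD source if policy redirects it).
        Add-WindowsCapability -Online -Name $cap.Name
    }
}

# On Windows Server the same tools are a feature, not a capability:
#   Install-WindowsFeature RSAT-AD-Tools

# Verify: the ADUC snap-in is on disk and the ActiveDirectory module loads.
$aducPresent = Test-Path "$env:SystemRoot\System32\dsa.msc"
Import-Module ActiveDirectory -ErrorAction Stop
$cmdCount = (Get-Command -Module ActiveDirectory).Count
Write-Host "ADUC present: $aducPresent; ActiveDirectory module cmdlets: $cmdCount"
```

The verification matters on the 1809+ path in particular: Add-WindowsCapability fails silently when Windows Update is blocked by policy, and the tools simply do not appear under Windows Administrative Tools.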
How to Create New Users with ADUC
- Open the Server Manager, go to the Tools menu and select Active Directory Users and Computers.
- Expand the domain and click Users.
- Right-click on the right pane and press New > User.
- When the New Object - User box displays enter a First name, Last name and User logon name and click Next.
- Enter a password and confirm it. Leave User must change password at next logon checked so that the initial password you set is replaced at the first sign-in, and do not check Password never expires for a normal user. Press Next.
- Click Finish.
- The new user account can be found in the Users section of ADUC.
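The same account creation from PowerShell, added here as an example that is not part of the original article. It goes slightly beyond the single-user wizard above: it creates several users from a small CSV list (constructed inline for the example), gives each a random one-time password that must be changed at first logon, and places them in a dedicated OU rather than the default Users container so that Group Policy can be linked to them. The OU path and domain name are assumptions.

```powershell
Import-Module ActiveDirectory

# Constructed sample input for the example (not from the article).
$csv = @'
GivenName,Surname,SamAccountName,Department
Alice,Example,alice.example,Finance
Bob,Example,bob.example,IT
Carol,Example,carol.example,HR
'@
$users = $csv | ConvertFrom-Csv

# Assumed target container. The default CN=Users container cannot have a GPO linked to it,
# so staff accounts normally live in an OU created for them.
$ou     = 'OU=Staff,DC=corp,DC=example,DC=com'
$domain = (Get-ADDomain).DNSRoot

foreach ($u in $users) {
    $sam = $u.SamAccountName
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Warning "$sam already exists, skipping"
        continue
    }

    # 20 random alphanumeric characters; the account must change it at first logon,
    # so this value only has to survive the hand-over to the user.
    $initial = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })

    New-ADUser -Name "$($u.GivenName) $($u.Surname)" `
        -GivenName $u.GivenName `
        -Surname $u.Surname `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$domain" `
        -Department $u.Department `
        -Path $ou `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    # Deliver out of band (in person, phone); never by e-mail.
    Write-Host "$sam : $initial"
}

# Verify: enabled accounts with pwdLastSet = 0 are the ones still waiting for their first password change.
Get-ADUser -Filter * -SearchBase $ou -Properties pwdLastSet, Department |
    Select-Object SamAccountName, Enabled, Department, @{n='MustChangePassword'; e={ $_.pwdLastSet -eq 0 }}
```

Creating a user sets off event 4720 (a user account was created) on the domain controller that handled the request; if you wire up the event monitoring described later, this is a good way to confirm the pipeline works.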
Active Directory Events to Monitor
Like all forms of infrastructure, Active Directory needs to be monitored to stay protected. Monitoring the directory service is essential for detecting attacks early and for delivering a reliable service to your users.
Below we list some of the most important security events that you should look out for. If you see any of these events then investigate promptly to make sure that your directory hasn't been compromised. One caveat before relying on the list: most of these events are only written if the matching audit subcategory (Audit Policy Change, User Account Management, Special Logon and so on) is enabled on the domain controllers under Advanced Audit Policy Configuration, so check the effective policy with auditpol /get /category:* before assuming silence means safety.
| Current Windows Event ID | Legacy Windows Event ID | Description |
| --- | --- | --- |
| 4618 | N/A | A monitored security event pattern has occurred. |
| 4649 | N/A | A replay attack was detected (may be a false positive caused by a client retrying an authentication). |
| 4719 | 612 | The system audit policy was changed. |
| 4765 | N/A | SID History was added to an account. |
| 4766 | N/A | An attempt to add SID History to an account failed. |
| 4794 | N/A | An attempt was made to set the Directory Services Restore Mode administrator password. |
| 4897 | 801 | Role separation enabled (Active Directory Certificate Services). |
| 4964 | N/A | Special groups have been assigned to a new logon. |
| 5124 | N/A | A security setting was updated on the OCSP Responder Service. |
| N/A | 550 | Possible denial-of-service (DoS) attack. |
| 1102 | 517 | The audit log was cleared. |
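A script that pulls the events in the table from every domain controller for the last 24 hours, added here as an example and not part of the original article. It assumes it is run from a domain-joined workstation with RSAT installed by an account that is in Event Log Readers (or is an administrator) on the domain controllers; the 24-hour window is an arbitrary choice for the example.

```powershell
Import-Module ActiveDirectory

# The event IDs from the table above, with a short label for the report.
$watch = @{
    4618 = 'Monitored security event pattern'
    4649 = 'Replay attack detected'
    4719 = 'System audit policy changed'
    4765 = 'SID History added to account'
    4766 = 'Attempt to add SID History failed'
    4794 = 'DSRM administrator password set'
    4897 = 'Role separation enabled (AD CS)'
    4964 = 'Special group assigned to new logon'
    5124 = 'OCSP Responder security setting updated'
    1102 = 'Audit log cleared'
}

# Every DC must be queried: an event is written only on the DC that processed the request,
# so watching a single DC misses everything handled by the others.
$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddHours(-24)

$hits = foreach ($dc in $dcs) {
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when the filter matches nothing.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = @($watch.Keys)
        StartTime = $since
    } | ForEach-Object {
        [pscustomobject]@{
            DC      = $dc
            Time    = $_.TimeCreated
            Id      = $_.Id
            What    = $watch[$_.Id]
            # First line of the message is the event's own one-line summary.
            Summary = ($_.Message -split "`r?`n")[0]
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize

# Sanity check when the list comes back empty: is auditing actually switched on?
foreach ($dc in $dcs) {
    Write-Host "== Effective audit policy on $dc =="
    Invoke-Command -ComputerName $dc -ScriptBlock { auditpol /get /category:* }
}
```

Two of the rows deserve a note. 1102 is logged by the Event Log service itself and cannot be suppressed by audit policy; a 1102 that nobody on the team can account for is about as clear a signal of tampering as Windows gives. 4765 and 4766 matter because SID History is one of the classic ways to slip a privileged SID onto an ordinary account, which is also why the trust section below cares about SID filtering.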
An Overview of Active Directory Forests and Trees
Forests and trees are two terms you will hear a lot when delving into Active Directory. They refer to the logical structure of the directory. Briefly, a tree is a root domain together with its child domains, all sharing a contiguous DNS namespace (for example corp.example.com with a child sales.corp.example.com). A forest is one or more trees that share a single schema, a single configuration partition and a global catalog. When multiple trees are grouped together they form a forest.
Trees in the forest connect to each other through trust relationships, which enable different domains to accept each other's authentication. Every domain in a forest trusts every other domain automatically, so an account from the root domain can authenticate to a resource in any other domain of the forest. Note that authentication is not authorization: the trust gets the user recognised, but access is still decided by the permissions set on the resource.
Each forest shares one schema and one configuration, replicated to every domain controller in it. Logically, the forest sits at the top of the hierarchy, trees below it, and domains at the bottom. One of the challenges network administrators have when working with Active Directory is managing forests and keeping the directory secure.
For example, a network administrator will be tasked with choosing between a single-forest design and a multi-forest design. The single-forest design is simple, low-cost and easy to manage, with one forest comprising the entire network. In contrast, a multi-forest design divides the network into separate forests. The reason this is better for security is that the forest, not the domain, is the security boundary in Active Directory: an administrator of any domain in a forest can, in practice, take control of the whole forest, so separate forests are the only way to keep two administrative teams genuinely isolated from each other. The price is more complicated administration.
Trust Relationships (and Trust Types)
As mentioned above, trusts are used to facilitate authentication between domains. A trust lets users from one domain be authenticated by, and granted access to resources in, another. Trusts can be one-way or two-way. Within a trust, the two domains are divided into a trusting domain (the one that holds the resources) and a trusted domain (the one that holds the accounts).
In a one-way trust, the trusting domain accepts authentication performed by the trusted domain, so users from the trusted domain can access resources in the trusting domain, but not the other way round. In a two-way trust, both domains accept each other's authentication. All domains within a forest trust each other automatically, but you can also set up trusts with domains in other forests, or with non-Windows Kerberos realms, when resources need to be shared across that boundary.
You create trusts with the New Trust Wizard, which you reach from Active Directory Domains and Trusts by opening the domain's Properties, selecting the Trusts tab and clicking New Trust. The Trusts tab lists the existing trusts with their Domain Name, Trust Type and Transitive status; the wizard walks you through choosing the type, direction and authentication scope of a new one.
There is a range of trust types in Active Directory. We’ve listed these in the table below:
| Trust Type | Transitivity | Direction | Default? | Description |
| --- | --- | --- | --- | --- |
| Parent and child | Transitive | Two-way | Yes | A parent and child trust is established when a child domain is added to a domain tree. |
| Tree-root | Transitive | Two-way | Yes | A tree-root trust is established the moment a new domain tree is created within a forest. |
| External | Non-transitive | One-way or two-way | No | Provides access to resources in a Windows NT 4.0 domain or in a domain located in a different forest that is not covered by a forest trust. |
| Realm | Transitive or non-transitive | One-way or two-way | No | Forms a trust relationship between a non-Windows Kerberos realm and an Active Directory domain. |
| Forest | Transitive | One-way or two-way | No | Shares resources between forests. |
| Shortcut | Transitive | One-way or two-way | No | Reduces user logon times between two domains within the same forest by bypassing the trust path through the forest root. |
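Because external and forest trusts extend who can authenticate into your domain, the settings on them deserve an explicit review. The following is an added example, not part of the original article: it lists every trust held by the current domain with the properties that matter for security and warns about the risky combinations. It assumes the ActiveDirectory module is installed and the account running it can read the domain's trust objects; the netdom command in the warning is quoted for the operator to run, not executed.

```powershell
Import-Module ActiveDirectory

# All trusts of the current domain. Direction is from this domain's point of view:
#   Inbound       = this domain is trusted; accounts from the other side can come here
#   Outbound      = this domain trusts the other one
#   BiDirectional = both
$trusts = Get-ADTrust -Filter * -Properties *
$here   = (Get-ADDomain).DNSRoot

$trusts |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware,
                  SelectiveAuthentication, TGTDelegation |
    Format-Table -AutoSize

foreach ($t in $trusts) {
    $name = $t.Name

    # Parent/child, tree-root and shortcut trusts stay inside the forest, which is the
    # security boundary anyway; SID filtering is not a meaningful control there.
    if ($t.IntraForest) { continue }

    # Forest trust: SID filtering (forest-aware) strips SIDs that do not belong to the other
    # forest. Without it, SID History injected over there is honoured here.
    if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
        Write-Warning "$name : forest trust without SID filtering"
    }

    # External trust: the equivalent switch is 'quarantine'.
    if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
        Write-Warning "$name : external trust without quarantine. Re-enable with: netdom trust $here /domain:$name /quarantine:yes"
    }

    # Domain-wide authentication makes every user of the trusted side a member of
    # Authenticated Users here; selective authentication requires an explicit
    # 'Allowed to Authenticate' grant per resource.
    if (-not $t.SelectiveAuthentication) {
        Write-Warning "$name : domain-wide (not selective) authentication"
    }

    # TGT delegation across the trust lets the other side's unconstrained-delegation
    # hosts collect TGTs of your users.
    if ($t.TGTDelegation) {
        Write-Warning "$name : TGT delegation across the trust is enabled"
    }
}
```

Run it after creating any new trust and again whenever the other side's administrators change hands; SID filtering is on by default for trusts created with the wizard, but it is a single netdom command to turn off, and nothing in the wizard will tell you later that it was.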
Active Directory Reporting (with SolarWinds Access Rights Manager)
Generating reports on Active Directory is essential for optimizing performance and staying in line with regulatory compliance. One of the best Active Directory reporting tools is SolarWinds Access Rights Manager (ARM). The tool has been created to increase visibility into how directory accounts and permissions are used and managed. For example, you can view accounts with insecure configurations and patterns of credential abuse that could indicate a cyber attack.
Using a third-party tool like SolarWinds Access Rights Manager is beneficial because it provides you with information and features that would be much more difficult or impossible to access through Active Directory directly.
As well as generating reports you can automatically delete inactive or expired accounts that cybercriminals target. SolarWinds Access Rights Manager starts at $3,444 (£2,829). There is also a 30-day free trial version that you can download.
Active Directory Tutorial: The Basics
Active Directory is one of the best tools for managing resources in your network. In this article, we've only scratched the surface of what it can do. If you're using Active Directory remember that it is a prime target for attackers: whoever controls the directory controls every account in it. Keeping track of the key directory events listed above and using a directory monitor will go a long way towards minimizing the risk of a successful attack and protecting the availability of your service.