What is Active Directory Domain Services? Managing users and the network in an organization

2026-05-04 · Ajarn Bom (SiamCafe.net) · 1,492 words

What is Active Directory Domain Services (AD DS)?

Active Directory Domain Services (AD DS) is the directory service from Microsoft used to manage Windows domain networks. It keeps a central database of the users, computers, groups, policies and resources in the organization and controls who is allowed to access what.

The main components of AD DS are: the Domain Controller (DC), the server that runs the AD DS services and answers authentication requests; LDAP (Lightweight Directory Access Protocol), used to query and modify directory data; Kerberos, the primary authentication protocol; DNS integration, because AD DS relies on DNS for service discovery; Group Policy (GPO), which pushes settings to users and computers; and Organizational Units (OU), containers for organizing objects in the directory.

The benefits of AD DS: centralized management of users from one place; Single Sign-On (SSO), log in once and use every service; security policies such as password policy and software restrictions; resource access control for files, printers and applications; and automation with PowerShell scripts.

Installing AD DS

Steps to install Active Directory Domain Services:

# === Install Active Directory Domain Services ===

# 1. Install AD DS Role (PowerShell as Administrator)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Promote server to Domain Controller
# New Forest (first DC)
Install-ADDSForest `
  -DomainName "corp.example.com" `
  -DomainNetbiosName "CORP" `
  -ForestMode "WinThreshold" `
  -DomainMode "WinThreshold" `
  -InstallDns:$true `
  -DatabasePath "C:\Windows\NTDS" `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
  -Force:$true

# 3. Add additional Domain Controller (replica)
Install-ADDSDomainController `
  -DomainName "corp.example.com" `
  -InstallDns:$true `
  -Credential (Get-Credential) `
  -DatabasePath "C:\Windows\NTDS" `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
  -Force:$true

# 4. Verify installation
Get-ADDomainController -Filter *
Get-ADDomain
Get-ADForest

# 5. Configure DNS
Add-DnsServerForwarder -IPAddress "8.8.8.8", "1.1.1.1"
Get-DnsServerForwarder

# 6. Create Organizational Units (OU)
New-ADOrganizationalUnit -Name "IT Department" -Path "DC=corp, DC=example, DC=com"
New-ADOrganizationalUnit -Name "Sales" -Path "DC=corp, DC=example, DC=com"
New-ADOrganizationalUnit -Name "HR" -Path "DC=corp, DC=example, DC=com"
New-ADOrganizationalUnit -Name "Servers" -Path "DC=corp, DC=example, DC=com"
New-ADOrganizationalUnit -Name "Workstations" -Path "DC=corp, DC=example, DC=com"

Write-Host "AD DS installation complete"

Managing Users and Groups with PowerShell

PowerShell scripts for managing AD objects:

# === AD User and Group Management ===

# 1. Create single user
New-ADUser `
  -Name "??????????????? ????????????" `
  -GivenName "???????????????" `
  -Surname "????????????" `
  -SamAccountName "somchai.j" `
  -UserPrincipalName "somchai.j@corp.example.com" `
  -Path "OU=IT Department, DC=corp, DC=example, DC=com" `
  -AccountPassword (ConvertTo-SecureString "Welcome@2024" -AsPlainText -Force) `
  -Enabled $true `
  -ChangePasswordAtLogon $true `
  -Department "IT" `
  -Title "System Administrator" `
  -Office "Bangkok HQ"

# 2. Bulk create users from CSV
# CSV columns: FirstName,LastName,Username,Department,Title,OU
# (no spaces after the commas: ConvertFrom-Csv keeps them in property names and values)
$csvContent = @"
FirstName,LastName,Username,Department,Title,OU
Somchai,Jaidee,somchai.j,IT,SysAdmin,IT Department
Somying,Rakdee,somying.r,Sales,Sales Manager,Sales
Pranee,Sukthai,pranee.s,HR,HR Specialist,HR
"@

$csvContent | ConvertFrom-Csv | ForEach-Object {
    $password = ConvertTo-SecureString "Welcome@2024" -AsPlainText -Force
    $ouPath = "OU=$($_.OU), DC=corp, DC=example, DC=com"
    
    New-ADUser `
        -Name "$($_.FirstName) $($_.LastName)" `
        -GivenName $_.FirstName `
        -Surname $_.LastName `
        -SamAccountName $_.Username `
        -UserPrincipalName "$($_.Username)@corp.example.com" `
        -Path $ouPath `
        -AccountPassword $password `
        -Enabled $true `
        -ChangePasswordAtLogon $true `
        -Department $_.Department `
        -Title $_.Title
    
    Write-Host "Created: $($_.Username)"
}

# 3. Create Security Groups
New-ADGroup -Name "IT-Admins" -GroupScope Global -GroupCategory Security `
  -Path "OU=IT Department, DC=corp, DC=example, DC=com" `
  -Description "IT Administrators"

New-ADGroup -Name "VPN-Users" -GroupScope Global -GroupCategory Security `
  -Path "DC=corp, DC=example, DC=com" `
  -Description "VPN Access Group"

# 4. Add users to groups
Add-ADGroupMember -Identity "IT-Admins" -Members "somchai.j"
Add-ADGroupMember -Identity "VPN-Users" -Members "somchai.j","somying.r"

# 5. Query users
# Find all users in IT
Get-ADUser -Filter {Department -eq "IT"} -Properties Department, Title |
  Select-Object Name, SamAccountName, Department, Title |
  Format-Table -AutoSize

# Find disabled accounts
Get-ADUser -Filter {Enabled -eq $false} | Select-Object Name, SamAccountName

# Find users not logged in 90 days
$threshold = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $threshold} -Properties LastLogonDate |
  Select-Object Name, LastLogonDate | Sort-Object LastLogonDate

# 6. Disable inactive accounts
$inactiveUsers = Get-ADUser -Filter {LastLogonDate -lt $threshold -and Enabled -eq $true} -Properties LastLogonDate
foreach ($user in $inactiveUsers) {
    Disable-ADAccount -Identity $user
    Write-Host "Disabled: $($user.Name) (Last login: $($user.LastLogonDate))"
}

Write-Host "User management complete"

Group Policy Management

Managing Group Policy Objects (GPO):

# === Group Policy Management ===

# 1. Create and configure GPOs
# Security baseline GPO (example registry setting: keep UAC enabled)
# Note: the domain password policy itself is not a registry value; it lives in the
# Default Domain Policy and is changed with Set-ADDefaultDomainPasswordPolicy
New-GPO -Name "Security-PasswordPolicy" -Comment "Organization password policy"
Set-GPRegistryValue -Name "Security-PasswordPolicy" `
  -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
  -ValueName "EnableLUA" -Type DWord -Value 1

# Link GPO to OU
New-GPLink -Name "Security-PasswordPolicy" -Target "DC=corp, DC=example, DC=com" -Enforced Yes

# 2. Software Restriction GPO
New-GPO -Name "Workstation-SoftwareRestriction" -Comment "Restrict software installation"
New-GPLink -Name "Workstation-SoftwareRestriction" `
  -Target "OU=Workstations, DC=corp, DC=example, DC=com"

# 3. List all GPOs
Get-GPO -All | Select-Object DisplayName, GpoStatus, CreationTime |
  Format-Table -AutoSize

# 4. Backup all GPOs
$backupPath = "C:\GPOBackup\$(Get-Date -Format 'yyyyMMdd')"
New-Item -ItemType Directory -Path $backupPath -Force
Get-GPO -All | ForEach-Object {
    Backup-GPO -Guid $_.Id -Path $backupPath
    Write-Host "Backed up: $($_.DisplayName)"
}

# 5. Generate GPO Report
Get-GPO -All | ForEach-Object {
    Get-GPOReport -Guid $_.Id -ReportType HTML `
      -Path "$backupPath\$($_.DisplayName).html"
}

# 6. Common GPO Settings Script
# Map network drive
New-GPO -Name "Drive-Mapping" -Comment "Map network drives"
# Via Group Policy Preferences: User Config > Preferences > Windows Settings > Drive Maps

# Desktop wallpaper (the GPO must exist before registry values can be set on it)
New-GPO -Name "Desktop-Settings" -Comment "Desktop wallpaper"
Set-GPRegistryValue -Name "Desktop-Settings" `
  -Key "HKCU\Control Panel\Desktop" `
  -ValueName "WallPaper" -Type String `
  -Value "\\corp.example.com\SYSVOL\corp.example.com\wallpaper.jpg"

# Disable USB storage
New-GPO -Name "Security-DisableUSB" -Comment "Disable USB storage devices"
Set-GPRegistryValue -Name "Security-DisableUSB" `
  -Key "HKLM\SYSTEM\CurrentControlSet\Services\UsbStor" `
  -ValueName "Start" -Type DWord -Value 4

Write-Host "GPO management complete"

Backup and Disaster Recovery

Backing up and recovering Active Directory:

# === AD DS Backup and Recovery ===

# 1. Windows Server Backup for AD DS
# Install Windows Server Backup feature
Install-WindowsFeature -Name Windows-Server-Backup

# Full system state backup (includes AD DS)
wbadmin start systemstatebackup -backuptarget:E: -quiet

# Schedule daily backup (Windows Server Backup cmdlets)
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
$target = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBSchedule -Policy $policy -Schedule 02:00
Set-WBPolicy -Policy $policy -Force

# 2. Backup script with logging
$logFile = "C:\Logs\AD_Backup_$(Get-Date -Format 'yyyyMMdd').log"

function Write-Log {
    param($Message)
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    "$timestamp - $Message" | Out-File -Append -FilePath $logFile
    Write-Host $Message
}

Write-Log "Starting AD DS backup..."

# Backup System State
$result = wbadmin start systemstatebackup -backuptarget:E: -quiet 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Log "System State backup: SUCCESS"
} else {
    Write-Log "System State backup: FAILED - $result"
}

# Backup GPOs
$gpoBackup = "E:\GPOBackup\$(Get-Date -Format 'yyyyMMdd')"
New-Item -ItemType Directory -Path $gpoBackup -Force
Get-GPO -All | ForEach-Object {
    Backup-GPO -Guid $_.Id -Path $gpoBackup
    Write-Log "GPO backed up: $($_.DisplayName)"
}

# Export AD users (create the target folder first)
New-Item -ItemType Directory -Path "E:\ADBackup" -Force | Out-Null
Get-ADUser -Filter * -Properties * |
  Export-Csv "E:\ADBackup\Users_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Log "AD users exported"

# 3. Recovery procedures
# Restore System State (must boot to DSRM)
# bcdedit /set safeboot dsrepair
# wbadmin start systemstaterecovery -version:06/15/2024-02:00
# bcdedit /deletevalue safeboot

# 4. AD Recycle Bin (recover deleted objects)
# Enable AD Recycle Bin (one-time, irreversible)
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" `
  -Scope ForestOrConfigurationSet `
  -Target "corp.example.com" -Confirm:$false

# Recover deleted user
Get-ADObject -Filter 'isDeleted -eq $true -and Name -like "*somchai*"' `
  -IncludeDeletedObjects | Restore-ADObject

Write-Log "Backup procedures complete"

Monitoring and Troubleshooting

Monitoring and troubleshooting AD DS:

# === AD DS Monitoring and Troubleshooting ===

# 1. Health Check Script
function Test-ADHealth {
    Write-Host "=== AD DS Health Check ===" -ForegroundColor Cyan
    
    # Check DC connectivity
    Write-Host "`n[DC Status]"
    Get-ADDomainController -Filter * | ForEach-Object {
        $ping = Test-Connection $_.HostName -Count 1 -Quiet
        $status = if ($ping) { "ONLINE" } else { "OFFLINE" }
        Write-Host "  $($_.HostName): $status ($($_.Site))"
    }
    
    # Check replication
    Write-Host "`n[Replication]"
    repadmin /replsummary
    
    # Check SYSVOL
    Write-Host "`n[SYSVOL Status]"
    $sysvol = "\\$env:USERDNSDOMAIN\SYSVOL"
    if (Test-Path $sysvol) {
        Write-Host "  SYSVOL: Accessible" -ForegroundColor Green
    } else {
        Write-Host "  SYSVOL: NOT Accessible" -ForegroundColor Red
    }
    
    # Check DNS
    Write-Host "`n[DNS]"
    $ldapSrv = Resolve-DnsName "_ldap._tcp.$env:USERDNSDOMAIN" -Type SRV -ErrorAction SilentlyContinue
    if ($ldapSrv) {
        Write-Host "  LDAP SRV: OK ($($ldapSrv.Count) records)"
    } else {
        Write-Host "  LDAP SRV: MISSING" -ForegroundColor Red
    }
    
    # Check FSMO roles
    Write-Host "`n[FSMO Roles]"
    $forest = Get-ADForest
    $domain = Get-ADDomain
    Write-Host "  Schema Master: $($forest.SchemaMaster)"
    Write-Host "  Domain Naming: $($forest.DomainNamingMaster)"
    Write-Host "  PDC Emulator: $($domain.PDCEmulator)"
    Write-Host "  RID Master: $($domain.RIDMaster)"
    Write-Host "  Infrastructure: $($domain.InfrastructureMaster)"
    
    # Check accounts that are currently locked out
    Write-Host "`n[Locked-Out Accounts]"
    $lockouts = Search-ADAccount -LockedOut | Select-Object Name, LastLogonDate
    if ($lockouts) {
        $lockouts | Format-Table -AutoSize
    } else {
        Write-Host "  No locked accounts"
    }
    
    # Check passwords expiring within 7 days (skip accounts whose password never expires)
    Write-Host "`n[Passwords Expiring in 7 Days]"
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    $warnDate = (Get-Date).AddDays(-($maxAge - 7))
    Get-ADUser -Filter {PasswordLastSet -lt $warnDate -and Enabled -eq $true -and PasswordNeverExpires -eq $false} `
      -Properties PasswordLastSet |
      Select-Object Name, PasswordLastSet | Format-Table -AutoSize
}

Test-ADHealth

# 2. Common troubleshooting commands
# Check event logs for AD errors
Get-WinEvent -LogName "Directory Service" -MaxEvents 20 |
  Where-Object { $_.Level -le 3 } |
  Select-Object TimeCreated, LevelDisplayName, Message | Format-Table -Wrap

# Test DC diagnostics
dcdiag /v /c /d /e /s:DC01

# Test DNS
dcdiag /test:dns /v /e

# Force replication
repadmin /syncall /AdeP

Write-Host "Monitoring check complete"

FAQ: frequently asked questions

Q: What is the difference between AD DS and Azure AD (Entra ID)?

A: AD DS (on-premises) is the traditional directory service that runs on Windows Server. It uses LDAP and Kerberos and is built for domain-joined computers, Group Policy and file shares in on-premises infrastructure. Azure AD (Microsoft Entra ID) is a cloud-based identity service that uses SAML, OAuth and OpenID Connect and is built for cloud apps (Microsoft 365, SaaS), Conditional Access and MFA in cloud-first organizations. In a hybrid setup, Azure AD Connect syncs users from on-premises AD to Azure AD so that both on-prem and cloud SSO work. Most organizations today run hybrid (AD DS + Azure AD Connect + Entra ID).

Q: How many Domain Controllers do you need?

A: At least 2 (redundancy): if one DC fails, the domain keeps working. Rough guidelines: a small organization (< 500 users) needs 2 DCs; an organization with branch offices needs 2 DCs at HQ plus 1 DC per branch (important when the branch depends on a WAN link); a large organization (1000+ users) needs 3-5 DCs at HQ plus RODCs (Read-Only DCs) at the branches. Put the DCs on separate physical/virtual machines, on different storage and on a different rack/host. On Azure, Azure AD Domain Services (managed) means you do not have to manage the DCs yourself.

Q: What should you do if AD DS is hacked?

A: AD DS is the prime target for attackers because it controls the whole network. Prevention: use a Tiered Admin model (Tier 0 = DC/AD admins, Tier 1 = server admins, Tier 2 = workstation admins); enable MFA for privileged accounts; use Privileged Access Workstations (PAW) for admin tasks; monitor with Microsoft Defender for Identity or ATA; disable NTLM and use Kerberos instead; enforce a strong password policy (14+ characters); run regular security audits (BloodHound, PingCastle). If you have been hacked: isolate compromised systems, reset the KRBTGT password (twice), reset all admin passwords, rebuild the DCs from scratch (do not restore from a backup that may already contain a backdoor), and engage an incident response team.
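A read-only audit of the prevention points above, added here as an example (not the post's own script). It assumes the ActiveDirectory module on a domain-joined host with read access to AD; the 180-day KRBTGT threshold and the Tier 0 group list are the author's choices, and the NTLM check reads the local LSA registry of the machine it runs on.

```powershell
Import-Module ActiveDirectory

function Get-Tier0Findings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Password policy: the FAQ recommends 14+ characters
    $pol = Get-ADDefaultDomainPasswordPolicy
    if ($pol.MinPasswordLength -lt 14) {
        $findings.Add("MinPasswordLength is $($pol.MinPasswordLength), recommended 14+")
    }

    # 2. KRBTGT: rotate twice with replication in between; an old key keeps old tickets valid
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $krbAge = ((Get-Date) - $krbtgt.PasswordLastSet).Days
    if ($krbAge -gt 180) {
        $findings.Add("KRBTGT password was last set $krbAge days ago")
    }

    # 3. Tier 0 groups: keep membership small, no service accounts, no never-expiring passwords
    foreach ($group in "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators") {
        $members = @(Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq "user" |
            Get-ADUser -Properties PasswordNeverExpires, ServicePrincipalName)
        $findings.Add("$group has $($members.Count) user member(s)")
        foreach ($m in $members) {
            if ($m.PasswordNeverExpires) {
                $findings.Add("  $($m.SamAccountName) ($group): PasswordNeverExpires is set")
            }
            if ($m.ServicePrincipalName.Count -gt 0) {
                $findings.Add("  $($m.SamAccountName) ($group): has an SPN, a service account in Tier 0")
            }
        }
    }

    # 4. NTLM on this host: LmCompatibilityLevel 5 = NTLMv2 only, LM and NTLMv1 refused
    $lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
    if ($null -eq $lsa.LmCompatibilityLevel -or $lsa.LmCompatibilityLevel -lt 5) {
        $findings.Add("LmCompatibilityLevel is '$($lsa.LmCompatibilityLevel)', set it to 5 via GPO")
    }

    return $findings
}

Get-Tier0Findings | ForEach-Object { Write-Host $_ }
```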

Q: What if a GPO does not apply?

A: Troubleshooting steps: check that the GPO is linked to the correct OU (gpmc.msc); check security filtering (the GPO only applies to the users/computers that have the Apply permission); run gpresult /r to see which GPOs were applied and which were denied; run gpupdate /force to refresh policies; check whether a WMI filter is blocking the GPO; check whether Block Inheritance is set on the OU; check the event log (Event Viewer > Applications and Services > Microsoft > Windows > GroupPolicy); check that DNS is correct (the computer must be able to resolve the domain name); check SYSVOL replication between the DCs. The most common causes are the computer sitting in the wrong OU and wrong security filtering.
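The server-side checks from that list, collected into one function as an added example (not from the original post). It assumes the GroupPolicy and ActiveDirectory modules on a management host, and the GPO and computer names in the final call are placeholders from the examples above.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoApplies {
    param([string]$GpoName, [string]$ComputerName)
    $gpo  = Get-GPO -Name $GpoName
    $comp = Get-ADComputer -Identity $ComputerName

    # 1. A GPO with its settings disabled applies nothing
    if ($gpo.GpoStatus -ne "AllSettingsEnabled") { "GPO status is $($gpo.GpoStatus)" }

    # 2. Link and inheritance: InheritedGpoLinks is what the computer's OU really receives
    #    after Block Inheritance and Enforced links are taken into account
    $ou  = ($comp.DistinguishedName -split ",", 2)[1]
    $inh = Get-GPInheritance -Target $ou
    if ($inh.GpoInheritanceBlocked) { "Block Inheritance is set on $ou" }
    $link = $inh.InheritedGpoLinks | Where-Object GpoId -eq $gpo.Id
    if (-not $link) { "GPO is not linked to $ou or any parent (or the link is blocked)" }
    elseif (-not $link.Enabled) { "GPO link on $($link.Target) is disabled" }

    # 3. Security filtering: the computer, one of its groups or Authenticated Users
    #    needs Apply permission and must not be denied
    $names = @("Authenticated Users", "Domain Computers", $comp.SamAccountName) +
             @(Get-ADPrincipalGroupMembership $comp | Select-Object -ExpandProperty Name)
    $perms   = Get-GPPermission -Name $GpoName -All | Where-Object { $_.Permission -eq "GpoApply" }
    $denied  = $perms | Where-Object { $_.Denied -and $names -contains $_.Trustee.Name }
    $allowed = $perms | Where-Object { -not $_.Denied -and $names -contains $_.Trustee.Name }
    if ($denied) { "Apply is denied to: $($denied.Trustee.Name -join ', ')" }
    if (-not $allowed) { "No Apply permission for the computer or its groups (security filtering)" }

    # 4. A WMI filter that evaluates to false on the client silently skips the GPO
    if ($gpo.WmiFilter) { "WMI filter '$($gpo.WmiFilter.Name)' is attached; evaluate it on the client" }

    # 5. AD and SYSVOL versions drifting apart points at SYSVOL replication problems
    if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) {
        "Computer version mismatch: AD=$($gpo.Computer.DSVersion) SYSVOL=$($gpo.Computer.SysvolVersion)"
    }

    # 6. Client side: recent Group Policy errors/warnings logged on the computer itself
    Get-WinEvent -ComputerName $ComputerName -LogName "Microsoft-Windows-GroupPolicy/Operational" `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object Level -le 3 |
        ForEach-Object { "Client event $($_.Id): $($_.Message.Split("`n")[0])" }
}

Test-GpoApplies -GpoName "Workstation-SoftwareRestriction" -ComputerName "WS01"
```

Every line the function emits is one reason the GPO may not reach that computer; no output means the server-side checks passed and gpresult /r on the client is the next step.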
