Kickstart AD with the Active Directory Administrative Center

Published:29 July 2022 - 9 min. read


James Berrisford



Managing users and permissions can be dreadful, especially if you’re only starting as an admin. But the good news is the Active Directory Administrative Center (ADAC) is just around the corner.

Whether creating a user, resetting a password, or changing user permissions, ADAC is up to the task. And in this tutorial, you’ll learn how to deploy and utilize ADAC to a professional level.

Feel excited yet? Read on and start your journey as an admin with ADAC!


Prerequisites

If you plan to follow the examples in this tutorial, ensure you have a Windows Server. This tutorial uses Windows Server 2019, but later versions will also work.

Installing Active Directory on Windows Server 2019+

Active Directory (AD) is a directory service that enables administrators like yourself to manage permissions and control access to network resources. But since AD doesn’t come installed with your Windows Server by default, you’ll first have to install AD via the Server Manager.

1. Open Server Manager from the Start menu.

Launching Server Manager

2. On the Server Manager, click Manage (top-right), and select the Add Roles and Features option. An installation wizard pops up where you can install AD.

Accessing the Add Roles and Features Wizard

3. Tick the Skip this page by default option, and click Next as this page is purely introductory.

Acknowledging the beginning of the installation

4. Under the Installation Type section, choose Role-based or feature-based installation since you’re working on a single server, not part of a VDI, and click Next.

Selecting the installation type

5. Now, select the Select a server from the pool option, select the relevant server as the destination for the installation, and click Next.

Selecting the server that you wish to be your DC is crucial in this process. If you’re working on the first host in your environment, there will be just one server in the pool. But if you’re on a live environment with existing services, you’ll see the other servers from the environment.

Selecting Destination Server for installation

6. Tick the Active Directory Domain Services option, which may bring up an additional window if dependent features are missing.

Selecting the Active Directory Domain Services role

7. Confirm the dependencies, and click Add Features.

Confirming additional dependencies

8. Confirm the Active Directory Domain Services option is selected, and click Next.

Confirming the selected server roles

9. Leave everything as default in the Features section, and click Next.

Selecting additional features

10. Feel free to review the AD DS introduction and click Next.

Reviewing the selected role

11. Confirm your installation selections, and click Install. Doing so initiates the installation of AD onto your server.

Confirming the installation settings

12. Finally, click Close once the installation completes. You’ve successfully installed the AD DS role along with ADAC, and from here on out, you’ll get to experience flexible AD management.

Finishing the installation

Configuring the AD Installation

Even after installation, AD still requires configuration for the server to be promoted to a domain controller. Doing so lets your server become authoritative for an AD domain, which is essential for hosts to recognize which server is the domain controller.

1. On your Server Manager, select the yellow exclamation next to the flag (top-right), and click on the Promote this server to a domain controller link.

The Active Directory Domain Services Configuration Wizard opens, where you’ll configure your new domain controller.

Promoting the server to a domain controller

2. Under Deployment Configuration, select the Add a new forest option. A forest is a construct used by AD to define and group domains together.

Specify the Root domain name, and click Next. This tutorial’s choice for the root domain name is testdomain12.tk.

In this tutorial, you’ll create a new forest, but it’s possible to join an existing domain to expand your estate.

Defining the domain’s name

3. Leave the defaults in the Domain Controller Options, and only define your desired Directory Services Restore Mode (DSRM) password.

Defining the restore mode’s password

If the wizard can’t find an authoritative parent DNS zone to delegate to, you’ll encounter the following warning message.

This message simply reminds you to set your existing DNS records to correctly resolve your domain’s name. This action only applies when you want to integrate your domain into the existing infrastructure.

If not, and you’re building new infrastructure with this server being your new DNS parent host, ignore this message.

Reviewing the warning message

4. Leave the Create DNS delegation option unchecked and click Next.

Skipping creating DNS delegation

5. Now, leave the default NetBIOS domain name, and click Next.

By default, the wizard derives the NetBIOS domain name from the root domain name you provided in step two, using a shortened form of its first label.

Even though you can change the NetBIOS domain name, it’s best practice to leave this as default because it’s related to your domain.

Setting the NetBIOS domain name

6. Like in the previous steps, leave the default paths to define the installation’s local directories.

Defining Active Directory’s paths

7. Review the options for your installation, and click Next when you’re happy with everything.

Reviewing the configuration

8. Click Install once the wizard has validated your configuration and ensured everything’s ready for deployment.

If you see the All prerequisite checks passed successfully message, as shown below, you’re good to proceed with the installation. If not, click Show more and investigate further.

Running a prerequisites check

After the installation completes, your server will reboot.

Proceeding with installation

9. Lastly, open your Server Manager after the reboot and navigate to the Local Server tab (left pane). You’ll see the workgroup has changed to your root domain name (testdomain12.tk), which confirms your server is now on the domain.

Verifying domain controller
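
The two wizards above map directly onto cmdlets, which is handy when you need to build a second lab DC the same way. The following script is an added example, not part of the original tutorial: it uses the ServerManager and ADDSDeployment modules with the tutorial’s root domain name testdomain12.tk. The NetBIOS name TESTDOMAIN12 and the C:\Windows paths are assumptions that reproduce the wizard’s defaults; the DSRM password is prompted for rather than written into the script.

```powershell
# Added example (not from the original tutorial): the Server Manager role
# installation and the promotion wizard, run from an elevated PowerShell session.

# Installing AD DS, steps 1-12: the role plus its management tools, which is
# what brings ADAC (Active Directory Administrative Center) onto the server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Configuring the installation, steps 1-8: the wizard's settings as parameters.
Import-Module ADDSDeployment

# Step 3: the restore mode (DSRM) password, prompted rather than stored in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$forestParams = @{
    DomainName                    = 'testdomain12.tk'   # step 2: the tutorial's root domain
    DomainNetbiosName             = 'TESTDOMAIN12'      # step 5: assumed wizard default (first DNS label)
    SafeModeAdministratorPassword = $dsrmPassword
    InstallDns                    = $true               # wizard default for a new forest
    CreateDnsDelegation           = $false              # step 4: delegation left unchecked
    DatabasePath                  = 'C:\Windows\NTDS'   # step 6: assumed default paths
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Step 8: run the prerequisite checks first, with exactly the parameters
# the real installation will use (splatting keeps the two in sync).
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    # -Force suppresses the confirmation prompts; the server reboots when done.
    Install-ADDSForest @forestParams -Force
}
```

After the reboot, `Get-ADDomainController` (or the Local Server tab in Server Manager, as in step 9) confirms the server is now a domain controller for testdomain12.tk.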

Creating an Organizational Unit

An Organizational Unit (or OU) is a container designed to organize your environment, keeping things neat and secure. OUs are especially helpful when setting specific permissions for OU members.

To create an OU in the main forest directory of your domain:

1. Open Active Directory Administrative Center (ADAC) from the Start Menu.

2. Once ADAC opens, select your managed domain from the left pane, as shown below.

Selecting managed domain and viewing existing OUs

3. In the Tasks panel (right-most), select New —> Organizational Unit under your selected domain. Doing so opens a dialog box where you can configure a new OU (step four).

If the Tasks panel is not shown by default, click on Manage (top-right) —> Tasks Pane.

Initiating creating a new organizational unit

4. Now, specify a Name and short Description for the new OU, and click OK to create the OU. This tutorial uses TestOU for the OU’s name.

Creating a new organizational unit

5. Finally, select your domain, and confirm the existence of the new OU, as shown below.

Confirming the newly-created OU’s existence

Adding Users to an Organizational Unit

Employees need access to the organization’s resources when they join the company. Typically, your first task is adding a user account in AD; granting the necessary permissions comes later.

To add users to your OU:

1. Double click on your desired directory or OU.

Accessing the newly-created OU

2. Next, right-click in the blank table list —> New —> User to initiate creating a new user.

Initiating creating a new user

3. Finally, fill in the required fields (marked with red asterisks) along with the user password, and click OK to create the new user.

The Full name and User SamAccountName logon fields are the only mandatory ones. But, as the number of optional fields shows, plenty of customization is available. For example, the name fields (Full name, Middle initials, and Last name) populate the user’s account and carry through to any application that uses AD-integrated single sign-on (SSO).

Creating a new user

Back to ADAC’s main window, you’ll see the newly-created user in your OU.

Verifying the newly-created user
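
Every change ADAC makes is a PowerShell cmdlet underneath, so the OU and user above can be created the same way from a console. The script below is an added example, not the tutorial’s own; it uses the tutorial’s OU name TestOU, while the account Jane Doe / jdoe and the OU description are constructed sample values.

```powershell
# Added example (not from the original tutorial): creating the OU and the user
# with the ActiveDirectory module, mirroring the ADAC dialogs above.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName          # e.g. DC=testdomain12,DC=tk

# Creating an OU, step 4: name as in the tutorial; description is a constructed value.
# Protection from accidental deletion is the same default the ADAC dialog applies.
New-ADOrganizationalUnit -Name 'TestOU' -Path $domainDn `
    -Description 'OU created for the ADAC tutorial' `
    -ProtectedFromAccidentalDeletion $true

$ouDn = "OU=TestOU,$domainDn"

# The initial password is prompted for, never hard-coded in the script.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for the new user'

# Adding a user, step 3: only Full name (-Name) and the SamAccountName are
# mandatory in ADAC; the optional name fields are filled to show the mapping.
# 'Jane Doe' / 'jdoe' are constructed sample values.
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' `
    -UserPrincipalName "jdoe@$($domain.DNSRoot)" `
    -Path $ouDn `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Verify the object landed in the OU, as ADAC's main window shows it.
Get-ADUser -Filter 'SamAccountName -eq "jdoe"' -SearchBase $ouDn |
    Select-Object Name, SamAccountName, UserPrincipalName, Enabled, DistinguishedName
```

Note that `-Enabled $true` only succeeds when the supplied password satisfies the domain’s password policy; otherwise the user is created disabled and the cmdlet reports the policy failure, which is the same behaviour you get from the ADAC dialog.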

Resetting User Passwords

Perhaps one of the users has forgotten their password (which happens all the time). If so, you’ll need to find the user in question and reset their password. Luckily, ADAC is up to the task.

To reset a user’s password:

1. Open ADAC, highlight the domain where the user exists, and click on Search under this node option in the Tasks pane, as shown below.

A Global Search option appears on the left pane (step three).

Selecting OU where the user exists

2. Next, click the Global Search option (left pane), input the username (or any of the user’s identifying attributes, like First or Last name), and press Enter to search for the user.

Searching for a user

3. Select the user, and click on Reset password in the Tasks panel. A dialog box opens where you can reset the user’s password (step four).

Opening the Password Reset Dialog

If you’re deleting a user or any AD objects, choose the Delete option instead. When employees leave the company, deleting the user accounts in AD is essential for closing access, so they can’t log back in to wreak havoc.

4. Lastly, reset the user’s password with the following:

  • Enter a new password and confirm it, making sure the password meets your organization’s password policy.
  • Tick the User must change password at next log on option to require the user to change the password before logging in to the account.
  • Click OK to finalize resetting the user’s password.

Resetting the user’s password
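
The search-and-reset flow above is a frequent helpdesk task, so it is worth having as a script. The following is an added example, not code from the original tutorial; it uses the ActiveDirectory module, and jdoe is a constructed sample account. It also handles the case the tutorial’s scenario usually comes with: an account locked out by the failed attempts that preceded the reset request.

```powershell
# Added example (not from the original tutorial): the password reset from the
# "Resetting User Passwords" steps, done with the ActiveDirectory module.
Import-Module ActiveDirectory

$searchTerm = 'jdoe'   # constructed sample value

# Step 2 equivalent: look the account up by logon name, first name or last name.
$user = @(Get-ADUser `
    -Filter "SamAccountName -eq '$searchTerm' -or GivenName -eq '$searchTerm' -or Surname -eq '$searchTerm'" `
    -Properties LockedOut, PasswordLastSet)

# A helpdesk reset must target exactly one account; refuse to guess otherwise.
if ($user.Count -ne 1) {
    throw "Expected exactly one match for '$searchTerm', found $($user.Count)."
}
$user = $user[0]

# Step 4: the new password comes from a prompt (or a secrets vault), never the script.
$newPassword = Read-Host -AsSecureString -Prompt "New password for $($user.SamAccountName)"

# -Reset sets the password administratively without the old one. A value that
# fails the domain password policy throws here instead of being silently accepted.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

# "User must change password at next log on"
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# A forgotten password usually comes with a lockout from the failed attempts.
if ($user.LockedOut) {
    Unlock-ADAccount -Identity $user
}

# Confirm: PasswordLastSet moves to now and LockedOut is cleared.
Get-ADUser -Identity $user -Properties PasswordLastSet, LockedOut |
    Select-Object SamAccountName, PasswordLastSet, LockedOut
```

The one-match check matters more than it looks: a search by first name alone can match several people, and ADAC makes you pick one in the Global Search list, whereas a script would happily reset the wrong account if it did not refuse ambiguous input.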

Restoring a User or Any AD Object

When you accidentally delete an object, such as a user or a group, you’ll need to recover that object. But how? You can recover any object so long as the Recycle Bin is enabled.

So before making any drastic changes to your domain, be sure to enable the Recycle Bin first:

1. Select the relevant domain (left pane), and click on the Enable Recycle Bin option under the Tasks pane, as shown below, to enable the Recycle Bin.

Enabling the Recycle Bin

2. Next, click OK when prompted with the message below to confirm enabling the Recycle Bin.

Confirming enabling the Recycle Bin

3. Click OK again to confirm the changes.

Confirming the changes

4. Press the F5 key to refresh ADAC, and the Enable Recycle Bin option is now grayed out, indicating the Recycle Bin is enabled.

You can now safely delete objects and recover them when necessary.

Verifying the Enable Recycle Bin option is grayed out

5. Now, delete a user with the following:

  • Navigate to your domain.
  • Select the OU where the user resides.
  • Right click on the user and select the Delete option to delete the user.

Deleting a user

6. Click on the right arrow icon beside your domain (left pane), and select the Deleted Objects container to see the list of all deleted objects.

Accessing the list of all deleted objects

7. Right click on the user from the list of deleted objects and select the Restore option to restore the user to its original OU. But if you prefer to restore the user to a different container/OU, choose the Restore To option instead.

Restoring a user to its OU

If you choose to restore the user to a different location, the pop-up window below appears where you can select the restore location.

Selecting the location to restore the user

Once restored, the user disappears from the Deleted Objects container.

Verifying the user is not in the Deleted Objects container anymore

8. Ultimately, click on the OU where you created the user, and you’ll see the user is back in the OU.

Verifying the user is restored to its original OU
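
The same Recycle Bin workflow, from enabling the feature through Restore and Restore To, can be scripted. The block below is an added example and not part of the original tutorial; it uses the ActiveDirectory module, the constructed sample account jdoe and the tutorial’s TestOU, and an assumed alternative OU named Staging for the Restore To variant.

```powershell
# Added example (not from the original tutorial): enabling the Recycle Bin,
# then deleting and restoring a user with the ActiveDirectory module.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$domainDn = (Get-ADDomain).DistinguishedName

# Steps 1-4: enable the Recycle Bin forest-wide. Enabling it is irreversible,
# which is why ADAC asks you to confirm twice; here the guard is the scope check.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $recycleBin.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $recycleBin `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# Step 5: delete the user. Unlike OUs, user objects are not protected from
# accidental deletion by default, so this succeeds without extra steps.
Remove-ADUser -Identity 'jdoe' -Confirm:$false   # 'jdoe' is a constructed sample account

# Step 6: the Deleted Objects container. With the Recycle Bin on, deleted objects
# keep their attributes; LastKnownParent is where plain Restore puts them back.
$deleted = Get-ADObject -Filter 'IsDeleted -eq $true -and SamAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties LastKnownParent, WhenChanged
$deleted | Select-Object Name, LastKnownParent, WhenChanged

# Step 7: Restore, back to the original OU (TestOU) ...
$deleted | Restore-ADObject

# ... or "Restore To" a different container. 'OU=Staging' is an assumed OU;
# uncomment instead of the line above to use it.
# $deleted | Restore-ADObject -TargetPath "OU=Staging,$domainDn"

# Step 8: confirm the user is back in its OU and gone from Deleted Objects.
Get-ADUser -Identity 'jdoe' | Select-Object Name, DistinguishedName
```

The `WhenChanged` value on the deleted object is the deletion time, which is the first thing to look at when reconstructing what happened before restoring anything.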

Viewing PowerShell History in ADAC

Suppose one of your colleagues has made unauthorized changes to your domain controller. Naturally, you’ll need to view the history and see what changes were made ASAP, and ADAC can help.

Navigate to your domain, and click on the WINDOWS POWERSHELL HISTORY section at the bottom to expand the section since it’s minimized by default.

Once expanded, you can see the PowerShell history, since ADAC runs a PowerShell cmdlet for every change you make in it. Reviewing the history allows you to identify which unauthorized changes were made to your domain and eventually reverse them. Note that this pane only records the cmdlets run by the current ADAC session; changes made from other tools or sessions won’t appear here.

Below, you can see an object (a user) was removed with the Remove-ADObject cmdlet. Now you can restore that deleted user to its OU.

Viewing PowerShell history


Conclusion

This tutorial aimed to build your ability to manage an AD instance from scratch. Did it do well? You’ve gone over installing and configuring the instance and administering users, objects, and organizational units, which lets you manage a humble environment.

You’re now confident to manage objects in your domain without worrying if they get deleted since you can always restore them from the Recycle Bin in a few clicks.

If you ever get to a point where your large organization becomes a mess, consider cleaning up your AD.
