Active Directory tutorial for beginners
Learn what Active Directory is, how to set it up, install RSAT, create users, and monitor key AD events. A step-by-step beginner walkthrough.
TL;DR: Active Directory is the identity and access backbone of most Windows environments, controlling who can log in, what they can reach, and how policies are enforced across the network. This tutorial walks through what Active Directory is, how it is organized, how to configure a domain controller, how to create users, and which events to monitor once your environment is running.
Active Directory sits at the center of how organizations manage access, enforce policy, and authenticate users across their networks.
For IT professionals entering a Windows environment for the first time, or taking on broader administrative responsibilities, understanding how Active Directory works is not optional.
Nearly every task in a Windows environment, from onboarding a new employee to investigating a security event, traces back to it.
This tutorial covers each step in sequence: what Active Directory is, how it is structured, what it does, how to get it running, how to start managing it, and which events to monitor once it is live.
Download the Beginner's Guide to Active Directory to learn how to set up, manage, and secure user access in Windows environments — step by step.
What is Active Directory?
Microsoft Active Directory (AD) is a fundamental component of the Windows Server operating system. It consists of a directory database and a set of services that enable secure access to resources in a networked Windows environment.
Other environments use different directory services; for example, OpenLDAP serves a similar function in Unix and Linux environments.
At its core, Active Directory answers two questions: who is this person, and what are they allowed to do?
It does this through a set of core services that run in the background on every login, file access, and policy change.
- Authentication: Active Directory verifies user identity and supports single sign-on (SSO), so users authenticate once and access all permitted resources without logging in separately to each.
- Authorization: Active Directory determines whether a verified user can access a specific resource, using security group membership and assigned roles to make that decision.
- Resource management: Active Directory serves as a central repository for network resources such as computers, servers, printers, and devices, allowing administrators to organize them into logical groupings and manage them from a single location.
- Group Policy: Group Policy allows administrators to define and enforce security settings, configurations, and software policies across all computers and users in the domain from a single location.
- Directory services: Active Directory stores all information about network objects in a structured hierarchical database, providing a scalable and efficient way to organize and retrieve information about users, groups, computers, and devices.
- Lightweight Directory Access Protocol (LDAP): Active Directory supports LDAP, which gives applications and services a standard method to query and interact with the directory for authentication, information retrieval, and other purposes.
- Domain Name System (DNS): Active Directory integrates with DNS to provide name resolution across the network, allowing users and computers to locate domain controllers and resources using human-readable names rather than IP addresses.
- Trust relationships: Active Directory supports trust relationships between domains so users in one domain can access resources in another, automatically across a forest or externally through configured trusts.
- Replication: Active Directory uses multi-master replication to keep directory data synchronized across all domain controllers, ensuring availability even if individual controllers are offline.
How Active Directory is organized
Active Directory organizes resources in a hierarchical structure. Understanding these components helps you navigate the directory and make informed decisions about how to design and manage it.
- Forest: The forest is the highest-level container in Active Directory and a security boundary. It contains one or more domains sharing a common schema, configurations, and global catalog. The first domain created is the forest root. Most organizations operate a single forest.
- Tree: A tree is a hierarchical grouping of one or more domains within a forest arranged under a contiguous namespace. Domains within the same tree are connected by automatic transitive trust relationships.
- Domain: A domain is a group of users, computers, and other objects stored in a single Active Directory database and managed together. Each domain has its own security policies, trust relationships, and domain controllers. An organization might maintain a separate domain for each of its locations, each managed by a local IT team.
- Organizational unit (OU): An OU is a container within a domain used to organize and manage subsets of AD objects. A domain for a company's San Francisco branch, for example, might have separate OUs for Sales and Finance, each with its own policies and delegated administrator.
- AD object: An AD object is any entity stored in the directory, including user accounts, computer accounts, and security and distribution groups. Each object carries a set of attributes. A user account object, for instance, stores username, password, contact information, roles, and group memberships.
How to set up Active Directory
Setting up Active Directory requires two steps: installing the Active Directory Domain Services (AD DS) role on a Windows Server machine, and then promoting that server to a domain controller. The steps below walk through both.
Install the Active Directory Domain Services role
- Log in to your Windows server using an account with administrative privileges. Open Server Manager by clicking the Server Manager icon in the taskbar or searching for "Server Manager" in the Start menu.
- In the top menu, click Manage and select Add Roles and Features.
- In the Add Roles and Features wizard, select Role-based or feature-based installation and click Next.
- Make sure the correct server is selected and click Next.
- On the "Select Server Roles" page, click Active Directory Domain Services. In the pop-up window, click Add Features.
- On the "Select Features" page, do not select any additional features. Click Next.
- On the "Active Directory Domain Services" page, review the information and click Next.
- Review your installation selections and click Install.
- Wait for the installation process to complete, which may take several minutes. Then click Close to exit the wizard.
Promote the server to domain controller
- When the installation is complete, a notification will appear in Server Manager. Click Promote this server to a domain controller.
- The Active Directory Domain Services Configuration Wizard will open. Specify whether you want to add a domain controller to an existing domain, add a new domain to an existing forest, or add a new forest. For this example, select Add a new forest, enter a name for the root domain, and click Next.
- Select functional levels for the forest and its root domain, add features such as DNS, and set the Directory Services Restore Mode (DSRM) password. Click Next to continue.
- If you selected the DNS option, the "DNS Options" page may display a warning. Since you are creating a new forest, you can safely ignore this warning. Click Next to continue.
- The wizard will search the network and automatically assign a NetBIOS domain name. You can change it if necessary. Click Next to continue.
- On the "Paths" page, specify the location of the AD DS database, log files, and SYSVOL files. In large environments, keeping these on a separate drive allows Active Directory to be restored if the system drive is corrupted. Click Next to continue.
- Review the summary of your selections and click Next.
- The wizard will check whether your computer meets the prerequisites. Once the check passes, click Install.
- Once the installation is complete, the server will automatically restart. After restarting, the server will be a domain controller with Active Directory Domain Services installed.
To verify that the domain structure has been created, open Server Manager, click Tools, and click Active Directory Users and Computers.
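The same two steps (role installation, then promotion to the first domain controller of a new forest) driven from an elevated PowerShell session on the server, as an added example that is not part of the original article. The domain name, NetBIOS name and drive paths are placeholders; the DSRM password is read from a prompt rather than stored in the script.

```powershell
# Step 1: install the AD DS role and its management tools on the future domain controller
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote it to the first DC of a new forest.
# The DSRM password is prompted for so it never ends up in the script or the shell history.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Import-Module ADDSDeployment
$forestParams = @{
    DomainName                    = 'corp.example.com'   # placeholder root domain
    DomainNetbiosName             = 'CORP'               # placeholder; the wizard would derive one
    ForestMode                    = 'WinThreshold'       # Windows Server 2016 functional level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    DatabasePath                  = 'D:\NTDS'            # database, logs and SYSVOL off the system drive
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true                # suppress the confirmation prompt
}
Install-ADDSForest @forestParams     # the server reboots on its own when promotion completes

# After the reboot: confirm the domain and this DC from the console, then run the built-in health check
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
Get-ADDomainController | Select-Object HostName, IsGlobalCatalog, OperationMasterRoles
dcdiag /test:DNS /test:Replications
```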
How to manage Active Directory
With the domain controller running, the next step is connecting your management workstation and creating your first objects.
Install Remote Server Administration Tools (RSAT)
RSAT gives you the AD management tools on a client machine so you do not need to work directly on the server. To install RSAT on Windows 11:
- Open Settings, click Apps in the left sidebar, and then click Optional features.
- Click View features.
- Search for "RSAT" and check the box next to RSAT: Active Directory Domain Services and Lightweight Directory Services Tools. Then click Next.
- Click Install to start the installation.
- Wait for the installation to complete. Once your computer restarts, verify that RSAT is installed by searching for Active Directory Users and Computers from the Start menu.
Netwrix PingCastle runs a free assessment of your AD environment and surfaces misconfigurations before they become incidents.
Create your first user
Once RSAT is installed, you can create and manage users from your workstation. To create a user through Active Directory Users and Computers:
- Open Active Directory Users and Computers from the Start menu.
- In the left panel, expand your domain and navigate to the OU where the new user should be placed.
- Right-click the OU, select New, and then click User.
- Enter the user's first name, last name, and logon name. Click Next.
- Set a temporary password and choose whether the user must change it at next login. Click Next, then Finish.
For bulk user creation or repeated provisioning tasks, PowerShell is the more practical path:
New-ADUser -Name "Jane Smith" `
-SamAccountName "jsmith" `
-UserPrincipalName "jsmith@contoso.com" `
-Path "OU=Users,DC=contoso,DC=com" `
-AccountPassword (ConvertTo-SecureString "TempP@ss1!" -AsPlainText -Force) `
-Enabled $true `
-ChangePasswordAtLogon $true
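An added example, not from the original article, that takes the single New-ADUser call above to the bulk case the paragraph mentions: users come from a constructed CSV, each gets its own randomly generated temporary password that must be changed at first logon, and accounts that already exist are skipped so a re-run is safe. The OU layout and the departments are assumptions; the domain follows the article's contoso.com example.

```powershell
# Constructed sample input; in practice this is the CSV handed over by HR or your provisioning system
$csv = @'
FirstName,LastName,SamAccountName,Department
Jane,Smith,jsmith,Finance
Raj,Patel,rpatel,Sales
'@
$users = $csv | ConvertFrom-Csv

$upnSuffix = 'contoso.com'                       # as in the article's example
$ouByDept  = @{                                  # assumed OU layout; adjust to your domain
    Finance = 'OU=Finance,OU=Users,DC=contoso,DC=com'
    Sales   = 'OU=Sales,OU=Users,DC=contoso,DC=com'
}

function New-TemporaryPassword {
    # 20 characters from a cryptographic RNG; a 64-character set keeps byte % 64 unbiased and drops look-alikes (I, l, O, o, 0, 1)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

foreach ($u in $users) {
    # Skip existing accounts so a re-run of the batch is safe and does not error halfway through
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists, skipping"
        continue
    }
    $tempPassword = New-TemporaryPassword
    $params = @{
        Name                  = "$($u.FirstName) $($u.LastName)"
        GivenName             = $u.FirstName
        Surname               = $u.LastName
        SamAccountName        = $u.SamAccountName
        UserPrincipalName     = "$($u.SamAccountName)@$upnSuffix"
        Department            = $u.Department
        Path                  = $ouByDept[$u.Department]
        AccountPassword       = (ConvertTo-SecureString $tempPassword -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true   # the temporary password is retired at first logon
    }
    New-ADUser @params
    # Hand the temporary password over out of band; this file must not sit on a shared path
    [pscustomobject]@{ User = $u.SamAccountName; TempPassword = $tempPassword } |
        Export-Csv -Path "$env:TEMP\onboarding-$(Get-Date -Format yyyyMMdd).csv" -Append -NoTypeInformation
}
```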
Reset a password in Active Directory
To reset a user password through Active Directory Users and Computers, right-click the user account, select Reset Password, enter a new temporary password, and check the box requiring the user to change it at next login.
To do the same via PowerShell:
Set-ADAccountPassword -Identity "jsmith" -Reset `
-NewPassword (ConvertTo-SecureString "TempP@ss1!" -AsPlainText -Force)
Set-ADUser -Identity "jsmith" -ChangePasswordAtLogon $true
Active Directory events to monitor
Active Directory logs events that record every significant change, authentication attempt, and configuration modification in the directory.
Monitoring these events using Windows Event Viewer allows you to detect suspicious activity, troubleshoot issues quickly, and respond to security incidents before they escalate.
User account management
User account events record when accounts are created, changed, or disabled. These are the events most relevant to identity lifecycle management and access control hygiene. An account created outside your provisioning process, or one that was re-enabled without approval, should be investigated immediately.
- Account creation: Event ID 4720 is logged whenever a new user account is created in the domain.
- Account deletion: Event ID 4726 is logged when a user account is permanently deleted.
- Account enabled/disabled: Event IDs 4722 and 4725 record when an account is enabled or disabled respectively.
- Password changes/resets: Event IDs 4723 and 4724 capture user-initiated password changes and administrator-initiated resets.
- Account lockout: Event ID 4740 is triggered when an account is locked out after too many failed login attempts, which can indicate a brute force attempt or a misconfigured service.
To query account creation events across the Security log:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} |
Select-Object TimeCreated, Message | Format-List
Group management
Group membership changes are high-priority events because they directly affect what users can access. An account added to Domain Admins outside of a formal change process is one of the most common indicators of a privilege escalation attempt.
- Creating or deleting groups: Event IDs 4727 and 4731 record the creation and deletion of security and distribution groups.
- Group membership changes: Event IDs 4728, 4729, 4732, and 4733 capture additions and removals from security groups.
To surface recent group membership changes:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4729,4732,4733} |
Select-Object TimeCreated, Message | Format-List
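Building on the query above, an added example (not from the original article) that narrows the 4728/4729/4732/4733 events to the privileged groups the paragraph warns about and reports who changed which group, reading the named fields from the event XML instead of scraping the message text. The group list is an assumption to extend with your own tier-0 groups; the event data field names (TargetUserName for the group, MemberName for the account, SubjectUserName for the actor) are the standard ones for these event IDs.

```powershell
# Groups whose membership must only change under an approved ticket; extend with your own tier-0 groups
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

function Get-PrivilegedGroupChange {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    # 4728/4732 = member added, 4729/4733 = member removed (global and domain-local security groups)
    $filter = @{ LogName = 'Security'; Id = 4728, 4729, 4732, 4733; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Read the named EventData fields from the event XML rather than regex-scraping the message text
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($privilegedGroups -contains $data['TargetUserName']) {
            $action = if ($evt.Id -in 4728, 4732) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                Action    = $action
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']      # distinguished name of the added/removed account
                ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                DC        = $evt.MachineName
            }
        }
    }
}

# Each DC only logs the changes it processed itself, so query every DC in the domain and merge the results
Get-ADDomainController -Filter * | ForEach-Object { Get-PrivilegedGroupChange -Hours 24 -ComputerName $_.HostName } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Any row here that does not match an approved change is the privilege escalation indicator the section describes and belongs in an alert, not a daily report.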
Active Directory replication
Replication failures mean that domain controllers are out of sync. When this happens, users in different sites may see inconsistent directory data, authentication may fail, and Group Policy may not apply correctly.
- Replication success/failure: Event IDs 4928, 4929, 4932, and 4933 record the start, end, and outcome of replication cycles between domain controllers.
To check replication status from the command line:
repadmin /replsummary
This returns a summary of replication health across all domain controllers, including any failures and how long ago they occurred.
Domain controller operations
These events capture the operational state of domain controllers. Unexpected restarts or shutdowns outside of maintenance windows should be flagged for investigation.
- Domain controller start/stop: Event IDs 6005, 6006, 6008, and 1074 record system startup, shutdown, unexpected shutdown, and initiated restarts.
- Directory service access: Event IDs 2887 and 2889 record unsigned or weakly bound LDAP queries, which can indicate misconfigured applications or reconnaissance activity.
Authentication and authorization
Authentication events are foundational for detecting unauthorized access and investigating lateral movement. A spike in failed logons from a single account or IP address is a reliable early signal of credential stuffing or brute force activity.
- Successful logons: Event IDs 4624, 4648, and 4768 record interactive, explicit credential, and Kerberos authentication successes.
- Failed logons: Event ID 4625 records every failed authentication attempt, including the failure reason code.
- Privileged access: Event ID 4672 is logged whenever an account with elevated privileges such as Domain Admins logs on.
To count failed logon attempts by account over the last 24 hours:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)} |
ForEach-Object {
    # A 4625 message carries two "Account Name" fields; the one under "Account For Which Logon Failed" is the target account
    if ($_.Message -match 'Account For Which Logon Failed:[\s\S]*?Account Name:\s+(\S+)') { $matches[1] }
} |
Group-Object | Sort-Object Count -Descending |
Select-Object Name, Count
Directory service changes
These events record modifications to directory objects at the LDAP level. Schema changes are especially significant because they affect the entire forest and are irreversible without a recovery procedure.
- LDAP changes: Event IDs 5136, 5137, and 5138 record object attribute modifications, object creation, and object moves within the directory.
- Schema changes: Event ID 5139 records modifications to the Active Directory schema, which should occur only during planned, authorized changes.
Windows Event Viewer captures all of these events, but correlating them across multiple domain controllers, filtering by time range, and generating compliance-ready reports requires significant manual effort. The logs exist; making them actionable at scale is where native tools fall short.
See how Netwrix Auditor surfaces AD change events with before-and-after values, without querying raw Security logs.
How Netwrix helps you monitor and secure Active Directory
Collecting AD events is only half the challenge. Finding a specific change across multiple domain controllers, under time pressure, is where native tools fall short.
Netwrix Auditor gives you searchable change history across Active Directory and Group Policy changes. It records who made each change, the before and after values, when it happened, and from which machine.
Administrators can receive real-time alerts on high-risk changes such as privilege group modifications. For environments that need to reverse unauthorized directory changes without a full backup restore, Netwrix Recovery for Active Directory handles granular object and attribute-level recovery.
For hybrid environments spanning on-premises Active Directory and Microsoft Entra ID, Netwrix 1Secure adds SaaS-based identity risk monitoring from a single interface. Risk dashboards surface hygiene issues such as inactive accounts, accounts with passwords set to never expire, and open group memberships that create unnecessary exposure.
Run a free AD security assessment with Netwrix PingCastle to surface misconfigurations and security gaps in your environment today