What is active directory?

Active Directory is a database that keeps track of all the user accounts and passwords in your organization.
It allows you to store your user accounts and passwords in one protected location, improving your
organization's security.

By using the Active Directory® Domain Services (AD DS) server role, you can create a scalable, secure, and
manageable infrastructure for user and resource management, and you can provide support for directory-
enabled applications, such as Microsoft® Exchange Server.

Active Directory is subdivided into one or more domains. A domain is a security boundary. Each domain is
hosted by a server computer called a domain controller (DC). A domain controller manages all of the user
accounts and passwords for a domain.

Domains and the Domain Name System (DNS)

Domains are named using the Domain Name System (DNS). If your company is called ACME Corporation
your DNS name would be (for example) acme.com. This is the top-level domain name for your company.
The security domain in Active Directory maps directly to the DNS domain name.

For larger organizations you can subdivide Active Directory into child domains (based on on geography for
example). If ACME Corporation has three divisions named West, Central, and East, the sub-domains can
have the DNS names west.acme.com, central.acme.com, and east.acme.com.

Featured Resources

What's New in AD DS in Windows Server 2012

AD DS in Windows Server 2012 includes new features that make it simpler and faster to deploy domain
controllers (both on-premises and in the cloud), and easier to perform administrative tasks at scale.

1|Page
Windows Server 2012 R2 Hardware Requirements

Component Minimum Requirement Microsoft Recommended

Processor 1.4 GHz 2 GHz or faster

Memory 512 MB RAM 2 GB RAM or greater

Available Disk Space 32 GB 40 GB or greater

Optical Drive DVD-ROM drive DVD-ROM drive

Display Super VGA (800x600) monitor XGA (1024x768) monitor

2|Page
Installing the Active Directory and Domain Services (AD DS) role
“Before You Begin” screen provides you basic information such as configuring strong passwords, IP
addresses and Windows updates.

In the Server Manager > Dashboard windows, on Configure this local server, click Add Roles and feature.

1. On the Before You Begin page of the Add Roles and features Wizard, click next.

3|Page
 2. On Installation Type page, select the first option “Role-based or Feature-based Installation“.
Scenario-based Installation option applied only to Remote Desktop services.

3. On the “Server Selection” Page, select a server from the server pool and click next.

4|Page
 4. To install AD DS, select Active Directory Domain Services in turn it will pop-up to add other AD DS
related tools. Click on Add Features.

5. After clicking “Add Features” above, you will be able to click “Next >” as shown in the screen below.

5|Page
 6. On the “Select Features” Page, Group Policy Management feature automatically installed during
the promotion. Click next.

7. On the “Active Directory Domain Services” page, it gives basic information about AD DS. Click Next.

6|Page
 8. On the “Confirmation” Page, You need to confirm this to continue with this configuration. It will
provide you an option to export the configuration settings and also if you want the server to be
restarted automatically as required.

9. After clicking “Install” the selected role binaries will be installed on the server.

7|Page
 10. After “Active Directory Domain Services” role binaries have been installed and now it is time to
promote the server to a Domain Controller.

8|Page
 Promoting Windows 2012 Server to Domain Controller

To create a new AD forest called “ArabITPro.local”, select add a new forest.

11. Type the name ArabITPro.local

9|Page
 12. Specify the FFL, DFL, whether or not it should be a DNS Server and also the DSRM administrator
password.
As you can see, it has selected the GC option by default and you cannot deselect it.
The reason for this is that is the very first DC of the AD forest and at least one needs to be a GC.

13. DNS delegation warning.

10 | P a g e
 14. Checks the NetBIOS name already assigned.

15. Specify the location of the AD related folders and then click next.

11 | P a g e
 16. Summary Of All Installation Options/Selections.

17. Before the actual install of AD, all prerequisites are checked. If All prerequisite checks are passed
successfully then click Install.

12 | P a g e
 18. When you click Install, DNS and the GPMC are installed automatically.

After the promotion of the server to a DC finished server restart automatically.

Once the server is booted and you logon to it, click on Server Manager | Tools, will notice that following
have been installed:

 Active Directory Administrative Center

 Active Directory Domains and Trusts
 Active Directory Module for Windows PowerShell
 Active Directory Sites and Services
 Active Directory Users and Computers
 ADSI Edit
 DNS
 Group Policy Management

13 | P a g e
14 | P a g e
To create a new organizational unit using the Windows interface

1. To open Active Directory Users and Computers, click Start, click Control Panel, double-
click Administrative Tools, and then double-click Active Directory Users and Computers.

To open Active Directory Users and Computers in Windows Server® 2012 R2, click Start, type dsa.msc.

2. In the console tree, right-click the domain name (davilib.com is domain name). Point to New ,
and then click Organizational Unit

15 | P a g e
 3. Type the name of the organizational unit (OU).

After click Ok button you will be created your organizational unit.

16 | P a g e
Adding a User to the OU (Organizational Unit)

Now that we have our Organizational Unit lets create our user. I created an OU named “Production” inside
the New York OU because our new user is the EVP of Production for our company. It makes sense to place
him here.

1. Right-click the OU, go to New and choose User.

2. Fill out the user information and click Next.

It’s pretty standard to set the user logon name as the first initial last name so I’m following that
convention here.

17 | P a g e
 3. Now we can create a password for the user and a few other things.

Your user is going to need a password to access the domain but you can’t just type any old
password. Windows Server 2012 has password complexity requirements in place to make sure the
password isn’t too easy to guess.
How to remove password complexity in Windows server 2012 R2
1. Open the Administrative Tool

18 | P a g e
 2. This places you in the Administrative Tools section. Select Local Security Policy.

3. Change the password Must Meet Complex Requirements option to Disabled.

In a Domain Environment, for an Active Directory Domain Server.

1. In the Server Manager click on Tools and from the drop down click Group Policy
Management

19 | P a g e
 2. Expand Forrest >> Domains >> Your Domain Controller.

3. Right click on the Default Domain Policy and click on the Edit from the context menu.

20 | P a g e
 4. Now Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -
> Account Policies -> Password Policy

5. Double-click on the Passwords Must Meet Complexity Requirements option in the right pane.
Select Disabled under define this policy setting: Click Apply then OK all the way out and close
the GPO window.

21 | P a g e
 6. In order to refresh the policy type the following command: “gpupdate /force” in the CMD
window and click ENTER.
Sharing Folder
We can share folders using File and Storage Services using the following steps
1. open Server Manager then click File and Storage Services

2. In the File and Storage Services interface, in the navigation pane, click Shares

22 | P a g e
 3. On share page right-click New Share

4. New share wizard pops up. There are number of share profiles by default. You can choose
any of these share profiles as seen below. I will choose SMB Share – Quick and click Next.

23 | P a g e
 5. Now you are asked to provide the share location of the folder that you want to share. I will
choose custom location as G:\Share folder. Then click Next.

6. Type the share name and description of the shared folder. Then click Next. Click OK to
create the new directory on path doesn’t exist warning.

24 | P a g e
 7. Now configure other settings. Here, I will check to enable access-based enumeration. This
option makes the folder visible for users that have permission to access the folder
otherwise the folder will be hidden. Allow caching of share option makes the folder to be
accessed even when the user is offline. Click Next.

25 | P a g e
 8. Here, configure the folder permission. The shared folder have shared folder
permission and NTFS permission. These both permission work together to allow/deny users
to access the shared folder. Microsoft recommends to allow full control for share
permission and use NTFS permission to restrict and configure folder access. As you can see
below, Share permissions: Everyone Full Control. The permission shown here, is the
inherited NTFS permission from drive NTFS permission. To change the permission,
click Customize permission.

9. On share you can see the changes below. Remove Everyone from the permission. This Users
group contains all the users of the domain. We don’t want all the users of the domain to
access this shared folder so remove it. Click Add to add the marketing group. Click Select a
principal and add Marketing group. Select the basic permissions and click OK.

26 | P a g e
 10. Now the overall permission for the Marketing folder looks like this. Users of marketing
group can only read the files of Marketing folder.

11. Now let’s come back to the wizard. Click Next.

27 | P a g e
 12. Review the settings and click Create.

13. The shared folder is now created. You can view the shared folder in Server
Manager console.

28 | P a g e
 14. Clients can now access the shared folder by typing the UNC (Universal Naming Convention)
path of the shared folder in windows explorer. In our case, the UNC path is, \\172.18.0.8 or
\\your_server_name and then fill your username & password.

29 | P a g e