Windows Server Domain Setup and Management Guide

This guide covers setting up an Active Directory domain, connecting Windows machines, managing domain accounts, implementing security policies, and monitoring your domain environment.

1. Introduction to Active Directory Domain Services

Active Directory Domain Services (AD DS) provides centralized authentication, authorization, and directory services for Windows-based environments. Key benefits include:

  • Centralized user and computer management
  • Single sign-on across domain resources
  • Group Policy implementation
  • Resource delegation and security

2. Setting up a Domain Controller

Hardware Requirements

For a production domain controller, ensure your server meets these minimum requirements:

  • Processor: 1.4 GHz 64-bit processor (2+ cores recommended)
  • RAM: 4 GB minimum (8+ GB recommended)
  • Storage: 80 GB minimum (SSD recommended)
  • Network: Gigabit Ethernet
  • Static IP address

Pre-installation Tasks

  1. Install Windows Server according to the instructions in mssvr-step-1.md
  2. Apply security hardening as outlined in mssvr-step-2.md
  3. Configure a static IP address
  4. Set an appropriate computer name
  5. Install all available Windows updates

3. Installing Active Directory and Promoting to Domain Controller

Install AD DS Role

  1. Log in to the server with administrator credentials
  2. Open Server Manager
  3. Click Manage > Add Roles and Features
  4. In the wizard, select Role-based or feature-based installation
  5. Select the local server
  6. From the list of roles, check Active Directory Domain Services
  7. Click Add Features when prompted for additional features
  8. Continue through the wizard, accepting the defaults
  9. Click Install and wait for the installation to complete

Promote Server to Domain Controller

  1. From Server Manager, click the notification flag with a yellow warning icon
  2. Click Promote this server to a domain controller
  3. Select Add a new forest and enter your root domain name (e.g., company.local)
  4. Choose a Forest and Domain functional level (typically the highest available)
  5. Set the Domain Controller options:
    • Ensure DNS Server is checked
    • Enter and confirm the DSRM (Directory Services Restore Mode) password
  6. Ignore DNS delegation warnings (for a new forest)
  7. Verify or change the NetBIOS domain name
  8. Accept or modify the default paths for the database, logs, and SYSVOL folders
  9. Review the options and click Next
  10. When prerequisite checks are complete, click Install
  11. The server will automatically restart after installation

```powershell
# Alternative: install AD DS and promote the server to a DC using PowerShell
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Create a new forest. The DSRM password (step 5 above) is read interactively rather
# than embedded in the script; if the parameter is omitted the cmdlet prompts for it.
Install-ADDSForest `
    -DomainName "company.local" `
    -DomainNetbiosName "COMPANY" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt "DSRM password") `
    -NoRebootOnCompletion:$false `
    -Force:$true
```

4. Adding Windows Machines to the Domain

Preparing for Domain Join

Before joining any machine to the domain, ensure the following:

  • The machine can resolve DNS to the domain controller
  • Network connectivity exists between the machine and domain controller
  • Required ports are open (53/TCP/UDP, 88/TCP/UDP, 389/TCP/UDP, etc.)
  • The machine has a unique computer name
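The checks in the list above can be scripted from the machine that is about to be joined. This is an added example, not part of the original guide; it assumes the domain name company.local used throughout this guide and that the machine can already reach the network.

```powershell
# Added example (not from the original guide): pre-flight checks before a domain join.
# Assumes the guide's domain name; adjust $domain for your environment.
$domain = "company.local"

# 1. DNS: clients locate domain controllers through the _ldap._tcp.dc._msdcs SRV record.
#    -ErrorAction Stop makes a missing record fail loudly, which is the result we want here.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq "SRV" } | Select-Object -ExpandProperty NameTarget -Unique
Write-Host "Domain controllers advertised in DNS: $($dcs -join ', ')"

# 2. Ports: the services a domain join and later logons depend on (TCP side only;
#    53/88 also use UDP, which Test-NetConnection cannot probe).
$ports = @{
    53  = "DNS"
    88  = "Kerberos"
    135 = "RPC endpoint mapper"
    389 = "LDAP"
    445 = "SMB (SYSVOL, NETLOGON, domain join)"
    464 = "Kerberos password change"
    636 = "LDAPS"
}
foreach ($dc in $dcs) {
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { "open" } else { "BLOCKED" }
        Write-Host ("{0,-30} {1,5}/TCP {2,-36} {3}" -f $dc, $port, $ports[$port], $state)
    }
}

# 3. Computer name: a name collision is reported by the join itself, but an invalid
#    NetBIOS name (over 15 characters or with illegal characters) can be caught now.
$name = $env:COMPUTERNAME
if ($name.Length -gt 15 -or $name -match '[^A-Za-z0-9-]') {
    Write-Warning "Computer name '$name' is not a valid NetBIOS name"
}

# 4. Time: Kerberos rejects tickets when clock skew exceeds 5 minutes by default,
#    so compare the local clock against the first DC before joining.
$dc0 = $dcs[0]
w32tm /stripchart "/computer:$dc0" /samples:1 /dataonly
```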

Joining a Windows Server to the Domain

  1. Log in to the server with local administrator credentials
  2. Open System Properties:
    • Right-click Start > System > Advanced system settings
    • Or run sysdm.cpl from the Run prompt
  3. On the Computer Name tab, click Change
  4. In the Computer Name/Domain Changes dialog:
    • Select Domain
    • Enter the domain name (e.g., company.local)
    • Click OK
  5. When prompted, enter domain administrator credentials
  6. Restart the server when prompted

Joining a Windows Client to the Domain

  1. On the Windows client, open Settings > Accounts > Access work or school
  2. Click Connect
  3. Click Join this device to a local Active Directory domain
  4. Enter the domain name and click Next
  5. Enter domain administrator credentials when prompted
  6. Choose whether to add a domain user as a local administrator
  7. Restart the computer when prompted

```powershell
# Alternative: join a machine to the domain using PowerShell
Add-Computer -DomainName "company.local" -Credential (Get-Credential) -Restart
```

5. Managing Domain Accounts

Creating User Accounts

Through Active Directory Administrative Center (ADAC)

  1. On the domain controller, open Server Manager > Tools > Active Directory Administrative Center
  2. In ADAC, click on the domain (e.g., company.local)
  3. Navigate to the appropriate container (e.g., Users)
  4. In the right pane, click New > User
  5. Fill in the required fields:
    • First name, Last name
    • User UPN logon (e.g., user@company.local)
    • User SamAccountName logon (pre-Windows 2000 logon)
    • Password and confirmation
  6. Set password options as needed
  7. Click OK to create the user

Through PowerShell

```powershell
# Create a new user account. The initial password is read interactively so that it is
# neither embedded in the script nor left in the PowerShell command history.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for jsmith"

# -ChangePasswordAtLogon forces the user to set their own password at first logon
New-ADUser `
    -Name "John Smith" `
    -GivenName "John" `
    -Surname "Smith" `
    -SamAccountName "jsmith" `
    -UserPrincipalName "jsmith@company.local" `
    -AccountPassword $initialPassword `
    -Enabled $true `
    -ChangePasswordAtLogon $true `
    -Path "CN=Users,DC=company,DC=local"
```

Creating and Managing Groups

Creating Security Groups

  1. Open Active Directory Users and Computers (ADUC)
  2. Navigate to the appropriate container (e.g., Users)
  3. Right-click > New > Group
  4. Enter a group name
  5. Select the group scope:
    • Domain local
    • Global
    • Universal
  6. Select the group type (typically Security)
  7. Click OK

Adding Members to Groups

  1. In ADUC, right-click the group > Properties
  2. Go to the Members tab
  3. Click Add
  4. Enter the user names to add and click Check Names
  5. Click OK twice to save

```powershell
# Create a new security group via PowerShell
New-ADGroup `
    -Name "IT Staff" `
    -SamAccountName "ITStaff" `
    -GroupCategory Security `
    -GroupScope Global `
    -Path "CN=Users,DC=company,DC=local"

# Add a user to the group
Add-ADGroupMember -Identity "ITStaff" -Members "jsmith"
```

Creating Organizational Units (OUs)

  1. In ADUC, right-click the domain > New > Organizational Unit
  2. Enter a name for the OU
  3. Click OK
  4. You can now move users, groups, and computers into this OU

```powershell
# Create a new Organizational Unit via PowerShell
New-ADOrganizationalUnit `
    -Name "Marketing" `
    -Path "DC=company,DC=local" `
    -ProtectedFromAccidentalDeletion $true
```

6. Applying Security Policies

Group Policy Basics

Group Policy Objects (GPOs) allow you to apply and enforce settings across your domain. They can be linked to:

  • Entire domains
  • Organizational Units (OUs)
  • Sites

Creating and Configuring GPOs

  1. On the domain controller, open Server Manager > Tools > Group Policy Management
  2. Expand the forest and domain
  3. Right-click on Group Policy Objects > New
  4. Enter a descriptive name for the GPO (e.g., "Workstation Security Settings")
  5. Right-click the new GPO and select Edit
  6. The Group Policy Management Editor opens, showing:
    • Computer Configuration (for computer policies)
    • User Configuration (for user policies)

Common Security Policies

Password Policies

  1. In the Group Policy Management Editor, navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
  2. Configure settings such as:
    • Enforce password history
    • Maximum password age
    • Minimum password length
    • Password complexity requirements

Account Lockout Policies

  1. Navigate to Account Lockout Policy in the same section
  2. Configure:
    • Account lockout threshold
    • Account lockout duration
    • Reset account lockout counter after
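The password and lockout settings above can also be applied and verified from PowerShell. This is an added example, not part of the original guide; the threshold values are illustrative, and the domain name company.local is the one used in this guide.

```powershell
# Added example (not from the original guide): apply the domain-wide password and lockout
# policy and read it back, so the effective values can be checked against a baseline.
# The numbers below are illustrative; use the ones your own standard requires.
Import-Module ActiveDirectory

$baseline = @{
    ComplexityEnabled           = $true
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    ReversibleEncryptionEnabled = $false                      # never store reversible passwords
    LockoutThreshold            = 10                          # failed attempts before lockout
    LockoutDuration             = (New-TimeSpan -Minutes 15)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)  # "Reset account lockout counter after"
}

# Writes the domain object's policy attributes, the same values the Account Policies
# section of the Default Domain Policy GPO controls. Keep the GPO and this baseline
# consistent, because the GPO rewrites these attributes on the next policy refresh.
Set-ADDefaultDomainPasswordPolicy -Identity "company.local" @baseline

# Read back and report any drift. Account Policies only apply from a GPO linked at the
# domain root, so a mismatch usually means another domain-level GPO is overriding them.
$current = Get-ADDefaultDomainPasswordPolicy -Identity "company.local"
$drift = foreach ($key in $baseline.Keys) {
    if ($current.$key -ne $baseline[$key]) {
        [pscustomobject]@{ Setting = $key; Expected = $baseline[$key]; Actual = $current.$key }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host "Password and lockout policy matches the baseline" }
```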

Audit Policies

  1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration
  2. Configure detailed auditing for events like:
    • Account logon events
    • Account management
    • Logon events
    • Policy changes

Linking and Testing GPOs

  1. In the Group Policy Management console, drag the GPO to the domain or OU
  2. Right-click the link and select Link Enabled to activate it
  3. Test the policy by running the following command on a target machine:
    gpupdate /force
  4. Verify policy application with:
    gpresult /r

7. Monitoring and Auditing

Setting Up Security Monitoring

Configuring Event Log Settings

  1. Create a GPO for event log configuration
  2. Edit the GPO and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Event Log Service
  3. Configure settings for:
    • Maximum log size
    • Retention method
    • Access rights

Implementing Centralized Event Collection

  1. Install Windows Event Collector service on a monitoring server
  2. Configure subscription for forwarding events from domain computers
  3. Create a GPO to enable Windows Event Forwarding on all client computers

```powershell
# Configure the collector service on the monitoring server (enables the Windows Event
# Collector service and creates its listener)
wecutil qc /q

# Create a source-initiated subscription. Note: Security audit events are written at
# Level 0, so a filter on Level 1-3 would collect almost nothing from the Security log;
# select the audit event IDs of interest instead (logons, failed logons, special
# privileges, audit policy change, user creation, additions to groups).
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>Security Events</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Collects security events from domain computers</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Query><![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672 or EventID=4719 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
            </Query>
        </QueryList>
    ]]></Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>HTTP</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
    <!-- SDDL granting the Domain Computers group (DC) permission to forward -->
    <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$xml | Out-File -FilePath "C:\EventSubscription.xml" -Encoding ASCII
wecutil cs "C:\EventSubscription.xml"

# The sources still need the GPO from step 3 (Computer Configuration > Policies >
# Administrative Templates > Windows Components > Event Forwarding > Configure target
# Subscription Manager) pointing at this collector, and their Network Service account
# needs read access to the Security log (for example via the Event Log Readers group).
```

Implementing Regular Monitoring Practices

Essential Areas to Monitor

  1. Security Events: Failed logons, privilege use, account management
  2. System Performance: CPU, memory, disk usage
  3. Service Status: Critical services running/stopped
  4. Active Directory Health: Replication, SYSVOL, DNS

Regular Maintenance Tasks

  1. Review security logs daily
  2. Monitor user account status (locked, disabled, expired)
  3. Check for unauthorized privilege escalation
  4. Verify backup status and test restores
  5. Monitor for unauthorized changes to Group Policy
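A daily review covering the security events and account status items listed above can be scripted against the events the subscription collects. This is an added example, not part of the original guide; it assumes it runs on the collector (the ForwardedEvents log) and that the ActiveDirectory module is available there.

```powershell
# Added example (not from the original guide): daily review of forwarded security events.
# Run on the collector; set $log to 'Security' to review a single domain controller instead.
$since = (Get-Date).AddDays(-1)
$log   = 'ForwardedEvents'

function Get-EventField {
    # Pull one named value out of the event's EventData XML.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Failed logons (4625): bursts against one account, or from one source, stand out.
$failed = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$failed | ForEach-Object {
    [pscustomobject]@{
        Account   = Get-EventField $_ 'TargetUserName'
        Source    = Get-EventField $_ 'IpAddress'
        SubStatus = Get-EventField $_ 'SubStatus'   # e.g. 0xC000006A bad password, 0xC0000234 locked out
    }
} | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 2. Account management (4720 user created; 4728/4732/4756 member added to a group) and
#    audit policy changes (4719): every row should correspond to a change ticket.
$mgmt = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4719, 4720, 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue
$mgmt | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Actor  = Get-EventField $_ 'SubjectUserName'
        Target = Get-EventField $_ 'TargetUserName'   # the new account, or the group that changed
        Member = Get-EventField $_ 'MemberName'       # only present on group membership events
    }
} | Sort-Object Time | Format-Table -AutoSize

# 3. Account status: locked-out accounts should correlate with the 4625 bursts in step 1.
Import-Module ActiveDirectory
Search-ADAccount -LockedOut      | Select-Object SamAccountName, LastLogonDate         | Format-Table -AutoSize
Search-ADAccount -AccountExpired | Select-Object SamAccountName, AccountExpirationDate | Format-Table -AutoSize
```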

Advanced Monitoring Solutions

Consider implementing more comprehensive monitoring with:

  1. Microsoft Operations Management Suite (OMS)
  2. System Center Operations Manager (SCOM)
  3. Azure Security Center (for hybrid environments)
  4. Third-party SIEM solutions like Splunk, QRadar, or Wazuh

8. Domain Maintenance and Best Practices

Regular Maintenance Tasks

  1. Backup Active Directory: Schedule regular system state backups

     ```powershell
     Wbadmin start systemstatebackup -backuptarget:E:
     ```
  2. Check Domain Health: Run DCDIAG regularly

     ```powershell
     dcdiag /v
     ```
  3. Verify Replication (for multiple DCs)

     ```powershell
     repadmin /replsummary
     ```
  4. Clean up Stale Objects:

    • Inactive computer accounts
    • Disabled user accounts
    • Empty groups
  5. Update Domain Controllers:

    • Apply Windows updates monthly
    • Follow a staged approach for critical servers
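The stale-object cleanup in task 4 is safest as a report first and a remediation second. The following is an added example, not part of the original guide; it assumes a 90-day inactivity window and, for the commented-out remediation step, a quarantine OU that you create beforehand.

```powershell
# Added example (not from the original guide): find stale objects before deleting anything.
# It only reports; review the output, disable first, and delete after a grace period.
Import-Module ActiveDirectory
$inactive = New-TimeSpan -Days 90
$cutoff   = (Get-Date) - $inactive

# Computer accounts with no authentication in 90 days. lastLogonTimestamp replicates with
# up to 14 days of slack, so treat the date as a conservative bound, not an exact one.
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $inactive -ComputersOnly |
    Get-ADComputer -Properties LastLogonDate, OperatingSystem |
    Select-Object Name, OperatingSystem, LastLogonDate, Enabled, DistinguishedName

# Users disabled more than 90 days ago. whenChanged is the last modification, which for
# a long-disabled account is usually the disable operation itself.
$staleUsers = Get-ADUser -Filter { Enabled -eq $false } -Properties whenChanged, Description |
    Where-Object { $_.whenChanged -lt $cutoff } |
    Select-Object SamAccountName, whenChanged, Description

# Groups with no members, excluding built-in groups that are empty by design.
$emptyGroups = Get-ADGroup -Filter * -Properties Members, isCriticalSystemObject |
    Where-Object { $_.Members.Count -eq 0 -and -not $_.isCriticalSystemObject } |
    Select-Object Name, GroupScope, DistinguishedName

"Stale computers: $($staleComputers.Count)";   $staleComputers | Format-Table -AutoSize
"Long-disabled users: $($staleUsers.Count)";   $staleUsers     | Format-Table -AutoSize
"Empty groups: $($emptyGroups.Count)";         $emptyGroups    | Format-Table -AutoSize

# Remediation for computers, run separately after review: disable, tag with the reason,
# and move to a quarantine OU (assumed to exist) so the object can be restored on request.
# $staleComputers | ForEach-Object {
#     Set-ADComputer -Identity $_.DistinguishedName -Enabled $false `
#         -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > 90 days"
#     Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=Quarantine,DC=company,DC=local"
# }
```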

Security Best Practices

  1. Secure Domain Admin Accounts:

    • Use separate accounts for administrative tasks
    • Implement time-based access
    • Restrict logon workstations
  2. Implement Tiered Administration Model:

    • Tier 0: Domain controllers, enterprise admins
    • Tier 1: Server administrators
    • Tier 2: Workstation support
  3. Apply the Principle of Least Privilege:

    • Grant only necessary permissions
    • Use role-based access control
    • Regularly review and audit permissions
  4. Protect Against Credential Theft:

    • Implement Protected Users security group
    • Enable Credential Guard on supported systems
    • Use Group Managed Service Accounts (gMSAs) for services
  5. Monitor for Indicators of Compromise:

    • Unusual logon patterns
    • Suspicious account modifications
    • Unexpected privilege escalation

Conclusion

Setting up and managing a Windows Server domain environment requires careful planning and ongoing maintenance. By following these best practices for installation, security, and monitoring, you can create a secure and reliable domain infrastructure that supports your organization's needs.

For further information, refer to Microsoft's official documentation and security baselines.