Trisul's Blog

Network & Cloud Engineering Insights

Active Directory Domain Services: Advanced Configuration and Security

Written by Trisul

Building enterprise-grade Active Directory environments requires careful planning of organizational units, Group Policy design, and security hardening. This comprehensive guide covers AD DS deployment, advanced configuration, and integration with modern cloud services like Azure AD.

AD DS Architecture Planning

  • Forest Design: Single vs. multiple forest considerations
  • Domain Structure: Geographic vs. administrative boundaries
  • OU Design: Delegation and Group Policy application
  • Site Topology: Replication and authentication optimization

Step 1: Install and Configure AD DS

# Install AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote server to domain controller (the DSRM password is prompted for, not embedded in the script)
Install-ADDSForest -DomainName "contoso.com" -DomainNetbiosName "CONTOSO" -InstallDns -SafeModeAdministratorPassword (Read-Host -AsSecureString "Directory Services Restore Mode password")

# Verify installation
Get-ADDomain
Get-ADForest

Step 2: Design Organizational Unit Structure

# Create top-level OUs
New-ADOrganizationalUnit -Name "Corporate" -Path "DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Servers" -Path "DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Workstations" -Path "DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Service Accounts" -Path "DC=contoso,DC=com"

# Create departmental OUs
New-ADOrganizationalUnit -Name "IT" -Path "OU=Corporate,DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "HR" -Path "OU=Corporate,DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Finance" -Path "OU=Corporate,DC=contoso,DC=com"

# Create sub-OUs for users and groups
New-ADOrganizationalUnit -Name "Users" -Path "OU=IT,OU=Corporate,DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=IT,OU=Corporate,DC=contoso,DC=com"

Step 3: Configure Group Policy Objects

# Create security baseline GPO
New-GPO -Name "Security Baseline" -Comment "Enterprise security settings"

# Configure password policy
Set-ADDefaultDomainPasswordPolicy -Identity contoso.com -MinPasswordLength 12 -PasswordHistoryCount 24 -MaxPasswordAge 90.00:00:00 -MinPasswordAge 1.00:00:00 -ComplexityEnabled $true

# Import security templates (expects an existing GPO backup named "Security Template" under C:\GPOBackups)
Import-Module GroupPolicy
Import-GPO -BackupGpoName "Security Template" -TargetName "Security Baseline" -Path "C:\GPOBackups"

# Link GPO to domain
New-GPLink -Name "Security Baseline" -Target "DC=contoso,DC=com"

Step 4: Implement Fine-Grained Password Policies

# Create password settings object for administrators
New-ADFineGrainedPasswordPolicy -Name "Admin Password Policy" -Precedence 10 -MinPasswordLength 15 -PasswordHistoryCount 24 -MaxPasswordAge 60.00:00:00 -MinPasswordAge 1.00:00:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00 -LockoutThreshold 3

# Apply to Domain Admins group
Add-ADFineGrainedPasswordPolicySubject -Identity "Admin Password Policy" -Subjects "Domain Admins"

# Create policy for service accounts
New-ADFineGrainedPasswordPolicy -Name "Service Account Policy" -Precedence 20 -MinPasswordLength 20 -PasswordHistoryCount 12 -MaxPasswordAge 365.00:00:00 -MinPasswordAge 1.00:00:00 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -LockoutThreshold 0

Step 5: Configure Sites and Replication

# Create additional sites
New-ADReplicationSite -Name "Branch-Office-1"
New-ADReplicationSite -Name "Branch-Office-2"

# Create subnets
New-ADReplicationSubnet -Name "192.168.1.0/24" -Site "Default-First-Site-Name"
New-ADReplicationSubnet -Name "192.168.10.0/24" -Site "Branch-Office-1"
New-ADReplicationSubnet -Name "192.168.20.0/24" -Site "Branch-Office-2"

# Create site links
New-ADReplicationSiteLink -Name "HQ-to-Branch1" -SitesIncluded "Default-First-Site-Name","Branch-Office-1" -Cost 100 -ReplicationFrequencyInMinutes 180

# Configure replication schedule: -ReplicationSchedule takes an ActiveDirectorySchedule object,
# not an array of hours. This schedule allows replication daily from 04:00 to 21:59.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule([System.DirectoryServices.ActiveDirectory.HourOfDay]::Four, [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero, [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyOne, [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity "HQ-to-Branch1" -ReplicationSchedule $schedule

Step 6: Security Hardening

# Enable advanced audit policies ("Account Logon" is a category, not a subcategory;
# local auditpol settings are overridden by any advanced audit policy applied through GPO)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# Require LDAP signing and enforce LDAP channel binding. There is no Set-ADDomainController cmdlet;
# NTDS reads these from the registry (the same settings exist as the "Domain controller: LDAP server
# signing requirements" and "LDAP server channel binding token requirements" policies).
# LDAPServerIntegrity: 1 = none, 2 = require signing. LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
$ntds = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
Set-ItemProperty -Path $ntds -Name "LDAPServerIntegrity" -Value 2 -Type DWord
Set-ItemProperty -Path $ntds -Name "LdapEnforceChannelBinding" -Value 2 -Type DWord

# Restrict Kerberos to AES. Set-ADDomain has no -KerberosEncryptionType parameter; the per-account
# cmdlets (Set-ADComputer, Set-ADUser, Set-ADServiceAccount) set msDS-SupportedEncryptionTypes.
Set-ADComputer -Identity $env:COMPUTERNAME -KerberosEncryptionType AES128,AES256

# Machine-wide equivalent of the "Network security: Configure encryption types allowed for Kerberos"
# policy; 0x18 = AES128 (0x8) + AES256 (0x10), which excludes RC4 and DES.
$krb = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"
if (-not (Test-Path $krb)) { New-Item -Path $krb -Force | Out-Null }
Set-ItemProperty -Path $krb -Name "SupportedEncryptionTypes" -Value 0x18 -Type DWord
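Hardening that is set but never verified tends to drift. The following check script is an added example, not code from the original post: it reads the NTDS registry values for LDAP signing and channel binding (LDAPServerIntegrity as used above, plus the documented LdapEnforceChannelBinding value), lists computer accounts whose msDS-SupportedEncryptionTypes still permits RC4, and confirms that the "Admin Password Policy" PSO from Step 4 is the resultant policy for every Domain Admins member. It assumes it runs on a domain controller with the ActiveDirectory module installed.

```powershell
# Added verification script (not from the original post). Assumes it runs on a DC
# with the ActiveDirectory module and that the "Admin Password Policy" PSO exists.
Import-Module ActiveDirectory

function Test-LdapHardening {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
    # LDAPServerIntegrity 2 = signing required; LdapEnforceChannelBinding 2 = always
    [pscustomobject]@{ Check = 'LDAP signing required';        Pass = ($p.LDAPServerIntegrity -eq 2) }
    [pscustomobject]@{ Check = 'LDAP channel binding enforced'; Pass = ($p.LdapEnforceChannelBinding -eq 2) }
}

function Test-KerberosEncryptionTypes {
    # msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
    # An unset value (0) leaves the choice to DC defaults, so it is flagged for review too.
    $rc4 = 0x4
    Get-ADComputer -Filter * -Properties 'msDS-SupportedEncryptionTypes' | ForEach-Object {
        $flags = [int]($_.'msDS-SupportedEncryptionTypes')
        [pscustomobject]@{
            Name      = $_.Name
            AllowsRC4 = (($flags -band $rc4) -ne 0) -or ($flags -eq 0)
        }
    } | Where-Object AllowsRC4
}

function Test-AdminPasswordPolicy {
    # A PSO linked directly to a user wins over any group-linked PSO, so linking the policy to
    # Domain Admins is not enough: check the resultant policy for each member individually.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' | ForEach-Object {
            $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            [pscustomobject]@{
                User   = $_.SamAccountName
                Policy = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
                Pass   = ($null -ne $rsop -and $rsop.Name -eq 'Admin Password Policy')
            }
        }
}

Test-LdapHardening | Format-Table -AutoSize
Test-KerberosEncryptionTypes | Format-Table -AutoSize
Test-AdminPasswordPolicy | Format-Table -AutoSize
```

Any row with Pass set to False, or any computer listed by Test-KerberosEncryptionTypes, is a gap between the intended baseline and what the directory actually enforces.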

Step 7: Azure AD Integration

# Install Azure AD Connect
# Download from: https://www.microsoft.com/en-us/download/details.aspx?id=47594

# Configure hybri