Sunday, October 5, 2025

Setup Active Directory Domain Services on Windows Server 2022 using PowerShell


A directory service is a software system that provides a centralized database of information about resources and entities in a computer network. It allows users to access and manage information about various network resources, such as users, computers, printers, applications, and other devices, in a unified and organized manner. The most common directory service is Microsoft’s Active Directory, which is widely used in enterprise networks to manage users, computers, and other network resources. There are other examples of directory services including LDAP (Lightweight Directory Access Protocol), Novell eDirectory, and OpenLDAP.

Active Directory is a directory service developed by Microsoft. It provides a centralized and standardized way to manage and authenticate resources on a network. This is a critical component of the Windows Server Operating System which is used to manage and control network resources, such as users, computers, printers, and applications, in a hierarchical and organized manner. Information about the network is stored in a hierarchical structure called a domain, and multiple domains can be organized into a forest. This information can be organized into objects that include user accounts, computer accounts, and security groups, that can be searched and managed easily.

The features and benefits offered by Active Directory are:

  • Group Policy: The Group Policy feature allows administrators to set policies and settings for groups of users or computers, providing granular control over network resources and improving security and compliance.
  • Centralized management: It provides a single point of administration for managing network resources, simplifying network management and reducing administrative overhead.
  • Scalability: It is designed to scale to meet the needs of organizations of all sizes, from small businesses to large enterprises.
  • Interoperability: It supports industry-standard protocols and can be integrated with other directory services, such as LDAP, to enable interoperability with non-Microsoft systems.
  • Security: It offers robust security features, including authentication, access control, and encryption, to protect network resources and data.

Active Directory has the following components:

  • Domain Controllers (DC): These are the primary component of AD. A DC is responsible for authenticating users and computers on the network and managing access to network resources. Each domain in Active Directory must have at least one DC.
  • Domains: This is a logical grouping of computers, users, and other resources on a network. Domains can be grouped together into a forest, which is a collection of domains that share a common directory database.
  • Organizational Units (OU): They are containers within a domain that are used to organize resources and apply policies. OUs can be nested within each other to create a hierarchical structure.
  • Objects: They are the fundamental building blocks of Active Directory. They can be users, computers, groups, printers, and other network resources. Each object has a set of attributes that define its characteristics and properties.
  • Authentication and Authorization: When a user logs in to a computer on the network, Active Directory authenticates the user’s credentials and grants access to the resources that the user is authorized to use.
  • Group Policy: This is a feature of Active Directory that allows administrators to centrally manage the settings and configurations of computers and users on the network. Group Policy settings can be applied to users, computers, or OUs.

The below diagram will demonstrate how AD works:

How does Active Directory work

In our previous guide, we went through how to install Active Directory Domain Services in Windows Server 2022 using the GUI. In this guide, we will learn how to set up Active Directory Domain Services on Windows Server 2022 using PowerShell.

Step 1 – Install AD DS with admin tools on Windows Server 2022

Now on your Windows Server 2022, run PowerShell with elevated privileges and install Active Directory Domain Services with the admin tools using the command:

Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools 


Step 2 – Configure New DC (Domain Controller) using PowerShell

Once AD DS is installed, Active Directory needs at least one domain controller. This configuration can also be done from PowerShell.

The command below will set the forest name (with a root domain name), the Forest and Domain functional levels, the NetBIOS name (GEEKS), and a password for Directory Services Restore Mode.

Install-ADDSForest -DomainName "neveropen.org" `
-ForestMode WinThreshold `
-DomainMode WinThreshold `
-DomainNetbiosName GEEKS `
-SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText "Passw0rd!" -Force) `
-InstallDNS 

You need to replace the password with the desired string. We have set the Forest and Domain functional levels to Windows Server 2016 = [WinThreshold]; the other available functional levels are [Win2008], [Win2008R2], [Win2012], and [Win2012R2].
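The command above embeds the Directory Services Restore Mode password as a literal, so it ends up in any saved script and in console history. The following added example (not part of the original article) prompts for the password instead and runs the prerequisite checks with Test-ADDSForestInstallation before promoting; the variable names are illustrative and the domain values are the article's.

```powershell
# Added example: prerequisite check, then promotion, with no literal password.
Import-Module ADDSDeployment

# Prompt so the DSRM password is never written into the script or history.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

# Same values as the article's Install-ADDSForest command, splatted so the
# check and the promotion are guaranteed to use identical parameters.
$forest = @{
    DomainName                    = 'neveropen.org'
    DomainNetbiosName             = 'GEEKS'
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
}

# Test-ADDSForestInstallation only validates; it changes nothing on the server.
$results = Test-ADDSForestInstallation @forest
$results | Format-List Context, Status, Message

# Stop here if any prerequisite check reported an error.
$failed = $results | Where-Object { $_.Status -eq 'Error' }
if ($failed) {
    throw "Prerequisite check failed: $($failed.Message -join '; ')"
}

# Promote the server; it restarts automatically when the promotion completes.
Install-ADDSForest @forest
```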


The system will be restarted automatically during the installation. Once it boots, log in with an AD user, such as Administrator.


Step 3 – Add User Accounts on Active Directory

Now that we have Active Directory set up, we need to add users to be used for authentication. Run PowerShell with admin privileges and execute the below commands to manage users on AD.

By default the Administrator user exists. List the existing users with the command:

Get-ADUser -Filter * | Format-Table DistinguishedName 


To add a new user, use a command with the below syntax. Remember to replace the values where required:

New-ADUser thor `
-Surname Klinsmann `
-GivenName klinsmann `
-DisplayName "Klinsmann TheGEEK" `
-EmailAddress "[email protected]" `
-AccountPassword (ConvertTo-SecureString -AsPlainText "Passw0rd!" -Force) `
-ChangePasswordAtLogon $true `
-Enabled $true 

Once added, verify:

Get-ADUser -Identity thor 


You can also add a user to a specific OU. For example:

New-ADUser thor `
-Path "OU=Test,DC=neveropen,DC=org" `
-Surname Klinsmann `
-GivenName klinsmann `
-DisplayName "Klinsmann TheGEEK" `
-EmailAddress "[email protected]" `
-AccountPassword (ConvertTo-SecureString -AsPlainText "Passw0rd!" -Force) `
-ChangePasswordAtLogon $true `
-Enabled $true 

To reset an existing user’s password, use the command with the below syntax:

Set-ADAccountPassword -Identity thor `
-NewPassword (ConvertTo-SecureString -AsPlainText "Passw0rd2!" -Force) `
-Reset

You can also delete a user with the command:

 Remove-ADUser -Identity "CN=username,CN=Users,DC=neveropen,DC=org" 

Replace username with the exact name of the user in your AD.

Step 4 – Add Unix Users with Attributes

Unix systems can also authenticate to AD as demonstrated in the below guide:

But the Unix users need to be created with some attributes. To add a Unix user account with attributes, use a command that has the below syntax:

New-ADUser user1 `
-Surname user `
-GivenName user1 `
-DisplayName "User1 test" `
-EmailAddress "[email protected]" `
-AccountPassword (ConvertTo-SecureString -AsPlainText "StrongPassw0rd!" -Force) `
-ChangePasswordAtLogon $true `
-Enabled $true `
-OtherAttributes @{uidNumber="5001"; gidNumber="100"; loginShell="/bin/bash"; unixHomeDirectory="/home/user1"}

Once created, verify:

Get-ADUser -Identity user1 -Properties * | Out-String -Stream | Select-String "uidNumber","gidNumber","loginShell","unixHomeDirectory"


You can also add attributes to an existing user using the -Add flag. For example, if user5 is an existing user in my AD, the command will be:

Set-ADUser -identity "CN=user5,CN=Users,DC=neveropen,DC=org" `
-Add @{uidNumber="5000"; gidNumber="100"; loginShell="/bin/bash"; unixHomeDirectory="/home/user5"} 
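Active Directory does not enforce uniqueness of uidNumber, and two accounts that share one map to the same Unix identity and therefore the same file ownership on every joined Unix host. The following added example (not from the original article) refuses a uidNumber that is already taken and audits the directory for existing duplicates; the function names and the default gidNumber and shell are assumptions taken from the article's sample values.

```powershell
# Added example; Set-UnixAttribute and Get-DuplicateUnixUid are hypothetical names.
Import-Module ActiveDirectory

function Set-UnixAttribute {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [int]    $UidNumber,
        [int]    $GidNumber  = 100,
        [string] $LoginShell = '/bin/bash'
    )
    $user = Get-ADUser -Identity $Identity

    # Refuse a uidNumber that a different account already holds.
    $clash = Get-ADUser -LDAPFilter "(uidNumber=$UidNumber)" |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    if ($clash) {
        throw "uidNumber $UidNumber already assigned to $($clash.SamAccountName -join ', ')"
    }

    # -Replace succeeds whether or not the attributes already hold a value,
    # whereas -Add fails on a single-valued attribute that is already set.
    Set-ADUser -Identity $user -Replace @{
        uidNumber         = $UidNumber
        gidNumber         = $GidNumber
        loginShell        = $LoginShell
        unixHomeDirectory = "/home/$($user.SamAccountName)"
    }
}

# Audit: every uidNumber that is shared by more than one account.
function Get-DuplicateUnixUid {
    Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties uidNumber |
        Group-Object -Property uidNumber |
        Where-Object { $_.Count -gt 1 } |
        Select-Object @{ n = 'uidNumber'; e = { $_.Name } },
                      @{ n = 'Accounts';  e = { $_.Group.SamAccountName -join ', ' } }
}

Set-UnixAttribute -Identity user5 -UidNumber 5000
Get-DuplicateUnixUid
```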

Step 5 – Add Group Accounts on Active Directory

Group accounts are used to easily assign permissions to groups of users or computers, providing granular control over network resources and improving security and compliance.

To list the current groups use:

Get-ADGroup -Filter * | Format-Table DistinguishedName 


To add a new group, say Developers, the command will be:

New-ADGroup Developers `
-GroupScope Global `
-GroupCategory Security `
-Description "Developers Group" 

Check if the group exists:

Get-ADGroup -Identity Developers 


Now you can add a member to the group. For example:

Add-ADGroupMember -Identity Developers -Members thor 

Verify the changes:

Get-ADGroupMember -Identity Developers


To delete the user from the group use:

Remove-ADGroupMember -Identity Developers -Members Username 

You can also delete a group using a command with the below syntax:

Remove-ADGroup -Identity Developers 

Step 6 – Join a Client System to Active Directory

For this demonstration, we will learn how to join a Windows system to the installed Active Directory.

On your client machine, launch PowerShell with elevated permissions. First, get the available interfaces:

Get-NetIPInterface -AddressFamily IPv4 

Now configure your DNS to point to the Active Directory server. Replace 4 with the Interface Index number obtained on your system:

Set-DnsClientServerAddress -InterfaceIndex 4 -ServerAddresses "192.168.205.21" -PassThru 

Replace 192.168.205.21 with the IP address of your Active Directory server.

Now verify the DNS changes:

ipconfig /all | Select-String -Pattern "DNS" 

Now join the system to AD using a command with the below syntax:

Add-Computer -DomainName neveropen.org -Credential (New-Object PSCredential("thor", (ConvertTo-SecureString -AsPlainText "Passw0rd!" -Force))) 

In the command, replace the username thor and the password Passw0rd! with your own credentials on AD.

For the changes to apply, restart your computer:

 Restart-Computer -Force 

When the system restarts successfully, log in using any domain user.


You can verify the login from PowerShell:

whoami 
Get-WmiObject Win32_NTDomain 
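A join fails in confusing ways when the client cannot locate a domain controller through DNS, and the Add-Computer command above places the account password on the command line. The following added example (not from the original article) checks the DC locator SRV record and LDAP reachability first, then joins with a prompted credential; it assumes Windows PowerShell 5.1 and reuses the article's domain name and server address.

```powershell
# Added example. Run elevated on the client.
$domain = 'neveropen.org'      # domain name from the article
$dcIp   = '192.168.205.21'     # AD server address from the article

# A domain join finds domain controllers through this SRV record, so it must
# resolve against the DNS server the client was just pointed at.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
           -Server $dcIp -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No DC locator records for $domain on $dcIp" }
$srv | Format-Table NameTarget, Port, Priority

# Confirm LDAP is reachable before attempting the join.
if (-not (Test-NetConnection -ComputerName $dcIp -Port 389).TcpTestSucceeded) {
    throw "Cannot reach LDAP (TCP 389) on $dcIp"
}

# Get-Credential prompts, so no password appears in the command or history.
$cred = Get-Credential -Message "Account allowed to join computers to $domain"
Add-Computer -DomainName $domain -Credential $cred -Restart

# After the reboot, from an elevated prompt on the client:
#   Test-ComputerSecureChannel -Verbose   # True when the machine trust is healthy
```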


Verdict

We have successfully learned how to set up Active Directory Domain Services on Windows Server 2022 using PowerShell. We have walked through how to install, configure, add users and join clients to Active Directory using PowerShell. I hope this was informative.
