Active Directory

Domain Controllers, FSMO roles, replication, sites and services, UPN suffixes, Recycle Bin, Group Managed Service Accounts, trusts, and the day-two operations every AD admin runs - install, demote, audit, backup, restore.

30 articles • follow them in order

  5. Configure Active Directory to Support Additional Domain Names [Systems Admin]

    Add an alternative UPN suffix to your AD forest so users can sign in as user@abccorp.com without renaming the domain. Walks the optional internal DNS zone, the AD Domains and Trusts registration, the per-user assignment, and the Microsoft 365 hybrid pre-flight (domain verification, UPN audit, sign-in mode). Includes the Set-ADForest / Set-ADUser PowerShell equivalents and the common mistakes (wrong right-click, suffix vs email, forgetting public DNS validation).

  9. Configuring Group Managed Service Accounts (gMSA) [Systems Admin]

    Learn how to configure Group Managed Service Accounts (gMSA) in Active Directory. This step-by-step guide covers creating the KDS Root Key, creating and installing the gMSA with New-ADServiceAccount and Install-ADServiceAccount, verifying with Test-ADServiceAccount, and configuring Services.msc to use the account with automatic password rotation.

  10. Install Active Directory Domain Services on Windows Server [Systems Admin]

    Step-by-step guide to installing the Active Directory Domain Services (AD DS) role on Windows Server and promoting the machine to the first Domain Controller in a new forest. Covers the Add Roles and Features wizard, the Configuration Wizard, DSRM password, DNS delegation warning, paths, the auto-generated PowerShell script, and post-promotion verification.

  11. Add a Domain Controller to an Existing Domain [Systems Admin]

    Step-by-step walkthrough for adding a second Windows Server Domain Controller to an existing AD domain. Covers prerequisites, installing the AD DS role on the member server, promoting through the Configuration Wizard, replicating from the existing DC, cross-configuring DNS, and verifying replication health with repadmin /replsummary.

  12. Enable the Active Directory Recycle Bin [Systems Admin]

    Step-by-step guide to enabling the Active Directory Recycle Bin forest-wide using Active Directory Administrative Center. Covers prerequisites, the irreversible nature of the change, GUI and PowerShell verification, restoring deleted objects with Restore-ADObject, and follow-up hardening like Protect from accidental deletion.

  13. How to Check FSMO Roles in Active Directory [Systems Admin]

    Three reliable ways to check FSMO role holders in Active Directory: the netdom query FSMO command, the Get-ADForest/Get-ADDomain PowerShell cmdlets (and the Get-ADInfo.ps1 script), and the GUI walkthrough across Active Directory Schema, Active Directory Domains and Trusts, and Active Directory Users and Computers.

  14. Secure Active Directory Passwords from Breaches [Systems Admin]

    Audit and harden Active Directory against breached passwords using Lithnet Password Protection and the Have I Been Pwned compromised hash list. Covers installing Lithnet PP on a Domain Controller, syncing the HIBP store, running the Audit-Passwords.ps1 script to find pwned accounts, and configuring the GPO that rejects new pwned passwords on every set/change.

  15. Create Active Directory Users from CSV with PowerShell [Systems Admin]

    Bulk-create AD users from a CSV in seconds instead of clicking the ADUC wizard for hours. Covers designing the CSV template, generating strong passwords, finding the target OU's distinguishedName, importing the file with Import-Csv, and the Add-NewUsers.ps1 script that splats parameters into New-ADUser with a duplicate check and try/catch error handling.

  16. Get Active Directory Information with a PowerShell Script [Systems Admin]

    Get-ADInfo.ps1 is a single PowerShell script that prints ten Active Directory facts in one output: computer/workstation/server/user/group counts, forest and domain functional levels, schema version translated to a Windows Server release name, and all five FSMO role owners. The right script to run before a migration, an audit, or a tier-zero handover.

  17. Export Active Directory Users to CSV with PowerShell [Systems Admin]

    Export AD users to CSV using the three-cmdlet pipeline (Get-ADUser, Select-Object, Export-Csv). Covers scope selection (-Filter, -SearchBase, -SearchScope), the computed-property pattern for columns like Manager-DN-to-name and clean OU paths, a reusable function with parameters, and common variations (disabled accounts, stale logons, group membership exports).

  18. Check Active Directory Forest and Domain Functional Level [Systems Admin]

    How to read the current Active Directory forest functional level (FFL) and domain functional level (DFL), what each level unlocks, the pre-flight checklist before raising, and how to actually raise it with Set-ADForestMode / Set-ADDomainMode. Includes the schema-version-to-OS table, a decision flow for whether to raise, and the common pitfalls (forgotten DCs, Server 2019/2022 reporting Windows2016Forest, irreversibility).

  19. Change Users' UPN with PowerShell [Systems Admin]

    Configure your on-premises Active Directory UPNs before syncing to Office 365. Add an alternative UPN suffix in AD Domains and Trusts, then bulk-change every user's UPN with Get-ADForest / Set-ADForest and Get-ADUser / Set-ADUser - either across the whole forest or scoped to a single OU. Verification commands included.

  20. Active Directory Health Check with PowerShell [Systems Admin]

    One PowerShell script that wraps dcdiag, Test-Connection, Resolve-DnsName, w32tm, Get-Service, and CIM into a single colored HTML report — one row per Domain Controller, 35 columns of pass/warn/fail per cell. Includes the full Get-ADHealth.ps1 source, what each dcdiag test actually catches (Connectivity, SysVolCheck, KccEvent, FSMOCheck, NCSecDesc, etc.), how to schedule a daily SMTP-emailed run, the MotW / Unblock-File / ExecutionPolicy gotchas, and the green-DNS-red-everything-else fingerprint that means a DC is offline.

  21. Configure a Domain Controller as a Global Catalog Server [Systems Admin]

    How to add the Global Catalog flag to an existing Domain Controller in Active Directory Sites and Services, and the PowerShell equivalent (one bit on the NTDS Settings options attribute via Set-ADObject). Walks the GUI three-click path, the Set-ADObject cmdlet, post-change verification with Get-ADDomainController IsGlobalCatalog / dsquery server -isgc / repadmin /options / Test-NetConnection on port 3268, the partial-attribute-set replication timing caveat, and the common pitfalls (right-clicking the wrong tree node, leaving only one GC, demoting accidentally).

  22. Universal Group Membership Caching [Systems Admin]

    How to enable Universal Group Membership Caching (UGMC) on a remote AD site so user logons no longer have to traverse a slow WAN to a Global Catalog. Walks the GUI three-click path (Sites and Services > site > NTDS Site Settings > Properties > Enable UGMC) with the actual screenshots, the Set-ADObject PowerShell equivalent (one bit on the NTDS Site Settings options attribute, 0x20), the design choice between UGMC and a local Global Catalog, the 8-hour cache refresh behaviour, and the common pitfalls (right-clicking the wrong node, first-logon needs the GC, stale cache after Universal Group changes).

  24. Active Directory Security Assessment with Purple Knight [Systems Admin]

    Run Semperis Purple Knight Community against an Active Directory forest to surface Indicators of Exposure (weak crypto, print spooler on DCs, AdminSDHolder drift, kerberoastable accounts, etc.) and produce a graded HTML/PDF report. Walks the download, MotW Unblock-File pre-flight, the wizard's six indicator categories (AD Delegation, Account Security, AD Infra, Group Policy, Kerberos, Hybrid), the Zerologon-skip nuance, the score-grade scale, the remediation-then-rescan loop, and the common pitfalls (running as DA, running on a DC, skipping updates, mass-fixing without reading).

  25. Change the IP Address of a Domain Controller [Systems Admin]

    Three GUI clicks to set a new IP, four CLI commands (ipconfig /flushdns, /registerdns, nltest /dsregdns, dcdiag /fix) to re-register with DNS, and one downstream-consumer audit afterwards. Walks the pre-flight (second DC, console access not RDP, replication health, downstream-consumers list), the GUI procedure with screenshots, the PowerShell-only equivalent (Remove-NetIPAddress / New-NetIPAddress / Set-DnsClientServerAddress), DNS-pointer trap (don't point at the DC's old IP), the SRV-records-need-nltest /dsregdns trap, and 7 common pitfalls (RDP'd into it, peer DCs caching old IP, stale scavenger window, FSMO concerns).

  27. Troubleshoot “The Specified Server Cannot Perform the Requested Operation” Error (0x3a) [Systems Admin]

    Domain join error 0x3a (The specified server cannot perform the requested operation) is almost always a TCP 389 LDAP connectivity problem dressed up in directory-layer language. This article walks the diagnostic path: confirm DNS and basic reachability, prove TCP 389 with Test-NetConnection, then narrow the block to the workstation host firewall, the DC host firewall, or the network ACL between them. Includes the multi-port sweep (53/88/135/389/445/464/3268), the residual-causes list when port 389 is open (AD DS service, time skew, stale computer object), and the common pitfalls (disabled firewall left off, public DNS resolver, 389-vs-636 confusion).

  28. Troubleshoot AD Promotion Stuck at “Creating the NTDS Settings Object” [Systems Admin]

    The Active Directory promotion wizard reaches Creating the NTDS Settings object and never advances. The Directory Service log on the candidate fills with events 1963 / 1962 / 1125. The cause is almost always one of two things: a credential mismatch (local Administrator password matches the domain Administrator password, or the wizard credential was supplied without a domain qualifier) or stale residue from a prior failed promotion. This article walks the five-step path: prerequisite check, fix the two credential mistakes, four-step residue cleanup (reboot, delete computer object, force-leave domain, uninstall AD DS role), retry the promotion, and only then chase the deeper network and DNS causes. Includes the LDAP port 389 sweep, SRV-record verification, and replication health check on the existing DC.

  29. Fixed: Trust Relationship Between Workstation and Domain Failed [Systems Admin]

    Every domain-joined Windows machine shares a machine-account password with the domain controller; the password rotates every 30 days, and when the local and DC copies drift apart the secure channel collapses and logon dies with: The trust relationship between this workstation and the primary domain failed. Four working fixes, ordered heaviest to lightest. Solution 1 - drop the machine to a workgroup and rejoin the domain (always works, two reboots). Solution 2 - Reset-ComputerMachinePassword -Credential from PowerShell (one command, no reboot, the cleanest fix). Solution 3 - cache a domain credential in Credential Manager (a workaround, not a fix - the underlying drift is still there). Solution 4 - right-click the computer object in dsa.msc and pick Reset Account, then reboot the client (the right answer when the desktop is unreachable). Includes the four root causes (long offline gap, snapshot restore, cloning without sysprep, replication lag) and which solution best matches each.

  30. Reset the Directory Services Restore Mode (DSRM) Password [Systems Admin]

    The DSRM password is the local-Administrator credential a domain controller uses when AD is offline - the only account that works during authoritative restores, ntds.dit corruption recovery, or last-DC rebuilds. Forgetting it means none of those recoveries work when you actually need them. This article walks the full reset + verify cycle on a real DC: rotate the password with ntdsutil (set dsrm password / reset password on server null - takes one minute, no reboot, no downtime), then prove the new credential works by rebooting into DSRM via F8 or 'bcdedit /set safeboot dsrepair', signing in as .\\administrator with the new password, observing the directory is offline (NTDS / Intersite Messaging / DFSR / KDC stopped, dsa.msc red-crossed), then rebooting back to normal with 'bcdedit /deletevalue safeboot'. Includes the multi-DC rotation pattern, the local-admin-vs-DSRM-vs-domain-admin distinction, and why storing the DSRM password in an AD-integrated vault is a circular dependency.