Case study | August 13, 2025 | 2 min read
Tags: Windows Server, AD DS, GPO, Security, PowerShell

Setting Up Active Directory for Beginners

I set up a small AD DS lab on Windows Server and wrote down the parts that actually mattered: DNS, time sync, group policy, and the bits that broke first.

What I built

  • A Windows Server promoted to a Domain Controller for corp.local
  • A basic OU (Organizational Unit) structure to keep users and workstations tidy
  • A couple of users and groups with a simple role-based setup
  • Password policies - one for everyone, and a stricter one for admins
  • Some baseline Group Policies to lock things down

Core steps (plain English)

  1. Promoted the server to a Domain Controller so it could run AD DS.
  2. Created OUs to separate users and computers.
  3. Added users and groups to test a small role-based setup.
  4. Set password rules for regular users and admins.
  5. Applied baseline security policies through GPOs.

What went wrong

  • DNS and time matter more than you think. If the Domain Controller is not using itself as DNS, or the time drifts, Kerberos breaks and sign-ins fail.

    Fix: point DNS to 127.0.0.1 and make the server a reliable time source.

  • OU structure is worth thinking through early. Dropping policies at the domain root gets messy fast. It is easier to manage users and devices when they already sit in the right OUs.

  • Password policy scope can trip you up. The default domain policy applies broadly. Fine-grained password policies only work for the groups you target on purpose.

  • Never assume a policy applied. I had to keep checking with tools like gpresult /r and whoami /all instead of trusting the UI.

  • PowerShell saves time quickly. Creating multiple users and groups by hand gets old after about five minutes.
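
To go with the password policy scope and "never assume a policy applied" points above, here is an added PowerShell example (not the script used in this lab) that links a stricter fine-grained password policy to an admin group and then reports every enabled account whose resultant policy does not match its group membership. The group name, the PSO name and all policy values are assumptions; it needs the ActiveDirectory module and rights to create password settings objects.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Group name, PSO name and every policy value are assumptions
# chosen for illustration; run it on the DC or a host with RSAT installed.
$AdminGroup = 'Lab-Admins'       # hypothetical global security group
$PsoName    = 'PSO-Lab-Admins'   # hypothetical password settings object

# Create the stricter policy only if it is missing, so the script can be re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 16 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00' -ReversibleEncryptionEnabled $false
}

# A PSO does nothing until it is linked to a user or a global security group.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName
if ($subjects.Name -notcontains $AdminGroup) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $AdminGroup
}

# Verify instead of trusting the UI: ask AD which policy each account really gets.
$default  = Get-ADDefaultDomainPasswordPolicy
$adminDns = (Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object objectClass -eq 'user').distinguishedName

$report = Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
    # Returns $null when no PSO applies and the default domain policy is in effect.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_
    [pscustomobject]@{
        User    = $_.SamAccountName
        IsAdmin = $adminDns -contains $_.DistinguishedName
        Policy  = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MinLen  = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
    }
}

# Flag both failure modes: an admin without the PSO, or a non-admin who got it.
$report | Where-Object { $_.IsAdmin -ne ($_.Policy -eq $PsoName) } |
    Format-Table -AutoSize
```

No output from the last command means every enabled account has the policy its group membership implies.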

Quick checks I ran

  • Get-ADDomain; Get-ADForest to make sure the domain was healthy
  • gpresult /r to confirm which policies reached a workstation
  • whoami /all to see group membership and privileges for a signed-in user

What I learned

  • Good AD setups start with DNS, time sync, and a sensible OU structure
  • Group Policy is powerful, but it can also create chaos if you test carelessly
  • Fine-grained password policies are best for special cases, not every account
  • Scripts beat clicking around when you want repeatable setup steps

What is next

  • Add a second Domain Controller for redundancy
  • Set up System State backups
  • Write and test a recovery runbook so I know what to do if the lab falls over