Windows Server 2022 Active Directory Setup Guide for Small Business
Active Directory Domain Services (AD DS) is the backbone of Windows-based networks, providing centralized authentication and authorization services. This guide walks through setting up AD DS on Windows Server 2022 for small business environments.
Prerequisites
Before starting, ensure you have: - Windows Server 2022 Standard or Datacenter Edition - Static IP address configured - DNS properly configured - Administrator privileges - Server joined to workgroup (not domain)
Planning Your Active Directory Structure
Domain Naming Convention
Choose a proper domain name structure:
- Internal domain: company.local or ad.company.com
- Avoid: Using your public domain directly
- Best practice: Use .local for internal domains
Organizational Units (OUs)
Plan your OU structure:
Company.local
├── Users
│ ├── Employees
│ ├── Contractors
│ └── Service Accounts
├── Computers
│ ├── Workstations
│ ├── Servers
│ └── Mobile Devices
└── Groups
├── Security Groups
└── Distribution Groups
Step 1: Install Active Directory Domain Services
Using Server Manager
- Open Server Manager
- Click "Add roles and features"
- Select "Role-based or feature-based installation"
- Choose your server from the server pool
- Select "Active Directory Domain Services"
- Add required features when prompted
- Click "Install" to begin installation
Using PowerShell
# Install AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name AD-Domain-Services
Step 2: Promote Server to Domain Controller
Using Server Manager
- Click the notification flag in Server Manager
- Select "Promote this server to a domain controller"
- Choose "Add a new forest"
- Enter your root domain name (e.g.,
company.local) - Set Domain and Forest functional levels to "Windows Server 2022"
- Configure Directory Services Restore Mode (DSRM) password
- Review DNS delegation warning (can be ignored for new forests)
- Choose NetBIOS domain name (usually auto-generated)
- Review paths for database, log files, and SYSVOL
- Review configuration and click "Install"
Using PowerShell
# Promote to domain controller
Install-ADDSForest `
-DomainName "company.local" `
-DomainNetbiosName "COMPANY" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-InstallDns:$true `
-SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
-Force:$true
Step 3: Post-Installation Configuration
Verify Installation
# Check domain controller functionality
Get-ADDomainController
# Verify forest and domain information
Get-ADForest
Get-ADDomain
# Test DNS resolution
nslookup company.local
Configure DNS
Ensure DNS is properly configured:
# Check DNS server configuration
Get-DnsServerSetting
# Verify DNS zones
Get-DnsServerZone
# Test DNS functionality
Resolve-DnsName company.local
Step 4: Create Organizational Units
Using Active Directory Users and Computers
- Open "Active Directory Users and Computers"
- Right-click on your domain
- Select "New" → "Organizational Unit"
- Create the following OUs:
- Users
- Computers
- Groups
- Service Accounts
Using PowerShell
# Create OUs
New-ADOrganizationalUnit -Name "Users" -Path "DC=company,DC=local"
New-ADOrganizationalUnit -Name "Computers" -Path "DC=company,DC=local"
New-ADOrganizationalUnit -Name "Groups" -Path "DC=company,DC=local"
New-ADOrganizationalUnit -Name "Service Accounts" -Path "DC=company,DC=local"
# Create sub-OUs
New-ADOrganizationalUnit -Name "Employees" -Path "OU=Users,DC=company,DC=local"
New-ADOrganizationalUnit -Name "Contractors" -Path "OU=Users,DC=company,DC=local"
Step 5: Create User Accounts
User Account Best Practices
- Use consistent naming conventions
- Implement strong password policies
- Enable account lockout policies
- Set appropriate user rights
Creating Users with PowerShell
# Create a new user account
New-ADUser `
-Name "John Doe" `
-GivenName "John" `
-Surname "Doe" `
-SamAccountName "jdoe" `
-UserPrincipalName "jdoe@company.local" `
-Path "OU=Employees,OU=Users,DC=company,DC=local" `
-AccountPassword (ConvertTo-SecureString "TempPass123!" -AsPlainText -Force) `
-ChangePasswordAtLogon:$true `
-Enabled:$true
# Bulk user creation from CSV
$users = Import-Csv "C:\Users.csv"
foreach ($user in $users) {
New-ADUser `
-Name "$($user.FirstName) $($user.LastName)" `
-GivenName $user.FirstName `
-Surname $user.LastName `
-SamAccountName $user.Username `
-UserPrincipalName "$($user.Username)@company.local" `
-Path "OU=Employees,OU=Users,DC=company,DC=local" `
-AccountPassword (ConvertTo-SecureString $user.Password -AsPlainText -Force) `
-ChangePasswordAtLogon:$true `
-Enabled:$true
}
Step 6: Configure Group Policy
Default Domain Policy
Configure the default domain policy:
# Open Group Policy Management
gpmc.msc
Key policies to configure: - Password Policy: Minimum length, complexity, age - Account Lockout Policy: Threshold, duration, counter reset - Audit Policy: Enable security auditing - User Rights Assignment: Logon rights, privileges
Common Group Policy Settings
<!-- Password Policy -->
<PasswordPolicy>
<MinimumPasswordLength>12</MinimumPasswordLength>
<PasswordComplexity>Enabled</PasswordComplexity>
<MaximumPasswordAge>90</MaximumPasswordAge>
<MinimumPasswordAge>1</MinimumPasswordAge>
<PasswordHistorySize>12</PasswordHistorySize>
</PasswordPolicy>
<!-- Account Lockout Policy -->
<AccountLockoutPolicy>
<AccountLockoutThreshold>5</AccountLockoutThreshold>
<AccountLockoutDuration>30</AccountLockoutDuration>
<ResetAccountLockoutCounter>30</ResetAccountLockoutCounter>
</AccountLockoutPolicy>
Step 7: Join Client Computers to Domain
Prepare Client Computers
- Configure DNS to point to domain controller
- Ensure network connectivity
- Update computer name if needed
Join Domain Process
# Join computer to domain
Add-Computer -DomainName "company.local" -Credential (Get-Credential)
# Restart computer
Restart-Computer -Force
Verify Domain Join
# Check domain membership
Get-ComputerInfo | Select-Object CsDomain, CsWorkgroup
# Test domain connectivity
Test-ComputerSecureChannel
Step 8: Configure File Shares and Permissions
Create Shared Folders
# Create shared folder
New-Item -Path "C:\Shares\CompanyData" -ItemType Directory
New-SmbShare -Name "CompanyData" -Path "C:\Shares\CompanyData" -FullAccess "COMPANY\Domain Admins"
# Set NTFS permissions
icacls "C:\Shares\CompanyData" /grant "COMPANY\Domain Users:(OI)(CI)M"
Home Directory Configuration
# Configure user home directories
Set-ADUser -Identity "jdoe" -HomeDirectory "\\server\home$\jdoe" -HomeDrive "H:"
Step 9: Backup and Recovery
System State Backup
# Install Windows Server Backup
Install-WindowsFeature -Name Windows-Server-Backup -IncludeManagementTools
# Backup system state
wbadmin start systemstatebackup -backuptarget:E: -quiet
Active Directory Backup
# Backup AD database
ntdsutil
activate instance ntds
create full backup to "C:\ADBackup"
quit
quit
Step 10: Monitoring and Maintenance
Event Log Monitoring
Monitor key event logs: - Security Log: Authentication events - System Log: System-related events - Directory Service Log: AD-specific events
Performance Monitoring
# Check AD replication health
repadmin /replsummary
# Monitor LDAP performance
Get-Counter "\DirectoryServices(NTDS)\LDAP Client Sessions"
# Check DNS health
dcdiag /test:dns
Regular Maintenance Tasks
- Daily: Check event logs, monitor replication
- Weekly: Review user accounts, group memberships
- Monthly: Test backup restoration, security audit
- Quarterly: Update documentation, disaster recovery testing
Troubleshooting Common Issues
DNS Resolution Problems
# Check DNS configuration
nslookup company.local
ipconfig /displaydns
# Flush DNS cache
ipconfig /flushdns
Authentication Issues
# Test user authentication
Test-ADUser -Identity "jdoe"
# Check Kerberos tickets
klist
Replication Problems
# Check replication status
repadmin /showrepl
# Force replication
repadmin /syncall
Security Best Practices
Hardening Active Directory
- Use least privilege principle
- Enable advanced auditing
- Implement privileged access workstations
- Regular security assessments
Backup Security
- Store backups offline
- Encrypt backup media
- Test restoration procedures
- Document recovery processes
Conclusion
Setting up Active Directory on Windows Server 2022 provides a robust foundation for small business network management. This configuration enables centralized user management, enhanced security, and simplified administration.
For professional Active Directory implementation and management services in Louisville, contact Tyler on Tech Louisville for expert assistance with your Windows Server infrastructure.