Active Directory ports

Active Directory uses a set of ports for authentication and replication. If there is a firewall between clients, member servers and domain controllers, these ports must be open for Active Directory to work properly.

135 (TCP) RPC endpoint mapper (Remote Procedure Call), used by AD replication and File Replication Service (FRS)
389 (TCP) LDAP
636 (TCP) LDAP over SSL (LDAPS)
88 & 464 (TCP & UDP) Kerberos (88 for ticket requests, 464 for password changes)
3268 (TCP) Global Catalog
3269 (TCP) Global Catalog over SSL
137 & 138 (UDP) NetBIOS name service and datagram service
139 & 445 (TCP) SMB
53 (TCP & UDP) DNS
123 (UDP) NTP

Note that port 135 only hands out a dynamic port for the actual replication RPC call; on Windows Server 2008 and later that range is TCP 49152-65535 by default, so a firewall that allows only 135 will still break replication between domain controllers.
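As an added example (not part of the original post), the script below probes the TCP ports from the list above on one domain controller and reports which are reachable from the current host. It uses a plain .NET TcpClient rather than Test-NetConnection so it also runs on Windows Server 2012 (Test-NetConnection only arrived in 2012 R2). The domain controller name is an assumption; UDP-only services (137/138, NTP) and the UDP side of DNS and Kerberos are not covered by a TCP probe.

```powershell
# Added example: check that the AD ports listed above are reachable on a DC.
# $DC is an assumed name; replace it with your own domain controller.
$DC = 'dc01.cyrusbesharat.local'

# TCP ports from the list above. 636 is the LDAPS port (not 639).
$TcpPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 139;  Service = 'NetBIOS session' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

function Test-TcpPort {
    # Returns $true when a TCP handshake to $ComputerName:$Port completes within $TimeoutMs.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out (filtered)
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DomainControllerPorts {
    # Probes every port in $Ports on $ComputerName and returns one object per port.
    param([string]$ComputerName, [object[]]$Ports)
    foreach ($entry in $Ports) {
        [pscustomobject]@{
            Port    = $entry.Port
            Service = $entry.Service
            Open    = Test-TcpPort -ComputerName $ComputerName -Port $entry.Port
        }
    }
}

# Print the table; anything with Open = False needs a firewall rule or is not listening.
Test-DomainControllerPorts -ComputerName $DC -Ports $TcpPorts | Format-Table -AutoSize

# Remember that 135 only hands out a dynamic port (TCP 49152-65535 by default on
# Windows Server 2008 and later) for the real replication RPC call, so a clean
# result here does not by itself prove that DC-to-DC replication will work.
```

Run it from a member server or workstation in each network segment that sits behind a firewall; a port that shows Open = False from one segment but True from another points at the firewall rather than at the domain controller.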

Managing Active Directory accounts using PowerShell

You learned how to create Active Directory user accounts in "Adding user accounts in Active Directory of Windows Server 2012", and now you will learn to manage accounts with PowerShell. The PowerShell cmdlets are listed below with descriptions.

These cmdlets apply to Windows Server 2008 R2 and Windows Server 2012 (the ActiveDirectory module; on 2008 R2 load it first with Import-Module ActiveDirectory, on 2012 it is loaded automatically).

PowerShell command                                   Command description
New-ADUser                                           Creates a new AD user
Remove-ADUser                                        Removes an AD user
Set-ADAccountPassword                                Modifies the password of an AD account
Set-ADAccountExpiration                              Sets the expiration date for an AD account
Clear-ADAccountExpiration                            Clears the expiration date for an AD account
Enable-ADAccount                                     Enables an AD account
Disable-ADAccount                                    Disables an AD account
Unlock-ADAccount                                     Unlocks an AD account
Set-ADUser                                           Modifies an AD user
Search-ADAccount                                     Finds AD accounts by state (disabled, locked out, expired, inactive, password expired or never expiring)
Set-ADAccountControl                                 Modifies the userAccountControl flags of an AD account (PasswordNeverExpires, AccountNotDelegated, etc.); unrelated to the desktop User Account Control feature
Get-ADUser                                           Gets one or more AD users
Get-ADUserResultantPasswordPolicy                    Gets the resultant password policy for a user
Add-ADGroupMember                                    Adds one or more users to an AD group
Remove-ADGroupMember                                 Removes one or more users from an AD group
Add-ADPrincipalGroupMembership                       Adds a user to one or more AD groups
Remove-ADPrincipalGroupMembership                    Removes a user from one or more AD groups
Add-ADDomainControllerPasswordReplicationPolicy      Adds users to the Allowed List or the Denied List of the read-only domain controller (RODC) Password Replication Policy (PRP)
Remove-ADDomainControllerPasswordReplicationPolicy   Removes users from the Allowed List or the Denied List of the RODC PRP
Add-ADFineGrainedPasswordPolicySubject               Applies a fine-grained password policy to one or more users
Remove-ADFineGrainedPasswordPolicySubject            Removes one or more users from a fine-grained password policy

For more information about any of these cmdlets, run Get-Help followed by the cmdlet name (add -Examples or -Full for the complete guide).
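As an added example (not part of the original post), here is an account-hygiene script that combines several cmdlets from the table: it finds enabled users in an OU that have not logged on for 90 days, disables them with a dated description, lists currently locked-out accounts, and clears the "password never expires" flag. The OU, the domain name and the 90-day threshold are assumptions for illustration.

```powershell
# Added example: routine account hygiene with the cmdlets listed above.
Import-Module ActiveDirectory   # required on Windows Server 2008 R2; 2012 autoloads it

# Assumed values: adjust the OU and the inactivity threshold to your environment.
$SearchBase  = 'OU=Staff,DC=cyrusbesharat,DC=local'
$InactiveFor = New-TimeSpan -Days 90
$Stamp       = Get-Date -Format 'yyyy-MM-dd'

# Search-ADAccount filters on account *state* rather than on arbitrary attributes.
# -AccountInactive uses lastLogonTimestamp; -UsersOnly excludes computer accounts.
$stale = Search-ADAccount -AccountInactive -TimeSpan $InactiveFor -UsersOnly -SearchBase $SearchBase |
         Where-Object { $_.Enabled }

foreach ($acct in $stale) {
    # Disable rather than delete: the SID, group memberships and audit trail survive,
    # and the account can be re-enabled if the user was simply on leave.
    # Append -WhatIf to both cmdlets below for a dry run before doing this for real.
    Disable-ADAccount -Identity $acct.DistinguishedName
    Set-ADUser -Identity $acct.DistinguishedName `
               -Description "Disabled $Stamp - no logon for $($InactiveFor.Days) days"
}
Write-Host ("Disabled {0} stale account(s) under {1}" -f @($stale).Count, $SearchBase)

# Locked-out accounts are worth a look too: a burst of lockouts across many users
# is a common sign of password spraying against the domain.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, LockedOut

# Passwords that never expire escape the domain password policy entirely.
# Set-ADAccountControl accepts the accounts from the pipeline and flips the flag.
Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $SearchBase |
    Set-ADAccountControl -PasswordNeverExpires $false -WhatIf
```

The final command is left with -WhatIf on purpose: service accounts sometimes rely on non-expiring passwords, so review the list it prints and remove -WhatIf only for the accounts you have checked.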

Adding user accounts in Active Directory of Windows Server 2012

One of the first jobs after installing Active Directory is creating user accounts, so that users can authenticate to the domain. Only an authenticated user can then be granted access to network resources; anyone without an account that an administrator has created and authorized gets no access to the network.

As usual, here are my two ways:


  1. Press Windows Key + R, type dsa.msc, and press OK
  2. The Active Directory Users and Computers window opens. Remember that you can open it via Server Manager too
  3. The easiest way is to right-click the Users container in the left pane, click New, then User
  4. Fill in the first and last names as you wish. Mine will be User1, and the user logon name is User1 too. Click Next
  5. Choose a strong password and leave the default settings intact. Then click Next and Finish
  6. Now I want to make this account a member of the administrators. In the working window, click Users, right-click User1, and click Add to a group…
  7. In the Select Groups window, type Domain Admins; Enterprise Admins, then click OK twice

As a result, a user named User1 is created who is an administrator of both the domain and the forest. Note that this is for demonstration only: Domain Admins and Enterprise Admins are the most privileged groups in the forest, so in production keep their membership to a handful of dedicated administrative accounts and give everyday accounts their rights through ordinary groups instead.



  1. Open a PowerShell console (on Windows Server 2008 R2 run Import-Module ActiveDirectory first; Windows Server 2012 loads the module automatically)
  2. Type the following commands and press Enter after each. The first prompts for the password and creates the account in the default Users container; the second adds that account to both groups, which is why all three distinguished names refer to CN=Users:

New-ADUser -SamAccountName User1 -AccountPassword (Read-Host "Set user password" -AsSecureString) -Name "User1" -Enabled $true -PasswordNeverExpires $false -ChangePasswordAtLogon $true
Add-ADPrincipalGroupMembership -Identity "CN=User1,CN=Users,DC=cyrusbesharat,DC=local" -MemberOf "CN=Enterprise Admins,CN=Users,DC=cyrusbesharat,DC=local","CN=Domain Admins,CN=Users,DC=cyrusbesharat,DC=local"
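As an added example (not part of the original post), the script below does what a practitioner would normally do instead of step 7: it creates an ordinary user in a dedicated OU using a parameter hashtable (splatting), grants rights through a regular group, and then audits exactly who holds Domain Admins and Enterprise Admins membership, including members inherited through nested groups. The OU, the Helpdesk group and the domain name are assumptions.

```powershell
# Added example: least-privilege user creation plus an audit of the two forest-wide admin groups.
Import-Module ActiveDirectory   # required on Windows Server 2008 R2; 2012 autoloads it

# Assumed names: adjust the domain, OU and group to your forest.
$Domain = 'cyrusbesharat.local'
$OU     = 'OU=Staff,DC=cyrusbesharat,DC=local'

# Splatting keeps a long New-ADUser call readable and easy to review in change records.
$user = @{
    Name                  = 'User2'
    SamAccountName        = 'User2'
    UserPrincipalName     = "User2@$Domain"
    Path                  = $OU
    AccountPassword       = (Read-Host 'Initial password' -AsSecureString)
    Enabled               = $true
    ChangePasswordAtLogon = $true    # the user must replace the password you typed
    PasswordNeverExpires  = $false   # keep the account under the domain password policy
}
New-ADUser @user

# Everyday rights come from an ordinary group (assumed to exist), not from Domain Admins.
Add-ADGroupMember -Identity 'Helpdesk' -Members 'User2'

function Get-PrivilegedGroupReport {
    # Lists every user who is, directly or through nesting, a member of the given groups.
    # -Recursive expands nested groups, which is where unexpected members usually hide.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins'))
    foreach ($group in $Groups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |      # skip computer objects
            Get-ADUser -Properties LastLogonDate, PasswordLastSet |
            Select-Object @{ n = 'Group'; e = { $group } },
                          SamAccountName, Enabled, LastLogonDate, PasswordLastSet
    }
}

# A member that is disabled, has never logged on, or has a years-old password is
# usually a forgotten test account and should be removed from the group.
Get-PrivilegedGroupReport | Format-Table -AutoSize
```

Running Get-PrivilegedGroupReport right after the GUI walkthrough above will show User1 in both groups, which is exactly the kind of entry this report exists to catch.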

Installing Active Directory on Windows Server 2012

The first role a newly installed server can take is that of Domain Controller (DC). By installing Active Directory (AD), the server becomes a DC. Active Directory provides a central location for network administration and security.

It is worth visiting the "What's New in Active Directory Domain Services (AD DS)" TechNet page to become familiar with the changes to AD in Windows Server 2012.

In previous versions of Windows Server, the dcpromo (DC promotion) command was used to promote a server to a DC, but in Windows Server 2012 dcpromo has been deprecated in favour of Server Manager and the ADDSDeployment PowerShell module.

Here are my two methods:

  1. Open Server Manager and click Add roles and features
  2. Click Next, select Role-based or feature-based installation, and then click Next
  3. Click Select a server from the server pool, click the name of the server, and then click Next
  4. Select Active Directory Domain Services; in the new window click Add Features, and then click Next twice
  5. Finally click Install. When the installation is complete, click Promote this server to a domain controller
  6. Select the Add a new forest radio button (because this is the first DC in our environment, we have to create a new forest first)
  7. Next to Root domain name, write the name of the forest (root domain), which is CyrusBesharat.local. Then click Next
  8. Here we can choose the forest and domain functional levels. I prefer to leave both at the default, which is Windows Server 2012. By default the Domain Name System (DNS) server role is selected for installation, and installing DNS on a DC is recommended. Because this is the first DC in the forest, Global Catalog (GC) is selected and Read only domain controller (RODC) is not, and neither can be changed. Under Directory Services Restore Mode (DSRM), type a strong password. This is the local administrator password used when the DC is booted into DSRM to repair or restore the directory, so store it as carefully as a Domain Admin password. Then click Next
  9. On the DNS Options page there is no need to delegate DNS, as this is the root domain. Just click Next
  10. Review the NetBIOS domain name, which is CYRUSBESHARAT, then click Next
  11. On the Paths page, I recommend changing the paths of the Database, Log files and SYSVOL folders to a separate physical disk protected by RAID. Click Next
  12. Review your selections and click Next
  13. On the Prerequisites Check page, click Install
  14. After a while, the server restarts automatically

Now the second method:

  1. Open PowerShell and type the commands below. The first installs the role and the management tools; the second prompts for the DSRM password and asks for confirmation before promoting the server, and accepts the same defaults as the wizard (DNS installed, Windows Server 2012 functional levels, paths under C:\Windows):

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Install-ADDSForest -DomainName CyrusBesharat.local
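As an added example (not part of the original post), the script below performs the same promotion as the fourteen GUI steps above, but with every choice made explicit and the prerequisite check run first without changing anything. The disk paths, the DSRM password prompt and the functional levels mirror the walkthrough and are assumptions to adjust for your own server.

```powershell
# Added example: scripted, repeatable first-DC promotion matching the GUI walkthrough.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# The DSRM password is the local admin password of the DC in recovery mode;
# prompting keeps it out of the script file and the PowerShell history.
$dsrm = Read-Host 'Directory Services Restore Mode password' -AsSecureString

# Assumed values: separate RAID-backed volumes D: and E: as recommended in step 11.
$forest = @{
    DomainName                    = 'CyrusBesharat.local'
    DomainNetbiosName             = 'CYRUSBESHARAT'     # what step 10 asks you to review
    ForestMode                    = 'Win2012'           # step 8: leave at Windows Server 2012
    DomainMode                    = 'Win2012'
    InstallDns                    = $true               # DNS on the DC, as in step 8
    CreateDnsDelegation           = $false              # root domain: nothing to delegate (step 9)
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'E:\NTDS\Logs'
    SysvolPath                    = 'D:\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $false              # reboot automatically, as in step 14
    Force                         = $true               # suppress the interactive confirmation
}

# Same checks as the wizard's Prerequisites Check page (step 13), read-only.
$check = Test-ADDSForestInstallation @forest
$check | Format-List Status, Message

if ($check.Status -eq 'Success') {
    Install-ADDSForest @forest
} else {
    Write-Warning 'Prerequisite check did not pass; fix the reported issues before promoting.'
}
```

After the reboot, confirm the result with Get-ADDomainController and dcdiag /test:dns on the new DC; the same hashtable can be reused for every lab rebuild, which is where the real advantage over the GUI lies.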


As you can see, using PowerShell is much easier and faster than the GUI, and the commands can be kept in a script so that every DC is promoted the same way.
