How to Install Active Directory on Windows 11
Active Directory (AD) is Microsoft's directory service for managing users, computers, and resources across a network. If you're setting up a home lab, preparing for IT certification, or managing a small business domain, getting AD running on Windows 11 is a common starting point — though it's not as straightforward as installing standard software.
Here's what you actually need to know.
What Active Directory Is (and What It Isn't)
Active Directory Domain Services (AD DS) is a server role — meaning it's designed to run on Windows Server, not consumer desktop operating systems. Windows 11, as a desktop OS, doesn't host AD DS natively.
What Windows 11 can do is run the Remote Server Administration Tools (RSAT), which includes the Active Directory Users and Computers (ADUC) console and related management snap-ins. This lets you manage an Active Directory environment from your Windows 11 machine — but the actual domain controller still needs to live somewhere else.
This distinction matters a lot depending on what you're actually trying to accomplish.
Two Paths: Managing AD vs. Running a Domain Controller
| Goal | What You Need | Runs on Windows 11? |
|---|---|---|
| Manage an existing AD environment | RSAT for Windows 11 | ✅ Yes |
| Host a domain controller | Windows Server + AD DS role | ❌ Not natively |
| Lab/test environment | Windows Server VM on Windows 11 | ✅ Via virtualization |
Understanding which path applies to your situation changes everything about the installation process.
Path 1: Installing RSAT (Active Directory Management Tools) on Windows 11
If you already have a domain controller running somewhere on your network and need to manage it from Windows 11, RSAT is what you install.
How to install RSAT on Windows 11:
- Open Settings → System → Optional Features
- Click View features next to "Add an optional feature"
- Search for "Active Directory"
- Select RSAT: Active Directory Domain Services and Lightweight Directory Tools
- Click Next → Install
After installation, you'll find tools like Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services available through the Windows Administrative Tools folder or by searching in the Start menu.
⚙️ Important: RSAT is only available on Windows 11 Pro, Enterprise, and Education editions. Windows 11 Home does not support RSAT installation through Optional Features.
Path 2: Running a Domain Controller in a Virtual Machine
For home labs, practice environments, or development setups, the most practical approach is running Windows Server as a virtual machine (VM) on your Windows 11 host. This is how most IT professionals and students build test environments.
What you need:
- A Windows 11 machine with enough RAM (16 GB or more is comfortable), storage, and CPU cores to spare for a VM
- A hypervisor — Hyper-V is built into Windows 11 Pro/Enterprise, or you can use third-party options like VirtualBox or VMware Workstation
- A Windows Server license or evaluation image (Microsoft offers free 180-day evaluation ISOs directly from their site)
General process inside the VM:
- Install Windows Server on the virtual machine
- Open Server Manager
- Click Add Roles and Features
- Select Active Directory Domain Services
- Complete the installation, then promote the server to a domain controller using the post-deployment configuration wizard
- Define a new forest and domain name (e.g.,
lab.local)
Once the domain controller is running inside the VM, you can join your Windows 11 host or other VMs to that domain and manage everything with RSAT from the Windows 11 desktop.
Key Variables That Affect Your Setup 🖥️
Several factors shape how this process plays out for any given user:
- Windows 11 edition — Home users can't install RSAT and can't run Hyper-V. Pro or Enterprise is the minimum for most AD-related work.
- Hardware resources — Running a Windows Server VM alongside a normal workload requires meaningful RAM and CPU headroom. Machines with 8 GB of RAM will feel the squeeze; 16 GB gives comfortable breathing room.
- Network configuration — If you're joining a real domain, your DNS settings, firewall rules, and network topology all affect whether your Windows 11 machine can communicate with the domain controller.
- Purpose of the environment — A single IT admin managing an existing corporate domain has entirely different needs than a student studying for a Microsoft certification or a developer testing Azure AD integration.
- Licensing — Windows Server requires its own license. Evaluation versions work for learning and testing but have time limits and aren't appropriate for production.
What About Azure Active Directory (Now Microsoft Entra ID)?
It's worth noting that Azure Active Directory — now rebranded as Microsoft Entra ID — is a cloud-based identity service that works differently from on-premises AD DS. Joining a Windows 11 machine to Entra ID is built directly into Windows 11's setup and account settings, and doesn't require any of the steps above.
If your organization uses Microsoft 365 or Azure, Entra ID is likely already in play. On-premises AD DS and cloud-based Entra ID can coexist through Azure AD Connect, but they serve different architectural roles.
The Variables That Make This Personal
Whether you need RSAT, a local VM, a full Windows Server deployment, or just an Entra ID join depends entirely on what you're building, what edition of Windows 11 you're running, what hardware you have available, and whether you're working in a learning context or a real network environment. The technical steps are well-defined — but the right starting point is different for everyone.