The router config is detailed here:
http://www.cisco.com/en/US/tech/tk583/tk642/technologies_configuration_example09186a00800a393b.shtml
For AD authentication, the router can't do this natively so you'll have to send it to a Radius server first and then have it use the AD database. Windows Radius server (IAS) is a good choice for this since it's free and will interact with AD quite well.
In the sample config above just change the keyword "tacacs" to "radius" and point it to your Windows IAS server.