In the previous post, I gave you a conceptual overview of Active Directory.
In this post, we’re going to put our fingers to the keys and actually begin installing it from scratch in Windows Server 2012 R2.
You’re going to learn:
- How to add the Active Directory Domain Service option on your server
- How to promote the server to a Domain Controller
- What the common features are and when to use them
Let’s freggin’ do this!
With the advent of Windows Server 2012 R2, Microsoft has really improved the entire process of setting up a new Domain Controller (DC).
Microsoft also amped up the migration process. Previously, if you had an older domain controller, you needed to run Adprep.exe to migrate the domain and forest so that the older schema (the database skeleton) would mesh with the newer schema of your DC. Windows 2012 won’t importune you with any crap like that because it handles adprep for you.
Let’s get started.
Go ahead and login to your Windows Server 2012 machine and open the Server Manager by clicking the little icon next to the Start Button in the bottom left corner of the screen.
Setting up the Active Directory Role
Select Manage from the menu bar and then choose Add Roles and Features.
The Before you Begin wizard should pop up.
Click Next to kick off the show.
Since we’re not doing any virtualization just stick with the default Role-based or feature-based installation.
Now we need to choose the server where we want to install the Active Directory role and feature.
You can install it on multiple servers concurrently. We only have one server though so just click Next.
In the Select server roles screen choose Active Directory Domain Services.
Pick Add Features.
Now you can Next your way past the Features, AD DS, and Confirmation sections.
Finish the wizard and grab a cup of Kirkland’s Signature Green Tea because you’re installing AD like a pro now.
Now back in the Server Manager, you’ll notice a shiny new AD DS role hanging out in the left pane.
Then in the right pane, click the More… link in the alert that says Configuration required for Active Directory Domain Services at MyServerName.
Promoting your Server to a Domain Controller
If only getting a promotion in your real job were as easy as clicking a button…
Just click Promote this server to a domain controller.
Since we’re creating the first, and only, domain in our company we can select Add a New Forest.
Remember a single domain is also a forest…
The Root Domain Name is none other than your super creative domain name: smocksocks.com
On the next screen, you might get the following error:
A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "domain-name.com". Otherwise, no action is required.
That’s just Microsoft’s grandiloquent way of saying:
Hey where’s the DNS server? I can’t find one so I’m going to warn you about that. But hey, if you’re going to make this server the DNS server just ignore my little error.
Click OK and keep going forward.
The next screen gives you more options for your Domain Controller. Let’s focus on the top half of the screen first:
You’ll see two drop down boxes next to Forest functional level and Domain functional level.
If we were adding Active Directory Domain Services to an existing, older domain then we could downgrade our Windows Server 2012 server so that it could match up with the older feature set. In other words, we could manually set the compatibility level of the forest or domain by stripping away features based on the selected functional level.
This doesn’t apply to us.
Under the functional levels drop down boxes are three sections that let you specify the capabilities of your domain controller:
- Domain Name System (DNS) server
- Global Catalog (GC)
- Read only domain controller (RODC)
I’m not really sure why the DNS setting is optional because Active Directory relies on DNS for name resolution. Definitely leave this one checked.
The Global Catalog is also another good one to leave checked because it lets users search for objects from every domain in your forest. Think of it like the “Yellow Pages” of Active Directory.
The final domain controller option is really interesting.
If you enable Read only domain controller (RODC) this domain controller will forbid anyone from creating or modifying accounts on the server. It’s sometimes prudent to use this in smaller branch offices where you have less than ideal levels of physical security. If an incensed employee gained physical access to a RODC he couldn’t modify any of your objects. It limits the scope of damage.
Speaking of damage, what happens if your Domain Controller fails? How would you log into your DC if the DC is down?
That’s what the Directory Services Restore Mode (DSRM) password is all about. It lets you sign in to your DC with a non-Active Directory account so you can troubleshoot problems. Make sure you establish a strong password here because it’s your life boat for emergencies.
Now keep clicking Next until you get to the Paths section. This is where you’ll find the folder locations for the Active Directory database, the logs, and the public files that get replicated (the SYSVOL folder).
In the past, it made sense to install the Database and Logs on a distinct hard drive; however, this is no longer critical because of recent hardware and software improvements. Most System Administrators can safely leave these defaults untouched.
Click Next to Review your options and then choose the View Script button in the bottom right corner of the screen.
A text file will leap onto the screen with a bunch of cool code.
Guess what this does?
If you save this file as a PowerShell script (For example, File, Save As, “ADDSSetup.ps1”) you can execute it from other servers in your environment to quickly breeze through the setup process. The PowerShell script is basically a concise text-based way to do all the stuff we just did in the Active Directory Domain Services Configuration Wizard.
Alright, now click Next to encourage the wizard to automatically perform a Prerequisite check. Windows will make sure everything is in the right place before proceeding with the installation.
You will invariably see a collection of alerts in the View Results box. Most of them are benign but you should still understand each warning. For example, one of the alerts below is telling me my server doesn’t have a static IP address and I should probably fix that.
Duh, who runs a server without a static IP? Rebooting the server could result in a different IP address, making it difficult for workstations to authenticate!
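Here is what the View Script step and the prerequisite check look like when you drive them from PowerShell yourself. This is an added example, not the script the wizard generated for this post; it assumes the page’s domain name smocksocks.com, an assumed NetBIOS name SMOCKSOCKS, the default paths, and a Windows Server 2012 R2 box where the ADDSDeployment module is available once the role is installed.

```powershell
# Added example (not the wizard's generated script). Assumes Windows Server
# 2012 R2, domain smocksocks.com, and an assumed NetBIOS name SMOCKSOCKS.

# 1. Flag any IPv4 address handed out by DHCP. A DC's address must survive a
#    reboot or clients will fail to locate it; this is the wizard's warning.
$dhcp = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Dhcp' }
if ($dhcp) {
    Write-Warning "DHCP address on $($dhcp.InterfaceAlias -join ', '): set a static IP before promoting."
}

# 2. Install the AD DS role (the Add Roles and Features wizard step).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 3. Prompt for the DSRM password instead of hard-coding it in the script file.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

$forest = @{
    DomainName                    = 'smocksocks.com'
    DomainNetbiosName             = 'SMOCKSOCKS'     # assumed; the wizard derives it
    ForestMode                    = 'Win2012R2'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true            # keep DNS checked, as the post advises
    CreateDnsDelegation           = $false           # source of the "parent zone" warning
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}

# 4. Run the same prerequisite check the wizard runs; read every message,
#    and stop only on an outright error (warnings still deserve a look).
Import-Module ADDSDeployment
$check = Test-ADDSForestInstallation @forest
$check.Message | ForEach-Object { Write-Host $_ }
if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; fix the errors above.' }

# 5. Promote the server to the first DC of a new forest; it reboots when done.
Install-ADDSForest @forest -NoRebootOnCompletion:$false -Force
```

Saving this as ADDSSetup.ps1 on another server and adjusting the domain name is the "breeze through the setup" shortcut the post describes, with the DSRM password kept out of the file.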
Anyway, click Install and wait.
After a few minutes the server will reboot.
Let’s jump back in the Server Manager for a moment. I want to show you something cool.
A brief look at the DNS Manager
Click Tools in the upper right corner and mouse down to DNS.
The DNS Manager will jump to the screen awaiting your commands.
Expand the left pane. I want to show you the DNS record for our new domain controller.
The hostname of my domain controller is FBVDC1. So when I expand DNS > FBVDC1 I see a bunch of options. One of them is called Forward Lookup Zones.
A zone is just a trusted, authoritative place for DNS information. In this example, the Forward Lookup Zones section shows the IP address that maps to our domain.
For example, you can actually see the Host record for the object we just created. This means if we type fbvdc1.smocksocks.com on our LAN, it will take our users to 10.0.2.15.
I just wanted to show you this really quick so you can get an idea for how name resolution works.
In the next and final article in our three part series, I’m going to show you how to create your first organizational unit and user. Then I’ll show you how to join a PC to the domain.
You’re becoming an expert!
Let’s keep it going. Check back tomorrow.