In this post I am going to walk you though a process I perform regularly when creating new domains for the purpose of testing, and occasionally in production environments. This procedure is going to be performed on Windows Server 2016 Core edition.
I normally choose Core edition for Domain Controllers as it reduces the overall footprint of the server by not having to run a GUI. This is perfect for Domain Controllers as not only do I want to reduce the possible security vulnerabilities on the server, but also after the DC has been deployed I will “never” need to log on to the server itself as all Active Directory management will be performed using Remote Server Admin Tools on remote server/workstations. On top of this its always nice to reduce the amount of CPU/RAM the server needs to run.
Note: For the purpose of this post we will assume that the server Operating System has already been deployed and network adaptors configured. I am using Windows Server 2016 Datacenter, but the process should be identical for all other versions and editions. Also, in this demo there is no existing Active Directory Domain deployed in the environment so we will be creating a new AD Forest, Domain and DNS whilst deploying this Domain Controller.
Installing the Active Directory features
When deploying Windows Server 2016 it does not include the necessary features to function as a Domain Controller. Therefore the first action we need to perform is to install the required feature. As this is process is being performed on Server Core we will need to do this from the command line/PowerShell.
Firstly, connect to the freshly built server using the local credentials supplied during deployment. This will open a Command Prompt window as shown below:
We then need to launch PowerShell by typing the command ‘PowerShell’:
Before installing the Active Directory feature on our server we first need to know the exact name of the feature. To get this we can simply run the cmdlet ‘Get-WindowsFeature’ which will list all of the available features, already installed and available for installation
Scrolling up we can find the Active Directory feature we are looking for ‘Active Directory Domain Services’. We can see by the lack of the X to the left that the feature is not currently installed, and can see in the ‘Name’ column the name of the feature is ‘AD-Domain-Services’.
We can now go ahead and install this feature by running the command ‘Install-WindowsFeature AD-Domain-Services’
Which then returns the following if successful
This completes the installation of the Active Directory Domain Controller feature on our server. We now need to configure the new Domain Controller…
Configuring Active Directory Domain Controller
Firstly, we need to ensure that the AD management module is imported to PowerShell so we can start our deployment. I will first check if the module is already imported by running the command ‘Get-Module’
We can see that the module is not currently imported so we will go ahead and import the module by running the command ‘Import-Module ADDSDeployment’
And run ‘Get-Module’ again to confirm that our import has completed successfully
We can see that the ADDSDeployment module is now listed
Now we are ready to actually execute our command to install and configure our new forest and domain. I will be configuring my new domain with the following attributes:
- DNS Delegation – False
- Database Path – C:\Windows\NTDS (Default)
- Domain Mode – Server 2016
- Domain Name – StingraySystems.com.au
- NetBIOS Domain name – StingraySystems
- Forest Mode – Server 2016
- Install DNS – True
- Log Path – C:\Windows\NTDS (Default)
- Reboot on Completion – True
- Sysvol Path – C:\Windows\SYSVOL
In order to apply all of these attributes during the creation of the Forest and Domain I therefore need o execute the following command – Install-ADDSForest -CreateDnsDelegation:$False -DatabasePath “C:\Windows\NTDS” -DomainMode “7” -DomainName “StingraySystems.com.au” -DomainNetbiosName “StingraySystems” -ForestMode “7” -InstallDns:$True -LogPath “C:\Windows\NTDS” -NoRebootOnCompletion:$False -SysvolPath “C:\Windows\SYSVOL” -Force:$True
Note: Obviously if you intend to run this command on your own server then please adjust the relevant attributes to match your own environment
I will then be prompted to enter (and confirm) the Safe Mode Administrator password for the domain. Enter these and press enter to start the installation of the forest and domain
After a few mins the server will then restart as we had told it this was OK to proceed in the command
Once the server completes its restart it is possible to logon to the server again but this time we must use domain credentials as all local accounts will be removed during the promotion to a Domain Controller.
Note: The account used to execute the Domain Controller installation on the first Domain Controller in the domain is automatically converted to a domain account and made a member of the Domain Admins security group so this account can be used for logging on to the server.
And that completes the installation of the Domain Controller on Windows Server Core. We are now ready to start using the domain.
If you have any questions or feedback on this guide please feel free to leave a comment below…