With this series I hope to put my own spin on the well-documented process of building an Active Directory Domain Controller from scratch. I’ll of course be using Microsoft Windows Server 2016 for this. I’m going to include tons of screenshots to document the process step by step. The new AD domain is going to be VILAB.local, which is clearly for my lab. It will be the cornerstone of my lab in terms of authentication, authorization and centralized LDAP domain management. I’ve broken this series into 3 parts as below:
- Part 1 – AD Domain Controller Requirements & Basic Server Configuration
- Part 2 – Adding AD Domain Services Roles & Adding a new Forest
- Part 3 – AD Configuration & Validation
Adding Active Directory Domain Services Roles
In Part 1 of this series I covered the hardware requirements and some recommended server configuration settings for building a Windows Server 2016 Active Directory Domain Controller. The next step is to actually install the Roles needed for Active Directory Domain Services and then to promote the server to the first domain controller in our new forest.
As you’re surely familiar with by now, we’re back in Server Manager to start the process. First we click on Add roles and features.
The first page of the Add Roles and Features Wizard describes what this wizard does and recommends a few prerequisite tasks. Just click Next here to continue.
The Installation Type page gives us two options, although we’re only concerned with one. Leave the radio button on Role-based or feature-based installation and click Next.
The Server Selection page is where we can select one or more servers to install roles and features to. The default setting is the local server and so we’ll leave it as is and click Next.
The Server Roles page has a ton of possible roles to install. The Active Directory Domain Services and DNS Server roles need to both be checked.
When you check the Active Directory Domain Services role it will pop open another dialog that notifies you of additional features that will automatically be installed along with the AD DS role. These features are needed to manage the AD DS role through PowerShell, the GUI and the command line. When you click the Add Features button the AD DS role will show as checked.
When you check the DNS Server role it will pop open another dialog that notifies you of additional features that will automatically be installed along with the DNS Server role. This feature is the DNS Server command line and GUI tool. When you click the Add Features button the DNS Server role will show as checked.
With both roles selected we can now click Next.
On the Features page I usually add .NET Framework 3.5 Features because it always seems something needs it. Other than that nothing else needs to be added so we can click Next.
The AD DS page describes the role you’re installing and tells you that you need to install DNS Server. Click Next to continue.
The DNS Server page describes the DNS Server role. Click Next here as well.
The Confirmation page displays the roles and features we previously selected and allows us to verify our choices. There’s a warning at the top about missing source files. Because we selected the .NET Framework 3.5 Features, we have to Specify an alternate source path.
This simply means we need to point it at a directory on the Windows Server 2016 ISO. The Specify Alternate Source Path dialog explains why this is necessary and notes that for the .NET Framework 3.5 Features a path must be specified. There’s also an example which we’ll base our entry on. The CD/DVD drive is D: in this context, so we’ll enter D:\Sources\SxS\ into the Path: box and click OK.
After clicking Install the installation process for the roles and features selected will begin.
When the process completes we’re presented with a link to Promote this server to a domain controller. Clicking the link opens up the Active Directory Domain Services Configuration Wizard.
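The same role and feature installation can be scripted instead of clicked through. This is an added example, not from the original post; it assumes the Windows Server 2016 ISO is mounted as D: as in the walkthrough, and uses the feature names AD-Domain-Services, DNS and NET-Framework-Core (the latter being .NET Framework 3.5).

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# Add Roles and Features Wizard steps above. Assumes the install media is D:.
$features = 'AD-Domain-Services', 'DNS', 'NET-Framework-Core'   # NET-Framework-Core = .NET Framework 3.5
$sxsPath  = 'D:\Sources\SxS'                                    # alternate source path from the wizard

if (-not (Test-Path $sxsPath)) {
    throw "Alternate source path '$sxsPath' not found; mount the Server 2016 ISO first."
}

# Show the current state first so the change is visible and the script is repeatable
Get-WindowsFeature -Name $features | Format-Table Name, InstallState -AutoSize

# -IncludeManagementTools pulls in the RSAT pieces the wizard adds automatically
# (AD DS PowerShell module, AD DS snap-ins, DNS Server tools).
# -Source points at the side-by-side store on the media, which .NET 3.5 needs
# because its payload is not present on a default Server 2016 install.
$result = Install-WindowsFeature -Name $features `
    -IncludeManagementTools `
    -Source $sxsPath

if (-not $result.Success) {
    throw "Feature installation failed with exit code: $($result.ExitCode)"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required before promoting this server.'
}

# Confirm every requested feature now reports Installed before moving on
$missing = Get-WindowsFeature -Name $features |
    Where-Object { $_.InstallState -ne 'Installed' }
if ($missing) {
    $missing | ForEach-Object { Write-Error "Feature $($_.Name) is not installed." }
} else {
    Write-Host 'All roles and features installed; ready to promote this server.'
}
```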
Adding the new Active Directory Domain/Forest
On the Active Directory Domain Services Configuration Wizard we get the first actual steps to building the new domain controller. Presented with several options we want to select Add a new forest. On Root domain name we’ll enter the name for the new domain. Since this is for my home lab I’m naming the domain VILAB.local.
On the Domain Controller Options page we can choose the Forest functional level and Domain functional level. Since this is a new forest there’s no reason why these need to be changed. I want my lab running at Windows Server 2016 levels so that’s what I’ll leave it at. The Specify domain controller capabilities check boxes have 3 options that are all grayed out. The DNS and Global Catalog options are automatically selected for us since this is our first domain controller. We also must enter a Directory Services Restore Mode (DSRM) password here. DSRM is essentially safe mode for a domain controller, which allows an administrator to repair or restore the Active Directory database.
Moving to the DNS Options sub-page we see a warning indicating that the wizard can’t create a DNS delegation for you. This warning is benign and can be ignored: the wizard is trying to contact a DNS server that is authoritative for the domain, and that domain doesn’t exist yet. Click Next here.
The Additional Options page asks for the NetBIOS domain name. I don’t want to create a disjoint namespace or anything crazy for this domain controller so I’m going to make it VILAB which is the primary DNS suffix match for VILAB.local. Click Next again here.
Many people used to recommend changing the paths for the Active Directory database, logs and SYSVOL, but these days that just creates unnecessary complication. With currently available all-flash arrays and virtualized storage it just doesn’t make sense any more. Click Next again.
This page should be pretty self-explanatory. Make sure you picked all the right options and click Next.
The Prerequisites Check makes sure your server is ready to go, and a green check at the top signifies we’re clear to click Install. You’ll notice there are a few warnings: one we’ve already discussed (the DNS delegation issue) and the other mentions cryptography algorithms compatible with Windows NT 4.0. Since I’m not running NT 4.0 in this environment (or ever again) we can safely ignore both warnings.
Clicking Install starts the promotion of this server to an Active Directory Domain Controller and usually only takes a few minutes.
When the wizard has completed you’ll see a green check notification in the dialog stating that the server was successfully configured as a domain controller. You will also be notified that you’re being logged out because the server is going to restart.
Windows will restart and start applying all the setting changes necessary to make this server an Active Directory Domain Controller.
When it finishes rebooting the installation is complete and you can log in using domain credentials. To recap: we’ve added roles and features to this server, promoted it to a domain controller and rebooted it. In the next article we’ll validate Active Directory and get it ready for prime time.
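The promotion steps above map onto the ADDSDeployment module, which also exposes the wizard’s Prerequisites Check as a separate cmdlet. This is an added example, not from the original post; it assumes the AD DS role is already installed on the server, and that Test-ADDSForestInstallation returns an object with Status and Message properties.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# AD DS Configuration Wizard steps above, creating the VILAB.local forest.
Import-Module ADDSDeployment

# Read the DSRM password interactively so it never lands in a script or shell
# history; record it in the password safe, it is the only way into DSRM later.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

$forestParams = @{
    DomainName                    = 'VILAB.local'
    DomainNetbiosName             = 'VILAB'            # matches the DNS suffix, no disjoint namespace
    ForestMode                    = 'WinThreshold'     # Windows Server 2016 functional level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true              # first DC is also the DNS server
    CreateDnsDelegation           = $false             # no parent zone exists; this is the warning the wizard shows
    DatabasePath                  = 'C:\Windows\NTDS'  # wizard defaults, left in place as the post recommends
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# Equivalent of the wizard's Prerequisites Check: reports warnings and errors
# without changing anything. Assumed: the result exposes Status and Message.
$check = Test-ADDSForestInstallation @forestParams
$check.Message | ForEach-Object { Write-Host $_ }
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed with status: $($check.Status)"
}

# Promote the server. -Force suppresses the confirmation prompt; the server
# reboots automatically when promotion completes, just as the wizard does.
Install-ADDSForest @forestParams -Force
```

The delegation and NT 4.0 cryptography warnings discussed above show up in the Message output of the prerequisite check; they do not change its Status, so the promotion proceeds.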