I am involved in setting up many bespoke hosted solutions for various customers that I deal with as part of my job. The vast majority of these revolve around a Microsoft Windows based domain, and at the heart of this is the Domain Controller. Setting this up is simple so let’s get started.
Terminology: Domain Controller (DC)
A Domain Controller is a server that responds to authentication requests for its domain. A domain can have a single Domain Controller or several. In the days of NT4 you had one Primary Domain Controller and one or more Backup Domain Controllers; Windows 2000 introduced Active Directory, which replaced the primary/backup model with multi-master replication, so every writable Domain Controller can accept changes and replicate them to the others.
Terminology: Active Directory (AD)
Active Directory is a directory service that stores information relating to network objects such as Users, Computers, Printers etc. It also allows administrators to assign policies to the objects. The Active Directory database is held on the Domain Controllers.
A domain is a collection of objects, including at least one Domain Controller, that all share the same DNS namespace. For example server1.mydomain.com, server2.mydomain.com and pc1.mydomain.com would all be part of the same domain.
A tree is a collection of domains in a contiguous DNS namespace, so a tree could contain the domains red.mydomain.com, blue.mydomain.com and green.mydomain.com beneath mydomain.com.
A forest is a collection of trees that share common elements such as the Global Catalog and the directory schema.
Terminology: Global Catalog (GC)
Global Catalog servers are Domain Controllers that, as well as the full copy of their own domain, hold a partial, read-only copy of every object in every domain of the forest. Only a selected subset of each object's attributes (the partial attribute set) is included in that copy and replicated between Global Catalog servers; replicating every attribute of every object in a large forest would generate a lot of traffic, especially over slow WAN / Internet connections.
Terminology: Directory Schema
The directory schema is the definition of every object class (users, groups, computers etc.) and every attribute that can be stored in the directory. The schema can be extended with additional classes and attributes.
Terminology: Flexible single master operation (FSMO)
FSMO, pronounced “fizz-mo”, is also known as the operations master roles. There are five FSMO roles; some exist once per domain and some once per forest. We'll look at FSMO roles in a later article, but for now, as we are only deploying a single server, all five roles will sit on that one server.
1. We start with a fresh install of Windows Server 2008 R2, which at the moment is just part of a workgroup and has no domain membership. The first thing we need to do is set the name of our new server. We do this from “System Properties“: on the “Computer Name” tab click “Change”, which opens the “Computer Name/Domain Changes” dialogue box.
In here we'll enter our new server name “server“. We can ignore the “Member of” section because that is used to join a server or PC to an existing domain. After clicking OK we'll be prompted to reboot the server for the change to take effect.
Alternatively we can do this from the command prompt with “netdom renamecomputer currentservername /newname:newservername /reboot:0”, where newservername is the name we want to give the server and currentservername is its current name, which we can get from the output of the “hostname” command. “/reboot:0” reboots the server after the change, waiting zero seconds before doing so; without the “:0” on the end the server waits the default 30 seconds before restarting.
Once we enter the command we are asked to confirm, because renaming a server after certain roles have been installed can break those services. As this is a fresh install with no roles that depend on a fixed name, we can choose Y to continue and the server will reboot.
2. OK, so the server is back up. The next thing we need to do before promoting it to a Domain Controller is set a static IP address. We do this in the “Internet Protocol Version 4 (TCP/IPv4) Properties” dialogue: a static IP address, the correct subnet mask and the default gateway. I'll enter the DNS server addresses too, because when we install the DNS Server role later it will take the values set here as our forwarder addresses and repoint our own DNS client at 127.0.0.1.
Alternatively we can do this at the command line with “netsh interface ipv4 set address name=”myadapterid” source=static address=myipaddress mask=mysubnetmask gateway=mydefaultgateway”, where myadapterid is the Idx value (or the interface name) shown in the output of “netsh interface ipv4 show interfaces”.
Now we can add our DNS servers with “netsh interface ipv4 add dnsservers name=”myadapterid” address=mydnsserver index=x validate=no”, where myadapterid is the same Idx value as before, mydnsserver is the IP address of your DNS server and x is the position in the list, so 1 for the first DNS server address, 2 for the second etc. I always add “validate=no” to the end to stop Windows
We can then verify with “ipconfig /all” that everything we have entered has been applied to the adapter.
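Beyond eyeballing “ipconfig /all”, the things that actually matter before running dcpromo are that the name change has taken effect, the adapter is static rather than DHCP, the DNS client points at a real DNS server (not yet at 127.0.0.1), and the forest name we are about to create does not already resolve. The following script is an added example, not part of the original post; it runs on the PowerShell 2.0 that ships with Server 2008 R2 (WMI rather than the newer NetTCPIP cmdlets) and assumes the server was named “server”, the adapter is the one Windows calls “Local Area Connection”, and the forest will be “pebelnet.local”.

```powershell
# Added example (not from the original post): pre-flight checks after steps 1
# and 2, before dcpromo. PowerShell 2.0 / Server 2008 R2 compatible.
# Assumed values: hostname "server", adapter "Local Area Connection",
# forest "pebelnet.local". Change them to suit.

function Test-DcPreflight {
    param(
        [string]$ExpectedName = 'server',
        [string]$AdapterName  = 'Local Area Connection',
        [string]$ForestFqdn   = 'pebelnet.local'
    )
    $ok = $true

    # 1. netdom renamecomputer only takes effect after the reboot.
    if ($env:COMPUTERNAME -ne $ExpectedName.ToUpper()) {
        Write-Warning "Hostname is $env:COMPUTERNAME, expected $ExpectedName"
        $ok = $false
    }

    # 2. Find the adapter by its connection name and read its IP configuration
    #    (Win32_NetworkAdapter.DeviceID matches Win32_NetworkAdapterConfiguration.Index).
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$AdapterName'"
    if (-not $nic) { Write-Warning "Adapter '$AdapterName' not found"; return $false }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.DeviceID)"

    # A DC must not get its address from DHCP: a lease change would break the
    # A and SRV records every client uses to find it.
    if ($cfg.DHCPEnabled) {
        Write-Warning "Adapter '$AdapterName' is still using DHCP"
        $ok = $false
    }
    if (-not $cfg.IPAddress -or -not $cfg.DefaultIPGateway) {
        Write-Warning "No static address and/or default gateway set"
        $ok = $false
    }

    # 3. The DNS client must point at an existing DNS server, not at 127.0.0.1:
    #    dcpromo copies these entries to the forwarder list when it installs the
    #    DNS role and only then repoints the client at itself.
    if (-not $cfg.DNSServerSearchOrder) {
        Write-Warning "No DNS servers configured on '$AdapterName'"
        $ok = $false
    }
    elseif ($cfg.DNSServerSearchOrder -contains '127.0.0.1') {
        Write-Warning "DNS client already points at 127.0.0.1 but the DNS role is not installed yet"
        $ok = $false
    }

    # 4. The new forest name must not already resolve; if it does, another
    #    directory or a stray zone already owns that name.
    try {
        [System.Net.Dns]::GetHostAddresses($ForestFqdn) | Out-Null
        Write-Warning "$ForestFqdn already resolves; pick another forest name"
        $ok = $false
    }
    catch {
        Write-Host "$ForestFqdn does not resolve yet (expected for a new forest)"
    }

    return $ok
}

if (Test-DcPreflight) { Write-Host 'Ready for dcpromo' } else { Write-Host 'Fix the warnings above first' }
```

Run it from an elevated PowerShell prompt after the post-rename reboot; every warning it prints corresponds to something dcpromo would either refuse or silently do the wrong thing with (for example copying 127.0.0.1 into the forwarder list).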
3. We'll run a tool called “dcpromo“. This launches a wizard that lets us promote the server to a Domain Controller. We could instead run “dcpromo /answer:C:\filename.txt” (or the equivalent “/unattend:” switch), where C:\filename.txt is the full path and name of a text file we create containing the answers the wizard would otherwise ask for, to allow an unattended setup of the domain.
After running “dcpromo” the server will start by installing the Active Directory Domain Services binaries.
Once this has completed we are presented with the wizard, which asks whether we wish to use advanced mode installation. We can also launch advanced mode directly by adding the “/adv” switch to the “dcpromo” command. Advanced mode gives us additional options, in particular the domain NetBIOS name: outside advanced mode the wizard picks the name itself, whereas in advanced mode we can set our own. So, going with the old adage “more is better”, let's tick “Use advanced mode installation” and click Next.
4. We are presented with a page of text. Basically this is saying that some older clients and applications may not be compatible with the new Domain Controller, because a newer, more secure default setting stops clients from using the weaker NT4-style cryptography algorithms when they establish a secure channel session with it.
We’re OK with this so we can just click next.
5. Now our first proper question: do we want to add this server to an “Existing forest” or “Create a new domain in a new forest”? We have no existing forest or domain, so we need to create a new one. You'll also see options greyed out beneath “Existing forest”; these let us specify what kind of domain or Domain Controller we would be adding to an existing forest. For now we'll select “Create a new domain in a new forest” and click Next.
We now need to pick the FQDN, or Fully Qualified Domain Name, for our new forest root domain. We'll go with “pebelnet.local”. You can use a real Internet domain name such as “pebelnet.co.uk”, but usually the servers responsible for your real domain name are completely separate from your Windows domain and you'll have DNS problems later on down the line (two sets of servers each claiming to be authoritative for the same name). Note that “.local” is also the namespace used by multicast DNS (RFC 6762), so if you do own a registered domain, a dedicated subdomain such as “ad.pebelnet.co.uk” avoids both problems.
The server then checks whether the forest/domain name you specified is already in use. If all is OK you'll be asked for a NetBIOS name. The wizard proposes one based on the FQDN you entered (PEBELNET for pebelnet.local), which is usually acceptable, but in some cases you may wish to change it, and without “Use advanced mode installation” ticked at the beginning we wouldn't have been given this option.
6. We are now asked to set the Forest Functional Level. The forest functional level is the oldest version of Windows you want to be able to add as a Domain Controller in the forest, and it also decides which forest-wide features are available. If the level is set to “Windows Server 2003″ you can only add Domain Controllers running Windows Server 2003 or later; you will not be able to add Windows 2000 servers to the forest because the level is too high. Similarly, if the level is set to “Windows Server 2008 R2″, servers running Windows 2000, Server 2003 and Server 2008 cannot join the forest as Domain Controllers.
Where possible I like to set the forest functional level as high as I can, as more features are available at the later levels. If you choose a lower level you can raise it later, but you cannot lower it again (Windows Server 2008 R2 only allows dropping back to the 2008 level, and only if the Active Directory Recycle Bin has not been enabled), so treat it as a one-way decision.
We are only going to use Windows Server 2008 R2 in our forest but just in case we’ll set it to the “Windows Server 2003″ level and click next.
7. Next the server examines the DNS configuration to see whether a DNS server is available and whether any DNS server is already authoritative for our chosen forest / domain name.
Once the check has finished we are asked what additional options we wish to install. As this is our first Domain Controller it must also be a Global Catalog, and because we aren't managing DNS for this domain elsewhere we need to install the DNS Server role too. The third option is RODC, or Read-Only Domain Controller: a Domain Controller that does not accept changes to Active Directory and, by default, does not store passwords. Because of that, our first Domain Controller cannot be an RODC.
RODCs are used in branch offices or other insecure locations. If someone gains access to the server, objects in the directory cannot be altered through it, i.e. users cannot be added or removed, passwords changed etc., and because password hashes are not stored on it by default, anyone who steals the server and tries to extract or brute force passwords is out of luck. Through the RODC's Password Replication Policy we can allow it to cache the passwords of selected accounts, typically the users and computers at the branch office, so their logons can be authenticated locally. If the server is then stolen, the administrator can delete the RODC's computer account from the domain without the problems normally associated with removing a Domain Controller that cannot be safely demoted, and the deletion wizard offers to reset the passwords of every user and computer account that RODC had cached, in effect locking those accounts out until they are reset.
So getting back to the setup. Lets make sure DNS is selected and click next.
8. The server examines the DNS configuration again and we should then be told that it cannot find an authoritative parent zone for the domain we specified and therefore cannot create a DNS delegation for this server. We're fine with this because we're using a “.local” domain that exists only for the Windows domain we're creating now, so we click Yes to continue.
9. We now choose where to put the database, the log files and SYSVOL. In an ideal world each of these would be on its own volume, for performance and for easier recovery after a disk failure. That isn't possible in our setup as we only have one volume, so we'll stick with the defaults (C:\Windows\NTDS for the database and logs, C:\Windows\SYSVOL for SYSVOL).
10. We now need to pick a DSRM, or Directory Services Restore Mode, password. This password is used when we have a problem with Active Directory and need to boot the server into DSRM, which is found in the boot menu by pressing F8 at startup, just as you would to get into Safe Mode. Pick something secure that you can retrieve when you need it; it belongs to the local Administrator account of this one server in restore mode and is not the domain Administrator password. If it is lost it can be reset later from an elevated prompt with ntdsutil (“set dsrm password”, then “reset password on server null”).
11. We are now presented with a summary of our setup before we commit it. The “Export settings…” button saves a copy of the answer file that can be used with “dcpromo /unattend:c:\myanswerfile.txt”. The export strips any passwords, such as the DSRM password, and these have to be added back to the text file by hand before it can be used for an unattended setup (which is also why such a file should be deleted, or at least tightly permissioned, once it has been used). Clicking Next starts the setup of our Domain Controller.
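For the next server, or for repeatable builds, the same choices can be made without touching the wizard. What follows is an added example, not part of the original post and not the file the wizard exports: a PowerShell 2.0 script that prompts for the DSRM password at the console, writes the dcpromo “[DCInstall]” answer file with the settings chosen in steps 3 to 11 (new forest pebelnet.local, NetBIOS name PEBELNET, Windows Server 2003 forest and domain level, DNS Server role, Global Catalog, no delegation, default paths), runs dcpromo against it, and deletes the file again because it contains that password in clear text. The answer file path C:\dcpromo-answer.txt is an assumption, as is the choice to handle the reboot by hand afterwards.

```powershell
# Added example (not from the original post): unattended equivalent of the
# wizard choices in steps 3 to 11, for Server 2008 R2 / PowerShell 2.0.
# Assumptions: forest pebelnet.local, NetBIOS PEBELNET, Windows Server 2003
# functional levels (ForestLevel/DomainLevel 2; 0 = 2000, 3 = 2008, 4 = 2008 R2),
# default database/log/SYSVOL paths, scratch file C:\dcpromo-answer.txt.

$AnswerFile = 'C:\dcpromo-answer.txt'

# Prompt for the DSRM password without echo, and unwrap the SecureString only
# long enough to write the answer file.
$secure = Read-Host 'DSRM (Directory Services Restore Mode) password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $dsrm = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Same key names the wizard's "Export settings..." produces on 2008 R2.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=pebelnet.local
DomainNetbiosName=PEBELNET
ForestLevel=2
DomainLevel=2
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

try {
    Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII
    # dcpromo.exe is a GUI-subsystem program, so wait for it explicitly.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
                       -ArgumentList "/unattend:$AnswerFile" -Wait -PassThru
    Write-Host "dcpromo finished with exit code $($p.ExitCode); details are in $env:SystemRoot\debug\dcpromo.log"
}
finally {
    # The answer file holds the DSRM password in clear text: remove it before
    # the reboot rather than leaving it on the new DC's system drive.
    if (Test-Path $AnswerFile) { Remove-Item $AnswerFile -Force }
    $dsrm = $null
}

# RebootOnCompletion=No above so that the clean-up always runs; once the log
# shows a successful promotion, reboot by hand:
# Restart-Computer
```

RebootOnCompletion is deliberately left at No so the finally block gets to delete the answer file before the restart; with Yes, dcpromo would reboot the box while the plaintext DSRM password was still sitting on disk.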
12. The server now installs the various roles and components needed to function as a Domain Controller. Once it has completed we click the “Finish” button and the server prompts us for a reboot to complete the setup.
13. Now the server has booted back up it is a Domain Controller and we log in for the first time. The Administrator password is still the same as before, because the password we set during the wizard is only for Directory Services Restore Mode; the local Administrator account has become the domain Administrator account. We can confirm by looking at the installed roles in Server Manager, where “Active Directory Domain Services” and “DNS Server” are now listed.
We've seen how to set up Windows Server 2008 R2 as a Domain Controller in a new forest, the additional options available during setup, and what options such as Global Catalog and Read-Only Domain Controller do for us and our Windows domain.
I hope you found this post informative, please leave a comment if you have any questions or feedback.