Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. At the core of AD DS is the domain controller. A domain controller provides authentication and logon services, Group Policy, Domain Name System (DNS) name resolution, and other identity management services for the users and computers in a domain, along with other enterprise management services.
In this course, we start by reviewing the AD DS environment, including forests and domains. Then we review considerations for deploying domain controllers in a virtualized environment, on-premises, and in Azure. Next, we look at use cases for deploying read-only domain controllers at locations where physical security cannot be guaranteed. Lastly, we examine Flexible Single Master Operations (FSMO) roles and how to locate and move them to support troubleshooting efforts.
- Deploy and manage domain controllers on-premises
- Deploy and manage domain controllers in Azure
- Deploy read-only domain controllers (RODCs)
- View, manage, and troubleshoot flexible single master operations (FSMO) roles
- System administrators with responsibilities for managing hybrid identities
- Subject matter experts in configuring and managing Active Directory workloads on-premises and in Azure
- Anyone preparing for the Microsoft AZ-800 Administering Windows Server Hybrid Core Infrastructure exam
- A basic understanding of deploying and managing Microsoft Windows servers
- Windows Server installation media and an environment to run Windows Server (trial available at https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022)
Welcome to the first demo, where we install Active Directory Domain Services on a Windows server. Before we get started, let's review what's required and what's already in place. This example uses Windows Hyper-V as the virtualization platform. If you're following along and have a different virtualization platform, that's fine; Windows Server is supported on platforms other than Hyper-V. Be aware that if you're studying for a Microsoft certification, any hypervisor-related questions will likely be about Hyper-V.
The demo environment is a physical server with Windows Server 2022 and the Hyper-V role installed. It also has a virtual switch with external connectivity.
We'll create a Windows VM on Hyper-V in this demo, then install Active Directory Domain Services to create our first domain controller. We need a couple of pieces of information to move forward, including the name of our new domain. This name is not public and can be anything you like, but it has to be in a name.extension format similar to an Internet domain name. It was not uncommon to use non-routable domain names, that is, names under a suffix that is not delegated on the public Internet, such as example.local.
Domains were configured this way as a security measure because the name cannot be resolved from the Internet, so there's a good chance you will see non-routable domain names in a production environment. A non-routable name is still an option for AD DS, but it offers little security advantage: the name is hidden only from the Internet, not from anyone on the internal network. The .local suffix in particular is reserved for multicast DNS (RFC 6762), so macOS and Linux clients may try to resolve it by mDNS rather than through your domain controllers. Microsoft's current guidance is to use a subdomain of a DNS name you own, such as ad.example.com. To take full advantage of a hybrid configuration with Azure AD, we need a registered, publicly resolvable domain name to add as a custom domain in Azure AD. Public domain names are registered through a registrar and, depending on the name, are relatively inexpensive. The public domain name does not have to match the domain name used for AD DS, but some upcoming configuration items are simpler if they're the same. Registering a domain name is not required to follow along with the demos coming up, but it is something to be aware of for hybrid identities with Azure AD. Also, a static IP address is recommended for domain controllers; have a static IP address allocated and ready to assign to the VM that will become the domain controller. Lastly, if you'd like to follow along, Microsoft has a 180-day trial of Windows Server available. A link is included with the course material.
Let's go to Hyper-V and start the deployment. Here we are in Hyper-V Manager. Let's start by creating a new VM and clicking 'Next' through the wizard. We'll give it a name, WindowsDC1 for this example. We'll use Generation 2 hardware and give it 4 GB (4,096 MB) of RAM. Select the virtual switch you'd like the VM to attach to. The default disk settings are sufficient for this example. From the installation options screen, select the Windows Server ISO file. If it all looks good, click 'Finish' to create the VM. Before we start the VM and the installation, let's add a data disk that we'll use to store the Active Directory database. Right-click the VM and go to 'Settings.' Under 'Add Hardware' select 'SCSI Controller' and click 'Add.' Add a hard drive and select 'New' to create a new virtual disk. A dynamically expanding disk is fine for this example: the .vhdx file starts small and grows as data is written, up to the allocated size. Change the name, WindowsDC1-data for this example, set the size to 100 GB and go to Summary. Click 'Finish' and then 'Apply' to add the disk.
Next, we'll start the VM to install the OS. Double-click the VM to open the console, click 'Start,' and then, with the focus in the VM window, press any key to boot from the DVD. If that goes by too quickly, use the Reset or Ctrl+Alt+Del buttons on the console toolbar to restart the VM. Select the location information and click 'Install now.' Enter a product key if you have one; otherwise select 'I don't have a product key' and enter it later. For this example, we'll install Windows Server 2022 Datacenter (Desktop Experience). Read and accept the license terms and click 'Next.' Select the custom installation, select the first disk, Drive 0, and click 'Next.' This starts the OS installation. Let's pause here until it finishes and reboots. Once the installation finishes and the server reboots, we get a prompt to set the Administrator password. This server will be the first domain controller in a new forest.
Once the forest is created, this local Administrator account becomes the domain's built-in Administrator, a member of Domain Admins and Enterprise Admins, so choose the password accordingly. Enter a password to finish the installation, then log in with the Administrator account; the Ctrl+Alt+Del button in the top-left corner of the console displays the login prompt. Now we're logged in and at the Server Manager window. Let's complete a couple of steps before we install Active Directory Domain Services. First, let's change the server name: go to 'Local Server,' click the computer name, and click 'Change.' Change it to match the VM name, WindowsDC1 for this example. Click 'OK' but don't restart yet. Close Server Manager and open Disk Management ('Create and format hard disk partitions' in the Start menu). Our 100 GB data drive is attached but hasn't been initialized and formatted yet, so let's initialize the disk and create a new simple volume. Drive letter E is fine for this example; give it the label DataDrive and leave it formatted as NTFS.
Now we have our data drive for the Active Directory database; next we need to set a static IP. Close Disk Management and go to network connections: 'Control Panel,' 'View network status and tasks,' 'Change adapter settings,' then right-click the network adapter and open 'Properties.' Select 'Internet Protocol Version 4 (TCP/IPv4)' and 'Properties,' and provide the IP address, subnet mask, and default gateway for this server. Also set the preferred DNS server to the server's own address: the DNS role is installed when the server is promoted, and a domain controller should resolve domain records through itself. Click 'OK,' close the dialogs, and now we can restart the server. Log in to the VM with the local Administrator account again. We'll install the Active Directory Domain Services role next; these steps are the same no matter which virtualization platform is used. From Server Manager go to 'Manage,' 'Add Roles and Features.' Click 'Next' to 'Server Roles' and select 'Active Directory Domain Services.' Click 'Add Features' to add the required management tools, then click 'Next' to the AD DS page. Note the recommendation to install a minimum of two domain controllers per domain and the requirement for DNS. Click 'Next,' then 'Install.' This installs the AD DS binaries; once it's finished, we can configure the server as a domain controller. Let's pause here until it finishes.
Here we are, it's finished, and now we have a warning indicator in Server Manager; let's open that. It tells us we have post-deployment configuration to complete: promote this server to a domain controller. This brings us to the Active Directory Domain Services Configuration Wizard. We have the option to add a domain controller to an existing domain or to add a new domain to an existing forest. This is the first domain in a new forest, so we select 'Add a new forest.' This creates the root domain of the forest. Provide a domain name for the new domain. For my example, I'll use edinalab.local. This is a non-routable domain; you can instead use a routable name that matches a public domain you own, ideally a subdomain of it. For this example, though, I'm using a non-routable domain. Click 'Next.' We can leave the domain and forest functional levels at Windows Server 2016, which is the highest level available; Windows Server 2019 and 2022 did not add new functional levels. The server will also be a DNS server, and as the first domain controller in the forest it must be a global catalog server. Provide a password for Directory Services Restore Mode (DSRM). This password is required to recover the directory database; it is not the Administrator logon. Treat it as a privileged credential: store it in a password vault where it is available when the database has to be recovered, and rotate it with 'ntdsutil "set dsrm password"' if it is ever exposed. We'll see a warning that a delegation for this DNS server cannot be created because there is no authoritative parent zone; that's expected for a new forest, so click 'Next.' The NetBIOS name is a legacy name used by older clients; leave it as it is and go to 'Next.' We'll change the drive letter in the paths to the new data disk. In a large environment, we could split the database, log, and SYSVOL folders across different drives as well; for this example, we'll keep them on the same drive. Review the information and click 'Next.'
It's not uncommon to see some warnings on the prerequisites check; review them and, once finished, click 'Install.' This configures the service and restarts the VM. Let's pause here and come back once it's finished. Once the services are configured and the server has restarted, we log in as a domain admin. In Server Manager, we now have Active Directory Domain Services listed as well as DNS. Let's go to 'Active Directory Users and Computers.' Here are the user and computer accounts in the domain. Go to the domain, 'Users,' open the Administrator account we used to log in, and go to 'Member Of.' Notice that this account is a member of Domain Admins and Enterprise Admins (and, in the forest root domain, Schema Admins), giving it full control of the domain and the forest. It is the most privileged account you have just created, so reserve it for emergency use and do day-to-day administration with separate, delegated accounts. We now have a virtualized domain controller running on-premises with Hyper-V.
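The same deployment as PowerShell, added here as an example and not part of the course material. It runs in two stages: stage 1 on the Hyper-V host to create the VM and its data disk, stage 2 inside the new VM to prepare the disk and network, install the AD DS role, run the prerequisite check, and promote the server, followed by a verification that the new domain controller holds the global catalog and all five FSMO roles and that the built-in Administrator landed in Domain Admins and Enterprise Admins. The paths, switch name, IP addresses, and the EDINALAB NetBIOS name are assumptions for a lab; only the domain name edinalab.local comes from the demo.

```powershell
# Added example, not from the course. Paths, switch name, addresses and the
# NetBIOS name are lab assumptions; replace them with your own values.

# ---- Stage 1: on the Hyper-V host ------------------------------------------
$VMName  = 'WindowsDC1'
$VMPath  = 'D:\Hyper-V'                          # assumed host folder for VM files
$IsoPath = 'D:\ISO\WindowsServer2022.iso'        # assumed path to the Server 2022 ISO
$Switch  = 'External'                            # assumed name of the external vSwitch

New-Item -ItemType Directory -Path "$VMPath\$VMName" -Force | Out-Null
New-VM -Name $VMName -Generation 2 -MemoryStartupBytes 4GB -SwitchName $Switch `
       -Path $VMPath -NewVHDPath "$VMPath\$VMName\$VMName.vhdx" -NewVHDSizeBytes 127GB

# Second, dynamically expanding 100 GB disk for the AD DS database, logs and SYSVOL
New-VHD -Path "$VMPath\$VMName\$VMName-data.vhdx" -SizeBytes 100GB -Dynamic | Out-Null
Add-VMHardDiskDrive -VMName $VMName -Path "$VMPath\$VMName\$VMName-data.vhdx"

# Attach the installation media and make it the first boot device
Add-VMDvdDrive -VMName $VMName -Path $IsoPath
Set-VMFirmware -VMName $VMName -FirstBootDevice (Get-VMDvdDrive -VMName $VMName)
Start-VM -Name $VMName
# Complete the interactive OS installation in the console, then continue inside the guest.

# ---- Stage 2: inside the new VM, as the local Administrator -------------------
$DCName     = 'WindowsDC1'
$IPAddress  = '192.168.10.10'    # assumed static address for the domain controller
$Prefix     = 24
$Gateway    = '192.168.10.1'     # assumed default gateway
$DomainName = 'edinalab.local'   # the demo's non-routable name; prefer a subdomain of a name you own

# Initialize the raw data disk as GPT, create one NTFS volume and assign E:
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter E -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'DataDrive' -Confirm:$false

# Static IPv4: drop any DHCP lease and default route first, then point DNS at this server
$Adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-NetIPInterface -InterfaceIndex $Adapter.ifIndex -Dhcp Disabled
Remove-NetIPAddress -InterfaceIndex $Adapter.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceIndex $Adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $Adapter.ifIndex -IPAddress $IPAddress -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $IPAddress

Rename-Computer -NewName $DCName -Force -Restart
# After the reboot, log back in as the local Administrator and continue.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password is not the Administrator password; it is needed to recover the
# directory database, so record it in a password vault before promoting.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Same prerequisite checks the wizard runs; review warnings before promoting
Test-ADDSForestInstallation -DomainName $DomainName -SafeModeAdministratorPassword $DsrmPassword -InstallDns

# Promote: new forest, Server 2016 functional levels, DNS, database/logs/SYSVOL on E:
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName 'EDINALAB' `
    -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
    -DatabasePath 'E:\NTDS' -LogPath 'E:\NTDS' -SysvolPath 'E:\SYSVOL' `
    -SafeModeAdministratorPassword $DsrmPassword -Force
# The server reboots as the first domain controller in the new forest.

# ---- Verification after the reboot, logged in as EDINALAB\Administrator -------
# The first DC must be a global catalog and holds all five FSMO roles
Get-ADDomainController -Identity $DCName | Select-Object Name, IsGlobalCatalog, OperationMasterRoles
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
# Confirm the built-in Administrator is now in Domain Admins and Enterprise Admins
Get-ADPrincipalGroupMembership -Identity 'Administrator' |
    Where-Object { $_.Name -in @('Domain Admins', 'Enterprise Admins', 'Schema Admins') } |
    Select-Object Name
```

Run stage 1 in an elevated PowerShell session on the host and stage 2 in an elevated session inside the guest; the two reboots (after the rename and after promotion) split stage 2 into three sittings. Because Install-ADDSForest takes the DSRM password as a SecureString, it never appears on the command line or in the transcript, which is one reason to prefer this form over pasting a password into a script.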
Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.