Active Directory is a large set of components, all of which have to work together to create the experience we're used to. The first step is installing the AD DS role. Active Directory Domain Services (AD DS) is a server role in Active Directory that allows admins to manage and store information about resources from a network, as well as application data, in a distributed database. AD DS can also help admins manage a network's elements (computers and end users) and arrange them into a custom hierarchy.

We will install DC01 as the first domain controller in the forest/domain and then add a second domain controller (DC02) to the existing domain.

Open Server Manager –> Manage –> Add Roles and Features

On the Before you begin page, click Next.

On the Select Installation Type page, click Next.


In server selection, leave the default selection and click on next.


From the role selection click on Active Directory Domain Services and click on next. Then it will ask to add additional features. Click on add features and click on next.


In the features selection and Active Directory Domain Services pages, we will keep the default settings and click on next. When you come to Confirmation page click Install.

As you can see in the Add Roles and Features wizard, the installation of the role is complete. Now we need to promote this server to an Active Directory domain controller: click Promote this server to a domain controller.


Note! If you close the wizard without clicking on Promote this server… you can get it back by clicking on Tasks in Server Manager.


This opens a new wizard for the additional AD DS configuration, and it is here that we have a large number of decisions to make. Hopefully you've made these decisions before you get to this point.


One of them is whether we are installing a brand new forest: is this the first domain controller in the first domain of a forest that we're creating from scratch? If yes, choose the Add a new forest option.


Or are we adding a new domain to an existing forest? If we’re adding a new domain to an existing forest, we are creating another triangle underneath the triangle that we have already created before. Anytime I’m adding a new domain to an existing forest this will be the first DC in that new domain.


But in order to establish the connection, the trust between the two, I would need to choose one of the available domain types: either a child domain or a tree domain. The biggest difference is that a tree domain gives you the ability to create a noncontiguous namespace. For example, in a child domain, if I were creating a child domain of, the domain name I would be creating would be <>. If you don't want to inherit the parent domain name, you use a new tree in the forest, like parent is and you can have new tree as. Tree domains don't share a contiguous namespace but still belong to the same forest.


I do also have a third deployment option which is to add a new domain controller to an existing domain, which is of the three the one you’ll find yourself doing quite a bit more than the other two. In this case all I need to do is identify which domain I’m interested in and then provide credentials.


We are, however, creating a brand new forest, a brand new domain, and a brand new domain controller and so, because of that we need to create a new root domain. Choose Add a new forest, type in the name and click next


When I do that I’m going to have a variety of different other options and configurations that I need to set for this domain and forest that I’m creating. The first of which is determining what the forest and domain functional level will need to be for the domain. Now you’ll notice that there are a couple of different options for forest and just a single one for domain. To be able to choose Domain Functional Level 2012 R2 or 2008 you will need to change Forest Functional Level to 2012 R2 or 2008 first.

In most cases, when you’re creating a brand new domain and a brand new forest, you’ll want to create that forest and domain with the highest functional level available. But occasionally if you have applications that you know will not function with that forest or domain functional level, well you may need to set it down to one level below. More often than not, in the vast majority of cases the highest functional level is indeed the one that you’re looking for. (I will choose Windows Server 2012 R2 because I will need it later, but in your case choose 2016)

When you're creating a new domain controller you also have some additional capabilities that you can apply to the domain controller itself. The first is whether that machine should be a DNS server, and whether it should be a global catalog. Because this is the first domain controller in the domain and the forest, the global catalog option is already selected for us. We have to have it as a GC.

Down at the bottom we have what’s called the directory services restore mode password, which is a special password that you will enter once and then never need to enter again, except in the situation where you need to perform an authoritative restore of the active directory database. Once done, click next


On DNS Option page, click Next


On the Additional Options page, the wizard verifies the NetBIOS name that's going to be assigned to the domain. The NetBIOS domain name will be, in most cases, the first set of characters before the first dot in whatever fully qualified domain name you create. Click Next.


On the Paths page, I can define the paths for the different components of Active Directory that are to be installed: the database folder, the log files folder, and the SYSVOL folder. Leave the defaults and click Next.


On the Review Options page, we can review the options and we can also click on View Script. I will click Next


and then allow our prerequisites check to complete, so that we can go about the installation of Active Directory Domain Services onto this machine DC. Looks like all of our prerequisite checks completed successfully, so I'll click the Install button to begin the installation of Active Directory.


After the reboot, this machine DC01 will be in the domain. If I click on Tools, we will be able to see the usual Active Directory tools that have been installed. If I click on Active Directory Users and Computers, we can see that we indeed now have this domain.
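The View Script button on the Review Options page shows a PowerShell script for the same promotion. The script below is an added example, not the wizard's output or code from the original article, that performs the DC01 steps from an elevated PowerShell prompt. `corp.example` and `CORP` are placeholder names (the article's own domain name is not reproduced here), and the paths are the wizard defaults.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps for DC01.
# Assumption: placeholder names, replace with your own forest root domain.
$DomainName  = 'corp.example'   # placeholder FQDN
$NetbiosName = 'CORP'           # placeholder NetBIOS name (text before the first dot)

# Add Roles and Features wizard: install the AD DS role plus management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for the DSRM password as a SecureString so it is never stored
# in the script, the console history or a transcript.
$Dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# Same choices as the walkthrough: new forest, 2012 R2 functional levels,
# DNS server on the DC, default database/log/SYSVOL paths.
$ForestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = 'Win2012R2'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $Dsrm
}

Import-Module ADDSDeployment

# Prerequisites check, the scripted counterpart of the wizard's check page.
# Warnings are shown but only an Error result stops the promotion.
$Check = Test-ADDSForestInstallation @ForestParams
$Check | Format-Table Status, Message -Wrap
if ($Check | Where-Object { "$($_.Status)" -eq 'Error' }) {
    throw 'Prerequisite check reported an error; server was not promoted.'
}

# Promote the server. It reboots automatically when the promotion finishes.
Install-ADDSForest @ForestParams -NoRebootOnCompletion:$false -Force
```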


That’s it. Our first domain controller is up and running. Our next step is to add another DC (DC02). The process of installing AD DS role is the same so I will skip that part.

When you come to the Deployment Configuration page, choose the first option Add a domain controller to an existing domain and specify the domain and the credentials. Once done click next


Again we have the option to determine whether this machine should be a DNS server, and whether it should be a global catalog. I will leave the defaults and specify the DSRM password. Click Next.


On DNS options page, click next.

On the Additional Options page, we can choose to install from media. I don't have IFM media, so I will click Next. Walk through the wizard accepting the defaults and click Install. Once installed, the server will reboot, and the next time you log in it will have been promoted as the second DC in the domain.
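The DC02 promotion can be scripted the same way. This is an added example, not code from the original article; `corp.example` is a placeholder for the existing domain, and the credential prompt expects an account allowed to add domain controllers to it.

```powershell
#Requires -RunAsAdministrator
# Added example: add DC02 as an additional domain controller.
# Assumption: 'corp.example' is a placeholder for the existing domain.
$DomainName = 'corp.example'

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Deployment Configuration page: domain plus credentials.
# Get-Credential keeps the password out of the script and command line.
$Cred = Get-Credential -Message "Account allowed to add a DC to $DomainName"

# Domain Controller Options page: DSRM password, entered interactively.
$Dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# Wizard defaults from the walkthrough: DNS server and global catalog enabled.
# Replication runs over the network; for install from media (IFM) you would
# add -InstallationMediaPath pointing at the IFM folder.
$DcParams = @{
    DomainName                    = $DomainName
    Credential                    = $Cred
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $Dsrm
}

Import-Module ADDSDeployment

# Prerequisites check before touching the directory.
$Check = Test-ADDSDomainControllerInstallation @DcParams
$Check | Format-Table Status, Message -Wrap
if ($Check | Where-Object { "$($_.Status)" -eq 'Error' }) {
    throw 'Prerequisite check reported an error; server was not promoted.'
}

# Promote and reboot.
Install-ADDSDomainController @DcParams -NoRebootOnCompletion:$false -Force
```

After the reboot, `Get-ADDomainController -Filter *` should list both DC01 and DC02, and `repadmin /replsummary` shows whether they replicate without errors.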


That’s it. In our next parts we will see how we can manage users, computers, groups, what are FSMO roles, functional levels etc.

What we covered.

  • How to install AD DS and how to promote a server to domain controller
  • How to add a second domain controller to an existing domain.