Active Directory, Part 1, Installation
Active Directory, what is it and why do you need it? Why does it always sound like such a mystery? Well, I'm hoping to shed some light on it, at a high level, for all you beginners out there.
Active Directory (AD) is Microsoft’s Directory Service that lets you do a bunch of really cool things with the computers that are part of your “AD”. I’ll try to keep it simple.
Active Directory is a database that is distributed across "Domain Controllers" and lets administrators manage many computers at once by pushing policies that control:
1. What users can do on their computers
2. What settings are pushed across all the computers in the domain
3. Control of applications
4. Installation of applications
5. User directory and user data
6. System information like printers and file shares, to make them easily accessible to the end
7. It's the base for many higher-level applications from Microsoft, like Lync and Exchange
AD is based on the industry-standard Lightweight Directory Access Protocol (LDAP). The objects (anything in the AD) are made up of attributes that help define the object in the AD. The objects and attributes are defined by the AD schema. The directory is split into 3 major "partitions" or naming contexts:
Schema partition: contains class and attribute definitions
Configuration partition: contains configuration data for services, partitions, and sites
Domain partition: contains users, groups, contacts, computers
Since AD is a database, it can be extended almost any way you want, to include any attribute you create for your organization.
Enough of that, let's get to it. As with most of my posts I'll use Windows Server 2008 R2, but here is a list of the other versions of Windows that can run Active Directory:
1. Where it all started, Windows 2000
2. Windows Server 2003
3. Windows Server 2003 R2
4. Windows Server 2008
5. Windows Server 2008 R2
6. Windows Server 2012
7. Windows Server 2012 R2
8. Windows Server 2016
From Windows Server 2008 and above these steps are pretty much the same, so feel free to follow along.
First deploy a VM or physical machine with these specs:
Processor: minimum 1.4 GHz (x64 processor). An Intel Itanium 2 processor is required for Windows Server 2008 R2 for Itanium-Based Systems.
Memory: minimum 512 MB RAM. Maximum: 8 GB (Foundation), 32 GB (Standard) or 2 TB (Enterprise, Datacenter, and Itanium-Based Systems).
Disk space: minimum 32 GB or greater. Note: computers with more than 16 GB of RAM will require more disk space for paging, hibernation, and dump files.
Display: Super VGA (800 × 600) or higher resolution monitor.
Other: DVD drive, keyboard and Microsoft mouse (or compatible pointing device).
Do your build like you have in the past, or you can use the Windows 7 post here, as the install is very similar:
A couple of things to do before you start your ADDS install:
1. Log into your server.
2. Make sure you assign a static IP address (if on premise; if in the cloud, make sure it's the same dynamic address assigned to the VM).
3. Change the server's hostname. Run this command from an elevated PowerShell prompt and replace "NEW-NAME" with the name you want your server to have, following your naming convention. The new name takes effect after a reboot.
netdom renamecomputer "$env:COMPUTERNAME" /NewName:"NEW-NAME"
When you log on to the server, Server Manager opens automatically.
In Server Manager click on Roles
Select Active Directory Domain Services (ADDS). You WILL be prompted to install another feature, .NET Framework 3.5.1
Click Add Required Feature
This is an introduction to ADDS. After you read through it, click Next
In the confirmation tab, Click Install
Installation Results. On this page you should see Installation Complete in both sections.
Click Close to close this Wizard. That completes the ADDS installation.
Switching gears, let's walk through a basic configuration.
There are two ways to kick off the ADDS configuration.
Method 1: From the command line. Start a command prompt and type DCPROMO. This still works in Windows Server 2012 and Windows Server 2012 R2, but it says it's deprecated and that you should use the Wizard to configure ADDS.
Method 2: (Preferred)
When you click on Active Directory Domain Services on the left, on the right there is a dialog in BLUE that says "Run the Active Directory Domain Services Installation Wizard"
Both methods end up in the same place.
This is an important dialog box and we need to stop here to explain what it means.
In short it means that computers running Windows NT 4.0 or older can and will have issues joining this domain. This is not limited to Windows machines, however. Linux machines can use SAMBA to attach to Windows domains, and older implementations of SAMBA will have issues with these domains as well. For further details see this LINK
For this exercise we are going to Create a new domain in a new forest. If we were expanding a forest we would select Existing Forest.
This is one of the parts where it can get confusing to people. Since ADDS is an LDAP directory, it follows the DNS domain naming standard. In traditional domains your .com, .edu, etc. are the top domain levels. Most companies already have DNS in place, and it used to be acceptable to use non-routable DNS names like .local for your AD. Well, not anymore. Now the accepted practice is to use your real domain name and make your AD a subdomain of it. In our example we use misfitbox.com, so this AD will be called ad.misfitbox.com.
Fill in your Fully Qualified Domain Name for the AD and click Next
We need to decide the Forest Functional Level of the forest. What and why? It sets which versions of Windows can participate as domain controllers and which features of ADDS are unlocked. For more details see this LINK
Additional roles are needed to have a fully functional domain controller. ADDS can work with your existing DNS if your DNS implementation supports SRV records. The easiest option is to use the DNS server that is installed with Windows. If you are integrating with your current DNS
Click DNS Server and Next
DNS delegation was just mentioned. Click Yes
Database, logs and SYSVOL: this is where you choose where you want them. If your VM or physical server has multiple volumes you can set up these folders on a separate volume. On a physical server with physical drives you can split the folders onto a separate set of spindles for faster reads and writes.
The Directory Services Restore Mode (DSRM) Administrator password is needed when something has gone totally wrong with your ADDS and it needs to be restored in an emergency.
Fill in a password and keep it safe: write it down, seal it in an envelope, put it in a safe, etc.
Finally, a summary. There is a nifty Export Settings button here. It exports all the settings you just entered for your AD as an answer file, so you can use them again for other server deployments that will be Domain Controllers. Click it, save it off and take a look at what's in there.
Configuration is done; installation starts again.
I generally click the Reboot on completion tick box to reboot when the Wizard is done.
The server will reboot automatically (since we told it to) and will boot back to the familiar CTRL-ALT-DEL screen.
When you log on, the password you set for the local Administrator account will now be the Domain Admin password for your new forest.
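The whole build above, from the prerequisites through the wizard choices, as one unattended PowerShell script for Windows Server 2008 R2 (an added example, not the post's own code). It uses the same [DCInstall] answer-file keys the wizard's Export Settings button writes; the hostname, adapter name, IP addresses and NetBIOS name are assumed values, the domain is the post's ad.misfitbox.com.

```powershell
# Added example, not from the original post: the same new-forest build run
# unattended on Windows Server 2008 R2. Hostname, adapter, addresses and the
# NetBIOS name are assumed; the DNS name is the post's ad.misfitbox.com.
$NewName  = 'DC01'
$Adapter  = 'Local Area Connection'
$StaticIP = '192.168.10.5'        # assumed on-premise address (step 2 above)
$Gateway  = '192.168.10.1'
$Fqdn     = 'ad.misfitbox.com'    # AD as a subdomain of the public DNS name
$Answer   = 'C:\dcpromo-answer.txt'

# Step 2: static address. netsh works on 2008 R2 (New-NetIPAddress needs 2012+).
# DNS points at this server because the wizard installs the DNS role here.
netsh interface ip set address $Adapter static $StaticIP 255.255.255.0 $Gateway
netsh interface ip set dns $Adapter static $StaticIP

# Step 3: rename. netdom needs a reboot to apply it, so re-run the script after.
if ($env:COMPUTERNAME -ne $NewName) {
    netdom renamecomputer $env:COMPUTERNAME /NewName:$NewName /Force /Reboot:5
    exit
}

# Server Manager part: add the ADDS role (pulls in .NET Framework 3.5.1).
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services

# Wizard part as an answer file: new forest, 2008 R2 forest/domain level (4),
# DNS role installed, default database/log/SYSVOL paths, no auto-reboot yet.
$Dsrm = Read-Host 'Directory Services Restore Mode password'
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$Fqdn
DomainNetbiosName=AD
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$Dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $Answer -Encoding ASCII

# Promote, then delete the answer file at once: it holds the DSRM password in
# clear text. Reboot ourselves instead of letting dcpromo do it.
dcpromo /unattend:$Answer
Remove-Item -Path $Answer -Force
Restart-Computer -Force
```

After the reboot, log on with the local Administrator password, which is now the Domain Admin password for the new forest.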
That's your AD install. There are many configurations that need to happen now, but I'll save those for the next post.