So, this is a bit overdue; the screenshots have been sitting in a folder for weeks. In this post I get a basic domain controller set up, join a web server and a SQL server to the domain, and test that a domain user can log in at the console. Fairly straightforward stuff.
Always start by checking for Windows Updates. Get it done.
Change the computer name to something useful. I don't use cute names like the members of the Fantastic Four, letters of the Greek alphabet, etc.; obfuscation is unnecessary in my opinion. For the first domain controller in my environment, DC01 it is.
Bring up Server Manager, select Manage, and click on Add Roles and Features.
This starts a wizard's worth of dialog boxes; click Next.
…and click Next...
…and Next again…
In Server Roles, check Active Directory Domain Services, which opens a popup dialog like the one shown below. Make sure Include management tools is checked too, then click Add Features.
…and click Next.
Ok, Next one more time.
I typically check Restart the destination server automatically if required, then click Install.
Wait for it to finish. You can safely click Close if you wish; Server Manager will notify you when the install completes.
Active Directory Domain Services is installed but not configured yet. Next, click Promote this server to a domain controller in the Server Manager notification (flag) dialog.
This is the first domain controller in my entire environment, so it is my first forest. Make sure Add a new forest is selected and fill in your Root domain name. There are several schools of thought on naming, but Microsoft has the most definitive guidance on this topic, especially on disjoint namespaces. That said, for my test environment I accept that my lab will be disjoint with WIRELESSHOBO.TEST. (The .test top-level domain is reserved for exactly this purpose by RFC 2606, so it can never collide with a public zone.)
I didn't see any new functional levels with Server 2022; forest and domain functional levels top out at Windows Server 2016, so the dropdowns look the same as before. Make sure Domain Name System (DNS) server and Global Catalog (GC) are selected. Set a Directory Services Restore Mode (DSRM) password. Keep it secret. Keep it safe: it is the only credential that gets you into the box when the directory itself is broken.
Review the settings. Click View script and save the generated PowerShell somewhere, should you want to try that route later. Next.
None of the warnings concerned me for a test environment, so click Install.
When done, reboot the box if it doesn't reboot on its own. Sign in with the Administrator account for the domain. Important to note: once promoted, a domain controller no longer has a local SAM, so there is no separate local Administrator account; the built-in Administrator is now the domain's. The DSRM password is the only local-style credential left, and it only works in Directory Services Restore Mode.
Start DNS Manager... 192.168.68.74? Oops, my DC is still getting its address from dynamic host configuration protocol (DHCP).
Let's set it to something static like 192.168.68.200. A domain controller must have a static address, and its own DNS client should point at itself (or at another DC) rather than at the router, because every member you join will be told to use it as the domain's DNS. Remember that I am running in a virtualized environment, so the address only needs to be valid on the lab network. Reboot and check the DNS settings; they should show 192.168.68.200 now.
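The whole DC01 build as one script, added here as an example and not the post's own: it folds the static address step in before the promotion (the post fixes DHCP afterwards), because a DC should never be promoted on a leased address, and Phase 2 runs the same Install-ADDSForest cmdlet the wizard's View script button shows. DC01, 192.168.68.200 and WIRELESSHOBO.TEST come from the post; the /24 prefix, the 192.168.68.1 gateway and the single-adapter selection are assumptions about this lab. Run it at the VM console from an elevated prompt: Invoke-Phase1, let it reboot, then Invoke-Phase2, then Test-Dc01 after the promotion reboot.

```powershell
# Added example (not the post's script). Values marked "assumption" must match your lab.
$ComputerName = 'DC01'
$Ip           = '192.168.68.200'
$Prefix       = 24                  # assumption: lab is 192.168.68.0/24
$Gateway      = '192.168.68.1'      # assumption: the lab router
$DomainName   = 'WIRELESSHOBO.TEST'
$NetbiosName  = 'WIRELESSHOBO'

function Invoke-Phase1 {
    # First connected adapter; the lab VM is assumed to have exactly one.
    $ifc = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name

    # Replace the DHCP lease with a fixed address and point the DNS client at this box.
    Set-NetIPInterface -InterfaceAlias $ifc -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $ifc -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $ifc -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $ifc -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $ifc -ServerAddresses $Ip

    # Rename; the reboot has to happen before the role is promoted.
    Rename-Computer -NewName $ComputerName -Force -Restart
}

function Invoke-Phase2 {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # DSRM password is prompted for, never hard-coded into a script that ends up in a repo.
    $dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode Administrator) password'

    # WinThreshold is Windows Server 2016, the highest functional level Server 2022 offers.
    # The first DC in a forest is always a global catalog; DNS is installed alongside it.
    Install-ADDSForest `
        -DomainName $DomainName `
        -DomainNetbiosName $NetbiosName `
        -ForestMode 'WinThreshold' `
        -DomainMode 'WinThreshold' `
        -InstallDns:$true `
        -CreateDnsDelegation:$false `
        -DatabasePath 'C:\Windows\NTDS' `
        -LogPath 'C:\Windows\NTDS' `
        -SysvolPath 'C:\Windows\SYSVOL' `
        -SafeModeAdministratorPassword $dsrm `
        -NoRebootOnCompletion:$false `
        -Force:$true
}

function Test-Dc01 {
    # After the promotion reboot: the DC locator record that every domain join depends on
    # must resolve from this server's own DNS, and the DC must advertise itself.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $Ip
    Get-ADDomainController -Identity $ComputerName |
        Select-Object HostName, IsGlobalCatalog, OperationMasterRoles
    dcdiag /test:dns /test:advertising
}
```

Test-Dc01 is the check worth keeping around: if the SRV lookup fails against 192.168.68.200, no member server will be able to find the domain either, no matter what its IPv6 settings are.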
Fire up Active Directory Users and Computers. You will probably see just a lonely domain controller under Domain Controllers. We will add some friends soon.
Expand the domain's tree and look through all the subfolders. In this case, I added all of the underscore-prefixed folders. I like how the underscore makes those folders always sort to the top.
I am thinking we have two classes of Computers, Servers and Workstations, and two classes of Users, Service Accounts and Staff.
Why not use Users or Computers at the top of the tree? I like the specificity of knowing that anything under _Wirelesshobo was created by me, and that any group policy applied there lands on organizational units (OUs) that I created. The built-in Users and Computers are containers, not OUs, so group policy cannot be linked to them anyway.
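The same OU tree built with the ActiveDirectory module on DC01, as an added example rather than the post's own steps. The class names are the post's; nesting them under _Computers and _Users beneath _Wirelesshobo is an assumption about the author's layout. Each OU is created with accidental-deletion protection, which the GUI turns on by default and a script easily forgets.

```powershell
# Added example (not the post's). Layout below _Wirelesshobo is an assumption.
Import-Module ActiveDirectory

function New-LabOu {
    # Creates OU=$Name under $ParentDN if it does not already exist; returns its DN either way.
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

$domainDn = (Get-ADDomain).DistinguishedName          # DC=WIRELESSHOBO,DC=TEST
$root     = New-LabOu -Name '_Wirelesshobo' -ParentDN $domainDn

$computers = New-LabOu -Name '_Computers' -ParentDN $root
foreach ($ou in '_Servers', '_Workstations') { New-LabOu -Name $ou -ParentDN $computers | Out-Null }

$users = New-LabOu -Name '_Users' -ParentDN $root
foreach ($ou in '_Service Accounts', '_Staff') { New-LabOu -Name $ou -ParentDN $users | Out-Null }

# Show the result; every row should read True in the protection column.
Get-ADOrganizationalUnit -Filter * -SearchBase $root -Properties ProtectedFromAccidentalDeletion |
    Sort-Object DistinguishedName |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
```

The function is idempotent, so the script can be re-run after a rename or a restore without erroring on OUs that already exist.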
Join A Server to the Domain
Now that the domain is up and running, let’s join a test web server to the domain. From the web server, click on Workgroup in Server Manager -> Local Server.
Click on the Change button to join to the WIRELESSHOBO domain.
Enter a domain administrator username and password to authorize the addition to the domain.
Oops. Turns out IPv6 isn't configured in my test environment and I couldn't join the web server to the domain. Again, for the purposes of this lab, I don't care about IPv6 at this time.
So I turned off IPv6 on DC01 and rebooted.
Here is the event log that started me down this path... what do you mean it can't find domain WIRELESSHOBO? Well, it is defaulting to IPv6 and can't find it.
Disabled IPv6 on the web server too.
Statically set the IP address for WEB01 to 192.168.68.201.
Make sure time is in sync on the server. Maybe we will explore keeping time in a domain at some point, but right now I feel like it has been written a few times already. For a simple environment, the default time synchronization, where members follow the domain hierarchy and the PDC emulator is the authoritative source, is more than sufficient to keep servers and workstations from dropping off the domain. It is not optional, though: Kerberos rejects authentication when clocks differ by more than five minutes by default.
Retrying the join now yields a more positive dialog.
Close the dialog and reboot the server. Rinse and repeat for any additional servers.
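The member-server side of the join, scripted from WEB01's elevated console with the two preflight checks that explain a failed join before you retry it. This is an added example, not the post's own procedure: WEB01's 192.168.68.201, DC01's 192.168.68.200 and the domain name are from the post; the /24 prefix, the gateway and the single-adapter assumption are mine. It leaves IPv6 alone (Microsoft recommends against disabling it) and instead makes sure the DNS client asks DC01, which is what lets the domain's locator records resolve.

```powershell
# Added example (not the post's). Prefix, gateway and adapter choice are assumptions.
$Domain  = 'WIRELESSHOBO.TEST'
$Dc      = '192.168.68.200'
$Ip      = '192.168.68.201'
$Prefix  = 24               # assumption: 192.168.68.0/24
$Gateway = '192.168.68.1'   # assumption: the lab router

function Set-LabMemberNetwork {
    $ifc = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name
    Set-NetIPInterface -InterfaceAlias $ifc -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $ifc -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $ifc -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $ifc -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
    # The DNS client must ask DC01, not the router; otherwise "domain could not be contacted".
    Set-DnsClientServerAddress -InterfaceAlias $ifc -ServerAddresses $Dc
}

function Test-JoinPrereqs {
    # 1. Can this box find a domain controller through DNS?
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc -ErrorAction Stop
    "DC locator record(s): $(($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', ')"

    # 2. Is the clock within the 5-minute Kerberos tolerance of the DC?
    $sample = w32tm /stripchart /computer:$Dc /samples:1 /dataonly | Select-Object -Last 1
    if ($sample -match '([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$Matches[1])
        if ($skew -gt 300) { throw "Clock is ${skew}s off from $Dc; fix time before joining." }
        "Clock skew vs ${Dc}: ${skew}s"
    } else {
        throw "Could not sample time from $Dc (UDP 123 blocked?): $sample"
    }
}

function Join-LabDomain {
    $cred = Get-Credential -Message "Account allowed to join machines to $Domain"
    # Optional: add -OUPath 'OU=_Servers,OU=_Computers,OU=_Wirelesshobo,DC=WIRELESSHOBO,DC=TEST'
    # (assumed OU layout) to land in that OU instead of the default Computers container.
    Add-Computer -DomainName $Domain -Credential $cred -Restart
}

# After the reboot, from an elevated prompt on WEB01:
#   Test-ComputerSecureChannel -Verbose   # True means the machine account trust works
Set-LabMemberNetwork
Test-JoinPrereqs
Join-LabDomain
```

Test-JoinPrereqs is the part worth running on any box that refuses to join: a failed SRV lookup means the problem is DNS, and a large skew means the join may succeed but Kerberos logons will fail afterwards.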
After adding the SQL01 server to the domain, notice that the join process put both servers in the default Computers container. We will come back to that in another post.
Let’s create a test staff user on DC01. Jane Doe is born!
Can we login to WEB01 from the local console with our new test user?
Yes, we can.
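The same test driven from PowerShell, added here as an example and not part of the post: create Jane Doe in the _Staff OU from DC01, then on WEB01 confirm both why she is allowed at the console and, after she signs in, that the Security log recorded the interactive logon. The OU path and the jdoe logon name are assumptions; the post gives only the display name.

```powershell
# Added example (not the post's). OU path and sAMAccountName are assumptions.

# --- On DC01 ---
Import-Module ActiveDirectory
$staffOu = 'OU=_Staff,OU=_Users,OU=_Wirelesshobo,DC=WIRELESSHOBO,DC=TEST'   # assumption
$pw = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@WIRELESSHOBO.TEST' `
    -Path $staffOu -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
Get-ADUser -Identity jdoe -Properties PasswordExpired |
    Select-Object DistinguishedName, Enabled, PasswordExpired

# --- On WEB01, elevated ---
function Test-ConsoleLogonAllowed {
    # Domain Users is nested into the local Users group on a member server, and Users holds
    # the "Allow log on locally" right by default; that is why Jane can sign in at the console.
    $members = Get-LocalGroupMember -Group 'Users' | ForEach-Object Name
    return ($members -contains 'WIRELESSHOBO\Domain Users')
}

function Get-ConsoleLogons {
    # Interactive logons (4624, LogonType 2) for the account: the audit trail of the test.
    param([string]$User = 'jdoe')
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$User' and Data[@Name='LogonType']='2']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'AuthPackage'; e = { $_.Properties[10].Value } },
            @{ n = 'Workstation'; e = { $_.Properties[11].Value } }
}

Test-ConsoleLogonAllowed   # True on a default member server
Get-ConsoleLogons          # one row per console sign-in by jdoe; AuthPackage should read Kerberos
```

If Test-ConsoleLogonAllowed returns False, someone has tightened the local Users group or the "Allow log on locally" right, and the console test will fail for every staff account, not just Jane's.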
I still have some AD cleanup and checks to do, maybe some simple group policy, and finally connecting all this to my developer tenant. Maybe I should revisit my goals and generate a high-level list of tasks I want to accomplish? We'll see.