Installation

In this article we’ll walk through the process of installing Active Directory Domain Services for a brand-new environment. Before we begin, know that this article makes a few assumptions:

  1. That we’re setting up a brand-new environment and not tying into any existing setup.
  2. We’re a small/medium-sized business. Larger businesses may have more complicated requirements.

Domain Name

Before installing ADDS, we need to select a domain name.

Choose carefully and with thought, as once decided it’s difficult to change. I recommend using a dedicated sub-domain, either identifying the business’s location or using a generic name. Avoid using the apex domain itself (such as twobyte.blog), a private domain such as .local, or domains you do not own.

Examples of common domain names (for small businesses):

  • yvr.twobyte.blog. (Airport Code)
  • van.twobyte.blog. (City)
  • ad.twobyte.blog. (Generic)
  • corp.twobyte.blog. (Generic)

NETBIOS Name

Another important consideration is the NETBIOS name you’ll use within your Active Directory environment. While NETBIOS itself is slowly being relegated to the past, it’s still an important aspect of Active Directory.

Where you’ll most commonly see the NETBIOS name is when referencing resources or accounts. For example, assuming a NETBIOS name of ESM for Eastern Steel Mill:

  1. Printers from a Print Management Server will appear as ESM\PrinterName
  2. When entering a username to connect to a share, it will be ESM\Username.
  3. When signing into a device, the domain will be listed as ESM.

So how do you choose?

Most commonly, the NETBIOS name will be the name of the company if the company name is short. If it’s longer or multiple words, it may be abbreviated or shortened. The largest limiting factor when determining a NETBIOS name is its limit of 15 characters.

Examples:

  • ESM for East Steel Mills.
  • PORTWORTH for Portworth Technologies.
  • ITALIAN for Italian Cooking Solutions.
  • PORTABELLA for Portabella Inc.

Whatever you choose just make sure it makes sense with the domain name you selected. You want folks to logically come to the same conclusion as you when trying to figure out the NETBIOS name.

Server Prerequisites

On each of your future domain controllers (minimum two), ensure the following settings are configured.

Hostname

Assign a hostname using your organization’s naming conventions. Choose a name carefully as changing the name after the fact can be difficult. Common usage is to have “DC” with a number to indicate each server, such as:

  • DC01
  • PROD-DC01
  • CMY-PROD-DC01 (Company Name, Prod/Dev, Host)
  • CMY-S01-DC01 (Company Name, Site Number, Host)
  • CMYS01DC01 (Company Name, Site Number, Host)
  • YVR-DC01 (Airport Code, Host)

Network Adapter Settings

Ensure each host is configured with a static IP address and the appropriate DNS settings.

DNS settings are a common point of confusion regarding DCs. Common wisdom is that each server should point towards itself and another DC within the environment. Logical enough, but the question comes down to which DC and in what order?

Here are the current recommendations to the best of my knowledge.

If running a single DC, the DC’s network adapter should be pointed towards itself.

Primary DNS Address:    127.0.0.1
Secondary DNS Address:  [none]

If running two domain controllers, each DC should be pointed towards the other as its primary, with itself as the secondary.

Primary DNS Address:    [IP ADDRESS OF SECONDARY DC]
Secondary DNS Address:  127.0.0.1

If running three or more domain controllers, choosing the correct DC to be your primary DNS server will depend on both the topology of your domain and the underlying network. As with two DCs, the primary DNS server will be another DC in the domain, with itself as the secondary.

Primary DNS Address:    [IP ADDRESS OF ANOTHER DC]
Secondary DNS Address:  127.0.0.1
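The three cases above, applied to one host as an added PowerShell example (not from the original article). The DC addresses, interface alias, prefix length and gateway are constructed values; replace them with your own.

```powershell
# Added example: set a static address and apply the DNS ordering described above.
# All values below are constructed for illustration.
$DcAddresses = @('10.0.10.11', '10.0.10.12')   # constructed: every DC in the domain
$ThisDc      = '10.0.10.11'                     # constructed: the DC being configured
$Adapter     = 'Ethernet'                       # assumed interface alias (check Get-NetAdapter)

# Static IPv4 address for the DC itself (assumed /24 and gateway)
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $ThisDc -PrefixLength 24 -DefaultGateway '10.0.10.1'

# DNS order: another DC first and loopback second; loopback only when this is the sole DC
$Others = @($DcAddresses | Where-Object { $_ -ne $ThisDc })
if ($Others.Count -eq 0) {
    $DnsServers = @('127.0.0.1')
} else {
    $DnsServers = @($Others[0], '127.0.0.1')
}
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServers

# Confirm what was applied
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
```

New-NetIPAddress fails if the address is already assigned, so on a host that already has its static address, skip that line and run only the DNS part.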

Installation

Finally, it’s time to install Active Directory! Starting with your primary DC, follow these steps. Once complete, repeat the process for the secondary DC. Rinse and repeat for any additional DCs.

Install Role

Open PowerShell (as an administrator) and run the following command to install the Active Directory Domain Services role.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Deploy Forest

Next, we’ll configure the domain and install DNS, a vital component of Active Directory.

Install-ADDSForest -DomainName ad.twobyte.blog -DomainNetbiosName TWOBYTE -InstallDNS

Recovery Password

Immediately you’ll be asked for a Safe Mode Administrator Password.

SafeModeAdministratorPassword: **************
Confirm SafeModeAdministratorPassword: **************

This password, commonly referred to as the DSRM (Directory Services Restore Mode) password, is the password you will use if you ever need to boot into safe mode or a variant of it. Hopefully you never need it, but keep it safe and available in case you do.

Confirm Reboot

Lastly, you’ll be asked for confirmation that a reboot can occur after the deployment has completed. Enter Y to allow the reboot.

The target server will be configured as a domain controller and restarted 
when this operation is complete. Do you want to continue with this operation?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
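The installation steps above, combined into one script as an added example (not from the original article). Install-ADDSForest is the right step for the first DC only; a second or later server in the same domain is promoted with Install-ADDSDomainController, which joins the existing domain instead of creating a new forest. The domain name, NETBIOS name, and the use of the domain’s DC locator SRV record to tell the two cases apart are assumptions of this example.

```powershell
# Added example: role install, DSRM password prompt and promotion in one script.
# $DomainName and $NetbiosName are constructed; the SRV lookup is this example's choice.
$DomainName  = 'ad.twobyte.blog'
$NetbiosName = 'TWOBYTE'

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Prompted once and kept as a SecureString rather than written into the script
$DsrmPassword = Read-Host -AsSecureString -Prompt 'Safe Mode Administrator Password'

# If the domain's DC locator record resolves (this host's DNS points at an existing DC),
# the domain already exists and this server must join it as an additional DC.
$Existing = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue

if (-not $Existing) {
    # First DC: run the prerequisite check, then create the forest (the article's step)
    Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -SafeModeAdministratorPassword $DsrmPassword
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName -InstallDns `
        -SafeModeAdministratorPassword $DsrmPassword -Force -Confirm:$false
} else {
    # Additional DC: join the existing domain with a Domain Admin credential
    $Cred = Get-Credential -Message "Domain Admin for $DomainName"
    Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $Cred `
        -SafeModeAdministratorPassword $DsrmPassword
    Install-ADDSDomainController -DomainName $DomainName -Credential $Cred -InstallDns `
        -SafeModeAdministratorPassword $DsrmPassword -Force -Confirm:$false
}
```

-Confirm:$false answers the reboot prompt shown above so the server restarts without interaction; drop it if you prefer to confirm by hand.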

Verification

With the domain successfully deployed across all servers, let’s check a few areas of Active Directory to ensure everything is working as expected.

Diagnostics

Open PowerShell (as Admin) and run dcdiag. This command walks through and checks various aspects of Active Directory. If an issue is found, the error is reported in its output.

dcdiag

Replication

With multiple DCs communicating together, check and verify that AD replication is succeeding.

Replication, in the most basic sense, is the synchronization of directory (LDAP) data between DCs. If a new user account (i.e. object) is created on one DC, then after a replication event that user object will exist on the secondary DC. For more information, I recommend this article from Microsoft.

repadmin /replsummary

Below is example output indicating successful replication between two DCs.

Replication Summary Start Time: 2024-10-29 17:43:51

Beginning data collection for replication summary, this may take awhile:

Source DSA          largest delta    fails/total %%   error
 DC1                       58m:00s    0 /  10    0
 DC2                       58m:26s    0 /  10    0

Destination DSA     largest delta    fails/total %%   error
 DC1                       58m:27s    0 /  10    0
 DC2                       58m:01s    0 /  10    0

FSMO Roles

Lastly, check and document which domain controller has each of the five FSMO roles. This information can become important during a disaster recovery scenario.

netdom query fsmo

In the example below, the domain controller DC1.ad.twobyte.blog is the role master for all FSMO roles on the ad.twobyte.blog domain.

Schema master               DC1.ad.twobyte.blog
Domain naming master        DC1.ad.twobyte.blog
PDC                         DC1.ad.twobyte.blog
RID pool manager            DC1.ad.twobyte.blog
Infrastructure master       DC1.ad.twobyte.blog

The command completed successfully.
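The three verification checks above, gathered into one report as an added PowerShell example (not from the original article). It reads the FSMO holders from the ActiveDirectory module, counts replication failures, runs dcdiag in quiet mode, and writes the result to a JSON file for the disaster recovery documentation the section calls for. The output path is an assumption.

```powershell
# Added example: one verification pass over FSMO roles, replication and dcdiag.
Import-Module ActiveDirectory

$Report = [ordered]@{}
$Forest = Get-ADForest
$Domain = Get-ADDomain

# FSMO roles: forest-wide roles come from Get-ADForest, domain-wide from Get-ADDomain
$Report.SchemaMaster         = $Forest.SchemaMaster
$Report.DomainNamingMaster   = $Forest.DomainNamingMaster
$Report.PDCEmulator          = $Domain.PDCEmulator
$Report.RIDMaster            = $Domain.RIDMaster
$Report.InfrastructureMaster = $Domain.InfrastructureMaster

# Replication: recorded failures, plus partners whose last attempt did not return 0 (success)
$Failures = Get-ADReplicationFailure -Target $Domain.DNSRoot -Scope Domain
$Report.ReplicationFailures  = @($Failures).Count
$Partners = Get-ADReplicationPartnerMetadata -Target $Domain.DNSRoot -Scope Domain
$Report.PartnersWithErrors   = @($Partners | Where-Object { $_.LastReplicationResult -ne 0 }).Count

# dcdiag /q prints only failures, so any non-blank line is something to look at
$DcDiag = dcdiag /q
$Report.DcDiagIssueLines     = @($DcDiag | Where-Object { $_ -match '\S' }).Count

$Report.CollectedOn          = $env:COMPUTERNAME
$Report.CollectedAt          = (Get-Date).ToString('s')

# Show the report and keep a copy with the DR documentation (assumed path)
$OutDir = 'C:\ADDocs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
[pscustomobject]$Report | Format-List
[pscustomobject]$Report | ConvertTo-Json | Set-Content -Path (Join-Path $OutDir "ad-check-$($env:COMPUTERNAME).json")
```

A healthy domain shows zero for ReplicationFailures, PartnersWithErrors and DcDiagIssueLines; anything else points you back to the repadmin and dcdiag output above.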

Congratulations, you’ve successfully installed Active Directory.