Building Your First Domain Controller on 2012 R2

So you want to build an Active Directory domain? Congratulations! This guide is not really meant for the seasoned admins who eat, sleep, & breathe Active Directory. It is meant for the folks who have a real job, but since they own a computer at home, they are now the company's network administrator. J You know who you are. I will go through the process in as non-techie terms as possible, but will link to online documentation just in case you want to dive deeper. In this post I walk through setting up a brand new 2012R2 Standard edition Server. While technically I am building out a virtual machine, a physical machine would be the same process. So why build a domain in the first place? There are many reasons to need or want a domain;

• Software like Exchange Server and many 3^rd party vendors require having Active Directory in your environment.
• Centralized security – All user accounts are stored in the domain so users will be able to log into any PC in the domain and all Active Directory integrated apps with the same account – that means no more password post-it notes attached to monitors
• Centrally manage user and computer policies to control things like how long a password should be and what drive letters should be mapped for users
• Many, many other reasons.

But this isn’t a walkthrough on why, but how. Lets start:

---

Step 1 – Evaluate

• The Server - While Active Directory doesn't tend to be processor intensive or memory intensive in small environments, minimally I would recommend 8 – 16 Gb of Ram, Quad-core processor, and around 100 GB's of free hard drive space – Microsoft has some guidance on the amount of memory and processing power Active Directory located here .
• The Network – Chances are you have a router, that hands out IP Addresses to computers to allow them to get to the network and ultimately to the internet – this is a great time to figure out what the IP Range that it has is and any passwords that are needed to configure it are. The reason behind this would be that Active Directory stores information about itself in DNS – I will go through the basics of DNS when the time comes, just think of DNS as how Internet Explorer knows how to find www.facebook.com. The networking piece is an important part and where things can go wrong if not set up correctly. Microsoft has published a good explanation of DNS here.
• Domain – What are you going to call this creature you are about to build? In my test lab I build out a fictional company called Matrix.loc (Yes I really liked the movie). There are a few things to note about the name, Matrix is the fictional company name and loc is a fake root domain. The fake root domain could easily be .com, edu, .net and I would have made it that if I actually owned those names on the internet – I don't own them so I use a fake root name. It won't matter the server will still be able to get to the internet as will the clients.

---

Step 2 – Set Server up

• Get the server setup, cabled, powered up and if need be get OS installed on it

• First screen will ask for a password – fill that out – the server will finalize the settings, reboot and then allow you to log in. http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou1.png

• When you finally log into the server for the first time – Server Manager will start up

• Select Local Server on the left and you should see a screen similar to below: http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou2.png

• NOTE: there are a few things we need to change here – first being Computer name (Nobody will remember that name if they needed to)

• Click on the Server's Name (The Blue text) this screen will show up – Click Change

  http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou3.png

• Type in the name that you want for this domain controller in the screen that comes up like below

  http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou4.png

• Click OK when done, and then close the screen behind – Reboot when it asks you to

• Login to windows when ready and when Server Manager comes back up, click on Local Server again and validate the Name change http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou5.png

• Now let's validate that the internet is working so we can get some network settings written down. I went to www.bing.com and after the Internet Enhanced configuration prompts I was able to get to the internet.

• http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou6.png

• Let's assign a static IP to the network card as you do not want the servers IP changing on you

  • Grab the current settings from Powershell – Click the Icon http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou7.pngon the task bar or open a command prompt and type "IPconfig /All" The resulting output will be a lot but scroll up and you will see a section like below http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou8.png The highlighted area are the most important:
  • Refer back to your router information and check the scope of address that it hands out: For instance Linksys routers hands out normally 192.168.1.100 to 192.168.1.150 (50 addresses) my network hands out 192.168.1.64 to 192.168.1.253 (190 devices) This is important to be able to assign an IP to your new server that is still on the network defined by the subnet mask but outside of the client scope, I am choosing 192.168.1.50 for my new domain controller for example.
  • Right click this icon***http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou9.png*** on the taskbar and select "Open Network and Sharing Center"
  • Select the "Change adapter settings" on the left
  • Right click on your network adapter and select properties
  • On the screen that comes up click "Internet Protocol Version 4 (TCP/IPv4) and then click the Properties button http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou10.png
  • Make your ip settings match mine with the exception of the IP address (If you selected another one) , Gateway depending on your routers config, and DNS most likely this will be your router if not refer back to the ipconfig /all output and have your dns settings match that. http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou11.png
  • Once that's done lets validate that the internet still works – if so let's go to step 10, if not we need to redo step 9 to make sure there isn't anything that was missed.

• Download and install all windows updates for the server – to do that right click the little flag icon by the clock and open the action center.

  • On the left there will be a Windows Update link, click that and turn on Automatic Updating.
  • Check for updates – this will take a bit to gather all of the updates that may be waiting for you.
  • Go ahead and install any updates found and let the server reboot if it needs to. With the operating system being 2012 R2 there may not be a lot of updates.

---

Step 3 - Promote to Domain Controller

• Once everything is up and running again – it's time to finally install the Directory Services role

  • In Server Manager, Local Server Click Manage and then Add Roles and Features

    http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou12.png

  • Click next on the first screen

  • Keep the defaults (Role-based or feature-based installation) on Installation type and click Next

  • Keep the defaults (Select a server from the server pool), make sure your new server is highlighted, click Next

  • Put a check mark next to "Active Directory Domain Services" on Server Roles , Click Add Features on the popup screen, click Next

  • On the features screen, click Next

  • On AD DS screen, Click Next

  • And finally on the confirmation screen, click Install

  • At this point the Active Directory binaries will be installed, once that finishes click the Close button

• The binaries are installed but where is my Active Directory? At this point you should be looking at Server Manager, and at the top of the screen there should be a flag next to the word manage with a yellow caution symbol.

  http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou13.png

• When you click the flag a window will open telling you that there is still some configuration that is needed to make this server a domain controller. http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou14.png

• Click the "Promote this server to a domain controller" link

• Select the option to "Add a new forest" and then type the domain name that you want, then click Next http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou15.png

  NOTE: Here are some guidelines to stay away from:

  • No single label names i.e. Matrix
  • Don't over complicate it, if the name of your company is Brads Totally Awesome Computer Repair and Web Design, I would never create a domain called bradstotallyawesomecomputerrepairandwebdesign.local. In Fact the domain name should be less than 15 characters for technical reasons. In the example above I would shorten it up to something like BTAC.local – trust me your users will thank you J
  • Avoid using special characters in the domain name like |/\"><:*, periods are ok as long as it is not the first character, dashes (-) are OK but still wouldn't use as first character

• On the Domain Controller Options screen

  • Select the Forest functional and Domain functional level – The wizard will pick the highest functional level that the OS will support, so defaults are usually the best bet.
  • In the section labeled "Specify domain controller capabilities" again the defaults are the best option
  • There is a section that can be hard to see for the DSRM password, which should be something that is easily remembered or stored securely somewhere, as the only time you will need this password is during a disaster
  • Click Next

  http://windorks.files.wordpress.com/2014/01/011814_0709_buildingyou16.png

• On the DNS options screen, ignore the warning about the delegation and click Next

• On the Additional options page, make sure that the name of your domain is listed as the NetBios domain name, sometimes there will already be a computer or printer on the network with the same name so if your NetBios name ends in a 0, we will need to change the name of that device before we continue. For my Domain of Matrix.loc the NetBios name is Matrix – Click Next

• On the Paths screen, defaults should be fine but if you so desired you could change them to another local harddisk or partition.

• On review options click Next

• The server will now check to make sure all the prerequisites for the domain controller is satisfied, there will be some warnings, but that should be fine, review and Click Install

• Once the install completes the server will reboot

• Once rebooted you will sign into your new domain

Once the domain is up and running there are a few things that will need to be done to fully utilize Active Directory

1. Users will need to be created
2. Client computers will need to point their Nics dns settings to the servers IP
3. Computers will need to be joined to the domain

Active Directory is scalable and flexible enough to grow with your company. Please feel free to ask us any questions or provide feedback (good or bad) to us.