Configure Active Directory Domain Services (AD DS)
Brief introduction to AD DS, including a full detailed demo.
Sam Airey
7/26/2024. 5 min read.
Introduction
AD DS is the beating heart of any IT environment, as it serves as the identity provider (you could opt to go down a cloud-only route by using Entra ID alone, but you’d be losing a lot of functionality, and that is only appropriate for very specific environments). The server with AD DS configured on it is a Domain Controller (DC), and this DC will generally be used to manage:
Users and computer objects within Active Directory Users and Computers.
DNS.
GPO.
Sites and Services.
The above services can be split out among an unlimited number of servers, but outside of very niche requirements or enormous environments, they generally will live on the DCs. This article won’t do a deep dive on the theory of AD DS and will focus more on the practical side; however, if you’re interested in learning further theory: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview.
Building the Domain
In the following demo, we’re going to create a new domain on a fresh Windows Server 2022 VM.
Before we begin, it’s worth setting your DC to a static IP address (especially if it’s providing DNS). I won’t cover how to do this, as the best practice differs depending on whether this is a physical or virtual server, but the guidance for your specific setup can easily be found online.
Domain Build Demo
Log into the server that will be your first DC with a local administrator account.
Open Server Manager (you can find it pinned in the Start menu of Windows Server operating systems) > ‘Manage’ in the top-right > ‘Add Roles and Features’:
Click ‘Next’ on the ‘Before You Begin’ tab.
Ensure that ‘Role-based or feature-based installation’ is selected on the ‘Installation Type’ tab and click ‘Next’.
Click ‘Next’ on the ‘Server Selection’ tab.
On the ‘Server Roles’ tab, select ‘Active Directory Domain Services’ and click ‘Add Features’ in the pop-up box that appears:


Once the above is done, click ‘Next’ on the ‘Server Roles’ tab.
Click ‘Next’ on the ‘Features’ tab.


Author's note: the two sections we’ve just worked through (Server Roles and Features) are where all the good stuff is kept when it comes to adding new roles/features to a server. It’s worth spending some time having a look at what’s there and playing around with the roles in a sandbox environment.
Click ‘Next’ on the ‘AD DS’ tab.
Click ‘Install’ on the ‘Confirmation’ tab.
Author's note: this step can take a little while. Feel free to check the ‘Restart the destination server’ box if needed.
Once the install completes, you will see a message that states “Configuration required. Installation succeeded on [hostname].”
Click ‘Close’ – it’s now time to promote the server to a DC.
To promote the server, click the flag in the top-right of Server Manager, which should now have an exclamation mark on it, then click ‘Promote this server to a domain controller’:


As we’re building a fresh domain, we’ll be selecting ‘Add a new forest’ and entering a new root domain name of our choice.
Author's note: ‘Add a domain controller to an existing domain’ would be used if you wanted to add another DC to an existing domain.
‘Add a new domain to an existing forest’ would be used if you were adding a new domain under the existing root.
More here on the logical structure of Active Directory: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/understanding-the-active-directory-logical-model


Select the relevant ‘Forest functional level’ and ‘Domain functional level’.
Author's note: it’s worth doing some reading on what these functional levels do.
A quick and dirty summary would be that you want to use the highest functional levels you can, as that will let you take advantage of the most functionality. The limitation, however, is that all your domain controllers (not member servers or workstations) need to be at least that version of Windows.
For example, if you use the highest currently available functional levels, you’ll be setting them to Windows Server 2016. This means that all your DCs must be running Windows Server 2016 or higher; however, this does not mean all your member servers/workstations also must be 2016 or higher.
More useful info here: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
You will need to select a Domain Name System (DNS) server for your first DC.
The Global Catalog (GC) role will be selected for you. Servers with this role store a copy of all Active Directory objects in the forest.
The Read-only domain controller (RODC) role will not be available to you (due to this being the first DC). This role allows a server to host a read-only copy of Active Directory, so no changes can be written to it.
Create the Directory Services Restore Mode (DSRM) password. DSRM is a safe mode boot option for DCs. It’s required for several DC-related troubleshooting options, including an authoritative restore. Make sure you keep a record of this password.
Author's note: this password can be reset at a later date; however, this can only be done while the DC is running in normal mode. This means that if you have a major issue and need to boot the DC into restore mode, it is generally already too late to reset it.


There will be no DNS options assuming that this is the first DNS server in the environment.
Customise the NetBIOS domain name if required:


Customise the AD DS database, log files and SYSVOL paths if required.
Review all the options we have configured and confirm all is correct.
Wait while the prerequisites are verified.
You will likely be greeted with some recommendations. Assuming the bottom message reads “All prerequisite checks passed successfully. Click ‘Install’ to begin installation.” then you will be fine to kick off the installation.
Once the process completes, the server will restart. When the server comes back up, it will be a domain controller. The local administrator account that ran through the promotion process will now be the built-in domain Administrator account.
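The same build as an added, unattended PowerShell example (this is not part of the original demo, which uses Server Manager). It assumes a root domain name of corp.example.local, a NetBIOS name of CORP, the default database/log/SYSVOL paths and the Windows Server 2016 functional levels; adjust these to match the choices you made in the wizard.

```powershell
# Added example: scripted equivalent of the Server Manager walkthrough above.
# Assumptions (not from the article): root domain 'corp.example.local',
# NetBIOS name 'CORP', default paths, Windows Server 2016 functional levels.
# Run in an elevated PowerShell session on the fresh server.

# 1. Install the AD DS role and its management tools (the 'Add Roles and
#    Features' wizard up to and including 'Install').
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Prompt for the DSRM password instead of hard-coding it in the script.
#    Record it somewhere safe: as noted above, it cannot be reset once the DC
#    has to be booted into restore mode.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 3. Promotion settings, mirroring the wizard pages. 'WinThreshold' is the
#    Windows Server 2016 forest/domain functional level.
$params = @{
    DomainName                    = 'corp.example.local'  # assumed root domain
    DomainNetbiosName             = 'CORP'                # assumed NetBIOS name
    ForestMode                    = 'WinThreshold'        # forest functional level
    DomainMode                    = 'WinThreshold'        # domain functional level
    InstallDns                    = $true                 # first DC also hosts DNS
    SafeModeAdministratorPassword = $dsrm
    DatabasePath                  = 'C:\Windows\NTDS'     # AD DS database
    LogPath                       = 'C:\Windows\NTDS'     # AD DS log files
    SysvolPath                    = 'C:\Windows\SYSVOL'   # SYSVOL share
}

# 4. Dry run: the same prerequisite checks the wizard shows on its
#    'Prerequisites Check' page, without changing anything yet.
$check = Test-ADDSForestInstallation @params
$check | Format-List

# 5. Promote only if the prerequisite check did not report an error.
#    -Force suppresses the confirmation prompt; the server reboots when done.
if ($check.Status -eq 'Success') {
    Install-ADDSForest @params -Force
} else {
    Write-Warning 'Prerequisite check failed; review the output above before promoting.'
}
```

After the reboot, running Get-ADDomainController from an elevated session on the new DC confirms the promotion and shows the Global Catalog and DNS settings that were applied.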
Conclusion
In this article, I’ve covered a very high-level introduction to AD DS, including a detailed demo of the process required to install the role and promote the server to a domain controller. Once this process has been completed, you will be left with the base building blocks of a domain that you will need to build on top of, such as:
DNS.
DHCP (if required).
Time.
Entra Connect (if required).
Group Policy.


Sam Airey
Cloud engineer documenting IT projects and processes to help others.
© 2024. All rights reserved.