One of the important things to do before anyone jumps into AD security is setting up an Active Directory on a Windows server. This is one of those things that feel empowering for some reason, at least to me. Anyways, let’s not get too sentimental about it and begin.
We’ll be using Windows Server 2019 for the Domain Controller (DC), and we’ll set that up first. In later posts, we’ll join other machines to this DC, but for now, we’ll set up the DC and AD DS (Active Directory Domain Services).
So let’s begin.
Log in to your Windows Server using RDP or the console, whichever is possible for you right now, and navigate to Server Manager. Select “Add roles and features” from the Dashboard screen.
Now follow the screens as shown below; the steps here are simple, so don’t stress about them. I’ll provide explanations where I feel they are essential.
Now that we have installed AD DS, we’ll promote the current server to a Domain Controller. Installing the role only puts the binaries on the box; until the server is promoted there is no DC and no domain for it to control. That is exactly what we’ll be doing in this step.
As we are setting up a fresh forest and a fresh domain in that forest, we’ll choose the option “Add a new forest” and then define what our root domain will be called; for me, it is “windows.local.” (That is fine for a lab; for production, Microsoft recommends a subdomain of a DNS name you actually own rather than a made-up TLD, and .local also clashes with mDNS on some clients.) Once we have defined the root domain name, we can move on to the next step.
If we were adding a new domain to an existing forest, we would have chosen the second option. Multi-domain forests are less common in small labs, but they are fully supported.
The first option is to add a new Domain Controller to an existing domain; that could be an additional writable DC for redundancy and load sharing, or a Read-Only Domain Controller (RODC).
In layman’s terms, “functional levels” define the oldest Windows Server version that a Domain Controller in this domain (domain functional level) or in this forest (forest functional level) may run; they do not restrict which member servers or workstations can join. Higher functional levels also unlock newer features (the Windows Server 2016 forest level, for example, is required for Privileged Access Management). Since I plan to add Windows 8 and 2012R2 machines to this lab, I chose 2012 as the functional level; that keeps the door open to promoting a 2012R2 box to an additional DC later.
The NetBIOS name defines what our logins will look like, e.g., the Administrator account will be called winlab\Administrator. The NetBIOS value can be anything of your choice, as long as it is at most 15 characters and unique on the network.
Setting up a static IP address for the machine. We want our DC to stay in one place and not change its IP address on boot. This rarely happens, but if its DHCP lease expires and we reboot the machine, we’ll get a new IP address, and since every domain member points at the DC for DNS, none of them will be able to resolve the domain or locate the DC, making the AD non-functional. To avoid situations like these, we set up static IP addresses for Domain Controllers. That is exactly what we are going to do in this step.
Once you click Install, the installation will begin, and there will be at least one restart of the machine before the installation is complete and you are allowed to log in again. Once you’ve logged in, we’ll move on to giving our machine a respectable name; right now, it is gibberish generated by the Windows installation.
Changing hostname of the machine.
This step can be done before the installation as well; however, I chose to do it later. If you haven’t attached any machine to this domain, you can still do it now, but note that renaming a machine that is already a DC is not a plain rename: it has to go through netdom computername (add the new name, make it primary, remove the old one) so that the DNS records and SPNs tied to the old name get updated. Please consider renaming the machine before the installation of AD DS as a general good practice.
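The same build (hostname, static IP, AD DS role, forest promotion, post-reboot checks) done from an elevated PowerShell prompt instead of clicking through Server Manager, as an added example that is not part of the original post. The hostname DC01, the 192.168.56.0/24 addressing and the WINLAB NetBIOS name are assumptions for the lab; windows.local is the forest root used in the post.

```powershell
# Added example, not the post's own steps. Assumptions: the DC will be called
# DC01, sit on 192.168.56.10/24 with gateway 192.168.56.1, the forest root is
# windows.local and the NetBIOS name is WINLAB. Run from an elevated prompt.

# 1. Name the box *before* promotion; renaming a DC afterwards is a
#    multi-step netdom procedure. The reboot here is deliberate.
Rename-Computer -NewName 'DC01' -Restart -Force

# --- log back in after the reboot and continue ---

# 2. Static addressing: every domain member will point its DNS at this IP,
#    so it must never move. Strip the DHCP address/route on the active NIC first.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Remove-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute     -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress    -InterfaceIndex $nic.ifIndex -IPAddress '192.168.56.10' -PrefixLength 24 -DefaultGateway '192.168.56.1'
# The DC resolves names through the DNS role it is about to host; loopback as fallback.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '192.168.56.10','127.0.0.1'

# 3. Install the AD DS role. This alone does NOT make the server a DC.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Promote: new forest, root domain windows.local, 2012 functional levels,
#    DNS installed alongside. The DSRM password boots Directory Services
#    Restore Mode (offline access to the whole NTDS.dit); guard it like a
#    Domain Admin secret and never leave it in a script.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) administrator password'
Install-ADDSForest `
    -DomainName 'windows.local' `
    -DomainNetbiosName 'WINLAB' `
    -ForestMode 'Win2012' `
    -DomainMode 'Win2012' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true
# The server reboots itself at the end of promotion; log back in as WINLAB\Administrator.

# 5. Sanity checks after the reboot: forest/domain levels, DC role flags, and the
#    SRV record clients use to find a DC. dcdiag confirms DNS and that the DC advertises.
Get-ADForest           | Select-Object Name, ForestMode, RootDomain
Get-ADDomain           | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog, IsReadOnly
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.windows.local' -Type SRV
dcdiag /test:dns /test:advertising
```

If Get-ADDomain reports a different DomainMode than you expect, or Resolve-DnsName cannot find the _msdcs SRV record, fix that before joining any client: a member that cannot locate a DC through DNS will fail the domain join long before anything AD-specific comes into play.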
Now we have completed the installation of the AD DS feature on a machine, and we have promoted it to a Domain Controller. We will take a look at exploiting these machines/setups in later posts. However, this is it for now.
If you need to learn how to spin up a Windows Server machine faster, look at my post about using SysPrep for faster provision of windows machines.
If you have questions or need help setting things up, reach out to me @jtnydv