Join Ed Liberman for an in-depth discussion in this video Installing Active Directory Domain Services (AD DS), part of Windows Server 2016: Install and Configure Active Directory.
- [Instructor] The installation of Active Directory Domain Services is really a two-step process. The first step being the installation of the server role itself, and the second step being the promotion of the domain controller. To demonstrate this, I am going to jump onto a computer that I have here named DC1. Now DC stands for domain controller, but I want you to know that even though I've named the computer DC1, it's currently just a standalone server. We're going to make it a domain controller in this exercise.
Here in the Server Manager on DC1, what we want to do first is add the role for Active Directory Domain Services. And to do that, we come right down here to the middle where it says Add Roles and Features and click on that, and this takes you into the Add Roles and Features Wizard. The first screen we always get is the Before You Begin screen, where it's pretty much just giving us a heads up, saying, hey look, you're about to do something pretty significant to this machine, you might want to make sure that you have security settings and things of that nature in place. I know that we do, so I'm going to go ahead and click on next.
It is a role-based installation, so again I will click next. We are installing on DC1, so I will click next. And here I get the actual roles to choose from, and right near the top, it's actually the second choice, is Active Directory Domain Services. So I will check the box, and when I do, I get a little pop-out window saying, hey, there are some other features that are required, so I will go ahead and click the button to say go ahead and add those features. And then I can click next. Here's an option to install any other features I want to do as part of this process.
There's nothing else I specifically want to do at this point, so I will click next. And here's just a quick overview of what Active Directory Domain Services is, so I will click next through this screen. And then I get a confirmation screen, and I will go ahead and click install. Now at this point, depending on the speed of the machine, it could take anywhere from about a minute to a few minutes to go through and do the installation of Active Directory Domain Services. If you are following along with me, and your machine is moving slower than mine, feel free at this point to go ahead and pause the video, and then you can just resume it when you get to the completed state that I'm actually in right now.
Okay, when it says installation succeeded, but with configuration required, at that point you're done, and you can resume the video. So mine is complete, but as it does state, it says configuration required. In other words, all we did was step one. Step one was to install the server role itself. Step two is to promote this server to a domain controller. Now, back in the old days, we used to do that promotion through a command line entry that was called dcpromo.
If you try to do a dcpromo at this point, it will just tell you that everything's been moved into the Server Manager. And in fact, you can see right here, it says promote this server to a domain controller. So if I click on that link, watch what happens. It takes me right into the Active Directory Domain Services Configuration Wizard. Which, by the way, is what dcpromo used to be. All right. So now that we're in this wizard, we have to first select a deployment operation. First choice is to add a domain controller to an existing domain, well, that would be difficult because this is the very first domain controller anywhere in my network.
So second choice would be add a new domain to an existing forest, which again, we're just building the forest at this point, which means we have to take choice number three, which is add a new forest. At this point it wants to know the root domain name. So I'm going to use landonhotel.local, that's a domain name that I like to use in my courses here. And I will click next. At this point, it's kind of going through and making sure that that name is appropriate, isn't being used on the network somewhere else, doesn't have some sort of a conflict in place.
Takes just a moment to go through and do that. It has now completed, so the next screen is asking us to select the forest and domain functional level, and I'll talk about functional levels in other videos, possibly even in other courses. But the short version is, you want to have functional levels that are equal to the domain controllers that you have running on your network. And you'll see here that in the drop-down, there's only one choice, because if the forest is set at 2016, that's the only option in the domain.
But on the forest level, you'll see that we can go all the way back to Windows Server 2008. All right? So you want to make sure you go to a functional level that is as far back as any domain controllers that you'll have running in your environment. In this case, I'm only going to be running Windows Server 2016, so I can leave the forest and domain functional levels alone. I now can specify any additional domain controller capabilities. By default, it's going to assume that I want to also be a DNS server, and this is a good choice.
You do want to be a DNS server. You'll notice that I don't have to be, I could clear that box. But I do want to be a DNS server, because DNS is crucial to the operation of Active Directory. Second option is global catalog, which is a grayed-out checkbox, I can't clear this box. And the reason why is because you must have at least one global catalog server in the forest. So if this is the first computer I'm promoting to a domain controller, it has to be a global catalog server.
The third option is a checkbox that is not checked and I cannot check it, and that would be for read-only domain controller. And the reason I cannot check that box is because the only way to have a read-only domain controller is if you first have a full-blown read-writable domain controller to replicate from. So I'll go over read-only domain controllers in a later video. It now wants me to enter a Directory Services Restore Mode password, so I will put in a super secret password here that I would use in the event that I needed to try to recover my domain controller.
And I'll go ahead and click on next. At this point, there's a little warning that comes up. If you understand how DNS works and how DNS name resolution works, for instance out on the internet, the problem is as it says, that the delegation for this DNS server cannot be created because of an authoritative parent zone cannot be found, and as I hover over it, you'll see it's a big long message. What they're saying is, we can't find a DNS server for the local namespace. In other words, we're doing landonhotel.local. Okay, so it's kind of like on the internet if you're going to www.yourfavoritewebsite.com, there's the com DNS servers, well, we can't find a local DNS server. So what we're saying here is this is okay, because this is not out on the internet, this is just in a local network.
The parent domain is going to be landonhotel.local. So all I have to do is click next through this warning, and it's now going to verify that the NetBIOS name does not conflict with anything out on the network. NetBIOS name is kind of an older naming strategy, mostly from back in like the 1990s, but we still have it available, and it's still in use today. It would be the first 15 characters of the name if it was longer than 15, but landonhotel is not. So it's got the full landonhotel name, which is fine.
So I'll click next. It's now asking me for the location of the Active Directory database, log files, and the SYSVOL folder. If I have a system with multiple hard drives, you can improve performance by separating out the database location from the log file location. Only if it's to completely separate physical hard drives. This is true of any database. They'll always perform better, because then what can happen is the database can be reading and writing while the log files are also being written to, separately, on a separate drive.
In this case, I only have the one hard drive, so I'm just going to take the default location for everything. Then I'll click next, here's a review of everything that we're about to do. I also could click on view script, let me click on that and show you. This would be a PowerShell script to perform the actions that we're performing right now. So if you wanted to, let's say, copy this, or even save this right now, this is simply in a Notepad. If I want to save this for future use in scripting, I could do that.
I'm going to go ahead and click on next. It's going to do a prerequisite check to make sure that everything's in place, and that this server can be promoted to a domain controller. What we should find is a couple of warnings that are going to come up, but that it should pass the prerequisite check. So this is another example of it can take a little bit longer, depending on the machine, so if your machine takes longer than mine, then feel free to go ahead and pause the video and then resume it once you get to the point that I'm at.
You'll see here that it's exactly what I expected to see. Yes there are some warnings down here, one of them is that DNS delegation, another one has to do with some security settings that are backward compatible to Windows NT, so it's almost ridiculous that they even point that out. But they do have to, it's a technicality. But most importantly at the top here, I get this green circle with a checkmark in it that says all prerequisite checks have passed successfully. So at this point I can click install to begin the installation. During the installation I'm going to see those same warnings pop up again that we saw during the prerequisite check.
But otherwise, it's just going to go through and do its thing. And when it's done installing, and promoting itself to a domain controller, the system is going to reboot, and then you will log in as the domain administrator. So through the magic of video editing, I'm going to kind of speed this thing up, and skip through to where it's all done. As I've been saying all along, on your end if you're following along, pause the video and resume as soon as this process has completed, and you have rebooted your server, and you're back ready to get rolling on the domain controller.
All right, so as you can see, my system has completed the installation process, and it rebooted, and I've logged back in as the Landonhotel administrator. If you are following along, I'm not sure how long it took on your end, I could tell you mine did take probably a good five or 10 minutes, again, through the magic of video editing. We don't bore you with staring at a screen for five, 10 minutes, but I just wanted to give you that heads up, in case you were concerned that yours took too long, or if you've never done this, when you go to do it, that it takes a lot longer than mine here, that's why.
Now the other thing I will tell you is when you reboot, you may end up with these red boxes with what looks like errors, that's actually fairly common when you first boot Windows Server 2016. These are delayed start services, that's all it's warning you about. In fact if I refresh, you can refresh once every few moments or so, and yeah, see, it just went away. All that is is a delay in starting services. I'd say if your machine is running for a good 10, 15 minutes and you still have the messages, then you may want to look into why the services aren't starting.
But anyway, at this point, I can see that I have roles for Active Directory Domain Services, and for DNS. In addition, if I come up to the tools menu, you'll see that I have a number of Active Directory tools available at my disposal, as well as the DNS administrator tool. And so that is pretty much what shows us that we have successfully installed the Active Directory Domain Services role, and then also promoted it to a domain controller as well as making it a DNS server.
- Installing Active Directory Domain Services
- Installing additional domain controllers
- Configuring AD DS permissions
- Managing accounts, groups, and OUs
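
The two steps walked through in the transcript (install the role, then promote to the first domain controller of a new forest) can also be scripted. This is an added example, not the script shown in the video: the values follow the choices described above (landonhotel.local, DNS installed, 2016 functional levels, default paths), and prompting for the DSRM password rather than storing it in the file is a choice made for this example.

```powershell
# Added example; values mirror the choices made in the wizard walkthrough.
# Run in an elevated PowerShell session on the standalone server (DC1).

# Step 1: install the AD DS server role together with its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for the Directory Services Restore Mode password so it is never
# written into the script or the console history in plain text.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

# Settings shared by the prerequisite check and the promotion itself.
$forest = @{
    DomainName                    = 'landonhotel.local'
    DomainNetbiosName             = 'LANDONHOTEL'
    ForestMode                    = 'WinThreshold'      # Windows Server 2016
    DomainMode                    = 'WinThreshold'      # Windows Server 2016
    InstallDns                    = $true               # DC is also a DNS server
    CreateDnsDelegation           = $false              # no parent zone for .local
    DatabasePath                  = 'C:\Windows\NTDS'   # wizard default
    LogPath                       = 'C:\Windows\NTDS'   # wizard default
    SysvolPath                    = 'C:\Windows\SYSVOL' # wizard default
    SafeModeAdministratorPassword = $dsrm
}

Import-Module ADDSDeployment

# Same prerequisite check the wizard runs before enabling the Install button.
# Warnings (DNS delegation, NT-compatible crypto) are expected; errors are not.
$check = Test-ADDSForestInstallation @forest
$check | Format-List Status, Message
if ($check | Where-Object { $_.Status -eq 'Error' }) {
    throw 'Prerequisite check failed; resolve the errors above before promoting.'
}

# Step 2: promote the server to the first domain controller of the new forest.
# The server reboots automatically when the promotion finishes.
Install-ADDSForest @forest -Force
```

After the reboot, sign in as the domain administrator; the AD DS and DNS roles should both appear in Server Manager.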