Installing and Configuring Domain Controllers with Windows Server 2016 Core

Windows Server Core is an ideal choice for Active Directory Domain Controllers because of its low resource usage and greatly reduced attack surface. In this post I'll go through the initial steps of deploying a new Active Directory forest and adding an additional Domain Controller to the domain, and finally I'll run some basic checks on the health of the domain after installation.

Important note: If you need to boot the Windows Server 2016 ISO from a USB flash drive, use the Windows USB/DVD Tool, available for download directly from Microsoft.


Installing Windows Server 2016 Core

Boot the server from the Windows Server 2016 media and, on the "Select the Operating System you want to install" screen, select Windows Server 2016 Standard or Datacenter edition. The options with "Desktop Experience" in brackets are the same editions with the GUI installed as well.

Important Note: You can no longer add and remove the GUI (Desktop Experience) with Windows Server 2016 as you could with Windows Server 2012 & 2012 R2. This is due to numerous problems with keeping the installation and removal process consistent with updates. With Windows Server 2016, the only way to add or remove the GUI is to re-install and select one of the server editions with the Desktop Experience option.

Initial Configuration

Once the install process has completed, you will be prompted with a command line window, and asked to set the Administrator password.

  1. Set the Administrator password.
  2. Type sconfig to get the Server Configuration menu. It's pretty straightforward: from the Server Configuration menu you can configure all the basics the server needs.
  3. For the first Domain Controller in the new forest, you’ll need to configure at least the Network Settings – IP address, subnet mask, gateway, and DNS.
  4. You may also want to configure the computer name. Configuring the computer name will require a restart.
  5. After the restart, log in to the server with the Administrator password you set in step 1.

Tip: The sconfig menu is also present in the GUI version of Windows Server 2016, making initial configuration of new servers easier.
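The same network settings and computer name that sconfig steps 3 and 4 cover can also be set from PowerShell, which is handy when building several servers. The following is an added example, not part of the original post; the interface alias, addresses and computer name are assumed values and need adjusting for your environment.

```powershell
# Added example (not from the original post): the network settings and computer name that
# sconfig steps 3 and 4 configure, set from PowerShell instead so they can be scripted.
# The interface alias, addresses and name below are assumed values; adjust them for your environment.
$ifAlias    = 'Ethernet'          # assumed adapter name; confirm with Get-NetAdapter
$ipAddress  = '192.168.10.10'     # assumed static address for this server
$prefix     = 24                  # 255.255.255.0
$gateway    = '192.168.10.1'
$dnsServers = @('192.168.10.10')  # the first DC in a new forest points DNS at itself;
                                  # an additional DC should point at an existing DC instead
$newName    = 'DC01'

# Turn off DHCP and clear any address and default route it assigned,
# so only the static configuration remains on the adapter
Set-NetIPInterface -InterfaceAlias $ifAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $ifAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $ifAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Apply the static address, gateway and DNS servers
New-NetIPAddress -InterfaceAlias $ifAlias -IPAddress $ipAddress -PrefixLength $prefix -DefaultGateway $gateway
Set-DnsClientServerAddress -InterfaceAlias $ifAlias -ServerAddresses $dnsServers

# Show what was applied before the restart
Get-NetIPConfiguration -InterfaceAlias $ifAlias

# Renaming the computer requires a restart, exactly as it does in sconfig
Rename-Computer -NewName $newName -Restart
```

Run it from an elevated PowerShell session on the Core console; after the restart, log in with the Administrator password from step 1 as before.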


Additional Storage Configuration

You may want to configure additional locally attached disks or iSCSI/MPIO storage.

Locally attached disks can be partitioned and formatted with the diskpart command line tool. Here is the series of diskpart commands to create a new NTFS formatted volume with drive letter E: and the label "Data" from a second disk in the server.

First, run diskpart from the command line, then use the following commands:

list disk
select disk 1
online disk
attributes disk clear readonly
clean
rem choose one partition style: "convert gpt" (used here) or "convert mbr"
convert gpt
create partition primary
select partition 1
rem "active" marks a partition as bootable and is only valid on MBR disks; it is not needed for a data volume on GPT
rem active
format fs=ntfs label="Data" quick
assign letter=E
list volume

iSCSI storage can be configured using the same GUI tools you would use on the GUI version of Windows Server. The MPIO feature must be installed before its tool is available. You can do this via PowerShell:

Install-WindowsFeature -Name 'Multipath-IO'

When MPIO is installed you can load the MPIO utility by running mpiocpl. For the iSCSI utility, run iscsicpl. The iSCSI initiator is part of the base Windows Server 2016 feature set, so it needs no extra installation.


Install Active Directory Domain Services

Now we’ll install Active Directory Domain Services, and create the first Domain Controller for a new forest.

  1. The following PowerShell command installs the Active Directory Domain Services binaries, but does not make the server a Domain Controller:
     Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
  2. Once the binaries have been installed, the forest can be created and the server promoted to a Domain Controller:
     Install-ADDSForest -DomainName contoso.com
  3. If you'd like to configure where the AD database, AD logs, and SYSVOL are stored, run the following command instead:
     Install-ADDSForest -DomainName contoso.com -DatabasePath "E:\AD\DB" -LogPath "E:\AD\Log" -SysvolPath "E:\AD\SYSVOL"
  4. As part of the install process you'll be asked to set the safe mode administrator password – this is also known as the Directory Services Restore Mode (DSRM) password.
  5. Once the install process completes, you'll be prompted for a restart, and after restarting you'll have the first Domain Controller for a new forest.
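The steps above can be put together into one script that also runs the prerequisite checks before anything is changed and takes the DSRM password as a SecureString so it is never typed into a script file. This is an added example, not code from the original post; the domain name, NetBIOS name and E:\AD paths are the assumed values used in the post's examples.

```powershell
# Added example (not from the original post): creates a new forest following the steps above.
# Domain name, NetBIOS name and the E:\AD paths are assumed values taken from the post's examples.

# Step 1: install the AD DS binaries and management tools (no promotion yet)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$domainName  = 'contoso.com'
$netbiosName = 'CONTOSO'   # assumed; defaults to the first DNS label in upper case if omitted

# Step 4, done up front: read the DSRM password as a SecureString so it is
# not left in the script file or the console history
$dsrmPassword = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString

# Steps 2-3: parameters shared by the prerequisite check and the promotion
$params = @{
    DomainName                    = $domainName
    DomainNetbiosName             = $netbiosName
    SafeModeAdministratorPassword = $dsrmPassword
    InstallDns                    = $true      # the first DC hosts DNS for the new forest
    DatabasePath                  = 'E:\AD\DB'
    LogPath                       = 'E:\AD\Log'
    SysvolPath                    = 'E:\AD\SYSVOL'
    Force                         = $true      # suppress the confirmation prompt; the restart still happens
}

# Test-ADDSForestInstallation runs the same prerequisite checks as the install without changing anything
$check = Test-ADDSForestInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Forest prerequisite check failed; review the messages above before promoting.'
}

# Step 5: promote; the server restarts when this completes
Install-ADDSForest @params
```

Running the Test-ADDSForestInstallation check first means a missing static IP, an unsupported path or a weak DSRM password is reported before the server is half-promoted.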


Adding an Additional Domain Controller To An Existing Domain

To add an additional Domain Controller to a domain, first install Windows Server 2016 Core as detailed above, then configure the network settings and any extra storage you require.

  1. Add the server to the existing domain that you want to create an additional Domain Controller for, and log in as a user with domain admin privileges for that domain.
  2. Install the Active Directory Domain Services binaries by running the following command in PowerShell:
     Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
  3. To promote the server to a Domain Controller, run the following command:
     Install-ADDSDomainController -DomainName "contoso.com"
  4. If you'd like to configure where the AD database, AD logs, and SYSVOL are stored, run the following command instead:
     Install-ADDSDomainController -DomainName "contoso.com" -DatabasePath "E:\AD\DB" -LogPath "E:\AD\Log" -SysvolPath "E:\AD\SYSVOL"
  5. As part of the install process you'll be asked to set the safe mode administrator password – this is also known as the Directory Services Restore Mode (DSRM) password.
  6. Once the install process completes, you'll be prompted for a restart, and after restarting you'll have another Domain Controller for the domain.


Post Install Health Check

To check the health of the Domain Controller, you can use the dcdiag tool. To direct the output to a text file and read it with Notepad, run the following from the command line:

dcdiag >C:\dctest.txt
notepad C:\dctest.txt

You may find that the first Domain Controller in a forest does not advertise itself as a time server. If you experience this issue, try the following commands to fix it:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Run dcdiag once again and the problem should be resolved.

One potential problem area to look out for with Active Directory is DNS. You can have dcdiag run its DNS-specific tests:

dcdiag /test:dns
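Reading a full dcdiag report in Notepad works, but on a DC with many tests it is easy to miss a single failed line. The following added example (not from the original post) writes the same C:\dctest.txt, then extracts the per-test pass/fail summary lines, flags the Advertising failure described above together with the time service status, and saves the DNS test to a second file. It assumes it runs in an elevated PowerShell session on the DC itself.

```powershell
# Added example (not from the original post): runs dcdiag into the same C:\dctest.txt the post
# uses, summarises which tests passed or failed, and checks the two things the post calls out:
# time-server advertising and DNS. Assumes an elevated PowerShell session on the DC.
$report = 'C:\dctest.txt'

# /c = comprehensive set of tests, /v = verbose; everything is captured to the report file
dcdiag /c /v | Out-File -FilePath $report -Encoding utf8

# dcdiag prints one summary line per test, for example:
#   ......................... DC01 passed test Advertising
#   ......................... DC01 failed test Services
$summaryPattern = '^\s*\.{3,}\s*(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'

$results = Get-Content -Path $report | ForEach-Object {
    if ($_ -match $summaryPattern) {
        [PSCustomObject]@{
            Target = $Matches.Target
            Test   = $Matches.Test
            Result = $Matches.Result
        }
    }
}

$failed = @($results | Where-Object Result -eq 'failed')
if ($failed.Count -gt 0) {
    Write-Warning "dcdiag reported $($failed.Count) failed test(s):"
    $failed | Format-Table -AutoSize
} else {
    Write-Host "All $(@($results).Count) dcdiag tests passed."
}

# The Advertising test is the one that fails when the DC is not advertising as a time server.
# Show the time service state before deciding whether to re-register w32time as described above.
if ($failed | Where-Object Test -eq 'Advertising') {
    Write-Warning 'Advertising test failed; current time service status:'
    w32tm /query /status
}

# DNS-specific tests, as in the post, kept in a separate report next to the main one
$dnsReport = 'C:\dctest-dns.txt'
dcdiag /test:dns /v | Out-File -FilePath $dnsReport -Encoding utf8
Write-Host "Full reports: $report and $dnsReport"
```

The regular expression only keys on the summary lines, so the verbose detail stays in the file for when a test does fail; re-run the script after applying the w32time fix to confirm the Advertising test now passes.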


Final Tasks

You may want to revisit the Server Configuration tool (sconfig) for some final configuration tasks, such as enabling Remote Desktop or configuring Windows Update.

To administer Active Directory using the GUI management consoles, add a PC or VM with a recent version of Windows 10 to the domain, and install the Remote Server Administration Tools (RSAT) for Windows 10.


-Mike

Twitter – @Digressive
