
Installing and Configuring Domain Controllers with Windows Server Core


Windows Server Core is an ideal choice for Active Directory Domain Controllers due to its low resource usage and greatly reduced attack surface. In this post I’ll go through the initial steps on how to deploy a new Active Directory forest and add an additional Domain Controller to the domain, and finally I’ll run some basic checks on the health of the domain after installation. This guide is also suitable for regular GUI Windows Server installations.

Installing Windows Server Core

Boot the server from the Windows Server media and on the “Select the Operating System you want to install” screen, select the option “Windows Server Standard” or “Datacenter” edition. The other options with “Desktop Experience” in brackets are the options for the other server editions with a GUI also installed.

Please note: You can no longer add and remove the GUI (Desktop Experience) with Windows Server 2016 as you could with Windows Server 2012 & 2012 R2. This is due to numerous problems with keeping the installation and removal process consistent with updates. With Windows Server 2016, the only way to add or remove the GUI is to re-install and select one of the server editions with the “Desktop Experience” option.

Initial Configuration

Once the install process has completed, you will be prompted with a command line window, and asked to set the Administrator password.

  1. Set the Administrator password.
  2. Type sconfig to get the Server Configuration menu. It’s pretty straightforward. In the Server Configuration menu, you can configure all the basics required for the server.
  3. For the first Domain Controller in the new forest, you’ll need to configure at least the Network Settings - IP address, subnet mask, gateway, and DNS.
  4. You may also want to configure the computer name. Configuring the computer name will require a restart.
  5. After the restart, log in to the server with the Administrator password you set in step 1.

Tip: “sconfig” is also present in the GUI version of Windows Server, making initial configuration of new servers easier.
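The same initial configuration can be scripted instead of stepped through in sconfig. The following is an added example, not code from the original post; the adapter name “Ethernet”, the addresses and the host name DC01 are assumptions you would replace with your own.

```powershell
# Added example (not from the original post): the sconfig network and
# computer-name steps done from PowerShell. Adapter name, addresses and
# host name are assumed values.
$nic = 'Ethernet'      # confirm the alias with Get-NetAdapter
$ip  = '10.0.0.10'     # static address for the first DC (assumed)
$gw  = '10.0.0.1'      # default gateway (assumed)

Get-NetAdapter -Name $nic | Format-Table Name, Status, MacAddress

# Turn off DHCP and clear any address/route it assigned; New-NetIPAddress
# refuses to add a gateway while a DHCP default route still exists
Set-NetIPInterface -InterfaceAlias $nic -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue

New-NetIPAddress -InterfaceAlias $nic -IPAddress $ip -PrefixLength 24 -DefaultGateway $gw

# The first DC will run DNS for the new forest, so the client can point at
# its own address; Install-ADDSForest -InstallDns configures the server side
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $ip

# Equivalent of sconfig option 2: rename and reboot
Rename-Computer -NewName 'DC01' -Restart
```

For an additional Domain Controller, set -ServerAddresses to an existing DC’s IP instead of the server’s own address so that the domain join can resolve the domain.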

Additional Storage Configuration

You may want to configure additional locally attached disks or iSCSI/MPIO storage. Creating new volumes that are locally attached can be done via the diskpart command line tool. Here’s the series of commands to create a new, NTFS formatted volume, with the drive letter of E:\ and the name “Data”, from a second disk in the server using the diskpart tool. First, run diskpart from the command line, then use the following commands:

list disk
select disk 1
online disk
attributes disk clear readonly
clean
convert gpt
rem use "convert mbr" instead of "convert gpt" if the disk must be MBR
create partition primary
select partition 1
rem "active" only applies to MBR disks; run it after "select partition 1" if you chose MBR
format fs=ntfs label=Data quick
assign letter=E
list volume

iSCSI storage can be configured using the same GUI tools you would use in the GUI version of Windows Server. The MPIO feature must be installed before the tool is available. You can do this via PowerShell:

Install-WindowsFeature -Name 'Multipath-IO'

When MPIO is installed you can load the MPIO utility using mpiocpl. For the iSCSI utility you can use iscsicpl. iSCSI is installed as part of the base Windows Server feature set.
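The diskpart script above can also be expressed with the Storage module cmdlets, which have the advantage that Initialize-Disk refuses to touch a disk that already has a partition table, so a mistyped disk number cannot silently wipe data. This is an added example, not code from the original post; disk number 1, drive letter E and the iSCSI bus type are assumptions.

```powershell
# Added example (not from the original post): the "Data" volume from the
# diskpart script built with the Storage cmdlets, plus MPIO preparation for
# iSCSI. Disk number and drive letter are assumed.
$diskNumber = 1

# Bring the disk online and writable, then show what we are about to touch
Set-Disk -Number $diskNumber -IsOffline $false
Set-Disk -Number $diskNumber -IsReadOnly $false
Get-Disk -Number $diskNumber | Format-List Number, FriendlyName, Size, PartitionStyle, OperationalStatus

# Only initialise a RAW disk: Initialize-Disk errors on an already-partitioned
# disk, which is the safety net diskpart's "clean" does not give you
if ((Get-Disk -Number $diskNumber).PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $diskNumber -PartitionStyle GPT
}

# One partition spanning the disk, NTFS quick format, label "Data", letter E:
New-Partition -DiskNumber $diskNumber -UseMaximumSize -DriveLetter E |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

Get-Volume -DriveLetter E

# MPIO for iSCSI: install the feature, start the initiator service and let
# MPIO claim iSCSI paths automatically (the same setting as the
# "Discover Multi-Paths" tab in mpiocpl); a reboot is required afterwards
Install-WindowsFeature -Name 'Multipath-IO'
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI
Enable-MSDSMAutomaticClaim -BusType iSCSI
```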

Install Active Directory Domain Services

Now we’ll install Active Directory Domain Services, and create the first Domain Controller for a new forest.

The following PowerShell command will install the Active Directory Domain Services binaries, but will not make the server a Domain Controller:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Once the binaries have been installed, now the forest can be created and the server can become a Domain Controller:

Install-ADDSForest -DomainName contoso.com

If you’d like to configure the path of where the AD database, AD logs, and the SYSVOL are stored, then run the following command:

Install-ADDSForest -DomainName contoso.com -DatabasePath "E:\AD\DB" -LogPath "E:\AD\Log" -SysvolPath "E:\AD\SYSVOL"

As part of the install process you’ll be asked to set the “safe mode administrator password” - this is also known as the “Directory Services Restore Mode (DSRM) password”.

Once the install process completes, you’ll be prompted for a restart, and after restarting you’ll have the first Domain Controller for a new forest.
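Putting the forest creation together as a script lets you supply the DSRM password non-interactively, pin the functional levels, and run the pre-flight check before anything is changed. This is an added example, not code from the original post; the domain name, NetBIOS name, functional level and paths are assumptions.

```powershell
# Added example (not from the original post): first DC of a new forest with
# a pre-flight test. Domain name, NetBIOS name, functional level and paths
# are assumed values.
$domain = 'contoso.com'
$dsrm   = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString

$params = @{
    DomainName                    = $domain
    DomainNetbiosName             = 'CONTOSO'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 functional level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true            # first DC hosts DNS for the forest
    CreateDnsDelegation           = $false           # no parent zone to delegate from
    DatabasePath                  = 'E:\AD\DB'       # keep NTDS and SYSVOL off the OS volume
    LogPath                       = 'E:\AD\Log'
    SysvolPath                    = 'E:\AD\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $true            # reboot explicitly after reading the output
    Force                         = $true            # suppress the confirmation prompt
}

# Dry run: validates the name, paths, DNS situation and DSRM password
# without changing anything on the server
$check = Test-ADDSForestInstallation @params
$check | Format-List Status, Message
if ($check.Status -ne 'Success') {
    throw 'Pre-flight check failed; fix the reported problems before promoting'
}

Install-ADDSForest @params
Restart-Computer
```

The splatted hashtable is accepted by both Test-ADDSForestInstallation and Install-ADDSForest, so the test exercises exactly the parameters the real promotion will use.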

Adding an Additional Domain Controller To An Existing Domain

To add an additional Domain Controller to a domain, first install Windows Server Core as detailed above, configure the network settings and any extra storage you require.

Add the server to the existing domain that you want to create an additional Domain Controller for and log in as a user with domain admin privileges for that domain.

Install the Active Directory Domain Services binaries by running the following command in PowerShell:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

To promote the server to a Domain Controller, run the following command:

Install-ADDSDomainController -DomainName "contoso.com"

If you’d like to configure the path of where the AD database, AD logs, and the SYSVOL are stored, then run the following command:

Install-ADDSDomainController -DomainName "contoso.com" -DatabasePath "E:\AD\DB" -LogPath "E:\AD\Log" -SysvolPath "E:\AD\SYSVOL"

As part of the install process you’ll be asked to set the “safe mode administrator password” - this is also known as the “Directory Services Restore Mode (DSRM) password”.

Once the install process completes, you’ll be prompted for a restart, and after restarting you’ll have another Domain Controller for the domain.
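The domain join and promotion of the second Domain Controller, scripted with a pre-flight test and an explicit replication source. This is an added example, not code from the original post; the domain name, site name, source DC name DC01 and paths are assumptions.

```powershell
# Added example (not from the original post): join the new Server Core
# server to the domain, then promote it as an additional DC. Domain, site,
# source DC and paths are assumed values.
$domain = 'contoso.com'
$cred   = Get-Credential -Message "Domain Admin account for $domain"

# Part 1: join the domain and reboot (the server restarts here; log back in
# with the domain account and continue with part 2)
Add-Computer -DomainName $domain -Credential $cred -Restart

# Part 2 (after the reboot): binaries, pre-flight test, promotion
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -Prompt 'DSRM (safe mode) administrator password' -AsSecureString

$params = @{
    DomainName                    = $domain
    Credential                    = $cred
    InstallDns                    = $true                   # every DC should also serve DNS
    SiteName                      = 'Default-First-Site-Name'
    ReplicationSourceDC           = "DC01.$domain"          # seed from a known-good DC
    DatabasePath                  = 'E:\AD\DB'
    LogPath                       = 'E:\AD\Log'
    SysvolPath                    = 'E:\AD\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $true
    Force                         = $true
}

# Dry run: checks credentials, DNS resolution of the domain, site and paths
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message
if ($check.Status -ne 'Success') {
    throw 'Pre-flight check failed; fix the reported problems before promoting'
}

Install-ADDSDomainController @params
Restart-Computer
```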

Post Install Health Check

To check the health of the Domain Controller, you can use the dcdiag tool. To direct the output to a TXT file and read it with notepad run the following from the command line:

dcdiag >C:\dctest.txt
notepad C:\dctest.txt

You may have a problem with the first Domain Controller for a forest not advertising itself as a time server. If you experience this issue, try the following commands to fix the issue:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Run dcdiag once again and the problem should be resolved. One potential problem to look out for with Active Directory is DNS. You can configure dcdiag to run a DNS specific test:

dcdiag /test:dns
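The dcdiag runs above can be gathered into one report together with the replication, time-service and event-log checks that usually reveal a promotion that only half worked. This is an added example, not code from the original post; the domain name and report path are assumptions.

```powershell
# Added example (not from the original post): post-promotion health report
# combining dcdiag with replication, time and service checks. Domain name
# and report path are assumed values.
$domain = 'contoso.com'
$report = 'C:\dc-health.txt'

'=== dcdiag (all tests) ===' | Out-File $report
dcdiag /v                    | Out-File $report -Append
'=== dcdiag DNS test ===' | Out-File $report -Append
dcdiag /test:dns /e          | Out-File $report -Append   # /e covers every DC in the forest

# Replication: repadmin summary plus per-partner status from the AD module
'=== replication ===' | Out-File $report -Append
repadmin /replsummary | Out-File $report -Append
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize | Out-File $report -Append
Get-ADReplicationFailure -Target $env:COMPUTERNAME | Out-File $report -Append

# Time: the DC must advertise as a time server, otherwise Kerberos fails once
# client clock skew exceeds the default 5 minutes; /timeserv makes nltest
# report only DCs that advertise the time service
'=== time service ===' | Out-File $report -Append
w32tm /query /status | Out-File $report -Append
nltest "/dsgetdc:$domain" /timeserv | Out-File $report -Append

# Core DC services that must be running after the reboot
'=== services ===' | Out-File $report -Append
Get-Service -Name NTDS, DNS, Netlogon, Kdc, W32Time, DFSR |
    Format-Table Name, Status, StartType -AutoSize | Out-File $report -Append

# Errors and warnings from the Directory Service log in the last 24 hours
'=== Directory Service log ===' | Out-File $report -Append
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List | Out-File $report -Append

notepad $report
```

If the nltest line returns ERROR_NO_SUCH_DOMAIN while a plain nltest /dsgetdc:contoso.com succeeds, the DC is reachable but not advertising the time service, which is the symptom the w32tm re-register commands above fix.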

Final Tasks

You may want to revisit the Server Configuration tool “sconfig” and do some final configuration tasks like enable Remote Desktop or configure Windows Updates. To administer Active Directory using the GUI management consoles, add a PC or VM with a recent version of Windows 10 to the domain, and install the Remote Server Administration Tools (RSAT) for Windows 10.

Support My Work

If you would like to support me, please check out the link below.

If you have any questions or comments please leave them below.

Thanks
-Mike
