Windows Server Core is an ideal choice for Active Directory Domain Controllers due to its low resource usage and greatly reduced attack surface. In this post I’ll go through the initial steps of deploying a new Active Directory forest and adding an additional Domain Controller to the domain, and finally I’ll run some basic checks on the health of the domain after installation. Important note: If you need to boot the Windows Server 2016 ISO from a USB flash drive, use the Windows USB/DVD Tool, available to download directly from Microsoft.
Installing Windows Server 2016 Core
Boot the server from the Windows Server 2016 media and, on the “Select the operating system you want to install” screen, select Windows Server 2016 Standard or Datacenter edition. The other options, with (Desktop Experience) in brackets, are the editions with a GUI also installed. Important Note: You can no longer add or remove the GUI (Desktop Experience) on Windows Server 2016 as you could on Windows Server 2012 and 2012 R2, because of numerous problems keeping the installation and removal process consistent across updates. With Windows Server 2016, the only way to add or remove the GUI is to reinstall and select one of the server editions with the Desktop Experience option.
Initial Configuration
Once the install process has completed, you will be prompted with a command line window, and asked to set the Administrator password.
- Set the Administrator password.
- Type sconfig to get the Server Configuration menu. It’s pretty straightforward: from the Server Configuration menu you can configure all the basics required for the server.
- For the first Domain Controller in the new forest, you’ll need to configure at least the Network Settings - IP address, subnet mask, gateway, and DNS.
- You may also want to configure the computer name. Configuring the computer name will require a restart.
- After the restart, log in to the server with the Administrator password you set in step 1.
Tip: The sconfig menu is also present in the GUI version of Windows Server 2016, making initial configuration of new servers easier.
Additional Storage Configuration
You may want to configure additional locally attached disks or iSCSI/MPIO storage. New volumes on locally attached disks can be created with the diskpart command line tool. Here’s how to create a new NTFS-formatted volume, with drive letter E: and the label “Data”, from a second disk in the server: run diskpart from the command line, select the second disk, create and format the partition, and assign the drive letter.
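As an added example (not the post’s original commands), here is that diskpart sequence driven from PowerShell through a script file, so it is repeatable and can be reviewed before it runs. It assumes the empty second disk appears as disk 1 in diskpart’s list disk output and uses the Storage module’s Get-Disk to refuse any disk that already has a partition table, since diskpart gives no second chances.

```powershell
# Added example, not the post's original commands. Creates an NTFS volume labelled
# "Data" with drive letter E: on the second disk (disk 1; disk 0 holds the OS),
# driving diskpart with a script so the sequence is repeatable and reviewable.
$diskNumber = 1   # assumption: the empty second disk shows as disk 1 in "list disk"

# Refuse to touch a disk that already has a partition table. Check with the
# Storage module first, because diskpart will happily reformat the wrong disk.
$disk = Get-Disk -Number $diskNumber -ErrorAction Stop
if ($disk.PartitionStyle -ne 'RAW') {
    throw "Disk $diskNumber is already initialised ($($disk.PartitionStyle)); refusing to continue."
}

# The diskpart commands themselves; these are what you would type interactively.
$diskpartScript = @"
select disk $diskNumber
online disk noerr
attributes disk clear readonly
convert gpt
create partition primary
format fs=ntfs label="Data" quick
assign letter=E
"@

$scriptPath = Join-Path $env:TEMP 'new-data-volume.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
diskpart /s $scriptPath

# Verify the result: drive letter, label, file system and size.
Get-Volume -DriveLetter E | Format-Table DriveLetter, FileSystemLabel, FileSystem, Size
```

The same result can be had without diskpart using the Storage cmdlets (Initialize-Disk, New-Partition and Format-Volume); the diskpart form is kept here because it matches the tool the post uses.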
iSCSI storage can be configured using the same tools you would use in the GUI version of Windows Server. The MPIO feature must be installed before its tool is available; you can do this via PowerShell.
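As an added example (not the post’s original command), this installs the Multipath I/O feature from PowerShell and also prepares the iSCSI Initiator service, which ships with the OS but is stopped on a fresh Server Core install. The automatic-claim step is an addition beyond the post: it lets the Microsoft DSM take ownership of iSCSI devices without per-LUN work in mpiocpl.

```powershell
# Added example, not the post's original command. Installs the Multipath I/O
# feature on Server Core; the feature needs a restart before its cmdlets and
# the mpiocpl utility are usable.
Install-WindowsFeature -Name Multipath-IO -Restart

# --- after the restart ---

# The iSCSI Initiator service (MSiSCSI) is present but stopped by default;
# iscsicpl offers to start it, this does the same up front.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Let the Microsoft DSM claim iSCSI devices automatically so each new multipath
# LUN does not have to be added by hand. Takes effect after another reboot.
Enable-MSDSMAutomaticClaim -BusType iSCSI
Get-MSDSMAutomaticClaimSettings
```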
When MPIO is installed you can load the MPIO utility using mpiocpl. For the iSCSI utility you can use iscsicpl. iSCSI is installed as part of the base Windows Server 2016 feature set.
Install Active Directory Domain Services
Now we’ll install Active Directory Domain Services, and create the first Domain Controller for a new forest.
- First install the Active Directory Domain Services binaries from PowerShell. This installs the role but does not make the server a Domain Controller.
- Once the binaries have been installed, the forest can be created and the server promoted to a Domain Controller.
- If you’d like to control where the AD database, AD logs, and SYSVOL are stored, specify those paths when you run the promotion.
- As part of the install process you’ll be asked to set the safe mode administrator password - this is also known as the Directory Services Restore Mode (DSRM) password.
- Once the install process completes, you’ll be prompted for a restart, and after restarting you’ll have the first Domain Controller for a new forest.
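The whole procedure above as one added example (not the post’s original commands). The forest name corp.example.com, the NetBIOS name CORP and the D:\ paths are assumed values; the functional level WinThreshold is the Windows Server 2016 level. The DSRM password is read interactively so it never sits in a script, shell history or transcript in clear text, and Test-ADDSForestInstallation is run first to catch problems before anything is changed.

```powershell
# Added example, not the post's original commands. Builds the first Domain
# Controller of a new forest. Assumed values: forest corp.example.com, NetBIOS
# name CORP, D:\ as a separate volume for the database, logs and SYSVOL.

# 1. Install the AD DS role binaries (the server is not yet a DC after this).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Read the DSRM (safe mode administrator) password as a SecureString so it
#    is never stored in clear text in this script or the shell history.
$dsrm = Read-Host -Prompt 'DSRM (safe mode administrator) password' -AsSecureString

# 3. One parameter set, reused for the pre-check and the real promotion.
#    Drop the three *Path entries to keep the defaults under C:\Windows.
$params = @{
    DomainName                    = 'corp.example.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true            # first DC of a forest normally hosts DNS
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}

# 4. Dry run: validates names, paths and prerequisites without changing anything.
Test-ADDSForestInstallation @params

# 5. Create the forest. -Force suppresses the confirmation prompt; the server
#    restarts on completion (add -NoRebootOnCompletion to hold the restart).
Install-ADDSForest @params -Force
```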
Adding an Additional Domain Controller To An Existing Domain
To add an additional Domain Controller to a domain, first install Windows Server 2016 Core as detailed above, then configure the network settings and any extra storage you require.
- Join the server to the existing domain you want to add a Domain Controller to, and log in as a user with Domain Admin privileges for that domain.
- Install the Active Directory Domain Services binaries from PowerShell.
- Promote the server to a Domain Controller.
- If you’d like to control where the AD database, AD logs, and SYSVOL are stored, specify those paths when you run the promotion.
- As part of the install process you’ll be asked to set the safe mode administrator password - this is also known as the Directory Services Restore Mode (DSRM) password.
- Once the install process completes, you’ll be prompted for a restart, and after restarting you’ll have another Domain Controller for the domain.
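The additional-DC procedure above as one added example (not the post’s original commands). Domain corp.example.com, the site name Default-First-Site-Name and the D:\ paths are assumed values. Each Domain Controller has its own DSRM password, so it is read interactively again here rather than reused from the first DC.

```powershell
# Added example, not the post's original commands. Promotes a Server Core member
# server to an additional Domain Controller. Assumed values: domain
# corp.example.com, site Default-First-Site-Name, data on D:\.

# 1. Join the domain with an account allowed to join computers, then restart.
Add-Computer -DomainName 'corp.example.com' `
    -Credential (Get-Credential -UserName 'CORP\Administrator' -Message 'Account used to join the domain') `
    -Restart

# --- after the restart, logged in as a Domain Admin ---

# 2. Install the role binaries.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Every DC gets its own DSRM password; read it as a SecureString.
$dsrm = Read-Host -Prompt 'DSRM password for this DC' -AsSecureString

$params = @{
    DomainName                    = 'corp.example.com'
    SiteName                      = 'Default-First-Site-Name'
    InstallDns                    = $true     # a second DNS server gives the domain DNS redundancy
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Credential                    = (Get-Credential -UserName 'CORP\Administrator' -Message 'Domain Admin account')
}

# 4. Dry run first, then the real promotion; the server restarts on completion.
Test-ADDSDomainControllerInstallation @params
Install-ADDSDomainController @params -Force
```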
Post Install Health Check
To check the health of the Domain Controller, use the dcdiag tool. Its output is long, so redirect it to a text file from the command line and read it in Notepad.
You may find that the first Domain Controller in a forest does not advertise itself as a time server. If you experience this issue, correct the Windows Time service configuration on that Domain Controller.
Run dcdiag once again and the problem should be resolved. One potential problem area to look out for with Active Directory is DNS; dcdiag can also run a DNS-specific set of tests.
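The three checks above as one added example (not the post’s original commands), run from PowerShell. The domain name corp.example.com, the report folder C:\Temp and time.windows.com as the external NTP source are assumed values. The time-server section is for the PDC emulator only: it is the authoritative clock for the domain and advertises as a time server once the Windows Time service is marked reliable, and this matters because Kerberos rejects tickets when clocks drift more than five minutes apart. Other Domain Controllers keep the default domain-hierarchy sync and should not be reconfigured this way.

```powershell
# Added example, not the post's original commands. Post-install health checks
# from PowerShell. Assumed values: domain corp.example.com, reports under
# C:\Temp, time.windows.com as the external NTP source for the PDC emulator.
$domain    = 'corp.example.com'
$reportDir = 'C:\Temp'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# 1. Full verbose health check to a file, then surface only the failed tests.
$report = Join-Path $reportDir 'dcdiag.txt'
dcdiag /v | Out-File -FilePath $report -Encoding ASCII
Select-String -Path $report -Pattern 'failed test'

# 2. Time server fix, on the PDC emulator only. Sync from an external NTP
#    source (0x8 = client mode), mark this DC reliable so it advertises as a
#    time server, restart the service and force a resync.
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service -Name W32Time
w32tm /resync /nowait
w32tm /query /status

# Confirm a DC now carries the TIMESERV flag and re-run the specific test
# that reported the advertising problem.
nltest "/dsgetdc:$domain" /timeserv
dcdiag /test:advertising

# 3. DNS-specific tests (all of them, verbose), also saved to a file.
$dnsReport = Join-Path $reportDir 'dcdiag-dns.txt'
dcdiag /test:dns /dnsall /v | Out-File -FilePath $dnsReport -Encoding ASCII
Select-String -Path $dnsReport -Pattern 'failed test'

# Open the full report for reading.
notepad $report
```

Keep the saved reports from the first clean run; a later dcdiag output compared against that baseline makes a new replication or DNS failure much easier to spot than reading the verbose output from scratch.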
Final Tasks
You may want to revisit the Server Configuration tool sconfig and do some final configuration tasks like enable Remote Desktop or configure Windows Updates. To administer Active Directory using the GUI management consoles, add a PC or VM with a recent version of Windows 10 to the domain, and install the Remote Server Administration Tools (RSAT) for Windows 10.
I take great care to test my ideas and make sure my articles are accurate before posting, however mistakes do slip through sometimes. If you’d like to get in touch with me please use the comments, Twitter (you can tweet me and my DMs are open) or my contact form. I hope this article helps you out, please consider supporting my work here. Thank you.
-Mike