In Part 1 of this series (Installing Active Directory Domain Services – Establishing an AD DS Forest in Windows Server – Part 1) I wrote on how to establish an Active Directory Forest.
In Part 2 (Installing Active Directory – Adding a child domain to an existing Active Directory Domain Services Forest (AD DS) in Windows Server – Part 2) we explored how to add a child domain to an existing AD DS Forest.
This is Part 3 and we will be adding a second tree to the forest. The Active Directory Domain Services (AD DS) design team has finished the design phase for your new AD DS environment and now it is time to implement the new domain tree. The Domain Name System (DNS) will be installed in the forest root domain and configured to support our new domain tree and domain. To following steps have been accomplished:
- DNS has been installed
- A new Forward Lookup and Reverse Lookup Zones allowing both Secure and Non-Secure Dynamic Updates were created.
- A static IP Address was configured with the DNS entry pointing to it’s own address.
- On the server that AD DS will be installed on the properties sheet the DNS suffix has been modified to represent the new AD DS Domain name and the computer restarted.
- After the computer has restarted verify the host has registered it A and Pointer records in DNS. (see diagram below)
Now that DNS is configured to support AD DS we can begin the installation.
The Local Administrator account should have a strong password as it will become the first Administrator of the Domain and will be automatically added to the following groups: Administrators, Domain Admins, and Group Policy Creators Owners.
To install AD DS complete the following steps:
Use PowerShell to add the Active Directory Domain Services Role to install the Binaries to support this server becoming a Domain Controller.
In the first of the series I used Server Manager to install the AD DS Role in order to install the AD DS Binaries required to promote the server to a domain controller. In the second of the series I used DCPROMO.EXE to install the AD DS Role in order to install the AD DS Binaries required to promote the server to a domain controller.
1. Start PowerShell, to get a list of available PowerShell manifests, type get-module –listavailable, press Enter.
2. Import the ServerManager module, type import-module ServerManger, press Enter.
3. To view the currently installed Roles and Features or the name of the Role or Feature you wish to install, type get-windowsfeature press Enter.
If a role or feature is installed there will be an X inside the brackets for that feature.
4. To add the ADDS Binaries, type Add-WindowsFeature ADDS-Domain-Controller press Enter.
The Binaries are now installed on the server to support this server becoming a Domain Controller. Continue using DCPROMO to promote this computer to a Domain Controller.
5. To start the promotion of the server to a domain controller, open a command prompt and type DCPROMO press Enter, the server will conduct a check to ensure the Binaries are installed.
If the Binaries were not pre-installed, DCPROMO will install them.
6. On the Welcome screen, because we are establishing a separate Tree in the Forest be sure to check the Use advanced mode installation then press Enter.
If establishing a separate Tree in the Forest or creating a Replica Domain Controller from alternate location be sure to check the Use advanced mode installation.
7. Review the Operating System Compatibility page, click Next.
8. On the Choose a Deployment Configuration sheet, select the Existing forest and Create a new domain in an existing forest radial buttons, Check Create a new domain tree root instead of a new child domain, click Next.
9. Enter the Fully Qualified Domain Name for the forest root domain. For this demonstration I will be USSHQ.Local.
10. To create a child domain requires Enterprise Administrator credentials. Click Set to provide Alternate credentials. After entering the credentials click OK then Next.
11. On the Name the New Domain Tree Root page enter the FQDN of the new domain. In this example I will be using Military.Local for the domain name.
12. The AD DS Installation Wizard will verify the FQDN is unique, the Netbios name and validity of the Forest.
13. Set Domain Functional Level based on the AD DS design team’s instructions, click Next.
Based on your Forest Functional Level setting the options for the Domain Level will vary.
14. If more than one site were available on the Select a Site you could select a site to place the domain controller object.
If more than one site were defined in AD DS the site that corresponds to the IP Address of the server would automatically have been selected.
15. The AD DS installation wizard will now examine the current DNS configuration.
16. On the Additional Domain Controller Options screen, click Next.
If you desired this new domain controller to be a DNS server or a Global catalog server then check the appropriate boxes. The ROCD option is greyed out because there is currently only one site defined in AD DS.
If you choose not to install DNS on the first domain controller in the child domain, a dialog box will require to click confirm you do not desire DNS on the server. Click Yes to continue.
17. On the Source Domain Controller page, press Next.
18. On the Location for Database, Log Files and SYSVOL sheet, click Next.
If space or performance were concerned the files would be placed on a separate drive.
19. Enter a Restoration Password, click Next.
This password will be used when restarting the sever in Directory Services Restore Mode.
20. Verify your installation setting on the summary page, click Next.
To create an unattended installation file click the Export setting button before clicking next.
The Active Directory Domain Services Installation Wizard will not install and configure AD DS based off your entries. The progress can be viewed from the dialog box in the middle of the screen.
21. Click Finish, then Restart Now to restart the server. Once restarted AD DS is installed and your AD DS Forest has been established.
Verifying the installation of AD DS
1. Logon to the Domain Controller using the Administrator account credentials.
2. Launch the DNS console and verify the creation of Service Records for the newly established AD DS Forest. Below is an expanded view of the new DNS structure.
Your new domain controller in your new domain tree with AD DS is now installed.
Until next time, RIDE SAFE!