Hi all, and welcome back to another blog post, by yours truly!
The purpose of this post is to outline the deployment of a Windows Server 2012 R2 Active Directory empty forest root domain, using a single GUI DC and a single Core DC. In a future blog post I may build on this and create a separate child domain from which all day-to-day domain work would be done.
This build follows what was once a Microsoft best practice guide; with that being said, whether it still counts as best practice is open to question. Mark Parris wrote on his blog in 2009 that several factors have changed in newer releases of Windows Server, which may or may not leave the empty root domain a sensible default any more, and you can make your own decision on what fits your infrastructure needs/requirements.
Just to quote the final paragraph in his blog post:
Microsoft’s official stance is to start with a single domain and implement new domains based on your own requirements as necessary. I can find nowhere an official statement stating that the empty root domain is no longer valid; but it is widely accepted in Active Directory circles that having an empty forest root is no longer best practice – this does not mean it is wrong to implement an empty forest root – it just means that it is no longer best practice.
Essentially, it’s up to you to determine what’s best for your environment. Having an empty root domain with a child domain isn’t wrong (and some still treat it as best practice), but it isn’t automatically the right answer either: your individual requirements, and the cost of the additional servers and the management needed to keep those servers powered, cooled and updated, will ultimately drive what you need in your environment, and all of those factors have to be carefully weighed before you deploy your AD environment.
With that being said, back to my build. For the sake of my build, like I said, I am building a two-host root domain, and in a later blog post I will probably go ahead and add a child domain (or maybe I’ll scrap it all and Keep It Simple, Stupid).
- All servers will be deployed using Windows Server 2012 R2 Standard Edition.
- Both of these are currently VMs on VMware Workstation 10.
- Basic Windows Installation is complete. NO roles or features have been installed.
- The first DC is built as a FULL GUI installation, the 2nd, as a CORE installation.
- Full GUI installation is Named RDC01, and CORE installation is named RDC02.
- Windows Firewall will be disabled on both machines. (Lab shortcut only: installing the AD DS and DNS roles enables the firewall rule groups those services need, so a domain controller does not need the firewall off. In anything real, leave it on.)
- Static IP Addresses are set on both machines.
- 192.168.127.130 – RDC01
- 192.168.127.131 – RDC02
Installing the 1st Domain Controller
High Level View
As many Windows guys will attest to, on earlier versions of Windows Server (2008 R2 and earlier) it was common to start the Active Directory Installation Wizard by running the dcpromo.exe executable on your first DC. Beginning with Windows Server 2012, the installation of Active Directory has moved into Server Manager. dcpromo.exe is still around, but it is deprecated: it is only supported for unattended (scripted) installs, and requires an answer file.
The DC promotion process is a two-step procedure. First you install the binaries the domain controller role uses (the AD DS role), then you promote the server to a domain controller.
Nuts & Bolts – Installing the Role
- So, we have our firewall disabled, and we have a static IP address set. (If not, do that before proceeding any further.)
- In Server Manager, open the Manage menu in the top bar and select Add Roles and Features.
- On the “Before you begin” page, read through the information, and select “Next“.
- On the Select installation type page, select “Role-based or feature-based installation”, then select “Next”.
- On the Select destination server tab, your server should already be highlighted, select “Next”
- Now here’s the good stuff! On the Select server roles tab, Select the check box next to “Active Directory Domain Services”
An additional box will pop up prompting you to install the RSAT Tools, AD PowerShell Module, and the ADDS Tools. Leave everything selected, and select “Add Features”
- Leave the default options selected on the Select features, and select “Next“
- ADDS Notes will appear next, Read through the notes, and select “Next”
- Time to confirm your settings prior to installation. I have selected the Check box next to “Restart the destination server automatically if required”. Select “Install” to install the AD DS role.
Nuts & Bolts – Promoting the Domain Controller
- Congratulations! you now have the role files installed. Now its time to promote the server to an actual domain controller.
- In the notification flag in the ribbon, you should see a yellow exclamation, and if you hover, you should see a link to “Promote this server to a domain controller“. What are you waiting for, Click that link!
- This will open the window title “Active Directory Domain Services Configuration Wizard”
- Under Deployment Configuration, we are creating a new forest, so select the “Add a new forest” radio button, then enter the name for your root domain in the text box. Then select “Next”.
- I am creating a new forest and domain at the default functional level (the highest the installed version of Windows Server supports), and I want DNS on my first domain controller, so I will leave the forest and domain functional levels alone and leave the Domain Name System (DNS) server check box selected. Type in a complex password for Directory Services Restore Mode (DSRM) and store it in a safe location; it is the local administrator credential for this DC when AD is offline, so treat it like one. Select “Next”.
- On the DNS Options tab, you will receive a warning that a DNS delegation could not be created. That’s okay: there is no parent zone for a brand-new root domain, and we are installing our own DNS server, so select “Next”.
- On the Additional Options tab, the NetBIOS name will be filled in from the first label of your domain name (upper case, 15 characters max). There is really no reason to change this, unless you enjoy playing evil practical jokes on your co-workers. Select “Next”.
- On the Paths tab, Leave the Paths as default, and select “Next”
- Review the options, and select “Next”.
- The wizard then runs the prerequisites check. Warnings (the DNS delegation one again, and a note about the default cryptography setting) are informational and do not block the install; errors do. On a successful check, select “Install”. The server reboots when promotion completes.
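The same two-step build of the first DC (role files, then promotion) done from an elevated PowerShell session on RDC01 instead of the Server Manager wizard, as an added example that is not part of the original post. It assumes the forest root is named newdomain.net (the name the post uses later for the Core DC) and that RDC01 already has its static address; the paths are the wizard defaults. The Test- cmdlet runs the same prerequisite check the wizard does, and the checks at the end are what you would want to see on any freshly promoted DC.

```powershell
# Added example, not the post's own steps. Assumes forest root newdomain.net.

# Step 1 - the AD DS role files plus the management tools (RSAT-ADDS and the
# AD PowerShell module). This is what the "Add Roles and Features" wizard does.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2 - promote to the first DC of a new forest.
# Prompt for the DSRM password rather than embedding it in a script or leaving
# it in shell history: it is this DC's local recovery credential.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password for RDC01'

$forest = @{
    DomainName                    = 'newdomain.net'
    DomainNetbiosName             = 'NEWDOMAIN'    # first DNS label, upper case, 15 chars max
    ForestMode                    = 'Win2012R2'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false         # no parent zone exists for a new root
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true          # skip the interactive confirmation
}

# Same prerequisite check the wizard runs; read the warnings before going on.
Test-ADDSForestInstallation @forest

# Promote. The server reboots on completion.
Install-ADDSForest @forest

# ---- after the reboot, logged on as NEWDOMAIN\Administrator ----

# Forest, FSMO roles and GC status should all point at RDC01.
Get-ADForest | Select-Object Name, ForestMode, RootDomain, SchemaMaster
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles

# The DC must advertise itself and answer for its own zone.
dcdiag /test:advertising /test:dns

# The role install enabled these rules, which is why the firewall can stay on.
Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' |
    Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Profile
```

Splatting one hashtable into both the Test- and Install- cmdlets guarantees the check and the promotion see exactly the same settings, which is the one thing the wizard cannot get wrong and a hand-typed second command can.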
Nuts & Bolts – Adding the core Domain Controller
Howdy, glad you made it this far! You’re really committed and I’m proud of you. So, quick recap. We have our first domain controller installed and online, and we have our 2nd, Core, server online and at the cmd prompt. Because there is a little more fear in using Core mode, I will go ahead and walk through the IP addressing and disabling of the firewall for you. I know, I’m a real swell dude!
- At the command prompt, type sconfig.
- (I don’t expect you really need pictures for this part, so I’ll breeze through.) This opens the Server Configuration menu. The first thing we will do is change the name of the system, so select option 2 (Computer Name); I named mine RDC02. IMPORTANT NOTE: at this point you’ll be prompted to reboot. Hold off for now, and we’ll reboot after we set the IP address below.
- Next, select option 8 (Network Settings) and set your static IP address and DNS servers. Make sure the primary DNS server is the first domain controller (192.168.127.130): the Core box has to resolve the domain’s SRV records to find RDC01 during promotion. If you missed that, go back and change it.
- Press 13 to restart the server.
- After the server reboots, log back in, and next we are going to disable the firewall (again, a lab shortcut; the AD DS role install opens what it needs). The command to do this is:
netsh advfirewall set allprofiles state off
You should get a simple reply of “Ok.”
- Next, just like the GUI install, we need to install the AD DS role files. On Core this is done with the Install-WindowsFeature PowerShell cmdlet.
First, we have to switch to PowerShell by typing…. yep, you guessed it… powershell
Then run the cmdlet to add the Active Directory Domain Services role.
And watch it install the components.
- After the files are installed, we promote the server as an additional domain controller in the existing domain. The following command is used:
Install-ADDSDomainController -DomainName newdomain.net -Credential (get-credential newdomain\administrator)
You will be prompted for the password of the domain administrator account named in Get-Credential, which is what authorises the promotion against the existing DC.
Finally, enter the Directory Services Restore Mode (safe mode) password for this DC. It is a separate local credential, so do not reuse the domain administrator password here.
- The next prompt is simply a confirmation of what we’re about to do, so when you’re ready, select either [Y] or [A].
- And watch it install!
- With any luck, and if you followed all the steps properly, You now have a pair of Domain Controllers. 1 GUI mode DC, and 1 CORE mode DC! Yippee!
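The Core DC steps above (rename, addressing, role files, promotion) run entirely from PowerShell on RDC02 rather than through sconfig, followed by the replication checks worth doing on any second DC, as an added example that is not part of the original post. It assumes the NIC alias is “Ethernet” (the 2012 R2 default), a /24 subnet with no gateway needed in a single-subnet lab, and the domain name newdomain.net from the post’s own command. It also leaves Windows Firewall on: the AD DS and DNS role installs enable the rule groups those services need, so the netsh step in the post is optional.

```powershell
# Added example, not the post's own steps. Assumes NIC alias "Ethernet",
# a /24 subnet and domain newdomain.net.

# 1. Name and addressing. Rename, set the IP, then reboot once.
Rename-Computer -NewName 'RDC02' -Force
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.168.127.131' -PrefixLength 24
# The only DNS server a soon-to-be DC should point at is an existing DC.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.127.130'
Restart-Computer -Force

# ---- after the reboot, log back on and continue ----

# 2. Prove name resolution works before touching AD: the LDAP SRV record for
#    the domain must come back pointing at RDC01, or promotion will fail late.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.newdomain.net' -Type SRV

# 3. Role files. Same cmdlet as on the GUI box; the management tools give you
#    the AD PowerShell module on Core as well.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 4. Promote as an additional DC, also running DNS and a global catalog.
#    Two different secrets: the domain admin credential authorises the join,
#    the DSRM password is this DC's own local recovery credential.
$cred = Get-Credential -UserName 'NEWDOMAIN\Administrator' -Message 'Domain admin for promoting RDC02'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password for RDC02'

$dc = @{
    DomainName                    = 'newdomain.net'
    Credential                    = $cred
    InstallDns                    = $true
    SiteName                      = 'Default-First-Site-Name'
    ReplicationSourceDC           = 'RDC01.newdomain.net'   # pull the initial copy from the GUI DC
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true                   # skip the [Y]/[A] confirmation
}
Test-ADDSDomainControllerInstallation @dc   # wizard-style prerequisite check
Install-ADDSDomainController @dc            # reboots on completion

# ---- after the promotion reboot, from either DC ----

# 5. Both DCs should be listed, and inbound replication to RDC02 should show
#    zero failures. repadmin and dcdiag ship with the role.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, Site, IsGlobalCatalog
repadmin /replsummary
dcdiag /s:RDC02 /test:replications /test:advertising
```

The Resolve-DnsName step is the one most people skip: nearly every “cannot contact the domain” failure during promotion traces back to the new box pointing at a DNS server that does not host the _msdcs zone.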
And that, ladies and gentlemen, is how to install your first empty root domain on Server 2012 R2 with one GUI mode DC and one Core mode DC. Please feel free to leave your love/hate in the comments.