Installing domain controllers
Once the TCP/IP networking is set up and working, the next step to tackle is installing the domain controllers. In a Windows Active Directory domain, the domain controllers can be viewed as the core of the network. Domain controllers provide user authentication, group policy information, time synchronization, and access to Active Directory objects. Additionally, domain controllers often provide several network services such as DNS, DHCP, certificate services, and more.
This recipe will set up and install the first domain controller, creating a new domain in a new forest. Once completed, the second domain controller will be remotely installed and promoted. Additionally, we will install DNS on both domain controllers to provide name resolution services.
Getting ready
This recipe assumes a server and networking configuration setup similar to the prior recipe. We will be working with newly installed servers without any additional roles or software installed. To complete these tasks, you will need to log on to the server as the local administrator.
How to do it...
Carry out the following steps to install the domain controller:
- As an administrator, open a PowerShell.
- Identify the Windows Features to install:
Get-WindowsFeature | Where-Object Name -like *domain* Get-WindowsFeature | Where-Object Name -like *dns*
- Install the necessary features:
Install-WindowsFeature AD-Domain-Services, DNS –IncludeManagementTools
- Configure the domain:
$SMPass = ConvertTo-SecureString 'P@$$w0rd11' –AsPlainText -Force Install-ADDSForest -DomainName corp.contoso.com –SafeModeAdministratorPassword $SMPass –Confirm:$false
How it works...
The first step executes the Get-WindowsFeature Cmdlet to list the features necessary to install domain services and DNS. If you are unsure of the exact names of the features to install, this is a great method to search for the feature names using wildcards. The second step uses Install-WindowsFeature to install the identified features, any dependencies, and any applicable management tools.
The third step calls Install-ADDSForest to create a new domain/forest named corp.contoso.com. Before promoting the server to a domain controller, we create a variable named $SMPass, which will hold a secure string that can be used as a password when promoting the server. This secure string is then passed as -SafeModeAdministratorPassword to the server, allowing access to the server if the domain services fail to start in the future:
You will see a notice similar to the preceding screenshot when installation is finished. The system will automatically restart and the domain controller install will be complete.
There's more...
The following lists what more can be done with the domain controller:
- Joining a computer to domain: Once the domain has been created, computers can be joined to the domain manually or via automation. The following example shows how to use PowerShell to join the
CorpDC2computer to thecorp.contoso.comdomain.$secString = ConvertTo-SecureString 'P@$$w0rd11' -AsPlainText -Force $myCred = New-Object -TypeName PSCredential -ArgumentList "corp\administrator", $secString Add-Computer -DomainName "corp.contoso.com" -Credential $myCred –NewName "CORPDC2" –Restart
Similar to creating the domain, first a
$secStringvariable is created to hold a secure copy of the password that will be used to join the computer to the domain. Then a$myCredvariable is created to convert the username/password combination into aPSCrededntialobject that will be used to join the computer to the domain. Lastly, theAdd-ComputerCmdlet is called to join the computer to the domain and simultaneously, rename the system. When the system reboots, it will be connected to the domain. - Push install of domain controller: It is normally considered best practice to have at least two domain controllers (DCs) for each domain. By having two DCs, one can be taken offline for maintenance, patching, or as the result of an unplanned outage, without impacting the overall domain services.
Once a computer has been joined to the domain, promoting the system to a DC can be performed remotely using PowerShell:
Install-WindowsFeature –Name AD-Domain-Services, DNS -IncludeManagementTools –ComputerName CORPDC2 Invoke-Command –ComputerName CORPDC2 –ScriptBlock { $secPass = ConvertTo-SecureString 'P@$$w0rd11' -AsPlainText –Force $myCred = New-Object -TypeName PSCredential -ArgumentList "corp\administrator", $secPass $SMPass = ConvertTo-SecureString 'P@$$w0rd11' –AsPlainText –Force Install-ADDSDomainController -DomainName corp.contoso.com –SafeModeAdministratorPassword $SMPass -Credential $myCred –Confirm:$false }First, the Domain and DNS services and appropriate management tools are installed on the remote computer. Then, using the
Invoke-CommandCmdlet, the commands are executed remotely to promote the server to a domain controller and reboot.