Overview
Introduction to Creating a Windows Server Domain
Creating a Windows Server Domain is an essential task for managing a network of computers, users, and other resources within an organization. It helps streamline administrative tasks and improves security by centralizing the management of resources and access controls. In a domain, a central server, called a Domain Controller (DC), stores all information about the domain, including user accounts, group policies, and resources. This guide will provide an introduction to the key steps involved in creating a Windows Server Domain.
Domains Are the Core Administrative Unit
The First Domain Created Is the Root Domain of the Entire Forest or the Forest Root
Using the Active Directory Installation Wizard, You Can Create Domains and Domain Controllers
Installing Active Directory
Preparing to Install Active Directory
Active Directory Installation Requirements
Computer Running Windows 2012 Server, Windows 2016 Advanced Server, or Windows 2018 Datacenter Server
Minimum Disk Space of 200 GB for Active Directory and 50 GB for Log Files
Partition or Volume That Is Formatted with the NTFS File System
TCP/IP Installed and Configured to Use DNS
Appropriate Administrative Privileges for Creating a Domain in an Existing Network
Creating the First Domain
Start the Active Directory Installation Wizard
Select the Domain Controller and Domain Type
Specify the Required Information
Domain, DNS, and NetBIOS names
Database, log, and shared system volume locations
Choose whether to weaken permissions (compatibility with pre-Windows 2000 servers)
Specify a password to use in Directory Services Restore Mode
The Active Directory Installation Wizard:
Installs Active Directory
Converts the computer to a domain controller
Adding a Replica Domain Controller
Fault Tolerance Requires a Minimum of Two Domain Controllers in a Single Domain
More Than One Domain Controller in a Domain Also Ensures That a Single Domain Controller Is Not Overloaded
Run Dcpromo to Add a Domain Controller to an Existing Domain
The Active Directory Installation Wizard:
Converts the computer to a domain controller
Replicates Active Directory from an existing domain controller
Using an Unattended Setup Script to Install Active Directory
Contains all of the parameters needed for an unattended session of installing Active Directory
Contains only the [DCInstall] section of the unattended setup parameters file
Can be run after Windows 2012 Server setup has been completed and a user has logged on to the computer
dcpromo /answer:<answer file>
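The answer file and its command line, worked through as an added example that is not part of the original outline: a [DCInstall] section for the first domain controller of a new forest, the replica variant, and the ADDSDeployment cmdlets that Windows Server 2012 provides for the same job. The domain name, NetBIOS name, drive letters and DSRM password placeholder are constructed; the key names are those of the Windows Server 2008/2012 dcpromo unattend format, which takes /unattend: where the Windows 2000 wizard took /answer:.

```powershell
# Added example: unattended domain-controller promotion.
# Domain name, NetBIOS name, drive letters and the password placeholder are constructed.

# --- 1. dcpromo answer file: only the [DCInstall] section is needed ---
$answerFile = 'C:\dcinstall.txt'
@'
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
ForestLevel=5
DomainLevel=5
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="D:\NTDS"
LogPath="E:\NTDS-Logs"
SYSVOLPath="D:\SYSVOL"
SafeModeAdminPassword=<DSRM-password-placeholder>
RebootOnCompletion=Yes
'@ | Set-Content -Path $answerFile -Encoding ASCII

# The file carries the Directory Services Restore Mode password in clear text:
# keep it readable by Administrators only and delete it once promotion completes.
# Windows Server 2008 and later spell the switch /unattend: (Windows 2000 used /answer:).
# Run either this line or the cmdlet path in section 3, not both:
#   dcpromo /unattend:$answerFile
#   Remove-Item $answerFile

# --- 2. The same file for a replica DC joining an existing domain ---
#   ReplicaOrNewDomain=Replica
#   ReplicaDomainDNSName=corp.example.com
#   SiteName=Default-First-Site-Name
#   UserDomain=CORP
#   UserName=Administrator
#   Password=*        <- '*' makes dcpromo prompt instead of storing the password on disk

# --- 3. ADDSDeployment cmdlets (Windows Server 2012) with the same settings ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# First domain controller of a new forest; database, logs and SYSVOL on separate drives
Install-ADDSForest -DomainName 'corp.example.com' -DomainNetbiosName 'CORP' `
    -ForestMode Win2012 -DomainMode Win2012 -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'D:\NTDS' -LogPath 'E:\NTDS-Logs' -SysvolPath 'D:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Force

# Additional (replica) domain controller in that domain, for fault tolerance and load sharing
# Install-ADDSDomainController -DomainName 'corp.example.com' `
#     -Credential (Get-Credential 'CORP\Administrator') -SiteName 'Default-First-Site-Name' `
#     -InstallDns -DatabasePath 'D:\NTDS' -LogPath 'E:\NTDS-Logs' -SysvolPath 'D:\SYSVOL' `
#     -SafeModeAdministratorPassword $dsrm -Force
```

The cmdlets prompt for nothing but the DSRM password, so the secret never sits in a file; if the answer-file route is used anyway, the file should be removed as soon as the wizard has consumed it.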
The Active Directory Installation Process
Configuration Parameters
Checks Performed by the Active Directory Installation Wizard Before Installing Active Directory
Verifies User Interface Parameters
Verifies NetBIOS Name and Server Name
Verifies TCP/IP Configuration
Validates the DNS and NetBIOS Domain Names
Verifies User Credentials
Verifies File Locations
Site Configuration
The Domain Controller Is Added to the Site That Is Associated with Its Subnet
The Server Is Placed in the Default-First-Site-Name Site if No Subnet Object Is Found
The Active Directory Installation Wizard Creates a Server Object
Directory Service Configuration
Verifies File Locations
Operations for All Types of Installations
Creates the required registry entries
Sets up the performance counters for Active Directory
Configures the server to automatically enroll for an X.509 domain controller certificate
Starts the Kerberos V5 authentication service
Sets the Local Security Authority (LSA) policy
Installs shortcuts to administration tools in Active Directory
Directory Partitions Configuration
Creates the schema directory partition
Creates the configuration directory partition
Creates the domain directory partition
Services and Security Configuration
Configuring Services and Security
Setting Services to Start Automatically
Remote Procedure Call (RPC) Locator
Net Logon
KDC
Intersite Messaging
Distributed Link Tracking Server
Windows Time
Setting Security
Sets security for the directory service and the file replication folders
Configures default DACLs on files and objects in Active Directory
Configures default Group Policy by using the security templates
Additional Active Directory Installation Operations
Additional Operations
Sets the Computer DNS Root Domain Name
Determines Whether the Server Computer Is a Member of the Domain
Creates a Computer Account in the Domain Controllers OU
Applies the User-Provided Password for the Administrator Account
Creates a Cross-Reference Object in the Configuration Container
Adds Shortcuts
Creates the SYSVOL Folder
Creates Schema and Configuration Containers
Assigns the Specific Roles to the Domain Controller
Examining the Default Structure of Active Directory
Store Primary Zones in Active Directory
Replicate DNS Zone Information During Active Directory Replication
Provide Additional Benefits:
Eliminates a primary DNS server as a single point of failure
Enables secure dynamic updates
Performs standard zone transfers to other DNS servers
Performing Post Active Directory Installation Tasks
Verifying the Active Directory Installation
Verify SRV Resource Records
Verify SYSVOL
Verify the Directory Database and Log Files
Verify the Installation Results by Examining the Event Logs
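The four verification steps above, scripted as an added example (not code from the original outline): it resolves the SRV records clients use to find a domain controller and KDC, confirms the SYSVOL and NETLOGON shares, locates the directory database and transaction logs from the NTDS registry parameters, and scans the relevant event logs for errors. The domain name is a constructed placeholder; the 24-hour event window is an assumption.

```powershell
# Added example: post-installation checks run on the new domain controller.
# The domain name is a constructed placeholder.
function Test-DcInstallation {
    param([string]$DomainName = 'corp.example.com')
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }

    # 1. SRV records: without these, clients cannot locate the DC or the KDC
    foreach ($name in "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName") {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
        Add-Result "SRV $name" $srv (($srv | ForEach-Object { $_.NameTarget }) -join ', ')
    }

    # 2. SYSVOL and NETLOGON shares (Group Policy and logon scripts are served from here)
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $s = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
        Add-Result "Share $share" $s $s.Path
    }

    # 3. Directory database (ntds.dit) and transaction logs, read from the NTDS parameters
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit    = $ntds.'DSA Database file'
    $logDir = $ntds.'Database log files path'
    Add-Result 'ntds.dit present' (Test-Path $dit) $dit
    $logs = Get-ChildItem -Path $logDir -Filter 'edb*.log' -ErrorAction SilentlyContinue
    Add-Result 'Transaction logs present' $logs "$(@($logs).Count) log file(s) in $logDir"
    # Best practice from this outline: database and logs on separate drives
    $separate = (Split-Path $dit -Qualifier) -ne (Split-Path $logDir -Qualifier)
    Add-Result 'Database and logs on separate drives' $separate "$dit / $logDir"

    # 4. Event logs: critical and error events in the last 24 hours (assumed window)
    $since = (Get-Date).AddHours(-24)
    foreach ($log in 'Directory Service', 'DNS Server', 'DFS Replication') {
        $errors = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since } `
                               -ErrorAction SilentlyContinue
        Add-Result "No errors in '$log'" (-not $errors) "$(@($errors).Count) error(s) since $since"
    }
    return $results
}

Test-DcInstallation | Format-Table -AutoSize
# Built-in tools that cover the same ground from the server's point of view:
#   dcdiag /test:DNS /test:Advertising
#   nltest /dsgetdc:corp.example.com
```

A failed SRV check on a fresh installation usually means the server is not pointing at itself (or another DC) for DNS, or Net Logon has not yet registered its records; restarting Net Logon re-registers them.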
Implementing Active Directory Integrated Zones
Use DNS to Integrate a DNS Zone with Active Directory
Implement a Forward Lookup Zone
Implement a Reverse Lookup Zone
Securing Updates for Active Directory Integrated Zones
Use DNS to Secure Updates for Active Directory Integrated Zones
Secure the Active Directory Integrated Zones to Enable You to Control Access to Zones and Resource Records
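The forward and reverse zones above, created as Active Directory integrated zones with secure dynamic updates, followed by an audit that flags any primary zone still accepting unauthenticated updates. This is an added example, not the original outline's material; zone names and the 10.0.0.0/24 subnet are constructed, and it assumes the DNS Server role and its DnsServer PowerShell module are installed on a domain controller.

```powershell
# Added example: AD-integrated zones with secure dynamic updates, plus an audit.
# Zone names and the subnet are constructed placeholders.
Import-Module DnsServer

# Forward lookup zone stored in AD and replicated with AD to every DC in the domain.
# 'Secure' means only authenticated domain members can register or change records,
# which is what stops an unauthenticated host from overwriting another host's record.
Add-DnsServerPrimaryZone -Name 'corp.example.com' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Reverse lookup zone for the 10.0.0.0/24 subnet, same storage and update policy
Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# An existing file-backed primary zone cannot use secure updates: move it into AD, then tighten it
Set-DnsServerPrimaryZone -Name 'legacy.example.com' -ReplicationScope 'Domain'
Set-DnsServerPrimaryZone -Name 'legacy.example.com' -DynamicUpdate 'Secure'

# Audit: primary zones on this server that accept unauthenticated dynamic updates
function Get-InsecureDynamicUpdateZone {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate
}

# Remediate: AD-integrated zones can be switched directly; file-backed zones need conversion first
foreach ($zone in Get-InsecureDynamicUpdateZone) {
    if ($zone.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate 'Secure'
    } else {
        Write-Warning "$($zone.ZoneName) is file-backed; set -ReplicationScope to integrate it before securing updates"
    }
}
```

Once a zone is integrated, the zone and each record carry their own DACL, which is what the "control access to zones and resource records" line above refers to; the update policy and those ACLs replicate with Active Directory rather than by zone transfer.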
Changing the Domain Mode
Active Directory Installs in Mixed Mode to Provide Support for Existing Domain Controllers
Group Nesting and Universal Security Groups Require a Domain to Be in Native Mode
Implementing an Organizational Unit Structure
Enhance Administrative Control
Delegate administrative control over network resources
Group similar network resources under one OU
Simplify object administration, and control visibility of network resources
Make resource administration more efficient
Control Group Policy Application
Create an OU in a Domain or Within Another OU by Using Active Directory Users and Computers
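An OU structure built from PowerShell rather than the Active Directory Users and Computers console, with one delegated right and one linked Group Policy object, as an added example that is not part of the original outline. It assumes the ActiveDirectory and GroupPolicy modules on a domain controller; the OU names, the Helpdesk group and the GPO name are constructed, and the delegation grants only the "Reset Password" control-access right on user objects, which is the least-privilege form of the "delegate administrative control" item above.

```powershell
# Added example: OU tree, a narrowly delegated right, and a linked GPO.
# OU names, group name and GPO name are constructed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# Create each OU in a slash-separated path if it is missing; return the final OU's DN
function New-OuPath {
    param([string]$Path, [string]$BaseDn)
    $parent = $BaseDn
    foreach ($name in $Path -split '/') {
        $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $parent -SearchScope OneLevel
        if (-not $existing) {
            # Protection blocks an accidental subtree delete of everything under the OU
            New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true | Out-Null
        }
        $parent = "OU=$name,$parent"
    }
    return $parent
}

$usersOu = New-OuPath 'Corp/Users'        $domainDn
$wsOu    = New-OuPath 'Corp/Workstations' $domainDn
$null    = New-OuPath 'Corp/Servers'      $domainDn

# Delegation: Helpdesk may reset passwords of user objects under Corp/Users, nothing more.
# The GUIDs are the well-known 'Reset Password' control-access right and the 'user' class.
$helpdesk = Get-ADGroup -Filter "Name -eq 'Helpdesk'"
if (-not $helpdesk) {
    $helpdesk = New-ADGroup -Name 'Helpdesk' -GroupScope Global -GroupCategory Security -Path $usersOu -PassThru
}
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass
)
$acl = Get-Acl -Path "AD:\$usersOu"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$usersOu" -AclObject $acl

# Group Policy: settings linked here apply to every computer in Corp/Workstations and below
New-GPO -Name 'Workstation Baseline' | New-GPLink -Target $wsOu -LinkEnabled Yes | Out-Null
```

Scoping the ACE with an inherited-object type of "user" means the Helpdesk group gains no right over computer, group or OU objects in the same container, and because it is granted on the OU rather than the domain, moving a user out of Corp/Users removes the delegation for that account.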
Troubleshooting the Installation of Active Directory
Access Denied While Creating or Adding Domain Controllers
DNS or NetBIOS Domain Names Are Not Unique
Domain Cannot Be Contacted
Insufficient Disk Space
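The four failure causes listed above map onto checks that can be run before the wizard starts; the added example below (not part of the original outline) also covers the installation requirements from earlier in this document: administrative rights, NTFS and free space on the database and log volumes, a DNS server in the TCP/IP configuration, and either the uniqueness of the new DNS name or the reachability of the existing domain for a replica. The domain name, NetBIOS name and paths are constructed placeholders; the 200 GB and 50 GB figures are the ones this document states.

```powershell
# Added example: pre-flight checks before promoting a server to a domain controller.
# Names and paths are constructed placeholders; the GB figures come from this outline.
function Test-DcPrerequisites {
    param(
        [string]$DomainName   = 'corp.example.com',
        [string]$NetbiosName  = 'CORP',
        [string]$DatabasePath = 'D:\NTDS',
        [string]$LogPath      = 'E:\NTDS-Logs',
        [int]$MinDatabaseGB   = 200,
        [int]$MinLogGB        = 50,
        [switch]$Replica      # set when adding a DC to an existing domain
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }

    # "Access Denied": the wizard needs an elevated administrator token on this server
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Result 'Running elevated as Administrator' $isAdmin $identity.Name

    # "Insufficient Disk Space" and the NTFS requirement, checked per target volume
    foreach ($item in @(@{ Path = $DatabasePath; MinGB = $MinDatabaseGB },
                        @{ Path = $LogPath;      MinGB = $MinLogGB })) {
        $letter = (Split-Path $item.Path -Qualifier).TrimEnd(':')
        $vol    = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        $freeGB = if ($vol) { [math]::Round($vol.SizeRemaining / 1GB, 1) } else { 0 }
        Add-Result "NTFS on ${letter}: for $($item.Path)" ($vol.FileSystem -eq 'NTFS') $vol.FileSystem
        Add-Result "At least $($item.MinGB) GB free for $($item.Path)" ($freeGB -ge $item.MinGB) "$freeGB GB free"
    }

    # TCP/IP must already point at a DNS server
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses }).ServerAddresses
    Add-Result 'DNS server configured in TCP/IP' $dnsServers ($dnsServers -join ', ')

    # "Domain Names Are Not Unique" vs "Domain Cannot Be Contacted": the same SRV lookup,
    # read in opposite directions depending on whether this is a new domain or a replica
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    if ($Replica) {
        Add-Result "Existing domain $DomainName can be contacted" $dcs (($dcs | ForEach-Object { $_.NameTarget }) -join ', ')
    } else {
        Add-Result "DNS name $DomainName not already in use" (-not $dcs) "$(@($dcs).Count) existing DC record(s)"
    }
    # NetBIOS domain names are limited to 15 characters from a restricted character set
    Add-Result 'NetBIOS name is well formed' ($NetbiosName -match '^[A-Za-z0-9-]{1,15}$') $NetbiosName

    return $results
}

Test-DcPrerequisites | Format-Table -AutoSize
# With the AD DS role installed, the ADDSDeployment module can dry-run the wizard's own checks:
#   Test-ADDSForestInstallation -DomainName corp.example.com -SafeModeAdministratorPassword (Read-Host -AsSecureString)
```

Run it with -Replica when adding a domain controller to an existing domain, so that the DNS lookup is treated as a reachability test instead of a uniqueness test.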
Removing Active Directory
Using the Active Directory Installation Wizard
Providing appropriate administrative credentials
The Active Directory Installation Wizard Performs Specific Removal Operations Depending on the Type of Domain Controller
Best Practices
Implement Multiple Domain Controllers in a Domain
Reduce Administrative Overhead by Grouping Objects in an OU
Start with a Single Domain
Establish a Functional DNS Infrastructure
Install the Directory Database and Log Files on Separate Drives
Allow Free Disk Space for Directory Database and Log Files
Allow Free Disk Space for SYSVOL