The Beginning – Create a Forest and Domain

Your first choice will be how you want to provision your domain controllers. Your choices include purchasing physical servers, using a hypervisor such as VMware ESXi or Microsoft Hyper-V, or going cloud and using Azure or AWS.

As discussed in an earlier post, I have a full home lab which uses Microsoft Hyper-V. I am a fan of Hyper-V due to the fact that with Server 2012 R2 they introduced Automatic Virtual Machine Activation. Unfortunately, due to summer heat, my home lab is powered off, so I will be using Azure DevTest Labs as part of my MSDN Subscription. Either way, I will not go into how to configure these environments ready to take your domain controllers, but rather assume you have the relevant storage and networking already configured.

In the beginning, I have provisioned 3 machines to get us going: 2 will be used as domain controllers and one as a workstation. The two domain controllers are running Windows Server 2016 Core. For a workstation, I am using Windows 10 Enterprise. Having a workstation early on makes life easier for configuring as we go along. Windows Server Core does not include the desktop shell or the graphical management tools (MMC consoles, Server Manager). Whilst a lot of the configuration can be done through PowerShell and the console, it will be easier using the Remote Server Administration Tools (RSAT) installed on a member server or workstation. I am using Windows Server Core to reduce the attack surface. There are fewer components installed, so fewer patches need to be applied, and with no GUI there is no Internet Explorer on the domain controller to encourage someone to inadvertently download something nasty.

You can use “sconfig” from the command line of a Server Core installation to configure the name and IP address and to perform Windows Update. Once your basic configuration is done we use PowerShell to install the roles and features, then create the domain and add subsequent domain controllers (note: this process is now done through the ADDSDeployment PowerShell module and no longer using dcpromo.exe, which was deprecated in Windows Server 2012).

With your basic configuration done via sconfig, you can proceed to open PowerShell and perform the following:

Remove-WindowsFeature FS-SMB1   # uninstall the SMB1 binaries (alias of Uninstall-WindowsFeature)
Restart-Computer                # the removal only takes effect after a reboot

This command will remove the old SMB1 protocol from the server. A vulnerability in the SMB1 server (patched in MS17-010) is how the recent WannaCrypt ransomware spread through networks. Removing it is an ideal step given the lack of security measures in SMB1 (no signing by default, no encryption, no pre-authentication integrity). However, care should be taken as there are still products and devices that rely on SMB1. A list of these can be found at the following Microsoft page – http://aka.ms/StillNeedsSMB1. Microsoft has said SMB1 will no longer be installed by default in future releases of Windows Server 2016 and Windows 10, so it’s good to start without it if you can. Once SMB1 has been removed, you need to restart the computer.
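The following is an added example, not code from the original post. It reports the SMB1 state on whichever box it runs on, removes it (the FS-SMB1 feature on Server 2016, the SMB1Protocol optional feature on the Windows 10 workstation), disables the protocol in the SMB server configuration as well, and, where the build supports it, switches on SMB1 access auditing so you can see which clients still use it before you pull it from a server with real clients. Detecting server versus workstation by Win32_OperatingSystem.ProductType assumes the lab only contains those two SKUs; the audit log name and event ID are Microsoft’s.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
function Get-Smb1Status {
    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        # Client SKUs expose SMB1 as an optional feature, not a server feature
        $state = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        $installed = ($state -eq 'Enabled')
    }
    else {
        $installed = (Get-WindowsFeature -Name FS-SMB1).Installed
    }
    # The SMB server keeps its own on/off switch for the protocol, independent
    # of whether the binaries are installed, so report both views
    $srv = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IsWorkstation     = ($os.ProductType -eq 1)
        Smb1Installed     = $installed
        Smb1ServerEnabled = $srv.EnableSMB1Protocol
    }
}

function Remove-Smb1 {
    $status = Get-Smb1Status
    $status | Format-List | Out-String | Write-Host

    if ($status.Smb1Installed) {
        if ($status.IsWorkstation) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        else {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
        }
        Write-Host 'SMB1 binaries removed; restart to complete.'
    }
    else {
        Write-Host 'SMB1 binaries already absent.'
    }

    # Belt and braces: refuse to negotiate SMB1 on the server side as well
    if ($status.Smb1ServerEnabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMB1 disabled in the SMB server configuration.'
    }
}

# Before removing SMB1 from a server that has real clients, find out who still
# uses it. AuditSmb1Access only exists on newer builds, so test for it first.
function Enable-Smb1Audit {
    if ((Get-SmbServerConfiguration).PSObject.Properties['AuditSmb1Access']) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
        'SMB1 connections are now logged to Microsoft-Windows-SMBServer/Audit as event 3000.'
    }
    else {
        'This build cannot audit SMB1 access; review http://aka.ms/StillNeedsSMB1 instead.'
    }
}

Remove-Smb1
```

On a fresh lab DC run it as-is; on a server that already has clients, call Enable-Smb1Audit first, leave it for a week or two, and check the audit log before running Remove-Smb1.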

Once the server has been rebooted, we can proceed to create the forest and domain root. This is a relatively simple task to complete:

Add-WindowsFeature -Name AD-Domain-Services, RSAT-AD-PowerShell, DNS, RSAT-DNS-Server   # binaries only; nothing is promoted yet
Install-ADDSForest -DomainName <<your domain name>>   # prompts for the DSRM password, then reboots automatically

Remember to substitute your desired domain name into the Install-ADDSForest cmdlet. Gone are the days of using company.local; you should now be using a public domain that you own and control, so that the name cannot collide with somebody else’s and you can obtain publicly trusted certificates for it if you ever need to. This can be either a domain dedicated to your directory environment (companyname.net) or a subdomain of an existing domain you own (ad.companyname.com). Personally, I prefer the latter and tend to use a subdomain. This also allows you to create additional domains and implement trusts where required (admin.companyname.com as part of a “Red Forest” design, Microsoft’s Enhanced Security Administrative Environment).

Once the first server has rebooted, your domain will exist and you can add machines, users and other domain controllers. Our next step will be to deploy an additional domain controller. First of all, we need to ensure that its primary DNS server is the newly provisioned domain controller, otherwise it cannot locate the domain. Because this server is not yet a domain member, Install-ADDSDomainController also has to be given domain administrator credentials with -Credential, and like Install-ADDSForest it will prompt for a DSRM password. Then we open PowerShell and enter the following two commands:

Add-WindowsFeature -Name AD-Domain-Services, RSAT-AD-PowerShell, DNS, RSAT-DNS-Server
Install-ADDSDomainController -DomainName <<your domain name>> -Credential (Get-Credential)   # supply DOMAIN\Administrator when prompted

Once this has completed, a reboot will be performed and we can do the final step of the configuration. Each domain controller should use the other DC as its primary DNS server and itself as the secondary, so that a DC that is slow to start its own DNS service can still resolve the domain. On DC01, its DNS servers should be:

  1. The IP address of DC02
  2. The IP address of DC01

Then on DC02 (and all subsequent member servers and workstations) we need to make sure its DNS servers are:

  1. The IP address of DC01
  2. The IP address of DC02

With the DNS servers set correctly, you should be able to successfully join your workstation to the domain. Then, working with RSAT on the workstation, we can proceed with the configuration of the Gold Standard domain.
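To bring the steps above together, here is an added example of the whole build as a set of PowerShell functions, not code from the original post. It assumes the domain name ad.example.com with NetBIOS name AD, the addresses 10.0.0.11 and 10.0.0.12 for DC01 and DC02 with a /24 and gateway 10.0.0.1, and a single connected network adapter on each machine; all of those are example values to change for your environment. Run each function on the machine named in its comment, in an elevated PowerShell. It goes slightly beyond the post by finishing with a health check that confirms both DCs are registered, the SRV records clients use to find them resolve, and replication is working.

```powershell
# Added example, not from the original post. All names and addresses below are
# assumed lab values; change them to match your environment.
$DomainName   = 'ad.example.com'   # a subdomain of a domain you own (assumed)
$NetBiosName  = 'AD'
$Dc01Ip       = '10.0.0.11'        # assumed lab addressing
$Dc02Ip       = '10.0.0.12'
$PrefixLength = 24
$Gateway      = '10.0.0.1'

# Step 1 (DC01 and DC02): the sconfig work in PowerShell - static IP, DNS,
# SMB1 removal - then the rename and the reboot both the rename and the SMB1
# removal need. Assumes one connected NIC.
function Initialize-Server {
    param([string]$Name, [string]$IPAddress, [string]$DnsServer)
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    # Pre-promotion DNS: DC01 points at itself (it will host DNS), DC02 at DC01
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DnsServer
    Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
    Rename-Computer -NewName $Name -Force -Restart
}

# Step 2 (DC01): create the forest root. The DSRM password is prompted for
# rather than written into the script.
function New-ForestRoot {
    Install-WindowsFeature -Name AD-Domain-Services, RSAT-AD-PowerShell, DNS, RSAT-DNS-Server | Out-Null
    $dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetBiosName `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force   # reboots when done
}

# Step 3 (DC02): add the second DC. DC02 is still a workgroup machine here, so
# a domain credential has to be passed explicitly.
function Add-SecondDomainController {
    Install-WindowsFeature -Name AD-Domain-Services, RSAT-AD-PowerShell, DNS, RSAT-DNS-Server | Out-Null
    $cred = Get-Credential -Message 'Domain Admin credential' -UserName "$NetBiosName\Administrator"
    $dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
    Install-ADDSDomainController -DomainName $DomainName -Credential $cred `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force   # reboots when done
}

# Step 4 (both DCs): final DNS client order - the other DC first, itself second.
#   DC01:  Set-DcDnsClientOrder -Primary $Dc02Ip -Secondary $Dc01Ip
#   DC02:  Set-DcDnsClientOrder -Primary $Dc01Ip -Secondary $Dc02Ip
function Set-DcDnsClientOrder {
    param([string]$Primary, [string]$Secondary)
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Primary, $Secondary
    Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4
}

# Step 5 (workstation): point DNS at the DCs, then join and reboot.
function Join-Workstation {
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Dc01Ip, $Dc02Ip
    Add-Computer -DomainName $DomainName -Credential (Get-Credential "$NetBiosName\Administrator") -Restart
}

# Check (on a DC, or on the workstation once RSAT is installed): both DCs are
# registered, the _ldap._tcp.dc._msdcs SRV records resolve to them, and
# replication between them is healthy.
function Test-DomainBuild {
    Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site, IsGlobalCatalog
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV |
        Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port
    repadmin /replsummary
    dcdiag /q   # prints only failures; no output means every test passed
}
```

The order matters: run Initialize-Server on both servers first (DC01 with $Dc01Ip as its own DNS server, DC02 with $Dc01Ip), then New-ForestRoot on DC01, wait for it to come back, then Add-SecondDomainController on DC02, and only then set the final DNS order on each DC and join the workstation.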

Apologies it’s a bit of a long one, it will give a little insight to what’s coming and I am sure as we progress things will be shorter and sweeter.
