Creating a domain on Windows Server 2012 differs a little from previous versions of Windows.
The process is much more streamlined now, and administrators no longer have to use the command dcpromo.exe in order to create a domain.
Server Manager – Dashboard.
We continue where we left off in my previous post “Server 2012 – What’s new and basic installation and setup” and proceed to creating the first domain in a new forest.
- The new “Add Roles and Features Wizard” opens up -> Next.
- Here you are met with something new, but for now choose “Role-based or feature-based installation” -> Next.
- Make sure you have selected the right server, as you can install Roles and Features on any server (or PC for that matter), as long as you have the needed rights to do so. In our lab we only have one server, so click -> Next.
- Select “Active Directory Domain Services”. A new window will pop up listing the required services and features that will be installed once you click “Add Features”. Be sure not to uncheck “Include management tools (if applicable)”.
Notice how “AD DS” is now listed in the left-hand column.
- We also need the “DNS Server” Role in order for our Domain Controller to function, so select that one as well. You will be met with a pop-up which lists the tools that need to be installed in order to manage our DNS server. Click “Add Features”.
Notice again how “DNS Server” is now listed in the left-hand column.
- Once you have marked “Active Directory Domain Services” and “DNS Server”, click -> Next.
- Now we are at the “Features” part. As you can see, “Group Policy Management” is preselected as part of the AD DS Role. If you scroll down, you can see additional preselected items. Click Next.
- You are met with information regarding the installation of “AD DS”. It’s a good idea to read this, at least the first time you install something new. Click Next, and you are met with the informational screen regarding the “DNS Server” Role you are about to install. Click Next.
- In the Confirmation section you can see what you are about to install, but more interestingly, you can also choose to “Restart the destination server automatically if required”. This is highly useful, as you don’t have to monitor the server for the right moment to perform a restart. For the purpose of this post, I’m not selecting the Restart option though. Click Install.
- You can click Close, which will put the installation process in the background. You can click the “Flag” in the upper right corner of your Dashboard to view progress and other information. The Flag turns yellow when action is needed.
- Once the installation is complete, you can click on the Flag and choose “Promote this server to a domain controller.”
Installing Active Directory Domain Services – post-installation setup.
- Now we need to configure our newly installed Roles. We are going to create a new Domain Controller in a new domain. Select “Add a new forest”.
- Type in your domain name. I’m going to use “adatum.com”. Please note that we are now using an FQDN (Fully Qualified Domain Name) and not .local or similar. Click Next.
- The installation will now check for availability. While the check runs, the window is sort of faded and you can’t select anything. This can be hard to see if you are colorblind (as I am), but notice the moving bar. Once it stops moving, you can proceed.
- We are not going to change the Forest or Domain functional level, as we do not plan to include any old servers. Type in a DSRM password in case you ever need to restore your Active Directory. It’s a good idea to make it different from your Administrator password, but make sure to write it down somewhere. Click Next.
- On the next screen we get the message “A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found…”. What it means is that the DNS server cannot receive the permissions needed, as it cannot find the Domain Controller. This is expected, as we are in the process of installing the Domain Controller. Click Next.
- The wizard verifies whether the NetBIOS name is assigned to some other entity on the network. Click Next.
- Specify paths for the Database, Log and SYSVOL folders. The Database and Log folders contain data about your Active Directory and are needed if you need to make an offline Domain Join. Don’t change these. Click Next.
- Review the selections we have made. Be sure to click “View Script”. Here you can view how the script would look if these changes were made using PowerShell. Click Next.
- Review the Prerequisite check. You will receive some warnings about the DNS server we mentioned above. There will also be some additional general info, which I recommend reading the first time. The links provided also usually contain very useful information. Click Install.
- The server restarts automatically.
Notes: All actions in Server 2012 can be recreated using PowerShell, and for most things you can view the generated scripts for later use.
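As an added example (not the script the wizard generates), this is how the same role installation, prerequisite check and forest promotion look in PowerShell, using the adatum.com name and default paths from the steps above. It assumes an elevated PowerShell session on the freshly installed server; the DSRM password is prompted for rather than embedded in the script.

```powershell
# Added example, not the wizard's "View Script" output. Assumes an elevated
# session on a fresh Server 2012 that will become the first DC of adatum.com.

# 1. Install the AD DS and DNS Server roles with their management tools
#    (the "Include management tools" checkbox in the wizard).
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 2. Collect the settings the wizard asks for. The DSRM password is read as a
#    SecureString so it never sits in plain text in the script or the history.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'

$forestParams = @{
    DomainName                    = 'adatum.com'
    DomainNetbiosName             = 'ADATUM'
    ForestMode                    = 'Win2012'   # defaults kept: no legacy DCs planned
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false      # matches the "delegation cannot be created" notice
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true       # suppress the interactive confirmation
}

# 3. Run the same prerequisite check the wizard shows before Install.
Test-ADDSForestInstallation @forestParams | Format-List Message, Context, Status

# 4. Promote the server to the first DC of the new forest; it reboots on completion.
Install-ADDSForest @forestParams
```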
Server Manager – Dashboard
Now that you’ve created your first domain, you get some new information widgets on the Dashboard.
We now have “AD DS”, “File and Storage Services” and “DNS” in addition to “Local Server” and “All Servers”. You also have the new Roles listed in the left-hand bar of the Dashboard.
It’s pretty obvious that this is the place for getting the big overview.
If you have the need to install either of these new Roles on any other server in the domain, it’s as simple as right-clicking the desired service, say AD DS, and select “Add AD DS to Another Server.”
- Here you find the servers added to the domain, and you can click a server to get information about it.
- If you click the small arrow just under “TASKS” on the right-hand side, an option to “Add criteria” shows up. Here you can choose a wealth of info to show or hide.
- Scrolling down a little, we can see the Events for the selected server.
- Further down we can see the Services running on the selected server.
- Now we are down to the Best Practices Analyzer (BPA), which has been improved a lot from previous Server versions. Click “Tasks” and “Start BPA scan”. Select the server you wish to run the BPA scan on. Since we only have one, just click “Start Scan”.
Best Practices Analyzer result rundown
- Clicking on the Error we can read: “The primary domain controller (PDC) emulator operations master in this forest is not configured to correctly synchronize time from a valid time source.”
This is actually a very severe error and one we have to fix as soon as possible. De-synchronized servers can lead to some really bad functional errors, and will prevent users from logging on with just a 5-minute difference in time.
We will fix this right after this rundown.
- The next Warning informs us that this particular Domain Controller is virtualized, which can lead to replication errors if we don’t follow the best practice guidelines.
This is mostly regarding time synchronization, as this can (and will) lead to all kinds of errors, which we will fix right after this.
- The next warning tells us that all OUs in the domain should be protected from accidental deletion. This is to prevent some bulk action from accidentally deleting a lot of OUs. We will do this later on.
- The last one tells us that we only have one Domain Controller, and we should have an extra one to create redundancy in case of system failure and for faster domain access for users and resources. We will do this later on.
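As an added example (not from the original post), the same BPA scan started from “Tasks -> Start BPA scan”, run from PowerShell instead, listing the findings of the rundown above and then querying the PDC emulator’s time source so the time-sync error can be confirmed before it is fixed. It assumes an elevated session on the new adatum.com domain controller.

```powershell
# Added example, not part of the original post. Assumes an elevated session on
# the new domain controller with the AD DS and BestPractices modules available.

Import-Module BestPractices
Import-Module ActiveDirectory

# The AD DS model is the one the Dashboard's BPA tile scans for the AD DS role.
$modelId = 'Microsoft/Windows/DirectoryServices'
Invoke-BpaModel -ModelId $modelId | Out-Null

# Compliant checks come back as "Information"; only errors and warnings belong
# in the rundown. Alphabetical sort puts Error ahead of Warning.
Get-BpaResult -ModelId $modelId |
    Where-Object { $_.Severity -in 'Error', 'Warning' } |
    Sort-Object Severity |
    Format-Table Severity, Title -AutoSize -Wrap

# Confirm the first finding: which DC holds the PDC emulator role, and what
# time source is it actually using?
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"
w32tm /query /computer:$pdc /source
# A source of "Local CMOS Clock" or "VM IC Time Synchronization Provider" means
# the PDC is not synchronizing from an external time source, which is exactly
# the condition the BPA error reports.
```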