Windows Server Core: Installing Active Directory Domain Controller

0
14

Windows Server Core is a good platform to host the Active Directory domain controller role due to fewer resource requirements, increased stability and security (due to less code and updates). In this article, we’ll show how to install a domain controller on Windows Server Core 2019 in a new or existing Active Directory forest using PowerShell.

Contents:
  • How to Install Active Directory Domain Controller Using PowerShell?
  • Checking Domain Controller Health on Server Core
  • Installing an AD Domain Controller Using Windows Admin Center (WAC)

How to Install Active Directory Domain Controller Using PowerShell?

Install the Windows Server Core on a new host (physical or virtual), configure the basic host settings: set its hostname, network settings (static IP address, subnet mask, gateway, DNS), date/time, time zone, etc.

Rename-Computer -NewName hb-dc03
Get-NetAdapter
$ip = "192.168.13.11"
$gw="192.168.13.1"
$dns = "192.168.13.10"
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress $ip -AddressFamily IPv4 -PrefixLength 24 –DefaultGateway $gw
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses $dns

These steps are described in detail in the article Basic Commands for Configuring a Windows Server Core Installation.

The next step is to install the Active Directory Domain Services (ADDS) role. To do it, run the following command in the PowerShell console:

Install-WindowsFeature AD-Domain-Services –IncludeManagementTools -Verbose

Install-WindowsFeature AD-Domain-Services on Windows Server Core

Make sure that the AD-Domain-Services role is installed:

Get-WindowsFeature -Name *AD*
ADDS role is installed on WIndows Server Core 2019

After installing the ADDS role, you can use ADDSDeployment module cmdlets to deploy a new domain, forest, or additional domain controller:

Get-Command -Module ADDSDeployment

ADDSDeployment PowerShell module - promotr the domain controller

There are three possible scenarios:

  • Installation of new Active Directory forest: Install-ADDSForest -DomainName woshub.com -ForestMode Win2016 -DomainMode Win2016 -DomainNetbiosName WOSHUB -InstallDns:$true
  • The Install-ADDSDomain cmdlet allows to create a new domain in an existing Active Directory forest
  • Install-ADDSDomainController – allows to add a new (additional) domain controller to an existing Active Directory domain
If you want to deploy an RODC domain controller, use the Add-ADDSReadOnlyDomainControllerAccount cmdlet.

In most cases, you will use the 3rd scenario — adding an additional domain controller to an existing Active Directory domain.

Before promoting a new domain controller, make sure that your Active Directory domain works correctly. Check the errors on each DC carefully that are returned by Dcdiag /v and check the AD replication (repadmin /showrepl and repadmin /replsum). Make sure that you have an up-to-date AD domain controller backup.

In the simple scenario, when you want to add a new extra DC to the Default-First-Site-Name site, run this command:

Install-ADDSDomainController -DomainName woshub.com -InstallDns -Credential (get-credential WOSHUBAdministrator) -DatabasePath "D:ADDSDB" -LogPath "D:ADDSLog" -SysvolPath "D:ADDSSYSVOL"

In this example, I have additionally specified that the AD database, logs, and SYSVOL are stored on a separate disk. By default, they are located in %SYSTEMROOT%NTDS and %SYSTEMROOT%SYSVOL.

Also, you can specify the Active Directory site you want to place your new domain controller. We will also specify that the DC will be the Global Catalog and set the DSRM (Directory Services Restore Mode) password using the ConvertTo-SecureString command:

Install-ADDSDomainController -DomainName woshub.com -InstallDns:$true -NoGlobalCatalog:$false -SiteName 'Hamburg' -NoRebootOnCompletion:$true -Force:$true -SafeModeAdministratorPassword (ConvertTo-SecureString 'R0DCP@ssw0rd' -AsPlainText -Force) -Credential (get-credential WOSHUBAdministrator) –verbose

Install-ADDSDomainController install additional active directory domain controller on windows server core

Check the command output carefully, if it is ok, then restart your host:

Restart-Computer

Checking Domain Controller Health on Server Core

After the domain controller installation, do some basic checks to make sure that the new domain controller has been successfully added to the domain and takes part in replication.

You can manage a domain controller on Windows Server Core from another server using the standard graphic Active Directory snap-ins (dsa.msc, gpmc.msc, dnsmgmt.msc, dssite.msc, adsiedit.msc, domain.msc) or from a computer running Windows 10 with RSAT installed (Rsat.ActiveDirectory.DS-LDS.Tool).

Open the ADUC (dsa.msc) console on any computer and make sure that the new DC appeared in the Domain Controllers OU.

New domain controller in ADUC

After Windows Server Core restart, you must login to the host under a domain administrator account.

Using the Get-ADDomainController cmdlet, make sure that the domain controller is located on the correct AD site:

Get-ADDomainController -Discover

Get-ADDomainController - checking AD site

Check that Active Directory services are running:

Get-Service adws,kdc,netlogon,dns

check Active Directory services state on domain controller

In addition to the built-in hidden admin shares, the SYSVOL and NETLOGON folders must be shared:

Get-SMBShare

SYSVOL and NETLOGON - logon server shares on DC

Make sure that there are ADDS events in the Event Viewer:

Get-Eventlog "Directory Service" | Select-Object entrytype, source, eventid, message
Get-Eventlog "Active Directory Web Services" | Select-Object entrytype, source, eventid, message

Then perform a test using the dcdiag command (all stages must be Passed), and check replication between the DCs using the following commands:

repadmin /replsummary

or

Get-ADReplicationFailure -Target DC03

Check where the FSMO roles are located in your domain and forest. If necessary, transfer the FSMO roles to your new DC:

Netdom /query FSMO

Installing an AD Domain Controller Using Windows Admin Center (WAC)

To install a domain controller in Windows Server Core, you can also use Windows Admin Center (WAC) web interface.

  1. Add your Windows Server Core host to the Windows Admin Center interface;
  2. To install the ADDS role, open the Roles and Features section, select Active Directory Domain Services in the list of available roles and click Install;
  3. Confirm the installation of the role and administration tools; Windows Admin Center installing Active Directory Domain Services role
  4. To promote the Windows Server Core to the domain controller, open the PowerShell web console and use the cmdlets shown above to configure the DC; prome windows server to AD domain controller via WAC
  5. When the DC installation is over, restart Server Core and reconnect it to WAC using a domain account;
  6. To manage Active Directory from the web interface, install a special WAC extension (it is available in Preview mode yet). So a new section will appear in your Windows Admin Center, where you can view and manage your AD tree. Browse Active Directory OUs in WIndows Admin Center

Dịch từ: http://woshub.com/windows-server-core-install-active-directory-domain-controller/

BÌNH LUẬN

Vui lòng nhập bình luận của bạn
Vui lòng nhập tên của bạn ở đây