Configuring a combination Domain Controller, DNS server, and DHCP server
The directory structure that Microsoft networks use to house their user and computer accounts is called Active Directory (AD), and the directory information is controlled and managed by Domain Controller (DC) servers. Two other server roles that almost always go hand-in-hand with Active Directory are DNS and DHCP, and in many networks, these three roles are combined on each server where they reside. A lot of small businesses have always made do with a single server containing all three of these roles, but in recent years, virtualization has become so easy that almost everyone runs at least two DCs for redundancy purposes. And if you are going to have two DCs, you may as well put the DNS and DHCP roles on them both to make those services redundant as well. But I'm getting ahead of myself. For this recipe, let's get started building these services by installing the roles and configuring them for the first time: the first DC/DNS/DHCP server in our network.
Getting ready
The only prerequisite here is an online Windows Server 2019 that we can use. We want it to be plugged into a network and have a static IP address assigned so that as you add new computers to this network, they have a way of communicating with the domain we are about to create. Also, make sure to set the hostname of the server now. Although domain controllers in Windows Server 2019 can be renamed, it's best to get them right from the start.
How to do it…
Let's configure our first DC/DNS/DHCP server by performing the following set of instructions:
- Add the roles all at once. To do this, open up Server Manager and click on the link to add some new roles to this server. Now, check all three, that is, Active Directory Domain Services, DHCP Server, and DNS Server.
- When you click on some of these items, you will be prompted regarding whether you want to install some supporting items. Go ahead and click on the Add Features button to allow this.
- Click Next through the following few screens. We don't have to add any additional features, so you can read and click through the informational screens that tell you about these new roles.
- Once satisfied with the installation summary, press the Install button on the last page of the wizard.
- Following installation, your progress summary screen will provide a window with a couple of links on it. These are Promote this server to a domain controller and Complete DHCP configuration. We are going to click on the first link to promote this machine so that it's a DC.
After this, we are taken into the configuration of our DC. Since this is the very first DC in our entire network, we will choose the Add a new forest option. At this point, we must also specify a name of our root domain. Please read the There's more… section of this recipe before choosing your domain name. There is a lot of misinformation around how to choose a domain name that I want to educate you on first!
Tip
It is very important that you choose a root domain name that you like and that makes sense for your installation. Whatever you enter here will more than likely be your domain name forever and always.
- On the Domain Controller Options screen, you can choose to lower the functional level of your forest or domain, but this is not recommended unless you have a specific reason to do so. One thing to note is that Windows Server 2019 does not introduce any new functional levels, so you will still have this set to 2016. You must also specify a DSRM (Directory Services Restore Mode) password on this screen in case it is ever needed for recovery. You will receive a DNS Options warning message on the next page. This is normal, because we are turning on the first DC and DNS servers in our environment.
- The following two screens are for NetBIOS and Paths. You can leave Paths alone, but pay close attention to the NetBIOS name. This is very difficult to change later, so make sure it's something sensible. If you are using a subdomain of a real domain, it might default to something like CORP or AD. In this book, I have renamed this to COOKBOOK as it's more meaningful than the default AD.
- Once you have reviewed the installation plan, go for it! You should see a green check mark telling you All prerequisite checks passed successfully, which means you are ready to proceed. There might be some scary-looking warnings, but for a fresh new domain that you do not intend to connect old NT4 or Windows 2000 servers to, you can ignore them. When the server has finished being promoted to a DC, it will have to be restarted.
- Following the restart, you will have noticed that you are now forced to log into the server as a domain account. Once a server has been promoted to a DC, it no longer contains local user accounts on the system. All logins to the server from this point forward will have to be user accounts within the domain. Your old Administrator password is now the Domain Administrator password, and you will need to use this to log in.
- Inside Server Manager, you will have a notification up top to Complete DHCP configuration. Go ahead and click on that.
- You don't have to specify anything in this wizard. Simply click through the steps.
- Now, that was a fair few steps to go through – but, of course, you can also do the exact same steps via PowerShell, and it's an awful lot less clicking. To do this, you would use the Install-ADDSForest cmdlet. For this book, I used this exact command:
# Install all three roles plus their management tools (RSAT) in one go
Install-WindowsFeature AD-Domain-Services, DNS, DHCP -IncludeManagementTools
# Creates the new forest and root domain; because -SafeModeAdministratorPassword is not given, you are prompted for the DSRM password, and the server reboots when promotion finishes
Install-ADDSForest -DomainName ad.cookbook.packt.com -DomainMode WinThreshold -DomainNetbiosName COOKBOOK
Those two lines of code are equivalent to the previous 12 steps of clicking.
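The two cmdlets above cover the role installation and the promotion, but not the Complete DHCP configuration step from the wizard, nor any check that the three roles actually work together afterwards. The following script is an added example, not the book's own command set: it takes the recipe's domain name ad.cookbook.packt.com and NetBIOS name COOKBOOK, prompts for the DSRM password rather than embedding it, performs the DHCP post-install work the wizard does (security groups, authorization in AD, clearing the Server Manager notification), creates a first scope, and finishes with the checks you would want before joining the first client. The server address 192.168.10.5, the gateway 192.168.10.1 and the lease range are constructed values; substitute your own.

```powershell
# Added example (not the book's own script): end-to-end PowerShell version of the
# recipe, including the "Complete DHCP configuration" step and post-build checks.
# Assumptions: the server already has a static IP (192.168.10.5/24, constructed),
# the domain/NetBIOS names come from the recipe, and the DHCP range is constructed.
#Requires -RunAsAdministrator

$DomainName  = 'ad.cookbook.packt.com'
$NetbiosName = 'COOKBOOK'
$ServerIp    = '192.168.10.5'      # constructed: this server's static address
$Gateway     = '192.168.10.1'      # constructed: default gateway handed to clients

# ---- Part 1: run once as the local Administrator, before the reboot ----
Install-WindowsFeature AD-Domain-Services, DNS, DHCP -IncludeManagementTools

# Prompt for the DSRM password so it never sits in a script or shell history.
$DsrmPassword = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString

Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force
# The server reboots at this point. Log back in as COOKBOOK\Administrator
# (local accounts no longer exist on a DC) and run Part 2.

# ---- Part 2: run after the reboot, as a domain administrator ----
# Equivalent of the "Complete DHCP configuration" wizard: create the DHCP
# Administrators/Users groups, authorize this server in AD (an unauthorized
# DHCP server will not hand out leases), and clear the Server Manager flag.
Add-DhcpServerSecurityGroup -ComputerName $env:COMPUTERNAME
Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$DomainName" -IPAddress $ServerIp
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
    -Name ConfigurationState -Value 2
Restart-Service DHCPServer

# A first scope (constructed range) that points clients at this DC for DNS,
# which is what lets them locate the domain when they join.
Add-DhcpServerv4Scope -Name 'Office LAN' -StartRange 192.168.10.100 `
    -EndRange 192.168.10.200 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -DnsServer $ServerIp `
    -Router $Gateway -DnsDomain $DomainName

# ---- Checks: confirm the three roles work together before joining clients ----
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
# Clients locate DCs through this SRV record; if it is missing, joins fail.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $ServerIp
# Must list this server, otherwise the DHCP service stays silent.
Get-DhcpServerInDC
Get-DhcpServerv4Scope
```

Run Part 1 interactively rather than as an unattended job, because Install-ADDSForest reboots the server as soon as promotion completes; Part 2 and the checks belong in a second session after you log back in with the domain Administrator account.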
Tip
Because your domain controller is not a server you typically log onto, it has excellent remote management tools for all its features. You might want to try using Windows Server Core. You can read more about this GUI-less version of Windows Server in Chapter 12, Server Core.
How it works…
Configuring your first DC is essential to having a successful Microsoft Windows network. We now have roles installed for AD, DNS, and DHCP. This means we have the core infrastructure in place to start joining computers to the domain, adding users to the network, and shuttling around some network traffic. Each of these technologies has enough depth to warrant its own book, so there is no way that we can cover everything here. I hope that this tutorial has got you comfortable with enabling these system-critical functions in your own network. Having the ability to create a network properly from scratch is priceless ammunition to a server administrator.
There's more…
Before we conclude this recipe, this might be a good opportunity to explore some definitions and explanations. You can think of a forest as the top level of your Active Directory structure. Within that forest, you are setting up a domain, which is the container within your forest that contains your user, computer, and other accounts that will be joined to the domain. You can contain multiple domains within a forest, and multiple forests can share information and talk to each other by using something called a trust.
I'm going to take this opportunity to discuss what you should name your root domain. There is more than one school of thought on this, so I'm going to refer to what Microsoft officially recommend. Unfortunately, Microsoft have violated their own recommendations in the past (their Small Business Server unfortunately started many bad practices that continue to this day). I will be summarizing Microsoft's advice from https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx.
Firstly, you should name your Active Directory using a real domain name that you or your company own. A lot of people used to recommend using a fake domain name, such as mydomain.local, as your domain name. This turned out to be a mistake because .local is now a real internet routable top-level domain and is no longer fake. However, you also shouldn't use the exact domain you run your website on. If your company website is example.com, then your domain name could be a subdomain such as ad.example.com or corp.example.com. This way, you can ensure that you retain ownership over your domain forever. Alternatively, you could register a whole new domain name just for your Active Directory, such as example.net. Domain names are cheap – just remember to renew it every year!
Now, I know what you might be thinking – 'I want my users to be able to use their email address as their username. How can I do that if our domain is corp.example.com? Won't that make it username@corp.example.com or CORP\username? I'll never be able to train them to remember that!' Nope. The part of the username that comes after the @ sign is called the UPN suffix. You can have more than one to choose from, and it can be anything you want. As for the CORP name, that's called the NetBIOS name for your domain and it does not need to be related to your UPN suffix at all.
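To make the UPN suffix point concrete, here is an added example (not from the book) that registers cookbook.packt.com as an alternative UPN suffix in a forest whose root domain is ad.cookbook.packt.com, previews re-suffixing existing users with -WhatIf, and then shows that the NetBIOS form COOKBOOK\jsmith still works alongside jsmith@cookbook.packt.com. The suffix and the sample user jsmith are constructed values.

```powershell
# Added example (not the book's own code): give users an email-style login
# without renaming the AD domain. Assumes the recipe's domain ad.cookbook.packt.com;
# the suffix cookbook.packt.com and the user jsmith are constructed values.
Import-Module ActiveDirectory

$UpnSuffix = 'cookbook.packt.com'

# Register the alternative suffix once, forest-wide. The forest root DNS name
# (ad.cookbook.packt.com) remains available without being listed here.
Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{ Add = $UpnSuffix }
(Get-ADForest).UPNSuffixes

# Preview re-suffixing every user in the domain, keeping each user's prefix.
# Accounts without a UPN (for example krbtgt) are skipped. Remove -WhatIf once
# the preview looks right.
Get-ADUser -Filter * -SearchBase (Get-ADDomain).DistinguishedName |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object {
        $prefix = $_.UserPrincipalName.Split('@')[0]
        Set-ADUser -Identity $_ -UserPrincipalName "$prefix@$UpnSuffix" -WhatIf
    }

# The NetBIOS name (COOKBOOK) is unrelated to the UPN suffix: both logon forms
# resolve to the same account.
Get-ADUser -Identity jsmith | Select-Object SamAccountName, UserPrincipalName
```

Changing a UPN does not touch the sAMAccountName, so existing COOKBOOK\username logons keep working; what changes is only the suffix users see after the @ sign.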
In this book, I have chosen ad.cookbook.packt.com as the domain name. I chose it pretending that my company site was cookbook.packt.com, and ad.cookbook.packt.com is a subdomain that this fictional company can control as long as they own packt.com.