Windows 10: Windows Server 2016 - Setup Local Domain Controller

How to: Windows Server 2016 - Setup Local Domain Controller


Information There are several reasons to create and use a local domain even in relatively small home networks. To list a few:

• Centralized user management
• Users sign in to domain instead of signing in to just a certain PC. No separate user account setup on each machine, a domain user can sign in on each domain joined machine, access level controlled by server admin
• Centrally managed Group Policies; Restrict or expand user rights with group policies on server, all policies applied throughout the domain
• And so on...

To create a local domain, you need a Windows Server operating system (yes, of course you can set up a Linux server, too, but this is Windows 10 Forums! *Wink). It can be installed on physical hardware with quite modest specifications, or on a virtual machine. Naturally, to guarantee that your domain and Active Directory which controls and manages the users and computers on your domain function, the server should be always on, up and running.

Setting up an Active Directory Domain Controller can be divided to five phases:

1. Install Windows Server
2. Set up the server (static IP, updates, server name etc.)
3. Create the domain
4. Setup Active Directory Domain Services
5. Create domain / AD users

This tutorial will show you how to do this. When done, your users and computers can join your own local domain.

The new Windows Server 2016 is now (end of May 2016) in version Technical Preview 5 and can be downloaded for free from Microsoft TechNet Evaluation Center: Technet Evaluation Center

More information about Windows Server 2016: https://www.microsoft.com/en-us/serv...s-server-2016/

More about Active Directory:

• Active Directory - Wikipedia, the free encyclopedia
• Active Directory
• Active Directory Domain Services

Let's start! The tutorial might look long and complicated but please believe me, it's a piece of cake, doing everything told in this tutorial will take 30 to 40 minutes of your time, including the time needed to install Windows Server 2016




Warning To join a Windows PC or virtual machine to a domain, it must be PRO or better edition:

• Windows 7 Professional, Ultimate, Enterprise
• Windows 8 & 8.1 Pro, Enterprise
• Windows 10 Pro, Education, Enterprise

If your home computers have a Home edition of any Windows version, they cannot join a domain.

Contents
[table][tr][td]Part One:[/td] [td]Install Windows Server 2016[/td] [/tr] [tr][td]Part Two:[/td] [td]Setup Windows Server 2016[/td] [/tr] [tr][td]Part Three:[/td] [td]Setup Active Directory Domain Controller[/td] [/tr] [tr][td]Part Four:[/td] [td]Create a domain[/td] [/tr] [tr][td]Part Five:[/td] [td]Add users to Active Directory[/td] [/tr] [tr][td]Part Six:[/td] [td]Additional videos[/td] [/tr] [/table]



Note Click or tap screenshots in this tutorial to pop out them, click / tap again to enlarge.





Part One [/i] Install Windows Server 2016

1.1) Download Windows Server 2016: Technet Evaluation Center. Notice that you need to register to be able to download

1.2) If installing on a virtual machine select the ISO file as install media. On a physical machine you need first to create a DVD or flash install media. See this tutorial for help: USB Flash Drive - Create to Install Windows 10 - Windows 10 Forums

1.3) Boot from Windows Server 2016 install media

1.4) When prompted, enter the generic product key shown in Preinstall Information:






1.5) Select the Desktop Experience version:



1.6) Install Windows normally, as any other Windows version. When installation is done, you need to set the password for the built-in administrator


1.7) Press CTRL+ALT+DEL to enter the sign-in dialog, enter the password, hit Enter to sign in:











Part Two [/i] Setup Windows Server 2016

2.1) Server Dashboard opens automatically by default (when closed it can be opened from Start). First thing is to change the resolution, after the installation Windows defaults to 1024*768, aspect ratio 4:3. To work comfortably you need better resolution. Minimize the Dashboard, select Display Settings from desktop context menu. This warning will be shown:



Just ignore the warning, click Close to open display settings and change the resolution to what you prefer

2.2) Maximize / open the Dashboard. Select Local Server on left pane



It is extremely important that Windows Server is fully updated before going any further. Click Never after Last checked for updates, run Windows Update, restart if prompted:



2.3) Change the computer name to something easier to remember and recognize. In this example I changed the name to TenForumsServer. Remember to restart after computer name change!

2.4) Set a static IP address for server. Select an IP outside the DHCP IP pool your router uses to assign dynamic IP addresses.

In this example I checked my router settings, learned that the IP pool it uses is from 192.168.2.100 to 192.168.2.200, router itself using 192.168.2.1:


I chose 192.168.2.50 for the server, set it as static IP, setting both Default Gateway and Preferred DNS server to use the router IP 192.168.2.1:










Part Three [/i] Setup Active Directory Domain Controller

3.1) Select Add Roles and Features from the Manage menu top right:



3.2) Click Next:



3.3) Select Role-based or feature-based installation, click Next:


3.4) See that your server is listed, select it and choose Select a server from the server pool. Click Next:



3.5) Click on the selection box Active Directory Domain Services. A dialog opens, click Add Features:



3.6) Click Next:



3.7) Click Next:



3.8) Click Next:



3.9) Click Install:



3.10) You can close the wizard now, installation continues in the background:







Part Four [/i] Create a domain

4.1) You should now see a yellow warning sign next to Notifications flag in menu bar top right. Click the flag to open the menu. When it tells you Installation succeeded on ServerName, select Promote this server to a domain controller:



4.2) Select Add a new forest, enter your chosen local domain name (prefix.suffix). In this example I named my domain as ten.forums:




Note Local domain name guidelines

A domain name as we have been used to see on Internet consists of subdomain (optional), domain and TLD (top level domain). They are separated with a dot.

For example in domain name www.myownwebsite.com, the www is the subdomain, myownwebsite domain and com the TLD. My favourite news site from my native Finland is http://www.yle.fi, again the subdomain being www, the domain itself yle and the TLD the country code for Finland fi. Their on-demand TV I can find from http://areena.yle.fi where areena is subdomain, yle the domain and again fi as TLD.

In naming local domains the subdomain can be used but is mostly left out as unnecessary. The local domain suffix can be almost anything you'd like to, important to remember is not to use any reserved top level domain suffixes like .com, .org, .net or the country TLDs like .co.uk, .fi, .fr and so on.

TLD suffixes commonly used in local domains are for instance .loc and .local. My home domain is called agm.home, I'm used to name my home network domains with suffix .home but as it might happen that it will be registered as an available TLD for Internet, I need to rethink that and rename my domain.

A local domain prefix (domain name) should be max 15 characters; if any longer, Windows Server uses the first 15 characters of it as so called NetBIOS name. The prefix may only contain letters A-Z, a-z, numbers 0-9 and one or more hyphens. It must contain at least one letter, a domain prefix containing numbers only is not allowed.
4.3) This is important: on the next page of the wizard you need to set up a password you wish you will never need: A recovery password in case something goes awfully wrong and you need to run Directory Services Restore. Select a good password, it may but don't have to be the same as your server admin password. Click Next when done:



4.4) The DNS options page shows you a warning which you can completely ignore. Click Next:



4.5) On Additional Options page check that NetBIOS name is correct; it should be the prefix of your local domain. In this example I named my domain as ten.forums, the NetBIOS name therefore being TEN (NetBIOS names are usually written with upper case). Click Next:


4.6) Accept default paths, click Next:



4.7) Review your settings, click Next



4.8) You will now see a list of warnings. As long as the bottom of this list tells you that All prerequisite checks passed successfully, you can ignore the warnings and click Install:



4.9) Windows Server will restart automatically to finalize the installation:



4.10) Sign in. Notice the missing network connection:



4.11) Fix the DNS server IP error (see previous screenshot in step 4.10 for explanation), change it back to your default gateway IP. In my case now for this example I changed it back to 192.168.2.1:



4.12) To be sure let's check Internet works. You cannot use Edge:



4.13) Instead open Internet Explorer (WIN+R, type iexplore, hit Enter). You will be notified that Enhanced Security is enabled. You need to manually add websites you want to visit to list of allowed sites:



4.14) Everything OK, Internet works. You can close the browser:



4.15) Dashboard > Local Server shows the domain is OK:







Part Five [/i] Add users to Active Directory

5.1) A domain without users allowed to sign in is useless. To create users, open Tools menu, select Active Directory Users and Computers:



5.2) Expand your domain, select Users, click New User button:



5.3) Add a user, click Next:



5.4) Set password for this user. As this is a private home domain, select Password never expires, click Next:



5.5) Review the information, click Finish:



5.6) The first user is usually yourself. To add this user to Administrators, right click the user and select Properties:



5.7) Add user to Administrators:



5.8) In the future you can sign in to server with your own domain user credentials









Part Six [/i] Additional videos













That's it!



Note Your domain is set up and running. Now you can join your devices to the domain.

Managing users and computers, group policies and much more in future tutorials and videos.

Kari


Related Tutorials

• How to Join a Windows 10 PC to a Local Active Directory Domain
• How to Remove a Windows 10 PC from a Local Active Directory Domain

:)

 

windows server 2016 standard as addtional domain controller

Hi,

I have a primary domain controller running on windows server 2008 R2 & also have a additional domain controller running on same windows server 2008 R2.

Recently I have bought a new server hardware and installed windows server 2016 standard OS. Now the requirement is to promote this new server 2016 as domain controller. I will make this server additional domain controller and still the PDC will be running
on windows server 2008 R2 only. I need to know when the PDC & ADC server version will be different then will it causes any issue in functionality of domain controller.

Group policy will be migrated to the ADC or not. We will check the functionality of ADC by shutting down the PDC server.

Kindly let me know what all difficulties I can face during this setup. Are there any compatibility issue which can occur.

Regards

Ankur

[Moved from: Windows / Windows 10 / Windows update, recovery, & backup]

 

Windows 10 Pro desktop.ini file doesn't display

Can you please set Full Control permissions on Windows Server 2016 shared folders for your own user (are you in domain environment)?

 

Very good Kari. *Smile Your instructions are always precise and easy to follow.

 

Thanks Simrick!

My goal was to make it as simple as possible to follow without any knowledge about the subject, even when it meant a lot of screenshots, to make sure that someone who has never installed a server OS or set up a domain can manage it.

 

And that would be me....*Wink

 

Well done Kari, impressive job

 

You should make sure to mention that, while the technical preview is free... it won't remain so. Some people might have a rude awakening to find out they have to pay several hundred dollars to keep their network running.

 

Hi,
Great post! Thank you for these detailed instructions. I got to step 4.11 - 4.13. I am running Windows Server 2016 as a VM in VM Workstation 12 Pro. Before I made these changes, I had internet access. My VM Network Adapter is set to NAT.

I'm now connected to my new domain and I've changed the Preferred DNS address back to my router's IP address, but I'm still showing "No Internet access" and I have the yellow warning on my network connection. Any suggestions? I've restarted the vm and the main machine with no luck.

 

Awesome tutorial!

There is one small but important step you did not mention, which should be part of every Server installation. That is setting the correct time and disabling internet time. AD does not need it that much but if you are going to use other server roles, it's extremely important that your time stamps are correct.

Once installing other services, one should also make the AD server the default timeserver in the network so all computer times stay in sync with it. This could also be done during the initial installation, which is always better.

 

While the server product is not free, the eval copy is good for 180 days, and can be reinstalled.

 

Exactly. Plenty of time to test.

 

Do you have any tutorials or videos for setting up recommended group policies?

 

The pertinent ones are pretty straight forward, but you have to be careful what you enable on the system running the server, particularly its hardware and whether client-connected PCs/laptops will be able to utilize those features and actually log on properly. For example, the usage of smart cards and various cryptography settings.
And really GPO depends on how secure you want client-connected PCs and laptops when connected. That said, after setting up the Domain Controller, you will want to set up the Certification Authority with the Certification Authority Web Enrollment, followed ideally by a DHCP server. Remove the DNS relay feature from any physical hub/router you may have and use the server as the DNS relay. From there, you can easily assign static IP addresses using client MAC addresses and control IP ranges and firewall/port settings with ease.

To start assigning GPO settings for provisioning, start at Policies > Windows Settings > Security Settings > Local Policies > Security Options. Here, I like disabling Administrator account status (after using it to assign myself a personal Domain Admin account), requiring the use of smart cards for interactive logon or CTRL+ALT+DEL at the very least, and disabling anonymous SID/Name translation right out of the gate.

For Password Policy, you can change those to whatever you want, since their default settings can be annoying if you're just using the server for testing and nothing substantive. From there the rest of the stuff is pretty simple, though I recommend staying away from cryptographic features and settings unless you know what you're doing. That said, if your hardware allows for it, you can secure end-point PCs/laptops from 98% of virtual and physical intrusion attempts.

Also invest some time in reading about nested virtualization to isolate server functions like MySQL databases. Virtualization is extremely important and vital to use for various server functions in order to isolate them from the physical server itself. Most of us who run full enterprise servers run multiple Domain Controllers on nested VMs and secure them using Host Guardian certificates for key and access management and Shielding, which are all features you can install from the Add Roles and Features Wizard.

 

Very good post, thanks for sharing your insights.