Build a Windows Server 2008 R2 Domain Controller

I posted a tutorial on creating a domain controller using Windows Server 2003, and decided to post an update that included step-by-step instructions for Windows Server 2008 R2.  This should be the same for Windows Server 2008.

This is great for developers, testers, and anyone looking to learn Active Directory or deploy to a small network.  If this is for a production deployment, you might want to bring in a professional to help you.  There are many other things to consider, like ‘hardening’ your server and setting up Group Policy.  Having an insecure or unprotected domain controller is inviting havoc on your network.

So without any further ado and in the immortal words of ‘Marv’, “Let’s get to it!”

In the Server Manager click on Add Roles.


Click next on the ‘Before You Begin’ screen if it shows.  On the next screen, ‘Select Server Roles’, check the box for Active Directory Domain Services.  After checking the box, you may receive a window that says you need to add required features, click the button marked Add Required Features.


Then back at the ‘Select Server Roles’ window, click Next.  Here you can do some reading if you’re unfamiliar with Active Directory.  There are links for an overview, installation instructions, and common configurations.  There are also notes saying that it is advisable to have at least two domain controllers, that you’ll need a DNS server, that you’ll have to run DCPROMO.exe, and that you’re also installing DFS (Distributed File System) and some replication services tied to DFS.

Click Next and you’ll see the ‘Confirm Installation Selections’ window.  Click the button marked Install.


The ‘Installation Progress’ window will appear letting you know what the system is doing.  After a few minutes the ‘Installation Results’ window will appear.  Click the link marked Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).


Another wizard will open, ‘Active Directory Domain Services Installation Wizard’.  Click Next.


Read the note on the next screen titled ‘Operating System Compatibility’.  The link to the KB article 942564 underneath is (http://go.microsoft.com/fwlink/?LinkId=104751).  Click Next. On the ‘Choose a Deployment Configuration’ screen, we’ll choose Create a new domain in a new forest for the purposes of this tutorial.  If you’re attempting to add a domain controller to an existing domain / forest, you would choose the ‘Existing Forest’ checkbox.  Click Next.


Here’s where you input what you want your FQDN (Fully Qualified Domain Name) to be.  Then click Next.


The system will confirm that the FQDN does not already exist on your network, then allow you to choose your domain NetBIOS name.  After doing so, click Next.  The system will then confirm that the NetBIOS name is not in use.


On the next screen, you select what you want your forest functional level to be.  You can choose: Windows Server 2003, 2008, or 2008 R2.  In this tutorial we’ll be setting the forest functional level to Windows Server 2008 R2.  If you’ll be connecting other DCs that are running Windows Server 2008 or 2003, then you may need to choose a compatible level.  Click Next.


Now we’ll install the DNS server.  Make sure that the DNS server checkbox is checked, then click Next.  Domain controllers (DCs) require DNS.


Click Yes at the next window, which is warning you that delegation cannot be configured for the parent zone.  Don’t worry, there is no parent zone.  Accept the default locations for your Database, Log Files, and SYSVOL folders, or change them if you prefer.  Click Next.


Input a password, twice, in the ‘Directory Services Restore Mode Administrator Password’ window.  Then click Next.  Review your selections and click Next.

The wizard will then install and configure Active Directory Domain Services and Directory Services on the DC.  Click Finish, and select to Restart.
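The wizard pages above map onto a scripted promotion. What follows is an added example, not code from the original post: it installs the AD DS role and then runs dcpromo.exe with an answer file whose keys mirror the wizard choices (new forest, FQDN, NetBIOS name, forest and domain functional level 4 = Windows Server 2008 R2, DNS installed, default database/log/SYSVOL paths, DSRM password). The domain name, NetBIOS name and password are placeholders you must change.

```powershell
# Added example (not from the original post). Windows Server 2008 R2 ships
# PowerShell 2.0, so the promotion itself is done with dcpromo.exe and an
# unattend file rather than the ADDSDeployment cmdlets of later releases.
# Placeholders: corp.example.local, CORP, and the DSRM password.

# Step 1: the 'Add Roles' step - install Active Directory Domain Services
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services

# Step 2: the dcpromo wizard answers. Functional level 4 is Windows Server 2008 R2
# (0 = 2000, 2 = 2003, 3 = 2008). CreateDNSDelegation=No answers the
# "delegation cannot be configured for the parent zone" prompt.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.local
DomainNetbiosName=CORP
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=CHANGE-ME-DSRM-Passw0rd!
RebootOnCompletion=No
"@

$answerFile = Join-Path $env:TEMP 'dcpromo-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# Step 3: run the promotion unattended and wait for it to finish
Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:$answerFile" -Wait

# The answer file holds the DSRM password in clear text: remove it before the
# reboot rather than leaving it in %TEMP% on a domain controller.
Remove-Item -Path $answerFile -Force

# Step 4: the wizard's 'Restart' prompt
Restart-Computer -Force
```

Run this from an elevated PowerShell prompt on a server with a static IP address. The DSRM password is the offline recovery credential for the directory database, so it deserves the same care as the domain Administrator password and should not be reused from another account.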


Congratulations, you’ve just done the basic setup for an Active Directory Domain Controller and DNS support services on Windows Server 2008 R2.  After the reboot, you can log in to your server using the administrator account and the password that was previously assigned to the local administrator account.  NOTE: the password that you were using is now your domain admin password.  It is advisable to make sure that password is STRONG.  If you have questions about that, you can check out my other post on passwords and security, Protecting yourself and your passwords…
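Before trusting the new DC, it is worth confirming that the directory, DNS and logon services actually came up after the reboot. This is an added set of post-promotion checks, not part of the original post; the domain name is a placeholder, and the last line addresses the note above that the former local Administrator password is now the domain Administrator password.

```powershell
# Added example (not from the original post): post-reboot health checks for a
# freshly promoted Windows Server 2008 R2 domain controller.
# Placeholder: corp.example.local is the forest root created by the wizard.
$domain = 'corp.example.local'

# Are the AD DS and DNS roles installed, and are the core services running?
Import-Module ServerManager
Get-WindowsFeature AD-Domain-Services, DNS | Format-Table Name, Installed -AutoSize
Get-Service NTDS, DNS, Netlogon, Kdc | Format-Table Name, Status -AutoSize

# Can the DC be located the way clients locate it: via the DC locator and
# the _msdcs SRV records that Netlogon registered in the AD-integrated zone?
nltest /dsgetdc:$domain
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"

# Built-in diagnostics: the DNS test covers forwarders, delegation and
# dynamic registration; showrepl confirms the replication topology (trivial
# on a single DC, but it should report no errors).
dcdiag /test:dns /v
repadmin /showrepl

# The local Administrator password became the domain Administrator password
# at promotion. Rotate it now instead of keeping the pre-promotion value;
# the '*' makes 'net user' prompt for the new password instead of taking it
# on the command line (where it would land in the shell history).
net user Administrator * /domain
```

If `nltest` or the SRV lookup fails while the services show as running, the usual cause is the server's own NIC pointing at an external DNS server instead of itself; fix the DNS client setting, restart Netlogon, and re-run the lookup.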


My next post will be on installation of an Enterprise CA (Certificate Authority).  I’ll demo this on the same Windows Server 2008 R2 domain controller, as this is a very likely place to put a CA.  If this is for production, you may want to create an Enterprise CA and a subordinate CA and take your Enterprise CA offline, which is more secure from what I’ve come to understand.  For development and small networks, combining the CA with the domain controller is convenient and will provide certificate services to your network.

Good luck and happy administering. 😉


30 thoughts on “Build a Windows Server 2008 R2 Domain Controller”

  1. Very helpful post. The static IP config done for the 2003 R2 DC – is there any need to do that for IPv6 as well as IPv4 on the 2008 R2 DC? The IPv6 settings are quite different. Thinking of having the VM as a DC on a host-only VMware dev network …

  2. Nollkoll, I would deselect IPv6 or leave it enabled as it is by default. Unless you’re building out a future network and have switches and routers that support IPv6, you’ll never put it to use. The main thing that I can think of off-hand that would require IPv6 is the Direct Access feature which allows remote connections without VPN. A very cool feature, but I haven’t had the chance to play with it yet.

    Good luck. 🙂

  3. Hi, this is Nikhil, working as a sys admin L1 in HP. No idea about building a server. Please give me some notes or a tutorial link so that I can go through them in my training session. Also I would like to have a good RPO with you all guys. Please help freshers…..
    vMbanusi please reply.

  4. This first step is fine and easy. I am having problems adding servers to this domain. They add, but then the added servers cannot access the internet. My network:
    1 IBM326 Windows Server 2008 R2 DNS/DHCP etc
    2 IBM326 Windows Data Centre Server 2008 R2 running SQL Server 2008 R2
    3 IBM326 Windows Web Server 2008 R2 running SharePoint

    1 Is fine gets on internet
    2 Logs onto domain but cannot see the internet
    3 Logs onto domain but cannot see the internet and cannot access the SQL Server on 2

    Any ideas?

  5. @Tony. This sounds like you need to check your network settings. I’m assuming that all of your servers are set to static IP addresses… is that correct?

    If so:
    You need to make sure that each server is pointing to your DNS server (1 – assuming that’s AD integrated DNS, on your domain controller?) for DNS services. Their gateway addresses need to be pointing to your Internet gateway/router. DNS forwarding needs to be configured on your DNS server so that your DNS server forwards requests that it cannot answer to a public DNS server.

    If set to DHCP on 2 and 3, make sure your DHCP is configured to issue address settings with the above mentioned.

    You can check DNS by opening up a command prompt and typing nslookup. That should give you a > prompt and the address of the DNS server that you’re connected to (should be server 1). Type in the FQDN (fully qualified domain name) for your SQL server. You should see the name and address returned. Do this from Server 3. Also make sure that you’ve opened the firewall for ports 1433 and 1434 on the SQL server for inbound connections in the firewall. These ports are ALL blocked by default. Pings are also blocked by default, so you may appear to be blind on your network simply because the other servers aren’t responding to any of your requests.

    Let me know how these settings are configured and how the testing works out and we’ll move on from there.

    Summary:
    Server to server communications may be blocked by firewall.
    Internet connection may be a DNS forwarding error.

    Good luck and let me know.

  6. How to set up an SMTP/POP3 mail server with Windows Server 2008??

    I am currently using Windows Server 2008 at my workplace. Here I’m developing an application where I need to send mails using a mail server. The problem here is we haven’t purchased any third-party hosting service, and after struggling for some time I came to know that we can create and host our own mail server, so I want a detailed explanation of “Setting up an SMTP/POP3 mail server with Windows Server 2008”.
    List of roles and features I have installed –
    -> Web Server (IIS).
    -> File Services.
    -> SMTP Services (feature).

    What are the other roles and features to be installed, if needed?
    Please help me out. Thanks in advance :(:(

    1. @Manish, apologies for taking so long to reply. I have not configured a Win Server in the way that you’re asking for regular email / production use. I’ve used it as a mail recipient for SharePoint lists and that works pretty well and is likely compatible with what you’re trying to do, however from a maintenance and usage perspective, I would say you should look for a free email server that runs on Windows instead. Something that was written and dedicated to doing the job like: http://www.hmailserver.com/.

      Microsoft’s email system is Exchange and that’s where they put all the goodness. The built-in SMTP / POP server is, IMHO, nothing I’d want to be playing with / maintaining on a regular basis.

      Hope this helps and good luck.

  7. Hi Clement

    I have an HP server running Windows 2008 Server (32 Bit) and SQL Server 2008 R2. After promoting the Server to a domain controller, login fails to SQL Server from SSMS.

    The machine is supposed to be both the domain controller and Sql Server machine for an N-tier Application being built. I would appreciate any assistance you can give with the following:

    1. Successfully logging onto SQL Server SSMS after running dcpromo

    2. Setting up Network Access for SQL Server 2008 R2 remotely, so that other machines may access the DB via the LAN.

    Thanks in advance

    1. @Simba,
      Before upgrading the server to a DC you can enable mixed mode security in SQL, assign a password to the ‘SA’ account, or create another SQL based login and assign the appropriate permissions. After the upgrade, you can login using SA and add your domain admins group to the logins, or any specific account that you want to be able to manage SQL. Then if you don’t need it, you can change SQL back to Windows auth only.

      As for configuring network access, you need to create an inbound firewall rule that allows incoming traffic on port 1433 for TCP traffic, and possibly 1434 for UDP traffic. If you enable firewall logging for blocked requests while testing the setup, you can see any traffic / ports that are being refused.

      Hope this helps.
      Clement
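Both the reply to Tony (comment 5) and the reply to Simba (comment 7) come down to the same two firewall tasks: allow SQL Server's listener ports inbound, and turn on logging of dropped connections so you can see what is still being refused. This is an added example, not code from either reply; it uses netsh on Windows Server 2008 R2, and the LAN subnet is a placeholder.

```powershell
# Added example (not part of the comment thread): inbound rules for SQL Server
# on Windows Server 2008 R2 plus drop-logging for troubleshooting.
# Placeholder: 192.168.1.0/24 is the LAN that should reach the database.
# Rule names deliberately contain no spaces so they pass cleanly from
# PowerShell 2.0 to netsh without extra quoting.
$lan = '192.168.1.0/24'

# TCP 1433: the default instance's listener. UDP 1434: the SQL Browser service,
# which named instances need so clients can discover their dynamic port.
# Scoping to the LAN and the domain profile is the least-privilege version of
# "open 1433 and 1434" - nothing outside the subnet can reach the listener.
netsh advfirewall firewall add rule name=SQL-Server-TCP-1433 dir=in action=allow protocol=TCP localport=1433 remoteip=$lan profile=domain
netsh advfirewall firewall add rule name=SQL-Browser-UDP-1434 dir=in action=allow protocol=UDP localport=1434 remoteip=$lan profile=domain

# Log dropped packets on every profile while testing; the log shows which
# remote address and port was refused, which answers "is it the firewall?"
$logFile = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename $logFile

# Confirm the rules exist, then try a connection from another machine and
# look at the tail of the log for DROP lines mentioning 1433 or 1434.
netsh advfirewall firewall show rule name=SQL-Server-TCP-1433
netsh advfirewall firewall show rule name=SQL-Browser-UDP-1434
Get-Content -Path $logFile | Select-String -Pattern 'DROP' | Select-Object -Last 20
```

Once the connection works, switch drop logging back off (`netsh advfirewall set allprofiles logging droppedconnections disable`) or it will grow quickly on a busy server. Leave ICMP blocked unless you specifically need ping; as the reply notes, blocked pings only make the network look dead, they do not stop SQL traffic.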

  8. Thanks. Please inform me if any other post will be published, because I am a learner and I need your cooperation. Thanks

  9. Hi Clement

    I have set up a server before I found your instructions but I’m unsure of whether or not DNS is integrated into AD or how to check and no machines are getting an IP address. How should DHCP be configured? These things are all running on the same machine with 2008R2.

    Cheers

    1. @TimTams: If you left default choices selected then DNS will be integrated. You need to set up a DHCP scope that doesn’t overlap any addresses that you are using as static and then authorize the scope. If you’ve added DHCP as a role, right-click IPv4 and select ‘New scope’ from the DHCP snap-in. After creating the scope, you have to authorize it. If there is an overlap of IP addresses with your static addresses, you can exclude certain IP addresses from the scope via the wizard. Be sure in your scope to set up your IP range, default gateway, and DNS servers. You have full control of what is issued. Also make sure in your DNS settings that you are forwarding DNS requests to a few public DNS servers for requests that can’t be served by your domain, otherwise you won’t be able to use your DC as the primary DNS server. Let me know if you need more detail on any of these pieces / tasks.
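The reply above (and the DNS-forwarding advice in the reply to Tony in comment 5) can be checked and applied from the command line. This is an added example, not part of the thread: it lists the DNS zones to see whether they are AD-integrated, sets public forwarders, builds a DHCP scope that skips the statically assigned addresses, and authorizes the DHCP server in AD. Every name and address below is a placeholder.

```powershell
# Added example (not part of the comment thread): DNS integration check,
# forwarders, and a DHCP scope on a Windows Server 2008 R2 DC, using the
# built-in dnscmd and netsh tools. All names and addresses are placeholders.
$domain  = 'corp.example.local'
$dcName  = "dc1.$domain"
$dcIp    = '192.168.1.10'
$gateway = '192.168.1.1'
$subnet  = '192.168.1.0'
$mask    = '255.255.255.0'

# 1. Is DNS AD-integrated? In the zone listing, AD-integrated zones report
#    their storage as AD-Domain or AD-Forest; file-backed zones show File.
dnscmd $dcName /EnumZones

# 2. Forwarders: anything the DC cannot answer from its own zones goes to
#    these public resolvers. Without /Slave the server still recurses to the
#    root hints if the forwarders do not respond.
dnscmd $dcName /ResetForwarders 8.8.8.8 8.8.4.4
dnscmd $dcName /Info /Forwarders

# 3. DHCP scope. Static hosts live in .1-.49, so the lease pool starts at .50;
#    the exclusion shows how to carve a reserved block out of an existing pool.
#    Option 003 = default gateway, 006 = DNS servers, 015 = DNS suffix.
netsh dhcp server add scope $subnet $mask LAN "Workstation leases"
netsh dhcp server scope $subnet add iprange 192.168.1.50 192.168.1.250
netsh dhcp server scope $subnet add excluderange 192.168.1.240 192.168.1.250
netsh dhcp server scope $subnet set optionvalue 003 IPADDRESS $gateway
netsh dhcp server scope $subnet set optionvalue 006 IPADDRESS $dcIp
netsh dhcp server scope $subnet set optionvalue 015 STRING $domain
netsh dhcp server scope $subnet set state 1

# 4. Authorize the DHCP server in Active Directory. An unauthorized server on
#    a domain will not hand out leases, which matches the "no machines are
#    getting an IP address" symptom in the question.
netsh dhcp add server $dcName $dcIp
netsh dhcp show server

# 5. From a client, confirm both an internal and an external name resolve
#    through the DC; the second lookup only works once forwarders are set.
nslookup $dcName $dcIp
nslookup www.example.com $dcIp
```

Clients pointed at the DC for DNS and at the router only as their gateway is the arrangement the replies describe: the DC answers for the domain, forwards everything else, and the router never needs to act as a resolver at all.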

  10. Hi Clement, this is Subhash. Can you tell me, if I have 6 domain controllers that communicate with each other, where the Global Catalog server is created by default? Does that mean there are 6 Global Catalog servers? Then how do we find our first Global Catalog server in 2003 or 2008 R2 by command?

    1. @Subhash,

      To my knowledge, all the roles are installed on the first DC that you stand up. So your first DC should have the GC role on it, along with the others unless you move them.

      Good luck.

  11. Hi Clement, I am Shaikh from India.

    I set up a new network infrastructure, and when I was installing Active Directory on my Windows Server 2008 R2, it paused and showed the message “Configuring the local computer to host Active Directory Domain Services”, and the process went on for 20 to 25 min, and after that the system hung and I can’t access anything.

    What do I do now?

    Regards, thanks

    1. @Shaikh: It sounds like you have some sort of corruption, either during the AD configuration process or within the OS itself. Have you tried this more than once or is it the first time that this has occurred? If I ran into this problem, and since it’s a new network it shouldn’t affect much, I’d reinstall the OS, and try promoting it to a domain controller again. Starting over from square one can be a pain, but I’ve found that troubleshooting random hangs can end up taking far more time than starting again.

      Hope this helps.

  12. Clement – Great post. Thanks for your walkthrough. I am using a DNS server on the network that is set up in my router. I assume that this is not a problem, and that I simply do not set up the Server to be a DNS server, but do set it up as a DHCP client. That will not affect AD config, will it? Or am I missing a step?

    1. @Bob: Thank you for the comment. AD integrated DNS allows the servers that you stand up to immediately find each other and gives you control over DNS records including CNAMEs, which you can use to add other DNS records and point to something like a webserver. You can also set up multiple DNS zones; for example d3planet.com is an internet domain and if I’m not running a DNS zone for it, I would have to leave my network to do the lookup and then come back into my network if the server is hosted locally. AD integrated DNS also allows your domain controller to make the updates automatically. You can then add a DNS forward to your router so that for all entries that are not found on your DC, the requests would be forwarded to your router and so on. You could even bypass your router’s DNS services and go directly out to a public DNS server via forwarding.

      Is there a particular reason that you would choose to use your router’s DNS?

  13. Hi Clement,
    I set up a new system exactly as you did above: WIN2008R2 AD with DNS.
    I went to install DHCP; it hangs, I get a white box, realize it’s nothing, close it, then the ERROR box is under that: cannot install due to error (I don’t have the code as I am @ work). Question: is it even possible to run DHCP on this server with the above setup? Or do I need another server for DHCP? Noob.
    Thanks,
    Rotten

    1. @Rotten: The configuration should be good. I’ve got multiple environments running AD, DNS, DHCP, as well as certificate services. Did you try installing DHCP after AD/DNS were set up? Any errors in your event log re: the installation? You can open up the log by typing ‘eventvwr’ at the ‘run’ prompt. Is this in a lab or production? I also assume you’ve gone through at least one server reboot since attempting the install.
