Configuring a forest root domain on Windows Server 2012
This scenario is suitable mostly for test environments because it is very rarely that someone wants to do that in production (because it already exists). But of course, maybe you start creating domain environment for new company which doesn’t have it or you are preparing new forest for migration. Then this article is also for you.
This article describes only single forest, single domain scenario.
We need some details before we will start configuration.
- Company name – which will be helpful in choosing forest/domain name
- Network configuration – valid IP addresses range for our company, router’s IP (as default gateway)
- ISP DNS servers on any public DNS servers – to be able to access the Internet resources from our company
- Services we need to run – what additional services will be required to fulfill a company requirements
Let’s start to prepare them all.
- Company name – Test Environment
- Network configuration – IP addresses range 192.168.1.0/24; the last available IP address is a router (default gateway)
- Public DNS servers – 220.127.116.11 and 18.104.22.168 (Google public DNS servers)
- Services – Active Directory: Directory Services, DNS server(s), DHCP server(s)
Now, we can install our first Windows Server 2012 and configure it. After that we would be able to promote this box as a Domain Controller.
When our server is installed, then we need to log on there on local administrator account and we can start its preparation.
Open Server Manager (or wait short time because it runs itself by default), set up static IP address for your server (in this case it’s 192.168.1.1 with 255.255.255.0 network mask), configure time zone and change server name accordingly to naming convention in your company. You may also set up there other options like NIC teaming, remote management and remote access.
This is very important part of network configuration before promoting server as a Domain Controller. In DNS preferred IP address type 127.0.0.1 (loopback interface) or the same IP address as server is configured 192.168.1.1 to point the server to DNS itself.
To configure network parameters, click on “Local Server” node on the left side of Server Manager
and then click on “Ethernet” to configure these settings
You will see “Network connections” where you network card is being seen
edit its properties and set up required IP information under IPv4 section
Note! Do not disable IPv6 if you do not use it. Just go go to its properties and disable dynamic DNS registration for it only. This can be done under “Advanced” settings on “DNS” tab under IPv6 section
So, going back to IPv4 IP settings, under its properties put valid IP address, network mask, default gateway and DNS server IP address
Now, let’s configure server name and reboot it to be able start promotion to Domain Controller. To change server name, click on “Computer name” section and provide appropriate name
apply changes and reboot server. When your server is up and running again, you can start promotion process.
Now, small change in Domain Controller promotion There is no more dcpromo command valid. Microsoft decided to simplify this process as much as it was possible.
This time, you need to install Active Directory: Directory Services role and after all, follow post-install steps which promotes server to Domain Controller. To do that open Server Manager and go to “Add roles and features” on Dashboard screen
You will see a wizard which will guide you through role installation process. Go further up to a screen with roles selection using default options and choose “Active Directory Directory Services” role. Confirm all dependent roles/features to be installed with AD:DS role
confirm also features which will be installed with selected role
Go “Next” to screen with installation summary and click “Install”
and wait until Active Directory: Directory Services role will be installed
When role is installed, you will see yellow exclamation mark in notification area
That means, there are additional steps to do after role installation. Click on that field and you will see what do to next
Click on “Promote this server to a domain controller” and promotion wizard will be displayed.
It is similar to previous wizard from DCPROMO on older OS versions. Promotion process is much more simple than previously and requires less steps to be finished.
In our case, we are configuring new forest root domain, so we need to choose “Add a new forest” option and specify DNS domain name for this new forest. As it was mentioned before, in this example we will use testenv.local as DNS domain name
On the next screen, you need to specify Domain and Forest Functional Levels. For more details about that, please check another articles on my blog:
Important! When you set up Domain/Forest Functional level it cannot be changed to lower mode, so be careful when you choose them. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it without any business continuity disruption later.
also, define if that server would have DNS role installed and if it would be Global Catalog. As this is the first Domain Controller, all these roles must be installed.
Specify Directory Services Restoration Mode (DSRM) password which will be also used for domain administrator account at this stage
As this is the first Domain Controller and forest root domain, do not worry about DNS delegation and go to the next step
When you specified DNS domain name, you need to type also NetBIOS domain name. By default wizard suggests the first part from DNS domain name. If you have no reasons to use different NetBIOS name, I would suggest to leave that as after this name change, you will have an issue with Active Directory Administrative Center which does not recognize changed NetBIOS domain name (it uses the first part of DNS domain name).
Specify location of AD database and SYSVOL. You may leave defaults or move them to another drive
You will see summary screen with all details before installation. As in Windows Server 2012 everything from Server Manager is translated into PowerShell and executed in the background, you may click on “View script” to see what will be done to install and configure Domain Controller
when you are ready, click on next to go to the final screen where script will be executed in a background
If all prerequisites will pass, you can start installation
Wait a while and server will be rebooted. After reboot, your server will be a Domain Controller.
Congratulations! Your Domain Controller for a forest root domain is ready! You can log on, on it, using password specified during promotion process (the same password as Directory Services Restoration Mode)
Log on, using domain administrator credentials into your new Domain Controller.
We have to configure DNS server to send unresolved DNS queries to ISP DNS server(s) or any other public DNS server(s). This configuration is necessary to be able to access the Internet resources from our internal network.
Open DNS management console from Tools in Server Manager and select server name.
In the right pane at the bottom of that window, double click on Forwarders
When Forwarders window appears, click on “Edit” button to put there public DNS server for the Internet access
You should see a window, where you can put ISP or public DNS servers. Add DNS to the list. In this case we will use Google public DNS servers (22.214.171.124. and 126.96.36.199) Wait until they will be validated and close console
After all, you should consider Domain Controller and DNS server redundancy in your network by placing additional server with these roles. Another very important part is performing SystemState backup of Domain Controllers regularly.
In case of lack hardware resources in your network, you can consider placing DHCP server on this Domain Controller. However, it’s not recommended to install additional roles on DCs because of security reasons.
Author: Krzysztof Pytko