From first exposure to installing Active Directory Domain Services in a lab environment.
Oftentimes, when Active Directory (AD) is introduced and talked about, many people find the technology mysterious. I remember learning about it for the first time back when I began my career on the help desk. Early on, I just saw it as this unique directory service, not realizing that it's installed as a Server Role on Windows Server operating systems, is heavily reliant on DNS, and is the historic backbone of domain networks.
I walked into my first help desk role on day one and learned that AD facilitates Windows logins, as I began doing password resets.
So, I understood it very differently in the beginning. It wasn't until I learned how to set it up for the first time using a Windows Server Evaluation version on Oracle VirtualBox and learned more about its structure that I came to understand the technology for what it is, which made me realize how differently Active Directory can be interpreted when first introduced.
With that being said, I thought I would put together a hands-on demonstration of where Active Directory starts: installing the AD DS Server Role on a Windows Server operating system and promoting the machine to a domain controller.
This demonstration is being carried out on a Windows Server Evaluation version for educational purposes.
If you're new to IT, just getting started or aspiring to be, or simply interested in learning how to set up Active Directory from scratch in a lab environment, this is a great starting point.
In this hands-on example, I have an Evaluation version of Windows Server 2022 installed and running on Hyper-V on a Lenovo ThinkPad.
This demonstration outlines a basic run through of installing the AD DS Server Role in a lab environment.
There are several steps to take prior to implementing AD on a production enterprise network.
Common Active Directory Setup Mistakes to avoid include:
1. Open Server Manager > Dashboard
Starting out on the Windows Server Manager Dashboard, click on Add roles and features in the quick start listing.

2. Before You Begin
The Add Roles and Features Wizard will come up.
The Before You Begin screen serves as a critical pre-flight checklist to ensure your server is physically and logically prepared for the Active Directory role. It strongly recommends verifying that you have a secure Administrator password, a fixed static IP address, and that the server is fully patched. By confirming these three pillars are in place, you avoid common installation failures and ensure your new domain starts on a stable, secure foundation.
These are the prerequisite best practices to have in place when building out the foundation of a professional enterprise network.
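Each of the three pillars the Before You Begin screen asks about can be checked from PowerShell before you open the wizard. The script below is an added example, not part of the original post; it assumes an elevated PowerShell session on the Windows Server machine that is about to be promoted, and it only reports, it changes nothing.

```powershell
# Added example (not from the original post): pre-flight check for the three
# "Before You Begin" pillars. Assumes an elevated PowerShell session on the
# Windows Server machine that will become the domain controller.

# 1. Static IP: a manually assigned IPv4 address has PrefixOrigin "Manual";
#    a DHCP lease shows "Dhcp". A domain controller must not depend on a lease.
$ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.PrefixOrigin -ne 'WellKnown' }
foreach ($ip in $ipv4) {
    $status = if ($ip.PrefixOrigin -eq 'Manual') { 'OK  ' } else { 'WARN' }
    "[$status] $($ip.InterfaceAlias): $($ip.IPAddress)/$($ip.PrefixLength) ($($ip.PrefixOrigin))"
}

# 2. Patch level: show the most recently installed update so the date can be
#    compared against the current monthly release before promoting.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
"[INFO] Most recent hotfix: $($latest.HotFixID) installed $($latest.InstalledOn)"

# 3. Administrator password: confirm the built-in account requires a password
#    and that it has been set since the OS was installed. After promotion this
#    local account becomes the domain Administrator, so a weak password here
#    becomes the domain's weakest credential.
$admin = Get-LocalUser -Name 'Administrator'
$status = if ($admin.PasswordRequired -and $admin.PasswordLastSet) { 'OK  ' } else { 'WARN' }
"[$status] Administrator password required: $($admin.PasswordRequired); last set: $($admin.PasswordLastSet)"

# Additional check worth doing now: the computer name is awkward to change once
# the server is a domain controller, so confirm it is the one you want.
"[INFO] Computer name: $env:COMPUTERNAME"
```

Anything flagged WARN should be fixed before running the wizard: assign the static address in the adapter settings, install pending updates, and change the Administrator password with `Set-LocalUser -Password`.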

3. Installation Type
To configure a single server by adding roles, role services, and features, select Role-based or feature-based installation. Then click Next.

4. Server Selection
Select the server the AD DS Server Role is being installed on, then click Next.

5. Server Roles
In the listing of Server Roles, select the checkbox for Active Directory Domain Services, then click Next.

6. Click the Add Features button for the additional features needed for AD DS.

7. Click Next to move on to the Features screen.

8. Features
In this example, I'll go with the default selections, and click Next.

9. AD DS
The Active Directory Domain Services overview screen serves as a high-level summary of the service's role in managing users, computers, and network resources securely.
It emphasizes the critical best practice of deploying at least two domain controllers to prevent a single point of failure and reminds you that a DNS server must be available for the directory to function.
This step ensures that administrators understand the foundational infrastructure requirements before proceeding with the final stages of the installation.

10. Click Next, then Yes to allow automatic restarts.

11. Confirmation
Confirm installation selections before proceeding with installation.
Review and click Install.

12. Installation progress
AD DS Server Role installation in progress.


13. After the installation completes click Promote this server to a domain controller.

14. Select Add a new forest and click Next.
An AD forest is the highest level of organization in an AD environment. It is the topmost logical container that groups together one or more domains.
As this example outlines creating a new domain from scratch, a new forest will be added.

15. Domain Controller Options
The Domain Controller Options step configures the server's core roles, such as DNS and the Global Catalog, while setting the Functional Level to determine which Advanced Active Directory features are available.
It also requires you to create a Directory Services Restore Mode (DSRM) password, which acts as a unique "emergency key" for local access if the database ever becomes corrupted or needs offline maintenance.
By completing this step, you are essentially defining both the operational capabilities of the domain and the security guardrails of its recovery.
Directory Services Restore Mode (DSRM) is a special "Safe Mode" for Windows Domain Controllers. It provides administrators with the ability to repair, restore, or recover an Active Directory (AD) database when the directory service cannot start or needs to be taken offline for maintenance.
During this step, when I saw Windows Server 2016, I thought to myself: interesting, isn't this a Windows Server 2022 version I'm working with? That made me curious. This occurs because Windows Server 2016 is currently the highest available forest and domain functional level, even when deploying on Windows Server 2022. This helps to preserve compatibility with newer domain controllers.

The DNS Options step displays a warning about 'DNS delegation,' but for most new setups, this can be safely ignored. It indicates that no DNS delegation could be created in an existing parent zone, which is expected in a new forest deployment.
In a typical Active Directory deployment, this requirement is fulfilled automatically, as the AD DS installation process installs and configures the DNS Server role on the Domain Controller.

16. Additional Options
Verify the NetBIOS name assigned to the domain.
Before DNS became the standard for the internet, Windows used NetBIOS to identify computers and domains on a local network. Today, it remains relevant primarily for the legacy login format that most users are familiar with: DOMAIN\username (e.g., Domain-1\JDoe).
In this example, the domain name DOMAIN-1 is the NetBIOS domain name.

17. Paths
Specify and review the folder location of the database, log files, and SYSVOL.
The Paths step allows you to define the storage location paths for the Active Directory database, transaction logs, and the SYSVOL folder.
While the default C:\Windows locations are standard for smaller setups, moving these files to separate physical drives can significantly boost performance and simplify disaster recovery in larger environments. Properly configuring these paths ensures that your identity data, system "receipts" (logs), and Group Policies are stored securely and efficiently.

18. Review Options
The Review Options step provides a comprehensive summary of all your configuration choices, from naming conventions to functional levels, ensuring everything is correct before the installation begins.
It serves as a final safety check to prevent deployment errors that could be difficult to change later.
The "View Script" button lets you export your settings into a PowerShell script for automated, consistent deployments in the future.

19. Prerequisites Check
Run the check and then click Install.
The Prerequisites Check is a mandatory diagnostic phase where the wizard scans the server's hardware, network settings, and security permissions to ensure they meet the strict requirements of a Domain Controller.
While it may display yellow warning icons regarding legacy cryptography or static IP addresses, these are often informational; as long as you see the green checkmark at the top stating that all checks passed successfully, you are cleared to proceed.
Clicking Install at this stage will begin the actual promotion process, after which the server will automatically reboot to finalize its new identity.

20. Installation
Install & Reboot: The server installs AD DS and restarts automatically.
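The View Script button mentioned in step 18 exports the wizard's choices as PowerShell, and the role installation in steps 5 to 12 has a cmdlet equivalent too. The script below is an added example written for this post, not the script the wizard exports; it reproduces the same choices made in steps 5 to 20 (DNS on the DC, no delegation, Windows Server 2016 functional levels, default paths). The DNS domain name `domain-1.lab` is an assumption, since the post only shows the NetBIOS name DOMAIN-1.

```powershell
# Added example (not the wizard's exported script): the two phases the wizard
# performs, as PowerShell. Run in an elevated session on the server.
# Assumption: the DNS domain name is "domain-1.lab"; only DOMAIN-1 appears in the post.

# Phase 1 (steps 5-12): install the AD DS role plus the management tools
# (Active Directory Users and Computers, ADAC, the ActiveDirectory module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Phase 2 (steps 13-20): promote the server into a new forest.
Import-Module ADDSDeployment

# The DSRM password is read interactively as a SecureString; never hard-code it
# in a script, and store it somewhere the recovery team can reach offline.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Step 19's Prerequisites Check has a cmdlet form; run it first to see the same
# warnings (legacy cryptography, DNS delegation) without committing to anything.
Test-ADDSForestInstallation `
    -DomainName 'domain-1.lab' `
    -DomainNetbiosName 'DOMAIN-1' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -InstallDns

# "WinThreshold" is the ADDSDeployment value for the Windows Server 2016 level,
# the highest level offered in the wizard in this walkthrough.
Install-ADDSForest `
    -DomainName 'domain-1.lab' `
    -DomainNetbiosName 'DOMAIN-1' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -NoRebootOnCompletion:$false `
    -Force:$true
```

Because `-NoRebootOnCompletion:$false` is set, the server restarts on its own once the promotion finishes, exactly as the wizard does in step 20. Keeping the exported or hand-written script in version control is what makes a second lab domain controller, or a rebuild after a failed experiment, a repeatable process rather than a sequence of clicks.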


21. Waiting for the gpsvc service to start.
After the promotion process completes, it is perfectly normal for the first reboot to take significantly longer as the server initializes the Active Directory database and sets up the SYSVOL share.
You may see the screen hang on "Please wait for the gpsvc" while the system creates and applies the initial Group Policy objects that govern the new domain.
SYSVOL and replication: The SYSVOL folder stores Group Policy templates and logon scripts and is automatically replicated between Domain Controllers using DFS Replication (DFS-R). This ensures all domain controllers apply the same policies consistently across the environment.
This delay is a one-time occurrence that ensures the security and directory services are fully operational before the login screen is presented.
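Once the logon screen appears, it is worth confirming that the database, SYSVOL and the related services came up cleanly rather than assuming the long first boot did everything. The checks below are an added example, not part of the original post; they assume an elevated PowerShell session on the newly promoted domain controller.

```powershell
# Added example (not from the original post): post-promotion health checks,
# run in an elevated session on the new domain controller after first logon.

# The directory and the services it depends on must all be Running.
Get-Service -Name NTDS, DNS, Netlogon, Kdc, DFSR, gpsvc |
    Select-Object Name, Status, StartType

# The DC should be registered, be a Global Catalog, and (as the only DC in a
# new forest) hold all five operations master roles.
Get-ADDomainController |
    Select-Object HostName, Domain, Forest, IsGlobalCatalog, OperationMasterRoles

# SYSVOL and NETLOGON are shared only once SYSVOL has been initialised, which is
# part of what the "Please wait for the gpsvc" delay covers.
Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path

# DFS-R reports the SYSVOL replicated folder state: 4 = Normal. Anything else
# (0 Uninitialized, 1 Initialized, 2 Initial Sync, 3 Auto Recovery, 5 In Error)
# means Group Policy will not replicate correctly once a second DC is added.
Get-CimInstance -Namespace 'root\MicrosoftDFS' -ClassName DfsrReplicatedFolderInfo |
    Select-Object ReplicatedFolderName, State

# dcdiag runs the same family of checks the wizard did, now against the live DC.
dcdiag /test:Services /test:NetLogons /test:SysVolCheck /test:Replications
```

With a single domain controller the Replications test has no partners to report, which is expected; the value of running it now is to have a known-good baseline to compare against when a second DC joins the lab.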

22. Domain Logon Screen

23. Under the Tools menu on the Server Manager Dashboard is Active Directory Users and Computers.

24. Active Directory Console

Note: Active Directory Users and Computers (ADUC) is only one of several management consoles used to administer Active Directory. Others include Active Directory Administrative Center (ADAC), ADSI Edit, and Group Policy Management.
25. Expanding the domain hierarchy.

26. Builtin Security Groups - Domain Local
The Builtin container holds a collection of default security groups that come pre-configured with specific administrative rights to manage various parts of the domain.
These groups, such as Account Operators or Backup Operators, allow you to delegate specific tasks to users without granting them full control over the entire network.
Understanding these groups is essential for maintaining a secure environment. These groups represent how Active Directory organizes domain-level administrative permissions, particularly as they apply to Domain Controllers.
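Because membership of these groups is what grants rights over the domain controllers, listing the Builtin container and auditing who is in the privileged groups is a routine check. The script below is an added example, not from the original post; it assumes the ActiveDirectory module installed with the management tools and a session on, or with remote access to, the domain controller.

```powershell
# Added example (not from the original post): enumerate the Builtin container
# and audit membership of the groups that carry rights on domain controllers.
# Assumes the ActiveDirectory module from the AD DS management tools.
Import-Module ActiveDirectory

$builtin = "CN=Builtin,$((Get-ADDomain).DistinguishedName)"

# Every group in the Builtin container has Domain Local scope, which is why the
# heading above labels them that way.
Get-ADGroup -SearchBase $builtin -Filter * -Properties Description |
    Select-Object Name, GroupScope, Description |
    Sort-Object Name | Format-Table -AutoSize

# These groups are effectively administrative on a DC: Account Operators can
# create accounts and reset most passwords, Backup Operators can read any file
# on a DC, Server Operators can manage services and shares on DCs, and Print
# Operators can load drivers on DCs. In a fresh lab domain the first four should
# be empty; Administrators contains only the Administrator account and the
# Domain Admins / Enterprise Admins groups.
$privileged = 'Account Operators', 'Backup Operators', 'Server Operators',
              'Print Operators', 'Administrators'
foreach ($g in $privileged) {
    $members = Get-ADGroupMember -Identity $g -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $count = @($members).Count
    '{0,-18} members: {1}' -f $g, $count
    if ($count -gt 0) { $members | ForEach-Object { "    $_" } }
}
```

Running this once right after promotion records what "default" looks like; any later difference in the output is either a deliberate delegation that should be documented or something to investigate.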

27. Domain Controller(s)
Installing the AD DS Server Role on a server and then promoting it converts that machine from a regular server into a Domain Controller.
A Domain Controller is the server that runs the AD DS Windows Server Role and is responsible for running Active Directory.
A Domain Controller hosts a writable replica of the Active Directory database for the forest root domain, providing authentication, authorization, and directory services for the logical root of the structure.
A single domain can have one or more Domain Controllers (DCs), the computers that run Active Directory for that domain.
The Domain Controller(s) that pertain to a given domain will have a computer account here in the Domain Controllers container of ADUC.

28. Users container
The Users container is where a lot of daily administrative tasks are performed in Active Directory. This is where you create and provision new user account objects, reset passwords, assign applicable group membership to user account objects, and more.

29. Right-click the Users container and select New > User to create a new User Account Object.

30. New User Account Object creation.

31. Specify first and last name attribute details, specify domain logon name. Click Next.

32. Specify and create a password for the user account logon. Click Next.

33. Click Finish

34. New User Account Object in Users container.
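The same user account object can be created from PowerShell, which is how provisioning is usually done once there is more than a handful of users. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module, uses a constructed sample user that matches the post's DOMAIN-1\JDoe logon format, and reads the DNS domain name from the domain rather than hard-coding it.

```powershell
# Added example (not from the original post): create the user account object
# from steps 29-34 with New-ADUser. The sample user "Jane Doe" / JDoe is
# constructed to match the DOMAIN-1\JDoe logon format shown earlier.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$firstName = 'Jane'
$lastName  = 'Doe'
$sam       = 'JDoe'                 # the logon name after DOMAIN-1\

# Read the initial password interactively; never leave it in a script or log.
$initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString

New-ADUser `
    -Name "$firstName $lastName" `
    -GivenName $firstName `
    -Surname $lastName `
    -DisplayName "$firstName $lastName" `
    -SamAccountName $sam `
    -UserPrincipalName "$sam@$($domain.DNSRoot)" `
    -Path "CN=Users,$($domain.DistinguishedName)" `
    -AccountPassword $initialPassword `
    -ChangePasswordAtLogon $true `
    -Enabled $true

# Confirm the object landed in the Users container with the expected attributes.
Get-ADUser -Identity $sam -Properties UserPrincipalName, PasswordLastSet |
    Select-Object Name, SamAccountName, UserPrincipalName, Enabled, DistinguishedName
```

`-ChangePasswordAtLogon $true` matches the "User must change password at next logon" checkbox in the ADUC wizard, so the initial password set by the administrator is never the one the user keeps.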

These practices form the foundation for a secure, resilient, and scalable Active Directory environment.
An Active Directory implementation begins with installing the AD DS Server Role on a Windows Server operating system and promoting the machine to a Domain Controller (DC). Here, we have the root of several lab opportunities. See what you can do.
Now that Active Directory is set up, the next step is understanding how it can be misconfigured, attacked, and defended.
Active Directory and Windows Server are trademarks of Microsoft Corporation. This content is for educational purposes and is not affiliated with or endorsed by Microsoft.