Setup a Domain Controller as Recommended by Microsoft

Posted on 07/03/2024 (last updated 19/08/2025) by Christian
DC-creation-as-recommended-by-Microsoft

A Domain Controller (DC) responds to authentication requests. Active Directory has a hierarchical structure made up of domains. In this article, I will be discussing how to set up a Domain Controller as recommended by Microsoft, using a Hyper-V VM. Please also see Pleasant User Group Permission and User Access, Domain Name System Protocol: Client Registration Issue, Domain Name System: How to create a DNS record, and how to fix “DNS Bad key 9017: The Cluster Name registration failed of one or more associated DNS names“.

When setting up a new Active Directory (AD), it is important to plan the DNS setup accordingly. DNS is the Domain Name System, used to translate names into network (IP) addresses.

Note: The use of non-official internal domain names is discouraged because of security and verification issues. In November 2015, Certificate Authorities (CAs) withdrew SSL certificates for servers with non-public domain suffixes, because public verification of such names is not possible. Unofficial domain names are not routable on the internet and do not adhere to internet naming standards, which makes them unsuitable for widespread support.

Using a single DNS namespace for both internal and external services is also frowned upon. For example, using the same publicly registered domain name, such as techdirectarchivedotcom, for both can create a number of DNS and security issues.

Active Directory Domain vs DNS name

The AD domain name differs from the DNS name, but the two are interconnected. The AD domain name primarily serves AD operations, particularly the LDAP queries that support AD functionality. In contrast, DNS is a network-level service for resolving names to IP addresses. This distinction makes it possible to use an ‘internal,’ private AD domain name alongside a public, registered DNS name.

This is also why the AD domain short name is referred to as the NetBIOS name (as in the AD logon name <DOMAIN>\<username>).

Learn what happens when WDS and DNS are installed on the same Windows Server (DNS issues with WDS), and watch the video on how to back up and restore the Windows Registry.

Best Practice for DNS naming for internal domains and networks

Microsoft generally recommends using a subdomain of an existing domain for your Active Directory (AD) implementation, that is, a subdomain of a publicly registered domain. This is because AD is tightly integrated with DNS, and using a subdomain helps to isolate the AD namespace from the rest of your organisation’s DNS namespace. This isolation is beneficial for both management and security.

Therefore, register a public DNS name such as techdirectarchivedotcom, then create subdomains for internal use, such as tda.techdirectarchive.com.

Plan your AD Domain Structure

Decide on the domain name you want to use for your AD. For example, if your organization’s public domain is exampledotcom, you might choose ad.exampledotcom for your Active Directory.

As discussed above, Microsoft generally recommends using a subdomain of an existing domain for your Active Directory (AD) implementation. This is because AD is tightly integrated with DNS, and using a subdomain helps to isolate the AD namespace from the rest of your organization’s DNS namespace. This isolation can be beneficial for management and security purposes.

Create a Virtual Machine for your Domain Controller

I will be using a VM created on Hyper-V. If you wish to follow my steps, create a VM on Hyper-V and enter the VM name as shown below.

Create-VM-in-Hyper-for-Active-Directory

Enter the disk size. This can be extended later depending on your needs. See how to fix “Unable to Extend Volume” on Windows protected by BitLocker, and how to increase disk size in Hyper-V.

Disk-Size

Click Finish to complete the VM creation on Hyper-V.

VM-summary

Install Windows Server 2022 onto the Hyper-V VM

Now, you can start and connect to your VM.

Connect-to-VM-1

Please start the VM.

Start-VM-1

Note: Ensure you enable the Trusted Platform Module (TPM) as shown below. It is disabled by default in Hyper-V VMs.

Enable-TPM-on-VM

Click on Install to install the OS.

Install-OS-1

The OS is being installed.

Installing-OS

Windows Server setup is complete. Enter your Administrator password to access the OS.

VM-Created

Setup a Domain Controller as Recommended by Microsoft

As discussed extensively, the best practice remains to use a subdomain of a domain you own. For instance, if you own mydomaindotcom, you can consider using internal.mydomaindotcom for your internal network.

This approach aligns with standard practice and avoids potential issues with future TLDs, as well as conflicts with mDNS or other services.

Here is how to create a local backup repository and add Hyper-V to the VBR inventory, and a video on how to fix the “Boot Failed: UEFI SCSI Device” error on Hyper-V.

Install Active Directory Domain Services (AD DS)

After installing Windows Server, install the Active Directory Domain Services role. This can be done using Server Manager.

Add-Roles-and-featuress

On the Before you begin page, click Next.

Before-you-begin

Select Role-based or feature-based installation and click Next.

Role-Based-istallation

On the Select destination server page, click Next.

Select-server-frm-pool

Select “Active Directory Domain Services” under Server Roles and click Next.

Select-ADDS-services

Click Add Features at the prompt.

Add-ADDS-features

We have now selected the AD DS role for installation.

Proceed-with-ADDS-role-installtion

Click Next on the Select features page.

Proceed-with-the-ADDS-installation

This page is just informational. Since this is an entirely new domain, I will be installing another DC very shortly. See

ADDS-

Click Install to install the AD DS role.

Install-ADDS-Role

The AD DS role is being installed.

ADDS-Role-is-being-intalled

Feel free to close the wizard at this time.

Close-ADDS-Installation

See this video on how to enable Find My Device on Windows 11, and also the video on how to increase disk size in Hyper-V.

Domain Controller Promotion

Promote the server to a domain controller using the Active Directory Domain Services Configuration Wizard. This involves specifying the domain name and providing the Directory Services Restore Mode (DSRM) password.

Promote-Server-as-Domain-Controller

Specify the full domain name for the new forest, as recommended by Microsoft. If you already have a DC, you can instead add additional domain controllers to the existing domain.

Add-a-new-Forest

The Forest Functional Level defines the characteristics and capabilities of Active Directory Domain Services (AD DS) and dictates the features available in both the forest and the domain. It also restricts which server operating systems can run on Domain Controllers (DCs), and it establishes the baseline AD DS functionality for all domains and all DCs in the forest.

The Domain Functional Level establishes the AD DS functionality level for all domain controllers within the domain. You cannot set the Domain Functional Level below the Forest Functional Level, but you can set it higher.

If you have multiple domains, consider whether you need to configure the domain controller as a Global Catalog server. This is often recommended for better search performance in a multi-domain environment.

Set a password for Directory Services Restore Mode (DSRM). This password is used to recover the domain controller if it fails.

Domain-Controller-Options

DNS Options

The wizard reports that the authoritative parent zone cannot be found, so the DNS server cannot create a delegation. This is expected on a new installation: there is currently no Microsoft DNS server hosting the parent zone to delegate from.

If you already have a DNS server, proceed by clicking Next. If your organisation hosts its DNS externally, you might need to create a DNS delegation for the subdomain that points it to your internal DNS servers. This ensures that queries for the subdomain are resolved correctly.

Note: I will click next to install the DNS server on the domain controller. DNS is a crucial component of AD. If the DNS role is not already installed, it will be automatically installed during the promotion of the server to a domain controller.

DNS-Options

NetBIOS, a protocol that is largely obsolete in modern environments, predates Windows 2000. I will keep the default settings and click Next.

While the name can be altered at this stage, the pre-populated name is satisfactory for the current configuration.

NetBIOS-domain-name

Specify the locations for the AD DS database, log files, and SYSVOL.

ADDS-DB-Log-and-Sysvol-path

Review the options as shown below, and click Next to continue.

Review-Options

The wizard performs a prerequisites check. If there are any issues, resolve them before proceeding.

Performing-prerequisite-checks

The prerequisite check passed. Click Install.

Domain-Controller-prerequiste-checks-passed

The server will automatically restart after the Active Directory installation is complete. See this guide if you wish to demote and remove a Domain Controller on Windows Server.

PC-restart
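The same role installation and promotion can be scripted with the ADDSDeployment cmdlets, which is useful for repeatable lab builds and for reviewing every choice the wizard made. The following is an added example written for this article, not code from the original post or from Microsoft; the domain name internal.example.com, the NetBIOS name INTERNAL and the database paths are assumed placeholders, so replace them with a subdomain of a domain you own. It runs the same prerequisite check the wizard performs before committing to the promotion.

```powershell
# Added example: install the AD DS role and promote this server to the first
# domain controller of a new forest, mirroring the wizard pages in the post.
# Domain name, NetBIOS name and paths are assumed placeholders.

# 1. Install the AD DS role together with the management tools (the Server Manager step).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Use a subdomain of a domain you own, as the post recommends.
$DomainName  = 'internal.example.com'   # assumed placeholder
$NetbiosName = 'INTERNAL'               # NetBIOS name: 15 characters max, no dots

# 3. Prompt for the DSRM password rather than storing it in the script.
$DsrmPassword = Read-Host -Prompt 'Enter the DSRM (Safe Mode Administrator) password' -AsSecureString

# 4. The same parameters the promotion wizard collects. WinThreshold is the
#    Windows Server 2016 functional level, the highest available on Server 2022.
$ForestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true     # DNS role is added during promotion
    CreateDnsDelegation           = $false    # no authoritative parent zone on a new install
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $DsrmPassword
    NoRebootOnCompletion          = $false    # reboot automatically when done
    Force                         = $true     # suppress the confirmation prompt
}

# 5. Run the prerequisite check first; only promote when it reports success.
$Check = Test-ADDSForestInstallation @ForestParams
$Check | Format-List

if ($Check.Status -eq 'Success') {
    Install-ADDSForest @ForestParams
}
else {
    Write-Warning 'Prerequisite check failed; review the messages above before promoting.'
}
```

Keep the DSRM password in your password manager: it is the only credential that lets you log on to the DC in Directory Services Restore Mode if Active Directory itself cannot start.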

Post-Installation Steps

I would recommend you implement best practices for securing your Active Directory environment. This includes enabling the relevant Group Policy settings, creating an organisational unit (OU) structure, setting up user accounts, creating groups, and assigning permissions.

Verify DNS Settings

Ensure that DNS is configured correctly and that the server points to itself for DNS resolution. Launch DNS Manager.

DNS-Manager
As you can see, the forward lookup zone has been created for us.

It also created an A record for my server.

Created-an-A-Record-for-my-Server

However, the reverse lookup zone was not created. Right-click on Reverse Lookup Zones and select New Zone.

Create-Reverse-Lookup-Zone

Click Next to create a new reverse lookup zone.

New-Zone-Wizarrd

I am fine with the default options.

Primary zone: this creates a copy of the zone that can be updated directly on this server.
Primary-Zone

This option replicates the zone to all DNS servers running on domain controllers in this domain.

Replicate-all-DNS-to-other-DCS-by-default

I will select the IPv4 option.

IPv4-lookup-Zone

Enter your Network ID and click Next.

Network-ID

Allowing dynamic updates means that when devices are added to AD, their records in this zone are created automatically. Click Next.

Allo-Dynamic-Updates

Click Finish to complete this process.

Finish-Reverse-lookup-zone-creation

Now, we have our reverse lookup zone created.

Pointer-recod-created

Let’s fix the pointer (PTR) record for LabDC01 by updating it from the server’s A record. Right-click on the record and select Properties.

Update-Pointer-Record-for-Server

Tick the checkbox “Update associated pointer (PTR) record”.

Update-associated-Pointer-record

The associated pointer (PTR) record has been updated.

Pointer-Record-updated
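The DNS verification, reverse lookup zone creation and PTR registration above can also be done and checked from PowerShell with the DnsServer module that is installed with the DNS role. This is an added example written for this article, not code from the original post; LabDC01 is the server name from the post, while the DNS suffix internal.example.com and the 192.168.10.0/24 network are assumed placeholders (the zone-name arithmetic assumes a /24 network, as in a typical lab).

```powershell
# Added example: check that the DC resolves through itself, create the
# AD-integrated reverse lookup zone and register the DC's PTR record.
# Suffix and network are assumed placeholders; LabDC01 comes from the post.

$DcName    = 'LabDC01'
$DnsSuffix = 'internal.example.com'     # assumed AD DNS name
$DcFqdn    = "$DcName.$DnsSuffix"
$NetworkId = '192.168.10.0/24'          # assumed /24 subnet of the DC

# 1. The DC should use itself (its own address or 127.0.0.1) for DNS resolution.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Promotion created the forward lookup zone and the DC's A record.
Get-DnsServerZone -Name $DnsSuffix
Resolve-DnsName -Name $DcFqdn -Type A

# 3. Reverse zone name for a /24: 192.168.10.0/24 -> 10.168.192.in-addr.arpa
$Octets          = ($NetworkId -split '/')[0] -split '\.'
$ReverseZoneName = "$($Octets[2]).$($Octets[1]).$($Octets[0]).in-addr.arpa"

# Same choices as the wizard: primary, replicated to DNS servers in the domain,
# IPv4, and only secure dynamic updates (so only domain members can register).
if (-not (Get-DnsServerZone -Name $ReverseZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 4. Register the PTR record from the A record, which is what ticking
#    "Update associated pointer (PTR) record" does in DNS Manager.
$ARecord   = Get-DnsServerResourceRecord -ZoneName $DnsSuffix -Name $DcName -RRType A |
             Select-Object -First 1
$Ip        = $ARecord.RecordData.IPv4Address.IPAddressToString
$HostOctet = ($Ip -split '\.')[3]

if (-not (Get-DnsServerResourceRecord -ZoneName $ReverseZoneName -Name $HostOctet -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $ReverseZoneName -Name $HostOctet -PtrDomainName "$DcFqdn."
}

# 5. Verify: a reverse lookup of the DC's address should now return its FQDN.
Resolve-DnsName -Name $Ip -Type PTR
```

Once the reverse zone exists, domain members re-register their own PTR records at the next DNS client registration (ipconfig /registerdns or a reboot), so only records created before the zone existed need this manual fix.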

Manage Active Directory: Create an OU and an AD User Account

Open ‘Active Directory Users and Computers’ to manage users, groups, and organisational units. In this guide, I will focus on creating an Organisational Unit and an AD user account.

Active-Directory-Users-and-Computers

Right-click the domain, select New, and then Organizational Unit to create an OU.

Create-OU

Enter the OU name and click OK.

OU-NAme

To create a user, select the OU where you want the user to reside (you can move the user later). Right-click on the OU, select New, and then User.

Create-AD-User

Populate the New Object fields for the user.

User-information

Enter the password and select any applicable option for you and click Next.

Enter-Password

Click Finish to complete this process.

Finish-user-account-creation

Our user has been created.

First-AD-account
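The same OU and user creation can be scripted with the ActiveDirectory module, which is the better option once you have more than a handful of accounts and want every account created the same way. This is an added example written for this article, not code from the original post; the OU name “TDA Users” and the user Jane Doe / jdoe are assumed placeholders. It keeps the OU protected from accidental deletion (the GUI default), prompts for the password instead of embedding it, and forces a password change at first logon.

```powershell
# Added example: create an OU and a first user account, then verify.
# OU and user names are assumed placeholders.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDn = $Domain.DistinguishedName        # e.g. DC=internal,DC=example,DC=com
$OuName   = 'TDA Users'                       # assumed OU name
$OuDn     = "OU=$OuName,$DomainDn"

# 1. Create the OU if it does not already exist, protected from accidental
#    deletion just as the GUI does by default.
$ExistingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ExistingOu) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Create the user inside the OU. The initial password is prompted, never
#    stored in the script, and must be changed at first logon.
$Password = Read-Host -Prompt 'Initial password for the new user' -AsSecureString

$UserParams = @{
    Name                  = 'Jane Doe'                    # assumed
    GivenName             = 'Jane'
    Surname               = 'Doe'
    SamAccountName        = 'jdoe'                        # assumed
    UserPrincipalName     = "jdoe@$($Domain.DNSRoot)"
    Path                  = $OuDn
    AccountPassword       = $Password
    Enabled               = $true
    ChangePasswordAtLogon = $true
}
New-ADUser @UserParams

# 3. Verify the account landed in the intended OU and carries the expected flags.
Get-ADUser -Identity 'jdoe' -Properties PasswordExpired |
    Select-Object Name, DistinguishedName, Enabled, PasswordExpired
```

If New-ADUser reports that the password does not meet the requirements, the domain password policy is rejecting it; the account is still created but left disabled, so either supply a compliant password or adjust the policy through Group Policy before re-running.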

Conclusion on how to Setup a Domain Controller as Recommended by Microsoft

In this comprehensive guide, we have learnt how to install the AD DS role onto Windows Server and promote the server to a domain controller. We also created Organisational Units and users, created a reverse lookup zone in DNS, and updated the PTR record for our Domain Controller.

I hope you found this article on how to set up a Domain Controller as recommended by Microsoft useful. Please feel free to leave a comment below.

Thank you for reading this post. Kindly share it with others.