
What is Active Directory - how to install and configure. Installing Microsoft Active Directory

This article gives detailed step-by-step instructions for installing and configuring the Active Directory Domain Services role from scratch on Windows Server 2012. The instructions are based on the English edition; where useful, the corresponding names of parameters and commands from the Russian edition of Windows Server 2012 are given as well.

Preparation

Before configuring the Active Directory role, complete the initial Windows Server 2012 setup: assign a static IP address and rename the computer.

To set a static IP address, right-click the Network icon in the taskbar and select Open Network and Sharing Center -> Change adapter settings. Select the adapter connected to the internal network -> Properties -> Internet Protocol Version 4 (TCP/IPv4) and set an address similar to the one shown in the picture.

192.168.0.11 is the IP address of the current server, the first domain controller.

192.168.0.254 is the gateway IP address.

Now rename the server and restart it: Start -> System -> Change Settings -> Computer Name -> Change. Enter the computer name. In this example the server is named DC1.
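The same preparation done from PowerShell instead of the GUI, as an added example that is not part of the original article. It assumes the network adapter is named "Ethernet" and a /24 network, and reuses the article's addresses (192.168.0.11 for the server, 192.168.0.254 for the gateway); adjust them for your network. Note that replacing the adapter's configuration drops an RDP session, so run it from the console.

```powershell
# Added example (not from the article): prepare the future first domain controller.
# Assumptions: adapter "Ethernet", /24 network, addresses taken from the article.
$Adapter = "Ethernet"
$Ip      = "192.168.0.11"   # this server, the future first DC
$Gateway = "192.168.0.254"  # router
$NewName = "DC1"

# Replace any DHCP-assigned configuration with a static one.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $Ip -PrefixLength 24 -DefaultGateway $Gateway

# Until the DNS role exists, resolve through the upstream resolver (assumed to be
# the gateway). After promotion, check that the client points at the DC's own DNS.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $Gateway

# Verify before renaming: a wrong address is painful to fix after promotion.
Get-NetIPConfiguration -InterfaceAlias $Adapter |
    Format-List IPv4Address, IPv4DefaultGateway, DNSServer

# The promotion prerequisite check refuses a blank local Administrator password;
# "net user <name> *" prompts for a new one interactively.
net user Administrator *

# Rename and reboot. The name is what clients and DNS SRV records will refer to.
Rename-Computer -NewName $NewName -Force -Restart
```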

Installing the Active Directory Role on Windows Server 2012

After the initial preparation, proceed to installing the directory service role.

Start -> Server Manager.

Add roles and features -> Next

Select Role-based or feature-based installation -> Next

Select the server on which the AD role will be installed (Select a server from the server pool) and click Next.

Select the Active Directory Domain Services role. A window then appears asking to add the features required by this role. Click the Add Features button.

You can also select the DNS Server role here. If you forget to check it, there is no need to worry: it can be added later, during the AD role configuration stage.

After that, click Next on each remaining page and install the role.

Configuring Active Directory Domain Services

After the role is installed, close the window (Close). Now proceed to configuring the AD role.

In the Server Manager window, click the notification flag icon and click Promote this server to a domain controller in the Post-deployment Configuration pane.

Select Add a new forest, enter the domain name and click Next.

Here you can choose the functional levels of the forest and of the root domain. Windows Server 2012 is selected by default.

On this page you can also clear the DNS Server checkbox. In our case, we leave it checked.

On the next step the wizard warns that no delegation was created for this DNS server (A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server... Otherwise, no action is required). For a new forest with its own namespace this warning can be ignored.

Click Next.

In the next step, you can change the NetBIOS name assigned to the domain. We will not do this; just click Next.

In the next step, you can change the paths of the AD DS (Active Directory Domain Services) database, the log files and the SYSVOL folder. We leave the defaults and click Next.

The next step displays a summary of the settings. Clicking the View Script button shows the PowerShell script that will configure Active Directory Domain Services:

# Windows PowerShell script for AD DS Deployment

Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012" `
    -DomainName "site" `
    -DomainNetbiosName "ITME" `
    -ForestMode "Win2012" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

After making sure that everything is correct, click on the Next button.

The next step checks whether all prerequisites are met and then shows a report. One mandatory requirement is that the local Administrator account has a password set. At the very bottom there is a warning that after the Install button is pressed the server will be promoted to a domain controller and rebooted automatically.

The message All prerequisite checks passed successfully. Click "Install" to begin installation should appear.

Click the Install button.

After the settings are applied, the server reboots, and the first logon after the reboot is already a logon to your domain: enter the domain administrator's username and password.

This completes the basic setup of Active Directory Domain Services. Of course, a great deal of work remains: creating organizational units, adding users, configuring security group policies, and so on.
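The whole procedure above as a single PowerShell run, as an added example that is not part of the original article. It differs from the wizard-generated script shown earlier in two ways a practitioner wants: it runs the same prerequisite check as the wizard's Prerequisites page before promoting, and it supplies the Directory Services Restore Mode (DSRM) password explicitly instead of being prompted. The domain name corp.example.com with NetBIOS name CORP is an assumption (the article's own script uses a different, redacted domain name).

```powershell
# Added example (not from the article): role install, prerequisite check, forest creation.
# Assumptions: domain corp.example.com / CORP; defaults for paths and functional levels.
Import-Module ServerManager
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

Import-Module ADDSDeployment
$DomainName = "corp.example.com"
$Netbios    = "CORP"

# DSRM password: needed to boot the DC into Directory Services Restore Mode for an
# offline repair or restore of NTDS.dit. Guard it like a domain admin password.
$DsrmPwd = Read-Host -AsSecureString "DSRM (Safe Mode) administrator password"

$Params = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $Netbios
    ForestMode                    = "Win2012"
    DomainMode                    = "Win2012"
    InstallDns                    = $true
    CreateDnsDelegation           = $false      # no parent zone to delegate from
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $DsrmPwd
    Force                         = $true       # suppress the confirmation prompts
}

# The same checks the wizard runs on its Prerequisites page; refuse to continue on failure.
$Check = Test-ADDSForestInstallation @Params
$Check.Message | ForEach-Object { Write-Host $_ }
if ($Check.Status -ne "Success") { throw "Prerequisite check failed; see the messages above." }

# Promote. The server reboots automatically when this completes.
Install-ADDSForest @Params -NoRebootOnCompletion:$false

# --- Run after the reboot, logged on as CORP\Administrator, to verify the result ---
# The DC should hold all five FSMO roles and be a global catalog.
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Format-List HostName, Site, IsGlobalCatalog, OperationMasterRoles
# Clients find DCs through these SRV records; they must resolve on the DC itself.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server 127.0.0.1
# dcdiag is the authoritative health check; the DNS test is the one most often failing.
dcdiag /test:dns /test:services /test:advertising
```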

Additional information on the article

Goodbye dcpromo, hello Powershell

As the announcements have made clear, the dcpromo utility is deprecated. If you run dcpromo at the command line, a warning window appears telling you to use Server Manager instead.

The Active Directory Domain Services Installation Wizard is relocated in Server Manager.

However, the command can still be used for unattended installation with dcpromo /unattend. On a Server Core installation there is no warning window; information on using dcpromo is printed at the command line instead.

All these changes stem from the emphasis Windows Server 2012 places on administration through PowerShell.

Active Directory-related components removed from Windows Server 2012

Active Directory Federation Services (AD FS)

  • Applications that use "NT token mode" web agents are no longer supported. Such applications should be ported to Windows Identity Foundation and use the Claims to Windows Token Service to convert the UPN from a SAML token into a Windows token for use in the application.
  • Resource Groups are no longer supported (see http://technet.microsoft.com/library/cc753670(WS.10).aspx for a description of resource groups).
  • Using Active Directory Lightweight Directory Services (AD LDS) as the store for authentication results is no longer supported.
  • Migration to AD FS on Windows Server 2012 is required; in-place upgrade from AD FS 1.0 or from the "standard" version of AD FS 2.0 is not supported.

In this post we take a closer look at deploying the first domain controller in an enterprise. There will be three in total:

1) Primary domain controller, OS - Windows Server 2012 R2 with GUI, network name: dc1.

Select the default option and click Next. Then select IPv4 (the default) and click Next again.

On the next screen, set the Network ID, in our case 192.168.0. The Reverse Lookup Zone Name field shows the name of the reverse lookup zone, filled in automatically. Click Next.

On the Dynamic Update screen, choose one of the three dynamic update options:

Allow Only Secure Dynamic Updates. Available only if the zone is Active Directory-integrated. Only authenticated clients can update records, and each client can change only the records it owns.

Allow Both Nonsecure And Secure Dynamic Updates. Lets any client, authenticated or not, update DNS resource records. Anyone on the network can then overwrite an existing record and take over a host name, so this option should be avoided.

Do Not Allow Dynamic Updates. Disables dynamic DNS updates. It should be used only when the zone is not Active Directory-integrated and records are maintained by hand.

Select the first option, click Next and complete the wizard by clicking Finish.

Another option that is usually configured in DNS is Forwarders. Their purpose is to forward (and cache) queries that the local DNS server cannot answer to an external DNS server on the Internet, for example the ISP's. For the computers in our domain network, whose network settings point to our DNS server (192.168.0.3), to be able to resolve Internet names, the local DNS server must be configured to send such queries to an upstream DNS server. To configure forwarders, open the DNS Manager console, open the server properties, go to the Forwarders tab and click Edit.

Specify at least one IP address; several are preferable. Click OK.
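The reverse lookup zone with secure-only dynamic updates and the forwarders from the two sections above, created with the DnsServer module instead of the wizards. This is an added example, not part of the original article. It assumes the 192.168.0.0/24 network from the text and uses 192.0.2.53 and 192.0.2.54 (documentation addresses) as placeholder forwarders; substitute your provider's or a public resolver's addresses. The final loop goes a step beyond the text: it audits every AD-integrated zone on the server for the unsafe "nonsecure and secure" setting and tightens it.

```powershell
# Added example (not from the article): reverse zone, forwarders, and an update-policy audit.
# Assumptions: 192.168.0.0/24, placeholder forwarders 192.0.2.53 / 192.0.2.54.
Import-Module DnsServer

# AD-integrated reverse zone replicated to every DNS server in the domain.
# -DynamicUpdate Secure is the "Allow Only Secure Dynamic Updates" radio button;
# NonsecureAndSecure would let unauthenticated hosts overwrite any record.
Add-DnsServerPrimaryZone -NetworkId "192.168.0.0/24" -ReplicationScope Domain -DynamicUpdate Secure

# Forwarders: queries outside the server's own zones go here instead of to the root hints.
Set-DnsServerForwarder -IPAddress 192.0.2.53, 192.0.2.54 -UseRootHint $false -Timeout 3

# Verify the zone, its update policy, and that external names resolve through the forwarders.
Get-DnsServerZone -Name "0.168.192.in-addr.arpa" |
    Format-List ZoneName, DynamicUpdate, IsDsIntegrated, ReplicationScope
Get-DnsServerForwarder
Resolve-DnsName -Name www.example.com -Type A -Server 127.0.0.1

# Audit: any AD-integrated zone still accepting nonsecure updates is a record-hijack risk.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -eq "NonsecureAndSecure" } |
    ForEach-Object {
        Write-Warning "$($_.ZoneName) allows nonsecure dynamic updates; switching to Secure"
        Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure
    }
```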

Now let's configure the DHCP service. Launch the snap-in.

First, set the full range of addresses from which leases will be issued to clients. Choose Action -> New Scope. The New Scope Wizard starts. Enter the scope name.

Next, specify the start and end addresses of the range.

Next, add the addresses to exclude from distribution to clients. Click Next.

On the Lease Duration screen, change the lease time from the default if required. Click Next.

Then confirm that we want to configure the DHCP options now: Yes, I want to configure these options now.

Specify in turn the gateway, the domain name and the DNS server addresses, skip WINS, and finally agree to activate the scope: Yes, I want to activate this scope now. Finish.


For the DHCP service to operate safely, configure a dedicated account for dynamic updates of DNS records. This is needed for two reasons: first, so that client records are not registered in DNS under a domain administrative account, which could be abused; second, so that with DHCP failover, when the main server fails, the second server can update the same records, which requires both servers to use the same account. To meet these conditions, in the Active Directory Users and Computers snap-in create an account named dhcp and select the option Password Never Expires.

Give the account a strong password and add it to the DnsUpdateProxy group. Then make DnsUpdateProxy the account's primary group and remove it from Domain Users (the order matters: an account cannot be removed from its current primary group). The account is then responsible solely for dynamic record updates and has no access to any resource that ordinary domain membership would grant. One caveat: never add a domain controller's computer account to DnsUpdateProxy, because records registered by members of that group are created unsecured, and the DC's own records could then be overwritten by any client.

Click Apply, then OK. Open the DHCP console again and go to the IPv4 properties, Advanced tab.

Click Credentials and specify our DHCP user there.

Click OK and restart the service.

We will return to the DHCP settings when configuring DHCP failover, but for that we first need to bring up the domain controllers.
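The DHCP scope and the dedicated dynamic-update account from the sections above, done with the DhcpServer and ActiveDirectory modules. This is an added example, not part of the original article. It assumes the domain corp.example.com (NetBIOS CORP), the DC/DNS server at 192.168.0.11, the gateway 192.168.0.254, a scope of 192.168.0.100-250 with the first twenty addresses excluded, and that the DHCP role is already installed on the server it runs on. It also enables DHCP name protection, which the text does not mention: with it, a client cannot register a name that another machine already registered.

```powershell
# Added example (not from the article): DHCP scope, least-privilege DNS update account, binding.
# Assumptions: corp.example.com / CORP, DNS 192.168.0.11, gateway 192.168.0.254, DHCP role installed.
Import-Module ActiveDirectory, DhcpServer

$Domain  = "corp.example.com"
$Netbios = "CORP"
$Dns     = "192.168.0.11"
$Router  = "192.168.0.254"

# 1. Scope, exclusions, lease and options (the pages of the New Scope Wizard).
Add-DhcpServerv4Scope -Name "Office LAN" -StartRange 192.168.0.100 -EndRange 192.168.0.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.0.0 -StartRange 192.168.0.100 -EndRange 192.168.0.119
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -Router $Router -DnsServer $Dns -DnsDomain $Domain

# 2. Dedicated account that owns client DNS records instead of an administrator.
$Pwd = Read-Host -AsSecureString "Password for the dhcp service account"
New-ADUser -Name "dhcp" -SamAccountName "dhcp" -UserPrincipalName "dhcp@$Domain" `
    -Description "DHCP dynamic DNS update account" -AccountPassword $Pwd `
    -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
Add-ADGroupMember -Identity "DnsUpdateProxy" -Members "dhcp"
# An account cannot leave its primary group, so make DnsUpdateProxy primary first,
# then drop Domain Users so the account carries no general domain rights.
$Token = (Get-ADGroup -Identity "DnsUpdateProxy" -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity "dhcp" -Replace @{ primaryGroupID = $Token }
Remove-ADGroupMember -Identity "Domain Users" -Members "dhcp" -Confirm:$false

# 3. Make the DHCP server register records as that account (Advanced tab -> Credentials),
#    always update A/PTR, clean up on lease expiry, and protect names with DHCID records.
$Cred = New-Object System.Management.Automation.PSCredential("$Netbios\dhcp", $Pwd)
Set-DhcpServerDnsCredential -Credential $Cred
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true -NameProtection $true
Restart-Service DHCPServer

# 4. Authorize the server in AD (an unauthorized DHCP server in a domain will not lease)
#    and verify the result.
Add-DhcpServerInDC -DnsName "dc1.$Domain" -IPAddress $Dns
Get-DhcpServerDnsCredential
Get-DhcpServerv4DnsSetting
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, State, LeaseDuration
```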

In the previous article we covered the minimum of theory you need to know before deploying Active Directory Domain Services. Today we begin the practical part of the series, in which we take a closer look at creating a domain and moving the network to it. Let's start at the beginning: in this article we show how to deploy domain controllers properly.

Before putting your plans into practice, pause and check a few small things once more. They very often escape the administrator's eye and cause serious difficulties later, especially for beginners.

  • Give the future domain controller a human-readable name such as SRV-DC01, not WIN-VAGNTE3N62T.
  • Configure the network adapter with a static IP address.
  • Rename the built-in Administrator account, using Latin characters only.

Installing the role alone does not make the server a domain controller. For that you need to run the Active Directory Domain Services Installation Wizard, which you are prompted to do at the end of the installation; you can also start it later by running dcpromo.exe (on Windows Server 2012 and later, dcpromo is deprecated and the wizard is started from Server Manager instead).

We will not go through all of the wizard's settings in detail, only the key ones. Note that the wizard shows a fair amount of reference information along the way, and we recommend reading it carefully.

Since this is our first domain controller, select Create a new domain in a new forest.

The next step is entering the domain name. It is not recommended to give the AD domain the same name as your external Internet domain, nor to use non-existent top-level zones such as .local or .test. The best option for an AD domain is a subdomain of your external Internet namespace, for example corp.example.com. Since our domain is used only for testing within the lab, we named it interface31.lab, although the correct choice would have been lab.site.

Then specify the forest functional level; we already discussed this in the previous part and will not go into details.

A very important point: set the administrator password for Directory Services Restore Mode and record it in a safe place. Ideally you will never need it, but it is much worse if you need it and cannot remember it.

In the next window, double-check everything you entered, and then start configuring domain services. Remember that from this moment nothing can be changed or corrected; if you made a mistake somewhere, you will have to start over. While the wizard configures domain services, you can go and pour yourself a cup of coffee.

After the wizard finishes, restart the server. If everything was done correctly, you now have your first domain controller, which also acts as the DNS server for your network. Here another subtle point arises: this server holds the records for all objects in your domain, and queries for names in other domains that it cannot resolve are passed on to upstream servers, the so-called forwarders.

By default, the DNS server addresses from the network connection properties are used as forwarders. To avoid all sorts of network failures later, explicitly specify reachable servers on the external network. To do this, open the DNS snap-in from Server Manager and select Forwarders for your server. Specify at least two reachable external servers; these can be your provider's servers or public DNS services.

Also pay attention to the DNS client settings of a domain controller that is itself a DNS server. While it is the only DC, 127.0.0.1 (the loopback address) is the correct entry. Once a second DC exists, point each DC first at the other DC and list its own address (or loopback) only second: that way a DC does not depend solely on its own DNS service being up during startup, which is also what the Best Practices Analyzer checks for.

Having created your first domain controller, do not put off deploying the second: without it your AD structure cannot be considered complete or fault-tolerant. Again make sure the server has a human-readable name and a static IP address, specify the first controller's address as its DNS server, and join the machine to the domain.

After the reboot, log in as a domain administrator, install the Active Directory Domain Services role and run the wizard again. There are no fundamental differences when setting up the second controller, except that you answer fewer questions. First of all, indicate that you are adding a domain controller to an existing domain.

As we said, we recommend making this server a DNS server and a Global Catalog as well. Remember that without a reachable global catalog domain logons can fail, so it is good practice to have at least two global catalogs and to add a GC to every new domain and AD site.

The rest of the settings are identical. After checking everything again, start deploying the second controller, during which the corresponding services are configured and the directory is replicated from the first controller.

After the second controller is installed, you can proceed to configuring domain services: create users, assign them to groups and organizational units, configure group policies, and so on. This can be done on any domain controller via the corresponding items in the Tools (Administration) menu.

The next step is joining user PCs and member servers to the domain and migrating users' environments to domain accounts; we will cover this in the next part.

As you know, Active Directory Domain Services (AD DS) runs on a server called a domain controller (DC). Dozens of additional controllers can be added to an AD domain for load balancing, fault tolerance, reducing the load on WAN links, and more. All domain controllers must hold the same set of user accounts, computer accounts, groups and other LDAP directory objects.

For this to work, all domain controllers synchronize and copy information among themselves. When you add a new domain controller to an existing domain, the controllers replicate data with each other automatically. If the new domain controller and the existing DC are in the same site, replication between them is straightforward. If the new DC is at a remote site, automatic replication is less efficient, since it goes over slow WAN links, which are usually expensive and offer little bandwidth.

In this article, we will show you how to add an additional domain controller to an existing Active Directory domain ().

Add an additional domain controller to an existing AD domain

First of all, we need to install the Active Directory Domain Services role on the server that will be the new DC.

Installing the ADDS Role

First of all, open the Server Manager console. When it opens, click Add roles and features to open the Add Roles and Features Wizard.

Skip the "Before you Begin" page. Select "Role-based or feature-based installation" and click "Next". On the Server Selection page, click Next again.

Choose the Active Directory Domain Services role. In the window that opens, click the Add Features button to add the required Active Directory management tools.

When the installation completes, restart the server, log in as an administrator and follow the steps below.

Configuring an additional domain controller

Now, in Server Manager, click the link "Promote this server to a domain controller".

Select "Add a domain controller to an existing domain" and specify the name of your AD domain below. If you are logged in as a regular user, change the credentials to a domain administrator's. Click the "Select" button; a new window opens; select your domain name, click "Ok", then "Next".

On the Domain Controller Options page, choose whether to install the DNS Server role on your DC, and select the Global Catalog option. Enter and confirm the administrator password for DSRM mode, then click Next.

On the Additional Options page, specify the server from which the initial replication of the Active Directory database will be performed (the schema and all directory objects are copied from it). Alternatively, you can take a snapshot of the current Active Directory state on one of the domain controllers and apply it on the new machine, after which the new server's AD database is an exact copy of the existing controller's. Read more about Install From Media (IFM), installing a new DC from media, in one of the following articles ():

Nothing needs to be changed on the Paths and Review Options pages; skip them by clicking Next. On the Prerequisites Check page, if you see any error, resolve it and meet all the requirements, then click the Install button.

Configuring Replication Between New and Existing Domain Controller

We are almost done. Now let's check and force replication between the primary DC (DC01..site) and the new one. During replication the Active Directory database is copied from DC01..site; after it completes, all data of the root domain controller is present on the new domain controller.

In Server Manager, select the Tools menu, then Active Directory Sites and Services.

In the left pane, expand Sites -> Default-First-Site-Name -> Servers. Both DCs are in the same AD site (which implies that they are on the same subnet or on networks connected by a high-speed link). Select the server you are currently working on and click NTDS Settings. In my case DC01 is the root domain controller, and the console is running on DC02, which will be the additional domain controller.

Right-click the connection object named "automatically generated" and click Replicate Now. A message appears that replication is starting between the root domain controller and the new domain controller.

Do the same for DC01: expand DC01, click NTDS Settings, right-click "automatically generated" and click "Replicate Now". Both servers now replicate with each other, and all content from DC01 is copied to DC02.
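The same second-controller deployment and replication check from PowerShell, as an added example that is not part of the original article. It assumes the domain corp.example.com (NetBIOS CORP), the existing DC01 at 192.168.0.11, the new server DC02 at 192.168.0.12 with adapter "Ethernet", that WinRM is enabled on DC01 (the Windows Server 2012 default), and that it is run on DC02 as a domain administrator. Beyond the text it also sets the DNS client order on both DCs (partner first, itself second) and queries replication metadata rather than only triggering a sync.

```powershell
# Added example (not from the article): additional DC with DNS + GC, then replication checks.
# Assumptions: corp.example.com / CORP, DC01 = 192.168.0.11, DC02 = 192.168.0.12, adapter "Ethernet".
Import-Module ServerManager
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

Import-Module ADDSDeployment
$DomainName = "corp.example.com"
$DsrmPwd = Read-Host -AsSecureString "DSRM administrator password for DC02"
$Params = @{
    DomainName                    = $DomainName
    Credential                    = (Get-Credential "CORP\Administrator")
    SiteName                      = "Default-First-Site-Name"
    ReplicationSourceDC           = "dc01.$DomainName"   # the "Additional Options" page
    InstallDns                    = $true
    NoGlobalCatalog               = $false               # the Global Catalog checkbox
    SafeModeAdministratorPassword = $DsrmPwd
    Force                         = $true
}
$Check = Test-ADDSDomainControllerInstallation @Params
$Check.Message | ForEach-Object { Write-Host $_ }
if ($Check.Status -ne "Success") { throw "Prerequisite check failed; see the messages above." }
Install-ADDSDomainController @Params   # reboots DC02 when done

# --- Run after the reboot ---
# DNS client order on each DC: partner first, itself (loopback) second, so that a DC
# never depends solely on its own DNS service while it is starting up.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.0.11, 127.0.0.1
Invoke-Command -ComputerName dc01 {
    Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.0.12, 127.0.0.1
}

# Force replication of all partitions in both directions (the "Replicate Now" menu item).
repadmin /syncall DC02 /AeP
repadmin /syncall DC01 /AeP
repadmin /replsummary

# Per-partner metadata: LastReplicationResult must be 0 and LastReplicationSuccess recent.
Get-ADReplicationPartnerMetadata -Target DC02 |
    Format-Table Server, Partner, LastReplicationSuccess, LastReplicationResult
Get-ADReplicationFailure -Target DC01, DC02 -Scope Server

# Both DCs should be global catalogs, and both should advertise GC through DNS SRV records.
Get-ADDomainController -Filter * | Format-Table Name, IPv4Address, IsGlobalCatalog, Site
Resolve-DnsName -Name "_gc._tcp.$DomainName" -Type SRV
```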

An essential element of an effective corporate network is an Active Directory domain controller, which manages many services and provides many benefits.

There are two ways to build an IT infrastructure: properly, and ad hoc, when only the minimum effort is made to solve problems as they arise, without building a clear and reliable infrastructure. An example of the latter is a peer-to-peer network across the whole organization with shared access to all the files and folders anyone needs, and no way to control what users do.

Obviously this path is undesirable, since in the end you will have to dismantle the chaotic jumble of systems and organize it properly; otherwise it will stop functioning, and your business along with it. So the sooner you make the only right decision, building the corporate network around a domain controller, the better for your business in the long run. Here is why.

"A domain is the basic unit of a Windows-based IT infrastructure: a logical and physical association of servers, computers, equipment and user accounts."

A domain controller (DC) is a separate server running a Windows Server OS with Active Directory services, which a large amount of enterprise software requires for administration. Examples of such software are the Exchange mail server, the cloud Office 365 suite and other enterprise-grade software environments from Microsoft.

In addition to ensuring the correct operation of these platforms, a DC provides businesses and organizations with the following benefits:

  • Terminal server deployment. Lets you save significant resources and effort by replacing the constant renewal of office PCs with a one-time investment in thin clients that connect to a powerful central server.
  • Enhanced security. A DC lets you set password policies and force users to choose stronger passwords than their date of birth, qwerty or 12345.
  • Centralized access control. Instead of updating passwords manually on each computer, the DC administrator can change or reset them centrally, and disable an account everywhere, in one operation from one computer.
  • Centralized Group Policy management. Active Directory tools let you create group policies and set access rights to files, folders and other network resources for specific groups of users. This greatly simplifies setting up new user accounts or changing the settings of existing profiles.
  • Single sign-on. Active Directory supports single sign-on: after entering the domain username and password, the user is automatically authenticated to other services such as mail and Office 365.
  • Computer configuration templates. Configuring each computer added to the corporate network can be automated with templates. For example, special rules can centrally disable CD drives, USB ports, certain network ports, and so on. Instead of configuring a new workstation by hand, the administrator simply adds it to a certain group, and all the rules for that group are applied automatically.

As you can see, configuring an Active Directory domain controller brings numerous benefits to businesses and organizations of all sizes.

When to Implement an Active Directory Domain Controller in a Corporate Network?

We recommend considering a domain controller for your company once more than 10 computers are on the network, since it is much easier to set the necessary policies for 10 computers than for 50. The role itself is not resource-intensive, so modest server hardware is enough; the server should nevertheless be dedicated to this role and not shared with other applications, because whoever controls a domain controller controls every account in the domain.

Remember, however, that this server stores the domain user database, including password hashes, along with the structure of user rights and the group policies. To keep the domain available you need a second domain controller with which data is continuously replicated; this is faster, easier and more reliable with server virtualization, for example when the corporate network is hosted in the cloud. One caveat: a virtualized DC must never be rolled back to a snapshot or cloned on a hypervisor without VM-Generation ID support, because that causes USN rollback and silently breaks replication; redundancy comes from a second replicating DC, not from snapshot copies. A properly built setup avoids the following problems:

  • Incorrect DNS server settings, which lead to failures locating resources on the corporate network and the Internet
  • Incorrectly configured security groups, leading to wrong user access rights to network resources
  • Unsupported OS versions: each version of Active Directory supports particular versions of the Windows desktop OS on clients
  • Missing or incorrectly configured replication of data to the second domain controller.
