Active Directory in Windows Server 2016

What is Active Directory?

If you are new to Active Directory, I guess the first question you have is: what is Active Directory? At the most basic level, Active Directory is a hierarchical database that keeps track of user accounts, computers, certificates, security policies, and other resources in a computer network. Before AD was created by Microsoft, computers were standalone devices and hard to manage. For example, imagine it is 1998, you are the systems administrator for a company of 300 people, and you need to install a new printer for all employees in the office. How would you do that? Because all computers are standalone, you would have to install the driver for the new printer on all 300 computers manually, one by one. That is a lot of work to accomplish a simple thing. A lot of things that we systems administrators take for granted today, like file and print sharing, network group policies, etc., weren't possible before Active Directory. So in essence, AD is just that: a hierarchical database that makes it easier to manage user accounts, computers, and other network resources from a single location.

How does Active Directory work?

The way I have always pictured AD is as a phone book. A phone book matches names to phone numbers; Active Directory matches user accounts to network objects and resources. Unlike a phone book, though, AD can keep information about organizations, sites, systems, users, shares, and many other things, so AD is more flexible than a phone book, but the concept is similar. One significant difference is that AD saves objects in a hierarchical order, and all objects are unique. That is why a domain name is required when installing AD: all objects in a domain forest are "subdomains" or children of the top domain. For example, if I create a user called "ayyu" in my AD it will be saved as "[email protected]"; if you try to create the same account again, you will get an error saying there is already an object in the network with the same name.

Active Directory Components

When discussing or learning Active Directory there are some terms you need to be familiar with:

  • Domain Controller: a domain controller is the server where AD is installed. Sometimes the terms Active Directory and Domain Controller are used interchangeably.
  • Forest: a forest is the highest level of the logical structure hierarchy. An Active Directory forest represents a single self-contained directory. A forest is a security boundary, which means that administrators in a forest have complete control over all access to information that is stored in the forest and to the domain controllers that are used to implement the forest.
  • Tree: trees are a cohesive group of domains, known as subdomains or child domains, that grow from a root domain. All the domains within a tree share a contiguous namespace.
  • Schema: the Active Directory schema contains definitions for all the objects that are used to store information in the directory. There is one schema per forest.
  • Operations masters or FSMO roles: there are many FSMO roles in AD, but the most popular ones are the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) roles. The Primary Domain Controller maintains the master copy of the directory database and validates users. A Backup Domain Controller contains a copy of the directory database and can validate users. If the PDC fails, a BDC can be promoted to PDC. Data loss can happen if there are changes that have not yet been replicated from the PDC to the BDC. A PDC can be demoted to a BDC if one of the BDCs is promoted to PDC.
  • Global Catalog (GC) Server: the global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
  • DNS: AD relies heavily on the DNS system too, which is why you can't install Active Directory without choosing a domain name first. Unlike a website, the domain you choose when installing Active Directory does not need to be unique, but if you have a public domain name it is recommended to use the same name when installing AD. For example, if your public website is ittutorials.net then your AD domain name could be "ad.ittutorials.net" or something similar. This domain name becomes your "domain forest" once the AD component is installed successfully on the server. AD requires a DNS server, but if you don't already have one when installing AD you can choose to make that server a DNS server as well. If you are setting up Active Directory for a production environment, it is always recommended to set up at least two domain controllers.
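The components above can be checked against a live forest from PowerShell. The following is an added example, not code from the original post; it assumes the ActiveDirectory and DnsClient modules are available (they are on a domain controller or with RSAT) and that the session is running as a domain user. The domain and forest names are read from AD rather than assumed.

```powershell
# Added example, not from the original post: report the components described
# above as the live forest sees them. Assumes the ActiveDirectory and DnsClient
# modules (present on a domain controller or with RSAT) and a domain-joined
# session; the domain and forest names are read from AD, not assumed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest: the security boundary. There is one schema per forest, and the
# schema master is the single DC allowed to change it.
"Forest root domain    : $($forest.RootDomain)"
"Domains in the forest : $($forest.Domains -join ', ')"
"Schema master         : $($forest.SchemaMaster)"
"Domain naming master  : $($forest.DomainNamingMaster)"

# Domain-level operations masters (FSMO roles). The PDC emulator is the role
# the list above refers to as the Primary Domain Controller.
"PDC emulator          : $($domain.PDCEmulator)"
"RID master            : $($domain.RIDMaster)"
"Infrastructure master : $($domain.InfrastructureMaster)"

# Global catalog servers hold the partial, forest-wide replica used for searches.
"Global catalog servers: $($forest.GlobalCatalogs -join ', ')"

# Every DC in this domain, which site it serves and whether it is also a GC.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# DNS dependency: clients find domain controllers through these SRV records,
# so a DC that is not registered here is effectively invisible to logons.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction Stop |
    Where-Object Type -eq 'SRV'
"DCs registered in DNS : $(($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ')"
```

Comparing the SRV targets with the DC list is a quick way to spot a domain controller whose DNS registration has failed.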

Active Directory Roles in Windows Server 2016

So far we have focused almost entirely on the Domain Services role, which is the role AD is mostly identified by. But in Windows Server 2016, as in previous Windows Server versions, there are five individual roles that make up Active Directory:

Active Directory Roles

  • Federation Services (AD FS): this role is necessary if you need to authenticate applications or services outside your network. For example, a few months ago we signed up for Facebook Workplace, and we wanted to authenticate users against our AD. Using this role I was able to connect the application using SSO and the SAML protocol.
  • Lightweight Directory Services (AD LDS): most of us are familiar with this role because we use LDAP a lot. When Kerberos authentication is not possible, we rely on LDAP to authenticate applications or services against AD.
  • Certificate Services (AD CS): this role is responsible for managing certificates and other cryptographic components in your network. When you install a certificate in your network, you use this role.
  • Rights Management Services (AD RMS): this role provides persistent data protection by enforcing data access policies. For documents to be protected with AD RMS, the application the document is associated with must be RMS-aware.
  • Domain Services (AD DS): this is the main role in Active Directory. It stores and manages information about the network resources.

There are interesting new features now made available in Windows Server 2016 such as time-based group membership, privileged access management, and others. Most will be covered in future posts. This post will detail how to install Active Directory on Windows Server 2016.

Before installing AD, however, it is important to understand the minimum requirements for Windows Server 2016. Details are as follows:

Processor

• 1.4 GHz 64-bit processor
• Compatible with x64 instruction set
• Supports NX and DEP
• Supports CMPXCHG16b, LAHF/SAHF, and PrefetchW
• Supports Second Level Address Translation (EPT or NPT)

Coreinfo is a tool you can use to confirm which of these capabilities your CPU has.

RAM

• 512 MB (2 GB for Server with Desktop Experience installation option)
• ECC (Error Correcting Code) type or similar technology

Storage controller and disk space requirements

Computers that run Windows Server 2016 must include a storage adapter that is compliant with the PCI Express architecture specification. Persistent storage devices on servers classified as hard disk drives must not be PATA. Windows Server 2016 does not allow ATA/PATA/IDE/EIDE for boot, page, or data drives.

The following are the estimated minimum disk space requirements for the system partition.

Minimum: 32 GB

Network adapter requirements

Minimum:

• An Ethernet adapter capable of at least gigabit throughput
• Compliant with the PCI Express architecture specification
• Supports Pre-boot Execution Environment (PXE)

A network adapter that supports network debugging (KDNet) is useful, but not a requirement.

For my demo, I am using a virtual server with Windows Server 2016 Datacenter. In order to set up Active Directory, we need to log in as a local administrator. The first thing to check is the IP address configuration.

1) Once Active Directory is set up on the server, it is also going to act as a DNS server. Therefore, change the DNS settings on the network interface and set the server's own IP address (or the localhost IP 127.0.0.1) as the primary DNS server.

2) Then open Server Manager. Go to PowerShell (as administrator), type ServerManager.exe and press Enter,

or click on the Start button and then click on Server Manager.

3) In Server Manager, click on Add roles and features.

4) This opens the Add Roles and Features Wizard. Click Next to proceed.

5) In the next window, keep the default and click Next.

6) Since this is going to be a local server, keep the default selection in the next window.

7) In the next window, tick the box for Active Directory Domain Services in the roles list. It will then prompt to show you the features associated with the role. Click Add Features to add them, then click Next to continue.

8) On the Features page, keep the defaults and click Next to proceed.

9) The next window gives a brief description of the AD DS service. Click Next to proceed.

10) It will then ask for confirmation of the install; click Install to start the role installation process.

11) Once confirmed, the installation process starts.

12) Once the installation completes, click the option Promote this server to a domain controller.

13) This opens the Active Directory Domain Services Configuration Wizard. In my demo, I am going to set up a new forest, but if you are adding this server to an existing domain you can choose the relevant option. (I am going to write a separate article to cover how you can upgrade from an older version of Active Directory.) Select the option to add a new forest and type the FQDN for the domain. Then click Next.

14) On the next page, you can select the domain and forest functional levels. I am going to set them to the latest. Then type a password for DSRM (Directory Services Restore Mode) and click Next.

15) For the DNS options, this is going to be the first DNS server in the new forest, so no modifications are needed. Click Next to proceed.

16) For the NetBIOS name, keep the default and click Next.

17) The next page is to define the NTDS, SYSVOL and log file folders. You can keep the defaults or define a different path for these. In the demo, I keep the defaults. Once changes are done, click Next to continue.

18) The next page gives the option to review the configuration changes. If everything is okay, click Next to proceed; otherwise go back and change the settings.

19) In the next window, it runs the prerequisite check. If all is good, it enables the Install option. Click Install to begin the installation process.

20) The installation process starts.

21) After the installation, the system restarts automatically. Once it comes back, log into the server as a domain admin.

22) Once logged in, open PowerShell (as administrator), type dsac.exe and press Enter. This opens the Active Directory Administrative Center, where you can start managing resources.

23) You can also run Get-ADDomain | FL Name, DomainMode and Get-ADForest | FL Name, ForestMode from PowerShell to confirm the domain and forest functional levels.
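The same forest build as the wizard steps above, scripted rather than clicked, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the server being promoted; the interface alias Ethernet and the forest name ad.example.local are constructed placeholders, and the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example (not from the original post): the wizard steps above, run from
# an elevated PowerShell session on the server being promoted.
# Assumed values, change them for your network: interface alias and forest FQDN.
$InterfaceAlias = 'Ethernet'            # constructed placeholder
$DomainName     = 'ad.example.local'    # constructed placeholder

# Step 1: the server will be its own DNS server, so point the DNS client at itself.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses 127.0.0.1

# Steps 3-11: install the AD DS role with its management tools (the wizard's
# "Add features" prompt) in one call.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 14: the DSRM (Directory Services Restore Mode) password, prompted rather
# than written into the script.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

# Steps 13-17 as parameters: new forest, latest functional levels (WinThreshold
# is the Windows Server 2016 level), DNS installed alongside (step 15), NetBIOS
# name derived as the wizard does from the first DNS label (step 16), default
# NTDS/SYSVOL/log paths (step 17).
$params = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $DomainName.Split('.')[0].ToUpper()
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true   # suppress the confirmation prompt (step 18)
}

# Step 19: run the same prerequisite check the wizard runs, and stop on failure.
$check = Test-ADDSForestInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check did not pass; fix the reported items before promoting.'
}

# Step 20: promote the server. It reboots on its own when done (step 21).
Install-ADDSForest @params

# Step 23, after logging back in as a domain admin: confirm the functional levels.
#   Get-ADDomain | Format-List Name, DomainMode
#   Get-ADForest | Format-List Name, ForestMode
```

Keeping the DSRM password out of the script matters because that password is a local recovery credential for the directory database itself.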

Summary

AD is a very complex system and it takes a while to wrap your head around it. Understanding it takes time and a lot of hands-on experience. A lot of the things we do as systems administrators involve AD one way or another, be it group policy, permission and access management, LDAP authentication, etc. I hope you find this tutorial useful.
