Thursday, 4 September 2014

Building your first Windows Domain Controller

Are you a first-time admin for a Windows network? Do you want to learn how to build an AD domain and attach PCs to it? What about pushing policies and updates?

I'm in the same situation: the number of Windows VMs I manage has been slowly increasing. This meant that I was repeating the same tasks on each VM. Adding a Windows Domain Controller will allow me to offload some of this repetition by setting domain policies.

Here's how to begin your first Windows domain network.
Choosing an Active Directory name
The AD domain name is also the name of the forest. The forest root name is a Domain Name System (DNS) name that consists of a prefix and a suffix in the form of prefix.suffix. For example, an organization might have the forest root name In this example, corp is the prefix and is the suffix.

Select the suffix from a list of existing names on your network. For the prefix, select a new name that has not been used on your network previously. By attaching a new prefix to an existing suffix, you create a unique namespace. Creating a new namespace for Active Directory Domain Services (AD DS) ensures that any existing DNS infrastructure does not need to be modified to accommodate AD DS.

There are a number of options for what should be done. This post discusses each one and lets you make the decision for yourself. I decided to use option 2, using a subdomain off my public domain.
Building the domain controller
This post by Brad Held is the best one I've ever read. I didn't have much experience with Windows networking and this post helped quite a lot.

Creating an alternative (easy-to-remember) Active Directory name
My choice for the AD name above was quite long, and this post described how to set a more friendly name.

Add the first user to the domain

  • Log in to the domain controller using the local admin account
  • Run the Active Directory Users & Computers tool
  • Click on the Users folder and add a new user
  • Make the user a member of the Domain Users (default) and Domain Admins groups

Add the first PC to the domain (for initial testing)

  • Log in to the PC as the local admin account
  • Change the DNS settings to point to the new domain controller (if you have a DHCP server, make the change there so everyone else gets it)
  • Right-click Computer and change from workgroup to domain
  • Provide the domain name and the credentials for the admin account created above

Start configuring Domain Policies
Here is a good page which describes how to set up your first policy.

Some policies I'm setting up:

Now you can begin the following tasks:

  • Adding users
  • Adding PCs

  • One thing to consider is that you might want to organize your AD tree so that you can group computers/users in easily recognizable structures. For example:

    • AD Forest (
      • Computers (Default, where all new PCs are stored when added to the domain)
      • Users (Default where all users can live)
      • Resources (A name I used but it could be anything you like)
        • Site A (Site / Office Name)
          • Computer (Computers at this site)
          • Users (Users at this site)
        • Site B (Site / Office Name)
          • Computer (Computers at this site)
          • Users (Users at this site)
    As you add users and PCs to the domain, drag-and-drop them into the correct folders in the Resources section.

    For me this has the benefit of identifying users and hardware by geographical location. I can then apply policies / updates / software on a "per office" basis.
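The three procedures above (add the first user, join a PC, lay out the Resources OU tree) done from PowerShell instead of the GUI, as an added example that is not code from the original post. It assumes the ActiveDirectory module (RSAT) is present on the domain controller; the site names, the user name 'firstadmin', the domain 'corp.example.com' and the DC address 10.0.0.10 are placeholders.

```powershell
# Added example, not from the original post. Steps 1-3 run on the domain
# controller (ActiveDirectory module from RSAT); step 4 runs on the PC.
# Placeholders: site names, user 'firstadmin', domain corp.example.com, DC 10.0.0.10.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$sites    = @('Site A', 'Site B')              # site / office names (placeholders)

# 1. Resources OU with one OU per site, each holding Computers and Users.
#    Accidental-deletion protection is off so the tree can be torn down while testing.
$resourcesDN = "OU=Resources,$domainDN"
New-ADOrganizationalUnit -Name 'Resources' -Path $domainDN -ProtectedFromAccidentalDeletion $false
foreach ($site in $sites) {
    New-ADOrganizationalUnit -Name $site -Path $resourcesDN -ProtectedFromAccidentalDeletion $false
    foreach ($child in @('Computers', 'Users')) {
        New-ADOrganizationalUnit -Name $child -Path "OU=$site,$resourcesDN" `
            -ProtectedFromAccidentalDeletion $false
    }
}

# 2. First user, created straight into Site A's Users OU and added to Domain Admins
#    as in the steps above. The password is prompted for, never stored in the script.
$userOU = "OU=Users,OU=Site A,$resourcesDN"
New-ADUser -Name 'firstadmin' -SamAccountName 'firstadmin' -Path $userOU `
    -AccountPassword (Read-Host -AsSecureString 'Password for firstadmin') -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'firstadmin'

# 3. Verify: list every OU under Resources and the new user's group memberships.
Get-ADOrganizationalUnit -Filter * -SearchBase $resourcesDN |
    Select-Object -ExpandProperty DistinguishedName
Get-ADPrincipalGroupMembership -Identity 'firstadmin' | Select-Object -ExpandProperty Name

# 4. On the PC (not the DC): point DNS at the new DC, then join the domain directly
#    into Site A's Computers OU so no drag-and-drop is needed afterwards.
#    Adjust the interface alias, DC address and domain for your network.
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10'
# Add-Computer -DomainName 'corp.example.com' -Credential (Get-Credential) `
#     -OUPath 'OU=Computers,OU=Site A,OU=Resources,DC=corp,DC=example,DC=com' -Restart
```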
