Getting started with Server Core. Part 2 – Joining a domain or becoming a domain controller

Joining an existing domain

Follow the steps below to join your server to an existing domain as a member server (not as an additional domain controller).

Sconfig

The Server Configuration tool (Sconfig.cmd) can also be used to join your server to an existing Active Directory domain. Before you go ahead and join a domain, make sure that your DNS servers are set correctly, which can also be done with sconfig.

sconfig

Command Prompt & PowerShell

You can also join a domain using Windows PowerShell.

The -Restart parameter instructs the target computer to restart automatically if a restart is required to complete the operation.

Installing Active Directory

First you need to install the Active Directory Domain Services role using the Install-WindowsFeature command.

Before we go ahead and promote this server to be the first domain controller in our new forest, let's talk about choosing your Active Directory domain name.

Choosing your Active Directory domain name

Please do not use a domain name ending in .local, such as mycompany.local, as your Active Directory domain name, or any other non-existent TLD such as .corp or .lan. There is absolutely no security benefit to doing this, and one of the biggest problems it causes is that certificate vendors will not issue an SSL certificate for an address with a made-up TLD.

You also want to avoid your Active Directory domain being identical to your company's Internet domain, e.g. mycompany.com. Doing this forces you to configure split DNS, which adds unnecessary complexity to your internal DNS.

If you go with any of the above options, I promise you WILL regret it later on! Renaming a domain in a production environment at a later stage is exceptionally challenging, if it is practical at all.

Best practice is to use a sub-domain of your company's registered Internet domain name. So if your Internet domain name is mycompany.com, use ad.mycompany.com or corp.mycompany.com. You don't have to set up a delegation on your public DNS infrastructure, because for security reasons you want your Active Directory domain to resolve internally only.

Installation of the first domain controller in a new forest

To install the first domain controller in a new forest:

The -DomainName parameter specifies the fully qualified domain name (FQDN) for the root (first) domain in the forest.
The -DomainNetBIOSName parameter specifies the NetBIOS name for the root domain in the new forest.
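As an added example (not part of the original post), the script below checks a proposed AD domain name against the naming guidance above, installs the role, and runs the built-in pre-flight check before promoting. The public domain mycompany.com, the AD name corp.mycompany.com and the NetBIOS name CORP are assumed values; the list of made-up TLDs contains only the ones named in the post and can be extended.

```powershell
# Added example, not from the original post. Assumes the registered public
# domain is mycompany.com and the proposed AD domain is corp.mycompany.com.

function Test-AdDomainNameChoice {
    param(
        [Parameter(Mandatory)][string]$ProposedName,  # e.g. corp.mycompany.com
        [Parameter(Mandatory)][string]$PublicDomain   # registered Internet domain
    )
    $proposed = $ProposedName.ToLowerInvariant().TrimEnd('.')
    $public   = $PublicDomain.ToLowerInvariant().TrimEnd('.')
    $problems = @()

    # Made-up TLDs from the post: public CAs will not issue certificates for them.
    $fakeTlds = @('local', 'corp', 'lan')
    $tld = ($proposed -split '\.')[-1]
    if ($fakeTlds -contains $tld) {
        $problems += "'.$tld' is not a real TLD; no public CA will issue a certificate for it."
    }

    # Same name as the public domain forces split DNS; anything that is not a
    # sub-domain of it gives up the benefits of a name you actually own.
    if ($proposed -eq $public) {
        $problems += "AD name equals the public domain $public; this requires split DNS."
    }
    elseif ($proposed -notlike "*.$public") {
        $problems += "AD name should be a sub-domain of $public, e.g. ad.$public."
    }
    return $problems   # empty result means the name follows the guidance
}

$adName  = 'corp.mycompany.com'   # assumed value
$netbios = 'CORP'                 # assumed value
$issues  = Test-AdDomainNameChoice -ProposedName $adName -PublicDomain 'mycompany.com'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; return }

# Install the AD DS role and tools (the step described above).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Prompt for the Directory Services Restore Mode password; never hard-code it.
$dsrm = Read-Host 'DSRM (Safe Mode Administrator) password' -AsSecureString

# Dry run: reports prerequisite errors without changing the server.
Test-ADDSForestInstallation -DomainName $adName -DomainNetBIOSName $netbios `
    -SafeModeAdministratorPassword $dsrm -InstallDns

# When the check is clean, promote for real (uncomment to run):
# Install-ADDSForest -DomainName $adName -DomainNetBIOSName $netbios `
#     -SafeModeAdministratorPassword $dsrm -InstallDns -Force
```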

There are other parameters too. To get more information on syntax:

It's normal to get a warning that Windows 2012 R2 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions. I'm pretty sure that you're not running NT4 in your environment anymore (if you are, I'd love to know why!), so this won't be an issue at all.

Your server will reboot, and you will then have your first domain controller up and running in your new domain.
