Microsoft Azure AZ-800 — Section 3: Deploy and manage AD DS domain controllers Part 3
20. Before proceeding with the next video
Now, I just wanted to give you a warning: in this next video I am going to be creating a domain controller, and the domain I'm going to set up is going to be called examlabpractice.com.
Now, if you are doing these steps with me, you may want to choose a domain name that is unique. You don't want to choose examlabpractice.com, because if you eventually do integrate this into the cloud, you don't want to have any kind of name conflict with me or anybody else.
So, I would recommend choosing a domain name that is unique to you and that you can experiment with.
So don't go with examlabpractice.com; go with a different domain name, just to be safe.
21. Deploy and manage domain controllers on-premises
We're now ready to go ahead and set up a Microsoft Active Directory domain. So here we are on the NYC-DC1 virtual machine running Server 2022. When you first go into it, you'll notice that it brings up Server Manager with this message here. For now, I'm going to close this. If you close out of Server Manager and you don't know how to get back in, all you've got to do is click Start; you'll see Server Manager right there and you can open it back up. And always remember, you'll see a little blue bar going by at the top. You want to wait for that blue bar to stop before you do anything, and sometimes Server Manager will throw a message telling you that you have to wait.
OK, so if you're wanting to set up Active Directory, there are a few things I want to look at. First, I want to click on Local Server, and when I click on Local Server, I can see that my computer name is currently this randomly generated name here.
OK? And I would like to change that name. I'm going to use a different name instead.
So we go ahead and click that name and then click Change. I'm just going to call this NYC-DC1. Currently I am part of a workgroup. If I were going to join a domain, I would choose Domain. But in my case, I'm going to be starting a domain, creating a domain.
So, we're just going to leave that alone and call it NYC-DC1. I'm going to click OK. It's going to tell me that I need to reboot my computer. Before we reboot, I'm going to say Restart Later and take a look at my IP information.
So from there you'll notice I have Ethernet, and it says the IPv4 address is assigned by DHCP. I'm going to click on that, right-click my Ethernet adapter and go to Properties, and I've got TCP/IP version 4 and version 6. For now, I'm just going to disable version 6; I don't want version 6 interfering with anything. (Strictly, Microsoft recommends leaving IPv6 enabled on Windows rather than unbinding it; I'm doing this only to keep the lab simple.) Then I'm going to go to Properties on version 4. Now, in the real world, normally I'm going to go with a static address and all that. The problem is, if anybody's doing this with me, I don't know what your static IP information is for the network you're on, so I'm just going to leave this set to obtain an address automatically. But for the DNS server, I'm going to point to 127.0.0.1. If you understand basic network concepts, you may know that's called the loopback address, and it basically allows the computer to point to itself for DNS. Keep in mind that while we're doing this, our server will not have any kind of internet access, but that's OK for what we're doing right now.
So, we're going to click OK and click Close. We're now officially ready to reboot our computer, so I'm going to go ahead and reboot the machine.
So, right-click Start, Shut down or sign out, Restart, and then I'm going to pause the video while it restarts. OK, the restart is complete, I've logged back on and I'm back in Server Manager. I'm going to go to the Manage menu here and click Add Roles and Features.
OK, so this is the welcome page of the Add Roles and Features Wizard. Essentially, what it's going to do is allow me to install different roles and features onto my server.
So it's just giving me some information here. I'm going to click Next.
Now it asks me whether this is going to be a role-based or feature-based installation or a Remote Desktop Services installation. Unless I'm doing something involving Remote Desktop Services, I'm going to choose the first option, role-based or feature-based installation. From there, it's going to let me select which server I'm installing on. Right now, it's just this one server. If I had a group of Windows servers in the server pool, I could actually install on multiple servers at the same time.
OK, but in my case, I'm just installing on this one machine for now, so I'm going to click Next on that. And from there, I can choose what I want.
OK, so to install Active Directory, the first thing that needs to happen is we need to install the Active Directory Domain Services role.
So it's this first option right here, Active Directory Domain Services. We're going to select that option and click Add Features when it asks to add the management tools. We're now officially ready to start installing Active Directory. Before we can configure our domain and set the domain up and all that stuff, the first thing we've got to do is install AD DS, so we're going to click Next. There are no additional features we need; we're just going to have the AD DS role installed. At this very moment I'm going to click Next. At that point, it's going to tell us that, hey, you can link this to Azure Active Directory in the cloud. I'm not going to get into that just this very moment. We just want to install the on-premises version of Active Directory on this machine.
So, we're going to click Next, click Install, and I'm going to pause the video while it installs. I've now got the Active Directory Domain Services role installed. I'm going to hit Close, and up at the top of the screen you'll notice there's a little yellow exclamation mark. I'm going to click that yellow exclamation mark and click Promote this server to a domain controller.
OK, so in our case, we are going to be setting up a whole new forest. A forest is a group of one or more domains, and a single domain by itself creates what's called a forest. A lot of people think you have to have lots of domains for it to be a forest, but a single domain can actually be a forest. Just to look at the other options real quick, you'll notice the first option says Add a domain controller to an existing domain.
So, if I already had a domain and I wanted to add this server to that existing domain and have it be a domain controller for that domain, I would choose that first option. The second option says Add a new domain to an existing forest.
So that means I'm going to set up a whole new domain that's going to be part of an existing forest. In my case, I don't even have a forest, so I need to start a forest.
So, we're going to say Add a new forest. And so what's the root domain name? It's going to be examlabpractice.com. This is the little domain I'm setting up to demonstrate with, so I'm going to click Next. At that point it asks what the functional level of your forest is. Not to get too deep into functional levels this very minute, but the idea of a functional level is that as time has gone on over the years since Active Directory came out, they've released new features.
Now, your Active Directory is really only as up to date as its oldest domain controller, so you're pinpointing what level your new forest and domain are going to operate at. As you can see, my forest functional level can go anywhere from Windows Server 2008 or higher. For my domain, it's going to default to Windows Server 2016 because I've only got one domain controller at this point, and it's a Server 2022 machine, and 2016 is the latest functional level it offers.
So, they hadn't added any new functional level between Windows Server 2016 and Windows Server 2022, which is why there isn't a newer functional level to pick here.
So as time has gone on, there have been new features that have been added, and essentially I'm telling my Active Directory just how up to date it can be.
OK.
So, if you had a group of domains in a forest and maybe one of the domains had a domain controller running Server 2008 or something, you'd have to choose a level that domain controller supports. It's really only domain controllers that matter when it comes to functional levels.
So right now I can be at the Windows Server 2016 functional level for my domain and still have, you know, a Server 2008 server in my domain, as long as it's not a domain controller. From there, it asks you to specify your domain controller capabilities. I want to have DNS installed; this server is going to host DNS for my domain. You absolutely must have a DNS server set up. And the second thing is the global catalog. The global catalog is a special role a domain controller holds: it keeps a partial, read-only copy of every object in every domain of the forest, and it's what gets used for things like resolving universal group membership at logon. Not to get too deep into global catalog servers right now, but that's the idea: it's a domain controller that holds information from across multiple domains in a forest. Now, in our case, we've only got one domain, so it's not a big deal. And then you could choose RODC, read-only domain controller. Of course, I can't set up a read-only domain controller until I've actually set up the domain,
so that is completely grayed out. I'm not going to get deep into RODCs right now either.
So understand that some things are going to get explained a little bit later.
OK, so here we go. Then it wants to know the DSRM password. That is the Directory Services Restore Mode administrator password. This password is used when you boot the domain controller into Directory Services Restore Mode, for example to restore Active Directory from backup. It's a local account on that one DC, not a domain account, so it still works when the directory itself is down.
So you're definitely going to want to remember this password. I'm going to enter a password now. And it is possible later down the road, if you want to change this password, to reset it on the DC with ntdsutil (set dsrm password, then reset password on server null), so it isn't set in stone.
OK, so I'm going to click Next. At that point it says a delegation for this DNS server cannot be created. That's because DNS is not installed on this server yet and there's no parent zone to delegate from. Active Directory should take care of all this for us.
So that's fine. We're going to go ahead and click Next on that. Then it's going to say, what do you want your NetBIOS name to be?
So your NetBIOS name is an old legacy name for older devices that need to be able to interact with your domain. Hopefully we don't have any older devices. When I say older devices, I'm talking about 1990s devices; instead of DNS, they would utilize what were known as NetBIOS names. NetBIOS names can only be up to 15 characters in length.
So the reason we're using this is just in case we had some older devices in our environment. To be honest with you, in the real world, once you set this up, it's a good idea to just completely disable NetBIOS over TCP/IP altogether if you don't have any older devices, because it is a bit of a security risk to continue allowing NetBIOS naming (NetBIOS name resolution is broadcast based and unauthenticated, so anyone on the local subnet can answer a name query and impersonate a host).
OK, so we're going to go ahead and click Next. It's going to go through and double-check that there isn't a NetBIOS name conflict out there on our network, and there is not.
So the next thing is it's going to ask us where our database, logs and SYSVOL are going to be.
So the Active Directory database is stored in a file called NTDS.dit, and that gets stored by default in the C:\Windows\NTDS folder. The logs are there as well. You have what are known as database transaction logs that record every change made to the Active Directory database, and you've got what's called the SYSVOL folder. The SYSVOL folder is where Group Policy information and logon scripts are stored. If you want better performance out of your domain controller, it's actually a good idea to store your database and logs on separate disks.
So put your database on one disk and put your logs on another. If you have two disks in your server, you get a slightly better performance boost out of your database and log interaction. All right, so now I'm going to click Next, and it's going to show me everything it's going to do. I would like to point out that you can see what it's doing is actually going to use PowerShell in the background to install Active Directory.
So, if we click View script, you can see the PowerShell commands that are actually being run. The first is Import-Module ADDSDeployment.
So, it's pulling the Active Directory deployment commands into memory. Then it's running the Install-ADDSForest command, meaning you're setting up a new forest. It sets the -CreateDnsDelegation parameter to $false; I'm not delegating anything here for DNS, it's actually installing DNS on this machine. It specifies the database path with the -DatabasePath parameter and the domain mode with -DomainMode, which is the highest functional level. You have the domain name examlabpractice.com, the NetBIOS name, and the forest mode, which is the latest functional level for the forest just like it is for the domain. It sets -InstallDns to $true, specifies the log path, and -NoRebootOnCompletion is $false, which means the server will reboot on its own when the promotion finishes. Then it sets the SYSVOL path, and -Force:$true means that if it would pop any confirmation message up, it just goes ahead without asking.
So that's going to be the PowerShell command. You could copy this PowerShell command into something like the PowerShell Integrated Scripting Environment (ISE) and run it like a cookie cutter on multiple machines if you wanted to. Granted, you don't want any kind of conflict, but if you wanted to set up multiple domains for practice, you could do that. Note that the script as shown doesn't contain the DSRM password; when you run it, you'll be prompted for it unless you add the -SafeModeAdministratorPassword parameter. All right, so I'm going to go ahead now and click Next. It's going to verify that all the prerequisites are met and let me know if there are any error messages or warnings that it has run across. OK, so the first warning says Windows Server domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions. In other words, by default the domain controller will refuse the old NT 4.0-era encryption that servers from the 1990s would use to talk to the domain. From a security standpoint it's in your best interest to leave it that way; the setting is controlled through Group Policy, and you should only loosen it if you truly have a legacy system that needs it.
So the next message is that this computer has at least one physical network adapter that does not have a static IP address assigned.
Now, in the real world, you would want your domain controller to have a static address so the address doesn't change (if the DHCP lease ever changes, every member server pointing at the old address for DNS stops being able to find the domain). I already mentioned earlier, though, that if you're doing this with me, I don't know what the addresses are on your network.
So, in my case, I chose to use a dynamic address, which means it will get an address from the DHCP service on your network, which is fine for lab purposes. The main thing is we want to make sure we're pointing to ourselves for DNS. The last message is about DNS delegation: it's telling you that a delegation for this DNS server couldn't be created because there's no parent zone. Active Directory is going to install DNS for us and create the zone itself, so that's fine.
So from there, it says all prerequisite checks passed successfully and we are ready to install.
So, we're ready to install. Go ahead and click the Install button; it's going to take just a moment. I'm going to pause the video and let it finish up.
OK, after the wizard completes the installation, the domain controller will reboot, and at that point you'll come to your logon screen here and you'll notice it says EXAMLABPRACTICE\Administrator. That means I'm logging on to the domain as opposed to the local user account; the local Administrator account became the domain Administrator account during promotion. I'm just going to go ahead now and put my password in, and it's going to officially log me on to the domain controller.
OK, I'm now back in Server Manager after I log on. Let's just verify a few things. We're going to click on Local Server, and from there we're going to notice that the computer name is NYC-DC1 and the domain is examlabpractice.com.
OK, we're going to go to the Tools menu and open up DNS, and we're just going to verify that our DNS zone is there.
OK, so under NYC-DC1, Forward Lookup Zones, there's examlabpractice.com. That's exactly what we want to see right there. And then if we click on the _tcp and _udp folders, we have service (SRV) records that were created. These records are what clients use to locate domain controllers, and they're needed in order for the Active Directory services to run properly. So everything seems to be in order. If we go up to the Tools menu, we now have our Active Directory tools, such as Active Directory Users and Computers, where we create user accounts and all that fun stuff.
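The whole NYC-DC1 build above, done in PowerShell instead of clicking through the wizards, as an added example that is not part of the course. It assumes the adapter is named "Ethernet", that you run it from an elevated PowerShell session on the Server 2022 VM, and that you substitute your own unique domain name; the Install-ADDSForest parameters are the ones the wizard's View script button shows, plus the DSRM password the wizard would otherwise prompt for. The static address line is commented out for the same reason the video leaves DHCP on.

```powershell
# Added example (not course code): first DC of a new forest, in PowerShell.
# Assumptions: adapter "Ethernet", elevated session, your own domain name below.
$DomainName  = 'examlabpractice.com'    # replace with a name unique to you
$NetbiosName = 'EXAMLABPRACTICE'        # max 15 characters; what the wizard derives by default
$Adapter     = 'Ethernet'

# --- Step 1: rename. -Restart reboots immediately; after logging back on, re-run
#     this script and the rename is skipped because the name already matches.
if ($env:COMPUTERNAME -ne 'NYC-DC1') {
    Rename-Computer -NewName 'NYC-DC1' -Force -Restart
}

# --- Step 2: networking. Unbind IPv6 on the adapter (as in the video) and point
#     DNS at the loopback address so the DC resolves against itself.
Disable-NetAdapterBinding -Name $Adapter -ComponentID 'ms_tcpip6'
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses '127.0.0.1'
# Production: a DC needs a static address. Uncomment and adjust to your subnet:
# New-NetIPAddress -InterfaceAlias $Adapter -IPAddress '192.168.1.5' -PrefixLength 24 -DefaultGateway '192.168.1.1'

# --- Step 3: install the AD DS role (what "Add Roles and Features" does).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# --- Step 4: promote. This is the wizard's generated script with the DSRM
#     password supplied as a SecureString instead of an interactive prompt.
$dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -DomainMode 'WinThreshold' `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode 'WinThreshold' `
    -InstallDns:$true `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion:$false `
    -Force:$true
# The server reboots here (-NoRebootOnCompletion:$false). Log on as
# EXAMLABPRACTICE\Administrator and run the checks below.

# --- Step 5 (after the reboot): the same checks the video does by hand.
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
Get-ADForest | Select-Object RootDomain, ForestMode, GlobalCatalogs
# The SRV records under _tcp/_udp are how clients find a DC; if these do not
# resolve, every domain join and logon that follows will fail.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server 127.0.0.1
Resolve-DnsName -Name "_kerberos._udp.$DomainName" -Type SRV -Server 127.0.0.1
dcdiag /test:DNS /test:Advertising
```

'WinThreshold' is the value the wizard emits for the Windows Server 2016 functional level. If Step 5 shows no SRV records, check that the DNS Server service is running and that the DNS client still points at 127.0.0.1 before touching anything else.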
So our domain controller is now officially set up.
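A post-promotion hardening script for the two caveats raised during the wizard, disabling NetBIOS over TCP/IP and keeping NT 4.0-compatible cryptography disallowed. This is an added example, not the course's code; it assumes an elevated session on the DC and that nothing in the lab still needs NetBIOS name resolution. AllowNT4Crypto is the per-server Netlogon registry value behind the "Allow cryptography algorithms compatible with Windows NT 4.0" setting; a domain GPO would write the equivalent value under HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters and take precedence over the service key checked here.

```powershell
# Added example (not course code): act on the two wizard caveats after promotion.
# Assumptions: elevated session on the DC; no legacy clients need NetBIOS or NT4 crypto.

# 1. Disable NetBIOS over TCP/IP on every IP-enabled adapter.
#    SetTcpipNetbios argument: 0 = use DHCP setting, 1 = enable, 2 = disable.
#    ReturnValue 0 = success, 1 = success but reboot required.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = 2 }
        '{0}: SetTcpipNetbios returned {1}' -f $_.Description, $r.ReturnValue
    }
# Verify: NetbiosOptions should now read 2 on each interface.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    Get-ItemProperty |
    Select-Object PSChildName, NetbiosOptions

# 2. Confirm the NT 4.0-compatible cryptography setting is still at its secure default.
#    AllowNT4Crypto: 1 = weak secure-channel algorithms allowed; 0 or absent = rejected.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$current  = (Get-ItemProperty -Path $netlogon -Name AllowNT4Crypto -ErrorAction SilentlyContinue).AllowNT4Crypto
if ($current -eq 1) {
    Write-Warning 'AllowNT4Crypto = 1: NT 4.0-era secure channel crypto is permitted. Resetting to 0.'
    Set-ItemProperty -Path $netlogon -Name AllowNT4Crypto -Value 0 -Type DWord
    Restart-Service -Name Netlogon
} else {
    'AllowNT4Crypto is 0 or unset (default): weak secure-channel algorithms are rejected.'
}
```

Run the NetBIOS part on the member servers too once they are joined; the DNS SRV records the previous step verified are what replace NetBIOS for locating the domain.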
22. Joining a server to a domain
It's now time to join our second server to our Microsoft domain. So we have NYC-DC1, which is up and running right now as a domain controller, and we have NYC-SVR1, which is currently not a member of any domain.
So let's take a look at that server right now. Here we are on NYC-SVR1. I'm just going to hit Start, and from there we'll go to Server Manager. The first thing we're going to do is take a look at the name of the server.
OK, I'm not going to get into Windows Admin Center right now. Wait for the little bar to quit spinning by here in Server Manager. Once that's done, I'm going to click on Local Server, so you can see the name is this name here. I'm going to click on that and go ahead and change the name. I'm going to call it NYC-SVR1.
OK, I'm going to go ahead now and let the computer reboot before I try to join the domain. I've had some issues in the past when doing both at once, so we're going to go ahead and tell it to restart.
OK, after it rebooted, I've logged back on and Server Manager reappears. I'm going to close that, go over to Local Server and notice the name is now NYC-SVR1, but I'm still part of a workgroup. Now, this is very important: in order for me to join the domain, I need to make sure that the DNS settings on this machine are pointed to the domain controller, because the domain controller is our DNS server. That is what's going to be needed in order for me to join the domain, since the join locates a domain controller by looking up the SRV records in that DNS zone.
So, I'm going to jump over to NYC-DC1.
So here we are. This is NYC-DC1. I'm going to open up Server Manager and go to Tools. Actually, you know what, I'm going to go to the command prompt instead, so I'm going to type cmd, open the command prompt and type ipconfig. OK, and that is my IP address, 192.168.1.5. If you're doing this with me, you need to find out what your IP address is and write that number down.
OK, whatever it is, I don't know what it is for you, but for me it's 192.168.1.5.
OK, so once I've got that written down, I'm going to jump back over to server one.
So here we are. We're back on NYC-SVR1.
OK, we're going to go right here on Local Server and click the Ethernet IPv4 address.
OK, we're going to right-click the Ethernet adapter and go to Properties.
OK, I'm going to disable IPv6 on it, highlight Internet Protocol Version 4, go to Properties, and for the preferred DNS server I'm going to point to 192.168.1.5.
So again, that should match what you've got on your domain controller right now.
So unlike on the domain controller, we're not going to put 127.0.0.1 like we did there, because we're not pointing to ourselves; we want to point to the domain controller. From there, we're going to click OK and click Close. We can close out of that screen and we're now ready to join the domain.
OK, so currently on Local Server you see we're part of a workgroup. We're going to click where it says WORKGROUP right there, then click Change and switch to Domain. We're going to put examlabpractice.com. That's what I'm putting in because that's what my domain is called. In your case, you may have a different domain and you would need to put in whatever that name is. I'm going to click OK, and it wants to know what my credentials are. I'm going to put EXAMLABPRACTICE\Administrator and then the password. (In production you'd use an account delegated only the right to create computer objects in the right OU, not the domain Administrator.) If everything went through successfully, you should get this message here: Welcome to the examlabpractice.com domain. You've got to make sure again that you're pointing to the domain controller for DNS. That is critical. That's where most everybody messes up: they don't point themselves to the domain controller for DNS. They point to their ISP or their router for DNS, and at that point it's not going to work, because that resolver knows nothing about the domain's SRV records. You've got to point to the domain controller for DNS. At that point, we're going to click OK, click Close, tell it to restart, and I'll pause the video while it restarts.
OK, so once it's done restarting, you may come to a screen like this. I'm going to click Other user and then put EXAMLABPRACTICE\Administrator. This is going to let me log on with the domain Administrator account instead of the local Administrator account. We're going to hit Enter, and it's now officially logging us on to the examlabpractice domain. I've officially joined the server to the domain. We can now go over to Active Directory on our domain controller and verify that the server is showing up in our Active Directory environment.
So let's jump back over to NYC-DC1.
OK, so here's NYC-DC1. I'm in Server Manager, and I'm going to go up here to Tools, Active Directory Users and Computers. Expand the examlabpractice.com domain, click on the Computers container, and you can see NYC-SVR1 showing up there. Remember, NYC-SVR1 in this case is not a domain controller at the moment; it is just a member server, which is why it landed in the default Computers container. The only domain controller we've got in our environment right now is NYC-DC1, and we can see that by clicking on the Domain Controllers organizational unit (OU). And then there's NYC-SVR1 under Computers.
So, we've officially joined the domain and we've got the two machines able to communicate together.
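The NYC-SVR1 join as a PowerShell script, with a DNS pre-flight check that catches the "pointed at the wrong DNS server" mistake before Add-Computer fails with a vague error. This is an added example, not course code; it assumes the adapter is "Ethernet", that the DC's address is 192.168.1.5 as in the video, and your own domain name. The verification at the end is run on NYC-DC1, where the AD PowerShell module was installed with the role.

```powershell
# Added example (not course code): join a member server, checking DNS first.
# Assumptions: adapter "Ethernet", DC at 192.168.1.5 (from ipconfig on NYC-DC1).
$DomainName = 'examlabpractice.com'
$DcAddress  = '192.168.1.5'
$Adapter    = 'Ethernet'

# Rename first and reboot, as the video does; re-run after logging back on.
if ($env:COMPUTERNAME -ne 'NYC-SVR1') {
    Rename-Computer -NewName 'NYC-SVR1' -Force -Restart
}

Disable-NetAdapterBinding -Name $Adapter -ComponentID 'ms_tcpip6'
# Point at the DC: not 127.0.0.1 (that was the DC pointing at itself) and not the ISP/router.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcAddress

# Pre-flight: can this box locate a domain controller through that DNS server?
# This is exactly the lookup the join performs; an ISP resolver returns nothing here.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                       -Server $DcAddress -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    throw "No DC SRV record for $DomainName via $DcAddress. Fix the DNS client setting before joining."
}
'DC located: {0}:{1}' -f $srv[0].NameTarget, $srv[0].Port

# Join. The credential prompt is for an account allowed to create the computer
# object; the video uses EXAMLABPRACTICE\Administrator. -Restart reboots on success.
$cred = Get-Credential -UserName 'EXAMLABPRACTICE\Administrator' `
                       -Message 'Account allowed to join computers to the domain'
Add-Computer -DomainName $DomainName -Credential $cred -Restart -Force

# --- On NYC-DC1, after NYC-SVR1 has rebooted: the same check as ADUC, from PowerShell.
#     The DistinguishedName shows the object under CN=Computers, not OU=Domain Controllers.
Get-ADComputer -Identity 'NYC-SVR1' -Properties OperatingSystem |
    Select-Object Name, DNSHostName, DistinguishedName, OperatingSystem
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, IsGlobalCatalog

# --- Back on NYC-SVR1, logged on as a domain account: confirm the machine account's
#     secure channel to the DC is healthy (returns $true when it is).
Test-ComputerSecureChannel -Verbose
```

If Test-ComputerSecureChannel returns $false later on (for example after restoring the VM from an old snapshot), Test-ComputerSecureChannel -Repair -Credential $cred resets the machine account password without a re-join.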