How to Configure Your First Domain Controller


Today, we will be configuring our first domain controller in our Windows environment. Now we get to some of the good stuff! If you are following along in my Home Lab from Scratch series, then you know we just finished our first Windows Server installation, and are ready to give it some purpose. Active Directory is a Windows-based Identity Provider (IdP) that provides authentication for everything in a Windows environment. Active Directory uses domain controllers to process these requests, and allows administrators to manage these permissions at various levels of scale.

In any business environment, we need redundancy, so typically we would have more than one domain controller. For this Lab, we will only need one because it should have a minimal workload. Whether you are new to being a System Administrator or not, it is important to know how to create the first domain controller for a Windows environment. Microsoft’s official documentation is located here, but to be honest, it is a little hard to follow. I have simplified it in these instructions so you see what you need to see to get started. So follow along, and we will get started.

DISCLAIMER

Please understand that the content herein is for informational purposes only. This existence and contents shall not create an obligation, liability or suggest a consultancy relationship. In further, such shall be considered as is without any express or implied warranties including, but not limited to express and implied warranties of merchantability, fitness for a particular purpose and non-infringement. There is no commitment about the content within the services that the specific functions of the services or its reliability, applicability or ability to meet your needs, whether unique or standard. Please be sure to test this process fully before deploying in ANY production capacity, and ensure you understand that you are doing so at your own risk.

Project List

  1. Download and Install vSphere (ESXi)
  2. Install and Configure OPNsense Firewall
  3. Download and Install Windows Server 2022
  4. Download and Install FreeNAS or Configure Synology (TBD)
  5. Install Windows Server and Configure Veeam Backup Server
  6. Install Windows Server and Configure ManageEngine Patch Manager
  7. Download and Configure MFA solution (Duo or KeyCloak)
  8. Evaluate Home Lab against initial requirements list
  9. Write Lessons Learned Blog post
  10. Plan Next Steps for Home Lab including Expansion

Table of Contents

Update Windows and Install VMWare Tools
Install Active Directory and Configure Basics
Conclusion

Update Windows and Install VMWare Tools

If you are following along in our series, it should mean that you already have a virtual machine with Windows Server 2022 installed. If you don’t, you can see the post HERE to get caught up. So let’s get signed back into ESXi and navigate to our virtual machine so we can install our first domain controller!

  1. In ESXi, navigate to Virtual Machines, and find the machine we named DC1 (or whatever you decided to name your first VM).
DC1 living in VMWare ESXi
  2. On this screen, choose Actions –> Guest OS –> Install VMWare Tools. This mounts the installer as a drive in File Explorer on the VM so we can get VMWare Tools installed. VMWare Tools adds functionality through virtual drivers that would otherwise need to be installed manually on a bare metal host (meaning no VMWare hypervisor).
Install VMWare Tools for Best Compatibility
  3. Next, click on “Console” and choose “Open Browser Console”. (Alternatively, you can choose “Open in Remote Console” to download the app for viewing VMs in ESXi. It is easier to use in my opinion, but requires an app to be installed.)
Remote Console will require an additional install
  4. Now, from the console, you should be able to interact with the VM and get signed in. Sign in with the account you made previously during installation.
  5. When you sign in, you will notice a Windows Evaluation notice in the lower-left corner of the screen. For a Home Lab, you can handle this how you want. (Check out my article, where I talk about how you can set Windows up to automatically renew the evaluation license for you, so you don’t have to remember to do this manually.)
  6. Once you are signed in, we need to prepare Windows for its upcoming role. Open File Explorer, and navigate to the D: drive, where VMWare Tools has been mounted. From here, run Setup64.exe to install the 64-bit version of VMWare Tools.
Install VMware Tools GUI Installer
  7. In our case, we can click Next through each prompt. We aren’t planning on anything special at this time, so a Typical installation is sufficient. Once it is finished, it will ask us to reboot Windows for the changes to take effect.
  8. After the server reboot is finished, sign back in. Open the Settings app –> Update & Security –> Check for Updates. If you already have some pending, then go ahead and choose Install Updates.
Install all Missing Windows Updates

Install Active Directory and Configure Basics

Once VMware Tools and all your Windows updates are installed, we are ready to get started with the Domain Controller. In a Windows environment, the Domain Controller is the primary location where authentication takes place. Every account in the domain will pass a username and password combination to the domain controller to prove their identity. The beauty of this is that Active Directory has many integrations at this point. That means you can extend your private authentication methods to 3rd party apps and services. IdP and authentication are a much bigger discussion than this post, but I feel it is helpful to understand the basics before we get started.

Windows Server Manager

Every time you sign into a Windows Server, you are presented with Windows Server Manager. This is an excellent tool for managing not only the server you are signed into, but also other servers in your environment. Server Manager lets you monitor services, add/remove roles and features, and perform basic health checks on Windows Servers in your environment. It is important to understand this, because you will see it every time you sign in. I used to immediately close it because I never understood the value it was meant to add. Now, I leave it open and use it as a quick way to diagnose issues, or identify problems the second I log in.

Windows Server Manager

Think of it like this. You are the captain of a large ship, and it is nearly impossible to know everything going on on your ship at any given time. Windows Server Manager is like your first mate, giving you a status update and a report of everything you need to know. It’s that kind of relationship. Most of the time, there won’t be anything of value. However, when there is, you will be glad it is there.

Set Static IP Address

In this scenario, we are configuring a server. This server provides an important role in our environment, so we need to make sure it has a permanent IP address. This way, if the server reboots, its address cannot change or be handed to another device by DHCP. We want it to stay the same, so DNS is always up to date. We will set the IP address statically with the instructions below.

  1. On the server, right-click the network icon, and open Network & Internet settings.
  2. From there, make sure you are on the Ethernet connection, and choose “Change adapter options”.
change adapter properties to set IP address static
  3. When you see the Network Connections window, right-click your Ethernet device, and go to Properties.
  4. Double-click the Internet Protocol Version 4 (TCP/IPv4) option to edit the IP address properties for this Ethernet adapter.
Configure IPv4 on ethernet adapter
  5. In the dialog box that pops up, configure your IP address to match something in the subnet you have available. Since we configured our firewall to have the 192.168.10.1/24 subnet, we will need to pick an unused address in that range.
set IP address statically based on the available subnet
  6. Once you have it configured, you can check the box to “Validate settings upon exit” and hit OK. This will ensure that you have it configured correctly.

That is all there is to it. We now have our server with a static IP address. We are ready to configure the other services on this server.
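The same static configuration can be applied from an elevated PowerShell console on the server. This is an added example and not part of the original post; it assumes the adapter is named Ethernet0 (the VMware default), that 192.168.10.10 is a free host address in the 192.168.10.0/24 subnet from the firewall post, and that the firewall at 192.168.10.1 is the gateway and, until AD DS installs DNS, the DNS server. Run it from the VM console rather than over a remote session, because removing the DHCP address drops any connection that depends on it.

```powershell
# Added example (not from the original post): set a static IPv4 address
# from PowerShell instead of the GUI. Adapter name, host address and DNS
# server are assumptions for this lab.
$Adapter   = 'Ethernet0'        # VMware's default adapter alias
$IPAddress = '192.168.10.10'    # constructed: any unused address in the /24
$Prefix    = 24
$Gateway   = '192.168.10.1'     # the OPNsense firewall from the earlier post
$Dns       = '192.168.10.1'     # firewall resolves DNS until the DC does

# Confirm the adapter exists and is connected before touching it
$nic = Get-NetAdapter -Name $Adapter -ErrorAction Stop
if ($nic.Status -ne 'Up') { throw "Adapter $Adapter is not up" }

# Refuse to reuse an address that something else already answers on
if (Test-Connection -ComputerName $IPAddress -Count 1 -Quiet) {
    throw "$IPAddress already responds on the network; pick another address"
}

# Drop the DHCP-assigned address and default route, then disable DHCP
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled

# Assign the static address, gateway and DNS server
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $Dns

# The PowerShell equivalent of "Validate settings upon exit": show the
# resulting configuration and confirm the gateway is reachable
Get-NetIPConfiguration -InterfaceAlias $Adapter
if (-not (Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet)) {
    Write-Warning "Gateway $Gateway is not reachable; re-check the address and prefix length"
}
```

The ping check before assignment is the part the GUI does not do for you: a duplicate address on a domain controller shows up later as intermittent DNS and Kerberos failures that are hard to trace back to the cause.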

Active Directory

Active Directory is probably the world’s most well-known identity provider solution. It encompasses every facet of working in a Windows environment, from granting access to restricted folders to ensuring policy is distributed correctly across the environment. It is solid, effective, and everywhere. If this doesn’t sell you on why you should know how to set it up, then I don’t know what will. Let’s build our first domain controller and configure some basics in Active Directory.

Installation

  1. Once our server is all up to date, we are ready to begin. Navigate to Server Manager, click Manage –> Add Roles and Features.
Server Manager Add roles and features button
Here we go!
  2. Take note of the first screen that comes up here. If you are new to Windows Server, then this first screen is important. It includes the absolute basic steps you should take when configuring your server (a strong Administrator password, a static IP address, and current updates). You should always perform these steps before you install a role on a server. Once those things are ready, you can hit Next to begin.
before you begin screen from add roles and features
Before you Begin Screen
  3. From here you will see the option “Roles Based” is the default. Hit Next to choose this option.
  4. As I mentioned before, Server Manager can manage multiple servers remotely. If you haven’t added any servers to your local Server Manager (if you are following along, you didn’t), then you can hit Next on the “Select Destination Server” screen because there should only be one listed: the one you are signed into.
Select Destination Server dialog box
Ignore the IP address here, I grabbed this screenshot before I realized I forgot to set the IP address statically!
  5. On the next screen, you need to check the box for Active Directory Domain Services. We can add other features later if we need them, but to get started, this is all we want. Hit Next to continue.
Select Server Roles dialog box
Select Server Roles
  6. On the next screen, we will leave the default options as they are and hit Next again to continue.
  7. When you get to the next screen, you will see the image below. Our home lab likely doesn’t need 2 DCs at this time, but we can look at that later. Additionally, we don’t have a formal DNS server configured anywhere yet, so it will include that in the configured options. This is perfectly fine. In an Active Directory environment, it is best to have your DCs act as the DNS for the devices on the domain, and then get their own DNS information from a secure DNS server, or the firewall. Hit Next to continue.
active directory domain services description page
ADDS description page
  8. On the final screen, check the box to “Restart the destination server automatically if required”. Accept the pop-up that comes when you do that. Finally, hit Install to begin the installation.
Confirm Installation Selections for ADDS
  9. Once this is complete, the server may reboot, and then bring you back to the login screen. If not, it is a good idea to reboot once it is done installing. This process will take some time, so go get some coffee or a snack.

Configure AD DS

  1. Once you sign back in, you need to go to Windows Server Manager, and click on AD DS. You will notice a message saying “Configuration required for Active Directory Domain Services at DC1”. Click More to open the next screen. On the All Servers Task Details screen, click the “Promote this server to a domain controller” link.
Continue Active Directory Domain Services Configuration
  2. On the Deployment Configuration window that comes up, change the deployment operation to “Add a new forest”. Then, choose a root domain name. If you were doing this for a company, and not a Home Lab, you should choose something that your company owns in your public DNS, that isn’t the same as your website or any public resources that you have. I also happen to own seesmitty.net, so that is what I will be using for my Home Lab domain. You can also use domain.local or domain.lan if you don’t plan to ever connect this domain to anything external. Hit Next to continue.
Deployment configuration screen
  3. Next we will choose the domain functional level. Since we are starting a new forest, we will be choosing the highest functional level available, in this case Windows Server 2016. You will also need to create a Directory Services Restore Mode (DSRM) password in this step. Create a strong password, and save it in a password vault so you have it if you need it. Then, hit Next to continue.
Domain Controller Options Screen
  4. On the DNS Options screen, at this point you may see a warning. For now this is fine. Since this is the first DC in our environment, there is no existing DNS server available, and we cannot configure this screen. It is expected behavior. Hit Next to continue.
DNS options screen
  5. On the next screen, you will see a message about the NetBIOS name. This is legacy technology that you don’t need. However, it will autofill, so you can hit Next.
  6. Next it will ask for the storage location for the AD DS database. Defaults are fine unless you want to move them to a separate drive. Hit Next to continue.
  7. Finally, you will see a summary screen listing everything we configured. Review the configuration to confirm all is set up the way we intended. Hit Next to continue.
  8. Since this is the first DC in our environment, you will see an error here. AD DS will install fine. This is expected at this point. Hit Install to finalize the installation.
Prerequisite Check for AD DS installation

The server will reboot automatically once the installation is finished. Once it is done, you should be able to sign back in to the server, but this time it will be as the Domain Administrator instead of a local one. You can open up Active Directory Users and Computers to see the basics of your structure. From here you can create OUs, users and groups to start using as you build out your lab.
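Both halves of the procedure above, installing the AD DS role and promoting the server into a new forest, can be scripted with the same choices the wizards make. This is an added example and not part of the original post; it assumes the server is already named DC1 with a static address, uses seesmitty.net as the forest root because that is the domain used in the post (substitute your own), keeps the default NTDS and SYSVOL paths, and prompts for the DSRM password rather than embedding it in the script.

```powershell
# Added example (not from the original post): role install plus forest
# promotion from PowerShell. Domain name and hostname are assumptions for this lab.
$DomainName = 'seesmitty.net'
$ExpectedHost = 'DC1'

# The "Before you begin" checks from the Add Roles and Features wizard:
# hostname is final and no connected adapter is still on DHCP
$info = Get-ComputerInfo
if ($info.CsName -ne $ExpectedHost) {
    Write-Warning "Hostname is $($info.CsName), expected $ExpectedHost; rename before promoting"
}
$dhcpNics = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' }
if ($dhcpNics) { throw 'A connected adapter still uses DHCP; set a static address first' }

# Install the role and its management tools (ADUC, the ADDSDeployment module)
$install = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $install.Success) { throw "Role installation failed with exit code $($install.ExitCode)" }

# DSRM password: prompt for it as the wizard does, then store it in your vault
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Same prerequisite check the wizard shows. The DNS delegation warning is
# expected for the first DC in a forest, so only stop on real errors.
$check = Test-ADDSForestInstallation -DomainName $DomainName -ForestMode WinThreshold `
    -DomainMode WinThreshold -InstallDns -SafeModeAdministratorPassword $dsrm
$check.Message

# Create the forest. WinThreshold is the Windows Server 2016 functional level;
# the NetBIOS name is derived automatically as in the wizard; -Force skips the
# confirmation prompt. The server reboots itself when promotion completes.
Install-ADDSForest `
    -DomainName $DomainName `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force
```

Reading the DSRM password from a prompt matters beyond tidiness: the DSRM account is a local administrator on the DC that works even when AD is offline, so it should never sit in a script or shell history.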

Active Directory Users and Computers
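Creating that first OU, group and user can also be done with the ActiveDirectory module that the role's management tools installed. This is an added example and not part of the original post; it assumes the domain created above (seesmitty.net), and the OU, group and user names are constructed for the lab. The pattern it shows is the one worth keeping: rights go to a group, the account is a standard user, and Domain Admins stays empty apart from the built-in Administrator.

```powershell
# Added example (not from the original post): first OU, security group and
# user with the ActiveDirectory module. Names are constructed for this lab.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName     # e.g. DC=seesmitty,DC=net

# An OU for lab accounts, protected from accidental deletion like the built-in ones
$ouName = 'Lab'
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
$ouDn = "OU=$ouName,$domainDn"

# A global security group: grant folder or GPO rights to this, never to a single account
$groupName = 'Lab Users'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}

# A standard (non-admin) user; password entered at a prompt and must be changed at first logon
$sam = 'jdoe'
$initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    New-ADUser -Name 'Jane Doe' -SamAccountName $sam `
        -UserPrincipalName "$sam@$($domain.DNSRoot)" -Path $ouDn `
        -AccountPassword $initialPassword -Enabled $true -ChangePasswordAtLogon $true
}
Add-ADGroupMember -Identity $groupName -Members $sam

# Verify: the user sits in the OU and the group, and Domain Admins still
# contains only the built-in Administrator account
Get-ADUser -Identity $sam -Properties MemberOf | Select-Object DistinguishedName, Enabled, MemberOf
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName
```

The final two lines are the habit to build in a lab: after every change, confirm where the object landed and that the privileged groups did not grow.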

Conclusion

We have now completed our basic Active Directory Domain Services installation and configured our first domain controller! Congrats if this is your first time setting one up. Now you can start to learn about creating user accounts, permissions, GPOs and more. The goal here is to establish the core of our Windows environment, and build out from here. Next we will talk about NTP, Group Policy and setting up a Windows file server.

I hope you are finding value in this series. It is helpful for me to go through these things writing as I go. It helps me remember the steps, and document my journey as I build a new home lab for myself. As always, I’m open to suggestions, and willing to update this as I go, so if you have suggestions on what I missed, please let me know.

As always, hit me up on Twitter @SeeSmittyIT to let me know what you thought of this post. Thanks for reading!

Smitty

Curtis Smith works in IT with a primary focus on Mobile Device Management, M365 Apps, and Azure AD. He has certifications from CompTIA and Microsoft, and writes as a hobby.
