This guide shows how to deploy two headless (Server Core, no desktop) Windows Server 2016 domain controllers in a new environment. It is the first in a series and assumes you are standing up a hybrid Microsoft environment within a VMware homelab.
First we need to get a few things out of the way:
- 2 Windows 2016 virtual machines with 2 vCPUs and 4-8GB RAM
- Make sure you are using VMXNET3 network adapters
- Install latest VMware Tools
- Apply latest OS updates
- Change the HOSTNAME of the VMs (XXX-DC01 and XXX-DC02)
- Change the host to use static TCP/IP and DNS
If you are deploying the domain controllers from a base Windows 2016 VM template, do not forget to generalize each clone so it gets a new machine SID before you promote it: run C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown on the clone. Running sysprep without /generalize does not reset the SID, and Microsoft does not support machines that share one.
We are going to deploy two domain controllers as a bare minimum. The domain is going to be called corp.fixmytech.ca and our network will be 192.168.1.0/25 with 192.168.1.1 as the gateway; the first DC gets 192.168.1.2.
The domain name you choose should be a subdomain of a public domain that you have registered with a domain registrar and fully control. It does not have to be resolvable from the internet (the zone lives only on your DCs), but owning the parent domain guarantees nobody else can register it and lets you later obtain publicly trusted certificates for services such as ADFS. Avoid .local and made-up suffixes: public CAs no longer issue certificates for names that are not under a registered domain, and they collide with mDNS and with other people's networks.
Some common candidates for xxx.fixmytech.ca are:
- internal.fixmytech.ca
- ad.fixmytech.ca
- corp.fixmytech.ca
One common convention for the three-letter server prefix (the XXX in XXX-DC01) is the IATA code of the closest airport.
Most of these first steps can be done with sconfig (the text-mode configuration menu) or with the following PowerShell commands.
Set a static IP address and DNS server. Run Get-NetAdapter first to find the alias of your adapter; "PROD Network" is the alias used throughout this guide:

```powershell
# List the adapters to find the InterfaceAlias used below
Get-NetAdapter
# Turn DHCP off on the adapter
Set-NetIPInterface -InterfaceAlias "PROD Network" -Dhcp Disabled -PassThru
# Assign the static address; 192.168.1.2 is the first DC in 192.168.1.0/25
New-NetIPAddress `
    -AddressFamily IPv4 `
    -InterfaceAlias "PROD Network" `
    -IPAddress 192.168.1.2 `
    -PrefixLength 25 `
    -DefaultGateway 192.168.1.1
# The first DC will host DNS itself, so point its DNS client at its own address
Set-DnsClientServerAddress -InterfaceAlias "PROD Network" -ServerAddresses 192.168.1.2
```
Rename the computer and reboot (use FMT-DC02 on the second VM):

```powershell
Rename-Computer -NewName FMT-DC01 -Restart -Force -PassThru
```
Create the forest. Running Test-ADDSForestInstallation with the same parameters first reports prerequisite failures without changing anything. You will be prompted for the DSRM (Directory Services Restore Mode) password; record it in your password manager, as it is the only way into a DC whose AD database will not start.

```powershell
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
# DomainMode/ForestMode 7 is the Windows Server 2016 functional level (WinThreshold)
Install-ADDSForest `
    -DomainName corp.fixmytech.ca `
    -DomainNetbiosName CORP `
    -DomainMode 7 `
    -ForestMode 7 `
    -InstallDns:$true `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -CreateDnsDelegation:$false `
    -NoRebootOnCompletion:$false `
    -Force:$true `
    -Verbose
```
Deploy your second domain controller. Before running this, point the second VM's DNS client at the first DC (192.168.1.2) so it can locate the domain; the credential prompt expects a domain admin such as CORP\Administrator:

```powershell
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName "corp.fixmytech.ca" `
    -Credential (Get-Credential) `
    -SiteName "Default-First-Site-Name" `
    -InstallDns:$true `
    -NoGlobalCatalog:$false `
    -CreateDnsDelegation:$false `
    -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -NoRebootOnCompletion:$false `
    -Force:$true
```
Do not forget to stand up a Windows 10 jump server with the RSAT tools installed so that you still have GUI access to the AD MMC snap-ins (Users and Computers, Sites and Services, DNS, Group Policy Management) that the headless DCs cannot run. Treat that box as a tier-0 administrative host: it exists only to manage the domain, so no web browsing, mail or day-to-day use on it, and only your admin accounts log on to it.
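On Windows 10 1809 or later the RSAT components are delivered as Features on Demand rather than a separate download, so the jump server can be provisioned from an elevated PowerShell prompt. The following is an added example, not part of the original guide; it installs the AD, DNS, Group Policy and Server Manager tools and then confirms the jump server can locate a DC for corp.fixmytech.ca (the capability name patterns are the ones Windows ships, the domain name is the one used in this guide).

```powershell
# Added example (not from the original guide). Run elevated on the Windows 10
# jump server; needs Windows 10 1809+ and access to Windows Update (or a
# configured FoD source) to pull the RSAT features.
$caps = "Rsat.ActiveDirectory.DS-LDS.Tools*",
        "Rsat.Dns.Tools*",
        "Rsat.GroupPolicy.Management.Tools*",
        "Rsat.ServerManager.Tools*"

foreach ($cap in $caps) {
    # Add-WindowsCapability takes the capability Name from the pipeline;
    # skipping already-installed ones keeps the script re-runnable.
    Get-WindowsCapability -Online -Name $cap |
        Where-Object State -ne "Installed" |
        Add-WindowsCapability -Online
}

# What actually landed
Get-WindowsCapability -Online -Name "Rsat.*" |
    Where-Object State -eq "Installed" |
    Select-Object Name

# The snap-ins and the AD module talk to a DC over Active Directory Web Services
# (TCP 9389); this locates one and proves the jump server's DNS is pointed at the DCs.
Import-Module ActiveDirectory
Get-ADDomainController -Discover -DomainName corp.fixmytech.ca -Service ADWS |
    Select-Object HostName, IPv4Address, Site
```

If the discovery call fails, fix the jump server's DNS client (it must use the DCs, not the homelab router) before troubleshooting anything else; every MMC snap-in depends on the same locator lookup.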
The next logical steps are to deploy DHCP, a baseline set of Group Policy Objects, an internal PKI and ADFS.