Cybersecurity | Hybrid Cloud Infrastructure

Deploy headless Server 2016 Domain Controllers

This guide will show you how to deploy two headless Windows Server 2016 domain controllers in a new environment. This guide (the first of a series) assumes you are standing up a hybrid Microsoft environment within a VMware homelab.

First we need to get a few things out of the way:

  • 2 Windows 2016 virtual machines with 2 vCPUs and 4-8GB RAM
  • Make sure you are using VMXNET3 network adapters
  • Install latest VMware Tools
  • Apply latest OS updates
  • Change the HOSTNAME of the VMs (XXX-DC01 and XXX-DC02)
  • Change the host to use static TCP/IP and DNS

If you are deploying domain controllers from a base Windows 2016 VM template, do not forget to generate a new SID using: C:\Windows\System32\Sysprep\sysprep.exe

We are going to deploy two domain controllers at a bare minimum; the domain is going to be called corp.fixmytech.ca and our network will be

The domain name you choose should be resolvable from the internet, so choose a domain that you have registered with a domain registrar and over which you have full control.

Some common candidates for xxx.fixmytech.ca are:

  • internal.fixmytech.ca
  • ad.fixmytech.ca
  • corp.fixmytech.ca

One common 3-letter server prefix used for the internal server names is the IATA 3-letter code of the closest airport.

To do most of the basic first steps you can use sconfig (the text-menu configuration tool) or issue the following:

Set a static DNS and TCP/IP:

# The alias must match the adapter name shown by Get-NetAdapter; the same adapter is used throughout.
Set-NetIPInterface -InterfaceAlias "PROD Network" -DHCP Disabled -PassThru
New-NetIPAddress `
     -AddressFamily IPv4 `
     -InterfaceAlias "PROD Network" `
     -IPAddress "<static IPv4 address of this DC>" `
     -PrefixLength 25
Set-DnsClientServerAddress -InterfaceAlias "PROD Network" -ServerAddresses "<DNS server address>"

Rename the computer and reboot:

Rename-Computer -NewName FMT-DC01 -Restart -Force -PassThru

Create the forest:

Import-Module ADDSDeployment
# Functional level 7 = WinThreshold (Server 2016). You will be prompted for the
# DSRM (SafeModeAdministrator) password because it is not supplied on the command line.
Install-ADDSForest `
  -DomainName corp.fixmytech.ca `
  -DomainNetbiosName CORP `
  -DomainMode 7 `
  -ForestMode 7 `
  -InstallDns:$true `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -DatabasePath "C:\Windows\NTDS" `
  -NoRebootOnCompletion:$false `
  -CreateDnsDelegation:$false `
  -Force:$true

Deploy your second domain controller using:

Import-Module ADDSDeployment
# -Credential prompts for an account that is allowed to add a domain controller to corp.fixmytech.ca.
Install-ADDSDomainController `
  -NoGlobalCatalog:$false `
  -CreateDnsDelegation:$false `
  -Credential (Get-Credential) `
  -CriticalReplicationOnly:$false `
  -DatabasePath "C:\Windows\NTDS" `
  -DomainName "corp.fixmytech.ca" `
  -InstallDns:$true `
  -LogPath "C:\Windows\NTDS" `
  -NoRebootOnCompletion:$false `
  -SiteName "Default-First-Site-Name" `
  -SysvolPath "C:\Windows\SYSVOL"
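Once both promotions have completed and the servers have rebooted, it is worth verifying the result before building anything on top of it. The following health check is an added example, not part of the original guide; it assumes the ActiveDirectory module is available (it is on a DC), that the second DC is named FMT-DC02 following the XXX-DC02 pattern above, and that it is run from a domain-joined admin session.

```powershell
# Added post-promotion health check (not part of the original guide).
# Assumes both DCs are up and that FMT-DC02 follows the guide's XXX-DC0n naming pattern.
Import-Module ActiveDirectory

$Domain   = 'corp.fixmytech.ca'
$Expected = @('FMT-DC01', 'FMT-DC02')   # assumed hostnames, per the XXX-DC0n pattern
$Failed   = $false

function Check($Name, $Ok) {
    $state = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $Name)
    if (-not $Ok) { $script:Failed = $true }
}

# 1. Both DCs are registered in the domain and hold the Global Catalog role.
$dcs = Get-ADDomainController -Filter * -Server $Domain
Check 'Both domain controllers are present' (($Expected | Where-Object { $_ -notin $dcs.Name }).Count -eq 0)
Check 'All DCs are Global Catalogs' (($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)

# 2. The DC locator SRV records that clients rely on resolve in DNS (one per DC).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$srvOnly = @($srv | Where-Object { $_.Type -eq 'SRV' })
Check 'DC locator SRV records resolve for every DC' ($srvOnly.Count -ge $Expected.Count)

# 3. No replication failures are recorded on either DC (empty result = healthy).
foreach ($dc in $dcs) {
    $fail = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
    Check "No replication failures on $($dc.Name)" (-not $fail)
}

# 4. Each DC has at least one inbound replication partner.
foreach ($dc in $dcs) {
    $partners = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue)
    Check "$($dc.Name) has an inbound replication partner" ($partners.Count -ge 1)
}

# 5. Functional levels match what the guide sets (level 7 = WinThreshold = Server 2016).
$forest = Get-ADForest -Identity $Domain
$dom    = Get-ADDomain -Identity $Domain
Check 'Forest functional level is Windows2016Forest' ($forest.ForestMode -eq 'Windows2016Forest')
Check 'Domain functional level is Windows2016Domain' ($dom.DomainMode -eq 'Windows2016Domain')

if ($Failed) { Write-Warning 'One or more checks failed; fix them before deploying DHCP, GPOs or PKI.' }
```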

Do not forget to stand up a Windows 10 jump server with RSAT tools installed so that you still have GUI access to most AD MMC snap-ins.

The next logical steps are to deploy DHCP, basic Group Policy Objects, an internal PKI and ADFS.