{"id":2158,"date":"2024-12-07T12:36:25","date_gmt":"2024-12-07T18:36:25","guid":{"rendered":"https:\/\/techlensfocus.com\/?p=2158"},"modified":"2024-12-07T12:36:26","modified_gmt":"2024-12-07T18:36:26","slug":"mastering-windows-server-domain-controller-and-redundancy","status":"publish","type":"post","link":"https:\/\/techlensfocus.com\/index.php\/2024\/12\/07\/mastering-windows-server-domain-controller-and-redundancy\/","title":{"rendered":"Mastering Windows Server: Domain Controller and Redundancy"},"content":{"rendered":"\n
Table of Contents<\/div>
<\/span><\/span><\/span><\/span><\/div><\/div>
<\/div>
    <\/ol><\/div><\/div><\/div>\n\n\n\n

    <\/p>\n\n\n\n

    Introduction<\/h2>\n\n\n\n

    <\/p>\n\n\n\n

    In the Windows Server environment, Active Directory (AD) plays a vital role in managing users, computers, and resources. In this blog, we will explore key concepts such as forests, domain controllers, and why adding redundancy in your AD setup is critical. We\u2019ll conclude with a hands-on lab to create a new AD Forest and install an additional domain controller.<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    What is an Active Directory Forest?<\/h2>\n\n\n\n

    <\/p>\n\n\n\n

    Active Directory Forest is the highest level of organization within the AD structure. It include all of the domains, users, computers, groups, and resources within the network. Typically, one AD forest is sufficient for a large company to organize its network assets into a single directory service, simplifying management and security.<\/p>\n\n\n\n

    If we have many AD forest, each AD forest is isolated from other forests, and objects in one forest are not automatically visible or accessible to another forest unless trust relationships are established<\/strong>.<\/p>\n\n\n\n

    Key components of an AD forest include:
    <\/p>\n\n\n\n

      \n
    • Schema Naming Context (NC):<\/strong> Defines all object types (e.g., users, computers) and their attributes (e.g., usernames, email addresses). There is only one schema <\/strong>per forest.<\/li>\n\n\n\n
    • Configuration Naming Context:<\/strong> Stores information about network services and site (locations). This partition is unique to the forest and applies to all domains within it.<\/li>\n\n\n\n
    • Domain Naming Context:<\/strong> Contains the actual objects within each domain (such as users, computers, groups, organizational unit). There can be multiple domain partitions in a forest.<\/li>\n<\/ul>\n\n\n\n

      Organizations may create a new AD forest for various reasons, such as:<\/p>\n\n\n\n

        \n
      • Security Isolation<\/strong>: Each forest acts as a security boundary, and creating a new forest ensures that resources remain isolated from other forests unless explicitly shared.<\/li>\n\n\n\n
      • Independent Management<\/strong>: Different divisions or subsidiaries within a company may require their own forest to manage resources independently.<\/li>\n\n\n\n
      • Geographic\/Organizational Structure<\/strong>: Some organizations set up multiple forests to reflect distinct operational boundaries, such as different regions or departments.<\/li>\n<\/ul>\n\n\n\n

        <\/p>\n\n\n\n

        What is a Forest Root Domain?<\/h2>\n\n\n\n

        <\/p>\n\n\n\n

        The Forest Root Domain is the first domain created<\/strong> when a new AD forest is built.  It is the foundation of the AD structure, defining the administrative boundaries for an organization’s network. From this root domain, additional domains can be added<\/strong> over time, building out the larger AD forest. <\/p>\n\n\n\n

        When you create a new AD forest, the process starts with establishing the Forest Root Domain. This root domain is essential because it becomes the administrative hub for all future domains and objects within the forest.<\/p>\n\n\n\n

        <\/p>\n\n\n\n

        Active Directory Domain Services (AD DS)<\/h2>\n\n\n\n

        <\/p>\n\n\n\n

        AD DS<\/strong> is a Windows Server role that provides directory services to manage network object such as users, groups, computers, subnets, and sites. Without AD DS, you cannot create domains or manage directory objects.<\/p>\n\n\n\n

        When AD DS is installed, the server becomes a Domain Controller (DC)<\/strong>, responsible for maintaining the Active Directory (AD) <\/strong>database.<\/p>\n\n\n\n

        <\/p>\n\n\n\n

        Role of a Domain Controller<\/h2>\n\n\n\n

        <\/p>\n\n\n\n

        A Domain Controller (DC)<\/strong> is a server that runs AD DS and authenticates users and devices within a domain. It stores a copy of the Active Directory database, containing information about all users, computers, and security groups in that domain.<\/p>\n\n\n\n

        The key functions of a domain controller include:<\/p>\n\n\n\n

          \n
        • Authentication<\/strong>: Ensuring users and computers can access resources.<\/li>\n\n\n\n
        • Authorization<\/strong>: Managing permissions to resources based on policies.<\/li>\n\n\n\n
        • Replication<\/strong>: Sharing changes across other DCs to maintain consistency.<\/li>\n<\/ul>\n\n\n\n

          <\/p>\n\n\n\n

          Additional Domain Controller<\/h2>\n\n\n\n

          <\/p>\n\n\n\n

          In larger or more critical environments, having an additional domain controller is essential for the following reasons:<\/p>\n\n\n\n

            \n
          • Performance<\/strong>: By distributing authentication and request processing across multiple DCs, the overall network performance improves.<\/li>\n\n\n\n
          • Redundancy<\/strong>: If one domain controller fails, others can take over to ensure high availability, preventing a single point of failure.<\/li>\n\n\n\n
          • Database Recovery<\/strong>: Each domain controller holds a writable copy of the Active Directory database, so having multiple DCs ensures better data integrity and faster recoverability in case of a failure.<\/li>\n<\/ul>\n\n\n\n

            <\/p>\n\n\n\n

            Lab: Creating a New AD Forest and Install an Additional Domain Controller<\/h2>\n\n\n\n

            <\/p>\n\n\n\n

            Now that we\u2019ve covered the theoretical aspects, let\u2019s move on to the practical side. In this section, we will guide you through creating a new AD forest and adding an additional domain controller in a Windows Server environment using both GUI and PowerShell methods.<\/p>\n\n\n\n

            <\/p>\n\n\n\n

            Lab Topology<\/h3>\n\n\n\n

            <\/p>\n\n\n\n

            Here is the requirements for this lab (example.local<\/strong>):<\/p>\n\n\n\n

            Device<\/strong><\/td>IP Address<\/strong><\/td>Default Gateway<\/strong><\/td>Preferred DNS<\/strong><\/td>Alternate DNS<\/strong><\/td><\/tr>
            Server 1 (Primary DC)<\/strong><\/td>192.168.1.100<\/td>192.168.1.254<\/td>127.0.0.1 (Loopback Address)<\/td>192.168.1.101 (Secondary DC’s IP)<\/td><\/tr>
            Server 2 (Additional DC)<\/strong><\/td>192.168.1.101<\/td>192.168.1.254<\/td>127.0.0.1 (Loopback Address)<\/td>192.168.1.100 (Primary DC’s IP)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

            Secondly, for lab testing, using .local<\/strong> is recommended to keep it isolated and avoid unintentional DNS conflict. <\/p>\n\n\n\n

            However, for production, you should use a registered domain name that aligns with your organization’s actual domain. Reason include: <\/p>\n\n\n\n

              \n
            • Future Proofing:<\/strong> Allows integration with public services (e.g., Azure AD, Office 365) without requiring domain reconfiguration.<\/li>\n\n\n\n
            • Security and Consistency:<\/strong> Using the real domain ensures consistent naming and better alignment with external DNS configurations.<\/li>\n<\/ul>\n\n\n\n

              <\/p>\n\n\n\n

              Recommended DNS Configuration<\/h3>\n\n\n\n

              <\/p>\n\n\n\n

              Primary DC (192.168.1.100)<\/strong><\/p>\n\n\n\n

                \n
              • Preferred DNS Server:<\/strong> 127.0.0.1 (Loopback Address)\n
                  \n
                • The primary DC should refer to itself first to resolve DNS queries, ensuring it can handle local lookups efficiently and operate independently if the network or secondary DC is temporarily unavailable.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
                    \n
                  • Alternate DNS Server: <\/strong>192.168.1.101 (Secondary DC\u2019s IP)\n
                      \n
                    • Use the secondary DC as a fallback in case of issues with the primary server’s DNS service.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

                      Secondary DC (192.168.1.101)<\/strong><\/p>\n\n\n\n

                        \n
                      • Preferred DNS Server:<\/strong> 127.0.0.1 (Loopback Address)\n
                          \n
                        • Similarly, the secondary DC should prioritize itself for DNS queries.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                        • Alternate DNS Server: <\/strong>192.168.1.100 (Primary DC\u2019s IP)\n
                            \n
                          • The primary DC acts as a backup if the secondary DC\u2019s DNS service encounters issues.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

                            <\/p>\n\n\n\n

                            Setting Up a New AD Forest<\/h3>\n\n\n\n

                            <\/p>\n\n\n\n

                            GUI Method<\/h4>\n\n\n\n

                            <\/p>\n\n\n\n

                            Step 1: Install Active Directory Domain Services (AD DS)<\/strong><\/p>\n\n\n\n

                            In Server 1<\/strong> (Primary Domain Controller), follow these steps:<\/p>\n\n\n\n

                              \n
                            • Open Server Manager<\/strong> on your Windows Server.<\/li>\n\n\n\n
                            • Click Manage<\/strong> > Add Roles and Features<\/strong>.<\/li>\n<\/ul>\n\n\n
                              \n
                              \"\"<\/figure><\/div>\n\n\n

                              In the Add Roles and Features Wizard<\/strong>:<\/p>\n\n\n\n

                                \n
                              • Click Next<\/strong> on the Before you begin<\/strong> page.<\/li>\n\n\n\n
                              • Choose Role-based or feature-based installation<\/strong> and click Next<\/strong>.<\/li>\n\n\n\n
                              • Select the local server from the server pool and click Next<\/strong>. In this case, our server named VM-DC01<\/strong>.<\/li>\n\n\n\n
                              • On the Server Roles<\/strong> page, check Active Directory Domain Services<\/strong>, then click Add Features<\/strong> when prompted. Click Next<\/strong>.<\/li>\n\n\n\n
                              • Keep default selections for features and click Next<\/strong>.<\/li>\n\n\n\n
                              • Review the information on the AD DS<\/strong> page and click Next<\/strong>.<\/li>\n\n\n\n
                              • Click Install<\/strong> on the confirmation page.<\/li>\n\n\n\n
                              • See screenshots below:<\/li>\n<\/ul>\n\n\n
                                \n
                                \"\"<\/figure><\/div>\n\n
                                \n
                                \"\"<\/figure><\/div>\n\n
                                \n
                                \"\"<\/figure><\/div>\n\n
                                \n
                                \"\"<\/figure><\/div>\n\n
                                \n
                                \"\"<\/figure><\/div>\n\n
                                \n
                                \"\"<\/figure><\/div>\n\n
                                \n
                                \"\"<\/figure><\/div>\n\n\n

                                Step 2: Promote your server to a domain controller<\/strong><\/p>\n\n\n\n

                                We are still in Server 1<\/strong>. After the AD DS installation, it doesn\u2019t make the server a domain controller yet, it merely adds the required components. Click the Promote this server to a domain controller<\/strong> link in the notification area of Server Manager.<\/p>\n\n\n

                                \n
                                \"\"<\/figure><\/div>\n\n\n

                                In the Deployment Configuration<\/strong> window:<\/p>\n\n\n\n

                                  \n
                                • Choose Add a new forest<\/strong>. This will establish a new independent AD environment, the root of all domains in the organization.<\/li>\n\n\n\n
                                • Enter techexample.local<\/strong> as the Root domain name<\/strong> and click Next<\/strong>. This domain name aligns with our lab environment.<\/li>\n\n\n\n
                                • See screenshot below:<\/li>\n<\/ul>\n\n\n
                                  \n
                                  \"\"<\/figure><\/div>\n\n\n

                                  In the Domain Controller Options<\/strong> window:<\/p>\n\n\n\n

                                    \n
                                  • Verify that Domain Name System (DNS) server<\/strong> is selected (it is enabled by default). Active Directory heavily relies on DNS for name resolution and locating domain controllers.<\/li>\n\n\n\n
                                  • Enter a Directory Services Restore Mode (DSRM) password<\/strong>, then click Next<\/strong>. The DSRM password is used for recovering or repairing AD in case of failures.<\/li>\n\n\n\n
                                  • See screenshot below:<\/li>\n<\/ul>\n\n\n
                                    \n
                                    \"\"<\/figure><\/div>\n\n\n

                                    Leave default settings for DNS Options<\/strong>, and click Next<\/strong>. Adjusting these settings is only necessary for advanced or hybrid configurations.<\/p>\n\n\n

                                    \n
                                    \"\"<\/figure><\/div>\n\n\n

                                    On the Additional Options<\/strong> page, verify the NetBIOS domain name<\/strong> (e.g., TECHEXAMPLE) and click Next<\/strong>. NetBIOS domain name is a short, legacy-compatible version of the domain name. It is used in environments or applications that rely on NetBIOS.<\/p>\n\n\n

                                    \n
                                    \"\"<\/figure><\/div>\n\n\n

                                    Accept default paths for the database, log files, and SYSVOL folder, then click Next<\/strong>. These folder store critical AD data: <\/p>\n\n\n\n

                                      \n
                                    • Database (NTDS.dit):<\/strong> Contains the Active Directory database.<\/li>\n\n\n\n
                                    • Log files:<\/strong> Track changes to the database.<\/li>\n\n\n\n
                                    • SYSVOL folder:<\/strong> Holds shared files like group policy and logon scripts.<\/li>\n<\/ul>\n\n\n\n

                                      Review the configuration and click Install<\/strong>. The server will automatically reboot after the installation.<\/p>\n\n\n

                                      \n
                                      \"\"<\/figure><\/div>\n\n
                                      \n
                                      \"\"<\/figure><\/div>\n\n
                                      \n
                                      \"\"<\/figure><\/div>\n\n\n

                                      Step 3: Verify the Installation<\/strong><\/p>\n\n\n\n

                                      Once the server reboots, log in using the domain administrator account.<\/p>\n\n\n

                                      \n
                                      \"\"<\/figure><\/div>\n\n\n

                                      Open Server Manager<\/strong> and ensure the Active Directory Users and Computers<\/strong> console is available under Tools<\/strong>.<\/p>\n\n\n

                                      \n
                                      \"\"<\/figure><\/div>\n\n\n

                                      Verify the domain by opening a PowerShell window and running the following command:<\/p>\n\n\n\n

                                      Get-ADDomain<\/pre>\n\n\n\n
                                      The output should display information about the techexample.local<\/strong> domain.<\/p>\n\n\n
                                      \n
                                      \"\"<\/figure><\/div>\n\n\n
                                      Step 4: Verify DNS Resolution<\/strong><\/p>\n\n\n\n
                                      Check Forward and Reverse Lookup<\/strong><\/p>\n\n\n\n
                                      From the Domain Controller (VM-DC01<\/strong>), open PowerShell and type this command to test forward lookup (resolving domain name to IP):<\/p>\n\n\n\n
                                      nslookup techexample.local<\/pre>\n\n\n\n
                                      The result should show the IP address of your domain controller, in this case is 192.168.1.100<\/strong><\/p>\n\n\n
                                      \n
                                      \"\"<\/figure><\/div>\n\n\n
                                      Next, we test the reverse lookup (resolving IP to domain name). Reverse lookups are particularly useful for troubleshooting and logging. First, we need to go to DNS manager to configure the reverse DNS zone:<\/p>\n\n\n\n
                                        \n
                                      • Go to Server Manager <\/strong>> Tools <\/strong>> DNS<\/strong><\/li>\n\n\n\n
                                      • Right-click Reverse Lookup Zones<\/strong> and select New Zone<\/strong><\/li>\n\n\n\n
                                      • Follow the New Zone Wizard:\n
                                          \n
                                        • Zone Type:<\/strong> Choose Primary zone<\/strong>.<\/li>\n\n\n\n
                                        • Replication Scope:<\/strong> Keep the default (to all DNS servers in the forest or domain).<\/li>\n\n\n\n
                                        • Network ID:<\/strong> Enter 192.168.1<\/strong> (the first three octets of your IP address).<\/li>\n\n\n\n
                                        • Dynamic Updates:<\/strong> Allow Secure Dynamic Updates<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n
                                          \n
                                          \"\"<\/figure><\/div>\n\n
                                          \n
                                          \"\"<\/figure><\/div>\n\n
                                          \n
                                          \"\"<\/figure><\/div>\n\n
                                          \n
                                          \"\"<\/figure><\/div>\n\n
                                          \n
                                          \"\"<\/figure><\/div>\n\n
                                          \n
                                          \"\"<\/figure><\/div>\n\n
                                          \n
                                          \"\"<\/figure><\/div>\n\n
                                          \n
                                          \"\"<\/figure><\/div>\n\n\n
                                            \n
                                          • Next, add a Pointer (PTR) record<\/strong> for your domain controller.<\/li>\n\n\n\n
                                          • Right-click the new reverse lookup zone.<\/li>\n\n\n\n
                                          • Select New Pointer (PTR)<\/strong>.<\/li>\n\n\n\n
                                          • Enter IP address and Host name, click OK<\/strong>.<\/li>\n<\/ul>\n\n\n
                                            \n
                                            \"\"<\/figure><\/div>\n\n
                                            \n
                                            \"\"<\/figure><\/div>\n\n\n
                                            Now, we can test the reverse lookup:<\/p>\n\n\n\n
                                            nslookup 192.168.1.100<\/pre>\n\n\n\n
                                            The result now display the hostname techexample.local<\/strong><\/p>\n\n\n
                                            \n
                                            \"\"<\/figure><\/div>\n\n\n
                                            Test DNS Service Health:<\/strong><\/p>\n\n\n\n
                                            Run the following command on the domain controller, pay attention to any warnings or errors, as they may highlight configuration issues:<\/p>\n\n\n\n
                                            dcdiag \/test:dns<\/pre>\n\n\n\n
                                            As you can see from the screenshot below, techexample.local<\/strong> have passed test DNS.<\/p>\n\n\n
                                            \n
                                            \"\"<\/figure><\/div>\n\n\n
                                            <\/p>\n\n\n\n
                                            PowerShell Method<\/h4>\n\n\n\n
                                            <\/p>\n\n\n\n
                                            Step 1: Disable DHCP and configure Server IP Address<\/strong><\/p>\n\n\n\n
                                            An Active Directory server should always have a static IP address to ensure reliable connectivity. Second, if the server is intended to function with a fixed IP address, DHCP should be disabled on that specific NIC.<\/p>\n\n\n\n
                                            On Server 1 (VM-DC01<\/strong>), begin disable DHCP for the specific NIC, and set IP:<\/p>\n\n\n\n
                                            # Get the network adapter name\n$AdapterName = Get-NetAdapter | Where-Object {$_.Status -eq \"Up\"} | Select-Object -ExpandProperty Name\n\n# Disable DHCP\nSet-NetIPAddress -InterfaceAlias $AdapterName -DHCP Disabled -PassThru\n\n#Assign Ips to variables\n$Ipaddress      = \"192.168.1.100\"\n$Dnsaddress     = \"127.0.0.1\"\n$Gatewayaddress = \"192.168.1.254\"\n\n#Removing existing IP and Gateway\nRemove-NetRoute -InterfaceAlias $AdapterName `\n                -AddressFamily IPv4 `\n                -Confirm:$false `\n                -PassThru\n\nRemove-NetIpAddress -InterfaceAlias $AdapterName `\n                    -AddressFamily IPv4 `\n                    -Confirm:$false `\n                    -PassThru\n\n# Assign static IP\nNew-NetIPAddress -InterfaceAlias $AdapterName `\n                 -IPAddress $Ipaddress `\n                 -AddressFamily IPv4 `\n                 -PrefixLength 24 `\n                 -DefaultGateway $Gatewayaddress\n\n# Set DNS server addresses\nSet-DnsClientServerAddress -InterfaceAlias $AdapterName -ServerAddresses $Dnsaddress\n<\/pre>\n\n\n\n
                                            Verify the static IP address and DNS settings:<\/p>\n\n\n\n
                                            Get-NetIPAddress -InterfaceAlias $AdapterName\nGet-DnsClientServerAddress -InterfaceAlias $AdapterName<\/pre>\n\n\n\n
                                            Step 2: Install Active Directory Domain Services (AD DS)<\/strong><\/p>\n\n\n\n
                                            Here is how you Install the AD DS role and other services: <\/p>\n\n\n\n
                                            Open PowerShell as an Administrator, run the following command to install the AD DS role<\/p>\n\n\n\n
                                            # Setting Roles and Features variable\n$FeaturesToAdd = @('SNMP-Service', 'AD-Domain-Services')\n\n# Install the Roles and Features listed above\nInstall-WindowsFeature -Name $FeaturesToAdd -IncludeAllSubFeature -IncludeManagementTools\n\n# Setup SNMP Community \nREG ADD \"HKLM\\System\\ControlSet001\\Services\\SNMP\\Parameters\\ValidCommunities\" \/v \"public\" \/t REG_DWORD \/d 4 \/f\n<\/pre>\n\n\n\n
                                              \n
                                            • HKLM<\/strong>: Stands for HKEY_LOCAL_MACHINE, a registry hive that stores settings for the local machine.<\/li>\n\n\n\n
                                            • ControlSet001\\Services\\SNMP\\Parameters\\ValidCommunities:<\/strong> Specifies the location where SNMP community settings are stored.<\/li>\n\n\n\n
                                            • \/v<\/strong> “public”<\/li>\n\n\n\n
                                            • \/t REG_DWORD<\/strong>: Specifies the type of the registry value to be added. <\/li>\n\n\n\n
                                            • \/d 4<\/strong>: 4 typically means READ-WRITE access, allowing both viewing and modification of SNMP-managed objects.<\/li>\n<\/ul>\n\n\n\n
                                              Step 3: Promote Server to a Domain Controller<\/strong><\/p>\n\n\n\n
                                              Next, we use the following command to create a new forest and promote Server 1 (VM-DC01<\/strong>) to become a Domain Controller. <\/p>\n\n\n\n
                                              # Imports the relevant cmdlets for AD DS deployment into PowerShell\nImport-Module ADDSDeployment\n\nGet-Command -Module ADDSDeployment | Format-Table Name\n\n# Deploy the first domain controller and forest\n$ParamterToAdd = @{\n\nDomainName           = \"techexample.local\"\nDomainNetbiosName    = \"TECHEXAMPLE\"\nDomainMode           = \"7\"\nForestMode           = \"7\"\nDatabasePath         = \"C:\\Windows\\NTDS\"\nLogPath              = \"C:\\Windows\\NTDS\"\nSysvolPath           = \"C:\\Windows\\SYSVOL\" \nInstallDns           = $true \nCreateDnsDelegation  = $false\nNoRebootOnCompletion = $false \nForce                = $true \n\n}\n\nInstall-ADDSForest @ParamterToAdd\n\n<\/pre>\n\n\n\n
                                                \n
                                              • DomainMode “7”<\/strong> and ForestMode “7”<\/strong>: This corresponds to Windows Server 2016 or higher forest functional level.<\/li>\n<\/ul>\n\n\n\n
                                                During the execution, the server will restart automatically after completing the promotion process.<\/p>\n\n\n\n
                                                Note: <\/strong><\/p>\n\n\n\n
                                                  \n
                                                • You’ll be prompted to enter and verify a Directory Services Restore Mode (DSRM) password. You can skip this step by using parameter -SafeModeAdministratorPassword<\/strong>  and provide a secure string representation of your password. For example: <\/li>\n<\/ul>\n\n\n\n
                                                  Install-ADDSForest -DomainName \"techexample.local\" `\n                   -SafeModeAdministratorPassword (ConvertTo-SecureString \"YourSecurePassword\" -AsPlainText -Force)<\/pre>\n\n\n\n
                                                    \n
                                                  • If you’re frequently automating forest or domain creation processes, like in a lab setting, use this syntax to set the DSRM password to a specific value:<\/li>\n<\/ul>\n\n\n\n
                                                    # Example 1:\n$Password = ConvertTo-SecureString -String 'P@ssw0rd!' -AsPlainText -Force\n\n# OR\n\n# Example 2: \n$Password = Read-Host -Prompt 'Enter SafeMode Admin Password' -AsSecureString\n\nInstall-ADDSForest -DomainName \"techexample.local\" `\n                   -SafeModeAdministratorPassword $Password<\/pre>\n\n\n\n
                                                    Step 4: Verify the Installation<\/strong><\/p>\n\n\n\n
                                                    Log in to the server with the domain administrator account: Administrator@techexample.local<\/strong><\/p>\n\n\n\n
                                                    Open PowerShell and run the following commands to verify:<\/p>\n\n\n\n
                                                    # To check the domain details:\nGet-ADDomain\n\n# To list the domain controllers in the forest:\nGet-ADDomainController -Filter *<\/pre>\n\n\n\n
                                                    <\/p>\n\n\n\n
                                                    Installing an Additional Domain Controller<\/h3>\n\n\n\n
                                                    <\/p>\n\n\n\n
                                                    GUI Method<\/h4>\n\n\n\n
                                                    <\/p>\n\n\n\n
                                                    Step 1: Add another server to the domain<\/strong><\/p>\n\n\n\n
                                                    In Server 2<\/strong>, before joining the domain, we need to ensure the server has a static IP address, below is screenshot of the configuration:<\/p>\n\n\n
                                                    \n
                                                    \"\"<\/figure><\/div>\n\n\n
                                                    Next, test the connectivity to the Primary Doman Controller (Server 1), making sure it is reachable. Run the following command:<\/p>\n\n\n\n
                                                    ping 192.168.1.100<\/pre>\n\n\n\n
                                                    Next, test the DNS resolution, ensure the domain name resolves to the primary DC’s IP. Use nslookup to resolve the domain: <\/p>\n\n\n\n
                                                    nslookup techexample.local<\/pre>\n\n\n
                                                    \n
                                                    \"\"<\/figure><\/div>\n\n\n
                                                    Now, begin joining the Domain (GUI): <\/p>\n\n\n\n
                                                      \n
                                                    • Open Server Manager<\/strong> on the Server 2<\/strong>, in this example is VM-WS01<\/strong>.<\/li>\n\n\n\n
                                                    • Click Local Server<\/strong> in the left pane.<\/li>\n\n\n\n
                                                    • In the Properties<\/strong> pane, locate Workgroup<\/strong> and click the adjacent link labeled Workgroup<\/strong> or Change<\/strong>.<\/li>\n\n\n\n
                                                    • In the System Properties<\/strong> window:\n
                                                        \n
                                                      • Click the Change<\/strong> button.<\/li>\n\n\n\n
                                                      • Under Member of<\/strong>, select Domain<\/strong> and enter the domain name.<\/li>\n\n\n\n
                                                      • Click OK<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                                                      • Enter credentials for a domain account with the necessary privileges (e.g., a Domain Administrator account).<\/li>\n\n\n\n
                                                      • After the server successfully joins the domain, you\u2019ll see a welcome message.<\/li>\n\n\n\n
                                                      • Restart the server when prompted.<\/li>\n<\/ul>\n\n\n\n
                                                        See screenshots of these steps below: <\/p>\n\n\n
                                                        \n
                                                        \"\"<\/figure><\/div>\n\n
                                                        \n
                                                        \"\"<\/figure><\/div>\n\n
                                                        \n
                                                        \"\"<\/figure><\/div>\n\n
                                                        \n
                                                        \"\"<\/figure><\/div>\n\n
                                                        \n
                                                        \"\"<\/figure><\/div>\n\n\n
                                                        <\/p>\n\n\n\n
                                                        Step 2: Adding AD DS on Server 2<\/strong><\/p>\n\n\n\n
                                                        This step is the same as the one we just did on Server 1<\/strong>, (Setting Up a New AD Forest (GUI)<\/strong>) including: <\/p>\n\n\n\n
                                                          \n
                                                        • Open Server Manager<\/strong> on the additional server.<\/li>\n\n\n\n
                                                        • Click Add roles and features<\/strong> <\/strong>in the Dashboard.<\/li>\n\n\n\n
                                                        • Proceed through the wizard:\n
                                                            \n
                                                          • Select Role-based or feature-based installation<\/strong> and click Next<\/strong>.<\/li>\n\n\n\n
                                                          • Server Selection:<\/strong> Choose the local server (VM-WS01<\/strong>) and click Next<\/strong>.<\/li>\n\n\n\n
                                                          • Server Roles:<\/strong> Check Active Directory Domain Services<\/strong>. When prompted, click Add Features<\/strong>.<\/li>\n\n\n\n
                                                          • Keep the default selections for features and click Next<\/strong>.<\/li>\n\n\n\n
                                                          • Review the information on the AD DS<\/strong> page and click Next<\/strong>.<\/li>\n\n\n\n
                                                          • Click Install<\/strong> on the confirmation page.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                                                          • Wait for the installation to complete but do not restart the server yet<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                                            Step 3: Promote the server to act as an additional domain controller<\/strong><\/p>\n\n\n\n
                                                            After the installation, click the Promote this server to a domain controller<\/strong> link in the notification area.<\/p>\n\n\n
                                                            \n
                                                            \"\"<\/figure><\/div>\n\n\n
                                                            In the Deployment Configuration<\/strong> window:<\/p>\n\n\n\n
                                                              \n
                                                            • Select Add a domain controller to an existing domain<\/strong>.<\/li>\n\n\n\n
                                                            • Enter the domain name,  techexample.local<\/strong> and provide domain admin credentials if prompted.<\/li>\n<\/ul>\n\n\n
                                                              \n
                                                              \"\"<\/figure><\/div>\n\n\n
                                                              In the Domain Controller Options<\/strong> window:<\/p>\n\n\n\n
                                                                \n
                                                              • Select the desired roles (DNS Server and Global Catalog are selected by default).<\/li>\n\n\n\n
                                                              • Enter the Directory Services Restore Mode (DSRM)<\/strong> password (used for recovery purposes) and click Next<\/strong>.<\/li>\n\n\n\n
                                                              • See screenshots below:<\/li>\n<\/ul>\n\n\n
                                                                \n
                                                                \"\"<\/figure><\/div>\n\n\n
                                                                Leave default settings for DNS Options<\/strong> and click Next<\/strong>.<\/p>\n\n\n
                                                                \n
                                                                \"\"<\/figure><\/div>\n\n\n
                                                                On the Additional Options<\/strong> page, verify the replication source, our primary DC (192.168.1.100) and click Next<\/strong>.<\/p>\n\n\n
                                                                \n
                                                                \"\"<\/figure><\/div>\n\n\n
                                                                Accept default paths for the database, log files, and SYSVOL folder, and click Next<\/strong>.<\/p>\n\n\n\n
                                                                Review the configuration summary and click Install<\/strong>. The server will restart automatically after the promotion.<\/p>\n\n\n
                                                                \n
                                                                \"\"<\/figure><\/div>\n\n
                                                                \n
                                                                \"\"<\/figure><\/div>\n\n
                                                                \n
                                                                \"\"<\/figure><\/div>\n\n\n
                                                                Step 4: Verify the additional domain controllers<\/strong><\/p>\n\n\n\n
                                                                After rebooting, check to see if the server is listed as a domain controller in Active Directory Users and Computers<\/strong> under Domain Controllers<\/strong>. <\/p>\n\n\n
                                                                \n
                                                                \"\"<\/figure><\/div>\n\n\n
                                                                <\/p>\n\n\n\n
                                                                PowerShell Method<\/h4>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Step 1: Add another server to the domain<\/strong><\/p>\n\n\n\n
                                                                Open PowerShell as Administrator<\/strong> on the additional server (Server 2<\/strong>), then run the following command to join the domain:<\/p>\n\n\n\n
                                                                Add-Computer -DomainName \"techexample.local\" -Credential (Get-Credential) -Restart<\/pre>\n\n\n\n
                                                                After the restart, confirm the server has joined the domain:<\/p>\n\n\n\n
                                                                (Get-WmiObject -Class Win32_ComputerSystem).Domain<\/pre>\n\n\n\n
                                                                The output should display techexample.local<\/strong><\/p>\n\n\n\n
                                                                Step 2: Adding AD DS on Server 2<\/strong><\/p>\n\n\n\n
                                                                Open PowerShell as Administrator and run:<\/p>\n\n\n\n
                                                                Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools<\/pre>\n\n\n\n
                                                                Wait for the installation to complete.<\/p>\n\n\n\n
                                                                Step 3: Promote the Server to an Additional Domain Controller<\/strong><\/p>\n\n\n\n
                                                                We use the following command to promote Server 2<\/strong> (VM-WS01<\/strong>) to be secondary DC:<\/p>\n\n\n\n
                                                                Install-ADDSDomainController -DomainName \"techexample.local\" `\n                             -InstallDns `\n                             -Credential (Get-Credential techexample\\administrator) `\n                             -DatabasePath \"C:\\Windows\\NTDS\" `\n                             -LogPath      \"C:\\Windows\\NTDS\" `\n                             -SysvolPath   \"C:\\Windows\\SYSVOL\" `\n                             -SafeModeAdministratorPassword (ConvertTo-SecureString \"YourDSRMPasswordHere\" -AsPlainText -Force) `\n                             -Force<\/pre>\n\n\n\n
                                                                After the command completes, the server will automatically reboot.<\/p>\n\n\n\n
                                                                Step 4: Verify the Additional Domain Controller<\/strong><\/p>\n\n\n\n
                                                                After rebooting, use the following PowerShell commands to verify:<\/p>\n\n\n\n
                                                                # Check the domain controller is registered\nGet-ADDomainController -Filter *\n\n# Test replication\nrepadmin \/replsummary\n\n# Test DNS functionality\nnslookup techexample.local<\/pre>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Verify the Domain Controller and Additional Domain Controller<\/h3>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                After setting up your Domain Controller (DC) and Additional Domain Controller (ADC), it\u2019s crucial to verify their functionality and ensure proper replication and DNS resolution. Here are several methods to confirm everything is working as expected, you will see some methods we already covered in the earlier section.<\/p>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Verify Domain Membership<\/h4>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                On the Additional DC (VM-WS01<\/strong>), confirm it has joined the domain by typing this PowerShell commands:<\/p>\n\n\n\n
                                                                (Get-WmiObject -Class Win32_ComputerSystem).Domain\n\n$env:USERDOMAIN<\/pre>\n\n\n\n
                                                                The output should display the domain name, techexample.local<\/strong><\/p>\n\n\n\n
                                                                You can also this command to check whether the Domain Controller is registered:<\/p>\n\n\n\n
                                                                Get-ADDomainController -Filter *<\/pre>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Ping the Domain<\/h4>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                From a client machine or the Domain Controller, test connectivity by typing: <\/p>\n\n\n\n
                                                                ping techexample.local<\/pre>\n\n\n\n
                                                                The result should resolve to the IP address of your Domain Controller and Additional DC.<\/p>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Test DNS Resolution<\/h4>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                On your Primary DC and Additional DC, use nslookup <\/strong>to confirm that DNS is resolving correctly. The output should return IP address of your Primary DC (192.168.1.100) and Additional DC (192.168.1.101).<\/p>\n\n\n\n
                                                                nslookup techexample.local<\/pre>\n\n\n\n
                                                                Next, we confirm self-resolution for each DC. On Primary and Secondary DC, type:<\/p>\n\n\n\n
                                                                nslookup 127.0.0.1<\/pre>\n\n\n\n
                                                                The output should show techexample.local<\/strong><\/p>\n\n\n\n
                                                                Tool like dcdiag <\/strong>can be used to monitor DNS health:<\/p>\n\n\n\n
                                                                dcdiag \/test:dns<\/pre>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Verify AD DS Health<\/h4>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                On each DC, use the dcdiag<\/strong> command to run a comprehensive diagnostic. Look for PASS<\/strong> messages, especially for Connectivity, Replication, DNS health:<\/p>\n\n\n\n
                                                                dcdiag<\/pre>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Verify Replication<\/h4>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Check the replication status between the DC and Additional DC using command:<\/p>\n\n\n\n
                                                                repadmin \/replsummary<\/pre>\n\n\n\n
                                                                The output should show no errors and that replication is occurring successfully.<\/p>\n\n\n\n
                                                                You can also have a detailed view of replication partners using command:<\/p>\n\n\n\n
                                                                repadmin \/showrepl<\/pre>\n\n\n\n
                                                                The output should show replication status for each naming context.<\/p>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Test Authentication<\/h4>\n\n\n\n
                                                                <\/p>\n\n\n\n
                                                                Log in to a domain-joined client or server using the format: <\/p>\n\n\n\n
                                                                  \n
                                                                • techexample.local\\<username><\/li>\n\n\n\n
                                                                • username@techexample.local<\/li>\n<\/ul>\n\n\n\n
                                                                  <\/p>\n\n\n\n
                                                                  Verify SYSVOL and NETLOGON Sharing<\/h4>\n\n\n\n
                                                                  <\/p>\n\n\n\n
                                                                  Confirm the SYSVOL <\/strong>and NETLOGON <\/strong>shares are active on both DCs. If you can access these folders, the domain controller is sharing Group Policy and logon scripts properly.<\/p>\n\n\n\n
                                                                  Run the following commands on both DCs. The output should display the SYSVOL <\/strong>and NETLOGON <\/strong>shares:<\/p>\n\n\n\n
                                                                  net share<\/pre>\n\n\n\n
                                                                  We can further check replication of SYSVOL<\/strong> folder by creating a test file in the SYSVOL <\/strong>folder of the primary DC:<\/p>\n\n\n\n
                                                                  C:\\Windows\\SYSVOL\\domain\\scripts\\testfile.txt<\/pre>\n\n\n\n
                                                                  Verify that it replicates to the SYSVOL folder on the additional DC.<\/p>\n\n\n\n
                                                                  <\/p>\n\n\n\n
                                                                  Confirm Global Catalog Role<\/h4>\n\n\n\n
                                                                  <\/p>\n\n\n\n
                                                                  Verify if the additional DC (VM-WS01<\/strong> )has been promoted as a Global Catalog server. Open PowerShell and run:<\/p>\n\n\n\n
                                                                  Get-ADDomainController -Filter {IsGlobalCatalog -eq $true}<\/pre>\n\n\n\n
                                                                  The output should list both DCs if the ADC is a Global Catalog server.<\/p>\n\n\n\n
                                                                  <\/p>\n\n\n\n
                                                                  Conclusion<\/h2>\n\n\n\n
                                                                  <\/p>\n\n\n\n
                                                                  To sum up, understand the structure of an Active Directory Forest, the role of the forest root domain, and the importance of having multiple domain controllers are crucial for maintaining a secure and resilient network. Through this blog, we explored these concepts and demonstrated how to implement them with a hands-on lab.<\/p>\n\n\n\n

                                                                  <\/p>\n\n\n\n

                                                                  <\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                  Exploring key concepts like AD forests, root domains, and domain controller, along with setting up an AD forest and installing an additional domain controller<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[6,18],"tags":[83,82,27],"class_list":["post-2158","post","type-post","status-publish","format-standard","hentry","category-it","category-windowserver","tag-active-directory","tag-domain-controller","tag-windows-server"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/posts\/2158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/comments?post=2158"}],"version-history":[{"count":250,"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/posts\/2158\/revisions"}],"predecessor-version":[{"id":2462,"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/posts\/2158\/revisions\/2462"}],"wp:attachment":[{"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/media?parent=2158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/categories?post=2158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techlensfocus.com\/index.php\/wp-json\/wp\/v2\/tags?post=2158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}