Domain Controller Setup Complete Documentation

Document Name: Domain Controller Implementation and configuration – SaveTheChildren
Date Created: 21-08-yyyy
Review Date: 30-08-yyyy
Version No.: V2.0
Author: Your Name

The purpose of this document is to provide the SaveTheChildren Charity Organization with a knowledge document on how to set up a domain controller to house their user accounts and groups. This will help them migrate to the cloud in Azure by syncing the domain with Azure Active Directory.

Scope

The scope of this document is to provide SaveTheChildren with information on:

·       Reasons for using a domain controller
·       Limitations in our set-up
·       Setup instructions step by step
·       How to create user groups
·       How to create users

3.   Reasons for using a domain controller

The domain controller is the heart of any organization with an on-prem presence. A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing host access to domain resources. It authenticates users, stores user account information, and enforces security policy for a domain. It is most commonly implemented in Microsoft Windows environments where it is the centerpiece of the Windows Active Directory service. However, non-Windows domain controllers can be established via identity management software such as Samba and Red Hat FreeIPA.

Domain controllers are typically deployed as a cluster to ensure high availability and maximize reliability. In a Windows environment, one domain controller serves as the Primary Domain Controller (PDC), and all other servers are promoted to domain controller status in the domain as Backup Domain Controllers (BDC). In Unix-based environments, one machine serves as the master domain controller and the others serve as replica domain controllers, periodically replicating database information from the master domain controller and storing it in a read-only format.

4.   Limitations in our set-up

In our set-up, we do not have access to Azure Active Directory, as shown in the figure below.

Figure 1: Access denied in AAD module in azure

Our implementation will therefore not sync with the AAD module through an Azure Active Directory Connect server, as shown in the diagram below.

Figure 2: DC to AAD general diagram [Source-Microsoft]

5.   Setup instructions step by step

This section provides step-by-step instructions with screenshots to deploy a VM and set up the DC on it.

Figure 3: DC VM deployment step 1

Figure 3 shows the basic details such as the resource group the VM will be in and the subscription used to cover the costs of the VM. It also includes the region of deployment and the OS we will use, in this case Windows Server 2019 Datacenter edition. We have selected no redundancy as there is no free quota for it on a free subscription.

Figure 4: DC VM deployment step 2 – networking

Figure 4 shows the networking settings used for the VM deployment. We have created a subnet with 10.0.0.0/24 and assigned a dynamic public IP to reduce costs. This public IP will be decommissioned after the entire setup is completed, for security purposes. A network security group is created to hold the inbound and outbound connection rules and policy.

Figure 5: DC VM deployment step 3 – backup management

Figure 5 shows the backup policy created to ensure that we can always recover from a disaster. In our case, to cut down costs, we have created a weekly backup every Sunday at 6 pm and will retain each copy for 5 days. Keeping such backups is one of the best practices for ensuring reliability in the case of disasters.

Figure 6: DC VM deployment step 4 storage

Figure 6 shows the data disk we have attached to the VM, since we may require additional persistent storage for data and for application backups.

Figure 7: DC VM deployment step 5 deployment

Figure 7 shows the successful deployment of the VM adhering to our configurations.

Figure 8: Network diagram on Azure

Figure 8 shows the network topology diagram for the deployed VM and its resources in the resource group at this stage.

As the domain controller is vital for the functioning of Active Directory, the configuration should be done carefully to avoid any errors. Follow the steps below to make sure your domain controller is set up correctly.

Before you begin, ensure you assign a static IP address to your Domain Controller so that Active Directory objects can locate it reliably. For the proof-of-concept stage we rely on the dynamic address instead, and we will not stop the VM so that the leased address remains valid.
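As an added example (not part of the original document), the private address can be pinned at the Azure NIC rather than inside the guest OS, which is the supported way to make an Azure VM's address static; the resource group and NIC names are placeholders, and the Az PowerShell module with a prior Connect-AzAccount is assumed.

```powershell
# Added example: pin the DC's private IP at the Azure NIC level.
# Requires the Az PowerShell module and a prior Connect-AzAccount.
# Resource group and NIC names are placeholders, not values from this document.
$ResourceGroup = 'RG-PLACEHOLDER'
$NicName       = 'NIC-PLACEHOLDER'

$nic      = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $NicName
$ipConfig = $nic.IpConfigurations[0]

# Switching the allocation method to Static keeps the address the VM already
# holds from the 10.0.0.0/24 subnet, so the DC does not need re-addressing
# and the VM can later be stopped and started without the address changing.
$ipConfig.PrivateIpAllocationMethod = 'Static'
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Verify the change took effect
(Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $NicName).IpConfigurations |
    Select-Object Name, PrivateIpAddress, PrivateIpAllocationMethod
```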

  1. Log into your Active Directory Server with administrative credentials.
  2. Open Server Manager → Roles Summary → Add roles and features

Figure 9: server manager

The “Before you begin” screen, which pops up next, is purely informational. You may read through it and click “Next”.

Select the installation type. If you’re going to deploy your DC in a virtual machine, choose Remote Desktop Services installation. Else, choose Role-based or Feature-based installation.

Figure 10: Installation type

Now, select the destination server on which the role will be installed. Make sure the IP address points to the selected server. If it does not, close Server Manager and retry.

Figure 11: Select destination server

Select the roles you want to install on this server. The basic requirement to promote this server into a domain controller is Active Directory Domain Services (AD DS).

Figure 12: creating server roles step 1
Figure 13: creating server roles step 2
Figure 14: creating server roles step 3

The basic features required for the proper functioning of this role are selected by default. Click next to install them.

Figure 15: Installing server roles
Figure 16: Server roles installed notification

Confirm your installation selections. It is recommended to tick the “Restart the destination server automatically if required” option. Select “Install” and, once the installation is complete, close the window.

Figure 18: Configuration menu

Once the AD DS role is installed on this server, you will see a notification flag next to the Manage menu. Select “Promote this server to a domain controller”.

Select “Add a new forest” and enter the Root domain name. This domain name will also be the forest name.

Figure 19: Configuring Domain controller deployment options
Figure 20: naming the DC forest
Figure 21: selection DNS option

Select a forest functional level and a domain functional level of your choice. Ensure that the domain functional level is equal to or higher than the forest functional level.
Since this is the first domain controller, it automatically becomes the DNS server and also the Global Catalog (GC). Enter a unique Active Directory Restore Mode password; it is used when recovering Active Directory data.

Since a DNS server is being configured as part of this promotion, you will be warned that a delegation for this DNS server cannot be created. This warning can be safely ignored.

Figure 22: DNS options
Figure 23: creating a domain name

Enter a NetBIOS name for your domain. It is preferable to match the NetBIOS name with the root domain name. For more information on NetBIOS name restrictions, see https://support.microsoft.com/en-us/kb/909264.

Figure 24: path settings

Select the folder where your database, log files, and SYSVOL will be stored. It is recommended to stick to the default settings.

Figure 25: reviewing selections

Review your options and click Next. A prerequisites check will be done by Active Directory. Once it is completed, click Install.

Figure 26: final pre-req check
Figure 27: Installing services
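The wizard steps above can also be run unattended; this is an added example, not from the original document, for an elevated PowerShell session on the VM. The domain name, NetBIOS name and functional levels are assumptions to be replaced with your own values.

```powershell
# Added example: unattended equivalent of the Server Manager wizard steps above.
# Run in an elevated PowerShell session on the future DC. All names are placeholders.
$DomainName  = 'corp.example.org'   # placeholder root domain; also becomes the forest name
$NetbiosName = 'CORP'               # placeholder; matches the first label of the root domain

# DSRM password, prompted rather than hard-coded so it never lands in a script or log
$DsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Step 1: the AD DS role plus its management tools (AD PowerShell module, ADUC, etc.)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote to the first DC of a new forest. Splatting lets each wizard choice
# be commented; the first DC is always a Global Catalog, so no switch is needed for that.
$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 level (assumed)
    DomainMode                    = 'WinThreshold'   # must be equal to or higher than the forest level
    InstallDns                    = $true            # first DC also becomes the DNS server
    CreateDnsDelegation           = $false           # the "delegation cannot be created" warning is expected
    DatabasePath                  = 'C:\Windows\NTDS'   # default locations, as recommended above
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $DsrmPassword
    NoRebootOnCompletion          = $false           # reboot automatically, as the wizard does
    Force                         = $true            # suppress the interactive confirmation prompt
}
Install-ADDSForest @forestParams
```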

Your system will be rebooted automatically for the changes to take effect. After the reboot, verify the health of the domain controller as shown below; all services should show as green.
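A scripted version of the health check, as an added example that is not part of the original document, run in an elevated PowerShell session on the DC after the reboot:

```powershell
# Added example: post-reboot health check for the new domain controller.
Import-Module ActiveDirectory

# Core services every DC depends on: directory service, Kerberos KDC,
# Netlogon (secure channel and SRV record registration) and DNS.
$services = 'NTDS', 'KDC', 'Netlogon', 'DNS'
$down = Get-Service -Name $services | Where-Object Status -ne 'Running'
if ($down) { Write-Warning ('Not running: ' + ($down.Name -join ', ')) }

# Confirm this host holds the roles the wizard gave the first DC: DNS and Global Catalog
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
$dc | Select-Object HostName, Domain, Forest, IsGlobalCatalog, OperatingSystem | Format-List

# The SRV record clients use to locate a DC; a missing record is a classic cause of
# failed domain joins and logons from the workstations added in the next steps.
Resolve-DnsName -Name ('_ldap._tcp.dc._msdcs.' + $dc.Domain) -Type SRV

# Built-in diagnostics; /q prints only errors, so empty output is the desired result
dcdiag.exe /q
```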

Figure 29: immediate login success identification
Figure 30: AD users and computers setup tool
Figure 32: Initial password and option setup
Figure 34: Save the children Melbourne setup
Figure 35: checking user groups

6.   Next steps

These steps will confirm that the DC is functional and can be set up to grant user permissions for virtual remote desktop as a service on-prem, as well as access permissions to the cloud workflows.

  • Creating a new VM with Windows 10 Professional as the OS
  • Setting its DNS server to the DC we just created
  • Adding that VM to the DC computer group in the Melbourne organizational unit we created
  • Testing login with the user profiles we created on the DC
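As an added example (not part of the original document), the objects referred to in the figures and next steps above (the Melbourne OU, a workstation group, a test user with an initial password) can be created with the ActiveDirectory module on the DC, and the Windows 10 VM joined from its side; the domain, OU, group, user and computer names, the DC's private address and the interface alias are all placeholders.

```powershell
# Added example. Part 1 runs on the DC; Part 2 on the new Windows 10 VM; Part 3 on the DC again.
# All names, addresses and the domain are placeholders, not values from this document.

# ---- Part 1: on the DC ----
Import-Module ActiveDirectory
$DomainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example,DC=org
$OuPath   = "OU=Melbourne,$DomainDn"

# Organizational unit for the Melbourne office, then a security group for its workstations
New-ADOrganizationalUnit -Name 'Melbourne' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name 'Melbourne-Workstations' -GroupScope Global -GroupCategory Security -Path $OuPath

# A test user with a one-time initial password that must be changed at first logon
$InitialPassword = Read-Host -AsSecureString -Prompt 'Initial password for the test user'
New-ADUser -Name 'Test User' -SamAccountName 'testuser' -Path $OuPath `
    -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true

# ---- Part 2: on the Windows 10 VM (elevated) ----
# Point DNS at the DC first; the join relies on the DC's SRV records. In Azure the same
# effect can be achieved for every VM at once by setting the VNet's custom DNS server.
$DcPrivateIp = '10.0.0.4'                              # placeholder address in the 10.0.0.0/24 subnet
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $DcPrivateIp

# Join straight into the Melbourne OU; the prompt asks for a domain account with join rights
Add-Computer -DomainName 'corp.example.org' -OUPath 'OU=Melbourne,DC=corp,DC=example,DC=org' `
    -Credential (Get-Credential -Message 'Domain account with join rights') -Restart

# ---- Part 3: back on the DC, after the client reboots ----
# Add the new computer account to the workstation group and confirm membership
Add-ADGroupMember -Identity 'Melbourne-Workstations' -Members (Get-ADComputer -Identity 'WIN10-PLACEHOLDER')
Get-ADGroupMember -Identity 'Melbourne-Workstations' | Select-Object Name, objectClass
```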