Active Directory in Windows Server 2016
What is Active Directory?
If you are new to Active Directory, I guess the first question you have is: what is Active Directory? At the most basic level, Active Directory is a hierarchical database that keeps track of user accounts, computers, certificates, security policies, and other resources in a computer network. Before AD was created by Microsoft, computers were standalone devices and hard to manage. For example, imagine it is the year 1998, you are the systems administrator for a company of 300 people, and you need to install a new printer for all employees in the office. How would you do that? Because all the computers are standalone, you have to install the driver for the new printer on all 300 computers manually, one by one. That is a lot of work to accomplish a simple thing. A lot of things that we systems administrators take for granted today, like file and print sharing, network group policies, etc., weren’t possible before Active Directory. So in essence, that is what AD is: a hierarchical database that makes it easier to manage user accounts, computers, and other network resources from a single location.
How does Active Directory work?
The way I have always pictured AD is as a phone book. A phone book matches names to phone numbers; Active Directory matches user accounts to network objects and resources. Unlike a phone book, though, AD can keep information about organizations, sites, systems, users, shares, and many other things, so AD is more flexible than a phone book, but the concept is similar. One significant difference is that AD saves objects in a hierarchical order, and all objects are unique. That is why a domain name is required when installing AD: all objects in a domain forest are “subdomains” or children of the top domain. For example, if I create a user called “ayyu” in my AD it will be saved as “[email protected]”, and if you try to create the same account again, you will get an error saying there is already an object in the network with the same name.
Active Directory Components
When discussing or learning Active Directory there are some terms you need to be familiar with:
- Domain Controller: A domain controller is the server where AD is installed. Sometimes the terms Active Directory and Domain Controller are used interchangeably.
- Forest: A forest is the highest level of the logical structure hierarchy. An Active Directory forest represents a single self-contained directory. A forest is a security boundary, which means that administrators in a forest have complete control over all access to information that is stored in the forest and to the domain controllers that are used to implement the forest.
- Tree: Trees are a cohesive group of domains, known as subdomains or child domains, that grow from a root domain. All the domains within a tree share a contiguous namespace.
- Schema: The Active Directory schema contains definitions for all the objects that are used to store information in the directory. There is one schema per forest.
- Operations masters or FSMO roles: There are many FSMO roles in AD, but the most popular ones are the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) roles. The Primary Domain Controller maintains the master copy of the directory database and validates users. A Backup Domain Controller contains a copy of the directory database and can validate users. If the PDC fails, a BDC can be promoted to PDC. Data loss can happen if there are changes that have not yet been replicated from the PDC to the BDC. A PDC can be demoted to a BDC if one of the BDCs is promoted to PDC.
- Global Catalog (GC) Server: The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
- DNS: AD relies heavily on the DNS system too, which is why you can’t install Active Directory without choosing a domain name first. Unlike a website, the domain name you choose when installing Active Directory does not need to be unique, but if you have a public domain name it is recommended to use the same name when installing AD. For example, if your public website is ittutorials.net then your AD domain name could be “ad.ittutorials.net” or something like that. This domain name will become your “domain forest” once the AD component is installed successfully on the server. AD requires a DNS server, but if you don’t have one already installed when installing AD you can choose to make that server a DNS server as well. If you are setting up Active Directory for a production environment, it is always recommended to set up at least two domain controllers.
Active Directory Roles in Windows Server 2016
So far we have focused almost entirely on the Domain Services role, which is the role AD is mostly identified by. But in Windows Server 2016, as in previous Windows Server versions, there are five individual roles that make up Active Directory:
- Federation Services (AD FS): This role is necessary if you need to authenticate applications or services outside your network. For example, a few months ago we signed up for Facebook Workplace, and we wanted to authenticate users against our AD. Using this role I was able to connect the application using the OSS and the SAML protocol.
- Lightweight Directory Services (AD LDS): Most of us are familiar with this role because we use LDAP a lot. When Kerberos authentication is not possible we rely on LDAP to authenticate applications or services against AD.
- Certificate Services (AD CS): This role is responsible for managing certificates and other cryptographic components in your network. When you install a certificate in your network you use this role.
- Rights Management Services (AD RMS): This role provides persistent data protection by enforcing data access policies. For documents to be protected with AD RMS, the application the document is associated with must be RMS-aware.
- Domain Services (AD DS): This is the main role in Active Directory. It stores and manages information about the network resources.
There are interesting new features now made available in Windows Server 2016 such as time-based group membership, privileged access management, and others. Most will be covered in future posts. This post will detail how to install Active Directory on Windows Server 2016.
Before the AD install, however, it is important to understand what the minimum requirements for Windows Server 2016 are. Details are as follows:
Processor
• 1.4 GHz 64-bit processor
• Compatible with x64 instruction set
• Supports NX and DEP
• Supports CMPXCHG16b, LAHF/SAHF, and PrefetchW
• Supports Second Level Address Translation (EPT or NPT)
Coreinfo is a tool you can use to confirm which of these capabilities your CPU has.
RAM
• 512 MB (2 GB for Server with Desktop Experience installation option)
• ECC (Error Correcting Code) type or similar technology
Storage controller and disk space requirements
Computers that run Windows Server 2016 must include a storage adapter that is compliant with the PCI Express architecture specification. Persistent storage devices on servers classified as hard disk drives must not be PATA. Windows Server 2016 does not allow ATA/PATA/IDE/EIDE for boot, page, or data drives.
The following are the estimated minimum disk space requirements for the system partition.
Minimum: 32 GB
Network adapter requirements
Minimum:
• An Ethernet adapter capable of at least gigabit throughput
• Compliant with the PCI Express architecture specification.
• Supports Pre-boot Execution Environment (PXE).
A network adapter that supports network debugging (KDNet) is useful, but not a requirement.
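To check most of the minimums above before you start, here is an added pre-flight script (not from the original post) that reads the same facts through standard CIM classes and the Storage and NetAdapter modules. It assumes an elevated PowerShell session on the candidate server; the CMPXCHG16b, LAHF/SAHF and PrefetchW instructions are not exposed through CIM, so those still need Coreinfo.

```powershell
# Added example: pre-flight check for the Windows Server 2016 minimums.
# Run in an elevated PowerShell session on the server you intend to promote.
$results = [ordered]@{}

$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
$os  = Get-CimInstance Win32_OperatingSystem
$cs  = Get-CimInstance Win32_ComputerSystem

# Processor: 1.4 GHz, 64-bit, SLAT (EPT/NPT); NX/DEP is reported by the OS class
$results['CPU >= 1.4 GHz']   = $cpu.MaxClockSpeed -ge 1400        # MaxClockSpeed is in MHz
$results['CPU is 64-bit']    = $cpu.AddressWidth -eq 64
$results['SLAT (EPT/NPT)']   = [bool]$cpu.SecondLevelAddressTranslationExtensions
$results['NX/DEP available'] = [bool]$os.DataExecutionPrevention_Available

# RAM: 512 MB minimum, 2 GB for Desktop Experience; we test the higher figure
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
$results["RAM >= 2 GB (have $ramGB GB)"] = $cs.TotalPhysicalMemory -ge 2GB

# System partition: 32 GB minimum
$sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$results['System disk >= 32 GB'] = $sys.Size -ge 32GB

# Storage: no ATA/PATA/IDE disks (BusType 'ATA' is the legacy parallel interface)
$results['No ATA/IDE disks'] = -not (Get-PhysicalDisk | Where-Object BusType -eq 'ATA')

# Network: at least one physical adapter capable of gigabit (Speed is in bits/s)
$results['Gigabit NIC present'] = [bool](Get-NetAdapter -Physical |
    Where-Object { $_.Speed -ge 1000000000 })

# Print a simple OK / CHECK table
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```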
So in my demo, I am using a virtual server with Windows Server 2016 Datacenter. In order to set up Active Directory, we need to log in as a local administrator. The first thing to check is the IP address configuration.
1) Once Active Directory is set up on the server, it is also going to act as the DNS server. Therefore, change the DNS settings on the network interface and set the server’s own IP address (or the localhost IP 127.0.0.1) as the primary DNS server.
2) Then open Server Manager. Go to PowerShell (as administrator), type ServerManager.exe and press Enter,
or click on the Start button, and then click on Server Manager.
3) Then in Server Manager click on Add roles and features.
4) This opens the Add Roles and Features wizard. Click Next to proceed.
5) In the next window keep the defaults and click Next.
6) Since this is going to be a local server, in the next window keep the default selection.
7) In the next window, from the list of roles, tick the box for Active Directory Domain Services. It will then prompt to show you the features associated with the role. Click on Add Features to add those. Then click Next to continue.
8) On the Features page, keep the defaults and click Next to proceed.
9) The next window gives a brief description of the AD DS service. Click Next to proceed.
10) Then it will ask for confirmation of the install; click on Install to start the role installation process.
11) It will then run the installation process.
12) Once installation completes, click on the option Promote this server to a domain controller.
13) This opens the Active Directory configuration wizard. In my demo, I am going to set up a new forest. But if you are adding this to an existing domain you can choose the relevant option. (I am going to write a separate article to cover how you can upgrade from an older version of Active Directory.) Select the option to add a new forest and type the FQDN for the domain. Then click Next.
14) On the next page, you can select the domain and forest functional levels. I am going to set it up with the latest. Then type a password for DSRM (Directory Services Restore Mode). Then click Next.
15) For the DNS options, this is going to be the first DNS server in the new forest, so no modifications are needed. Click Next to proceed.
16) For the NetBIOS name keep the default and click Next.
17) The next page is to define the NTDS, SYSVOL and LOG file folders. You can keep the defaults or define a different path for these. In the demo, I will be keeping the defaults. Once changes are done, click Next to continue.
18) The next page gives the option to review the configuration changes. If everything is okay you can click Next to proceed; otherwise go back and change the settings.
19) In the next window, it will run the prerequisite check. If it’s all good it will enable the option to install. Click on Install to begin the installation process.
20) Then it will start the installation process.
21) After the installation the system will restart automatically. Once it comes back, log into the server as a domain admin.
22) Once logged in, open PowerShell (as administrator), type dsac.exe and press Enter. It will open the Active Directory Administrative Center. There you can start managing the resources.
23) Also, you can use Get-ADDomain | FL Name, DomainMode and Get-ADForest | FL Name, ForestMode from PowerShell to confirm the domain and forest functional levels.
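The same promotion can be scripted with the ADDSDeployment cmdlets, which is handy for building the second domain controller the post recommends or for repeatable lab builds. The script below is an added example, not code from the original post; it assumes the NIC is called “Ethernet”, uses “ad.ittutorials.net” (the illustrative name from earlier in the post) as the forest name, and keeps the wizard’s default NTDS, SYSVOL and LOG paths. Run it in an elevated PowerShell session on a freshly installed server.

```powershell
# Added example: scripted equivalent of steps 1-23 above.
$InterfaceAlias = 'Ethernet'             # assumed adapter name; check Get-NetAdapter
$DomainName     = 'ad.ittutorials.net'   # assumed forest name

# Step 1: the new DC will also be the DNS server, so point the NIC at itself
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses 127.0.0.1

# Steps 3-11: install the AD DS role plus its management tools (ActiveDirectory module, RSAT)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 14: DSRM password; prompt for it so it never lands in a script or history file
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Steps 13-17 as one parameter set. 'WinThreshold' is the Windows Server 2016
# functional level; the paths are the wizard defaults.
$params = @{
    DomainName                    = $DomainName
    DomainMode                    = 'WinThreshold'
    ForestMode                    = 'WinThreshold'
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    LogPath                       = 'C:\Windows\NTDS'
    SafeModeAdministratorPassword = $dsrm
}

# Step 19: run the same prerequisite check the wizard runs, and stop on failure
$check = Test-ADDSForestInstallation @params
$check | Format-List
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the reported items before promoting.'
}

# Steps 20-21: promote the server; -Force suppresses the confirmation prompt
# and the server reboots automatically when promotion completes.
Install-ADDSForest @params -Force

# Step 23: after the reboot, log in as a domain admin and confirm the levels
Get-ADDomain | Format-List Name, DomainMode
Get-ADForest | Format-List Name, ForestMode
```

The two Get-AD* lines at the end will not run in the same session because of the reboot; re-run them after logging back in.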
https://www.youtube.com/watch?v=lbf8PHuz4r4
Summary
AD is a very complex system and it takes a while to wrap your head around it. Understanding it takes time and a lot of hands-on experience. A lot of the things we do as systems administrators involve AD anyhow, whether it is group policy, permission and access management, LDAP authentication, etc. I hope you find this tutorial useful.