Installing Active Directory Domain Services in Windows Server 2022, along with DNS and DHCP

Captions
Hey Bear. Oh, wanna help me today? Okay, what are we... Yes, yes, this is where I talk to the people. Where are the people? How come I can't see the people? No, uh, I'm looking for... No, it doesn't work that way. When we talk about stuff, they see us, but we can't see them. But what if I want to see the people? Well, that's just how it works. Okay, let's teach something. Let's, let's teach something with browsers. Let's teach them with brett. No, today we're installing Active Directory. We're supposed to do that. I think I'd rather do browsers. Why? Okay, why would you rather talk about browsers? Because browsers have cookies, and I'm hungry. Okay, let's just roll the thing. You woke me up for this?

Hey everybody, Troy here, and welcome to today's video. We are doing Active Directory, and we're going to do a fairly in-depth installation here today. I want to show you how important Active Directory is as the cornerstone of your network environment. Now, there's going to be quite a few aspects to this video, so as always, take a look at the time stamps, see if there's any particular spot that you want to jump to if you're here for something very specific. Otherwise, just walk through step by step; we'll get this done.

All right, let's jump to our topology. What you can see here is I'm building two machines today in a virtualized environment. I'm using Microsoft Hyper-V, and my first machine will be a server running Windows Server 2022. This is going to be the domain controller for a domain called corp.acme.com. That's going to be my Active Directory environment. It's going to be running my Active Directory Domain Services role, DNS, DHCP. You can see I'm running with IPv4 here, and I've already assigned a static IP to this machine. I'm also going to be adding a client PC, just a simple Windows 10. It's going to be DHCP enabled, and I'm going to join this machine to the corp.acme.com domain for testing and verification purposes. I'm also going to be building a fairly simple organizational unit structure. This is going to help us going
forward and give us some preliminary configuration and organization within our Active Directory environment for our users, specifically an IT group and a general staff group. When we're all finished, we're gonna have some fairly broad functionality and the cornerstone of a pretty good Active Directory environment. All right, let's get this out of the way and pop into our server, and we'll get this train on the rails.

The first thing you're going to see is that I've simply deployed Windows Server 2022. This is its default configuration, with the exception of two key things. What I've done is I have renamed the machine to the desired hostname of DC01, and I have statically assigned the IP address of 192.168.0.1 as per my topology. Best practice is for a domain controller to have a static IP, and good practice for any machine that's going to serve as a server in your world.

We're going to start by adding the server role. Pop over to my Dashboard tab, I'm going to Add roles and features, and I'm going to follow the wizard to add the Active Directory Domain Services server role. This is a role-based installation. I'm going to verify that the server pool is showing the correct parameters as intended, and I'm going to move to check this box called Active Directory Domain Services, and it immediately says I'm going to add all these management features, which I'm going to agree to. Hit next and follow through. Oh, you'll see here that it is going to add also a series of management features for something we call Group Policy Management. We're going to cover that off in a video to come. Now let's keep going. Here it gives me some information about what Active Directory does: it stores information about users, computers and other devices on the network. This is an entire virtual environment that's going to allow us to securely administer, authorize, authenticate all the users, computers, objects, resources in our environment. Couple things: it suggests we should have redundancy, we should possibly consider having more
than one domain controller. I'm going to do that in the very next video. It also tells me I need DNS. It has to have DNS to work; they're integrated at the core, and if we do not have a DNS server, it's going to give us a chance to install the DNS server role. Right now I have not installed DNS yet. I'm going to take care of two birds with one stone here simply by following this wizard. Next we go. You'll see that I get a chance to restart this destination server. Active Directory does require a restart. Now, we've done videos on DHCP, on DNS; it's not required a restart after the installation of the server role. Active Directory will need it, so pay attention to that if you're working on a production machine. This is a lab environment; I have no problem, I'm going to let it do that. It's going to summarize what it's going to install: Active Directory, GP management, my Group Policy Management, all the additional tools that I need to do so, and here comes my installation.

Now, this portion of the installation is fairly quick. This is just the server role. This is not creating or promoting this machine to a domain controller or creating the Active Directory environment yet. This is just setting the role up to allow me to do so in the post-deployment configuration stage, which will be coming right after this. And there we go: we have successfully configured our installation on DC01. We now have all these tools. Now remember I said that there's a restart coming. It's not right after that role; where we're going to see is right here, when we do our post-deployment configuration. I now have to promote this machine to a domain controller. Essentially what I'm doing here, everybody, is now that I have Active Directory installed on this machine, I need to create the Active Directory environment. That's the restart that's coming I was talking about. I'm going to hit the button that says Promote this server to a domain controller, and I'm going to make this server the anchor of my Active Directory environment. First thing
I'm challenged with is the wizard. I'm going to name this particular domain. By default it's assuming that there may already be an existing domain. There is not. I'm going to create a brand new forest with a brand new domain name. Now, what do we call our domain? Well, there are best practices here. Honestly, it is a simple... I could call this Bob if I wanted to. I could call my virtual environment, my Active Directory domain, Bob. It's that flexible and that simple. However, there are best practices here, and I've sent an article into the description that talks about the general naming conventions of Active Directory for computer names, domains, sites and OUs. I'm going to follow the Microsoft best practices here, which takes a registered external namespace such as acme.com and prepends it with something to denote this as a subdomain. I'm going to use int.acme.com, just per my topology. Now, you will see domains where the administrator has elected to simply match the namespace for the domain with their external registered namespace. So maybe there's acme.com, that's a web space out on the World Wide Web, and maybe an administrator chooses to match that name with his or her Active Directory domain. If you do that, you do have to have some additional configuration to deal with something we refer to as split-brain DNS. I'll put a link to some information on that in the description below as well. But as I said, I'm going to avoid that problem by prepending my external domain name with an internal domain reference, making it int.acme.com, as I built in my topology. Let's hit next, and my forest is being created and we're all set.

Okay, now we get a chance to select the functional level of our new forest and root domain. This is for backwards compatibility, and you can see that I can actually make this domain compatible with server installations as far back as Windows Server 2008. I'm not going to do that, because what happens is it does compromise some of the functionalities that have been present since
2016. I'm going to leave the defaults, meaning that I'm going to take advantage of as much functionality as I can without compromising it for the need for compatibility to old systems. You'll see now that this domain controller is going to include the anchor of my DNS. It is going to be a Domain Name System server. It's also going to be the location of something called the global catalog, which means this is the primary place that the global catalog will live for my Active Directory environment. I need to give my installation a Directory Services Restore Mode password, a DSRM, and I'm going to just type in a password right here that meets my complexity requirements, and I'm going to hit enter. Now my server's discovered that there is no place for DNS. There's no DNS installed right now, and so it says I can't find one. Gives me a chance to create a DNS delegation with another server, but I don't need to do so because we're going to install DNS right here. I'm going to hit next, and now I get a chance to verify something we refer to as our NetBIOS name. Now pay close attention here. It is pulled from my... Remember, the name I gave this entire domain environment was int.acme.com. Now, the int was the preceding portion of my entire namespace. I don't want int to be my namespace. I'll show you where this comes into play later on when we add our computer to this domain environment, but what I'm going to do is change this for a more sensible name for our users. This is what our users are going to see. I'm going to change this to ACME, and you'll see why in about 10 minutes. Let's hit next. More configuration happens. It's going to create now my database files for my Active Directory. Not normally any need to change the location of these folders. I'm going to accept the defaults, move forward, and I now have a summary of my installation. Again, just as always with my Windows wizards, I can export these parameters, so I could reinstall these using PowerShell if I wanted to, but I'm going
to hit next and enter the prerequisite check to ensure that this machine can support its role as a domain controller. And there we go. Now you're going to see that I actually have a couple things here. I got some yellow, amber kind of warnings. It's giving me some information I may want to just read about, but what's important is that I successfully passed all prerequisite checks. I am good to go with this in this installation. This is also the reboot I was talking about. Remember I said there is a reboot involved here with setting up Active Directory; this is where this is going to happen. I'm going to hit install and I'm just gonna let this cook. It's gonna take a couple minutes. I'm gonna pause the video, come back when it's done.

Okay, and we're back. It's going to reboot my machine. What it did was installed that Active Directory environment based on the parameters that I gave it. It also created the DNS role, and it's now rebooting to open up this new Active Directory environment that we just created. And there we go: we are now ready to log into our new Active Directory environment. Now remember I mentioned that NetBIOS setting; this is where it shows up. It's giving me a chance to sign into the ACME environment. Now that is the NetBIOS that I chose. Remember, had I not changed it, it would have had the prepended word in my namespace, which would have been INT, and that would have been a bit confusing to my users. It's not the end of the world, it's just this is a bit tidier. It definitely denotes the name of this environment. I'm going to log in as the administrator that I created in the process of setting that up. Okay, so this is the domain administrator. It was set by default, and now I am now looking at my machine as the domain controller for my Active Directory environment. Let's look and see what's different. So first and foremost, you can see that I have a series of tools here. I've got my Active Directory installation along with my Domain Name System installation, so both were installed
in the course of that configuration. This has also been promoted to no longer be part of the workgroup. You'll see that it is now a domain-joined machine in int.acme.com. That's the domain that we built. You'll remember it previously said workgroup; it is now the anchor to this domain. Nothing has changed with respect to my IP addressing. I do have a series of tools available to me that I did not have before. In the course of the installation, you'll see I now have the Active Directory admin center, Domains and Trusts, Sites and Services, Users and Computers. I also have DNS.

Let's verify DNS first. I'm going to click on the MMC for DNS, my DNS Manager, and let's take a look and see what happened here. First, I'm going to be in and out of this a lot; I'm going to right click, just pin this to my taskbar for easy reference. And let's take a quick look at what Active Directory configured when it built DNS for me. I'm going to open up this, and you can see that I have my DNS forward lookup constructed for me already, and you can see it's all good to go, including the A record for that server. So my DC01, this machine, has been properly added to the DNS. It is, if I were to right click, take a look at the properties, the start of authority. It is a qualified name server for this environment, fully validated, everything is good, and it has already added this host name for me. Fantastic. Look what it has not done, though, fairly important: it has not created a reverse lookup zone. There's no primary reverse lookup zone here, so if I'm using this as a DNS server, this lack of pointer record is going to be a problem. Let's fix that right on the spot. I'm going to create a new zone. This is going to be a primary reverse zone, and look at the difference in the wizard. I'm talking about the difference of the video that we created a little while back on creating standalone DNS. I now have a chance to create a replication scope. This is going to automatically replicate my DNS to all DNS servers running on domain controllers in this
domain by default. So what that means is that if I add another domain controller, which I'm going to do, this DNS information will be transferred and shared with other domain controllers in the domain by default. That's easy, that's awesome, that's fantastic. Let's hit next. It is an IPv4 reverse lookup zone. My network address is 192.168.0 on a /24. I'm going to hit next, and now I see that I have an opportunity by default to allow for secure dynamic updates. So what this means basically is as machines are added to my Active Directory, records will be created for those resources inside my DNS. Awesome. I'm going to accept that and hit finish, and you'll see there is my option here, there's my SOA. I'm gonna go take a look at my name server. Let's verify this just quick: resolve, everything is good, apply, click. Let's go now and fix a pointer record for my DC01, and open this up, update that pointer record, hit apply, done. A little bit of a refresh here, and I've just validated my DNS. Beautiful.

So let's recap so far. Here's what we've done: I have installed the Active Directory Domain Services role, and then I promoted this machine to be the domain controller for a new Active Directory domain environment called int.acme.com. In the course of that installation, Active Directory built me a DNS environment, and I have now gone in and validated those records. The primary forward lookup zones were already established; however, I had to go in and build my own reverse lookup zone to make this work and correct that host record for my domain controller, which is called DC01. Easy peasy.

Now, just for fun, what I'm going to do is I'm going to install DHCP, because I want to round out this environment a little bit more. Let's close up my DNS Manager. I'm going to go back to my Server Manager. I'm going to add this role for DHCP. I'm going to kind of go through this fairly quickly because I did a full video on this. If you want to do this and dive into how we configure DHCP, take a look at that other video on
installing DHCP as well as failover DHCP. Notice that my machine is now representing the fully qualified domain name dc01.int.acme.com. I'm going to install the DHCP role along with all its management features. I'm going to hit next and I'm going to install. This is a fairly quick little installation. I'm gonna let that happen, and we're going to commit that DHCP installation as soon as it pops up on my screen. And there we go, DHCP is ready to go, and as expected I have to complete my DHCP configuration by creating a couple security groups inside my environment. Now, it was fairly important that I did this after the installation of my Active Directory. Why? Because it recognizes my Active Directory credentials to manage and monitor my DHCP. So that was a fairly strategic application; I did that kind of on purpose. You'll see that it's asking me if I can use the ACME domain administrator's credentials to manage DHCP, and I'm going to say yes, I can. Done and done.

Let's go build a scope. I'm going to go under Tools, DHCP. This is my DHCP snap-in. I'm going to right click, I'm going to pin that to the taskbar, so I'll probably be in and out of that quite a bit. Let's build a quick little scope for IPv4. Right click, new scope, check, and I'm just going to call this my ACME... oh, I should spell that right... ACME IPv4. Excellent. I'll skip the description. Let's use a subset of my address space. So what I'm going to do here is not give out the full range. I'm going to say I want all my DHCP clients to start at, say, 50, and I'm going to take them up to 200. That's going to give me 251 clients in this environment, perfectly fine for my lab environment. This is a /24, a 255.255.255.0 subnet. I'm gonna leave that default, and I don't have any exclusions. I'm gonna accept the regular lease, and I'm gonna configure the additional parameters. Now I've got a pretend gateway here, which I'm going to hand out to my clients, and I'm going to say that that router is 192.168.0.254.
Check. Now look at this: it's now asking me, hey, do I want this integration to marry to my parent domain, my int.acme.com? It recognizes that this domain exists and it's saying, hey, I presume you want to use the domain controllers in your acme.com environment, right? And it has correctly defined that the answer to that question is yes. This machine is 192.168.0.1; that's going to be one of the DNS servers that I'm going to hand out. Let's hit next. No WINS involved. I'm going to activate this scope, finish, and away we go. Fantastic.

Now there's another machine at the other end of this wire. There's a PC set up with a private switch. Let's go see if we can get a DHCP assignment from this new scope. I'm going to minimize my DHCP, minimize my server, and I'm going to pop over to PC1. All right, PC1, let's take a look. Okay, now this particular machine, I'm going to pop in here and I'm going to go to my adapter properties, and you're going to see that this thing is actually set for DHCP. So if I hit OK, I should be able to do my command line, ipconfig, and let's see if I got an address. I have not. I've not got an address yet, so I'm going to have to force this. Actually, did you just see that? I was actually going to have to do an ipconfig renew, but I did not have to. It popped up, and it was just a little bit of propagation; I was a little bit ahead of myself. I'm going to hit yes and I'm going to join this environment. Let's do another. There we go, there's my 192.168.0.50, so we're good. I didn't even have to do anything. Let's add an /all to my ipconfig. There is my DHCP server. Everything is looking good. This is fantastic.

Okay, so now I know that I have connectivity. What I need to do is join the domain formally to make sure that this computer can be properly administered in my Active Directory environment. So what I'm going to do is move to my PC, and I'm going to right click, go to the System, and I'm going to join this machine to the domain. So what I'm going to do is move down to my system info and I'm
going to change the settings, and I am going to change its domain or workgroup right there. Change. Now, the name of this machine, PC01, I did set that as before. I could change it right here if I wanted to, but I'm going to join the domain called int.acme.com, and it's going to challenge me for credentials. It's going to say, hold on, are you allowed to join this domain? I'm going to add the credentials for my domain administrator, which is going to be administrator, and I'm going to use the password that I use. Okay, now this is the domain administrator credentials that will actually authorize this machine to be part of this domain. I'm not using my PC credentials here because those are not recognized in my Active Directory environment. And hit OK, and short little wait, and now it has welcomed me to the int.acme.com domain. I'm going to hit close and restart this machine. Now the restart here is fairly important, because what this now gives me a chance to do is log into this machine using domain credentials. You saw a short little flash there where I saw that I was using a local user called test user. Now, my Active Directory environment has no idea that test user exists. If I go try to log in, I'm logging in locally, and that does not make me part of my Active Directory world. I want to log in with an Active Directory user, but first we should create them. So I'm going to minimize this and I'm going to go back to my friend DC01.

Okay, in my topology I said that I was going to create a series of users, and I was going to create specifically two users: an IT administrator called me and a staff employee called Batman. Now I'm going to do that, and then I'm going to show you that I'll be able to use these credentials to log into this machine and access the resources provided by my Active Directory environment. So the way we're going to do that is under a tool called Active Directory Users and Computers. So I went into my Server Manager, I'm going to open up a fresh new snap-in, and I'll just
make that go away so you can see this nice and easy, and again a little right click, pin this to my taskbar because I'll be in and out of this quite a bit as well. And there is my int.acme.com world. What you're looking at, everybody, is a series of organizational units. These are built-in containers that separate and organize all the resources inside my world. You'll see that I have a series of built-in groups. I have... there's my default users as well, sorry. So these are my built-in groups, these are my built-in users. There's my domain administrators, there's my DHCP administrators. All of these security groups are stored right here. I also have a default container called Domain Controllers, and that is where my DC01 lives. And look at this: I have a special organizational folder called Computers, and in there I have PC01. Where did that come from? That was put there when I joined PC01 to my domain. Awesome. Thanks for taking care of me, Active Directory. You are making this so easy, I appreciate it. Now, I haven't built any unique users. I haven't built any for my personal environment, which was one of the reasons I did this in the first place. So what I'm going to do is I'm going to build a small subsection of organizational units to house my particular users so I can administer and manage their permissions easily.

Now let's add our own users. I'm going to right click at the top level of this domain, and I'm going to go New, Organizational Unit. I get a chance to name this thing. I'm just going to call it ACME. This is my topology; it's going to be very, very simple for now. I'm going to uncheck this box where it says Protect container from accidental deletion. I recommend you do that for yourself as well, especially as you're playing in the lab. You're going to build, remove, you want to adjust and move these things around; it's a little bit easier if you don't protect it. In a production environment it's very smart to have that checkbox done, and I'll try to show you in another video where you would
actually delete an OU that was protected from deletion, but I just uncheck that box. I'm going to hit OK, and there is my OU. Okay, now my topology says I want a couple OUs inside there, so I want an OU for my IT people and an OU for my staff. I'm going to right click on ACME again, New, Organizational Unit, and now I'm building a nested OU called IT. Again I'm going to uncheck that box, and I'm going to build another nested, off the ACME OU, nested OU called Staff. Uncheck that box, and away we go. I need to build an IT user called Troy, so let's put, let's build Troy in this Active Directory world. I'm going to right click on this space, called New, User, and I'm going to put Troy in here. Great. Challenges me for a logon. What naming convention do I want to use? What credentials do I want to tell my users to use when they log into my environment? I'm just going to go first initial, last name; that's what I'm going to do. So Troy will log on as tberg when he logs onto that machine. I'm going to hit next. Gives me a chance to create a password, and I'm just going to create a simple password here that meets the complexity requirements of the domain. You get it. You see here that there's an opportunity for me to challenge this user to change the password. I'm not going to do that right now. You can also restrict the user from changing the password. You could set some parameters about the account. I'm going to leave those blank and I'm going to hit finish, and Troy is created as a user.

Okay, now Troy is an IT administrator and we want to give him domain administration rights. And so one of the good practices that we follow in a production environment is we try to avoid using the default domain administrator account, Administrator, which gives you all the power. So we're going to log in in future as Troy, but I need to give Troy the domain administration privileges. The way I would do that is I'm going to right click and I'm going to look at the properties for Troy, and you'll see that I've
got all sorts of things that I can set here. In future videos we're going to dig in and see all the parameters we can set for our users, but what I want to do is I want to make sure Troy is a member of a group called... I'm just going to type the word domain here, check names. I want Troy to be a member of the group called Domain Admins. It means I can use Troy's credentials, or Troy can use his credentials, as a domain administrator throughout this environment. I'm going to hit OK, hit OK. You'll see now that Troy, me, is a member not only of the Domain Users but also a member of the security group called Domain Admins. I've given myself permission to be a power user in this Active Directory environment.

Now let's build our second user. You'll see that I've got Batman; he needs to live in the Staff folder. I'm going to right click on my... or I'm going to regular click on my Staff folder, right click anywhere in this white area, New, User, and I'm just going to do this same thing again. Oh, I should type that right. Batman, and I'm going to use my same login naming convention, bman, so bman@int.acme.com. Let's give Bat a password. Go. I'm not going to make him change that pass... well, you know what, let's do that. Let's watch this work. We'll watch this in action. I'm going to leave that checked. Everything else is fine. Hit finish, away we go, Batman is set.

Now what we've done, everybody, is we've created some users with credentials that we can use to log into this workstation at PC01. Let's go test them. I'm going to get rid of this, I'm going to go down here and I'm going to go back to PC1, and let's see if we can make this work. There we go. I don't want to log in as test user. You'll notice that that's the local user that I had used. What I'm going to do is I'm going to click on Other user, and you see I get a chance now to log in to my ACME domain. And let's start off with tberg. I know these credentials are going to work because those are now being authenticated against the Active Directory
environment that I just created. So Troy Berg. Now these credentials are being authenticated against DC01. It's the one that's actually saying, hey, are you allowed to be logging in here? Um, well, your username and your password match, and it should be welcoming me in in just a second. And we're in. There we go. And so I can actually just go and verify. I'm going to pop into my... there's my Start menu. You see, if I hover over this, you're going to see that Troy Berg, that's who I'm logged in as. And I should be able to do this: let's get my Start menu and do a little quick query user, and it says yes, the user is tberg, I am logged on. It recorded the time that I created that connection. Now I have full administrative rights in this domain. I'm a user on this machine. I have passed that authentication.

Let's log in as Batman. I'm going to log off, I'm going to sign out from Troy's account, and I'm going to log back in as Batman. A little Ctrl+Alt+Delete again. Let's go to Other user, and I'm going to go bman, and I'm going to type in the password that I set in Active Directory. Now remember, we had a check box here that said Batman should have to change the password upon login for the first time, and there's that action right there: user's password must be changed. I'm going to hit OK and I get a chance to create a new password. Uh, it was the same one with just another number. It changes the password and it's going to create this new environment for Batman. So again, what's happened here is that I have now authenticated against Active Directory to create this new environment, and it's creating this first profile logged in on PC1 for Batman.

So what we did is we installed a fully functional Active Directory environment complete with DNS and DHCP. We then added some users to this Active Directory environment, and we used those users to log into our PC01, which we joined to our Active Directory environment. We allocated an IPv4 address via DHCP, and we watched the entire world propagate and interact together with
the credentials and authentication that we built with our Active Directory DC. That was a lot. If you come back for the next video, what we're going to do is we're going to add a second domain controller, and we're going to watch how we can create some Active Directory redundancy in this world. See you soon.
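
The walkthrough mentions that the wizard's parameters can be exported and replayed with PowerShell. The script below is an added example, not code from the video or its author, that reproduces the same build on DC01 using the domain, NetBIOS name, addresses, scope and accounts named in the captions. The file name `Build-Lab.ps1` and the two-phase split around the promotion reboot are assumptions, and it leaves OU deletion protection on, which the video unchecks for lab convenience while recommending it for production.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the video. Build-Lab.ps1 is a hypothetical file name.
#   .\Build-Lab.ps1 -Phase 1   # install the AD DS role and promote DC01 (reboots)
#   .\Build-Lab.ps1 -Phase 2   # after the reboot, signed in as a domain administrator
param(
    [Parameter(Mandatory)]
    [ValidateSet(1, 2)]
    [int]$Phase
)
$ErrorActionPreference = 'Stop'

# Values as used in the walkthrough
$Domain   = 'int.acme.com'
$NetBios  = 'ACME'
$DomainDN = 'DC=int,DC=acme,DC=com'
$DcFqdn   = "dc01.$Domain"
$DcIp     = '192.168.0.1'

if ($Phase -eq 1) {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    # The DSRM password is prompted for so it never sits in the script or history.
    $dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

    # New forest with integrated DNS; functional levels and database paths stay
    # at their defaults, as in the wizard. The server reboots when this completes.
    $forest = @{
        DomainName                    = $Domain
        DomainNetbiosName             = $NetBios
        InstallDns                    = $true
        SafeModeAdministratorPassword = $dsrm
        Force                         = $true
    }
    Install-ADDSForest @forest
    return
}

# ---- Phase 2: DNS reverse zone ------------------------------------------------
# AD-integrated, replicated to DNS servers on DCs in this domain, secure updates only.
Add-DnsServerPrimaryZone -NetworkId '192.168.0.0/24' -ReplicationScope Domain -DynamicUpdate Secure
Add-DnsServerResourceRecordPtr -ZoneName '0.168.192.in-addr.arpa' -Name '1' -PtrDomainName $DcFqdn

# ---- DHCP role, authorization and scope ---------------------------------------
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Add-DhcpServerSecurityGroup                          # DHCP Administrators / DHCP Users
Add-DhcpServerInDC -DnsName $DcFqdn -IPAddress $DcIp # authorize the server in AD

$scope = @{
    Name       = 'ACME IPv4'
    StartRange = '192.168.0.50'
    EndRange   = '192.168.0.200'
    SubnetMask = '255.255.255.0'
    State      = 'Active'
}
Add-DhcpServerv4Scope @scope
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -Router 192.168.0.254 -DnsServer $DcIp -DnsDomain $Domain

# ---- OU structure ---------------------------------------------------------------
# Deletion protection is kept on here (assumption: production-style default).
New-ADOrganizationalUnit -Name 'ACME' -Path $DomainDN -ProtectedFromAccidentalDeletion $true
foreach ($ou in 'IT', 'Staff') {
    New-ADOrganizationalUnit -Name $ou -Path "OU=ACME,$DomainDN" -ProtectedFromAccidentalDeletion $true
}

# ---- Users ----------------------------------------------------------------------
$troyPw = Read-Host -AsSecureString -Prompt 'Initial password for tberg'
$troy = @{
    Name              = 'Troy Berg'
    SamAccountName    = 'tberg'
    UserPrincipalName = "tberg@$Domain"
    Path              = "OU=IT,OU=ACME,$DomainDN"
    AccountPassword   = $troyPw
    Enabled           = $true
}
New-ADUser @troy
# Named admin account used instead of the built-in Administrator for daily work.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'tberg'

$bmanPw = Read-Host -AsSecureString -Prompt 'Initial password for bman'
$bman = @{
    Name                  = 'Batman'
    SamAccountName        = 'bman'
    UserPrincipalName     = "bman@$Domain"
    Path                  = "OU=Staff,OU=ACME,$DomainDN"
    AccountPassword       = $bmanPw
    Enabled               = $true
    ChangePasswordAtLogon = $true   # forces the first-logon change shown on PC01
}
New-ADUser @bman

# ---- Verification ---------------------------------------------------------------
Resolve-DnsName -Name $DcIp -Type PTR -Server $DcIp   # should return dc01.int.acme.com
Get-DhcpServerInDC                                    # DC01 listed as authorized
Get-DhcpServerv4Scope                                 # 192.168.0.0 scope, State Active
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty SamAccountName
```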
Info
Channel: Troy Berg
Views: 42,530
Id: joIubWzQ6P8
Length: 33min 35sec (2015 seconds)
Published: Mon Feb 07 2022