Windows server 2019 Step-By-Step: Setup Active Directory environment using PowerShell

Introduction

This article explains how to install and set up an Active Directory environment on Windows Server 2019 using PowerShell and a PowerShell configuration script.

Prerequisites

  1. Install Windows Server 2019 Standard / Datacenter on hardware.
  2. Plan the Active Directory topology.
  3. Make sure the Active Directory ports are open.
  4. Patch the server with the latest Windows updates and hot-fixes.
  5. Assign a static IP address to the domain controller.
  6. Install the Active Directory Domain Services (AD DS) role on the server.
  7. Configure AD DS according to the requirements.
  8. Evaluate the Windows event logs to validate the health of the AD DS installation and configuration.
  9. Configure service and performance monitoring.
  10. Configure AD DS backup / DR.

Active Directory Topology

https://gallery.technet.microsoft.com/site/view/file/221068/1/topology.png

In my sample environment, example.com will be the forest root domain. The first domain controller installed in the forest will hold all five FSMO roles. Once additional domain controllers are in place, you can move the roles to appropriate locations.


Active Directory Port Details

Active Directory communication uses a number of ports; the tables below list each port with its purpose.

 

Active Directory Default Ports

Port   Type      Description
135    TCP/UDP   RPC endpoint mapper
137    TCP/UDP   NetBIOS name service
138    UDP       NetBIOS datagram service
139    TCP       NetBIOS session service
445    TCP/UDP   SMB over IP (Microsoft-DS)
389    TCP/UDP   LDAP
636    TCP       LDAP over SSL
3268   TCP       Global catalog LDAP
3269   TCP       Global catalog LDAP over SSL
88     TCP/UDP   Kerberos
53     TCP/UDP   DNS
1512   TCP/UDP   WINS resolution
42     TCP/UDP   WINS replication
RPC    TCP       Dynamically-assigned ports (unless restricted)

 

Active Directory Replication

Port   Type      Description
135    TCP       RPC endpoint mapper
389    TCP/UDP   LDAP
636    TCP       LDAP over SSL
3268   TCP       Global catalog LDAP
3269   TCP       Global catalog LDAP over SSL
53     TCP/UDP   DNS
88     TCP/UDP   Kerberos
445    TCP       SMB over IP (Microsoft-DS)
RPC    TCP       Dynamically-assigned ports (unless restricted)

 

Active Directory Authentication

Port   Type      Description
445    TCP/UDP   SMB over IP (Microsoft-DS)
88     TCP/UDP   Kerberos
389    UDP       LDAP
53     TCP/UDP   DNS
RPC    TCP       Dynamically-assigned ports (unless restricted)
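Prerequisite 3 says to make sure the AD ports are open, but the article does not show how to check. The script below is an added example, not part of the original article: run from a management host, it probes the TCP ports from the default-ports table against a new domain controller and reports anything that is not reachable. The host name $DcName is an assumption; replace it with your own domain controller. UDP-only entries (137, 138) and the UDP side of the other ports are omitted because Test-NetConnection can only probe TCP.

```powershell
# Added example (not from the original article): verify from a management host
# that a domain controller is reachable on the core AD TCP ports listed above.
# $DcName is an assumption; replace it with your domain controller's name or IP.
$DcName = 'dc01.example.com'

# TCP ports from the "Active Directory Default Ports" table.
$AdTcpPorts = @(
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 139;  Service = 'NetBIOS session service' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB over IP (Microsoft-DS)' }
    @{ Port = 636;  Service = 'LDAP over SSL' }
    @{ Port = 3268; Service = 'Global catalog LDAP' }
    @{ Port = 3269; Service = 'Global catalog LDAP over SSL' }
)

$results = foreach ($entry in $AdTcpPorts) {
    # -InformationLevel Quiet returns a plain $true/$false instead of the full result object.
    $open = Test-NetConnection -ComputerName $DcName -Port $entry.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $entry.Port
        Service = $entry.Service
        Open    = $open
    }
}

$results | Format-Table -AutoSize

# Report closed ports so a firewall rule or missing role can be fixed
# before clients are pointed at this domain controller.
$closed = $results | Where-Object { -not $_.Open }
if ($closed) {
    Write-Warning ("Closed ports on {0}: {1}" -f $DcName, ($closed.Port -join ', '))
} else {
    Write-Host "All core AD TCP ports are reachable on $DcName"
}
```

The dynamically-assigned RPC port range is not probed here: it is negotiated through the endpoint mapper on 135, so a closed 135 is the symptom to look for when RPC-based tools fail.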


Installation Steps

Step 1: Login as Local Admin

To start the configuration, log in to the Windows Server 2019 server as the local administrator.

 https://gallery.technet.microsoft.com/site/view/file/221069/1/ad2.JPG

Step 2: IP Config

We already changed the name of the server to a meaningful one. Next we need to check the IP configuration; in my initial configuration it shows a DHCP-assigned IP.

We need to change it to a static IP first, using PowerShell.

https://gallery.technet.microsoft.com/site/view/file/221070/1/ad3.jpg

Step 3: Static IP

To set the static IP, we can use the PowerShell command below.

New-NetIPAddress -InterfaceIndex 4 -IPAddress 192.168.61.100 -PrefixLength 24 -DefaultGateway 192.168.61.2

Note: Here the IP address was assigned based on my network requirements. Use an IP address appropriate to your infrastructure.

https://gallery.technet.microsoft.com/site/view/file/221073/1/ad5.jpg

Step 4: Find InterfaceIndex

The InterfaceIndex used above can be found with the Get-NetIPAddress command.

Step 5 : DNS

The next step is to set the DNS IP addresses. The primary DC is also going to act as the DNS server, so we need to set it as the preferred DNS server. We can do this using the command below.

Set-DnsClientServerAddress -InterfaceIndex 4 -ServerAddresses ("192.168.61.100","8.8.8.8")

After the configuration, we can verify it using ipconfig /all.

https://gallery.technet.microsoft.com/site/view/file/221074/1/ad6.jpg
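Steps 2 to 5 form one procedure: inspect the DHCP configuration, find the interface index, assign the static address and gateway, and point the DNS client at the server itself. The script below is an added example, not the article's own commands, that performs all four in one pass. It keeps the article's lab addresses (192.168.61.0/24) but locates the adapter by name instead of hard-coding InterfaceIndex 4; the adapter name 'Ethernet' is an assumption, and all addresses should be adjusted for your network.

```powershell
# Added example (not the article's own script): apply the Step 2 to Step 5
# network settings in one pass. Addresses follow the article's lab network;
# the adapter name 'Ethernet' is an assumption. Run as a local administrator.
$Alias      = 'Ethernet'
$StaticIp   = '192.168.61.100'
$Prefix     = 24
$Gateway    = '192.168.61.2'
# This server will run DNS itself, so it is listed first. The second entry
# is the one used in the article.
$DnsServers = @('192.168.61.100', '8.8.8.8')

# Step 4: find the interface index instead of guessing it.
$adapter = Get-NetAdapter -Name $Alias -ErrorAction Stop
$ifIndex = $adapter.ifIndex

# Step 2: show the current (DHCP) configuration before changing it.
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin

# Remove the DHCP-assigned IPv4 address and default route so they do not
# coexist with the static ones, then turn DHCP off on the interface.
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Dhcp Disabled

# Step 3: static address and default gateway.
New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $StaticIp `
    -PrefixLength $Prefix -DefaultGateway $Gateway

# Step 5: DNS client servers.
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $DnsServers

# Verify the result (the same information as ipconfig /all, as objects).
Get-NetIPConfiguration -InterfaceIndex $ifIndex |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DnsServer
```

Running this over a remote session will drop the connection when the DHCP address is removed, so run it from the console. A domain controller's DNS client list is normally restricted to itself and other DCs, with any public resolver configured as a DNS server forwarder rather than as a client entry; the second entry above mirrors the article's choice.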

Step 6: Install AD-DS Role

Before the AD configuration process, we need to install the AD-DS role on the server. To do that we can use the following command.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Note: Reboot is not required to complete the role service installations.

https://gallery.technet.microsoft.com/site/view/file/221075/1/ad7.jpg

Now that we have the AD-DS role installed, the next step is to proceed with the configuration.

Step 7: AD-DS Configuration

Below is the PowerShell configuration file / script for configuring AD DS. Each line ends in a backtick with nothing after it, so the command continues on the next line.

Install-ADDSForest `
    -DomainName "example.com" `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "7" `
    -DomainNetbiosName "example" `
    -ForestMode "7" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$True `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

The following explains the PowerShell cmdlets and arguments used above and what each one does.

Install-WindowsFeature

This cmdlet installs a Windows role, role service or Windows feature on a local or remote server. It is the equivalent of installing them through Server Manager.

IncludeManagementTools

This switch installs the management tools for the selected role service.

Install-ADDSForest

This cmdlet sets up a new Active Directory forest.

  • DomainName: This parameter defines the FQDN of the Active Directory domain.
  • CreateDnsDelegation: This parameter defines whether to create a DNS delegation that references the Active Directory integrated DNS.
  • DatabasePath: This parameter defines the folder path used to store the Active Directory database file (Ntds.dit).
  • DomainMode: This parameter specifies the Active Directory domain functional level. Above I have used mode 7, which is Windows Server 2016. Windows Server 2019 doesn't have a separate domain functional level.
  • DomainNetbiosName: This defines the NetBIOS name of the forest root domain.
  • ForestMode: This parameter specifies the Active Directory forest functional level. Above I have used mode 7, which is Windows Server 2016. Windows Server 2019 doesn't have a separate forest functional level.
  • InstallDns: This specifies whether the DNS role needs to be installed with the Active Directory domain controller. For a new forest it defaults to $true.
  • LogPath: This specifies the location where the domain log files are saved.
  • SysvolPath: This defines the SYSVOL folder path. The default location is C:\Windows\SYSVOL.
  • NoRebootOnCompletion: By default, the system restarts the server after the domain controller configuration. This switch prevents the automatic restart.
  • Force: This parameter forces the command to execute, ignoring warnings. It is normal for the command to raise warnings about best practices and recommendations.

Step 8 : Prompt for the Safe Mode Admin Pass

After executing the command it will prompt for the Safe Mode Administrator Password. This password is used in Directory Services Restore Mode (DSRM).

Make sure to use a complex password (according to the Windows password complexity recommendations). Failure to do so will stop the configuration.

Step 9 : Reboot & Login

When the configuration completes, reboot the domain controller and log back in as the domain administrator.

Step 10 : Confirm the Installation

To confirm the successful installation of the services, run:

Get-Service adws,kdc,netlogon,dns

The command above lists the status of the Active Directory related services running on the domain controller.

https://gallery.technet.microsoft.com/site/view/file/221076/1/ad8.jpg

Step 11 : Run Get-ADDomainController

This lists all the configuration details of the domain controller.

Step 12 : Run Get-ADDomain example.com

This lists the details of the Active Directory domain.

Step 13 : List The AD Forest Details

In the same way, Get-ADForest example.com lists the Active Directory forest details.

Step 14 : Check if the DC Is Sharing the SYSVOL Folder

Get-SmbShare SYSVOL shows whether the domain controller is sharing the SYSVOL folder.
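Steps 10 to 14 are individual checks run by hand. The script below is an added example, not part of the original article, that combines them into one post-promotion health check and adds two things the article's prerequisites ask for but do not show: confirming that the first domain controller holds all five FSMO roles (as the topology section states), and reading the Directory Service event log for errors. The domain name example.com follows the article's lab; the 24-hour event-log window is an assumption. Run it on the new domain controller as a domain administrator after the reboot.

```powershell
# Added example (not from the original article): post-promotion health check
# combining Steps 10 to 14 with an FSMO role check and an event-log review.
# $DomainName follows the article's lab forest; adjust it for your environment.
$DomainName = 'example.com'
Import-Module ActiveDirectory

# Step 10: the core AD services must be running.
$services = Get-Service -Name adws, kdc, netlogon, dns
$services | Format-Table Name, Status -AutoSize
$stopped = $services | Where-Object { $_.Status -ne 'Running' }
if ($stopped) { Write-Warning ("Not running: {0}" -f ($stopped.Name -join ', ')) }

# Step 11: this domain controller's own configuration.
$dc = Get-ADDomainController
$dc | Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem, IPv4Address

# Steps 12 and 13: domain and forest details, including the functional
# levels set by -DomainMode and -ForestMode during Install-ADDSForest.
$domain = Get-ADDomain -Identity $DomainName
$forest = Get-ADForest -Identity $DomainName
"Domain functional level: {0}" -f $domain.DomainMode
"Forest functional level: {0}" -f $forest.ForestMode

# The topology section says the first DC holds all five FSMO roles; confirm it.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
[pscustomobject]$fsmo | Format-List
$notHere = $fsmo.GetEnumerator() | Where-Object { $_.Value -ne $dc.HostName }
if ($notHere) { Write-Warning ("FSMO roles held elsewhere: {0}" -f ($notHere.Key -join ', ')) }

# Step 14: SYSVOL (and NETLOGON) must be shared before clients can read Group Policy.
Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path

# Prerequisite 8: errors in the Directory Service log since the promotion point
# to problems the checks above will not reveal (24-hour window is an assumption).
Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Level     = 1, 2
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message -First 10
```

An empty event list is the expected result on a clean promotion; any Level 1 or 2 entries should be resolved before additional domain controllers are added or clients are joined.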


Conclusion

As we can see, the AD DS components are installed and configured successfully. This marks the end of this post. Please feel free to rate this article.


Glossary

Item    Description
SYSVOL  System Volume
DC      Domain Controller
AD DS   Active Directory Domain Services
DNS     Domain Name System
FQDN    Fully Qualified Domain Name
DSRM    Directory Services Restore Mode
KDC     Key Distribution Center
LDAP    Lightweight Directory Access Protocol
NTDS    NT Directory Services
IP      Internet Protocol
FSMO    Flexible Single-Master Operation
