Latest posts by Sander Berkouwer (see all)
Active Directory and Server Core
Since the first release of Server Core in Windows Server 2008, the Active Directory Domain Services Server Role has been available to configure Server Core installations as Domain Controllers.
However, with Windows Server 2008 R2, Microsoft introduced the Active Directory Web Service on the Domain Controller to serve as an endpoint for the Active Directory Administrative Center and the Active Directory PowerShell cmdlets. Microsoft introduced the Active Directory Web Services gateway for Windows Server 2003 and Windows Server 2008 to allow the Active Directory Administrative Center and the Active Directory PowerShell cmdlets to communicate with these hosts. This download, however, is not available for Server Core installations of Windows Server 2008, which explains why so few Windows Server 2008 Server Core-based Domain Controllers remain; most of those that were deployed have since been upgraded to Windows Server 2008 R2.
In Windows Server 2012, Microsoft introduced significant new functionality in Active Directory Domain Services, including virtualization-safe Active Directory, Domain Controller Cloning, Dynamic Access Control (DAC), and Active Directory-Based Activation. All of this functionality is also available in Server Core installations of Windows Server 2012.
First steps
When you want a Windows Server to operate as an Active Directory Domain Controller, you need to perform a few steps:
- Provide the host with a meaningful NetBIOS name.
- Configure appropriate networking settings, including fixed IP addresses, name resolution settings, and suffix settings. (As a best practice, try to avoid creating a disjoint namespace.)
- Update the server with all appropriate Service Packs and Windows Updates.
- Activate the Windows Server installation.
- Implement Information Security measures (like anti-malware, UPS).
Configuring Server Core as a Domain Controller
Configuring a Windows Server 2012-based Server Core installation as a Domain Controller starts with one of the following:
- Promoting a standalone server to a Domain Controller for a new domain
- Promoting a member server to a replica or read-only replica Domain Controller (also known as an additional Domain Controller)
- Cloning a Windows Server 2012-based Server Core Domain Controller to a new replica Domain Controller
Note: Because there are three ways to promote a server to a Domain Controller (described above) and three different toolsets, I’ll show you each of the ways with a different toolset.
Creating the first Domain Controller in a forest
With the essentials covered in the “first step” section (above), creating your first Domain Controller is as easy as running a single command:
dcpromo.exe /unattend /NewDomain:forest /ReplicaOrNewDomain:Domain /NewDomainDNSName:domain.tld /DomainLevel:4 /ForestLevel:4 /SafeModeAdminPassword:"P@ssw0rd"
Note: That’s right! There’s no need to install the Active Directory Domain Controller role, or anything like that, as you’d need to do on a Server with a GUI Domain Controller.
After promoting the server to the first Domain Controller of a new Domain in a new Forest, the server restarts automatically:
[Screenshot: dcpromo unattended command promotion]
Of course, dcpromo.exe has way more tricks up its sleeve beyond the many defaults automatically selected in the example above. All its command line switches are explained on TechNet.
Creating a replica Domain Controller
An Active Directory best practice is to have at least two Domain Controllers hosting each of your Active Directory Domains. A Server Core installation lends itself to this task. The easiest way to achieve this is to use an unattended installation file on a domain-joined installation. The first thing you do is open Notepad.exe and type (or paste in) the following text:
replicaDomainDNSName = domain.tld
ReplicaOrNewDomain = Replica
UserDomain = DOMAIN
Username = administrator
Password = "P@ssw0rd1"
InstallDNS = Yes
ConfirmGc = Yes
CreateDNSDelegation = No
SafeModeAdminPassword = "P@ssw0rd"
[Screenshot: dcpromo unattend answer file]
Save the file to a suitable location and then run the following command:
Again, this is a sample unattended answer file. For more options, take a look at Microsoft Knowledgebase article 947034.
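The same replica promotion as a script, added here as an example and not part of the original post: it writes the answer file above, runs dcpromo.exe against it, deletes the file (which holds two plaintext passwords) and only then reboots. The domain name domain.tld, the NetBIOS name DOMAIN and the answer-file path are assumed; the exit-code ranges follow the dcpromo /unattend reference (1 to 10 success, 11 and up failure), so confirm against dcpromo.log.

```powershell
# Added example, not from the original post: writes the replica answer file
# shown above, runs dcpromo.exe against it, removes the file (it holds two
# plaintext passwords) and only then reboots. Assumed: domain.tld, DOMAIN.
$answerFile = Join-Path $env:TEMP 'dcpromo-replica.txt'

# Prompt for both passwords instead of embedding them in the script.
$adminPassword = Read-Host -Prompt 'Domain admin password' -AsSecureString
$dsrmPassword  = Read-Host -Prompt 'DSRM (Safe Mode) password' -AsSecureString

# dcpromo only accepts plaintext in the answer file, so convert at the last moment.
function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Same keys and values as the answer file in the text, plus RebootOnCompletion = No
# so that this script decides when the reboot happens.
$settings = [ordered]@{
    ReplicaDomainDNSName  = 'domain.tld'
    ReplicaOrNewDomain    = 'Replica'
    UserDomain            = 'DOMAIN'
    UserName              = 'administrator'
    Password              = '"{0}"' -f (ConvertTo-PlainText $adminPassword)
    InstallDNS            = 'Yes'
    ConfirmGc             = 'Yes'
    CreateDNSDelegation   = 'No'
    SafeModeAdminPassword = '"{0}"' -f (ConvertTo-PlainText $dsrmPassword)
    RebootOnCompletion    = 'No'
}

$promoted = $false
try {
    # dcpromo answer files start with the [DCInstall] section header (see KB 947034).
    $lines = @('[DCInstall]') +
             ($settings.GetEnumerator() | ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value })
    Set-Content -Path $answerFile -Value $lines -Encoding ASCII
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$answerFile"
    # dcpromo /unattend reports success with exit codes 1 to 10, failure with 11 and up.
    $promoted = ($LASTEXITCODE -ge 1 -and $LASTEXITCODE -le 10)
    if (-not $promoted) {
        Write-Error ("dcpromo.exe exited with {0}; see {1}\debug\dcpromo.log" -f $LASTEXITCODE, $env:SystemRoot)
    }
}
finally {
    # Never leave the plaintext passwords on disk, whether or not promotion succeeded.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
if ($promoted) { Restart-Computer -Force }   # reboot only after the answer file is gone
```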
Cloning a Domain Controller
Windows Server 2012 introduces Domain Controller Cloning for virtualized Domain Controllers. This dramatically reduces the time needed to deploy the second Domain Controller that the best practice calls for, and it might also assist you in your backup and recovery strategies.
You need to cover a couple of prerequisites before you can start thinking about cloning, but once you have, cloning a Server Core Domain Controller can be performed in these six steps:
- Grant the source Domain Controller the ability to clone by adding the computer account of the virtualized source Domain Controller to the Cloneable Domain Controllers group with the following PowerShell command:
Add-ADGroupMember "Cloneable Domain Controllers" "cn=dc01,ou=Domain Controllers,dc=domain,dc=tld"
- Check for DC Cloning blockers with Get-ADDCCloningExcludedApplicationList and examine the outcome. Resolve any issues that might arise by uninstalling the application, disabling the Windows Feature, or simply ignoring the blocker with the following PowerShell command:
Get-ADDCCloningExcludedApplicationList -GenerateXml -Path C:\Windows\NTDS -Force
- Write the DCCloneConfig file using the following PowerShell command:
New-ADDCCloneConfigFile -CloneComputerName "dc02" -Static -IPv4Address "192.168.0.2" -IPv4SubnetMask "255.255.255.0" -IPv4DefaultGateway "192.168.0.254" -IPv4DNSResolver "192.168.0.1"
Note: Alternatively, you can use the New-ADDCCloneConfigFile command without parameters to create auto-named DHCP-enabled Domain Controllers.
- Shut down the source Domain Controller.
- Base a new virtual Domain Controller on the virtual hard disk of the source Domain Controller.
- Start the source Domain Controller and start the cloned Domain Controller.
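The first three steps of the procedure above, run on the source Domain Controller as one script; this is an added example, not code from the original post. It refuses to write the clone configuration while blockers remain unreviewed and reminds you to revoke the cloning permission afterwards. The names dc01 and dc02 and the 192.168.0.0/24 addresses are the ones assumed in the text.

```powershell
# Added example, not from the original post: prepares the source DC for cloning
# with the cmdlets from steps 1 to 3 above. Assumed names: dc01, dc02, and the
# 192.168.0.0/24 addresses used in the text. Run this on the source DC itself.
Import-Module ActiveDirectory

$sourceDc       = 'dc01'
$cloneableGroup = 'Cloneable Domain Controllers'

# Step 1: allow this DC to be cloned. Resolve the computer object instead of
# hand-typing its distinguished name.
$sourceAccount = Get-ADComputer -Identity $sourceDc
Add-ADGroupMember -Identity $cloneableGroup -Members $sourceAccount

# Step 2: list cloning blockers. Each entry must be uninstalled, disabled, or
# knowingly whitelisted before the clone configuration is written.
$blockers = @(Get-ADDCCloningExcludedApplicationList)
if ($blockers.Count -gt 0) {
    Write-Warning ("Cloning blockers found:`n" + ($blockers | Format-Table -AutoSize | Out-String))
    $answer = Read-Host 'Whitelist all of the above and continue? (yes/no)'
    if ($answer -ne 'yes') { throw 'Cloning blockers unresolved; aborting before writing DCCloneConfig.xml.' }
    # Writes CustomDCCloneAllowList.xml next to the database, as in the text.
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Path "$env:SystemRoot\NTDS" -Force
}

# Step 3: write DCCloneConfig.xml with a static address for the clone.
New-ADDCCloneConfigFile -CloneComputerName 'dc02' -Static `
    -IPv4Address '192.168.0.2' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '192.168.0.254' -IPv4DNSResolver '192.168.0.1'

# Steps 4 to 6 (shut down, copy the virtual hard disk, start both) happen on the
# hypervisor. Once the clone is up, take the source DC back out of the group so
# the permission to clone it does not linger on the computer account.
Write-Host 'DCCloneConfig.xml written. After the clone has started, run:'
Write-Host ("  Remove-ADGroupMember -Identity '{0}' -Members '{1}' -Confirm:`$false" -f $cloneableGroup, $sourceAccount.SamAccountName)
```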
More information can be found in the Introduction to Active Directory Domain Services (AD DS) Virtualization.
Managing Active Directory on Server Core
Once your Server Core installations are fully functioning Domain Controllers, there are multiple ways to manage the contents of Active Directory and the Domain Controllers themselves.
Managing Server Core Domain Controllers
Just like on Server with a GUI installations, you can use tools such as ntdsutil.exe, dcdiag.exe, dslint.exe, ldp.exe, setspn.exe, nltest.exe, csvde.exe, ldifde.exe and repadmin.exe on Server Core Domain Controllers.
Also, in Windows Server 2012, a collection of new Active Directory PowerShell cmdlets is available to you to create read-only Domain Controllers (Add-ADDSReadOnlyDomainControllerAccount), demote Domain Controllers (Uninstall-ADDSDomainController), and troubleshoot Active Directory replication (with the 23 Get-ADReplication*, New-ADReplication*, Remove-ADReplication*, and Set-ADReplication* cmdlets, Get-ADTrust, and Sync-ADObject).
Needless to say, you can run these commands remotely through WinRS, Remote Desktop, and/or PowerShell Remoting. Also, all the fine Joeware command line utilities work on Server Core installations.
Managing Active Directory contents
On the command line, tools like dsadd.exe, dsquery.exe, dsget.exe, dsmod.exe, dsrm.exe, and dsmove.exe are available, as they have been for the last decade. With PowerShell, you can use any of the 28 account management cmdlets, 7 group management cmdlets, 10 password settings cmdlets, 7 Managed Service Account (MSA) cmdlets, and 26 Dynamic Access Control-related cmdlets.
For managing the contents of Active Directory Domain Services, you can go wild on the console of your Server Core Domain Controllers, or you can manage remotely from the comfort of your office chair. Active Directory Administrative Center (dsac.exe), Active Directory Users and Computers (dsa.msc), Active Directory Sites and Services (dssite.msc), Active Directory Domains and Trusts (domain.msc), and ADSI Edit (adsiedit.msc) can all be used from Windows Server 2012 installations and Windows 8 installations with the Remote Server Administration Tools (RSAT) installed:
[Screenshot: Server Core remote Active Directory management]
Remotely, a Server Core Domain Controller feels exactly the same as a Server with a GUI-based Domain Controller. Of course, in the back of your mind, you’d always know your Server Core Domain Controller is a lot faster, safer, and more reliable than your neighbor’s.