You're reading from Mastering Active Directory, Third Edition

Product type: Book
Published in: Nov 2021
Publisher: Packt
ISBN-13: 9781801070393
Edition: 3rd Edition
Author: Dishan Francis

Dishan Francis is an IT professional with over 15 years of experience. He was a six-time Microsoft MVP in enterprise mobility before he joined Microsoft UK as a security consultant. He has maintained the RebelAdmin technology blog over the years, with lots of useful articles that focus on on-premises Active Directory services and Azure Active Directory. He has also written for other Microsoft-managed blogs such as canitpro and ITopsTalk. When it comes to managing innovative identity infrastructure solutions to improve system stability, efficiency, and security, his level of knowledge and experience places him among the very best in the field.
Migrating to Active Directory 2022

In previous chapters, we looked at Active Directory (AD) components and learned how to design an AD infrastructure using them. Now, it's time to look at installing Active Directory Domain Services (AD DS). It would be perfect if we could design and implement an AD infrastructure from scratch, but in reality, the majority of organizations already have an AD infrastructure. Therefore, most of the time, as engineers, we will be looking into AD migrations rather than completely new designs. Apart from migrations, we may also have to work on extending the current AD design to meet new business requirements (for example, creating a new domain, introducing a new AD site, Azure AD integration, and so on) or to correct existing design issues (for example, changing the domain name, dealing with mergers and acquisitions). In all of these scenarios, we may have to add new domain controllers, and the installation steps are pretty much the same. Apart from...

AD DS installation prerequisites

Before we look at installing AD DS, there are certain prerequisites that need to be fulfilled. Without these, even if we have a good design, we will not have a healthy AD DS environment.

Hardware requirements

In modern infrastructures, most workloads run on virtualized platforms. Some still think it is best to keep at least one physical domain controller in an AD infrastructure, but this is not true. In the early days of virtualization, I would somewhat agree, but now technology has moved on. We can keep all domain controllers as virtualized domain controllers. However, if required, the following are the minimum hardware requirements for AD DS 2022:

  • 1.4 GHz 64-bit processor
  • 2 GB RAM
  • A storage adapter that supports the PCI Express architecture (Windows Server 2022 does not support IDE/ATA/PATA/EIDE for boot, data, or page drives)
  • 32 GB of free space
  • 1 x network adapter
  • DVD drive or support for a network USB...

AD DS installation methods

There are two methods we can use to install AD domain controllers:

  • Using the Windows GUI: After Microsoft introduced Server Manager with Windows Server 2008, the installation process of AD DS was simplified. In order to install AD DS using the Windows GUI, we need to install the AD DS role using Server Manager. Once this has been completed, we can run the AD DS configuration wizard:

    Figure 6.2: AD DS server role

    The following screenshot shows the AD DS configuration wizard:

    Figure 6.3: New AD forest root domain name

  • Using PowerShell: Before Windows Server 2012, AD DS could be configured using DCPromo unattended files. The DCPromo tool was used to configure AD DS, and, using a text file, it was possible to pass the configuration values that were required. It removed user interaction for the AD DS configuration. With Windows Server 2012, DCPromo was replaced with PowerShell. Now, we can use a PowerShell script...

AD DS deployment scenarios

In this section, we are going to look into different installation scenarios for AD DS.

Setting up a new forest root domain

For the first scenario, I am going to demonstrate how to set up a new AD forest. This will be the first domain controller of a new AD infrastructure. You can use the following checklist to make sure you have done your homework before clicking on the installation button.

AD DS installation checklist for the first domain controller

The following checklist can be used for a fresh AD DS installation:

  1. Produce an AD design document
  2. Prepare the physical/virtual resources for the domain controller
  3. Install Windows Server 2022 Standard/Datacenter
  4. Patch your servers with the latest Windows updates
  5. Assign a dedicated IP address to the domain controller
  6. Install an AD DS role
  7. Configure AD DS according to the design
  8. Review the logs to verify the health of the AD DS installation and...
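
Steps 5 to 8 of the checklist can be scripted with the PowerShell installation method described earlier. The following is an added example, not code from the book; the interface alias, IP addresses, and domain names are constructed placeholders, and the functional level shown is an assumption to be replaced by the one in your design.

```powershell
# Added example. Interface alias, addresses and domain names are constructed
# placeholders; replace them with the values from your AD design document.
$InterfaceAlias = 'Ethernet'
$IPAddress      = '192.168.61.10'
$DomainName     = 'corp.example'

# Step 5: dedicated static IP; the DNS client points at the DC's own address.
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
    -PrefixLength 24 -DefaultGateway '192.168.61.1'
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $IPAddress

# Step 6: install the AD DS role with its management tools.
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) { throw 'AD DS role installation failed.' }

# Step 7: configure the forest. The DSRM password is read as a SecureString
# so it is never stored in the script file.
$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'DSRM password')
}
# Run the prerequisite checks first and stop on any reported error.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -contains 'Error') { throw ($check.Message -join "`n") }
Install-ADDSForest @forestParams -Force   # the server reboots when this completes

# Step 8: define and call this in a new session after the reboot.
function Test-NewDomainControllerHealth {
    Get-Service -Name NTDS, DNS, Netlogon, Kdc, ADWS | Select-Object Name, Status
    Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path
    Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
    Get-WinEvent -LogName 'Directory Service' -MaxEvents 20 |
        Where-Object LevelDisplayName -in 'Error', 'Warning'
    dcdiag /q   # prints only the tests that failed
}
```

The promotion log written during step 7 is at `C:\Windows\debug\dcpromo.log` and is worth reviewing alongside the event log output.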

How to plan AD migrations

AD migration from an older version to a newer one is a common requirement for any AD infrastructure. As time goes by, operating systems go out of support. Even if an organization is not looking to implement new AD features, sometimes they have to migrate to a newer version if the operating system is out of support. In a typical AD migration process, a new AD DS version will be installed on a new server. Then, the FSMO roles will migrate to the new domain controllers.

Once this is completed, the older version of AD DS will be decommissioned. Afterward, the domain and forest functional levels will be raised to match the new AD DS version. Even though each AD DS version has core functions that are the same, newer versions always have new features and enhancements that apply to the domain or forest level.
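
The migration sequence described above (move the FSMO roles, decommission the old domain controllers, then raise the functional levels) can be sketched as follows. This is an added example, not code from the book; `DC22-01` is a hypothetical name for the new domain controller, and the account running it is assumed to hold Schema Admins and Enterprise Admins rights.

```powershell
# Added example. 'DC22-01' is a hypothetical new Windows Server 2022 DC.
Import-Module ActiveDirectory
$NewDc  = 'DC22-01'
$forest = Get-ADForest
$domain = Get-ADDomain

# Record the current FSMO role holders before changing anything.
function Get-FsmoHolders {
    $f = Get-ADForest; $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
Get-FsmoHolders | Format-List

# Move all five roles to the new domain controller, then verify the result.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator,
                         RIDMaster, InfrastructureMaster
$stillOld = (Get-FsmoHolders).PSObject.Properties |
    Where-Object { $_.Value -notlike "$NewDc*" }
if ($stillOld) { throw "Roles not moved: $($stillOld.Name -join ', ')" }

# Guard: raise functional levels only after the older DCs are decommissioned.
$legacy = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notmatch '2016|2019|2022' }
if ($legacy) {
    throw "Older DCs still present: $($legacy.HostName -join ', ')"
}

# Windows Server 2016 is the highest functional level available with
# Windows Server 2022 domain controllers.
Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2016Domain -Confirm:$false
Set-ADForestMode -Identity $forest.Name -ForestMode Windows2016Forest -Confirm:$false
```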

There can be many reasons why an organization may consider an AD migration. I have listed a few reasons as follows:

  • To implement new...

Summary

The first few chapters of this book were focused on understanding AD DS and its capabilities. This chapter is different from those as it is more focused on the implementation of AD DS. In the first part of this chapter, we learned about the implementation of domain controllers in different scenarios. The second part of this chapter was focused on AD DS migration from an older version of AD DS to AD DS 2022. As part of this learning experience, we looked at how to perform AD health checks, application audits, information gathering, and AD design reviews. Last but not least, we learned how to migrate from AD DS 2008 R2 to AD DS 2022.

In the next chapter, we are going to learn about managing AD objects.
