From the course: Career Essentials in System Administration by Microsoft and LinkedIn
Active Directory from scratch
- [Narrator] Since so many organizations use on-premises Active Directory and plan on doing so for many years to come, understanding Active Directory is going to be an important part of your job as a sysadmin. And what I'm going to do here is give a demonstration of installing Active Directory. Now, in most cases, you won't need to do that, but understanding how Active Directory has been installed will help you understand better how to troubleshoot and manage it. Also, if you end up working for a managed service provider as a consultant, you may have some opportunities to set up Active Directory for the first time for a new startup company. So I'm going to go into Add Roles and Features inside Server Manager and set up a brand new Active Directory domain and forest. So I'm going to choose my server that you see here. Click Next. And here you can see I've already installed Active Directory Domain Services. If you have not done that, just go ahead and check that box. It does not create an Active Directory domain and forest. It just gives you the tools to be able to do it. To save a little time, I went ahead and checked that box and finished the installation. Now you're going to see this triangle at the top. So here you're going to choose to promote this server to be a domain controller. Now we're going to create a brand new forest. So far there is no Active Directory domain or forest. When we create an Active Directory domain, it starts out with a forest at the very top level and creates a domain underneath it. Now it's going to give the forest and the domain the same name. So whatever you call the forest, it's also going to call the domain the same thing, but that's just true of the first domain. If you add a second domain in the forest, you can call it anything you'd like. I'll click Next.
And there is a tool called rendom, for rename domain, that would allow you to change that to a different name but keep the forest name the same if you'd like. Now, by default, you can see, since this is Windows Server 2025, the forest functional level and the domain functional level are both set to 2025. However, if you have 2022, 2019 or 2016, then you're going to want to change this to the 2016 level, and that's the lowest level that is still compatible to work with 2025. So you have to set the forest and domain functional level to be whatever the oldest, lowest operating system is that you're using. If you're using 2012 or older, you'll have to upgrade those first in order for 2025 to be able to work with them as domain controllers. By default, we're also going to need DNS. DNS, or Domain Name Services, makes Active Directory work by resolving names to IP addresses along with other DNS-type services. And global catalog: you have to have at least one global catalog in the domain. It contains a copy of Active Directory. The third option, read-only domain controller, is only if you're going to set up a read-only DC, say in a remote small office where you don't want anyone to make any changes. Now, if Active Directory breaks, you've got to be able to load and log in to your Windows server without Active Directory running. So in order for that to happen, we need to put in a password for recovery mode. And I'll click Next. Now this DNS warning, that is because we are the very first domain controller in the domain, so it can't find any parent DNS server. So you can ignore that. Now, it's going to come up with what's called the NetBIOS domain name. That has to do with Windows NT, NT4 and 3.5, et cetera, back from the 1990s. So you can ignore that and we'll just leave it as it was. Click Next, as well as for the location of the database, and click Next again.
Now at this next part, as long as you don't get any errors, you can go ahead and continue with the installation, but in every case, you're always going to see at least that one DNS warning. And of course, there it is. So I'll click Install, and now it's going to install Active Directory in a brand new forest and domain. And when it's all done, it's going to automatically restart. So you don't have to stay here and watch this; you can just go ahead and come back later after it restarts. And the next time you log in, you'll be logging into Active Directory instead of the local server. And the server has restarted and I've logged back in, but now I'm logged into Active Directory instead of just the local server. And you can see all these new Active Directory tools that were not there before. The most common is Active Directory Users and Computers. So I'll go ahead and launch that, and I can see the name of the domain and you can see the domain controller. In this case, we just have the one DC1 server. What I'd like to do is add a second domain controller to add redundancy just in case anything happens to our primary. So I'm going to switch to DC2. I'm on DC2, and I'm going to go to Add Roles and Features. And once again, you just need to make sure that that same role is there, which is going to be Active Directory Domain Services, and I saved a little time just by going ahead and doing that ahead of time. And you would just check that box and click Next several times until it's finished. Now I'm going to promote this server to be a domain controller as well. However, instead of choosing the New Forest option like I did with DC1, that forest already exists, so I don't want to create it again. I want to add a domain controller to an existing domain. And the third option, to add a new domain to an existing forest, would add additional domains underneath the parent forest, but I don't need to do that here. I'm just going to add another domain controller.
That gives me some redundancy in case anything happens to DC1. Now I'm going to go to the credentials. So I'll click Change. I need to add in the username and password. I could have logged in with the LinkedIn backslash administrator name, which has been the traditional way of logging in, using domain backslash administrator to log in to domains for all the different versions prior to 2025. However, starting in 2025, you need to log in using administrator@ and then whatever the domain name is. That's also the same syntax you would use to log in to any Azure type of account, as they don't support domain backslash username at all. So I'll click OK. Now, if you don't use that way of logging in, and that's called the user principal name instead of the old-fashioned NetBIOS domain backslash administrator name, then you won't be able to find the domain. It'll just come up blank. You'll click Select, for instance, and it just won't show anything. But because I did log in the UPN way, it went ahead and found the domain properly. Now in older versions of Windows Server, you'll have no problem logging in either way. So I'll go ahead and put in the same Directory Services Restore Mode password, just in case Active Directory breaks. You'll also see that the read-only domain controller is now an option where it was grayed out before. That's because you need to have at least one writable controller before you can create a read-only one. And I'm going to put in that password and click Next, and get the same DNS warning. That's fine. Make sure that your DNS settings for your IP address are pointing back to the original domain controller. Otherwise, it won't be able to find the domain. So I'll choose all the defaults here and click Next. And once again, I'll choose Install and it'll restart when it's done. Active Directory uses what's called a multi-master domain. So in the Windows NT days, we had what was called a primary domain controller and a secondary domain controller.
It's not that way anymore. All domain controllers starting with Windows Server 2000 and newer are all equal to each other. So if I create one domain controller and create another domain controller, they're both active at the same time. Whereas prior to that, you would have only one active domain controller called the primary, and all the secondaries would be in standby mode until you needed to promote one of them. So by having the multi-master domain, it gives you that redundancy automatically without having to manually promote a domain controller. Active Directory allows us to maintain and manage all resources like client computers and other servers when we join them to the Active Directory database. It adds security and control to any device that is joined to it.
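The same two promotions the video performs through Server Manager (DC1 into a brand-new forest, then DC2 joining the existing domain with a UPN credential), written as an added PowerShell example that is not part of the course; the domain name corp.example.com, the NetBIOS name CORP and the database paths are placeholders, and the functional level is pinned to 2016 as the narrator recommends when older DCs will coexist with 2025.

```powershell
# Added example (not from the course). corp.example.com / CORP are placeholders;
# DC1 and DC2 follow the narration.
# --- Run on DC1: the first domain controller in a brand-new forest ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Directory Services Restore Mode password: lets you log on to the server
# if Active Directory will not start (the "recovery mode" password above).
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# WinThreshold is the Windows Server 2016 functional level, the lowest level
# that still mixes with 2025 DCs, so use it while 2016/2019/2022 DCs remain.
Install-ADDSForest `
    -DomainName 'corp.example.com' `
    -DomainNetbiosName 'CORP' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -Force   # accepts the expected DNS-delegation warning; the server reboots when finished

# --- Run on DC2: add a second, writable DC to the existing domain ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# DC2 must resolve the domain through DC1 before promotion: confirm the DNS
# client points at DC1 and that the DC locator SRV record resolves.
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.com' -Type SRV

# Use the UPN form (administrator@domain) rather than CORP\administrator.
$cred = Get-Credential -UserName 'administrator@corp.example.com' -Message 'Domain admin credential'
$dsrm = Read-Host -Prompt 'DSRM password for DC2' -AsSecureString

# Dry run first: reports blocking problems without changing anything.
Test-ADDSDomainControllerInstallation -DomainName 'corp.example.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns

Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -Credential $cred `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# After the reboot, confirm both DCs are present, writable, and global catalogs.
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, IsReadOnly, OperationMasterRoles
```

The last query also shows which DC holds the operations master roles, since in a multi-master domain those are the only roles that are not shared equally.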