SETTING UP ACTIVE DIRECTORY 2016
Active Directory is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory has been around since quite literally the last century: it was first released with Windows 2000 Server, and since then we have seen eight updates to its functions and services. Initially Active Directory was only in charge of centralized domain management; starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based, identity-related services.
In this article we will learn how to set up Active Directory 2016 in a complex environment. First we will learn how to add an additional Windows Server 2016 domain controller to an existing domain, then we will create an additional domain in a different site, and finally we will learn how to set up a multi-forest environment on Windows Server 2016.
I am using the servers listed below in my virtual lab environment to build the AD network shown here, and in this article we will learn how to set up this AD network on Windows Server 2016.
Forest - ABHI.LAB | Forest - FRUIT.LAB
I have already set up a domain environment on Windows Server 2012 with two domain controllers running in my forest. We will now see how to set up an additional Windows Server 2016 domain controller in this existing domain.
Before the setup, my existing forest/domain details are:
Server Name | Role              | Site      | Forest   | Domain
------------|-------------------|-----------|----------|---------
LABAD01     | Domain Controller | hlab      | abhi.lab | abhi.lab
LABAD02     | Domain Controller | hlab-site | abhi.lab | abhi.lab
We will use LABAD03 to install the additional domain controller in our existing domain. To do so, log into the server, open Server Manager, start the Add Roles and Features Wizard and select Active Directory Domain Services. The full lab inventory is:
Server Name | Role                        | Site      | OS Version | IP Address                                  | RAM  | Hard Disk            | Forest    | Domain
------------|-----------------------------|-----------|------------|---------------------------------------------|------|----------------------|-----------|-----------
LABAD01     | Domain Controller           | hlab      | Win 2012   | 192.168.1.1                                 | 2 GB | C - 30 GB, E - 20 GB | abhi.lab  | abhi.lab
LABAD02     | Domain Controller           | hlab-test | Win 2012   | 192.168.1.12                                | 2 GB | C - 30 GB, E - 20 GB | abhi.lab  | abhi.lab
LABAD03     | Domain Controller           | hlab      | Win 2016   | 192.168.1.11                                | 2 GB | C - 40 GB, E - 20 GB | abhi.lab  | abhi.lab
EUDC01      | Domain Controller           | UKEU      | Win 2016   | 192.168.2.10                                | 2 GB | C - 40 GB, E - 20 GB | abhi.lab  | Devt.Local
EUDC02      | Domain Controller           | UKEU      | Win 2016   | 192.168.2.11                                | 2 GB | C - 40 GB, E - 20 GB | abhi.lab  | Devt.Local
USDC01      | Domain Controller           | USAT      | Win 2016   | 192.168.4.10                                | 2 GB | C - 40 GB, E - 20 GB | Fruit.lab | Fruit.lab
MS2012      | Routing and Remote Services | hlab      | Win 2008   | 192.168.1.200, 192.168.2.200, 192.168.4.200 | 1 GB | 30 GB                | abhi.lab  | abhi.lab
MS2016      | Member Server               | USAT      | Win 2016   | 192.168.4.50                                | 2 GB | 40 GB                |           |
The wizard will automatically select all the features an AD DS deployment needs. Leave the defaults and click Next.
Click Next.
Click Install on the Confirm installation selections page to install the Active Directory binaries on the server.
Once the feature is installed, click the link Promote this server to a domain controller.
Now we get the AD DS Deployment Configuration wizard to deploy a domain controller. In this demo we will add a Windows Server 2016 domain controller to our existing domain.
Select Add a domain controller to an existing domain.
Make sure the credentials supplied for this operation have enough rights to deploy Active Directory. In my lab I have given Domain Admin rights to the user account labadmin.
Click Next.
We have these choices on the Domain Controller Options page. The DNS server and Global Catalog roles are selected, and we are going to deploy this domain controller in the hlab site. Enter the DSRM password here. This is a special password that needs to be entered once and then never again, except when someone needs to perform an authoritative restore of the Active Directory database.
Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. It allows an administrator to repair or restore an Active Directory database.
Click Next after entering the DSRM password for this domain controller.
Next is the DNS Options page. Here we have a warning message saying that a delegation for this DNS server cannot be created because the authoritative parent zone cannot be found. This is to be expected: the wizard is trying to contact the name servers for .lab. It can safely be ignored because we are not concerned that people in other domains or on the internet will be unable to resolve DNS queries for computer names in the local domain. So we can disregard the message and click Next.
Select a partner domain controller for replication. In this demo I have selected labad01.abhi.lab.
Specify the location of the AD DS files. As a best practice, always use a folder on a different drive than your system drive. Since this is my lab, I am using the system drive for the location of the AD DS database. I have done this on purpose for this domain controller because in another article I will show how to move this database to another drive. For this demo it is fine to use this drive. Click Next.
Now the wizard will do the forest, schema and domain preparation for you. If your account does not have Enterprise Admin and Schema Admin rights, it will prompt you to enter credentials that have enough permission to prepare the forest and schema.
Since I am using an account that is an Enterprise Admin, Schema Admin and Domain Admin, I do not have any permission issue. Click Next.
The Review Options page enables you to validate your settings before we start the installation. This is not the last opportunity to stop the installation using Server Manager; this page simply enables you to review and confirm your settings before continuing the configuration. Click Next.
Now the wizard shows the Prerequisites Check page. Some of the warnings on this page may be expected. They can safely be ignored; click Install to start the AD DS installation.
Once it is done the server will restart, and after the restart the server will be a new domain controller.
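The same promotion as the wizard steps above, scripted with the ServerManager and ADDSDeployment cmdlets. This is an added example and not code from the article; it assumes an elevated PowerShell session on LABAD03, the labadmin account with the rights described above, the hlab site and labad01 partner chosen in the wizard, and that keeping the system drive means the default C:\Windows paths.

```powershell
# Added example (not from the article): promote LABAD03 as an additional DC of abhi.lab.
# Assumptions: elevated PowerShell on LABAD03; ABHI\labadmin has the rights the article
# describes; site, partner DC and paths are the lab values used above.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$cred = Get-Credential -UserName 'ABHI\labadmin' -Message 'Account with Domain Admin rights in abhi.lab'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password (needed again only for an authoritative restore)'

$params = @{
    DomainName                    = 'abhi.lab'
    Credential                    = $cred
    SiteName                      = 'hlab'
    ReplicationSourceDC           = 'labad01.abhi.lab'   # partner chosen on the Additional Options page
    InstallDns                    = $true                # DNS and GC are on by default, as in the wizard
    CreateDnsDelegation           = $false               # no authoritative parent for .lab, so skip the delegation
    SafeModeAdministratorPassword = $dsrm
    DatabasePath                  = 'C:\Windows\NTDS'    # system drive, as the author chose for this DC
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Same checks as the wizard's Prerequisites Check page; read the warnings before installing.
Test-ADDSDomainControllerInstallation @params | Format-List

# Runs the forest/schema/domain preparation as needed, then reboots the server.
Install-ADDSDomainController @params -Force

# After the reboot: confirm the DC object, its site and the GC flag, then check replication.
Get-ADDomainController -Identity 'LABAD03' |
    Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem
dcdiag /test:Replications /test:Advertising
```

The Test- cmdlet runs the prerequisite checks without changing anything, which is the scripted equivalent of reading the warnings on the Prerequisites Check page before clicking Install.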
So now we have another domain controller in our domain abhi.lab. To view this new domain controller in our site, open the Active Directory Sites and Services console. To open this console, run the command dssite.msc.
So we now have 3 domain controllers in domain abhi.lab, and all the domain controllers sit in a single site, hlab. I will make it a bit simpler by creating a secondary site for domain controller labad02.abhi.lab.
I have created another site called hlab-test and moved the domain controller labad02 into this site.
At this stage my domain environment in my lab looks like this. We have a forest/domain called abhi.lab, with 2 sites and 3 domain controllers:
Server Name | Role              | Site      | Forest   | Domain
------------|-------------------|-----------|----------|---------
LABAD01     | Domain Controller | hlab      | abhi.lab | abhi.lab
LABAD02     | Domain Controller | hlab-site | abhi.lab | abhi.lab
LABAD03     | Domain Controller | hlab      | abhi.lab | abhi.lab
Forest - abhi.lab
Now I will show how to set up a new tree domain in the existing forest ABHI.LAB. This new domain will be in a different subnet than the current one. Before that, I will install and configure a new server for Routing and Remote Access so that all the subnets in this lab can communicate with each other.
To demonstrate this in my lab I am using a Windows Server 2012 machine that is a member server of the abhi.lab domain. My RRAS server has three network adapters:
192.168.1.200 --- abhi.lab
192.168.2.200 --- devt.local (new tree domain)
192.168.4.200 --- fruit.lab (new forest)
To configure the RRAS service on the server, install the role and choose Deploy VPN only, as shown below:
Right-click the server in the Routing and Remote Access console and click Configure and Enable Routing and Remote Access.
This starts the setup wizard; click Next to continue.
Select Custom configuration and click Next.
Select LAN routing.
Click Finish to complete the Routing and Remote Access Server Setup Wizard.
Start the service.
And we have our Routing and Remote Access server ready for LAN routing.
Select IPv4 - General and check the status.
To test that our RRAS server is running and working fine, log into the new server that we will be using for the new domain installation, open a command prompt or PowerShell window and ping an IP address in a different subnet. Here we are able to ping a server in a different subnet successfully.
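The LAN routing setup above, scripted, with the checks I would run before trusting the router. This is an added example, not code from the article. It assumes the three adapters on MS2012 already carry the addresses listed earlier, that hosts on each subnet use the RRAS address on their own subnet as default gateway, and that `Install-RemoteAccess -VpnType RoutingOnly` is the equivalent of the wizard's Custom configuration / LAN routing choice.

```powershell
# Added example (not from the article): make the MS2012 member server route between the
# three lab subnets, then verify from the server that will become EUDC01.
# Assumptions: NICs already hold 192.168.1.200, 192.168.2.200 and 192.168.4.200; hosts on
# each subnet point their default gateway at the RRAS address on that subnet.

# --- On MS2012: install the Routing role service and enable RRAS in routing-only mode.
Install-WindowsFeature -Name Routing -IncludeManagementTools
Install-RemoteAccess -VpnType RoutingOnly
Set-Service -Name RemoteAccess -StartupType Automatic
Start-Service -Name RemoteAccess

# LAN routing only works if IP forwarding is enabled on every connected interface.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Select-Object InterfaceAlias, Forwarding

# The three directly connected routes the router will forward between.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -like '192.168.*.0/24' } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias

# --- On the new server in 192.168.2.0/24: cross-subnet reachability, with the path taken.
Test-NetConnection -ComputerName 192.168.1.1 -TraceRoute
```

If `Forwarding` shows `Disabled` on an interface after the service starts, RRAS has not taken ownership of that adapter; the trace route should show one hop through 192.168.2.200 before reaching 192.168.1.1.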
INSTALL NEW DOMAIN TREE IN ABHI.LAB FOREST
Now we are ready to install one more domain in our existing forest. In this section I will show how to install a new domain tree, devt.local, in the forest, with domain controller eudc01.devt.local.
A domain tree is made up of several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. A tree is different from a child domain: a child domain shares the same Domain Naming Master and Schema Master roles and inherits the namespace of its parent domain.
I am using the server below to install the new tree domain.
Server Name | Role              | Site | OS Version | IP Address   | RAM  | Hard Disk
------------|-------------------|------|------------|--------------|------|----------------------
EUDC01      | Domain Controller | UKEU | Win 2016   | 192.168.2.10 | 2 GB | C - 40 GB, E - 20 GB
The new domain controller name for this domain is EUDC01.devt.local.
Install the Active Directory Domain Services role, and once the binaries are installed click the link to promote the server to a domain controller.
Select Add a new domain to an existing forest on the Deployment Configuration page.
Specify the new domain as devt.local.
Select the domain functional level Windows Server 2012 R2.
We can safely ignore the warning message on the DNS Options page. Click Next to continue.
The Additional Options page shows the NetBIOS name of the domain. By default, the NetBIOS domain name matches the left-most label of the fully qualified domain name provided on the Deployment Configuration page.
Specify the location of the Active Directory files on the Paths page. In my lab demo I have used the E drive for the location of the AD DS database, the database transaction logs and the SYSVOL share. Click Next.
Review the selections and click Next.
Make sure there are no errors on this page and click Install to deploy Active Directory Domain Services.
Once it is done the server restarts and we have our new domain ready.
Once the server has rebooted, check the system properties: we have our first domain controller ready in a new tree domain in our existing forest.
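The tree-domain deployment above as a script, followed by the check that the forest-wide and domain-wide operations master roles ended up where the netdom output further down shows them. This is an added example, not code from the article; it assumes an elevated session on EUDC01, the abhi.lab Enterprise Admin account labadmin, the E: drive the author used, and the DEVT NetBIOS name (the left-most label, as the wizard defaults to).

```powershell
# Added example (not from the article): create the devt.local tree domain in the abhi.lab
# forest with EUDC01 as its first DC, then verify the FSMO split after the reboot.
# Assumptions: run on EUDC01; ABHI\labadmin is an Enterprise Admin; E:\ exists.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$cred = Get-Credential -UserName 'ABHI\labadmin' -Message 'Enterprise Admin of abhi.lab'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for EUDC01'

$params = @{
    DomainType                    = 'TreeDomain'
    NewDomainName                 = 'devt.local'   # full FQDN for a tree root; a child domain takes a single label
    ParentDomainName              = 'abhi.lab'     # the forest root the new tree joins
    NewDomainNetbiosName          = 'DEVT'
    DomainMode                    = 'Win2012R2'    # the functional level chosen in the wizard
    Credential                    = $cred
    SiteName                      = 'hlab'         # same site as the other DCs until UKEU is created
    InstallDns                    = $true
    CreateDnsDelegation           = $false         # same DNS Options warning as before, same answer
    SafeModeAdministratorPassword = $dsrm
    DatabasePath                  = 'E:\NTDS'
    LogPath                       = 'E:\NTDS'
    SysvolPath                    = 'E:\SYSVOL'
}

Test-ADDSDomainInstallation @params | Format-List
Install-ADDSDomain @params -Force

# --- After the reboot. Forest-wide roles stay with abhi.lab; the three domain-wide roles
#     belong to the first DC of devt.local (the split netdom query fsmo reports).
Get-ADForest | Select-Object Name, SchemaMaster, DomainNamingMaster
Get-ADDomain -Identity 'devt.local' |
    Select-Object DNSRoot, PDCEmulator, RIDMaster, InfrastructureMaster

# Tree domains are linked to the forest root by an automatic two-way, transitive trust,
# which is why abhi.lab accounts can log on to devt.local without any extra setup.
Get-ADTrust -Filter * | Select-Object Name, Direction, IntraForest, ForestTransitive
```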
This new domain controller is part of the same site, hlab.
Since domains in a tree are also linked together by trust relationships, we can log into domain devt.local using an abhi.lab account.
To check the FSMO roles for this domain, run the following command:
netdom query fsmo
In the above screenshot, the FSMO roles for domain devt.local show the Schema Master and Domain Naming Master held by abhi.lab, while the PDC, RID and Infrastructure Master owner is devt.local.
This is because the Schema Master FSMO role holder is responsible for performing updates to the directory schema and is the only DC that can process updates to the directory schema. Once a schema update is complete it is replicated from the Schema Master to all other DCs in the forest, and there is only one Schema Master per forest, so this role is considered a forest-wide role.
The Domain Naming Master is another forest-wide FSMO role; it is responsible for making changes to the forest-wide domain namespace of the directory and is the only one that can add or remove a domain from the forest.
Next, create a different site for this domain and domain controller. To do this I opened Active Directory Sites and Services, created a new site called UKEU, and moved the domain controller EUDC01.devt.local into this site.
So now our forest structure for the lab is as below. We have a forest abhi.lab with two domains, abhi.lab and devt.local:
Server Name | Role              | Site      | Forest   | Domain
------------|-------------------|-----------|----------|-----------
LABAD01     | Domain Controller | hlab      | abhi.lab | abhi.lab
LABAD02     | Domain Controller | hlab-site | abhi.lab | abhi.lab
LABAD03     | Domain Controller | hlab      | abhi.lab | abhi.lab
EUDC01      | Domain Controller | UKEU      | abhi.lab | devt.local
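The two site changes the author made by hand in Active Directory Sites and Services (hlab-test for LABAD02 earlier, UKEU for EUDC01 here), done with the ActiveDirectory module, together with the subnet objects that tell the KCC and domain members which site an address belongs to. This is an added example, not the article's own steps. It assumes an Enterprise Admin session on LABAD03, takes 192.168.1.0/24 and 192.168.2.0/24 from the inventory table, and adds both new sites to DEFAULTIPSITELINK, which is the site link the console's New Site dialog makes you pick.

```powershell
# Added example (not from the article): sites, subnets and site-link membership for the
# hlab-test and UKEU sites, then the server moves the author did in the console.
# Assumptions: run on LABAD03 as Enterprise Admin; subnets from the lab inventory; new
# sites join DEFAULTIPSITELINK.

Import-Module ActiveDirectory

# Sites model locations; subnets map IP ranges onto sites so clients find a local DC.
New-ADReplicationSite   -Name 'hlab-test' -Description 'Secondary abhi.lab site'
New-ADReplicationSite   -Name 'UKEU'      -Description 'devt.local site'
New-ADReplicationSubnet -Name '192.168.1.0/24' -Site 'hlab'
New-ADReplicationSubnet -Name '192.168.2.0/24' -Site 'UKEU'

# Without a site link that contains both ends the KCC cannot build inter-site connections.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = 'hlab-test', 'UKEU' } -ReplicationFrequencyInMinutes 15

# Server objects live in the configuration partition, so a forest DC can move a DC of
# another domain; EUDC01 is looked up against its own domain first.
Move-ADDirectoryServer -Identity 'LABAD02' -Site 'hlab-test'
Get-ADDomainController -Identity 'EUDC01' -Server 'eudc01.devt.local' |
    Move-ADDirectoryServer -Site 'UKEU'

# Ask the KCC on EUDC01 to recompute its topology now instead of waiting for the next run.
repadmin /kcc eudc01.devt.local

# Verify placement across both domains and see which inbound connection the KCC built.
(Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object Name, Domain, Site
Get-ADReplicationConnection -Filter * -Server 'eudc01.devt.local' |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
```

The last command is where you would see the KCC-generated connection from LABAD02 that the next section relies on; `AutoGenerated` distinguishes it from connections an administrator creates.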
The new domain controller EUDC01.devt.local is in site UKEU, and the KCC made an automatic connection with server LABAD02.abhi.lab. This means that EUDC01 will replicate all settings from LABAD02, and if LABAD02 is not available EUDC01 will get failures/errors in replication. To test this I have powered off LABAD02.abhi.lab in my lab so this machine is not reachable:
And since this machine, labad02.abhi.lab, is the replication partner for server eudc01.devt.local, we see failures and errors in the replication status on server EUDC01.
To fix this replication error we have to switch on server labad02.abhi.lab, but let us say that for some unknown reason we are not able to power on this machine and the server keeps facing replication issues. So to fix this we have to change its replication partner and make a manual connection.
To create a manual connection for replication, expand the site and select NTDS Settings under the server object:
Select any available domain controller from the list and click OK. In this lab demo I have selected LABAD03 from the hlab site.
Label the connection.
So now we have a manual connection with LABAD03.abhi.lab from site hlab. Server EUDC01.devt.local is set to replicate from LABAD03.abhi.lab. This connection was not made automatically by the KCC; it was created manually.
Now we test the replication, and it shows that replication is happening from that server:
The screenshot below shows that EUDC01.devt.local is replicating from LABAD03.abhi.lab.
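The failure detection and the manual connection from this section, done from PowerShell rather than the console. This is an added example and not the article's code. It assumes an Enterprise Admin session, the default layout of the configuration partition (the two NTDS Settings DNs are built from the site and server names used above; check them with Get-ADObject before use), and that creating an nTDSConnection object with `options` 0 is the scripted equivalent of the console's New Active Directory Domain Services Connection dialog.

```powershell
# Added example (not from the article): surface the replication failure on EUDC01, then
# replace the KCC's inbound link with a manual connection from LABAD03.
# Assumptions: Enterprise Admin session; NTDS Settings DNs follow the default config
# partition layout for the site/server names used in this article.

Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE -Server 'eudc01.devt.local').configurationNamingContext

# 1. What the error screenshot shows: inbound failures and per-partition partner state.
Get-ADReplicationFailure -Target 'eudc01.devt.local' |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
Get-ADReplicationPartnerMetadata -Target 'eudc01.devt.local' -PartitionFilter All |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures

# 2. A manual connection is an nTDSConnection object under the destination DC's NTDS
#    Settings whose fromServer points at the source DC's NTDS Settings. options = 0 leaves
#    the IS_GENERATED bit (0x1) clear, so the KCC treats it as admin-owned and keeps it.
$destinationNtds = "CN=NTDS Settings,CN=EUDC01,CN=Servers,CN=UKEU,CN=Sites,$configNc"
$sourceNtds      = "CN=NTDS Settings,CN=LABAD03,CN=Servers,CN=hlab,CN=Sites,$configNc"

New-ADObject -Name 'EUDC01 from LABAD03' -Type 'nTDSConnection' -Path $destinationNtds `
    -OtherAttributes @{ fromServer = $sourceNtds; enabledConnection = $true; options = 0 } `
    -Server 'eudc01.devt.local'

# 3. Confirm the new inbound link (AutoGenerated = False), pull every partition across it
#    and recheck the partner metadata; LastReplicationSuccess should now be recent.
Get-ADReplicationConnection -Filter * -Server 'eudc01.devt.local' |
    Where-Object { $_.ReplicateToDirectoryServer -like '*EUDC01*' } |
    Select-Object Name, ReplicateFromDirectoryServer, AutoGenerated, Enabled
repadmin /syncall eudc01.devt.local /AdeP
Get-ADReplicationPartnerMetadata -Target 'eudc01.devt.local' |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

The first two commands are worth keeping as a routine health check: a non-zero `ConsecutiveReplicationFailures` against a partner that is meant to be permanently gone is the signal that the topology, not the partner, needs fixing.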
CREATE A MULTI-FOREST INFRASTRUCTURE
Now we can set up a new forest in our network and create a trust relationship between this new forest and our existing forest abhi.lab.
We will create a new domain in the new forest; the details are:
Forest name - fruit.lab
IP subnet - 192.168.4.0/24
Domain - fruit.lab
Domain controllers - USDC01
So let us start deploying another domain controller in our lab network. Install the Active Directory Domain Services binaries on the server in the same way as before. Once you get the Deployment Configuration wizard, follow the process below:
Select Add a new forest. Enter the name Fruit.lab.
This time we will select the domain and forest functional level Windows Server 2016. Enter the DSRM password and click Next.
Disregard the warning message on the DNS Options page and click Next.
Enter the NetBIOS domain name: Fruit.
Specify the location of the AD DS database, log files and SYSVOL files, and click Next. In my lab demo I have used the C drive for this domain controller.
Review the selections and click Next.
Click Install to begin the installation. Once it is done the server reboots, and the new forest and domain controller will be ready.
After the reboot, check the system properties:
This new domain controller belongs to site USAT.
Now we have 2 forests in our lab network:
Forest    | Servers                            | Network
----------|------------------------------------|---------------
abhi.lab  | labad03.abhi.lab, labad01.abhi.lab | 192.168.1.0/24
fruit.lab | usdc01.fruit.lab                   | 192.168.4.0/24
Next is to create a trust relationship between these 2 forests. In the next demo I will show how to create a forest trust between them. The trust type will be transitive but one-way. So in the next demo our forest domains will be:
Abhi.lab -- TRUSTING
Fruit.lab -- TRUSTED
To create a trust between 2 different forests, first we need to create a conditional forwarder in DNS so that each forest can look up DNS names in the remote forest.
First we will create a conditional forwarder in the abhi.lab forest. Log into LABAD03 and open the DNS management console. Right-click Conditional Forwarders and click New Conditional Forwarder.
Enter the remote forest domain name. In this lab it is fruit.lab and its IP is 192.168.4.10.
Check the box Store this conditional forwarder in Active Directory, and replicate it as follows:
Click OK, and we have created a conditional forwarder for the remote domain. Now we can test it using nslookup. We can see that DNS at labad03.abhi.lab is now resolving fruit.lab.
Repeat the same process on the fruit.lab domain controller.
Once the conditional forwarder is configured on both forests, it is time to set up the trust between them.
Log into Labad03.abhi.lab and run the command domain.msc. This will open Active Directory Domain Services. Select the forest domain abhi.lab, right-click and go to Properties. Select New Trust as shown below:
Click Next to continue.
Enter the name of the forest for this trust.
Select Forest trust. This creates a trust between two forests that allows users in any domain in one forest to be authenticated in any of the domains in the other forest.
Now we have 3 options here. In this lab demo I have selected One-way: incoming because I want abhi.lab forest users to be able to access the resources on fruit.lab, but I do not want fruit.lab users to access the resources in the abhi.lab forest.
Select Both this domain and the specified domain.
Enter the user name and password of an account that has enough permission in the fruit.lab forest. In this demo I have used the account trustadmin in fruit.lab.
Select Forest-wide authentication, because I want it to authenticate users for all the resources in the fruit.lab forest. We will look at selective authentication later in this lab.
Click Next and you will see the wizard making the trust changes. Click Next and it will create the trust between these two forests.
Now we have a trust record under incoming trusts from fruit.lab. This means users from abhi.lab can access resources on fruit.lab.
Log into the USDC01.fruit.lab domain controller, and we have the outgoing trust created here.
Click Properties and click Validate to validate the trust connection.
Yes, we want to validate the incoming trust. Enter credentials that have admin privileges in fruit.lab.
And yes, we have successfully verified the connection.
So our lab setup now looks like:
Forest - ABHI.LAB | Forest - FRUIT.LAB
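The whole procedure of this section, conditional forwarders first and then the one-way forest trust with validation, as a script. This is an added example, not the article's code. It assumes the abhi.lab part runs on LABAD03 as an Enterprise Admin and the fruit.lab part on USDC01 as a fruit.lab admin, that trustadmin is the fruit.lab account named above, and it uses the .NET System.DirectoryServices.ActiveDirectory classes for the trust itself because the ActiveDirectory module has no cmdlet that creates trusts.

```powershell
# Added example (not from the article): DNS prerequisite plus the one-way forest trust.
# Assumptions: abhi.lab commands run on LABAD03 (Enterprise Admin); fruit.lab commands on
# USDC01 (fruit.lab admin); fruit\trustadmin is the account the article uses.

# --- On labad03.abhi.lab: forwarder for the remote forest, stored in AD, forest-replicated.
Add-DnsServerConditionalForwarderZone -Name 'fruit.lab' -MasterServers 192.168.4.10 -ReplicationScope Forest

# --- On usdc01.fruit.lab: the mirror-image forwarder (LABAD03 is 192.168.1.11 in the inventory).
Add-DnsServerConditionalForwarderZone -Name 'abhi.lab' -MasterServers 192.168.1.11 -ReplicationScope Forest

# --- Back on labad03: both the host record and the DC locator SRV record must resolve,
#     otherwise neither the wizard nor the code below can find a fruit.lab DC.
Resolve-DnsName -Name 'usdc01.fruit.lab' -Type A
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.fruit.lab' -Type SRV

# Forest trust. Inbound on abhi.lab is the wizard's "One-way: incoming": abhi.lab users are
# authenticated in fruit.lab, not the reverse. CreateTrustRelationship writes both sides at
# once (the wizard's "Both this domain and the specified domain"), hence the remote credentials.
$remotePassword = Read-Host -Prompt 'Password for fruit\trustadmin (DirectoryContext takes plain text)'
$remoteCtx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList 'Forest', 'fruit.lab', 'fruit\trustadmin', $remotePassword
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCtx)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dir    = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound

$local.CreateTrustRelationship($remote, $dir)

# The Validate button: throws if the secure channel to the other forest cannot be set up.
$local.VerifyTrustRelationship($remote, $dir)

# abhi.lab should list an inbound, forest-transitive trust and fruit.lab its outbound twin.
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
Get-ADTrust -Filter * -Server 'usdc01.fruit.lab' `
    -Credential (Get-Credential -UserName 'fruit\trustadmin' -Message 'fruit.lab admin') |
    Select-Object Name, Direction, ForestTransitive
```

`SelectiveAuthentication` is `False` at this point because forest-wide authentication was chosen; the last section of the article is where that value changes.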
EXTERNAL TRUST BETWEEN DEVT.LOCAL AND FRUIT.LAB
So we have created a transitive forest trust between the abhi.lab and fruit.lab forests. Users from abhi.lab can access all the resources in fruit.lab because we selected forest-wide authentication.
And since the trust is transitive, fruit.lab trusts all the domains in the abhi.lab forest, so there is actually no need for any external trust between fruit.lab and devt.local.
But we will use these two domains to create an external trust relationship in our lab demo.
To do so, I will log into the devt.local domain controller eudc01.devt.local and run the command domain.msc.
This will open the Active Directory Domain Services console. Select the domain devt.local and go to Properties by right-clicking it.
Select the Trusts tab and click New Trust.
On the New Trust Wizard page, enter the domain name to create a trust with devt.local. In this lab demo the domain name is fruit.lab.
Select the direction of trust in this wizard. In this lab demo I have selected One-way: incoming so that users from the devt.local domain can be authenticated in fruit.lab.
This trust is an incoming trust; this time I have selected This domain only on the Sides of Trust page, and I will create the outgoing trust from fruit.lab to devt.local separately.
Enter the trust password. Make sure the same password is used when creating the outgoing trust from the specified domain.
Click Next to make the changes to this trust.
Click Next to configure the new trust.
Yes, I want to confirm the incoming trust. Enter credentials with admin rights for the domain fruit.lab.
Click Next and we have our external trust created. This trust is not transitive.
Now the outgoing trust needs to be created from fruit.lab. Enter the domain name devt.local.
Select Outgoing trust on the Direction of Trust wizard page.
Select This domain only.
Since we are creating an external trust between two domains from different forests, we have the option of Domain-wide authentication instead of forest-wide authentication. If you remember, during our forest trust setup we had the forest-wide authentication option.
Select Domain-wide authentication and click Next to continue.
Enter the same trust password that was used during the incoming trust setup.
Click Next to create the external trust.
Click Next to configure the trust.
Yes, I want to confirm the outgoing trust.
Click Finish to close the wizard.
And we have our outgoing trust set from the fruit.lab domain to devt.local.
Now we have trusts set up between all these domains and they are working. We can see it from one of our member servers, MS2016, which is part of the fruit.lab domain.
And finally, our domain network is set up like this:
Forest - ABHI.LAB | Forest - FRUIT.LAB
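The external trust of this section built the way the wizard's This domain only path builds it: each side writes only its own half, and a shared trust password ties the two halves together. This is an added example, not the article's code. It assumes part 1 runs on eudc01.devt.local as a devt.local admin, part 2 on usdc01.fruit.lab as a fruit.lab Domain Admin, that the same password is typed on both hosts, and that the abhi.lab account labadmin can be used to reach devt.local (the article shows abhi.lab accounts logging on there).

```powershell
# Added example (not from the article): external trust devt.local <- fruit.lab, one side
# at a time with a shared trust password. Assumptions: part 1 on eudc01.devt.local, part 2
# on usdc01.fruit.lab; identical password on both; ABHI\labadmin can authenticate to devt.local.

$trustPassword = Read-Host -Prompt 'Trust password (enter the identical value on both domains)'
$Inbound  = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound
$Outbound = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound

# --- Part 1, on eudc01.devt.local: incoming side. devt.local is the trusted (account)
#     domain. Only the local half is written, so no fruit.lab credentials are needed.
$devt = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$devt.CreateLocalSideOfTrustRelationship('fruit.lab', $Inbound, $trustPassword)

# --- Part 2, on usdc01.fruit.lab: outgoing side. fruit.lab is the trusting (resource)
#     domain. Same password, opposite direction.
$fruit = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$fruit.CreateLocalSideOfTrustRelationship('devt.local', $Outbound, $trustPassword)

# The wizard's "confirm outgoing trust" step. devt.local does not trust fruit.lab, so
# explicit credentials are needed to reach a devt.local DC.
$devtPassword = Read-Host -Prompt 'Password for abhi\labadmin'
$devtCtx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList 'Domain', 'devt.local', 'abhi\labadmin', $devtPassword
$devtRemote = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($devtCtx)
$fruit.VerifyTrustRelationship($devtRemote, $Outbound)

# External trusts are domain-to-domain and not transitive, unlike the forest trust.
# (DisallowTransivity is the module's spelling of the property name.)
Get-ADTrust -Identity 'devt.local' |
    Select-Object Name, Direction, ForestTransitive, DisallowTransivity, TrustType
```

Until part 2 has run, the verification at the end fails, which mirrors the wizard: confirming the outgoing trust only succeeds once the specified domain holds its half.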
SELECTIVE AUTHENTICATION BETWEEN TRUSTS
Selective authentication is a security setting that can be enabled on external trusts and forest trusts. Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions on computer objects (resource computers) that reside in the trusting forest.
It is time to check selective authentication:
Let us assume we want only a few users from devt.local to be able to access a fruit.lab resource. To do this, log into the trusting domain. In our lab the trusting domain is fruit.lab and the trusted domain is devt.local.
Open Active Directory Domain Services (run domain.msc), select the domain and go to Properties by right-clicking it.
Under the Trusts tab select the trusted domain, click Properties, go to the Authentication page and check the Selective authentication radio button. Click Apply and OK.
Now try to access a share in this trusting domain from our trusted domain controller eudc01.devt.local. Since we have a trust with selective authentication, it gives the error below:
We now have to give the trusted domain devt.local access to this resource. To do so, search for the resource object in the trusting domain fruit.lab and go to the Security tab for the object. In our lab demo it is the domain controller of the trusting domain, usdc01.fruit.lab.
Grant the Allowed to authenticate permission on the resource, and then we are able to access the resource.
And yes, now we can access the resource.
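The selective authentication switch and the Allowed to Authenticate grant from this section, scripted so that the permission is applied to exactly one computer object and can be audited afterwards. This is an added example and not the article's code. It assumes a fruit.lab Domain Admin session on usdc01.fruit.lab, a hypothetical devt.local group DEVT\EU-FileUsers as the principal, and the domain controller's computer object in its default container as the resource, matching the author's lab (for a member server, use that server's computer object).

```powershell
# Added example (not from the article): enable selective authentication on the devt.local
# trust and grant one devt.local group Allowed-To-Authenticate on one resource computer.
# Assumptions: run on usdc01.fruit.lab as Domain Admin; DEVT\EU-FileUsers is hypothetical;
# the resource is the DC object in its default container, as in the author's lab.

Import-Module ActiveDirectory

# 1. Trusting side: restrict the external trust to explicitly permitted computers.
$fruit = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$fruit.SetSelectiveAuthenticationStatus('devt.local', $true)
Get-ADTrust -Identity 'devt.local' | Select-Object Name, Direction, SelectiveAuthentication

# 2. Take the rights GUID of the Allowed-To-Authenticate control access right from the
#    schema rather than hard-coding it.
$configNc = (Get-ADRootDSE).configurationNamingContext
$car = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(cn=Allowed-To-Authenticate))' -Properties rightsGuid
$allowedToAuth = [guid]$car.rightsGuid

# 3. Resolve the foreign principal through the trust (fruit.lab trusts devt.local, so LSA
#    can translate DEVT\ names) and add an Allow ACE for that extended right on the computer.
$resourceDn = 'CN=USDC01,OU=Domain Controllers,DC=fruit,DC=lab'
$sid = (New-Object System.Security.Principal.NTAccount('DEVT', 'EU-FileUsers')).Translate(
           [System.Security.Principal.SecurityIdentifier])

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $sid,
           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
           [System.Security.AccessControl.AccessControlType]::Allow,
           $allowedToAuth)

$acl = Get-Acl -Path "AD:\$resourceDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$resourceDn" -AclObject $acl

# 4. Audit: who may authenticate to this computer across the trust?
(Get-Acl -Path "AD:\$resourceDn").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuth -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Granting the right on one computer object, as here, is what makes selective authentication worth enabling: the audit query at the end lists every trusted-domain principal that can reach that computer, which is the list a reviewer wants to see stay short.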
In this article we learned how to set up and configure Active Directory 2016 in simple and complex environments. We have also seen the different types of trust and how to set up trusts between different domains and forests.