SETTING UP ACTIVE DIRECTORY 2016

Active Directory is a directory service that Microsoft developed for windows domain networks. It is

included in most Windows operating system as a set of process and services. Active Directory has

been around since quite literally the last century, first released with Windows 2000 Server. Since then

we have so far seen eight updates to its function and services. Initially Active Directory was only in

charge of centralized domain management, starting with windows server 2008, however, Active

Directory became an umbrella title for a broad range of directory-based identity-related services.

In this article we will learn how we can maintain Active Directory 2016 in a complex environment. First

we will learn how to set an additional domain controller 2016 in an existing domain and then we will

create additional domain in a different site and finally we will learn to set up a multi forest

environment in 2016.

I’m using below servers in my virtual lab environment to set below AD network. And in this article we

will learn how to setup below AD network in windows 2016.

Forest - ABHI.LAB Forest- FRUIT.LAB

I’ve already set a domain environment in windows 2012 and I have 2 domain controllers running in my

forest. We will see now how to setup an additional domain controller 2016 in our existing domain.

Before the setup below is my existing forest/domain details:

Server Name Role Site Forest Domain

LABAD01

Domain

Controller hlab abhi.lab abhi.lab

LABAD02

Domain

Controller

hlab-

site abhi.lab abhi.lab

We will use labad03 to install additional domain controller in our existing domain. To do so, log into

server and open server manager and open Add Roles and Features Wizard and select Active Directory

Domain Services

LABAD03:

Server Name Role Site

OS

Version IP Address RAM hard Disk Forest Domain

LABAD01

Domain

Controller hlab

Win

2012 192.168.1.1 2 GB

C - 30 GB E-

20 GB abhi.lab abhi.lab

LABAD02

Domain

Controller

hlab-

test

Win

2012 192.168.1.12 2 GB

C - 30 GB E-

20 GB abhi.lab abhi.lab

LABAD03

Domain

Controller hlab Win2016 192.168.1.11 2 GB

C - 40 GB E-

20 GB abhi.lab abhi.lab

EUDC01

Domain

Controller UKEU Win2016 192.168.2.10 2 GB

C - 40 GB E-

20 GB abhi.lab Devt.Local

EUDC02

Domain

Controller UKEU Win2016 192.168.2.11 2 GB

C - 40 GB E-

20 GB abhi.lab Devt.Local

USDC01

Domain

Controller USAT Win2016 192.168.4.10 2 GB

C - 40 GB E-

20 GB Fruit.lab Fruit.lab

MS2012

Routing and

Remote

Services hlab win2008 192.168.1.200 1 GB 30 GB abhi.lab abhi.lab

192.168.2.200

192.168.4.200

MS2016 Member Server USAT

Win

2016 192.168.4.50 2 GB 40 GB

Wizard will automatically select all the necessary feature of AD deployments. Leave default

and click Next.

Click Next

Click Install on confirm installation selections to install active directory binaries on server.

Once feature got installed click the link promote this server to a domain controller

Now we will get AD deployment Configuration wizard to deploy a domain controller. In this

demo we will use our existing domain to install domain controller which is on windows 2016.

Select Add a domain controller to an existing domain

Make sure the credentials supplied for this operation has enough rights to deploy the active

directory. In my lab I have given domain admin rights for user account labadmin.

Click Next

We have these options in domain controller options. DNS and Global Catalog server roles are

selected and we are going to deploy the active directory in hlab site. Enter DSRM password

here This is a special password that need to enter once and then never need to enter again

except in the situation where someone need to perform an authoritative restore of the active

directory database.

Directory Service Restore Mode (DSRM) – is a safe mode boot option for windows server domain

controllers. It allows an administrator to repair or restore an active directory database.

Click Next after entering DSRM password for this domain controller.

Next is the DNS option, here we have a warning message says that delegation for this DNS

server can’t be created because the authoritative parent zone can’t be found. This is to be

expected, the wizard is trying to contact the name servers for .lab. it can be safely ignore

because we are not concerned that people in other domains or on the internet will not resolve

DNS queries for computer names in the local domain. So we can disregard the message and

click next.

Select a partner domain controller for replication. In this demo I have selected labd01.abhi.lab

Specify the location of AD files. As a best practise always a different folder than your sustem

folder. Since it is in my lab I am using system drive for the location of AD DS database.

I’ve used this purposely for this domain controller because in another article I will show how

this database move to another drive. But for this demo it is fine to use this drive. Click Next.

Now the wizard will do forest and schema preparation and domain preparation for you. Here

if your account doesn’t have enterprise and schema admin rights it will prompt you to enter

the credentials which has enough permission for ad forest and schema.

Since I’m using an account which has enterprise admin, schema admin and domain admin I don’t have

any permission issue. Click Next.

The Review Options page enables you to validate settings before we start the

installation. This is not the last opportunity to stop the installation using Server Manager. This

page simply enables you to review and confirm your settings before continuing the

configuration. Click Next.

Now wizard will give prerequisites check page. Some of the warning may be expected on this

page. It can be safely ignore and click Install to start the AD installation

Once it is done server will restart and after restart server will be a new domain controller.

So now we have another domain controller in our domain abhi.lab. To view this new domain controller

in our site, open active directory site and services wizard. To open this wizard run the command

dssite.msc

So we have now 3 domain controllers in domain abhi.lab and all the domain controllers sit in a single

site hlab. I will make it a bit simpler by creating a secondary site for domain controller

labad02.abhi.lab.

I have created another site called hlab-test and move the domain controller labad02 into this site.

At this stage my domain environment in my lab is like this. We have a forest/domain called abhi.lab

and we have 2 sites and 3 domain controllers:

Server Name Role Site Forest Domain

LABAD01

Domain

Controller hlab abhi.lab abhi.lab

LABAD02

Domain

Controller

hlab-

site abhi.lab abhi.lab

LABAD03

Domain

Controller hlab abhi.lab abhi.lab

Forest - abhi.lab

Now I will show how to setup a new tree domain in existing forest ABHI.LAB. and this new domain will

be in different subnet that this. But before I will install and configure a new server for routing and

remote access so that the all subnet in this lab can communicate with each other.

To demonstrate this in my lab I am using a server 2012 which is a member server of abhi.lab domain

My RRAS server has three network adapter:

192.168.1.200 --- abhi.alb

192.168.2.200 --- devt.local ( new tree domain)

192.168.4.200 -- fruit.local ( new forest)

To configure RRAS service in the server install the roles and configure deply VPN only as shown below:

Right click the server in Routing and Remote access wizard and click configure and enable

Routing and Remote Access.

This will start setup wizard click Next to continue.

Select Custom configuration and click next.

Select LAN Routing

Click Finish to Complete the Routing and Remote Access Server setup wizard.

Start the service

And we have our routing and remote access server ready for lan routing

Select IPv4 – General and check the status.

To test if our RRAS server is running and working fine, login to new server which we will be using for

new domain installation and open command prompt or PS window and ping a IP from different

subnet. Here we can successfully able to ping server from different subnet.

INSTALL NEW DOMAIN TREE IN ABHI.LAB FOREST

Now we are ready to install one more domain in our existing forest. And in this section I will show how

to install a new domain tree in forest “devt.local” and domain controller “eudc01.devt.local”

A domain tree is made up of several domains that share a common schema and configuration,

forming a contiguous namespace. Domain in a tree also also linked together by trust relationship. It is

different than child domains. Child domain shares the same Domain naming master & schema master

role & it inherits namespace of parent domain.

I’m using below server to install a new tree domain.

EUDC01

Domain

Controller UKEU Win2016 192.168.2.10 2 GB

C - 40 GB E-

20 GB

The new domain controller name for this domain -- EUDC01.devt.local

Install the active directory domain services role. And once binaries are installed click the link to

promote the server to domain controller.

Select Add a new domain to an existing forest in Deployment Configuration Page.

Specify the new domain as – devt.local

Select Domain Functional level as Windows Server 2012 R2

We can safely ignore the warning message in DNS options. Click next to continue.

The Additional Options page shows the NetBios name of the domainBy default, the NetBIOS

domain name matches the left-most label of the fully qualified domain name provided on

the Deployment Configuration page.

Specify the location of Active Directory files in the Paths page. In my lab demo I have used E

drive for the location of AD DS database, the database transaction logs and the SYSVOL share.

Click Next

Review the selections and click Next.

Make sure no errors in this page and click Install to deploy active directory domain services.

Once it is done it will restart the server and we have our new domain ready.

Once server reboot, check the system properties and we have our first domain controller ready in a

new tree domain in our existing forest.

And this new domain controller is part of same site –hlab.

Since Domain in a tree also also linked together by trust relationship, we can login into domain

“devt.local” using “abhi.lab” account.

And to check the FSMO role for this domain, run the following command:

Netdom query fsmo

In the above screenshot, the FSMO role for domain devt.local is showing schema master and Domain

naming master is from abhi.lab and PDC ,RID and Inframaster master owner is devt.local.

This is because the schema master FSMO role holder is the responsible for performing updates to the

directory schema and is the only one that can process to the directory schema. Once the schema

update is complete it is replicated from the schema master to all other DCs in the forest and there is

only one schema master per forest. And so this role is considered as Forest-wide Role.

Also Domain Naming Master in another forest-wide FSMO role and is the responsible for making

changes to the forest-wide domain name space of the directory and it is only one that can add or

remove a domain from forest.

Now next is create a different site for this domain and domain controller. To do this I opened active

directory sites and services and created a new site “UKEU”.

And moved this domain controller “EUDC01.devt.local” into this site.

So now our forest structure for lab is like as below. We have a forest “abhi.lab” with two domains

“abhi.lab” & “devt.local”

Server Name Role Site Forest Domain

LABAD01

Domain

Controller hlab abhi.lab abhi.lab

LABAD02

Domain

Controller

hlab-

site abhi.lab abhi.lab

LABAD03

Domain

Controller hlab abhi.lab abhi.lab

EUDC01

Domain

Controller UKEU abhi.lab devt.local

The new domain controller “EUDC01.devt.local” is in site UKEU and KCC made automatic connection

with server LABAD02.abhi.lab. This means that this server with replicate all settings from this server.

And if this server is not available then server will get failure/error in replication. To test this I have

made LABAD02.abhi.lab powered off in my lab so this machine is not reachable:

And since this machine “labad02.abhi.lab” is a replication partner for server eudc01.devt.local we will

see failure and error in replication status on server EUDC01.

To fix this replication error, we have to switch on server “labad02.abhi.lab” but let say for some

unknown reason we are not able to power on this machine and the server is facing replication issue.

So to fix this we have to change its replication partner and have to make a manual connection.

To create a manual connection for replication, expand site and select NTDS Settings under Server

object:

Select any available domain controllers from the list and click OK. In this lab demo I have

selected LABAD03 from hlab site.

Label the connection

So now we have a manual connection with LABAD03.abhi.lab from site hlab. Server

EUDC01.devt.local is set to replicate from LABAD03.abhi.lab. This connection is not made by

KCC automatically and created manually.

And now we will test the replication and it will show that replication is happening from the server:

Below shot shows that EUDC01.devt.local is replicated from LABAD03.abhi.lab.

CREATE A MULTI-FOREST INFRASTRUCTURE

Now we can setup a new forest in our network and will make a trust relationship between this new

forest and our existing forest abhi.lab

We will create a new domain in new forest and details are:

Forest name – fruit. Lab

IP subnet – 192.168.4.0/24

Domain- fruit. Lab

Domain controllers – USDC01

So let’s start deploying another domain controller in our lab network. Use the same way to install

Active Directory Domain Services binaries on server. Once you got the Deployment Configuration

wizard follow the process as below:

Select Add a new forest . Enter the name Fruit.lab

This time we will select domain and forest functional level as Windows Server 2016. Enter the

DSRM password and click Next.

Disregard the warning message in DNS Options page and click Next.

Enter the netbios domain name - Fruit

Specify the location of the AD DS database, log files and SYSVOL files. And click Next. In my

lab demo I have used C drive for this domain controller.

Review the selection and click Next.

Click Install to begin installation. Once it is done server will get reboot and a new forest and

domain controller will be ready.

After reboot check the system properties:

This new domain controller is belongs to site USAT.

Now we have 2 forest in our lab network:

Forest Server Network

abhi.lab labad03.abhi.lab labad01.abhi.lab 192.168.1.0/24

fruit.lab usdc01.fruit.lab 192.168.4.0/24

Next is to create a trust relationship between these 2 forest. In the next demo I will show how to

create a forest trust relation between these 2 forest. The trust type will be transitive but one way trust

type. So in the next demo our forest domain will be:

Abhi.lab -- TRUSTING

Fruit.lab – TRUSTED

To create a trust between 2 different forests first we need to create Conditional forwarder in DNS so

that it can look up the DNS for remote forest.

First we will create a conditional forwarder in abhi.lab forest. Log into LABAD03 and open DNS

management console. Right click the conditional forwarder and click New Conditional Forwarder

Enter the remote forest domain Name. In this lab it is fruit.lab and its IP is 192.168.4.10.

Check the box store this command forwarder in Active Directory and replicate it as follows:

Click ok and we have created a conditional forwarder for remote domain. Now we can test it

using nslookup. We can see now DNS at labad03.abhi.lab is resolving to fruit.lab

Repeat the same process on fruit.lab domain controller.

Once conditional forwarder is configured on both forests , it is time to setup the trust between them.

Log into Labad03.abhi.lab and run the command – domain.msc. this will open Active Directory

Domain Services. Select the forest domain abhi.lab and right click and go to properties. And Select

New trust and shown below:

Click Next to continue

Enter the name of the forest for this trust.

Select Forest trust. This will allow trust between two forests that allows users in any of the

domain in one forest to be authenticated in any of the domains in the other forest

Now we have 3 options here. In this lab demo I have selected one-way incoming because I

want abhi.lab forest users can access the resources on fruit.lab but I don’t want fruit.lab users

to access the resources on abhi.lab forest.

Select Both this domain and the specified domain.

Enter the user name and password that has enough permission on fruit.lab forest. In this

demo I have used account trustadmin at fruit.lab

Select Forest-wide authentication. Because I want it authenticate users for all the resources in

fruit.lab forest. We will selective authentication next in this lab

Click Next and you will see the wizard is making trust changes. Click next and it will create a

trust between these two forest.

Now we have a trust record in incoming trusts from fruit.lab this means users from abhi.lab can access

the resource on fruit.lab

Log into USDC01.fruit.lab domain controller and we have outgoing trust here created.

Click properties and click validate the trust connection

Yes we want to validate the incoming trust. Enter the credentials which has admin privileges in

fruit.lab

And yes we have successfully verified the connection.

So our lab setup will be like:

Forest - ABHI.LAB Forest – FRUIT.LAB

EXTERNAL TRUST BETWEEN DEVT.LOCAL and FRUIT.LAB

So we have created a forest trust transitive type trust between abhi.lab and fruit.lab forest. User from

abhi.lab can access all the resources from fruit.lab because we had selected forest-wide

authentication.

And since the trust is transitive type fruit.lab can trust all the domain in abhi.lab forest. And actually

there is no need for any external trust between fruit.lab and devt.local.

But we will use these two domain to create an external trust relationship in our lab demo.

To do so I will login into devt.local domain controller eudc01.devt.local. run the command –

domain.msc.

This will open active directory domain services console. Select the domain devt.local and go to

properties by right click it.

Select Trust console and click new trust.

In the New trust Wizard Page enter the domain name to create a trust with devt.local. In this

lab demo the domain name is fruit.lab

Select Direction of trust in this wizard. In this lab demo I have selected “one-way incoming” so

that users from devt.local domain can be authenticated in the forest.lab

This trust is a incoming direction type of trust, This time I have selected This domain only in

sides of trust page. And I will create outgoing trust from fruit.lab to devt.local.

Enter the trust password. Make sure the same password to used when creating outgoing trust

from specified domain.

Click Next to make changes to this trust.

Click next to configure the new trust.

Yes I want to confirm the incoming trust. Enter the credentials with admin rights for domain

forest.lab

Click Next and then we have our external trust created. And this trust is not transitive.

Now outgoing trust need to create from forest.lab. Enter the domain name- devt.local

Select Out-going Trust in the direction of trust wizard page.

Select This domain only This domain only.

And since we are creating external trust between two domains from different forest we have

option of Domain-Wide authentication instead of forest-wide authentication. If you remember

during our forest trust relationship we had forest-wide authentication option.

Select Domain-wide authentication and click Next to continue

Enter the same trust password which used during incoming trust set up.

Click Next to Create external trust.

Click Next to configure the trust.

Yes I want to confirm the outgoing trust.

Click Finish to close the wizard.

And we have our out-going trust type set from fruit.lab domain to devt.local

Now we have trust setup between all these domain and it is working. We can see it from one of our

member server MS2016 which is part of fruit.lab domain.

And finally, our domain network is setup like:

Forest – ABHI.LAB Forest – FRUIT.LAB

SELECTIVE AUTHETICATION BETWEEN TRUST

Selective authentication is a security setting that can be enabled on external trusts and forest trusts.

Selective authentication over a forest trust restricts access to only those users in a trusted forest who

have been explicitly given authentication permissions to computer objects (resource computers) that

reside in the trusting forest.

It’s a time to check for selective authentication:

Let’s assume we want only few users from devt.local can access on fruit.lab resource. To do this, log

into trusting domain. In our lab trusting domain is and trusted domain is devt.local

Open Active Directory Domain Services ( run – domain.msc) and select the domain and go to

properties by right click it.

Under trusts tab select the trusted domain and click properties and go to the authentication page and

check radio button of selective authentication. And click apply and ok

Next now try to access this trusting domain share from our trusted domain controller

“eudc01.devt.local” and since we have a trust with selective authentication it will give error as below:

We have now to give an access for this resource to access by trusted domain “devt.local”. To do so

search the resource object in trusting domain “fruit.lab” and go to security tab for object. In our lab

demo it is the domain controller of trusting domain “usdc01.fruit.lab”

Give the resource permission to allow to authenticate. And then we can able to access the resource.

And yes now we can access the resource

In this article we learned how to setup and configure Active Directory 2016 in a simple and complex

environment. We have also see different type of trust and how to set up trust between different

domain and forest.