Adding Active Directory to Windows Server 2016 Core

Microsoft Windows Server, , , ,

Server 2016

Overview of Active Directory and Windows Server 2016 Core

What is the trimmest, slimmest Windows Server 2016 system you can spin up these days? Well, that is Nano Server. But unfortunately, Nano Server does not support hosting Active Directory in any variation. In steps “Server Core” for Windows Server 2016. In this post, I outline just how easy it is to add Active Directory (and a Domain Controller) using this Graphical User Interface-less version of Windows Server 2016.

The Steps

How do we get Active Directory implemented in a “normal” GUI-based version of Windows Server 2016? Well of course we use the Add Roles and Features Wizard launched from Server Manager. We then engage in two steps. We add Active Directory Services, and then we promote the server to a Domain Controller. Nothing changes in Server Core! Except, since there is no GUI, we MUST use Windows PowerShell in order to perform these two steps. Interestingly, we could have done it this way in the Desktop Experience version of Windows Server 2016 as well.

Installing Active Directory with PowerShell in Server Core

In order to perform the first step, installing AD, follow these simple steps:

  1. At the Server Core Command Prompt window, launch Windows PowerShell using the powershell command.
  2. In Windows PowerShell, use the following command:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Be sure to stick around and receive confirmation of success from the system.

Promoting Server Core to a Domain Controller

Here is the process for your second step, the promotion of the Server Core system to a Domain Controller:

  1. At the Server Core Command Prompt window, launch Windows PowerShell using the powershell command.
  2. In Windows PowerShell, use the following command:
Install-ADDSForest -DomainName nuggetlab.com

You will need to provide Directory Services Restore Mode password and press Enter.

Just as with the larger Desktop Experience version of Windows Server 2016, your nimble Server Core needs a reboot when this promotion process is complete.

Deploying and Managing Active Directory with Windows PowerShell: Tools for cloud-based and hybrid environments

Security Identifiers (SID) in Active Directory

Microsoft Windows Server, , ,

SID

Here is post on the SID in AD serving as a great primer for Identity in Windows Server 2016.

SID Overview

In our post here at the blog on the important FSMO roles, we examined the RID Master. This device helps with the creation of unique Security Identifiers (SIDs) in the domain. The SID is used to uniquely identify an object that receives security permissions. A SID consists of several components. One of those components is the Relative Identifier (RID). The RID Master gives your domain controllers each their own portion of the overall RID pool. This keeps different domain controllers from creating and assigning the same SID to different objects in your domain.

The SID Dissected

The Windows SID is generally made up of 2 fixed fields and up to 15 additional fields all separated by dashes. For example, the format looks like this:

S-v-id-s1-s2-s3-s4-s5-s6-s7-s8-s9-s10-s11-s12-s13-s14-s15

Here is the actual SID I am using right now on Windows 10:

S-1-5-21-863435222-3640012759-1033413245-1001

Notice the following about SIDs:

  • The first fixed field (v) describes the version of the SID structure, Microsoft has never changed this from 1
  • The second field (id) is the identifier authority; it uniquely identifies the authority involved; for example, NULL (0), World (1), Local (2), NT Authority (5)
  • The next 15 fields are not all required and are called sub-authorities; they help uniquely identify the object
  • The last sub-authority field is normally the RID

Well-Known SIDs

There are indeed well-known SIDs. For example:

  • S-1-5-10; this represents NT Authority/Self
  • S-1-1-0; this represents Everyone

There is also a well-known RID of 500. This translates to the built-in administrator account. Here we can see this on my Windows 10 system:

SID

I hope you enjoyed this post on the important SIDs in Windows technologies!
Pearson Education (InformIT)