Requirements

Features

The following will be installed and configured:

  • Windows Server 2022 (Server Core, no desktop experience)
  • Active Directory Domain Services (AD DS), including the Flexible Single Master Operation (FSMO) roles
  • DNS Server

System Requirements

We will configure AD with the following Virtual Machine (VM) specs:

  • CPU: 1 socket x 4 vCPU (2.2GHz)
  • Storage: 100GB (thin provision)
  • Memory: 16GB
  • Network: VMXNET3

Resource: Capacity planning for Active Directory Domain Services | Microsoft Learn

Installation

OS Installation

Proceed with the Windows Server 2022 installation. In our case, we install the Server Core (no desktop experience) option of the Datacenter edition.

Change Computer Name

  • At SConfig console, pick option 2) Computer Name
  • Restart the computer when asked

Assign Temporary fixed IP

  • At the SConfig console, pick option 8) Network settings
  • Select the adapter index. This is usually 1 if there is only one Network Interface Card (NIC)
  • Pick option 1) Set network adapter address
  • Choose S for static
  • Follow the prompt and fill in the required information
    • IP address
    • Subnet mask
    • Default gateway
  • Go back to 8) Network settings and pick your adapter index again
  • Next, choose 2) Set DNS servers
  • Follow the prompt and fill in the required information
    • Preferred DNS server (an existing DC that hosts the AD zone; the server must be able to resolve the domain before it can join it)
    • Alternate DNS server

Telemetry settings

  • On SConfig, pick 11) Telemetry
  • Follow the prompt to change telemetry settings

Join Existing domain

  • On SConfig, pick 1) Domain/workgroup
  • Choose D for Domain
  • Enter the domain name and the credentials of an account allowed to join computers, then restart when prompted

Enable PowerShell remoting

  • On SConfig, pick 15) Exit to command line (PowerShell)
  • Enter the following commands
# Enable PSRemoting. This also starts the WinRM service and enables the built-in
# "Windows Remote Management" firewall rules for the Domain and Private profiles.
Enable-PSRemoting -Force

# Explicit inbound rule for WinRM over HTTP (5985), limited to the Domain profile so the
# listener is not exposed on networks classified as Public or Private. Between domain
# members the WinRM payload is protected by Kerberos message encryption; for management
# from outside the domain use an HTTPS listener on 5986 instead.
New-NetFirewallRule -DisplayName "Allow inbound PowerShell" -Direction Inbound -LocalPort 5985 -Protocol TCP -Action Allow -Profile Domain

Use the command below instead if DNS is not yet configured properly and the network is still classified as Public. Enable-PSRemoting refuses to run on a Public network without this switch; with it, the Public-profile WinRM rule it creates only allows access from the local subnet. Once the server is domain-joined and the profile shows Domain, the switch is no longer needed.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

Install PoSh 7

Copy the latest PowerShell 7 MSI to the destination server and run the silent install below. The properties are the ones documented for the PowerShell MSI: ENABLE_PSREMOTING=1 registers a PowerShell 7 WinRM endpoint alongside the Windows PowerShell 5.1 one, USE_MU/ENABLE_MU let Microsoft Update patch PowerShell, and the two *_CONTEXT_MENU_* properties are harmless but have no effect on Server Core. Verify the MSI's Authenticode signature and published hash before executing it; it is a privileged install on a domain controller.

msiexec.exe /package PowerShell.msi /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ADD_FILE_CONTEXT_MENU_RUNPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1 USE_MU=1 ENABLE_MU=1 ADD_PATH=1
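The signature and hash check described above, as an added example that is not part of the original page. It assumes the MSI was copied to C:\Temp and that you have the SHA256 value from the PowerShell GitHub release page (the placeholder below is not a real hash); the install only proceeds when both checks pass.

```powershell
# Added example: verify the PowerShell 7 MSI before installing it on the DC.
# $Msi and $ExpectedHash are placeholders (assumptions), replace with your values.
$Msi          = 'C:\Temp\PowerShell.msi'
$ExpectedHash = 'REPLACE-WITH-PUBLISHED-SHA256'   # placeholder, not a real hash

# 1. Authenticode signature must be valid and the signer must be Microsoft
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. File hash must match the hash published with the release
$actual = (Get-FileHash -Path $Msi -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {        # -ne is case-insensitive in PowerShell
    throw "Hash mismatch: expected $ExpectedHash, got $actual"
}

# 3. Only now run the silent install with the documented MSI properties
#    (context-menu properties omitted, they do nothing on Server Core)
$msiArgs = @(
    '/package', $Msi, '/quiet',
    'ENABLE_PSREMOTING=1', 'REGISTER_MANIFEST=1',
    'USE_MU=1', 'ENABLE_MU=1', 'ADD_PATH=1'
)
$p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is required
if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode)" }
```

Run it from an elevated Windows PowerShell 5.1 session; the script stops with a terminating error at the first failed check, so nothing is installed from a tampered or mis-downloaded package.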

Firewall

Port           Protocol   Service
135            TCP        RPC Endpoint Mapper
1024-65535     TCP        RPC for LSA, SAM, NetLogon (*)
389            TCP/UDP    LDAP
636            TCP        LDAP SSL
3268           TCP        LDAP GC
3269           TCP        LDAP GC SSL
53             TCP/UDP    DNS
88             TCP/UDP    Kerberos
445            TCP        SMB
1024-65535     TCP        DFS Replication (DFSR) RPC (*)

(*) Dynamic RPC ports. Windows Server 2008 and later use 49152-65535 by default; 1024-65535 only matters for pre-2008 systems. Rather than opening the whole range, the rules below allow the lsass.exe and dfsrs.exe programs, so only the ports those services actually listen on are reachable. SYSVOL on a Windows Server 2022 DC is replicated by DFSR; the legacy File Replication Service (FRS) is not supported on it.

The Microsoft page referenced below also lists 123/UDP (W32Time), 464/TCP/UDP (Kerberos password change) and 9389/TCP (Active Directory Web Services, required by the ActiveDirectory PowerShell module when used from another host); add rules for those if your environment needs them.

# Add firewall rules for the AD server, Domain profile only.
# Installing the AD DS role also creates and enables the built-in rule group
# "Active Directory Domain Services"; the explicit rules below document what is expected to be open.

New-NetFirewallRule -DisplayName "Allow inbound RPC Endpoint mapper" -Direction Inbound -LocalPort 135 -Protocol TCP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound LDAP" -Direction Inbound -LocalPort 389 -Protocol TCP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound LDAP" -Direction Inbound -LocalPort 389 -Protocol UDP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound LDAP SSL" -Direction Inbound -LocalPort 636 -Protocol TCP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound GC" -Direction Inbound -LocalPort 3268-3269 -Protocol TCP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound DNS" -Direction Inbound -LocalPort 53 -Protocol TCP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound DNS" -Direction Inbound -LocalPort 53 -Protocol UDP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound Kerberos" -Direction Inbound -LocalPort 88 -Protocol TCP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound Kerberos" -Direction Inbound -LocalPort 88 -Protocol UDP -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound SMB" -Direction Inbound -LocalPort 445 -Protocol TCP -Action Allow -Profile 'Domain'

New-NetFirewallRule -DisplayName "Allow inbound LSA" -Direction Inbound -Program "C:\Windows\System32\lsass.exe" -Action Allow -Profile 'Domain'
New-NetFirewallRule -DisplayName "Allow inbound DFSR" -Direction Inbound -Program "C:\Windows\System32\dfsrs.exe" -Action Allow -Profile 'Domain'

New-NetFirewallRule -DisplayName "Allow ICMP Ping" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile 'Domain'

# Enable Remote Service Management inside Firewall Advanced Security
Set-NetFirewallRule -DisplayGroup "Remote Service Management" -Enabled True
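An audit to run after the rules above, as an added example that is not part of the original page: it lists every enabled inbound allow rule with its ports, program and profile, then flags rules that are not limited to the Domain profile and port rules outside the set this runbook expects. The expected-port list (the rules above plus 123, 464, 9389 and 5985) is an assumption about this environment; adjust it to yours.

```powershell
# Added example: audit what the DC's firewall actually exposes, and on which profiles.
function Get-InboundAllowRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter          # protocol / local ports
        $app  = $rule | Get-NetFirewallApplicationFilter   # program path, if any
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Profile   = $rule.Profile                      # Domain, Private, Public or Any
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')        # e.g. '135', '3268-3269', 'Any'
            Program   = $app.Program
        }
    }
}

# Ports a DC built from this runbook is expected to expose (assumption for this environment)
$ExpectedPorts = @('135','389','636','3268-3269','53','88','445','123','464','9389','5985')

$rules = Get-InboundAllowRule

Write-Host "== Inbound allow rules not restricted to the Domain profile =="
$rules | Where-Object { $_.Profile -ne 'Domain' } |
    Format-Table Name, Profile, Protocol, LocalPort, Program -AutoSize

Write-Host "== Port rules outside the expected set =="
$rules | Where-Object {
    $_.LocalPort -and $_.LocalPort -ne 'Any' -and $_.LocalPort -notin $ExpectedPorts
} | Format-Table Name, Profile, Protocol, LocalPort -AutoSize

Write-Host "== Program-based rules (any port the program listens on) =="
$rules | Where-Object { $_.Program -and $_.Program -ne 'Any' } |
    Format-Table Name, Profile, Program -AutoSize
```

Anything in the first table is reachable on a network the host classifies as Public or Private, which for a DC should normally be nothing; the third table is where the lsass.exe and dfsrs.exe rules will show up.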

Resource: Configure firewall for AD domain and trusts – Windows Server | Microsoft Learn

Migration Workflow

Work through the following checklist before and during the migration

  1. Check AD infrastructure health (replication, DNS and dependency services; see below)
  2. Confirm SYSVOL already replicates with DFSR: run dfsrmig /getglobalstate on the existing DC and make sure it reports the Eliminated state. A Windows Server 2022 DC cannot be promoted into a domain whose SYSVOL still uses FRS, which is common in domains that started on 2008 R2 or earlier
  3. Patch the new server with the latest Windows Updates
  4. Note down the "existing DC IP address" and the "temporary DC IP address"
  5. Install the AD DS role on the new server
  6. If required, take a VM snapshot before promotion. Do not restore a DC from a snapshot once it has replicated unless the hypervisor supports VM-Generation ID; otherwise you risk a USN rollback
  7. Migrate application and server roles from the existing domain controllers
  8. Migrate the FSMO roles to the new DC
  9. Add the new DC to the existing monitoring system
  10. Add the new DC to the existing Disaster Recovery (DR) plan
  11. Finalize DNS settings
  12. Decommission ALL old DCs
  13. Raise the domain and forest functional level
  14. Perform ongoing maintenance

Resource: How to migrate Active Directory from Windows Server 2008 R2 to Windows Server 2022 (microsoft.com)

Check AD Health on Existing Server

Resource: How to check Active Directory health using powershell | ManageEngine ADAudit Plus

Replication

Make sure that the existing Domain Controllers (DCs) are in sync and replication is healthy

# Check replication summary
repadmin /replsummary

If there is any issue with replication, fix the issue before proceeding

Check Dependency Services

Make sure the services AD depends on are running. Get-Service matches on the service name, not the display name, so the short names are used here (DNS = DNS Server, DFSR = DFS Replication, IsmServ = Intersite Messaging, Kdc = Kerberos Key Distribution Center, NTDS = Active Directory Domain Services)

$Services = 'DNS', 'DFSR', 'IsmServ', 'Kdc', 'Netlogon', 'NTDS', 'W32Time'
# Anything not 'Running' needs attention before continuing
Get-Service -Name $Services | Select-Object Name, DisplayName, Status

Use DCDiag to check various aspects

One of the most common root causes of AD problems is DNS: a DC that cannot resolve its partners' SRV records cannot replicate with them.

DCDiag /Test:DNS /e /v

Check for insecure LDAP binds

This is good cyber hygiene rather than a migration prerequisite. Event 2889 records each LDAP simple bind sent in clear text and each SASL bind that did not request signing, together with the client IP address and the account used, which is exactly what you need to know before enforcing LDAP signing and channel binding. The event is written to the Directory Service log (not the Security log), and only when LDAP interface event logging is raised to level 2 (registry value "16 LDAP Interface Events" under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics). Event 2887, the 24-hourly count of such binds, is logged by default.

Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'
    ID      = 2889
}
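The check above taken one step further, as an added example that is not part of the original page: it raises the LDAP interface logging level, then parses the 2889 events into client, identity and bind type and counts them, which gives you the list of clients to fix before signing is enforced. The parser assumes the event message carries the "Client IP address:", "Identity the client attempted to authenticate as:" and "Binding Type:" lines as logged by current Windows Server versions, and that binding type 0 means an unsigned SASL bind and 1 a clear-text simple bind.

```powershell
# Added example: enable LDAP interface events and summarise insecure binds (event 2889).
$reg = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $reg -Name '16 LDAP Interface Events' -Value 2 -Type DWord

function Get-InsecureLdapBind {
    param([int]$Days = 1)
    $bindNames = @{ 0 = 'UnsignedSASL'; 1 = 'SimpleClearText' }   # assumed meaning of Binding Type
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        # Each value sits on the line after its label; grab up to the end of that line
        $ip   = if ($m -match 'Client IP address:\s*([^\r\n]+)')  { $matches[1].Trim() }
        $who  = if ($m -match 'authenticate as:\s*([^\r\n]+)')    { $matches[1].Trim() }
        $type = if ($m -match 'Binding Type:\s*(\d+)')            { [int]$matches[1] }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Client   = $ip                      # IP:port of the binding client
            Identity = $who                     # DOMAIN\account the client bound as
            BindType = if ($null -ne $type -and $bindNames.ContainsKey($type)) { $bindNames[$type] } else { 'Unknown' }
        }
    }
}

# Who is binding insecurely, and how often, over the last week
Get-InsecureLdapBind -Days 7 |
    Group-Object Client, Identity, BindType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Leave the logging level at 2 for at least a full business cycle (batch jobs and monthly tasks bind too) before deciding that the list is complete; set it back to 0 once signing is enforced, as level 2 is verbose on busy DCs.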

Check for Global Catalog (GC) Server

To list the Global Catalog servers in the forest, run

# Change example.com to your domain name

Get-ADForest example.com | FL GlobalCatalogs

Installing AD on new server

Install Windows Role and Feature

We need to make the new server (Windows Server 2022) an additional domain controller:

  • Log in with an account that is a member of Domain Admins (or Enterprise Admins)
  • Verify the static IP address and that the preferred DNS server is an existing DC
  • Launch PowerShell as Administrator
  • Install the AD DS role on the server
# Installs the AD DS binaries and the management tools (AD PowerShell module, dcdiag, repadmin)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Promoting to Domain Controller

Configure the new server as an additional domain controller with the following. The cmdlet prompts for the Directory Services Restore Mode (DSRM) password because -SafeModeAdministratorPassword is not supplied; store that password somewhere safe, it is the only way into the DC when AD DS cannot start. The server reboots automatically when promotion finishes.

# Change example.com to your domain name
# Change existing.example.com to your existing DC
# -InstallDns:$true installs the DNS Server role; -CreateDnsDelegation:$false skips the parent-zone delegation (there is none in a single-domain forest)
# -Force:$true suppresses the confirmation prompts only; the DSRM password prompt still appears

Install-ADDSDomainController -CreateDnsDelegation:$false -InstallDns:$true -DomainName "example.com" -SiteName "Default-First-Site-Name" -ReplicationSourceDC "existing.example.com" -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -Force:$true

Checking Replication

After running the above, check replication status before proceeding

# Check replication summary
repadmin /replsummary

Configure Time Server for New DC

Many Windows and network functions rely on robust time synchronisation; Kerberos in particular rejects tickets when clocks differ by more than the allowed skew (5 minutes by default). In a domain only the PDC emulator should synchronise with an external source; every other DC, including this new one while the PDC emulator role still sits on the old server, should follow the domain hierarchy.

# Replace ntp.example.com with your NTP server name or IP address
# Run this on the PDC emulator only (on the new DC, after the PDC emulator role has moved to it)
w32tm.exe /config /syncfromflags:manual /manualpeerlist:ntp.example.com /reliable:yes /update

# On every other DC: take time from the domain hierarchy
w32tm.exe /config /syncfromflags:domhier /update

# Force a resync after changing the configuration
w32tm.exe /resync

# To check configuration and source of time synchronization
w32tm /query /configuration
w32tm /query /source
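The role-dependent configuration above as one script, added here as an example and not part of the original page: it looks up the current PDC emulator, applies the external-peer configuration only if this DC holds the role and the domain-hierarchy configuration otherwise, then verifies the source. ntp.example.com is a placeholder.

```powershell
# Added example: configure W32Time according to whether this DC is the PDC emulator.
$pdc   = (Get-ADDomain).PDCEmulator                                   # FQDN of the PDC emulator
$self  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # this DC's FQDN
$peers = 'ntp.example.com'                                            # placeholder external source

if ($self -ieq $pdc) {
    # PDC emulator: sync from the external peer and advertise as a reliable time source
    w32tm.exe /config /syncfromflags:manual "/manualpeerlist:$peers" /reliable:yes /update
} else {
    # Any other DC: follow the domain hierarchy, do not claim to be reliable
    w32tm.exe /config /syncfromflags:domhier /reliable:no /update
}

Restart-Service -Name w32time
w32tm.exe /resync /rediscover

# Expected: the peer name on the PDC emulator, another DC's name on the others
w32tm.exe /query /source
w32tm.exe /query /status
```

Re-run the script on the new DC after the FSMO migration below; once it holds the PDC emulator role the first branch applies, and the old DC should then be switched to domhier before it is demoted.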

Resource: Recommendation to configure the Root PDC with an Authoritative Time Source and Avoid Widespread Time Skew | Microsoft Learn

Check DC status

Run the following locally on both the old and the new DC

# Check DNS configuration
dcdiag /test:DNS

# /c for comprehensive test
# /q for errors only, because the full dcdiag output is long
dcdiag /c /q

# Check replication partners and the last successful replication time
Get-ADReplicationPartnerMetadata -Target newserver.example.com

# Check for replication failures (no output means none)
Get-ADReplicationFailure -Target newserver.example.com

Migration of DC Roles

Pre-Migration Check

  • After the server has rebooted, log back in as an administrator and run the following commands to verify the current FSMO role holders
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

Migration of roles

# -Identity is the name of the new DC. The cmdlet asks for confirmation; add -Confirm:$false to skip the prompt.
# Moving the Schema Master and Domain Naming Master requires Schema Admins / Enterprise Admins membership.
Move-ADDirectoryServerOperationMasterRole -Identity newserver -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

Post-Migration Check

Once we are done, run the commands again to verify the FSMO role holders

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

Decommission Old Server

Demote the old server with dcpromo.exe (Windows Server 2008 R2) or Uninstall-ADDSDomainController (Windows Server 2012 and later) and choose to remove the DNS delegation. Before demoting, confirm that the old DC holds no FSMO role, that it is not the only Global Catalog, that replication with the remaining DCs is clean, and that no client, DHCP scope or application still points at its IP address for DNS or LDAP.
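The pre-decommission checks as a script, added here as an example and not part of the original page. It runs from the new DC against the old one (old.example.com is a placeholder) and refuses to continue if the old DC still holds a FSMO role, is the last Global Catalog, or has replication failures; the final cmdlet is for a 2012-or-later DC and must be run on the DC being demoted (it prompts for a local administrator password), on a 2008 R2 DC use dcpromo.exe instead.

```powershell
# Added example: safety checks before demoting the old DC.
function Test-SafeToDemote {
    param([Parameter(Mandatory)][string]$OldDc)
    $problems = @()
    $old = Get-ADDomainController -Identity $OldDc

    # 1. It must not hold any FSMO role any more
    if ($old.OperationMasterRoles.Count -gt 0) {
        $problems += "Still holds FSMO roles: $($old.OperationMasterRoles -join ', ')"
    }

    # 2. It must not be the only Global Catalog
    $otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
                Where-Object { $_.HostName -ne $old.HostName }
    if (-not $otherGCs) { $problems += 'No other Global Catalog exists' }

    # 3. Replication involving the old DC must be clean (no output from the cmdlet means none)
    $failures = Get-ADReplicationFailure -Target $old.HostName -ErrorAction SilentlyContinue
    if ($failures) { $problems += "Replication failures: $($failures.Count)" }

    return $problems      # nothing returned means the checks passed
}

$issues = Test-SafeToDemote -OldDc 'old.example.com'   # placeholder
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Not safe to demote; fix the issues above first'
}

# On the old DC itself (2012+): demote, removing the DNS delegation in the parent zone
Uninstall-ADDSDomainController -RemoveDnsDelegation -Force
```

The check does not cover clients and applications that still point at the old DC's address; review DHCP scope options and any hard-coded LDAP/DNS addresses separately, or keep the old IP reachable on the new DC as the page's "temporary IP" step anticipates.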

Finalize DNS

DNS Workflow

On the new server:

  • Set the NIC's DNS client setting to point at the existing DNS server that hosts the AD zone for the domain (i.e. the old DC)
  • Once the DNS Server role is installed, verify that the AD-integrated zone has replicated to the new server (the zone is listed on it and its SRV records resolve against it)
  • Only then change the new server's DNS client settings as needed

The new DC should not point at itself until DNS replication has been verified; a DC that points only at an empty copy of the zone cannot find its replication partners.

Resource: DNS Client Settings for Domain Controllers | ITGeared

DNS client settings on a DC, in this order

  • The other DC's IP address (preferred)
  • Your own IP address (alternate)
  • 127.0.0.1 (optional, last)

Configure public DNS servers as forwarders on the DNS Server role, never in the NIC's DNS client settings: a DC must only query DNS servers that host the AD zone, otherwise lookups for the domain's SRV records can be sent to a resolver that knows nothing about the domain.

Run the following after changing the DNS settings to re-register the server's own records

ipconfig /registerdns
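The DNS finalisation as a script, added here as an example and not part of the original page: it sets the DNS client order (other DC first, self second), moves Internet resolution to the DNS Server forwarders, checks that the AD zone and its SRV records are served locally before trusting the new settings, and re-registers the DC's records. The addresses and forwarders are placeholders.

```powershell
# Added example: DNS client order, forwarders and verification for the new DC.
$OtherDc    = '10.0.0.10'                 # existing DC hosting the AD zone (placeholder)
$Self       = '10.0.0.11'                 # this DC (placeholder)
$Forwarders = '9.9.9.9', '1.1.1.1'        # upstream resolvers (placeholder)
$Domain     = (Get-ADDomain).DNSRoot

# NIC: only AD-aware DNS servers, other DC first, itself second
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $OtherDc, $Self

# DNS Server role: Internet resolution goes through forwarders; -UseRootHint $false
# stops the server from falling back to root hints when the forwarders fail (adjust to policy)
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# Verify the AD-integrated zone has replicated to this server ...
Get-DnsServerZone -Name $Domain | Select-Object ZoneName, IsDsIntegrated, ReplicationScope
# ... and that the DC locator SRV records resolve against this server specifically
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Self

# Re-register this host's A record and, via Netlogon, the DC's SRV records
Register-DnsClient
Restart-Service -Name Netlogon
```

If Get-DnsServerZone reports the zone as missing or not DS-integrated, stop here and keep the NIC pointed at the old DC only; the Resolve-DnsName query is the quickest way to prove that this server can locate DCs from its own copy of the zone.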

Raise Domain (DFL) and Forest Functional Level (FFL)

Only when every domain controller in a domain runs the newer version of Windows Server can the Domain Functional Level (DFL) be raised to the corresponding level; the Forest Functional Level (FFL) can in turn only be raised once every domain in the forest is at that DFL. Check the operating system of every remaining DC first (Get-ADDomainController with a filter of * shows the OperatingSystem of each), because lowering a level afterwards is only possible in limited cases.

Windows Server 2022 does not introduce a new functional level, so the highest DFL and FFL available is Windows Server 2016

# Change example.com to your domain name

# First, we raise DFL
Set-ADDomainMode -identity example.com -DomainMode Windows2016Domain
# Next, we raise FFL
Set-ADForestMode -Identity example.com -ForestMode Windows2016Forest

# To verify
Get-ADDomain | fl Name,DomainMode
Get-ADForest | fl Name,ForestMode

Management Client

We will need the RSAT tools for AD DS, DNS and Group Policy (GPMC) on the management machine. Install-WindowsFeature only works on a Windows Server; on a Windows 10/11 workstation the same tools are installed as Features on Demand with Add-WindowsCapability (Rsat.ActiveDirectory.DS-LDS.Tools, Rsat.Dns.Tools and Rsat.GroupPolicy.Management.Tools). Domain controllers should be managed from a dedicated, hardened administrative workstation rather than a general-purpose client.

# Remote Server Administration Tools (the whole RSAT group; use RSAT-ADDS or RSAT-AD-PowerShell for just the AD tools)
Install-WindowsFeature -Name RSAT

# Group Policy management
Install-WindowsFeature -Name GPMC

# DNS management
Install-WindowsFeature -Name RSAT-DNS-Server

Securing Domain Controller

Resource: Securing Domain Controllers to Improve Active Directory Security – Active Directory Security (adsecurity.org)

Last modified: 19 December 2022