When we first log into the local administrator account, we are presented with a wizard that I believe is more than half useless. The only thing that I use it for is to enable automatic updates, and then I click ‘Do Not Show This on Login’ and kill it forever with fire. Then we are presented with this:
Unpin the bullshit from the start menu (like anyone will seriously use PowerShell or Server Manager ever, let alone on a regular enough basis to have it on my quicklaunch lolol) and we will be even more clean/minimalistic:
At this point in time, Windows already wants us to restart to install critical updates, which means it will not let us run dcpromo yet, so now is a good time to reset our Local Administrator password to something not assigned by the vendor:
The Remote Desktop session will drop; go make a cup of coffee or something, because it takes a minute to come back up.
Now once you kill Server Manager one more time (even though we said last time for it to die forever) and acknowledge that Windows has installed updates – look how clean our interface is!
Use Win + R to run dcpromo:
After a bit of the most fun part of Windows systems administration (waiting for progress bars) you are thrown into the Active Directory Domain Services Installation Wizard:
The scope of this howto is to create a standalone minimal domain controller/terminal services box, which (in the ideal/corporate/best-practice/you-have-more-than-$20 world) you never would mix: Domain Controllers are supposed to only be Domain Controllers. Assuming we don’t have retarded administrators it shouldn’t be too big of a deal even if we do have to scale up later on. So we are going to create a new forest/domain:
It is very important if you actually plan on having shit work right that we use a real FQDN:
Considering we do not have to worry about any DCs pre-2k8R2, select the 2k8R2 functional level:
Ensure you don’t do something retarded like disable DNS on a domain controller lol, click next:
Unless you are super pro and have already set up a delegation for this DC, you probably will get a popup saying that you cannot delegate DNS. Continue:
You probably would be dumb if you changed these defaults. Continue:
Now we are prompted for a Directory Services Restore password which I always set to be the same as the Domain Administrator password:
Here we are prompted with a summary. Continue:
Check the box that says “Reboot upon Completion” and go make another cup of coffee or grab a beer.
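The same wizard choices (new forest, 2008 R2 functional levels, DNS on, no delegation, default paths, DSRM password, reboot at the end) can be driven with dcpromo’s unattended mode instead of clicking through. This is an added example, not from the original post; it uses the post’s FQDN wecansolve.org and assumes the NetBIOS name WECANSOLVE, and is run from an elevated PowerShell on the 2008 R2 box as the local Administrator.

```powershell
# Added example: unattended dcpromo with the same answers the wizard above collects.
$DomainFqdn  = 'wecansolve.org'   # FQDN used in the post
$NetbiosName = 'WECANSOLVE'       # assumption: the NetBIOS name dcpromo would derive

# Prompt for the DSRM password instead of hard-coding it in the script.
$Dsrm = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Dsrm)
$DsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# dcpromo /unattend reads an answer file; the key names are dcpromo's own.
$AnswerFile = Join-Path $env:TEMP 'dcpromo-answer.txt'
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainFqdn
DomainNetbiosName=$NetbiosName
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPlain
RebootOnCompletion=No
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

try {
    & "$env:SystemRoot\System32\dcpromo.exe" /unattend:$AnswerFile
}
finally {
    # The answer file holds the DSRM password in clear text: remove it
    # before the box goes down, whatever dcpromo did.
    Remove-Item $AnswerFile -Force -ErrorAction SilentlyContinue
}

# Reboot ourselves once the answer file is gone (the wizard's "Reboot upon Completion").
Restart-Computer -Force
```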
Now we want to login with domain credentials forever and ever and ever unless shit gets really broken and it is all our fault… so the way you do this is by typing domain name\username; in my instance it is wecansolve.org\Administrator
We are again greeted by the stupid fucking Server Manager thing, so make it go away. Now here we are again with a clean interface:
Invoke Active Directory Users and Computers:
We are greeted with the particulars for the Domain we have just created. The first step is to add folders to contain Domain Objects. Why do we use folders? If we install unique domain info into the system default locations – there is no way to differentiate between objects we have added/modified versus those that are default at this point/known good state.
So expand the domain and create a new OU to contain users with Domain Administrator credentials. Trust me, this becomes very *very* important later on when scaling and ensuring account policies are consistent throughout the organization. Never just grant admin privileges to a user without moving them to an administrative OU. It would really suck to have someone go around breaking shit they shouldn’t later on because you were lazy and lacked foresight:
Name the new OU appropriately so anyone will know at a glance that this is the OU that users with Domain Administrator credentials are located within:
Duplicate this step to create a container for Domain Users:
Now it is time to create ourselves a Domain Administrator account, as logging in as a Domain Administrator on Windows is a lot like running as root – not only do you not *need* to do it pretty much ever, it pretty much never is a good idea unless your credentials are somehow broken to the point where that is the least of your concerns. The only exception to this rule is when we do not have any other Domain Administrators as we are fresh out of the box, ergo, vis a vis – right now. The quickest way to create a new user is to right click inside the OU we just created:
You always want to be as precise as possible with user information in Windows domains as you never know if your entity will become the next Facebook or some shit. You might have a dozen John Smiths at some point and really want to punch yourself in the balls for not adding initials to user accounts until duplicates crop up:
Uncheck all this crap as you are adding the user for yourself. When setting temporary passwords for users that you want to expire upon first login, it is best to ensure these single-use passwords are still very secure instead of something dumb like LogMeIn! You also should not use the same initial credentials for separate users, because even if it was only for a short period of time, it is easy for rogue employees (the worst possible ‘hacker’ scenario) to hijack accounts simply by knowing the names of new hires:
Now we need to change the properties of the user we have just created to add fields not present in the wizard we just completed, and to add ourselves to the appropriate administrative groups. Right click for properties:
Add the relevant contact information for yourself. Make sure that every time you make changes on any pane in Active Directory Users and Computers that you click Apply:
Now we need to add this user to two groups – the Domain Administrators and Remote Desktop Users groups. Click Add:
Use a semicolon between Usernames or Groups and what Windows calls Builtin Security Principals:
Click ‘Check Names’ and they should be underlined:
Then ensure that you click OK and Apply:
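The Active Directory Users and Computers steps above (two OUs, a personal admin account with full contact details, membership in the two groups) done from PowerShell on the new DC. This is an added example, not from the original post; it uses the post’s domain wecansolve.org, and the OU names, the sample user and the phone number are assumptions. Note that the group the post calls “Domain Administrators” is actually named Domain Admins in AD.

```powershell
# Added example: OUs, a personal domain admin account and group membership via the AD module.
Import-Module ActiveDirectory

$DomainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=wecansolve,DC=org
$AdminOu  = 'Administrative Users'             # assumed OU name for admin-credential users
$UsersOu  = 'Standard Users'                   # assumed OU name for ordinary domain users

# Separate OUs keep our own objects apart from the out-of-the-box containers.
foreach ($Ou in $AdminOu, $UsersOu) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$Ou'" -SearchBase $DomainDn)) {
        New-ADOrganizationalUnit -Name $Ou -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    }
}

# Sample admin account (constructed); initials included so later John Smiths never collide.
$Sam      = 'jqsmith'
$Password = Read-Host "Initial password for $Sam" -AsSecureString
New-ADUser -Name 'John Q. Smith' -GivenName 'John' -Initials 'Q' -Surname 'Smith' `
    -DisplayName 'John Q. Smith' -SamAccountName $Sam `
    -UserPrincipalName "$Sam@wecansolve.org" -Path "OU=$AdminOu,$DomainDn" `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false `   # the post unchecks this for your own account; $true for hand-outs
    -Description 'Personal domain admin account' -OfficePhone '+1 555 0100'

# "Domain Administrators" in the post is the Domain Admins group; Remote Desktop Users is in Builtin.
Add-ADGroupMember -Identity 'Domain Admins'        -Members $Sam
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members $Sam

# Verify both memberships before logging off the built-in Administrator.
Get-ADPrincipalGroupMembership -Identity $Sam | Select-Object -ExpandProperty Name
```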
Now you should be able to log in as the Domain Administrator account you have just created. Stay tuned for more in this series on configuring Windows Server in Cloud environments.