Active Directory, DNS and DHCP Configuration on Windows Server

Bulitha Kawushika de Zoysa
13 min read · Mar 15, 2024


Introduction

This is the first part of my Windows Server configuration article series. In this article, we discuss what the AD DS, DNS, and DHCP services are, and how we implement them in a Windows Server environment. In the first section of this article, we cover the basic configuration of the Windows Server and the Windows client PC. Then we discuss AD DS and DNS and their implementation in the following sections. Finally, we configure the DHCP server and test its functionality as well.

I have tried to write this article to be as beginner-friendly as possible, so I mention almost every step in some sections. I plan to go deeper into Windows Server setups in upcoming articles in this series. In this post, I establish the groundwork for the Windows Server environment.

PreConfigurations for the Windows Client

In this demonstration, I use a single client PC. To change the hostname of your client PC, right-click on the “This PC” icon, select Properties, and change the hostname to “FCT-CL1”.

Change Hostname of Client PC

Basic Configurations for Windows Server

First of all, we start Server Manager on the Windows Server. Then I change the server’s hostname to “FCT-DC1,” and I change the time zone to UTC+5:30 because my server is located in Sri Lanka. After that, we check for available updates and install them. Operating system updates are crucial for servers: they patch vulnerabilities, enhance security, and ensure optimal performance by incorporating bug fixes and improvements.

Basic Configuration

Then we change the IPv4 configuration. Navigate to the server’s Ethernet configuration, turn off IPv6, and open the IPv4 properties. I define the IPv4 address statically here. Set the IP address to 172.16.0.5/24 and the default gateway to 172.16.0.1. Setting the DNS server IP to 127.0.0.1 designates the local machine itself as the DNS resolver, so it handles DNS queries internally; this simplifies the configuration for applications running on the same server.

In this lab environment, I use only the internal network, so I added an internal network adapter to my VM.

Server IPv4 configuration

After that, we restart the server. When restarting a server, it is good practice to record the reason for the restart. When you initiate a shutdown with a specified reason, that reason is written to the event logs, which helps with troubleshooting, auditing, and keeping a record of server activity.

Reason for Shutdown

Install ADDS, DNS and DHCP Services

First, navigate to Manage > Add Roles and Features. Then select the roles we want to add. I select Active Directory Domain Services, DNS Server, and DHCP Server and install them.

Install AD DS, DNS and DHCP Features
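The server preparation and role installation described above, as an added PowerShell example that is not part of the original article. It uses the article's hostname and addresses; the adapter alias “Ethernet” is an assumption.

```powershell
# Added example, not from the article: the "Basic Configurations" and "Install ADDS, DNS and DHCP"
# steps as PowerShell, run in an elevated session on the server. Addresses (172.16.0.5/24,
# gateway 172.16.0.1, DNS 127.0.0.1) and the name FCT-DC1 are the article's; the adapter alias
# "Ethernet" is an assumption, check it with Get-NetAdapter.
$adapter = "Ethernet"

# 1. Hostname and time zone (Sri Lanka Standard Time is UTC+05:30)
Rename-Computer -NewName "FCT-DC1" -Force
Set-TimeZone -Id "Sri Lanka Standard Time"

# 2. Turn off IPv6 on the adapter and replace any DHCP-assigned IPv4 address with the static one
Disable-NetAdapterBinding -Name $adapter -ComponentID "ms_tcpip6"
Set-NetIPInterface -InterfaceAlias $adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $adapter -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $adapter -IPAddress "172.16.0.5" -PrefixLength 24 -DefaultGateway "172.16.0.1"
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses "127.0.0.1"

# 3. Add the three roles together with their management consoles
Install-WindowsFeature -Name AD-Domain-Services, DNS, DHCP -IncludeManagementTools

# 4. Restart with a logged reason: /d p:2:4 is "Operating System: Reconfiguration (Planned)",
#    and the comment is written to the System event log (Event ID 1074) for later auditing
shutdown.exe /r /t 0 /d p:2:4 /c "Hostname, static IP and role installation for FCT-DC1"
```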

AD DS, DNS and DHCP Configuration

What is AD DS (Active Directory Domain Services)?

Active Directory is a directory service developed by Microsoft that provides a centralized and standardized system for managing and organizing network resources, such as users, computers, and other devices. Active Directory Domain Services (AD DS) is a role in Windows Server that allows administrators to create and manage domains, users, and objects within a network. AD DS provides authentication and authorization services, allowing users to log in to the network and access resources based on their permissions.

AD DS Implementation

After installing the AD DS role on the Windows Server, we see a notification in Server Manager to promote the server to a domain controller. Click the link to open the domain controller configuration wizard. As a first step, we select adding a new forest because I do not have any existing domain controllers or forests here. We create a root domain called “fct.ac.lk”. Then we click next.

Create a new forest

Here, the forest functional level and domain functional level are already selected as Windows Server 2016. Forest level in Active Directory defines the security and administrative boundaries for multiple domains, while domain level specifies settings and configurations specific to individual domains within the forest. In Active Directory, the forest level and domain level, when set to Windows Server 2016, enable and provide access to the latest features and functionality available in that specific Windows Server version for the entire forest or individual domain, respectively.

This server is the first domain controller in this forest, which is why DNS server and Global Catalog are already selected. We leave the DNS server option checked because we use this server as the DNS server as well.

This server is not a read-only domain controller (RODC), so I leave that option unchecked. An RODC holds a read-only copy of the Active Directory database and provides authentication and directory services while minimizing security risks in branch offices or other less secure environments.

After that, we type a strong password and click next.

Setup Password

The option to create a DNS delegation is already unchecked. DNS delegation is the process of assigning authority for a subdomain to a different set of name servers, which lets the management of domain names and their records be distributed across multiple DNS servers for better scalability and organization.

We cannot create a delegation here because we have no authority over the parent zone and therefore lack the permissions to modify the DNS records at the parent level. The parent zone’s DNS servers maintain the delegation information, specifying which name servers are authoritative for the delegated subdomain.

Then click next again. We selected fct.ac.lk as our root domain, which is why the NetBIOS domain name is shown as FCT. We could change it here, but I keep it and click next.

After that, we see the locations of the Active Directory database, the log files, and the SYSVOL (System Volume) folder. We could change them, but I keep the defaults. Click next.

After reviewing our configuration, click next to run the prerequisite check, then click the install button and close the window after the installation is complete. The server will then restart automatically.

After the restart, we can see that the server has been promoted to a domain controller successfully, and we can sign in with the domain account and password. The Active Directory management consoles are now available in the Tools menu of Server Manager. We will use these consoles in later parts of this series.

Sign in to the domain controller
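The forest creation walked through above, as an added PowerShell example that is not part of the original article; it mirrors the wizard's choices (new forest fct.ac.lk, NetBIOS name FCT, Windows Server 2016 functional levels, DNS on the DC, no delegation, default paths) and prompts for the Directory Services Restore Mode password instead of storing it.

```powershell
# Added example, not from the article: promoting FCT-DC1 to the first domain controller of the
# new fct.ac.lk forest with the same choices as the wizard. Run elevated after the roles are
# installed. The DSRM password is prompted for rather than hard-coded in the script.
Import-Module ADDSDeployment

$dsrmPassword = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

$forest = @{
    DomainName                    = "fct.ac.lk"
    DomainNetbiosName             = "FCT"            # derived from the root domain, as in the wizard
    ForestMode                    = "WinThreshold"   # Windows Server 2016 forest functional level
    DomainMode                    = "WinThreshold"   # Windows Server 2016 domain functional level
    InstallDns                    = $true            # DNS server on the DC; the first DC is a GC anyway
    CreateDnsDelegation           = $false           # we hold no authority over the parent zone
    DatabasePath                  = "C:\Windows\NTDS"    # the defaults the wizard shows
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true
}

# Dry run first: reports prerequisite failures without changing anything
Test-ADDSForestInstallation @forest

# Real promotion; the server reboots automatically when it finishes
Install-ADDSForest @forest

# After signing back in as FCT\Administrator, confirm the DC's role flags
Get-ADDomainController -Identity "FCT-DC1" |
    Select-Object HostName, Domain, Forest, IsGlobalCatalog, IsReadOnly
```

IsGlobalCatalog should be True and IsReadOnly False, matching the wizard screen where Global Catalog is selected and RODC is not.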

What is DNS (Domain Name System)?

DNS (Domain Name System) refers to the role and service that provides domain name resolution for network resources. DNS is a fundamental component of the internet and local networks, translating human-readable domain names into IP addresses that computers use to identify each other on the network. In this demonstration, our domain name is fct.ac.lk.

DNS Implementation

We already installed the DNS management tools in the previous step. Now we start configuring the DNS server. First, we navigate to Tools > DNS to open the DNS Management Console. We can see our server, FCT-DC1, and we can expand it to see the zone list. At this point there is no zone under Forward Lookup Zones apart from the one created for the domain; a DNS server that hosts no zones of its own is called a caching-only server.

A forward lookup zone is used to resolve hostnames to IP addresses, and a reverse lookup zone is used to resolve IP addresses to hostnames. With these two zones, we can set up a server with full DNS functionality.

Create a new zone

Right-click on Reverse Lookup Zones and select New Zone. After that, we select the type of zone we want to create. By default, the primary zone is selected. A primary zone contains the authoritative copy of the zone data; a secondary zone is a read-only copy of the primary zone for fault tolerance; and a stub zone contains only the essential resource records needed to forward queries to the authoritative servers of another DNS domain. Here we keep the primary zone.

We can see that the option to store the zone in Active Directory is already selected because we installed and configured AD DS in the previous steps. Otherwise, it would be grayed out and disabled: that box is only available when we create a DNS zone on a domain controller. I keep the default and click next.

Primary Zone

We already have the fct.ac.lk domain here, and our DNS server runs on the domain controller. We do not require Windows 2000 compatibility, so we keep the “DNS servers running on domain controllers in this domain” replication scope selected and click next.

DNS server running on domain controller

Select IPv4 reverse lookup zone and click next.

IPv4 Reverse Lookup Zone

After that, we enter the network ID as 172.16.0. The network ID is the network portion of the IP address.

Network ID

Select “Allow only secure dynamic updates” to prevent unauthorized or malicious updates to the reverse DNS records; with this setting only authenticated domain members can register or change records. It is the recommended choice for Active Directory-integrated zones.

Dynamic Update

Then navigate to the properties of the fct-dc1 record in the forward lookup zone and tick “Update associated pointer (PTR) record”. This ensures that the corresponding reverse lookup record (PTR record) is created or updated automatically whenever the forward lookup record (A record) is added or modified, which keeps the forward and reverse DNS records for the host consistent.

Update Associated Pointer (PTR) Record

We can see a pointer (PTR) added to the reverse lookup zones.

Pointer (PTR)
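The reverse lookup zone and PTR record configured above, as an added PowerShell example that is not part of the original article, followed by the checks that show the forward and reverse records agree. Run on FCT-DC1; the values are the article's.

```powershell
# Added example, not from the article: the reverse lookup zone for 172.16.0.0/24 as an
# Active Directory-integrated primary zone that allows only secure dynamic updates, the PTR for
# fct-dc1, and the checks that show forward and reverse records agree. Run on FCT-DC1.
$network = "172.16.0.0/24"
$reverse = "0.16.172.in-addr.arpa"     # zone name the wizard derives from network ID 172.16.0
$dcFqdn  = "fct-dc1.fct.ac.lk"

# "Primary zone" + "Store the zone in Active Directory" + "Allow only secure dynamic updates"
Add-DnsServerPrimaryZone -NetworkId $network -ReplicationScope "Domain" -DynamicUpdate "Secure"

# Equivalent of ticking "Update associated pointer (PTR) record" on the fct-dc1 A record:
# write the PTR for host 5 in the reverse zone pointing back at the DC's FQDN.
# (If the DC has already registered its own PTR, this reports that the record exists.)
Add-DnsServerResourceRecordPtr -ZoneName $reverse -Name "5" -PtrDomainName $dcFqdn

# Verification: the A record and the PTR must resolve to each other
Resolve-DnsName -Name $dcFqdn -Type A -Server 127.0.0.1        # expect 172.16.0.5
Resolve-DnsName -Name "172.16.0.5" -Type PTR -Server 127.0.0.1  # expect fct-dc1.fct.ac.lk

# Confirm the security setting took: DynamicUpdate should read "Secure" and IsDsIntegrated True
Get-DnsServerZone -Name $reverse | Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
```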

What is DHCP?

DHCP stands for Dynamic Host Configuration Protocol. It’s a network protocol that automatically assigns IP addresses and other network configuration parameters to devices on a network.

DHCP follows four main steps to grant IP addresses to devices.

  • Discover — Client broadcasts a message to discover a DHCP server.
  • Offer — DHCP servers offer an IP address and other configuration parameters, such as subnet mask, default gateway, and DNS servers.
  • Request — Client selects an offer and formally requests to use the IP.
  • Acknowledge — The DHCP server responds with an acknowledgment, confirming that the IP address has been assigned to the device.

This process allows network administrators to manage and allocate IP addresses dynamically, without having to manually configure each device with a static IP address.

DHCP Configuration

We already installed the DHCP Server role in a previous step and set a static IP on the server. Now we open the DHCP post-install configuration wizard.

Post-deployment Configuration

Here, we use the credentials FCT\Administrator and click Commit. We can then see that the security groups were created successfully and that the DHCP server was authorized in AD DS. After that, close the window.

Authorization to DHCP server in AD DS

Then we create the DHCP scope. Navigate to Tools > DHCP to open the DHCP console, where we can see IPv4 under our fct-dc1 server. Right-click on it and select New Scope. Alternatively, we can create the scope via Action > New Scope.

Create a New Scope

Then give the scope a name; I called it “IP Pool.” We can also add a description. Click next, and then specify the IP address range you want to assign to your client computers. In this demonstration, I use the range 172.16.0.10 to 172.16.0.100 with the subnet mask 255.255.255.0; the prefix length of 24 is filled in automatically. Click Next.

IP Address Range

If we want to exclude any IP addresses within this range, we can do so here. Exclusion ranges in DHCP reserve specific IP addresses within the address pool so they are never assigned dynamically, keeping them available for static assignment or other purposes. We can add a range of IP addresses or a single IP address as an exclusion and click Add. In this demonstration, I do not exclude any addresses, so I make no changes here.

After that, we configure the lease duration as 1 day. The lease duration in DHCP is the length of time an IP address is assigned to a device, after which the lease must be renewed or released.

Lease Duration

Then the wizard asks whether we want to configure DHCP options now. Select Yes to configure them right away, or No to do it later. In this demonstration, we want to configure our default gateway IP address, DNS server IP address, and domain details, so I select Yes. Then click next.

Configure DHCP Options

Next, we add our default gateway (router) IP address as 172.16.0.1. Click next.

Default Gateway

Then we can see that the parent domain is already filled in as “fct.ac.lk,” and the DNS server IP address is already added as 172.16.0.5. This is because we installed and configured the DHCP Server role on the domain controller. If this information is not filled in automatically, we can add it manually by entering the server name FCT-DC1.fct.ac.lk and clicking Resolve; it resolves to the IP address 172.16.0.5. Add it and click next.

Domain Name and DNS Servers

If you have any WINS servers, you can add their IP addresses here. In this lab, I do not have one, so I leave it empty and click next. Then the wizard asks whether to activate the scope; I select Yes, click next, and then click Finish.

Activate Scope

Now we can see that our scope was created successfully. Our IP range appears in the Address Pool folder, and the router, DNS server, and DNS domain name details appear in the Scope Options folder. The IP addresses that have been leased appear in the Address Leases folder.

Address Pool
Scope Options
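The DHCP authorization, scope, and scope options from the steps above, as an added PowerShell example that is not part of the original article, with the queries that show the same Address Pool, Scope Options, and Address Leases views. Run on FCT-DC1 as FCT\Administrator; the values are the article's.

```powershell
# Added example, not from the article: authorize the DHCP server in AD DS, run the post-install
# steps, create the "IP Pool" scope and its options, and verify. Run on FCT-DC1 as FCT\Administrator.

# Post-deployment configuration: authorize the server in AD DS and create the DHCP local groups
Add-DhcpServerInDC -DnsName "FCT-DC1.fct.ac.lk" -IPAddress "172.16.0.5"
Add-DhcpServerSecurityGroup
Restart-Service -Name "DHCPServer"
# Clear the Server Manager post-install notification (the same flag the wizard clears)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12" -Name "ConfigurationState" -Value 2

# Scope "IP Pool": 172.16.0.10-172.16.0.100 /24, one-day lease, activated immediately
Add-DhcpServerv4Scope -Name "IP Pool" -Description "Lab client pool" `
    -StartRange "172.16.0.10" -EndRange "172.16.0.100" -SubnetMask "255.255.255.0" `
    -LeaseDuration (New-TimeSpan -Days 1) -State Active

# Scope options: router (option 3), DNS server (option 6), DNS domain name (option 15)
Set-DhcpServerv4OptionValue -ScopeId "172.16.0.0" `
    -Router "172.16.0.1" -DnsServer "172.16.0.5" -DnsDomain "fct.ac.lk"

# Verification, matching the console folders
Get-DhcpServerInDC                                     # authorized servers in AD DS
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, StartRange, EndRange, LeaseDuration, State
Get-DhcpServerv4OptionValue -ScopeId "172.16.0.0"      # Scope Options folder
Get-DhcpServerv4Lease -ScopeId "172.16.0.0"            # Address Leases folder (FCT-CL1 once it asks)
```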

Now we go back to the client PC and try to obtain an IP address from the DHCP server. Right-click on the Start button and select Network Connections, then navigate to Change adapter options > Ethernet adapter and open its properties. Select Internet Protocol Version 4 (TCP/IPv4), open its properties, and select “Obtain an IP address automatically”. The client PC now obtains an IP address, a default gateway, and a DNS server address from the DHCP server.

DHCP is enabled on the client PC

Our client PC (FCT-CL1) now leases an IP address from the DHCP server. We can confirm this by right-clicking the Ethernet adapter, selecting Status, and opening Network Connection Details. DHCP is shown as enabled, the DHCP server and DNS server addresses are both 172.16.0.5, and the default gateway is set as well. The details pane shows more DNS and DHCP information beyond this.

Network Connection Details of Client PC

Back on the DHCP server, navigate to the Address Leases folder under the scope. We can see 172.16.0.20, an address within our range, automatically leased to the FCT-CL1 client PC, along with information about the lease such as its expiration time.

Address Leases

We can also use the command prompt on the client PC to check connectivity and troubleshoot. Run a ping to fct.ac.lk (the domain controller). The ping succeeds because we configured DNS and DHCP correctly. If every ping fails, there is most likely a misconfiguration in DNS or DHCP, or a physical network problem.

Ping to Domain Controller
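The client-side steps above (switch the adapter to DHCP, inspect the lease, then test name resolution and reachability separately so a failure points at DNS or at the network), as an added PowerShell example that is not part of the original article. Run elevated on FCT-CL1; the adapter alias “Ethernet” is an assumption.

```powershell
# Added example, not from the article: the client-side steps on FCT-CL1 (switch the adapter to
# DHCP, then verify the lease, DNS and reachability). Run in an elevated session on the client.
# The adapter alias "Ethernet" is an assumption, check it with Get-NetAdapter.
$adapter = "Ethernet"

# "Obtain an IP address automatically": drop any static address and gateway, then enable DHCP
Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 -PrefixOrigin Manual -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $adapter -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
Set-NetIPInterface -InterfaceAlias $adapter -Dhcp Enabled
Set-DnsClientServerAddress -InterfaceAlias $adapter -ResetServerAddresses   # take DNS from DHCP too
ipconfig.exe /renew

# What the lease delivered: address (PrefixOrigin Dhcp), gateway and DNS server
Get-NetIPConfiguration -InterfaceAlias $adapter
Get-NetIPAddress -InterfaceAlias $adapter -AddressFamily IPv4 | Select-Object IPAddress, PrefixOrigin
# The DHCP server that issued the lease; expect 172.16.0.5
(Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -and $_.DHCPEnabled }).DHCPServer

# The article's ping, split so a failure points at DNS or at the network path
Resolve-DnsName -Name "fct.ac.lk" -Type A          # DNS works if this returns 172.16.0.5
Test-NetConnection -ComputerName "172.16.0.5"      # network path works if PingSucceeded is True
Test-NetConnection -ComputerName "fct.ac.lk"       # both together, equivalent to "ping fct.ac.lk"
```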

We have now finished configuring the AD DS, DNS, and DHCP services on Windows Server. In the next post in this series, I will configure organizational units (OUs) and apply group policies to them.


Bulitha Kawushika de Zoysa

Undergraduate | B.Sc. (Hons) in Computer Science University of Kelaniya | Cyber Security specialization