Active Directory Domain Services Part 2: AD DS, RAS/NAT, and DHCP Installation.

Michael John
9 min readNov 8, 2023


Introduction

In part 1 of this series on Active Directory, we downloaded and installed Oracle VirtualBox, provisioned virtual machines, and installed Windows Server 2019 and Windows 11. In this part, we will take it further.

What you will learn:

  • Configure Network Interface Controller (NIC) or Network Adapter for our DC.
  • Install Active Directory Domain Services (AD DS) role
  • Promote server 2019 to DC.
  • Create a dedicated domain Administrator account.
  • Install Remote Access Services (RAS) and Network Address Translation (NAT) on the DC.
  • Install Dynamic Host Configuration Protocol (DHCP) server.

Configure Network Interface Controller (NIC) or Network Adapter on the DC

We will start by configuring two network adapters on the virtual machine hosting the DC. The first network adapter will be for Internet connection, and the second will be for Internal network connection.

Open VirtualBox, select the “Primary-DC” deployed previously => click “Settings” => select “General” => select “Advanced” and choose “Bidirectional” in the dropdown box for both “Shared Clipboard” and “Drag ‘n’ Drop”. This is a convenience for a lab: it lets you paste commands from the host into the VM, but it also opens a channel between host and guest, so leave it disabled on VMs you use for anything untrusted.

Still on the “Settings”, select “Network”. “Adapter 1” is enabled with “NAT” by default; in this mode VirtualBox gives the VM outbound Internet access through the host, without exposing it on your home network. Select “Adapter 2” and check the box to enable it with the “Internal Network” option (note the network name, “intnet” by default; the Windows 11 client will need to be on the same internal network later). Click “OK” to save your settings.

Note: The VM being configured is the one you installed Windows Server 2019 on. It will serve as the domain controller. Remember that a DC is simply a server running the Active Directory Domain Services role.

“Adapter 1”, attached by default to “NAT”, gets its IP address automatically from the DHCP service VirtualBox runs for the NAT network (typically an address in 10.0.2.0/24), not from your home router. Nothing hands out addresses on the internal network yet, so we have to configure “Adapter 2” manually. Follow the steps below to complete the setup.

Select the “Primary-DC” and click “Start” to launch the server. Remember to select “Input” => “Keyboard” => “Insert Ctrl-Alt-Del” to take you to the login page where you will supply your password.

Click on “Network & Internet Settings”

Select “Ethernet” => and click on “Change adapter options”. You should see two Ethernet adapters. If you double-click on each one, you will see that the IPv4 connectivity for one of them is “Internet” and the other one says “No network access”.

Rename the adapters (right-click => “Rename”) to something like “Internet” and “Internal Network” so they are easy to tell apart in the later RRAS and DHCP steps.

Right-click on “Internal Network” => click “Properties” => select “Internet Protocol Version 4 (TCP/IPv4)” => click the “Properties” button below it => select “Use the following IP address” and use the details from our network design figure as follows:
IP: 192.168.0.1
Subnet Mask: 255.255.255.0
Default Gateway: <empty> // The DC is the gateway for this subnet. Its own route to the Internet already comes from the NAT adapter; a second default gateway on the same host would cause intermittent routing failures.
Preferred DNS: 127.0.0.1 (loopback IP address) // When we promote the server, the DNS Server role is installed with AD DS, and this server will use itself as the DNS server.

Before moving on, let’s change the computer’s name, since it becomes the DC’s DNS name and is awkward to change after promotion. Search for and click on Control Panel => System and Security => System => Change settings => Change => “Computer name”: Primary-DC => OK. You have to restart the server for the change to take effect.
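The adapter and hostname steps above, done from an elevated PowerShell prompt on the Server 2019 VM. This is an added example, not code from the original post; it assumes the NAT adapter is the one that already holds the default route, and that the second adapter reports as “Up”. Check the output of Get-NetAdapter before running it.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell prompt on the DC.
Get-NetAdapter | Format-Table Name, InterfaceDescription, Status, MacAddress

# Assumption: the NAT adapter is the one holding the IPv4 default route handed out by VirtualBox;
# the internal adapter is the other adapter that is Up.
$internet = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
             Select-Object -First 1).InterfaceAlias
$internal = (Get-NetAdapter |
             Where-Object { $_.Name -ne $internet -and $_.Status -eq 'Up' } |
             Select-Object -First 1).Name

Rename-NetAdapter -Name $internet -NewName 'Internet'
Rename-NetAdapter -Name $internal -NewName 'Internal Network'

# Static address on the internal side. No -DefaultGateway: the NAT adapter already supplies the
# default route, and two default gateways on one host cause hard-to-debug routing failures.
Set-NetIPInterface   -InterfaceAlias 'Internal Network' -Dhcp Disabled
Remove-NetIPAddress  -InterfaceAlias 'Internal Network' -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress     -InterfaceAlias 'Internal Network' -IPAddress 192.168.0.1 -PrefixLength 24

# The DC will resolve names for itself once the DNS Server role is installed during promotion.
Set-DnsClientServerAddress -InterfaceAlias 'Internal Network' -ServerAddresses 127.0.0.1

# Verify before promoting: 192.168.0.1/24, no gateway, DNS 127.0.0.1 on the internal interface.
Get-NetIPConfiguration -InterfaceAlias 'Internal Network'

# Rename the host; the reboot must happen before AD DS promotion so the DC's DNS name is right.
Rename-Computer -NewName 'Primary-DC' -Restart
```

If the default route lands on the wrong adapter (for example because the internal adapter was configured first), set the two variable assignments by hand from the Get-NetAdapter output rather than trusting the automatic selection.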

Install Active Directory Domain Service (AD DS) software

Brief theory: there are two main logical network designs.

  • Workgroup Environment: Like your home network, where a user’s credentials (username and password hash) are stored in a local database called the Security Account Manager (SAM), which lives only on that device and is not replicated across the network. That way, the user can only log on to that specific device, and no other user can log on to that device unless an account is created for them on it. It is a perfectly good way to keep a home device safe, but in a business environment with, say, a thousand and one devices, it is a huge pain to manage each device individually for account creation and password resets.
  • Domain-based Environment: Businesses require a domain-based environment to centrally manage user and computer account creation, password resets, and authentication. Here, users are created on the domain controller and computers are joined to the domain. These accounts are resident in the domain controller’s directory database rather than on the individual devices as in a workgroup. That way, a user within the domain can walk up to any domain-joined computer, supply their credentials, and be authenticated by the DC to log on.

Active Directory Domain Services is the role installed on a Windows Server that makes centrally managing users and computers possible. AD DS depends heavily on DNS: when the server is promoted, it registers the SRV records (for example _ldap._tcp and _kerberos._tcp under the domain) that clients use to locate a domain controller, and it registers them with the DNS server we pointed the preferred DNS setting at in the previous step. In the next few steps, we will install AD DS on the Server 2019.

Click on the Windows icon, and click on “Server Manager”. Click on “Add Roles and Features” => Next => Role-based or feature-based installation => select the “Primary-DC” server => select “Active Directory Domain Services” => Add Features => Next (3x) => Install.

Promote server 2019 to DC

In the previous step, we installed the AD DS role. We will proceed to complete the post-deployment configuration by promoting the server to a domain controller. As part of this process the DNS Server role is installed automatically. To do this, click on the yellow triangular warning sign => and click on “Promote this server to a domain controller”.

Click “Add a new forest” => Root domain name: mydomain.local => choose a Directory Services Restore Mode (DSRM) password and keep it somewhere safe, as it is the only way into the DC if the directory database has to be recovered => Next (4x) => Install, and the server will restart automatically. You will need to log in again. A caveat on the name: .local is fine for a lab, but it is reserved for multicast DNS (RFC 6762) and public CAs will not issue certificates for it, so a real deployment should use a subdomain of a DNS domain you own, such as corp.example.com.
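The same two steps (install the role, then promote to the first DC of a new forest) from an elevated PowerShell prompt. This is an added example, not code from the original post; the DSRM password is read interactively, the NetBIOS name MYDOMAIN is an assumption (the wizard derives it from the domain name), and the two verification commands at the end are meant to be run after the automatic reboot.

```powershell
# Added example (not from the original post). Elevated PowerShell on Primary-DC.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# DSRM password: offline recovery credential for the directory database. Record it securely.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# New forest with the post's lab domain. WinThreshold is the forest/domain functional level for
# Windows Server 2016/2019. -InstallDns matches the wizard default of installing DNS alongside AD DS.
# MYDOMAIN is an assumed NetBIOS name; the wizard would propose the same value.
Install-ADDSForest `
    -DomainName 'mydomain.local' `
    -DomainNetbiosName 'MYDOMAIN' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true
# The server reboots on completion. After logging back in, confirm the DC can find itself via DNS,
# which is what every client join and logon will rely on:
#   Get-ADDomainController | Select-Object Name, Domain, IPv4Address, IsGlobalCatalog
#   Resolve-DnsName -Type SRV -Name _ldap._tcp.dc._msdcs.mydomain.local
```

If the Resolve-DnsName query returns nothing, the preferred DNS setting on the internal adapter is the first thing to recheck; without those SRV records the client join in the next part will fail with a “domain could not be contacted” error.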

Create a dedicated domain administrator account

It is good practice to create a dedicated administrator account instead of continuing to use the built-in Administrator account you have been using to access the server. The built-in account has a well-known relative identifier (RID 500), cannot be locked out by default, and is the first account attackers target; a named admin account also gives you an audit trail that shows who did what.

On the top-right menu, click on “Tools” => Active Directory Users and Computers => right-click “mydomain.local” => New => Organizational Unit => you can name it “Admin” => right-click on “Admin” => New => User. For the first and last name, I will use Michael John; you can use yours. => User logon name: a-mjohn (the ‘a-’ prefix marks it as an admin account, followed by the first-name initial and last name) => Next => provide a login password => check “Password never expires” for the purposes of this exercise only (in a real domain, admin accounts should rotate passwords like any other) => Next => Finish.

We have created a user, but we need to make this user an admin. Right-click on the user => click “properties” => “Member of” => Add => type “Domain Admins” in the textbox => OK => Apply.

We can now sign out of the default admin account and sign in using the domain admin user account we just created.

Click on the Windows icon => click on the Administrator icon => click “sign out” => and sign in with the new account.
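The OU, user and group-membership steps above as an added PowerShell example, not code from the original post. It uses the post’s lab names (Admin OU, a-mjohn, mydomain.local); the password is read interactively, and the final command lists the resulting Domain Admins membership so you can see exactly who holds the highest privilege in the forest.

```powershell
# Added example (not from the original post). Run as a member of Domain Admins on the DC.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=mydomain,DC=local
New-ADOrganizationalUnit -Name 'Admin' -Path $domainDN -ProtectedFromAccidentalDeletion $true

$pw = Read-Host -AsSecureString -Prompt 'Password for a-mjohn'
New-ADUser -Name 'Michael John' -GivenName 'Michael' -Surname 'John' `
    -SamAccountName 'a-mjohn' -UserPrincipalName 'a-mjohn@mydomain.local' `
    -Path "OU=Admin,$domainDN" -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true   # lab convenience only; do not set this on real admin accounts

Add-ADGroupMember -Identity 'Domain Admins' -Members 'a-mjohn'

# Verify, and review the whole membership: this list should be short, and every entry should be a
# dedicated admin account like this one, never an account that is also used for e-mail or browsing.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object Name, SamAccountName, objectClass
```

The same pattern (one OU, one dedicated account per administrator, membership granted explicitly) is what you will reuse when the next part automates user creation; only the group differs.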

Install Remote Access Services (RAS) and Network Address Translation (NAT) on the DC

Our network is designed to simulate a corporate environment where traffic from clients on our private network or local area network (LAN) is routed through the domain controller (a single IP address) to the internet. This is possible through the RAS gateway and NAT.

To install RAS and NAT, navigate to the server manager => click “Add roles & features” => Next => Role-based or feature-based installation => select the “Primary-DC” server => click “Remote Access” => Next (3x) => Select “Routing” => Add feature => Next (3x) => Install.

Once the installation is completed, click on “Tools” => click on “Routing and Remote Access” => right-click “Primary-DC (local)” => click “Configure and Enable Routing and Remote Access” => Next => select “Network address translation (NAT)” => Next => if your network interfaces don’t show up, cancel and repeat the process => select the adapter you renamed “Internet” as the public interface => Next => Finish.

With RAS and NAT configured, the DC will forward packets from the internal network out through its NAT adapter, and computers on our LAN will be able to reach the Internet once the DHCP server is installed and hands them an address and a default gateway of 192.168.0.1.
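The role installation and a post-wizard check for the RAS/NAT steps above, as an added example that is not code from the original post. Install-RemoteAccess -VpnType RoutingOnly enables the RRAS service in LAN-routing mode; the NAT interface assignment itself is still done in the Routing and Remote Access console as described, because the RemoteAccess module has no cmdlet for RRAS NAT. The interface names are the ones assumed earlier in this part.

```powershell
# Added example (not from the original post). Elevated PowerShell on Primary-DC.
Install-WindowsFeature -Name RemoteAccess, Routing -IncludeManagementTools

# Enable RRAS for LAN routing only (no VPN listener is exposed on the Internet adapter).
Install-RemoteAccess -VpnType RoutingOnly

# After completing the NAT wizard in the RRAS console, verify the pieces it relies on:
# 1. the RRAS service is running,
Get-Service RemoteAccess | Select-Object Name, Status, StartType

# 2. IPv4 forwarding is on for both interfaces (RRAS turns this on; without it nothing is routed),
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in 'Internet', 'Internal Network' } |
    Select-Object InterfaceAlias, Forwarding, Dhcp

# 3. the DC itself still reaches the Internet through the NAT adapter.
Test-NetConnection -ComputerName 8.8.8.8 -Port 53 -InformationLevel Quiet
```

If Forwarding shows Disabled on either interface after the wizard, the wizard did not complete; rerun it rather than setting forwarding by hand, since the NAT translation table is configured by RRAS, not by the interface flag alone.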

Install Dynamic Host Configuration Protocol (DHCP) server

DHCP is a protocol for dynamically assigning IP addresses to computers on a network. We will not go into much detail about how this protocol works, but generally, addresses are handed out according to the allocation mode configured on the server (automatic, dynamic with a lease time, or manual via reservations) and the scope (range) of IP addresses designated.

From our network architecture, the DHCP scope covers 192.168.0.150 to 192.168.0.250. This means that any computer requesting an IP to join our network will be “offered” an address within this range; addresses below .150, including the DC’s own 192.168.0.1, stay outside the pool for static assignment. Alright, that's a lot of theory already.

As usual, click “Add roles & features” => Next => Role-based or feature-based installation => Select the “Primary-DC” server => Select DHCP server => Add features => Next (3x) => Install.

Once the installation is completed, click on “close”. Next is to configure the installed DHCP server with the scope as discussed.

Click “Tools” => DHCP => expand “Primary-DC” => right-click on “IPv4” => New Scope => use 192.168.0.150–250 as the scope name => Start IP address: 192.168.0.150 => End IP address: 192.168.0.250 => subnet mask of /24 or 255.255.255.0 => no exclusions in our case, so click “Next” => lease duration is case dependent, so leave the default (8 days) => click “Yes” to configure DHCP options. The “Router (Default Gateway)” option is how computers joining the domain will reach the Internet: enter 192.168.0.1 (the DC) => click “Add” => Next. On the DNS page the wizard pre-fills the domain name and the DC’s address 192.168.0.1; keep it, because clients need the DC as their DNS server to find the domain => Next (2x) => Finish.

IPv4 is currently displaying a red arrow. A Windows DHCP server that is joined to a domain refuses to hand out leases until it has been authorized in Active Directory (a guard against rogue DHCP servers on the network), so we need to authorize the DC and refresh. Right-click “Primary-DC” => click “Authorize” => right-click again and click “Refresh”, and both IPv4 and IPv6 will turn green.
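The DHCP install, scope, options and authorization from the steps above as an added PowerShell example, not code from the original post. It uses the post’s values (scope 192.168.0.150-250, gateway and DNS 192.168.0.1, domain mydomain.local); the final registry write is the post-deployment flag Server Manager checks, which the GUI wizard clears for you, and the lookup path is the commonly documented one rather than something the post states.

```powershell
# Added example (not from the original post). Elevated PowerShell on Primary-DC.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Post-install task the wizard performs: create the DHCP Administrators / DHCP Users groups.
Add-DhcpServerSecurityGroup
Restart-Service DHCPServer

# Scope: .150-.250, /24, default 8-day lease. Everything below .150 stays free for static hosts.
Add-DhcpServerv4Scope -Name '192.168.0.150-250' `
    -StartRange 192.168.0.150 -EndRange 192.168.0.250 `
    -SubnetMask 255.255.255.0 -State Active -LeaseDuration (New-TimeSpan -Days 8)

# Options 003 (router), 006 (DNS server) and 015 (DNS domain). DNS must be the DC's LAN address,
# not 127.0.0.1: that loopback value only makes sense on the DC itself.
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 `
    -Router 192.168.0.1 -DnsServer 192.168.0.1 -DnsDomain 'mydomain.local'

# Authorize in AD; an unauthorized domain-joined DHCP server will not serve leases.
Add-DhcpServerInDC -DnsName 'Primary-DC.mydomain.local' -IPAddress 192.168.0.1

# Clear Server Manager's "post-deployment configuration" warning (commonly documented key; assumption).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# Verify: authorized server, active scope, and the three options clients will receive.
Get-DhcpServerInDC
Get-DhcpServerv4Scope
Get-DhcpServerv4OptionValue -ScopeId 192.168.0.0
```

Once the Windows 11 client is attached to the same VirtualBox internal network, Get-DhcpServerv4Lease -ScopeId 192.168.0.0 on the DC is the quickest way to confirm it picked up an address from this scope.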

Summary

You configured two network interfaces on your DC and set it up with AD DS, DNS, RAS, NAT, and DHCP. These are core building blocks of an Active Directory environment. In the next part, we will take it further: automate creating users with a PowerShell script and join the Windows 11 client to the domain. We will also look into Group Policy and other interesting aspects of managing permissions.

You have accomplished a lot in this part and you should feel proud of yourself! See you in the next part.
