Install AD DS, DNS, and DHCP using PowerShell on Windows Server 2016

This article serves as a guide to installing and configuring roles on Windows Server 2016 using PowerShell.

To begin, right-click the Windows PowerShell taskbar icon and select “Run as Administrator”. To view Windows features and their statuses, enter this command into the console:

Get-WindowsFeature

To install an individual feature the following command syntax is used:

Install-WindowsFeature -Name [feature_name] -[Options] 

Active Directory Role

We will begin by installing the Active Directory role using the following:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

To view the available module commands related to AD DS use the following:

Get-Command -Module ADDSDeployment

First, the root domain is installed:

Install-ADDSForest -DomainName "corp.momco.com"

Note that you may see several error messages and this is okay. Watch the banner for update information regarding your domain forest. Once the root forest is successfully created, a confirmation message is displayed.

The server will restart. Open PowerShell again as Administrator and check to make sure the appropriate changes were made.
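One way to run that post-restart check, as an added example that is not from the original article: the function name Test-NewDomainController and its helper Add-Check are hypothetical, and the domain name is the one used above. It assumes an elevated session on the new domain controller.

```powershell
# Added example (not the article's code): verify a freshly promoted DC.
# Test-NewDomainController and Add-Check are hypothetical names.
function Test-NewDomainController {
    param([string]$DomainName = 'corp.momco.com')

    $ErrorActionPreference = 'Stop'   # turn cmdlet errors into failed checks
    $results = [System.Collections.Generic.List[object]]::new()

    function Add-Check($Name, [scriptblock]$Test) {
        try   { $ok = [bool](& $Test); $detail = '' }
        catch { $ok = $false; $detail = $_.Exception.Message }
        $results.Add([pscustomobject]@{ Check = $Name; Passed = $ok; Detail = $detail })
    }

    # The domain and forest exist under the expected name.
    Add-Check 'Domain present' { (Get-ADDomain -Identity $DomainName).DNSRoot -eq $DomainName }
    Add-Check 'Forest root'    { (Get-ADForest).RootDomain -eq $DomainName }

    # This server is registered as a DC and holds the global catalog.
    Add-Check 'Is global catalog' {
        (Get-ADDomainController -Identity $env:COMPUTERNAME).IsGlobalCatalog
    }

    # Core services a domain controller depends on are running.
    foreach ($svc in 'NTDS', 'DNS', 'Netlogon', 'Kdc', 'ADWS') {
        Add-Check "Service $svc" { (Get-Service -Name $svc).Status -eq 'Running' }
    }

    # SYSVOL and NETLOGON shares are published (needed for Group Policy and logon scripts).
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        Add-Check "Share $share" { Get-SmbShare -Name $share }
    }

    # Clients locate the DC through this SRV record in the AD-integrated DNS zone.
    Add-Check 'LDAP SRV record' {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
    }

    $results
}

Test-NewDomainController | Format-Table -AutoSize
```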

Now we can join a computer connected to our VLAN to our domain. In this instance I log onto a Windows 7 VM on the same VLAN as the Windows Server and join this box by changing the domain in the computer’s System Properties. To join the domain, you must authorize the client using an administrative username/password from the domain. In this example my username was “momco\administrator”. Upon successfully joining, you should see a message box welcoming you to your domain.

Restart your client computer to apply the new changes. You should now be able to view this client on your Windows server domain controller (DC) using the following command:

Get-ADComputer -Filter * | Format-Table DNSHostName, Enabled, Name, SamAccountName

The client computer appears in the output as “WIN-BOB-01”. We can add a user to the Active Directory domain using the following command:

New-ADUser -Name [Username] -AccountPassword (Read-Host -AsSecureString "AccountPassword") -PassThru | Enable-ADAccount

DNS Role

The DNS server was created when the AD DS role installed the root forest. We can see that the DNS role is installed using the Get-WindowsFeature command:

Get-WindowsFeature | where {($_.name -like "DNS")}

If your DNS server is not installed, you can install it with this command:

Install-WindowsFeature DNS -IncludeManagementTools

The DNS primary zone is created when the forest is generated. Next, a reverse lookup zone is added by giving its network ID and zone file name:

Add-DnsServerPrimaryZone -NetworkID "192.168.64.0/24" -ZoneFile "192.168.64.2.in-addr.arpa.dns"

Next, the forwarder is added:

Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru

You should now be able to test your DNS server:

Test-DnsServer -IPAddress 192.168.64.2 -ZoneName "corp.momco.com"

DHCP Role

We’ll begin by installing the DHCP role. To do this, the Windows 2016 Server must be configured with a static IP address. The New-NetIPAddress command is used:

New-NetIPAddress -InterfaceIndex 2 -IPAddress 192.168.64.2 -PrefixLength 24 -DefaultGateway 192.168.64.1

You’ll need to know the ifIndex of the network interface whose IP address you are configuring. To view your available network interfaces, use the Get-NetIPInterface command. Now that the server has been configured with an IP address, the DHCP role can be installed:

Install-WindowsFeature DHCP -IncludeManagementTools

Next, a security group is created using the netsh command. The service is then restarted. When the command is run, the DHCP Administrators and DHCP Users security groups are created in Local Users and Groups on the DHCP server.

Now that the DHCP role and security groups are installed, we need to configure the subnets, scope and exclusions. Configure the DHCP scope for the domain. These are the addresses that DHCP hands out to the network.

Add-DhcpServerv4Scope -Name "Employee Scope" -StartRange 192.168.64.10 -EndRange 192.168.64.30 -SubnetMask 255.255.255.0 -State Active

The DHCP lease can be set to 1 day using the following command:

Set-DhcpServerv4Scope -ScopeId 192.168.64.0 -LeaseDuration 1.00:00:00

Next, set the scope options that clients receive with their lease (the DNS domain, DNS server, and router):

Set-DHCPServerv4OptionValue -ScopeID 192.168.64.0 -DnsDomain corp.momco.com -DnsServer 192.168.64.2 -Router 192.168.64.1

Finally, the DHCP server is added to the DC, which authorizes it in Active Directory:

Add-DhcpServerInDC -DnsName corp.momco.com -IpAddress 192.168.64.2

We can verify the DHCP Scope setting using this command:

Get-DhcpServerv4Scope

We can verify the existence of this DHCP server in this DC with the following command:

Get-DhcpServerInDC

Restart the DHCP service:

Restart-Service dhcpserver

We can verify that DHCP is working properly by releasing the client IP and then requesting a new IP address from the DHCP server. (This step assumes that your client is set to automatically receive IP addresses via DHCP.)

ipconfig /release
ipconfig /renew

The appropriate IP address was distributed to the client.
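The DHCP steps above can be checked in one pass with the following added example, which is not from the original article. It compares the live scope, options and Active Directory authorization with the values used in this guide, and confirms that the server's and router's static addresses fall outside the lease pool. The function names Test-DhcpDeployment and ConvertTo-UInt32 are hypothetical; run it in an elevated session on the DHCP server.

```powershell
# Added example (not the article's code). Expected values are taken from the
# commands in this guide; function names are hypothetical.
$Expected = @{
    ScopeId   = '192.168.64.0';   ServerIp = '192.168.64.2'
    PoolStart = '192.168.64.10';  PoolEnd  = '192.168.64.30'
    Router    = '192.168.64.1';   Dns      = '192.168.64.2'
    Domain    = 'corp.momco.com'; Lease    = [timespan]'1.00:00:00'
}

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted quad -> integer so addresses can be compared numerically.
    $bytes = ([ipaddress]$Ip).GetAddressBytes()
    [array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-DhcpDeployment ([hashtable]$E) {
    $ErrorActionPreference = 'Stop'
    $scope = Get-DhcpServerv4Scope -ScopeId $E.ScopeId

    # Index the scope options by option ID (3 = router, 6 = DNS, 15 = domain).
    $opt = @{}
    Get-DhcpServerv4OptionValue -ScopeId $E.ScopeId |
        ForEach-Object { $opt[[int]$_.OptionId] = $_.Value -join ',' }

    $lo = ConvertTo-UInt32 $scope.StartRange
    $hi = ConvertTo-UInt32 $scope.EndRange
    $static = $E.ServerIp, $E.Router | ForEach-Object { ConvertTo-UInt32 $_ }

    $checks = [ordered]@{
        # An unauthorized DHCP server on a domain member will not serve leases.
        'Server authorized in AD' = [bool](Get-DhcpServerInDC |
            Where-Object { $_.IPAddress.ToString() -eq $E.ServerIp })
        'Scope active'            = $scope.State -eq 'Active'
        'Pool matches plan'       = "$($scope.StartRange)" -eq $E.PoolStart -and
                                    "$($scope.EndRange)" -eq $E.PoolEnd
        'Static IPs outside pool' = -not ($static | Where-Object { $_ -ge $lo -and $_ -le $hi })
        'Lease duration'          = $scope.LeaseDuration -eq $E.Lease
        'Option 3 (router)'       = $opt[3]  -eq $E.Router
        'Option 6 (DNS server)'   = $opt[6]  -eq $E.Dns
        'Option 15 (DNS domain)'  = $opt[15] -eq $E.Domain
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}

Test-DhcpDeployment $Expected | Format-Table -AutoSize
```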

Have a comment or question? I’d love to hear about it. Please let me know in the comments below! Thanks for reading!
