Setting Up A Secure Tiered Active Directory Domain Services using Windows Server 2016


Physical Setup

We are going to install our first Domain Controller on a local physical server. This guide can also be followed on a virtual server. We have already installed our Windows Server 2016 GUI server and are able to use Remote Desktop to access it. We will be configuring Active Directory using PowerShell, so this guide should also work for Windows Server Core installations. We have already applied all available updates through the standard internet Windows Update service.

Prerequisite Tools Install

Before we can get started setting up Active Directory Domain Services, we need to install the required modules and features. Open an Administrative PowerShell Prompt.

Install the Active Directory Domain Services feature using the PowerShell command:

Install-WindowsFeature AD-Domain-Services

The Windows Feature installation will begin. Wait until it finishes.

You should be prompted that the install completed successfully.

We now need to import the Active Directory Domain Services Deployment Module. This can also be done using our Administrative PowerShell Prompt by entering the command:

Import-Module ADDSDeployment

There is no feedback in the prompt but the module should have been imported.

Install and Configure Active Directory Domain Services

We are now ready to actually install ADDS. Copy and paste the following code block into a Notepad file and prepare to update the variables as needed:

# Create a new forest with this server as its first Domain Controller.
# The command prompts for the SafeModeAdministratorPassword when it runs.
Install-ADDSForest `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012R2" `
-DomainName "" `
-DomainNetbiosName "LABGRASSA" `
-ForestMode "Win2012R2" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL"

We are installing ADDS with a standard configuration. Be sure to update the DomainName and DomainNetbiosName. Before entering the command, generate a secure password to serve as the SafeModeAdministratorPassword. This password is critical for both security and disaster recovery, so be sure it is securely stored and can be retrieved if needed.

Upon entering the command in the Administrative PowerShell Prompt we are prompted for the SafeModeAdministratorPassword. Enter and confirm the password.

The installation will begin.

You may receive warnings about not having a static IP address configured, as well as various warnings about creating DNS Delegation Zones or legacy cryptography algorithms being enabled. These warnings can be ignored for now.

When the installation is completed the server will automatically reboot. Wait for it to restart, then establish a new Remote Desktop Services session. You may have to wait a while for the initial Active Directory configuration to finish.

Manually set DNS Forwarders

Right now the Domain Controller is using the Unifi Controller as a DNS forwarder. This is the opposite of how our setup should be.

Open another Administrative PowerShell Prompt.

We can verify our DNS forwarding settings using the command:


We see that the forwarding address is currently listed as

We can remove the local forwarding address using:

Remove-DnsServerForwarder -IPAddress

You will be asked to confirm removing the forwarder. Select Yes.

We can now add a new DNS forwarder from a trusted DNS provider. I will be using Cloudflare DNS. You may add multiple DNS forwarders. To add a DNS forwarder use the command:

Add-DnsServerForwarder -IPAddress

Verify the DNS Forwarder settings are correct:
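
The forwarder change from this section as one repeatable script, verification included. This is an added example, not the author's own commands; the Cloudflare addresses 1.1.1.1 and 1.0.0.1, the test name example.com and the function names are assumptions.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules DnsServer

# Assumption: Cloudflare's public resolver addresses. The page names the
# provider but not the addresses; substitute your own trusted resolvers.
$TrustedForwarders = @('1.1.1.1', '1.0.0.1')

function Compare-ForwarderList {
    # Hypothetical helper: works out what to remove and what to add so the
    # current forwarder list ends up equal to the desired one.
    param(
        [string[]]$Current = @(),
        [string[]]$Desired = @()
    )
    [pscustomobject]@{
        Remove = @($Current | Where-Object { $_ -notin $Desired })
        Add    = @($Desired | Where-Object { $_ -notin $Current })
    }
}

function Set-TrustedForwarder {
    param([string[]]$Desired = $TrustedForwarders)

    # Read the current forwarders, e.g. one inherited from the local gateway.
    $current = @((Get-DnsServerForwarder).IPAddress | Where-Object { $_ })
    $plan = Compare-ForwarderList -Current $current -Desired $Desired

    # Add the trusted forwarders before removing the old ones, so the server
    # is never left with an empty forwarder list part-way through.
    if ($plan.Add)    { Add-DnsServerForwarder -IPAddress $plan.Add }
    # -Force suppresses the confirmation prompt described above.
    if ($plan.Remove) { Remove-DnsServerForwarder -IPAddress $plan.Remove -Force }

    # Verify the stored list, then verify an external name actually resolves
    # through this DNS server rather than through the old forwarder.
    $final = @((Get-DnsServerForwarder).IPAddress | Where-Object { $_ })
    $drift = Compare-ForwarderList -Current $final -Desired $Desired
    if ($drift.Add -or $drift.Remove) {
        throw "Unexpected forwarder list: $($final -join ', ')"
    }
    Resolve-DnsName -Name 'example.com' -Server 127.0.0.1 -DnsOnly -ErrorAction Stop | Out-Null
    $final
}

Set-TrustedForwarder
```

Running it a second time makes no changes and only repeats the verification.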


Set Static IP Address

Open an Administrative CMD Prompt and enter the command:


In the Server Configuration Menu enter option 8.

Select your network adapter:

Select 1 for Set Network Adapter Address.

Select S for Static IP Address and enter the current server network configuration.

Close the Server Configuration Menu.

Conclusion and Next Steps

We now have a Windows Server 2016 Domain Controller configured on our Tier 0 network. The next steps will be to complete our Active Directory Users and Computers initial configuration by defining our Tiered Access Organizational Units and populating our first users.
