The first thing to observe about this article is that it’s now pretty commonplace to build servers using only Core; there are many reasons why you should not have a desktop experience or GUI.
The desktop experience adds quite a bit of overhead to a server, so you generally have to build a more powerful server to accommodate the fact you’re running Explorer. You also reduce your attack surface by 70% by not having a desktop experience.
You also no longer have to be logged in locally to the server via the Remote Desktop Protocol to manage it, but old habits die hard here; you can issue all the commands remotely.
If you’re not confident with PowerShell (why are you working in Technology/IS?) then you can always use the Windows Admin Center (WAC). This is a website that will remotely connect to the server and run the commands for you in a web interface like this when starting up:
Then you can connect to servers and get a virtual GUI from a website:
Note : This guide will be using VMware as the hypervisor; your actual instructions may be slightly different depending on the platform.
Preparing server, 2022 core installation
First, you need to get the configuration correct. We quickly need to look at only two main areas and then, if it’s a virtual server, some subcategories.
Network Card(s)
I would highly recommend you have two network card connections available for HA.
If this is a physical server, many of the servers will have two network cards by default as a minimum
If this is a virtual machine, I would recommend having two network cards on different ports from the host machine.
Hard disks
If this is a physical server and you only have one array of disks, then you can configure the 3x individual partitions from the setup wizard, which we will cover later.
If this is a virtual server, you can create 1x larger disk and partition it, or you can create 3x drives on the same or different data stores with multiple paths back to the storage host.
Logical Drive Requirements
You will need three drives. This is what I would call them, but it’s personal; the naming comes from N for NTDS and L for logs, but this is dealer’s choice.
System - C:
NTDS Database - N:
NTDS Logs - L:
Note : If you want logical drive letters like C then D then E, remember Windows reserves D: for the CD drive you don’t have, so this drive letter will need to be changed if you want logical drives.
If you are using Azure then remember that the temporary staging disk is the D:.
You just need to remember what drive letter you’ve assigned for what purpose, so labeling the disks would be a good idea.
Memory
Please do not run your servers with too little memory even if you are installing Core. I would recommend the following configuration for an ADDS server:
Minimum RAM : 16GB
Recommended RAM : 32GB
CPU/Processor
If you are using a virtual machine the CPU will reflect what the hypervisor is running; however, the following configuration is best:
Note : In Azure please do not use the AMD EPYC processors designed around efficiency and power saving, they are not good for an ADDS server - you will likely get bad ADDS performance
Cloud Virtual Processor : Intel Xeon Platinum class with 4 cores minimum
Hypervisor Virtual Processor : Intel Xeon E5 with 4 core minimum (Hyper-threaded sharing : Disabled)
Physical processor : Intel Xeon class processor.
Remote mounting ISO image.
This will depend on whether you’re building a physical server or a virtual server as a guest. The instructions for installing the operating system are the same on both; it’s just how you get to installing the operating system that is different. Obviously, I can’t go through every example, but the high-level summary will include one of these methods:
Note : Unfortunately, gone are the days of having to have a physical CD or, for that matter, a USB boot volume on a flash drive.
- Virtually mounting an ISO on iLO
- Virtually mounting an ISO in hypervisor
Anyway, once you have your ISO virtually mounted you need to boot off it; how you do that depends on your individual configuration.
Security Note : If you have not secured the UEFI or BIOS settings with a password, anyone can select a bootable drive. You may wish to reconsider, as someone can quite easily boot off that into DaRT and compromise your server.
You may need to enter the boot menu, which is usually F9 - once here you will need to choose the virtual drive you’ve just mounted.
Installing Server 2022 Core
You need the ISO mounted and the server booted off that ISO image, which should get you here to the language selection. Please do not click Next like a cowboy and install the USA regional settings on a server which, for example, is in the UK......
Then you need to click the only button on the screen to begin:
Then we want the default selection here; no surprise, it's the default and recommended, but this is the Core install, the one without the Desktop Experience, aka GUI:
I think Microsoft have not realised that people do not have whole months to read the endless terms and conditions and that not everyone is a lawyer - however in this case we agree.....next.....
We would now like a "Custom" install as we only require one partition at the moment, not the whole volume:
Then you will see the disks available. Here we can see the allocated disk of 200GB; do not click Next, as that will install Windows on a single partition. We need the New button with that partition selected:
We then need to allow 150GB for the C:, therefore we need to enter "150000" in the MB box and choose Apply:
This will then create the partition. Once complete you should see "Drive 0 Partition 2" of 146GB; that is the one we need to click, then click Next:
Once this has completed you will see this; you can wait the 10 seconds or click "Restart Now". Make a choice, quickly:
Once the server restarts the Desktop Experience is gone and it's all PowerShell now. Here you need to change your password:
Once you press Enter on OK you will need a new password; to get to the confirm box use the down arrow:
Now you are ready to log in; like I said, no Explorer at all:
Server Core : SConfig
If you would rather not have sconfig loading on every login, enter 15 as the option and then run this to prevent it:
Set-SConfig -AutoLaunch $False
Then you will be fully in PowerShell mode like this:
Note : You can configure many of the settings with sconfig but the commands below will configure items you cannot configure with sconfig, however the choice on how your server is configured is down to you.....
Get-Disk
You will then see all the disks available, notice here the Disk is 0, we have no other disks:
Now we need to create the partitions for the N: and the L: with the relevant space on the disk, so this is how we do it:
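One way to create the two partitions from the unallocated space left on Disk 0, written as an added example rather than the author's own commands. The sizes (25GB for N:, the remainder for L:) and the volume labels are assumptions; adjust them to your own layout.

```powershell
# Added example: carve N: and L: out of the unallocated space on Disk 0.
# Assumed sizes: 25GB for the NTDS database, whatever is left for the NTDS logs.
$diskNumber = 0
$wanted = @(
    @{ Letter = 'N'; Label = 'NTDS Database'; Size = 25GB },
    @{ Letter = 'L'; Label = 'NTDS Logs';     Size = $null }   # $null = use the remainder
)

# Stop early if a letter is already taken (for example by a virtual CD drive).
$inUse = (Get-PSDrive -PSProvider FileSystem).Name
foreach ($p in $wanted) {
    if ($inUse -contains $p.Letter) { throw "Drive letter $($p.Letter): is already in use" }
}

# Check there is enough unallocated space before touching the disk.
$free   = (Get-Disk -Number $diskNumber).LargestFreeExtent
$needed = ($wanted | Where-Object { $_.Size } | ForEach-Object { $_.Size } |
           Measure-Object -Sum).Sum
if ($free -le $needed) {
    throw "Only $([math]::Round($free / 1GB)) GB unallocated on disk $diskNumber"
}

# Create each partition, assign its letter, then format it as NTFS with a label.
foreach ($p in $wanted) {
    $part = if ($p.Size) {
        New-Partition -DiskNumber $diskNumber -Size $p.Size -DriveLetter $p.Letter
    } else {
        New-Partition -DiskNumber $diskNumber -UseMaximumSize -DriveLetter $p.Letter
    }
    $part | Format-Volume -FileSystem NTFS -NewFileSystemLabel $p.Label -Confirm:$false |
        Out-Null
}

Get-Volume -DriveLetter N, L | Format-Table DriveLetter, FileSystemLabel, FileSystem, Size
```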
Finally to check the drives are there and valid run this command:
Get-Volume
This will then show you the disks as you have formatted them and labelled them:
You will notice that the C: is not called System, so let's fix that now with this:
Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = 'C:'" | Set-CimInstance -Property @{Label='System'}
Get-NetConnectionProfile
New-NetLbfoTeam -Name BearLive -TeamMembers "Ethernet0","Ethernet1" -TeamingMode SwitchIndependent
This will look like this if done correctly:
If you then run the command to check the teaming, which is:
Get-NetLbfoTeam
You should notice that it is not online and active as below:
If you now run the command below to get the InterfaceIndex value:
Get-NetConnectionProfile
You can see from below ours for this example is 10.....
You can now set the IP address with this command, obviously replace the placeholder values with your values:
Get-NetAdapter BearLive | New-NetIPAddress -IPAddress '<ip_addr>' -AddressFamily IPv4 -PrefixLength 16 -DefaultGateway '<gateway>'
Finally we need to set the DNS servers for this server to use. This can be done with this command; again, change the placeholder values for your environment:
Get-NetAdapter BearLive | Set-DnsClientServerAddress -ServerAddresses '<dns1>','<dns2>'
Rename the Computer
We do not want a randomly generated computer name, so let's get that updated. It is best to do this before you join the server to the domain, so to accomplish that use this command:
Rename-Computer -NewName "BearLiveDC"
This will then confirm the computer name has been changed after a reboot.
Join to Domain
You now need to join the domain which you can do with this command:
Add-Computer -DomainName "bear.local" -Restart
This will look like this:
Where you will need to provide your credentials for the domain join:
When you enter valid credentials the server will reboot automatically and apply your group policy on the next boot. As we require Ctrl+Alt+Del to log in, we should see that after the boot:
Windows Activation
We now need to activate Windows, which is very simple to complete. If you have a KMS server you need to follow these instructions; the key provided is the Server 2022 GVLK and requires an activated KMS server.
Activate with an on-premises KMS server
slmgr /ipk VDYBN-27WPP-V4HQT-9VMD4-VMK7H
slmgr /skms kmsserver.bear.local:1688
slmgr /ato
Activate with an Azure-based cloud server
slmgr /ipk VDYBN-27WPP-V4HQT-9VMD4-VMK7H
slmgr /skms kms.core.windows.net:1688
slmgr /ato
SConfig Updates
Now we need to set up all the other features which you can configure with sconfig, so this is the menu you will see:
We will only focus on 3 settings here, the rest has been done with PowerShell, so let's get started:
Remote Management
This is enabled by default and the ping option is disabled by default, if you would like to allow a ping then you
Windows Update
We need to keep our server healthy with all the updates and hotfixes, so let's ensure this is enabled with the below:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
This will mean the role is installed but not activated; the role will require post-deployment tasks to complete. If you had the Desktop Experience it would look like this, but you don't, this is Core:
Install ADDS Role (Active Directory Domain Services)
This will promote the server to a domain controller for the domain you joined it to, and this is the command to perform that action:
Install-ADDSDomainController -DomainName bear.local -SiteName London -InstallDNS:$True -DatabasePath "N:\NTDS" -LogPath "L:\NTDS" -Credential (Get-Credential)
When you run this command you will be prompted for the credentials as expected. When you enter valid credentials you will then be asked for a "SafeModeAdministratorPassword"; this is the password you will need for Active Directory Restore mode, or commonly known as an authoritative restore, this is seen below:
Once you have entered this password the installation will begin as below. This install can take a while depending on the size of your ADDS database.
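Once the promotion has finished and the server has rebooted, it is worth confirming that the database and logs really landed on N: and L: and that the DC services and shares are up. The check below is an added example, not part of the original guide; the function name Test-DcPlacement is hypothetical and the default paths are the ones passed to Install-ADDSDomainController above.

```powershell
# Added example: verify the result of the promotion against the layout in this guide.
function Test-DcPlacement {
    param(
        [string]$DatabaseRoot = 'N:\NTDS',   # value given to -DatabasePath above
        [string]$LogRoot      = 'L:\NTDS'    # value given to -LogPath above
    )

    # NTDS records where the database and its transaction logs live in the registry.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # DomainRole 4 (backup DC) or 5 (primary DC) means this machine is a domain controller.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole

    # Core services a DC with integrated DNS should be running.
    $services = @(Get-Service NTDS, Netlogon, Kdc, DNS -ErrorAction SilentlyContinue)
    $stopped  = @($services | Where-Object Status -ne 'Running')

    # SYSVOL and NETLOGON are only shared once the DC is advertising itself.
    $shares = @((Get-SmbShare -ErrorAction SilentlyContinue).Name)

    [pscustomobject]@{
        IsDomainController = $role -in 4, 5
        DatabaseOnN        = $ntds.'DSA Database file' -like "$DatabaseRoot\*"
        LogsOnL            = $ntds.'Database log files path' -like "$LogRoot*"
        ServicesRunning    = ($services.Count -eq 4) -and ($stopped.Count -eq 0)
        SysvolShared       = ($shares -contains 'SYSVOL') -and ($shares -contains 'NETLOGON')
    }
}

$result = Test-DcPlacement
$result | Format-List

# Flag any check that came back false so it is not missed in the output.
$failed = $result.PSObject.Properties | Where-Object { -not $_.Value }
if ($failed) { Write-Warning "Check failed: $($failed.Name -join ', ')" }
```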