ADDS Server : Building as Server Core

The first thing to observe about this article is that it is now pretty commonplace to build servers using Core only; there are many reasons why a server should not have the Desktop Experience or GUI.

The Desktop Experience adds quite a bit of overhead to a server, so you generally have to build a more powerful server to accommodate the fact that you're running Explorer; you also reduce your attack surface by 70% by not having the Desktop Experience.


You also no longer have to log in locally to the server via the Remote Desktop Protocol to manage it (old habits die hard here); you can issue all the commands remotely.

If you're not confident with PowerShell (why are you working in Technology/IS?) then you can always use Windows Admin Center (WAC). This is a website that remotely connects to the server and runs the commands for you in a web interface, which looks like this when starting up:


Then you can connect to servers and get a virtual GUI from a website:


Note : This guide will be using VMware as the hypervisor; your actual instructions may be slightly different depending on the platform.

Preparing the server for a 2022 Core installation

First, you need to get the configuration correct, and we quickly need to look at only two main areas and then, if it's a virtual server, some sub-categories.

Network Card(s)

I would highly recommend you have two network card connections available for HA.

If this is a physical server, many servers will have two network cards by default as a minimum.
If this is a virtual machine, I would recommend having two network cards on different ports from the host machine.

Hard disks

If this is a physical server and you only have one array of disks, then you can configure the 3x individual partitions from the setup wizard, which we will cover later.

If this is a virtual server, you can create 1x larger disk and partition it, or you can create 3x drives on the same or different datastores with multiple paths back to the storage host.

Logical Drive Requirements

You will need three drives. This is what I would call them, but it's personal; the naming comes from N for NTDS and L for logs, but this is dealer's choice.

System - C:
NTDS Database - N:
NTDS Logs - L:

Note : If you want logical drive letters like C then D then E, remember Windows reserves D: for the CD drive you don't have, so this drive letter will need to be changed if you want logical drives.

If you are using Azure then remember that the temporary staging disk is D:.

You just need to remember what drive letter you’ve assigned for what purpose, so labeling the disks would be a good idea.

Memory

Please do not run your servers with too little memory even if you are installing Core. I would recommend the following configuration for an ADDS server:

Minimum RAM : 16GB
Recommended RAM : 32GB

CPU/Processor

If you are using a virtual machine the CPU will reflect what the hypervisor is running; however, the following configuration is best:

Note : In Azure please do not use the AMD EPYC processors designed around efficiency and power saving; they are not good for an ADDS server and you will likely get bad ADDS performance.

Cloud Virtual Processor : Intel Xeon Platinum class with 4 cores minimum
Hypervisor Virtual Processor : Intel Xeon E5 with 4 cores minimum (Hyper-threaded sharing : Disabled)
Physical processor : Intel Xeon class processor.

Remotely mounting the ISO image

This will depend on whether you're building a physical server or a virtual server as a guest. The instructions for installing the operating system are the same on both; it's just how you get to installing the operating system that is different. Obviously, I can't go through every example, but the high-level summary will include one of these methods:

Note : Unfortunately, gone are the days of having to have a physical CD or, for that matter, a USB boot volume on a flash drive.

  1. Virtually mounting an ISO via iLO
  2. Virtually mounting an ISO in the hypervisor

Anyway, once you have your ISO virtually mounted, boot the server from it; the exact steps depend on your individual configuration.

Security Note : if you have not secured the UEFI or BIOS settings with a password, anyone can select a bootable drive; you may wish to reconsider, as someone can quite easily boot into DaRT from it and compromise your server.

You may need to enter the boot menu, which is usually F9; once here you will need to choose the virtual drive you've just mounted.

Installing Server 2022 Core

You need the ISO mounted and the server booted from that ISO image, which should get you to the language selection. Please ensure you do not, like a cowboy, click Next and install the USA regional settings on a server that is, for example, in the UK......


Then you need to click the only button on the screen to begin:


Then we want the default selection here; no surprise it's the default and recommended, but this is the Core install, the one without the Desktop Experience aka GUI:


I think Microsoft have now realised that people do not have whole months to read the endless terms and conditions and that not everyone is a lawyer - however in this case we agree.....next.....



We would now like a "Custom" install, as we only require one partition at the moment, not the whole volume:



Then you will see the disks available; here we can see the allocated disk of 200GB. Do not click Next, as that will install Windows on a single partition; we need the New button with that partition selected:



We then need to allow 150GB for the C:, therefore we need to enter "150000" in the MB box and choose Apply:



This will then create the partition; once complete you should see "Drive 0 Partition 2" of 146GB. That is the one we need to click, and then click Next:


Then the installer will run like this:


Once this has completed you will then see this; you can wait the 10 seconds or click "Restart Now" - make a choice, quickly:


Once the server restarts the Desktop Experience is gone and it's all PowerShell now. Here you need to change your password:



Once you press Enter on OK you will need a new password; to get to the confirm box use the down arrow:


Now you are ready to log in; like I said, no Explorer at all:


Server Core : SConfig

When you log in to the server you can use sconfig; it will automatically start when you log in successfully and will look like this:

If you would rather not have sconfig load on every login, enter 15 as the option to exit it and then run this to prevent it:

Set-SConfig -AutoLaunch $False


Then you will be fully in PowerShell mode like this:

Note : You can configure many of the settings with sconfig, but the commands below configure items you cannot configure with sconfig; however, the choice of how your server is configured is down to you.....

Setup Disks/Partitions

You first need to list the disks in the server, so for that you need the command:

Get-Disk

You will then see all the disks available; notice here the disk is 0, and we have no other disks:


Now we need to create the partitions for N: and L: with the relevant space on the disk, so this is how we do it:

New-Partition -DiskNumber 0 -size 35gb -DriveLetter N | Format-Volume -FileSystem NTFS -NewFileSystemLabel "ADDS Database"

New-Partition -DiskNumber 0 -size 25gb -DriveLetter L | Format-Volume -FileSystem NTFS -NewFileSystemLabel "ADDS Logs"

This should look like this, showing they are now formatted as NTFS with the label on the disk as well:


Finally, to check the drives are there and valid, run this command:

Get-Volume

This will then show you the disks as you have formatted and labelled them:


You will notice that the C: is not called System, so let's fix that now with this:

Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = 'C:'" | Set-CimInstance -Property @{Label='System'}

Then if you run the check command as above you will notice you now have labelled drive letters that are all correct:
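The one-liners above do the job, but they assume D: is free, that the disk has room, and that nothing already holds N: or L:. As an added example (my code, not from the original article), the script below does the same partitioning with those checks in front of it: it moves a CD-ROM off D: if one is there (the reservation mentioned in the drive-letter note earlier), refuses to run if disk 0 lacks the unallocated space, skips letters that already exist, labels C: as System, and verifies every volume came out as NTFS with the intended label. Disk 0, the 35GB/25GB sizes and the labels follow the article; the Z: letter for the CD-ROM is my choice.

```powershell
# Added example (not from the original article): create N: and L: on the OS disk
# with pre-checks, then label C: and verify the result.
# Assumptions: OS on disk 0; sizes and labels as in the article; a CD-ROM is the
# only thing that might be holding D:, and Z: is free to move it to.
$DiskNumber = 0
$Plan = @(
    @{ Letter = 'N'; SizeGB = 35; Label = 'ADDS Database' },
    @{ Letter = 'L'; SizeGB = 25; Label = 'ADDS Logs' }
)

# Free D: if a CD-ROM (DriveType 5) holds it, so later volumes can be lettered logically.
$cd = Get-CimInstance Win32_Volume -Filter "DriveLetter='D:' AND DriveType=5"
if ($cd) {
    Set-CimInstance -InputObject $cd -Property @{ DriveLetter = 'Z:' }
}

# Make sure there is enough unallocated space before touching the disk.
$disk   = Get-Disk -Number $DiskNumber
$needed = ($Plan | Measure-Object -Property SizeGB -Sum).Sum * 1GB
$free   = $disk.Size - $disk.AllocatedSize
if ($free -lt $needed) {
    throw "Disk $DiskNumber has $([math]::Round($free / 1GB)) GB free; need $($needed / 1GB) GB"
}

foreach ($p in $Plan) {
    if (Get-Volume -DriveLetter $p.Letter -ErrorAction SilentlyContinue) {
        Write-Warning "Drive $($p.Letter): already exists; skipping"
        continue
    }
    New-Partition -DiskNumber $DiskNumber -Size ($p.SizeGB * 1GB) -DriveLetter $p.Letter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $p.Label -Confirm:$false | Out-Null
}

# Label the system volume, as the article does.
Get-CimInstance Win32_Volume -Filter "DriveLetter='C:'" |
    Set-CimInstance -Property @{ Label = 'System' }

# Verify: every planned letter is present, NTFS, and carries the expected label.
$result = Get-Volume -DriveLetter C, N, L |
    Select-Object DriveLetter, FileSystemLabel, FileSystem, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } }
$result | Format-Table -AutoSize
$bad = $result | Where-Object { $_.FileSystem -ne 'NTFS' }
if ($bad) { throw "Unexpected file system on: $($bad.DriveLetter -join ', ')" }
```

Run it from the elevated PowerShell prompt you land in after login. If the disk was sized differently from the 200GB in the walkthrough, the free-space check is what stops you from ending up with a half-created L: volume.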



Setup Networking

First we need to list all the network cards on the server, which you can do with this; we are after the names of the interfaces:

Get-NetConnectionProfile

This will show you this:


We now have the names, so we can create the teamed adapter using this command:

New-NetLbfoTeam -Name BearLive -TeamMembers "Ethernet0","Ethernet1" -TeamingMode SwitchIndependent

This will look like this if done correctly:


If you then run the command to check the teaming, which is:

Get-NetLbfoTeam

You should notice that it is now online and active, as below:


If you now run the command below to get the InterfaceIndex value:

Get-NetConnectionProfile

You can see from below that ours for this example is 10.....

You can now set the IP address with this command; obviously replace the placeholder values with your own values:

Get-NetAdapter BearLive | New-NetIPAddress -IPAddress '<ip_addr>' -AddressFamily IPv4 -PrefixLength 16 -DefaultGateway '<gateway>'

Finally we need to set the DNS servers for this server to use, which can be done with this command; again, change the placeholder values for your environment:

Get-NetAdapter BearLive | Set-DnsClientServerAddress -ServerAddresses '<dns1>','<dns2>'
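The teaming and addressing steps above work, but on a box you only reach remotely the order and timing matter: the team NIC appears a few seconds after New-NetLbfoTeam returns, and if DHCP hands it an address first, New-NetIPAddress fails or leaves two addresses on the interface. As an added example (my code, not from the original article), this script checks both members exist, creates the team, waits for it to come Up, clears DHCP and any address it acquired, then sets the static address and DNS and verifies them. Adapter names, team name and the /16 prefix follow the article; the IP, gateway and DNS values are constructed placeholders.

```powershell
# Added example (not from the original article): team Ethernet0/Ethernet1 as
# BearLive, wait for the team NIC, then assign a static IPv4 address and DNS.
# Assumptions: names as in the article; address values below are placeholders.
$TeamName   = 'BearLive'
$Members    = 'Ethernet0', 'Ethernet1'
$IPAddress  = '10.0.0.10'            # placeholder: this DC's static address
$Prefix     = 16                     # the article uses /16
$Gateway    = '10.0.0.1'             # placeholder
$DnsServers = '10.0.0.5', '10.0.0.6' # placeholder: existing DNS servers

# Refuse to team anything that is not present; a half-built team on a remotely
# managed server is worse than no team at all.
$missing = $Members | Where-Object { -not (Get-NetAdapter -Name $_ -ErrorAction SilentlyContinue) }
if ($missing) { throw "Adapter(s) not found: $($missing -join ', ')" }

if (-not (Get-NetLbfoTeam -Name $TeamName -ErrorAction SilentlyContinue)) {
    New-NetLbfoTeam -Name $TeamName -TeamMembers $Members -TeamingMode SwitchIndependent -Confirm:$false | Out-Null
}

# The team NIC is created asynchronously; poll until it reports Up (or give up).
$deadline = (Get-Date).AddSeconds(60)
do {
    $teamNic = Get-NetAdapter -Name $TeamName -ErrorAction SilentlyContinue
    if ($teamNic -and $teamNic.Status -eq 'Up') { break }
    Start-Sleep -Seconds 2
} while ((Get-Date) -lt $deadline)
if (-not $teamNic -or $teamNic.Status -ne 'Up') { throw "Team $TeamName did not come up within 60s" }

# Turn off DHCP on the team NIC and clear anything it picked up before we set ours.
Set-NetIPInterface -InterfaceIndex $teamNic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $teamNic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $teamNic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $teamNic.ifIndex -IPAddress $IPAddress -AddressFamily IPv4 `
    -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $teamNic.ifIndex -ServerAddresses $DnsServers

# Verify: address applied, gateway reachable, DNS servers recorded.
Get-NetIPAddress -InterfaceIndex $teamNic.ifIndex -AddressFamily IPv4 | Format-Table IPAddress, PrefixLength -AutoSize
if (-not (Test-Connection -ComputerName $Gateway -Count 2 -Quiet)) { Write-Warning "Gateway $Gateway is not answering" }
Get-DnsClientServerAddress -InterfaceIndex $teamNic.ifIndex -AddressFamily IPv4 | Format-Table ServerAddresses -AutoSize
```

If you are doing this over a remote session that rides on one of the member adapters, expect to lose the session when the team forms; run it from the hypervisor console, or via a separate management interface.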

Rename the Computer

We do not want a randomly generated computer name, so let's get that updated. It is best to do this before you join it to the domain, so to accomplish that use this command:

Rename-Computer -NewName "BearLiveDC"

This will then confirm the computer name has been changed after a reboot.

Join to Domain

You now need to join the domain, which you can do with this command:

Add-Computer -DomainName "bear.local" -Restart

This will look like this:


Here you will need to provide your credentials for the domain join:


When you enter valid credentials the server will then reboot automatically; it will apply your group policy on the next boot and, as we require Ctrl+Alt+Del to log in, we should see that after the boot:
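The two steps above (rename, then join) each want a reboot. As an added example (my code, not from the original article), the script below first confirms that the domain can actually be located through the DNS servers you just configured, using the same DC-locator SRV record the join itself relies on, and then renames and joins in a single Add-Computer call so the server restarts once. The domain name and the new computer name follow the article.

```powershell
# Added example (not from the original article): verify the domain is locatable
# in DNS, then rename and join in one reboot.
# Assumptions: domain bear.local and computer name BearLiveDC as in the article.
$Domain  = 'bear.local'
$NewName = 'BearLiveDC'

# NetBIOS names are 1-15 characters; catch a typo before the join does.
if ($NewName -notmatch '^[A-Za-z0-9-]{1,15}$') { throw "'$NewName' is not a valid computer name" }

# The DC-locator SRV record is what the join will query; if this fails, fix the
# DNS settings from the networking section rather than retrying the join.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'SRV' }
if (-not $srv) { throw "No domain controllers for $Domain are advertised in DNS" }
"Domain controllers advertised for $Domain :"
$srv | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize

# Rename and join together; -Restart reboots once the join succeeds.
$cred = Get-Credential -Message "Account permitted to join computers to $Domain"
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart
```

If the SRV lookup returns nothing, the usual cause on a fresh Core build is that the DNS servers from the previous section were set on the member adapter rather than the team.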


Windows Activation

We now need to activate Windows, which is very simple to complete. If you have a KMS server you need to follow these instructions; the key provided is the Server 2022 GVLK and requires an activated KMS server.

Activate with an on-premises KMS server

slmgr /ipk VDYBN-27WPP-V4HQT-9VMD4-VMK7H
slmgr /skms kmsserver.bear.local:1688
slmgr /ato

Activate an Azure-based cloud server

slmgr /ipk VDYBN-27WPP-V4HQT-9VMD4-VMK7H
slmgr /skms kms.core.windows.net:1688
slmgr /ato

SConfig Updates

Now we need to set up all the other features, which you can do with sconfig, so this is the menu you will see:


We will only focus on 3 settings here; the rest has been done with PowerShell, so let's get started:

Remote Management

This is enabled by default and the ping option is disabled by default; if you would like to allow a ping then follow the below:

Type 4 and press Enter to select Remote Management from the menu.
Type 3 and press Enter to select Enable Server Response to Ping, then press Enter to confirm.


Windows Update 

We need to keep our server healthy with all the updates and hotfixes, so let's ensure this is enabled with the below:

Type 5 and press Enter to select Windows Update Settings from the menu.
Type 1 and press Enter to change Windows Update to Automatic, then press Enter to confirm.

Remote Desktop

If you want to allow RDP access then you need to ensure you enable this feature; to complete the action follow the below:

Type 7 and press Enter to select Remote Desktop Settings from the menu.
Type E to enable Remote Desktop, then press Enter.
Type 1 to allow RDP using NLA only, then press Enter.

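sconfig is fine for one server, but the same three settings are worth having as a script when you build several DCs or want to audit them later. As an added example (my code, not from the original article), the block below applies the ping, Windows Update and Remote Desktop settings from the three sconfig sections above in PowerShell and then reads the resulting state back. The firewall rule names and registry values are the standard Windows ones; the mapping of sconfig's "Automatic" to AUOptions = 4 is my assumption, as is treating NLA-only as UserAuthentication = 1.

```powershell
# Added example (not from the original article): the three sconfig settings
# from the article, applied and verified in PowerShell.
# Assumption: sconfig "Automatic" updates correspond to AUOptions = 4, and
# "RDP using NLA only" to UserAuthentication = 1 on RDP-Tcp.

# 1. Allow the server to respond to ping (sconfig 4 -> 3): the ICMPv4 echo rule.
$pingRule = 'File and Printer Sharing (Echo Request - ICMPv4-In)'
Enable-NetFirewallRule -DisplayName $pingRule

# 2. Windows Update set to Automatic (sconfig 5 -> 1).
$au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name AUOptions -Value 4 -Type DWord

# 3. Remote Desktop enabled with NLA required (sconfig 7 -> E -> 1), plus its firewall group.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Read the state back; this is what you would otherwise eyeball in the sconfig menus.
function Test-RuleEnabled([string]$DisplayName, [string]$DisplayGroup) {
    $rules = if ($DisplayGroup) { Get-NetFirewallRule -DisplayGroup $DisplayGroup }
             else               { Get-NetFirewallRule -DisplayName  $DisplayName  }
    @($rules | Where-Object { "$($_.Enabled)" -eq 'True' }).Count -gt 0
}

[pscustomobject]@{
    PingAllowed = Test-RuleEnabled -DisplayName $pingRule
    AUOptions   = (Get-ItemProperty -Path $au).AUOptions
    RdpEnabled  = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
    NlaRequired = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
    RdpFirewall = Test-RuleEnabled -DisplayGroup 'Remote Desktop'
} | Format-List
```

The NLA value is the one to keep an eye on: a later Group Policy can flip it, and sconfig will show "less secure" again without anyone having touched the server.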

Prepare ADDS Role (Active Directory Domain Services)

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

This will mean the role is installed but not activated; the role will require post-deployment tasks to complete. If you had the Desktop Experience it would look like this, but you don't, this is Core:


Install ADDS Role (Active Directory Domain Services)

This will make the server a domain controller for the domain you joined it to, and this is the command to perform that action:

Install-ADDSDomainController -DomainName bear.local -SiteName London -InstallDNS:$True -DatabasePath "N:\NTDS" -LogPath "L:\NTDS" -Credential (Get-Credential)

When you run this command you will be prompted for the credentials as expected; when you enter valid credentials you will be asked for a "SafeModeAdministratorPassword". This is the password you will need for Active Directory Restore Mode (DSRM), which you use for an authoritative restore; this is seen below:


Once you have entered this password the installation will begin as below; this install can take a while depending on the size of your ADDS database.


If you have a rather large domain database you may see the objects being replicated; you will need to wait this out:


Once this server reboots, it will come back online as an active Domain Controller.
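The promotion command above is interactive; as an added example (my code, not from the original article), the script below does the same promotion with the checks you would want before committing: it confirms N: and L: are NTFS, runs the ADDSDeployment module's own prerequisite pass (Test-ADDSDomainControllerInstallation) with the same parameters, and only then installs, confirms the database landed under N:\NTDS, and reboots. Domain, site and the N:/L: paths follow the article; leaving SYSVOL on the system drive is my choice.

```powershell
# Added example (not from the original article): prerequisite check, then
# promotion, using the article's domain, site and NTDS paths.
# Assumptions: bear.local / London / N:\NTDS / L:\NTDS as in the article;
# SYSVOL stays on C: (my choice, not the article's).
Import-Module ADDSDeployment

$Params = @{
    DomainName                    = 'bear.local'
    SiteName                      = 'London'
    InstallDns                    = $true
    DatabasePath                  = 'N:\NTDS'
    LogPath                       = 'L:\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Credential                    = (Get-Credential -Message 'Account with rights to add a DC to bear.local')
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'DSRM (SafeMode) administrator password')
    Force                         = $true   # suppress the advisory prompts so the run is unattended
}

# The database and log paths must sit on NTFS volumes that already exist.
foreach ($path in $Params.DatabasePath, $Params.LogPath) {
    $vol = Get-Volume -DriveLetter $path[0] -ErrorAction Stop
    if ($vol.FileSystem -ne 'NTFS') { throw "$path is not on an NTFS volume" }
}

# Same prerequisite pass the installer performs, without changing anything yet.
$check = Test-ADDSDomainControllerInstallation @Params
$check.Message | ForEach-Object { Write-Host $_ }
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; fix the messages above first' }

# Promote without rebooting so the result can be inspected before restart.
$result = Install-ADDSDomainController @Params -NoRebootOnCompletion
if ($result.Status -ne 'Success') { throw "Promotion failed: $($result.Message)" }

# Confirm the database was created where the article wants it, then reboot.
if (-not (Test-Path -Path 'N:\NTDS\ntds.dit')) { Write-Warning 'ntds.dit not found under N:\NTDS' }
Restart-Computer
```

Test-ADDSDomainControllerInstallation reports the same warnings the interactive run prints after you enter the password, which is why it is worth running first on a server you reach only over a console session.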
