  1.    10 Feb 2017 #10
    Join Date : Jan 2017
    Turku
    Posts : 1,822
    Windows 10 Pro IP Build 16299.98 (Branch: RS3 Release)

    Awesome tutorial!

    There is one small but important step you did not mention, which should be part of every Server installation. That is setting the correct time and disabling internet time. AD does not need it that much but if you are going to use other server roles, it's extremely important that your time stamps are correct.

    Once installing other services, one should also make the AD server the default timeserver in the network so all computer times stay in sync with it. This could also be done during the initial installation, which is always better.
  2.    11 Feb 2017 #11
    Join Date : Oct 2014
    Posts : 920
    Windows 10 Pro

    While the server product is not free, the eval copy is good for 180 days, and can be reinstalled.
  3.    11 Feb 2017 #12
    Join Date : Oct 2013
    A Finnish expat in Germany
    Posts : 13,131
    Windows 10 Pro
    Thread Starter

    Originally posted by pparks1:
    While the server product is not free, the eval copy is good for 180 days, and can be reinstalled.
    Exactly. Plenty of time to test.
  4.    21 Feb 2017 #13
    Join Date : Feb 2017
    Posts : 1
    Windows 7

    Do you have any tutorials or videos for setting up recommended group policies?
  5.    02 Mar 2017 #14
    Join Date : Aug 2016
    Posts : 30
    Windows 10 Pro for Workstations

    Originally posted by altmoola:
    Do you have any tutorials or videos for setting up recommended group policies?
    The pertinent ones are pretty straightforward, but you have to be careful what you enable on the system running the server, particularly its hardware and whether client-connected PCs/laptops will be able to utilize those features and actually log on properly. For example, the usage of smart cards and various cryptography settings.
    And really GPO depends on how secure you want client-connected PCs and laptops when connected. That said, after setting up the Domain Controller, you will want to set up the Certification Authority with the Certification Authority Web Enrollment, followed ideally by a DHCP server. Remove the DNS relay feature from any physical hub/router you may have and use the server as the DNS relay. From there, you can easily assign static IP addresses using client MAC addresses and control IP ranges and firewall/port settings with ease.

    To start assigning GPO settings for provisioning, start at Policies > Windows Settings > Security Settings > Local Policies > Security Options. Here, I like disabling Administrator account status (after using it to assign myself a personal Domain Admin account), requiring the use of smart cards for interactive logon or CTRL+ALT+DEL at the very least, and disabling anonymous SID/Name translation right out of the gate.

    For Password Policy, you can change those to whatever you want, since their default settings can be annoying if you're just using the server for testing and nothing substantive. From there the rest of the stuff is pretty simple, though I recommend staying away from cryptographic features and settings unless you know what you're doing. That said, if your hardware allows for it, you can secure end-point PCs/laptops from 98% of virtual and physical intrusion attempts.

    Also invest some time in reading about nested virtualization to isolate server functions like MySQL databases. Virtualization is extremely important and vital to use for various server functions in order to isolate them from the physical server itself. Most of us who run full enterprise servers run multiple Domain Controllers on nested VMs and secure them using Host Guardian certificates for key and access management and Shielding, which are all features you can install from the Add Roles and Features Wizard.
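An audit of the three Security Options named in the post above, as an added example that is not part of the original post: it parses a security template in the format written by `secedit /export /cfg` and reports whether each setting matches. The sample template is constructed, and the function names `ConvertFrom-SecurityTemplate` and `Test-LogonBaseline` are hypothetical.

```powershell
# Constructed sample of a security template as written by: secedit /export /cfg <file>
$sample = @'
[System Access]
MinimumPasswordLength = 7
EnableAdminAccount = 1
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
'@ -split "`r?`n"

# Parse INF text into @{ Section = @{ Key = Value } } (hypothetical helper).
function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    $sections = @{}
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
        } elseif ($current -and $text -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    $sections
}

# Report the three Security Options named in the post (hypothetical helper).
function Test-LogonBaseline {
    param([hashtable]$Template)
    $sys = $Template['System Access'];   if (-not $sys) { $sys = @{} }
    $reg = $Template['Registry Values']; if (-not $reg) { $reg = @{} }
    $base = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\'
    # Registry entries are "<type>,<data>"; keep only the data. Missing keys give ''.
    $smartCard = ("$($reg[$base + 'ScForceOption'])" -split ',')[-1]
    $noCad     = ("$($reg[$base + 'DisableCAD'])" -split ',')[-1]
    $checks = [ordered]@{
        'Built-in Administrator disabled'         = $sys['EnableAdminAccount'] -eq '0'
        'Anonymous SID/Name translation disabled' = $sys['LSAAnonymousNameLookup'] -eq '0'
        'Smart card or CTRL+ALT+DEL required'     = ($smartCard -eq '1') -or ($noCad -eq '0')
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Setting = $name; Pass = $checks[$name] }
    }
}

Test-LogonBaseline (ConvertFrom-SecurityTemplate $sample) | Format-Table -AutoSize
```

To audit a real machine, replace `$sample` with the `Get-Content` of a file produced by `secedit /export /cfg`.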
  6.    02 Mar 2017 #15
    Join Date : Oct 2013
    A Finnish expat in Germany
    Posts : 13,131
    Windows 10 Pro
    Thread Starter

    Originally posted by DrEmpiricism:
    The pertinent ones are pretty straightforward, but you have to be careful what you enable on the system running the server, particularly its hardware and whether client-connected PCs/laptops will be able to utilize those features and actually log on properly.
    Very good post, thanks for sharing your insights.
  7.    19 Mar 2017 #16
    Join Date : Mar 2017
    Posts : 2
    Windows 10

    Regarding the domain controller name, if I buy myself a domain, mydomain.info, is it better if I name the root domain mydomain.info or should I still go for mydomain.local? Or is it better if I call it ad.mydomain.info?

    Nice tutorial btw!
  8.    19 Mar 2017 #17
    Join Date : Oct 2013
    A Finnish expat in Germany
    Posts : 13,131
    Windows 10 Pro
    Thread Starter

    Hi Bcil, welcome to Ten Forums.

    A local domain is, as the name says, local. It should not be named as any existing domain. If you have a site up and running on http://MyExtremelyGoodBusiness.com, you should not use that name for your local domain.

    In fact, you should not even use official top level domains in the name of your local domain (.com, .net, .org, .co.uk, .fr and so on). You can use pretty much anything else you want to; I used to use .home on my local domains but as .homes (for real estate agents) was accepted to the list of official top level domains I wanted to change mine as it was in my opinion too close.

    Check this list, do not use anything on it: List of Internet top-level domains - Wikipedia

    Kari
  9.    19 Mar 2017 #18
    Join Date : Mar 2017
    Posts : 2
    Windows 10

    Aha, I see. I thought previously that if we had bought a domain then we were supposed to use that, but now I know better, hehe, thanks.
    Last edited by bcil; 20 Mar 2017 at 20:54.

 