Windows Server 2016 - Setup Local Domain Controller  


  1. Posts : 4,666
    Windows 10 Pro x64 21H1 Build 19043.1151 (Branch: Release Preview)
       #10

    Awesome tutorial!

    There is one small but important step you did not mention, which should be part of every Server installation. That is setting the correct time and disabling internet time. AD does not need it that much but if you are going to use other server roles, it's extremely important that your time stamps are correct.

    Once installing other services, one should also make the AD server the default timeserver in the network so all computer times stay in sync with it. This could also be done during the initial installation, which is always better.


  2. Posts : 2,068
    Windows 10 Pro
       #11

    While the server product is not free, the eval copy is good for 180 days, and can be reinstalled.


  3. Posts : 17,661
    Windows 10 Pro
    Thread Starter
       #12

    pparks1 said:
    "While the server product is not free, the eval copy is good for 180 days, and can be reinstalled."

    Exactly. Plenty of time to test.


  4. Posts : 1
    Windows 7
       #13

    Do you have any tutorials or videos for setting up recommended group policies?


  5. Posts : 33
    Windows 10 Pro for Workstations
       #14

    altmoola said:
    "Do you have any tutorials or videos for setting up recommended group policies?"

    The pertinent ones are pretty straightforward, but you have to be careful what you enable on the system running the server, particularly its hardware and whether client-connected PCs/laptops will be able to utilize those features and actually log on properly. For example, the usage of smart cards and various cryptography settings.
    And really GPO depends on how secure you want client-connected PCs and laptops when connected. That said, after setting up the Domain Controller, you will want to set up the Certification Authority with the Certification Authority Web Enrollment, followed ideally by a DHCP server. Remove the DNS relay feature from any physical hub/router you may have and use the server as the DNS relay. From there, you can easily assign static IP addresses using client MAC addresses and control IP ranges and firewall/port settings with ease.

    To start assigning GPO settings for provisioning, start at Policies > Windows Settings > Security Settings > Local Policies > Security Options. Here, I like disabling Administrator account status (after using it to assign myself a personal Domain Admin account), requiring the use of smart cards for interactive logon or CTRL+ALT+DEL at the very least, and disabling anonymous SID/Name translation right out of the gate.

    For Password Policy, you can change those to whatever you want, since their default settings can be annoying if you're just using the server for testing and nothing substantive. From there the rest of the stuff is pretty simple, though I recommend staying away from cryptographic features and settings unless you know what you're doing. That said, if your hardware allows for it, you can secure end-point PCs/laptops from 98% of virtual and physical intrusion attempts.

    Also invest some time in reading about nested virtualization to isolate server functions like MySQL databases. Virtualization is extremely important and vital to use for various server functions in order to isolate them from the physical server itself. Most of us who run full enterprise servers run multiple Domain Controllers on nested VMs and secure them using Host Guardian certificates for key and access management and Shielding, which are all features you can install from the Add Roles and Features Wizard.
      My Computers
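
One way to verify that the Security Options named in post #14 actually took effect on a machine, as an added example that is not part of the thread: it exports the machine's security policy with `secedit` and reports the four relevant keys. The temp file name is arbitrary, and a key missing from the export is reported as not configured.

```powershell
# Added example (not from the thread): audit the Security Options named above.
# Run from an elevated PowerShell prompt on the machine the GPO applies to.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

# secedit writes "Name = value" under [System Access] and
# "MACHINE\...\Name=type,value" under [Registry Values]; index both by leaf name.
$policy = @{}
foreach ($line in $lines) {
    if ($line -match '^\s*(?<key>[^=\[]+?)\s*=\s*(?<value>.*)$') {
        $name  = ($Matches.key -split '\\')[-1]
        $value = ($Matches.value -split ',', 2)[-1].Trim('"')
        $policy[$name] = $value
    }
}

# Values that correspond to the hardening described in the post.
$checks = @(
    @{ Key = 'EnableAdminAccount';     Want = '0'; Label = 'Accounts: Administrator account status = Disabled' }
    @{ Key = 'LSAAnonymousNameLookup'; Want = '0'; Label = 'Network access: Allow anonymous SID/Name translation = Disabled' }
    @{ Key = 'DisableCAD';             Want = '0'; Label = 'Interactive logon: Do not require CTRL+ALT+DEL = Disabled' }
    @{ Key = 'ScForceOption';          Want = '1'; Label = 'Interactive logon: Require smart card = Enabled' }
)

$report = foreach ($c in $checks) {
    $actual = $policy[$c.Key]
    [pscustomobject]@{
        Setting = $c.Label
        Actual  = if ($null -eq $actual) { 'not configured' } else { $actual }
        Pass    = ($actual -eq $c.Want)
    }
}
$report | Format-Table -AutoSize -Wrap

# The post treats smart-card logon or CTRL+ALT+DEL as the minimum for logon.
$logonOk = ($policy['ScForceOption'] -eq '1') -or ($policy['DisableCAD'] -eq '0')
"Interactive logon minimum met: $logonOk"
```

Run it before disabling the built-in Administrator as well, to confirm the personal Domain Admin account mentioned in the post exists and works first.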


  6. Posts : 17,661
    Windows 10 Pro
    Thread Starter
       #15

    DrEmpiricism said:
    "The pertinent ones are pretty straightforward, but you have to be careful what you enable on the system running the server, particularly its hardware and whether client-connected PCs/laptops will be able to utilize those features and actually log on properly."

    Very good post, thanks for sharing your insights.


  7. Posts : 2
    Windows 10
       #16

    Regarding the domain controller name: if I buy myself a domain, mydomain.info, is it better if I name the root domain mydomain.info, or should I still go for mydomain.local? Or is it better if I call it ad.mydomain.info?

    Nice tutorial btw!


  8. Posts : 17,661
    Windows 10 Pro
    Thread Starter
       #17

    Hi Bcil, welcome to Ten Forums.

    A local domain is, as the name says, local. It should not be named as any existing domain. If you have a site up and running on http://MyExtremelyGoodBusiness.com, you should not use that name for your local domain.

    In fact, you should not even use official top-level domains in the name of your local domain (.com, .net, .org, .co.uk, .fr and so on). You can use pretty much anything else you want to; I used to use .home on my local domains, but as .homes (for real estate agents) was accepted to the list of official top-level domains, I wanted to change mine, as it was in my opinion too close.

    Check this list, do not use anything on it: List of Internet top-level domains - Wikipedia

    Kari


  9. Posts : 2
    Windows 10
       #18

    Aha, I see. I thought previously that if we had bought a domain then we were supposed to use that, but now I know better, hehe, thanks.
    Last edited by bcil; 20 Mar 2017 at 20:54.


  10. Posts : 2
    Windows 10
       #19

    Thanks for the awesome guide, please help me to solve this.

    Static IP provided by the telco
    gateway for local IP address is 172.20.20.1

    I'm having trouble connecting the laptop to the server. When I tried to join, a username and password prompt came up, and I tried to input my credentials.

    The error was "can't be contacted", etc.


 
