Overview
Join James Conrad as he introduces you to Active Directory, its newer features in recent releases, and the installation of Active Directory tools and Active Directory Domain Services itself using both the UI and PowerShell.
Recommended Experience
- An understanding of concepts taught in CompTIA A+
- Two years of hands-on experience working in a server environment is recommended
Related Certification
- CompTIA Server+ (SK0-005)
Related Job Functions
- Systems Administrator
- Server Administrator
- Network Administrator
- Data Center Technician
- Data Center Engineer
James Conrad has been a CBT Nuggets trainer since 2020 and holds a variety of certifications including Microsoft Certified Professional, Microsoft Certified Solutions Associate, Microsoft Certified Solutions Expert, Microsoft Certified Technician, Certified Ethical Hacker, and CompTIA A+.
What is Active Directory?
In this Nugget, we introduce Active Directory Domain Services to those unfamiliar with it.
Knowledge Check
Active Directory stores which types of objects? (Choose four)
- A. User Accounts
- B. Group Accounts
- C. Computer Accounts
- D. Email Accounts
- E. Bank Accounts
- F. Printers
What's New in Active Directory?
In this Nugget, we discuss some of the new features of Active Directory at a high level, and also discuss how Azure and Active Directory can connect.
Knowledge Check
You cannot access a work or school-licensed Microsoft 365 resource unless you use a work computer. True or false?
Installing Active Directory
In this Nugget, we look at how to install an Active Directory domain controller at the root of a forest.
Note: To restart the lab, click "End" in the hamburger menu, then click the lab link again to begin a new session.
Knowledge Check
AD DS clients locate domain controllers by using: (Choose two)
- A. Active Directory-Integrated DNS Servers
- B. SRV Records
- C. WINS Servers
- D. Aggressive network scans
Installing a New Tree or Child Domain
In this Nugget, we look at how we might install a new child domain or a new tree in the same forest.
Note: To restart the lab, click "End" in the hamburger menu, then click the lab link again to begin a new session.
Please check the Instructions tab in the lab window. It contains important information that will guide you step-by-step, helping you follow the correct procedure and achieve the same results as shown in the video.
Knowledge Check
If you have a forest root domain of nuggetlab.com, it will be impossible to install a domain named accusource.net into the same forest because the names are not hierarchical. True or false?
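The procedure these Nuggets walk through in the UI (a static IP with the preferred DNS server pointed at the loopback address, installing AD DS for a new forest root, then adding a child domain, a new tree in the same forest, and an additional peer domain controller) can also be driven from PowerShell. The block below is an added example, not part of the course files or the lab. It uses the domain names from the course (nuggetlab.com, phoenix.nuggetlab.com, accusource.net); the interface alias, IP addresses, and NetBIOS names are placeholder assumptions to replace for your own lab, and the credential requirement at each step is the one the course states (local Administrator for the forest root, Enterprise Admins for a child domain or new tree, Domain Admins in that domain for an extra DC).

```powershell
# Added example (not from the course): build the forest layout the course describes
# from PowerShell instead of the Add Roles and Features wizard.
# Each promotion step runs on the server that is about to become that domain controller.

# --- Step 1: static IP, preferred DNS server = loopback (the video's TCP/IPv4 settings) ---
# Interface alias and addresses are placeholder assumptions for a lab network.
$Nic = "Ethernet"
New-NetIPAddress -InterfaceAlias $Nic -IPAddress 192.168.10.10 -PrefixLength 24 -DefaultGateway 192.168.10.1
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses 127.0.0.1

# --- Step 2: install the AD DS role and its management tools (no promotion yet) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Directory Services Restore Mode password; the wizard prompts for this as well.
# Read-Host keeps it out of the script file and out of the PowerShell history.
$DsrmPassword = Read-Host -AsSecureString -Prompt "DSRM password"

# --- Step 3a: new forest root (the local Administrator account is sufficient) ---
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName "nuggetlab.com" `
    -DomainNetbiosName "NUGGETLAB" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force:$true    # skips the confirmation prompt; the server reboots when promotion finishes

# --- Step 3b: child domain in the same tree (member of Enterprise Admins in the forest root) ---
# Run on the server that will be the first DC of phoenix.nuggetlab.com.
$EaCred = Get-Credential -Message "NUGGETLAB\ Enterprise Admins member"
Install-ADDSDomain `
    -DomainType ChildDomain `
    -ParentDomainName "nuggetlab.com" `
    -NewDomainName "phoenix" `
    -NewDomainNetbiosName "PHOENIX" `
    -InstallDns:$true `
    -CreateDnsDelegation:$true `
    -Credential $EaCred `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force:$true

# --- Step 3c: new tree, different namespace, same forest (also Enterprise Admins) ---
Install-ADDSDomain `
    -DomainType TreeDomain `
    -ParentDomainName "nuggetlab.com" `
    -NewDomainName "accusource.net" `
    -NewDomainNetbiosName "ACCUSOURCE" `
    -InstallDns:$true `
    -Credential $EaCred `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force:$true

# --- Step 3d: additional peer DC in an existing domain (Domain Admins of that domain) ---
$DaCred = Get-Credential -Message "PHOENIX\ Domain Admins member"
Install-ADDSDomainController `
    -DomainName "phoenix.nuggetlab.com" `
    -InstallDns:$true `
    -Credential $DaCred `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force:$true

# --- Step 4: verify DC location the way clients do it: SRV records in DNS ---
# After the reboot, every DC registers _ldap._tcp.dc._msdcs.<domain> in the AD-integrated zone.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.nuggetlab.com" -Type SRV |
    Select-Object Name, NameTarget, Port, Priority, Weight
# nltest exercises the same DC locator that the Net Logon client uses
nltest /dsgetdc:nuggetlab.com
```

The SRV query at the end is the practical check behind the knowledge question above: if a freshly promoted DC does not show up in `_ldap._tcp.dc._msdcs.<domain>`, clients pointed at that DNS server cannot find it, which usually means the preferred DNS server on the DC was never switched to an address that hosts the zone.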
Conclusion
I hope this has been informative for you and I would like to thank you for consuming.
Transcript: What is Active Directory?
0:00 [MUSIC PLAYING]

0:06 All right, as we get started with the AZ-800 course, it's kind of fitting that we really start with Active Directory because, really, Active Directory forms pretty much the underpinnings of Windows Server 2022 and all the versions before it, really, because Active Directory is responsible for so many things in a Windows computing environment. So Active Directory, also known as Active Directory Domain Services or AD DS, this is really just a structured data store of objects.

0:37 So you may have already had experience with Active Directory. You may already be very familiar with some of those things. If that's the case, we'll just kind of review this real quick for you. But for some of the rest of you that are getting started with Windows Server and getting started in an Active Directory environment, you might need to know some of this. This is going to be kind of an overview of some of the things that we'll be covering later on in this course.

0:58 First of all, it's going to be where the users are stored, where the user accounts are stored mostly, mostly. Why do I say that? You can't actually store a user in Active Directory, but you can store their accounts in Active Directory. And this would include everything, such as their username, their password. You may choose to include an email in there, which department they work in, their address. All kinds of things you can put in there, but the main things that we generally think of in terms of the user account is, of course, going to be the username and password. And the reason why that's significant is because that will then be used to log on that user, and so that they can access resources, either on their own local computer, like a Windows 11 computer, for example, or elsewhere throughout the entire environment.

1:42 And also, the computer accounts will be stored there as well. The computers will have a unique identifier. Users and computers both have a unique identifier associated with them. And you may not know it, but computers actually do log on as well. There's not somebody that types in a password there, of course, for the computer, but the computer does have a randomly generated password that gets refreshed every so often, and so it does actually have an identity-- a security identity there.

2:08 And then, of course, we will have groups. These are all things that are going to be part of the data store in Active Directory. So you could take users and put those into groups. You can take computers and put those into groups, and you can take groups and put other groups inside of other groups, or nesting groups is another way to say that. And the basic idea there with the groups, of course, is that it's going to make most administration simpler later on down the road when you start to assign resources to-- assign permissions to various resources, such as file permissions, for example.

2:40 There are other types of objects that we think of there as well that do go into Active Directory. We're not going to exhaust every type of an object that can go in there, but you can have printers that appear in Active Directory. That makes them easier to find for your users, especially in larger organizations where they might be going into a building in a campus that they've never been in before and they need to find a printer. Well, you can make them easy to find there in Active Directory. Shares can also be easily found in Active Directory. They don't have to be put in Active Directory, but certainly, that's a possibility. And again, it makes it very searchable. That's a big part of what this data store is, by the way, is that it's going to be more easily searchable by its very nature. We'll talk about that again here in a moment.

3:20 And then we have something called Group Policy Objects, or GPOs. This is actually a combination of both a file location as well as in Active Directory; group policy objects do exist there as well. And group policies really centrally control most everything that the user can see or do on their computers, as well as many other things related to Windows. So a lot of things involved. They're very, very powerful. Thousands of different separate settings that can be configured in a group policy, and I'll be talking about that in much more detail later on in this course.

3:54 Like I said, it is easily searchable. A big part of the reason for that is something called the global catalog, which has every object that's in Active Directory. And because of the nature of it and the way that it's stored, it's very easy and fast to search against. Your users don't have to know about that. Even we as administrators don't have to know that we're searching using the global catalog. We just do a search and we get results, thankfully.

4:18 Active Directory also has security features integrated directly into it. So for example, when these users or computers log on, or we get our credentials checked to see if we are members of certain groups, one of the things that's going to be done involving that will be a security check against our tickets. There's tickets that are issued in this, and that's going way beyond what we need to talk about right now, really, but they're Kerberos tickets is what they're called. And users are issued Kerberos tickets when they log on. They're very secure tickets that can be used, and it's just all integrated into Active Directory.

4:51 And Active Directory by its very nature is logical and hierarchical. So we'll see this as we go on throughout this course, but for example, you might have at the top of your domain here in kind of diagram fashion. Normally, domains are represented by a triangle like this. And you may have domains that have child domains like this. So that would be another, like a subdomain or a child domain that appears underneath there, for example. And then also within this, you'll also have things such as organizational units. And an organizational unit might be a state or a city. Let's say this is Phoenix. And within Phoenix, you might have a department. So maybe this is HR. That's another organizational unit. You may also have other OUs underneath Phoenix, I don't know, for the IT department. All different kinds of departments, different purposes for these organizational units, and so forth, but the point I'm making here is they're all hierarchical. Same with our domains and our child domains, if we have any. And it's important that they are logical and hierarchical so that they're easier to think through when you're trying to find things. I mean, yes, they're searchable, but it also helps just, humanly speaking, to be able to see the kind of hierarchy that's involved there as well.

6:00 There's something else in Active Directory called the schema. We're not going to delve into that right now as well, but it's kind of the skeletal structure for things that appear within Active Directory. So for example, if you had a user account, how do we know what we can put into a user account? Well, I mentioned a few things we could put in there earlier, right? Username, of course, a password, of course, but how about other things, such as which department they work in? Well, the reason why that appears in the user account-- and you don't have to put it in, you don't have to enter in something for that, but you can-- the reason why that even appears is because of the schema. It kind of defines all of the various fields, if you will, all the various checkmarks and so forth that you can define within a user account. It defines all of the objects. So an object would be something like a user account, for example, or a computer account. And then the attribute would be the specific item that you can select or configure within the user account, within the computer account, or whatever it is.

6:56 And they are also effectively replicated. So all of this stuff that we have-- let's say that we have this domain here-- in most organizations, you're going to have a domain, but you're going to have a domain controller here as well. And the domain controller is what stores your Active Directory Domain Services. That's all stored usually on a domain controller. But normally, you have more than one because of failover, as well as load balancing and all kinds of other reasons, but you'd have more than one. And a copy of your users, for example, on this domain controller, as well as everything else that's involved in Active Directory, would be copied over to this other domain controller. It's an exact copy. And it's a peer domain controller. One is not superior to the other in any way. Later on, we'll be talking about something called Flexible Single-Master Operations. And these are also known as FSMOs. And they are special roles that each one might have, but as far as the accounts go, one is not really special compared to another. And they are called peer domain controllers because they are on kind of a peer level. But regardless, these peer domain controllers have a replication mechanism kind of built into them, where anything that changes-- maybe this user right here changes their password-- well, we need to have that reflected over on the other copy of the user account over on this other domain controller, right? That happens almost instantly in a single site within a single domain. So there's really hardly any lag time there at all. And if you have a domain controller, let's say, that's in a different city, somewhere else in a different site, there's also an efficient replication mechanism that makes sure that that's still replicated over there in a practical and timely fashion. And that's adjustable a little bit here as well.

8:36 Again, a lot of these things are just overview topics. We could get into more details with some of these things a little bit later on, but that's just kind of an idea of what Active Directory Domain Services does and the kind of things that it's used for. All right, so that's it for this Nugget. In the next Nugget, we'll be talking about some things that are new in Active Directory Domain Services. I hope this has been informative for you, and I'd like to thank you for viewing.
Transcript: What's New in Active Directory?
0:07 About a year ago, I got a brand new truck. And it was really cool because it has a lot of computerized new features that I didn't use to have in some of the older cars that I would drive. And it would do things, like, tell me when I'm about to depart out of my lane. Lane departure, I think they call it. It also has this collision avoidance thing where if you come up too fast on a car or if a car slams on its brakes in front of you, then it will beep, and it'll automatically warn you. And then it'll even apply the brake, if necessary. And before all of those whiz-bang automatic features to correct your driving, I used to have to depend upon my wife. That didn't come out right. I still have my wife. It's just that this computer is an upgrade. That's not right, either. Anyway, let's move on.

0:47 One of the cool things about getting something new is that it has upgraded features, and we certainly have some of those things here in Active Directory Domain Services. One of those things-- and we're going to be talking about a lot of these things in much more detail in this course as we continue on. So we're not going to cover all the details right now, but I want to give you the bullet points of some of the cool things that are included. And then in our next Nugget, we'll actually get started with the installation of Active Directory.

1:13 So first of all, some of the things that it includes are something called Privileged Access Management. That's an encompassing term that involves a lot of different things. But some of the new things that are involved in that, first of all, would be something called a bastion forest. And this, again, it's just an overview, a quick top-down look at it. Here's your domain, and then you might have an IT department. You have to have an IT department, right? But the IT department can be this bastion organization where the security requirements are higher, some of the security protections are higher. It's known good in terms of knowing that there's no breaches in that domain, and everything like that. So the accounts that we can have here are much more highly protected accounts. And in fact, because of the way that it inter-operates with our other domains here, for example, if this gets compromised somehow, it can't even reach down in here. It doesn't have privileges into doing that. I'm way oversimplifying things here, but that's the idea of a bastion forest. It gives you a higher level of protection, and you can put more protected accounts in that domain or in that forest.

2:18 And there's also shadow security principals. What this does is it's a special SID that exists in the bastion forest, and it allows you to apply permissions administratively to a resource without actually changing the ACL. Kind of weird, right?

2:33 Anyway, we also have something called expiring links, and this would be useful because we might have somebody right here that we want to perform some administrative task on a resource, but we want them to be able to do that maybe today or even this afternoon. But we don't want them to have permanent access to whatever it is we're granting them. Well, you can put expiring links on that. So they have access only till the end of the day, and they won't have access tomorrow. It uses a special time to live, or a TTL, that's associated with this specific Kerberos ticket item.

3:02 In addition, we have something called KDC TTL enhancement. So what that is, let's say I've got this user right here-- and let me clean up a little bit. This user right here is a member of group 1 and of group 2. And let's say that group 1, their ticket-- if you're familiar with Active Directory and Kerberos and all of that, when you log on, you get tickets. And in your tickets, there's an association with the groups that you're a member of. Well, they have a time to live because you don't want those tickets to live forever, because the longer a ticket lives, for example, the more time a hacker or some bad actor has to be able to manipulate it or to exploit it somehow. So on an active login process then, where the user's actually on the computer regularly and stuff like that, it's going to renew itself every now and then. But what we have going on here is we have a TTL, time to live, for maybe each one of these groups that we're a member of. Maybe this one has a time to live-- let's say some time has elapsed. They have one hour left. And this ticket here has two hours left on it. And what happens is this KDC TTL enhancement, it will default to the lesser of the two. So if we're a member of a shadow group, which we talked about just a moment ago, if we're a member of a shadow group, then what will happen is it'll default to the lesser of the two values here in our two groups.

4:19 We also have improved monitoring, which makes collecting of the data for monitoring your Active Directory much simpler.

4:26 We have Windows Hello for Business. Now if you're familiar with Windows-- what did it start in? Windows 8, I think it was. And we also had it in Windows 10 and now in Windows 11. Windows Hello was where you can log on with a camera. I've got a camera right over here. It's a webcam that has infrared capabilities and it's Windows Hello capable. And so when I log on to my computer every day, I just use that camera. I just look into the camera, and in about a second or even less, it logs me on. I also have a fingerprint scanner under my desk somewhere and I also have a key. So several different ways that I can log on here. It's a key-based authentication mechanism. Well, that has now been also transferred into Active Directory here as well. That's part of the capabilities here. And what happened here is it avoids passwords. So, for example, I'll be honest. Time for true confessions here. This computer, I've been using it for maybe a year, and I know I set a password on it. I haven't used the password for over a-- I don't even remember the password. There's ways of recovering it if I actually have to use it, but I've been using this camera over here for the whole time. I don't even remember my own password anymore. And that's good in a certain way. Why? Because I'll never type it in because I'm using that camera, or I can use my fingerprint scanner. Therefore, there's no password to exploit. There's no keystroke logger or spyware that can capture my password at this point. So even though I'm not using a password, it actually increases my security. And, again, you can use things like a PIN as well. That's also considered part of Windows Hello, and it's associated, by the way, only with this one computer. So I couldn't use that same PIN and log on to another computer. A lot of this also involves things like Trusted Platform Modules, or TPM chips, which can store cryptographic or authentication data within them. And it can be-- and it's isolated to that one computer because it's a physical device on the motherboard.

6:09 Now also we have something called Azure Active Directory Join. This has actually been growing. This is part of what I was talking about earlier when I was saying not all of this is strictly new with Server 2022 and Active Directory. This has been going on for a while because Azure has been a growing technology and a growing cloud service from Microsoft that we've been able to use. Azure Active Directory Join is available under many different versions of Active Directory. But the basic idea here is, when you use it, you can join your own local Active Directory on-prem by using a connector tool to Azure Active Directory. And then you can have resources from both that are interchangeable or exchangeable. You can get modern settings using a corporate account. And when we say modern settings, what does that mean? Well, that means you can do things like access the Microsoft Store using your work account. You can have Live Tiles that are associated with it. You can have things like backup and restore. Some personalization settings that will transfer back and forth between maybe a work computer and a home computer, or something like that. So there's a lot more of an interoperability and an exchange that goes on here when we have Azure Active Directory Join. What this also allows us to do is to access corporate resources even if you're not joined to the domain. That's what I was just talking about there. And a lot of that has to do with bring-your-own-device items, BYODs. Also, we have single sign-on for things like Office 365, your organizational applications that you may have developed that are part of the Microsoft Store, for example. Websites, things like that. So this has really greatly simplified the access that users have so that they can use work devices or BYOD devices or work from home, and still be able to access all the resources they need both from their home computer and from work devices. And with their own devices, the BYOD devices, part of that's going to be involving the fact that they can add a work account to their own device.

8:02 And just for giggles, I thought I'd go ahead and show you what I was talking about when I talk about accessing work resources with a BYOD device. So, for example, this is my own personal computer here, but if I needed to connect to a corporate resource or an educational resource like a university's computers or something like that, then I could do that right here. I would go down into Accounts right here. This is Windows 11, by the way, but it's similar in Windows 10. The UI is a little different, but same basic idea. And I would just go down here, and then I would go down to Access work or school. And then you can add a work or school account here, and connect it. And then you'd have to just fill in the credentials and everything else that you need there, your email address and so forth. And then, henceforth, you could do things like transmit back and forth your personalization settings between your work and personal computer. Or you can access Microsoft Store applications that are available because of your work account. You could use Office 365 here on your own personal computer at home even though the licensing is all from your company.

9:02 All right. That's enough for this Nugget. Stick around for the next Nugget, where we'll actually get to work installing Active Directory. I hope this has been informative for you, and I'd like to thank you for viewing.
Transcript: Installing Active Directory
0:07All right, I promised you in our last Nugget
0:09that we are going to start installing a domain controller.
0:11And that's exactly what we're going to do here.
0:13Before we do that, however, I think
0:14it is important to discuss a little bit about what
0:17privileges you need to have.
0:18And I want to, again, go over the hierarchy of a domain
0:22environment here because that's something
0:25that especially if you're not used to domains and Active
0:27Directory domains can be confusing at the beginning.
0:29So here we'll have-- we'll start off
0:31with a single forest in a single domain.
0:35Let's call this nuggetlab.com because that's what we normally
0:39use in our labs.
0:40And by the way, we can have labs that you
0:42can do with this as well if you want to later on when
0:44I get started installing.
0:45I'll give you more details about that later.
0:47So that might be all I ever have.
0:50So this would be a domain of nuggetlab.com.
0:53And it would be a single forest.
0:56How do you spell forest?
0:57F-O-R-E-S-T, forest.
1:01So in other words, this forest, the way it looks now,
1:04consists of only a single domain.
1:07That's it.
1:08Now what else could I do here, though?
1:11Let's say we have another domain that we
1:13want to install here that's a child domain
1:16of that original domain here.
1:17So instead of nuggetlab.com, now I'm going to have--
1:21let's just call this phoenix.nuggetlab.com.
1:24It might be for a number of different things.
1:26It could be a subsidiary that we have.
1:28It could be geographic, like this--
1:31Phoenix, it could be a department,
1:33something like that.
1:34A lot of different reasons for creating a child domain.
1:36Or I might have different security requirements
1:38down there that require a different domain.
1:40But regardless, I now have a child domain here
1:44connected to the same namespace.
1:46So this is just Phoenix, but now it's phoenix.nuggetlab.com
1:50So this is another domain in the same forest.
1:53This domain down here is a member of the same forest.
1:56It's hierarchically connected,
1:59The other thing we could do here would
2:00be to create another tree.
2:02This one might be more likely to be the case
2:04if I did have a totally different business unit,
2:07but I wanted it to be within the same forest.
2:09So maybe this one is called accusource--
2:12that's the name of one of my domains--
2:15so accusource.com-- .net.
2:17Excuse me.
2:18I'm forgetting the names of my own domains.
2:20Accusource.net-- I'm just going to abbreviate that.
2:22So I could join that.
2:24It's a different namespace.
2:25But when I create that and I join and I create that domain,
2:29I can join it to this existing forest right here.
2:32It could be its own forest if I decided to do that.
2:35Or in this case, I join it to an existing forest.
2:39The name is different.
2:41But in terms of its schema and its identity and its Active
2:45Directory existence, it's part of the same forest right here.
2:49Now, expanding that a little further,
2:51in each one of these domains, what do you
2:53have to have in order to have a domain in Active Directory?
2:56You have to have a domain controller.
2:58So when we first created this existence,
3:02this forest here with this nuggetlab.com domain,
3:05we had a domain controller.
3:06Very likely, we have multiple other domain controllers,
3:09especially in a larger organization.
3:11But even in a smaller one, you want
3:13to have more than one domain controller for failover,
3:16possibly for load balancing, but mostly it's
3:17going to be for failover.
3:19And as I mentioned in a previous Nugget,
3:20these are peer domain controllers.
3:22Likewise, in this child domain, I also
3:26have two or more domain controllers.
3:28And in this other tree over here,
3:31this is a separate tree in the same forest, which, again,
3:34may have its own children as well,
3:36then I'll also have two or more domain controllers
3:40for all of this over here.
3:42Now, what's the significance of this,
3:44and why am I emphasizing that?
3:45Because when we talk about Active Directory installation,
3:48I want you to be aware of credentials
3:50that might be required there.
3:52So let me clear the screen here and talk about that.
3:54When I created a new forest-- remember,
3:56that's what I created that first triangle way up at the top
3:58there-- all I have to have there in order
4:01to install that first forest is a local administrator account.
4:03We're going to see that coming up here in the lab.
4:06Also, if I had a new child domain--
4:09remember, I created-- what was it?
4:10Phoenix.nuggetlab.com-- in order to create
4:14that domain, all I would have to have for credentials
4:17there would be an Enterprise Admin.
4:19Now, the Enterprise Admin account, it's actually a group.
4:23I have to be a member of that group up here
4:25in the forest root.
4:27Now, that account that's a member of this security group
4:30can install this child domain.
4:32Or if it's a member of the Enterprise Admins security
4:36group could also create another tree with a totally different
4:39namespace, like accusource.net.
4:43So this user here, remember, if it's a member of the Enterprise
4:46Admins group, they could also create this other tree
4:49over here when they install the domain controller over there.
4:52Now, if I wanted to add an additional domain controller
4:55to an existing domain--
4:56remember, because we have more than one-- then
4:58all I have to have there in terms of credentials
5:01are Domain Admins security membership, security group
5:05membership, in the same domain.
5:07So if I created this second domain controller here,
5:10the second peer domain controller
5:12in the forest root, that's all I'd
5:14have to have is a Domain Admin privilege.
5:16Also, down here in this child domain,
5:19all I would have to have to create this second domain
5:21controller over here would be membership in Domain Admins
5:24in that domain.
5:27And likewise, again, over here, I
5:29would have to have Domain Admins membership
5:31in this domain over here in order
5:33to create that second domain controller.
5:35Now, on your lab machines, as well as
5:37this machine that I'm working on right here,
5:39there should be a static IP address.
5:41So I'm going to right-click on the little network icon
5:43down here, Open Network and Internet Settings,
5:46go to Ethernet, choose Change adapter options,
5:49and then right-click on our ethernet connection there
5:52to choose Properties.
5:53Once I've done that, I'm going to TCP/IPv4 here.
5:55And I've already entered in my settings here.
5:57Your IP address may not be the same as these.
6:00But it should be a static IP address that we'll have there.
6:03And we're going to point to ourselves, to our own loopback
6:07address of 127.0.0.1 for the preferred DNS server.
6:12Now, the reality is we don't have DNS set up yet here.
6:14Now, you may have a different preferred DNS server
6:17down there.
6:18If you do, just go ahead and enter in the loopback address
6:20that you see there, 127.0.0.1.
6:24Even though this is not yet a DNS server,
6:27it will be in just a few moments.
6:28Now, here we'll go ahead and go to Add roles and features.
6:31This is how we would do all the rest of this through the UI.
6:34So once I click on that, it just gives you an introduction here.
6:37It looks like I've scrolled down here.
6:39Let me bring that up a little bit.
6:40So then once that's been opened up, we'll click on Next.
6:43Then it says, role-based or feature-based installation?
6:47Ever since 2000, Windows 2000, 21 years ago or so,
6:52they've never made a very good distinction between what's
6:54a role and what's a feature.
6:55So I still don't even know.
6:57I just click Next until I find what I need.
6:59And then what I want to do is to install,
7:01to select a server from the server
7:03pool, which is just this local server that we have right here.
7:05Otherwise, I could choose to enter in a name here.
7:09But we're really just going to do this locally.
7:12You can also install this stuff remotely
7:13if you want to, though.
7:15And then what I'm going to do is to add Active Directory Domain
7:18Services that you saw me select right there.
7:20And it automatically adds in several other tools
7:23that are needed.
7:24And you can see here that it's also clicked
7:25right here by default to install those tools.
7:28There's not really much reason not to do that.
7:30I guess if you wanted to make this a dumb server,
7:33so to speak, so that there was no real interaction,
7:36no real configuration that can be done here--
7:38and that's sometimes the case if you
7:40have a server that's just sitting in a rack
7:42that you want to always remotely administrate.
7:44I guess you could do it that way because you'll
7:46have the administrative tools on your local machine.
7:48Usually that's going to be a Windows 10, Windows 11
7:51computer that has administrative tools installed on it.
7:54I'm getting out of scope here a little bit.
7:56But a lot of times, that's how we administer these machines
7:59is remotely.
7:59But we're going to do everything locally
8:01here just to make it a little bit more intuitive.
8:04Then we'll just click on Add features here.
8:06Then we'll click on Next.
8:08Now, the other thing we have here
8:09is that notice that there's also a Group Policy Management
8:13feature that's going to be added in here.
8:15That's an essential part of Active Directory.
8:17So we'll click on Next there.
8:19And then there's a new thing here
8:21that didn't appear in some of the previous versions
8:23of Windows Server, where it's now emphasizing Azure Active
8:26Directory.
8:26Again, we're going to have a lot on that coming up,
8:29especially from Daniel as he continues on from some
8:32of our Azure integrations here.
8:34But there's the Azure Active Directory Connector
8:37Tool and some other things that we
8:38can do to make this interoperate with our cloud services.
8:42So we'll just put a push pin in that for now and click on Next.
8:45And then what we're going to do is click on Install.
8:48Now, once we click on Install, you
8:49can see that it gets started here,
8:51and it's going to continue to do its business.
8:53I'm going to let it continue to do that.
8:55And then later on, what I'm going to do
8:57is I'm actually going to end the lab and come back in here
9:00and do this using PowerShell instead
9:02so you can see how that works.
9:04It's actually pretty easy.
9:05But all this is doing right now, by the way,
9:07is installing the skeletal structure,
9:10the tools that we will need to have Active Directory.
9:13Active Directory itself is still not installed.
9:16In the old days, we would use a tool called DCPromo,
9:18and you would type that from a command prompt,
9:20and then it would open up a wizard
9:22and you'd Next, Next, Finish your way through it.
9:24Here we're just going to choose this option.
9:26It pops up right now, in fact--
9:27Promote this server to a domain controller.
9:30So we'll choose that option there.
9:32And then we'll choose whichever option applies to us.
9:35Add a domain controller to an existing domain-- remember,
9:37we're not doing that.
9:38We're getting started from scratch,
9:40installing the forest and everything.
9:41Add a new domain to an existing forest--
9:44that might be like if we had a child domain,
9:46or if we wanted to install another tree in the forest.
9:49But we're going to Add a new forest.
9:51And I'll have to enter in the root name of this forest.
9:54So I'm going to call this nuggetlab.com,
9:58and then we'll click on Next.
9:59Now, I do want to emphasize--
10:02I guess, supposedly, in a lab it's probably
10:03OK to do it this way.
10:05But you could do nuggetlab.local or somedomain.local.
10:09A lot of organizations used to do that in the past
10:12because they didn't want to confuse their local--
10:15let's say we did have a company called nuggetlab.com.
10:17And we had an internet presence, and people
10:19can order our products by going to our website and all
10:22that kind of stuff.
10:22But we also had a nuggetlab.com for our users,
10:26joe@nuggetlab.com or email addresses,
10:29and that was the name of our Active Directory domain.
10:31Well, the concern there was that we did not
10:34want DNS to get confused and to route internet requests
10:38to our internal network somehow or to create a vulnerability
10:40or any of that kind of stuff.
10:41There's other ways of resolving that, Split-Brain
10:44DNS and some other things, but one
10:47of the ways that people used to do that as well would be they
10:49would say, you know what?
10:50Instead of nuggetlab.com, which is our website
10:53and our internet presence, we're going
10:54to change this to nuggetlab.local.
10:57And it actually worked OK for a while.
10:59But there were some other DNS complications that came up
11:03as a result of that, not the least of which is if you have
11:05Apple computers, they see .local in a little bit of a different
11:08way.
11:09So that kind of fell out of favor a few years back.
11:12So now you have to use either Split-Brain DNS or some other
11:17DNS tricks or just have to get creative with your naming
11:19and call this, I don't know, internal-nuggetlab.com
11:23or something like that.
11:25That's just a side note.
11:26But that is something to be aware of in your naming.
11:30You have to figure that all out in advance.
11:33That has to be done through meetings
11:34and writing on whiteboards and all that kind of stuff.
11:38Anyway, we've decided to use nuggetlab.com,
11:41so we're going to click on Next.
11:42The next thing here is it's going
11:44to ask us for our forest functional level and our domain
11:47functional level.
11:48Now, here's the trick.
11:49The most recent one you can use is Windows Server 2016.
11:53There's different versions of this.
11:55You see it goes down to 2008.
11:56Previous versions besides that are deprecated.
11:58You can't use those anymore.
12:00And in fact, you almost always want
12:02to use the most recent one you can.
12:03So 2016 would be our preference here.
12:06The reason for that is with each one of these,
12:08as it progressed up through the versions,
12:11it added new features to Active Directory.
12:14And if you want to make sure that you have the most features
12:17available to you-- and some of these are security-related,
12:19too, so that's a good idea--
12:20then you'd always want to go with the most recent one
12:22that you possibly can.
12:23Also note that we're going to install a DNS server here.
12:26And we're going to make it a global catalog server.
12:29Remember, I talked about that in a previous Nugget.
12:31The global catalog is just a copy of every object
12:34that you have in Active Directory.
12:35And you can think of it as an index.
12:38So it makes things searchable much faster.
12:40It's faster to search against the global catalog
12:42than it would be to search against actual Active
12:46Directory.
12:47And then we could also make it a read-only domain controller,
12:49which is a discussion for a different day.
12:51But that's exactly what it sounds like.
12:53It's read-only.
12:55Then we will enter in the password.
12:56Now, this is going to be important.
12:58You need to make sure you keep a hold of this.
13:00Have it stored somewhere secure because what
13:03this will allow us to do is to boot
13:05into a special version of--
13:07Directory Services Restore Mode is what it's called.
13:09And you can see that right there.
13:10And this is what we would do if we needed
13:12to recover some deleted objects, or if we needed
13:15to repair Active Directory, or something catastrophic had
13:18happened like that, or to restore it.
13:21So be aware of this.
13:23So we'll go ahead and click on Next there.
13:25This is about delegations.
13:27We always get this message.
13:28We have since the beginning of Active Directory.
13:31It's not really relevant in our case
13:32because we're creating the root of a new DNS
13:35infrastructure with a new forest and everything,
13:38so it doesn't have to have the ability
13:41to be found by any external DNS servers.
13:43So that's not going to be an issue for us.
13:45So we'll click on Next.
13:46And then what's going to happen is this broadcasting right now.
13:48We can't really see that happening.
13:49But it's shouting out and saying,
13:52is there a NetBIOS name of nuggetlab
13:55anywhere in my organization?
13:56And if it can't find one, then it
13:58will return nuggetlab right here as available.
14:01On the other hand, if it had broadcast for nuggetlab,
14:04and it got an answer back from some server
14:07somewhere or some identity, then it would say, oops.
14:11That's already been taken.
14:12And then we'd have to get creative
14:13and call it nuggetlab-1 or something like that.
14:16But we're OK here.
14:17So we'll click on Next.
14:19And then it asks us where we want
14:21to store all of our files related to Active Directory.
14:25There's the database folder itself, NTDS, which
14:27also contains the log files.
14:29And you can see that there as well.
14:30And the SYSVOL folder, which contains a lot of components
14:33of Active Directory.
14:33But more particularly, it also contains files associated
14:38with Group Policy objects.
14:39And those will be also, then, replicated
14:42to other peer domain controllers in our organization
14:46and other domain controllers.
14:47So that's where the location is.
14:48Now, the significance of this has changed a little bit over time.
14:52When Windows 2000 came out, and we had these default locations
14:55on C, a lot of administrators would
14:57recommend putting those elsewhere because, they'd say,
14:59well, we don't want it to get-- we don't
15:01want the database and the logs and SYSVOL to get hammered
15:04on the domain controller.
15:05So put it on a different drive on the same computer.
15:09That way, you split the burden off.
15:11Well, think about when that was in Windows 2000.
15:13Now, 21 years later, we have SSDs.
15:16We have much faster computers.
15:18Everything is faster.
15:20So it's not really as much of an issue
15:21to put that on the same drive now as it used to be.
15:24So I'm not really reluctant to put those there.
15:26I'll just leave them in place, and that'll be fine.
15:28Then we'll click on Next.
15:29It gives us a handy little summary.
15:31But here's what I want you to see--
15:33View script.
15:35This is what we would do in order
15:37to make this an Active Directory domain
15:39controller using PowerShell.
15:41I'm going to come back to that here.
15:43So put a push pin in that for now and be aware of the fact
15:45that this option does exist.
15:47What we could do next is to click on Next.
15:50And it would actually perform all of the installation.
15:53What I'm going to show you here is
15:55all the PowerShell cmdlets.
15:57So let me make this a little bigger
15:59so I can see it a little bit better.
16:02And this is what we're going to do.
16:03So the first thing that we did when we were in Server Manager
16:07before was we wanted to install Active Directory Domain
16:10Services, including all the tools.
16:11Well, this is the PowerShell cmdlet that'll do that.
16:15Very, very simple.
16:16The next thing we could do, all the things
16:18with the pound symbols or the hashes
16:20here, those are all just remarks.
16:22So don't pay attention to those.
16:23But this is where I could put in additional cmdlet arguments
16:27if I wanted to.
16:28But I don't really need to in our case.
16:30And then down here, I would import
16:32the module for Active Directory Domain Services Deployment,
16:35or ADDS Deployment.
16:37And then it would pull in those modules that
16:40would allow us to do further Active Directory PowerShell
16:44cmdlets.
16:45Then I want to do this.
16:46I would run Install-ADDSForest.
16:48I just pulled this, by the way, from that script
16:50that I showed you a moment ago, back when
16:52we were first installing everything, remember?
16:54So this is just pulled directly from that.
16:56And you can look at those and pause the screen
16:57if you want to and look at these.
16:59And you can see all of this stuff that it's doing.
17:01It pretty well explains itself.
17:03But what I'm going to do is I'm going
17:05to just Control-A to select all of this,
17:07and press Control-C to copy it.
17:09And you can do the same if you like.
17:10And then what I'm going to do is go down here
17:12to this PowerShell icon on the taskbar and Run ISE
17:17as Administrator.
17:18And the reason why I'm doing that
17:19is simply because I like to run it out of that
17:22only so that I can-- wow.
17:23That looks weird.
17:24I'm not sure what happened with our visual there.
17:27Let me try that again.
17:28Let me close that and open it up again.
17:30I don't know why it's doing that.
17:32It's something weird going on in my machine right now.
17:34But I think we'll still be able to get everything to work.
17:36But I'm just going to paste all of that in.
17:38And then don't pay attention to the checkerboard looking thing
17:40down here at the bottom.
17:41That's weird.
17:43So we're just going to run the first line here.
17:45But I'm going to put my cursor in this first line right here.
17:49I can't run all of this at once because it doesn't all
17:52exist yet.
17:53But I'm going to run that first line here
17:55to install the Windows feature of Active Directory Domain
17:57Services.
17:58And you can see now that it's actually just doing that.
18:01And after a little while, it finishes.
18:03And we do get this message here--
18:04Active Directory Domain Services, Group Policy,
18:07everything success.
18:08And then, now we have all the tools that we need.
18:10But remember, Active Directory itself is not installed yet.
18:13So what I want to do there is to do all the rest of this.
18:16And this, again, you can pause and look at this,
18:18if you want to, in a little bit more detail.
18:20But we're now going to do all of this stuff right here.
18:23So I've selected all of that.
18:25And now I'm going to click the little Play button again.
18:27Sorry about this checkerboard.
18:28I can't seem to get it to go away.
18:30But anyway, SafeModeAdministratorPassword,
18:33this is the Directory Services Restore Mode
18:34password that we need to use.
18:37This is interactive.
18:38So I'm going to enter that in.
18:39And you can also click off to the side
18:41there where it shows the password.
18:42And it should click right in here.
18:45But I'm typing mine in.
18:46And then we'll just click OK.
18:48And that's pretty much it.
18:49It'll give you some of the same messages
18:51that we got previously when we saw the installation of Active
18:54Directory in the UI.
18:56But those were innocuous.
18:57Nothing really to be concerned about.
18:59And we'll just let it do its thing.
19:01And then notice that the system will reboot,
19:03because after installing Active Directory,
19:04it does have to do that.
19:06And now notice that it's prompting
19:08me to sign into nuggetlab here because the domain now exists.
19:11And that's exactly what I'll do.
19:13And here we go.
19:14Now just to make sure that this car we bought actually
19:17has an engine under the hood, let's look under the hood
19:20and see what's here.
19:21And for that, I'm going to go down--
19:22I'm going to minimize Server Manager here.
19:24We don't really need to use that.
19:26We can get to the tools that we want through Server Manager.
19:28For example, there's ADDS, which just popped up,
19:31and DNS, which just popped up as well.
19:33It's a little bit cumbersome, though.
19:35Most administrators, instead what we'll do
19:37is we'll go into something like Administrative Tools here.
19:40And then anything that we need to access frequently, we'll
19:44just put a shortcut somewhere.
19:45So Active Directory Users and Computers
19:47is one of the most commonly used Active Directory tools,
19:49so I'll right-click there.
19:51And I can pin that to the taskbar.
19:53There it is, pinned to the taskbar.
19:55And then, now it appears here.
19:56Similarly, we could do--
19:58what's another one?
19:59Group Policy Management is another frequent one
20:01that we use.
20:02I could add that if I wanted as well.
20:03But I'll just go ahead and click this for Active Directory Users
20:06and Computers.
20:07And then when I open this up, we'll
20:08see that there indeed is our domain.
20:10And then what I could do is to add a user account
20:12if I wanted to.
20:13There's all the groups that we have.
20:15The other thing I'd want to check
20:16is DNS because if DNS is not working,
20:19Active Directory is not going to work either.
20:21Very dependent upon DNS.
20:23So we'll go to Administrative Tools here again
20:26and go down to DNS.
20:28And once I'm in this, we just confirm that.
20:30Yep, there, sure enough, there's my DNS server,
20:33which is also, in this case, my domain controller.
20:35That, by the way, is a common role for domain controllers
20:38to share.
20:39Many, many domain controllers are also DNS servers.
20:42And these are also pure DNS servers, by the way.
20:45So I can select that and open it up.
20:47And we can see our forward lookup zones.
20:48There's my nuggetlab.com.
20:51Here's the host record for my server.
20:53I guess it applied a different static IP address to it,
20:55but that's all right.
20:57And then what we also have here is how it's located.
21:00Now, it's going to get a little bit beyond our scope for what
21:02I want to show you here.
21:04But just so you know, your clients on the network--
21:07so, for example, you get someone logging
21:09on to a Windows 11 computer using their domain credentials
21:13for the user account that exists in Active Directory.
21:15That computer has to find the domain controller somehow.
21:18How does it do that?
21:19Through DNS.
21:20And it does that in its site.
21:21So, for example, if it's in the same site,
21:23then it can locate it through TCP here.
21:26And it can find, for example, this LDAP
21:29record, which is Lightweight Directory Access Protocol.
21:32This is part of how it finds the domain controllers, through all
21:36of this stuff here-- its Kerberos server, which
21:38is another name for, in this case, a domain controller.
21:42It uses these SRV records to be able to find that.
21:45So that's all we're going to talk about there for the time
21:48being.
21:48But that's why DNS is so critical to Active Directory
21:52because that's how it gets located.
21:55All right, wow.
21:56That's a lot for one video.
21:59I hope this has been informative for you,
22:01and I'd like to thank you for viewing.
Installing a New Tree or Child Domain
0:06All right, then real quick here at the end
0:08of this particular skill, I wanted
0:10to show you how you would add computers
0:12to an existing domain, how you would create a new child
0:14domain, for example, in the same forest,
0:16or how you would even create a new tree.
0:18Actually, those two things are very similar.
0:21But let's take a look at how we would
0:24add in an additional domain controller
0:26to an existing domain.
0:28So in a previous Nugget, we had dc01-22.
0:31That's our domain controller, the first domain controller
0:34that we installed, in the Active Directory
0:36forest of nuggetlab.com.
0:37And here we have another computer.
0:40They look the same.
0:40The wallpaper's the same and all that.
0:42But if I take a look at this and go to the system,
0:45you'll see here that this computer is dc02,
0:48and it's not a member of a domain.
0:51It's just a standalone server.
0:53You can see that a little more clearly
0:54if you go to Advanced system settings over on the right.
0:57This is how we always used to do it in the old days
0:59before Microsoft had us using these fancy settings.
1:02But you can see here that it's just a member of a Workgroup.
1:05One thing I could do, if I wanted
1:07to just join this computer to my existing domain,
1:10is I could click on Change and then I
1:12could choose Domain and then add in nuggetlab.com right here.
1:16And then henceforth, once I click OK and possibly enter
1:20credentials-- might be necessary, as well--
1:22then it would restart and it would
1:23be a member of that domain.
1:24I could do the same thing for a workstation,
1:27like a Windows 10 or 11 computer, for example.
1:29But that's not what we want to do here.
1:31And that's not how I would make this an additional peer domain
1:35controller.
1:35So let me close everything up there.
1:37And then what I would do here is I would do a similar thing
1:40to what I did in a previous Nugget,
1:42where I created our domain controller.
1:44I would add roles and features.
1:45And again, there's several different ways you can do this.
1:47This is one of the ways.
1:49And I can Next, Next, Finish my way through.
1:51Or since Microsoft wants us to use PowerShell
1:54instead for whatever we can, let me just do it that way.
1:58And so I'm going to go to my search area
2:00down here at the bottom and just type PowerShell.
2:03PowerShell right there.
2:04I'm not going to use ISE this time.
2:05It kind of gave me a weird result last time.
2:07So I'm just going to use Windows PowerShell.
2:09And there's not that much to what we're about to do, anyway.
2:12But remember, what I can do is to just type in the command
2:15again, Install-WindowsFeature.
2:17And I don't know why PowerShell has it this way by default,
2:20but the little gray areas here for the options
2:23are very difficult to see.
2:25I guess we could change that.
2:26But just so you know, this says -name or hyphen name.
2:29And then what we're going to install
2:31is Active Directory Domain Services.
2:33That's similar to what we did, and actually,
2:34like the same thing that we did using a command
2:36line in our last Nugget.
2:37And then -IncludeManagementTools.
2:39And then I added in a -WhatIf, just so
2:43that you can know about that.
2:44When you use a -WhatIf, that will show you
2:46what would happen if I were to run
2:48that cmdlet with those options.
2:52But it doesn't actually commit to making any of those changes.
2:54So I could just press Enter.
2:56And then here, you can see it looks like it would
2:58install all of these tools.
3:00It tells me that it would be successful
3:02if it were to attempt to do those things.
3:04And it says Restart, Maybe.
3:06Now why is that?
3:07Because it knows that if I were to use those tools to join
3:10this computer to an existing domain
3:11or any other domain-related function,
3:14such as becoming an additional domain controller,
3:17creating a child domain, creating another tree,
3:20all those types of things, those domain controller-ish things,
3:24then it would require a restart for those things.
3:26Actually installing the tools by themselves
3:28does not require a restart, though.
3:30So what I can do here is now I'm going to do the same thing,
3:32but I'm going to take off the -WhatIf.
3:34And this is just going to exactly do
3:36the same thing, like I showed you on our last Nugget,
3:39doing it as if I had done it in the UI.
3:41It's just using PowerShell instead.
3:43And when it's finished, it just gives me the exit code
3:46that it was successful.
3:47And so we're now good to go.
3:48And then I'm going to actually use PowerShell ISE because I'm
3:51not getting that weird checkerboard
3:53that I had in the last Nugget.
3:54So we have two cmdlets.
3:56One, I'm going to import the module for ADDSDeployment.
3:59We talked about that in our last Nugget.
4:01And I'm going to install ADDSDomainController.
4:05Too many Ds in here.
4:06I'm like, A-D-D-D-D-S.
4:08Anyway-- oh, also, let me point this out.
4:11You'll see that there's this strange little mark right here.
4:15It's kind of like a backwards apostrophe.
4:16That's a backtick.
4:17And in PowerShell, normally, you would
4:19enter in the cmdlet, which is Install-ADDSDomainController
4:23in this case, and then followed by hyphen and then
4:25whatever else you want.
4:26So -NoGlobalCatalog, all of these other things.
4:29Normally, those would all appear on one line.
4:31In order to make it more readable,
4:33though, you can do a backtick, which
4:35is kind of that backwards apostrophe that we see there,
4:38and then put those all on a separate line
4:40and it'll be treated as if it's all on a single line.
4:43OK, so that's basically all that's really doing.
4:45Now let me run this.
4:48Hopefully, I'm entering in the credentials correctly,
4:51I didn't enter any typos in the password there.
4:55We'll enter in the safe password and do that again.
4:58This is very similar to what we did
5:00when we created a domain controller in the first place.
5:03And then now we see it's going ahead and doing
5:05all of its various functions.
5:07And we see that it's installing the domain controller.
5:09I don't know if you saw it.
5:10It kind of flashed up real quick there.
5:11But it showed that it was replicating all the schema
5:13objects and everything, all that kind of stuff.
5:15So remember, it does have to restart since it's going
5:17to be a domain controller now.
5:19So let me close all of this up.
5:20And it should restart.
5:21There it goes.
5:22I was going to restart it manually
5:23if it didn't restart soon.
5:25And then now when it comes back up,
5:27we'll see that we have a peer domain
5:28controller in the same domain.
5:30OK, and here you can see the computer has restarted.
5:33I've gone to Server Manager and to ADDS.
5:36You can see that the server name is DC02.
5:38That's this computer.
5:39That's not the original domain controller, which is DC01.
5:43And now I am a domain controller.
5:45From here, I can access the administrative tools,
5:47such as Active Directory Users and Computers.
5:49And if I create a user account, for example,
5:52then it would also appear on DC01
5:54because we are peer domain controllers.
5:56And in the same site, it's almost instantaneous,
5:59any changes to Active Directory.
6:00So in fact, I'll just click the little icon
6:02to create a user real quick.
6:03I'm just going to call this person Joe User.
6:07Enter in a password, and then Next and Finish.
6:09There's my Joe user right there.
6:10And then if I flip over real quick to my other server,
6:13and here I am on DC01-22, then if I go into Active Directory
6:19Users and Computers and go to Users,
6:21you can see that, sure enough, there's
6:23Joe user, because that account, remember, was created on DC02.
6:27We're in the same domain, peer domain controllers
6:29on the same site.
6:30It gets replicated almost immediately to this local copy
6:34of Active Directory, as well.
6:35So I now have two effective domain controllers
6:38in the same site.
6:39All right, now using the magic of snapshots--
6:41or checkpoints, actually, they're called in Hyper-V--
6:44I've gone back in time to the previous point where
6:46we were, where I had just installed the Domain
6:48Services here, but I did not make this a domain controller.
6:51And likewise on the domain controller,
6:53DC01, I reset that back to its previous point, as well.
6:57Now what I'm going to do is to install a child domain.
7:00How about phoenix.nuggetlab.com?
7:02And I'm just going to use the UI for this one for expediency's
7:04sake right now.
7:05But up here, we get that little warning symbol,
7:08and it says, Promote this server to a domain controller.
7:10I'm going to go ahead and do that.
7:11But in this case, I'm going to add a new domain to an existing
7:15forest.
7:15So this will now be a child domain.
7:17Remember, I can also choose a tree domain.
7:19If I did that, I would have to enter
7:21in the name of the new domain that I wanted.
7:24That would be more of like a lateral domain
7:26that's connected.
7:27Here I'm going to make it a child
7:28domain, phoenix.nuggetlab.com.
7:30And my parent domain is nuggetlab.com, of course.
7:34My new domain I'll enter in down here will be phoenix.
7:38I'll need to enter in probably some credentials for this
7:40because I'm not a member of the domain on this computer
7:43right now.
7:43So I'll enter those in right here.
7:50And I'm just doing this as nuggetlab.
7:53So I'll enter in nuggetlab as the domain
7:55and the administrator account with the password.
7:58And then we'll click on Next.
8:01And then most of the rest of this
8:03is similar to what you would do when
8:04you install the first domain controller at the root domain.
8:07Just here, we're installing a new domain as a child.
8:10And then, of course, for this one,
8:11we are creating a DNS delegation,
8:13because we have to point it up to the root domain
8:15where there's a domain controller and a DNS
8:17server that already exists.
8:19We'll enter in the DNS domain name, NetBIOS domain name.
8:22We probably don't need to enter anything here.
8:24It should be able to pick it up automatically.
8:26There it is.
8:27PHOENIX does appear.
8:28And then we just click on Next.
8:30Again, our paths for the various types of
8:32files that will be created.
8:33If you want to view the script, you can certainly do that here,
8:36as well.
8:36Some of the notable differences would
8:38be that we are installing a child domain,
8:41as you can see right here.
8:42And then we enter in the new domain name, as well as
8:45the NetBIOS name of the domain.
8:48But let's go ahead and click on Next and let it do its thing.
8:50Looks like all of our checks come out OK,
8:52so we'll click on Install and let it complete.
8:55And then you can see when the computer reboots
8:57and it's a domain controller in the PHOENIX domain,
9:00then it's asking me for credentials in that PHOENIX
9:02domain.
9:03So I'll enter those in and here we go.
9:05And then from within Server Manager,
9:06if I go into Active Directory Domain Services
9:08and go to this domain controller,
9:10then we can go to Domains and Trusts.
9:13And you kind of see visually again how this all connects.
9:17So there's my child domain that is
9:19part of the nuggetlab.com forest and part of the same namespace,
9:23as well.
9:24And then remember, if I were to add
9:25another tree in the same forest, it would just
9:27be a different namespace.
9:29So it might be my domain, which is accusource.net.
9:33But in the schema and its identity,
9:35it would actually be associated with
9:37and part of the nuggetlab.com forest.
9:40It's a little bit confusing because the namespaces
9:42are different.
9:43But when you configure it, the schema
9:45will be associated with nuggetlab.com forest.
9:48All right, I hope this has been informative for you,
9:51and I'd like to thank you for viewing.
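The PowerShell route shown across both videos, as an added example that is not the course's own script: one file with one function per promotion (forest root, peer domain controller, child domain) plus the DNS locator check from the end of the first video. The domain and NetBIOS names are the videos' (nuggetlab.com, NUGGETLAB, phoenix, accusource.net); the function names and the Default-First-Site-Name site are assumptions.

```powershell
# Added example, not the course's own script. Dot-source this file on the server
# being promoted (elevated session), then call ONE of the Install-Lab* functions.
# Names nuggetlab.com / NUGGETLAB / phoenix come from the videos; the function
# names and 'Default-First-Site-Name' (the AD default site) are assumptions.

# Step 1 on every server: the tools only. Active Directory itself is still not
# installed after this; -WhatIf previews the change, as in the second video.
function Install-LabAdTools {
    param([switch]$WhatIf)
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -WhatIf:$WhatIf
    Import-Module ADDSDeployment
}

# The Directory Services Restore Mode password is prompted for, never written
# into the script, so it stays out of the ISE pane and the PowerShell history.
function Read-LabDsrmPassword {
    Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
}

# Test-ADDS* runs the same prerequisite checks the wizard shows before Install.
# Stop before the irreversible step on anything other than Success.
function Assert-LabPrereq ($result) {
    if ($result.Status -ne 'Success') {
        throw "Prerequisite check failed: $($result.Message)"
    }
}

# New forest root: only the local Administrator account is needed.
function Install-LabForestRoot {
    $p = @{
        DomainName                    = 'nuggetlab.com'
        DomainNetbiosName             = 'NUGGETLAB'
        ForestMode                    = 'WinThreshold'  # Windows Server 2016, the newest selectable level
        DomainMode                    = 'WinThreshold'
        InstallDns                    = $true
        CreateDnsDelegation           = $false          # root of a new DNS tree: nothing above it to delegate from
        DatabasePath                  = 'C:\Windows\NTDS'
        LogPath                       = 'C:\Windows\NTDS'
        SysvolPath                    = 'C:\Windows\SYSVOL'
        SafeModeAdministratorPassword = (Read-LabDsrmPassword)
        Force                         = $true           # suppress the confirmation prompts
    }
    Assert-LabPrereq (Test-ADDSForestInstallation @p)
    Install-ADDSForest @p   # reboots when done; sign in afterwards as NUGGETLAB\Administrator
}

# Additional (peer) DC in an existing domain: Domain Admins membership in THAT
# domain. Without -NoGlobalCatalog the new DC is also a GC, as in the wizard.
function Install-LabPeerDc {
    $p = @{
        DomainName                    = 'nuggetlab.com'
        Credential                    = (Get-Credential -Message 'NUGGETLAB\<Domain Admins member>')
        InstallDns                    = $true
        SiteName                      = 'Default-First-Site-Name'
        SafeModeAdministratorPassword = (Read-LabDsrmPassword)
        Force                         = $true
    }
    Assert-LabPrereq (Test-ADDSDomainControllerInstallation @p)
    Install-ADDSDomainController @p
}

# Child domain phoenix.nuggetlab.com: Enterprise Admins membership in the forest
# root. The DNS delegation points the parent zone down at the new DNS server.
function Install-LabChildDomain {
    $p = @{
        NewDomainName                 = 'phoenix'
        ParentDomainName              = 'nuggetlab.com'
        DomainType                    = 'ChildDomain'   # 'TreeDomain' for a new namespace such as accusource.net
        NewDomainNetbiosName          = 'PHOENIX'
        Credential                    = (Get-Credential -Message 'NUGGETLAB\<Enterprise Admins member>')
        InstallDns                    = $true
        CreateDnsDelegation           = $true
        SafeModeAdministratorPassword = (Read-LabDsrmPassword)
        Force                         = $true
    }
    Assert-LabPrereq (Test-ADDSDomainInstallation @p)
    Install-ADDSDomain @p
}

# After the reboot: the "engine under the hood" check from the first video.
# Clients locate DCs through these SRV records, so missing records break domain
# logons even when the DC service itself is running.
function Test-LabDcLocator {
    param([string]$Domain = 'nuggetlab.com')
    Get-ADDomainController -Filter * -Server $Domain |
        Select-Object Name, Domain, Site, IsGlobalCatalog, IPv4Address
    foreach ($svc in '_ldap', '_kerberos') {
        Resolve-DnsName -Name "$svc._tcp.dc._msdcs.$Domain" -Type SRV |
            Where-Object Type -eq 'SRV' |
            Select-Object Name, NameTarget, Port
    }
}

# Usage on each box:  . .\Deploy-LabAd.ps1; Install-LabAdTools -WhatIf; Install-LabAdTools
# then exactly one of: Install-LabForestRoot, Install-LabPeerDc, Install-LabChildDomain
# and, after the reboot: Test-LabDcLocator
```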