Installing and Configuring the Windows Domain Controller: Part 2 of 4

Installing a Windows Domain Controller is a relatively easy task. I also provide a list of service accounts to create for the new environment.

This is a copy of the blog post that I originally posted here:

Installing and Configuring the Windows Domain Controller: Part 2 of 4

As a reminder, I am separating the details into four blog posts:

  • Installing and Configuring a Three-Server SharePoint 2013 Environment: Part 1 of 4
  • Installing and Configuring the Windows Domain Controller: Part 2 of 4
  • Installing and Configuring SQL Server 2012: Part 3 of 4
  • Installing and Configuring SharePoint 2013: Part 4 of 4

I downloaded Windows Server 2012 (64-bit) from MSDN. I plan to perform the following tasks:

  • Install operating system
  • Add Active Directory Domain Services (ADDS)
  • Add DNS
  • Add domain groups and users

I create a custom virtual machine in VMware Workstation. I click on Create a New Virtual Machine.

I click Next to continue.

The New Virtual Machine Wizard screen is displayed. I click Next to continue.

I select the Installer disc image file (iso) and select the Windows Server 2012 iso file. I click Next to continue.

I enter the Windows product key, select Server 2012 Standard, enter Admin in the Full Name field and a password: pass@word1. I click Next to continue.

I enter the Virtual machine name and Location. I click Next to continue.

I keep the Processor Configuration settings as is and click Next.

I change the memory setting to 1024 MB and click Next.

I select Use host-only networking and click Next.

I keep the Controller Type settings as is and click Next.

The Select a Disk screen appears. I want to Create a new virtual disk and click Next.

I keep SCSI selected and click Next.

I change the Maximum disk size to 32.0 and keep the Split virtual disk into multiple files setting. I click Next.

I update the Disk File setting and click Next.

I click Customize Hardware on the Ready to Create Virtual Machine screen and remove the Floppy and Printer devices.

I click on the Network Adapter and change the Network Connection setting to Custom and select VMnet8 (NAT) in the drop down list. I click Close to continue.

I click Finish in the Ready to Create Virtual Machine window.

I close the Removable Devices window by clicking OK.

Installation continues until the operating system is installed. The server reboots and the Server Manager \ Dashboard is displayed.

Change the Server Name and the IP Address

I want to change the server name and IP address. I click on Local Server.

I click on the displayed computer name and the System Properties screen appears.

I click on Change and the Computer Name / Domain Changes dialog box is displayed. I update the computer name as displayed below. I click OK to continue. I will update the domain later.

Computer name: server2012dc

I click OK when asked to restart the computer.

I click on Close to close the System Properties window.

I click on Restart Now.

The computer immediately restarts. I confirm that the computer name has changed.

I click on the Ethernet setting to change the IP address.

The Network Connections screen is displayed.

I double-click on the Ethernet icon and the Ethernet Status window is displayed.

I click on Properties and the Ethernet Properties dialog box is displayed.

I select Internet Protocol Version 4 (TCP/IPv4) and click Properties. I select Use the following IP address and enter the IP address displayed below. I click OK to accept the changes and continue.

I click Close to close the Ethernet Properties dialog box.

I click Close to close the Ethernet Status dialog box.

I close the Network Connections window and I am returned to the Local Server dashboard.

I click on Tasks \ Refresh to update the dashboard.

I can see that my change is applied.

Active Directory Domain Services

I want to add AD DS now. I click on the Dashboard link on the left.

I click on “2 Add roles and features”.

The Add Roles and Features Wizard opens with its initial checklist. I have just set the static IP address, so I click Next to continue.

I keep the Role-based … selection and click Next.

I make no changes to the next screen and click Next.

I click on Active Directory Domain Services in the Add Roles and Features Wizard.

A new screen appears immediately. I click Add Features to continue.

I click Next on the Add Roles and Features Wizard to continue. The Select Features screen has Group Policy Management pre-selected. I click Next to continue.

The Active Directory Domain Services screen displays notes. I click Next to continue.

The Confirm installation selections screen appears.

I click on the Restart checkbox and a confirmation dialog box appears. I click Yes to continue.

I click Install on the Confirm Installation selections screen. The Feature installation shows the progress.

I click Close after seeing that installation succeeded.

An AD DS box appears on the Dashboard.

Promote Server to Domain Controller

I want to promote the server to a domain controller next. I click on the flag with the warning triangle. A Post-deployment Configuration list appears.

I click on Promote this server to a domain controller. The Active Directory Domain Services Configuration Wizard appears.

I change the deployment operation to Add a new forest and enter contoso.com as the root domain name. I click Next to continue.

I enter a Directory Services Restore Mode (DSRM) password in the next screen. I leave the rest of the settings as is and click Next to continue.

A warning is displayed on the DNS Options page.

A DNS Options warning box also appears. I click OK to continue.

I click Next on the DNS Options screen to continue. The Additional Options screen verifies the NetBIOS domain name. I click Next to continue.

I do not change the path settings in the Path screen. I click Next to continue.

I review the options on the Review Options screen. I click Next to continue.

The Review Options screen also offers the equivalent PowerShell script; I do not plan to run the script with PowerShell. I click Next to continue.

The Prerequisites Check runs. Unfortunately, one or more prerequisites fail.

I need to set a strong password for the local Administrator account. I click on Tools \ Computer Management.

The Computer Management window opens. I click on Local Users and Groups.

I double-click on Users and the list of user accounts is displayed.

I right-click on Administrator and select Set Password….

The Set Password for Administrator dialog box is displayed. I click Proceed to continue.

I enter the password in both password fields in the next screen. I click OK to continue.

I receive a confirmation that the password is set. I click OK to close the confirmation window.

I close the Computer Management window and return to the AD DS Configuration Wizard. I click Rerun prerequisites check.

The prerequisites check passed successfully this time.

I click Install to continue. The process starts …

Installation continues with status updates displayed.

The server restarts automatically. After the restart, I log on with the local Admin account. The Dashboard shows the new AD DS and DNS roles.

I can also see the new components available under the Tools menu.
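
The domain-controller build above, as an added PowerShell equivalent that is not from the original post: it performs the same rename, static-IP, role-install and forest-promotion steps in order. The adapter alias "Ethernet" and the 192.0.2.x addresses are assumed placeholders, since the post's real IP address is only visible in a screenshot.

```powershell
# Added example, not from the post: the screenshot walkthrough as a script.
# Assumed (not on the page): adapter alias "Ethernet"; 192.0.2.x addresses are
# documentation placeholders standing in for the address shown in the screenshot.
# Run elevated; the first run renames and reboots, the second run does the rest.

# --- Stage 1: Computer Name / Domain Changes (reboots) ---
if ($env:COMPUTERNAME -ne 'SERVER2012DC') {
    Rename-Computer -NewName 'server2012dc' -Force -Restart
    return   # come back and run the script again after the restart
}

# --- Stage 2: static IPv4 (Ethernet Properties > IPv4) ---
$nic = Get-NetAdapter -Name 'Ethernet'
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress '192.0.2.10' `
    -PrefixLength 24 -DefaultGateway '192.0.2.1'
# The DC will host the contoso.com zone, so it should resolve against itself.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '127.0.0.1'

# --- Add the AD DS role (Dashboard > Add roles and features) ---
# -IncludeManagementTools adds the tools the wizard pre-selects, including
# Group Policy Management.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# --- Promote: "Promote this server to a domain controller" ---
# The prerequisites check failed in the post until the local Administrator had
# a strong password; set one first (prompts twice).
net user Administrator *

$dsrm = Read-Host -Prompt 'Directory Services Restore Mode (DSRM) password' -AsSecureString

Import-Module ADDSDeployment
# Equivalent of the wizard's Prerequisites Check page. The DNS delegation
# notice seen in the post appears here as a warning; only an Error stops us.
$check = Test-ADDSForestInstallation -DomainName 'contoso.com' `
    -SafeModeAdministratorPassword $dsrm -InstallDns
$check | Format-List Status, Message
if ($check.Status -eq 'Error') { throw 'Prerequisites check failed; see messages above' }

# New forest with contoso.com as the root domain and the NetBIOS name the
# wizard proposed. The server restarts on its own when promotion completes.
Install-ADDSForest -DomainName 'contoso.com' -DomainNetbiosName 'CONTOSO' `
    -SafeModeAdministratorPassword $dsrm -InstallDns -Force
```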

Service Accounts

I will create the service accounts as listed on http://www.toddklindt.com/SP2013ServiceAccounts. I also plan to create some additional service accounts as listed on http://www.absolute-sharepoint.com/2013/01/sharepoint-2013-service-accounts-best.html. I really like the details provided in both blog entries. I changed the table format to follow what was in Todd’s blog.

The Account permissions and security settings in SharePoint 2013 document (link) provides a detailed list of all of the permissions and security settings automatically added to accounts during the various installation processes.

Service Accounts Needed for a Base Install of SharePoint 2013

| Account name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| sp_install | Used to install SharePoint binaries. | Domain User | Local administrator on all SharePoint servers (but not on SQL Server) | public, dbcreator, and securityadmin SQL roles. Needs to be sysadmin on SQL when installing the Workflow Manager |
| sp_farm | Farm account. Used for the Windows Timer Service, Central Admin and the User Profile service | Domain User | Local administrator on all SharePoint servers (but not on SQL Server) | public, dbcreator, and securityadmin SQL roles. Needs to be sysadmin on SQL when installing the Workflow Manager |
| sp_webapp | App pool identity for content web apps | Domain User | None | None |
| sp_serviceapps | Service app pool identity | Domain User | None | None |
| sp_userprofile | Account used by the User Profile service to access Active Directory | Must have Replicating Changes permission to AD. Must be given in BOTH ADUC and ADSI Edit. If the domain is Windows 2003 or earlier, must also be a member of the “Pre-Windows 2000” built-in group. | None | None |
| sp_superuser | Cache account | Domain User | Web application policy: Full Control; set as the web application super user account | None |
| sp_superreader | Cache account | Domain User | Web application policy: Full Read; set as the web application super reader account | None |
| sp_MySitePool | Used for the My Sites Web Application | Domain User | This account must not be a member of the Farm Administrators group. | None |

Accounts Required for SQL Server

The security benefit here is that the account running the SQL Server Agent and Database Engine services is no longer a local administrator.

| Account name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| SQL_Admin | SQL admin on the SQL Server. Used to install SQL Server. | Domain User | None | Local Administrator on the SQL Server |
| SQL_Services | Service account for the MSSQLSERVER and SQLSERVERAGENT SQL Server services. | Domain User | None | Given the necessary permissions when SQL Server is installed by a local administrator on the SQL box |
Accounts Required for Search

Instead of letting the sp_content account both run the Windows service and hold Full Read rights on all the web applications, SP_Search now runs the Windows service and SP_Crawl holds the Full Read rights used for crawling.

| Account name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| SP_Crawl | The default content access account for the Search Service Application | Domain User | None | None |
| SP_Search | Service account that runs the SharePoint Search “Windows Service” | Domain User | None | None |

Accounts Required for Optional Components

| Account name | Role | Domain rights | Local SharePoint Server rights needed | SQL rights needed |
|---|---|---|---|---|
| sql_ssas | Account that the SQL Server Analysis Services service runs as | Domain User | None | db_datareader on databases |
| sp_excel | Excel Services unattended account | Domain User | None | None |
| sp_pps | PerformancePoint unattended account | Domain User | None | None |
| sp_accsvc | Access Services. Used to create all Access databases in SQL and the service account running the service app pool for the Access Service Application | Domain User | None | db_owner, public, and securityadmin |
| sp_workflow | The RunAs account for the Workflow Manager service | Domain User | None | None |

I create all accounts in the Active Directory Users and Computers screen in the same manner. The “Users” container is selected.

I right-click in the right pane and select New \ User. I enter the details as seen in the screen below.

I click on Next to continue.

I click on Next to continue.

I click on Finish to continue. The New Object screen closes. I can then double-click on the new user object and edit all of the properties. For example, I can add a description.

I click OK to close the window. The end result looks like below.

I close the Active Directory Users and Computers screen.
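
The account creation above, as an added PowerShell script that is not part of the original post: it creates every account from the base, SQL Server and Search tables in the Users container and grants sp_userprofile the Replicating Directory Changes right the table calls for. It assumes it runs on the new DC as a domain administrator; the descriptions are shortened versions of the Role column.

```powershell
# Added example, not from the post: create the service accounts from the base,
# SQL Server and Search tables above with New-ADUser instead of ADUC clicks.
# Assumptions: run on the new DC as a domain admin; accounts go into the default
# Users container as in the post; the descriptions are shortened Role entries.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$dn        = $domain.DistinguishedName                 # DC=contoso,DC=com
$container = "CN=Users,$dn"

$accounts = [ordered]@{
    'sp_install'     = 'Installs SharePoint binaries'
    'sp_farm'        = 'Farm account: Timer Service, Central Admin, User Profile service'
    'sp_webapp'      = 'App pool identity for content web apps'
    'sp_serviceapps' = 'Service app pool identity'
    'sp_userprofile' = 'User Profile service access to Active Directory'
    'sp_superuser'   = 'Object cache super user'
    'sp_superreader' = 'Object cache super reader'
    'sp_MySitePool'  = 'My Sites web application app pool'
    'SQL_Admin'      = 'Installs SQL Server'
    'SQL_Services'   = 'MSSQLSERVER and SQLSERVERAGENT service account'
    'SP_Crawl'       = 'Search default content access account'
    'SP_Search'      = 'Search Windows service account'
}

foreach ($name in $accounts.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Warning "$name already exists, skipping"
        continue
    }
    # Each account gets its own password, typed at the prompt and never
    # stored in the script.
    $pw = Read-Host -Prompt "Password for $name" -AsSecureString
    New-ADUser -Name $name -SamAccountName $name -Path $container `
        -UserPrincipalName "$name@$($domain.DNSRoot)" `
        -Description $accounts[$name] -AccountPassword $pw `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
}

# sp_userprofile is the only account that needs Replicating Directory Changes
# on the domain partition (the table: "in BOTH ADUC and ADSIEDIT"). dsacls
# grants that control access right (CA); it lets the holder read every object
# in the partition, so it goes to this one account and nothing else.
$grantee = "$($domain.NetBIOSName)\sp_userprofile:CA;Replicating Directory Changes"
dsacls $dn /G $grantee
```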

I press the Windows key on the keyboard. I can see new icons for the Active Directory and DNS programs. I press the [ESC] key on the keyboard.

This ends my work on the domain controller. I will leave the virtual machine up and running.
