
Category Archives: Windows Server 2016


Today we are talking about some tricks for promoting a Windows Server 2016 Server Core installation to a domain controller.

Windows Server 2016 (currently on TP4) installs in Server Core mode by default, which lacks a GUI, so the usual configuration steps don't work. This post walks through an example of setting up a second domain controller in a domain, the errors I encountered and how I fixed them.

First of all, let me introduce my environment.

It's a simple environment with one domain and two domain controllers. The domain name is Marvel. The server names are MarvelDC01 and MarvelDC02.

Both are Windows Server 2016, but DC01 has a GUI while DC02 is Server Core. You need a Windows Server 2016 box with a GUI as a remote management server. Both servers run on Hyper-V on a Surface 2.0 with Windows 10.


Build first Domain and Domain Controller

After deploying DC01 with the GUI, I added Active Directory Domain Services and promoted it to the first domain controller without any issues.

[Screenshot: server_core001]

I set the forest functional level (FFL) and domain functional level (DFL) to the 2016 preview level.

[Screenshot: server_core002]

The schema version is 85. (will this be different after GA? ;))

Configure Server Core

Now, here comes the Server Core box.

As you know, we need to change the computer name and IP address, set up DNS and, personally, enable ICMP for ping tests as well.

We can use PowerShell or the command line, but I prefer sconfig.vbs, which is the fastest way to configure all of the above.

[Screenshot: server_core003]

sconfig was introduced in Windows 2008 R2 as a VB script. Now it is a CMD file. The current version is 5.812; in Windows 2012 the version was 5.8, so not too much has changed.

sconfig.cmd can easily configure the firewall and the basic tasks you would want to do on Server Core. But it is not foolproof, as I will mention later.

Tip:

How to reboot server core server?

CMD:

Shutdown -r -t 1

Powershell:

Restart-computer

Tip:

How to check whether the system is domain joined or not?

CMD:

Systeminfo

Join to Domain

Once that is done, you need to join the Server Core server (MarvelDC02) to the Marvel.com domain. That can be done via sconfig as well.

Prepare for Promoting to Domain controller

If you think you are ready, then you are wrong. To promote a member server to a domain controller, the domain admins need full control of the member server. That should be granted via GPO (Default Domain Policy). When the server has just joined the domain, it sits in the Computers container, which doesn't accept any policies.

Hence, I created a Servers OU and moved the member server object into this new OU.

Then run gpupdate /force and gpresult /r to check whether the Default Domain Policy GPO is applied on this member server.
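The Server Core configuration, domain join into the Servers OU and GPO check from the sections above, scripted in PowerShell as an added example (not code from the original post). IP addresses, the adapter alias and the OU path are assumed values; the OU is created on the GUI DC first.

```powershell
# Added example, not code from the original post: the sconfig steps above scripted in
# PowerShell for MarvelDC02. IP addresses, interface alias and OU path are assumed values.

# --- On MarvelDC01 (the GUI DC): create the Servers OU first, so the member server
#     lands where Group Policy applies instead of in the Computers container.
# New-ADOrganizationalUnit -Name "Servers" -Path "DC=marvel,DC=com"

# --- On the Server Core box, elevated PowerShell (start it with "powershell" from cmd).
$Iface   = "Ethernet"        # assumed adapter alias; confirm with Get-NetAdapter
$Dc01Ip  = "192.168.10.11"   # assumed address of MarvelDC01, which hosts DNS for marvel.com
$NewName = "MarvelDC02"

# 1. Static IP, and DNS pointing at the existing DC (the domain join and dcpromo need it)
New-NetIPAddress -InterfaceAlias $Iface -IPAddress "192.168.10.12" -PrefixLength 24 `
    -DefaultGateway "192.168.10.1"
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses $Dc01Ip

# 2. Allow inbound ICMPv4 echo requests so the box answers ping
New-NetFirewallRule -DisplayName "Allow ICMPv4 Echo Request" -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Allow

# 3. Rename and reboot (-Restart replaces the separate Shutdown / Restart-Computer step)
Rename-Computer -NewName $NewName -Force -Restart

# --- After the reboot: join marvel.com directly into the Servers OU, so no later move is needed
$Cred = Get-Credential -UserName "MARVEL\administrator" -Message "Domain join credential"
Add-Computer -DomainName "marvel.com" -OUPath "OU=Servers,DC=marvel,DC=com" `
    -Credential $Cred -Restart

# --- After the second reboot: confirm the join and that Default Domain Policy applied
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"{0}: PartOfDomain={1} Domain={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain
gpupdate /force
gpresult /r /scope:computer   # "Default Domain Policy" should be listed under Applied Group Policy Objects
```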

To promote a member server to a domain controller on Server Core, we need dcpromo.exe, which is deprecated in the GUI version. You DO NOT need to install the Directory Services components first as in the GUI version; they are installed automatically during the process. However, we need an answer file instead of typing all the parameters every time.

A sample answer file follows:

[DCInstall]
createOrjoin = join
replicaDomainDNSName = domain.tld
ReplicaOrNewDomain = Replica
UserDomain = DOMAIN
Username = administrator
Password = "P@ssw0rd1"
InstallDNS = Yes
ConfirmGc = Yes
CreateDNSDelegation = No
SafeModeAdminPassword = "P@ssw0rd"

We can call it dcpromoanswer.txt. The reason I mark the actual passwords in red is that once the file has been used, those passwords (the ones marked in red) are removed from the file. So if you need to run dcpromo again, you need to open the text file and retype the passwords.

Promote to Domain controller

After rebooting the member server, you need to log in as Marvel\administrator. You need to hit the "ESC" key to get this screen.

The first screen remembers the last user login; hit "ESC".

[Screenshot: server_core004]

It is strange to see this screen, and I'm not quite sure what the meaning behind it is, but you need to hit the "ESC" key again.

[Screenshot: server_core005]

This is what we want: you can select "Other user" to log in as a different account.

[Screenshot: server_core006]

Tip:

Believe it or not, I struggled quite a bit with hitting the "ESC" key. It just didn't work! It turns out that you MUST highlight the Windows screen (not your virtual machine) before you hit the "ESC" key.

Now you can run dcpromo.exe /unattend c:\dcpromoanswer.txt

[Screenshot: server_core007]

If you are lucky, you will see the following screen and it's all good.

[Screenshot: server_core008]

If you are not lucky...

Well, not everyone and not every day is lucky. You may run into the following errors, just like I did.

[Screenshot: server_core009]

The error above tells you that the passwords in the answer file have been wiped out. You need to retype them.

[Screenshot: server_core011]

The error above tells you that you didn't move your computer object (MarvelDC02) out of the Computers container.

[Screenshot: server_core012]

Believe it or not, after multiple failed attempts your member server somehow got halfway through: it is not a domain controller yet, but it is registered in the NTDS database. Hence, we need to use ntdsutil to do a metadata cleanup, as follows.

[Screenshot: server_core013]

Unfortunately, after cleaning up NTDS, your server object no longer exists in AD, so you need to leave the domain and rejoin. However, sconfig fails when your object is not in AD, so it is unable to leave the domain and join a workgroup.

What I did was run sysprep to regenerate the machine ID. That resolved the issue.

Group Policy not applied

This is another issue, with MARVELDC01. Its clock jumps every couple of hours, and MARVELDC02 is not able to sync GPO because of the time difference.

After investigation, the fix is to turn off the time synchronization service in the Hyper-V layer for that domain controller.

[Screenshot: server_core012]

That's all for now. As usual, please leave feedback.
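The time-sync fix from the paragraph above, as an added example (not code from the original post), which also goes one step further than the post by giving the first DC an external NTP peer and checking each DC's time source afterwards. VM names are assumed to match the server names.

```powershell
# Added example, not code from the original post: turn off the Hyper-V time-sync
# integration service for the DC VM and check where each DC now gets its time.
# VM names are assumed to equal the server names used in the post.

# --- On the Hyper-V host (the Windows 10 machine), elevated PowerShell
$VmName = "MarvelDC01"
Get-VMIntegrationService -VMName $VmName -Name "Time Synchronization"   # Enabled = True before
Disable-VMIntegrationService -VMName $VmName -Name "Time Synchronization"
Get-VMIntegrationService -VMName $VmName -Name "Time Synchronization"   # Enabled = False after

# --- Inside MarvelDC01 (as the first DC it holds the PDC emulator by default): give it a
#     real NTP source so the domain time hierarchy has an authoritative clock to follow.
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync
w32tm /query /source    # should name the NTP peer, not "VM IC Time Synchronization Provider"

# --- Inside MarvelDC02: it should follow MarvelDC01 via the domain hierarchy
w32tm /query /source                                          # expect MarvelDC01.marvel.com
w32tm /stripchart /computer:MarvelDC01 /samples:3 /dataonly   # offset should be close to zero
```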

Reference:

https://4sysops.com/archives/server-roles-in-server-core-part-2-domain-controllers/