Install AD DS, DNS, and DHCP using Powershell on Windows Server 2016

This article serves as a guide to installing and configuring roles on Windows 2016 servers using powershell.

To begin, right-click the Windows Powershell taskbar icon and select “Run as Administrator”. To view Windows features and statuses enter this command into the console:

Get-WindowsFeature

To install an individual feature the following command syntax is used:

Install-WindowsFeature -Name [feature_name] -[Options] 

Active Directory Role

We will begin by installing the Active Directory role using the following:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

To view the available module commands related to AD DS use the following:

Get-Command -Module ADDSDeployment

First, the root domain is installed:

Install-ADDSForest -DomainName “corp.momco.com”

Note that you may see several error messages and this is okay. Watch the banner for update information regarding your domain forest. Once the root forest is successfully created you’ll see this message:

The server will restart. Open Powershell again as Administrator and check to make sure the appropriate changes were made:

Now we can join a computer connected to our vlan to our domain. In this instance I log onto a Windows 7 vm on the same VLAN as the Windows Server and join this box by changing the domain in the computer’s System Properties. To join the domain, you must authorize the client using an administrative username/password from the domain. In this example my username was “momco\administrator”. Upon successfully joining you should see a messagebox welcoming you to your domain:

Restart your client computer to apply the new changes. You should now be able to view this client on your Windows server domain controller (DC) using the following command:

get-ADComputer | Format-Table DNSHostName, Enabled, Name, SamAccountName

The client computer can be seen above as “WIN-BOB-01”. We can add a user to the Active Directory domain using the following command:

New-ADUser -Name [Username] -AccountPassword(Read-Host -AsSecureString AccountPassword) -PassThru | Enable-ADAccount

DNS Role

The DNS server was created when AD DS role installed the root forest. We can see that the DNS role is installed using the Get-WindowsFeature command:

Get-WindowsFeature | where {($_.name -like “DNS”)}

If your DNS server is not installed, you can install it with this command:

Install-WindowsFeature DNS -IncludeManagementTools

The DNS primary zone is created when the forest is generated. Next, the network ID and file entry is made:

Add-DnsServerPrimaryZone -NetworkID 192.168.64.0/24 -ZoneFile “192.168.64.2.in-addr.arpa.dns”

Next, the forwarder is added:

Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru

You should now be able to test your dns server:

Test-DnsServer -IPAddress 192.168.64.2 -ZoneName "corp.momco.com"

DHCP Role

We’ll begin by installing the DHCP role. To do this, the Windows 2016 Sever must be configured with a static IP address. The New-NetIpAddress command is used:

New-NetIPAddress -InterfaceIndex 2 -IPAddress 192.168.64.2 -PrefixLength 24 -DefaultGateway 192.168.64.1

You’ll need to know the ifIndex the network interface of which you are configuring the IP address. To view your available network interfaces, use the Get-Net-IPInterface command. Now that the server has been configured with an IP address the DHCP role can be installed:

Install-WindowsFeature DHCP -IncludeManagementTools

Next, a security group is created using the netsh command. The service is then restarted. When the following command is run, the DHCP Administrators and DHCP Users security groups are created in Local Users and Groups on the DHCP server.

Now that the DHCP role and security groups are installed, we need to configure the subnets, scope and exclusions. Configure the DHCP scope for the domain. This will be the addresses that are handed out the to network by DHCP.

Add-DHCPServerv4Scope -Name “Employee Scope” -StartRange 192.168.64.10 -EndRange 192.168.64.30 -SubnetMask 255.255.255.0 -State Active

The DHCP lease can be set to 1 day using the following command:

Set-DhcpServerv4Scope -ScopeId 192.168.64.0 -LeaseDuration 1.00:00:00

Next, authorize the DHCP server to operate in the domain:

Set-DHCPServerv4OptionValue -ScopeID 192.168.64.0 -DnsDomain corp.momco.com -DnsServer 192.168.64.2 -Router 192.168.64.1

Finally, the DHCP Server is added to the DC:

Add-DhcpServerInDC -DnsName corp.momco.com -IpAddress 192.168.64.2

We can verify the DHCP Scope setting using this command:

Get-DhcpServerv4Scope

We can verify the existence of this DHCP server in this DC with the following command:

Get-DhcpServerInDC

Restart the DHCP service:

Restart-service dhcpserver

We can verify that DHCP is working properly by releasing the client IP and then requesting a new IP address from the DHCP server. (This step assumes that your client is set to automatically receive IP addresses via DHCP.)

ipconfig /release
ipconfig /renew

The appropriate IP address was distributed to the client, shown above.

Have a comment or question? I’d love to hear about it. Please let me know in the comments below! Thanks for reading!

Resources

I write about DFIR, GRC, and defensive security topics.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store