Domain Controller Deployment in Homelab

There are numerous tutorials on domain controller deployment in homelab; why not write my own and contribute to the confusion?

This is a quick one, focusing on fast deployment and adding DNS, DHCP, and WSUS configuration.

A Windows Server install is a requirement, of course.

I already changed a few things, as seen in the screenshot above.
I added a static IP address, a hostname, and a computer name. I enabled remote desktop in the same window but ignored the request to restart.
On the right side, I changed the timezone; that’s it for this window.

Next; start Perfmon:

Go to Data Collector Sets / Startup Trace Sessions, and click right on DefenderAPILogger.

Open Trace Session and uncheck “Enabled.”

Ignore the error message as it did work anyway.

The same applies to DefenderAuditLogger.
These steps prevent some nasty error messages later.

Now go to the settings and select Updates and Advanced Options to enable “Receive updates for other Microsoft…”

Run one set of updates and download and install all offered additional updates in the same window.
Now we’re ready for a restart. 
First thing after the machine is back, check again for updates. 
Rinse repeat.

Now let’s move on to Server Manager and add a role:

Select Active Directory Domain Services:

Wait a bit and promote the server:

If this is the first DC, we’ll create a new forest.

Tip: If you’ve registered a domain name, don’t use it for the homelab. It’s going to cause issues with DNS.
Instead, create a subdomain as seen here:

Just follow the steps:

Remember the Netbios name as we need it to log in later.

I’m somewhat experienced with AD and suffer from IT-OCD, so I’ll start cleaning the Eventlog.

In a homelab, we can be brutal and ignore best practices, and here I’m going to delete and disable secondary logs like User Device Registration.

I suggest a restart, keep watching the Eventlog, and fix individual errors along the deployment.

DHCP Server Installation

In Server Manager, add a new role and select DHCP Server.

Complete DHCP configuration:

Follow the steps.

Inside DHCP Manager create a new scope:

I’m choosing an (almost) complete /24 subnet:

In the next step, we define exclusions. In my example, I go with static assignments up until .29:

Adjust the lease duration.
In a homelab, with all of its constant changes, I wouldn’t go for more than one day:

Configure the scope options:

Assigning the IP of the router is probably the most important one:

And the DNS Server. The DC itself is already shown; here, I’m adding another one and increasing the priority for the time being:

That’s it for DHCP now.
You can enable the scope now or keep it on hold in case other stuff needs to be sorted first.

We’re going elsewhere now.

Adjusting DNS

In DNS Manager, click the server with the right mouse button and Set Aging for all zones:

Hop into the settings and select the Forwarder tab. We need at least one forwarder for the server to resolve external IPs, like the internet.
In most cases, it’s the router or firewall, but I run an AdGuardHome container on the .14, and my firewall is on .1.

Don’t forget to create a matching reverse zone. Just follow the steps on the screen.

I might confuse versions, but I think with 20212, Microsoft improved this step a lot, and all that’s left to do is to enter the first three octets of the forward zone:

Once the reverse zone is up, we can add static IPs and the respective hostnames. But besides that, we’re done here.

Set up WSUS

Back in Server Manager, add the WSUS role.

Windows Internal Database (WID) is perfectly fine for a handful of servers.

Create a random folder in Explorer and point to it, here I use c:wsus

Post-installation tasks:

The whole setup process is a bit slow and requires patience.
While waiting, we could pop into Server Manager and disable autostart, as we won’t need it anymore:

When the setup finishes, start the WSUS console and continue to follow the steps.

Get a coffee. Or lunch. That’ll take some time.

But at some point, it will finish, and the first setting is to choose whatever language:

Now to the products.
Pay attention; in the default settings, some products are already selected. The fastest way to start with your selection is to click “All Products” and uncheck it again.

I’m only interested in SQL Server 2019 and Windows Server 2022:

I automize everything but the drivers:

Choose a time outside of your, ahem, production hours:

Click. And wait.

In the WSUS console, we can watch the progress of the first sync. Please don’t wait for it. It’ll take a while. Do something else, play with your cat. Don’t have one? Check out mine.

Later check Server/Updates/All Updates and change from Failed or Needed to Any so we can see them all.

Right-click the title row and add Supersedence.

Now sort by supersedence and scroll all down.
There are only three different icons, and you can quickly identify outdated stuff:

Choose outdated revisions, right-click and decline:

The result looks much better, but check the details. A few updates are aiming at ARM servers, but we most likely won’t need them.

Now let’s approve everything that’s left:

Depending on how much attention you give to your infrastructure, you might want to select “unassigned computers” as well:

Back in the dashboard, we can check the download status. It’s going to take a few more minutes:

That’s it!

Of course, we need to adjust group policies, but that’s another topic, and to increase availability, we’ll add a second domain controller later.

More homelab posts:

1 2 3 4

Leave a Comment

Your email address will not be published.