Introduction
Most existing companies have some sort of established directory service implemented, such as Active Directory, LDAP, Azure AD (Ok… Fine… aka Entra ID), etc., which keeps track of user identity, credentials, and permissions. However, you might find yourself needing to set up a lab environment to test some of the topics that I will be blogging about. Or maybe you don’t have Windows PKI set up or are unsure of what Group Policy Object (GPO) settings to configure to help you with certain products. For that reason, I’m dusting off my old MCSE knowledge and starting this blog with a series of posts on setting up a basic Windows Server, Active Directory, and PKI environment.
Downloading Windows Server
Much of this initial setup is based on the assumption that you might eventually set up an Identity Services Engine (ISE) alongside it. However, even if that isn’t your goal for setting it up, there is still educational value in learning to configure the basics of Active Directory, Group Policy Objects (GPO), and PKI. I’ll be using Windows Server 2016, but the process will likely not change if you’re using a newer version of Windows Server, so you should be able to follow along if you’re using Server 2022.
If you want to set up a lab, I recommend checking out Microsoft’s Evaluation Center, which should allow you to download ISOs for the Microsoft products you wish to test. You should be able to run Windows Server in evaluation mode for 180 days. That should be plenty of time to test out a lab. If you run out of time, you will get more practice setting it up again. While that sounds redundant, rebuilding labs and testing new use cases has helped me keep sharp over the years.
Where to install it?
After you download the ISO, you can mount it on your hypervisor of choice. If you’re wondering what hypervisor to use, there are various options ranging from free to a few hundred dollars, depending on what you plan on installing this on. If you’re setting up your lab on your own computer, you have free options such as VirtualBox if you are running Windows or Linux as your operating system. For Macs, it gets a little more complicated. VirtualBox is still an attractive option if you use one of the older Macs with an Intel CPU. However, Apple started producing its own ARM-based CPUs in 2020, and newer Mac computers will have those CPUs. Due to that change, VirtualBox can struggle with Apple silicon. However, there are still some options. One popular option is Parallels, which costs $99.99/year and appears to be a rather popular choice for Mac users.
Alternatively, you may want to run a lab server or use an old computer to run a bare-metal hypervisor. One option is to join VMUG for $210/year, which gives you 365-day evaluation licenses for all VMware products. This might be useful if you’re trying to lab an environment similar to your work environment. There are also free alternatives, such as Proxmox Virtual Environment, an open-source solution for enterprise virtualization built on the KVM hypervisor and Linux Containers (LXC). Alternatively, you may also consider one of the many products that are purpose-built for labbing, such as Cisco Modeling Labs ($199/year, which includes many Cisco device images), GNS3 (free, but bring your own images), and Eve-NG (free option, but bring your own images), all of which can be installed either as a virtual machine or bare metal on a server.
Installing Windows Server
After downloading the ISO for Windows Server from Microsoft’s Evaluation Center, you must install it on a virtual machine. As you can see above, there are many different virtualization platforms, so I will keep this post agnostic to the virtualization platform of choice.
Most hypervisors have an option to add or create a new virtual machine. During the creation of the virtual machine, you will be asked how many vCPUs/cores, how much RAM and hard drive space, and how many network interfaces you want to allocate to the virtual machine. It may even ask what operating system you are installing. If Windows Server is in the dropdown, choose that, and the hypervisor will try to recommend or predict the VM settings based on that operating system type.
It is important to note the requirements for the virtual machine resources as you prepare to create your virtual machine:
Windows Server 2016 & 2022
- Processor: 1.4 GHz 64-bit. The CPU must support NX, DEP, CMPXCHG16b, LAHF/SAHF, PrefetchW and second-level address translation
- RAM: 2GB for GUI
- Storage: Minimum of 32GB
- At least one 1GB Network Interface – most of these are virtualized
For more information, see Microsoft’s Hardware Requirements for Windows Server.
I try to go a little higher than the minimum requirements for my labs. For example, I’ll usually use at least 2 vCPUs, 4 GB RAM, and 50-80 GB of storage. Most hypervisors allow you to thin-provision your storage so the VM does not consume the full allocated disk space during installation and instead grows the virtual disk dynamically as storage is needed. That way, the full 50-80 GB of storage space is not used until needed. The drawback is that the underlying datastore can be oversubscribed: if several thin-provisioned VMs grow at once, the physical space may not actually be there when your VM needs it. However, this method tends to help scale your labs a little better if you’re often spinning up and tearing down new VMs.
Another thing to note is that if you are using VMware as your hypervisor, you might get a choice of E1000E vs. VMXNET3 for the network interface. VMXNET3 is a paravirtualized adapter rather than an emulated card, so it takes fewer resources from the hypervisor; I suggest using that option for the Windows Server VM.
During VM creation, the hypervisor might ask you for the operating system’s ISO. You may either mount it then or after the VM is built by going into the settings of that VM and attaching the ISO as an optical drive. After it is mounted, power up the VM. It should boot to the installation media (the ISO).
Initially, you will be asked to pick the language to install and the keyboard layout to use.
After clicking Next and then clicking on an Install Now button on the next screen, you will be asked which operating system you want to install. I would recommend choosing Windows Server Standard Evaluation. This should provide all the features you will need for your lab environment.
The next window might be confusing. It will ask you what type of installation you want. The default is “Upgrade,” meaning you would be upgrading an existing Windows Server installation. Instead, choose the second option: Custom: Install Microsoft Server Operating System only (advanced).
On the next screen, you will be presented with the disks on which Windows Server can be installed. Since this is a new virtual machine, you should have only one disk to choose from. After you click Next, the installation will begin, which will take some time.
At some point, the VM will reboot, and you will be asked to set the administrator password. After doing so, you should be able to log into Windows Server. The Server Manager will pop up after you log in for the first time. Click on the Local Server option on the left-hand pane to make basic changes to the server.
The first thing you might want to do is click on the link to the right of Ethernet0 to set the server’s IP address.
Next, right-click the Ethernet0 adapter, choose Properties from the menu, and change the IP address to a static IP address, since we want our Active Directory, DNS, and PKI server not to have a dynamic address.
After setting the static IP address, go back to the Server Manager, and this time, click the link to the right of Computer Name.
You will receive a pop-up for the System Properties. Under the Computer Name tab, click the Change… button.
We will want to change the Computer Name before we make any role changes on this server since the computer name generated during a fresh install is not usually human-friendly. In the screenshot below, I changed my computer name to ad-2016.
Click OK to close the Computer Name/Domain Changes dialog window and then click OK again to close the System Properties window to save your changes.
Changing the computer’s name will usually prompt a restart. Allow the computer to restart to let the name change take effect.
Another housecleaning item to check here is the time and date on your server. If your new Windows Server believes it’s January 1st of 2010, that’s going to cause some huge problems when you add the Certificate Authority role and ISE believes all the certificates have expired. Another common cause of ISE failing to join a domain is time skew. The time skew must be under 5 minutes between the time set on the ISE server and the Active Directory server.
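The same post-install housekeeping (static IP, clock check, rename) can be done from an elevated PowerShell prompt instead of clicking through Server Manager. This is an added example, not from the original post; the adapter alias, addresses and hostname are constructed lab values, and the lab resolver/NTP source are assumptions.

```powershell
# Added example: post-install housekeeping for the future AD/DNS/PKI server.
# Constructed lab values (assumptions): adapter "Ethernet0", 192.168.10.10/24,
# gateway 192.168.10.1 acting as the lab DNS resolver, hostname ad-2016.
$Adapter   = "Ethernet0"
$IPAddress = "192.168.10.10"
$Prefix    = 24
$Gateway   = "192.168.10.1"
$LabDns    = "192.168.10.1"   # assumed lab resolver until the DNS role exists
$NewName   = "ad-2016"

# 1. Static IP: turn off DHCP on the interface, clear any lease-assigned
#    address and default route, then assign the static address and gateway.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress `
    -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $LabDns

# 2. Clock check before adding the CA role or joining anything to the domain:
#    a clock that is years off invalidates certificates, and Kerberos (ISE
#    included) tolerates at most 5 minutes of skew against the DC.
Write-Host "Local time (UTC): $((Get-Date).ToUniversalTime())"
# Show the offset between this server and a known-good NTP source (assumed
# reachable from the lab); a large offset here means fix time before continuing.
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly
# To correct a bad clock, point the Windows Time service at that source and resync:
# w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /update
# w32tm /resync

# 3. Rename last; the new name only takes effect after the reboot this triggers.
Rename-Computer -NewName $NewName -Force -Restart
```

Once the server becomes a domain controller, the Active Directory DNS role replaces the interim resolver setting, so the `$LabDns` value is only needed until then.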