
How-To Geek

How To Make Windows Home Server into a Domain Controller

Active Directory lets companies manage users, computers, printers, and more from a centralized location. Have you wanted this functionality at home but don’t have money for Windows Server? Here’s how you can promote Windows Home Server to a domain controller.

Maybe you don’t have 100+ computers in your closet but sometimes it may feel that way. Active Directory allows you to centrally manage the users that can log into the machines as well as help quickly set up machine preferences and can even help manage your virtual machines. If you have been wanting a better way to manage it all, or even just want to dive into Active Directory here’s how you can do it on the cheap.

Please be aware that Microsoft specifically says you are not allowed to do this according to their end user license agreement (EULA) that you have to agree to when installing or setting up a Windows Home Server. As such, this article will be strictly for educational purposes.

If you are allergic to breaking EULAs I suggest you purchase Windows Server from Microsoft. Select students on the other hand can freely download Windows Server from Microsoft DreamSpark.

Set Up Windows Home Server

After your initial setup of Windows Home Server you will need to turn on remote desktop abilities from the Windows Home Server console. If you are reading this article I am going to assume you know how to do that yourself.

You will also need a couple of dedicated disks or partitions for storing Active Directory information. Active Directory uses the NTDS and SYSVOL folders to store its database and public files, and if they are not on dedicated disks you will most likely see slowdowns on your server and on your network.

Active Directory requires that you have DNS and a static IP address on your server. You don’t have to do these two steps right now, but you will need to be prepared to do them during the process.

Promoting your WHS to a domain controller is going to do a few things that you may not want. Please read the below precautions before continuing.

  1. You will no longer be able to add computers to WHS with the WHS connector. From now on you will have to join computers to your new domain that you will set up. In order to be able to add computers to a domain you cannot use any of the “home” variants of Windows and instead will need to use the business, professional, or enterprise tiers.
  2. All of your users in WHS will be erased and only the default user accounts (e.g. administrator, guest, etc.) will be left in WHS.
  3. Your WHS webpage will be broken. You can “fix” this by installing another web server (e.g. Apache) but it will take more setup and work.

All in all, be prepared to do a fresh install on your WHS and do not do this on a machine you are actively keeping information on. It would probably be a better idea to have a second computer to set up AD and migrate any information over that you want.

Always have backups. If this is a computer you use, it is your responsibility to make a backup before you start this process.

Promote Your Server

Domain controller promotion is done through the dcpromo.exe command. Remote desktop into your server, open the run dialog and run the command.

Click next a couple times and then select the option to create a new controller for a new domain.

Then select new domain forest.

Next it is best to select to set up DNS on the local machine. This is the easiest way to get the controller configured. You will just have to make sure you turn off DNS on your router.

If you are going to keep DHCP issued from your router you will also need to point DNS responsibilities to your server. Please check your router manual for how to do that.

Finally we can name the new domain. If you own a public web domain name, don’t give your Active Directory domain the same name: it may cause problems unless you are also running the web service and dynamic DNS updater from this computer.

Instead it is a better idea to come up with a .local name for your domain.

Next you will need to put in a NETBIOS name. You should be able to select the default and just click next.

We need to tell the domain controller where to store the database, log files, and public files. It is recommended to store all of this on a separate hard drive. In my installation I have a separate 20 GB hard drive plugged in (E:) where I have put the required files.

If you have any pre-Windows 2000 computers I feel bad for you. In most cases you can leave out support for anything that old in the next step.

Select a new Administrator password.

And then review your changes and click next.

The promotion process will now start.

You will probably be asked for your installation CD at some point so make sure you have your CD (or the files from your CD) available to you.

You will also probably be prompted to change your IP address from dynamic to static during the process.

Click OK and then continue to change your IP address to a suitable static address.

Your setup should finish with this screen. Once you click finish go ahead and restart your new domain controller.

Don’t worry if the reboot takes a while. It needs to start up a lot of new services, so the first reboot will probably take some time.

Once the machine reboots you may get an error about a service failing to start. You should also have a new option at your login screen to log into the new domain you just created.

Post Installation Settings

Now that you have a domain and a domain controller there are just a couple of things we need to do to make sure things run smoothly.

First we can fix the services error we got before by going to Start -> Run -> “services.msc”.

Find the “SSDP Discovery Service” and the “Universal Plug and Play Device Host” services and set them to start automatically. Then start the services manually.

Now browse to C:\Windows\Temp. Right click on the folder and choose Properties.

On the security tab click add and then type network service and click check names. Once the name is verified (it will be underlined) click OK.

Repeat the above two steps for the c:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files directory too.

Now we need to configure the Windows Firewall to let the correct programs through. You could just disable the firewall, but you will take a performance hit by doing so. Here are the ports and programs you will need to allow through your firewall.

To add a program exception click on the exceptions tab and then click add program. Browse to the dns.exe located in the c:\windows\system32 folder and then click change scope.

Change the scope to only be on your local subnet because you don’t want anyone outside of your network using your DNS for lookups.

Next do the same thing for the DHCP server, located at C:\WINDOWS\system32\tcpsvcs.exe, but don’t limit the scope. Instead allow any computer to connect to DHCP; otherwise computers will never get an IP address after we turn that on.

We won’t set up DHCP in this article but may revisit this in the future. If you want to know how to set up DHCP check out the we got served link at the end of this post.

Go back to the main exceptions tab and then click add port. Type in LDAP for the name and 389 for the port number. Change the scope to my network (subnet) only and then click OK.

Repeat these steps for the following additional ports.

LDAP – 389 – UDP

LDAP – 636 – TCP

LDAP – 3268 – TCP

Kerberos – 88 – TCP and UDP
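The post-installation fixes above (the two services, and the firewall exceptions with DNS, LDAP and Kerberos restricted to the local subnet while DHCP stays open) as a single script you can run from an elevated command prompt. This is an added example, not from the original article; it assumes the Windows Server 2003 base of WHS v1, where the `netsh firewall` context exists, and that SSDPSRV and upnphost are the internal names of the two services named above.

```batch
@echo off
rem Added example (not from the article): scripted version of the
rem post-installation steps. Assumes the "netsh firewall" context of
rem Windows Server 2003 / WHS v1. Service names SSDPSRV and upnphost are
rem assumed to be "SSDP Discovery Service" and "Universal Plug and Play
rem Device Host"; confirm with "sc query" before relying on them.

rem 1. Services that fail after promotion: set to Automatic and start them.
sc config SSDPSRV start= auto
sc config upnphost start= auto
sc start SSDPSRV
sc start upnphost

rem 2. DNS server: allow dns.exe, but only for the local subnet so nothing
rem    outside the LAN can use this server for lookups.
netsh firewall add allowedprogram program="%SystemRoot%\system32\dns.exe" name="DNS Server" mode=ENABLE scope=SUBNET

rem 3. DHCP server: must accept any client, because a client has no address
rem    yet and a subnet-scoped rule would never match its request.
netsh firewall add allowedprogram program="%SystemRoot%\system32\tcpsvcs.exe" name="DHCP Server" mode=ENABLE scope=ALL

rem 4. Directory ports from the list above, each limited to the local subnet.
rem    (636 is LDAP over SSL, 3268 is the Global Catalog; the names are labels only.)
netsh firewall add portopening protocol=TCP port=389  name="LDAP"           mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=UDP port=389  name="LDAP UDP"       mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=TCP port=636  name="LDAP over SSL"  mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=TCP port=3268 name="Global Catalog" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=TCP port=88   name="Kerberos TCP"   mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=UDP port=88   name="Kerberos UDP"   mode=ENABLE scope=SUBNET

rem 5. Review the result: every entry except "DHCP Server" should report
rem    a Subnet scope. Anything showing "All" other than DHCP is a mistake.
netsh firewall show allowedprogram
netsh firewall show portopening
```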

You now have Active Directory all set up and the necessary ports required to join computers to your new domain and begin managing users, computers, printers, and much more from a central location.

we got served wiki

Justin is a Linux and HTPC enthusiast who loves to try new projects. He isn't scared of bricking a cell phone in the name of freedom.

  • Published 04/4/11

Comments (13)

  1. AbbaDabba

WHS sets a default size for the primary hard drive of 20 gig, which is ridiculous. I guess the folks at Microsoft wanted to make sure you couldn’t run anything more than just WHS on the machine you set it up on. I used a partition manager and increased it to a more significant size so I could run things like a cloud backup service and an SQL server.

  2. Terry

    Would love to see something like this for Linux.

  3. JCL

Samba on Linux runs just fine doing this stuff. If you want menu driven and easy… look at http://www.zentyal.com

  4. ipm2

    ^bump^ Terry’s comment above…

I have a registered domain name, and am currently paying a hosting service to host my website. However, I just bought a mini shuttle box to be a music and eventual web server, running some distro of RedHat. Would love to see a post like this for Linux, or maybe even just a link to a good article on it.

    Thanks!

  5. wonki

    “Would love to see a post like this for Linux, or maybe even just a link to a good article on it.”

    Try freenas http://freenas.org/ this can run active directory.

  6. ipm2

    Thanks for the tip wonki – I’ll read up on it some…

  7. Ja5087

    Now I know how my school sets up domain login

  8. AbbaDabba

    One other question: you can’t use home connector, you erase all your users and you break your home page. Why would I want to do this? What benefits do I get from promoting it?

  9. frank

    Just a note. Yes putting the ad database on a separate spindle (physical harddisk) speeds things up, but Microsoft actually suggests two different drives be used. Like many databases, entries are first written to a log file then committed to the database. That way the logs can be replayed to recover from system errors/crashes. A better suggestion is to keep the database on the main drive and put the logs and some portion of your often used files on the second drive.

    Background

    If your pc server is fairly new, it probably has lots of reserve cpu “horsepower” and adequate RAM memory. Home/soho servers are often limited by not having enough drives (spindles) with fewer heads than enterprise class drives. Newer flash based drives will clear up part of this congestion. For now, hard drives are limited in how fast they can deliver or save data by how densely the data is stored, how many heads are simultaneously and independently in use, how many platters are in each drive, how fast the drives are spinning so the heads can read the data, how many spindles are in use at the same time, and a bunch of other stuff like ncq, etc.

In short, for lower end servers, use at least two identical drives. Set them up as RAID 1, which means they mirror each other for safety. Then if you have a 3rd drive, use it for the AD log files. And don’t forget to back up, preferably offsite.

  10. GReg

    Great tutorial, as I just installed my WHS – but… what is the purpose of all that, I know, I am server n00b, but what I can get by doing this. I have small firm with 3 desktops, 2 laptops, 2 network printers. Do I benefit from this, can someone just gimme some links, so I can read more on this?

  11. Drashna (WGS)

Specifically, the drive that the AD database/files are on has write caching forcefully disabled. This is to help prevent corruption, but it does slow down the disk. And every reboot will reset the setting to make sure caching is turned off. Using an SSD is a good idea for the AD files.

    Applying “Network Service” to the temp directories fixes the pages, but not the RDP Proxy (which is arguably the most important part). There is a hack listed at the WGS Wiki that will “update” and work around the issue with the RDP Proxy part (specifically, it’s not using the domain name when trying to authenticate, which on a domain setup causes it to fail). Between these two actions, the remote website will work 100% guaranteed!

  12. John Zajdler

    You should include the following from Drashna’s wiki to allow you to add computers using the WHS Console;

    Password Policies

One of the first things you may notice after promoting your server is that when you try to create new accounts, it may fail. By default Active Directory requires that all accounts have a strong password. Great for corporate security, but generally overkill for home users. And if you want to create an account with a less than strong password, you can’t. The solution is to change the default password policy to allow weak passwords. But this does lower the overall security in your newly created domain. But I’m going to show you anyways, because there will be those that want to know.
    1. Open “Domain Security Policy” in Administrative Tools (located in your server’s Control Panel)
    2. Open “Account Policies” and then “Password Policies”
    3. Open the settings for “Minimum password length” and set to “0”. DO NOT uncheck “Define this policy settings”, as that will reset the value and undo what we want to do.
    4. Open the settings for “Password must meet complexity requirements”, and set this to disabled. Again, leave the “Define this…” checked.
    5. Exit out of that and run “gpupdate /force”.

    This will immediately put the new password policy in effect and allow you to create accounts through the console with weak passwords.

  13. John Zajdler

With Active Directory installed, I added WDS. Windows Deployment Services allows me to put different OS images on my WHS. Since I am the family PC guy, if I need to reinstall any Windows OS onto a desktop or laptop, or especially a netbook without a CD drive, I can do a PXE boot into the server and install the OS without looking for the CDs.

Also, as Drashna suggested to me, I have a WHS PC restore image on the server, so if I need to do a WHS Restore to a PC, again I point to the WHS so I don’t need a physical CD.
