Active Directory
This section steps through the build tasks needed to create the Active Directory and Domain Name Server (ADDNS) server.
Order a virtual server
A virtual server of the following specification is suitable for an ADDNS server host and can be ordered using the instructions at Creating virtual server instances by using the UI.
- Profile: bx2-2x8
- Type: Public
- OS: Windows 2019
- NIC Qty: 1
- Data Volumes: None
Connect to the server
After the virtual server has been deployed, you need to attach a Floating IP address to it so that you can reach the server remotely; see Adding a floating IP address.
Refer to Connecting to Windows instances for how to retrieve the Windows Administrator password. In short, the following commands are run from your laptop, where the instances command returns the <INSTANCE_ID> of the virtual server:
ibmcloud is instances
ibmcloud is instance-initialization-values <INSTANCE_ID> --private-key @~/.ssh/id_rsa
Create the domain
To create a domain, the following commands are used, which:
- Install the AD features on the server using the Install-WindowsFeature command.
- Configure the AD forest. The WinThreshold value configures a Windows Server 2016 forest with the domain name <Domain_Name> (e.g. sqlserver.test) and the NetBIOS name <NB_Domain> (e.g. sqlserver). Create a password for <Safe_Mode_Admin_Password> that adheres to your standards. The server restarts and DNS is configured, including setting the DNS resolvers to 161.26.0.10 and 161.26.0.11 (the virtual server's network interface was already configured with these DNS servers).
$domainfull = "<Domain_Name>"
$domainnb = "<NB_Domain>"
$smpassword = "<Safe_Mode_Admin_Password>"
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "WinThreshold" -DomainName $domainfull -DomainNetbiosName $domainnb -ForestMode "WinThreshold" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -SafeModeAdministratorPassword (ConvertTo-SecureString $smpassword -AsPlainText -Force) -Force:$true
Create groups and users
The following PowerShell commands create a new AD group called SQL Admins, and a new user sqluser1 with a password of <Password>, which is added to the SQL Admins group. The <suffix> value is the last label of your domain name, e.g. com or local:
$password = "<Password>"
$domainnb = "<NB_Domain>"
$dnssuffix = "<suffix>"
$path = "CN=Users,DC=" + $domainnb + ",DC=" + $dnssuffix
New-ADGroup -Name "SQL Admins" -SamAccountName SQLAdmins -GroupCategory Security -GroupScope Global -DisplayName "SQL Administrators" -Path $path -Description "Members of this group are SQL Administrators"
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
New-ADUser -Name "sqluser1" -AccountPassword $secpassword -Enabled $true
Add-ADGroupMember -Identity SQLAdmins -Members sqluser1
The following PowerShell commands create a new AD group called SQL Service, and a new user sqlsvc with a password of <Password>, which is added to the SQL Service group. The <suffix> value is the last label of your domain name, e.g. com or local:
$password = "<Password>"
$domainnb = "<NB_Domain>"
$dnssuffix = "<suffix>"
$path = "CN=Users,DC=" + $domainnb + ",DC=" + $dnssuffix
New-ADGroup -Name "SQL Service" -SamAccountName SQLService -GroupCategory Security -GroupScope Global -DisplayName "SQL Service" -Path $path -Description "Members of this group are service accounts for SQL"
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
New-ADUser -Name "sqlsvc" -AccountPassword $secpassword -Enabled $true
Add-ADGroupMember -Identity SQLService -Members sqlsvc
If you want to use alternative service accounts, see Managed Service Accounts, Group-Managed Service Accounts, and Virtual Accounts.
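The two group-and-user blocks above follow the same pattern, so as an added example (not part of the original page) here is one function that performs both, with the password read as a SecureString instead of being kept in a plaintext variable, and the Users container derived from Get-ADDomain rather than built from <NB_Domain> and <suffix> by hand. It assumes it runs on the new domain controller with the ActiveDirectory module that -IncludeManagementTools installed above; the function name is chosen here.

```powershell
# Added example: create an AD group and a member user in one idempotent step.
# Assumes the ActiveDirectory module is present (installed by -IncludeManagementTools).
Import-Module ActiveDirectory

function New-SqlAdGroupWithUser {
    param(
        [Parameter(Mandatory)] [string] $GroupName,        # e.g. "SQL Admins"
        [Parameter(Mandatory)] [string] $GroupSam,         # e.g. "SQLAdmins"
        [Parameter(Mandatory)] [string] $GroupDescription,
        [Parameter(Mandatory)] [string] $UserName,         # e.g. "sqluser1"
        [Parameter(Mandatory)] [securestring] $Password,   # never a plaintext string
        [bool] $ChangePasswordAtLogon = $false             # $true for people, not services
    )
    # Take the DN from the domain itself; "DC=<NB_Domain>,DC=<suffix>" only works
    # for two-label domain names.
    $domain = Get-ADDomain
    $path   = "CN=Users," + $domain.DistinguishedName

    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupSam'")) {
        New-ADGroup -Name $GroupName -SamAccountName $GroupSam -GroupCategory Security `
            -GroupScope Global -DisplayName $GroupName -Path $path -Description $GroupDescription
    }
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
        New-ADUser -Name $UserName -SamAccountName $UserName `
            -UserPrincipalName "$UserName@$($domain.DNSRoot)" -Path $path `
            -AccountPassword $Password -Enabled $true `
            -ChangePasswordAtLogon $ChangePasswordAtLogon
    }
    Add-ADGroupMember -Identity $GroupSam -Members $UserName

    # Return the actual membership so the caller can verify the result.
    Get-ADGroupMember -Identity $GroupSam | Select-Object -ExpandProperty SamAccountName
}

# Prompt for each password; the SecureString goes straight to AD and never into history.
$adminPwd = Read-Host -Prompt "Password for sqluser1" -AsSecureString
New-SqlAdGroupWithUser -GroupName "SQL Admins" -GroupSam "SQLAdmins" `
    -GroupDescription "Members of this group are SQL Administrators" `
    -UserName "sqluser1" -Password $adminPwd -ChangePasswordAtLogon $true

$svcPwd = Read-Host -Prompt "Password for sqlsvc" -AsSecureString
New-SqlAdGroupWithUser -GroupName "SQL Service" -GroupSam "SQLService" `
    -GroupDescription "Members of this group are service accounts for SQL" `
    -UserName "sqlsvc" -Password $svcPwd
```

Each call prints the group's members, so a missing sqluser1 or sqlsvc in the output is an immediate sign that a step failed.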
Configure the NTP server
To synchronize time automatically from the IBM Cloud NTP server, run the following commands:
w32tm /config /manualpeerlist:"161.26.0.6" /syncfromflags:MANUAL /update
net stop w32time
net start w32time
w32tm /query /status