...

A Local User account can have the same userid as a Domain account. The Domain account is referred to by the fully qualified name of domainname\userid. In the YALE Domain, YALE\bellman is a Domain account, and it is entirely different and completely unrelated to the Local Users BOOJUM\bellman and SNARK\bellman. They have different home directories, own different files, and have different permissions (because they have different SIDs).

Your Own Domain Controller

You can only create an AD on a Windows Server machine. It can be a real computer or a VM. Yale’s site license allows anyone at Yale to run Windows Server, but it is not a very good choice for a personal computer. Traditionally Windows Server lacks support for many consumer-oriented features. It doesn’t support Webcams for meetings, and by default all audio support is turned off so you have to reconfigure to hear anything. There is no Windows Store, and WiFi isn’t a type of networking that Servers need.

Windows Server 2025 will enable a lot of these features and might become a more reasonable choice for adventuresome end users. It is also the easier choice if you download the disk image and install it in a VM.

When you launch Windows Server for the first time, Server Manager comes up. This is a GUI interface for adding Features and Roles like AD. Click “Local Server”, the second entry in the list in the left margin. Here you can click on and change settings such as the randomly generated Computer Name (which defaults to something like “WIN-0E37EN6I3U6”) and the Time Zone (which defaults to Pacific). For this example, we give the Server a Computer Name of FIT.

Before you create the AD, you should create Local Users who are going to be in the Administrators group of the Server. Every Yale Managed Workstation is a member of the YALE Domain. Other computers and VMs can be added to the YALE Domain, though it is best if you administer a departmental OU and can create a “new computer” object with that hostname in that OU before you join them to the Domain. When you have two systems in the Yale OU, you can use and test most Domain identity features.

Your Own Domain

You can only create an AD on a computer or VM running Windows Server. It takes about 10 minutes to install the VM from an ISO image file (or you can download a VHDX file where it is already installed). You can then install your own AD with two PowerShell commands. Unless you really want to learn about ADs, or you need to test a program that manages them, having your own AD is probably more trouble than it is worth.

Yale’s site license allows us to run as many copies of Windows Server as we want, so there is no cost to installing it in a VM. It is not an attractive choice as the primary system on the first two or three personal computers that you own because it lacks a few consumer-oriented features. Windows Server 2025 will be better, but traditionally Server expected to run unattended in a machine room and lacked good WiFi, audio, webcam, and drivers for some devices. Don’t plan on using it for Zoom meetings.

Windows Server 2022 looks like Windows 10. Server 2025 looks like Windows 11 and can, for the most part, be configured and managed the same way that you manage a desktop.

The instructions for adding AD to a Windows Server VM are covered in detail in Howto Create Standalone AD Server - Identity and Access Management - Confluence (atlassian.net).

A Domain needs a DNS name and a nickname. We will call this one yu.yale.sandbox with nickname HUNTING.

When the DNS Server Role was added, Windows tells it to forward all requests it cannot resolve internally to the same external DNS server that

That is because when you create the AD, they also become Domain Admins. This initial group of admins becomes especially useful because they are both Local Users and Domain Users at the same time. This will allow you to use either Workgroup Authentication or Domain Authentication to connect to this Server and access files or services (including AD Admin services). We create a user named “bellman”, or to be precise “FIT\bellman”.
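The steps above (rename the Server, create the Local User who will be an admin, add the AD DS role, promote to a Domain Controller, then check the DNS forwarder), as an added PowerShell example that is not part of this page or of the linked Confluence how-to. The names are the page's own (FIT, bellman, yu.yale.sandbox, HUNTING); the forwarder address 192.0.2.53 is a placeholder, and it is my assumption that the “two PowerShell commands” the page mentions are Install-WindowsFeature and Install-ADDSForest.

```powershell
# Added example, not from the page. Run in an elevated PowerShell on the
# fresh Windows Server VM. The steps are separated by reboots, so run them
# as three sittings rather than as one script.

# --- Sitting 1: replace the generated WIN-xxxx name before promotion.
# Renaming a machine after it becomes a Domain Controller is painful.
Rename-Computer -NewName 'FIT' -Force -Restart

# --- Sitting 2 (after reboot): create the Local User who will administer
# the Server. Members of the local Administrators group at promotion time
# are the accounts the page says you can use for either Workgroup or
# Domain Authentication afterwards.
$pw = Read-Host -AsSecureString -Prompt 'Password for FIT\bellman'
New-LocalUser -Name 'bellman' -Password $pw
Add-LocalGroupMember -Group 'Administrators' -Member 'bellman'

# Install the AD DS role plus the RSAT tools (ADUC, the ActiveDirectory module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote to the first DC of a new forest. -InstallDns adds the DNS Server
# role the page describes; the DNS name and nickname are the page's.
# The DSRM password is a separate, offline-recovery credential: pick one
# you will not reuse anywhere else.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'yu.yale.sandbox' -DomainNetbiosName 'HUNTING' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
# The Server reboots on its own when promotion finishes.

# --- Sitting 3 (after promotion): log on as HUNTING\bellman.
# Show the forwarder the promotion wizard copied from the NIC's DNS setting,
# and replace it if it is not the external resolver you want.
Get-DnsServerForwarder
Set-DnsServerForwarder -IPAddress 192.0.2.53   # placeholder address, not a real resolver

# Confirm which Domain groups the former Local Admins now belong to.
foreach ($g in 'Administrators', 'Domain Admins') {
    "== $g"
    Get-ADGroupMember -Identity $g | Select-Object Name, SamAccountName, objectClass
}
```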

...