Step-by-step install Windows Server Essentials 2012 R2 with non local domain

In recent years it has become best practice not to deploy a .local domain in any environment. The main reason is that since November 1 2015 it is no longer possible to have .local domains in public certificates. This also applies to small environments, because we use those certificates there as well (for example in Remote Desktop Services, Exchange, Remote Web Workplace…). On the other hand, it is also not a good choice to give the internal domain the same name as the external one. For the internal domain name, I suggest choosing a subdomain of the public domain name. For example, we can use company.com as the public (external) domain name and internal.company.com as the internal (Active Directory) domain name.
When you install Essentials Server 2012 R2, you are not able to choose the internal domain name you want; it is simply your NetBIOS domain name with a .local extension at the end, exactly the type of extension we want to avoid.
Here is a step-by-step guide to installing Essentials server with different, more accurate options. In the example below, we will install Essentials server with the NetBIOS domain name MyCompany, the AD domain name Internal.Mycompany.com, the server name MyServer and the company name MyCompany. In your installation, change these values to the ones you want.

The installation begins with a normal server installation from media. After the server restarts, the Configure Windows Server Essentials wizard appears, and you can see that it offers no place to enter your AD domain name (picture 1).

Picture 1
At this point, just close the wizard with Cancel (picture 2).

Picture 2
Open PowerShell as Administrator and enter the following command:
Start-WssConfigurationService -CompanyName "MyCompany" -DNSName "Internal.MyCompany.com" -NetBiosName "MyCompany" -ComputerName "MyServer" -NewAdminCredential $cred -Setting All
An explanation of all the switches used is available on TechNet. Enter your AD administrator credentials in the window that appears. This will be the new administrator, the same one you would configure in the Essentials server wizard (picture 3).

Picture 3
When the system asks whether you want to continue the Essentials server configuration, just answer Y (picture 4).

Picture 4
Exit PowerShell and the server will restart. After this, when you log in, you will see the Configure Windows Server Essentials wizard run. You just have to wait for it to finish. At this point the wizard has all the information it needs and you are not able to change it (picture 5).

Picture 5
This is all you need to do. As you can see in picture 6, we have now installed the server with a non .local domain and with all the settings we want.

Picture 6
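
A pre-flight check for the values passed to the command above, as an added example that is not part of the original article or of Windows Server. Test-EssentialsDomainPlan is a hypothetical helper name; the rule about the administrator name is taken from what commenters on this page report, and the DNS label and 15-character NetBIOS limits are general naming rules.

```powershell
# Added example. Test-EssentialsDomainPlan is a hypothetical helper, not a Windows cmdlet.
function Test-EssentialsDomainPlan {
    param(
        [Parameter(Mandatory)] [string] $DNSName,
        [Parameter(Mandatory)] [string] $NetBiosName,
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $AdminUserName
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $labels = $DNSName.TrimEnd('.').Split('.')

    # The reason for this procedure: no single-label and no .local AD domain name.
    if ($labels.Count -lt 2) { $problems.Add("'$DNSName' is a single-label name.") }
    if ($labels[-1] -ieq 'local') { $problems.Add("'$DNSName' ends in .local.") }

    # DNS labels: letters, digits, hyphens; 1-63 characters; no hyphen at either end.
    foreach ($label in $labels) {
        if ($label -notmatch '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$') {
            $problems.Add("DNS label '$label' is not a valid host name label.")
        }
    }

    # NetBIOS domain names and computer names: at most 15 characters, no reserved characters.
    foreach ($name in $NetBiosName, $ComputerName) {
        if ($name.Length -gt 15) { $problems.Add("'$name' is longer than 15 characters.") }
        if ($name -match '[\\/:*?"<>|]') { $problems.Add("'$name' contains a reserved character.") }
    }

    # Commenters on this page report "Type a different name" when the new
    # administrator is called "administrator"; catch that before the cmdlet does.
    if ($AdminUserName.Split('\')[-1] -ieq 'administrator') {
        $problems.Add("The new administrator account must not be named 'administrator'.")
    }
    $problems
}

# Values from the article; replace them with your own.
$plan = @{
    CompanyName  = 'MyCompany'
    DNSName      = 'Internal.MyCompany.com'
    NetBiosName  = 'MyCompany'
    ComputerName = 'MyServer'
}

if (Get-Command Start-WssConfigurationService -ErrorAction SilentlyContinue) {
    $cred = Get-Credential -Message 'New domain administrator account'
    $issues = @(Test-EssentialsDomainPlan -DNSName $plan.DNSName -NetBiosName $plan.NetBiosName `
            -ComputerName $plan.ComputerName -AdminUserName $cred.UserName)
    if ($issues.Count -eq 0) {
        Start-WssConfigurationService @plan -NewAdminCredential $cred -Setting All
    } else {
        $issues | ForEach-Object { Write-Warning $_ }
    }
} else {
    # Cmdlet not present on this machine: run the checks on constructed bad values only.
    Test-EssentialsDomainPlan -DNSName 'mycompany.local' -NetBiosName 'MyCompanyHeadOffice' `
        -ComputerName 'MyServer' -AdminUserName 'Administrator'
}
```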

47 comments found on “Step-by-step install Windows Server Essentials 2012 R2 with non local domain”

  1. Is it possible to use a domain name such as “myown.mx” in the -DNSName “Internal.MyCompamny.com”?

    1. Hi,
      Of course. You can use any domain name, but my suggestion is to use a subdomain of the publicly used company domain.

      1. Well, I’ve tried with a domain and suffix .mx but it doesn’t permit so!!
        Any suggestion?

      2. Thanks for your answer! I tried with a different domain name (as well as subdomains) and it seems like it does not allow me to use the .mx suffix.

        If I use something like “subserver.myown.com” it’s OK for the setup process …
        It reports an error if I add the “.mx”. Do you know if it is restricted?

        Or can you try and test this example: “subdmntest.myown.com.mx”?
        Thank you very much for your help!

        1. Hm, I don’t know why. The “.mx” domain is just a domain. Maybe it was something wrong with resolving it? Internet connection?

  2. I found this article and have used the technique 3 times now. I was thrown by the fact that the “Enter your AD administrator credentials in the window that will appear. This will be the new administrator – the same as you configure it in the Essential server wizard” REQUIRES an answer DIFFERENT than the “administrator” login created when first installing Windows 2012r2. Once I got past trying to figure out what the error message was all about and put in a different user name and password (I am NOT joining this to an existing domain so I am setting up a new AD Administrator), it worked exactly as expected.

    There is a noticeable time delay between when you exit PowerShell and the system reboots. Something that is a little disconcerting after just seeing several errors (because of the user/password misunderstanding) and wondering if something is broken.

    Third time’s the charm! 🙂

    Thank you very much for this article. I wonder why the world is not beating down your door. I have chosen to register a second “short as possible” domain.net for my clients to use as their internal domain. I also use the “short” domain name for their Office 365 account initial internal domain.

    Randy

  3. Thanks for this tip – extremely useful. I have been testing it for use with a Windows 2012 R2 Std on which the Essentials Experience role has been enabled (not a Windows 2012 R2 Essentials SKU). So this is a Windows 2012 R2 Std install with the Essentials Experience role installed, then a reboot performed and then the PowerShell script is run. It works well with one or two small changes that I would like to document here in case anyone else stumbles across this blog page.

    1) The server rejects the -Setting All parameter for some reason. I omitted it in the end because it is simply the Windows Updates config which you can do later in the GUI.

    2) I discovered that whatever I did, the server completely ignored the -ComputerName “MyServer” parameter. When the server rebooted the server name had not changed. This was annoying because once AD is installed, you can’t change the server name through the GUI. I believe there may be some registry hack or script you can use to change the name but this seems unclean. So, I started again and simply named the server to my required name when it was in workgroup mode, then ran the script. I kept the parameter in the script, just in case, but reading TechNet, it seems it’s not required, so you can probably leave it out.

    So this is the script I used:

    Start-WssConfigurationService -CompanyName "MyCompany" -DNSName "Internal.MyCompany.com" -NetBiosName "MyCompany" -ComputerName "MyServer" -NewAdminCredential $cred

    And as Randy says, there is a noticeable time delay between closing PowerShell and the server rebooting – it appears as though nothing is happening but just leave it and it will reboot (you can check Task manager to see that it is indeed doing something behind the scenes).

    1. Thank you for the comments.
      You are totally right.
      1. As you write, this is a Windows Update setting and can be changed later without any problem. The success of this setting of course depends on many things (internet connection, …) and can fail.
      2. True. My mistake. The DC name cannot be changed, but you can use the same script if you want to install a new domain on Essentials server (if you don’t want a .local domain). There you need to specify a computer name.
      Thank you for the comment.

    2. I think the -ComputerName command didn’t work because of the “double quotes” around the name. Try it without the quotes. I did and it worked for me.

      1. Could be true. Yes, you can use it without quotes, but it is better to use quotes, as in this case you can use any symbol (and often more than one word).
        You should use double quotes, but unfortunately it often happens that formatting text with MS Word or another word processor changes the normal double quote symbol to something similar. In this case you have to type the quotes manually.

  4. This article was found after trying to use an answer file a few times, thanks for writing it. I had no errors and now I am having trouble after reboot joining PCs to the corp.company.com
    Anyone else have this? To me it sounds like a DNS lookup issue but I see nothing wrong.

  5. Figured it out, small office, everyone was on wifi and I didn’t have the server as primary DNS!!
    Thanks again for the instructions, can’t believe MS just didn’t allow the .com in the first place.

    1. I don’t really agree with you. If you have a server in the company, it is always the best choice to use this server as DNS.
      Otherwise, if you are looking at a company without a server, then this article is not for you and it doesn’t matter if it is on a wireless or wired network. As far as I know, all access points and routers have an option to disable DHCP and change the DNS server.

  6. After running this command upon reboot I’m finding I have no active directory users and computers tools and I cannot edit group policies on the domain, almost like I’m not a full admin for some reason. Anyone else run into this?

    1. Something went wrong during the installation. The installation in this mode could not modify the installation of ADDS tools or roles.
      In any case, you can try to add these snap-ins manually, but I am afraid that there are more problems in the installation.

      1. My bad, I made too many changes at once it seems. I had a few dozen updates still pending reboot when I ran the PowerShell command, I let it reboot and it finished the updates. After the reboot I had some issues, no ADDS tools (found an article that says the PowerShell doesn’t add them like the wizard does, so added them manually).

        I had other strange issues, couldn’t authorize DHCP server, error said it couldn’t find AD. Couldn’t edit the 2 default group policies. (edit greyed out)
        I had a robocopy running so didn’t want to reboot until it was done but the good old “Did you reboot it?” seems to have solved the strangeness. After a second reboot I can auth the dhcp and edit gp.
        Hopefully this helps someone else!

  7. I am installing Windows 2012 Essentials that came with my new Dell R320 server and I can perform the Cancel as you describe. It only has back and next.

    What am I missing? I really need this to be a .com server. I had found steps to change it later, but I worry there will be lingering issues later.

    Thoughts?

  8. I am trying to use your script, but I keep getting an error message saying Start-WSSConfiguraitionService does not exist.

    I am doing it a bit differently. My install CD does not allow me to exit where yours does, so I was following James’s post about doing it after the install and the restart. But as I said it keeps saying that it is not a valid program script.

    1. You have to install the complete server from CD! You have to break the role installation after the logon to the server is done.

  9. Unfortunately, all I have in my server 2012 essentials installation is “back” and “next”. Why don’t I have cancel?

    1. You can exit from that window in many modes. You can close it, from Task Manager,…
      Just use one of them.

  10. Elvis, I still have the same issue as Chris Hall… I let the installation complete but at no point is it accepting the Start-Wss… cmdlet. Is it the difference between Essentials plain and Essentials R2?

    1. If you are talking about the difference between Essentials 2012 and Essentials 2012R2, the answer is yes. There is a difference.
      It should be done in a different way on Server 2012 – answer file.

  11. What am I missing?

    A .local domain is simply a nuisance for Macs. I could have a public domain name acme.com, name the internal DNS domain acme.lan, have a server on the local network named mail.acme.lan, buy a certificate for it named mail.acme.com, with a firewall that routes the mail ports to it, and a resource record in the public acme.com zone that points to the firewall.

    Using a public internal domain name, I could sub it using the identifier of the closest airport, such as lax.acme.com, with mail on the local network hosting a certificate named mail.lax.acme.com. I still need to add a resource record in the public acme.com zone for mail.lax.acme.com that points to the firewall. I probably wouldn’t want to name something used publicly, internal.acme.com or lan.acme.com, nor would I want to expose the internal zone to the Internet.

    I don’t know why anyone would want to buy a cert for mail.acme.lan even if they could. The problem is you cannot access it from anywhere but the local area network without getting a warning. On the other hand, a cert that uses an Internet routable name can be used anywhere, including on internal networks that use non-routable names such as .local and .lan. So other than the Apple issue with .local, I don’t see where it makes much difference, and something like acme.lan is pretty simple.

    So help me out, what am I missing?

    1. Hi,

      With a .local domain you will have problems with Macs (for now) and with public certificates – exactly as you mentioned. I don’t know what exactly you want to tell me with the mail.acme.lan certificate.
      The answer is simple: As is described in best practices, one of the solutions for the internal domain name is a subdomain of the existing external domain (for example internal.acme.com). You need a certificate for access to the internal website through https and it must have the same CN that you published in the external DNS servers. It can be whatever you want – like myoffice.acme.com, but the Essentials server wizard will create the zone for that record (in my case myoffice.acme.com) with a root A record. This record is needed to resolve this DNS name from the LAN.
      Hope this answer will help you.

  12. What I meant is 3rd party certificates do not need to match the server name nor internal network name. It can be anything you like, including your external internet domain name.
    Thanks!

  13. Thank you for taking the time to talk through this. It works either way whether you do a .lan or a .com. However, I am seeing the merit of the sub domain now.

    – With the .lan approach, you can have a server named server.acme.lan internally, and install a certificate on it named server.acme.com. Internal and external users can do an NS lookup on server.acme.com, which is a single resource record on the public dns, which will return the IP of the Internet router, and be NATed to server.acme.lan. Since the cert matches, everyone is happy. However, the router is involved to NAT or consulted for the internal address. If you lose the connection to the outside, you can no longer resolve the local resource.

    – With the subdomain approach, you have a server named server.lax.acme.com, a cert named server.lax.acme.com, and two resource records, one private and one public. The private one contains “server” and the private IP address, and the public DNS faking it with a resource named “server.lax” which associates it with a company public address that usually gets NATed to the internal address. This requires two resource records, like a typical split-brain. The flaw in my thinking is I was thinking delegation, which can’t work as-is, and exposes the private DNS. It’s true, with the sub domain method you have to maintain two resource records like a split brain, but local users are not dependent on the public zone to resolve local shared resources, and the same resource has the same FQDN everywhere, so it’s still a better way to go.

    I’ve done split-brain before also. The advantage of the sub domain method is that it is much simpler to prevent multiple resources from having the same FQDN, and the DNS can be self-documenting if you use the location for the sub domain.

    This all strengthens what you wrote. It is not possible to look intelligent while making an argument for .local. Not allowing users to spec the internal domain name is also indefensible. I’ve decided to use the location for the sub domain from now on. Moreover, just because it is Essentials doesn’t mean that it will not grow into Standard or Enterprise.

    Thanks!

  14. The easiest solution is to exit the configuration wizard when it starts.
    Open Server Manager and add the AD role.
    Configure AD as you would any new domain.
    Reboot the server.
    Now when the Essentials wizard starts, it will tell you that the domain already exists and configure Essentials for that domain.

  15. So why did Microsoft design server essentials to set itself up in this way? What issues will I face leaving the default domain configuration? Can you explain a little more about how this will affect applications using certificates as mentioned?

  16. Thanks for the guide, it worked after tweaking the command a little.
    The server essential would take too long at the time of adding the next user after the 75th user.
    Virtually you cannot add a 76th user through the essential dashboard.

    I am still looking for a way to avoid installing server essential. I guess we could have better control if we go without essential altogether. But essential gets the server ready very quickly without knowing much about configuration tasks.

    1. Well, you can use a standard server with the Essentials role. This makes it possible to have more than 75 users and the Essentials functionality.
      You can also use Active Directory Users and Computers for managing users.

  17. Hello there,
    I have tried your script in order to move away from .local.
    However, I keep on getting this error on powershell.
    Command used :
    Start-WssConfigurationService -CompanyName “DECA” -DNSName “dc.decacalgary.com” -NetBiosName “DECA” -ComputerName “SV-DECA” –NewAdminCredential $cred -Setting All

    Error :
    Start-WssConfigurationService : Type a different name
    At line:1 char:1
    + Start-WssConfigurationService -CompanyName “DECA” -DNSName “dc.decacalgary” -Net …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (administrator:String) [Start-WssConfigurationService], ArgumentExcepti
    on
    + FullyQualifiedErrorId : ValidatorUserUniqueInfo,Microsoft.WindowsServerSolutions.Setup.Commands.InvokeEssentials
    ConfigureServiceCommand

    Can somebody please help me, what am I doing wrong? Thanks

    1. It should work. From what I can see in your reply, I suspect the quotes.
      Sometimes just copying and pasting can produce a wrong character.

  18. @Kapil Bharwdwaj please enter some other username (not administrator) when it asks for the credential after executing the script.
    @elvis I am installing the role. Yes, it allows you to add more than 75 users but practically it takes too long to add users after the 75th.

  19. First off, I am not a professional IT person. I purchased a server from Dell for our extremely small business. It came with WS 2012 R2 Essentials already installed. Please note, the main reason I got this server was for a design software we use that must utilize SQL Server in order for all the workstations to share the data files. The software company came to set things up for me and said we can’t install SQL Server 2014 on a domain controller (still a bit over my head as to why). My question is as follows:
    – Is there a way to format the server and reinstall WS 2012 R2 E without making it a domain controller so the SQL Server 2014 will work?

    1. Hi Josh,

      To be honest, it is not a good idea to install SQL Server on a domain controller, and I prefer to add a second server to the environment as the DB server.
      But if you are really a small organization and you have a small SQL DB, you can install the Express edition on Essentials. It is not the same as the Standard edition and some software cannot use this edition; you will have some limitations like the 10GB database size – anyway, in many cases that is OK. Ask them about this option.
      Can you format this server? I don’t know, as I am not working with Dell servers, but I suppose yes. Your license in this case is for Essentials server, and even if you format and reinstall the server, it will just be a new Essentials server with the same roles and same functions – so nothing will change, you will still have a domain controller. Essentials server must be a domain controller.

      Elvis

  20. This did not work. I tried the command for Windows Server 2016 Essentials and it simply did not work. Errors like company name exists, invalid admin string. Will this work on Server Essentials 2016?
