Additional requirements

Apart from the physical or virtual resources requirements, there are other factors to consider before installing the first domain controller:

  • Operating system version and installation mode: Windows Server 2016 is available in Standard and Datacenter editions, and the edition determines the server's capabilities. AD DS is a core feature that does not depend on the edition, but it is important to arrange the required licenses for the Active Directory domain controllers in advance.
    Windows Server 2016 supports three installation modes. Server with Desktop Experience is the standard installation with a GUI; server roles and operations can be managed either through the GUI or from the command line. Server Core also supports AD DS. Server Core has no GUI, which reduces the operating system footprint and, with it, the attack surface of the identity infrastructure. Nano Server mode was introduced with Windows Server 2016. It is similar to Server Core but optimized for private clouds. Its OS footprint is lower than that of Server Core, it only allows 64-bit applications, and it only allows remote administration. At the time of writing this book, Microsoft Nano Server does not support AD DS. Before installing the domain controller, decide on the server operating system version and installation mode, as system prerequisites and licensing change based on that decision.
  • Design document: Documentation is crucial in any system implementation. Before starting the installation process, produce a document including the Active Directory physical and logical topology, risks, technologies in use, and so on.
    It is recommended to get the documentation approved by authorized people before deployment. It helps everyone to agree on one design and refer to it whenever required. It also creates a starting point for future identity infrastructure changes.
  • Domain and forest names: During the AD DS installation, we need to specify the domain name and the forest name. In an organization, it's important to agree on these names with management before starting the installation process. This information can be added to your Active Directory design document and submitted for approval. A year ago, I wrote an article on my blog about the Active Directory domain rename process. Engineers write to me if they require any further guidance regarding the rename process, and I am always curious to find out the reason for a domain rename, as it's not normal. One of the instances was very interesting. It was a large organization, with nearly 500 users. They changed their business name and wanted to create a separate forest and domain structure, and move users over to it along with resources in a merged company. They hired an engineer to do it. The engineer created a new Active Directory structure and moved more than 400 users and devices over to the new structure. After a few weeks, the management came back and said that instead of using .com in the primary domain, they would prefer to use the .ca domain name. Even after long discussions, the company still didn't change its mind and wanted to remove the .com domain name. Although this sounds like a small task, it can have a big operational impact.
  • Dedicated IP address: It is recommended that domain controllers operate with static IP addresses. Before installation begins, assign static IP addresses to the domain controllers and test the connectivity. Active Directory domain controller IP addresses can be changed later if required, but it is recommended to avoid that as much as possible.
  • Monitoring: Once the AD DS service is installed, we need to monitor system performance, replication health, and component and service integrity to identify potential service impacts and bottlenecks. Microsoft System Center Operations Manager (SCOM) and Microsoft Operations Management Suite (OMS) are the recommended monitoring tools, as they include modules designed specifically to identify both service-level and security issues.
  • Backup/disaster recovery: High availability of the identity infrastructure is a must for organizational operations, as many services, applications, and other business components depend on it. Therefore, we need to plan how to keep the identity infrastructure functioning during a disaster with minimum operational impact. There are different technologies and services that can be used to back up Active Directory domain controllers, and some of those will be evaluated later on in this book. After deciding on the solution, also plan for periodic DR tests to verify that the solution still works.
  • Virus protection in domain controllers: As with any other system, domain controllers can also be infected by malicious code. There is debate about whether an Active Directory domain controller should have antivirus software installed or not, but in Microsoft documentation, I have never found anything saying it should not have antivirus software. Always refer to your antivirus solution provider and check whether the solution is supported for protecting Active Directory domain controllers.
    Once I was working on an Active Directory upgrade project for a world-leading bank. Everything went smoothly, and after project closure, one morning I received a call from their support team about the domain controllers' replication. When I checked, I found out that they had installed antivirus software on the domain controllers and it was preventing DFS SYSVOL replication between domain controllers. Therefore, follow the relevant guidelines from your service provider before antivirus installations.
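The static addressing, connectivity and replication-health checks the list above calls for, as an added PowerShell example that is not from the book; the adapter alias, addresses, port list and the existing domain controller name are assumed values for illustration.

```powershell
# Added example (not from the book): pre-promotion checks for a prospective
# Windows Server 2016 domain controller, run locally in an elevated PowerShell.
# The adapter alias, addresses and existing DC name are assumed values.
$Adapter      = 'Ethernet'                # assumed NIC alias
$StaticIP     = '10.0.0.10'               # assumed address for this DC
$PrefixLength = 24
$Gateway      = '10.0.0.1'
$ExistingDC   = 'dc01.corp.example.com'   # assumed existing DC (omit for the first DC)
$ExistingDcIP = '10.0.0.5'                # assumed DNS server for this host

# 1. Dedicated IP address: a DC must not depend on DHCP. Convert the adapter to a
#    static address only if it is still DHCP-assigned, then point DNS at an existing DC.
$ifIndex = (Get-NetAdapter -Name $Adapter).ifIndex
$ipIf    = Get-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4
if ($ipIf.Dhcp -eq 'Enabled') {
    Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Dhcp Disabled
    New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $StaticIP `
        -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
}
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $ExistingDcIP

# 2. Connectivity test: the ports a new DC needs to reach an existing one for
#    DNS, Kerberos, RPC endpoint mapper, LDAP(S), SMB (SYSVOL) and the global catalog.
#    Anything reported BLOCKED here will surface later as a replication failure.
foreach ($port in 53, 88, 135, 389, 445, 636, 3268) {
    $r = Test-NetConnection -ComputerName $ExistingDC -Port $port -WarningAction SilentlyContinue
    '{0,-5} {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Role prerequisite: confirm the AD DS binaries are installed before promotion.
Get-WindowsFeature -Name AD-Domain-Services | Select-Object Name, InstallState

# 4. Replication health (run once this server has been promoted). A host agent that
#    interferes with SYSVOL/DFSR traffic shows up here as a growing FailureCount
#    against one partner rather than as an obvious error on the agent itself.
Import-Module ActiveDirectory
Get-ADReplicationFailure -Target $env:COMPUTERNAME |
    Select-Object Partner, FailureCount, FirstFailureTime, LastError
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

Sections 1 to 3 are run before promotion and section 4 afterwards; a non-zero LastReplicationResult for a single partner is the first thing to compare against the antivirus and firewall configuration on that pair of servers.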