Windows Server 2008 : Promote Servers as Domain Controllers

10/29/2010 7:24:50 PM

An Active Directory domain begins with the installation of a single DC. To ensure that the first controller will work, however, you might need to make decisions about your DNS infrastructure. If you have one already, you need to ensure that it is ready for Active Directory. If you do not have one, you may choose to install DNS when you install your first DC.
However, you also need to consider the installation of additional DCs and possibly RODCs. You will need to design your forest (starting with its name) and possible child domains. (As you read the previous section, you learned about sites and physical boundaries that may come into play.) You may also want to install DCs through an unattended installation with answer files. Yes, it can all become quite complicated.

But let’s go back a step and install the first DC, with DNS included in the installation.

Install the First DC of the Forest

Although there are a variety of different ways to set up DCs, in setting up this first one, you are going to start with the basics:

1.	To begin the process, from a Windows Server 2008 system that is acting as a member server (that is, not running AD DS), click Start and enter dcpromodcpromo command at an earlier time and cancelled the operation. in the Instant Search pane (or in the Run dialog). The system checks whether AD DS binaries are installed, and then it installs them. These might already be installed if you ran
2.	On the Active Directory Domain Services Installation Wizard startup screen (shown in Figure 1), click Next or select the checkbox Use Advanced Mode Installation and then click Next. (You might want to check the box because you might want to see some of the valuable configuration screens that are added to the installation.) Figure 1. The Active Directory Domain Services Installation Wizard.
3.	If you have selected advanced mode, you see some information regarding OS compatibility (because of the improved security settings in Windows Server 2008). Read the information and click Next.
4.	Under Choose a Deployment Configuration, because this is the first DC in the forest, choose Create a New Domain in a Forest and click Next.
5.	Provide the fully qualified domain name (FQDN) of the new forest root domain (for example, corp.contoso.com). Normally, you’d think about your company name and the name you have registered and then, if you choose to use the same name, enter that here. In this scenario, however, enter primatech.com and click Next.
6.	The wizard checks to see if this name is already in use, and if it is not, it takes you to the Domain NetBIOS Name screen, which it fills in for you. Change it if you like and click Next.
7.	When you are asked to set the forest functional level, choose Windows 2000, Windows Server 2003, or Windows Server 2008. Because this is a brand new forest, you would most likely want to choose Windows Server 2008 and click Next. Note As you select the functional level you want, you are shown details that indicate what features are being added with each choice. There are new features between the Windows 2000 and Windows Server 2003 options; however, there are no new features in choosing Windows Server 2008 over Windows Server 2003. The only valid distinction to keep in mind with choosing Windows Server 2008 is that you will be able to add to this forest only DCs that are running Windows Server 2008 or later.
8.	If you select Windows Server 2008 as the forest functional level, you do not see Set Domain Functional Level because it is automatically set to Server 2008. If, however, you did not choose Windows Server 2008, you need to choose a domain functional level and click Next.
9.	In the Additional Domain Controller Options page, choose to install DNS as an additional option. Because this is the first DC of the forest and/or domain, it is automatically a global catalog server, and that option is selected. There is another option to install as an RODC, but it will be disabled due to the fact that this is your first DC in a new forest and/or domain and therefore cannot be an RODC. In this case, you leave the default settings that install DNS with Active Directory and click Next. Note You may see a warning sign because the wizard is not able to create a delegation for the DNS server. In this case, because you are not integrating with an existing DNS server and are making this server a DNS server, you do not have to worry about this warning. Click Yes to continue.
10.	Provide the location for the database, log, and SYSVOL folders: Database: Stores information about the objects (such as users and computers) on the network Logs: Record activities related to Active Directory (such as object updates) SYSVOL: Contains Group Policy objects and scripts Each of these is important. Select locations (or leave the default) and click Next.
11.	On the Directory Services Restore Mode Administrator Password page, provide a password for the Administrator account that will be used when the DC is started in Active Directory Directory Services Restore Mode (AD DSRM). Make sure the password you use meets the complexity requirements, or you receive an error.
12.	On the Summary page, examine the settings you have chosen or click Export Settings to create an answer file for use with unattended Active Directory configurations. Click Next.
13.	A variety of different options are established (DNS, Group Policy Management Console installation, and so forth). When this process is complete, click Finish on the final screen.
14.	Restart the server, and the AD DS goes into action.

After you reboot the system, note the new tools available Administrative Tools. They include the following:

Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
ADSI Edit
DNS
Group Policy Management

Setting Up Additional DCs

To add more DCs to an existing forest (after the first DC has been created), you run the Active Directory Domain Services Installation Wizard again through dcpromo.

The difference with setting up an additional DC is that when the wizard brings you to the Choose a Deployment Configuration page, you now select Existing Forest, as shown in Figure 2.

Figure 2. Choosing a deployment configuration.

You can now choose to do one of the following:

Add a domain controller to an existing domain.
Create a new domain in an existing forest. (This server will become the first DC in the new domain.)
Create a new domain tree root instead of a new child domain.

On the Network Credentials page, type in the name of the domain you are looking to add this server to and indicate whether there are alternate credentials you want to use.

Note

To add a DC to a domain, you need to be a member of the Enterprise Admins group and the Domain Admins group for that domain.

You then select a domain and a site or choose the option Use the Site That Corresponds to the IP Address of This Computer.

When you come to the Additional Domain Controller Options screen, you need to decide whether you want to make this server a DNS server, a global catalog server, or an RODC.

On the Install from Media page, you would most likely choose Replicate Data over the Network from an Existing Domain Controller, unless you have a reason to choose otherwise.

On the Source Domain Controller page, you can choose Let the Wizard Choose an Appropriate Domain Controller or Use This Specific Domain Controller and choose the one you think is best.

Note

A replication partner imposes certain logical restrictions. For example, an RODC cannot be an installation partner. If you are installing an RODC, you need a DC that runs Windows Server 2008 for an installation partner. Only DCs within a domain can be installation partners for one another.

For the most part, the rest of the options and dialog screens in the wizard are the same as in the preceding section.

Install an RODC

Recall that an RODC is a DC that you might utilize when you are working with a branch office situation that doesn’t require write capability to the domain (and might be a security risk if you did use a traditional DC).

During the installation procedure, when you reach the Additional Domain Controller Options page, you can choose the Read-Only Domain Controller (RODC) option, as shown in Figure 3.

Figure 3. Choosing an RODC.

When you select this option, you need to select other options as well. You need to establish a password replication policy in the Specify the Password Replication Policy window, as shown in Figure 4. This policy determines which users and their user object information will be replicated to the RODC and stored locally. You can select Deny or Allow as setting choices.

Figure 4. The password replication policy.

Note

Typically you want to allow password replication for the accounts that belong in the site where the RODC is located. Then those accounts can authenticate locally against that RODC. However, accounts that are perhaps used only at main sites should not be replicated down to this RODC. It is recommended that you use global groups to control the replication and replicate only those accounts you need to replicate.

An interesting feature is the Delegation of RODC Installation and Administration page, where you can specify a user or group that can administer the RODC locally.

Install from Media

At times you might want to install from media for your DCs because the amount of data transfer over your network lines may be excessive. This is especially the case when you have remote locations with slow WAN links. Installation from Media (IFM) begins with the process of capturing the Active Directory database from an existing DC and then pulls it into your remote DC.

To capture the existing DC, you would use NTDSUTIL. There is some flexibility as to what you can capture. You can choose one of the following four options:

Create IMF media for a full AD DC or an AD LDS instance.
Create IMF media without SYSVOL for a full AD DC or AD LDS instance.
Create IMF media for an RODC.
Create IMF media without SYSVOL for an RODC.

Depending on which version you choose, you use the NTDSUTIL command on a DC to create the IMF.

When you are doing the installation, you come to the Install from Media screen (shown in Figure 5) where you can select Replicate Data from Media at the Following Location and select the location.

Figure 5. The Install from Media page.

Prepare an Existing Domain Schema

In the event that you are attempting to install a Windows Server 2008 machine running AD DS into an existing Windows 2000 Server/Windows Server 2003 domain, you need to modify the schema to reflect this. To accomplish this, you use the adprep command.

To access this command, you use your Windows Server 2008 media and locate the \sources\adprep folder for the command under the command prompt. The adprep command comes with familiar switches (familiar because they were also available in Windows Server 2003) and one new one, /rodcPrep. These are the switches:

/forestPrep: Updates forest information. Must be run on the Schema Master role.
/domainPrep: Updates domain information. Must be run on the Infrastructure Master role. Must be run after /forestPrep is finished.
/domainprep /gpprep: Updates permissions on Group Policy objects in AD DS and SYSVOL. Must be run on the Infrastructure Master role. Must be run after /forestPrep is finished. (You use this switch only if your DCs are running Windows 2000 Server. Otherwise, /domainPrep is fine.)
/rodcPrep: Updates permissions on Nondomain Naming Context (NDNC) partitions to enable replication for RODCs. Runs remotely and contacts an NDNC replica to update permissions. Must be run after /forestPrep is finished. Can be rerun at any time. You should run this in particular when you have DNS application partitions in your forest.