An Active Directory domain begins with the installation of a single DC. To ensure that the first controller will work, however, you might need to make decisions about your DNS infrastructure. If you have one already, you need to ensure that it is ready for Active Directory. If you do not have one, you may choose to install DNS when you install your first DC.
However, you also need to consider the installation of additional DCs and possibly RODCs. You will need to design your forest (starting with its name) and possible child domains. (As you read the previous section, you learned about sites and physical boundaries that may come into play.) You may also want to install DCs through an unattended installation with answer files. Yes, it can all become quite complicated.
But let’s go back a step and install the first DC, with DNS included in the installation.
Install the First DC of the Forest
Although there are a variety of different ways to set up DCs, in setting up this first one, you are going to start with the basics:
1. To begin the process, from a Windows Server 2008 system that is acting as a member server (that is, not running AD DS), click Start and enter dcpromo in the Instant Search pane (or in the Run dialog). The system checks whether the AD DS binaries are installed, and then it installs them. These might already be installed if you ran the dcpromo command at an earlier time and cancelled the operation.
2. On the Active Directory Domain Services Installation Wizard startup screen (shown in Figure 1), click Next or select the checkbox Use Advanced Mode Installation and then click Next. (You might want to check the box because you might want to see some of the valuable configuration screens that are added to the installation.)
3. If you have selected advanced mode, you see some information regarding OS compatibility (because of the improved security settings in Windows Server 2008). Read the information and click Next.
4. Under Choose a Deployment Configuration, because this is the first DC in the forest, choose Create a New Domain in a Forest and click Next.
5. Provide the fully qualified domain name (FQDN) of the new forest root domain (for example, corp.contoso.com). Normally, you’d think about your company name and the name you have registered and then, if you choose to use the same name, enter that here. In this scenario, however, enter primatech.com and click Next.
6. The wizard checks to see if this name is already in use, and if it is not, it takes you to the Domain NetBIOS Name screen, which it fills in for you. Change it if you like and click Next.
7. When you are asked to set the forest functional level, choose Windows 2000, Windows Server 2003, or Windows Server 2008. Because this is a brand new forest, you would most likely want to choose Windows Server 2008 and click Next.
Note
As you select the functional level you want, you are shown details that indicate what features are being added with each choice. There are new features between the Windows 2000 and Windows Server 2003 options; however, there are no new features in choosing Windows Server 2008 over Windows Server 2003. The only valid distinction to keep in mind with choosing Windows Server 2008 is that you will be able to add to this forest only DCs that are running Windows Server 2008 or later.
8. If you select Windows Server 2008 as the forest functional level, you do not see Set Domain Functional Level because it is automatically set to Windows Server 2008. If, however, you did not choose Windows Server 2008, you need to choose a domain functional level and click Next.
9. On the Additional Domain Controller Options page, choose to install DNS as an additional option. Because this is the first DC of the forest and/or domain, it is automatically a global catalog server, and that option is selected. There is another option to install as an RODC, but it is disabled because this is your first DC in a new forest and/or domain and therefore cannot be an RODC. In this case, you leave the default settings that install DNS with Active Directory and click Next.
Note
You may see a warning because the wizard is not able to create a delegation for the DNS server. In this case, because you are not integrating with an existing DNS server and are making this server a DNS server, you do not have to worry about this warning. Click Yes to continue.
10. Provide the location for the database, log, and SYSVOL folders:
- Database: Stores information about the objects (such as users and computers) on the network
- Logs: Record activities related to Active Directory (such as object updates)
- SYSVOL: Contains Group Policy objects and scripts
Each of these is important. Select locations (or leave the default) and click Next.
11. On the Directory Services Restore Mode Administrator Password page, provide a password for the Administrator account that will be used when the DC is started in Directory Services Restore Mode (DSRM). Make sure the password you use meets the complexity requirements, or you receive an error.
12. On the Summary page, examine the settings you have chosen, or click Export Settings to create an answer file for use with unattended Active Directory configurations. Click Next.
13. A variety of different options are established (DNS, Group Policy Management Console installation, and so forth). When this process is complete, click Finish on the final screen.
14. Restart the server, and AD DS goes into action.
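The same build, driven by the answer file that step 12 can export, as an added example that is not from the book. The [DCINSTALL] keys are dcpromo’s documented unattend keys for the primatech.com scenario above; the file path is assumed, and the DSRM password is prompted for rather than written into the script.

```powershell
# Added example: unattended build of the first DC of the primatech.com forest,
# matching wizard steps 4-14. Run from an elevated prompt on the Windows
# Server 2008 member server. ForestLevel/DomainLevel 3 = Windows Server 2008
# (0 = Windows 2000, 2 = Windows Server 2003).
$AnswerFile   = 'C:\Temp\FirstDC.txt'                          # assumed location
$DsrmPassword = Read-Host -Prompt 'DSRM Administrator password' # must meet complexity rules

$Unattend = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=primatech.com
DomainNetBiosName=PRIMATECH
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@

New-Item -ItemType Directory -Path (Split-Path $AnswerFile) -Force | Out-Null
Set-Content -Path $AnswerFile -Value $Unattend -Encoding ASCII

# dcpromo performs the same work the wizard does in step 13.
$proc = Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:$AnswerFile" -Wait -PassThru

# The answer file holds the DSRM password in clear text: remove it whatever the outcome.
Remove-Item -Path $AnswerFile -Force

# dcpromo documents exit codes 1-4 as success (2 and 4 mean a reboot is required).
if ($proc.ExitCode -ge 1 -and $proc.ExitCode -le 4) {
    shutdown.exe /r /t 10 /c "AD DS promotion complete, restarting (step 14)"
} else {
    Write-Warning "dcpromo returned exit code $($proc.ExitCode); see C:\Windows\debug\dcpromo.log"
}
```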
After you reboot the system, note the new tools available under Administrative Tools. They include the following:
- Active Directory Domains and Trusts
- Active Directory Sites and Services
- Active Directory Users and Computers
- ADSI Edit
- DNS
- Group Policy Management
Setting Up Additional DCs
To add more DCs to an existing forest (after the first DC has been created), you run the Active Directory Domain Services Installation Wizard again through dcpromo.
The difference with setting up an additional DC is that when the wizard brings you to the Choose a Deployment Configuration page, you now select Existing Forest, as shown in Figure 2.
You can now choose to do one of the following:
- Add a domain controller to an existing domain.
- Create a new domain in an existing forest. (This server will become the first DC in the new domain.)
- Create a new domain tree root instead of a new child domain.
On the Network Credentials page, type in the name of the domain you are looking to add this server to and indicate whether there are alternate credentials you want to use.
Note
To add a DC to a domain, you need to be a member of the Enterprise Admins group and the Domain Admins group for that domain.
You then select a domain and a site or choose the option Use the Site That Corresponds to the IP Address of This Computer.
When you come to the Additional Domain Controller Options screen, you need to decide whether you want to make this server a DNS server, a global catalog server, or an RODC.
On the Install from Media page, you would most likely choose Replicate Data over the Network from an Existing Domain Controller, unless you have a reason to choose otherwise.
On the Source Domain Controller page, you can choose Let the Wizard Choose an Appropriate Domain Controller or Use This Specific Domain Controller and choose the one you think is best.
Note
A replication partner imposes certain logical restrictions. For example, an RODC cannot be an installation partner. If you are installing an RODC, you need a DC that runs Windows Server 2008 for an installation partner. Only DCs within a domain can be installation partners for one another.
For the most part, the rest of the options and dialog screens in the wizard are the same as in the preceding section.
Install an RODC
Recall that an RODC is a DC that you might utilize when you are working with a branch office situation that doesn’t require write capability to the domain (and might be a security risk if you did use a traditional DC).
During the installation procedure, when you reach the Additional Domain Controller Options page, you can choose the Read-Only Domain Controller (RODC) option, as shown in Figure 3.
When you select this option, you need to select other options as well. You need to establish a password replication policy in the Specify the Password Replication Policy window, as shown in Figure 4. This policy determines which users and their user object information will be replicated to the RODC and stored locally. You can select Deny or Allow as setting choices.
Note
Typically you want to allow password replication for the accounts that belong in the site where the RODC is located. Then those accounts can authenticate locally against that RODC. However, accounts that are perhaps used only at main sites should not be replicated down to this RODC. It is recommended that you use global groups to control the replication and replicate only those accounts you need to replicate.
An interesting feature is the Delegation of RODC Installation and Administration page, where you can specify a user or group that can administer the RODC locally.
Install from Media
At times you might want to install from media for your DCs because the amount of data transfer over your network lines may be excessive. This is especially the case when you have remote locations with slow WAN links. Installation from Media (IFM) begins with the process of capturing the Active Directory database from an existing DC and then pulls it into your remote DC.
To capture the existing DC, you would use NTDSUTIL. There is some flexibility as to what you can capture. You can choose one of the following four options:
- Create IFM media for a full AD DC or an AD LDS instance.
- Create IFM media without SYSVOL for a full AD DC or AD LDS instance.
- Create IFM media for an RODC.
- Create IFM media without SYSVOL for an RODC.
Depending on which version you choose, you use the NTDSUTIL command on a DC to create the IFM media.
When you are doing the installation, you come to the Install from Media screen (shown in Figure 5) where you can select Replicate Data from Media at the Following Location and select the location.
Prepare an Existing Domain Schema
In the event that you are attempting to install a Windows Server 2008 machine running AD DS into an existing Windows 2000 Server/Windows Server 2003 domain, you need to modify the schema to reflect this. To accomplish this, you use the adprep command.
To access this command, use your Windows Server 2008 installation media and open the \sources\adprep folder at a command prompt. The adprep command comes with familiar switches (familiar because they were also available in Windows Server 2003) and one new one, /rodcPrep. These are the switches:
- /forestPrep: Updates forest information. Must be run on the Schema Master role holder.
- /domainPrep: Updates domain information. Must be run on the Infrastructure Master role holder. Must be run after /forestPrep is finished.
- /domainPrep /gpprep: Updates permissions on Group Policy objects in AD DS and SYSVOL. Must be run on the Infrastructure Master role holder. Must be run after /forestPrep is finished. (You use this switch only if your DCs are running Windows 2000 Server. Otherwise, /domainPrep is fine.)
- /rodcPrep: Updates permissions on Nondomain Naming Context (NDNC) partitions to enable replication for RODCs. Runs remotely and contacts an NDNC replica to update permissions. Must be run after /forestPrep is finished. Can be rerun at any time. You should run this in particular when you have DNS application partitions in your forest.
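The adprep sequence in the order the switches above require, with the role-holder check that each step depends on, as an added example that is not from the book. It assumes the Windows Server 2008 media is mounted as D:, the forest is primatech.com, and the account used is in Schema Admins, Enterprise Admins and Domain Admins.

```powershell
# Added example: run adprep in order, confirming the FSMO role holder first.
$Media  = 'D:\sources\adprep'          # assumed mount point of the 2008 media
$Domain = 'primatech.com'
$SchemaNC = 'cn=schema,cn=configuration,dc=primatech,dc=com'

# dsquery returns the server object's DN, e.g. "CN=HUBDC01,CN=Servers,..."; pull the host name out.
function Get-FsmoHost([string[]]$DsqueryArgs) {
    $dn = (dsquery server @DsqueryArgs | Select-Object -First 1)
    if ($dn -match 'CN=([^,]+),CN=Servers') { return $Matches[1] } else { throw "no role holder found" }
}

# 1. /forestPrep must run on the Schema Master itself.
$SchemaMaster = Get-FsmoHost @('-forest', '-hasfsmo', 'schema')
if ($env:COMPUTERNAME -ne $SchemaMaster) {
    throw "Run this on the Schema Master ($SchemaMaster), not on $env:COMPUTERNAME"
}
& "$Media\adprep.exe" /forestPrep
# Windows Server 2008 raises the schema objectVersion to 44 (30 = 2003, 13 = 2000).
dsquery * $SchemaNC -scope base -attr objectVersion

# 2. /domainPrep (with /gpprep while Windows 2000 DCs remain) runs on the
#    Infrastructure Master of each domain, after /forestPrep has replicated.
$InfraMaster = Get-FsmoHost @('-domain', $Domain, '-hasfsmo', 'infr')
if ($env:COMPUTERNAME -eq $InfraMaster) {
    & "$Media\adprep.exe" /domainPrep /gpprep
} else {
    Write-Warning "Run '$Media\adprep.exe /domainPrep /gpprep' on $InfraMaster"
}

# 3. /rodcPrep runs remotely and is safe to rerun; needed before the first RODC
#    when DNS application partitions exist.
& "$Media\adprep.exe" /rodcPrep
```

Run /domainPrep only after replication has carried the forest changes to the Infrastructure Master; adprep refuses to continue otherwise, and the log under %SystemRoot%\debug\adprep records which step stopped.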