Installing an RODC on a Windows Server 2008 R2 Server Core Installation
One of the most innovative and anticipated security features of Windows Server 2008 R2 is Server Core, a scaled-down installation option that is managed from the command line instead of through graphical user interfaces (GUIs). Because a Server Core installation provides a minimal environment, installing only the subset of the Windows Server 2008 R2 binaries needed to support its server roles, it is especially well suited to remote locations such as branch offices where only the bare essentials need to be installed.
Operating with a lean server has its benefits. Server Core creates a minimal environment that decreases the amount of maintenance and management an administrator must perform when running specific server roles such as Active Directory Domain Services. This comes in handy at branch offices, because organizations typically don't want inexperienced administrators managing the branch office domain controller, so the reduced amount of administration is an advantage. In addition, a minimal environment also reduces the attack surface of the server roles residing on the Server Core installation. It is also worth mentioning that Server Core is in line with Microsoft's Trustworthy Computing initiative.
Unlike installing other Windows Server 2008 R2 roles on a Server Core installation, installing AD DS (which is part of the RODC installation) on a Server Core installation of Windows Server 2008 R2 requires that an unattended answer file first be created. The unattended answer file supplies the answers to the questions that would otherwise be asked during an Active Directory Domain Services installation. After the unattended answer file is created, the next step is to run dcpromo on the RODC and reference the answer file by using the following syntax at the command prompt: dcpromo /unattend:<unattendfile>.
Note
It is possible to create an
unattended answer file by exporting settings on the Summary page when
using the Active Directory Domain Services Installation Wizard. This
answer file can be used for creating subsequent installations of Active
Directory domain controllers on Server Core installations.
The following example depicts
installing an RODC on a Server Core installation. The first step creates
the unattended answer file based on settings included in Table 1. The second step conducts the dcpromo
process on the Server Core installation by referencing the answer file
created in the first step. This example assumes a Windows Server 2008 R2
Server Core installation already exists at the branch office.
Table 1. Parameters and Values for Creating an Unattended Answer File

| Parameter | Value |
|---|---|
| Site | Toronto |
| Additional options | Read-only DC: Yes |
| | Global catalog: Yes |
| | DNS server: Yes |
| Update DNS delegation | No |
| Source DC | Any writable domain controller |
| Password Replication Policy | Allow: COMPANYABC1\Allowed RODC Password Replication Group |
| | Deny: BUILTIN\Administrators |
| | Deny: BUILTIN\Server Operators |
| | Deny: BUILTIN\Backup Operators |
| | Deny: BUILTIN\Account Operators |
| | Deny: COMPANYABC1\Denied RODC Password Replication Group |
| Delegation for RODC installation and administration | COMPANYABC1\RODC-Admins-BranchOffice-10 |
| Active Directory file placement | Database folder: c:\Windows\NTDS |
| | Log file folder: c:\Windows\NTDS |
| | SYSVOL folder: c:\Windows\SYSVOL |
| DNS server settings | The DNS service will be installed on this computer. |
| | The DNS service will be configured on this computer. |
| | This computer will be configured to use this DNS server as its preferred DNS server. |
Creating the Unattended Answer File Based on the Values in Table 1
1. First create an unattended answer file similar to the following example. The parameters and values found in this example are summarized in Table 1.

```ini
; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
;   dcpromo.exe /unattend:C:\Temp\RODCAnswerFile.txt
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=companyabc1.com
ServerAdmin="COMPANYABC1\RODC-Admins-BranchOffice-10"
SiteName=Toronto
InstallDNS=Yes
ConfirmGc=Yes
DNSDelegation=No
UserDomain=companyabc1.com
UserName=*
Password=*
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
; RebootOnCompletion=Yes
TransferIMRoleIfNecessary=No
```

Note

This example represents the unattended answer file for the RODC installation, which also includes parameters and values for installing DNS, a global catalog, Password Replication Policy, administrator delegation, Active Directory file placement, and DNS settings. Modify the values as needed.

Note

You might need to fill in password fields prior to using the unattended file. If you leave the values for "Password" and/or "DNSDelegationPassword" as "*", you will be asked for credentials at runtime.

2. Save the unattended file and copy it to the Windows Server 2008 R2 Server Core installation system that will be the new branch office RODC server.
Implementing the RODC on a Server Core Installation by Using an Unattended Answer File
3. Now that the unattended answer file is created, run the following syntax from a Server Core installation command prompt: dcpromo /unattend:<unattendfile>.
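The three steps above can be collapsed into one script that writes the answer file from the Table 1 values, checks it for the mistakes that make an unattended RODC promotion fail or weaken it, runs dcpromo, and then deletes the file so the DSRM password stored in SafeModeAdminPassword does not stay on disk. This is an added example, not code from the book or from Microsoft. It assumes the optional PowerShell feature has been enabled on the Server Core installation, reuses the page's domain, site, group and path values, and treats the dcpromo exit-code ranges as an assumption to confirm against the dcpromo /? output on your build.

```powershell
# Added example (not from the book): build, validate, run and clean up an RODC answer file.
# Assumes PowerShell is enabled on the Server Core box; all names/paths are the page's values.

function New-RodcAnswerFile {
    param(
        [string]$Path,
        [System.Security.SecureString]$SafeModePassword
    )
    # The DSRM password is decrypted only at the moment of writing; dcpromo needs it in clear text.
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SafeModePassword)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # UserName/Password stay '*' so dcpromo prompts for domain credentials instead of
    # storing a privileged account password in the file.
    $lines = @(
        '[DCInstall]',
        'ReplicaOrNewDomain=ReadOnlyReplica',
        'ReplicaDomainDNSName=companyabc1.com',
        'ServerAdmin="COMPANYABC1\RODC-Admins-BranchOffice-10"',
        'SiteName=Toronto',
        'InstallDNS=Yes',
        'ConfirmGc=Yes',
        'DNSDelegation=No',
        'UserDomain=companyabc1.com',
        'UserName=*',
        'Password=*',
        'DatabasePath=C:\Windows\NTDS',
        'LogPath=C:\Windows\NTDS',
        'SYSVOLPath=C:\Windows\SYSVOL',
        "SafeModeAdminPassword=$plain",
        'TransferIMRoleIfNecessary=No'
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    # While the file exists, let only Administrators and SYSTEM read it.
    icacls $Path /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
}

function Test-RodcAnswerFile {
    param([string]$Path)
    # Parse key=value lines under [DCInstall]; ';' comment lines and the section header are skipped.
    $kv = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*([^;=\[][^=]*?)\s*=\s*(.*)$') { $kv[$matches[1]] = $matches[2] }
    }
    $problems = @()
    if ($kv['ReplicaOrNewDomain'] -ne 'ReadOnlyReplica') { $problems += 'ReplicaOrNewDomain is not ReadOnlyReplica; this would not create an RODC' }
    if (-not $kv['SafeModeAdminPassword'])                 { $problems += 'SafeModeAdminPassword is empty; set it before running dcpromo' }
    if (-not $kv['ServerAdmin'])                           { $problems += 'No ServerAdmin delegation; branch staff would need Domain Admins to finish the install' }
    if ($kv['Password'] -ne '*')                           { $problems += 'Domain credential stored in clear text; use * to be prompted at run time' }
    return $problems
}

function Invoke-RodcPromotion {
    param([string]$Path)
    $problems = @(Test-RodcAnswerFile -Path $Path)
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        throw 'Answer file failed validation; dcpromo was not run.'
    }
    try {
        & dcpromo.exe "/unattend:$Path"
        $code = $LASTEXITCODE
    }
    finally {
        # Remove the file whether or not promotion succeeded: it holds the DSRM password.
        Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue
    }
    # Assumption (verify with dcpromo /?): exit codes 1-4 mean success (2 and 4 need a reboot),
    # 11-100 mean failure. Details land in %systemroot%\debug\dcpromo.log.
    if ($code -ge 1 -and $code -le 4) {
        Write-Host "dcpromo succeeded (exit code $code)"
    } else {
        throw "dcpromo failed with exit code $code; see %systemroot%\debug\dcpromo.log"
    }
}

# Usage at the Server Core PowerShell prompt (path taken from the book's generated file):
$file = 'C:\Temp\RODCAnswerFile.txt'
New-RodcAnswerFile -Path $file -SafeModePassword (Read-Host 'DSRM password' -AsSecureString)
Invoke-RodcPromotion -Path $file
```

Test-RodcAnswerFile is also useful on its own against an answer file exported from the Installation Wizard's Summary page: it catches an empty SafeModeAdminPassword before dcpromo does, and flags a file that carries a real domain password, which is the one thing the Note above tells you not to leave behind on a branch office server.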
For a full list of Active Directory Domain Services installation options, review this web link: http://technet.microsoft.com/en-us/library/cc772074(WS.10).aspx.