Deploying Windows Server 2012 and Windows Server 2012 R2 Domain Controllers

Lesson 2: Deploying domain controllers using Server Manager

Server Manager provides an easy way to deploy Windows Server 2012 and Windows Server 2012 R2 domain controllers. Server Manager is mainly intended for managing small and midsized environments where the automation of domain controller deployment is not required. This lesson demonstrates how to use Server Manager to deploy domain controllers in both new and existing forests.

Preparing for domain controller deployment

The steps for preparing to deploy Windows Server 2012 or Windows Server 2012 R2 domain controllers using Server Manager differ depending on whether you are deploying the first domain controller in a new forest, deploying additional domain controllers in the new forest, or deploying domain controllers in an existing forest whose domain controllers are running an earlier version of Windows Server.

Preparing for deploying the first domain controller in a new forest

To deploy the first Windows Server 2012 or Windows Server 2012 R2 domain controller in a new forest using Server Manager, you should either log on locally to the server or connect to it using Remote Desktop. No other preparation is needed for this scenario.

Preparing for deploying additional domain controllers in the new forest

After you create a new forest by deploying your first Windows Server 2012 or Windows Server 2012 R2 domain controller, you can use Server Manager to deploy additional domain controllers in an existing domain, create new child domains, or create new tree domains. You can perform these tasks remotely by using Server Manager on any Windows Server 2012 or Windows Server 2012 R2 domain controller or member server or on a Windows 8 or Windows 8.1 client computer that has the appropriate version of the Remote Server Administration Tools (RSAT) installed.

The recommended steps for preparing to use Server Manager to deploy additional domain controllers are as follows:

  1. Make sure you have the appropriate credentials for the task you are going to perform. For example, if you are going to add domain controllers to an existing domain, make sure you have Domain Admin credentials for that domain. If you are going to create a new child domain, make sure you have Enterprise Admin credentials.
  2. Add the remote servers you’ll be promoting to domain controllers to the server pool so that you can manage them remotely using Server Manager.
  3. Create a new server group for the remote servers you’ll be promoting to domain controllers and add the servers to the server group. Doing this makes it easier to promote multiple remote servers to domain controllers simultaneously.

Preparing for deploying domain controllers in an existing forest

Adding Windows Server 2012 or Windows Server 2012 R2 domain controllers to an existing forest or domain running an earlier version of Windows Server first requires that you extend the existing Active Directory schema. In previous versions of Windows Server, you used Adprep.exe for extending the schema. Adprep is a command-line tool that was available in the \support\adprep folder of Windows Server 2008 R2 installation media or in the \sources\adprep folder of Windows Server 2008 installation media. The Adprep command uses parameters such as /forestprep and /domainprep to prepare an existing forest for the introduction of a domain controller running a later version of Windows Server.

Beginning with Windows Server 2012, however, Adprep is run automatically as needed when you deploy a new Windows Server 2012 or Windows Server 2012 R2 domain controller in an existing forest or domain running an earlier version of Windows Server. This change simplifies the task of adding Windows Server 2012 or Windows Server 2012 R2 domain controllers to an existing forest or domain running an earlier version of Windows Server because you no longer need to manually run Adprep before introducing the new domain controllers into your forest.

Adprep is also available as a stand-alone command-line tool in the \support\adprep folder of Windows Server 2012 and Windows Server 2012 R2 installation media. The stand-alone version of Adprep is required for certain scenarios, such as performing an in-place upgrade of your first Windows Server 2012 or Windows Server 2012 R2 domain controller. In this case, you must run Adprep manually to prepare your forest and its domains before you begin upgrading your existing domain controllers to Windows Server 2012 or Windows Server 2012 R2.

You can use the Windows Server 2012 version of Adprep to extend the schema of an existing forest whose domain controllers are running any of the following versions of Windows Server:

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003 R2
  • Windows Server 2003

However, the following considerations apply when running the Windows Server 2012 version of Adprep:

  • You must have the credentials of a member of the Enterprise Admins group to run the Adprep /forestprep command.
  • Adprep can be run only on a server (domain controller, member server, or stand-alone server) that is running a 64-bit version of Windows Server 2008 or later. You cannot run Adprep on a server running Windows Server 2003 or a 32-bit version of Windows Server 2008.
  • The server on which you run Adprep must have network connectivity to the schema master of the existing forest.
  • The server on which you run Adprep must have network connectivity to the infrastructure master of the existing domain where you want to add a new Windows Server 2012 domain controller.

You can use the Windows Server 2012 R2 version of Adprep to extend the schema of an existing forest whose domain controllers are running any of the following versions of Windows Server:

  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003 R2
  • Windows Server 2003

Similar considerations apply when running the Windows Server 2012 R2 version of Adprep as when running the Windows Server 2012 version.
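
The considerations listed above can be checked before running the stand-alone Adprep. The following PowerShell script is an added example, not taken from the book. It assumes PowerShell 3.0 or later in an elevated session on the server where you intend to run Adprep, the ActiveDirectory module, and a reachable domain controller that answers Active Directory Web Services. `Test-TcpPort` is a hypothetical helper, and the LDAP port test is only a basic reachability check.

```powershell
# Added example (not from the book): pre-flight checks for the stand-alone Adprep.
# Assumptions: PowerShell 3.0+, elevated session, ActiveDirectory module installed,
# and a domain controller in the target domain that answers AD Web Services.
Import-Module ActiveDirectory

$TargetDomain = 'fabrikam.com'   # the lesson's example domain; replace with your own

function Test-TcpPort {
    # Hypothetical helper: $true if a TCP connection succeeds within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$domain  = Get-ADDomain -Identity $TargetDomain
$forest  = Get-ADForest -Identity $domain.Forest
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

# Enterprise Admins is the well-known RID 519 in the forest root domain.
# Run elevated: a UAC-filtered token does not carry the group as enabled.
$token     = [Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids = @($token.Groups | ForEach-Object { $_.Value })

# objectVersion on the schema naming context is the forest's current schema version.
$schemaNC      = (Get-ADRootDSE -Server $TargetDomain).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Server $TargetDomain `
                      -Properties objectVersion).objectVersion

[pscustomobject]@{
    Is64BitOS                 = [Environment]::Is64BitOperatingSystem
    # Version 6.0 corresponds to Windows Server 2008; this is a version check only.
    OSVersionAtLeast6_0       = [Environment]::OSVersion.Version -ge [version]'6.0'
    IsEnterpriseAdmin         = $groupSids -contains "$rootSid-519"
    SchemaMaster              = $forest.SchemaMaster
    SchemaMasterReachable     = Test-TcpPort -ComputerName $forest.SchemaMaster -Port 389
    InfrastructureMaster      = $domain.InfrastructureMaster
    InfrastructureMasterReach = Test-TcpPort -ComputerName $domain.InfrastructureMaster -Port 389
    CurrentSchemaVersion      = $schemaVersion
}
```

Recording `CurrentSchemaVersion` before the change gives you a baseline to compare against after Adprep has run.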

Installing the AD DS role

Before you can promote a server to a domain controller, you must first install the AD DS role on the server. To do this using Server Manager, select Add Roles And Features from the Manage menu to launch the Add Roles And Features Wizard. On the Select Server Roles page of the wizard, select the Active Directory Domain Services role and confirm the installation of the tools for managing AD DS, as shown in Figure 4-2.

FIGURE 4-2 Install the AD DS role with the role-management tools.

Running the AD DS Configuration Wizard

When you complete the installation of the role, the final page of the AD DS Configuration Wizard prompts you to promote the server to a domain controller. If you close the wizard at this point, you can still access the link to promote the server from the Notifications menu of Server Manager, as shown in Figure 4-3.

FIGURE 4-3 You can use the Notifications menu to promote the server to a domain controller.

Clicking the link to promote the server to a domain controller launches the AD DS Configuration Wizard. The steps of this wizard depend on which type of domain controller deployment scenario you are performing. The upcoming sections cover the following scenario types:

  • First domain controller in new forest
  • Additional domain controller in new domain
  • First Windows Server 2012 or Windows Server 2012 R2 domain controller in existing forest

First domain controller in new forest

After you have added the AD DS role to the server, using the AD DS Configuration Wizard to promote the server to the first domain controller in a new forest involves the following steps:

  1. On the Deployment Configuration page of the wizard, shown in Figure 4-4, select the Add A New Forest option and specify the root domain for your new forest. Then proceed through the wizard and perform the steps that follow.

    FIGURE 4-4 Deploy the first domain controller for a new forest using the AD DS Configuration Wizard.

  2. On the Domain Controller Options page, specify a functional level for your new forest and root domain. The default forest and domain functional levels are Windows Server 2012 if your server is running Windows Server 2012, or Windows Server 2012 R2 if your server is running Windows Server 2012 R2. If you have no domain controllers running earlier versions of Windows Server in your environment, you should leave the defaults unchanged.
  3. On the same page, specify whether your domain controller should also be a DNS server. Microsoft recommends that all domain controllers also be DNS servers to ensure AD DS availability.
  4. On the same page, note that the first domain controller must be a global catalog server and that it cannot be an RODC.
  5. On the same page, enter a password for the Directory Services Restore Mode (DSRM) administrator account.
  6. On the DNS Options page, specify DNS delegation options if you are integrating AD DS with an existing DNS infrastructure. To do this, you can manually create a delegation for your new DNS server in its authoritative parent zone to ensure reliable name resolution from outside your AD DS environment. For example, if the root domain name of your new forest is corp.contoso.com, as shown in Figure 4-4, you create a delegation for your DNS server in the authoritative parent zone on the DNS server that manages the public contoso.com domain for your organization.
  7. On the Additional Options page, the wizard suggests a NetBIOS name for your forest root domain. You can either accept what the wizard suggests or specify a different name of up to 15 Internet-standard characters (A–Z, a–z, 0–9, and “-”) but not entirely numeric.
  8. On the Paths page, specify the location of the AD DS database, log files, and SYSVOL or accept the defaults.
  9. The Review Options page displays the results of your selections.
  10. The Prerequisites Check page verifies that all prerequisites have been met for successfully deploying the domain controller. See Figure 4-1 earlier in this chapter for an example of what this wizard page looks like.
  11. Clicking Install promotes the server to a domain controller and automatically reboots the server at the end of the promotion operation.

Additional domain controller in new domain

After you deploy the first domain controller in a new domain or forest, you should deploy at least one additional domain controller in the domain for fault tolerance. After adding the AD DS role to the server that will become the additional domain controller, you can use the AD DS Configuration Wizard to promote the server to be an additional domain controller for the domain by performing the following steps:

  1. On the Deployment Configuration page of the wizard, shown in Figure 4-5, select the Add A Domain Controller To An Existing Domain option. Specify the domain to which you want to add the new domain controller, and if your current logon credentials have insufficient privileges to perform the operation, click Change and specify suitable credentials.

    FIGURE 4-5 Deploy an additional domain controller to an existing domain.

  2. On the Domain Controller Options page, specify whether your domain controller should also be a DNS server. (This option is selected by default.)
  3. On the same page, specify whether your domain controller should also be a global catalog server. (This option is selected by default.)
  4. On the same page, specify whether your domain controller should also be an RODC. You should have at least two writeable domain controllers in every domain in your forest, so do not select this option if this is the second domain controller in your domain.
  5. On the same page, specify the name of the existing AD DS site to which the new domain controller should belong. (The default is Default-First-Site-Name.)
  6. On the same page, enter a password for the DSRM administrator account.
  7. On the DNS Options page, specify DNS delegation options if you are integrating AD DS with an existing DNS infrastructure.
  8. On the Additional Options page, select the Install From Media (IFM) option if you used the Ntdsutil.exe tool to create installation media for additional domain controllers that you are deploying in the domain. You can use the Install From Media (IFM) option to minimize the replication of directory data over your network, which helps make deploying additional domain controllers at remote sites more efficient. If you are deploying additional domain controllers at your organization’s hub site (its headquarters or central office), however, you generally will not use the IFM option.
  9. On the same page, if you are not using the IFM option for deploying additional domain controllers, you can select which domain controller in your domain the new additional domain controller should use as an initial replication partner for pulling down a copy of the AD DS database. By default, your new domain controller replicates from any available domain controller in the domain, but you have the option of specifying a particular domain controller as its initial replication partner.
  10. Complete the remaining steps of the wizard to deploy the additional domain controller in the domain.

First Windows Server 2012 or Windows Server 2012 R2 domain controller in existing forest

You can also use the AD DS Configuration Wizard to deploy Windows Server 2012 or Windows Server 2012 R2 domain controllers in a forest or domain whose existing domain controllers are running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. As explained earlier in this lesson, when you use the wizard to deploy the first Windows Server 2012 or Windows Server 2012 R2 domain controller in a domain of a forest whose domain controllers are running earlier Windows Server versions, the Adprep tool automatically runs to prepare the forest and domain by extending the schema to its latest version.

The procedure that follows demonstrates this scenario by deploying a Windows Server 2012 or Windows Server 2012 R2 domain controller named VAN-SRV-3 in a forest root domain named fabrikam.com whose existing domain controllers are all running Windows Server 2008 R2. After you have added the AD DS role to server VAN-SRV-3, using the AD DS Configuration Wizard to add the server as the first Windows Server 2012 or Windows Server 2012 R2 domain controller in the fabrikam.com forest involves the following steps:

  1. On the Deployment Configuration page of the wizard, shown in Figure 4-6, select the Add A Domain Controller To An Existing Domain option, specify fabrikam.com as the forest root domain, and specify suitable credentials for performing the operation.

    FIGURE 4-6 Promote the server named VAN-SRV-3 to be the first Windows Server 2012 or Windows Server 2012 R2 domain controller in the existing fabrikam.com forest root domain.

  2. Proceed through the wizard as described in the previous section until you reach the Preparation Options page shown in Figure 4-7. This page informs you that performing this operation will prepare your forest and domain for Windows Server 2012 or Windows Server 2012 R2 domain controllers by extending the schema. If you do not want to extend the schema, cancel the operation and do not deploy the new domain controller.

    FIGURE 4-7 The wizard informs you that the forest schema will be extended if you perform this operation.

  3. Complete the remaining steps of the wizard to deploy the domain controller and extend the schema. Note that you did not have to manually run Adprep to prepare your forest or domain for the domain controller running Windows Server 2012 or Windows Server 2012 R2.

Verifying the installation

After deploying a new domain controller running Windows Server 2012 or Windows Server 2012 R2 by using Server Manager, you should verify the installation by performing the following steps:

  1. Add the new domain controller to the server pool and to any server group you created for grouping together your Windows Server 2012 domain controllers.
  2. Select the new domain controller from any applicable page of Server Manager.
  3. Check for any alerts raised concerning the new controller on the Notifications menu.
  4. Scroll down the page to the Events tile and review any events raised for the new domain controller. Pay special attention to any critical, error, or warning events raised and perform any additional configuration or remedial action needed to address these events.
  5. Scroll down the page to the Services tile and review the condition of the services on the new domain controller. Make sure that all services have their startup values configured appropriately and that automatic services are running.
  6. Scroll down the page and start a Best Practices Analyzer (BPA) scan on the new domain controller by selecting Start BPA Scan from the Tasks menu of the Best Practices Analyzer tile. (See Figure 4-8.) BPAs are server management tools built into Windows Server 2012 and Windows Server 2012 R2 that help you adhere to best practices by scanning installed server roles and reporting any violations discovered.

    FIGURE 4-8 Start a BPA scan on a domain controller.

As an example, Figure 4-9 shows the results of running a BPA scan on two Windows Server 2012 or Windows Server 2012 R2 domain controllers deployed in a new forest. These domain controllers have been grouped together in Server Manager by creating a custom server group named Domain Controllers. The Error displayed in the Best Practices Analyzer tile indicates that domain controller SEA-DC-1 is the PDC Emulator operations master for the forest and needs to be able to synchronize its clock with a reliable time source on the Internet. After you run a BPA scan on your domain controllers, be sure to carefully review the results displayed in the tile.

FIGURE 4-9 Review the results of a BPA scan performed on newly deployed domain controllers.
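
The same verification can be collected from the command line, which is useful when you want a record of the state of each new domain controller. The following PowerShell function is an added example, not taken from the book. It assumes an elevated session on the newly promoted domain controller, and the function name, the one-day event window, and the list of logs are choices made for this example.

```powershell
# Added example (not from the book): command-line equivalent of the
# Events, Services, and Best Practices Analyzer checks in Server Manager.
# Assumption: elevated PowerShell session on the newly promoted domain controller.
function Test-NewDomainController {
    param(
        # Assumption: the promotion happened within the last day.
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # Events tile: critical (1), error (2), and warning (3) events.
    $logs = 'Directory Service', 'DNS Server', 'DFS Replication', 'System'
    $events = foreach ($log in $logs) {
        try {
            Get-WinEvent -FilterHashtable @{
                LogName = $log; Level = 1, 2, 3; StartTime = $Since
            } -ErrorAction Stop
        } catch {
            # No matching events, or the log is absent (for example, no DNS Server role).
        }
    }

    # Services tile: services set to start automatically that are not running.
    # Delayed-start and trigger-start services can appear here legitimately.
    $stopped = Get-CimInstance -ClassName Win32_Service `
        -Filter "StartMode = 'Auto' AND State <> 'Running'" |
        Select-Object Name, DisplayName, State

    # Best Practices Analyzer tile: scan the AD DS role and keep non-informational results.
    $model = 'Microsoft/Windows/DirectoryServices'
    Invoke-BpaModel -ModelId $model | Out-Null
    $bpa = Get-BpaResult -ModelId $model |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object Severity, Category, Title, Resolution

    # Time source, relevant to the PDC Emulator finding discussed for Figure 4-9.
    $timeSource = (& w32tm.exe /query /source) -join ' '

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Events              = @($events | Sort-Object TimeCreated -Descending)
        StoppedAutoServices = @($stopped)
        BpaFindings         = @($bpa)
        TimeSource          = $timeSource
    }
}

$result = Test-NewDomainController
$result.Events | Select-Object TimeCreated, LogName, Id, LevelDisplayName | Format-Table -AutoSize
$result.StoppedAutoServices | Format-Table -AutoSize
$result.BpaFindings | Format-List
"Time source: $($result.TimeSource)"
```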

Uninstalling AD DS

If you need to retire a Windows Server 2012 or Windows Server 2012 R2 domain controller from your environment—for example, to repurpose its server hardware for some other role—you can do this using Server Manager by performing the following steps:

  1. Launch the Remove Roles And Features Wizard from the Manage menu and select your server from the server pool.
  2. On the Remove Server Roles page, deselect the Active Directory Domain Services check box. The Validation Results page appears, indicating that you must demote the domain controller before you can remove the AD DS role. (See Figure 4-10.)

    FIGURE 4-10 You must demote a domain controller before you can remove the AD DS role from it.

  3. On the Validation Results page, click Demote This Domain Controller to launch the AD DS Configuration Wizard.
  4. On the Credentials page, supply the necessary credentials to perform this operation if your current logon credentials have insufficient privileges. If previous attempts to remove AD DS from this domain controller failed, select the Force The Removal Of This Domain Controller check box on this page.
  5. If you are demoting the last domain controller in the domain, make sure the Last Domain Controller In The Domain check box is selected to confirm that you want to remove the domain from your forest. Note that this check box is displayed only if the server is the last domain controller in the domain.
  6. On the Warnings page, make sure the Proceed With Removal check box is selected to confirm your decision to perform the demotion. Note that this page is not displayed if you chose to force the removal of AD DS in the previous step.
  7. On the Removal Options page, you have the option to remove any DNS delegations created in the authoritative parent zone. Note that you need to supply appropriate credentials to perform this action.
  8. If you are demoting the last domain controller in the domain, you also have the options of removing the DNS zone and any application partitions from the domain. (See Figure 4-11.) By clicking View Partitions, you can display a list of any application partitions in AD DS.

    FIGURE 4-11 You have options for removing the DNS zone and application partitions when demoting the last domain controller in a domain.

  9. On the New Administrator Password page, enter a password for the local Administrator account for the server.
  10. On the Review Options page, click Demote. The server restarts, and you can log on using the local Administrator account and the new password you specified in the previous step.
  11. Launch the Remove Roles And Features Wizard again from the Manage menu and select your server from the server pool.
  12. On the Remove Server Roles page, deselect the Active Directory Domain Services and DNS Server check boxes. Finish running the wizard. When the server restarts, both the AD DS and DNS Server roles will have been removed.

Lesson summary

  • You can use Server Manager to deploy Windows Server 2012 and Windows Server 2012 R2 domain controllers. This procedure is mainly intended for small and midsized environments in which automating this process is not needed.
  • After you use the Add Roles And Features Wizard to install the AD DS role on a remote server, you can use the AD DS Configuration Wizard to promote the server to a domain controller.
  • After you deploy a domain controller, you can use Server Manager to verify the installation by reviewing the Event logs, reviewing the state of services, and running a Best Practices Analyzer scan on the new domain controller.
  • You can use the Remove Roles And Features Wizard to uninstall the AD DS role on a remote server, but you first need to demote the server from being a domain controller.
  • Adprep is still available as a stand-alone command-line tool in the \support\adprep folder of Windows Server 2012 and Windows Server 2012 R2 installation media when you need to perform an in-place upgrade of your first Windows Server 2012 or Windows Server 2012 R2 domain controller.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

  1. Which of the following procedures for deploying the first Windows Server 2012 R2 domain controller in a new forest is correct? (Choose all that apply.)

    1. Install Windows Server 2012 R2 on your server and log on using the local Administrator account. Open Server Manager and run the AD DS Configuration Wizard to promote the server as a domain controller.
    2. Install Windows Server 2012 R2 on your server and log on using the local Administrator account. Open Server Manager and run the Add Roles And Features Wizard to promote the server as a domain controller.
    3. Install Windows Server 2012 R2 on your server and log on using the local Administrator account. Open Server Manager and run the Add Roles And Features Wizard to install the AD DS role on the server. Then run the AD DS Configuration Wizard to promote the server as a domain controller.
    4. Install Windows Server 2012 R2 on your server and log on using the local Administrator account. Open Server Manager and run the AD DS Configuration Wizard to install the AD DS role on the server. Then run the Add Roles And Features Wizard to promote the server as a domain controller.
  2. Which of the following statements is not correct concerning the deployment of the first Windows Server 2012 R2 domain controller in an existing forest running an earlier version of Windows Server? (Choose all that apply.)

    1. You must prepare the forest and domain and extend the schema by manually running Adprep before you use Server Manager to deploy the first Windows Server 2012 R2 domain controller in an existing forest running an earlier version of Windows Server.
    2. You must select the Add A Domain Controller To An Existing Domain option on the Deployment Configuration page of the AD DS Configuration Wizard to deploy the first Windows Server 2012 R2 domain controller in an existing forest running an earlier version of Windows Server.
    3. You can use the Install From Media (IFM) deployment method to deploy the first Windows Server 2012 R2 domain controller in an existing forest running an earlier version of Windows Server.
    4. If your current logon credentials have insufficient privileges to deploy the first Windows Server 2012 R2 domain controller in an existing forest running an earlier version of Windows Server, you can specify different credentials on the Deployment Configuration page of the AD DS Configuration Wizard.
  3. Which of the following is the best syntax when using the Dsquery.exe command-line tool to verify that Adprep has successfully extended your forest’s schema?

    1. Dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -attr objectVersion
    2. Dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -scope base -attr sAMAccountName
    3. Dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -scope base -attr *
    4. Dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -scope base -attr objectVersion