Active Directory Administrator's Pocket Consultant: Deploying Writable Domain Controllers

  • 1/14/2009
Contents

Adding Writable Domain Controllers

You establish a server as a domain controller by installing the necessary binaries for the Active Directory Domain Services (AD DS) and then configuring the services using the Active Directory Domain Services Installation Wizard (Dcpromo.exe). If you are deploying Windows Server 2008 for the first time in a Windows Server 2003 or Windows Server 2000 forest, you must prepare Active Directory as discussed in “Deploying Windows Server 2008” in Chapter 2.

Installing Additional Writable Domain Controllers

Any computer running Windows Server 2008 can act as a domain controller. Essentially, domain controllers are database servers with extensive directory, application, and replication features. Because of this, the hardware you choose for the domain controllers should be fairly robust. You’ll want to look carefully at the server’s processor, memory, and hard disk configuration.

In many cases, you’ll want to install domain controllers on hardware with multiple, fast processors. This will help ensure the domain controller can efficiently handle replication requests and topology generation. When you install the second domain controller in a forest, the Knowledge Consistency Checker (KCC) begins running on every domain controller. Not only does the KCC generate replication topology, it also dynamically handles changes and failures within the topology. By default, the KCC recalculates the replication topology every 15 minutes. As the complexity of the replication topology increases, so does processing power required for this calculation. You’ll need to monitor processor usage and upgrade as necessary.

In addition to running standard processes, domain controllers must run processes related to storage engine operations, knowledge consistency checking, replication, and garbage collection. Most domain controllers should have at least 2 gigabytes (GB) of RAM as a recommended starting point for full server installations and 1 GB of RAM for core server installations. You’ll need to monitor memory usage and upgrade as necessary.

With regard to hard disks, you’ll want to closely examine fault tolerance and storage capacity needs. Domain controllers should use fault-tolerant drives to protect against hardware failure of the system volume and any other volumes used by Active Directory. I recommend using a redundant array of independent disks (RAID), RAID 1 for system volumes and RAID 5 for data. Hardware RAID is preferable to software RAID. Storage capacity needs depend on the number of objects related to users, computers, groups, and resources that are stored in the Active Directory database. Each storage volume should have ample free disk space at all times to ensure proper operational efficiency.

When you add a domain controller to an existing domain, you should consider whether you want to perform an installation from media rather than creating the domain controller from scratch. With either technique, you will need to log on to the local machine using either the local Administrator account or an account that has administrator privileges on the local machine. Then start the installation. You also will be required to provide the credentials for an account that is a member of the Domain Admins group in the domain of which the domain controller will be a part. Because you will be given the opportunity to join the domain controller to the domain if necessary, it is not necessary for the server to be a member of the domain.

Adding Writable Domain Controllers Using Replication

You can add a writable domain controller to an existing domain by completing the following steps:

  1. Check the TCP/IP configuration of the server. The server must have a valid IP address and must have properly configured DNS settings.

    NOTE

    Domain controllers that also act as DNS servers should not have dynamic IP addresses, to ensure reliable DNS operations. Otherwise, the server can have a static IP address or a dynamic IP address assigned by a DHCP server.

  2. Install the Active Directory binaries by entering the following command at an elevated command prompt: servermanagercmd–install adds-domain-controller. This installs the AD DS binaries, which enables the Active Directory Domain Services role on the server.

  3. Before starting an Active Directory installation, you should examine local accounts to determine whether you need to take special steps to preserve any local accounts. You should also check for encrypted files and folders using the EFSInfo utility. At a command prompt, enter efsinfo /s:DriveDesignator/i | find “: Encrypted” where DriveDesignator is the drive designator of the volume to search, such as C:.

    CAUTION

    Domain controllers do not have local accounts or separate cryptographic keys. Making a server a domain controller deletes all local accounts and all certificates and cryptographic keys from the server. Any encrypted data on the server, including data stored using the Encrypting File System (EFS), must be decrypted before Active Directory is installed, or it will be permanently inaccessible.

  4. Start the Active Directory Domain Services Installation Wizard by clicking Start, typing dcpromo in the Search box, and pressing Enter.

  5. By default, the wizard uses Basic Installation mode. If you want to install from media as discussed in “Adding Writable Domain Controllers Using Installation Media,” later in this chapter, or choose the source domain controller for replication, select the Use Advanced Installation Mode check box before clicking Next to continue.

  6. If the Operating System Compatibility page is displayed, review the warning about the default security settings for Windows Server 2008 domain controllers and then click Next.

  7. On the Choose A Deployment Configuration page, shown in Figure 3-1, select Existing Forest and then select Add A Domain Controller To An Existing Domain. By choosing this option, you specify that you are adding a domain controller to an existing domain in the Active Directory forest.

    Figure 3-1

    Figure 3-1. Specify that you want to add a domain controller to the domain.

  8. When you click Next, you see the Network Credentials page, shown in Figure 3-2. In the field provided, type the full DNS name of any domain in the forest where you plan to install the domain controller. Preferably, this should be the name of the forest root domain, such as cpandl.com. If you are logged on to a domain in this forest and have the appropriate permissions, you can use your current logged-on credentials to perform the installation. Otherwise, select Alternate Credentials, click Set, type the user name and password for an enterprise administrator account in the previously specified domain, and then click OK.

    Figure 3-2

    Figure 3-2. Set the network credentials.

  9. When you click Next, the wizard validates the domain name you provided and then lists all domains in the related forest. On the Select A Domain page, shown in Figure 3-3, select the domain to which the domain controller will be added and then click Next.

    Figure 3-3

    Figure 3-3. Select the target domain.

  10. When you click Next, the wizard determines the available Active Directory sites. On the Select A Site page, you’ll see a list of available sites. If there is a site that corresponds to the IP address of the server you are promoting, select the Use The Site That Corresponds To The IP Address check box to place the new domain controller in this site. If you want to place the new domain controller in a different site or there isn’t an available subnet for the current IP address, select the site in which you want to locate the domain controller.

  11. When you click Next, the wizard examines the DNS configuration and attempts to determine whether any authoritative DNS servers are available. It then displays the Additional Domain Controller Options page, shown in Figure 3-4. As permitted, select additional installation options for the domain controller and then click Next.

    Figure 3-4

    Figure 3-4. Specify the additional installation options.

  12. If you choose to let the wizard install the DNS Server service, note the following:

    1. The DNS Server service will be installed, and the domain controller will also act as a DNS server. A primary DNS zone will be created as an Active Directory–integrated zone with the same name as the new domain you are setting up. The wizard will also update the server’s TCP/IP configuration so that its primary DNS server is set to itself.

    2. During installation of the operating system, Windows Setup installs and configures IPv4 and IPv6 if networking components were detected. If you’ve configured dynamic IPv4, IPv6, or both addresses, you’ll see a warning. Click Yes to ignore the warning and continue.

    3. If you want to modify the TCP/IP configuration, click No to return to the Additional Domain Controller Options page and then make the appropriate changes to the system configuration before clicking Next to continue. If you configure a static IPv4 address but do not configure a static IPv6 address, you’ll also see the warning. To ignore the warning and continue with the installation, click Yes.

      NOTE

      At a minimum, you should configure a static IPv4 address before continuing. Click Start, type ncpa.cpl in the Search box, and then press Enter. In Network Connections, double-click Local Area Connection. In Local Area Connection Properties, click Properties and then double-click Internet Protocol Version 4 (TCP/IPv4), make any necessary changes, and then click OK. If you also want to configure a static IPv6 address, double-click Internet Protocol Version 6 (TCP/IPv6), make any necessary changes, and then click OK. If you decide not to configure a static IPv6 address, you may need to make changes to DNS records later if your organization starts using IPv6 addresses.

    4. The wizard next attempts to register a delegation for the DNS server with an authoritative parent zone. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to the DNS server and then click Yes to continue. Otherwise, you can ignore this warning and click Yes to continue.

  13. If you choose to not let the wizard install the DNS Server service, the wizard next attempts to register a delegation for the DNS server with an authoritative parent zone. If the wizard cannot create a delegation for the DNS server, it displays a warning message to indicate that you must create the delegation manually. Click No to return to the Additional Domain Controller Options page so you can select and install DNS Server services. To continue without installing DNS Server services, click Yes. Keep in mind that you’ll then need to manually configure the required DNS settings, including SRV and A resource records.

  14. If you selected Use Advanced Installation Mode, the Install From Media page is displayed, as shown in Figure 3-5. You can provide the location of installation media to be used to create the domain controller and configure AD DS, or you can have all of the replication done over the network. Even if you install from media, some data will be replicated over the network from a source domain controller. For more information about installing from media, see “Adding Writable Domain Controllers Using Installation Media.”

    Figure 3-5

    Figure 3-5. Set the installation mode.

  15. If you selected Use Advanced Installation Mode, the Source Domain Controller page is displayed. Select Any Writable Domain Controller or select This Specific Domain Controller to specify a source domain controller for replication. Then click Next. If you choose to install from media, only changes since the media was created will be replicated from this source domain controller. If you choose not to install from media, all data will be replicated from this source domain controller.

  16. On the Location For Database, Log Files, And SYSVOL page, shown in Figure 3-6, select a location to store the Active Directory database folder, log folder, and SYSVOL folder. The default location for the database and log folders is a subfolder of %SystemRoot%\NTDS. The default location for the SYSVOL folder is %SystemRoot%\Sysvol. You’ll get better performance if the database folder and log folder are on two separate volumes, each on a separate disk. Placement of the SYSVOL is less critical, and you can accept the default in most cases. Although you can change the storage locations later, the process is lengthy and complex.

    Figure 3-6

    Figure 3-6. Configure storage locations.

    NOTE

    Your organization should have a specific plan in place for sizing the server hardware and designating Active Directory storage locations. You’ll want to ensure the server you use is powerful enough to handle authentication, replication, and other directory duties. The server’s hard disk configuration should be optimized for storage of Active Directory data. Each storage volume should have at least 20 percent free storage space at all times. You may also want to use a redundant array of independent disks (RAID) to protect against disk failure.

  17. Click Next. On the Directory Services Restore Mode Administrator Password page, type and confirm the password that should be used when you want to start the computer in Directory Services Restore Mode. Be sure to track this password carefully. This special password is used only in Restore mode and is different from the Administrator account password. The password complexity and length must comply with the domain security policy.

  18. Click Next. On the Summary page, review the installation options. If desired, click Export Settings to save these settings to an answer file that you can use to perform unattended installation of other domain controllers. When you click Next again, the wizard will use the options you’ve selected to install and configure Active Directory. This process can take several minutes. If you specified that the DNS Server service should be installed, the server will also be configured as a DNS server at this time.

  19. When the wizard finishes configuring Active Directory, click Finish. You are then prompted to restart the computer. Click Restart Now to reboot.

After installing Active Directory, you should verify the installation. Start by examining the installation log, which is stored in the Dcpromo.log file in the %SystemRoot%\Debug folder. The log is very detailed and takes you through every step of the installation process, including the creation of directory partitions and the securing of the Registry for Active Directory.

Next, check the DNS configuration in the DNS console. DNS is updated to add SRV and A records for the server. Because you created a new domain, DNS is updated to include a forward lookup zone for the domain. You may also need to add a reverse lookup zone for the domain.

Check for updates in Active Directory Users and Computers. The Domain Controllers OU should have an account for the domain controller you installed.

Adding Writable Domain Controllers Using Installation Media

Performing an Active Directory installation from media allows the Active Directory Domain Services Installation Wizard to get the initial data for the Configuration, Schema, and Domain directory partitions, and optionally the SYSVOL, from the backup media rather than through a full synchronization over the network. In this way, you establish a domain controller using a media backup of another domain controller rather than using replication over the network. Although not designed to be used to restore failed domain controllers, this technique does help you rapidly establish additional domain controllers by reducing the amount of network traffic generated, accelerating the process of installing an additional domain controller, and getting the directory partition data synchronized.

You can use a 32-bit domain controller to generate installation media for a 64-bit domain controller, and vice versa. When installing Active Directory using a media backup, you’ll want to follow these guidelines:

  • Use the most recent media backup to reduce the number of updates that must be replicated.

  • Use a backup of a domain controller running the same operating system in the same domain in which the new domain controller is being created.

  • Copy the backup to a local drive on the server you are configuring. You cannot use backup media from Universal Naming Convention (UNC) paths or mapped drives.

  • Don’t use backup media that is older than the tombstone lifetime of the domain. The default value is 60 days. If you try to use backup media older than the tombstone lifetime, the Active Directory installation will fail.

You can create installation media by completing the following steps:

  1. Log on to a domain controller. On a writable domain controller, the account you use must be a member of the Administrators, Server Operators, Domain Admins, or Enterprise Admins group. On a read-only domain controller, a delegated user can create the installation media for another read-only domain controller.

  2. Click Start, right-click Command Prompt, and then click Run As Administrator to open an elevated command prompt. At the command prompt, type ntdsutil. This starts the Directory Services Management tool.

  3. At the ntdsutil prompt, type activate instance ntds. This sets Active Directory as the directory service instance to work with.

  4. Type ifm to access the install from media prompt. Then type one of the following commands, where FolderPath is the full path to the folder in which to store the Active Directory backup media files:

    • Create Full FolderPath. Creates a full writable installation media backup of Active Directory. You can use the media to install a writable domain controller or a read-only domain controller.

    • Create RODC FolderPath. Creates a read-only installation media backup of Active Directory. You can use the media to install a read-only domain controller. The backup media does not contain security credentials, such as passwords.

  5. Ntdsutil creates snapshots of Active Directory partitions. When it finishes creating the snapshots, Ntdsutil mounts the snapshots as necessary and then defragments the media backup of the Active Directory database. The progress of the defragmentation is shown by percent complete.

  6. Next, Ntdsutil copies registry data related to Active Directory. When it finishes this process, Ntdsutil unmounts any snapshots it was working with. The backup process should complete successfully. If it doesn’t, note and resolve any issues that prevented successful creation of the backup media, such as the target disk running out of space or insufficient permissions to copy to the folder path.

  7. Type quit at the ifm prompt and then type quit at the ntdsutil prompt.

  8. Copy the backup media to a local drive on the server for which you are installing Active Directory.

  9. On the server you want to make a domain controller, start the Active Directory Domain Services Installation Wizard in Advanced Installation mode. Follow all the same steps you would if you were adding a domain controller to the domain without media. After you select additional domain controller installation options and get past any DNS prompts, you see the Install From Media page. On this page, select Replicate From Media Stored At The Following Location, and then type the location of the backup media files or click Browse to find the backup media files.

  10. You can now complete the rest of the installation as discussed in the section titled “Adding Writable Domain Controllers Using Replication” earlier in this chapter. Continue with the rest of the steps and perform the postinstallation checks as well.

    Real World

    Objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required should be considerably less than the amount of replication required otherwise.

    The only data that must be fully replicated from another domain controller is the SYSVOL data. Although you can run Ntdsutil with an option to include the SYSVOL folder in the installation media, the SYSVOL folder from the installation media cannot be used because SYSVOL must be absent when the Active Directory Domain Services server role starts on a server running Windows Server 2008.

Adding Writable Domain Controllers Using Answer Files or the Command Line

On a Full Server or Core Server installation of Windows Server 2008, you can add domain controllers using an unattended installation or the command line. You must be logged on as the Domain Admins group in the domain.

With the unattended method of installation, you must first prepare an answer file that contains the desired configuration values. You can create the required answer file by completing the following steps:

  1. Open Notepad or any other text editor.

  2. On the first line, type [DCINSTALL], and then press Enter.

  3. Type the following entries, one entry on each line.

    ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=FQDNOfDCDomain
SiteName=SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=Yes
UserDomain=DomainOfAdminAccount
UserName=AdminAccountInDomainOfDC
Password=*
ReplicationSourceDC=SoureDCName
DatabasePath="LocalDatabasePath"
LogPath="LocalLogPath"
SYSV0LPath="LocalSysVolPath"
SafeModeAdminPassword=
RebootOnCompletion=Yes

    NOTE

    Values you must specify are shown in bold. You can set Password to * if you do not want to include it in the answer file. When you run Dcpromo to initiate the unattended installation, you will be prompted for the password.

    TIP

    SafeModeAdminPassword sets the Directory Services Restore Mode password in the answer file. If you don’t want to include the password, you can omit the password. However, you will need to use the /SafeModeAdminPassword command-line parameter to provide the password later when you run Dcpromo to initiate the unattended installation.

  4. If you want to configure the domain controller as a DNS server, add the following command.

    InstallDNS=yes

  5. If you want to configure the domain controller as a global catalog server, add the following command.

    ConfirmGC=yes

  6. If you are installing from media, you can refer to the location where you stored the installation media by using the following command.

    ReplicationSourcePath=FolderPathToMedia

  7. Save the answer file as a .txt file and then copy the file to a location accessible from the server you want to promote.

    The following is a complete example.

    ; Replica DC promotion
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=cpandl.com
SiteName=LA-First-Site
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=cpandl.com
UserName=cpandl.com\williams
Password=*
ReplicationSourceDC=CorpServer65.cpandl.com
DatabasePath="D:\Windows\NTDS"
LogPath="D:\Windows\NTDS"
SYSVOLPath="D:\Windows\SYSVOL"
; Set SafeModeAdminPassword later
SafeModeAdminPassword=

; Run-time flags (optional)
RebootOnCompletion=Yes

  8. After you create the answer file, you can start the unattended installation by entering the following at a command prompt:

    dcpromo /unattend:"PathToAnswerFile"

    where PathToAnswerFile is the full file path to the answer file, such as C:\data\newdc.txt.

At the command line, you can add a domain controller to a domain using the following command.

dcpromo /unattend
/ReplicaOrNewDomain:Replica
/ReplicaDomainDNSNamer:FQDNOfDCDomain
/SiteName:SiteName
/InstallDNS:Yes
/ConfirmGc:Yes
/CreateDNSDelegation:Yes
/UserDomain:DomainOfAdminAccount
/UserName:AdminAccountInDomainOfDC
/Password:"Password"
/ReplicationSourceDC:SoureDCName
/DatabasePath:"LocalDatabasePath"
/LogPath:"LocalLogPath"
/SYSVOLPath:"LocalSysVolPath"
/SafeModeAdminPassword:"Password"
/RebootOnCompletion:Yes

If you are installing from media, you can refer to the location where you stored the installation media by using the following command.

/ReplicationSourcePath:FolderPathtoMedia

When the unattended installation or command-line execution completes, Dcpromo exits with a return code. A return code of 1 to 10 indicates success. A return code of 11 to 100 indicates failure. Note any related error text and take appropriate corrective action as necessary.

Save to your account

This chapter is from the book