Week 2 - Domain Controllers and Operations Masters
• Domain Controller Installation Options
• Install a Server Core DC
• Manage Operations Masters
Install and Configure a Domain Controller
1. Install the Active Directory Domain Services role using the Server Manager
2. Run the Active Directory Domain Services Installation Wizard (dcpromo.exe)
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator Password
Prepare to Create a New Forest with Windows Server 2008
• Domain’s DNS name (e.g. contoso.com)
• Domain’s NetBIOS name (e.g. contoso)
• Whether the new forest will need to support DCs running previous versions of Windows (affects the choice of functional level)
• Details about how DNS will be implemented to support AD DS
  – Default: creating the domain controller also adds the DNS Server role
• IP configuration for the DC
  – IPv4 and, optionally, IPv6
• Username and password of an account in the server’s Administrators group. The account must have a password.
• Location for the data store (ntds.dit) and SYSVOL
  – Default: %systemroot% (c:\windows)
Unattended Installation Options and Answer Files
• Options can be specified at the command line
  – /option:value – for example, /newdnsdomainname:contoso.com
  – dcpromo.exe /?[:operation] for help
• Options can be specified in an answer file
  [DCINSTALL]
  NewDomainDNSName=contoso.com
  – and called using dcpromo.exe /unattend:"path to answer file"
• Options on the command line override the answer file
• Options not specified will be prompted for by the wizard
Install a New Windows Server 2008 Forest
• Answer file:
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=fqdn
DomainNetBiosName=name
ForestLevel={0, 2, 3}
DomainLevel={0, 2, 3}
InstallDNS=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
  – Run with: dcpromo.exe /unattend:"path"
• Command line:
dcpromo.exe /unattend /installDNS:yes /dnsOnNetwork:yes /replicaOrNewDomain:domain /newDomain:forest /newDomainDnsName:contoso.com /DomainNetbiosName:contoso /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:password /forestLevel:3 /domainLevel:3 /rebootOnCompletion:yes
Prepare an Existing Domain for Windows Server 2008 DCs
• ADPrep (adprep.exe) prepares AD DS for the first DC running a version of Windows newer than the current DCs
  – Located in the DVD:\sources folder
• adprep /forestprep
  – Log on to the Schema master (see Lesson 3) as a member of Enterprise Admins, Schema Admins, and Domain Admins
  – Run once per forest. Wait for the change to replicate.
• adprep /domainprep /gpprep
  – Log on to the Infrastructure master as a member of Domain Admins
  – Run once per domain. Wait for the change to replicate.
• adprep /rodcprep
  – Log on to any computer as a member of Enterprise Admins
  – Run once per forest. Wait for the change to replicate.
Install an Additional DC in a Domain
• Answer file:
[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
  – Run with: dcpromo.exe /unattend:"path"
• Command line:
dcpromo.exe /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:contoso.com /installDNS:yes /confirmGC:yes /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:password /rebootOnCompletion:yes
Install a New Windows Server 2008 Child Domain
• Answer file:
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=child
ParentDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
ChildName=name*
DomainNetBiosName=name
DomainLevel={0,2,3}*
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username
DNSDelegationPassword=password*
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
  – Run with: dcpromo.exe /unattend:"path"
• Command line:
dcpromo.exe /unattend /installDNS:yes /replicaOrNewDomain:domain /newDomain:child /ParentDomainDNSName:contoso.com /newDomainDnsName:na.contoso.com /childName:subsidiary /DomainNetbiosName:subsidiary /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:password /forestLevel:3 /domainLevel:3 /rebootOnCompletion:yes
Install a New Domain Tree in a Forest
• Answer file:
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=tree
NewDomainDNSName=fqdn
DomainNetBiosName=name
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
DomainLevel={0,2,3}*
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username
DNSDelegationPassword=password*
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
  – Run with: dcpromo.exe /unattend:"path"
• Command line:
dcpromo.exe /unattend /installDNS:yes /replicaOrNewDomain:domain /newDomain:tree /newDomainDnsName:tailspintoys.com /DomainNetbiosName:tailspintoys /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:password /domainLevel:2 /rebootOnCompletion:yes
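The answer-file listings above (new forest, additional DC, child domain, domain tree) share one format and one operational risk: any option the file does not supply is prompted for, which breaks a truly unattended run, and any password written into the file is a cleartext secret on disk. The following script, an added example that is not part of the course material, parses a [DCINSTALL] file, checks that the keys each deployment type needs are present, validates the {0, 2, 3} functional-level values, and flags every password key whose value is not `*` (the prompt convention the lesson uses on the command line as /password:*). The required-key table is derived from the listings above; treating those keys as mandatory, and treating `*` as "prompt" for every password key, are this example's assumptions. The two sample answer files are constructed.

```python
"""Lint a dcpromo [DCINSTALL] answer file before it is handed to dcpromo /unattend.

Added example, not course material. The required-key table is taken from the
answer-file listings in this lesson; which keys dcpromo itself insists on is an
assumption here, but any key it does not find it prompts for, which breaks a
fully unattended run.
"""
import configparser
from typing import Dict, List

COMMON = ["DatabasePath", "LogPath", "SYSVOLPath", "SafeModeAdminPassword"]
CREDS = ["UserDomain", "UserName", "Password"]
# (ReplicaOrNewDomain, NewDomain) -> keys a fully unattended run must supply
REQUIRED = {
    ("domain", "forest"): ["NewDomainDNSName", "DomainNetBiosName", "ForestLevel", "DomainLevel"] + COMMON,
    ("domain", "child"): ["ParentDomainDNSName", "ChildName", "DomainNetBiosName", "DomainLevel"] + CREDS + COMMON,
    ("domain", "tree"): ["NewDomainDNSName", "DomainNetBiosName", "DomainLevel"] + CREDS + COMMON,
    ("replica", None): ["ReplicaDomainDNSName"] + CREDS + COMMON,
}
# Keys whose value is a credential; '*' means "prompt at run time" instead of storing it
# (assumption: the lesson shows * only for /password on the command line).
SECRET_KEYS = ("Password", "SafeModeAdminPassword", "DNSDelegationPassword", "AdministratorPassword")
LEVEL_KEYS = ("ForestLevel", "DomainLevel")
VALID_LEVELS = {"0", "2", "3"}   # the {0, 2, 3} choices shown in the listings


def parse_answer_file(text: str) -> Dict[str, str]:
    """Return the [DCINSTALL] key/value pairs, keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None)   # keep $ and % literal in passwords
    cp.optionxform = str
    cp.read_string(text)
    if not cp.has_section("DCINSTALL"):
        raise ValueError("answer file has no [DCINSTALL] section")
    return {k: v.strip() for k, v in cp["DCINSTALL"].items()}


def lint(answers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the file looks complete."""
    findings: List[str] = []
    op = answers.get("ReplicaOrNewDomain", "").lower()
    new = answers.get("NewDomain", "").lower() or None
    required = REQUIRED.get((op, new if op == "domain" else None))
    if required is None:
        return [f"unknown deployment type ReplicaOrNewDomain={op!r} NewDomain={new!r}"]
    for key in required:
        if not answers.get(key):
            findings.append(f"{op}/{new or '-'}: required key {key} is missing")
    for key in LEVEL_KEYS:
        if key in answers and answers[key] not in VALID_LEVELS:
            findings.append(f"{key}={answers[key]} is not one of 0, 2, 3")
    for key in SECRET_KEYS:
        if key in answers and answers[key] != "*":
            findings.append(f"{key} stores a cleartext secret; use * to be prompted, or protect and delete the file after use")
    return findings


def lint_text(text: str) -> List[str]:
    """Parse and lint an answer file given as text."""
    return lint(parse_answer_file(text))


# Constructed sample: a complete new-forest file that writes the DSRM password to disk.
SAMPLE_FOREST = r"""[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=contoso.com
DomainNetBiosName=contoso
ForestLevel=3
DomainLevel=3
InstallDNS=yes
DatabasePath="e:\ntds"
LogPath="f:\ntdslogs"
SYSVOLPath="g:\sysvol"
SafeModeAdminPassword=Pa$$w0rd
RebootOnCompletion=yes
"""

# Constructed sample: an additional-DC file that prompts for passwords but omits SYSVOLPath.
SAMPLE_REPLICA = r"""[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=contoso.com
UserDomain=contoso.com
UserName=CONTOSO\dan
Password=*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="e:\ntds"
LogPath="f:\ntdslogs"
SafeModeAdminPassword=*
RebootOnCompletion=yes
"""

if __name__ == "__main__":
    for name, text in (("forest", SAMPLE_FOREST), ("replica", SAMPLE_REPLICA)):
        print(name, lint_text(text) or ["ok"])
```

Run it against a real answer file by reading the file into `lint_text`; an empty result means every key the lesson's listing expects is present and no password is stored in the file.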
Install AD DS from Media
• Install from media (IFM)
  – Create installation media—a specialized AD DS backup
  – Use the installation media for creation of the DC
  – Significantly reduces over-the-network replication
• The DC will still need to replicate any changes made after the backup
• ntdsutil – activate instance ntds – ifm
  – create sysvol full path : media with SYSVOL for a writable DC
  – create full path : media without SYSVOL for a writable DC
  – create sysvol rodc path : media with SYSVOL for a read-only DC
  – create rodc path : media without SYSVOL for a read-only DC
• In the Active Directory Domain Services Installation Wizard, select Use Advanced Mode
  – Or use the ReplicationSourcePath option/switch
Authentication and Domain Controller Placement in a Branch Office
• Data center: personnel on site; secure facilities
• Branch office: few, if any, personnel; less secure facilities
• Without a DC in the branch: authentication of branch users is subject to the availability and performance of the WAN
• With a DC in the branch:
  – Improved authentication
  – Security: exposure of the AD database
  – Directory service integrity: corruption at the branch replicating to other DCs
  – Administration: administration requires Domain Admins membership
Read-Only Domain Controllers
• Data Center: writeable Windows Server 2008 DC
  – Password Replication Policy (PRP): specifies which user (and computer) passwords can be cached by the RODC
• Branch office: RODC
  – All objects, but only a subset of attributes; no "secrets"
  – Not writeable
  – Users log on; the RODC forwards authentication to the writeable DC
  – The password is cached if the PRP allows
  – Has a local Administrators group
Deploy an RODC
1. Ensure the forest functional level is Windows Server 2003 or higher
   – All domain controllers running Windows Server 2003 or later
   – All domains at a functional level of Windows Server 2003 or higher
   – Forest functional level set to Windows Server 2003 or higher
2. Ensure that there is at least one writeable DC running Windows Server 2008
   – If not, run adprep /forestprep and install one Windows Server 2008 writeable DC
3. If the forest has any DCs running Windows Server 2003, run adprep /rodcprep
   – Found in the Windows Server 2008 CD:\sources\adprep folder
4. Install the RODC
   – Active Directory Domain Services Installation Wizard (dcpromo)
   – Or stage the installation of an RODC from the Domain Controllers OU
Stage the Installation of an RODC
• Create the account for the RODC
  – Right-click the Domain Controllers OU → Pre-Create Read-only Domain Controller Account
  – Delegation of RODC Installation and Administration
    • Delegate to a group
    • Members of the group can join the RODC to the domain
    • Members of the group are local Administrators after the join
• Attach the server to the RODC account
  – The server must be a member of a workgroup
  – dcpromo /UseExistingAccount:attach
Attach a Server to a Prestaged RODC Account
• Answer file:
[DCINSTALL]
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes
  – Run with: dcpromo.exe /useexistingaccount:attach /unattend:"path"
• GUI Active Directory Domain Services Wizard: dcpromo.exe /useexistingaccount:attach
• Command line:
dcpromo.exe /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:contoso.com /UserDomain:contoso.com /UserName:contoso\dan /password:* /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:password /rebootOnCompletion:yes
Remove a Domain Controller
• Answer file:
[DCINSTALL]
UserName=DOMAIN\username*
UserDomain=fqdn
Password=password*
AdministratorPassword=password*
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username
DNSDelegationPassword=password*
  – Run with: dcpromo.exe /uninstallbinaries /unattend:"path"
• GUI Active Directory Domain Services Wizard: dcpromo.exe
• Command line: dcpromo.exe /uninstallbinaries
  – For example: dcpromo.exe /unattend /uninstallbinaries /UserName:contoso\dan /password:* /administratorpassword:Pa$$w0rd
• If the DC cannot contact the domain: dcpromo /forceremoval
  – Then you must clean up metadata: KB 216498
Understand Server Core
• Minimal installation: 3 GB disk space, 256 MB RAM
• No GUI: command-line local UI. GUI tools can be used remotely.
• Roles
  – Active Directory Domain Services
  – Active Directory AD LDS
  – DHCP Server
  – DNS Server
  – File Services
  – Print Server
  – Streaming Media Services
  – Web Server: HTML. R2 adds .NET
  – Hyper-V
• Features
  – Microsoft Failover Cluster
  – Network Load Balancing
  – Subsystem for UNIX applications
  – Windows Backup
  – Multipath I/O
  – Removable Storage Management
  – Windows BitLocker Drive Encryption
  – SNMP
  – WINS
  – Telnet client
  – Quality of Service (QoS)
Install Server Core
• Select the Server Core Installation option in Windows setup
Server Core Configuration Commands
Task                                                Command
Change the Administrator password                   net user administrator *
                                                    (When you log on with Ctrl+Alt+Delete you will be prompted to change the password; the command is the alternative.)
Set a static IPv4 configuration                     netsh interface ipv4
Activate Windows Server                             cscript c:\windows\system32\slmgr.vbs -ato
Join a domain                                       netdom
Add Server Core roles, components, or features      ocsetup.exe <package or feature>
                                                    (Package and feature names are case sensitive.)
Display installed roles, components, and features   oclist.exe
Enable Remote Desktop                               cscript C:\windows\system32\scregedit.wsf /AR 0
Promote a domain controller                         dcpromo.exe
Configure DNS                                       dnscmd.exe
Configure DFS                                       dfscmd.exe
Understand Single Master Operations
• In any multimaster replication topology, some operations must be “single master”
• Many terms are used for single master operations in AD DS
  – Operations master (or operations master roles)
  – Single master roles
  – Operations tokens
  – Flexible single master operations (FSMOs)
• Roles
  – Forest: domain naming, schema
  – Domain: relative identifier (RID), infrastructure, PDC emulator
Operations Master Roles
• Forest-wide
  – Domain naming: adds/removes domains to/from the forest
  – Schema: makes changes to the schema
• Domain-wide
  – RID: provides “pools” of RIDs to DCs, which use them for SIDs
  – Infrastructure: tracks changes to objects in other domains that are members of groups in this domain
  – PDC: plays several very important roles
    • Emulates a Primary Domain Controller (PDC): compatibility
    • Special password update handling
    • Default target for Group Policy updates
    • Master time source for the domain
    • Domain master browser
Optimize the Placement of Operations Masters
• The forest root DC (first DC in the forest) has all roles by default
• Best practice guidance
  – Co-locate the schema master and domain naming master on a GC
  – Co-locate the RID master and PDC emulator roles
  – Place the infrastructure master on a DC that is not a GC*
  – Have a failover plan
• * Real-world enhancements to best-practice guidance
  – Consider configuring all DCs as GCs
    • In a single-domain forest, this doesn’t increase replication traffic
  – If all DCs are GCs, the infrastructure master role is not “necessary”
    • It still exists, but does not start on a GC and isn’t needed
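The placement rules above are easy to state and easy to drift away from as DCs are added and GC status is toggled. The script below, an added example rather than course material, reads the output of netdom query fsmo (listed under "Identify Operations Masters" later in this lesson), joins it with an inventory of DCs and their GC status, and reports deviations from the guidance: schema and domain naming masters not co-located or not on a GC, RID and PDC not co-located, and an infrastructure master on a GC while other DCs in the domain are not (with the "all DCs are GCs" exception). The inventory, the netdom sample output and the DC names are constructed for the example; the role labels the parser looks for are an assumption about netdom's output format, so adjust NETDOM_LABELS if your version prints them differently.

```python
"""Check operations master placement against the best-practice guidance above.

Added example, not course material. Constructed inventory and sample output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Labels as printed by 'netdom query fsmo' (assumed format), mapped to short role names.
NETDOM_LABELS = {
    "Schema master": "Schema",
    "Domain naming master": "DomainNaming",
    "PDC": "PDC",
    "RID pool manager": "RID",
    "Infrastructure master": "Infrastructure",
}


@dataclass
class DomainController:
    name: str      # FQDN, compared case-insensitively
    is_gc: bool    # whether the DC is a global catalog server


def parse_netdom_fsmo(output: str) -> Dict[str, str]:
    """Map role -> holder FQDN from netdom query fsmo text (two columns, space separated)."""
    holders: Dict[str, str] = {}
    for line in output.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 2 and parts[0] in NETDOM_LABELS:
            holders[NETDOM_LABELS[parts[0]]] = parts[1].lower()
    return holders


def check_placement(dcs: List[DomainController], holders: Dict[str, str]) -> List[str]:
    """Return findings for one domain; an empty list means placement follows the guidance."""
    by_name = {dc.name.lower(): dc for dc in dcs}
    findings: List[str] = []

    for role, name in holders.items():
        if name not in by_name:
            findings.append(f"{role} holder {name} is not in the DC inventory")

    def holder(role: str):
        return by_name.get(holders.get(role, ""))

    # Forest-wide roles: together, and on a GC.
    schema, naming = holder("Schema"), holder("DomainNaming")
    if schema and naming and schema is not naming:
        findings.append(f"schema master ({schema.name}) and domain naming master ({naming.name}) are not co-located")
    for dc in (schema, naming):
        if dc and not dc.is_gc:
            msg = f"{dc.name} holds a forest-wide role but is not a GC"
            if msg not in findings:
                findings.append(msg)

    # RID master and PDC emulator: together.
    rid, pdc = holder("RID"), holder("PDC")
    if rid and pdc and rid is not pdc:
        findings.append(f"RID master ({rid.name}) and PDC emulator ({pdc.name}) are not co-located")

    # Infrastructure master: not on a GC, unless every DC in the domain is a GC.
    infra = holder("Infrastructure")
    if infra and infra.is_gc and not all(dc.is_gc for dc in dcs):
        findings.append(f"infrastructure master {infra.name} is a GC while some DCs are not: "
                        "the role does not start on a GC, so cross-domain group references go stale")
    return findings


def audit(netdom_output: str, dcs: List[DomainController]) -> List[str]:
    """Convenience wrapper: parse netdom output, then check placement."""
    return check_placement(dcs, parse_netdom_fsmo(netdom_output))


# Constructed inventory: three DCs in one domain, one of them not a GC.
SAMPLE_DCS = [
    DomainController("dc01.contoso.com", is_gc=True),
    DomainController("dc02.contoso.com", is_gc=False),
    DomainController("dc03.contoso.com", is_gc=True),
]

# Constructed sample in the shape of 'netdom query fsmo' output.
SAMPLE_NETDOM_OUTPUT = """\
Schema master               DC01.contoso.com
Domain naming master        DC02.contoso.com
PDC                         DC01.contoso.com
RID pool manager            DC01.contoso.com
Infrastructure master       DC03.contoso.com
The command completed successfully.
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_NETDOM_OUTPUT, SAMPLE_DCS):
        print("-", finding)
```

Against the constructed sample the check reports three findings: the two forest-wide roles are split across dc01 and dc02, dc02 is not a GC, and the infrastructure master sits on a GC while dc02 is not one. Moving domain naming to dc01 and infrastructure to dc02 clears all three.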
Identify Operations Masters
• User interface tools
  – PDC Emulator: Active Directory Users And Computers
  – RID: Active Directory Users And Computers
  – Infrastructure: Active Directory Users And Computers
  – Schema: Active Directory Schema
  – Domain Naming: Active Directory Domains and Trusts
• Command line tools
  – NTDSUtil
  – DCDiag
  – netdom query fsmo
Transfer Operations Master Roles
• Transfer roles in these scenarios
  – To distribute roles away from the forest root DC
  – Prior to taking a role-holding DC offline for maintenance
  – Prior to demoting a role-holding DC
• Procedure
  – Ensure that the new role holder is up to date with replication from the current role holder
  – Open the appropriate administrative snap-in
  – Connect to the target domain controller
  – Open the Operations Master dialog box and click Change
  – Or use NTDSUtil to transfer the master
Seize Operations Master Roles
• Recognize operations master failures
  – Typically you notice when you attempt to perform an action for which the master is responsible, and receive an error
• Respond to an operations master failure
  – Determine whether the DC can be brought online, and when
  – Evaluate whether the enterprise can continue to function temporarily without the DC
  – See the Student Manual for specific guidance
• Seize the role using NTDSUtil
  – Refer to the procedure in the Student Manual
• Return a role to its original holder?
  – Only for the PDC and Infrastructure tokens
  – If Schema, RID, or domain naming have been seized, you must decommission the failed DC offline, then re-promote it
Raise the Domain Functional Level
• All domain controllers in the domain must be Windows Server 2008 or greater
  – DCs in other domains and member server OSs don’t matter
• Active Directory Domains And Trusts
  – Right-click the domain → Raise Domain Functional Level