
Lesson 2: Deploying domain controllers using Server Manager

Server Manager provides an easy way to deploy Windows Server 2012 domain controllers. Server Manager is mainly intended for managing small and midsized environments where the automation of domain controller deployment is not required. This lesson demonstrates how to use Server Manager to deploy domain controllers in both new and existing forests.

After this lesson, you will be able to

  • Use Server Manager to prepare your Windows Server 2012 environment for domain controller deployment.

  • Install the Active Directory Domain Services role using the Add Roles And Features Wizard of Server Manager.

  • Promote servers to domain controllers using the Active Directory Domain Services Configuration Wizard of Server Manager.

  • Verify the promotion of servers to domain controllers.

  • Demote domain controllers, and remove the Active Directory Domain Services role.

Estimated lesson time: 30 minutes

Preparing for domain-controller deployment

The steps for preparing to deploy Windows Server 2012 domain controllers using Server Manager differ depending on whether you are deploying the first domain controller in a new forest, deploying additional domain controllers in the new forest, or deploying domain controllers in an existing forest whose domain controllers are running an earlier version of Windows Server.

Preparing for deploying the first domain controller in a new forest

To deploy the first Windows Server 2012 domain controller in a new forest, you should either log on locally to the server or connect to it using Remote Desktop. No other preparation is needed for this scenario.

Preparing for deploying additional domain controllers in the new forest

After you create a new forest by deploying your first Windows Server 2012 domain controller, you can use Server Manager to deploy additional domain controllers in an existing domain, create new child domains, or create new tree domains. These tasks can be performed remotely by using Server Manager on any Windows Server 2012 domain controller or member server, or on a Windows 8 client computer that has the Remote Server Administration Tools (RSAT) installed.

The recommended steps for preparing to use Server Manager to deploy additional domain controllers are as follows:

  1. Make sure you have the appropriate credentials for the task you are going to perform. For example, if you are going to add additional domain controllers to an existing domain, make sure you have Domain Admin credentials for that domain. If you are going to create a new child domain, make sure you have Enterprise Admin credentials.

  2. Add the remote servers you’ll be promoting to domain controllers to the server pool so that you can manage them remotely using Server Manager.

  3. Create a new server group for the remote servers you’ll be promoting to domain controllers, and add the servers to the server group. Doing this makes it easier to promote multiple remote servers to domain controllers simultaneously.

Preparing for deploying domain controllers in an existing forest

Adding Windows Server 2012 domain controllers to an existing forest or domain running an earlier version of Windows Server first requires that the existing Active Directory schema be extended. In previous versions of Windows Server, Adprep.exe was used for extending the schema. Adprep is a command-line tool that was available in the \support\adprep folder of Windows Server 2008 R2 installation media or in the \sources\adprep folder of Windows Server 2008 installation media. The Adprep command uses parameters such as /forestprep and /domainprep to prepare an existing forest for the introduction of a domain controller running a newer version of Windows Server.

Beginning with Windows Server 2012, however, Adprep is now run automatically as needed when you deploy a new Windows Server 2012 domain controller in an existing forest or domain running an earlier version of Windows Server. This change simplifies the task of adding Windows Server 2012 domain controllers to an existing forest or domain running an earlier version of Windows Server because you no longer need to manually run Adprep before introducing the new domain controllers into your forest.

Adprep is also available as a standalone command-line tool in the \support\adprep folder of Windows Server 2012 installation media. The standalone version of Adprep is required for certain scenarios, such as performing an in-place upgrade of your first Windows Server 2012 domain controller, where you must run Adprep manually to prepare your forest and its domains before you begin upgrading your existing domain controllers to Windows Server 2012.

Note

Adprep syntax

To display the syntax and usage examples for Adprep, type <drive>\support\adprep\adprep at a command prompt where drive is the letter for the drive where your Windows Server 2012 installation media can be found.

The Windows Server 2012 version of Adprep can be used to extend the schema of an existing forest whose domain controllers are running any of the following versions of Windows Server:

  • Windows Server 2008 R2

  • Windows Server 2008

  • Windows Server 2003 R2

  • Windows Server 2003

However, the following considerations apply when running the Windows Server 2012 version of Adprep:

  • You must have the credentials of a member of the Enterprise Admins group to run the Adprep /forestprep command.

  • Adprep can be run on any server (domain controller, member server, or standalone server) that is running a 64-bit version of Windows Server 2008 or later. You cannot run Adprep on a server running Windows Server 2003 or a 32-bit version of Windows Server 2008.

  • The server you run Adprep on must have network connectivity to the schema master of the existing forest.

  • The server you run Adprep on must have network connectivity to the infrastructure master of the existing domain where you want to add a new Windows Server 2012 domain controller.

Note

REAL WORLD Verifying Adprep

The Dsquery.exe command-line tool can be used to verify whether Adprep has extended your forest’s schema. For example, let’s say your existing forest has domain controllers running Windows Server 2008 R2. To determine the current schema level of your forest, open a command prompt on one of your domain controllers and run the following command:

dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -scope base -attr objectVersion

The output from this command looks like this:

objectVersion
47

Now take a server running Windows Server 2012, join it to a domain in your forest, and use Server Manager to promote the server to a domain controller. After you finish introducing the new domain controller into your forest, re-run the preceding dsquery command on the domain controller you previously ran it on. The output from the command looks like this:

objectVersion
56

The version number 56 indicates that the schema of your forest has been extended to include domain controllers running Windows Server 2012.
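As an added example (not from the book), the same check done with the Active Directory PowerShell module instead of Dsquery, with the objectVersion number mapped to the Windows Server release that produced it. The version table holds Microsoft's documented values (47 and 56 are the two the lesson shows); the function names are this example's own.

```powershell
# Added example: check whether Adprep has extended the forest schema, the way the
# dsquery command above does, but via the ActiveDirectory module (AD DS / RSAT tools).
Import-Module ActiveDirectory

# Documented schema objectVersion values; 47 and 56 are the two the lesson shows.
$schemaVersions = @{
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
}

function Get-ForestSchemaVersion {
    param([string]$Server)   # optional DC to query; omitted = any available DC
    $target = @{}
    if ($Server) { $target['Server'] = $Server }

    # The Schema container is cn=schema,cn=configuration,<forest root DN>, exactly the
    # object the dsquery command reads with -scope base. Take the DN from RootDSE so the
    # forest name does not have to be hard-coded.
    $rootDse  = Get-ADRootDSE @target
    $schemaDn = $rootDse.schemaNamingContext
    $schema   = Get-ADObject -Identity $schemaDn -Properties objectVersion @target
    $version  = [int]$schema.objectVersion

    [PSCustomObject]@{
        QueriedDC     = $rootDse.dnsHostName
        SchemaDN      = $schemaDn
        ObjectVersion = $version
        SchemaLevel   = if ($schemaVersions.ContainsKey($version)) { $schemaVersions[$version] }
                        else { 'unknown (newer than this table)' }
        Ready2012     = ($version -ge 56)   # 56 or higher: 2012 DCs can be introduced
    }
}

# Typical use: record the level before the first 2012 DC is promoted, then confirm
# afterwards. Schema changes replicate out from the schema master, so a DC that has
# not replicated yet can still report the old number for a while.
$before = Get-ForestSchemaVersion
$before

# ... promote the Windows Server 2012 domain controller with Server Manager ...

$after = Get-ForestSchemaVersion -Server $before.QueriedDC
if ($after.ObjectVersion -gt $before.ObjectVersion) {
    "Schema extended: $($before.ObjectVersion) ($($before.SchemaLevel)) -> $($after.ObjectVersion) ($($after.SchemaLevel))"
} else {
    Write-Warning "objectVersion still $($after.ObjectVersion) on $($after.QueriedDC); check inbound replication with repadmin /showrepl"
}
```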

Quick check

  • When deploying additional domain controllers in a forest using Server Manager, why should you create a server group using Server Manager for the remote servers you’ll be promoting to domain controllers?

Quick check answer

  • So that you can more easily promote them remotely as domain controllers and manage them.

Installing the AD DS role

Before you can promote a server to domain controller, you must first install the Active Directory Domain Services role on the server. To do this using Server Manager, select Add Roles And Features from the Manage menu to launch the Add Roles And Features Wizard. On the Select Server Roles page of the wizard, select the Active Directory Domain Services role and confirm the installation of the tools for managing AD DS as shown in Figure 4-2.

Figure 4-2. Installing the AD DS role together with the role-management tools.

Running the AD DS Configuration Wizard

When you complete the installation of the role, the final page of the Configuration Wizard prompts you to promote the server to a domain controller. If you close the wizard at this point, you can still access the link to promote the server from the Notifications menu of Server Manager as shown in Figure 4-3.

Figure 4-3. You can use the Notifications menu to promote the server to a domain controller.

Clicking the link to promote the server to a domain controller launches the AD DS Configuration Wizard. The steps of this wizard depend on which type of domain-controller deployment scenario you are performing. The upcoming sections cover the following scenario types:

  • First domain controller in new forest

  • Additional domain controller in new domain

  • First Windows Server 2012 domain controller in an existing forest

First domain controller in new forest

After the AD DS role has been added to the server, using the AD DS Configuration Wizard to promote the server to the first domain controller for a new forest involves the following steps:

  1. On the Deployment Configuration page of the wizard, shown in Figure 4-4, select the Add A New Forest option and specify the root domain for your new forest. Then proceed through the wizard and perform the steps that follow.

    Figure 4-4. Deploying the first domain controller for a new forest using the AD DS Configuration Wizard.
  2. On the Domain Controller Options page, specify a functional level for your new forest and root domain. The default forest and functional levels are Windows Server 2012. If you have no domain controllers running earlier versions of Windows Server in your environment, you should leave the defaults unchanged.

  3. On the same page, specify whether your domain controller should also be a DNS server. Microsoft recommends that all domain controllers also be DNS servers to ensure AD DS availability.

  4. On the same page, note that the first domain controller must be a global catalog server and that it cannot be an RODC.

  5. On the same page, enter a password for the Directory Services Restore Mode (DSRM) administrator account.

  6. On the DNS Options page, specify DNS delegation options if you are integrating AD DS with an existing DNS infrastructure. To do this, you can manually create a delegation for your new DNS server in its authoritative parent zone to ensure reliable name resolution from outside your AD DS environment. For example, if the root domain name of your new forest is corp.contoso.com as shown in Figure 4-4, you create a delegation for your DNS server in the authoritative parent zone on the DNS server that manages the public contoso.com domain for your organization.

  7. On the Additional Options page, the wizard suggests a NetBIOS name for your forest root domain. You can either accept what the wizard suggests or specify a different name of up to 15 Internet-standard characters (A–Z, a–z, 0–9, and “-” but not entirely numeric).

  8. On the Paths page, specify the location of the AD DS database, log files, and SYSVOL or accept the defaults.

  9. The Review Options page displays the results of your selections.

  10. The Prerequisites Check page verifies that all prerequisites have been met for successfully deploying the domain controller. See Figure 4-1 earlier in this chapter for an example of what this wizard page looks like.

  11. Clicking Install promotes the server to a domain controller and automatically reboots the server at the end of the promotion operation.

Note

REAL WORLD Windows PowerShell behind the wizard

The AD DS Configuration Wizard is built entirely on Windows PowerShell. In other words, you can think of the wizard as a UI that simply runs a Windows PowerShell command whose parameters are determined by the selections you made on the different wizard pages. On the Review Options page of the wizard, you can click View Script to display the Windows PowerShell script in Notepad. For example, if you are deploying the first domain controller for a new forest whose forest root domain is corp.contoso.com, the script that performs this action looks like this:

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "corp.contoso.com" `
-DomainNetbiosName "CORP" `
-ForestMode "Win2012" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

Being able to view the script behind the wizard provides several benefits. First, it enables you to quickly learn the syntax of Windows PowerShell cmdlets for AD DS deployment. And second, you can copy these scripts, customize them, and use them to automate the deployment of other domain controllers in your environment.

Note

MORE INFO Naming your new forest

For some recommendations on how to name the forest root domain of a new forest, see the topic “Selecting the Forest Root Domain” in the TechNet Library at http://technet.microsoft.com/en-us/library/cc726016(v=WS.10).aspx.

Additional domain controller in new domain

After you deploy the first domain controller for a new domain or forest, you should deploy at least one additional domain controller in the domain for fault tolerance. After adding the AD DS role to the server that will become the additional domain controller, you can use the AD DS Configuration Wizard to promote the server to be an additional domain controller for the domain using the following steps:

  1. On the Deployment Configuration page of the wizard, shown in Figure 4-5, select the Add A Domain Controller To An Existing Domain option. Specify the domain you want to add the new domain controller to, and if your current logon credentials have insufficient privileges to perform the operation, click Change and specify suitable credentials.

    Figure 4-5. Deploying an additional domain controller to an existing domain.
  2. On the Domain Controller Options page, specify whether your domain controller should also be a DNS server. (This option is selected by default.)

  3. Also on this page, specify whether your domain controller should also be a global catalog server. (This option is selected by default.)

  4. Also on this page, specify whether your domain controller should also be an RODC. You should have at least two writeable domain controllers in every domain in your forest, so do not select this option if this is the second domain controller for your domain.

  5. Also on this page, specify the name of the existing AD DS site the new domain controller should belong to. (The default is Default-First-Site-Name.)

  6. Also on this page, enter a password for the DSRM administrator account.

  7. On the DNS Options page, specify DNS delegation options if you are integrating AD DS with an existing DNS infrastructure.

  8. On the Additional Options page, select the Install From Media (IFM) option if you used the Ntdsutil.exe tool to create installation media for additional domain controllers that you are deploying in the domain. You can use the Install From Media (IFM) option to minimize the replication of directory data over your network, which helps make deploying additional domain controllers at remote sites more efficient. If you are deploying additional domain controllers at your organization’s hub site (its headquarters or central office), however, you would generally not use the IFM option.

  9. Also on this page, if you are not using the IFM option for deploying additional domain controllers, you can select which domain controller in your domain the new additional domain controller should use as an initial replication partner for pulling down a copy of the AD DS database. By default, your new domain controller replicates from any available domain controller in the domain, but you also have the option of specifying a particular domain controller as its initial replication partner.

  10. Complete the remaining steps of the wizard to deploy the additional domain controller to the domain.
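The earlier "Windows PowerShell behind the wizard" note shows the script for a new forest; as an added example (not the book's script), here is the scripted equivalent of the ten steps above for an additional domain controller, driven from a management host against servers in a server group the way Server Manager does it. The server names, site name and replication source are placeholders chosen for this example.

```powershell
# Added example: scripted equivalent of the "additional domain controller" wizard
# walkthrough, run remotely from a management host. Names below are placeholders.
$targets  = 'SEA-SRV-2', 'SEA-SRV-3'        # members of the server group to promote
$domain   = 'corp.contoso.com'              # Deployment Configuration page: existing domain
$site     = 'Default-First-Site-Name'       # Domain Controller Options page: AD DS site
$sourceDc = 'SEA-DC-1.corp.contoso.com'     # Additional Options page: initial replication partner
$cred     = Get-Credential -Message "Domain Admin credentials for $domain"
$dsrmPwd  = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'

foreach ($server in $targets) {
    # Add Roles And Features Wizard equivalent: the role plus its management tools.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools `
        -ComputerName $server -Credential $cred | Out-Null

    # AD DS Configuration Wizard equivalent, run on the target ($using: needs PowerShell 3.0).
    Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock {
        Import-Module ADDSDeployment
        $options = @{
            DomainName                    = $using:domain
            Credential                    = $using:cred
            SiteName                      = $using:site
            InstallDns                    = $true          # DNS server: selected by default
            NoGlobalCatalog               = $false         # global catalog: selected by default
            ReplicationSourceDC           = $using:sourceDc
            SafeModeAdministratorPassword = $using:dsrmPwd
            DatabasePath                  = 'C:\Windows\NTDS'
            LogPath                       = 'C:\Windows\NTDS'
            SysvolPath                    = 'C:\Windows\SYSVOL'
        }
        # No -ReadOnlyReplica: the lesson wants at least two writeable DCs per domain.
        # No -InstallationMediaPath: this is a hub-site deployment, so IFM is not used.

        # Prerequisites Check page equivalent; stop here rather than start a failing promotion.
        $check = Test-ADDSDomainControllerInstallation @options
        if ($check.Status -ne 'Success') {
            throw "Prerequisite check failed on ${env:COMPUTERNAME}: $($check.Message)"
        }
        # Promote, then reboot automatically when the promotion finishes (the wizard default).
        Install-ADDSDomainController @options -NoRebootOnCompletion:$false -Force:$true
    }
}
```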

Note

MORE INFO Install From Media

For more information about deploying domain controllers using the Install From Media (IFM) option, see the topic “Installing AD DS from Media” in the TechNet Library at http://technet.microsoft.com/en-us/library/cc770654(v=WS.10).aspx.

First Windows Server 2012 domain controller in an existing forest

You can also use the AD DS Configuration Wizard to deploy Windows Server 2012 domain controllers in a forest or domain whose existing domain controllers are running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. As explained earlier in this lesson, when you use the wizard to deploy the first Windows Server 2012 domain controller in a domain of a forest whose domain controllers are running earlier Windows Server versions, the Adprep tool automatically runs to prepare the forest and domain by extending the schema to its latest version.

The procedure that follows demonstrates this scenario by deploying a Windows Server 2012 domain controller named VAN-SRV-3 in a forest root domain named fabrikam.com whose existing domain controllers are all running Windows Server 2008 R2. After the AD DS role has been added to server VAN-SRV-3, using the AD DS Configuration Wizard to add the server as the first Windows Server 2012 domain controller in the fabrikam.com forest involves the following steps:

  1. On the Deployment Configuration page of the wizard, shown in Figure 4-6, select the Add A Domain Controller To An Existing Domain option, specify fabrikam.com as the forest root domain, and specify suitable credentials for performing the operation.

    Figure 4-6. Promoting the server named VAN-SRV-3 to be the first Windows Server 2012 domain controller in the existing fabrikam.com forest root domain.
  2. Proceed through the wizard as described in the previous section until you reach the Preparation Options page shown in Figure 4-7. This page informs you that performing this operation will prepare your forest and domain for Windows Server 2012 domain controllers by extending the schema. If you do not want to extend the schema, cancel the operation and do not deploy the new domain controller.

    Figure 4-7. The wizard informs you that the forest schema will be extended if you perform this operation.
  3. Complete the remaining steps of the wizard to deploy the domain controller and extend the schema. Note that you did not have to manually run Adprep to prepare your forest or domain for the domain controller running the new version of Windows Server.

Verifying the installation

After deploying a new domain controller running Windows Server 2012 using Server Manager, you should verify the installation by performing the following steps:

  1. Add the new domain controller to the server pool and to any server group you created for grouping together your Windows Server 2012 domain controllers.

  2. Select the new domain controller from any applicable page of Server Manager.

  3. Check for any alerts raised concerning the new controller on the Notifications menu.

  4. Scroll down the page to the Events tile, and review any events raised for the new domain controller. Pay special attention to any critical, error, or warning events raised, and perform any additional configuration or remedial action needed to address these events.

  5. Scroll down the page to the Services tile, and review the condition of the services on the new domain controller. Make sure that all services have their startup values configured appropriately and that automatic services are running.

  6. Scroll down the page, and start a Best Practices Analyzer (BPA) scan on the new domain controller by selecting Start BPA Scan from the Tasks menu of the Best Practices Analyzer tile. (See Figure 4-8.) BPAs are server management tools built into Windows Server 2012 that help you adhere to best practices by scanning installed server roles and reporting any violations discovered.

    Figure 4-8. Starting a BPA scan on a domain controller.

As an example, Figure 4-9 shows the results of running a BPA scan on two Windows Server 2012 domain controllers deployed in a new forest. These domain controllers have been grouped together in Server Manager by creating a custom server group named Domain Controllers. The Error displayed in the Best Practices Analyzer tile indicates that domain controller SEA-DC-1 is the PDC Emulator operations master for the forest and needs to be able to synchronize its clock with a reliable time source on the Internet. After you run a BPA scan on your domain controllers, be sure to carefully review the results displayed in the tile.

Figure 4-9. Reviewing the results of a BPA scan performed on newly deployed domain controllers.
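As an added example (not from the book), the checks the verification steps above perform in the Events, Services and Best Practices Analyzer tiles, gathered from PowerShell for every domain controller in a server group, plus the time-source check behind the PDC Emulator finding in Figure 4-9. The computer names are placeholders, and the AD DS BPA model id is assumed to be Microsoft/Windows/DirectoryServices.

```powershell
# Added example: verify newly promoted DCs the way the Server Manager tiles do.
# Computer names are placeholders; the BPA model id is an assumption (see lead-in).
$newDcs       = 'SEA-DC-1', 'SEA-DC-2'
$bpaModel     = 'Microsoft/Windows/DirectoryServices'
$coreServices = 'NTDS', 'DNS', 'Netlogon', 'Kdc', 'DFSR', 'W32Time'

function Test-NewDomainController {
    param([string]$ComputerName)

    # Events tile: critical (1), error (2) and warning (3) entries from the last 24 hours.
    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service', 'DFS Replication', 'DNS Server', 'System'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-24)
    }

    # Services tile: core AD DS services must be set to Automatic and be running.
    $filter      = ($coreServices | ForEach-Object { "Name='$_'" }) -join ' OR '
    $services    = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter
    $badServices = $services | Where-Object { $_.State -ne 'Running' -or $_.StartMode -ne 'Auto' }

    # Best Practices Analyzer tile: run the AD DS model and keep anything above Information.
    $bpa = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module BestPractices
        Invoke-BpaModel -ModelId $using:bpaModel | Out-Null
        Get-BpaResult -ModelId $using:bpaModel | Where-Object { $_.Severity -ne 'Information' }
    }

    # The Figure 4-9 finding: the PDC Emulator should synchronize from a reliable
    # external source, not its local clock. w32tm reports the source actually in use.
    $timeSource = (& w32tm /query /source /computer:$ComputerName 2>&1) -join ' '

    [PSCustomObject]@{
        ComputerName   = $ComputerName
        CriticalErrors = @($events | Where-Object Level -le 2).Count
        Warnings       = @($events | Where-Object Level -eq 3).Count
        ServiceIssues  = @($badServices | ForEach-Object { "$($_.Name)=$($_.State)/$($_.StartMode)" })
        BpaErrors      = @($bpa | Where-Object Severity -eq 'Error' | ForEach-Object Title)
        BpaWarnings    = @($bpa | Where-Object Severity -eq 'Warning').Count
        TimeSource     = $timeSource
    }
}

$results = $newDcs | ForEach-Object { Test-NewDomainController -ComputerName $_ }
$results | Format-List

# Anything flagged here needs the same follow-up the lesson describes for the tiles.
$results |
    Where-Object { $_.CriticalErrors -or $_.ServiceIssues -or $_.BpaErrors -or $_.TimeSource -match 'Local CMOS Clock' } |
    ForEach-Object { Write-Warning "$($_.ComputerName) needs attention" }
```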

Quick check

  • You used Server Manager to install the AD DS role on a remote server, but you closed the Add Roles And Features Wizard without first promoting the server to a domain controller. How can you finish the job and promote the server?

Quick check answer

  • Access the link to promote the server from the Notifications menu of Server Manager.

Uninstalling AD DS

If you need to retire a Windows Server 2012 domain controller from your environment—for example, to repurpose its server hardware for some other role—you can do this using Server Manager by performing the following steps:

  1. Launch the Remove Roles And Features Wizard from the Manage menu, and select your server from the server pool.

  2. On the Remove Server Roles page, deselect the Active Directory Domain Services check box. The Validation Results page is displayed at this point to indicate that you must first demote the domain controller before you can remove the AD DS role. (See Figure 4-10.)

    Figure 4-10. You must demote a domain controller before you can remove the AD DS role from it.
  3. On the Validation Results page, click Demote This Domain Controller to launch the AD DS Configuration Wizard.

  4. On the Credentials page of this wizard, supply the necessary credentials to perform this operation if your current logon credentials have insufficient privileges. If previous attempts to remove AD DS from this domain controller failed, select the Force The Removal Of This Domain Controller check box on this page.

  5. If you are demoting the last domain controller in the domain, make sure the Last Domain Controller In The Domain check box is selected to confirm that you want to remove the domain from your forest. Note that this check box is displayed only if the server is the last domain controller in the domain.

  6. On the Warnings page, make sure the Proceed With Removal check box is selected to confirm your decision to perform the demotion. Note that this page is not displayed if you chose to force the removal of AD DS in the previous step.

  7. On the Removal Options page, you have the option to remove any DNS delegations created in the authoritative parent zone. Note that you need to supply appropriate credentials to perform this action.

  8. If you are demoting the last domain controller in the domain, you also have the option of removing the DNS zone for the domain and any application partitions. (See Figure 4-11.) By clicking View Partitions, you can display a list of any application partitions in AD DS.

    Figure 4-11. Options for removing the DNS zone and application partitions when demoting the last domain controller in a domain.
  9. On the New Administrator Password page, enter a password for the local Administrator account for the server.

  10. Complete the wizard to demote the domain controller. The server restarts, and you can log on using the local Administrator account and the new password you specified in the previous step.

  11. Launch the Remove Roles And Features Wizard again from the Manage menu, and select your server from the server pool.

  12. On the Remove Server Roles page, deselect the Active Directory Domain Services and DNS Server check boxes. Finish running the wizard. When the server restarts, both the AD DS and DNS Server roles will have been removed.

Important

Removing application partitions

When you demote the last domain controller in a domain using Server Manager, you have the option of removing any application partitions. At a minimum, when you do this you should see the default DNS application partitions—for example:

  • DC=DomainDNSZones,DC=corp,DC=contoso,DC=com

  • DC=ForestDNSZones,DC=corp,DC=contoso,DC=com

If you have other server applications deployed in your environment, you might see additional application partitions. Before removing these partitions, make sure that your deployed server applications will still be able to work properly, unless you are also retiring those server applications from your environment.
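As an added example (not from the book), a pre-demotion check that gathers what the Removal Options page asks you to decide about: the operations master roles the server holds, whether it is the last domain controller in its domain, and the partitions (including the DNS application partitions listed above) it hosts, followed by the scripted equivalent of the demotion steps. The domain controller name is a placeholder, and Get-DemotionImpact is this example's own helper.

```powershell
# Added example: inspect what a demotion will affect, then demote with the
# ADDSDeployment cmdlets the wizard itself uses. The DC name is a placeholder.
Import-Module ActiveDirectory
$dc = 'VAN-SRV-3'

function Get-DemotionImpact {
    param([string]$DomainController)
    $dcObj  = Get-ADDomainController -Identity $DomainController
    $domain = Get-ADDomain -Identity $dcObj.Domain
    $forest = Get-ADForest -Identity $dcObj.Forest
    $fqdn   = $dcObj.HostName

    # Operations master roles: demoting a holder without transferring them orphans the
    # role; Uninstall-ADDSDomainController can transfer them when asked to.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $writable = @($domain.ReplicaDirectoryServers)
    $readOnly = @($domain.ReadOnlyReplicaDirectoryServers)

    [PSCustomObject]@{
        DomainController    = $fqdn
        RolesHeld           = @($roles.Keys | Where-Object { $roles[$_] -eq $fqdn })
        WritableDCsInDomain = $writable.Count
        IsLastDCInDomain    = ($writable.Count -eq 1 -and $writable[0] -eq $fqdn -and $readOnly.Count -eq 0)
        # Partitions this DC hosts: domain, configuration, schema, DomainDnsZones,
        # ForestDnsZones and any application partitions other server applications added.
        HostedPartitions    = @($dcObj.Partitions)
        ForestAppPartitions = @($forest.ApplicationPartitions)
    }
}

$impact = Get-DemotionImpact -DomainController $dc
$impact | Format-List

# Demotion, mirroring the wizard pages: Credentials (force removal only after a normal
# demotion has failed), Warnings, Removal Options and New Administrator Password.
$localAdminPwd = Read-Host -AsSecureString -Prompt "New local Administrator password for $dc"
$demote = @{
    LocalAdministratorPassword = $localAdminPwd
    DemoteOperationMasterRole  = [bool]$impact.RolesHeld   # transfer any roles it still holds
    RemoveDnsDelegation        = $false                    # keep the parent-zone delegation
    ForceRemoval               = $false                    # set only after a failed attempt
    Force                      = $true
}
if ($impact.IsLastDCInDomain) {
    # These options are only offered for the last DC in a domain (Figure 4-11). Remove the
    # application partitions only once the server applications that use them are retired.
    $demote['LastDomainControllerInDomain'] = $true
    $demote['RemoveApplicationPartitions']  = $true
}
Invoke-Command -ComputerName $dc -ScriptBlock {
    Import-Module ADDSDeployment
    $opts = $using:demote
    Uninstall-ADDSDomainController @opts
}

# After the server restarts, the role removal the last wizard pages perform (step 12):
# Uninstall-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools -ComputerName $dc -Restart
```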

Note

REAL WORLD Forcing the removal of AD DS

The demotion of domain controllers can fail when the domain controller you are performing this action on has no connectivity with other domain controllers in the domain. If this happens, try selecting the Force The Removal Of This Domain Controller check box on the Credentials page of the AD DS Configuration Wizard when you are attempting to demote the domain controller.

Lesson summary

  • Server Manager can be used to deploy Windows Server 2012 domain controllers. This procedure is mainly intended for small and midsized environments, where automating this process is not needed.

  • After you use the Add Roles And Features Wizard to install the AD DS role on a remote server, you can use the AD DS Configuration Wizard to promote the server to a domain controller.

  • After you deploy a domain controller, you can use Server Manager to verify the installation by reviewing the Event logs, reviewing the state of services, and running a Best Practices Analyzer scan on the new domain controller.

  • You can use the Remove Roles And Features Wizard to uninstall the AD DS role on a remote server, but you first need to demote the server from being a domain controller.

  • Adprep is still available as a standalone command-line tool in the \support\adprep folder of Windows Server 2012 installation media when you need to perform an in-place upgrade of your first Windows Server 2012 domain controller.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the Answers section at the end of this chapter.

  1. Which of the following procedures for deploying the first Windows Server 2012 domain controller in a new forest is correct? (Choose all that apply.)

    1. Install Windows Server 2012 on your server, and log on using the local Administrator account. Open Server Manager, and run the AD DS Configuration Wizard to promote the server as a domain controller.

    2. Install Windows Server 2012 on your server, and log on using the local Administrator account. Open Server Manager, and run the Add Roles And Features Wizard to promote the server as a domain controller.

    3. Install Windows Server 2012 on your server, and log on using the local Administrator account. Open Server Manager, and run the Add Roles And Features Wizard to install the AD DS role on the server. Then run the AD DS Configuration Wizard to promote the server as a domain controller.

    4. Install Windows Server 2012 on your server, and log on using the local Administrator account. Open Server Manager, and run the AD DS Configuration Wizard to install the AD DS role on the server. Then run the Add Roles And Features Wizard to promote the server as a domain controller.

  2. Which of the following statements is not correct concerning the deployment of the first Windows Server 2012 domain controller in an existing forest running an earlier version of Windows Server? (Choose all that apply.)

    1. You must prepare the forest and domain and extend the schema by manually running Adprep before you use Server Manager to deploy the first Windows Server 2012 domain controller in an existing forest running an earlier version of Windows Server.

    2. You must select the Add A Domain Controller To An Existing Domain option on the Deployment Configuration page of the AD DS Configuration Wizard to deploy the first Windows Server 2012 domain controller in an existing forest running an earlier version of Windows Server.

    3. You can use the Install From Media (IFM) deployment method to deploy the first Windows Server 2012 domain controller in an existing forest running an earlier version of Windows Server.

    4. If your current logon credentials have insufficient privileges to deploy the first Windows Server 2012 domain controller in an existing forest running an earlier version of Windows Server, you can specify different credentials on the Deployment Configuration page of the AD DS Configuration Wizard.

  3. Which of the following is the best syntax when using the Dsquery.exe command-line tool to verify whether Adprep has successfully extended your forest’s schema?

    1. Dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -attr objectVersion

    2. Dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -scope base -attr sAMAccountName

    3. Dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -scope base -attr *

    4. Dsquery * cn=schema,cn=configuration,dc=fabrikam,dc=com -scope base -attr objectVersion
