Install Active Directory Domain Services .pdf

Date post: 22-Sep-2015
    This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. © 2015 Microsoft. All rights reserved. Terms of Use (https://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)

    Page 1 of 82 My Collection
    28-04-2015 http://pabprod.blob.core.windows.net/books/5d6eb58c-a35e-465d-97e2-32494ab14d6...

    Table Of Contents

    Chapter 1: Install Active Directory Domain Services (Level 100)

    Chapter 1: Install Active Directory Domain Services (Level 100)

    Published: April 28, 2012

    Updated: April 14, 2014

    Applies To: Windows Server 2012, Windows Server 2012 R2

    This topic explains how to install AD DS in Windows Server 2012 by using any of the following methods:

    Credential requirements to run Adprep.exe and install Active Directory Domain Services

    Installing AD DS by Using Windows PowerShell

    Installing AD DS by using Server Manager

    Performing a Staged RODC Installation using the Graphical User Interface

    Credential requirements to run Adprep.exe and install Active Directory Domain Services

    The following credentials are required to run Adprep.exe and install AD DS.

    To install a new forest, you must be logged on as the local Administrator for the computer.

    To install a new child domain or new domain tree, you must be logged on as a member of the Enterprise Admins group.

    To install an additional domain controller in an existing domain, you must be a member of the Domain Admins group.

    Note

    If you do not run the adprep.exe command separately and you are installing the first domain controller that runs Windows Server 2012 in an existing domain or forest, you will be prompted to supply credentials to run Adprep commands. The credential requirements are as follows:

    To introduce the first Windows Server 2012 domain controller in the forest, you need to supply credentials for a member of Enterprise Admins group, the Schema Admins group, and the Domain Admins group in the domain that hosts the schema master.

    To introduce the first Windows Server 2012 domain controller in a domain, you need to supply credentials for a member of the Domain Admins group.

    To introduce the first read-only domain controller (RODC) in the forest, you need to supply credentials for a member of the Enterprise Admins group.

    Note

    If you have already run adprep /rodcprep in Windows Server 2008 or Windows Server 2008 R2, you do not need to run it again for Windows Server 2012.

    Installing AD DS by Using Windows PowerShell

    Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell. Dcpromo.exe is deprecated beginning with Windows Server 2012, but you can still run dcpromo.exe by using an answer file (dcpromo /unattend: or dcpromo /answer:). The ability to continue running dcpromo.exe with an answer file provides organizations that have resources invested in existing automation time to convert the automation from dcpromo.exe to Windows PowerShell. For more information about running dcpromo.exe with an answer file, see http://support.microsoft.com/kb/947034.

    For more information about removing AD DS using Windows PowerShell, see Remove AD DS using Windows PowerShell.

    Start with adding the role using Windows PowerShell. This command installs the AD DS server role and installs the AD DS and AD LDS server administration tools, including GUI-based tools such as Active Directory Users and Computers and command-line tools such as dcdiag.exe. Server administration tools are not installed by default when you use Windows PowerShell. You need to specify -IncludeManagementTools to manage the local server or install Remote Server Administration Tools to manage a remote server.

        Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    There is no reboot required until after the AD DS installation is complete.

    You can then run this command to see the available cmdlets in the ADDSDeployment module.

        Get-Command -Module ADDSDeployment

    To see the list of arguments that can be specified for a cmdlet and its syntax:

        Get-Help <cmdlet name>

    For example, to see the arguments for creating an unoccupied read-only domain controller (RODC) account, type

        Get-Help Add-ADDSReadOnlyDomainControllerAccount

    Optional arguments appear in square brackets.

    You can also download the latest Help examples and concepts for Windows PowerShell cmdlets. For more information, see about_Updatable_Help.

    You can run Windows PowerShell cmdlets against remote servers:

    In Windows PowerShell, use Invoke-Command with the ADDSDeployment cmdlet. For example, to install AD DS on a remote server named ConDC3 in the contoso.com domain, type:

        Invoke-Command { Install-ADDSDomainController -DomainName contoso.com -Credential (Get-Credential) } -ComputerName ConDC3

    -or-

    In Server Manager, create a server group that includes the remote server. Right-click the name of the remote server and click Windows PowerShell.

    The next sections explain how to run ADDSDeployment module cmdlets to install AD DS.

    ADDSDeployment cmdlet arguments

    Specifying Windows PowerShell Credentials

    Using test cmdlets

    Installing a new forest root domain using Windows PowerShell

    Installing a new child or tree domain using Windows PowerShell

    Installing an additional (replica) domain controller using Windows PowerShell

    ADDSDeployment cmdlet arguments

    The following table lists arguments for the ADDSDeployment cmdlets in Windows PowerShell. Arguments in bold are required. Equivalent arguments for dcpromo.exe are listed in parentheses if they are named differently in Windows PowerShell.

    Windows PowerShell switches accept $TRUE or $FALSE arguments. Arguments that are $True by default do not need to be specified.

    To override default values, you can specify the argument with a $False value. For example, because -InstallDns is automatically run for a new forest installation if it is not specified, the only way to prevent DNS installation when you install a new forest is to use:

        -InstallDns:$false

    Similarly, because -InstallDns has a default value of $False if you install a domain controller in an environment that does not host Windows Server DNS server, you need to specify the following argument in order to install DNS server:

        -InstallDns:$true

    Argument Description

    ADPrepCredential

    Note

    Required if you are installing the first Windows Server 2012 domain controller in a domain or forest and the credentials of the current user are insufficient to perform the operation.

    Specifies the account with Enterprise Admins and Schema Admins group membership that can prepare the forest, according to the rules of Get-Credential and a PSCredential object.

    If no value is specified, the value of the -Credential argument is used.

    AllowDomainControllerReinstall Specifies whether to continue installing this writable domain controller, despite the fact that another writable domain controller account with the same name is detected.

    Use $True only if you are sure that the account is not currently used by another writable domain controller.

    The default is $False.

    This argument is not valid for an RODC.

    AllowDomainReinstall Specifies whether an existing domain is recreated.

    The default is $False.

    AllowPasswordReplicationAccountName Specifies the names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this RODC. Use an empty string "" if you want to keep the value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty.

    Supply values as a string array. For example:

        -AllowPasswordReplicationAccountName "JSmith","JSmithPC","Branch Users"

    ApplicationPartitionsToReplicate

    Note

    There is no equivalent option in the UI. If you install using the UI, or using IFM, then all application partitions will be replicated.

    Specifies the application directory partitions to replicate. This argument is applied only when you specify the -InstallationMediaPath argument to install from media (IFM). By default, all application partitions will replicate based on their own scopes.

    Supply values as a string array. For example:

        -ApplicationPartitionsToReplicate "partition1","partition2","partition3"

    Confirm Prompts you for confirmation before running the cmdlet.

    CreateDnsDelegation

    Note

    You cannot specify this argument when you run the Add-ADDSReadOnlyDomainControllerAccount cmdlet.

    Indicates whether to create a DNS delegation that references the new DNS server that you are installing along with the domain controller. Valid for Active Directory-integrated DNS only. Delegation records can be created only on Microsoft DNS servers that are online and accessible. Delegation records cannot be created for domains that are immediately subordinate to top-level domains such as .com, .gov, .biz, .edu or two-letter country code domains such as .nz and .au.

    The default is computed automatically based on the environment.

    Credential

    Note

    Required only if the credentials of the current user are insufficient to perform the operation.

    Specifies the domain account that can log on to the domain, according to the rules of Get-Credential and a PSCredential object.

    If no value is specified, the credentials of the current user are used.

    CriticalReplicationOnly Specifies whether the AD DS installation operation performs only critical replication before reboot and then continues. The noncritical replication happens after the installation finishes and the computer reboots.

    Using this argument is not recommended.

    There is no equivalent for this option in the user interface (UI).

    DatabasePath Specifies the fully qualified, non-Universal Naming Convention (UNC) path to a directory on a fixed disk of the local computer that contains the domain database, for example, C:\Windows\NTDS.

    The default is %SYSTEMROOT%\NTDS.

    Important

    While you can store the AD DS database and log files on a volume formatted with Resilient File System (ReFS), there are no specific benefits for hosting AD DS on ReFS, other than the normal benefits of resiliency you get for hosting any data on ReFS.

    DelegatedAdministratorAccountName Specifies the name of the user or group that can install and administer the RODC.

    By default, only members of the Domain Admins group can administer an RODC.

    DenyPasswordReplicationAccountName Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this RODC. Use an empty string "" if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins.

    Supply values as a string array. For example:

        -DenyPasswordReplicationAccountName "RegionalAdmins","AdminPCs"

    DnsDelegationCredential

    Note

    You cannot specify this argument when you run the Add-ADDSReadOnlyDomainControllerAccount cmdlet.

    Specifies the user name and password for creating DNS delegation, according to the rules of Get-Credential and a PSCredential object.

    DomainMode {Win2003 | Win2008 | Win2008R2 | Win2012 | Win2012R2}

    Or

    DomainMode {2 | 3 | 4 | 5 | 6}

    Specifies the domain functional level during the creation of a new domain.

    The domain functional level cannot be lower than the forest functional level, but it can be higher.

    The default value is automatically computed and set to the existing forest functional level or the value that is set for -ForestMode.

    DomainName

    Required for Install-ADDSForest and Install-ADDSDomainController cmdlets.

    Specifies the FQDN of the domain in which you want to install an additional domain controller.

    DomainNetbiosName

    Required for Install-ADDSForest if the FQDN prefix name is longer than 15 characters.

    Use with Install-ADDSForest. Assigns a NetBIOS name to the new forest root domain.

    DomainType {ChildDomain | TreeDomain} or {child | tree}

    Indicates the type of domain that you want to create: a new domain tree in an existing forest, a child of an existing domain, or a new forest.

    The default for DomainType is ChildDomain.

    Force When this parameter is specified, any warnings that might normally appear during the installation and addition of the domain controller are suppressed to allow the cmdlet to complete its execution. This parameter can be useful to include when scripting installation.

    ForestMode {Win2003 | Win2008 | Win2008R2 | Win2012 | Win2012R2}

    Or

    ForestMode {2 | 3 | 4 | 5 | 6}

    Specifies the forest functional level when you create a new forest.

    The default value is Win2012.

    InstallationMediaPath Indicates the location of the installation media that will be used to install a new domain controller.

    InstallDns Specifies whether the DNS Server service should be installed and configured on the domain controller.

    For a new forest, the default is $True and DNS Server is installed.

    For a new child domain or domain tree, if the parent domain (or forest root domain for a domain tree) already hosts and stores the DNS names for the domain, then the default for this parameter is $True.

    For a domain controller installation in an existing domain, if this parameter is left unspecified and the current domain already hosts and stores the DNS names for the domain, then the default for this parameter is $True. Otherwise, if DNS domain names are hosted outside of Active Directory, the default is $False and no DNS Server is installed.

    LogPath Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files, for example, C:\Windows\Logs.

    The default is %SYSTEMROOT%\NTDS.

    Important

    Do not store the Active Directory log files on a data volume formatted with Resilient File System (ReFS).

    MoveInfrastructureOperationMasterRoleIfNecessary Specifies whether to transfer the infrastructure master operations master role (also known as flexible single master operations or FSMO) to the domain controller that you are creating, in case it is currently hosted on a global catalog server and you do not plan to make the domain controller that you are creating a global catalog server. Specify this parameter to transfer the infrastructure master role to the domain controller that you are creating in case the transfer is needed; in this case, specify the -NoGlobalCatalog option if you want the infrastructure master role to remain where it currently is.

    NewDomainName

    Note

    Required only for Install-ADDSDomain.

    Specifies the single domain name for the new domain.

    For example, if you want to create a new child domain named emea.corp.fabrikam.com, you should specify emea as the value of this argument.

    NewDomainNetbiosName

    Required for Install-ADDSDomain if the FQDN prefix name is longer than 15 characters.

    Use with Install-ADDSDomain. Assigns a NetBIOS name to the new domain. The default value is derived from the value of NewDomainName.

    NoDnsOnNetwork Specifies that DNS service is not available on the network. This parameter is used only when the IP setting of the network adapter for this computer is not configured with the name of a DNS server for name resolution. It indicates that a DNS server will be installed on this computer for name resolution. Otherwise, the IP settings of the network adapter must first be configured with the address of a DNS server.

    Omitting this parameter (the default) indicates that the TCP/IP client settings of the network adapter on this server computer will be used to contact a DNS server. Therefore, if you are not specifying this parameter, ensure that TCP/IP client settings are first configured with a preferred DNS server address.

    NoGlobalCatalog Specifies that you do not want the domain controller to be a global catalog server.

    Domain controllers that run Windows Server 2012 are installed with the global catalog by default. In other words, this runs automatically without computation, unless you specify:

        -NoGlobalCatalog

    NoRebootOnCompletion Specifies whether to restart the computer upon completion of the command, regardless of success. By default, the computer will restart. To prevent the server from restarting, specify:

        -NoRebootOnCompletion:$True

    There is no equivalent for this option in the user interface (UI).

    ParentDomainName

    Note

    Required for the Install-ADDSDomain cmdlet.

    Specifies the FQDN of an existing parent domain. You use this argument when you install a child domain or new domain tree.

    For example, if you want to create a new child domain named emea.corp.fabrikam.com, you should specify corp.fabrikam.com as the value of this argument.

    ReadOnlyReplica Specifies whether to install a read-only domain controller (RODC).

    ReplicationSourceDC

    Indicates the FQDN of the partner domain controller from which you replicate the domain information. The default is automatically computed.

    SafeModeAdministratorPassword

    Supplies the password for the administrator account when the computer is started in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode.

    The default is an empty password. You must supply a password. The password must be supplied in a System.Security.SecureString format, such as that provided by Read-Host -AsSecureString or ConvertTo-SecureString.

    The SafeModeAdministratorPassword argument's operation is special:

    If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

    If specified without a value, and there are no other arguments specified to the cmdlet, the cmdlet prompts you to enter a masked password without confirmation. This is not the preferred usage when running the cmdlet interactively.

    If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

    For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

        -SafeModeAdministratorPassword (Read-Host -Prompt "Password:" -AsSecureString)

    You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.

        -SafeModeAdministratorPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force)

    SiteName

    Required for the Add-ADDSReadOnlyDomainControllerAccount cmdlet.

    Specifies the site where the domain controller will be installed. There is no -SiteName argument when you run Install-ADDSForest because the first site created is Default-First-Site-Name.

    The site name must already exist when provided as an argument to -SiteName. The cmdlet will not create the site.

    SkipAutoConfigureDNS Skips automatic configuration of DNS client settings, forwarders, and root hints. This argument is in effect only if the DNS Server service is already installed or automatically installed with -InstallDNS.

    SystemKey Specifies the system key for the media from which you replicate the data.

    The default is none.

    Data must be in the format provided by Read-Host -AsSecureString or ConvertTo-SecureString.

    SysvolPath Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer, for example, C:\Windows\SYSVOL.

    The default is %SYSTEMROOT%\SYSVOL.

    Important

    SYSVOL cannot be stored on a data volume formatted with Resilient File System (ReFS).

    SkipPreChecks Does not run the prerequisite checks before starting installation. It is not advisable to use this setting.

    WhatIf Shows what would happen if the cmdlet runs. The cmdlet is not run.

    Specifying Windows PowerShell Credentials

    You can specify credentials without revealing them in plain text on screen by using Get-Credential.

    The operation for the -SafeModeAdministratorPassword and -LocalAdministratorPassword arguments is special:

    If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

    If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

    For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

        -SafeModeAdministratorPassword (Read-Host -Prompt "DSRM Password:" -AsSecureString)

    Warning

    As the previous option does not confirm the password, use extreme caution: the password is not visible.

    You can also provide a secure string as a converted clear-text variable, although this is highly discouraged:

        -SafeModeAdministratorPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force)

    Warning

    Providing or storing a clear text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the DSRM password of that domain controller. With that knowledge, they can impersonate the domain controller itself and elevate their privilege to the highest level in an Active Directory forest.
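As an added example that is not part of the original document, the following functions return the DSRM password as a SecureString for -SafeModeAdministratorPassword without ever placing clear text in a script: interactively they prompt twice and compare the entries (the behaviour the cmdlet itself gives when the argument is omitted), and for unattended runs they read a value protected with ConvertFrom-SecureString, which without -Key is bound by DPAPI to the account and machine that created it. The file path and the function names are assumptions.

```powershell
# Added example (not from the original document): supplying -SafeModeAdministratorPassword
# without a clear-text DSRM password in the script or on the command line.

function Test-SecureStringEqual {
    # Compares two SecureStrings byte by byte through unmanaged copies, which are zeroed
    # afterwards; no managed (unzeroable) clear-text string is ever created.
    param([securestring]$A, [securestring]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $pa = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($A)
    $pb = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($B)
    try {
        $byteCount = $A.Length * 2      # BSTR holds UTF-16 code units
        $diff = 0
        for ($i = 0; $i -lt $byteCount; $i++) {
            $diff = $diff -bor ([Runtime.InteropServices.Marshal]::ReadByte($pa, $i) -bxor
                                [Runtime.InteropServices.Marshal]::ReadByte($pb, $i))
        }
        return ($diff -eq 0)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($pa)
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($pb)
    }
}

function Get-DsrmPassword {
    # Returns a SecureString suitable for -SafeModeAdministratorPassword.
    param(
        # Optional: file written by Protect-DsrmPassword on this machine by this account.
        [string]$ProtectedFile
    )
    if ($ProtectedFile) {
        # ConvertTo-SecureString without -Key decrypts with DPAPI, so only the same user on the
        # same machine can recover it; a copied file is useless elsewhere. Still restrict its ACL.
        return (Get-Content -Path $ProtectedFile -Raw).Trim() | ConvertTo-SecureString
    }
    do {
        $first  = Read-Host -Prompt 'DSRM password' -AsSecureString
        $second = Read-Host -Prompt 'Confirm DSRM password' -AsSecureString
        if ($first.Length -eq 0) {
            Write-Warning 'The DSRM password must not be empty.'
        } elseif (-not (Test-SecureStringEqual $first $second)) {
            Write-Warning 'The passwords do not match; try again.'
        } else {
            return $first
        }
    } while ($true)
}

function Protect-DsrmPassword {
    # One-time interactive step, run as the account that will later perform the promotion.
    param([Parameter(Mandatory)][string]$ProtectedFile)
    Read-Host -Prompt 'DSRM password to protect' -AsSecureString |
        ConvertFrom-SecureString |
        Set-Content -Path $ProtectedFile
}

# Interactive promotion with a confirmed password (assumed domain name):
#   Install-ADDSForest -DomainName corp.contoso.com -SafeModeAdministratorPassword (Get-DsrmPassword)
# Unattended, after a one-time Protect-DsrmPassword -ProtectedFile C:\Deploy\dsrm.txt (assumed path):
#   Install-ADDSForest -DomainName corp.contoso.com `
#       -SafeModeAdministratorPassword (Get-DsrmPassword -ProtectedFile C:\Deploy\dsrm.txt)
```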

    Using test cmdlets

    Each ADDSDeployment cmdlet has a corresponding test cmdlet. The test cmdlets run only the prerequisite checks for the installation operation; no installation settings are configured. The arguments for each test cmdlet are the same as for the corresponding installation cmdlet, but -SkipPreChecks is not available for test cmdlets.

    Test cmdlet Description

    Test-ADDSForestInstallation Runs the prerequisites for installing a new Active Directory forest.

    Test-ADDSDomainInstallation Runs the prerequisites for installing a new domain in Active Directory.

    Test-ADDSDomainControllerInstallation Runs the prerequisites for installing a domain controller in Active Directory.

    Test-ADDSReadOnlyDomainControllerAccountCreation Runs the prerequisites for adding a read-only domain controller (RODC) account.
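As an added example that is not part of the original document, this script shows how a test cmdlet fits into a scripted installation: one parameter set is passed first to Test-ADDSForestInstallation and, only if the checks pass, to Install-ADDSForest, after verifying that the database, SYSVOL and log paths meet the constraints from the argument table (fully qualified, non-UNC, on a fixed local disk, and not on ReFS for SYSVOL and the logs). The domain name, the paths, and the Status and Message properties of the result objects are assumptions.

```powershell
# Added example (not from the original document). Run elevated on a server that already has
# the AD-Domain-Services role installed. Names and paths are constructed sample values.
Import-Module ADDSDeployment

function Test-AddsStoragePath {
    # Enforces the documented path constraints: fully qualified, non-UNC, on a fixed local
    # disk, and (when -RejectReFS is given) not on a ReFS volume.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$RejectReFS
    )
    if ($Path.StartsWith('\\') -or -not [System.IO.Path]::IsPathRooted($Path)) {
        throw "$Path must be a fully qualified, non-UNC local path"
    }
    $letter = (Split-Path -Path $Path -Qualifier).TrimEnd(':')
    $volume = Get-Volume -DriveLetter $letter -ErrorAction Stop
    if ($volume.DriveType -ne 'Fixed') {
        throw "$Path is not on a fixed disk (drive type: $($volume.DriveType))"
    }
    if ($RejectReFS -and $volume.FileSystem -eq 'ReFS') {
        throw "$Path is on a ReFS volume, which is not supported for this component"
    }
    return $true
}

# Storage layout for this deployment; SYSVOL and the log directory must not be on ReFS.
$databasePath = 'D:\NTDS'
$sysvolPath   = 'D:\SYSVOL'
$logPath      = 'E:\Logs'
Test-AddsStoragePath -Path $databasePath            | Out-Null
Test-AddsStoragePath -Path $sysvolPath -RejectReFS  | Out-Null
Test-AddsStoragePath -Path $logPath    -RejectReFS  | Out-Null

# Prompt once for the DSRM password as a SecureString; it is never written into the script.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

# One parameter set shared by the test cmdlet and the install cmdlet (their arguments match).
$forestParams = @{
    DomainName                    = 'corp.contoso.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'Win2012R2'
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = $databasePath
    SysvolPath                    = $sysvolPath
    LogPath                       = $logPath
    SafeModeAdministratorPassword = $dsrmPassword
    NoRebootOnCompletion          = $true    # reboot explicitly after checking the result
    Force                         = $true    # suppress warning prompts for unattended use
}

# Prerequisite checks only: nothing is installed or configured by this call.
# Assumption: the result object exposes Status and Message, as the cmdlet does on 2012/2012 R2.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -ne 'Success') {
    throw "Prerequisite checks failed: $($check.Message)"
}

$result = Install-ADDSForest @forestParams
if ($result.Status -ne 'Success') {
    throw "Forest installation failed: $($result.Message)"
}
Restart-Computer -Force
```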

    Installing a new forest root domain using Windows PowerShell

    The command syntax for installing a new forest is as follows. Optional arguments appear within square brackets.

        Install-ADDSForest [-SkipPreChecks] -DomainName <string> -SafeModeAdministratorPassword <SecureString> [-CreateDNSDelegation] ...

    Note

    The -DomainNetBIOSName argument is required if you want to change the 15-character name that is automatically generated based on the DNS domain name prefix or if the name exceeds 15 characters.

    For example, to install a new forest named corp.contoso.com and be securely prompted to provide the DSRM password, type:

        Install-ADDSForest -DomainName "corp.contoso.com"

    Note

    DNS server is installed by default when you run Install-ADDSForest.

    To install a new forest named corp.contoso.com, create a DNS delegation in the contoso.com domain, set domain functional level to Windows Server 2008 R2 and set forest functional level to Windows Server 2008, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be prompted to provide the Directory Services Restore Mode password, type:

        Install-ADDSForest -DomainName corp.contoso.com -CreateDNSDelegation -DomainMode Win2008 -ForestMode Win2008R2 -DatabasePath ...

    Installing a new child or tree domain using Windows PowerShell

    The command syntax for installing a new domain is as follows. Optional arguments appear within square brackets.

        Install-ADDSDomain [-SkipPreChecks] -NewDomainName <string> -ParentDomainName <string> -SafeModeAdministratorPassword <SecureString> ...

    Note

    The -credential argument is only required when you are not currently logged on as a member of the Enterprise Admins group.

    The -NewDomainNetBIOSName argument is required if you want to change the automatically generated 15-character name based on the DNS domain name prefix or if the name exceeds 15 characters.

    For example, to use credentials of corp\EnterpriseAdmin1 to create a new child domain named child.corp.contoso.com, install DNS server, create a DNS delegation in the corp.contoso.com domain, set domain functional level to Windows Server 2003, make the domain controller a global catalog server in a site named Houston, use DC1.corp.contoso.com as the replication source domain controller, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be prompted to provide the Directory Services Restore Mode password but not prompted to confirm the command, type:

        Install-ADDSDomain -SafeModeAdministratorPassword -Credential (Get-Credential corp\EnterpriseAdmin1) -NewDomainName child -P...

    Installing an additional (replica) domain controller using Windows PowerShell

    The command syntax for installing an additional domain controller is as follows. Optional arguments appear within square brackets.

        Install-ADDSDomainController -DomainName <string> [-SkipPreChecks] -SafeModeAdministratorPassword <SecureString> [-ADPrepCre...

    To install a domain controller and DNS server in the corp.contoso.com domain and be prompted to supply the domain Administrator credentials and the DSRM password, type:

        Install-ADDSDomainController -Credential (Get-Credential corp\administrator) -DomainName "corp.contoso.com"

    If the computer is already domain joined and you are a member of the Domain Admins group, you can use:

        Install-ADDSDomainController -DomainName "corp.contoso.com"

    To be prompted for the domain name, type:

        Install-ADDSDomainController -Credential (Get-Credential) -DomainName (Read-Host "Domain to promote into")

    The following command will use credentials of Contoso\EnterpriseAdmin1 to install a writable domain controller and a global catalog server in a site named Boston, install DNS server, create a DNS delegation in the contoso.com domain, install from media that is stored in the c:\ADDS IFM folder, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, have the server automatically restart after AD DS installation is complete, and be prompted to provide the Directory Services Restore Mode password:

        Install-ADDSDomainController -Credential (Get-Credential contoso\EnterpriseAdmin1) -CreateDNSDelegation -DomainName corp.con...

    Performing a staged RODC installation using Windows PowerShell

    The command syntax to create an RODC account is as follows. Optional arguments appear within square brackets.

        Add-ADDSReadOnlyDomainControllerAccount [-SkipPreChecks] -DomainControllerAccountName <string> -DomainName <string> -SiteName <string> ...

    The command syntax to attach a server to an RODC account is as follows. Optional arguments appear within square brackets.

        Install-ADDSDomainController -DomainName <string> [-SkipPreChecks] -SafeModeAdministratorPassword <SecureString> [-ADPrepCre...

    For example, to create an RODC account named RODC1:

        Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName corp.contoso.com -SiteName Boston -Del...

    Then run the following commands on the server that you want to attach to the RODC1 account. The server cannot be joined to the domain. First, install the AD DS server role and management tools:

        Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    Then run the following command to create the RODC:

        Install-ADDSDomainController -DomainName corp.contoso.com -SafeModeAdministratorPassword (Read-Host -Prompt "DSRM Password:" ...

    Press Y to confirm or include the -Confirm:$false argument to prevent the confirmation prompt.
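As an added example that is not part of the original document, the two steps of the staged RODC procedure above are written as one function each: the account is pre-created with an explicit password replication policy and a delegated administrator after the corresponding test cmdlet passes, and the branch server is then attached with the delegated administrator's credentials rather than Domain Admin credentials. Domain, site, group and account names, the Status and Message properties of the test result, and the requirement that the branch server's computer name match the account name are assumptions.

```powershell
# Added example (not from the original document). All names below are constructed samples.
Import-Module ADDSDeployment

function New-StagedRodcAccount {
    # Step 1: run on a writable domain controller or management host as a Domain Admins member.
    # Pre-creates the RODC account so that the branch server can be attached later without
    # Domain Admin credentials, and fixes the password replication policy up front.
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$SiteName,       # must already exist; the cmdlet does not create sites
        [Parameter(Mandatory)][string]$DelegatedAdmin,
        [string[]]$AllowedAccounts = @(),
        [string[]]$DeniedAccounts  = @()
    )
    $params = @{
        DomainControllerAccountName         = $AccountName
        DomainName                          = $DomainName
        SiteName                            = $SiteName
        DelegatedAdministratorAccountName   = $DelegatedAdmin
        # Only these accounts may have their passwords cached on the RODC.
        AllowPasswordReplicationAccountName = $AllowedAccounts
        # Denied in addition to the built-in defaults (Domain Admins, krbtgt, and so on).
        DenyPasswordReplicationAccountName  = $DeniedAccounts
        InstallDns                          = $true
        Credential                          = (Get-Credential -Message 'Domain Admins member')
    }
    # Prerequisite checks only; assumption: the result object exposes Status and Message.
    $check = Test-ADDSReadOnlyDomainControllerAccountCreation @params
    if ($check.Status -ne 'Success') {
        throw "RODC account prerequisite checks failed: $($check.Message)"
    }
    Add-ADDSReadOnlyDomainControllerAccount @params -Confirm:$false
}

function Join-StagedRodc {
    # Step 2: run on the branch server, which must not be domain-joined and whose computer
    # name matches the pre-created account, as the delegated administrator from step 1.
    param([Parameter(Mandatory)][string]$DomainName)
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    $params = @{
        DomainName                    = $DomainName
        UseExistingAccount            = $true    # attach to the pre-created RODC account
        SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password' -AsSecureString)
        Credential                    = (Get-Credential -Message 'Delegated RODC administrator')
        Force                         = $true
    }
    Install-ADDSDomainController @params -Confirm:$false
}

# Step 1, on the writable DC:
New-StagedRodcAccount -AccountName 'RODC1' -DomainName 'corp.contoso.com' -SiteName 'Boston' `
    -DelegatedAdmin 'Branch Admins' `
    -AllowedAccounts 'Branch Users', 'Branch PCs' `
    -DeniedAccounts 'Regional Admins', 'Admin PCs'
# Step 2, on the server named RODC1:
#   Join-StagedRodc -DomainName 'corp.contoso.com'
```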

    Installing AD DS by using Server Manager

    AD DS can be installed in Windows Server 2012 by using the Add Roles Wizard in Server Manager, followed by the Active Directory Domain Services Configuration Wizard, which is new beginning in Windows Server 2012. The Active Directory Domain Services Installation Wizard (dcpromo.exe) is deprecated beginning in Windows Server 2012.

    The following sections explain how to create server pools in order to install and manage AD DS on multiple servers, and how to use the wizards to install AD DS.

    Creating server pools

    Server Manager can pool other servers on the network as long as they are accessible from the computer running Server Manager. Once pooled, you choose those servers for remote installation of AD DS or any other configuration options possible within Server Manager. The computer running Server Manager automatically pools itself. For more information about server pools, see Add Servers to Server Manager.

    Note

    In order to manage a domain-joined computer using Server Manager on a workgroup server, or vice-versa, additional configuration steps are needed. For more information, see Add and manage servers in workgroups in Add Servers to Server Manager.

    Installing AD DS

    Administrative credentials

    The credential requirements to install AD DS vary depending on which deployment configuration you choose. For more information, see Credential requirements to run Adprep.exe and install Active Directory Domain Services.

    Use the following procedures to install AD DS using the GUI method. The steps can be performed locally or remotely. For more detailed explanation of these steps, see the following topics:

    Deploying a Forest with Server Manager

    Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)

    Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)

    Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200)

    To install AD DS by using Server Manager

    1. In Server Manager, click Manage and click Add Roles and Features to start the Add Roles Wizard.

    2. On the Before you begin page, click Next.

    3. On the Select installation type page, click Role-based or feature-based installation and then click Next.

    4. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS and then click Next.

    To select remote servers, first create a server pool and add the remote servers to it. For more information about creating server pools, see Add Servers to Server Manager.

    5. On the Select server roles page, click Active Directory Domain Services, then on the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.



6. On the Select features page, select any additional features you want to install and click Next.

    7. On the Active Directory Domain Services page, review the information and then click Next.

    8. On the Confirm installation selections page, click Install.

    9. On the Results page, verify that the installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.

    Important

    If you close Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration Wizard, you can restart it by clicking Tasks in Server Manager.

    10. On the Deployment Configuration page, choose one of the following options:

    If you are installing an additional domain controller in an existing domain, click Add a domain controller to an existing domain, and type the name of the domain (for example, emea.corp.contoso.com) or click Select to choose a domain, and credentials (for example, specify an account that is a member of the Domain Admins group) and then click Next.

    Note


The name of the domain and current user credentials are supplied by default only if the machine is domain-joined and you are performing a local installation. If you are installing AD DS on a remote server, you need to specify the credentials, by design. If current user credentials are not sufficient to perform the installation, click Change in order to specify different credentials.

    For more information, see Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).

If you are installing a new child domain, click Add a new domain to an existing forest, for Select domain type, select Child Domain, type or browse to the DNS name of the parent domain (for example, corp.contoso.com), type the relative name of the new child domain (for example emea), type credentials to use to create the new domain, and then click Next.

    For more information, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).

    If you are installing a new domain tree, click Add new domain to an existing forest, for Select domain type, choose Tree Domain, type the name of the root domain (for example, corp.contoso.com), type the DNS name of the new domain (for example, fabrikam.com), type credentials to use to create the new domain, and then click Next.

    For more information, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).

    If you are installing a new forest, click Add a new forest and then type the name of the root domain (for example, corp.contoso.com).

    For more information, see Install a New Windows Server 2012 Active Directory Forest (Level 200).

    11. On the Domain Controller Options page, choose one of the following options:

    If you are creating a new forest or domain, select the domain and forest functional levels, click Domain Name System (DNS) server, specify the DSRM password, and then click Next.

    If you are adding a domain controller to an existing domain, click Domain Name System (DNS) server, Global Catalog (GC), or Read Only Domain Controller (RODC) as needed, choose the site name, and type the DSRM password and then click Next.

    For more information about which options on this page are available or not available under different conditions, see Domain Controller Options.

    12. On the DNS Options page (which appears only if you install a DNS server), click Update DNS delegation as needed. If you do, provide credentials that have permission to create DNS delegation records in the parent DNS zone.

    If a DNS server that hosts the parent zone cannot be contacted, the Update DNS Delegation option is not available.

    For more information about whether you need to update the DNS delegation, see Understanding Zone Delegation. If you attempt to update the DNS delegation and encounter an error, see DNS Options.

    13. On the RODC Options page (which appears only if you install an RODC), specify the name of a group or user who will manage the RODC, add accounts to or remove accounts from the Allowed or Denied password replication groups, and then click Next.

    For more information, see Password Replication Policy.

    14. On the Additional Options page, choose one of the following options:

    If you are creating a new domain, type a new NetBIOS name or verify the default NetBIOS name of the domain, and then click Next.

If you are adding a domain controller to an existing domain, select the domain controller that you want to replicate the AD DS installation data from (or allow the wizard to select any domain controller). If you are installing from media, click Install from media, type and verify the path to the installation source files, and then click Next.

    You cannot use install from media (IFM) to install the first domain controller in a domain. IFM does not work across different operating system versions. In other words, in order to install an additional domain controller that runs Windows Server 2012 by using IFM, you must create the backup media on a Windows Server 2012 domain controller. For more information about IFM, see Installing an Additional Domain Controller by Using IFM.

    15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept default locations), and click Next.

    Important

    Do not store the Active Directory database, log files, or SYSVOL folder on a data volume formatted with Resilient File System (ReFS).

    16. On the Preparation Options page, type credentials that are sufficient to run adprep. For more information, see Credential requirements to run Adprep.exe and install Active Directory Domain Services.

    17. On the Review Options page, confirm your selections, click View script if you want to export the settings to a Windows PowerShell script, and then click Next.

    18. On the Prerequisites Check page, confirm that prerequisite validation completed and then click Install.

    19. On the Results page, verify that the server was successfully configured as a domain controller. The server will be restarted automatically to complete the AD DS installation.
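The nineteen steps above, carried out with the ADDSDeployment module instead of the wizard, as an added example written for this page (it is not the output of the wizard's View script button, although that button generates equivalent cmdlet calls). The domain name, site name, paths and the prompted account are assumptions; the script also turns the ReFS warning from the Paths page into a check that runs before promotion.

```powershell
# Added example: ADDSDeployment equivalent of the Server Manager procedure for
# adding a replica domain controller to an existing domain. Run in an elevated
# Windows PowerShell session on the server being promoted.
# Assumed values: target domain, site and paths.
$DomainName = 'corp.contoso.com'
$SiteName   = 'Default-First-Site-Name'
$DbPath     = 'C:\Windows\NTDS'
$LogPath    = 'C:\Windows\NTDS'
$SysvolPath = 'C:\Windows\SYSVOL'

# Step 5 of the GUI procedure: role binaries plus the management tools that
# Server Manager adds implicitly.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The Paths page warning, enforced: none of the AD DS paths may sit on ReFS.
foreach ($path in @($DbPath, $LogPath, $SysvolPath)) {
    $fs = (Get-Volume -DriveLetter $path.Substring(0, 1)).FileSystem
    if ($fs -eq 'ReFS') {
        throw "$path is on a ReFS volume; the AD DS database, logs and SYSVOL must be on NTFS"
    }
}

# Credentials are prompted, never embedded in the script. The account must be
# allowed to add a domain controller (Domain Admins of the target domain, or a
# delegated account). The DSRM password is read as a SecureString.
$Cred = Get-Credential -Message "Account allowed to add a domain controller to $DomainName"
$Dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

$params = @{
    DomainName                    = $DomainName
    Credential                    = $Cred
    SafeModeAdministratorPassword = $Dsrm
    SiteName                      = $SiteName
    InstallDns                    = $true     # DNS server, as on the Domain Controller Options page
    NoGlobalCatalog               = $false    # keep the global catalog on
    DatabasePath                  = $DbPath
    LogPath                       = $LogPath
    SysvolPath                    = $SysvolPath
}

# The Prerequisites Check page, run on its own before anything is changed. A
# failure here leaves no half-promoted server and no orphaned metadata behind.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisite check failed; the server was not promoted'
}

# Promote, replicating from whichever domain controller the engine selects, and
# let the server restart to complete the installation.
Install-ADDSDomainController @params -NoRebootOnCompletion:$false -Force
```

Run the script once per server; to target several servers from one console, wrap the same commands in Invoke-Command, which is what Server Manager does when you pick a remote member of the server pool.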

    Performing a Staged RODC Installation using the Graphical User Interface


A staged RODC installation allows you to create an RODC in two stages. In the first stage, a member of the Domain Admins group creates an RODC account. In the second stage, a server is attached to the RODC account. The second stage can be completed by a member of the Domain Admins group or a delegated domain user or group.

    To create an RODC account by using the Active Directory management tools

    1. You can create the RODC account using Active Directory Administrative Center or Active Directory Users and Computers.

    a. Click Start, click Administrative Tools, and then click Active Directory Administrative Center.

    b. In the navigation pane (left pane), click the name of the domain.

    c. In the Management list (center pane), click the Domain Controllers OU.

    d. In the Tasks Pane (right pane), click Pre-create a read-only domain controller account.

    -Or-

    a. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

    b. Either right-click the Domain Controllers organizational unit (OU) or click the Domain Controllers OU, and then click Action.

    c. Click Pre-create Read-only Domain Controller account.

    2. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you want to modify the default the Password Replication Policy (PRP), select Use advanced mode installation, and then click Next.

3. On the Network Credentials page, under Specify the account credentials to use to perform the installation, click My current logged on credentials or click Alternate credentials, and then click Set. In the Windows Security dialog box, provide the user name and password for an account that can install the additional domain controller. To install an additional domain controller, you must be a member of the Enterprise Admins group or the Domain Admins group. When you are finished providing credentials, click Next.

    4. On the Specify the Computer Name page, type the computer name of the server that will be the RODC.

    5. On the Select a Site page, select a site from the list or select the option to install the domain controller in the site that corresponds to the IP address of the computer on which you are running the wizard, and then click Next.

    6. On the Additional Domain Controller Options page, make the following selections, and then click Next:

    DNS server: This option is selected by default so that your domain controller can function as a Domain Name System (DNS) server. If you do not want the domain controller to be a DNS server, clear this option. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the wide area network (WAN) to the hub site is offline.

    Global catalog: This option is selected by default. It adds the global catalog, read-only directory partitions to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN to the hub site is offline.

    Read-only domain controller. When you create an RODC account, this option is selected by default and you cannot clear it.

    7. If you selected the Use advanced mode installation check box on the Welcome page, the Specify the Password Replication Policy page appears. By default, no account passwords are replicated to the RODC, and security-sensitive accounts (such as members of the Domain Admins group) are explicitly denied from ever having their passwords replicated to the RODC.

    To add other accounts to policy, click Add, then click Allow passwords for the account to replicate to this RODC or click Deny passwords for the account from replicating to this RODC and then select the accounts.

    When complete (or to accept the default setting), click Next.

    8. On the Delegation of RODC Installation and Administration page, type the name of the user or the group who will attach the server to the RODC account that you are creating. You can type the name of only one security principal.

    To search the directory for a specific user or group, click Set. In Select User or Group, type the name of the user or group. We recommend that you delegate RODC installation and administration to a group.

    This user or group will also have local administrative rights on the RODC after the installation. If you do not specify a user or group, only members of the Domain Admins group or the Enterprise Admins group will be able to attach the server to the account.

    When you are finished, click Next.

    9. On the Summary page, review your selections. Click Back to change any selections, if necessary.

To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.

    When you are sure that your selections are accurate, click Next to create the RODC account.

    10. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

After an RODC account is created, you can attach a server to the account to complete the RODC installation. This second stage can be completed in the branch office where the RODC will be located. The server where you perform this procedure must not be joined to the domain. Beginning in Windows Server 2012, you use the Add Roles Wizard in Server Manager to attach a server to an RODC account.

    To attach a server to an RODC account using Server Manager


1. Log on as local Administrator.

    2. In Server Manager, click Add roles and features.

    3. On the Before you begin page, click Next.

    4. On the Select installation type page, click Role-based or feature-based installation and then click Next.

    5. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS and then click Next.

    6. On the Select server roles page, click Active Directory Domain Services, click Add Features and then click Next.

    7. On the Select features page, select any additional features that you want to install and click Next.

    8. On the Active Directory Domain Services page, review the information and then click Next.

    9. On the Confirm installation selections page, click Install.

    10. On the Results page, verify Installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.

    Important

    If you close Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration Wizard, you can restart it by clicking Tasks in Server Manager.

    11. On the Deployment Configuration page, click Add a domain controller to an existing domain, type the name of the domain (for example, emea.contoso.com) and credentials (for example, specify an account that is delegated to manage and install the RODC), and then click Next.

    12. On the Domain Controller Options page, click Use existing RODC account, type and confirm the Directory Services Restore Mode password, and then click Next.

13. On the Additional Options page, if you are installing from media, click Install from media, type and verify the path to the installation source files, select the domain controller that you want to replicate the AD DS installation data from (or allow the wizard to select any domain controller) and then click Next.

    14. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder, or accept default locations, and then click Next.

    15. On the Review Options page, confirm your selections, click View Script to export the settings to a Windows PowerShell script, and then click Next.

    16. On the Prerequisites Check page, confirm that prerequisite validation completed and then click Install.

    To complete the AD DS installation, the server will restart automatically.
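Both stages of the staged RODC procedure above, with the ADDSDeployment module and with the Password Replication Policy from step 7 set explicitly rather than left at the defaults, as an added example written for this page (not the page's own commands). The RODC name, domain, site and the two group names are assumptions; the final check uses the ActiveDirectory module to confirm the policy after the RODC is online.

```powershell
# Added example: staged RODC deployment with an explicit Password Replication
# Policy (PRP). Assumed values: RODC name, domain, site and group names.

# ---- Stage 1: run at the hub, on a writable domain controller, as a member of
# ---- Domain Admins. Nothing is installed on the branch server yet.
$Rodc      = 'RODC1'
$Domain    = 'corp.contoso.com'
$Site      = 'Boston'
$Delegated = 'CORP\Boston-RODC-Admins'   # assumed group; it also becomes local admin on the RODC
$Branch    = 'CORP\Boston-Users'         # assumed group of accounts that work in the branch

$stage1 = @{
    DomainControllerAccountName         = $Rodc
    DomainName                          = $Domain
    SiteName                            = $Site
    DelegatedAdministratorAccountName   = $Delegated
    # Only branch accounts may have their secrets cached on this RODC ...
    AllowPasswordReplicationAccountName = @($Branch)
    # ... and the people who physically hold the box are explicitly denied, so a
    # stolen RODC cannot hand back its own administrators' credentials.
    DenyPasswordReplicationAccountName  = @($Delegated)
    InstallDns                          = $true
    NoGlobalCatalog                     = $false
}
Add-ADDSReadOnlyDomainControllerAccount @stage1 -Confirm:$false

# ---- Stage 2: run in the branch office, on the new server itself, logged on as
# ---- the local Administrator. The server must NOT be domain-joined. The
# ---- credentials come from the delegated group; no Domain Admins password is
# ---- ever typed at the branch.
$Domain = 'corp.contoso.com'    # repeated because stage 2 runs on another machine
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$stage2 = @{
    DomainName                    = $Domain
    Credential                    = (Get-Credential -Message 'Delegated RODC administrator')
    SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password' -AsSecureString)
    UseExistingAccount            = $true
}
Install-ADDSDomainController @stage2 -Confirm:$false

# ---- Check, from any management host once the RODC is online: the default
# ---- denied entries must still be present and the delegated group must not be
# ---- allowed to cache passwords.
Import-Module ActiveDirectory
$Rodc    = 'RODC1'
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$mustDeny = 'Denied RODC Password Replication Group', 'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
foreach ($name in $mustDeny) {
    if ($denied.SamAccountName -notcontains $name) {
        Write-Warning "$name is missing from the denied list of $Rodc"
    }
}
if ($allowed.SamAccountName -contains 'Boston-RODC-Admins') {
    throw "The delegated administrators are allowed to cache passwords on $Rodc"
}
```

The denied list is evaluated before the allowed list, so putting the delegated group in both (as the Allowed list would implicitly do if Boston-Users contained the administrators) still results in denial; the explicit deny makes that intent visible to whoever audits the RODC later.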

See Also

Concepts

Troubleshooting Domain Controller Deployment

Install a New Windows Server 2012 Active Directory Forest (Level 200)

Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)

Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)


Install a New Windows Server 2012 Active Directory Forest (Level 200)

Published: January 15, 2015

    Updated: November 19, 2012

    Applies To: Windows Server 2012

This topic explains the new Windows Server 2012 Active Directory Domain Services domain controller promotion feature at an introductory level. In Windows Server 2012, AD DS replaces the Dcpromo tool with a Server Manager and Windows PowerShell-based deployment system.

    Active Directory Domain Services Simplified Administration

    Technical Overview

    Deploying a Forest with Server Manager

    Deploying a Forest with Windows PowerShell

    Active Directory Domain Services Simplified Administration

    Windows Server 2012 introduces the next generation of Active Directory Domain Services Simplified Administration, and is the most radical domain re-envisioning since Windows 2000 Server. AD DS Simplified Administration takes lessons learned from twelve years of Active Directory and makes a more supportable, more flexible, more intuitive administrative experience for architects and administrators. This meant creating new versions of existing technologies as well as extending the capabilities of components released in Windows Server 2008 R2.

    What Is AD DS Simplified Administration?

    AD DS Simplified Administration is a reimagining of domain deployment. Some of those features include:

    AD DS role deployment is now part of the new Server Manager architecture and allows remote installation.

    The AD DS deployment and configuration engine is now Windows PowerShell, even when using a graphical setup.

    Promotion now includes prerequisite checking that validates forest and domain readiness for the new domain controller, lowering the chance of failed promotions.

    The Windows Server 2012 forest functional level does not implement new features and domain functional level is required only for a subset of new Kerberos features, relieving administrators of the frequent need for a homogenous domain controller environment.

    Purpose and Benefits

    These changes may appear more complex, not simpler. In redesigning the AD DS deployment process though, there was opportunity to coalesce many steps and best practices into fewer, easier actions. This means, for example, that the graphical configuration of a new replica domain controller is now eight dialogs rather than the previous twelve. Creating a new Active Directory forest requires a single Windows PowerShell command with only one argument: the name of the domain.

    Why is there such an emphasis on Windows PowerShell in Windows Server 2012? As distributed computing evolves, Windows PowerShell allows a single engine for configuration and maintenance from both graphical and command-line interfaces. It permits fully featured scripting of any component with the same first class citizenship for an IT Professional that an API grants to developers. As cloud-based computing becomes ubiquitous, Windows PowerShell also finally brings the ability to remotely administer a server, where a computer with no graphical interface has the same management capabilities as one with a monitor and mouse.

    A veteran AD DS administrator should find their previous knowledge highly relevant. A beginning administrator will find a far shallower learning curve.

    Technical Overview

    What You Should Know Before You Begin

    This topic assumes familiarity with previous releases of Active Directory Domain Services, and does not provide foundational detail around their purpose and functionality. For more information about AD DS, see the TechNet Portal pages linked below:

    Active Directory Domain Services for Windows Server 2008 R2

    Active Directory Domain Services for Windows Server 2008

    Windows Server Technical Reference


Functional Descriptions

    AD DS Role Installation

    Active Directory Domain Services installation uses Server Manager and Windows PowerShell, like all other server roles and features in Windows Server 2012. The Dcpromo.exe program no longer provides GUI configuration options.

    You use a graphical wizard in Server Manager or the ServerManager module for Windows PowerShell in both local and remote installations. By running multiple instances of those wizards or cmdlets and targeting different servers, you can deploy AD DS to multiple domain controllers simultaneously, all from one single console. Although these new features are not backwards compatible with Windows Server 2008 R2 or earlier operating systems, you can also still use the Dism.exe application introduced in Windows Server 2008 R2 for local role installation from the classic command-line.

    AD DS Role Configuration


Active Directory Domain Services configuration, previously known as DCPROMO, is now a discrete operation from role installation. After installing the AD DS role, an administrator configures the server as a domain controller using a separate wizard within Server Manager or using the ADDSDeployment Windows PowerShell module.

    AD DS role configuration builds on twelve years of field experience and now configures domain controllers based on the most recent Microsoft best practices. For example, Domain Name System and Global Catalogs install by default on every domain controller.

    The Server Manager AD DS configuration wizard merges many individual dialogs into fewer prompts and no longer hides settings in an advanced mode. The entire promotion process is in one expanding dialog box during installation. The wizard and the ADDSDeployment Windows PowerShell module show you notable changes and security concerns, with links to further information.

    The Dcpromo.exe remains in Windows Server 2012 for command-line unattended installations only, and no longer runs the graphical installation wizard. It is highly recommended that you discontinue use of Dcpromo.exe for unattended installs and replace it with the ADDSDeployment module, as the now-deprecated executable will not be included in the next version of Windows.

    These new features are not backwards compatible to Windows Server 2008 R2 or older operating systems.

    Important

    Dcpromo.exe no longer contains a graphical wizard and no longer installs role or feature binaries. Attempting to run Dcpromo.exe from the Explorer shell returns:

    The Active Directory Domain Services Installation Wizard is relocated in Server Manager. For more information, see http://go.microsoft.com/fwlink/?LinkId=220921.

    Attempting to run Dcpromo.exe /unattend still installs the binaries, as in previous operating systems, but warns:

    The dcpromo unattended operation is replaced by the ADDSDeployment module for Windows PowerShell. For more information, see http://go.microsoft.com/fwlink/?LinkId=220924.

    Windows Server 2012 deprecates dcpromo.exe and it will not be included with future versions of Windows, nor will it receive further enhancements in this operating system. Administrators should discontinue its use and switch to the supported Windows PowerShell modules if they wish to create domain controllers from the command-line.

    Prerequisite Checking

    Domain controller configuration also implements a prerequisite checking phase that evaluates the forest and domain prior to continuing with domain controller promotion. This includes FSMO role availability, user privileges, extended schema compatibility and other requirements. This new design alleviates issues where domain controller promotion starts and then halts midway with a fatal configuration error. This lessens the chance of orphaned domain controller metadata in the forest or a server that incorrectly believes it is a domain controller.


Deploying a Forest with Server Manager

    This section explains how to install the first domain controller in a forest root domain using Server Manager on a graphical Windows Server 2012 computer.

    Server Manager AD DS Role Installation Process

    The diagram below illustrates the Active Directory Domain Services role installation process, beginning with you running ServerManager.exe and ending right before the promotion of the domain controller.

    Server Pool and Add Roles

    Any Windows Server 2012 computers accessible from the computer running Server Manager are eligible for pooling. Once pooled, you select those servers for remote installation of AD DS or any other configuration options possible within Server Manager.

    To add servers, choose one of the following:

    Click Add Other Servers to Manage on the dashboard welcome tile

    Click the Manage menu and select Add Servers

    Right-click All Servers and choose Add Servers

    This brings up the Add Servers dialog:

    This gives you three ways to add servers to the pool for use or grouping:

    Active Directory search (uses LDAP, requires that the computers belong to a domain, allows operating system filtering and supports wildcards)

    DNS search (uses DNS alias or IP address via ARP or NetBIOS broadcast or WINS lookup, does not allow operating system filtering or support wildcards)

    Import (uses a text file list of servers separated by CR/LF)

Click Find Now to return a list of servers from the Active Directory domain that the computer is joined to. Click one or more server names in the list, and then click the right arrow to add them to the Selected list. Use the Add Servers dialog to add the selected servers to dashboard role groups, or click Manage and then Create Server Group (or click Create Server Group on the dashboard Welcome to Server Manager tile) to create custom server groups.

    Note


The Add Servers procedure does not validate that a server is online or accessible. However, any unreachable servers are flagged in the Manageability view in Server Manager at the next refresh.

    You can install roles remotely on any Windows Server 2012 computers added the pool, as shown:

You cannot fully manage servers running operating systems older than Windows Server 2012. The Add Roles and Features selection runs Install-WindowsFeature from the ServerManager module for Windows PowerShell.

    You can also use the Server Manager Dashboard on an existing domain controller to select remote server AD DS installation with the role already preselected by right clicking the AD DS dashboard tile and selecting Add AD DS to Another Server. This is invoking Install-WindowsFeature AD-Domain-Services.

    The computer you are running Server Manager on pools itself automatically. To install the AD DS role here, simply click the Manage menu and click Add Roles and Features.

    Installation Type


The Installation Type dialog provides an option that does not support Active Directory Domain Services: the Remote Desktop Services scenario-based installation. That option only allows Remote Desktop Services in a multi-server distributed workload. If you select it, AD DS cannot be installed.

    Always leave the default selection in place when installing AD DS: Role-based or Feature-based Installation.

    Server Selection

    The Server Selection dialog enables you to choose from one of the servers previously added to the pool, as long as it is accessible. The local server running Server Manager is automatically available.

    In addition, you can select offline Hyper-V VHD files with the Windows Server 2012 operating system and Server Manager adds the role to them directly through component servicing. This allows you to provision virtual servers with the necessary components before further configuring them.

    Server Roles and Features


Select the Active Directory Domain Services role if you intend to promote a domain controller. All Active Directory administration features and required services install automatically, even if they are ostensibly part of another role or do not appear selected in the Server Manager interface.

    Server Manager also presents an informational dialog that shows which management features this role implicitly installs; this is equivalent to the -IncludeManagementTools argument.

    Additional Features can be added here as desired.

    Active Directory Domain Services


The Active Directory Domain Services dialog provides limited information on requirements and best practices. It mainly acts as a confirmation that you chose the AD DS role: if this screen does not appear, you did not select AD DS.

    Confirmation

    The Confirmation dialog is the final checkpoint before role installation starts. It offers an option to restart the computer as needed after role installation, but AD DS installation does not require a reboot.

    By clicking Install, you confirm you are ready to begin role installation. You cannot cancel a role installation once it begins.

    Results


The Results dialog shows the current installation progress and current installation status. Role installation continues regardless of whether Server Manager is closed.

    Verifying the installation results is still a best practice. If you close the Results dialog before installation completes, you can check the results using the Server Manager notification flag. Server Manager also shows a warning message for any servers that have installed the AD DS role but not been further configured as domain controllers.

    Task Notifications

    AD DS Details

    Task Details


Promote to Domain Controller

    At the end of the AD DS role installation, you can continue with configuration by using the Promote this server to a domain controller link. This is required to make the server a domain controller, but is not necessary to run the configuration wizard immediately. For example, you may only want to provision servers with the AD DS binaries before sending them to another branch office for later configuration. By adding the AD DS role before shipping, you save time when it reaches its destination. You also follow the best practice of not keeping a domain controller offline for days or weeks. Finally, this enables you to update components before domain controller promotion, saving you at least one subsequent reboot.

    Selecting this link later invokes the ADDSDeployment cmdlets: install-addsforest, install-addsdomain, or install-addsdomaincontroller.

    Uninstalling/Disabling

    You remove the AD DS role like any other role, regardless of whether you promoted the server to a domain controller. However, removing the AD DS role requires a restart on completion.

    Active Directory Domain Services role removal is different from installation, in that it requires domain controller demotion before it can complete. This is necessary to prevent a domain controller from having its role binaries uninstalled without proper metadata cleanup in the forest. For more information, see Demoting Domain Controllers and Domains (Level 200).

    Warning

    Removing the AD DS roles with Dism.exe or the Windows PowerShell DISM module after promotion to a Domain Controller is not supported and will prevent the server from booting normally.

    Unlike Server Manager or the AD DS Deployment module for Windows PowerShell, DISM is a native servicing system that has no inherent knowledge of AD DS or its configuration. Do not use Dism.exe or the Windows PowerShell DISM module to uninstall the AD DS role unless the server is no longer a domain controller.
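    The following guard, added here as an example rather than code from the TechNet topic, refuses to remove the AD DS role while the server is still a domain controller, so the unsupported DISM removal path described above cannot be reached by accident. It assumes the ServerManager module is present; Remove-ADDSRoleGuarded is a hypothetical helper name.

```powershell
# Added example, not from the TechNet page. Remove-ADDSRoleGuarded is a
# hypothetical name; it assumes the ServerManager module is available.
function Remove-ADDSRoleGuarded {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller,
    # 5 = primary domain controller. Anything >= 4 is still a DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        throw ("This server is still a domain controller (DomainRole=$role). " +
               "Demote it first with Uninstall-ADDSDomainController; removing " +
               "the role binaries now would leave it unable to boot normally.")
    }

    $feature = Get-WindowsFeature -Name AD-Domain-Services
    if (-not $feature.Installed) {
        Write-Verbose "AD-Domain-Services is not installed; nothing to do."
        return $feature
    }

    # Always go through the ServerManager cmdlet, never Dism.exe or the DISM
    # module, and expect the restart that AD DS role removal requires.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Uninstall AD-Domain-Services")) {
        Uninstall-WindowsFeature -Name AD-Domain-Services -Restart
    }
}

# Dry run first; drop -WhatIf to perform the removal.
Remove-ADDSRoleGuarded -WhatIf
```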

    Create an AD DS Forest Root Domain with Server Manager

    The following diagram illustrates the Active Directory Domain Services configuration process, in the case where you have previously installed the AD DS role and started the Active Directory Domain Services Configuration Wizard using Server Manager.

    Deployment Configuration

    Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on this page and subsequent pages, depending on which deployment operation you select.

    To create a new Active Directory forest, click Add a new forest. You must provide a valid root domain name; the name cannot be single-labeled (for example, the name must be contoso.com or similar and not just contoso) and must use allowed DNS domain naming requirements.

    For more information on valid domain names, see KB article Naming conventions in Active Directory for computers, domains, sites, and OUs.

    Warning

    Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet DNS URL is http://contoso.com, you must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely to be used for web traffic. For example: corp.contoso.com.

    A new forest does not need new credentials for the domain's Administrator account. The domain controller promotion process uses the credentials of the built-in Administrator account from the first domain controller used to create the forest root. There is no way (by default) to disable or lock out the built-in Administrator account and it may be the only entry point into a forest if the other administrative domain accounts are unusable. It is critical to know the password before deploying a new forest.

    The DomainName argument is required and must be a valid fully qualified DNS domain name.

    Domain Controller Options

    The Domain Controller Options page enables you to configure the forest functional level and domain functional level for the new forest root domain. By default, these settings are Windows Server 2012 in a new forest root domain. The Windows Server 2012 forest functional level does not provide any new functionality over the Windows Server 2008 R2 forest functional level. The Windows Server 2012 domain functional level is required only in order to implement the new Kerberos settings "Always provide claims" and "Fail unarmored authentication requests." A primary use for functional levels in Windows Server 2012 is to restrict participation in the domain to domain controllers that meet minimum-allowed operating system requirements. In other words, if you specify the Windows Server 2012 domain functional level, only domain controllers that run Windows Server 2012 can host the domain. Windows Server 2012 implements a new domain controller flag called DS_WIN8_REQUIRED in the DsGetDcName function of NetLogon that exclusively locates Windows Server 2012 domain controllers. This gives you the flexibility of a more homogeneous or heterogeneous forest in terms of which operating systems are permitted to run on domain controllers.

    For more information about domain controller location, review Directory Service Functions.

    The only configurable domain controller capability is the DNS server option. Microsoft recommends that all domain controllers provide DNS services for high availability in distributed environments, which is why this option is selected by default when installing a domain controller in any mode or domain. The Global Catalog and read only domain controller options are unavailable when creating a new forest root domain; the first domain controller must be a GC, and cannot be a read only domain controller (RODC).

    The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server, which by default does not require a strong password; only a non-blank one. Always choose a strong, complex password or preferably, a passphrase.

    DNS Options and DNS Delegation Credentials

    The DNS Options page enables you to configure DNS delegation and provide alternate DNS administrative credentials.

    You cannot configure DNS options or delegation in the Active Directory Domain Services Configuration Wizard when installing a new Active Directory forest root domain where you selected the DNS server option on the Domain Controller Options page. The Create DNS delegation option is available when creating a new forest root DNS zone in an existing DNS server infrastructure. This option enables you to provide alternate DNS administrative credentials that have the rights to update the DNS zone.

    For more information about whether you need to create a DNS delegation, see Understanding Zone Delegation.

    Additional Options

    The Additional Options page shows the NetBIOS name of the domain and enables you to override it. By default, the NetBIOS domain name matches the left-most label of the fully qualified domain name provided on the Deployment Configuration page. For example, if you provided the fully qualified domain name of corp.contoso.com, the default NetBIOS domain name is CORP.

    If the name is 15 characters or less and does not conflict with another NetBIOS name, it is unaltered. If it does conflict with another NetBIOS name, a number is appended to the name. If the name is more than 15 characters, the wizard provides a unique, truncated suggestion. In either case, the wizard first validates that the name is not already in use via a WINS lookup and NetBIOS broadcast.

    For more information on valid domain names, see KB article Naming conventions in Active Directory for computers, domains, sites, and OUs.

    Paths

    The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot% (i.e. C:\Windows).

    Review Options and View Script

    The Review Options page enables you to validate your settings and ensure they meet your requirements before you start the installation. This is not the last opportunity to stop the installation when using Server Manager. This is simply an option to confirm your settings before continuing the configuration.

    The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current ADDSDeployment configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio. Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a valid and syntactically correct sample for further modification or direct use. For example:

        #
        # Windows PowerShell Script for AD DS Deployment
        #

        Import-Module ADDSDeployment
        Install-ADDSForest `
        -CreateDNSDelegation `
        -DatabasePath "C:\Windows\NTDS" `
        -DomainMode "Win2012" `
        -DomainName "corp.contoso.com" `
        -DomainNetBIOSName "CORP" `
        -ForestMode "Win2012" `
        -InstallDNS:$true `
        -LogPath "C:\Windows\NTDS" `
        -NoRebootOnCompletion:$false `
        -SYSVOLPath "C:\Windows\SYSVOL" `
        -Force:$true

    Note

    Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of Windows or service packs). The one exception to this is the -SafeModeAdministratorPassword argument (which is deliberately omitted from the script). To force a confirmation prompt, omit the value when running the cmdlet interactively.

    Prerequisites Check

    The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new AD DS forest.

    When installing a new forest root domain, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of modular tests. These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller promotion process cannot continue until all prerequisite tests pass.

    The Prerequisites Check also surfaces relevant information such as security changes that affect older operating systems.

    For more information on the specific prerequisite checks, see Prerequisite Checking.

    Installation

    When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and are written to logs:

        %systemroot%\debug\dcpromo.log
        %systemroot%\debug\dcpromoui.log

    Note

    You can run multiple role installation and AD DS configuration wizards from the same Server Manager console simultaneously.

    Results

    The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot after 10 seconds.

    Deploying a Forest with Windows PowerShell

    This section explains how to install the first domain controller in a forest root domain using Windows PowerShell on a Windows Server 2012 Server Core computer.

    Windows PowerShell AD DS Role Installation Process

    By implementing a few straightforward ServerManager deployment cmdlets into your deployment processes, you further realize the vision of AD DS simplified administration.

    The next figure illustrates the Active Directory Domain Services role installation process, beginning with you running PowerShell.exe and ending right before the promotion of the domain controller.

    ServerManager Cmdlet Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS Configuration Wizard.)

    Install-WindowsFeature/Add-WindowsFeature

    -Name

    -Restart

    -IncludeAllSubFeature

    -IncludeManagementTools

    -Source

    -ComputerName

    -Credential

    -LogPath

    -Vhd

    -ConfigurationFilePath

    Note

    While not required, the -IncludeManagementTools argument is highly recommended when installing the AD DS role binaries.

    The ServerManager module exposes the role installation, status, and removal portions of the new DISM module for Windows PowerShell. This layering simplifies most tasks and reduces the need for direct use of the powerful (but dangerous when misused) DISM module.

    Use Get-Command to export the aliases and cmdlets in ServerManager. For example:

        Get-Command -Module ServerManager

    To add the Active Directory Domain Services role, simply run Install-WindowsFeature with the AD DS role name as an argument. Like Server Manager, all required services implicit to the AD DS role install automatically:

        Install-WindowsFeature -Name AD-Domain-Services

    If you also want the AD DS management tools installed (and this is highly recommended), then provide the -IncludeManagementTools argument. For example:

        Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    To list all features and roles with their installation status, use Get-WindowsFeature without arguments. Specify the -ComputerName argument to get the installation status from a remote server:

        Get-WindowsFeature

    Because Get-WindowsFeature does not have a filtering mechanism, you must use Where-Object with a pipeline (Get-WindowsFeature | Where-Object ...) to find specific features. The pipeline is a channel used between multiple cmdlets to pass data, and the Where-Object cmdlet acts as a filter. The built-in $_ variable represents the current object passing through the pipeline with any properties it may contain.

    For example, to find all features containing "Active Dir" in their DisplayName property, use:

        Get-WindowsFeature | Where-Object DisplayName -like "*active dir*"

    For more information about Windows PowerShell operations with pipelines and Where-Object, see Piping and the Pipeline in Windows PowerShell.

    Note also that Windows PowerShell 3.0 significantly simplified the command-line arguments needed in this pipeline operation. Windows PowerShell 2.0 would have required:

        Get-WindowsFeature | Where-Object {$_.DisplayName -like "*active dir*"}

    By using the Windows PowerShell pipeline, you can create readable results. For example:

        Install-WindowsFeature -Name AD-Domain-Services | Format-List

    Note how using the Select-Object cmdlet with the -ExpandProperty argument returns interesting data (FeatureResult is the per-feature result property of the Install-WindowsFeature output object):

        Install-WindowsFeature -Name AD-Domain-Services | Select-Object -ExpandProperty FeatureResult | Format-List

    Note

    The Select-Object -ExpandProperty argument slows down overall installation performance slightly.

    Create an AD DS Forest Root Domain with Windows PowerShell

    To install a new Active Directory forest using the ADDSDeployment module, use the Install-ADDSForest cmdlet.

    The Install-ADDSForest cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation phase with the minimum required argument of -DomainName.

    ADDSDeployment Cmdlet

    Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS Configuration Wizard.)

    Install-ADDSForest

    -Confirm

    -CreateDNSDelegation

    -DatabasePath

    -DomainMode

    -DomainName

    -DomainNetBIOSName

    -DNSDelegationCredential

    -ForestMode

    -Force

    -InstallDNS

    -LogPath

    -NoDnsOnNetwork

    -NoRebootOnCompletion

    -SafeModeAdministratorPassword

    -SkipAutoConfigureDNS

    -SkipPreChecks

    -SYSVOLPath

    -Whatif

    Note

    The -DomainNetBIOSName argument is required if you want to change the automatically generated 15-character name based on the DNS domain name prefix or if the name exceeds 15 characters.

    The equivalent Server Manager Deployment Configuration ADDSDeployment cmdlet and arguments are:

        Install-ADDSForest -DomainName

    The equivalent Server Manager Domain Controller Options ADDSDeployment cmdlet arguments are:

        -ForestMode -DomainMode -InstallDNS -SafeModeAdministratorPassword

    The Install-ADDSForest arguments follow the same defaults as Server Manager if not specified.

    The SafeModeAdministratorPassword argument's operation is special:

    If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

    For example, to create a new forest named corp.contoso.com and be prompted to enter and confirm a masked password:

        Install-ADDSForest -DomainName corp.contoso.com

    If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

    For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

        -SafeModeAdministratorPassword (Read-Host -Prompt "Password:" -AsSecureString)

    Warning

    As the previous option does not confirm the password, use extreme caution: the password is not visible.

    You can also provide a secure string as a converted clear-text variable, although this is highly discouraged:

        -SafeModeAdministratorPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force)

    Finally, you could store the obfuscated password in a file, and then reuse it later, without the clear text password ever appearing. For example:

        $file = "c:\pw.txt"
        $pw = Read-Host -Prompt "Password:" -AsSecureString
        $pw | ConvertFrom-SecureString | Set-Content $file

        -SafeModeAdministratorPassword (Get-Content $file | ConvertTo-SecureString)

    Warning

    Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the DSRM password of that domain controller. Anyone with access to the file could reverse that obfuscated password. With that knowledge, they can log on to a DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an Active Directory forest. An additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to totally avoid password storage.

    The ADDSDeployment cmdlet offers an additional option to skip automatic configuration of DNS client settings, forwarders, and root hints. You cannot skip this configuration option when using Server Manager. This argument matters only if you installed the DNS Server role prior to configuring the domain controller:

        -SkipAutoConfigureDNS

    The DomainNetBIOSName operation is also special:

    If the DomainNetBIOSName argument is not specified with a NetBIOS domain name and the single-label prefix of the domain name in the DomainName argument is 15 characters or fewer, then promotion continues with an automatically generated name.

    If the DomainNetBIOSName argument is not specified with a NetBIOS domain name and the single-label prefix of the domain name in the DomainName argument is 16 characters or more, then promotion fails.

    If the DomainNetBIOSName argument is specified with a NetBIOS domain name of 15 characters or fewer, then promotion continues with that specified name.

    If the DomainNetBIOSName argument is specified with a NetBIOS domain name of 16 characters or more, then promotion fails.

    The equivalent Server Manager Additional Options ADDSDeployment cmdlet argument is:

        -DomainNetBIOSName

    The equivalent Server Manager Paths ADDSDeployment cmdlet arguments are:

        -DatabasePath -LogPath -SYSVOLPath

    Use the optional -WhatIf argument with the Install-ADDSForest cmdlet to review configuration information. This enables you to see the explicit and implicit values of a cmdlet's arguments.

    For example:
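    The following pre-flight script, added here as an example and not taken from the TechNet topic, applies the DomainName and DomainNetBIOSName rules above before promotion, replaces the unconfirmed Read-Host prompt with a prompt that confirms the DSRM password and enforces a local strength rule (the server's default policy only requires a non-blank password), and then dry-runs Install-ADDSForest with -WhatIf. Test-ForestNameChoice and Read-ConfirmedSecureString are hypothetical helper names; it assumes PowerShell 3.0 or later and the ADDSDeployment module on the server.

```powershell
# Added example, not from the TechNet page. Test-ForestNameChoice and
# Read-ConfirmedSecureString are hypothetical helper names.
function Test-ForestNameChoice {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $DomainNetBIOSName
    )
    $labels = $DomainName.Split('.')
    # A forest root name must be fully qualified: "contoso" is rejected,
    # "corp.contoso.com" is accepted.
    if ($labels.Count -lt 2 -or ($labels -contains '')) {
        return [pscustomobject]@{ Ok = $false; NetBIOSName = $null
            Reason = "DomainName must be a fully qualified DNS name, not a single label" }
    }
    # Explicit DomainNetBIOSName: 15 characters or fewer continues, 16+ fails.
    if ($DomainNetBIOSName) {
        if ($DomainNetBIOSName.Length -gt 15) {
            return [pscustomobject]@{ Ok = $false; NetBIOSName = $DomainNetBIOSName
                Reason = "explicit DomainNetBIOSName exceeds 15 characters; promotion fails" }
        }
        return [pscustomobject]@{ Ok = $true; NetBIOSName = $DomainNetBIOSName.ToUpperInvariant()
            Reason = "explicit name accepted" }
    }
    # Omitted DomainNetBIOSName: derived from the left-most label only when
    # that label is 15 characters or fewer; otherwise promotion fails.
    $prefix = $labels[0].ToUpperInvariant()
    if ($prefix.Length -gt 15) {
        return [pscustomobject]@{ Ok = $false; NetBIOSName = $null
            Reason = "left-most label '$prefix' is 16+ characters; supply -DomainNetBIOSName" }
    }
    return [pscustomobject]@{ Ok = $true; NetBIOSName = $prefix
        Reason = "auto-generated from the DNS prefix" }
}

function Read-ConfirmedSecureString {
    # Read-Host -AsSecureString never confirms the entry; prompt twice,
    # compare the marshalled plaintext copies, then scrub them.
    param([string] $Prompt = "DSRM password")
    while ($true) {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString
        $p1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($first)
        $p2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($second)
        try {
            $a = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p1)
            $b = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($p2)
            $match  = ($a -ceq $b)
            # Local strength rule: at least 15 characters with mixed case and a digit.
            $strong = ($a.Length -ge 15) -and ($a -cmatch '[a-z]') -and
                      ($a -cmatch '[A-Z]') -and ($a -cmatch '[0-9]')
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p1)
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($p2)
            $a = $b = $null
        }
        if ($match -and $strong) { return $first }
        Write-Warning "Entries did not match or did not meet the strength rule; try again."
    }
}

# Validate the names, collect a confirmed DSRM password, and dry-run the
# promotion so the explicit and implicit argument values can be reviewed.
$check = Test-ForestNameChoice -DomainName "corp.contoso.com"
if (-not $check.Ok) { throw $check.Reason }
$dsrm = Read-ConfirmedSecureString
Import-Module ADDSDeployment
Install-ADDSForest -DomainName "corp.contoso.com" -DomainNetBIOSName $check.NetBIOSName `
    -InstallDNS -SafeModeAdministratorPassword $dsrm -WhatIf
```

    Remove -WhatIf to perform the promotion; the secure string never touches disk, and the confirmation step closes the gap the Warning above describes for the plain Read-Host form.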

    You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet with the following argument:

        -SkipPreChecks

    Warning

    Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or a damaged AD DS forest.

    Note how, just like Server Manager, Install-ADDSForest reminds you that promotion will reboot the server automatically.

    To accept the reboot prompt automatically, use the -Force or -Confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end of promotion, use the -NoRebootOnCompletion argument.

    Warning

    Overriding the reboot is discouraged. The domain controller must reboot to function correctly.

    See Also

    Other Resources

    Active Directory Domain Services (TechNet Portal)
    Active Directory Domain Services for Windows Server 2008 R2
    Active Directory Domain Services for Windows Server 2008
    Windows Server Technical Reference (Windows Server 2003)
    Active Directory Administrative Center: Getting Started (Windows Server 2008 R2)
    Active Directory Administration with Windows PowerShell (Windows Server 2008 R2)
    Ask the Directory Services Team (Official Microsoft Commercial Technical Support Blog)

    Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)

    Published: August 14, 2012

    Updated: November 19, 2012

    Applies To: Windows Server 2012

    This topic covers the steps necessary to upgrade an existing forest or domain to Windows Server 2012, using either Server Manager or Windows PowerShell. It covers how to add domain controllers that run Windows Server 2012 to an existing domain.

    Upgrade and Replica Workflow

    Upgrade and Replica Windows PowerShell

    Deployment

    Upgrade and Replica Workflow

    The following diagram illustrates the Active Directory Domain Services configuration process when you previously installed the AD DS role and you have started the Active Directory Domain Services Configuration Wizard using Server Manager to create a new domain controller in an existing domain.

    Upgrade and Replica Windows PowerShell

    ADDSDeployment Cmdlet Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS Configuration Wizard.)

    Install-AddsDomainController

    -SkipPreChecks

    -DomainName

    -SafeModeAdministratorPassword

    -SiteName

    -ADPrepCredential

    -ApplicationPartitionsToReplicate

    -AllowDomainControllerReinstall

    -Confirm

    -CreateDNSDelegation

    -Credential

    -CriticalReplicationOnly

    -DatabasePath

    -DNSDelegationCredential

    -Force

    -InstallationMediaPath

    -InstallDNS

    -LogPath

    -MoveInfrastructureOperationMasterRoleIfNecessary

    -NoDnsOnNetwork

    -NoGlobalCatalog

    -Norebootoncompletion

    -ReplicationSourceDC

    -SkipAutoConfigureDNS

    -SiteName

    -SystemKey

    -SYSVOLPath

    -UseExistingAccount

    -Whatif

    Note

    The -credential argument is only required if you are not already logged on as a member of the Enterprise Admins and Schema Admins groups (if you are upgrading the forest) or the Domain Admins group (if you are adding a new DC to an existing domain).

    Deployment

    Deployment Configuration

    Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on this page and subsequent pages, depending on which deployment operation you select.

    To upgrade an existing forest or add a writable domain controller to an existing domain, click Add a domain controller to an existing domain and click Select to specify the domain information for this domain. Server Manager prompts you for valid credentials if needed.

    Upgrading the forest r