Windows Server Microsoft Active Directory DCPROMO procedure explained    

Apr 26

Windows Server 2008 : DCPROMO

 

OS Compatibility

 

Windows Server 2008 domain controllers have a new, more secure default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0." This setting prevents Microsoft Windows and non-Microsoft SMB "clients" from using the weaker NT 4.0-style cryptography algorithms when establishing security channel sessions against Windows Server 2008 domain controllers. As a result of this new default, operations or applications that require a security channel serviced by Windows Server 2008 domain controllers might fail.

 

Platforms impacted by this change include Windows NT 4.0, as well as non-Microsoft SMB "clients" and network-attached storage (NAS) devices that do not support stronger cryptography algorithms. Some operations on clients running versions of Windows earlier than Windows Vista with Service Pack 1 are also impacted, including domain join operations performed by the Active Directory Migration Tool or Windows Deployment Services.

 

For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

 

Forest Functional Levels

 

The Windows 2000 forest functional level provides all Active Directory Domain Services features that are available in Windows 2000 Server. If you have domain controllers running later versions of Windows Server, some advanced features will not be available on those domain controllers while this forest is at the Windows 2000 functional level.

 

 

The Windows Server 2003 forest functional level provides all features that are available in the Windows 2000 forest functional level, and the following additional features:

    -    Linked-value replication, which improves the replication of changes to group memberships.

    -    More efficient generation of complex replication topologies by the KCC.

    -    Forest trust, which allows organizations to easily share internal resources across multiple forests.

Any new domains that are created in this forest will automatically operate at the Windows Server 2003 domain functional level.

 

You will be able to add only domain controllers that are running Windows Server 2003 or later to this forest.

 

The Windows Server 2008 forest functional level does not provide any new features over the Windows Server 2003 forest functional level. However, it ensures that any new domains created in this forest will automatically operate at the Windows Server 2008 domain functional level, which does provide unique features.

 

You will be able to add only domain controllers that are running Windows Server 2008 or later to this forest.

 

Additional Domain Controller Options

 

The DNS Server service is already installed on this server.

 

The first domain controller in a forest must be a global catalog server and cannot be an RODC.

 

The error

 

---------------------------

Active Directory Domain Services Installation Wizard

---------------------------

A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain corp.skar.pri. Otherwise, no action is required.

Do you want to continue?

---------------------------

Yes   No 

---------------------------

 

Answer File

 

Summary:

 

Configure this server as the first Active Directory domain controller in a new forest.

 

The new domain name is corp.skar.pri. This is also the name of the new forest.

 

The NetBIOS name of the domain is SKAR.

 

Forest Functional Level: Windows Server 2008

 

Domain Functional Level: Windows Server 2008

 

Site: Default-First-Site-Name

 

Additional Options:

  Read-only domain controller: No

  Global catalog: Yes

  DNS Server: Yes

 

Create DNS Delegation: No

 

Database folder: C:\Windows\NTDS

Log file folder: C:\Windows\NTDS

SYSVOL folder: C:\Windows\SYSVOL

 

The DNS Server service will be configured on this computer.

This computer will be configured to use this DNS server as its preferred DNS server.

 

The password of the new domain Administrator will be the same as the password of the local Administrator of this computer.


; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
;   dcpromo.exe /unattend:C:\Users\Administrator\Desktop\ans.txt
;
[DCInstall]
; New forest promotion
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.skar.pri
ForestLevel=3
DomainNetbiosName=SKAR
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; RebootOnCompletion=Yes
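As an added example (not part of the original post and not a dcpromo tool), the following PowerShell script reads a [DCInstall] answer file like the one above and checks it against the rules this post describes: the domain functional level cannot be lower than the forest level, the first domain controller in a new forest must be a global catalog, the DSRM password must be filled in, and CreateDNSDelegation=No means a delegation has to be created by hand. It assumes dcpromo's numeric level codes 0 = Windows 2000, 2 = Windows Server 2003 and 3 = Windows Server 2008; the sample file is constructed from the post's generated file.

```powershell
# Added example: sanity-check a dcpromo [DCInstall] answer file before running
# dcpromo.exe /unattend. Level codes are an assumption taken from dcpromo:
# 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008.
$LevelNames = @{ 0 = 'Windows 2000'; 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

function Read-DCInstallFile {
    param([string]$Path)
    $settings = @{}
    $inSection = $false
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }            # blank line or comment
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'DCInstall'); continue }
        if ($inSection -and $line -match '^([^=]+)=(.*)$') {
            $settings[$matches[1].Trim()] = $matches[2].Trim().Trim('"')   # dcpromo quotes paths
        }
    }
    return $settings
}

function Test-DCInstallFile {
    param([string]$Path)
    $s = Read-DCInstallFile -Path $Path
    $findings = @()

    # Functional levels: both codes must be known, and the domain level may
    # never be lower than the forest level.
    $levelsOk = $true
    foreach ($key in 'ForestLevel', 'DomainLevel') {
        if (-not ($s[$key] -match '^\d+$') -or -not $LevelNames.ContainsKey([int]$s[$key])) {
            $findings += "ERROR: $key is missing or not a known level code (0, 2 or 3)"
            $levelsOk = $false
        }
    }
    if ($levelsOk) {
        $forest = [int]$s['ForestLevel']; $domain = [int]$s['DomainLevel']
        if ($domain -lt $forest) {
            $findings += "ERROR: DomainLevel ($($LevelNames[$domain])) is lower than ForestLevel ($($LevelNames[$forest]))"
        } else {
            $findings += "INFO: forest level $($LevelNames[$forest]), domain level $($LevelNames[$domain])"
        }
    }

    # A new forest is created with ReplicaOrNewDomain=Domain, and its first DC
    # must be a global catalog server (it also cannot be an RODC).
    if ($s['NewDomain'] -eq 'Forest') {
        if ($s['ReplicaOrNewDomain'] -ne 'Domain') {
            $findings += 'ERROR: NewDomain=Forest requires ReplicaOrNewDomain=Domain'
        }
        if ($s['ConfirmGc'] -ne 'Yes') {
            $findings += 'ERROR: the first domain controller in a new forest must be a global catalog (ConfirmGc=Yes)'
        }
    }

    # dcpromo writes the file with SafeModeAdminPassword blank; promotion needs it.
    if (-not $s.ContainsKey('SafeModeAdminPassword') -or $s['SafeModeAdminPassword'] -eq '') {
        $findings += 'ERROR: SafeModeAdminPassword is empty; set the DSRM password before using the unattend file'
    } else {
        $findings += 'WARNING: the file holds the DSRM password in clear text; restrict its ACL and delete it after promotion'
    }

    # Without an automatic delegation, resolvers outside the new domain only
    # find it if a delegation is created manually in the parent zone.
    if ($s['InstallDNS'] -eq 'Yes' -and $s['CreateDNSDelegation'] -eq 'No') {
        $findings += "INFO: CreateDNSDelegation=No; if integrating with an existing DNS infrastructure, create a delegation for $($s['NewDomainDNSName']) in the parent zone manually"
    }
    return $findings
}

# Constructed sample: the file generated in the post, password still blank.
$sample = @'
; DCPROMO unattend file (automatically generated by dcpromo)
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.skar.pri
ForestLevel=3
DomainNetbiosName=SKAR
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=
'@
$tmp = Join-Path $env:TEMP 'ans-check.txt'
Set-Content -Path $tmp -Value $sample
Test-DCInstallFile -Path $tmp | ForEach-Object { Write-Output $_ }
Remove-Item $tmp
```

Run against the sample, the script reports the two INFO lines and the empty SafeModeAdminPassword error; filling in the password turns that error into the clear-text warning.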


Choosing an Active Directory Domain Services Deployment Configuration

 

When you install Active Directory Domain Services (AD DS), you choose one of the following possible deployment configurations:

     Adding a new domain controller to a domain

     Adding a new child domain to a forest, or, as an option, adding a new domain tree

Note

The option to install a new domain tree appears only if you select the Use advanced mode installation check box on the Welcome to the Active Directory Domain Services Installation Wizard page of the Active Directory Domain Services Installation Wizard.

     Creating a new forest

The following sections describe each of these deployment configurations in detail.

Adding a new domain controller to a domain

If you already have one domain controller in a domain, you can add additional domain controllers to the domain to improve the availability and reliability of network services. Adding additional domain controllers can help provide fault tolerance, balance the load of existing domain controllers, and provide additional infrastructure support to sites.

More than one domain controller in a domain makes it possible for the domain to continue to function if a domain controller fails or must be disconnected. Multiple domain controllers can also improve performance by making it easier for clients to connect to a domain controller when they log on to the network.

Preparing an existing domain

Before you add a domain controller running Windows Server 2008 to an existing Active Directory domain, you have to prepare the forest and the domain by running Adprep.exe. Be sure to run the version of Adprep that is included with your Windows Server 2008 installation media. This version of Adprep adds schema objects and attributes that are required by domain controllers that run Windows Server 2008, and it modifies permissions on new and existing objects.

Run the following adprep parameters as necessary for your environment:

     Run adprep /forestprep once on the domain controller in the forest that holds the schema operations master role (the schema master) before you add a domain controller that runs Windows Server 2008. To run this command, you must be a member of the Enterprise Admins group, the Schema Admins group, and the Domain Admins group of the domain that includes the schema master. For more information, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=93242).

     In addition, run adprep /domainprep /gpprep once on the domain controller that holds the infrastructure operations master role (the infrastructure master) in each domain in which you plan to add a domain controller that runs Windows Server 2008. To run this command, you must be a member of the Domain Admins group. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=93243).

     If you plan to deploy a read-only domain controller (RODC) in any domain in the forest, you also must run adprep /rodcprep once in the forest. You can run this command on any computer in the forest. To run this command, you must be a member of the Enterprise Admins group. For more information, see Prepare a Forest for a Read-Only Domain Controller (http://go.microsoft.com/fwlink/?LinkId=93244).

Installing from media

When you install a new domain controller in an existing domain, you can choose to install from media (IFM), in which the domain database is copied from the media rather than over the network. This option is available in the Active Directory Domain Services Installation Wizard only if you select the Use advanced mode installation check box on the Welcome page. The recommended tool for creating the installation media is the ntdsutil ifm subcommand, which is new for domain controllers that run Windows Server 2008. For more information about using IFM, see Installing from Media.

Adding a new domain to a forest

By default, the new forest that you create will contain one domain, which is known as the forest root domain. This single domain can accommodate thousands of users even if only a small amount of network bandwidth is available for Active Directory replication. Therefore, a single domain is typically sufficient for most small organizations and medium-sized organizations. Adding more domains to the forest greatly increases the administration requirements for the forest.

Larger organizations, however, may decide to add child domains to the forest so that domain data is replicated only where it is needed. A child domain shares a contiguous namespace with its parent domain. For example, sales.contoso.com is a child domain of contoso.com. A child domain automatically has a two-way, transitive trust with its parent domain.

A new domain that does not share a contiguous namespace with its parent domain is known as a new domain tree. For more information about creating a new domain tree, see Creating a new domain tree later in this topic.

When you add domains to the forest, you are partitioning AD DS, which allows data to be replicated only where it is needed. In this way, a single Active Directory forest can scale globally to accommodate hundreds of thousands—or even millions—of users on a network that has limited bandwidth.

Requirements for creating a new domain

When you create a new child domain, you must be a member of the Domain Admins group in the parent domain or the Enterprise Admins group to proceed. When you create a new domain tree, you must be a member of the Enterprise Admins group.

The Active Directory Domain Services Installation Wizard allows Active Directory domain names up to 64 characters or up to 155 bytes. Although the limit of 64 characters is usually reached before the limit of 155 bytes, the opposite could be true if the name contains Unicode characters that consume three bytes. These limits do not apply to computer names.

During installation, a Domain Name System (DNS) zone delegation is created by Dcpromo.exe. If DNS zone delegation creation fails or you choose not to create it (which is not recommended), you must create a zone delegation manually. For more information about creating a zone delegation, see Creating or Updating a DNS Delegation.

Before you can add a domain to a forest, a DNS delegation must be created for the DNS zone that matches the name of the Active Directory domain that you are adding. On a server running Windows Server 2008, the Active Directory Domain Services Installation Wizard verifies that the DNS delegation exists. If it does not exist, the wizard provides an option to create the DNS delegation automatically during the creation of the new domain.

Creating a new domain tree

You should create a new domain tree only when you need to create a domain whose DNS namespace is not related to the other domains in the forest. This means that the name of the tree root domain (and any child domain below it) does not have to contain the full name of the parent domain.

For example, treyresearch.net can be a domain tree in the contoso.com forest. New domain trees are most commonly created as part of a business acquisition or a merger of multiple organizations. A forest can contain one or more domain trees.

Before you create a new domain tree, consider creating another forest when you want a different DNS namespace. Multiple forests provide administrative autonomy, isolation of the schema and configuration directory partitions, separate security boundaries, and the flexibility to use an independent namespace design for each forest.

Creating a new forest

To create a new forest, you must be a member of the local Administrators group on the server where you are installing AD DS.

DNS and NetBIOS names

Before you create a new forest, be sure that you have completely planned your DNS infrastructure. To create a new forest, you must know the full DNS name for it. You can install the DNS Server service before you install AD DS or, preferably, you can choose to have the Active Directory Domain Services Installation Wizard install the DNS Server service for you.

If you have the wizard install the DNS Server service, the wizard uses the DNS name that you provide to automatically generate a NetBIOS name for the first domain in the forest. The wizard verifies that the DNS name and the NetBIOS name are unique on the network before it continues. You must select the Use advanced mode installation check box on the Welcome to the Active Directory Domain Services Installation Wizard page to specify a different NetBIOS name than the name that is generated automatically by the wizard.

Note

The Domain NetBIOS Name wizard page also appears if the automatically generated NetBIOS name conflicts with an existing name.

By default, the DNS Server service is installed on the first domain controller in a forest. If you already have a DNS infrastructure set up to support name resolution for the new forest, you can clear the DNS server check box on the Additional Options wizard page. However, if you do not have a supporting DNS infrastructure already in place, accept the default setting to have the wizard install the DNS Server service on the first domain controller in the forest.

When you click Next to continue, the Active Directory Domain Services Installation Wizard examines your existing DNS infrastructure. If you cleared the DNS server check box, the wizard performs diagnostic tests to verify that the supporting DNS infrastructure is in place. If the diagnostic tests fail, you again have the option to install the DNS Server service by using the wizard.

Functional levels

For a new forest, the default forest functional level is Windows 2000 and the domain functional level is Windows 2000 native. These are the lowest possible functional levels, and they allow domain controllers to run Windows Server 2003, Windows® 2000 Server, or Windows Server 2008.

If you do not plan to add domain controllers that run these earlier versions of Windows Server, select higher functional levels to enable advanced features. If you select Windows Server 2008 as the forest functional level, all domains that are subsequently added to the forest will be created at the Windows Server 2008 domain functional level. Therefore, the Set Domain Functional Level page does not appear in the Active Directory Domain Services Installation Wizard. If you select a different forest functional level, you can set the domain functional level independently for each domain in the forest. For more information about functional levels, see Setting the Domain or Forest Functional Level.

Operations master roles

The first domain controller for this domain hosts all the operations master roles (also known as flexible single master operations or FSMO) for the forest.

Additional domain controllers in the domain are recommended to improve the availability and fault tolerance of AD DS. After you create additional domain controllers, you may want to transfer some of the operations master roles that are hosted on the first domain controller to these other domain controllers. If you plan to create a multidomain forest and any domain controller in your forest root domain will not be a global catalog server, then you should transfer at least the infrastructure master role in the forest root domain to another domain controller in the domain that is not a global catalog server.

For more information about managing operations master roles, see Ensure Successful Active Directory Operations by Managing Operations Master Roles.


Setting the Domain or Forest Functional Level

 

Functional levels determine the features of Active Directory Domain Services (AD DS) that are enabled in a domain or forest. They also restrict which Windows Server operating systems can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems can run on workstations and member servers that are joined to the domain or forest.

When you create a new domain or a new forest, set the domain and forest functional levels to the highest values that you know your environment can support. This way, you can take advantage of as many AD DS features as possible. For example, if you are sure that no domain controllers that run Windows Server 2003 (or any earlier operating system) will ever be added to the domain or forest, select the Windows Server 2008 functional level. On the other hand, if it is possible that you will retain or add domain controllers that run Windows Server 2003 or earlier, select the Windows Server 2003 functional level during installation. You can raise the functional level after the installation, when you are sure that no such domain controllers will be added or are still in use. You cannot lower a functional level.

When you install a new forest, you are prompted to set the forest functional level and then the domain functional level. You cannot set the domain functional level to a value that is lower than the forest functional level. For example, if you set the forest functional level to Windows Server 2008, you can set the domain functional level only to Windows Server 2008. The Windows 2000 and Windows Server 2003 domain functional level values will not be available on the Set domain functional level wizard page. In addition, all domains that you subsequently add to that forest will have the Windows Server 2008 domain functional level by default.

The following sections explain the sets of features that are enabled at the different domain and forest functional levels.

Features that are enabled at domain functional levels

The following table lists the enabled features and supported domain controller operating systems for each domain functional level.

Windows 2000 native

Enabled features: All default Active Directory features, plus the following features:

     Universal groups for both distribution groups and security groups.

     Group nesting.

     Group conversion, which makes conversion possible between security groups and distribution groups.

     Security identifier (SID) history.

Supported domain controller operating systems: Windows 2000, Windows Server 2003, Windows Server 2008

Windows Server 2003

Enabled features: All default Active Directory features, all features from the Windows 2000 native domain functional level, plus the following features:

     The domain management tool, Netdom.exe, is available to prepare for domain controller rename.

     Logon time stamp update. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain. Note that this attribute might not be updated if a read-only domain controller (RODC) authenticates the account.

     The userPassword attribute can be set as the effective password on inetOrgPerson objects and user objects.

     Users and Computers containers can be redirected. By default, two well-known containers are provided for housing computer and user/group accounts: cn=Computers,<domain root> and cn=Users,<domain root>. With this feature, you can define a new well-known location for these accounts.

     Authorization Manager can store its authorization policies in AD DS.

     Constrained delegation, which makes it possible for applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. You can configure delegation to be allowed only to specific destination services.

     Support for selective authentication, which makes it possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Supported domain controller operating systems: Windows Server 2003, Windows Server 2008

Windows Server 2008

Enabled features: All default Active Directory features, all features from the Windows Server 2003 domain functional level, plus the following features:

     Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents. You may need to perform additional steps to use DFS Replication for SYSVOL. For more information, see File Services (http://go.microsoft.com/fwlink/?LinkId=93167).

     Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol.

     Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.

     Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.

Supported domain controller operating systems: Windows Server 2008

Features that are enabled at forest functional levels

The following table lists the enabled features and supported domain controller operating systems for each forest functional level.

Windows 2000

Enabled features: All default Active Directory features.

Supported domain controller operating systems: Windows 2000, Windows Server 2003, Windows Server 2008

Windows Server 2003

Enabled features: All default Active Directory features, plus the following features:

     Forest trust.

     Domain rename.

     Linked-value replication (changes in group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication, and it eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.

     Deployment of an RODC that runs Windows Server 2008.

     Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level.

     The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.

     The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.

     The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.

     Deactivation and redefinition of attributes and classes in the schema.

Supported domain controller operating systems: Windows Server 2003, Windows Server 2008

Windows Server 2008

Enabled features: All of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default.

If you plan to include only domain controllers that run Windows Server 2008 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.

Supported domain controller operating systems: Windows Server 2008


Configuring Additional Domain Controller Options

 

You can choose additional installation options for a domain controller during Active Directory Domain Services (AD DS) installation. For example, you can install the DNS Server service or make the server a global catalog server or a read-only domain controller (RODC). The following sections explain these additional installation options in more detail. These sections also explain how the options interact with each other.

DNS server option

Installing the DNS Server service on a domain controller makes that domain controller a Domain Name System (DNS) server. The default setting for the DNS server option depends on the following factors:

     The deployment configuration that you choose, for example, adding a new domain or adding an additional domain controller for an existing domain

     Your current DNS environment

The following table lists the default settings for installing a DNS server for the various AD DS deployment configurations.

New forest: The DNS server is installed by default.

New domain: The DNS server is installed by default if the wizard detects a DNS infrastructure in the parent domain. The DNS server is not installed by default if the wizard does not detect a DNS infrastructure.

New domain tree: The DNS server is installed by default if the wizard detects a DNS infrastructure in the forest root domain. The DNS server is not installed by default if the wizard does not detect a DNS infrastructure.

Additional domain controller: The DNS server is installed by default if the wizard detects a DNS infrastructure in the domain. The DNS server option is not available if the wizard does not detect a DNS infrastructure in the domain.

Note

If the DNS server is already installed before you start the Active Directory Domain Services Installation Wizard but the Active Directory domain does not have a DNS infrastructure, the DNS server continues to resolve names for any file-based zones that it hosts but it will not host any Active Directory–integrated DNS zones for the domain in which it is a domain controller.

DNS client settings

When you install an additional domain controller in an existing domain, the Active Directory Domain Services Installation Wizard verifies that the DNS client settings are correctly configured on the server. If the DNS client settings are not correctly configured with the IP address of a preferred DNS server, the wizard returns an error and you must correct the problem before you can continue.

You can then choose to manually configure the DNS client settings correctly. If you are creating a new forest that does not have an existing DNS infrastructure, you can also choose to have the wizard automatically install the DNS Server service and configure the DNS client settings with the IP address of the local DNS server.

If you choose to have the wizard configure DNS client settings when it installs the DNS Server service (an option that is available only when you are creating a new forest), the DNS server check box on the Additional Domain Controller Options page is selected and it cannot be cleared. You must install the DNS Server service at this point or click Back through the wizard until you are again provided the option to manually configure the DNS client settings.

Global catalog option

Because the first domain controller in a forest must be a global catalog server, the Global catalog check box is selected and it cannot be cleared when you create a forest. The check box is also selected by default when you install an additional domain controller in an existing domain. However, you can clear this check box if you do not want the additional domain controller to be a global catalog server.

When you create a new child domain or domain tree, the Global catalog check box is not selected by default because the first domain controller in the new domain hosts all domain-wide operations master roles (also known as flexible single master operations or FSMO roles), including the infrastructure operations master role. In a multidomain forest, you may encounter problems if you host the infrastructure master role on a global catalog server, unless all of the domain controllers in the domain are global catalog servers.

Therefore, if you decide to install the global catalog on the first domain controller in a new child domain or domain tree, either transfer the infrastructure master role after you install additional domain controllers in the domain or ensure that all the additional domain controllers that you install in the domain are also global catalog servers.

As you install additional writable domain controllers, the Active Directory Domain Services Installation Wizard validates that the infrastructure master is hosted on a suitable domain controller and it provides you with options to remedy any problems that can arise with the installation options that you choose. For more information, see Validation checks for the options that you select.
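The placement rule from the preceding paragraphs, as an added PowerShell example that is not part of the original post or of the installation wizard: in a multidomain forest the infrastructure master must not sit on a global catalog server unless every domain controller in that domain is a global catalog. The domain controller list is constructed; on a live domain the same facts (which DC is a GC, which holds the infrastructure master) would be read from the directory instead.

```powershell
# Added example: evaluate infrastructure master placement for one domain.
# $DomainControllers holds constructed objects with the properties
# Name, IsGlobalCatalog and HoldsInfrastructureMaster.
function Test-InfrastructureMasterPlacement {
    param(
        [int]$DomainCount,               # number of domains in the forest
        [object[]]$DomainControllers     # DCs of the domain being checked
    )
    $holders = @($DomainControllers | Where-Object { $_.HoldsInfrastructureMaster })
    if ($holders.Count -ne 1) {
        return 'ERROR: exactly one domain controller in the domain must hold the infrastructure master role'
    }
    $im = $holders[0]
    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    # The post's rule concerns multidomain forests only.
    if ($DomainCount -le 1) {
        return "OK: single-domain forest; the infrastructure master on $($im.Name) is not affected by this rule"
    }
    if (-not $im.IsGlobalCatalog) {
        return "OK: infrastructure master $($im.Name) is not a global catalog server"
    }
    if ($nonGc.Count -eq 0) {
        return "OK: infrastructure master $($im.Name) is a global catalog, but so is every other DC in the domain"
    }
    $names = ($nonGc | ForEach-Object { $_.Name }) -join ', '
    return "PROBLEM: infrastructure master $($im.Name) is a global catalog while $names is not; transfer the role to one of those DCs or make them global catalog servers too"
}

# Constructed sample: a two-domain forest in which the first DC kept the GC
# (the wizard default) and still holds the infrastructure master.
$dcs = @(
    (New-Object PSObject -Property @{ Name = 'DC1'; IsGlobalCatalog = $true;  HoldsInfrastructureMaster = $true }),
    (New-Object PSObject -Property @{ Name = 'DC2'; IsGlobalCatalog = $false; HoldsInfrastructureMaster = $false })
)
Test-InfrastructureMasterPlacement -DomainCount 2 -DomainControllers $dcs   # PROBLEM

# After the second remedy the post describes: make DC2 a global catalog as well.
$dcs[1].IsGlobalCatalog = $true
Test-InfrastructureMasterPlacement -DomainCount 2 -DomainControllers $dcs   # OK
```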

RODC option

In a staged installation of an RODC, the Read-only domain controller check box is selected and it cannot be cleared when you create the RODC account. The Additional Domain Controller Options page does not appear when you attach the server to the RODC account.

If you are installing an additional domain controller in a domain but you are not performing a staged installation, the Read-only domain controller check box is cleared by default. You can select it unless conditions in your environment prevent RODC installation. If conditions in your environment do prevent RODC installation, the RODC check box is cleared and it cannot be selected. The following conditions prevent RODC installation:

     You are installing the first domain controller in a new forest.

     You are installing the first domain controller in a new domain.

     The forest functional level is not Windows Server 2003 or Windows Server 2008.

     There are no writable domain controllers running Windows Server 2008 in the domain in which you want to install the RODC.

How additional installation options interact

If you select the Read-only domain controller check box, the wizard automatically selects the DNS server check box unless this option cannot be selected, for example, when no current DNS infrastructure exists for that domain. If you clear the DNS server check box after the wizard selects it, the wizard warns you that clients in the branch office might not be able to locate the RODC if you do not also install the DNS server.

The Global catalog check box might also be selected by default, depending on the other installation options that you select. By default, if you select the Read-only domain controller check box, the wizard automatically selects the Global catalog check box. For more information about other installation options in which the Global catalog check box is selected by default, see Global catalog option earlier in this topic.

Additional information about the options that you select

The Active Directory Domain Services Installation Wizard updates the Additional information text box with information about your environment, based on the default selections and the options that you select on the Additional Domain Controller Options page. As you change your selections, the wizard dynamically updates the messages that appear in this text box.

For example, if you select the Global catalog check box, the wizard updates the Additional information text box to indicate how many other global catalog servers are deployed in the domain and site. This information can help you confirm that you are installing AD DS with the options that you planned.

The wizard also updates the Additional information text box to indicate if any existing conditions in your environment currently prevent any of the options from being available. For example, if no writable domain controller in your domain is running Windows Server 2008, the wizard clears the Read-only domain controller check box, makes this option unavailable, and writes a message in the Additional information text box that states that there must be a writable domain controller running Windows Server 2008 in the domain to install an RODC.

Validation checks for the options that you select

After you select your options on the Additional Domain Controller Options page and then click Next, the wizard performs the following validation checks before it continues:

     Infrastructure master check

     Adprep /rodcprep check

     Validation of static IP address

Infrastructure master check

If you select the option to install an additional domain controller in a domain, the Active Directory Domain Services Installation Wizard selects the Global catalog check box by default. If you are installing a writable domain controller (the Read-only domain controller check box is cleared) and you also clear the Global catalog check box, the wizard checks whether the infrastructure master role is currently hosted on a global catalog server in the domain. If it is, the wizard prompts you to transfer the role to the domain controller that you are installing. You can either click Yes to transfer the infrastructure master role to this domain controller or click No to correct the configuration later.
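As an added example, not part of the original article, the following PowerShell reproduces the check described above with the .NET System.DirectoryServices classes that ship with Windows Server 2008. It goes one step beyond the text by also counting the domain controllers in the domain that are not global catalogs, because the placement of the infrastructure master only matters while at least one such domain controller exists. The function name and the domain-joined host it runs on are assumptions.

```powershell
# Added example (not the article's code): perform the wizard's infrastructure master
# check from PowerShell using .NET System.DirectoryServices, which is present on
# Windows Server 2008. Assumes the script runs on a domain-joined host with read access.
function Test-InfrastructureMasterPlacement {
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $imOwner = $domain.InfrastructureRoleOwner.Name              # FQDN of the role holder
    # Global catalogs are forest-wide; compare by FQDN against this domain's DCs only.
    $gcs   = @($domain.Forest.FindAllGlobalCatalogs() | ForEach-Object { $_.Name })
    $dcs   = @($domain.FindAllDomainControllers()     | ForEach-Object { $_.Name })
    $nonGc = @($dcs | Where-Object { $gcs -notcontains $_ })
    $onGc  = $gcs -contains $imOwner
    # The wizard prompts when the role sits on a global catalog. The placement only
    # matters while some DC in the domain is not a GC (otherwise there are no stale
    # cross-domain references left for the role holder to fix), so report that too.
    $result = New-Object PSObject -Property @{
        InfrastructureMaster  = $imOwner
        HostedOnGlobalCatalog = $onGc
        NonGlobalCatalogDCs   = $nonGc.Count
        ShouldTransferRole    = ($onGc -and $nonGc.Count -gt 0)
    }
    if ($result.ShouldTransferRole) {
        Write-Warning "Infrastructure master $imOwner is a global catalog while $($nonGc.Count) DC(s) are not; move the role to a non-GC domain controller."
    }
    return $result
}
Test-InfrastructureMasterPlacement | Format-List
```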

Adprep /rodcprep check

If you are installing an RODC, the wizard verifies that the adprep /rodcprep command completed successfully and that the changes that result from the command are replicated throughout the forest. If the adprep /rodcprep command does not complete successfully or the changes are not yet replicated, you receive an error message that states that the command must be run before you can continue with the installation. If you receive this message, run adprep /rodcprep again on any computer in the forest or wait until the changes are replicated throughout the forest. For more information about running adprep /rodcprep, see Prepare a Forest for a Read-Only Domain Controller (http://go.microsoft.com/fwlink/?LinkId=93244).

Validation of static IP address

If you select the DNS server check box, the Active Directory Domain Services Installation Wizard verifies that all of the physical network adapters for the server have a static address, including a static IP version 4 (IPv4) address and a static IP version 6 (IPv6) address if they are both available. Although you can complete the AD DS installation without using a static IP address, this is not recommended because clients can have trouble contacting the domain controller if its IP address changes. For more information about setting a static IP address, see Configuring TCP/IP and DNS Client Settings.

Placing Active Directory Domain Services Files

When you install Active Directory Domain Services (AD DS), you specify where the Active Directory database, log files, and the SYSVOL shared folder will be placed on the server. The database stores information about the users, computers, and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the %windir% directory.

Consider the following factors when you decide where to place AD DS files:

     Backup and recovery

     Performance

Backup and recovery considerations for placing AD DS files

For a simple installation in which the server has only one hard disk, you can simply accept the default installation settings that are supplied by the Active Directory Domain Services Installation Wizard. However, you must create at least two volumes on that one hard disk. One volume is required for critical-volume data and another volume is required for backup.

When you use Windows Server Backup or the Wbadmin.exe command-line tool to back up a server, you must back up at least the critical volumes that are required to recover the server. The volume that you use to create the backups cannot be the same volume that hosts critical-volume data. This requirement can affect where you decide to place AD DS files. On a domain controller, the critical volumes include the following:

     The system volume

     The boot volume

     The volume that hosts SYSVOL

     The volume that hosts the Active Directory database (Ntds.dit)

     The volume that hosts the Active Directory database log files

For example, if you are installing AD DS on a server that has one hard disk, you might create the following logical volumes to accommodate backups:

     Drive C, which hosts all the critical volume data

     Drive D, which is used as a target for Windows Server Backup or Wbadmin.exe

For more information about backing up and recovering a domain controller, see Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Backup and Recovery (http://go.microsoft.com/fwlink/?LinkId=93077).

Performance considerations for placing AD DS files

For more complex installations, you can configure your hard disk storage to optimize AD DS performance. Because the database and the log files use disk storage in different ways, you can improve AD DS performance by devoting a separate hard disk spindle to each.

For example, suppose that a server has four available hard disk drives that are labeled as follows:

     Drive C, which includes the operating system files

     Drive D, which is not used

     Drive E, which is not used

     Drive F, which is used for backup

On this server, you can improve AD DS performance the most by installing the database and log files on separate drives that are devoted to those resources, such as drives D and E. This can help improve the performance of searches against the database because one disk spindle can be devoted solely to that activity. If a large number of changes are ever made at one time, this configuration also reduces the chance of bottlenecks developing on the disk that hosts the log files. You can place SYSVOL on drive C with the operating system files.

Using an Answer File

On the Summary page of the Active Directory Domain Services Installation Wizard, you can click Export settings to save the settings that you specified in the wizard to an answer file. You can then use the answer file to automate subsequent installations of Active Directory Domain Services (AD DS).

The answer file is a plain text file with a [DCInstall] header. The answer file provides answers to the questions that are asked by the Active Directory Domain Services Installation Wizard. Using the answer file eliminates the need for an administrator to interact with the wizard. The Active Directory Domain Services Installation Wizard adds text to the answer file that explains how to use it, such as how to invoke it with the dcpromo command and which settings must be updated to use it.

During an unattended operation, a return code indicates whether or not the operation was successful. For information about return codes, see Unattended Installation Return Codes.

To use an answer file to install AD DS, type the following command at a command prompt, and then press ENTER:

dcpromo /answer[:filename]

Where filename is the name of your answer file.
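The following PowerShell script is an added example, not the article's own code, that ties the two preceding sections together: it performs the same static-address preflight the wizard runs, writes a [DCInstall] answer file that places the database, the log files and SYSVOL on the separate volumes described under the performance considerations, and then runs dcpromo /answer. The domain name corp.example.com, the account dcadmin, the site name and the C:\Deploy path are assumptions.

```powershell
# Added example (not the article's own code): write a [DCInstall] answer file that
# follows the disk-placement guidance above, run the wizard's static-address
# preflight, then call dcpromo /answer. Domain, user, site and paths are assumed.
$AnswerPath = 'C:\Deploy\dcpromo-answer.txt'
# Preflight 1: the wizard rejects DHCP-assigned addresses on any adapter when the
# DNS server option is selected, so fail early on the same condition.
$dhcp = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
          Where-Object { $_.DHCPEnabled })
if ($dhcp.Count -gt 0) {
    throw "DHCP-assigned address on: $(($dhcp | ForEach-Object { $_.Description }) -join ', ')"
}
# Preflight 2: the dedicated spindles for Ntds.dit (D:) and the log files (E:) must exist.
foreach ($vol in 'D:\', 'E:\') {
    if (-not (Test-Path $vol)) { throw "Volume $vol is missing; cannot separate database and logs." }
}
# The answer-file format carries the DSRM password as plain text; collect it only at run time.
$dsrm = Read-Host 'Directory Services Restore Mode password'
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=corp.example.com
UserName=corp.example.com\dcadmin
Password=*
DatabasePath="D:\NTDS"
LogPath="E:\NTDS\Logs"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
# Create the file with an ACL limited to Administrators and SYSTEM before the secret is written.
New-Item -ItemType Directory -Path (Split-Path $AnswerPath) -Force | Out-Null
New-Item -ItemType File -Path $AnswerPath -Force | Out-Null
$acl = Get-Acl -Path $AnswerPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $AnswerPath -AclObject $acl
Set-Content -Path $AnswerPath -Value $answer -Encoding ASCII
# Unattended promotion; Password=* makes dcpromo prompt for the domain credentials.
& dcpromo.exe "/answer:$AnswerPath"
$rc = $LASTEXITCODE
Remove-Item -Path $AnswerPath -Force       # the plain-text DSRM password is no longer needed
Write-Host "dcpromo exit code: $rc (see the Unattended Installation Return Codes table)"
```

The exit code is left for you to compare against the Unattended Installation Return Codes table the article refers to; the script does not interpret it.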

 

 

 



Author Name: ebhakt
Author Location: India
Author Rank: Writer