4.1. Installation Preparation

Before adding the first domain controller running Windows Server 2008 to an existing Windows 2000 Server or Windows Server 2003 environment, the forest and domain functional levels must be set appropriately:

• The forest functional level must be set to Windows 2000 or higher.
• The domain functional level where the 2008 server will be added must be set to Windows 2000 Native or higher.

Note: Because Windows NT 4.0 domain controllers require the Windows 2000 Mixed functional level, you cannot have NT 4.0 and 2008 domain controllers within the same forest or domain.

Before adding the first domain controller running Windows Server 2012 R2 to an existing Windows Server 2008/2008 R2 or Windows Server 2012 Active Directory environment, the forest and domain functional levels must be set appropriately:

• The forest functional level must be set to Windows 2008 or higher.
• The domain functional level where the new server will be added must be set to Windows 2003 or higher.

In addition to ensuring the correct functional level, the Active Directory schema must be updated to support Windows Server 2008/2012 R2 domain controllers. Use the following tools to prepare forest and domain support for Windows Server 2008/2012 R2.

Tool: adprep /forestprep

Use the adprep /forestprep command to update the Windows Server 2003 (2008) or Windows 2000 Server Active Directory schema for Windows Server 2008 (2012 R2).

• You run this command only once in the forest.
• Run this command on the domain controller that holds the schema operations master role for the forest.
• You must be a member of all the following groups to run this command:
  o Enterprise Admins group
  o Schema Admins group
  o The Domain Admins group of the domain that hosts the schema master

Tool: adprep /domainprep

Use the adprep /domainprep command to prepare a domain for a Windows Server 2008/2012 R2 domain controller.

• Run this command on the domain controller that holds the infrastructure operations master role for the domain.
• Run this command after the adprep /forestprep command finishes and after the changes replicate to all the domain controllers in the forest.
• Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008/2012 R2.
• You must be a member of the Domain Admins group to run this command.
• For domains at the Windows 2000 functional level, run adprep /domainprep /gpprep instead. This provides the updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality. Run it during off-peak hours: it updates file system permissions and Active Directory permissions on existing Group Policy objects (GPOs), and running it off-peak minimizes the replication traffic those updates create.

Tool: adprep /rodcprep

Use the adprep /rodcprep command if you plan on installing an RODC in any domain in the forest.

• The adprep /rodcprep command updates permissions on application directory partitions to enable replication of the partitions to read-only domain controllers (RODCs).
• This operation runs remotely; it contacts the infrastructure master in each domain to update the permissions.
• You need to run this command only once in the forest. However, you can rerun this command any time if it fails to complete successfully because an infrastructure master is not available.
• You can run this command on any computer in the forest.
• You must be a member of the Enterprise Admins group to run this command.

When installing Active Directory Domain Services (AD DS) for Windows Server 2008, you face one or more of the following installation scenarios:

Installation scenario: Installing a new Windows Server 2008/2012 R2/2016 forest

When you install AD DS in a new Windows Server 2008 and later forest, be aware of the following:

• The first Windows Server 2008 and later domain controller in a forest must be a global catalog server, and it cannot be a Read Only Domain Controller (RODC).
• The default functional level is set to Windows 2003/2008/2012 R2 for both the forest and the domain.

Installation scenario: Installing a new Windows Server 2008 domain controller to create a new domain in an existing Windows 2000 Server or Windows Server 2003 forest

Before you create a new domain running on a Windows Server 2008 domain controller in a Windows 2000 Server or Windows Server 2003 forest:

• Run the adprep /forestprep command if this is the first Windows Server 2008 domain controller in the forest.
• If you plan on installing an RODC in any domain in the forest, use the adprep /rodcprep command.
• The schema must be updated before the domain controller is installed if you are performing an unattended installation of AD DS with Windows Server 2008.
• For standard installations, the schema must be updated before you install AD DS on the first Windows Server 2008 domain controller.

Note: You only update the forest once, before installing the first Windows Server 2008 domain controller. After the schema has been updated, you can install additional 2008 domain controllers without running adprep /forestprep.

Installation scenario: Installing a new Windows Server 2008 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain

If you are installing a new domain controller running Windows Server 2008 into an existing domain:

• Run the adprep /forestprep command if this is the first Windows Server 2008 domain controller in the forest.
• Run the adprep /rodcprep command if this is the first read-only domain controller in the forest and adprep /rodcprep has not yet been run.
• Run the adprep /domainprep command if this is the first Windows Server 2008 domain controller in the domain. If necessary, use the adprep /domainprep /gpprep command.

Note: The same preparation is required when installing a new Windows Server 2016/2012 R2 domain controller into an existing Windows Server 2012 R2/2008 forest or domain: run the adprep /forestprep and adprep /domainprep /gpprep commands.
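The following PowerShell script is an added example, not part of the original course notes: a read-only pre-flight check for the adprep prerequisites described above. It reports the functional levels, the FSMO holders on which adprep /forestprep and adprep /domainprep must run, whether the schema update has replicated, and whether the current logon token carries the required group memberships. It uses only System.DirectoryServices, so it also runs on an existing Windows Server 2003/2008 domain controller without the ActiveDirectory module; the schema-version lookup table and the 2008 minimum levels are assumptions stated in the comments.

```powershell
# Added example (not from the course notes): read-only pre-flight check for the
# adprep prerequisites above. Uses only System.DirectoryServices, so it also works
# on an existing Windows Server 2003/2008 DC without the ActiveDirectory module.
# Run it as a domain user with read access to the directory.

# Schema objectVersion values that adprep /forestprep writes for each release
# (documented schema versions, kept here as a lookup table).
$schemaVersions = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2';
                     56 = '2012'; 69 = '2012 R2'; 87 = '2016' }

function Get-SchemaVersion([string]$Server) {
    # objectVersion on the schema container is the attribute /forestprep raises.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $schemaDn = $rootDse.schemaNamingContext.Value
    return [int]([ADSI]"LDAP://$Server/$schemaDn").objectVersion.Value
}

function Test-AdPrepReadiness {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Minimum levels from the notes for a 2008 DC: Windows 2000 (forest) and
    # Windows 2000 Native (domain). The .NET enums are ordered, so -ge works.
    $forestOk = $forest.ForestMode -ge [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2000Forest
    $domainOk = $domain.DomainMode -ge [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000NativeDomain

    # /forestprep must run on the schema master, /domainprep on the infrastructure master.
    $schemaMaster = $forest.SchemaRoleOwner.Name
    $infraMaster  = $domain.InfrastructureRoleOwner.Name

    # Compare the schema version on the schema master with the one on another DC in
    # this domain: a mismatch means /forestprep has not finished replicating, so
    # adprep /domainprep must wait.
    $masterVer = Get-SchemaVersion $schemaMaster
    $otherDc   = $domain.FindDomainController().Name
    $otherVer  = Get-SchemaVersion $otherDc

    New-Object PSObject -Property @{
        ForestFunctionalLevel = $forest.ForestMode
        DomainFunctionalLevel = $domain.DomainMode
        FunctionalLevelsOk    = ($forestOk -and $domainOk)
        SchemaMaster          = $schemaMaster
        InfrastructureMaster  = $infraMaster
        SchemaVersion         = $masterVer
        SchemaPreparedFor     = $schemaVersions[$masterVer]
        ForestPrepReplicated  = ($masterVer -eq $otherVer)
        CheckedAgainstDc      = $otherDc
    }
}

function Test-AdPrepGroups {
    # /forestprep needs Enterprise Admins, Schema Admins and the Domain Admins group
    # of the schema master's domain. Resolve the groups in the current logon token.
    $names = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        ForEach-Object { try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null } }
    foreach ($g in 'Enterprise Admins', 'Schema Admins', 'Domain Admins') {
        New-Object PSObject -Property @{ Group = $g; Member = [bool]($names -match "\\$g$") }
    }
}

Test-AdPrepReadiness | Format-List
Test-AdPrepGroups | Format-Table -AutoSize
```

Group membership is read from the logon token, so a user added to Schema Admins since logon must log off and on again before the check reports the membership.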

© Sergey Gorokhod MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+® E‐mail: [email protected] Mob: (+972) 526848757

4.2. AD DS Installation

The following list contains the requirements for installing Active Directory Domain Services (AD DS):

• You must have membership in the Domain Admins, Schema Admins, and Enterprise Admins groups.
• You must have properly configured static IP addresses and Domain Name System (DNS) server addresses.
• You must verify that a DNS infrastructure is in place on your network before you add AD DS to create a domain or forest.
• Use local, fixed disks for the volumes that store the database, log files, and SYSVOL folder for AD DS.
• For added security, place the database and log files on a volume with the NTFS file system.

There are four methods for Active Directory Domain Services (AD DS) installation:

Method: Active Directory Domain Services Installation Wizard

AD DS installation using wizards requires the following actions:

• In Server Manager, run the Add Roles Wizard to install the Active Directory binaries.
• Run dcpromo.exe to start the Active Directory Domain Services Installation Wizard. This wizard can be used to install new 2008/2012/2016 forests, domains, and domain controllers.

Method: Command line

At the command line, use the dcpromo command combined with unattended installation switches and parameter values to create forests, domains, and domain controllers. Use the following switches to customize the installation:

• Use /NewDomain with the Forest, Tree, or Child value to specify the type of new domain.
• Use /DomainLevel or /ForestLevel with the following options:
  o 0 = Windows 2000 Server Native
  o 2 = Windows Server 2003 Native
  o 3 = Windows Server 2008
• Use /databasePath:C:\Windows\ntds, /logPath:C:\Windows\ntdslogs, and /sysvolpath:C:\Windows\sysvol to specify the location of the database file, log files, and system volume (SYSVOL) folder, respectively.
• Use /DNSOnNetwork to specify whether DNS service is available on the network.
• Use /NewDomainDNSName to specify a fully qualified domain name (FQDN) for the new domain.

Note: For a complete list of unattended installation switches, including default values, allowed values, and descriptions, type dcpromo /?:Promotion at the command prompt.

Method: Answer file

An answer file is a list of Active Directory configuration values in a text file which is used to install AD DS on either a full installation of Windows Server 2008 or a Server Core installation. To create an answer file you can:

• Run the Active Directory Domain Services Installation Wizard and export your choices to a file.
• Create or edit the answer file directly in a text editor.

To perform the install using the answer file, run dcpromo /unattend:C:\unattend.txt, using the name of the answer file you created.

Method: AD DS installation from media

Using media is an alternate method of AD DS installation. The media contains the unattended installation parameters which will create additional domain controllers, as well as the Active Directory database. During installation, the Active Directory database is copied from the media instead of being replicated from another domain controller. Use the media installation method if you need to perform a domain controller install where the domain controller will not be able to contact another domain controller during installation. Use one of the following to create the installation media:

• Run ntdsutil.exe.
• Run Windows Server Backup in Windows Server 2008. A critical-volumes backup includes all files on the volumes that are required to recover AD DS, which is significantly more space than is required for AD DS installation.

To install a domain controller using media, use one of the following methods:

• In the Active Directory Domain Services Installation Wizard, use the Install from Media page to refer to the location of the shared folder or removable media.
• Use the /ReplicationSourcePath parameter during an unattended installation to specify the location of the shared folder or removable media.

Be aware of the following when installing an RODC:

• The first Windows Server 2008 and later domain controller in a forest cannot be a Read Only Domain Controller (RODC). If your forest does not have a Windows Server 2008 and later domain controller, install a writable domain controller prior to installing the RODC.
• You cannot convert an RODC to a full installation, nor can you convert a full installation to an RODC.
• You cannot upgrade a Windows Server 2003 domain controller to a Windows Server 2008 read-only domain controller. To make a Windows Server 2003 domain controller an RODC, first remove AD DS, then re-install the domain controller as an RODC.

4.3. AD DS Answer File Details

Below is an example of an answer file that creates a new child domain (named sales) in the existing westsim.com forest:

[DCINSTALL]
InstallDNS=yes
ParentDomainDNSName=westsim.com
ReplicaOrNewDomain=domain
NewDomain=child
NewDomainDNSName=sales.westsim.com
ChildName=sales
DomainNetBiosName=sales
DomainLevel=2
DatabasePath=C:\Windows\ntds
LogPath=C:\Windows\ntdslogs
SYSVOLPath=C:\Windows\sysvol
SafeModeAdminPassword=w3st1m2008
RebootOnCompletion=yes

The following list describes the various parameters you can use within the answer file:

ChildName: Specifies the single-label DNS name of the child domain. Do not include parent domain names in the name.

DatabasePath: Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain database. For example, C:\Windows\ntds

DomainLevel: Specifies the domain functional level when a new domain is created in an existing forest.
  0 = Windows 2000 Server Native
  2 = Windows Server 2003
  3 = Windows Server 2008

DomainNetBiosName: Assigns a NetBIOS name to the new domain. It is the left-most label of the DNS name, without parent domain names.

ForestLevel: Specifies the forest functional level when a new domain is created in a new forest.
  0 = Windows 2000 Server
  2 = Windows Server 2003
  3 = Windows Server 2008
  Note: Do not use this switch when you are installing a domain controller in an existing forest.

InstallDNS: Specifies whether DNS is configured for a new domain if Dcpromo detects that the DNS dynamic update protocol is not available, or if it detects an insufficient number of DNS servers for an existing domain.
  Note: InstallDNS replaces AutoConfigDNS.

LogPath: Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files, for example, C:\Windows\ntdslogs

NewDomain: Specifies the type of new domain:
  Forest = The root domain of a new forest (Default)
  Tree = The root domain of a new tree in an existing forest
  Child = A child domain in an existing forest
  The type of new domain must be specified when AD DS is installed on a Windows Server Core installation.

NewDomainDNSName: Specifies a fully qualified domain name (FQDN) for the new domain.

ParentDomainDNSName: Specifies the FQDN of an existing parent domain when installing a child domain.

Password: Specifies the password corresponding to the user name (account credentials) that is used to promote the domain controller. Specify * to prompt the user to enter credentials.

ReplicaDomainDNSName: Specifies the FQDN of the domain in which you want to promote an additional domain controller.

ReplicaOrNewDomain: Specifies whether to install the domain controller as:
  Replica = An additional domain controller in an existing domain (Default)
  ReadOnlyReplica = An RODC in an existing domain
  Domain = The first domain controller in a new domain

ReplicateFromMedia: Indicates whether an install from media is being performed. Possible options are Yes or No.

ReplicationSourcePath: Indicates the location of the installation media that will be used to install a new domain controller.

SafeModeAdminPassword: The password for the administrator account to use when starting the computer in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode. You cannot specify a blank password.

SysVolPath: Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer, for example, C:\Windows\SYSVOL

The following list gives the key answer file settings for various installation examples:

Scenario: Forest

The following lines indicate you are installing a new Windows Server 2008 forest:
  NewDomain=forest
  ReplicaOrNewDomain=domain
  NewDomainDNSName=westsim.com
  DomainNetBiosName=westsim
  ForestLevel=2
  DomainLevel=2

Scenario: Child domain

The following lines indicate you are installing a child domain into an existing domain tree:
  NewDomain=child
  ReplicaOrNewDomain=domain
  ParentDomainDNSName=westsim.com
  NewDomainDNSName=sales.westsim.com
  ChildName=sales
  DomainNetBiosName=sales
  DomainLevel=2

Scenario: Domain tree

The following lines indicate you are installing the first domain in a new domain tree:
  NewDomain=tree
  ReplicaOrNewDomain=domain
  ParentDomainDNSName=westsim.com
  NewDomainDNSName=eastsim.com
  ChildName=eastsim
  DomainNetBiosName=eastsim
  DomainLevel=2

Scenario: Additional domain controller

The following lines indicate you are installing an additional domain controller in an existing domain:
  ReplicaOrNewDomain=replica
  ReplicaDomainDNSName=sales.westsim.com
  UserName=aWaters
  UserDomain=westsim.com
  Password=1q2w3e4r
  ConfirmGC=yes

Note: The UserDomain indicates the domain where the user account exists, not the domain where you are installing the domain controller.
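The following PowerShell script is an added example, not part of the original course notes: it writes the sales.westsim.com child-domain answer file shown above to a file that only Administrators and SYSTEM can read, runs dcpromo /unattend with it, and deletes the file afterwards, because the answer file stores the DSRM password (SafeModeAdminPassword) in clear text. The file path, the interactive DSRM password prompt, RebootOnCompletion=no with an explicit restart afterwards, and the dcpromo exit-code range are assumptions noted in the comments.

```powershell
# Added example (not from the course notes): run the child-domain answer file above
# with dcpromo /unattend while keeping the clear-text DSRM password off disk for as
# short a time as possible. Run from an elevated PowerShell session on the server
# being promoted, logged on with an account allowed to create the child domain.

$answerPath = 'C:\unattend.txt'   # assumed location of the answer file

# Prompt for the DSRM password rather than hard-coding it; it is decoded only to
# build the file, which is removed again in the finally block below.
$secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Same [DCINSTALL] entries as the example answer file above, except that the reboot
# is deferred so the file can be deleted before the server restarts.
$answer = @"
[DCINSTALL]
InstallDNS=yes
ParentDomainDNSName=westsim.com
ReplicaOrNewDomain=domain
NewDomain=child
NewDomainDNSName=sales.westsim.com
ChildName=sales
DomainNetBiosName=sales
DomainLevel=2
DatabasePath=C:\Windows\ntds
LogPath=C:\Windows\ntdslogs
SYSVOLPath=C:\Windows\sysvol
SafeModeAdminPassword=$dsrm
RebootOnCompletion=no
"@

# Write the file, then replace its ACL: inheritance off, Administrators and SYSTEM only.
Set-Content -Path $answerPath -Value $answer -Encoding ASCII
$acl = Get-Acl -Path $answerPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $answerPath -AclObject $acl

try {
    & dcpromo.exe "/unattend:$answerPath"
    # dcpromo's documented exit codes: 1 through 10 are success codes, 11 through
    # 100 are failures. Details are written to %SystemRoot%\debug\dcpromo.log.
    $promoted = ($LASTEXITCODE -ge 1 -and $LASTEXITCODE -le 10)
    if (-not $promoted) { Write-Warning "dcpromo exit code $LASTEXITCODE; see %SystemRoot%\debug\dcpromo.log" }
}
finally {
    # Remove the clear-text DSRM password from disk whether or not promotion succeeded.
    Remove-Item -Path $answerPath -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}

if ($promoted) { Restart-Computer -Force }
```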

4.4. AD DS Installation Verification

After installing AD DS, use the following methods to verify the installation. To perform these procedures, you must be a member of the Domain Users group.

Task: Determine whether a Server object has child objects

After Active Directory is properly installed on a domain controller, the Server object for the domain controller will have a child NTDS Settings object. Other applications that are running on domain controllers can also publish child objects.

To verify that the server has child objects, in Active Directory Sites and Services, browse to the server object (located within the appropriate site) and then expand the server object to view any child objects.

Task: Check the status of the shared SYSVOL

This procedure involves checking to make sure that the File Replication Service is started properly and then ensuring that the SYSVOL and NETLOGON shared folders are created. Do the following to verify the SYSVOL status:

• In Event Viewer, click File Replication Service, and look for the following events:
  o Event 13508 indicates that FRS is in the process of starting the service.
  o Event 13509 indicates that the service has started successfully.
  o Event 13516 indicates that the service is started, the folders are shared, and the domain controller is functional. The event has a date and time stamp that corresponds with the recent restart. It can take 15 minutes or more to appear.
• Run net share to display a list of the shared folders on this domain controller, including NETLOGON and SYSVOL.
• Run dcdiag /test:netlogons, and look for a message that states "computername passed test NetLogons", where computername is the name of the domain controller. If you do not see the "test passed" message, replication will not function. This test verifies that the proper logon privileges are set to allow replication to occur. If this test fails, verify the permissions set on the NETLOGON and SYSVOL shared folders.

Task: Verify domain membership for a new domain controller

This test verifies that a new domain controller has successfully become a member of the domain. To verify domain membership for a new domain controller, run netdiag /test:member and look for the following message:

  Domain membership test Passed

If you use the /v option, it will list the name of the domain controller, its role, the name of the domain, and a number of other statistics about the new domain controller.

Task: Verify communication with other domain controllers

This procedure verifies that domain controllers can be located. To verify communication with other domain controllers, run the netdiag /test:dsgetdc command.

• If domain controllers are successfully located, the last line of the response is "DC discovery test...... : Passed". The /v option lists the specific domain controllers that are located.
• If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents communication with other domain controllers.

Task: Verify replication with other domain controllers

The tests performed in this procedure verify that different aspects of the replication topology are working properly. They check to see that objects are replicating and they verify that the proper logon permissions are set to allow replication to occur.

• To verify that replication is functioning, run dcdiag /test:replications.
• To verify that the proper permissions are set for replication, run dcdiag /test:netlogons.

Messages indicate whether the connectivity and netlogons tests passed.
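The following PowerShell script is an added example, not part of the original course notes: it runs the verification tasks above on the local domain controller and returns one pass/fail record per check, so the result can be reviewed or logged instead of read off the console. netdiag is not shipped with Windows Server 2008, so the domain-controller discovery check uses nltest /dsgetdc instead; the event IDs, share names and dcdiag test names are the ones the notes quote, and the function names are the script's own.

```powershell
# Added example (not from the course notes): scripted version of the verification
# tasks above. Run from an elevated PowerShell session on the new domain controller.

function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-NtdsSettings {
    # RootDSE.dsServiceName is the DN of this DC's NTDS Settings object, the child
    # object that Active Directory Sites and Services shows under the Server object.
    $dn = ([ADSI]'LDAP://RootDSE').dsServiceName.Value
    New-CheckResult 'Server object has NTDS Settings child' ($dn -like 'CN=NTDS Settings,CN=*') $dn
}

function Test-SysvolShares {
    # "net share" must list NETLOGON and SYSVOL once FRS has built and shared SYSVOL.
    $shares  = net share | ForEach-Object { ($_ -split '\s+')[0] }
    $missing = @(@('NETLOGON', 'SYSVOL') | Where-Object { $shares -notcontains $_ })
    New-CheckResult 'SYSVOL and NETLOGON shared' ($missing.Count -eq 0) ('missing: ' + ($missing -join ', '))
}

function Test-FrsEvents {
    # Event 13516 in the File Replication Service log means FRS started, SYSVOL is
    # shared and the DC is functional; 13508 without 13509/13516 means FRS is still
    # waiting for a replication partner. Not applicable once SYSVOL uses DFSR.
    $ids = @(Get-EventLog -LogName 'File Replication Service' -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue |
             ForEach-Object { $_.EventID } | Sort-Object -Unique)
    New-CheckResult 'FRS started and SYSVOL shared (event 13516)' ($ids -contains 13516) ('events seen: ' + ($ids -join ', '))
}

function Test-DcLocator {
    # Stands in for netdiag /test:dsgetdc: the locator must find a DC for this domain.
    $domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $out = nltest "/dsgetdc:$domainName"
    New-CheckResult 'Domain controllers can be located (nltest /dsgetdc)' ([bool]($out -match 'completed successfully')) (($out -match 'DC:') -join '; ')
}

function Test-DcDiag([string]$Test, [string]$Label) {
    # dcdiag prints "<dcname> passed test <Test>" on success; anything else is a failure.
    $out  = dcdiag "/test:$Test"
    $line = ($out | Where-Object { $_ -match "test $Test" }) -join '; '
    New-CheckResult $Label ([bool]($out -match "passed test $Test")) $line
}

function Test-NewDcHealth {
    Test-NtdsSettings
    Test-SysvolShares
    Test-FrsEvents
    Test-DcLocator
    Test-DcDiag 'netlogons'    'Logon privileges allow replication (dcdiag /test:netlogons)'
    Test-DcDiag 'replications' 'Replication with other DCs (dcdiag /test:replications)'
}

Test-NewDcHealth | Format-Table Check, Passed, Detail -AutoSize -Wrap
```

A failed FRS check right after promotion is not necessarily an error: as the notes say, event 13516 can take 15 minutes or more to appear, so rerun the script before investigating permissions on the SYSVOL and NETLOGON shares.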

4.5. AD DS Removal

Similar to AD DS installation, there are three tools you can use to remove a domain controller:

• The Active Directory Domain Services 2008/2012/2016 Installation Wizard removes domain controllers in a prompted environment in the same manner it adds domain controllers.
• Use dcpromo.exe to start the Active Directory Domain Services Installation Wizard (only in Windows Server 2008/2008 R2).
• The command line uses the dcpromo command combined with unattended installation switches and parameter values to remove domain controllers.
• An answer file is called by the dcpromo command to remove domain controllers.

The following list describes what to do in specific uninstall scenarios:

Scenario: Remove a domain controller from a domain

You should know the following about removing a domain controller from a domain:

• You must be a member of the Domain Admins group in the domain to perform this procedure.
• If necessary, you must first transfer the operations master roles hosted by the domain controller to other domain controllers.
• If you are using the wizard to perform this task, do not choose the Delete the domain option.
• If you are using the command line to perform this task, use dcpromo combined with unattended installation switches and parameter values.
• If you are using an answer file to perform this task, include the removeapplicationpartitions=yes and removeDNSDelegation=yes entries.

Scenario: Remove the last domain controller from a domain

You should know the following about removing the last domain controller from a domain:

• You must be a member of the Enterprise Admins group in the forest to perform this procedure.
• You must move all forest operations master roles before you can remove the last domain controller from a domain.
• If you are using the wizard to perform this task, select the Delete the domain option and proceed through the wizard prompts.
• If you are using an answer file to perform this task, include the IsLastDCInDomain=yes entry.
• If you are using the command line to perform this task, use the /IsLastDCInDomain:Yes and /DemoteFSMO:Yes switches.

Scenario: Remove the last domain controller from a forest

You should know the following about removing the last domain controller from a forest:

• You must be a member of the Domain Admins group in the forest root domain or a member of the Enterprise Admins group in the forest to perform this procedure.
• If you are using the wizard to perform this task, select the Delete the domain and forest option and proceed through the wizard prompts.
• If you are using the answer file and command line methods to perform this task, they are the same as if you were removing the last domain controller from a domain. Because the forest root domain is the domain that you are removing, the options for removing the domain effectively remove the forest itself.

Scenario: Forced removal of a domain controller

Forcefully remove a domain controller only if the domain controller has no connectivity with other domain controllers. You should know the following about forcefully removing a domain controller from a domain:

• You must be a member of the Domain Admins group in the domain to perform this procedure.
• You must manually update the forest metadata after you remove the domain controller, because the AD DS forest metadata is not automatically updated as it is when a domain controller is removed normally.
• If you are using the wizard to perform this task, go to the Force the Removal of Active Directory Domain Services page and proceed through the wizard's prompts.
• If you are using the command line (only in Windows Server 2008/2008 R2) to perform this task, use the dcpromo /ForceRemoval command. In addition, use the /DemoteFSMO switch to force the removal of AD DS even if an operations master role is held by the domain controller.

Note: If you cancel the Active Directory Domain Services Installation Wizard during installation, the AD DS binary files are not removed. To uninstall the binary files, use Server Manager to uninstall the AD DS role.
