AD Installation and Removal


4.1. Installation Preparation

Before adding the first domain controller running Windows Server 2008 to an existing Windows 2000 or Windows Server 2003 Active Directory environment, the forest and domain levels must be set appropriately:

  • The forest functional level must be set to Windows 2000 or higher.
  • The domain functional level where the 2008 server will be added must be set to Windows 2000 Native or higher.

Note: Because Windows NT 4.0 domain controllers require the Windows 2000 Mixed functional level, you cannot have NT 4.0 and 2008 domain controllers within the same forest or domain.

Before adding the first domain controller running Windows Server 2012 R2 to an existing Windows 2008/2008 R2 or Windows Server 2012 Active Directory environment, the forest and domain levels must be set appropriately:

  • The forest functional level must be set to Windows 2008 or higher.
  • The domain functional level where the 2008 server will be added must be set to Windows 2003 or higher.

In addition to ensuring the correct functional level, the Active Directory schema must be updated to support Windows Server 2008/2012 R2 domain controllers. Use the following tools to prepare forest and domain support for Windows Server 2008/2012 R2.

Tool: adprep /forestprep
Description:
  • Use the adprep /forestprep command to update the Windows Server 2003 (2008) or Windows 2000 Server Active Directory schema for Windows Server 2008 (2012 R2).
  • You run this command only once in the forest.
  • Run this command on the domain controller that holds the schema operations master role for the forest.
  • You must be a member of all the following groups to run this command:
      o Enterprise Admins group
      o Schema Admins group
      o The Domain Admins group of the domain that hosts the schema master

Tool: adprep /domainprep
Description:
  • Use the adprep /domainprep command to prepare a domain for a Windows Server 2008/2012 R2 domain controller.
  • Run this command on the domain controller that holds the infrastructure operations master role for the domain.
  • Run this command after the adprep /forestprep command finishes and after the changes replicate to all the domain controllers in the forest.
  • Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008/2012 R2.
  • You must be a member of the Domain Admins group to run this command.
  • For domains at the Windows 2000 functional level, run adprep /domainprep /gpprep instead. This provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality. This command performs updates during off-peak hours. This minimizes replication traffic that is created in those environments by updates to file system permissions and Active Directory permissions on existing Group Policy objects (GPOs).

Tool: adprep /rodcprep
Description:
  • Use the adprep /rodcprep command if you plan on installing an RODC in any domain in the forest.
  • The adprep /rodcprep command updates permissions on application directory partitions to enable replication of the partitions to read-only domain controllers (RODCs).
  • This operation runs remotely; it contacts the infrastructure master in each domain to update the permissions.
  • You need to run this command only once in the forest. However, you can rerun this command any time if it fails to complete successfully because an infrastructure master is not available.
  • You can run this command on any computer in the forest.
  • You must be a member of the Enterprise Admins group to run this command.

When installing Active Directory Domain Services (AD DS) for Server 2008, you face one or more of the following installation scenarios:

Installation scenario: Installing a new Windows Server 2008/2012 R2/2016 forest
Description: When you install AD DS in a new Windows Server 2008 and later forest, be aware of the following:
  • The first Server 2008 and later domain controller in a forest must be a global catalog server and it cannot be a Read Only Domain Controller (RODC).
  • The default domain functional level is set to Windows 2003/2008/2012 R2 for both the forest and the domain.

Installation scenario: Installing a new Windows Server 2008 domain controller to create a new domain in an existing Windows 2000 Server or Windows Server 2003 forest
Description: Before you create a new domain running on a Windows Server 2008 domain controller in a Windows 2000 Server or Windows Server 2003 forest:
  • Run the adprep /forestprep command if this is the first Windows Server 2008 domain controller in the forest.
  • If you plan on installing an RODC in any domain in the forest, use the adprep /rodcprep command.
  • The schema must be updated before the operating system is installed if you are performing an unattended installation of AD DS with Windows Server 2008.
  • For standard installations, the schema must be updated before you install AD DS on the first Windows Server 2008 domain controller.
Note: You only update the forest once before installing the first Windows Server 2008 domain controller. After the schema has been updated, you can install additional 2008 domain controllers without running adprep /forestprep.

Installation scenario: Installing a new Windows Server 2008 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain
Description: If you are installing a new domain controller running Windows Server 2008 into an existing domain:
  • Run the adprep /forestprep command if this is the first Windows Server 2008 domain controller in the forest.
  • Run the adprep /rodcprep command if this is the first read-only domain controller in the forest and if adprep /rodcprep has not yet been run.
  • Run the adprep /domainprep command if this is the first Windows Server 2008 domain controller in the domain. If necessary, use the adprep /domainprep /gpprep command.

Note: The same preparation is required when installing a new Windows Server 2016/2012 R2 domain controller into an existing 2012 R2/2008 forest or domain: the adprep /forestprep and adprep /domainprep /gpprep commands.
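The adprep prerequisites in section 4.1 (functional levels, which operations master each command runs on, and the group memberships it needs) can be checked read-only before anything is changed. The script below is an added example, not part of the original document; it assumes PowerShell 3.0 or later, the ActiveDirectory module, and at least one domain controller running AD Web Services.

```powershell
# Added example, not from the original document: read-only checks before running adprep.
# Assumes PowerShell 3.0+, the ActiveDirectory module and a DC running AD Web Services.
# Run elevated so the token carries the administrative groups.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain        # domain of the logged-on user
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$domSid  = $domain.DomainSID.Value

# /forestprep also needs Domain Admins of the domain that hosts the schema master.
$schemaDc  = Get-ADDomainController -Identity $forest.SchemaMaster -Server $forest.SchemaMaster
$schemaSid = (Get-ADDomain -Identity $schemaDc.Domain).DomainSID.Value

# Group SIDs in the current token; RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
$mySids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
function Test-InAllGroups([string[]]$Sids) {
    @($Sids | Where-Object { $mySids -notcontains $_ }).Count -eq 0
}

# objectVersion on the schema partition shows which schema update has been applied.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = [int](Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
$schemaNames = @{
    13 = 'Windows 2000 Server';    30 = 'Windows Server 2003';    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008';    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016'
}

"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"
"Schema objectVersion    : $schemaVersion ($($schemaNames[$schemaVersion]))"

# One row per adprep step: where to run it and whether this account is in every required group.
@(
    [pscustomobject]@{ Step = 'adprep /forestprep'; RunOn = $forest.SchemaMaster
        InRequiredGroups = Test-InAllGroups "$rootSid-519", "$rootSid-518", "$schemaSid-512" }
    [pscustomobject]@{ Step = 'adprep /domainprep'; RunOn = $domain.InfrastructureMaster
        InRequiredGroups = Test-InAllGroups "$domSid-512" }
    [pscustomobject]@{ Step = 'adprep /rodcprep'; RunOn = 'any computer in the forest'
        InRequiredGroups = Test-InAllGroups "$rootSid-519" }
) | Format-Table -AutoSize
```

Running it again after adprep /forestprep has replicated should show the higher objectVersion on every domain controller queried, which is the condition the document sets before adprep /domainprep.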
© Sergey Gorokhod MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+® E-mail: [email protected] Mob: (+972) 526848757

4.2. AD DS Installation

The following list contains the requirements for installing Active Directory Domain Services (AD DS):

  • You must have membership in the Domain Admins, Schema Admins, and Enterprise Admins group.
  • You must have properly configured static IP addresses and Domain Name System (DNS) server addresses.
  • You must verify that a DNS infrastructure is in place on your network before you add AD DS to create a domain or forest.
  • Use local, fixed disks for the volumes that store the database, log files, and SYSVOL folder for AD DS.
  • For added security, place the database and log files on a volume with the NTFS file system.

There are four methods for Active Directory Domain Services (AD DS) installation:

Method: Active Directory Domain Services Installation Wizard
Description: AD DS installation using wizards requires the following actions:
  • In Server Manager, run the Add Roles Wizard to install the Active Directory binaries.
  • Run dcpromo.exe to run the Active Directory Domain Services Installation Wizard. This wizard can be used to install new 2008/2012/2016 forests, domains, and domain controllers.

Method: Command Line
Description: At the command line, use the dcpromo command combined with unattended installation switches and parameter values to create forests, domains, and domain controllers. Use the following switches to customize the installation:
  • Use /NewDomain with the Forest, Tree, or Child switch to specify the type of new domain.
  • Use /DomainLevel or /ForestLevel with the following options:
      o 0 = Windows 2000 Server Native
      o 2 = Windows Server 2003 Native
      o 3 = Windows Server 2008
  • Use /databasePath:C:\Windows\ntds /logPath:C:\Windows\ntdslogs /sysvolpath:C:\Windows\sysvol to specify the location of the database file, directory service log files, and system volume (SYSVOL) folder, respectively.
  • Use /DNSOnNetwork to specify whether DNS service is available on the network.
  • Use /NewDomainDNSName to specify a fully qualified domain name (FQDN) for the new domain.
Note: For a complete list of unattended installation switches, including default values, allowed values, and descriptions, type dcpromo /?:Promotion at the command prompt.

Method: Answer file
Description: An answer file is a list of Active Directory configuration values in a text file which is used to install AD DS on either a full installation of Windows Server 2008 or a Server Core installation. To create an answer file you can:
  • Run the Active Directory Domain Services Installation Wizard and export your choices to a file.
  • Create or edit the answer file directly in a text editor.
To perform the install using the answer file, run dcpromo /unattend:C:\unattend.txt, using the name of the answer file you created.

Method: AD DS installation from media
Description: Using media is an alternate method of AD DS installation. The media contains the unattended installation parameters which will create additional domain controllers, as well as the Active Directory database. During installation, the Active Directory database is copied from the media instead of replicated from another domain controller. Use the media installation method if you need to perform a domain controller install where the domain controller will not be able to contact another domain controller during installation.
Use one of the following to create the installation media:
  • Run ntdsutil.exe.
  • Run Windows Server backup in Windows Server 2008. A critical-volumes backup includes all files on the volumes that are required to recover AD DS, which is significantly more space than required for AD DS installation.
To install a domain controller using media, use one of the following methods:
  • In the Active Directory Domain Services Installation Wizard, use the Install from Media page to refer to the location of the shared folder or removable media.
  • Use the /ReplicationSourcePath parameter during an unattended installation to specify the location of the shared folder or removable media.

Be aware of the following when installing a RODC:
  • The first Windows Server 2008 and later domain controller in a forest cannot be a Read Only Domain Controller (RODC).
