Microsoft Active Directory provides the structure to centralize network management and store information about network resources across the entire domain. Active Directory uses domain controllers to keep this centralized storage available to network users. In order to configure a Windows Server 2008 machine to act as a domain controller, several considerations and prerequisites should be taken into account, and several steps should be performed.

What’s New in Windows Server 2008 Active Directory Domain Services
Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these:

1. Server roles and features: Microsoft has organized the capabilities of a computer into various roles and features. Simply put, a role is a specific function that a server can perform on the network, including file services, terminal services, and certificate services. Active Directory Domain Services (AD DS) is the server role that encompasses all domain control functions. A feature is an optional component that adds a specific function such as the .NET Framework 3.0, BitLocker Drive Encryption, Network Load Balancing, and so on. Certain roles require that specific features be installed, and these are automatically installed when you add this role. You can add roles and features from the Initial Configuration Tasks window, Server Manager, or the command line.

2. Server Core: A Server Core is a stripped-down version of Windows Server 2008 that does not contain any GUI, taskbar, or Start menu. After logging on, you are presented with a command prompt window from which you perform all administrative actions. A Server Core computer uses less hardware and memory resources than a normal server but is able to perform most (but not all) of the roles that a normal server performs. Furthermore, a Server Core computer is more secure because it presents a smaller attack footprint than a normal server.

3. Enhancements to Group Policy: Microsoft has added many new policy settings. In particular, these settings enhance the management of Windows Vista client computers. All policy management is now handled by means of the Group Policy Management Console (GPMC), which was an optional feature first added to Windows Server 2003 R2. In addition, Microsoft has added new auditing capabilities to Group Policy and added a searchable database for locating policy settings from within GPMC. In Windows Server 2008 R2, GPMC enables you to use a series of PowerShell cmdlets to automate many of the tasks (such as maintenance and linking of GPOs) that you would otherwise perform in the GUI. In addition, R2 adds new policy settings that enhance the management of Windows 7 computers.

4. Auditing: AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing categories: Directory Services Access, Directory Services Changes, Directory Services Replication, and Detailed Directory Services Replication. Additionally, auditing now provides the capability to log old and new values of an attribute when a successful change is made to that attribute.

5. Fine-Grained Password Policies: AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain. User and group password and account lockout policies are defined and applied via a Password Setting Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and groups.

6. Read-Only Domain Controllers: AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database.

7. Restartable Active Directory Domain Services: AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. For example, other services running on the server remain available to satisfy client requests while AD DS is stopped.

8. AD DS Database Mounting Tool: AD DS in Windows Server 2008 comes with an AD DS database mounting tool, which provides a means to compare data as it exists in snapshots or backups taken at different times. AD DS database mounting eliminates the need to restore multiple backups to compare the AD data that they contain and provides the capability to examine any change made to data stored in AD DS.

9. Active Directory Certificate Services (AD CS): Certificate Services has been enhanced considerably from Windows Server 2003. You can use new certificate templates that support new cryptographic algorithms, you can enroll network devices such as routers for certificates, you can designate several limited roles for delegating administrative tasks to different individuals, and you can use the online responder service as an alternative to traditional certificate revocation lists.

10. Active Directory Lightweight Directory Services (AD LDS): Microsoft has enhanced and modified the previous Active Directory Application Mode (ADAM) feature first introduced in Windows Server 2003 Release 2 (R2).

11. Active Directory Rights Management Service (AD RMS): Microsoft has added numerous features such as a new interface, delegation of administration, and integration with Active Directory Federation Service (AD FS).

Install a New Forest by Using the Windows Interface

To install a new forest by using the Windows interface, perform the following steps using a local account that has membership in the following local group: Administrators.

1. Log on to the server you want to promote to a domain controller.
2. Click Start and then click Server Manager.
3. In Roles Summary, click Add Roles.
4. On the Before You Begin page, click Next.
5. On the Select Server Roles page, shown in Figure 3.1, click the Active Directory Domain Services check box, then click Next.
6. On the Active Directory Domain Services page, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, shown in the following figure, verify that the installation succeeded and then click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Figure 3.1. The Select Server Roles page.

The Installation Results page.

9. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
10. On the Operating System Compatibility page, click Next.
11. On the Choose a Deployment Configuration page, shown in the following figure, click Create a new domain in a new forest, then click Next.

The Choose a Deployment Configuration page.

12. On the Name the Forest Root Domain page, shown in the following figure, type the fully qualified domain name (FQDN) for the forest root domain and then click Next.
13. On the Set Forest Functional Level page, shown in the following figure, select the forest functional level that meets your requirements and click Next.

The Name the Forest Root Domain page.

The Set Forest Functional Level page.

14. If you set a forest functional level other than Windows Server 2008, the Set Domain Functional Level page displays, as shown in the following figure. Select the domain functional level that meets your requirements and click Next.

The Set Domain Functional Level page.

15. On the Additional Domain Controller Options page, shown in the following figure, DNS Server is selected by default, which allows the DNS infrastructure to be created by the installation process. If you plan to use AD-Integrated DNS, click Next. If you plan to use an existing DNS infrastructure and do not want the domain controller to be a DNS server, clear the DNS Server check box and click Next.

The Additional Domain Controller Options page.

16. If the wizard cannot create a delegation for the DNS server, it displays a message to indicate that you can create the delegation manually, as shown in the following figure. To continue, click Yes.

The manual DNS delegation message.

17. On the Location for Database, Log Files, and SYSVOL page, shown in the following figure, type the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, then click Next.

The Location for Database, Log Files, and SYSVOL page.

18. On the Directory Services Restore Mode Administrator Password page, shown in the following figure, type and confirm the restore mode password and then click Next.

The Directory Services Restore Mode Administrator Password page.

19. On the Summary page, shown in the following figure, click Next after you review your selections.

The Summary page.

20. The Active Directory Domain Services installation process starts, as shown in the following figure.

21. After the installation is complete, the Completing the Active Directory Domain Services Installation Wizard page appears, as shown in the following figure. Ensure the installation was successful and click Finish.

The Completing the Active Directory Domain Services Installation Wizard page.

22. When prompted to restart, click Restart Now.
23. To validate the installation process, click Start, click Run, type C:\Windows\Debug, and click OK. Open the DCPROMO.log file and analyze the results in the file.
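Two of the features from the What's New list, fine-grained password policies (item 5) and Directory Service Changes auditing (item 4), are the ones a defender usually configures first once the forest from the steps above is up and validated. The PowerShell below is an added example and is not code from the original guide. It assumes the ActiveDirectory module that ships with Windows Server 2008 R2 (on a Windows Server 2008 domain controller without that module, PSOs are created through ADSI Edit or ldifde instead); the PSO name, group name, container DN and domain name are constructed sample values, and the function names are this example's own. Security event ID 5136 and its data field names are the ones Windows writes for Directory Service Changes events.

```powershell
# Added example, not from the original guide: configures two "What's New" features
# on a freshly promoted DC. Assumes the ActiveDirectory module (Windows Server 2008 R2).
# All names below (PSO, group, container DN, domain) are constructed sample values.
Import-Module ActiveDirectory

# --- 1. Fine-grained password policy ------------------------------------------
# A PSO carries every setting of the Default Domain Policy except the Kerberos
# settings and is applied to users and global security groups, never to OUs.
# When several PSOs cover one user, the lowest Precedence value wins.
function New-PrivilegedAccountPso {
    param(
        [string]$Name        = 'PSO-PrivilegedAccounts',   # sample PSO name
        [string]$TargetGroup = 'Tier0-Admins'              # sample global group, must already exist
    )
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $TargetGroup
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

# Resolves which policy a user actually gets; $null means no PSO applies and the
# Default Domain Policy is in effect.
function Get-EffectivePasswordPolicy([string]$SamAccountName) {
    Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
}

# --- 2. Directory Service Changes auditing -------------------------------------
# Old/new attribute values are only logged when both the audit subcategory is on
# (set locally here with auditpol; the guide has you do it through Group Policy)
# and the watched objects carry a SACL. This SACL audits successful property writes
# by anyone on everything under the given container.
function Enable-DirectoryChangeAuditing {
    param([string]$Container = 'CN=Users,DC=WS08Domain03,DC=local')   # sample DN
    auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
    $acl      = Get-Acl -Path "AD:\$Container"
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                    $everyone,
                    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                    [System.Security.AccessControl.AuditFlags]::Success,
                    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$Container" -AclObject $acl
}

# A successful modify of a single-valued attribute yields two 5136 events: one
# with OperationType %%14675 ("Value Deleted", the old value) and one with
# %%14674 ("Value Added", the new value). Field names are those in the event XML.
function Get-DirectoryChangeEvents([int]$Newest = 20) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $Newest |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            $kind = 'old value'
            if ($data['OperationType'] -eq '%%14674') { $kind = 'new value' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                ChangedBy = $data['SubjectUserName']
                Object    = $data['ObjectDN']
                Attribute = $data['AttributeLDAPDisplayName']
                Kind      = $kind
                Value     = $data['AttributeValue']
            }
        }
}

# Usage (sample values):
# New-PrivilegedAccountPso
# Get-EffectivePasswordPolicy -SamAccountName 'jdoe'
# Enable-DirectoryChangeAuditing
# Get-DirectoryChangeEvents | Format-Table Time, ChangedBy, Attribute, Kind, Value -AutoSize
```

The SACL step is what most people miss: with only the subcategory enabled, the Security log stays empty for directory changes. Pairing the "old value" and "new value" events by ObjectDN and attribute is what gives the before/after view the What's New list promises.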

Install a New Forest by Using an Answer File

Active Directory Domain Services can also be installed using an answer file. This is useful when installing AD DS on a server that has a Server Core installation of Windows Server 2008. The table lists the installation parameters used in the steps that follow and the corresponding action of each parameter.

In order to install a new forest by using an answer file, perform the following steps using a local account that has membership in the following local group: Administrators.

1. Log on to the server you want to promote to a domain controller.
2. Click Start, click Run, type notepad, and click OK.
3. On the first line, type [DCINSTALL], and then press ENTER.
4. Type the following entries, one entry on each line, as shown in the following figure:

    InstallDNS=yes
    NewDomain=forest
    NewDomainDNSName=WS08Domain03.local
    DomainNetBiosName=WS08Domain03
    ReplicaOrNewDomain=domain
    ForestLevel=3
    DomainLevel=3
    DatabasePath="c:\Windows\ntds"
    LogPath="c:\Windows\ntds"
    RebootOnCompletion=yes
    SYSVOLPath="c:\Windows\sysvol"
    SafeModeAdminPassword=Today01!

The answer file.

5. Save the answer file as C:\DCAnswer.txt.
6. Click Start and then click Command Prompt.

7. Type the following into the command prompt window, as shown in the following figure, and then press Enter:

    dcpromo /unattend:"C:\DCAnswer.txt"

Installing a new forest by using an answer file.

8. The dcpromo process begins by determining whether the AD DS binaries are installed. If the binaries are not installed, dcpromo installs them.
9. After the AD DS binaries have been installed, a summary of the installation options is presented in the command prompt window, then the AD DS installation process begins. The status of the AD DS installation is updated in the command prompt window.
10. When the installation process is complete, the server reboots automatically if the /rebootOnCompletion option was used in the answer file. If /rebootOnCompletion was not used in the answer file, you are prompted to restart the server.
11. To validate the installation process, click Start, click Run, type C:\Windows\Debug, and click OK. Open the DCPROMO.log file and analyze the results in the file.
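The answer file above holds the Directory Services Restore Mode password in clear text, and with RebootOnCompletion=yes it is still on disk after the server comes back up. The following PowerShell is an added example, not code from the original guide, that scripts steps 3 through 11 while keeping that file's lifetime to the length of the dcpromo run. The parameter names and values, the path C:\DCAnswer.txt and the DCPROMO.log location are the guide's; the function names, the prompt for the password and the ACL tightening are this example's own assumptions. It requires PowerShell on the server, which a Windows Server 2008 Server Core installation does not offer; there, the same answer file is run with dcpromo.exe exactly as in step 7.

```powershell
# Added example, not from the original guide: builds the [DCINSTALL] answer file the
# guide describes, runs dcpromo /unattend against it, and deletes it before rebooting.
# The one change to the guide's answer file is RebootOnCompletion=no, so that the file
# holding the DSRM password does not survive on disk across the reboot.
$AnswerFile = 'C:\DCAnswer.txt'
$DcpromoLog = 'C:\Windows\Debug\DCPROMO.log'

# Prompts without echoing. dcpromo still needs the value in clear text inside the file,
# so the plain string exists only for the duration of the write below.
function Read-PlainText([string]$Prompt) {
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-DcAnswerFile([string]$Path, [string]$DsrmPassword) {
    $lines = @(
        '[DCINSTALL]',
        'InstallDNS=yes',
        'NewDomain=forest',
        'NewDomainDNSName=WS08Domain03.local',
        'DomainNetBiosName=WS08Domain03',
        'ReplicaOrNewDomain=domain',
        'ForestLevel=3',
        'DomainLevel=3',
        'DatabasePath="c:\Windows\ntds"',
        'LogPath="c:\Windows\ntds"',
        'SYSVOLPath="c:\Windows\sysvol"',
        'RebootOnCompletion=no',
        ('SafeModeAdminPassword=' + $DsrmPassword)
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    # Only Administrators and SYSTEM may read the file while it exists.
    icacls.exe $Path /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
}

# Runs step 7 and waits for dcpromo to finish; the exit code is reported for the
# operator, but the authoritative result is DCPROMO.log (step 11).
function Install-ForestFromAnswerFile([string]$Path) {
    $proc = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:`"$Path`"" `
                          -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

$password = Read-PlainText -Prompt 'DSRM (Safe Mode Administrator) password'
New-DcAnswerFile -Path $AnswerFile -DsrmPassword $password
$password = $null
try {
    $code = Install-ForestFromAnswerFile -Path $AnswerFile
    Write-Host "dcpromo finished with exit code $code; check $DcpromoLog for the result."
}
finally {
    # Whatever happened, the answer file must not outlive the run.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
}
Get-Content -Path $DcpromoLog | Select-Object -Last 15   # quick look before rebooting
# Restart-Computer   # still required to complete the promotion with RebootOnCompletion=no
```

The try/finally matters more than it looks: if dcpromo fails halfway, the operator is usually busy reading the log, and an answer file with a DSRM password is exactly the kind of artifact that gets forgotten on a half-built server.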

Remove a Domain Controller from a Domain

To remove a domain controller from a domain, perform the following steps using an AD DS account that has membership in the following AD DS group: Domain Admins.

1. Log on to the domain controller you want to remove from the domain.
2. Click Start, click Run, type dcpromo, and click OK.
3. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
4. If the domain controller is a global catalog server, a message appears to warn you about the effect of removing a global catalog server from the environment, as shown in the following figure. Click OK to continue.

Global catalog warning.

5. On the Delete the Domain page, make no selection if this is not the last domain controller in the domain. If you do want to delete the domain, select the option to delete the domain and click Next.
6. On the Administrator Password page, type and confirm a secure password for the local Administrator account, then click Next.
7. On the Summary page, click Next.

8. The Active Directory Domain Services Installation Wizard deletes AD DS from the server.
9. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.

Rename a Domain Controller

To rename a domain controller, perform the following steps using an AD DS account that has membership in one of the following AD DS groups: Domain Admins, Enterprise Admins.

1. Log on to the domain controller you want to rename.
2. Click Start and click Command Prompt.
3. In the Command Prompt window, type netdom computername CurrentComputerName /add:NewComputerName, where CurrentComputerName is the current FQDN name and NewComputerName is the new FQDN name. Then press ENTER.
4. In the Command Prompt window, type netdom computername CurrentComputerName /makeprimary:NewComputerName, where CurrentComputerName is the current FQDN name and NewComputerName is the new FQDN name. Then press ENTER. Then reboot the server.
5. Ensure the computer account updates and DNS registrations are completed. In the Command Prompt window, type netdom computername NewComputerName /remove:OldComputerName, where NewComputerName is the new FQDN name and OldComputerName is the previous FQDN name. Then press ENTER.
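Step 5 of the rename procedure says to ensure the computer account and DNS registrations are complete before removing the old name, but does not say how to check. The following PowerShell is an added example, not code from the original guide: it wraps the guide's three netdom commands in functions and adds the checks that belong between step 4 and step 5. The netdom computername syntax is the guide's; the sample FQDNs, the function names and the verification commands (netdom /enumerate, nslookup, nltest /dsregdns) are this example's own.

```powershell
# Added example, not from the original guide: the netdom rename sequence from the
# steps above, with verification before the old name is dropped. Run on the DC being
# renamed as a member of Domain Admins or Enterprise Admins.
$OldName = 'dc01.ws08domain03.local'   # constructed sample values
$NewName = 'dc02.ws08domain03.local'
$Domain  = 'ws08domain03.local'

# Step 3: register the new FQDN as an alternate name on the computer account.
function Add-DcAlternateName { netdom computername $OldName /add:$NewName }

# Step 4: promote the alternate name to primary; reboot the server afterwards.
function Set-DcPrimaryName { netdom computername $OldName /makeprimary:$NewName }

# After the reboot: what names does the computer account carry now?
function Get-DcNames { netdom computername $NewName /enumerate:AllNames }

# Does DNS know the new name? The host A record and the domain's DC locator SRV
# record must both point at the new name before the old one is removed; otherwise
# clients keep locating a domain controller name that no longer answers.
function Test-DcDnsRegistration {
    $ok = $true
    try { [System.Net.Dns]::GetHostAddresses($NewName) | Out-Null }
    catch { Write-Warning "No A record resolves for $NewName"; $ok = $false }

    # nslookup prints its server banner on stderr, so run it through cmd to keep the output clean.
    $srv = cmd.exe /c "nslookup -type=SRV _ldap._tcp.dc._msdcs.$Domain 2>nul" | Out-String
    if ($srv -notmatch [regex]::Escape($NewName)) {
        Write-Warning "DC SRV record does not list $NewName yet; run 'nltest /dsregdns' and retry"
        $ok = $false
    }
    return $ok
}

# Step 5: only once the checks pass, remove the old name from the account.
function Remove-DcOldName {
    if (Test-DcDnsRegistration) {
        netdom computername $NewName /remove:$OldName
    } else {
        Write-Warning 'Old name kept: computer account or DNS registrations are not complete'
    }
}

# Usage, in order, with a reboot between Set-DcPrimaryName and Get-DcNames:
# Add-DcAlternateName
# Set-DcPrimaryName
# Get-DcNames
# Remove-DcOldName
```

Keeping the removal behind Test-DcDnsRegistration turns step 5's "ensure" into something an operator cannot skip by accident; if the SRV record still names only the old host, the function refuses and points at nltest /dsregdns, which asks the Netlogon service to re-register the DC's records.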
