IT tutorials
 
Windows
 

Windows Server 2012 : Preparing for deploying domain controllers (part 2) - New forest domain controller deployment

- Windows 10 Product Activation Keys Free 2019
- How to active Windows 8 without product key
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
12/26/2013 3:02:18 AM

2. New forest domain controller deployment

Depending on the administrative and geographical structure of your organization and the number of users to be supported, deploying a new forest based on Windows Server 2012 AD DS might involve several of the following domain-controller deployment scenarios:

  • Deploying the first domain controller in a new forest (required)

  • Deploying the first domain controller for a new domain (required if additional domains need to be created in the forest)

  • Deploying additional domain controllers in each domain for fault tolerance and to support the number of users at each location (recommended)

  • Deploying read-only domain controllers (RODCs) at remote branch office locations (recommended)

  • Deploying virtualized domain controllers (not recommended for most production environments)

The sections that follow provide some additional information on each of these deployment scenarios.

First domain controller in a new forest

Installing the first domain controller in a new forest requires that you be logged on as the local Administrator of the server.

Regardless of which method you use for deploying the first domain controller in your forest root domain, you need to provide the following information:

  • Domain name Enter the fully qualified domain name (FQDN) for the root domain of your new forest—for example, corp.contoso.com.

  • Domain NetBIOS name Enter the NetBIOS name for your new forest (required if the FQDN prefix name is longer than 15 characters).

  • Forest functional level Select one of the following:

    • Windows Server 2003

    • Windows Server 2008

    • Windows Server 2008 R2

    • Windows Server 2012 (the default)

  • Domain functional level Select one of the following:

    • Windows Server 2003

    • Windows Server 2008

    • Windows Server 2008 R2

    • Windows Server 2012 (set to the selected forest functional level)

  • Directory Services Restore Mode (DSRM) password You must specify this at the time the server is promoted to a domain controller.

  • DNS Server Indicate whether the new domain controller should also be a DNS server (recommended).

  • Database folder Specify where the AD DS database is stored. (The default location is %windir%\NTDS.)

  • Log files folder Specify where the AD DS log files are stored. (The default location is %windir%\NTDS.)

  • SYSVOL folder Specify where the AD DS SYSVOL share is located. (The default is %windir%\SYSVOL.)

A new feature of deploying Windows Server 2012 domain controllers is a validation phase that is performed just prior to the promotion process. As Figure 1 illustrates, this validation phase invokes a series of tests that check whether all necessary prerequisites have been met to ensure that the domain controller deployment operation will succeed. This prerequisite check can be bypassed when deploying domain controllers using Windows PowerShell, but doing this is not recommended.

Example of the new validation phase that occurs during domain controller promotion using Server Manager.
Figure 1. Example of the new validation phase that occurs during domain controller promotion using Server Manager.

Note

Domain controllers and DNS servers

Unless your organization uses a third-party DNS server such as BIND on your internal network, you should always have all your domain controllers also function as DNS servers to ensure high availability in distributed environments. By default, when you install the AD DS role on a server and then promote the server to a domain controller, the DNS Server role is automatically installed and configured as well.

First domain controller in a new domain

After the first domain of the forest (that is, the forest root domain) has been created, new child domains or tree domains can be created if your AD DS design warrants doing so. Installing the first domain controller for a new child domain or tree domain requires supplying the credentials of a member of the Enterprise Admins security group, which is one of two new security groups (the other is the Schema Admins group) that is created by AD DS when the forest root domain controller is deployed.

Deployment of domain controllers for new child domains or tree domains can be performed remotely using Server Manager or Windows PowerShell. The required information is similar to that listed in the previous section, with the addition of the following:

  • Domain type Specify whether to create a new child domain or a new tree domain.

  • Parent domain name Enter the name of the parent domain of which the new child or tree domain will be a subdomain.

  • DNS delegation Specify whether to create a DNS delegation that references the new DNS server you are installing along with the domain controller. (The default is determined automatically based on your environment.)

Additional domain controllers in a domain

After you create a domain created by deploying its first domain controller, additional domain controllers can be deployed for fault tolerance and to support the number of users at the location. Installing additional domain controllers in a domain requires supplying the credentials of a member of the Domain Admins security group for that domain.

Deployment of additional domain controllers for a domain can be performed remotely using Server Manager or Windows PowerShell. The information you will be required to provide is similar to that listed in the previous section, with the addition of the following:

  • Site name Specify the name of the AD DS site to which the domain controller should be added.

  • Global catalog Specify whether the new domain controller should host the global catalog.

  • Replication source Specify an existing domain controller to be used as the initial replication partner for replicating a copy of the directory database to the new domain controller. (The default is any available domain controller.)

  • Application partitions to replicate Specify application partitions on existing domain controllers that should be replicated to the new domain controller.

  • Install from media path You can choose to install the new domain controller using backed-up media by means of the Install From Media (IFM) deployment option.

Note

Domain controllers and the global catalog

The global catalog contains a searchable, partial representation of every object in every domain in the forest. You can use the global catalog to quickly locate objects from any domain in the forest without having to know the name of the domain. All your domain controllers should also function as global catalog servers to ensure high availability in distributed environments. By default, when you promote a server to a domain controller, the new domain controller is automatically configured as a global catalog server.

Read-only domain controllers

Read-only domain controllers (RODCs) are additional domain controllers for a domain and are intended mainly for deployment in branch office environments that have relatively few users, few or no IT staff, and a slow wide area network (WAN) connectivity with the head office, and in environments that lack the level of physical security controls available at a typical head office.

RODCs host read-only partitions of the AD DS database. Clients can authenticate against an RODC but cannot write directory changes to it. RODCs include additional safeguards that help ensure any information on the RODC remains confidential if it is stolen or has its security compromised.

Deployment of an RODC can be performed remotely using Server Manager or Windows PowerShell. Deploying an RODC requires the following:

  • Availability of credentials of a member of the Domain Admins for the domain

  • A forest functional level of Windows Server 2003 or higher

  • At least one writable domain controller running Windows Server 2008 or later installed in the domain


Note

RODC on Server Core installations

Beginning with Windows Server 2008 R2, RODCs can be deployed on Windows Server Core installations. Doing this helps to further reduce the attack surface of your RODCs and lower their maintenance requirements.

Virtualized domain controllers

Virtualized domain controllers are domain controllers running in virtual machines on Hyper-V hosts. Windows Server 2012 includes new capabilities that help make domain controller virtualization much safer and less prone to problems than previous Windows Server versions. For more information, see the following “Real World” topic.

Note

Virtualizing domain controllers

Windows Server 2012 helps enable cloud computing by making virtualized domain controllers both easier to deploy and less prone to problems. For example, you can now deploy replica virtual domain controllers by cloning existing virtual domain controllers and then deploying them using Server Manager or Windows PowerShell. Virtualizing domain controllers is also much safer than it was with previous versions of Windows Server. That’s because each virtual domain controller has a unique identifier called a GenerationID that is exposed to the hypervisor on the host machine. This helps protect the AD DS directory hosted by a virtual domain controller from unexpected rollback events caused by the accidental application of snapshots or other occurrences that caused duplicate directory objects and other issues in previous Windows Server versions.

 
Others
 
- Windows Server 2012 : Preparing for deploying domain controllers (part 1) - AD DS deployment scenarios
- Windows Server 2012 : Windows PowerShell automation (part 2) - Disconnected sessions
- Windows Server 2012 : Windows PowerShell automation (part 1) - Background jobs, Scheduled jobs
- Windows 7 : Making and Ending a Dial-Up Connection
- Windows 7 : Configuring a Dial-Up Internet Connection (part 2) - Adjusting Dial-Up Connection Properties
- Windows 7 : Configuring a Dial-Up Internet Connection (part 1) - Creating a New Dial-Up Connection
- Windows 7 : Installing a Modem for Dial-Up Service
- Windows 7 : Connection Technologies - Analog Modem, ISDN, DSL, Cable Modem, Satellite Service, Wireless and Cellular Service
- Windows Server 2012 : Securing IIS 8 (part 4) - Configuring Feature Delegation, Using IIS Logging
- Windows Server 2012 : Securing IIS 8 (part 3) - Creating an IIS 8 User Account, Assigning Permissions to an IIS 8 User Account
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS