2. New forest domain controller deployment
Depending on the administrative and geographical structure of
your organization and the number of users to be supported, deploying a
new forest based on Windows Server 2012 AD DS might involve several of
the following domain-controller deployment scenarios:
-
Deploying the first domain controller in a new forest
(required)
-
Deploying the first domain controller for a new domain
(required if additional domains need to be created in the
forest)
-
Deploying additional domain controllers in each domain for
fault tolerance and to support the number of users at each
location (recommended)
-
Deploying read-only domain controllers (RODCs) at remote
branch office locations (recommended)
-
Deploying virtualized domain controllers (not recommended
for most production environments)
The sections that follow provide some additional information on
each of these deployment scenarios.
First domain controller in a new forest
Installing the first domain controller in a new forest
requires that you be logged on as the local Administrator of the
server.
Regardless of which method you use for deploying the first
domain controller in your forest root domain, you need to provide
the following information:
-
Domain name Enter the fully
qualified domain name (FQDN) for the root domain of your new
forest—for example, corp.contoso.com.
-
Domain NetBIOS name Enter
the NetBIOS name for your new forest (required if the FQDN
prefix name is longer than 15 characters).
-
Forest functional level
Select one of the following:
-
Domain functional level
Select one of the following:
-
Directory Services Restore Mode
(DSRM) password You must specify this at the time the
server is promoted to a domain controller.
-
DNS Server Indicate whether
the new domain controller should also be a DNS server
(recommended).
-
Database folder Specify
where the AD DS database is stored. (The default location is
%windir%\NTDS.)
-
Log files folder Specify
where the AD DS log files are stored. (The default location is
%windir%\NTDS.)
-
SYSVOL folder Specify where
the AD DS SYSVOL share is located. (The default is
%windir%\SYSVOL.)
A new feature of deploying Windows Server 2012 domain
controllers is a validation phase that is performed just prior to
the promotion process. As Figure 1 illustrates,
this validation phase invokes a series of tests that check whether
all necessary prerequisites have been met to ensure that the domain
controller deployment operation will succeed. This prerequisite
check can be bypassed when deploying domain controllers using
Windows PowerShell, but doing this is not recommended.
Note
Domain controllers
and DNS servers
Unless your organization uses a third-party DNS server such
as BIND on your internal network, you should always have all your
domain controllers also function as DNS servers to ensure high
availability in distributed environments. By default, when you
install the AD DS role on a server and then promote the server to
a domain controller, the DNS Server role is automatically
installed and configured as well.
First domain controller in a new domain
After the first domain of the forest (that is, the forest root
domain) has been created, new child domains or tree domains can be
created if your AD DS design warrants doing so. Installing the first
domain controller for a new child domain or tree domain requires
supplying the credentials of a member of the Enterprise Admins
security group, which is one of two new security groups (the other
is the Schema Admins group) that is created by AD DS when the forest
root domain controller is deployed.
Deployment of domain controllers for new child domains or tree
domains can be performed remotely using Server Manager or Windows
PowerShell. The required information is similar to that listed in
the previous section, with the addition of the following:
-
Domain type Specify whether
to create a new child domain or a new tree domain.
-
Parent domain name Enter
the name of the parent domain of which the new child or tree
domain will be a subdomain.
-
DNS delegation Specify
whether to create a DNS delegation that references the new DNS
server you are installing along with the domain controller. (The
default is determined automatically based on your
environment.)
Additional domain controllers in a domain
After you create a domain created by deploying its first
domain controller, additional domain controllers can be deployed for
fault tolerance and to support the number of users at the location.
Installing additional domain controllers in a domain requires
supplying the credentials of a member of the Domain Admins security
group for that domain.
Deployment of additional domain controllers for a domain can
be performed remotely using Server Manager or Windows PowerShell.
The information you will be required to provide is similar to that
listed in the previous section, with the addition of the
following:
-
Site name Specify the name
of the AD DS site to which the domain controller should be
added.
-
Global catalog Specify
whether the new domain controller should host the global
catalog.
-
Replication source Specify
an existing domain controller to be used as the initial
replication partner for replicating a copy of the directory
database to the new domain controller. (The default is any
available domain controller.)
-
Application partitions to
replicate Specify application partitions on existing
domain controllers that should be replicated to the new domain
controller.
-
Install from media path You
can choose to install the new domain controller using backed-up
media by means of the Install From Media (IFM) deployment
option.
Note
Domain controllers
and the global catalog
The global catalog contains a searchable, partial
representation of every object in every domain in the forest. You
can use the global catalog to quickly locate objects from any
domain in the forest without having to know the name of the
domain. All your domain controllers should also function as global
catalog servers to ensure high availability in distributed
environments. By default, when you promote a server to a domain
controller, the new domain controller is automatically configured
as a global catalog server.
Read-only domain controllers
Read-only domain controllers (RODCs) are
additional domain controllers for a domain and are intended mainly
for deployment in branch office environments that have relatively
few users, few or no IT staff, and a slow wide area network (WAN)
connectivity with the head office, and in environments that lack the
level of physical security controls available at a typical head
office.
RODCs host read-only partitions of the AD DS database. Clients
can authenticate against an RODC but cannot write directory changes
to it. RODCs include additional safeguards that help ensure any
information on the RODC remains confidential if it is stolen or has
its security compromised.
Deployment of an RODC can be performed remotely using Server
Manager or Windows PowerShell. Deploying an RODC requires the
following:
-
Availability of credentials of a member of the Domain
Admins for the domain
-
A forest functional level of Windows Server 2003 or
higher
-
At least one writable domain controller running Windows
Server 2008 or later installed in the domain
Note
RODC on Server
Core installations
Beginning with Windows Server 2008 R2, RODCs can be deployed
on Windows Server Core installations. Doing this helps to further
reduce the attack surface of your RODCs and lower their
maintenance requirements.
Virtualized domain controllers
Virtualized domain controllers are domain
controllers running in virtual machines on Hyper-V hosts. Windows
Server 2012 includes new capabilities that help make domain
controller virtualization much safer and less prone to problems than
previous Windows Server versions. For more information, see the
following “Real World” topic.
Note
Virtualizing
domain controllers
Windows Server 2012 helps enable cloud computing by making
virtualized domain controllers both easier to deploy and less
prone to problems. For example, you can now deploy replica virtual
domain controllers by cloning existing virtual domain controllers
and then deploying them using Server Manager or Windows
PowerShell. Virtualizing domain controllers is also much safer
than it was with previous versions of Windows Server. That’s
because each virtual domain controller has a unique identifier
called a GenerationID that is exposed to the
hypervisor on the host machine. This helps protect the AD DS
directory hosted by a virtual domain controller from unexpected
rollback events caused by the accidental application of snapshots
or other occurrences that caused duplicate directory objects and
other issues in previous Windows Server versions.
