5. Installing a New Windows Server 2008 Child Domain
If you have an existing domain, you can create a new child
domain by creating a Windows Server 2008 R2 domain controller. If the
forest includes domain controllers running Windows Server 2003, you
must run Adprep /forestprep before installing the first domain
controller running Windows Server 2008 R2.
Then install AD DS and launch the Active Directory Domain
Services Installation Wizard and, on the Choose A Deployment
Configuration page, click Existing Forest and Create A New Domain In An Existing Forest. You are
prompted to select the domain functional level. Because it is the
first DC in the domain, it cannot be an RODC, and it cannot be
installed from media. If you select the Use Advanced Mode Installation
check box on the Welcome page, the wizard presents you with a
Source Domain Controller page on which you specify a
domain controller from which to replicate the configuration and schema
partitions.
Using Dcpromo.exe, you can create a child domain with the
minimal options shown in the following command:
dcpromo /unattend /installDNS:yes
/replicaOrNewDomain:domain /newDomain:child
/ParentDomainDNSName:contoso.com
/newDomainDnsName:subsidiary.contoso.com /childName:subsidiary
/DomainNetbiosName:subsidiary
/databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password
/forestLevel:3 /domainLevel:3
/rebootOnCompletion:yes
The following answer file reflects the same minimal
parameters:
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=child
ParentDomainDNSName=FQDN of parent domain
UserDomain=FQDN of user specified by UserName
UserName=DOMAIN\username (in Administrators group of ParentDomainDNSName)
Password=password for user specified by UserName or * for prompt
ChildName=single-label prefix for domain (child domain FQDN will be ChildName.ParentDomainDNSName)
DomainNetBiosName=Domain NetBIOS name
DomainLevel=domain functional level (not lower than current forest level)
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username with permissions to create DNS delegation, if different than UserName, above
DNSDelegationPassword=password for DNSDelegationUserName or * for prompt
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
6. Installing a New Domain Tree
A tree is composed of one or more domains that share
a contiguous DNS namespace. So, for example, the contoso.com and
subsidiary.contoso.com domains would be in a single tree. Additional
trees are simply additional domains in the same forest that are not in
the same namespace. For example, if Contoso, Ltd., bought Tailspin
Toys, the tailspintoys.com domain would be in a separate tree in the
forest. Very little functional difference exists between a child
domain and a domain in another tree, and the process for creating a
new tree is, therefore, very similar to creating a child
domain.
First, you must run Adprep.exe /forestprep. Then
you can install AD DS and run the Active Directory Domain Services
Installation Wizard. You must select Use Advanced Mode Installation on
the Welcome page of the wizard. On the Choose A Deployment
Configuration page, click Existing Forest, select Create A New Domain
In An Existing Forest, and select Create A New Domain Tree Root
Instead Of A New Child Domain. The rest of the process is identical to
creating a new child domain.
The following options provided as parameters to Dcpromo.exe
create a new tree for the tailspintoys.com domain within the
contoso.com forest:
dcpromo /unattend /installDNS:yes
/replicaOrNewDomain:domain /newDomain:tree
/newDomainDnsName:tailspintoys.com /DomainNetbiosName:tailspintoys
/databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol"
/safeModeAdminPassword:password
/domainLevel:2
/rebootOnCompletion:yes
The domain functional level is configured at 2—Windows Server
2003 Native—so the domain could include Windows Server 2003 domain
controllers. An unattended installation answer file that creates the
same new tree would look similar to the following:
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=tree
NewDomainDNSName=FQDN of new domain
DomainNetBiosName=NetBIOS name of new domain
UserDomain=FQDN of user specified by UserName
UserName=DOMAIN\username (in Administrators group of ParentDomainDNSName)
Password=password for user specified by UserName or * for prompt
DomainLevel=domain functional level (not lower than current forest level)
InstallDNS=yes
ConfirmGC=yes
CreateDNSDelegation=yes
DNSDelegationUserName=account with permissions to create DNS delegation, required only if different than UserName, above
DNSDelegationPassword=password for DNSDelegationUserName or * for prompt
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
7. Staging the Installation of an RODC
RODCs are
designed to support branch office scenarios by providing
authentication local to the site while mitigating the security and
data integrity risks associated with placing a DC in a less controlled
environment. Many times, there are few or no IT support personnel in a
branch office. How, then, should a domain controller be created in a
branch office?
To answer this question, Windows Server 2008 R2 allows you to
create a staged, or delegated, installation of an RODC. The process includes two stages:
- Create the account for the RODC: A member of Domain Admins creates an account for
the RODC in Active Directory. The parameters related to the RODC
are specified at this time: the name, the Active Directory site in
which the RODC will be created, and, optionally, the user or group
that can complete the next stage of the installation.
- Attach the server to the RODC account: After the account has been created, AD DS is
installed, and the server—which must be a member of a workgroup
and not the domain—is joined to the domain as an RODC attached to
the prestaged account. These steps can be performed by the users
or groups specified when the RODC account was prestaged; these
users do not require any privileged group membership. A server can
also be attached by a member of Domain Admins or Enterprise
Admins, but the ability to delegate this stage to a nonprivileged
user makes it much easier to deploy RODCs in branches without IT
support.
Creating the Prestaged Account for the RODC
To create the account for the RODC, using the Active Directory
Users And Computers snap-in, right-click the Domain Controllers OU and choose Pre-Create Read-Only Domain
Controller Account. A wizard appears that is very similar to the
Active Directory Domain Services Installation Wizard. You are asked
to specify the RODC name and site, and you can also configure the
password replication policy.
On the Delegation Of RODC Installation And Administration
page, you can specify one security principal—user or group—that can
attach the server to the RODC account you create. The user or group
will also have local administrative rights on the RODC after the
installation. It is recommended that you delegate to a group rather
than to a user. If you do not specify a user or group, only members
of the Domain Admins or Enterprise Admins groups can attach the
server to the account.
Attaching a Server to the RODC Account
After you have prestaged the account, the server can be
attached to it.
To attach a server to a prestaged RODC account:
- Ensure that the server is a member of a workgroup, not a
member of the domain.
Note: PROMOTE FROM A WORKGROUP
When you create an RODC by using the staged approach—when you
attach an RODC to a prestaged account—the server must be a
member of a workgroup, not the domain, when you launch
Dcpromo.exe or the Active Directory Domain Services Installation Wizard. The wizard looks in the
domain for the existing account with its name and attaches to
that account.
- Type dcpromo.exe /UseExistingAccount:attach.
The wizard prompts for network credentials and then finds
the RODC account in the domain indicated by the credentials.
Remaining steps are similar to other domain controller promotion
operations.
To use an answer file, provide the following options and
values:
[DCINSTALL]
ReplicaDomainDNSName=FQDN of domain to join
UserDomain=FQDN of user specified by UserName
UserName=DOMAIN\username (in Administrators group of the domain)
Password=password for user specified by UserName
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path to folder on a local volume"
LogPath="path to folder on a local volume"
SYSVOLPath="path to folder on a local volume"
SafeModeAdminPassword=password
RebootOnCompletion=yes
Run Dcpromo.exe with the /unattend:"answer file path" and the
/UseExistingAccount:Attach parameters, as in the following example:
dcpromo /useexistingaccount:attach /unattend:"c:\rodcanswer.txt"
All the options just shown in the answer file can also be
specified or overridden directly on the command line. Just type a
command similar to the following:
dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:contoso.com
/UserDomain:contoso.com /UserName:contoso\dan /password:*
/databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol"
/safeModeAdminPassword:Pa$$w0rd /rebootOnCompletion:yes
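The staged RODC attach described above, scripted as an added example that is not part of the training kit: it enforces the workgroup precondition from the note, writes a throw-away [DCINSTALL] answer file with the keys listed above (but RebootOnCompletion=no, so the file can be removed before the restart), restricts the file's ACL, runs Dcpromo.exe, and deletes the file afterward. The domain, delegated account and answer file path reuse the values from the text; the success return-code range in the final comment is an assumption to verify against your version's documentation.

```powershell
# Added example, not from the training kit: staged RODC attach with a throw-away answer file.
param(
    [string]$DomainDnsName = 'contoso.com',      # domain used in the text
    [string]$DelegatedUser = 'contoso\dan',      # delegated principal used in the text
    [string]$AnswerFile    = 'C:\rodcanswer.txt' # answer file path used in the text
)
# Pre-flight check from the note: the server must be a workgroup member, not domain-joined.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) { throw "Server is joined to $($cs.Domain); attach requires a workgroup member." }
# Collect the DSRM password without echoing it; it lives in the file only while dcpromo runs.
$secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
# Same [DCINSTALL] keys as the answer file in the text. Password=* makes dcpromo prompt for
# the delegated account's password; RebootOnCompletion=no lets the cleanup below run first.
$lines = @(
    '[DCINSTALL]',
    "ReplicaDomainDNSName=$DomainDnsName",
    "UserDomain=$DomainDnsName",
    "UserName=$DelegatedUser",
    'Password=*',
    'InstallDNS=yes',
    'ConfirmGC=yes',
    'DatabasePath="E:\ntds"',
    'LogPath="F:\ntdslogs"',
    'SYSVOLPath="G:\sysvol"',
    "SafeModeAdminPassword=$dsrm",
    'RebootOnCompletion=no'
)
$rc = -1
try {
    Set-Content -Path $AnswerFile -Value $lines -Encoding ASCII
    # Drop inherited ACEs so only Administrators and SYSTEM can read the file.
    & icacls $AnswerFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
    # dcpromo is a GUI executable; Start-Process -Wait blocks until it exits so the file stays in place.
    $p = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/useexistingaccount:attach /unattend:`"$AnswerFile`"" -Wait -PassThru
    $rc = $p.ExitCode
}
finally {
    # Overwrite, then delete, so the DSRM password does not remain on disk.
    if (Test-Path $AnswerFile) {
        Set-Content -Path $AnswerFile -Value ('x' * 4096) -Encoding ASCII
        Remove-Item -Path $AnswerFile -Force
    }
    $dsrm = $null
}
# Assumption: dcpromo reports success with return codes 1 through 10; check your version's documentation.
if ($rc -ge 1 -and $rc -le 10) { Restart-Computer -Force } else { Write-Error "dcpromo returned $rc" }
```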