Installing Active Directory Domain Services

Any server running Windows Server can act as a domain controller. You configure a server as a domain controller by following a two-part process. You add the Active Directory Domain Services (AD DS) role to the server you want to promote to a domain controller and then configure the services using the Active Directory Domain Services Configuration Wizard.

Active Directory installation options and issues

You have several options for installing Active Directory binaries:

  • Use the Add Roles And Features Wizard in Server Manager to add the Active Directory Domain Services role to the server. On the Select Server Roles page, select Active Directory Domain Services and then tap or click Next twice. Tap or click Install.
  • Enter the following command at an elevated Windows PowerShell prompt: install-windowsfeature ad-domain-services -includemanagementtools.

Both of these installation techniques do the same thing: They prepare the server by installing the AD DS binaries and the related management tools. The AD DS binaries include the Windows components that enable servers to act as domain controllers. The technique you use depends primarily on your personal preference. However, although any administrator can install the AD DS binaries, you might need additional administrator permissions to fully configure a domain controller.

After you install the binaries, you can configure Active Directory Domain Services and promote the server to a domain controller. In Server Manager, you'll have a Notification task labeled Promote This Server To A Domain Controller. Tapping or clicking the related link starts the Active Directory Domain Services Configuration Wizard. At the PowerShell prompt, you use the following cmdlets in the ADDSDeployment module to configure Active Directory Domain Services:

  • Install-ADDSForest:
    Installs a new forest root domain. The -DomainMode and -ForestMode parameters set the domain and forest functional levels, respectively, which have acceptable values of Win2003, Win2008, Win2008R2, and Win2012. The -SafeModeAdministratorPassword parameter sets the recovery password. The -CreateDNSDelegation parameter creates a delegation for the domain in DNS, and the -InstallDNS parameter installs DNS. The basic syntax and an example follow:
    install-addsforest -domainname DomainName -DomainMode DomMode `
        -ForestMode ForMode -CreateDNSDelegation -installdns `
        -SafeModeAdministratorPassword Password

    # -asplaintext requires -force; prefer read-host -assecurestring so the
    # recovery password does not end up in the command history.
    install-addsforest -domainname cpandl.com -DomainMode Win2012 `
        -ForestMode Win2012 `
        -SafeModeAdministratorPassword (convertto-securestring "Str!F#789" -asplaintext -force)
  • Install-ADDSDomain:
    Installs a new child or tree domain. The -NewDomainName parameter sets the name of the domain, and the -ParentDomainName parameter sets the name of the parent domain. The -DomainType parameter sets the domain type as either ChildDomain or TreeDomain. The basic syntax and an example follow:
    install-addsdomain -newdomainname DomainName -parentdomainname ParentDomain `
        -SafeModeAdministratorPassword Password -DomainMode DomMode `
        -DomainType DomType -installdns -CreateDNSDelegation

    # Add -Credential (get-credential) if the current logon is not an
    # Enterprise Admins account in the forest.
    install-addsdomain -newdomainname eng -parentdomainname cpandl.com `
        -SafeModeAdministratorPassword (read-host -prompt "Recovery Password:" -assecurestring) `
        -DomainMode Win2012 -installdns -CreateDNSDelegation
  • Install-ADDSDomainController:
    Installs an additional domain controller. The -InstallationMediaPath parameter sets the path of the folder to install media from. The -SiteName parameter specifies the Active Directory site for the domain controller. The basic syntax and an example follow:
    install-addsdomaincontroller -domainname DomainName -CreateDNSDelegation `
        -installdns -SafeModeAdministratorPassword Password -SiteName Site `
        -InstallationMediaPath FolderPath

    install-addsdomaincontroller -domainname cpandl.com -CreateDNSDelegation `
        -SafeModeAdministratorPassword (convertto-securestring "Str!F#789" -asplaintext -force) `
        -installdns -SiteName Seattle-First-Site -InstallationMediaPath d:\Data\ADDS
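The following is an added example, not code from the original tutorial, showing the two-part process above run end to end from an elevated PowerShell prompt: install the binaries, run the same prerequisite checks the wizard runs (Test-ADDSForestInstallation takes the same parameters as Install-ADDSForest), and only then create the forest root. The forest name corp.example.com, the NetBIOS name CORP and the D: and E: volumes are placeholders.

```powershell
# Added example (not from the original page): prepare a server and create a
# new forest root domain non-interactively, checking prerequisites first.
# corp.example.com, CORP and the D:\ and E:\ paths are placeholders.

# Part 1: install the AD DS binaries and the management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Never embed the DSRM (recovery) password in a script; prompt for it instead.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$forestParams = @{
    DomainName                    = 'corp.example.com'   # placeholder forest root
    DomainNetbiosName             = 'CORP'               # placeholder, 15 characters max
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # a new forest has no parent zone to delegate from
    DatabasePath                  = 'D:\NTDS'           # assumption: database and logs on
    LogPath                       = 'E:\NTDS'           # separate volumes for performance
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true    # suppress the confirmation prompt
}

# Part 2a: run the prerequisite checks without changing anything yet.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite checks failed; fix the reported issues before promoting.'
}

# Part 2b: promote the server. It restarts automatically when this completes.
Install-ADDSForest @forestParams
```

Splatting the same hash table into both cmdlets guarantees that what was tested is exactly what gets installed; the Review Options page's View Script button produces a script of the same shape.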

When you configure Active Directory, you are given the option of setting the domain controller type as a domain controller either for a new domain or as an additional domain controller in an existing domain. If you make the domain controller part of a new domain, you can create a new domain in a new forest, a child domain in an existing domain tree, or a new domain tree in an existing forest. In fact, this is how you extend the Active Directory structure from the first domain in a new forest to include additional domains and domain trees.

To configure Active Directory, you must use an account with administrator privileges. The administrator privileges and installation requirements are as follows:

  • Creating a domain controller in a new forest:
    If you are creating a domain controller in a new forest, you should log on to the local machine using either the local Administrator account or an account that has administrator privileges on the local machine, and then start the installation. Because you are creating the new forest, the server should have a static IP address. After you install DHCP servers in the new forest, you can assign the domain controller a dynamic IP address.
  • Creating a domain controller in a new domain or a domain tree:
    If you are creating a domain controller in a new domain or a new domain tree in an existing forest, you should log on to the local machine using either the local Administrator account or an account that has administrator privileges on the local machine, and then start the installation. You will also be required to provide the credentials for an account that is a member of the Enterprise Admins group in the forest of which the domain will be a part.
    Because you are creating a new domain or domain tree, the server should have a static IP address. After you install DHCP servers in the new domain or domain tree, you can assign the domain controller a dynamic IP address.
  • Creating an additional domain controller in an existing domain:
    If you are creating an additional domain controller in an existing domain, you should consider whether you want to perform an installation from media rather than creating the domain controller from scratch. With either technique, you need to log on to the local machine using either the local Administrator account or an account that has administrator privileges on the local machine, and then start the installation.
    You will also be required to provide the credentials for an account that is a member of the Domain Admins group in the domain of which the domain controller will be a part. Because you are installing an additional domain controller, the server should already be a member of the domain and must have a valid IP address. The IP address can be a static IP address or a dynamic IP address assigned by a DHCP server.
Note:
Domain controllers that also act as DNS servers should not have dynamic IP addresses. The reason for this is that the IP address of a DNS server should be fixed to ensure reliable DNS operations.
Remember:
The server you want to promote must have appropriately configured TCP/IP settings. This means the server must have an appropriate IP address, as discussed previously. It also might mean that the server needs to have an appropriate subnet mask and default gateway, as well as preferred and alternate DNS server settings.

Before starting an Active Directory installation, you should examine local accounts and check for encrypted files and folders. Because domain controllers do not have local accounts or separate cryptographic keys, making a server a domain controller deletes all local accounts and all certificates and cryptographic keys from the server. Any encrypted data on the server, including data stored using the Encrypting File System (EFS), must be decrypted before installing Active Directory or it will be permanently inaccessible.

FINDING ENCRYPTED FILES

To search an entire volume for encrypted files, change directories to the root directory using the CD command, and then examine the entire contents of the directory by using the EFSInfo utility as follows:

efsinfo /s:DriveDesignator /i | find ": Encrypted"

Here, DriveDesignator is the drive designator of the volume to search, such as C:, as shown in the following example:

efsinfo /s:c: /i | find ": Encrypted"

Here, EFSInfo is used to search the root directory of C and all its subdirectories and display the encryption status of all files and folders. Because you care about only the encrypted files and folders, you pipe the output to the Find utility and search it for the string ": Encrypted", which is a text string that appears only in the output for encrypted files and folders.
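As an added example that is not part of the original tutorial, the script below turns the pre-promotion checks described in this section (static IP address, DNS client settings, local accounts that promotion will delete, and EFS-encrypted files) into one read-only report. The Get-EncryptedFile function is this example's own name; it tests the Encrypted file attribute and is the PowerShell equivalent of the efsinfo | find pipeline above.

```powershell
# Added example (not from the original page): pre-promotion checks. Run as an
# administrator on the server you intend to promote; nothing here changes the
# system, it only reports.

# 1. A DC that will host DNS should have a static address, not a DHCP lease.
$dhcpAddresses = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' -and $_.InterfaceAlias -notlike 'Loopback*' }
if ($dhcpAddresses) {
    Write-Warning ('DHCP-assigned address(es) present: ' + ($dhcpAddresses.IPAddress -join ', '))
}

# 2. Preferred/alternate DNS servers must be set so the wizard can locate a DC.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses

# 3. Promotion removes local accounts: list them so they can be migrated first.
#    (Get-LocalUser is not available on Windows Server 2012, so CIM is used.)
Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = True' |
    Select-Object Name, Disabled, SID

# 4. EFS-encrypted data becomes unrecoverable after promotion. Walk every fixed
#    volume and test the Encrypted attribute bit on each file and folder.
function Get-EncryptedFile {
    param(
        [string[]]$Root = (Get-Volume |
            Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
            ForEach-Object { "$($_.DriveLetter):\" })
    )
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
            Select-Object FullName, @{ n = 'IsFolder'; e = { $_.PSIsContainer } }
    }
}

$encrypted = Get-EncryptedFile
if ($encrypted) {
    Write-Warning 'Encrypted items found; decrypt them (cipher /d) before promoting:'
    $encrypted | Format-Table -AutoSize
} else {
    'No EFS-encrypted files or folders found.'
}
```

Run the report before the Add Roles And Features Wizard, not after: once the wizard has removed the local cryptographic keys, the only way back to the encrypted data is a previously backed-up recovery agent key.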

To add the first domain controller that runs Windows Server 2012 to an existing Active Directory infrastructure, the Active Directory Domain Services Configuration Wizard automatically runs Adprep.exe as needed for the forest and domain. This is a new feature for Windows Server 2012. Preparing the forest and domain includes updating the Active Directory schema as needed, creating new objects and containers as needed, and modifying security descriptors and access control lists as needed. For forest prep, the account you use must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain. For domain prep, you use an account that can log on to the infrastructure master and is a member of the Domain Admins group. For read-only domain controller (RODC) prep, you must use an account that is a member of the Enterprise Admins group.

Using the Active Directory Domain Services Configuration Wizard

With Windows Server 2012, Active Directory Domain Services installation and configuration tasks are performed via Server Manager. You no longer have to run an installation wizard and a separate command-line promotion task. Instead, you use the Add Roles And Features Wizard to add the Active Directory Domain Services role to the server and then promote the server to a domain controller using the Active Directory Domain Services Configuration Wizard. The basic steps are as follows:

  1. In Server Manager, tap or click Manage and then tap or click Add Roles And Features. This starts the Add Roles And Features Wizard. If the wizard displays the Before You Begin page, read the Welcome message and then tap or click Next.
  2. On the Select Installation Type page, select Role-Based Or Feature-Based Installation and then tap or click Next.
  3. On the Select Destination Server page, the server pool shows servers you added for management. Tap or click the server you are configuring, and then tap or click Next.
  4. On the Select Server Roles page, select Active Directory Domain Services and then tap or click Next twice. Tap or click Install. This runs the Active Directory Domain Services Configuration Wizard.
  5. When the initial installation task completes, you need to tap or click Promote This Server To A Domain Controller to start the Active Directory Domain Services Configuration Wizard. If you closed the Add Roles And Features Wizard window, you need to tap or click the Notifications icon and then tap or click Promote This Server To A Domain Controller.
  6. If the computer is currently a member server, the wizard takes you through the steps needed to install Active Directory Domain Services, which might include running Adprep.exe automatically to prepare the directory schema in the forest and domain for Windows Server 2012. Upgrading the forest requires credentials that include group memberships in Enterprise Admins, Schema Admins and Domain Admins for the forest root domain. Upgrading a domain, other than the forest root domain, requires credentials that include group memberships in Domain Admins.
Note:
The Active Directory Domain Services Configuration Wizard does not run GPPREP. You must run Adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. You need to prepare Group Policy only once, not for every upgrade. Group Policy isn't automatically prepared because these preparations can cause all files and folders in the SYSVOL folder to re-replicate on all domain controllers.
Additionally, it's important to point out that the Active Directory Domain Services Configuration Wizard doesn't prepare a domain for RODCs when you install the first writeable Windows Server 2012 domain controller. Instead, domains are prepared for RODCs automatically when you promote the first unstaged RODC in a domain. You also can manually prepare a domain for RODCs by running Adprep.exe /rodcprep.
To automatically create or update a DNS delegation, the account you use must be a member of the DNS Admins group in the domain.

The way you continue depends on whether you are creating an additional domain controller for an existing domain, creating a new domain in a new forest, or creating a new domain tree or domain in an existing forest.

Creating additional domain controllers for an existing domain

To create an additional domain controller for an existing domain, follow these steps:

  1. Start the Active Directory Domain Services Configuration Wizard as discussed previously. On the Deployment Configuration page, choose Add A Domain Controller To An Existing Domain.

    Remember:
    If the server doesn't have appropriate TCP/IP settings, the wizard won't be able to connect to a domain controller in the target domain and you'll see a verification error. The same verification error appears for several other reasons as well: if you type an invalid domain name, or if all the domain controllers in the specified domain are offline. You need to correct the issue before you can continue.
    A verification error also occurs if you enter the wrong password when setting credentials. Here, the error states: "Verification of replica failed. The wizard cannot access the list of domains in the forest. The user name or password is incorrect." Although the wizard checks the credentials when you enter them to ensure the user name and password are valid, the wizard doesn't verify user credential permissions until just before installation.

  2. In the Domain box, type the full DNS name of the domain in the forest where you plan to install the domain controller, such as cpandl.com. To select a domain in the forest from a list of available domains, tap or click Select. Next, in the Select A Domain dialog box, tap or click the domain to use and then tap or click OK.
  3. If you are logged on to a domain in this forest and have the appropriate permissions, you can use your current logged-on credentials to perform the installation. Otherwise, you need to provide alternate credentials. Tap or click Change. In the Windows Security dialog box, type the user name and password for an enterprise administrator account in the previously specified domain and then tap or click OK.
  4. When you tap or click Next, the wizard performs several preliminary checks and then displays the Domain Controller Options page. The wizard does the following:
    • Checks any user credentials you entered to ensure that the user name and password are valid. The wizard doesn't verify user credential permissions until the Prerequisite Checks, which occur just before installation.
    • Determines the available Active Directory sites. The most appropriate site for the server's current subnet is selected by default on the Domain Controller Options page.
  5. As permitted, select additional installation options. The domain controller can be a DNS server, global catalog server, or both. To ensure high availability of directory services, all domain controllers should provide DNS and global catalog services. DNS Server is selected by default if the current domain hosts DNS already on its domain controllers (based on the Start of Authority query in DNS). Global Catalog is always selected by default.
  6. Select the Active Directory site in which you want to locate the domain controller. By default, the wizard selects the site with the most correct subnet. If there is only one site, the wizard selects that site automatically. No automatic selection is made if the server does not belong to an Active Directory subnet and there are multiple sites available.
  7. Type and confirm the password that should be used when you want to start the computer in Directory Services Restore Mode. Be sure to track this password carefully. This special password is used only in Restore mode and is different from the Administrator account password. (It is the local Administrator password, which is in the local database of domain controllers; this database normally is hidden.) To continue, tap or click Next.
  8. The next page you see depends on whether you are installing DNS Server. If you are installing the DNS Server service as an additional option, the wizard next attempts to register a delegation for the DNS server with an authoritative parent zone. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to the DNS server. Otherwise, you can ignore this warning. Tap or click Next to continue.

    Note:
    Before continuing, make sure you check for encrypted files and folders as discussed in the section Active Directory installation options and issues earlier in this tutorial. If you don't do this and there are encrypted files and folders present, you will only be able to decrypt them using previously backed-up recovery agent EFS private keys. If you don't have backups of these keys, you won't be able to decrypt previously encrypted files and folders.

  9. On the Additional Options page, specify whether to replicate the necessary Active Directory data from media or over the network. When you are installing from media, you must specify the folder location of the media before continuing. This folder must be on the local computer and cannot be a mapped network drive.
  10. If you choose to replicate data over the network, you can choose a replication partner for the installation or all replication from any available domain controller. When you install a domain controller and do not use backup media, all directory data is replicated from the replication partner to the domain controller you are installing. Because this can be a considerable amount of data, you typically want to ensure that both domain controllers are located in the same site or connected over reliable, high-speed networks.
  11. On the Paths page, select a location to store the Active Directory database folder, log folder, and SYSVOL. Keep the following in mind when configuring these locations:
    • The default location for the database and log folders is a subfolder of %SystemRoot%\NTDS. As discussed in the section Hardware and configuration considerations for domain controllers earlier in this tutorial, you'll get better performance if these folders are on two separate volumes, each on a separate disk.
    • The default location for the SYSVOL folder is %SystemRoot%\Sysvol. In most cases, you'll want to accept the default because the replication services store their database in a subfolder of the %SystemRoot% folder anyway. By keeping the folders on the same volume, you reduce the need to move files between drives.
  12. If the Active Directory schema must be updated for Windows Server 2012, you'll see the Preparation Options page. You see this page when you are installing the first Windows Server 2012 domain controller in the forest or domain because the forest schema, domain schema, or both must be updated to support Windows Server 2012. When you tap or click Next to continue, the wizard doesn't use Adprep.exe to extend the schema or update the domain. Instead, the wizard does this during the installation phase, just before promoting the domain controller.

    Note:
    If the forest, domain, or both must be prepared, the user credentials are checked on the Preparation Options page. If the user isn't a member of the appropriate groups, you'll see an error message. In this case, click Change. In the Windows Security dialog box, provide the user name and password of an account with sufficient permissions.

  13. On the Review Options page, review the installation options. Optionally, tap or click View Script to export the settings to a PowerShell script that you can use to perform automated installation of other domain controllers. When you tap or click Next, the wizard performs preliminary checks to verify that the domain and forest are capable of supporting a new Windows Server 2012 domain controller. The wizard also displays information about security changes that could affect older operating systems.
  14. When you tap or click Install, the wizard will use the options you selected to install and configure Active Directory. This process can take several minutes. Keep the following in mind:
    • If you specified that the DNS Server service should be installed, the server will also be configured as a DNS Server at this time.
    • Because you are installing an additional domain controller in an existing domain, the domain controller needs to obtain updates of all the directory partitions from other domain controllers and will do this by initiating a full synchronization. The only way to avoid this is to make a media backup of Active Directory on an existing domain controller, start the Active Directory Domain Services Configuration Wizard in Advanced mode, and then specify the backup media to use during installation of Active Directory.
  15. When the wizard finishes configuring Active Directory, you receive a prompt informing you that the computer will be restarted. After the server restarts, Active Directory will be completely configured and the server can then act as a domain controller.

After installing Active Directory, you should verify the installation by doing the following (in no particular order):

  • Examine the log of the installation, which is stored in the Dcpromo.log file in the %SystemRoot%\Debug folder. The log is very detailed and takes you through every step of the installation process, including the creation of directory partitions and the securing of the registry for Active Directory.
  • Check for DNS updates in the DNS console. If you added a domain controller to an existing domain, DNS is updated to add SRV records for the server, and these are in the appropriate subfolders of the zone, such as _tcp and _udp. If you created a new domain, DNS is updated to include a forward lookup zone for the domain.
  • Check for updates in Active Directory Users And Computers. For example, check to make sure the new domain controller is listed in the Domain Controllers OU.
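The three post-installation checks above can be scripted; the block below is an added example, not part of the original tutorial. It scans Dcpromo.log for errors, confirms the DC locator SRV records in DNS, and confirms the computer account is in the Domain Controllers OU. The domain name corp.example.com is a placeholder, and the script assumes it is run on the newly promoted domain controller after its restart.

```powershell
# Added example (not from the original page): post-promotion verification.
# Run from an elevated prompt on the new domain controller after it restarts.
$domain = 'corp.example.com'      # placeholder
$dcName = $env:COMPUTERNAME       # this DC

# 1. The installation log: pull out errors and warnings instead of reading it all.
$log = Join-Path $env:SystemRoot 'Debug\Dcpromo.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern '\[ERROR\]|\[WARNING\]' | Select-Object -Last 20
} else {
    Write-Warning "$log not found"
}

# 2. DNS: the DC must have registered locator SRV records under _msdcs and _tcp.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.$domain",
    "_ldap._tcp.$domain"
)
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    $mine = $records | Where-Object { $_.NameTarget -like "$dcName.*" }
    if ($mine) { "OK      $name -> $($mine.NameTarget)" }
    else       { "MISSING $name has no record pointing at $dcName" }
}

# 3. Directory: the computer account must sit in the Domain Controllers OU.
Import-Module ActiveDirectory
$dc = Get-ADDomainController -Identity $dcName -ErrorAction Stop
$dn = (Get-ADDomain -Identity $domain).DistinguishedName
if ($dc.ComputerObjectDN -like "CN=$dcName,OU=Domain Controllers,$dn") {
    "OK      $dcName is in the Domain Controllers OU (site: $($dc.Site))"
} else {
    "CHECK   $dcName was found at $($dc.ComputerObjectDN)"
}

# 4. Built-in health checks: advertising and replication tests, quiet output.
dcdiag /s:$dcName /test:Advertising /test:Replications /q
```

A missing SRV record right after promotion usually means the Netlogon service has not yet re-registered; re-run the check after restarting Netlogon before assuming DNS is misconfigured.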

If you created a new domain, the following containers are created and populated as appropriate:

  • Builtin contains the built-in accounts for administration, including Administrators and Account Operators.
  • Computers contains computer accounts for the domain.
  • Domain Controllers contains the domain controller accounts and should have an account for the domain controller you installed.
  • ForeignSecurityPrincipals is a container for security principals from other domain trees.
  • Users is the default container for user accounts in the domain.

Creating new domains in new forests

To create a new domain in a new forest, follow these steps:

  1. Start the Active Directory Domain Services Configuration Wizard as discussed previously. The wizard uses the credentials of the built-in Administrator account to create the forest root.

    Note:
    If the server doesn't have an appropriate IP address, you'll see a warning about the invalid IP address or improper network configuration and you need to correct the issue before you can continue.

  2. On the Deployment Configuration page, select Add A New Forest. Type the full DNS name for the new root domain in the new forest. Domain names are not case-sensitive and use the letters A to Z, the numerals 0 to 9, and the hyphen (-) character. The name must have at least two naming components. Each component of the domain name must be separated by a dot (.) and cannot be longer than 63 characters. Following this, thephone-company.com is a valid domain name, but thephone-company is not.
  3. When you tap or click Next, the wizard determines whether the name you entered is already in use on your network. If the name is already in use, you need to enter a different name or go back and make a different configuration selection. Keep in mind the domain should not have the same name as an external DNS name. If the external DNS name is thephone-company.com, you should use a different name for your internal forest to avoid compatibility issues.
  4. On the Domain Controller Options page, choose the desired functional level for the new Active Directory forest. The forest functional level can be set to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012.
  5. Next, choose the desired functional level for the new domain. The domain functional level cannot be set lower than the forest functional level. For example, if you set the forest functional level to Windows Server 2008 R2, you can set the domain functional level to Windows Server 2008 R2 or Windows Server 2012 only.
  6. As permitted, select additional installation options. When you are creating a new forest root domain, the first domain controller must be a global catalog and cannot be an RODC. The domain controller also can be a DNS server, and the related option is selected by default.
  7. Type and confirm the password that should be used when you want to start the computer in Directory Services Restore Mode. Be sure to track this password carefully. This special password is used only in Restore mode and is different from the Administrator account password. To continue, tap or click Next.
  8. The next page you see depends on whether you are installing DNS Server. If you are installing the DNS Server service as an additional option, the wizard next attempts to register a delegation for the DNS server with an authoritative parent zone. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to the DNS server. Otherwise, you can ignore this warning. Tap or click Next to continue.

    Note:
    If you choose to let the wizard install DNS Server, the DNS Server service will be installed and the domain controller will also act as a DNS server. A primary DNS zone will be created as an Active Directory-integrated zone with the same name as the new domain you are setting up. The wizard will also update the server's TCP/IP configuration so that its primary DNS server is set to itself.

  9. When you tap or click Next, the wizard examines the network environment and attempts to register the domain and the domain controller in DNS. When you are installing a new forest root domain and DNS Server, you can't configure DNS options or DNS delegation. When you elect not to install DNS Server and have existing DNS infrastructure, however, you can create a DNS delegation using the related option and you'll also be able to provide alternate credentials. In this case, the credentials you provide must have the right to update the DNS zone.
  10. The wizard uses the domain name to generate a default NetBIOS name. You can accept the wizard-generated name or type a new NetBIOS name of up to 15 characters and then tap or click Next to continue.
  11. The rest of the installation proceeds as previously discussed. Continue with steps 11-15 and the post-installation checks discussed in the previous section, Creating additional domain controllers for an existing domain.

Creating a new domain or domain tree within an existing forest

To create a new domain or domain tree within an existing forest, follow these steps:

  1. Start the Active Directory Domain Services Configuration Wizard as discussed previously. If the server doesn't have an appropriate IP address, you'll see a warning about the invalid IP address or improper network configuration and you need to correct the issue before you can continue.
  2. On the Deployment Configuration page, you need to choose one of the following:
    • Choose Add A New Domain To An Existing Forest and then choose Child Domain as the domain type:
      Choose these options to establish the first domain controller in a domain that is a child domain of an existing domain. By choosing these options, you are specifying that the necessary parent domain already exists. For example, you would choose this option if the parent domain cpandl.com had already been created and you wanted to create the tech.cpandl.com domain as a child of this domain.
      For Parent Domain Name, type or select the fully qualified name of the parent domain, such as cpandl.com. Next, type the name of the new child domain in the New Domain Name box. Be sure to provide a valid, single-label name for the child domain, such as tech rather than tech.cpandl.com. The name must follow DNS domain name requirements. This means the name can use the letters A to Z, the numerals 0 to 9, and the hyphen (-) character. Following this, thephone-company.com is a valid domain name but thephone-company is not.
    • Choose Add A New Domain To An Existing Forest and then choose Tree Domain as the domain type:
      Choose these options to establish a new domain tree that is separate from any existing trees in the existing Active Directory forest. By choosing these options, you specify that there isn't an existing parent domain with which you want to associate the new domain. For example, you should choose this option if the cohowinery.com domain already exists and you want to establish the cohovineyard.com domain in a new tree in the existing forest.
      For Forest Name, type the fully qualified name of the forest root domain, such as cpandl.com. Next, type the fully qualified name of the new tree domain in the New Domain Name box. The name must have at least two naming components. Each component of the domain name must be separated by a dot (.) and cannot be longer than 63 characters. Use only the letters A to Z, the numerals 0 to 9, and the hyphen (-) character.
  3. The rest of the installation proceeds as previously discussed. Continue with steps 3-15 and the post-installation checks discussed in the previous section, Creating additional domain controllers for an existing domain. Note that you do not have the option to install from media or replicate from an existing domain controller, so the Additional Options page does not appear.

Additionally, if you created a new domain, you also need to configure DNS so that name resolution works appropriately with any existing domains. Normally, when you create a new domain, a DNS delegation is created automatically during the installation process. This delegation, created in the parent Domain Name System (DNS) zone, transfers name-resolution authority and provides an authoritative referral to other DNS servers and clients of the new zone.

Several resource records, which point to the DNS server as authoritative for the zone, are created as well:

  • A name server (NS) resource record to establish the delegation and specify that the server is an authoritative server for the delegated subdomain
  • A host (A or AAAA) resource record to resolve the name of the server

Creating the delegation ensures that computers in other domains can resolve DNS queries for computers in the subdomain. The wizard can create the delegation records only on Microsoft DNS servers. If the parent DNS domain zone resides on third-party DNS servers, such as Berkeley Internet Name Domain (BIND), you'll see a warning prompt stating that the records can't be created, and you will need to create the records manually.

The wizard creates the required resource records in the parent DNS zone, and then it verifies the records after you click Next on the Domain Controller Options page. If the wizard cannot verify that the records exist in the parent domain, the wizard provides you with the option to either create a new DNS delegation for a new domain or update the existing delegation, and then continue with the new domain controller installation.

Creating a DNS delegation during installation requires credentials that have permissions to update the parent DNS zones. If you don't want to or can't create the delegation during the installation, that's okay as well, because you can manually create and validate the delegation before or after the installation.

CREATING A ZONE DELEGATION FOR A SUBDOMAIN

To create a zone delegation in DNS Manager, press and hold or right-click the parent domain and then click New Delegation.

If zone delegation is not possible at all, you can use other methods for providing name resolution from other domains to the hosts in the subdomain. As an example, the DNS administrator of another domain could configure conditional forwarding, stub zones, or secondary zones in order to resolve names in the subdomain. To enable name resolution for computers within the new domain, you typically want to create secondary zones for all existing domains in the new domain and set up zone transfers. To enable name resolution into the new domain from existing domains, you typically want to create a secondary zone in existing domains for the new domain and set up zone transfers.

Performing an Active Directory installation from media

Whenever you install an additional domain controller in an existing domain, you should consider whether you want to perform an installation from media rather than creating the domain controller from scratch. Doing so allows the Active Directory Domain Services Configuration Wizard to get the initial data for the Configuration, Schema, and Domain directory partitions and, optionally, the SYSVOL from backup media rather than performing a full synchronization over the network.

Not only does this reduce the amount of network traffic, which is especially important when installing domain controllers in remote sites that are connected by low-bandwidth WAN links, it can also greatly speed up the process of installing an additional domain controller and getting the directory partition data synchronized. This means that rather than having to replicate the full data across the network, the domain controller needs to get only the changes made since the backup media was made. This can mean that only several megabytes of replication traffic are generated rather than several gigabytes, and on a busy or low-bandwidth network this can be very important.

Note:
Installing Active Directory from media is not designed to be used to restore failed domain controllers. To restore failed domain controllers, you should use System State restore because this ensures that all the data that needs to be restored is recovered as necessary, including registry settings, Sysvol data, and Active Directory data.

In Windows Server 2008 or later, you can create installation media by restoring a System State backup of a domain controller. Windows Server 2008 or later versions also give you the option of performing an installation from media backup. A media backup is preferred to a System State backup because it includes only directory data. On the other hand, a System State backup includes over 50,000 files that require several gigabytes of space, not including the directory data.

Regardless of which technique you want to use, there are a few guidelines you should follow when installing Active Directory from backup media:

  • Always try to use the most recent media backup of Active Directory possible. This reduces the number of updates that must replicate to the domain controller, which in turn minimizes the post-installation replication traffic.
  • Always use a backup of a domain controller in the same domain in which the new domain controller is being created, and always use a backup from another domain controller running the same version of Windows Server.
  • Always copy the backup to a local drive on the server on which you are installing Active Directory. You cannot use backup media from Universal Naming Convention (UNC) paths or mapped drives.
  • Never use backup media that is older than the deleted object lifetime of the domain. The default value is 60 days. If you try to use backup media older than 60 days, the Active Directory installation fails.

With these guidelines in mind, you can create an additional domain controller from backup media by completing the following steps:

  1. Open an elevated command prompt window. At the command prompt, type ntdsutil. This starts the Directory Services Management Tool.
  2. At the ntdsutil prompt, type activate instance ntds. This sets Active Directory as the directory service instance to work with.
  3. Type ifm to access the install from media (ifm) prompt, and then type one of the following commands, where FolderPath is the full path to the folder in which to store the Active Directory backup media files:
    • Create Full FolderPath Creates a full writeable installation media backup of Active Directory. You can use the media to install a writeable domain controller or a read-only domain controller.
    • Create RODC FolderPath Creates a read-only installation media backup of Active Directory. You can use the media to install a read-only domain controller. The backup media does not contain security credentials, such as passwords.
    • Create Sysvol Full FolderPath Creates a full writeable installation media backup of Active Directory and the Sysvol. You can use the media to install a writeable domain controller or a read-only domain controller. The Sysvol files include computer and user scripts, as well as Group Policy settings.
    • Create Sysvol RODC FolderPath Creates a read-only installation media backup of Active Directory and the Sysvol. You can use the media to install a read-only domain controller.
  4. Ntdsutil then creates snapshots of Active Directory partitions. When it is finished creating the snapshots, Ntdsutil mounts the snapshots as necessary and then defragments the media backup of the Active Directory database. The progress of the defragmentation is shown as a percentage complete.
  5. Next, Ntdsutil copies registry data related to Active Directory. If you are creating backup media for the Sysvol, Ntdsutil also creates backups of all policy settings, scripts, and other data stored on the Sysvol. When it finishes this process, Ntdsutil unmounts any snapshots it was working with. The backup process should complete successfully. If it doesn't, note and resolve any issues that prevented successful creation of the backup media, such as the target disk running out of space or insufficient permissions to copy to the folder path.
  6. Type quit at the ifm prompt, and type quit at the ntdsutil prompt.
  7. Copy the backup media to a local drive on the server on which you are installing Active Directory.
  8. On the server you want to make a domain controller, start the Active Directory Domain Services Configuration Wizard. Follow all the same steps as you would if you were adding a domain controller to the domain without media. After you select additional domain controller options and get past any DNS prompts, you see the Additional Options page. On this page, select Install From Media, and then type the folder location of the backup media files or tap or click the options button to find this location.
  9. You can now complete the rest of the installation as discussed in the section Creating additional domain controllers for an existing domain earlier in this tutorial. Continue with the rest of the steps, and perform the post-installation checks as well.

You can create an additional domain controller using a System State backup media by completing the following steps:

  1. Create a System State backup on a domain controller in the domain using Windows Backup or by typing the following at an elevated command prompt:
    wbadmin start systemstatebackup -backupTarget:VolumeName
    Here, VolumeName is the storage location for the backup, such as F:.
  2. Restore the System State backup to an alternate location using Windows Backup or by typing the following at an elevated command prompt:
    wbadmin start systemstaterecovery -backupTarget:VolumeName -recoveryTarget:OtherLocation
    Here, VolumeName is the storage location that contains the System State backup you want to recover, such as F:, and OtherLocation is the alternate folder location in which the backup should be restored, such as F:\NTDSRestore.
  3. Copy the backup media to a local drive on the server on which you are installing Active Directory.
  4. On the server you want to make a domain controller, start the Active Directory Domain Services Configuration Wizard in Advanced Installation mode. Follow all the same steps as you would if you were adding a domain controller to the domain without media. After you select additional domain controller options and get past any DNS prompts, you see the Additional Options page. On this page, select Install From Media, and then type the folder location of the backup media files or tap or click the options button to find this folder.
  5. You can now complete the rest of the installation as discussed in the section Creating additional domain controllers for an existing domain earlier in this tutorial. Continue with the rest of the steps, and perform the post-installation checks as well.