In part 1 of the Active Directory Domain Services Domain Controllers series, about Sites, we saw the role Sites play in providing resilient, available and efficient authentication to our domain network; recall that, by dividing the network into transparent zones/branches, we ensure that only the necessary replication/synchronization traffic is used.
[00:10] This model won't work unless additional Domain Controllers are placed in each Site!
So let's explore the process of creating an additional Domain Controller by following the predefined procedure from Microsoft TechNet: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781792(v=ws.10)
Basically, there are 2 routines before a server can serve as an additional DC:
– Active Directory Domain Services role installation.
– Promoting the server to a fully functional Domain Controller with the AD DS Installation Wizard (dcpromo.exe).
[00:24] The role installation of AD DS is quite simple; just make sure you have membership in the local Administrators group, or equivalent, which is the minimum required to complete this procedure.
You can follow the step-by-step guide for Windows Server 2008 R2 here:
[00:51] Before you start the DC promotion process, make sure you have reviewed this checklist: Creating an additional domain controller in an existing domain.
[00:55] And I have some notes for you:
– The promotion process is slightly different between Windows Server 2008 R2 (dcpromo) and Windows Server 2012 (post-installation wizard).
– Review that all DCs in your domain are working, using the dsa.msc console or the "dsquery server" tool.
– Check your domain/forest functional level to see which Windows Server versions can be installed and promoted as a Domain Controller.
– Of course, this additional server must be able to reach the main DC via DNS.
[01:04] On the Operating System Compatibility page, read the information and then click Next.
[01:08] Of course, we are adding this DC, SnoOpy-Server-3 (WS 2008 R2), to an existing domain, SnoOpy.com, which is ruled by the master DC SnoOpy-Server (WS 2012).
[01:18] In a real scenario, it is recommended that you log on to that DC with a local account, then obtain permission to promote by providing Domain Admins credentials in this dialog.
[01:37] Select the available domain for this additional Domain Controller (the forest root domain), then wait for the Wizard to validate the domain name and examine the Active Directory forest.
In the previous episode about Sites, we created these Sites and their associated subnets.
So we can leverage the option "Use the site that corresponds to the IP address of this computer" to place this DC into its Site without opening the AD Sites and Services console.
Microsoft recommends that all domain controllers provide DNS and GC services for high availability in distributed environments. GC is always selected by default, and DNS server is selected by default if the wizard's Start of Authority query shows that the current domain already hosts DNS on its DCs.
[01:56] Every domain controller should have a static IP Address for reliable Domain Name System operation.
Check out my playlists about DNS to see how important it is in our domain infrastructure:
We can configure the DNS delegation later from the master DC so that this ADC can join the party!
[02:07] For better performance and recoverability, specify paths to separate volumes for the database and log files.
[02:13] Providing or storing a clear text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the DSRM password of that domain controller. With that knowledge, they can impersonate the domain controller itself and elevate their privilege to the highest level in an Active Directory forest.
Take a look at this risk at:
I will stop this AD DS role installation in the GUI at the Summary page (Review your selections) so that I can give an overview of the relationship between the GUI and the CLI:
If you click Next/Install, a script like this will be invoked under the hood.
So they have equivalent functions, though they serve different scenarios.
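As an added illustration of that GUI/CLI relationship (this is not the script exported by the wizard in the video, and it is not from Microsoft's article), here is the Windows Server 2012 PowerShell equivalent of the steps walked through above: role installation, a check of the existing DCs and DNS records, a prerequisite dry run, and the promotion itself. The domain and server names (SnoOpy.com, SnoOpy-Server) come from the post; the site name, the database/log/SYSVOL volume paths and the credentials are placeholders and assumptions. The DSRM and Domain Admins secrets are read interactively so that, unlike a clear-text answer file, nothing sensitive lands in the script or the shell history.

```powershell
# Added example, not the post's own script: PowerShell (ADDSDeployment module,
# Windows Server 2012) equivalent of the AD DS Installation Wizard steps above.
# Assumed/placeholder values: '<Site-Name>' and the D:\ / E:\ volume paths.

# 1. Install the AD DS role plus RSAT tools (what Server Manager does first).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Collect secrets interactively: never store the DSRM password in clear text.
$domainAdmin  = Get-Credential -Message 'Domain Admins account used to promote'
$dsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode) password' -AsSecureString

# 3. Sanity checks before promoting: which DCs already exist in the domain
#    (equivalent of "dsquery server") and can this host locate a DC via DNS.
Get-ADDomainController -Filter * -Server 'SnoOpy.com' -Credential $domainAdmin |
    Select-Object Name, Site, IsGlobalCatalog, IPv4Address
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.SnoOpy.com' -Type SRV

# 4. Dry run: validates the prerequisites without changing anything.
Test-ADDSDomainControllerInstallation -DomainName 'SnoOpy.com' `
    -Credential $domainAdmin -SafeModeAdministratorPassword $dsrmPassword `
    -SiteName '<Site-Name>' -InstallDns

# 5. Promote. Omitting -SiteName gives the wizard's "use the site that
#    corresponds to the IP address of this computer" behaviour; GC stays on,
#    DNS is installed, and the delegation is left for the master DC to create.
Install-ADDSDomainController `
    -DomainName 'SnoOpy.com' `
    -Credential $domainAdmin `
    -SafeModeAdministratorPassword $dsrmPassword `
    -SiteName '<Site-Name>' `
    -InstallDns:$true `
    -NoGlobalCatalog:$false `
    -CreateDnsDelegation:$false `
    -DatabasePath 'D:\NTDS' -LogPath 'E:\NTDS-Logs' -SysvolPath 'D:\SYSVOL' `
    -Force
```

Run it in an elevated PowerShell session on the server being promoted; the server reboots when the last cmdlet completes. On Windows Server 2008 R2 the same work is done by dcpromo with an unattended answer file instead, which is what the next part covers.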
Wait for part 2 to see how to continue installing AD DS/promoting the DC with the unattended answer file (which we just exported from the Installation Wizard GUI) via the CLI (cmd.exe), as well as its application in real scenarios :3