Those who have installed Active Directory in a Windows 2000 environment realize that the process by which Active Directory is implemented is separate from the installation of the server operating system. A member server becomes a domain controller in an Active Directory domain through the use of the DCPromo utility, or the Active Directory Installation Wizard, after the operating system is installed. A domain controller provides network users and computers with the Active Directory directory service, which stores and replicates directory data and manages user interactions with the domain, including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller. This section provides information on how to use the DCPromo utility to build Windows Server 2003 domain controllers in new and existing directory service environments.

Promoting a Member Server

When executed, the DCPromo utility enables you to promote a Windows Server 2003 member server to a domain controller. It also allows a domain controller to be demoted back to a member server. The common tasks you can perform in promoting a member server to a domain controller are as follows:
Each of these domain controller roles has unique installation considerations depending on the overall Active Directory design for the organization(s). For design tips, see Chapter 10, "Advanced Active Directory Design." For any of these installation paths, though, keep the following in mind:
Demoting a Domain Controller

The ability to demote a domain controller to a member server was first made available with Windows 2000. This useful feature can still be leveraged in a Windows Server 2003 environment by using the DCPromo utility. Performing a domain controller demotion is a simple task, but it can have some far-reaching consequences if particular considerations are not taken into account. To demote a domain controller, follow these steps:
Before Performing a Domain Controller Demotion...

Before performing a domain controller demotion, make sure that the server is not the last global catalog server in the domain, and also that it does not hold any operation master roles. It is important to verify that there will still be a global catalog server available for users before the demotion of a domain controller is completed. If you choose to demote a global catalog server, the DCPromo process will prompt the user with a warning.

FSMO Roles Can Be Transferred by Using NTDSUtil.exe

Flexible Single-Master Operations (FSMO) roles can be transferred by using the NTDSUtil.exe command-line utility.

If the server to be demoted holds any operation master roles, those roles should be transferred to another domain controller before the demotion takes place. If the domain controller being demoted is the last domain controller in a domain, that Active Directory domain will be completely removed from the forest. Further, if this is the last domain controller in the forest, the demotion will also delete the forest. To delete a domain or forest using DCPromo, click the check box indicating that this is the last domain controller in the domain, as shown in Figure 12.1.

Figure 12.1. Deleting a domain with DCPromo.

Any Encrypted Files in a Domain Should Be Decrypted Before Deleting a Domain

Deleting a domain deletes all user accounts. Computers will no longer be able to log in and access domain resources. Also, any encrypted files in a domain should be decrypted before deleting the domain.

Creating Replicas from Media

Traditionally, when a domain controller is added to an existing forest or domain, the Active Directory information that gets installed during the process is transferred over the network from an existing domain controller. This transfer presents a potential bottleneck, especially for building new domain controllers in remote sites connected by a slow WAN connection. One option for avoiding the bottleneck is to build the new domain controller locally and then ship it to the remote location, where only updates will be transferred over the WAN. Windows Server 2003 provides a new method to alleviate the bottleneck by enabling you to install Active Directory (and a global catalog server) from a backup copied to removable media.

The process of creating a domain controller from backup is fairly simple. By using the NTBackup utility provided with the operating system, a system-state backup can be performed on an existing domain controller. The backup is then copied to removable media such as a CD or tape. The media is then shipped to the remote location where the new domain controller is being built. On the remote system, you run DCPromo with the /adv switch, which activates the option to install the Active Directory database from media, as shown in Figure 12.2.

Figure 12.2. DCPromo from media.
After the DCPromo process completes on the remote system, only incremental changes to the Active Directory database are transferred over the WAN.

Use an Up-to-Date Backup

When installing Active Directory from media, it is important to use an up-to-date backup. If the backed-up copy of the global catalog information is older than the tombstone date for objects in Active Directory (by default, 30 days), this type of DCPromo will fail.
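The pre-demotion conditions above (no operation master roles, not the last global catalog or last domain controller) and the backup-freshness rule for install-from-media can be checked in one pass. The following PowerShell script is an added example, not code from the book; it assumes a domain-joined host with .NET 2.0 and PowerShell 2.0, that -Candidate is the FQDN of the server you plan to demote, and that -BackupTaken is the date of the system-state backup you intend to ship.

```powershell
# Added example (not from the book): readiness check before DCPromo demotion
# or install-from-media. -Candidate is the FQDN of the DC to be demoted.
param(
    [Parameter(Mandatory=$true)][string]$Candidate,   # e.g. dc2.corp.example (assumed name)
    [datetime]$BackupTaken = (Get-Date)               # date of the system-state backup
)
Add-Type -AssemblyName System.DirectoryServices
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$problems = @()

# 1. Operation master (FSMO) roles held by the candidate; move them first
#    (for example with NTDSUtil.exe), otherwise the demotion is unsafe.
$roles = @{
    'PDC Emulator'   = $domain.PdcRoleOwner.Name
    'RID Master'     = $domain.RidRoleOwner.Name
    'Infrastructure' = $domain.InfrastructureRoleOwner.Name
    'Schema Master'  = $forest.SchemaRoleOwner.Name
    'Domain Naming'  = $forest.NamingRoleOwner.Name
}
foreach ($r in $roles.Keys) {
    if ($roles[$r] -ieq $Candidate) { $problems += "holds the $r role" }
}

# 2. Last global catalog server in this domain? Users would lose GC lookups.
$gcsInDomain = @($forest.FindAllGlobalCatalogs() |
    Where-Object { $_.Domain.Name -ieq $domain.Name } |
    ForEach-Object { $_.Name })
if (($gcsInDomain -icontains $Candidate) -and ($gcsInDomain.Count -eq 1)) {
    $problems += "is the last global catalog server in $($domain.Name)"
}

# 3. Last domain controller? Demoting it removes the whole domain.
$dcs = @($domain.FindAllDomainControllers() | ForEach-Object { $_.Name })
if (($dcs.Count -eq 1) -and ($dcs[0] -ieq $Candidate)) {
    $problems += "is the last domain controller; demotion deletes the domain"
}

# 4. Install-from-media freshness: the backup must be younger than the forest's
#    tombstone lifetime, read from the Directory Service object in the
#    configuration partition. If the attribute is unset, the version default
#    applies and must be checked by hand.
$cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ds  = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
$tsl = $ds.Properties['tombstoneLifetime'].Value
if ($tsl) {
    $age = ((Get-Date) - $BackupTaken).Days
    if ($age -ge [int]$tsl) { $problems += "backup is $age days old, past the $tsl-day tombstone lifetime" }
} else { Write-Warning 'tombstoneLifetime is unset; the forest version default applies' }

if ($problems.Count -eq 0) { "$Candidate is safe to demote." }
else { $problems | ForEach-Object { "$Candidate $_" } }
```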