Improving Domain Controller Installation


Those who have installed Active Directory in a Windows 2000 environment know that implementing Active Directory is a separate step from installing the server operating system. A member server becomes a domain controller in an Active Directory domain through the DCPromo utility (the Active Directory Installation Wizard) after the operating system is installed. A domain controller provides network users and computers with the Active Directory directory service, which stores and replicates directory data and manages user interactions with the domain, including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller. This section describes how to use the DCPromo utility to build Windows Server 2003 domain controllers in new and existing directory service environments.

Promoting a Member Server

When executed, the DCPromo utility enables you to promote a Windows Server 2003 member server to a domain controller. It also allows a domain controller to be demoted back to a member server.

The common tasks you can perform in promoting a member server to a domain controller are as follows:

  • Creating a new forest (also creating a new domain). In this scenario, the server will be the first domain controller created for Active Directory.

  • Creating a new tree in an existing forest. This scenario applies when a new domain needs its own, non-contiguous DNS namespace; the new domain becomes a tree root that is a peer of the existing tree roots within the same forest.

  • Creating a child domain. A child domain creates a domain boundary within a forest while maintaining a contiguous namespace.

  • Creating an additional domain controller in an existing domain. This is a common strategy for fault tolerance and load balancing.

Each of these domain controller roles has unique installation considerations depending on the overall Active Directory design for the organization(s). For design tips, see Chapter 10, "Advanced Active Directory Design." For any of these installation paths, though, keep the following in mind:

  • The partition on which the server operating system is installed must be formatted with the NTFS file system.

  • If DNS is not present or available, DCPromo will prompt the user with the option to have it configured automatically. Verify that DNS is installed and configured correctly before promoting the server.

  • In any Active Directory installation that involves a domain controller that is not the first domain controller in the forest, there must be some method by which the server being promoted can transfer Active Directory information. In addition to transferring this information over the network, Windows Server 2003 allows Active Directory to be transferred from a backup copied to media. This feature is detailed later in this chapter.

  • Verify that the installer has the proper level of administrative access to perform the operation. To create a new domain in a new forest, the installer needs only local Administrator rights on the server. To create a new tree in an existing forest, the installer must be a member of the Enterprise Admins group or of the Domain Admins group in the forest root domain. To create a child domain, the installer must be a member of the Enterprise Admins group or of the Domain Admins group in the parent domain. To create an additional domain controller in an existing domain, the installer must be a member of the Domain Admins group in that domain.

BEST PRACTICE: Install and Configure the DNS Infrastructure Before the Domain Controller Promotion

Although DNS can be installed as part of the DCPromo process, it is a best practice to install and configure the DNS infrastructure before performing the domain controller promotion. This ensures the naming system is working properly before Active Directory comes to depend on it. Also, in many environments Windows DNS is integrated with an existing Unix-based DNS. Having DNS implemented and validated ensures successful cross-integration between Windows and non-Windows DNS before Active Directory is implemented.
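The three requirements above (NTFS system volume, working DNS, sufficient group membership) are easy to check before DCPromo is started rather than discovering them inside the wizard. The following batch script is an added example, not from the book, to be run on the member server from an elevated command prompt; the domain name example.local is a placeholder. It only launches the wizard if every check passes.

```batch
@echo off
rem Added example, not from the book: pre-flight checks for promoting a member
rem server. Domain name is a placeholder; adjust before use.
setlocal
set DOMAIN=example.local
set RC=0

rem 1. The system volume must be NTFS.
fsutil fsinfo volumeinfo %SystemDrive%\ | findstr /i /c:"NTFS" >nul
if errorlevel 1 (echo FAIL: %SystemDrive% is not NTFS & set RC=1) else echo OK: %SystemDrive% is NTFS

rem 2. DNS must already publish the domain's DC locator (SRV) records; DCPromo and
rem    every later logon depend on them. Do not rely on the wizard's offer to
rem    "configure DNS automatically".
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>nul | findstr /i /c:"svr hostname" >nul
if errorlevel 1 (echo FAIL: no _ldap._tcp.dc._msdcs.%DOMAIN% SRV records resolvable & set RC=1) else echo OK: DC locator SRV records found

rem 3. The installer needs Domain Admins in the target domain, or Enterprise Admins
rem    for a new tree or child domain. whoami ships with Windows Server 2003.
whoami /groups | findstr /i /c:"Domain Admins" /c:"Enterprise Admins" >nul
if errorlevel 1 (echo FAIL: not running as a Domain Admins or Enterprise Admins member & set RC=1) else echo OK: administrative group membership present

rem 4. The server must not already be a domain controller (the NTDS service exists
rem    only on a DC).
sc query ntds >nul 2>&1 && (echo FAIL: this server is already a domain controller & set RC=1)

if %RC%==0 (
  echo All checks passed; starting the Active Directory Installation Wizard.
  start /wait dcpromo
) else (
  echo Fix the failures above before promoting this server.
)
exit /b %RC%
```

The SRV lookup is the check that matters most: if the locator records are missing or resolve from a DNS server that does not host the zone, the promotion may succeed but the new domain controller will be unable to find its replication partners afterwards.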


Demoting a Domain Controller

The ability to demote a domain controller to a member server was first made available with Windows 2000. This useful feature can still be leveraged in a Windows Server 2003 environment by using the DCPromo utility. Performing a domain controller demotion is a simple task, but it can have some far-reaching consequences if particular considerations are not taken into account.

To demote a domain controller, follow these steps:

  1. On a domain controller, click Start, and then click Run.

  2. In the Open box, type dcpromo to open the Active Directory Installation Wizard, and then click Next.

  3. On the Remove Active Directory page, click Next, and then continue to follow the wizard.

Before Performing a Domain Controller Demotion...

Before performing a domain controller demotion, make sure that the server is not the last global catalog server available to the domain's users (global catalog servers serve the entire forest, so check the forest, not just the domain), and also that it does not hold any operations master roles.


It is important to verify that there will still be a global catalog server available for users before the demotion of a domain controller is completed. If you choose to demote a global catalog server, the DCPromo process will prompt the user with a warning.

FSMO Roles Can be Transferred by Using NTDSUtil.exe

Flexible Single-Master Operations (FSMO) roles can be transferred by using the NTDSUtil.exe command line utility.


Also, if the server to be demoted holds any operation master roles, those roles should be transferred to another domain controller before a demotion takes place.

If the domain controller being demoted is the last domain controller in a domain, that Active Directory domain will be completely removed from the forest. Further, if this is the last domain controller in the forest, the demotion will also delete the forest. To delete a domain or forest using DCPromo, click the check box indicating this is the last domain controller in the domain as shown in Figure 12.1.

Figure 12.1. Deleting a domain with DCPromo.

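The two preconditions above (no operations master roles, another global catalog still available) and the NTDSUtil transfer mentioned in the sidebar can be scripted so that nothing is demoted by accident. The following batch script is an added example, not from the book, to be run on the domain controller that is about to be demoted; the surviving DC name dc2 is a placeholder. netdom requires the Windows Server 2003 Support Tools, while dsquery and ntdsutil ship with the operating system.

```batch
@echo off
rem Added example, not from the book: run on the DC you intend to demote. It
rem records the FSMO holders, transfers any role this server still holds to a
rem surviving DC, and refuses to continue if this server is the last global
rem catalog in the forest. TARGETDC is a placeholder.
setlocal
set TARGETDC=dc2

rem Who holds which role, for the change record.
netdom query fsmo

rem dsquery role keywords paired with the ntdsutil command that moves that role.
rem Transferring the schema master requires Schema Admins; the domain naming
rem master requires Enterprise Admins.
call :transfer_if_held schema "transfer schema master"
call :transfer_if_held name   "transfer domain naming master"
call :transfer_if_held infr   "transfer infrastructure master"
call :transfer_if_held pdc    "transfer pdc"
call :transfer_if_held rid    "transfer rid master"

rem Count global catalogs in the forest and refuse if this is the only one.
set GCCOUNT=0
for /f %%n in ('dsquery server -forest -isgc ^| find /c "CN="') do set GCCOUNT=%%n
dsquery server -forest -isgc | findstr /i /c:"CN=%COMPUTERNAME%," >nul && set ISGC=1
if defined ISGC if %GCCOUNT% LEQ 1 (
  echo FAIL: %COMPUTERNAME% is the only global catalog in the forest; enable another first
  exit /b 1
)

echo Safe to demote: no roles held here and another global catalog exists.
echo Run dcpromo and choose Remove Active Directory. Leave the "last domain
echo controller in the domain" box clear unless you intend to delete the domain.
exit /b 0

:transfer_if_held
rem %1 = dsquery role keyword, %2 = quoted ntdsutil transfer command.
rem The trailing comma in the match keeps DC1 from matching DC10.
dsquery server -forest -hasfsmo %1 | findstr /i /c:"CN=%COMPUTERNAME%," >nul || goto :eof
echo %COMPUTERNAME% holds the %1 role; transferring it to %TARGETDC%
ntdsutil "roles" "connections" "connect to server %TARGETDC%" "quit" %2 "quit" "quit"
goto :eof
```

ntdsutil accepts its interactive commands as command-line arguments, which is what the one-line transfer relies on. Use transfer, not seize, while the current holder is still online: seizing a role that is still held elsewhere leaves two domain controllers believing they own it.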

Creating Replicas from Media

Traditionally when a domain controller is added to an existing forest or domain, the Active Directory information that gets installed during the process is transferred over the network from an existing domain controller. This transfer presents a potential bottleneck, especially for building new domain controllers in remote sites connected by a slow WAN connection. One option for avoiding the bottleneck is to build the new domain controller locally, and then ship it to the remote location where only updates will be transferred over the WAN. Windows Server 2003 provides a new method to alleviate the bottleneck by enabling you to install Active Directory (and a global catalog server) from a backup copied to removable media.

Any Encrypted Files in a Domain Should Be Decrypted Before Deleting a Domain

Deleting a domain deletes all of its user and computer accounts. Computers that were members of the domain will no longer be able to log on to it or access its resources. Also, any EFS-encrypted files owned by accounts in the domain should be decrypted before the domain is deleted, because the accounts those files are encrypted to will no longer exist.


The process of creating a domain controller from backup is fairly simple. By using the NTBackup utility provided with the operating system, a system-state backup can be performed on an existing domain controller. The backup is then copied to removable media such as a CD or tape. The media is then shipped to the remote location where the new domain controller is being built.

On the remote system, you run DCPromo with an /adv switch, which will activate the option to install the Active Directory database from media, as shown in Figure 12.2.

Figure 12.2. DCPromo from media.


After the DCPromo process completes on the remote system, only incremental changes to the Active Directory database are transferred over the WAN.

Use an Up-to-Date Backup

When installing Active Directory from media, it is important to use an up-to-date backup. If the backup (including the global catalog information, if the new server is to be a global catalog) is older than the forest's tombstone lifetime (60 days by default in a Windows Server 2003 forest; 180 days for forests created with Service Pack 1 or later), this type of DCPromo will fail, because objects deleted since the backup was taken could otherwise be reintroduced into the directory.
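The whole install-from-media procedure (system-state backup on the source, restore on the new server, tombstone-lifetime check, DCPromo with the media option) can be captured in one script. The following batch script is an added example, not from the book; the domain example.local, the server name dc1, the site name Branch-Site and the path D:\ifm are placeholders. Run it with the argument backup on an existing domain controller (a global catalog, if the new domain controller should also be one) and with promote on the new member server after the .bkf file has been copied to it and restored.

```batch
@echo off
rem Added example, not from the book: install-from-media (IFM) build of an
rem additional DC. "backup" runs on the source DC, "promote" on the new server.
rem Domain, names and paths are placeholders.
setlocal
set DOMAIN=example.local
set DOMAINDN=DC=example,DC=local
set IFMDIR=D:\ifm

if /i "%1"=="backup"  goto :backup
if /i "%1"=="promote" goto :promote
echo usage: %~nx0 backup ^| promote
exit /b 2

:backup
rem Source DC: system-state backup to a single .bkf file that goes onto the media.
ntbackup backup systemstate /J "IFM for %DOMAIN%" /F "%IFMDIR%\dc1-systemstate.bkf"
rem Record when it was taken; the restore is only usable within the tombstone lifetime.
echo %DATE% %TIME% > "%IFMDIR%\taken.txt"
goto :eof

:promote
rem New server, step 1: restore the .bkf with the ntbackup GUI to an alternate
rem location (%IFMDIR%\restore); ntbackup has no command-line restore.
rem Step 2: compare the backup date with the forest tombstone lifetime. An empty
rem tombstoneLifetime attribute means the default applies (60 days for a
rem Windows Server 2003 forest).
echo Backup taken: & type "%IFMDIR%\taken.txt"
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,%DOMAINDN%" -scope base -attr tombstoneLifetime

rem Step 3: answer file for DCPromo. The keys are the documented [DCInstall]
rem keys. Password and SafeModeAdminPassword are deliberately left out so the
rem wizard prompts for them and no credential is written to disk or media.
set ANSWER=%IFMDIR%\ifm-answer.txt
(
  echo [DCInstall]
  echo ReplicaOrNewDomain=Replica
  echo ReplicaDomainDNSName=%DOMAIN%
  echo ReplicateFromMedia=Yes
  echo ReplicationSourcePath=%IFMDIR%\restore
  echo SiteName=Branch-Site
  echo DatabasePath=%SystemRoot%\NTDS
  echo LogPath=%SystemRoot%\NTDS
  echo SYSVOLPath=%SystemRoot%\SYSVOL
  echo UserDomain=%DOMAIN%
  echo UserName=Administrator
  echo RebootOnSuccess=No
) > "%ANSWER%"

rem Step 4: /adv enables the media option; /answer supplies the values above.
start /wait dcpromo /adv /answer:"%ANSWER%"
del "%ANSWER%"
echo Reboot to finish. After the reboot only changes made since the backup replicate over the WAN.
goto :eof
```

The restored directory on the media contains password hashes for every account in the domain, so treat the CD or tape as you would a domain controller: ship it under control, keep the restore folder on an NTFS volume with a restricted ACL, and wipe it once the promotion has completed.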




Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325