8/13/2019 01 Administering
www.technocorp.co.in

Administering AD DS Domain Controller

Module Overview
- Domain Controller Installation Options
- Install a Server Core DC
- Manage Operations Masters
- Configure DFS-R Replication of SYSVOL

Install a Domain Controller by Using Windows Interface
To install a DC:
1. Add the AD DS role by using Server Manager
2. Install and configure AD DS with the Active Directory Domain Services Installation Wizard
DCPROMO.exe: Installs the AD DS role if it is not already installed

Unattended Installation Options and Answer Files
- Options can be specified at the command line
  - /option:value, for example, /newdnsdomainname:contoso.com
  - dcpromo.exe /?[:operation] for help
- Options can be specified in an answer file
  - Answer file can be called by using dcpromo.exe /unattend:path to answer file
- Options on command line will override answer file
- Options not specified will be prompted by wizard
  - Except in Server Core
- Recommendation: Use dcpromo.exe on full installation and expofile for command line or Server Core

[DCINSTALL]
NewDomainDNSName=contoso.com

Install a New Windows Server 2008 Forest

[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=fqdn
DomainNetBiosName=name
ForestLevel={0, 2, 3}
DomainLevel={0, 2, 3}
InstallDNS=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes

dcpromo.exe /unattend
  /installDNS:yes
  /dnsOnNetwork:
  /replicaOrNewDomain:domain
  /newDomain:forest
  /newDomainDnsName:contoso.c
  /DomainNetbiosName:contoso
  /databasePath:"e:\ntds"
  /logPath:"f:\ntdslogs"
  /sysvolpath:"g:\sysvol"
  /safeModeAdminPassword:passw
  /forestLevel:3 /domainLevel:3
  /rebootOnCompletion:yes

dcpromo.exe /unattend:path

Install an Additional DC in a Domain

[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes

dcpromo.exe /unattend
  /replicaOrNewDomain:replica
  /replicaDomainDNSName:contoso
  /installDNS:yes /confirmGC:yes
  /databasePath:"e:\ntds"
  /logPath:"f:\ntdslogs"
  /sysvolpath:"g:\sysvol"
  /safeModeAdminPassword:passw
  /rebootOnCompletion:yes

dcpromo.exe /unattend:path

Install a New Windows Server 2008 Domain

[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=child
ParentDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
ChildName=name*
DomainNetBiosName=name
DomainLevel={0,2,3}*
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username
DNSDelegationPassword=password*
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes

dcpromo.exe /una
  /installDNS:yes
  /replicaOrNewDoma
  /newDomain:child
  /ParentDomainDNS
  /newDomainDnsNa
  /childName:subsidia
  /DomainNetbiosNam
  /databasePath:"e:\n
  /logPath:"f:\ntdslog
  /sysvolpath:"g:\sys
  /safeModeAdminPas
  /forestLevel:3 /dom
  /rebootOnCompletio

dcpromo.ex /unattend:

Stage the Installation of an RODC
- Create the account for the RODC
  - Right-click the Domain Controllers OU
  - Pre-Create Read-only Domain Controller Accou
- Delegation of RODC Installation and Administration
  - Delegate to a group
  - Members of the group can join RODC to domain
  - Members of the group are local Administrators after join
- Attach the server to the RODC account
  - Server must be a member of a workgroup
  - dcpromo /UseExistingAccount:attach

Attach a Server to a Prestaged RODC Account
GUI Active Directory Domain Services Wizard: dcpromo.exe /useexistingaccount:attach

[DCINSTALL]
ReplicaDomainDNSName=fqdn
UserDomain=fqdn
UserName=DOMAIN\username*
Password=password*
InstallDNS=yes
ConfirmGC=yes
DatabasePath="path"
LogPath="path"
SYSVOLPath="path"
SafeModeAdminPassword=pwd
RebootOnCompletion=yes

dcpromo.exe /unattend
  /UseExistingAccount:Attach
  /ReplicaDomainDNSName:conto
  /UserDomain:contoso.com
  /UserName:contoso\dan
  /password:*
  /databasePath:"e:\ntds"
  /logPath:"f:\ntdslogs"
  /sysvolpath:"g:\sysvol"
  /safeModeAdminPassword:passw
  /rebootOnCompletion:yes

dcpromo.exe /useexistingaccount /unattend:path

Install AD DS from Media
- Install from media (IFM)
  - Create installation media: a specialized backup of AD DS
  - Use installation media for creation of DC
  - Significantly reduce over-the-network replication
  - DC will need to replicate changes since backup was made
- ntdsutil
  activate instance ntds
  ifm
  - create sysvol full path : media with sysvol for writable DC
  - create full path : media without sysvol for writable DC
  - create sysvol rodc path : media with sysvol for read-only DC
  - create rodc path : media without sysvol for read-only DC
- Active Directory Domain Services Installation Wizard, select Use Mode
- ReplicationSourcePath option/switch

Remove a Domain Controller
- GUI Active Directory Domain Services Wizard: dcpromo.exe
- Command line: dcpromo.exe /uninstallbinaries
- If DC cannot contact the domain: dcpromo /forceremoval
  - Then you must clean up metadata: KB 216498

[DCINSTALL]
UserName=DOMAIN\username*
UserDomain=fqdn
Password=password*
AdministratorPassword=password*
RemoveApplicationPartitions=yes
RemoveDNSDelegation=yes
DNSDelegationUserName=DOMAIN\username
DNSDelegationPassword=password*

dcpromo.exe /unattend
  /uninstallbinaries
  /UserName:contoso\dan
  /password:*
  /administratorpassword:Pa$

dcpromo.exe /uninstallbinaries /unattend:path
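
The [DCINSTALL] answer files on these slides carry up to four password keys, so a file left on disk can expose domain and DSRM credentials. The following is an added example (not part of the original slides) that reports which password keys in an answer file hold a literal value; the function name, the sample file and its placeholder value are constructed, and treating `*` as "prompt" is an assumption taken from the `/password:*` usage shown above.

```powershell
# Added example, not from the slides: flag credentials stored in a dcpromo answer file.
# Key names are the ones the slides show; the sample file below is constructed.
$PasswordKeys = 'Password', 'SafeModeAdminPassword',
                'DNSDelegationPassword', 'AdministratorPassword'

function Get-AnswerFileSecret {
    param([string[]]$Lines)
    $section = ''
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $text = $line.Trim()
        # Track the current INI section; only [DCINSTALL] is inspected.
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'DCINSTALL') { continue }
        if ($text -match '^([^=;]+)=(.*)$') {
            $key   = $Matches[1].Trim()
            $value = $Matches[2].Trim().Trim('"')
            if ($PasswordKeys -contains $key) {
                # Assumption: '*' means "prompt", as in /password:* on the slides;
                # any other non-empty value is a literal secret in the file.
                $state = if ($value -eq '*') { 'Prompt' } elseif ($value -eq '') { 'Empty' } else { 'Literal' }
                [pscustomobject]@{ Line = $n; Key = $key; State = $state }
            }
        }
    }
}

# Constructed sample: the additional-DC answer file with placeholder values.
$sample = @'
[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=contoso.com
UserName=CONTOSO\dan
Password=*
SafeModeAdminPassword=CONSTRUCTED-PLACEHOLDER
RebootOnCompletion=yes
'@ -split "`r?`n"

Get-AnswerFileSecret -Lines $sample | Format-Table -AutoSize
# For a real file (hypothetical path):
#   Get-AnswerFileSecret -Lines (Get-Content C:\path\to\answer.txt)
```

Any row with State 'Literal' marks a file that should be deleted or tightly ACLed once the promotion or removal has finished.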

Manage Operations Masters
- Understand Single Master Operations
- Operations Master Roles
- Optimize the Placement of Operations Masters
- Identify Operations Masters
- Transfer Operations Master Roles
- Seize Operations Master Roles

Understand Single Master Operations
- In any multimaster replication topology, some operations msingle master
- Many terms used for single master operations in AD DS
  - Operations master (or operations master roles)
  - Single master roles
  - Operations tokens
  - Flexible single master operations (FSMOs)
- Roles
  - Forest: Domain naming, Schema
  - Domain: Relative identifier (RID), Infrastructure, PDC Emulator

Operations Master Roles
- Forest-wide
  - Domain naming: Adds/removes domains to/from the forest
  - Schema: Makes changes to the schema
- Domain-wide
  - RID: Provides pools of RIDs to DCs, which use them for SIDs
  - Infrastructure: Tracks changes to objects in other domains that are members of groups i
  - PDC: Plays several very important roles
    - Emulates a Primary Domain Controller (PDC): compatibility
    - Special password update handling
    - Default target for Group Policy updates
    - Master time source for domain
    - Domain master browser

Identify Operations Masters
- User interface tools
  - PDC Emulator: Active Directory Users And Computers
  - RID: Active Directory Users And Computers
  - Infrastructure: Active Directory Users And Computers
  - Schema: Active Directory Schema
  - Domain Naming: Active Directory Domains and Trusts
- Command line tools
  - NTDSUtil
  - DCDiag
  - netdom query fsmo

Transfer Operations Master Roles
- Scenarios for transferring roles
  - To distribute roles away from the forest domain root DC
  - Prior to taking a role holding DC offline for maintenance
  - Prior to demoting a role holding DC
- Procedure for transferring roles
  - Ensure that the new role holder is up to date with replication from the current role hold
  - Open the appropriate administrative snap-in
  - Connect to the target domain controllers
  - Open the Operations Master dialog box and click Change
  - Or use NTDSUtil to transfer the master

Seize Operations Master Roles
- Recognize operations master failures
  - Typically you notice when you attempt to perform an action for which the master is resp
    receive an error
- Respond to an operations master failure
  - Determine whether the DC can be brought online, and when
  - Evaluate whether the enterprise can continue to function temporarily without the DC
  - Seize the role by using NTDSUtil
- Return a role to its original holder?
  - Only for PDC and Infrastructure tokens
  - If Schema, RID, or domain naming have been seized, you must decommission the failed promote it again
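
Before a role-holding DC is taken offline or demoted, the transfer slide says its roles should be moved; the seize slide says which roles tie the original holder's hands if a seizure happens instead. The following is an added example (not part of the original slides) that parses `netdom query fsmo` output and lists the roles one DC holds together with that consequence; the function names, host names and sample output are constructed.

```powershell
# Added example, not from the slides: list the operations master roles a DC holds
# before it is taken offline or demoted. $sample is constructed in the layout
# printed by `netdom query fsmo`; the host names are placeholders.
$sample = @'
Schema master               dc01.contoso.com
Domain naming master        dc01.contoso.com
PDC                         dc02.contoso.com
RID pool manager            dc02.contoso.com
Infrastructure master       dc03.contoso.com
The command completed successfully.
'@ -split "`r?`n"

# Per the Seize slide: only PDC and Infrastructure may go back to the original
# holder after a seizure; Schema, RID and domain naming may not.
$ReturnAllowed = 'PDC', 'Infrastructure master'

function Get-FsmoHolder {
    param([string[]]$NetdomOutput)
    foreach ($line in $NetdomOutput) {
        # Role name and holder are separated by a run of two or more spaces,
        # which also skips the single-spaced status line at the end.
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<dc>\S+)\s*$') {
            [pscustomobject]@{ Role = $Matches.role; Holder = $Matches.dc }
        }
    }
}

function Get-RolesToMove {
    param([string[]]$NetdomOutput, [string]$Dc)
    Get-FsmoHolder -NetdomOutput $NetdomOutput |
        Where-Object { $_.Holder -eq $Dc } |
        ForEach-Object {
            $note = if ($ReturnAllowed -contains $_.Role) { 'original holder may return' } else { 'decommission original holder' }
            [pscustomobject]@{ Role = $_.Role; Holder = $_.Holder; IfSeizedInstead = $note }
        }
}

Get-RolesToMove -NetdomOutput $sample -Dc 'dc02.contoso.com' | Format-Table -AutoSize
# Against a live domain: Get-RolesToMove -NetdomOutput (netdom query fsmo) -Dc '<dc fqdn>'
```

An empty result means the DC holds no roles and can go offline without a transfer.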