Archive | September 2011

Adding additional Domain Controller


Why do we need to add additional Domain Controller? This answer is very simple: “for services redundancy” or “for domain authentication improvement in remote Site”.

In case of server failure, we still have another one which can provide necessary services in our network, which avoids business discontinuity.

First of all, we need to install new box or virtual machine with a server operating system that is supported in domain environment. To check what Windows Server versions can be installed and promoted as Domain Controller, we need to check Domain Functional Level.

To do that, we have to open Active Directory Users and Computers on existing DC from Administrative Tools and then select domain name. Click on it right mouse button and choose “Raise domain functional level”

Domain Functional Level

Important! Be careful there, do not change anything in configuration. We need to only check what Domain Functional Level is set up. Changes cannot be reverted!

When you choose this option, you will see a window with information about current Domain Functional Level. If the highest possible DFL will be selected, then you cannot change anything. In case that DFL is lower than the highest possible, you will see a dropdown box, where you can select higher DFL modes. Do not do that! You may disrupt your domain environment.

Check Domain Functional Level

Domain Functional Level

This information tells us that only Windows Server 2008 R2 can be promoted as Domain Controller.

You may find one of these Domain Functional Levels:

  • Windows 2000 mixed – this mode supports NT4, Windows 2000 Server, Windows Server 2003
  • Windows 2000 native – it doesn’t support NT4 but additionally supports Windows Server 2008 and Windows Server 2008 R2
  • Windows Server 2003 – supports Windows Server 2003 and above
  • Windows Server 2008 – supports Windows Server 2008 and above
  • Windows Server 2008 R2 – only Windows Server 2008 R2 is supported

In this scenario we see that only Windows Server 2008 R2 can be promoted, so we need to use this OS version.

When server is already installed, you have to configure its network card properties to be able to start promotion process. As it is Domain Controller, server requires static IP address from the same subnet or subnet which is routable within a network. As directory services rely on DNS server, you need to properly point where the service is running. In example this server is (a forest root domain DC).

Network card configuration

Accept NIC changes and start dcpromo from run box

Running dcpromo

and follow with Active Directory Installation wizard (use advance mode)

Active Directory Installation wizard

Skip a screen with information about NT4 and 2008 R2 security incompatibility

NT4 security incompatibility warning

We are adding new Domain Controller into existing forest and existing domain, so in this case we need to choose the first option

Adding DC into existing forest

Provide DNS domain name to which you want to add new Domain Controller and specify domain administrator credentials to be able to do that.

Choosing domain

Select domain and click “Next”

Choosing domain

Point in which Site this DC should be placed (if you are not sure, leave default, you can change it later)

Selecting a Site for DC

Choose additional roles which should be installed on this DC (leave defaults). If you don’t want to use any of them, you can add them later (but I suggest installing them now). The last unchecked option is only for Read-Only Domain Controller which is not an option of this article, so do not check it.

Additional roles on a DC

This DNS server is a part of testenv.local (existing DNS zone), so no action is required. Choose “Yes” and continue

DNS delegation warning

Choose default option to replicate data from other existing DC in a network.

Active Directory data replication

You can select from which Domain Controller data will be replicated, but leave defaults if you don’t need specific one.

At this stage, you have to point where Active Directory database, logs and other AD related data will be stored. You can choose separate drive(s) for that but it’s not necessary.

Active Directory database location

Set up Directory Services Restoration Mode password. It doesn’t have to be the same as Domain Administrator account or DSRM on other Domain Controller(s). This password is used when you need to boot a server in Directory Services Restoration Mode to do non-authoritative/authoritative restore or Active Directory database maintenance.

DSRM password

and start server promotion by clicking on “Next” button

Summary screen

select “reboot on completion” checkbox to reboot server after AD installation and wait until it will be up and running.

Congratulations! Your additional Domain Controller is ready.

Additional Domain Controller

It’s done.

Author: Krzysztof Pytko

Configuring a forest root domain on Windows Server 2008 R2


This scenario is suitable mostly for test environments because it is very rarely that someone wants to do that in production (because it already exists). But of course, maybe you start creating domain environment for new company which doesn’t have it. Then this article is also for you.

This article describes only single forest, single domain scenario.

We need some details before we will start configuration.

  • Company name – which will be helpful in choosing forest/domain name
  • Network configuration – valid IP addresses range for our company, router’s IP (as default gateway)
  • ISP DNS servers on any public DNS servers –  to be able to access the Internet resources from our company
  • Services we need to run –  what additional services will be required to fulfill a company requirements

Let’s start to prepare them all.

  • Company name – Test Environment
  • Network configuration – IP addresses range; the last available IP address is a router (default gateway)
  • Public DNS servers – and (Google public DNS servers)
  • Services – Active Directory: Directory Services, DNS server(s), DHCP server(s)

Now, we can install our first Windows Server 2008 R2 and configure it. After that we will be able to promote this box as a Domain Controller.

When our server is installed, then we need to log on there on local administrator account and we can start its preparation.

Open Network Card configuration and set up static IP address for your server (in this case it’s with network mask)

This is very important part of network configuration before promoting server as a Domain Controller. In DNS preferred IP address type (loopback interface) or the same IP address as server is configured to point the server to DNS itself.

Network card configuration

Accept configuration and start promoting server by typing in run box dcpromo

Running DC promotion

You should see Active Directory Domain Services Installation wizard. Select “Use advanced mode installation” checkbox and follow with its instructions.

Active Directory Installation wizard

This warning is not so important for us, because we have no older operating systems as Domain Controllers within network. It’s about security incompatibility between NT4 and 2008/2008R2, so let’s skip this screen.

OS security incompatibility warning

At this point, we have to choose what we want to do with domain configuration. As this article is about forest root domain, we don’t have to consider another option, now. We are creating completely new domain in a new forest.

A forest root domain creation

You will see a window with question about forest root domain name. It’s good to set up name related with your company. This is so called FQDN (Fully Qualified Domain Name or also known as DNS Domain Name). Create internal domain name to separate it from your external (if it would be necessary, i.e. for e-mail) with .local or .private suffix. These suffixes suggest that DNS domain is for local resources and this is also connected with your local DNS zone name.

DNS domain name

now, specify NetBIOS domain name

NetBIOS domain name

Now, you need to choose Forest Functional Level

Setting up FFL will also configure Domain Functional Level in the same mode.

This is very important step in forest/domain configuration. This setting determines which operating systems can be promoted to Domain Controllers. As we are configuring the only single forest/domain environment it is not so difficult.

Domain Functional Level determines which operating systems can act as Domain Controllers within that particular domain. By default (in new forest/domain configuration) it suggests Windows Server 2003 which means that older OSes cannot be promoted as DCs. So, NT4 and Windows 2000 Server cannot be used in a network with AD:DS role. They still can be a domain member servers but not Domain Controllers.

When you change DFL to Windows Server 2008 then only Windows Server 2008 and 2008 R2 can be promoted to be DCs. And the last choice is Windows Server 2008 R2 – the only possible operating system for Domain Controllers is Windows Server 2008 R2.

Each domain can be set up on a different Domain Functional Levels. But they have to fulfill Forest Functional Level to be able to operate within a forest.

If you have more than one domain in a forest then you have to evaluate which one work in the lowest mode. The lowest Domain Functional Level in a forest determines the highest Forest Functional Level.

Forest Functional Level determines that all Domain Controllers in each domain cannot work on older operating system than it’s specified in FFL.

If your FFL is set up to Windows Server 2003 that means, all of Domain Controllers in a forest are based on at least Windows Server 2003.

It’s similar to other modes (2008/2008 R2)

Important! When you set up Domain/Forest Functional level it cannot be changed to lower mode, so be careful when you choose them. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it without any business continuity disruption later.

As we don’t want to use older OSes as DCs, we plan to use only Windows Server 2008 R2, we can change Forest Functional Level to Windows Server 2008 R2. Domain Functional Level will be set up on the same level automatically.

Forest Functional Level

This is our first domain and first Domain Controller, so we need to also set up new internal DNS server to be able to use Active Directory. Whole Active Directory services rely on DNS services, so they have to be always available.

Additional roles for DC

We are configuring our first DNS server, so it doesn’t exist right now, don’t worry and continue

DNS warning

Specify Active Directory database, logs location (you can leave defaults, those files are not so huge and if server act as AD,DNS only, that’s enough space)

Active Directory files location

Set up password for Directory Services Restoration Mode which will be used in case of non-authoritative/authoritative restore or other AD database maintenance. This password should be different than Domain Administrator password and should be also changed regularly.

DSRM password

On the summary screen, you can review chosen settings and start server promotion process

Summary screen

After all, server reboot it’s required. You can do it manually, or select “Reboot on completion” checkbox and wait until promotion will be done

Active Directory:Directory Services installation

Congratulations! Your Domain Controller for a forest root domain is ready! You can log on, on it, using password specified during promotion process (the same password as Directory Services Restoration Mode)

A forest root Domain Controller

Log on, using domain administrator credentials into your new Domain Controller. We have to configure DNS server to send unresolved DNS queries to ISP DNS server(s) or any other public DNS server(s). This configuration is necessary to be able to access the Internet resources from our internal network.

Open DNS management console from Administrative Tools and select server name. In the right pane at the bottom of that window, double click on Forwarders

Configuring forwaders on DNS server

You should see a window, where you can put ISP or public DNS servers. Click on “Edit” button to add those servers IP address

Configuring forwarders on DNS server

Enter IP addresses of external DNS servers and wait for their validation. If everything is ok, you would see green shield next to IP addresses.

Configuring forwarders on DNS server

Close DNS management console.

After all, you should consider Domain Controller and DNS server redundancy in your network by placing additional server with these roles. Another very important part is performing System State backup of Domain Controllers regularly.

In case of lack hardware resources in your network, you can consider placing DHCP server on this Domain Controller. However, it’s not recommended to install additional roles on DCs because of security reasons.

Above, topics would be described in another articles.

It’s done.

Author: Krzysztof Pytko