Why do we need to add an additional Domain Controller? The answer is very simple: for service redundancy, or to improve domain authentication in a remote Site.
In case of a server failure, we still have another one that can provide the necessary services in our network, which keeps the business running.
First of all, we need to install a new box or virtual machine with a server operating system that is supported in the domain environment. To check which Windows Server versions can be installed and promoted as a Domain Controller, we need to check the Domain Functional Level.
To do that, open Active Directory Users and Computers on an existing DC from Administrative Tools and select the domain name. Right-click it and choose “Raise domain functional level”.
Important! Be careful there; do not change anything in the configuration. We only need to check which Domain Functional Level is set up. Changes cannot be reverted!
When you choose this option, you will see a window with information about the current Domain Functional Level. If the highest possible DFL is already selected, you cannot change anything. If the DFL is lower than the highest possible, you will see a dropdown box where you can select higher DFL modes. Do not do that! You may disrupt your domain environment.
Check Domain Functional Level
This information tells us that only Windows Server 2008 R2 can be promoted as a Domain Controller.
You may find one of these Domain Functional Levels:
- Windows 2000 mixed – this mode supports NT4, Windows 2000 Server, Windows Server 2003
- Windows 2000 native – does not support NT4, but additionally supports Windows Server 2008 and Windows Server 2008 R2
- Windows Server 2003 – supports Windows Server 2003 and above
- Windows Server 2008 – supports Windows Server 2008 and above
- Windows Server 2008 R2 – only Windows Server 2008 R2 is supported
In this scenario we see that only Windows Server 2008 R2 can be promoted, so we need to use this OS version.
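The same check without the “Raise domain functional level” dialog, as an added example that is not part of the original article: it reads the level attributes from the directory and maps them to the table above. It assumes it runs on a domain-joined machine as a user who can read the directory; the `Get-FunctionalLevelReport` name and the mapping tables are this example's own.

```powershell
# Added example (not from the article): read the Domain and Forest Functional Level without opening
# the "Raise domain functional level" dialog, so nothing can be raised by accident. Works on any
# domain-joined machine as an ordinary directory reader; no administrative rights are needed.
function Get-FunctionalLevelReport {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domain     = [ADSI]"LDAP://$($rootDse.Properties['defaultNamingContext'][0])"
    $partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.Properties['configurationNamingContext'][0])"

    # msDS-Behavior-Version holds the functional level: on the domain object it is the DFL, on
    # CN=Partitions in the configuration partition it is the FFL. ntMixedDomain=1 means "Windows 2000 mixed".
    $dfl   = [int]$domain.Properties['msDS-Behavior-Version'][0]
    $ffl   = [int]$partitions.Properties['msDS-Behavior-Version'][0]
    $mixed = ([int]$domain.Properties['ntMixedDomain'][0]) -eq 1

    $levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
                     3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2' }
    # Operating systems that can still be promoted at each DFL, as listed in the article.
    $promotable = @{
        0 = @('Windows 2000 Server', 'Windows Server 2003', 'Windows Server 2008', 'Windows Server 2008 R2')
        2 = @('Windows Server 2003', 'Windows Server 2008', 'Windows Server 2008 R2')
        3 = @('Windows Server 2008', 'Windows Server 2008 R2')
        4 = @('Windows Server 2008 R2')
    }
    if ($mixed) { $promotable[0] = @('Windows NT 4.0', 'Windows 2000 Server', 'Windows Server 2003') }

    $dflName = if ($levelNames.ContainsKey($dfl)) { $levelNames[$dfl] } else { "level $dfl (newer than this article covers)" }
    if ($dfl -eq 0) { $dflName += $(if ($mixed) { ' mixed' } else { ' native' }) }
    $fflName = if ($levelNames.ContainsKey($ffl)) { $levelNames[$ffl] } else { "level $ffl (newer than this article covers)" }
    $osList  = if ($promotable.ContainsKey($dfl)) { $promotable[$dfl] } else { @('consult current documentation') }

    New-Object PSObject -Property @{
        Domain                = $domain.Properties['distinguishedName'][0]
        DomainFunctionalLevel = $dflName
        ForestFunctionalLevel = $fflName
        PromotableServerOS    = $osList
    }
}

Get-FunctionalLevelReport | Format-List Domain, DomainFunctionalLevel, ForestFunctionalLevel, PromotableServerOS
```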
When the server is installed, you have to configure its network card properties before you can start the promotion process. As it is a Domain Controller, the server requires a static IP address from the same subnet, or from a subnet that is routable within the network. As directory services rely on DNS, you need to point the server at the DNS server that is running the service. In this example that server is 192.168.1.1 (the forest root domain DC).
Accept the NIC changes and start dcpromo from the Run box
and follow the Active Directory Installation wizard (use advanced mode)
Skip the screen with information about the NT4 and 2008 R2 security incompatibility
We are adding a new Domain Controller to an existing forest and existing domain, so in this case we need to choose the first option
Provide the DNS domain name to which you want to add the new Domain Controller and specify domain administrator credentials to be able to do that.
Select domain and click “Next”
Select the Site in which this DC should be placed (if you are not sure, leave the default; you can change it later)
Choose the additional roles that should be installed on this DC (leave the defaults). If you don’t want to use any of them, you can add them later (but I suggest installing them now). The last unchecked option is only for a Read-Only Domain Controller, which is not covered in this article, so do not check it.
This DNS server is part of testenv.local (an existing DNS zone), so no action is required. Choose “Yes” and continue
Choose the default option to replicate data from another existing DC in the network.
You can select which Domain Controller the data will be replicated from, but leave the defaults if you don’t need a specific one.
At this stage, you have to specify where the Active Directory database, logs and other AD-related data will be stored. You can choose separate drive(s) for that, but it’s not necessary.
Set up the Directory Services Restore Mode password. It doesn’t have to be the same as the Domain Administrator password or the DSRM password on other Domain Controller(s). This password is used when you need to boot the server in Directory Services Restore Mode to do a non-authoritative/authoritative restore or Active Directory database maintenance.
and start the server promotion by clicking the “Next” button
select the “Reboot on completion” checkbox to reboot the server after the AD installation, and wait until it is up and running.
Congratulations! Your additional Domain Controller is ready.
Author: Krzysztof Pytko
This scenario is suitable mostly for test environments, because it is very rare that someone wants to do this in production (because the domain already exists). But of course, maybe you are creating a domain environment for a new company which doesn’t have one yet. Then this article is also for you.
This article describes only the single forest, single domain scenario.
We need some details before we start the configuration.
- Company name – helpful in choosing the forest/domain name
- Network configuration – the valid IP address range for our company and the router’s IP (default gateway)
- ISP DNS servers or any public DNS servers – to be able to access Internet resources from our company
- Services we need to run – which additional services are required to fulfil the company’s requirements
Let’s prepare them all.
- Company name – Test Environment
- Network configuration – IP address range 192.168.1.0/24; the last available IP address is the router (default gateway)
- Public DNS servers – 22.214.171.124 and 126.96.36.199 (Google public DNS servers)
- Services – Active Directory: Directory Services, DNS server(s), DHCP server(s)
Now we can install our first Windows Server 2008 R2 and configure it. After that we will be able to promote this box as a Domain Controller.
When the server is installed, log on there with the local administrator account and start its preparation.
Open the Network Card configuration and set up a static IP address for your server (in this case it’s 192.168.1.1 with the 255.255.255.0 network mask)
This is a very important part of the network configuration before promoting the server as a Domain Controller. In the Preferred DNS server field, type 127.0.0.1 (the loopback interface) or the same IP address the server is configured with, 192.168.1.1, so that the server uses itself for DNS.
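The NIC preparation from both parts of the article (the additional DC pointed at 192.168.1.1, and the first DC pointed at itself), as an added example that is not part of the original article. It assumes the adapter is named “Local Area Connection”, the router is 192.168.1.254 (the last address of 192.168.1.0/24) and the additional DC uses 192.168.1.2; the function names are this example's own.

```powershell
# Added example (not from the article): apply the static address and DNS setting the article asks for,
# then verify them before running dcpromo. Assumptions: NIC "Local Area Connection", gateway 192.168.1.254,
# additional DC at 192.168.1.2. Run from an elevated PowerShell prompt (2008 R2 ships PowerShell 2.0).
function Set-DcNetworkConfig {
    param(
        [Parameter(Mandatory=$true)] [string]$Address,
        [Parameter(Mandatory=$true)] [string]$DnsServer,
        [string]$Interface = 'Local Area Connection',
        [string]$Mask      = '255.255.255.0',
        [string]$Gateway   = '192.168.1.254'
    )
    netsh interface ipv4 set address "$Interface" static $Address $Mask $Gateway | Out-Null
    netsh interface ipv4 set dns "$Interface" static $DnsServer | Out-Null
}

# Returns $true when the adapter is static, its preferred DNS is the expected one and (for a replica)
# that DNS server knows the domain's DC locator SRV record. Pass no -Domain for the first DC of a new forest.
function Test-DcNetworkConfig {
    param([string]$Address, [string]$DnsServer, [string]$Domain)
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.IPAddress -contains $Address }
    $ok = $true
    if (-not $nic)            { Write-Warning "No adapter carries $Address"; $ok = $false }
    elseif ($nic.DHCPEnabled) { Write-Warning 'Adapter still uses DHCP; a DC needs a static address'; $ok = $false }
    elseif ($nic.DNSServerSearchOrder[0] -ne $DnsServer) {
        Write-Warning "Preferred DNS is $($nic.DNSServerSearchOrder[0]), expected $DnsServer"; $ok = $false
    }
    if ($Domain) {
        # A replica locates the existing DCs through _ldap._tcp.dc._msdcs.<domain> on that DNS server.
        $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DnsServer 2>&1
        if (-not ($srv -match 'svr hostname')) { Write-Warning "No DC SRV record for $Domain on $DnsServer"; $ok = $false }
    }
    return $ok
}

# Additional DC (first part of the article): static 192.168.1.2, DNS pointed at the existing DC.
Set-DcNetworkConfig  -Address 192.168.1.2 -DnsServer 192.168.1.1
Test-DcNetworkConfig -Address 192.168.1.2 -DnsServer 192.168.1.1 -Domain testenv.local
# First DC of a new forest (second part): 192.168.1.1 with DNS pointed at itself; no SRV record exists yet.
# Set-DcNetworkConfig  -Address 192.168.1.1 -DnsServer 127.0.0.1
# Test-DcNetworkConfig -Address 192.168.1.1 -DnsServer 127.0.0.1
```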
Accept the configuration and start promoting the server by typing dcpromo in the Run box
You should see the Active Directory Domain Services Installation wizard. Select the “Use advanced mode installation” checkbox and follow its instructions.
This warning is not so important for us, because we have no older operating systems as Domain Controllers in the network. It’s about the security incompatibility between NT4 and 2008/2008 R2, so let’s skip this screen.
At this point, we have to choose what we want to do with the domain configuration. As this article is about a forest root domain, we don’t have to consider the other option now. We are creating a completely new domain in a new forest.
You will see a window asking for the forest root domain name. It’s good to choose a name related to your company. This is the so-called FQDN (Fully Qualified Domain Name, also known as the DNS domain name). Create an internal domain name with a .local or .private suffix to separate it from your external one (if that is necessary, e.g. for e-mail). These suffixes indicate that the DNS domain is for local resources, and the name is also your local DNS zone name.
Now, specify the NetBIOS domain name
Now you need to choose the Forest Functional Level
Setting the FFL will also configure the Domain Functional Level to the same mode.
This is a very important step in the forest/domain configuration. This setting determines which operating systems can be promoted to Domain Controllers. As we are configuring only a single forest/domain environment, it is not so difficult.
The Domain Functional Level determines which operating systems can act as Domain Controllers within that particular domain. By default (in a new forest/domain configuration) it suggests Windows Server 2003, which means that older OSes cannot be promoted as DCs. So NT4 and Windows 2000 Server cannot be used in the network with the AD DS role. They can still be domain member servers, but not Domain Controllers.
When you change the DFL to Windows Server 2008, only Windows Server 2008 and 2008 R2 can be promoted to DCs. And the last choice is Windows Server 2008 R2: the only possible operating system for Domain Controllers is then Windows Server 2008 R2.
Each domain can be set up at a different Domain Functional Level. But they have to meet the Forest Functional Level to be able to operate within the forest.
If you have more than one domain in a forest, then you have to evaluate which one works in the lowest mode. The lowest Domain Functional Level in the forest determines the highest Forest Functional Level.
The Forest Functional Level means that no Domain Controller in any domain can run an older operating system than the one specified in the FFL.
If your FFL is set to Windows Server 2003, that means all Domain Controllers in the forest are based on at least Windows Server 2003.
It’s similar for the other modes (2008/2008 R2).
Important! When you set up a Domain/Forest Functional Level it cannot be changed to a lower mode, so be careful when you choose them. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it later without any business continuity disruption.
As we don’t want to use older OSes as DCs and plan to use only Windows Server 2008 R2, we can change the Forest Functional Level to Windows Server 2008 R2. The Domain Functional Level will be set to the same level automatically.
This is our first domain and first Domain Controller, so we also need to set up a new internal DNS server to be able to use Active Directory. All Active Directory services rely on DNS, so it has to be always available.
We are configuring our first DNS server, so it doesn’t exist right now; don’t worry and continue
Specify the Active Directory database and logs location (you can leave the defaults; those files are not so huge, and if the server acts as AD/DNS only, that’s enough space)
Set up the password for Directory Services Restore Mode, which will be used in case of a non-authoritative/authoritative restore or other AD database maintenance. This password should be different from the Domain Administrator password and should also be changed regularly.
On the summary screen, you can review the chosen settings and start the server promotion process
After all that, a server reboot is required. You can do it manually, or select the “Reboot on completion” checkbox and wait until the promotion is done
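The two wizard runs in this article (the forest root domain here, and the additional DC from the first part) expressed as dcpromo answer files, as an added example that is not part of the original article. The [DCInstall] keys are dcpromo's documented unattend parameters; the domain name testenv.local, NetBIOS name TESTENV, replication source dc1.testenv.local, the default Site and default paths are assumptions, and the helper name is this example's own.

```powershell
# Added example (not from the article): drive dcpromo with an answer file instead of clicking through
# the wizard, so every setting is reviewable before promotion starts. Assumptions: testenv.local / TESTENV,
# existing DC dc1.testenv.local, default Site and paths. Run elevated on the server being promoted.
function Invoke-DcPromoUnattended {
    param([Parameter(Mandatory=$true)] [string[]]$Settings)
    $dsrm  = Read-Host 'Directory Services Restore Mode password' -AsSecureString
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    # The answer file must carry the DSRM password in clear text, so it lives only while dcpromo runs.
    $answer = Join-Path $env:SystemRoot 'Temp\dcpromo-answer.txt'
    @('[DCInstall]') + $Settings + "SafeModeAdminPassword=$plain" | Set-Content -Path $answer -Encoding ASCII
    try     { & "$env:SystemRoot\System32\dcpromo.exe" /unattend:$answer; return $LASTEXITCODE }
    finally { Remove-Item $answer -Force -ErrorAction SilentlyContinue }
}

# Forest root domain (this part of the article): new forest, ForestLevel/DomainLevel 4 = Windows Server 2008 R2,
# DNS installed with the DC, no delegation (the parent zone does not exist for an internal .local name).
$forestRoot = @(
    'ReplicaOrNewDomain=Domain', 'NewDomain=Forest',
    'NewDomainDNSName=testenv.local', 'DomainNetbiosName=TESTENV',
    'ForestLevel=4', 'DomainLevel=4',
    'InstallDNS=Yes', 'CreateDNSDelegation=No',
    'DatabasePath=C:\Windows\NTDS', 'LogPath=C:\Windows\NTDS', 'SYSVOLPath=C:\Windows\SYSVOL',
    'RebootOnCompletion=Yes'
)
# Additional DC in the existing domain (first part of the article): replica with DNS and Global Catalog,
# replicating from dc1; Password=* makes dcpromo prompt for the domain administrator's password.
$replica = @(
    'ReplicaOrNewDomain=Replica', 'ReplicaDomainDNSName=testenv.local',
    'UserDomain=testenv.local', 'UserName=Administrator', 'Password=*',
    'SiteName=Default-First-Site-Name', 'InstallDNS=Yes', 'ConfirmGc=Yes',
    'ReplicationSourceDC=dc1.testenv.local',
    'DatabasePath=C:\Windows\NTDS', 'LogPath=C:\Windows\NTDS', 'SYSVOLPath=C:\Windows\SYSVOL',
    'RebootOnCompletion=Yes'
)

Invoke-DcPromoUnattended -Settings $forestRoot   # for the additional DC: Invoke-DcPromoUnattended -Settings $replica
```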
Congratulations! Your Domain Controller for the forest root domain is ready! You can log on to it using the password specified during the promotion process (the same password as for Directory Services Restore Mode)
Log on to your new Domain Controller using domain administrator credentials. We have to configure the DNS server to send unresolved DNS queries to the ISP DNS server(s) or any other public DNS server(s). This configuration is necessary to be able to access Internet resources from our internal network.
Open the DNS management console from Administrative Tools and select the server name. In the right pane, at the bottom of the window, double-click Forwarders
You should see a window where you can put the ISP or public DNS servers. Click the “Edit” button to add those servers’ IP addresses
Enter the IP addresses of the external DNS servers and wait for their validation. If everything is OK, you will see a green shield next to the IP addresses.
Close DNS management console.
After all that, you should consider Domain Controller and DNS server redundancy in your network by placing an additional server with these roles. Another very important part is performing a System State backup of the Domain Controllers regularly.
If you lack hardware resources in your network, you can consider placing the DHCP server on this Domain Controller. However, it’s not recommended to install additional roles on DCs for security reasons.
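The forwarder configuration and the regular System State backup recommended above, done from the command line, as an added example that is not part of the original article. The forwarder addresses are placeholders from the TEST-NET-3 range, E: is assumed to be a separate backup volume, and the check function name is this example's own.

```powershell
# Added example (not from the article): post-promotion tasks from an elevated prompt on the new DC.
# Assumptions: forwarder addresses are placeholders (replace with your ISP's or a public resolver's),
# E: is a dedicated backup volume, not the one holding the AD database.
$forwarders = @('203.0.113.53', '203.0.113.54')   # placeholders (TEST-NET-3), replace before use

# Same setting as the Forwarders tab in the DNS console; dnscmd.exe is installed with the DNS Server role.
dnscmd localhost /ResetForwarders $forwarders /Timeout 3

# The DC's preferred DNS server is itself, so an external name resolves only if the forwarders work.
# Returns $true when a lookup through the new DC succeeds.
function Test-ExternalResolution {
    param([string]$Name = 'www.microsoft.com')
    try   { return ([System.Net.Dns]::GetHostAddresses($Name)).Count -gt 0 }
    catch { return $false }
}
if (-not (Test-ExternalResolution)) {
    Write-Warning 'External names do not resolve; check the forwarder addresses and the default gateway'
}

# System State backup (AD database, SYSVOL, registry, certificates). Needs the Windows Server Backup
# feature first: servermanagercmd -install Backup-Features
wbadmin start systemstatebackup -backupTarget:E: -quiet
# Make it regular: a nightly scheduled task running the same command as SYSTEM.
schtasks /Create /TN 'DC System State Backup' /SC DAILY /ST 22:00 /RU SYSTEM `
         /TR 'wbadmin start systemstatebackup -backupTarget:E: -quiet'
```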
The topics above will be described in other articles.
Author: Krzysztof Pytko