
Microsoft Press MCTS Training Kit 70-640: Configuring Windows Server 2008 Active Directory, part 6


Chapter 9 Review

tion process to the automatically created delegations the wizard generates. This will familiarize you with the various pages presented by the wizards.

■ Practice 2 Work with zones, creating each of the three supported zone types one after the other. Try as many configuration options as possible. Then, create as many different record types as possible. This will familiarize you with the different dialog boxes and wizards used to configure zones and records.
■ Practice 3 Work with the command-line tools and try as many different switches as possible for each tool. The Dnscmd.exe command, especially, will be present on the exam. Familiarity with this command will help you understand its function better.
■ Practice 4 Work with the DNS event log and tracing log and examine their content. Familiarity with DNS logging is essential for any DNS operator.

Take a Practice Test

The practice tests on this book’s companion CD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-640 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.

MORE INFO Practice tests
For details about all the practice test options available, see the “How to Use the Practice Tests” section in this book’s introduction.

Chapter 10 Domain Controllers

Domain controllers (DCs) host the directory service and perform the services that support identity and access management in a Microsoft Windows enterprise. To this point in the training kit, you have learned to support the logical and management components of an Active Directory Domain Services (AD DS) infrastructure: users, groups, computers, and Group Policy. Each of these components is contained in the directory database and in SYSVOL on domain controllers.
In this chapter, you will begin your exploration of the service-level components of Active Directory, starting with the domain controllers themselves. You will learn how to add Windows Server 2008 domain controllers to a forest or domain, how to prepare a Microsoft Windows Server 2003 forest or domain for its first Windows Server 2008 DC, how to manage the roles performed by DCs, and how to migrate the replication of SYSVOL from the File Replication Service (FRS) used in previous versions of Windows to the Distributed File System Replication (DFS-R) mechanism that provides more robust and manageable replication.

Exam objectives in this chapter:
■ Configure a forest or a domain.
■ Configure Active Directory replication.
■ Configure operations masters.

Lessons in this chapter:
■ Lesson 1: Installing Domain Controllers
■ Lesson 2: Configuring Operations Masters
■ Lesson 3: Configuring DFS Replication of SYSVOL

Before You Begin

To complete the practices in this chapter, you must have created a domain controller named SERVER01 in a domain named contoso.com and a member server, with a full installation, joined to the domain named SERVER02. See Chapter 1, “Installation,” for detailed steps for this task.

Real World
Dan Holme

Active Directory enables you to configure a domain and a forest with a single domain controller. But that’s not enough. Domain controllers provide functionality critical to the identity and access management requirements of an enterprise, and if a domain controller fails, you must have a way to provide continuity of service. That’s why it’s very important to have at least two DCs in a domain.
As soon as you start adding DCs to a domain, you start needing to consider replication, and in this chapter, you’ll learn about one of the exciting new features of Windows Server 2008: DFS-R of SYSVOL. FRS, used by previous versions of Windows and supported by Windows Server 2008 for backward compatibility, has been a notorious weak spot prone to problems and difficult to troubleshoot. To take advantage of this feature, all domain controllers must be running Windows Server 2008, so you’ll need to know how to prepare an existing forest for its first Windows Server 2008 DC—another objective of this chapter. Finally, as you add domain controllers to an enterprise, you need to consider the placement of single master operations, which are special roles assigned to one DC in a forest or domain. By the time you’re through with this chapter, you’ll have the skills to improve the redundancy, performance, and manageability of multiple domain controllers in your enterprise.

Lesson 1: Installing Domain Controllers

In Chapter 1, you used the Add Roles Wizard in Server Manager to install Active Directory Domain Services (AD DS). Then you used the Active Directory Domain Services Installation Wizard to create the first DC in the contoso.com forest. Because DCs are critical to authentication, it is highly recommended to maintain at least two domain controllers in each domain in your forest to provide a level of fault tolerance in the event that one DC fails. You might also need to add domain controllers to remote sites or create new domains or trees in your Active Directory forest. In this lesson, you will learn user-interface, command-line, and unattended methods for installing domain controllers in a variety of scenarios.

After this lesson, you will be able to:
■ Install a DC, using the Windows interface, Dcpromo.exe command-line parameters, or an answer file for unattended installation.
■ Add Windows Server 2008 DCs to a domain or forest with Windows Server 2003 and Windows 2000 Server DCs.
■ Create new domains and trees.
■ Perform a staged installation of a read-only domain controller.
■ Install a DC from installation media to reduce network replication.
■ Remove a domain controller.

Estimated lesson time: 60 minutes

Installing a Domain Controller with the Windows Interface

If you want to use the Windows interface to install a domain controller, there are two major steps. First, you must install the AD DS role, which, as you learned in Chapter 1, can be accomplished using the Add Roles Wizard in Server Manager. After the AD DS role installation has copied the binaries required for the role to the server, you must install and configure AD DS by launching the Active Directory Domain Services Installation Wizard, using one of these methods:
■ Click Start and, in the Start Search box, type dcpromo and click OK.
■ When you complete the Add Roles Wizard, click the link to launch the Active Directory Domain Services Installation Wizard.
■ After adding the AD DS role, links will appear in Server Manager that remind you to run the Active Directory Domain Services Installation Wizard. Click any of those links.

The Active Directory Domain Services Installation Wizard is shown in Figure 10-1.

Figure 10-1 The Active Directory Domain Services Installation Wizard

NOTE All-in-one wizard
Microsoft documentation for Windows Server 2008 emphasizes the role-based model, so it recommends you add the AD DS role and then run Dcpromo.exe (the Active Directory Domain Services Installation Wizard). However, you can simply run Dcpromo.exe and, as a first step, the wizard detects that the AD DS binaries are not installed and adds the AD DS role automatically.
Unattended Installation Options and Answer Files

You can also add or remove a domain controller at the command line, using unattended installation supported by the Windows Server 2008 version of Dcpromo.exe. Unattended installation options provide values to the Active Directory Domain Services Installation Wizard. For example, the NewDomainDNSName option specifies a fully qualified domain name (FQDN) for a new domain. These options can be provided at the command line by typing dcpromo /unattendOption:value, for example, dcpromo /newdomaindnsname:contoso.com.

Alternatively, you can provide the options in an unattended installation answer file. The answer file is a text file that contains a section heading, [DCINSTALL], followed by options and their values in the option=value form. For example, the following file provides the NewDomainDNSName option:

    [DCINSTALL]
    NewDomainDNSName=contoso.com

The answer file is called by adding its path to the unattend parameter, for example:

    dcpromo /unattend:"path to answer file"

The options in the answer file can be overridden by parameters on the command line. For example, if the NewDomainDNSName option is specified in the answer file and the /NewDomainDNSName parameter is used on the command line, the value on the command line takes precedence. If any required values are neither in the answer file nor on the command line, the Active Directory Domain Services Installation Wizard will prompt for the answers, so you can use the answer file to partially automate an installation, providing a subset of configuration values to be used during an interactive installation. The wizard is not available when running Dcpromo.exe from the command line in Server Core. In that case, the Dcpromo.exe command will return with an error code.
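The following Python check is an added example, not code from the book or from Microsoft: it merges an answer file with command-line parameters using the precedence described above, lists required options that neither source supplies, and flags a Directory Services Restore Mode password stored in the file. The required-option list follows the new-forest answer file shown later in this chapter; the function names, the sample input, and treating a blank value as not supplied are assumptions.

```python
# Minimum options for a new forest, as listed in this chapter's answer file.
NEW_FOREST_REQUIRED = (
    "ReplicaOrNewDomain", "NewDomain", "NewDomainDNSName", "DomainNetBiosName",
    "ForestLevel", "DomainLevel", "InstallDNS", "DatabasePath", "LogPath",
    "SYSVOLPath", "SafeModeAdminPassword", "RebootOnCompletion",
)
SECRET_OPTIONS = ("SafeModeAdminPassword",)

# Constructed sample input.
SAMPLE_ANSWER_FILE = r"""
; constructed sample answer file
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=contoso.com
DomainNetBiosName=contoso
ForestLevel=3
DomainLevel=3
InstallDNS=yes
DatabasePath="e:\ntds"
LogPath="f:\ntdslogs"
SafeModeAdminPassword=
RebootOnCompletion=yes
"""
SAMPLE_ARGS = ["/unattend:answer.txt", "/NewDomainDNSName:corp.contoso.com"]


def parse_answer_file(text):
    """Return {lowercased option: value} from the [DCINSTALL] section."""
    options, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or INI-style comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "dcinstall"
        elif in_section and "=" in line:
            name, value = line.split("=", 1)
            options[name.strip().lower()] = value.strip().strip('"')
    return options


def parse_command_line(args):
    """Return {lowercased option: value} from /option:value arguments."""
    options = {}
    for arg in args:
        name, sep, value = arg.lstrip("/").partition(":")
        # /unattend:<path> only names the answer file; it is not an option.
        if arg.startswith("/") and sep and name.lower() != "unattend":
            options[name.lower()] = value.strip('"')
    return options


def lint(answer_text, args, required=NEW_FOREST_REQUIRED):
    file_opts = parse_answer_file(answer_text)
    cli_opts = parse_command_line(args)
    effective = {**file_opts, **cli_opts}       # command line takes precedence
    return {
        "effective": effective,
        "overridden": sorted(set(file_opts) & set(cli_opts)),
        # Assumption: a blank value counts as not supplied.
        "missing": [n for n in required if not effective.get(n.lower())],
        "secrets_in_file": [n for n in SECRET_OPTIONS if file_opts.get(n.lower())],
    }


if __name__ == "__main__":
    print(lint(SAMPLE_ANSWER_FILE, SAMPLE_ARGS))
```

On a full installation the options reported as missing are the ones the wizard would prompt for; on Server Core, where the wizard is not available, they should be resolved before Dcpromo.exe is run.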
For a complete list of parameters that you can specify as part of an unattended installation of AD DS, open an elevated command prompt and type the following command:

    dcpromo /?[:operation]

where operation is one of the following:
■ Promotion returns all parameters you can use when creating a domain controller.
■ CreateDCAccount returns all parameters you can use when creating a prestaged account for a read-only domain controller (RODC).
■ UseExistingAccount returns all parameters you can use to attach a new DC to a prestaged RODC account.
■ Demotion returns all parameters you can use when removing a domain controller.

MORE INFO Dcpromo parameters and unattended installation
For a complete reference of Dcpromo parameters and unattended installation options, see http://go.microsoft.com/fwlink/?LinkID=101181.

NOTE Generate an answer file
When you use the Windows interface to create a domain controller, the Active Directory Domain Services Installation Wizard gives you the option, on the Summary page, to export your settings to an answer file. If you need to create an answer file for use from the command line, for example, on a Server Core installation, you can use this shortcut to create an answer file with the correct options and values.

Installing a New Windows Server 2008 Forest

Chapter 1 discussed the installation of the first Windows Server 2008 DC in a new forest, using the Windows interface. Exercise 3, “Install a New Windows Server 2008 Forest with the Windows Interface,” and Exercise 4, “Install a New Windows Server 2008 Forest,” of Lesson 1, “Installing Active Directory Domain Services,” in that chapter detailed the steps to add the AD DS role to a server by using Server Manager and then to run Dcpromo.exe to promote the server to a domain controller. When creating a new forest root domain, you must specify the forest root Domain Name System (DNS) name, its NetBIOS name, and the forest and domain functional levels.
The first domain controller cannot be a read-only domain controller and must be a global catalog (GC) server. If the Active Directory Domain Services Installation Wizard detects that it is necessary to install or configure DNS, it does it automatically.

You can also use an answer file by typing dcpromo /unattend:"path to answer file", where the answer file contains unattended installation options and values. The following example contains the minimum parameters for an unattended installation of a new Windows Server 2008 domain controller in a new forest:

    [DCINSTALL]
    ReplicaOrNewDomain=domain
    NewDomain=forest
    NewDomainDNSName=fully qualified DNS name
    DomainNetBiosName=domain NetBIOS name
    ForestLevel={0=Windows 2000 Server Native; 2=Windows Server 2003 Native; 3=Windows Server 2008}
    DomainLevel={0=Windows Server 2000 Native; 2=Windows Server 2003 Native; 3=Windows Server 2008}
    InstallDNS=yes
    DatabasePath="path to folder on a local volume"
    LogPath="path to folder on a local volume"
    SYSVOLPath="path to folder on a local volume"
    SafeModeAdminPassword=password
    RebootOnCompletion=yes

You can also specify one or more unattended installation parameters and values at the command line. For example, if you don’t want the Directory Services Restore Mode password in the answer file, leave the entry blank and specify the /SafeModeAdminPassword:password parameter when you run Dcpromo.exe. You can also include all options on the command line itself.
The following example creates the first domain controller in a new forest in which you don’t expect to install any Windows Server 2003 domain controllers:

    dcpromo /unattend /installDNS:yes /dnsOnNetwork:yes /replicaOrNewDomain:domain /newDomain:forest /newDomainDnsName:contoso.com /DomainNetbiosName:contoso /databasePath:"e:\ntds" /logPath:"f:\ntdslogs" /sysvolpath:"g:\sysvol" /safeModeAdminPassword:password /forestLevel:3 /domainLevel:3 /rebootOnCompletion:yes

Installing Additional Domain Controllers in a Domain

If you have a domain with at least one domain controller running Windows 2000 Server, Windows Server 2003, or Windows Server 2008, you can create additional domain controllers to distribute authentication, create a level of fault tolerance in the event any one DC fails, or provide authentication in remote sites.

Installing the First Windows Server 2008 Domain Controller in an Existing Forest or Domain

If you have an existing forest with domain controllers running Windows Server 2003 or Windows 2000 Server, you must prepare them prior to creating your first Windows Server 2008 domain controller. That’s because there are objects and attributes that Windows Server 2008 adds to the directory that previous versions of Windows don’t understand. Therefore, the schema must be updated. The schema is the definition of the attributes and object classes that can exist within a domain. It is like the catalog for what can be created in other directory partitions.

To prepare the forest schema for Windows Server 2008, follow these steps:
1. Log on to the schema master as a member of the Enterprise Admins, Schema Admins, and Domain Admins groups. Lesson 2, “Configuring Operations Masters,” discusses operations masters and provides steps for identifying which domain controller is the schema master.
2. Copy the contents of the \Sources\Adprep folder from the Windows Server 2008 DVD to a folder on the schema master.
3. Open a command prompt and change directories to the Adprep folder.
4. Type adprep /forestprep and press Enter.
5. If you plan to install an RODC in any domain in the forest, type adprep /rodcprep and press Enter.

NOTE RODCPREP, anytime
You can also run Adprep /rodcprep at any time in a Windows 2000 Server or Windows Server 2003 forest. It does not have to be run in conjunction with /forestprep; however, you must run it and allow its changes to replicate throughout the forest prior to installing the first RODC. You can run Adprep /rodcprep from any DC as long as you are logged on as a member of the Enterprise Admins group.

Exam Tip
The Adprep /rodcprep command is required before installing an RODC into any domain in an existing forest with Windows Server 2003 or Windows 2000 Server domain controllers. It is not necessary if the forest is a new forest consisting only of Windows Server 2008 domain controllers.

You must allow time for the operation to complete. After the changes have replicated throughout the forest, you can continue to prepare the domains for Windows Server 2008.

To prepare a Windows 2000 Server or Windows Server 2003 domain for Windows Server 2008, perform these steps:
1. Log on to the domain infrastructure operations master as a member of Domain Admins. Lesson 2 provides steps for identifying which domain controller is the infrastructure operations master.
2. Copy the contents of the \Sources\Adprep folder from the Windows Server 2008 DVD to a folder on the infrastructure master.
3. Open a command prompt and change directories to the Adprep folder.
4. Type adprep /domainprep /gpprep and press Enter. On Windows Server 2003, you might receive an error message stating that updates were unnecessary. You can ignore this message.

Allow the change to replicate throughout the forest before you install a domain controller that runs Windows Server 2008.
Installing an Additional Domain Controller

Additional domain controllers can be added by installing AD DS and launching the Active Directory Domain Services Installation Wizard. You are prompted to choose the deployment configuration; to enter network credentials; to select a domain and site for the new DC; and to configure the DC with additional options such as DNS Server, Global Catalog, or Read-Only Domain Controller. The remaining steps are the same as for the first domain controller: configuring file locations and the Directory Services Restore Mode Administrator password.

If you have one domain controller in a domain, and if you select the Use Advanced Mode Installation check box on the Welcome To The Active Directory Domain Services Installation Wizard page, you are able to configure advanced options, which are:
■ Install From Media By default, a new domain controller replicates all data for all directory partitions it will host from other domain controllers during the Active Directory Domain Services Installation Wizard. To improve the performance of installation, particularly over slow links, you can use installation media created by existing domain controllers. Installation media is a form of backup. The new DC is able to read data from the installation media directly and then replicate only updates from other [...]

... snap-in (Active Directory Domains And Trusts) and choose Operations Master.
■ Schema Master: The Active Directory Schema snap-in. Right-click the root node of the snap-in (Active Directory Schema) and choose Operations Master.

NOTE Registering the Active Directory Schema snap-in
You must register the Active Directory Schema snap-in before...

... answer file for Dcpromo.exe. The steps for doing so are detailed at http://technet2.microsoft.com/windowsserver2008/en/library/f349e1e7-c3ce-4850-9e50-d8886c866b521033.mspx?mfr=true.

Attaching a Server to the RODC Account

After you have prestaged the account, the server can be attached to it. You cannot simply launch the Active Directory Domain Services Installation Wizard. You must do so by typing dcpromo...

Figure 10-2 PDC Operations Master

■ RID Master: The Active Directory Users And Computers snap-in. Right-click the domain and choose Operations Masters. Click the RID tab.
■ Infrastructure Master: The Active Directory Users And Computers snap-in. Right-click the domain and choose Operations Masters. Click the Infrastructure tab.
■ Domain Naming: The Active Directory Domains And Trusts snap-in. Right-click the root node of the snap-in (Active...

Installing a New Windows Server 2008 Child Domain

If you have an existing domain, you can create a new child domain by creating a Windows Server 2008 domain controller. Before you do, however, you must run Adprep /forestprep, as described in the “Installing the First Windows Server 2008 Domain Controller in an Existing Forest or Domain” section. Then install AD DS and launch the Active Directory Domain...

... For detailed steps for removing a domain controller, see http://technet2.microsoft.com/windowsserver2008/en/library/9260bb40-a808-422f-b33b-c3d2330f5eb81033.mspx. If a domain controller must be demoted while it cannot contact the domain, you must use the forceremoval option of Dcpromo.exe. Type dcpromo /forceremoval, and the Active Directory Domain Services Installation Wizard steps you through the process...

... RID master, and Infrastructure master.
5. Click Close.
6. Open the Active Directory Domains And Trusts snap-in.
7. Right-click the root node of the snap-in, Active Directory Domains And Trusts, and choose Operations Master. The dialog box identifies the domain controller performing the domain naming master role.
8. Click Close. The Active Directory Schema snap-in does not have a console of its own and cannot be...

... snap-in.
9. Open a command prompt, type regsvr32 schmmgmt.dll, and press Enter.
10. Click OK to close the message box that appears.
11. Click Start and, in the Start Search box, type mmc.exe, and press Enter.
12. Choose Add/Remove Snap-In from the File menu.
13. From the Available snap-ins list, choose Active Directory Schema, click Add, and then click OK.
14. Right-click the root node of the snap-in, Active Directory...

... of three domains, each of which includes two domain controllers running Windows Server 2003. You want to upgrade one of the domain controllers to Windows Server 2008. What must you do first?
A. Upgrade the domain controller’s operating system to Windows Server 2008.
B. Run the Adprep.exe /domainprep /gpprep command.
C. Run the Active Directory Domain Services Installation Wizard.
D. Run the Adprep.exe /forestprep...

... PDC emulator. Then open the Active Directory Users And Computers snap-in, right-click the domain, and choose Change Domain Controller. Select SERVER02. Right-click the domain and choose Operations Masters. Click the PDC tab and click Change. The role is transferred. When SERVER01 comes back online, right-click the domain, choose Change Domain Controller, and select SERVER01. Right-click the domain, choose...

... which you are connected: Active Directory Users And Computers [server02.contoso.com]
4. Right-click the contoso.com domain and choose Operations Masters.
5. Click the PDC tab. The tab indicates that SERVER01.contoso.com currently holds the role token. SERVER02.contoso.com is listed in the second dialog box. It should appear similar to Figure 10-2.
6. Click the Change button. An Active Directory Domain Services...

Date posted: 09/08/2014, 11:21
