We will now walk through installing and
configuring AD DS for a new domain. This process involves adding the AD
DS role and then running the dcpromo process. After installing AD, we
will explore postinstallation steps. To install AD domain services,
perform the following tasks:
- Log on to the server with an account with local administrator rights.
- Open Server Manager and then click on the Roles node in the left pane; then click the Add Roles link. This will launch the Add Roles Wizard. Click Next.
- Select the Active Directory Domain Services option. You will be prompted to add .Net Framework 3.5.1 Features. Click Add Required Features; then click Next to continue. You will be taken to the AD introduction page. Click Next to continue.
- Confirm that you do want to install AD DS and then click Install.
After the install completes, you should see a success confirmation
page. Verify whether the install was successful, then click Close.
Now that the AD DS role has been installed, you need to perform the dcpromo process, which will promote the server to a DC. Go to Start | Run. Type dcpromo in the Run box and then click OK. This will launch the AD DS Installation Wizard.
- At the Active Directory Domain Services page (see Figure 1), click Next to begin.
- You will be taken to the OS compatibility page. Click Next to continue.
- You must now choose whether this DC will be part of an existing forest or used to establish a new forest (see Figure 2). For our example, choose Create a new domain in a new forest, since we are creating a new forest and domain. Click Next.
- You now need to enter the FQDN for the new domain. Enter it into the text box as seen in Figure 3, then click Next. The wizard will then verify that the chosen domain name does not already exist on the network.
- You now need to select the Forest Functional Level to use for the new forest being deployed. If you are building a new domain that will only use Windows Server 2008 R2 DCs, you can select the Windows Server 2008 R2 functional level (see Figure 4). Then click Next.
- You can now select whether you want to include DNS as part of the install, as well as set the option to designate this DC as a GC (see Figure 5). Since this is the first DC in a new domain, it is required to be a GC. If you were adding a DC to an existing domain, you could optionally check the option to make this an RODC. Ensure that the option for DNS is selected, then click Next.
- If you receive a warning like the one in Figure 6, click Yes to continue. This warning is notifying you that you should ensure you own the domain name you are using for AD.
- You now need to select the drive and path to install the AD files (see Figure 7). In most simple installations, you can accept the defaults; however, you may choose to place the AD Database, Log Files, and SYSVOL folder on different disk spindles, which provides better performance. After selecting the paths for the AD files, click Next to continue.
- In the next step, you need to create a Directory Services Restore Mode password. This password is used to access the system when you boot it into Directory Services Restore Mode. Be sure to use a strong password and keep it somewhere safe. You will be required to create a Directory Services Restore Mode password for each DC you install. Click Next to continue.
- Verify the AD options on the summary page, then click Next to start the dcpromo process.
- During dcpromo, you can monitor the process from the wizard window as seen in Figure 8.
- After the dcpromo process completes, you will be taken to the Completing the AD DS Installation Wizard page. Click Finish to complete the wizard.
- For the dcpromo process to complete, the server needs to be rebooted. Click Restart Now at the restart prompt as seen in Figure 9.
When the server restarts, it will
restart as a DC in the new domain. Log on to the server with the same
credentials used for the administrator account when the server was in a
workgroup. The local administrator will have now been promoted to the
domain administrator account.
If you open Server Manager, you should
now see the AD DS and DNS roles listed under the Roles node. By
expanding the AD DS node, you will see two subnodes named ADUC and AD
Sites and Services (see Figure 10).
By running the BPA,
you can clear up any additional configuration tasks that are necessary
and ensure that no major problems are found with your fresh
installation. The initial run of the BPA will flag a few issues that
should be corrected immediately. These include:
- The PDC emulator in this forest should synchronize with a valid time source—As a best practice, you should synchronize your PDC emulator with an Internet time server. The BPA will give you the command w32tm /config /computer:<name of your DC> /manualpeerlist:time.windows.com /syncfromflags:manual /update
- The domain has only one functioning domain controller—You should immediately deploy a second DC for redundancy. With only one DC deployed, a DC failure would cause your entire domain to be offline. To add a second DC, perform the following tasks:
  - Set up a new Windows Server 2008 R2 server.
  - Set a static IP address and set the first DC as the primary DNS server.
  - Install the AD DS role and run dcpromo.
  - When prompted, select the option Add domain controller to an existing domain.
  - Select the existing domain name.
This will promote the new server as a DC in the existing domain. You should then be able to log on to the new DC with the domain administrator account set up when promoting the first DC. You can perform the same steps for each additional DC you want to add to the domain.
After correcting the aforementioned
initial issues, run the BPA again to ensure they were properly
corrected. Once you have resolved BPA issues, you should have a
reliable and supportable Active Directory Domain.
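The two initial BPA findings above (PDC emulator time source and a single DC) and the BPA re-run can all be handled from PowerShell. This is an added example, not code from the original text; the PDC emulator name DC1.corp.example.local, the domain corp.example.local, the site name Default-First-Site-Name, and the answer-file path C:\Temp\AddDC.txt are assumed values. The w32tm switches, the [DCInstall] replica keys, and the BestPractices module cmdlets are the ones Windows Server 2008 R2 ships.

```powershell
# Added example, not from the original page. Assumed names: PDC emulator
# DC1.corp.example.local, domain corp.example.local, answer file C:\Temp\AddDC.txt.

# --- Finding 1: point the PDC emulator at an external time source ---------------
# Run on DC1 (or remotely via /computer:). /syncfromflags:manual tells the time
# service to use only the listed peers; /update applies the change immediately.
w32tm /config /computer:DC1.corp.example.local /manualpeerlist:time.windows.com /syncfromflags:manual /update
w32tm /resync /computer:DC1.corp.example.local
# Confirm the source is now the external peer rather than the local CMOS clock.
w32tm /query /computer:DC1.corp.example.local /status

# --- Finding 2: add a second DC (run on the new server) -------------------------
# Prerequisites from the text: static IP, and DNS pointing at DC1.
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services

$dsrm  = Read-Host -AsSecureString 'Directory Services Restore Mode password for this DC'
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Password=* makes dcpromo prompt for the domain admin password at run time,
# so the joining credential is never written to disk.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.local
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=corp.example.local
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=Yes
"@

$answerFile = 'C:\Temp\AddDC.txt'
New-Item -ItemType Directory -Path (Split-Path $answerFile) -Force | Out-Null
Set-Content -Path $answerFile -Value $answer
$plain = $null
dcpromo /unattend:$answerFile          # reboots on completion

# --- After the reboot: verify and re-run the AD DS BPA ---------------------------
# Both DCs should now be listed for the domain.
nltest /dclist:corp.example.local

Import-Module BestPractices
Invoke-BpaModel Microsoft/Windows/DirectoryServices | Out-Null
# Anything still above Information severity is an open item to fix.
Get-BpaResult Microsoft/Windows/DirectoryServices |
    Where-Object { $_.Severity -ne 'Information' } |
    Format-Table Severity, Category, Title -AutoSize
```

Delete C:\Temp\AddDC.txt once the second DC is up, for the same reason as the forest answer file: it contained the DSRM password while dcpromo ran. If the time-source finding persists after the re-run, check that UDP 123 to the chosen peer is allowed outbound from the PDC emulator; the BPA reports the symptom, not the firewall cause.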
The next task you will need to complete is setting up your initial AD site. Even if you currently have only one site, you should define its subnets so that AD's site configuration is set up properly.