Preparing Active Directory for Windows Server 2008

Use Notepad to create an unattend file containing the lines of text shown here and name the file NewTree. For example, if the forest root domain controller of fabrikam.com. If you plan on installing a Server Core domain controller to create a new domain tree within an existing Active Directory forest that runs an earlier version of Windows Server, you must first update the forest schema with Adprep (see below). You can also use Dcpromo with an unattend file to create a new child domain under an existing domain in an existing forest.

For example, to create a new child domain named research. Use Notepad to create an unattend file containing the lines of text shown here and name the file NewChild. For example, if the domain controller of the parent domain has an IP address of. If you plan on installing a Server Core domain controller to create a new child domain within an existing Active Directory forest that runs an earlier version of Windows Server, you must first update the forest schema with Adprep.

You can use Dcpromo with an unattend file to install a replica (additional) domain controller within an existing domain in an existing forest. Use Notepad to create an unattend file containing the lines of text shown here and name the file AddReplica. On the Server Core installation on which you want to install the AD DS role, make sure that the Primary DNS Server setting points to the IP address of the first domain controller in the domain you are joining; otherwise the new server cannot locate the domain's SRV records and the promotion fails.

For example, if the first domain controller of fabrikam.com. Note that the last paragraph of the Dcpromo output typically warns that your server does not have a statically assigned IPv6 address. This warning can safely be ignored unless your environment relies on IPv6. Use the Repadmin command to verify that the new replica domain controller SEA-SC2 has successfully replicated the Active Directory database from the first domain controller in the fabrikam.com domain.

If you plan on installing a Server Core domain controller as a replica (additional) domain controller within an existing domain of an Active Directory forest that runs an earlier version of Windows Server, you must first prepare the forest and the domain with Adprep. You can also use Dcpromo with an unattend file to remove a domain controller from a domain, including removing the last domain controller from a domain or forest.

You can use Dcpromo with an unattend file to remove a replica domain controller from an existing domain. If your domain controller hosts any Active Directory-integrated DNS zones, the zone replicas on that server are removed, and any DNS delegations for those zones that point to your domain controller are removed as well. Use Notepad to create an unattend file containing the lines of text shown here and name the file RemoveReplica. You can customize your Dcpromo unattend file in various ways to control how a domain controller running Server Core is demoted.

The options you can include in a Dcpromo unattend file used for domain controller demotion are listed here with their meaning, their possible values, and their default when the option is omitted from the file:

DemoteFSMO (Yes or No; default No). Specifies that a forced removal should continue even if the domain controller holds an operations master role.

DNSDelegationPassword. Specifies the password of the user name used for removing the DNS delegation.

DNSDelegationUserName. Specifies the user name to be used for removing the DNS delegation. If unspecified, the credentials that you specified for AD DS removal are used.

Password. Specifies the password of the user name used to demote the domain controller.

RemoveApplicationPartitions (Yes or No; default No). Specifies that the application directory partitions hosted on this server should be removed during the demotion process.

RetainDCMetadata (Yes or No; default No). Specifies that the domain controller's metadata should be retained in the domain after the demotion process.

If you forcibly remove a domain controller that holds FSMO roles, you must seize those roles on another domain controller and clean up the removed server's metadata manually afterwards.
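The replica installation, the demotion, and the follow-up metadata cleanup described above, as an added PowerShell example; this is not code from the original book. The domain fabrikam.com, the existing domain controller's address 172.16.11.30, the adapter name and the site name are hypothetical. It writes the [DCINSTALL] answer files the text refers to, keeps the domain credential out of the file with Password=*, locks the file down while it holds the DSRM or local Administrator password, and deletes it before rebooting.

```powershell
# Added example, not code from the original book. Hypothetical values: domain
# fabrikam.com, existing DC at 172.16.11.30, adapter "Local Area Connection",
# site Default-First-Site-Name. Needs PowerShell on the Server Core host (2008 R2
# or later); on Windows Server 2008 Server Core, type the netsh/dcpromo/repadmin
# lines below at cmd.exe instead.

$Domain    = 'fabrikam.com'
$FirstDcIp = '172.16.11.30'
$Adapter   = 'Local Area Connection'

function New-DcpromoUnattend([string]$Path, [string[]]$Settings) {
    # Write a [DCINSTALL] answer file and restrict it to SYSTEM and Administrators,
    # because it holds a clear-text password until dcpromo has consumed it.
    Set-Content -Path $Path -Value (@('[DCINSTALL]') + $Settings) -Encoding ASCII
    icacls $Path /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null
}

function Read-Secret([string]$Prompt) {
    # Prompt without echo; the answer file still needs the clear-text value.
    $s = Read-Host -Prompt $Prompt -AsSecureString
    [Runtime.InteropServices.Marshal]::PtrToStringAuto(
        [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s))
}

function Install-ReplicaDc {
    # Point DNS at an existing DC so the domain's SRV records resolve, then promote.
    netsh interface ipv4 set dnsserver $Adapter static $FirstDcIp primary
    $file = 'C:\AddReplica.txt'
    New-DcpromoUnattend $file @(
        'ReplicaOrNewDomain=Replica',
        "ReplicaDomainDNSName=$Domain",
        'SiteName=Default-First-Site-Name',
        'InstallDNS=Yes',
        'ConfirmGc=Yes',
        "UserDomain=$Domain",
        'UserName=Administrator',
        'Password=*',                    # * makes dcpromo prompt; the domain password never touches disk
        "SafeModeAdminPassword=$(Read-Secret 'DSRM password')",
        'RebootOnCompletion=No')         # reboot ourselves only after the file is gone
    dcpromo /unattend:$file
    Remove-Item $file -Force             # never leave the DSRM password lying on disk
    shutdown /r /t 0
}

function Test-ReplicaHealth {
    # Run after the reboot.
    repadmin /showrepl $env:COMPUTERNAME         # every inbound partner should report SUCCESS
    repadmin /replsummary                         # non-zero "fails" columns need attention
    dcdiag /test:replications /test:advertising   # the new DC must advertise as a DC (and GC)
}

function Remove-ReplicaDc {
    # Refuse to demote while this server holds an operations master role; DemoteFSMO=Yes
    # would force it and leave a role that then has to be seized elsewhere.
    if ((netdom query fsmo) -match $env:COMPUTERNAME) {
        throw "Transfer the roles held by $env:COMPUTERNAME first (ntdsutil roles)."
    }
    $file = 'C:\RemoveReplica.txt'
    New-DcpromoUnattend $file @(
        "UserDomain=$Domain",
        'UserName=Administrator',
        'Password=*',
        "AdministratorPassword=$(Read-Secret 'New local Administrator password')",
        'RemoveApplicationPartitions=Yes',   # drop this DC's DomainDnsZones/ForestDnsZones replicas
        'RetainDCMetadata=No',
        'DemoteFSMO=No',
        'RebootOnCompletion=No')
    dcpromo /unattend:$file
    Remove-Item $file -Force
    shutdown /r /t 0
}

function Remove-DcMetadata([string]$ServerDn, [string]$HostName) {
    # For a DC that was forcibly removed or is gone for good: purge its NTDS settings,
    # then look for the A/SRV records it registered, which dcpromo did not clean up.
    # $ServerDn example: CN=SEA-SC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fabrikam,DC=com
    ntdsutil 'metadata cleanup' "remove selected server $ServerDn" quit quit
    foreach ($zone in $Domain, "_msdcs.$Domain") {
        dnscmd /zoneprint $zone | Select-String -SimpleMatch $HostName
    }
}
```

Run Install-ReplicaDc on the new server, Test-ReplicaHealth after it comes back up, and Remove-ReplicaDc when the server is retired. Remove-DcMetadata is only for a server that was removed with a forced demotion or that will never come back; ntdsutil asks for confirmation before it deletes the NTDS settings object.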

As an alternative to the Ntdsutil metadata cleanup procedure, you can delete the computer account of the removed domain controller from Active Directory, but you still have to remove the DNS records that the removed domain controller registered manually. You can use Adprep to perform two kinds of actions:

Preparing an existing forest that runs an earlier version of Windows Server by upgrading the forest schema to the Windows Server 2008 level.

Preparing an existing domain that runs an earlier version of Windows Server so that you can add domain controllers running Windows Server 2008 to the domain.

You must prepare an existing forest by upgrading the forest schema to the Windows Server 2008 level before you install your first Windows Server 2008 domain controller into that forest.

To do this, perform these steps:

1. Be sure that your existing domain controllers are at the service pack levels that Adprep requires.
2. Upgrade any existing Microsoft Windows NT 4.0 domain controllers. You must do this because Windows NT 4.0 domain controllers are not supported in a domain that contains Windows Server 2008 domain controllers.
3. Log on to the domain controller that hosts the schema master FSMO role using a user account that belongs to the Schema Admins, Enterprise Admins, and Domain Admins security groups of the domain that hosts the schema master.
4. Run adprep /forestprep from the \sources\adprep folder of the Windows Server 2008 installation media.
5. Let the schema update operation finish and then allow the schema changes to replicate to all domain controllers in your forest before you prepare any domains for a Windows Server 2008 domain controller. If you plan on having RODCs in your forest, you must also run adprep /rodcprep.

You must also prepare each existing domain before you install your first Windows Server 2008 domain controller into that domain:

1. Upgrade any existing Windows NT 4.0 domain controllers in the domain.
2. Make sure that the domain functional level of your domain is Windows 2000 native or later. To raise the domain functional level, open Active Directory Domains And Trusts, right-click the domain, select Raise Domain Functional Level, and raise the functional level of your domain to the desired level.
3. Log on to the domain controller that hosts the infrastructure master FSMO role using a user account that belongs to the Domain Admins security group of that domain.
4. Run adprep /domainprep. Add the /gpprep switch if the domain has never had it applied (a Windows 2000 domain, or a Windows Server 2003 domain that was prepared with /domainprep alone); /gpprep adds the inheritable permissions that Group Policy planning mode (RSoP) needs, which rewrites the ACL of every GPO and therefore triggers a full SYSVOL replication.
5. Let the domain preparation operation finish and allow the changes to replicate to all domain controllers in the domain. If you plan on having RODCs in your domain, you must make the additional forest-wide change with adprep /rodcprep as described above.
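The forest and domain preparation sequence above, with the checks a practitioner wants before each step, as an added PowerShell example; this is not code from the original book. It assumes the Windows Server 2008 media is mounted at D:\, reads the schema version straight from the directory so you can confirm that /forestprep took effect and has replicated, and refuses to run a step on the wrong role holder or with a token that lacks the required groups.

```powershell
# Added example, not code from the original book. Assumes the Windows Server 2008
# media is at D:\ and that each function runs on the role holder it checks for,
# from an account in the groups it checks for (membership changes need a fresh logon).

$Adprep = 'D:\sources\adprep\adprep.exe'

function Get-SchemaVersion([string]$Server = '') {
    # objectVersion on CN=Schema: 13 = Windows 2000, 30 = 2003, 31 = 2003 R2,
    # 44 = 2008, 47 = 2008 R2. Pass a DC name to read that DC's own copy.
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $root   = [ADSI]($prefix + 'RootDSE')
    $schema = [ADSI]"$prefix$($root.schemaNamingContext)"
    [int]$schema.Properties['objectVersion'].Value
}

function Assert-TokenHasGroups([string[]]$Groups) {
    # whoami /groups shows the logon token; a group added since logon is not in it yet.
    $token = whoami /groups
    foreach ($g in $Groups) {
        if (-not ($token -match [regex]::Escape($g))) { throw "Log on again with an account in '$g'." }
    }
}

function Assert-LocalFsmo([string]$Role) {
    # dsquery prints the role holder's server DN in quotes; it must be this machine.
    $holder = dsquery server -hasfsmo $Role
    if ($holder -notmatch "^""?CN=$env:COMPUTERNAME,") { throw "Run this on the $Role master ($holder)." }
}

function Invoke-ForestPrep([switch]$RodcPrep) {
    Assert-TokenHasGroups 'Schema Admins', 'Enterprise Admins', 'Domain Admins'
    Assert-LocalFsmo schema
    $before = Get-SchemaVersion
    & $Adprep /forestprep                     # asks you to type C to confirm
    if ($RodcPrep) { & $Adprep /rodcprep }    # only if RODCs are planned
    "Schema objectVersion $before -> $(Get-SchemaVersion)"
}

function Wait-SchemaReplicated([int]$Expected = 44, [int]$TimeoutMinutes = 60) {
    # Do not run domainprep or install a 2008 DC until every DC reports the new version.
    $dcs = dsquery server -forest -o rdn | ForEach-Object { $_.Trim('"') }
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $behind = @($dcs | Where-Object { (Get-SchemaVersion $_) -lt $Expected })
        if ($behind.Count -eq 0) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    repadmin /replsummary                     # shows which replication partners are failing
    throw "Schema not yet replicated to: $($behind -join ', ')"
}

function Invoke-DomainPrep([switch]$GpPrep) {
    Assert-TokenHasGroups 'Domain Admins'
    Assert-LocalFsmo infr
    $root = [ADSI]'LDAP://RootDSE'
    $dom  = [ADSI]"LDAP://$($root.defaultNamingContext)"
    if ([int]$dom.Properties['ntMixedDomain'].Value -ne 0) {   # 1 = still Windows 2000 mixed
        throw 'Raise the domain functional level to Windows 2000 native or higher first.'
    }
    # /gpprep re-ACLs every GPO, which triggers a full SYSVOL replication; schedule it.
    if ($GpPrep) { & $Adprep /domainprep /gpprep } else { & $Adprep /domainprep }
}

# Typical run: Invoke-ForestPrep -RodcPrep on the schema master, Wait-SchemaReplicated,
# then Invoke-DomainPrep -GpPrep on the infrastructure master of each domain.
```

The version check is the useful part: adprep's own console output says that the schema was updated, but only the objectVersion read from each domain controller tells you that the change has actually arrived there, which is what the text asks you to wait for before touching the domains.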

Raising the forest functional level to the Windows Server 2008 level provides no additional functionality for domain controllers running Windows Server 2008. Raising the domain functional level to the Windows Server 2008 level provides new functionality, including the following:

Last Interactive Logon Information can be used to display the time of the last successful interactive logon for a user, the workstation that the user logged on to, and the number of failed logon attempts since the last logon. You can manage domain controllers running Server Core the same way you manage domain controllers running a Full installation of Windows Server 2008: you use the same tools, namely Microsoft Management Console (MMC) snap-ins and command-line utilities, to manage both types of domain controllers.

The only difference is that if you want to manage Server Core domain controllers using MMC consoles, you must do so remotely. You can do this in several different ways; one is to log on to a computer running Windows Vista with SP1 and the Remote Server Administration Tools (RSAT) using administrative credentials for the domain, and then open the following consoles:

Active Directory Users And Computers. Used to administer users, groups, computers, and organizational units. Active Directory Domains And Trusts. Used to administer domains, domain trees, forests, and trusts. Active Directory Sites And Services. Used to administer sites, site links, and subnets. You can use either these MMC consoles, which are installed by default on domain controllers or as part of RSAT, or you can create a new empty MMC console and add these snap-ins to it to build a custom console for administering Active Directory.

You can manage Server Core domain controllers using various command-line utilities, in several ways: from the command prompt on a domain controller or member server running a Full installation of Windows Server 2008, or from an elevated command prompt on an administrative workstation running Windows Vista with SP1. To open an elevated command prompt on Windows Vista, click Start, type cmd, right-click cmd under Programs, and select Run As Administrator.

The following list describes some of the command-line utilities that you can use for administering Active Directory. Other tools, such as Dnscmd, which is used for administering DNS (an essential part of an Active Directory environment), are discussed in other chapters of this book.

Dsacls. Used to display and change permissions (access control entries) in the access control list (ACL) of Active Directory objects.

Dcdiag. Used to analyze the state of domain controllers in a forest and report any problems, for help in troubleshooting Active Directory issues.

Ldifde. Used to create, modify, or delete directory objects, extend the schema, export user and group information to other applications or services, and populate Active Directory with data from other directory services.

Netdom. Used to join computers to a domain, manage computer accounts of domain members, reset the secure channel between a domain member and the domain, manage trusts, and view a list of domain controllers, member servers, workstations, organizational units, or FSMO roles.

Ntdsutil. Used to perform directory database maintenance, manage FSMO roles, remove metadata left behind when domain controllers are removed forcibly from the network, and perform other Active Directory maintenance tasks.

Repadmin. Used to diagnose replication problems between domain controllers, view or modify the replication topology as seen from the perspective of each domain controller, force replication between domain controllers, view replication metadata and up-to-dateness vectors, and monitor the general health of an Active Directory forest.

Covering even the most common Active Directory management tasks would require an entire book of its own, but we can cover the basics here. The following sections show how to perform a selection of common administration tasks that you are likely to need to perform in a Windows Server Active Directory environment. These sections focus on tasks that you can perform from the command prompt because this book is mainly about Server Core, and the primary way of administering Server Core is from the command prompt.

When using these commands, you should be logged on as a domain administrator. Some of the command-line tools listed above include switches for running them against remote computers. Alternatively, you can connect to a Server Core domain controller using Remote Desktop and run such commands directly on the domain controller.

Or you can use Windows Remote Management (WinRM) to run commands remotely on the domain controller from your administrator workstation.

To determine which domain controller holds the infrastructure master role, use the Dsquery command from your administrator workstation running Windows Vista SP1 while logged on as a domain administrator:

dsquery server -hasfsmo infr

To transfer the infrastructure master role to another domain controller (SEA-SC2 in this example), use Ntdsutil:

1. Type ntdsutil, then roles, then connections to reach the server connections: prompt.
2. Type connect to server SEA-SC2 to connect to the domain controller to which you want to transfer the infrastructure master role, then type quit to return to the fsmo maintenance: prompt.
3. Type transfer infrastructure master, and click Yes when a dialog box asks whether you are sure you want to do this.
4. Type quit twice to leave the ntdsutil: prompt, and then type dsquery server -hasfsmo infr to verify that the infrastructure master role has been transferred successfully to SEA-SC2.

To list the members of the Domain Admins security group, use the Dsget command from your administrator workstation running Windows Vista SP1 while logged on as a domain administrator:

The Dsadd user command in this example does the following: assigns kberg as the user logon name (-upn); assigns kberg as the pre-Windows 2000 user logon name (-samid); forces the user to change the password on first logon (-mustchpwd yes); and creates the account and enables it immediately (-disabled no).
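The role transfer, group listing, and account creation described above, as an added PowerShell example that wraps the same Dsquery, Ntdsutil, Dsget, and Dsadd commands; this is not code from the original book. The domain fabrikam.com, the target domain controller SEA-SC2, the Staff OU, and the user Karen Berg (kberg) are hypothetical. It adds the check the text does not mention: an infrastructure master placed on a global catalog stops updating cross-domain references unless every domain controller in the domain is a global catalog.

```powershell
# Added example, not code from the original book. Run from a Windows Vista SP1 (or
# later) workstation with RSAT, logged on as a domain administrator. Hypothetical
# names: domain fabrikam.com, target DC SEA-SC2, OU=Staff, user Karen Berg (kberg).

$DomainDn  = 'DC=fabrikam,DC=com'
$DnsDomain = 'fabrikam.com'

function Get-FsmoHolder([string]$Role) {
    # Role: schema | name | infr | pdc | rid. Returns the holder's server object DN.
    (dsquery server -hasfsmo $Role) -replace '"', ''
}

function Move-InfrastructureMaster([string]$To) {
    # An infrastructure master on a global catalog never updates cross-domain
    # references unless every DC in the domain is a GC, so check that first.
    $dcs = @(dsquery server -o rdn | ForEach-Object { $_.Trim('"') })
    $gcs = @(dsquery server -isgc -o rdn | ForEach-Object { $_.Trim('"') })
    if (($gcs -contains $To) -and ($gcs.Count -lt $dcs.Count)) {
        throw "$To is a GC but not all DCs are; choose a DC that is not a GC."
    }
    "Before: $(Get-FsmoHolder infr)"
    # The interactive ntdsutil session from the text, passed as arguments.
    # A confirmation dialog still appears and must be answered Yes.
    ntdsutil roles connections "connect to server $To" quit "transfer infrastructure master" quit quit
    $after = Get-FsmoHolder infr
    if ($after -notmatch "^CN=$To,") { throw "Transfer failed; holder is $after" }
    "After: $after"
}

function Get-DomainAdmins {
    # -expand recurses nested groups: who is effectively a domain admin.
    dsget group "CN=Domain Admins,CN=Users,$DomainDn" -members -expand
}

function New-DomainUser([string]$First, [string]$Last, [string]$Sam, [string]$Ou) {
    $cn = "$First $Last"
    $dn = "CN=$cn,$Ou"
    # -pwd * prompts, so the initial password is never on the command line or in history;
    # -mustchpwd yes forces a change at first logon; -disabled no enables the account now.
    dsadd user $dn -samid $Sam -upn "$Sam@$DnsDomain" -fn $First -ln $Last -display $cn `
        -pwd '*' -mustchpwd yes -disabled no
    dsget user $dn -samid -upn -mustchpwd -disabled    # verify the result
}

# Move-InfrastructureMaster SEA-SC2
# Get-DomainAdmins
# New-DomainUser Karen Berg kberg "OU=Staff,$DomainDn"
```

The same commands can be run on the domain controller itself through WinRM, for example winrs -r:SEA-SC2 dsquery server -hasfsmo infr, which is the approach the text describes for Server Core hosts.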

A domain controller changes its invocation ID whenever it is restored or when it re-hosts an application partition. Even if you DID take advantage of one of these options, let's be honest and say it's not optimal and is a temporary fix at best. Today's post is about a workload that I personally find WAY more critical to the everyday operation of your environment. I have been designing and updating Active Directory designs since it came out; it was my specialty when I was in consulting.

But now that I work at Microsoft, why not go to the source? Who better to ask than Mr. There are a lot of manual and time-sensitive steps that Ned goes through in this demo, but trust me, it's not that bad once you actually get started. The main thing to remember is replication between sites and allowing your changes to replicate, or forcing it to speed things up. The best part about this approach of integrating another DC into existing sites is that you introduce very little disruption to your end users in those sites, due to the multi-master architecture used by Active Directory.

Did we miss anything yet?

Estimated time to complete: varies (not including Active Directory replication), depending on organization size and the number of child domains. The computer that you use for these procedures needs to meet the system requirements for Exchange.

See the Exchange network and directory server requirements before you begin. The computer that you use for all procedures in this topic requires access to Setup. If you don't have a separate team that manages your Active Directory schema, you can skip this step and go directly to Step 2: Prepare Active Directory. If you skip this step, the requirements below also apply to Step 2.

Your account needs to be a member of the Schema Admins and Enterprise Admins security groups. If you have multiple Active Directory forests, make sure you're logged into the right one.

The computer needs to be a member of the same Active Directory domain and site as the schema master. The only supported way to extend the schema for Exchange is to use Setup; other ways of extending the schema aren't supported. For example, if the Exchange installation files are available on drive E:, run Setup.exe from E: with the /PrepareSchema switch (together with the license-acceptance switch that your version of Exchange requires). When you run this command, a prerequisite check is performed that tells you which requirements are missing.

After Setup finishes extending the schema, you'll need to wait while Active Directory replicates the changes to all of your domain controllers before you proceed. To check the progress of the replication, you can use the repadmin tool in Windows Server. For more information about how to use the repadmin tool, see Repadmin. After the Active Directory schema has been extended, you can prepare other parts of Active Directory for Exchange.
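The schema extension and the replication check described above, as an added PowerShell example; this is not code from the Exchange documentation quoted here. It assumes the Exchange Setup files are at E:\ and that the account is in Schema Admins and Enterprise Admins; the /IAcceptExchangeServerLicenseTerms switch is the one Exchange 2013 through 2019 Setup expects and is an assumption for your build. It verifies the same-domain-and-site requirement, records the Exchange schema version (rangeUpper on ms-Exch-Schema-Version-Pt) before and after, and then reads that value from every domain controller together with repadmin's attribute metadata so you can see which ones are still behind.

```powershell
# Added example, not from the Exchange documentation quoted above. Assumes the Exchange
# Setup files are at E:\ and the account is in Schema Admins and Enterprise Admins.
# The /IAcceptExchangeServerLicenseTerms switch is the one Exchange 2013-2019 Setup
# expects; treat it as an assumption and check Setup /? for your build.

function Get-ExchangeSchemaVersion([string]$Server = '') {
    # rangeUpper on ms-Exch-Schema-Version-Pt records the Exchange schema level;
    # the attribute object does not exist until the schema has been extended once.
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $root   = [ADSI]($prefix + 'RootDSE')
    $dn     = "CN=ms-Exch-Schema-Version-Pt,$($root.schemaNamingContext)"
    try   { [int]([ADSI]($prefix + $dn)).Properties['rangeUpper'].Value }
    catch { 0 }
}

function Assert-SameDomainAndSiteAsSchemaMaster {
    # Setup /PrepareSchema must run from a computer in the same domain and site as the schema master.
    $holderDn     = (dsquery server -hasfsmo schema) -replace '"', ''   # CN=<dc>,CN=Servers,CN=<site>,CN=Sites,...
    $holderSite   = ($holderDn -split ',')[2] -replace '^CN=', ''
    $computerDn   = "$(([ADSI]"LDAP://$holderDn").Properties['serverReference'].Value)"
    $holderDomain = (($computerDn -split ',') | Where-Object { $_ -like 'DC=*' }) -join ','
    $root     = [ADSI]'LDAP://RootDSE'
    $myDomain = "$($root.defaultNamingContext)"
    $mySite   = (nltest /dsgetsite)[0].Trim()      # first output line is the site name
    if ($myDomain -ne $holderDomain -or $mySite -ne $holderSite) {
        throw "Schema master is in $holderDomain/$holderSite; this computer is in $myDomain/$mySite."
    }
}

function Invoke-PrepareSchema([string]$SetupRoot = 'E:\') {
    Assert-SameDomainAndSiteAsSchemaMaster
    $before = Get-ExchangeSchemaVersion
    # Setup runs its own prerequisite check first and reports what is missing.
    & (Join-Path $SetupRoot 'Setup.exe') /IAcceptExchangeServerLicenseTerms /PrepareSchema
    if ($LASTEXITCODE -ne 0) { throw "Setup failed ($LASTEXITCODE); see C:\ExchangeSetupLogs\ExchangeSetup.log" }
    "rangeUpper $before -> $(Get-ExchangeSchemaVersion)"
}

function Get-ExchangeSchemaReplicationStatus {
    # One row per DC in the forest: the rangeUpper it holds and repadmin's metadata for
    # that attribute (version and originating DSA), so you can see who is still behind.
    $root = [ADSI]'LDAP://RootDSE'
    $dn   = "CN=ms-Exch-Schema-Version-Pt,$($root.schemaNamingContext)"
    foreach ($dc in (dsquery server -forest -o rdn | ForEach-Object { $_.Trim('"') })) {
        $meta = (repadmin /showobjmeta $dc $dn | Select-String 'rangeUpper') -join ''
        New-Object PSObject -Property @{
            DC = $dc; RangeUpper = (Get-ExchangeSchemaVersion $dc); Metadata = $meta.Trim()
        }
    }
}

# Invoke-PrepareSchema; then repeat Get-ExchangeSchemaReplicationStatus until every DC
# reports the same RangeUpper before moving on to Step 2 (/PrepareAD).
```

Reading rangeUpper from each domain controller is the reliable signal; repadmin /showobjmeta adds the attribute version and the originating DSA, which tells you whether a lagging domain controller has simply not received the change yet or holds a conflicting write.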

During this step, Exchange will create containers, objects, and other items in Active Directory to store information. The collection of the Exchange containers, objects, attributes, and so on, is called the Exchange organization.
