Implementing a Windows Server 2008 R2 Core Domain Controller into an existing Active Directory Forest is not a daunting task in itself but requires changes in the way many Administrators approach the installation and configuration of the base Windows installation.
Here will go through common configuration steps for integrating Windows Server 2008 R2 Core into an existing corporate Active Directory.
Domain Controllers are prime candidates for Server Core, they provide a smaller OS surface area that in theory at least should ensure there are less vulnerabilities exposed to possible malicious attacks. This means fewer critical hotfixes released by Microsoft are required to be installed on Server Core and can reduce the frequency of maintenance cycles and accompanying reboots, Microsoft estimate if there had been a Server Core edition of Windows Server 2003 it would have required 40% fewer patches than the Gui edition.
Section 1 – Prepare Existing Windows 2000/2003 AD
Section 2 – Configure Windows Server 2008 R2 Core
Section 3 – DCPromo and post DCPromo tasks
Many organisations today still run Windows XP as the standard desktop OS, this is an issue for administrators who support existing AD environments using the Adminpak supplied in Windows 2003. The tools in the Windows Server 2003 Adminpak do not work seamlessly with Windows Server 2008 and the RSAT (Remote Server Administration Tools, the Adminpak replacement for Windows Server 2008) will not run on XP. The RSAT delivered with Windows Server 2008 R1 will run only on Windows Vista Desktops whilst the RSAT delivered with R2 only runs on Windows 7. The RSAT can be installed on a Gui based Windows 2008 server by installing the RSAT feature.
ADPrep needs to be run for both the forest and the individual domain where the Windows Server 2008 R2 Domain Controller will be installed.
Section 1 – Prepare Existing Windows 2000/2003 AD
The ADPrep in Windows Server 2008 adds the RODC (Read Only Domain Controller) ADPrep to the traditional forest and domain ADPreps. In short a RODC contains read-only partitions of the Active Directory Database. Common deployments of RODCs are in branch offices where physical security cannot be guaranteed, benefits offered include improved security, user credential caching meaning faster logon times and make more efficient access to resources on the network. More information on RODCs can be found here. The RODC ADPrep is run once at the forest level.
ADPrep is located on the Windows Server 2008 R2 DVD in the \Support\adprep directory, adprep.exe is the 64 bit version and adprep32.exe is the 32 bit version of the tool. Ensure the command prompt has been started using the “Run As Administrator” if running on a Windows Vista, Windows 7 or Windows Server 2008.
The forest ADPrep requires that the logged in user is a member of the Enterprise Admins and Schema Admins groups as well as being a Domain Admin for the Domain containing the forests Schema Master. The forest ADPrep must be run on the Domain Controller holding the AD forests Schema Master FSMO role, to identify the FSMO roles at a command prompt (on any Domain Controller in the forest) enter, netdom query fsmo To run the forest ADPrep enter the following from the /support/adprep DVD directory.
once completed allow time for the changes to replicate across the entire AD forest before ADPrep’ing any domains in the forest.
The domain ADPrep requires that the logged in user is a member of the Domains Domain Admins group. The Domain ADPrep must be run on the Domain Controller holding the Domains Infrastructure Master FSMO role (see Forest ADPrep on how to identify FSMO roles). To run the Domain ADPrep enter:
adprep /domainprep /gpprep
once completed allow time for the changes to replicate across the entire AD forest before installing any new Domain Controllers in the Domain.
The RODC ADPrep can be run on any computer in the Active Directory Forest and must be able to access all Infrastructure to run successfully. In firewalled/isolated environments it is important to choose a suitable computer on which to run the RODC ADPrep. The user performing the RODC ADPrep must be a member of the Enterprise Admins group. From the /support/adprep directory on the Windows Server 2008 R2 DVD enter:
once completed allow time for the changes to replicate across the entire AD before installing a RODC.
Section 2 – Configure Windows Server 2008 R2 Core
We will now go through the steps to introduce a first Windows Server 2008 R2 Core Domain Controller into an existing Active Directory forest (for information, into a Windows 2003 R2 forest and domain functional level directory). Ordinarily most of the steps detailed for configuring the Windows Server 2008 R2 Core are included in the server provisioning process. Interactively the sconfig utility is available in R2 which is a text based menu system that can be run from the console command prompt and allow a number of system settings such as TCP/IP network configuration to be made.
Detailed below are the command lines that can be included in an automated provisioning environment, a post installation script or typed directly from the console command prompt.
To identify the features that are enabled (and disabled) on Windows Server Core, enter
dism /online /get-features
Install Powershell 2.0
I advocate using PowerShell as the tool of choice for managing Windows (and VMware) environments. To enable PowerShell the dotNet Framework version 2 and version 3/3.5 must first be enabled. (note: dotNet 3.0 and 3.5 are contained within a single feature). In addition on a Windows Server 2008 R2 DC the Active Directory PowerShell cmdlets module can be enabled allowing a more straightforward approach to AD Powershell similar to the Quest PowerShell Commands for Active Directory used by many Administrators.
dism /online /enable-feature /featurename=NetFx2-ServerCore
dism /online /enable-feature /featurename=NetFx3-ServerCore
dism /online /enable-feature /featurename=MicrosoftWindowsPowerShell dism /online /enable-feature /featurename=ActiveDirectory-PowerShell
Powershell 2.0 WOW64 Support (Optional)
If WOW64 (32bit) support is required additional features need to be enabled.
dism /online /enable-feature /featurename=NetFx2-ServerCore-Wow64
dism /online /enable-feature /featurename=MicrosoftWindowsPowershell-Wow64
Install DNS Server
If the Domain Controller will also be configured as a DNS Server as they often are, the DNS-Server-Core-Role can be added using, (DNS Server can also be installed as a part of the DCPromo):
dism /online /enable-feature /featurename=DNS-Server-Core-Role
Assuming the Windows Server Core instance has a single interface and is using the logical name “Local Area Connection”, first disable any other network cards, run the following command for each disconnected network connection.
netsh interface set interface “Local Area Connection 2″ DISABLE
configure the IP address, subnet mask and default gateway.
netsh interface ipv4 set address name=”Local Area Connection” static 172.24.32.10 255.255.255.0 172.24.32.1
configure the dns servers for the network connection, in this instance 3 dns servers are specified, of course ensure that the server is configured to point at existing DNS servers that have access to the AD SRV records.
netsh interface ipv4 set dns name=”Local Area Connection” static 172.24.32.4
netsh interface ipv4 add dns name=”Local Area Connection” 172.24.32.5 index=2
netsh interface ipv4 add dns name=”Local Area Connection” 172.24.22.8 index=3
to disable NetBIOS over TCP/IP first identify the adapters index number using
wmic nicconfig get caption,index,TcpipNetbiosOptions
then using one of the following values:
0 – Use NetBios setting from DHCP
1 – Enable NetBios over TCP/IP
2 – Disable NetBios over TCP/IP
set the required NetBIOS over TCP/IP value to each Nic.
wmic nicconfig where index=1 call SetTcpipNetbios 2
In the above example, index=1 is the index number returned for “Local Area Connection” from the earlier command. configure the primary DNS suffix, whether the suffix should change if domain membership changes and set the DNS suffix search list
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d “ad.mydomain.com”
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v “NV Domain” /t REG_SZ /d “ad.mydomain.com”
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v “SyncDomainWithMembership” /t REG_DWORD /d 1
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v “SearchList” /t REG_SZ /d “ad.mydomain.com,mydomain.com,os.mydomain.com”
optionally a nic config can be backed up and restored using netsh, the following commands perform a backup and then a restore, this is useful if you wish to import a config instead of running many individual netsh commands.
netsh -c interface dump > c:\backup.txt
netsh -f c:\backup.txt
Configure Time Zone
to list the time zone names used by the time zone configuration utility run:
then configure the time zone using one of the zone names. “_dstoff” can be appended to a zone name to have Daylight Savings Time disabled; the default enables Daylight Savings Time. To configure for GMT with DST switched off:
tzutil /s “GMT Standard Time_dstoff”
if the server has a temporary name provisioning, it can be renamed using:
Diskpart to Create the NTDS/SYSVOL and Log Partitons
To create on Disk 0 a d: drive 50GB in size, a e: drive of 16GB and a f: drive using the remaining free space:
select disk 0
select partion 3
format FS=NTFS LABEL=”DDrive” QUICK
create partition extended
select partition 0
create partition logical size=16000
format FS=NTFS LABEL=”EDrive” QUICK
create partition logical
format FS=NTFS LABEL=”FDrive” QUICK
The above can be saved as a text file and run using :
Once created view the partitions using:
something similar to the following should be displayed:diskpart
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 8144 KB 16 KB
Partition 2 Primary 124 GB 8160 KB
Partition 3 Primary 48 GB 125 GB
Partition 0 Extended 105 GB 173 GB
Partition 4 Logical 15 GB 173 GB
* Partition 5 Logical 89 GB 189 GBBe sure to have rebooted to make all the above settings stick before proceeding further.
Section 3 – DCPromo and Post Promotion Configuration
Promoting a Windows Server Core instance to a Domain Controller must be done using an unattend answer file, this is because Windows Server Core does not support the DCPromo Gui wizard. If a problem is encountered running DCPromo be aware that DCPromo removes all passwords from the unattend answer file including where ”prompt for password” has been set by setting the password value to “*”. Before re-running DCPromo the unattend file must be edited to reset the values in the password password fields. In the following templates the affected fields are:
All DC configuration scenarios available running DCPromo in Gui mode are supported using an unattend answer file, (creating a new forest, creating a new domain, removing the last Domain Controller in a domain etc.). As this posting is targeted at introducing a Server Core DC into an already running Active Directory Forest only adding a new DC to an existing domain and removing (in the event a fallback is required!) a DC from a domain.
DC Promote Unattend Template
This template contains the parameters for adding a DC to an existing domain. Details of parameters used in DCPromo unattend files can be found in MS KB947034. A DCPromo unattend file can be created by running and completing the DCPromo wizard on an existing Gui Windows server. In the final step of the wizard an export button is displayed, use this to export the unattend file and simply cancel the wizard so the DCPromo is not run. The saved unattend file can be edited in a text editor and used for running DCPromo in unattend mode.
; Run-time flags (optional)
* substitute Password1 to your standard Safe Mode Password
In the above example, the InstallDNS=yes line will install the DNS Server service. The default for installing DNS is dependent on the environment detected when DCPromo is run. MS KB947034 describes in detail all DCPromo Unattend parameters.
DC Demote Unattend Template
This template demotes a running DC back to member server.
* substitute Password1 to your standard local Adminstrator Password
For Domain Controllers Located Behind Firewalls
In environments where domain controllers are separated from other domain controllers or member servers by firewalls it is possible to configure FRS and RPC traffic to use specific ports. Microsoft has the following document and KBs covering this issue.
MS Active Directory in Networks Segmented By Firewalls (Word Document)
MS KB224196, Restricting Active Directory replication traffic to a specific port
MS KB319553, How to restrict FRS traffic o a specific static port
MS KB154596, How to configure RPC dynamic port allocation to work with firewalls
In summary the following registry settings are used to set the ports used by the Active Directory FRS and RPC services.
Port used by FRS for Active Directory Replication:
HKLM\CurrentControlSet\Services\NTDS\ParametersRegistry value: TCP/IPValue type: REG_DWORDValue data: (available port)
Port used for client RPC traffic to a specific port:
HKLM\CurrentControlSet\Services\Netlogon\ParametersRegistry value: DCTcpipPortValue type: REG_DWORDValue data: (available port)
Port used by FRS:
HKLM\CurrentControlSet\Services\NTFRS\ParametersRegistry value: RPC TCP/IP Port AssignmentValue type: REG_DWORDValue data: (available port)
RPC Dynamic Port Range:
HKLM\Software\Microsoft\Rpc\Internet\Ports: REG_MULTI_SZ: 5000-5100PortsInternetAvailable: REG_SZ: YUseInternetPorts: REG_SZ: Y
the above registry settings can be applied on Server Core using regedit /s filename, here is an example regedit file:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters] “TCP/IP Port”=dword:0000422a
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters] “RPC TCP/IP Port Assignment”=dword:0000411c
DNS Server Final Configuration
If the Windows Server Core Domain Controller is running DNS Server all AD integrated zones that are configured to “replicate to all DNS servers in the Domain” or “replicate to all DNS servers in the forest” will be synchronized to the DC. The DNS Server can be configured further, (for example configuring forwarding rules) using DNS Server Management MMC snap-in on either a Windows Server 2008 or Windows 7 (RSAT). One time saving new feature in Windows Server 2008 DNS Server is to set the Conditional Forwarding rules for a DNS server and request that they are replicated to all DNS servers in the Domain.
The dnscmd command line utility also offers comprehensive management of the DNS Server on Windows Server Core.
…and finally, if the new Windows Server Core DC is a replacement for an existing DC that will be decommissioned, remember to update GPOs containing DNS Server IP address assignments to Member Workstations and Servers in the forest.