Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 4

Posted by Jorge on 2011-11-04


We have installed AD on an RWDC and now it is time to install AD on an RODC. Again, Server Manager or PowerShell is the key tool to achieve that goal! For completeness, let’s go through it again end-to-end to make sure you do not miss anything. Server Manager starts by default after logging on (this can be changed if you want). When Server Manager starts, it looks as shown below. To install AD on the local server you need to choose the option “Add roles and features”. In previous versions of Windows you had two separate options, “Add roles” and “Add features”. In this new version of Windows there is no difference anymore in how you install either: roles and features are still different things, but both go through the same wizard.

Figure 1: Server Manager Dashboard

The following page provides basic information.


Figure 2: The “Before You Begin” Page

As you can read below, you will most likely choose the first option, “Role-based or feature-based installation”. The second option (scenario-based installation) is only supported for the Remote Desktop Services role.

Figure 3: The “Installation Type” Page

All servers that have been added to the server pool of this Server Manager instance are shown in the list below. In this case only the local server is listed. If remote servers were listed as well, I could add roles/features to those remote servers from this server. Isn’t that cool!!!???

Figure 4: The “Server Selection” Page

To install AD on this version of Windows through Server Manager you need to select the role called “Active Directory Domain Services” (no shit, Sherlock!).

Figure 5: The “Server Roles” Page

As soon as you tick the role called “Active Directory Domain Services”, the following window pops up asking you to also add the AD related management tools (RSAT).

Figure 6: Confirmation To Also Install The RSAT For AD

After clicking “Add Required Features” above, you will be able to click “Next >” as shown in the screen below. As you can see, this time I also selected the “DNS Server” role explicitly.

Figure 7: The “Server Roles” Page

In the following screen you can select any additional features you want to install. I explicitly did not select the “Group Policy Management” feature: the system installs it automatically during the promotion, as the server is going to become a DC.

Figure 8: The “Features” Page

In the following screen you can read basic information about the “Active Directory Domain Services” role.

Figure 9: The “Active Directory Domain Services” Role Specific Information Page

In the following screen you can also read basic information about the “DNS Server” role, because that role was selected for installation too.

Figure 10: The “DNS Server” Role Specific Information Page

In the following screen you can find a summary of what is going to happen. You need to confirm this to continue. If you want, you can have the server restart automatically when required.

Figure 11: The “Confirmation” Page

After clicking “Install”, the selected role binaries are installed on the server.

Figure 12: The Installation Of The Roles/Features In Progress

As was already introduced with Windows Server 2008, the role binaries are installed first and afterwards the server has to be promoted to get a DC up and running. In part 2 of this series I clicked the link to promote the server to an RWDC. In this case, for the promotion of the server to an RODC, I will show both Server Manager and PowerShell for the second stage of the promotion (the first stage of the RODC promotion, pre-creating the RODC account in AD, was done in part 3). To promote to a DC using Server Manager, click on the link called “Promote this server to a domain controller”. Note the remark below the installation progress: if for whatever reason you have closed the “Add Roles and Features Wizard” window, you can get it back by clicking on the flag icon in the upper right corner of Server Manager (see figure 1). If you want to promote the server to an RODC using PowerShell, go to the next picture.

Figure 13: The Installation Of The Roles/Features Finished
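The first stage walked through above, installing the role binaries without promoting the server, can also be done from PowerShell. The script below is an added example and not code from the original post; it assumes the ServerManager module cmdlets that ship with this version of Windows and the feature names AD-Domain-Services, DNS, RSAT-AD-Tools, RSAT-DNS-Server and GPMC.

```powershell
# Added example (not from the original post): install the AD DS and DNS Server role binaries
# with PowerShell instead of the Server Manager wizard, then verify what actually got installed.
Import-Module ServerManager

# Stage 1: role binaries only, no promotion yet. -IncludeManagementTools adds the RSAT for
# AD DS and DNS, which is what the "Add Required Features" pop-up does in the wizard.
$result = Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Success/RestartNeeded/ExitCode tell you whether you can go on to the promotion;
# a pending reboot here would make the promotion fail its prerequisite checks later.
$result | Format-List Success, RestartNeeded, ExitCode, FeatureResult

# Confirm the binaries are present. Note that GPMC is still "Available" (not installed):
# the promotion (stage 2) adds Group Policy Management by itself, as described above.
Get-WindowsFeature -Name AD-Domain-Services, DNS, RSAT-AD-Tools, RSAT-DNS-Server, GPMC |
    Format-Table Name, InstallState -AutoSize
```

Running this a second time is harmless: Install-WindowsFeature skips features that are already installed and reports them as such in FeatureResult.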

If you want to go the PowerShell way, you should NOT click on the “Promote this server to a domain controller” link. Instead, open a PowerShell window, import the ADDSDeployment module and execute the cmdlets shown below (the output is in figures 14 through 16). The cmdlet starts by validating the input and checking all the prerequisites before it changes anything on the server.

Import-Module ADDSDeployment
# Credentials of the delegated administrator of the RODC account pre-created in stage 1
$Creds = Get-Credential
# -UseExistingAccount attaches this server to that pre-created RODC account instead of
# creating a new DC account (which the delegated administrator is not allowed to do).
Install-ADDSDomainController `
    -DomainName ADCORP.LAB `
    -SafeModeAdministratorPassword $(ConvertTo-SecureString "dsrmPWD!" -AsPlainText -Force) `
    -ApplicationPartitionsToReplicate * `
    -DatabasePath "D:\AD\DB" `
    -LogPath "D:\AD\LOG" `
    -SysvolPath "D:\AD\SYSVOL" `
    -UseExistingAccount `
    -Credential $Creds | FL
# "dsrmPWD!" is a lab value; outside a lab, prompt for it with Read-Host -AsSecureString
# instead of putting the DSRM password as a literal in the command line or a script.

Figure 14: Validating Input And Checking Prerequisites

After that it starts by configuring the local server to host AD.


Figure 15: The Actual Installation Of AD On The Local Server

As you can see, I pipe the result through FL, the alias for Format-List, to output the result as a formatted list instead of a formatted table, which is the default. My main reason is that in the formatted table I would not be able to read the complete message; with Format-List I can read everything. The only thing you need to do now is reboot the server and you are done! It’s aliiiiiive!

Figure 16: Promotion Of The Server To An RODC Succeeded

If you did click on the “Promote this server to a domain controller” link, the following screen appears where you need to specify what you want to do. In this case I use the delegated administration credentials. I first clicked on the “Select” button and was asked to specify credentials. Those credentials need at least administrator permissions on the RODC-to-be. In other words, the account must have been specified as the delegated administrator (directly or indirectly through a security group) when the RODC account was pre-created. The delegated administrator of an RODC is stored in the “managedBy” attribute of the RODC’s computer account (shown on the “Managed By” tab). Note that the delegated administrator does not need to be a Domain Admin. That is the whole point of the two-stage RODC promotion: the sensitive part (creating the account and setting the Password Replication Policy) is done by a domain admin in stage 1, and stage 2 can safely be handed to someone at the branch office.

Figure 17: Specifying The Credentials Designated As Delegated Administrator

Based upon those credentials (<FQDN DOMAIN>\<DELEGATED ACCOUNT>), the AD domains within the AD forest are listed. Select the AD domain in which the server will become an RODC, using the account that was pre-created in the first promotion stage.

Figure 18: The List Of AD Domains Within The AD Forest

Required information is collected as shown below.


Figure 19: Choosing The Deployment Configuration Of The DC

As you can see, the process detected that a pre-created RODC account already exists in the selected AD domain. Except for the DSRM administrator password, all the other options (DNS Server, GC, Site Name) are shown as they were specified in the first stage of the RODC promotion. In the second stage of the RODC promotion you still need to specify the DSRM administrator password.

Figure 20: The Core Domain Controller Options To Choose From

The next screen is weird and should NOT even be displayed for RODCs, as you do not want DNS delegations pointing to RODCs. All DNS delegations should point to RWDCs only. This is a bug in this build and will be changed in later builds.

Figure 21: Specifying DNS Delegation And Credentials

The next screen is ALSO weird and should only be displayed for informational purposes. It should NOT be possible to edit the designated delegated administrators and/or the Password Replication Policy here. Although you can edit them on this screen, nothing would happen: that was already done in stage 1, and with the delegated credentials you most likely do not have the permissions to change it (and you should not, because this is the trusted part of the promotion!). This information is specified during the first stage of the RODC promotion. Moreover, even though custom settings were specified in the first stage, the screen does not list the custom configuration, only the default configuration. All of this is a bug and will be changed in later builds.

Figure 22: The Delegated Administrators And The Password Replication Policy
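Because the wizard does not reliably show what stage 1 configured (see the remarks on figures 17 and 22 above), it is worth checking the pre-created RODC account yourself before running the second stage with the delegated credentials. The script below is an added example, not part of the original post: it assumes the pre-created RODC account is named RODC01 (a hypothetical name), the domain ADCORP.LAB from the post, and the AD DS RSAT (the ActiveDirectory and ADDSDeployment modules) installed where it runs. The last step dry-runs the promotion with Test-ADDSDomainControllerInstallation, which validates the same input and prerequisites as Install-ADDSDomainController without changing anything.

```powershell
# Added example (not from the original post): inspect the pre-created RODC account from stage 1
# and dry-run the stage 2 promotion. RODC01 is a hypothetical name; ADCORP.LAB is the post's domain.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$rodcName   = 'RODC01'
$domainName = 'ADCORP.LAB'

# The pre-created account lives in the Domain Controllers OU and carries the stage-1 settings:
# managedBy = delegated administrator, the two msDS-*Reveal* attributes = Password Replication Policy.
$props = @('managedBy', 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup', 'primaryGroupID')
$rodc  = Get-ADComputer -Identity $rodcName -Server $domainName -Properties $props

# 521 is the RID of "Read-only Domain Controllers"; a pre-created RODC account must have it.
if ($rodc.primaryGroupID -ne 521) {
    throw "$rodcName is not a pre-created RODC account (primaryGroupID = $($rodc.primaryGroupID))"
}

# This is the principal (user or group) whose credentials stage 2 must be run with.
'Delegated administrator (managedBy): {0}' -f $rodc.managedBy

# Accounts that may be cached on this RODC, and accounts that must never be cached on it.
'Allowed to cache (msDS-RevealOnDemandGroup):'
$rodc.'msDS-RevealOnDemandGroup' | ForEach-Object { "  $_" }
'Never cached (msDS-NeverRevealGroup):'
$rodc.'msDS-NeverRevealGroup'   | ForEach-Object { "  $_" }

# Dry run with the same parameters as the real Install-ADDSDomainController call.
# The DSRM password is prompted for rather than written as a literal in the script.
$creds = Get-Credential -Message "Delegated administrator for $rodcName"
$dsrm  = Read-Host -AsSecureString -Prompt 'DSRM administrator password'
Test-ADDSDomainControllerInstallation `
    -DomainName $domainName `
    -SafeModeAdministratorPassword $dsrm `
    -DatabasePath 'D:\AD\DB' -LogPath 'D:\AD\LOG' -SysvolPath 'D:\AD\SYSVOL' `
    -UseExistingAccount -Credential $creds | Format-List
```

Reading these attributes only requires read access to the computer object, so this runs fine as the delegated administrator; changing them is exactly what that account should not be able to do.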

In the next screen you need to specify the AD related folders, the source RWDC (any RWDC or a specific one), the application NCs that should be hosted by the RODC, and whether or not you want to use the Install From Media (IFM) feature. In addition you can choose to replicate critical data only and finish the remaining replication after the reboot. I never choose the option to replicate critical data only: all the required data needs to be replicated anyway. Finally, I tick the option to automatically reboot the server when done. After the reboot it is a DC and I can use it right away because it has everything it needs.

Figure 23: The AD Related Folders, The Source RWDC, The Application NCs To Host, Usage Of IFM And The Replication Of Critical Data Only Or Not

Below you can see the default application NCs in the AD forest. If you have custom application NCs, those would also show up in the list.

Figure 24: The Application NCs Available In The AD Forest Eligible To Be Hosted On The RODC

All the information specified and selected.


Figure 25: All The Information Selected And Specified

Below you see a summary of the specified and selected options. Note that it does not show the AD site, and it does not list that the RODC-to-be is a GC and a DNS server either. This is most likely a bug: if you remember correctly, I did specify that information in the first stage of the RODC promotion, and you can also see it in figure 20 above.

Figure 26: Summary Of Selected And Specified Options

When you click the “View Script” button, it shows the PowerShell equivalent of the selected options, to promote the server to an RODC in the second stage.

Figure 27: PowerShell Equivalent Options To Promote Server To An RODC In The Second Stage

Below you see the progress and the results of the promotion in the second stage.

Figure 28a: Progress And Results Of The RODC Promotion In The Second Stage

Figure 28b: Progress And Results Of The RODC Promotion In The Second Stage

Figure 28c: Progress And Results Of The RODC Promotion In The Second Stage

Figure 28d: Progress And Results Of The RODC Promotion In The Second Stage
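Because the summary page (figure 26) did not show the site, GC and DNS settings, it pays to verify the result after the reboot rather than trust the wizard. The script below is an added example and not from the original post; it assumes the RODC is named RODC01 (a hypothetical name) and runs from a machine with the AD DS RSAT and the repadmin and dcdiag tools available.

```powershell
# Added example (not from the original post): verify the freshly promoted RODC.
# RODC01 is a hypothetical name; replace it with the name used in stage 1.
Import-Module ActiveDirectory

$rodcName = 'RODC01'
$dc = Get-ADDomainController -Identity $rodcName

# IsReadOnly must be True; compare Site and IsGlobalCatalog with what was set in stage 1.
# An RODC never holds a FSMO role, so OperationMasterRoles should be empty.
$dc | Format-List Name, Domain, Site, IsReadOnly, IsGlobalCatalog, OperationMasterRoles, IPv4Address

if (-not $dc.IsReadOnly) { throw "$rodcName is not an RODC" }
if ($dc.OperationMasterRoles.Count -ne 0) { throw "$rodcName holds FSMO roles; that should not happen" }

# DNS Server role: the summary page did not list it, so check on the box itself.
Get-WindowsFeature -Name DNS -ComputerName $rodcName | Format-Table Name, InstallState -AutoSize

# Password Replication Policy as applied on the live RODC (Allowed and Denied lists)...
'Allowed to cache:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed |
    Format-Table Name, objectClass -AutoSize
'Denied (never cached):'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Denied |
    Format-Table Name, objectClass -AutoSize

# ...and which secrets it has actually cached so far. Right after promotion this should be
# close to empty; the RODC's own krbtgt_NNNNN account is the usual exception.
'Secrets currently cached on the RODC:'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts |
    Format-Table Name, objectClass -AutoSize

# Inbound replication from the source RWDC (an RODC only replicates inbound) and advertising
# of the KDC/GC/DNS services.
repadmin /showrepl $rodcName
dcdiag /s:$rodcName /test:Replications /test:Advertising
```

If the delegated administrator account shows up in the revealed list, it was cached because it logged on at the RODC during the promotion; decide deliberately whether that account belongs in the Allowed or the Denied list rather than leaving it to the defaults.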

In the NEXT PART we’ll take care of the removal of AD from the DC.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

2 Responses to “(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 4”

  1. […] the NEXT PART we’ll take care of installation the AD binaries on the server that will become the actual […]


  2. […] Part – 4 […]

