Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 4

Posted by Jorge on 2011-11-04

We have installed AD on an RWDC and now it is time to install AD on an RODC. Again the Server Manager or Powershell are the key tools here to achieve that goal! For completeness, let’s go through it again end-to-end to make sure you do not miss anything. Server Manager starts by default after logging on. This can be changed if you want that. When Server Manager starts it looks like as shown below. To install AD on the local server you need to choose the option “add roles”. In previous versions of Windows, you had the options “add roles” and “add features”. In this new version of Windows there is no difference anymore as you are going to install “something”. There is still a difference between roles and features, but there no difference anymore how to install either.


Figure 1: Server Manager Dashboard

The following page provides basic information.


Figure 2: The “Before You Begin” Page

As you can read below, you will most likely choose the first option as the second option is only supported by the Remote Desktop Services role.


Figure 3: The “Installation Type” Page

All servers added to the dashboard of the local server will be shown in the list below. In this case only the local server is listed. If multiple remote servers were listed I could add roles/features to those remote servers from this server. Isn’t that cool!!!???


Figure 4: The “Server Selection” Page

To install AD on this version of Windows through the Server Manager you need to select the role called “Active Directory Domain Services” (no shit!, Sherlock! clip_image005[4])


Figure 5: The “Server Roles” Page

As soon as you tick the role called “Active Directory Domain Services”, you will see the following window pop-up to also add the AD related tools.


Figure 6: Confirmation To Also Install The RSAT For AD

After clicking “Add Required Features” above, you will be able to click “Next >” as shown in the screen below. As you can see I now did select DNS explicitly.


Figure 7: The “Server Roles” Page

In the following screen you can select features you want to install in addition as needed. I explicitly did not select the “Group Policy Management” feature to be installed. The system will install it automatically during the promotion as the server will become a DC.


Figure 8: The “Features” Page

In the following screen you can read basic information about the “Active Directory Domain Services” role


Figure 9: The “Active Directory Domain Services” Role Specific Information Page

In the following screen you can also read basic information about the “DNS” role because this role was also selected to be installed.


Figure 10: The “DNS Server” Role Specific Information Page

In the following screen you can find a summary of what is going to happen. You need to confirm this to continue. If you want you can have the server to be restarted automatically as required.


Figure 11: The “Confirmation” Page

After clicking “Install” the selected role binaries will be installed on the server.


Figure12: The Installation Of The Roles/Features In Progress

As was already introduced with Windows Server 2008, the role binaries are first installed and afterwards the server has to be promoted to get a DC up and running. In part 2 of this series I clicked the link to promote the server to an RWDC. In this case for the promotion of the server to an RODC I will use Server Manager and Powershell to perform the second stage of the promotion (the first stage of the RODC promotion was done in part 3).To promote to a DC using Server Manager click on the link called “Promote this server to a domain controller”. Note the remark below the installation progress. If for whatever reason you have closed the “add roles and features wizard” window, you can get it back by clicking on the flag icon on the upper right corner of figure 1. If you want to promote the server to an RODC using powershell, then go to the next picture,


Figure 13: The Installation Of The Roles/Features Finished

If you want to go the through the Powershell way, you should NOT click on the “Promote this server to a domain controller” link, but instead you need to open a Powershell command window, import the correct Powershell module and execute the correct CMDlets as shown in picture 16 below. It starts by checking the current status and all the prerequisites.


Import-Module ADDSDeployment $Creds = Get-Credential Install-ADDSDomainController -DomainName ADCORP.LAB -SafeModeAdministratorPassword $(ConvertTo-SecureString "dsrmPWD!" -AsPlainText -Force) -ApplicationPartitionsToReplicate * -DatabasePath "D:\AD\DB" -LogPath "D:\AD\LOG" -SysvolPath "D:\AD\SYSVOL" -UseExistingAccount -Credential $creds | FL


Figure 14: Validating Input And Checking Prerequisites

After that it starts by configuring the local server to host AD.


Figure 15: The Actual Installation Of AD On The Local Server

As you can see I’m using the FL shortcut CMDlet to output the result in formatted list instead of a formatted table, which is the default. My main reason is that in the formatted table I would not be able to completely read the message. With the FL shortcut CMDlet I can read everything. The only thing you need to do now is reboot the server and you are done! It’s aliiiiiive!


Figure 16: Promotion Of The Server To An RODC Succeeded

If you did click on the “Promote this server to a domain controller” link, the following screen will appear where you need to specify what you want to do. In this case I use the delegated administration credentials. I first clicked on the “Select” button and I was asked to specify credentials. Those credentials should have at least administrator permissions on the new to be RODC. In other words, those credentials should be specified as the delegated admin (directly or indirectly through a security group). The delegated administrators for an RODC as specified on the computer account of the RODC in the “managedBy” attribute (shown in the “Managed By” tab).


Figure 17: Specifying The Credentials Designated As Delegated Administrator

Based upon those credentials (<FQDN DOMAIN>\<DELEGATED ACCOUNT>) the AD domains within the AD forest will be listed. An AD domain needs to be selected where the server will become an RODC using a pre-created account in the first promotion stage.


Figure 18: The List Of AD Domains Within The AD Forest

Required information is collected as shown below.


Figure 19: Choosing The Deployment Configuration Of The DC

As you can see, the process detected that pre-created RODC objects already exists in the selected AD domain. Except for the DSRM administrator password, all the other options (DNS Server, GC, Site Name) are shown that were specified on the first stage of the RODC promotion. In the second stage of the RODC promotion you still need to specify the DSRM administrator password.


Figure 20: The Core Domain Controller Options To Choose From

The next screen is weird and should NOT be even displayed for RODCs as you do not want DNS delegations for RODCs. All DNS delegations should be done for RWDCs only. This is a bug and will be changed in later builds.


Figure 21: Specifying DNS Delegation And Credentials

The next screen is ALSO weird and should ONLY be even displayed for informational purposes only. It should NOT be possible to edit the designated Delegated Administrators and/or the Password Replication Policy. Although you could edit it here, nothing would happen as that was already done in stage 1 and with the delegated credentials you most likely do not have the permissions to change this (and it should not because this is part of the trusted part of the promotion!). This information is specified during the first stage of the RODC promotion. Although the information was specified in the first stage of the RODC promotion, it still does not list the custom configuration, only the default configuration. All of this is a bug and will be changed in later builds.


Figure 22: The Delegated Administrators And The Password Replication Policy

In the next screen you need to specify the AD related folders, the source RWDC (any RWDC or a specific RWDC), the application NCs that should be hosted by the RODC and whether or not you want to use the Install From Media feature. In addition you can select to only replicate critical data only and finish other replication after the reboot. I never choose the option to only replicate critical data only. All the required data needs to be replicated anyway. In the end I do check to automatically reboot the server when done. After the reboot it is a DC and I can use it right away because it has everything it needs.


Figure 23: The AD Related Folders, The Source RWDC, The Application NCs To Host, Usage Of IFM And The Replication Of Critical Data Only Or Not

Below you can see the default application NCs in the AD forest. If you have custom application NCs those would also show in the list


Figure 24: The Application NCs Available In The AD Forest Eligible To Be Hosted On The RODC

All the information specified and selected.


Figure 25: All The Information Selected And Specified

Below you will see a summary of the specified and selected options. Note the fact that it does not show the AD site and it does not list the RODC to be as a GC and also not as a DNS Server. This is most likely a bug. If you remember correctly I did specify that information in the first stage of the RODC promotion. You can also see that in figure 20 above.


Figure 26: Summary Of Selected And Specified Options

When you click the “View Script” button, it will show you the powershell equivalent options to promote the server to an RODC in the second stage.


Figure 27: Powershell Equivalent Options To Promote Server To An RODC In The Second Stage

Below you see the progress and the results of the promotion in the second stage.


Figure 28a: Progress And Results Of The RODC Promotion In The Second Stage


Figure 28b: Progress And Results Of The RODC Promotion In The Second Stage


Figure 28c: Progress And Results Of The RODC Promotion In The Second Stage


Figure 28d: Progress And Results Of The RODC Promotion In The Second Stage

In the NEXT PART we’ll take care of the removal of AD from the DC.




* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!



############### Jorge’s Quest For Knowledge #############

######### ########



2 Responses to “(2011-11-04) Installing And Uninstalling AD On Windows Server 8 As An RWDC And As An RODC – Part 4”

  1. […] the NEXT PART we’ll take care of installation the AD binaries on the server that will become the actual […]

  2. […] Part – 4 […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: