Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Install From Media’ Category

(2007-04-22) Windows Server Longhorn – Install From Media (IFM)

Posted by Jorge on 2007-04-22

Installing AD on writable and read-only DCs from a media set

Starting from Windows Server 2003 a new feature was introduced to deploy DCs to, for example, branch offices. That feature, "Install from Media", required at least a "System State" backup of an existing DC. As an additional action that backup needed to be restored on an alternate location. What could be used to install the DC was the IFM set (Active Directory database, Registry information and the SYSVOL) which prevented the DC during promotion to copy everything over the wire. Only the creation of the AD metadata for the promoting DC was created at the sourcing DC and went over the wire and all the information in AD that was added or changed after the backup was taken went over de wire. As you can see a very cool feature to solve problems like:

  • "replication across WAN links taking a considerable amount of time" or
  • "replication across WAN links affecting network performance".

There is one issue to be aware though! Either the backup or the IFM set that is shipped to the branch office must be considered as the physical DC itself! All three contain the writable AD database (which supports multi-master replication) and that database contains the password from all user and computer accounts in the AD domain. All three must therefore be highly secured and used the very trusted administrators (a.k.a. domain/enterprise admins and NO one else!). More information about using "Install from Media" and its requirements and pre-requisites can be found in MS-KBQ311078.

Looking at the "Install from Media" functionality, the basics have not changed. The real change is that it is easier to create an IFM set and that it supports both writable (RWDC) and read-only DCs (RODC).

Instead of creating and restoring a backup (two steps), it is now possible to create an IFM set in one step using ‘NTDSUTIL’ within the ‘IFM’ submenu. Within that submenu you have the option to create an IFM set for both an RWDC and an RODC with or without the SYSVOL (see the picture below). On an RWDC you can create an IFM set for both an RWDC and an RODC that is going to be promoted and on an RODC you can only create an IFM set for another RODC. In all cases NTDSUTIL uses "Volume Shadow Copy" to create a snapshot of AD from the running DC, replays its logs and defrags the AD database (compared to offline defrag). The latter did not occur when using a backup to create an IFM set. In Windows Server Longhorn the size of the AD database is at least the same or even smaller, depending of the amount of white space within the AD database.


When creating an IFM set for an RODC the AD database is converted to read-only (instanceType = 0x4 (writable) à instanceType = 0x0 (read-only)) and the password for all accounts are removed from the AD database. Both actions provide better security for the AD environment and the security of the IFM set for an RODC is less of importance when comparing it with the IFM set for a RWDC. Even in Windows Server Longhorn the security of an IFM set is of utmost important.

The IFM feature in Windows Server Longhorn can be used for both AD (a.k.a. ADDS à "Active Directory Domain Services") and ADAM (a.k.a. AD LDS à "Active Directory Lightweight Directory Services")

NOTE: this information is based upon a beta release of Windows Server Longhorn and thus subject to change in the final RTM release. Do not use Windows Server Longhorn in a production environment without the explicit commitment from Microsoft for help and support.

Additional interesting links:

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########


Posted in Active Directory Domain Services (ADDS), Beta/RC Stuff, Install From Media, Windows Server | Leave a Comment »

%d bloggers like this: