Install a New Windows Server 2012 Active Directory Forest (Level 200)

Install a New Windows Server 2012 Active Directory Forest (Level 200)
  • Article
  • 24 minutes to check out

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This subject describes the brand-new Windows Server 2012 Active Directory Domain Services domain controller promo function at an initial level. In Windows Server 2012, ADVERTISEMENT DS changes the Dcpromo tool with a Server Manager and Windows PowerShell-based release system.

Active Directory Domain Services Simplified Administration

Windows Server 2012 presents the next generation of Active Directory Domain Services Simplified Administration, and is the most extreme domain re-envisioning considering that Windows 2000 Server. ADVERTISEMENT DS Simplified Administration takes lessons gained from twelve years of Active Directory and makes a more supportable, more versatile, more instinctive administrative experience for designers and administrators. This indicated producing brand-new variations of existing innovations in addition to extending the abilities of elements launched in Windows Server 2008 R2.

ADVERTISEMENT DS Simplified Administration is a reimagining of domain implementation. A few of those functions consist of:

  • ADVERTISEMENT DS function implementation is now part of the brand-new Server Manager architecture and permits remote setup.
  • The advertisement DS release and setup engine is now Windows PowerShell, even when utilizing a visual setup.
  • Promotion now consists of requirement monitoring that verifies forest and domain preparedness for the brand-new domain controller, decreasing the possibility of stopped working promos.
  • The Windows Server 2012 forest practical level does not carry out brand-new functions and domain practical level is needed just for a subset of brand-new Kerberos functions, alleviating administrators of the regular requirement for a homogenous domain controller environment.

Purpose and Benefits

These modifications might appear more complicated, not easier. In revamping the advertisement DS implementation procedure however, there was chance to coalesce lots of actions and finest practices into less, much easier actions. This implies, for instance, that the visual setup of a brand-new reproduction domain controller is now 8 dialogs instead of the previous twelve. Developing a brand-new Active Directory forest needs a single Windows PowerShell command with just one argument: the name of the domain.

Why exists such a focus on Windows PowerShell in Windows Server 2012? As dispersed computing develops, Windows PowerShell permits a single engine for setup and upkeep from both visual and command-line user interfaces. It allows completely included scripting of any element with the very same very first class citizenship for an IT Professional that an API grants to designers. As cloud-based computing ends up being common, Windows PowerShell likewise lastly brings the capability to from another location administer a server, where a computer system without any visual user interface has the very same management abilities as one with a display and mouse.

A seasoned advertisement DS administrator need to discover their previous understanding extremely appropriate. A starting administrator will discover a far shallower knowing curve.

Technical Overview

What You Should Know Before You Begin

This subject presumes familiarity with previous releases of Active Directory Domain Services, and does not supply fundamental information around their function and performance. For additional information about advertisement DS, see the TechNet Portal pages connected listed below:

Functional Descriptions

ADVERTISEMENT DS Role Installation

Screenshot that shows the Server Roles page in the Add Roles and Features wizard.

Active Directory Domain Services setup utilizes Server Manager and Windows PowerShell, like all other server functions and functions in Windows Server2012 The Dcpromo.exe program no longer offers GUI setup choices.

You utilize a visual wizard in Server Manager or the ServerManager module for Windows PowerShell in both regional and remote setups. By running several circumstances of those wizards or cmdlets and targeting various servers, you can release advertisement DS to numerous domain controllers all at once, all from one single console. These brand-new functions are not in reverse suitable with Windows Server 2008 R2 or earlier operating systems, you can likewise still utilize the Dism.exe application presented in Windows Server 2008 R2 for regional function setup from the traditional command-line.

Screenshot that shows a Windows PowerShell terminal window.

ADVERTISEMENT DS Role Configuration

Screenshot that shows the Deployment Configuration page in the Active Directory Domain Services Configuration Wizard.

Active Directory Domain Services setup” formerly referred to as DCPROMO” is a now a discrete operation from function setup. After setting up the advertisement DS function, an administrator sets up the server as a domain controller utilizing a different wizard within Server Manager or utilizing the ADDSDeployment Windows PowerShell module.

ADVERTISEMENT DS function setup constructs on twelve years of field experience and now sets up domain controllers based upon the most current Microsoft finest practices. Domain Name System and Global Catalogs set up by default on every domain controller.

The Server Manager advertisement DS setup wizard combines numerous specific dialogs into less triggers and no longer conceals settings in an “sophisticated” mode. The whole promo procedure remains in one broadening dialog box throughout setup. The wizard and the ADDSDeployment Windows PowerShell module reveal you significant modifications and security issues, with links to additional info.

The Dcpromo.exe stays in Windows Server 2012 for command-line ignored setups just, and no longer runs the visual setup wizard. It is extremely advised that you stop usage of Dcpromo.exe for ignored installs and change it with the ADDSDeployment module, as the now-deprecated executable will not be consisted of in the next variation of Windows.

These brand-new functions are not in reverse suitable to Windows Server 2008 R2 or older os.

Screenshot that shows a Windows PowerShell terminal window during an installation.

Important

Dcpromo.exe no longer consists of a visual wizard and no longer sets up function or function binaries. Trying to run Dcpromo.exe from the Explorer shell returns:

” The Active Directory Domain Services Installation Wizard is transferred in Server Manager. To find out more, see https://go.microsoft.com/fwlink/?LinkId=220921

Attempting to run Dcpromo.exe/ unattend still sets up the binaries, as in previous os, however cautions:

” The dcpromo ignored operation is changed by the ADDSDeployment module for Windows PowerShell. For additional information, see https://go.microsoft.com/fwlink/?LinkId=220924

Windows Server 2012 deprecates dcpromo.exe and it will not be consisted of with future variations of Windows, nor will it get even more improvements in this os. Administrators ought to cease its usage and switch to the supported Windows PowerShell modules if they want to produce domain controllers from the command-line.

Prerequisite Checking

Domain controller setup likewise carries out a required monitoring stage that examines the forest and domain prior to continuing with domain controller promo. This consists of FSMO function schedule, user opportunities, extended schema compatibility and other requirements. This brand-new style relieves concerns where domain controller promo begins and after that stops midway with a deadly setup mistake. This minimizes the possibility of orphaned domain controller metadata in the forest or a server that improperly thinks it is a domain controller.

Deploying a Forest with Server Manager

This area describes how to set up the very first domain controller in a forest root domain utilizing Server Manager on a visual Windows Server 2012 computer system.

The diagram listed below highlights the Active Directory Domain Services function setup procedure, starting with you running ServerManager.exe and ending right prior to the promo of the domain controller.

Diagram that illustrates the Active Directory Domain Services role installation process, beginning with running ServerManager.exe and ending right before the promotion of the domain controller.

Server Pool and Add Roles

Any Windows Server 2012 computer systems available from the computer system running Server Manager are qualified for pooling. As soon as pooled, you choose those servers for remote setup of advertisement DS or any other setup alternatives possible within Server Manager.

To include servers, select among the following:

  • Click Add Other Servers to Manage on the control panel welcome tile
  • Click the Manage menu and choose Add Servers
  • Right-click All Servers and pick Add Servers

This raises the Add Servers dialog:

Screenshot that shows the Active Directory tab in the Add Servers dialog box.

This offers you 3 methods to include servers to the swimming pool for usage or grouping:

  • Active Directory search (utilizes LDAP, needs that the computer systems come from a domain, permits running system filtering and supports wildcards)
  • DNS search (utilizes DNS alias or IP address by means of ARP or NetBIOS broadcast or WINS lookup, does not permit running system filtering or assistance wildcards)
  • Import (utilizes a text file list of servers separated by CR/LF)

Click Find Now to return a list of servers from that exact same Active Directory domain that the computer system is signed up with to, Click several server names from the list of servers. Click the ideal arrow to include the servers to the Selected list. Utilize the Add Servers dialog to include picked servers to control panel function groups. Or Click Manage, and after that click Create Server Group, or click Create Server Group on the control panel Welcome to Server Manager tile to develop custom-made server groups.

Note

The Add Servers treatment does not confirm that a server is online or available. Any inaccessible servers flag in the Manageability view in Server Manager at the next refresh

You can set up functions from another location on any Windows Server 2012 computer systems included the swimming pool, as revealed:

Screenshot that shows how you can install roles remotely on any Windows Server 2012 computers added the to pool.

You can not totally handle servers running operating systems older than Windows Server2012 The Add Roles and Features choice is running ServerManager Windows PowerShell Module Install-WindowsFeature

Screenshot that shows the Add AD DS to Another Server menu option.

You can likewise utilize the Server Manager Dashboard on a current domain controller to pick remote server advertisement DS setup with the function currently preselected by best clicking the advertisement DS control panel tile and picking Add Advertisement DS to Another Server This is conjuring up Install-WindowsFeature AD-Domain-Services

The computer system you are running Server Manager on swimming pools itself instantly. To set up the advertisement DS function here, just click the Manage menu and click Add Roles and Features

Screenshot that shows how to access the Add Roles and Features menu option.

Installation Type

Screenshot that shows the Installation Type page in teh Add Roles and Features Wizard.

The Installation Type dialog supplies an alternative that does not support Active Directory Domain Services: the Remote Desktop Services circumstance based-installation That alternative just permits Remote Desktop Service in a multi-server dispersed work. If you pick it, ADVERTISEMENT DS can not set up.

Always leave the default choice in location when setting up advertisement DS: Role-based or Feature-based Installation

Server Selection

Screenshot that shows the Server Selection page in the Remove Roles and Features Wizard.

The Server Selection dialog allows you to pick from among the servers formerly contributed to the swimming pool, as long as it is available. The regional server running Server Manager is instantly readily available.

In addition, you can pick offline Hyper-V VHD files with the Windows Server 2012 os and Server Manager includes the function to them straight through part maintenance. This enables you to arrangement virtual servers with the essential elements prior to more configuring them.

Server Roles and Features

Screenshot that shows the Server Roles page in the Add Roles and Features Wizard.

Select the Active Directory Domain Services function if you mean to promote a domain controller. All Active Directory administration functions and needed services set up immediately, even if they are seemingly part of another function or do not appear picked in the Server Manager user interface.

Server Manager likewise provides an educational dialog that reveals which management includes this function implicitly sets up; this is comparable to the – IncludeManagementTools argument.

Screenshot that shows which management features this role implicitly installs; this is equivalent to the -IncludeManagementTools argument.

Screenshot that shows the Features page in the Add Roles and Features Wizard.

Additional Features can be included here as preferred.

Active Directory Domain Services

Screenshot that shows the AD DS page in the Removal Roles and Features Wizard.

The Active Directory Domain Services dialog supplies restricted details on requirements and finest practices. It primarily serves as a verification that you selected the advertisement DS function” if this screen does not appear, you did not choose advertisement DS.

Confirmation

Screenshot that shows the Confirmation page in the Add Roles and Features Wizard.

The Confirmation dialog is the last checkpoint prior to function setup begins. It uses an alternative to reboot the computer system as required after function setup, however advertisement DS setup does not need a reboot.

By clicking Install, you validate you are prepared to start function setup. You can not cancel a function setup once it starts.

Results

Screenshot that shows the Results page in the Add Roles and Features Wizard.

The Results dialog reveals the present setup development and present setup status. Function setup continues despite whether Server Manager is closed.

Verifying the setup results is still a finest practice. If you close the Results dialog prior to setup finishes, you can inspect the outcomes utilizing the Server Manager notice flag. Server Manager likewise reveals a caution message for any servers that have actually set up the advertisement DS function however not been additional set up as domain controllers.

Task Notifications

Screenshot that shows a task notification.

ADVERTISEMENT DS Details

Screenshot that shows where to view AD DS details.

Task Details

Screenshot that shows where to view task details.

Promote to Domain Controller

Screenshot that shows the Promote this server to a domain controller link.

At the end of the advertisement DS function setup, you can continue with setup by utilizing the Promote this server to a domain controller link. This is needed to make the server a domain controller, however is not essential to run the setup wizard right away. You might just desire to arrangement servers with the Advertisement DS binaries prior to sending them to another branch workplace for later setup. By including the advertisement DS function prior to shipping, you conserve time when it reaches its location. You likewise follow the very best practice of not keeping a domain controller offline for days or weeks. This allows you to upgrade elements prior to domain controller promo, conserving you at least one subsequent reboot.

Selecting this link later on conjures up the ADDSDeployment cmdlets: install-addsforest, install-addsdomain, or install-addsdomaincontroller

Uninstalling/Disabling

You eliminate the advertisement DS function like any other function, despite whether you promoted the server to a domain controller. Eliminating the Advertisement DS function needs a reboot on conclusion.

Active Directory Domain Services function elimination is various from setup, because it needs domain controller demotion prior to it can finish. This is needed to avoid a domain controller from having its function binaries uninstalled without correct metadata clean-up in the forest. To learn more, see Demoting Domain Controllers and Domains (Level 200)

Warning

Removing the advertisement DS functions with Dism.exe or the Windows PowerShell DISM module after promo to a Domain Controller is not supported and will avoid the server from booting typically.

Unlike Server Manager or the advertisement DS Deployment module for Windows PowerShell, DISM is a native maintenance system that has no intrinsic understanding of advertisement DS or its setup. Do not utilize Dism.exe or the Windows PowerShell DISM module to uninstall the advertisement DS function unless the server is no longer a domain controller.

Create an Advertisement DS Forest Root Domain with Server Manager

The following diagram shows the Active Directory Domain Services setup procedure, in the event where you have actually formerly set up the advertisement DS function and began the Active Directory Domain Services Configuration Wizard utilizing Server Manager.

Diagram that illustrates the Active Directory Domain Services configuration process, in the case where you have previously installed the AD DS role and started the Active Directory Domain Services Configuration Wizard using Server Manager.

Deployment Configuration

Screenshot that shows the Deployment Configuration.

Server Manager starts every domain controller promo with the Deployment Configuration page. The staying alternatives and needed fields alter on this page and subsequent pages, depending upon which implementation operation you choose.

To produce a brand-new Active Directory forest, click Add a brand-new forest You need to offer a legitimate root domain; the name can not be single-labeled (for instance, the name needs to be contoso.com or comparable and not simply contoso) and need to utilize enabled DNS domain calling requirements.

For more info on legitimate domain, see KB short article Naming conventions in Active Directory for computer systems, domains, websites, and OUs

Warning

Do not develop brand-new Active Directory forests with the very same name as an external DNS name. If your Internet DNS URL is http://contoso.com, you should pick a various name for your internal forest to prevent future compatibility problems. That name needs to be distinct and not likely for web traffic. : corp.contoso.com.

A brand-new forest does not require brand-new qualifications for the domain’s Administrator account. The domain controller promo procedure utilizes the qualifications of the integrated Administrator account from the very first domain controller utilized to develop the forest root. There is no chance (by default) to disable or lock out the integrated Administrator account and it might be the only entry point into a forest if the other administrative domain accounts are unusable. It is vital to understand the password prior to releasing a brand-new forest.

DomainName needs a legitimate totally certified domain DNS name and is needed.

Domain Controller Options

Screenshot that shows the Domain Controller Options in the Active Directory Domain Services Configuration Wizard.

The Domain Controller Options allows you to set up the forest practical level and domain practical level for the brand-new forest root domain. By default, these settings are Windows Server 2012 in a brand-new forest root domain. The Windows Server 2012 forest practical level does not offer any brand-new performance over the Windows Server 2008 R2 forest practical level. The Windows Server 2012 domain practical level is needed just in order to carry out the brand-new Kerberos settings “constantly offer claims” and “Fail unarmored authentication demands.” A main usage for practical levels in Windows Server 2012 is to limit involvement in the domain to domain controllers that satisfy minimum-allowed os requirements. To put it simply, you can define Windows Server 2012 domain practical level just domain controllers that run Windows Server 2012 can host the domain. Windows Server 2012 executes a brand-new domain controller flag called DS_WIN8_REQUIRED in the DSGetDcName function of NetLogon that specifically finds Windows Server 2012 domain controllers. This permits you the versatility of a more uniform or heterogeneous forest in regards to which os are allowed to be worked on domain controllers.

For more info about domain controller Location, evaluation Directory Service Functions

The only configurable domain controller ability is the DNS server choice. Microsoft advises that all domain controllers offer DNS services for high schedule in dispersed environments, which is why this choice is chosen by default when setting up a domain controller in any mode or domain. The Global Catalog and check out just domain controller alternatives are not available when producing a brand-new forest root domain; the very first domain controller should be a GC, and can not be a read just domain controller (RODC).

The defined Directory Services Restore Mode Password should follow the password policy used to the server, which by default does not need a strong password; just a non-blank one. Constantly select a strong, intricate password or ideally, a passphrase.

DNS Options and DNS Delegation Credentials

Screenshot that shows the DNS Options in the Active Directory Domain Services Configuration Wizard.

The DNS Options page allows you to set up DNS delegation and supply alternate DNS administrative qualifications.

You can not set up DNS choices or delegation in the Active Directory Domain Services Configuration Wizard when setting up a brand-new Active Directory Forest Root Domain where you picked the DNS server on the Domain Controller Options page. The Create DNS delegation alternative is readily available when developing a brand-new forest root DNS zone in an existing DNS server facilities. This choice allows you to offer alternate DNS administrative qualifications that have the rights to upgrade DNS zone.

For more info about whether you require to develop a DNS delegation, see Understanding Zone Delegation

Additional Options

Screenshot that shows the Additional Options page in the Active Directory Domain Services Configuration Wizard.

Like this post? Please share to your friends:
Leave a Reply

;-) :| :x :twisted: :smile: :shock: :sad: :roll: :razz: :oops: :o :mrgreen: :lol: :idea: :grin: :evil: :cry: :cool: :arrow: :???: :?: :!: