

Scenarios for Installing AD DS

Applies To: Windows Server 2008, Windows Server 2008 R2

The following installation scenarios for Active Directory Domain Services (AD DS) are described in this guide. In these scenarios, the new ___domain controllers can be running Windows Server 2008 or Windows Server 2008 R2 and existing ___domain controllers can be running Windows Server 2003 or Windows 2000 Server.

  • Install a new forest

  • Install a new ___domain in an existing forest

  • Install a new ___domain controller in an existing ___domain

  • Perform a staged RODC installation

  • Install AD DS from media

  • Verify AD DS installations

Install a new forest

When you install AD DS to create the first ___domain controller in a new forest, keep the following considerations in mind:

  • You must make forest and ___domain functional level decisions that determine whether your forest and ___domain can contain ___domain controllers that run Microsoft Windows® 2000 Server, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.

  • Domain controllers running the Microsoft Windows NT® Server 4.0 operating system are not supported with Windows Server 2008 or Windows Server 2008 R2.

  • Servers running Windows NT Server 4.0 are not supported by ___domain controllers that are running Windows Server 2008 or Windows Server 2008 R2.

  • The first ___domain controller in a forest must be a global catalog server and it cannot be an RODC.

Install a new ___domain in an existing forest

When you install AD DS to create the first ___domain controller in a new ___domain, keep the following considerations in mind:

  • Before you create a new Windows Server 2008 or Windows Server 2008 R2 ___domain in a Windows 2000 Server or Windows Server 2003 forest, you must prepare the forest for Windows Server 2008 or Windows Server 2008 R2 by extending the schema (that is, by running adprep /forestprep).

Note

In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /support/adprep folder.

  • You must make ___domain functional level decisions that determine whether your ___domain can contain ___domain controllers that run Windows 2000 Server, Windows Server 2003, or Windows Server 2008.

We recommend that you host the primary ___domain controller (PDC) emulator operations master role in the forest root ___domain on a ___domain controller that runs Windows Server 2008.

For procedures to install a new ___domain, see Installing a New Child Domain.

Install a new ___domain controller in an existing ___domain

When you install a new Windows Server 2008 or Windows Server 2008 R2 ___domain controller in an existing Windows 2000 Server or Windows Server 2003 ___domain, keep the following considerations in mind:

  • If this ___domain controller is the first Windows Server 2008 or Windows Server 2008 R2 ___domain controller in the forest, you must prepare the forest for Windows Server 2008 or Windows Server 2008 R2 by extending the schema (that is, by running adprep /forestprep) on the schema operations master if this has not already been done.

Note

In Windows Server 2008, Adprep.exe is available in the /sources/adprep folder of the installation DVD. In Windows Server 2008 R2, Adprep.exe is located in the /support/adprep folder.

  • If this ___domain controller is the first Windows Server 2008 or Windows Server 2008 R2 ___domain controller in a Windows 2000 Server ___domain, you must first prepare the ___domain by running adprep /domainprep /gpprep on the infrastructure master.

Note

If you prepare a Windows Server 2003 ___domain by running adprep /domainprep /gpprep, you can safely disregard the error message that indicates that ___domain updates were not necessary.

  • If this ___domain controller is the first Windows Server 2008 or Windows Server 2008 R2 ___domain controller in a Windows Server 2003 ___domain, you must prepare the ___domain by running adprep /domainprep on the infrastructure master.

  • Before you can install an RODC in a Windows 2000 Server or Windows Server 2003 forest, you must prepare the forest by running adprep /rodcprep. You can run adprep /rodcprep on any computer in the forest. You can run it multiple times if necessary. If the operation is unable to reach all the application partitions that must be updated to allow RODC installation, you receive a message that says that not all application partitions have been updated. In this case, rerun the adprep /rodcprep command.

  • The first Windows Server 2008 or Windows Server 2008 R2 ___domain controller in an existing Windows 2000 Server or Windows Server 2003 ___domain cannot be created as an RODC. After a Windows Server 2008 or Windows Server 2008 R2 ___domain controller exists in the ___domain, additional Windows Server 2008 or Windows Server 2008 R2 ___domain controllers can be created as RODCs.

After you have prepared the forest and the ___domain, you can install AD DS to create a new Windows Server 2008 or Windows Server 2008 R2 ___domain controller.
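The considerations above say which adprep step to run on which operations master. The following script is an added example, not part of this guide: it looks up the schema master and the infrastructure master and reads the marker objects that Adprep.exe leaves in the directory, so that you can tell whether /forestprep, /domainprep and /rodcprep have already completed before installing the first Windows Server 2008 or Windows Server 2008 R2 ___domain controller. It uses only the built-in ADSI classes, so it runs from any ___domain-joined computer with Windows PowerShell. The expected objectVersion and revision values in the comments are the ones this editor recalls from Microsoft's guidance on verifying adprep; confirm them against the documentation for your build.

```powershell
# Added example (not from the Microsoft guide): where adprep must run, and what it has already done.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value
$domainNC = $rootDse.defaultNamingContext.Value

function Get-RoleOwnerDc {
    # fSMORoleOwner holds the DN of the role holder's "NTDS Settings" object.
    # Its parent (the DN after the first RDN) is the server object, which carries dNSHostName.
    param([string]$RoleObjectPath)
    $settingsDn = ([ADSI]$RoleObjectPath).fSMORoleOwner.Value
    $serverDn   = $settingsDn.Substring($settingsDn.IndexOf(',') + 1)
    return ([ADSI]"LDAP://$serverDn").dNSHostName.Value
}

function Get-RevisionOrNull {
    # The marker object is created by the matching adprep step; if it is absent, that step has not run.
    param([string]$Path)
    if (-not [ADSI]::Exists($Path)) { return $null }
    return [int]([ADSI]$Path).revision.Value
}

function Get-AdprepState {
    $state = @{
        # adprep /forestprep is run on the schema master, /domainprep on the infrastructure master
        SchemaMaster         = Get-RoleOwnerDc "LDAP://$schemaNC"
        InfrastructureMaster = Get-RoleOwnerDc "LDAP://CN=Infrastructure,$domainNC"
        # Schema objectVersion (recalled values): 13 = Windows 2000, 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2
        SchemaObjectVersion  = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
        # Recalled revisions: forest 2 = 2008, 5 = 2008 R2; ___domain 3 = 2008, 5 = 2008 R2; RODC marker 2 once /rodcprep ran
        ForestPrepRevision   = Get-RevisionOrNull "LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
        RodcPrepRevision     = Get-RevisionOrNull "LDAP://CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC"
        DomainPrepRevision   = Get-RevisionOrNull "LDAP://CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC"
    }
    New-Object PSObject -Property $state
}

Get-AdprepState | Format-List
```

A null revision means that step has not been recorded; the /gpprep switch does not leave a separate revision marker, so this script does not report it. Because these are plain LDAP reads, the script needs no elevated rights, and it is a useful thing to keep with your change records so that repeated or skipped adprep runs can be explained later.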

For procedures to install a new ___domain controller, see Installing an Additional Domain Controller.

Perform a staged RODC installation

AD DS provides a way for you to install an RODC in a branch office in two stages. First, you create an account for the RODC. When you create the account, you can choose who will install and administer the RODC. The delegated RODC administrator can complete the installation by attaching a server to the RODC account you created for it. This eliminates the need to use a staging site for building branch office ___domain controllers and also eliminates the need to use ___domain administrator credentials to build the RODC in the branch office.

When you install an RODC, keep the following considerations in mind:

  • The RODC must replicate ___domain data from a writeable ___domain controller that runs Windows Server 2008 or Windows Server 2008 R2.

  • By default, the RODC does not cache the passwords of any ___domain users. This means that by default, user and computer authentications that are handled by an RODC still require connectivity to a writeable ___domain controller that runs Windows Server 2008 or Windows Server 2008 R2. You must modify the default Password Replication Policy (PRP) for the RODC to allow the RODC to authenticate users and their computers when the wide area network (WAN) link to the writeable ___domain controller is offline.

    For more information about how the authentication process works with an RODC, see Appendix A: Technical Reference Topics (https://go.microsoft.com/fwlink/?LinkID=128273). For more information about how to modify the PRP, see Administering the Password Replication Policy (https://go.microsoft.com/fwlink/?LinkId=137087).
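The two stages described above, followed by a check of the Password Replication Policy, as an added example that is not part of this guide. Stage 1 runs on a writeable ___domain controller as a ___domain administrator; stage 2 runs on the branch server as the delegated administrator. The dcpromo switches shown in the comments are the unattended-installation switches as this editor knows them, so confirm them with dcpromo /? before use; the ___domain name corp.example.com, the account BRANCH-RODC1, the site Branch01 and the group names are constructed. The audit function reads the PRP attributes from the RODC computer account with the built-in ADSI classes, and shows why the default policy leaves nothing cached: the allowed group exists but has no members.

```powershell
# Added example (not from the Microsoft guide). Names are constructed.
#
# Stage 1 - ___domain admin pre-creates the RODC account and delegates it (switch names: verify with dcpromo /?):
#   dcpromo /unattend /CreateDCAccount /ReplicaDomainDNSName:corp.example.com
#     /DCAccountName:BRANCH-RODC1 /SiteName:Branch01 /DelegatedAdmin:"CORP\Branch01 Admins"
#     /PasswordReplicationAllowed:"CORP\Branch01 Users"
#
# Stage 2 - delegated admin attaches the branch server to that account:
#   dcpromo /unattend /UseExistingAccount:Attach /ReplicaDomainDNSName:corp.example.com
#     /UserName:CORP\branchadmin /Password:* /ReplicationSourceDC:DC1.corp.example.com
#     /SafeModeAdminPassword:* /RebootOnCompletion:No
#
# Afterwards, audit the PRP carried by the RODC account:

function Get-Values {
    # Copies a (possibly null) LDAP value collection into a plain array.
    param($Collection)
    $out = @()
    foreach ($x in $Collection) { $out += $x }
    return ,$out
}

function Get-RodcPasswordReplicationPolicy {
    param([string]$RodcName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$RodcName`$))"
    foreach ($attr in 'primaryGroupID','msDS-RevealOnDemandGroup','msDS-NeverRevealGroup',
                      'msDS-RevealedUsers','msDS-AuthenticatedToAccountlist') {
        $null = $searcher.PropertiesToLoad.Add($attr)
    }
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "No computer account named $RodcName" }
    $props = $result.Properties

    # 521 is the RID of "Read-only Domain Controllers"; anything else is not an RODC account
    if ($props['primarygroupid'][0] -ne 521) { throw "$RodcName is not an RODC account" }

    # An allowed group only matters if it has members; the default allowed group is empty
    $allowed = @()
    foreach ($dn in (Get-Values $props['msds-revealondemandgroup'])) {
        $members = Get-Values ([ADSI]"LDAP://$dn").member
        $allowed += New-Object PSObject -Property @{ Group = $dn; DirectMembers = $members.Count }
    }
    # msDS-RevealedUsers is DN-Binary ("B:<len>:<hex>:<DN>"); keep only the DN of each cached secret
    $revealed = @()
    foreach ($v in (Get-Values $props['msds-revealedusers'])) { $revealed += ($v -split ':', 4)[3] }

    New-Object PSObject -Property @{
        Rodc            = $RodcName
        Allowed         = $allowed
        Denied          = Get-Values $props['msds-neverrevealgroup']
        RevealedSecrets = $revealed
        AuthenticatedTo = Get-Values $props['msds-authenticatedtoaccountlist']
    }
}

Get-RodcPasswordReplicationPolicy -RodcName 'BRANCH-RODC1' | Format-List
```

RevealedSecrets lists the accounts whose passwords the RODC currently holds, and AuthenticatedTo lists accounts that have authenticated through it without being cached; both are the lists you review when a branch office RODC is lost. The same information is available with repadmin /prp view, which this function does not replace, but the object output is easier to compare across many RODCs.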

Install AD DS from media

You can use the install from media (IFM) option to install an additional ___domain controller in an existing ___domain and minimize replication traffic during the installation. Windows Server 2008 and Windows Server 2008 R2 include an improved version of Ntdsutil.exe that you can use to create the installation media.

You can also create installation media by using the Windows Server Backup tool in Windows Server 2008 or Windows Server 2008 R2. In this case, you need to use the wbadmin command-line tool to create the system state backup, and then you need to restore the system state backup to an alternate ___location.

Ntsdutil.exe is the preferred method, however, because a system state backup includes data, such as the registry, that is not required for AD DS installation.

For the procedure to install a new ___domain controller from media that is created by using Ntdsutil.exe, see Installing AD DS from Media.
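The Ntdsutil.exe media creation described above, as an added example that is not part of this guide. The function runs the ifm subcommand non-interactively, checks that the media has the expected layout, and records a SHA-256 hash of the database so that the administrator at the other end can confirm the media was not altered in transit. The path C:\IFM is constructed, and the script must run elevated on a writeable ___domain controller.

```powershell
# Added example (not from the Microsoft guide): create and verify IFM media with Ntdsutil.exe.
function New-IfmMedia {
    param(
        [string]$Path,           # new folder for the media; keep it free of spaces or quote it in $create
        [switch]$ForRodc,        # "create rodc": media for an RODC, with cached secrets stripped
        [switch]$IncludeSysvol   # "create sysvol ...": also capture SYSVOL
    )
    if (Test-Path $Path) { throw "$Path already exists; ntdsutil needs a new folder" }
    $kind   = if ($ForRodc) { 'rodc' } else { 'full' }
    $create = if ($IncludeSysvol) { "create sysvol $kind $Path" } else { "create $kind $Path" }

    # Each argument is one ntdsutil command, exactly as it would be typed interactively
    & ntdsutil.exe 'activate instance ntds' 'ifm' $create 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil returned exit code $LASTEXITCODE" }

    # Expected layout: <Path>\Active Directory\ntds.dit and <Path>\registry\{SYSTEM,SECURITY}
    $dit = Join-Path $Path 'Active Directory\ntds.dit'
    foreach ($required in $dit, (Join-Path $Path 'registry\SYSTEM'), (Join-Path $Path 'registry\SECURITY')) {
        if (-not (Test-Path $required)) { throw "IFM media incomplete: $required is missing" }
    }

    # Full media carries every ___domain account's secrets, so treat it like the ___domain controller
    # itself; send the hash separately so the receiving administrator can verify the copy.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($dit)
    try     { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }

    New-Object PSObject -Property @{
        Path = $Path; Database = $dit; Sha256 = $hash; SecretsStripped = [bool]$ForRodc
    }
}

# Media for an additional writeable ___domain controller, including SYSVOL.
# For a branch RODC use: New-IfmMedia -Path 'C:\IFM-RODC' -ForRodc -IncludeSysvol
New-IfmMedia -Path 'C:\IFM' -IncludeSysvol
```

Use the rodc variant whenever the target is an RODC: full media would hand the branch office a copy of every password hash in the ___domain, which is exactly what an RODC is meant to avoid.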

Verify AD DS installations

After you install a ___domain controller, you can take the following steps to verify the AD DS installation:

  • Check the Directory Service log in Event Viewer for errors.

  • Make sure that the SYSVOL folder is accessible to clients.

  • Verify DNS functionality.

  • Verify replication.
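The four verification steps above, carried out by a script, as an added example that is not part of this guide. It uses only in-box tools (Get-EventLog, nslookup and repadmin) and returns one result object per check; the ___domain name corp.example.com is constructed, and the ___domain controller defaults to the local computer.

```powershell
# Added example (not from the Microsoft guide): verify a new ___domain controller after installation.
function New-CheckResult {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

function Test-AdDsInstallation {
    param(
        [string]$DomainDnsName,
        [string]$DcHostName = $env:COMPUTERNAME,
        [int]$HoursBack = 24
    )
    $results = @()

    # 1. Directory Service log: Error entries since promotion point at something to investigate
    $errors = @(Get-EventLog -LogName 'Directory Service' -ComputerName $DcHostName -EntryType Error `
                   -After (Get-Date).AddHours(-$HoursBack) -ErrorAction SilentlyContinue)
    $ids = ($errors | ForEach-Object { $_.EventID } | Select-Object -Unique) -join ','
    $results += New-CheckResult 'Directory Service log' ($errors.Count -eq 0) "$($errors.Count) error(s); event IDs: $ids"

    # 2. SYSVOL reachable by clients; NETLOGON is SYSVOL\<___domain>\scripts and is shared only once SYSVOL is ready
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $unc = "\\$DcHostName\$share"
        $results += New-CheckResult "$share share" (Test-Path $unc) $unc
    }

    # 3. DNS: this DC must appear in the LDAP SRV records under _msdcs for the ___domain
    $srvName = "_ldap._tcp.dc._msdcs.$DomainDnsName"
    $srv = (& nslookup -type=SRV $srvName 2>&1) -join "`n"
    $registered = $srv -match ('svr hostname\s*=\s*' + [regex]::Escape($DcHostName))
    $results += New-CheckResult 'DNS SRV registration' $registered $srvName

    # 4. Replication: repadmin marks a partner line "failed" when the last attempt did not succeed
    $repl = (& repadmin /showrepl $DcHostName 2>&1) -join "`n"
    $healthy = ($LASTEXITCODE -eq 0) -and ($repl -notmatch 'failed')
    $results += New-CheckResult 'Replication' $healthy "repadmin /showrepl $DcHostName"

    return ,$results
}

Test-AdDsInstallation -DomainDnsName 'corp.example.com' | Format-Table Check, Passed, Detail -AutoSize
```

Run it from the new ___domain controller first and then from a client in another site: the share and DNS checks exercise the paths clients actually use, and a failure that appears only from the remote site usually points at DNS or firewall configuration rather than at AD DS. For a fuller report, dcdiag /s:<dc> covers the same areas and more.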