Preparing for deployment

Two basic scenarios:

  1. Deploying a new forest.
  2. Deploying a DC in an existing forest based on AD DS from an earlier version of Windows Server.

New Forest

Technical requirements:

  • Have local Administrator credentials.
  • Have NTFS volumes to store directory database, log files, and SYSVOL share.
  • Configure TCP/IP.
  • DNS server infrastructure.

The key is to plan the entire directory structure of your organization up front, so that you won't need to make drastic changes later on (changing the domain name, modifying the OU hierarchy).

Information for the first DC:

  • Domain name: Enter the fully qualified domain name (FQDN) for the root domain of your new forest.
  • Domain NetBIOS name: Enter the NetBIOS name for your new forest (required if the FQDN prefix name is longer than 15 characters).
  • Forest functional level.
  • Domain functional level.
  • Directory Services Restore Mode (DSRM) password: You must specify this at the time the server is promoted to a domain controller.
  • DNS Server: Indicate whether the new domain controller should also be a DNS server (recommended).
  • Database folder: Specify where the AD DS database is stored (the default location is %windir%\NTDS).
  • Log files folder: Specify where the AD DS log files are stored (the default location is %windir%\NTDS).
  • SYSVOL folder: Specify where the AD DS SYSVOL share is located (the default is %windir%\SYSVOL).
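
As an added example (not from the original notes), the items above mapped onto the Install-ADDSForest cmdlet, with the NTFS requirement checked and the validation phase run separately first; corp.example.com, CORP and the E: and F: volumes are assumed values:

```powershell
# Added example, not from the original notes: promote the first DC of a new forest
# with the items listed above mapped onto Install-ADDSForest parameters.
# Assumed values: corp.example.com / CORP, and data volumes E: and F:.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# The DSRM password is supplied at promotion time; never hard-code it in scripts.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

$params = @{
    DomainName                    = 'corp.example.com'  # FQDN of the forest root domain
    DomainNetbiosName             = 'CORP'              # required if FQDN prefix > 15 chars
    ForestMode                    = 'Win2012'           # forest functional level
    DomainMode                    = 'Win2012'           # domain functional level
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true               # DC also becomes a DNS server
    DatabasePath                  = 'E:\NTDS'           # default is %windir%\NTDS
    LogPath                       = 'E:\NTDS'           # default is %windir%\NTDS
    SysvolPath                    = 'F:\SYSVOL'         # default is %windir%\SYSVOL
    NoRebootOnCompletion          = $true               # reboot explicitly below
}

# Requirement check: database, logs and SYSVOL must sit on NTFS volumes.
foreach ($path in $params.DatabasePath, $params.LogPath, $params.SysvolPath) {
    $volume = Get-Volume -DriveLetter $path.Substring(0, 1)
    if ($volume.FileSystem -ne 'NTFS') { throw "$path is not on an NTFS volume" }
}

# Run the validation phase on its own first; do not bypass it with -SkipPreChecks.
$check = Test-ADDSForestInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisite validation failed; the server was not promoted.'
}

Install-ADDSForest @params -Force
Restart-Computer
```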

Additional domain controllers can be deployed for the following purposes:
■ Deploy additional domain controllers in your forest root domain for redundancy and load-balancing purposes.
■ Deploy domain controllers that create additional domains within your forest based on your organization’s administrative or geographical structure.
■ Deploy read-only domain controllers (RODCs) at less secure, branch-office sites within your organization.
■ Deploy virtualized domain controllers to provide greater support for private and public cloud-computing environments.

Best practices to keep in mind:

  • Each domain should have at least two functioning writable domain controllers to provide fault tolerance.
  • Each domain in each location should also have a sufficient number of domain controllers to service the needs of users for logging on and accessing network resources.
  • Domain controllers should be dedicated servers that are used only for hosting the AD DS and DNS Server roles and nothing else.
  • The simplest forest design is to have only one domain.
  • If your organization has multiple sites, deploy at least one DC at each remote office. For best security, domain controllers at remote offices should be RODCs.
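
An added audit script (not from the original notes) that checks an existing forest against the best practices above; it assumes the ActiveDirectory module, remote Server Manager access to each DC, and that Default-First-Site-Name is the head-office site:

```powershell
# Added example, not from the original notes: audit an existing forest against
# the best practices above. Assumes the ActiveDirectory module, an account that
# can read DC objects, and remote Server Manager (WinRM) access to each DC.
Import-Module ActiveDirectory

$expectedRoles = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'  # assumption: default DC roles
$hubSites      = @('Default-First-Site-Name')                            # assumption: head-office site(s)

$domains  = (Get-ADForest).Domains
$allDcs   = foreach ($d in $domains) { Get-ADDomainController -Filter * -Server $d }
$findings = @()

# At least two writable DCs per domain for fault tolerance.
foreach ($domain in $domains) {
    $writable = @($allDcs | Where-Object { $_.Domain -eq $domain -and -not $_.IsReadOnly })
    if ($writable.Count -lt 2) {
        $findings += "$domain has only $($writable.Count) writable DC(s); at least two are needed"
    }
}

# Every site should have at least one DC.
foreach ($site in (Get-ADReplicationSite -Filter *).Name) {
    if ($site -notin $allDcs.Site) { $findings += "site $site has no domain controller" }
}

foreach ($dc in $allDcs) {
    # Remote offices: writable DCs outside the hub site(s) should be RODCs.
    if (-not $dc.IsReadOnly -and $dc.Site -notin $hubSites) {
        $findings += "$($dc.HostName) is a writable DC in remote site $($dc.Site); consider an RODC"
    }
    # Dedicated servers: only the AD DS and DNS Server roles should be installed.
    $roles = Get-WindowsFeature -ComputerName $dc.HostName |
             Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
    if ('DNS' -notin $roles.Name) { $findings += "$($dc.HostName): DNS Server role not installed" }
    $extra = @($roles.Name | Where-Object { $_ -notin $expectedRoles })
    if ($extra.Count) { $findings += "$($dc.HostName): also runs $($extra -join ', ')" }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```
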

Existing forest deployment

1.  Deploying new Windows Server 2012 domain controllers.

Possible scenarios:

■ Deploying the first domain controller in a new forest (required)
■ Deploying the first domain controller for a new domain (required if additional domains need to be created in the forest)
■ Deploying additional domain controllers in each domain for fault tolerance and to support the number of users at each location (recommended)
■ Deploying read-only domain controllers (RODCs) at remote branch office locations (recommended)
■ Deploying virtualized domain controllers (not recommended for most production environments)

Validation phase

A new feature when deploying Windows Server 2012 domain controllers is a validation phase that is performed just before the promotion process. This validation can be bypassed when deploying domain controllers with Windows PowerShell, but doing so is not recommended.

DNS server

Unless your organization uses a third-party DNS server such as BIND on your internal network, you should always have all your domain controllers also function as DNS servers to ensure high availability in distributed environments. By default, when you install the AD DS role on a server and then promote the server to a domain controller, the DNS Server role is automatically installed and configured as well.

First DC in a new domain

You need to supply the credentials of a member of the Enterprise Admins security group, which is one of the two new security groups (the other is the Schema Admins group).

Additional information:
■ Domain type: Specify whether to create a new child domain or a new tree domain.
■ Parent domain name: Enter the name of the parent domain of which the new child or tree domain will be a subdomain.
■ DNS delegation: Specify whether to create a DNS delegation that references the new DNS server you are installing along with the domain controller (the default is determined automatically based on your environment).
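
As an added example (not from the original notes), creating the first DC of a new child domain with Install-ADDSDomain, after confirming that the supplied account really belongs to Enterprise Admins; the names emea, EMEA and corp.example.com are constructed:

```powershell
# Added example, not from the original notes: promote the first DC of a new child
# domain "emea" under an existing root corp.example.com (names constructed).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ActiveDirectory

# Creating a domain requires Enterprise Admins; pass the account as a credential
# to the cmdlets rather than logging on to the new server with it.
$cred = Get-Credential -Message 'Enterprise Admins account (CORP\user)'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for the new DC'

$params = @{
    Credential                    = $cred
    DomainType                    = 'ChildDomain'       # or 'TreeDomain' with a full FQDN
    NewDomainName                 = 'emea'              # becomes emea.corp.example.com
    NewDomainNetbiosName          = 'EMEA'
    ParentDomainName              = 'corp.example.com'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $true               # delegation record in the parent zone
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $true
}

# Confirm up front that the supplied account is a member of Enterprise Admins.
$user    = ($cred.UserName -split '\\')[-1] -replace '@.*$'
$members = Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive `
               -Server $params.ParentDomainName -Credential $cred
if ($members.SamAccountName -notcontains $user) {
    throw "$user is not a member of Enterprise Admins in $($params.ParentDomainName)"
}

# Validation phase first, then the actual promotion.
$check = Test-ADDSDomainInstallation @params
if ($check.Status -ne 'Success') { $check.Message | Write-Warning; throw 'Validation failed' }
Install-ADDSDomain @params -Force
Restart-Computer
```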

Additional DC

Purpose:  fault tolerance and to support the number of users at the location.

Information needed:

■ Site name: Specify the name of the AD DS site to which the domain controller should be added.
■ Global catalog: Specify whether the new domain controller should host the global catalog. By default, when you promote a server to a domain controller, the new domain controller is automatically configured as a global catalog server.
■ Replication source: Specify an existing domain controller to be used as the initial replication partner for replicating a copy of the directory database to the new domain controller (the default is any available domain controller).
■ Application partitions to replicate: Specify application partitions on existing domain controllers that should be replicated to the new domain controller.
■ Install from media path: You can choose to install the new domain controller using backed-up media by means of the Install From Media (IFM) deployment option.

Read-only Domain Controllers (RODCs)

Environment:

  • Relatively few users.
  • Few or no IT staff, and slow wide area network (WAN) connectivity with the head office.
  • Lack of adequate physical security controls.

RODCs host read-only partitions of the AD DS database. Clients can authenticate against an RODC but cannot write directory changes to it. RODCs include additional safeguards that help ensure any information on the RODC remains confidential if it is stolen or has its security compromised.

Requirement:
■ Availability of credentials of a member of the Domain Admins group for the domain.
■ A forest functional level of Windows Server 2003 or higher.
■ At least one writable domain controller running Windows Server 2008 or later installed in the domain.
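
As an added example (not from the original notes), the three requirements above verified with the ActiveDirectory module, followed by promotion of a branch-office RODC with a password replication policy that keeps privileged credentials off the RODC; the domain, site Branch-01 and the CORP\Branch-01 groups are constructed:

```powershell
# Added example, not from the original notes: check the RODC requirements above,
# then promote a Server Core server as an RODC in a branch site. Domain, site and
# group names are constructed.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ActiveDirectory

$domain = 'corp.example.com'
$cred   = Get-Credential -Message 'Domain Admins account (CORP\user)'

# Requirement: forest functional level Windows Server 2003 or higher.
$forest = Get-ADForest -Server $domain -Credential $cred
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest) {
    throw "Forest functional level $($forest.ForestMode) is below Windows Server 2003"
}

# Requirement: at least one writable DC running Windows Server 2008 (NT 6.0) or later.
$modern = Get-ADDomainController -Filter * -Server $domain -Credential $cred |
          Where-Object { -not $_.IsReadOnly -and [int]($_.OperatingSystemVersion -split '\.')[0] -ge 6 }
if (-not $modern) { throw 'No writable DC running Windows Server 2008 or later was found' }

$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'
$params = @{
    DomainName                          = $domain
    Credential                          = $cred
    ReadOnlyReplica                     = $true
    SiteName                            = 'Branch-01'
    InstallDns                          = $true
    SafeModeAdministratorPassword       = $dsrm
    # Password replication policy: cache only branch users and computers. Privileged
    # groups are denied, so a stolen RODC holds none of their secrets.
    AllowPasswordReplicationAccountName = @('CORP\Branch-01 Users', 'CORP\Branch-01 Computers')
    DenyPasswordReplicationAccountName  = @('CORP\Domain Admins', 'CORP\Enterprise Admins',
                                            'CORP\Schema Admins')
    # Branch IT gets local admin rights on this RODC only, not Domain Admins.
    DelegatedAdministratorAccountName   = 'CORP\Branch-01 RODC Admins'
    NoRebootOnCompletion                = $true
}

$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') { $check.Message | Write-Warning; throw 'Validation failed' }
Install-ADDSDomainController @params -Force
Restart-Computer
```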

RODC administration: https://technet.microsoft.com/en-us/library/cc755310(v=ws.10).aspx

Server Core RODC:

Beginning with Windows Server 2008 R2, RODCs can be deployed on Windows Server Core installations. Doing this helps to further reduce the attack surface of your RODCs and lower their maintenance requirements.

Virtualized DC:

Virtualizing domain controllers is also much safer than it was with previous versions of Windows Server. That's because each virtual domain controller has a unique identifier called a GenerationID that is exposed to the hypervisor on the host machine. This helps protect the AD DS directory hosted by a virtual domain controller from unexpected rollback events caused by the accidental application of snapshots or other occurrences that caused duplicate directory objects and other issues in previous Windows Server versions.

Switching an RODC to a writable DC:

Currently there is no shortcut: you must uninstall the AD DS role, rejoin the domain, and then promote the server as a writable DC.

2. Upgrading domain controllers running earlier versions of Windows Server to Windows Server 2012

Two basic ways to upgrade: upgrading the existing domain controllers in place, or installing additional domain controllers.

Although performing in-place upgrades can help reduce hardware costs, the margin for error is greater. If possible, avoid performing in-place upgrades of your existing domain controllers; instead, introduce new domain controllers and then, if desired, retire your existing domain controllers in the following way:

1. Install Windows Server 2012 on the servers that will become the new domain controllers.
2.  Join the new servers to the domain.
3.  Use Server Manager or Windows PowerShell to install the AD DS role on the new servers, and promote them to domain controllers.

Upgrading existing DC:

1.  Prepare your forest and domains for an upgrade by using the Adprep.exe command-line tool to extend the schema (see Lesson 2 for more information about Adprep).
2.  Verify that the operating system of your existing domain controllers has a supported in-place upgrade path to Windows Server 2012.
3.  Verify all prerequisites for upgrading your existing domain controllers to Windows Server 2012. For example, the drive that hosts the AD DS database (NTDS.DIT) must have at least 20 percent free disk space before you begin the operating system upgrade.
4.  Perform an in-place upgrade of all existing domain controllers to Windows Server 2012.
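
As an added example (not from the original notes), a check for steps 2 and 3 that runs on the existing domain controller before an in-place upgrade; the 20 percent threshold is the figure given above, and the function name Test-InPlaceUpgradePrereqs is this example's own:

```powershell
# Added example, not from the original notes: verify the step 2 and 3 prerequisites
# on an existing DC before an in-place upgrade. Uses Get-WmiObject so it also runs
# on the older (PowerShell 2.0) domain controllers being upgraded.
# Step 1 (Adprep) is run from the Windows Server 2012 media instead:
#   <media>\support\adprep\adprep.exe /forestprep, then /domainprep (see Lesson 2).
function Test-InPlaceUpgradePrereqs {
    # NTDS records its database path here; read it rather than assuming %windir%\NTDS.
    $ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dit   = $ntds.'DSA Database file'
    $drive = [System.IO.Path]::GetPathRoot($dit).TrimEnd('\')       # e.g. D:

    $disk    = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
    $ditMB   = [math]::Round((Get-Item $dit).Length / 1MB)
    $os      = Get-WmiObject Win32_OperatingSystem

    $result = New-Object PSObject -Property @{
        DitPath     = $dit
        DitSizeMB   = $ditMB
        FreePercent = $freePct
        FreeSpaceOK = ($freePct -ge 20)            # threshold stated in step 3
        OSVersion   = "$($os.Caption) $($os.Version) $($os.OSArchitecture)"
        # Supported in-place paths to 2012: Windows Server 2008 SP2 / 2008 R2 SP1, x64 only.
        OSPathOK    = ($os.Version -match '^6\.[01]\.' -and $os.OSArchitecture -eq '64-bit')
    }
    if (-not $result.FreeSpaceOK) { Write-Warning "Less than 20% free on $drive; do not start the upgrade" }
    if (-not $result.OSPathOK)    { Write-Warning "No supported in-place path from $($result.OSVersion)" }
    $result
}

Test-InPlaceUpgradePrereqs
```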