Exam Ref 70-417 Upgrading Your Skills to Windows Server 2012 R2 (2014)
Chapter 4. Install and administer Active Directory
The important feature changes that have appeared since Microsoft Windows Server 2008 R2 in the Install and administer Active Directory domain all fall within a single objective, “Install domain controllers.” Within this small area, however, the change could hardly be more significant: The very tool used in pre-Windows Server 2012 versions of Windows Server to install a domain controller, Dcpromo.exe, has been deprecated (which in Microsoft lingo means “officially set on a path to obsolescence”). More specifically, the use of Dcpromo is highly restricted in Windows Server 2012 and Windows Server 2012 R2. You can use it for domain controller promotion only with an answer file. (Dcpromo also retains some specialized uses, such as the force-removal of Active Directory Domain Services with the /ForceRemoval parameter.)
What takes the place of Dcpromo in Windows Server 2012 and Windows Server 2012 R2? A new Active Directory Domain Services Configuration Wizard and a new set of Windows PowerShell cmdlets.
You need to understand these new installation tools well for the 70-417 exam.
Objectives in this chapter:
Objective 4.1: Install domain controllers
Objective 4.1: Install domain controllers
In Windows Server 2008 and Windows Server 2008 R2, you had the option of installing the Active Directory Domain Services server role before promoting the server to a domain controller. In Windows Server 2012 and Windows Server 2012 R2, that step is now mandatory, and as a result, installing a domain controller is now a two-step process.
This section covers the following topics:
Installing domain controllers by using GUI
Installing domain controllers by using Windows PowerShell
Install From Media option without defragmentation
Deploying a domain controller in Windows Azure
Installing domain controllers in the GUI
The first step in deploying a domain controller is to add the Active Directory Domain Services server role. If you perform this first step by using the Add Roles And Features Wizard, the second step in deploying a domain controller is easy: You can just choose the option to promote the server to a domain controller on the final page of this wizard, as shown in Figure 4-1.
FIGURE 4-1 Installing a domain controller after installing the Active Directory Domain Services server role
Make sure the RID Master is online and available whenever you add a new domain controller to an existing domain. If you are installing the first domain controller in a new domain in an existing forest, then the Domain Naming Master must be available.
If you prefer to promote the server later, you can do so using Server Manager. In Server Manager, expand the notifications menu and choose the option to promote the server to a domain controller, as shown in Figure 4-2. (Note that this option appears only if you have added the Active Directory Domain Services server role.)
FIGURE 4-2 Installing a domain controller in Server Manager
Whether you select the option immediately at the end of the Add Roles And Features Wizard or later on the notification menu in Server Manager, the result is the same: The Active Directory Domain Services Configuration Wizard is started. This wizard is very similar to the old Active Directory Domain Services Installation Wizard in Windows Server 2008 and Windows Server 2008 R2, even though the code behind it has been rewritten completely from scratch. The first page of the Active Directory Domain Services Configuration wizard is shown in Figure 4-3.
FIGURE 4-3 The Active Directory Domain Services Configuration Wizard is new to Windows Server 2012 and Windows Server 2012 R2
The options that appear in the wizard are so similar to those that appeared in the corresponding wizard in Windows Server 2008 and Windows Server 2008 R2 that it is not necessary to review them all. However, the Review Options page reveals an interesting change, shown in Figure 4-4. Remember how in Windows Server 2008 and Windows Server 2008 R2, you could export the settings you had selected in the wizard to an answer file to be used with Dcpromo? In Windows Server 2012 and Windows Server 2012 R2, that option is gone and is replaced by a new option to export the settings you have selected to a Windows PowerShell script.
FIGURE 4-4 Exporting domain controller installation settings to a Windows PowerShell script
The following code shows the contents of the exported Windows PowerShell script that results when you choose to add a new domain controller to an existing domain (fabrikam.local):
# Windows PowerShell script for AD DS Deployment
Import-Module ADDSDeployment
Install-ADDSDomainController `
-CreateDnsDelegation:$false `
-Credential (Get-Credential) `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "fabrikam.local" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Here’s another example of the contents of the exported Windows PowerShell script. This version results when you choose to add a first domain controller to a new forest (contoso.local):
# Windows PowerShell script for AD DS Deployment
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012R2" `
-DomainName "contoso.local" `
-DomainNetbiosName "CONTOSO" `
-ForestMode "Win2012R2" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Remember that if you save the Windows PowerShell script, you should save it as a .ps1 file.
For a detailed walkthrough of the Active Directory Domain Services Configuration Wizard, search for “Introducing the first Windows Server 2012 Domain Controller (Part 1 of 2)” or visit http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windows-server-2012-domain-controller.aspx.
Adprep runs automatically
Windows Server 2012 and Windows Server 2012 R2 introduce another new feature related to the Active Directory Domain Services Configuration Wizard: This wizard runs Adprep /domainprep and Adprep /forestprep automatically as needed. Before Windows Server 2012, if upgrading the schema was necessary to install a new domain controller, you needed to run Adprep beforehand.
In Windows Server 2012 and Windows Server 2012 R2, you still have the option of running Adprep to upgrade the schema, but if you haven’t done so before completing the Active Directory Domain Services Configuration Wizard, the schema is upgraded automatically without prompting you first.
Of course, in a production environment, you wouldn’t want to make such a significant change without testing, preparation, and planning. Extending the schema ahead of time and in a controlled manner is preferred as a way to minimize risk.
Installing domain controllers with Windows PowerShell
The ability to install a domain controller by using Windows PowerShell is new to Windows Server 2012 and Windows Server 2012 R2. As with using the GUI to perform the same task, promoting a domain controller is a two-step process when you use Windows PowerShell.
First, you need to add the Active Directory Domain Services server role by typing the following at an elevated Windows PowerShell prompt:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
After the role installation is complete, you can get information about the available cmdlets in the ADDSDeployment module. To do so, type the following:
Get-Command -Module ADDSDeployment
For a listing of the cmdlets in the ActiveDirectory module (as opposed to the ADDSDeployment module), visit http://technet.microsoft.com/en-us/library/hh852274.aspx or type the following at a Windows PowerShell prompt:
Get-Command -Module ActiveDirectory
Table 4-1 shows the 10 cmdlets available in the ADDSDeployment module.
TABLE 4-1 The cmdlets in the ADDSDeployment module
Cmdlet: Description
Add-ADDSReadOnlyDomainControllerAccount: Creates a read-only domain controller (RODC) account that can later be used to install an RODC.
Install-ADDSDomain: Installs the first domain controller in a new domain in an existing forest.
Install-ADDSDomainController: Installs an additional domain controller in an existing domain.
Install-ADDSForest: Installs the first domain controller in a new forest.
Test-ADDSDomainControllerInstallation: Runs the prerequisite checks for installing a domain controller in an existing domain.
Test-ADDSDomainControllerUninstallation: Runs the prerequisite checks for uninstalling a domain controller.
Test-ADDSDomainInstallation: Runs the prerequisite checks for installing a new domain in an existing forest.
Test-ADDSForestInstallation: Runs the prerequisite checks for installing a new forest.
Test-ADDSReadOnlyDomainControllerAccountCreation: Runs the prerequisite checks for adding an RODC account.
Uninstall-ADDSDomainController: Uninstalls (demotes) a domain controller.
You need to understand the function of all of these cmdlets for the 70-417 exam.
Installing the first domain controller in a new forest
To install a domain controller in a new forest, use the Test-ADDSForestInstallation and Install-ADDSForest cmdlets. (The Test-ADDSForestInstallation cmdlet is optional.)
Use Test-ADDSForestInstallation to verify that your environment meets the prerequisites to install the first domain controller in the new forest with the parameters specified. These same prerequisite tests are run if you use the Install-ADDSForest cmdlet.
For example, the following command runs the prerequisite tests for installing a new forest named corp.contoso.com. Because it doesn’t specify a password with the -SafeModeAdministratorPassword parameter, the user will be prompted to supply a Directory Services Restore Mode (DSRM) password.
Test-ADDSForestInstallation -DomainName "corp.contoso.com"
The following command provides a more complex example. Here, the prerequisite tests are run for installing a new forest with the following specifications:
Create a DNS delegation in the parent contoso.com domain (-CreateDNSDelegation).
Set the domain functional level to Windows Server 2008 (-DomainMode Win2008).
Set the forest functional level to Windows Server 2008 R2 (-ForestMode Win2008R2).
Install the Active Directory database and SYSVOL on the D drive (-DatabasePath “D:\NTDS” -SysvolPath “D:\SYSVOL”).
Install the log files on the E drive (-LogPath “E:\Logs”).
Have the server automatically restart after Active Directory Domain Services installation is complete (No -NoRebootOnCompletion parameter).
Prompt the user to provide and confirm the DSRM password (No -SafeModeAdministratorPassword parameter).
Test-ADDSForestInstallation -DomainName corp.contoso.com -CreateDNSDelegation `
-DomainMode Win2008 -ForestMode Win2008R2 -DatabasePath "D:\NTDS" -SysvolPath "D:\SYSVOL" `
-LogPath "E:\Logs"
For more information about the Test-ADDSForestInstallation cmdlet, visit http://technet.microsoft.com/en-us/library/hh974717.
After you have tested the new forest creation with the Test-ADDSForestInstallation cmdlet, you are ready to use the Install-ADDSForest cmdlet to install the domain controller and create the new forest.
For example, the following command will create a new forest with the name corp.contoso.com, install a Domain Name System (DNS) server on the new local domain controller, and prompt the user to provide and confirm a DSRM password:
Install-ADDSForest -DomainName "corp.contoso.com" -InstallDNS
Note that in this next, more complex example, all of the same parameters used with the second Test-ADDSForestInstallation example are used again. Running the earlier test gives you assurance that the following command will work:
Install-ADDSForest -DomainName corp.contoso.com -CreateDNSDelegation -DomainMode Win2008 `
-ForestMode Win2008R2 -DatabasePath "D:\NTDS" -SysvolPath "D:\SYSVOL" -LogPath "E:\Logs"
For more information about the Install-ADDSForest cmdlet, visit http://technet.microsoft.com/en-us/library/hh974720.
Remember that the Netlogon.dns file lists all of the SRV records registered in DNS when a domain controller is installed.
Installing an additional domain controller in an existing domain
To install a domain controller in an existing domain, use the Test-ADDSDomainControllerInstallation and Install-ADDSDomainController cmdlets. (The Test-ADDSDomainControllerInstallation cmdlet is optional.)
This cmdlet runs prerequisite checks that verify that you can use the Install-ADDSDomainController cmdlet to install a domain controller in Active Directory.
For example, the following command runs prerequisite checks to verify the possibility of installing a domain controller in the existing corp.contoso.com domain (using domain administrator credentials). The domain controller will include a DNS server. The user will be prompted to enter and confirm the DSRM password.
Test-ADDSDomainControllerInstallation -InstallDns -Credential (Get-Credential CORP\Administrator) `
-DomainName "corp.contoso.com"
For more information about the Test-ADDSDomainControllerInstallation cmdlet, visit http://technet.microsoft.com/en-us/library/hh974725.
If the test completes successfully, you can use the Install-ADDSDomainController cmdlet with the same parameters to install the new domain controller in the existing corp.contoso.com domain:
Install-ADDSDomainController -InstallDns -Credential (Get-Credential CORP\Administrator) `
-DomainName "corp.contoso.com"
For the 70-417 exam, remember that you first need to use Install-WindowsFeature to install the AD DS binaries. To then promote the server to a domain controller, use Install-ADDSForest, Install-ADDSDomain, or Install-ADDSDomainController. Finally, to demote a domain controller, use Uninstall-ADDSDomainController. (For a force removal, you can use Uninstall-ADDSDomainController -ForceRemoval or even Dcpromo.exe /ForceRemoval.)
For more information about the Install-ADDSDomainController cmdlet, visit http://technet.microsoft.com/en-us/library/hh974723.
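The two-step promotion described above, written as a script rather than two separate commands. This is an added example, not code from the book: it folds in the RID Master check from the GUI section, reads the DSRM password as a SecureString instead of embedding it, and inspects the object the Test cmdlet returns before the real promotion runs. The domain name, paths and site are placeholders; the Status, Message and RebootRequired properties are assumed to match what the ADDSDeployment cmdlets return.

```powershell
# Added example (not from the book): promote an additional domain controller
# into an existing domain only after the prerequisite checks pass. Assumes the
# AD DS binaries are already installed (Install-WindowsFeature
# -Name AD-Domain-Services -IncludeManagementTools) and that corp.contoso.com
# is a placeholder for the real domain.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domainName = 'corp.contoso.com'
$cred       = Get-Credential -Message "Domain Admins account for $domainName"

# The RID Master must be online whenever a DC is added to an existing domain,
# because the new DC needs a RID pool. Fail early instead of mid-promotion.
$ridMaster = (Get-ADDomain -Identity $domainName -Credential $cred).RIDMaster
if (-not (Test-Connection -ComputerName $ridMaster -Count 2 -Quiet)) {
    throw "RID Master $ridMaster is not reachable; do not start the promotion."
}

# DSRM password: prompt for a SecureString rather than storing it in the script.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# One parameter set, used unchanged for both the test and the installation, so
# the test really exercises the configuration that will be installed.
$params = @{
    DomainName                    = $domainName
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    SiteName                      = 'Default-First-Site-Name'
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'E:\Logs'
    SysvolPath                    = 'D:\SYSVOL'
    NoRebootOnCompletion          = $true
}

# Step 1: prerequisite checks. Assumption: the result object's Status is
# 'Success' when every check passed and Message carries the details.
$test = Test-ADDSDomainControllerInstallation @params
Write-Host $test.Message
if ($test.Status -ne 'Success') {
    throw 'Prerequisite checks failed; review the message above before retrying.'
}

# Step 2: the real promotion with the same parameters. -Force suppresses the
# confirmation prompt; the reboot is deferred because NoRebootOnCompletion is set.
$result = Install-ADDSDomainController @params -Force
Write-Host $result.Message
if ($result.RebootRequired) {
    Write-Warning 'Promotion complete; restart the server to finish.'
}
```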
Installing the first domain controller in a new domain in an existing forest
To install the first domain controller in a new domain in an existing forest, use the Test-ADDSDomainInstallation and Install-ADDSDomain cmdlets. (The Test-ADDSDomainInstallation cmdlet is optional.)
This cmdlet runs the prerequisite checks that would be performed if you were to use the Install-ADDSDomain cmdlet to install a new domain controller in a new domain in an existing forest.
The following example runs prerequisite checks that verify the possibility of creating a new child domain named child.corp.contoso.com by using credentials of CORP\EnterpriseAdmin1. Because it doesn’t use the -SafeModeAdministratorPassword parameter, the user will be prompted to provide and confirm the DSRM password to complete the checks. The following example also verifies the possibility of accomplishing the following:
Installing a DNS server (-InstallDNS)
Creating a DNS delegation in the corp.contoso.com domain (-CreateDNSDelegation)
Setting the domain functional level to Windows Server 2003 (-DomainMode Win2003)
Making the domain controller a global catalog server (no -NoGlobalCatalog parameter).
In a site named Houston (-SiteName Houston)
Using DC1.corp.contoso.com as the replication source domain controller (-ReplicationSourceDC DC1.corp.contoso.com)
Installing the Active Directory database and SYSVOL on the D drive (-DatabasePath “D:\NTDS” -SYSVOLPath “D:\SYSVOL”)
Installing the log files on the E drive (-LogPath “E:\Logs”)
Avoiding an automatic restart after the domain installation is complete (-NoRebootOnCompletion)
Test-ADDSDomainInstallation -Credential (Get-Credential CORP\EnterpriseAdmin1) `
-NewDomainName child -ParentDomainName corp.contoso.com -InstallDNS -CreateDNSDelegation `
-DomainMode Win2003 -ReplicationSourceDC DC1.corp.contoso.com -SiteName Houston `
-DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "E:\Logs" -NoRebootOnCompletion
For more information about the Test-ADDSDomainInstallation cmdlet, visit http://technet.microsoft.com/en-us/library/hh974715.aspx.
After you have tested the possibility of creating a new domain with the Test-ADDSDomainInstallation cmdlet, you are ready to use the Install-ADDSDomain to install the first domain controller in the new domain in an existing forest.
The following cmdlet creates the domain with the configuration verified in the test:
Install-ADDSDomain -Credential (Get-Credential CORP\EnterpriseAdmin1) -NewDomainName child `
-ParentDomainName corp.contoso.com -InstallDNS -CreateDNSDelegation -DomainMode Win2003 `
-ReplicationSourceDC DC1.corp.contoso.com -SiteName Houston -DatabasePath "D:\NTDS" `
-SYSVOLPath "D:\SYSVOL" -LogPath "E:\Logs" -NoRebootOnCompletion
For more information about the Install-ADDSDomain cmdlet, visit http://technet.microsoft.com/en-us/library/hh974722.
Adding an RODC account
Use the Test-ADDSReadOnlyDomainControllerAccountCreation and Add-ADDSReadOnlyDomainControllerAccount cmdlets to pre-create a computer account for an RODC. (The Test-ADDSReadOnlyDomainControllerAccountCreation cmdlet is optional.) You can optionally use the -DelegatedAdministratorAccountName parameter to give a non-administrator (or a “delegated administrator”) the rights and permissions required to install the RODC. Once you have added the RODC account, you or the delegated administrator can use the Install-ADDSDomainController cmdlet with the -ReadOnlyReplica switch parameter to install an RODC.
For example, the following command adds a new RODC account to the corp.contoso.com domain using the North America site as the source site for the replication source domain controller, while delegating the rights and permissions required to install the RODC to a user named User1.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName corp.contoso.com `
-SiteName NorthAmerica -DelegatedAdministratorAccountName corp.contoso.com\User1
Remember that pre-creating an RODC computer account is a way to let you give permission to a non-administrator to install an RODC. If you don’t specify the delegated administrator when the RODC computer account is created, you can specify a user or group account on the Managed By tab of the RODC computer account in Active Directory Users and Computers. In general, it’s recommended that you create a test RODC computer account and review all of its properties tabs before you take the 70-417 exam. For example, you should know that you can specify replication partners for an RODC through the NTDS Settings available on the General tab.
For more information about the Test-ADDSReadOnlyDomainControllerAccountCreation and Add-ADDSReadOnlyDomainControllerAccount cmdlets, visit http://technet.microsoft.com/en-us/library/hh974721 and http://technet.microsoft.com/en-us/library/hh974718.
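The staged-RODC workflow from this section end to end, as an added example that is not the book's own code: a Domain Admin pre-creates the account with a delegated installer, the delegated installer promotes the server against that account, and the Domain Admin then confirms the new DC really is read-only and reviews its Password Replication Policy. Names (corp.contoso.com, RODC1, NorthAmerica, User1) are placeholders; the -UseExistingAccount parameter and the Status/Message properties are assumed from the cmdlet documentation.

```powershell
# Added example (not from the book): stage an RODC account for a delegated
# installer, promote from that account, and verify the outcome.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$domain    = 'corp.contoso.com'   # placeholder domain
$rodc      = 'RODC1'              # placeholder RODC name
$site      = 'NorthAmerica'       # placeholder site
$installer = "$domain\User1"      # placeholder delegated installer

# --- Part 1, run by a Domain Admin: pre-create the RODC computer account ----
# The staged account carries the site, the delegated installer (ManagedBy) and
# the default Password Replication Policy. Nothing is installed on a server yet.
$stage = Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $rodc `
    -DomainName $domain `
    -SiteName $site `
    -DelegatedAdministratorAccountName $installer `
    -Credential (Get-Credential -Message "Domain Admins account for $domain")
if ($stage.Status -ne 'Success') { throw "RODC staging failed: $($stage.Message)" }

# A staged RODC account is recognisable before any server is promoted: its
# primary group is Read-only Domain Controllers (RID 521) and ManagedBy names
# the delegated installer.
$acct = Get-ADComputer -Identity $rodc -Properties ManagedBy, PrimaryGroupID
if ($acct.PrimaryGroupID -ne 521) { throw "$rodc is not staged as an RODC account" }
Write-Host "Staged $rodc in site $site; delegated installer: $($acct.ManagedBy)"

# --- Part 2, run by the delegated installer on the future RODC server --------
# -ReadOnlyReplica with -UseExistingAccount attaches this server to the staged
# account; the installer does not need Domain Admins membership for this step.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for the RODC'
$result = Install-ADDSDomainController `
    -DomainName $domain `
    -ReadOnlyReplica `
    -UseExistingAccount `
    -Credential (Get-Credential -Message "Delegated installer account ($installer)") `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns `
    -Force
Write-Host $result.Message

# --- Part 3, run by a Domain Admin after the reboot: verify the result -------
$dc = Get-ADDomainController -Identity $rodc
if (-not $dc.IsReadOnly) { throw "$rodc was promoted but is not read-only" }

# The Denied list should still contain the privileged groups from the default
# policy; anything on the Allowed list will have its secrets cached on the RODC.
Write-Host 'Denied password replication:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass
Write-Host 'Allowed password replication:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
```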
Uninstalling a domain controller
Use the Test-ADDSDomainControllerUninstallation and Uninstall-ADDSDomainController cmdlets to uninstall a domain controller. Unlike the previous cmdlets, these cmdlets can be used without any parameters. If you do so, you will be prompted to supply a local Administrator password.
For more information about the Test-ADDSDomainControllerUninstallation and Uninstall-ADDSDomainController cmdlets, visit http://technet.microsoft.com/en-us/library/hh974716 and http://technet.microsoft.com/en-us/library/hh974714.
Install from Media (IFM) option without defragmentation
Windows Server has included an Install from Media (IFM) option for deploying domain controllers since Windows Server 2003. With this option, Active Directory Domain Services data is stored on a local drive, on removable media such as a DVD, or on a network shared folder. Using IFM allows you to avoid replicating all directory data over the network when you install the new domain controller.
The recommended method for creating Active Directory Domain Services installation media is to use the Ntdsutil.exe tool that is available when the Active Directory Domain Services server role is installed. Ntdsutil includes an IFM subcommand menu that creates the files necessary to install Active Directory Domain Services by using the IFM option.
Windows Server 2012 and Windows Server 2012 R2 introduce two additional options to this IFM menu. These two options allow you to create IFM stores without first performing an offline defrag of the exported NTDS.dit database file. An offline defrag is performed by default, and that operation can be time-consuming. When disk space is not at a premium and you do not need to compact the Active Directory database, these two options save time when creating the IFM media.
Table 4-2 describes the two menu items.
TABLE 4-2 Creating IFM media without defragmentation
Create Full NoDefrag <path>: Creates IFM media for a writable (full) domain controller in the specified folder without defragmenting the copied database.
Create Sysvol Full NoDefrag <path>: Creates IFM media for a writable (full) domain controller that also includes the SYSVOL folder, without defragmenting the copied database.
Remember that IFM does not work across different operating system versions. If you have a domain controller running Windows Server 2008 R2 and you want to promote a server running Windows Server 2012 or Windows Server 2012 R2 by using IFM, you need to upgrade the domain controller first.
Windows Server 2008 R2 introduced a feature named Offline Domain Join that relies on a utility called Djoin.exe. Djoin.exe allows you to join a computer to a domain even if there is no live connection to a domain controller. If you earned your current Windows Server 2008 MCSA certification before the release of Windows Server 2008 R2, you might have missed this feature completely. Even though Djoin.exe isn’t new to Windows Server 2012 or Windows Server 2012 R2, it’s a good bet that you’ll see a simple question about it on the 70-417 exam. Note that for this exam, you don’t need to understand the specifics of how to use Djoin.exe; you just should know what it is used for.
To learn more about how to use Offline Domain Join and Djoin.exe, search for “Offline Domain Join (Djoin.exe) Step-by-Step Guide” or visit http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx.
Installing a domain controller in Windows Azure
Many companies are starting to use public cloud platforms such as Windows Azure (soon to be renamed Microsoft Azure) to host private servers and applications intended only for use internally within the same company. For example, a multi-branch organization might decide to deploy a line-of-business application in the cloud so that workers in all branch offices can access that application over the Internet. This IT decision then introduces a need for authentication in the cloud. Applications servers need some way to authenticate users, and the authentication provider should normally be local to the application server. A domain controller is often the best answer to provide this authentication.
The procedure of deploying domain controllers in Microsoft’s public cloud is now relevant for the 70-417 exam. In early 2014, the Install Domain Controllers objective was updated to include the task “Deploy Active Directory IaaS in Windows Azure.” IaaS refers to infrastructure-as-a-service, which, in turn, simply refers to a cloud service feature that lets you interact with hosted VMs at the operating system level but that hides the underlying infrastructure from you. So ultimately, “deploying Active Directory IaaS in Windows Azure” isn’t much different from installing a domain controller locally on company premises. However, there are a few Windows Azure-related concepts and preparatory steps that you definitely need to understand for the exam.
Active Directory IaaS is not the only way to authenticate users in Windows Azure. Windows Azure also provides a cloud-based authentication service branded as “Windows Azure Active Directory.” Windows Azure Active Directory is not included in the objectives for 70-417. For now, you just need to know that this alternative authentication service is not AD DS and does not rely on the same set of technologies. Windows Azure Active Directory is most appropriate for applications that are designed to be cloud-based.
Here are the steps required to deploy a domain controller in Windows Azure after you create a Windows Azure account and log on to the Windows Azure Management Portal at http://manage.windowsazure.com:
1. Add an affinity group. An affinity group is one of the Windows Azure-related concepts that you’re most likely to see on the 70-417 exam. An affinity group is a small physical area within one of the Microsoft data centers (“regions”) in which you can place VMs. Creating an affinity group will reduce latency among any virtual machines you later add to that affinity group.
A. To create an affinity group in the Windows Azure Management Portal, select Settings in the blue menu on the left, select Affinity Groups on the right, and then click Add (“+”) on the bottom menu. These options are highlighted in Figure 4-5.
FIGURE 4-5 The first step to adding a new affinity group
B. When you create a new affinity group, you have to specify a name and the Microsoft regional data center in which you want the affinity group to reside, as shown in Figure 4-6.
FIGURE 4-6 The second step to adding a new affinity group
2. Create a storage account. Before you create the VM in Windows Azure that will act as a domain controller, you need to create a storage account. Storage accounts in Windows Azure define the data redundancy type for the VMs later associated with the account. There are three redundancy options.
Locally Redundant Replication ensures that every VM in the storage account is replicated synchronously to two other nodes in the same data center.
Geo-Redundant Replication adds a second level to this baseline redundancy by performing asynchronous replication to a remote data center hundreds of miles away. At the remote, secondary location, three additional copies of the storage are kept.
Read Access - Geo Redundant Replication is like the Geo-Redundant Replication option, except that the data that is replicated to the remote location is stored as read-only.
A. To create a new storage account in the Windows Azure Management Portal, click Storage in the blue menu on the left. On the bottom menu, click +New, as shown in Figure 4-7.
FIGURE 4-7 The first step to creating a storage account
B. In the menu that expands, select Quick Create. This step opens configuration options on the right, as shown in Figure 4-8. You must then specify a unique URL along with an affinity group and choice of replication.
FIGURE 4-8 The second step to creating a storage account
3. Register a DNS server in Windows Azure. To lay the groundwork for the new virtual network that will contain your domain controller in Windows Azure, you first need to register a DNS server address. The new virtual network will use this DNS server. Later, this same internal IP address will be assigned automatically to the first VM in that virtual network.
A. To register the DNS server address in the Windows Azure Management Portal, select Networks in the blue menu on the left. Then click +New in the menu on the bottom, as shown in Figure 4-9.
FIGURE 4-9 Registering a DNS server through the Networks settings
B. Clicking New expands the bottom menu. When you choose Register DNS Server, configuration options that let you choose the name and address of the server appear on the right, as shown in Figure 4-10.
FIGURE 4-10 Registering a DNS server for a virtual network
4. Create a virtual network. A virtual network assigns IPv4 addressing information to an affinity group. When you create the virtual network, you choose a private IPv4 address space (10.x.x.x, 172.16.x.x, or 192.168.x.x), a maximum VM count (defined by a choice of subnet mask), and a DNS server address you have previously registered. Your virtual network will also include automatically configured subnets. Physical connectivity is automatically configured among the members of each subnet.
To create a new virtual network, select Network in the blue menu on the left in the Windows Azure Management Portal and then click New. In the expanded menu that appears, click Quick Create. This step opens the configuration options for the virtual network, as shown in Figure 4-11.
FIGURE 4-11 Creating a new virtual network in Windows Azure
5. Create a new Windows Server 2012 R2 virtual machine. The previous steps create the foundation for the VM that will act as the domain controller, and now you can finally create that VM and assign it to the virtual network and storage accounts you have previously defined.
A. To begin creating the VM, select Virtual Machines in the blue menu on the left in the Windows Azure Management Portal and then click +New on the bottom menu. In the expanded bottom menu that opens, click From Gallery, as shown in Figure 4-12. (Note that at the time of this writing, if you choose the Quick Create option, the VM is assigned to a new storage account with a randomly generated name, not to your previously created storage account.)
FIGURE 4-12 The first step to creating a new virtual machine in Windows Azure
B. At this point, you can select Windows Server 2012 R2 from the gallery of operating system options. (You won’t have to install the OS yourself on the new VM.) You will then be given an opportunity to specify a name for the VM, along with an administrator account name and password.
C. Next you will see the page in Figure 4-13. Here is where you can assign the new VM to a virtual network, subnet, and storage account. You will also have to assign the VM to a cloud service, which you can create with a name of your choice. You probably don’t need to understand cloud services for the 70-417 exam, but for now, just know that each cloud service is assigned one public IP address.
FIGURE 4-13 The second step to creating a new virtual machine in Windows Azure
6. Connect to the VM and install the domain controller.
A. After you create the VM, you can connect to it by selecting it in the Windows Azure Management Portal and then clicking Connect. This step opens up a Remote Desktop connection to the VM, and you can then log on to the server and interact with it through its desktop.
B. Once you can connect to the VM, you can proceed with installing the domain controller by following the directions at the beginning of this chapter. However, there is one key difference between installing a domain controller on-premises and in Windows Azure. In Windows Azure, you leave the VM with an automatically assigned address. Believe it or not, all servers in Windows Azure should be configured as DHCP clients. The reason this is possible is that DHCP clients in Windows Azure are given extremely long leases, on the order of 99 years or more. In addition, the first server in a virtual network will be assigned the DNS server address that you registered in step 3, so you have in this sense already chosen the address of the domain controller. That address will not change over the lifetime of the VM as long as you perform maintenance shutdowns of the system from within Windows. If you choose the option to shut down the VM from the Windows Azure Management Portal, however, the DHCP lease will be renewed upon restarting, opening the possibility that the address could change.
If you were to assign a static address to a server, you could eventually lose connectivity to that server because of routing changes internal to Windows Azure.
Connecting a Windows Azure domain controller to AD DS on-premises
The previous section described the process of creating a domain controller in a new forest in Windows Azure. Alternatively, you might also want to connect the domain controller to an existing forest or domain located on the company premises. This configuration requires a VPN connection between the domain controller hosted in Azure and the on-premises site. Both site-to-site and point-to-site VPN types can be configured in Windows Azure, but only a point-to-site VPN can be configured on an existing virtual network. A point-to-site VPN, incidentally, is an option in Windows Azure that lets you set up a VPN connection between an individual computer and a Windows Azure network without the use of a VPN device. However, a site-to-site VPN is more suitable for domain controller connectivity.
The steps involved in configuring VPNs in Windows Azure are beyond the scope of the 70-417 exam, but you should know that you need to configure a VPN connection to connect the domain controller hosted in Windows Azure to an existing on-premises AD DS.
Microsoft has announced that Windows Azure is being renamed Microsoft Azure. You can expect the name change to be reflected in the exams when the exams are updated.
Windows Server 2012 and Windows Server 2012 R2 have new procedures for installing a domain controller. To install a domain controller, first install the Active Directory Domain Services server role. You can accomplish this either by using the Add Roles And Features Wizard or by typing the following at an elevated Windows PowerShell prompt:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
In the GUI, after you install the Active Directory Domain Services server role, you can choose the option to promote the server to a domain controller that appears both at the end of the Add Roles And Features Wizard and in the notification menu in Server Manager.
In Windows PowerShell, to install the first domain controller in a new forest, use the Install-ADDSForest cmdlet. To install the first domain controller in a new domain in an existing forest, use the Install-ADDSDomain cmdlet. To install a new domain controller in an existing domain, use the Install-ADDSDomainController cmdlet.
Windows Server 2012 and Windows Server 2012 R2 allow you to perform an IFM installation of a domain controller without first performing an offline defrag of the Active Directory database. To achieve this, in the IFM subcommand menu of the Ntdsutil utility, use either the Create Full NoDefrag parameter or the Create Sysvol Full NoDefrag parameter.
To deploy a domain controller in Windows Azure, you first need to create an affinity group, create a storage account, pre-register the DNS server address you are going to assign to the domain controller, create a virtual network where the domain controller will be hosted, and finally create the VM with the Windows Server operating system of your choice. The domain controller in Windows Azure should remain a DHCP client. To connect the domain controller to an existing Active Directory forest, you need to configure the virtual network with VPN connectivity.
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. You are a network administrator for Fabrikam.com. You want to set up a new domain that is completely separate from the existing company network. The purpose of the domain is to test functionality and application compatibility in Windows Server 2012 R2.
You have installed Windows Server 2012 R2 on the first server and now want to promote it to a domain controller. Which of the following two commands or cmdlets should you run? (Choose two. Each answer is part of the solution.)
2. You are a network administrator for Fabrikam.com. You want to add a new domain controller to the Fabrikam.com domain by using the Installation from Media (IFM) option.
You select a storage device with 12 GB of space to store the NTDS database and the SYSVOL folder. The contents of the NTDS database amount to 100 MB, and the SYSVOL folder amounts to 30 MB.
At an elevated command prompt on a Windows Server 2012 R2 domain controller, you enter the Ntdsutil utility and activate the instance of NTDS. You then enter the IFM subcommand menu.
Your goal is to write both the NTDS database and SYSVOL to your storage media, and to achieve this as quickly as possible. Which parameter should you use?
A. Create Full NoDefrag
B. Create Sysvol Full NoDefrag
C. Create Full
D. Create Sysvol Full
3. You have installed Windows Server 2012 R2 on a new server named RODC1. You now want to use Windows PowerShell to make RODC1 a Read-Only Domain Controller (RODC) in the Fabrikam.com domain.
Which of the following Windows PowerShell cmdlets is not necessary to run in order to achieve your goal?
4. You are a system administrator for Contoso. The Contoso company network includes a single Active Directory domain named Contoso.com. Currently, all servers are located on the company premises.
The company now wants to deploy two new servers in Windows Azure: an application server and a domain controller. The domain controller should be a member of the Contoso.com domain and will provide authentication for the application server.
You create an account for your organization and sign in to the Windows Azure Management Portal.
Which of the following steps should you take? (Choose all that apply.)
A. Create an affinity group.
B. Assign a static address to the VM that will be the domain controller.
C. Create a site-to-site VPN to connect the servers to the company network.
D. Manually install Active Directory Domain Services on the VM that will be the domain controller.
Thought experiment: Configuring Hyper-V at Contoso
Your company, Contoso.com, is experiencing rapid growth.
As a way to provide scalability to meet the IT demands of continued growth, the company is building a new virtual infrastructure. The IT department has purchased eight physical servers to host virtualized instances of your servers and of client machines. All eight servers are running Windows Server 2012 R2 with the Hyper-V server role installed. All guest servers are currently running Windows Server 2008 R2.
A company goal is to move all of Contoso’s workloads to the virtual infrastructure.
Currently, the network includes a single domain named Contoso.com. Users have complained that login times are slow, especially at the beginning of the workday.
You can find the answers to these questions in the “Answers” section.
1. You create a new virtual machine and install Windows Server 2012 R2. You name the server DC2012A. You now want to promote DC2012A to a new domain controller in the Contoso.com domain. What complete Windows PowerShell command should you run on DC2012A to install the server as an additional domain controller in the Contoso.com domain?
2. You want to promote a computer named DC2012B, which is also running Windows Server 2012 R2. You want DC2012B to be a Read-Only Domain Controller. Which Windows PowerShell cmdlets should you use to create an RODC account for DC2012B and to make it an RODC?
3. The research department has requested the creation of their own domain. You install Windows Server 2012 R2 on a new virtual machine and name the computer ResDC. You now want to promote ResDC to be the first domain controller in a new domain named research.contoso.com. What complete Windows PowerShell command should you run on ResDC to achieve this goal?
This section contains the answers to the Objective Reviews and the Thought Experiment.
Objective 4.1: Review
1. Correct answers: C, D
A. Incorrect: You would use this cmdlet to install the first domain controller in a new domain, but only within an existing forest. You want the new domain to be completely separate from the existing company network.
B. Incorrect: You would use this cmdlet to add an additional domain controller to an existing domain.
C. Correct: You need to use the Install-ADDSForest cmdlet because you want to create a new domain that is completely separate from the company network. This cmdlet automatically promotes the server to a domain controller in the new domain.
D. Correct: Before using the Install-ADDSForest cmdlet, you need to add the Active Directory Domain Services server role. This cmdlet helps you accomplish that goal. The full syntax of the command is:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
E. Incorrect: This command can be used only with an answer file in Windows Server 2012 and Windows Server 2012 R2. There is no indication that an answer file is available, and if there were, it would most likely provide a configuration for the Fabrikam.com network, from which the new domain controller must be kept separate.
2. Correct answer: B
A. Incorrect: This parameter would copy the NTDS database but not the SYSVOL folder to the media.
B. Correct: This parameter would write both the NTDS database and SYSVOL to the media. In addition, it would achieve the result as quickly as possible because it avoids the step of offline defragmentation of this data. You have ample storage space on your media, so offline defragmentation is not necessary.
C. Incorrect: This parameter would copy the NTDS database but not the SYSVOL folder to the media.
D. Incorrect: This parameter would write both the NTDS database and SYSVOL to the media. However, it would not achieve the result as quickly as possible because offline defragmentation will be performed.
3. Correct answer: A
A. Correct: This cmdlet would help you install the first domain controller in a new domain in an existing forest. You cannot use it to install an RODC because the first domain controller in a domain cannot be an RODC.
B. Incorrect: You need to use this cmdlet to install Active Directory Domain Services before you install the domain controller.
C. Incorrect: You need to use this cmdlet to add an additional domain controller to an existing domain. You would use the -ReadOnlyReplica parameter to make the new domain controller an RODC. Perform this step after you have created a computer account for the RODC.
D. Incorrect: You would use this cmdlet to create a computer account for the RODC in the domain.
4. Correct answers: A, C, D
A. Correct: You want to create an affinity group for the two servers because you want them to be in close physical proximity to each other.
B. Incorrect: You shouldn’t assign static addresses to VMs in Windows Azure.
C. Correct: You need to create a VPN connection to allow communication between the DC in Windows Azure and the domain controllers on the company premises.
D. Correct: You should perform the installation of Active Directory Domain Services on the VM as if it were hosted on the local premises.
Thought experiment
1. Install-ADDSDomainController -DomainName "contoso.com"
2. To create the RODC account, use the Add-ADDSReadOnlyDomainControllerAccount cmdlet. To turn the computer into an RODC, use the Install-ADDSDomainController cmdlet with the -ReadOnlyReplica parameter.
3. Install-ADDSDomain -NewDomainName research -ParentDomainName contoso.com
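The staged RODC deployment named in answer 2, as an added example that is not part of the book: the RODC account for DC2012B is pre-created with a password replication policy and a delegated administrator, and the server is then attached to that account. Site, group and account names are constructed placeholders; the second step uses -UseExistingAccount to attach to the pre-created account, whereas -ReadOnlyReplica creates the account and promotes in a single call.

```powershell
# Added example (not from the book): staged RODC deployment for DC2012B in
# contoso.com. Site, group and account names are constructed placeholders.
#Requires -RunAsAdministrator
$DomainName = 'contoso.com'
$RodcName   = 'DC2012B'
$SiteName   = 'Branch-Site'   # assumed to exist in AD Sites and Services

# Step 1 (run by a Domain Admin on a domain-joined machine that has the AD DS
# deployment cmdlets): pre-create the RODC account. The password replication
# policy limits which account secrets the RODC may cache if the branch server
# is stolen, and a delegated group, not Domain Admins, finishes the promotion.
$da = Get-Credential -Message "Domain Admins account in $DomainName"
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName $RodcName `
    -DomainName $DomainName -SiteName $SiteName -Credential $da `
    -DelegatedAdministratorAccountName 'CONTOSO\BranchAdmins' `
    -AllowPasswordReplicationAccountName 'CONTOSO\BranchUsers' `
    -DenyPasswordReplicationAccountName 'CONTOSO\Domain Admins','CONTOSO\Server Operators' `
    -InstallDns

# Step 2 (run on DC2012B by a member of BranchAdmins): install the role, then
# attach the server to the pre-created account. -UseExistingAccount and
# -ReadOnlyReplica belong to different parameter sets and are not combined.
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw 'AD DS role installation failed' }
$dsrm      = Read-Host -Prompt 'DSRM (Safe Mode) password' -AsSecureString
$delegated = Get-Credential -Message 'BranchAdmins member account'
Install-ADDSDomainController -DomainName $DomainName -UseExistingAccount `
    -Credential $delegated -SafeModeAdministratorPassword $dsrm -InstallDns -Force
```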