Domain Controller Installation Summary

Promoting a domain controller refers to the process of installing Active Directory Domain Services (AD DS) on a member server, which turns that server into a domain controller. The following list contains the requirements for installing AD DS:

  • You must have the rights that the deployment operation requires: membership in the local Administrators group to create a new forest, Enterprise Admins to add a new domain or tree to an existing forest, and Domain Admins to add a domain controller to an existing domain. Extending the schema (which adding the first Windows Server 2012 domain controller to an older forest does) additionally requires Schema Admins and Enterprise Admins membership in the forest root domain.
  • You must have properly configured static IP addresses and Domain Name System (DNS) server addresses.
  • You must verify that a DNS infrastructure is in place on your network before you add AD DS to create a domain or forest.
  • Use local, fixed disks for the volumes that store the database, log files, and SYSVOL folder for AD DS.
  • SYSVOL must be stored on an NTFS volume. For added security, place the database and log files on an NTFS volume as well, so that file system permissions can restrict access to them.
  • Because Active Directory is time sensitive (Kerberos rejects authentication requests when a client's clock differs from the domain controller's by more than the permitted skew, five minutes by default), ensure that the time zone and time are correct.

    Settle the server's name before you promote it. A domain controller can be renamed afterwards (with netdom computername /add, /makeprimary and /remove), but the change affects its DNS records, service principal names and replication partners, so it is disruptive and best avoided.

There are four methods for Active Directory Domain Services (AD DS) installation: the Active Directory Domain Services Installation Wizard, the command line, an answer file, and installation from media. Each is described below.

Active Directory Domain Services Installation Wizard

AD DS installation using wizards requires the following actions:

  • For Windows Server 2008 and 2008 R2:
    • In Server Manager, run the Add Roles Wizard to install the Active Directory Domain Services binaries.
    • Run dcpromo.exe when prompted. The dcpromo command launches the Active Directory Domain Services Installation Wizard. This wizard can be used to install new 2008 forests, trees, domains, and domain controllers.
  • For Windows Server 2012:
    • In Server Manager, run the Add Roles and Features Wizard to install the Active Directory Domain Services role to the server.
    • You will then have the option to Promote this server to a domain controller. Select this option to launch the Active Directory Domain Services Configuration Wizard (the Windows Server 2012 name for the promotion wizard). This wizard can be used to install a Windows Server 2012 domain controller in a new forest, in a new tree or domain within an existing forest, or as an additional domain controller in an existing domain.
    • Server Manager begins every domain controller promotion with the Deployment Configuration page. The deployment operation you select determines the options and required fields you see during the rest of the wizard.

      To remove Active Directory, open Server Manager, click the Manage menu, select Remove Roles and Features, and clear the Active Directory Domain Services role. Server Manager then prompts you to demote the domain controller; the role cannot be removed until the demotion has completed.

Command Line

In Windows Server 2008, use the dcpromo command combined with unattended installation switches and parameter values to create forests, domains, and domain controllers. For a complete list of unattended installation switches, including default values, allowed values, and descriptions, type dcpromo /?:Promotion at the command prompt.

In Windows Server 2012, you can install roles and features using the Install-WindowsFeature cmdlet. For example, use the following to install the Active Directory Domain Services role, including the management tools (the graphical snap-ins and the ActiveDirectory PowerShell module):

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

In Windows Server 2012, the dcpromo unattended operation is replaced by the ADDSDeployment module for Windows PowerShell. When using Windows PowerShell to promote a domain controller, you use one of the following three cmdlets, depending on the deployment operation:

  • Install-ADDSForest (create a new forest)
  • Install-ADDSDomainController (add a writable or read-only domain controller to an existing domain)
  • Install-ADDSDomain (create a new child domain or tree in an existing forest)

When you run any one of these cmdlets without parameters, you are prompted for the values it needs (such as the domain name and the Directory Services Restore Mode password) and asked to confirm before the promotion starts. Each cmdlet has a matching test cmdlet (Test-ADDSForestInstallation, Test-ADDSDomainControllerInstallation, Test-ADDSDomainInstallation) that runs the same prerequisite checks without changing the server.

To easily obtain a PowerShell script, run the promotion wizard on Windows Server 2012 with a GUI and, on the Review Options page, click View script. The wizard displays the equivalent ADDSDeployment commands for the choices you made, which you can copy and reuse for unattended installations; you can then cancel the wizard or let it complete.
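The following is an added example, not code from the original page, showing how the ADDSDeployment cmdlets are used in practice: it runs the prerequisite test cmdlet before each promotion, keeps the DSRM password out of the script, and shows the writable and read-only variants of Install-ADDSDomainController. It assumes a Windows Server 2012 member server on which the AD DS binaries are already installed; the domain name corp.example.com, the NetBIOS name CORP, the paths, the site names, the group CORP\Branch Users and the source DC dc01.corp.example.com are placeholders.

```powershell
# Added example; not code from the original page. Assumes a Windows Server 2012
# member server on which the AD DS binaries are already installed
# (Install-WindowsFeature AD-Domain-Services -IncludeManagementTools) and that
# the domain name, NetBIOS name, paths, site, group and DC names below are
# placeholders for your own environment.
Import-Module ADDSDeployment

# Never hard-code the DSRM (Safe Mode) password: it would end up on disk and in
# PowerShell transcripts. Prompt for it as a SecureString instead.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Settings shared by every promotion. Keep NTDS, logs and SYSVOL on a local,
# fixed NTFS data volume rather than the system drive.
$common = @{
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
}

function Assert-PrereqCheck($result, [string]$what) {
    # The Test-ADDS* cmdlets run the wizard's validation without changing the
    # server and return a result object with Status, Message and Context.
    $result.Message
    if ($result.Status -ne 'Success') {
        throw "$what prerequisite check failed; fix the reported issues before promoting."
    }
}

function New-CorpForest {
    $forest = @{
        DomainName          = 'corp.example.com'
        DomainNetbiosName   = 'CORP'
        ForestMode          = 'Win2012'
        DomainMode          = 'Win2012'
        CreateDnsDelegation = $false
    }
    Assert-PrereqCheck (Test-ADDSForestInstallation @common @forest) 'Forest'
    # -NoRebootOnCompletion lets you inspect the result before restarting;
    # -Force suppresses the interactive confirmation for unattended use.
    Install-ADDSForest @common @forest -NoRebootOnCompletion -Force
}

function Add-CorpDomainController {
    param([string]$Site = 'HQ', [switch]$ReadOnly)
    $dc = @{
        DomainName          = 'corp.example.com'
        Credential          = (Get-Credential -Message 'Account with Domain Admins rights')
        SiteName            = $Site
        ReplicationSourceDC = 'dc01.corp.example.com'
    }
    if ($ReadOnly) {
        # For exposed locations (branch office, cloud VM): an RODC holds no
        # writable replica and caches only the secrets its password replication
        # policy allows, so a stolen VM or disk exposes far less.
        $dc.ReadOnlyReplica                     = $true
        $dc.AllowPasswordReplicationAccountName = @('CORP\Branch Users')
        $dc.DenyPasswordReplicationAccountName  = @('CORP\Domain Admins', 'CORP\Enterprise Admins')
    }
    Assert-PrereqCheck (Test-ADDSDomainControllerInstallation @common @dc) 'Domain controller'
    Install-ADDSDomainController @common @dc -NoRebootOnCompletion -Force
}

# Usage: run exactly one of these on the server being promoted, then reboot.
#   New-CorpForest
#   Add-CorpDomainController -Site 'Branch-Site' -ReadOnly
#   Restart-Computer
```

Running the test cmdlet first is what the wizard's Prerequisites Check page does for you; in a script it is the difference between a clean failure message and a half-promoted server. The DSRM password is a local break-glass credential for the domain controller, so it is prompted for and never written to the script.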

Answer file

An answer file, also referred to as an unattended install file, is a text file containing a [DCINSTALL] section of Active Directory configuration values; dcpromo reads it to install AD DS on either a full installation of Windows Server 2008 or a Server Core installation, where no wizard is available. To create an answer file, you can:

  • Run the Active Directory Domain Services Installation Wizard and, on its Summary page, click Export settings to save your choices to a file.
  • Create or edit the answer file directly using a text editor.

To perform the install using the answer file, run dcpromo /unattend:C:\unattend.txt, substituting the path of the answer file you created. Because the file can hold the promoting account's password and the Directory Services Restore Mode password in plain text, restrict who can read it and delete it when the promotion is finished.

Using dcpromo with an answer file still works in Windows Server 2012, but it is deprecated: running dcpromo without /unattend only displays a message directing you to Server Manager, and unattended runs generate a warning recommending the ADDSDeployment cmdlets instead.
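As an added example (not from the original page), the script below writes a [DCINSTALL] answer file for an additional domain controller, locks its permissions down, runs dcpromo with it, and removes the file before the reboot. The domain name corp.example.com, the site Branch-Site, the source DC dc01.corp.example.com and the paths are placeholders; Password=* is the documented way to have dcpromo prompt for the promoting account's password rather than store it.

```powershell
# Added example; not code from the original page. Writes a [DCINSTALL] answer
# file for a replica (additional) domain controller and runs dcpromo with it.
# Domain name, site, source DC and paths are placeholders.
$answerFile = 'C:\Deploy\unattend.txt'
New-Item -ItemType Directory -Path (Split-Path $answerFile) -Force | Out-Null

# Password=* makes dcpromo prompt for the promoting account's password instead
# of storing it. The DSRM password has to be written into the file, so the
# file is a credential from the moment it exists: lock it down and remove it.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

@"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
SiteName=Branch-Site
ReplicationSourceDC=dc01.corp.example.com
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="D:\NTDS"
LogPath="D:\NTDS"
SYSVOLPath="D:\SYSVOL"
UserDomain=corp.example.com
UserName=administrator
Password=*
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding Default
$dsrmPlain = $null

# Only SYSTEM and the local Administrators group may read the file.
$acl = Get-Acl -Path $answerFile
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $answerFile -AclObject $acl

# Run the unattended promotion. RebootOnCompletion=No lets the script delete
# the answer file before the restart; progress and errors are written to
# %SystemRoot%\debug\dcpromo.log.
& dcpromo.exe "/unattend:$answerFile"
Remove-Item -Path $answerFile -Force
Write-Host 'Review %SystemRoot%\debug\dcpromo.log, then run Restart-Computer to finish.'
```

The same [DCINSTALL] body works on a Windows Server 2008 Server Core installation, where it must be created with a text editor or copied in; the PowerShell wrapper is only a convenience for generating it and cleaning up afterwards.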

AD DS installation from media

Install from media (IFM) is an alternate method of installing an additional domain controller. The media, created from an existing domain controller, contains a copy of the Active Directory database (and, optionally, SYSVOL); the configuration values still come from the unattended installation parameters or cmdlet arguments. During installation, the Active Directory database is copied from the media instead of being replicated in full from another domain controller, and only the changes made since the media was created are pulled over the network. Use the media installation method when the new domain controller is connected to its replication partners over a slow or expensive link, such as a branch office WAN connection. The new domain controller must still be able to contact a writable domain controller during installation to replicate those recent changes, and the media must be newer than the forest's tombstone lifetime or the installation is refused. Use one of the following to create the installation media:

  • Run ntdsutil.exe on an existing writable domain controller and use its ifm command. Create a full copy for a writable domain controller, or an rodc copy, from which secrets such as password hashes have been removed, for a read-only domain controller.
  • Run Windows Server backup in Windows Server 2008 or Windows Server 2012. A critical-volumes backup includes all files on the volumes that are required to recover AD DS, which requires significantly more space than is required for AD DS installation.

To install a domain controller using media, use one of the following methods:

  • In the Active Directory Domain Services Installation Wizard, use the Install from Media page to refer to the location of the shared folder or removable media.
  • Use the /ReplicationSourcePath parameter (or the ReplicationSourcePath value in an answer file) during an unattended dcpromo installation, or the -InstallationMediaPath parameter of Install-ADDSDomainController, to specify the location of the shared folder or removable media.

Because full installation media contains every password hash in the domain, treat it as you would a backup of the directory database: restrict who can read it, move it only over encrypted channels or on encrypted removable media, and delete it once the new domain controller is in service.

When upgrading domain controllers to Windows Server 2012 or Windows Server 2012 R2, know that:

  • Only Windows Server 2008 and 2008 R2 domain controllers can be upgraded in place to Windows Server 2012 or Windows Server 2012 R2. In-place upgrade from Windows Server 2003 is not supported; instead, add a new Windows Server 2012 domain controller to the domain, transfer any operations master roles to it, and demote the old one.
  • The domain controllers must have the latest service packs installed, and the edition cannot be lowered: Standard can be upgraded to Standard or Datacenter, but Datacenter cannot be upgraded to Standard.
  • Windows Server 2012 and Windows Server 2012 R2 are 64-bit only; this means that you cannot upgrade a 32-bit domain controller in place.
  • The forest and domain must be prepared for the new schema. Promoting a new Windows Server 2012 domain controller runs adprep automatically, but before an in-place upgrade of an existing domain controller you must run adprep /forestprep and adprep /domainprep yourself.

Active Directory on Windows Azure

Active Directory domain controllers are typically deployed on physical hardware in a data center. However, they can also be implemented in the cloud using Windows Azure. Using a cloud-based Active Directory deployment on Windows Azure would be beneficial for:

  • Improving authentication performance at remote locations where a WAN link is not a suitable option and the cost and lack of technical expertise do not allow for an on-site domain controller.
  • Providing a disaster recovery site.
  • Deploying network applications.

Deploying Active Directory via Windows Azure can be done in two ways:

  • Implementing Active Directory domain controllers on Windows Azure virtual machines (VMs) in the cloud
  • Using the Windows Azure Active Directory SaaS cloud service

Using the first option, you deploy virtual machines in the Azure cloud, install Windows Server on those virtual machines, and then make them domain controllers. These cloud-based domain controllers are connected to an organization’s local data center. Below is an example diagram of this option:

In the figure above, two cloud-based domain controllers are running on Azure virtual machines. These VMs are connected using the Azure virtual network (VNET) that is connected to an organization’s local datacenter using a virtual private network (VPN) connection. The Azure domain controller VMs function as if they were local domain controllers located on a different subnet somewhere else in the network. In this scenario, users at a branch office without a locally-installed domain controller can authenticate using the cloud-based domain controllers over the Internet. No expensive WAN connectivity to the home office is required.

When using cloud-based virtual domain controllers, you should be aware of the following:

  • User authentication requests should go to the cloud only when necessary, because an Internet connection is slower than the local network connection. For example, in the figure above, users at the company's home office should always use the local domain controllers for authentication unless those are unreachable for some reason. Active Directory directs clients to domain controllers by site, so this is controlled by the subnet-to-site mappings you define.
  • Cloud-based domain controllers should be installed in their own Active Directory site. This keeps home-office clients from selecting them and lets you configure how often replication with the on-premises sites occurs.
  • With Windows Azure, you are charged for outbound traffic but not for inbound traffic. To reduce outbound traffic, consider deploying cloud domain controllers as Read Only Domain Controllers (RODC). An RODC also limits the damage if the cloud VM is compromised: it holds no writable copy of the directory, and its password replication policy decides which accounts' secrets it caches at all.
  • Store the Active Directory database, log files, and SYSVOL on a separate data disk with host caching disabled. Write caching can lose committed transactions during a crash and cause an update sequence number (USN) rollback on the domain controller.
  • Running domain controllers on Azure virtual machines requires that you configure your own DNS: the Azure-provided name resolution cannot host the Active Directory zones, so give the domain controller VMs static private IP addresses and point the virtual network's DNS settings at them.
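The site and replication points in the list above, worked through as an added example that is not part of the original page: it creates a dedicated site for the Azure-hosted domain controllers, maps the Azure virtual network and the DC-less branch office to it, puts the link to the home-office site on an hourly schedule with a high cost, and verifies the result. The site names HQ and Azure-WestUS, the subnets, and the DC names AZDC01 and AZDC02 are placeholders; it assumes the Azure DCs have already been promoted with Install-ADDSDomainController and runs once, with Enterprise Admins rights, on any writable domain controller.

```powershell
# Added example; not code from the original page. Creates a dedicated site for
# Azure-hosted domain controllers so that only Azure VNet and branch-office
# clients are directed to them, home-office clients keep using the on-premises
# DCs, and inter-site replication runs on a schedule you choose. Site names,
# subnets and DC names are placeholders. Requires Enterprise Admins rights.
Import-Module ActiveDirectory

$hqSite    = 'HQ'                 # existing on-premises site
$azureSite = 'Azure-WestUS'
$azureVnet = '10.10.0.0/16'       # address space of the Azure virtual network
$branchNet = '192.168.50.0/24'    # branch office that has no local DC
$azureDCs  = 'AZDC01', 'AZDC02'   # cloud VMs already promoted with Install-ADDSDomainController

New-ADReplicationSite -Name $azureSite

# The DC locator maps a client's IP address to a site through subnet objects
# and prefers DCs in that site. Mapping the VNet and the branch network here
# steers them to the Azure DCs; HQ subnets (already mapped to $hqSite) are not.
New-ADReplicationSubnet -Name $azureVnet -Site $azureSite
New-ADReplicationSubnet -Name $branchNet -Site $azureSite

# Replicate between HQ and Azure every 60 minutes rather than the 180-minute
# default, and make the link expensive so the KCC never routes other sites'
# replication through Azure (outbound traffic is what is billed).
New-ADReplicationSiteLink -Name "$hqSite-$azureSite" `
    -SitesIncluded $hqSite, $azureSite `
    -Cost 200 -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# Move the cloud DCs into the new site. Install-ADDSDomainController -SiteName
# does this at promotion time; this step covers DCs promoted into another site.
foreach ($dc in $azureDCs) {
    Move-ADDirectoryServer -Identity $dc -Site $azureSite
}

# Verify: every cloud DC should report the new site; IsReadOnly shows which
# of them are RODCs.
Get-ADDomainController -Filter { Site -eq $azureSite } |
    Select-Object Name, Site, IsReadOnly, IPv4Address
# On a branch-office client, 'nltest /dsgetsite' should print Azure-WestUS.
```

The subnet objects are the piece most often forgotten: without them a branch client falls back to whatever domain controller answers first, which may be an on-premises DC across the Internet rather than the nearby cloud one.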

Alternatively, you can also use Azure Active Directory. Because Azure Active Directory is provided as a cloud service, there is no need to set up virtual machines and install Windows Server. An example deployment is shown in the diagram below:

This deployment option is particularly useful because it can be leveraged to give users single sign-on access to other SaaS applications, such as Office 365 and SharePoint. You can use the cloud directory as your organization's sole directory service, or you can connect your local Active Directory implementation to the cloud directory service. However, be aware that the cloud directory uses a simplified schema and doesn't support Group Policy. Therefore, it is recommended that you use Azure Active Directory in conjunction with a locally-installed Active Directory deployment.

© Data Coincide, LLC 2010-2019