add 2008 in 2003 domain


Upload: imamitohm

Post on 10-May-2017


Page 1: Add 2008 in 2003 Domain

Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network     

 


Prerequisites

To configure a Windows Server 2008 R2 Domain Controller within a Windows 2003 network, we need to check that the Domain Functional Level is set to at least Windows 2000 native mode. The preferable Domain Functional Level is Windows Server 2003. When it is set to Windows Server 2003 mode, and you have only one domain in the forest or every domain has only Windows 2003 Domain Controllers, you can also raise the Forest Functional Level to Windows Server 2003 so that you can use a Read-Only Domain Controller (RODC) within your network.

We can check this in the domain where we want to install the first 2008 R2 DC. To verify it, we need to use the “Active Directory Users and Computers” or “Active Directory Domains and Trusts” console.

Using the “Active Directory Users and Computers” console, select your domain and right-click (RMB) it. Choose “Raise Domain Functional Level” and check the current level.

If you see a screen like this (mixed mode), it means that you need to raise your Domain Functional Level.


Domain Functional Level

But remember, raising the Domain Functional Level is a one-time action and cannot be reverted. Before you raise it to 2000 native mode, please ensure that all of your Domain Controllers are running at least Windows 2000 Server.

Windows 2000 native mode does not support DCs based on earlier Microsoft Windows systems like NT4.

If your environment doesn’t have any NT4, 2000 Domain Controllers, you can raise the Domain Functional Level to Windows Server 2003 mode.

Now, when you have checked that you do not have any pre-2000 OS, select the appropriate level and click the “Raise” button


Raising Domain Functional Level

and accept the change. You will be warned that reverting the change won’t be possible!

Warning

Information about the successful change will be displayed.

Information

After successful change, you should see changed domain operation mode.


Verification

Another way to do that is to use the Active Directory Domains and Trusts console. Run this console, select the domain for which you want to check the Domain Functional Level and choose “Raise Domain Functional Level”.

Follow the same steps as in the previous console.

Here you can also raise your Forest Functional Level if all of your Domain Controllers in the entire forest are running Windows Server 2003. If not, please skip the steps below and go to the Single Master Operation Roles section.

To raise the Forest Functional Level, select the “Active Directory Domains and Trusts” node, right-click (RMB) it and choose “Raise Forest Functional Level”. On the list, accept “Windows Server 2003” mode by clicking the “Raise” button.


Raising Forest Functional Level

You will be notified that this action is also not reversible. Confirm that you know what you are doing and then verify that your Forest Functional Level is set to Windows Server 2003.

Forest Functional Level

Now, it’s time to determine which Domain Controller(s) hold(s) the Single Master Operation Roles. The most important ones for preparing the environment for a 2008 R2 DC are:

Schema Master

Infrastructure Master

On that/those DC(s) we have to run the Active Directory preparation tool.


To determine which DC(s) hold(s) these roles we need to use:

Active Directory Users and Computers and Active Directory Schema consoles

or

netdom command from Support Tools (Support Tools have to be installed from Windows 2000 Server CD from Support folder)

To determine which DC holds the Schema Master role, run the following in the command line on one of the DCs, or on a workstation with Administrative Tools installed,

regsvr32 schmmgmt.dll

to register the Schema snap-in within the OS.

Registration of the Active Directory Schema console

Now, open MMC console from run box

MMC console

Within that console add Active Directory Schema snap-in


Active Directory Schema snap-in

Right-click (RMB) the “Active Directory Schema” node and choose “Operation Master”. Write down or remember which DC holds it.

Schema Master owner

Close MMC without saving changes.

Now we need to identify the Infrastructure Master within your network. To do that, open the Active Directory Users and Computers console, select your domain and right-click (RMB) it. From the pop-up menu, choose “Operation Masters”. Select the “Infrastructure” tab.


Infrastructure Master owner

In my case, both Operation Masters are located on the same DC.

To verify the necessary Operation Masters much faster, we can use the netdom command installed from Support Tools. Open the command line and go to the default installation directory:

C:\Program Files\Support Tools

then type:

netdom query fsmo

and identify the DC(s) from the output.

netdom output

We have collected almost all the information needed to start AD preparation for the first Windows Server 2008 R2 Domain Controller. The last and most important part before we start the preparation is checking the Forest/Domain condition by running:

Dcdiag (from Support Tools)

Repadmin (also from Support Tools)


Run in the command line on a DC where you have installed Support Tools

dcdiag /v

and check that there are no errors. If there are, please correct them.

An example part of output from dcdiag tool

dcdiag

Now run in the command line:

repadmin /showrepl /all /verbose

to check that your DCs are replicating data without errors.

repadmin

After those checks, you can start with Active Directory preparation.
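The checks above, gathered into one go/no-go gate, as an added example that is not part of the original article: it reads saved output of netdom query fsmo, dcdiag /v and repadmin /showrepl /all /verbose, reports which DC holds the Schema and Infrastructure roles, and refuses to proceed while any test or replication attempt has failed. The sample output is constructed and its layout is an assumption about what the tools print; the function names are hypothetical.

```python
import re

# Constructed sample output (host names, times and failures are invented),
# shaped like what the three Support Tools commands are assumed to print.
NETDOM_FSMO = """\
Schema owner                dc01.example.local
Domain role owner           dc01.example.local
PDC role                    dc02.example.local
RID pool manager            dc02.example.local
Infrastructure owner        dc02.example.local
The command completed successfully.
"""
DCDIAG = """\
   Starting test: Replications
      ......................... DC01 passed test Replications
   Starting test: Replications
      ......................... DC02 failed test Replications
"""
REPADMIN = """\
    Default-First-Site-Name\\DC02 via RPC
        Last attempt @ 2010-03-01 10:15:02 was successful.
    Default-First-Site-Name\\DC01 via RPC
        Last attempt @ 2010-03-01 10:15:40 failed, result 1722 (0x6ba):
"""

def fsmo_holders(text):
    """Map role label -> DC from 'netdom query fsmo' (label, 2+ spaces, host)."""
    rows = (re.match(r"(\S.*?)\s{2,}(\S+)\s*$", ln) for ln in text.splitlines())
    return {m.group(1).lower(): m.group(2).lower() for m in rows if m}

def holder(roles, prefix):
    """Find a role by prefix so 'Schema owner' and 'Schema master' both match."""
    return next((dc for role, dc in roles.items() if role.startswith(prefix)), None)

def preflight(fsmo_out, dcdiag_out, repadmin_out):
    """Decide where adprep runs and whether the forest is healthy enough."""
    roles = fsmo_holders(fsmo_out)
    schema, infra = holder(roles, "schema"), holder(roles, "infrastructure")
    problems = [f"dcdiag: {dc} failed test {test}" for dc, test in
                re.findall(r"\.{3,}\s+(\S+) failed test (\S+)", dcdiag_out)]
    problems += [f"repadmin: attempt at {ts} failed, result {code}" for ts, code in
                 re.findall(r"Last attempt @ (.+?) failed, result (\d+)", repadmin_out)]
    if not (schema and infra):
        problems.append("Schema or Infrastructure role holder not identified")
    return {"forestprep_on": schema, "domainprep_on": infra,
            "go": not problems, "problems": problems}

if __name__ == "__main__":
    print(preflight(NETDOM_FSMO, DCDIAG, REPADMIN))
```

The "forestprep_on" host is where adprep /forestprep belongs and "domainprep_on" is where adprep /domainprep belongs; an empty "problems" list is the condition for starting either.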


Active Directory preparation

Before we start preparing AD for the new Windows Server 2008 R2 DC, we need to be sure that we are members of:

Enterprise Admins group or

Schema Admins group

and that we have a DVD with Windows Server 2008 R2.

Let’s start preparing Active Directory for the first Windows Server 2008 R2 Domain Controller.

Log on to the Schema Master owner (we identified it in the previous steps) as a user from one of the groups mentioned above and put the installation media into the DVD-ROM. Run the command line and go to

<DVD-Drive-Letter>:\support\adprep

example:

d:\support\adprep

You will find there two AD preparation tools:

adprep (64-bit application for 64-bit platforms)

adprep32 (32-bit application for 32-bit platforms)

We need to use adprep32 on the Schema Master (because it is a 32-bit OS). If you have 64-bit Windows Server 2003, use adprep instead. So, type in the command line

adprep32 /forestprep

Forest preparation

As you can see, adprep informs you that all of your Windows 2000 Domain Controllers require at least SP4 before you start extending the schema.


Warning

If you followed the previous steps of this article, all of your DCs have SP4 installed or you have no 2000 DCs at all. You can continue by pressing the C key on the keyboard and wait until the AD preparation tool finishes its actions.

adprep32 /forestprep

Your schema in a forest is extended.

You may also wish to run adprep32 /rodcprep if you have Windows Server 2003 at Forest Functional Level. If not, you will be able to do that at any time in the future.

Preparing environment for RODC

If everything goes fine, you will see no errors.


/rodcprep output

The last step before we can introduce 2008 R2 as a DC is to prepare the domain for it.

Log on to the Infrastructure Master owner as Domain Administrator and put the DVD installation media into the DVD-ROM. Open the command line and, as previously, go to the \support\adprep directory.

Then type

adprep32 /domainprep /gpprep

Preparing domain

and wait until adprep finishes its actions.

Congratulations! Your domain is now ready for the first Windows 2008 R2 Domain Controller.

You can check that by using the ADSIEdit console or the free ADFind command-line tool, which can be downloaded from the Internet.

Open the run box and type adsiedit.msc to open ADSI Editor.

Running ADSIEdit

Expand the “Schema” node and select the “Schema” container. Right-click (RMB) it and choose “Properties”. You will see the schema “Attribute Editor” tab. Check “Show only attributes that have values” and search for the “objectVersion” attribute.


Verifying schema version

Value 47 tells you that your Schema version is Windows Server 2008 R2.

Using the adfind tool, run this syntax in the command line:

adfind -sc schver

Verifying schema version

Adding first Windows 2008 R2 Domain Controller

Install your new box with Windows Server 2008 R2 and configure its IP address according to your network settings.

Remember that it’s very important to properly configure the Network Card settings to be able to promote your new box as a domain controller!

The most important part of configuring the NIC is setting up the DNS server(s). Point your new box to one of the existing Domain Controllers where you have installed and configured DNS.

Network card configuration

Log on as local administrator and in command-line type: dcpromo

Running dcpromo


Domain Controller promotion will start automatically. If you haven’t installed the Active Directory: Directory Services role before, the wizard will do it at this moment.

Active Directory: Directory Services role

When the role is installed, you will see the DC promotion wizard. I would suggest using advanced mode during the promotion process. So, please check “Use advanced mode installation” and let’s start.

Domain Controller promotion wizard


We are adding a new DC within an existing forest to the existing domain, so choose the appropriate option and click “Next”.

Adding new DC into existing domain

Type the DNS domain name to which you want to add the new domain controller and specify Domain Administrator credentials for that process.


Adding new DC into existing domain

Choose domain from a list

Adding new DC into existing domain

If you didn’t previously use the /rodcprep switch with adprep, you will be notified that you won’t be able to add Read-Only Domain Controllers. To install an RODC within the network, at least Windows 2003 Forest Functional Level is required, and you can run adprep with this switch later (before the first RODC installation). Skip this warning and press “yes” to continue.

RODC warning

Select appropriate site for this Domain Controller and continue.

Install on your new DC:

DNS

Global Catalog

They’re suggested by default. Continue and start AD data replication process from the existing DC

within network.


Adding new DC into existing domain

Now, you can select from which Domain Controller data should be replicated or leave choice for the

wizard (use the second option)


Adding new DC into existing domain

Leave default folders for Directory Services data (or change path if you need)

Adding new DC into existing domain

Set up the Directory Services Restoration Mode password in case you need to use this mode. The password should be different from the domain administrator account’s password and should also be changed periodically.

DSRM password set up

Now you will see the summary screen. Click “Next” and the Domain Controller promotion wizard will start preparing the new DC for you.


Summary screen

To have a fully operational DC, you need to reboot it after promotion. So, check the “Reboot on completion” checkbox and wait until it is up and ready.


Installing Directory Services

Your new Windows Server 2008 R2 Domain Controller is now available in your network!

New DC available

Give the DC some time to replicate Directory Services data and you can enjoy your new DC.

Post-Installation steps

Now, you need to make small changes within your environment configuration.

On each server/workstation, in the NIC properties, configure an alternative DNS server IP address pointing to the new Domain Controller.

Open the DHCP management console and, under server/scope options (it depends on your DHCP configuration), modify option no. 006. Add the IP address of your new Domain Controller there as a DNS server.


DHCP reconfiguration

It’s done