To create a new domain or to add a domain controller to an existing domain, you must install the Active Directory Domain Services role on a Windows Server 2012 R2 computer and then run the Active Directory Domain Services Configuration Wizard.
To use a Windows Server 2012 R2 computer as a domain controller, you should configure it to use static IP addresses, not addresses supplied by a Dynamic Host Configuration Protocol (DHCP) server. In addition, if you are creating a domain in an existing forest or adding a domain controller to an existing domain, you must configure the computer to use the Domain Name System (DNS) server that hosts the existing forest or domain, at least during the Active Directory promotion.

Installing the Active Directory Domain Services role
Although it does not actually convert the computer into a domain controller, installing the Active Directory Domain Services role prepares the computer for the conversion process.
To install the role, use the following procedure.
1. In Server Manager, from the Manage menu, select Add Roles And Features. The Add Roles And Features Wizard starts, displaying the Before You Begin page.
2. Click Next. The Select Installation Type page opens.
3. Leave the Role-Based Or Feature-Based Installation option selected and click Next to open the Select Destination Server page.
4. Select the server that you want to promote to a domain controller and click Next. The Select Server Roles page opens.
5. Select the Active Directory Domain Services role. The Add Features That Are Required For Active Directory Domain Services dialog box opens.
6. Click Add Features to accept the dependencies and then click Next. The Select Features page opens.

7. Click Next. The Active Directory Domain Services page opens, displaying information about the role.
8. Click Next. A Confirm Installation Selections page opens.
9. Select from the following optional functions, if desired:
– Restart The Destination Server Automatically If Desired: Causes the server to restart automatically when the installation is completed, if the selected roles and features require it.
– Export Configuration Settings: Creates an XML script documenting the procedures performed by the wizard, which you can use to install the same configuration on another server using Windows PowerShell.
– Specify An Alternate Source Path: Specifies the location of an image file containing the software needed to install the selected roles and features.
10. Click Install, which displays the Installation Progress page. Once the role has been installed, a Promote This Server To A Domain Controller link appears.
11. Leave the wizard open.

——————-

NOTE: DCPROMO.EXE
The Dcpromo.exe program from previous versions of Windows Server has been deprecated in favor of the Server Manager domain controller installation process documented in the following sections. However, it is still possible to automate AD DS installations by running Dcpromo.exe with an answer file. You can also use Windows PowerShell to install a domain controller.

——————-

Once you have installed the role, you can run the Active Directory Domain Services Installation Wizard. The wizard procedure varies, depending on what the function of the new domain controller will be. The following sections describe the procedures for the most common types of domain controller installations.

Creating a new forest
When beginning a new AD DS installation, the first step is to create a new forest, which you do by creating the first domain in the forest, the forest root domain.
To create a new forest, use the following procedure.
1. On the Installation Progress page that appears at the end of the Active Directory Domain Services role installation procedure, click the Promote This Server To A Domain Controller hyperlink. The Active Directory Domain Services Configuration Wizard starts, displaying the Deployment Configuration page.
2. Select the Add A New Forest option, as shown in Figure 5-1, and, in the Root Domain Name text box, type the name of the domain you want to create.

Deploying Active Directory Domain Services

FIGURE 5-1 The Deployment Configuration page of the Active Directory Domain Services Configuration Wizard

3. Click Next. The Domain Controller Options page opens, as shown in Figure 5-2.

FIGURE 5-2 The Domain Controller Options page of the Active Directory Domain Services Configuration Wizard
4. If you plan to add domain controllers running earlier versions of Windows Server to this forest, select the earliest Windows version you plan to install from the Forest Functional Level drop-down list.
5. If you plan to add domain controllers running earlier versions of Windows Server to this domain, select the earliest Windows version you plan to install from the Domain Functional Level drop-down list.
6. If you do not already have a DNS server on your network, leave the Domain Name System (DNS) Server check box selected. If you have a DNS server on the network, and the domain controller is configured to use that server for DNS services, then clear the check box.

———————

NOTE: DOMAIN CONTROLLER OPTIONS
The Global Catalog (GC) and Read Only Domain Controller (RODC) options are unavailable because the first domain controller in a new forest must be a Global Catalog server and it cannot be a read-only domain controller.

———————

7. In the Password and Confirm Password text boxes, type the password you want to use for Directory Services Restore Mode (DSRM) and click Next. The DNS Options page opens, displaying a warning that a delegation for the DNS server cannot be created, because the DNS Server service is not installed yet.
8. Click Next to open the Additional Options page, which displays the NetBIOS equivalent of the domain name you specified.
9. Modify the name, if desired, and click Next to open the Paths page.
10. Modify the default locations for the AD DS files, if desired, and click Next. The Review Options page opens.
11. Click Next to open the Prerequisites Check page, as shown in Figure 5-3.

FIGURE 5-3 The Prerequisites Check page of the Active Directory Domain Services Configuration Wizard.

12. The wizard performs a number of environment tests to determine if the system can function as a domain controller. The results can appear as cautions, which enable the procedure to continue, or as warnings, which require you to perform certain actions before the server can be promoted. Once the system has passed all the prerequisite checks, click Install. The wizard creates the new forest and configures the server to function as a domain controller.
13. Restart the computer.

With the forest root domain in place, you can create additional domain controllers in that domain or add new domains to the forest.

Adding a domain controller to an existing domain
Every Active Directory domain should have a minimum of two domain controllers. To add a domain controller to an existing Windows Server 2012 R2 domain, use the following procedure.
1. On the Installation Progress page that appears at the end of the Active Directory Domain Services role installation procedure, click the Promote This Server To A Domain Controller hyperlink. The Active Directory Domain Services Configuration Wizard starts, displaying the Deployment Configuration page.
2. Select the Add A Domain Controller To An Existing Domain option and click Select.
3. If you are not logged on to an existing domain in the forest, a Credentials For Deployment Operation dialog box opens, in which you must supply administrative credentials for the domain to proceed. After you are authenticated, the Select A Domain From The Forest dialog box opens.
4. Select the domain to which you want to add a domain controller and click OK. The selected domain name appears in the Domain field.
5. Click Next. The Domain Controller Options page, shown in Figure 5-4, opens.

FIGURE 5-4 The Domain Controller Options page of the Active Directory Domain Services Configuration Wizard

6. If you want to install the DNS Server service on the computer, leave the Domain Name System (DNS) Server check box selected. Otherwise, the domain will be hosted on the DNS server the computer is configured to use.
7. Leave the Global Catalog (GC) check box selected if you want the computer to function as a global catalog server. This is essential if you will be deploying the new domain controller at a site that does not already have a GC server.
8. Select the Read Only Domain Controller (RODC) check box, if desired, to create a domain controller that administrators cannot use to modify AD DS objects.
9. In the Site Name drop-down list, select the site where the domain controller will be located.
10. In the Password and Confirm Password text boxes, type the password you want to use for Directory Services Restore Mode (DSRM) and click Next to move to the Additional Options page, shown in Figure 5-5.

FIGURE 5-5 The Additional Options page of the Active Directory Domain Services Configuration Wizard

11. To use the Install From Media option, select the Install From Media check box.
12. In the Replicate From drop-down list, select the existing domain controller that the server should use as a data source. Then click Next to open the Paths page.

13. Modify the default locations for the AD DS files, if desired, and click Next. The Review Options page opens.
14. Click Next to move to the Prerequisites Check page.
15. Once the system has passed all the prerequisite checks, click Install. The wizard configures the server to function as a domain controller.
16. Restart the computer.
The domain controller is now configured to service the existing domain. AD DS replication between the two will begin automatically.

Creating a new child domain in a forest
Once you have a forest with at least one domain, you can add a child domain beneath any existing domain. The process of creating a new child domain is similar to that of creating a new forest, except that the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard requires you to specify the parent domain beneath which you want to create a child, as shown in Figure 5-6.

FIGURE 5-6 The Deployment Configuration page of the Active Directory Domain Services Configuration Wizard

——————-

NOTE: TREE DOMAINS
The wizard also supplies the option to create a tree domain, which is a new domain that is not subordinate to an existing domain in the forest.

——————–

Installing AD DS on Server Core
In Windows Server 2012 R2, it is possible to install AD DS on a computer running the Server Core installation option and promote the system to a domain controller, all by using Windows PowerShell.
In Windows Server 2008 and Windows Server 2008 R2, the accepted method for installing AD DS on a computer using the Server Core installation option is to create an answer file and load it from the command prompt by using the Dcpromo.exe program with the /unattend parameter.
In Windows Server 2012 R2, running Dcpromo.exe with no parameters no longer launches the Active Directory Domain Services Configuration Wizard, but administrators who have already invested considerable time in developing answer files for unattended domain controller installations can continue to execute them from the command prompt, although doing so produces this warning: “The dcpromo unattended operation is replaced by the ADDSDeployment module for Windows PowerShell.”
For AD DS installations on Server Core, Windows PowerShell is now the preferred method. As with the wizard-based installation, the Windows PowerShell procedure occurs in two phases: first, you must install the Active Directory Domain Services role; then, you must promote the server to a domain controller.
Installing the Active Directory Domain Services role by using Windows PowerShell is no different from installing any other role. In an elevated Windows PowerShell session, use the following command:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Like other Windows PowerShell role installations, the Install-WindowsFeature cmdlet does not install the management tools for the role unless you include the -IncludeManagementTools parameter in the command.
Once you have installed the role, promoting the server to a domain controller is somewhat more complicated. The ADDSDeployment Windows PowerShell module includes separate cmdlets for the three deployment configurations covered in the previous sections:
– Install-ADDSForest
– Install-ADDSDomainController
– Install-ADDSDomain
Each of these cmdlets has many possible parameters to support the many configuration options you find in the Active Directory Domain Services Configuration Wizard. In its simplest form, the following command would install a domain controller for a new forest called adatum.com:
Install-ADDSForest -DomainName "adatum.com"
The defaults for all of the cmdlet’s other parameters are the same as those in the Active Directory Domain Services Configuration Wizard. Running the cmdlet with no parameters steps through the options, prompting you for values. You can also display basic syntax information by using the Get-Help command, as shown in Figure 5-7.

FIGURE 5-7 Syntax for the Install-ADDSForest cmdlet in Windows PowerShell

Another way to perform a complex installation by using Windows PowerShell is to use a computer running Windows Server 2012 R2 with the full GUI option to generate a script. Begin by running the Active Directory Domain Services Configuration Wizard, configuring all the options with your desired settings. When you reach the Review Options page, click View Script to display the Windows PowerShell code for the appropriate cmdlet, as shown in Figure 5-8.

FIGURE 5-8 An installation script generated by the Active Directory Domain Services Configuration Wizard

This feature works as it does because Server Manager is actually based on Windows PowerShell, so the script contains the cmdlets and parameters that are running when the wizard performs an installation. You can also use this scripting capability with the Install-ADDSDomainController cmdlet to deploy multiple domain controllers for the same domain.
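The two PowerShell phases described above, combined into one script for a new forest. This is an added example, not the output of the wizard's View Script button: adatum.com is the page's sample domain, while the ADATUM NetBIOS name, the functional levels and the file paths are assumed values.

```powershell
# Added example (not wizard-generated). Run in an elevated session on the
# server to be promoted. Values marked "assumed" are illustrative only.

# The page recommends static addressing for domain controllers: stop if a
# connected IPv4 interface still takes its address from DHCP.
$dhcpNics = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Where-Object { $_.Dhcp -eq 'Enabled' -and $_.InterfaceAlias -notlike 'Loopback*' }
if ($dhcpNics) {
    throw "DHCP-assigned interfaces found: $($dhcpNics.InterfaceAlias -join ', ')"
}

# Phase 1: install the role together with its management tools.
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) {
    throw 'AD DS role installation failed.'
}

# Phase 2: promote the server.
Import-Module ADDSDeployment

# Prompt for the DSRM password so it is never stored in the script file.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

# Same choices the wizard pages ask for, in one splatted parameter set.
$forest = @{
    DomainName                    = 'adatum.com'
    DomainNetbiosName             = 'ADATUM'             # assumed
    ForestMode                    = 'Win2012R2'          # assumed
    DomainMode                    = 'Win2012R2'          # assumed
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'    # assumed
    LogPath                       = 'C:\Windows\NTDS'    # assumed
    SysvolPath                    = 'C:\Windows\SYSVOL'  # assumed
    SafeModeAdministratorPassword = $dsrmPassword
}

# Equivalent of the Prerequisites Check page: run the tests without
# changing anything and stop on any result reported as an error.
$failed = Test-ADDSForestInstallation @forest |
    Where-Object { $_.Status -eq 'Error' }
if ($failed) {
    $failed | Format-List Context, Message
    throw 'Prerequisite check failed; the server was not promoted.'
}

# Creates the forest root domain; the server restarts when promotion ends.
Install-ADDSForest @forest -Force
```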
Using Install from Media (IFM)
Earlier in this objective, in the procedure for installing a replica domain controller, the Additional Options page of the Active Directory Domain Services Configuration Wizard included an Install From Media check box. This is an option that enables administrators to streamline the process of deploying replica domain controllers to remote sites.
Usually, installing a domain controller to an existing domain creates the AD DS database structure, but there is no data in it until the server is able to receive replication traffic from the other domain controllers. When the domain controllers for a particular domain are well connected, such as by LAN, replication occurs almost immediately after the new domain controller is installed, and is entirely automatic.
When installing a domain controller at a remote location, however, the connection to the other domain controllers is most likely a WAN link, which is typically slower and more expensive than a LAN connection. In this case, the initial replication with the other domain controllers can be much more of a problem. The slow speed of the WAN link might cause the replication to take a long time, and it might also flood the connection, delaying regular traffic.
If the domain controllers are located in different AD DS sites without an appropriate site link, no replication will occur until an administrator creates and configures the required links.

——————-

NOTE: REPLICATION
The first replication that occurs after the installation of a new domain controller is the only one that requires the servers to exchange a complete copy of the AD DS database. In subsequent replications, the domain controllers only exchange information about the objects and attributes that have changed since the last replication.

———————

By using a command-line tool called Ntdsutil.exe, administrators can avoid these problems by creating domain controller installation media that includes a copy of the AD DS database.
By using this media when installing a remote domain controller, the data is installed along with the database structure and a full replication is not necessary.
To create IFM media, you must run the Ntdsutil.exe program on a domain controller running the same version of Windows that you intend to deploy. The program is interactive, requiring you to enter a sequence of commands like the following:
– Ntdsutil: Launches the program
– Activate instance ntds: Focuses the program on the installed AD DS instance
– Ifm: Switches the program into IFM mode
– Create Full|RODC <path name>: Creates media for either a full read/write domain controller or a read-only domain controller and saves it to the folder specified by the path name variable

——————–

NOTE: NTDSUTIL.EXE PARAMETERS
The Ntdsutil.exe create command also supports parameters that include the contents of the SYSVOL volume with the AD DS data. The Windows Server 2012 R2 version of the program adds a nodefrag parameter that speeds up the media creation process by skipping the defragmentation.

———————

When you execute these commands, the Ntdsutil.exe program creates a snapshot of the AD DS database, mounts it as a volume to defragment it, and then saves it to the specified folder along with a copy of the Windows Registry, as shown in Figure 5-9.

FIGURE 5-9 An Ntdsutil.exe command sequence

Once you have created the IFM media, you can transport it to the servers you intend to deploy as domain controllers by using any convenient means. To use the media, you run the Active Directory Domain Services Configuration Wizard in the usual way, select the Install From Media check box and specify the path to the location of the folder.
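The IFM workflow above in scripted form, as an added example that is not part of the original text. New-IfmMedia and Install-ReplicaFromMedia are hypothetical helper names, and the C:\IFM path, the Branch01 site and the dc1.adatum.com source are assumed values.

```powershell
# Added example. The two functions run on different machines.

function New-IfmMedia {
    # Run on an existing domain controller that has the same Windows
    # version as the servers you intend to deploy.
    param([string]$Path = 'C:\IFM')   # assumed location

    # The interactive command sequence, passed as arguments instead.
    & ntdsutil.exe 'activate instance ntds' 'ifm' "create full $Path" 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) {
        throw "ntdsutil exited with code $LASTEXITCODE"
    }

    # Confirm that the database and the registry copy were both written.
    foreach ($item in 'Active Directory\ntds.dit', 'registry\SYSTEM') {
        if (-not (Test-Path (Join-Path $Path $item))) {
            throw "IFM media is incomplete: $item not found under $Path"
        }
    }

    # The media is a full copy of the directory database, so limit the
    # folder to Administrators and SYSTEM before it is transported.
    & icacls.exe $Path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}

function Install-ReplicaFromMedia {
    # Run on the new server after the AD DS role is installed and the
    # media folder has been copied to it.
    param(
        [string]$DomainName = 'adatum.com',
        [string]$MediaPath  = 'C:\IFM',           # assumed
        [string]$SiteName   = 'Branch01',         # assumed
        [string]$SourceDC   = 'dc1.adatum.com'    # assumed
    )
    Import-Module ADDSDeployment

    $replica = @{
        DomainName                    = $DomainName
        Credential                    = Get-Credential -Message "Administrator for $DomainName"
        SiteName                      = $SiteName
        InstallDns                    = $true
        InstallationMediaPath         = $MediaPath
        ReplicationSourceDC           = $SourceDC
        SafeModeAdministratorPassword = Read-Host -Prompt 'DSRM password' -AsSecureString
    }

    # Prerequisite tests first; nothing is changed if they report an error.
    $failed = Test-ADDSDomainControllerInstallation @replica |
        Where-Object { $_.Status -eq 'Error' }
    if ($failed) {
        $failed | Format-List Context, Message
        throw 'Prerequisite check failed; the server was not promoted.'
    }

    # Only changes made since the media was created replicate over the WAN.
    Install-ADDSDomainController @replica -Force

    # After the restart, delete $MediaPath and any transport copies: they
    # are no longer needed and still contain the database copy.
}
```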

Upgrading Active Directory Domain Services
Introducing Windows Server 2012 R2 onto an existing AD DS installation is easier than it has ever been in previous versions of the operating system.
There are two ways to upgrade an AD DS infrastructure. You can upgrade the existing down-level domain controllers to Windows Server 2012 R2 or you can add a new Windows Server 2012 R2 domain controller to your existing environment.

There are few upgrade paths to Windows Server 2012 R2. You can upgrade a Windows Server 2008 or Windows Server 2008 R2 domain controller to Windows Server 2012 R2, but no earlier versions are upgradable.
In the past, if you wanted to add a new domain controller to an existing AD DS installation based on previous Windows versions, you had to run a program called Adprep.exe to upgrade the domains and forest. Depending on the complexity of the installation, this could involve logging on to various domain controllers using different credentials, locating different versions of Adprep.exe, and running the program several times using the /domainprep parameter for each domain and the /forestprep parameter for the forest.
In Windows Server 2012 R2, the Adprep.exe functionality has been fully incorporated into Server Manager in the Active Directory Domain Services Configuration Wizard. When you install a new Windows Server 2012 R2 domain controller, you only have to supply appropriate credentials; the wizard takes care of the rest.

———————

NOTE: GROUP MEMBERSHIPS
To install the first Windows Server 2012 R2 domain controller onto a down-level AD DS installation, you must supply credentials for a user who is a member of the Enterprise Admins and Schema Admins groups and a member of the Domain Admins group in the domain that hosts the schema master.

———————

Deploying Active Directory IaaS on Windows Azure
In addition to running Windows Server 2012 R2 on physical computers and locally hosted virtual machines, Microsoft’s Windows Azure service enables administrators to create virtual machines using leased cloud resources provided by Microsoft. This capability, called Infrastructure as a Service (IaaS), enables administrators to run applications in the cloud while maintaining full control over the virtual machines themselves.
Windows Azure resources can be self-contained in the cloud and administrators can create a virtualized AD DS forest to organize and manage them. It is also possible to configure Windows Azure resources as an extension to the existing physical and virtual resources hosted on a private network. For example, after creating a virtual network in the Windows Azure cloud and connecting it to your private network with a site-to-site link using a virtual private networking (VPN) device, you can create a Windows Server 2012 R2 virtual machine in the cloud and configure it as a domain controller for an existing domain.
The process of installing AD DS on a Windows Azure virtual machine and promoting it to a domain controller is no different from that of a private network server. You use the Add Roles And Features Wizard to install the AD DS role and then use the Active Directory Domain Services Configuration Wizard to configure the domain controller. The complicated part of the process is the configuration of the virtual network infrastructure to allow communication between the cloud network and your physical network.

Windows Azure is an ideal platform for AD DS domain controller replicas because it provides IP address consistency in a new way. Windows Azure virtual machines must obtain IP addresses from DHCP servers (you cannot assign static IP addresses to them), but unlike standard DHCP address leases that can expire, causing the address to change, a cloud VM retains its IP address lease for its lifetime.

———————

NOTE: AD DS AND WINDOWS AZURE AD
You can install Active Directory Domain Services on any Windows Azure VM running Windows Server. AD DS is part of the operating system and requires no special resources other than those needed to provision the virtual machine, such as sufficient disk space for the AD DS database. However, there is also a cloud service called Windows Azure Active Directory (Windows Azure AD) that can provide identity and access management within the cloud. Although the two can interact, Windows Azure AD is not the same as the AD DS service supplied with Windows Server 2012 R2.

———————-

Removing a domain controller
With the deprecation of Dcpromo.exe, the process of demoting a domain controller has changed and is not immediately intuitive.
To remove a domain controller from an AD DS installation, you must begin by running the Remove Roles And Features Wizard, as shown in the following procedure.
1. In Server Manager, launch the Remove Roles And Features Wizard and remove the Active Directory Domain Services role and its accompanying features. A Validation Results dialog box opens, as shown in Figure 5-10.

FIGURE 5-10 The Validation Results dialog box of the Remove Roles And Features Wizard

2. Click the Demote This Domain Controller hyperlink. The Active Directory Domain Services Configuration Wizard starts, displaying the Credentials page.
3. Select the Force The Removal Of This Domain Controller check box and click Next to open the New Administrator Password page.
4. In the Password and Confirm Password text boxes, type the password you want the server to use for the local Administrator account after the demotion. Then click Next. The Review Options page opens.
5. Click Demote. The wizard demotes the domain controller and restarts the system.
6. Log on using the local Administrator password you specified earlier.
7. Launch the Remove Roles And Features Wizard again and repeat the process of removing the Active Directory Domain Services role and its accompanying features.
8. Close the wizard and restart the server.

———————-

NOTE: USING WINDOWS POWERSHELL
To demote a domain controller by using Windows PowerShell, use the following command:
Uninstall-ADDSDomainController -ForceRemoval -LocalAdministratorPassword <password> -Force

————————-

Configuring the global catalog
The global catalog is an index of all the AD DS objects in a forest that prevents systems from having to perform searches among multiple domain controllers. The importance of the global catalog varies depending on the size of your network and its site configuration.
For example, if your network consists of a single domain, with domain controllers that are all located at one site and are well connected, the global catalog serves little purpose other than universal group searches. You can make all your domain controllers global catalog servers if you wish. The searches will be load balanced and the replication traffic will likely not overwhelm the network.
However, if your network consists of multiple domains, with domain controllers located at multiple sites connected by WAN links, then the global catalog configuration is critical.
If possible, you do not want users performing AD DS searches that must reach across slow, expensive WAN links to contact domain controllers at other sites. Placing a global catalog server at each site is recommended in this case. The initial replication might generate a lot of traffic, but the savings in the long run should be significant.

When you promote a server to a domain controller, you have the option of making the domain controller a global catalog server. If you decline to do so at that time, you can make any domain controller a global catalog server by using the following procedure.
1. In Server Manager, on the Tools menu, select Active Directory Sites And Services. The Active Directory Sites And Services console opens.
2. Expand the site where the domain controller you want to function as a global catalog server is located. Then expand the Servers folder and select the server you want to configure.
3. Right-click the NTDS Settings node for the server and, from the shortcut menu, select Properties to open the NTDS Settings Properties sheet.
4. Select the Global Catalog check box and click OK.
5. Close the Active Directory Sites And Services console.
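A PowerShell counterpart to the console procedure, which also reports which sites have no global catalog server, since the text recommends one per site. This is an added example rather than part of the original text; Get-SiteGlobalCatalogCoverage and Enable-GlobalCatalog are hypothetical function names, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example. Requires the ActiveDirectory module (installed with the
# AD DS management tools).
Import-Module ActiveDirectory

function Get-SiteGlobalCatalogCoverage {
    # Collect the domain controllers of every domain in the forest.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    # One row per site that hosts at least one domain controller.
    $dcs | Group-Object -Property Site | ForEach-Object {
        $gcs = @($_.Group | Where-Object { $_.IsGlobalCatalog })
        [pscustomobject]@{
            Site              = $_.Name
            DomainControllers = ($_.Group.HostName -join ', ')
            GlobalCatalogs    = ($gcs.HostName -join ', ')
            HasGlobalCatalog  = ($gcs.Count -gt 0)
        }
    }
}

function Enable-GlobalCatalog {
    # Equivalent of selecting the Global Catalog check box on the
    # NTDS Settings Properties sheet of a DC in the current domain.
    param([Parameter(Mandatory)][string]$DomainController)

    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options

    # Bit 0x1 of the options attribute is the global catalog flag; keep
    # any other bits that are already set.
    $newOptions = [int]$ntds.options -bor 1
    Set-ADObject -Identity $ntds -Replace @{ options = $newOptions }
}

# List the sites whose users must cross a site link to reach a GC.
Get-SiteGlobalCatalogCoverage |
    Where-Object { -not $_.HasGlobalCatalog } |
    Format-Table Site, DomainControllers -AutoSize
```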

Troubleshooting DNS SRV registration failure
DNS is essential to the operation of Active Directory Domain Services. To accommodate directory services such as AD DS, a special DNS resource record was created that enables clients to locate domain controllers and other vital AD DS services.
When you create a new domain controller, one of the most important parts of the process is the registration of the server in the DNS. This automatic registration is the reason an AD DS forest must have access to a DNS server that supports the Dynamic Updates standard defined in Request for Comments (RFC) 2136.
If the DNS registration process fails, then computers on the network will not be able to locate that domain controller, the consequences of which can be serious. Computers will be unable to use that domain controller to join the domain, existing domain members might be unable to log on, and other domain controllers will be unable to replicate with it.
DNS problems are, in most cases, due to general networking faults or DNS client configuration errors. The first steps you should take are to try pinging the DNS server and to make sure that the TCP/IP client configuration has the correct addresses for the DNS servers it should be using.
To confirm that a domain controller has been registered in the DNS, open a command prompt window with Administrative privileges and enter the following command:
dcdiag /test:registerindns /dnsdomain:<domain name>
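To see which locator records are actually missing, you can query the SRV records directly. The following is an added example, not part of the original text: Test-DcSrvRegistration is a hypothetical function name and dc2.adatum.com is an assumed host name in the page's sample domain.

```powershell
# Added example. Checks whether a domain controller appears as a target of
# the SRV records that clients use to locate it.
function Test-DcSrvRegistration {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$DomainController,   # FQDN of the DC
        [string]$DnsServer                                  # optional: query one server
    )

    # Locator records that the Netlogon service registers for each DC.
    $records = "_ldap._tcp.dc._msdcs.$DomainName",
               "_kerberos._tcp.dc._msdcs.$DomainName",
               "_ldap._tcp.$DomainName",
               "_kerberos._tcp.$DomainName"

    $expected = $DomainController.TrimEnd('.')

    foreach ($record in $records) {
        $query = @{
            Name        = $record
            Type        = 'SRV'
            DnsOnly     = $true                  # DNS only, no LLMNR or NetBIOS
            ErrorAction = 'SilentlyContinue'     # a missing record is a result, not a failure
        }
        if ($DnsServer) { $query.Server = $DnsServer }

        # Keep only the SRV answers; the response can also carry A records.
        $targets = @(Resolve-DnsName @query |
            Where-Object { $_.QueryType -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.') })

        [pscustomobject]@{
            Record     = $record
            Registered = ($targets -contains $expected)
            Targets    = ($targets -join ', ')
        }
    }
}

$result = Test-DcSrvRegistration -DomainName 'adatum.com' -DomainController 'dc2.adatum.com'
$result | Format-Table -AutoSize

if ($result | Where-Object { -not $_.Registered }) {
    # Once the DNS client settings on the DC are correct, have Netlogon
    # register the records again on that DC:
    #   nltest /dsregdns        (or: Restart-Service Netlogon)
    Write-Warning 'One or more SRV records do not list this domain controller.'
}
```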

This article is part of the 70-410 Installing and Configuring Windows Server 2012 Prep course.