Windows Server 2008 as a Domain Controller

Member servers and standalone servers can both be promoted to domain controllers. The Active Directory Installation Wizard helps you install and configure the required components and enables the server to provide directory services to network computers and users. Before installing, or even considering, a domain controller, however, review the following checklist:

Review the Active Directory topic "Introduction to Active Directory" in your Windows Server 2008 Help guide.

  • Make sure that you review the role of a domain controller.
  • Review concepts about security.
  • Review concepts about Domain Name Service (DNS) namespace planning and integration with DNS.
  • Verify that the server has an NTFS partition.
  • Verify that DNS is correctly configured.

Promoting member servers to domain controllers either creates new domains or adds additional domain controllers to existing domains. A domain cannot exist without at least one domain controller: the act of creating the first domain controller in a domain is what creates the domain.

If your organization needs additional domains, you must create one domain controller for each additional domain. New domains in a forest must be either a new child domain or the root of a new domain tree. If you decide to create a child domain, the name of the new domain must contain the full name of the parent. To hierarchically organize domains within your organization, make sure that you use the domain tree structure. If you would rather create the root of a new domain tree, make sure that its name is not related to the other domains in the forest.

To improve the availability and reliability of network services, add additional domain controllers to a single domain. You can create new domain controllers across the network or from backup media. Windows Server 2008, Windows Enterprise Server 2008, and Windows Datacenter Server 2008 all support Active Directory. AD uses a structured data store for the logical, hierarchical organization of directory information. The data store is also known as the directory, and it contains information about Active Directory objects. Active Directory objects include shared resources such as servers, volumes, and printers, as well as the network users and accounts.

Active Directory is tightly integrated with security through logon authentication and access control to objects. This makes managing directory data and organization throughout the network easy for an administrator. Schemas also help administrators with daily tasks by setting constraints and limits on instances of objects. Schemas consist of classes of objects and attributes contained in the directory. Global catalogs consist of the information about each and every object in a directory; therefore, a global catalog provides easy access to directory information regardless of which domain of the directory actually contains the data.

The following list summarizes the Active Directory features that are enabled by default on any domain controller running Windows Server 2008:

  • The selection of multiple user objects and the capability to modify common attributes of multiple user objects at one time.
  • The capability to drag and drop Active Directory objects from container to container or to a desired location in the domain hierarchy. You also have the capability to drag objects to group membership lists.
  • Enhanced search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.
  • The capability to save queries, enabling you to save commonly used search parameters for reuse in Active Directory Users and Computers.
  • Active Directory command-line tools, which give you the capability to run directory-service commands for administration scenarios.
  • You can now create instances of specified classes in the base schema of a forest and instances of several common classes, including country or region, person, organizationalPerson, groupOfNames, device, and certificationAuthority.
  • The inetOrgPerson class is added to the base schema and can be used in the same manner as the user class.
  • You can configure replication scope for application-specific data among domain controllers running Windows Server 2008.
  • The capability to add additional domain controllers to existing domains by using backup media, thus reducing the time necessary for an administrator to create additional domain controllers.
  • Universal group membership caching to help prevent the need to locate a global catalog across a WAN.

Active Directory can provide a companywide network solution with one domain, reduced sign-on capabilities, and one single point of management. Active Directory helps eliminate unnecessary domains and reduces server hardware and maintenance costs.

Two approaches to installing a domain controller are possible. First, you can raise the machine as a member server and promote it post-installation — and even post-burn-in. Alternatively, you can promote it to domain controller status during an automated installation. The latter option naturally requires a script.

We don't recommend the latter option unless you are really confident about your machines and their configuration or you have a huge rollout. If you are an Original Equipment Manufacturer (OEM), you need not be concerned about domain controllers and Active Directory, because the domain specifics, such as creating a new tree or forest or joining existing trees and forests, are handled on the customer's network. Conversely, if you, as a consultant or network engineer, have created an extensive unattended or remote installation regimen that automatically raises the machine as a domain controller, you know what you are doing.

For now, you have several reasons to not promote during or just after initial installation. First, promoting a domain controller is a time-intensive operation. (Active Directory goes through extensive self-configuration before the installation completes.) Second, if you experience a problem with the machine, you must demote the domain controller, which can be a complicated process. Third, after you have installed and raised a domain controller, you do not want to demote it because of a hardware problem or risk trashing your domain controller.

If Active Directory is demoted, it tears down everything that it created and restores the machine to the control of the registry and the local SAM. In fact, it is like watching a movie in reverse. Active Directory asks you for a new administrator account name and password for the rollback. All configuration changes made to the machine, such as desktop settings, are restored to the default, newly created settings. After you reboot the machine, you are back to where you started. You do not even get back earlier changes that you made to the registry, because the registry is essentially reinstalled after Active Directory comes down (promotion wiped it out in the first place).

A good reason lies behind this. Everything configured on a domain controller is stored in the directory databases, and after the registry is restored, you can re-promote it from scratch.

To promote a role server into a domain controller, add the following items to your checklist:

  • Domain name. If you are creating a new domain, you need the name of the parent domain that you are installing under or the existing tree name (or the forest name if you are installing a new domain tree). If you are adding a domain controller to an existing domain, you need to have that name handy as well.
  • An administrator's password
  • Network protocols
  • IP address
  • DNS IP addresses and host names
  • NetBIOS name of host
  • Role service information
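As an added example that is not part of the original article, the following PowerShell script checks the checklist items above (NTFS volume, DNS configuration, child-domain naming, NetBIOS name) before promotion and then writes an unattended answer file for the scripted promotion the text mentions, here for a new child domain. The domain names, NetBIOS name and file path are assumed values; the [DCInstall] keys follow the dcpromo unattend format (verify them against the dcpromo documentation for your build), and the credential keys (UserName, UserDomain, Password) are deliberately left out so they are supplied at run time rather than stored.

```powershell
# Added example (not from the original article): pre-flight checks for the checklist
# items, then an unattended dcpromo answer file for a new child domain.
# All names and paths below are assumed values for illustration.
param(
    [string]$ParentDnsName    = 'corp.example.com',        # existing parent domain
    [string]$NewDomainDnsName = 'sales.corp.example.com',  # must contain the full parent name
    [string]$NetbiosName      = 'SALES',
    [string]$AnswerFile       = 'C:\dcpromo-answer.txt'
)
$problems = @()

# Checklist: the system volume must be NTFS (the AD database and SYSVOL require it).
$sysDrive = $env:SystemDrive
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'").FileSystem
if ($fs -ne 'NTFS') { $problems += "System volume $sysDrive is $fs, not NTFS" }

# Checklist: DNS must be configured and the parent domain must resolve from this host.
$dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
              ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
if (-not $dnsServers) { $problems += 'No DNS server addresses configured on any enabled adapter' }
try   { [void][System.Net.Dns]::GetHostAddresses($ParentDnsName) }
catch { $problems += "Parent domain $ParentDnsName does not resolve: $($_.Exception.Message)" }

# Checklist: a child domain name must end with the full name of its parent,
# and NetBIOS names are limited to 15 characters.
if ($NewDomainDnsName -notlike "*.$ParentDnsName") {
    $problems += "$NewDomainDnsName is not a child of $ParentDnsName"
}
if ($NetbiosName.Length -gt 15) { $problems += "NetBIOS name $NetbiosName exceeds 15 characters" }
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }

# Build the [DCInstall] answer file consumed by:  dcpromo /unattend:$AnswerFile
# The DSRM password is read interactively so it never sits in a script or shell history;
# parent-domain credentials (UserName, UserDomain, Password) are left out on purpose.
$childLabel   = $NewDomainDnsName.Substring(0, $NewDomainDnsName.Length - $ParentDnsName.Length - 1)
$dsrmPassword = Read-Host 'Directory Services Restore Mode password'
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=$ParentDnsName
ChildName=$childLabel
DomainNetbiosName=$NetbiosName
InstallDNS=Yes
CreateDNSDelegation=Yes
SafeModeAdminPassword=$dsrmPassword
RebootOnCompletion=Yes
"@ | Set-Content -Path $AnswerFile -Encoding ASCII
# The file now holds a secret: restrict it to Administrators and delete it once dcpromo has run.
icacls $AnswerFile /inheritance:r /grant:r 'Administrators:F' | Out-Null
```

Running the script on a server that fails any check stops before the answer file is written, so a misconfigured DNS client or a FAT volume is caught before the time-intensive promotion starts.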