Installing Windows 2008 Active Directory on Server Core (Existing Forest)
You can get a nice reference guide of the commands you can use to complete most tasks for Windows Server 2008 Core from here (just follow the pages through to see all of the commands). But if all you want to do is get a Core DC up and running in an existing Windows 2008 forest, then follow this guide. It follows on from my previous post Installing Active Directory on Windows 2008 (New Forest), so if you've followed that you should already have a DC running in its own forest. To have a Windows Server Core machine acting as a DC, we first need to install Server Core and then promote the computer to be a domain controller. The setup screens for installing Server Core are very similar to those for the full Windows Server install, so I have skipped the initial install on the basis that most people will be able to figure this out.
After installing Server Core there are a couple of things we need to do: change the machine name, assign TCP/IP settings to the network cards, and so on.
To rename the server we use the netdom utility. The command is
Netdom renamecomputer OldComputerName /newname:NewComputerName
To make life easier, we can tokenise the OldComputerName by passing
the command our existing computer name using the %computername% token.
So, to change our computer name to "CoreDC" we would use the command
Netdom renamecomputer %computername% /newname:CoreDC
You will be asked to confirm the change as below.
Now the machine has a new name, we need to set its IP address. To do this, we may need to know the name of the interface on the card. This is usually "Local Area Connection", but in a virtualised or multi-card environment this may not be the correct name. Indeed, there may be some circumstances (though I wouldn't recommend it for a DC) where you want to have the server sitting in multiple subnets. To find the name, we enter the command netsh interface ipv4 show interface to list all the IPv4-enabled interfaces.
To set the IP address for this interface we use the command
netsh interface ipv4 set address name="Local Area Connection" source=static address=10.1.1.2 mask=255.255.255.0 gateway=10.1.1.254 1
swapping the IP address, subnet mask and gateway for appropriate values and the connection name for the one found in the previous step. The 1 at the end of the command is the metric for this gateway; a metric of 1 makes it the default gateway. As can be seen from the below, you do not receive an acknowledgement.
IPConfig shows that these values have been set.
We can now set our DNS and WINS values. The commands to use are
Netsh interface ipv4 add dns name="Local Area Connection" 10.1.1.1
Netsh interface ipv4 add dns name="Local Area Connection" 10.1.1.3 index=2
The above commands set 10.1.1.1 to be the primary DNS server and 10.1.1.3 to be the secondary DNS server. This can again be confirmed using IPConfig /all.
Similarly, WINS addresses can also be added and checked.
The server should now be rebooted using shutdown /r /f /t 0 for an immediate reboot.
Once rebooted and logged in, we can check that the server has the new machine name either using IPConfig /all or echo %computername%.
We can now add the computer to the domain, again using the Netdom utility. The command to do this is
Netdom join ComputerName /domain:NameOfDomainToJoin
Again, we can tokenise our computername. My lab has the domain name mydomain.local. Once entered, the command may take several seconds or a minute to complete, just as when you add a computer to the domain via the GUI in Windows 2000/2003. If successful, you will receive a message similar to the below.
We can now reboot the server with the same command as above shutdown /r /f /t 0
Like the GUI version, the AD binaries are not installed. However, unlike the GUI version, the binaries will be automatically installed when we run DCPromo. In the meantime, we may want to install DNS first and we can do this by adding the DNS role to the server using the command line version of Server Manager, OCSetup. To see the list of possible roles that can be installed, enter OCList.
To add the DNS role we can enter the following command
OCSetup DNS-Server-Core-Role
NOTE: This is a case-sensitive command. If you mis-enter the role name you will receive an error similar to the below.
We can now run DCPromo as usual. However, as this is Server Core, just typing DCPromo merely shows the help file for the command. As we want to promote the server to be a DC in our domain we need to use the /promotion switch. To see the construction of the command we can enter dcpromo /?:Promotion. As this output is quite long you may want to send it to a text file:
Dcpromo /?:Promotion > promotion.txt & promotion.txt
This will not only run the command and put its output into a file but also open that file in Notepad (yes, Server Core ships with the GUI version of Notepad!). To make the text appear you will have to press any key after running the above command, because the help output for the promotion switch waits for a key press before it completes.
To promote the server to be a DC in our domain we can enter the command
Dcpromo /unattend /replicaOrnewDomain:replica /replicaDomainDNSName:mydomain.local /ConfirmGC:yes /username:mydomain\administrator /Password:* /safeModeAdminPassword:LetmeIn123
This will run dcpromo, adding our server as a global catalog server to the mydomain.local domain. The Directory Services Restore Mode (DSRM) password will be set to LetmeIn123. We will be prompted for the domain administrator password when the command is run (because of the /Password:* switch).
The server will reboot itself as part of the install. Running OCList will now show Active Directory as being installed.
Alternatively, as we are in an existing forest / domain, you can always use the Users and Computers tool on another server to confirm that your Server Core machine is, in fact, a domain controller.
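As an added example (not from the original post), here is the whole procedure above wrapped in one batch script that is run in phases on the Server Core box, rebooting between phases, with a sanity check before the join and a verification phase after promotion. The lab values (CoreDC, 10.1.1.x, mydomain.local) are the post's own; the /force switch on netdom renamecomputer and the dcdiag and repadmin tools (installed with the AD DS binaries) are not shown on the page and are assumptions.

```batch
@echo off
REM coredc.cmd - added example, not from the original post. Run as the local Administrator on
REM the Server Core box one phase at a time, rebooting between them: net, join, promote, check.
setlocal
REM Constructed lab values from the post; replace them for your environment.
set NEWNAME=CoreDC
set NIC=Local Area Connection
set IP=10.1.1.2
set MASK=255.255.255.0
set GW=10.1.1.254
set DNS1=10.1.1.1
set DNS2=10.1.1.3
set DOMAIN=mydomain.local
if /i "%~1"=="net"     goto net
if /i "%~1"=="join"    goto join
if /i "%~1"=="promote" goto promote
if /i "%~1"=="check"   goto check
echo usage: %~nx0 net ^| join ^| promote ^| check
exit /b 1

:net
REM Static addressing and DNS first, so the domain is resolvable when we join after the reboot.
netsh interface ipv4 set address name="%NIC%" source=static address=%IP% mask=%MASK% gateway=%GW% 1
netsh interface ipv4 add dns name="%NIC%" %DNS1%
netsh interface ipv4 add dns name="%NIC%" %DNS2% index=2
netdom renamecomputer %computername% /newname:%NEWNAME% /force
shutdown /r /f /t 0
exit /b
:join
REM Refuse to join unless the rename and the DNS settings survived the reboot.
if /i not "%computername%"=="%NEWNAME%" (echo rename did not apply & exit /b 1)
ipconfig /all | findstr /c:"%DNS1%" >nul || (echo DNS server %DNS1% not set & exit /b 1)
netdom join %computername% /domain:%DOMAIN% || exit /b 1
shutdown /r /f /t 0
exit /b
:promote
ocsetup DNS-Server-Core-Role
REM Prompt for the DSRM password instead of hard-coding it in the script (cmd.exe echoes the
REM input, and the value is still visible in the dcpromo command line, as in the post's own command).
set /p DSRM=DSRM password: 
dcpromo /unattend /replicaOrNewDomain:replica /replicaDomainDNSName:%DOMAIN% /ConfirmGC:yes ^
  /username:%DOMAIN%\administrator /Password:* /safeModeAdminPassword:%DSRM% /RebootOnCompletion:yes
exit /b
:check
REM After the post-promotion reboot: role present, dcdiag quiet mode (prints only errors), replication partners.
oclist | findstr /i "DirectoryServices"
dcdiag /q
repadmin /showrepl
exit /b
```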
If you want to demote a Core server from being a domain controller, simply enter the command
Dcpromo /unattend /Administratorpassword:MyNewLocalAdminPassword
If you want to add your domain controllers in different ways, I set out below the RTM version of the Promotion help file, which shows the switches to locate the database and SYSVOL shares on different drives for space and/or performance reasons.
The following is a list of unattend parameters for promotion (default values are enclosed in <>):

/AllowDomainControllerReinstall:{Yes | <No> | NoAndNoPromptEither}
Specifies whether to continue installing this domain controller despite that a domain controller account with the same name is detected. Specify Yes only if you are sure that the account is no longer in use.

/AllowDomainReinstall:{Yes | <No> | NoAndNoPromptEither}
Specifies whether an existing domain is recreated.

/ApplicationPartitionsToReplicate:""
Specifies application partitions to be replicated in the format of "partition1" "partition2". If * is specified, all application partitions will be replicated.

/AutoConfigDNS:{Yes | No} default will be automatically computed based on the environment
Specifies whether Domain Name System (DNS) Server service should be installed.

/ChildName:"child_domain_name"
Specifies the single-label DNS name of the child domain.

/ConfirmGc:{Yes | No}
Specifies whether you want the domain controller to be a global catalog server.

/CreateDNSDelegation:{Yes | No} default will be automatically computed based on the environment
Specifies whether a DNS delegation for this domain should be created in the parent zone.

/CriticalReplicationOnly:{Yes | <No>}
Specifies whether the promotion operation performs only critical replication before reboot, and then continues, skipping the non-critical (and potentially lengthy) portion of replication. The non-critical replication will happen after the role installation has finished and the computer reboots.

/DatabasePath:"path_to_database_files" default is %SYSTEMROOT%\NTDS
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain database. For example, C:\Windows\NTDS.

/DelegatedAdmin:"name of user or group"
Specifies the name of user or group that will install and administer the read-only domain controller.

/DNSDelegationPassword:{"password" | *}
Specifies the password for the user name (account credentials) to use for creating or removing DNS delegation. Specify * to prompt the user to enter credentials.

/DNSDelegationUserName:"user_name"
Specifies the user name (account credentials) used for creating or removing DNS delegation. If no value is specified, the credentials used for the domain controller installation or removal are used.

/DNSOnNetwork:{<Yes> | No}
Specifies whether DNS service is available on the network. This is used only when the network adapter for this computer is not configured with the name of a DNS server for name resolution. Specifying 'No' indicates that DNS server will be installed on this computer for name resolution. Otherwise, the network adapter must be configured with a DNS server name first.

/DomainLevel:{0|2|3}
The domain functional level cannot be lower than the forest functional level. Default will be automatically computed and set to the existing forest functional level or the value set for /ForestLevel.
Specifies the domain functional level when creating a new domain. A value of 0 specifies Windows 2000. A value of 2 specifies Windows Server 2003. A value of 3 specifies Windows Server 2008.

/DomainNetBiosName:"domain_NetBIOS_name"
Assigns a network basic input/output system (NetBIOS) name to the new domain.

/ForestLevel:{<0>|2|3}
The default forest functional level when creating a new forest is Windows 2000 (0); do not use this switch when promoting a domain controller in an existing forest.
Specifies the forest functional level when creating a new forest. A value of 0 specifies Windows 2000. A value of 2 specifies Windows Server 2003. A value of 3 specifies Windows Server 2008.

/InstallDNS:{Yes | No} default will be automatically computed based on the environment
Specifies whether Domain Name System (DNS) should be installed for the domain. This switch replaces /AutoConfigDNS.

/LogPath:"path_to_log_files" default is %SYSTEMROOT%\NTDS
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files. For example, C:\Windows\Logs.

/NewDomain:{Tree | Child | <Forest>}
Indicates the type of domain that you want to create: a new forest, a new domain tree in an existing forest, or a child of an existing domain.

/NewDomainDNSName:"DNS_name_of_domain"
Specifies the fully qualified domain name for the new domain.

/ParentDomainDNSName:"DNS_name_of_domain"
Specifies the fully qualified domain name of an existing parent domain when installing a child domain.

/Password:{"password" | *}
Specifies the password corresponding to the user name (account credentials) used for the operation. Specify * to prompt the user to enter credentials.

/PasswordReplicationAllowed:{"security_principal" | None}
Specifies the names of user, group, and computer accounts whose passwords can be replicated to this RODC. Specify "None" if you want to keep the value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty.

/PasswordReplicationDenied:{"security_principal" | None}
Specifies the names of users, groups, and computer accounts whose passwords are not to be replicated to this RODC. Specify "None" if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins.

/RebootOnCompletion:{<Yes> | No}
Specifies whether to restart the computer upon completion, regardless of success.

/RebootOnSuccess:{<Yes> | No | NoAndNoPromptEither}
Specifies whether to restart the computer upon successful completion.

/ReplicaDomainDNSName:"DNS_name_of_domain"
Specifies the fully qualified domain name of the domain in which you want to promote an additional domain controller.

/ReplicaOrNewDomain:{<Replica> | ReadOnlyReplica | Domain}
Specifies whether to install an additional domain controller (writable or RODC), or to create a new domain.

/ReplicationSourceDC:"DNS_name_of_DC"
Indicates the fully qualified domain name of the partner domain controller from which you replicate the domain information.

/ReplicationSourcePath:"replication_source_path"
Indicates the location of the installation media that will be used to install a new domain controller.

/SafeModeAdminPassword:"password" default is empty password (it is required that you do not leave this value blank)
Supplies the password for the administrator account when starting the computer in safe mode or a variant of safe mode, such as directory service restore mode.

/SiteName:"site_name"
The default value depends on the type of installation. For a new forest, the default is Default-First-Site-Name. For all other installations, the default is the site that is associated with the subnet that includes the IP address of this server. If no such site exists, the default is the site of the replication source domain controller.
Specifies the name of an existing site where you can place the new domain controller.

/SkipAutoConfigDns
This switch is for expert users who want to skip automatic configuration of DNS, including creation of zones and configuration of client settings, forwarders, and root hints. The switch is only in effect if the DNS Server service is already installed on this server. If you specify this switch, ensure that zones are created and properly configured before you install Active Directory Domain Services (AD DS); otherwise, this domain controller will not operate correctly. If the DNS Server service is not installed on this server, this switch is ignored.

/Syskey:{<None> | system key}
Specifies the system key for the media from which you replicate the data.

/SysVolPath:"path_to_database_file" default is %SYSTEMROOT%\sysvol
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer. For example, C:\Windows\SYSVOL.

/TransferIMRoleIfNecessary:{Yes | <No>}
Specifies whether to transfer the infrastructure master (IM) role to this DC, in case it is currently hosted on a global catalog (GC) server, and you do not plan to make this DC a GC. Choose Yes to transfer the IM role to this DC in case this is needed; in that case, make sure to specify "/ConfirmGC:No". Choose No if you want the IM role to remain where it currently is.

/UserDomain:"domain_name"
Specifies the domain name for the user name (account credentials) used for the operation. It also helps to specify the forest where you plan to install the domain controller or create an RODC account. If no value is specified, the domain of the computer will be used.

/UserName:"user_name"
Specifies the user name (account credentials) used for the operation. If no value is specified, the credentials of the current user are used for the operation.