Sunday, December 22, 2013

Windows Server 2012 - Active Directory - adding a second domain controller

Best practice, concerning domain controllers, is to have at least two so if one is unavailable, clients can still authenticate to the network. Moreover, both should be global catalog servers since the presence of a global catalog server is a pre-requisite for a successful logon.

Note: if you are interested in the crucial role of the Global Catalog, here is a link with more information on the subject:

Global Catalog information

A second domain controller can be added using Server Manager (Add Roles or Features) or PowerShell cmdlets. In what will be one of my more concise blog posts, I'll demonstrate how a second domain controller can be added at the command line.

Although not strictly necessary, I'll first rename the server (that already happens to be a domain member) so its new name will reflect its status as a domain controller:

We could use the netdom /renamecomputer command but since this is Windows Server 2012, I'll opt for the Powershell cmdlet instead:


PS C:\> Rename-Computer DC-004

WARNING: The changes will take effect after you restart the computer SVR-004.

PS C:\> Restart-Computer



So we indicate the new name of the computer after the Rename-Computer cmdlet and then restart the computer with the aptly named Restart-Computer cmdlet - elementary, obvious and almost self-explanatory.

Once the computer restarts, we'll logon with domain administrator credentials and enter the following Powershell cmdlet to install the necessary files for the domain controller role:

PS C:\> Add-WindowsFeature AD-Domain-Services -IncludeManagementTools


IP address and DNS

We also need to make sure (this may be the case already) that the primary (or secondary) DNS server parameter in the TCP/IP settings designates the first domain controller:

PS C:\> Set-DnsClientServerAddress "Ethernet" -ServerAddresses 10.1.1.10

This is in the context of our single - and soon double - domain controller scenario. If there were other domain controllers, we could designate one of them as well, assuming they are also a DNS server, which is currently the most common domain controller configuration.


Promotion of the server to domain controller

Now we can promote the server to a domain controller with the following command:

Note: we enter the password for Directory Services Restore Mode when prompted.

PS C:\> Install-ADDSDomainController -DomainName machlinkit.biz -SafeModeAdministratorPassword (read-host -prompt "Password:" -AsSecureString)

Password:: **********


In my experience, the above command was enough to create a second domain controller that was also a DNS server and a Global Catalog. It seems that the domain controller promotion default values obtain this result.
 
Here, for example, we can see that the new domain controller is configured as a global catalog server by default:

PS C:\> dsquery server -isgc

"CN=DC-001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz"

"CN=DC-004,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=machlinkit,DC=biz"


Various parameters can be indicated explicitly if we want. We would see many of these if we used the graphic interface to promote the server to domain controller status.
 
We can indicate the database path (or location) for the Active Directory database (the ntds.dit file and associated files):

-DatabasePath 'C:\Windows\NTDS'

We can indicate if we want the domain controller to be a DNS server also. If for some reason we did not, we could change the value below to $false

-InstallDNS:$true

This parameter will eliminate some of the informational messages displayed during the process:

-force:$true

The server will reboot automatically once the initial promotion process is complete. If we do not want the server to reboot, we can enter this:

-NoRebootOnCompletion:$false

Here we can designate the site. In this case, the default site name is used:

-SiteName 'Default-First-Site-Name'

Lastly, we can prevent a newly promoted domain controller from being a global catalog server as well with this parameter:

-NoGlobalCatalog:$false



References:

The Install-ADDSDomainController cmdlet


This link provides a complete list of various parameters, most optional, that can be used with the cmdlet.

No comments:

Post a Comment