Friday, February 27, 2009

Windows 2008 Answer file

Windows 2008 answer file.

You can use this answer file for future Windows 2008 unattended installations. It includes the new options for Windows 2008 R2 as described here. I have included the possible values and a description for each option. All options are disabled (commented out). You can enable an option by removing the semicolon (;) and the forward slash (/) and then setting the correct value for it. Hopefully this will help you configure the options according to your needs.

Open your text editor and copy the text between the lines “->Begin” and “->End” to a text file. Save the text file with a .txt extension and you are ready to configure the options in this file. After that configuration, you can use the answer file with dcpromo.exe as follows:

dcpromo /unattend: "path to the answer file"

->Begin

[DCINSTALL]

;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - YES NO
;Default Value - NO
;Description - Specifies whether an existing domain is re-created.

;/AllowDomainReinstall
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - YES NO
;Default Value - NO
;Description - Specifies whether to continue installing this domain controller
; despite the fact that an active domain controller account with
; the same name is detected.
; Specify Yes only if you are sure that the account is no longer
; in use.

;/AllowDomainControllerReinstall
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values- "partition_DN_1 partition_DN_2 ...partition_DN_n"
;Default Value -
;Description - Specifies application partitions to be replicated in the format
; of "partition1" "partition2".
; If * is specified, all application partitions will be replicated.
; Use space-separated (or comma-and-space-separated) distinguished
; names, with the entire string enclosed in quotation marks.

;/ApplicationPartitionsToReplicate
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - (This parameter has been renamed to /InstallDNS)
; - Yes No
;Default Value - Computed automatically based on the environment.
;Description - Specifies whether Domain Name System (DNS) is configured for a
; new domain if Dcpromo detects that the DNS dynamic update protocol
; is not available or if Dcpromo detects an insufficient number of
; DNS servers for an existing domain.

;/InstallDNS
;/AutoConfigDNS
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - child_domain_name
;Default Value -
;Description - Specifies the single-label DNS name of the child domain.

;/ChildName
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - YES NO
;Default Value - Yes, unless you are creating the first domain controller in a
; new child domain or new domain tree.
;Description - Specifies whether the domain controller is a global catalog server.

;/ConfirmGc
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - YES NO
;Default Value - Computed automatically based on the environment.
;Description - Indicates whether to create a DNS delegation that refers to this
; new DNS server. Valid for Active Directory–integrated DNS only.

;/CreateDNSDelegation
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - YES NO
;Default Value - NO
;Description - Specifies whether the promotion operation performs only critical
; replication before reboot and then continues, skipping the
; noncritical (and potentially lengthy) portion of replication.
; The noncritical replication happens after the role installation
; finishes and the computer restarts.

;/CriticalReplicationOnly
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - path_to_database_files
;Default Value - %systemroot%\NTDS
;Description - Specifies the fully qualified, non–Universal Naming Convention
; (UNC) path to a directory on a fixed disk of the local computer
; that contains the domain database, for example, C:\Windows\NTDS.

;/DatabasePath
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - User or group
;Default Value -
;Description - Specifies the name of the user or group who will install and
; administer the read-only domain controller (RODC). If no value is
; specified, only members of the Domain Admins group or Enterprise
; Admins group can install and administer the RODC.

;/DelegatedAdmin
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Password *
;Default Value -
;Description - Specifies the password for the user name (the account credentials)
; that is used to create or remove the DNS delegation. Specify * to
; prompt the user to enter credentials.

;/DNSDelegationPassword
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - user_name
;Default Value -
;Description - Specifies the user name to be used when the DNS delegation is
; created or removed. If you do not specify a value, the account
; credentials that you specify for the AD DS installation or removal
; are used for the DNS delegation.

;/DNSDelegationUserName
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - YES NO
;Default Value - YES
;Description - Specifies whether the DNS Server service is available on the
; network. This parameter is used only when the network adapter for
; this computer is not configured with the name of a DNS server for
; name resolution. Specifying No indicates that the DNS server will
; be installed on this computer for name resolution. Otherwise, the
; network adapter must be configured with a DNS server name first.

;/DNSOnNetwork
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - 0 2 3 4
;Default Value - Based on levels existing in the forest.
;Description - Specifies the domain functional level when a new domain is created
; in an existing forest, as follows:
; 0 = Windows 2000 native
; 2 = Windows Server 2003
; 3 = Windows Server 2008
; 4 = Windows Server 2008 R2

;/DomainLevel
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - domain_NetBIOS_name
;Default Value - Left-most label of the DNS name.
;Description - Assigns a NetBIOS name to the new domain.

;/DomainNetBiosName
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - 0 2 3 4
;Default Value - 0
;Description - Specifies the forest functional level when a new domain is
; created in a new forest, as follows:
; 0 = Windows 2000
; 2 = Windows Server 2003
; 3 = Windows Server 2008
; 4 = Windows Server 2008 R2
; ForestLevel replaces SetForestVersion in Windows Server 2003.
; Do not use this switch when you are installing a domain controller
; in an existing forest.

;/ForestLevel
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - (This switch replaces /AutoConfigDNS)
; YES NO
;Default Value - Computed automatically based on the environment.
;Description - Specifies whether DNS is configured for a new domain if Dcpromo
; detects that the DNS dynamic update protocol is not available or
; if Dcpromo detects an insufficient number of DNS servers for an
; existing domain.

;/InstallDNS
;/AutoConfigDNS
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Path_to_log_files
;Default Value - %systemroot%\NTDS
;Description - Specifies the fully qualified, non-UNC path to a directory on a
; fixed disk of the local computer that contains the domain log
; files, for example, C:\Windows\NTDS.

;/LogPath
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Forest Tree Child
;Default Value - Forest
;Description - Specifies the type of new domain:
; The root domain of a new forest
; The root domain of a new tree in an existing forest
; A child domain in an existing forest
; The type of new domain must be specified when AD DS is installed
; on a Server Core installation.

;/NewDomain
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - DNS_domain_name
;Default Value -
;Description - Specifies a fully qualified domain name (FQDN) for the new domain.

;/NewDomainDNSName
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - DNS_domain_name
;Default Value -
;Description - Specifies the FQDN of an existing parent domain when a child
; domain is installed.

;/ParentDomainDNSName
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Password *
;Default Value -
;Description - Specifies the password that corresponds to the user name
; (account credentials) that is used to promote the domain
; controller. Specify * to prompt the user to enter credentials.

;/Password
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Security_Principal NONE
;Default Value -
;Description - Specifies the names of computer and user accounts whose passwords
; can be replicated to this RODC. Specify "None" if you want to keep
; the value empty. By default, no user credentials will be cached
; on this RODC. To specify more than one security principal, add
; the entry multiple times.

;/PasswordReplicationAllowed
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Security_Principal NONE
;Default Value -
;Description - Specifies the names of user, group, and computer accounts whose
; passwords are not to be replicated to this RODC. Specify None if
; you do not want to deny the replication of credentials of any
; users or computers. To specify more than one security principal,
; add the entry multiple times.

;/PasswordReplicationDenied
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - YES NO
;Default Value - YES
;Description - Specifies whether to restart the computer upon completion,
; regardless of success.

;/RebootOnCompletion
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Yes No NoAndNoPromptEither
;Default Value - YES
;Description - Specifies whether to restart the computer upon successful
; completion of an operation.

;/RebootOnSuccess
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - DNS_domain_name
;Default Value -
;Description - Specifies the FQDN of the domain in which you want to promote an
; additional domain controller.

;/ReplicaDomainDNSName
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Replica ReadOnlyReplica Domain
;Default Value - Replica
;Description - Specifies whether to install the domain controller as:
; An additional domain controller in an existing domain
; An RODC in an existing domain
; The first domain controller in a new domain

;/ReplicaOrNewDomain
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - DNS_name_of_source
;Default Value -
;Description - Indicates the FQDN of the partner domain controller from which
; Active Directory data is replicated to create the new
; domain controller.

;/ReplicationSourceDC
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - path_to_installation_media
;Default Value -
;Description - Indicates the location of the installation media that will be
; used to install a new domain controller.

;/ReplicationSourcePath
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - password NONE
;Default Value -
;Description - The password for the administrator account to use when you start
; the computer in Safe Mode or a variant of Safe Mode, such as
; Directory Service Restore Mode (DSRM). You cannot specify a
; blank password.

;/SafeModeAdminPassword
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - site_name
;Default Value - (The default value for the /SiteName parameter depends on the
; type of installation. For a new forest, the default is
; Default-First-Site-Name. For all other writable domain controller
; installations, the default is the site that is associated with
; the subnet that includes the IP address of this server.
; If no such site exists, the default is the site of the replication
; source domain controller. For an RODC installation, you must
; specify the site name where the RODC will be installed)
;Description - The name of an existing site where you can place the new
; domain controller.

;/SiteName
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - No value is required.
;Default Value -
;Description - This switch is for expert users who want to skip automatic
; configuration of client settings, forwarders, and root hints.
; The switch is in effect only if the DNS Server service is already
; installed on the server, in which case you will receive an
; informational message confirming that the automatic configuration
; of DNS was skipped. Otherwise, this switch is ignored. If you
; specify this switch, ensure that zones are created and properly
; configured before you install AD DS or the domain controller will
; not operate correctly. This switch does not skip automatic creation
; of the DNS delegation in the parent DNS zone. To control DNS
; delegation creation, use the /CreateDNSDelegation switch.

;/SkipAutoConfigDNS
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - NONE system key
;Default Value -
;Description - Specifies the system key for the media from which you
; replicate the data.

;/Syskey
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - path_to_SYSVOL_folder
;Default Value - %systemroot%\sysvol
;Description - Specifies the fully qualified, non-UNC path to a directory on a
; fixed disk of the local computer, for example, C:\Windows\SYSVOL.

;/SysVolPath
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - YES NO
;Default Value - NO
;Description - Specifies whether to transfer the infrastructure master role to
; this domain controller, in case it is currently hosted on a global
; catalog server and you do not plan to make this domain controller
; a global catalog server. Choose Yes to transfer the infrastructure
; master role to this domain controller in case this is needed.
; If you choose Yes, be sure to specify /ConfirmGC:No.

;/TransferIMRoleIfNeeded
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - domain_name
;Default Value -
;Description - Specifies the domain name for the user name (account credentials)
; that is used for promoting a domain controller.

;/UserDomain
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------
;Possible Values - Domain\user_name
;Default Value -
;Description - Specifies the user name (account credentials) that is used for
; promoting a domain controller. We recommend that you specify the
; account credentials in the domain\user_name format.

;/UserName
;****************************************************************************************
;----------------------------------------------------------------------------------------
;----------------------------------------------------------------------------------------

->End

How to add the second domain controller in Active Directory (Windows 2008 R2) part 2

If you missed part one of this article, please click here to review it.

The Answer File:

- The following list includes the installation options (including the new options for the R2 version of Windows 2008) to use with dcpromo and an answer file. For more information about each option click here.

- It’s also important to know the meaning of the unattended installation return codes. You can check them by clicking here. For return codes keep in mind that:
o 1-10 = success return codes
o 11-100 = failure return codes

- Note: The following options are available for the Promotion operation during an unattended installation of Active Directory Domain Services (AD DS) in Windows Server 2008 and Windows Server 2008 R2. Options that are new appear in bold text.

I would like to comment on one of the options listed in the answer file: “/TransferIMRoleIfNeeded”. According to the option description, it is used when we want to transfer the Infrastructure Master role to the server we are setting up, and the description warns that we should only do this if the DC we are setting up is NOT a GC. That does not always have to be the case.

In fact, the Infrastructure Master role can sit on a Global Catalog when:
- Only one domain exists in your forest.
- You have only one domain controller for a given domain within your forest.
- All DCs in the domain are also Global Catalogs.
In the scenarios above you can place the IM (Infrastructure Master role) on a DC (Domain Controller) that is also a GC (Global Catalog).

The setting description applies when:
- You have multiple domains in your forest, and the domain where the Infrastructure Master role lives has a mixture of DCs that are GCs and non-GCs. In this scenario the IM role should NOT be placed on a GC, and the option “/ConfirmGc” should be set to “/ConfirmGc:NO”.
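As an added example (PowerShell, not from the original post), the following function applies the three rules above to a live domain and reports whether the current Infrastructure Master placement is the problematic case. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later); the function name is mine.

```powershell
# Added example (not part of the original post). Applies the three rules from the
# text to a live domain: the Infrastructure Master (IM) may sit on a Global
# Catalog (GC) if the forest has one domain, or the domain has one DC, or every
# DC in the domain is a GC. Requires the ActiveDirectory module (RSAT, 2008 R2+).
Import-Module ActiveDirectory

function Test-ImPlacement {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)
    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog })
    $imHost = $domain.InfrastructureMaster
    $imIsGc = [bool]($gcs | Where-Object { $_.HostName -eq $imHost })

    $singleDomain = ($forest.Domains.Count -eq 1)
    $singleDc     = ($dcs.Count -eq 1)
    $allGc        = ($gcs.Count -eq $dcs.Count)

    # IM on a GC is only a problem in a multi-domain forest whose domain mixes
    # GC and non-GC DCs; that is exactly the case the answer-file note covers.
    $mixed   = -not ($singleDomain -or $singleDc -or $allGc)
    $problem = $imIsGc -and $mixed

    New-Object PSObject -Property @{
        Domain               = $DomainName
        InfrastructureMaster = $imHost
        ImIsGlobalCatalog    = $imIsGc
        DomainControllers    = $dcs.Count
        GlobalCatalogs       = $gcs.Count
        ForestDomains        = $forest.Domains.Count
        ImOnGcIsProblem      = $problem
    }
}

$result = Test-ImPlacement
$result | Format-List
if ($result.ImOnGcIsProblem) {
    Write-Warning ('The IM role is on a GC in a mixed domain: move it to a non-GC DC, ' +
                   'e.g. promote the new DC with ConfirmGc=No and TransferIMRoleIfNeeded=Yes.')
}
```

Run it on a domain-joined machine with RSAT as a domain administrator; the warning only fires in the mixed multi-domain case, which is the one where the answer-file option's advice actually applies.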

Check the following video to see how everything is done. The basic steps are:

· Because we are introducing the new Windows 2008 R2 into a Windows 2008 domain, we need to prepare the forest and the domain for Windows 2008 R2: run adprep /forestprep on the Schema Master and adprep /domainprep on the Infrastructure Master. To do that, insert the Windows 2008 R2 DVD in the Schema Master and in the Infrastructure Master domain controller. Additionally (NOT MANDATORY) we will also raise the Forest Functional Level to Windows 2003 so that we can later introduce the new type of domain controller available in Windows 2008, the Read-Only Domain Controller.

Note: If the FSMO owner is a 32-bit Windows 2008 DC, you need to use the 32-bit adprep version (adprep32.exe) from the Windows 2008 R2 DVD.

· After upgrading the forest and domain, we are ready to add the Windows 2008 R2 server as an additional DC.

· In this demonstration, SWDC01 has the IP address 10.0.5.16 and this server (SWDC02) has the IP address 10.0.5.17. Configure the SWDC02 NIC preferred DNS server with the SWDC01 IP address.

· Download and configure the answer file. Click here to access the answer file. Open your text editor and copy all the lines between “->Begin” and “->End” to a text file. Save the text file with a .txt extension and you are ready to configure the options in this file. After that configuration, you can use the answer file with dcpromo.exe as follows: dcpromo /unattend: "path to the answer file"

· Run dcpromo with the /unattend option and the path to the answer file.

· Reboot.

· After reboot, check that everything is working correctly.
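The answer-file steps above (and the usage notes at the top of the answer-file post) put together as one added PowerShell example, not code from the original post: it writes a [DCINSTALL] answer file for an additional DC in an existing domain, checks the combinations the option descriptions warn about, runs dcpromo with it, and removes the file afterwards. The domain, account, site and path values are constructed placeholders; the function name is mine.

```powershell
# Added example (not part of the original post). Builds a [DCINSTALL] answer file
# for an additional (replica) DC in an existing domain, validates it, runs dcpromo
# with it, and removes the file afterwards. Domain, account, site and path values
# are constructed placeholders.
$AnswerFile   = 'C:\Temp\dc2-answer.txt'     # placeholder path
$DomainName   = 'corp.example.com'           # placeholder: existing domain FQDN
$PromoAccount = 'CORP\dcadmin'               # placeholder: account allowed to add DCs
$SiteName     = 'Default-First-Site-Name'    # must already exist in the forest

# Inside the file each switch loses its leading "/" and is written as Key=Value.
$settings = @(
    'ReplicaOrNewDomain=Replica'             # additional DC in an existing domain
    "ReplicaDomainDNSName=$DomainName"
    "SiteName=$SiteName"
    'InstallDNS=Yes'                         # DNS on both DCs for redundancy
    'ConfirmGc=Yes'                          # second GC (see the IM/GC discussion)
    'TransferIMRoleIfNeeded=No'              # Yes would require ConfirmGc=No
    'CreateDNSDelegation=No'
    'CriticalReplicationOnly=No'
    'DatabasePath=C:\Windows\NTDS'
    'LogPath=C:\Windows\NTDS'
    'SysVolPath=C:\Windows\SYSVOL'
    "UserDomain=$DomainName"
    "UserName=$PromoAccount"
    'Password=*'                             # * = prompt at run time, nothing stored
    'RebootOnCompletion=No'                  # reboot is a separate step below
    'RebootOnSuccess=No'
)

# Sanity checks the option descriptions imply, run before anything touches disk.
function Test-DcInstallSettings {
    param([string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) { $key, $value = $line -split '=', 2; $map[$key] = $value }
    $issues = @()
    foreach ($required in 'ReplicaOrNewDomain', 'ReplicaDomainDNSName', 'UserName', 'Password', 'SafeModeAdminPassword') {
        if ([string]::IsNullOrEmpty($map[$required])) { $issues += "missing $required" }
    }
    if ($map['TransferIMRoleIfNeeded'] -eq 'Yes' -and $map['ConfirmGc'] -ne 'No') {
        $issues += 'TransferIMRoleIfNeeded=Yes requires ConfirmGc=No'
    }
    if ($map['SafeModeAdminPassword'] -eq 'NONE') { $issues += 'DSRM password cannot be blank' }
    return $issues
}

# The DSRM password is listed only as "password" or NONE (no * prompt), so ask for
# it here and keep it in the file only for the duration of the promotion.
$secure = Read-Host -AsSecureString 'DSRM (Safe Mode) administrator password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $dsrm = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$settings += "SafeModeAdminPassword=$dsrm"

$issues = Test-DcInstallSettings $settings
if ($issues.Count -gt 0) { throw ('answer file not usable: ' + ($issues -join '; ')) }

Set-Content -Path $AnswerFile -Value (@('[DCINSTALL]') + $settings) -Encoding ASCII
try {
    # Same invocation the post shows: dcpromo /unattend:"path to the answer file"
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
                          -ArgumentList "/unattend:`"$AnswerFile`"" -Wait -PassThru
    $rc = $proc.ExitCode
} finally {
    # Never leave the DSRM password on disk once dcpromo has read the file.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
}

# Return codes per the post: 1-10 = success, 11-100 = failure (details in
# %systemroot%\debug\dcpromo.log).
if ($rc -ge 1 -and $rc -le 10) {
    Write-Host "dcpromo finished successfully (return code $rc); rebooting."
    Restart-Computer
} else {
    Write-Warning "dcpromo failed with return code $rc; check $env:SystemRoot\debug\dcpromo.log"
}
```

Run it in an elevated PowerShell on the server being promoted. Keeping the promotion account password as "*" and deleting the file in the finally block means the only secret ever written is the DSRM password, and it lives on disk only while dcpromo runs.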



Part 1


Part 2


Have fun :)

You might want to have a look at the next article:
(How to add a RODC in a Windows Core installation with IPSec at DMZ using CLI)

How to add the second domain controller in Active Directory (Windows 2008 R2) part 1

After “How to create the first domain controller in Active Directory (Windows 2008)”, it is time to consider adding an additional domain controller to your domain.

Why should you consider that?

- Redundancy: Having more than one DC for a given domain provides better redundancy for users, computers and apps. Apart from Active Directory redundancy, you may also have additional roles on those DCs that you want to keep available in case of a DC failure or DC overload. The roles most commonly hosted on DCs are the DNS Server role and the Global Catalog.

- Workload distribution: Depending on the size of your network, load balancing users, apps, computers, etc. across multiple DCs prevents the overload of a single DC.

- Domain hierarchy: The first domain that is created is the root domain of the forest. If you lose that domain you lose the entire forest. In a scenario where you have multiple domains within a forest, if you have only one DC for that top root domain and you lose that DC forever, you may say goodbye to your entire forest. In sub-domains (child domains), if you lose the only DC that you have, you lose that domain plus the child domains of that child domain. Hum… that’s not good… As you have already guessed, domain hierarchy is very important in Active Directory.

- Recovery/Availability: Consider the following scenario. Your DC suffers a hardware failure, and recovering from that failure will take some time. If you have only one DC you have a problem: the apps that use that DC stop working until it is back online, the users of those apps stop working too, and your company loses money because of that downtime. Eventually you recover the DC from the hardware failure, but then you discover that it cannot start (BSoD, more downtime); no problem (you think), you start the backup recovery process, only to discover that the backup isn’t enough to recover that DC. Now you have a big problem: everyone has stopped working and the company isn’t making money because of it. Everyone will have to wait until you replace the domain controller with a new one. With a second DC your downtime would be zero, and the dead DC could be replaced easily without affecting the users or apps that depend on it.

And if I lose both DCs?
It’s true, you can lose both DCs and you’ll be “dead” anyway, but that is another story with different planning for a different blog post. The point I’m trying to make is that with 2 DCs per domain “at the minimum” you get a good chance to recover from downtime (with a good percentage of success) plus better redundancy and a distributed workload.

I could give you many more reasons to have additional DCs, but keep these in mind and hopefully they will be enough to make you think twice before considering only one DC for your domain.

Ok, back to the beginning: how to create the second domain controller in Active Directory. Actually it is pretty simple; we just need a healthy domain (run the dcdiag tool to check that everything is ok), and if everything is working correctly you are ready to add the 2nd DC to your domain.
In this demonstration I’ll use the Beta release of Windows 2008 R2. Instead of using the GUI, I’ll use an answer file to install the DC.

Okay, let’s prepare the additional domain controller and build the answer file that we’ll use with dcpromo.exe to promote the server to an additional domain controller in an existing forest.

Before start:
· Plan the FQDN of the domain controller carefully and make sure it follows the rules of your internal company documentation. Although it is possible to rename DCs running Windows 2003 and later, I would rather do it correctly the first time and avoid later changes. Check the naming conventions in Microsoft KB909264.

· Configure your NIC with a static IP address. Avoid using multiple NICs in DCs: this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers. Check MS KB 272294 and 191611 for more information.

· Make sure that the Administrator account has a strong password. If possible, avoid using the Administrator account and use a dedicated account for your everyday work in AD. Think of the Administrator account as the SOS account, and use it only when no other account solves your problem.

· You must have at least one drive formatted with NTFS.

· Install the latest updates from Microsoft website.

· Check your event log for errors and correct them before proceeding.

· Plan and test the backup strategy for your Active Directory forest. After that, take a full backup of the existing DC in case you need to roll back.

· Finally, check the date and time settings, make sure they are correct, and make sure that the existing DC is in sync with a trusted and valid authoritative time server. By default the DC that holds the PDC emulator role is the authoritative time server for your forest, and additional DCs sync their time with that DC.



Note: Pay attention to the preferred DNS configuration on DC2: it must point to the existing DC1 that already has AD on it. Because I want to provide redundancy using both servers, I will install the AD and DNS server roles on DC2, but first I need to use an existing DC to add DC2 as an additional domain controller to the domain, and for that to happen I need to use a valid existing DNS server that “knows” where my AD is.

Now it’s time to prepare the answer file. We’ll see it in part 2 of this article:
How to add the second domain controller in Active Directory (Windows 2008 R2) part 2.

Monday, February 23, 2009

How to create the first domain controller in Active Directory (Windows 2008) Part 2

Welcome to part 2 of how to create the first domain controller in Active Directory.

If you missed part one, click part 1.

In part 2 we’ll do some additional configuration on the domain controller. This additional configuration is not mandatory, but I do recommend it.

Basic Steps are:
1- After the AD installation and the server reboot, go to the NIC’s TCP/IP properties and change the preferred DNS value, which the wizard set to “127.0.0.1”, to the IP address of the server.
2- Create a reverse lookup zone in your DNS server. AD doesn’t need the reverse lookup zone to work, but future applications installed in your network may need it.
3- Run ipconfig /registerdns to register the PTR records in the new reverse zone.
4- Open DNS snap-in, right-click the DNS server and choose the option “Set Aging/Scavenging for all zones”. This will configure “Aging/Scavenging” for all existing zones at once.
5- Under DNS properties select advanced tab and click the check box “Enable automatic scavenging of stale records”.
6- Additionally, you may want to control which interfaces respond to DNS queries (remember that it is NOT recommended to use multiple NICs in a DC).
7- Under DNS properties, select the Interfaces tab, select the option “Only the following IP address:”, and then select the IP address the server will use to listen for DNS queries.
8- Install the latest updates.
9- Reboot the server.
10- From cmd, run “dcdiag /e /v /f:c:\dcdiag.log” and check dcdiag.log for errors that may indicate that your server has problems. Note: it is normal to have some warnings in the event logs that were generated during the dcpromo process or during other actions you took to configure the server. Dcdiag will also report these errors/warnings during the “System Log” test. The reboot mentioned before helps you isolate the errors logged since the last reboot.
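The same post-promotion configuration as a script, added here as an example and not part of the original post. It uses only the tools present on Windows Server 2008/2008 R2 (netsh, dnscmd, dcdiag); the IP address, NIC name, subnet and log path are constructed placeholders.

```powershell
# Added example (not from the original post): automates Part 2 steps 1-7 and 10.
# All values below are constructed placeholders; replace them with your own.
$ServerIP    = '192.168.10.5'             # assumed static IP of this DC
$NicName     = 'Local Area Connection'    # assumed NIC name (see: netsh interface show interface)
$ReverseZone = '10.168.192.in-addr.arpa'  # reverse zone for the assumed 192.168.10.0/24 subnet
$DcdiagLog   = 'C:\dcdiag.log'

# Step 1: replace the 127.0.0.1 preferred DNS set by the wizard with the server's own IP.
netsh interface ipv4 set dnsservers name="$NicName" source=static address=$ServerIP register=primary

# Step 2: create an AD-integrated reverse lookup zone (stored in the directory, replicated to DCs).
dnscmd /ZoneAdd $ReverseZone /DsPrimary

# Step 3: register this host's A and PTR records (and the DC's SRV records) in DNS.
ipconfig /registerdns

# Step 4: enable aging on every zone at once, with 7-day no-refresh and refresh intervals
# (the defaults the "Set Aging/Scavenging for all zones" dialog proposes; dnscmd takes hours in hex).
dnscmd /Config ..AllZones /Aging 1
dnscmd /Config ..AllZones /NoRefreshInterval 0xA8   # 168 hours
dnscmd /Config ..AllZones /RefreshInterval 0xA8     # 168 hours

# Step 5: enable automatic scavenging of stale records on the server (interval in hours).
dnscmd /Config /ScavengingInterval 0xA8

# Steps 6-7: answer DNS queries only on the DC's static address, not on every interface.
dnscmd /ResetListenAddresses $ServerIP

# Steps 8-9 (install updates, reboot) are done by hand; run the part below after the reboot.
# Step 10: run dcdiag against all DCs, verbosely, and write the log for review.
dcdiag /e /v /f:$DcdiagLog

# Summarise the log: any "failed test" line needs attention before the DC is put into service.
$failed = Select-String -Path $DcdiagLog -Pattern 'failed test'
if ($failed) {
    Write-Warning "dcdiag reported $(@($failed).Count) failed test(s):"
    $failed | ForEach-Object { Write-Warning $_.Line.Trim() }
} else {
    Write-Host "dcdiag: no failed tests found in $DcdiagLog"
}
```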



Have fun :)

You might want to have a look at “How to add the second domain controller in Active Directory (Windows 2008 R2)”.

How to create the first domain controller in Active Directory (Windows 2008) Part1

A domain controller (DC) is a server role that has the Active Directory service installed. By default, a domain controller stores one domain directory partition, which has all the information about the domain in which that DC is located; it also stores the schema and configuration directory partitions, which are common to the entire forest. Depending on the version you’re running, DCs can also store one or more application directory partitions (Windows 2003 and later).

In addition to the Active Directory database, DCs can also hold specific roles needed by Active Directory:

-Flexible single master operation (FSMO, pronounced Fiz-mo). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. Active Directory defines five operations master roles (2 are forest wide and the other 3 exist in each domain):

- Forest operation masters:
  - Schema master
  - Domain naming master

- Domain operation masters:
  - Primary domain controller emulator (PDCe)
  - Infrastructure master (IM)
  - Relative ID master (RID)

-Global Catalog (GC). A global catalog server is a domain controller that, in addition to its full writable domain directory partition replica (does not apply to RODCs), also stores a partial, read-only replica of all other domain directory partitions in the forest. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS).
GCs are needed for: forest-wide searches; user logons when more than one domain exists in the forest; logons with a user principal name (UPN) when the forest has more than one domain; caching the user’s membership when the user is a member of a universal group (universal groups are only available when the domain is in native mode or later); Exchange address book lookups (Exchange clients also use global catalog servers to access the global address list (GAL)). These are the most common scenarios, but you can also have specific applications that need to contact the GC to function properly.

-DNS: Although DNS is not a component of Active Directory, Active Directory uses DNS as its domain controller location mechanism, enabling computers on the network to obtain the IP addresses of domain controllers, and leverages the namespace design of DNS in the design of Active Directory domain names. It is possible to have a non-Microsoft DNS solution support Active Directory, but the DNS server must support service resource records (RFC 2782) and the dynamic update protocol (RFC 2136). During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS. Both types of records are necessary for the domain controller locator (Locator) mechanism, among other functions.

That being said, now it’s time to set up the first domain controller.

Before start:
· Plan carefully your FQDN (fully qualified domain name), the NetBIOS name and the domain controller name; this is very important to avoid changes that may crash your entire forest later. Check the naming conventions in Microsoft KB909264.
· Configure your NIC with a static IP address. Avoid using multiple NICs in DCs: this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers; check MS KB 272294 and 191611 for more information.
· Configure the Administrator account with a strong password.
· Install the latest updates from Microsoft website.
· Have at least one hard drive formatted with NTFS.
· Check your event log for errors and correct them before proceeding.
· Consider using 2 DCs for each domain that you plan to have in your forest; this gives you better redundancy and also a faster way to recover from server failures.
· Plan and test the Backup strategy for your Active directory Forest.
· Finally, check the date and time settings, make sure they are correct, and make sure that the server is in sync with a trusted and valid authoritative time server. By default, this DC will be the authoritative time server for your forest, and additional DCs will sync their time with it.
Now it’s time to install Active Directory on your server; check the video and follow the steps below:
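A pre-flight script for the “Before start” checklists above (this one for the first DC and the one earlier for the additional DC), added here as an example and not part of the original post. It relies only on WMI, Get-EventLog and w32tm, all available on Windows Server 2008 R2; the existing-DC address is a constructed placeholder and only matters with -AdditionalDc.

```powershell
# Added example (not from the original post): checks the "Before start" items that can be
# verified from the box itself. $ExistingDnsServer is an assumed value for DC1's address.
param(
    [string]$ExistingDnsServer = '192.168.10.5',  # assumed: DC1, the DNS the new DC must point to
    [switch]$AdditionalDc                         # set when this server will become DC2
)
$issues = @()

# Static IP on exactly one NIC: both multihoming and DHCP addresses are called out above.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
if ($nics.Count -gt 1) { $issues += "Multihomed: $($nics.Count) IP-enabled NICs (see KB 272294 / 191611)" }
foreach ($nic in $nics) {
    if ($nic.DHCPEnabled) { $issues += "NIC '$($nic.Description)' uses DHCP; set a static IP" }
    if ($AdditionalDc -and ($nic.DNSServerSearchOrder -notcontains $ExistingDnsServer)) {
        $issues += "Preferred DNS on '$($nic.Description)' does not point to existing DC $ExistingDnsServer"
    }
}

# At least one NTFS volume for the AD database, logs and SYSVOL.
$ntfs = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3 AND FileSystem = 'NTFS'"
if (-not $ntfs) { $issues += 'No NTFS volume found' }

# Time: the first DC becomes the forest's authoritative source, so check what it syncs from.
$source = (w32tm /query /source) -join ''
if ($source -match 'Local CMOS Clock|Free-running') { $issues += "Time source is '$source', not a trusted server" }

# Event log: errors from the last 24 hours should be understood before promotion.
$since = (Get-Date).AddHours(-24)
foreach ($log in 'System', 'Application') {
    $errs = @(Get-EventLog -LogName $log -EntryType Error -After $since -ErrorAction SilentlyContinue)
    if ($errs.Count -gt 0) { $issues += "$($errs.Count) error(s) in the $log log since $since" }
}

if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Pre-flight checks passed' }
```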



Let's do some additional configurations in part 2

Have fun :)