I was poking around in the lab and playing with dcpromo again. Apparently that is the only way to invoke directory services in 2008 R2, despite having an option to install it via the GUI (the option is available under add/remove roles). If you select the “Active Directory Services” role from the GUI, you will still need to run the dcpromo command, so I just skip that stuff and do it all at once.
As usual, the dcpromo command should be launched from a command prompt (or a run box), which in turn starts a graphical wizard to install the service. The graphical interface pops up on the full version of Windows 2008 as well as the Server Core version. Also, the DNS role gets added automatically and would have to be removed manually if you didn’t want to have DNS on the domain controller; personally I can’t really see a reason to remove it other than reducing the overall security footprint of a DC, which is a bit ridiculous, so I just leave it in there. Besides, have you ever run AD without integrated DNS? I can’t imagine it would be easy to support.
At any rate, I loaded my first DC with DCPromo and followed the prompts. Pretty basic stuff: new or existing forest, name the root, NetBIOS name (yep, it lives on), functional level, add DNS role, location of files/logs/db, password, summary, finish.
I opted to create a second DC in the lab and, just for variety, I chose to use the bare-bones installation on Server Core. Pretty basic stuff here as well, except that network teaming can prove to be a challenge without a graphical interface (the HP teaming utility required me to configure the team on a working graphical DC, then export the XML configuration file and overwrite the Server Core team file with it). After rebooting and fiddling with netsh a bit to configure the TCP/IP settings, everything else was pretty much exactly the same.
Pretty cool stuff. I still have to try to install the same thing using an RODC on Server Core. I wonder if I should try to do it with an encrypted FS such as BitLocker just to be fully secure.
Usually I would plan a production deployment of Active Directory for many months before running the command; it’s so much more fun in a test lab 😉 Things to consider would be your sites, subnets, DNS/WINS, backups, trusts, delegations, and naming conventions, among other things. Strangely, it’s not that complicated, but there are so many different ways to do things that it is often difficult to get everybody to agree to use MY way!
On a more serious note, if you ever wanted to remove the domain controller you would run the dcpromo command again. Why is it not called DCDemote or something like that? It’s a bit confusing, I think. Remember that you shouldn’t just ad hoc remove your DCs, of course. There are plenty of online Microsoft resources warning you about the dangers of doing something like that and guiding you through it. You would definitely want to remove your DNS delegations and transfer the FSMO roles at a minimum before killing off a DC. If the DC was the first one in your forest, it probably holds other services such as the source of time for the entire forest.
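A pre-demotion check for the points above (FSMO roles, the PDC emulator as time source, and whether the box is the last global catalog), as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory module is available (RSAT / 2008 R2 and later) and uses the placeholder DC name DC01.

```powershell
# Added example (not from the original post): report dependencies that should be
# cleared before running dcpromo to demote a DC. "DC01" is a placeholder name.
param([string]$Target = "DC01")
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Current holder (FQDN) of each of the five FSMO roles.
$roles = @{
    "SchemaMaster"         = $forest.SchemaMaster
    "DomainNamingMaster"   = $forest.DomainNamingMaster
    "PDCEmulator"          = $domain.PDCEmulator
    "RIDMaster"            = $domain.RIDMaster
    "InfrastructureMaster" = $domain.InfrastructureMaster
}

# Compare on the short host name so "DC01" matches "dc01.corp.example".
function Test-SameHost([string]$Fqdn, [string]$Name) {
    return (($Fqdn -split '\.')[0] -ieq $Name)
}

$blocking = @()
foreach ($role in $roles.Keys) {
    if (Test-SameHost $roles[$role] $Target) {
        $blocking += "$Target still holds $role; transfer it first (Move-ADDirectoryServerOperationMasterRole)."
    }
}

# The PDC emulator is normally the authoritative time source for the forest.
if (Test-SameHost $domain.PDCEmulator $Target) {
    $blocking += "$Target is the PDC emulator: re-point w32tm to the new holder before demoting."
}

# Demoting the only global catalog breaks logons and UPN lookups.
$gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }
if (@($gcs).Count -eq 1 -and (Test-SameHost $gcs[0].HostName $Target)) {
    $blocking += "$Target is the only global catalog in the forest; promote another GC first."
}

if ($blocking.Count -eq 0) {
    "No FSMO, time-source or GC dependencies found on $Target; DNS delegations still need a manual check."
} else {
    $blocking | ForEach-Object { "BLOCK: $_" }
}
```

DNS delegation records are not queried here; review them in the DNS console (or with dnscmd) before the demotion.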
As usual, just be careful and have fun! Happy promoting!