Dcpromo 2008

I was poking around in the lab and playing with dcpromo again.  Apparently that is still the only way to promote a server to a domain controller in 2008 R2, despite there being an option to install the role via the GUI (the option is available under add/remove roles).  If you select the "Active Directory Services" role from the GUI, you will still need to run the dcpromo command afterwards, so I just skip that step and do it all at once.

As usual, the dcpromo command is launched from a command prompt (or a run box), which in turn starts a graphical wizard to install the service.  The graphical interface pops up on the full installation of Windows 2008 as well as on the Server Core version.  Also, the DNS role gets added automatically and would have to be removed manually if you didn't want DNS on the domain controller; personally I can't really see a reason to remove it other than reducing the overall security footprint of a DC, which seems a bit ridiculous to me, so I just leave it in there.  Besides, have you ever run AD without integrated DNS?  I can't imagine it would be easy to support.

At any rate, I loaded my first DC with dcpromo and followed the prompts.  Pretty basic stuff: new or existing forest, name the root, NetBIOS name (yep, it lives on), functional level, add the DNS role, location of files/logs/db, password, summary, finish.

I opted to create a second DC in the lab and, just for variety, I chose to use the bare-bones installation on Server Core.  Pretty basic stuff here as well, except that network teaming can prove to be a challenge without a graphical interface (the HP teaming utility required me to configure the team on a working graphical DC, export the XML configuration file and overwrite the Server Core team file with it).  After rebooting and fiddling with netsh a bit to configure the TCP/IP settings, everything else was pretty much exactly the same.
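The two steps above (netsh for TCP/IP on Server Core, then the same dcpromo prompts as on the first DC) can be scripted so the wizard never has to be walked through on a box with no GUI. The following PowerShell is an added example and is not code from the original post; it assumes a Server Core 2008 R2 host with the PowerShell feature enabled, an interface called "Local Area Connection", lab addresses in 192.0.2.0/24, a first DC at 192.0.2.10 and a forest root named corp.example.test. The `[DCInstall]` section and its key names are dcpromo's documented unattend keys; every value is this lab's assumption.

```powershell
$ErrorActionPreference = 'Stop'

# --- assumed lab values; none of these come from the post ---
$nic        = 'Local Area Connection'   # name as shown by: netsh interface show interface
$ip         = '192.0.2.11'              # this server, the new Server Core DC
$mask       = '255.255.255.0'
$gateway    = '192.0.2.1'
$dc1        = '192.0.2.10'              # the first DC, which also hosts the integrated DNS zone
$domain     = 'corp.example.test'       # forest root created by the first dcpromo run
$answerFile = 'C:\dcpromo-replica.txt'

# 1. Static addressing. The DNS client must point at the EXISTING DC first: dcpromo locates
#    the domain through DNS, and a server that resolves only against itself before promotion
#    cannot find the forest. Its own address goes in only as the secondary resolver.
netsh interface ipv4 set address name="$nic" source=static address=$ip mask=$mask gateway=$gateway
netsh interface ipv4 set dnsservers name="$nic" source=static address=$dc1 register=primary
netsh interface ipv4 add dnsservers name="$nic" address=$ip index=2

# 2. Fail early if the domain is not locatable. The _ldap._tcp.dc._msdcs SRV record is how
#    dcpromo (and every domain member) finds a DC; if this lookup fails, promotion fails too.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $dc1 2>&1
if (-not ($srv -match 'svr hostname')) { throw "No DC SRV record for $domain via $dc1" }

# 3. Answer file. Password=* makes dcpromo prompt for the domain credential instead of
#    storing it in the file. SafeModeAdminPassword (the restore-mode password) is written
#    to the file, so the file is removed as soon as dcpromo has consumed it.
$secure = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$domain
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=$domain
UserName=Administrator
Password=*
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
Remove-Variable dsrm

# 4. Promote. Whatever dcpromo returns, the answer file must not survive, because it held
#    the restore-mode password in clear text. Reboot only on success; on failure the
#    details are in C:\Windows\debug\dcpromo.log.
try {
    $p = Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:`"$answerFile`"" `
                       -Wait -NoNewWindow -PassThru
} finally {
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}
if ($p.ExitCode -ne 0) { throw "dcpromo failed with exit code $($p.ExitCode); see C:\Windows\debug\dcpromo.log" }
shutdown /r /t 0
```

Run it from an elevated PowerShell on the Server Core host after the team (if any) is up. The order matters: the DNS client setting in step 1 is what makes the SRV check in step 2 and the domain lookup inside dcpromo succeed, and `RebootOnCompletion=No` is there only so the script gets a chance to delete the answer file before the reboot.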

Pretty cool stuff. I still have to try installing the same thing using an RODC on Server Core. I wonder if I should try it with an encrypted FS such as BitLocker, just to be fully secure.

Usually I would plan a production deployment of Active Directory for many months before running the command; it's so much more fun in a test lab 😉 Things to consider would be your sites, subnets, DNS/WINS, backups, trusts, delegations and naming conventions, among other things.  Strangely, it's not that complicated, but there are so many different ways to do things that it is often difficult to get everybody to agree to use MY way!

On a more serious note, if you ever wanted to remove a domain controller you would run the dcpromo command again. Why is it not called DCDemote or something like that?  It's a bit confusing, I think.  Remember that you shouldn't just remove your DCs ad hoc, of course. There are plenty of online Microsoft resources warning you about the dangers of doing something like that and guiding you through it.  You would definitely want to remove your DNS delegations and transfer the FSMO roles at a minimum before killing off a DC.  If the DC was the first one in your forest, it probably holds other services as well, such as being the source of time for the entire forest.
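The pre-demotion checklist from the paragraph above (FSMO roles, forest time source, DNS, plus the global catalog and replication state a practitioner would also want to confirm) as an added PowerShell example; this is not code from the original post. It uses the ActiveDirectory module that ships with 2008 R2 and assumes a single-domain lab forest in which DC1 (the first DC) is being demoted and DC2 (the Server Core replica) stays; the NTP peer name is a placeholder.

```powershell
Import-Module ActiveDirectory   # present on a 2008 R2 DC; on Server Core it is an optional feature

# --- assumed lab names; none of these come from the post ---
$dcToRemove = 'DC1'               # the first DC in the forest, about to be demoted
$dcToKeep   = 'DC2'               # the Server Core replica that stays
$ntpPeer    = 'ntp.example.test'  # placeholder: the external time source the forest should trust

$forest  = Get-ADForest
$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot

# 1. FSMO roles. The cmdlets report each holder as an FQDN, so compare on the host label.
#    (Single-domain forest assumed; in a multi-domain forest repeat the domain roles per domain.)
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = @($roles.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -eq $dcToRemove } |
    ForEach-Object { $_.Key })
if ($held.Count -gt 0) {
    Write-Host "$dcToRemove still holds: $($held -join ', '); transferring to $dcToKeep"
    Move-ADDirectoryServerOperationMasterRole -Identity $dcToKeep -OperationMasterRole $held -Confirm:$false
}

# 2. Time. The forest-root PDC emulator sits at the top of the Windows Time hierarchy. If that
#    role just moved, make the new holder the reliable source and push the old one back into
#    the domain hierarchy; otherwise every DC keeps chasing a time source that is about to vanish.
if ($held -contains 'PDCEmulator') {
    w32tm /config /computer:$dcToKeep   /manualpeerlist:$ntpPeer /syncfromflags:manual /reliable:yes /update
    w32tm /config /computer:$dcToRemove /syncfromflags:domhier /reliable:no /update
}
w32tm /query /computer:$dcToKeep /source   # should now name the NTP peer, not the old DC

# 3. Global catalog. Logons and the infrastructure master need another GC once this one is gone.
$otherGcs = @(Get-ADDomainController -Filter * |
    Where-Object { $_.IsGlobalCatalog -and $_.Name -ne $dcToRemove } |
    ForEach-Object { $_.Name })
if ($otherGcs.Count -eq 0) { throw "No other global catalog in the forest; enable one on $dcToKeep first" }

# 4. Replication. Demoting a DC whose last changes never replicated out loses those changes.
repadmin /replsummary
repadmin /showrepl $dcToRemove

# 5. DNS. The zone's NS records, and any delegation in a parent zone, must stop naming the
#    old DC, or resolvers keep sending queries to a host that no longer answers.
nslookup -type=NS $dnsRoot $dcToKeep

# Only after all of the above: log on to $dcToRemove and run dcpromo to walk the demotion prompts.
```

Everything in the script reads or moves state on the surviving DC; nothing here touches the DC being removed except the w32tm reconfiguration, so it can be run (and re-run) from DC2 until every check is clean before dcpromo is started on DC1.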

As usual, just be careful and have fun!  Happy promoting!

~JCF