Windows 2008 R2 has only been out for over a week; however, I have decided to introduce my first Windows 2008 R2 domain controller (DC) almost immediately into an existing Windows 2008 Active Directory (AD) domain, to eventually have a complete R2 forest functional level and benefit from some of the new R2 features. For a seasoned IT Pro, introducing new domain controllers is fairly straightforward; however, I have decided to provide you with a step-by-step guide on doing so and the pre-work that is required, so let’s begin!
Now before we delve into the step-by-step guide I thought I would begin by listing the notable enhancements that come with R2 when it comes to Active Directory. These are:
AD Recycle Bin – For me this is a long-awaited feature providing you with the ability to recover deleted objects. (Note there are already 3rd party products that have been providing this capability for many years.) To activate the AD Recycle Bin, the AD functional level must be raised to R2, i.e. all your domain controllers need to be running R2 before you can raise the functional level.
AD Administrative Center – Ease of management for domain(s) providing you with task oriented user interface. Screen capture located at the end of this post.
PowerShell Cmdlets – There are approximately 85 Active Directory related PowerShell cmdlets that replace current Active Directory command line tools. Whether we like it or not, Microsoft is really pushing PowerShell, and it is a skill that is now required by all system administrators.
Service Account Management – Forget about managing service account passwords as these are now automatically updated for all services when an administrator changes the password. This is also a welcome enhancement for most administrators.
Active Directory Best Practices Analyser – Know the health of AD based on best practices. This is similar to “other notable” Best Practices Analysers that we have become accustomed to from other Microsoft products, notably Exchange. Screen capture located at the end of this post.
So let’s begin by analysing the pre-work that is required before we introduce a Windows 2008 R2 DC. Because this is the first Windows 2008 R2 DC that is being introduced into an existing domain, you will need to run the adprep /forestprep command on the server that is holding the schema master operations master. Note that you will need to do this regardless of whether you are running a Windows 2003 or Windows 2008 domain, as the schema database version has changed in R2. The following KB article from Microsoft http://support.microsoft.com/kb/324801 outlines how to view the Flexible Single Master Operations (FSMO) roles to determine which of your AD servers is holding the schema master operations master.
You will need to run the adprep command line utility from the Windows 2008 R2 media, where it is located under the support\adprep folder. The below message is what you will receive when trying to run adprep from a DC that is not a schema master operations master.
Once you have located the schema master operations master domain controller, open a command prompt, navigate to the Windows 2008 R2 media support\adprep folder and run the following command:
adprep /forestprep
(Word of note: you will notice adprep32.exe is also available to you under the adprep folder if your current schema master operations master DC is a 32-bit server.)
Type C and then press ENTER to continue.
You will notice below that the schema version number for Windows 2008 R2 is 47.
After running forestprep you will need to run the adprep /domainprep /gpprep command on the server that holds the infrastructure operations master.
Once these two commands have been issued you will be ready to deploy your first Windows 2008 R2 domain controller.
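A pre-flight check for the two adprep steps above, as an added example that is not part of the original post: it reads the schema master and infrastructure master role holders and the current schema version, so you know where each command has to run and whether /forestprep has already been applied. It assumes PowerShell is installed on a domain-joined machine and uses only .NET directory classes; the target value 47 is the one stated in this post.

```powershell
# Added example (not from the original post): pre-flight check before adprep.
# Uses only .NET directory classes, so no Active Directory PowerShell module is needed.
$TargetSchemaVersion = 47   # Windows 2008 R2 schema version, as stated in this post

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Role holders that decide where each adprep command has to be run
$schemaMaster = $forest.SchemaRoleOwner.Name
$infraMaster  = $domain.InfrastructureRoleOwner.Name

# The schema version is stored in objectVersion on the schema naming context
$rootDse   = [ADSI]"LDAP://RootDSE"
$schemaNC  = [string]$rootDse.schemaNamingContext
$schema    = [ADSI]"LDAP://$schemaNC"
$schemaVer = [int][string]$schema.objectVersion

Write-Output "Forest:                $($forest.Name)"
Write-Output "Domain:                $($domain.Name)"
Write-Output "Schema master:         $schemaMaster  (run adprep /forestprep here)"
Write-Output "Infrastructure master: $infraMaster  (run adprep /domainprep /gpprep here)"
Write-Output "Schema version:        $schemaVer"

if ($schemaVer -ge $TargetSchemaVersion) {
    Write-Output "Schema is already at version $TargetSchemaVersion or later; /forestprep has been applied."
} elseif ($schemaMaster -like "$env:COMPUTERNAME.*") {
    Write-Output "This server holds the schema master role; /forestprep can be run from here."
} else {
    Write-Output "Schema is below $TargetSchemaVersion; log on to $schemaMaster to run /forestprep."
}
```

Running it again after /forestprep shows whether the domain controller you are querying has picked up the new schema version.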
We can now invoke the Active Directory Domain Services Installation Wizard by running dcpromo from either the command line or Start / Run.
Click Next. The below Operating system compatibility warning is displayed.
Click Next. We are introducing an additional domain controller into an existing domain as per the below screen capture.
Click Next. It will detect the current forest and current logged on credentials.
A list of domains in the forest will be listed as per the below screen shot. Select the domain that you will introduce the new DC into and then click Next.
You will receive the below warning “You will not be able to install a read-only domain controller in this domain…”.
You must first run “adprep /rodcprep” from a command window on any computer in this forest. The Adprep utility is available on the Windows Server 2008 R2 installation media in the \support\adprep folder.
Click Yes to acknowledge the warning as we are not installing a read-only domain controller at this time.
Select your site for the new domain controller.
Click Next. The wizard will begin to examine your current DNS configuration.
You will be presented with additional Domain Controller Options that you can select or deselect. Again we are notified that a domain controller running Windows Server 2008 or Windows Server 2008 R2 could not be located in this domain. To install a read-only domain controller, the domain must have a domain controller running Windows Server 2008 or Windows Server 2008 R2. I admire Microsoft’s thoroughness and rigorous checks and warnings, but they can sometimes be annoying.
Select a location for your database, log files and SYSVOL. It is best practice here to specify a separate disk for your logs and database.
Now specify your Directory Services Restore Mode Administrator Password.
Click Next. The installation and configuration process now begins.
The below screen appears upon completion. That’s it! Reboot your machine and your new Windows 2008 R2 server will have transformed into a domain controller.
At the beginning of this post, I outlined some of the features and enhancements provided by R2 and as promised, below are screen captures of the Best Practices Analyser in action for Windows Active Directory and the new Active Directory Administrative Center.
I will leave you with a link to the TechNet Webcast: Active Directory Domain Services in Windows Server 2008 R2 Technical Overview (Level 300) which is worth watching.
My goal now will be to update the remaining two Active Domain controllers and raise the forest functional level opening the door to the new R2 Active Directory features that I will blog about in future posts.
So what is your favourite or sought after R2 feature when it comes to Active Directory? I would be more than happy to hear your thoughts.