MCT USE ONLY.

STUDENT USE PROHIBITED

1-1

Module 1
Installing and configuring domain controllers
Contents:
Module Overview 1-1 

Lesson 1: Overview of AD DS 1-2 

Lesson 2: Overview of AD DS domain controllers 1-14 

Lesson 3: Deploying a domain controller 1-23 

Lab: Deploying and administering AD DS 1-34 

Module Review and Takeaways 1-39 

Module Overview
Active Directory Domain Services (AD DS) and its related services form the foundation for enterprise
networks that run Windows operating systems. The AD DS database is the central store of all the domain
objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable, hierarchical
directory and a method for applying configuration and security settings for objects in the enterprise. This
module covers the structure of AD DS and its various components, such as forests, domains, and
organizational units (OUs).
With an increasing focus on cloud and hybrid environments, Windows Server 2016 includes several new
AD DS features that make it easier to manage these environments. This module covers the features and
choices available in Windows Server 2016 for installing AD DS on a server, and it provides an overview of
domain controllers.

Objectives
After completing this module, you will be able to:
 Describe AD DS and its main components.

 Describe the purpose and roles of domain controllers.

 Describe the considerations for deploying domain controllers.

 Deploy a domain controller.

 MCT USE ONLY. STUDENT USE PROHIBITED
1-2 Installing and configuring domain controllers

Lesson 1
Overview of AD DS
The AD DS database stores information on user identity, computers, groups, services, and resources in a
hierarchical structure, called the directory. AD DS domain controllers also host the service that authenticates
user and computer accounts when they sign in to the domain. Because AD DS stores information about all
domain objects, and because all users and computers must connect to AD DS domain controllers at sign-in,
AD DS is the primary way to configure and manage user and computer accounts on your network. This
lesson covers the core logical components and physical components that make up an AD DS deployment.

Lesson Objectives
After completing this lesson, you will be able to:

 Describe the components of AD DS.

 Describe AD DS domains.
 Describe OUs and their purpose.

 Describe AD DS forests and trees and explain how you can deploy them in a network.

 Explain how an AD DS schema provides a set of rules that manage the objects and attributes that the
AD DS domain database stores.

 Describe Microsoft Azure Active Directory (Azure AD).

 Identify the tools available for administering AD DS.

 Describe what is new for on-premises Active Directory Domain Services in Windows Server 2016.

AD DS components
AD DS includes both logical and physical
components. You need to understand how
AD DS components work together so that you
can manage your infrastructure efficiently. In
addition, you can use AD DS options to perform
actions such as:

 Installing, configuring, and updating apps.

 Managing the security infrastructure.

 Enabling Remote Access Service and

DirectAccess.

 Issuing and managing digital certificates.

One of the most used AD DS features is Group Policy, which allows you to configure centralized policies for
managing most objects in AD DS. Understanding the various AD DS components is important for using
Group Policy successfully.

Note: Module 5, “Implementing Group Policy,” will cover Group Policy in more detail.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-3

Logical components
AD DS logical components are structures that you use to implement an AD DS design that is appropriate for
an organization. The following table describes the types of logical components that an AD DS database
contains.

Logical component Description

Partition A partition, or naming context, is a portion of the AD DS database.

Although the database is one file named Ndts.dit, different partitions
contain different data. For example, the schema partition contains a copy
of the Active Directory schema. The configuration partition contains the
configuration objects for the forest, and the domain partition contains the
users, computers, groups, and other objects specific to the domain.
Copies of a partition can be stored on multiple domain controllers and
updated through directory replication.

Schema A schema is the set of definitions of the object types and attributes that
you use to define the objects created in AD DS.

Domain A domain is a logical administrative container for objects such as users

and computers. A domain maps to a specific partition and can be
organized with parent-child relationships to other domains.

Domain tree A domain tree is a hierarchical collection of domains that share a common
root domain and a contiguous Domain Name System (DNS) namespace.

Forest A forest is a collection of domains that share a common AD DS root and

schema, which have a two-way trust relationship.

Site A site is a container for AD DS objects, such as computers and services that
are specific to their physical location. This is in comparison to a domain,
which represents the logical structure of objects, such as users and
groups, in addition to computers.

Subnet A subnet is a portion of the network IP addresses of an organization

assigned to computers in a site. A site can have more than one subnet.

OU An OU is a container object for users, groups, and computers that

provides a framework for delegating administrative rights and
administration by linking Group Policy Objects (GPOs).

Container A container is an object that provides an organizational framework for use

in AD DS. Some containers are created by default, or you can create
custom containers. Containers cannot have GPOs linked to them.
 MCT USE ONLY. STUDENT USE PROHIBITED
1-4 Installing and configuring domain controllers

Physical components
The following table describes some of the physical components of AD DS.

Physical component Description

Domain controller A domain controller contains a copy of the AD DS database. For most
operations, each domain controller can process changes and replicate the
changes to all the other domain controllers in the domain.

Data store A copy of the data store exists on each domain controller. The AD DS database
uses Microsoft Jet database technology and stores the directory information in
the Ntds.dit file and associated log files. The C:\Windows\NTDS folder stores
these files by default.

Global catalog server A global catalog server is a domain controller that hosts the global catalog,
which is a partial, read-only copy of all the objects in a multiple-domain forest.
A global catalog speeds up searches for objects that might be stored on domain
controllers in a different domain in the forest.

Read-only domain An RODC is a special, read-only installation of AD DS. RODCs are common in
controller (RODC) branch offices where physical security is not optimal, IT support is less advanced
than in the main corporate centers, or line-of-business applications need to run
on a domain controller.

Additional Reading: For more information on domains and forests, refer to: “Active
Directory Domain Services Overview” at: http://aka.ms/M2lr5a

What is the AD DS schema?

The AD DS schema is the component that defines
all the object classes and attributes that AD DS
uses to store data. All domains in a forest contain a
copy of the schema that applies to that forest. Any
change in the schema replicates to every domain
controller in the forest from the schema master,
which is typically the first domain controller in the
forest.

AD DS stores and retrieves information from a

wide variety of applications and services. It does
this, in part, by standardizing how the AD DS
directory stores data. By standardizing data
storage, AD DS can retrieve, update, and replicate data while helping to maintain data integrity.

Objects
AD DS uses objects as units of storage. The schema defines all object types. Each time the directory handles
data, the directory queries the schema for an appropriate object definition. Based on the object definition
in the schema, the directory creates the object and stores the data.

Object definitions specify both the types of data that the objects can store and the syntax of the data. You
can create only objects that the schema defines. Because objects store data in a rigidly defined format,
AD DS can store, retrieve, and validate the data that it manages, regardless of which application supplies it.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-5

Relationships among objects, rules, attributes, and classes

In AD DS, the schema defines the following:

 Objects that store data in the directory

 Rules that define the structure of the objects

 The structure and content of the directory itself

AD DS schema objects consist of attributes, which are grouped together into classes. Each class has rules
that define which attributes are mandatory and which are optional. For example, the user class consists of
more than 400 possible attributes, including cn (the common name attribute), givenName, displayName,
objectSID, and manager. Of these attributes, the cn and objectSID attributes are mandatory. The cn
attribute is a single-value Unicode string that is from 1 through 64 characters long and that replicates to the
global catalog.

Changing the schema

Only members of the Schema Admins group can modify the AD DS schema. You cannot remove anything
from the AD DS schema. You can only extend the AD DS schema by using AD DS schema extensions or by
modifying the attributes of existing objects. For example, when you are preparing to install Microsoft
Exchange Server 2016, you must apply the Exchange Server 2016 Active Directory schema changes. These
changes add or modify hundreds of classes and attributes.
You should change the schema only when necessary, because the schema controls the storage of
information. Any changes made to the schema affect every domain controller. Before you change the
schema, you should review the changes and implement them only after you have performed testing.
This will help ensure that the changes will not adversely affect the rest of the forest or any applications that
use AD DS.

The schema master is one of the operations master roles hosted on a single domain controller in AD DS.
Because it is a single master, you must use the Active Directory Schema snap-in to make changes to the
schema by targeting the domain controller that holds the schema master. To target the schema master in a
separate forest, you will need to target the appropriate forest from within the snap-in.

Note: The “What are operations masters?” topic provides more details about operations
master roles.

What is an AD DS forest?
A forest is a top-level container in AD DS. Each
forest is a collection of one or more domain trees
that share a common directory schema and a
global catalog. A domain tree is a collection of one
or more domains that share a contiguous
namespace. The first domain that you create in the
forest is called the forest root domain. The forest
root domain contains a few objects that do not
exist in other domains in the forest. Because you
always create these objects on the first domain
controller, a forest can consist of as few as one
domain with a single domain controller, or it can
consist of hundreds of domains across multiple domain trees.
 MCT USE ONLY. STUDENT USE PROHIBITED
1-6 Installing and configuring domain controllers

The following objects exist only in the forest root domain:

 The schema master role. This is a special, forest-wide domain controller role. Only one schema master
exists in any forest. You can change the schema only on the domain controller that holds the schema
master.

 The domain naming master role. This is also a special, forest-wide domain controller role. Only one
domain naming master exists in any forest. Only the domain naming master can add new domain
names to the directory.

 The Enterprise Admins group. By default, the Enterprise Admins group has the Administrator
account for the forest root domain as a member. The Enterprise Admins group is a member of the
local Administrators group in every domain in the forest. This allows members of the Enterprise
Admins group to have full control administrative rights to every domain throughout the forest.

 The Schema Admins group. By default, the Schema Admins group has no members. Only members
of the Enterprise Admins group or the Domain Admins group (in the forest root domain), can add
members to the Schema Admins group. Only members of the Schema Admins group can make
changes to the schema.

Security boundary
An AD DS forest is a security boundary. By default, no users from outside the forest can access any
resources inside the forest. Typically, an organization creates only one forest, although you can create
multiple forests to isolate administrative permissions among different parts of the organization.

By default, all the domains in a forest automatically trust the other domains in the forest. This makes it easy
to enable access to resources, such as file shares and websites, for all the users in a forest, regardless of the
domain to which they belong.

Replication boundary
An AD DS forest is the replication boundary for the configuration and schema partitions in the AD DS
database. As a result, all the domain controllers in the forest must share the same schema. Because of this,
organizations that want to deploy applications with incompatible schemas need to deploy additional
forests.

The AD DS forest is also the replication boundary for the global catalog. The global catalog makes it
possible to find objects from any domain in the forest. For example, the global catalog is used whenever
user principal name (UPN) sign-in credentials are used or when Microsoft Exchange Server address books
are used to find users.

What is an AD DS domain?

The AD DS domain is a container

An AD DS domain is a logical container for
managing user, computer, group, and other
objects. The AD DS database stores all domain
objects, and each domain controller stores a copy
of the database.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-7

The AD DS database includes many types of objects. The most commonly used objects are user accounts,
computer accounts, and groups. The following list briefly describes these three object types:

 User accounts. User accounts contain information about users, including the information required to
authenticate a user during the sign-in process and build the user's access token.

 Computer accounts. Each domain-joined computer has an account in AD DS. You can use computer
accounts for domain-joined computers in the same way that you can use user accounts for users.

 Groups. Groups organize users or computers to make it easier to manage permissions and Group
Policy in the domain.

The AD DS domain is a replication boundary

When you make changes to any object in the domain, the domain controller where the change occurred
replicates that change to all other domain controllers in the domain. If multiple domains exist in the forest,
only subsets of the changes replicate to other domains. AD DS uses a multimaster replication model that
allows every domain controller to make changes to objects in the domain.

AD DS allows a single domain to contain nearly 2 billion objects. With this much capacity, most
organizations can deploy only a single domain to ensure that all domain controllers contain all domain
information. However, organizations with decentralized administrative structures or multiple locations
might consider implementing multiple domains in the same forest to accommodate their administrative
needs.

The AD DS domain is an administrative center

The domain contains an Administrator account and a Domain Admins group. By default, the
Administrator account is a member of the Domain Admins group, and the Domain Admins group is a
member of every local Administrators group of domain-joined computers. Also, by default, the Domain
Admins group members have full control over every object in the domain. The Administrator account in
the forest root domain has additional rights, as detailed in the “What is an AD DS forest?” topic earlier in
this module.

The AD DS domain provides authentication

Whenever a domain-joined computer starts or a user signs in to a domain-joined computer, AD DS
authenticates it. Authentication helps to verify that the computer or user has the proper credentials for an
AD DS account.

The AD DS domain provides authorization

Windows operating systems use authorization and access control technologies to allow authenticated users
to access resources. Typically, authorization occurs locally at the resource level. Domain-based Dynamic
Access Control enables central access rules to control the access to resources. Central access rules do not
replace the current access control technology, but provide an additional level of control.

Note: Dynamic Access Control is a feature introduced in Windows Server 2012 that allows
administrators to define rules that control access permissions. You can learn more about Dynamic
Access Control in the “Understanding Dynamic Access Control” lesson in Course 20744A, Securing
Windows Server 2016, Module 11: “Limiting access to files and folders.”
 MCT USE ONLY. STUDENT USE PROHIBITED
1-8 Installing and configuring domain controllers

What are OUs?

An organizational unit is a container object within
a domain that you can use to consolidate users,
computers, groups, and other objects. You can link
GPOs directly to an OU to manage the objects
contained in the OU. You can also assign an OU
manager and associate a COM+ partition with an
OU.

You can create new OUs in AD DS by using Active

Directory Administrative Center. There are two
reasons to create an OU:

 To group objects together to make it easier to

manage them by applying GPOs to the whole
group. When you assign GPOs to an OU, the settings apply to all the objects within the OU. GPOs are
policies that administrators create to manage and configure settings for computers or users. You
deploy the GPOs by linking them to OUs, domains, or sites.
 To delegate administrative control of objects within the OU. You can assign management permissions
on an OU, thereby delegating control of that OU to a user or group within AD DS, in addition to the
Domain Admins group.

You can use OUs to represent the hierarchical, logical structures within your organization. For example, you
can create OUs that represent the departments within your organization, the geographic regions within
your organization, or a combination of both departmental and geographic regions. You can use OUs to
manage the configuration and use of user, group, and computer accounts based on your organizational
model.

Generic containers
AD DS contains several built-in containers, or generic containers, such as Users and Computers. These
containers store system objects or act as the default parent objects to new objects that you create. Do not
confuse these generic container objects with OUs. The primary difference between OUs and containers is
the management capabilities. Containers have limited management capabilities. For example, you cannot
apply a GPO directly to a container.

Installing AD DS creates the Domain Controllers OU and several generic container objects by default. AD DS
uses some of these default objects primarily, and they are hidden by default. The following objects are
visible by default within the Active Directory Administrative Center:

 Domain. The top level of the domain organizational hierarchy.

 Builtin container. A container that stores several default groups.

 Computers container. The default location for new computer accounts that you create in the domain.

 Foreign Security Principals container. The default location for trusted objects from domains outside the
AD DS forest that you add to a group in the AD DS domain.

 Managed Service Accounts container. The default location for managed service accounts. AD DS
provides automatic password management in managed service accounts.
 Users container. The default location for new user accounts and groups that you create in the domain.
The Users container also holds the administrator and guest accounts for the domain and for some
default groups.
 Domain Controllers OU. The default location for domain controllers' computer accounts. This is the
only OU that is present in a new installation of AD DS.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-9

There are several containers that you can see only when you click Advanced Features on the View menu.
The following objects are hidden by default:

 LostAndFound. This container holds orphaned objects.

 Program Data. This container holds Active Directory data for Microsoft applications, such as Active
Directory Federation Services (AD FS).

 System. This container holds the built-in system settings.

 NTDS Quotas. This container holds directory service quota data.

 TPM Devices. This container is new with Windows Server 2016. It stores the recovery information for
Trusted Platform Module (TPM) devices.

Note: Containers in an AD DS domain cannot have GPOs linked to them. To link GPOs to
apply configurations and restrictions, create a hierarchy of OUs and then link the GPOs to them.

Hierarchy design
The administrative needs of the organization dictate the design of an OU hierarchy. Geographic, functional,
resource, or user classifications could all influence the design. Whatever the order, the hierarchy should
make it possible to administer AD DS resources as effectively and flexibly as possible. For example, if you
need to configure all IT administrators’ computers in a certain way, you can group all the computers in an
OU and then assign a GPO to manage those computers.

You also can create OUs within other OUs. For example, your organization might have multiple offices, each
with its own IT administrator who is responsible for managing user and computer accounts. In addition,
each office might have different departments with different computer-configuration requirements. In this
situation, you can create an OU for each office, and then within each of those OUs, create an OU for the IT
administrators and an OU for each of the other departments.
Although there is no limit to the number of levels in your OU structure, limit your OU structure to a depth
of no more than 10 levels to ensure manageability. Most organizations use five levels or fewer to simplify
administration. Note that applications that work with AD DS can impose restrictions on the OU depth
within the hierarchy for the parts of the hierarchy that they use.

What is new in AD DS in Windows Server 2016?

Windows Server 2016 has several new features as
part of AD DS. These features help you make your
AD DS environment more secure and migrate to
cloud-based or hybrid environments.

Privileged Access Management

Privileged Access Management (PAM) is based on
Microsoft Identity Manager. PAM allows you to
separate the permissions required for certain
administrative activities from the permissions of
the current AD DS environment’s members. With
PAM, users request permission to perform
activities that require privileged access instead of
having that access granted on a permanent basis. Granting those permissions can mean that you should
provide additional authentication steps, such as Multi-Factor Authentication. When the user is gains access,
 MCT USE ONLY. STUDENT USE PROHIBITED
1-10 Installing and configuring domain controllers

the access is granted on a temporary basis through a shadow group in a bastion forest. The bastion forest is
meant to be devoid of any access from hackers or any stolen credentials of privileged users. Because the
user accounts do not have the required permissions on a permanent basis, there is a decrease in the
possibility of a security breach, such as unlawful access by a malicious hacker who has stolen an
administrator’s password.

Additional Reading: For more information on PAM, refer to: “Privileged Access
Management for Active Directory Domain Services” at: http://aka.ms/Ibsyai

Azure AD Join
Azure Active Directory Join (Azure AD Join) supports connecting on-premises, domain-joined devices to
Azure AD for improved cloud-only and hybrid environments. For corporate-owned devices, users no longer
need a personal Microsoft account. Azure AD also supports connecting devices that normally cannot join
an on-premises domain, such as mobile devices. Users can access the Windows Store with their on-premises
accounts and even with their personal devices. Support also exists for mobile device management (MDM),
setting up shared devices, and imaging corporate-owned devices.

Additional Reading: For more information on Azure AD Join, refer to: “Windows 10 for the
enterprise: Ways to use devices for work” at: http://aka.ms/F7dfxe

Microsoft Passport
AD DS in Windows Server 2016 supports Microsoft Passport, which provides a certificate-based approach to
authentication that can replace the use of passwords. Microsoft Passport allows users to authenticate to an
on-premises AD DS account, an Azure AD account, or any service that supports Fast Identity Online
authentication. Course 20744, Securing Windows Server 2016 covers Microsoft Passport in more detail.

Additional Reading: For more information on using Microsoft Passport with AD DS in

Windows Server 2016, refer to: “Authenticating identities without passwords through Microsoft
Passport” at: http://aka.ms/Nyrund

Additional Reading: For more information on the new AD DS features in Windows Server
2016, refer to: “What’s new in Active Directory Domain Services for Windows Server 2016” at:
http://aka.ms/Nzrl6u
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-11

What is Azure AD?

Azure AD is a service that provides identity
management and access control for your cloud-
based applications. You use Azure AD when you
subscribe to Microsoft Office 365, Microsoft
SharePoint Online, Exchange Online, or Skype for
Business. Additionally, you can use Azure AD with
Azure apps or Internet-connected apps that
require authentication. You can synchronize your
on-premises AD DS with Azure AD to allow your
users to use the same identity across both internal
resources and cloud-based resources.

Azure AD does not include all the services available

with an on-premises Active Directory solution that uses Windows Server 2016. On-premises Active Directory
in Windows Server 2016 supports five services:

 AD DS
 AD FS

 Active Directory Lightweight Directory Services (AD LDS)

 Active Directory Certificate Services (AD CS)

 Active Directory Rights Management Services (AD RMS)

Azure AD includes only:

 Azure AD, which supports identity management in the cloud.

 Azure Access Control Service, which supports federation with external identity management services,
including your on-premises instance of AD DS.

Azure AD does not support applications that are integrated with on-premises Active Directory. For
applications to integrate with Azure AD, they must be Azure AD–specific.

Note: You cannot create AD DS domain controllers in Azure AD. You can use Azure AD as a
standalone service or integrate it with your existing on-premises Active Directory infrastructure.
However, you do not create or manage the Azure AD systems. Instead, you manage your users in
the Azure AD service.
 MCT USE ONLY. STUDENT USE PROHIBITED
1-12 Installing and configuring domain controllers

Overview of AD DS administration tools

Managing the AD DS environment is one of the
most common tasks an IT professional performs.
You typically manage your domain controllers
remotely, although you can sign in to the
computer either directly or by using Remote
Desktop. The primary tool you will use is the Active
Directory Administrative Center.

Active Directory Administrative Center

The Active Directory Administrative Center
provides a graphical user interface (GUI) that is
Windows PowerShell–based. This enhanced
interface allows you to perform AD DS object
management by using task-oriented navigation, and it replaces the functionality of Active Directory Users
and Computers. Tasks that you can perform by using the Active Directory Administrative Center include:

 Creating and managing user, computer, and group accounts.

 Creating and managing OUs.

 Connecting to and managing multiple domains within a single instance of the Active Directory
Administrative Center.

 Searching and filtering AD DS data by building queries.

 Creating and managing fine-grained password policies.

 Recovering objects from the Active Directory Recycle Bin.

 Managing objects that the Dynamic Access Control feature requires.

You can install the Active Directory Administrative Center only on servers running Windows Server 2008 R2
or later, or on client computers running Windows 7 or later.
Other management tools that you will use to perform AD DS administration include:

 Active Directory Users and Computers. Active Directory Users and Computers is a Microsoft
Management Console (MMC) snap-in that manages most common resources, including users, groups,
and computers. Although many administrators are familiar with this snap-in, the Active Directory
Administrative Center replaces it and provides more capabilities.

 Active Directory Sites and Services. The Active Directory Sites and Services MMC snap-in manages
replication, network topology, and related services.

 Active Directory Domains and Trusts. The Active Directory Domains and Trusts MMC snap-in
configures and maintains trust relationships at the domain and forest functional levels.

 Active Directory Schema snap-in. The Active Directory Schema MMC snap-in examines and modifies
the definitions of AD DS attributes and object classes. You typically do not view or change it very often.
Therefore, by default, the Active Directory Schema snap-in is not fully installed.

 Active Directory module for Windows PowerShell. The Active Directory module for Windows
PowerShell supports AD DS administration, and it is one of the most important management
components. Server Manager and the Active Directory Administration Center are Windows
PowerShell–based and use cmdlets to perform their tasks.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-13

Demonstration: Using the Active Directory Administrative Center to

administer and manage AD DS
The Active Directory Administrative Center is the most powerful administrative interface for managing your
AD DS environment. In this demonstration, you will see how to:

 Navigate within the Active Directory Administrative Center.

 Perform an administrative task within the Active Directory Administrative Center.

 Create objects.

 View all object attributes.

 Use the Windows PowerShell History viewer in the Active Directory Administrative Center.

Demonstration Steps

Navigate within the Active Directory Administrative Center

1. On LON-DC1, open the Active Directory Administrative Center.
2. In the navigation pane, select Adatum (local), select Dynamic Access Control, and then select Global
Search.

3. In the navigation pane, switch to the tree view, and then expand Adatum.com.

Perform an administrative task within the Active Directory Administrative Center

1. Go to the Overview view.

2. Reset the password for Adatum\Adam to Pa55w.rd so that the user does not have to change the
password at the next sign-in.

3. Use the Global Search section to find any objects that match the lon search string.

Create an object
 Create a new computer object named LON-CL4 in the Computers container.

View all object attributes

1. Open the Properties page for LON-CL4, scroll down to the Extensions section, and then click the
Attribute Editor tab.

2. View the object’s AD DS attributes.

Use the Windows PowerShell History viewer

1. Open the Windows PowerShell History pane.

2. View the Windows PowerShell cmdlet that you used to perform the most recent task.

3. On LON-DC1, close all open windows.

Question: What are the two main purposes of OUs?

Question: Why would you need to deploy an additional tree in the AD DS forest?
 MCT USE ONLY. STUDENT USE PROHIBITED
1-14 Installing and configuring domain controllers

Lesson 2
Overview of AD DS domain controllers
Because domain controllers authenticate all users and computers in the domain, domain controller
deployment is critical for the network to function correctly. This lesson examines domain controllers, the
sign-in process, and the importance of DNS in that process. In addition, this lesson discusses the purpose of
the global catalog.

All domain controllers are essentially the same, with two exceptions. RODCs contain a read-only copy of the
AD DS database, whereas other domain controllers have a read/write copy. Also, certain operations can be
performed only on specific domain controllers called operations masters, which are discussed at the end of
this lesson.

Lesson Objectives
After completing this lesson, you will be able to:
 Describe the purpose of domain controllers.

 Understand what the SYSVOL folder contains.

 Describe the purpose of the global catalog.

 Describe the AD DS sign-in process and the importance of DNS and service records (SRV records) in
that process.

 Explain the functions of operations masters.

 Describe operations master role transfer and seizing.

What is a domain controller?

A domain controller is a server that stores a copy of
the AD DS directory database (Ntds.dit) and a
copy of the SYSVOL folder. All domain controllers
except RODCs store a read/write copy of both
Ntds.dit and the SYSVOL folder. Ntds.dit is the
database itself, and the SYSVOL folder contains all
the template settings and files for GPOs.

Domain controllers use a multimaster replication

process to copy data from one domain controller
to another. This means that for most operations,
data can be modified on any domain controller,
except for an RODC. The AD DS replication service
then synchronizes the changes to the AD DS database with all the other domain controllers in the domain.
In Windows Server 2016, you can use only Distributed File System (DFS) replication to replicate the SYSVOL
folders. Earlier versions of Windows Server used the file replication service (FRS) to replicate the folders, but
FRS is obsolete for several versions of Windows.

Domain controllers host several other services related to AD DS. These include the Kerberos authentication
service, which user and computer accounts use for sign-in authentication, and the Key Distribution Center
(KDC), which issues the ticket-granting ticket (TGT) to an account that signs in to the AD DS domain.
Optionally, you can configure domain controllers to host a copy of the global catalog.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-15

All users in an AD DS domain exist in the AD DS database. If the database is unavailable for any reason, all
operations that depend on domain-based authentication will fail. As a best practice, an AD DS domain
should have at least two domain controllers. This makes the AD DS database more available and spreads
the authentication load during peak sign-in times.

Note: Consider two domain controllers as the absolute minimum for most enterprises, to
ensure high availability and performance.

When you deploy a domain controller in a branch office where physical security is less than optimal, you
can use additional measures to reduce the impact of a breach of security. One option is to deploy an RODC.

The RODC contains a read-only copy of the AD DS database, and by default, it does not cache any user
passwords. You can configure the RODC to cache the passwords for users in the branch office. If an RODC is
compromised, the potential loss of information is much lower than with a full read/write domain controller.
Another option is to use BitLocker Drive Encryption to encrypt the domain controller’s hard drive. If
someone steals the hard drive, BitLocker will help to ensure that a malicious hacker has difficulty getting
any useful information from it.

Note: BitLocker is a drive encryption feature that is available for Windows Server operating
systems and certain Windows client operating systems. BitLocker encrypts the entire drive to help
prevent the computer from starting unless it receives a private key and (optionally) passes an
integrity check. A hard drive remains encrypted even if you transfer it to another computer.

What is a global catalog?

A global catalog is a partial, read-only, searchable
copy of all the objects in the forest. It speeds up
searches for objects that might be stored on
domain controllers in a different domain in the
forest.

Within a single domain, the AD DS database on

each domain controller contains all the
information about every object in that domain.
However, only a subset of this information
replicates on the global catalog servers in other
domains in the forest. Within a domain, a query for
an object is directed to one of the domain
controllers in that domain, but that query does not include results about objects in other domains in the
forest. For a query to include results from other domains in the forest, you must query a domain controller
that is a global catalog server. By default, the first domain controller in the forest root domain is the only
hosted global catalog server. To enhance searching across domains in a forest, you should configure
additional domain controllers to each store a copy of the global catalog.

The global catalog does not contain all the attributes for each object. Instead, the global catalog maintains
the subset of attributes that are most likely to be useful in cross-domain searches. These attributes include
givenName, displayName, and mail. You can modify the set of attributes replicated to the global catalog
by modifying the partial attribute set (PAS) in the schema.
 MCT USE ONLY. STUDENT USE PROHIBITED
1-16 Installing and configuring domain controllers

Searching against a global catalog can be useful in many situations. For example, when a server that is
running Exchange Server receives an incoming email, it needs to search for the recipient’s account so that it
can decide how to route the message. By automatically querying a global catalog, the server can locate the
recipient in a multiple-domain environment. In addition, when users sign in to their Active Directory
accounts, the domain controller that performs the authentication must contact a global catalog to check
for universal group memberships before authenticating the users.

In a single domain, you should configure all the domain controllers to hold a copy of the global catalog.
However, in a multiple-domain environment, the infrastructure master should not be a global catalog
server unless all the domain controllers in the domain are also global catalog servers. When you have
multiple sites, you should also make at least one domain controller at each site a global catalog server, so
that you are not dependent on other sites when you require global catalog queries. Deciding which domain
controllers to configure to hold a copy of the global catalog depends on replication traffic and network
bandwidth. Many organizations opt to make every domain controller a global catalog server.

Overview of domain controller SRV records

When users sign in to AD DS, their computers look
in DNS for SRV records to locate the nearest
domain controller. SRV records specify information
about available services. Each domain controller
dynamically registers its addresses in DNS at
startup by registering an updated SRV record in
DNS. Clients can locate a suitable domain
controller to service their sign-in requests by using
DNS lookups which use these SRV records.

SRV records for AD DS follow the following

pattern:

_Service._Protocol.DomainName

For example, if a client is looking for a server that is running the Lightweight Directory Access Protocol
(LDAP) service in the Adatum.com domain, it queries for _ldap._tcp.Adatum.com.

Sites and SRV records

A client uses sites when it needs to contact a domain controller. It starts by looking up SRV records in DNS.
The response to the DNS query includes:

 A list of the domain controllers in the same site as the client.

 A list of the domain controllers from the next closest site that does not include an RODC, if no domain
controllers were available in the same site and the Try Next Closest Site Group Policy setting is
enabled.

 A random list of available domain controllers in the domain, if there is no domain controller in the next
closest site.

Administrators can define sites in AD DS. When you define sites, you should consider which parts of the
network have good connectivity and bandwidth. For example, if a branch office connects to the main
datacenter through an unreliable wide area network (WAN) link, you should define the branch office and
the datacenter as separate sites.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-17

The Net Logon service that runs on each domain controller registers the SRV records in DNS. If the SRV
records are not entered in DNS correctly, you can trigger the domain controller to reregister those records
by restarting the Net Logon service on that domain controller. Note that this process reregisters only the
SRV records. If you want to reregister the host (A) record information in DNS, you must run ipconfig
/registerdns from a command prompt, just as you would for any other computer.

Demonstration: Viewing the SRV records in DNS

This demonstration shows you how to display the various types of SRV records that the domain controllers
register in DNS. These records are crucial to how AD DS operates, because they are used to find domain
controllers for signing in, changing passwords, and editing GPOs. Domain controllers also use SRV records
to find replication partners.

Demonstration Steps

View the SRV records by using DNS Manager

1. On LON-DC1, sign in with the user name Adatum\Administrator and the password Pa55w.rd.
2. Open the DNS Manager window, and then explore the DNS domains that begin with an
underscore (_).

3. View the SRV records that domain controllers have registered.

Note: These records provide alternate paths so that clients can discover them.

AD DS sign-in process
When a user attempts to sign in to a computer, the
computer first searches for a domain controller to
authenticate the user by using DNS lookup. The
computer then sends the user’s name and
password to the domain controller for
authentication. The local security authority (LSA)
on the domain controller handles the actual
authentication process.

If the sign-in succeeds, the LSA builds an access

token for the user that contains the security IDs
(SIDs) for the user and any groups in which the
user is a member. The token provides the access
credentials for any process that the user initiates. For example, after signing in to AD DS, if a user attempts
to open a Microsoft Word file. Word uses the credentials in the user’s access token to verify the level of the
user’s permissions for that file.

Note: A SID is a unique string in the form S-R-X-Y1-Y2-Yn-1-Yn. For example, a user SID can
be S-1-5-21-322346712-1256085132-1900709958-500.
 MCT USE ONLY. STUDENT USE PROHIBITED
1-18 Installing and configuring domain controllers

The following table explains the parts of this SID.

Component Definition In the example

S Indicates that the string is an SID S

R Revision level 1

X Identifier authority value 5 (NT Authority)

Y1-Y2-Yn-1 Domain identifier 21-322346712-1256085132-1900709958

Yn Relative ID (RID) 500

Every user and computer account and every group that you create has a unique SID. The SIDs
differ from each other only because of the unique RID. The SID in the example is a well-known SID
for the domain administrator account. Default accounts and groups use well-known SIDs. The
domain administrator account’s SID always ends with 500.
Although the sign-in process appears to the user as a single event, it consists of two parts:

 The user provides credentials, usually a user account name and password, which are checked against
the AD DS database. If the user account name and password match the information stored in the
AD DS database, the user becomes an authenticated user and the domain controller issues the user a
TGT. At this point, the user does not have access to any resources on the network.

 A secondary process in the background submits the TGT to the domain controller and requests access
to the local computer. The domain controller issues a service ticket to the user, who then can interact
with the local computer. At this point in the process, the user has authenticated to AD DS and signed in
to the local computer.

When a user subsequently attempts to connect to another computer on the network, the secondary
process runs again, and the TGT is submitted to the nearest domain controller. When the domain controller
returns a service ticket, the user can access the computer on the network, which generates a logon event at
that computer.

Note: Remember that a domain-joined computer also signs in to AD DS when it starts. You
do not see the transaction when the computer uses its computer account name and password to
sign in to AD DS. After authentication, the computer becomes a member of the Authenticated
Users group. Although the computer logon event does not have visual confirmation in a GUI, the
event log records it. Also, if you have enabled auditing, the security log of Event Viewer records
additional events.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-19

What are operations masters?

Certain operations can be performed only by a
specific role, on a specific domain controller. A
domain controller that holds one of these roles is
an operations master. An operations master role is
also known as a flexible single master operations
(FSMO) role. Five operations master roles exist. You
can locate all five on a single domain controller or
spread them across several domain controllers. By
default, the first domain controller installed in a
forest contains all five roles. However, you can
move these roles after building more domain
controllers. By allowing changes only on a single
domain controller, the operations master roles help to prevent conflicts in AD DS due to replication latency.
When making changes to data on an operations master, you must connect to the domain controller that
holds the role.

The five operations master roles are distributed as follows:

 Each forest has one schema master and one domain naming master.

 Each AD DS domain has one RID master, one infrastructure master, and one primary domain controller
(PDC) emulator.

Forest operations masters

A forest contains the following single master roles:
 Domain naming master. This is the domain controller that you must contact when you add or remove a
domain or make domain name changes.

If the domain naming master is unavailable, you will not be able to add domains to the forest.
 Schema master. This is the domain controller in which you make all schema changes. To make changes,
you typically sign in to the schema master as a member of both the Schema Admins and the
Enterprise Admins groups. A user who is a member of both groups and who has the appropriate
permissions can also edit the schema by using a script.

If the schema master is unavailable, you will not be able to make changes to the schema. This prevents
the installation of applications that require schema changes, such as Exchange Server.

Note: The Windows PowerShell command Get-ADForest, from the Active Directory module
for Windows PowerShell, shows the forest properties, including the current domain naming master
and schema master.

Domain operations masters

A domain contains the following single master roles:

 RID master. Whenever you create an object in AD DS, the domain controller where you created the
object assigns the object a unique identifying number known as a SID. To ensure that no two domain
controllers assign the same SID to two different objects, the RID master allocates blocks of RIDs to each
domain controller within the domain to use when building SIDs.

If the RID master is unavailable, you might experience difficulties adding new objects to the domain. As
domain controllers use their existing RIDs, they eventually run out of them and are unable to create
new objects.
 MCT USE ONLY. STUDENT USE PROHIBITED
1-20 Installing and configuring domain controllers

 Infrastructure master. This role maintains interdomain object references, such as when a group in one
domain contains a member from another domain. In this situation, the infrastructure master is
responsible for maintaining the integrity of this reference. For example, when you look at the Security
tab of an object, the system looks up the listed SIDs and translates them into names. In a
multiple-domain forest, the infrastructure master looks up SIDs from other domains.
If the infrastructure master is unavailable, domain controllers that are not global catalogs will not be
able to check universal group memberships or authenticate users.

The infrastructure role should not reside on a global catalog server, unless you have a single-domain
forest. The exception is when you follow best practices and make every domain controller a global
catalog. In that case, the infrastructure role is not necessary, because every domain controller knows
about every object in the forest.
 PDC emulator master. The domain controller that holds the PDC emulator master is the time source for
the domain. The PDC emulator masters in each domain in a forest synchronize their time with the PDC
emulator master in the forest root domain. You set the PDC emulator master in the forest root domain
to synchronize with a reliable external time source.

The PDC emulator master is also the domain controller that receives urgent password changes. If a
user’s password changes, the domain controller holding the PDC emulator master role receives this
information immediately. This means that if the user tries to sign in, the domain controller in the user’s
current location will contact the domain controller holding the PDC emulator master role to check for
recent changes. This will occur even if the user has been authenticated by a domain controller in a
different location that had not yet received the new password information.

If the PDC emulator master is unavailable, users might have trouble signing in until their password
changes have replicated to all the domain controllers.
The PDC emulator master also plays a role in editing GPOs. When you open a GPO (other than a local
GPO) for editing, the PDC emulator master stores the edited copy. This prevents conflicts if two
administrators attempt to edit the same GPO at the same time on different domain controllers.
However, you can choose to use a specific domain controller to edit the GPOs. This is especially useful
when editing GPOs in a remote office with a slow connection to the PDC emulator.

Note: The Windows PowerShell command Get-ADDomain, from the Active Directory
module for Windows PowerShell, shows the domain properties, including the current RID master,
infrastructure master, and PDC emulator master.

Note: The global catalog is not one of the operations master roles.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-21

Transferring and seizing roles

In an AD DS environment where you distribute
FSMO roles among domain controllers, you might
need to move a role from one domain controller to
another. When you plan this role move—for
example, to decommission servers or balance
workloads—the move is known as transferring the
role. If you do not plan the move—for example, in
the case of a hardware or system failure—the
move is known as seizing the role.

When you transfer a role, the latest data from the

domain controller in that role replicates to the
target server. You should seize a role only as a last
resort. When you seize a role, the original domain controller is not available, so the available data might be
incomplete or out of date.

Transferring FSMO roles

You can transfer FSMO roles through the GUI by using the AD DS snap-ins that the following table lists.

Role Snap-in

Schema master Active Directory Schema

Domain naming master Active Directory Domains and Trusts

Infrastructure master Active Directory Users and Computers

RID master Active Directory Users and Computers

PDC emulator Active Directory Users and Computers

Seizing FSMO roles

You cannot use the snap-ins to seize FSMO roles. Instead, you must use the ntdsutil.exe command-line tool
or Windows PowerShell to seize roles. You can also use these tools to transfer roles.

The syntax for transferring a role and seizing a role is similar within Windows PowerShell, as the following
syntax line shows:

Move-ADDirectoryServerOperationsMasterRole -Identity “<servername>” -OperationsMasterRole

<rolenamelist> -Force

For the preceding syntax line, the noteworthy definitions are as follows:

 <servername>. The name of the target domain controller to which you are transferring one or more
roles.
 <rolenamelist>. A comma-separated list of AD DS role names to move to the target server.

 -Force. An optional parameter that you include to seize a role instead of transferring it.

Additional Reading: For more information on using Windows PowerShell to transfer or

seize FSMO roles, refer to: “Move (Transferring or Seizing) FSMO Roles with AD-Powershell
Command to Another Domain Controller” at: http://aka.ms/Rn7kfi
 MCT USE ONLY. STUDENT USE PROHIBITED
1-22 Installing and configuring domain controllers

Additional Reading: For information on using ntdsutil.exe to transfer or seize FSMO roles,
refer to: “Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller” at:
http://aka.ms/Npye86

Question: Should a domain controller be a global catalog?

Question: Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

In a multiple-domain forest, a copy of the global

catalog should be stored on every domain controller.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-23

Lesson 3
Deploying a domain controller
Sometimes you need to install additional domain controllers in your Windows Server 2016 domain, for
reasons such as:

 You need additional resources at a site because the existing domain controllers are overworked.

 You are opening a new remote office that requires you to deploy one or more domain controllers.

 You are creating an off-site disaster recovery location.

This lesson examines several ways to install additional domain controllers. The installation method that you
use varies with the circumstances. Methods include installing AD DS on a local computer and on a remote
server by using Server Manager, installing AD DS on a Server Core installation, and installing AD DS by
using a snapshot of the AD DS database stored on removable media. This lesson also examines how to
upgrade a domain controller from an earlier Windows operating system to Windows Server 2016. Finally,
the lesson explains Azure AD and how to install a domain controller in Azure.

Lesson Objectives
After completing this lesson, you should be able to:
 Explain how to install a domain controller by using the GUI.

 Explain how to install a domain controller on a Server Core installation of Windows Server 2016.

 Explain how to upgrade a domain controller by installing from media.

 Explain how to install a domain controller by installing from media.

 Describe the process of cloning domain controllers.

 Explain best practices for virtualizing domain controllers.

Installing a domain controller from Server Manager

The domain controller installation and promotion
process has two steps. First, you need to install the
files that the domain controller role uses. You do
this by using Server Manager to install the AD DS
role. At the end of the initial installation process,
you have installed the AD DS files but not yet
configured AD DS on the server.

To configure AD DS, you use the Active Directory

Domain Services Configuration Wizard. You
start the wizard by clicking the AD DS link in
Server Manager. The wizard allows you to do one
of the following:

 Add a domain controller to an existing domain.

 Add a new domain to an existing forest.

 Add a new forest.

 MCT USE ONLY. STUDENT USE PROHIBITED
1-24 Installing and configuring domain controllers

Before installing a new domain controller, you need to answer the questions in the following table.

Question Comments

Are you installing a new forest, a new tree, or an Answering this question determines what
additional domain controller for an existing additional information you might need, such as the
domain? parent domain name.

What is the DNS name for the AD DS domain?
When you create the first domain controller for a
domain, you must specify the fully qualified
domain name (FQDN). When you add a domain
controller to an existing domain or forest, the
wizard provides the existing domain information.

Which level will you choose for the forest
functional level?
The forest functional level determines the forest
features that will be available and the supported
domain controller operating system. This also sets
the minimum domain functional level for the
domains in the forest.

Which level will you choose for the domain The domain functional level determines the
functional level? domain features that will be available and the
supported domain controller operating system.

Will the domain controller be a DNS server? Your DNS must be functioning well to support
AD DS.

Will the domain controller host the global This option is selected by default for the first
catalog? domain controller in a forest, and you cannot
change it.

Will the domain controller be an RODC? This option is not available for the first domain
controller in a forest.

What will the Directory Services Restore Mode This is necessary for recovering the AD DS database
(DSRM) password be? from a backup.

What is the NetBIOS name for the AD DS domain? When you create the first domain controller for a
domain, you must specify the NetBIOS name for
the domain.

Where will the database, log files and SYSVOL By default, the database and log files folder is
folders be created? C:\Windows\NTDS.
By default, the SYSVOL folder is
C:\Windows\SYSVOL.

Note: If you need to restore the AD DS database from a backup, restart the domain
controller in DSRM. To enter DSRM, restart the domain controller, and then press F8 during the
initial startup process. When the domain controller starts, it is not running the AD DS services.
Instead, it is running as a member server in the domain. To sign in to that server in the absence of
AD DS, use the DSRM password.

Note: Windows Server 2016 supports cloning AD DS servers. Before you clone an AD DS
server, it must be a member of the Cloneable Domain Controllers group. Additionally, the
PDC emulator must be online and available to the cloned DC, and it must be running Windows
Server 2016.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-25

Note: The Active Directory Domain Services Installation Wizard (dcpromo.exe),

commonly used to install domain controllers in Windows Server 2008 and earlier, is obsolete
starting with Windows Server 2012.

Installing a domain controller on a Server Core installation of Windows

Server 2016
A Windows Server 2016 server that is running a
Server Core installation does not have the Server
Manager GUI, so you need to use alternative
methods to install the files for the domain
controller role and to install the domain controller
role itself. You can use Server Manager, Windows
PowerShell, or Remote Server Administration Tools
(RSAT) installed on a client running Windows 8.1 or
later.

To install the AD DS files on the server, you can do

one of the following:

 Use Server Manager to connect remotely to

the server running the Server Core installation, and then install the AD DS role as described in the
previous topic.

 Use the Windows PowerShell command Install-WindowsFeature AD-Domain-Services to install the

files.
After you install the AD DS files, you can complete the rest of the configuration process, except for the
hardware installation and configuration, in one of the following ways:

 Use Server Manager to start the Active Directory Domain Services Configuration Wizard as
described in the previous topic.

 Run the Windows PowerShell cmdlet Install-ADDSDomainController, supplying the required

information on the command line.

Note: In Windows Server 2016, running a cmdlet automatically loads the cmdlet’s module, if
it is available. For example, running the Install-ADDSDomainController cmdlet automatically
loads the ADDSDeployment module into your current Windows PowerShell session. If a module is
not loaded or available, you will receive an error message when you run the cmdlet to indicate that
it is not a valid cmdlet.

You can still manually import the module that you need. However, in Windows Server 2016, you do
so only when specifically necessary, such when you are pointing to a source to install the module.

Additional Reading: For more information on using the Windows PowerShell cmdlet
Install-ADDSDomainController, refer to: “Install Active Directory Domain Services (Level 100)” at:
http://aka.ms/A9jlvk

Additional Reading: For more information, refer to: “AD DS Deployment Cmdlets in
Windows PowerShell” at: http://aka.ms/Lnxifx
 MCT USE ONLY. STUDENT USE PROHIBITED
1-26 Installing and configuring domain controllers

Upgrading a domain controller

The process for upgrading a domain controller is
the same for any version of Windows Server
starting from Windows Server 2008 through
Windows Server 2016. You can upgrade to a
Windows Server 2016 domain in one of the
following two ways:

 You can upgrade the operating system on

existing domain controllers that are running
Windows Server 2008 or later.
 You can add servers running Windows Server
2016 as domain controllers in a domain that
already has domain controllers running earlier
versions of Windows Server.

We recommend the latter method, because when you finish, you will have a clean installation of the
Windows Server 2016 operating system and the AD DS database. Whenever you add a new domain
controller, the domain DNS records are updated, and clients will immediately find and use this domain
controller.

Upgrading to Windows Server 2016

To upgrade an AD DS domain running at the functional level of an earlier version of Windows Server to an
AD DS domain running at the functional level of Windows Server 2016, you must first upgrade all the
domain controllers to the Windows Server 2016 operating system. You can perform this upgrade by
upgrading all the existing domain controllers to Windows Server 2016. Alternatively, you can introduce new
domain controllers that are running Windows Server 2016 and then phase out the existing domain
controllers.
An in-place operating system upgrade does not perform automatic schema and domain preparation. To
perform an in-place upgrade of a computer that has the AD DS role installed, you must first use the
command-line commands adprep.exe /forestprep and adprep.exe /domainprep to prepare the forest
and domain. The installation media in the \Support\Adprep folder includes adprep.exe. There are no
additional configuration steps after that point, and you can continue to run the Windows Server 2016
operating system upgrade.

When you promote a server running Windows Server 2016 to be a domain controller in an existing domain,
and you have signed in as a member of the Schema Admins and Enterprise Admins groups, the AD DS
schema automatically updates to Windows Server 2016. In this scenario, you do not need to run the
adprep.exe command before you start the installation.

Deploying Windows Server 2016 domain controllers

To upgrade the operating system of a domain controller running Windows Server 2008 or later to Windows
Server 2016, perform the following steps:

1. Insert the installation disk for Windows Server 2016, and then run Setup. The Windows Setup Wizard
opens.

2. Complete the Windows Setup Wizard and choose the option Upgrade: Install Windows and keep
files, settings, and applications.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-27

Note: With this type of upgrade, you do not need to preserve users’ settings and reinstall
applications; everything is upgraded in place. Remember to check for hardware and software
compatibility before you perform an upgrade.

To introduce a clean installation of Windows Server 2016 as a domain controller, perform the following
steps:

1. Deploy and configure a new installation of Windows Server 2016, and then join it to the domain.

2. Promote the new server to be a domain controller in the domain by using Server Manager or one of
the other methods described previously.
3. Update the client DNS settings that refer to the old domain controllers to use the new domain
controller.

Installing a domain controller by installing from media

If you have a network connection between sites
that is slow, unreliable, or costly, you might find it
necessary to add another domain controller at a
remote location or branch office. In this scenario, it
is often better to deploy AD DS to a server by
installing it from media rather than by deploying it
over the network.

For example, if you connect to a server that is in a

remote office and use Server Manager to install
AD DS, the entire AD DS database and the SYSVOL
folder will copy to the new domain controller over
a potentially unreliable WAN connection.
Alternatively, to significantly reduce the amount of traffic moving over the WAN link, you can create a
backup of AD DS (perhaps to a USB drive) and take this backup to the remote location. When you are at the
remote location and run Server Manager to install AD DS, you can select the Install from media option.
Most of the copying then occurs locally. In this scenario, only security-related traffic uses the WAN link. The
WAN link also helps ensure that the new domain controller receives any changes made to the central
AD DS after you created the Install from media backup.

To install a domain controller by installing from media, browse to a domain controller that is not an RODC.
Use the ntdsutil command-line tool to create a snapshot of the AD DS database, and then copy the
snapshot to the server that you will promote to a domain controller. Use Server Manager to promote the
server to a domain controller by selecting the Install from Media option and then providing the local path
to the Install from media directory that you previously created.

The procedure is as follows:

1. On the full domain controller, at an administrative command prompt, type the following commands
(where C:\IFM is the destination directory that will contain the snapshot of the AD DS database):

Ntdstil
Activate instance ntds
Ifm
create SYSVOL full C:\IFM
 MCT USE ONLY. STUDENT USE PROHIBITED
1-28 Installing and configuring domain controllers

2. On the server that you are promoting to a domain controller, perform the following steps:

a. Use Server Manager to add the AD DS role.

b. Wait while the AD DS files install.

c. In Server Manager, click the Notification icon, and then under Post-Deployment
Configuration, click Promote this server to a domain controller. The Active Directory
Domain Services Configuration Wizard runs.

d. On the appropriate page of the wizard, select the Install from media option, and then provide
the local path to the snapshot directory. AD DS installs from the snapshot.
3. Note that when the domain controller restarts, it contacts the other domain controllers in the domain
and updates AD DS with any changes made after the creation of the snapshot.

Additional Reading: For more information on the steps required to install AD DS, refer to:
”Install Active Directory Domain Services (Level 100)” at: http://aka.ms/Rvcwlz

Cloning domain controllers

The fastest way to deploy multiple computers with
identically configurations, especially when those
computers run in a virtualized environment such as
Microsoft Hyper-V, is to clone those computers.
Cloning copies the virtual hard disks of the
computers, and changes minor configurations
such as computer names and IP addresses to be
unique. Then the computers are immediately
operational. This process, also referred to as
provisioning computers, is a central technology of
private clouds. Prior to Windows Server 2012, you
could clone domain members, but you were not
able to clone domain controllers. In Windows Server 2016 and Windows Server 2012, you can clone domain
controllers. The following scenarios benefit from virtual domain controller cloning:

 Rapidly deploying additional domain controllers in a new domain.

 Quickly restoring business continuity during disaster recovery. You can restore AD DS capacity by using
cloning to quickly deploy domain controllers.

 Optimizing private cloud deployments. You can leverage the flexible provisioning of domain
controllers to accommodate increased scale requirements.

 Rapidly provisioning test environments. This allows for the deployment and testing of new features and
capabilities before a production rollout.

 Quickly meeting increased capacity needs in branch offices. You can do this either by cloning existing
domain controllers in branch offices or by cloning them in the datacenter and then transferring them
to branches by using Hyper-V.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-29

Cloning domain controllers requires the following:

 A hypervisor that supports virtual machine generation identifiers, such as Hyper-V in Windows Server
2012 and later.

 Domain controllers as guest operating systems based on Windows Server 2012 and later.

 A domain controller that you want to clone, or a source domain controller, that must run as a virtual
machine guest on the supported hypervisor.

 A PDC emulator that runs on Windows Server 2012 or later. It is possible to clone domain controllers
running Windows Server 2012 when earlier versions of domain controllers exist in your environment.
However, the domain controller that holds the PDC emulator FSMO role needs to support the cloning
process. The PDC emulator must be online when the virtual domain controller clones start for the first
time.

To help ensure that AD DS administrators authorize cloning virtualized domain controllers, a member of
the Domain Admins group needs to prepare a computer for cloning. Hyper-V administrators are unable to
clone a domain controller without AD DS administrators, and similarly AD DS administrators are unable to
clone a domain controller without Hyper-V administrators.

Preparing the source virtual domain controller

To prepare to deploy virtual domain controllers, follow these steps:
1. Add the source domain controller to the Cloneable Domain Controllers group.

2. Verify that the apps and services on the source domain controller support the cloning process. You can
do this by running the following Windows PowerShell cmdlet:

Get-ADDCCloneingExcludedApplicationList

You must remove or test any apps or services that do not support cloning. If they work after cloning,
put the apps or services in the CustomDCCloneAllowList.xml file. You can create
CustomDCCloneAllowList.xml by using the same cmdlet, appending the parameter GenerateXML.
Optionally, you can append the parameter –Force if you want to overwrite an existing
CustomDCCloneAllowList.xml file, as shown in the following syntax:

Get-ADDCCloneingExcludedApplicationList –GenerateXML [-Force]

3. Create a DCCloneConfig.xml file. You must create this file so that the cloning process recognizes it
and creates a new domain controller from the clone. By creating this file, you can specify a custom
computer name, TCP/IP address settings, and the site name where the new domain controller should
reside. If you do not specify one or all these parameters, a computer name is automatically generated,
and the IP address settings are set to dynamic. This requires a Dynamic Host Configuration Protocol
(DHCP) server on the network and assumes that the domain controller clones reside in the same site as
the source domain controller. You can use Windows PowerShell to create the DCCloneConfig.xml file,
as shown in the following syntax:

New-ADDCCloneConfigFile [-CloneComputerName <String>] [-IPv4DNSResolver <String[]>]

[-Path <String>] [-SiteName <String>]

If you want to create more than one clone, and you want to specify settings such as computer names
and TCP/IP addressing information, you need to modify the DCCloneConfig.xml file. Alternatively,
you can create a new, individual one for each clone prior to starting it for the first time.

4. Export the source virtual domain controller.

 MCT USE ONLY. STUDENT USE PROHIBITED
1-30 Installing and configuring domain controllers

Preparing multiple domain controller clones

If you want to prepare multiple domain controller clones, do not provide any additional parameters, and
allow the automatic generation of the computer name. In addition, use DHCP to provide TCP/IP addressing
information.

Alternatively, you can customize each clone by creating individual DCCloneConfig.xml files. To do this,
follow these steps:

1. Create the cloned virtual hard disks by exporting and importing the virtual computer.

2. Mount the newly cloned virtual hard disks by doing one of the following:

o Double-click them in File Explorer.

o Use Diskpart.exe with the assign command at an elevated command prompt.

o Use the Mount-DiskImage Windows PowerShell cmdlet.

3. Use the -Offline and -Path parameters with the New-ADDCCloneConfigFile cmdlet. Change E to the
drive letter that you used when mounting the .vhdx file in the previous step, as shown in the following
cmdlet:

New-ADDCCloneConfigFile –CloneComputerName <LON-DC3> –Offline –Path <E>:\Windows\NTDS

4. Unmount the virtual hard disk files by using Diskpart.exe or the Dismount-DiskImage Windows
PowerShell cmdlet.

Using dynamically assigned computer names

If you do not configure DCCloneConfig.xml with a static computer name—for example, to create multiple
clones without individual configurations—the computer name of the new clone is automatically generated
based on the following algorithm:
 The prefix consists of the first eight characters of the computer name of the source domain controller.
For example, the source computer name SourceComputer is abbreviated into the prefix SourceCo.

 A unique naming suffix of the format -CLnnnn is appended to the prefix, where nnnn is the next
available value from 0001 through 9999 that the PDC emulator determines is not currently in use.

Creating the virtual domain controller clones

To create the virtual domain controller clones, follow these steps:

1. Ensure that the domain controller, which holds the PDC emulator FSMO role, runs on Windows
Server 2012 or later.

2. Ensure that the PDC emulator and a domain controller hosting the global catalog are online.

3. By using the exported files from the preparation steps, use the import function to create as many
clones as needed. When using Hyper-V, select Copy the virtual machines (create a new unique ID)
to allow you to import multiple individual instances of the same exported computer.

4. Individually configure clones as required, by following the previously outlined steps.

5. Start the clones.

 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-31

Finalizing the domain controller cloning

When a new domain controller clone starts, the following steps take place automatically:

1. The clone checks whether a virtual machine generation identifier exists. This is required, and if a virtual
machine generation identifier does not exist, the computer either starts normally when no
DCCloneConfig.xml exists or renames DCCloneConfig.xml and restarts in DSRM. Starting in DSRM is
a safeguard, and a domain administrator needs to pay close attention and fix the issue to make the
domain controller work as intended.

2. The clone checks whether the virtual machine generation identifier changed, and takes one of the
following actions accordingly:

o If it did not change, it is the original source domain controller. If DCCloneConfig.xml exists, it is
renamed. In both cases, a normal startup occurs, and the domain controller is functional again.
o If it did change, the virtualization safeguards trigger, and the process continues.

3. The clone checks whether DCCloneConfig.xml exists. If not, a check for a duplicate IP address
determines whether the computer starts normally or in DSRM. If the DCCloneConfig.xml file exists,
the computer gets the new computer name and IP address settings from the file. The AD DS database
is modified, and the initialization steps continue, thereby creating a new domain controller.

Demonstration: Cloning a domain controller

In this demonstration, you will see how to:

 Prepare a source domain controller for cloning.

 Export the source virtual machine.

 Create and start the cloned domain controller.

Demonstration Steps
Prepare a source domain controller for cloning
1. On LON-DC1, open Active Directory Administrative Center.

2. Add the domain controller LON-DC1 to the Cloneable Domain Controllers group.

3. Verify that the apps and services on LON-DC1 support cloning.

4. Create the DCCloneConfig.xml file, for cloning LON-DC3.

5. Shut down LON-DC1.

Export the source virtual machine

1. On the host computer, in Hyper-V Manager, export LON-DC1.

2. Restart LON-DC1.

Create and start the cloned domain controller

1. Import a new virtual machine by using the exported files.

2. Name the new virtual machine 20742B-LON-DC3, and then select Copy the virtual machine (create
a new unique ID).

3. In Hyper-V Manager, start LON-DC3.

 MCT USE ONLY. STUDENT USE PROHIBITED
1-32 Installing and configuring domain controllers

Best practices for domain controller virtualization

Virtualization provides many benefits, such as
hardware independence, efficient use of resources,
and scalability in private cloud scenarios. It also
provides flexibility when you move virtual
machines across virtualization infrastructures. In
the past, when administrators virtualized domain
controllers, they had to be familiar with AD DS–
specific requirements, so that they could avoid
adding risk to the AD DS infrastructure.

When using virtual domain controllers, consider

the following best practices:

 Avoid single points of failure. Ensure that you

have at least two virtualized domain controllers per domain on different virtualization hosts, which
reduces the risk of losing all domain controllers if a single virtualization host fails. Also, diversify the
hardware, storage networks, and storage systems. Ensure that you maintain domain controllers in
different datacenters or regions to reduce the impact of disasters.

 Verify time services. Ensure that all computers, including the hypervisor host and domain controller
guests, are participating in the same time services infrastructure. Also, ensure that the time on the host
and on the guests does not differ.

 Use virtualization technology that allows for virtual machine generation identifiers. Only virtualization
infrastructures that support the new virtual machine generation identifiers also support the safeguards
and cloning of virtual domain controllers.

 Use Windows Server 2012 or later as the guest operating system for virtual domain controllers. Only
these versions support the safeguards for virtual domain controllers.
 Avoid or disable checkpoints. If the virtualization host or the guest operating systems of the domain
controllers do not support the safeguards for virtualizing domain controllers, disable the possibility of
creating checkpoints. You can do this by using a pass-through disk instead of a virtual hard disk, for
example. When there is support for the safeguards, use a virtual hard disk to support cloning, but avoid
using checkpoints.

 Strive to improve security, by ensuring that the virtualization administrators are as trusted as your
domain admins.

 Consider taking advantage of cloning. Cloning can be a deployment or a recovery strategy. It helps to
provide a fast and simple way to create many domain controllers in a short time.

 Clone in batches of 10 at a maximum. Do not start more than 10 new clones at the same time, because
the file replication used for SYSVOL allows only 10 replication connections at the same time.

 Consider using virtualization technologies that allow you to move virtual machines across site
boundaries. This can be beneficial in your deployment and recovery strategies. For example, you can
create 10 clones in a central location and then move them to remote offices during off-peak hours.

 Adjust your naming strategy to allow for domain controller clones. For example, allow cloned domain
controllers to retain the first eight characters of the source domain controller name, and then attach -
CLnnnn.
 MCT USE ONLY. STUDENT USE PROHIBITED
Identity with Windows Server 2016 1-33

Additional Reading: For more information on virtualizing domain controllers, refer to:
“Running Domain Controllers in Hyper-V” at: http://aka.ms/Tjjl9g

Question: What is the fastest way to replicate domain controllers in a virtualized environment?

Question: What are the two major considerations for deploying domain controllers to Azure?