M1 - Lesson 3 Deploying A Domain Controller

Uploaded by

victor shahzad

70-742 Identity with Windows Server 2016

Lesson 3
Deploying a domain controller
Sometimes you need to install additional domain controllers in your Windows Server 2016 domain.
Several reasons exist for why you might want to do this:
• You need additional resources at a site because the existing domain controllers are overworked.
• You are opening a new remote office that requires you to deploy one or more domain controllers.
• You are creating an off-site disaster recovery location.
The installation method that you use varies with the circumstances.
This lesson examines several ways to install additional domain controllers. These include installing AD DS on a local
computer and on a remote server by using Server Manager, installing AD DS on a Server Core installation, and installing
AD DS by using a snapshot of the AD DS database that is stored on removable media. This lesson also examines how to
upgrade a domain controller from an earlier Windows operating system to Windows Server 2016. Finally, the lesson
discusses Azure AD and how to install a domain controller in Azure.
Lesson Objectives
After completing this lesson, you should be able to:
• Explain how to install a domain controller by using the GUI.
• Explain how to install a domain controller on a Server Core installation of Windows Server 2016.
• Explain how to upgrade a domain controller.
• Explain how to install a domain controller by installing from media.
• Describe the process of cloning domain controllers.
• Explain best practices for virtualizing domain controllers.
Installing a domain controller from Server Manager
The domain controller installation and promotion have two steps. First, you need to install
the files that the domain controller role uses. You do this by installing the AD DS role
using Server Manager. At the end of the initial installation process, the AD DS files are
installed but AD DS is not yet configured on the server.
To configure AD DS, you use the Active Directory Domain Services Configuration
Wizard. You start the wizard by clicking the AD DS link in Server Manager. The wizard
allows you to do one of the following:
• Add a domain controller to an existing domain.
• Add a new domain to an existing forest.
• Add a new forest.
Before installing a new domain controller, you need to have answers to the questions in the following table.
Question: Are you installing a new forest, a new tree, or an additional domain controller for an existing domain?
Comments: Answering this question determines what additional information you might need, such as the parent domain name.

Question: What is the DNS name for the AD DS domain?
Comments: When you create the first domain controller for a domain, you must specify the fully qualified domain name
(FQDN). When you add a domain controller to an existing domain or forest, the wizard provides the existing domain
information.

Question: What will you set the forest functional level at?
Comments: The forest functional level determines the forest features that will be available and the supported domain
controller operating system. This also sets the minimum domain functional level for the domains in the forest.

Question: What will you set the domain functional level at?
Comments: The domain functional level determines the domain features that will be available and the supported domain
controller operating system.

Question: Will the domain controller be a DNS server?
Comments: Your DNS must be functioning well to support AD DS.

Question: Will the domain controller host the global catalog?
Comments: This option is selected by default for the first domain controller in a forest, and it cannot be changed.

Question: Will the domain controller be an RODC?
Comments: This option is not available for the first domain controller in a forest.

Question: What will the Directory Services Restore Mode (DSRM) password be?
Comments: This is required to recover the AD DS database from a backup.

Question: What is the NetBIOS name for the AD DS domain?
Comments: When you create the first domain controller for a domain, you must specify the NetBIOS name for the domain.

Trainer: Muhammad Muazzam M1 - Lesson 3 Deploying a domain controller


Question: Where will the database, log files, and SYSVOL folders be created?
Comments: By default, the database and log files folder is C:\Windows\NTDS. By default, the SYSVOL folder is
C:\Windows\SYSVOL.
Note: If you need to restore the AD DS database from a backup, restart the domain controller in DSRM. The typical
process to enter DSRM is to restart the domain controller and then press F8 during the initial startup process. When the
domain controller starts, it is not running the AD DS services. Instead, it is running as a member server in the domain. To
sign in to that server in the absence of AD DS, use the DSRM password.
Note: Windows Server 2016 supports cloning AD DS servers. Before it is cloned, an AD DS server must be a member
of the Cloneable Domain Controllers group. Additionally, the PDC emulator must be online and available to the cloned
DC, and it must be running Windows Server 2016.
Note: The Active Directory Domain Services Installation Wizard (dcpromo.exe), commonly used to install domain
controllers in Windows Server 2008 and earlier, is obsolete starting with Windows Server 2012.
Installing a domain controller on a Server Core installation of Windows Server 2016
A Windows Server 2016 server that is running a Server Core installation does not
have the Server Manager GUI, so you need to use alternative methods to install the
files for the domain controller role and to install the domain controller role itself.
You can use Server Manager, Windows PowerShell, or Remote Server
Administration Tools (RSAT) installed on a client running Windows 8.1 or later.
To install the AD DS files on the server, you can do one of the following:
• Use Server Manager to connect remotely to the server running the Server Core installation, and then install the AD DS
role as described in the previous topic.
• Use the Windows PowerShell command Install-WindowsFeature AD-Domain-Services to install the files.
After you install the AD DS files, you can complete everything, except for the hardware installation and configuration, in
one of the following ways:
• Use Server Manager to start the Active Directory Domain Services Configuration Wizard as described in the previous
topic.
• Run the Windows PowerShell cmdlet Install-ADDSDomainController, supplying the required information on the
command line.
Note: In Windows Server 2016, running a cmdlet automatically loads the cmdlet’s module if it is available. For example,
running the Install-ADDSDomainController cmdlet automatically loads the ADDSDeployment module into your current
Windows PowerShell session. If a module is not loaded or available, you will receive an error message when you run the
cmdlet that says it is not a valid cmdlet. You can still manually import the module that you need. However, you do not need
to do this in Windows Server 2016, unless you have an explicit need to do so, such as pointing to a particular source to
install the module.
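The following is an added example, not code from the course material: it performs both steps on a Server Core installation from Windows PowerShell, passing the answers to the planning questions in the table above as parameters of Install-ADDSDomainController. The domain name, site name and account used are constructed placeholders.

```powershell
# Added example, not part of the course material: promote a Server Core
# installation to an additional domain controller in an existing domain,
# answering the planning questions from the table as cmdlet parameters.
# The domain name, site name and account are constructed placeholders.

# Step 1: install the AD DS role files only; nothing is configured yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$cred = Get-Credential -Message 'Domain Admins account used for the promotion'
# The DSRM password is what you sign in with when AD DS is not running,
# for example to restore the database from a backup.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode Administrator) password'

$params = @{
    DomainName                    = 'adatum.com'            # existing domain (placeholder)
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    SiteName                      = 'Default-First-Site-Name'
    InstallDns                    = $true                   # "Will the DC be a DNS server?"
    NoGlobalCatalog               = $false                  # "Will the DC host the global catalog?"
    # No -ReadOnlyReplica: this is a writable domain controller, not an RODC.
    DatabasePath                  = 'C:\Windows\NTDS'       # defaults named in the table
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Force                         = $true                   # no interactive confirmation
}

# Step 2a: run only the prerequisite checks that the wizard would run.
$check = Test-ADDSDomainControllerInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check failed; fix the reported problems before promoting.'
}

# Step 2b: promote, but hold the restart so the result can be reviewed first.
$result = Install-ADDSDomainController @params -NoRebootOnCompletion
$result | Format-List Status, Message, RebootRequired
if ($result.Status -eq 'Success') { Restart-Computer -Confirm }
```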
Upgrading a domain controller
The process for upgrading a domain controller is the same for any version of Windows Server starting from Windows
Server 2008 through Windows Server 2016. You can upgrade to a Windows Server 2016 domain in one of the following
two ways.
• You can upgrade the operating system on existing domain controllers that are running Windows Server 2008 or
later.
• You can add servers running Windows Server 2016 as domain controllers in a domain that already has domain
controllers running earlier versions of Windows Server.
Of the two methods, the latter is preferred because when you finish, you will have a clean installation of the Windows
Server 2016 operating system and the AD DS database. Whenever a new domain controller is added, the domain DNS
records are updated, and clients will immediately find and use this domain controller.
Upgrading to Windows Server 2016
To upgrade an AD DS domain running at the functional level of an earlier version of
Windows Server to an AD DS domain running at the functional level of Windows
Server 2016, you must first upgrade all the domain controllers to the Windows Server
2016 operating system. You can perform this upgrade by upgrading all of the existing
domain controllers to Windows Server 2016 or by introducing new domain controllers
that are running Windows Server 2016 and then phasing out the existing domain
controllers. An in-place operating system upgrade does not perform automatic schema
and domain preparation. To perform an in-place upgrade of a computer that has the AD DS role installed, you must first
use the command-line commands adprep.exe /forestprep and adprep.exe /domainprep to prepare the forest and domain.
The adprep tool is included on the installation media in the \Support\Adprep folder. No additional configuration steps exist
after that point, and you can continue to run the Windows Server 2016 operating system upgrade.
When you promote a server running Windows Server 2016 to be a domain controller in an existing domain, and you are
signed in as a member of the Schema Admins and Enterprise Admins groups, the AD DS schema automatically updates to
Windows Server 2016. In this scenario, you do not need to run the adprep command before you start the installation.
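As an added example (not from the course material), the following PowerShell report checks the two preconditions described above before a functional level is raised: that the schema has been prepared for Windows Server 2016 and that no domain controller still runs an earlier operating system. It assumes the ActiveDirectory module (RSAT) is available; the schema version value 87 is the published Windows Server 2016 schema version.

```powershell
# Added example, not part of the course material: report whether the forest
# is ready to be moved to the Windows Server 2016 functional level, which
# requires every DC to run Windows Server 2016 and the schema to have been
# prepared (by adprep or by promoting a 2016 DC as a Schema Admin).
Import-Module ActiveDirectory

function Get-ForestUpgradeReadiness {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Schema preparation raises objectVersion on the schema container;
    # 87 is the Windows Server 2016 schema version.
    $schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    $dcs = Get-ADDomainController -Filter * |
           Select-Object Name, Site, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog
    # Windows Server 2016 reports NT version 10.0; anything lower still needs
    # an in-place upgrade or a replacement DC before the level can be raised.
    $legacy = $dcs | Where-Object {
        [version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]'10.0'
    }

    [pscustomobject]@{
        ForestMode            = $forest.ForestMode
        DomainMode            = $domain.DomainMode
        SchemaObjectVersion   = $schema.objectVersion
        SchemaPreparedFor2016 = ($schema.objectVersion -ge 87)
        PreWin2016DCs         = @($legacy.Name)
        ReadyToRaiseTo2016    = (@($legacy).Count -eq 0 -and $schema.objectVersion -ge 87)
    }
}

$report = Get-ForestUpgradeReadiness
$report | Format-List
if ($report.ReadyToRaiseTo2016) {
    # Raising a functional level cannot be undone; -WhatIf only previews the change.
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2016Domain -WhatIf
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2016Forest -WhatIf
}
```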
Deploying Windows Server 2016 domain controllers
To upgrade the operating system of a domain controller running Windows Server 2008 or later to Windows Server 2016,
perform the following steps:
1. Insert the installation disk for Windows Server 2016, and then run Setup. The Windows Setup Wizard opens.
2. After the Language Selection page appears, click Install now.
3. After the Operating System Selection page and the License Acceptance page appear, on the Which type of
installation do you want? page, click Upgrade: Install Windows and keep files, settings, and applications.
Note: With this type of upgrade, you do not need to preserve users’ settings and reinstall applications; everything is
upgraded in place. Remember to check for hardware and software compatibility before you perform an upgrade.
To introduce a clean installation of Windows Server 2016 as a domain controller, perform the following steps:
1. Deploy and configure a new installation of Windows Server 2016, and then join it to the domain.
2. Promote the new server to be a domain controller in the domain by using Server Manager or one of the other
methods described previously.
3. Update the client DNS settings that refer to the old domain controllers to use the new domain controller.
Installing a domain controller by installing from media
If you have a network connection between sites that is slow, unreliable, or costly,
you might find it necessary to add another domain controller at a remote location or
branch office. In this scenario, it is often better to deploy AD DS to a server by
installing it from media rather than by deploying it over the network. For example,
if you connect to a server that is in a remote office and use Server Manager to install
AD DS, the entire AD DS database and the SYSVOL folder will be copied to the
new domain controller over a potentially unreliable WAN connection. As an
alternative and to significantly reduce the amount of traffic moving over the WAN
link, you can create a backup of AD DS (perhaps to a USB drive) and take this backup to the remote location. When you
are at the remote location and run Server Manager to install AD DS, you can select the Install from media option. Most of
the copying is then done locally, and the WAN link is used only for security related traffic and to help ensure that the new
domain controller receives any changes that were made to the central AD DS after you created the Install from media
backup.
To install a domain controller by installing from media, browse to a domain controller that is not an RODC. Use the ntdsutil
command-line tool to create a snapshot of the AD DS database, and then copy the snapshot to the server that will be
promoted to a domain controller. Use Server Manager to promote the server to a domain controller by selecting the Install
from Media option and then providing the local path to the Install from media directory that you previously created. The
procedure is as follows:
1. On the full domain controller, at an administrative command prompt, type the following commands (where C:\IFM
is the destination directory that will contain the snapshot of the AD DS database).
ntdsutil
activate instance ntds
ifm
create sysvol full C:\IFM

2. On the server that you are promoting to a domain controller, perform the following steps:
a. Use Server Manager to add the AD DS role.
b. Wait while the AD DS files install.
c. In Server Manager, click the Notification icon, and then under Post-Deployment Configuration, click
Promote this server to a domain controller.
The Active Directory Domain Services Configuration Wizard runs.
d. On the appropriate page of the wizard, select the Install from media option, and then provide the local path to
the snapshot directory.
AD DS installs from the snapshot.
3. Note that when the domain controller restarts, it contacts the other domain controllers in the domain and updates
AD DS with any changes that were made after the snapshot was created.
Cloning domain controllers
The fastest way to deploy multiple computers that are identically configured, especially
when those computers run in a virtualized environment such as Microsoft Hyper-V, is to
clone those computers. Cloning means that the virtual hard disks of the computers are
copied, and minor configurations such as computer names and IP addresses are changed to
be unique. Then the computers are instantly operational. This process, also referred to as
provisioning computers, is one main technology of private clouds. Prior to Windows Server
2012, you were able to clone domain members, but you were not able to clone domain
controllers. In Windows Server 2016, as in Windows Server 2012, you are able to clone domain controllers.
The following scenarios benefit from virtual domain controller cloning:
• Rapidly deploying additional domain controllers in a new domain.
• Quickly restoring business continuity during disaster recovery by restoring AD DS capacity via the rapid
deployment of domain controllers by using cloning.
• Optimizing private cloud deployments by taking advantage of the flexible provisioning of domain controllers to
accommodate increased scale requirements.
• Rapidly provisioning test environments, which allows for the deployment and testing of new features and
capabilities before a production rollout.
• Quickly meeting increased capacity needs in branch offices either by cloning existing domain controllers in branch
offices or by cloning them in the datacenter and then transferring them to branches by using Hyper-V.
Cloning domain controllers requires the following:
• A hypervisor that supports virtual machine generation identifiers, such as Hyper-V in Windows Server 2012 and
later.
• Domain controllers as guest operating systems based on Windows Server 2012 and later.
• The domain controller to clone, or a source domain controller, that must run as a virtual machine guest on the
supported hypervisor.

• A PDC emulator that runs on Windows Server 2012 or later. Although it is possible to clone domain controllers
running Windows Server 2012 when earlier versions of domain controllers exist, the domain controller that holds
the PDC emulator FSMO role needs to support the cloning process. The PDC emulator must be online when the
virtual domain controller clones start for the first time. To help ensure that cloning virtualized domain controllers
is authorized by the AD DS administrators, a member of the Domain Admins group needs to prepare a computer
to be cloned. Hyper-V administrators are unable to clone a domain controller without AD DS administrators, and
vice versa.
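The requirements listed above can be checked from an administrative workstation before a source domain controller is exported. The following is an added example, not from the course material; it assumes the ActiveDirectory module (RSAT) is installed, and LON-DC1 stands for the source domain controller.

```powershell
# Added example, not part of the course material: check the cloning
# requirements for a source DC before it is exported. Needs the
# ActiveDirectory module (RSAT); the source DC name is a placeholder.
Import-Module ActiveDirectory

function Test-DCCloneReadiness {
    param([Parameter(Mandatory)][string]$SourceDC)

    $domain     = Get-ADDomain
    $pdc        = Get-ADDomainController -Identity $domain.PDCEmulator
    $cloneGroup = Get-ADGroup -Identity 'Cloneable Domain Controllers'
    $source     = Get-ADComputer -Identity $SourceDC -Properties 'msDS-GenerationId', MemberOf

    # The PDC emulator hands out the clone's name and must understand cloning:
    # Windows Server 2012 is NT 6.2, so anything older fails this test.
    $pdcOs = [version](($pdc.OperatingSystemVersion -split ' ')[0])

    # A DC running on a hypervisor that exposes a VM generation ID records it in
    # msDS-GenerationId on its own computer object; if the attribute is empty,
    # the virtualization safeguards (and therefore cloning) are not available.
    $hasGenId = $null -ne $source.'msDS-GenerationId'

    $result = [pscustomobject]@{
        SourceDC                   = $SourceDC
        PDCEmulator                = $pdc.HostName
        PDCEmulatorSupportsCloning = ($pdcOs -ge [version]'6.2')
        PDCEmulatorOnline          = (Test-NetConnection -ComputerName $pdc.HostName -Port 389 -InformationLevel Quiet)
        GlobalCatalogOnline        = ($null -ne (Get-ADDomainController -Discover -Service GlobalCatalog -ErrorAction SilentlyContinue))
        InCloneableDCsGroup        = ($source.MemberOf -contains $cloneGroup.DistinguishedName)
        HasVMGenerationId          = $hasGenId
    }
    # Every check must pass. Group membership is the AD DS administrator's part;
    # the export itself is the Hyper-V administrator's, so neither can clone alone.
    $result | Add-Member -NotePropertyName Ready -NotePropertyValue (
        $result.PDCEmulatorSupportsCloning -and $result.PDCEmulatorOnline -and
        $result.GlobalCatalogOnline -and $result.InCloneableDCsGroup -and $result.HasVMGenerationId)
    return $result
}

Test-DCCloneReadiness -SourceDC 'LON-DC1' | Format-List
```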
Preparing the source virtual domain controller
To prepare to deploy virtual domain controllers, follow these steps:
1. Add the source domain controller to the group Cloneable Domain Controllers.
2. Verify that the apps and services on the source domain controller support the cloning process. You can do this by
running the following Windows PowerShell cmdlet.
Get-ADDCCloningExcludedApplicationList
If apps or services that do not support cloning exist, you need to remove or test them first. If they work after cloning, put
the apps or services in the CustomDCCloneAllowList.xml file. You can create CustomDCCloneAllowList.xml by using
the same cmdlet, appending the parameter -GenerateXml, and optionally appending the parameter -Force if an existing
CustomDCCloneAllowList.xml file should be overwritten, as shown in the following syntax.
Get-ADDCCloningExcludedApplicationList -GenerateXml [-Force]
3. Create a DCCloneConfig.xml file. You need to create this file so that the cloning process recognizes it and creates
a new domain controller from the clone. By creating this file, you can specify a custom computer name, TCP/IP
address settings, and the site name where the new domain controller should reside. If you do not specify one or all
of these parameters, a computer name is automatically generated, and the IP address settings are set to dynamic.
This requires a Dynamic Host Configuration Protocol (DHCP) server on the network and assumes that the domain
controller clones reside in the same site as the source domain controller. You can use Windows PowerShell to
create the DCCloneConfig.xml file, as shown in the following syntax.
New-ADDCCloneConfigFile [-CloneComputerName <String>] [-IPv4DNSResolver <String[]>]
[-Path <String>] [-SiteName <String>]
If you want to create more than one clone, and you want to specify settings such as computer names and TCP/IP addressing
information, you need to modify the DCCloneConfig.xml file or create a new, individual one for each clone prior to starting
it for the first time.
4. Export the source virtual domain controller.
Preparing multiple domain controller clones
If you want to prepare multiple domain controller clones, do not provide any additional parameters, and let the computer
name be automatically generated. In addition, use DHCP to provide TCP/IP addressing information. Alternatively, you can
customize each clone by creating individual DCCloneConfig.xml files. To do this, follow these steps:
1. Create the cloned virtual hard disks by exporting and importing the virtual computer.
2. Mount the newly cloned virtual hard disks by doing one of the following:
o Double-click them in File Explorer.
o Use Diskpart.exe with the assign command at an elevated command prompt.
o Use the Mount-DiskImage Windows PowerShell cmdlet.
3. Use the -Offline and -Path parameters with the New-ADDCCloneConfigFile cmdlet. Change E to the drive letter
that you used when mounting the .vhdx file in the previous step, as shown in the following cmdlet.
New-ADDCCloneConfigFile -CloneComputerName LON-DC3 -Offline -Path E:\Windows\NTDS
4. Unmount the virtual hard disk files by using Diskpart.exe or the Dismount-DiskImage Windows PowerShell
cmdlet.
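The preparation steps above and the offline per-clone configuration just described, worked through as one PowerShell script. This is an added example, not code from the course material: LON-DC1 and LON-DC3 are the names used in this lesson, while LON-DC4, the IP addresses and the .vhdx path are constructed placeholders.

```powershell
# Added example, not part of the course material: prepare LON-DC1 for cloning
# and write DCCloneConfig.xml online (for the first clone) and offline into a
# copied .vhdx (for further clones). LON-DC4, the IP addresses and the .vhdx
# path are constructed placeholders.
Import-Module ActiveDirectory

# Step 1: authorize cloning as an AD DS administrator (Domain Admins).
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members 'LON-DC1$'

# Step 2: anything listed here is software not known to survive cloning.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    # Only once these have been tested after a clone: record them as allowed.
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# Step 3 (online, first clone): a static address for LON-DC3 in the same site.
New-ADDCCloneConfigFile -CloneComputerName 'LON-DC3' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '172.16.0.12' -IPv4SubnetMask '255.255.0.0' `
    -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'
# Step 4: shut down LON-DC1 and export it from Hyper-V Manager (or Export-VM).

# Further clones: give each copied disk its own DCCloneConfig.xml offline,
# before the clone starts for the first time.
function Set-OfflineCloneConfig {
    param([string]$VhdxPath, [string]$CloneName, [string]$Ipv4,
          [string]$Mask, [string]$Gateway, [string]$Dns)
    $disk = Mount-DiskImage -ImagePath $VhdxPath -PassThru | Get-Disk
    try {
        # Use the partition that actually contains \Windows\NTDS.
        $letter = ($disk | Get-Partition | Where-Object DriveLetter |
                   Where-Object { Test-Path "$($_.DriveLetter):\Windows\NTDS" }).DriveLetter
        if (-not $letter) { throw "No Windows\NTDS folder found in $VhdxPath" }
        New-ADDCCloneConfigFile -Offline -Path "${letter}:\Windows\NTDS" `
            -CloneComputerName $CloneName -Static -IPv4Address $Ipv4 `
            -IPv4SubnetMask $Mask -IPv4DefaultGateway $Gateway -IPv4DNSResolver $Dns
    }
    finally {
        # Always unmount, even when the config file could not be written.
        Dismount-DiskImage -ImagePath $VhdxPath | Out-Null
    }
}

Set-OfflineCloneConfig -VhdxPath 'D:\Clones\LON-DC4\LON-DC1.vhdx' -CloneName 'LON-DC4' `
    -Ipv4 '172.16.0.13' -Mask '255.255.0.0' -Gateway '172.16.0.1' -Dns '172.16.0.10'
```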
Using dynamically assigned computer names
If you do not configure DCCloneConfig.xml with a static computer name—for example, to create multiple clones without
individual configurations—the computer name of the new clone is automatically generated based on the following
algorithm:
 The prefix consists of the first eight characters of the computer name of the source domain controller. For example,
the source computer name SourceComputer is abbreviated into the prefix SourceCo.
 A unique naming suffix of the format -CLnnnn is appended to the prefix, where nnnn is the next available value
from 0001 through 9999 that the PDC emulator determines is not currently in use.
Creating the virtual domain controller clones
To create the virtual domain controller clones, follow these steps:

1. Ensure that the domain controller, which holds the PDC emulator FSMO role, runs on Windows Server 2012 or
later.
2. Ensure that the PDC emulator and a domain controller hosting the global catalog are online.
3. By using the exported files from the preparation steps, use the import function to create as many clones as needed.
When using Hyper-V, select Copy the virtual machines (create a new unique ID) to allow you to import multiple
individual instances of the same exported computer.
4. Individually configure clones as required by following the previously outlined steps.
5. Start the clones.
Finalizing the domain controller cloning
When a new domain controller clone starts, the following steps are automatically performed:
1. The clone checks whether a virtual machine generation identifier exists. This is required, and if a virtual machine
generation identifier does not exist, the computer either starts normally when no DCCloneConfig exists or renames
DCCloneConfig and restarts in DSRM. Starting in DSRM is a safeguard, and a domain administrator needs to pay
close attention and fix the issue to make the domain controller work as intended.
2. The clone checks whether the virtual machine generation identifier changed, and takes one of the following actions,
accordingly:
o If it did not change, it is the original source domain controller. If DCCloneConfig exists, it is renamed. In both
cases, a normal startup occurs, and the domain controller is functional again.
o If it did change, the virtualization safeguards trigger, and the process continues.
3. The clone checks whether DCCloneConfig exists. If not, a check for a duplicate IP address decides whether to
start normally or in DSRM. If the DCCloneConfig file exists, the computer gets the new computer name and IP
address settings from the file. The AD DS database is modified, and the initialization steps are performed so that
a new domain controller is created.
Demonstration: Cloning a domain controller
In this demonstration, you will learn how to:
• Prepare a source domain controller to be cloned.
• Export the source virtual machine.
• Create and start the cloned domain controller.
Demonstration Steps
Prepare a source domain controller to be cloned
1. On LON-DC1, open Active Directory Administrative Center.
2. Add the domain controller LON-DC1 to the group Cloneable Domain Controllers.
3. Verify that the apps and services on LON-DC1 support cloning.
4. Create the DCCloneConfig.xml file, for cloning LON-DC3.
5. Shut down LON-DC1.
Export the source virtual machine
1. On the host computer, in Hyper-V Manager, export LON-DC1.
2. Restart LON-DC1.
Create and start the cloned domain controller
1. Import a new virtual machine by using the exported files.
2. Name the new virtual machine 20742A-LON-DC3, and then select Copy the virtual machine (create a new
unique ID).
3. In Hyper-V Manager, start LON-DC3.
Best practices for domain controller virtualization
Virtualization provides many benefits, such as hardware independence, the
efficient use of resources, and scalability in private cloud scenarios. It also
provides flexibility when you move virtual machines across virtualization
infrastructures. In the past, virtualizing domain controllers required the
administrators of the virtual infrastructure to know the requirements specific
to AD DS and to take precautions to prevent adding risks to an AD DS
infrastructure. When considering virtual domain controllers, you should
know about the following best practices:
• Avoid single points of failure. Ensure that you have at least two
virtualized domain controllers per domain on different virtualization hosts, which reduces the risk of losing all domain
controllers if a single virtualization host fails. Also, diversify the hardware, storage networks, and storage systems.
Ensure that you maintain domain controllers in different datacenters or regions to reduce the impact of disasters.

• Verify time services. Ensure that all computers, including the hypervisor host and domain controller guests, are
participating in the same time services infrastructure. Also, ensure that the time on the host and on the guests does not
differ.
• Use virtualization technology that allows for virtual machine generation identifiers. Only virtualization infrastructures
that support the new virtual machine generation identifiers also support the safeguards and cloning of virtual domain
controllers.
• Use Windows Server 2012 or later as the guest operating system for virtual domain controllers. Only these versions
support the safeguards for virtual domain controllers.
• Avoid or disable checkpoints. If the virtualization host or the guest operating systems of the domain controllers do
not support the safeguards for virtualizing domain controllers, disable the possibility of creating checkpoints—for
example, by using a pass-through disk instead of a virtual hard disk. When the safeguards are supported, use a virtual
hard disk to support cloning, but avoid using checkpoints.
• Be aware of the security implications, and help to ensure that the virtualization administrators are as trusted as your
domain admins.
• Consider taking advantage of cloning. Cloning can be a deployment or a recovery strategy. It helps to provide a fast
and simple way to create many domain controllers in a short time.
• Clone in batches of 10 at a maximum. Do not start more than 10 new clones at the same time, because the file
replication used for SYSVOL allows only 10 replication connections at the same time.
• Consider using virtualization technologies that allow you to move virtual machines across site boundaries. This can
be beneficial in your deployment and recovery strategies. For example, you can create 10 clones in a central location
and then move them to remote offices during off-peak hours.
• Adjust your naming strategy to allow for domain controller clones. It might be possible to adjust your naming strategy
to allow cloned domain controllers to retain the first eight characters of the source domain controller name, and then
have -CLnnnn attached.
