Installing a Read Only Domain Controller on Server Core with an Unattend File

A domain controller can be promoted with a pre-created unattend (answer) file instead of the DCPROMO wizard. This is the way to do it on the Server Core installation option of Windows Server 2008, which has no graphical wizard: there, dcpromo runs only with /unattend or with its parameters given on the command line. The wizard on a full installation can export the settings it collected into exactly this kind of file, which is where the "automatically generated by dcpromo" header below comes from.
In this example a read-only domain controller (RODC), lon-dc2, is promoted into the contoso.com domain from the unattend file below.
1. Create an unattend file. The one below promotes a read-only replica of contoso.com, sourced from lon-dc1, as a global catalog and DNS server. The PasswordReplicationDenied lines keep the built-in privileged groups (and the domain's Denied RODC Password Replication Group) from ever having their password hashes cached on the RODC, which is the whole point of placing an RODC in a less trusted location; DelegatedAdmin names the group (CONTOSO\RODC Administrators) that is allowed to install and administer the RODC without holding domain admin rights.
; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
;   dcpromo.exe /unattend:C:\Users\Administrator\Documents\lon-dc2-rodc.txt
;
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="CONTOSO\Denied RODC Password Replication Group"
PasswordReplicationAllowed="CONTOSO\Allowed RODC Password Replication Group"
DelegatedAdmin="CONTOSO\RODC Administrators"
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=contoso.com
UserName=contoso.com\administrator
Password=
ReplicationSourceDC=lon-dc1.contoso.com
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
RebootOnCompletion=No
2. Run DCPROMO with the unattend file. Fill in Password and SafeModeAdminPassword first (both are blank above; Password may be set to * so that dcpromo prompts for it at run time), and point the command at wherever you saved the file: the path in the generated header is only where the wizard wrote it on the machine it was exported from.
dcpromo /unattend:c:\lon-dc2-rodc.txt
3. Check the output as DCPROMO runs.
Checking if Active Directory Domain Services binaries are installed...
Active Directory Domain Services Setup

Validating environment and parameters...

----------------------------------------
The following actions will be performed:
Configure this server as an additional Active Directory domain controller for the domain contoso.com.

Site: Default-First-Site-Name

Additional Options:
  Read-only domain controller: Yes
  Global catalog: Yes
  DNS Server: Yes

Update DNS Delegation: No

Source DC: lon-dc1.contoso.com

Password Replication Policy:
  Allow: CONTOSO\Allowed RODC Password Replication Group
  Deny: BUILTIN\Administrators
  Deny: BUILTIN\Server Operators
  Deny: BUILTIN\Backup Operators
  Deny: BUILTIN\Account Operators
  Deny: CONTOSO\Denied RODC Password Replication Group

Delegation for RODC Installation and Administration:
  CONTOSO\RODC Administrators

Database folder: C:\Windows\NTDS
Log file folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

The DNS Server service will be configured on this computer.
This computer will be configured to use this DNS server as its preferred DNS server.
----------------------------------------
Starting...
Checking if Group Policy Management Console needs to be installed...
Press CTRL-C to: Cancel
. Stopping service NETLOGON
. Copying initial Directory Service database file C:\Windows\system32\ntds.dit to C:\Windows\NTDS\ntds.dit
. Installing the Directory Service
Configuring the local computer to host Active Directory Domain Services
.... Replicating the schema directory partition
. Replicating CN=Schema,CN=Configuration,DC=contoso,DC=com: received 401 out of approximately 1578 objects
Replicating CN=Schema,CN=Configuration,DC=contoso,DC=com: received 801 out of approximately 1578 objects
. Replicating CN=Schema,CN=Configuration,DC=contoso,DC=com: received 1201 out of approximately 1578 objects
. Replicated the schema container.
Replicating the configuration directory partition
. Replicating CN=Configuration,DC=contoso,DC=com: received 400 out of approximately 3193 objects
Replicating CN=Configuration,DC=contoso,DC=com: received 801 out of approximately 3193 objects
. Replicating CN=Configuration,DC=contoso,DC=com: received 1202 out of approximately 3193 objects
Replicating critical domain information...
. Replicating secrets for Read-only Domain Controller.
... Configuring service IsmServ
Setting the computer's DNS computer name root to contoso.com
.. Setting security on the domain controller and Directory Service files and registry keys
. Securing S-1-5-11
Securing machine\software\microsoft\windows
....... Securing machine\system\currentcontrolset\services
Securing c:\windows\system32\spool
. Securing SamSs
Securing Kerberos Policy
. Replicating data DC=contoso,DC=com: Received 3845 out of approximately 3845 objects and 52 out of approximately 52 distinguished name (DN) values...
Press CTRL-C to: Finish Replication Later
. The attempted domain controller operation has completed
Configuring the DNS Server service on this computer...
. Active Directory Domain Services is now installed on this computer for the domain contoso.com.

This Active Directory domain controller is assigned to the site Default-First-Site-Name. You can manage sites with the Active Directory Sites and Services administrative tool.

Windows Server 2008 domain controllers have a new more secure default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0." This setting prevents Microsoft Windows and non-Microsoft SMB "clients" from using weaker NT 4.0 style cryptography algorithms when establishing security channel sessions against Windows Server 2008 domain controllers. As a result of this new default, operations or applications that require a security channel serviced by Windows Server 2008 domain controllers might fail.

Platforms impacted by this change include Windows NT 4.0, as well as non-Microsoft SMB "clients" and network-attached storage (NAS) devices that do not support stronger cryptography algorithms. Some operations on clients running versions of Windows earlier than Vista with Service Pack 1 are also impacted, including domain join operations performed by the Active Directory Migration Tool or Windows Deployment Services.

For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

You must restart this computer to complete the operation.
4. Restart the server to complete the installation. Delete the unattend file first if it still holds the passwords: it is a cleartext copy of the domain credentials and the DSRM password. Leave the "Allow cryptography algorithms compatible with Windows NT 4.0" setting at its new default unless a specific legacy client that needs it has been identified.
shutdown -r -t 0
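The whole procedure above, done so that no password is left sitting on disk, as an added example that is not part of the original article. It builds the same [DCInstall] file at run time, runs dcpromo with it, scrubs the file afterwards, and after the reboot (with -Verify) checks that the server really is read-only and that the Password Replication Policy took effect. It assumes an elevated PowerShell session on the server being promoted running Windows Server 2008 R2 or later (Server 2008 Server Core has no PowerShell; there, use the cmd.exe steps above), the article's domain, host and group names, and for -Verify the RSAT ActiveDirectory module and repadmin.exe. The file path, parameter names and function names are mine.

```powershell
# Added example (not the article's code): promote an RODC from a generated
# unattend file, scrub the file, and verify the result after the reboot.
# Assumptions: elevated PowerShell on the server being promoted (2008 R2 or
# later); contoso.com / lon-dc1 / lon-dc2 / group names are the article's;
# the path below and the function names are mine.
param(
    [string]$Domain       = 'contoso.com',
    [string]$SourceDC     = 'lon-dc1.contoso.com',
    [string]$UnattendPath = "$env:SystemRoot\Temp\rodc-unattend.txt",
    [string]$Rodc         = 'lon-dc2',
    [switch]$Verify
)

function ConvertFrom-SecureStringToPlain([Security.SecureString]$Secure) {
    # Unwrap the SecureString only for the moment it is written to the file.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-RodcUnattendFile {
    param([string]$Path, [string]$Domain, [string]$SourceDC, [string]$DsrmPassword)
    # Same [DCInstall] keys as the article's file. Password=* makes dcpromo
    # prompt for the domain credentials at run time (the generated header says
    # only Password and DNSDelegationPassword may be left as *), so the DSRM
    # password is the one secret that has to be written out.
    $body = @"
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=$Domain
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="CONTOSO\Denied RODC Password Replication Group"
PasswordReplicationAllowed="CONTOSO\Allowed RODC Password Replication Group"
DelegatedAdmin="CONTOSO\RODC Administrators"
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$Domain
UserName=$Domain\administrator
Password=*
ReplicationSourceDC=$SourceDC
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@
    # ASCII keeps the file free of a BOM, matching what dcpromo itself writes.
    [IO.File]::WriteAllText($Path, $body, [Text.Encoding]::ASCII)
}

function Remove-UnattendFile([string]$Path) {
    # Overwrite before deleting so the DSRM password does not linger on disk.
    if (Test-Path $Path) {
        $len = (Get-Item $Path).Length
        [IO.File]::WriteAllBytes($Path, (New-Object byte[] $len))
        Remove-Item $Path -Force
    }
}

if ($Verify) {
    # Run after the reboot. IsReadOnly confirms the role; repadmin /prp view
    # shows the effective deny list and which accounts have actually had their
    # secrets cached (reveal). Privileged groups belong under deny, never reveal.
    Get-ADDomainController -Identity $Rodc |
        Select-Object Name, IsReadOnly, IsGlobalCatalog, Site
    repadmin /prp view $Rodc deny
    repadmin /prp view $Rodc reveal
    return
}

$dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString
try {
    New-RodcUnattendFile -Path $UnattendPath -Domain $Domain -SourceDC $SourceDC `
        -DsrmPassword (ConvertFrom-SecureStringToPlain $dsrm)
    $dcpromo = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
        -ArgumentList "/unattend:`"$UnattendPath`"" -Wait -PassThru -NoNewWindow
    # dcpromo return codes 1-4 are the success variants (2 and 4: reboot still
    # required; with RebootOnCompletion=No expect 2); anything else is a failure.
    if ($dcpromo.ExitCode -lt 1 -or $dcpromo.ExitCode -gt 4) {
        throw "dcpromo failed with return code $($dcpromo.ExitCode); see $env:SystemRoot\debug\dcpromo.log"
    }
    Write-Host "Promotion finished (return code $($dcpromo.ExitCode)). Restart, then rerun with -Verify."
}
finally {
    # Runs whether dcpromo succeeded or not, so the file never outlives the run.
    Remove-UnattendFile $UnattendPath
}
```

Run it once without parameters to promote (it prompts for the DSRM password and dcpromo then prompts for the domain credentials), restart, and run it again with -Verify. Any account listed under "reveal" that is a member of one of the denied groups means the PRP was not applied as intended and the RODC should be treated as having exposed that secret.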