Chapter 4

Installing and Managing Trees and Forests

Using the Active Directory Installation Wizard, you can quickly and easily create new domains by promoting a Windows Server 2008 stand-alone server or a member server to a domain controller. When you install a new domain controller, you can choose to make it part of an existing domain, or you can choose to make it the first domain controller in a new domain. In the following sections and exercises, you'll become familiar with the exact steps you need to take to create a domain tree and a domain forest when you promote a server to a domain controller.

Creating a Domain Tree


In the previous chapter (Chapter 3), you saw how to promote the first domain controller in the first domain in a forest, also known as the root. If you don't promote any other domain controllers, then that domain controller simply controls that one domain and only one tree is created.

To create a new domain tree, you need to promote a Windows Server 2008 computer to a domain controller. In the Active Directory Installation Wizard, you select the option that makes this domain controller the first machine in a new domain that is a child of an existing domain. As a result, you will have a domain tree that contains two domains: a parent and a child.

Before you can create a new child domain, you need the following information:

The name of the parent domain (for the exercises, you'll use the one you created in the previous chapter)
The name of the child domain (the one you are planning to install)
The filesystem locations for the Active Directory database, logs, and shared system volume
DNS configuration information
The NetBIOS name for the new server
A domain administrator username and password

Exercise 4.1 walks you through the process of creating a new child domain using the Active Directory Installation Wizard. This exercise assumes that you have already created the parent domain and that you are using a server in the domain that is not a domain controller.

EXERCISE 4.1

Creating a New Subdomain


1. Log on to the computer as a member of the Administrators group and open the Active Directory Installation Wizard by clicking Start > Run and typing dcpromo. After the message about installing the binaries appears, click Next to begin the wizard.

Creating Domain Trees and Forests

2. The Choose A Deployment Configuration screen appears. Click Existing Forest and then click Create A New Domain In An Existing Forest. Click Next.

3. A warning box may appear stating that the local administrator account becomes the domain administrator account for the new domain. If it appears, click Yes to continue.

4. On the Network Credentials page, specify the full name of the domain that you installed in the previous chapter. Then click the Set button. In the new Windows Security dialog box that appears, enter the username and password for the domain administrator of the domain you wish to join.

5. Click the OK button on the Alternate Credentials screen. The domain administrator account that you used in the previous chapter should now be listed. A warning may appear stating that the current user credentials cannot be selected because they are local to this computer. The warning appears because our local account is the same as our domain administrator's account. This warning will not affect the exercise. Click Next.

6. If the information you entered was correct, you will see the Name The New Domain page. Here, you will be able to confirm the name of the parent domain and then enter the domain name for the child domain. Enter the new child domain name (in the following example, we used NH for the state of New Hampshire). Click Next to continue.

7. If the Select A Site screen appears, choose any site and click Next. (You may not have any sites created on your other domain. This server will then be added to the DefaultFirstSite.)

8. On the Additional Domain Controller Options page, uncheck any options and click Next.

9. A warning box appears stating that you have chosen not to install DNS; just click Yes.

10. On the Location for Database, Log Files, and SYSVOL page, you'll need to specify the database and log locations. These settings specify where the Active Directory database resides on the local machine. As mentioned previously, it is good practice to place the log files on a separate physical hard disk because this increases performance. Enter the path for a local directory (you can also leave the defaults for these exercises), and click Next.

11. In order to be able to recover this server in the event of a loss of Active Directory information, you will need to provide a password on the Directory Services Restore Mode Administrator Password page. This password will allow you to use the built-in recovery features of Windows Server 2008 in the event that the Active Directory database is lost or corrupted. Enter P@ssw0rd, confirm it, and then click Next.

12. On the Summary page, you will be given a brief listing of all the choices you made in the previous steps. It's a good idea to copy this information and paste it into a text document for future reference. Click Next to continue.

13. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
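
The same choices made in Exercise 4.1 can be given to dcpromo as an unattended answer file (run with dcpromo /unattend:<path to file>), which keeps the promotion repeatable and reviewable. The file below is an added example, not part of the book's exercise. The parent domain name corp.example, the Administrator account name, and the default C:\Windows paths are assumptions, and the DSRM password is a placeholder.

```ini
; Constructed answer file mirroring the wizard choices in Exercise 4.1.
; Assumed values: corp.example (parent domain), Administrator (account),
; default C:\Windows paths. Replace them with your own.
[DCINSTALL]

; Step 2: create a new domain in an existing forest, as a child domain
ReplicaOrNewDomain=Domain
NewDomain=Child

; Steps 4-5: a domain administrator account in the parent domain.
; Password=* makes dcpromo prompt for the password, so the
; credential is never written into this file.
UserName=Administrator
UserDomain=corp.example
Password=*

; Step 6: parent domain and child name (NH, as used in the exercise)
ParentDomainDNSName=corp.example
ChildName=NH
DomainNetBiosName=NH

; Steps 8-9: no additional options selected, DNS not installed here
InstallDNS=No
ConfirmGc=No

; Step 10: database, log, and SYSVOL locations (defaults shown)
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL

; Step 11: Directory Services Restore Mode password (placeholder).
; Any real value here sits in clear text, so restrict access to the
; file and delete it once the promotion has completed.
SafeModeAdminPassword=<DSRM-password>

RebootOnCompletion=Yes
```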

Joining a New Domain Tree to a Forest


A forest is one or more trees that do not share a contiguous namespace. For example, you could join the organization1.com and organization2.com domains together to create a single Active Directory environment. Any two trees can be joined together to create a forest, as long as the second tree is installed after the first and the trees have noncontiguous namespaces. (If the namespaces were contiguous, you would actually need to create a new domain for an existing tree.) The process of creating a new tree to form or add to a forest is as simple as promoting a server to a domain controller for a new domain that does not share a namespace with an existing Active Directory domain.

The command-line tool adprep.exe is used to prepare a Microsoft Windows 2003 forest or a Windows 2003 domain for the installation of Windows Server 2008 domain controllers. Before you promote a Windows Server 2008 domain controller into a Windows 2003 forest, an administrator should successfully run adprep /forestprep on the schema operations master and run adprep /domainprep on the infrastructure master in the Windows 2003 forest. The forestprep and domainprep processes prepare the Windows 2000 or 2003 network to accept the installation of the Windows Server 2008 servers.

In Exercise 4.2, you will use the Active Directory Installation Wizard to create a new domain tree to add to a forest. In order to add a new domain to an existing forest, you must already have at least one other domain, which is the root domain. Keep in mind that the entire forest structure is destroyed if the original root domain is ever entirely removed. Therefore, you should have at least two domain controllers in the Active Directory root domain; the second serves as a backup in case you have a problem with the first, and it can also serve as a backup solution for disaster recovery and fault tolerance purposes. Such a setup provides additional protection for the entire forest in case one of the domain controllers fails. In order to complete this exercise, you must have already installed another domain controller that serves as the root domain for a forest, and you must use a server in the domain that is not a domain controller.
