Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
1314
CHAPTER 32
Optimizing Windows Server 2008 R2 for Branch Office
Communications
FIGURE 32.2
Specifying network credentials for the RODC installation.
NOTE
If the computer is part of a workgroup and is not associated with an Active Directory domain, you must specify alternate domain credentials because the existing credentials are associated with the local server.
7. On the Select a Domain page, specify the domain where the new RODC will be
added, and then click Next.
8. On the Select a Site page, specify whether the wizard should add the new RODC to a
site based on the subnet defined in Active Directory Sites and Services. Alternatively,
select a site manually. Click Next to continue.
9. On the Additional Domain Controller Options page, select the additional options for the domain controller. The options include DNS Server, Global Catalog, and Read-Only Domain Controller (RODC). Ensure that, at the very least, the RODC option is selected, as shown in Figure 32.3. Click Next to continue.
NOTE
The RODC option will not be available if a writable domain controller does not already
exist in the domain.
FIGURE 32.3
Ensuring the RODC option is selected.
10. At the next step of the installation, the Active Directory Domain Services Installation Wizard prompts you to enter a user or group on the Delegation of RODC Installation and Administration page. The user or group you specify will be responsible for attaching a server to the RODC account and subsequently managing the RODC after the installation is complete. If no user or group is specified, only members of the Domain Admins or Enterprise Admins groups will be able to attach a server to the RODC account. Enter a group on the Delegation of RODC Installation and Administration page, and then click Next, as displayed in Figure 32.4.
FIGURE 32.4
Specifying a group on the Delegation of RODC Installation and Administration
page.
NOTE
For simplicity, it is a best practice to specify a group and add users to the group as needed. Each member of the group can log on to the RODC and has full local administrative control over that server, but the delegation grants no rights elsewhere in the domain (this is the RODC Administrator Role Separation feature). Treat membership in the group as you would local Administrators membership on the branch office server.
11. Enter the folder location of the database, log files, and sysvol files on the Location
for Database, Log Files, and sysvol page, and then click Next to continue.
NOTE
For maximum performance and recoverability, it is a best practice to store the database
and log files on separate volumes.
12. On the next page, enter a Directory Services Restore Mode administration password,
and then click Next.
13. Review the selections on the Summary page, and then click Next to finalize the installation.
NOTE
It is possible to export the RODC selections to an answer file if needed. This comes in
handy when creating additional Server Core installation Read-Only Domain Controllers.
14. Click Finish and reboot the new RODC system upon completion of the installation wizard.
Installing an RODC on a Windows Server 2008 R2 Server Core Installation
As mentioned in Chapter 3, “Installing Windows Server 2008 R2 and Server Core,” one of
the most innovative and anticipated security features of Windows Server 2008 R2 is
Windows Server Core, a scaled-down installation option that uses command-line prompts
instead of graphical user interfaces (GUIs) to manage the server. Because a Server Core
installation is able to provide a minimal environment by only installing a subset of the
Windows Server 2008 R2 binaries, to support server roles, it is especially ideal for remote
locations such as branch offices where only the bare essentials need to be installed.
Operating with a lean server has its benefits. Through Windows Server Core, a minimal
environment is created that decreases the amount of maintenance and management an
administrator is required to perform when running specific server roles such as Active
Directory Domain Services. This comes in handy at branch offices as organizations don’t
typically want inexperienced administrators managing the branch office domain
controller. Therefore, the reduced amount of administration is an advantage. In addition,
by having a minimal environment, the attack surface for the server roles residing on the
Server Core installation is also reduced. It is also worth mentioning that Server Core is in
line with Microsoft’s Trustworthy Computing initiative.
Unlike installing other Windows Server 2008 R2 roles on a Server Core installation, installing AD DS, which is part of the RODC installation, on a Server Core installation of Windows Server 2008 R2 requires an unattended answer file to first be created, because the graphical Active Directory Domain Services Installation Wizard is not available on Server Core. The unattended answer file supplies the values that the wizard would otherwise prompt for during the installation. After the unattended answer file is created, the next step is to run dcpromo from the RODC and reference the unattended answer file by using the following syntax at the command prompt: dcpromo
/unattend:
NOTE
It is possible to create an unattended answer file by exporting settings on the
Summary page when using the Active Directory Domain Services Installation Wizard.
This answer file can be used for creating subsequent installations of Active Directory
domain controllers on Server Core installations.
The following example depicts installing an RODC on a Server Core installation. The first
step creates the unattended answer file based on settings included in Table 32.1. The
second step conducts the dcpromo process on the Server Core installation by referencing
the answer file created in the first step. This example assumes a Windows Server 2008 R2
Server Core installation already exists at the branch office.
TABLE 32.1
Parameters and Values for Creating an Unattended Answer File

Parameter                                  Value
Site                                       Toronto
Additional options                         Read-only DC: Yes
                                           Global catalog: Yes
                                           DNS server: Yes
Update DNS delegation                      No
Source DC                                  Any writable domain controller
Password Replication Policy                Allow: COMPANYABC1\Allowed RODC Password Replication Group
                                           Deny: BUILTIN\Administrators
                                           Deny: BUILTIN\Server Operators
                                           Deny: BUILTIN\Backup Operators
                                           Deny: BUILTIN\Account Operators
                                           Deny: COMPANYABC1\Denied RODC Password Replication Group
Delegation for RODC installation           COMPANYABC1\RODC-Admins-BranchOffice-10
and administration
Active Directory file placement            Database folder: C:\Windows\NTDS
                                           Log file folder: C:\Windows\NTDS
                                           sysvol folder: C:\Windows\SYSVOL
DNS server settings                        The DNS service will be installed on this computer.
                                           The DNS service will be configured on this computer.
                                           This computer will be configured to use this DNS server as its preferred DNS server.
NOTE
For more information on understanding and conducting a Server Core installation,
review Chapter 3.
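The Password Replication Policy in Table 32.1 is what keeps domain administrator credentials off a server that sits in a branch office, so it is worth checking after the promotion that the directory actually holds that policy and that nothing privileged has been cached. The following PowerShell script is an added example, not code from the book. It runs on a management host that has the Active Directory module (Windows Server 2008 R2 or RSAT), and it assumes the new RODC's computer name is RODC-Toronto-10, a name that does not appear in the book.

```powershell
# Added example (not from the book). Compare the live Password Replication
# Policy of an RODC with the Table 32.1 values and list any privileged
# accounts whose secrets the RODC has already cached.
Import-Module ActiveDirectory

$Rodc    = 'RODC-Toronto-10'   # assumed name of the new branch office RODC
$NetBios = 'COMPANYABC1'

$expectedAllow = @("$NetBios\Allowed RODC Password Replication Group")
$expectedDeny  = @(
    'BUILTIN\Administrators', 'BUILTIN\Server Operators',
    'BUILTIN\Backup Operators', 'BUILTIN\Account Operators',
    "$NetBios\Denied RODC Password Replication Group"
)

function Get-PrpNames($Entries) {
    # The cmdlet returns AD principals; express each one as DOMAIN\name by
    # translating its SID, so BUILTIN groups and domain groups compare alike.
    @($Entries) | ForEach-Object {
        $_.SID.Translate([System.Security.Principal.NTAccount]).Value
    }
}

function Compare-Prp($Label, $Expected, $Actual) {
    # Report both directions of drift: entries missing from the RODC and
    # entries that were added beyond what Table 32.1 specifies.
    $Actual = @($Actual)
    foreach ($e in $Expected) {
        if ($Actual -notcontains $e) { "$Label missing from ${Rodc}: $e" }
    }
    foreach ($a in $Actual) {
        if ($Expected -notcontains $a) { "$Label unexpected on ${Rodc}: $a" }
    }
}

$allow = Get-PrpNames (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
$deny  = Get-PrpNames (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)

$drift = @()
$drift += Compare-Prp 'Allow list' $expectedAllow $allow
$drift += Compare-Prp 'Deny list'  $expectedDeny  $deny
if ($drift) {
    $drift | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "PRP on $Rodc matches Table 32.1"
}

# Accounts whose passwords are already cached on the RODC. A privileged
# account in this list means the branch office server now holds that secret;
# if the server is ever lost, those passwords must be reset.
$revealed   = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$privileged = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty DistinguishedName)
$revealed | Where-Object { $privileged -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${Rodc}: $($_.SamAccountName)" }
```

The deny list in Table 32.1 already covers BUILTIN\Administrators, which contains Domain Admins, so the last check should normally print nothing; it exists to catch a policy that was relaxed after the promotion. The same revealed-accounts list is what you consult when a branch office RODC is reported stolen.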
Creating the Unattended Answer File Based on the Values in Table 32.1
1. First create an unattended answer file similar to the following example. The parameters and values found in this example have been summarized in Table 32.1.
; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
; dcpromo.exe /unattend:C:\Temp\RODCAnswerFile.txt
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=companyabc1.com
; Group delegated to attach to and administer this RODC (Administrator Role Separation)
ServerAdmin="COMPANYABC1\RODC-Admins-BranchOffice-10"
SiteName=Toronto
InstallDNS=Yes
ConfirmGc=Yes
DNSDelegation=No
UserDomain=companyabc1.com
; * = prompt for the domain credentials at run time rather than storing them in this file
UserName=*
Password=*
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
; RebootOnCompletion=Yes
TransferIMRoleIfNecessary=No
NOTE
This example represents the unattended answer file for the RODC installation, which also includes parameters and values for installing DNS, a global catalog, administrator delegation, Active Directory file placement, and DNS settings. The Password Replication Policy from Table 32.1 is not written into the file: when no policy is specified, dcpromo applies those same default Allow and Deny entries. To set the policy explicitly, add PasswordReplicationAllowed and PasswordReplicationDenied entries (one line per security principal) so that the intended policy is recorded alongside the other settings. Modify the values as needed.
NOTE
You might need to fill in password fields prior to using the unattended file. If you leave the values for "Password" and/or "DNSDelegationPassword" as "*", you will be asked for credentials at runtime. SafeModeAdminPassword, however, is stored in clear text in the file, so restrict access to the file while it exists and delete it once the promotion has completed.
2. Save the unattended file and copy it to the Windows Server 2008 R2 Server Core
installation system that will be the new branch office RODC server.
Implementing the RODC on a Server Core Installation by Using an Unattended Answer File
3. Now that the unattended answer file is created, run dcpromo at the command prompt and reference the file with the /unattend: switch, in the form dcpromo /unattend: followed by the path to the answer file (the Usage comment at the top of the example file shows the complete command). Before running it, confirm that SafeModeAdminPassword has been filled in and that the group named in ServerAdmin exists in the domain.
For a full list of Active Directory Domain Services installation options, review this web link: http://technet.microsoft.com/en-us/library/cc772074(WS.10).aspx.
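Steps 1 through 3 are usually repeated for every branch office, and the one step that is easy to get wrong is handling the answer file that briefly contains the DSRM password. The following PowerShell script is an added example, not code from the book: it builds the answer file from the Table 32.1 values, checks that a writable domain controller is reachable (the RODC option is unavailable otherwise), runs dcpromo, and removes the file whether or not the promotion succeeds. It assumes PowerShell has been enabled on the Server Core host (an optional feature on Windows Server 2008 R2 Server Core), that the host can resolve companyabc1.com, and that the C:\Temp path from the book's example is acceptable.

```powershell
# Added example (not from the book). Generate the RODC answer file from the
# Table 32.1 values, promote the Server Core host, and clean up the file that
# held the DSRM password in clear text.
$Domain     = 'companyabc1.com'
$NetBios    = 'COMPANYABC1'
$Site       = 'Toronto'
$AdminGroup = "$NetBios\RODC-Admins-BranchOffice-10"
$AnswerFile = 'C:\Temp\RODCAnswerFile.txt'

# An RODC can only be added when a writable domain controller is reachable;
# nltest /writable returns a non-zero exit code if none answers.
nltest /dsgetdc:$Domain /writable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "No writable domain controller reachable for $Domain" }

# Take the DSRM password interactively rather than hard-coding it in the
# script. dcpromo still needs it in the file, so it is written there and the
# file is removed afterwards.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Password Replication Policy from Table 32.1. These are also dcpromo's
# defaults for a new RODC; writing them explicitly records the intended
# policy in the answer file so a reviewer can diff it.
$prpAllow = @("$NetBios\Allowed RODC Password Replication Group")
$prpDeny  = @(
    'BUILTIN\Administrators', 'BUILTIN\Server Operators',
    'BUILTIN\Backup Operators', 'BUILTIN\Account Operators',
    "$NetBios\Denied RODC Password Replication Group"
)

$lines = @(
    '[DCInstall]',
    'ReplicaOrNewDomain=ReadOnlyReplica',
    "ReplicaDomainDNSName=$Domain",
    "ServerAdmin=""$AdminGroup""",
    "SiteName=$Site",
    'InstallDNS=Yes',
    'ConfirmGc=Yes',
    'DNSDelegation=No',
    "UserDomain=$Domain",
    'UserName=*',            # * = prompt for the domain credentials at run time
    'Password=*',
    'DatabasePath=C:\Windows\NTDS',
    'LogPath=C:\Windows\NTDS',
    'SYSVOLPath=C:\Windows\SYSVOL',
    "SafeModeAdminPassword=$dsrmPlain",
    'TransferIMRoleIfNecessary=No',
    'RebootOnCompletion=No'  # reboot explicitly below, after the file is removed
)
$lines += $prpAllow | ForEach-Object { "PasswordReplicationAllowed=""$_""" }
$lines += $prpDeny  | ForEach-Object { "PasswordReplicationDenied=""$_""" }

New-Item -ItemType Directory -Path (Split-Path $AnswerFile) -Force | Out-Null
try {
    # Plain ASCII text without a byte-order mark for dcpromo's answer-file parser.
    Set-Content -Path $AnswerFile -Value $lines -Encoding Ascii
    # Limit who can read the file during the short time it exists.
    icacls $AnswerFile /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null

    dcpromo "/unattend:$AnswerFile"
    # dcpromo's documented return codes: 1 to 4 mean success (2 and 4 mean a
    # reboot is still required); 11 and above mean the promotion failed.
    if ($LASTEXITCODE -gt 4) { throw "dcpromo failed with exit code $LASTEXITCODE" }
}
finally {
    # The file held the DSRM password in clear text; never leave it behind.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    Remove-Variable dsrmPlain -ErrorAction SilentlyContinue
}

# Promotion completed; restart to finish it.
Restart-Computer -Force
```

UserName and Password are left as "*" so the domain credentials are prompted for at run time and are never written to disk; the DSRM password is the only secret that has to pass through the file, which is why the cleanup sits in a finally block that runs even when dcpromo throws.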
Performing a Staged RODC Installation
A staged approach can also be leveraged to install an RODC in a branch office. There are
two steps to the new approach. Each step is described in the following list from a high-
level perspective:
. The first step involves creating a computer account for the RODC in Active
Directory. After the computer account is created, you must delegate its installation
and management to a user at the branch office. The person being delegated does not
require elevated privileged rights within the Active Directory forest like Domain
Administrators or Enterprise Administrators.
. The next step requires branch office personnel to complete the RODC installation by
attaching a server to the RODC account created in the previous step.
By delegating the installation of the RODC to a regular user account at the branch office,
you eliminate the need to stage the RODC in a hub site and physically ship the server to
the branch office. This was a common approach to configuring domain controllers for
branch offices when using previous versions of Windows because administrators did not
want to grant regular users at the branch office elevated administrative privileges to
conduct the installation. In addition, if the domain controller was traditionally built at
the branch office, using this new staged approach eliminates the need to ship sensitive