2012 Domain Controllers are here, and now is the time to start adding them to your Active Directory environment! A Recycle Bin GUI, a Fine Grained Password user interface, improved PowerShell support, Dynamic Access Control, and cloneable Domain Controllers are just a few of the new features that come with Server 2012. This post is all about Active Directory and deploying your first 2012 Domain Controller. Over the following weeks, we will continue looking at 2012 and all the new features.
Forest Functional level:
Before we get started, let's talk about what Forest Functional level your Active Directory environment needs to be at. To install a Microsoft 2012 Domain Controller, your forest needs to be at the Windows Server 2003 forest functional level or higher. To quickly check your FF level, you have a couple of options.
Open Active Directory Domains and Trusts:
Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Domains and Trusts.
In the console tree, right-click the Active Directory Domains and Trusts node, and then click Raise Forest Functional Level.
Or use PowerShell:
PS C:\> Import-Module ActiveDirectory
PS C:\> Get-ADForest
Your Forest Functional Level is listed as “ForestMode”.
If you just want the Forest Functional level returned, try this.
PS C:\> Get-ADForest | Select-Object ForestMode
With Windows Server 2012, the forest functional level does not provide any new functionality over Windows Server 2008 R2.
Domain Functional level:
Like the Forest Functional level, the Domain Functional level also needs to be at a 2003 functional level or higher. If you raise the Domain Functional level to 2012, the only new features you get are KDC support for claims, compound authentication, and Kerberos armoring. Even so, I still recommend upgrading the FFL and DFL to 2012. At the very least, an FFL and DFL of 2008 R2 should be considered so you can enable Fine Grained Passwords, Read Only Domain Controllers, and the Recycle Bin.
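A pre-flight check for the two functional-level requirements above, covering the forest and every domain in it. This is an added example, not a script from the original post; it assumes the ActiveDirectory module is available and that a DC in each domain is reachable.

```powershell
Import-Module ActiveDirectory

# Minimum level the post gives for adding a 2012 DC, and the level it
# suggests as a baseline (2008 R2).
$minForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
$recForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
$minDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
$recDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain

$forest = Get-ADForest
$report = @(
    [pscustomobject]@{
        Scope          = 'Forest'
        Name           = $forest.Name
        Mode           = $forest.ForestMode
        MeetsMinimum   = $forest.ForestMode -ge $minForest
        MeetsSuggested = $forest.ForestMode -ge $recForest
    }
)

# Each domain has its own functional level, so check all of them.
foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Server $name
    $report += [pscustomobject]@{
        Scope          = 'Domain'
        Name           = $domain.DNSRoot
        Mode           = $domain.DomainMode
        MeetsMinimum   = $domain.DomainMode -ge $minDomain
        MeetsSuggested = $domain.DomainMode -ge $recDomain
    }
}

$report | Format-Table -AutoSize

if ($report.MeetsMinimum -contains $false) {
    Write-Warning 'At least one scope is below the 2003 functional level; raise it before adding a 2012 DC.'
}
```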
Promoting your Domain Controller:
DCPROMO is deprecated beginning with Windows Server 2012. Instead you will use the Active Directory Domain Services configuration wizard. Say that 10 times fast! After installing the AD DS Role, you will use either a separate wizard within Server Manager or the ADDSDeployment PowerShell module to promote your Domain Controller. In this article we will cover promoting a Domain Controller with the wizard. In an upcoming article, I will use PowerShell.
AD DS Role Installation:
- In Server Manager, click Manage and click Add Roles and Features to start the Add Roles Wizard.
- On the Before you begin page, click Next.
- On the Select installation type page, click Role-based or feature-based installation and then click Next.
- On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install AD DS and then click Next.
- On the Select server roles page, click Active Directory Domain Services, then on the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.
- On the Select features page, select any additional features you want to install and click Next.
- On the Active Directory Domain Services page, review the information and then click Next.
- On the Confirm installation selections page, click Install.
- On the Results page, verify that the installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain Services Configuration Wizard.
Promote to Domain Controller:
1. On the Deployment Configuration page, you have three choices.
- Add a domain controller to an existing domain
- Add a new domain to an existing forest
- Add a new forest
Since we are just adding a 2012 Domain Controller to our environment, we will select the first option.
2. Click Domain Name System (DNS) server, Global Catalog (GC), or Read Only Domain Controller (RODC) as needed, choose the site name, and type the DSRM password and then click Next.
3. Select the domain controller that you want to replicate the AD DS installation data from (or allow the wizard to select any domain controller).
4. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept default locations), and click Next.
Note: I always recommend selecting locations other than your system drive. Also keep these paths the SAME on ALL Domain Controllers.
5. On the Review Options page confirm your selections, and click Next.
6. The Prerequisites Check is a new feature in AD DS 2012 domain configuration. This new phase validates that the server configuration is capable of supporting a new AD DS forest. These checks will alert you with suggested repair options. The checks will also inform you of new security changes that will affect older operating systems.
Note: The domain controller promotion process cannot continue until all prerequisite tests pass.
On the Prerequisites Check page, confirm that prerequisite validation completed and then click Install.
7. Clicking Install will begin the domain controller promotion process. This is the last opportunity to cancel the entire installation. After it starts, there is no going back. The server will reboot automatically at the end of the promotion. The server will write two logs during the promotion. You can view them at the following locations.
Congratulations! You now have a Windows 2012 Domain Controller in your environment.
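The role installation and promotion steps above can also be scripted with the ADDSDeployment module the post mentions. This is an added example, not the author's script; the domain name, site name, source DC and D:\ paths are placeholders.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Domain, site, source DC and D:\ paths are placeholders; replace with your own.
$DomainName = 'corp.example.com'
$SiteName   = 'Default-First-Site-Name'
$SourceDC   = 'dc01.corp.example.com'

# Prompt for secrets instead of storing them in the script or shell history.
$Credential   = Get-Credential -Message "Account allowed to add a DC to $DomainName"
$DsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password'

# Role installation (the Add Roles and Features steps).
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) { throw 'AD DS role installation failed.' }

Import-Module ADDSDeployment

# Settings shared by the prerequisite test and the promotion itself.
# The global catalog is installed unless -NoGlobalCatalog is added.
# Paths are off the system drive and should match your other DCs.
$dcSettings = @{
    DomainName                    = $DomainName
    SiteName                      = $SiteName
    ReplicationSourceDC           = $SourceDC
    InstallDns                    = $true
    Credential                    = $Credential
    SafeModeAdministratorPassword = $DsrmPassword
    DatabasePath                  = 'D:\NTDS'
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
}

# Same checks as the wizard's Prerequisites Check page; stop on any error.
$results = Test-ADDSDomainControllerInstallation @dcSettings
$results | Format-Table Status, Message -Wrap
if ($results | Where-Object Status -eq 'Error') {
    throw 'Prerequisite check failed; fix the items above before promoting.'
}

# Promotion. Without -Force the cmdlet asks for confirmation, and the server
# reboots automatically when promotion completes.
Install-ADDSDomainController @dcSettings
```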