What happens when you need to deploy a new Domain Controller in a different country, but your NTDS.DIT file is over 180 Gigabytes, and your WAN is as slow as your grandmother? Well, I don’t know what you call it, but I call it a perfect storm of failure. This is the exact situation one of my customers was facing. Waiting for 180 gigs of data to replicate around a SLOOOW WAN isn’t my idea of a fun time! Instead, we deployed the additional Domain Controller using the install from media (IFM) method.
Using the IFM method, you can dramatically reduce the amount of replication traffic that is introduced during the installation of an additional DC. Only objects that were modified, added, or deleted since the installation media was created will be replicated. This leads me to my next topic.
Deploy your additional Domain Controller as soon as possible after you create your media. The longer you wait, the more you will have to replicate. You also need to use your IFM media before it is older than the Tombstone Life Time (TSL) of your forest. If you go past the TSL, then the “DCPROMO” will fail. Unless you changed it, your TSL is set by the OS version you created your forest on.
Tombstone Life Time
- Windows Server 2000 = 60 Days
- Windows Server 2003 = 60 Days
- Windows Server 2003 (SP1) = 180 Days
- Windows Server 2003 R2 (SP1) = 60 Days
- Windows Server 2003 R2 (SP2) = 180 Days
- Windows Server 2008 / 2008 R2 = 180 Days
Personally, I would never deploy a Domain Controller from IFM older than 30 days. I know in the retail space this happens all the time. You ship out a Domain Controller to a new store, and it sits in the backroom until the engineer arrives the night before the grand opening to install it. The point is, try not to let this happen. We want to save replication time, not add to it.
Okay, enough talking, let’s start IFM-ing!
Install From Media Creation
Starting in Windows Server 2008 R2 you can use “NTDSUTIL” to create your IFM media with SYSVOL. There are four types of installation media.
- Type 1: Full (writable) domain controller
Creates installation media for a writable domain controller.
- Type 2: RODC
Creates installation media for a Read Only Domain Controller (RODC).
- Type 3: Full (or writable) domain controller with SYSVOL
Creates installation media for a writable domain controller with SYSVOL.
- Type 4: RODC with SYSVOL
Creates installation media for a Read Only Domain Controller (RODC) with SYSVOL.
For this tutorial, I’m going to use “Full (or writable) domain controller with SYSVOL”. Doing so will copy my NTDS.DIT and my SYSVOL for a writable Domain Controller.
1. Open a command prompt (cmd.exe), and type “ntdsutil”. Then hit ENTER.
2. Type the following command “activate instance ntds”, and hit ENTER. You will see the following response.
3. Type “IFM”, and hit ENTER.
4. Type “create sysvol full <Drive>:\<File Location>”, and hit ENTER.
5. Now copy the installation media you just created to the destination domain controller.
Promoting your new Domain Controller with IFM
I’ll be promoting a 2012 Domain Controller, but it’s the same idea in 2008. In 2008, just make sure you select “Use advanced mode installation” after running DCPROMO.
1. After you install the AD DS Role, select “Promote this server to a domain controller”.
2. Configure all the correct settings for all the screens until you get to the “Additional Options” screen. Then select “Install from media”, and set your path.
3. Complete the remaining pages of the Active Directory Domain Services Installation Wizard.
4. After the promotion completes, reboot the server. I also recommend removing the folder that contains the IFM media, since it holds a full copy of your NTDS.DIT and SYSVOL.
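The media-age rule and the promotion steps above can also be scripted. The following PowerShell is an added example, not part of the original post: it compares the age of the IFM copy of NTDS.DIT with the forest's tombstone lifetime and the 30-day limit mentioned earlier, promotes from the media, then removes it. The media path, domain name and source DC name are hypothetical, and it assumes the AD DS role and the ActiveDirectory module are installed on a domain-joined server running Windows Server 2012 or later.

```powershell
# Added example, not from the original post. Run on the server being promoted.
# Media is assumed to have been created on a source DC, e.g. non-interactively:
#   ntdsutil "activate instance ntds" ifm "create sysvol full C:\IFM" quit quit
Import-Module ActiveDirectory, ADDSDeployment

$MediaPath  = 'D:\IFM'                 # hypothetical folder the media was copied to
$DomainName = 'corp.example.com'       # hypothetical domain
$SourceDC   = 'dc01.corp.example.com'  # hypothetical existing DC to query
$MaxAgeDays = 30                       # the post's personal limit for media age

# ntdsutil writes the database copy to "<media>\Active Directory\ntds.dit".
# Its last-write time is used here as an approximation of the media creation date.
$dit     = Get-Item -LiteralPath (Join-Path $MediaPath 'Active Directory\ntds.dit') -ErrorAction Stop
$ageDays = [math]::Floor(((Get-Date) - $dit.LastWriteTime).TotalDays)

# The forest-wide tombstone lifetime is stored on the Directory Service object
# in the configuration partition.
$configNC = (Get-ADRootDSE -Server $SourceDC).configurationNamingContext
$ds = Get-ADObject -Server $SourceDC -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
# An unset attribute means the 60-day default applies.
$tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

if ($ageDays -ge $tsl) {
    throw "IFM media is $ageDays days old; tombstone lifetime is $tsl days. Recreate the media."
}
if ($ageDays -gt $MaxAgeDays) {
    Write-Warning "IFM media is $ageDays days old (limit $MaxAgeDays); expect more replication."
}

# Promote from media. The DSRM password is prompted for because it is not supplied.
Install-ADDSDomainController -DomainName $DomainName -InstallationMediaPath $MediaPath `
    -Credential (Get-Credential) -NoRebootOnCompletion

# The media holds a full copy of NTDS.DIT and SYSVOL; remove it once promotion
# has completed, then reboot.
Remove-Item -LiteralPath $MediaPath -Recurse -Force
Restart-Computer
```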
Things to remember
- If you are deploying your first Domain Controller in the domain, you cannot use IFM.
- If you are creating a DC that will be a Global Catalog Server, create your IFM on a Global Catalog Server.
- If you are creating a DC that will be a DNS Server, create your IFM on a DNS Server.
- If you want to copy the SYSVOL, the DC on which you generate the installation media and the new DC must be at least running Windows Server 2008 with Service Pack 2 or Windows Server 2008 R2.
- Membership in the Domain Admins group, or the equivalent, is the minimum required to install additional Domain Controllers using IFM.
I deliberately left out IFM for Windows Server 2003. Hopefully you will be using this tutorial to promote new 2008 R2 or 2012 Domain Controllers in place of 2003 DCs. However, if you still have a need to deploy 2003 Domain Controllers (God help your soul), follow this link.