AMSS Windows Server Longhorn Active Directory Installation and Removal

Step-by-Step Guide for Windows Server "Longhorn" Beta 2 AD DS Installation and Removal

Microsoft Corporation

Published: June 2006

Program Manager: Mas Libman

User Assistance Writer: Mary Hillman

Editor: Jim Becker

Abstract

Active Directory® Domain Services (AD DS) is a server role of the Microsoft®

Windows Server® Code Name "Longhorn" operating system. AD DS provides a

distributed directory service that you can use for centralized, secure management of your

network. This guide describes the installation and removal processes for the AD DS

server role. You can use the procedures in this guide to install and remove AD DS on

servers that are running Windows Server "Longhorn" in a test lab environment.

This document supports a preliminary release of a software product that may be changed

substantially prior to final commercial release, and is the confidential and proprietary

information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure

agreement between the recipient and Microsoft. This document is provided for

informational purposes only and Microsoft makes no warranties, either express or

implied, in this document. Information in this document, including URL and other Internet

Web site references, is subject to change without notice. The entire risk of the use or the

results from the use of this document remains with the user. Unless otherwise noted, the

example companies, organizations, products, domain names, e-mail addresses, logos,

people, places, and events depicted herein are fictitious, and no association with any real

company, organization, product, domain name, e-mail address, logo, person, place, or

event is intended or should be inferred. Complying with all applicable copyright laws is

the responsibility of the user. Without limiting the rights under copyright, no part of this

document may be reproduced, stored in or introduced into a retrieval system, or

transmitted in any form or by any means (electronic, mechanical, photocopying,

recording, or otherwise), or for any purpose, without the express written permission of

Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other

intellectual property rights covering subject matter in this document. Except as expressly

provided in any written license agreement from Microsoft, the furnishing of this document

does not give you any license to these patents, trademarks, copyrights, or other

intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT,

Windows Server, and Windows Vista are either registered trademarks or trademarks of

Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Step-by-Step Guide for Windows Server "Longhorn" Beta 2 AD DS Installation and

Removal......................................................................................................................... 7

In this guide.................................................................................................................... 7

What's new in AD DS installation and removal?.............................................................7

New installation options...............................................................................................8

New options in the Active Directory Domain Services Installation Wizard...............8

New unattend options..............................................................................................9

RODC option............................................................................................................9

DNS installation options...........................................................................................9

Global catalog installation options..........................................................................10

New server operating system installation options......................................................10

Full installation.......................................................................................................10

Server Core installation..........................................................................................10

Known issues for installing and removing AD DS.........................................................11

Scenarios for installing AD DS......................................................................................11

Install a new Windows Server "Longhorn" forest.......................................................12

Install a new Windows Server "Longhorn" domain in an existing

Windows 2000 Server or Windows Server 2003 forest..........................................12

Install a new Windows Server "Longhorn" domain controller in an existing

Windows 2000 Server or Windows Server 2003 domain.......................................13

Install AD DS from restored backup media................................................................14

Verify AD DS installations..........................................................................................15

Scenarios for removing AD DS.....................................................................................15

Remove a domain controller from a domain..............................................................16

Remove the last domain controller in a domain........................................................16

Remove the last domain controller in a forest...........................................................16

Requirements for AD DS installation............................................................................16

Steps for installing AD DS.............................................................................................17

Installing a new Windows Server "Longhorn" forest..................................................18

Installing a new forest by using the Windows interface..........................................18

Installing a new forest by using an answer file.......................................................19

Installing a new forest by entering unattended installation parameters at the

command line.....................................................................................................21

Importing localized display specifiers on a Server Core implementation of a new

forest..................................................................................................................22

Installing a new Windows Server "Longhorn" domain in an existing

Windows Server 2003 or Windows 2000 Server forest..........................................23

Preparing the forest schema for Windows Server "Longhorn"...............................23

Installing a new Windows Server "Longhorn" domain by using the Windows

interface..............................................................................................................24

Installing a new Windows Server "Longhorn" domain unattended by using an

answer file..........................................................................................................26

Installing a new Windows Server "Longhorn" domain by entering unattended

installation parameters at the command line......................................................28

Installing a Windows Server "Longhorn" domain controller in an existing

Windows Server 2003 or Windows 2000 Server domain.......................................28

Preparing the domain for Windows Server "Longhorn"..........................................28

Installing a Windows Server "Longhorn" domain controller by using the Windows

interface..............................................................................................................29

Installing a Windows Server "Longhorn" domain controller by using an answer file

........................................................................................................................... 31

Installing a new Windows Server "Longhorn" domain controller by entering

unattended installation parameters at the command line....................................32

Installing AD DS from restored backup media...........................................................33

Verifying an AD DS installation..................................................................................35

Steps for removing AD DS............................................................................................35

Removing a Windows Server "Longhorn" domain controller from a domain.............36

Removing a Windows Server "Longhorn" domain controller by using the Windows

interface..............................................................................................................36

Removing a Windows Server "Longhorn" domain controller by using an answer file

........................................................................................................................... 37

Removing a Windows Server "Longhorn" domain controller by entering unattended

installation parameters at the command line......................................................38

Removing AD DS binaries.....................................................................................38

Removing the last Windows Server "Longhorn" domain controller in a domain........38

Removing the last Windows Server "Longhorn" domain controller in a domain by

using the Windows interface...............................................................................39


using an answer file............................................................................................40


entering unattended installation parameters at the command line......................41

Removing the last Windows Server "Longhorn" domain controller in a forest...........41

Removing the last Windows Server "Longhorn" domain controller in a forest by

using the Windows interface...............................................................................41


using an answer file............................................................................................43


entering unattended installation parameters at the command line......................43

Appendix of unattended installation parameters...........................................................43

Unattended general options......................................................................................44

Unattended install options.........................................................................................44

Unattended uninstall options.....................................................................................53

Unattended installation return codes.........................................................................54

Success return codes............................................................................................55

Failure return codes...............................................................................................55

Logging bugs and feedback..........................................................................................63

Step-by-Step Guide for Windows Server "Longhorn" Beta 2 AD DS Installation and Removal

Active Directory® Domain Services (AD DS) is a server role of the Microsoft®

Windows Server® Code Name "Longhorn" operating system. AD DS provides a

distributed directory service that you can use for centralized, secure management of your

network.

This guide describes the installation and removal processes for the AD DS server role.

You can use the procedures in this guide to install and remove AD DS on servers that are

running Windows Server "Longhorn" in a test lab environment.

In this guide What's new in AD DS installation and removal?

Known issues for installing and removing AD DS

Key scenarios for installing AD DS

Key scenarios for removing AD DS

Requirements for AD DS installation

Steps for installing AD DS

Steps for removing AD DS

Appendix of unattend parameters

What's new in AD DS installation and removal?AD DS has the following new options in Windows Server "Longhorn":

AD DS installation options

Server operating system installation options

Read-only domain controller (RODC) option

9

Domain Name System (DNS) installation options

Global catalog installation options

New installation options

When you install AD DS, you have several new options in Windows Server "Longhorn",

both in the Active Directory Domain Services Installation Wizard and when you perform

an unattended installation at the command line.

The new AD DS installation options are as follows:

You can specify the following domain controller options:

DNS server: In the Microsoft Windows Server® 2003 operating system, DNS

server installation is offered, if needed. In Windows Server "Longhorn", DNS

installation and configuration is automatic, if needed. When you install DNS on

the first domain controller in a new domain in Windows Server "Longhorn", a

delegation for the new domain is created automatically in DNS.

Global catalog server: As in Windows Server 2003, installing a domain controller

as a global catalog server is not an installation option in the Windows interface.

RODC: This domain controller option is new in Windows Server "Longhorn". It is

available when you add a domain controller in an existing domain. The first

domain controller in the forest or domain cannot be an RODC.

You can specify the site of a new domain controller or use the site that corresponds

to the IP address of the computer.

New options in the Active Directory Domain Services Installation Wizard

You can use the Active Directory Domain Services Installation Wizard to add the AD DS

server role interactively.

The wizard has the following new options:

You can access the Active Directory Domain Services Installation Wizard in new

ways, as follows:

You can click Add Roles in Initial Configuration Tasks, the application that

appears when you first install the operating system.

You can click Add Roles in Server Manager, which is always available on the

Administrative Tools menu and through an icon in the notification area.

10

The advanced installation mode is available in the Active Directory Domain Services

Installation Wizard; you do not have to run dcpromo /adv.

The option to create a new domain tree is available only in advanced mode.

New unattend options

New options for running unattended installation of AD DS are available in

Windows Server "Longhorn". Unlike unattended installation in Windows Server 2003,

unattended installation in Windows Server "Longhorn" does not require a response to any

user interface (UI) prompt, such as to restart the domain controller, which makes the

process truly "unattended."

During an unattended operation, a return code is used to indicate whether or not the

operation was successful.

For a list of all return codes and unattend options for Windows Server "Longhorn",

including allowed values, default values, and descriptions, see the Appendix of

unattended installation parameters.

RODC option

A new type of domain controller can be installed on servers that are running

Windows Server "Longhorn" Beta 2. RODC hosts a read-only replica of the AD DS

database. RODC makes it possible for organizations to deploy a domain controller easily

in remote locations where its physical security cannot be guaranteed.

For information about using RODC, see the Step-by-Step Guide for Planning, Deploying,

and Using a Windows Server "Longhorn" Beta 2 Read-only Domain Controller in this

documentation set.

DNS installation options

The option to install DNS is available, depending on your installation selections and DNS

conditions on the network. In scenarios where DNS is required, the option is not

available, and DNS is installed automatically.

When you select the DNS option or when DNS is installed automatically, DNS creates a

new delegation, or it updates existing delegations for the server automatically.

11

Global catalog installation options

In Windows Server "Longhorn", the global catalog server option is available for all

installations other than the first domain controller in the forest, which must be a global

catalog server. In Windows Server "Longhorn" Beta 2, the global catalog server option is

not compatible with RODCs. However, RODCs will be capable of hosting the global

catalog in future releases of Windows Server "Longhorn".

Global catalog server is the default domain controller option when you are adding a new

domain controller in an existing domain.

New server operating system installation options

Windows Server "Longhorn" provides a new minimal server installation option, called

Server Core installation, in addition to the Full installation option.

Full installation

For ease of management, you can install AD DS on a server that is running the Full

installation of Windows Server "Longhorn". A Full installation of Windows Server

"Longhorn" supports both interactive (wizard) and unattended domain controller

installation.

Server Core installation

A Server Core installation provides a minimal environment for running specific server

roles, which reduces servicing and management requirements and the attack surface for

those server roles. To install AD DS on a Server Core installation of Windows Server

"Longhorn", perform an unattended installation. Server Core installations do not provide

any graphical UI (GUI). They must be managed solely from the command line. A Server

Core installation supports the following server roles:

AD DS

DHCP server

File server

DNS server

For more information about Server Core installations, see Microsoft Windows Server

Code Name "Longhorn" Beta 2 Server Core Step-By-Step Guide in this documentation

set.

12

Known issues for installing and removing AD DSThe following issues affect Beta 2 versions of Windows Server "Longhorn":

When you create a new Windows Server "Longhorn" forest on a Server Core

installation, non-English display specifiers are not installed automatically. You must

import display specifiers manually.

Starting a new domain at, or raising an existing domain to, the Windows Server

"Longhorn" domain level might result in SYSVOL not being replicated. Issues with

migrating from File Replication service (FRS) replication to Distributed File Service

(DFS) Replication will be resolved in subsequent Windows Server "Longhorn"

versions.

When you remove the AD DS server role, the role binaries are not removed

automatically. After you remove AD DS and restart the server, you must remove

AD DS binaries manually.

You cannot create a child domain or additional domain controller with a Japanese

domain name.

You cannot install DNS during installation of an additional domain controller when a

Unicode DNS name is used.

When a domain name includes Unicode or double-byte characters, domain

controllers hosting that domain cannot be located by DNS clients.

For known issues that apply when you deploy an RODC, see the Step-by-Step Guide for

Planning, Deploying, and Using a Windows Server "Longhorn" Beta 2 Read-only Domain

Controller in this documentation set.

Scenarios for installing AD DSThe following AD DS installation scenarios are available in Windows Server "Longhorn":

Install a new Windows Server "Longhorn" forest

Install a new Windows Server "Longhorn" domain in an existing

Windows 2000 Server or Windows Server 2003 forest

Install a new Windows Server "Longhorn" domain controller in an existing

Windows 2000 Server or Windows Server 2003 domain

Install AD DS from restored backup media

13

Verify domain controller installations

Install a new Windows Server "Longhorn" forest

When you install AD DS to create the first domain controller in a new Windows Server

"Longhorn" forest, be aware of the following considerations:

You must make forest and domain functional level decisions that determine whether

your forest and domain can contain domain controllers that run Microsoft

Windows® 2000 Server, Windows Server 2003, or both.

Important

Multiple–domain controller domains that are created at, or raised to, the

Windows Server "Longhorn" functional level are not supported in

Windows Server "Longhorn" Beta 2. As a result of issues with migration from

FRS replication to DFS Replication in Windows Server "Longhorn" Beta 2,

SYSVOL might not replicate properly at the Windows Server "Longhorn"

domain functional level. This condition can prevent a new domain controller

that is added subsequently from advertising itself as a domain controller.

Domain controllers that are running the Microsoft Windows NT® Server 4.0 operating

system are not supported with Windows Server "Longhorn".

Servers running Windows NT Server 4.0 are not supported by domain controllers that

are running Windows Server "Longhorn".

The first Windows Server "Longhorn" domain controller in a forest cannot be an

RODC.

Install a new Windows Server "Longhorn" domain in an existing Windows 2000 Server or Windows Server 2003 forest

When you install AD DS to create the first domain controller in a new Windows Server

"Longhorn" domain, be aware of the following considerations:

Before you create a new Windows Server "Longhorn" domain in a

Windows 2000 Server or Windows Server 2003 forest, you must prepare the forest

for Windows Server "Longhorn" by extending the schema (that is, by running

adprep /forestprep).

14

You must make domain functional level decisions that determine whether your

domain can contain domain controllers that run Windows 2000 Server,

Windows Server 2003, or both.

Important

Multiple–domain controller domains that are created at, or raised to, the

Windows Server Longhorn domain functional level are not supported in

Windows Server "Longhorn" Beta 2. As a result of issues with migration from

FRS replication to DFS Replication in Windows Server "Longhorn" Beta 2,

SYSVOL might not replicate properly at the Windows Server "Longhorn"

domain functional level. This condition can prevent a new domain controller

that is added subsequently from advertising itself as a domain controller.

Windows Server "Longhorn" security principals are not created until the primary domain

controller (PDC) operations master in the forest root domain is running Windows Server

"Longhorn". This requirement is similar to the Windows Server 2003 requirement.

For procedures to install a new domain, see Installing a new Windows Server "Longhorn"

domain in an existing Windows Server 2003 or Windows 2000 Server forest .

Install a new Windows Server "Longhorn" domain controller in an existing Windows 2000 Server or Windows Server 2003 domain

When you install a new Windows Server "Longhorn" domain controller in an existing

Windows 2000 Server or Windows Server 2003 domain, be aware of the following

considerations:

If this domain controller is the first Windows Server "Longhorn" domain controller in

the forest, you must prepare the forest for Windows Server "Longhorn" by extending

the schema (that is, by running adprep /forestprep), on the schema master if this

has not already been done.

If this domain controller is the first Windows Server "Longhorn" domain controller in a

Windows 2000 Server domain, you must prepare the domain by running adprep

/domainprep /gpprep on the infrastructure master.

If this domain controller is the first Windows Server "Longhorn" domain controller in a

Windows Server 2003 domain, you must prepare the domain by running adprep

/domainprep on the infrastructure master.

15

Note

If you prepare a Windows Server 2003 domain by running adprep

/domainprep /gpprep, you can safely disregard the error message that

indicates that domain updates were not necessary.

The first Windows Server "Longhorn" domain controller in an existing

Windows 2000 Server or Windows Server 2003 domain cannot be created as an

RODC. After a Windows Server "Longhorn" domain controller exists in the domain,

subsequent Windows Server "Longhorn" domain controllers can be created as

RODCs. The forest and domain functional level of Windows Server 2003 is required

for creating an RODC.

Note

Do not add an additional Windows Server "Longhorn" domain controller if the

forest or domain functional level is Windows Server "Longhorn". For

Windows Server "Longhorn" Beta 2, the Windows Server "Longhorn"

functional level is not supported for a domain that has multiple domain

controllers.

If you are installing the first RODC in the forest, you must prepare the forest by

running adprep /rodcprep. For more information, see the Step-by-Step Guide for

Planning, Using, and Deploying a Windows Server "Longhorn" Beta 2 Read-Only

Domain Controller in this documentation set.

For the Windows Server "Longhorn" Beta 2 release, changing the domain functional

level to Windows Server "Longhorn" in a pre-existing Windows 2000 Server or

Windows Server 2003 domain after upgrading all domain controllers to

Windows Server "Longhorn" Beta 2 is not supported.

After you have prepared the forest and the domain, you can install AD DS to create a

new Windows Server "Longhorn" domain controller. Use Server Manager to install the

Active Directory Domain Services server role.

For procedures to install a new domain controller, see Installing a Windows Server

"Longhorn" domain controller in an existing Windows Server 2003 or Windows 2000

Server domain.

Install AD DS from restored backup media

As with Windows Server 2003, you can use restored backup media to minimize

replication traffic during AD DS installation on a server that is running Windows Server

"Longhorn". You can use this installation method to install a new domain controller in an

existing domain. The installation media that you use must be prepared from the same

16

type of domain controller that you are installing. The following aspects of the domain

controller source and target must be identical:

Domain controller option: Writeable or read-only

Operating system: Windows 2000 Server, Windows Server 2003, or Windows Server

"Longhorn"

Platform: x86, IA64, or x64

A Server Core installation can be the source for installing a new domain controller on a

Full installation of Windows Server "Longhorn".

Note

For Windows Server "Longhorn" Beta 2, you cannot use restored backup media

to install AD DS on a Server Core installation of Windows Server "Longhorn".

For information about creating the backup media, see the Step-by-Step Guide for

Windows Server "Longhorn" Beta 2 Active Directory Domain Services Backup and

Recovery in this documentation set.

For the procedure to install a new domain controller by using backup media, see

Installing AD DS from restored backup media .

Verify AD DS installations

You can perform verification steps after you install a domain controller, including the

following:

Check the directory service event log for errors.

Make sure that the SYSVOL folder is accessible to clients.

Verify DNS functionality.

Verify replication.

Scenarios for removing AD DSYou can remove the AD DS server role by using the Active Directory Domain Services

Installation Wizard or by performing an unattended removal. Server Core installations are

always removed through an unattended removal.

Unattended options provide the ability to remove AD DS without having to provide any

information other than the information that is contained in the answer file. For information

17

about unattended AD DS removal return codes, see the Appendix of unattended

installation parameters.

Although processes for removing AD DS are essentially unchanged from

Windows Server 2003, they are included here for completeness. For more information

about removing domain controllers, domains, and forests, including forced removal, see

Administering Domain Controllers (http://go.microsoft.com/fwlink/?LinkId=68642).

Remove a domain controller from a domain

For procedures to remove a domain controller from an existing domain, see Removing a

Windows Server "Longhorn" domain controller from a domain.

Remove the last domain controller in a domain

For procedures to remove the last domain controller in a domain, see Removing the last

Windows Server "Longhorn" domain controller in a domain.

Remove the last domain controller in a forest

For procedures to remove the last domain controller in a forest, see Removing the last

Windows Server "Longhorn" domain controller in a forest.

Requirements for AD DS installationFor Windows Server "Longhorn" hardware requirements, see the Windows Server

"Longhorn" Beta 2 release notes.

The following software requirements apply to both Full installations and Server Core

installations:

Windows Server "Longhorn" Beta 2 operating system

Appropriate TCP/IP and DNS server addresses configured

When you use an answer file to perform an unattended installation of AD DS, a

[DCINSTALL] unattend.txt file with appropriate parameters specified. For a list of

entries for the [DCINSTALL] answer file, see Appendix of unattended installation

parameters.

Schema preparation: Before you can add AD DS to a server that is running

Windows Server "Longhorn" in a Windows Server 2003 or Windows 2000 Server

18

http://go.microsoft.com/fwlink/?LinkId=68642

forest, you must update the schema on the schema operations master in the forest

by running adprep /forestprep.

Domain preparation: Before you can add AD DS to a server that is running

Windows Server "Longhorn" in a Windows Server 2003 or Windows 2000 Server

domain, you must update the infrastructure master in the domain by running

adprep /domainprep /gpprep.

RODC preparation: Before you can install AD DS to create an RODC, you must

prepare the forest by running adprep /rodcprep.

DNS infrastructure: Before you add AD DS to create a domain or forest, be sure that

a DNS infrastructure is in place on your network. When you install AD DS, you can

include DNS server installation, if needed. When you create a new domain, a DNS

delegation is created automatically during the installation process.

For information about configuring a Server Core installation, see the Microsoft Windows

Server Code Name "Longhorn" Beta 2 Server Core Step-By-Step Guide in this

documentation set.

Steps for installing AD DSThe following sections provide step-by-step instructions for installing AD DS in all

configurations, including methods for installing it on both Full Windows Server "Longhorn"

installations and Server Core Windows Server "Longhorn" installations. These sections

provide both the Windows interface and command-line methods for performing

installations.

The process for performing an unattended installation of AD DS is the same for a server

that is running a Full installation of Windows Server "Longhorn" and for a Server Core

installation of Windows Server "Longhorn". The unattended method of installation is

required for Server Core operating systems.

Procedures for installing AD DS are provided for the following scenarios:

Installing a new Windows Server "Longhorn" forest


Windows Server 2003 or Windows 2000 Server forest

Installing a Windows Server "Longhorn" domain controller in an existing

Windows Server 2003 or Windows 2000 Server domain

Installing AD DS from restored backup media

Verifying AD DS installations

19

Installing a new Windows Server "Longhorn" forest

You can install a new Windows Server "Longhorn" forest by using the following methods:

Interactively, by using the Windows interface

Unattended, by using an answer file

Unattended, by entering unattend parameters at the command line

Important

If you create a new forest by installing AD DS on a Server Core installation of

Windows Server "Longhorn", you must install display specifiers manually after

AD DS installation.

Installing a new forest by using the Windows interface

The Windows interface provides wizards that step you through the AD DS installation

process.

Administrative credentials

You must be logged on as the local administrator for the computer.

To install a new forest by using the Windows interface

1. In Initial Configuration Tasks or Server Manager, click Add roles.

2. In the Add Roles Wizard, on the Before You Begin page, review the preliminary

verification steps. When you complete all the preliminary steps, click Next.

3. On the Select Server Roles page, select Active Directory Domain Services,

and then click Next.

4. On the Active Directory Domain Services page, review the introductory notes,

and then click Next to confirm your selections, or click Install to proceed with

installation.

5. On the Welcome to the Active Directory Domain Services Installation Wizard

page, click Next.

When you create the first domain controller in a new forest, there are no

additional advanced options.

6. On the Choose a Deployment Configuration page, click New forest, and then

click Next.

7. On the New Domain Name page, type the full DNS name for the forest root

20

domain, and then click Next.

8. On the Set Forest Functional Level page, select the forest functional level that

accommodates the domain controllers that you plan to install anywhere in the

forest, and then click Next.

9. On the Set Domain Functional Level page, select the domain functional level

that accommodates the domain controllers that you plan to install anywhere in

the domain, and then click Next.

10. On the Additional Options page, DNS server is selected by default so that your

forest DNS infrastructure can be created during AD DS installation. If you plan to

use Active Directory–integrated DNS, click Next. If you have an existing DNS

infrastructure and you do not want this domain controller to be a DNS server,

select DNS server to clear the check box, and then click Next.

11. On the Location for Database, Log Files and SYSVOL page, type or browse to

the volume and folder locations for the database file, the directory service log

files, and the system volume (SYSVOL) files, and then click Next.

Windows Server Backup backs up the directory service by volume. For backup

and recovery efficiency, store these files on separate volumes that do not contain

applications or other nondirectory files.

12. On the Active Director Domain Services Restore Mode Administrator

Password page, type and confirm the restore mode password, and then click

Next. This password must be used to start AD DS in Directory Service Restore

Mode for tasks that must be performed offline.

13. On the Summary page, review your selections. Click Back to change any

selections, if necessary. When you are sure that your selections are accurate,

click Next to install AD DS.

14. When you are prompted, restart the server to complete the AD DS installation.

Installing a new forest by using an answer file

You can use the unattended method to install AD DS to create a new forest on a Full

installation of Windows Server "Longhorn" or on a Server Core installation of

Windows Server "Longhorn". To use the unattended method of installation, you must first

prepare an answer file that contains configuration values.

Use the following procedure to create the answer file. This procedure identifies only the

essential answer file entries for creating a new Windows Server "Longhorn" forest. For a

21

complete list of unattended installation options, including default values, allowed values,

and descriptions, see Unattended install options.


To perform this procedure, you can use any account that has Read and Write privileges

for the text editor application.

To create an answer file for installing a new forest

1. Open Notepad or any other text editor.

2. On the first line, type [DCINSTALL], and then press ENTER.

3. Type the following entries, one entry on each line:

AutoConfigDNS=yes

NewDomain=forest

NewDomainDNSName=<fully qualified DNS name>

DomainNetBiosName=<first label of the fully qualified DNS name, by default>

ReplicaOrNewDomain=domain

ForestLevel=<forest functional level number>

DomainLevel=<domain functional level number>

DatabasePath=<path to a folder on a local volume, surrounded by double

quotation marks>

LogPath=<path to a folder on a local volume, surrounded by double quotation

marks>

SYSVOLPath=<path to a folder on a local volume, surrounded by double

quotation marks>

SafeModeAdminPassword=<password>

RebootOnCompletion=yes

4. Save the answer file to the location on the installation server from which it is to be

called by Dcpromo, or save the file to a network shared folder or removable

media for distribution.

After you create the answer file, use the following procedure to perform the unattended

installation. Use this procedure to install AD DS on either a Full installation of

Windows Server "Longhorn" or a Server Core installation of Windows Server "Longhorn".

22

Note

If you are performing this procedure on a server that is running a Server Core

installation of Windows Server "Longhorn" Beta 2, you must also perform the

procedure in Importing localized display specifiers on a Server Core

implementation of a new forest.


You must be logged on to the server with the local administrator account.

To install a new domain controller by using an answer file

At the command prompt, type the following, and then press ENTER:

dcpromo /unattend:answerFileLocation

Installing a new forest by entering unattended installation parameters at the command line

If you have a list of the unattend options and parameter values that you want to use to

create a new forest, you can type the options and values directly into the command line

rather than using an answer file.

Use the following procedure to install a new forest unattended from the command line. If

you are performing this procedure on a server that is running a Server Core installation of

Windows Server "Longhorn" Beta 2, you must also perform the procedure in Importing

localized display specifiers on a Server Core implementation of a new forest.


You must be logged on to the server with the local administrator account.

To install a new domain controller by entering unattended installation parameters at the command line

1. At a command prompt, type the following, and then press ENTER:

dcpromo /unattend /unattendOption:value /unattendOption:value ...

Where

unattendOption is an option in the Unattend install options table. Separate

each option:value pair with a space.

value is the configuration instruction for the option

23

The following example creates the first domain controller in a new forest where

you expect to install at least some Windows Server 2003 domain controllers:

dcpromo /autoConfigDns:yes /dnsOnNetwork:yes

/replicaOrNewDomain:domain /newDomain:forest

/newDomainDnsName:contoso.com /DomainNetbiosName:contoso

/databasePath:"e:\ntds" /logPath:"e:\ntdslogs" /sysvolpath:"g:\sysvol"

/safeModeAdminPassword:FH#3573.cK /forestLevel:2 /domainLevel:2

/rebootOnCompletion:yes

2. When you have typed all the options that are required to create the forest, press

ENTER.

Importing localized display specifiers on a Server Core implementation of a new forest

For Windows Server "Longhorn" Beta 2 only, if you create a new AD DS on a computer

that is running a Server Core installation of Windows Server "Longhorn", the non-English

display specifiers are not imported automatically as they are for a new forest that is

created on a server that is running a Full installation of Windows Server "Longhorn". As a

result, some areas of the UI might appear in English instead of another language.

To correct this problem, you must manually import the display specifiers from the Server

Core domain controller from which you created the forest.


Administrator account in the forest root domain.

To import localized display specifiers on a Server Core forest root domain controller

1. Log on to the first domain controller that was created in a forest and that is

installed on a server running a Server Core installation of Windows Server

"Longhorn".

2. Open a command prompt, type the following command, and then press ENTER:

%windir%\system32\dcphelp.exe

3. Immediately after running dcphelp.exe, verify that the operation was successful

by checking the error level returned by dcphelp.exe. Type the following

command, and then press ENTER:

echo %errorlevel%

24

4. Check the returned value, and then do one of the following:

If the returned value equals 0, check %windir%\debug\csv.log to see the

import result.

If a value other than 0 is returned, check %windir%\debug\dcpromohelp.log

for more information to help troubleshoot the issue.

Installing a new Windows Server "Longhorn" domain in an existing Windows Server 2003 or Windows 2000 Server forest

Before you install the first Windows Server "Longhorn" domain in an existing

Windows Server 2003 or Windows 2000 Server forest, you must do the following:

If this domain controller is the first Windows Server "Longhorn" domain controller that

you are adding to the forest, prepare the forest by updating the schema.

If you plan to install an RODC in the forest after you install the initial Windows Server

"Longhorn" domain controller, you must also run the command adprep /rodcprep.

For additional requirements for installing an RODC in a Windows Server 2003 forest,

see the Step-by-Step Guide for Planning, Deploying, and Using a Windows Server

"Longhorn" Beta 2 Read-only Domain Controller in this documentation set.

You can install a new Windows Server "Longhorn" domain in an existing

Windows Server 2003 or Windows 2000 Server forest by using the following procedures:

Prepare the forest schema for Windows Server "Longhorn".

Install a new domain, as follows:

Interactively, by using the Windows interface

Unattended, by using an answer file

Unattended, by entering unattended installation parameters at the command line

Preparing the forest schema for Windows Server "Longhorn"

Before you can add a domain controller that is running Windows Server "Longhorn" to an

Active Directory environment running Windows 2000 Server or Windows Server 2003,

you must update the schema. You must update the Active Directory schema from the

domain controller that hosts the schema operations master role. If you are performing an

unattended installation of AD DS with Windows Server "Longhorn", you must update the

schema before you install the operating system. For normal installations, you must

25

update the schema after you run Setup and before you install AD DS. Use the following

procedure to update the Windows Server 2003 or Windows 2000 Server Active Directory

schema for Windows Server "Longhorn".


You must use an account that has membership in all of the following groups: Enterprise

Admins, Schema Admins, and Domain Admins. By default, Domain Admins is a member

of Enterprise Admins.

To prepare the forest schema for Windows Server "Longhorn"

1. Log on to the schema master as a member of the Enterprise Admins, Schema

Admins, and Domain Admins groups.

2. Insert the Windows Server "Longhorn" DVD into the CD or DVD drive. Copy the

contents of the \sources\adprep folder to an Adprep folder on the schema master.

3. Open a command prompt, and then change directories to the Adprep folder.

4. At the command prompt, type the following, and then press ENTER:

adprep /forestprep

5. Allow the operation to complete, and then allow the changes to replicate before

performing the next procedure.

Installing a new Windows Server "Longhorn" domain by using the Windows interface

The Windows interface provides wizards that step you through the AD DS installation

process.


You must be a member of the Domain Admins group in the parent domain, or you must

be a member of the Enterprise Admins group in the forest.

To install a new domain by using the Windows interface




3. On the Select Server Roles page, select AD DS, and then click Next.


26


installation.


page, click Next, or, to use the advanced option if you want to identify the source

domain controller for AD DS replication, select Use Advanced mode

installation.

6. On the Choose a Deployment Configuration page, click Existing forest and

New domain, and then click Next.

7. On the Network credentials page, provide the user name and password for an

account that has at least Domain Admins privileges in the parent domain, and

then click Next.

8. On the Name the New Domain page, type the parent and child domain names

according to the instructions, and then click Next.

9. On the Domain NetBIOS Name page, change the name, if necessary, and then

click Next.

10. On the Set Domain Functional Level page, select the domain functional level

that accommodates the domain controllers that you plan to install anywhere in

the domain, and then click Next.

11. On the Select Site page, select a site from the list or select the option to install

the domain controller in the site that corresponds to its IP address, and then click

Next.

12. On the Additional Options page, make the following selections, and then click

Next:

DNS server: This option is selected by default so that your domain controller

can function as a DNS server and a delegation is created in DNS for this

domain.

Global Catalog: This option adds the global catalog, read-only directory

partitions to the domain controller and enables global catalog search

functionality.

13. If you have selected the advanced installation mode, on the Source Domain

Controller page, specify a domain controller from which to replicate the

configuration and schema directory partitions, and then click Next.




27




15. On the Active Director Domain Services Restore Mode Administrator





selections, if necessary, and when you are sure that your selections are accurate,



Installing a new Windows Server "Longhorn" domain unattended by using an answer file

You can use the unattended method to install AD DS to create a new domain on a Full

installation of Windows Server "Longhorn" or on a Server Core installation of

Windows Server "Longhorn". To use the unattended method of installation, you must first

prepare an answer file that contains configuration values.

You can use the following procedure to create the answer file. This procedure identifies

only the essential answer file entries for creating a new Windows Server "Longhorn"

domain. For a complete list of unattended installation options, including default values,

allowed values, and return codes, see Unattended install options.




To create an answer file for installing a new domain

1. Open Notepad or any text editor.

2. On the first line, type [DCINSTALL] and then press ENTER.

3. Create the following entries, one entry on each line. These options are the

minimum options that are required for a new domain installation with DNS

configured automatically. For a complete list of unattended installation options,

including default values, allowed values, and descriptions, see Unattended install

options.

28

ParentDomainDNSName=<fully qualified DNS name of parent domain>

UserName=<administrative account in parent domain>

Password=<password for the account in UserName>

NewDomain=child

ChildName=<fully qualified DNS name of new domain>

NewDomainDNSName=<fully qualified DNS name of new domain>

DomainNetBiosName=<usually, first label of the fully qualified DNS name>

ReplicaOrNewDomain=domain

DomainLevel=<domain functional level number>

DatabasePath=<path to a folder on a local volume, surrounded by double

quotation marks>


marks>


quotation marks>

AutoConfigDNS=yes

DNSDelegation=yes

DNSDelegationUserName=<if different from the account that is being used to

install AD DS, the account in the parent domain that has the privileges that are

required to create a DNS delegation>

DNSDelegationPassword=<if using a different account for

DNSDelegationUserName, the password for the account>

DNSOnNetwork=yes


RebootOnCompletion=yes


called by Dcpromo, or save the file to a network share or removable media for

distribution.

5. Use the procedure "To install a new domain controller by using an answer file" to

install the new domain.

29

Installing a new Windows Server "Longhorn" domain by entering unattended installation parameters at the command line

Use the procedure "To install a new domain controller by entering unattended installation

parameters at the command line" to install the new domain, but use the unattend options

that are appropriate for creating a new domain.

Installing a Windows Server "Longhorn" domain controller in an existing Windows Server 2003 or Windows 2000 Server domain

Before you install the first Windows Server "Longhorn" domain controller in an existing

Windows Server 2003 or Windows 2000 Server domain, you must do the following:

Prepare the forest by updating the schema, if necessary. For instructions to prepare

the forest, see "Prepare the forest schema for Windows Server "Longhorn"" in


Windows Server 2003 or Windows 2000 Server forest .

Prepare the domain by running adprep /domainprep on the infrastructure operations

master.

If you are installing an RODC in an existing Windows Server 2003 domain, you must

also run the adprep /rodcprep command. For information about installing an RODC,

see the Step-by-Step Guide for Planning, Deploying, and Using a Windows Server

"Longhorn" Beta 2 Read-only Domain Controller in this documentation set.

You also have the option to use the install from media (IFM) method of installation. For

this option, you must have prepared installation media from a restored backup of a

domain controller in the same domain. For information about using IFM to install a

domain controller in an existing domain, see Installing AD DS from restored backup

media.

Preparing the domain for Windows Server "Longhorn"

Use the following procedure to prepare the domain for Windows Server "Longhorn".


You must be a member of the Domain Admins group to perform this procedure.

To prepare the domain for Windows Server "Longhorn"

1. Identify the domain infrastructure operations master role holder as follows:

30

In Active Directory Users and Computers, right-click the domain object, click

Operations Masters, and then click Infrastructure.

2. Log on to the infrastructure master as a member of the Domain Admins group.

3. Insert the Windows Server "Longhorn" DVD into the CD or DVD drive. Copy the

contents of the \sources\adprep folder to an Adprep folder on the infrastructure

master.

4. Open a command prompt, and then change directories to the Adprep folder

5. If this domain controller is the first Windows Server "Longhorn" domain controller

in a Windows 2000 Server domain, type the following, and then press ENTER:

adprep /domainprep /gpprep

6. If this domain controller is the first Windows Server "Longhorn" domain controller

in a Windows Server 2003 domain, type the following, and then press ENTER:

adprep /domainprep

If you prepare a Windows Server 2003 domain by running adprep

/domainprep /gpprep, you can safely disregard the error that indicates that

domain updates were not necessary.

7. Allow the operation to complete, and then allow the changes to replicate before

performing the next procedure.

Installing a Windows Server "Longhorn" domain controller by using the Windows interface

You can use the Active Directory Domain Services Installation Wizard to create a domain

controller in an existing domain. If you use the advanced options in the wizard, you can

control how AD DS is installed on the server, either by IFM or by replication:

IFM: You can provide a location for installation media that you have restored from a

backup of a similar domain controller in the same domain.

Replication: You can specify a domain controller in the domain from which to replicate

AD DS.


To perform this procedure, you must be a member of the Domain Admins group in the

domain that is being installed.

31

To install a domain controller in an existing domain by using the Windows interface








installation.


page, click Next, or, if you want to perform an IFM installation or identify the

source domain controller for AD DS replication, select Use Advanced mode

installation.


Existing domain, and then click Next.


account that has at least Domain Admins privileges in the domain to which you

are adding the domain controller, specify the domain name, and then click Next.

8. On the Select Domain page, select the domain of the new domain controller, and

then click Next.



Next.

10. On the Additional Options page, make the following selections, and then click

Next:

DNS server: This option is selected by default so that your domain controller

can function as a DNS server. If you do not want the domain controller to be

a DNS server, clear this option.

Global Catalog: This option adds the global catalog, read-only directory

partitions to the domain controller, and it enables global catalog search

functionality.

Read-only domain controller. This option is not compatible with the global

catalog. For information about installing a read-only domain controller, see

the Step-by-Step Guide for Planning, Deploying, and Using a Windows

32

Server "Longhorn" Beta 2 Read-only Domain Controller in this documentation

set.

11. If you selected the advanced installation mode, you can specify the following

advanced options:

a. On the Install from Media? page, you can provide the location of installation

media to be used to create the domain controller and configure AD DS, or

you can allow replication over the network. For information about using this

method to install the domain controller, see Installing AD DS from restored

backup media.

b. On the Source Domain Controller page, you can specify a domain

controller from which to replicate the configuration and schema directory

partitions. If you select This specific domain controller, you can select the

domain controller that you want to provide source replication to create the

new domain controller, and then click Next.







13. On the Active Directory Domain Services Restore Mode Administrator








Installing a Windows Server "Longhorn" domain controller by using an answer file

The answer file that you use to create a new domain controller must have the replica

options specified. Use the following procedure to create the answer file.


33



To create an answer file for installing a new domain controller



3. Create the following entries, one entry on each line. These options are the

minimum options that are required for a new domain controller installation with

DNS configured automatically. For a complete list of unattended installation

options, including default values, allowed values, and descriptions, see

Unattended install options.

UserName=<administrative account in the domain of the new domain controller>

UserDomain=<name of the domain of the new domain controller>


ReplicaOrNewDomain=replica


marks>


quotation marks>

DNSOnNetwork=yes


RestartOnCompletion=yes



distribution.

5. Use the procedure "To install a new domain controller by using an answer file" to

install the new domain controller.

Installing a new Windows Server "Longhorn" domain controller by entering unattended installation parameters at the command line

Use the procedure "To install a new domain controller by entering unattended installation

parameters at the command line" to install the new domain controller, but use unattended

options that are appropriate for creating a new domain controller in an existing domain.

34

Installing AD DS from restored backup media

You can use installation media from a restored backup of an existing domain controller in

the domain to install a new domain controller in the same domain. IFM is an effective

method for minimizing replication of all directory data when you install AD DS, such as on

the first domain controller in a remote site. For information about how to prepare

installation media from a restored AD DS backup, see the Step-by-Step Guide for

Windows Server "Longhorn" Beta 2 Active Directory Domain Services Backup and

Recovery in this documentation set.

Requirements for installing from restored backup media include the following:

You must have restored backup media that is prepared from a similar domain

controller in the same domain, as follows:

For Windows Server "Longhorn" Beta 2 only, you can use restored backups of

only Full installation domain controllers to install AD DS on Full installation

servers. You cannot use IFM to install AD DS on a Server Core installation.

You can use backup media from an RODC to install only other RODCs.

Backup media must be created from a domain controller that has the same

operating system version and platform as the target server.

For Windows Server "Longhorn" Beta 2 only, you can install AD DS from backup

media only by using the Windows interface. You cannot use an unattended

installation to install a domain controller from backup media.

Use the following procedure to use the IFM method of installing AD DS on a server in the

same domain.



domain that is being installed.

To install a domain controller from backup media by using the Windows interface

1. Prepare backup media according to instructions in the Step-by-Step Guide for

Windows Server "Longhorn" Beta 2 Active Directory Domain Services Backup

and Recovery in this documentation set.




35





installation.


page, select Use Advanced mode installation.


Existing domain, and then click Next.


account that has at least Domain Admins privileges in the domain to which you

are adding the domain controller, specify the domain name, and then click Next.

9. On the Select Domain page, select the domain of the new domain controller, and

then click Next.



Next.

11. On the Additional Options page, select additional options according to the

configuration of the backup domain controller, and then click Next:

12. On the Install from Media? page, click Install from media at the location

below.

13. In Location, type or browse to the disk drive location of the installation media.







15. On the Active Directory Domain Services Restore Mode Administrator






36


17. When you are prompted, restart the server to complete AD DS installation.

Additional considerations

Dcpromo.exe installs AD DS using the data in the restored files, which eliminates the

need to replicate every object from a partner domain controller. However, objects that

were modified, added, or deleted since the backup was taken must be replicated. If

the backup was recent, the amount of replication that is required will be considerably

less than the amount of replication that is required for a regular AD DS installation.

Verifying an AD DS installation

After you install AD DS, verify key functionality such as DNS resource record registrations

and SYSVOL replication. For verification steps to perform after installing AD DS, see

Verifying Active Directory Installation (http://go.microsoft.com/fwlink/?LinkId=68736).

Steps for removing AD DSThe following sections provide step-by-step instructions for removing AD DS in all

configurations, including methods for removing the server role on both Full

Windows Server "Longhorn" installations and Server Core Windows Server "Longhorn"

installations. Methods are described for performing installations by using both the

Windows interface and the command line.

The unattended method of removing AD DS is required for Server Core operating

systems. The process for performing an unattended removal of AD DS is the same for a

server that is running a Full installation of Windows Server "Longhorn" or a Server Core

installation of Windows Server "Longhorn".

For Windows Server "Longhorn" Beta 2 installations only, you must uninstall the directory

service binaries manually when you use an unattended method to remove AD DS.

Procedures to remove AD DS are provided for the following scenarios:

Removing a Windows Server "Longhorn" domain controller from a domain

Removing the last Windows Server "Longhorn" domain controller in a domain

Removing the last Windows Server "Longhorn" domain controller in a forest

37


Removing a Windows Server "Longhorn" domain controller from a domain

The procedures in this section describe the methods for removing the last domain

controller in the domain.

Removing a Windows Server "Longhorn" domain controller by using the Windows interface

You can use the Active Directory Domain Services Installation Wizard to remove a

domain controller from an existing domain.



domain.

To remove a domain controller by using the Windows interface

1. On the Start menu, click Administrative Tools, and then click Server Manager.

2. Under Roles Summary, click Remove roles.

3. In the Remove Roles Wizard, under Roles, select Active Directory Domain

Services, and then click Next.

4. On the Confirm Removal Options page, confirm the removal options, and then

click Remove.

5. In the Welcome to the Active Directory Domain Services Installation Wizard

page, click Next.

6. On the Delete Domain? page, make no selection, and click Next.

7. If the domain controller has application directory partitions, on the Application

Directory Partitions page, view the application directory partitions in the list, and

then remove or retain application directory partitions, as follows:

If you do not want to retain any application directory partitions that are stored

on the domain controller, click Next.

If you want to retain any application directory partition that an application has

created on the domain controller, use the application that created the partition

to remove it, and then click Update to update the list.

8. On the Confirm Deletion page, select the option to delete all application

directory partitions on the domain controller, and then click Next.

38

9. On the Administrator Password page, type and confirm a secure password for

the local Administrator account, and then click Next.

10. On the Summary page, review your selections, and then click Next to remove

AD DS.

11. When you are prompted, restart the server to complete AD DS removal.

Removing a Windows Server "Longhorn" domain controller by using an answer file

The answer file that you use to remove a domain controller in a domain where other

domain controllers exist requires only Domain Admin credentials. You can also create the

password for the local Administrator account for the member server. If you do not specify

the password in the answer file, the administrator password is blank.



domain.

To create an answer file for removing a domain controller



3. Create the following entries, one entry on each line. For a complete list of

unattended installation options, including default values, allowed values, and

descriptions, see Unattended install options.

username=<administrative account in the domain>

password=<password for the account in UserName>

administratorpassword=<local administrator password for server>

removeapplicationpartitions=yes


called by Dcpromo, or save the file to a network shared folder or removable

media for distribution.

5. The Dcpromo command to use an answer file is the same for both removing and

installing a domain controller. Use the procedure "To install a new domain

controller by using an answer file" to remove the domain controller.

39

Removing a Windows Server "Longhorn" domain controller by entering unattended installation parameters at the command line

The Dcpromo command that you use to enter unattended installation parameters at the

command line is the same for both removing and installing a domain controller. Use the

procedure "To install a new domain controller by entering unattended installation

parameters at the command line" to remove the domain controller, but use unattend

options that are appropriate for removing a domain controller from an existing domain.

Removing AD DS binaries

After you remove AD DS from a domain controller running Windows Server "Longhorn"

Beta 2, you must manually remove the AD DS binary files. This is a known issue for

Windows Server "Longhorn" Beta 2, but it will not be required in further Windows Server

"Longhorn" Beta releases.

Caution

Do not run this command on an installed domain controller. Be sure to restart the

server after removing AD DS before you run this command. Running this

command on an installed domain controller results in data loss on the domain

controller and requires a reinstallation of the operating system.


To perform this procedure, you must be a member of the local Administrators group on

the member server.

To remove AD DS binaries

1. Remove AD DS from the server, and then restart the server.

2. At a command prompt, type the following, and then press ENTER:

start /w pkgmgr /uu:DirectoryServices-DomainController /l:dcuninstall.log

start /w is optional if you want to retain the command prompt until the process

completes.

Removing the last Windows Server "Longhorn" domain controller in a domain

The procedures in this section describe the methods for removing the last domain

controller in the domain.

40

Removing the last Windows Server "Longhorn" domain controller in a domain by using the Windows interface

The Active Directory Domain Services Installation Wizard provides all the steps that you

need to remove the domain. During domain removal, the Active Directory Domain

Services Installation Wizard displays a list of all the application directory partitions that

are stored on the domain controller. If there are application directory partitions that were

created by an application other than AD DS, you can use the appropriate application to

remove these directory partitions, or you can let the Active Directory Domain Services

Installation Wizard remove them.

Application directory partitions that are created by AD DS, such as the DomainDNSZones

and ForestDNSZones application directory partitions, cannot be retained if you remove

AD DS.


To complete this procedure, you must be a member of the Domain Admins group in the

parent domain or a member of the Enterprise Admins group in the forest.

To remove the last domain controller in a domain by using the Windows interface






click Remove.

5. In the Welcome to the Active Directory Domain Services Installation Wizard

page, click Next.

6. On the Delete Domain? page, select the option to delete the domain. Before you

continue, read the instructions for managing the removal of cryptographic keys

and the decryption of Encrypting File System (EFS)–encrypted files, and perform

these actions, if necessary. When you are sure that you have completed all

security tasks, click Next.


Directory Partitions page, view the application directory partitions in the list and

remove or retain application directory partitions, as follows:


41










AD DS.


For information about cryptographic keys and certificate management, see

Windows Server 2003 PKI Operations Guide (http://go.microsoft.com/fwlink/?

LinkId=68752). For information about EFS, see Encrypting File System Technical

Reference (http://go.microsoft.com/fwlink/?LinkId=68751).

Removing the last Windows Server "Longhorn" domain controller in a domain by using an answer file

The answer file that specifies that you are removing the last domain controller in the

domain must include that instruction, and it must specify the parent domain.



parent domain or a member of the Enterprise Admins group in the forest.

To create an answer file for removing the last domain controller in a domain


2. Create the following entries, one entry on each line. For a complete list of

unattend installation options, including default values, allowed values, and

descriptions, see Unattended install options.

ParentDomainDNSName=<fully qualified DNS name of parent domain>

UserName=<administrative account in parent domain>


IsLastDCInDomain=yes

42




AdministratorPassword=<local administrator password for server>

RemoveApplicationPartitions=<yes if you want to remove the partitions. If you

want to retain them, you do not need this entry.>



distribution.

4. The Dcpromo command to use an answer file is the same for both removing and

installing a domain controller. Use the procedure "To install a new domain

controller by using an answer file" to remove the domain controller.

Removing the last Windows Server "Longhorn" domain controller in a domain by entering unattended installation parameters at the command line

The Dcpromo command that you use to enter unattended installation parameters at the

command line is the same for both removing and installing a domain controller. Use the

procedure "To install a new domain controller by entering unattended installation

parameters at the command line" to remove the domain controller, but use unattend

options that are appropriate for removing the last domain controller in the domain.

Removing the last Windows Server "Longhorn" domain controller in a forest

The procedures in this section describe the methods that you can use to remove the last

domain controller in an AD DS forest.

Removing the last Windows Server "Longhorn" domain controller in a forest by using the Windows interface

Use the following procedure to remove the forest.



forest root domain or the Enterprise Admins group in the forest.

To remove the last domain controller in a forest by using the Windows interface


43





click Remove.


page, click Next.

6. On the Delete Domain? page, select the option to delete the domain and forest.

Before you continue, read the instructions for managing the removal of

cryptographic keys and the decryption of EFS-encrypted files, and perform these

actions, if necessary. When you are sure that you have completed all security

tasks, click Next.


Directory Partitions page, view the application directory partitions in the list, and

then remove or retain application directory partitions, as follows:











AD DS.


Removing the last Windows Server "Longhorn" domain controller in a forest by using an answer file

The Dcpromo unattend options for removing the last domain controller in a forest are the

same as the unattend options for removing the last domain controller in a domain. Use

the procedure "To create an answer file for removing the last domain controller in a

domain" to create the answer file for removing the last domain controller in the forest.

44

Use the procedure "To install a new domain controller by using an answer file" to remove

the domain controller.

Removing the last Windows Server "Longhorn" domain controller in a forest by entering unattended installation parameters at the command line

The Dcpromo command that you use to enter unattend parameters at the command line

is the same for both removing and installing a domain controller. Use the procedure "To

install a new domain controller by entering unattended installation parameters at the

command line" to remove the domain controller, but use unattend options that are

appropriate for removing the last domain controller in the domain. Because the forest root

domain is the domain that you are removing, the options for removing the domain

effectively remove the forest itself.

Appendix of unattended installation parametersThe tables in this appendix provide the information that you need to create an answer file

for installing or uninstalling AD DS in unattended mode.

Dcpromo.exe accepts these parameters either directly from the command line or as

entered in a text file that is formatted in standard.INI format. The text file must contain a

section heading [DCINSTALL] followed by AD DS (domain controller) server role

unattended installation parameters.

Create a text file that contains the [DCINSTALL] heading and in which each line in the file

contains an option and its value in the form option=value. To use the options directly from

the command line, precede each option:value pair with a forward slash (/) and separate

each /option=value pair with a space. At the command line, you can also use a colon (:)

to separate the option and the value (/option:value).

The following are example lines in an answer text file:

[DCINSTALL]

The following is an example set of the same options as typed in the Dcpromo.exe

command line:

dcpromo /unattend /username:Jsmith /password:SP#f357.2 ...

45

Unattended general options

The option in the following table is available for unattended installation and removal of

AD DS. This option is new in Windows Server "Longhorn".

General options Parameters Default value Description

/RebootOnCompletion Yes | No Yes Restart the

computer when

the operation is

complete, whether

or not the

operation is

successful.

Unattended install options

The following new options are available for unattended installations of AD DS. Options

that are new in Windows Server "Longhorn" appear in bold text.

Install options Parameters Default value Description

/AdministratorPassword password Specifies a local

Administrator account

password for the

computer after AD DS

is removed.

/AllowDomainReinstall Yes | No No If Dcpromo detects

that the domain

already exists,

specifies whether to

recreate the domain.

AllowDomainControllerReinstall Yes | No No When a replica

domain controller is

added, if Dcpromo

detects that the

domain controller

already exists,

specifies whether to

46


overwrite the domain

controller data of the

existing domain

controller.

/ApplicationPartitionsToReplicate "partition_DN_1

partition_DN_2 ...partition_

DN_n"

Space-separated (or

comma-and-space-

separated)

distinguished names,

with the entire string

enclosed in quotation

marks, of application

directory partitions

that you want to

include when you use

restored backup

media to install AD DS

(or * to include all

application directory

partitions).

/AutoConfigDNS Yes | No Yes Specifies whether

DNS is configured for

a new domain if

Dcpromo detects that

the DNS dynamic

update protocol is not

available, or if

Dcpromo detects an

insufficient number of

DNS servers for an

existing domain.

/ChildName child_domain_name Specifies whether to

append the DNS label

for the new domain at

the beginning of the

name of an existing

directory service

domain when

47


installing a child

domain.

/ConfirmGc Yes | No Yes Specifies whether the

domain controller is a

global catalog server.

/CriticalReplicationOnly Yes | No Yes Specifies whether to

skip noncritical (and

potentially lengthy)

portions of replication

and allow Dcpromo to

complete before

replication is

complete.

/DatabasePath path_to_database_files %systemroot%\

NTDS

Location of the

Ntds.dit file.

/DisableCancelForDnsInstall Yes | No No Specifies whether to

disable the Cancel

button during a DNS

installation. This

option is retained for

backward compatibility

with

Windows Server 2003

unattend files. It is

ignored if it is used for

Windows Server

"Longhorn".

/DNSDelegation Yes | No Computed

automatically

based on the

environment.

Indicates whether to

create a DNS

delegation that

references this new

DNS server. Valid for

Active Directory–

integrated DNS only.

/DNSDelegationUserName user_name The user name to be

48


used when the DNS

delegation is created

in the parent zone and

credentials are

different from the

credentials provided

for AD DS role

installation or removal.

/DNSDelegationPassword Password The password for the

user name that is

used to create the

DNS delegation.

/DNSOnNetwork Yes | No Yes Specifies whether to

set DNS server

addresses

automatically.

/DomainLevel 0 | 2 | 3 Based on

levels existing

in the forest

Specifies the domain

functional level when

a new domain is

created in an existing

forest, as follows:

0 = Windows 2000

Server Native

2 = Windows

Server 2003 Native

3 = Windows Server

"Longhorn"

/DomainNetBiosName domain_NetBIOS_name First label of

DNS name

Assigns a network

basic input/output

system (NetBIOS)

name to the new

domain.

/ForestLevel 0 | 2 | 3 0 Specifies the forest

functional level when

a new domain is

49


created in a new

forest, as follows:

0 = Windows 2000

Server Native

2 = Windows

Server 2003 Native

3 = Windows Server

"Longhorn"

ForestLevel replaces

SetForestVersion in

Windows Server 2003.

/LogPath Path_to_log_files %systemroot%\

NTDS

Specifies the location

of the database log

files

/NewDomain Forest | Tree | Child Forest Specifies the type of

new domain:

The root domain

of a new forest

The root domain

of a new tree in an

existing forest

A child domain in

an existing forest

The type of new

domain must be

specified when AD DS

is installed on a

Windows Server

"Longhorn" Server

Core installation.

/NewDomainDNSName DNS_domain_name The required name of

a new forest or a new

tree in an existing

50


forest.

/OnDemandAllowed Security_Principal | NONE The name of one or

more security

principals that are

replicated to this

RODC, specified

within quotation

marks. To specify

more than one

security principal, add

the entry multiple

times.

In Windows Server

"Longhorn" Beta 2, if

you have no security

principals to add,

leave this entry blank.

Using the value

"NONE" causes the

unattended RODC

installation to fail. This

issue will be resolved

for Windows Server

"Longhorn" Beta 3.

/OnDemandDenied Security_Principal | NONE The name of one or

more security

principals that are not

to be replicated to this

RODC. To specify

more than one

security principal, add

the entry multiple

times.

/ParentDomainDNSName DNS_domain_name The DNS domain

name of an existing

parent domain when a

51


child domain is

removed or installed.

/Password password The password for the

account name (the

value in UserName) to

use for installing or

removing AD DS.

Dcpromo deletes this

value after installation.

/ReplicaDomainDNSName DNS_domain_name The DNS domain

name of the domain to

replicate to this new

domain controller

replica.

/ReplicaOrNewDomain Replica |

Read_only_replica |

Domain

Replica Specifies whether to

install the domain

controller as:

An additional

domain controller

in an existing

domain

An RODC in an

existing domain

The first domain

controller in a new

domain

/ReplicationSourceDC DNS_name_of_source Indicates the full DNS

name of the domain

controller from which

AD DS data is

replicated to create

the new domain

controller.

/ReplicationSourcePath path_to_installation_media The location of the

files that are used to

52


install a new domain

controller by using

restored backup

media.

/SafeModeAdminPassword password | NONE The password for the

administrator account

to use when starting

the computer in Safe

Mode or a variant of

Safe Mode, such as

Directory Service

Restore Mode.

/SiteName site_name The name of an

existing site where

you can place the new

domain controller.

/Syskey NONE | system key Indicates that the user

must provide the

system key.

/SysVolPath path_to_SYSVOL_folder %systemroot%\

sysvol

The path to the

SYSVOL folder, which

must be on a fixed

disk on the local

computer.

/UserDomain domain_name The domain name for

the user account that

is used to install

AD DS on a member

server.

/UserName user_name The account name of

the user who is

installing AD DS.

53

Unattended uninstall options

The new options in the following table are available for unattended removal of AD DS.

Options that are new in Windows Server "Longhorn" are shown in bold type.

Uninstall options Parameters Default

value

Description

/AdministratorPassword admin_password Sets the local

administrator

password for the

computer during

removal of a

domain controller.

/DemoteFSMO Yes | No No Indicates that a

forced removal

should continue

even if an

operations master

role is held by the

domain controller.

/ForceDemotion Indicates that the

removal proceeds

if the domain

controller is offline.

Caution: The

/ForceDemotion

switch results in

data loss on the

domain controller.

/IgnoreIsLastDcInDomainMismatch Yes | No No If you have set

IsLastDCInDomain

to Yes but there is

actually one or

more other domain

controllers in the

domain, this option

specifies whether

to continue with the

54

Uninstall options Parameters Default

value

Description

removal as

configured.

/IsLastDCInDomain Yes | No No Indicates whether

the computer on

which Dcpromo is

running is the last

domain controller

in the domain.

/RemoveApplicationPartitions Yes | No No Specifies whether

to remove

application

directory partitions

during removal of a

domain controller.

Unattended installation return codes

When the unattended installation completes, Dcpromo returns one of the following codes

to indicate the status of the operation to the user. Unused numbers are reserved for

future use.

1-10 = success return codes

11-100 = failure return codes

Success return codes

The codes in the following table indicate successful completion of an AD DS installation

or removal operation.

Value Case Description

1 ExitSuccess The operation

succeeded.

2 ExitSuccessNeedReboot The operation

succeeded, and the

55


server must be restarted

manually.

3 ExitSuccessWithNonCriticalFailure The operation

succeeded, but there has

been a failure, such as a

failure with DNS

installation or delegation

configuration. Check

Dcpromoui log files, and

investigate further.

Failure return codes

The codes in the following table indicate failed completion of an AD DS installation or

removal operation.


11 ExitAlreadyRunning DcPromo is already

running.

12 ExitMustBeAdministrator The user must be an

administrator.

13 ExitCertSvcInstalled Certificate Server is

installed.

14 ExitInSafeBootMode The server is running

in Safe Mode.

15 ExitRoleChangePending A role change is in

progress or requires

that the server be

restarted.

16 ExitIncorrectPlatform The server is running

on wrong platform.

17 ExitNeedNTFS5Drive No drives are

formatted for NTFS 5.

56


18 ExitInsufficientWinDirSpace %windir% does not

have enough space.

19 ExitNameChangeNeedsReboot A name change is

pending.

20 ExitBadComputerName The computer name

uses invalid syntax.

21 ExitHoldsFSMOs This domain controller

holds an operations

master role, is a global

catalog server, or is a

DNS server.

22 ExitNeedToInstallTcpIp TCP/IP must be

installed or is not

functioning.

23 ExitNeedToConfigDnsFirst The DNS client must

be configured first.

24 ExitBadCredentials The supplied

credentials are not

valid or are missing

required elements.

25 ExitDcNotFound A domain controller for

the specified domain

could not be located.

26 ExitUnableReadDomainList The list of domains

could not be read from

the forest.

27 ExitMustSpecifyDomain A domain name is

missing (parent, child,

tree, or forest).

28 ExitBadDomainName The domain name is

not valid.

29 ExitParentDomainNotExists The parent domain

does not exist.

57


30 ExitDomainNotInForest The specified domain

is not found in the

forest.

31 ExitChildDomainExists The child domain

already exists.

32 ExitBadNetbiosDomainName The NetBIOS name is

not valid.

33 ExitBadIFMPath The path to the IFM

files is not valid.

34 ExitBadIFMDatabase The IFM database is

bad.

35 ExitNoSyskeyForIFM A system key is

required for the IFM

database.

37 ExitBadDBPath The database path or

database log path is

not valid.

38 ExitInsuffSpaceForDB The volume does not

have enough space

for the database or the

database log.

39 ExitBadSysVolPath The SYSVOL path is

not valid.

40 ExitBadSiteName The site name is not

valid.

41 ExitMustSpecifySafeModePwd You must specify a

password for Safe

Mode.

42 ExitBadSafeModePwd The Safe Mode

password does not

meet password

criteria.

43 ExitBadAdminPwd The administrator

58


password does not

meet criteria.

44 ExitBadForestName The specified forest

name is not valid.

45 ExitForestExists A forest with the

specified name

already exists.

46 ExitBadTreeName The specified name

for the tree is not

valid.

47 ExitTreeExists A tree with the

specified name

already exists.

48 ExitTreeNotFitInForest The tree name does

not fit into the forest

structure.

49 ExitDomainNotExists The specified domain

does not exist.

50 ExitLastDcMismatch This is not the last

domain controller.

51 ExitUnconfirmedAppPartitions Application partitions

exist on this domain

controller.

52 ExitRequiredParameterMissing An answer file or

command-line

unattend parameters

were not provided.

53 ExitPromoDemotFailedNeedReboot The installation or

removal failed and the

server must be

restarted.

54 ExitPromoDemotFailed The installation or

removal failed.

59


55 ExitPromoDemoteFailedBecauseUserCancelled The installation or

removal failed

because it was

canceled by the user.

56 ExitPromoDemotFailedBecauseUserCancelledNeedReboot The installation or

removal failed

because it was

canceled by the user.

The computer must be

restarted to return to

the previous state.

57 ExitDomainReadOnlyReplicaGroupNotSpecified The operator failed to

specify one of the

required RODC

groups

(allowed/denied).

58 ExitDomainReadOnlyReplicaSiteNotSpecified The operator failed to

specify the site name

for an RODC.

59 ExitLastDnsServer The domain controller

appears to be the last

DNS server for one of

its Active Directory–

integrated zones.

60 ExitDomainReadOnlyReplicaPdcNotLonghorn The Primary Domain

Controller (PDC)

emulator for the

domain is not running

Windows Server

"Longhorn".

61 ExitInstallDNSNotAllowed You cannot install

AD DS with DNS in an

existing domain that

does not already host

DNS.

60


62 ExitAnswerFileMissingSectionName The answer file does

not have a [DCInstall]

section.

63 ExitInsufficientForestFunctionalLevelForRodc The forest functional

level is less than

Windows Server 2003.

64 ExitPromoFailedBecauseComponentBinaryDetectionFailed The installation failed

because the

installation of the

AD DS binaries on the

server could not be

determined.

65 ExitPromoFailedBecauseComponentBinaryInstallationFailed The installation failed

because the AD DS

binaries could not be

installed.

66 ExitPromoFailedBecauseOSDetectionFailed The installation failed

because the operating

system installation

option (whether

Server Core

installation or Full

installation) could not

be determined.

67 ExitRodcCannotBeAGC The RODC cannot be

a global catalog server

68 ExitInvalidReplicationPartner The replication partner

is not valid.

69 ExitRequiredPortInUse The required port is

already in use by

some other

application.

70 ExitForestRootDcMustBeGc The first forest root

domain controller

61


must be a global

catalog server.

71 ExitDnsAlreadyInstalled DNS server is already

installed.

72 ExitIsAppServer The installation failed

because the server is

a Terminal Services

application server.

73 ExitInvalidForestFunctionalLevel The specified forest

functional level is not

valid.

74 ExitInvalidDomainFunctionalLevel The specified domain

functional level is not

valid.

75 ExitDefaultPasswordReplicationPolicyCannotBeDetermined Unable to determine

the default password

replication policy.

76 ExitInvalidPasswordReplicationPolicy Specified allowed and

denied security groups

for the password

replication policy are

not valid.

77 ExitInvalidArgument The specified

argument is not valid.

78 ExitForestCheckFailed The installation failed

because the Active

Directory forest could

not be examined.

79 ExitRodcNDNCNotPrepped An RODC cannot be

installed because

adprep /rodcprep

has not been

performed.

80 ExitDomainNotPrepped The installation failed

62


because

adprep/domainprep

has not been

performed.

81 ExitForestNotPrepped The installation failed

because

adprep/forestprep

has not been

performed.

82 ExitForestSchemaMismatch The installation failed

because there is a

forest schema

mismatch.

83 ExitUnsupportedSku The installation failed

because the operating

system edition does

not supported AD DS.

Logging bugs and feedbackYour feedback is very important to help us improve this feature in future releases of

Windows Server "Longhorn". Please provide feedback regarding your experience

installing AD DS, problems that you encounter, and whether this document was helpful.

We are also interested in feature requests and general feedback about AD DS installation

and removal.

To provide feedback for this step-by-step guide, follow the instructions on the Microsoft

Web site (http://go.microsoft.com/fwlink/?linkid=55105). Please note that, in the comment

area on the Web site, you will need to provide the name of this step-by-step guide.

63

http://go.microsoft.com/fwlink/?linkid=55105

AMSS Windows Server Longhorn Active Directory Installation and Removal

Documents

Transcript of AMSS Windows Server Longhorn Active Directory Installation and Removal