When you install Active Directory Domain Services (AD DS), you choose one of the following possible deployment configurations:

  • Adding a new domain controller to a domain

  • Adding a new child domain to a forest, or, as an option, adding a new domain tree

    Note

    The option to install a new domain tree appears only if you select the Use advanced mode installation check box on the Welcome to the Active Directory Domain Services Installation Wizard page of the Active Directory Domain Services Installation Wizard.

  • Creating a new forest

The following sections describe each of these deployment configurations in detail.

Adding a new domain controller to a domain

If you already have one domain controller in a domain, you can add more domain controllers to the domain to improve the availability and reliability of network services. Additional domain controllers provide fault tolerance, balance the load of the existing domain controllers, and provide additional infrastructure support to sites.

More than one domain controller in a domain makes it possible for the domain to continue to function if a domain controller fails or must be disconnected. Multiple domain controllers can also improve performance by making it easier for clients to connect to a domain controller when they log on to the network.

Preparing an existing domain

Before you add a domain controller running Windows Server 2008 R2 to an existing Active Directory domain, you have to prepare the forest and the domain by running Adprep.exe. Be sure to run the version of Adprep that is included with your Windows Server 2008 R2 installation media. This version of Adprep adds schema objects and attributes that are required by domain controllers that run Windows Server 2008 R2, and it modifies permissions on new and existing objects.

Run the following adprep parameters as necessary for your environment:

  • Run adprep /forestprep once on the domain controller in the forest that holds the schema operations master role (the schema master) before you add a domain controller that runs Windows Server 2008 R2. To run this command, you must be a member of the Enterprise Admins group, the Schema Admins group, and the Domain Admins group of the domain that includes the schema master.

  • In addition, run adprep /domainprep /gpprep once on the domain controller that holds the infrastructure operations master role (the infrastructure master) in each domain in which you plan to add a domain controller that runs Windows Server 2008 R2. To run this command, you must be a member of the Domain Admins group.

  • If you plan to deploy a read-only domain controller (RODC) in any domain in the forest, you also must run adprep /rodcprep once in the forest. You can run this command on any computer in the forest. To run this command, you must be a member of the Enterprise Admins group. For more information, see Prepare a Forest for a Read-Only Domain Controller (https://go.microsoft.com/fwlink/?LinkId=93244).
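
The following PowerShell script is an added example and is not part of this Microsoft topic. It uses ADSI, which is available on any domain-joined Windows computer without the Active Directory module, to identify the schema master and the infrastructure master on which the adprep commands above must run, and to read the markers that each adprep step leaves in the directory: the schema objectVersion and the revision attribute on the ForestUpdates, DomainUpdates and RodcUpdate containers. The expected values for Windows Server 2008 R2 in the comments are assumptions taken from Microsoft's Adprep documentation; confirm them against the documentation for your installation media.

```powershell
# Added example, not part of the original topic. ADSI only, so it runs on
# Windows Server 2003/2008 domain members as well as Windows Server 2008 R2.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext[0]
$configNC = $rootDse.configurationNamingContext[0]
$domainNC = $rootDse.defaultNamingContext[0]

function Get-RoleHolder([string]$dn) {
    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object;
    # its parent is the server object, whose dNSHostName is the DC's FQDN.
    $ntdsDn   = ([ADSI]"LDAP://$dn").fSMORoleOwner[0]
    $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
    return ([ADSI]"LDAP://$serverDn").dNSHostName[0]
}

function Get-Revision([string]$dn) {
    # Each adprep step stamps a 'revision' attribute on its update container;
    # the container does not exist until that step has run at least once.
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        return [int]([ADSI]"LDAP://$dn").revision[0]
    }
    return -1   # never run
}

# Where the commands described above have to be run.
"Run adprep /forestprep on (schema master):                 " + (Get-RoleHolder $schemaNC)
"Run adprep /domainprep /gpprep on (infrastructure master): " + (Get-RoleHolder "CN=Infrastructure,$domainNC")

# Markers with the values Windows Server 2008 R2 Adprep is expected to set
# (assumption from Microsoft's Adprep documentation; verify against your media):
#   schema objectVersion 47, forestprep revision 5, domainprep revision 5,
#   rodcprep revision 2. A value of -1 below means the step has never run.
$schemaVer = [int]([ADSI]"LDAP://$schemaNC").objectVersion[0]
"Schema objectVersion: $schemaVer" + $(if ($schemaVer -ge 47) { " (2008 R2 forestprep applied)" } else { " (2008 R2 forestprep NOT applied)" })
"forestprep revision:  " + (Get-Revision "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC")
"domainprep revision:  " + (Get-Revision "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC")
"rodcprep revision:    " + (Get-Revision "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC")
```

Run it as an ordinary domain user from a member of the domain you intend to extend; reading these attributes requires no administrative rights, which makes the script a safe way to confirm that the forest and domain preparation has replicated before the new domain controller is promoted. The domainprep marker is per domain, so repeat the check in every domain that will receive a Windows Server 2008 R2 domain controller.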

Installing from media

When you install a new domain controller in an existing domain, you can choose to install from media (IFM), in which the domain database is copied from the media rather than over the network. This option is available in the Active Directory Domain Services Installation Wizard only if you select the Use advanced mode installation check box on the Welcome page. The recommended tool for creating the installation media is the ntdsutil ifm subcommand. For more information about using IFM, see Installing from Media.
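
The following PowerShell script is an added example, not code from this topic or from Microsoft. It shows the ntdsutil ifm command sequence that creates installation media for a writable domain controller and then checks that the media contains the files the wizard expects. The output path C:\IFM is an assumed value, and the script has to run on an existing writable domain controller with administrative rights.

```powershell
# Added example, not part of the original topic. Creates IFM media for a
# writable domain controller on an existing writable DC and verifies it.
$ifmPath = 'C:\IFM'   # assumed local NTFS path; must not already exist

# ntdsutil accepts each subcommand as a separate argument. 'create sysvol full'
# snapshots the directory database together with SYSVOL; use 'create rodc' or
# 'create sysvol rodc' instead when the media is for a read-only DC.
& ntdsutil.exe 'activate instance ntds' 'ifm' "create sysvol full $ifmPath" 'quit' 'quit'
if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }

# The media holds the directory database and the registry hives that the
# installation wizard reads; make sure all of them were written.
$expected = @('Active Directory\ntds.dit', 'registry\SYSTEM', 'registry\SECURITY', 'SYSVOL')
foreach ($item in $expected) {
    if (-not (Test-Path (Join-Path $ifmPath $item))) {
        throw "IFM media incomplete: missing $item"
    }
}
"IFM media created at $ifmPath"
```

The media is a full copy of the domain database, including every account's password hashes, so handle it like a domain controller backup: keep it on access-controlled or encrypted storage while it is in transit to the new server, and delete it once the promotion has completed.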

Adding a new domain to a forest

By default, the new forest that you create will contain one domain, which is known as the forest root domain. This single domain can accommodate thousands of users even if only a small amount of network bandwidth is available for Active Directory replication. Therefore, a single domain is typically sufficient for most small organizations and medium-sized organizations. Adding more domains to the forest greatly increases the administration requirements for the forest.

Larger organizations, however, may decide to add child domains to the forest so that domain data is replicated only where it is needed. A child domain shares a contiguous namespace with its parent domain. For example, sales.contoso.com is a child domain of contoso.com. A child domain automatically has a two-way, transitive trust with its parent domain.

A new domain that does not share a contiguous namespace with its parent domain is known as a new domain tree. For more information about creating a new domain tree, see Creating a new domain tree later in this topic.

When you add domains to the forest, you are partitioning AD DS, which allows data to be replicated only where it is needed. In this way, a single Active Directory forest can scale globally to accommodate hundreds of thousands—or even millions—of users on a network that has limited bandwidth.

Requirements for creating a new domain

To create a new child domain, you must be a member of the Domain Admins group in the parent domain or of the Enterprise Admins group. To create a new domain tree, you must be a member of the Enterprise Admins group.

The Active Directory Domain Services Installation Wizard allows Active Directory domain names up to 64 characters or up to 155 bytes. Although the limit of 64 characters is usually reached before the limit of 155 bytes, the opposite could be true if the name contains Unicode characters that consume three bytes. These limits do not apply to computer names.

During installation, a Domain Name System (DNS) zone delegation is created by Dcpromo.exe. If DNS zone delegation creation fails or you choose not to create it (which is not recommended), you must create a zone delegation manually. For more information about creating a zone delegation, see Creating or Updating a DNS Delegation.

Before you can add a domain to a forest, a DNS delegation must be created for the DNS zone that matches the name of the Active Directory domain that you are adding. The Active Directory Domain Services Installation Wizard verifies that the DNS delegation exists. If it does not exist, the wizard provides an option to create the DNS delegation automatically during the creation of the new domain.
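
The following PowerShell script is an added example and is not part of this topic. It applies the two name limits stated above (64 characters and 155 bytes, where a name made of three-byte Unicode characters reaches the byte limit first) to a proposed child domain name, and then creates the parent-zone delegation manually with dnscmd if it is missing, which is the fallback the topic describes for the case in which the wizard cannot create it. The domain names, the parent DNS server and the address are constructed values; dnscmd is part of the DNS Server role and the remote administration tools, and the account running it needs rights to modify the parent zone.

```powershell
# Added example, not part of the original topic. Pre-flight for a new child
# domain: check the wizard's name limits, then create the DNS delegation in
# the parent zone if it does not exist. All names and addresses are assumed.
$childDomain = 'sales.contoso.com'
$parentZone  = 'contoso.com'
$parentDns   = 'dns1.contoso.com'       # authoritative DNS server for the parent zone
$firstDcName = 'dc1.sales.contoso.com'  # DNS server that will host the child zone
$firstDcIPv4 = '10.0.1.10'

function Test-AdDomainName([string]$name) {
    # The wizard accepts up to 64 characters and up to 155 bytes. Counting
    # UTF-8 bytes separately matters for names with three-byte characters.
    $chars = $name.Length
    $bytes = [System.Text.Encoding]::UTF8.GetByteCount($name)
    if ($chars -gt 64)  { return "rejected: $chars characters (limit 64)" }
    if ($bytes -gt 155) { return "rejected: $bytes bytes (limit 155)" }
    return "ok: $chars characters, $bytes bytes"
}

"Name check for $childDomain -> " + (Test-AdDomainName $childDomain)

# A delegation is one or more NS records for the child label in the parent zone
# plus a glue A record for the child's DNS server. Labels passed to dnscmd are
# relative to the zone, so 'sales.contoso.com' becomes 'sales'.
$childLabel = $childDomain.Substring(0, $childDomain.Length - $parentZone.Length - 1)
$glueLabel  = $firstDcName.Substring(0, $firstDcName.Length - $parentZone.Length - 1)

$nsRecords = & dnscmd.exe $parentDns /EnumRecords $parentZone $childLabel /Type NS
if ($LASTEXITCODE -ne 0 -or -not ($nsRecords -match '\bNS\b')) {
    & dnscmd.exe $parentDns /RecordAdd $parentZone $childLabel NS "$firstDcName."
    & dnscmd.exe $parentDns /RecordAdd $parentZone $glueLabel  A  $firstDcIPv4
    "Delegation for $childLabel created on $parentDns"
} else {
    "Delegation for $childLabel already present on $parentDns"
}
```

Run the script before starting the wizard: if the name check passes and the delegation is present, the wizard's DNS verification succeeds without needing the option to create the delegation for you, and the delegation is in place for the clients that will resolve the new domain.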

Creating a new domain tree

You should create a new domain tree only when you need to create a domain whose DNS namespace is not related to the other domains in the forest. This means that the name of the tree root domain (and any child domain below it) does not have to contain the full name of the parent domain.

For example, treyresearch.net can be a domain tree in the contoso.com forest. New domain trees are most commonly created as part of a business acquisition or a merger of multiple organizations. A forest can contain one or more domain trees.

Before you create a new domain tree, consider creating another forest when you want a different DNS namespace. Multiple forests provide administrative autonomy, isolation of the schema and configuration directory partitions, separate security boundaries, and the flexibility to use an independent namespace design for each forest.

Creating a new forest

To create a new forest, you must be a member of the local Administrators group on the server where you are installing AD DS.

DNS and NetBIOS names

Before you create a new forest, be sure that you have completely planned your DNS infrastructure. To create a new forest, you must know the full DNS name for it. You can install the DNS Server service before you install AD DS or, preferably, you can choose to have the Active Directory Domain Services Installation Wizard install the DNS Server service for you.

If you have the wizard install the DNS Server service, the wizard uses the DNS name that you provide to automatically generate a NetBIOS name for the first domain in the forest. The wizard verifies that the DNS name and the NetBIOS name are unique on the network before it continues. You must select the Use advanced mode installation check box on the Welcome to the Active Directory Domain Services Installation Wizard page to specify a different NetBIOS name than the name that is generated automatically by the wizard.

Note

The Domain NetBIOS Name wizard page also appears if the automatically generated NetBIOS name conflicts with an existing name.

By default, the DNS Server service is installed on the first domain controller in a forest. If you already have a DNS infrastructure set up to support name resolution for the new forest, you can clear the DNS server check box on the Additional Options wizard page. However, if you do not have a supporting DNS infrastructure already in place, accept the default setting to have the wizard install the DNS Server service on the first domain controller in the forest.

When you click Next to continue, the Active Directory Domain Services Installation Wizard examines your existing DNS infrastructure. If you cleared the DNS server check box, the wizard performs diagnostic tests to verify that the supporting DNS infrastructure is in place. If the diagnostic tests fail, you again have the option to install the DNS Server service by using the wizard.

Functional levels

For a new forest, the default forest functional level is Windows 2000 and the domain functional level is Windows 2000 native. These are the lowest possible functional levels, and they allow domain controllers to run Windows Server 2003, Windows® 2000 Server, Windows Server 2008, or Windows Server 2008 R2.

If you do not plan to add domain controllers that run these earlier versions of Windows Server, select higher functional levels to enable advanced features. If you select Windows Server 2008 R2 as the forest functional level, all domains that are subsequently added to the forest will be created at the Windows Server 2008 R2 domain functional level. Therefore, the Set Domain Functional Level page does not appear in the Active Directory Domain Services Installation Wizard. If you select a different forest functional level, you can set the domain functional level independently for each domain in the forest. For more information about functional levels, see Setting the Domain or Forest Functional Level.

Operations master roles

The first domain controller for this domain hosts all the operations master roles (also known as flexible single master operations or FSMO) for the forest.

Additional domain controllers in the domain are recommended to improve the availability and fault tolerance of AD DS. After you create additional domain controllers, you may want to transfer some of the operations master roles that are hosted on the first domain controller to these other domain controllers. If you plan to create a multidomain forest and any domain controller in your forest root domain will not be a global catalog server, then you should transfer at least the infrastructure master role in the forest root domain to another domain controller in the domain that is not a global catalog server.

For more information about managing operations master roles, see Ensure Successful Active Directory Operations by Managing Operations Master Roles.
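
The following PowerShell script is an added example, not part of this topic. It lists the holder of each of the five operations master roles and whether that domain controller is a global catalog server, and then applies the test stated above: in a forest with more than one domain, the infrastructure master should not be a global catalog server while other domain controllers in its domain are not. It uses ADSI and a DirectorySearcher and needs no Active Directory module; run it from a member of the domain you want to check, which for the recommendation above is the forest root domain.

```powershell
# Added example, not part of the original topic. Reports operations master
# role holders and checks infrastructure-master placement for this domain.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = $rootDse.schemaNamingContext[0]
$configNC = $rootDse.configurationNamingContext[0]
$domainNC = $rootDse.defaultNamingContext[0]

function Get-RoleOwnerNtds([string]$dn) {
    # fSMORoleOwner is the DN of the role holder's NTDS Settings object.
    return [ADSI]("LDAP://" + ([ADSI]"LDAP://$dn").fSMORoleOwner[0])
}
function Get-DcName([System.DirectoryServices.DirectoryEntry]$ntds) {
    # The NTDS Settings object's parent is the server object; dNSHostName is the FQDN.
    $serverDn = $ntds.distinguishedName[0] -replace '^CN=NTDS Settings,', ''
    return ([ADSI]"LDAP://$serverDn").dNSHostName[0]
}
function Test-IsGlobalCatalog([System.DirectoryServices.DirectoryEntry]$ntds) {
    # Bit 0x1 of the NTDS Settings 'options' attribute marks a global catalog.
    if ($ntds.options.Count -eq 0) { return $false }
    return (([int]$ntds.options[0]) -band 1) -eq 1
}

# Forest-wide roles live in the schema and Partitions containers; the three
# domain-wide roles are stamped on objects in the domain partition.
$roles = @(
    @('Schema master',         $schemaNC),
    @('Domain naming master',  "CN=Partitions,$configNC"),
    @('PDC emulator',          $domainNC),
    @('RID master',            'CN=RID Manager$,CN=System,' + $domainNC),
    @('Infrastructure master', "CN=Infrastructure,$domainNC")
)
foreach ($r in $roles) {
    $ntds = Get-RoleOwnerNtds $r[1]
    "{0,-22} {1}  GC={2}" -f $r[0], (Get-DcName $ntds), (Test-IsGlobalCatalog $ntds)
}

# Count the domains in the forest: crossRef objects with FLAG_CR_NTDS_DOMAIN (0x2).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
$searcher.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
$domainCount = $searcher.FindAll().Count

# Find writable DCs of this domain (domain NC in hasMasterNCs) that are not GCs.
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$searcher.Filter = '(objectClass=nTDSDSA)'
$nonGcInDomain = @($searcher.FindAll() | Where-Object {
    $opts = $_.Properties['options']
    ($opts.Count -eq 0 -or (([int]$opts[0]) -band 1) -eq 0) -and
    ($_.Properties['hasmasterncs'] -contains $domainNC)
})

$infraNtds = Get-RoleOwnerNtds "CN=Infrastructure,$domainNC"
if ($domainCount -gt 1 -and (Test-IsGlobalCatalog $infraNtds) -and $nonGcInDomain.Count -gt 0) {
    "WARNING: the infrastructure master is a global catalog in a $domainCount-domain forest while " +
    "$($nonGcInDomain.Count) writable DC(s) in this domain are not; transfer the role to a non-GC DC."
} else {
    "Infrastructure master placement is fine (domains in forest: $domainCount)."
}
```

When every writable domain controller in the domain is a global catalog server, the infrastructure master has no cross-domain references to update and the placement does not matter, which is why the script reports a problem only when at least one domain controller in the domain is not a global catalog server.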
