When you install an additional domain controller, you can install from media (IFM) instead of replicating all directory data over the network. The installation media can be stored on a local drive, removable media such as a DVD, or on a network shared folder.

Performing an IFM operation to create an additional domain controller greatly reduces the network bandwidth that is used when you install Active Directory Domain Services (AD DS). However, network connectivity is still necessary so that all new objects and recent changes to existing objects are replicated to the new domain controller.

If you select the option to copy domain information over the network, all AD DS data will be copied over your network connection. If you need to replicate information for a large domain, to postpone noncritical replication you can click Finish Replication Later on the progress page that appears after you finish the wizard. If you decide to postpone noncritical replication, the Active Directory Domain Services Installation Wizard will continue to complete Domain Name System (DNS) installation and configuration. The wizard will also install the Group Policy Management Console.

Creating AD DS installation media

The recommended method for creating AD DS installation media is to use the Ntdsutil.exe tool that is built into Windows Server 2008 R2 and available when the AD DS server role is installed. The ntdsutil tool includes an ifm subcommand that creates only the files that are necessary to install AD DS.

As an alternative to using Ntdsutil.exe, you can restore a system state backup and use it as installation media, but a system state backup of a domain controller typically includes more data than is required to perform an IFM operation.

We also recommend the ntdsutil ifm subcommand because you can use it to remove secrets, such as password hashes, from the AD DS database so that you can install a read-only domain controller (RODC). Writeable domain controller ("full") media contains the secrets of every account in the domain, so it must be protected and transported with the same care as the domain controller itself. RODC media with the secrets removed is safer to transport to a branch office for an RODC installation, but it still contains the full directory structure and should not be left unprotected either.

You must use RODC installation media to install an RODC. You can create RODC installation media on either an RODC or a writeable domain controller. You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller. In the ntdsutil ifm subcommand, the writeable domain controller installation media is denoted as "full" media. For more information about using the ntdsutil ifm subcommand, see Installing AD DS from Media (https://go.microsoft.com/fwlink/?LinkId=93104).

If you use a backup of another domain controller as AD DS installation media, use the most recent backup available. Older backups require more network bandwidth for replication because every change since the backup must be replicated. The backup that you use cannot be older than the tombstone lifetime of the forest, which is set to a default value of 180 days for forests created on Windows Server 2003 with Service Pack 1 (SP1) or later, and 60 days for forests created on Windows Server 2003 without SP1 or on Windows 2000 Server. The value is stored in the tombstoneLifetime attribute of the Directory Service object in the configuration partition; when the attribute is absent, the 60-day default applies.

When you choose the option to copy domain information from restored backup files, you first must create a system state backup of a domain controller from the domain in which this member server will become an additional domain controller. Then, you must restore the backup locally on the server on which you are installing AD DS.

If you want to use the application partitions that are available on the installation media, you can specify the /ApplicationPartitionsToReplicate parameter when you start dcpromo during an unattended installation. Specify * to include all available application partitions. For example, to replicate all available application partitions to the additional domain controller, you can type the following command at a command prompt, and then press ENTER:

dcpromo /unattend /ReplicaOrNewDomain:Replica /ApplicationPartitionsToReplicate:*
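The following PowerShell script is an added example, not part of the original page, that ties the tombstone-lifetime rule above to the unattended dcpromo command: on the server that will become the additional domain controller it reads the forest's tombstone lifetime, refuses media that is too old, and then runs dcpromo from the media with /ReplicationSourcePath and /ApplicationPartitionsToReplicate:*. The media path and domain name are assumptions, and using the last-write time of ntds.dit as the media's creation date is an approximation.

```powershell
# Added example (not from the original page): pre-install age check followed by an
# unattended IFM install. Run elevated on the member server that will become the DC.
$MediaPath = 'D:\IFM\full'        # assumption: writeable-DC media on a local drive
$DomainDns = 'corp.example.com'   # assumption: domain the server will join as a DC
$Dit = Join-Path $MediaPath 'Active Directory\ntds.dit'
if (-not (Test-Path $Dit)) { throw "no ntds.dit found under $MediaPath" }

# 1. Read the forest tombstone lifetime from the configuration partition. The
#    attribute is absent in forests created before Windows Server 2003 SP1, where
#    the effective default is 60 days; newer forests carry 180 explicitly.
$RootDse    = [ADSI]"LDAP://$DomainDns/RootDSE"
$ConfigNc   = $RootDse.Properties['configurationNamingContext'].Value
$DsSettings = [ADSI]"LDAP://$DomainDns/CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNc"
$Tsl = $DsSettings.Properties['tombstoneLifetime'].Value
if (-not $Tsl) { $Tsl = 60 } else { $Tsl = [int]$Tsl }

# 2. Estimate the media age. ntdsutil writes ntds.dit when the media is created,
#    so its last-write time approximates the creation date (assumption; a date
#    recorded at creation time is more reliable if you have one).
$MediaAge = (Get-Date) - (Get-Item $Dit).LastWriteTime
Write-Host ("Tombstone lifetime: {0} days; media age: {1} days" -f $Tsl, [int]$MediaAge.TotalDays)
if ($MediaAge.TotalDays -ge $Tsl) {
    throw 'Media is older than the tombstone lifetime; create fresh media instead.'
}

# 3. Unattended install from media. /ReplicationSourcePath points dcpromo at the
#    media; /ApplicationPartitionsToReplicate:* keeps every application partition
#    the media contains. Credentials are prompted, not hard-coded, but note that
#    dcpromo receives them on its command line.
$Cred = Get-Credential -Message "Domain Admins account for $DomainDns"
$DsrmSecure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$DsrmPlain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($DsrmSecure))

& dcpromo.exe /unattend /ReplicaOrNewDomain:Replica `
    "/ReplicaDomainDNSName:$DomainDns" `
    "/ReplicationSourcePath:$MediaPath" `
    '/ApplicationPartitionsToReplicate:*' `
    /InstallDNS:Yes `
    "/UserName:$($Cred.UserName)" `
    "/Password:$($Cred.GetNetworkCredential().Password)" `
    "/SafeModeAdminPassword:$DsrmPlain" `
    /RebootOnCompletion:No
if ($LASTEXITCODE -ne 0) { throw "dcpromo failed with exit code $LASTEXITCODE" }
```

Run the age check on the media before you transport it as well as immediately before dcpromo; a media set that was fresh when it was burned can cross the tombstone lifetime while it sits in a branch office. If you prefer not to expose the passwords on the dcpromo command line, put the same parameters in an answer file passed with /unattend:<file> and delete the file as soon as the promotion finishes.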

If you want the new domain controller to be a global catalog server, you can either use installation media that is created from a global catalog server or replicate the global catalog data to the new domain controller over the network.
