Exam 70-410 Objective 5.1 – Install Domain Controllers


Welcome, fellow system admin!

Continuing with our 70-410 exam series that we started, today we will be moving on to another important feature of Windows Server 2012 R2, which is Active Directory Domain Services.

If you are interested in learning more about the entire series, head over to the dedicated page that I have created here.

In today’s 70-410 Objective 5.1, we will be covering:


We will first try to look into the basics of the Active Directory Terminologies and the components that make up the Active Directory Domain to understand this objective better.

Domain: A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory Database.

Forests: An AD forest is the highest level of organization with Ad. Each forest shares a single database, a single global address list, and a security boundary. By default, a user or administrator in one forest cannot access another forest.

Sites: A site is a graphical location of high network connectivity that may connect to other locations that are similarly configured.

Domain Controllers: Domain Controllers are the hosts of Active Directory. They contain the AD database. AD DS is a Multimaster model, where each DC shares changes with each other.

Global Catalogs: Global Catalog provides a subset of total AD domain database. A global catalog is a DC that stores a copy of all AD objects in a forest.

The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all the other domains in the forest.

Organizational Units: An OU is a container within a Microsoft AD Domain which can hold users, groups, and computers.

It is the smallest unit to which an administrator can assign Group Policy Settings or account permissions.

Flexible Single Master Operations Roles

Active Directory has five special roles which are vital for the smooth running of AD as a Multimaster system. There are forest-wide roles and domain-wide roles.

The forest-wide roles must appear once, per forest, the domain-wide roles must appear once per domain.

There are five FSMO roles, two per forest, three in every Domain. A brief summary of the role is below.

Forest-Wide Roles

  • Schema Master

    • Performs updates to the AD schema.
    • These updates include Adprep/forestprep, MS Exchange and other applications that must modify the AD schema.
    • Must be online when schema updates are performed.
    • generally placed on the forest root PDC.
  • Domain Naming Master

    • Adds and removes domains and application partitions to and from the AD forest.
    • Must be online when domain and application partitions in a forest are added or removed.
    • Generally placed on the forest root PDC.

Domain-Wide Roles

  • PDC Emulator

    • Manages password changes for computers and user accounts on replica domain controllers.
    • Consulted by replica domain controllers where service authentication requests have mismatched passwords.
    • Target DC for Group Policy updates.
    • Target DC for legacy applications that perform writable operations and for some admin tools.
    • Must be online and accessible at all times.
    • Generally placed on the higher performance hardware in a reliable site alongside other DC’s.
    • Timekeeper for domain and forest.
  • RID Master

    • Allocates active and standby RID pools to replica DC’s in the same domain.
    • Must be online for newly promoted DC’s to obtain a local RID pool or when existing DC’s must update their current or standby RID pool application.
    • Generally placed on forest root PDC.
  • Infrastructure Master

    • Updates cross-domain references from Global Catalog.
    • A separate infrastructure master is created for each partition including the default forest-wide and domain-wide application partitions.

Add or Remove a Domain Controller from Domain

There are various ways to convert a member server to Domain Controller.

From Server Manager > Add Roles and Features > Active Directory Domain Services Role

From PowerShell

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementServices

Once the role is installed, you will now have to promote the machine as Domain Controller.

Read More: Install Domain Controller on Server 2008 R2

To remove a Domain Controller from Domain, we have a couple of ways of doing it.

From Server Manager > Remove Roles and Features > Active Directory Domain Services

But first you will have to demote the Domain Controller.

Kindly find the link to the TechNet article below on how to demote a Domain Controller.

Demoting Domain Controllers

From PowerShell


Install a DC from Install from Media

Install from Media is one of the ways of converting a member server to Domain Controller.

This method comes handy when the DC needs to be added to a remote location having no good network connectivity/

On the server which is already a Domain Controller, type the following by opening up the command prompt as an Administrator

activate instance ntds
create full C:\ifm

Exam 70-410 Objective 5.1 - Install Domain Controllers

It creates a folder called ifm on C drive with the required information.

Now on the target machine where you want to install Domain Controller while installing you need to select Install from Media option.Install ADDS on server core

As we have seen before, installing on ADDS on Server Core is only possible from PowerShell and is a ver easy process.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Next step is to promote the machine as a Domain Controller.

Install-ADDSDomainController -DomainName enterprisedaddy.com -Credentials (Get-Credential enterprisedddy\Administrator)

You will also have to end up providing the SafeMode Admin Password.

Upgrade a Domain Controller

You will sometimes come across situations wherein you will have to upgrade Domain Controller with a new Operating System like Windows Server 2012 R2.

It is a fairly straight forward process.

  • Make sure that AD environment is healthy (stuff like Replication).
  • Extend the schema.

Let us say that I have the ISO mounted on the D drive.

cd D:\support\adprep

Adprep /forestprep

Adprep /domainprep

Adprep /rodcprep (if you plan to install any RODC’s)

Read Also: Install RODC on Windows Server
Read Also: Configure Password Replication Policy for RODC’s

  • Upgrade the present Domain Controller to New OS.
  • Relocate FSMo roles if necessary.
  • Raise Domain/Forest functional level.

You can raise the Forest/Domain functional level from AD Domains and Trusts.

Exam 70-410 Objective 5.1 - Install Domain Controllers

Resolve DNS SRV Record Registration Issues

DNS is essential for a service like Active Directory. To accommodate directory services such as AD DS, a special resource record is created that enabled clients to locate DC’s and other vital AD DS services.

When a new DC is created, one of the important parts of the process is the registration of the server in the DNS.

If the DNS registration fails, then clients cannot locate the DC. Computers will be unable to use that Dc to join to the domain, existing members may be unable to logon, and other DC’s cannot replicate with it.

To register the DC to the DNS, if dynamic updates are enabled.

ipconfig -registerDNS

If dynamic updates are disabled, then the file netlogon.dns needs to be added to the DNS Server.

It can be found in the directory C:\Windows\System32\config

Configure a Global Catalog Server

The first Domain Controller in a new Domain is always a Global Catalog server.

To check whether the server is Global or not, or make a server Global Catalog, you need to go to Active Directory Sites and Services.

From Server Manager > AD Sites and Services > Servers > ServerName > NTDS Settings > Right click on Properties.

Exam 70-410 Objective 5.1 - Install Domain Controllers

Deploy Active Directory IaaS in Microsoft Azure

I am not really sure as to why Microsoft has included this particular objective in the exam.

I believe it is just to make you aware of the Microsoft’s cloud platform Azure.

In any case, the below is a handy MSDN article that explains how to install Active Directory in Azure.

Deploying Windows Active Directory on Azure VM’s

I hope that this article has been informative and thank you for reading.


About Author

I am Adil Arif, working as a Senior Technical Support Engineer at Rubrik as well as an independent blogger and founder of Enterprise Daddy. In my current role, I am supporting infrastructure related to Windows and VMware datacenters.

Leave A Reply