I once came across this question: “Impact of running DCPROMO without installing the AD DS role in Windows Server 2008 or 2008 R2”. Lots of people gave their own views of how DCPROMO relates to AD DS. I see this as simply understanding what DCPROMO and the AD DS role each do when run. DCPROMO is simply the Active Directory Domain Services installation wizard, which resides in the System32 folder in Windows. When you run the dcpromo command on a Windows Server 2008 or 2008 R2 machine, it will not only install the Active Directory schema, making the server a domain controller, but will also install the AD DS tools.
In an earlier post, we looked at introducing a Windows Server 2012 domain controller into an existing Windows Server 2008 R2 domain. The next action is moving the FSMO roles off the Windows Server 2008 R2 DC to the Windows Server 2012 DC in preparation for decommissioning the Windows Server 2008 R2 DC, which will be dealt with in a later post. You can transfer the roles either via the GUI or from the command prompt using ntdsutil, but for the purpose of this post I will be using the GUI for better understanding.
There are two ways to determine your Active Directory schema version: one is via the dsquery command and the other is via the ‘adsiedit.msc’ tool.

1. Using the dsquery command – run the following from within the command prompt:

dsquery * cn=schema,cn=configuration,dc=<domain>,dc=<suffix> -scope base -attr objectVersion

Replace ‘<domain>’ and ‘<suffix>’ with your domain name details (placeholders for the two DC components of your domain's distinguished name). The version for Windows Server 2012 shows 56. See the full version list for other Windows Servers:

Windows Server 2012 – 56
Windows Server 2008 R2 – 47
Windows Server 2008 – 44
Windows Server 2003 R2 – 31
Windows Server 2003 – 30
Windows 2000 – 13

2.
In this post, I will show you how to install a new Windows Server 2008 R2 (64-bit) domain controller in an existing Windows Server 2003 (32-bit) domain. Sorry that I am not able to provide any screenshots at this point in time, but if you simply follow the steps, you won’t miss it 🙂 If this domain controller is the first Windows Server 2008 R2 domain controller in the forest, you must prepare the forest for Windows Server 2008 R2 by extending the schema (that is, by running adprep /forestprep) on the schema operations master, if this has not already been done.
Have you ever wondered which firewall ports need to be opened to your AD network if you have a segmented environment? Below is a simple firewall rule that you need to configure to allow all the needed AD ports, as listed:

1. Create the service object group:

ASA# object-group service AD-Ports
 service-object tcp-udp eq 389 (LDAP – Lightweight Directory Access Protocol)
 service-object tcp-udp eq domain (DNS)
 service-object tcp-udp eq 88 (Kerberos)
 service-object tcp eq 445 (SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc)