1. Using dcpromo to Install from Media
When you promote a server to a DC in a domain that already has a DC, it replicates all Active Directory data from an existing DC to the replica DC. Within a well-connected network, this is no problem. However, if the replication must occur over a slow wide area network (WAN) connection, it can cause problems. It can overwhelm the connection, affecting other users, or simply take an excessively long time to complete.
Instead, you can create a copy of the Active
Directory data to replicate, send the media to the remote location, and
then use the install from media (IFM) option.
The following steps show how to create the installation media with the ntdsutil command.
| Step | Action |
|---|---|
| 1. | Launch a command prompt with administrative permissions. |
| 2. | Type ntdsutil and press Enter. |
| 3. | Type activate instance ntds and press Enter. |
| 4. | Type ifm and press Enter. |
| 5. | Type create rodc c:\ifm and press Enter. When complete, the display looks similar to Figure 1. |
After you create the installation media, you can copy it to other media such as a CD or a USB flash drive, and then send it to the remote office. An administrator at the remote office can then start dcpromo with the following command:
This launches dcpromo with advanced options. After selecting Additional Domain Controller for an Existing Domain, the Copying Domain Information page appears. The administrator can then specify the location of the media created with ntdsutil.
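Because the media is a copy of Active Directory data that leaves the site, it is worth confirming that what arrives at the remote office is exactly what was created. The following PowerShell is an added example, not part of the original article: it passes the same ntdsutil commands from the steps above as arguments instead of typing them interactively, and the function names, the manifest file and the E:\ifm path are assumptions.

```powershell
# Added example. C:\ifm matches step 5; all other names and paths are assumed.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Dispose() }
}

# Hash every file under the media folder, keyed by its path relative to that folder.
function Get-IfmHashes([string]$Root) {
    $full = (Resolve-Path $Root -ErrorAction Stop).Path.TrimEnd('\')
    Get-ChildItem -Path $full -Recurse | Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                File   = $_.FullName.Substring($full.Length + 1)
                SHA256 = Get-Sha256Hex $_.FullName
            }
        }
}

# Central site: create the media (steps 2 to 5 in one call), then write a manifest.
# $MediaPath must not contain spaces in this form.
function New-IfmMedia([string]$MediaPath, [string]$ManifestPath) {
    & ntdsutil.exe 'activate instance ntds' 'ifm' "create rodc $MediaPath" 'quit' 'quit' | Out-Host
    $hashes = @(Get-IfmHashes $MediaPath)
    if ($hashes.Count -eq 0) { throw "No files were written to $MediaPath" }
    $hashes | Export-Csv -Path $ManifestPath -NoTypeInformation
}

# Remote site: compare the received copy with the manifest before running dcpromo.
function Test-IfmMedia([string]$MediaPath, [string]$ManifestPath) {
    $expected = @{}
    Import-Csv $ManifestPath | ForEach-Object { $expected[$_.File] = $_.SHA256 }
    $actual = @{}
    Get-IfmHashes $MediaPath | ForEach-Object { $actual[$_.File] = $_.SHA256 }
    $bad = @()
    foreach ($f in $expected.Keys) { if ($actual[$f] -ne $expected[$f]) { $bad += $f } }  # changed or missing
    foreach ($f in $actual.Keys)   { if (-not $expected.ContainsKey($f)) { $bad += $f } } # unexpected extra file
    if ($bad.Count) { throw "IFM media differs from manifest: $($bad -join ', ')" }
    $true
}

# New-IfmMedia  -MediaPath 'C:\ifm' -ManifestPath 'C:\ifm-manifest.csv'
# Test-IfmMedia -MediaPath 'E:\ifm' -ManifestPath 'E:\ifm-manifest.csv'
```

Send the manifest to the remote administrator by a different channel than the media itself; a manifest that travels on the same CD or USB drive only detects accidental corruption.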
2. Forcing Removal of Active Directory
There are occasions when you need to remove Active Directory from a system but dcpromo
fails because the system can’t connect to another DC. For example,
imagine that a DC has a hardware failure and you have to seize the RID
Master role while it is down. You shouldn’t connect this DC back to the
network as a DC because there is the potential of having two RID Masters
and duplicate SIDs in your domain.
Note
If you seize the Schema Master, Domain Naming Master, or RID Master roles from a failed DC, you should not bring the original DC back online without first removing Active Directory. The resulting problems for the forest and domain can be catastrophic.
You can rebuild the failed DC from scratch, but it's much easier to simply run dcpromo to remove Active Directory and then run dcpromo again to add Active Directory back.
You can force the removal of Active Directory with the following command:
Figure 2
shows one of the confirmation screens that might appear. In some
situations, you see one of these for each of the master operations roles
that the server holds. You also see a confirmation screen if the server
is a DNS server, and another one if it’s a global catalog server. After
clicking Yes for each of these screens, the wizard starts.