In the past two Inside Out columns, I've discussed how to create simple batch files that let you automatically configure machines to set up domain controllers (DCs)—and in the process, domains, trees, and forests. Such batch files are tremendously useful for several reasons. First, a good disaster-recovery plan will mandate this sort of batch file because it lets you start from a freshly installed copy of Windows Server 2003 or Windows 2000 Server. By typing a few commands, you end up with a fully functional forest, rebuilt from scratch. Second, even if you never need disaster-recovery tools, you can still use the batch file to build small test networks that mimic your enterprise network and let you try things out in a safe environment. Third, this batch file effectively illustrates the power of batch automation: On a fresh system, you can type one command, walk away, then return 15 minutes later to find a perfectly configured IP stack, DNS server network, and Active Directory (AD) domain.
So far, I've shown you how to create a batch file that configures an IP stack and a DNS server network. This time, I show you how to use a batch file to create AD domains.
The Answer File
To create a domain, tree, or forest, you simply need to create the first DC in that domain, tree, or forest—and to create a DC, all you need to do is run Dcpromo (aka the Active Directory Installation Wizard). Like all wizards, Dcpromo demands attention, if only to repeatedly click Next. But a script can provide that attention. Microsoft has quietly furnished Dcpromo with full-featured scriptability. You can script Dcpromo in both Windows 2003 and Win2K, although the script commands are a bit different between the two OSs. (I use the Windows 2003 command set for this article's examples.)
To run Dcpromo with a script, you use the /answer option, as follows:
dcpromo /answer:<nameofanswerfile>
The answer file is simply an ASCII text file that contains answers to a few basic but essential questions. In general, answer files are case insensitive, except for any passwords that you might need to include. (You can build an answer file in Notepad quite easily.) The questions that a Dcpromo answer file needs answers to are
Will this DC be the first DC in a domain (thereby creating a domain), or will it simply help out in an existing domain (i.e., will it serve as a replica DC)?
If Dcpromo is creating a domain, what will that domain be called, and how will it fit in the existing forest? Should Dcpromo create not only a new domain but also a new forest?
If Dcpromo isn't creating a domain, do you have the proper credentials to create new DCs in an existing domain or to create a new domain in an existing forest?
In what location should Dcpromo place the AD database file ntds.dit, the transaction log files, and Sysvol?
How should Dcpromo handle DNS errors? If the existing DNS infrastructure is invalid for AD, should Dcpromo create a new DNS structure or simply fail with an error condition?
New Domain
To create a brand-new forest, you can use the answer file that Listing 1 shows. This answer file creates the first DC in the first domain in a forest. Following the example of the past two columns, we'll call that first domain bigfirm.biz.
In just 13 lines, the answer file provides much functionality. It starts with the [DCINSTALL] statement, which starts all Dcpromo answer files. Next is the ReplicaOrNewDomain statement, which specifies whether you're creating a new domain or adding a DC to an existing domain. The acceptable answers are Domain, which creates a new domain, and Replica, which adds a DC to an existing domain. We're creating a new domain rather than a replica DC, so that domain needs a DNS name (e.g., bigfirm.biz), a NetBIOS name (e.g., bigfirm), and a Directory Services Restore Mode (DSRM) password. The NewDomainDNSName, DomainNetBIOSName, and SafeModeAdminPassword statements specify those values.
But where does the new domain fit in a forest? The NewDomain statement has three possible values. Forest tells Dcpromo to create the first domain in a forest, Tree tells Dcpromo to create the first domain in a new tree that's part of an existing forest, and Child tells Dcpromo to create a new child domain in an existing tree (which implies that the tree is a member of an existing forest). In this example, I'm creating the first domain in a forest, so Forest is the correct value.
The next three statements—DatabasePath, LogPath, and SysvolPath—appear in every Dcpromo answer file, no matter what the DC's role, because every DC needs a copy of the AD database (and therefore must know in what location to put the database and log files) and a Sysvol. In this simple example, I've used %systemroot% as the path for each. You almost certainly wouldn't use the same path on a real-world DC; you can dramatically improve a DC's performance by putting the database and log files on separate physical drives. The %systemroot% environment variable simply refers to the drive and directory (e.g., C:\winnt, D:\windows) on which you've installed the OS.
Order Your Fundamentals CD Today! Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.
Implement a Successful Archiving Solution View this web seminar to learn the best practices for creating an email archive that is secure, compliant, and searchable.
Protect Your Company’s Digital Assets Do you know the risks of sending important files over email or FTP? Read this white paper to learn what you can do to safeguard your company’s data.
Prepare Yourself for Exchange Catastrophe Read this white paper to learn how you can keep Exchange server healthy, as well as predict and respond to server failure.
Boost Customer Confidence and Satisfaction Read this eBook to learn how faxing can ease communication with less computer-savvy customers while reducing your security, compliance and support woes.
Previous
Register
devonpaul September 30, 2007 (Article Rating: