AD DS: User Interface Improvements

Applies To: Windows Server 2008

To improve the installation and management of Active Directory® Domain Services (AD DS), the Windows Server® 2008 operating system includes an updated Active Directory Domain Services Installation Wizard. Windows Server 2008 also includes changes to the Microsoft Management Console (MMC) snap-in functions that manage AD DS.

What do AD DS user interface improvements do?

AD DS user interface (UI) improvements provide new installation options for domain controllers. Furthermore, the updated Active Directory Domain Services Installation Wizard streamlines and simplifies AD DS installation.

AD DS UI improvements also provide new management options for AD DS features such as read-only domain controllers (RODCs). Additional changes to the management tools improve the ability to find domain controllers throughout the enterprise. They also provide important controls for new features such as the Password Replication Policy for RODCs.

Who will be interested in AD DS UI improvements?

AD DS UI improvements are important for the following users:

  • AD DS administrators who are responsible for managing domain controllers in hub locations and data centers

  • Branch office administrators

  • System builders who perform server installations and decommission servers

Are there any special considerations?

AD DS UI improvements do not require any special considerations. The improvements to the Active Directory Domain Services Installation Wizard are all available by default. However, some wizard pages appear only if the check box for Use advanced mode installation is selected on the Welcome page of the wizard.

Advanced mode installation provides experienced users with more control over the installation process, without confusing newer users with configuration options that might not be familiar. For users who do not select the Use advanced mode installation check box, the wizard uses default options that apply to most configurations.

What new functionality do AD DS UI improvements provide?

The AD DS UI improvements provide new functionality for the Active Directory Domain Services Installation Wizard and MMC snap-in functions.

New Active Directory Domain Services Installation Wizard

You can use the new Active Directory Domain Services Installation Wizard to add the AD DS server role interactively. To access the Active Directory Domain Services Installation Wizard, you can:

  • Use the Add Roles Wizard. You can access the Add Roles Wizard in the following ways:

    • Click Add Roles in Initial Configuration Tasks, the application that appears when you first install the operating system.

    • Click Add Roles in Server Manager, which is always available on the Administrative Tools menu and through an icon in the notification area.

    The Add Roles Wizard installs the files that are required to install and configure AD DS on a server, but it does not start the actual AD DS installation. To start the AD DS installation, you must run dcpromo.exe.

  • Type dcpromo at a command prompt and press ENTER; or click Start, type dcpromo in the search box, and press ENTER; or click Start, click Run, type dcpromo, and click OK, as in previous versions of the Windows Server operating system.

  • Delegate an RODC installation. In this case, different users run the wizard at different times. First, a member of the Domain Admins group creates an RODC account in the Active Directory Users and Computers MMC snap-in: right-click the Domain Controllers container (or select it and click Action), and then click Pre-create Read-only Domain Controller account to start the wizard and create the account. When you create the RODC account, you can delegate the installation and administration of the RODC to a user or, preferably, a security group. The delegated principal gains administrative rights on that RODC only, not in the domain, so it does not need (and should not be given) membership in Domain Admins.

    On the server that will become the RODC, the user who has been delegated the permissions to install and administer it can then run dcpromo /UseExistingAccount:Attach at a command prompt to start the wizard.

The Active Directory Domain Services Installation Wizard contains a new option on the Welcome page of the wizard to enable advanced mode as an alternative to running dcpromo with the /adv switch (for example, dcpromo /adv). Advanced mode contains additional options that enable more advanced configurations and that provide experienced users with more control over the operation. The additional installation options in advanced mode include the following:

  • Creating a new domain tree.

  • Using backup media from an existing domain controller in the same domain to reduce network traffic that is associated with initial replication.

  • Selecting the source domain controller for the installation. This enables you to control which domain controller is used to initially replicate domain data to the new domain controller.

  • Modifying the NetBIOS name that the wizard generates by default.

  • Defining the Password Replication Policy for an RODC.

In addition to these changes, the Active Directory Domain Services Installation Wizard has new pages, which are described in the following table.

New wizard page Description

Additional Domain Controller Options

Specifies whether the new domain controller is also configured as a DNS server, a global catalog server, or an RODC. An RODC can also be a DNS server and a global catalog server.

Select a Domain

Specifies the name of the domain where you are installing an additional domain controller.

Select a Site

Specifies the site in which the domain controller should be installed.

Set Functional Levels

Sets the domain and forest functional level during the installation of a new domain or forest.

Delegation of RODC Installation and Administration

Specifies the name of the user or group who will install and administer the RODC in a branch office.

Password Replication Policy

Specifies which account passwords to allow or deny from being cached on an RODC. This page appears only if the Use advanced mode installation check box is selected.

DNS delegation creation

Provides a default option to create a DNS delegation based on the type of domain controller installation (as specified on the Choose a Deployment Configuration page) and the DNS environment.

Other improvements reduce the chances for error during AD DS installation. For example, if you are installing an additional domain controller, you can select the domain name from a domain tree view rather than typing it.

The new Active Directory Domain Services Installation Wizard also includes the following improvements:

  • By default, the wizard now uses the credentials of the user who is currently logged on if the user is logged on with a domain account. You can specify other credentials if they are needed.

  • On the Summary page of the wizard, you can export the settings that you have selected to a corresponding answer file that you can use as a template for subsequent operations (installations or uninstallations). Passwords that you entered in the wizard are commented out of the exported file. For example, if you specify a DSRM password in the wizard and then export the settings, that password does not appear in the answer file, and you must add it before you use the file. Treat an answer file that contains a password as a secret and delete it when the operation completes.

  • You can now omit your administrator password from the answer file. Instead, type password=* in the answer file so that the wizard prompts for account credentials at run time.

  • You can now force the demotion of a domain controller that is started in Directory Services Restore Mode.

Staged installation for RODCs

You can perform a staged installation of an RODC, in which the installation is completed in two stages by different individuals. You can use the Active Directory Domain Services Installation Wizard to complete each stage of the installation.

The first stage creates an account for the RODC in AD DS. The second stage attaches the server that will be the RODC to that account.

During the first stage, the wizard records all data about the RODC that will be stored in the distributed Active Directory database, such as its domain controller account name and the site in which it will be placed. A member of the Domain Admins group must perform this stage.

The user who creates the RODC account can also specify at that time which users or groups can complete the next stage of the installation. The next stage of the installation can be performed in the branch office by any user or group who was delegated the right to complete the installation when the account was created. This stage does not require any membership in built-in groups such as the Domain Admins group. If the user who creates the RODC account does not specify any delegate to complete the installation (and administer the RODC), only a member of the Domain Admins or Enterprise Admins groups can complete the installation.

The second stage installs AD DS on the server that will become the RODC. This stage typically occurs in the branch office where the RODC is deployed. During this stage, all AD DS data that resides locally, such as the database and log files, is created on the RODC itself. The data can be replicated to the RODC from another domain controller over the network, or you can use the install from media (IFM) feature. To use IFM, create the installation media with Ntdsutil.exe on an existing domain controller; create RODC media rather than full media so that the media that travels to the branch contains no account secrets.

The server that will become the RODC must not be joined to the domain before you attach it to the RODC account; the pre-created account already holds the computer name. As part of the installation, the wizard automatically checks whether the server's name matches an RODC account that was created in advance for the domain. When it finds a matching account, it prompts the user to use that account to complete the RODC installation.

Additional Wizard Improvements

In addition to the improvements listed earlier, the wizard:

  • Detects, when you create an additional domain controller in a child domain, whether the infrastructure master role is hosted on a global catalog server in that domain, and prompts you to transfer the role to the domain controller that you are creating if that domain controller will not be a global catalog server. This helps prevent misplacement of the infrastructure master role, which updates cross-domain object references only when it is not a global catalog server (unless every domain controller in the domain is a global catalog server).

  • Accepts some parameters on the command line to prepopulate the wizard, reducing the amount of user interaction that is required.
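The infrastructure master check the wizard performs, expressed as a script you can run before starting an installation. This is an added example, not code from the original page; it uses dsquery, which is built into Windows Server 2008, and the domain name, the sample output line in the comment and the target name NEW-DC are assumptions.

```powershell
# Added example (not from the original page): flag an infrastructure master
# that sits on a global catalog in a domain where not every DC is a GC.
# dsquery is built into Windows Server 2008; the domain name is an assumption.
function Test-InfrastructureMasterPlacement {
    param([string]$Domain = "corp.example.com")   # assumed domain

    # dsquery prints one quoted distinguished name per line, e.g. (assumed sample)
    # "CN=HUB-DC1,CN=Servers,CN=Hub,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com"
    $allDcs = @(dsquery server -domain $Domain | ForEach-Object { $_.Trim('"') })
    $gcs    = @(dsquery server -domain $Domain -isgc | ForEach-Object { $_.Trim('"') })
    $im     = @(dsquery server -domain $Domain -hasfsmo infr | ForEach-Object { $_.Trim('"') })[0]

    $nonGcs = @($allDcs | Where-Object { $gcs -notcontains $_ })

    # Misplacement only matters when the IM is a GC and some DC is not a GC.
    if (($gcs -contains $im) -and ($nonGcs.Count -gt 0)) {
        $msg = "Infrastructure master $im is a global catalog, but these DCs are not: " +
               ($nonGcs -join ", ") + ". Transfer the role to one of them."
        Write-Warning $msg
        return $false
    }
    Write-Host "Infrastructure master placement is fine for $Domain."
    return $true
}

# Transfer the role when needed, from an elevated prompt (NEW-DC is an assumed name):
#   ntdsutil roles connections "connect to server NEW-DC" quit "transfer infrastructure master" quit quit

Test-InfrastructureMasterPlacement
```

Run it as a domain user; only the transfer step requires Domain Admins.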

New MMC snap-in functions

The Active Directory Sites and Services snap-in in Windows Server 2008 includes a Find command on the toolbar and in the Action menu. This command shows which site a domain controller is placed in, which helps when troubleshooting replication problems. Previously, the snap-in did not easily indicate a given domain controller's site, which lengthened troubleshooting.

To help manage RODCs, there is now a Password Replication Policy tab on the Properties sheet of an RODC account in Active Directory Users and Computers. By clicking the Advanced button on this tab, an administrator can see the following:

  • What passwords have been sent to the RODC

  • What passwords are currently stored on the RODC

  • What accounts have authenticated to the RODC, including accounts that are not in any of the security groups that are allowed or denied replication. As a result, the administrator can see who is using the RODC and decide whether to allow or deny password replication for those accounts.
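The same three views, and the allow/deny decision they lead to, from the command line with repadmin /prp, which ships with Windows Server 2008. This is an added example, not code from the original page; the RODC name, the group and account names, and the domain\name form used for the principals are assumptions.

```powershell
# Added example (not from the original page): command-line equivalent of the
# Password Replication Policy tab's Advanced dialog, using repadmin /prp.
# RODC, group and account names are assumptions.
$rodc = "BRANCH-RODC1"

# 1. Passwords currently revealed (cached) on the RODC: what an attacker with the
#    RODC's disk or a compromised RODC could recover.
repadmin /prp view $rodc reveal

# 2. Accounts that have authenticated through the RODC, whether or not their
#    passwords were replicated. Anything here that must never be cached
#    (administrators, service accounts) belongs in a denied group.
repadmin /prp view $rodc auth2

# 3. The current allow and deny lists.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny

# Decision: allow the branch users, explicitly deny a tier-0 group. Deny wins
# over allow when an account matches both lists.
repadmin /prp add $rodc allow "CORP\Branch01 Users"
repadmin /prp add $rodc deny  "CORP\Tier0 Service Accounts"

# If an account that should never have been cached shows up in the reveal
# list, reset its password first (the cached hash is then useless), then
# clear it from the list so the view reflects reality.
repadmin /prp delete $rodc reveal "CORP\svc-backup"
```

Review the auth2 list regularly: it is the only one of the three that shows accounts used at the branch that nobody has yet classified as allowed or denied.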