Usually, installing a new DC replicates every object from a replica domain controller. On a local area network (LAN) connection, this is generally not a problem. However, when there are slow or bandwidth-restricted links between the corporate office and a DC installed in the remote office location, replicating every object across the connection can impact the service of other business-critical applications used in the remote office.
Starting with Windows Server 2008 and 2008 R2, Microsoft's Ntdsutil has included a new way to create installation media for provisioning a new DC in your Active Directory environment. Using the IFM approach allows loading the Active Directory data from media instead of transferring every object across the network.
It also eliminates the need to perform replication to a domain controller on one network, disconnect the domain controller, ship the DC to the destination network, and then get the domain controller in sync again. A DC that becomes disconnected from the Active Directory replication topology can lead to issues.
Note that any changes that occurred since the IFM set was created require replication. However, the changes are minimal compared to replicating the entire Active Directory database across a slow WAN link connection.
Install secondary DC from media on Server 2019/2022
In remote locations, installing a read-only domain controller (RODC) is the preferred option. It offers additional security and performance benefits, such as caching the credentials only of those users who actually authenticate against the RODC. When you use IFM to create the installation media for an RODC, cached passwords are removed from the media. The installation media for an RODC can be created on either a writable domain controller or another RODC.
The SYSVOL folder can also be included in the installation media. However, DFS replication for SYSVOL must be used between DCs for the SYSVOL folder to be included in the IFM media.
The first step is to create the IFM media set on an existing domain controller; it is then used to bring your secondary RODC or writable domain controller online. To create the IFM media, type the following commands at an elevated command prompt (each quoted string is one ntdsutil command; you can also enter them one at a time at the ntdsutil prompt):
ntdsutil "activate instance ntds" ifm help
Notice the options when viewing the help for the IFM ntdsutil command. We are interested in RODC-specific commands. You can create an RODC with the IFM media set without SYSVOL, or one with SYSVOL. Depending on your needs at the remote site, you can decide whether you need to include SYSVOL.
To create the IFM media, type the option you want and the path to the folder where the media set will be created. In the example below, we create an IFM set, including SYSVOL.
Create Sysvol RODC c:\ifm
With an RODC, you will see an Active Directory folder and a SYSVOL folder if you choose to include SYSVOL. If you are creating a full writeable domain controller, you will also see a registry folder included.
Now that the IFM media set is created, copy the folder to your new RODC. You can copy it before the server is provisioned at the secondary site or at the time of promotion.
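The media-creation step above, as an added example that is not part of the original article: a PowerShell script run in an elevated session on an existing domain controller that first checks that SYSVOL is replicated by DFSR (the prerequisite for including SYSVOL), then runs the same ntdsutil commands non-interactively and verifies the resulting folder layout. The output folder C:\ifm is an assumption; everything else uses the commands the article shows.

```powershell
# Added example (not from the original article): create an RODC IFM media set
# that includes SYSVOL. Assumes an elevated PowerShell session on a writable DC
# or another RODC; C:\ifm is a hypothetical output folder.

$IfmPath = 'C:\ifm'

# SYSVOL can only be included when the domain replicates SYSVOL with DFSR, not FRS.
# dfsrmig reports the migration state; 'Eliminated' means FRS is gone and DFSR is used.
$state = dfsrmig /getglobalstate | Out-String
if ($state -notmatch 'Eliminated') {
    throw "SYSVOL is not fully migrated to DFSR. Create the media without SYSVOL ('create rodc') instead."
}

# ntdsutil needs a folder that does not exist yet (or is empty); refuse to clobber an old set.
if (Test-Path $IfmPath) {
    throw "$IfmPath already exists. Remove it or pick another folder so old media is never reused by mistake."
}

# Same commands the article types interactively, passed as ntdsutil arguments.
# 'create sysvol rodc' produces RODC media with cached passwords stripped,
# so the set is safe to copy or ship to the branch office.
ntdsutil "activate instance ntds" ifm "create sysvol rodc $IfmPath" quit quit

# Verify the layout described in the article: 'Active Directory' (ntds.dit) and 'SYSVOL'.
# A 'registry' folder would only appear for full (writable DC) media.
foreach ($dir in 'Active Directory', 'SYSVOL') {
    if (-not (Test-Path (Join-Path $IfmPath $dir))) {
        throw "IFM media set is incomplete: folder '$dir' is missing."
    }
}
if (Test-Path (Join-Path $IfmPath 'registry')) {
    Write-Warning "A 'registry' folder is present; this looks like full-DC media, not RODC media."
}

# Report the size that will have to travel to the branch instead of crossing the WAN.
$bytes = (Get-ChildItem $IfmPath -Recurse -File | Measure-Object -Property Length -Sum).Sum
"IFM media set created in {0}: {1:N1} MB" -f $IfmPath, ($bytes / 1MB)

# Record the creation time: every change made after this point still replicates,
# and the set must be used before the forest's tombstone lifetime has passed.
Get-Date -Format 'u' | Out-File (Join-Path $IfmPath 'ifm-created.txt')
```

The DFSR check reflects the note above about SYSVOL only being available on DFSR-replicated domains; when the state is anything other than Eliminated, the script refuses rather than silently producing media without SYSVOL.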
Add the Active Directory Domain Services role
The first step on your RODC is to add the Active Directory Domain Services role. Below, the Add Roles and Features wizard is launched, and the server is selected.
Select the Active Directory Domain Services role.
Click the Add Features button to add the required features for AD DS.
There is nothing further to add on the following Features screen, so just click Next.
Click Next on the AD DS informational screen. On the confirmation screen, click Install. This installs the Active Directory Domain Services role, but it does not promote the server to a domain controller just yet.
Installation of the Active Directory Domain Services role is successful.
Promote the server to a domain controller
Click the informational flag in the top right-hand corner of Server Manager. Then, click Promote this server to a domain controller.
Since we are adding an RODC to an existing Active Directory environment, select Add a domain controller to an existing domain.
On the Domain Controller Options screen, select the domain controller capabilities and site information. Here, we select the Read only domain controller (RODC) option.
Configure the RODC options you want to set, including the accounts allowed to replicate passwords to the RODC.
On the Additional Options screen, select Install from media and set the path where the IFM media set is located. I have copied the media set to the same directory location on the RODC. You can verify the media set as well. Click Next.
Next, specify the locations of the AD DS database, log files, and SYSVOL.
Note the "directory information will be copied primarily from" information displayed on the Review Options screen. This indicates that we have used the install from media option for the RODC.
The prerequisite check is next. You will see a warning about Windows NT 4.0 compatibility. However, it should succeed. Click Install.
After the promotion of the RODC and install from media is complete, you will see your session about to log out. This indicates the installation is done, and the server is about to reboot.
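The role installation and promotion steps above, done from PowerShell instead of Server Manager, as an added example that is not part of the original article. The domain name corp.example.com, the site Branch01, the group CORP\Branch01-Users, and the media path C:\ifm are assumptions; the cmdlets are the ADDSDeployment equivalents of the wizard pages the article walks through.

```powershell
# Added example (not from the original article): add the AD DS role and promote the
# server to an RODC from IFM media, mirroring the wizard pages above.
# Hypothetical values: domain corp.example.com, site Branch01, media in C:\ifm,
# and a group CORP\Branch01-Users whose passwords may be cached on this RODC.

$DomainName = 'corp.example.com'
$SiteName   = 'Branch01'
$MediaPath  = 'C:\ifm'

# "Add the Active Directory Domain Services role": binaries only, no promotion yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# "Install from media": make sure the copied media set is complete before we start.
foreach ($dir in 'Active Directory', 'SYSVOL') {
    if (-not (Test-Path (Join-Path $MediaPath $dir))) {
        throw "IFM media in $MediaPath is missing the '$dir' folder."
    }
}

# Account allowed to add a domain controller to the domain.
$cred = Get-Credential -Message "Account used to add the RODC to $DomainName"

$params = @{
    DomainName            = $DomainName
    ReadOnlyReplica       = $true            # "Read only domain controller (RODC)" option
    SiteName              = $SiteName        # site information from the DC Options page
    InstallationMediaPath = $MediaPath       # "Install from media" on Additional Options
    InstallDns            = $true
    Credential            = $cred
    DatabasePath          = 'C:\Windows\NTDS'    # Paths page: AD DS database
    LogPath               = 'C:\Windows\NTDS'    # Paths page: log files
    SysvolPath            = 'C:\Windows\SYSVOL'  # Paths page: SYSVOL
    # RODC options: the Password Replication Policy. Cache only the branch users'
    # secrets, and explicitly keep privileged accounts out of the cache.
    AllowPasswordReplicationAccountName = @('CORP\Branch01-Users')
    DenyPasswordReplicationAccountName  = @('CORP\Domain Admins', 'CORP\Enterprise Admins')
    SafeModeAdministratorPassword       = (Read-Host -AsSecureString 'DSRM password')
}

# Same checks as the wizard's prerequisite page; the NT 4.0 compatibility warning
# shows up here as a message but does not change the Success status.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message
if ($check.Status -ne 'Success') {
    throw "Prerequisite check did not succeed; fix the reported issues before promoting."
}

# Promote. Directory information is copied primarily from the media; only changes made
# since the media was created replicate over the WAN. The server reboots when done,
# which is the logoff the article mentions at the end of the wizard.
Install-ADDSDomainController @params -Force
```

Running the test cmdlet with the same splatted parameters before the install is the scripted equivalent of reading the Review Options and prerequisite screens; it lets you confirm the "copied primarily from" media path and the password replication policy before anything changes.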
Wrapping up
The IFM option allows companies to eliminate the bulk of replication traffic when bringing an additional domain controller online. It is a useful option in remote locations where WAN bandwidth may be limited.
It allows installing AD objects as part of the domain controller promotion process instead of needing to replicate the directory in whole across the network. With RODC, you can copy both the directory and SYSVOL to bring your new RODC online.
Hi Brandon
As always a useful article, more than some might think.
So, a few years ago, I followed this method to deploy DCs in a large company for which I only had a bandwidth of 64 Kbits on some sites … and an AD of 2Gb + Sysvol.
Gathering AD + Sysvol (with the method described), copying to a USB key (bootable with a Windows Server master on it), sending it to the site, booting from the key, installing Windows Server and, after installation, installing AD from the info on the key. Only the elements modified since the AD collection are synchronized (fast and efficient). In summary, total deployment in less than 1 hour instead of 4 hours just for AD sync. 🙂
Article to keep in mind