If you have an existing Active Directory domain which your new domain controller will be joining, you need to prepare the existing Active Directory in advance of the installation.
All of these steps must be performed on the existing domain controller.
Step 1. Create a new domain admin user
Log on to the existing Domain Controller, open Active Directory Users and Computers and create a domain user account called zynstra-adm. The account needs to be a member of the Domain Admins group.
Keep a note of the zynstra-adm user's password, as you will need to give it to our support team.
Step 2. Configure the secondary DNS server
Log on to the existing Domain Controller and configure the network card so that the secondary DNS server is the IP address of ZDC (ZDC is your new domain controller). The support team will be able to tell you the IP address of ZDC. If you need help changing the secondary DNS server IP, please view the article: How to change the secondary server IP address
Step 3. Unlink group policies on the Domain Controllers OU
Log on to the existing Domain Controller, open Group Policy Management and remove any group policies linked to the Domain Controllers Organisational Unit (OU).
- If any group policies are linked to the Domain Controllers OU you must remove them. You must ensure that no group policies apply to the Domain Controllers OU apart from the Default Domain Controllers Policy. You can re-link the policies to lower OUs as necessary.
Here is a Microsoft Technet article explaining how to Unlink a Group Policy: https://technet.microsoft.com/en-us/library/cc785855(v=ws.10).aspx
Step 4. Check the Default Domain Controllers and Default Domain Policy
Log on to the existing Domain Controller, open Group Policy Management and check the Default Domain Controllers Policy and the Default Domain Policy. If either of them contains settings for any of the items below, you must remove them:
4a. Windows Update settings. You need to ensure that no Windows Update settings are being applied to the Domain Controllers. The policy settings are here: Computer Configuration > Administrative Templates > Windows Components > Windows Update
4b. Software installation. You need to ensure that no software is installed to the Domain Controllers by policy. The policy settings are here: Computer Configuration > Software Settings > Software Installation
4c. NTP settings. You need to ensure that the Domain Controllers are not configured to use an external time source. The policy settings are here: Computer Configuration > Administrative Templates > System > Windows Time Service
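The following PowerShell script is an added example, not part of the original article: it performs a read-only audit of the conditions in Steps 3 and 4, listing anything linked to the Domain Controllers OU other than the default policy and flagging Windows Update, Software Installation and Windows Time Service settings in the two default GPOs. It assumes the GroupPolicy and ActiveDirectory RSAT modules are available on the existing Domain Controller and that it is run as a Domain Admin; it reports findings and changes nothing.

```powershell
# Added example (not from the original article): read-only audit for Steps 3 and 4.
# Assumes the GroupPolicy and ActiveDirectory modules and Domain Admin rights.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dcOU     = "OU=Domain Controllers,$domainDN"

# Step 3: anything linked to the Domain Controllers OU other than the default policy
$links = (Get-GPInheritance -Target $dcOU).GpoLinks
$extra = @($links | Where-Object { $_.DisplayName -ne 'Default Domain Controllers Policy' })
if ($extra.Count -gt 0) {
    Write-Warning ("Unlink from {0}: {1}" -f $dcOU, ($extra.DisplayName -join ', '))
} else {
    Write-Host "Domain Controllers OU: only the Default Domain Controllers Policy is linked."
}

# Step 4: 4a (Windows Update) and 4c (Windows Time Service) are registry-based policies,
# so Get-GPRegistryValue can read them. 4b (Software Installation) is a separate
# client-side extension, so it is read from the GPO's XML report instead.
$regKeys = @{
    '4a Windows Update'       = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
    '4c Windows Time Service' = 'HKLM\Software\Policies\Microsoft\W32Time'
}
foreach ($gpoName in 'Default Domain Controllers Policy', 'Default Domain Policy') {
    foreach ($label in $regKeys.Keys) {
        # Get-GPRegistryValue errors when the key is absent from the GPO; absent is the clean state
        $values = $null
        try { $values = Get-GPRegistryValue -Name $gpoName -Key $regKeys[$label] -ErrorAction Stop } catch { }
        if ($values) {
            Write-Warning "$gpoName defines $label settings; remove them before proceeding."
        }
    }
    [xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
    # Assumption: the report names the extension 'Software Installation' under Computer settings
    $sw = $report.GPO.Computer.ExtensionData | Where-Object { $_.Name -eq 'Software Installation' }
    if ($sw) {
        Write-Warning "$gpoName assigns software to computers; remove it before proceeding."
    }
}
```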
Step 5. Edit the Default Domain Controllers Policy to allow Log on as a batch job and Log on as a service:
Log on to the existing Domain Controller, open Group Policy Management, edit the Default Domain Controllers Policy and then drill down to:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies> User Rights Assignment
- Find the policy Log on as a batch job, double-click to open it, and add the Administrators group.
- Find the policy Log on as a service, double-click to open it, and uncheck "Define these policy settings".
Step 6. Check Forest Functional level
On the existing Domain Controller, ensure the Active Directory Forest Functional Level is Windows Server 2003 or higher. If it is not, you must raise it.
Here is a Microsoft Technet article explaining how to do this: https://technet.microsoft.com/en-gb/library/cc780862(v=ws.10).aspx
If there are any Windows 2000 Domain Controllers, they need to be decommissioned before you can proceed.
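This PowerShell script is an added example, not part of the original article: it checks the forest functional level against the Windows Server 2003 requirement and looks for Windows 2000 Domain Controllers in every domain of the forest. It assumes the ActiveDirectory RSAT module and is read-only; raising the level is still done as described in the Technet article.

```powershell
# Added example (not from the original article): Step 6 checks. Read-only.
Import-Module ActiveDirectory

$forest = Get-ADForest
# ADForestMode is an enum ordered by version (Windows2000Forest, Windows2003InterimForest,
# Windows2003Forest, Windows2008Forest, ...), so an integer comparison gives "2003 or higher".
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    Write-Warning "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003 or higher."
} else {
    Write-Host "Forest functional level is $($forest.ForestMode): OK"
}

# Windows 2000 domain controllers block the raise and must be decommissioned first.
# Each domain in the forest is queried by its DNS name via -Server.
$legacyDCs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -like 'Windows 2000*' }
}
if ($legacyDCs) {
    $legacyDCs | Select-Object HostName, Domain, OperatingSystem | Format-Table -AutoSize
    Write-Warning "Decommission the domain controllers listed above before continuing."
} else {
    Write-Host "No Windows 2000 domain controllers found."
}
```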
Step 7. Additional steps if there is a Small Business Server
If there is an existing Windows Small Business Server (SBS), you need to perform the following steps:
7a. Remove ALL of the SBS login scripts.
- Log on to the existing SBS server.
- On the Migration Wizard Home page, click Remove legacy group policies and logon settings, and then click Next.
- Log on to the Source Server with an administrator account and password.
- On the Source Server, click Start, and then click Run.
- Type \\localhost\sysvol\<DomainName>.local\scripts, and then press ENTER.
- Delete or rename SBS_LOGIN_SCRIPT.bat.
Here is a Microsoft Technet article which explains how to do this: https://technet.microsoft.com/en-us/library/cc527605(v=ws.10).aspx
7b. Unlink all SBS policies applied at domain level and link them to the My Business OU
Log on to the existing Domain Controller, open Group Policy Management and remove any SBS group policies linked to the top-level domain. You can re-link them to the relevant OUs if necessary.
Here is a Microsoft Technet article explaining how to Unlink a Group Policy: https://technet.microsoft.com/en-us/library/cc785855(v=ws.10).aspx
7c. Run the following commands in an elevated PowerShell prompt to reset the default containers for new user and computer objects (replace DC=zynstra,DC=local with your own domain's distinguished name):
redircmp "CN=Computers,DC=zynstra,DC=local"
redirusr "CN=Users,DC=zynstra,DC=local"
Further information is in this Microsoft Technet Article: https://support.microsoft.com/en-us/kb/324949
Step 8. Check the existing Active Directory is healthy
On the existing Domain Controller, run DCDIAG to verify that the existing Active Directory is healthy.
Any failures must be investigated and resolved before proceeding.
Here is a useful article on using DCDIAG to identify any issues: https://redmondmag.com/articles/2014/08/28/dcdiag-with-windows-server.aspx
Here is a Microsoft Technet article on using DCDIAG: https://technet.microsoft.com/en-gb/library/cc731968.aspx
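The following PowerShell script is an added example, not part of the original article: it runs DCDIAG against every Domain Controller in the domain, extracts the names of the failed tests from the output, and prints a replication summary. It assumes the ActiveDirectory RSAT module and that dcdiag.exe and repadmin.exe are on the PATH.

```powershell
# Added example (not from the original article): Step 8 health check across all DCs.
Import-Module ActiveDirectory

$summary = foreach ($dc in Get-ADDomainController -Filter *) {
    # /c runs the comprehensive test set; /q prints only errors, so empty output means a clean DC
    $output = & dcdiag.exe "/s:$($dc.HostName)" /c /q 2>&1
    # Each failure ends with a line such as "......... DC01 failed test Replications"
    $failed = @($output | Select-String -Pattern 'failed test (\w+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique)
    [pscustomobject]@{
        DomainController = $dc.HostName
        FailedTests      = if ($failed.Count) { $failed -join ', ' } else { '(none)' }
        RawOutput        = ($output | Out-String)
    }
}
$summary | Format-Table DomainController, FailedTests -AutoSize

# Replication problems are the most common DCDIAG failure; this shows per-DC failure counts.
& repadmin.exe /replsummary

# Print the full dcdiag output only for the DCs that failed something.
foreach ($row in $summary | Where-Object { $_.FailedTests -ne '(none)' }) {
    Write-Warning "$($row.DomainController) failed: $($row.FailedTests). Full dcdiag output follows."
    $row.RawOutput
}
```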