1
00:00:00,840 --> 00:00:04,210
In this demonstration, I'm going to show you how to use install from media,

2
00:00:04,210 --> 00:00:06,530
or IFM, to promote a domain controller.

3
00:00:06,530 --> 00:00:07,230
Specifically,

4
00:00:07,230 --> 00:00:10,920
it's going to be a domain controller running read‑only domain controller,

5
00:00:10,920 --> 00:00:11,990
RODC.

6
00:00:11,990 --> 00:00:15,450
I am, as you see here, I'm on one of my server systems.

7
00:00:15,450 --> 00:00:19,510
I'm on cdc1.child.timw.info,

8
00:00:19,510 --> 00:00:23,240
and I'm signed in as a domain administrator in that child domain.

9
00:00:23,240 --> 00:00:26,150
The RODC is going to be called CRODC1.

10
00:00:26,150 --> 00:00:28,890
I've already got it set up and joined to the domain,

11
00:00:28,890 --> 00:00:30,220
it's ready to be promoted,

12
00:00:30,220 --> 00:00:32,760
but the idea is that I want to create an offline

13
00:00:32,760 --> 00:00:34,880
install from media set on this machine.

14
00:00:34,880 --> 00:00:35,720
How do we do that?

15
00:00:35,720 --> 00:00:37,500
I am on a read/write domain controller.

16
00:00:37,500 --> 00:00:39,950
While I bring up ntdsutil,

17
00:00:39,950 --> 00:00:42,560
which is a command line tool that gives us a deeper

18
00:00:42,560 --> 00:00:44,880
access into Active Directory,

19
00:00:44,880 --> 00:00:49,960
and I'm going to do activate instance ntds and I'm going to go into ifm

20
00:00:49,960 --> 00:00:52,660
and then run help where you can see the syntax here.

21
00:00:52,660 --> 00:00:54,870
The install from media subsection,

22
00:00:54,870 --> 00:01:00,030
we're going to do a Create Sysvol RODC and we're going to put it

23
00:01:00,030 --> 00:01:03,070
in a folder at the root of drive C called IFM.

24
00:01:03,070 --> 00:01:03,880
Now, you know something,

25
00:01:03,880 --> 00:01:06,570
I don't think I have that folder created so let me

26
00:01:06,570 --> 00:01:08,810
quickly race to the root of drive C.

27
00:01:08,810 --> 00:01:10,710
No I, oh I do, there it is right there.

28
00:01:10,710 --> 00:01:11,160
Okay.

29
00:01:11,160 --> 00:01:14,550
So that looks pretty good, Create Sysvol RODC.

30
00:01:14,550 --> 00:01:17,920
So this is going to put both the Active Directory database,

31
00:01:17,920 --> 00:01:22,300
as well as the Sysvol folder in that C:\IFM directory,

32
00:01:22,300 --> 00:01:25,550
and there it is, IFM media created successfully.

33
00:01:25,550 --> 00:01:28,600
It's important to note that you can do IFM for read/write,

34
00:01:28,600 --> 00:01:30,580
as well as RODC installations,

35
00:01:30,580 --> 00:01:35,120
but I'm making specifically a read‑only IFM set because,

36
00:01:35,120 --> 00:01:38,340
of course, I'm targeting it on a read‑only domain controller.

37
00:01:38,340 --> 00:01:41,840
What you see on my screen in the background is Server Manager where I've

38
00:01:41,840 --> 00:01:46,760
used the Add server function to bring in my CRODC1 machine, and then from

39
00:01:46,760 --> 00:01:51,820
here on CDC1, I right‑clicked and I'm doing an add role operation to

40
00:01:51,820 --> 00:01:54,290
install Active Directory on this machine.

41
00:01:54,290 --> 00:01:58,860
It's going to be during the promotion process that the install from media

42
00:01:58,860 --> 00:02:03,050
becomes really relevant. Specifically, now I've used File Explorer to

43
00:02:03,050 --> 00:02:07,560
connect on the left to my local C drive and I'm going to now copy the

44
00:02:07,560 --> 00:02:10,150
IFM folder over across the network.

45
00:02:10,150 --> 00:02:15,850
I've made a UNC path connection to \\crodc1\C$, the

46
00:02:15,850 --> 00:02:17,780
administrative share on the C drive.

47
00:02:17,780 --> 00:02:22,260
Now you'd use robocopy or some more robust method if this were a

48
00:02:22,260 --> 00:02:26,600
working active Active Directory system, but mine is brand new so

49
00:02:26,600 --> 00:02:28,900
it's effectively empty, very small.

50
00:02:28,900 --> 00:02:29,850
And if you go in there,

51
00:02:29,850 --> 00:02:35,140
you can see I've got Active Directory, there is the ntds.dit file, about 25 MB,

52
00:02:35,140 --> 00:02:39,890
and then we have our SYSVOL directory that's got our Group Policies and logon

53
00:02:39,890 --> 00:02:41,940
scripts in there, which again, it's all empty.

54
00:02:41,940 --> 00:02:43,570
Now here is the money for IFM.

55
00:02:43,570 --> 00:02:46,740
Now remember, I'm connected to CRODC1. We'll promote

56
00:02:46,740 --> 00:02:48,570
this server as a domain controller.

57
00:02:48,570 --> 00:02:52,740
We're adding a domain controller to an existing domain and that domain is our

58
00:02:52,740 --> 00:02:58,240
child domain, child.timw.info. We'll provide the administrative credentials,

59
00:02:58,240 --> 00:03:00,940
and once I authenticate as a domain administrator,

60
00:03:00,940 --> 00:03:04,770
we specify number one, this is going to be a read‑only domain controller.

61
00:03:04,770 --> 00:03:09,240
We specify our directory restore mode password, Next. Now when

62
00:03:09,240 --> 00:03:12,570
you've got a RODC, you've got to determine which accounts in the

63
00:03:12,570 --> 00:03:16,340
domain will have their credentials cached into the RODC and

64
00:03:16,340 --> 00:03:17,640
notice that administrators,

65
00:03:17,640 --> 00:03:21,100
server operators, and backup operators never have their credentials

66
00:03:21,100 --> 00:03:25,070
cached. And what you'll do is populate the built‑in Allowed RODC

67
00:03:25,070 --> 00:03:28,990
Password Replication Group, that's your default group, to contain user

68
00:03:28,990 --> 00:03:32,350
accounts who would be in that branch office and whose credentials

69
00:03:32,350 --> 00:03:34,100
would be allowed to be cached.

70
00:03:34,100 --> 00:03:37,570
You could also create a delegated administrator account as well.

71
00:03:37,570 --> 00:03:38,590
Let me click Next.

72
00:03:38,590 --> 00:03:40,730
This is the install from media piece.

73
00:03:40,730 --> 00:03:44,120
We choose Install from media and type the path, hit

74
00:03:44,120 --> 00:03:46,220
Verify. Once that's verified,

75
00:03:46,220 --> 00:03:50,230
you choose are you going to complete the replication from any domain

76
00:03:50,230 --> 00:03:56,310
controller in the domain, or specifically, cdc1.child.timw.info. Click

77
00:03:56,310 --> 00:03:59,420
Next. Here, we're verifying our folders, Next.

78
00:03:59,420 --> 00:04:03,370
All prerequisite checks passed successfully, Install. So as we've seen

79
00:04:03,370 --> 00:04:07,510
so far, once the machine is upgraded, it will automatically restart,

80
00:04:07,510 --> 00:04:13,630
in which case, crodc1.child.timw.info will be a read‑only domain

81
00:04:13,630 --> 00:04:20,000
controller that was installed through install from media offline installation. Done and done.