You can choose additional installation options for a domain controller during Active Directory Domain Services (AD DS) installation. For example, you can install the DNS Server service or make the server a global catalog server or a read-only domain controller (RODC). The following sections explain these additional installation options in more detail. These sections also explain how the options interact with each other.

DNS server option

Installing the DNS Server service on a domain controller makes that domain controller a Domain Name System (DNS) server. The default setting for the DNS server option depends on the following factors:

  • The deployment configuration that you choose, for example, adding a new domain or adding an additional domain controller for an existing domain

  • Your current DNS environment

The following table lists the default settings for installing a DNS server for the various AD DS deployment configurations.

| Deployment configuration | Default setting for DNS server installation |
| --- | --- |
| New forest | The DNS server is installed by default. |
| New domain | The DNS server is installed by default if the wizard detects a DNS infrastructure in the parent domain. The DNS server is not installed by default if the wizard does not detect a DNS infrastructure. |
| New domain tree | The DNS server is installed by default if the wizard detects a DNS infrastructure in the forest root domain. The DNS server is not installed by default if the wizard does not detect a DNS infrastructure. |
| Additional domain controller | The DNS server is installed by default if the wizard detects a DNS infrastructure in the domain. The DNS server option is not available if the wizard does not detect a DNS infrastructure in the domain. |

Note

If the DNS server is already installed before you start the Active Directory Domain Services Installation Wizard but the Active Directory domain does not have a DNS infrastructure, the DNS server continues to resolve names for any file-based zones that it hosts but it will not host any Active Directory–integrated DNS zones for the domain in which it is a domain controller.

DNS client settings

When you install an additional domain controller in an existing domain, the Active Directory Domain Services Installation Wizard verifies that the DNS client settings are correctly configured on the server. If the DNS client settings are not correctly configured with the IP address of a preferred DNS server, the wizard returns an error and you must correct the problem before you can continue.

You can then choose to manually configure the DNS client settings correctly. If you are creating a new forest that does not have an existing DNS infrastructure, you can also choose to have the wizard automatically install the DNS Server service and configure the DNS client settings with the IP address of the local DNS server.

If you choose to have the wizard configure DNS client settings when it installs the DNS Server service (an option that is available only when you are creating a new forest), the DNS server check box on the Additional Domain Controller Options page is selected and it cannot be cleared. You must install the DNS Server service at this point or click Back through the wizard until you are again provided the option to manually configure the DNS client settings.

Global catalog option

Because the first domain controller in a forest must be a global catalog server, the Global catalog check box is selected and it cannot be cleared when you create a forest. The check box is also selected by default when you install an additional domain controller in an existing domain. However, you can clear this check box if you do not want the additional domain controller to be a global catalog server.

When you create a new child domain or domain tree, the Global catalog check box is not selected by default because the first domain controller in the new domain hosts all domain-wide operations master roles (also known as flexible single master operations or FSMO roles), including the infrastructure operations master role. In a multidomain forest, you may encounter problems if you host the infrastructure master role on a global catalog server, unless all of the domain controllers in the domain are global catalog servers.

Therefore, if you decide to install the global catalog on the first domain controller in a new child domain or domain tree, either transfer the infrastructure master role after you install additional domain controllers in the domain or ensure that all the additional domain controllers that you install in the domain are also global catalog servers.

As you install additional writable domain controllers, the Active Directory Domain Services Installation Wizard validates that the infrastructure master is hosted on a suitable domain controller and it provides you with options to remedy any problems that can arise with the installation options that you choose. For more information, see Validation checks for the options that you select.

RODC option

In a staged installation of an RODC, the Read-only domain controller check box is selected and it cannot be cleared when you create the RODC account. The Additional Domain Controller Options page does not appear when you attach the server to the RODC account.

If you are installing an additional domain controller in a domain but you are not performing a staged installation, the Read-only domain controller check box is cleared by default. You can select it unless conditions in your environment prevent RODC installation. If conditions in your environment do prevent RODC installation, the RODC check box is cleared and it cannot be selected. The following conditions prevent RODC installation:

  • You are installing the first domain controller in a new forest.

  • You are installing the first domain controller in a new domain.

  • The forest functional level is not Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.

  • There are no writable domain controllers running Windows Server 2008 or Windows Server 2008 R2 in the domain in which you want to install the RODC.
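
The conditions above can be checked against a domain inventory before you start the wizard. The following PowerShell sketch is an added example, not part of the wizard or of the original topic; the function name `Get-RodcInstallBlocker`, the host name, and the sample inventory are constructed for illustration, and the property names match what `Get-ADForest` and `Get-ADDomainController` from the ActiveDirectory module return.

```powershell
# Added example: inputs are plain objects, so the logic runs without a domain.
function Get-RodcInstallBlocker {
    param(
        [Parameter(Mandatory = $true)] [string] $ForestMode,
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $DomainControllers
    )
    $blockers = @()

    # Forest functional levels the topic accepts, written as ForestMode names.
    $okModes = 'Windows2003Forest', 'Windows2008Forest', 'Windows2008R2Forest'
    if ($okModes -notcontains $ForestMode) {
        $blockers += "Forest functional level '$ForestMode' is not in: $($okModes -join ', ')."
    }

    # \W* tolerates a trademark sign that may follow "Server" in the OS string.
    $writable2008 = @($DomainControllers | Where-Object {
        -not $_.IsReadOnly -and $_.OperatingSystem -match '^Windows Server\W*2008'
    })

    if ($DomainControllers.Count -eq 0) {
        # An empty domain means this would be its first DC, which cannot be an RODC.
        $blockers += 'This would be the first domain controller in the domain.'
    }
    elseif ($writable2008.Count -eq 0) {
        $blockers += 'No writable DC in the domain runs Windows Server 2008 or 2008 R2.'
    }
    $blockers
}

# Constructed inventory: one writable Windows Server 2003 DC in a
# Windows 2000 functional level forest, so both checks report a blocker.
$dcs = @(
    [pscustomobject]@{ HostName = 'dc1.example.test'; IsReadOnly = $false; OperatingSystem = 'Windows Server 2003' }
)
Get-RodcInstallBlocker -ForestMode 'Windows2000Forest' -DomainControllers $dcs

# Live data (ActiveDirectory module):
#   Get-RodcInstallBlocker -ForestMode (Get-ADForest).ForestMode `
#       -DomainControllers @(Get-ADDomainController -Filter *)
```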

How additional installation options interact

If you select the Read-only domain controller check box, the wizard automatically selects the DNS server check box unless this option cannot be selected, for example, when no current DNS infrastructure exists for that domain. If you clear the DNS server check box after the wizard selects it, the wizard warns you that clients in the branch office might not be able to locate the RODC if you do not also install the DNS server.

The Global catalog check box might also be selected by default, depending on the other installation options that you select. By default, if you select the Read-only domain controller check box, the wizard automatically selects the Global catalog check box. For more information about other installation options in which the Global catalog check box is selected by default, see Global catalog option earlier in this topic.

Additional information about the options that you select

The Active Directory Domain Services Installation Wizard updates the Additional information text box with information about your environment, based on the default selections and the options that you select on the Additional Domain Controller Options page. As you change your selections, the wizard dynamically updates the messages that appear in this text box.

For example, if you select the Global catalog check box, the wizard updates the Additional information text box to indicate how many other global catalog servers are deployed in the domain and site. This information can help you confirm that you are installing AD DS with the options that you planned.

The wizard also updates the Additional information text box to indicate if any existing conditions in your environment currently prevent any of the options from being available. For example, if no writable domain controller in your domain is running Windows Server 2008 or Windows Server 2008 R2, the wizard clears the Read-only domain controller check box, makes this option unavailable, and writes a message in the Additional information text box that states that there must be a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the domain to install an RODC.

Validation checks for the options that you select

After you select your options on the Additional Domain Controller Options page and then click Next, the wizard performs the following validation checks before it continues:

Infrastructure master check

If you select the option to install an additional domain controller in a domain, the Active Directory Domain Services Installation Wizard selects the Global catalog check box by default. If you are installing a writable domain controller (the Read-only domain controller check box is cleared) and you also clear the Global catalog check box, the wizard checks whether the infrastructure master role is currently hosted on a global catalog server in the domain. If it is, the wizard prompts you to transfer the role to the domain controller that you are installing. You can either click Yes to transfer the infrastructure master role to this domain controller or click No to correct the configuration later.
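
The infrastructure master placement rule described here and in Global catalog option can be audited outside the wizard. This PowerShell sketch is an added example, not the wizard's own logic; the function name `Get-InfrastructureMasterFinding`, the host names, and the sample inventory are constructed, and the property names match the output of `Get-ADDomain`, `Get-ADForest`, and `Get-ADDomainController`.

```powershell
# Added example: inputs are plain objects, so the logic runs without a domain.
function Get-InfrastructureMasterFinding {
    param(
        [Parameter(Mandatory = $true)] [string]   $InfrastructureMaster,
        [Parameter(Mandatory = $true)] [object[]] $DomainControllers,
        [Parameter(Mandatory = $true)] [int]      $ForestDomainCount
    )

    $holder = $DomainControllers | Where-Object { $_.HostName -eq $InfrastructureMaster }
    if (-not $holder) {
        return [pscustomobject]@{ Status = 'Unknown'; Detail = "$InfrastructureMaster is not in the supplied list." }
    }

    $nonGc = @($DomainControllers | Where-Object { -not $_.IsGlobalCatalog })

    # The conflict exists only in a multidomain forest, when the role holder is
    # a global catalog server and at least one DC in the domain is not.
    if ($ForestDomainCount -le 1 -or -not $holder.IsGlobalCatalog -or $nonGc.Count -eq 0) {
        return [pscustomobject]@{ Status = 'OK'; Detail = "No conflict for $InfrastructureMaster." }
    }

    # Operations master roles need a writable DC, so RODCs are not transfer targets.
    $targets = @($nonGc | Where-Object { -not $_.IsReadOnly } | ForEach-Object { $_.HostName })
    $fix = 'Make every DC in the domain a global catalog server.'
    if ($targets.Count -gt 0) {
        $fix = "Transfer the role to one of: $($targets -join ', '), or make every DC a global catalog server."
    }
    [pscustomobject]@{
        Status = 'Warning'
        Detail = "$InfrastructureMaster holds the role and is a global catalog server. $fix"
    }
}

# Constructed inventory for a child domain in a two-domain forest.
$dcs = @(
    [pscustomobject]@{ HostName = 'dc1.child.example.test'; IsGlobalCatalog = $true;  IsReadOnly = $false }
    [pscustomobject]@{ HostName = 'dc2.child.example.test'; IsGlobalCatalog = $false; IsReadOnly = $false }
)
Get-InfrastructureMasterFinding -InfrastructureMaster 'dc1.child.example.test' `
    -DomainControllers $dcs -ForestDomainCount 2

# Live data (ActiveDirectory module):
#   Get-InfrastructureMasterFinding -InfrastructureMaster (Get-ADDomain).InfrastructureMaster `
#       -DomainControllers @(Get-ADDomainController -Filter *) `
#       -ForestDomainCount @((Get-ADForest).Domains).Count
```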

Adprep /rodcprep check

If you are installing an RODC, the wizard verifies that the adprep /rodcprep command completed successfully and that the changes that result from the command are replicated throughout the forest. If the adprep /rodcprep command does not complete successfully or the changes are not yet replicated, you receive an error message that states that the command must be run before you can continue with the installation. If you receive this message, run adprep /rodcprep again on any computer in the forest or wait until the changes are replicated throughout the forest.

Validation of static IP address

If you select the DNS server check box, the Active Directory Domain Services Installation Wizard verifies that all of the physical network adapters for the server have a static address, including a static IP version 4 (IPv4) address and a static IP version 6 (IPv6) address if they are both available. Although you can complete the AD DS installation without using a static IP address, this is not recommended because clients can have trouble contacting the domain controller if its IP address changes. For more information about setting a static IP address, see Configuring TCP/IP and DNS Client Settings.