The ADMINISTRATOR logged on to a newly installed Windows-based server that had been joined to the domain. This created the traffic that is documented in Scenarios 1 and 3.
The ADMINISTRATOR then ran the DCPROMO utility to promote this server to a domain controller and selected the option to have this DC as part of an existing domain (that is, as part of the domain that was created in Scenario 14).
Note: This step occurred 350 packets into the sniff.
After selecting the Next option, DCPROMO connected to the DC by using a combination of [LDAP], the Kerberos protocol, SMB, and the Directory Services Setup (DSSETUP) Remote Protocol packets in order to set up the new DC. It then restarted the server so that it would start up in its new mode.
Note: When tested, this restart occurred after 1,450 packets.
After the system was restarted, similar traffic occurred with the inclusion of SAM traffic. Eventually, registry values were written to the new DC by using the Windows Remote Registry Protocol.
Note: When tested, this step occurred at packets 1,970–2,100.
After the registry keys were transferred, similar traffic continued for another 200 packets, and file replication then started as part of the SYSVOL replication.
Note: This step started at about packet 2,300 and went until about packet 2,600.
The newly promoted domain controller was now fully replicated and began handling logon requests.
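The protocol order in this scenario (DSSETUP, then SAM, then Remote Registry, then file replication) can be used to triage a capture for hosts that were promoted without being in the DC inventory. The following is an added example, not part of the original document: the protocol labels ("SAMR", "WINREG", "FRS"), the addresses, and the sample records are constructed assumptions, and the match is a heuristic that still needs analyst review.

```python
# Assumed capture-export labels: the scenario names the protocols in prose;
# these short labels are stand-ins chosen for this example.
MARKERS = ["DSSETUP", "SAMR", "WINREG", "FRS"]  # order described in the scenario

def phase_spans(records, host):
    """Return {marker: (first_pkt, last_pkt)} for packets sent by or to host."""
    spans = {}
    for pkt_no, src, dst, proto in sorted(records):
        if host not in (src, dst) or proto not in MARKERS:
            continue
        first, _ = spans.get(proto, (pkt_no, pkt_no))
        spans[proto] = (first, pkt_no)
    return spans

def looks_like_promotion(records, host):
    """True when every marker protocol first appears in the scenario's order."""
    spans = phase_spans(records, host)
    if any(m not in spans for m in MARKERS):
        return False
    firsts = [spans[m][0] for m in MARKERS]
    return firsts == sorted(firsts)

def unexpected_promotions(records, known_dcs):
    """Hosts showing the promotion pattern that are not in the DC inventory."""
    talkers = {src for _, src, _, proto in records if proto == "DSSETUP"}
    return sorted(h for h in talkers - set(known_dcs)
                  if looks_like_promotion(records, h))

# Constructed sample: (packet number, source, destination, protocol label).
# Packet numbers loosely follow the notes above; addresses are made up.
NEW, DC, WS = "10.0.0.20", "10.0.0.10", "10.0.0.50"
SAMPLE = [
    (340, NEW, DC, "LDAP"), (350, NEW, DC, "DSSETUP"), (360, DC, NEW, "DSSETUP"),
    (900, NEW, DC, "KRB5"), (1500, NEW, DC, "SAMR"),
    (1970, NEW, DC, "WINREG"), (2100, DC, NEW, "WINREG"),
    (2300, DC, NEW, "FRS"), (2600, NEW, DC, "FRS"),
    (400, WS, DC, "DSSETUP"), (410, WS, DC, "SMB"),  # workstation: no full sequence
]

if __name__ == "__main__":
    print(phase_spans(SAMPLE, NEW))
    print(unexpected_promotions(SAMPLE, known_dcs={DC}))
```

A host that is reported here but is absent from the inventory is a candidate for review; a workstation that only issues DSSETUP calls does not match because the later phases never appear.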