How do I install Active Directory on my Windows Server 2003 server?by Daniel Petri - January 8, 2009 Printer Friendly Version

First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a computer that's not connected to a LAN).

Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in a NEW FOREST. Meaning - don't do it for any other scenario, such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain follow the Windows 2003 ADPrep tip.

Windows 2000 Note: If you plan to install a new Windows 2000 DC please read How to Install Active Directory on Windows 2000.

Windows 2008 Note: Install Active Directory on Windows Server 2008 provides complete instruction details for working with Windows Server 2008.

Windows Server 2003 Note: If you plan to install a new Windows Server 2003 DC in an existing AD forest please read the  page BEFORE you go on, otherwise you'll end up with the following error:

Here is a quick list of what you must have:

An NTFS partition with enough free space An Administrator's username and password The correct operating system version A NIC Properly configured TCP/IP (IP address, subnet mask and - optional - default

gateway) A network connection (to a hub or to another computer via a crossover cable) An operational DNS server (which can be installed on the DC itself) A Domain name that you want to use The Windows Server 2003 CD media (or at least the i386 folder) Brains (recommended, not required...)

This article assumes that all of the above requirements are fulfilled.

Step 1: Configure the computer's suffix(Not mandatory, can be done via the Dcpromo process).

1. Right click My Computer and choose Properties.

2. Click the Computer Name tab, then Change. 3. Set the computer's NetBIOS name. In Windows Server 2003, this CAN be

changed after the computer has been promoted to Domain Controller.

4. Click More. 5. In the Primary DNS suffix of this computer box enter the would-be domain name.

Make sure you got it right. No spelling mistakes, no "oh, I thought I did it right...". Although the domain name CAN be changed after the computer has been promoted to Domain Controller, this is not a procedure that one should consider lightly, especially because on the possible consequences. Read more about it on

my Windows 2003 Domain Rename Tool page. 6. Click Ok.7. You'll get a warning window.8. Click Ok.

9. Check your settings. See if they're correct. 10. Click Ok.11. You'll get a warning window.12. Click Ok to restart.

Step 2: Configuring the computer's TCP/IP settingsYou must configure the would-be Domain Controller to use it's own IP address as the address of the DNS server, so it will point to itself when registering SRV records and when querying the DNS database.

Configure TCP/IP1. Click Start, point to Settings and then click Control Panel.2. Double-click Network and Dial-up Connections.3. Right-click Local Area Connection, and then click Properties.

4. Click Internet Protocol (TCP/IP), and then click Properties. 5. Assign this server a static IP address, subnet mask, and gateway address. Enter the

server's IP address in the Preferred DNS server box.Note: This is true if the server

itself will also be it's own DNS server. If you have another operational Windows 2000/2003 server that is properly configured as your DNS server (read my Create a New DNS Server for AD page) - enter that server's IP address instead:

6. Click Advanced.7. Click the DNS Tab.8. Select "Append primary and connection specific DNS suffixes"9. Check "Append parent suffixes of the primary DNS suffix"10. Check "Register this connection's addresses in DNS". If this Windows

2000/2003-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder

configured. 11. Click OK to close the Advanced TCP/IP Settings properties.12. Click OK to accept the changes to your TCP/IP configuration.13. Click OK to close the Local Area Connections properties.

Step 3: Configure the DNS Zone(Not mandatory, can be done via the Dcpromo process).

This article assumes that you already have the DNS service installed. If this is not the case, please read Create a New DNS Server for AD.

Furthermore, it is assumed that the DC will also be it's own DNS server. If that is not the case, you MUST configure another Windows 2000/2003 server as the DNS server, and if you try to run DCPROMO without doing so, you'll end up with errors and the process will fail.

Also see » What's New in Group Policy?

Creating a Standard Primary Forward Lookup Zone1. Click Start, point to All Programs, point to Administrative Tools, and then click

DNS Manager. You see two zones under your computer name: Forward Lookup Zone and Reverse Lookup Zone.

2. Right click Forward Lookup Zones and choose to add a new zone.

3. Click Next. The new forward lookup zone must be a primary zone so that it can

accept dynamic updates. Click Primary, and then click Next. 4. The name of the zone must be the same as the name of the Active Directory

domain, or be a logical DNS container for that name. For example, if the Active Directory domain is named "lab.dpetri.net", legal zone names are "lab.dpetri.net",

"dpetri.net", or "net". Type the name of the zone, and then click Next.

5. Accept the default name for the new zone file. Click Next. 6. To be able to accept dynamic updates to this new zone, click "Allow both

nonsecure and secure dynamic updates". Click Next.

7. Click Finish.

You should now make sure your computer can register itself in the new zone. Go to the Command Prompt (CMD) and run "ipconfig /registerdns" (no quotes, duh...). Go back to the DNS console, open the new zone and refresh it (F5). Notice that the computer should by now be listed as an A Record in the right pane.

If it's not there try to reboot (although if it's not there a reboot won't do much good). Check the spelling on your zone and compare it to the suffix you created in step 1. Check your IP settings.

Enable DNS Forwarding for Internet connections (Not mandatory)

1. Start the DNS Management Console.2. Right click the DNS Server object for your server in the left pane of the console,

and click Properties. 3. Click the Forwarders tab.4. In the IP address box enter the IP address of the DNS servers you want to forward

queries to - typically the DNS server of your ISP. You can also move them up or down. The one that is highest in the list gets the first try, and if it does not respond within a given time limit - the query will be forwarded to the next server in the

list. 5. Click OK.

Creating a Standard Primary Reverse Lookup ZoneYou can (but you don't have to) also create a reverse lookup zone on your DNS server. The zone's name will be the same as your TCP/IP Network ID. For example, if your IP address is 192.168.0.200, then the zone's name will be 192.168.0 (DNS will append a long name to it, don't worry about it). You should also configure the new zone to accept dynamic updates. I guess you can do it on your own by now, can't you?

Step 4: Running DCPROMOAfter completing all the previous steps (remember you didn't have to do them) and after double checking your requirements you should now run Dcpromo.exe from the Run command.

1. Click Start, point to Run and type "dcpromo". 2. The wizard windows will appear. Click Next.

3. In the Operating System Compatibility windows read the requirements for the

domain's clients and if you like what you see - press Next.

4. Choose Domain Controller for a new domain and click Next.

5. Choose Create a new Domain in a new forest and click Next.

6. Enter the full DNS name of the new domain, for example - kuku.co.il - this must be the same as the DNS zone you've created in step 3, and the same as the

computer name suffix you've created in step 1. Click Next. This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.

7. Accept the the down-level NetBIOS domain name, in this case it's KUKU. Click

Next 8. Accept the Database and Log file location dialog box (unless you want to change

them of course). The location of the files is by default %systemroot%\NTDS, and you should not change it unless you have performance issues in mind. Click Next.

9. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files is by default %systemroot%SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.

10. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the following warning:This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.You have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address.To let Dcpromo do the work for you, select "Install and configure the DNS server...".

Click Next.

Otherwise, you can accept the default choice and then quit Dcpromo and check steps 1-3.

11. If your DNS settings were right, you'll get a confirmation window.

Just click Next.12. Accept the Permissions compatible only with Windows 2000 or Windows Server

2003 settings, unless you have legacy apps running on Pre-W2K servers.

13. Enter the Restore Mode administrator's password. In Windows Server 2003 this

password can be later changed via NTDSUTIL. Click Next.

14. Review your settings and if you like what you see - Click Next. 15. See the wizard going through the various stages of installing AD. Whatever you

do - NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the wizard finish and then run it again to undo the AD.

16. If all went well you'll see the final confirmation window. Click Finish.

17. You must reboot in order for the AD to function properly. 18. Click Restart now.

Step 5: Checking the AD installationYou should now check to see if the AD installation went well.

1. First, see that the Administrative Tools folder has all the AD management tools

installed. 2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run

command). See that all OUs and Containers are there.

3. Run Active Directory Sites and Services. See that you have a site named Default-

First-Site-Name, and that in it your server is listed. 4. If they don't (like in the following screenshot), your AD functions will be broken

(a good sign of that is the long time it took you to log on. The "Preparing Network Connections" windows will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform

them). = BadThis might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you.Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see steps 1 through 3).

Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist.

= Good

To try and fix the problems first see if the zone is configured to accept dynamic updates.

5. Right-click the zone you created, and then click Properties. 6. On the General tab, under Dynamic Update, click to select "Nonsecure and

secure" from the drop-down list, and then click OK to accept the change.You should now restart the NETLOGON service to force the SRV registration.You

can do it from the Services console in Administrative tools:

Or from the command prompt type "net stop netlogon", and after it finishes, type "net start netlogon".

Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV record folders.

If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be exactly the same as the AD Domain name. Also check the computer's suffix (see step 1). You won't be able to change the computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off by removing the AD now, before you have any users, groups and other objects in place, and then after repairing the mistake - re-running DCPROMO.

7. Check the NTDS folder for the presence of the required files. 8. Check the SYSVOL folder for the presence of the required subfolders.

9. Check to see if you have the SYSVOL and NETLOGON shares, and their location.

If all of the above is ok, I think it's safe to say that your AD is properly installed.

If not, read Troubleshooting Dcpromo Errors and re-read steps 1-4 in this article.

Sign Up For the Petri IT Knowledgebase Weekly Digest!

E-mail Address:

Search Site

Sponsors

FREE Active Directory Monitoring Take the guesswork out of which WMI counters to use for apps like Microsoft® Active Directory™ and SharePoint™. SolarWinds FREE WMI Monitor makes it easy! Download this FREE desktop tool now!

Cut Network Troubleshooting Time in Half! Test Speed, Performance, Bandwidth & More. Free Trial Download Available Here »

Free Compliance Download VMware Compliance Checker provides real time compliance check against specific standards and best practices. Free download.

Start Monitoring Your Network Now Get a 30-day trial of SolarWinds flagship network monitoring solution – Orion NPM. Agentless solution auto discovers network and begins monitoring via Web-based console immediately. Valid email required.

http://www.petri.co.il/uri/?id=251&host=technet.microsoft.com

AWS Privacy Policy | Site Info | Contact | Advertise  ©2011 Blue Whale Web Inc. |

How To Create an Active Directory Server in Windows Server 2003View products that this article applies to.

System TipThis article applies to a different version of Windows than the one you are using. Content in this article may not be relevant to you.Visit the Windows 7 Solution CenterThis article was previously published under Q324753

On This Page

SUMMARYo Creating the Active Directoryo Adding Users and Computers to the Active Directory Domaino Troubleshooting

You Cannot Open the Active Directory Snap-ins

Expand all | Collapse all

SUMMARY

This article describes how to install and configure a new Active Directory inst...

This article describes how to install and configure a new Active Directory installation in a laboratory environment that includes Windows Server 2003 and Active Directory. Note that you will need two networked servers that are running Windows Server 2003 for this purpose in a laboratory environment.

Back to the top

Creating the Active DirectoryAfter you have installed Windows Server 2003 on a stand-alone server, run the Active

Directory Wizard to create the new Active Directory forest or domain, and then convert the Windows Server 2003 computer into the first domain controller in the forest. To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps:

1. Insert the Windows Server 2003 CD-ROM into your computer's CD-ROM or DVD-ROM drive.

2. Click Start, click Run, and then type dcpromo.3. Click OK to start the Active Directory Installation Wizard, and then click Next.4. Click Domain controller for a new domain, and then click Next. 5. Click Domain in a new forest, and then click Next.6. Specify the full DNS name for the new domain. Note that because this procedure

is for a laboratory environment and you are not integrating this environment into your existing DNS infrastructure, you can use something generic, such as mycompany.local, for this setting. Click Next.

7. Accept the default domain NetBIOS name (this is "mycompany" if you used the suggestion in step 6). Click Next.

8. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.

9. Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.

10. Click Install and configure the DNS server on this computer, and then click Next.

11. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.

12. Because this is a laboratory environment, leave the password for the Directory Services Restore Mode Administrator blank. Note that in a full production environment, this password is set by using a secure password format. Click Next.

13. Review and confirm the options that you selected, and then click Next.14. The installation of Active Directory proceeds. Note that this operation may take

several minutes.15. When you are prompted, restart the computer. After the computer restarts,

confirm that the Domain Name System (DNS) service location records for the new domain controller have been created. To confirm that the DNS service location records have been created, follow these steps:

a. Click Start, point to Administrative Tools, and then click DNS to start the DNS Administrator Console.

b. Expand the server name, expand Forward Lookup Zones, and then expand the domain.

c. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These folders and the service location records they contain are critical to Active Directory and Windows Server 2003 operations.

Back to the top

Adding Users and Computers to the Active Directory DomainAfter the new Active Directory domain is established, create a user account in that

domain to use as an administrative account. When that user is added to the appropriate security groups, use that account to add computers to the domain.

1. To create a new user, follow these steps:

a. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.

b. Click the domain name that you created, and then expand the contents.c. Right-click Users, point to New, and then click User.d. Type the first name, last name, and user logon name of the new user, and

then click Next.e. Type a new password, confirm the password, and then click to select one

of the following check boxes: Users must change password at next logon (recommended for most

users) User cannot change password Password never expires Account is disabled

Click Next.

f. Review the information that you provided, and if everything is correct, click Finish.

2. After you create the new user, give this user account membership in a group that permits that user to perform administrative tasks. Because this is a laboratory environment that you are in control of, you can give this user account full administrative access by making it a member of the Schema, Enterprise, and Domain administrators groups. To add the account to the Schema, Enterprise, and Domain administrators groups, follow these steps:

a. On the Active Directory Users and Computers console, right-click the new account that you created, and then click Properties.

b. Click the Member Of tab, and then click Add.c. In the Select Groups dialog box, specify a group, and then click OK to

add the groups that you want to the list.d. Repeat the selection process for each group in which the user needs

account membership.e. Click OK to finish.

2. The final step in this process is to add a member server to the domain. This process also applies to workstations. To add a computer to the domain, follow these steps:

a. Log on to the computer that you want to add to the domain.b. Right-click My Computer, and then click Properties.c. Click the Computer Name tab, and then click Change.d. In the Computer Name Changes dialog box, click Domain under

Member Of, and then type the domain name. Click OK.e. When you are prompted, type the user name and password of the account

that you previously created, and then click OK.

A message that welcomes you to the domain is generated.f. Click OK to return to the Computer Name tab, and then click OK to

finish. g. Restart the computer if you are prompted to do so.

Back to the top

Troubleshooting

You Cannot Open the Active Directory Snap-insAfter you have completed the installation of Active Directory, you may not be able to

start the Active Directory Users and Computers snap-in, and you may receive an error message that indicates that no authority can be contacted for authentication. This can occur if DNS is not correctly configured. To resolve this issue, verify that the zones on your DNS server are configured correctly and that your DNS server has authority for the zone that contains the Active Directory domain name. If the zones appear to be correct and the server has authority for the domain, try to start the Active Directory Users and

Computers snap-in again. If you receive the same error message, use the DCPROMO utility to remove Active Directory, restart the computer, and then reinstall Active Directory.

For additional information about configuring DNS on Windows Server 2003, click the following article numbers to view the articles in the Microsoft Knowledge Base: 323380  (http://support.microsoft.com/kb/323380/EN-US/ ) How To Configure DNS for Internet Access in Windows Server 2003 324259  (http://support.microsoft.com/kb/324259/EN-US/ ) How To Configure DNS in a New Workgroup Environment in Windows Server 2003 323418  (http://support.microsoft.com/kb/323418/EN-US/ ) How To Integrate DNS with an Existing DNS Infrastructure If Active Directory Is Enabled in Windows Server 2003 323417  (http://support.microsoft.com/kb/323417/EN-US/ ) How To Integrate Windows Server 2003 DNS with an Existing DNS Infrastructure in Windows Server 2003 324260  (http://support.microsoft.com/kb/324260/EN-US/ ) How To Configure DNS Records for Your Web Site in Windows Server 2003 323445  (http://support.microsoft.com/kb/323445/EN-US/ ) How To Create a New Zone on a DNS Server in Windows Server 2003

Back to the topNote This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.