"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Successfully install active directory on a windows 2003
1. The process of installing an Active Directory domain is quite simple, but if you don't know your basics
you might stumble across a few pitfalls. For additional information about any of the information in this
article, refer to the Windows 2000 online Help and the
What do we need in order to successfully install Active Directory on a Windows 2000 or
Windows Server 2003 server?
Here is a quick list of what you must have:
An NTFS partition with enough free space
An Administrator's username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
A network connection (to a hub or to another computer via a crossover cable)
An operational DNS server (which can be installed on the DC itself)
A Domain name that you want to use
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
Brains (recommended, not required...)
An NTFS Partition
To successfully install AD you must have at least one NTFS formatted partition, preferably the
partition Windows is installed on (This is NOT true when you have performance issues on your
mind. You will then install the AD db on another different fast physical disk, but that's another
topic). To convert a partition (C:) to NTFS type the following command in the command prompt
window:
convert c:/fs:ntfs
The NTFS partition is required for the SYSVOL folder.
Free space on your disk
You need at least 250mb of free space on the partition you plan to install AD on. Of course you'll
need more than that if you plan to create more users, groups and various AD objects.
Local Administrator's username and password
Only a local Administrator (or equivalent) can install the first domain and thus create the new
forest.
2. If you plan to create another Domain Controller for an existing domain - then you must have
Domain Admin right in the domain you're planning to join.
If you want to create a child domain under an existing domain, or another tree in an existing
forest - you must have Enterprise Admin rights.
Windows 2000 Server (or Advanced Server or Data Center
Server), or Windows Server 2003 (or Enterprise Server or
Data Center)
Duh... you cannot install AD on a Professional computer.
IP Configuration
You need a dedicated IP address to install Active Directory. If you do not use a dedicated IP
address, DNS registrations may not work and Active Directory functionality may be lost. If the
computer is a multi-homed computer, the network adapter that is not connected to the Internet
can host the dedicated IP address.
The Active Directory domain controller should point to its own IP address in the DNS server list
to prevent possible DNS connectivity issues.
To configure your IP configuration, use the following steps:
1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties
3. Click Internet Protocol (TCP/IP), and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
Make sure you have a static and dedicated IP address. If you don't need Internet connectivity
through this specific NIC you can use a Private IP range such as 192.168.0.0 with a Subnet Mask
of 255.255.255.0.
1. Click Advanced, and then click the DNS tab. The DNS information should be configured
as follows:
Configure the DNS server addresses to point to the DNS server. This should be the
computer's own IP address if it is the first server or if you are not going to configure a
dedicated DNS server.
If the Append these DNS suffixes (in order) option is selected for the resolution of
unqualified names, the Active Directory DNS domain name should be listed first, at the
top of the list.
Verify that the information in the DNS Suffix for this connection box is the same as the
Active Directory domain name.
Make sure that the Register this connection's addresses in DNS check box is selected.
Active Network Connection Required During Installation
The installation of Active Directory requires an active network connection. When you attempt to
use Dcpromo.exe to promote a Windows 2000 Server-based computer to a domain controller,
you may receive the following error message:
Active Directory Installation Failed
The operation failed with the following error
The network location cannot be reached. For further information about network troubleshooting,
see Windows Help.
This problem can occur if the network cable is not plugged into a hub or other network device.
(Sample of a disconnected or un-plugged network cable)
(Screenshot of a connected NIC)
To resolve this problem, plug the network cable into a hub or other network device. If network
connectivity is not available and this is the first domain controller in a new forest, you can finish
Dcpromo.exe by installing Microsoft Loopback Adapter.
The Microsoft Loopback adapter is a tool for testing in a virtual network environment where
access to a network is not feasible. Also, the Loopback adapter is essential if there are conflicts
with a network adapter or a network adapter driver. Network clients, protocols, and so on, can be
bound to the Loopback adapter, and the network adapter driver or network adapter can be
4. installed at a later time while retaining the network configuration information. The Loopback
adapter can also be installed during the unattended installation process. To manually install:
1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove
Hardware.
2. Click Add/Troubleshoot a device, and then click Next.
3. Click Add a new device, and then click Next.
4. Click No, I want to select the hardware from a list, and then click Next.
5. Click Network adapters, and then click Next.
6. In the Manufacturers box, click Microsoft.
7. In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
8. Click Finish.
After the adapter is installed successfully, you can configure its options manually, as with any
other adapter. Note that if the TCP/IP properties are configured to use DHCP (the default), the
adapter will eventually use an autonet APIPA address (169.254.x.x/16) because it is not actually
connected to any physical media.
"Always On" Internet Connection (recommended)
An "always on" connection (for example, a cable modem or digital subscriber line [DSL] line) is
recommended (but not required) to enable clients to obtain Internet access. If you do not use an
"always on" connection, you must configure a demand-dial interface using Network Address
Translation (NAT) for clients to access the Internet.
This is really not a requirement for AD, but if you later want to install and configure Exchange
2000 or other Internet-aware applications or services you'll need an Internet connection.
DNS Configuration
A DNS server that supports Active Directory DNS entries (SRV records) must be present for
Active Directory to function properly. Read Create a New DNS Server for AD for more info.
You need to keep in mind the following DNS configuration issues when you install Active
Directory on a home network: Root Zone entries and DNS Forwarders.
Root zone entries
External DNS queries to the Internet do not work if a root zone entry exists on the DNS server.
To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the
DNS Manager forward lookup zones. To check for the existence of the root zone entry, open the
forward lookup zones in the DNS Management console. You should see the entry for the
domain. If the "dot" zone exists, delete it. For additional information about the root zone entry,
see 260371 .
5. You can also read my No Forwarding or Root Hints on DNS server? tip.
DNS forwarders (recommended)
If you plan to have full Internet connectivity then DNS forwarders are necessary to ensure that
all DNS entries are correctly sent to your Internet service provider's DNS server and that
computers on your network will be able to resole Internet addresses correctly. You can only
configure DNS forwarders if no root zone entry is present.
To configure forwarders on the DNS server:
1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. On the Forwarders tab, click to select the Enable Forwarders check box.
4. Type the appropriate IP addresses for the DNS servers that may be accepting forwarded
requests from this DNS server. The list reads top-down in order, so place a preferred
DNS server at the top of the list.
It is recommended that you have all the Root Hints (Top Level DNS server) listed in the Root Hints tab.
1. If not, copy the Cache.dns file from the %systemroot%system32dnssamples folder to
the %systemroot%system32dns folder and restart the DNS service.
2. Click OK to accept the changes.
You can also read Configure DNS Forwarding on Windows 2000.
For additional information about DNS issues go to 237675 .
Client Connections
When you have a scenario in which clients on the LAN connect directly to the Internet and not
through a NAT device, the clients should connect to the Active Directory domain controller
using an internal network on a second network adapter. This prevents any issues that may arise if
clients obtain an IP address from your Internet service provider (ISP). You can achieve this
configuration with a second network adapter on the server connected to a hub. You can use NAT
or ICS to isolate the clients on the local network. The clients should point to the domain's DNS
server to ensure proper DNS connectivity. The DNS server's forwarder will then allow the clients
to access DNS addresses on the Internet.
Do not use ICS (recommended)
Use NAT instead. ICS (Internet Connection Sharing) will break down all the DHCP and DNS
functionality on your LAN. Try to avoid ICS at all costs. If you must, make the Domain
6. Controller itself the ICS server, and let all clients obtain their IP configuration automatically.
This of course is not a good security decision, because you will expose your Domain Controller
to potential Internet threats. Again, and I cannot stress this more, avoid ICS on your corporate
LAN and use NAT instead.
NetBIOS Over TCP/IP
A common security consideration with an active connection to the Internet is the restriction of
NetBIOS connections on the network adapter that is directly connected to the Internet. If clients
connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the
external network adapter, and prevent any attempts of unauthorized NetBIOS access by outside
sources.
To disable NetBIOS on the NIC that is connected to the Internet, use the following steps:
1. Right-click My Network Places, and then click Properties.
2. Right-click the icon of the NIC that is connected to the Internet, and then click Properties.
3. Un-check the File and Print Sharing for Microsoft Networks check box.
4. Click TCP/IP and then Properties.
5. Click Advanced and go to the WINS tab.
6. Select the Disable NetBIOS Over TCP/IP radio box.
7. Click Ok all the way out.
Do not use Single-Label domain names
As a general rule, Microsoft recommends that you register DNS domain names for internal and
external namespaces with Internet authorities. This includes the DNS names of Active Directory
domains, unless such names are sub-domains of names that are registered by your organization
name, for example, "corp.example.com" is a sub-domain of "example.com". When you register
DNS names with Internet authorities, it prevents possible name collisions should registration for
the same DNS domain be requested by another organization, or if your organization merges,
acquires or is acquired by another organization that uses the same DNS names.
DNS names that don't include a period ("dot", ".") are said to be single-label (for example, com,
net, org, bank, companyname) and cannot be registered on the Internet with most Inter