Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Installation of Active Directory on Windows Server 2003 Server
1. Installation Guide of Active
Directory on Windows 2003 Server
A detail overview of Active Directory installation and subsequent
configuration on Windows 2003 Server
7/12/2011
TATA CONSULTANCY SERVICES LTD.
Supreme Mandal
Systems Engineer
Associate ID 473199
TATA CONSULTANCY SERVICES Page 1
2. How do I install Active Directory on my Windows
Server 2003 server?
First make sure you read and understand Active Directory Installation Requirements. If you don't comply
with all the requirements of that article you will not be able to set up your AD (for example: you don't
have a NIC or you're using a computer that's not connected to a LAN).
Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a
NEW TREE, in a NEW FOREST. Meaning - don't do it for any other scenario, such as a new replica DC in
an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain
follow the Windows 2003 ADPrep tip.
Windows 2000 Note: If you plan to install a new Windows 2000 DC please read How to Install Active
Directory on Windows 2000.
Windows 2008 Note: Install Active Directory on Windows Server 2008 provides complete instruction
details for working with Windows Server 2008.
Windows Server 2003 Note: If you plan to install a new Windows Server 2003 DC in an existing AD
forest please read the page BEFORE you go on, otherwise you'll end up with the following error:
Here is a quick list of what you must have:
An NTFS partition with enough free space
An Administrator's username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
A network connection (to a hub or to another computer via a crossover cable)
An operational DNS server (which can be installed on the DC itself)
A Domain name that you want to use
TATA CONSULTANCY SERVICES Page 2
3. The Windows Server 2003 CD media (or at least the i386 folder)
Brains (recommended, not required...)
Step 1: Configure the computer's suffix (Not mandatory, can be done via the Dcpromo process).
1. Right click My Computer and choose Properties.
2. Click the Computer Name tab, then Change.
3. Set the computer's NetBIOS name. In Windows Server 2003, this CAN be changed after the computer
has been promoted to Domain Controller.
4. Click More
TATA CONSULTANCY SERVICES Page 3
4. 5. In the Primary DNS suffix of this computer box enter the would-be domain name. Make sure you got it
right. No spelling mistakes, no "oh, I thought I did it right...". Although the domain name CAN be changed
after the computer has been promoted to Domain Controller, this is not a procedure that one should
consider lightly, especially because on the possible consequences. Read more about it on Windows 2003
Domain Rename Tool page.
5. Click Ok.
TATA CONSULTANCY SERVICES Page 4
5. 6. You'll get a warning window.
7. Click Ok.
8. Check your settings. See if they're correct
9. Click Ok.
10. You'll get a warning window.
11. Click Ok to restart.
Step 2: Configuring the computer's TCP/IP settings
You must configure the would-be Domain Controller to use its own IP address as the address of the DNS
server, so it will point to itself when registering SRV records and when querying the DNS database.
Configure TCP/IP
1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection and then click Properties.
TATA CONSULTANCY SERVICES Page 5
6. Click Internet Protocol (TCP/IP), and then click Properties.
Assign this server a static IP address, subnet mask, and gateway address. Enter the server's IP addre ss in
the Preferred DNS server box. Note: This is true if the server itself will also be its own DNS server.
TATA CONSULTANCY SERVICES Page 6
7. If you have another operational Windows 2000/2003 server that is properly configu red as your DNS
server (read Create a New DNS Server for AD page) - enter that server's IP address instead:
TATA CONSULTANCY SERVICES Page 7
8. 1. Click Advanced.
2. Click the DNS Tab.
3. Select "Append primary and connection specific DNS suffixes"
4. Check "Append parent suffixes of the primary DNS suffix"
5. Check "Register this connection's addresses in DNS". If this Windows 2000/2003 -based DNS
server is on an intranet, it should only point to its own IP address for DNS; do not enter IP
addresses for other DNS servers here. If this server needs to resolve names on the Internet, it
should have a forwarder configured.
TATA CONSULTANCY SERVICES Page 8
9. Click OK to close the Advanced TCP/IP Settings properties.
Click OK to accept the changes to your TCP/IP configuration.
Click OK to close the Local Area Connections properties.
Step 3: Configure the DNS Zone
(Not mandatory, can be done via the Dcpromo process).
This article assumes that you already have the DNS service installed. If this is not the case, please read
Create a New DNS Server for AD.
Furthermore, it is assumed that the DC will also be its own DNS server. If that is not the case, you MUST
configure another Windows 2000/2003 server as the DNS server, and if you try to run DCP ROMO
without doing so, you'll end up with errors and the process will fail.
Creating a Standard Primary Forward Lookup Zone
1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS Manager. You
see two zones under your computer name: Forward Lookup Zone and Reverse Lookup Zone.
2. Right click Forward Lookup Zones and choose to add a new zone.
TATA CONSULTANCY SERVICES Page 9
10. 3. Click Next. The new forward lookup zone must be a primary zone so that it can accept dynamic
updates. Click Primary, and then click Next.
TATA CONSULTANCY SERVICES Page 10
11. 4. The name of the zone must be the same as the name of the Active Directory domain, or be a logical
DNS container for that name. For example, if the Active Directory domain is named
"lab.dpetri.net", legal zone names are "lab.dpetri.net", "dpetri.net", or "net".
5.Type the name of the zone, and then click Next.
Accept the default name for the new zone file. Click Next.
TATA CONSULTANCY SERVICES Page 11
13. 6. To be able to accept dynamic updates to this new zone, click "Allow both nonsecure and secure
dynamic updates". Click Next.
Click Finish.
TATA CONSULTANCY SERVICES Page 13
14. You should now make sure your computer can register itself in the new zone. Go to the Command Prompt
(CMD) and run "ipconfig /registerdns" (no quotes, duh...). Go back to the DNS console, open the new zone
and refresh it (F5). Notice that the computer should by now be listed as an A Record in the right pane.
If it's not there try to reboot (although if it's not there a reboot won't do much good). Check the spelling
on your zone and compare it to the suffix you created in step 1. Check your IP settings.
Enable DNS Forwarding for Internet connections (Not
mandatory)
1. Start the DNS Management Console.
2. Right click the DNS Server object for your server in the left pane of the console, and click
Properties.
TATA CONSULTANCY SERVICES Page 14
15. 3. Click the Forwarders tab.
4. In the IP address box enter the IP address of the DNS servers you want to forward queries to -
typically the DNS server of your ISP. You can also move them up or down. The one that is highest
in the list gets the first try, and if it does not respond within a given time limit - the query will be
forwarded to the next server in the list.
TATA CONSULTANCY SERVICES Page 15
16. 5. Click OK.
Creating a Standard Primary Reverse Lookup Zone
You can (but you don't have to) also create a reverse lookup zone on your DNS server. The zone's name
will be the same as your TCP/IP Network ID. For example, if your IP address is 192.168.0.200, then the
zone's name will be 192.168.0 (DNS will append a long name to it, don't worry about it). You should also
configure the new zone to accept dynamic updates. I guess you can do it on your own by now, can't you?
TATA CONSULTANCY SERVICES Page 16
17. Step 4: Running DCPROMO
After completing all the previous steps (remember you didn't have to do them) and after double checking
your requirements you should now run Dcpromo.exe from the Run command.
1. Click Start, point to Run and type "dcpromo".
2. The wizard windows will appear. Click Next.
TATA CONSULTANCY SERVICES Page 17
18. 3. In the Operating System Compatibility windows read the requirements for the domain's clients
and if you like what you see - press Next.
TATA CONSULTANCY SERVICES Page 18
19. 4. Choose Domain Controller for a new domain and click Next.
5. Choose Create a new Domain in a new forest and click Next.
TATA CONSULTANCY SERVICES Page 19
20. 6. Enter the full DNS name of the new domain, for example - kuku.co.il - this must be the same as the
DNS zone you've created in step 3, and the same as the computer name suffix you've created in
step 1. Click Next.
TATA CONSULTANCY SERVICES Page 20
21. This step might take some time because the computer is searching for the DNS server and
checking to see if any naming conflicts exist.
7. Accept the down-level NetBIOS domain name, in this case it's KUKU. Click Next
8. Accept the Database and Log file location dialog box (unless you want to change them of course).
The location of the files is by default %systemroot%NTDS, and you should not change it unless
you have performance issues in mind. Click Next.
TATA CONSULTANCY SERVICES Page 21
22. 9. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location
of the files is by default %systemroot%SYSVOL, and you should not change it unless you have
performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all
the GPO and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.
TATA CONSULTANCY SERVICES Page 22
23. 10. If your DNS server, zone and/or computer name suffix were not configured correctly you will get
the following warning:This means the Dcpromo wizard could not contact the DNS server, or it did
contact it but could not find a zone with the name of the future domain. You should check your
settings. Go back to steps 1, 2 and 3. Click Ok.You have an option to let Dcpromo do the
configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate
zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server
IP address.To let Dcpromo do the work for you, select "Install and configure the DNS server...".
Click Next.Otherwise, you can accept the default choice and then quit Dcpromo and check steps 1 -
3.
TATA CONSULTANCY SERVICES Page 23
24. 11. If your DNS settings were right, you'll get a confirmation window. Just click next.
TATA CONSULTANCY SERVICES Page 24
25. 12. Accept the Permissions compatible only with Windows 2000 or Windows Server 2003 settings,
unless you have legacy apps running on Pre-W2K servers.
13. Enter the Restore Mode administrator's password. In Windows Server 2003 this password can be
later changed via NTDSUTIL. Click Next.
TATA CONSULTANCY SERVICES Page 25
26. 14. Review your settings and if you like what you see - Click Next.
TATA CONSULTANCY SERVICES Page 26
27. 15. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click
Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it,
you'd better let the wizard finish and then run it again to undo the AD.
16. If all went well you'll see the final confirmation window. Click Finish.
17. You must reboot in order for the AD to function properly.
TATA CONSULTANCY SERVICES Page 27
28. 18. Click Restart now.
Step 5: Checking the AD installation
You should now check to see if the AD installation went well.
1. First, see that the Administrative Tools folder has all the AD management tools installed.
2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that
all OUs and Containers are there.
TATA CONSULTANCY SERVICES Page 28
29. 3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name,
and that in it your server is listed.
TATA CONSULTANCY SERVICES Page 29
30. 4. If they don't (like in the following screenshot), your AD functions will be broken (a good sign of
that is the long time it took you to log on. The "Preparing Network Co nnections" windows will sit
on the screen for many moments, and even when you do log on many AD operations will give you
errors when trying to perform them).
5. = BadThis might happen if you did not manually configure your DNS server and let the DCPROMO
process do it for you.
Another reason for the lack of SRV records (and of all other records for that matter) is the fact that
you DID configure the DNS server manually, but you made a mistake, either with the computer
suffix name or with the IP address of the DNS server (see steps 1 through 3).
Open the DNS console. See that you have a zone with the same name as your AD domain (the one
you've just created, remember? Duh...). See that within it you have the 4 SRV record folders. They
TATA CONSULTANCY SERVICES Page 30
31. must exist.
= Good
To try and fix the problems first see if the zone is configured to accept dynamic updates.
6. Right-click the zone you created, and then click Properties.
TATA CONSULTANCY SERVICES Page 31
32. 7. On the General tab, under Dynamic Update, click to select "Nonsecure and secure" from the drop -
down list, and then click OK to accept the change. You should now restart the NETLOGON service
to force the SRV registration. You can do it from the Services console in Administrative tools:
TATA CONSULTANCY SERVICES Page 32
34. Or from the command prompt type "net stop netlogon", and after it finishes, type "net start
netlogon".
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now
see the 4 SRV record folders.
If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It
should be exactly the same as the AD Domain name. Also check the computer's suffix (see step 1).
You won't be able to change the computer's suffix after the AD is installed, but if you have a
spelling mistake you'd be better off by removing the AD now, before you have any users, groups
and other objects in place, and then after repairing the mistake - re-running DCPROMO.
TATA CONSULTANCY SERVICES Page 34
35. 8. Check the NTDS folder for the presence of the required files.
9. Check the SYSVOL folder for the presence of the required subfolders.
TATA CONSULTANCY SERVICES Page 35
36. 10. Check to see if you have the SYSVOL and NETLOGON shares, and their location.
If all of the above is ok, I think it's safe to say that your AD is pro perly installed.
TATA CONSULTANCY SERVICES Page 36
37. If not, read Troubleshooting Dcpromo Errors and re-read steps 1-4 in this article.
Troubleshooting Dcpromo Errors
Some common issues that you may encounter with Active Directory installation and configuration can
cause a partial or complete loss of functionality in Active Directory. These issues may include, but not be
limited to:
Domain Name System (DNS) configuration errors.
Network configuration problems Difficulties when you upgrade from Microsoft Windows NT.
You must configure DNS correctly to ensure that Active Directory will function properly.
Review the following configuration items to ensure that DNS is healthy and that the Active Directory DNS
entries will be registered correctly:
DNS IP configuration
Active Directory DNS registration
Dynamic zone updates
DNS forwarders
DNS IP Configuration
An Active Directory server that is hosting DNS must have its TCP/IP settings configured properly. TCP/IP
on an Active Directory DNS server must be configured to point to itself to allow the server to register
with its own DNS server.
To view the current IP configuration
Open a command window and type
ipconfig /all
to display the details. You can modify the DNS configuration by following these steps:
1. Right-click My Network Places and then click Properties.
2. Right-click Local Area Connection and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab. Configure the DNS information as follows: Configure
the DNS server addresses to point to the DNS server. This should be the computer's own IP
address if it is the first server or if no dedicated DNS server will be configured.
5. If the resolution of unqualified names setting is set to Append these DNS suffixes (in order), the
Active Directory DNS domain name should be listed first (at the top of the list).
6. Verify that the DNS Suffix for this connection setting is the same as the Active Directory domain
name.
7. Verify that the Register this connection's addresses in DNS check box is selected.
TATA CONSULTANCY SERVICES Page 37
38. 8. At a command prompt, type
ipconfig /flushdns
to purge the DNS resolver cache, and then type
ipconfig /registerdns
to register the DNS resource records.
9. Start the DNS Management console. There should be a host record (an "A" record in Advanced
view) for the computer name. There should also be a Start of Authority (SOA in Advanced view)
record pointing to the domain controller (DC) as well as a Name Server record (NS in Advan ced
view).
Active Directory DNS Registration
The Active Directory DNS records must be registering in DNS. The DNS zone can be either a standard
primary or an Active Directory-integrated zone. An Active Directory-integrated zone is different from a
standard primary zone in several ways. An Active Directory-integrated zone provides the following
benefits:
The Windows 2000 DNS service stores zone data in Active Directory. This causes DNS replication
to create multiple masters, and it allows any DNS server to accept updates for a directory service-
integrated zone. Using Active
Directory integration also reduces the need to maintain a separate DNS zone transfer replication
topology.
Secure dynamic updates are integrated with Windows security. This allows an administrator to
precisely control which computers can update which names, and it prevents unauthorized
computers from obtaining existing names from DNS.
Use the following steps to ensure that DNS is registering the Active Directory DNS records:
1. Start the DNS Management console.
2. Expand the zone information under the server name.
3. Expand Forward Lookup Zones, right-click the name of the Active Directory domain's DNS zone,
click Properties, and then verify that Allow Dynamic Updates is set to Yes.
TATA CONSULTANCY SERVICES Page 38
39. 4. Four folders with the following names are present when DNS is correctly registering the Active
Directory DNS records. These folders are labeled:
_msdcs _sites _tcp _udp
TATA CONSULTANCY SERVICES Page 39
40. If these folders do not exist, DNS is not registering the Active Directory DNS records. These r ecords are
critical to Active Directory functionality and must appear within the DNS zone. You should repair the
Active Directory DNS record registration.
To repair the Active Directory DNS record registration
Check for the existence of a Root Zone entry. View the Forward Lookup zones in the DNS Management
console.
There should be an entry for the domain. Other zone entries may exist. There should not be a dot (".")
zone. If the dot (".") zone exists, delete the dot (".") zone. The dot (".") zone identifie s the DNS server as a
root server.
Typically, an Active Directory domain that needs external (Internet) access should not be configured as a
root DNS server.
The server probably needs to reregister its IP configuration (by using Ipconfig) after you delete the dot
("."). The Netlogon service may also need to be restarted.
TATA CONSULTANCY SERVICES Page 40
41. Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to
repopulate the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support tools.
At a command prompt, type
netdiag /fix
After you run the Netdiag utility, refresh the view in the DNS Management console. The Active Directory
DNS records should then be listed.
Note: The server may need to reregister its IP configuration (by using Ipconfig) after you run Netdiag.
The Netlogon service may also need to be restarted.
TATA CONSULTANCY SERVICES Page 41
42. If the Active Directory DNS records do not appear, you may need to manually re -create the DNS zone.
Manually re-create the DNS zone
1. Start the DNS Management console.
2. Right-click the name of the zone, and then click Delete.
3. Click OK to acknowledge any warnings. The Forward Lookup zones no longer list the deleted zone.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. The New Zone Wizard starts. Click Next to continue.
6. Click the appropriate zone type (either Active Directory-integrated or Standard primary, and then
click Next.
7. Type the name of the zone exactly as it appears in Network Identification, and then click Next.
8. Click the appropriate zone file, or a new zone file. Click Next, and then click Finish to finish the
New Zone Wizard.
9. The newly created zone appears in the DNS Management console.
10. Right-click the newly created zone, click Properties, and then change Allow Dynamic Updates to
Yes.
TATA CONSULTANCY SERVICES Page 42
43. 11. At a command prompt, type
net stop netlogon
and then press ENTER. The Netlogon service is stopped.
12. Type
net start netlogon
and then press ENTER. The Netlogon service is restarted.
TATA CONSULTANCY SERVICES Page 43
44. 13. Refresh the view in the DNS Management console. The Active Directory DNS r ecords should be
listed under the zone.
If the Active Directory DNS records still do not exist, there may be a disjointed DNS namespace.
TATA CONSULTANCY SERVICES Page 44
45. Dynamic Zone Updates
Microsoft recommends that the DNS Lookup zone accept dynamic updates. You can configure this by
right-clicking the name of the zone, and then clicking Properties. On the General tab, the Allow Updates
setting should be set to Yes, or for an Active Directory-integrated zone, either Yes or Only secure updates.
If dynamic updates are not allowed, all host registration must be completed manually.
DNS Forwarders
To ensure network functionality outside of the Active Directory domain (such as browser requests for
Internet addresses), configure the DNS server to forward DNS requests to the appropriate Intern et
service provider (ISP) or corporate DNS servers.
See No Forwarding or Root Hints on Windows 2000 DNS server? for troubleshooting tips.
To configure forwarders on the DNS server:
1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
TATA CONSULTANCY SERVICES Page 45
46. 3. Click the Forwarders tab.
4. Click to select the Enable Forwarders check box.
Note: If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone
(usually identified by a zone named only with a period, or dot ("."). You must delete this zone to enable
the DNS server to forward DNS requests. In a configuration in which the DNS server does not rely on an
ISP DNS server or a corporate DNS server, you can use a root zone entry.
5. Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from
this DNS server. The list reads from the top down in order; if there is a preferred DNS server, place
it at the top of the list.
6. Click OK to accept the changes.
Upgrade Installation Considerations
Earlier (Legacy) DNS Servers - DNS servers that run Windows NT 4.0 cannot dynamically register the
Active Directory DNS records. The best solution in this case is to install DNS on the Active Directory
domain controller to ensure that Active Directory DNS records will be registered for the domain.
TATA CONSULTANCY SERVICES Page 46
47. Disjointed DNS Namespace - You must configure the correct DNS suffix information before you begin a
Windows 2000 upgrade installation. You cannot change the server name and DNS domain information
after Active Directory is installed.
To configure the DNS suffix information in Windows NT before you upgrade the computer to a
Windows 2000-based Active Directory domain controller:
1. Right-click Network Neighborhood and then click Properties.
2. Click the Protocols tab, click TCP/IP Protocol, and then click Properties.
3. Click the DNS tab.
4. In the Domain box, type the complete Active Directory domain name.
5. Click Apply, and then click OK.
6. Click OK to quit the Network tool.
7. Restart the computer.
To verify the settings, open a command window, and then type ipconfig /all. The Host Name line shows
the fully qualified domain name.
If you must change the DNS domain information after you install Active Directory, you must run the
Dcpromo utility on the computer to remove it from the domain and make it a stand-alone server.
To determine if a disjointed namespace exists on an existing Windows 2000-based domain controller:
1. Right-click My Computer and then click Properties.
2. Click the Network Identification tab.
3. Compare the DNS suffix section of the full computer name to that of the domain name listing. The
full computer name reads as follows: hostname. dns_suffix. These two entries should contain
identical suffix information.
If these two entries do not contain identical suffix information, a disjointed DNS namespace exists. This
condition prevents proper registration of any Active Directory DNS records.
Note: The only supported method to recover from a disjointed namespace is to use Dcpromo to remove
the computer from the domain and make it a stand-alone server. You can then correct the DNS
namespace information and run Dcpromo again to promote the computer back to a domain controller.
How to Install a Replica DC in an Existing AD Domain on Windows Server 2003
Note: This article is only good for understanding how to install the SECOND DC in an EXISTING DOMAIN
in and EXISTING AD FOREST.
Note: For the installation of the FIRST DC in the AD Domain read How to Install Active Directory on
Windows 2003.
Here is a quick list of what you must have:
TATA CONSULTANCY SERVICES Page 47
48. An NTFS partition with enough free space
The Domain Admin's username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
A network connection (to a hub or to another computer via a crossover cable)
A persistent and un-interrupted connection with the domain's existing DC
An operational DNS server which holds the relevant SRV Record information for the AD domain
and forest
The Domain name for the domain that you want to join
The Windows 2003 CD media (or at least the i386 folder)
Brains (recommended, not required...)
This article assumes that all of the above requirements are fulfilled.
For a Windows 2000 version of this article please read How to Install a Replica DC in an Existing AD
Domain on Windows 2000.
Step 1: Configuring the computer's TCP/IP settings
You must configure the would-be Domain Controller to use the IP address of the DNS server, so it will
point to it when registering SRV records and when querying the DNS database.
Configure TCP/IP
1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection and then click Properties.
TATA CONSULTANCY SERVICES Page 48
49. 4. Click Internet Protocol (TCP/IP), and then click Properties.
TATA CONSULTANCY SERVICES Page 49
50. 5. Assign this server a static IP address, subnet mask, and gateway address (optional). Enter the DNS
server's IP address in the Preferred DNS server box.
Note: You MUST have an operational DNS server that already serves as the DNS server of the
domain/forest.
TATA CONSULTANCY SERVICES Page 50
51. 6. Click Advanced.
7. Click the DNS Tab.
8. Select "Append primary and connection specific DNS suffixes"
9. Check "Append parent suffixes of the primary DNS suffix"
10. Check "Register this connection's addresses in DNS". If this Windows 2000-based DNS server is on
an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other
DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder
configured.
11. Click OK to close the Advanced TCP/IP Settings properties.
12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connections properties.
Step 2: Running DCPROMO
After completing all the previous steps and after double checking your requirements you should now run
Dcpromo.exe from the Run command.
Note: In Windows Server 2003, unlike Windows 2000, you can choose to install the Replica DC from a
backed-up media thus saving considerable amounts of time and bandwidth. Read Install DC from Media
in Windows Server 2003 for more inforamation.
TATA CONSULTANCY SERVICES Page 51
52. 1. Click Start, point to Run and type "dcpromo".
2. The wizard windows will appear. Click Next.
3. In the Operating System Compatibility window click Next.
TATA CONSULTANCY SERVICES Page 52
53. 4. Choose Additional Domain Controller for an existing domain and click Next.
TATA CONSULTANCY SERVICES Page 53
54. 5. In the Network Credentials window enter the username and password for a Domain Admin in the
domain you're trying to join. also enter the full DNS domain name. Click Next.
This step might take some time because the computer is searching for the DNS server.
Note: Although the wizard will let you get to the last window and begin to attempt to join the
domain, if you enter the wrong username or password, because of the wrong credentials you'll get
an error message:
TATA CONSULTANCY SERVICES Page 54
55. If you enter the domain name in a wrong way you'll get this error message:
The wizard will not be able to continue past the domain name window.
If you have wrong DNS settings, i.e. the computer "thinks" that it should be "talking" to one DNS
server, while in fact it should be using another DNS server, you'll get an error message like this
one:
TATA CONSULTANCY SERVICES Page 55
56. 6. In the Additional Domain Controller window type or browse to select the domain to which you
want to add the replica DC.
TATA CONSULTANCY SERVICES Page 56
57. 7. Accept the Database and Log file location dialog box (unless you want to change them of course).
The location of the files is by default %systemroot%NTDS, and you should not change it unless
you have performance issues in mind. Click Next.
TATA CONSULTANCY SERVICES Page 57
58. 8. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location
of the files is by default %systemroot%SYSVOL, and you should not change it unless you have
performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all
the GPO and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.
9. Enter the Restore Mode administrator's password. Whatever you do - remember it! Without it
you'll have a hard time restoring the AD if you ever need to do so. Click Next.
TATA CONSULTANCY SERVICES Page 58
59. 10. Review your settings and if you like what you see - Click Next.
TATA CONSULTANCY SERVICES Page 59
60. 11. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click
Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it,
you'd better let the wizard finish and then run it again to undo the AD.
12. If all went well you'll see the final confirmation window. Click Finish.
13. You must reboot in order for the AD to function properly. Click Restart now.
Step 3: Checking the AD installation
You should now check to see if the AD installation went well.
1. First, see that the Administrative Tools folder has all the AD management tools installed.
2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that
all OUs and Containers are there. See that your DC is listed in the Domain Controllers Container.
3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name,
and that in it your server is listed along with the other DC in the domain/forest.
4. One reason for the lack of registration of SRV records is the fact the net NETLOGON service has
somehow failed to register the SRV Records in the DNS zone.
You should try to restart the NETLOGON service to force the SRV registration.
TATA CONSULTANCY SERVICES Page 60
61. From the command prompt type "net stop netlogon", and after it finishes, type "net start
netlogon".
Open the DNS console. See that your new DC has registered itself in the 4 SRV Record folders.
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now
see the 4 SRV record folders.
5. Check the NTDS folder for the presence of the required files.
TATA CONSULTANCY SERVICES Page 61
62. 6. Check the SYSVOL folder for the presence of the required subfolders.
TATA CONSULTANCY SERVICES Page 62
63. 7. Check to see if you have the SYSVOL and NETLOGON shares, and their location.
If all of the above is ok, I think it's safe to say that your AD is properly installed.
TATA CONSULTANCY SERVICES Page 63
64. Raise Forest Function Level in Windows Server 2003 Active Directory
How can I raise the forest function level in a Windows Server 2003-based Active Directory?
Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to
activate new Active Directory features after all the domain controllers in the domain or forest are
running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain controller,
new Active Directory features are activated by the Windows Server 2003 operating system over its
Windows 2000 counterparts. Additional Active Directory features are available when all domain
controllers in a domain or forest are running Windows Server 2003 and the administrator activates the
corresponding functional level in the domain or forest (read Understanding Function Levels in Windows
Server 2003 Active Directory for more info).
To activate the new domain features, all domain controllers in the domain must be running Windows
Server 2003. After this requirement is met, the administrator can raise the domain functional level to
Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for more
info).
To activate new forest-wide features, all domain controllers in the forest must be running Windows
Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server
2003 domain level. After this requirement is met, the administrator can raise the domain functional level.
Note: Network clients can authenticate or access resources in the domain or forest without being affected
by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that
domain controllers interact with each other.
Important
Do not raise the forest functional level if you have, or will have, any domain
controllers running Windows NT 4.0 or Windows 2000. As soon as the forest
functional level is raised to Windows Server 2003, it cannot be changed back to the
Windows 2000 forest functional level.
To raise the forest functional level, you must be a member of the Enterprise Admins group.
In order to raise the Forest Functional Level:
1. Log on to the PDC of the forest root domain with a user account that is a member of the Enterprise
Administrators group.
TATA CONSULTANCY SERVICES Page 64
65. 2. Open Active Directory Domains and Trusts, click Start, point to All Programs, point to
Administrative Tools, and then click Active Directory Domains and Trusts.
3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest
Functional Level.
1. Under Select an available forest functional level, click Windows Server 2003.
TATA CONSULTANCY SERVICES Page 65
66. and then click Raise to raise the forest functional level to Windows Server 2003.
1. Read the warning message, and if you wish to perform the action, click Ok.
TATA CONSULTANCY SERVICES Page 66
67. 1. You will receive an acknowledgement message telling you that the operation was completed
successfully. Click Ok.
1. You can check the function level by performing step 3 again and viewing the current function
level.
TATA CONSULTANCY SERVICES Page 67
68. Note: To raise the forest functional level, you must upgrade (or demote) all existing Windows 2000
domain controllers in your forest.
If you cannot raise the forest functional level, you can click Save As in the Raise Forest Functional Level
dialog box to save a log file that specifies which domain controllers in the forest still must be upgraded
from Windows NT 4.0 or Windows 2000.
If you receive a message that indicates you cannot raise the forest functional level, use the report
generated by "Save As" to identify all domains and domain controllers that do not meet the requirements
for the requested increase.
The current forest functional level appears under Current fo rest functional level in the Raise Forest
Functional Level dialog box. After the forest level is successfully increased and replicated to the PDCs in
the domains, the PDCs for each domain automatically increase their domain level to the current forest
level. The level increase is performed on the Schema FSMO and requires Enterprise Administrator
credentials.
Raise Domain Function Level in Windows Server 2003 Domains
TATA CONSULTANCY SERVICES Page 68
69. Functional levels are an extension of the mixed/native mode concept introduced in Windows 2 000 to
activate new Active Directory features after all the domain controllers in the domain or forest are
running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain controlle r,
new Active Directory features are activated by the Windows Server 2003 operating system over its
Windows 2000 counterparts. Additional Active Directory features are available when all domain
controllers in a domain or forest are running Windows Server 2003 and the administrator activates the
corresponding functional level in the domain or forest (read Understanding Function Levels in Windows
Server 2003 Active Directory for more info).
To activate the new domain features, all domain controllers in the domain must be running Windows
Server 2003. After this requirement is met, the administrator can raise the domain functional level to
Windows Server 2003.
To activate new forest-wide features, all domain controllers in the forest must be running Windows
Server 2003, and the current forest functional level must be at Windows 2000 native or Windows Server
2003 domain level. After this requirement is met, the administrator can raise the domain functional level
(read Raise Forest Function Level in Windows Server 2003 Active Directory for more info).
Note: Network clients can authenticate or access resources in the domain or forest without being affected
by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that
domain controllers interact with each other.
Important
Raising the domain and forest functional levels to Windows Server 2003 is a
nonreversible task and prohibits the addition of Windows NT 4.0–based or
Windows 2000–based domain controllers to the environment. Any existing
Windows NT 4.0 or Windows 2000–based domain controllers in the environment
will no longer function. Before raising functional levels to take advantage of
advanced Windows Server 2003 features, ensure that you will never need to install
domain controllers running Windows NT 4.0 or Windows 2000 in your
environment.
To raise the domain functional level, you must be a member of the Domain Administrators group.
In order to raise the Domain Functional Level:
1. Log on the PDC of the domain with domain administrator credentials.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers
(you can also perform this action from the Active Directory Domains and Trusts snap -in).
3. In the console tree, right-click the domain node and then click Raise Domain Functional Level.
TATA CONSULTANCY SERVICES Page 69
70. 1. Under Select an available domain functional level, do one of the following:
Click Windows 2000 native, and then click Raise to raise the domain functional level to Windows 2000
native or Click Windows Server 2003
TATA CONSULTANCY SERVICES Page 70
71. and then click Raise to raise the domain functional level to Windows Ser ver 2003.
1. Read the warning message, and if you wish to perform the action, click Ok.
TATA CONSULTANCY SERVICES Page 71
72. 1. You will receive an acknowledgement message telling you that the operation was completed
successfully. Click Ok.
TATA CONSULTANCY SERVICES Page 72
73. 1. You can check the function level by performing step 3 again and viewing the current function level.
TATA CONSULTANCY SERVICES Page 73
74. Note: The current domain functional level appears under Current domain functional level in the Raise Domain
Functional Level dialog box. The level increase is performed on the PDC FSMO and requires the domain
administrator.
TATA CONSULTANCY SERVICES Page 74