Windows Server 2003 Active Directory install


The purpose of this note is to document, step by step, the deployment of Active Directory on Windows Server 2003 R2 Enterprise Edition. Why am I doing this? I thought this OS was no longer used anywhere; administration has moved on, and Server 2008/R2 and Server 2012 are the main systems I have worked with recently at my previous jobs. And yet here is a company that never thought to keep up with the times.

But with growing requirements and new functionality, I was given the task of working out the migration from a domain based on Windows Server 2003 R2 x64 to a domain running Windows Server 2008 R2. To do that, I first need to understand everything from start to finish. So this note will be the first in a small series of notes on the migration.

So, I have a system with the following specifications:

HDD – 40

CPU – 1

RAM – 2

and the distribution media.

The network adapter settings contain the following IP addresses:

I will test everything under VirtualBox (fortunately my work laptop has plenty of resources and gives me full freedom to work through actions before applying them in the organization, because I do not like being a mere talker; I am a practitioner, and before advising anything I prefer to make sure myself that it works).

Important note: I advise, and follow the advice myself, that a Windows system should be English-language only, never Russian. That is my personal opinion.

All actions below are performed under the administrative account – Administrator.

After the system is deployed, install the cumulative update Update for Windows Server 2003 (KB2570791), which cancels the switch to "winter" (standard) time. It can be downloaded from this link – http://support.microsoft.com/kb/2570791/ru

Below are the step-by-step instructions for deploying a domain controller.

Run the dcpromo utility:

Win + R → dcpromo – Next – Next – select "Domain controller for a new domain" and click Next – select "Domain in a new forest" and click Next – enter the full DNS name for the new domain, in my case "polygon.local", and click Next.

The wizard offers either to change the NetBIOS name or to keep the current one; keep the current one and click Next.

Leave the default NetBIOS name POLYGON

Leave the database and log folders at their defaults and click Next.

Default database folders

Do the same with the SYSVOL folder: leave the default and click Next.

Leave the default SYSVOL folder path

At the next step, how to configure DNS, leave the default, making sure that "Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server" is selected, and click Next.

Default

At the next step, access to objects for users and groups, allow access only to authenticated users and click Next.

Access for authenticated users and groups only

Next, set the Administrator password for emergency recovery (Directory Services Restore Mode); I enter 712mbddr@ and click Next.

At the next step, review the summary; if you agree with everything, click Next and the deployment process starts.

Deployment in progress

During installation the wizard asks you to mount the second distribution disc (my distribution consists of two ISO images).

The second disc is required during installation to install the missing components

After the process finishes (click Finish), check the network adapter settings to make sure the network settings are specified correctly, and only then reboot the system.

What we have:

and what it needs to be brought to:

After the system reboots, log on as Administrator, open the "Active Directory Users and Computers" snap-in and create a dedicated administrative user to work under from now on; but this is not yet a complete deployment.

Next, add the DHCP role so that IP addresses in the controlled domain network are issued automatically:

Start – Control Panel – Add or Remove Programs – Add/Remove Windows Components – Networking Services – Details – check Dynamic Host Configuration Protocol (DHCP) and click OK – Next; the installation of the required components then starts (the mounted installation disc is needed) – Finish.

Open the DHCP snap-in:

Start – Control Panel – Administrative Tools – DHCP. By default the DHCP service is not active, as indicated by the "red arrow pointing down".

First, create the scope of IP addresses the DHCP server will serve: right-click the entry dc1.polygon.local and choose "New Scope" – Next – name it as you like – Next – set the start and end values within which IP addresses will be issued to the clients in our domain's network; in my case:

Start IP address: 10.9.9.10

End IP address: 10.9.9.20

Length: 24 – subnet mask length

Subnet mask: 255.255.255.0

Specify the scope served by the DHCP service on the domain's local network

Skip the next step, IP addresses to exclude; you can come back to this setting later.

Next, specify the lease duration for DHCP addresses issued to client stations or devices; the default is usually 7 days, but based on your experience you can set a different value.

Next, make the predefined settings take effect immediately – Yes, I want to configure these options now.

Next, specify the gateway IP address for the local network – in my case 10.9.9.1 (it can be changed later if needed).

Next, specify the DNS server used on the network:

Parent domain: polygon.local

Server name: dc1.polygon.local

IP address: 10.9.9.1

I skip the next step, since I do not use WINS.

Next, I activate the created scope now – Yes, I want to activate this scope now.

Now the DHCP service must be authorized:

Start – Control Panel – Administrative Tools – DHCP snap-in – select dc1.polygon.local [10.9.9.1], then right-click to open the settings menu and choose "Authorize". As the screenshot below shows, the service is running: "the green arrow points up".
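As an added example (not part of the original post), here is a Python check of the values entered in the New Scope wizard above. It confirms that the pool lies inside the subnet and that the gateway, the DNS server and the domain controller's statically assigned address are not inside the leasable range, which is the mistake most likely to hand a client the DC's own address. The Scope class, the check_scope function and the second, deliberately wrong scope are constructed for this example; the first scope reproduces the post's values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Scope:
    """One DHCP scope, with the values the New Scope wizard asks for."""
    start: str                      # Start IP address
    end: str                        # End IP address
    prefix_length: int              # "Length" in the wizard (24 -> 255.255.255.0)
    router: str                     # default gateway handed to clients
    dns_servers: List[str]          # DNS servers handed to clients
    exclusions: List[str] = field(default_factory=list)  # addresses taken out of the pool
    lease_days: int = 7             # lease duration in days


def check_scope(scope: Scope, static_hosts: List[str]) -> List[str]:
    """Return the problems found; an empty list means the scope is consistent.

    static_hosts are addresses assigned statically on this subnet (at least the
    domain controller itself) that DHCP must therefore never lease out.
    """
    problems: List[str] = []
    start = ipaddress.IPv4Address(scope.start)
    end = ipaddress.IPv4Address(scope.end)
    network = ipaddress.IPv4Network(f"{start}/{scope.prefix_length}", strict=False)
    excluded = {ipaddress.IPv4Address(a) for a in scope.exclusions}

    def in_pool(addr: ipaddress.IPv4Address) -> bool:
        # Leasable = inside start..end and not excluded.
        return start <= addr <= end and addr not in excluded

    if end < start:
        problems.append(f"end address {end} is below start address {start}")
    if end not in network:
        problems.append(f"end address {end} is outside {network}")
    for special, label in ((network.network_address, "network"),
                           (network.broadcast_address, "broadcast")):
        if in_pool(special):
            problems.append(f"{label} address {special} is inside the pool")

    router = ipaddress.IPv4Address(scope.router)
    if router not in network:
        problems.append(f"router {router} is not on {network}; clients cannot reach it")
    elif in_pool(router):
        problems.append(f"router {router} is inside the pool and will be leased to a client")

    for dns in map(ipaddress.IPv4Address, scope.dns_servers):
        if dns in network and in_pool(dns):
            problems.append(f"DNS server {dns} is inside the pool")

    for host in map(ipaddress.IPv4Address, static_hosts):
        if in_pool(host):
            problems.append(f"static host {host} is inside the pool; add an exclusion")

    if scope.lease_days <= 0:
        problems.append("lease duration must be positive")
    return problems


# The scope exactly as entered in the post above.
POST_SCOPE = Scope(start="10.9.9.10", end="10.9.9.20", prefix_length=24,
                   router="10.9.9.1", dns_servers=["10.9.9.1"])
DC_ADDRESSES = ["10.9.9.1"]   # dc1.polygon.local keeps a static address

# Constructed bad case: the whole /24 handed out with no exclusions.
WHOLE_SUBNET = Scope(start="10.9.9.1", end="10.9.9.254", prefix_length=24,
                     router="10.9.9.1", dns_servers=["10.9.9.1"])

if __name__ == "__main__":
    for name, scope in (("post scope", POST_SCOPE), ("whole subnet", WHOLE_SUBNET)):
        found = check_scope(scope, DC_ADDRESSES)
        print(name + ":", "OK" if not found else "\n  " + "\n  ".join(found))
```

The "whole subnet" scope is repaired either by narrowing the range or by adding 10.9.9.1 to the exclusions, which is what the wizard's exclusion page (skipped in the post) is for.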

Check that the domain responds to an ICMP request:

    C:\Documents and Settings\Administrator>ping polygon.local

    Pinging polygon.local [10.9.9.1] with 32 bytes of data:

    Reply from 10.9.9.1: bytes=32 time<1ms TTL=128
    Reply from 10.9.9.1: bytes=32 time<1ms TTL=128
    Reply from 10.9.9.1: bytes=32 time<1ms TTL=128
    Reply from 10.9.9.1: bytes=32 time<1ms TTL=128

    Ping statistics for 10.9.9.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Now workstations can be joined to the domain and managed, and group policies published and written from one place, instead of running around to each machine as before. This gives us centralization and stability. With a domain on the network, users will not notice much difference, except perhaps in the orderliness of the services provided. What else can be done with a domain I will show in later notes. For now I want to finish this note: it works, and the steps above are surprisingly simple and do not require any more detailed documentation, at least for now. Finally, I note: read the documentation on the official site and do not neglect it; many interesting things are presented there. It is impossible, and unnecessary, to describe everything in a note; I only write up the tasks I actually encounter. So that is all; with respect, the author of the blog, ekzorchik.

Windows Server 2003 – Installing Active Directory

Part 2 – Installing Active Directory

With installations, 7 minutes of planning will save an hour for rework. The secret of troubleshooting Active Directory installs is mastering DNS.  I find NSLookup invaluable, also Ipconfig’s new switches /registerdns and /flushdns are handy.

Topics for Installing Active Directory

  • What’s new in Server 2003
  • Procedure for Installing a Domain Controller
  • Crucial Install DNS Stage (With Diagram)
  • Post Installation Check list


What’s new in Windows Server 2003?

  • Check a new program ADPREP.  It has /forestprep switches like Exchange.
  • Install a brand new Domain Controller from a back up of an existing server.

ADPREP

Here is a built-in command line tool that will prepare the schema.  It does not actually install the NTDS.dit file but it does prepare the forest or the individual domain for Active Directory.

ADPREP /forestprep

ADPREP /domainprep

DCPROMO /adv

If you already have a working domain controller, backup the system state, go to a member server, run DCPROMO /adv then point the wizard to the backup files

Procedure for creating a Domain Controller

The key to success is preparation: 

Decide your DNS and enter the name in the Computer Name Tab in the System Icon (Windows Key + Pause).  Whilst this section deals with the nuts and bolts of an installation, take care to design your Active Directory forest, for example, account naming strategy, top level OUs, group policies.

Now you are ready to run DCPROMO.

DCPROMO decisions

To call for the Active Directory Installation Wizard, Start, Run DCPROMO and answer these questions:

  1. New Domain – or Replica (another DC in the same domain)
  2. Domain Tree in existing forest – or New Domain Tree
  3. Domain in New Forest


Crucial Install DNS Stage

There are many ways of installing DNS, but I favour doing as little as possible myself, and letting the DCPROMO Wizard do as much as possible.  For Example, here is a crucial stage where DCPROMO needs DNS, I always select the middle option, ‘ Install and Configure DNS on this computer…’  To be crystal clear, I do NOT configure DNS myself, I let the Wizard create all those _msdcs records.


Best practice

Remember that the Active Directory can grow so make sure the partition has at least 300 MB of free space for NTDS.dit itself, and 100 MB for the log files.  Talking of the logs, install the edbxxx.log files on a separate disk.

Post installation considerations

To verify that installation has run smoothly check the following:

  1. DNS SRV records: _msdcs, _sites, _tcp, _udp.  Also the GC and DC records are essential for users to find the global catalog and domain controller in order to logon.  If these records do not appear, try stopping and starting the Netlogon service.
  2. Open %systemroot%\sysvol and look for the domain folders.
  3. Check the System and Directory Service Event logs for error messages.
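Item 1 of the checklist can be scripted. The following Python is an added example, not from the article: it parses the output of the Windows `nslookup -type=SRV` query (the format is reproduced in a constructed sample, using the polygon.local domain and dc1 host from the first post on this page) and reports which of the SRV records Netlogon should have registered are missing or point at the wrong host or port. The EXPECTED table, the SrvRecord class and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


# SRV records a freshly promoted first domain controller registers through Netlogon,
# with the port each must point at; "<domain>" stands for the DNS domain name.
EXPECTED = {
    "_ldap._tcp.dc._msdcs.<domain>": 389,      # LDAP on any domain controller
    "_kerberos._tcp.dc._msdcs.<domain>": 88,   # Kerberos KDC on any domain controller
    "_ldap._tcp.pdc._msdcs.<domain>": 389,     # the PDC emulator
    "_ldap._tcp.gc._msdcs.<domain>": 3268,     # global catalog LDAP
    "_ldap._tcp.<domain>": 389,
    "_kerberos._tcp.<domain>": 88,
    "_kpasswd._tcp.<domain>": 464,             # Kerberos password change
}

# One "key = value" line inside an nslookup SRV answer, e.g. "          port           = 389".
FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")


def parse_nslookup_srv(text: str) -> List[SrvRecord]:
    """Parse the output of Windows `nslookup -type=SRV <name>` into SrvRecord objects."""
    records: List[SrvRecord] = []
    current: Dict[str, str] = {}

    def flush() -> None:
        if current:
            records.append(SrvRecord(
                name=current["name"].rstrip(".").lower(),
                priority=int(current.get("priority", "0")),
                weight=int(current.get("weight", "0")),
                port=int(current.get("port", "0")),
                target=current.get("svr hostname", "").rstrip(".").lower(),
            ))
            current.clear()

    for line in text.splitlines():
        if "SRV service location:" in line:     # header: "<name>   SRV service location:"
            flush()
            current["name"] = line.split()[0]
        else:
            m = FIELD.match(line)
            if m and current:
                current[m.group(1)] = m.group(2)
    flush()
    return records


def check_srv(records: List[SrvRecord], domain: str, dc_host: str) -> List[str]:
    """Compare parsed records with EXPECTED; an empty result means every record exists
    and at least one instance of it points at dc_host on the right port."""
    by_name: Dict[str, List[SrvRecord]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    domain, dc_host = domain.lower(), dc_host.lower()
    problems: List[str] = []
    for pattern, port in EXPECTED.items():
        name = pattern.replace("<domain>", domain)
        found = by_name.get(name, [])
        if not found:
            problems.append(f"missing {name}")
        elif not any(r.target == dc_host and r.port == port for r in found):
            problems.append(f"{name} does not point at {dc_host}:{port}")
    return problems


# Constructed sample in the Windows nslookup output format: three records present,
# four of the expected seven deliberately absent.
SAMPLE = """\
Server:  dc1.polygon.local
Address:  10.9.9.1

_ldap._tcp.dc._msdcs.polygon.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.polygon.local
_kerberos._tcp.dc._msdcs.polygon.local  SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc1.polygon.local
_ldap._tcp.gc._msdcs.polygon.local      SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = dc1.polygon.local
dc1.polygon.local       internet address = 10.9.9.1
"""

if __name__ == "__main__":
    for problem in check_srv(parse_nslookup_srv(SAMPLE), "polygon.local", "dc1.polygon.local"):
        print(problem)
```

In practice you would capture the output of one nslookup query per name in EXPECTED, concatenate it and feed it to parse_nslookup_srv; a "missing" result after promotion is the cue to restart Netlogon, as the checklist says, and query again.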

Demotion back to member server

If the worst comes to the worst, run DCPROMO to demote, then try again making different decisions.


About The Author

Guy Thomas

Planning Your Active Directory Installation

While the processes for promoting a member server to the role of domain controller are relatively straightforward, it is critical that you plan your proposed Active Directory environment in advance. Examples of environment-related information that should already be documented and well understood prior to promoting any server to the role of domain controller include:

  • The domain structure for the new or existing forest

  • The domain naming scheme to be used

  • How Domain Name System (DNS) will be configured to support Active Directory

  • Whether the Active Directory environment will need to support servers running previous versions of Windows

Similarly, you will also need to ensure that the specific settings for the server to be promoted have been correctly configured, and that the information required during the promotion process has already been determined and documented. Some issues that need to be considered prior to promoting a domain controller include:

  • Domain controllers require static IP address and subnet mask values

  • The client DNS settings of the server must be configured correctly

  • The storage location of the database and log files should be defined

  • The location of the shared system volume folder should be defined

By properly planning and documenting the domain controller promotion process in advance, you greatly reduce the risk of misconfiguration or encountering errors during the installation process.

Installing Active Directory

Four different methods can be used to promote a Windows Server 2003 system to a domain controller. These include:

  • Using the Active Directory Installation Wizard (to install Active Directory in most situations)

  • Using an answer file to perform an unattended installation (to automate the installation process or install Active Directory remotely)

  • Using the network or backup media (to install Active Directory on additional domain controllers in the network by using media rather than relying upon replication)

  • Using the Configure Your Server Wizard (an additional way to install the first domain controller in a network only)

The following sections outline the specific steps and considerations associated with installing domain controllers using each of these four methods.

Installing Active Directory Using the Active Directory Installation Wizard

The Active Directory Installation Wizard (Dcpromo.exe) is the main tool used to install Active Directory. Information that must be provided as part of completing the wizard includes:

  • Domain controller type, either the first domain controller for a new domain or a new domain controller added to an existing domain

  • Domain type—a new domain in a new forest, a child domain in an existing domain tree, or a new domain tree in an existing forest

  • Domain name

  • NetBIOS name for the domain

  • Storage location for the Active Directory database

  • Storage location for the Active Directory transaction log files

  • Storage location for the shared system volume

  • Default Active Directory access permissions

  • Directory services restore mode administrator password

After you input this information, the wizard installs Active Directory, creating the database, configuring associated services, and modifying security settings. If a DNS server is not available, you will be given the option to install DNS as part of the Active Directory installation.

One of the most fundamental choices presented by the wizard is whether you want the server to become the first domain controller for an entirely new domain, or to serve as an additional domain controller within an existing domain. Ultimately, the choice you make affects the structure of your Active Directory implementation.

Creating the First Domain Controller for a New Domain

If you choose to create the first domain controller for a new domain, you are actually defining both a new domain controller and a new domain. You will therefore be asked whether you want to create the new domain in a new forest, as a child domain in an existing domain tree, or as a new domain tree in an existing forest. These choices are illustrated in Figure 1.

Figure 1. Creating a new domain using the Active Directory Installation Wizard


When you create a new domain in a new forest, the new domain is either the first domain in the organization or a new domain that you want to be completely independent from an existing forest. When you create a new child domain in an existing domain tree, the new domain becomes a subdomain of an existing domain, within the DNS namespace of its parent domain. If you choose to create a new domain tree in an existing forest, the new domain becomes the root domain of a new tree, with a DNS name that is not contiguous with any other existing domains in the forest.

Adding a New Domain Controller to an Existing Domain

If you use the Active Directory Installation Wizard to add an additional domain controller to an existing domain, you are effectively adding redundancy and authentication load-balancing to a domain in a forest that has already been created. In all cases, an absolute minimum of two domain controllers should be deployed per domain to provide redundancy. In most Active Directory implementations, the number of domain controllers that need to be deployed within a single domain is a function of the number of users that need to be serviced, as well as the number of physical sites that have been implemented.

Off the Record

When implementing Active Directory, each domain should include an absolute minimum of two domain controllers for the purpose of directory redundancy.


Using the Active Directory Installation Wizard

Issuing the Dcpromo.exe command from the Run dialog box or the command line starts the Active Directory Installation Wizard. To install Active Directory for a new domain in a new forest, complete the following steps:

1. Click Start and then click Run. In the Run dialog box, type dcpromo in the Open box and click OK.

2. At the Welcome To The Active Directory Installation Wizard page, click Next.

3. At the Operating System Compatibility page, click Next.

4. At the Domain Controller Type page, select Domain Controller For A New Domain, as shown in Figure 2. Click Next.

Figure 2. Active Directory Installation Wizard, Domain Controller Type page

5. On the Create New Domain page, ensure that Domain In A New Forest is selected, and then click Next.

6. If DNS is not configured for this computer, the Install Or Configure DNS page appears. Select No, Just Install And Configure DNS On This Computer, and click Next.

Note

If you choose to allow the Active Directory Installation Wizard to install and configure DNS, it will create an Active Directory-Integrated zone stored on an application directory partition.

7. On the New Domain Name page, type the name of your domain in the Full DNS Name For New Domain box, and click Next.

8. On the NetBIOS Domain Name page, the Active Directory Installation Wizard will suggest a NetBIOS name. Accept the default name provided by clicking Next.

Note

Clients running versions of Windows prior to Windows 2000 still use the NetBIOS name associated with a domain to access many domain-related functions.

9. On the Database And Log Folders page, type the location of the Active Directory database in the Database Folder box and the location of the Active Directory log in the Log Folder box, as shown in Figure 3. Similar to Windows 2000, it is recommended that you place the Active Directory database and associated log files on separate disks formatted with the NTFS file system. Click Next.

Figure 3. Active Directory Installation Wizard, Database And Log Folders page

10. On the Shared System Volume page, specify the location of the Sysvol folder in the Folder Location box. The Sysvol folder must reside on a partition or volume formatted with the NTFS file system. Click Next.

11. If DNS is configured for this computer and the wizard is unable to connect to the DNS server, the DNS Registration Diagnostics page appears. Select Install And Configure The DNS Server On This Computer, And Set This Computer To Use This DNS Server As Its Preferred DNS Server, and click Next.

12. On the Permissions page, read through the available options as shown in Figure 4. Click Next.

Figure 4. Active Directory Installation Wizard, Permissions page

13. On the Directory Services Restore Mode Administrator Password page, type the directory services restore mode password you want to assign to this server’s Administrator account in the Restore Mode Password box. Confirm the password in the Confirm Password box. Click Next.

14. The Summary page displays the options that you have selected during the wizard, as shown in Figure 5. Review the contents of this page for accuracy, and then click Next. The wizard takes a few minutes to configure Active Directory components. You might be prompted for your Windows Server 2003 CD-ROM. If you did not configure this server with a static IP address prior to starting the wizard, you will be prompted to do so.

Figure 5. Active Directory Installation Wizard, Summary page

15. When the Completing The Active Directory Installation Wizard page appears, click Finish, and then click Restart Now.

Installing Active Directory Using an Answer File

The steps associated with the Active Directory Installation Wizard can also be automated through the use of an answer file. An answer file is simply a text file that contains answers to the questions normally asked when the wizard is completed manually. The answer file must contain all the parameters that the Active Directory Installation Wizard normally needs to complete the Active Directory installation process. Some benefits of promoting domain controllers by using answer files include:

  • The ability to automate the domain controller installation process on remote servers that might be accessible only via low-bandwidth connections

  • The ability to define and control the exact parameters to be configured during the promotion process, saving time and reducing the risk of misconfiguration

Figure 6 displays a sample answer file that could be used to promote a Windows Server 2003 system to a domain controller.

Figure 6. A sample answer file used to install Active Directory


To install Active Directory on a Windows Server 2003 system using an answer file, issue the command dcpromo /answer:answer file, where answer file is the name of the text file that contains the necessary parameters to be passed to Dcpromo.exe.

Note

To create an answer file for use with Dcpromo.exe, refer to the instructions located in “Microsoft Windows Preinstallation Reference” found in the Ref.chm file on the Windows Server 2003 CD. The Ref.chm file is located in the Deploy.cab file in the \Support\Tools folder. Use the Index tab to search for DCInstall, the help topic that explains each of the entries that can be specified in the [DCInstall] section of the file.
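Figure 6 is not reproduced on this page, so the following is an added, constructed sample of what a [DCInstall] answer file for the "new domain in a new forest" case looks like; it is not the book's figure. The key names follow the DCInstall topic of Ref.chm for Windows Server 2003 as I recall it, so verify each one against that topic before use; the domain name matches the first post on this page, the paths are assumptions, and the password value is a placeholder.

```ini
; Constructed sample answer file for dcpromo on Windows Server 2003.
; Every key below should be checked against the DCInstall help topic in Ref.chm.
[DCInstall]
ReplicaOrNewDomain=Domain          ; first DC of a new domain (Replica = additional DC)
TreeOrChild=Tree                   ; new domain tree rather than a child domain
CreateOrJoin=Create                ; create a new forest rather than join an existing one
NewDomainDNSName=polygon.local
DomainNetbiosName=POLYGON
AutoConfigDNS=Yes                  ; let the wizard install and configure DNS, as in the procedure above
SiteName=Default-First-Site-Name
DatabasePath=C:\WINDOWS\NTDS       ; assumed paths; place log files on a separate NTFS disk
LogPath=D:\NTDS-logs
SYSVOLPath=C:\WINDOWS\SYSVOL
AllowAnonymousAccess=No            ; permissions compatible only with Windows 2000/2003
SafeModeAdminPassword=<DSRM-password-placeholder>
RebootOnSuccess=Yes
```

Run it as `dcpromo /answer:C:\dcinstall.txt`. Because SafeModeAdminPassword is stored in clear text, keep the file on an NTFS volume readable only by the account performing the promotion and delete it once the promotion has completed.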


Installing Active Directory Using the Network or Backup Media

In Windows 2000, promoting a member server to become an additional domain controller in an existing domain required the entire directory database to be replicated to the new domain controller. In cases where low network bandwidth or exceptionally large directory databases were factors, this replication could take hours or sometimes even days to complete.

A new feature in Windows Server 2003 helps to make the process of adding a new domain controller to an existing domain more flexible in situations like those described. A Windows Server 2003 member server can be promoted to the role of domain controller using a backup of the directory database taken from an existing domain controller. This backup can be restored to the target server from different types of backup media or from a shared network folder. Ultimately, this approach helps to reduce much of the replication traffic associated with deploying new domain controllers, which is especially useful for domain controllers located in remote sites connected via WAN links. For example, if a new domain controller needs to be installed in a branch office connected over a low-speed WAN link, an administrator could back up the Active Directory database of an existing domain controller to removable media, and then ship that media to the branch office. The media could then be used to promote the member server to a domain controller locally, without the need for full replication of the directory database to take place over the WAN link. Of course, some replication will still be necessary to ensure that the remote domain controller is fully synchronized with existing domain controllers, but this typically amounts to much less traffic than full synchronization would incur.

The amount of replication that is ultimately required to fully synchronize the remote domain controller depends on the age of the backup used and the number of changes that have occurred since the backup was taken. The backup cannot be older than the tombstone lifetime for the domain, which is set to a default value of 60 days. To minimize the amount of replication that needs to occur after promotion, a very recent backup is always preferred.

Note

If the domain controller from which the backup of Active Directory was created contained an application directory partition, the partition will not be restored to the new domain controller.


To install Active Directory using a network share or backup media, complete the following steps:

1. Click Start, click Run, type dcpromo /adv in the Open box, and then click OK.

 Tip

To create an additional domain controller in an existing domain from backup media, remember that the Dcpromo.exe command must be issued with the /adv switch.

2. At the Operating System Compatibility page, click Next.

3. At the Domain Controller Type page, select Additional Domain Controller For An Existing Domain, and then click Next.

4. At the Copying Domain Information page shown in Figure 7, select one of the following options:

  • Over The Network From A Domain Controller, to copy domain information to this server over the network

  • From These Restored Backup Files, and then type the path to the backup files in the box to copy domain information to this server from backup files

Figure 7. Active Directory Installation Wizard, Copying Domain Information page

5. On the Network Credentials page, specify your user name and password in the User Name and Password boxes, respectively. In the Domain box, type the domain name and then click Next.

6. On the Additional Domain Controller page, specify the domain name and then click Next.

7. On the Database And Log Folders page, ensure that the correct locations for the database folder and the log folder appear in the Database Folder box and the Log Folder box, respectively. Click Next.

8. On the Shared System Volume page, ensure that the correct location for the shared system volume folder appears in the Folder Location box. Click Next.

9. On the Directory Services Restore Mode Administrator Password page, type the password you want to assign to this server’s Administrator account in the event the computer is started in directory services restore mode in the Restore Mode Password box. Confirm the password in the Confirm Password box. Click Next.

10. On the Summary page, review your selections and then click Next to proceed with the installation. Restart the computer when prompted.

Installing Active Directory Using the Configure Your Server Wizard

The Configure Your Server Wizard provides a centralized location from which you can install many server services, including Active Directory. The Configure Your Server Wizard is available from the Manage Your Server page, which opens automatically the first time you log on to a server. Figure 8 shows the Server Role page of the wizard. You can use the Configure Your Server Wizard to install Active Directory only on the first domain controller on a network. If you attempt to use the Configure Your Server Wizard to install additional domain controllers, the wizard will launch the Active Directory Installation Wizard to perform the installation.

Figure 8. Configure Your Server Wizard, Server Role page


Although the Configure Your Server Wizard provides a simplified method for inexperienced users to install Active Directory, experienced users should take advantage of the higher degree of flexibility provided by the Active Directory Installation Wizard.

Configuring Global Catalog Servers

When a new Active Directory forest is created, only the first domain controller installed in the forest root domain will be configured as a global catalog server by default—any additional global catalog servers need to be configured manually. While a single global catalog server might suffice in very small environments, at least two are recommended as a minimum for the purposes of fault tolerance and load balancing. In environments that include multiple sites connected by WAN links, it is generally recommended that each remote location have at least one domain controller configured as a global catalog server, or that the site implement universal group membership caching.

Because of the importance of the global catalog in providing universal group membership information and authenticating logon requests that use user principal names (UPNs), you will almost certainly need to configure additional global catalog servers in any Active Directory environment. As in Windows 2000, global catalog servers are configured via the NTDS Settings object associated with a domain controller object in the Active Directory Sites And Services tool.

To configure a Windows Server 2003 domain controller as a global catalog server, follow these steps:

1. Click Start, select Administrative Tools, and then click Active Directory Sites And Services.

2. Click the plus sign (+) next to the Sites folder to expand it.

3. Expand Default-First-Site-Name, the Servers folder, and then the server object.

4. Right-click the NTDS Settings object, and click Properties.

5. On the General tab, select the Global Catalog check box, as shown in Figure 9.

Figure 9. Configuring a global catalog server from the NTDS Settings Properties General tab

6. Click OK, and then close Active Directory Sites And Services.


Universal group membership caching is not enabled within a site by default. To enable universal group membership caching for domain controllers within a site running Windows Server 2003, you must be a member of the Domain Admins group in the forest root domain or a member of Enterprise Admins, or you must have been delegated the appropriate authority. Because universal group membership caching is site-specific, all Windows Server 2003 domain controllers within a site use the feature once it has been enabled.

 Tip

Global catalog settings are configured on individual domain controllers. In contrast, universal group membership caching is configured at the site level, and applies to all domain controllers within a specific site.


In much the same way that you configure a domain controller to function as a global catalog server, you configure universal group membership caching using Active Directory Sites And Services. However, instead of configuring the NTDS Settings object of a particular domain controller, you configure universal group membership caching from the properties of the NTDS Site Settings for a particular site. The following list shows the steps to configure universal group membership caching within a site.

1. Click Start, select Administrative Tools, and then click Active Directory Sites and Services.

2. Click the plus sign (+) next to the Sites folder to expand it.

3. Click Default-First-Site-Name to view its contents.

4. Right-click NTDS Site Settings, and click Properties.

5. On the Site Settings tab, select the Enable Universal Group Membership Caching check box, as shown in Figure 10.

Figure 10. Configuring universal group membership caching

6. In the Refresh Cache From drop-down box, choose the site from which domain controllers in this site will attempt to locate a global catalog server. If the <Default> option is selected, domain controllers in this site will attempt to refresh their cache from the nearest site that has a global catalog server.

7. Click OK, and close Active Directory Sites And Services.
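Both procedures above (the Global Catalog check box on NTDS Settings and the caching check box on NTDS Site Settings) end up as bits in the `options` attribute of the corresponding objects in the Configuration partition, so they can be audited from an LDIF export instead of by clicking through every server and site. The script below is an added example, not code from the original article; the LDIF sample is constructed in the style of an ldifde export, and DC01, DC02 and the HQ site are made-up names.

```python
# Added example (not from the original article): audit what the two check
# boxes above write into AD. Global Catalog sets bit 0x1 of 'options' on the
# DC's nTDSDSA ("NTDS Settings") object; Enable Universal Group Membership
# Caching sets bit 0x20 of 'options' on the site's nTDSSiteSettings object,
# and Refresh Cache From is kept in msDS-Preferred-GC-Site (absent = <Default>).
# SAMPLE_LDIF is constructed (ldifde-style export); DC01, DC02, HQ are made up.
IS_GC = 0x1                      # NTDSDSA_OPT_IS_GC
IS_GROUP_CACHING_ENABLED = 0x20  # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED

SAMPLE_LDIF = """\
dn: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=polygon,DC=local
objectClass: nTDSDSA
options: 1

dn: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=polygon,DC=local
objectClass: nTDSDSA

dn: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=polygon,DC=local
objectClass: nTDSSiteSettings
options: 32
msDS-Preferred-GC-Site: CN=HQ,CN=Sites,CN=Configuration,DC=polygon,DC=local
"""

def parse_ldif(text):
    entries, current = [], {}
    # ldifde folds long lines; a continuation line starts with one space
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    return entries

def rdn(dn, i):
    return dn.split(",")[i].split("=", 1)[1]   # rdn(dn, 1) -> 'DC01'

def audit(text):
    """Return ({server: is_gc}, {site: (caching_enabled, refresh_from)})."""
    gcs, sites = {}, {}
    for e in parse_ldif(text):
        opts = int(e.get("options", ["0"])[0])  # absent attribute means 0
        dn, classes = e["dn"][0], e.get("objectClass", [])
        if "nTDSDSA" in classes:
            gcs[rdn(dn, 1)] = bool(opts & IS_GC)
        elif "nTDSSiteSettings" in classes:
            pref = e.get("msDS-Preferred-GC-Site", ["<Default>"])[0]
            sites[rdn(dn, 1)] = (bool(opts & IS_GROUP_CACHING_ENABLED), pref)
    return gcs, sites
```

Run `audit(open("sites.ldf").read())` on a real export of CN=Sites,CN=Configuration,... to list which DCs advertise as global catalogs and which sites have caching on and where they refresh from.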

Removing Active Directory from a Domain Controller

Running Dcpromo.exe on an existing domain controller allows you to remove Active Directory from a system, demoting it to either a stand-alone server or a member server. If the system being demoted is the last domain controller in the domain, it becomes a stand-alone server because the domain will no longer exist. If other domain controllers remain in the domain, a demoted server will become a member server within the existing domain.

To remove Active Directory from existing domain controllers, you must be a member of certain groups, depending upon the specific situation that surrounds the demotion process. The following list outlines the requirements to remove Active Directory from domain controllers in different situations.

  • To remove Active Directory from a system that is the last domain controller in any domain except the forest root, you must be a member of the Enterprise Admins group.

  • To remove Active Directory from the last domain controller in a forest, you must be a member of the Domain Admins group.

  • To remove Active Directory from a system that is not the last domain controller in the domain, you must be a member of either the Domain Admins group in that domain or a member of the Enterprise Admins group.

To remove Active Directory from a domain controller, complete the following steps:

1. Log on as the appropriate administrator.

2. Click Start, click Run, type dcpromo in the Open box, and then click OK.

3. On the Welcome To The Active Directory Installation Wizard page, click Next.

4. If the domain controller is a global catalog server, a message appears telling you to make sure other global catalogs are accessible to users of the domain before removing Active Directory from this computer. Click OK.

5. On the Remove Active Directory page, select the check box if the server is the last domain controller in the domain. Click Next.

6. If the server is the last domain controller in the domain, the Application Directory Partitions page appears. If you want to remove all application directory partitions listed on this page, click Next. Otherwise, click Back. If you click Next, the Confirm Deletion page appears. Select the check box if you want the wizard to delete all the application directory partitions on the domain controller, and then click Next.

Note

Because removing the last replica of an application directory partition will result in the permanent loss of any data contained in the partition, the Active Directory Installation Wizard will not remove application directory partitions unless you confirm the deletion. You must decide when it is safe to delete the last replica of a particular partition. If the domain controller holds a Telephony Application Programming Interface (TAPI) application directory partition, you might need to use the Tapicfg.exe command-line tool to remove the TAPI application directory partition. For more information on using Tapicfg.exe, refer to Windows Server 2003 help.

7. On the Administrator Password page, type and confirm the administrator password, and then click Next.

8. On the Summary page, click Next. The Configuring Active Directory progress indicator appears as Active Directory is removed from the server. This process will take several minutes. Click Finish.

9. On the Active Directory Installation Wizard dialog box, click Restart Now to restart the computer and complete the removal of Active Directory from the computer.

Steps:

1. Log on as Administrator to the server.

2. Check for the correct computer name and IP address.

Note: The IP address should be static. If you are planning to install DNS on the same machine, then enter the server's own IP in the DNS IP field.

3. Click Start, and then click Run.

4. In the Run box, type "dcpromo" and then click OK.

5. On the Welcome to the Active Directory Installation Wizard page, click NEXT.

6. On the Operating System Compatibility page, click NEXT.

7. On the Domain Controller Type page, ensure that "Domain Controller for a new Domain" is selected, and then click NEXT.

8. On the Domain Controller Type page, ensure that "Domain in new forest" is selected, and then click NEXT.

9. On the New Domain Name page, in the Full DNS Name for new domain text box, type the domain name you want for your organization, and then click NEXT.

10. On the NetBIOS Domain Name page, ensure that the domain name appears; if it doesn't, specify the NetBIOS name of the domain, and then click NEXT.

11. On the Database and Log Locations page, accept the default locations by clicking NEXT.

12. On the Shared System Volume page, accept the default locations by clicking NEXT.

13. If you want to install DNS on the same server, then on the DNS Registration Diagnostics page select "Install and configure the DNS server on this computer" and then click NEXT. This is called AD-integrated DNS.

14. On the Permissions page, select "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems", and then click NEXT.

15. On the Directory Services Restore Mode Administrator Password page, type the DSRM password in the Password and Confirm Password boxes, and then click NEXT.

16. On the Summary page, review the options you selected, and then click NEXT.

17. The Active Directory installation begins.

18. When the Completing the Active Directory Installation Wizard page appears, click FINISH, and then restart your computer.
