
Windows Server 2003 : Installing and Configuring Domain Controllers

10/9/2010 4:29:08 PM

Planning Your Active Directory Installation

While the processes for promoting a member server to the role of domain controller are relatively straightforward, it is critical that you plan your proposed Active Directory environment in advance. Examples of environment-related information that should already be documented and well understood prior to promoting any server to the role of domain controller include:

  • The domain structure for the new or existing forest

  • The domain naming scheme to be used

  • How Domain Name System (DNS) will be configured to support Active Directory

  • Whether the Active Directory environment will need to support servers running previous versions of Windows

Similarly, you will also need to ensure that the specific settings for the server to be promoted have been correctly configured, and that the information required during the promotion process has already been determined and documented. Some issues that need to be considered prior to promoting a domain controller include:

  • Domain controllers require static IP address and subnet mask values

  • The client DNS settings of the server must be configured correctly

  • The storage location of the database and log files should be defined

  • The location of the shared system volume folder should be defined

By properly planning and documenting the domain controller promotion process in advance, you greatly reduce the risk of misconfiguration or encountering errors during the installation process.

Installing Active Directory

Four different methods can be used to promote a Windows Server 2003 system to a domain controller. These include:

  • Using the Active Directory Installation Wizard (to install Active Directory in most situations)

  • Using an answer file to perform an unattended installation (to automate the installation process or install Active Directory remotely)

  • Using the network or backup media (to install Active Directory on additional domain controllers in the network by using media rather than relying upon replication)

  • Using the Configure Your Server Wizard (an additional way to install the first domain controller in a network only)

The following sections outline the specific steps and considerations associated with installing domain controllers using each of these four methods.

Installing Active Directory Using the Active Directory Installation Wizard

The Active Directory Installation Wizard (Dcpromo.exe) is the main tool used to install Active Directory. Information that must be provided as part of completing the wizard includes:

  • Domain controller type, either the first domain controller for a new domain or a new domain controller added to an existing domain

  • Domain type—a new domain in a new forest, a child domain in an existing domain tree, or a new domain tree in an existing forest

  • Domain name

  • NetBIOS name for the domain

  • Storage location for the Active Directory database

  • Storage location for the Active Directory transaction log files

  • Storage location for the shared system volume

  • Default Active Directory access permissions

  • Directory services restore mode administrator password

After you input this information, the wizard installs Active Directory, creating the database, configuring associated services, and modifying security settings. If a DNS server is not available, you will be given the option to install DNS as part of the Active Directory installation.

One of the most fundamental choices presented by the wizard is whether you want the server to become the first domain controller for an entirely new domain, or to serve as an additional domain controller within an existing domain. Ultimately, the choice you make affects the structure of your Active Directory implementation.

Creating the First Domain Controller for a New Domain

If you choose to create the first domain controller for a new domain, you are actually defining both a new domain controller and a new domain. You will therefore be asked whether you want to create the new domain in a new forest, as a child domain in an existing domain tree, or as a new domain tree in an existing forest. These choices are illustrated in Figure 1.

Figure 1. Creating a new domain using the Active Directory Installation Wizard


When you create a new domain in a new forest, the new domain is either the first domain in the organization or a new domain that you want to be completely independent from an existing forest. When you create a new child domain in an existing domain tree, the new domain becomes a subdomain of an existing domain, within the DNS namespace of its parent domain. If you choose to create a new domain tree in an existing forest, the new domain becomes the root domain of a new tree, with a DNS name that is not contiguous with any other existing domains in the forest.

Adding a New Domain Controller to an Existing Domain

If you use the Active Directory Installation Wizard to add an additional domain controller to an existing domain, you are effectively adding redundancy and authentication load-balancing to a domain in a forest that has already been created. In all cases, an absolute minimum of two domain controllers should be deployed per domain to provide redundancy. In most Active Directory implementations, the number of domain controllers that need to be deployed within a single domain is a function of the number of users that need to be serviced, as well as the number of physical sites that have been implemented.

Off the Record

When implementing Active Directory, each domain should include an absolute minimum of two domain controllers for the purpose of directory redundancy.


Using the Active Directory Installation Wizard

Issuing the Dcpromo.exe command from the Run dialog box or the command line starts the Active Directory Installation Wizard. To install Active Directory for a new domain in a new forest, complete the following steps:

1. Click Start and then click Run. In the Run dialog box, type dcpromo in the Open box and click OK.

2. At the Welcome To The Active Directory Installation Wizard page, click Next.

3. At the Operating System Compatibility page, click Next.

4. At the Domain Controller Type page, select Domain Controller For A New Domain, as shown in Figure 2. Click Next.

Figure 2. Active Directory Installation Wizard, Domain Controller Type page


5. On the Create New Domain page, ensure that Domain In A New Forest is selected, and then click Next.

6. If DNS is not configured for this computer, the Install Or Configure DNS page appears. Select No, Just Install And Configure DNS On This Computer, and click Next.

Note

If you choose to allow the Active Directory Installation Wizard to install and configure DNS, it will create an Active Directory-Integrated zone stored on an application directory partition.

7. On the New Domain Name page, type the name of your domain in the Full DNS Name For New Domain box, and click Next.

8. On the NetBIOS Domain Name page, the Active Directory Installation Wizard will suggest a NetBIOS name. Accept the default name provided by clicking Next.

Note

Clients running versions of Windows prior to Windows 2000 still use the NetBIOS name associated with a domain to access many domain-related functions.

9. On the Database And Log Folders page, type the location of the Active Directory database in the Database Folder box and the location of the Active Directory log in the Log Folder box, as shown in Figure 3. Similar to Windows 2000, it is recommended that you place the Active Directory database and associated log files on separate disks formatted with the NTFS file system. Click Next.

Figure 3. Active Directory Installation Wizard, Database And Log Folders page


10. On the Shared System Volume page, specify the location of the Sysvol folder in the Folder Location box. The Sysvol folder must reside on a partition or volume formatted with the NTFS file system. Click Next.

11. If DNS is configured for this computer and the wizard is unable to connect to the DNS server, the DNS Registration Diagnostics page appears. Select Install And Configure The DNS Server On This Computer, And Set This Computer To Use This DNS Server As Its Preferred DNS Server, and click Next.

12. On the Permissions page, read through the available options as shown in Figure 4. Click Next.

Figure 4. Active Directory Installation Wizard, Permissions page


13. On the Directory Services Restore Mode Administrator Password page, type the directory services restore mode password you want to assign to this server’s Administrator account in the Restore Mode Password box. Confirm the password in the Confirm Password box. Click Next.

14. The Summary page displays the options that you have selected during the wizard, as shown in Figure 5. Review the contents of this page for accuracy, and then click Next. The wizard takes a few minutes to configure Active Directory components. You might be prompted for your Windows Server 2003 CD-ROM. If you did not configure this server with a static IP address prior to starting the wizard, you will be prompted to do so.

Figure 5. Active Directory Installation Wizard, Summary page


15. When the Completing The Active Directory Installation Wizard page appears, click Finish, and then click Restart Now.

Installing Active Directory Using an Answer File

The steps associated with the Active Directory Installation Wizard can also be automated through the use of an answer file. An answer file is simply a text file that contains answers to the questions normally asked when the wizard is completed manually. The answer file must contain all the parameters that the Active Directory Installation Wizard normally needs to complete the Active Directory installation process. Some benefits of promoting domain controllers by using answer files include:

  • The ability to automate the domain controller installation process on remote servers that might be accessible only via low-bandwidth connections

  • The ability to define and control the exact parameters to be configured during the promotion process, saving time and reducing the risk of misconfiguration

Figure 6 displays a sample answer file that could be used to promote a Windows Server 2003 system to a domain controller.

Figure 6. A sample answer file used to install Active Directory


To install Active Directory on a Windows Server 2003 system using an answer file, issue the command dcpromo /answer:filename, where filename is the name of the text file that contains the parameters to be passed to Dcpromo.exe.

Note

To create an answer file for use with Dcpromo.exe, refer to the instructions located in “Microsoft Windows Preinstallation Reference” found in the Ref.chm file on the Windows Server 2003 CD. The Ref.chm file is located in the Deploy.cab file in the \Support\Tools folder. Use the Index tab to search for DCInstall, the help topic that explains each of the entries that can be specified in the [DCInstall] section of the file.
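A way to check an answer file against the planning list and the Permissions page before running dcpromo /answer, as an added example that is not part of the article or of Microsoft's tooling; it assumes the Windows Server 2003 [DCInstall] key names, and the two sample files are constructed with hypothetical names and paths:

```python
"""Lint a Dcpromo answer file against the pre-promotion checklist.

Added example, not from the original article. It reads the [DCInstall]
section using the Windows Server 2003 key names and reports what the
article's planning list and Permissions page would have you check.
"""
import configparser

# Constructed sample: first domain controller of a new forest (hypothetical
# names and paths; the real key reference is the DCInstall topic in Ref.chm).
SAMPLE_NEW_FOREST = r"""
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=corp.example.com
DomainNetBiosName=CORP
AutoConfigDNS=Yes
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
AllowAnonymousAccess=Yes
SafeModeAdminPassword=Placeholder-DSRM-Pa55
RebootOnSuccess=Yes
"""

# Constructed sample: additional DC promoted from restored backup media,
# with the network-credential Password line accidentally left out.
SAMPLE_REPLICA_FROM_MEDIA = r"""
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example.com
ReplicationSourcePath=E:\ntdsbackup
UserName=promote-admin
UserDomain=CORP
DatabasePath=C:\Windows\NTDS
LogPath=D:\NTDSLogs
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=Placeholder-DSRM-Pa55
RebootOnSuccess=Yes
"""

REQUIRED_ALWAYS = ("databasepath", "logpath", "sysvolpath", "safemodeadminpassword")
REQUIRED_BY_MODE = {
    "domain": ("newdomaindnsname", "domainnetbiosname", "treeorchild", "createorjoin"),
    "replica": ("replicadomaindnsname", "username", "password", "userdomain"),
}


def parse_answer_file(text):
    """Return the [DCInstall] keys as a dict with lower-case key names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("DCInstall"):
        raise ValueError("answer file has no [DCInstall] section")
    return {k.lower(): v.strip() for k, v in cp.items("DCInstall")}


def lint_answer_file(text):
    """Return (errors, warnings): errors would stop Dcpromo, warnings are risks."""
    keys = parse_answer_file(text)
    errors, warnings = [], []
    mode = keys.get("replicaornewdomain", "").lower()
    if mode not in REQUIRED_BY_MODE:
        errors.append("ReplicaOrNewDomain must be Domain or Replica")
    for k in REQUIRED_ALWAYS + REQUIRED_BY_MODE.get(mode, ()):
        if not keys.get(k):
            errors.append(f"missing or empty {k}")
    if keys.get("treeorchild", "").lower() == "child" and not keys.get("parentdomaindnsname"):
        errors.append("a child domain needs ParentDomainDNSName")
    if len(keys.get("domainnetbiosname", "")) > 15:
        errors.append("DomainNetBiosName is longer than 15 characters")
    # Article recommendation: database and log files on separate disks.
    db, log = keys.get("databasepath", ""), keys.get("logpath", "")
    if db and log and db[:2].upper() == log[:2].upper():
        warnings.append("DatabasePath and LogPath share a drive; separate disks recommended")
    # Permissions page: pre-Windows 2000 compatible permissions allow anonymous reads.
    if keys.get("allowanonymousaccess", "").lower() == "yes":
        warnings.append("AllowAnonymousAccess=Yes enables pre-Windows 2000 compatible "
                        "(anonymous) read access; use No unless legacy servers need it")
    # Both passwords sit in the file in cleartext.
    for k in ("safemodeadminpassword", "password"):
        if keys.get(k):
            warnings.append(f"{k} is stored in cleartext; restrict the file ACL "
                            "and delete the file after promotion")
    return errors, warnings


if __name__ == "__main__":
    for name, text in (("new forest", SAMPLE_NEW_FOREST),
                       ("replica from media", SAMPLE_REPLICA_FROM_MEDIA)):
        errors, warnings = lint_answer_file(text)
        print(name, "errors:", errors, "warnings:", warnings)
```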


Installing Active Directory Using the Network or Backup Media

In Windows 2000, promoting a member server to become an additional domain controller in an existing domain required the entire directory database to be replicated to the new domain controller. In cases where low network bandwidth or exceptionally large directory databases were factors, this replication could take hours or sometimes even days to complete.

A new feature in Windows Server 2003 helps to make the process of adding a new domain controller to an existing domain more flexible in situations like those described. A Windows Server 2003 member server can be promoted to the role of domain controller using a backup of the directory database taken from an existing domain controller. This backup can be restored to the target server from different types of backup media or from a shared network folder. Ultimately, this approach helps to reduce much of the replication traffic associated with deploying new domain controllers, which is especially useful for domain controllers located in remote sites connected via WAN links. For example, if a new domain controller needs to be installed in a branch office connected over a low-speed WAN link, an administrator could back up the Active Directory database of an existing domain controller to removable media, and then ship that media to the branch office. The media could then be used to promote the member server to a domain controller locally, without the need for full replication of the directory database to take place over the WAN link. Of course, some replication will still be necessary to ensure that the remote domain controller is fully synchronized with existing domain controllers, but this typically amounts to much less traffic than full synchronization would incur.

The amount of replication that is ultimately required to fully synchronize the remote domain controller depends on the age of the backup used and the number of changes that have occurred since the backup was taken. The backup cannot be older than the tombstone lifetime for the domain, which is set to a default value of 60 days. To minimize the amount of replication that needs to occur after promotion, a very recent backup is always preferred.

Note

If the domain controller from which the backup of Active Directory was created contained an application directory partition, the partition will not be restored to the new domain controller.


To install Active Directory using a network share or backup media, complete the following steps:

1. Click Start, click Run, type dcpromo /adv in the Open box, and then click OK.

Tip

To create an additional domain controller in an existing domain from backup media, remember that the Dcpromo.exe command must be issued with the /adv switch.

2. At the Operating System Compatibility page, click Next.

3. At the Domain Controller Type page, select Additional Domain Controller For An Existing Domain, and then click Next.

4. At the Copying Domain Information page shown in Figure 7, select one of the following options:

  • Over The Network From A Domain Controller, to copy domain information to this server over the network

  • From These Restored Backup Files, and then type the path to the backup files in the box to copy domain information to this server from backup files

Figure 7. Active Directory Installation Wizard, Copying Domain Information page


5. On the Network Credentials page, specify your user name and password in the User Name and Password boxes, respectively. In the Domain box, type the domain name and then click Next.

6. On the Additional Domain Controller page, specify the domain name and then click Next.

7. On the Database And Log Folders page, ensure that the correct locations for the database folder and the log folder appear in the Database Folder box and the Log Folder box, respectively. Click Next.

8. On the Shared System Volume page, ensure that the correct location for the shared system volume folder appears in the Folder Location box. Click Next.

9. On the Directory Services Restore Mode Administrator Password page, type the password you want to assign to this server’s Administrator account in the event the computer is started in directory services restore mode in the Restore Mode Password box. Confirm the password in the Confirm Password box. Click Next.

10. On the Summary page, review your selections and then click Next to proceed with the installation. Restart the computer when prompted.

Installing Active Directory Using the Configure Your Server Wizard

The Configure Your Server Wizard provides a centralized location from which you can install many server services, including Active Directory. The Configure Your Server Wizard is available from the Manage Your Server page, which opens automatically the first time you log on to a server. Figure 8 shows the Server Role page of the wizard. You can use the Configure Your Server Wizard to install Active Directory only on the first domain controller on a network. If you attempt to use the Configure Your Server Wizard to install additional domain controllers, the wizard will launch the Active Directory Installation Wizard to perform the installation.

Figure 8. Configure Your Server Wizard, Server Role page


Although the Configure Your Server Wizard provides a simplified method for inexperienced users to install Active Directory, experienced users should take advantage of the higher degree of flexibility provided by the Active Directory Installation Wizard.

Configuring Global Catalog Servers

When a new Active Directory forest is created, only the first domain controller installed in the forest root domain will be configured as a global catalog server by default—any additional global catalog servers need to be configured manually. While a single global catalog server might suffice in very small environments, at least two are recommended as a minimum for the purposes of fault tolerance and load balancing. In environments that include multiple sites connected by WAN links, it is generally recommended that each remote location have at least one domain controller configured as a global catalog server, or that the site implement universal group membership caching.

Because of the importance of the global catalog in providing universal group membership information and authenticating logon requests that use user principal names (UPNs), you will almost certainly need to configure additional global catalog servers in any Active Directory environment. As in Windows 2000, global catalog servers are configured via the NTDS Settings object associated with a domain controller object in the Active Directory Sites And Services tool.

To configure a Windows Server 2003 domain controller as a global catalog server, follow these steps:

1. Click Start, select Administrative Tools, and then click Active Directory Sites And Services.

2. Click the plus sign (+) next to the Sites folder to expand it.

3. Expand Default-First-Site-Name, the Servers folder, and then the server object.

4. Right-click the NTDS Settings object, and click Properties.

5. On the General tab, select the Global Catalog check box, as shown in Figure 9.

Figure 9. Configuring a global catalog server from the NTDS Settings Properties General tab


6. Click OK, and then close Active Directory Sites And Services.

Universal group membership caching is not enabled within a site by default. To enable universal group membership caching for domain controllers within a site running Windows Server 2003, you must be a member of the Domain Admins group in the forest root domain or a member of Enterprise Admins, or you must have been delegated the appropriate authority. Because universal group membership caching is site-specific, all Windows Server 2003 domain controllers within a site use the feature once it has been enabled.

Tip

Global catalog settings are configured on individual domain controllers. In contrast, universal group membership caching is configured at the site level, and applies to all domain controllers within a specific site.


In much the same way that you configure a domain controller to function as a global catalog server, you configure universal group membership caching using Active Directory Sites And Services. However, instead of configuring the NTDS Settings object of a particular domain controller, you configure universal group membership caching from the properties of the NTDS Site Settings for a particular site. The following list shows the steps to configure universal group membership caching within a site.

1. Click Start, select Administrative Tools, and then click Active Directory Sites and Services.

2. Click the plus sign (+) next to the Sites folder to expand it.

3. Click Default-First-Site-Name to view its contents.

4. Right-click NTDS Site Settings, and click Properties.

5. On the Site Settings tab, select the Enable Universal Group Membership Caching check box, as shown in Figure 10.

Figure 10. Configuring universal group membership caching


6. In the Refresh Cache From drop-down box, choose the site from which domain controllers in this site will attempt to locate a global catalog server. If the <Default> option is selected, domain controllers in this site will attempt to refresh their cache from the nearest site that has a global catalog server.

7. Click OK, and close Active Directory Sites And Services.

Removing Active Directory from a Domain Controller

Running Dcpromo.exe on an existing domain controller allows you to remove Active Directory from a system, demoting it to either a stand-alone server or a member server. If the system being demoted is the last domain controller in the domain, it becomes a stand-alone server because the domain will no longer exist. If other domain controllers remain in the domain, a demoted server will become a member server within the existing domain.

To remove Active Directory from existing domain controllers, you must be a member of certain groups, depending upon the specific situation that surrounds the demotion process. The following list outlines the requirements to remove Active Directory from domain controllers in different situations.

  • To remove Active Directory from a system that is the last domain controller in any domain except the forest root, you must be a member of the Enterprise Admins group.

  • To remove Active Directory from the last domain controller in a forest, you must be a member of the Domain Admins group.

  • To remove Active Directory from a system that is not the last domain controller in the domain, you must be a member of either the Domain Admins group in that domain or a member of the Enterprise Admins group.

To remove Active Directory from a domain controller, complete the following steps:

1. Log on as the appropriate administrator.

2. Click Start, click Run, type dcpromo in the Open box, and then click OK.

3. On the Welcome To The Active Directory Installation Wizard page, click Next.

4. If the domain controller is a global catalog server, a message appears telling you to make sure other global catalogs are accessible to users of the domain before removing Active Directory from this computer. Click OK.

5. On the Remove Active Directory page, select the check box if the server is the last domain controller in the domain. Click Next.

6. If the server is the last domain controller in the domain, the Application Directory Partitions page appears. If you want to remove all application directory partitions listed on this page, click Next. Otherwise, click Back. If you click Next, the Confirm Deletion page appears. Select the check box if you want the wizard to delete all the application directory partitions on the domain controller, and then click Next.

Note

Because removing the last replica of an application directory partition will result in the permanent loss of any data contained in the partition, the Active Directory Installation Wizard will not remove application directory partitions unless you confirm the deletion. You must decide when it is safe to delete the last replica of a particular partition. If the domain controller holds a Telephony Application Programming Interface (TAPI) application directory partition, you might need to use the Tapicfg.exe command-line tool to remove the TAPI application directory partition. For more information on using Tapicfg.exe, refer to Windows Server 2003 help.

7. On the Administrator Password page, type and confirm the administrator password, and then click Next.

8. On the Summary page, click Next. The Configuring Active Directory progress indicator appears as Active Directory is removed from the server. This process will take several minutes. Click Finish.

9. On the Active Directory Installation Wizard dialog box, click Restart Now to restart the computer and complete the removal of Active Directory from the computer.