How Do I Install Active Directory On My Windows Server 2003 Server
Note: This article is only good for understanding how to install the FIRST DC in a NEW AD
Domain, in a NEW TREE, in a NEW FOREST. Meaning - don't do it for any other scenario,
such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in
an EXISTING Windows 2000 Domain follow the Windows 2003 ADPrep tip.
Windows 2000 Note: If you plan to install a new Windows 2000 DC please read How to Install
Active Directory on Windows 2000.
Windows 2008 Note: Install Active Directory on Windows Server 2008 provides complete
instruction details for working with Windows Server 2008.
Windows Server 2003 Note: If you plan to install a new Windows Server 2003 DC in an
existing AD forest please read the page BEFORE you go on, otherwise you'll end up with the
following error:
4. Click More.
5. In the Primary DNS suffix of this computer box enter the would-be domain name. Make
sure you got it right. No spelling mistakes, no "oh, I thought I did it right...". Although
the domain name CAN be changed after the computer has been promoted to Domain
Controller, this is not a procedure that one should consider lightly, especially because of
the possible consequences. Read more about it on my Windows 2003 Domain Rename
Tool page.
6. Click Ok.
7. You'll get a warning window.
8. Click Ok.
will also be its own DNS server. If you have another operational
Windows 2000/2003 server that is properly configured as your DNS server (read my
Create a New DNS Server for AD page) - enter that server's IP address instead:
6. Click Advanced.
7. Click the DNS Tab.
8. Select "Append primary and connection specific DNS suffixes"
9. Check "Append parent suffixes of the primary DNS suffix"
10. Check "Register this connection's addresses in DNS". If this Windows 2000/2003-based
DNS server is on an intranet, it should only point to its own IP address for DNS; do not
enter IP addresses for other DNS servers here. If this server needs to resolve names on
This article assumes that you already have the DNS service installed. If this is not the case,
please read Create a New DNS Server for AD.
Furthermore, it is assumed that the DC will also be its own DNS server. If that is not the case,
you MUST configure another Windows 2000/2003 server as the DNS server, and if you try to
run DCPROMO without doing so, you'll end up with errors and the process will fail.
2. Right click Forward Lookup Zones and choose to add a new zone.
3. Click Next. The new forward lookup zone must be a primary zone so that it can accept
5. Accept the default name for the new zone file. Click Next.
6. To be able to accept dynamic updates to this new zone, click "Allow both nonsecure and
You should now make sure your computer can register itself in the new zone. Go to the
Command Prompt (CMD) and run "ipconfig /registerdns" (no quotes, duh...). Go back to the
DNS console, open the new zone and refresh it (F5). Notice that the computer should by now be
listed as an A Record in the right pane.
If it's not there try to reboot (although if it's not there a reboot won't do much good). Check the
spelling on your zone and compare it to the suffix you created in step 1. Check your IP settings.
click Properties.
3. Click the Forwarders tab.
4. In the IP address box enter the IP address of the DNS servers you want to forward queries
to - typically the DNS server of your ISP. You can also move them up or down. The one
that is highest in the list gets the first try, and if it does not respond within a given time
limit - the query will be forwarded to the next server in the list.
5. Click OK.
3. In the Operating System Compatibility window read the requirements for the domain's
you've created in step 1. Click Next. This step might take some time
because the computer is searching for the DNS server and checking to see if any naming
conflicts exist.
7. Accept the down-level NetBIOS domain name, in this case it's KUKU. Click Next.
8. Accept the Database and Log file location dialog box (unless you want to change them of
course). The location of the files is by default %systemroot%\NTDS, and you should not
Click Next.
Otherwise, you can accept the default choice and then quit Dcpromo and check steps 1-3.
11. If your DNS settings were right, you'll get a confirmation window. Just
click Next.
12. Accept the Permissions compatible only with Windows 2000 or Windows Server 2003
14. Review your settings and if you like what you see - Click Next.
15. See the wizard going through the various stages of installing AD. Whatever you do -
NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a
mistake and want to undo it, you'd better let the wizard finish and then run it again to
undo the AD.
16. If all went well you'll see the final confirmation window. Click Finish.
1. First, see that the Administrative Tools folder has all the AD management tools installed.
2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command).
Open the DNS console. See that you have a zone with the same name as your AD domain
(the one you've just created, remember? Duh...). See that within it you have the 4 SRV
record folders. They must exist.
To try and fix the problems first see if the zone is configured to accept dynamic updates.
5. Right-click the zone you created, and then click Properties.
6. On the General tab, under Dynamic Update, click to select "Nonsecure and secure" from
the drop-down list, and then click OK to accept the change. You should now restart the
NETLOGON service to force the SRV registration. You can do it from the Services
Or from the command prompt type "net stop netlogon", and after it finishes, type "net
start netlogon".
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok
you'll now see the 4 SRV record folders.
If the 4 SRV records are still not present double check the spelling of the zone in the
DNS server. It should be exactly the same as the AD Domain name. Also check the
computer's suffix (see step 1). You won't be able to change the computer's suffix after the
AD is installed, but if you have a spelling mistake you'd be better off removing the
AD now, before you have any users, groups and other objects in place, and then after
repairing the mistake - re-running DCPROMO.
7. Check the NTDS folder for the presence of the required files.
8. Check the SYSVOL folder for the presence of the required subfolders.
9. Check to see if you have the SYSVOL and NETLOGON shares, and their location.
If all of the above is ok, I think it's safe to say that your AD is properly installed.
If not, read Troubleshooting Dcpromo Errors and re-read steps 1-4 in this article.
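The verification steps above can also be run from the command prompt on the new DC. The script below is an added example, not part of the original article: it looks up one SRV record from each of the four SRV folders, confirms the SYSVOL and NETLOGON shares, and checks for the database file in the default NTDS location. The SRV record names, the default site name `Default-First-Site-Name` and the file name `ntds.dit` are not given in the article and are assumed to be at their defaults; pass your AD DNS domain name as the only argument.

```batch
@echo off
rem Post-DCPROMO verification on the new DC. Added example, not the article's own.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 AD-DNS-domain-name
    exit /b 2
)
set "DOMAIN=%~1"
set FAIL=0

rem One SRV record from each of the four folders NETLOGON creates in the zone.
rem Default-First-Site-Name is the default site name (assumed unchanged).
for %%R in (_ldap._tcp.dc._msdcs _ldap._tcp.Default-First-Site-Name._sites _kerberos._tcp _kerberos._udp) do call :check_srv %%R.%DOMAIN%

rem The two shares the DC must publish.
for %%S in (SYSVOL NETLOGON) do call :check_share %%S

rem The directory database in its default location.
if exist "%systemroot%\NTDS\ntds.dit" (
    echo [ OK ] %systemroot%\NTDS\ntds.dit
) else (
    echo [FAIL] %systemroot%\NTDS\ntds.dit not found
    set FAIL=1
)

if %FAIL%==0 (echo All checks passed.) else (echo One or more checks failed.)
exit /b %FAIL%

:check_srv
rem nslookup prints a "svr hostname" line for each SRV answer it receives.
nslookup -type=SRV %1 2>nul | findstr /i /c:"svr hostname" >nul
if errorlevel 1 (
    echo [FAIL] SRV %1 not registered
    set FAIL=1
) else (
    echo [ OK ] SRV %1
)
goto :eof

:check_share
net share %1 >nul 2>&1
if errorlevel 1 (
    echo [FAIL] share %1 missing
    set FAIL=1
) else (
    echo [ OK ] share %1
)
goto :eof
```

Once all checks pass, the zone can be converted to Active Directory-integrated and its Dynamic Update setting changed to "Secure only", so that only authenticated domain members can register or overwrite records.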