How do I install Active Directory on my Windows Server 2003 server?

by Daniel Petri - January 8, 2009

First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a computer that's not connected to a LAN).

Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in a NEW FOREST. Meaning - don't do it for any other scenario, such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain follow the Windows 2003 ADPrep tip.

Windows 2000 Note: If you plan to install a new Windows 2000 DC, please read How to Install Active Directory on Windows 2000.

Windows 2008 Note: Install Active Directory on Windows Server 2008 provides complete instruction details for working with Windows Server 2008.

Windows Server 2003 Note: If you plan to install a new Windows Server 2003 DC in an existing AD forest please read the page BEFORE you go on, otherwise you'll end up with the following error:

Here is a quick list of what you must have:

An NTFS partition with enough free space
An Administrator's username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and - optional - default ...
A network connection (to a hub or to another computer via a crossover cable)
An operational DNS server (which can be installed on the DC itself)
A Domain name that you want to use
The Windows Server 2003 CD media (or at least the i386 folder)
Brains (recommended, not required...)

This article assumes that all of the above requirements are fulfilled.
Step 1: Configure the computer's suffix

(Not mandatory, can be done via the Dcpromo process).

1. Right click My Computer and choose Properties.
2. Click the Computer Name tab, then Change.
3. Set the computer's NetBIOS name. In Windows Server 2003, this CAN be changed after the computer has been promoted to Domain Controller.
4. Click More.
5. In the Primary DNS suffix of this computer box enter the would-be domain name. Make sure you got it right. No spelling mistakes, no "oh, I thought I did it right...". Although the domain name CAN be changed after the computer has been promoted to Domain Controller, this is not a procedure that one should consider lightly, especially because of the possible consequences. Read more about it on my Windows 2003 Domain Rename Tool page.
6. Click Ok.
7. You'll get a warning window.
8. Click Ok.
9. Check your settings. See if they're correct.
10. Click Ok.
11. You'll get a warning window.
12. Click Ok to restart.
Step 2: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use its own IP address as the address of the DNS server, so it will point to itself when registering SRV records and when querying the DNS database.

Configure TCP/IP

1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.
4. Click Internet Protocol (TCP/IP), and then click Properties.
5. Assign this server a static IP address, subnet mask, and gateway address. Enter the server's IP address in the Preferred DNS server box.
Note: This is true if the server itself will also be its own DNS server. If you have another operational Windows 2000/2003 server that is properly configured as your DNS server (read my Create a New DNS Server for AD page) - enter that server's IP address instead:
6. Click Advanced.
7. Click the DNS Tab.
8. Select "Append primary and connection specific DNS suffixes".
9. Check "Append parent suffixes of the primary DNS suffix".
10. Check "Register this connection's addresses in DNS". If this Windows 2000/2003-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder ...
11. Click OK to close the Advanced TCP/IP Settings properties.
12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connections properties.
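As an added example (not from the original article), the following Python script parses the text of "ipconfig /all" and checks it against what Steps 1 and 2 require: the primary DNS suffix equals the intended domain, the address is static, the preferred DNS server is the DC's own address (or the other Windows DNS server you chose instead), and no extra DNS servers are listed when the DC hosts its own intranet DNS. The sample output, the host name dc1, the adapter description and all addresses are constructed; the domain kuku.co.il is the one the article uses in Step 4.

```python
import re

# Constructed sample of "ipconfig /all" output from a would-be DC on Windows
# Server 2003 (not captured from a real machine; addresses are made up).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc1
   Primary Dns Suffix  . . . . . . . : kuku.co.il
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : kuku.co.il

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example Gigabit Adapter
   Physical Address. . . . . . . . . : 00-00-5E-00-53-01
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.200
                                       192.168.0.10
"""

# "   Key . . . . : value"  -> key without the dot leaders, value (may be empty)
_KV = re.compile(r"^\s+(?P<key>[^:]+?)[\s.]*:\s*(?P<val>.*)$")


def parse_ipconfig(text):
    """Return {section: {key: [values]}} from 'ipconfig /all' text.

    Non-indented lines start a section ("Windows IP Configuration",
    "Ethernet adapter Local Area Connection"); indented key/value lines
    belong to it; indented lines without a colon continue the previous
    key (the second DNS server).  IPv4 only, as on Windows Server 2003.
    """
    sections, section, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            section = raw.strip().rstrip(":")
            sections[section] = {}
            last_key = None
            continue
        m = _KV.match(raw)
        if m:
            last_key = m.group("key").strip()
            val = m.group("val").strip()
            sections[section][last_key] = [val] if val else []
        elif last_key is not None:
            sections[section][last_key].append(raw.strip())
    return sections


def check_dc_tcpip(sections, intended_domain, adapter="Local Area Connection",
                   external_dns=None):
    """Return findings (an empty list means consistent with Steps 1 and 2).

    external_dns: address of another Windows DNS server, if the DC will not
    host DNS itself; None means the DC must point at its own address only.
    """
    g = sections.get("Windows IP Configuration", {})
    a = sections.get("Ethernet adapter " + adapter, {})
    findings = []
    suffix = (g.get("Primary Dns Suffix") or [""])[0].lower()
    if suffix != intended_domain.lower():
        findings.append("primary DNS suffix %r != intended domain %r"
                        % (suffix, intended_domain))
    if (a.get("DHCP Enabled") or ["Yes"])[0] != "No":
        findings.append("adapter uses DHCP; a DC needs a static address")
    own_ip = (a.get("IP Address") or [""])[0]
    dns = a.get("DNS Servers") or []
    expected = external_dns or own_ip
    if not dns or dns[0] != expected:
        findings.append("preferred DNS server %r, expected %r" % (dns[:1], expected))
    if external_dns is None and len(dns) > 1:
        findings.append("extra DNS servers %r; a DC hosting its own intranet "
                        "DNS should point only to itself" % dns[1:])
    return findings


if __name__ == "__main__":
    for f in check_dc_tcpip(parse_ipconfig(SAMPLE_IPCONFIG), "kuku.co.il") or ["OK"]:
        print(f)
```

Run it against the real output ("ipconfig /all > ip.txt" on the server, then read the file) before starting Dcpromo; with the constructed sample it reports the second DNS server 192.168.0.10 as the one thing Step 2 says not to have.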
Step 3: Configure the DNS Zone

(Not mandatory, can be done via the Dcpromo process).

This article assumes that you already have the DNS service installed. If this is not the case, please read Create a New DNS Server for AD.

Furthermore, it is assumed that the DC will also be its own DNS server. If that is not the case, you MUST configure another Windows 2000/2003 server as the DNS server, and if you try to run DCPROMO without doing so, you'll end up with errors and the process will fail.
Creating a Standard Primary Forward Lookup Zone

1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS Manager. You see two zones under your computer name: Forward Lookup Zone and Reverse Lookup Zone.
2. Right click Forward Lookup Zones and choose to add a new zone.
3. Click Next. The new forward lookup zone must be a primary zone so that it can accept dynamic updates. Click Primary, and then click Next.
4. The name of the zone must be the same as the name of the Active Directory domain, or be a logical DNS container for that name. For example, if the Active Directory domain is named "lab.dpetri.net", legal zone names are "lab.dpetri.net", "dpetri.net", or "net". Type the name of the zone, and then click ...
5. Accept the default name for the new zone file. Click Next.
6. To be able to accept dynamic updates to this new zone, click "Allow both nonsecure and secure dynamic updates". Click Next.
7. Click Finish.

You should now make sure your computer can register itself in the new zone. Go to the Command Prompt (CMD) and run "ipconfig /registerdns" (no quotes, duh...). Go back to the DNS console, open the new zone and refresh it (F5). Notice that the computer should by now be listed as an A Record in the right pane.

If it's not there try to reboot (although if it's not there a reboot won't do much good). Check the spelling on your zone and compare it to the suffix you created in step 1. Check your IP settings.

Enable DNS Forwarding for Internet connections (Not ...

1. Start the DNS Management Console.
2. Right click the DNS Server object for your server in the left pane of the console, and click Properties.
3. Click the Forwarders tab.
4. In the IP address box enter the IP address of the DNS servers you want to forward queries to - typically the DNS server of your ISP. You can also move them up or down. The one that is highest in the list gets the first try, and if it does not respond within a given time limit - the query will be forwarded to the next server in the ...
5. Click OK.

Creating a Standard Primary Reverse Lookup Zone

You can (but you don't have to) also create a reverse lookup zone on your DNS server. The zone's name will be the same as your TCP/IP Network ID. For example, if your IP address is 192.168.0.200, then the zone's name will be 192.168.0 (DNS will append a long name to it, don't worry about it). You should also configure the new zone to accept dynamic updates. I guess you can do it on your own by now, can't you?
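The naming rules in this step are easy to get wrong by one character, and Steps 1, 3 and 4 all have to agree. As an added example (not from the original article), the Python below encodes those rules: the legal forward zone names for a domain (the domain itself or any parent suffix, as in the lab.dpetri.net example), the reverse zone name for an IP address and subnet mask, the down-level NetBIOS name Dcpromo proposes, and a cross-check of suffix, zone and domain. Two details come from general DNS/AD knowledge rather than the article: the "long name" the console appends is the standard in-addr.arpa suffix, and the proposed NetBIOS name is the first DNS label upper-cased and cut to 15 characters. The reverse-zone helper assumes an octet-aligned subnet mask like the article's 255.255.255.0.

```python
from ipaddress import ip_network


def legal_forward_zones(ad_domain):
    """Zone names that may hold the records of ad_domain: the domain itself
    and each parent suffix, e.g. lab.dpetri.net -> lab.dpetri.net, dpetri.net, net."""
    labels = ad_domain.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def zone_is_legal(zone, ad_domain):
    """True if the zone name may contain the AD domain's records."""
    return zone.strip(".").lower() in legal_forward_zones(ad_domain)


def default_netbios_name(ad_domain):
    """Down-level name Dcpromo proposes: first DNS label, upper-cased, at most
    15 characters (kuku.co.il -> KUKU).  Behaviour from general AD knowledge;
    the article only shows the one example."""
    return ad_domain.strip(".").split(".")[0].upper()[:15]


def reverse_zone_name(ip, mask):
    """Return (network ID as typed in the DNS console, full zone name).

    The 'long name' the console appends is the standard in-addr.arpa suffix.
    Assumes an octet-aligned mask (/8, /16, /24); classless reverse zones
    are named differently and are out of scope here.
    """
    net = ip_network("%s/%s" % (ip, mask), strict=False)
    octets = str(net.network_address).split(".")
    keep = net.prefixlen // 8          # whole octets that identify the network
    network_id = ".".join(octets[:keep])
    return network_id, ".".join(reversed(octets[:keep])) + ".in-addr.arpa"


def check_names(suffix, zone, dcpromo_domain):
    """Cross-check Step 1 (computer suffix), Step 3 (zone), Step 4 (domain name)."""
    findings = []
    if suffix.strip(".").lower() != dcpromo_domain.strip(".").lower():
        findings.append("computer suffix %r != domain %r" % (suffix, dcpromo_domain))
    if not zone_is_legal(zone, dcpromo_domain):
        findings.append("zone %r can't hold domain %r (legal: %s)"
                        % (zone, dcpromo_domain,
                           ", ".join(legal_forward_zones(dcpromo_domain))))
    return findings


if __name__ == "__main__":
    print(legal_forward_zones("lab.dpetri.net"))
    print(reverse_zone_name("192.168.0.200", "255.255.255.0"))
    print(default_netbios_name("kuku.co.il"))
    print(check_names("kuku.co.il", "kuku.co.il", "kukoo.co.il"))
```

Feed check_names the three strings exactly as you typed them into the three dialogs; the article's own advice is to make them identical, and the zone check only relaxes that to the parent-suffix rule the article states for Step 3.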
Step 4: Running DCPROMO

After completing all the previous steps (remember you didn't have to do them) and after double checking your requirements you should now run Dcpromo.exe from the Run ...

1. Click Start, point to Run and type "dcpromo".
2. The wizard window will appear. Click Next.
3. In the Operating System Compatibility window read the requirements for the domain's clients and if you like what you see - press Next.
4. Choose Domain Controller for a new domain and click Next.
5. Choose Create a new Domain in a new forest and click Next.
6. Enter the full DNS name of the new domain, for example - kuku.co.il - this must be the same as the DNS zone you've created in step 3, and the same as the computer name suffix you've created in step 1. Click Next. This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.
7. Accept the down-level NetBIOS domain name, in this case it's KUKU. Click ...
8. Accept the Database and Log file location dialog box (unless you want to change them of course). The location of the files is by default %systemroot%\NTDS, and you should not change it unless you have performance issues in mind. Click Next.
9. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.
10. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the following warning: This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.
You have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address. To let Dcpromo do the work for you, select "Install and configure the DNS server...". Click Next.
Otherwise, you can accept the default choice and then quit Dcpromo and check steps 1-3.
11. If your DNS settings were right, you'll get a confirmation window. Just click Next.
12. Accept the Permissions compatible only with Windows 2000 or Windows Server 2003 settings, unless you have legacy apps running on Pre-W2K servers.
13. Enter the Restore Mode administrator's password. In Windows Server 2003 this password can be later changed via NTDSUTIL. Click Next.
14. Review your settings and if you like what you see - Click Next.
15. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the wizard finish and then run it again to undo the AD.
16. If all went well you'll see the final confirmation window. Click Finish.
17. You must reboot in order for the AD to function properly.
18. Click Restart now.
Step 5: Checking the AD installation

You should now check to see if the AD installation went well.

1. First, see that the Administrative Tools folder has all the AD management tools.
2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and Containers are there.
3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed.
4. Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist.
(screenshot: Good)
If they don't (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it took you to log on. The "Preparing Network Connections" window will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform them).
(screenshot: Bad)
This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you.
Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see steps 1 through 3).
To try and fix the problems first see if the zone is configured to accept dynamic ...
5. Right-click the zone you created, and then click Properties.
6. On the General tab, under Dynamic Update, click to select "Nonsecure and secure" from the drop-down list, and then click OK to accept the change.
You should now restart the NETLOGON service to force the SRV registration. You can do it from the Services console in Administrative tools:
Or from the command prompt type "net stop netlogon", and after it finishes, type "net start netlogon".
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV record folders.
If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be exactly the same as the AD Domain name. Also check the computer's suffix (see step 1). You won't be able to change the computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off by removing the AD now, before you have any users, groups and other objects in place, and then after repairing the mistake - re-running ...
7. Check the NTDS folder for the presence of the required files.
8. Check the SYSVOL folder for the presence of the required subfolders.
9. Check to see if you have the SYSVOL and NETLOGON shares, and their ...

If all of the above is ok, I think it's safe to say that your AD is properly installed.

If not, read Troubleshooting Dcpromo Errors and re-read steps 1-4 in this article.
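Looking for the SRV record folders in the DNS console is a visual check; the same thing can be verified from the command prompt with "nslookup -type=SRV <name>", which also works from a member computer. As an added example (not from the original article), the Python below parses the text those queries print and confirms that the four SRV names a Windows 2003 DC must register for its domain (LDAP and Kerberos, under the domain and under its _msdcs subdomain; this list and the folder names _msdcs, _sites, _tcp and _udp come from general AD knowledge, the article only says "4 SRV record folders") exist and point at the DC. The sample is a constructed concatenation of several query answers, with the host name dc1 and the addresses made up; it deliberately lacks the two domain-level records so the check has something to report.

```python
import re

# Constructed concatenation of several "nslookup -type=SRV <name>" answers from
# the new DC (not real captured output).  Only the _msdcs names are present, so
# check_srv() reports the two missing domain-level records.
SAMPLE_NSLOOKUP = """\
Server:  dc1.kuku.co.il
Address:  192.168.0.200

_ldap._tcp.dc._msdcs.kuku.co.il SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.kuku.co.il
dc1.kuku.co.il  internet address = 192.168.0.200

_kerberos._tcp.dc._msdcs.kuku.co.il     SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc1.kuku.co.il
dc1.kuku.co.il  internet address = 192.168.0.200
"""

_HEAD = re.compile(r"^(\S+)\s+SRV service location:")
_FIELD = re.compile(r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")


def parse_srv(text):
    """Return a list of {name, priority, weight, port, svr hostname} dicts,
    one per 'SRV service location:' block in nslookup output."""
    records, cur = [], None
    for line in text.splitlines():
        m = _HEAD.match(line)
        if m:
            cur = {"name": m.group(1).lower()}
            records.append(cur)
            continue
        m = _FIELD.match(line)
        if m and cur is not None:
            key, val = m.groups()
            cur[key] = val.lower() if key == "svr hostname" else int(val)
    return records


# SRV names every Windows 2003 DC registers for its domain (LDAP 389, Kerberos 88);
# from general AD knowledge, not listed in the article.  %s is the AD domain.
REQUIRED_SRV = (
    ("_ldap._tcp.dc._msdcs.%s", 389),
    ("_kerberos._tcp.dc._msdcs.%s", 88),
    ("_ldap._tcp.%s", 389),
    ("_kerberos._tcp.%s", 88),
)


def check_srv(records, ad_domain, dc_fqdn):
    """Names from REQUIRED_SRV that are missing, on the wrong port, or that do
    not point at dc_fqdn.  An empty list means the DC advertises itself."""
    dc_fqdn = dc_fqdn.lower()
    problems = []
    for pattern, port in REQUIRED_SRV:
        name = pattern % ad_domain.lower()
        ok = any(r["name"] == name and r.get("port") == port
                 and r.get("svr hostname") == dc_fqdn for r in records)
        if not ok:
            problems.append(name)
    return problems


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_NSLOOKUP)
    for p in check_srv(recs, "kuku.co.il", "dc1.kuku.co.il") or ["all SRV records present"]:
        print(p)
```

If the check lists names right after promotion, do what the article says: confirm the zone accepts dynamic updates, restart NETLOGON ("net stop netlogon", then "net start netlogon"), wait, and query again; a record that still never appears points back to the suffix, zone name or DNS server address from steps 1 through 3.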
