
Creating the Active Directory

After you have installed Windows Server 2003 on a standalone server, run the Active Directory Wizard to create the new Active Directory forest or domain, and then convert the Windows Server 2003 computer into the first domain controller in the forest. To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps:

1. Insert the Windows Server 2003 CD-ROM into your computer's CD-ROM or DVD-ROM drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click Next.
4. Click Domain controller for a new domain, and then click Next.
5. Click Domain in a new forest, and then click Next.
6. Specify the full DNS name for the new domain. Note that because this procedure is for a laboratory environment and you are not integrating this environment into your existing DNS infrastructure, you can use something generic, such as mycompany.local, for this setting. Click Next.
7. Accept the default domain NetBIOS name (this is "mycompany" if you used the suggestion in step 6). Click Next.
8. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
9. Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
10. Click Install and configure the DNS server on this computer, and then click Next.
11. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.
12. Because this is a laboratory environment, leave the password for the Directory Services Restore Mode Administrator blank. Note that in a full production environment, this password is set by using a secure password format. Click Next.
13. Review and confirm the options that you selected, and then click Next.
14. The installation of Active Directory proceeds. Note that this operation may take several minutes.
15. When you are prompted, restart the computer. After the computer restarts, confirm that the Domain Name System (DNS) service location records for the new domain controller have been created. To confirm that the DNS service location records have been created, follow these steps:
    a. Click Start, point to Administrative Tools, and then click DNS to start the DNS Administrator Console.
    b. Expand the server name, expand Forward Lookup Zones, and then expand the domain.
    c. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These folders and the service location records they contain are critical to Active Directory and Windows Server 2003 operations.
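The folder check in step 15 can also be done against a text listing of the zone. The following is an added example, not part of the original article: it compares zone-file style SRV lines (the layout used in a domain controller's netlogon.dns file) with a core subset of the locator records expected under each of the four folders. The host name dc1, the sample listing and the function names are assumptions made for the illustration.

```python
# Added example, not from the original article; names and sample data are constructed.
import re

SRV_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$", re.I)

def expected_srv(domain, site="Default-First-Site-Name"):
    """Core subset of locator SRV owner names, grouped by DNS console folder."""
    d, s = domain.lower().rstrip("."), site.lower()
    return {
        "_msdcs": [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
                   f"_ldap._tcp.pdc._msdcs.{d}", f"_ldap._tcp.gc._msdcs.{d}"],
        "_sites": [f"_ldap._tcp.{s}._sites.{d}", f"_kerberos._tcp.{s}._sites.{d}"],
        "_tcp": [f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}",
                 f"_kpasswd._tcp.{d}", f"_gc._tcp.{d}"],
        "_udp": [f"_kerberos._udp.{d}", f"_kpasswd._udp.{d}"],
    }

def parse_srv(text):
    """Return {owner: [(port, target), ...]} from zone-file style SRV lines."""
    found = {}
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            owner = m.group(1).lower().rstrip(".")
            found.setdefault(owner, []).append((int(m.group(2)), m.group(3).lower().rstrip(".")))
    return found

def missing_records(text, domain, site="Default-First-Site-Name"):
    """Return {folder: [missing owner names]}; an empty dict means all were found."""
    found = parse_srv(text)
    gaps = {f: [n for n in names if n not in found]
            for f, names in expected_srv(domain, site).items()}
    return {f: absent for f, absent in gaps.items() if absent}

# Constructed listing: the _udp, PDC and site Kerberos records are absent on purpose.
SAMPLE = """\
_ldap._tcp.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
_kerberos._tcp.mycompany.local. 600 IN SRV 0 100 88 dc1.mycompany.local.
_kpasswd._tcp.mycompany.local. 600 IN SRV 0 100 464 dc1.mycompany.local.
_gc._tcp.mycompany.local. 600 IN SRV 0 100 3268 dc1.mycompany.local.
_ldap._tcp.dc._msdcs.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
_kerberos._tcp.dc._msdcs.mycompany.local. 600 IN SRV 0 100 88 dc1.mycompany.local.
_ldap._tcp.gc._msdcs.mycompany.local. 600 IN SRV 0 100 3268 dc1.mycompany.local.
_ldap._tcp.Default-First-Site-Name._sites.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
"""

if __name__ == "__main__":
    for folder, names in missing_records(SAMPLE, "mycompany.local").items():
        print(folder, "missing:", ", ".join(names))
```

An empty result means every record in the subset was found; any folder that is listed points to a registration gap to resolve before adding users or computers.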

Adding Users and Computers to the Active Directory Domain

After the new Active Directory domain is established, create a user account in that domain to use as an administrative account. When that user is added to the appropriate security groups, use that account to add computers to the domain.

1. To create a new user, follow these steps:
   a. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.
   b. Click the domain name that you created, and then expand the contents.
   c. Right-click Users, point to New, and then click User.
   d. Type the first name, last name, and user logon name of the new user, and then click Next.
   e. Type a new password, confirm the password, and then click to select one of the following check boxes:
      - Users must change password at next logon (recommended for most users)
      - User cannot change password
      - Password never expires
      - Account is disabled
      Click Next.
   f. Review the information that you provided, and if everything is correct, click Finish.

After you create the new user, give this user account membership in a group that permits that user to perform administrative tasks. Because this is a laboratory environment that you are in control of, you can give this user account full administrative access by making it a member of the Schema, Enterprise, and Domain administrators groups. To add the account to the Schema, Enterprise, and Domain administrators groups, follow these steps:

a. On the Active Directory Users and Computers console, right-click the new account that you created, and then click Properties.
b. Click the Member Of tab, and then click Add.
c. In the Select Groups dialog box, specify a group, and then click OK to add the groups that you want to the list.
d. Repeat the selection process for each group in which the user needs account membership.
e. Click OK to finish.

The final step in this process is to add a member server to the domain. This process also applies to workstations. To add a computer to the domain, follow these steps:

a. Log on to the computer that you want to add to the domain.
b. Right-click My Computer, and then click Properties.
c. Click the Computer Name tab, and then click Change.
d. In the Computer Name Changes dialog box, click Domain under Member Of, and then type the domain name. Click OK.
e. When you are prompted, type the user name and password of the account that you previously created, and then click OK. A message that welcomes you to the domain is generated.
f. Click OK to return to the Computer Name tab, and then click OK to finish.
g. Restart the computer if you are prompted to do so.

Troubleshooting

You Cannot Open the Active Directory Snap-ins

After you have completed the installation of Active Directory, you may not be able to start the Active Directory Users and Computers snap-in, and you may receive an error message that indicates that no authority can be contacted for authentication. This can occur if DNS is not correctly configured. To resolve this issue, verify that the zones on your DNS server are configured correctly and that your DNS server has authority for the zone that contains the Active Directory domain name. If the zones appear to be correct and the server has authority for the domain, try to start the Active Directory Users and Computers snap-in again. If you receive the same error message, use the DCPROMO utility to remove Active Directory, restart the computer, and then reinstall Active Directory.
