by Daniel Petri - January 8, 2009

First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a computer that's not connected to a LAN).

Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in a NEW FOREST. Meaning - don't do it for any other scenario, such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain follow the Windows 2003 ADPrep tip.

Windows 2000 Note: If you plan to install a new Windows 2000 DC please read How to Install Active Directory on Windows 2000.

Windows 2008 Note: Install Active Directory on Windows Server 2008 provides complete instruction details for working with Windows Server 2008.

Windows Server 2003 Note: If you plan to install a new Windows Server 2003 DC in an existing AD forest please read the page BEFORE you go on, otherwise you'll end up with the following error:

Here is a quick list of what you must have:

- An NTFS partition with enough free space
- An Administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A Domain name that you want to use
- The Windows Server 2003 CD media (or at least the i386 folder)
- Brains (recommended, not required...)

This article assumes that all of the above requirements are fulfilled.

Step 1: Configure the computer's suffix

(Not mandatory, can be done via the Dcpromo process).

1. Right click My Computer and choose Properties.
2. Click the Computer Name tab, then Change.
3. Set the computer's NetBIOS name. In Windows Server 2003, this CAN be changed after the computer has been promoted to Domain Controller.
4. Click More.
5. In the Primary DNS suffix of this computer box enter the would-be domain name. Make sure you got it right. No spelling mistakes, no "oh, I thought I did it right...". Although the domain name CAN be changed after the computer has been promoted to Domain Controller, this is not a procedure that one should consider lightly, especially because of the possible consequences. Read more about it on my Windows 2003 Domain Rename Tool page.
6. Click Ok.
7. You'll get a warning window.
8. Click Ok.
9. Check your settings. See if they're correct.
10. Click Ok.
11. You'll get a warning window.
12. Click Ok to restart.

Step 2: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use its own IP address as the address of the DNS server, so it will point to itself when registering SRV records and when querying the DNS database.

Configure TCP/IP

1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.
4. Click Internet Protocol (TCP/IP), and then click Properties.
5. Assign this server a static IP address, subnet mask, and gateway address. Enter the server's IP address in the Preferred DNS server box.
   Note: This is true if the server itself will also be its own DNS server. If you have another operational Windows 2000/2003 server that is properly configured as your DNS server (read my Create a New DNS Server for AD page) - enter that server's IP address instead.
6. Click Advanced.
7. Click the DNS Tab.
8. Select "Append primary and connection specific DNS suffixes".
9. Check "Append parent suffixes of the primary DNS suffix".
10. Check "Register this connection's addresses in DNS". If this Windows 2000/2003-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.
11. Click OK to close the Advanced TCP/IP Settings properties.
12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connections properties.

Step 3: Configure the DNS Zone

(Not mandatory, can be done via the Dcpromo process).

This article assumes that you already have the DNS service installed. If this is not the case, please read Create a New DNS Server for AD.

Furthermore, it is assumed that the DC will also be its own DNS server. If that is not the case, you MUST configure another Windows 2000/2003 server as the DNS server, and if you try to run DCPROMO without doing so, you'll end up with errors and the process will fail.

Creating a Standard Primary Forward Lookup Zone

1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS Manager. You see two zones under your computer name: Forward Lookup Zone and Reverse Lookup Zone.
2. Right click Forward Lookup Zones and choose to add a new zone.
3. Click Next. The new forward lookup zone must be a primary zone so that it can accept dynamic updates. Click Primary, and then click Next.
4. The name of the zone must be the same as the name of the Active Directory domain, or be a logical DNS container for that name. For example, if the Active Directory domain is named "lab.dpetri.net", legal zone names are "lab.dpetri.net", "dpetri.net", or "net". Type the name of the zone, and then click Next.
5. Accept the default name for the new zone file. Click Next.
6. To be able to accept dynamic updates to this new zone, click "Allow both nonsecure and secure dynamic updates". Click Next.
7. Click Finish.

You should now make sure your computer can register itself in the new zone. Go to the Command Prompt (CMD) and run "ipconfig /registerdns" (no quotes, duh...). Go back to the DNS console, open the new zone and refresh it (F5). Notice that the computer should by now be listed as an A Record in the right pane.

If it's not there try to reboot (although if it's not there a reboot won't do much good). Check the spelling on your zone and compare it to the suffix you created in step 1. Check your IP settings.

Enable DNS Forwarding for Internet connections (Not mandatory)

1. Start the DNS Management Console.
2. Right click the DNS Server object for your server in the left pane of the console, and click Properties.
3. Click the Forwarders tab.
4. In the IP address box enter the IP address of the DNS servers you want to forward queries to - typically the DNS server of your ISP. You can also move them up or down. The one that is highest in the list gets the first try, and if it does not respond within a given time limit - the query will be forwarded to the next server in the list.
5. Click OK.

Creating a Standard Primary Reverse Lookup Zone

You can (but you don't have to) also create a reverse lookup zone on your DNS server. The zone's name will be the same as your TCP/IP Network ID. For example, if your IP address is 192.168.0.200, then the zone's name will be 192.168.0 (DNS will append a long name to it, don't worry about it). You should also configure the new zone to accept dynamic updates. I guess you can do it on your own by now, can't you?

Step 4: Running DCPROMO

After completing all the previous steps (remember you didn't have to do them) and after double checking your requirements you should now run Dcpromo.exe from the Run command.

1. Click Start, point to Run and type "dcpromo".
2. The wizard window will appear. Click Next.
3. In the Operating System Compatibility window read the requirements for the domain's clients and if you like what you see - press Next.
4. Choose Domain Controller for a new domain and click Next.
5. Choose Create a new Domain in a new forest and click Next.
6. Enter the full DNS name of the new domain, for example - kuku.co.il - this must be the same as the DNS zone you've created in step 3, and the same as the computer name suffix you've created in step 1. Click Next. This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.
7. Accept the down-level NetBIOS domain name, in this case it's KUKU. Click Next.
8. Accept the Database and Log file location dialog box (unless you want to change them of course). The location of the files is by default %systemroot%\NTDS, and you should not change it unless you have performance issues in mind. Click Next.
9. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.
10. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the following warning:
    This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.
    You have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address.
    To let Dcpromo do the work for you, select "Install and configure the DNS server...". Click Next.
    Otherwise, you can accept the default choice and then quit Dcpromo and check steps 1-3.
11. If your DNS settings were right, you'll get a confirmation window. Just click Next.
12. Accept the Permissions compatible only with Windows 2000 or Windows Server 2003 settings, unless you have legacy apps running on Pre-W2K servers.
13. Enter the Restore Mode administrator's password. In Windows Server 2003 this password can be later changed via NTDSUTIL. Click Next.
14. Review your settings and if you like what you see - Click Next.
15. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the wizard finish and then run it again to undo the AD.
16. If all went well you'll see the final confirmation window. Click Finish.
17. You must reboot in order for the AD to function properly.
18. Click Restart now.

Step 5: Checking the AD installation

You should now check to see if the AD installation went well.

1. First, see that the Administrative Tools folder has all the AD management tools installed.
2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and Containers are there.
3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed.
4. Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist. [Screenshot: Good]
   If they don't (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it took you to log on. The "Preparing Network Connections" window will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform them). [Screenshot: Bad]
   This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you. Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see steps 1 through 3).
   To try and fix the problems first see if the zone is configured to accept dynamic updates.
5. Right-click the zone you created, and then click Properties.
6. On the General tab, under Dynamic Update, click to select "Nonsecure and secure" from the drop-down list, and then click OK to accept the change.
   You should now restart the NETLOGON service to force the SRV registration.
   You can do it from the Services console in Administrative Tools, or from the command prompt: type "net stop netlogon", and after it finishes, type "net start netlogon".
   Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV record folders.
   If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be exactly the same as the AD Domain name. Also check the computer's suffix (see step 1). You won't be able to change the computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off by removing the AD now, before you have any users, groups and other objects in place, and then after repairing the mistake - re-running DCPROMO.
7. Check the NTDS folder for the presence of the required files.
8. Check the SYSVOL folder for the presence of the required subfolders.
9. Check to see if you have the SYSVOL and NETLOGON shares, and their location.

If all of the above is ok, I think it's safe to say that your AD is properly installed. If not, read Troubleshooting Dcpromo Errors and re-read steps 1-4 in this article.
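The SRV check at the end of the article can also be done without the DNS console. The following is an added example, not code from the original article: it reads the record list that Netlogon writes to %SystemRoot%\System32\Config\netlogon.dns and reports which of the four SRV folders (_msdcs, _sites, _tcp, _udp) would exist under the zone name you typed, and which records fall outside that zone because of a spelling mismatch. The sample input is constructed from the article's example domain and IP address, and the host name dc1 is an assumption.

```python
import re

# Constructed sample in the layout of %SystemRoot%\System32\Config\netlogon.dns,
# the file where Netlogon lists the records it registers. Domain, site and IP
# are the article's examples; the host name "dc1" is made up for illustration.
SAMPLE = """\
lab.dpetri.net. 600 IN A 192.168.0.200
_ldap._tcp.lab.dpetri.net. 600 IN SRV 0 100 389 dc1.lab.dpetri.net.
_ldap._tcp.Default-First-Site-Name._sites.lab.dpetri.net. 600 IN SRV 0 100 389 dc1.lab.dpetri.net.
_ldap._tcp.dc._msdcs.lab.dpetri.net. 600 IN SRV 0 100 389 dc1.lab.dpetri.net.
_kerberos._tcp.lab.dpetri.net. 600 IN SRV 0 100 88 dc1.lab.dpetri.net.
_kerberos._udp.lab.dpetri.net. 600 IN SRV 0 100 88 dc1.lab.dpetri.net.
"""

FOLDERS = ("_msdcs", "_sites", "_tcp", "_udp")  # the four SRV folders in the DNS console
SRV_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$", re.I)


def parse_srv(text):
    """Return (owner, port, target) for each SRV line; A/CNAME lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records


def check_zone(text, zone):
    """Compare Netlogon's SRV records with the DNS zone name typed in step 3."""
    suffix = "." + zone.lower().rstrip(".")
    found = {folder: 0 for folder in FOLDERS}
    outside = []  # owners that cannot live in this zone, e.g. after a typo
    for owner, _port, _target in parse_srv(text):
        name = owner.lower().rstrip(".")
        if not name.endswith(suffix):
            outside.append(owner)
            continue
        # The console folder is the label directly under the zone name.
        folder = name[: -len(suffix)].split(".")[-1]
        if folder in found:
            found[folder] += 1
    missing = [folder for folder in FOLDERS if found[folder] == 0]
    return {"found": found, "missing": missing, "outside_zone": outside}


if __name__ == "__main__":
    for zone in ("lab.dpetri.net", "lab.dpetry.net"):  # second name is a deliberate typo
        report = check_zone(SAMPLE, zone)
        print(zone, "missing:", report["missing"], "outside:", len(report["outside_zone"]))
```

A non-empty outside_zone list means the zone name and the computer's DNS suffix disagree, which is the spelling mistake the article tells you to look for before re-running DCPROMO.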