Note that the domain controller will register a variety of service records in DNS. These should be verified, either by viewing them with the DNS tool or by doing an Nslookup query for SRV records as described earlier. It is also worth checking for the existence of the appropriate files in the NTDS directory (as shown below), reviewing the log files in event viewer, and ensuring the existence of the SYSVOL directory.
Note that NTDS.dit is the actual AD database, while the
edb.* files are the transaction logs and checkpoint files. The
res*.log files are reserved log files, used for transaction logging should the server run out of disk space.
The installed domain controller will add a computer object to the domain controllers OU for the domain. It will also add a server object to the appropriate site (depending on what has been created) in Active Directory Sites and Services, based on its subnet address. By default the first domain controller in a new forest will be created in a site called Default-First-Site-Name (literally), and can be moved once you create other sites (discussed later in the series).
A new domain controller holds all three partitions of Active Directory – domain (domain object information), configuration (information about sites and services), and schema (definition of all object and attribute classes). If this is the first domain controller in a forest, it will also be a global catalog server, holding the global catalog partition (all objects in the forest and a subset of attributes) as well.
Note that the first domain controller in the root domain will house all operations master roles:
Domain Naming Master
By the same token, the first domain controller in each new domain will hold the following three roles:
Of course, these roles can be changes to other domain controllers, and often should based on resource usage. As a rule, you should ensure that the Infrastructure Master is not a global catalog server, since this will impact the validity of user-to-group references.
Something else that you should note is that after installing the first domain controller in a domain, the domain will still be in Mixed Mode. Mixed Mode exists for the purpose of backwards compatibility with NT 4 BDCs. However, even if you are installing a new domain from scratch, it will be installed in Mixed Mode. In order to realize many of the benefits of Active Directory, including the ability to
nest groups, use universal groups, and have the SID history attribute saved, you will need to be in Native Mode. This change is made on a domain-by-domain basis, not once for the whole forest as many people mistakenly think. To change a domain from Mixed Mode to Native Mode, use Active Directory Users and Computers (or Active Directory Domains and Trusts) by choosing the domain properties.
Note that the change from Mixed Mode to Native Mode is a one-way process and cannot be reversed.
Active Directory Troubleshooting
A few notes with respect to troubleshooting Active Directory installation problems:
1. There must be sufficient disk space to install Active Directory as outlined above. If you receive an error message stating there is not enough space, you will need to delete files to create space, or create an additional volume. Be sure that there is also an NTFS partition available, and use the convert.exe command on an existing FAT partition if necessary.
2. When creating a new domain, you will need to ensure that the DNS and Netbios names of the domain are unique. If they are not, the creation cannot proceed.
3. You must have the correct privileges to install a domain controller. To create a new forest, you will only need to be a local administrator. By default, to add a child domain to an existing forest (or any new domain), you must be a member of Enterprise Admins. To create a new domain controller in an existing domain, you must be a member of Domain Admins.
4. If you get a domain not found error when adding a domain controller to an existing domain, be sure that at least one domain controller is available and that it has properly registered its SRV records in DNS.
5. In order to remove the last domain controller in a domain, you must be a member of the Domain Admins group for that domain. The last domain controller in the root domain cannot be removed if child domains still exist.
That’s it for another week. Next week we’ll continue in the Active Directory portion of the series with a look at User and Group Administration. Thanks again to all who have contacted me with words of support for the series, I’m glad that you are finding it useful. As always, feel free to contact me with questions and comments, although please note that all technical questions must be posted to my
board, for the benefit of everyone. Until next week, best of luck with your studies.