70-240 in 15 minutes a week: Active Directory and DNS - Part 2 Page 3

Installing Active Directory

One of the major improvements of Windows 2000 over Windows NT 4 is that the decision whether a server becomes a domain controller is made independently of the OS installation. As such, turning a member server into a domain controller (or vice-versa) can be done without a complete reinstallation. The tool used to install (or uninstall) Active Directory on a server is the Active Directory Installation Wizard, dcpromo.exe. This section looks at the decisions to be made throughout the wizard.

Before getting started, there are a few important requirements that you need to be aware of, as listed below:

- The system must be running Windows 2000 Server, Advanced Server, or Datacenter Server
- AD installation requires a minimum of 200 MB of disk space for the AD database and 50 MB for the transaction log files. These can be placed on FAT, FAT32, or NTFS partitions, but NTFS is strongly preferred: FAT and FAT32 carry no ACLs, so the directory database (ntds.dit) and its logs would be readable by anyone who can mount the volume
- The server must have at least one NTFS partition to house the SYSVOL folder
- TCP/IP must be installed and configured to use DNS
- Appropriate administrative privileges are required: local Administrators membership on the server for a new forest, Enterprise Admins to add a new domain to an existing forest, and Domain Admins to add a domain controller to an existing domain

The Active Directory Installation Wizard can be used for several different purposes, and you should be aware of them. These include creating a new forest (a new root domain), adding a domain controller to an existing domain, creating a new tree, and creating a new child domain. It is very important to pay attention during the wizard to ensure that you are making the correct choices, especially when creating the root domain of the forest, since a Windows 2000 domain cannot be renamed afterwards. For the purpose of this article, I will cover the installation of a new root domain. You should familiarize yourself with the other options, however.

The wizard begins by asking if you are creating a new domain, or adding a domain controller to an existing domain. The second option is less involved, since the domain will already have been created. 

After choosing to create a new domain, we are presented with the option of creating a new domain tree (as we are going to choose since we are creating a new forest root), or creating a child domain.

After choosing to create a new tree, we must choose whether we wish to create an entirely new forest, or add this tree to an existing forest. Note that creating a new forest creates an entirely new AD structure.

The new domain (in our case the root domain) must be named according to DNS naming conventions. Since I have already created the associated DNS zone, I will not be prompted with any errors, and the wizard will not offer to create the zone for me. (If the wizard cannot find a zone for the domain name that accepts dynamic updates, it offers to install and configure the DNS service on this server instead.) The screen after the domain name asks for the name in NetBIOS format (provided by default and truncated to 15 characters if necessary) for older clients such as Windows 95, 98 and NT, which still rely on NetBIOS for things like logon.

The next decision is with respect to where the AD database and associated log files should be placed. Make note of the fact that for best performance, these should be placed on separate hard disks if possible. By default they are both placed in the %systemroot%\NTDS directory.

The next decision is to choose the location of SYSVOL, the folder that contains files relating to the domain such as Group Policy objects, logon scripts, etc. This must be on an NTFS partition (the default is %systemroot%\SYSVOL), and it will be replicated between domain controllers by the File Replication Service (FRS).

The next step is something you must pay attention to, especially if your environment still has NT 4-based application services in use (RAS, for example). The wizard offers two choices: permissions compatible with pre-Windows 2000 servers, or permissions compatible only with Windows 2000 servers. A remote access server needs to read user properties (such as dial-in permission) from Active Directory, and an NT 4 RAS server does so over a null session, so if the pre-Windows 2000 compatible option is not chosen it will be unable to access the information. Be aware that this loosening of permissions works by adding the Everyone group to the built-in Pre-Windows 2000 Compatible Access group, which lets an anonymous user read user and group information in Active Directory. If you must choose it, plan to remove Everyone from that group once the legacy servers have been retired.

You will also need to choose a password for this server's local Administrator account, used for logging on in Directory Services Restore Mode (from the advanced startup menu). This password is stored in the server's local SAM, independently of the domain Administrator account, so it should be chosen and protected as carefully as any domain credential.

After all of the information has been entered, you are given an opportunity to review what has been selected, and upon confirming, the domain is created. The domain controller installation process can also be automated with an unattended install. The syntax is dcpromo.exe /answer:answerfilename. For a look at the syntax of the dcpromo answer file, check the file unattend.doc in the deploy.cab file found in the \support\tools directory of the Windows 2000 CD.
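As an added illustration (not part of the original article), here is what a dcpromo answer file for the new-forest-root scenario walked through above looks like. The key names follow the [DCInstall] section described in unattend.doc; verify them against your own copy of the file, since only that document is authoritative for your build. The domain name, paths and password are placeholders chosen for this example.

```ini
; Example dcpromo answer file for a new forest root domain (added example).
; Key names are those of the [DCInstall] section in unattend.doc; verify
; against your copy. Domain name, paths and password are placeholders.
[DCInstall]
; New domain (not a replica), new tree, new forest
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
; Database and logs on separate disks where possible
DatabasePath=C:\WINNT\NTDS
LogPath=D:\NTDSLOGS
; SYSVOL must be on an NTFS partition
SYSVOLPath=C:\WINNT\SYSVOL
; No = permissions compatible only with Windows 2000 servers
; (Everyone is not added to Pre-Windows 2000 Compatible Access)
AllowAnonymousAccess=No
; Yes would let the wizard install and configure DNS if the zone is missing
AutoConfigDNS=No
; Directory Services Restore Mode password; stored here in cleartext
SafeModeAdminPassword=Pl@ceholder-DSRM-1
RebootOnSuccess=Yes
```

Run it with dcpromo.exe /answer:C:\dcpromo.txt. Because the file holds the Directory Services Restore Mode password in cleartext, keep it off shared media and delete it once the promotion has completed.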

This article was originally published on May 15, 2001