The Ultimate Windows Server 1002003 System Administrators Guide [Electronic resources] نسخه متنی

INSTALLING THE ACTIVE DIRECTORY

The installation of Active Directory services is remarkably straightforward. The Active Directory Installation Wizard leads the system administrator through a series of decision points. Whether you are promoting an existing Windows NT PDC or Windows 2000 domain controller to Windows Server 2003 with the Active Directory or creating a new domain tree, the process is largely the same. Always begin with the server that is the root. Once the first Windows Server 2003 with Active Directory is running, all other domains in the tree are treated as its children.

NOTEWhen upgrading a domain from Windows NT 4.0 or Windows 2000, it is necessary to update the schema. To do so, update the forest first by invoking the adprep command against /forestprep. Then update the domain using adprep against /domainprep. During the installation process, you will be prompted to perform these tasks before an upgrade to Windows Server 2003 will be successful.

A major prerequisite is that DNS be installed with Windows Server 2003 or an existing DNS server be designed prior to the completion of the Active Directory installation. Because of this dependence on DNS, this installation section will walk through the following:

Use of the Active Directory Installation Wizard to create a new domain and in so doing create the first domain tree.

Installation of Microsoft's DNS to support the Active Directory. A third-party DNS server can also be used, providing it supports service resource records (SRV) and dynamic DNS update functionality.

Other dependencies must also be addressed prior to installation. The computer must have an installed version of Windows Server 2003. The NTFS partition or volume must be sufficiently large to accommodate Active Directory requirements. Correct system date, time, and zones should be set. Finally, TCP/IP should be installed. DNS can be preconfigured or installed with the Active Directory; it is required for the Active Directory to function.

Before installing the Active Directory, it is important to understand the process. Two primary sets of files are created: the directory store and log files, are located in %systemroot\Ntds; and a Shared System Volume, located in %systemroot\Sysvol, which contains scripts and some group policy objects for the enterprise.

NOTEDuring the Active Directory installation you will be asked if you want to configure the server for an additional specialized function. We recommend that you return to this task after you have created a stable Windows Server Active Directory environment.

Active Directory Installation Wizard

The Active Directory is installed by following the steps outlined below. The wizard provides a series of options from which the system administrator must make educated and informed selections.

If this is the first system to be configured with Windows Server 2003 and the Active Directory, it will become the root domain controller. During installation of Windows 2000/Server 2003, you will have been prompted to determine whether this is a standalone server or part of a network.

If this system is being installed in an existing Windows Server domain or if it is being configured as a child domain, the Active Directory installation process will automatically make the appropriate connections and establish initial default trust relationships. The same process occurs when promoting a Windows NT PDC or BDC to the status of Active Directory domain controllers. Replicas of the Active Directory are then installed on the new domain controller.

ACTIVE DIRECTORY INSTALLATION EXAMPLE

The example of an installation here is based on the first domain controller to be promoted. The creation of child domains and forests is covered in subsequent sections and merely involves a decision to join an existing tree or forest; otherwise, the steps are generally the same.

The following steps should be observed when installing the Active Directory:

Launch the Active Directory Installation Wizard (Figure 6.1) by invoking the command prompt dcpromo.exe ENTER. (Alternatively, the Configure Your System dialog is launched as part of the logon process, or it is available via Start Administrative Tools Configure Your Server move through menu until the Server Role screen appears select Domain Controller (Active Directory) Install.

The text in the first wizard screen is very explicit, stating that the installation of Active Directory services will make the server a domain controller. While you may repeat this process with other servers, this first domain controller becomes the forest root as well as the root of the first tree in the forest.

Click Next to continue.

The next dialog box provides the choice of making this a controller for a new domain or adding it to an existing domain (Figure 6.2). Since this example assumes a new domain, select the first option and click Next. This option also creates a new child domain or domain tree. The second option is used only to create additional domain controllers in the same domain.

Click Next to continue.

At this stage you must be able to clearly see the forest for the trees. Therefore, in this example, in the list following Create a new, select Domain in a new forest, as shown in Figure 6.3. The first domain controller is automatically the root domain, tree, and forest. The second option in this dialog box is selected only if you are creating a new tree that is to have a trust relationship with a preexisting domain forest, and/or providing users in an existing forest access to the new domain. Click Next to continue.

The next dialog box identifies your NetBIOS name, which is used by Windows clients that employ WINS to resolve system names. In this case, the ENTCERT NetBIOS name was automatically inserted. Note that if your domain name is longer than 15 characters, it will be truncated to the maximum length for NetBIOS names. Click Next to continue.

The next dialog box allows you to select the location of the Active Directory database and log. The default location for the database and log in which Windows Server 2003 is installed in \WINNT is %systemroot%\ \NTDS. Ordinarily, the default location is recommended. Click Next to continue.

The next dialog box gives you the opportunity to select the location of the Shared System Volume, which stores all the shared information that is replicated between domain controllers. The default is %systemroot% \SYSVOL. If you choose to accept this, click Next to continue.

The next wizard screen provides a way to change the permissions associated with the RAS Server. Unless you have a specific reason to make changes at this time, click No. Click Next to continue.

You will then be presented a set of wizard screens to set permissions levels and establish administrative passwords. Insert the response appropriate to your installation. The Active Directory Review Setting page should now appear. Take a moment to review this information. If anything is incorrect, use the Back button to return to the screen that requires a change and make the appropriate modifications. If everything appears correct, click Next to continue.

Active Directory is now being configured on your system, which can take a few minutes. The final wizard screen in the basic installation process should then appear. Click Finish. You will see the prompt to Restart the computer. Select this option now if you have already configured DNS; but if you have not, proceed to DNS installation. The Active Directory cannot be configured without DNS.

The Active Directory Installation Wizard should automatically take you to the Configure DNS screen (Figure 6.5). Click Yes, then click Next to continue. (If you select N or if you want to configure DNS prior to installing the Active Directory, select Start Administrative Tools Configure Your Server Networking DNS Install.)

For complete instructions on configuring the TCP/IP network with DNS, please turn to Chapter 12.

You will then be presented a set of wizard screens to set permissions levels and establish administrative passwords.

NOTEWindows Server 2003 offers an alternative approach to DC promotion. We recommend that this function be used only when the production-level Active Directory is stable and applies to downlevel domain controllers. This feature enables faster creation of replica DCs of a preexisting domain. Instead of replicating a complete copy of the database over the network, an administrator can initially source the new DC with an initial replication from files created when backing up an existing DC or Global Catalog server. To achieve this type of promotion, run the Active Directory Installation Wizard in Advanced Mode or from the command line, type promo.exe/adv.

INSTALLATION OF DIFFERENT STRUCTURES

The example just completed assumed that the installation was being carried out on the first domain Active Directory. There are some variations when creating additional domain controllers, child domains, and trees within an existing forest (Figure 6.6). These are described in the following sections.

Adding Domain Controllers to Existing Domains

After the domain is created, domain controllers can be added by running dcpromo.exe from the new Windows Server. The Active Directory Installation Wizard will prompt you to determine the domain controller type. Select Additional domain controller for an existing domain. You will need to specify the user name, password, and domain name of a user account that has rights to create domain controllers. The DNS name for the domain must also be provided. Finally, you will need to establish where database and log files, together with the Shared System Volume, are to be located. Generally, the default location will be used. All other installation questions will be the same as in the walk-through example.

Creating a Child Domain

The creation of a child domain also involves executing dcpromo.exe from the new Windows Server 2003 or installing Active Directory directly. The Active Directory Installation Wizard will prompt you to determine the domain controller type. Select Domain controller for a new domain. In the next screen, which allows you to create trees or child domains, select Child domain in an existing domain tree. You will need to specify the user name, password, and domain name of a user account in the Enterprise Admins group that has rights to create domains. You will also need to supply the parent's DNS name and the name of the new child domain. Remember that the child name is added to the front of the parent DNS name, separated by a period. Also specified here is the NetBIOS name for the new domain. After the root domain has been created, child domains can be logically added. As before, you will need to establish where database and log files, together with the Shared System Volume, will reside. Generally, the default location will be used.

Finally, you will need to determine whether to weaken permissions in order to provide Windows NT 4.0 RAS access. This is generally not recommended unless you plan to continue using Windows NT for a substantial period. All other installation questions will be the same as in the walk-through example.

Creating a Tree in an Existing Forest

Once the root domain tree is created, it is possible to add a tree to the forest by running dcpromo.exe from the new Windows Server. The Active Directory Installation Wizard will prompt you to determine the domain controller type. Select Domain controller for a new domain. In the next screen, where you can create trees or child domains, select Create a new domain tree. From the next screen, select Place this new domain tree in an existing forest. You will need to specify the username, password, and domain name of a user account in the Enterprise Admins group that has rights to create domains. You will also need to supply the new tree's DNS name and specify the NetBIOS name for the new domain. After the root domain has been created, child domains can logically be added.

You will need to establish where database and log files, together with the Shared System Volume, are to be locatedgenerally, the default location will be used. Finally, you will need to determine whether to weaken permissions in order to provide Windows NT 4.0 RAS access. This is generally not recommended unless you plan on using Windows NT for a substantial period. All other installation questions will be the same as in the walk-through example.