INSTALLING THE ACTIVE DIRECTORY
The installation of Active Directory services is remarkably straightforward. The Active Directory Installation Wizard leads the system administrator through a series of decision points. Whether you are promoting an existing Windows NT PDC or Windows 2000 domain controller to Windows Server 2003 with the Active Directory or creating a new domain tree, the process is largely the same. Always begin with the server that is the root. Once the first Windows Server 2003 with Active Directory is running, all other domains in the tree are treated as its children.

NOTE
When upgrading a domain from Windows NT 4.0 or Windows 2000, it is necessary to update the schema. To do so, update the forest first by running adprep /forestprep. Then update the domain by running adprep /domainprep. During the installation process, you will be prompted to perform these tasks before an upgrade to Windows Server 2003 will succeed.

A major prerequisite is that DNS be installed with Windows Server 2003 or that an existing DNS server be designated prior to the completion of the Active Directory installation. Because of this dependence on DNS, this installation section will walk through the following:
Use of the Active Directory Installation Wizard to create a new domain and in so doing create the first domain tree.
Installation of Microsoft's DNS to support the Active Directory. A third-party DNS server can also be used, providing it supports service resource records (SRV) and dynamic DNS update functionality.
Other dependencies must also be addressed prior to installation. The computer must have an installed version of Windows Server 2003. The NTFS partition or volume must be sufficiently large to accommodate Active Directory requirements. The correct system date, time, and time zone should be set. Finally, TCP/IP should be installed. DNS can be preconfigured or installed with the Active Directory; it is required for the Active Directory to function.

Before installing the Active Directory, it is important to understand the process. Two primary sets of files are created: the directory store and log files, located in %systemroot%\Ntds, and a Shared System Volume, located in %systemroot%\Sysvol, which contains scripts and some group policy objects for the enterprise.

NOTE
During the Active Directory installation you will be asked if you want to configure the server for an additional specialized function. We recommend that you return to this task after you have created a stable Windows Server Active Directory environment.
Active Directory Installation Wizard
The Active Directory is installed by following the steps outlined below. The wizard provides a series of options from which the system administrator must make educated and informed selections.

If this is the first system to be configured with Windows Server 2003 and the Active Directory, it will become the root domain controller. During installation of Windows 2000/Server 2003, you will have been prompted to determine whether this is a standalone server or part of a network.

If this system is being installed in an existing Windows Server domain or if it is being configured as a child domain, the Active Directory installation process will automatically make the appropriate connections and establish initial default trust relationships. The same process occurs when promoting a Windows NT PDC or BDC to the status of Active Directory domain controller. Replicas of the Active Directory are then installed on the new domain controller.
ACTIVE DIRECTORY INSTALLATION EXAMPLE
The example of an installation here is based on the first domain controller to be promoted. The creation of child domains and forests is covered in subsequent sections and merely involves a decision to join an existing tree or forest; otherwise, the steps are generally the same.

The following steps should be observed when installing the Active Directory:
Launch the Active Directory Installation Wizard (Figure 6.1) by typing dcpromo.exe at the command prompt and pressing ENTER. (Alternatively, the Configure Your Server dialog is launched as part of the logon process, or it is available via Start > Administrative Tools > Configure Your Server; move through the menus until the Server Role screen appears, then select Domain Controller (Active Directory) and click Install.)
Figure 6.1. The Active Directory Installation Wizard
The text in the first wizard screen is very explicit, stating that the installation of Active Directory services will make the server a domain controller. While you may repeat this process with other servers, this first domain controller becomes the forest root as well as the root of the first tree in the forest. Click Next to continue.

The next dialog box provides the choice of making this a controller for a new domain or adding it to an existing domain (Figure 6.2). Since this example assumes a new domain, select the first option and click Next. This option also creates a new child domain or domain tree. The second option is used only to create additional domain controllers in the same domain.
Figure 6.2. Defining Domain Controller Type
Click Next to continue. At this stage you must be able to clearly see the forest for the trees. Therefore, in this example, in the list following Create a new, select Domain in a new forest, as shown in Figure 6.3. The first domain controller is automatically the root domain, tree, and forest. The second option in this dialog box is selected only if you are creating a new tree that is to have a trust relationship with a preexisting domain forest, and/or providing users in an existing forest access to the new domain. Click Next to continue.
Figure 6.3. Joining or Creating a Forest
Chapters 5 and 14 before completing this step.) In the text box shown in Figure 6.4, type the full name of the domain; in our example, the user typed EntCert.com. Click Next to continue.
Figure 6.4. Designating the Name of the Domains
The Active Directory Installation Wizard should automatically take you to the Configure DNS screen (Figure 6.5). Click Yes, then click Next to continue. (If you select No, or if you want to configure DNS prior to installing the Active Directory, select Start > Administrative Tools > Configure Your Server > Networking > DNS > Install.)
Figure 6.5. Configuring DNS
For complete instructions on configuring the TCP/IP network with DNS, please turn to Chapter 12.

You will then be presented with a set of wizard screens to set permission levels and establish administrative passwords.

NOTE
Windows Server 2003 offers an alternative approach to DC promotion. We recommend that this function be used only when the production-level Active Directory is stable; it applies to downlevel domain controllers. This feature enables faster creation of replica DCs of a preexisting domain. Instead of replicating a complete copy of the database over the network, an administrator can initially source the new DC from files created when backing up an existing DC or Global Catalog server. To achieve this type of promotion, run the Active Directory Installation Wizard in Advanced Mode, or from the command line, type dcpromo.exe /adv.
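The walk-through above ends with the wizard completing, but a defender will want to confirm that the promotion actually produced what the section describes: the Ntds and Sysvol file sets, the shares clients depend on, and the SRV records that DNS must hold. The batch file below is an added example, not from the book or from Microsoft; it assumes it is run at a command prompt on the new domain controller, that the Windows Server 2003 Support Tools (dcdiag, netdiag) are installed, and it reuses the book's example domain name EntCert.com, which you would replace with your own.

```batch
@echo off
rem Added example (not from the book): post-promotion checks for a new
rem Windows Server 2003 domain controller. Run on the DC itself.
setlocal
set DOMAIN=EntCert.com
set NTDS=%SystemRoot%\Ntds
set SYSVOL=%SystemRoot%\Sysvol
set FAIL=

rem 1. The directory store and the domain's Sysvol tree should exist where
rem    the wizard placed them (default paths from the text).
if not exist "%NTDS%\ntds.dit" (echo MISSING: %NTDS%\ntds.dit & set FAIL=1)
if not exist "%SYSVOL%\sysvol\%DOMAIN%" (echo MISSING: %SYSVOL%\sysvol\%DOMAIN% & set FAIL=1)

rem 2. SYSVOL and NETLOGON must be shared, or clients cannot pull scripts
rem    and group policy from this controller.
net share | findstr /i /b "SYSVOL" >nul || (echo MISSING: SYSVOL share & set FAIL=1)
net share | findstr /i /b "NETLOGON" >nul || (echo MISSING: NETLOGON share & set FAIL=1)

rem 3. The DC registers its SRV records through dynamic DNS update. If they
rem    are absent, no client or other DC can locate this controller.
for %%R in (_ldap._tcp.dc._msdcs.%DOMAIN% _kerberos._tcp.dc._msdcs.%DOMAIN%) do (
  nslookup -type=SRV %%R 2>nul | findstr /i /c:"svr hostname" >nul || (
    echo MISSING SRV record: %%R & set FAIL=1
  )
)

rem 4. Support Tools checks: connectivity, advertised roles, NetLogon
rem    shares and services, plus the DC's own DNS registrations.
dcdiag /test:Connectivity /test:Advertising /test:NetLogons /test:Services
netdiag /test:dns

if defined FAIL (
  echo RESULT: promotion checks found problems; review the MISSING lines above
  exit /b 1
)
echo RESULT: basic promotion checks passed
endlocal
```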
INSTALLATION OF DIFFERENT STRUCTURES
The example just completed assumed that the installation was being carried out on the first domain Active Directory. There are some variations when creating additional domain controllers, child domains, and trees within an existing forest (Figure 6.6). These are described in the following sections.
Figure 6.6. Optional Domain Controller Installations
Adding Domain Controllers to Existing Domains
After the domain is created, domain controllers can be added by running dcpromo.exe from the new Windows Server. The Active Directory Installation Wizard will prompt you to determine the domain controller type. Select Additional domain controller for an existing domain. You will need to specify the user name, password, and domain name of a user account that has rights to create domain controllers. The DNS name for the domain must also be provided. Finally, you will need to establish where database and log files, together with the Shared System Volume, are to be located. Generally, the default location will be used. All other installation questions will be the same as in the walk-through example.
Creating a Child Domain
The creation of a child domain also involves executing dcpromo.exe from the new Windows Server 2003 or installing Active Directory directly. The Active Directory Installation Wizard will prompt you to determine the domain controller type. Select Domain controller for a new domain. In the next screen, which allows you to create trees or child domains, select Child domain in an existing domain tree. You will need to specify the user name, password, and domain name of a user account in the Enterprise Admins group that has rights to create domains. You will also need to supply the parent's DNS name and the name of the new child domain. Remember that the child name is added to the front of the parent DNS name, separated by a period. Also specified here is the NetBIOS name for the new domain. After the root domain has been created, child domains can be logically added. As before, you will need to establish where database and log files, together with the Shared System Volume, will reside. Generally, the default location will be used.

Finally, you will need to determine whether to weaken permissions in order to provide Windows NT 4.0 RAS access. This is generally not recommended unless you plan to continue using Windows NT for a substantial period. All other installation questions will be the same as in the walk-through example.
Creating a Tree in an Existing Forest
Once the root domain tree is created, it is possible to add a tree to the forest by running dcpromo.exe from the new Windows Server. The Active Directory Installation Wizard will prompt you to determine the domain controller type. Select Domain controller for a new domain. In the next screen, where you can create trees or child domains, select Create a new domain tree. From the next screen, select Place this new domain tree in an existing forest. You will need to specify the username, password, and domain name of a user account in the Enterprise Admins group that has rights to create domains. You will also need to supply the new tree's DNS name and specify the NetBIOS name for the new domain. After the root domain has been created, child domains can logically be added.

You will need to establish where database and log files, together with the Shared System Volume, are to be located; generally, the default location will be used. Finally, you will need to determine whether to weaken permissions in order to provide Windows NT 4.0 RAS access. This is generally not recommended unless you plan on using Windows NT for a substantial period. All other installation questions will be the same as in the walk-through example.