How Do I Instal Ad 2003

8/8/2019 How Do I Instal Ad 2003

http://slidepdf.com/reader/full/how-do-i-instal-ad-2003 1/35

How do I install Active Directory on my Windows Server 2003server?

Here is a quick list of what you must have:

• An NTFS partition with enough free space• An Administrator's username and password• The correct operating system version• A NIC• Properly configured TCP/IP (IP address, subnet mask and - optional - default

gateway)• A network connection (to a hub or to another computer via a crossover cable)• An operational DNS server (which can be installed on the DC itself)• A Domain name that you want to use• The Windows Server 2003 CD media (or at least the i386 folder)• Brains (recommended, not required...)

Step 1: Configure the computer's suffix

(Not mandatory, can be done via the Dcpromo process).

1. Right click My Computer and choose Properties.

2. Click the Computer Name tab, then Change.



3. Set the computer's NetBIOS name. In Windows Server 2003, this CAN be changedafter the computer has been promoted to Domain Controller.

4. Click More.

5. In the Primary DNS suffix of this computer box enter the would-be domain name. Makesure you got it right. No spelling mistakes, no "oh, I thought I did it right...". Although thedomain name CAN be changed after the computer has been promoted to DomainController, this is not a procedure that one should consider lightly, especially because onthe possible consequences. Read more about it on my Windows 2003 Domain Rename

Tool page.



6. Click Ok.7. You'll get a warning window.8. Click Ok.

9. Check your settings. See if they're correct.



10 Click Ok.

11 You'll get a warning window.

12. Click Ok to restart

Step 2: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use it's own IP address as theaddress of the DNS server, so it will point to itself when registering SRV records and when

querying the DNS database.

Configure TCP/IP

1. Click Start, point to Settings and then click Control Panel.2. Double-click Network and Dial-up Connections.

3. Right-click Local Area Connection, and then click Properties.



4. Click Internet Protocol (TCP/IP), and then click Properties.



5. Assign this server a static IP address, subnet mask, and gateway address. Enter theserver's IP address in the Preferred DNS server box.Note: This is true if the server itself will also be it's own DNS server.



5. If you have another operational Windows 2000/2003 server that is properlyconfigured as your DNS server (read my Create a New DNS Server for AD page) -

enter that server's IP address instead:



6. Click Advanced.7. Click the DNS Tab.8. Select "Append primary and connection specific DNS suffixes"9. Check "Append parent suffixes of the primary DNS suffix"

10. Check "Register this connection's addresses in DNS". If this Windows 2000/2003-based DNS server is on an intranet, it should only point to its own IP address forDNS; do not enter IP addresses for other DNS servers here. If this server needs toresolve names on the Internet, it should have a forwarder configured.



11 lick OK to close the Advanced TCP/IP Settings properties.

12.Click OK to accept the changes to your TCP/IP configuration.13.Click OK to close the Local Area Connections properties.

Step 3: Configure the DNS Zone

(Not mandatory, can be done via the Dcpromo process).

This article assumes that you already have the DNS service installed. If this is not the

case, please read Create a New DNS Server for AD

Furthermore, it is assumed that the DC will also be it's own DNS server. If that is not thecase, you MUST configure another Windows 2000/2003 server as the DNS server, and if you try to run DCPROMO without doing so, you'll end up with errors and the process willfail.

Creating a Standard Primary Forward Lookup Zone



1. Click Start, point to All Programs, point to Administrative Tools, and then click DNSManager. You see two zones under your computer name: Forward Lookup Zone andReverse Lookup Zone.

2. Right click Forward Lookup Zones and choose to add a new zone.

3. Click Next. The new forward lookup zone must be a primary zone so that it can acceptdynamic updates. Click Primary, and then click Next.



4 The name of the zone must be the same as the name of the Active Directorydomain, or be a logical DNS container for that name. For example, if the ActiveDirectory domain is named "lab.dpetri.net", legal zone names are "lab.dpetri.net","dpetri.net", or "net".



Type the name of the zone, and then click Next.

5. Accept the default name for the new zone file. Click Next.



6. To be able to accept dynamic updates to this new zone, click "Allow both nonsecureand secure dynamic updates". Click Next.

7. Click Finish.



You should now make sure your computer can register itself in the new zone. Go to theCommand Prompt (CMD) and run "ipconfig /registerdns" (no quotes, duh...). Go back tothe DNS console, open the new zone and refresh it (F5). Notice that the computer shouldby now be listed as an A Record in the right pane.

If it's not there try to reboot (although if it's not there a reboot won't do much good).

Check the spelling on your zone and compare it to the suffix you created in step 1. Checkyour IP settings.

Enable DNS Forwarding for Internet connections (Not mandatory)

1. Start the DNS Management Console.

2. Right click the DNS Server object for your server in the left pane of the console, andclick Properties.

3. Click the Forwarders tab.

4. In the IP address box enter the IP address of the DNS servers you want to forward

queries to - typically the DNS server of your ISP. You can also move them up ordown. The one that is highest in the list gets the first try, and if it does not respondwithin a given time limit - the query will be forwarded to the next server in the list.



5. Click OK.

Creating a Standard Primary Reverse Lookup Zone

You can (but you don't have to) also create a reverse lookup zone on your DNS server. Thezone's name will be the same as your TCP/IP Network ID. For example, if your IP address is192.168.0.200, then the zone's name will be 192.168.0 (DNS will append a long name toit, don't worry about it). You should also configure the new zone to accept dynamicupdates. I guess you can do it on your own by now, can't you?



Step 4: Running DCPROMO

After completing all the previous steps (remember you didn't have to do them) and afterdouble checking your requirements you should now run Dcpromo.exe from the Runcommand.

1. Click Start, point to Run and type "dcpromo".

2. The wizard windows will appear. Click Next.

3. In the Operating System Compatibility windows read the requirements for the domain'sclients and if you like what you see - press Next.



4. Choose Domain Controller for a new domain and click Next.

5. Choose Create a new Domain in a new forest and click Next.



6. Enter the full DNS name of the new domain, for example - kuku.co.il - this must be thesame as the DNS zone you've created in step 3, and the same as the computer namesuffix you've created in step 1. Click Next.



This step might take some time because the computer is searching for the DNS serverand checking to see if any naming conflicts exist.

7. Accept the the down-level NetBIOS domain name, in this case it's KUKU. Click Next

8. Accept the Database and Log file location dialog box (unless you want to change them

of course). The location of the files is by default %systemroot%\NTDS, and you should notchange it unless you have performance issues in mind. Click Next.



9. Accept the Sysvol folder location dialog box (unless you want to change it of course).

The location of the files is by default %systemroot%SYSVOL, and you should notchange it unless you have performance issues in mind. This folder must be on an NTFSv5.0 partition. This folder will hold all the GPO and scripts you'll create, and will bereplicated to all other Domain Controllers. Click Next.



10. If your DNS server, zone and/or computer name suffix were not configured correctlyyou will get the following warning:This means the Dcpromo wizard could not contact theDNS server, or it did contact it but could not find a zone with the name of the futuredomain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.You have anoption to let Dcpromo do the configuration for you. If you want, Dcpromo can install theDNS service, create the appropriate zone, configure it to accept dynamic updates, and

configure the TCP/IP settings for the DNS server IP address.To let Dcpromo do the work foryou, select "Install and configure the DNS server...".

Click Next.

Otherwise, you can accept the default choice and then quit Dcpromo and checksteps 1-3.

11. If your DNS settings were right, you'll get a confirmation window.



Just click Next.

12. Accept the Permissions compatible only with Windows 2000 or Windows Server2003 settings, unless you have legacy apps running on Pre-W2K servers.



13. Enter the Restore Mode administrator's password. In Windows Server 2003 thispassword can be later changed via NTDSUTIL. Click Next.

14. Review your settings and if you like what you see - Click Next.



15. See the wizard going through the various stages of installing AD. Whatever you do -NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a mistakeand want to undo it, you'd better let the wizard finish and then run it again to undo theAD.



16. If all went well you'll see the final confirmation window. Click Finish.

17. You must reboot in order for the AD to function properly.



Step 5: Checking the AD installation

You should now check to see if the AD installation went well.

1. First, see that the Administrative Tools folder has all the AD management toolsinstalled.



2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command).See that all OUs and Containers are there.

3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed.



4. If they don't (like in the following screenshot), your AD functions will be broken (a goodsign of that is the long time it took you to log on. The "Preparing Network Connections"windows will sit on the screen for many moments, and even when you do log on many ADoperations will give you errors when trying to perform them).



= BadThis might happen if you did not manually configure your DNS server and let theDCPROMO process do it for you.Another reason for the lack of SRV records (and of all other records for that matter) is thefact that you DID configure the DNS server manually, but you made a mistake, either withthe computer suffix name or with the IP address of the DNS server (see steps 1 through 3).

Open the DNS console. See that you have a zone with the same name as your AD domain(the one you've just created, remember? Duh...). See that within it you have the 4 SRVrecord folders. They must exist.

= Good

To try and fix the problems first see if the zone is configured to accept dynamicupdates.

5. Right-click the zone you created, and then click Properties.



6. On the General tab, under Dynamic Update, click to select "Nonsecure and secure" fromthe drop-down list, and then click OK to accept the change.You should now restart the

NETLOGON service to force the SRV registration.You can do it from the Services console inAdministrative tools:



Or from the command prompt type "net stop netlogon", and after it finishes, type "netstart netlogon".

Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is okyou'll now see the 4 SRV record folders.

If the 4 SRV records are still not present double check the spelling of the zone in the DNSserver. It should be exactly the same as the AD Domain name. Also check the computer'ssuffix (see step 1). You won't be able to change the computer's suffix after the AD isinstalled, but if you have a spelling mistake you'd be better off by removing the AD now,before you have any users, groups and other objects in place, and then after repairing themistake - re-running DCPROMO



7. Check the NTDS folder for the presence of the required files.

8. Check the SYSVOL folder for the presence of the required subfolders.



9. Check to see if you have the SYSVOL and NETLOGON shares, and their location.

If all of the above is ok, I think it's safe to say that your AD is properly installed.

How Do I Instal Ad 2003

Documents

Transcript of How Do I Instal Ad 2003