Step by Step Active Directory Installation Guide for Windows Server 2003


7/28/2019 Step by Step Active Directory Installation Guide for Windows Server 2003

What Do You Need to Install Active Directory?

The process of installing an Active Directory domain is quite simple, but if you don't know your basics you might stumble across a few pitfalls. For additional information about anything in this article, refer to the Windows 2000 online Help and the Microsoft Windows 2000 Server Deployment Planning Guide (http://www.microsoft.com/windows2000/techinfo/reskit/dpg).

What do we need in order to successfully install Active Directory on a Windows 2000 or Windows Server 2003 server?

Here is a quick list of what you must have:

- An NTFS partition with enough free space
- An Administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A domain name that you want to use
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
- Brains (recommended, not required...)

An NTFS Partition

To successfully install AD you must have at least one NTFS formatted partition, preferably the partition Windows is installed on. (This is NOT true when you have performance issues on your mind; you would then install the AD database on a different, fast physical disk, but that's another topic.) To convert a partition (C:) to NTFS, type the following command in the command prompt window:

convert c: /fs:ntfs

The NTFS partition is required for the SYSVOL folder.


Free space on your disk

You need at least 250 MB of free space on the partition you plan to install AD on. Of course you'll need more than that if you plan to create more users, groups and various AD objects.

Local Administrator's username and password

Only a local Administrator (or equivalent) can install the first domain and thus create the new forest.

If you plan to create another Domain Controller for an existing domain, then you must have Domain Admin rights in the domain you're planning to join.

If you want to create a child domain under an existing domain, or another tree in an existing forest, you must have Enterprise Admin rights.

Windows 2000 Server (or Advanced Server or Datacenter Server), or Windows Server 2003 (or Enterprise Server or Datacenter)

Duh... you cannot install AD on a Professional computer.

IP Configuration

You need a dedicated IP address to install Active Directory. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.

The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.

To configure your IP configuration, use the following steps:

1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Make sure you have a static and dedicated IP address. If you don't need Internet connectivity through this specific NIC you can use a private IP range such as 192.168.0.0 with a subnet mask of 255.255.255.0.
5. Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:
   - Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if you are not going to configure a dedicated DNS server.
   - If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.
   - Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.
   - Make sure that the Register this connection's addresses in DNS check box is selected.

Active Network Connection Required During Installation

The installation of Active Directory requires an active network connection. When you attempt to use Dcpromo.exe to promote a Windows 2000 Server-based computer to a domain controller, you may receive the following error message:

Active Directory Installation Failed
The operation failed with the following error
The network location cannot be reached. For further information about network troubleshooting, see Windows Help.

This problem can occur if the network cable is not plugged into a hub or other network device.

(Screenshot of a disconnected or unplugged network cable)

(Screenshot of a connected NIC)

To resolve this problem, plug the network cable into a hub or other network device. If network connectivity is not available and this is the first domain controller in a new forest, you can finish Dcpromo.exe by installing the Microsoft Loopback Adapter.

The Microsoft Loopback adapter is a tool for testing in a virtual network environment where access to a network is not feasible. The Loopback adapter is also essential if there are conflicts with a network adapter or a network adapter driver. Network clients, protocols, and so on can be bound to the Loopback adapter, and the network adapter driver or network adapter can be installed at a later time while retaining the network configuration information. The Loopback adapter can also be installed during the unattended installation process. To install it manually:

1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Hardware.
2. Click Add/Troubleshoot a device, and then click Next.
3. Click Add a new device, and then click Next.
4. Click No, I want to select the hardware from a list, and then click Next.
5. Click Network adapters, and then click Next.
6. In the Manufacturers box, click Microsoft.
7. In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
8. Click Finish.

After the adapter is installed successfully, you can configure its options manually, as with any other adapter. Note that if the TCP/IP properties are configured to use DHCP (the default), the adapter will eventually use an autonet APIPA address (169.254.x.x/16) because it is not actually connected to any physical media.

"Always On" Internet Connection (recommended)

An "always on" connection (for example, a cable modem or digital subscriber line [DSL] line) is recommended (but not required) to enable clients to obtain Internet access. If you do not use an "always on" connection, you must configure a demand-dial interface using Network Address Translation (NAT) for clients to access the Internet.

DNS Configuration

A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly.

You need to keep in mind the following DNS configuration issues when you install Active Directory on a home network: root zone entries and DNS forwarders.

Root zone entries

External DNS queries to the Internet do not work if a root zone entry exists on the DNS server. To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the DNS Manager forward lookup zones. To check for the existence of the root zone entry, open the forward lookup zones in the DNS Management console. You should see the entry for the domain. If the "dot" zone exists, delete it. For additional information about the root zone entry

DNS forwarders (recommended)

If you plan to have full Internet connectivity then DNS forwarders are necessary to ensure that all DNS queries are correctly sent to your Internet service provider's DNS server and that computers on your network will be able to resolve Internet addresses correctly. You can only configure DNS forwarders if no root zone entry is present.

To configure forwarders on the DNS server:

1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. On the Forwarders tab, click to select the Enable Forwarders check box.
4. Type the appropriate IP addresses for the DNS servers that may be accepting forwarded requests from this DNS server. The list reads top-down in order, so place a preferred DNS server at the top of the list.
5. It is recommended that you have all the Root Hints (top level DNS servers) listed in the Root Hints tab.
6. If not, copy the Cache.dns file from the %systemroot%\system32\dns\samples folder to the %systemroot%\system32\dns\ folder and restart the DNS service.
7. Click OK to accept the changes.

Client Connections

When you have a scenario in which clients on the LAN connect directly to the Internet and not through a NAT device, the clients should connect to the Active Directory domain controller using an internal network on a second network adapter. This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or ICS to isolate the clients on the local network. The clients should point to the domain's DNS server to ensure proper DNS connectivity. The DNS server's forwarder will then allow the clients to access DNS addresses on the Internet.

Do not use ICS (recommended)

Use NAT instead. ICS (Internet Connection Sharing) will break all the DHCP and DNS functionality on your LAN. Try to avoid ICS at all costs. If you must, make the Domain Controller itself the ICS server, and let all clients obtain their IP configuration automatically. This of course is not a good security decision, because you will expose your Domain Controller to potential Internet threats. Again, and I cannot stress this enough, avoid ICS on your corporate LAN and use NAT instead.


NetBIOS Over TCP/IP

A common security consideration with an active connection to the Internet is the restriction of NetBIOS connections on the network adapter that is directly connected to the Internet. If clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the external network adapter, and prevent any attempts at unauthorized NetBIOS access by outside sources.

To disable NetBIOS on the NIC that is connected to the Internet, use the following steps:

1. Right-click My Network Places, and then click Properties.
2. Right-click the icon of the NIC that is connected to the Internet, and then click Properties.
3. Uncheck the File and Print Sharing for Microsoft Networks check box.
4. Click TCP/IP and then Properties.
5. Click Advanced and go to the WINS tab.
6. Select the Disable NetBIOS over TCP/IP radio button.
7. Click OK all the way out.
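The following PowerShell is an added example, not code from the original article: it does what steps 4 to 7 above do by hand, listing the NetBIOS over TCP/IP setting of every IP-enabled adapter and then disabling it on the one named as the Internet-facing NIC. It reads the TcpipNetbiosOptions property and calls the SetTcpipNetbios method of the Win32_NetworkAdapterConfiguration WMI class. The adapter name Local Area Connection 2 is an assumption; review the listing first so that the internal NIC, which your clients still need NetBIOS on, is not touched. Unbinding File and Print Sharing (step 3) is not covered here and stays a property-page task.

```powershell
# Added example, not from the original article. TcpipNetbiosOptions values:
# 0 = take the setting from DHCP (the default), 1 = enabled, 2 = disabled.
function Get-NetbiosState {
    # One row per IP-enabled adapter, so the external NIC can be identified by
    # its connection name, address and default gateway before anything changes.
    Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID IS NOT NULL" | ForEach-Object {
        $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($_.Index) AND IPEnabled = True"
        if ($cfg) {
            New-Object PSObject -Property @{
                Connection = $_.NetConnectionID
                IPAddress  = (@($cfg.IPAddress) -join ',')
                Gateway    = (@($cfg.DefaultIPGateway) -join ',')
                NetBIOS    = $cfg.TcpipNetbiosOptions
            }
        }
    }
}

function Disable-NetbiosOnAdapter {
    param([string]$AdapterName)   # connection name of the Internet-facing NIC (assumption)

    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$AdapterName'"
    if (-not $adapter) { throw "Adapter '$AdapterName' not found" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($adapter.Index)"

    if ($cfg.TcpipNetbiosOptions -eq 2) {
        return "NetBIOS over TCP/IP already disabled on '$AdapterName'"
    }

    # SetTcpipNetbios(2) is the WMI equivalent of the 'Disable NetBIOS over TCP/IP'
    # radio button on the WINS tab. ReturnValue 0 = done, 1 = done, reboot required.
    $result = $cfg.SetTcpipNetbios(2)
    switch ($result.ReturnValue) {
        0       { "NetBIOS over TCP/IP disabled on '$AdapterName'" }
        1       { "NetBIOS over TCP/IP disabled on '$AdapterName' (reboot required)" }
        default { throw "SetTcpipNetbios failed with return code $($result.ReturnValue)" }
    }
}

# Usage: review the listing, then disable NetBIOS only on the external adapter.
Get-NetbiosState | Format-Table Connection, IPAddress, Gateway, NetBIOS -AutoSize
Disable-NetbiosOnAdapter -AdapterName 'Local Area Connection 2'
```

Run it in an elevated PowerShell session on the server; the listing alone is useful when auditing which adapters on a multi-homed DC still answer NetBIOS.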

Do not use Single-Label domain names

As a general rule, Microsoft recommends that you register DNS domain names for internal and external namespaces with Internet authorities. This includes the DNS names of Active Directory domains, unless such names are sub-domains of names that are registered by your organization; for example, "corp.example.com" is a sub-domain of "example.com". When you register DNS names with Internet authorities, it prevents possible name collisions should registration for the same DNS domain be requested by another organization, or if your organization merges, acquires or is acquired by another organization that uses the same DNS names.

DNS names that don't include a period ("dot", ".") are said to be single-label (for example, com, net, org, bank, companyname) and cannot be registered on the Internet with most Internet authorities.

How do I install Active Directory on my Windows Server 2003 server?

First make sure you read and understand Active Directory Installation Requirements (http://www.petri.co.il/active_directory_installation_requirements.htm). If you don't comply with all the requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a computer that's not connected to a LAN).

Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in a NEW FOREST. Meaning: don't do it for any other scenario, such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain follow the Windows 2003 ADPrep tip (http://www.petri.co.il/windows_2003_adprep.htm).

Here is a quick list of what you must have:

- An NTFS partition with enough free space
- An Administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A domain name that you want to use
- The Windows Server 2003 CD media (or at least the i386 folder)
- Brains (recommended, not required...)

This article assumes that all of the above requirements are fulfilled.

Step 1: Configure the computer's suffix

(Not mandatory, can be done via the Dcpromo process.)

1. Right-click My Computer and choose Properties.
2. Click the Computer Name tab, then Change.
3. Set the computer's NetBIOS name. In Windows Server 2003, this CAN be changed after the computer has been promoted to Domain Controller.
4. Click More.
5. In the Primary DNS suffix of this computer box enter the would-be domain name. Make sure you got it right. No spelling mistakes, no "oh, I thought I did it right...". Although the domain name CAN be changed after the computer has been promoted to Domain Controller, this is not a procedure that one should consider lightly, especially because of the possible consequences.
6. Click OK.
7. You'll get a warning window.
8. Click OK.
9. Check your settings. See if they're correct.
10. Click OK.
11. You'll get a warning window.
12. Click OK to restart.
Step 2: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use its own IP address as the address of the DNS server, so it will point to itself when registering SRV records and when querying the DNS database.

Configure TCP/IP

1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.
4. Click Internet Protocol (TCP/IP), and then click Properties.
5. Assign this server a static IP address, subnet mask, and gateway address. Enter the server's IP address in the Preferred DNS server box. Note: This is true if the server itself will also be its own DNS server. If you have another operational Windows 2000/2003 server that is properly configured as your DNS server (read my Create a New DNS Server for AD page, http://www.petri.co.il/create_a_new_dns_server_for_ad.htm), enter that server's IP address instead.
6. Click Advanced.
7. Click the DNS tab.
8. Select "Append primary and connection specific DNS suffixes".
9. Check "Append parent suffixes of the primary DNS suffix".
10. Check "Register this connection's addresses in DNS". If this Windows 2000/2003-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.
11. Click OK to close the Advanced TCP/IP Settings properties.
12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connection properties.
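As an added example that is not part of the original article, the PowerShell function below checks a would-be domain controller's adapter against the settings required by the DNS list in the IP Configuration section and by Step 2: a static address, the preferred DNS server pointing at the server itself, the connection-specific and primary DNS suffixes equal to the planned domain name, and DNS registration enabled. It reads the same settings the property pages write, through the Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration WMI classes and the Tcpip\Parameters registry key. The domain name kuku.co.il and the adapter name Local Area Connection are assumptions taken from the article's own examples.

```powershell
# Added example, not from the original article: audit the would-be DC's TCP/IP
# settings against the requirements above. Returns a list of problems; an
# empty list means the adapter matches what Dcpromo expects.
function Test-DcNetworkConfig {
    param(
        [string]$DomainName,    # planned AD domain name, e.g. kuku.co.il (assumption)
        [string]$AdapterName    # connection name of the internal NIC (assumption)
    )
    $problems = @()

    # Win32_NetworkAdapter carries the connection name; its Index links to the
    # Win32_NetworkAdapterConfiguration instance that holds IP and DNS settings.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$AdapterName'"
    if (-not $adapter) { return @("Adapter '$AdapterName' not found") }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($adapter.Index)"

    # A DC needs a static, dedicated address (Step 2, item 5).
    if ($cfg.DHCPEnabled) {
        $problems += "Adapter '$AdapterName' uses DHCP; assign a static IP address"
    }

    # The preferred DNS server must be the server's own address when it hosts DNS itself.
    $ownIp   = @($cfg.IPAddress)[0]
    $dnsList = @($cfg.DNSServerSearchOrder | Where-Object { $_ })
    if ($dnsList.Count -eq 0 -or $dnsList[0] -ne $ownIp) {
        $problems += "Preferred DNS server is '$($dnsList -join ',')', expected own address $ownIp"
    }

    # 'DNS suffix for this connection' must equal the AD domain name.
    if ($cfg.DNSDomain -ne $DomainName) {
        $problems += "Connection DNS suffix is '$($cfg.DNSDomain)', expected '$DomainName'"
    }

    # 'Register this connection's addresses in DNS' must be checked (Step 2, item 10).
    if (-not $cfg.FullDNSRegistrationEnabled) {
        $problems += "'Register this connection's addresses in DNS' is not enabled"
    }

    # The primary DNS suffix set in Step 1 is stored under Tcpip\Parameters.
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    if ($tcpip.Domain -ne $DomainName) {
        $problems += "Primary DNS suffix is '$($tcpip.Domain)', expected '$DomainName' (see Step 1)"
    }

    return $problems
}

# Usage: print each finding, or confirm the adapter is ready for Dcpromo.
$findings = @(Test-DcNetworkConfig -DomainName 'kuku.co.il' -AdapterName 'Local Area Connection')
if ($findings.Count -eq 0) { 'TCP/IP settings match the requirements' } else { $findings }
```

Running this before Dcpromo catches the two mistakes the article keeps coming back to, a mistyped suffix and a DNS server address that is not the server's own, while they are still cheap to fix.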

Step 3: Configure the DNS Zone

(Not mandatory, can be done via the Dcpromo process.)

Furthermore, it is assumed that the DC will also be its own DNS server. If that is not the case, you MUST configure another Windows 2000/2003 server as the DNS server, and if you try to run DCPROMO without doing so, you'll end up with errors and the process will fail.

Creating a Standard Primary Forward Lookup Zone

1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS Manager. You see two zones under your computer name: Forward Lookup Zone and Reverse Lookup Zone.
2. Right-click Forward Lookup Zones and choose to add a new zone.
3. Click Next. The new forward lookup zone must be a primary zone so that it can accept dynamic updates. Click Primary, and then click Next.
4. The name of the zone must be the same as the name of the Active Directory domain, or be a logical DNS container for that name. For example, if the Active Directory domain is named "lab.dpetri.net", legal zone names are "lab.dpetri.net", "dpetri.net", or "net". Type the name of the zone, and then click Next.
5. Accept the default name for the new zone file. Click Next.
6. To be able to accept dynamic updates to this new zone, click "Allow both nonsecure and secure dynamic updates". Click Next.
7. Click Finish.

You should now make sure your computer can register itself in the new zone. Go to the Command Prompt (CMD) and run "ipconfig /registerdns" (no quotes, duh...). Go back to the DNS console, open the new zone and refresh it (F5). Notice that the computer should by now be listed as an A record in the right pane.

If it's not there, try to reboot (although if it's not there a reboot won't do much good). Check the spelling of your zone and compare it to the suffix you created in Step 1. Check your IP settings.

Enable DNS Forwarding for Internet connections (not mandatory)

1. Start the DNS Management Console.
2. Right-click the DNS Server object for your server in the left pane of the console, and click Properties.
3. Click the Forwarders tab.
4. In the IP address box enter the IP addresses of the DNS servers you want to forward queries to, typically the DNS server of your ISP. You can also move them up or down. The one that is highest in the list gets the first try, and if it does not respond within a given time limit the query will be forwarded to the next server in the list.
5. Click OK.
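The DNS server checks from the root zone and forwarders sections above, and from the zone creation and registration check in this step, collected into one PowerShell function. This is an added example, not the article's own code. It uses the MicrosoftDNS_Zone, MicrosoftDNS_Server and MicrosoftDNS_AType classes that the Windows DNS service exposes in the root\MicrosoftDNS WMI namespace, so it must run on the DNS server itself. The zone name kuku.co.il is an assumption taken from the article's Step 4 example.

```powershell
# Added example, not from the original article: verify the DNS server is in the
# state Dcpromo needs. Returns a list of problems; empty means all checks passed.
function Test-AdDnsServer {
    param([string]$ZoneName)   # must equal the planned AD domain name (assumption: kuku.co.il)

    $problems = @()
    $ns = 'root\MicrosoftDNS'
    $zones = @(Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone)

    # A root zone (shown as "." in the DNS console) makes the server believe it is
    # authoritative for everything, so forwarders and root hints are never consulted.
    if ($zones | Where-Object { $_.Name -eq '.' }) {
        $problems += "A root zone '.' exists; delete it, or Internet name resolution and forwarders will not work"
    }

    # The forward lookup zone must exist and accept dynamic updates, or the DC
    # cannot register its A and SRV records. AllowUpdate: 0 = none,
    # 1 = nonsecure and secure, 2 = secure only.
    $zone = $zones | Where-Object { $_.Name -eq $ZoneName }
    if (-not $zone) {
        $problems += "No forward lookup zone named '$ZoneName' (check spelling against the domain name)"
    } elseif ($zone.AllowUpdate -eq 0) {
        $problems += "Zone '$ZoneName' does not allow dynamic updates; SRV registration will fail"
    } else {
        # After 'ipconfig /registerdns' the server's own A record should be present.
        $hostFqdn = "$env:COMPUTERNAME.$ZoneName"
        $aRecord = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_AType |
            Where-Object { $_.OwnerName -eq $hostFqdn }
        if (-not $aRecord) {
            $problems += "No A record for $hostFqdn in '$ZoneName'; run 'ipconfig /registerdns' and refresh"
        }
    }

    # Forwarders are what let internal clients resolve Internet names via the ISP's DNS.
    $server = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Server
    $forwarders = @($server.Forwarders | Where-Object { $_ })
    if ($forwarders.Count -eq 0) {
        $problems += "No forwarders configured; external lookups will rely on root hints only"
    }

    return $problems
}

# Usage, on the DNS server itself.
$findings = @(Test-AdDnsServer -ZoneName 'kuku.co.il')
if ($findings.Count -eq 0) { 'DNS server is ready for Dcpromo' } else { $findings }
```

The zone-name comparison is exact on purpose: the article's troubleshooting section traces most failed SRV registrations to a zone whose name does not match the domain name character for character.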

Creating a Standard Primary Reverse Lookup Zone

You can (but you don't have to) also create a reverse lookup zone on your DNS server. The zone's name will be the same as your TCP/IP network ID. For example, if your IP address is 192.168.0.200, then the zone's name will be 192.168.0 (DNS will append a long name to it, don't worry about it). You should also configure the new zone to accept dynamic updates. I guess you can do it on your own by now, can't you?

Step 4: Running DCPROMO

After completing all the previous steps (remember, you didn't have to do them) and after double-checking your requirements, you should now run Dcpromo.exe from the Run command.

1. Click Start, point to Run and type "dcpromo".
2. The wizard window will appear. Click Next.
3. In the Operating System Compatibility window read the requirements for the domain's clients and if you like what you see, press Next.
4. Choose Domain Controller for a new domain and click Next.
5. Choose Create a new Domain in a new forest and click Next.
6. Enter the full DNS name of the new domain, for example kuku.co.il. This must be the same as the DNS zone you've created in Step 3, and the same as the computer name suffix you've created in Step 1. Click Next. This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.
7. Accept the down-level NetBIOS domain name, in this case KUKU. Click Next.
8. Accept the Database and Log file location dialog box (unless you want to change them, of course). The location of the files is by default %systemroot%\NTDS, and you should not change it unless you have performance issues in mind. Click Next.
9. Accept the Sysvol folder location dialog box (unless you want to change it, of course). The location of the files is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPOs and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.
10. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the following warning (screenshot of the DNS diagnostic warning). This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain. You should check your settings. Go back to Steps 1, 2 and 3. Click OK. You have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address. To let Dcpromo do the work for you, select "Install and configure the DNS server...". Click Next. Otherwise, you can accept the default choice and then quit Dcpromo and check Steps 1-3.
11. If your DNS settings were right, you'll get a confirmation window. Just click Next.
12. Accept the Permissions compatible only with Windows 2000 or Windows Server 2003 setting, unless you have legacy apps running on pre-W2K servers.
13. Enter the Restore Mode administrator's password. In Windows Server 2003 this password can later be changed via NTDSUTIL. Click Next.
14. Review your settings and if you like what you see, click Next.
15. See the wizard going through the various stages of installing AD. Whatever you do, NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the wizard finish and then run it again to undo the AD.
16. If all went well you'll see the final confirmation window. Click Finish.
17. You must reboot in order for the AD to function properly.
18. Click Restart now.

Step 5: Checking the AD installation

You should now check to see if the AD installation went well.

1. First, see that the Administrative Tools folder has all the AD management tools installed.
2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and Containers are there.
3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed.
4. Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist. (Screenshot of a zone with the 4 SRV record folders = Good.) If they don't exist (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it took you to log on. The "Preparing Network Connections" window will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform them). (Screenshot of a zone without the SRV record folders = Bad.) This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you. Another reason for the lack of SRV records (and of all other records, for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see Steps 1 through 3).

To try and fix the problems, first see if the zone is configured to accept dynamic updates.

5. Right-click the zone you created, and then click Properties.
6. On the General tab, under Dynamic Update, click to select "Nonsecure and secure" from the drop-down list, and then click OK to accept the change. You should now restart the NETLOGON service to force the SRV registration. You can do it from the Services console in Administrative Tools, or from the command prompt: type "net stop netlogon", and after it finishes, type "net start netlogon".

Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is OK you'll now see the 4 SRV record folders.

If the 4 SRV record folders are still not present, double-check the spelling of the zone in the DNS server. It should be exactly the same as the AD domain name. Also check the computer's suffix (see Step 1). You won't be able to change the computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off removing the AD now, before you have any users, groups and other objects in place, and then, after repairing the mistake, re-running DCPROMO.

7. Check the NTDS folder for the presence of the required files.
8. Check the SYSVOL folder for the presence of the required subfolders.
9. Check to see if you have the SYSVOL and NETLOGON shares, and their location.

If all of the above is OK, I think it's safe to say that your AD is properly installed.
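As an added example (not from the article), this PowerShell function performs the SRV check from this step with nslookup against the DC's own DNS server and, on request, restarts the Net Logon service as the text describes so that the records are re-registered. The record names are the standard locator records a Windows domain controller registers; the domain kuku.co.il is an assumption taken from Step 4.

```powershell
# Added example, not from the original article: confirm the domain controller's
# locator (SRV) records are present in DNS, optionally restarting Net Logon to
# force re-registration. Returns the names that could not be resolved.
function Test-AdSrvRecords {
    param(
        [string]$DomainName,                # AD domain name (assumption: kuku.co.il)
        [string]$DnsServer = '127.0.0.1',   # the DC's own DNS server
        [switch]$RestartNetlogon            # same effect as net stop/start netlogon
    )

    # The records Net Logon registers under the _msdcs, _tcp and _udp folders.
    # _sites repeats the same names under the site, so the four folders the
    # article mentions map to these lookups.
    $names = @(
        "_ldap._tcp.dc._msdcs.$DomainName",   # LDAP on any DC (the one clients need first)
        "_ldap._tcp.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_kerberos._udp.$DomainName",
        "_kpasswd._tcp.$DomainName",
        "_gc._tcp.$DomainName"                # global catalog; present in the forest root domain
    )

    $missing = @()
    foreach ($name in $names) {
        # nslookup prints one 'svr hostname = <dc>' line per SRV target it finds;
        # anything else (non-existent domain, timeout) means the record is not registered.
        $out = & nslookup '-type=SRV' $name $DnsServer 2>&1 | Out-String
        if ($out -notmatch 'svr hostname') { $missing += $name }
    }

    if ($missing.Count -gt 0 -and $RestartNetlogon) {
        Restart-Service NetLogon
        # Give Net Logon a moment to re-register, then check once more (without restarting again).
        Start-Sleep -Seconds 15
        return Test-AdSrvRecords -DomainName $DomainName -DnsServer $DnsServer
    }
    return $missing
}

# Usage: run on the new DC after the reboot that follows Dcpromo.
$missing = @(Test-AdSrvRecords -DomainName 'kuku.co.il' -RestartNetlogon)
if ($missing.Count -eq 0) { 'All SRV records present' } else { "Missing: $($missing -join ', ')" }
```

If the records are still missing after the restart, the cause is the one the article names: the zone does not accept dynamic updates, or its name or the computer's suffix is misspelled.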

    Windows 2003 ADPrep

    What do I need to do to prepare my Windows 2000 forest for the installation of the

    first Windows Server 2003 DC?

    Before you can introduce Windows Server 2003 domain controllers, you must prepare the forest

    and domains with the ADPrep utility.

    ADPrep /forestprep on the schema master in your Windows 2000 forest.

    ADPrep /domainprep on the Infrastructure Master in each AD domain.

    ADPrep is located in the i386 directory of the Windows Server 2003 install media.

    Note: In Windows Server 2003 R2, ADPrep is not located in the same folder as in the older

    Windows Server 2003 media, and instead you need to look for it in the second CD. You see,

    Windows Server 2003 R2 comes on two installation disks. Installation disk 1 contains a slip-streamed version of Windows Server 2003 with Service Pack 2 (SP2). Installation disk 2

    contains the Windows Server 2003 R2 files.

    The correct version of the ADPrep.exe tool for Windows Server 2003 R2 is 5.2.3790.2075.

    You can find the R2 ADPrep tool in the following folder on the second CD:

    drive:\CMPNENTS\R2\ADPREP\

    (where drive is the drive letter of your CD-Rom drive)

    http://www.petri.co.il/images/ad_check7.jpg
  • 7/28/2019 Step by Step Active Directory Installation Guide for Windows Server 2003

    19/40

    Exchange 2000 note: Please make sure you read Windows 2003 ADPrep Fix for Exchange 2000

    before installing the first Windows Server 2003 DC in your existing organization.

    Microsoft recommends that you have at least Service Pack (SP) 2 installed on your domaincontrollers before running ADPrep. SP2 fixed a critical internal AD bug, which can manifest

    itself when extending the schema. There were also some fixes to improve the replication delaythat can be seen when indexing attributes.

    Similar to the Exchange setup.exe /forestprep and /domainprep switches.

    The Exchange /forestprep command extends the schema and adds some objects in the

    Configuration Naming Context.

    The Exchange / domainprep command adds objects within the Domain Naming Context

    of the domain it is being run on and sets some ACLs.

    The ADPrep command follows the same logic and performs similar tasks to prepare for the

    upgrade to Windows Server 2003.

    The ADPrep /forestprep command extends the schema with quite a few new classes and

    attributes. These new schema objects are necessary for the new features supported by Windows

    Server 2003.

    You can view the schema extensions by looking at the .ldf files in the \i386 directory on the

    Windows Server 2003 CD. These files contain LDIF entries for adding and modifying new and

    existing classes and attributes.

    Since the schema is extended and objects are added in several places in the Configuration NC,

    the user running /forestprep must be a member of both the Schema Admins and Enterprise

    Admins groups.

    The ADPrep /domainprep creates new containers and objects, modifies ACLs on some objects,

    and changes the meaning of the Everyone security principal.

Before you can run ADPrep /domainprep, you must be sure that the updates from /forestprep have replicated to all domain controllers in the forest.


    /domainprep must be run on the Infrastructure Master of a domain and under the credentials of

    someone in the Domain Admins group.

You can view detailed output of the ADPrep command by looking at the log files in the %Systemroot%\system32\debug\adprep\logs directory.

    Each time ADPrep is executed, a new log file is generated that contains the actions taken during

    that particular invocation. The log files are named based on the time and date ADPrep was run.

Once you've run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2003 or installing new Windows Server 2003 domain controllers.

How do I install and configure a new Windows 2000 DNS server to prepare for a new AD Domain?

The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active Directory clients and client tools use DNS to locate domain controllers for administration and logon. You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. This article guides you through the required DNS configuration.

    NetBIOS name resolution (WINS server, LMHOSTS file, or NetBIOS broadcast) is still required

    for earlier versions of Windows to resolve network resources on an Active Directory domain.

    DNS Server Requirements for Active Directory Support

    Microsoft recommends that you use Microsoft DNS Server as supplied with Windows 2000

    Server as your DNS server. However, Microsoft DNS is not required.

The DNS server that you use:

Must support the SRV resource record (RFC 2052, since superseded by RFC 2782). Active Directory clients locate domain controllers through SRV records, so a DNS server without SRV support cannot host an AD domain.

Should support the dynamic update protocol (RFC 2136), so that the Netlogon service can register and maintain the locator records itself.

Version 8.1.2 and later of BIND (a popular DNS server implementation) supports both the SRV RR and dynamic update. (Version 8.1.1 does support dynamic updates but it has flaws that were fixed in 8.1.2.) If you are using a version of BIND that does not support dynamic update, you need to manually add the records to the DNS server.


    Note: Microsoft Windows NT 4.0 Server DNS does not support the SRV record. Use DNS

    Server that is provided with Windows 2000 Server.

Starting with a Windows 2000-Based Stand-Alone Server

This server becomes a DNS server for your network. You can also promote it to the domain controller role at a later time.

In the first step, you assign this server a static Internet Protocol (IP) configuration. DNS servers should not use dynamically assigned IP addresses, because a dynamic change of address could cause clients to lose contact with the DNS server.

Configure TCP/IP

1. Click Start, point to Settings, and then click Control Panel.

2. Double-click Network and Dial-up Connections.

3. Right-click Local Area Connection, and then click Properties.

4. Click Internet Protocol (TCP/IP), and then click Properties.

5. Assign this server a static IP address, subnet mask, and gateway address. Enter the server's own IP address in the Preferred DNS server box.

6. Click Advanced.

7. Click the DNS tab.

8. Select "Append primary and connection specific DNS suffixes".

9. Check "Append parent suffixes of the primary DNS suffix".

10. Check "Register this connection's addresses in DNS". If this Windows 2000-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.

11. Click OK to close the Advanced TCP/IP Settings properties.

12. Click OK to accept the changes to your TCP/IP configuration.

13. Click OK to close the Local Area Connection properties.

Note: If you receive a warning from the DNS Caching Resolver service, click OK to dismiss the warning. The caching resolver is trying to contact the DNS server, but you have not finished configuring the server.

    Install the DNS Service

    Continue to the next step to install Microsoft DNS Service:

    Next, after installing and configuring DNS, proceed to the next 2 steps:

    Promote This Server to Domain Controller (Optional -

    Recommended)

    Promote this server to the domain controller role by using the Dcpromo.exe utility.

    After the server has been promoted to the domain controller role, the DNS server can use the

    Active Directory Storage Integration feature (this is the recommended path). Proceed to the next

    step if you want to use Active Directory Storage Integration for DNS.

    Enable Active Directory Integrated DNS (Optional -

    Recommended)

    Active Directory Integrated DNS uses the directory for the storage and replication of DNS zone

    databases. If you decide to use Active Directory Integrated DNS, DNS runs on one or more

    domain controllers and you do not need to set up a separate DNS replication topology.


1. In DNS Manager, expand the DNS Server object.

2. Expand the Forward Lookup Zones folder.

3. Right-click the zone you created, and then click Properties.

4. On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.

5. In the Change Zone Type dialog box, click DS Integrated Primary, and then click OK.

6. The DNS server writes the zone database into Active Directory.

7. Right-click the zone named ".", and then click Properties.

8. On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.

9. In the Change Zone Type dialog box, click DS Integrated Primary, and then click OK.

Note: a "." (root) zone makes this server believe it is authoritative for the whole DNS namespace, so it will never use a forwarder or root hints. If this server must resolve Internet names through a forwarder, delete the "." zone instead of converting it.
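Once the zone is in place and the server has been promoted, what actually matters are the SRV records that Netlogon registers under the domain name and under _msdcs; the two DNS server requirements above (SRV support and dynamic update) exist for their sake. The script below is an added example, not code from the original article: it queries each locator record against the DNS server and, if any is missing, points to the re-registration and dynamic-update tests to run on the DC. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later on the machine running the check), the domain name corp.example.com and the DNS server address 192.168.101.10; change the two parameters to match your environment.

```powershell
# Added example (not from the original article). Assumptions: Resolve-DnsName is available
# (Windows 8 / Server 2012 or later), domain corp.example.com, DNS server 192.168.101.10.
param(
    [string]$Domain    = 'corp.example.com',
    [string]$DnsServer = '192.168.101.10'
)

if (-not (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue)) {
    throw 'Resolve-DnsName is not available here; use "nslookup -type=SRV <name> <server>" instead.'
}

# Records every AD client needs in order to find a DC. For a child domain, _gc lives under
# the forest root name rather than the child domain name.
$ExpectedSrv = @(
    "_ldap._tcp.$Domain",                  # domain controllers (LDAP)
    "_ldap._tcp.dc._msdcs.$Domain",        # DC locator
    "_kerberos._tcp.dc._msdcs.$Domain",    # KDC
    "_ldap._tcp.pdc._msdcs.$Domain",       # PDC emulator
    "_gc._tcp.$Domain"                     # global catalog (forest root name)
)

function Get-SrvTargets([string]$Name, [string]$Server) {
    # Resolve-DnsName also returns the glue A records; keep only the SRV answers.
    Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
}

function Test-LocatorRecords([string[]]$Names, [string]$Server) {
    # Prints every record found and returns the names that could not be resolved.
    $missing = @()
    foreach ($name in $Names) {
        try { $srv = @(Get-SrvTargets $name $Server) } catch { $srv = @() }
        if ($srv.Count -eq 0) { $missing += $name; continue }
        foreach ($r in $srv) {
            Write-Host ('{0,-40} -> {1}:{2} (priority {3}, weight {4})' -f
                $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight)
        }
    }
    return $missing
}

$missing = @(Test-LocatorRecords $ExpectedSrv $DnsServer)
if ($missing.Count -eq 0) {
    Write-Host 'All locator records present.'
} else {
    Write-Host "Missing: $($missing -join ', ')"
    # These records are created by dynamic update. On the DC itself, force re-registration
    # and test the zone's dynamic-update behaviour:
    #   nltest /dsregdns
    #   dcdiag /test:DNS /DnsDynamicUpdate /v
    # If the zone does not accept RFC 2136 updates, add the records by hand from the list the
    # DC writes to %SystemRoot%\System32\config\netlogon.dns.
}
```

Run it against the DC's own address first (the server should resolve itself) and then against any secondary DNS server clients use; a record that exists on one and not the other is a replication or zone-transfer problem rather than a registration problem.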

Installing Active Directory on Windows Server 2008

Active Directory on Windows Server 2008 Requirements

The process of installing an Active Directory domain in Windows Server 2008 is quite simple, but some beginners or IT professionals who have never had a chance to get their hands on AD installations, and who are not familiar with its requirements, might stumble across a few pitfalls.

So, what do we need in order to successfully install Active Directory on a Windows Server 2008?

    Here is a quick list of what you must have:

An NTFS partition with enough free space

An Administrator's username and password

The correct operating system version

A NIC

Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)

A network connection (to a hub or to another computer via a crossover cable)

An operational DNS server (which can be installed on the DC itself)

A Domain name that you want to use

Brains (recommended, not required...)

    After you have all the above go ahead and read my "Installing Active Directory on Windows

    Server 2008" article.

    An NTFS Partition

To successfully install AD you must have at least one NTFS formatted partition. Back in older operating systems this was something that you actually had to tell people about, because *some* administrators had servers that did not have their partitions formatted with NTFS. Nowadays, NTFS is the only way to go in Windows-based servers, but I will nevertheless put it in writing, just to make sure.

This partition is where the SYSVOL folder is placed, and usually that is the C: partition, but for large AD deployments this could very well be a different partition.

    To convert a partition (C:) to NTFS type the following command in the command prompt

    window:

convert c: /fs:ntfs

    Free space on your disk

You need at least 250 MB of free space on the partition you plan to install AD on. Of course you'll need more than that if you plan to create more users, groups and various AD objects.

    Local Administrator's username and password

Remember, only a local Administrator (or equivalent) can install the first domain and thus create the new forest. Other installation scenarios, such as adding additional (replica) DCs, require either Domain Admins permissions or, in the case of new domains in the same tree or in new trees, Enterprise Admins permissions.

The right operating system version - Windows Server 2008 Standard, Enterprise or Datacenter

    Duh... however, note that you CAN install Active Directory on Server Core versions. Please read

    my "Understanding Windows Server 2008 Server Core" and "Installing Active Directory on

    Windows 2008 Server Core" articles for more information on Server Core.


    IP Configuration

While it is possible to install Active Directory on a server that has a dynamically-assigned IP address, it doesn't make much sense to do so. It's much better to configure the server with a manual and dedicated IP address. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.

    The Active Directory domain controller should point to its own IP address in the DNS server list

    to prevent possible DNS connectivity issues.

    To configure your IP configuration, use the following steps:

    Note: IP addresses can be also configured from the Command Prompt by using the NETSH

    command, but I will not describe that procedure here.

1. Right-click Network, and then click Properties. If you do not have the Network icon visible on your desktop, use Control Panel.

2. In the Control Panel\Network and Sharing Center window, click on the Manage Network Connections link on the left.

Note: You can get to the same window by typing NCPA.cpl in the Run dialog.

3. In the Control Panel\Network Connections window, right-click Local Area Connection, and then click Properties.


    4. Click Internet Protocol version 4 (TCP/IPv4), and then click Properties.

Note: You can also configure the TCP/IPv6 properties, but you do NOT have to, and frankly, unless you require TCP/IPv6 functionality, I'd simply ignore it or disable it. Be aware, though, that Microsoft does not recommend disabling IPv6 on Windows Server 2008 and later, so leaving it enabled with its default settings is the safer choice. More on that in a future article.

5. Make sure you have a static and dedicated IP address. If you don't need Internet connectivity through this specific NIC you can use a private IP range such as 192.168.101.0 with a subnet mask of 255.255.255.0.


6. The next step is not required, but I usually recommend checking that the correct configuration is in place. Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:

Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if you are not going to configure a dedicated DNS server.

If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.

Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.

Make sure that the Register this connection's addresses in DNS check box is selected.
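The same configuration can be done from the command line with NETSH, as mentioned above, which is handy on Server Core and for repeatable builds. The script below is an added example, not code from the original article (this applies equally to the Windows 2000 "Configure TCP/IP" steps earlier in the page): it sets the static address, points DNS at the server itself with registration enabled, sets the connection-specific suffix, and then reads the result back through WMI to confirm the three settings DCPROMO and the DNS locator depend on. The adapter name "Local Area Connection", the host address 192.168.101.10 in the 192.168.101.0/24 range used above, the gateway 192.168.101.1 and the domain name corp.example.com are assumptions; run it in an elevated Windows PowerShell prompt on the server being prepared.

```powershell
# Added example (not from the original article). Assumptions: adapter "Local Area Connection",
# host 192.168.101.10/24, gateway 192.168.101.1, AD domain corp.example.com; elevated prompt.
$Nic     = 'Local Area Connection'
$Address = '192.168.101.10'
$Mask    = '255.255.255.0'
$Gateway = '192.168.101.1'
$Domain  = 'corp.example.com'

# 1. Static address, mask, gateway (metric 1). The positional form is accepted both by the
#    Windows 2003 "interface ip" context and by the Windows 2008 "interface ipv4" alias.
netsh interface ip set address "$Nic" static $Address $Mask $Gateway 1

# 2. DNS: only this server's own address, and register this connection in DNS ("primary").
#    Do not list the ISP's or any other DNS server here; put a forwarder on the DNS server instead.
netsh interface ip set dns "$Nic" static $Address primary

# 3. Connection-specific DNS suffix = the AD domain name. netsh has no verb for this on 2003,
#    so use the WMI method on the adapter configuration instead.
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.IPAddress -contains $Address }
if (-not $cfg) { throw "No IP-enabled adapter carries $Address; the netsh step did not take effect." }
[void]$cfg.SetDNSDomain($Domain)
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($cfg.Index)"

# 4. Read everything back and flag what still needs fixing.
$checks = @{
    'Static address'          = ($cfg.DHCPEnabled -eq $false)
    'DNS points to self only' = (@($cfg.DNSServerSearchOrder).Count -eq 1 -and
                                 $cfg.DNSServerSearchOrder[0] -eq $Address)
    'Registers in DNS'        = ($cfg.FullDNSRegistrationEnabled -eq $true)
    'Suffix is AD domain'     = ($cfg.DNSDomain -eq $Domain)
}
foreach ($name in ($checks.Keys | Sort-Object)) {
    '{0,-26} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'FIX' })
}
```

The primary DNS suffix of the computer (System Properties, Computer Name) is a separate setting from the connection-specific suffix set here; DCPROMO sets it to the domain name during promotion, so the WMI check above only needs to cover the adapter.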


    Active Network Connection Required During Installation

The installation of Active Directory requires an active network connection. When you attempt to use DCPROMO.exe to promote a Windows Server 2008 computer to a domain controller that doesn't have a connected and active NIC, you will receive the following error message:


    And after hitting Next, this error will appear:

    Active Directory Domain Services Installation Wizard The TCP/IP networking protocol must be

    properly configured. Complete the configuration before you proceed.

    This problem can occur if the network cable is not plugged into a hub or other network device.

(Screenshots: a connected NIC, and a disconnected or unplugged network cable)

To resolve this problem, plug the network cable into a hub or other network device. While it is highly improbable that the network connection status would be disconnected on a server that is about to be deployed in a production environment, this could be the case when building the server for testing purposes. If network connectivity is not available and this is the first domain controller in a new forest, you can finish DCPROMO.exe by installing the Microsoft Loopback Adapter.


    DNS Configuration

A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. In my Windows 2000/2003 versions of the Active Directory installation tips I recommended manually installing and configuring DNS prior to running DCPROMO. However, in Windows Server 2008, when installing the FIRST Domain Controller in the Active Directory domain, I tend to recommend that you allow the DCPROMO wizard to automatically build the proper DNS services and configuration.

    Client Connections

When considering Internet connectivity, it is recommended (and in most cases this is the proper and most-used configuration) that the client computers connect to the Internet through a NAT device (i.e. a router that translates private IP addresses to one public one and allows connectivity through one ISP-assigned IP address). This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). In Small Office or Home Office (SOHO) scenarios, this can be achieved by using a second network adapter on the server connected to a hub. You can use NAT and Routing on the server to isolate the clients on the local network. The clients should point to the domain's INTERNAL DNS server, and NOT to the ISP's DNS server, to ensure proper DNS connectivity. The internal DNS server's forwarder will then allow the clients to resolve DNS names on the Internet.

    Do not use Single-Label domain names

As a general rule, Microsoft recommends that you register DNS domain names for internal and external namespaces with Internet authorities. This is true for Windows 2000/2003 and for Windows Server 2008. This includes the DNS names of Active Directory domains, unless such names are sub-domains of names that are registered by your organization; for example, "corp.example.com" is a sub-domain of "example.com". When you register DNS names with Internet authorities, it prevents possible name collisions should registration for the same DNS domain be requested by another organization, or if your organization merges with, acquires or is acquired by another organization that uses the same DNS names.

DNS names that don't include a period ("dot", ".") are said to be single-label (for example, com, net, org, bank, companyname) and cannot be registered on the Internet with most Internet authorities. An Active Directory domain with a single-label DNS name also needs extra registry configuration on every member before DNS registration and domain controller location work, which is why Microsoft advises against such names.

    Conclusion

    Now that you've read and made sure you meet all the above requirements, continue by reading

    my "Installing Active Directory on Windows Server 2008" article.


    Installing Active Directory on Windows

    Server 2008

    Microsoft Active Directory provides the structure to centralize the network

    management and store information about network resources across the entire

    domain. Active Directory uses Domain Controllers to keep this centralized storage

    available to network users. In order to configure a Windows Server 2008 machine to

    act as Domain Controller, several considerations and prerequisites should be taken

    into account, and several steps should be performed. In this article I will guide you

    through these prerequisites and steps of creating a new Windows Server 2008

    Domain Controller for a new Active Directory domain in a new forest.

    Considerations when Installing a new Windows Server 2008

    forest

When you install AD to create the first domain controller in a new Windows Server 2008 forest, you must keep the following considerations in mind:

You must make forest and domain functional level decisions that determine whether your forest and domain can contain domain controllers that run Windows 2000 Server, Windows Server 2003, or both. To read more about forest and domain functional levels please refer to the links below.

Domain controllers running the Microsoft Windows NT Server 4.0 operating system are NOT supported with Windows Server 2008.

Servers running Windows NT Server 4.0 are NOT supported by domain controllers that are running Windows Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to support older NT 4.0 servers.

The first Windows Server 2008 domain controller in a forest must be a global catalog server and it cannot be an RODC.

    Considerations when Installing a new Windows Server 2008

    domain in an existing Windows 2000/2003 forest

    When you install AD to create the first domain controller in a new Windows Server 2008

    domain, you must keep the following considerations in mind:

Before you create a new Windows Server 2008 domain in a Windows 2000/2003 forest, you must prepare the forest for Windows Server 2008 by extending the schema (that is, by running ADPREP /forestprep).

You must make domain functional level decisions that determine whether your domain can contain domain controllers that run Windows 2000 Server, Windows Server 2003, or both. To read more about forest and domain functional levels please refer to the links below.

I recommend that you host the PDC emulator operations master role in the forest root domain on a domain controller that runs Windows Server 2008. For more information, see my article about FSMO roles.

    General considerations

    Make sure you read and follow the requirements described in my "Active Directory on Windows

    Server 2008 Requirements" article.

    Windows Server 2008 ADPREP

Before you can introduce Windows Server 2008 domain controllers into existing Windows 2000 or Windows Server 2003 domains, you must prepare the forest and domains with the ADPREP utility. ADPREP.exe is a command-line tool that extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.

Note: ADPREP was also available in Windows Server 2003 and Windows Server 2003 R2. The Windows Server 2008 ADPREP follows the same logic and performs similar tasks as the versions that prepared a forest for Windows Server 2003 or Windows Server 2003 R2.

ADPREP.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder.

ADPREP must be run from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. (Windows 2000 and Windows Server 2003 DCs have no UAC, so there any command prompt opened by an administrator will do.)

    Where should I run ADPREP?

ADPREP /forestprep must be run on the Schema Master of a forest and under the credentials of someone in the Schema Admins and Enterprise Admins groups.

ADPREP /domainprep must be run on the Infrastructure Master of a domain and under the credentials of someone in the Domain Admins group.

Important: Since at the time of running ADPREP you still do not have any Windows Server 2008 Domain Controllers, it should be made clear that these commands MUST be run on EXISTING Windows 2000 or Windows Server 2003 Domain Controllers. That is why you MUST make sure you keep a copy of the 32-bit version of the Windows Server 2008 installation DVD. You cannot use the 64-bit version of the installation media to run ADPREP on 32-bit versions of Windows 2000/2003. Because Windows Server 2008 installation media is 64-bit by default, remember to request the 32-bit version when you get your copy. In case you don't have the 32-bit version available, you can also use the evaluation version of the Windows Server 2008 32-bit installation media to run ADPREP, so just download the file from Microsoft's website (http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx) and use it to run ADPREP on your 32-bit Windows 2000/2003 DCs.

    What does ADPREP do?

Before running ADPREP, all Windows 2000 Active Directory Domain Controllers in the forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

ADPREP /forestprep extends the schema with quite a few new classes and attributes. These new schema objects are necessary for the new features supported by Windows Server 2008. You can view the schema extensions by looking at the .ldf files in the \sources\adprep directory on the Windows Server 2008 DVD. These files contain LDIF entries for adding and modifying new and existing classes and attributes.

    ADPREP /domainprep creates new containers and objects, modifies ACLs on some objects,

    and changes the meaning of the Everyone security principal.

    Before you can run ADPREP /domainprep, you must be sure that the updates from /forestprep

    have replicated to all domain controllers in the forest.

You can view detailed output of the ADPREP command by looking at the log files in the %Systemroot%\system32\debug\adprep\logs directory. Each time ADPREP is executed, a new log file is generated that contains the actions taken during that particular invocation. The log files are named based on the time and date ADPREP was run.

Once you've run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can then start upgrading your domain controllers to Windows Server 2008 or installing new Windows Server 2008 domain controllers.

    Running ADPREP

In order to run ADPREP, insert the DVD media of Windows Server 2008 into the DVD drive of the appropriate Windows 2000/2003 DC, which, as noted above, should be the Schema Master of the forest.

Lamer note: You can use a network path or even copy the files locally to the server if you don't have a DVD drive on your DC.

If you're prompted to install Windows Server 2008, do NOT install it. Close the window instead.


Browse to the \sources\adprep directory.

Open a Command Prompt window (click Start > Run > CMD > Enter), and drag the ADPREP.exe file to the Command Prompt window.


    Lamer note: If you can't drag 'n drop, you can simply type the path duh

    In the Command Prompt window, type the following command:

    adprep /forestprep

In order to prevent accidental running of the command, you must press the "C" key on your keyboard, then press Enter. ADPREP will begin to load a bunch of LDIF files containing all the necessary changes to the existing AD and schema. The process will take a few moments.


    When done, you'll be prompted. Make sure you let the existing Domain Controllers replicate all

    the changes throughout the entire forest BEFORE proceeding to the next step.


    Next, go to the Infrastructure Master of each domain that you wish to upgrade and insert the

    DVD media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the

    Command Prompt window, and type:

    adprep /domainprep

    Unlike the /forestprep action which takes some time, the /domainprep action is almost

    instantaneous.

Note: The existing Windows 2000/2003 domain MUST be in native mode, as Windows NT 4.0 BDCs are not supported by Windows Server 2008 DCs. If that is not the case, you'll get this error:

    Adprep detected that the domain is not in native mode

    [Status/Consequence]

    Adprep has stopped without making changes.

    [User Action]

    Configure the domain to run in native mode and re-run domainprep

    Switch your domain to Native mode or above, then repeat the operation.


Again, make sure you let the existing Domain Controllers replicate all the changes throughout the domain BEFORE proceeding to the next step.


    Repeat the /domainprep action for each domain in the forest that requires new Windows Server

    2008 Domain Controllers.
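Everything this section (and the Windows Server 2003 ADPrep section earlier in the page) tells you to verify by hand before and after ADPREP can be checked in one place: which DCs hold the Schema Master and Infrastructure Master roles, whether your logon token actually carries the Schema Admins, Enterprise Admins and Domain Admins groups, whether the domain is in native mode, what the schema version is now, and, after /forestprep, whether every DC has received the new schema version before you go on to /domainprep. The script below is an added example, not code from the original article. It uses plain ADSI so it runs in Windows PowerShell 2.0 on the existing 2000/2003 DCs without the ActiveDirectory module, assumes LDAP access to every DC, and uses Microsoft's published schema objectVersion values (30 for Windows Server 2003, 31 for 2003 R2, 44 for Windows Server 2008) as the expected results. It covers the current domain only; repeat it in each domain you /domainprep.

```powershell
# Added example (not from the original article). Plain ADSI; no AD module needed.
# Assumptions: run as a domain user with LDAP access to all DCs; schema objectVersion
# 30 = Windows Server 2003, 31 = 2003 R2, 44 = Windows Server 2008 (Microsoft's values).
$SchemaVersions = @{ '2003' = 30; '2003 R2' = 31; '2008' = 44 }
$Target = '2008'                                  # which ADPREP you are about to run

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext

function Get-DcHostName([string]$ntdsSettingsDn) {
    # fSMORoleOwner (and every nTDSDSA object) is "CN=NTDS Settings,CN=<server>,..."; the
    # server object one level up carries the DC's DNS name.
    $serverDn = $ntdsSettingsDn -replace '^CN=NTDS Settings,', ''
    return [string]([ADSI]"LDAP://$serverDn").dNSHostName
}

function Get-SchemaVersion([string]$dc = '') {
    # objectVersion on the Schema NC head; ask a specific DC to see what it has replicated.
    $path = if ($dc) { "LDAP://$dc/$schemaNc" } else { "LDAP://$schemaNc" }
    return [int]([ADSI]$path).objectVersion.Value
}

function Get-AllDcs {
    # Every DC has an nTDSDSA object under its server object in the Sites container.
    $root = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=nTDSDSA)', [string[]]@('distinguishedName'))
    foreach ($r in $searcher.FindAll()) { Get-DcHostName ([string]$r.Properties['distinguishedname'][0]) }
}

# 1. Where to run what.
$schemaMaster = Get-DcHostName ([string]([ADSI]"LDAP://$schemaNc").fSMORoleOwner)
$infraMaster  = Get-DcHostName ([string]([ADSI]"LDAP://CN=Infrastructure,$domainNc").fSMORoleOwner)

# 2. Credentials: check the logon token by well-known RID (512/518/519), which is locale-safe.
#    A membership added after you logged on is not in the token yet; log off and on again.
$sids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
function Test-Rid([int]$rid) { [bool]($sids | Where-Object { $_ -match "-$rid`$" }) }

# 3. Domain mode: ADPREP /domainprep refuses mixed-mode domains (ntMixedDomain = 1).
$mixedMode = [int]([ADSI]"LDAP://$domainNc").ntMixedDomain.Value -eq 1

# 4. Schema version on every DC; after /forestprep this must match before /domainprep.
function Get-DcsBehindSchema([int]$expected) {
    foreach ($dc in Get-AllDcs) {
        try { $v = Get-SchemaVersion $dc } catch { $v = 'unreachable' }
        if ($v -ne $expected) { "$dc ($v)" }
    }
}

"Schema master (run /forestprep here):         $schemaMaster"
"Infrastructure master (run /domainprep here): $infraMaster"
"Token has Schema Admins: {0}, Enterprise Admins: {1}, Domain Admins: {2}" -f (Test-Rid 518), (Test-Rid 519), (Test-Rid 512)
"Domain in mixed mode (must be native for /domainprep): $mixedMode"
"Schema version now: $(Get-SchemaVersion)  (target for $Target is $($SchemaVersions[$Target]))"
$behind = @(Get-DcsBehindSchema $SchemaVersions[$Target])
if ($behind.Count -eq 0) { "Every DC reports schema version $($SchemaVersions[$Target]); safe to run /domainprep." }
else { "Not yet replicated to: $($behind -join ', '). Wait, or run 'repadmin /syncall /AdeP' on the schema master." }
```

Run it once before /forestprep (it tells you where to go and whether your token is good enough), and again afterwards until no DC is listed as behind; only then run /domainprep on the Infrastructure Master it named. A DC shown as "unreachable" is the usual sign of the replication or connectivity problem that would otherwise surface as a failed /domainprep.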

    Windows 2000 Domain Notes

When upgrading Windows 2000 domains, an additional command must be run before installing the first Windows Server 2008 DC.

    Go to the Infrastructure Master of each domain that you wish to upgrade and insert the DVD

    media of Windows Server 2008 into the DVD drive. Repeat the instructions to open the

    Command Prompt window, and type:

    adprep /domainprep /gpprep

This command performs similar updates as domainprep. However, this command also provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality. In Active Directory environments that run Microsoft Windows 2000, run this command during off-peak hours. This minimizes the replication traffic that is created in those environments by updates to file system permissions and Active Directory permissions on existing Group Policy objects (GPOs). This command is also available on Microsoft Windows Server 2003 with Service Pack 1 (SP1) or later.

    Windows 2003 Domain and first RODC Notes

In Windows Server 2008, a new Domain Controller installation option is available, called Read Only Domain Controller (RODC). I will not go into detail about RODCs in this article (search my site for more information about RODCs); however, in order to enable the installation of the first RODC in an existing Windows Server 2003 Active Directory forest, where you have already added at least one Windows Server 2008 regular DC, you must run the following command:

    adprep /rodcprep

This command updates permissions on application directory partitions to enable replication of the partitions to RODCs. This operation runs remotely; it contacts the infrastructure master in each domain to update the permissions. You need to run this command only once in the forest. You can run this command on any computer in the forest. You must be a member of the Enterprise Admins group to run this command.

You are now ready to introduce your first Windows Server 2008 Domain Controller. Read my "Installing Active Directory on Windows Server 2008" article for more information on that.
