Last Update: Sep 17, 2024 | Published: Jan 06, 2009
The process of installing an Active Directory domain is quite simple, but if you don’t know your basics you might stumble across a few pitfalls. For additional information about any of the topics in this article, refer to the Windows 2000 online Help and the Microsoft Windows 2000 Server Deployment Planning Guide.
Chapter 9 of the deployment guide describes the design of the Active Directory structure, which is essential to a successful Windows 2000 Active Directory deployment.
By the way, you can download the whole guide right HERE (3.91 MB).
What do we need in order to successfully install Active Directory on a Windows 2000 or Windows Server 2003 server?
Here is a quick list of what you must have:
After you have all the above go ahead and read How to Install Active Directory on Windows 2000 and How to Install Active Directory on Windows 2003.
To successfully install AD you must have at least one NTFS formatted partition, preferably the partition Windows is installed on (this is NOT true when you have performance in mind; in that case you will install the AD database on a different, fast physical disk, but that’s another topic). To convert a partition (C:) to NTFS, type the following command in the command prompt window:
convert c: /fs:ntfs
The NTFS partition is required for the SYSVOL folder.
You need at least 250 MB of free space on the partition you plan to install AD on. Of course you’ll need more than that if you plan to create many users, groups and other AD objects.
Only a local Administrator (or equivalent) can install the first domain and thus create the new forest.
If you plan to create another Domain Controller for an existing domain – then you must have Domain Admin rights in the domain you’re planning to join.
If you want to create a child domain under an existing domain, or another tree in an existing forest – you must have Enterprise Admin rights.
Duh… you cannot install AD on a Professional computer.
You need a dedicated IP address to install Active Directory. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.
The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.
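The disk, edition and IP requirements above can all be verified before Dcpromo is started. The following script is an added example and is not part of the original article; it assumes Windows PowerShell with WMI access, that the AD database will go on the system drive (C:), and that every IP-enabled adapter on the server should carry a static address whose DNS list includes one of the server’s own addresses.

```powershell
# Added example (not from the original article): pre-dcpromo checks for the
# requirements listed above. Assumes Windows PowerShell with WMI access and
# that the AD database will go on the system drive (C:).
param(
    [string]$AdDrive = 'C:',
    [int]$MinFreeMB = 250
)

$problems = @()

# 1. The target partition must be NTFS (SYSVOL lives there) and have at least
#    250 MB free.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$AdDrive'"
if ($disk.FileSystem -ne 'NTFS') {
    $problems += "$AdDrive is $($disk.FileSystem), not NTFS. Run: convert $AdDrive /fs:ntfs"
}
$freeMB = [math]::Round($disk.FreeSpace / 1MB)
if ($freeMB -lt $MinFreeMB) {
    $problems += "$AdDrive has only $freeMB MB free; at least $MinFreeMB MB is required"
}

# 2. A domain controller cannot run a Professional/workstation edition.
#    Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$os = Get-WmiObject Win32_OperatingSystem
if ($os.ProductType -eq 1) {
    $problems += "$($os.Caption) is a workstation edition; AD needs a server edition"
}

# 3. Every IP-enabled adapter should use a static (non-DHCP) address, should not
#    have fallen back to an APIPA address, and its DNS server list should include
#    one of this machine's own addresses.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
$ownAddresses = $nics | ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }

foreach ($nic in $nics) {
    if ($nic.DHCPEnabled) {
        $problems += "$($nic.Description): address is DHCP-assigned; assign a static IP before running dcpromo"
    }
    if ($nic.IPAddress -match '^169\.254\.') {
        $problems += "$($nic.Description): has an APIPA (169.254.x.x) address, so the link or DHCP is not working"
    }
    $dnsList = @($nic.DNSServerSearchOrder)
    $pointsToSelf = $ownAddresses | Where-Object { $dnsList -contains $_ }
    if (-not $pointsToSelf) {
        $problems += "$($nic.Description): DNS servers ($($dnsList -join ', ')) do not include this host's own address"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "All pre-installation checks passed; dcpromo can be started."
} else {
    Write-Host "Fix the following before running dcpromo:"
    $problems | ForEach-Object { Write-Host " - $_" }
}
```

Run it from an elevated prompt on the server you intend to promote; each reported problem maps to one of the requirements above, so an empty report means the NTFS, free space, edition and IP/DNS requirements are satisfied, not that Dcpromo will necessarily succeed (admin rights and DNS SRV support are checked separately).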
To configure your IP configuration, use the following steps:
The installation of Active Directory requires an active network connection. When you attempt to use Dcpromo.exe to promote a Windows 2000 Server-based computer to a domain controller, you may receive the following error message:
Active Directory Installation Failed
The operation failed with the following error
The network location cannot be reached. For further information about network troubleshooting, see Windows Help.
This problem can occur if the network cable is not plugged into a hub or other network device.
(Sample of a disconnected or un-plugged network cable)
(Screenshot of a connected NIC)
To resolve this problem, plug the network cable into a hub or other network device. If network connectivity is not available and this is the first domain controller in a new forest, you can finish Dcpromo.exe by installing the Microsoft Loopback Adapter.
The Microsoft Loopback adapter is a tool for testing in a virtual network environment where access to a network is not feasible. Also, the Loopback adapter is essential if there are conflicts with a network adapter or a network adapter driver. Network clients, protocols, and so on, can be bound to the Loopback adapter, and the network adapter driver or network adapter can be installed at a later time while retaining the network configuration information. The Loopback adapter can also be installed during the unattended installation process. To manually install:
After the adapter is installed successfully, you can configure its options manually, as with any other adapter. Note that if the TCP/IP properties are configured to use DHCP (the default), the adapter will eventually use an autonet APIPA address (169.254.x.x/16) because it is not actually connected to any physical media.
An “always on” connection (for example, a cable modem or digital subscriber line [DSL] line) is recommended (but not required) to enable clients to obtain Internet access. If you do not use an “always on” connection, you must configure a demand-dial interface using Network Address Translation (NAT) for clients to access the Internet.
This is really not a requirement for AD, but if you later want to install and configure Exchange 2000 or other Internet-aware applications or services you’ll need an Internet connection.
A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. Read Create a New DNS Server for AD for more info.
You need to keep in mind the following DNS configuration issues when you install Active Directory on a home network: Root Zone entries and DNS Forwarders.
External DNS queries to the Internet do not work if a root zone entry exists on the DNS server. To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the DNS Manager forward lookup zones. To check for the existence of the root zone entry, open the forward lookup zones in the DNS Management console. You should see the entry for the domain. If the “dot” zone exists, delete it. For additional information about the root zone entry, see 260371.
You can also read my No Forwarding or Root Hints on DNS server? tip.
If you plan to have full Internet connectivity then DNS forwarders are necessary to ensure that all DNS queries for external names are correctly sent to your Internet service provider’s DNS server and that computers on your network will be able to resolve Internet addresses correctly. You can only configure DNS forwarders if no root zone entry is present.
To configure forwarders on the DNS server:
You can also read Configure DNS Forwarding on Windows 2000.
For additional information about DNS issues go to 237675.
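The three DNS checks described above (no root zone, forwarders configured, SRV records registered) can be scripted against the local DNS server. This script is an added example, not part of the original article; it assumes the DNS server runs on the machine where it is executed, that dnscmd.exe is available (Windows 2000 Support Tools, or built into Windows Server 2003), and that the domain name and forwarder address are placeholders to replace with your own.

```powershell
# Added example (not from the original article): DNS checks for an AD domain.
# Assumes a local DNS server and dnscmd.exe. The domain name and the ISP DNS
# address are placeholders (192.0.2.0/24 is a documentation range).
param(
    [string]$DomainName = 'corp.example.com',      # placeholder AD domain
    [string[]]$IspDnsServers = @('192.0.2.53')     # placeholder forwarder address(es)
)

# 1. A root (".") zone makes the server believe it is authoritative for the whole
#    Internet, so external lookups fail and forwarders cannot be configured.
#    "dnscmd /EnumZones" lists one zone per line with the zone name first.
$zones = dnscmd /EnumZones
$rootZoneLines = @($zones | Where-Object { $_ -match '^\s*\.\s' })
if ($rootZoneLines.Count -gt 0) {
    Write-Host 'Root zone "." found. Deleting it so forwarders can be used.'
    dnscmd /ZoneDelete . /f
} else {
    Write-Host 'No root zone present.'
}

# 2. Forwarders send queries for names the server is not authoritative for to the
#    ISP's DNS servers.
dnscmd /ResetForwarders $IspDnsServers

# 3. After dcpromo, the domain controller must have registered its SRV records.
#    The LDAP record under _msdcs is the one clients use to locate a DC.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainName" 2>&1
$answers = @($srv | Where-Object { "$_" -match 'svr hostname' })
if ($answers.Count -gt 0) {
    Write-Host "SRV records for $DomainName are registered:"
    $answers | ForEach-Object { Write-Host " $_" }
} else {
    Write-Host "No SRV records for $DomainName. Check that the zone allows dynamic updates, then run: ipconfig /registerdns"
}
```

Run it once before Dcpromo (steps 1 and 2 must be in place so the new domain controller can reach the Internet) and again afterwards, when step 3 confirms that the SRV records clients depend on have actually been written to the zone.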
When you have a scenario in which clients on the LAN connect directly to the Internet and not through a NAT device, the clients should connect to the Active Directory domain controller using an internal network on a second network adapter. This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or ICS to isolate the clients on the local network. The clients should point to the domain’s DNS server to ensure proper DNS connectivity. The DNS server’s forwarder will then allow the clients to access DNS addresses on the Internet.
Use NAT instead. ICS (Internet Connection Sharing) will break down all the DHCP and DNS functionality on your LAN. Try to avoid ICS at all costs. If you must, make the Domain Controller itself the ICS server, and let all clients obtain their IP configuration automatically. This of course is not a good security decision, because you will expose your Domain Controller to potential Internet threats. Again, and I cannot stress this more, avoid ICS on your corporate LAN and use NAT instead.
A common security consideration with an active connection to the Internet is the restriction of NetBIOS connections on the network adapter that is directly connected to the Internet. If clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the external network adapter, and prevent any attempts of unauthorized NetBIOS access by outside sources.
To disable NetBIOS on the NIC that is connected to the Internet, use the following steps:
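The same change can be made, and verified on every adapter first, with the WMI method that the Advanced TCP/IP Settings dialog calls. This script is an added example and not part of the original article; it assumes Windows PowerShell with WMI access and uses a placeholder substring to identify the Internet-facing adapter by its description.

```powershell
# Added example (not from the original article): disable NetBIOS over TCP/IP on
# the Internet-facing adapter only, leaving the internal adapter untouched.
# Assumes Windows PowerShell with WMI access; the description below is a
# placeholder substring matching your external NIC's name.
param(
    [string]$ExternalNicDescription = 'External'
)

# Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions:
#   0 = use the DHCP server's setting, 1 = enabled, 2 = disabled
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"

Write-Host "NetBIOS over TCP/IP status per adapter:"
foreach ($nic in $nics) {
    $state = switch ($nic.TcpipNetbiosOptions) {
        0 { 'default (DHCP)' }
        1 { 'enabled' }
        2 { 'disabled' }
    }
    Write-Host (" {0,-45} {1,-18} {2}" -f $nic.Description, ($nic.IPAddress -join ','), $state)
}

$external = @($nics | Where-Object { $_.Description -like "*$ExternalNicDescription*" })
if ($external.Count -eq 0) {
    Write-Host "No adapter matching '$ExternalNicDescription' found; nothing changed."
    return
}

foreach ($nic in $external) {
    if ($nic.TcpipNetbiosOptions -eq 2) {
        Write-Host "$($nic.Description): NetBIOS over TCP/IP already disabled."
        continue
    }
    # SetTcpipNetbios returns 0 on success and 1 when a reboot is required.
    $result = $nic.SetTcpipNetbios(2)
    if ($result.ReturnValue -eq 0 -or $result.ReturnValue -eq 1) {
        Write-Host "$($nic.Description): NetBIOS over TCP/IP disabled (return code $($result.ReturnValue))."
    } else {
        Write-Host "$($nic.Description): SetTcpipNetbios failed with code $($result.ReturnValue)."
    }
}
```

Before running it, check the status table it prints so that the description filter matches only the external adapter; disabling NetBIOS on the internal adapter would break name resolution for the older clients and browser service the article expects to keep using it.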
As a general rule, Microsoft recommends that you register DNS domain names for internal and external namespaces with Internet authorities. This includes the DNS names of Active Directory domains, unless such names are sub-domains of names that are registered by your organization name, for example, “corp.example.com” is a sub-domain of “example.com”. When you register DNS names with Internet authorities, it prevents possible name collisions should registration for the same DNS domain be requested by another organization, or if your organization merges, acquires or is acquired by another organization that uses the same DNS names.
DNS names that don’t include a period (“dot”, “.”) are said to be single-label (for example, com, net, org, bank, companyname) and cannot be registered on the Internet with most Internet authorities.
Windows 2000 Deployment Planning Guide
Download the Deployment Planning Guide (Complete, 3.91mb)
Troubleshooting Common Active Directory Setup Issues in Windows 2000 – 260371
Setting Up the Domain Name System for Active Directory – 237675
Information About Configuring Windows 2000 for Domains with Single-Label DNS Names – 300684