What Do You Need to Install Active Directory?
The process of installing an Active Directory domain is quite simple, but if you don’t know your basics you might stumble across a few pitfalls. For additional information about any of the information in this article, refer to the Windows 2000 online Help and the Microsoft Windows 2000 Server Deployment Planning Guide
Chapter 9 of the deployment guide describes the design of the Active Directory structure, which is essential to a successful Windows 2000 Active Directory deployment
By the way, you can download all the guide right HERE (3.91mb)
What do we need in order to successfully install Active Directory on a Windows 2000 or Windows Server 2003 server?
Here is a quick list of what you must have:
- An NTFS partition with enough free space
- An Administrator’s username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A Domain name that you want to use
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)
- Brains (recommended, not required…)
An NTFS Partition
To successfully install AD you must have at least one NTFS formatted partition, preferably the partition Windows is installed on (This is NOT true when you have performance issues on your mind. You will then install the AD db on another different fast physical disk, but that’s another topic). To convert a partition (C:) to NTFS type the following command in the command prompt window:
The NTFS partition is required for the SYSVOL folder.
Free space on your disk
You need at least 250mb of free space on the partition you plan to install AD on. Of course you’ll need more than that if you plan to create more users, groups and various AD objects.
Local Administrator’s username and password
Only a local Administrator (or equivalent) can install the first domain and thus create the new forest.
If you plan to create another Domain Controller for an existing domain – then you must have Domain Admin right in the domain you’re planning to join.
If you want to create a child domain under an existing domain, or another tree in an existing forest – you must have Enterprise Admin rights.
Windows 2000 Server (or Advanced Server or Data Center Server), or Windows Server 2003 (or Enterprise Server or Data Center)
Duh… you cannot install AD on a Professional computer.
You need a dedicated IP address to install Active Directory. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.
The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.
To configure your IP configuration, use the following steps:
- Right-click My Network Places, and then click Properties.
- Right-click Local Area Connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Make sure you have a static and dedicated IP address. If you don’t need Internet connectivity through this specific NIC you can use a Private IP range such as 192.168.0.0 with a Subnet Mask of 255.255.255.0.
- Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:
- Configure the DNS server addresses to point to the DNS server. This should be the computer’s own IP address if it is the first server or if you are not going to configure a dedicated DNS server.
- If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.
- Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.
- Make sure that the Register this connection’s addresses in DNS check box is selected.
Active Network Connection Required During Installation
The installation of Active Directory requires an active network connection. When you attempt to use Dcpromo.exe to promote a Windows 2000 Server-based computer to a domain controller, you may receive the following error message:
Active Directory Installation Failed
The operation failed with the following error
The network location cannot be reached. For further information about network troubleshooting, see Windows Help.
This problem can occur if the network cable is not plugged into a hub or other network device.
(Sample of a disconnected or un-plugged network cable)
(Screenshot of a connected NIC)
To resolve this problem, plug the network cable into a hub or other network device. If network connectivity is not available and this is the first domain controller in a new forest, you can finish Dcpromo.exe by installing Microsoft Loopback Adapter.
The Microsoft Loopback adapter is a tool for testing in a virtual network environment where access to a network is not feasible. Also, the Loopback adapter is essential if there are conflicts with a network adapter or a network adapter driver. Network clients, protocols, and so on, can be bound to the Loopback adapter, and the network adapter driver or network adapter can be installed at a later time while retaining the network configuration information. The Loopback adapter can also be installed during the unattended installation process. To manually install:
- Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Hardware.
- Click Add/Troubleshoot a device, and then click Next.
- Click Add a new device, and then click Next.
- Click No, I want to select the hardware from a list, and then click Next.
- Click Network adapters, and then click Next.
- In the Manufacturers box, click Microsoft.
- In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
- Click Finish.
After the adapter is installed successfully, you can configure its options manually, as with any other adapter. Note that if the TCP/IP properties are configured to use DHCP (the default), the adapter will eventually use an autonet APIPA address (169.254.x.x/16) because it is not actually connected to any physical media.
“Always On” Internet Connection (recommended)
An “always on” connection (for example, a cable modem or digital subscriber line [DSL] line) is recommended (but not required) to enable clients to obtain Internet access. If you do not use an “always on” connection, you must configure a demand-dial interface using Network Address Translation (NAT) for clients to access the Internet.
This is really not a requirement for AD, but if you later want to install and configure Exchange 2000 or other Internet-aware applications or services you’ll need an Internet connection.
A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. Read Create a New DNS Server for AD for more info.
You need to keep in mind the following DNS configuration issues when you install Active Directory on a home network: Root Zone entries and DNS Forwarders.
Root zone entries
External DNS queries to the Internet do not work if a root zone entry exists on the DNS server. To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the DNS Manager forward lookup zones. To check for the existence of the root zone entry, open the forward lookup zones in the DNS Management console. You should see the entry for the domain. If the “dot” zone exists, delete it. For additional information about the root zone entry, see 260371.
You can also read my No Forwarding or Root Hints on DNS server? tip.
DNS forwarders (recommended)
If you plan to have full Internet connectivity then DNS forwarders are necessary to ensure that all DNS entries are correctly sent to your Internet service provider’s DNS server and that computers on your network will be able to resole Internet addresses correctly. You can only configure DNS forwarders if no root zone entry is present.
To configure forwarders on the DNS server:
- Start the DNS Management console.
- Right-click the name of the server, and then click Properties.
- On the Forwarders tab, click to select the Enable Forwarders check box.
- Type the appropriate IP addresses for the DNS servers that may be accepting forwarded requests from this DNS server. The list reads top-down in order, so place a preferred DNS server at the top of the list.
- It is recommended that you have all the Root Hints (Top Level DNS server) listed in the Root Hints tab.
- If not, copy the Cache.dns file from the %systemroot%\system32\dns\samples folder to the %systemroot%\system32\dns\ folder and restart the DNS service.
- Click OK to accept the changes.
When you have a scenario in which clients on the LAN connect directly to the Internet and not through a NAT device, the clients should connect to the Active Directory domain controller using an internal network on a second network adapter. This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or ICS to isolate the clients on the local network. The clients should point to the domain’s DNS server to ensure proper DNS connectivity. The DNS server’s forwarder will then allow the clients to access DNS addresses on the Internet.
Do not use ICS (recommended)
Use NAT instead. ICS (Internet Connection Sharing) will break down all the DHCP and DNS functionality on your LAN. Try to avoid ICS at all costs. If you must, make the Domain Controller itself the ICS server, and let all clients obtain their IP configuration automatically. This of course is not a good security decision, because you will expose your Domain Controller to potential Internet threats. Again, and I cannot stress this more, avoid ICS on your corporate LAN and use NAT instead.
NetBIOS Over TCP/IP
A common security consideration with an active connection to the Internet is the restriction of NetBIOS connections on the network adapter that is directly connected to the Internet. If clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the external network adapter, and prevent any attempts of unauthorized NetBIOS access by outside sources.
To disable NetBIOS on the NIC that is connected to the Internet, use the following steps:
- Right-click My Network Places, and then click Properties.
- Right-click the icon of the NIC that is connected to the Internet, and then click Properties.
- Un-check the File and Print Sharing for Microsoft Networks check box.
- Click TCP/IP and then Properties.
- Click Advanced and go to the WINS tab.
- Select the Disable NetBIOS Over TCP/IP radio box.
- Click Ok all the way out.
Do not use Single-Label domain names
As a general rule, Microsoft recommends that you register DNS domain names for internal and external namespaces with Internet authorities. This includes the DNS names of Active Directory domains, unless such names are sub-domains of names that are registered by your organization name, for example, “corp.example.com” is a sub-domain of “example.com”. When you register DNS names with Internet authorities, it prevents possible name collisions should registration for the same DNS domain be requested by another organization, or if your organization merges, acquires or is acquired by another organization that uses the same DNS names.
DNS names that don’t include a period (“dot”, “.”) are said to be single-label (for example, com, net, org, bank, companyname) and cannot be registered on the Internet with most Internet authorities.
Windows 2000 Deployment Planning Guide
Download the Deployment Planning Guide (Complete, 3.91mb)
Troubleshooting Common Active Directory Setup Issues in Windows 2000 – 260371
Setting Up the Domain Name System for Active Directory – 237675
Information About Configuring Windows 2000 for Domains with Single-Label DNS Names – 300684
More in Active Directory
Microsoft Rolls Out Azure AD Verifiable Credentials Service to More Customers
May 11, 2022 | Rabia Noureen
Active Directory vs. Azure AD (and Other Identity Providers)
May 9, 2022 | Michael Taschler
Apple Finally Discontinues Support for macOS Server App
Apr 25, 2022 | Rabia Noureen
Microsoft Issues New Guidance on Securing Domain Controllers
Apr 15, 2022 | Rabia Noureen
Best Practices for Installing Active Directory Domain Controllers in a Virtual Machine
Apr 15, 2022 | Michael Taschler
Microsoft Details Efforts to Fight Russian Cyber Attacks Targeting Ukraine
Apr 8, 2022 | Rabia Noureen
Most popular on petri