Installing Domain Controllers

Active Directory can only be installed on an existing Windows 2000/.NET Server. Active Directory installation is a process independent from installing/upgrading the operating system itself. Moreover, you can demote a domain controller (or uninstall Active Directory) to a member (or standalone) server (and promote it again if you wish). The Active Directory Installation Wizard is used in both operations. This behavior differs principally from the Windows NT 4.0 "rules", where the role of a server (member server, Primary Domain Controller (PDC), or Backup Domain Controller (BDC)) is specified during installation, and typically cannot be changed without full system re-installation.

Therefore, you can create an Active Directory domain controller (DC) in the following ways:

• Start the Active Directory Installation Wizard on a Windows 2000/.NET Server (standalone or member server) that has already been installed. The DCpromo.exe utility is used in such cases. You can work with it either interactively or in unattended mode (discussed later in this chapter). The result will be a DC in a new domain or an additional DC in an existing domain.

• Upgrade a Windows NT 4.0-based domain controller (PDC or BDC). You can also upgrade a Windows 2000-based DC to Windows .NET. The DCpromo.exe utility will start automatically after the upgrade to Windows 2000/.NET Server has been completed and the computer has been rebooted.

  • A Windows NT 4.0 PDC can only be upgraded to a DC in a new domain.

  • A Windows NT 4.0 BDC can be upgraded to an additional DC in an existing domain, or to a member server (if one chooses not to install Active Directory).

Upgrading from a Windows NT/2000 Domain

We will not discuss this topic in detail, since all the necessary information pertaining to it can be found quite easily in the Help and Support Center. Let us note the most important aspects only.

To upgrade a Windows NT domain to Windows 2000/.NET, you must upgrade the Primary Domain Controller (PDC) first. This ensures that you will keep all existing users and groups. If the DNS service was not used in the Windows NT environment, you must plan a DNS namespace and install a DNS server (of any type). It is also possible to use a legacy DNS with the Windows 2000/.NET DNS Server (see an example in Chapter 4, "Windows .NET DNS Server"). Provide a recovery plan in case of an unsuccessful upgrade.

To upgrade a Windows 2000 domain to Windows .NET, or to install a Windows .NET-based domain controller within a Windows 2000 domain, you must upgrade the schema first, or in other words, prepare the forest and domains.

At first, you need to prepare the forest with the adprep /forestprep command that should be run on the Schema Master. All changes must be replicated within the forest. If the command has run without errors, continue the procedure.

During your second step, you will need to prepare each domain with the adprep /domainprep command that should be run on the Infrastructure Masters separately.

You may also consider migrating Windows NT or Windows 2000 domains to a pristine Active Directory domain by using such tools as Active Directory Migration Tool (ADMT) and ClonePrincipal (see Chapter 13, "Migration and Directory Reorganization Tools").

Adding Windows 2000 Domain Controllers to a Windows .NET Domain

You can promote a Windows 2000 server to be a domain controller in a Windows .NET domain running at the Windows 2000 mixed or Windows 2000 native functional levels only. Keep in mind that in this case, the new Windows 2000 DC will support the Windows .NET schema version (26 or higher) rather than the schema version 13 designated for pure Windows 2000 domains.

If you try to add a Windows 2000 DC to a Wndows .NET (version 2002) level domain, or to create a Windows 2000 domain within a Windows .NET (version 2002) level forest, the Active Directory installation will fail. The system reports "An error with no description has occurred" in the former case, or "Indicates two revision levels are incompatible" in the latter.

Adding Windows .NET Domain Controllers to a Windows 2000 Domain

A Windows .NET server can be promoted to be a domain controller only in a forest (domain) that supports the Windows .NET schema version. You can upgrade the schema by using the adprep /forest and adprep /domain commands, and create a Windows .NET domain controller; however in such a case, one should speak about a Windows .NET forest (running at the Windows 2000 mixed functional level) rather than a pure Windows 2000 forest (domain).

Note

See also the section entitled "Adding a Windows NT 4.0 BDC to a Windows 2000/.NET Domain."

Requirements and Restrictions

The Active Directory can be installed only if several critical conditions are met. The Active Directory Installation Wizard (DCpromo.exe) will check different parameters depending on the type of DC that is being created. Among these conditions are the following:

• Active Directory can be installed only on a NTFS 5.0 formatted disk partition.

• This partition must have at least 250 MB of free space. (This does not mean that all that space will be employed at once; the default size of the Active Directory database including the log files is about 40 Mbytes. However, the system must have reserved space for normal work.)

• If the server is a standalone computer, only a user that is a member of the local Administrators group can start DCpromo.exe. If the server is a member of a domain, members of the Domain Admins and Enterprise Admins groups can also initiate promotion.

  Important

  Remember that you cannot add a Windows NT 4.0 BDC to a native mode Windows 2000 domain or create a Windows 2000-based domain controller in a Windows .NET domain running at the Windows .NET (version 2002) domain functional level. It is also not possible to create a Windows 2000 domain in a Windows .NET forest running at the Windows .NET (version 2002) forest functional level (see details in Chapter 2, "Active Directory Terminology and Concepts"). If you create a new Windows .NET domain in a forest running at the Windows .NET (version 2002) forest functional level, the domain functional level of the new domain will automatically be raised to the same level.

• When a new DC is created in an existing forest, any user that is not logged on as a domain or enterprise administrator must provide sufficient credentials (a pre-Windows 2000 logon name and a password; names in UPN form, e.g., admin@net.dom, are not acceptable):

  • Only members of the Enterprise Admins group can create new domains (child domains or new trees). It is possible to have a pre-created new domain in the forest (see the description of NTDSutil.exe in Chapter 10, "Diagnosing and Maintaining Domain Controllers").

  • The members of the Domain Admins and the Enterprise Admins groups are permitted to add a DC to an existing domain. The privileges to join a computer to the domain and create the appropriate replication objects can also be given to some user accounts.

• TCP/IP protocol must be installed and configured on the computer. Typically, domain controllers have static IP addresses (however, conceptually this does not necessarily have to be the case).

  Important

  It is possible to safely change the IP address of a domain controller and then re-register all SRV records (see the previous chapter). Sometimes, this change can affect directory replication, since the controller's replication partners have to learn the new IP address. However, this is not a crucial issue. Remember also that the caching of DNS requests on the preferred DNS server and clients can prevent the new address from "propagating" in a moment.

• The computer should have the primary DNS suffix (see the previous chapter). This is a critical requirement if the computer is also going to act as a DNS server. For an ordinary domain controller, the Change primary DNS suffix when domain membership changes checkbox must at least be set. The suffix will be properly set if the computer is a member of a domain, and you need not change anything.

• An already deployed DNS service must be available. If a legacy or third party DNS server is used, it should meet the Active Directory requirements and be properly configured. If the promoted server is the first DC and there is no DNS server in the network, you must allow the Active Directory Installation Wizard to install and configure the Windows DNS server.

  Important

  If you create the first DC and enable the DNS installation and configuration on the same computer, you must assign an applicable IP address (e.g., 192.168.1.1) to the computer and specify that address as the preferred DNS server address. The Active Directory Installation Wizard will not do this itself, and as a result, the new domain (forest) will not be operational!

  Note

  A reverse DNS zone is not required for Active Directory. Nevertheless, it is recommended that you configure one for the other applications that use it.

• The server NetBIOS name must be unique in the domain. The NetBIOS (pre-Windows 2000) name of new domain must be unique in the forest.

• If a child domain (or a new tree) is created, the parent and forest root domains must exist and be accessible. This means that you cannot create a child domain — e.g., subdom.net.dom — if the net.dom domain does not exist.

• Without going into detail and in order to considerably simplify the situation, it is possible to say that all FSMO masters should be available for starting and successfully completing server promotion. Otherwise, you should always know and remember which FSMO masters are required for each specific type of domain controller created (an additional DC, a new tree, and so on).

Note

By default, all domain controllers will be created in the Domain Controllers OU in the domain partition.

Note

The computer SID remains the same after the Active Directory installation or removal.

Note

Let us suppose a server was previously a domain controller and has been demoted, and that you wish to install the Active Directory on to it again. It may be useful to make sure that the folders where the Active Directory files (the database and logs) were stored have been deleted (by default, the %SystemRoot%\NTDS folder is used). Moreover, if the Distributed File System (DFS) is not used on this computer, stop the File Replication Service by using the net stop ntfrs command and delete the contents of the %SystemRoot%\ntfrs\jet folder. Then restart the service: net start ntfrs.

Important

During one of the preliminary steps, the Active Directory Installation Wizard asks for your "Directory Services Restore Mode Administrator Password". This password is only used in the logon process after you have pressed the <F8> key in the boot menu and selected the Directory Services Restore Mode. The password is not used often, so try not to forget it (this does happen!).

Verifying DNS Configuration

DNS testing is one of the most important steps in preparing a server for promotion. Any undetected errors in DNS configuration may result in an inoperable domain controller. The following DNS related faults are possible:

• The computer has no settings for the preferred DNS server.

• The specified DNS server does not host the specified authoritative zone (domain name).

• The authoritative zone exists, but is not updatable.

Microsoft has done a great job in extending the initial functionality of the DCdiag and NetDiag utilities from the Support Tools to allow an administrator to verify the DNS configuration in a few seconds. (For a Windows 2000 environment, you can download updated versions from the Microsoft website. For additional information on these tools, see Chapter 10, "Diagnosing and Maintaining Domain Controllers" and Chapter 11, "Verifying Network and Distributed Services.")

A further step has been taken in the Windows .NET Server family: the Active Directory Installation Wizard diagnoses DNS-related and forest configuration issues and stops server promotion if any problems exist. Nevertheless, you can use the DCdiag and NetDiag utilities on computers running Windows .NET, too.

Important

All tests described below verify DNS only; connectivity with existing domain controllers is not checked. The Active Directory Installation Wizard verifies both DNS and connectivity (including authentication) issues.

If a preferred DNS server's IP address is not specified on the tested computer in the TCP/IP Properties window, the dcdiag /test:DcPromo or dcdiag /test:RegisterInDNS command outputs a message with the error 9852, which means "No DNS servers configured for local system."

The following command reports that you can safely create an additional domain controller in an existing Windows 2000 or Windows .NET domain (net.dom in this example):

    C:\>dcdiag /test:DcPromo /DnsDomain:net.dom /ReplicaDC       Starting test: DcPromo          The DNS configuration is sufficient to allow this computer to be          promoted as a replica domain controller in the net.dom domain.    ...       DNS configuration is sufficient to allow this domain controller to       dynamically register the domain controller Locator records in DNS.       The DNS configuration is sufficient to allow this computer to       dynamically register the A record corresponding to its DNS name.       ......................... netdc4 passed test DcPromo 

In such a case, you can begin to promote the server. (For compactness, some lines are skipped in this output. When the Windows 2000 version of the tool is used, all tests executed (both successful and failed) end with the same "passed test" line. The Windows .NET version reports results more correctly.)

The following output indicates that the authoritative zone (w2000.dom) exists, but there are no SRV records registered by the existing domain controller(s):

    C:\> dcdiag /test:DcPromo /DnsDomain:w2000.dom /ReplicaDC       Starting test: DcPromo          This computer cannot be promoted as a domain controller of the          w2000.dom domain. This is because either the DNS SRV record for          _ldap._tcp.dc._msdcs.w2000.dom is not registered in DNS, or some          zone from the following list of DNS zones doesn't include          delegation to its child zone: w2000.dom, dom and the root zone.          Ask your network/DNS administrator to perform the following          actions: To find out why the SRV record for          _ldap._tcp.dc._msdcs.w2000.dom is not registered in DNS, run the          dcdiag command prompt tool with the command RegisterInDNS on the          domain controller that did not perform the registration.    ...          DNS configuration is sufficient to allow this domain controller to          dynamically register the domain controller Locator records in DNS.          The DNS configuration is sufficient to allow this computer to          dynamically register the A record corresponding to its DNS name.          ......................... netdc4 failed test DcPromo 

This might be a serious problem: the existing DC for the specified domain could be promoted incorrectly. You should verify the DNS configuration and make the DC re-register all its SRV records. Then run DCdiag on that DC.

In all cases when updating of an authoritative zone is not enabled on the DNS server (or the server does not support dynamic updates), the command output will be similar to the following:

    C:\>dcdiag /test:DcPromo /DnsDomain:dotnet.dom /ReplicaDC       Starting test: DcPromo          The DNS configuration is sufficient to allow this computer to be          promoted as a replica domain controller in the dotnet.dom domain.          Messages logged below this line indicate whether this domain          controller will be able to dynamically register DNS records          required for the location of this DC by other devices on the          network. If any misconfiguration is detected, it might prevent          dynamic DNS registration of some records, but does not prevent          successful completion of the Active Directory Installation Wizard.          However, we recommend fixing the reported problems now, unless you          plan to manually update the DNS database.          This domain controller cannot register domain controller Locator          DNS records. This is because either the DNS server with IP address          192.168.1.2 does not support dynamic updates or the zone          dotnet.dom is configured to prevent dynamic updates.    ...          ............. netdc4 failed test DcPromo 

Detailed instructions on configuring the DNS server are also displayed. You must follow them. To check whether a zone is updatable, it is also possible to use the command

    dcdiag /test:RegisterInDNS /DnsDomain:dotnet.dom 

which produces a similar output.

Other parameters of the dcdiag /test:DcPromo command allow you to test whether you can create a child domain, new tree, or new forest in the current domain structure. The command's messages are clear, and it is not necessary to place them all here.

If the preferred DNS server is specified incorrectly or not accessible, or if the authoritative zone did not configure on the server, the following command will discover the problem and instruct you on what to do:

    C:\>dcdiag /test:RegisterInDNS /DnsDomain: net2.dom       Starting test: RegisterInDNS          Please verify that the network connections of this computer are          configured with correct IP addresses of the DNS servers to be used          for name resolution. If the DNS resolver is configured with its          own IP address and the DNS server is not running locally, the          DcPromo will be able to install and configure local DNS server,          but it will be isolated from the existing DNS infrastructure (if          any). To prevent this, either configure local DNS resolver to          point to existing DNS server or manually configure the local DNS          server (when running) with correct root hints.          If the DNS resolver is configured with its own IP address and the          DNS server is not running locally, the Active Directory          Installation Wizard can install and configure the local DNS          server. However, if this server is not connected to the network          during domain controller promotion then admin needs to          appropriately configure root hints of the local DNS server after          the completion of the domain controller promotion.          DnsUpdateTest returned 1460. The A record test is thus          inconclusive.          ......................... netdc4 passed test RegisterInDNS 

Do not forget that you should also test the DNS configuration (registration of the SRV records) after the server promotion has been completed.

Running the Active Directory Installation Wizard

There are two ways to start the Active Directory Installation Wizard in interactive mode:

• Choose the Start | All Programs | Administrative Tools | Configure Your Server Wizard command, and then assign the domain controller role to the server.

• Open the Run window and enter dcpromo.exe.

In general, you have four options for installing the Active Directory; these are graphically represented in Fig. 5.1. (Installation from a backup media is described later in this chapter.) The selections, which you should consequently make on the wizard's pages^[1], are listed below for each option:

Fig. 5.1: Four scenarios for creating a new domain controller

1. The first Active Directory installation in the network, or creating a new forest:

   • Domain controller for a new domain

   • Domain in a new forest

   Note

   Creating a new forest is the only option that does not require any existing domain (or domain controller). In all other cases, the Schema and the Configuration partitions are replicated from a source domain controller located in either an existing domain (for an additional DC), the parent (for a child domain), or the root domain (for a new tree). Even if you are installing a Windows .NET-based DC from backup media, some other domain controllers must be accessible (dealt with later in this chapter).

2. Additional DC in any existing domain:

   • Additional domain controller for an existing domain

3. Creating a new child domain:

   • Domain controller for a new domain

   • Child domain in an existing domain tree

4. Creating a new tree (a root domain with a non-contiguous DNS name) in an existing forest:

   • Domain controller for a new domain

   • Domain tree in an existing forest

Depending on the selected option, the wizard will ask you to enter a domain name. It can be the name of an existing domain, parent domain, or forest root domain. In Windows 2000, it is always recommended that you specify a DNS name because DNS name resolving must already be operational at this stage. (Although the wizard can sometimes accept NetBIOS domain names, this does not guarantee successful execution of the subsequent Active Directory installation steps.) In Windows .NET, you simply have no alternatives.

Caution

During the next step, you must specify the domain NetBIOS name. You can choose a name different from the one offered by default if you like (e.g., if the DNS domain name is net.dom, then the default NetBIOS name will be NET). If Service Pack 1 or later is not installed on a server running Windows 2000, you will get an error when publishing a printer in Active Directory (see Chapter 8, "Common Administrative Tasks").

Note

During Active Directory installation, synchronization with existing domain controllers is carried out. It is possible to stop that process by clicking the Finish Replication Later button in the wizard window. The domain controller will be advertised when the replication is completed (after the computer has been rebooted).

DNS Issues

In Windows .NET, the Active Directory Installation Wizard will stop if a preferred DNS server address is not configured on the computer and you simply will not be able to continue with Active Directory installation.

In Windows 2000, the message shown in Fig. 5.2 may appear at a certain moment during the execution of Active Directory Installation Wizard. It means one of the following:

• There is no DNS server in the network (you are going to install the DNS server and the domain controller on the same server).

• No address or an incorrect preferred DNS server address has been entered in the computer's TCP/IP Properties window. (This is a configuration error that the system identifies as the absence of a DNS server.)

• There is no authoritative zone for the new domain on the specified DNS server.

Fig. 5.2: This window displays warnings about potential problems with the preferred DNS server

The warning window will not appear if a DNS server address has been entered correctly and the authoritative zone has been configured on this server. However, this zone may not allow dynamic updates. In such a case, the wizard page "Configure DNS" (Fig. 5.3) will be next. A similar window will appear on a Windows. NET server that has no preferred DNS server and is promoted to be the first forest domain controller.

Fig. 5.3: At this point, you must decide whether or not to install the DNS server

This step is a critical point in the installation process, because whether the new domain configuration will work or not depends on what you do here. You only have three options:

• Click Cancel, which will terminate the wizard, and verify the DNS configuration. You must select this option if the promoted server is not the first controller in the domain (forest). If you do not, the Active Directory installation on this server will definitely be unsuccessful: the server will not be able to locate other domain controllers and replicate the Active Directory information from them.

• Agree with the default option and install the DNS server and domain controller on the same computer.

• If you are using a legacy DNS service and have the required sub-zones delegated to a DNS server that allows dynamic updates, select the No, I will install and configure DNS myself option and continue the Active Directory installation.

You may also refuse the default option and continue the installation process if the promoting server is the only DC in the network and if for some reason, you are planning to connect it to a fully configured DNS server only after installing Active Directory and before the first DC reboot. This approach may not seem very logical, but is technically quite possible. When the domain controller boots for the first time, it will register all necessary resource records on the DNS server (but in the forward zone only, since the wizard does not create a reverse zone).

And only if the DNS configuration fully meets all the necessary requirements, you will not see any of the wizard pages described above, and the wizard will go onto the subsequent steps.

The Active Directory Installation Wizard on a Windows .NET server provides an exhaustive DNS diagnostic that allows an administrator to easily locate possible problems. Basically, problem origins and an administrator's actions are the same as those described above. For example, if the wizard cannot find the authoritative zone for a new specified domain, you will see results of DNS queries performed (Fig. 5.4). Depending on the situation, you can verify the DNS configuration and re-run the DNS test, or install the DNS server.

Fig. 5.4: DNS diagnostics reveal name resolution problems for a future domain controller

If you add a DC to an existing domain and the wizard could not get the DNS name of a DC located in that domain, you will see a window similar to the one shown in Fig. 5.5. The domain name (net.dom) as well as the preferred DNS server address (192.168.1.2) are displayed here, and should be verified.

Fig. 5.5: Failed DNS diagnostics for a server promoted to be an additional domain controller

Fig. 5.6: An example of a successful DNS test

Fig. 5.5 illustrates an example of a successful DNS test. Normally, every promotion operation should be completed with a similar result. In such a case, you can be sure that the new domain controller will not have name resolution problems.

Completing and Testing the Installation

After completing the Active Directory installation, the system automatically installs and configures the Windows DNS Server if this operation has been requested.

After system restart, you can logon to the created domain with the local administrator credentials. The local administrator of the server that has been promoted to the first domain controller in a new forest will become a member of the following groups:

• Administrators (built-in local group)

• Domain Admins (is a member of the Administrators group)

• Domain Users (is a member of the built-in local Users group)

• Enterprise Admins (is a member of the Administrators group)

• Group Policy Creator Owners

• Schema Admins

Note

Sometimes, while working on domain controllers in the test environments, administrators attempt to logon to a domain using a domain user account, and encounter the "The local policy of this system does not permit you to logon interactively" message. Open the Default Domain Controllers Policy GPO, and click the Computer Configuration | Windows Settings | Security Setting | Local Policies | User Rights Assignment node. Find the Log on locally policy. This policy is defined by default, and only the following groups can logon locally: Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators. Therefore, "normal" users cannot logon on domain controllers. If you wish (and if security requirements permit), add the Authenticated Users or Everyone group to this list, and you will be able to logon locally using any account.

If any applications are running on a Windows NT 4.0-based server that is a member of an Active Directory domain, verify that the Everyone group has been included in the Pre-Windows 2000 Compatible Access group with the net localgroup "Pre-Windows 2000 Compatible Access" command. If not, type net localgroup "Pre-Windows 2000 Compatible Access" everyone /add at the command prompt on a domain controller computer and then restart the domain controller computer. Do not perform this operation by using the Active Directory Users and Groups snap-in!

On Windows .NET domain controllers, the Everyone group does not include the NT AUTHORITY\ANONYMOUS LOGON group. Therefore, if backward compatibility is required, add both security groups to the Pre-Windows 2000 Compatible Access group.

You can manage backward compatibility during a server promotion (by selecting the appropriate permissions option), as well as at any moment (manually, by using the net localgroup command).

Log Files

The events that have taken place during Active Directory installation are written in the logs located in the %SystemRoot%\Debug folder (and are especially useful if the installation has crashed):

• csv.log

• DCPROMO.LOG

• dcpromohelp.log

• dcpromoui.log

• NetSetup.LOG

• NtFrs_xxxx.log

• NtFrsApi.log

Installation from a Backup Media

A Windows .NET server can be promoted using the System State data from an existing Windows .NET domain controller. (Such a feature is absent in Windows 2000 domains.) This approach considerably reduces the initial replication time if slow dial-up lines are used or the Active Directory database is large enough. However, the promotion process still requires network connectivity with the existing domain!

The only restriction of this approach is that the replicas of any application partitions existing on the backed up domain controller will not be created automatically on the new DC. You should manage the application partitions manually (see the NTDSutil description in Chapter 10, "Diagnosing and Maintaining Domain Controllers").

To install an additional DC in an existing domain:

1. Backup the System State of a DC located in the domain where you are creating an additional DC. Make sure that the Automatically backup System Protected Files with the System State box is cleared (you do not need the system files!). (See additional information on system backup in Chapter 8, "Common Administrative Tasks.")

2. Copy the backup file to the server that is to be promoted.

3. Restore the System State data to any empty folder on the target server.

4. To do so, start the NTBackup utility, click Catalog a backup file on the Tools menu, and enter the backup file name. Check the System State box, select Alternate location from the Restore files to list, and enter the target folder name (Fig. 5.7). Click Start Restore. In the Confirm Restore window, click OK.

   
   Fig. 5.7: Restoring the System State to an alternate location

5. When the restore operation is completed, enter dcpromo /adv in the Run window (click Start | Run). The Active Directory Installation Wizard will start.

6. On the "Domain Controller Type" wizard page, select the Additional domain controller for an existing domain option and click Next. If you select the other option, a normal DC creation procedure will begin.

7. On the "Copying Domain Information" page, select the From these restored backup files option, enter the backup file name, and click Next.

8. If the System State was backed up from a DC that was a Global Catalog server, the wizard will ask you whether to configure the new DC as a GC server ("No" by default).

Then, the installation process will proceed as a usual server promotion.

^[1]The Active Directory Installation Wizard pages in Windows .NET are slightly differ from the wizard's pages in Windows 2000; however, all operations' general concepts are the same in both versions.