How do I install Active Directory on my Windows Server 2003 server?
First make sure you read and understand Active Directory Installation Requirements. If you don’t comply with all the requirements of that article you will not be able to set up your AD (for example: you don’t have a NIC or you’re using a computer that’s not connected to a LAN).
Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in a NEW FOREST. Meaning – don’t do it for any other scenario, such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain follow the Windows 2003 ADPrep tip.
Windows 2000 Note: If you plan to install a new Windows 2000 DC please read How to Install Active Directory on Windows 2000.
Windows Server 2003 Note: If you plan to install a new Windows Server 2003 DC in an existing AD forest please read the page BEFORE you go on, otherwise you’ll end up with the following error:
Here is a quick list of what you must have:
This article assumes that all of the above requirements are fulfilled.
Step 1: Configure the computer’s suffix
(Not mandatory, can be done via the Dcpromo process).
Step 2: Configuring the computer’s TCP/IP settings
You must configure the would-be Domain Controller to use it’s own IP address as the address of the DNS server, so it will point to itself when registering SRV records and when querying the DNS database.
Note: This is true if the server itself will also be it’s own DNS server.
If you have another operational Windows 2000/2003 server that is properly configured as your DNS server (read my Create a New DNS Server for AD page) – enter that server’s IP address instead:
Step 3: Configure the DNS Zone
(Not mandatory, can be done via the Dcpromo process).
This article assumes that you already have the DNS service installed. If this is not the case, please read Create a New DNS Server for AD.
Furthermore, it is assumed that the DC will also be it’s own DNS server. If that is not the case, you MUST configure another Windows 2000/2003 server as the DNS server, and if you try to run DCPROMO without doing so, you’ll end up with errors and the process will fail.
Creating a Standard Primary Forward Lookup Zone
Type the name of the zone, and then click Next.
You should now make sure your computer can register itself in the new zone. Go to the Command Prompt (CMD) and run “ipconfig /registerdns” (no quotes, duh…). Go back to the DNS console, open the new zone and refresh it (F5). Notice that the computer should by now be listed as an A Record in the right pane.
If it’s not there try to reboot (although if it’s not there a reboot won’t do much good). Check the spelling on your zone and compare it to the suffix you created in step 1. Check your IP settings.
Enable DNS Forwarding for Internet connections (Not mandatory)
Creating a Standard Primary Reverse Lookup Zone
You can (but you don’t have to) also create a reverse lookup zone on your DNS server. The zone’s name will be the same as your TCP/IP Network ID. For example, if your IP address is 192.168.0.200, then the zone’s name will be 192.168.0 (DNS will append a long name to it, don’t worry about it). You should also configure the new zone to accept dynamic updates. I guess you can do it on your own by now, can’t you?
Step 4: Running DCPROMO
After completing all the previous steps (remember you didn’t have to do them) and after double checking your requirements you should now run Dcpromo.exe from the Run command.
This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.
This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.
You have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address.
To let Dcpromo do the work for you, select “Install and configure the DNS server…”.
Otherwise, you can accept the default choice and then quit Dcpromo and check steps 1-3.
Just click Next.
Step 5: Checking the AD installation
You should now check to see if the AD installation went well.
If they don’t (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it took you to log on. The “Preparing Network Connections” windows will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform them).
This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you.
Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see steps 1 through 3).
To try and fix the problems first see if the zone is configured to accept dynamic updates.
1. Right-click the zone you created, and then click Properties.
2. On the General tab, under Dynamic Update, click to select “Nonsecure and secure” from the drop-down list, and then click OK to accept the change.
You should now restart the NETLOGON service to force the SRV registration.
You can do it from the Services console in Administrative tools:
Or from the command prompt type “net stop netlogon“, and after it finishes, type “net start netlogon“.
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you’ll now see the 4 SRV record folders.
If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be exactly the same as the AD Domain name. Also check the computer’s suffix (see step 1). You won’t be able to change the computer’s suffix after the AD is installed, but if you have a spelling mistake you’d be better off by removing the AD now, before you have any users, groups and other objects in place, and then after repairing the mistake – re-running DCPROMO.
If all of the above is ok, I think it’s safe to say that your AD is properly installed.
What is Active Directory? Active Directory is Microsoft’s trademarked directory service, an integral part of the Windows architecture. Like other directory services, such as Novell Directory Services (NDS), Active Directory is a centralized and standardized system that automates network management of user data, security and distributed resources and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments.
Active Directory was new to Windows 2000 Server and further enhanced for Windows Server 2003, making it an even more important part of the operating system. Windows Server 2003 Active Directory provides a single reference, called a directory service, to all the objects in a network, including users, groups, computers, printers, policies and permissions.
For a user or an administrator, Active Directory provides a single hierarchical view from which to access and manage all of the network’s resources.
Why implement Active Directory?
There are many reasons to implement Active Directory. First and foremost, Microsoft Active Directory is generally considered to be a significant improvement over Windows NT Server 4.0 domains or even standalone server networks. Active Directory has a centralized administration mechanism over the entire network. It also provides for redundancy and fault tolerance when two or more domain controllers are deployed within a domain.
Active Directory automatically manages the communications between domain controllers to ensure the network remains viable. Users can access all resources on the network for which they are authorized through a single sign-on. All resources in the network are protected by a robust security mechanism that verifies the identity of users and the authorizations of resources on each access.
Even with Active Directory’s improved security and control over the network, most of its features are invisible to end users; therefore, migrating users to an Active Directory network will require little re-training. Active Directory offers a means of easily promoting and demoting domain controllers and member servers. Systems can be managed and secured via Group Policies. It is a flexible hierarchical organizational model that allows for easy management and detailed specific delegation of administrative responsibilities. Perhaps most importantly, however, is that Active Directory is capable of managing millions of objects within a single domain.
Basic divisions of Active Directory
Active Directory networks are organized using four types of divisions or container structures. These four divisions are forests, domains, organizational units and sites.
Domains serve as containers for security policies and administrative assignments. All objects within a domain are subject to domain-wide Group Policies by default. Likewise, any domain administrator can manage all objects within a domain. Furthermore, each domain has its own unique accounts database. Thus, authenticationis on a domain basis. Once a user account is authenticated to a domain, that user account has access to resources within that domain.
Active Directory requires one or more domains in which to operate. As mentioned before, an Active Directory domain is a collection of computers that share a common set of policies, a name and a database of their members. A domain must have one or more servers that serve as domain controllers (DCs) and store the database, maintain the policies and provide the authentication of domain logons.
With Windows NT, primary domain controller (PDC) and backup domain controller (BDC) were roles that could be assigned to a server in a network of computers that used a Windows operating system. Windows used the idea of a domain to manage access to a set of network resources (applications, printers and so forth) for a group of users. The user need only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.
One server, known as the primary domain controller, managed the master user database for the domain. One or more other servers were designated as backup domain controllers. The primary domain controller periodically sent copies of the database to the backup domain controllers. A backup domain controller could step in as primary domain controller if the PDC server failed and could also help balance the workload if the network was busy enough.
With Windows 2000 Server, while domain controllers were retained, the PDC and BDC server roles were basically replaced by Active Directory. It is no longer necessary to create separate domains to divide administrative privileges. Within Active Directory, it is possible to delegate administrative privileges based on organizational units. Domains are no longer restricted by a 40,000-user limit. Active Directory domains can manage millions of objects. As there are no longer PDCs and BDCs, Active Directory uses multi-master replication and all domain controllers are peers.
Organizational units are much more flexible and easier overall to manage than domains. OUs grant you nearly infinite flexibility as you can move them, delete them and create new OUs as needed. However, domains are much more rigid in their existence. Domains can be deleted and new ones created, but this process is more disruptive of an environment than is the case with OUs and should be avoided whenever possible.
By definition, sites are collections of IP subnets that have fast and reliable communication links between all hosts. Another way of putting this is a site contains LAN connections, but not WAN connections, with the general understanding that WAN connections are significantly slower and less reliable than LAN connections. By using sites, you can control and reduce the amount of traffic that flows over your slower WAN links. This can result in more efficient traffic flow for productivity tasks. It can also keep WAN link costs down for pay-by-the-bit services.
The Infrastructure Master and Global Catalog
Among the other key components within Active Directory is the Infrastructure Master. The Infrastructure Master (IM) is a domain-wide FSMO (Flexible Single Master of Operations) role responsible for an unattended process that “fixes-up” stale references, known as phantoms, within the Active Directory database.
Phantoms are created on DCs that require a database cross-referencebetween an object within their own database and an object from another domain within the forest. This occurs, for example, when you add a user from one domain to a group within another domain in the same forest. Phantoms are deemed stale when they no longer contain up-to-date data, which occurs because of changes that have been made to the foreign object the phantom represents, e.g., when the target object is renamed, moved, migrated between domains or deleted. The Infrastructure Master is exclusively responsible for locating and fixing stale phantoms. Any changes introduced as a result of the “fix-up” process must then be replicated to all remaining DCs within the domain.
The Infrastructure Master is sometimes confused with the Global Catalog (GC), which maintains a partial, read-only copy of every domain in a forest and is used for universal group storage and logon processing, among other things. Since GCs store a partial copy of all objects within the forest, they are able to create cross-domain references without the need for phantoms.
Active Directory and LDAP
Microsoft includes LDAP(Lightweight Directory Access Protocol) as part of Active Directory. LDAP is a software protocol for enabling anyone to locate organizations, individuals and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate the domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for individuals without knowing where they’re located (although additional information will help with the search).
An LDAP directory is organized in a simple “tree” hierarchy consisting of the following levels:
It is important for every administrator to have an understanding of what LDAP is when searching for information in Active Directory and to be able to create LDAP queries is especially useful when looking for information stored in your Active Directory database. For this reason, many admins go to great lengths to master the LDAP search filter.
Group Policy management and Active Directory
It’s difficult to discuss Active Directory without mentioning Group Policy. Admins can use Group Policies in Microsoft Active Directory to define settings for users and computers throughout a network. These setting are configured and stored in what are called Group Policy Objects (GPOs), which are then associated with Active Directory objects, including domains and sites. It is the primary mechanism for applying changes to computers and users throughout a Windows environment.
Through Group Policy management, administrators can globally configure desktop settings on user computers, restrict/allow access to certain files and folders within a network and more.
It is important to understand how GPOs are used and applied. Group Policy Objects are applied in the following order: Local machine policies are applied first, followed by site policies, followed by domain policies, followed by policies applied to individual organizational units. A user or computer object can only belong to a single site and a single domain at any one time, so they will receive only GPOs that are linked to that site or domain.
GPOs are split into two distinct parts: the Group Policy Template (GPT) and the Group Policy Container (GPC). The Group Policy Template is responsible for storing the specific settings created within the GPO and is essential to its success. It stores these settings in a large structure of folders and files. In order for the settings to apply successfully to all user and computer objects, the GPT must be replicated to all domain controllers within the domain.
The Group Policy Container is the portion of a GPO stored in Active Directory that resides on each domain controller in the domain. The GPC is responsible for keeping references to Client Side Extensions (CSEs), the path to the GPT, paths to software installation packages, and other referential aspects of the GPO. The GPC does not contain a wealth of information related to its corresponding GPO, but it is essential to the functionality of Group Policy. When software installation policies are configured, the GPC helps keep the links associated within the GPO. The GPC also keeps other relational links and paths stored within the object attributes. Knowing the structure of the GPC and how to access the hidden information stored in the attributes will pay off when you need to track down an issue related to Group Policy.
For Windows Server 2003, Microsoft released a Group Policy management solution as a means of unifying management of Group Policy in the form of a snap-inknown as the Group Policy Management Console (GPMC). The GPMC provides a GPO-focused management interface, thus making the administration, management and location of GPOs much simpler. Through GPMC you can create new GPOs, modify and edit GPOs, cut/copy/paste GPOs, back up GPOs and perform Resultant Set of Policy modeling.
Expanding on the foundation of the Windows 2000 operating system, the Windows Server 2003 family improves the manageability of Active Directory as well as eases migration and deployment of directory-enabled applications.
Active Directory has been enhanced to reduce total cost of ownership (TCO) and operation within your business. New features and enhancements have been provided at all levels of the product to extend versatility, simplify management, and increase dependability. With Windows Server 2003, organizations can benefit from further reductions in cost while increasing the efficiency in which they share and manage the various elements of their business.
New features and improvements for Active Directory in the Windows Server 2003 family: • Integration and productivity.
• Performance and scalability.
• Administration and configuration management.
• Group Policy features.
• Security enhancements.
Active Directory BasicsActive Directory is the directory service for Windows .NET Standard Server, Windows .NET Enterprise Server, and Windows .NET Datacenter Server. (Active Directory cannot be run on Windows .NET Web Server but it can manage any computer running Windows .NET Web Server.) Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.
Directory Data StoreThis data store is often simply referred to as the directory. The directory contains information about objects such as users, groups, computers, domains, organizational units (OUs), and security policies. This information can be published for use by users and administrators.
The directory is stored on servers known as domain controllers and can be accessed by network applications or services. A domain can have one or more domain controllers. Each domain controller has a writeable copy of the directory for the domain in which it is located. Changes made to the directory are replicated from the originating domain controller to other domain controllers in the domain, domain tree, or forest. Because the directory is replicated, and because each domain controller has a writeable copy of the directory, the directory is highly available to users and administrators throughout the domain.
Directory data is stored in the Ntds.dit file on the domain controller. It is recommended that this file is stored on an NTFS partition. Some data is stored in the directory database file, and some data is stored in a replicated file system, like logon scripts and Group Policies.
There are three categories of directory data replicated between domain controllers:
• Domain data. The domain data contains information about objects within a domain. This is the information typically thought of as directory information such as e-mail contacts, user and computer account attributes, and published resources that are of interest to administrators and users.
For example, when a user account is added to your network, a user account object and attribute data are stored in the domain data. When changes to your organization’s directory objects occur, such as object creation, deletion, or attribute modification, this data is stored in the domain data.
• Configuration data. The configuration data describes the topology of the directory. This configuration data includes a list of all domains, trees, and forests, and the locations of the domain controllers and global catalogs.
• Schema data.The schema is the formal definition of all object and attribute data that can be stored in the directory. Windows Server 2003 includes a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and programmers can extend the schema by defining new object types and attributes, or by adding new attributes for existing objects. Schema objects are protected by access control lists (ACLs), ensuring that only authorized users can alter the schema.
Active Directory and SecuritySecurity is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network. Policy-based administration eases the management of even the most complex network.
Active Directory provides protected storage of user account and group information by using access control on objects and user credentials. Because Active Directory stores not only user credentials but also access control information, users who log on to the network obtain both authentication and authorization to access system resources. For example, when a user logs on to the network, the security system authenticates the user with information stored in Active Directory. Then, when the user attempts to access a service on the network, the system checks the properties defined in the discretionary access control list (DACL) for that service.
Because Active Directory allows administrators to create group accounts, administrators can manage system security more efficiently. For example, by adjusting a file’s properties, an administrator can permit all users in a group to read that file. In this way, access to objects in Active Directory is based on group membership.
Active Directory SchemaThe Active Directory Schema is the set of definitions that defines the kinds of objects—and the types of information about those objects—that can be stored in Active Directory. Because the definitions are themselves stored as objects, Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory. There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.
ClassesClasses, also referred to as object classes, describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class.
The Role of the Global CatalogA global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. In addition, the global catalog stores each object’s most common searchable attributes. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest, which provides efficient searches without unnecessary referrals to domain controllers.
A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the default location of the global catalog to another domain controller.
A global catalog performs the following directory roles:
• Finds objects. A global catalog enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest are performed with maximum speed and minimum network traffic.
When you search for people or printers from the Start menu or choose the Entire Directory option within a query, you are searching a global catalog. Once you enter your search request, it is routed to the default global catalog port 3268 and sent to a global catalog for resolution.
• Supplies user principal name authentication.A global catalog resolves user principal names when the authenticating domain controller does not have knowledge of the account. For example, if a user’s account is located in example1.microsoft.com and the user decides to log on with a user principal name of email@example.com from a computer located in example2.microsoft.com, the domain controller in example2.microsoft.com will be unable to find the user’s account and will then contact a global catalog server to complete the logon process.
• Supplies universal group membership information in a multiple domain environment. Unlike global group memberships, which are stored in each domain, universal group memberships are only stored in a global catalog. For example, when a user who belongs to a universal group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the global catalog provides universal group membership information for the user’s account.
If a global catalog is not available when a user logs on to a domain running in Windows 2000 native or higher, the computer will use cached credentials to log on the user if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can only log on to the local computer.
Efficient Search ToolsAdministrators can use the advanced Find dialogs in the Active Directory Users and Computers snap-in to perform management tasks with greater efficiency and to easily customize and filter data retrieved from the directory. In addition, administrators can add objects to groups quickly and with minimal network impact by utilizing browse-less queries to help find likely members.
Active Directory Replication Replication provides information availability, fault tolerance, load balancing, and performance benefits for the directory. Active Directory uses multimaster replication, enabling you to update the directory at any domain controller, rather than at a single, primary domain controller. The multimaster model has the benefit of greater fault tolerance, since, with multiple domain controllers, replication continues, even if any single domain controller stops working.
A domain controller stores and replicates:• Schema information. This defines the objects that can be created in the directory and what attributes those objects can have. This information is common to all domains in the forest. Schema data is replicated to all domain controllers in the forest.
• Configuration information.This describes the logical structure of your deployment, containing information such as domain structure or replication topology. This information is common to all domains in the forest. Configuration data is replicated to all domain controllers in the forest.
• Domain information. This describes all of the objects in a domain. This data is domain-specific and is not distributed to any other domains. For the purpose of finding information throughout the domain tree or forest, a subset of the properties for all objects in all domains is stored in the global catalog. Domain data is replicated to all domain controllers in the domain.
• Application information.Information stored in the application directory partition is intended to satisfy cases where information needs to be replicated, but not necessarily on a global scale. Application data can be explicitly rerouted to administrator-specified domain controllers within a forest to prevent unnecessary replication traffic, or it can be set to replicate to all domain controllers in the domain.
The Role of Sites in ReplicationSites streamline replication of directory information. Directory schema and configuration information is replicated throughout the forest and domain data is replicated among all domain controllers in the domain and partially replicated to global catalogs. By strategically reducing replication, the strain on your network can be similarly reduced.
Domain controllers use sites and replication change control to optimize replication in the following ways:
• By occasionally re-evaluating which connections are used, Active Directory uses the most efficient network connections.
• Active Directory uses multiple routes to replicate changes, providing fault tolerance.
• Replication costs are minimized by only replicating changed information.
SummaryBuilding on the foundation established in Windows 2000, Active Directory in Windows Server 2003 emphasizes simplified management, versatility, and unmatched dependability. More than ever, Active Directory has become a solid foundation for building enterprise networks unsurpassed in its ability to:
• Take advantage of existing investments and consolidation management of directories.
• Extend administrative control and reduce redundant management tasks.
• Simplify remote integration and use network resources more efficiently.
• Provide a robust development and deployment environment for directory-enabled applications.
• Reduce TCO and improve the leverage of IT resources.
Re: What are FSMO Roles? List them
Flexible Single-Master Operation (FSMO) roles,manage an
aspect of the domain or forest, to prevent conflicts
1.Domain Naming Master, If you want to add a domain to a
forest, the domain?s name must be verifiably unique. The
forest?s Domain Naming Master FSMOs authorize the domain
2.Infrastructure Master, When a user and group are in
different domains, a lag can exist between changes to the
user (e.g., a name change) and the user?s display in the
group. The Infrastructure Master of the group?s domain fixes
the group-to-user reference to reflect the change. The
Infrastructure Master performs its fixes locally and relies
on replication to bring all other replicas of the domain up
3.PDC Emulator,For backward compatibility, one DC in each
Win2K domain must emulate a PDC for the benefit of Windows
NT 4.0 and NT 3.5 DCs and clients.
4.RID Master,The RID Master must be available for you to use
the Microsoft Windows 2000 Resource Kit?s Movetree utility
to move objects between domains.
5.Schema Master,At the heart of Active Directory (AD) is the
schema, which is like a blueprint of all objects and
containers. Because the schema must be the same throughout
the forest, only one machine can authorize schema modifications