Installation 2008 AD

8/3/2019 Installation 2008 AD

1/24

Installing Active Directory on Windows

Server 2008

by Daniel Petri - January 8, 2009Printer Friendly Version

Microsoft Active Directory provides the structure to centralize the network management and

store information about network resources across the entire domain. Active Directory uses

Domain Controllers to keep this centralized storage available to network users. In order toconfigure a Windows Server 2008 machine to act as Domain Controller, several considerations

and prerequisites should be taken into account, and several steps should be performed. In thisarticle I will guide you through these prerequisites and steps of creating a new Windows Server

2008 Domain Controller for a new Active Directory domain in a new forest.

Wouldn't you love it if you could automatically discover and restart an FTP service before even30 seconds of it being down?

OpManager through over 500 built-in monitors, event log rules, SNMP traps and remotetroubleshooting tools, gives admins a tight grip over Windows server performance, including

even MS Exchange, SQL and Active Directory.

Monitor 10 Servers for Free! Download a 30-day Trial Here

Considerations when Installing a new Windows Server 2008

forest

When you install AD to create the first domain controller in a new Windows Server 2008 forest,

you must keep the following considerations in mind:

y You must make forest and domain functional level decisions that determine whether yourforest and domain can contain domain controllers that run Windows 2000 Server,Windows Server 2003, or both. To read more about forest and domain functional levels

please refer to the links below.y Domain controllers running the Microsoft Windows NT Server 4.0 operating system are

NOT supported with Windows Server 2008.y Servers running Windows NT Server 4.0 are NOT supported by domain controllers that

are running Windows Server 2008, meaning you MUST have additional DCs runningWindows 2000/2003 to support older NT 4.0 servers.

y The first Windows Server 2008 domain controller in a forest must be a global catalogserver and it cannot be an RODC.


2/24

Considerations when Installing a new Windows Server 2008

domain in an existing Windows 2000/2003 forest

When you install AD to create the first domain controller in a new Windows Server 2008

domain, you must keep the following considerations in mind:

y Before you create a new Windows Server 2008 domain in a Windows 2000/2003 forest,you must prepare the forest for Windows Server 2008 by extending the schema (that is,by running ADPREP /forestprep). To read more about ADPREP please refer to the links

below or my "Windows Server 2008 ADPREP" article.y You must make domain functional level decisions that determine whether your domain

can contain domain controllers that run Windows 2000 Server, Windows Server 2003, orboth. To read more about forest and domain functional levels please refer to the links

below.y I recommend that you host the PDC emulator operations master role in the forest root

domain on a domain controller that runs Windows Server 2008. For more informationabout FSMO Roles, please read my "Understanding FSMO Roles in Active Directory"

and "Transferring FSMO Roles" articles.

General considerations

Make sure you read and follow the requirements described in my "Active Directory on WindowsServer 2008 Requirements" article.

Installing Active Directory Domain Services (AD-DS)

In Windows Server 2008, unlike previous server operating Systems, there is an additional stepthat needs to be taken before running DCPROMO to promote the server to Domain Controller

and installing Active Directory on it. This step is the installation of Active Directory DomainServices (AD-DS) role on the server. In fact, the AD-DS role is what enables the server to act as

a Domain Controller, but you will still need to run DCPROMO the regular way.

AD-DS can be installed in one of 3 methods:

Method 1 Server Manager/Initial Configuration Tasks

Roles can and should be added from Server Manager (but they can also be initiated from theInitial Configuration Tasks wizard that auto-opens the first time you log on to the server).

1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from theAdministrative Tools folder.

2. Wait till it finishes loading, then click on Roles > Add Roles link.


3/24

3. In the Before you begin window, clickNext.

4. In the Select Server Roles window, click to select Active Directory Domain Services,and then clickNext.


4/24

5. In the Active Directory Domain Services window read the provided information if youwant to, and then clickNext.


5/24

6. In the Confirm Installation Selections, read the provided information if you want to, andthen clickNext.

7. Wait till the process completes.


6/24

8. When it ends, clickClose.

9. Going back to Server Manager, click on the Active Directory Domain Services link,and note that there's no information linked to it, because the DCPROMO command has

not been run yet.

10.Now you can click on the DCPROMO link, or read on.


7/24

1. To run DCPROMO, enter the command in the Run command, or click on theDCPROMO link from Server Manager > Roles > Active Directory Domain

Services.

2. Depending upon the question if AD-DS was previously installed or not, theActive Directory Domain Services Installation Wizard will appear immediately or

after a short while. ClickNext.


8/24

Note: The Advanced features of DCPROMO will be discussed in a future article.

Also see Have you tried Internet Explorer 9 yet?

3. In the Operating System Compatibility window, read the provided informationand clickNext.


9/24

4. In the Choosing Deployment Configuration window, click on "Create a newdomain in a new forest" and clickNext.


10/24

5. Enter an appropriate name for the new domain. Make sure you pick the rightdomain name, as renaming domains is a task you will not wish to perform on adaily basis. ClickNext.


11/24

Note: Do NOT use single label domain names such as "mydomain" or similar.

You MUST pick a full domain name such as "mydomain.local" or"mydomain.com" and so on.

The wizard will perform checks to see if the domain name is not already in use onthe local network.


12/24

6. Pick the right forest function level. Windows 2000 mode is the default, and itallows the addition of Windows 2000, Windows Server 2003 and WindowsServer 2008 Domain Controllers to the forest you're creating. Read my

"Understanding Windows Server 2008 Active Directory Domain and ForestFunctional Levels" article for more information on that.


13/24

7. Pick the right domain function level. Windows 2000 Native mode is the default,and it allows the addition of Windows 2000, Windows Server 2003 and WindowsServer 2008 Domain Controllers to the domain you're creating.


14/24

Note: If you select "Windows Server 2008" for the forest function level, you will

Not be prompted to pick a domain function level. Read more about domain andforest function levels on my "Understanding Windows Server 2008 Active

Directory Domain and Forest Functional Levels" article.

8. The wizard will perform checks to see if DNS is properly configured on the localnetwork. In this case, no DNS server has been configured, therefore, the wizardwill offer to automatically install DNS on this server.


15/24


16/24

Note: The first DCs must also be a Global Catalog. Also, the first DCs in a forest

cannot be a Read Only Domain controller.

9. It's most likely that you'll get a warning telling you that the server has one or moredynamic IP Addresses. Running IPCONFIG /all will show that this is not thecase, because as you can clearly see, I have given the server a static IP Address.

So, where did this come from? The answer is IPv6. I did not manually configurethe IPv6 Address, hence the warning. In a network where IPv6 is not used, you

can safely ignore this warning.


17/24

10.You'll probably get a warning about DNS delegation. Since no DNS has beenconfigured yet, you can ignore the message and clickYes.


18/24

11.Next, change the paths for the AD database, log files and SYSVOL folder. Forlarge deployments, carefully plan your DC configuration to get the maximumperformance. When satisfied, clickNext.

12.Enter the password for the Active Directory Recovery Mode. This password mustbe kept confidential, and because it stays constant while regular domain user


19/24

passwords expire (based upon the password policy configured for the domain, thedefault is 42 days), it does not. This password should be complex and at least 7

characters long. I strongly suggest that you do NOT use the regularadministrator's password, and that you write it down and securely store it. Click

Next.

13.In the Summary window review your selections, and if required, save them to anunattend answer file. When satisfied, clickNext.


20/24

14.The wizard will begin creating the Active Directory domain, and when finished,you will need to press Finish and reboot your computer.


21/24


22/24

Note:You can automate the rebooting process by checking the Reboot on

Completion checkbox.

To automate domain controller installations, you can use an answer file or youcan specify unattended installation parameters at the command line. More on that

in my "Creating an Unattend Installation File for DCPROMO in Windows Server2008" article.

Note: As written in my "Installing Active Directory on Windows 2008 ServerCore" article, configuring a Windows Server 2008 Server Core machine

REQUIRES you to perform an automated installation of Active Directory on thatserver, as there is NOT DCPROMO GUI on Server Core.

Your server now acts as a Domain Controller. Make sure you properly back it up.

You can test functionality by using AD management tools such as ActiveDirectory Users and Computers, examine the Event Logs, services and folders

and shares that have been created.

Links

AD DS Installation and Removal Step-by-Step Guide


23/24

Method 2 Servermanagercmd.exe

Servermanagercmd.exe is the command prompt equivalent of the Add Roles and AddFeatures wizards in Server Manager. Through the use of various command line options,

you can quickly and easily add or remove features and roles to or from your server,including the AD-DS role.

To install AD-DS by using Servermanagercmd.exe, simply enter the following command

in the Command Prompt window:

Servermanagercmd.exe I ADDS-Domain-Controller

Let the command run and when it finishes, AD-DS will be installed on the server.

Method 3 Letting DCPROMO do the job

Oh yes. If you forget to install AD-DS or simply want to skip clicking on some windows,

you can run DCPROMO from the Run command and before it is executed, the server willcheck to see if the AD-DS binaries are installed. Since they are not, they will auto-install.


24/24

After you complete the Add Roles Wizard, either click the link to start the Active

Directory Domain Services Installation Wizard, or close Server Manager and manuallyrun DCPROMO from the Run command.

Running DCPROMO

After installing the AD-DS role, we need to run DCPROMO to perform the actual ActiveDirectory database and function installation.

Note: This guide assumes this is the first Domain controller in the forest, thus creating anew domain in a new forest. For a guide on how to add additional Domain Controllers to

existing domains, please read my upcoming "Installing Additional Windows Server 2008

Domain Controllers in your Existing Active Directory Domain" article.

Documents

Installation 2008 AD