  • 8/7/2019 Installing and Configuring Active Directory (v2[1].10.14)

    1/51

    Installing and Configuring Active Directory

    Revision: 2.10.14

    By: Reza


    Preparing for Active Directory Installation

    There are a number of prerequisites you must consider before you begin installing Active Directory. These prerequisites include the following:

    The domain structure

    The domain name

    The storage location of the database and log files

    The location of the shared system volume folder

    Configuring time service

    Determining the Domain Structure

    To determine the domain structure, you must:

    Determine your company's physical environment

    Determine the forest root domain

    Determine the number of domains

    Organize domains in a hierarchy

    Determining the Physical Environment

    The physical environment of your organization's network includes:

    The current number of users at each location

    The current network type used at each location

    The current link speed, and percentage of available bandwidth of remote network links

    Note Available bandwidth is the amount of bandwidth that remains when you take the total bandwidth available for a link and subtract the amount of network traffic that occurs on the link during peak traffic.

    The current TCP/IP subnets at each location

    The current location of domain controllers

    The current list of servers at each location and the services that run on them

    The current location of firewalls (corporate firewalls, not host firewalls such as Windows Firewall) in the network

    Tip In addition to your assessment of the organization's physical environment, you should also consider other infrastructures currently employed in the organization. For example, if your organization already has a DNS structure, you should probably retain this structure.


    Determining the Forest Root Domain

    The forest root domain is the first domain you create in an Active Directory forest. When planning a domain structure, you should start with a dedicated forest root domain. A forest root domain is dedicated when it is set up exclusively to administer the forest infrastructure. So, you should reserve the dedicated forest root domain for forest administration only. Avoid including users or resources not dedicated to forest administration in the forest root domain.

    Determining the Number of Domains

    After you've planned the dedicated forest root domain, you should begin planning your domain structure with a single child domain under the root, and add more domains only when the single child domain model no longer meets your needs. Reasons to create more than one child domain under the forest root include the following:

    To optimize replication traffic

    To retain Windows NT domains

    To establish a distinct namespace

    Defining a Domain Hierarchy

    If you've determined that your company requires more than one domain, you must organize the domains into a hierarchy that fits the needs of your organization. Recall that domains in a forest share the same schema and global catalog. As domains are placed in a hierarchy, the two-way transitive trust relationship allows the domains to share resources.

    Determining the Domain Name

    In Windows Server 2003, a domain name is a name given to computers that share a common directory. Because Active Directory uses DNS for domain naming, Windows Server 2003 domain names are also DNS names.

    In DNS, names are arranged in a hierarchy. The hierarchy allows parent-child relationships where the name of the child domain is designated by the name of the parent domain, preceded by a label for the child domain. For example, uk.microsoft.com is a child domain of the microsoft.com domain; for the child name the "uk" label is placed before the name of the parent domain, microsoft.com. Thus, a domain's name identifies its position in the hierarchy.

    Select an easily identifiable name for the forest root domain, which is the basis for its child and grandchild domains. The following are guidelines for naming domains:

    Use only the Internet standard characters. Internet standard characters are defined as: A-Z, a-z, 0-9, and the hyphen (-). Although Windows Server 2003 DNS supports the use of almost any Unicode character in a name, by using only Internet standard characters you ensure that your Active Directory domain names will be compatible with other versions of DNS.

    Differentiate between internal and external namespaces. Because most organizations have an Internet presence, you should use different names for the internal and external root domains to clearly delineate public resources from private resources.

    Never use the same domain name twice. For example, Microsoft should not use the name microsoft.com for both its Internet and intranet root domains. If a microsoft.com client attempts to connect to either the Internet or the intranet microsoft.com site, the domain that answers first is the one to which the client is connected.

    Use short, meaningful names.

    Note If your network is connected to the Internet and you are not using firewalls and proxy servers, the root domain name must be unique in the Internet DNS namespace. You can ensure its uniqueness by registering your root domain name with an Internet domain name registering authority.
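The naming guidelines above, turned into a check a practitioner can run over a planned domain tree. This is an added example and not code from the original document; the hyphen-at-edge and 63-character label rules are the usual DNS hostname label rules (assumed here), and all sample names other than microsoft.com are constructed.

```python
"""Domain-name checks derived from the naming guidelines above.

Added example, not part of the original document. The label rules (only
A-Z, a-z, 0-9 and the hyphen; no leading or trailing hyphen; at most 63
characters per label) and the sample names other than microsoft.com are
assumptions chosen for illustration.
"""
import re
from typing import List, Optional

# Internet standard characters only; the no-edge-hyphen and 63-character
# limits are the usual DNS hostname label rules (assumed here).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_label(label: str) -> List[str]:
    """Return the problems found in one DNS label (empty list if it is fine)."""
    if not label:
        return ["empty label"]
    if not LABEL_RE.match(label):
        return [f"label {label!r}: only A-Z, a-z, 0-9 and '-' are allowed, "
                "no leading/trailing hyphen, at most 63 characters"]
    return []


def check_domain_name(name: str, parent: Optional[str] = None) -> List[str]:
    """Check a full DNS domain name against the guidelines.

    With `parent` given, `name` must be a direct child of it: the parent's
    name preceded by exactly one extra label, as uk.microsoft.com is of
    microsoft.com.
    """
    problems: List[str] = []
    for label in name.split("."):
        problems.extend(check_label(label))
    if parent is not None:
        if not name.lower().endswith("." + parent.lower()):
            problems.append(f"{name!r} is not placed under its parent {parent!r}")
        elif name.count(".") != parent.count(".") + 1:
            problems.append(f"{name!r} is not a direct child of {parent!r} "
                            "(exactly one extra label expected)")
    return problems


def check_namespaces(internal_root: str, external_root: str) -> List[str]:
    """Internal and external root domains must both be valid and must differ."""
    problems = check_domain_name(internal_root) + check_domain_name(external_root)
    if internal_root.lower() == external_root.lower():
        problems.append(f"{internal_root!r} is used for both the Internet "
                        "and the intranet root domain; pick a different internal name")
    return problems


if __name__ == "__main__":
    # Constructed sample names (corp.example is an assumed internal root).
    for name, parent in [("uk.microsoft.com", "microsoft.com"),
                         ("sales.uk.microsoft.com", "microsoft.com"),
                         ("corp_local.example", None),
                         ("-badlabel.example", None)]:
        print(name, "->", check_domain_name(name, parent) or "ok")
    print(check_namespaces("microsoft.com", "microsoft.com") or "ok")
    print(check_namespaces("corp.example", "example.com") or "ok")
```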

    Determining the Storage Location of the Database and Log Files

    Installing Active Directory creates the database and log files. The default location for the database and log files is %Systemroot%\Ntds, where %Systemroot% is the path where the Microsoft Windows Server 2003 system files are located, typically C:\Windows. However, you can specify a different location when installing Active Directory. For best performance and fault tolerance, it's recommended that you place the database and the log file on separate hard disks that are NTFS drives, although NTFS is not required. It's also recommended that you have 1 GB of space to install Active Directory, although the Active Directory Installation Wizard requires only a minimum of 200 MB of disk space for the Active Directory database and 50 MB for the log files.

    Note The directory database is stored in a file named Ntds.dit, which contains all of the information stored in the Active Directory data store.

    Determining the Location of the Shared System Volume Folder

    Installing Active Directory creates the Shared System Volume, a folder structure that exists on all Windows Server 2003 domain controllers. It stores public files that must be replicated to other domain controllers, such as logon scripts and GPOs, for both the current domain and the enterprise. The default location for the shared system volume is %Systemroot%\Sysvol. However, you can specify a different location during Active Directory installation. The Shared System Volume must be located on a partition or volume formatted with NTFS.

    Configuring Time Service

    Computers keep the time on their internal clocks, which allows them to perform any function that requires the date or time. However, for scheduling purposes, the clocks must be set to the correct date and time, and they must be synchronized with the other clocks in the network. With time synchronization, one computer maintains very accurate time, and then all other computers set their clocks to match that computer. In this way, you can set accurate time on all computers.

    When the computers belong to an Active Directory domain, Windows Time Service configures itself automatically, using the Windows Time Service that is available on domain controllers. Windows Time Service configures a domain controller within its domain as a reliable time source and synchronizes itself periodically with this source.

    A number of Windows Server 2003 family components rely on accurate and synchronized time. For example, without clocks that are synchronized to the correct time on all computers, the Kerberos authentication protocol might falsely interpret logon requests as intrusion attempts and deny access to users.

    Another important benefit of time synchronization is the ability to correlate events on different computers in an enterprise. With synchronized clocks on all of your computers, you ensure that you can correctly analyze events that happen in sequence on multiple computers for success or failure.


    By default, the first domain controller that is deployed should be set to synchronize from a valid Network Time Protocol (NTP) source. If no source is configured, the service will log a message to the event log and use the local clock when providing time to clients.

    To configure the Windows Time Service on the first forest root domain controller

    1. Log on to the domain controller.

    2. Type the following, where PeerList is a comma-separated list of DNS names or IP addresses of the desired time sources:

    W32tm /config /manualpeerlist:PeerList /syncfromflags:manual

    3. Update the Windows Time Service configuration. At the command line, type:

    W32tm /config /update

    or

    Net stop w32time
    Net start w32time


    Notes When specifying a manual peer, do not use the DNS name or IP address of a computer that uses the forest root domain controller as its source for time, such as another domain controller in the forest. The time service will not operate correctly in this scenario.

    Synchronize the client time with a time server

    1. Open Command Prompt.

    2. Type w32tm /resync

    Note This procedure only works on computers that are joined to a domain.

    Configure a domain controller in the parent domain as a reliable time source

    To perform this procedure locally on the domain controller, you must be a member of the Administrators group. To perform this procedure from a remote computer, you must be a member of the Domain Admins group.

    1. Open Command Prompt.

    2. Type the following command and press ENTER:

    W32tm /config /reliable:yes /update
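The manual-peer rule from the notes above, checked as a graph problem: the forest root domain controller's peers must not, directly or through other computers, take their time from the forest root domain controller itself. This is an added example in Python and not code from the original document; the host names and the topology are constructed, and a name that has no entry of its own is treated as an external NTP source.

```python
"""Checks a planned Windows Time Service hierarchy for the loop the notes
above warn about: the forest root domain controller must not take time
from a computer that itself, directly or through other computers, takes
its time from the forest root domain controller.

Added example, not part of the original document. The topology below is
constructed; the host names are placeholders.
"""
from typing import Dict, List, Optional

# host -> configured time sources. A name that is not a key is treated as an
# external source (for example an Internet NTP server); an empty list means
# no source is configured and the computer falls back to its local clock.
TimeSources = Dict[str, List[str]]


def path_to(start: str, target: str, sources: TimeSources) -> Optional[List[str]]:
    """Depth-first search along time-source links; return a path from
    `start` to `target`, or None if `target` is never reached."""
    stack = [(start, [start])]
    seen = set()
    while stack:
        node, path = stack.pop()
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        for src in sources.get(node, []):
            stack.append((src, path + [src]))
    return None


def find_time_loops(sources: TimeSources, forest_root: str) -> List[List[str]]:
    """For each manual peer of the forest root DC, return the chain that
    leads back to the forest root DC, if such a chain exists."""
    loops = []
    for peer in sources.get(forest_root, []):
        path = path_to(peer, forest_root, sources)
        if path is not None:
            loops.append([forest_root] + path)
    return loops


def time_anchor(host: str, sources: TimeSources) -> str:
    """Classify where `host` ultimately gets its time: 'external' if any
    chain reaches a source outside the managed set, 'local-clock' if the
    chains only end at computers with no source configured, else 'loop'."""
    seen = set()
    stack = [host]
    hits_local_clock = False
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node not in sources:
            return "external"
        if not sources[node]:
            hits_local_clock = True
        stack.extend(sources[node])
    return "local-clock" if hits_local_clock else "loop"


# Constructed topology: the forest root DC uses a manual NTP peer, the other
# DCs follow the domain hierarchy, and a workstation follows its domain's DC.
GOOD = {
    "dc1.corp.example": ["time.example.net"],        # forest root DC, manual peer
    "dc2.corp.example": ["dc1.corp.example"],
    "dc1.sales.corp.example": ["dc2.corp.example"],
    "ws1.corp.example": ["dc1.sales.corp.example"],
}
# Misconfiguration from the notes: the forest root DC's manual peer is a DC
# that syncs from the forest root DC itself.
BAD = {**GOOD, "dc1.corp.example": ["dc2.corp.example"]}

if __name__ == "__main__":
    print("loops (good):", find_time_loops(GOOD, "dc1.corp.example"))
    print("loops (bad): ", find_time_loops(BAD, "dc1.corp.example"))
    for topo, label in ((GOOD, "good"), (BAD, "bad")):
        print(label, "ws1 anchor:", time_anchor("ws1.corp.example", topo))
```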


    Installing and Removing Active Directory

    After you've completed your preparation work with the installation prerequisites, you are ready to install Active Directory. Removing Active Directory follows a process similar to installation.

    Installing Active Directory

    There are four ways to install Active Directory:

    Using the Active Directory Installation wizard (to install Active Directory in most situations)

    Using an answer file to perform an unattended installation

    Using the network or backup media

    Using the Configure Your Server Wizard (an additional way to install the first domain controller)

    Installing Active Directory Using the Active Directory Installation Wizard

    Creating the First Domain Controller for a New Domain

    The following table lists the information that you need to know before you add a domain controller.

    Before adding a domain controller role | Comments

    Determine which sites require a domain controller.
        If your network is divided into sites, it is good practice to put at least one domain controller in each site to enhance network performance. When users log on to the network, a domain controller must be contacted as part of the logon process. If clients have to connect to a domain controller located in a different site, the logon process can take a long time.

    Determine whether to add an additional domain controller over the network or through backup media taken from an existing domain controller.
        With the Windows Server 2003 family, you can install Active Directory on member servers using a restored backup taken from a domain controller running Windows Server 2003. You can store this backup on any backup media (for example, DVD) or a shared network resource. By using this method, you greatly reduce the network bandwidth used when you install Active Directory. You still need network connectivity to replicate all new objects and recent changes for existing objects to the new domain controller.

    Determine whether you want your new domain controller to host a global catalog.
        To optimize network performance in a multiple-site environment, consider adding global catalogs for select sites. In a single-site environment, a single global catalog is usually sufficient to cover common Active Directory queries. However, in a multiple-site environment it is recommended that you use global catalogs in each site.

    Obtain the administrative credentials necessary to add a domain controller.
        To add an additional domain controller to an existing domain, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

    To install Active Directory for a new domain using the Active Directory Installation Wizard, complete the following steps:


    1. Log on to the computer as a member of the Administrators group and open the Active Directory Installation Wizard by clicking Start, then Run, and typing dcpromo.

    2. You see the Welcome to the Active Directory Installation Wizard screen. As the window tells you, once you install Active Directory on your server, the server will become a domain controller. Click Next.

    3. By default, security settings on domain controllers are configured to help prevent domain controller communications from being intercepted by malicious users. To successfully negotiate communications with a domain controller running Windows Server 2003, these default security settings require that client computers use both Server Message Block (SMB) signing, and encryption or signing of secure channel traffic.

    The following OSs do not have built-in support for SMB signing or secure channel encryption and signing:

    Windows 95

    Windows NT 4.0

    The following table lists the required actions that you need to perform to enable client computers running any of these OSs to successfully log on to the domain and access domain resources:


    For client computers running | You need to

    Windows 95
        Upgrade the OS (recommended), or install the Active Directory client¹.

    Windows NT 4.0
        Upgrade the OS (recommended), or install Service Pack 4 (or later). Service Pack 3 provides support for SMB signing, but it does not support encryption or signing of secure channel traffic.

    SMB Signing

    SMB is the protocol used for file sharing and other communications between Windows computers. SMB signing guarantees the origin of the communication. It is enabled by default on Windows Server 2003 computers but must be configured on the other Windows OSs.

    Once configured, SMB signing is negotiated during the connection request, and systems that cannot use SMB signing are not able to communicate with those that can.

    By default, domain controllers running Windows Server 2003 require that all clients digitally sign SMB-based communications.

    4. On the Domain Controller Type page, select Domain controller for a new domain, and then click Next.

    ¹ With the Active Directory client, many of the Active Directory features available on Windows 2000 Professional or Windows XP Professional are available to computers running Windows 95, Windows 98, and Windows NT 4.0.


    5. On the Create New Domain page, ensure that Domain in a new forest is selected, and then click Next.

    6. On the Install or Configure DNS window, you can configure or install DNS on your server. This window appears when you have not installed DNS or have not yet configured DNS addresses in the TCP/IP Properties dialog box on your server. If you want the wizard to install the DNS server and configure it automatically, select No, just install and configure DNS on this computer, as shown in the following figure, and then click Next.


    If you have a DNS server in your network and do not need your domain controller to become a DNS server, you must configure the DNS addresses in the TCP/IP Properties dialog box, select the Yes, I Will Configure the DNS Client check box, and then click Next. If you do not configure the DNS addresses and then select the Yes, I Will Configure the DNS Client check box, the window shown in the following figure appears.

    7. On the New Domain Name page, in the Full DNS name for new domain box, type the name of the domain and then click Next.


    8. After a few moments, the NetBIOS Domain Name page appears. The NetBIOS name is taken from your root domain name, but you can change it by typing a new name in the dialog box. NetBIOS naming is unnecessary in Windows 2003 networks because DNS is used, but it is maintained for backward compatibility. Click Next.

    Tip Microsoft recommends that you use the default NetBIOS name.

    9. Active Directory stores the Active Directory database in two parts: the database itself and a transaction log. It's a good idea to put the transaction log on a different physical hard disk than the Active Directory database. (You see them on the same drive in the screen shot because the machine I was doing this on had only one physical hard disk.) Putting the transaction log on a different physical drive means that the system can update both the AD database and the log simultaneously, and believe me, in a production environment, you'll see a significant difference in performance by using a two-drive system rather than a one-drive system. You can do this with SCSI or EIDE drives, but if you use EIDE drives, make sure they are on different EIDE channels so that they can run simultaneously without a significant performance hit.


    To avoid any problems with installing Active Directory, it is important to confirm that you have sufficient disk space to host the directory database and log files. The Active Directory Installation Wizard requires 250 MB of disk space for the Active Directory database and 50 MB for the log files. Click Next.

    10. On the Shared System Volume page, the installation wizard prompts you to choose a path for the installation location of the Shared System Volume (SYSVOL). You can accept the listed default path, enter a new path manually, or browse to a new location. The shared system volume must be located on a partition formatted with NTFS version 5 at a minimum. The version of NTFS used with Windows NT Server (now referred to as version 4) cannot be used. Click Next.

    11. In the event the wizard cannot resolve the domain name through an existing DNS server, the dialog box shown in the following figure will appear. View the details of the diagnostic test and then select the appropriate option, as follows:


    If you have configured DNS but there is a problem and you have fixed it, select I have corrected the problem. Perform the DNS diagnostic test again, and then click Next.

    If you have not yet configured DNS and you want the wizard to configure it, select Install and configure the DNS server on this computer, and then click Next.

    If you have configured DNS but there is a problem and you would like to correct the problem later, select I will correct the problem later by configuring DNS manually, and then click Next.

    12. If you run server-based applications (such as a database) on pre-Windows 2000/2003 systems, or if you run server-based applications on Windows 2000/Windows Server 2003 systems that are members of pre-Windows 2000/2003 domains, then you need to configure your environment to be compatible with the needs of those older environments.

    Older server-based applications often used an unauthenticated (Null) session for server-to-server or server-to-client connections. These types of connections have been removed from Windows 2000/2003. To provide backward compatibility, though, you can configure your server to support them.


    13. The next dialog box asks you to provide a password that is used when starting the computer in Directory Services Restore Mode. This password allows the recovery of AD from a backup.

    14. The last window provides a summary of the choices you have made in the DCPROMO process. Click Next. The wizard takes a few minutes to configure Active Directory components.

    Note If you have not configured a static IP address for the server, you will be prompted to do so.


    While the Installation Wizard configures Active Directory, it displays its progress in a window, as shown in the following figure:

    15. When the Completing the Active Directory Installation Wizard page appears, click Finish, and then click Restart Now.

    Note Let the domain controller restart. If any message indicates that one or more services have failed to start, restart the domain controller one more time. If the initial replication cycles have not had enough time to complete during the first restart on a new domain controller, some services may be unable to start successfully. If the message appears during additional restarts, examine the event logs in Event Viewer to determine the cause of the problem.


    Installing Active Directory Using an Answer File

    You can create an answer file to run the Active Directory Installation Wizard without having to respond to the screen prompts. An answer file is a file that contains answers to questions that should be automated during installation. An answer file that is used to install Windows Server 2003 can also include the installation of Active Directory, or you can create an answer file that installs only Active Directory and is run after the Windows Server 2003 setup is complete and you have logged on to the system.

    To install Active Directory using an answer file, complete the following steps:

    1. Restart your computer and log on as Administrator.

    2. Click Start and then click Run. In the Run dialog box, type:

    dcpromo /answer:%path_to_answer_file%

    And then click OK.

    3. You'll see a dialog box that says DCPROMO is running in unattended mode. Then the machine will reboot.


    Installing Active Directory Using the Network or Backup Media

    In Windows 2000, promoting a member server to become an additional domain controller in an existing domain required replicating the entire directory database to the new domain controller. In case of low network bandwidth, this replication could take hours or even days to complete. Servers running Windows Server 2003 can be promoted using a restored backup taken from a Windows Server 2003 domain controller. This backup can be stored on any backup media (tape, CD, or DVD) or a network share.

    Note The server that is being installed as a domain controller must be running Windows Server 2003, and the version must be the same as that of the domain controller from which the backup was taken. For example, you cannot use backup media from a domain controller running Windows Server 2003 to create a domain controller running Windows Server 2003 with SP1. The reverse is also true.

    Using backup media to create an additional domain controller in your domain reduces the amount of replication required to copy the directory database. This is because Active Directory only needs to replicate the changes that occurred after that backup was taken.

    Caution If the domain controller that was backed up contained an application directory partition, it will not be restored on the new domain controller, except for Windows Server 2003 with SP1 and later.

    Windows Server 2003 with SP1 enables you to include application directory partitions in the backup media that you use to install Active Directory. To do this, you raise the forest functional level and then install Windows Server 2003 SP1 on the domain controller that you back up and on any servers that you intend to install as domain controllers.

    Note This method only works for the same domain, so you cannot back up a domain controller in domain A and create a new domain B using that media.

    To back up the System State on an existing domain controller

    1. To start Backup, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

    2. Click the Advanced Mode link on the Backup or Restore Wizard.


    3. Click the Backup tab, then click the box next to System State.

    To restore the System State on the future domain controller

    1. Copy your backed-up System State file from the first DC to the server where you want to perform the process. You can do this by copying the file over the network, burning it to CD and copying it to the server, or, if you want, by restoring it on the original DC but pointing the restore path to a mapped network drive that is actually a shared folder on the potential new DC.

    2. To start Restore, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

    3. Click the Advanced Mode link on the Backup or Restore Wizard.

    4. Click the Restore and Manage Media tab, then click the box next to System State.


    5. In the "Restore files to" box, select "Alternate Location". In the "Alternate Location" box, type your designated restore path. This could be a folder on one of your hard drives. I used C:\Backup. Click the Start Restore button.

    6. A warning window will appear. Click Ok.


    7. A Confirm Restore window will appear. Click Ok.

    8. A Restore Progress window will appear. Let it finish, then click Close.

    Note You can only use System State backups that are no older than 60 days, because of the tombstone attributes involved.


    To create an additional domain controller

    1. Click Start, click Run, and then type dcpromo /adv to open the Active Directory Installation Wizard with the option to create an additional domain controller from restored backup files.

    Note The /adv switch is only necessary when you want to create a domain controller from restored backup files. It is not required when creating an additional domain controller over the network.

    2. On the Welcome to the Active Directory Installation Wizard, click Next.

    3. On the Operating System Compatibility page, read the information and then click Next.

    4. On the Domain Controller Type page, click Additional Domain Controller For An Existing Domain, and then click Next.

    5. On the Copying Domain Information page, do one of the following:

    Click Over The Network From A Domain Controller, and then click Next.


    Click From These Restored Backup Files, and type the location of the restored backup files, or click Browse to locate the restored files.

    Click Next.

    6. If the domain controller from which you restored the System State was also a global catalog, the Active Directory Installation Wizard will ask if you would like this domain controller to become a global catalog as well. Make your selection and then click Next.

    7. On the Network Credentials page, specify your user name and password in the User Name and Password boxes, respectively. In the Domain box, type in the domain name and then click Next.


    8. On the Database and Log Folders page, ensure that the correct locations for the database folder and the log folder appear in the Database Folder box and the Log Folder box, respectively. Click Next.

    9. On the Shared System Volume page, ensure that the correct location for the shared system volume folder appears in the Folder Location box. Click Next.

    10. On the Directory Services Restore Mode Administrator Password page, type the password you want to assign to this server's Administrator account in the event the computer is started in Directory Services Restore Mode in the Restore Mode Password box. Confirm the password in the Confirm Password box. Click Next.

    11. On the Summary page, review your selections. Click Next to proceed with the installation. Restart the computer when prompted.

    Note After the installation operation completes successfully and the computer is restarted, the folder and subfolders that contain the restored System State can be removed from the local disk.


    Installing Active Directory Using the Configure Your Server Wizard

    The Configure Your Server Wizard provides a central location for you to install many services, including Active Directory, on a computer running Windows Server 2003. The Configure Your Server Wizard is available from the Manage Your Server window, which opens automatically the first time you log on to a server by using administrative permissions.

    If the computer is the first server on the network and has not yet been configured, the Configure Your Server Wizard provides the Configuration Options¹ page to promote the server to a domain controller and install Active Directory. The Configuration Options page configures your server in the following ways:

    Promotes the computer to domain controller.

    (1) When you use the Configure Your Server Wizard, the Configuration Options page is not available if any of the following points is true:

    The computer is already configured as a DNS or DHCP server.

    The computer has been set up to receive a dynamically configured IP address from a DHCP server.

    The current session is a remote session.

    The computer is running Routing and Remote Access.

    No IP-enabled network adapters are installed.

    More than one IP-enabled network adapter has been installed.

    The computer does not have at least one NTFS partition.

    The computer is joined to a domain.

    The computer is already a domain controller.

    The computer is a CA.

    There is another computer on the network running the Windows Server 2003 family.

    The computer is running Windows Server 2003, Datacenter Edition.

    The computer is running Windows Server 2003, Web Edition.


    Creates a domain name for your network.

    Creates a NetBIOS name for your domain controller.


    Assigns a DNS forwarder that you specify.

    Installs Active Directory, DNS server, and DHCP server.


    Assigns a preferred DNS server, if none has been configured on this server. By default, the Configure Your Server Wizard assigns a preferred DNS server with the same IP address as the one specified for this server.

    Authorizes a DHCP server in Active Directory.

    Sets up an application-naming context on the domain controller in Active Directory for use by TAPI (1) client applications.

    (1) Telephony Application Programming Interface (TAPI) integrates telecommunications with the computer. TAPI supports both traditional (or PSTN) and IP telephony to provide voice, data, and video communication. TAPI-based programs use Active Directory to facilitate IP telephony calls and multicast conferencing based on H.323 (a standard for packet-based multimedia communications). TAPI-based programs can use TAPI application directory partitions to store and retrieve information to facilitate H.323-based IP telephony calls and multicast conferencing.


    Note Unlike the Active Directory Installation Wizard, the Configure Your Server Wizard does not allow you to set the Active Directory database and log folder location or set the shared system volume folder location. It also does not allow you to select a Directory Services Restore Mode Administrator Password.

    After your server restarts, the Configure Your Server Wizard displays the This Server is Now a Domain Controller page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.


    Removing Active Directory Services from a Domain Controller

    Removing Active Directory Services by Using the Active Directory Installation Wizard

    Running Dcpromo on an existing domain controller allows you to remove Active Directory from the domain controller and demotes it to either a stand-alone server or a member server. If the domain controller is the last domain controller in the domain, it will become a stand-alone server. If other domain controllers will remain in the domain, it will become a member server.

    If you remove Active Directory from all domain controllers in a domain, you also delete the directory database for the domain. Computers joined to this domain can no longer log on to the domain or use domain services.

    Note If you are using cryptographic keys to authenticate and secure data, you should export the key information before you demote the last domain controller in a domain. Because this information is stored in Active Directory, any resources locked with these keys become inaccessible once the database is lost as a result of the demotion process.

    To remove Active Directory from a domain controller, complete the following steps:

    1. Log on as the appropriate administrator.

    2. Click Start, click Run, and then type dcpromo in the Open box and then click OK.

    3. On the Welcome To The Active Directory Installation Wizard page, click Next.

    4. If the domain controller is a global catalog server, a message appears telling you to make sure other global catalogs are accessible to users of the domain before removing Active Directory from this computer. Click OK.


    5. On the Remove Active Directory page, select the check box if the server is the last domain controller in the domain. Click Next.

    6. If the server is the last domain controller in the domain, the Application Directory Partitions page appears. If you want to remove all application directory partitions listed on this page, click Next.


    Note Because removing the last replica of an application directory partition will result in the permanent loss of any data contained in the partition, the Active Directory Installation Wizard will not remove application directory partitions unless you confirm the deletion. If the domain controller holds a TAPI application directory partition, you need to use the Tapicfg.exe command-line tool to remove the TAPI application directory partition:

    tapicfg remove /directory:PartitionName

    If you clicked Next, the Confirm Deletion page appears. Select the check box if you want the wizard to delete all the application directory partitions on the domain controller, and then click Next.

    7. On the Administrator Password page, type and confirm the administrator password, and then click Next.


    8. On the Summary page, click Next. The Configuring Active Directory progress indicator appears as Active Directory is removed from the server. This process will take several minutes. Click Finish.

    9. In the Active Directory Installation Wizard dialog box, click Restart Now to restart the computer and complete the removal of Active Directory from the computer.

    Removing Active Directory Services by Using the Configure Your Server Wizard

    To remove the domain controller role, restart the Configure Your Server Wizard and do the following:

    1. From Manage Your Server, click Add or remove a role. As discussed before, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, point to Administrative Tools, and then click Manage Your Server.


    2. On the Server Role page, click Domain Controller (Active Directory), and then click Next.

    3. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove The Domain Controller Role check box, click Next, and then follow the steps in the Active Directory Installation Wizard.


    Verifying Active Directory Installation

    There are several verification tasks that can be performed on a computer on which Active Directory has been newly installed. You can do this by verifying the following:

    Domain configuration

    DNS configuration

    DNS integration with Active Directory

    Installation of the Shared System Volume

    Operation of the Directory Services Restore Mode boot option

    Verifying Domain Configuration

    After the domain controller is installed, various Active Directory administrative tools are added to the Administrative Tools menu. You can verify that Active Directory is functioning properly by opening the Active Directory Users And Computers console and checking for the presence of the domain and domain controller. To verify domain configuration, complete the following steps:

    1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

    2. In the Active Directory Users And Computers console, verify that your domain is correctly named by finding it in the console tree.

    3. Double-click the domain. Click the Domain Controllers container. Verify that your domain controller appears and is correctly named by finding it in the details pane, as you can see in the following figure.

    4. Double-click the server. Verify that all information is correct on the tabs in the Properties dialog box for the server.


    Verifying the DNS Configuration

    If you allow the Active Directory Installation Wizard to configure DNS for you, the Netlogon service registers a set of default SRV resource records on the DNS server, as shown. SRV records are required for clients to find hosts that provide required services.

    To verify the DNS configuration, complete the following steps:

    1. Click Start, point to Administrative Tools, and then click DNS.

    2. In the DNS console tree, double-click the DNS server, double-click Forward Lookup Zones, and double-click the zone. Expand the _msdcs, _sites, _tcp, and _udp folders to view the default resource records.


    The Netlogon service creates a log file that contains all the SRV records and places the log file in %Systemroot%\System32\Config\Netlogon.dns. If your DNS solution does not support dynamic update, you must manually enter these records on your DNS server(s).

    Verifying DNS Integration with Active Directory

    If you allow the Active Directory Installation Wizard to configure a basic DNS setup for you, the wizard configures an Active Directory-integrated forward lookup zone with the name of the domain. The configuration of this zone changes the storage location of zone data from the zone file to Active Directory on the server. You can verify DNS integration by viewing the properties for the DNS zone and the DNS server.

    1. Click Start, point to Administrative Tools, and then click DNS.

    2. In the DNS console tree, double-click the DNS server, double-click Forward Lookup Zones, right-click the zone, and select Properties from the menu. The Properties dialog box for the zone appears.

    3. On the General tab, verify that Active Directory-Integrated appears after Type.


    4. In the DNS console tree, right-click the DNS server and then select Properties from the menu. The Properties dialog box for the DNS server appears.

    5. On the Advanced tab, verify that the Load Zone Data On Startup box is set to From Active Directory And Registry.


    Verifying Installation of the Shared System Volume

    The Active Directory Installation Wizard builds the shared system volume, Sysvol, during the creation of a domain controller. Sysvol is a tree of folders containing files that need to be available and synchronized between domain controllers in a domain or forest, including:

    Microsoft Windows 9X and Windows NT 4 system policies

    Windows 2000 and Windows Server 2003 Group Policy settings

    User logon and logoff scripts and so on

    You can verify the installation of the Sysvol by viewing the Sysvol folders in the location you specified during Active Directory installation. To verify installation of the shared system volume, complete the following steps:

    1. Open My Computer.

    2. Open %Systemroot%\Sysvol or the location you specified during Active Directory installation.

    3. Verify that the Sysvol folder contains a shared Sysvol folder. Verify that the shared Sysvol folder contains a folder for the domain, which contains a shared Scripts folder and a Policies folder.


    Verifying Operation of the Directory Services Restore Mode Boot Option

    The Directory Services Restore Mode boot option allows restores of Active Directory on a domain controller. You should verify that this boot option is operational and runs with the password you specified during Active Directory installation to ensure its availability if needed during troubleshooting or restore operations.

    To verify operation of the Directory Services Restore Mode boot option, complete the following steps:

    1. Restart your computer and press F8 when you see the Boot menu.

    2. On the Windows Advanced Options menu, use the arrow keys to select Directory Services Restore Mode (Windows Domain Controllers Only), and then press ENTER.

    3. The Boot menu is displayed again, with the words "Directory Services Restore Mode (Windows Domain Controllers Only)" displayed in color at the bottom. Select the operating system installation that you want to start, and then press ENTER. The computer restarts in directory services restore mode.


    4. On the Welcome To Windows screen, press CTRL+ALT+DELETE. Log on to the computer using the server's Administrator account name and the directory services restore mode administrator password (specified during Active Directory installation). Click OK.

    Note You cannot use the name and password of the Active Directory administrator because Active Directory is offline and account verification cannot occur. Rather, the SAM database is used to control access to Active Directory on the computer while Active Directory is offline.

    5. In the Windows Is Running In Safe Mode warning message box, click OK to run the domain controller in safe mode.


    Troubleshooting Active Directory Installation and Removal

    In order to install or remove Active Directory you must be able to troubleshoot Active Directoryinstallation and removal. Troubleshooting Active Directory installation and removal involves using:

    Directory Service log

    Netdiag.exe: Network Connectivity Tester

    Dcdiag.exe: Domain Controller diagnostic tool

    Dcpromoui.log, Dcpromos.log, and Dcpromo.log files

    Ntdsutil.exe: Active Directory diagnostic tool

    Troubleshooting with the Directory Service Log

    Active Directory records events, including errors, warnings, and information that Active Directory generates, in the Directory Service log in Event Viewer. To view the Directory Service log, complete the following steps:

    1. Click Start, point to Administrative Tools, and then click Event Viewer.

    2. In the console tree, select Directory Service. In the details pane, Event Viewer displays a list of events and summary information for each item.

    3. To view additional information for any event, double-click the event.


    Troubleshooting with Netdiag.exe: Network Connectivity Tester

    Netdiag is a command-line diagnostic tool included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM that helps isolate networking and connectivity problems by performing a series of tests. Netdiag diagnoses network problems by checking all aspects of a host computer's network configuration and connections.

    Netdiag has the following syntax:

    netdiag [/q][/v][/l][/debug][/d:DomainName][/fix][/test:testname][/skip:testname][/?]

    Parameter Function

    /q Lists only tests that return errors

    /v More extensive listing of test data as tests are performed

    /l Stores output in Netdiag.log, in the default directory

    /debug Complete list of test data with reasons for success or failure

    /fix Fixes minor problems

    /test:testname Runs only the test specified by testname. For a complete list, type netdiag /?

    /skip:testname Skips the named test

    Run Netdiag whenever a computer is having network problems. The utility tries to diagnose the problem and can even flag problem areas for closer inspection. It can fix simple DNS problems with the optional /fix switch.

    To use Windows Support Tools, including Netdiag, you must first install them on your computer. To install the Windows Support Tools, complete the following steps:

    1. Start Windows Server 2003. You must log on as a member of the Administrators group to install the support tools.

    2. Insert the Windows Server 2003 CD into your CD-ROM drive.

    3. Click Start, and then select Run.

    4. In the Run dialog box, type E:\Support\Tools\suptools.msi, where E: is the drive letter of your CD-ROM drive. Click OK.

    5. Follow the instructions that appear on your screen.

    Note The Setup program requires a maximum of 22 megabytes (MB) of free space to install all Windows Support Tools files onto your hard disk. Setup creates a Support Tools folder within the Program Files folder on the system drive. Support Tools are available from the Start Menu by selecting All Programs followed by the Windows Support Tools option.

    Troubleshooting with Dcdiag.exe: Domain Controller Diagnostic Tool


    Dcdiag is a command-line diagnostic tool included with the Windows Support Tools on the Windows Server 2003 Setup CD-ROM that analyzes the state of domain controllers and reports any problems. Dcdiag runs a series of tests to verify different functional areas of Active Directory. The user specifies which domain controllers are tested, such as all domain controllers within an enterprise or site, or just a single domain controller. Although the Dcdiag tool has many other uses, you can use it to perform a test that diagnoses domain controller connectivity, which is a common Active Directory installation troubleshooting issue. The test for connectivity in the Dcdiag tool verifies that:

    DNS names for the server are registered

    The server can be reached by means of IP at its IP address, LDAP, and a remote procedure call (RPC)

    Dcdiag has the following syntax:

    dcdiag /s:DomainController [/n:NamingContext] [{/a | /e}] [{/q | /v}] [/i] [/skip:Test] [/test:Test] [/fix] [{/h | /?}]

    Parameter Function

    /s:DomainController Uses DomainController as a home server. This is a required parameter.

    /n:NamingContext Uses NamingContext as the naming context to test. Domains can be specified in NetBIOS, DNS, or distinguished name format.

    /a Tests all the servers on this site.

    /e Tests all the servers in the entire enterprise. Overrides /a.

    /q Prints only error messages.

    /v Prints extended information.

    /skip:Test Skips the specified Test. Must be used with /c. Should not be run in the same command line with /test. The only Test that cannot be skipped is Connectivity.

    /test:Test Runs only this test. The non-skippable Connectivity test is also run.

    /fix Fixes the Service Principal Names (SPNs) (1) on the domain controller's Machine Account Object.

    Troubleshooting with the Dcpromo Log Files

    Windows Server 2003 maintains Dcpromo log files that pertain to Active Directory installation. When installing or removing Active Directory using the Active Directory Installation Wizard, the following log files are created in the %Systemroot%\Debug folder:

    Dcpromoui.log

    Dcpromos.log

    Dcpromo.log

    Dcpromoui.log

    (1) A way of referring to a service principal. SPN structures often include the name of the computer on which the service is running.


    The Dcpromoui.log file contains a detailed progress report of the Active Directory installation and removal processes from a graphical interface perspective. Logging begins when the Active Directory Installation Wizard is opened and continues until the summary page appears, regardless of whether the wizard terminated prematurely or completed successfully. If the installation or removal fails, detailed error messages appear in the log immediately after the step that caused the failure. When the installation or removal process is successful, the log provides positive confirmation of that fact.

    Dcpromos.log

    The Dcpromos.log file is similar to Dcpromoui.log. Dcpromos.log is created by the user interface during the graphical user interface mode of setup when a Microsoft Windows NT 3.x-based or Microsoft Windows NT 4-based domain controller is promoted to a Windows 2000 domain controller.

    Dcpromo.log

    The Dcpromo.log file records settings used for promotion or demotion, such as the site name, the path for the Active Directory database and log files, time synchronization, and information about the computer account. The Dcpromo.log file captures the creation of the Active Directory database and Sysvol trees and the installation, modification, and removal of services. This file is created by using the Active Directory Installation Wizard.

    Troubleshooting with Ntdsutil.exe: Active Directory Diagnostic Tool

    The Active Directory diagnostic tool (Ntdsutil) is a command-line tool that provides management facilities for Active Directory. You can use Ntdsutil to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.

    Tip In a production environment, it's recommended that you have a current backup of the system state data before using Ntdsutil.

    As part of the removal of Active Directory from a domain controller, the Active Directory Installation Wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of the NTDS Settings object, which exists as a child of the server object. You can view these objects in the Sites container in the Active Directory Sites And Services console. The NTDS Settings object is also a container that can have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate within the environment, but the NTDS Settings object is removed upon the removal of Active Directory.

    Removing Orphaned Metadata

    If the NTDS Settings object is not properly removed during the process of removing Active Directory, you can use Ntdsutil with the Metadata Cleanup option to manually remove the NTDS Settings object. Windows Server 2003 with SP1 significantly improves the functionality of the NTDS Metadata Cleanup option. Before manually removing the NTDS Settings object from any server, you must also check whether replication has occurred as a result of the removal of Active Directory.

    Removing the Domain Controller Object

    After you remove Active Directory from a domain controller, the object that represents the server in the Active Directory Sites And Services console remains. This condition occurs because the server object is a container object that can hold child objects that represent configuration data for other services installed on your computer. For this reason, the wizard does not automatically remove the server object.


    If the server object contains any child objects named NTDS Settings, these objects represent the server as a domain controller and are removed automatically when Active Directory is removed. If these objects are not removed automatically, or if removal of Active Directory cannot be performed (for example, if a computer has malfunctioning hardware), these objects must be removed by using Ntdsutil before you can delete the server object. You can safely delete the server object in the Active Directory Sites And Services console only after all services have been removed and no child objects exist. To remove the domain controller object, complete the following steps:

    1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.

    2. In the Active Directory Sites And Services console, double-click the Sites container to expand it, and then double-click the appropriate site object (the site in which the server resides) to expand the site object.

    3. Double-click the Servers container, right-click the server object, and then click Delete.

    4. When you are prompted to confirm deleting the object, click Yes. This process might not complete successfully for either of the following reasons:

    If you receive a message that states the server is a container that contains other objects, verify that the appropriate services have been stopped before you continue.


    If you receive a message that states the NTDS Settings object cannot be deleted, you might be attempting to delete an active domain controller. However, this message would only occur if the NTDS Settings object belongs to the computer that you are trying to delete. Otherwise, the delete operation will succeed.

    Troubleshooting Scenarios

    Error: The computer successfully resolved the DNS service (SRV) resource record required to locate a domain controller, but it failed to locate a domain controller for the Active Directory domain.

    Cause: The required A (address) resource records that map the name of the domain controller to its IP address do not exist in DNS.

    Solution: Verify that the required A resource records exist in DNS by using Nslookup.

    Cause: The domain controller advertised in DNS might not be connected to the network, or is connected to the network but is not running.

    Solution: Verify connectivity using ping and then verify that the domain controller is running.

    Error: The server could not dynamically register Domain Controller Locator records because the DNS servers it uses for name resolution did not find a primary authoritative zone for these resource records.

    Cause: The preferred or alternate DNS servers used by this computer for name resolution contain incorrect root hints.

    Solution: Update the root hints for the DNS servers.

    Cause: There are incorrect delegations in the DNS zones starting at the root and descending to the zone with the same name as the Active Directory domain name you specified.

    Solution: Verify DNS zone delegations by using Nslookup.

    Error: The computer receives "Domain not found," "Server not found," or "RPC server is unavailable" messages.

    Cause: Name registration or name resolution is not functioning correctly. This could be caused by a NetBIOS or DNS name registration or resolution problem, or a network connectivity problem.

    Solution: Run Netdiag /debug on the server that is experiencing the problem to evaluate NetBIOS, DNS, registration, and services. Run Dcdiag on the domain controller to evaluate network connectivity.

    Error: This computer could not locate a domain controller for the Active Directory domain displayed in the error message because the DNS servers used by this computer for name resolution failed to look up the service (SRV) resource record.

    Cause: The DNS SRV resource record is not registered in DNS.

    Solution: Verify that the SRV resource record for the requested domain and service type exists in DNS by using Nslookup on a domain controller for the Active Directory domain you entered.

    Cause: One or more of the zones listed in the error message do not include a delegation to its child zone.


    Solution: Verify DNS zone delegations by using Nslookup.
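    The DNS checks described under "Verifying the DNS Configuration" (the SRV records Netlogon writes to Netlogon.dns) and in the troubleshooting scenarios above (an SRV record that resolves but whose target has no A record, or a locator SRV record that was never registered) can be automated. The following added example, not part of the original document, parses records in the Netlogon.dns layout and reports both conditions; the domain name, site name, host names, addresses and the record sample are constructed, and the list of expected locator names is the subset this check requires.

```python
"""Check the locator SRV records a domain controller registers via Netlogon.

Added example, not part of the original document. Parses BIND-style lines in
the layout of %Systemroot%\\System32\\Config\\Netlogon.dns (owner TTL IN type
rdata) and reports expected locator records that are missing and SRV targets
that have no A record. Domain, site, hosts, addresses and sample are constructed.
"""
from collections import defaultdict, namedtuple

SrvRecord = namedtuple("SrvRecord", "owner priority weight port target")

# Constructed sample. The SRV lines follow the Netlogon.dns layout; the host
# A record is what Nslookup would have to return for an SRV target.
SAMPLE_RECORDS = """\
corp.example.com. 600 IN A 10.0.0.5
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.Default-First-Site-Name._sites.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.pdc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_kerberos._udp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_gc._tcp.corp.example.com. 600 IN SRV 0 100 3268 dc2.corp.example.com.
; _kpasswd._tcp is deliberately absent and dc2 has no A record
dc1.corp.example.com. 600 IN A 10.0.0.5
"""


def _norm(name):
    """DNS names are case-insensitive; drop the trailing dot of an FQDN."""
    return name.rstrip(".").lower()


def parse_records(text):
    """Return (list of SrvRecord, dict host -> set of address strings).

    ';' starts a comment. Types other than SRV and A are skipped because the
    check does not need them; malformed lines raise ValueError.
    """
    srv_records, a_records = [], defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        owner, _ttl, _cls, rtype, *rdata = fields
        if rtype.upper() == "SRV":
            if len(rdata) != 4:
                raise ValueError(f"SRV needs priority weight port target: {raw!r}")
            prio, weight, port, target = rdata
            srv_records.append(SrvRecord(_norm(owner), int(prio), int(weight),
                                         int(port), _norm(target)))
        elif rtype.upper() == "A":
            a_records[_norm(owner)].add(rdata[0])
    return srv_records, a_records


def expected_locator_names(domain, site, forest=None):
    """Subset of locator SRV owner names a DC registers for its domain and site.

    Forest-wide records (_gc) live under the forest root; forest=None assumes
    a single-domain forest, so the domain name is used.
    """
    domain, site, forest = _norm(domain), site.lower(), _norm(forest or domain)
    return {
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_gc._tcp.{forest}",
    }


def check_locator_records(text, domain, site, forest=None):
    """Return (missing SRV owner names, SRV targets lacking an A record)."""
    srv_records, a_records = parse_records(text)
    present = {r.owner for r in srv_records}
    missing = sorted(expected_locator_names(domain, site, forest) - present)
    unresolved = sorted({r.target for r in srv_records} - set(a_records))
    return missing, unresolved


if __name__ == "__main__":
    missing, unresolved = check_locator_records(
        SAMPLE_RECORDS, "corp.example.com", "Default-First-Site-Name")
    print("missing SRV records:", missing or "none")
    print("SRV targets without an A record:", unresolved or "none")
```

    On a real server, feed the script the contents of Netlogon.dns plus the A records returned by Nslookup for each SRV target; an empty result for both lists is the expected state after a successful installation.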
