共用方式為


Domain controller role: Configuring a domain controller

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Domain controller role: Configuring a domain controller

This topic is about configuring a domain controller that runs Windows Server 2003. For more information about installing Active Directory Domain Services in Windows Server 2008, see AD DS Installation and Removal Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=139657).

Domain controllers store data and manage user and domain interactions, including user logon processes, authentication, and directory searches. If you plan to use this server to provide the Active Directory directory service to network users and computers, configure this server as a domain controller.

To configure a server as a domain controller, install Active Directory on the server. There are four options available in the Active Directory Installation Wizard. You can create an additional domain controller in an existing domain, a domain controller for a new child domain, a domain controller for a new domain tree, or a domain controller for a new forest. If you are not sure which role you need, read about each role by clicking the role option.

Notes

  • If you have already installed a domain controller role and you want to view next steps, in the list below, click the domain controller configuration that you installed, and then click Next steps: Completing additional tasks.

  • If you need to reconfigure your server for a different role, you can remove existing server roles. By removing the domain controller role, you will uninstall Active Directory from this server. After Active Directory has been uninstalled, this server will no longer participate in replication of directory objects and domain-based user authentication requests. For more information, see the sections below.

Click the type of domain controller role that you want to create:

Creating an additional domain controller for an existing domain

Creating a domain controller for a new forest

Creating a domain controller for a new child domain

Creating a domain controller for a new domain tree

Creating an additional domain controller for an existing domain

Create additional domain controllers when you want to improve the availability and reliability of network services. By adding additional domain controllers, you can provide fault tolerance, balance the load of existing domain controllers, provide additional infrastructure support to sites, and improve performance by making it easier for clients to connect to a domain controller when they log on to the network. For example, as seen in the following illustration, by adding a new domain controller (DC2) to the microsoft.com domain, it helps offset the load on other domain controllers.

New domain controller (DC2) offsets load on DC1

This topic explains the basic steps that you must follow to create an additional domain controller in your organization.

This process involves using the Configure Your Server Wizard and the Active Directory Installation Wizard to install Active Directory on this server. When you have finished setting up your domain controller, you can complete additional configuration tasks.

This topic covers:

Before you begin

Configuring your domain controller

Next steps: Completing additional tasks

Before you begin

Before you configure your server as a domain controller, verify whether or not:

  • TCP/IP configuration settings for the server are correct, particularly those used for DNS name resolution. For more information, see Configure TCP/IP to use DNS.

  • All existing disk volumes use the NTFS file system. Active Directory requires at least one NTFS volume in which to store the SYSVOL folder and its contents. FAT32 volumes are not secure, and they do not support file and folder compression, disk quotas, file encryption, or individual file permissions.

  • Windows Firewall is enabled. For more information, see Enable Windows Firewall with no exceptions.

  • The Security Configuration Wizard is installed and enabled. For information about the Security Configuration wizard, see Security Configuration Wizard Overview.

The following table lists the information that you need to know before you add a domain controller.

Before adding a domain controller role Comments

Determine which sites require a domain controller.

If your network is divided into sites, it is good practice to put at least one domain controller in each site to enhance network performance. When users log on to the network, a domain controller must be contacted as part of the logon process. If clients have to connect to a domain controller located in a different site, the logon process can take a long time.

Determine whether to add an additional domain controller over the network or through backup media taken from an existing domain controller.

With the Windows Server 2003 family, you can install Active Directory on member servers using a restored backup taken from a domain controller running Windows Server 2003. You can store this backup on any backup media (for example, tape, CD, or DVD) or a shared network resource. By using restored backup files to create an additional domain controller, you greatly reduce the network bandwidth used when you install Active Directory over a shared network resource. You still need network connectivity to replicate all new objects and recent changes for existing objects to the new domain controller. For more information about creating an additional domain controller from backup media, see Creating an additional domain controller.

Determine whether you want your new domain controller to host a global catalog.

A global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. To optimize network performance in a multiple-site environment, consider adding global catalogs for select sites. In a single-site environment, a single global catalog is usually sufficient to cover common Active Directory queries. However, in a multiple-site environment it is recommended that you use global catalogs in each site. For more information about when to add global catalogs in a multiple site environment, see Global catalogs and sites.

Domain controllers running Windows 2000 or Windows Server 2003 are available.

The domain must have at least one other domain controller running Windows 2000 or Windows Server 2003 to add an additional domain controller. Active Directory domain controllers cannot be configured as backup domain controllers (BDCs) for Windows NT domains.

Obtain the administrative credentials necessary to add a domain controller.

To add an additional domain controller to an existing domain, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

Identify the DNS domain name of the Active Directory domain to which you want to add the additional domain controller.

You need to provide the DNS domain name when you use the Active Directory Installation Wizard.

Configuring your domain controller

To configure a domain controller, start the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click Next.

This section describes each of the steps in this process and outlines the required choices and decisions you will make as you configure your domain controller.

The following sections cover these configuration steps:

Summary of Selections

Using the Active Directory Installation Wizard

Completing the Configure Your Server Wizard

Removing the domain controller role

Summary of Selections

On the Summary of Selections page of the Configure Your Server Wizard, you can view and confirm the options that you have selected. If you selected Domain Controller (Active Directory) on the previous page, the following appears:

  • Run the Active Directory Installation Wizard to configure this server as a domain controller

To apply the selections shown on the Summary of Selections page, click Next.

Using the Active Directory Installation Wizard

After you click Next, the Active Directory Installation Wizard starts automatically. If this is the first time you have installed Active Directory on a server, on the Welcome page of the Active Directory Installation Wizard, click Active Directory Helpfor more information about Active Directory.

After you finish reading about Active Directory, click Next. You can return to this page from any place in the wizard until you click Finish on the last page. On the Operating System Compatibility page, read the information and then click Next. If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.

This section describes the following steps in the Active Directory Installation Wizard:

Domain Controller Type

Network Credentials

Additional Domain Controller

Database and Log Folders

Shared System Volume

Directory Services Restore Mode Administrator Password

Summary

Domain Controller Type

On the Domain Controller Type page, click Domain controller for a new domain.

After you finish, click Next.

Network Credentials

On the Network Credentials page, type the user name, password, and user domain of the user account that you want to use.

Option Comments

User name

Type the name of a user account that has the necessary administrative credentials. The user account must be a member of the Domain Admins group (in the forest root domain), or a member of the Enterprise Admins group, or must have been delegated the appropriate authority

Password

Type the password for the user account. This should always be a strong password. For more information, see Strong passwords.

Domain

Type the full DNS name of the domain in which this user name and password are valid.

Additional Domain Controller

On the Additional Domain Controller page, type the full DNS name of the domain to which you want to add this domain controller. A full DNS name is also referred to as a fully qualified domain name (FQDN). Active Directory domains are named with DNS names and follow the same hierarchical structure of DNS.

After you finish, click Next.

Database and Log Folders

On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location. To avoid any problems with installing or removing Active Directory, it is important to confirm that you have sufficient disk space to host the directory database and log files. The Active Directory Installation Wizard requires 250 megabytes (MB) of disk space for the Active Directory database and 50 MB for the log files. It is recommended that you store these files on an NTFS partition.

After you finish, click Next.

Shared System Volume

On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location. The Sysvol folder must be stored on an NTFS volume since it contains files that are replicated between domain controllers in a domain or forest. These files include scripts, Windows NT 4.0 and earlier system policies, the NETLOGON and SYSVOL shares, and Group Policy settings.

After you finish, click Next.

Directory Services Restore Mode Administrator Password

On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the restore mode Administrator account for the server. You should use strong passwords for directory restore mode passwords. For more information, see Strong passwords.

Important

  • You must know this password to restore a backup copy of the System State for this domain controller.

You use this password when the domain controller starts in Directory Services Restore Mode. If this is the first time you have installed Active Directory on a server, click Active Directory Help for more information about the restore mode password.

After you finish, click Next.

Summary

On the Summary page, review the information, and then click Next.

After you complete the installation, click Finish. To restart your computer and implement the changes, click Restart Now.

Completing the Configure Your Server Wizard

After your server restarts, the Configure Your Server Wizard displays the This Server is Now a Domain Controller page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.

After you complete the Configure Your Server Wizard, be sure to visit Windows Update to download any additional updates that are available. For more information, see Windows Update.

In addition, you should also run the Security Configuration Wizard to further secure your domain controller. You can run Windows Firewall on a domain controller, but only if you run the Security Configuration Wizard to install and configure it. For more information see Security Configuration Wizard.

Removing the domain controller role

If you need to reconfigure your server for a different role, you can remove existing server roles. By removing the domain controller role, you will uninstall Active Directory from this server. After Active Directory has been uninstalled, this server will no longer participate in replication of directory objects and domain-based user authentication requests.

To remove the domain controller role, restart the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click Next. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove the domain controller role check box, click Next, and then follow the steps in the Active Directory Installation Wizard.

--------------------------------------------------------------------------------

Next steps: Completing additional tasks

After you complete the Active Directory Installation Wizard, the server is configured as a domain controller. You can use it to store data, manage objects, and provide information to users, computers and applications. Up to this point, you have created a new domain or additional domain controller for an existing domain.

The following table lists some of the additional tasks that you might want to perform on your domain controller.

Task Purpose of task Reference

Secure the new domain controller in a locked room.

To ensure that no one can physically access the domain controller.

Domain controllers; Securing Active Directory

Use strong encryption techniques.

To secure account password information stored on the new domain controller.

The system key utility

Creating a domain controller for a new forest

Create a domain controller for a new forest when you want to upgrade a Windows NT domain to become the first domain in a new forest, segment your network for administrative autonomy, provide a boundary to administer data, isolate the scope of directory replication, or use a noncontiguous DNS namespace that is different from an existing forest on your network. For example, as seen in the following illustration, the microsoft.com forest is the first Active Directory domain in an organization.

A forest used as the first Active Directory domain

This topic explains the basic steps that you must follow to configure a domain controller for a new forest in your organization.

This process involves using the Configure Your Server Wizard and the Active Directory Installation Wizard to install Active Directory on this server. When you have finished setting up your domain controller, you can complete additional configuration tasks.

This topic covers:

Before you begin

Configuring your domain controller

Next steps: Completing additional tasks

Before you begin

Before you configure your server as a domain controller, verify whether or not:

  • TCP/IP configuration settings for the server are correct, particularly those used for DNS name resolution. For more information, see Configure TCP/IP to use DNS.

  • All existing disk volumes use the NTFS file system. Active Directory requires at least one NTFS volume in which to store the SYSVOL folder and its contents. FAT32 volumes are not secure, and they do not support file and folder compression, disk quotas, file encryption, or individual file permissions.

  • Windows Firewall is enabled. For more information, see Enable Windows Firewall with no exceptions.

  • The Security Configuration Wizard is installed and enabled. For information about the Security Configuration wizard, see Security Configuration Wizard Overview.

The following table lists the information that you need to know before you add a domain controller for a new forest.

Before adding a new domain controller role for a new forest Comments

Verify that DNS is properly configured for your organization.

You need to confirm that DNS is properly configured on your network and that it supports dynamic updates and service (SRV) resource records. If you are setting up Active Directory for the first time in your organization, and you do not currently have a DNS infrastructure configured, the Active Directory Installation Wizard sets up and configures DNS on this server during the Active Directory installation process. Active Directory requires DNS to function and share the same hierarchical domain structure. For example, microsoft.com is a DNS domain and an Active Directory domain.

Obtain the administrative credentials necessary to create a forest.

To create a new forest, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority.

Configuring your domain controller

To configure a domain controller, start the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click Next.

This section describes each of the steps in this process and outlines the required choices and decisions you will make as you configure your domain controller. The following sections cover these configuration steps:

Summary of Selections

Using the Active Directory Installation Wizard

Completing the Configure Your Server Wizard

Removing the domain controller role

Summary of Selections

On the Summary of Selections page of the Configure Your Server Wizard, you can view and confirm the options that you have selected. If you selected Domain Controller (Active Directory) on the previous page, the following appears:

  • Run the Active Directory Installation Wizard to configure this server as a domain controller

To apply the selections shown on the Summary of Selections page, click Next.

Using the Active Directory Installation Wizard

After you click Next, the Active Directory Installation Wizard starts automatically. If this is the first time you have installed Active Directory on a server, on the Welcome page of the Active Directory Installation Wizard click Active Directory Helpfor more information about Active Directory.

After you finish reading about Active Directory, click Next. You can return to this page from any place in the wizard until you click Finish on the last page. On the Operating System Compatibility page, read the information and then click Next. If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.

This section describes the following steps in the Active Directory Installation Wizard:

Domain Controller Type

Create New Domain

New Domain Name

NetBIOS Domain Name

Database and Log Folders

Shared System Volume

DNS Registration Diagnostics

Permissions

Directory Services Restore Mode Administrator Password

Summary

Domain Controller Type

On the Domain Controller Type page, click Domain controller for a new domain.

After you finish, click Next.

Create New Domain

On the Create New Domain page, click Domain in a new forest.

After you finish, click Next.

New Domain Name

On the New Domain Name page, type the full DNS name for the new domain. Provide a full DNS name for the new Active Directory forest that you are about to create (for example, headquarters.example.microsoft.com). A full DNS name is also referred to as a fully qualified domain name (FQDN). Active Directory domains are named with DNS names and follow the same hierarchical structure of DNS. When choosing DNS names to use for your Active Directory forest, start with the registered DNS domain suffix that your organization has reserved for use on the Internet, such as microsoft.com.

Although Dcpromo.exe in Windows Server 2008 and Windows Server 2003 allows you to create a single-label DNS domain name, you should not use a single-label DNS name for a domain for several reasons. In Windows Server 2008 R2, Dcpromo.exe does not allow you to create a single-label DNS name for a domain. For more information, see https://go.microsoft.com/fwlink/?LinkId=92467.

After you finish, click Next.

NetBIOS Domain Name

On the NetBIOS Domain Name page, verify the NetBIOS name. Although Active Directory domains are named according to DNS naming standards, you still need to define a NetBIOS name when you create Active Directory domains. NetBIOS names should match the first label of the DNS domain name whenever possible. When the Active Directory domain has a first label DNS name that is different from its NetBIOS name, the FQDN is constructed using the DNS domain name, not the NetBIOS name. For example, if the first label in the full DNS domain name is "child" (child.microsoft.com is the FQDN) and the NetBIOS domain name is "sales", the FQDN remains "child.microsoft.com".

After you finish, click Next.

Database and Log Folders

On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location. To avoid any problems with installing or removing Active Directory, it is important to confirm that you have sufficient disk space to host the directory database and log files. The Active Directory Installation Wizard requires 250 megabytes (MB) of disk space for the Active Directory database and 50 MB for the log files. It is recommended that you store these files on an NTFS partition.

After you finish, click Next.

Shared System Volume

On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location. The Sysvol folder must be stored on an NTFS volume since it contains files that are replicated between domain controllers in a domain or forest. These files include scripts, Windows NT 4.0 and earlier system policies, the NETLOGON and SYSVOL shares, and Group Policy settings.

After you finish, click Next.

DNS Registration Diagnostics

On the DNS Registration Diagnostics page, verify that the DNS settings are correct.

If a diagnostic error appears under Diagnostic Results, click Help for more information about how to resolve the error.

After you finish, click Next.

Permissions

On the Permissions page, click the level of application compatibility that you want with pre-Windows 2000, Windows 2000, or Windows Server 2003 operating systems.

On servers running Windows NT 4.0 and earlier, read access for user and group information is assigned to anonymous users so that existing applications, including Microsoft BackOffice, SQL Server, and some non-Microsoft applications, function correctly. In Windows 2000 and the Windows Server 2003 family, members of the Anonymous Logon group have read access to this information only when the group is added to the Pre-Windows 2000 Compatible Access group.

Option Comments

Permissions compatible with pre-Windows 2000 server operating systems

Click this option if you want the Anonymous Logon group and the Everyone security groups to be added to the Pre-Windows 2000 Compatible Access group.

Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems

Click this option to prevent members of the Anonymous Logon group from gaining read access to user and group information.

After you select one of these options, you can manually switch between the backward compatible and high-security settings on Active Directory objects. To do this, open Active Directory Users and Computers, and then add the Anonymous Logon security group to the pre-Windows 2000 Compatible Access security group.

After you finish, click Next.

Directory Services Restore Mode Administrator Password

On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the restore mode Administrator account for the server. You should use strong passwords for directory restore mode passwords. For more information, see Strong passwords.

Important

  • You must know this password to restore a backup copy of the System State for this domain controller.

You use this password when the domain controller starts in Directory Services Restore Mode. If this is the first time you have installed Active Directory on a server, click Active Directory Help for more information about the restore mode password.

After you finish, click Next.

Summary

On the Summary page, review the information, and then click Next.

After you complete the installation, click Finish. To restart your computer and implement the changes, click Restart Now.

Completing the Configure Your Server Wizard

After your server restarts, the Configure Your Server Wizard displays the This Server is Now a Domain Controller page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.

After you complete the Configure Your Server Wizard, be sure to visit Windows Update to download any additional updates that are available. For more information, see Windows Update.

In addition, you should also run the Security Configuration Wizard to further secure your domain controller. You can run Windows Firewall on a domain controller, but only if you run the Security Configuration Wizard to install and configure it. For more information see Security Configuration Wizard.

Removing the domain controller role

If you need to reconfigure your server for a different role, you can remove existing server roles. By removing the domain controller role, you will uninstall Active Directory from this server. After Active Directory has been uninstalled, this server will no longer participate in replication of directory objects and domain-based user authentication requests.

To remove the domain controller role, restart the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click Next. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove the domain controller role check box, click Next, and then follow the steps in the Active Directory Installation Wizard.

Next steps: Completing additional tasks

After you complete the Active Directory Installation Wizard, the server is configured as a domain controller. You can use it to store data, manage objects, and provide information to users, computers and applications. Up to this point, you have created a domain controller for a new forest.

The following table lists some of the additional tasks that you might want to perform on your domain controller.

Task Purpose of task Reference

Secure the new domain controller in a locked room.

To ensure that no one can physically access the domain controller.

Domain controllers; Securing Active Directory

Use strong encryption techniques.

To secure account password information stored on the new domain controller.

The system key utility

Verify and authenticate the validity of each user.

To enhance forest-wide security by using public key cryptography.

Public Key Infrastructure

Require all domain users to use strong passwords.

To prevent unauthorized access to your organization.

Strong passwords

Enable audit policy.

To receive notification of actions that could pose a security risk.

Auditing Policy

Enforce account lockouts on user accounts.

To decrease the possibility of an attacker compromising your domain through repeated logon attempts.

User and computer accounts

Enforce password history on user accounts.

To decrease the possibility of an attacker compromising your domain.

Enforce password history

Enforce minimum and maximum password ages on user accounts.

To decrease the possibility of an attacker compromising your domain.

Minimum password age; Maximum password age

Implement SID Filtering.

To prevent attacks from malicious users who might try to grant elevated user rights to another user account.

"Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege Attacks" at the Microsoft Web site.(https://www.microsoft.com/)

Implement smart cards.

To provide tamper-resistant user authentication and e-mail security.

Smart cards overview

Restrict user, group, and computer access to shared resources and filter Group Policy settings.

To secure resources.

Group types

Create forest trusts (as appropriate)

To manage the security relationship between two forests, and simplify security administration and authentication across forests.

Forest trusts

Assign user rights to new security groups.

To specifically define the administrative role of members in the domain.

Group types

Creating a domain controller for a new child domain

Create a domain controller for a new child domain when you want to create a domain that shares a contiguous namespace with one or more existing domains. This means that the name of the new domain contains the full name of the parent domain. For example, as seen in the following illustration, child.microsoft.com is a child domain of microsoft.com. As a best practice, create new domains as children of the forest root domain.

A child domain used to form a contiguous namespace

This topic explains the basic steps that you must follow to configure a domain controller for a new child domain in your organization.

This process involves using the Configure Your Server Wizard and the Active Directory Installation Wizard to install Active Directory on this server. When you have finished setting up your domain controller, you can complete additional configuration tasks.

This topic covers:

Before you begin

Configuring your domain controller

Next steps: Completing additional tasks

Before you begin

Before you configure your server as a domain controller, verify whether or not:

  • TCP/IP configuration settings for the server are correct, particularly those used for DNS name resolution. For more information, see Configure TCP/IP to use DNS.

  • All existing disk volumes use the NTFS file system. Active Directory requires at least one NTFS volume in which to store the SYSVOL folder and its contents. FAT32 volumes are not secure, and they do not support file and folder compression, disk quotas, file encryption, or individual file permissions.

  • Windows Firewall is enabled. For more information, see Enable Windows Firewall with no exceptions.

  • The Security Configuration Wizard is installed and enabled. For information about the Security Configuration wizard, see Security Configuration Wizard Overview.

The following table lists the information that you need to know before you add a domain controller.

Before adding a domain controller Comments

Identify the DNS domain name of the Active Directory domain to which you want to add the domain controller.

You need to provide the DNS domain name for the parent domain of this new child domain.

Verify that the network speed is adequate when installing Active Directory.

The server on which you want to install Active Directory and create a child domain should have access to the network over a high-speed connection.

Determine which sites require a domain controller.

If your network is divided into sites, it is good practice to put at least one domain controller in each site to enhance network performance. When users log on to the network, a domain controller must be contacted as part of the logon process. If clients have to connect to a domain controller located in a different site, the logon process can take a long time.

Determine whether you want your new domain controller to host a global catalog.

A global catalog stores a copy of all Active Directory objects in a forest on a domain controller. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. To optimize network performance in a multiple-site environment, consider adding global catalogs for select sites. In a single-site environment, a single global catalog is usually sufficient to cover common Active Directory queries. However, in a multiple-site environment it is recommended that you use global catalogs in each site. For more information about when to add global catalogs in a multiple site environment, see Global catalogs and sites.

Obtain the administrative credentials necessary to create a child domain.

To add a new child domain, you must be a member of the Domain Admins group (in the parent domain) or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

Configuring your domain controller

To configure a domain controller, start the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click Next.

This section describes each of the steps in this process and outlines the required choices and decisions you will make as you configure your domain controller.

The following sections cover these configuration steps:

Summary of Selections

Using the Active Directory Installation Wizard

Completing the Configure Your Server Wizard

Removing the domain controller role

Summary of Selections

On the Summary of Selections page of the Configure Your Server Wizard, you can view and confirm the options that you have selected. If you selected Domain Controller (Active Directory) on the previous page, the following appears:

  • Run the Active Directory Installation Wizard to configure this server as a domain controller

To apply the selections shown on the Summary of Selections page, click Next.

Using the Active Directory Installation Wizard

After you click Next, the Active Directory Installation Wizard starts automatically. If this is the first time you have installed Active Directory on a server, on the Welcome page of the Active Directory Installation Wizard, click Active Directory Helpfor more information about Active Directory.

After you finish reading about Active Directory, click Next. You can return to this page from any place in the wizard until you click Finish on the last page. On the Operating System Compatibility page, read the information and then click Next. If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.

This section describes the following steps in the Active Directory Installation Wizard:

Domain Controller Type

Create New Domain

Network Credentials

Child Domain Installation

NetBIOS Domain Name

Database and Log Folders

Shared System Volume

DNS Registration Diagnostics

Permissions

Directory Services Restore Mode Administrator Password

Summary

Domain Controller Type

On the Domain Controller Type page, click Domain controller for a new domain.

After you finish, click Next.

Create New Domain

On the Create New Domain page, click Child domain in an existing domain tree.

After you finish, click Next.

Network Credentials

On the Network Credentials page, type the user name, password, and domain of the user account that you want to use.

Option Comments

User name

Type the name of a user account that has the necessary administrative credentials. The user account must be a member of the Domain Admins group (in the parent domain), or a member of the Enterprise Admins group, or must have been delegated the appropriate authority.

Password

Type the password for the user account. This should always be a strong password. For more information, see Strong passwords.

Domain

Type the full DNS name of the domain in which this user name and password are valid.

After you finish, click Next.

Child Domain Installation

On the Child Domain Installation page, verify the parent domain, and then the name for the new child domain. Active Directory domains are named with DNS names and follow the same hierarchical structure of DNS. When choosing DNS names to use for your child domain, consider names with either geographical or divisional scope within your organization (for example, newyork.microsoft.com or sales.microsoft.com).

Following the DNS standards, domain names are fully qualified domain names (FQDN), which consist of the name of the domain appended to the names of the parent domains and root domains using the dot (.) character format. For example, an Active Directory domain named "child" and a parent domain named "microsoft.com" have an FQDN (also referred to as a complete DNS name) of "child.microsoft.com".

After you finish, click Next.

NetBIOS Domain Name

On the NetBIOS Domain Name page, verify the NetBIOS name. Although Active Directory domains are named according to DNS naming standards, you still need to define a NetBIOS name when you create Active Directory domains. NetBIOS names should match the first label of the DNS domain name whenever possible. When the Active Directory domain has a first label DNS name that is different from its NetBIOS name, the FQDN is constructed using the DNS domain name, not the NetBIOS name. For example, if the first label in the full DNS domain name is "child" (child.microsoft.com is the FQDN) and the NetBIOS domain name is "sales", the FQDN remains "child.microsoft.com".

Database and Log Folders

On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next. To avoid any problems with installing or removing Active Directory, it is important to confirm that you have sufficient disk space to host the directory database and log files. The Active Directory Installation Wizard requires 250 megabytes (MB) of disk space for the Active Directory database and 50 MB for the log files. It is recommended that you store these files on an NTFS partition.

After you finish, click Next.

Shared System Volume

On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location. The Sysvol folder must be stored on an NTFS volume since it contains files that are replicated between domain controllers in a domain or forest. These files include scripts, Windows NT 4.0 and earlier system policies, the NETLOGON and SYSVOL shares, and Group Policy settings.

After you finish, click Next.

DNS Registration Diagnostics

On the DNS Registration Diagnostics page, verify that the DNS settings are correct.

If a diagnostic error appears under Diagnostic Results, click Help for more information about how to resolve the error.

After you finish, click Next.

Permissions

On the Permissions page, click the level of application compatibility that you want with pre-Windows 2000, Windows 2000, or Windows Server 2003 operating systems.

On servers running Windows NT 4.0 and earlier, read access for user and group information is assigned to anonymous users so that existing applications, including Microsoft BackOffice, SQL Server, and some non-Microsoft applications, function correctly. In Windows 2000 and the Windows Server 2003 family, members of the Anonymous Logon group have read access to this information only when the group is added to the Pre-Windows 2000 Compatible Access group.

Option Comments

Permissions compatible with pre-Windows 2000 server operating systems

Click this option if you want the Anonymous Logon group and the Everyone security groups to be added to the Pre-Windows 2000 Compatible Access group.

Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems

Click this option to prevent members of the Anonymous Logon group from gaining read access to user and group information.

After you select one of these options, you can manually switch between the backward compatible and high-security settings on Active Directory objects. To do this, open Active Directory Users and Computers, and then add the Anonymous Logon security group to the pre-Windows 2000 Compatible Access security group.

After you finish, click Next.

Directory Services Restore Mode Administrator Password

On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the restore mode Administrator account for the server. You should use strong passwords for directory restore mode passwords. For more information, see Strong passwords.

Important

  • You must know this password to restore a backup copy of the System State for this domain controller.

You use this password when the domain controller starts in Directory Services Restore Mode. If this is the first time you have installed Active Directory on a server, click Active Directory Help for more information about the restore mode password.

After you finish, click Next.

Summary

On the Summary page, review the information, and then click Next.

After you complete the installation, click Finish. To restart your computer and implement the changes, click Restart Now.

Completing the Configure Your Server Wizard

After your server restarts, the Configure Your Server Wizard displays the This Server is Now a Domain Controller page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.

After you complete the Configure Your Server Wizard, be sure to visit Windows Update to download any additional updates that are available. For more information, see Windows Update.

In addition, you should also run the Security Configuration Wizard to further secure your domain controller. You can run Windows Firewall on a domain controller, but only if you run the Security Configuration Wizard to install and configure it. For more information see Security Configuration Wizard.

Removing the domain controller role

If you need to reconfigure your server for a different role, you can remove existing server roles. By removing the domain controller role, you will uninstall Active Directory from this server. After Active Directory has been uninstalled, this server will no longer participate in replication of directory objects and domain-based user authentication requests.

To remove the domain controller role, restart the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click Next. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove the domain controller role check box, click Next, and then follow the steps in the Active Directory Installation Wizard.

Next steps: Completing additional tasks

After you complete the Active Directory Installation Wizard, the server is configured as a domain controller. You can use it to store data, manage objects, and provide information to users, computers and applications. Up to this point, you have created a new domain or additional domain controller for an existing domain.

The following table lists some of the additional tasks that you might want to perform on your domain controller.

Task Purpose of task Reference

Secure the new domain controller in a locked room.

To ensure that no one can physically access the domain controller.

Domain controllers; Securing Active Directory

Use strong encryption techniques.

To secure account password information stored on the new domain controller.

The system key utility

Require all domain users to use strong passwords.

To prevent unauthorized access to your organization.

Strong passwords

Enable audit policy.

To receive notification of actions that could pose a security risk.

Auditing Policy

Enforce account lockouts on user accounts.

To decrease the possibility of an attacker compromising your domain through repeated logon attempts.

User and computer accounts

Enforce password history on user accounts.

To decrease the possibility of an attacker compromising your domain.

Enforce password history

Enforce minimum and maximum password ages on user accounts.

To decrease the possibility of an attacker compromising your domain.

Minimum password age; Maximum password age

Implement SID Filtering.

To prevent attacks from malicious users who might try to grant elevated user rights to another user account.

"Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege Attacks" at the Microsoft Web site.(https://www.microsoft.com/)

Implement smart cards.

To provide tamper-resistant user authentication and e-mail security.

Smart cards overview

Restrict user, group, and computer access to shared resources and filter Group Policy settings.

To secure resources.

Group types

Assign user rights to new security groups.

To specifically define the administrative role of members in the domain.

Group types

Creating a domain controller for a new domain tree

Create a domain controller for a new domain tree when you want to create a domain that has a DNS namespace that is not related to the other domains in the forest. This means that the name of the tree root domain (and all of its children) does not have to contain the full name of the parent domain. A forest can contain one or more domain trees. For example, as seen in the following illustration, msn.com is a new domain tree in the microsoft.com forest.

Art Image

This topic explains the basic steps that you must follow to configure a domain controller for a new domain tree in your organization.

This process involves using the Configure Your Server Wizard and the Active Directory Installation Wizard to install Active Directory on this server. When you have finished setting up your domain controller, you can complete additional configuration tasks.

This topic covers:

Before you begin

Configuring your domain controller

Next steps: Completing additional tasks

Before you begin

Before you configure your server as a domain controller, verify whether or not:

  • TCP/IP configuration settings for the server are correct, particularly those used for DNS name resolution. For more information, see Configure TCP/IP to use DNS.

  • All existing disk volumes use the NTFS file system. Active Directory requires at least one NTFS volume in which to store the SYSVOL folder and its contents. FAT32 volumes are not secure, and they do not support file and folder compression, disk quotas, file encryption, or individual file permissions.

  • Windows Firewall is enabled. For more information, see Enable Windows Firewall with no exceptions.

  • The Security Configuration Wizard is installed and enabled. For information about the Security Configuration wizard, see Security Configuration Wizard Overview.

  • The following table lists the information that you need to know before you add a domain controller.

Before adding a domain controller role Comments

Verify that the network speed is adequate when installing Active Directory.

The server on which you want to install Active Directory should have access to the network over a high-speed connection.

Determine whether you want your new domain controller to host a global catalog.

A global catalog stores a copy of all Active Directory objects in a forest on a domain controller. The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. To optimize network performance in a multiple-site environment, consider adding global catalogs for select sites. In a single-site environment, a single global catalog is usually sufficient to cover common Active Directory queries. However, in a multiple-site environment it is recommended that you use global catalogs in each site. For more information about when to add global catalogs in a multiple site environment, see Global catalogs and sites.

Obtain the administrative credentials necessary to add a new domain tree.

To create a new domain tree, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

Configuring your domain controller

To configure a domain controller, start the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click Next.

This section describes each of the steps in this process and outlines the required choices and decisions you will make as you configure your domain controller. The following sections cover these configuration steps:

Summary of Selections

Using the Active Directory Installation Wizard

Completing the Configure Your Server Wizard

Removing the domain controller role

Summary of Selections

On the Summary of Selections page of the Configure Your Server Wizard, you can view and confirm the options that you have selected. If you selected Domain Controller (Active Directory) on the previous page, the following appears:

  • Run the Active Directory Installation Wizard to configure this server as a domain controller

To apply the selections shown on the Summary of Selections page, click Next.

Using the Active Directory Installation Wizard

After you click Next, the Active Directory Installation Wizard starts automatically. If this is the first time you have installed Active Directory on a server, on the Welcome page of the Active Directory Installation Wizard, click Active Directory Helpfor more information about Active Directory.

After you finish reading about Active Directory, click Next. You can return to this page from any place in the wizard until you click Finish on the last page. On the Operating System Compatibility page, read the information and then click Next. If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.

This section describes the following steps in the Active Directory Installation Wizard:

Domain Controller Type

Create New Domain

Network Credentials

New Domain Tree

NetBIOS Domain Name

Database and Log Folders

Shared System Volume

DNS Registration Diagnostics

Permissions

Directory Services Restore Mode Administrator Password

Summary

Domain Controller Type

On the Domain Controller Type page, click Domain controller for a new domain.

After you finish, click Next.

Create New Domain

On the Create New Domain page, click Domain tree in an existing forest.

After you finish, click Next.

Network Credentials

On the Network Credentials page, type the user name, password, and user domain of the user account that you want to use.

Option Comments

User name

Type the name of a user account that has the necessary administrative credentials. The user account must be a member of the Domain Admins group (in the forest root domain), or a member of the Enterprise Admins group, or must have been delegated the appropriate authority.

Password

Type the password for the user account. This should always be a strong password. For more information, see Strong passwords.

Domain

Type the full DNS name of the domain in which this user name and password are valid.

New Domain Name

On the New Domain Name page, type the full DNS name for the new domain tree. Provide a full DNS name for the new domain tree that you want to create. Active Directory domains are named with DNS names and follow the same hierarchical structure of DNS.

Following the DNS standards, domain names are fully qualified domain names (FQDN), which consist of the name of the domain appended to the names of the parent domains and root domains using the dot (.) character format.

Although Dcpromo.exe in Windows Server 2008 and Windows Server 2003 allows you to create a single-label DNS domain name, you should not use a single-label DNS name for a domain for several reasons. In Windows Server 2008 R2, Dcpromo.exe does not allow you to create a single-label DNS name for a domain. For more information, see https://go.microsoft.com/fwlink/?LinkId=92467.

Although Dcpromo.exe in Windows Server 2008 and Windows Server 2003 allows you to create a single-label DNS domain name, you should not use a single-label DNS name for a domain for several reasons. In Windows Server 2008 R2, Dcpromo.exe does not allow you to create a single-label DNS name for a domain. For more information, see https://go.microsoft.com/fwlink/?LinkId=92467.

After you finish, click Next.

NetBIOS Domain Name

On the NetBIOS Domain Name page, verify the NetBIOS name. Although Active Directory domains are named according to DNS naming standards, you still need to define a NetBIOS name when you create Active Directory domains. NetBIOS names should match the first label of the DNS domain name whenever possible. When the Active Directory domain has a first label DNS name that is different from its NetBIOS name, the FQDN is constructed using the DNS domain name, not the NetBIOS name. For example, if the first label in the full DNS domain name is "child" (child.microsoft.com is the FQDN) and the NetBIOS domain name is "sales", the FQDN remains "child.microsoft.com".

After you finish, click Next.

Database and Log Folders

On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location. To avoid any problems with installing or removing Active Directory, it is important to confirm that you have sufficient disk space to host the directory database and log files. The Active Directory Installation Wizard requires 250 megabytes (MB) of disk space for the Active Directory database and 50 MB for the log files. It is recommended that you store these files on an NTFS partition.

After you finish, click Next.

Shared System Volume

On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location. The Sysvol folder must be stored on an NTFS volume since it contains files that are replicated between domain controllers in a domain or forest. These files include scripts, Windows NT 4.0 and earlier system policies, the NETLOGON and SYSVOL shares, and Group Policy settings.

After you finish, click Next.

DNS Registration Diagnostics

On the DNS Registration Diagnostics page, verify the DNS settings are correct.

If a diagnostic error appears under Diagnostic Results, click Help for more information about how to resolve the error.

After you finish, click Next.

Permissions

On the Permissions page, click the level of application compatibility that you want with pre-Windows 2000 and Windows 2000 or Windows Server 2003 operating systems.

On servers running Windows NT 4.0 and earlier, read access for user and group information is assigned to anonymous users so that existing applications, including Microsoft BackOffice, SQL Server, and some non-Microsoft applications, function correctly. In Windows 2000 and the Windows Server 2003 family, members of the Anonymous Logon group have read access to this information only when the group is added to the Pre-Windows 2000 Compatible Access group.

Option Comments

Permissions compatible with pre-Windows 2000 server operating systems

Click this option if you want the Anonymous Logon group and the Everyone security groups to be added to the Pre-Windows 2000 Compatible Access group.

Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems

Click this option to prevent members of the Anonymous Logon group from gaining read access to user and group information.

After you select one of these options, you can manually switch between the backward compatible and high-security settings on Active Directory objects. To do this, open Active Directory Users and Computers, and then add the Anonymous Logon security group to the pre-Windows 2000 Compatible Access security group.

Directory Services Restore Mode Administrator Password

On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the restore mode Administrator account for the server. You should use strong passwords for directory restore mode passwords. For more information, see Strong passwords.

Important

  • You must know this password to restore a backup copy of the System State for this domain controller.

You use this password when the domain controller starts in Directory Services Restore Mode. If this is the first time you have installed Active Directory on a server, click Active Directory Help for more information about the restore mode password.

After you finish, click Next.

Summary

On the Summary page, review the information, and then click Next.

After you complete the installation, click Finish. To restart your computer and implement the changes, click Restart Now.

Completing the Configure Your Server Wizard

After your server restarts, the Configure Your Server Wizard displays the This Server is Now a Domain Controller page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.

After you complete the Configure Your Server Wizard, be sure to visit Windows Update to download any additional updates that are available. For more information, see Windows Update.

In addition, you should also run the Security Configuration Wizard to further secure your domain controller. You can run Windows Firewall on a domain controller, but only if you run the Security Configuration Wizard to install and configure it. For more information see Security Configuration Wizard.

Removing the domain controller role

If you need to reconfigure your server for a different role, you can remove existing server roles. By removing the domain controller role, you will uninstall Active Directory from this server. After Active Directory has been uninstalled, this server will no longer participate in replication of directory objects and domain-based user authentication requests.

To remove the domain controller role, restart the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click Next. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove the domain controller role check box, click Next, and then follow the steps in the Active Directory Installation Wizard.

Next steps: Completing additional tasks

After you complete the Active Directory Installation Wizard, the server is configured as a domain controller. You can use it to store data, manage objects, and provide information to users, computers and applications. Up to this point, you have created a new domain or additional domain controller for an existing domain.

The following table lists some of the additional tasks that you might want to perform on your domain controller.

Task Purpose of task Reference

Secure the new domain controller in a locked room.

To ensure that no one can physically access the domain controller.

Domain controllers; Securing Active Directory

Use strong encryption techniques.

To secure account password information stored on the new domain controller.

The system key utility

Require all domain users to use strong passwords.

To prevent unauthorized access to your organization.

Strong passwords

Enable audit policy.

To receive notification of actions that could pose a security risk.

Auditing Policy

Enforce account lockouts on user accounts.

To decrease the possibility of an attacker compromising your domain through repeated logon attempts.

User and computer accounts

Enforce password history on user accounts.

To decrease the possibility of an attacker compromising your domain.

Enforce password history

Enforce minimum and maximum password ages on user accounts.

To decrease the possibility of an attacker compromising your domain.

Minimum password age; Maximum password age

Implement SID Filtering.

To prevent attacks from malicious users who might try to grant elevated user rights to another user account.

"Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege Attacks" at the Microsoft Web site.(https://www.microsoft.com/)

Implement smart cards.

To provide tamper-resistant user authentication and e-mail security.

Smart cards overview

Restrict user, group, and computer access to shared resources and filter Group Policy settings.

To secure resources.

Group types

Assign user rights to new security groups.

To specifically define the administrative role of members in the domain.

Group types