Using the Active Directory Installation Wizard
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Using the Active Directory Installation Wizard
The Active Directory Installation Wizard installs and configures domain controllers, which provide network users and computers access to the Active Directory directory service. You can install Active Directory on any member server (except those with restrictive license agreements) using the Active Directory Installation Wizard. Using the wizard, you will define one of the following roles for the new domain controller:
New forest (also a new domain)
For a checklist about creating a new forest, see Checklist: Creating a new forest.
New child domain
For a checklist about creating a child domain, see Checklist: Creating a new child domain.
New domain tree in an existing forest
For a checklist about creating a new domain tree, see Checklist: Creating a new domain tree.
An additional domain controller in an existing domain.
For a checklist about creating an additional domain controller, see Checklist: Creating an additional domain controller in an existing domain.
Before using the Active Directory Installation Wizard, consider DNS configuration and support for existing applications.
By default, the Active Directory Installation Wizard attempts to locate an authoritative DNS server for the new domain from its list of configured DNS servers that will accept a dynamic update of a service (SRV) resource record. If found, all the appropriate records for the domain controller are automatically registered with the DNS server after the domain controller is restarted.
If a DNS server that can accept dynamic updates is not found, either because the DNS server does not support dynamic updates or dynamic updates are not enabled for the domain, then the Active Directory Installation Wizard will take the following steps to ensure that the installation process is completed with the necessary registration of the SRV resource records:
The DNS service is installed on the domain controller and is automatically configured with a zone based on the Active Directory domain.
For example, if the domain that you chose for your first domain in the forest is example.microsoft.com, then a zone rooted at the DNS domain name of example.microsoft.com is added and configured to use the DNS Server service on the new domain controller.
A text file containing the appropriate DNS resource records for the domain controller is created.
The file called Netlogon.dns is created in the systemroot\System32\Config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Net Logon service and supports Active Directory on servers running non-Windows Server 2003 DNS.
If you are using a DNS server that supports the SRV resource record but does not support dynamic updates (such as a UNIX-based DNS server or a Windows NT DNS server), you can import the records in Netlogon.dns into the appropriate primary zone file to manually configure the primary zone on that server to support Active Directory.
If no DNS servers are available on the network, you can choose the option to automatically install and configure a local DNS server when you install Active Directory using the Active Directory Installation Wizard. The DNS server will be installed on the server on which you are running the wizard, and the server's preferred DNS server setting will be configured to use the new local DNS server.
Before running the Active Directory Installation Wizard, ensure that the authoritative DNS zone allows dynamic updates and that the DNS server hosting the zone supports the DNS SRV resource record. For more information, see Checklist: Verifying DNS before installing Active Directory.
For more information, see Configure a DNS server for use with Active Directory. For general information about DNS integration with Active Directory, see DNS integration.
Support for existing applications
On servers running Windows NT 4.0 and earlier, read access for user and group information is assigned to anonymous users so that existing applications and some non-Microsoft applications function correctly.
On servers running Windows 2000 and Windows Server 2003, members of the Anonymous Logon group have read access to this information only when the group is added to the Pre-Windows 2000 Compatible Access group.
Using the Active Directory Installation Wizard, you can choose if you want the Anonymous Logon group and the Everyone security groups to be added to the Pre-Windows 2000 Compatible Access group by selecting the Permissions compatible with pre-Windows 2000 Server operating systems option. To prevent members of the Anonymous Logon group from gaining read access to user and group information, choose the Permissions compatible only with Windows Server 2003 operating systems option.
When upgrading a domain controller from Windows 2000 to a Windows Server 2003 operating system, if the Everyone security group is already a member of the pre-Windows 2000 Compatible Access security group (indicating backward compatibility settings), the Anonymous Logon security group will be added as a member of the pre-Windows 2000 Compatible Access security group during the upgrade.
You can manually switch between the backward compatible and high-security settings on Active Directory objects by adding the Anonymous Logon security group to the pre-Windows 2000 Compatible Access security group using Active Directory Users and Computers. For more information about adding members to a group, see Add a member to a group. For more information about default groups, see Default groups and Special identities.
If you select the Permissions compatible only with Windows Server 2003 operating systems check box when installing Active Directory and find that your applications are not functioning correctly, try resolving the problem by manually adding the special group Everyone to the Pre-Windows 2000 Compatible Access security group, and then restarting the domain controllers in the domain. Once you have upgraded to applications compatible with the Windows Server 2003 family, you should return to the more secure Windows Server 2003 operating system configuration by removing the Everyone group from the Pre-Windows 2000 Compatible Access security group and restarting the domain controllers in the affected domain.