Installing a Domain Controller in an Existing Domain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This task covers the installation of Active Directory onto a Windows Server 2003 system that will become a domain controller in an existing Active Directory domain. To ensure successful installation of a new domain controller, you should verify that all critical services that Active Directory depends on are configured following Microsoft best practices. For more information about best practices for planning, testing, and deploying Active Directory, see Designing and Deploying Directory and Security Services on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=27638).

Task Requirements

The following tool is required to perform the procedure for this task:

Dcpromo.exe

To complete this task, perform the following procedure:

Note

By default, when a domain controller account is added to the existing Active Directory domain, it is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over this domain controller account. This is not a recommended configuration. For example, members of the Account Operators group will be able to reset this domain controller’s password. Because the Account Operators group has significant power in the domain, we recommend that you add members to it with caution. For a detailed description of the Account Operators group, see Default groups (https://go.microsoft.com/fwlink/?LinkID=131422). To modify permissions for Account Operators on a computer account, you can use the Active Directory Users and Computers snap-in and complete the following steps:

  1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. In the console tree, right-click the affected domain controller account and then click Properties.

  3. On the Security tab, select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.
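To find which domain controller accounts still carry the ACE described in the note, the following read-only PowerShell audit can be run before opening each account's Security tab. It is an added example, not part of the original article; it assumes a domain-joined host with PowerShell available and read access to the directory, and the output property names are illustrative.

```powershell
# Added audit example (not from the original article).
# Reports domain controller computer accounts whose DACL contains an
# Allow ACE granting Account Operators full control (GenericAll).
# Assumption: run from a domain-joined host by a user who can read the directory.

# BUILTIN\Account Operators has the well-known SID S-1-5-32-548.
$accountOps  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-548'
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) identifies domain controllers.
$filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher = [adsisearcher]$filter
$searcher.PageSize = 500

foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()

    # Explicit and inherited ACEs, with trustees returned as SIDs so the
    # comparison does not depend on a localized group name.
    $rules = $entry.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $isAccountOps = $rule.IdentityReference.Value -eq $accountOps.Value
        $isAllow      = $rule.AccessControlType -eq $allow
        $isFull       = ($rule.ActiveDirectoryRights -band $fullControl) -eq $fullControl

        if ($isAccountOps -and $isAllow -and $isFull) {
            New-Object PSObject -Property @{
                DomainController = [string]$entry.Properties['distinguishedName'].Value
                Trustee          = $rule.IdentityReference.Value
                Rights           = $rule.ActiveDirectoryRights
                IsInherited      = $rule.IsInherited
            }
        }
    }
}
```

Each object returned is a domain controller account to review with the steps above. No output means no matching full-control ACE was found on any domain controller account.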

You can also install Active Directory from installation media or by performing an unattended installation. For information about completing each of these tasks, see the following:

Installing a Domain Controller in an Existing Domain Using Restored Backup Media

Performing an Unattended Installation of Active Directory