Installing a domain controller

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Domain controllers provide network users and computers with the Active Directory directory service, which stores and replicates directory data and manages user interactions with the domain, including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller. You install a domain controller by installing Active Directory on any member or stand-alone server (except those with restrictive license agreements).

When you install the first domain controller in your organization, you are creating the first domain (also called the root domain) and the first forest. You can add additional domain controllers to an existing domain to provide fault tolerance, improve service availability, and balance the load of existing domain controllers.

You can also install a domain controller to create a new child domain or new domain tree. Create a new child domain when you want a new domain that shares a contiguous namespace with one or more domains. This means that the name of the new domain contains the full name of the parent domain. For example, sales.microsoft.com would be a child domain of microsoft.com. Create a new domain tree only when you need a domain whose Domain Name System (DNS) namespace is not related to the other domains in the forest. This means that the name of the new domain tree’s root domain (and all of its children) does not contain the full name of the parent domain. A forest can contain one or more domain trees.

Before installing a new domain controller, you will need to consider pre-Windows 2000 compatible security levels and identify the DNS name of the domain. For more information, see Checklist: Creating an additional domain controller in an existing domain.

The most commonly performed tasks when installing a domain controller are creating a new domain in a new forest, creating a new child domain in an existing domain tree, creating a new domain tree in an existing forest, and adding a domain controller to an existing domain.

For information about important decisions you need to make when installing a domain controller, see Using the Active Directory Installation Wizard.

To create a new domain in a new forest

  1. Open the Active Directory Installation Wizard.

  2. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.

  3. On the Create New Domain page, click Domain in a new forest, and then click Next.

  4. On the New Domain Name page, type the full DNS name for the new domain, and then click Next.

  5. On the NetBIOS Domain Name page, verify the NetBIOS name, and then click Next.

  6. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next.

  7. On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location, and then click Next.

  8. On the DNS Registration Diagnostics page, verify whether an existing DNS server will be authoritative for this forest. If necessary, choose to install and configure DNS on this server by clicking Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server. Then click Next.

  9. On the Permissions page, select one of the following:

    • Permissions compatible with pre-Windows 2000 Server operating systems

    • Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems

  10. Review the Summary page, and then click Next to begin the installation.

  11. Restart the computer.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • The server on which you perform this procedure will be promoted to the first domain controller in the forest root domain.

  • The wizard options on the Permissions page affect application compatibility with pre-Windows 2000 and Windows Server 2003 operating systems and are not related to domain functionality.

  • The Active Directory Installation Wizard allows Active Directory domain names up to 64 characters or up to 155 bytes. Although the limit of 64 characters is usually reached before the limit of 155 bytes, the opposite could be true if the name contains Unicode characters consuming three bytes. These limits do not apply to computer names.
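The two name limits in the last note are easy to misjudge by hand once a name contains non-ASCII characters. The following PowerShell function is an added example and is not part of the original Microsoft documentation: it counts both characters and UTF-8 bytes for a proposed domain name and reports which limit, if any, is exceeded. Assumptions: bytes are counted in UTF-8, the encoding in which the characters the note describes take three bytes (the page does not say how the wizard itself counts bytes), and the sample names are constructed for the example.

```powershell
# Added example (not from the original page). Checks a proposed Active
# Directory domain name against the two limits the wizard enforces:
# 64 characters or 155 bytes. Bytes are counted in UTF-8 (assumption: the
# page does not say how the wizard counts them).
function Test-AdDomainNameLength {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DnsName
    )

    $maxChars = 64
    $maxBytes = 155

    $chars = $DnsName.Length
    $bytes = [System.Text.Encoding]::UTF8.GetByteCount($DnsName)

    # The character limit is normally reached first; the byte limit wins
    # only when enough of the name is made of three-byte characters.
    $limitHit = 'none'
    if ($chars -gt $maxChars)     { $limitHit = 'characters' }
    elseif ($bytes -gt $maxBytes) { $limitHit = 'bytes' }

    New-Object PSObject -Property @{
        Name     = $DnsName
        Chars    = $chars
        Bytes    = $bytes
        LimitHit = $limitHit
        Valid    = ($limitHit -eq 'none')
    }
}

# Constructed sample names. The second is built from U+4E2D (three bytes in
# UTF-8) without embedding a non-ASCII literal, so the script file needs no
# particular encoding: 51 such characters plus '.corp' is 56 characters,
# within the 64-character limit, but 158 bytes, over the 155-byte limit.
$asciiName   = 'corp.example.com'
$cjkLabel    = ([char]0x4E2D).ToString() * 51
$unicodeName = "$cjkLabel.corp"

Test-AdDomainNameLength -DnsName $asciiName   | Format-List
Test-AdDomainNameLength -DnsName $unicodeName | Format-List
```

The first sample is valid on both counts; the second is reported with LimitHit set to 'bytes', which is exactly the case the note warns about: a name that passes the 64-character check and still cannot be used.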

To create a new child domain in an existing domain tree

  1. Open the Active Directory Installation Wizard.

  2. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.

  3. On the Create New Domain page, click Child domain in an existing domain tree, and then click Next.

  4. On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation, and then click Next.

  5. On the Child Domain Installation page, verify the parent domain and type the new child domain name, and then click Next.

  6. On the NetBIOS Domain Name page, verify the NetBIOS name, and click Next.

  7. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next.

  8. On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location, and then click Next.

  9. On the DNS Registration Diagnostics page, verify the DNS configuration settings are accurate, and then click Next.

  10. On the Permissions page, select one of the following:

    • Permissions compatible with pre-Windows 2000 Server operating systems

    • Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems

  11. On the Directory Services Restore Mode Administrator Password page, type and confirm the password you want to assign to this server's Administrator account that will be used when the computer is started in Directory Services Restore Mode, and then click Next.

  12. Review the Summary page, and then click Next to begin the installation.

  13. Restart the computer.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • The server on which you perform this procedure will be promoted to the first domain controller in a new child domain.

  • When a child domain is added to an existing domain tree, a two-way, transitive, parent and child trust is established by default.

  • The wizard options on the Permissions page affect application compatibility with pre-Windows 2000 and Windows Server 2003 operating systems and are not related to domain functionality.

  • The Active Directory Installation Wizard allows Active Directory domain names up to 64 characters or up to 155 bytes. Although the limit of 64 characters is usually reached before the limit of 155 bytes, the opposite could be true if the name contains Unicode characters consuming three bytes. These limits do not apply to computer names.

To create a new domain tree in an existing forest

  1. Open the Active Directory Installation Wizard.

  2. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.

  3. On the Create New Domain page, click Domain tree in an existing forest.

  4. On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation, and then click Next.

  5. On the New Domain Tree page, type the full DNS name for the new domain, and then click Next.

  6. On the NetBIOS Domain Name page, verify the NetBIOS name, and then click Next.

  7. On the Database and Log Folders page, type the location in which to install the database and log folders, or click Browse to choose a location, and then click Next.

  8. On the Shared System Volume page, type the location in which to install the Sysvol folder, or click Browse to choose a location, and then click Next.

  9. On the DNS Registration Diagnostics page, verify whether an existing DNS server will be authoritative for this forest. If necessary, choose to install and configure DNS on this server by clicking Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server. Then click Next.

  10. On the Permissions page, select one of the following:

    • Permissions compatible with pre-Windows 2000 Server operating systems

    • Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems

  11. On the Directory Services Restore Mode Administrator Password page, type and confirm the password you want to assign this server's Administrator account that will be used when the computer is started in Directory Services Restore Mode, and then click Next.

  12. Review the Summary page, and then click Next to begin the installation.

  13. Restart the computer.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • The server on which you perform this procedure will be promoted to the first domain controller in a new domain tree.

  • When a new domain tree is created in an existing forest, a two-way, transitive, tree root trust is established by default.

  • The wizard options on the Permissions page affect application compatibility with pre-Windows 2000 and Windows Server 2003 operating systems and are not related to domain functionality.

  • The Active Directory Installation Wizard allows Active Directory domain names up to 64 characters or up to 155 bytes. Although the limit of 64 characters is usually reached before the limit of 155 bytes, the opposite could be true if the name contains Unicode characters consuming three bytes. These limits do not apply to computer names.

To install an additional domain controller in an existing domain

  1. Open the Active Directory Installation Wizard.

  2. On the Domain Controller Type page, click Additional domain controller for an existing domain, and then click Next.

  3. On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation, and then click Next. See Note below for more information.

  4. On the Additional Domain Controller page, enter the full DNS name of the existing domain for which the server will become a domain controller, and then click Next.

  5. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next.

  6. On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location, and then click Next.

  7. On the Directory Services Restore Mode Administrator Password page, type and confirm the password you want to assign to this server's Administrator account that will be used when the computer is started in Directory Services Restore Mode, and then click Next.

  8. Review the Summary page, and then click Next to begin the installation.

  9. Restart the computer.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To create an additional domain controller from restored backup files, start the Active Directory Installation Wizard by typing dcpromo /adv at a command prompt.
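The four procedures above make the same choices on the same wizard pages, and dcpromo can take those choices from an answer file instead (dcpromo /answer:<file>). The PowerShell below is an added example, not code from the original Microsoft documentation, that writes such a file for each of the four paths: new forest, new domain tree, new child domain, and additional domain controller. It also enforces the contiguous-namespace rule from the introduction for a child domain. Assumptions: the [DCInstall] key names are the Windows 2000 and Windows Server 2003 unattended dcpromo keys as recalled by the example's author, so confirm them against the product's unattended-installation reference before use; the function and parameter names, the default folder paths, and the sample domain name are constructed for the example. The restored-backup path (dcpromo /adv) is not covered.

```powershell
# Added example (not from the original page). Writes a dcpromo answer file
# for the four wizard paths on this page, for use with dcpromo /answer:<file>.
# Assumption: the [DCInstall] key names follow the Windows 2000 / Windows
# Server 2003 unattended dcpromo format as recalled by the example's author.
function ConvertFrom-SecureStringToPlain {
    param([System.Security.SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function New-DcpromoAnswerFile {
    param(
        # Forest, Tree and Child are "Domain controller for a new domain";
        # Replica is "Additional domain controller for an existing domain".
        [Parameter(Mandatory = $true)][ValidateSet('Forest', 'Tree', 'Child', 'Replica')]
        [string]$Role,
        # Full DNS name of the new domain, or of the existing domain for Replica.
        [Parameter(Mandatory = $true)][string]$DomainDnsName,
        # Parent domain (Child only): the Child Domain Installation page.
        [string]$ParentDomainDnsName,
        # NetBIOS Domain Name page; defaults to the first DNS label, upper-cased.
        [string]$NetbiosName,
        # Network Credentials page (Tree, Child, Replica); use DOMAIN\user form.
        [System.Management.Automation.PSCredential]$Credential,
        # Directory Services Restore Mode Administrator Password page.
        [Parameter(Mandatory = $true)][System.Security.SecureString]$SafeModeAdminPassword,
        # Database and Log Folders page and Shared System Volume page.
        [string]$DatabasePath = 'C:\Windows\NTDS',
        [string]$LogPath      = 'C:\Windows\NTDS',
        [string]$SysvolPath   = 'C:\Windows\SYSVOL',
        # Permissions page: $false is "compatible only with Windows 2000 or
        # Windows Server 2003"; $true is the pre-Windows 2000 option.
        [bool]$AllowAnonymousAccess = $false,
        [Parameter(Mandatory = $true)][string]$Path
    )

    $lines = @('[DCInstall]')
    switch ($Role) {
        'Forest' {
            $lines += 'ReplicaOrNewDomain=Domain', 'TreeOrChild=Tree', 'CreateOrJoin=Create'
            $lines += "NewDomainDNSName=$DomainDnsName"
        }
        'Tree' {
            $lines += 'ReplicaOrNewDomain=Domain', 'TreeOrChild=Tree', 'CreateOrJoin=Join'
            $lines += "NewDomainDNSName=$DomainDnsName"
        }
        'Child' {
            # Contiguous namespace: the child's name is exactly one label in
            # front of the parent's full name (sales.example.com under example.com).
            if (-not $ParentDomainDnsName) { throw 'A child domain requires -ParentDomainDnsName.' }
            $suffix = ".$ParentDomainDnsName"
            if (-not $DomainDnsName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                throw "'$DomainDnsName' is not under parent '$ParentDomainDnsName'."
            }
            $childLabel = $DomainDnsName.Substring(0, $DomainDnsName.Length - $suffix.Length)
            if ($childLabel -eq '' -or $childLabel.Contains('.')) {
                throw "'$DomainDnsName' must be a single label directly under '$ParentDomainDnsName'."
            }
            $lines += 'ReplicaOrNewDomain=Domain', 'TreeOrChild=Child'
            $lines += "ParentDomainDNSName=$ParentDomainDnsName", "ChildName=$childLabel"
        }
        'Replica' {
            $lines += 'ReplicaOrNewDomain=Replica', "ReplicaDomainDNSName=$DomainDnsName"
        }
    }

    if ($Role -ne 'Replica') {
        if (-not $NetbiosName) { $NetbiosName = $DomainDnsName.Split('.')[0].ToUpper() }
        $lines += "DomainNetbiosName=$NetbiosName"
    }

    if ($Role -ne 'Forest') {
        # Every path except a new forest authenticates to an existing domain.
        if (-not $Credential) { throw "Role '$Role' requires -Credential for the existing domain." }
        $net = $Credential.GetNetworkCredential()
        if (-not $net.Domain) { throw 'Supply the credential user name as DOMAIN\user.' }
        $lines += "UserName=$($net.UserName)", "UserDomain=$($net.Domain)", "Password=$($net.Password)"
    }

    $lines += "DatabasePath=$DatabasePath", "LogPath=$LogPath", "SYSVOLPath=$SysvolPath"
    $lines += "AllowAnonymousAccess=$(if ($AllowAnonymousAccess) { 'Yes' } else { 'No' })"
    $lines += "SafeModeAdminPassword=$(ConvertFrom-SecureStringToPlain $SafeModeAdminPassword)"
    $lines += 'RebootOnSuccess=Yes'

    # The file now holds passwords in clear text: keep it on the local disk
    # only as long as dcpromo needs it, then delete it.
    Set-Content -Path $Path -Value $lines
}

# Constructed sample: the first procedure on this page, a new domain in a new forest.
$dsrm = Read-Host 'DSRM Administrator password' -AsSecureString
New-DcpromoAnswerFile -Role Forest -DomainDnsName 'corp.example.com' `
    -SafeModeAdminPassword $dsrm -Path 'C:\dcpromo-answer.txt'
# Then, at a command prompt: dcpromo /answer:C:\dcpromo-answer.txt
```

The default of $false for -AllowAnonymousAccess corresponds to the second choice on the Permissions page, the one that does not grant pre-Windows 2000 compatible access; choose the other option only for an application that the page's notes say needs it. The DSRM password is read as a SecureString and only converted when the file is written, but the answer file itself is plain text, so treat it with the same care as the password.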

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.