Installing a Domain Controller in an Existing Domain
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This task covers the installation of Active Directory onto a Windows Server 2003 system that will become a domain controller in an existing Active Directory domain. To ensure successful installation of a new domain controller, you should verify that all critical services that Active Directory depends on are configured following Microsoft best practices. For more information about best practices for planning, testing, and deploying Active Directory, see Designing and Deploying Directory and Security Services on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=27638).
The following tool is required to perform the procedure for this task:
To complete this task, perform the following procedure:
By default, when a domain controller account is added to the existing Active Directory domain, it is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over this domain controller account, which is not a recommended configuration. For example, members of the Account Operators group will be able to reset this domain controller’s password. Because the Account Operators group has significant power in the domain, we recommend that you add members to it with caution. For a detailed description of the Account Operators group, see Default groups (http://go.microsoft.com/fwlink/?LinkID=131422). To modify permissions for Account Operators on a computer account, you can use the Active Directory Users and Computers snap-in and complete the following steps:
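To check which domain controller accounts still carry the full-control ACE described above, the following read-only audit can be run. It is an added example, not part of the original Microsoft procedure and not a replacement for the snap-in steps. It assumes Windows PowerShell with the .NET System.DirectoryServices classes, a domain-joined computer, and an account that can read the ACLs of computer objects.

```powershell
# Added example: list domain controller computer accounts whose ACL grants
# BUILTIN\Account Operators full control (GenericAll). Read-only; changes nothing.

# Well-known SID of the built-in Account Operators group.
$accountOpsSid = 'S-1-5-32-548'
$fullControl   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$sidType       = [System.Security.Principal.SecurityIdentifier]

# Find the current domain's naming context from RootDSE.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.psbase.Properties['defaultNamingContext'].Value

# Domain controller accounts have the SERVER_TRUST_ACCOUNT bit (0x2000 = 8192)
# set in userAccountControl; the OID below is the LDAP bitwise-AND matching rule.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PageSize   = 500

foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    $dn    = $entry.psbase.Properties['distinguishedName'].Value

    # Include explicit and inherited ACEs, with trustees returned as SIDs.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        $isAccountOps = $rule.IdentityReference.Value -eq $accountOpsSid
        $isAllow      = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        $isFull       = ([int]$rule.ActiveDirectoryRights -band $fullControl) -eq $fullControl

        if ($isAccountOps -and $isAllow -and $isFull) {
            # One line per finding: the account and whether the ACE is inherited.
            'Account Operators full control: {0} (inherited={1})' -f $dn, $rule.IsInherited
        }
    }
}
```

No output means no domain controller account in the current domain grants Account Operators full control. An entry reported with inherited=True gets the ACE from a parent container rather than from the computer object itself.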
You can also install Active Directory from installation media or by performing an unattended installation. For information about completing each of these tasks, see the following: