共用方式為


What Is the Active Directory Installation Wizard?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

What Is the Active Directory Installation Wizard?

In this section

  • Active Directory Installation Wizard Scenarios

  • Active Directory Installation Wizard Dependencies

  • Related Information

The Active Directory Installation Wizard is used to install and configure Active Directory in Windows Server 2003 and Windows 2000 Server, and to remove Active Directory when a domain controller is decommissioned. Understanding the processes that occur when the Active Directory Installation Wizard runs can help you recognize and troubleshoot issues that might arise during the installation or removal of a domain controller.

Note

This topic explains what the Active Directory Installation Wizard is for Windows Server 2003 and Windows 2000 Server. For information about using the Active Directory Domain Services Installation Wizard in Windows Server 2008 R2 and Windows Server 2008, see AD DS Installation and Removal Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=139657).

Active Directory is not installed by default on a computer running Windows Server 2003. When you install Windows Server 2003, the computer assumes the role of a standalone server or a member server that is a part of a domain. For the computer to become a domain controller, you must use the Active Directory Installation Wizard to install and configure Active Directory.

Active Directory Installation Wizard Scenarios

You can create two types of domain controllers by using the Active Directory Installation Wizard:

  • Domain controller for a new domain

  • Additional domain controller for an existing domain

When you create a domain controller for a new domain, the domain can be one of the following types:

  • Domain in a new forest.

    Select this domain type if you are creating the first domain in your organization or if you want the new domain to be independent of your existing forests. This first domain is the forest root domain.

  • Child domain in an existing domain tree.

    Select this domain type if you want the new domain to be a child of an existing domain.

  • Additional domain tree in an existing forest.

    Select this domain type if you want to create a domain tree that is separate from any existing domain trees.

    For more information about the Active Directory logical structure, see “Domains and Forests Technical Reference.”

Active Directory Installation Wizard Dependencies

Active Directory installation has the following dependencies.

Network Configuration

Unstable or problematic network configurations are either recognized during the installation of Active Directory and prohibit you from continuing, or they create complications in your environment after the installation is complete. Before installing Active Directory, ensure that your network is properly configured.

DNS Configuration

Before installing Active Directory, plan your Domain Name System (DNS) namespace to support Active Directory and determine which servers will host the DNS zones. Consider the following DNS configuration options based on your environment:

  1. Allow the Active Directory Installation Wizard to configure the DNS server.

    Consider this option if you do not have DNS configured in your environment or you have a DNS server hosted by an Internet Service Provider (ISP). During the Active Directory installation, the wizard installs and configures DNS.

    If you do not have an existing DNS configuration, the user interface portion of the Active Directory Installation Wizard gives you the opportunity to either configure the DNS client or install the DNS Server service. If the server on which Active Directory is being installed is pointing to an existing DNS server that is hosted by an ISP, that DNS server is added as a forwarder.

  2. Point to an existing DNS server.

    Configure the server on which you are installing Active Directory to point to an existing DNS server in your environment before running the Active Directory Installation Wizard.

  3. Configure DNS yourself.

    Only configure DNS yourself if you have planned your DNS namespace to support Active Directory and understand the process for configuring DNS. If you choose to configure DNS, use the following guidelines:

    • Configure the server with a static IP address.

    • Configure the DNS server settings on the TCP/IP properties page to use the local computer as the preferred DNS server. All DNS server addresses should belong to DNS servers in the forest. Do not configure DNS servers in your forest to point to ISP DNS servers. To view the current IP configuration and verify that the local computer is pointing to itself for its preferred DNS server, type ipconfig /all at the command prompt.

    • Configure the DNS Forward Lookup zone to accept dynamic updates. If dynamic updates are not allowed, all DNS record registration must be completed manually.

    • Configure the DNS server to forward DNS requests to the appropriate ISP or corporate DNS servers to ensure that names outside of the DNS namespace can be resolved.

    • If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone, identified by a zone named only with a period, or dot (.). This root zone is created by default only on Windows 2000–based DNS servers. It is not created by default on DNS servers that are running Windows Server 2003. You must delete the root zone to enable the DNS server to forward DNS requests.

Disk Space Recommendations

At minimum, a domain controller requires available free disk space for the Active Directory database, Active Directory log files, SYSVOL, and the operating system. Use the following guidelines to determine how much disk space to allot for your Active Directory installation:

  • On the drive that will contain the Active Directory database, Ntds.dit, provide 0.4 gigabytes (GB) of storage for each 1,000 users. For example, for a forest with two domains (domain A, domain B), with 10,000 and 5,000 users respectively, provide a minimum of 4 GB of disk space for each domain controller that hosts domain A and a minimum of 2 GB of disk space for each domain controller that hosts domain B.

  • On the drive containing the Active Directory log files, provide at least 500 MB of available space.

  • On the drive containing the SYSVOL shared folder, provide at least 500 MB of available space.

  • On the drive containing the Windows Server 2003 operating system files, to run setup, provide at least 1.25 GB to 2 GB of available space.

To prevent single disk failures, many organizations use a redundant array of independent disks (RAID). For domain controllers that are accessed by fewer than 1,000 users, you can locate all four components on a single RAID 1 array. For domain controllers that are accessed by more than 1,000 users, place the log files on one RAID array and keep the SYSVOL shared folder and the database together on a separate RAID array.

The above figures are recommendations only and should be tested in a lab environment before deploying Active Directory and monitored closely in your production environment. It is always a best practice to allow for future growth of objects in Active Directory. For more information about object growth and database capacity in Active Directory, see “Data Store Technical Reference.”

Client Operations

Windows Server 2003–based domain controllers implement security settings that require clients and other servers to communicate with those domain controllers in a more secure way. Windows 95–based clients and clients running Windows NT 4.0 with service pack 3 or earlier cannot meet the logon or resource access requirements of a Windows Server 2003–based domain controller. Prior to installing Active Directory, take an inventory of your client operating systems and take the necessary actions to ensure continued access to domain controllers in your environment.

For more information about new security settings that are implemented by domain controllers running Windows Server 2003, see “How the Active Directory Installation Wizard Works.”

Administrative Rights

You must be an Administrator on the local computer to run the Active Directory Installation Wizard if you are creating the first domain controller in a forest. If you are creating a child domain or a new tree domain in an existing forest, you must provide the credentials of a member of the Enterprise Admins group.

Availability of the Domain Naming Master

If you are creating an additional domain in an existing forest or removing a domain from a forest, the Active Directory Installation Wizard must access the domain naming operations master or it generates an error. Verify that the domain controller holding the role of domain naming master for the forest is online. If the domain naming master has recently been offline, ensure that inbound replication of the configuration partition has completed since the computer was restarted.

Forest and Domain Preparation

If you are upgrading an existing Windows 2000 domain to Windows Server 2003 or adding a Windows Server 2003–based domain controller to an existing Windows 2000 domain, you must prepare the forest and each domain in the forest by using the Active Directory Preparation Tool (ADPrep.exe). The tool performs the following tasks:

  • Tightens security on resources that use the Everyone group to grant access by:

    • Improving default security descriptors.

    • Changing group memberships; for example, the Anonymous Logon group is no longer a member of the Everyone group.

    • Improving security settings by adding access control entries (ACE) to the following pre-existing, non-schema objects:

      CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=X container

      CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=X container

      CN=Configuration,DC=ForestRootDomain container

  • Creates new objects used by individual applications.

  • Creates new containers that can be used to verify that the preparation was successful.

  • Updates the Active Directory schema.

    The Active Directory Preparation tool merges your current schema with new schema information provided by the tool. Previous schema modifications in your environment are not affected by this operation.

Adprep includes the following two switches: Adprep /forestprep to prepare the forest, and Adprep /domainprep to prepare each domain.

Run Adprep /forestprep on the domain controller holding the schema operations master role for the forest before you install Active Directory on a Windows Server 2003-based member server or standalone server to create an additional domain controller in an existing forest during Active Directory installation. After Adprep /forestprep runs successfully, you can run Adprep /domainprep. However, before running Adprep /domainprep in an existing domain, changes made to the forest after running Adprep /forestprep must have replicated to the infrastructure operations master in that domain.

You must successfully run Adprep /domainprep in each domain before you join a Windows Server 2003–based member server or standalone server to a domain as an additional domain controller.

Adprep /domainprep must run successfully in a domain before you can upgrade existing Windows 2000–based domain controllers to Windows Server 2003.

Domain Controller Configuration

Before installing Active Directory, consider the status of the computer that you will configure as a domain controller. If the computer is running Windows NT 4.0 or Windows 2000, determine whether or not the computer can be upgraded to Windows Server 2003. If you are upgrading, determine if your environment should be prepared for the upgrade and whether it will be necessary to complete the Active Directory Installation Wizard. These decision points are outlined in the following table.

Decision Points for Domain Controller Configuration

Operating System Upgradeable to Windows Server 2003? Use the Active Directory Preparation Tool? Install Active Directory?

Windows NT 4.0 Workstation

NO

N/A

N/A

Windows NT 4.0 Member Server

YES

It is not necessary to run ADPrep.

Only if the computer is to become a domain controller.

Windows NT 4.0

PDC or BDC

YES

It is not necessary to run ADPrep.

YES - Active Directory must be installed.

Windows 2000 Professional

NO

N/A

N/A

Windows 2000 Member Server (SP4)

YES

YES - The upgrade cannot proceed until you run ADPrep.

Only if the computer is to become a domain controller.

Windows 2000 domain controller

YES

YES - The upgrade cannot proceed until you run ADPrep.

NO - Active Directory is installed.

Windows Time Service Configuration

After installing Active Directory on the first domain controller in a new forest, it is important to correctly configure the Windows Time service. The Windows Time service provides time synchronization to peers and clients, ensuring that time is consistent throughout an enterprise. If the Windows Time service is not properly configured, Kerberos authentication will fail, adversely affecting Active Directory replication, user logon, and shared folder access.

By default, the first domain controller deployed holds the PDC emulator operations master role, and should be set to synchronize time with a valid Network Time Protocol (NTP) source. If no source is configured, the service will log a message to the event log, and use the local clock when providing time to clients. Although internet NTP sources are valid for this configuration, we recommend that a dedicated hardware device, such as a GPS, or radio clock be employed in the interest of security.

The following resources contain additional information that is relevant to this section.