The process of installing an Active Directory domain in Windows Server 2008 is quite simple, but some beginners or IT professionals that have never had a chance to get their hands on AD installations and that are not familiar with its requirements might stumble across a few pitfalls.
So, what do we need in order to successfully install Active Directory on a Windows Server 2008?
Here is a quick list of what you must have:
- An NTFS partition with enough free space
- An Administrator’s username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A Domain name that you want to use
- Brains (recommended, not required…)
After you have all the above go ahead and read my “Installing Active Directory on Windows Server 2008” article.
An NTFS Partition
To successfully install AD you must have at least one NTFS formatted partition. Back in older operating systems this was something that you actually had to tell people about, because *some* administrators had servers that did not have their partitions formatted with NTFS. Nowadays, NTFS is the only way to go in Windows-based servers, but I will nevertheless put it on the writing, just to make sure.
This partition is where the SYSVOL folder is placed, and usually, that is the C:’ partition, but for large AD deployments, this could very well be a different partition.
To convert a partition (C:) to NTFS type the following command in the command prompt window:
Free space on your disk
You need at least 250mb of free space on the partition you plan to install AD on. Of course you’ll need more than that if you plan to create more users, groups and various AD objects.
Local Administrator’s username and password
Remember, only a local Administrator (or equivalent) can install the first domain and thus create the new forest. Other installation scenarios – such as adding additional (replica) DCs require either Domain Admin permissions, or, in case of new domains in the same tree or in new trees – Enterprise Admins permissions.
The right operating system version – Windows Server 2008 Standard, Enterprise or Data Center
Duh… however, note that you CAN install Active Directory on Server Core versions. Please read my “Understanding Windows Server 2008 Server Core” and “Installing Active Directory on Windows 2008 Server Core” articles for more information on Server Core.
While it is possible to install Active Directory on a server that has a dynamically-assigned IP address, it doesn’t make much sense to do so. It’s much better to configure the server with a manual and dedicated IP address. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.
The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.
To configure your IP configuration, use the following steps:
Note: IP addresses can be also configured from the Command Prompt by using the NETSH command, but I will not describe that procedure here.
- Right-click Network, and then click Properties.
- In the Control Panel’Network and Sharing Center window, click on the manage Network Connections link on the left.
- In the Control Panel’Network Connections window, right-click Local Area Connection, and then click Properties.
- Click Internet Protocol version 4 (TCP/IPv4), and then click Properties.
- Make sure you have a static and dedicated IP address. If you don’t need Internet connectivity through this specific NIC you can use a Private IP range such as 192.168.101.0 with a Subnet Mask of 255.255.255.0.
- The next step is not required, but I usually recommend checking that the correct configuration is in place. Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:
If you do not have the Network icon visible on your desktop, use Control Panel.
Note: You can get to the same window by typing NCPA.cpl in the run command.
Note: You can also configure the TCP/IPv6 properties, but you do NOT have to, and frankly, unless you require TCP/IPv6 functionality, I’d simply ignore it or disable it. More on that, in a future article.
Configure the DNS server addresses to point to the DNS server. This should be the computer’s own IP address if it is the first server or if you are not going to configure a dedicated DNS server.
- If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.
- Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.
- Make sure that the Register this connection’s addresses in DNS check box is selected.
Active Network Connection Required During Installation
The installation of Active Directory requires an active network connection. When you attempt to use DCPROMO.exe to promote a Windows Server 2008 computer to a domain controller that doesn’t have a connected and active NIC, you will receive the following error message:
And after hitting Next, this error will appear:
Active Directory Domain Services Installation Wizard The TCP/IP networking protocol must be properly configured. Complete the configuration before you proceed.
This problem can occur if the network cable is not plugged into a hub or other network device. (Screenshot of a connected NIC) (Sample of a disconnected or un-plugged network cable)
To resolve this problem, plug the network cable into a hub or other network device. While highly improbable that the network connection status would be disconnected in a server that is about to be deployed in a production environment, this could be the case when building the server for testing purposes. If network connectivity is not available and this is the first domain controller in a new forest, you can finish DCPROMO.exe by installing Microsoft Loopback Adapter.
A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. In my Windows 2000/2003 versions of the Active Directory installation tips I recommended to manually install and configure DNS prior to running DCPROMO. However, in Windows Server 2008, and when installing the FIRST Domain Controller in the Active Directory domain, I tend to recommend that you allow the DCPROMO wizard to automatically build the proper DNS services and configuration.
When considering Internet connectivity, it is recommended (and in most cases, this is the proper and most-used configuration) that the client computers connect to the Internet through a NAT device (i.e. a Router that translates private IP addresses to one public one, and allows connectivity through one ISP-assigned IP address). This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). In Small Office or Home Office (SOHO) scenarios, this can be achieved by using a second network adapter on the server connected to a hub. You can use NAT and Routing on the server to isolate the clients on the local network. The clients should point to the domain’s INTERNAL DNS server, and NOT to the ISP’s DNS server, to ensure proper DNS connectivity. The internal DNS server’s forwarder will then allow the clients to access DNS addresses on the Internet.
Do not use Single-Label domain names
As a general rule, Microsoft recommends that you register DNS domain names for internal and external namespaces with Internet authorities. This is true for Windows 2000/2003 and for Windows Server 2008. This includes the DNS names of Active Directory domains, unless such names are sub-domains of names that are registered by your organization name, for example, “corp.example.com” is a sub-domain of “example.com”. When you register DNS names with Internet authorities, it prevents possible name collisions should registration for the same DNS domain be requested by another organization, or if your organization merges, acquires or is acquired by another organization that uses the same DNS names.
DNS names that don’t include a period (“dot”, “.”) are said to be single-label (for example, com, net, org, bank, companyname) and cannot be registered on the Internet with most Internet authorities.
Now that you’ve read and made sure you meet all the above requirements, continue by reading my “Installing Active Directory on Windows Server 2008” article.
Recent Windows Server 2008 Forum threads
Got a question? Post it on our Windows Server 2008 forums!