The process of installing an Active Directory domain in Windows Server 2008 is quite simple, but some beginners or IT professionals that have never had a chance to get their hands on AD installations and that are not familiar with its requirements might stumble across a few pitfalls. So, what do we need in order to successfully install Active Directory on a Windows Server 2008?
Here is a quick list of what you must have:
- An NTFS partition with enough free space
- An Administrator’s username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A Domain name that you want to use
- Brains (recommended, not required…)
To successfully install AD you must have at least one NTFS formatted partition. Back in older operating systems this was something that you actually had to tell people about, because *some* administrators had servers that did not have their partitions formatted with NTFS. Nowadays, NTFS is the only way to go in Windows-based servers, but I will nevertheless put it on the writing, just to make sure.
This partition is where the SYSVOL folder is placed, and usually, that is the C:’ partition, but for large AD deployments, this could very well be a different partition.
To convert a partition (C:) to NTFS type the following command in the command prompt window:
Local Administrator’s username and password
Remember, only a local Administrator (or equivalent) can install the first domain and thus create the new forest. Other installation scenarios – such as adding additional (replica) DCs require either Domain Admin permissions, or, in case of new domains in the same tree or in new trees – Enterprise Admins permissions.
The right operating system version
Windows Server 2008 Standard, Enterprise or Data Center
While it is possible to install Active Directory on a server that has a dynamically-assigned IP address, it doesn’t make much sense to do so. It’s much better to configure the server with a manual and dedicated IP address. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.
The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.
To configure your IP configuration, use the following steps:
Note: IP addresses can be also configured from the Command Prompt by using the NETSH command, but I will not describe that procedure here.
1. Right-click Network, and then click Properties.
If you do not have the Network icon visible on your desktop, use Control Panel.
2. In the Control Panel’Network and Sharing Center window, click on the manage Network Connections link on the left.
Note: You can get to the same window by typing NCPA.cpl in the run command.
3. In the Control Panel’Network Connections window, right-click Local Area Connection, and then click Properties.
4. Click Internet Protocol version 4 (TCP/IPv4), and then click Properties
5. Make sure you have a static and dedicated IP address. If you don’t need Internet connectivity through this specific NIC you can use a Private IP range such as 192.168.101.0 with a Subnet Mask of 255.255.255.0.
6. The next step is not required, but I usually recommend checking that the correct configuration is in place. Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:
Configure the DNS server addresses to point to the DNS server. This should be the computer’s own IP address if it is the first server or if you are not going to configure a dedicated DNS server.
- If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.
- Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.
- Make sure that the Register this connection’s addresses in DNS check box is selected.
Active Network Connection Required During Installation
The installation of Active Directory requires an active network connection. When you attempt to use DCPROMO.exe to promote a Windows Server 2008 computer to a domain controller that doesn’t have a connected and active NIC, you will receive the following error message:
And after hitting Next, this error will appear:
Active Directory Domain Services Installation Wizard The TCP/IP networking protocol must be properly configured. Complete the configuration before you proceed.
This problem can occur if the network cable is not plugged into a hub or other network device.
(Screenshot of a connected NIC)
(Sample of a disconnected or un-plugged network cable)
To resolve this problem, plug the network cable into a hub or other network device. While highly improbable that the network connection status would be disconnected in a server that is about to be deployed in a production environment, this could be the case when building the server for testing purposes. If network connectivity is not available and this is the first domain controller in a new forest, you can finish DCPROMO.exe by installing Microsoft Loopback Adapter.
A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. In my Windows 2000/2003 versions of the Active Directory installation tips I recommended to manually install and configure DNS prior to running DCPROMO. However, in Windows Server 2008, and when installing the FIRST Domain Controller in the Active Directory domain, I tend to recommend that you allow the DCPROMO wizard to automatically build the proper DNS services and configuration.
When considering Internet connectivity, it is recommended (and in most cases, this is the proper and most-used configuration) that the client computers connect to the Internet through a NAT device (i.e. a Router that translates private IP addresses to one public one, and allows connectivity through one ISP-assigned IP address). This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). In Small Office or Home Office (SOHO) scenarios, this can be achieved by using a second network adapter on the server connected to a hub. You can use NAT and Routing on the server to isolate the clients on the local network. The clients should point to the domain’s INTERNAL DNS server, and NOT to the ISP’s DNS server, to ensure proper DNS connectivity. The internal DNS server’s forwarder will then allow the clients to access DNS addresses on the Internet.
Do not use Single-Label domain names
As a general rule, Microsoft recommends that you register DNS domain names for internal and external namespaces with Internet authorities. This is true for Windows 2000/2003 and for Windows Server 2008. This includes the DNS names of Active Directory domains, unless such names are sub-domains of names that are registered by your organization name, for example, “corp.example.com” is a sub-domain of “example.com”. When you register DNS names with Internet authorities, it prevents possible name collisions should registration for the same DNS domain be requested by another organization, or if your organization merges, acquires or is acquired by another organization that uses the same DNS names.
DNS names that don’t include a period (“dot”, “.”) are said to be single-label (for example, com, net, org, bank, companyname) and cannot be registered on the Internet with most Internet authorities.