Build the first Domain Controller with Windows Server 2003

Building a domain controller in Windows Server (2000, 2003, and 2008) is easy with the wizards, but it is more important to understand why we implement Active Directory (a domain controller) in our network.

Implementing Active Directory is to serve two purposes:

  • Centralized management of resources: user accounts, computer accounts, printers, etc.
  • Centralized management of policies: group policies
  • Single sign-on (SSO): A user needs to authenticate only once, when he logs in to his computer. During his working session, there is no need to type the username/password again when accessing other resources. Any Active Directory integrated service can use this SSO feature (SharePoint, Exchange Server, File Sharing, Web Server, Proxy Server, etc.).

There are many other good things about Active Directory, but for now we need to know how to implement it. To implement Active Directory, you must have at least 1 server acting as a domain controller. A domain controller is a physical server that runs Active Directory services and stores the Active Directory database. Active Directory (or a domain) can exist with only 1 single domain controller and no clients, or one domain controller with 1000 clients (not recommended), or multiple domain controllers with a few thousand clients (in this case, domain controllers are called Multi-Master).

Active Directory in an enterprise network

This tutorial shows you how to install the first domain controller with Windows Server 2003.

Configuring DNS Server

It’s very important to have a DNS Server configured correctly. Please see the post “Install and configure DNS Server for Domain Controllers on Windows 2003” to properly configure the DNS Server for the first domain controller.

Using DCPROMO to promote a server to a domain controller

DCPROMO is a built-in wizard on all Windows Server platforms (at least Windows 2000, 2003, 2008, and 2008 R2) that allows you to promote a server to a domain controller. Use this wizard to build the first domain controller or additional domain controllers.

  • Go to RUN menu, type DCPROMO, and press ENTER
  • Click Next to skip the Welcome message
  • Click Next again
  • Leave the default option selected, Domain controller for a new domain.
Configuring the first domain controller
  • Click Next
  • Select the default option, Domain in a new forest. A forest is a hierarchy of multiple domains that share the same Schema, but we do not have any domain yet, so this is a new forest with a single domain (the one we are building).
Domain in a new forest
  • Click Next
  • Type in the domain name that you want to promote. My DNS Server is configured to resolve the domain because I want my Active Directory name as Please note that the domain name must be at least level 3. It means something.something-else (plaintutorials.local, plaintutorials.something). A single domain name, such as plaintutorials (without .anything), is not acceptable.
Selecting new domain name
  • Click Next
  • DCPROMO will take a while to resolve your DNS name and check the NetBIOS name for the domain. By default, a NetBIOS domain name is selected by picking the left-most part of the DNS domain name. has PLAINTUTORIALS as NetBIOS domain name. If you have something (computers, printers, wireless routers, etc.) that has the same name as this NetBIOS domain name, DCPROMO will automatically select another one for you, or you can type anything here. The length limit for a NetBIOS domain name is 15 characters.
NetBIOS Domain Name
  • Click Next
  • Leave everything as default in this window. C:\Windows\NTDS is the location where the Active Directory database and logs are stored.
Active Directory database location
  • Click Next
  • Leave the folder location default as C:\Windows\SYSVOL. This shared folder is where the domain controller stores its Group Policies.
  • Click Next
  • Click Next
  • Leave the default option, Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.
  • Click Next
  • Type and re-type the password for Directory Service Restore Mode. This password is important: it is the password for the local Administrator account of this domain controller when it boots into Directory Service Restore Mode. In Directory Service Restore Mode, Active Directory on this domain controller is offline, so you won’t have access to Active Directory user accounts when you log in to this mode. A default Administrator account with this password is used instead.
Directory Service Restore Mode Password
  • Click Next
  • Click Next again. Active Directory Installation Wizard starts. Wait for about 5-10 minutes for the wizard to complete (in this tutorial, this step took me less than 1 minute).
  • Click Finish and restart your server. Ah, I have to call it domain controller now.
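
The same wizard choices can be written down as a DCPROMO answer file and run with `dcpromo /answer:<file>`. This is an added example, not part of the original tutorial; the domain name plaintutorials.local is taken from the page's sample names as an assumption, and the password value is a placeholder.

```ini
; Added example: unattended equivalent of the wizard steps above.
; Assumed usage: dcpromo /answer:C:\dcpromo-answer.txt  (file path is hypothetical)
[DCInstall]
; "Domain controller for a new domain"
ReplicaOrNewDomain=Domain
; "Domain in a new forest"
TreeOrChild=Tree
CreateOrJoin=Create
; DNS and NetBIOS names (assumed: plaintutorials.local / PLAINTUTORIALS)
; The NetBIOS name must not exceed 15 characters.
NewDomainDNSName=plaintutorials.local
DomainNetbiosName=PLAINTUTORIALS
; Default locations for the database, logs and SYSVOL, as in the wizard
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; "Permissions compatible only with Windows 2000 or Windows Server 2003
; operating systems" (no anonymous read access to the directory)
AllowAnonymousAccess=No
; Directory Service Restore Mode password: placeholder, replace before use.
; The file then holds this password in clear text, so keep it readable by
; administrators only and delete it once the promotion has finished.
SafeModeAdminPassword=<DSRM-password-placeholder>
; Restart automatically when the promotion succeeds
RebootOnSuccess=Yes
```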

Verifying a domain controller

There are many methods to verify that a server is a domain controller, or that a domain controller is working properly. But you only need a few basic checks (since you have just a single, brand-new domain controller).

Login screen

  • After rebooting the server, you are back at the Log On to Windows screen.
  • Click Options button
  • Click the drop down list Logon To, and you will see your NetBIOS domain name there, and only it. Your server now is a domain controller.

Verifying a server is a domain controller

If you click Options button and don’t see anything appear, it means your server is not a domain controller.

Active Directory Management Tools

After logging in, go to the Start menu and select Administrative Tools. You will see some of these Active Directory tools:

  • Active Directory Domains and Trusts
  • Active Directory Sites and Services
  • Active Directory Users and Computers

Active Directory Administrative Tools

Click Active Directory Users and Computers. If the tool opens with a domain name there, you have Active Directory now, and your server is a domain controller.

Active Directory Users and Computers management tool

Your new domain should be OK now. The next step is to join clients to this domain. The most basic way to join a client computer to a domain is to manually configure that client, or to remotely force it to join.

About The Author

Hao Nguyen


Hello! I'm Hao Nguyen and I'm currently working as a Network Engineer for a small firm in Houston. I enjoy writing technical documents and blog, such as


  1. Thai says:

    Hello Hao,

    I like your website

    Can you explain what the difference is between using DCPROMO and Manage Your Server to promote a server to DC?

    • Hao Nguyen says:

      Hi Thai,

      It’s the same way to promote a member server to a domain controller. With DCPROMO, you have more control of the process. But with Manage Your Server, it is easier for you to promote a server. I prefer the DCPROMO wizard rather than the Manage Your Server wizard.

