Install Active Directory Forest: The first Active Directory domain on the network is the forest root domain. The forest root domain is critical to the functioning of Active Directory because it needs to remain online and in place for the lifetime of an Active Directory installation. You can add and remove child domains and additional trees as the needs of your organization grow and change, but the forest root domain must remain in place.
You can launch the Active Directory Installation Wizard using the dcpromo.exe command-line tool or from the Server Manager utility that’s installed in the Administrative Tools folder of each Windows Server 2008 server. The Server Manager utility launches automatically at startup after you close the Initial Configuration Tasks utility, or you can access it manually through the shortcut provided in the Administrative Tools folder or directly from the Start menu. The advantage of the Server Manager interface is that it allows you to view any other roles the server might be performing. However, using dcpromo allows you to script or automate the installation process.
The first domain controller installed in a new Active Directory forest will hold all of the Flexible Single Master Operations (FSMO) roles, which are specific server roles that work together to enable the multimaster functionality of Active Directory. The dcpromo process assigns per-forest and per-domain FSMO roles in each new domain that you add to Active Directory. By default, all forest-wide FSMOs will be configured on the first domain controller installed in the entire forest, and all domain-wide FSMOs will be configured on the first domain controller installed in a new domain.
How to Install a New Active Directory Forest
Before installing Active Directory, make sure the server meets the system requirements for Active Directory. You can follow the process below to install a new Active Directory forest. You must be logged on as a member of the local Administrators group to begin this process, and the server computer should be configured with a static IP address.
- Click the Start menu and select Server Manager.
- Click Roles and then click Add Roles under the Roles Summary section.
- Read the Before You Begin window and click Next.
- On the Select Server Roles window, select Active Directory Domain Services.
- Click Next to continue. You are presented with an introduction to Active Directory Domain Services that provides a number of helpful hints for installing and administering Active Directory. The tips include the following points:
  - Be sure to install more than one domain controller in each Active Directory domain so that clients can log on even if a single domain controller fails.
  - Active Directory requires an available DNS server on the network.
  - Installing Active Directory will also add the following prerequisite services to the server: DFS Namespace, DFS Replication, and the File Replication Service.
- Click Next after you read the introduction to AD Domain Services window.
- Click Install to begin the installation process. The Server Manager will appear to pause for a few minutes because the actual executable files or binaries that are needed to install Active Directory are being copied to the system drive. A significant security improvement in Windows 2008 is that these binaries are not actually installed until you choose to install Active Directory; this prevents any viruses or worms from targeting these files if the server is not configured as a domain controller because the files in question are not present on the hard disk.
- After the AD DS binaries have installed, click Close. You are returned to Server Manager. Notice that the Active Directory Domain Services role is listed, but it has a red ‘X’ next to it. This indicates that the AD DS binaries have been installed on the server, but Active Directory has not been completely configured.
- Drill down to the Active Directory Domain Services role.
- Follow the instructions you see on the window and click Run the Active Directory Domain Services Wizard. The Active Directory Domain Services Installation Wizard will launch. Place a checkmark next to Use Advanced Mode Installation.
- Read the information and click Next.
- To create the first domain controller in a new Active Directory forest, select Create a new domain in a new forest and click Next.
- You are prompted to enter the domain name of the Active Directory forest root domain.
You can also launch the Active Directory Domain Services Installation Wizard by clicking Start and keying dcpromo. The dcpromo utility will be crucial in installing Active Directory on Server Core.
- You are prompted to fill in the domain NetBIOS name for this domain. The domain NetBIOS name is limited to 15 characters and is maintained for legacy compatibility with older applications that cannot use DNS for their name resolution. In most cases, this name will simply be the first portion of the fully qualified domain name (FQDN). Click Next.
- You are prompted to select the forest functional level (FFL) and domain functional level (DFL) of the new domain and the new forest. Raising the DFL and FFL will enable more functionality within Active Directory because it reduces the need to coexist with legacy operating systems. Select Windows Server 2003 as the forest functional level and then click Next.
- Select Windows Server 2003 as the domain functional level and click Next.
- Next, you can select one or more of the following domain controller options for this domain controller:
  - DNS Server: This option is checked by default and will allow the domain controller to perform DNS name resolution. Leave this box selected.
  - Global Catalog: This option is selected and grayed out for the first domain controller in a new domain because Active Directory requires that at least one global catalog be installed in each domain.
  - Read-only Domain Controller (RODC): This option is unavailable for the first domain controller in a new domain because the first domain controller cannot be an RODC.
- On the next screen, you can select the disk locations for the Active Directory database, log files, and the SYSVOL shared folder. Click Next to accept the default locations.
- You are prompted to enter the Directory Services Restore Mode (DSRM) password that is used to access Directory Services Restore Mode to perform maintenance and disaster-recovery operations on your domain controller. Enter a strong password and click Next to continue.
- You see the summary window, which allows you to review your configuration choices before configuring this server as a domain controller. You can use the Export Settings button to create a text file that can be used to automate the installation of additional domain controllers from the command line. Click Next to begin the installation process.
After the installation process has completed, click Finish and Restart Now to reboot the newly configured domain controller when prompted.
Congratulations! You have just created the first domain controller in an Active Directory forest root domain. You will build on this exercise to create additional domain controllers, including Read-only Domain Controllers and domain controllers running Server Core.
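The wizard choices made in this exercise correspond to the following dcpromo answer file, shown here as an added example that is not taken from the original article. The domain name `corp.example.com`, the NetBIOS name `CORP` and the file path in the usage comment are placeholders, and the disk paths assume the default locations on a system drive of C:.

```ini
; Answer file for a new forest root domain, matching the wizard steps above.
; Added example: corp.example.com and CORP are placeholder names.
; Usage (the path is a placeholder):
;   dcpromo.exe /unattend:C:\deploy\newforest.txt

[DCInstall]
; "Create a new domain in a new forest"
ReplicaOrNewDomain=Domain
NewDomain=Forest

; Forest root domain FQDN and its NetBIOS name (15 characters maximum)
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP

; Functional levels: 0 = Windows 2000, 2 = Windows Server 2003,
; 3 = Windows Server 2008. The exercise selects Windows Server 2003 for both.
ForestLevel=2
DomainLevel=2

; Domain controller options: DNS Server and Global Catalog.
; There is no parent DNS zone to delegate from in this example.
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No

; Default locations for the database, log files and SYSVOL
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"

; Directory Services Restore Mode (DSRM) password.
; Left empty on purpose: fill it in only immediately before the run,
; and never keep a populated copy on a file share or in source control.
SafeModeAdminPassword=

; Reboot automatically when promotion finishes
RebootOnCompletion=Yes
```

Treat any answer file that has held the DSRM password as a credential: restrict its NTFS permissions to administrators while it exists, and confirm after promotion that the password value is no longer present in the file.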