Domain Controller Configuration

Domain controller configuration manual on how to configure a domain controller from windows server2008r

Uploaded by Tan Taro

Domain controller role: Configuring a domain controller
Domain controllers store data and manage user and domain interactions, including user
logon processes, authentication, and directory searches. If you plan to use this server to
provide the Active Directory directory service to network users and computers, configure
this server as a domain controller.

To configure a server as a domain controller, install Active Directory on the server. There
are four options available in the Active Directory Installation Wizard. You can create an
additional domain controller in an existing domain, a domain controller for a new child
domain, a domain controller for a new domain tree, or a domain controller for a new
forest. If you are not sure which role you need, read about each role by clicking the role
option.

Notes

• If you have already installed a domain controller role and you want to view next
  steps, in the list below, click the domain controller configuration that you
  installed, and then click Next steps: Completing additional tasks.
• If you need to reconfigure your server for a different role, you can remove
  existing server roles. By removing the domain controller role, you will uninstall
  Active Directory from this server. After Active Directory has been uninstalled,
  this server will no longer participate in replication of directory objects and
  domain-based user authentication requests. For more information, see the sections
  below.

Click the type of domain controller role that you want to create:
Creating an additional domain controller for an existing domain
Creating a domain controller for a new forest
Creating a domain controller for a new child domain
Creating a domain controller for a new domain tree

The following table lists the information that you need to know before you add an
additional domain controller.

Before adding an additional domain controller role | Comments

- Determine which sites require a domain controller.
  If your network is divided into sites, it is good practice to put at least one domain
  controller in each site to enhance network performance. When users log on to the
  network, a domain controller must be contacted as part of the logon process. If clients
  have to connect to a domain controller located in a different site, the logon process
  can take a long time.

- Determine whether to add an additional domain controller over the network or through
  backup media taken from an existing domain controller.
  With the Windows Server 2003 family, you can install Active Directory on member servers
  using a restored backup taken from a domain controller running Windows Server 2003. You
  can store this backup on any backup media (for example, tape, CD, or DVD) or a shared
  network resource. By using restored backup files to create an additional domain
  controller, you greatly reduce the network bandwidth used when you install Active
  Directory over a shared network resource. You still need network connectivity to
  replicate all new objects and recent changes for existing objects to the new domain
  controller. For more information about creating an additional domain controller from
  backup media, see Creating additional domain controllers.

- Determine whether you want your new domain controller to host a global catalog.
  A global catalog stores a full copy of all objects in the directory for its host domain
  and a partial copy of all objects for all other domains in the forest. To optimize
  network performance in a multiple-site environment, consider adding global catalogs for
  select sites. In a single-site environment, a single global catalog is usually
  sufficient to cover common Active Directory queries. However, in a multiple-site
  environment it is recommended that you use global catalogs in each site. For more
  information about when to add global catalogs in a multiple site environment, see
  Global catalogs and sites.

- Domain controllers running Windows 2000 or Windows Server 2003 are available.
  The domain must have at least one other domain controller running Windows 2000 or
  Windows Server 2003 to add an additional domain controller. Active Directory domain
  controllers cannot be configured as backup domain controllers (BDCs) for Windows NT
  domains.

- Obtain the administrative credentials necessary to add a domain controller.
  To add an additional domain controller to an existing domain, you must be a member of
  the Domain Admins group or the Enterprise Admins group in Active Directory, or you must
  have been delegated the appropriate authority.

- Identify the DNS domain name of the Active Directory domain to which you want to add
  the additional domain controller.
  You need to provide the DNS domain name when you use the Active Directory Installation
  Wizard.

page, type the user name, password, and domain of the user account you want to use.

Option | Comments

- User name
  Type the name of a user account that has the necessary administrative credentials. The
  user account must be a member of the Domain Admins group for the target domain, or a
  member of the Enterprise Admins group, or must have been delegated the appropriate
  authority.

- Password
  Type the password for the user account. This should always be a strong password. For
  more information, see Strong passwords.

- Domain
  Type the full DNS name of the domain in which this user name and password are valid (for
  example, child.microsoft.com). This is also the domain where you want to add an
  additional domain controller.

The following table lists some of the additional tasks that you might want to perform on
your domain controller.

Task | Purpose of task | Reference

- Secure the new domain controller in a locked room.
  Purpose: To ensure that no one can physically access the domain controllers.
  Reference: Domain controllers; Securing Active Directory

- Use strong encryption techniques to secure account passwords.
  Purpose: To secure account password information on the new domain controller.
  Reference: The system key utility

Creating a domain controller for a new forest


Create a domain controller for a new forest when you want to upgrade a Windows NT
domain to become the first domain in a new forest, segment your network for
administrative autonomy, provide a security boundary to protect sensitive data, isolate the
scope of directory replication, or use a noncontiguous DNS namespace that is different
from an existing forest on your network. For example, as seen in the following
illustration, the microsoft.com forest is the first Active Directory domain in an
organization.

This topic explains the basic steps that you must follow to configure a domain controller
for a new forest in your organization.

This process involves using the Configure Your Server Wizard and the Active Directory
Installation Wizard to install Active Directory on this server. When you have finished
setting up your domain controller, you can complete additional configuration tasks.

This topic covers:

Before you begin

Configuring your domain controller

Next steps: Completing additional tasks

Before you begin


Before you configure your server as a domain controller, verify whether or not:

• TCP/IP configuration settings for the server are correct, particularly those used for
  DNS name resolution. For more information, see To configure TCP/IP to use DNS.
• All existing disk volumes use the NTFS file system. Active Directory requires at
  least one NTFS volume in which to store the SYSVOL folder and its contents.
  FAT32 volumes are not secure, and they do not support file and folder
  compression, disk quotas, file encryption, or individual file permissions.

The following table lists the information that you need to know before you add a domain
controller for a new forest.

Before adding a new domain controller role for a new forest | Comments

- Verify that DNS is properly configured for your organization.
  You need to confirm that DNS is properly configured on your network and that it
  supports dynamic updates and service (SRV) resource records. If you are setting up
  Active Directory for the first time in your organization, and you do not currently have
  a DNS infrastructure configured, the Active Directory Installation Wizard sets up and
  configures DNS on this server during the Active Directory installation process. Active
  Directory requires DNS to function and share the same hierarchical domain structure.
  For example, microsoft.com is a DNS domain and an Active Directory domain.

- Obtain the administrative credentials necessary to create a forest.
  To create a new forest, you must be a member of the Administrators group on the local
  computer, or you must have been delegated the appropriate authority.

Configuring your domain controller


To configure a domain controller, start the Configure Your Server Wizard by doing either
of the following:

• From Manage Your Server, click Add or remove a role. By default, Manage Your
  Server starts automatically when you log on. To open Manage Your Server, click
  Start, point to Settings, click Control Panel, double-click Administrative Tools,
  and then double-click Manage Your Server.
• To open the Configure Your Server Wizard, click Start, point to Settings, click
  Control Panel, double-click Administrative Tools, and then double-click
  Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click
Next.

This section describes each of the steps in this process and outlines the required choices
and decisions you will make as you configure your domain controller. The following
sections cover these configuration steps:

Summary of Selections

Using the Active Directory Installation Wizard


Completing the Configure Your Server Wizard

Removing the domain controller role

Summary of Selections

On the Summary of Selections page of the Configure Your Server Wizard, you can view
and confirm the options that you have selected. If you selected Domain Controller
(Active Directory) on the previous page, the following appears:

• Run the Active Directory Installation Wizard to configure this server as a
  domain controller

To apply the selections shown on the Summary of Selections page, click Next.

Using the Active Directory Installation Wizard

After you click Next, the Active Directory Installation Wizard starts automatically. If this
is the first time you have installed Active Directory on a server, click Active Directory
Help for more information about Active Directory.

After you finish reading about Active Directory, click Next. You can return to this page
from any place in the wizard until you click Finish on the last page. On the Operating
System Compatibility page, read the information and then click Next. If this is the first
time you have installed Active Directory on a server running Windows Server 2003, click
Compatibility Help for more information.

This section describes the following steps in the Active Directory Installation Wizard:

Domain Controller Type

Create New Domain

New Domain Name

NetBIOS Domain Name

Database and Log Folders

Shared System Volume

DNS Registration Diagnostics

Permissions

Directory Services Restore Mode Administrator Password


Summary

Domain Controller Type

On the Domain Controller Type page, click Domain controller for a new domain.

After you finish, click Next.

Create New Domain

On the Create New Domain page, click Domain in a new forest.

After you finish, click Next.

New Domain Name

On the New Domain Name page, type the full DNS name for the new domain. Provide a
full DNS name for the new Active Directory forest that you are about to create (for
example, headquarters.example.microsoft.com). A full DNS name is also referred to as a
fully qualified domain name (FQDN). Active Directory domains are named with DNS
names and follow the same hierarchical structure of DNS. When choosing DNS names to
use for your Active Directory forest, start with the registered DNS domain suffix that
your organization has reserved for use on the Internet, such as microsoft.com.

After you finish, click Next.

NetBIOS Domain Name

On the NetBIOS Domain Name page, verify the NetBIOS name. Although Active
Directory domains are named according to DNS naming standards, you still need to
define a NetBIOS name when you create Active Directory domains. NetBIOS names
should match the first label of the DNS domain name whenever possible. When the
Active Directory domain has a first label DNS name that is different from its NetBIOS
name, the FQDN is constructed using the DNS domain name, not the NetBIOS name. For
example, if the first label in the full DNS domain name is "child" (child.microsoft.com is
the FQDN) and the NetBIOS domain name is "sales", the FQDN remains
"child.microsoft.com".

After you finish, click Next.

Database and Log Folders

On the Database and Log Folders page, type the location in which you want to install
the database and log folders, or click Browse to choose a location. To avoid any problems
with installing or removing Active Directory, it is important to confirm that you have
sufficient disk space to host the directory database and log files. The Active Directory
Installation Wizard requires 250 megabytes (MB) of disk space for the Active Directory
database and 50 MB for the log files. It is recommended that you store these files on an
NTFS partition.

After you finish, click Next.

Shared System Volume

On the Shared System Volume page, type the location in which you want to install the
Sysvol folder, or click Browse to choose a location. The Sysvol folder must be stored on
an NTFS volume since it contains files that are replicated between domain controllers in
a domain or forest. These files include scripts, Windows NT 4.0 and earlier system
policies, the NETLOGON and SYSVOL shares, and Group Policy settings.

After you finish, click Next.

DNS Registration Diagnostics

On the DNS Registration Diagnostics page, verify that the DNS settings are correct.

If a diagnostic error appears under Diagnostic Results, click Help for more information
about how to resolve the error.

After you finish, click Next.
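The DNS Registration Diagnostics page checks at install time that the DNS server accepts the domain controller's service (SRV) records. Once the server has been promoted, the same registrations can be verified from any domain-joined client with the added example below, which is not part of the original manual; it assumes the DnsClient module (Resolve-DnsName, Windows 8 / Windows Server 2012 and later), and the domain name is a constructed placeholder.

```powershell
# Added example (not from the original manual): confirm that the domain controller's
# locator SRV records exist in DNS and that each record's target host resolves.
# Assumes Resolve-DnsName (DnsClient module); $Domain is a constructed placeholder.
$Domain = 'headquarters.example.microsoft.com'   # placeholder: use your AD DNS domain name

# Records a client needs to locate a DC, the Kerberos KDC and a global catalog.
# The gc record is registered under the forest root domain; for a new forest the
# first domain is the forest root, so the three names share the same suffix here.
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)

function Test-DcLocatorRecords {
    param([Parameter(Mandatory)][string[]]$Names)
    foreach ($name in $Names) {
        $srv = $null
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        } catch {
            # NXDOMAIN or server failure: treated the same as "no SRV record".
        }
        if (-not $srv) {
            [pscustomobject]@{
                Record = $name; Target = $null; Port = $null
                Resolves = $false; Status = 'SRV record missing'
            }
            continue
        }
        foreach ($r in $srv) {
            # An SRV record only helps a client if its target host also has an address record.
            $addr = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' }
            $status = 'target has no A record'
            if ($addr) { $status = ($addr.IPAddress -join ', ') }
            [pscustomobject]@{
                Record   = $name
                Target   = $r.NameTarget
                Port     = $r.Port
                Resolves = [bool]$addr
                Status   = $status
            }
        }
    }
}

$results = Test-DcLocatorRecords -Names $SrvNames
$results | Format-Table -AutoSize
$broken = @($results | Where-Object { -not $_.Resolves })
if ($broken.Count -gt 0) {
    Write-Warning "$($broken.Count) locator record(s) are missing or point at hosts that do not resolve. Check that the DNS zone allows dynamic updates and that the Netlogon service on the domain controller has registered its records."
}
```

Missing records after a reboot usually mean the zone does not accept dynamic updates from the domain controller, which is the condition the wizard's diagnostics page reports.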

Permissions

On the Permissions page, click the level of application compatibility that you want with
pre-Windows 2000, Windows 2000, or Windows Server 2003 operating systems.

On servers running Windows NT 4.0 and earlier, read access for user and group
information is assigned to anonymous users so that existing applications, including
Microsoft BackOffice, SQL Server, and some non-Microsoft applications, function
correctly. In Windows 2000 and the Windows Server 2003 family, members of the
Anonymous Logon group have read access to this information only when the group is
added to the Pre-Windows 2000 Compatible Access group.

Option | Comments

- Permissions compatible with pre-Windows 2000 server operating systems
  Click this option if you want the Anonymous Logon group and the Everyone security
  groups to be added to the Pre-Windows 2000 Compatible Access group.

- Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems
  Click this option to prevent members of the Anonymous Logon group from gaining read
  access to user and group information.

After you select one of these options, you can manually switch between the backward
compatible and high-security settings on Active Directory objects. To do this, open
Active Directory Users and Computers, and then add the Anonymous Logon security
group to the pre-Windows 2000 Compatible Access security group.

After you finish, click Next.
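Because the choice made on the Permissions page can be changed later by editing group membership, a defender needs a way to tell which setting is actually in effect. The following added example (not from the original manual) reads the Pre-Windows 2000 Compatible Access group and reports whether Anonymous Logon or Everyone is a member; it assumes the ActiveDirectory PowerShell module (RSAT), which postdates Windows Server 2003.

```powershell
# Added example (not from the original manual): audit the Pre-Windows 2000 Compatible
# Access group to see whether the backward-compatible permissions option is in effect.
# Assumes the ActiveDirectory PowerShell module on a domain-joined host.
Import-Module ActiveDirectory

# Well-known SIDs. Anonymous Logon (S-1-5-7) and Everyone (S-1-1-0) are what the
# "Permissions compatible with pre-Windows 2000" option adds to the group;
# Authenticated Users (S-1-5-11) is a normal member under the high-security option.
$WellKnown = @{
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-PreWin2000CompatState {
    # The group's well-known SID is the same in every domain: S-1-5-32-554.
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member

    # Resolve each member DN to its SID. Members such as Anonymous Logon are stored
    # as foreignSecurityPrincipal objects, so Get-ADObject is used rather than
    # Get-ADUser/Get-ADGroup.
    $members = foreach ($dn in $group.member) {
        $obj  = Get-ADObject -Identity $dn -Properties objectSid
        $sid  = $obj.objectSid.Value
        $name = $obj.Name
        if ($WellKnown.ContainsKey($sid)) { $name = $WellKnown[$sid] }
        [pscustomobject]@{
            Name              = $name
            Sid               = $sid
            DistinguishedName = $dn
        }
    }

    $sids = @($members.Sid)
    [pscustomobject]@{
        Group                = $group.Name
        Members              = $members
        AnonymousReadAllowed = ($sids -contains 'S-1-5-7') -or ($sids -contains 'S-1-1-0')
    }
}

$state = Get-PreWin2000CompatState
$state.Members | Format-Table Name, Sid, DistinguishedName -AutoSize
if ($state.AnonymousReadAllowed) {
    Write-Warning "'$($state.Group)' contains Anonymous Logon and/or Everyone: anonymous read access to user and group information is enabled (pre-Windows 2000 compatible setting)."
} else {
    Write-Host "'$($state.Group)' does not grant anonymous read access (Windows 2000 / Windows Server 2003 compatible setting)."
}
```

If the warning fires and no pre-Windows 2000 applications remain, the manual's own procedure applies in reverse: remove the two groups from Pre-Windows 2000 Compatible Access in Active Directory Users and Computers.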

Directory Services Restore Mode Administrator Password

On the Directory Services Restore Mode Administrator Password page, type and
confirm the password that you want to assign to the restore mode Administrator account
for the server. You should use strong passwords for directory restore mode passwords.
For more information, see Strong passwords.

Important

• You must know this password to restore a backup copy of the System State for
  this domain controller.

You use this password when the domain controller starts in Directory Services Restore
Mode. If this is the first time you have installed Active Directory on a server, click Active
Directory Help for more information about the restore mode password.

After you finish, click Next.

Summary

On the Summary page, review the information, and then click Next.

After you complete the installation, click Finish. To restart your computer and implement
the changes, click Restart Now.

Completing the Configure Your Server Wizard

After your server restarts, the Configure Your Server Wizard displays the This Server is
Now a Domain Controller page. To review all of the changes made to your server by the
Configure Your Server Wizard or to ensure that a new role was installed successfully,
click Configure Your Server log. The Configure Your Server Wizard log is located at
systemroot\Debug\Configure Your Server.log. To close the Configure Your Server
Wizard, click Finish.

Removing the domain controller role

If you need to reconfigure your server for a different role, you can remove existing server
roles. By removing the domain controller role, you will uninstall Active Directory from
this server. After Active Directory has been uninstalled, this server will no longer
participate in replication of directory objects and domain-based user authentication
requests.

To remove the domain controller role, restart the Configure Your Server Wizard by doing
either of the following:

• From Manage Your Server, click Add or remove a role. By default, Manage Your
  Server starts automatically when you log on. To open Manage Your Server, click
  Start, point to Settings, click Control Panel, double-click Administrative Tools,
  and then double-click Manage Your Server.
• To open the Configure Your Server Wizard, click Start, point to Settings, click
  Control Panel, double-click Administrative Tools, and then double-click
  Configure Your Server Wizard.

On the Server Role page, click Domain Controller (Active Directory), and then click
Next. On the Role Removal Confirmation page, review the items listed under
Summary, select the Remove the domain controller role check box, click Next, and
then follow the steps in the Active Directory Installation Wizard.

Next steps: Completing additional tasks


After you complete the Active Directory Installation Wizard, the server is configured as a
domain controller. You can use it to store data, manage objects, and provide information
to users, computers and applications. Up to this point, you have created a domain
controller for a new forest.

The following table lists some of the additional tasks that you might want to perform on
your domain controller.

Task | Purpose of task | Reference

- Secure the new domain controller in a locked room.
  Purpose: To ensure that no one can physically access the domain controllers.
  Reference: Domain controllers; Securing Active Directory

- Use strong encryption techniques.
  Purpose: To secure account password information on the new domain controller.
  Reference: The system key utility

- Verify and authenticate the validity of each user.
  Purpose: To enhance forest-wide security by using public key cryptography.
  Reference: Public key infrastructure

- Require all domain users to use strong passwords.
  Purpose: To prevent unauthorized access to your organization.
  Reference: Strong passwords

- Enable audit policy.
  Purpose: To receive notification of actions that could pose a security risk.
  Reference: Auditing policy

- Enforce account lockouts on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain through
  repeated logon attempts.
  Reference: User and computer accounts

- Enforce password history on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain.
  Reference: Enforce password history

- Enforce minimum and maximum password ages on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain.
  Reference: Minimum password age; Maximum password age

- Implement SID Filtering.
  Purpose: To prevent attacks from malicious users who might try to grant elevated user
  rights to another user account.
  Reference: "Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege
  Attacks" at the Microsoft Web site (http://www.microsoft.com/)

- Implement smart cards.
  Purpose: To provide tamper-resistant user authentication and e-mail security.
  Reference: Smart card overview

- Restrict user, group, and computer access to shared resources and filter Group Policy
  settings.
  Purpose: To secure resources.
  Reference: Security groups

- Create forest trusts (as appropriate).
  Purpose: To manage the security relationship between two forests, and simplify security
  administration and authentication across forests.
  Reference: Forest trusts

- Assign user rights to new security groups.
  Purpose: To specifically define the administrative role of members in the domain.
  Reference: User rights assigned to security groups in Active Directory
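Several of the tasks above (strong passwords, account lockouts, password history, minimum and maximum password ages) are settings of the default domain policy, so they can be checked in one pass. The added example below is not from the original manual; it assumes the ActiveDirectory PowerShell module (RSAT), and the numbers in $Baseline are this example's own assumptions rather than values from the manual.

```powershell
# Added example (not from the original manual): report where the default domain policy
# falls short of the password and lockout tasks in the table above. Assumes the
# ActiveDirectory PowerShell module; the $Baseline values are assumptions made for this
# example, so set them to your organization's own policy.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength    = 14    # "Require all domain users to use strong passwords"
    PasswordHistoryCount = 24    # "Enforce password history on user accounts"
    MinPasswordAgeDays   = 1     # "Enforce minimum and maximum password ages"
    MaxPasswordAgeDays   = 365
    LockoutThreshold     = 10    # "Enforce account lockouts on user accounts"
}

function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory)]$Policy,                 # output of Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    $findings = New-Object System.Collections.Generic.List[string]

    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings.Add("Minimum password length is $($Policy.MinPasswordLength); baseline is $($Baseline.MinPasswordLength).")
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings.Add("Password complexity requirements are disabled.")
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings.Add("Reversible encryption is enabled; stored passwords can be recovered from the directory.")
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings.Add("Password history remembers $($Policy.PasswordHistoryCount) passwords; baseline is $($Baseline.PasswordHistoryCount).")
    }
    if ($Policy.MinPasswordAge.TotalDays -lt $Baseline.MinPasswordAgeDays) {
        $findings.Add("Minimum password age is $($Policy.MinPasswordAge.TotalDays) days; users can cycle straight back to an old password.")
    }
    # A MaxPasswordAge of zero means passwords never expire.
    if ($Policy.MaxPasswordAge.TotalDays -eq 0 -or $Policy.MaxPasswordAge.TotalDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings.Add("Maximum password age is $($Policy.MaxPasswordAge.TotalDays) days (0 = never expires); baseline is $($Baseline.MaxPasswordAgeDays).")
    }
    # A LockoutThreshold of zero disables account lockout entirely.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings.Add("Account lockout is disabled; repeated logon attempts are not limited.")
    } elseif ($Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings.Add("Lockout threshold is $($Policy.LockoutThreshold) attempts; baseline is $($Baseline.LockoutThreshold).")
    }
    return ,$findings
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = Test-DomainPasswordPolicy -Policy $policy -Baseline $Baseline
if ($findings.Count -eq 0) {
    Write-Host "Default domain policy meets the baseline."
} else {
    Write-Warning "$($findings.Count) finding(s) in the default domain policy:"
    $findings | ForEach-Object { Write-Host " - $_" }
}

# Fine-grained password policies (Windows Server 2008 and later) can override the default
# domain policy for particular users or groups, so list any that exist as well.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, LockoutThreshold |
    Format-Table -AutoSize
```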

The following table lists the information that you need to know before you add a domain
controller.

Before adding a domain controller role | Comments

- Identify the DNS domain name of the Active Directory domain to which you want to add
  the domain controller.
  You need to provide the DNS domain name for the parent domain of this new child domain.

- Verify that the network speed is adequate when installing Active Directory.
  The server on which you want to install Active Directory and create a child domain
  should have access to the network over a high-speed connection.

- Determine which sites require a domain controller.
  If your network is divided into sites, it is good practice to put at least one domain
  controller in each site to enhance network performance. When users log on to the
  network, a domain controller must be contacted as part of the logon process. If clients
  have to connect to a domain controller located in a different site, the logon process
  can take a long time.

- Determine whether you want your new domain controller to host a global catalog.
  A global catalog stores a copy of all Active Directory objects in a forest on a domain
  controller. The global catalog stores a full copy of all objects in the directory for
  its host domain and a partial copy of all objects for all other domains in the forest.
  To optimize network performance in a multiple-site environment, consider adding global
  catalogs for select sites. In a single-site environment, a single global catalog is
  usually sufficient to cover common Active Directory queries. However, in a
  multiple-site environment it is recommended that you use global catalogs in each site.
  For more information on when to add global catalogs in a multiple site environment, see
  Global catalogs and sites.

- Obtain the administrative credentials necessary to create a child domain.
  To add a new child domain, you must be a member of the Domain Admins group (in the
  parent domain) or the Enterprise Admins group in Active Directory, or you must have
  been delegated the appropriate authority.

page, type the user name, password, and domain of the user account that you want to
use.

Option | Comments

- User name
  Type the name of a user account that has the necessary administrative credentials. The
  user account must be a member of the Domain Admins group (in the parent domain), or a
  member of the Enterprise Admins group, or must have been delegated the appropriate
  authority.

- Password
  Type the password for the user account. This should always be a strong password. For
  more information, see Strong passwords.

- Domain
  Type the full DNS name of the domain in which this user name and password are valid.

On servers running Windows NT 4.0 and earlier, read access for user and group
information is assigned to anonymous users so that existing applications, including
Microsoft BackOffice, SQL Server, and some non-Microsoft applications, function
correctly. In Windows 2000 and the Windows Server 2003 family, members of the
Anonymous Logon group have read access to this information only when the group is
added to the Pre-Windows 2000 Compatible Access group.

Option | Comments

- Permissions compatible with pre-Windows 2000 server operating systems
  Click this option if you want the Anonymous Logon group and the Everyone security
  groups to be added to the Pre-Windows 2000 Compatible Access group.

- Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems
  Click this option to prevent members of the Anonymous Logon group from gaining read
  access to user and group information.

The following table lists some of the additional tasks that you might want to perform on
your domain controller.

Task | Purpose of task | Reference

- Secure the new domain controller in a locked room.
  Purpose: To ensure that no one can physically access the domain controller.
  Reference: Domain controllers; Securing Active Directory

- Use strong encryption techniques.
  Purpose: To secure account password information on the new domain controller.
  Reference: The system key utility

- Require all domain users to use strong passwords.
  Purpose: To prevent unauthorized access to your organization.
  Reference: Strong passwords

- Enable audit policy.
  Purpose: To receive notification of actions that could pose a security risk.
  Reference: Auditing policy

- Enforce account lockouts on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain through
  repeated logon attempts.
  Reference: User and computer accounts

- Enforce password history on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain.
  Reference: Enforce password history

- Enforce minimum and maximum password ages on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain.
  Reference: Minimum password age; Maximum password age

- Implement SID Filtering.
  Purpose: To prevent attacks from malicious users who might try to grant elevated user
  rights to another user account.
  Reference: "Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege
  Attacks" at the Microsoft Web site (http://www.microsoft.com/)

- Implement smart cards.
  Purpose: To provide tamper-resistant user authentication and e-mail security.
  Reference: Smart card overview

- Restrict user, group, and computer access to shared resources and filter Group Policy
  settings.
  Purpose: To secure resources.
  Reference: Security groups

- Assign user rights to new security groups.
  Purpose: To specifically define the administrative role of members in the domain.
  Reference: User rights assigned to security groups in Active Directory

The following table lists the information that you need to know before you add a domain
controller.

Before adding a domain controller role | Comments

- Verify that the network speed is adequate when installing Active Directory.
  The server on which you want to install Active Directory should have access to the
  network over a high-speed connection.

- Determine whether you want your new domain controller to host a global catalog.
  A global catalog stores a copy of all Active Directory objects in a forest on a domain
  controller. The global catalog stores a full copy of all objects in the directory for
  its host domain and a partial copy of all objects for all other domains in the forest.
  To optimize network performance in a multiple-site environment, consider adding global
  catalogs for select sites. In a single-site environment, a single global catalog is
  usually sufficient to cover common Active Directory queries. However, in a
  multiple-site environment it is recommended that you use global catalogs in each site.
  For more information about when to add global catalogs in a multiple site environment,
  see Global catalogs and sites.

- Obtain the administrative credentials necessary to add a new domain tree.
  To create a new domain tree, you must be a member of the Domain Admins group (in the
  forest root domain) or the Enterprise Admins group in Active Directory, or you must
  have been delegated the appropriate authority.

page, type the user name, password, and user domain of the user account that you want
to use.

Option | Comments

- User name
  Type the name of a user account that has the necessary administrative credentials. The
  user account must be a member of the Domain Admins group (in the forest root domain),
  or a member of the Enterprise Admins group, or must have been delegated the appropriate
  authority.

- Password
  Type the password for the user account. This should always be a strong password. For
  more information, see Strong passwords.

- Domain
  Type the full DNS name of the domain in which this user name and password are valid.

On servers running Windows NT 4.0 and earlier, read access for user and group
information is assigned to anonymous users so that existing applications, including
Microsoft BackOffice, SQL Server, and some non-Microsoft applications, function
correctly. In Windows 2000 and the Windows Server 2003 family, members of the
Anonymous Logon group have read access to this information only when the group is
added to the Pre-Windows 2000 Compatible Access group.

Option | Comments

- Permissions compatible with pre-Windows 2000 server operating systems
  Click this option if you want the Anonymous Logon group and the Everyone security
  groups to be added to the Pre-Windows 2000 Compatible Access group.

- Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems
  Click this option to prevent members of the Anonymous Logon group from gaining read
  access to user and group information.

The following table lists some of the additional tasks that you might want to perform on
your domain controller.

Task | Purpose of task | Reference

- Secure the new domain controller in a locked room.
  Purpose: To ensure that no one can physically access the domain controller.
  Reference: Domain controllers; Securing Active Directory

- Use strong encryption techniques.
  Purpose: To secure account password information on the new domain controller.
  Reference: The system key utility

- Require all domain users to use strong passwords.
  Purpose: To prevent unauthorized access to your organization.
  Reference: Strong passwords

- Enable audit policy.
  Purpose: To receive notification of actions that could pose a security risk.
  Reference: Auditing policy

- Enforce account lockouts on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain through
  repeated logon attempts.
  Reference: User and computer accounts

- Enforce password history on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain.
  Reference: Enforce password history

- Enforce minimum and maximum password ages on user accounts.
  Purpose: To decrease the possibility of an attacker compromising your domain.
  Reference: Minimum password age; Maximum password age

- Implement SID Filtering.
  Purpose: To prevent attacks from malicious users who might try to grant elevated user
  rights to another user account.
  Reference: "Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege
  Attacks" at the Microsoft Web site (http://www.microsoft.com/)

- Implement smart cards.
  Purpose: To provide tamper-resistant user authentication and e-mail security.
  Reference: Smart card overview

- Restrict user, group, and computer access to shared resources and filter Group Policy
  settings.
  Purpose: To secure resources.
  Reference: Security groups

- Assign user rights to new security groups.
  Purpose: To specifically define the administrative role of members in the domain.
  Reference: User rights assigned to security groups in Active Directory
