Microsoft KB Archive/300921

= HOW TO: Create an Active Directory Server in Windows 2000 =

PSS ID Number: 300921

Article Last Modified on 11/4/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q300921



IN THIS TASK

 * SUMMARY
 ** Creating the Active Directory
 ** Adding Users and Computers to the Active Directory Domain
 * Troubleshooting
 ** Unable to Open the Active Directory Snap-ins



== SUMMARY ==
This article describes how to install and configure a new Active Directory in a laboratory environment that includes Windows 2000 and Active Directory. Note that you will need two networked servers that are running Windows 2000 Server or Windows 2000 Advanced Server for this purpose in a laboratory environment.

=== Creating the Active Directory ===
After you have installed Windows 2000 Server or Windows 2000 Advanced Server on a standalone server, run the Active Directory Wizard to create the new Active Directory forest or domain and convert the Windows 2000 server into the first domain controller (DC) in the forest.

To convert a Windows 2000 server into the first DC in the forest:

 1. Place the Windows 2000 CD-ROM into the CD-ROM drive.
 2. Click Start, click Run, and then type dcpromo.
 3. Click OK to start the Active Directory Installation Wizard, and then click Next.
 4. Click Domain Controller for a new domain, and then click Next.
 5. Click Create a new domain tree, and then click Next.
 6. Click Create a new forest of domain trees, and then click Next.
 7. Specify the full DNS name for the new Active Directory. Note that because this procedure is for a laboratory environment and you are not integrating this environment into your existing DNS infrastructure, you can use something generic such as mycompany.local for this setting. Click Next.
 8. Accept the default domain NetBIOS name (this is "mycompany" if you used the suggestion in step 7). Click Next.
 9. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
 10. Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
 11. Click Install and Configure DNS, and then click Next.
 12. Click Permissions compatible only with Windows 2000 Servers, and then click Next.
 13. Because this is a laboratory environment, leave the password for the "Directory Services Restore Mode Administrator" blank. Note that in a full production environment, this would be set by using a secure password format. Click Next.
 14. Review and confirm the options you selected, and then click Next.
 15. During the installation of Active Directory, the Configuring Active Directory progress meter appears. Note that this operation may take several minutes.
 16. When you are prompted, restart the computer. After the computer restarts, confirm that the DNS service location records for the new domain controller have been created. To confirm that the DNS service location records have been created:
     a. Click Start, click Programs, click Administrative Tools, and then click DNS to start the DNS Administrator Console.
     b. Click the server name, click Forward Lookup Zones, click the domain name, and then expand the domain.
     c. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These folders, and the service location records they contain, are critical to Active Directory and Windows 2000 operations.

=== Adding Users and Computers to the Active Directory Domain ===
When the new Active Directory domain is established, create a user account within that domain to use as an administrative account. When that user is added to the appropriate security groups, use that account to add computers to the domain.

 1. Create a new user:
     a. Click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers to start the Active Directory Users and Computers console.
     b. Click the domain name you created, and then expand the contents.
     c. Right-click Users, point to New, and then click User.
     d. Type the first name, last name, and user logon name of the new user, and then click Next.
     e. Type a new password, confirm the password, and then click to select one of the following check boxes:
         * Users must change password at next logon (recommended for most users)
         * User cannot change password
         * Password never expires
         * Account is disabled
        Click Next.
     f. Review the information you provided and if everything is correct, click Finish.
 2. After you create the new user, give this user account membership in a group that allows the user to perform administrative tasks. Because this is a laboratory environment that you are in control of, you can give this user account full administrative access by making it a member of the Schema, Enterprise, and Domain administrators groups. Add the account to the Schema, Enterprise, and Domain administrators groups:
     a. From the Active Directory Users and Computers console, right-click the new account that you created, and then click Properties.
     b. On the Member Of tab, click Add.
     c. In the Select Groups dialog box, select a group, and then click Add to add the desired groups to the list.
     d. Repeat the selection process for each group in which the user needs account membership.
     e. Click OK to finish.
 3. The final step in this process is to add a member server to the domain. This process also applies to workstations. To add a computer to the domain:
     a. Log on to the computer that you want to add to the domain.
     b. Right-click My Computer, and then click Properties.
     c. On the Network Identification tab, click Properties.
     d. In the Identification Changes dialog box, under Member Of, click Domain, and then type the domain name.
     e. Type the ID and password of the account that you previously created when you are prompted, and then click OK. A message that welcomes you to the domain is generated.
     f. Click OK to return to the Network Identification tab, and then click OK to finish.
     g. Restart the computer if you are prompted to do so.

== Troubleshooting ==

=== Unable to Open the Active Directory Snap-ins ===
After you have completed the installation of Active Directory, you may find that you are unable to start the Active Directory Users and Computers snap-in, and you may receive an error message that indicates that no authority could be contacted for authentication. This can occur when DNS is not correctly configured. To resolve this issue, check to see that the zones on your DNS server are configured correctly and that your DNS server has authority for the zone that contains the Active Directory domain name. If the zones appear to be correct and the server has authority for the domain, try to start the Active Directory Users and Computers snap-in again. If you receive the same error message, use the DCPROMO utility to remove Active Directory, restart the computer, and then reinstall Active Directory.
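
A check for the DNS verification step in "Creating the Active Directory" and for the DNS cause described above, as an added example that is not part of the original article: it reads a record listing in standard zone-file notation and reports which of the four required folders hold no SRV record and which SRV targets have no A record in the zone. The host name dc1, the address 192.0.2.10 and both sample listings are constructed for illustration.

```python
import re

# Subfolders the article says must appear under the domain's forward lookup zone.
REQUIRED = ("_msdcs", "_sites", "_tcp", "_udp")

# owner [ttl] [IN] TYPE rdata -- standard zone-file notation, one record per line
RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SRV|A)\s+(.+)$", re.I)

# Constructed sample: a healthy lab zone (dc1 and 192.0.2.10 are made up).
GOOD_ZONE = """
dc1.mycompany.local. 1200 IN A 192.0.2.10
_ldap._tcp.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
_kerberos._tcp.mycompany.local. 600 IN SRV 0 100 88 dc1.mycompany.local.
_kerberos._udp.mycompany.local. 600 IN SRV 0 100 88 dc1.mycompany.local.
_ldap._tcp.dc._msdcs.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
_ldap._tcp.Default-First-Site-Name._sites.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
"""

# Constructed sample: partial registration, and no A record for the DC itself.
BROKEN_ZONE = """
_ldap._tcp.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
_kerberos._udp.mycompany.local. 600 IN SRV 0 100 88 dc1.mycompany.local.
"""

def parse(text):
    """Yield (owner, type, rdata_fields) for the SRV and A records in text."""
    for line in text.splitlines():
        m = RECORD.match(line.split(";", 1)[0].strip())  # drop ';' comments
        if m:
            yield m[1].rstrip(".").lower(), m[2].upper(), m[3].split()

def check_zone(text, domain):
    """Return (missing_folders, srv_targets_without_A_record) for the zone."""
    suffix = "." + domain.rstrip(".").lower()
    folders, targets, hosts = set(), set(), set()
    for owner, rtype, rdata in parse(text):
        if not owner.endswith(suffix):
            continue  # record belongs to another zone
        if rtype == "A":
            hosts.add(owner)
        elif len(rdata) == 4:  # SRV rdata: priority weight port target
            # The DNS console nests labels right to left, so the label next to
            # the domain name is the top-level folder the record sits in.
            folders.add(owner[: -len(suffix)].split(".")[-1])
            targets.add(rdata[3].rstrip(".").lower())
    return [f for f in REQUIRED if f not in folders], sorted(targets - hosts)

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(name, check_zone(zone, "mycompany.local"))
```
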

Keywords: kbhowto kbHOWTOmaster kbnetwork KB300921

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch

-

© 2004 Microsoft Corporation. All rights reserved.