Creating the Active Directory
After you have installed Windows 2000 Server or Windows 2000 Advanced
Server on a standalone server, run the Active Directory Wizard to create
the new Active Directory forest or domain and convert the Windows 2000
server into the first domain controller (DC) in the forest. To convert a
Windows 2000 server into the first DC in the forest:
1. Place the Windows 2000 CD-ROM into the CD-ROM drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click
4. Click Domain Controller for a new domain, and then click Next.
5. Click Create a new domain tree, and then click Next.
6. Click Create a new forest of domain trees, and then click Next.
7. Specify the full DNS name for the new Active Directory. Note that because
   this procedure is for a laboratory environment and you are not integrating
   this environment into your existing DNS infrastructure, you can use
   something generic such as mycompany.local for this setting. Click Next.
8. Accept the default domain NetBIOS name (this is "mycompany" if you used the
   suggestion in step 7). Click Next.
9. Set the database and log file location to the default setting of the
   c:\winnt\ntds folder, and then click Next.
10. Set the Sysvol folder location to the default setting of the
    c:\winnt\sysvol folder, and then click Next.
11. Click Install and Configure DNS and then click Next.
12. Click Permissions compatible only with Windows 2000 Servers, and then click
13. Because this is a laboratory environment, leave the password for the
    "Directory Services Restore Mode Administrator" blank. Note that in a full
    production environment, this would be set by using a secure password
    format. Click Next.
14. Review and confirm the options you selected, and then click Next.
During the installation of Active Directory, the Configuring Active
Directory progress meter appears. Note that this operation may take several
When you are prompted, restart the computer. After the computer restarts,
confirm that the DNS service location records for the new domain controller
have been created. To confirm that the DNS service location records have
1. Click Start, click Programs, click Administrative Tools, and then click DNS
   to start the DNS Administrator Console.
2. Click the server name, click Forward Lookup Zones, click the domain name,
   and then expand the domain.
3. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These
   folders, and the service location records they contain, are critical to
   Active Directory and Windows 2000 operations.
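A scripted version of the check above, added here as an example (it is not part of the original article): it reads zone-file style SRV lines and reports which of the four folders has no record pointing at the new DC. The host name dc1, the sample record lines, and the function names are constructed for illustration.

```python
import re

# Subdomains ("folders") the page says must exist under the domain's zone.
REQUIRED_FOLDERS = ("_msdcs", "_sites", "_tcp", "_udp")

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$",
    re.IGNORECASE,
)

# Constructed sample for the lab domain; dc1 is a hypothetical host name.
SAMPLE_ZONE = """\
; SRV records as they might appear in a text export of the zone
_ldap._tcp.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
_kerberos._tcp.mycompany.local. 600 IN SRV 0 100 88 dc1.mycompany.local.
_ldap._tcp.dc._msdcs.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
_ldap._tcp.Default-First-Site-Name._sites.mycompany.local. 600 IN SRV 0 100 389 dc1.mycompany.local.
"""

def parse_srv(zone_text):
    """Return (owner, port, target) per SRV line, lowercased, no trailing dot."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        m = SRV_LINE.match(line)
        if m:
            owner, port, target = m.groups()
            records.append((owner.lower().rstrip("."), int(port), target.lower().rstrip(".")))
    return records

def folder_of(owner, domain):
    """Return the label directly under the domain, or None if outside the zone."""
    suffix = "." + domain.lower().rstrip(".")
    if not owner.endswith(suffix):
        return None
    return owner[: -len(suffix)].split(".")[-1]

def check_dc_records(zone_text, domain, dc_fqdn):
    """Return (found, missing): SRV owners per folder that target dc_fqdn."""
    dc = dc_fqdn.lower().rstrip(".")
    found = {folder: [] for folder in REQUIRED_FOLDERS}
    for owner, _port, target in parse_srv(zone_text):
        folder = folder_of(owner, domain)
        if folder in found and target == dc:
            found[folder].append(owner)
    missing = [f for f in REQUIRED_FOLDERS if not found[f]]
    return found, missing

if __name__ == "__main__":
    found, missing = check_dc_records(SAMPLE_ZONE, "mycompany.local", "dc1.mycompany.local")
    print("missing folders:", missing)
```

The constructed sample deliberately has no _udp record, so the check reports that folder as missing; records that point at a different host are not counted for the DC being verified.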
Adding Users and Computers to the Active Directory Domain
When the new Active Directory domain is established, create a user account
within that domain to use as an administrative account. When that user is
added to the appropriate security groups, use that account to add computers
to the domain.
Create a new user:
1. Click Start, point to Programs, click Administrative Tools, and then click
   Active Directory Users and Computers to start the Active Directory Users
   and Computers console.
2. Click the domain name you created, and then expand the contents.
3. Right-click Users, point to New, and then click User.
4. Type the first name, last name, and user logon name of the new user, and
   then click Next.
5. Type a new password, confirm the password, and then click to select one of
   the following check boxes:
   - Users must change password at next logon (recommended for most users)
   - User cannot change password
   - Password never expires
   - Account is disabled
6. Review the information you provided and if everything is correct, click
After you create the new user, give this user account membership in a group
that allows the user to perform administrative tasks. Because this is a
laboratory environment that you are in control of, you can give this user
account full administrative access by making it a member of the Schema,
Enterprise, and Domain administrators groups. Add the account to the
Schema, Enterprise, and Domain administrators groups:
1. From the Active Directory Users and Computers console, right-click the new
   account that you created, and then click Properties.
2. On the Member Of tab, click Add.
3. In the Select Groups dialog box, select a group, and then click Add to add
   the desired groups to the list.
4. Repeat the selection process for each group in which the user needs account
5. Click OK to finish.
The final step in this process is to add a member server to the domain.
This process also applies to workstations. To add a computer to the domain:
1. Log on to the computer that you want to add to the domain.
2. Right-click My Computer, and then click Properties.
3. On the Network Identification tab, click Properties.
4. In the Identification Changes dialog box, under Member Of, click Domain,
   and then type the domain name.
5. Type the ID and password of the account that you previously created when
   you are prompted, and then click OK. A message that welcomes you to the
   domain is generated.
6. Click OK to return to the Network Identification tab, and then click OK to
7. Restart the computer if you are prompted to do so.
Unable to Open the Active Directory Snap-ins
After you have completed the installation of Active Directory, you may find
that you are unable to start the Active Directory Users and Computers
snap-in, and you may receive an error message that indicates that no
authority could be contacted for authentication. This can occur when DNS is
not correctly configured. To resolve this issue, check to see that the
zones on your DNS server are configured correctly and that your DNS server
has authority for the zone that contains the Active Directory domain name.
If the zones appear to be correct and the server has authority for the
domain, try to start the Active Directory Users and Computers snap-in
again. If you receive the same error message, use the DCPROMO utility to
remove Active Directory, restart the computer, and then reinstall Active
This posting is provided "AS IS" with no warranties, and confers no rights.