Installing Active Directory

The wizard begins by asking if you are creating a new domain, or adding a domain controller to an existing domain. The second option is less involved, since the domain will already have been created.

After choosing to create a new domain, the wizard asks whether to create a new domain tree (our choice, since we are creating the forest root) or a child domain under an existing tree.

After choosing to create a new tree, we must decide whether to create an entirely new forest or add this tree to an existing forest. Note that creating a new forest creates an entirely new AD structure, with its own schema and configuration partitions.

The new domain (in our case the root domain) must be named according to DNS naming conventions. Because I have already created the associated DNS zone, the wizard will not report any errors or offer to create the zone for me. The screen after the domain name asks for the name in NetBIOS format (supplied by default and truncated to 15 characters if necessary) for older clients such as Windows 95, 98 and NT, which still rely on NetBIOS for operations such as logon.

The next decision is where the AD database and its log files should be placed. For best performance, put them on separate physical disks if possible. By default both are placed in the %systemroot%\NTDS directory.

The next decision is the location of SYSVOL, the folder that holds domain-wide files such as Group Policy objects and logon scripts. It must be on an NTFS partition, and its contents are replicated between domain controllers by the File Replication Service (FRS).
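The same decisions (DNS domain name, NetBIOS name, database, log and SYSVOL locations) expressed as an unattended forest installation on a current Windows Server, as an added example that is not part of the original article. The domain name, NetBIOS name and drive letters are assumptions; the script checks the SYSVOL volume is NTFS and warns if the database and logs share a physical disk before calling Install-ADDSForest.

```powershell
# Added example, not from the original article. All names and paths are assumptions.
$DomainName   = 'corp.example.com'   # must follow DNS naming conventions
$NetbiosName  = 'CORP'               # 15 characters maximum, used by legacy clients
$DatabasePath = 'D:\NTDS'            # ntds.dit
$LogPath      = 'E:\NTDS'            # transaction logs, ideally on a separate disk
$SysvolPath   = 'D:\SYSVOL'          # must live on an NTFS volume

function Get-DriveLetterOf([string]$Path) {
    (Split-Path -Qualifier $Path).TrimEnd(':')
}

# Pre-flight check 1: SYSVOL must be on NTFS
$sysvolDrive = Get-DriveLetterOf $SysvolPath
$fs = (Get-Volume -DriveLetter $sysvolDrive).FileSystem
if ($fs -ne 'NTFS') { throw "SYSVOL volume $sysvolDrive is $fs, not NTFS" }

# Pre-flight check 2: database and logs should be on different physical disks
$dbDisk  = (Get-Partition -DriveLetter (Get-DriveLetterOf $DatabasePath)).DiskNumber
$logDisk = (Get-Partition -DriveLetter (Get-DriveLetterOf $LogPath)).DiskNumber
if ($dbDisk -eq $logDisk) { Write-Warning 'AD database and logs share disk $dbDisk; performance will suffer' }

# Pre-flight check 3: the NetBIOS name the wizard would truncate
if ($NetbiosName.Length -gt 15) { throw 'NetBIOS name exceeds 15 characters' }

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Equivalent of "create a new domain in a new forest" in the wizard.
# -InstallDns creates the zone the wizard offers to create when none exists.
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -DatabasePath $DatabasePath -LogPath $LogPath -SysvolPath $SysvolPath `
    -InstallDns:$true -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
```

Run Test-ADDSForestInstallation with the same parameters first if you want the prerequisite checks without the reboot; the install itself restarts the server once promotion completes.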

The next step demands attention, especially if your environment still has NT 4-based application services in use (RAS, for example). A remote access server must read user properties (such as dial-in permission) from Active Directory, and unless the first option on the Permissions page, permissions compatible with pre-Windows 2000 servers, is chosen, an NT 4 RAS server will not be able to access that information, because it uses a null session to communicate with the domain controller. Note that this loosening of permissions, which works by adding Everyone to the built-in Pre-Windows 2000 Compatible Access group, lets an anonymous user read some information in Active Directory, such as user and group attributes. Choose the stricter option unless you actually have such servers, and revisit the choice once they are gone.
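A way to find out later whether a domain was promoted with the loosened option, and to tighten it once the NT 4 consumers are gone, as an added example that is not part of the original article. The group name is the real built-in group the wizard populates; the members it looks for are the well-known principals Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7), the latter being what newer Windows versions add because Everyone no longer includes anonymous users there. The -Remediate switch name is an assumption.

```powershell
# Added example, not from the original article. Audits the permission choice made in the
# wizard by inspecting the Pre-Windows 2000 Compatible Access group, and optionally removes
# the anonymous principals from it. The -Remediate switch is an illustrative name.
param([switch]$Remediate)
Import-Module ActiveDirectory

$groupName = 'Pre-Windows 2000 Compatible Access'

# Well-known SIDs whose membership grants the null-session read described in the text
$anonymousSids = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

# Well-known principals are stored as foreignSecurityPrincipal objects whose CN is the
# SID string, e.g. CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=corp,DC=example,DC=com
$members = (Get-ADGroup -Identity $groupName -Properties member).member
$loose = foreach ($dn in $members) {
    $cn = ($dn -split ',')[0] -replace '^CN=', ''
    if ($anonymousSids.ContainsKey($cn)) {
        [pscustomobject]@{ Name = $anonymousSids[$cn]; SID = $cn; DN = $dn }
    }
}

if (-not $loose) {
    Write-Host "$groupName contains no anonymous principals; permissions are Windows 2000-only."
    return
}

Write-Warning "$groupName grants anonymous read access via: $($loose.Name -join ', ')"
$loose | Format-Table Name, SID, DN -AutoSize

if ($Remediate) {
    # Only do this once no NT 4 RAS (or other null-session) consumers remain:
    # after removal their lookups against the DC will fail exactly as the text warns.
    Remove-ADGroupMember -Identity $groupName -Members $loose.DN -Confirm:$false
    Write-Host 'Removed anonymous principals from the group.'
}
```

Run it without the switch first to see what the promotion left in place; the audit alone is safe on any domain controller, while the removal should be scheduled alongside the retirement of the last pre-Windows 2000 server that depends on it.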

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.