Installing Active Directory

After you have at least one Windows 2000 Server up and running, you can get started with Active Directory. You’ll need to do a bit of planning first. The best way to get started is to take an inventory of all the hardware and map out the physical network connections.

If all the network administration tasks are handled from one location, this process can be relatively simple. If you are configuring an Active Directory that spans multiple physical locations across WAN links, it will get quite complex.

Planning

Every Windows 2000 domain and its Active Directory can consist of millions of objects. Instead of adding new domains for each location, you should consider breaking down a single large domain into Organizational Units (OU), which are covered in detail later in this chapter.

There are a few cases where multiple domains would be a better solution. If two locations have different Internet domain names, they’ll probably want to keep their identities separate on the private portions of their networks, too.

If you have slow WAN connections between physical locations or very strict security requirements in a certain location, you probably want to use separate domains to reduce replication and authentication traffic across those links. Otherwise, keep it as simple as possible by using one domain.

Microsoft recommends that you register at least one domain name for your network from an official naming organization, like Network Solutions. You can choose to register a single domain name for use inside and outside a firewall, or you can register two separate domain names. There are advantages and disadvantages to both methods.

If you choose to use the same domain for the private portion of your network as you do for your Internet presence, you have to be very careful not to allow access to your private data from the public Internet. With the sheer number of security holes in all network operating systems, including Windows 2000, this can be a serious issue. Because of the additional security concerns, it is generally more complex to successfully manage a domain using this naming scheme.

If you choose to use a different domain name inside your network than you use for your Internet presence, it is much easier to figure out whether a resource is public or private. This makes the security a bit easier to manage.

Installation

If you’ve just finished installing Windows 2000 Server on the first computer in the domain and the Configure Your Server window is displayed, choose the Active Directory Installation Wizard. Otherwise, you can open the Configure Your Server window by choosing it from the Start → Programs → Administrative Tools menu.

When you begin the installation with the Active Directory Installation Wizard, you’ll have the choice of creating a new domain controller for a new domain or adding a domain controller to an existing domain.

If you choose to create a new domain controller, you’ll have the choice of either starting a new tree or joining an existing tree as a subdomain. Active Directory requires a DNS server to function properly. The Active Directory Installation Wizard allows you to make the current computer the DNS server during the installation process. Following is a description of the steps involved in running the wizard:

  1. Start the Active Directory Installation Wizard from the Configure Your Server dialog box. During the install, you’ll have to click the Next button to move between screens.

  2. You’ll see the Domain Controller Type screen. Here’s where you’ll have to choose to either create a domain controller for a new domain or add a domain controller to an existing domain. I’ll assume you’re starting from scratch and want to create a new domain.

  3. You’ll see the Create Tree or Child Domain screen. Create a new tree.

  4. You’ll see the Create or Join Forest screen. Create a new forest.

  5. You’ll see the New Domain Name screen. Type your registered domain name in the Full DNS Name for New Domain box.

  6. For some reason, Microsoft didn’t kill off NetBIOS completely, so the next screen you’ll see will show you the shortened DNS domain name as a Domain NetBIOS name.

  7. You’ll see the Database and Log Locations screen. You should see the path WINNT\NTDS.

  8. You’ll see the Shared System Volume screen. You should see the path WINNT\SYSVOL.

  9. You’ll get a warning screen about the need for a DNS server. Click OK, and the Configure DNS Wizard will start.

  10. Choose Install and Configure DNS on This Computer.

  11. You’ll see the Permissions screen. Choose Permissions Compatible Only with Windows 2000 Servers.

  12. You’ll see the Directory Services Restore Mode Administrative Password screen. Type in the password that will be required if you ever have to restore Active Directory.

  13. You’ll see a report of all the choices you’ve made so far.

  14. After you’ve accepted the configuration, the wizard will actually start the configuration process. You’ll see a progress bar, and it could take a few minutes to finish.

  15. You’ll see the Completing the Active Directory Installation Wizard screen. Click Finish, then click Restart. When the computer reboots, you should be all set.

Verifying the Active Directory installation

There are a couple of quick tests to be sure that Active Directory and DNS are working. Look for the new domain you created in My Network Places. If you see your domain name, you should be okay. You can also look for your domain using the Active Directory Users and Computers MMC snap-in:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers. The Users and Computers MMC snap-in is displayed, as shown in Figure 13-1.

  2. There should be a directory tree with your domain name listed; double-click it and it should expand.

  3. Double-click on Domain Controllers and be sure the name of the server you installed AD on is listed.

Figure 13-1. The Active Directory Users and Computers snap-in

If both of these tests work out well, your last step is to make sure DNS is set up properly. Windows 2000 has a built-in testing utility to make sure DNS is working. You should definitely try this before moving on:

  1. Choose Start → Programs → Administrative Tools → DNS.

  2. You should see the name of your server listed. Right-click and choose Properties, then choose the Monitoring tab.

  3. Select the A Simple Query Against This DNS Server checkbox. If you already have the server connected to other DNS servers, you can also select the A Recursive Query to Other DNS Servers checkbox.

  4. Click on the Test Now button. In the results, you should see that the server passed the test or tests.
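The tests above confirm that the DNS server answers queries; clients also need the SRV locator records that a domain controller registers in the zone. The following Python check is an added example, not part of the original text: it reads records in standard zone-file form (the form used in the netlogon.dns file that the Netlogon service writes under %SystemRoot%\System32\Config) and reports locator records that are missing, carry the wrong port, or point at a host with no A record. The domain example.com, the hosts dc1 and dc2, and the address are constructed sample values.

```python
EXPECTED = {  # SRV owner label -> port (_gc._tcp sits under the forest root, here the new domain)
    "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389, "_ldap._tcp.pdc._msdcs": 389,
    "_kerberos._tcp": 88, "_kerberos._udp": 88, "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464, "_gc._tcp": 3268,
}

def parse_records(zone_text):
    """Return (srv, hosts): owner -> [(port, target)], and names that have an A record."""
    srv, hosts = {}, set()
    for line in zone_text.splitlines():
        f = line.split(";", 1)[0].split()      # drop comments, split fields
        if len(f) < 5 or f[2].upper() != "IN":
            continue
        owner, rtype = f[0].rstrip(".").lower(), f[3].upper()
        if rtype == "A":
            hosts.add(owner)
        elif rtype == "SRV" and len(f) >= 8:   # priority weight port target
            srv.setdefault(owner, []).append((int(f[6]), f[7].rstrip(".").lower()))
    return srv, hosts

def check_locator_records(domain, zone_text):
    """List problems that would stop clients from locating a domain controller."""
    srv, hosts = parse_records(zone_text)
    problems = []
    for label, port in EXPECTED.items():
        owner = f"{label}.{domain}".lower()
        if owner not in srv:
            problems.append(f"missing SRV {owner}")
            continue
        for got_port, target in srv[owner]:
            if got_port != port:
                problems.append(f"{owner}: port {got_port}, expected {port}")
            if target not in hosts:
                problems.append(f"{owner}: target {target} has no A record")
    return problems

SAMPLE_ZONE = """; constructed sample: _kpasswd._udp absent, _gc._tcp target has no A record
dc1.example.com. 3600 IN A 192.0.2.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kpasswd._tcp.example.com. 600 IN SRV 0 100 464 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc2.example.com.
"""
if __name__ == "__main__":
    print("\n".join(check_locator_records("example.com", SAMPLE_ZONE)))
```

An empty result means every expected locator record is present, uses the standard port, and resolves to a host in the same record set.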
