Directory Service Configuration
After it verifies all of the required components, the Active Directory Installation Wizard confirms the settings that you have made. When you accept the settings, the process of actually configuring the directory service begins. This process can be cancelled by clicking Cancel .
For all types of installation, the wizard performs the following operations:
Sets the values registry entries.
Sets up Active Directory performance counters
Configures the computer to automatically enroll for an X.509 domain controller certificate from the first certificate authority that processes the computer. This certificate is required for SMTPbased replication. (For more information about certificates and certification authorities, see "Authentication" and "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.)
Starts the Kerberos v5 authentication service. (For more information about Kerberos authentication, see "Authentication" in this book.)
Sets the LSA policy to be a domain controller when the computer is restarted. When you upgrade a primary domain controller, the wizard sets up domain security principals, local security principals, and LSA membership of the computer.
Installs shortcuts to the Active Directory administration tools.
Configuring Directory Partitions
The Active Directory Installation Wizard copies the directory database file (Ntds.dit) from its location in the %SystemRoot\System32 directory to the destination you have specified, after which the wizard configures the local server to host the directory service. This process includes creating the directory partitions and the default domain security principals.
The following directory partitions are created as default partitions on the first domain controller in a forest and are updated through replication on every subsequent domain controller that is created in the forest:
The schema directory partition is created as cn=schema,cn=configuration,dc= forestRootDomain . Schema.ini is used to create default directory objects and display specifiers and to implement default security on the directory database.
The configuration directory partition is created as cn=configuration,dc= forestRootDomain .
The domain directory partition is created as dc= domainName and contains the security principals for the domain.
When you create a new domain, the wizard creates a new directory partition that contains all of the default domain objects.
When you create an additional domain controller in an existing domain, the objects are updated through replication. The wizard does not create the default domain directory partition objects.
When you upgrade a primary domain controller in Windows NT 4.0, the wizard creates domain security principals and local security principals. It also migrates LSA memberships and existing accounts.
Setting Services to Start Automatically
During the installation of Active Directory, the following services are configured to start automatically:
RPCLocator, which allows distributed applications to use the Microsoft RPC name service. The RPC Locator manages the RPC name service database. (For more information about the RPC Locator, see "Service Publication in Active Directory" in this book.)
The Net Logon service, which runs the domain controller Locator algorithm. Net Logon also is responsible for creating a secure channel between clients and domain controllers during the logon process, registering service (SRV) resource records in DNS, and supporting the Windows NT 4.0 replication protocol (LMRepl).
The KDC service, which runs on a physically secure server and maintains a database with account information for all security principals in its realm — the Kerberos v5 authentication protocol equivalent of a Windows 2000 domain.
IsmServ (Intersite Messaging [ISM]service), which is used for mail-based replication between sites. Active Directory includes support for replication between sites by using SMTP over IP transport. SMTP support is provided by the SMTP service, which is a component of IIS. The set of transports that are used for communication between sites must be extensible; therefore, each transport is defined in a separate add-in DLL. These add-in DLLs are loaded into the ISM service, which runs on all domain controllers that are candidates for performing communication between sites. The ISM service directs send requests and receive requests to the appropriate transport add-in DLLs, which then route the messages to the ISM service on the destination computer.
TrkSvr (Distributed Link Tracking Server service), which runs on each domain controller in a domain. This service enables client applications to track linked documents that have been moved to a location in another NTFS v5 volume in the same domain, in another domain, or in a workgroup. The Distributed Link Tracking Server service helps resolve shortcuts and OLE links to NTFS-resident files that have undergone a name change, a path change, or both.
W32time (distributed time service), which synchronizes clocks between clients and servers that run Windows 2000. Time synchronization is automatic.
For more information about Net Logon and the domain controller locator, see "Name Resolution in Active Directory" in this book. For more information about the KDC and the Kerberos v5 authentication protocol, see "Authentication" in this book.
During the installation of Active Directory, security is enabled on directory service and file replication directories for access control, and actions allowed on domain objects are set through Group Policy.
Default access control lists are configured on file and directory objects. Access control lists are also configured for the following registry keys and file system objects, including all child objects:
For more information about access control, see "Access Control" in this book.
Group Policy is replicated from only the first domain controller in a domain to all additional domain controllers. In the case of the first domain controller, default Group Policy is configured by using the following security templates in the %Windir%\Inf directory:
DCFirst.inf is used to define the default Password, Lockout, and Kerberos Group Policy settings for the default Group Policy object for the domain.
DefltDC.inf is used to define the Audit and User Rights Group Policy settings for the default Group Policy object for the domain controller.
DCUp.inf is used to define Windows 2000–specific settings during the upgrade of a Windows NT 4.0–based domain controller.
There is a default policy for domains, as well as a default policy for domain controllers. The domain controller policy has precedence over the domain policy. For example, if you want to grant the Add Workstation to Domain privilege to a user, you modify the default domain controller policy rather than the default domain policy.
For more information about domain and domain controller Group Policy settings, see "Group Policy" in this book.
Pre-Windows 2000 Security
For all types of installation, the Active Directory Installation Wizard provides the option of minimizing permissions to accommodate pre-Windows 2000 applications that require permissions that are less strict than those granted by Windows 2000–based domain controllers. If you have Windows NT 4.0–based Remote Access Service servers or Microsoft SQL Servers that are running on Windows NT 3. x –based or Windows NT 4.0–based computers, or if these applications are running on Windows 2000–based computers that are located in Windows NT 3. x domains or Windows NT 4.0 domains, the Pre-Windows 2000 compatible permissions option provides the permissions that these applications require for anonymous read access to particular user and group object attributes. Pre-Windows 2000 compatible permissions , which is the default setting, adds the Everyone group to the Pre-Windows 2000 Compatible Access local group. This group has access to the user and group object attributes that existed in Windows NT 4.0 and that are required by server applications to function with Active Directory.
The Everyone group contains every user account in the forest, including the Guest account and Anonymous/NullSession. Thus, the Pre-Windows 2000 compatible permissions option allows all users, including anonymous users, to have read access to domain user and group attributes.
Members of the Pre-Windows 2000 Compatible Access group have read access to the following attributes:
All attributes on user objects that existed in Windows NT 4.0 (for example, SID, Name, logon hours, user account control).
All attributes on group objects.
If all of your server-based applications are running on Windows 2000–based servers that are members of Windows 2000 domains, select the Windows 2000-only permissions option. This option prevents anonymous users from being able to read user and group information.
For more information about permissions, see "Access Control" in this book. For more information about remote access, see "Routing and Remote Access Service" in the Microsoft ® Windows ® 2000 Server Resource Kit Internetworking Guide .
Changing Pre-Windows Permissions After Active Directory Installation
If you subsequently upgrade all of your servers and domains to Windows 2000, you can remove the Everyone group from the Pre-Windows 2000 Compatible Access group. Likewise, if you incorporate Windows NT 3. x or Windows NT 4.0 server applications into your Windows 2000 domain or if you add a Windows NT 3. x or Windows NT 4.0 domain to your forest, you can add the Everyone group to the Pre-Windows 2000 Compatible Access group.
Each time you change the group membership, you must reboot every domain controller in the domain for the change to take effect.
To add or delete the Everyone group to or from the Pre-Windows 2000 Compatible Access group
On the Start menu, point to Programs , Accessories , and then click Command Prompt .
To add the Everyone group, at the command prompt, type:
net localgroup " Pre-Windows 2000 Compatible Access " Everyone /add
To delete the Everyone group, at the command prompt, type:
net localgroup " Pre-Windows 2000 Compatible Access " Everyone /delete
When a primary domain controller in Windows NT 4.0 is upgraded to Windows 2000, the Active Directory Installation Wizard opens at the end of the setup. Accounts in the registry-based SAM database are migrated to Active Directory; the existing SAM is deleted; and a new, smaller registry-based SAM is created that is used for starting the domain controller in Directory Services Restore Mode for system repair.
In both mixed-mode and native-mode, when you upgrade a primary domain controller in Windows NT 4.0 to a Windows 2000–based domain controller (as the first domain controller in the domain) and when you upgrade a backup domain controller in Windows NT 4.0 to a Windows 2000–based domain controller, the previous SAM database is deleted so that it is not available for password attacks.
On every new domain controller, whether it is upgraded from an existing Windows NT 4.0–based server or freshly installed as a new operating system, you are prompted for an Administrator account password that is to be used for authenticating to this SAM database when the computer is started in Directory Services Restore Mode.
If Active Directory is removed from the server, the new SAM is available for local user and group accounts on the member server. The computer SID does not change during the installation or removal of Active Directory.
Creating a New Domain
When the new domain is not the first domain in a new forest, its creation depends on other domains in the forest. Various new accounts are created; trust relationships are created; and cross-reference objects are created to incorporate the new domain into the forest.
Creating a new forest has no effect on any existing domain and, therefore, does not use a source domain controller during the installation of Active Directory.
Regardless of the type of domain that you are creating, the Active Directory Installation Wizard performs the following operations during the installation process:
Sets the computer Domain Name System (DNS) root domain name to the name of the new domain by using this format:
< computerName >.< domainName >...< forestRootDomainName >
Determines whether the server is joined to a domain. If the computer is a member of a domain (member server), the wizard either removes the computer from the domain and reuses the account or alerts you that the computer account for the server must be removed from the domain by an administrator.
Creates a computer account in the Domain Controllers container in the new domain. The account is added to the Domain Controllers global group in the Users container. This account allows the computer to authenticate to other domain controllers.
Applies the password you have provided for the administrator account that is used when the domain controller is started in Directory Services Restore Mode.
Creates a cross-reference object in the Configuration container. When the configuration directory partition is replicated to the new domain controller, a cross-reference object is created on the domain naming master and is then replicated throughout the forest. This object is used by LDAP to locate resources in other domains. (For more information about cross-reference objects, see "Name Resolution in Active Directory" in this book.)
Removes the Start menu shortcut to the local security settings and adds two new shortcuts to the following Group Policy security setting nodes:
Domain security settings for all users and computers.
Security settings that are specifically targeted at domain controllers.
Creates the Sysvol folder that contains the following:
Net Logon shares. (These usually host logon scripts and policy objects for non-Windows 2000–based network clients.)
File system junctions.
User logon scripts for Windows 2000–based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
Windows 2000 Group Policy.
File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
During the installation of Active Directory, only the directory folders are created. After Active Directory is installed and the domain controller is restarted, File Replication service (FRS) actually creates the system volume objects in the local directory and enables Sysvol replication on the domain controller.
On servers that are upgraded from Windows NT 4.0, files in the original Net Logon share (Repl\Export\Scripts) are moved to the \Sysvol\Sysvol\%Fqdn\Scripts folder in the Sysvol tree.
Operations for the Forest Root Domain
The following operations occur when you create the forest root domain:
The Schema container and the Configuration container are created.
The Active Directory Installation Wizard assigns the PDC emulator, RID master, domain naming master, schema master, and infrastructure master roles to the domain controller.
Operations for a New Child Domain
The following operations occur when you create a child domain in an existing tree:
Verification of the name that you provide as a valid child domain name.
Location of a source domain controller in the parent domain and synchronization of the system time of the child domain with the system time of the source domain controller.
Creation of parent-child trust objects in the System folder on both the parent domain and the child domain. These objects (class trustedDomain ) identify two-way transitive trust relationships between the child domain and the parent domain.
Replication of the Active Directory Schema container and the Configuration container from the parent domain.
Operations for a New Tree-Root Domain in an Existing Forest
The following operations occur when you create a new domain as a new tree in an existing forest:
Location of a source domain controller in the forest root domain and synchronization of domain system time with the system time of the source domain controller.
Creation of a tree-root trust relationship between the tree root domain and the forest root domain, and creation of a trustedDomain object in both domains. The tree-root trust relationship is two-way and transitive.
Assignment of the PDC emulator, relative identifier, and infrastructure single-master operation roles to the domain controller by the Active Directory Installation Wizard.
For more information about trust relationships, see "Active Directory Logical Structure" in this book. For more information about single-master operations, see "Managing Flexible Single-Master Operations" in this book, and see Windows 2000 Server Help.
Operations for an Additional Domain Controller
To add another domain controller to a domain that already exists, install Active Directory on a computer that is running Windows 2000 Server. The same verification and configuration processes occur during the creation of an additional domain controller that occur during the creation of a new domain. There are no specific namespace or TCP/IP checks. If any of these operations fail, the installation of Active Directory cannot proceed.
Joining of the computer to the domain. If the computer already is joined to the domain, the computer account is joined. If the computer has an account in a different domain, it's unjoined.
Forced synchronization from the source server to the RID master, which ensures that a relative identifier pool is quickly provided to the new domain controller. The RID master does not have to be available during the installation of Active Directory, but it must be available at some point after the installation to transfer relative identifiers to the new domain controller.
If these operations are successful, the wizard begins the replication process.
Replicating Directory Partitions
When you create a new domain in an existing forest, the schema directory partition and the configuration directory partition are always updated on the new domain controller through replication. When you create an additional domain controller in an existing domain, the domain directory partition also is updated through replication in addition to the schema directory partition and configuration directory partition.
The computer on which you are installing Active Directory uses the domain controller Locator to find a domain controller in the parent domain (for a new child domain) or in its own domain (for an additional domain controller in an existing domain) to act as the source domain controller for replication. The computer queries the source domain controller for the distinguished names of the Configuration container and the Schema container by posting an LDAP query that is based on the NULL distinguished name and retrieving the rootDSE attributes. It replicates the schema directory partition and configuration directory partition (in that order), referenced only by their distinguished names. After the directory partitions have been replicated to the computer on which you are installing Active Directory, the GUIDs of the containers are established from the replicated data, although the directory partitions continue to be referenced solely by the distinguished name string for the duration of the installation process.
Failure to fully replicate any of the directory partitions results in the failure to install Active Directory. To ensure complete synchronization, there is a critical point in the replication process beyond which the process cannot be terminated: Prior to replication of the attributes from the domain directory partition, you can cancel the installation process (roll it back). After the replication of the domain directory partition attributes, you cannot cancel the installation process.
For more information about the domain controller Locator, see "Name Resolution in Active Directory" in this book.