Deploying AD-DNS-01

Applies To: Windows Server 2008

To deploy AD-DNS-01, which is the computer running Active Directory Domain Services (AD DS) and DNS, you must complete these steps in the following order:

Administrative privileges

If you are installing a small network and are the only administrator for the network, it is recommended that you create a user account for yourself, and then add your user account as a member of both Enterprise Admins and Domain Admins. Doing so will make it easier for you to act as the administrator for all network resources. It is also recommended that you log on with this account only when you need to perform administrative tasks, and that you create a separate user account for performing non-IT-related tasks.

If you have a larger organization with multiple administrators, refer to AD DS documentation to determine the best group membership for organization employees.

Domain user accounts vs. user accounts on the local computer

One of the advantages of a domain-based infrastructure is that you do not need to create user accounts on each computer in the domain. This is true whether the computer is a client computer or a server.

Because of this, you should not create user accounts on each computer in the domain. Create all user accounts in Active Directory Users and Computers and use the preceding procedures to assign group membership. By default, all user accounts are members of the Domain Users group.

After you have joined a computer to the domain, members of the Domain Users group can log on to any domain member client computer.


Members of the Domain Users group cannot log on to computers running Windows Server® 2008.

You can configure user accounts to designate the days and times that the user is allowed to log on to the computer. You can also designate which computers each user is allowed to use. To configure these settings, open Active Directory Users and Computers, locate the user account that you want to configure, and double-click the account. In the user account Properties, click the Account tab, and then click either Logon Hours or Log On To.
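The same two restrictions can be set from a script. The following is an added example, not part of the original documentation: it builds the 21-byte `logonHours` value that the Logon Hours dialog stores, which is kept in UTC, and applies it together with a Log On To list. It assumes PowerShell 3.0 or later and that the ActiveDirectory PowerShell module is available on the machine where you run it. The function name `New-LogonHoursBitmap`, the account `jsmith`, and the computers `WKS-01` and `WKS-02` are hypothetical placeholders.

```powershell
# Added example. logonHours holds 168 bits, one per hour of the week, starting at
# Sunday 00:00 UTC; bit 0 of each byte is the earliest hour covered by that byte.
function New-LogonHoursBitmap {
    param(
        [Parameter(Mandatory = $true)] [System.DayOfWeek[]] $Days,
        [Parameter(Mandatory = $true)] [ValidateRange(0, 23)] [int] $StartHour,  # local, inclusive
        [Parameter(Mandatory = $true)] [ValidateRange(1, 24)] [int] $EndHour,    # local, exclusive
        [ValidateRange(-12, 14)] [int] $UtcOffsetHours = 0   # whole hours only; 0 = times are UTC
    )
    if ($EndHour -le $StartHour) { throw 'EndHour must be greater than StartHour.' }

    $bitmap = New-Object byte[] 21            # all zero = no hour permitted
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Convert local hour-of-week to UTC and wrap around the week boundary.
            $slot  = ((([int]$day * 24 + $h - $UtcOffsetHours) % 168) + 168) % 168
            $index = [int][math]::Floor($slot / 8)
            $bitmap[$index] = $bitmap[$index] -bor (1 -shl ($slot % 8))
        }
    }
    return ,$bitmap                           # leading comma keeps the byte[] intact
}

# Constructed sample: weekdays 08:00-18:00 for a site at UTC-5.
[byte[]] $hours = New-LogonHoursBitmap -Days Monday, Tuesday, Wednesday, Thursday, Friday `
    -StartHour 8 -EndHour 18 -UtcOffsetHours -5

Import-Module ActiveDirectory

# Logon Hours -> logonHours attribute; Log On To -> comma-separated computer names.
Set-ADUser -Identity 'jsmith' -Replace @{ logonHours = $hours } `
    -LogonWorkstations 'WKS-01,WKS-02'

# Read the settings back to confirm what was stored.
Get-ADUser -Identity 'jsmith' -Properties logonHours, LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations,
        @{ Name = 'LogonHoursHex'; Expression = { [BitConverter]::ToString($_.logonHours) } }
```

Because the bitmap is fixed in UTC, the permitted window shifts by an hour in local terms when daylight saving time starts or ends, so review the value after a clock change if the boundary matters.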