Active Directory Data Storage |
After it verifies all of the required components, the Active Directory Installation Wizard confirms the settings that you have made. When you accept the settings, the process of actually configuring the directory service begins. This process can be cancelled by clicking Cancel.
The Active Directory Installation Wizard copies the directory database file (Ntds.dit) from its location in the %SystemRoot\System32 directory to the destination you have specified, after which the wizard configures the local server to host the directory service. This process includes creating the directory partitions and the default domain security principals.
The following directory partitions are created as default partitions on the first domain controller in a forest and are updated through replication on every subsequent domain controller that is created in the forest:
During the installation of Active Directory, the following services are configured to start automatically:
For more information about Net Logon and the domain controller locator, see "Name Resolution in Active Directory" in this book. For more information about the KDC and the Kerberos v5 authentication protocol, see "Authentication" in this book.
During the installation of Active Directory, security is enabled on directory service and file replication directories for access control, and actions allowed on domain objects are set through Group Policy.
Default access control lists are configured on file and directory objects. Access control lists are also configured for the following registry keys and file system objects, including all child objects:
For more information about access control, see "Access Control" in this book.
Group Policy is replicated from only the first domain controller in a domain to all additional domain controllers. In the case of the first domain controller, default Group Policy is configured by using the following security templates in the
Note
There is a default policy for domains, as well as a default policy for domain controllers. The domain controller policy has precedence over the domain policy. For example, if you want to grant the Add Workstation to Domain privilege to a user, you modify the default domain controller policy rather than the default domain policy.
For more information about domain and domain controller Group Policy settings, see "Group Policy" in this book.
For all types of installation, the Active Directory Installation Wizard provides the option of minimizing permissions to accommodate pre-Windows 2000 applications that require permissions that are less strict than those granted by Windows 2000–based domain controllers. If you have Windows NT 4.0–based Remote Access Service servers or Microsoft SQL Servers that are running on Windows NT 3.x–based or Windows NT 4.0–based computers, or if these applications are running on Windows 2000–based computers that are located in Windows NT 3.x domains or Windows NT 4.0 domains, the Pre-Windows 2000 compatible permissions option provides the permissions that these applications require for anonymous read access to particular user and group object attributes. Pre-Windows 2000 compatible permissions, which is the default setting, adds the Everyone group to the Pre-Windows 2000 Compatible Access local group. This group has access to the user and group object attributes that existed in Windows NT 4.0 and that are required by server applications to function with Active Directory.
Note
The Everyone group contains every user account in the forest, including the Guest account and Anonymous/NullSession. Thus, the Pre-Windows 2000 compatible permissions option allows all users, including anonymous users, to have read access to domain user and group attributes.
Members of the Pre-Windows 2000 Compatible Access group have read access to the following attributes:
If all of your server-based applications are running on Windows 2000–based servers that are members of Windows 2000 domains, select the Windows 2000-only permissions option. This option prevents anonymous users from being able to read user and group information.
For more information about permissions, see "Access Control" in this book. For more information about remote access, see "Routing and Remote Access Service" in the Microsoft® Windows® 2000 Server Resource Kit Internetworking Guide.
If you subsequently upgrade all of your servers and domains to Windows 2000, you can remove the Everyone group from the Pre-Windows 2000 Compatible Access group. Likewise, if you incorporate Windows NT 3.x or Windows NT 4.0 server applications into your Windows 2000 domain or if you add a Windows NT 3.x or Windows NT 4.0 domain to your forest, you can add the Everyone group to the Pre-Windows 2000 Compatible Access group.
Caution
Each time you change the group membership, you must reboot every domain controller in the domain for the change to take effect.
To add or delete the Everyone group to or from the Pre-Windows 2000 Compatible Access group
net localgroup "Pre-Windows 2000 Compatible Access" Everyone /add
net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
When a primary domain controller in Windows NT 4.0 is upgraded to Windows 2000, the Active Directory Installation Wizard opens at the end of the setup. Accounts in the registry-based SAM database are migrated to Active Directory; the existing SAM is deleted; and a new, smaller registry-based SAM is created that is used for starting the domain controller in Directory Services Restore Mode for system repair.
Note
In both mixed-mode and native-mode, when you upgrade a primary domain controller in Windows NT 4.0 to a Windows 2000–based domain controller (as the first domain controller in the domain) and when you upgrade a backup domain controller in Windows NT 4.0 to a Windows 2000–based domain controller, the previous SAM database is deleted so that it is not available for password attacks.
On every new domain controller, whether it is upgraded from an existing Windows NT 4.0–based server or freshly installed as a new operating system, you are prompted for an Administrator account password that is to be used for authenticating to this SAM database when the computer is started in Directory Services Restore Mode.
If Active Directory is removed from the server, the new SAM is available for local user and group accounts on the member server. The computer SID does not change during the installation or removal of Active Directory.
When the new domain is not the first domain in a new forest, its creation depends on other domains in the forest. Various new accounts are created; trust relationships are created; and cross-reference objects are created to incorporate the new domain into the forest.
Note
Creating a new forest has no effect on any existing domain and, therefore, does not use a source domain controller during the installation of Active Directory.
Regardless of the type of domain that you are creating, the Active Directory Installation Wizard performs the following operations during the installation process:
<computerName>.<domainName>...<forestRootDomainName>
During the installation of Active Directory, only the directory folders are created. After Active Directory is installed and the domain controller is restarted, File Replication service (FRS) actually creates the system volume objects in the local directory and enables Sysvol replication on the domain controller.
Note
On servers that are upgraded from Windows NT 4.0, files in the original Net Logon share (Repl\Export\Scripts) are moved to the \Sysvol\Sysvol\%Fqdn\Scripts folder in the Sysvol tree.
The following operations occur when you create the forest root domain:
The following operations occur when you create a child domain in an existing tree:
The following operations occur when you create a new domain as a new tree in an existing forest:
For more information about trust relationships, see "Active Directory Logical Structure" in this book. For more information about single-master operations, see "Managing Flexible Single-Master Operations" in this book, and see Windows 2000 Server Help.
To add another domain controller to a domain that already exists, install Active Directory on a computer that is running Windows 2000 Server. The same verification and configuration processes occur during the creation of an additional domain controller that occur during the creation of a new domain. There are no specific namespace or TCP/IP checks. If any of these operations fail, the installation of Active Directory cannot proceed.
If these operations are successful, the wizard begins the replication process.
When you create a new domain in an existing forest, the schema directory partition and the configuration directory partition are always updated on the new domain controller through replication. When you create an additional domain controller in an existing domain, the domain directory partition also is updated through replication in addition to the schema directory partition and configuration directory partition.
The computer on which you are installing Active Directory uses the domain controller Locator to find a domain controller in the parent domain (for a new child domain) or in its own domain (for an additional domain controller in an existing domain) to act as the source domain controller for replication. The computer queries the source domain controller for the distinguished names of the Configuration container and the Schema container by posting an LDAP query that is based on the NULL distinguished name and retrieving the rootDSE attributes. It replicates the schema directory partition and configuration directory partition (in that order), referenced only by their distinguished names. After the directory partitions have been replicated to the computer on which you are installing Active Directory, the GUIDs of the containers are established from the replicated data, although the directory partitions continue to be referenced solely by the distinguished name string for the duration of the installation process.
Note
Failure to fully replicate any of the directory partitions results in the failure to install Active Directory. To ensure complete synchronization, there is a critical point in the replication process beyond which the process cannot be terminated: Prior to replication of the attributes from the domain directory partition, you can cancel the installation process (roll it back). After the replication of the domain directory partition attributes, you cannot cancel the installation process.
For more information about the domain controller Locator, see "Name Resolution in Active Directory" in this book.