Active Directory

Date post: 21-Sep-2014
Upload: alikhanriyadh

Troubleshooting Dcpromo Errors

What are the most common DNS related Dcpromo errors? How do I fix them?

Some common issues that you may encounter during Active Directory installation and configuration can cause a partial or complete loss of Active Directory functionality. These issues include, but are not limited to:

Domain Name System (DNS) configuration errors.

Network configuration problems.

Difficulties when you upgrade from Microsoft Windows NT.

You must configure DNS correctly to ensure that Active Directory will function properly.

Review the following configuration items to ensure that DNS is healthy and that the Active Directory DNS entries will be registered correctly:

DNS IP configuration

Active Directory DNS registration

Dynamic zone updates

DNS forwarders

DNS IP Configuration

An Active Directory server that is hosting DNS must have its TCP/IP settings configured properly. TCP/IP on an Active Directory DNS server must be configured to point to itself to allow the server to register with its own DNS server.

To view the current IP configuration

Open a command window and type

ipconfig /all

to display the details. You can modify the DNS configuration by following these steps:

1. Right-click My Network Places, and then click Properties.

2. Right-click Local Area Connection, and then click Properties.


3. Click Internet Protocol (TCP/IP), and then click Properties.

4. Click Advanced, and then click the DNS tab. Configure the DNS server addresses to point to the DNS server; this is the computer's own IP address if it is the first server or if no dedicated DNS server will be configured.

5. If the resolution of unqualified names setting is set to Append these DNS suffixes (in order), the Active Directory DNS domain name should be listed first (at the top of the list).

6. Verify that the DNS Suffix for this connection setting is the same as the Active Directory domain name.

7. Verify that the Register this connection's addresses in DNS check box is selected.

8. At a command prompt, type

ipconfig /flushdns

to purge the DNS resolver cache, and then type

ipconfig /registerdns

to register the DNS resource records.

9. Start the DNS Management console. There should be a host record (an "A" record in advanced view) for the computer name. There should also be a Start of Authority (SOA in Advanced view) record pointing to the domain controller (DC) as well as a Name Server record (NS in Advanced view).

Active Directory DNS Registration

The Active Directory DNS records must register in DNS. The zone can be either a standard primary zone or an Active Directory-integrated zone. An Active Directory-integrated zone differs from a standard primary zone in several ways and provides the following benefits:

The Windows 2000 DNS service stores the zone data in Active Directory. The zone therefore replicates with Active Directory and is multi-master: any DNS server that hosts the directory-integrated zone can accept updates for it. Active Directory integration also removes the need to maintain a separate zone-transfer replication topology.


Secure dynamic updates are integrated with Windows security. This allows an administrator to precisely control which computers can update which names, and it prevents unauthorized computers from taking over (overwriting) names that other computers have already registered in DNS.

Use the following steps to ensure that DNS is registering the Active Directory DNS records:

1. Start the DNS Management console.

2. Expand the zone information under the server name.

3. Expand Forward Lookup Zones, right-click the name of the Active Directory domain's DNS zone, click Properties, and then verify that Allow Dynamic Updates is set to Yes.

4. When DNS is correctly registering the Active Directory DNS records, four folders with the following names are present under the zone:

_msdcs

_sites

_tcp

_udp

If these folders do not exist, DNS is not registering the Active Directory DNS records. These records are critical to Active Directory functionality and must appear within the DNS zone. You should repair the Active Directory DNS record registration.
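The checks in the DNS IP Configuration and Active Directory DNS Registration sections above can be scripted. The following PowerShell script is an added example, not code from the original article: run on the domain controller (or the server about to be promoted), it verifies that the DNS client points to the server itself, that the zone answers SOA, NS and the host's own A record, and that the SRV records Netlogon publishes under _msdcs, _sites, _tcp and _udp resolve. It assumes the DnsClient cmdlets (Windows Server 2012 or later); the domain name corp.example.com and the site name Default-First-Site-Name are placeholders.

```powershell
# Added example, not from the original article. Run on the DC (or the server to be
# promoted). Requires the DnsClient module (Windows Server 2012 or later).
# $Domain and $Site are placeholders; pass your own values.
param(
    [string]$Domain = 'corp.example.com',
    [string]$Site   = 'Default-First-Site-Name'
)

$failures = New-Object System.Collections.Generic.List[string]

# 1. DNS IP configuration: this server's own address must be one of its DNS servers.
$myAddrs = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    ForEach-Object IPAddress)
$dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object ServerAddresses)
if (@($dnsServers | Where-Object { $myAddrs -contains $_ }).Count -eq 0) {
    $failures.Add("DNS client uses [$($dnsServers -join ', ')]; it must point to this server [$($myAddrs -join ', ')]")
}

# 2. The zone must answer SOA and NS, and this host's A record must be present.
foreach ($type in 'SOA', 'NS') {
    if (-not (Resolve-DnsName -Name $Domain -Type $type -DnsOnly -ErrorAction SilentlyContinue)) {
        $failures.Add("No $type record for $Domain")
    }
}
$fqdn = "$env:COMPUTERNAME.$Domain"
if (-not (Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue)) {
    $failures.Add("No A record for $fqdn; run 'ipconfig /flushdns' and then 'ipconfig /registerdns'")
}

# 3. Active Directory DNS registration: the SRV records Netlogon publishes under the
#    _msdcs, _sites, _tcp and _udp folders. Without them clients cannot locate a DC.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain",
    "_kerberos._udp.$Domain",
    "_kpasswd._udp.$Domain"
)
foreach ($name in $srvNames) {
    $rec = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue
    if (-not $rec) {
        $failures.Add("Missing SRV record $name; restart Netlogon (net stop/start netlogon) to re-register")
    }
    elseif (-not ($rec | Where-Object { $_.NameTarget -ieq $fqdn })) {
        # The record exists but names another DC only; this server's registration failed.
        Write-Host "Note: $name does not list $fqdn"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "DNS prerequisites for $Domain look healthy on $fqdn."
```

Save it as, for example, Test-DcDns.ps1 and run .\Test-DcDns.ps1 -Domain yourdomain.tld; a non-zero exit code means at least one item needs the repair steps described in this section.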

To repair the Active Directory DNS record registration

Check for the existence of a root zone entry. View the Forward Lookup Zones in the DNS Management console.

There should be an entry for the domain. Other zone entries may exist, but there should not be a dot (".") zone. The dot (".") zone identifies the DNS server as a root server; if it exists, delete it.

Typically, an Active Directory domain that needs external (Internet) access should not be configured as a root DNS server.


The server probably needs to re-register its DNS records (ipconfig /registerdns) after you delete the dot (".") zone. The Netlogon service may also need to be restarted.

Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support tools. At a command prompt, type

netdiag /fix

After you run the Netdiag utility, refresh the view in the DNS Management console. The Active Directory DNS records should then be listed.

Note: The server may need to re-register its DNS records (ipconfig /registerdns) after you run Netdiag. The Netlogon service may also need to be restarted.

If the Active Directory DNS records do not appear, you may need to manually re-create the DNS zone.

Manually re-create the DNS zone

1. Start the DNS Management console.

2. Right-click the name of the zone, and then click Delete.

3. Click OK to acknowledge any warnings. The Forward Lookup zones no longer list the deleted zone.

4. Right-click Forward Lookup Zones, and then click New Zone.

5. The New Zone Wizard starts. Click Next to continue.

6. Click the appropriate zone type (either Active Directory-integrated or Standard primary), and then click Next.

7. Type the name of the zone exactly as it appears in Network Identification, and then click Next.


8. Click the appropriate existing zone file, or create a new zone file. Click Next, and then click Finish to finish the New Zone Wizard.

9. The newly created zone appears in the DNS Management console.

10. Right-click the newly created zone, click Properties, and then change Allow Dynamic Updates to Yes.

11. At a command prompt, type

net stop netlogon

and then press ENTER. The Netlogon service is stopped.

12. Type

net start netlogon

and then press ENTER. The Netlogon service is restarted.

13. Refresh the view in the DNS Management console. The Active Directory DNS records should be listed under the zone.


If the Active Directory DNS records still do not exist, there may be a disjointed DNS namespace.

Dynamic Zone Updates

Microsoft recommends that the DNS lookup zone accept dynamic updates. You can configure this by right-clicking the name of the zone, and then clicking Properties. On the General tab, set Allow Updates to Yes or, for an Active Directory-integrated zone, to either Yes or Only secure updates. Prefer Only secure updates wherever it is available: with Yes, any host that can reach the server can add or overwrite records in the zone, including the records clients use to find a domain controller. If dynamic updates are not allowed, all host registration must be completed manually.
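As an added example that is not part of the original article, the following PowerShell audits the dynamic update setting of every primary zone on the local DNS server and, when run with -Fix, switches Active Directory-integrated zones that still accept nonsecure updates to secure only (and converts file-backed zones so they can). It assumes the DnsServer module (Windows Server 2012 or later) and that the server is a domain controller.

```powershell
# Added example, not from the original article. Requires the DnsServer module
# (Windows Server 2012 or later). Without -Fix the script only reports.
param([switch]$Fix)

$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated
}

foreach ($z in $zones) {
    switch ($z.DynamicUpdate) {
        'None' {
            # Every host record must be created by hand and Netlogon's SRV
            # registrations fail, which is the failure mode described above.
            Write-Warning "$($z.ZoneName): dynamic updates disabled; AD records will not register"
        }
        'NonsecureAndSecure' {
            if ($z.IsDsIntegrated) {
                # Anyone who can reach UDP/TCP 53 may add or overwrite records,
                # including the SRV records clients use to find a DC.
                Write-Warning "$($z.ZoneName): AD-integrated but accepts nonsecure updates"
                if ($Fix) {
                    Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
                    Write-Host "  -> $($z.ZoneName) set to Secure"
                }
            }
            else {
                # A file-backed standard primary zone cannot require secure updates;
                # it has to become AD-integrated first (the server must be a DC).
                Write-Warning "$($z.ZoneName): standard primary zone; only AD-integrated zones support Secure"
                if ($Fix) {
                    ConvertTo-DnsServerPrimaryZone -Name $z.ZoneName -ReplicationScope Domain -Force
                    Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
                    Write-Host "  -> $($z.ZoneName) converted to AD-integrated and set to Secure"
                }
            }
        }
        'Secure' {
            Write-Host "$($z.ZoneName): Secure (OK)"
        }
    }
}
```

Run it once without -Fix to see what would change; reverse lookup zones are included on purpose, because PTR records can be hijacked just like A records.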

DNS Forwarders

To ensure network functionality outside of the Active Directory domain (such as browser requests for Internet addresses), configure the DNS server to forward DNS requests to the appropriate Internet service provider (ISP) or corporate DNS servers.

See No Forwarding or Root Hints on Windows 2000 DNS server? for troubleshooting tips.

To configure forwarders on the DNS server:

1. Start the DNS Management console.

2. Right-click the name of the server, and then click Properties.

3. Click the Forwarders tab.

4. Click to select the Enable Forwarders check box.

Note: If the Enable Forwarders check box is unavailable, the DNS server is hosting a root zone (a zone named only with a period, or dot (".")). You must delete this zone before the DNS server can forward requests. A root zone entry is appropriate only in a configuration in which the DNS server does not rely on an ISP DNS server or a corporate DNS server.

5. Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from this DNS server. The list reads from the top down in order; if there is a preferred DNS server, place it at the top of the list.


6. Click OK to accept the changes.

Upgrade Installation Considerations

Earlier (Legacy) DNS Servers - DNS servers that run Windows NT 4.0 cannot dynamically register the Active Directory DNS records. The best solution in this case is to install DNS on the Active Directory domain controller to ensure that Active Directory DNS records will be registered for the domain.

Disjointed DNS Namespace - You must configure the correct DNS suffix information before you begin a Windows 2000 upgrade installation. You cannot change the server name and DNS domain information after Active Directory is installed.

To configure the DNS suffix information in Windows NT before you upgrade the computer to a Windows 2000-based Active Directory domain controller:

1. Right-click Network Neighborhood, and then click Properties.

2. Click the Protocols tab, click TCP/IP Protocol, and then click Properties.

3. Click the DNS tab.

4. In the Domain box, type the complete Active Directory domain name.

5. Click Apply, and then click OK.

6. Click OK to quit the Network tool.

7. Restart the computer.

To verify the settings, open a command window, and then type ipconfig /all. The Host Name line shows the fully qualified domain name.

If you must change the DNS domain information after you install Active Directory, you must run the Dcpromo utility on the computer to remove it from the domain and make it a stand-alone server.

To determine if a disjointed namespace exists on an existing Windows 2000-based domain controller:


1. Right-click My Computer, and then click Properties.

2. Click the Network Identification tab.

3. Compare the DNS suffix section of the full computer name to that of the domain name listing. The full computer name reads hostname.dns_suffix. These two entries should contain identical suffix information.

If these two entries do not contain identical suffix information, a disjointed DNS namespace exists. This condition prevents proper registration of any Active Directory DNS records.

Note: The only supported method to recover from a disjointed namespace is to use Dcpromo to remove the computer from the domain and make it a stand-alone server. You can then correct the DNS namespace information and run Dcpromo again to promote the computer back to a domain controller.

What Do You Need to Install Active Directory?

The process of installing an Active Directory domain is quite simple, but if you don't know your basics you might stumble across a few pitfalls. For additional information about any of the topics in this article, refer to the Windows 2000 online Help and the Microsoft Windows 2000 Server Deployment Planning Guide.

Chapter 9 of the deployment guide describes the design of the Active Directory structure, which is essential to a successful Windows 2000 Active Directory deployment.

By the way, you can download the whole guide right HERE (3.91 MB).

What do we need in order to successfully install Active Directory on a Windows 2000 or Windows Server 2003 server?

Here is a quick list of what you must have:

An NTFS partition with enough free space

An Administrator's username and password

The correct operating system version

A NIC

Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)

A network connection (to a hub or to another computer via a crossover cable)

An operational DNS server (which can be installed on the DC itself)

A Domain name that you want to use

The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

Brains (recommended, not required...)


After you have all the above go ahead and read How to Install Active Directory on Windows 2000 and How to Install Active Directory on Windows 2003.

An NTFS Partition

To successfully install AD you must have at least one NTFS-formatted partition, preferably the partition Windows is installed on. (This is NOT true when you have performance issues on your mind; you would then put the AD database on a different, fast physical disk, but that's another topic.) To convert a partition (C:) to NTFS, type the following command in the command prompt window:

convert c: /fs:ntfs

The NTFS partition is required for the SYSVOL folder.

Free space on your disk

You need at least 250 MB of free space on the partition you plan to install AD on. Of course you'll need more than that if you plan to create many users, groups and other AD objects.

Local Administrator's username and password

Only a local Administrator (or equivalent) can install the first domain and thus create the new forest.

If you plan to create another Domain Controller for an existing domain, you must have Domain Admins rights in the domain you're planning to join.

If you want to create a child domain under an existing domain, or another tree in an existing forest, you must have Enterprise Admins rights.

Windows 2000 Server (or Advanced Server or Datacenter Server), or Windows Server 2003 (or Enterprise Edition or Datacenter Edition)

Duh... you cannot install AD on a Professional computer.


IP Configuration

You need a static, dedicated IP address to install Active Directory. If the address can change (for example, it is assigned by DHCP), DNS registrations may not work and Active Directory functionality may be lost. If the computer is multi-homed, the network adapter that is not connected to the Internet can host the dedicated IP address.

The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.

To configure your IP configuration, use the following steps:

1. Right-click My Network Places, and then click Properties.

2. Right-click Local Area Connection, and then click Properties.

3. Click Internet Protocol (TCP/IP), and then click Properties.

4. Make sure you have a static and dedicated IP address. If you don't need Internet connectivity through this specific NIC you can use a private range such as 192.168.0.0/24 (subnet mask 255.255.255.0).

5. Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:

Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if you are not going to configure a dedicated DNS server.

If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.

Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.

Make sure that the Register this connection's addresses in DNS check box is selected.

Active Network Connection Required During Installation

The installation of Active Directory requires an active network connection. When you attempt to use Dcpromo.exe to promote a Windows 2000 Server-based computer to a domain controller, you may receive the following error message:

Active Directory Installation Failed

The operation failed with the following error

The network location cannot be reached. For further information about network troubleshooting, see Windows Help.

This problem can occur if the network cable is not plugged into a hub or other network device.

(Sample of a disconnected or un-plugged network cable)

(Screenshot of a connected NIC)


To resolve this problem, plug the network cable into a hub or other network device. If network connectivity is not available and this is the first domain controller in a new forest, you can finish Dcpromo.exe by installing Microsoft Loopback Adapter.

The Microsoft Loopback adapter is a tool for testing in a virtual network environment where access to a network is not feasible. Also, the Loopback adapter is essential if there are conflicts with a network adapter or a network adapter driver. Network clients, protocols, and so on, can be bound to the Loopback adapter, and the network adapter driver or network adapter can be installed at a later time while retaining the network configuration information. The Loopback adapter can also be installed during the unattended installation process. To manually install:

1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Hardware.

2. Click Add/Troubleshoot a device, and then click Next.

3. Click Add a new device, and then click Next.

4. Click No, I want to select the hardware from a list, and then click Next.

5. Click Network adapters, and then click Next.

6. In the Manufacturers box, click Microsoft.

7. In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.

8. Click Finish.

After the adapter is installed successfully, you can configure its options manually, as with any other adapter. Note that if the TCP/IP properties are left on DHCP (the default), the adapter will eventually fall back to an Automatic Private IP Addressing (APIPA) address in 169.254.0.0/16, because it is not connected to any physical media; assign it a static address instead.
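The requirements list above and the active-network-connection requirement just discussed can all be checked before you start Dcpromo. This PowerShell pre-flight script is an added example and not part of the original article; it assumes a current Windows Server (2012 or later, for the NetAdapter, NetTCPIP and Storage cmdlets), that it runs elevated, and that the AD database, logs and SYSVOL will stay on the system drive.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on the
# server you intend to promote (Windows Server 2012 or later for these cmdlets).
# Assumes the AD database, logs and SYSVOL will stay on the system drive.
$problems = New-Object System.Collections.Generic.List[string]

# Operating system: ProductType 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.ProductType -eq 1) {
    $problems.Add("$($os.Caption) is a client OS; a Server edition is required")
}

# Local administrator rights.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems.Add('Not running as a local Administrator')
}

# NTFS system volume (SYSVOL requirement) with at least 250 MB free.
$drive = $env:SystemDrive.TrimEnd(':')
$vol = Get-Volume -DriveLetter $drive
if ($vol.FileSystem -ne 'NTFS') {
    $problems.Add("$($env:SystemDrive) is $($vol.FileSystem); convert it with: convert $($env:SystemDrive) /fs:ntfs")
}
if ($vol.SizeRemaining -lt 250MB) {
    $problems.Add("Only $([math]::Round($vol.SizeRemaining / 1MB)) MB free on $($env:SystemDrive); 250 MB is the minimum")
}

# A connected NIC with a static IPv4 address; DHCP or APIPA is not acceptable.
$up = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
if ($up.Count -eq 0) {
    $problems.Add("No connected network adapter; Dcpromo fails with 'The network location cannot be reached'")
}
foreach ($nic in $up) {
    $ip = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike '169.254.*' } | Select-Object -First 1
    if (-not $ip) {
        $problems.Add("$($nic.Name): no IPv4 address (or only an APIPA 169.254.x.x address)")
    }
    elseif ($ip.PrefixOrigin -ne 'Manual') {
        $problems.Add("$($nic.Name): $($ip.IPAddress) is assigned by $($ip.PrefixOrigin), not static")
    }
}

# A DNS server must be reachable (it may be this machine; see DNS Configuration below).
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object ServerAddresses | Select-Object -First 1
if (-not $dns) {
    $problems.Add('No DNS server configured on any adapter')
}
elseif (-not (Test-NetConnection -ComputerName $dns -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
    $problems.Add("DNS server $dns does not answer on TCP port 53")
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'All requirements satisfied; you can run dcpromo.'
```

Each warning maps to one of the requirements in the list; fix them in order, because a missing NIC or a DHCP address also makes the DNS checks further down meaningless.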

"Always On" Internet Connection (recommended)

An "always on" connection (for example, a cable modem or digital subscriber line [DSL] line) is recommended (but not required) to enable clients to obtain Internet access. If you do not use an "always on" connection, you must configure a demand-dial interface using Network Address Translation (NAT) for clients to access the Internet.

This is really not a requirement for AD, but if you later want to install and configure Exchange 2000 or other Internet-aware applications or services you'll need an Internet connection.

DNS Configuration

A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. Read Create a New DNS Server for AD for more info.

You need to keep in mind the following DNS configuration issues when you install Active Directory on a home network: Root Zone entries and DNS Forwarders.


Root zone entries

External DNS queries to the Internet do not work if a root zone entry exists on the DNS server. To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the DNS Manager forward lookup zones. To check for the existence of the root zone entry, open the forward lookup zones in the DNS Management console. You should see the entry for the domain. If the "dot" zone exists, delete it. For additional information about the root zone entry, see Microsoft Knowledge Base article 260371.

You can also read my No Forwarding or Root Hints on DNS server? tip.

DNS forwarders (recommended)

If you plan to have full Internet connectivity then DNS forwarders are necessary to ensure that all DNS queries your server cannot answer itself are sent to your Internet service provider's DNS server, and that computers on your network will be able to resolve Internet addresses correctly. You can only configure DNS forwarders if no root zone entry is present.

To configure forwarders on the DNS server:

1. Start the DNS Management console.

2. Right-click the name of the server, and then click Properties.

3. On the Forwarders tab, click to select the Enable Forwarders check box.

4. Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from this DNS server. The list reads top-down in order, so place a preferred DNS server at the top of the list.

5. It is recommended that all the Root Hints (top-level DNS servers) are listed in the Root Hints tab.

6. If not, copy the Cache.dns file from the %systemroot%\system32\dns\samples folder to the %systemroot%\system32\dns folder and restart the DNS service.

7. Click OK to accept the changes.

You can also read Configure DNS Forwarding on Windows 2000.

For additional information about DNS issues, see Microsoft Knowledge Base article 237675.
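The root zone removal and forwarder configuration described here (and in the DNS Forwarders part of Troubleshooting Dcpromo Errors above) look like this in PowerShell. The script is an added example, not code from the original article; it assumes the DnsServer module (Windows Server 2012 or later) and that you do want Internet resolution, so it removes a root zone unconditionally. The forwarder addresses 192.0.2.53 and 192.0.2.54 and the test name www.example.com are placeholders.

```powershell
# Added example, not from the original article. Requires the DnsServer module
# (Windows Server 2012 or later). $Forwarders and $TestName are placeholders.
param(
    [string[]]$Forwarders = @('192.0.2.53', '192.0.2.54'),
    [string]$TestName = 'www.example.com'
)

# A '.' zone tells the server it is an Internet root: the Forwarders tab is greyed
# out and every query for a name outside your own zones fails. Remove it.
$root = Get-DnsServerZone | Where-Object { $_.ZoneName -eq '.' }
if ($root) {
    Write-Warning "Root zone ('.') found; deleting it so forwarding can be enabled"
    Remove-DnsServerZone -Name $root.ZoneName -Force
}

# Forwarders are tried top-down; the first address is the preferred server.
# UseRootHint lets the server fall back to the root servers if all forwarders fail.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# Root hints are loaded from %SystemRoot%\System32\dns\cache.dns; if the list is
# empty, copy the file from the samples folder and restart the DNS service.
if (-not (Get-DnsServerRootHint)) {
    Write-Warning "No root hints; copy $env:SystemRoot\System32\dns\samples\cache.dns to $env:SystemRoot\System32\dns and run Restart-Service DNS"
}

# Verify through this server only (not through whatever the client happens to use).
$answer = Resolve-DnsName -Name $TestName -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue
if ($answer) {
    Write-Host "External resolution works: $TestName -> $(($answer | Where-Object Type -eq 'A').IPAddress -join ', ')"
}
else {
    Write-Warning "$TestName still does not resolve; check the forwarder addresses and outbound UDP/TCP 53"
}
```

Querying 127.0.0.1 explicitly matters: a client-side Resolve-DnsName that succeeds through some other configured resolver would hide a broken forwarder on the DC.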

Client Connections

When you have a scenario in which clients on the LAN connect directly to the Internet and not through a NAT device, the clients should connect to the Active Directory domain controller using an internal network on a second network adapter. This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or ICS to isolate the clients on the local network. The clients should point to the domain's DNS server to ensure proper DNS connectivity. The DNS server's forwarder will then allow the clients to access DNS addresses on the Internet.

Do not use ICS (recommended)

Use NAT instead. ICS (Internet Connection Sharing) brings its own DHCP allocator and DNS proxy to the LAN side, which conflicts with the DHCP and DNS services a domain depends on, so it will break DHCP and DNS functionality on your LAN. Try to avoid ICS at all costs. If you must, make the Domain Controller itself the ICS server, and let all clients obtain their IP configuration automatically. This of course is not a good security decision, because you will expose your Domain Controller directly to Internet threats. Again, and I cannot stress this enough, avoid ICS on your corporate LAN and use NAT instead.

NetBIOS Over TCP/IP

A common security consideration with an active connection to the Internet is the restriction of NetBIOS connections on the network adapter that is directly connected to the Internet. If clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the external network adapter, and prevent any attempts of unauthorized NetBIOS access by outside sources.

To disable NetBIOS on the NIC that is connected to the Internet, use the following steps:

1. Right-click My Network Places, and then click Properties.

2. Right-click the icon of the NIC that is connected to the Internet, and then click Properties.

3. Clear the File and Print Sharing for Microsoft Networks check box.

4. Click Internet Protocol (TCP/IP), and then click Properties.

5. Click Advanced, and then click the WINS tab.

6. Select the Disable NetBIOS over TCP/IP option.

7. Click OK all the way out.
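The same hardening from PowerShell, as an added example that is not part of the original article. It assumes the NetAdapter module (Windows Server 2012 or later) and that the Internet-facing adapter is named 'External'. It also unbinds the Client for Microsoft Networks, which the steps above do not mention but which has no business on an Internet-facing interface.

```powershell
# Added example, not from the original article. Requires the NetAdapter module
# (Windows Server 2012 or later). 'External' is an assumed adapter name.
param([string]$ExternalNic = 'External')

$nic = Get-NetAdapter -Name $ExternalNic -ErrorAction Stop

# Step 3 above: unbind File and Print Sharing (ms_server) from the external NIC so
# the server offers no SMB/NetBIOS shares on that interface. The Client for
# Microsoft Networks (ms_msclient) is unbound as well; it is not needed there.
Disable-NetAdapterBinding -Name $nic.Name -ComponentID ms_server
Disable-NetAdapterBinding -Name $nic.Name -ComponentID ms_msclient

# WINS tab, 'Disable NetBIOS over TCP/IP': a per-adapter setting, 2 = disabled
# (1 = enabled, 0 = take the setting supplied by DHCP).
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $($nic.ifIndex)"
$result = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
if ($result.ReturnValue -notin 0, 1) {   # 0 = done, 1 = done but a reboot is required
    throw "SetTcpipNetbios failed with return code $($result.ReturnValue)"
}

# Verify: the registry must read NetbiosOptions = 2 for this interface and both
# bindings must show Enabled = False. The NetBIOS listeners (UDP 137/138, TCP 139)
# then no longer bind to this adapter's address.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$($nic.InterfaceGuid)"
(Get-ItemProperty -Path $key -Name NetbiosOptions).NetbiosOptions
Get-NetAdapterBinding -Name $nic.Name |
    Where-Object { $_.ComponentID -in 'ms_server', 'ms_msclient' } |
    Format-Table DisplayName, ComponentID, Enabled
```

Leave NetBIOS enabled on the internal adapter: down-level clients and the browser service on the LAN still rely on it.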

Do not use Single-Label domain names

As a general rule, Microsoft recommends that you register DNS domain names for internal and external namespaces with Internet authorities. This includes the DNS names of Active Directory domains, unless such names are sub-domains of names that are registered by your organization name, for example, "corp.example.com" is a sub-domain of "example.com". When you register DNS names with Internet authorities, it prevents possible name collisions should registration for the same DNS domain be requested by another organization, or if your organization merges, acquires or is acquired by another organization that uses the same DNS names.

DNS names that don't include a period ("dot", ".") are said to be single-label (for example, com, net, org, bank, companyname) and cannot be registered on the Internet with most Internet authorities.


How do I install Active Directory on my Windows Server 2003 server?


First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a computer that's not connected to a LAN).

Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW TREE, in a NEW FOREST. Meaning - don't do it for any other scenario, such as a new replica DC in an existing domain. In order to install a Windows Server 2003 DC in an EXISTING Windows 2000 Domain follow the Windows 2003 ADPrep tip.

Windows 2000 Note: If you plan to install a new Windows 2000 DC please read How to Install Active Directory on Windows 2000.

Windows 2008 Note: Install Active Directory on Windows Server 2008 provides complete instruction details for working with Windows Server 2008.

Windows Server 2003 Note: If you plan to install a new Windows Server 2003 DC in an existing AD forest please read the  page BEFORE you go on, otherwise you'll end up with the following error:

Here is a quick list of what you must have:

An NTFS partition with enough free space

An Administrator's username and password

The correct operating system version

A NIC

Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)

A network connection (to a hub or to another computer via a crossover cable)

An operational DNS server (which can be installed on the DC itself)

A Domain name that you want to use

The Windows Server 2003 CD media (or at least the i386 folder)

Brains (recommended, not required...)


This article assumes that all of the above requirements are fulfilled.

Step 1: Configure the computer's suffix

(Not mandatory, can be done via the Dcpromo process).

1. Right-click My Computer and choose Properties.

2. Click the Computer Name tab, then Change.

3. Set the computer's NetBIOS name. In Windows Server 2003, this CAN be changed after the computer has been promoted to Domain Controller.

4. Click More.

5. In the Primary DNS suffix of this computer box enter the would-be domain name. Make sure you got it right. No spelling mistakes, no "oh, I thought I did it right...". Although the domain name CAN be changed after the computer has been promoted to Domain Controller, this is not a procedure that one should consider lightly, especially because of the possible consequences. Read more about it on my Windows 2003 Domain Rename Tool page.

6. Click Ok.

7. You'll get a warning window.

8. Click Ok.

9. Check your settings. See if they're correct.

10. Click Ok.

11. You'll get a warning window.

12. Click Ok to restart.


Step 2: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use its own IP address as the address of the DNS server, so it will point to itself when registering SRV records and when querying the DNS database.

Configure TCP/IP

1. Click Start, point to Settings and then click Control Panel.

2. Double-click Network and Dial-up Connections.

3. Right-click Local Area Connection, and then click Properties.

4. Click Internet Protocol (TCP/IP), and then click Properties.

5. Assign this server a static IP address, subnet mask, and gateway address. Enter the server's IP address in the Preferred DNS server box. Note: This is true if the server itself will also be its own DNS server. If you have another operational Windows 2000/2003 server that is properly configured as your DNS server (read my Create a New DNS Server for AD page), enter that server's IP address instead.

6. Click Advanced.

7. Click the DNS tab.

8. Select "Append primary and connection specific DNS suffixes".

9. Check "Append parent suffixes of the primary DNS suffix".

10. Check "Register this connection's addresses in DNS". If this Windows 2000/2003-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.

11. Click OK to close the Advanced TCP/IP Settings properties.

12. Click OK to accept the changes to your TCP/IP configuration.

13. Click OK to close the Local Area Connection properties.
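Steps 1 and 2 can be done together from PowerShell on a current Windows Server. The script below is an added example, not code from the original article; the adapter name 'Ethernet', the domain corp.example.com and the addresses in 192.168.0.0/24 are placeholders. Writing the primary DNS suffix to the registry is exactly what the Computer Name > Change > More dialog does, and like the dialog it takes effect only after a restart.

```powershell
# Added example, not from the original article. Run elevated on the server to be
# promoted (Windows Server 2012 or later). All parameter values are placeholders.
param(
    [string]$Nic     = 'Ethernet',
    [string]$Domain  = 'corp.example.com',
    [string]$Ip      = '192.168.0.200',
    [int]   $Prefix  = 24,
    [string]$Gateway = '192.168.0.1'
)

# Step 1: primary DNS suffix. This is what Computer Name > Change > More writes;
# 'NV Domain' is the pending value, copied to 'Domain' at the next restart.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $Domain
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $Domain

# Step 2: static address. Drop any DHCP lease and existing default route first.
Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null

# Preferred DNS server = this machine, and nothing else: an intranet DC resolves
# Internet names through a forwarder on its own DNS service, not through a second
# client entry (which would let some lookups bypass the AD zone).
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Ip

# DNS tab: connection-specific suffix, register this connection's addresses, and
# append parent suffixes of the primary suffix (devolution).
Set-DnsClient -InterfaceAlias $Nic -ConnectionSpecificSuffix $Domain `
    -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true
Set-DnsClientGlobalSetting -UseDevolution $true

# Show what 'ipconfig /all' will report after the restart.
Get-DnsClient -InterfaceAlias $Nic | Format-List InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress
Get-DnsClientServerAddress -InterfaceAlias $Nic -AddressFamily IPv4 | Format-List ServerAddresses
Write-Host "Restart the server so the primary DNS suffix '$Domain' takes effect, then run 'ipconfig /registerdns'."
```

If another server is going to be the DNS server, pass its address to Set-DnsClientServerAddress instead of $Ip, as Step 5 describes.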

Step 3: Configure the DNS Zone

(Not mandatory, can be done via the Dcpromo process).

This article assumes that you already have the DNS service installed. If this is not the case, please read Create a New DNS Server for AD.

Furthermore, it is assumed that the DC will also be its own DNS server. If that is not the case, you MUST configure another Windows 2000/2003 server as the DNS server; if you try to run DCPROMO without doing so, you'll end up with errors and the process will fail.


Creating a Standard Primary Forward Lookup Zone

1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS. Under your server name you see two containers: Forward Lookup Zones and Reverse Lookup Zones.

2. Right-click Forward Lookup Zones and choose New Zone.

3. Click Next. The new forward lookup zone must be a primary zone so that it can accept dynamic updates. Click Primary zone, and then click Next.

4. The name of the zone must be the same as the name of the Active Directory domain, or be a logical DNS container for that name. For example, if the Active Directory domain is named "lab.dpetri.net", legal zone names are "lab.dpetri.net", "dpetri.net", or "net". Type the name of the zone, and then click Next.

5. Accept the default name for the new zone file. Click Next.

6. To be able to accept dynamic updates to this new zone, click "Allow both nonsecure and secure dynamic updates". Click Next. A standard primary zone cannot be limited to secure updates; once the server is a DC you can convert the zone to Active Directory-integrated and switch it to Only secure updates, so that only domain members can change their own records.

7. Click Finish.

You should now make sure your computer can register itself in the new zone. Go to the Command Prompt (CMD) and run "ipconfig /registerdns" (no quotes, duh...). Go back to the DNS console, open the new zone and refresh it (F5). Notice that the computer should by now be listed as an A Record in the right pane.

If it's not there try to reboot (although if it's not there a reboot won't do much good). Check the spelling on your zone and compare it to the suffix you created in step 1. Check your IP settings.

Enable DNS Forwarding for Internet connections (Not mandatory)

1. Start the DNS Management Console.

2. Right-click the DNS Server object for your server in the left pane of the console, and click Properties.

3. Click the Forwarders tab.

4. In the IP address box enter the IP address of the DNS servers you want to forward queries to - typically the DNS server of your ISP. You can also move them up or down. The one that is highest in the list gets the first try, and if it does not respond within a given time limit the query will be forwarded to the next server in the list.

5. Click OK.

Creating a Standard Primary Reverse Lookup Zone

You can (but you don't have to) also create a reverse lookup zone on your DNS server. The zone's name will be the same as your TCP/IP Network ID. For example, if your IP address is 192.168.0.200, then the zone's name will be 192.168.0 (DNS will append a long name to it, don't worry about it). You should also configure the new zone to accept dynamic updates. I guess you can do it on your own by now, can't you?
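The console clicks in Steps 2 and 3 (primary forward zone, dynamic updates, forwarders, reverse zone) can also be scripted, which makes it easy to rebuild a lab server identically and to verify the result. The following PowerShell script is an added example, not part of the original tutorial; it assumes dnscmd.exe is present (it is installed with the DNS server role), and the zone name, network ID and forwarder address are placeholders you replace with your own values.

```powershell
# Added example (not from the original tutorial): scripted equivalent of Steps 2-3.
# Creates the standard primary forward zone, enables nonsecure+secure dynamic
# updates, sets forwarders, creates the reverse zone, then checks that this host
# registers its A record. All names/addresses below are placeholders.
param(
    [string]$Zone         = "lab.dpetri.net",    # must equal the planned AD domain name
    [string]$NetworkId    = "192.168.0",         # TCP/IP network ID for the reverse zone
    [string[]]$Forwarders = @("203.0.113.53"),   # upstream/ISP resolver (placeholder, TEST-NET-3)
    [string]$DnsServer    = "."                  # "." = the local DNS server
)

$ErrorActionPreference = "Stop"

function Invoke-DnsCmd {
    # Run dnscmd against $DnsServer and stop on the first failure.
    param([string[]]$Arguments)
    $out = & dnscmd.exe $DnsServer @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed:`n$out" }
    return $out
}

# Steps 2-3: standard primary forward lookup zone with the default file name "<zone>.dns".
Invoke-DnsCmd @("/ZoneAdd", $Zone, "/Primary", "/file", "$Zone.dns") | Out-Null

# /AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only (AD-integrated zones).
# The tutorial's "Allow both nonsecure and secure dynamic updates" is value 1.
Invoke-DnsCmd @("/Config", $Zone, "/AllowUpdate", "1") | Out-Null

# Optional: forwarders are tried in list order, each with a 5 second timeout.
if ($Forwarders.Count -gt 0) {
    Invoke-DnsCmd (@("/ResetForwarders") + $Forwarders + @("/TimeOut", "5")) | Out-Null
}

# Optional: reverse lookup zone named after the network ID, e.g. 0.168.192.in-addr.arpa.
$octets = $NetworkId.Split(".")
[array]::Reverse($octets)
$reverseZone = ($octets -join ".") + ".in-addr.arpa"
Invoke-DnsCmd @("/ZoneAdd", $reverseZone, "/Primary", "/file", "$reverseZone.dns") | Out-Null
Invoke-DnsCmd @("/Config", $reverseZone, "/AllowUpdate", "1") | Out-Null

# Verification, the "ipconfig /registerdns" check from the text: re-register, then ask
# the local server for this host's A record in the new zone.
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 5
$fqdn   = "$env:COMPUTERNAME.$Zone"
$answer = (nslookup -type=A $fqdn 127.0.0.1 2>&1) -join "`n"
if ($answer -match "Name:\s+$([regex]::Escape($fqdn))") {
    Write-Host "OK: $fqdn is registered in zone $Zone"
} else {
    Write-Warning "No A record for $fqdn. Check the primary DNS suffix (Step 1) and the DNS server IP (Step 2)."
}
```

Run it in an elevated PowerShell on the future domain controller. If the final check warns, the cause is almost always the one the text names: the zone name and the computer's DNS suffix do not match, or the NIC does not point at the server's own address.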

Step 4: Running DCPROMO

After completing all the previous steps (remember you didn't have to do them) and after double checking your requirements you should now run Dcpromo.exe from the Run command.

Click Start, point to Run, and type "dcpromo". The wizard window will appear. Click Next.

1. In the Operating System Compatibility window read the requirements for the domain's clients and if you like what you see - press Next.

2. Choose Domain Controller for a new domain and click Next.

3. Choose Create a new Domain in a new forest and click Next.

4. Enter the full DNS name of the new domain, for example - kuku.co.il - this must be the same as the DNS zone you've created in step 3, and the same as the computer name suffix you've created in step 1. Click Next. This step might take some time because the computer is searching for the DNS server and checking to see if any naming conflicts exist.

5. Accept the down-level NetBIOS domain name, in this case it's KUKU. Click Next.

6. Accept the Database and Log file location dialog box (unless you want to change them of course). The location of the files is by default %systemroot%\NTDS, and you should not change it unless you have performance issues in mind. Click Next.

7. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll create, and will be replicated to all other Domain Controllers. Click Next.

8. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the following warning:

This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.

You have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings for the DNS server IP address. To let Dcpromo do the work for you, select "Install and configure the DNS server...". Click Next.


Otherwise, you can accept the default choice and then quit Dcpromo and check steps 1-3.

9. If your DNS settings were right, you'll get a confirmation window. Just click Next.

10. Accept the Permissions compatible only with Windows 2000 or Windows Server 2003 settings, unless you have legacy apps running on Pre-W2K servers.

11. Enter the Restore Mode administrator's password. In Windows Server 2003 this password can be later changed via NTDSUTIL. Click Next.

12. Review your settings and if you like what you see - Click Next.

13. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click Cancel!!! You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the wizard finish and then run it again to undo the AD.

14. If all went well you'll see the final confirmation window. Click Finish.

15. You must reboot in order for the AD to function properly.

16. Click Restart now.
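The wizard choices above can also be recorded in an answer file and fed to Dcpromo, which gives a repeatable promotion and removes the temptation to click Cancel halfway through. The script below is an added example and not part of the original tutorial. It assumes the Windows Server 2003-era [DCInstall] key names as recalled here (check them against the dcpromo documentation on your server before relying on them); the domain name, NetBIOS name and restore-mode password are placeholders. Because the file holds the restore-mode password in clear text, the script deletes it as soon as Dcpromo returns and only then reboots (Step 15).

```powershell
# Added example (not from the original tutorial): the Step 4 wizard choices as an
# unattended answer file, run with "dcpromo /answer:<file>".
# Assumption: [DCInstall] key names as recalled for Windows Server 2003; verify them
# against your server's dcpromo documentation. Values below are placeholders.
param(
    [string]$DomainDnsName    = "kuku.co.il",  # same as the zone (Step 3) and the suffix (Step 1)
    [string]$DomainNetBios    = "KUKU",        # down-level name the wizard offers in step 5
    [string]$SafeModePassword = "REPLACE-ME"   # Directory Services Restore Mode password
)

$answerFile = Join-Path $env:TEMP "dcpromo-answer.txt"

# One line per wizard page: new forest (steps 2-3), DNS and NetBIOS names (4-5),
# file locations (6-7), "Install and configure the DNS server..." (8),
# Windows 2000/2003-only permissions, i.e. no anonymous access (10),
# restore-mode password (11). RebootOnSuccess=No so we can remove the file first.
$content = @"
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=$DomainDnsName
DomainNetBiosName=$DomainNetBios
DatabasePath=$env:SystemRoot\NTDS
LogPath=$env:SystemRoot\NTDS
SYSVOLPath=$env:SystemRoot\SYSVOL
AutoConfigDNS=Yes
AllowAnonymousAccess=No
SafeModeAdminPassword=$SafeModePassword
RebootOnSuccess=No
"@

Set-Content -Path $answerFile -Value $content -Encoding ASCII

try {
    # dcpromo.exe is a GUI program, so wait on the process object rather than on "&".
    $proc = [System.Diagnostics.Process]::Start("dcpromo.exe", "/answer:`"$answerFile`"")
    $proc.WaitForExit()
    Write-Host "dcpromo exited with code $($proc.ExitCode)"
} finally {
    # Never leave the restore-mode password lying on disk, whatever happened.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}

# Step 15/16: the AD does not work until the server has rebooted.
if ($proc.ExitCode -eq 0) { Restart-Computer -Force }
```

Keep the answer file out of version control and scripts you share; the single secret it contains (the DSRM password) is exactly what an attacker with local disk access would want.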

Step 5: Checking the AD installation

You should now check to see if the AD installation went well.

1. First, see that the Administrative Tools folder has all the AD management tools installed.

2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and Containers are there.

3. Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed.

4. If they don't (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it took you to log on. The "Preparing Network Connections" window will sit on the screen for many moments, and even when you do log on many AD operations will give you errors when trying to perform them).

= Bad

This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you. Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the DNS server (see steps 1 through 3).

Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist.

= Good


To try and fix the problems first see if the zone is configured to accept dynamic updates.

5. Right-click the zone you created, and then click Properties.

6. On the General tab, under Dynamic Update, click to select "Nonsecure and secure" from the drop-down list, and then click OK to accept the change.

You should now restart the NETLOGON service to force the SRV registration. You can do it from the Services console in Administrative Tools, or from the command prompt: type "net stop netlogon", and after it finishes, type "net start netlogon".

Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV record folders.

If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be exactly the same as the AD Domain name. Also check the computer's suffix (see step 1). You won't be able to change the computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off by removing the AD now, before you have any users, groups and other objects in place, and then after repairing the mistake - re-running DCPROMO.

7. Check the NTDS folder for the presence of the required files.

8. Check the SYSVOL folder for the presence of the required subfolders.

9. Check to see if you have the SYSVOL and NETLOGON shares, and their location.

If all of the above is ok, I think it's safe to say that your AD is properly installed.
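The Step 5 checks (the 4 SRV record folders, the NTDS files, the SYSVOL subfolders and the NETLOGON/SYSVOL shares), together with the NETLOGON restart the text prescribes when the SRV records are missing, fit in one script that you can re-run after every fix. It is an added example, not part of the original tutorial; it assumes nslookup and net are on the path, that the zone lives on the local DNS server, and that $Domain is replaced with your own domain name. The file and folder names it checks are the standard ones (ntds.dit and edb.log under NTDS; domain, sysvol and staging under SYSVOL).

```powershell
# Added example (not from the original tutorial): scripted Step 5 verification.
# Checks the SRV records a DC must publish, restarts NETLOGON once if any are
# missing (the fix the text gives), then checks NTDS, SYSVOL and the two shares.
# $Domain is a placeholder; the script assumes the zone is on the local DNS server.
param([string]$Domain = "kuku.co.il")

function Test-SrvRecord {
    # $true if nslookup returns an SRV answer for $Name from the local DNS server.
    param([string]$Name)
    $out = (nslookup -type=SRV $Name 127.0.0.1 2>&1) -join "`n"
    return [bool]($out -match "svr hostname")
}

# One record from each area a DC registers: the _msdcs folder (DC locator), and
# the LDAP, Kerberos and global catalog entries under _tcp. If these resolve, the
# _sites and _udp folders are normally populated as well.
$required = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)

$missing = @($required | Where-Object { -not (Test-SrvRecord $_) })
if ($missing.Count -gt 0) {
    Write-Warning "Missing SRV records: $($missing -join ', '). Restarting NETLOGON to force registration."
    net stop netlogon  | Out-Null
    net start netlogon | Out-Null
    Start-Sleep -Seconds 10
    $missing = @($required | Where-Object { -not (Test-SrvRecord $_) })
}
if ($missing.Count -gt 0) {
    Write-Warning "Still missing: $($missing -join ', '). Check the zone spelling, dynamic updates (step 6) and the computer suffix (Step 1)."
} else {
    Write-Host "OK: required SRV records present for $Domain"
}

# Steps 7-9: NTDS files, SYSVOL subfolders, NETLOGON and SYSVOL shares.
$ntds   = Join-Path $env:SystemRoot "NTDS"
$sysvol = Join-Path $env:SystemRoot "SYSVOL"
$checks = @{
    "NTDS database (ntds.dit)"       = Test-Path (Join-Path $ntds "ntds.dit")
    "NTDS transaction log (edb.log)" = Test-Path (Join-Path $ntds "edb.log")
    "SYSVOL\domain folder"           = Test-Path (Join-Path $sysvol "domain")
    "SYSVOL\sysvol folder"           = Test-Path (Join-Path $sysvol "sysvol")
    "SYSVOL\staging folder"          = Test-Path (Join-Path $sysvol "staging")
}
$shares = (net share 2>&1) -join "`n"
$checks["NETLOGON share"] = [bool]($shares -match "(?m)^NETLOGON\s")
$checks["SYSVOL share"]   = [bool]($shares -match "(?m)^SYSVOL\s")

foreach ($name in ($checks.Keys | Sort-Object)) {
    $status = if ($checks[$name]) { "OK" } else { "MISSING" }
    Write-Host ("{0,-8} {1}" -f $status, $name)
}
```

A missing share or NTDS file after a successful-looking wizard run usually means the promotion did not finish or the reboot in Step 15 was skipped; a missing SRV record with everything else present points back at the DNS zone, as the text says.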
