Summary: How to install a Windows Server 2003 server as a domain controller.
Date: Around 2005
Refactor: 20 February 2025: Checked links and formatting.

This is an installation report of a basic installation of Microsoft's Active Directory through the tool dcpromo. The settings are based on a small AD domain design and should be set to your own settings when installing in a production environment.

This page is created for a 2003 AD, if you need an explanation for 2008, look here.

To start the installation go to start → run and type dcpromo. After pressing <enter> you'll get the installation wizard:

Click Next.

Click Next.

We're creating a new Active Directory domain, so keep the default and click Next.

The new domain is also created in a new tree, so keep the default and click Next.

Enter the full DNS name for your domain. I've found it a good practice to set this the same as your internal DNS domain suffix. Click Next when you're done.

Keep the suggested NetBIOS name and click Next.

Keep the defaults, both the database and the log folder won't grow out of proportion, so just click Next.

For our environment the SYSVOL folder can be kept to the default so click Next.

Select to have the wizard install and configure DNS for you. This will create all the needed SRV records for AD, which is something you really don't want to do manually. Click Next.

We don't have any pre-Windows 2000 servers lying around, so keep the default and click Next.

I use my default password 'beheer', but please document the password you use. Without this password it's not possible to start Active Directory in restore mode. Click Next.

Check your settings and click Next.

The installation and configuration starts. Please wait…

Click Finish to close the wizard and REBOOT THE MACHINE. No seriously, please do.

After the installation and after the reboot of the server it's not so wise to rush into any other installation (like Exchange). Unfortunately, Microsoft does not have the best reputation on software installations and that's not without a reason. We're going to verify if our installation went well.

Start → Run → dsa.msc (starts AD Users and Computers)

Check to see if the DC is listed under the 'Domain Controllers' OU.

Start → Run → dssite.msc (starts AD Sites and Services)

Check to see if you have a 'NTDS Settings' under your DC.

Start → Run → dnsmgmt.msc (starts the DNS Management MMC snapin)

Check the DNS configuration and zones.

By default, dcpromo creates a forward lookup zone, but no reverse lookup zone. I recommend to create one right away, this will make some tools behave nice, and prevents you from creating all kind of records manually when you have to add one later on. Right click the reverse lookup zones and select 'Add new zone'. This will give you this wizard so you can select your options:

Select primary zone and click Next.

Keep the default and click Next.

Enter the network id, and click Next.

Keep the default and click Next.

So, now you have a reverse lookup zone as well.

Check these folders to see if the content is correct:

• C:\WINDOWS\NTDS

• The AD database should be created (NTDS.DIT, keeps information stored about user accounts, groups, etc.)

• The edb.chk file is a checkpoint file that points to the last committed checkpoint in the log file. The edb.log file is the name of the current log file and is for the ntds.dit transactions.

• res1.log and res2.log are reserve log files in case the drive runs out of disk space. These files are always 10 MB in size. (In AD 2008 these files are now named edbres00001.jrs and edbres00002.jrs).

• C:\WINDOWS\SYSVOL

• In the SYSVOL\domain\Policies should be two directories containing the 'Default Domain Policy' and the 'Default Domain Controllers Policy'. You won't recognize them as such since they have unique names, for example '6AC1786C-016F-11D2-945F-00C04fB984F9'.