By InterServer Staff on October 23rd, 2015
Installing Active Directory on Windows Server 2008 R2
Active Directory, introduced with Windows 2000 Server, is a directory service which stores information about the network components, authenticates network users, and enforces security policies. It works by tracking “objects,” which can be users, services, resources, or systems, and then resolving their names to the actual objects. The advantages of Active Directory are better security management, easier administration, easier assignment of permissions to objects, and the use of a single source that can find any object on the network.
Active Directory has several different components (you can learn more about the Active Directory architecture by going to this page), and the Active Directory service is closely integrated with the Domain Name System (DNS). The directory service in Windows Server 2008 and later is called Active Directory Domain Services (AD DS).
Installing Active Directory Domain Services (ADDS) in Windows 2008 R2
Start the Server Manager console (type servermanager.msc in the search box and press Enter or click Start -> Administrative tools -> Server Manager). Select Roles from the left pane and then click Add roles:
Select Active Directory
If you see the following prompt, click Add required features
Click Next, Next again, and then the Install button
Wait for the installation to finish and click the Close button
Reboot the server. Once Active Directory Domain Service is successfully installed, you should see it under Roles in the Server Manager console. Note the message under Active Directory Domain Services “This server is not yet running as a domain controller” and click the link that follows the message in order to start the installation wizard (dcpromo.exe).
Once the Installation Wizard starts, click Next
Click on Next again
When installing a new domain controller, select Create a new domain in a new forest and click Next
Type in the fully qualified domain name (FQDN) and click Next
Under Forest functional level select Windows Server 2008 R2 or Windows Server 2008 (you can learn more about the available features by following this link).
Click Next, then Next again. If you have already installed the DNS Server service, the DNS server option will be grayed out; if not, select it and click Next. If you see a popup message asking you to manually create a delegation to the DNS server, click Yes
Next, choose the Database, Log files, and SYSVOL folders.
Choose a strong Directory Services Restore Mode password, confirm it, and click Next, then Next again.
Wait for the installation to complete and click the Finish button.
- Published: June 2, 2012 2:01 PM Updated: October 23, 2016 2:42 PM
- Author Bipin
An Active Directory Domain Controller is a critical part of a Microsoft server infrastructure. Active Directory is a directory which stores all the information about the resources of a domain in a database. The Active Directory database is NTDS.dit and is stored on the server with the Active Directory Domain Services server role installed. Resources can be objects like users, computers, groups, printers and so on. Active Directory allows you to manage users, computers, and resources from a central location. Before you install an Active Directory Domain Controller in your network, it is better to know about the logical structure of Active Directory in Server 2008. This article shows the steps to install an Active Directory Domain Controller in Windows Server 2008 R2.
Install Active Directory Domain Controller in Windows Server 2008 R2
The diagram below shows an example network with a domain controller. MBG-DC01 will be the Active Directory Domain Controller once the role is installed. PC1 and PC2 will be joined to the domain.
After installing Windows Server 2008, the very first thing you should do is rename the server and assign a static IP address. Open Server Manager.
Select Roles and click the Add Roles button as shown above. Click Next on the Before You Begin page.
On the Select Server Roles page, check the Active Directory Domain Services role in the list. This role requires .NET Framework 3.5.1, so click Add Required Features. Click Next. The Introduction to Active Directory page is displayed. Read the introduction and click Next.
Click Install. The installation will now begin.
After installation is complete, click the dcpromo link.
The AD DS Installation Wizard will open. Check the Use advanced mode installation option. Click Next.
Read the OS compatibility page. Older operating systems like Windows NT that do not support the new, stronger cryptography algorithms may not be able to connect to Windows Server 2008 or 2008 R2. Click Next.
Choose the option Create a new domain in a new forest. Click Next.
Type the root domain name. Here the root domain name is mustbegeek.com. Click Next.
NetBIOS name is automatically selected as shown above. Click Next.
Choose the forest functional level. Since this server is the forest root domain controller, I will choose Windows Server 2008 R2 as the forest functional level. Click Next.
Dcpromo tries to find a DNS server; if it doesn’t find one, it will prompt you to set up a DNS server. It is a good idea to make the domain controller a DNS server too. DNS is required for many components of Windows Server to work properly, so check DNS server. This will create an AD-integrated DNS zone. Click Next.
You now have the option to specify the installation location for the Database, Log and SYSVOL folders. The Database folder is where the NTDS.DIT database file will be stored. The Log folder is where the logs of the database are stored. SYSVOL is the folder whose contents are replicated to all domain controllers. I will leave the default installation location and click Next.
Type the Directory Services Restore Mode administrator password and click Next. This password comes in handy when restoring Active Directory should the server fail for some reason.
Review the summary page and click Next.
The installation will now start.
Click Finish to complete the installation. The server will now reboot to complete the installation. After the server reboots, you can open Active Directory Users and Computers to verify the installation of the domain controller. You can now create user accounts and join hosts to the domain. You can manage Active Directory using various tools like Active Directory Users and Computers, Active Directory Sites and Services and Active Directory Domains and Trusts.
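The verification step above is done by opening the snap-ins. As an added example (not from the original article), the same checks from PowerShell on the new Windows Server 2008 R2 domain controller, using the ActiveDirectory and ServerManager modules that the AD DS role installs. It reports the installed roles, the core DC services, the forest and domain functional levels with the FSMO role holders, whether this server is a global catalog, whether the DC locator SRV record has been registered in the AD-integrated zone, and whatever dcdiag finds wrong. Service and feature names are the standard ones; nothing here is specific to the example domain.

```powershell
# Added example, not part of the original article: post-promotion checks for a
# Windows Server 2008 R2 domain controller. Run from an elevated PowerShell
# prompt on the new DC after its reboot.
Import-Module ServerManager
Import-Module ActiveDirectory

function Test-NewDomainController {
    $r = @{}

    # 1. Role binaries: AD DS and DNS should both show Installed = True.
    $r.Roles = Get-WindowsFeature AD-Domain-Services, DNS | Select-Object Name, Installed

    # 2. Services a DC cannot work without. NTDS is the directory itself,
    #    kdc is Kerberos, ADWS is what the AD PowerShell module talks to.
    $r.Services = Get-Service NTDS, kdc, Netlogon, DNS, ADWS, DFSR -ErrorAction SilentlyContinue |
        Select-Object Name, Status

    # 3. Functional levels and FSMO role holders (all on this DC in a new forest).
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $r.Forest = $forest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster
    $r.Domain = $domain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster

    # 4. This server must be registered as a DC and as a global catalog.
    $r.ThisDC = Get-ADDomainController -Identity $env:COMPUTERNAME |
        Select-Object HostName, IsGlobalCatalog, IsReadOnly, Site, IPv4Address

    # 5. The DC locator SRV record in the AD-integrated zone. If this lookup
    #    fails, clients cannot find the DC even though the directory is up.
    $r.DcLocatorSrv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" 2>&1 | Out-String

    # 6. dcdiag /q prints only the tests that fail; empty output is good news.
    $r.DcdiagFailures = dcdiag /q 2>&1 | Out-String

    New-Object PSObject -Property $r
}

$report = Test-NewDomainController
$report.Roles    | Format-Table -AutoSize
$report.Services | Format-Table -AutoSize
$report.ThisDC   | Format-List
$report.DcLocatorSrv
$report.DcdiagFailures
```

Anything other than Running in the Services table, a missing SRV answer, or non-empty dcdiag output is a reason to look into `%windir%\debug\dcpromo.log` before creating users or joining hosts.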
I want to install the administration tools on a Windows Server 2008 (R1) machine. On Windows 2003 you installed adminpak.msi, but I can’t find such a file for 2008.
Is this a “feature” in Server Manager? If so what is it named?
—UPDATE— So I drilled into the server Features list and I have “Remote Server Administration Tools” but it only includes File Services, Print Services and Web Server.
This is a member server in a domain but not a domain controller. It is Windows 2008 (original) not R2. Still, why can’t it run AD users and computers from this machine?
From Server Manager (available under Administrative Tools), go to “Features”, then “Add Features”.
Windows Server 2008 Standard Instructions:
- Remote Server Administration Tools
  - Role Administration Tools
    - Active Directory Domain Services Tools
Then check Active Directory Domain Controller Tools.
Windows Server 2008 R2 Instructions:
- Remote Server Administration Tools
  - Role Administration Tools
    - AD DS and AD LDS Tools
      - AD DS Tools
Then check AD DS Snap-Ins and Command-Line Tools.
- Active Directory Users and Computers
- Active Directory Domains and Trusts
- Active Directory Sites and Services
The first answer from Mathieu Chateau was basically correct: you do not have to dcpromo to get this. However, the role option is “AD DS and AD LDS Tools”, not “Active Directory Domain Services Tools”.
I think you’re right and that it’s a feature under Server Manager. If you dcpromo it, I think they show up automatically based on the roles you give it. But if it’s just a member server, you have to install the feature “Remote Server Administration Tools”. When you expand the tree, you can select AD Domain Services Tools, DNS Server Tools, DHCP, etc. Try looking there, and then make sure that you customize the Start Menu setting so that it shows up.
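As an added example, not from any of the answers in this thread, the same feature selection performed from the command line on a member server. Windows Server 2008 R2 ships the ServerManager PowerShell module with Add-WindowsFeature; the original Windows Server 2008 release has no such module, and ServerManagerCmd.exe is its equivalent. The 2008 R2 feature IDs used below (RSAT-AD-Tools, RSAT-ADDS, RSAT-ADDS-Tools, RSAT-AD-PowerShell, RSAT-AD-AdminCenter) are the ones Get-WindowsFeature prints for the tree entries named in the answers; the ServerManagerCmd IDs for the original release are given from memory and should be confirmed with `servermanagercmd -query` first.

```powershell
# Added example, not from any answer in the thread: installing the AD DS
# management tools on a member server from the command line.
#
# Windows Server 2008 (original release) has no ServerManager PowerShell
# module; ServerManagerCmd.exe drives the same feature list. The IDs below
# for that release are from memory, so confirm them with the -query first:
#   servermanagercmd.exe -query | findstr /i RSAT
#   servermanagercmd.exe -install RSAT-ADDS   (Active Directory Domain Services Tools)
#
# Windows Server 2008 R2: the ServerManager module exposes the same wizard.
Import-Module ServerManager

function Install-AdAdminTools {
    param(
        # 2008 R2 IDs as printed by Get-WindowsFeature:
        #   RSAT-ADDS-Tools     = "AD DS Snap-Ins and Command-Line Tools"
        #                         (Users and Computers, Sites and Services, Domains and Trusts)
        #   RSAT-AD-PowerShell  = "Active Directory module for Windows PowerShell"
        #   RSAT-AD-AdminCenter = "Active Directory Administrative Center"
        [string[]]$Features = @('RSAT-ADDS-Tools', 'RSAT-AD-PowerShell')
    )
    $missing = @(Get-WindowsFeature $Features | Where-Object { -not $_.Installed })
    if ($missing.Count -eq 0) {
        Write-Host "Already installed: $($Features -join ', ')"
    }
    else {
        $result = Add-WindowsFeature $missing
        if (-not $result.Success) {
            throw "Add-WindowsFeature failed with exit code $($result.ExitCode)"
        }
        if ("$($result.RestartNeeded)" -eq 'Yes') {
            Write-Warning 'A restart is required before the snap-ins appear under Administrative Tools.'
        }
    }
    # Show the whole "AD DS and AD LDS Tools" branch so the result can be
    # compared with the tree in Server Manager.
    Get-WindowsFeature RSAT-AD-Tools, RSAT-ADDS, RSAT-ADDS-Tools, RSAT-AD-AdminCenter, RSAT-ADLDS, RSAT-AD-PowerShell |
        Select-Object Name, DisplayName, Installed
}

Install-AdAdminTools | Format-Table -AutoSize
```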
Edit: Bah, Joe said it while I was typing this up.
This should do the trick:
I believe the MS answer is “Don’t manage a domain from a server”.
The reason the RSAT tools are only available for download for the client OS is because that’s how you’re supposed to manage the whole domain. If you’re logging in to a server to do basic domain administrative tasks, you’re doing it wrong. The only reason they exist on the DC is because they must be there for initial domain configuration and for troubleshooting and recovery. The general idea is that the only real reason to log on to a server is to install or configure software or updates. Otherwise, if it can be done remotely, do it that way. Honestly, MS should install a “log on reason” just like they have the “shutdown/reboot reason”.
To make a long story short, set up Vista or 7 and administer from there.
Launch Server Manager and click on Features. See the screenshot.
Active Directory is the backbone of most networks. It stores all the setting, user accounts, and computer information. The following guide will show you how to install it onto Windows Server 2008 R2.
There are a few prerequisites that you must first sort out, before starting the installation.
– Windows must be running on an NTFS volume.
– Have a NIC installed, and connected to the network.
– Be logged on as the local administrator.
– Have decided on a Domain Name to use.
– Performed the basic server configuration, such as Server Name, etc.
Once you have sorted out these requirements, you can move onto step 1.
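The prerequisite list above can be checked mechanically before touching dcpromo. The following is an added example, not part of the guide, written for the PowerShell 2.0 and WMI that ship with Windows Server 2008 R2. It checks that the system volume is NTFS, that a NIC has a statically configured IP address, that the DNS client points at this server (the guide's own advice for the first DC, a few steps further on), that the session is an elevated local administrator, that the default WIN-xxxxxxxxxxx computer name has been replaced, and that the chosen domain name is a well-formed multi-label DNS name. The domain name corp.example.com is a placeholder.

```powershell
# Added example, not from the guide above: verifies the listed prerequisites
# before dcpromo is run on a Windows Server 2008 R2 machine.
function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Test-DcPrerequisites {
    param([string]$PlannedDomain = 'corp.example.com')   # placeholder, not a real domain

    # 1. The system volume must be NTFS: the AD database and SYSVOL require it.
    $sys = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    New-Check 'System volume is NTFS' ($sys.FileSystem -eq 'NTFS') "$($sys.DeviceID) is $($sys.FileSystem)"

    # 2. A connected NIC whose IP address is configured statically, not by DHCP.
    $nics   = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
    $static = @($nics | Where-Object { -not $_.DHCPEnabled })
    $nicText = ($nics | ForEach-Object { "$($_.Description) [$($_.IPAddress -join ',')] DHCP=$($_.DHCPEnabled)" }) -join '; '
    New-Check 'NIC with static IP address' ($static.Count -gt 0) $nicText

    # 3. The DNS client should point at this server (first DC), never only at a
    #    router or ISP resolver that knows nothing about the new domain.
    $localIps = $nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
    $dns      = $nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
    $pointsAtSelf = @($dns | Where-Object { $localIps -contains $_ }).Count -gt 0
    New-Check 'DNS client points at this server' $pointsAtSelf ('DNS servers: ' + ($dns -join ', '))

    # 4. Running as a local administrator with an elevated token.
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    New-Check 'Logged on as local administrator (elevated)' $admin $id.Name

    # 5. Basic configuration done: the random WIN-xxxxxxxxxxx name has been replaced.
    New-Check 'Server has been renamed' ($env:COMPUTERNAME -notmatch '^WIN-[A-Z0-9]{11}$') $env:COMPUTERNAME

    # 6. A domain name has been decided on and has at least two DNS labels.
    New-Check 'Domain name decided and well formed' ($PlannedDomain -match '^[a-z0-9-]+(\.[a-z0-9-]+)+$') $PlannedDomain
}

Test-DcPrerequisites -PlannedDomain 'corp.example.com' | Format-Table Check, Pass, Detail -AutoSize
```

Every row should read Pass = True before moving on to step 1; the Detail column says what to fix when one does not.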
Unlike installing Active Directory on Windows Server 2003, you must start the installation from Server Manager. This installs the components and key settings required for the installation process.
Begin by launching Server Manager and navigating to Roles. You will now see a list of installed Roles on your server. Click on Add Roles; this launches the wizard that allows you to install the required roles. Check the Role called Active Directory Domain Services; you may be prompted to also install .NET Framework. Then click Next, Next again, and finally Install. Windows will now prepare for the installation of Active Directory. Once this has finished, close down Server Manager.
Now we come to the main installation process. Start by typing DCPROMO at the Run command. Those who are used to running this on Windows Server 2003 will notice a new option called Advanced Mode. This provides additional configuration options that I won’t discuss.
Click Next, and Next again; you will now be asked if you want to create a new forest. Since this is the first Domain Controller, you must create a new forest. Then click Next.
You will now be asked to type the FQDN that you would like to use. This would normally be the domain name of your company. Once you’ve entered your FQDN, click Next.
Now you must choose your Forest Functional Level. The higher levels provide additional features, but require clients and servers to be running updated operating systems.
The setup wizard will now examine your DNS configuration. In most cases you will install the DNS server onto your Domain Controllers. The wizard should automatically select this option for you, but requires confirmation that you want this to happen. Click Next to continue.
You may be prompted that you are using a dynamic IP address; it is strongly advised that you set a static IP address for your server. When assigning a static IP address, you must make sure that the DNS server address is pointing to your server’s own IP address.
You will now be asked where you want to store the Active Directory database and log files. It’s recommended that you store them on a different volume, but it works just fine using the default location on the system volume. Once again click Next.
Now you will need to enter a Restore Mode password; this is used when you need to boot up in AD restore mode. Then click Next.
At this point you will be presented with a summary screen of all the settings you have chosen. Verify these are correct; if not, go back and change them. When you are happy with everything, click Next to begin the install.
Once completed, you must reboot to finish the installation process. After the reboot, sign on, and you should see several new items under Administrative Tools for managing your Domain. Start by opening Active Directory Users and Computers; this will allow you to manage the users in the Domain.
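The three guides above all walk the same Add Roles plus dcpromo wizard pages. As an added example, not from any of them, here is that first-DC promotion scripted the way Windows Server 2008 R2 was automated: the role binaries via the ServerManager module, then dcpromo with an `[DCInstall]` answer file whose keys map one to one onto the wizard pages (new forest, FQDN, NetBIOS name, functional levels, DNS, database/log/SYSVOL paths, Directory Services Restore Mode password). The ADDSDeployment cmdlets only arrived in Server 2012, so this is the 2008 R2 equivalent. contoso.local and CONTOSO are placeholders. The DSRM password is prompted for and the answer file is deleted in a `finally` block, because it holds that password in clear text.

```powershell
# Added example, not from any of the guides above: first domain controller in
# a new forest, scripted with a dcpromo answer file on Windows Server 2008 R2.
# contoso.local / CONTOSO are placeholders; replace them with your own names.
Import-Module ServerManager

# Stage 1: the "Add Roles" step. Installs the AD DS binaries only.
$role = Add-WindowsFeature AD-Domain-Services
if (-not $role.Success) { throw "AD DS role installation failed, exit code $($role.ExitCode)" }

# Stage 2: the dcpromo wizard pages as [DCInstall] keys.
#   ForestLevel/DomainLevel: 0 = Windows 2000, 2 = 2003, 3 = 2008, 4 = 2008 R2
#   InstallDNS=Yes creates the AD-integrated zone; ConfirmGc=Yes makes this DC a GC.
#   The DSRM password is read as a SecureString and only decoded to write the file.
$secure = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.local
DomainNetbiosName=CONTOSO
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
$file = Join-Path $env:TEMP 'dcpromo-unattend.txt'
Set-Content -Path $file -Value $answer -Encoding ASCII

# Stage 3: run the wizard unattended. Exit codes 1 to 4 mean success (2 and 4
# mean a reboot is required); anything else, read %windir%\debug\dcpromo.log.
try {
    $p = Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:`"$file`"" -Wait -PassThru
    if ($p.ExitCode -lt 1 -or $p.ExitCode -gt 4) {
        throw "dcpromo failed with exit code $($p.ExitCode); see $env:windir\debug\dcpromo.log"
    }
}
finally {
    # Never leave the DSRM password on disk, whatever happened above.
    Remove-Item $file -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}

# Stage 4: the reboot the guides end with.
Restart-Computer -Force
```

The paths keep the wizard defaults on the system volume; to follow the recommendation of a separate volume for the database and logs, change DatabasePath and LogPath to a drive that is already formatted NTFS before the run.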
How to Manage a Windows Server 2008 DC Using the Active Directory Administrative Center (ADAC)
The Active Directory Administrative Center (ADAC) was introduced in Windows Server 2008 R2, and has been improved in subsequent releases. In this Ask the Admin, I’ll show you how to use ADAC to remotely manage earlier versions of Windows Server.
Active Directory Web Service
Windows Server 2008 R2 included for the first time the Active Directory Web Service, which allows PowerShell to interact with Active Directory (AD), also enabling the Active Directory Administrative Center because it uses PowerShell behind the scenes. To manage DCs (both writeable and read-only) that run earlier versions of Windows Server using the AD PowerShell module or ADAC, you need to install the Active Directory Management Gateway Service.
The gateway allows management of full Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), and Active Directory Application Mode (ADAM) on DCs running Windows Server 2003 SP2 or later.
Install Active Directory Management Gateway Service on Windows Server 2008 SP2
Download the Active Directory Management Gateway Service from Microsoft. You will need to choose the correct package for your server. In this example, I’m running Windows Server 2008 SP2 64bit edition, so I will download Windows6.0-KB968934-x64.msu. If you are installing the gateway service on Windows Server 2003 or Server 2003 R2, download Windows5.2-KB968934-x64.exe or Windows5.2-KB968934-x86.exe, as appropriate to the architecture of your server’s processor.
Before proceeding, make sure that the .NET Framework 3.5 SP1 (or later) is installed. Additional hotfixes may be required for Windows Server 2003, so see the download page for more information. Run the downloaded package, follow the simple install instructions, and restart the server.
Use ADAC to Manage Windows Server 2008 SP2
When the server has rebooted, you’ll be able to run ADAC from a remote computer to manage AD on the domain controller where you installed the gateway service. Don’t forget that the Active Directory Management Gateway Service doesn’t allow you to use ADAC directly on servers prior to Windows Server 2008 R2. You will need to download the Remote Server Administration Tools (RSAT) and install them on a management server or workstation.
For more information on installing and using RSAT, check out “Remote Server Administration Tools (RSAT) for Windows 8: Download and Install” on Petri.
Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server from a computer that is running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
You cannot install RSAT on computers that are running Home or Standard editions of Windows. You can install RSAT only on Professional or Enterprise editions of the Windows client operating system. Unless the download page specifically states that RSAT applies to a beta, preview, or other prerelease version of Windows, you must be running a full (RTM) release of the Windows operating system to install and use RSAT. Although some users have found ways of manually cracking or hacking the RSAT MSU to install RSAT on unsupported releases or editions of Windows, this is a violation of the Windows end-user license agreement.
Installing RSAT is similar to installing Adminpak.msi on Windows 2000-based or Windows XP-based client computers. However, there is one major difference: On Windows Vista and Windows 7, the tools are not automatically available after you download and install RSAT. You must enable the tools that you want to use by using Control Panel. To do this, click Start, click Control Panel, click Programs and Features, and then click Turn Windows features on or off. (See the following figure.)
In the RSAT releases for Windows 10, Windows 8.1, and Windows 8, tools are again all enabled by default. You can open Turn Windows features on or off to disable tools that you don’t want to use for Windows Vista and Windows 7.
For RSAT on Windows Vista and Windows 7, you must enable the tools for the roles and features that you want to manage after you run the downloaded installation package. (See the following screen shot.)
Note: You cannot make the following changes for RSAT on Windows 8 or later versions.
If you have to install management tools on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 for specific roles or features that are running on remote servers, you don’t have to install additional software. Start the Add Features Wizard in Windows Server 2008 or Windows Server 2008 R2 or the Add Roles and Features Wizard in Windows Server 2012 and later versions. Then, on the Select Features page, expand Remote Server Administration Tools, and then select the tools that you want to install. Complete the wizard to install your management tools. (See the following screen shot.)
I am an application/database developer with no prior knowledge or experience with Windows Server installation or management. Owing to business requirements, we need to set up a few servers at our office, and the task falls on the shoulders of myself – the owner and main IT guy.
We have one physical machine, and since we need to run several roles on this single machine, have configured several Hyper-V virtual machines on it.
The Hyper-V host is, of course, the first virtual machine. The second VM guest is being used for installing a domain controller. The third will be used for running a VPN, and the fourth for a web server. The VM guests have all been installed, and the OS has also been installed on all four systems. Since we do not have a very large network of computers, and only plan to have a total of two physical servers (running a total of 5 different virtual servers between them), we’re not using DHCP and are assigning static IPs to all the machines. The static IPs have already been configured. We’ve given them IPs ranging from 192.168.1.2 to 192.168.1.6, on the default subnet 255.255.255.0. The IP 192.168.1.1 is going to be used for the router when we set up one for internet access later.
After configuring the host VM, I turned my attention to installing AD on the first guest VM. Please note – apart from a few settings in Control Panel (like datetime globalization settings, password lockout settings), we haven’t made any major changes to the settings of any of the computers so far.
When I try to install Active Directory Domain Services using the Roles node on the Server Manager, the installation proceeds normally, and then all of a sudden gives me an error message saying the installation failed, and that I need to restart my computer to undo the changes made to the system. It does not give any additional information beyond this.
I tried this three times, and each time got the same result.
1) The first time, I selected the AD DS role from Server Manager, and it said it needed to install Dot Net Framework 3.5.something alongside. I checked it, and clicked Install. (Note – It never asked for installing the DNS role alongside, which I’ve read in Win Server 2008 R2 books that it is needed for the AD DS role to be installed.) The installation failed for both the Dot Net Framework, and the AD DS. The wizard stated no reason, but simply asked to restart the machine to undo changes made during installation.
2) I restarted the machine. This time I tried installing the Dot Net Framework feature first from the Features node of Server Manager. It installed fine. I restarted my machine again just to make sure, and tried installing the AD DS role again. It never asked for the presence of the DNS role this time either. But it started the installation process, and gave the same error message as before once again, asking to restart. I restarted the machine.
3) I then installed the DNS role from Server Manager first. It installed fine. Restarted the machine again. Then tried installing AD DS again, and got the same results.
I tried searching online, and came across this – http://technet.microsoft.com/en-in/library/dd464018(v=ws.10).aspx
It seems my issue ‘may’ be because I haven’t run this utility yet, but I got no clear error message from the system stating this. So I can’t be sure if it will fix my issue.
But first, in order to run this, I have to go to a lot of trouble to shut down all the VMs, install an optical drive to the machine, and then try popping in the OS DVD and trying this.
And after I do that, I have no idea which command switches to run along with adprep for my specific requirement, and need some assistance in determining which command switches to run.
My requirement for my business network is as follows –
We have a database server that serves all of our business data. This resides on a separate physical machine, with no virtualization, and no other roles on the box.
This data is to be accessed by our field personnel through VPN via a web interface.
The database server has a second database, which powers our company website (mainly stuff like news, media galleries, comments, etc).
Our website needs to access data from the website database, as well as the company database in several places.
This means that we do not need to set up a very extensive domain system in place. I just need one domain controller that acts as the server for the other servers on the network which become its clients – namely the database server, the VPN server, and the web server. We’re going to have a few service accounts (most likely virtual accounts) used to run the database server and IIS, ONE common domain administrator account for ALL the servers (me) that can access the servers physically, and possibly 2-5 domain user accounts (for the field personnel to connect over VPN).
I do not have any need for a forest, or a site, or a child domain, or to group objects into schemas or Organizational Units, or a redundant domain controller. And I have no idea on how to actually set up my domain either once AD DS is installed (and I was kinda hoping I’d get some help with that later, since I’ve laid out my full requirements above).
So once again, my question is – is my AD DS installation failing because I haven’t run adprep? And if it is, what command switches do I run it with, considering that this is going to be a very small domain?
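The question above is left as asked; no answer from the thread is reproduced here. What follows is an added example, not from the thread, addressing the part of the problem that is independent of the adprep question: the Add Roles wizard reports only "installation failed", but the reason is written to the Server Manager log, to the servicing (CBS) log that the role and .NET 3.5.1 payload installs use, and to the event log. The script collects the failure lines from each into one folder, together with the current installed state of the AD DS, DNS and .NET Framework 3.5.1 features, so that the real error can be read before deciding whether adprep is involved at all. The log paths and feature IDs are the standard Windows Server 2008 R2 ones.

```powershell
# Added example, not an answer from the thread: gathers the evidence the Add
# Roles wizard hides when it reports "installation failed".
Import-Module ServerManager

function Get-RoleInstallDiagnostics {
    param([string]$OutDir = (Join-Path $env:TEMP 'adds-install-diag'))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Current state of the features the question is trying to install.
    Get-WindowsFeature AD-Domain-Services, DNS, NET-Framework-Core |
        Select-Object Name, Installed |
        Out-File (Join-Path $OutDir 'feature-state.txt')

    $logs = @(
        "$env:windir\Logs\ServerManager.log",   # Add Roles / Add Features wizard
        "$env:windir\Logs\CBS\CBS.log",         # component servicing (role and .NET payloads)
        "$env:windir\debug\dcpromo.log",        # only exists once dcpromo has been run
        "$env:windir\debug\dcpromoui.log"
    )
    foreach ($log in $logs) {
        if (-not (Test-Path $log)) { continue }
        $target = Join-Path $OutDir ((Split-Path $log -Leaf) + '.errors.txt')
        # Keep failure lines with two lines of following context; HRESULTs look like 0x8xxxxxxx.
        Select-String -Path $log -Pattern 'error|fail|0x8[0-9a-f]{7}' -Context 0, 2 |
            Out-File $target
    }

    # Errors and warnings logged during the attempts (last 24 hours).
    $since = (Get-Date).AddHours(-24)
    foreach ($name in 'System', 'Application') {
        Get-EventLog -LogName $name -EntryType Error, Warning -After $since |
            Select-Object TimeGenerated, Source, EventID, Message |
            Export-Csv (Join-Path $OutDir "$name-events.csv") -NoTypeInformation
    }
    Get-ChildItem $OutDir
}

Get-RoleInstallDiagnostics
```

Read CBS.log.errors.txt first when a feature install fails before dcpromo has ever run; dcpromo.log only becomes relevant once the role binaries are on disk and the promotion wizard itself has been started.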
Yes, you can have your own Certification Authority (CA) and issue certificates for clients. The bad news is that certificates issued by your internal CA are trusted only by your internal clients, or by clients that have your root certificate imported. For internal applications, sites, etc. this is gold, because you don’t have to buy a commercial certificate, but if you have a public HTTPS site you will need a commercial certificate. Certification authorities can have multiple tiers or levels, like a Root CA, then a Subordinate CA, and lastly an Issuing CA. Below I created a diagram for a better visualization.
The Root CA will issue certificates only for the Subordinate CA, and the Subordinate CA will issue certificates only for the Issuing CA. The Issuing CA is the one that will issue certificates for internal clients. You can, of course, create more than three tiers, but even the commercial Certification Authorities do not go beyond three. Now there are multiple types of Certification Authorities for Windows domains. The first and biggest one is the Enterprise Root CA, then the Enterprise Subordinate CA. These two types are used only if you have a Windows domain implemented in your network. The last two are the Standalone Root CA and the Standalone Subordinate CA. These are used if you don’t have a Windows domain implemented. Now the difference between Enterprise and Standalone is that with Enterprise you have certificate templates, and the root certificate will automatically be deployed to all domain clients. I will end this introduction now and start working.
For this guide I have a Domain Controller (DC) running Windows Server 2008 R2, and another Windows Server 2008 R2 server (named Server-Cert) joined to the domain, which will be our Enterprise Root CA. Yes, I’m going with the Enterprise version, because this is a Windows domain, and for a small business a single Enterprise Root CA is more than sufficient.
Go to Server-Cert and open Server Manager; right-click Roles and choose Add Roles.
Click Next to skip the Welcome screen. On the Roles screen select the Active Directory Certificate Services and click Next.
Skip the introduction to AD CS. On the Role Services screen we have the option to install more than just the certificate service. For this demonstration I’m going to install Certification Authority Web Enrollment too. This will give us a web page to request certificates, and it’s great, believe me. As soon as you check Certification Authority Web Enrollment you will be asked to install some required prerequisites; of course, a web site needs a web server to function. Just click Add Required Role Services and continue the wizard.
Because this is about installing Enterprise Root CA, just leave the defaults here and click Next.
Again leave the defaults here to install a Root CA.
We need to create a new private key, so click Next to continue.
For an Enterprise Root CA I usually choose a key length of 4096 and leave the rest at the defaults.
Give your Root CA a name. I always change the name, because I really hate the default one.
Select a validity period. For Enterprise Root CA I usually type 30 years.
If you have a reason to change the default log and database location, do it using the Browse buttons. Now comes the IIS installation part, just go with the defaults and finish the wizard.
The installation is done. Go to Administrative Tools > Certification Authority to open the Management Console for the Certificate Services. From this console you can revoke certificates and create templates.
To see the root certificate, right-click the server name, choose Properties and click the View Certificate button.
Open a browser and type http://localhost/certsrv, and the Certificates Services Web Enrolment page should open. Using this web page clients can request certificates, if they have the proper permissions.
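Viewing the certificate in the console shows the result of the wizard choices; the following added example (not from the guide) reads the Enterprise Root CA's own certificate back with certutil and checks it against what was chosen above: a 4096-bit key, a 30-year validity, a self-signed root, presence in the local Trusted Root store, and a reachable certsrv web enrollment page. It also reports the signature hash algorithm, which the Windows Server 2008 R2 cryptography page leaves at SHA-1 unless changed; because the CA signs everything it issues with that same configured hash, a practitioner wants to see this value before the CA starts issuing. The 4096 and 30 thresholds are taken from the guide; the temporary file name is an assumption.

```powershell
# Added example, not from the guide above: verify the Enterprise Root CA
# certificate after the wizard completes. Run on the CA server (Server-Cert).
function Test-RootCaCertificate {
    param(
        [int]$MinKeyBits    = 4096,   # the key length chosen in the wizard
        [int]$ExpectedYears = 30      # the validity period chosen in the wizard
    )
    # certutil -ca.cert writes the local CA's certificate to a file.
    $tmp = Join-Path $env:TEMP 'rootca-check.cer'
    & certutil.exe -ca.cert $tmp | Out-Null
    if (-not (Test-Path $tmp)) {
        throw 'certutil could not export the CA certificate; is the Active Directory Certificate Services service running?'
    }
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $tmp
    Remove-Item $tmp -Force

    $years = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
    $hash  = $cert.SignatureAlgorithm.FriendlyName

    # Web Enrollment check: the certsrv page answers a Windows-authenticated request.
    $wc = New-Object Net.WebClient
    $wc.UseDefaultCredentials = $true
    $webEnroll = $false
    try { $webEnroll = ($wc.DownloadString('http://localhost/certsrv/') -match 'Certificate Services') } catch { }

    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)      # a root CA signs its own certificate
        KeyBits        = $cert.PublicKey.Key.KeySize
        KeyOk          = ($cert.PublicKey.Key.KeySize -ge $MinKeyBits)
        ValidYears     = [math]::Round($years, 1)
        ValidityOk     = ([math]::Round($years) -eq $ExpectedYears)
        HashAlgorithm  = $hash
        HashOk         = ($hash -notmatch 'sha1|md5')           # same hash is used for every certificate this CA issues
        InTrustedRoots = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
        WebEnrollment  = $webEnroll
    }
}

Test-RootCaCertificate | Format-List
```

If HashOk comes back False, the hash algorithm can still be changed on the CA before any certificates are issued; after that, reissuing is the only way to move issued certificates to a stronger hash.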
Why Consider this
The ADWS provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If the service is stopped or disabled, client applications, such as Active Directory PowerShell, will not be able to access or manage any directory service instances that are running locally on the server.
Context & Best Practices
Active Directory Web Services (ADWS), in Windows Server 2008 R2 and later, is a new Windows service that provides a Web service interface to Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) instances, and Active Directory Database Mounting Tool instances that are running on the same server as ADWS. If the ADWS is stopped or disabled, client applications, such as the Active Directory module for Windows PowerShell or the Active Directory Administrative Center will not be able to access or manage any directory service instances that are running on this server. ADWS is installed automatically when you add the AD DS or AD LDS server roles to your Windows Server 2008 R2 or later server. ADWS is configured to run if you make the server a domain controller by running Dcpromo.exe or if you create an AD LDS instance on this server. Unless there is a valid reason not to do so, you should configure the ADWS service to start automatically.
To address this issue, carry out the following actions:
- Configure the ADWS to start automatically on the affected servers.
- Click Start, type Run, type services.msc, and then click OK.
- In the list of services, double-click Active Directory Web Services.
- On the General tab, under Startup type, select Automatic.
- If the Service status does not say Running, click Start.
- Click OK.
- Repeat these steps for all affected servers.
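The last step, repeating the services.msc change on every affected server, is where a script earns its keep. The following is an added example, not from the Services Hub page: it enumerates the domain controllers of the current domain through System.DirectoryServices (plain LDAP, so it works precisely when ADWS is down and the Active Directory module cannot connect), reads the ADWS startup type and state over WMI, sets the startup type to Automatic and starts the service where needed, and returns a before/after row per DC. The -ReportOnly switch is an assumption of this script, used to audit without changing anything.

```powershell
# Added example, not from the Services Hub page: applies the "Startup type =
# Automatic, Service status = Running" fix for ADWS to every DC in the domain.
function Repair-AdwsStartup {
    param([switch]$ReportOnly)   # show state without changing anything

    # LDAP-based enumeration: does not depend on ADWS being up on any DC.
    $domain = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $server = $dc.Name
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State remotely.
        $svc = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='ADWS'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "$server : ADWS service not found (DC older than 2008 R2, or WMI unreachable)"
            continue
        }
        $before = "$($svc.StartMode)/$($svc.State)"
        if (-not $ReportOnly) {
            if ($svc.StartMode -ne 'Auto')   { [void]$svc.ChangeStartMode('Automatic') }
            if ($svc.State    -ne 'Running') { [void]$svc.StartService() }
            Start-Sleep -Seconds 2
            $svc = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='ADWS'"
        }
        New-Object PSObject -Property @{
            Server    = $server
            Before    = $before
            After     = "$($svc.StartMode)/$($svc.State)"
            Compliant = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
        }
    }
}

# Audit first, then remediate.
Repair-AdwsStartup -ReportOnly | Format-Table Server, Before, Compliant -AutoSize
Repair-AdwsStartup            | Format-Table Server, Before, After, Compliant -AutoSize
```

A DC that keeps reverting to Disabled after this runs has something else changing the service configuration (Group Policy preferences or a management tool), which is the next thing to look for.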
For more information on the Active Directory Web Services service, see What’s New in AD DS: Active Directory Web Services, at https://technet.microsoft.com/library/dd391908.aspx.