Domain Controller Installation Notes

I've installed my fair share of Windows 2003 domain controllers over the years and there are always a few things that for some reason aren't configured when running the Active Directory Wizard (DCPromo.exe):

  1. Time Server
  2. COM+ Security
  3. DNS Settings

This whole time server thing is sorta weird. From what I can tell there are at least two timing systems in a Windows enterprise. One seems to use Windows style stuff and the other seems to use standardized stuff. I don't know much about timing but I have figured out that Active Direcory uses Kerberos and Kerberos requires that all the machines using it have synchronized clocks. So at least one Domain Controller must have accurate time and the easiest way to take care of this is to just use the built-in time.windows.com servers. The problem is that by default 2003 doesn't seem to be able to talk to the Windows Time Servers (even though I see XP talking to time.windows.com like all the freekin time) so you have to screw around in the registry and make a slight change. The key is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Edit the "Type" field and change it to "NTP". Then run "w32tm /resync /rediscover" just to be safe.

I figured this out by plugging Event ID's into http://EventID.Net and reading how other people solved their timing issues. EventID.Net is a great resource however I have one moral issue with how they run their site. Its basically a collection of user created solutions to events that show up in Windows Event Logs. The issue is that they pulled one of those scams where the entire site was free until the database was populated by users and then later they locked out the users from parts of the site and now charge a "subscription fee". The site is still usable but instead of being able to click directly to MSDN articles and other links, you have to use Google to search for the KB ID's and whatnot since clicking on many of the links just takes you to a "pay now" page. This "bait and switch" story is all too common these days (CDDB, etc.)

Next up is the COM+ settings. This one is easy, just follow David Grant's directions on this page: http://eventid.net/display.asp?eventid=53258&eventno=4493&source=MSDTC&phase=1

And finally the DNS settings. This one took me a while to solve. Basically you have the DC's network device set to use itself as the DNS server (because you have DNS running on this box because its a Domain Controller, right?) but the DNS server can't resolve queries yet because the system is still starting up and the system needs to be able to resolve DNS queries so the solution is to assign extra DNS servers. Generally you'll want to use your secondary Domain Controller or your primary if you're setting up an additional controller.

So, for example, on DC1 set the secondary DNS to the IP of DC2 and on DC2 set the secondary DNS to the IP of DC1. If you're only using one controller (shame on you) find another reliable DNS server (your ISP's or the one built into your router) to use as a secondary.

Now reboot again and again until no more warnings or errors show up in the Event Logs. If you're still getting weird errors, wait 20 minutes before rebooting and if that still doesn't fix the problems, demote the server, remove it from the domain, format the hard drive and start over. Trying to fix a damaged Domain Controller is more hassle than its worth. Its easier to just flatten the box and start over.

Oh and two final notes:

  1. Don't even think about trying to use multiple network devices on a Domain Controller. Although it is possible to set up a DC in this configuration, the amount of work isn't worth the payoff.
  2. Make sure the SP1/R2 firewall is turned off. Since this isn't an Internet-facing machine this shouldn't be too much of an issue, however if you're paranoid you can exclude every port that Active Directory uses. A better solution would be to let the firewall figure out what ports to unblock based on the process (add programs to the exclusion list instead of ports) but I don't know all of the processes that the Active Directory uses so this isn't yet an option. If anyone has a list, go ahead and send it and I'll test the firewall settings with those processes assigned.