I was wondering if anyone has a way to install Active Directory on a Windows 2003 R2 Server, without any tricks, and have no errors/warnings in the event log.
I have traditionally used an about 15 step "manual" process for installing AD, but I was doing a new server with Windows 2003 R2 and thought I'd try the "Server Manager" way. So after I installed a clean copy of Windows 2003 R2 and loaded SP2, I clicked on Add Role from the Manage Your Server window and ran the Configure Your Server wizard. I chose Typical Configuration for a First Server.
After restarting, I noticed a few issues in the event logs (some familiar):
1. The DSRestore Filter failed to connect to local SAM server. Error returned is <id:997>.
Fixing this involved removing "dsrestor" from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Notification Packages, then resetting the Directory Services Restore Mode Administrator Account per Q322672 and rebooting.

2. MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings.
This is related to KB923977 and involved just going into Component Services -> My Computer -> Properties -> MSDTC -> Security Configuration -> Click OK, then stopping and restarting MSDTC.

3. Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
Fixing this involved a lengthy process outlined in this article.
I didn't see the DNS error that I usually see that makes you set HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations to 0, which was nice, but, still, 3 issues with a clean install "by the book".
EDIT: The DNS Error just appeared (Error 6702 DNS server has updated its own host (A) records...) so I had to implement the above fix. So that makes FOUR issues.
So my thought was... Windows 2003 has been around since, well, 2003... so over six years ago. It has had innumerable patches, two service packs, even an R2 update. Is it really not possible to have an error-free install of Active Directory without tricks? What am I missing?
I've been installing Active Directory on W2K and W2K3 for years without any of the gyrations you're talking about.
Item 1 - That's an event ID 1005 from source DSrestor (per http://www.eventid.net/display.asp?eventid=1005&eventno=4658&source=dsrestor&phase=1). I've got a W2K3 R2 test box in my lab, installed from a slipstreamed W2K3 SP2 VL media and DCPROMO'd immediately after install. I have the full events log back to the OS load and this event isn't in any of them. I also checked out the archived event logs from the first W2K3 domain controller (installed with RTM W2K3 media in 2004) at a Customer site and I don't find this error anywhere. I don't know exactly what you're doing to make this error occur, but I've never seen it anywhere.
Item 2 - Microsoft has never fixed this. I tend to just ignore it. My various event log notification applications have been configured to ignore it, too. Yeah, you can resolve it if you want to. It doesn't bother me.
Item 3 - This isn't an error at all! This is telling you to do something. Configure a time source external to the domain. It's a one command-line procedure, if you don't mind using public NTP servers: "NET TIME /setsntp:pool.ntp.org" (specify any NTP server you want). I have no idea why the article you refer to makes such a big deal about it. You need an external-to-the-forest time source. (BTW: This only happens on the PDC emulator FSMO role-holder in the forest root domain. All subsequent DCPROMOs of all other DCs in the forest won't generate this message...)
You mention an "Item 4" that's a "DNS error", but you're really talking about event ID 1555, source "NTDS replication" I think. This isn't an error either. This article describes how the feature works and it's actually in the product for a utility purpose. If the initial synchronization isn't happening on your FSMO role-holder DC(s) you should really fix the replication problem instead of just squelching the error message. I can understand doing this in a test environment or in a DR dry-run, but in real life you should be fixing initial synchronization issues with your FSMO role-holders.
In summary: I don't know what you're doing to make item 1 happen. I can't tell you why Microsoft hasn't fixed item 2 but I don't care about it. Item 3 isn't an issue. Item 4 is an issue insofar as it's telling you that you need to fix broken initial synchronization.
The NTP one seems to trip a few people up, so here's the deal. If you don't join a domain during the Windows install process, Windows will "helpfully" set your time server to time1.windows.com (or similar). This can happen e.g. if you need to load your NIC driver post-install.
The trick to a clean AD installation is to get all the prep work done before installing AD. This includes setting your FQDN properly, ensuring that the machine can resolve IP-to-name and name-to-IP over your DNS, and setting your time source properly. Most AD install errors happen because one or more of these steps was either missed or done wrong, so doing them right and ensuring that they're right before installing AD is the only sensible solution.
If the prospective DC isn't the first in a new domain, joining it to the domain as a standard member server before installing AD never hurts either.
Regarding time specifically, the way that's tried and trusted for me involves at most two steps, both at the command-line.
This is required for all domain members and just clears whatever NTP server setting may be there. No need for any registry fiddling. This is a correct config for a domain member, as with no NTP server set it will just pick up its time from the domain hierarchy.
This is only required on your PDC emulator; you should never explicitly set an NTP server on any other domain member, whether a DC or not. If you do, strange and wonderful things might happen.
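To make the prep work in the answer above checkable before running DCPROMO, here is an added example script (not from the original thread or from any of its posters) that audits the three items it names: primary DNS suffix / FQDN, forward and reverse resolution through the configured DNS servers, and the time-source configuration (an explicit NTP server only on the forest-root PDC emulator, cleared everywhere else). It also reports, on an already-promoted DC, whether Repl Perform Initial Synchronizations has been set to 0, which the first answer argues hides a replication problem rather than fixing it. It assumes PowerShell is available on the machine and that it is run elevated; the function name and the -WillBePdcEmulator switch are this example's own.

```powershell
# Added example: pre-DCPROMO readiness audit. Not from the original thread.
# Assumptions: run elevated on the prospective DC in PowerShell; the function
# name and the -WillBePdcEmulator switch are invented for this example.
function Test-DcPromoReadiness {
    param(
        # Pass this switch only on the machine that will hold the forest-root PDC emulator role.
        [switch]$WillBePdcEmulator
    )
    $findings = @()

    # 1. FQDN: the primary DNS suffix is stored in Tcpip\Parameters\Domain and must be set.
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    if ([string]::IsNullOrEmpty($tcpip.Domain)) {
        $findings += 'Primary DNS suffix is empty; set it before running DCPROMO.'
        $fqdn = $env:COMPUTERNAME
    } else {
        $fqdn = "$($env:COMPUTERNAME).$($tcpip.Domain)"
    }

    # 2. Name-to-IP and IP-to-name must both succeed via the configured DNS servers.
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($fqdn) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
              Select-Object -First 1
        if ($null -eq $ip) { throw "no IPv4 address returned for $fqdn" }
        $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName
        if ($reverse -ine $fqdn) {
            $findings += "Reverse lookup of $ip returned '$reverse', expected '$fqdn' (fix the PTR record)."
        }
    } catch {
        $findings += "DNS resolution check failed for $fqdn : $($_.Exception.Message)"
    }

    # 3. Time source. Only the forest-root PDC emulator should carry an explicit NtpServer;
    #    every other machine must have it cleared so it follows the domain hierarchy.
    $w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $ntp = [string]$w32.NtpServer
    if ($WillBePdcEmulator) {
        if ([string]::IsNullOrEmpty($ntp) -or $ntp -match 'windows\.com') {
            $findings += "PDC emulator needs an external time source; NtpServer is '$ntp' (e.g. NET TIME /setsntp:pool.ntp.org)."
        }
    } elseif (-not [string]::IsNullOrEmpty($ntp)) {
        $findings += "NtpServer is '$ntp' but this machine will not be the PDC emulator; clear it so it uses the domain hierarchy."
    }

    # 4. Post-promotion only (the NTDS key does not exist before DCPROMO): flag a squelched
    #    initial synchronization, since that hides a replication problem instead of fixing it.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    if ($ntds -and $ntds.PSObject.Properties['Repl Perform Initial Synchronizations'] -and
        $ntds.'Repl Perform Initial Synchronizations' -eq 0) {
        $findings += 'Repl Perform Initial Synchronizations is 0: initial sync is disabled rather than fixed.'
    }

    return $findings
}

# Usage: run on the box that will become the first DC in the forest.
$result = Test-DcPromoReadiness -WillBePdcEmulator
if (-not $result) { 'No findings: prep work looks complete.' } else { $result }
```

Run it without the switch on any additional DC or member server; an empty result means the FQDN, both DNS directions and the time source are in the state the answer describes, so the remaining DCPROMO errors, if any, are something other than prep work.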