Tuesday, April 20, 2010

How to promote the first Domain Controller in the forest

First, a short description of the Active Directory service.

Active Directory

A directory service provides a centralized location to store information in a distributed environment about networked devices and services and the people who use them. A directory service also implements the services that make this information available to users, computers, and applications. A directory service is both a database storage system (directory store) and a set of services that provide the means to securely add, modify, delete, and locate data in the directory store.



Installing the first Domain Controller in the forest

1. Install Windows Server 2003 with Service Pack 2
2. Install antivirus software
3. Rename the server and give it a name that describes the role this server owns (for example locationDC-01); you can choose your own naming convention according to your organization's needs
4. Install the latest updates for Windows and for the antivirus
5. Configure the TCP/IP settings
A. If the server has multiple NICs, disable all but one and use a single NIC
B. Use a static IP address for the server (exclude it from your DHCP scope if you run DHCP)
C. Set the preferred DNS server to the server's own IP address

6. Open the Start menu, open Run, type dcpromo and press OK
7. In the Active Directory Installation Wizard press Next
8. Read the Operating System Compatibility page and press Next
9. On the Domain Controller Type page make sure that Domain controller for a new domain is selected and press Next
10. Select Domain in a new forest and press Next
11. On the New Domain Name page type the full DNS name of the new domain and press Next (example: mycompany.local). I prefer to use .local instead of .com, and that's called split-brain DNS
12. On the NetBIOS Domain Name page press Next without changing the NetBIOS name
13. On the Database and Log Folders page you are asked where to store the Active Directory database and logs. For best performance and recoverability, store the database and the logs on separate hard disks: change the log folder location to another hard disk. You can also keep the default path
14. On the Shared System Volume page leave the default path and press Next
15. On the DNS Registration Diagnostics page make sure that Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server is selected, and press Next
16. On the Permissions page leave the default and press Next
17. On the Directory Services Restore Mode Administrator Password page, specify the administrator password to use when you start the computer in Directory Services Restore Mode. You use Directory Services Restore Mode when you need to recover the Active Directory database
18. On the Summary page review your settings and press Next
19. Click Finish after the installation completes and choose to restart
Note: the server's local Administrator password becomes the domain Administrator password after the restart; you can change it afterwards
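The same wizard choices can be scripted for repeatable builds. The answer file below is an added example, not part of the original post: it uses the [DCInstall] section and key names of the Windows Server 2003 unattended dcpromo answer-file format (verify them against Microsoft's unattended-promotion documentation for your build), and every value (domain name, paths, password placeholder) is a constructed placeholder that mirrors steps 9 to 19 above. Run it with dcpromo /answer:C:\newforest.txt.

```ini
; Constructed example: first domain controller of a new forest (Windows Server 2003).
; Each key maps to a wizard page from the numbered steps in the post.
[DCInstall]
; step 9: domain controller for a new domain
ReplicaOrNewDomain=Domain
; step 10: domain in a new forest
NewDomain=Forest
; step 11: full DNS name of the new domain (placeholder, use your own)
NewDomainDNSName=mycompany.local
; step 12: NetBIOS name left at its default (first label, upper case)
DomainNetBiosName=MYCOMPANY
; step 13: database on the system disk, logs on a separate disk for recoverability
DatabasePath=C:\WINDOWS\NTDS
LogPath=D:\NTDS\Logs
; step 14: default SYSVOL location
SYSVOLPath=C:\WINDOWS\SYSVOL
; step 15: install DNS here and point this server at itself
AutoConfigDNS=Yes
; step 16: keep the default (no anonymous access for pre-Windows 2000 servers)
AllowAnonymousAccess=No
; step 17: Directory Services Restore Mode password (placeholder)
SafeModeAdminPassword=REPLACE-WITH-DSRM-PASSWORD
; step 19: restart when promotion succeeds
RebootOnSuccess=Yes
```

Because the file holds the Directory Services Restore Mode password in clear text, keep it off shared storage and delete it once the promotion has finished and you have confirmed the server rebooted as a domain controller.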

http://support.microsoft.com/kb/238369

Monday, March 22, 2010

Account lockout

User account keeps getting locked out
There are many reasons a domain user account can be locked out; below are some of them and how to resolve each.
A. Cached password used by an application or saved manually by the user
This scenario can cause an account to be locked out after the user's password is changed, because the application keeps trying to authenticate with the old password. To resolve this, follow the steps below to remove all saved passwords:
1. Open the Start menu and open Run
2. In the Open field type rundll32.exe keymgr.dll, KRShowKeyMgr and press Enter
3. A new dialog named Stored User Names and Passwords will appear
4. Use this interface to remove or edit the cached passwords (remove all of them: storing passwords this way is not recommended, because anyone with physical access to this machine could use them against you)
5. After that, reset the user's password and use the new one

B. A dictionary attack (repeated password guessing) may cause the user account to be locked out
To determine which machine is the source of this kind of dictionary attack, enable debug logging for the Net Logon service:
1. Open Run, type cmd and press Enter
2. In the command prompt type nltest /dbflag:0x20000004 and press Enter to enable debug logging
http://support.microsoft.com/default.aspx?scid=kb;en-us;109626

3. Restart the Net Logon service; after that you will find netlogon.log under %systemdrive%\debug
4. Open the log file and review the logon entries it contains
5. Refer to the following table, which describes each status code:
http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx


Status code   Meaning
0x0           Successful login
0xC0000064    The specified user does not exist
0xC000006A    The value provided as the current password is not correct
0xC000006C    Password policy not met
0xC000006D    The attempted logon is invalid due to a bad user name
0xC000006E    User account restriction has prevented successful login
0xC000006F    The user account has time restrictions and may not be logged onto at this time
0xC0000070    The user is restricted and may not log on from the source workstation
0xC0000071    The user account's password has expired
0xC0000072    The user account is currently disabled
0xC000009A    Insufficient system resources
0xC0000193    The user's account has expired
0xC0000224    User must change his password before he logs on the first time
0xC0000234    The user account has been automatically locked

6. The entries that return 0xC0000234 lead you to the source workstation of the attack
7. Then scan that machine with an up-to-date antivirus to clean the malware responsible for the attempts
8. You can disable debug logging by typing nltest /dbflag:0x0 at the command prompt and then restarting the Net Logon service
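Reading netlogon.log by hand gets slow on a busy domain controller, so here is an added example (not part of the original post) that does steps 4 to 6 programmatically: it parses the SamLogon "Returns" lines, tallies status codes per account and per source workstation using the table above, and picks the most likely origin of the attack. The log sample is constructed, and the line layout the regular expression expects ("SamLogon: <type> logon of DOMAIN\user from WORKSTATION Returns 0x...") is an assumption modelled on what netlogon.log writes; adjust it if your build adds extra fields. It also handles one edge case the post does not spell out: once the account is locked, the legitimate user's own workstation also starts receiving 0xC0000234, so the origin is the source that produced the wrong-password (0xC000006A) storm, not merely any source that saw a lockout.

```python
import re
from collections import Counter, defaultdict

# Status codes copied from the table in the post.
NETLOGON_STATUS = {
    "0x0": "Successful login",
    "0xC0000064": "The specified user does not exist",
    "0xC000006A": "The value provided as the current password is not correct",
    "0xC000006C": "Password policy not met",
    "0xC000006D": "The attempted logon is invalid due to a bad user name",
    "0xC000006E": "User account restriction has prevented successful login",
    "0xC000006F": "The user account has time restrictions and may not be logged onto at this time",
    "0xC0000070": "The user is restricted and may not log on from the source workstation",
    "0xC0000071": "The user account's password has expired",
    "0xC0000072": "The user account is currently disabled",
    "0xC000009A": "Insufficient system resources",
    "0xC0000193": "The user's account has expired",
    "0xC0000224": "User must change his password before he logs on the first time",
    "0xC0000234": "The user account has been automatically locked",
}

# Assumed shape of a netlogon.log SamLogon result line (thread id, domain prefix
# and "(via DC)" are optional because they vary between builds and logon types).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] "
    r"(?:\[\d+\] )?"
    r"(?:\S+: )?"
    r"SamLogon: (?P<kind>.+?) logon of (?P<account>\S+) "
    r"from (?P<source>\S+)"
    r"(?: \(via (?P<via>\S+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample: three wrong passwords from WKS-FINANCE-07 lock jsmith out,
# after which jsmith's own laptop also gets 0xC0000234; mlee logs on normally.
SAMPLE_LOG = """\
04/20 09:58:10 [LOGON] SamLogon: Network logon of MYCOMPANY\\jsmith from WKS-FINANCE-07 Returns 0xC000006A
04/20 09:58:11 [LOGON] SamLogon: Network logon of MYCOMPANY\\jsmith from WKS-FINANCE-07 Returns 0xC000006A
04/20 09:58:11 [LOGON] SamLogon: Network logon of MYCOMPANY\\jsmith from WKS-FINANCE-07 Returns 0xC000006A
04/20 09:58:12 [LOGON] SamLogon: Network logon of MYCOMPANY\\jsmith from WKS-FINANCE-07 Returns 0xC0000234
04/20 09:58:13 [LOGON] SamLogon: Network logon of MYCOMPANY\\jsmith from WKS-FINANCE-07 Returns 0xC0000234
04/20 09:58:20 [LOGON] SamLogon: Interactive logon of MYCOMPANY\\jsmith from LAPTOP-JS Returns 0xC0000234
04/20 09:58:25 [LOGON] SamLogon: Network logon of MYCOMPANY\\mlee from WKS-HR-02 Returns 0x0
04/20 09:58:30 [MISC] DsGetDcName function called: client PID=1234, Dom:MYCOMPANY Acct:(null) Flags: RETURN_DNS
"""


def parse_netlogon(text):
    """Yield one record per SamLogon result line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = "0x" + rec["status"][2:].upper()  # normalise hex case
        rec["meaning"] = NETLOGON_STATUS.get(rec["status"], "unknown status")
        yield rec


def lockout_sources(records, bad_password_threshold=3):
    """Return {account: {source: {status: count}}} keeping only sources that
    caused a lockout or reached the wrong-password threshold."""
    per_account = defaultdict(lambda: defaultdict(Counter))
    for r in records:
        per_account[r["account"]][r["source"]][r["status"]] += 1
    suspicious = {}
    for account, sources in per_account.items():
        for source, counts in sources.items():
            if counts["0xC0000234"] or counts["0xC000006A"] >= bad_password_threshold:
                suspicious.setdefault(account, {})[source] = dict(counts)
    return suspicious


def likely_origin(suspicious, account):
    """The source with the most wrong passwords is the attacker's machine; a source
    that only shows 0xC0000234 merely hit the account after it was already locked."""
    ranked = sorted(suspicious.get(account, {}).items(),
                    key=lambda kv: kv[1].get("0xC000006A", 0), reverse=True)
    if ranked and ranked[0][1].get("0xC000006A", 0) > 0:
        return ranked[0][0]
    return None


if __name__ == "__main__":
    suspicious = lockout_sources(parse_netlogon(SAMPLE_LOG))
    for account, sources in suspicious.items():
        print(f"{account}: likely origin {likely_origin(suspicious, account)}")
        for source, counts in sources.items():
            for status, n in counts.items():
                print(f"  {source:16} {status:11} x{n:<3} {NETLOGON_STATUS.get(status, '?')}")
```

Point the script at the real file (open(r"...\debug\netlogon.log").read() in place of SAMPLE_LOG) and raise bad_password_threshold to match your lockout policy's threshold, so that a user who mistypes a password twice is not reported next to a machine that generated hundreds of attempts.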

Finally, Microsoft provides a very useful tool for troubleshooting account lockouts:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en