When you install Active Directory Domain Services (AD DS), you must provide credentials that correspond to a domain user account that has sufficient privileges for the deployment configuration that you choose for the domain controller, such as a new forest, a new domain, or an additional domain controller for an existing domain. The Active Directory Domain Services Installation Wizard also examines the credentials that you provide to determine the forest where the domain controller will be installed.

If the credentials for the user account with which you are currently logged on (or the alternate credentials that you provide) indicate the target forest for the domain controller that you are installing, the wizard automatically specifies that forest name on the Network Credentials page. By specifying the forest name on this page, the wizard can enumerate all the domains for that forest on the Select a Domain page later in the wizard.

The wizard cannot always detect the target forest based on the credentials that you provide. For example, if you provide credentials by using a smart card or by using a user principal name (UPN), the wizard might not be able to detect the target forest. In this case, you must specify the name of the target forest on the Network Credentials page. The name of the target forest is the name of the forest root domain for that forest.

If the wizard does detect the target forest name from the credentials that you provide, you can still override the name that it supplies and specify another target forest in which you have sufficient privileges to install AD DS.

On networks that run IP version 6 (IPv6) only, you must specify the fully qualified domain name (FQDN) for the user account credentials instead of the single-label domain name. For example, you must specify corp.contoso.com\user_name or user_name@corp.contoso.com, instead of contoso\user_name.

Network credential requirements

The network credentials that the Active Directory Domain Services Installation Wizard requires are different for different deployment configurations. For example, to install a new Active Directory forest, you only have to be a member of the local Administrators group on the server that will become the first domain controller in the forest. To add a new domain to an existing forest or remove a domain, however, you must be a member of the Enterprise Admins group or the Domain Admins group in the parent domain of the domain that you want to add or remove. The Active Directory Domain Services Installation Wizard verifies that the credentials you supply are sufficient to implement the deployment configuration that you specify in the wizard.

The following table lists the network credentials that are required for each deployment configuration.

Note

If you are preparing an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2, you must run Adprep.exe, which is available on the Windows Server 2008 R2 installation media in the support\adprep folder. Running Adprep may require additional credentials that are not listed in the following table.

Deployment configuration (the required credentials are listed beneath each entry)

Add a new forest
    Local Administrators group on the server where you are installing AD DS

Add an additional child domain
    Enterprise Admins
    Depending on security settings, Domain Admins might also be allowed to add a domain.
    To create a Domain Name System (DNS) delegation, you also need Domain Admins credentials in the parent domain.

Add a new domain tree
    Enterprise Admins
    Depending on security settings, Domain Admins might also be allowed to add a domain tree.

Add an additional domain controller to a domain
    Enterprise Admins or Domain Admins

Add a read-only domain controller (RODC) in a normal installation
    Enterprise Admins or Domain Admins
    Enterprise Admins credentials are required to run adprep /rodcprep.

Add an RODC in a staged installation
    Enterprise Admins or Domain Admins to create the RODC account
    Domain Admins or delegated permissions to attach a server to the RODC account
    Enterprise Admins credentials are required to run adprep /rodcprep.

Remove an additional domain controller from a domain
    Enterprise Admins or Domain Admins

Remove an RODC
    Delegated RODC administrator, Enterprise Admins, or Domain Admins

Remove a domain
    Enterprise Admins
    Depending on security settings, Domain Admins might also be allowed to remove a domain, but they might not be able to remove the DNS delegations that were created in the parent DNS domain.

Remove a forest
    Enterprise Admins
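The following PowerShell script is an added pre-flight check, not code from the original page or from the wizard itself. It tests whether the token you are logged on with actually holds the group memberships that the table above requires for a chosen deployment configuration, resolving Domain Admins and Enterprise Admins through the target and forest root domain SIDs so that a Domain Admins membership in some other trusted domain does not count. It also rewrites a single-label user name such as contoso\user_name into the corp.contoso.com\user_name form that the Network Credentials page needs on IPv6-only networks. The configuration names, the function names and the script file name are this script's own; it assumes the ActiveDirectory module (RSAT) is installed, that the target or parent domain is reachable, and that it runs in an elevated prompt as the account you will hand the wizard.

```powershell
<#
Added example, not code from the original page or from the wizard.
Checks the logged-on token against the credential requirements table
before starting the Active Directory Domain Services Installation Wizard.
Configuration and function names are this script's own (assumptions).
Requires the ActiveDirectory module and a reachable target/parent domain.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('NewForest', 'ChildDomain', 'DomainTree', 'AdditionalDC',
                 'RODC', 'RemoveDC', 'RemoveRODC', 'RemoveDomain', 'RemoveForest')]
    [string]$Configuration,

    # Target domain for an additional DC or RODC, parent domain for a child
    # domain, any domain of the forest for the remaining configurations.
    [string]$Domain,

    # Optional: the user name you intend to type on the Network Credentials
    # page; it is normalised to the DNS form needed on IPv6-only networks.
    [string]$UserName
)

Import-Module ActiveDirectory -ErrorAction Stop

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# IsInRole honours the token's group attributes, so a UAC-filtered
# (deny-only) Administrators membership in a non-elevated prompt reports $false.
function Test-TokenGroup([string]$Sid) {
    $principal.IsInRole([System.Security.Principal.SecurityIdentifier]$Sid)
}

# Well-known RIDs: 512 = Domain Admins of the given domain, 519 = Enterprise
# Admins, which exists only in the forest root domain. Building the SIDs from
# the domain SIDs scopes the check to the right domain.
function Get-AdminGroupSid([string]$DomainName) {
    $target = Get-ADDomain -Identity $DomainName
    $root   = Get-ADDomain -Identity $target.Forest
    @{
        DomainAdmins     = "$($target.DomainSID.Value)-512"
        EnterpriseAdmins = "$($root.DomainSID.Value)-519"
    }
}

# Rewrites contoso\user_name to corp.contoso.com\user_name by looking the
# NetBIOS name up in AD; UPN and DNS-form names are returned unchanged.
function ConvertTo-FqdnUserName([string]$Name) {
    if ($Name -match '^([^\\@]+)\\(.+)$') {
        $domainPart, $userPart = $Matches[1], $Matches[2]
        if ($domainPart -notmatch '\.') {
            $domainPart = (Get-ADDomain -Identity $domainPart).DNSRoot
        }
        return "$domainPart\$userPart"
    }
    return $Name
}

function Test-DcPromoCredential([string]$Config, [string]$DomainName) {
    if ($Config -eq 'NewForest') {
        return [pscustomobject]@{
            Configuration = $Config
            Requirement   = 'Local Administrators group on this server'
            Satisfied     = Test-TokenGroup 'S-1-5-32-544'
            Note          = ''
        }
    }
    if (-not $DomainName) { throw "-Domain is required for '$Config'." }
    $sid = Get-AdminGroupSid $DomainName
    $ea  = Test-TokenGroup $sid.EnterpriseAdmins
    $da  = Test-TokenGroup $sid.DomainAdmins   # Domain Admins of $DomainName
    switch ($Config) {
        'ChildDomain'  { $req = 'Enterprise Admins'; $ok = $ea
                         $note = 'Domain Admins in the parent domain may be allowed by security settings and are needed for the DNS delegation.' }
        'DomainTree'   { $req = 'Enterprise Admins'; $ok = $ea
                         $note = 'Domain Admins may be allowed by security settings.' }
        'AdditionalDC' { $req = 'Enterprise Admins or Domain Admins'; $ok = $ea -or $da; $note = '' }
        'RODC'         { $req = 'Enterprise Admins or Domain Admins'; $ok = $ea -or $da
                         $note = 'adprep /rodcprep additionally needs Enterprise Admins.' }
        'RemoveDC'     { $req = 'Enterprise Admins or Domain Admins'; $ok = $ea -or $da; $note = '' }
        'RemoveRODC'   { $req = 'Delegated RODC administrator, Enterprise Admins or Domain Admins'; $ok = $ea -or $da
                         $note = 'Delegated RODC administration is not visible in the token; check the RODC account manually.' }
        'RemoveDomain' { $req = 'Enterprise Admins'; $ok = $ea
                         $note = 'Domain Admins may be allowed by security settings but may not be able to remove the parent DNS delegation.' }
        'RemoveForest' { $req = 'Enterprise Admins'; $ok = $ea; $note = '' }
    }
    [pscustomobject]@{ Configuration = $Config; Requirement = $req; Satisfied = $ok
                       EnterpriseAdmin = $ea; DomainAdmin = $da; Note = $note }
}

$result = Test-DcPromoCredential $Configuration $Domain
if ($UserName) { $result | Add-Member NoteProperty WizardUserName (ConvertTo-FqdnUserName $UserName) }
$result
```

Saved as Test-DcPromoCredential.ps1 (an assumed file name), a typical run before adding a domain controller to corp.contoso.com is `.\Test-DcPromoCredential.ps1 -Configuration AdditionalDC -Domain corp.contoso.com -UserName 'contoso\user_name'`; a Satisfied value of False in an elevated prompt means the wizard will stop at the credential check, and the WizardUserName field is the form to type on the Network Credentials page. Delegated RODC administration and the security-setting exceptions in the table are object permissions rather than group memberships, so the script can only report them as notes.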
