Active Directory with Virtual Private Network and Demand Dial Deployments

This guide describes several scenarios that show how a fictitious corporation with multiple domains over multiple sites configures replication of changes to the Microsoft® Active Directory™ service. To accommodate a physical site topology with slow, low-bandwidth connections between domain controllers, inbound and outbound replication traffic is controlled and managed through the replication topology components. Replication is the process by which changes made on one domain controller are synchronized with all other domain controllers in a domain or forest. Active Directory replication uses a connection topology that is created automatically, making optimal use of the best available network connections.

To demonstrate an efficient Active Directory replication topology over demand dial connections, this walkthrough focuses on three common demand dial scenarios: demand dial over modem, virtual private network (VPN) over the Internet, and VPN over an ISP dial-up connection. For each scenario, topics include installing and configuring routing services, using the Domain Name System (DNS), promoting and configuring domain controllers (including configuring sites, site links, and global catalogs), and routine testing and troubleshooting.

For information on Enterprise Services, see https://www.microsoft.com/es

On This Page

  • Overview

  • Scenario

  • Deployment Considerations

  • How To Use This Walkthrough

  • Active Directory Replication over Dial-up Topology

  • Active Directory Replication over the Internet Topology

  • Active Directory Replication over the Internet through ISP Topology

  • Configuring Static IP Addresses

  • Registry Settings for Remote Offices

  • Parameter Tables

  • For More Information

Overview

Large organizations deploy a variety of connectivity topologies over a wide area network (WAN), including slow- or low-bandwidth links. It is essential to design a site structure that both groups well-connected domain controllers together, so that clients get fast connections, and models the lower-bandwidth links between sites, so that inter-site replication is efficient.

Virtual private network, or VPN, technology allows a corporation to connect to branch offices over a public internetwork (such as the Internet), while still maintaining secure communications. The VPN connection across the Internet logically operates as a WAN link between the sites. The secure connection across the internetwork appears to the user as a private network communication—despite the fact that this communication occurs over a public internetwork—hence the name virtual private network.

In this paper, two methods for using VPNs to connect local area networks at remote sites are discussed:

  • Using the Internet to connect a branch office to a corporate LAN. Rather than using an expensive long-haul dedicated circuit between the branch office and the corporate hub, both the branch office and the corporate routers can use public networks to create a network connection over the Internet.

  • Using a dial-up line to connect a branch office to a corporate LAN. Rather than having a router at the branch office make a long-distance call to a corporate or outsourced network access service, the router at the branch office can call the local ISP. The VPN software uses the connection to the local ISP to create a VPN between the branch office router and the corporate router across the Internet.

With a VPN, data can be sent between two computers in a manner that emulates a point-to-point private link. By using a VPN, the network administrator can ensure that only those users who have appropriate credentials (in this case the remote VPN server) can establish a connection and gain access. A VPN network, therefore, consists of authenticated and encrypted tunnels over a shared network, most typically an IP network such as the Internet.

VPNs have the benefit of reducing cost and management overhead without compromising security, but they can also have some disadvantages. Non-persistent, or dial-on-demand, links are by nature transient and have very high latency in both initialization and communication relative to their always-available counterparts (Ethernet, fiber, ADSL, and so on). For this reason, an administrator should configure the system to minimize traffic over the dial-up links.

This paper describes how Microsoft® Windows® Active Directory™ replication is accomplished between sites on a WAN, where virtual private network and dial-up links are the method of network connectivity. Although your network configuration may differ from that described here, you can still apply the basic concepts to your network environment. Active Directory uses information stored in the forest-wide configuration directory partition to establish and implement a replication topology. Several configuration objects define the components that are required by replication:

  • The sites and the domain controllers that are associated with them

  • The connections that identify the routes replication takes between domain controllers within sites

  • The links that make replication connections between sites possible

  • The transports that the links use to communicate between sites

An Active Directory site topology is a logical representation of the physical network, defined on a per-forest basis. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance.

An Active Directory site is a set of networks with fast, reliable connectivity; client computers first try to communicate with servers located in their own site. Site links represent the low-bandwidth or unreliable network connections between two sites. When you create sites and put servers into them, you connect the sites with site links and configure each link to reflect the network characteristics, in terms of cost and of how often you want replication to occur over it.

The Knowledge Consistency Checker (KCC) is a built-in process that runs on all domain controllers and creates the replication topology for the forest. By default, the KCC runs at 15-minute intervals and designates the replication routes between domain controllers on the basis of the most favorable connections that are available at the time. The KCC automatically creates replication connections between domain controllers in the same site. When you have more than one site, you configure links between the sites; the KCC can then create the connections automatically between the sites as well. When the KCC configures the connection objects for replication between sites, it takes the site link object's settings into account to create the best connection. For example, one of the site link settings is the cost of the connection. When it has a choice, the KCC chooses a remote site whose link has the lowest cost when it forms connections.

Note: It is recommended that you study Chapter 9, "Virtual Private Networking," of the Windows 2000 Resource Kit book Windows 2000 Server: Internetworking Guide. This chapter gives background information, in considerable technical detail, on how VPNs work through firewalls; that material is not repeated in this paper. This paper also assumes that you understand Active Directory replication at the level of the "Active Directory Replication" chapter of the Windows 2000 Resource Kit.

Scenario

Hay Buv Toys manufactures, distributes, and sells children's toys throughout the world. The major engineering and manufacturing sites are located in Los Angeles, Mexico City, and Hong Kong, along with major distribution centers in Los Angeles and Hong Kong. Other distribution centers are located in England and France. A sales office is located in Atlanta. Its corporate headquarters and information technology (IT) organization is in Los Angeles.

Hay Buv Toys uses a geographically based domain model with two master domains: one for America (United States and Mexico), where the company was originally founded, and one for other areas of the world (England, France, and Hong Kong). The domain names reflect the structure: The first domain that was created is CORP. The Mexico City (MEX) and Atlanta (ATL) branches are child domains of CORP. Hong Kong (HKG), for numerous business reasons, was created as a separate tree in the forest.

The Hay Buv Toys enterprise network comprises both a .net and a .com namespace. The international domains use the hay-buv.com namespace, while the American domains use the hay-buv.net namespace. The corp.hay-buv.net and hkg.hay-buv.com are top-level placeholder domains controlling domain user accounts, groups, and corporate resources.

A main driving point for the IT group is network traffic created by Active Directory replication from the forest root in Los Angeles to domains connected by slow, intermittent, or unreliable links. The administrator's goal is to implement Active Directory replication while minimizing the impact on bandwidth. The implementation requirements include configuring the routers, installing Domain Name System (DNS), installing domain controllers (DCs), creating sites and site links, and configuring registry keys.

Figure 1: Hay Buv Toys corporate topology

The Hong Kong office is connected to corporate headquarters using router-to-router VPN connections. Because they will be in the same forest, transitive trusts will automatically be established. The Hong Kong and Los Angeles offices both employ a demilitarized zone (DMZ) in front of their networks. Within each DMZ there is a DNS server. The administrator must configure the routers by installing Microsoft® Windows® 2000 Routing and Remote Access Service and configure VPN routing interfaces. The next step will be to install and configure DNS on the server in both DMZs and on the servers that will become the domain controllers for each domain. Once the installation is done, Hay Buv Toys must promote the server in the Los Angeles office as the first domain controller in the forest. Next the administrator must configure sites, a site link, and define the subnets for Los Angeles and Hong Kong using Active Directory Sites and Services. Lastly, the Hong Kong server will be promoted as the first domain controller in a new tree of the forest. In both offices, all routers and the DNS servers in the DMZs are configured as stand-alone servers.

The Mexico City office also uses a VPN over the Internet, however they connect to Los Angeles via a dial-up ISP connection. Here the administrator must configure the router in Mexico City by installing Windows 2000 Routing and Remote Access Service and configure a dial-up routing interface to the ISP. The next step is to install and configure DNS on the server that will become the domain controller for the child domain. As was the case with the Los Angeles domain controller, a site, site link, and subnet definition must be configured for Mexico City using Active Directory Sites and Services. The last step is to promote the server in Mexico City as the first domain controller in a child domain. The router in Mexico City is configured as a stand-alone server.

The Atlanta office connects to corporate headquarters using a dial-up connection. The administrator must configure routers in both Los Angeles and Atlanta by installing Windows 2000 Routing and Remote Access and configure dial-up routing interfaces. The next step will be to install and configure DNS on the servers that will become the domain controllers for the Atlanta domain. Again referring back to the Los Angeles domain controller, a site, site link, and subnet definition must be configured for Atlanta using Active Directory Sites and Services. The last step is to promote one server as the first domain controller in the ATL child domain, then promote the second server as an additional domain controller. In both offices the routers are configured as stand-alone servers.

Figure 2 depicts the high-level topology of these offices.

Figure 2: Hay Buv Toys enterprise topology

Deployment Considerations

Sites

Sites are well-connected networks that map well to local area networks (LANs); connections between sites are generally slower, periodically unavailable, or unreliable. When you plan your sites, you decide what subnets provide the best connectivity for replication and add them to the same site. Sites should be deployed such that commonly accessed resources are available within the site. When you have slow links between network segments, it is recommended that you create two sites and place domain controllers into the sites according to the following general rules:

  • Deploy at least one global catalog (GC) per site.

  • Deploy DNS servers on a site level.

For example, global catalogs are fundamental to the logon process; and if a GC is not available within the site, clients logging in at one site will need to use an unreliable or slow link to reach a GC in another site.

Site Links

A site link object represents a set of sites that can communicate at uniform cost through some inter-site transport. For IP transport, a typical site link connects just two sites and corresponds to an actual WAN link. An IP site link connecting more than two sites might correspond to an asynchronous transfer mode (ATM) backbone connecting more than two clusters of buildings on a large campus, or several offices in a large metropolitan area connected through leased lines and IP routers.

You create a site link object for a specific inter-site transport (typically IP transport) by specifying:

  • A numeric cost. Higher cost numbers represent more expensive links; when the KCC has a choice of routes between sites, it prefers the route whose summed link costs are lowest. Cost units must be consistent for all site links in a directory.

  • Two or more sites.

  • A schedule. The schedule declares the time periods during which the link is available. For instance, you might make a site link for a dial-up line unavailable during business hours when phone rates are high.
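
The lowest-cost route selection described for the KCC above, and the cost and schedule settings of a site link object, can be modelled directly. The following Python example is added here as an illustration and is not code from the original paper or from Windows; it computes the cheapest site-link path between two sites with Dijkstra's algorithm, then intersects the schedules of the links on that path to find the hours of the week in which replication can actually traverse the whole route. The site names are the ones in this paper, but the link costs, the schedules and the extra MEX-ATL link are assumptions constructed for the example. The model chooses the path by cost alone, as the text says the KCC does; the schedule intersection is then the check a practitioner wants, because a cheap path whose link schedules never overlap is a path on which replication never happens.

```python
import heapq
from typing import Dict, FrozenSet, List, Tuple

HOURS_PER_WEEK = 168  # a site-link schedule is one availability bit per hour of the week


def week_hours(days: range, start_hour: int, end_hour: int) -> FrozenSet[int]:
    """Hour-of-week indices (0 = Sunday 00:00) for the given days and hour range."""
    return frozenset(d * 24 + h for d in days for h in range(start_hour, end_hour))


ALWAYS = frozenset(range(HOURS_PER_WEEK))
BUSINESS = week_hours(range(1, 6), 8, 18)  # Monday to Friday, 08:00 to 18:00 (50 hours)
OFF_HOURS = ALWAYS - BUSINESS               # the dial-up link is only allowed to replicate here


class SiteLink:
    """Two or more sites reachable from each other at one cost during one schedule."""

    def __init__(self, name: str, sites: Tuple[str, ...], cost: int,
                 schedule: FrozenSet[int] = ALWAYS) -> None:
        self.name, self.sites, self.cost, self.schedule = name, sites, cost, schedule


# Constructed site links for the Hay Buv Toys sites in this paper. The costs, the
# schedules and the MEX-ATL link are assumptions made for the example, not values
# taken from the paper.
HAY_BUV_LINKS: List[SiteLink] = [
    SiteLink("LAX-HKG", ("LAX", "HKG"), cost=200),                      # router-to-router VPN
    SiteLink("LAX-MEX", ("LAX", "MEX"), cost=250),                      # VPN over a dial-up ISP link
    SiteLink("LAX-ATL", ("LAX", "ATL"), cost=300, schedule=OFF_HOURS),  # modem, business hours blocked
    SiteLink("MEX-ATL", ("MEX", "ATL"), cost=100),                      # hypothetical extra link
]


def lowest_cost_route(links: List[SiteLink], src: str, dst: str) -> Tuple[int, List[SiteLink]]:
    """Dijkstra over the site-link graph: with all site links bridged, the route whose
    summed link costs are lowest is the one the KCC prefers."""
    adjacency: Dict[str, List[Tuple[str, SiteLink]]] = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    adjacency.setdefault(a, []).append((b, link))
    best: Dict[str, float] = {src: 0}
    tie = 0  # keeps heap entries comparable when costs are equal
    heap: List[Tuple[int, int, str, List[SiteLink]]] = [(0, tie, src, [])]
    while heap:
        cost, _, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best[site]:
            continue  # a cheaper entry for this site was already processed
        for nxt, link in adjacency.get(site, []):
            candidate = cost + link.cost
            if candidate < best.get(nxt, float("inf")):
                best[nxt] = candidate
                tie += 1
                heapq.heappush(heap, (candidate, tie, nxt, path + [link]))
    raise ValueError(f"no site-link path from {src} to {dst}")


def effective_schedule(path: List[SiteLink]) -> FrozenSet[int]:
    """Replication along a multi-link path is only possible in hours when every link
    on the path is available: the intersection of the link schedules."""
    window = ALWAYS
    for link in path:
        window &= link.schedule
    return window


def route_summary(links: List[SiteLink], src: str, dst: str) -> Tuple[int, List[str], int]:
    """(total cost, link names on the chosen path, hours per week the whole path is open)."""
    cost, path = lowest_cost_route(links, src, dst)
    return cost, [link.name for link in path], len(effective_schedule(path))


def restricted_links() -> List[SiteLink]:
    """Same topology, but LAX-HKG limited to business hours: a plausible misconfiguration."""
    return [SiteLink(l.name, l.sites, l.cost, BUSINESS if l.name == "LAX-HKG" else l.schedule)
            for l in HAY_BUV_LINKS]


if __name__ == "__main__":
    for links, label in ((HAY_BUV_LINKS, "as designed"),
                         (restricted_links(), "LAX-HKG business hours only")):
        cost, names, open_hours = route_summary(links, "HKG", "ATL")
        print(f"HKG -> ATL ({label}): cost {cost} via {' > '.join(names)}, open {open_hours} h/week")
```

In the designed topology, HKG to ATL goes over LAX-HKG and LAX-ATL at cost 500 and is open 118 hours a week (everything outside the blocked business hours). If LAX-HKG is later restricted to business hours, the same cost-500 path is still chosen, but its schedules no longer overlap and the window drops to zero hours: HKG changes would never reach ATL, even though every individual link looks healthy. Checking the intersection along the chosen path, not just each link, is what catches this.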

Global Catalogs

Every site should have at least one global catalog unless there exists another well-connected site that contains a GC. Every domain controller in a forest stores three full, writable directory partitions: a domain directory partition, a schema directory partition, and a configuration directory partition. A global catalog is a domain controller that stores these writable directory partitions, as well as a partial, read-only copy of all other domain directory partitions in the forest. The additional directory partitions are "partial" because, although they collectively contain every object in the directory, only a limited set of specific attributes are included for each object. Having a global catalog server in each site improves search performance because searches do not have to cross site boundaries. Global catalogs play an important role when logging on, performing enterprise-wide searches, and resolving names in the directory. If a site does not have a GC, and it is connected to a WAN via a demand dial route, these operations will result in traffic over the demand dial connection.

Domain Controller

Sites should contain at least one domain controller for each domain that has members in the site. Members of a domain frequently need to access data specific to that domain. A domain controller holds a full replica of its domain naming context (NC); for this reason, a domain controller for each domain should exist in the site so that clients accessing data from that domain's NC have a writable copy nearby. In this way, trips over a WAN connection can be avoided for operations such as joining a domain or updating address book information.

The Kerberos Key Distribution Center (KDC) is integrated with other Windows 2000 security services running on the domain controller and uses the domain's Active Directory service as its security account database. Clients use the KDC for authentication when accessing resources and logging on. Having a KDC in each site increases the availability of these critical services to clients in the site. Having more than one KDC provides redundancy and increases robustness.

DNS Servers

The availability of DNS directly affects the availability of Active Directory. Clients rely on DNS to be able to find a domain controller, and domain controllers rely on DNS to find other domain controllers. As a general rule, place at least one DNS server in every site. The DNS servers in the site should be authoritative for the locator records of the domains in the site, so that clients do not need to query off-site DNS servers in order to locate domain controllers that are in a site. Domain controllers will also periodically verify that the entries on the primary master server for each locator record are correct.

It makes sense to maximize the availability of name service on a network. One way to do this is to have more than one DNS server on a given network, especially if the network contains many machines. Whenever possible, it is recommended to have at least two DNS servers per network. In other words, every machine should be configured with at least two DNS servers.

How To Use This Walkthrough

This detailed walkthrough addresses the steps necessary to configure some common virtual private network and demand dial scenarios. The IP, subnet, and network addresses and masks are specific to this walkthrough, as are the routing interface names, filter values and domain names. Although your network configuration may be different than those described here, you can still apply the basic concepts to your network environment.

Within these scenarios, the steps for configuring low-bandwidth, slow, or unreliable sites for on-demand connectivity are the same. Depending on the resources available in a lab environment, this walkthrough can be completed with as few as two sites and a single connectivity topology.

Prerequisites

This walkthrough assumes familiarity with Windows 2000 and Active Directory. There are several references that contain extensive information regarding the design and deployment of Windows 2000 and Active Directory such as the Windows 2000 Resource Kit Deployment Planning Guide. It is highly recommended that these documents be reviewed prior to deploying Windows 2000.

Assumptions:

  • Microsoft® Windows® 2000 Server is the operating system of all servers and workstations.

  • The infrastructure required to support modem, ISP, and Internet connectivity is available, including IP addresses.

  • Minimum modem speed is 28.8 kbps.

About Conventions Used In This Document

Throughout this document certain documentation standards are used.

Whenever it is necessary to navigate through a series of menus and/or tabs the following notation is used:

Start | Programs | Administrative Tools | Routing and Remote Access

This indicates that the user should begin by clicking the Start button on the task bar and continue by clicking each subsequent choice separated by the '|' symbol.

There are many tables and diagrams included in this document. Hyperlinks to where this information is referenced have been added for convenient navigation.

Active Directory Replication over Dial-up Topology

This section describes the steps required for an administrator to install and configure a common virtual private network over a dial-up connection. Where appropriate, tables with the required configuration data are also included for reference.

The Atlanta office connects to the corporate headquarters, Los Angeles, using a dial-up connection. The administrator must configure routers in both Los Angeles and Atlanta by installing Windows 2000 Routing and Remote Access Service and configure dial-up routing interfaces. The next step will be to install and configure DNS on the servers that will become the domain controllers for the Atlanta and Los Angeles domains. Once this is done, the administrator will promote the server in the Los Angeles office as the first domain controller in the forest. Next the administrator will configure the sites and site link, and define the subnets for Los Angeles and Atlanta using Active Directory Sites and Services. The last tasks are to promote one server as the first domain controller in the ATL child domain, then promote the second server as an additional domain controller. In both offices the routers are configured as stand-alone servers.

Figure 3: Hay Buv Toys dial-up topology

Configuring Static IP Addresses

The first task that the Hay Buv Toys administrator must complete is to configure a static IP address for each network interface on every router, domain controller and DNS server within the dial-up topology.

Routers, domain controllers, and DNS servers on each LAN should be configured with static IP addresses or with reserved DHCP-assigned addresses. Otherwise, a DHCP lease renewal could give a server a new address that has not yet been replicated to DNS, while the old address has not yet expired from the relevant caches. The server's name would then resolve incorrectly until the new information had replicated.

In this scenario there are a total of five servers that must be configured with static IP addresses.

Static IP Addresses

(The Static IP Addresses table is supplied as an image on the original page. For each server it gives the network interface name, IP address, subnet mask, default gateway, preferred and alternate DNS server addresses, and primary DNS suffix used in the steps below.)

Rename the Local Area Connection icon(s) and then configure static IP addresses for all servers using the information from the Static IP Addresses table:

  1. Right-click My Network Places and select Properties.

  2. Right-click Local Area Connection and select Rename.

  3. Type the IP subnet address (Network Interface Name) of the network the interface is connected to (or a descriptive name for this interface that has meaning in the context of your network).

  4. Right-click the network interface, renamed in the previous step.

  5. Select Properties.

  6. Click Internet Protocol (TCP/IP) and then click Properties.

  7. Select Use the following IP address.

  8. Type the IP address, subnet mask, and default gateway.

    Note: When configuring a router, leave the "Default gateway" blank; otherwise enter a default gateway.

  9. Select Use the following DNS server addresses.

  10. Type the preferred and alternate DNS server IP addresses.

Figure 4: Static IP address for ATL-DC1

Configuring Primary DNS Suffix

  1. Right-click My Computer and select Properties.

  2. Click Network Identification tab.

  3. Click Properties.

  4. Click More.

  5. In the Primary DNS suffix of this computer box, type the value from the Static IP Addresses table.

  6. Click OK.

  7. Click OK.

  8. Click OK when prompted for reboot.

  9. Click OK.

  10. Click Yes to reboot.

Figure 5: Primary DNS suffix for ATL-DC1

Configuring the Routers

Once the static IP addresses have been configured, the administrator's next task is to install the routing service. Some of the routers will perform solely as network routers, but others must also be configured with VPN or dial-up interfaces.

The Windows 2000 routing service must be installed and configured on all servers that will serve as routers on the network.

In this scenario, the routers function as network routers and are configured with demand dial interfaces. Tables with the specific data that accompanies the routing installation tasks have been included for convenient reference.

Install Routing Service on RAS / LAN – DOD Routers

To create a two-way initiated demand dial routing connection between the router in the Atlanta office and the router in the Los Angeles office, the administrator must perform the following:

  • Configure the corporate office router to initiate and receive demand dial connections with the branch office router.

  • Configure the branch office router to initiate and receive demand dial connections with the corporate office router.

  • Initiate the demand dial connection from either the branch office router or the corporate office router.

RAS / LAN – DOD Router Configuration

  Office         NetBIOS Name   Modem Pool IP Addresses
  Los Angeles    ATL-RTR2       160.50.10.100 / 160.50.10.110
  Atlanta        ATL-RTR1       160.50.20.100 / 160.50.20.110

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. Right-click Local computer in the snap-in.

  3. Select Configure and Enable Routing and Remote Access Wizard.

  4. Click Next.

  5. Select Network router.

    Figure 6: RRAS Wizard common configurations

  6. Click Next.

  7. Accept the defaults for Routed Protocols.

    Figure 7: RRAS Wizard routed protocols

  8. Click Next.

  9. Select Yes for "Do you want to use demand-dial connections to access remote networks?"

    Figure 8: RRAS Wizard demand-dial connections

  10. Click Next.

  11. Select From a specified range of addresses.

    Figure 9: RRAS Wizard IP address assignment

  12. Click Next.

  13. Click New.

  14. Type modem pool IP addresses from RAS/LAN-DOD Router Configuration table in Start IP address and End IP address boxes.

    Figure 10: RRAS Wizard IP address range

  15. Click OK.

  16. Click Next.

  17. Click Finish.

  18. In the console tree, right-click Local server and select Properties.

  19. Click the General tab.

  20. Ensure that the Router check box is checked.

  21. Select LAN and demand-dial routing.

  22. Ensure that the Remote Access Server check box is checked.

  23. Click OK.

  24. Click Yes when prompted to restart the routing service.

Figure 11: LAX-RTR1 router properties

Creating the Demand Dial Interface

Demand Dial Interface Configuration

(The Demand Dial Interface Configuration table is supplied as an image on the original page. For each router it gives the Remote Interface Name and the other values referenced in the steps below.)

  1. Expand the local server by clicking the + in the console tree.

  2. Right-click Routing Interfaces.

  3. Select New demand dial interface.

  4. Click Next.

  5. In Interface name box, type a name for the remote router from the Remote Interface Name column in the Demand Dial Interface Configuration table.

    Figure 12: Interface name for the Los Angeles demand dial interface

  6. Click Next.

  7. Select Connect using a modem, ISDN adapter, or other physical device.

  8. Click Next.

  9. Select the modem that will service the demand dial interface.

  10. Click Next.

  11. In Phone number or address box, enter the number of a remote dial-in router interface.

  12. Click Next.

  13. Ensure that Route IP packets on this interface check box is checked.

  14. Ensure that Add a user account so a remote router can dial in check box is checked.

    Figure 13: Protocols and security

  15. Click Next.

  16. Enter a password for Password and Confirm password boxes.

    Figure 14: Remote router dial-in credentials

  17. Click Next.

    Important: This creates a user account on the local server, with the interface name from the previous steps as the user name. The remote router must present exactly this user name (and the password entered above) when it dials in; Routing and Remote Access matches the calling user name to a demand dial interface name to recognize the call as a router-to-router connection rather than a remote access client.

  18. Type the user name, domain and password for an account on the remote router that this router will dial into. In this case, you will configure the routers as stand alone servers, so the domain will be the server name of the remote router.

    Figure 15: Dial-out credentials to remote router

    Important: Make note of this user account. This user account must be used as the interface name on the remote router.

  19. Click Next

  20. Click Finish.

Other Configuration Options

Complete this step if idle time or redial attempts must be adjusted.

  1. In the details pane, right-click the new demand dial interface just created.

  2. Select Properties.

  3. Select the Options tab.

  4. Set a new value for Demand dial idle time before hang up box if default (5 minutes) is not acceptable.

  5. Set a new value for Redial attempts box if default (0) is not acceptable.

  6. The Average redial intervals box can be set to any of the available options. Generally the shorter intervals are desirable as they ensure a more rapid connection when a failure occurs. However, this value should not be the same for a pair of routers that dial to each other. Setting staggered intervals ensures that both routers do not dial in sync, making them unable to connect.

  7. Click OK.

Complete this step if you want logging of demand dial statistics:

  1. In the console tree, click Remote Access Logging.

  2. Right-click Local file in the details pane.

  3. Select Properties.

  4. Select all recommended logging options.

Configuring Static Routes

Once the Windows 2000 routing service has been installed and configured, static routes must be added to reach network IDs in other offices in order to control where traffic goes.

The administrator adds static routes so that traffic to the branch office is forwarded using the appropriate demand dial interface. For each route of each branch office, configure the interface, destination, network mask, and metric. The Interface field indicates the network interface that is used when forwarding packets to the network ID; the interface name created earlier is used. The Metric field indicates the cost of a route. If multiple routes exist to a given destination network ID, the metric is used to decide which route is to be taken. The route with the lowest metric is the preferred route.

In our scenario there are two routers to be configured:

Static Routes

(The Static Routes table is supplied as an image on the original page. For each router it gives the interface, destination, network mask, and metric of every static route.)

Referring to ATL-RTR2, the route that corresponds to Atlanta is 160.50.20.0 with a subnet mask of 255.255.255.0. This route becomes the static route with the following configuration:

Interface: ATL-DOD

Destination: 160.50.20.0

Network mask: 255.255.255.0

Metric: 1 (default)

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. Click + to expand the <server name> in the snap-in in the console tree.

  3. Click + to expand IP Routing.

  4. Click Static Routes.

  5. Right-click the details pane and select New static route.

  6. Select the interface name from the drop-down list.

  7. Type the Destination IP address from the Static Routes table.

  8. Type the Network mask IP address from the Static Routes table.

  9. Leave the Gateway box as it is; for a demand dial interface it is not configurable (see the note below).

  10. Accept the default value for Metric.

  11. Ensure that Use this route to initiate demand dial connections check box is checked.

    Figure 16: Static route for ATL-DOD interface

  12. Click OK.

  13. Restart the Routing and Remote Access Service.

  14. Right-click <server name>.

  15. Click All Tasks.

  16. Click Restart.

Note: Because the demand dial connection is a point-to-point connection, the Gateway IP address is not configurable.
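
The two Important notes in the demand dial interface procedure, and the static route configuration above, impose constraints that span both routers: the user name one router dials out with must be the name of a demand dial interface (and therefore of a dial-in account) on the other router, every static route must name an interface that exists, and the destination must be a network ID rather than a host address or the route never triggers the dial. The following Python example is added here to check those constraints before the first test call; it is not code from the original paper or from Windows. It models the Los Angeles router ATL-RTR2 and the Atlanta router ATL-RTR1 from the tables above; the Atlanta-side interface name LAX-DOD and the Los Angeles LAN network 160.50.10.0/24 are assumptions. Only names are compared, deliberately: the dial-out password lives in the interface's credentials on the router and has no business in a configuration file.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DemandDialInterface:
    name: str             # named after the remote router; the wizard also creates a local
                          # dial-in account with this exact name
    dial_out_user: str    # account this router presents when it dials the remote router
    dial_out_domain: str  # the remote router's server name (the routers are stand-alone)


@dataclass
class Router:
    name: str
    interfaces: Dict[str, DemandDialInterface]
    static_routes: List[Tuple[str, str, str]]  # (interface name, destination, network mask)

    def dial_in_accounts(self) -> Set[str]:
        """'Add a user account so a remote router can dial in' creates one local account
        per demand dial interface, using the interface name as the user name."""
        return set(self.interfaces)


def check_dial_out(local: Router, remote: Router) -> List[str]:
    """Every interface on `local` that dials `remote` must present a user name that is
    a dial-in account (that is, an interface name) on `remote`."""
    findings = []
    for iface in local.interfaces.values():
        if iface.dial_out_domain != remote.name:
            continue  # this interface dials some other router
        if iface.dial_out_user not in remote.dial_in_accounts():
            findings.append(
                f"{local.name}/{iface.name}: dial-out user '{iface.dial_out_user}' is not the "
                f"name of a demand dial interface (and so not a dial-in account) on {remote.name}")
    return findings


def check_static_routes(router: Router) -> List[str]:
    """Each static route must name an existing demand dial interface and a network ID
    with no host bits set; otherwise the route will never initiate the dial."""
    findings = []
    for iface_name, destination, mask in router.static_routes:
        if iface_name not in router.interfaces:
            findings.append(f"{router.name}: route {destination}/{mask} uses unknown interface '{iface_name}'")
        try:
            ipaddress.ip_network(f"{destination}/{mask}", strict=True)
        except ValueError as exc:
            findings.append(f"{router.name}: route {destination}/{mask} is not a network ID ({exc})")
    return findings


def check_router_pair(a: Router, b: Router) -> List[str]:
    """All findings for a two-way initiated demand dial connection between a and b."""
    return check_dial_out(a, b) + check_dial_out(b, a) + check_static_routes(a) + check_static_routes(b)


def hay_buv_routers() -> Tuple[Router, Router]:
    """ATL-RTR2 (Los Angeles) and ATL-RTR1 (Atlanta) as the paper configures them.
    The interface name LAX-DOD and the 160.50.10.0/24 LAN network are assumptions."""
    lax = Router("ATL-RTR2",
                 {"ATL-DOD": DemandDialInterface("ATL-DOD", dial_out_user="LAX-DOD", dial_out_domain="ATL-RTR1")},
                 [("ATL-DOD", "160.50.20.0", "255.255.255.0")])
    atl = Router("ATL-RTR1",
                 {"LAX-DOD": DemandDialInterface("LAX-DOD", dial_out_user="ATL-DOD", dial_out_domain="ATL-RTR2")},
                 [("LAX-DOD", "160.50.10.0", "255.255.255.0")])
    return lax, atl


def misconfigured_routers() -> Tuple[Router, Router]:
    """Two of the mistakes the troubleshooting note below points at, constructed for the
    example: a mistyped dial-out user name and a static route to a host address."""
    lax, atl = hay_buv_routers()
    atl.interfaces["LAX-DOD"] = DemandDialInterface("LAX-DOD", "ATL_DOD", "ATL-RTR2")
    lax.static_routes = [("ATL-DOD", "160.50.20.1", "255.255.255.0")]
    return lax, atl


if __name__ == "__main__":
    for label, pair in (("as configured", hay_buv_routers()), ("with mistakes", misconfigured_routers())):
        print(label + ":", *(check_router_pair(*pair) or ["no findings"]), sep="\n  ")
```

Run it after filling in the routers from the Demand Dial Interface Configuration and Static Routes tables; an empty list of findings means the naming interlock and the routes are consistent, and any remaining failure to connect is down to the modem, the phone number, the modem pool addresses, or the password.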

Testing Router Configuration

Once the Hay Buv Toys administrator has completed all routing installation and configuration steps, all routers, highlighted in the following diagram, need to be tested to confirm that they connect correctly. To test TCP/IP connectivity by using the ping command, open command prompt and then ping the desired host using its IP address. If the ping command fails, verify that the host IP address is correct, that the host is operational, and that all the gateways (routers) between this computer and the host are operational. Routing and Remote Access Service provides the ability to connect a routing interface manually.

Using ping

Confirm correct operation of the newly configured routes by pinging from a server on one side to a server on the other. Make certain the demand dial link is down when the ping is initiated. Use the ping '-t' option to ensure that ping continues until the demand dial link is established.

  1. Start | Programs | Accessories | Command Prompt.

  2. Type ping -t <IP>, where <IP> is the static IP address of a remote host (a host that is on a different subnet).

  3. Perform the previous step from at least one server on each side of the route.

Using Routing and Remote Access

A second test is manually connecting the routers using the routing service.

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. Double-click Routing and Remote Access.

  3. Double-click <server name>.

  4. Click Routing Interface.

  5. Right-click <interface name> in the details pane.

  6. Click Connect.

  7. Refresh display (by pressing F5) to verify that the interface is connected.

If the demand dial link fails to come up, or the ping request or its reply is not routed and the ping fails even after the demand dial link is established, then confirm the router configuration steps above, particularly user accounts, IP addresses, modem pool addresses, and static routes.


Figure 17: Dial-up topology

Installing and Configuring DNS

Install the DNS Service

The DNS Server service has been carefully integrated into the design and implementation of Active Directory. There are two significant changes when deploying Windows 2000 DNS servers together with Active Directory:

  • DNS name resolution is required for locating Windows 2000 domain controllers. The Netlogon service uses DNS server support to provide registration of the domain controllers in your DNS domain namespace.

  • Windows 2000 DNS servers can use Active Directory for storing and replicating your zones. By directory-integrating your zones, you can take advantage of additional DNS features such as secure dynamic updates and record aging and scavenging.

If DNS is not available on the network when you install the first domain controller in a domain, you can elect to have DNS installed and configured automatically during the installation of Active Directory.

The Active Directory Installation Wizard asks whether to install and configure the DNS service automatically if either one of the following conditions is true:

  • You are creating a new forest, and the Active Directory Installation Wizard does not find any DNS servers that are running on the network.

  • You are creating a new domain, and dynamic update is not available.

In this scenario it is important that DNS is installed and configured on the appropriate servers before promoting them to domain controllers, rather than using the default configuration that the Active Directory Installation Wizard sets up. This is necessary in order to confirm that DNS configuration is correct and allow for possible troubleshooting without the added complexity of the server also being a domain controller.

The DNS server that is authoritative for the domain will then exist so that Active Directory can locate it. Later, when a server is promoted to the role of a domain controller (DC) for a specified domain, you will be prompted to specify the DNS domain name for the Active Directory domain to which you are joining and promoting the server.

Note: A Windows 2000 installation CD may be required to install the DNS service.

The Hay Buv Toys administrator must now install and configure the DNS service on the servers in the Los Angeles and Atlanta offices that will become domain controllers. The following subsections provide the installation and configuration steps necessary to complete this task for each server.

Use this table to complete the DNS installation and configuration.

DNS Server Parameters


To install DNS on a server:

  1. Start | Settings | Control Panel.

  2. Double-click Add / Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Deselect any unwanted default components.

  5. Click Networking Services.

  6. Click Details.

  7. Select Domain Name System.


    Figure 18: Subcomponents of networking services

  8. Click OK.

  9. Click Next.

  10. Click Finish (when complete).

  11. Click Yes if prompted to reboot the system.

Create DNS Zones

Once the DNS service is installed, the administrator's next tasks are creating primary and secondary zones. The administrator must ensure that the forest-wide locator records are available to all DNS servers in every site.

Distributing the Forest Wide Locator Records

Each domain controller in the forest registers two sets of locator records: a set of domain-specific records that end in <DNS-domain-name>, and a set of forest-wide records that end in _msdcs.<DNS-forest-name>. The forest-wide records are important to clients and domain controllers from all parts of the forest. For example, the global catalog locator records, and the records used by the replication system to locate replication partners, are included in the forest-wide records.

For any two domain controllers to replicate between each other, including two DCs from the same domain, they must be able to look up forest-wide locator records. In order for a newly created domain controller to participate in replication, it must be able to register its forest-wide records in DNS, and other domain controllers must be able to look up these records. For this reason, it is important to make the forest-wide locator records available to every DNS server in every site. Additionally, since these records can be configured so that they are rarely changed, there is no significant increase in replication traffic to distribute these records.

To do this, create a separate primary zone called _msdcs.<DNS-forest-name>, and replicate that zone to every DNS server. Generally, it is not sufficient to replicate the zone to only one DNS server per site. If a DNS server does not have a local copy of the _msdcs.<DNS-forest-name> zone, it must use DNS recursion to look up a name in that zone. For a DNS server to perform recursion, it contacts a DNS server that is authoritative for the root of the namespace (called a DNS root server) and proceeds down the delegations in the DNS until it finds the record in question. If there is no DNS root server in a site, and the links between that site and other sites are down, a DNS server cannot perform recursion. Thus, it will not be able to find any DNS servers that are authoritative for _msdcs.<DNS-forest-name>, even if those DNS servers are in the same site.

On servers that host the forest root zone, _msdcs.<DNS-forest-name> can be Directory Service (DS) integrated. Making this zone DS integrated increases the availability of writable copies of the zone. Refer to the DNS Deployment documentation in the Windows 2000 Resource Kit for more information.

On servers that don't host the forest root zone, we accomplish the following by creating a secondary zone for _msdcs.<DNS-forest-name> rather than DS integrated zones:

  • We eliminate replication of unnecessary DNS records to all the domain controllers in the domain.

  • We don't need to replicate these records to domain controllers that are not running DNS since we have moved the records out of the forest root zone.

There are five requirements when configuring a DNS server with this model:

  • Add a primary zone for the server's domain on the DNS server.

  • Add a primary _msdcs zone on the forest root DNS server.

  • Add a delegation for _msdcs.<DNS-forest-name> to the forest root zone.

  • Add delegations for child domains to the parent zone.

Note: Delegations for new trees should be added to the DNS zone to which the zone is subordinate.

  • Add a secondary _msdcs zone to other DNS servers that are also domain controllers.

Create Standard Primary Zone

  1. Start | Programs | Administrative Tools | DNS.

  2. Double-click the server.

  3. Right-click Forward Lookup Zones in the console tree.

  4. Select New zone.

  5. Click Next.

  6. Select Standard Primary in Zone Type box.

  7. Click Next.

  8. For Name box, enter the DNS zone name from the DNS Server Parameters table.

  9. Click Next.

  10. Select Create a new file with this name and accept the default name.

  11. Click Next.

  12. Click Finish.


    Figure 19: Standard primary zones for LAX-DC1

  13. Right-click the new zone in the console tree.

  14. Select Properties.

  15. Set Allow dynamic updates box to the appropriate value (found in the DNS Server Parameters table).

  16. Select the Zone Transfers tab.

  17. Ensure that the Allow zone transfers check box is checked.

  18. Click Notify.

  19. Ensure that the Automatically notify check box is not checked.

  20. Click the Start Of Authority (SOA) tab.

  21. Set Refresh interval to "1 day."

  22. Click OK.

Create Standard Secondary Zone

  1. Start | Programs | Administrative Tools | DNS.

  2. Right-click Forward Lookup Zones in the console tree.

  3. Select New zone.

  4. Click Next.

  5. Select Standard Secondary in Zone Type box.

  6. Click Next.

  7. For Name box, type DNS zone name from DNS Server Parameters table.

  8. Click Next.

  9. For Master DNS Server box, type the IP address from the table.

  10. Click Next.

  11. Click Finish.

Configure DNS Delegations

The LAX-DC1 server in the Los Angeles office, which will become the domain controller for the enterprise, now needs to be configured with delegations. These are name server (NS) records in the parent zone that list the name servers authoritative for the delegated zone.

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking the +.

  3. Right-click the primary zone under which the delegation will reside.

  4. Select New Delegation.


    Figure 20: A delegation for LAX-DC1

  5. Click Next.

  6. For Delegated domain box, type the delegated domain name from the DNS Server Parameter table.

  7. Click Next.

  8. Click Add.

  9. Type the server DNS name and IP address that will host the delegated zone.

  10. Click OK.


    Figure 21: Name server to host the delegated zone

  11. Click Next.

  12. Click Finish.

Repeat for each delegation.

Configure Forwarders

When DNS servers do not know how to resolve a name either because they do not host a copy of the necessary zone or because they have no delegations to the appropriate zone, they can be configured to pass the request on to another machine. This mechanism is called forwarding. The following section outlines the procedure for configuring forwarders for a DNS server.

  1. Start | Programs | Administrative Tools | DNS.

  2. Right-click the server in the console tree and select Properties.

  3. Click the Forwarders tab.

  4. Select Enable Forwarders.

  5. For IP Address box, type forwarder IP address from DNS Server Parameters table.

  6. Click Add.

  7. Select Do not use recursion check box (this prevents dial-up attempts caused by servers recursing to servers in their root hint list).

Figure 22: Enable forwarder to 160.50.10.2 (LAX-DC1)
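The five requirements listed under "Distributing the Forest Wide Locator Records", together with the zone, delegation and forwarder procedures that follow them, expressed as an added PowerShell example. This is not code from the original walkthrough (which predates PowerShell) and it assumes the DnsServer module of Windows Server 2012 or later. LAX-DC1's address 160.50.10.2 and the zone names are from the page; the Atlanta server addresses are assumptions, since the DNS Server Parameters table is not reproduced here.

```powershell
# Added example (not from the original walkthrough): the five DNS requirements
# for Hay Buv Toys built with the DnsServer module of Windows Server 2012+.
# LAX-DC1 = 160.50.10.2 is from the page; Atlanta addresses are assumed.
$Forest    = 'corp.hay-buv.net'
$MsdcsZone = "_msdcs.$Forest"
$LaxDc1    = '160.50.10.2'                     # forest root DNS server (page)
$AtlDns    = @('160.50.20.2', '160.50.20.3')   # ATL-DC1, ATL-DC2 (assumed)

function Set-StandardPrimaryZonePolicy {
    # Steps 15-21 of "Create Standard Primary Zone". The page allows transfers to
    # any server; limiting them to the known secondaries is the safer setting and
    # still lets the Atlanta servers pull _msdcs. Notify stays off so a zone
    # change never dials the link by itself; the SOA refresh interval is one day.
    param([Parameter(Mandatory)][string]$ZoneName,
          [ValidateSet('None','NonsecureAndSecure','Secure')][string]$DynamicUpdate = 'NonsecureAndSecure')
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate $DynamicUpdate `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $AtlDns -Notify NoNotify
    $old = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Soa
    $new = $old.Clone()
    $new.RecordData.RefreshInterval = [TimeSpan]::FromDays(1)
    Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new | Out-Null
}

function Initialize-ForestRootDns {
    # Run on LAX-DC1. Requirements 1-4: primary zone for the root domain, a
    # separate primary _msdcs zone, and delegations for _msdcs and for the child
    # domain in the root zone (NS record plus glue A record, as in Figures 20-21).
    Add-DnsServerPrimaryZone -Name $Forest -ZoneFile "$Forest.dns" -DynamicUpdate NonsecureAndSecure
    Add-DnsServerPrimaryZone -Name $MsdcsZone -ZoneFile "$MsdcsZone.dns" -DynamicUpdate NonsecureAndSecure
    foreach ($z in $Forest, $MsdcsZone) { Set-StandardPrimaryZonePolicy -ZoneName $z }
    Add-DnsServerZoneDelegation -Name $Forest -ChildZoneName '_msdcs' -NameServer "lax-dc1.$Forest" -IPAddress $LaxDc1
    Add-DnsServerZoneDelegation -Name $Forest -ChildZoneName 'atl' -NameServer "atl-dc1.atl.$Forest" -IPAddress $AtlDns[0]
}

function Initialize-RemoteSiteDns {
    # Run on each Atlanta DNS server. Requirement 5: a local secondary copy of
    # _msdcs, so forest-wide locator records still resolve while the dial-up link
    # is down. ATL-DC1 additionally hosts the primary zone for the child domain.
    param([string]$ChildZone)   # 'atl.corp.hay-buv.net' on ATL-DC1, omitted on ATL-DC2
    if ($ChildZone) {
        Add-DnsServerPrimaryZone -Name $ChildZone -ZoneFile "$ChildZone.dns" -DynamicUpdate NonsecureAndSecure
        Set-StandardPrimaryZonePolicy -ZoneName $ChildZone
    }
    Add-DnsServerSecondaryZone -Name $MsdcsZone -ZoneFile "$MsdcsZone.dns" -MasterServers $LaxDc1
    # "Configure Forwarders": unresolved names go to LAX-DC1 only. Turning root
    # hints off is the equivalent of the "Do not use recursion" check box: a
    # lookup of an unknown name can no longer dial the link to reach the roots.
    Set-DnsServerForwarder -IPAddress $LaxDc1 -UseRootHint $false
}

# LAX-DC1:  Initialize-ForestRootDns
# ATL-DC1:  Initialize-RemoteSiteDns -ChildZone "atl.$Forest"
# ATL-DC2:  Initialize-RemoteSiteDns
```

Zones are created as standard primaries with nonsecure updates allowed because secure updates need Active Directory, which does not exist yet; the later "Update DNS Zone Types" step switches them to AD-integrated with secure updates only.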

Testing the DNS Configuration

Once the administrator has completed installing and configuring the DNS servers, highlighted in the diagram below, the administrator must test the servers to confirm that they are correctly resolving DNS names. The Windows 2000 DNS Server service provides the capability to test and monitor DNS by using the DNS console. Nslookup, another diagnostic utility for the DNS Server service, is also available for testing the DNS Server service and testing resource records.

Monitoring a DNS Name Server

You can configure the DNS Server service to perform queries on a scheduled basis to ensure that the service is operating correctly.

In the DNS console, open the Properties dialog box for the server that you want to monitor, and then click the Monitoring tab. You can test a DNS name server by performing two types of queries:

  • Simple query. This type of query performs a local test by using the DNS client to query a DNS name server. Select this option to perform a simple query test of a DNS name server.

  • Recursive query. This type of query tests a DNS name server by forwarding a recursive query to another DNS name server. Select this option to perform a more complex, recursive query test of a DNS name server.

Under Tests Performed, select the Simple query check box, the Recursive query check box, or both, and then click Test Now. The test results appear under Test results in the Properties dialog box for the server.

Using Nslookup

Nslookup is a useful tool for troubleshooting DNS problems, such as host name resolution. When you start Nslookup, it shows the host name and IP address of the DNS server configured for the local system, and then displays a command prompt for further queries. If you type a question mark (?), Nslookup shows all available commands. You can exit the program by typing Exit.

To look up a host's IP address using DNS, type the host name and press ENTER. Nslookup defaults to using the DNS server configured for the computer on which it is running, but you can focus it on a different DNS server by typing server <name> (where <name> is the host name of the server you want to use for future lookups). In some cases, you might see several time-outs reported. This happens when reverse lookup is not configured for DNS servers servicing the same DNS domain as your Active Directory domain.

Nslookup has two modes: interactive and noninteractive.

When you require:

  • More than one piece of data, use interactive mode.

    • To run interactive mode, at the command prompt type Nslookup

    • To exit interactive mode, type Exit.

  • A single piece of data, use noninteractive mode.

    • Type the Nslookup syntax at the command prompt, and the data is returned.

You can use Nslookup to view resource records and direct queries to any DNS name server, including UNIX implementations of DNS.

  1. Start | Programs | Accessories | Command Prompt.

  2. Type Nslookup (interactive mode).

  3. At the command prompt, type commands. For help on commands, type ?.

  4. Type Exit to quit.

The following table describes the Nslookup syntax:

nslookup [-option ...] [computer-to-find | - [server]]

Syntax            Description

-option ...       Specify one or more Nslookup commands. For a list of commands, type a question mark (?) to open Help.

computer-to-find  If the computer-to-find is an IP address, Nslookup returns the host name. If the computer-to-find is a host name, Nslookup returns an IP address. If the computer-to-find is a name and does not have a trailing period, the default DNS domain name is appended to the name. To find a computer outside of the current DNS domain, append a period to the name.

- server          Use this server as the DNS name server. If the server is omitted, the currently configured default DNS name server is used.

Using ping

Confirm that DNS names can be resolved by pinging from a server in the Los Angeles office to a server in the Atlanta office. Repeat this test from Atlanta to Los Angeles offices. The demand dial links should be connected before the ping is initiated.

  1. Start | Programs | Accessories | Command Prompt.

  2. Ping servers by DNS name to verify that the DNS server can be accessed and the DNS name can be resolved.

  3. Perform this step for all servers.


Figure 23: Dial-up topology
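Pinging by name proves that a name resolves somewhere; the check the locator-record discussion actually calls for is that the forest-wide records under _msdcs.<DNS-forest-name> resolve from every DNS server in every site, including the replication-partner CNAMEs. The following is an added example, not part of the original walkthrough, that runs that check with Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) and, for the second function, the ActiveDirectory module. LAX-DC1's address is from the page; the Atlanta addresses and the site names LosAngeles and Atlanta are assumptions taken from the later Sites section.

```powershell
# Added example (not from the original walkthrough): confirm that the forest-wide
# locator records in _msdcs.<forest> resolve from every DNS server in every site.
# LAX-DC1's address is from the page; Atlanta addresses are assumed.
$Forest = 'corp.hay-buv.net'
$DnsServers = [ordered]@{
    'LAX-DC1' = '160.50.10.2'   # from the page
    'ATL-DC1' = '160.50.20.2'   # assumed
    'ATL-DC2' = '160.50.20.3'   # assumed
}
# Forest-wide SRV records: DC, GC and Kerberos locators plus the per-site DC locators.
$ForestWideNames = @(
    "_ldap._tcp.dc._msdcs.$Forest",
    "_ldap._tcp.gc._msdcs.$Forest",
    "_kerberos._tcp.dc._msdcs.$Forest",
    "_ldap._tcp.LosAngeles._sites.dc._msdcs.$Forest",
    "_ldap._tcp.Atlanta._sites.dc._msdcs.$Forest"
)

function Test-LocatorRecord {
    # Query one name of one type against one server, bypassing LLMNR/NetBIOS and
    # the hosts file so the answer reflects that server's own data only.
    param([string]$Name, [string]$Type, [string]$ServerName, [string]$ServerIp)
    $answer = Resolve-DnsName -Name $Name -Type $Type -Server $ServerIp `
        -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue | Where-Object Type -eq $Type
    $targets = switch ($Type) { 'SRV' { $answer.NameTarget } 'CNAME' { $answer.NameHost } }
    [pscustomobject]@{ DnsServer = $ServerName; Record = $Name; Type = $Type
                       Resolved = [bool]$answer; Targets = ($targets -join ',') }
}

function Test-ForestLocatorRecords {
    foreach ($srv in $DnsServers.GetEnumerator()) {
        foreach ($name in $ForestWideNames) {
            Test-LocatorRecord -Name $name -Type SRV -ServerName $srv.Key -ServerIp $srv.Value
        }
    }
}

function Test-ReplicationPartnerCnames {
    # Each DC registers <DSA GUID>._msdcs.<forest> as a CNAME to its host name;
    # replication partners look this up, so it must resolve from the remote site.
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        $guid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        foreach ($srv in $DnsServers.GetEnumerator()) {
            Test-LocatorRecord -Name "$guid._msdcs.$Forest" -Type CNAME -ServerName $srv.Key -ServerIp $srv.Value
        }
    }
}

# Usage. Any row with Resolved = False is a server that will fail replication
# lookups once the link is down, even if another server in its site is fine.
# Test-ForestLocatorRecords | Format-Table -AutoSize
# Test-ReplicationPartnerCnames | Where-Object { -not $_.Resolved }
```

Run it with the demand dial link disconnected as well as connected: with the link down, a server without its own copy of _msdcs falls back to recursion, which the text explains cannot succeed without a reachable root server.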

Promoting the First Domain Controller in the Enterprise

Promoting a server to a domain controller and adding Active Directory are separate operations from installing Windows 2000 Server. You first install Windows 2000 Server; then you promote the servers in order to install Active Directory on the servers you want to use as domain controllers.

Use one of the following options to install Active Directory:

  • The Active Directory Installation Wizard, started from the Windows 2000 Configure Your Server dialog box that appears when you start the server computer: select the Active Directory option for installing Active Directory.

  • Dcpromo.exe: click Start, click Run, and type Dcpromo.exe in the Run dialog box.

The domain structure for Hay Buv Toys is diagrammed below. The forest root is corp.hay-buv.net; therefore the first domain controller in the enterprise will be LAX-DC1. All activities in this section will be performed on LAX-DC1 only.

If DNS has not already been configured on this server, refer to "Install and Configure DNS."


Figure 24:

Promote the First Domain in the Enterprise

Server Network Configuration


Promoting LAX-DC1:

  1. Start | Run | Dcpromo.exe.

  2. Click Next.

  3. Select Domain controller for a new domain.

  4. Click Next.

  5. Select Create a new domain tree.

  6. Click Next.

  7. Select Create a new forest of domain trees.

  8. Click Next.

  9. In the Full DNS name for the domain box, type the fully qualified DNS domain name of the forest root, corp.hay-buv.net.

  10. Click Next.

  11. For the Domain NetBIOS name box, accept the default, which should be CORP.

  12. Click Next.

  13. Adjust the paths for the Database location and Log location boxes to suit your server's drive configuration, if needed; otherwise accept defaults.

  14. Click Next.

  15. Adjust the path for the Folder location (SYSVOL) box to suit your server's particular drive configuration, if needed; otherwise accept default.

  16. Click Next.

  17. Select Permissions compatible only with Windows 2000 servers.

  18. Click Next.

  19. Type a password for the Administrator account used when booting into DS Repair mode.

  20. Click Next.

  21. At the Summary page, verify that all entries are correct.

  22. Click Next to begin the Active Directory installation.

  23. Click Finish (when installation is completed).

  24. Answer Yes to the prompt to reboot.

Update DNS Zone Types

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Expand each primary zone for the server being configured.

  4. Right-click and select Properties for each expanded zone.

  5. Select the General tab.

  6. Ensure that the Type box is set to AD Integrated.

  7. Click Change.

  8. For Select a zone type box, select Active Directory Integrated.

  9. Click OK.

  10. Ensure that the Allow dynamic updates box is set to Secure from the drop-down list.

  11. Click OK.

Create and Configure Sites For Each LAN

The primary purpose of the Microsoft® Windows® 2000 Active Directory™ Sites and Services snap-in is to administer the replication topology both within a site in a local area network (LAN) and between sites in a wide area network (WAN) in an enterprise environment.

A site is a region of a network with high bandwidth connectivity, and is by definition a collection of well-connected computers (based on Internet Protocol (IP) subnets). Because sites control how replication occurs, changes made with the Sites and Services snap-in affect how efficiently domain controllers (DC) that are within one domain, but separated by great distances, can communicate.

A site is separate in concept from Windows 2000-based domains because a site may span multiple domains, and a domain may span multiple sites. Sites are not part of the domain namespace. Sites control replication of domain information and help to determine resource proximity. Sites affect replication traffic and other forms of network traffic related to Active Directory, such as locating a domain controller in response to a request for logon authentication. If a domain controller that offers the requested service is located in the client computer's site, the client is referred to that domain controller, thus using the faster connections within a site.

To ensure that the Active Directory service in the Windows 2000 operating system can replicate properly, a service known as the Knowledge Consistency Checker (KCC) runs on all DCs and automatically establishes connections between individual computers in the same site. These are known as Active Directory connection objects. An administrator can establish additional connection objects or remove connection objects, but at any time when replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume Active Directory replication.

Replication between sites is assumed to occur on either higher cost or slower speed connections. As such, the mechanism for inter-site replication permits the selection of alternative transports, and is established by creating site links and site link bridges.

Configuring sites, subnets, and site links before promoting additional servers will allow the system to automatically place each new domain controller in the correct site. Alternatively, domain controllers can be moved between sites through their context menus.

Sites and Subnet Parameters


  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. In the console tree, right-click Sites.

  3. Select New site.

  4. In the Name box, type the first site name from the Sites and Subnet Parameters table.

  5. Select DEFAULFIRSTSITELINK.

  6. Click OK.

  7. Click OK.

Repeat for both sites in the table.

Moving the Domain Controller

When both sites have been created and the first domain controller in the enterprise has been moved from the default site to its target site, the default site object may be deleted by right-clicking the site object and selecting Delete.

  1. Double-click DEFAULT-FIRST-SITE-NAME.

  2. Double-click Servers.

  3. Right-click <server name>.

  4. Click Move.

  5. Select the site that should contain the server.

  6. Click OK.

Configure Subnets

Refer to Sites and Subnet Parameters table to configure the subnets.

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Expand the Sites folder in the console tree by clicking +.

  3. Right-click Subnets.

  4. Click New Subnet.

  5. For the Address box, type the Site 1 Address.

  6. For the Mask box, type the Site 1 Mask.

  7. For the Site Name box, type the Site 1 Site Name.

  8. Click OK.

Repeat for Site 4 in the table.

Note: A subnet object should be defined and associated with a site so that every computer's IP address on your network will map to a subnet.

Create Site Links

For replication to occur between two sites, a link must be established between the sites. Site links are not generated automatically and can be created in Active Directory Sites and Services. Unless a site link is in place, the KCC cannot create connections between computers in the two sites automatically, and replication between the sites cannot take place. Each site link contains the schedule that determines when replication can occur between the sites that it connects. The Active Directory Sites and Services user interface guarantees that every site is placed in at least one site link. A site link can contain more than two sites; in such a case, all the sites are equally well connected.

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Expand the Sites folder in the console tree by clicking +.

  3. Expand the Inter-site Transports folder by clicking +.

  4. Right-click the IP folder.

  5. Select New Site Link.

  6. For the Name box, type LAX-ATL.

  7. Using the Add and Remove buttons, place the sites LosAngeles and Atlanta in the Sites column.

  8. Click OK.

Figure 25: Site link between Los Angeles and Atlanta

Note: Once the site link has been created, the default site link object may be deleted by right-clicking the site link object and selecting Delete.
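The site, subnet, server move and site link procedures above, as one added PowerShell example using the ActiveDirectory module of Windows Server 2012 or later; it is not code from the original walkthrough. The site names, the LAX-ATL link and the Atlanta subnet 160.50.20.0/24 come from the page; the Los Angeles subnet is assumed from LAX-DC1's address 160.50.10.2, the link cost and interval are the product defaults (the page sets neither), and the default site link is named DEFAULTIPSITELINK in the versions this example targets.

```powershell
# Added example (not from the original walkthrough): the "Create and Configure
# Sites" procedures with the ActiveDirectory module (Windows Server 2012+).
$Sites = [ordered]@{
    'LosAngeles' = '160.50.10.0/24'   # assumed from LAX-DC1 = 160.50.10.2
    'Atlanta'    = '160.50.20.0/24'   # from the ATL-DOD static route on the page
}

function New-HayBuvSiteTopology {
    param([string]$FirstDc = 'LAX-DC1', [string]$FirstDcSite = 'LosAngeles')
    foreach ($site in $Sites.Keys) {
        if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
            New-ADReplicationSite -Name $site
        }
        # One subnet object per LAN so every IP address maps to a site; a DC
        # promoted later is placed in the right site automatically by its address.
        $subnet = $Sites[$site]
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
            New-ADReplicationSubnet -Name $subnet -Site $site
        }
    }
    # Without a site link the KCC builds no inter-site connection objects at all.
    # Cost and interval (defaults 100 and 180 min) are what it uses to schedule
    # replication over the dial-up link.
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'LAX-ATL'")) {
        New-ADReplicationSiteLink -Name 'LAX-ATL' -SitesIncluded @($Sites.Keys) `
            -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
    }
    # "Moving the Domain Controller": the first DC leaves the default site; only
    # then may the default site and the default link be deleted (the page's notes).
    Move-ADDirectoryServer -Identity $FirstDc -Site $FirstDcSite
    if (-not (Get-ADDomainController -Filter "Site -eq 'Default-First-Site-Name'")) {
        Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'" |
            Remove-ADObject -Recursive -Confirm:$false
    }
    Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'" |
        Remove-ADReplicationSiteLink -Confirm:$false
    # Return the resulting links so the caller can verify both sites are in LAX-ATL.
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded
}

# New-HayBuvSiteTopology | Format-List Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

The checks before each New-* call make the function safe to rerun; the default site is removed with Remove-ADObject -Recursive because the site object still contains its Servers and NTDS Site Settings children after the server has been moved out.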

Promoting a Child Domain

In our scenario, atl.corp.hay-buv.net is a child domain of corp.hay-buv.net and requires its own domain controller. The process is similar to promoting the first domain controller in the enterprise and also uses Dcpromo.exe. Here we will be promoting the server, ATL-DC1. Because a dial-up connection is being used, we can either make the connection available prior to promotion or configure the dial-up delay through the registry key.

If DNS has not already been configured on these servers, refer to "Install and Configure DNS."


Figure 26:

Configure Registry Keys

Configure the dial-up delay registry key so that components such as DNS and Netlogon will wait for the dial-up link to be established when performing network operations.

Note: This step can be omitted if the connection will definitely be available prior to the promotion. In this case, this registry key can be managed via Group Policy after the promotion is completed. If the connection will potentially be demand-initiated, then this registry setting should be configured prior to the promotion. Complete this step on all domain controllers and member servers that will need to go over the dial-up link.

  1. Run RegEdt32.exe.

  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters.

  3. Select Edit | Add value.

  4. Type ExpectedDialupDelay in Value name box.

  5. Select REG_DWORD in Data type box.

  6. Click OK.

  7. Enter a time in seconds that is the average time it takes the router to dial and connect to another demand dial router (for example, 15 seconds). To determine what the value of this key should be:

  8. Ensure the dial-up link is down.

  9. Initiate a dial-up link by pinging a server on the remote network.

  10. Record the amount of time that it takes to establish the dial-up connection.

  11. Use this value for this registry key, perhaps adding a small amount (for example, 5 seconds) to allow for some variation in connection time.

  12. Click OK.
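Steps 8 to 11 above, and the "Using ping" router test earlier in this walkthrough, both amount to timing how long a ping over a down demand dial link takes to get its first reply. The following is an added PowerShell example, not code from the original walkthrough, that takes that measurement and writes the ExpectedDialupDelay value from it. The registry path and value name are from the page; the remote host address (ATL-DC1) is an assumption, and the script is for Windows versions with PowerShell rather than the Windows 2000 servers the page describes.

```powershell
# Added example (not from the original walkthrough): measure the demand dial
# connect time and derive Netlogon's ExpectedDialupDelay from it.
function Measure-DemandDialDelay {
    # Pings the remote host once a second until it answers and returns the whole
    # seconds elapsed. Start with the demand dial link DOWN: the first ping is what
    # makes the static route ("Use this route to initiate demand dial") dial out.
    param(
        [Parameter(Mandatory)][string]$RemoteHost,   # e.g. 160.50.20.2 (assumed ATL-DC1)
        [int]$TimeoutSeconds = 120
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $TimeoutSeconds) {
        if (Test-Connection -ComputerName $RemoteHost -Count 1 -Quiet) {
            return [int][math]::Ceiling($sw.Elapsed.TotalSeconds)
        }
        Start-Sleep -Seconds 1
    }
    # Same advice as the router testing section: no link after the timeout means
    # the router configuration (accounts, addresses, static routes) needs checking.
    throw "Link to $RemoteHost did not come up within $TimeoutSeconds s; check the router configuration."
}

function Set-ExpectedDialupDelay {
    # Writes the value the page's steps 1-12 set by hand (measured time plus a small
    # margin). Run on every DC and member server that crosses the link, then
    # restart Netlogon so it reads the new value.
    param([Parameter(Mandatory)][int]$MeasuredSeconds, [int]$MarginSeconds = 5)
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = $MeasuredSeconds + $MarginSeconds
    New-ItemProperty -Path $path -Name 'ExpectedDialupDelay' -PropertyType DWord -Value $value -Force | Out-Null
    return $value
}

# Usage, from a Los Angeles server with the link down:
# $measured = Measure-DemandDialDelay -RemoteHost '160.50.20.2'
# Set-ExpectedDialupDelay -MeasuredSeconds $measured
# Restart-Service Netlogon
```

Take the measurement more than once: modem negotiation time varies, and the value should cover the slow cases, which is why the margin is added on top of the observed time.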

Promote the Child Domain

Server Network Configuration


  1. Run Dcpromo.exe.

  2. Click Next.

  3. Select Domain controller for a new domain.

  4. Click Next.

  5. Select Create a new child domain in an existing domain tree.

  6. Click Next.

  7. In User name box, type Administrator.

  8. In Password box, type a password.

  9. For Domain box, type the parent NetBIOS domain name, which is CORP.

  10. Click Next.

  11. For Parent domain box, type the full DNS domain name, which is corp.hay-buv.net.

  12. For Child domain box, type the new child domain name, which is atl.

  13. Click Next.

  14. For NetBIOS Domain Name box accept the default, which should be ATL.

  15. Click Next.

  16. Adjust the paths for Database location and Log location boxes to suit your server's drive configuration, if needed; otherwise, accept defaults.

  17. Click Next.

  18. Adjust the path for Folder location (SYSVOL) box to suit your server's particular drive configuration, if needed; otherwise, accept default.

  19. Click Next.

  20. Select Permissions compatible only with Windows 2000 servers.

  21. Click Next.

  22. Type a password for the Administrator account used when booting into DS Repair mode.

  23. Click Next.

  24. At the Summary page, verify that all entries are correct.

  25. Click Next to begin the Active Directory installation.

  26. Click Finish (when installation is completed).

  27. Answer Yes to the prompt to reboot.

Update DNS Zone Types

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Expand each primary zone for the server being configured.

  4. Right-click and select Properties for each expanded zone.

  5. Select the General tab.

  6. Ensure that the Type box is set to AD Integrated.

  7. Click Change.

  8. For Select a zone type box, select Active Directory Integrated.

  9. Click OK.

  10. Ensure that the Allow dynamic updates box is set to Secure from the drop-down list.

  11. Click OK.

Promoting Additional Domain Controllers

In our scenario, atl.corp.hay-buv.net has a second domain controller, ATL-DC2. In this section, we will promote this server by installing an additional domain controller to an existing domain. The process is similar to promoting the first domain controller in the domain and also uses Dcpromo.exe. Because a dial-up connection is used, we can either make the connection available prior to promotion or configure the dial-up delay through the registry key.

If DNS has not already been configured on this server, refer to "Install and Configure DNS."


Figure 27:

Configure Registry Keys

Configure the dial-up delay registry key so that components such as DNS and Netlogon will wait for the dial-up link to be established when performing network operations.

Note: This step can be omitted if the dial-up connection will definitely be available prior to the promotion. In this case, this registry key can be managed via Group Policy after the promotion is completed. If the connection will potentially be demand-initiated, then this registry setting should be configured prior to the promotion. Complete this step on all domain controllers and member servers that will need to go over the dial-up link.

  1. Run RegEdt32.exe.

  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters.

  3. Select Edit | Add value.

  4. Type ExpectedDialupDelay in Value name box.

  5. Select REG_DWORD for Data type box.

  6. Click OK.

  7. Enter a time in seconds that represents the average time it takes the router to dial and connect to another demand dial router (for example, 15 seconds). To determine what the value of this key should be:

  8. Ensure the dial-up link is down.

  9. Initiate a dial-up link by pinging a server on the remote network.

  10. Record the amount of time it takes to establish the dial-up connection.

  11. Use this value for this registry key, perhaps adding a small amount (for example, 5 seconds) to allow for some variation in connection time.

  12. Click OK.

Promote the Additional Domain Controller

The Atlanta office has two domain controllers. Now that we've created the ATL domain we can add the additional domain controller to atl.corp.hay-buv.net.

Server Network Configuration


  1. Run Dcpromo.exe.

  2. Click Next.

  3. Select Additional domain controller for an existing domain.

  4. Click Next.

  5. In User name box, type Administrator.

  6. In Password box, type a password.

  7. In Domain box, type the parent NetBIOS domain name, which is CORP.

  8. Click Next.

  9. In Domain Name box, type the full DNS name of the existing domain, which is atl.corp.hay-buv.net.

  10. Click Next.

  11. Adjust the paths for Database location and Log location boxes to suit your server's drive configuration, if needed; otherwise, accept the defaults.

  12. Click Next.

  13. Adjust the path for Folder location (SYSVOL) box to suit your server's particular drive configuration, if needed; otherwise, accept the default.

  14. Click Next.

  15. Type a password for the Administrator account used when booting into DS Repair mode.

  16. Click Next.

  17. At the Summary Page, verify that all entries are correct.

  18. Click Next to begin the Active Directory installation.

  19. Click Finish (when installation is completed).

  20. Answer Yes to the prompt to reboot.

Update DNS Zone Types

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Expand each primary zone for the server being configured.

  4. Right-click and select Properties for each expanded zone.

  5. Select the General tab.

  6. Ensure that the Type box is set to AD Integrated.

  7. Click Change.

  8. For Select a zone type box, select Active Directory Integrated.

  9. Click OK.

  10. Ensure that the Allow dynamic updates box is set to Secure from the drop-down list.

  11. Click OK.

Configuring a Global Catalog For Each Site

Earlier in this process one site was created for corporate headquarters and another site for the Atlanta branch office. Now that domain controllers exist in each site, a global catalog should be available for each site as well. The administrator should perform this step for each of the sites from the LAX-DC1 server.

Site Name      Server
LosAngeles     LAX-DC1
Atlanta        ATL-DC2

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click <site name>.

  4. Double-click Servers.

  5. For each server listed in the table:

    • Double-click the server.

    • Right-click NTDS Settings.

    • Click Properties.

    • Ensure that at least one server in the site has the Global Catalog check box checked.

    • Click OK.

Figure 28: Configuring a global catalog in each site

Testing Active Directory Replication

The administrator has now completed all the tasks required to implement Active Directory replication over a dial-up link. Throughout this walkthrough the various components were tested as their installations and configurations were completed. The last step is to test Active Directory replication. The administrator should complete test passes for each site link with the routing interfaces connected and another with the routing interfaces disconnected. Use the following steps to initiate and monitor replication.

Change Site Link Schedule

The site link replication schedule default is 180 minutes. Change this to 15 minutes or a reasonably short time period in which to monitor replication.

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click Inter-site Transports.

  4. Double-click IP.

  5. Right-click the appropriate site link.

  6. Click Properties.

  7. In Replicate every box, type 15 minutes.

  8. Click OK.

Initiating Replication

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click <site name>.

  4. Double-click Servers.

  5. Double-click <server name>.

  6. Double-click NTDS Settings.

  7. Right-click the Active Directory connection.

  8. Click Replicate Now.

Viewing Replication Status

Active Directory Replication Monitor (replmon.exe) is a graphical tool that you can use to view low-level status and the performance of replication between Active Directory domain controllers. If you have not already done so, install the support tools from the Microsoft® Windows® 2000 Server CD from the Support/Tools folder. Refer to the online Help for a full explanation of the monitoring and troubleshooting features of the Active Directory Replication Monitor.

  1. Start | Windows 2000 Support Tools | Tools | Active Directory Replication Monitor (or use Start | Run | replmon.exe).

  2. Right-click Monitored Servers.

  3. Click Add Monitored Server.

  4. Accept the default Add the server explicitly by name.

  5. Click Next.

  6. For the Enter the name of the server to monitor explicitly box, type the computer name.

  7. Click Finish.

  8. Click View from the menu bar and ensure that the Details View option is checked.

Selecting each directory partition (also known as a naming context) displays its replication history in the details pane. This history includes the time a refresh was initiated and the update sequence number (USN) of the replication partner, which reflects the value of the last originating change that the monitored server has received.

Figure 29: Active Directory replication monitor

KCC Diagnostic events

Key: HKLM\System\ControlSet001\Services\NTDS\Diagnostics

Value name: 1 Knowledge Consistency Checker

Data type: REG_DWORD

Value: 3

Changing the default value to three increases the number of events to be logged in the event viewer Directory Services log. This key should be changed for testing and troubleshooting only because excess events are generated with each replication and could quickly fill the log.
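The replication status check above, done from the command line instead of Replication Monitor, as an added example that is not part of the original walkthrough: the script parses the CSV output of repadmin /showrepl and flags any inbound connection that has failed or has not succeeded within two periods of the 15-minute site link schedule set earlier. The rows are constructed sample data in the column layout repadmin emits (verify the header against your own output); server names other than LAX-DC1 and ATL-DC2 are constructed.

```powershell
# Added example: flag failing or stale inbound replication from repadmin CSV output.
# The rows below are constructed sample data in the column layout that
# "repadmin /showrepl /csv" emits (verify the header against your own output).
# On a live domain controller replace them with:
#   $csvText = repadmin /showrepl * /csv | Out-String
$csvText = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","Atlanta","ATL-DC2","DC=atl,DC=corp,DC=hay-buv,DC=net","Atlanta","ATL-DC1","RPC","0","0","2000-06-01 10:05:00","0"
"showrepl_INFO","Atlanta","ATL-DC2","CN=Configuration,DC=corp,DC=hay-buv,DC=net","LosAngeles","LAX-DC1","RPC","0","0","2000-06-01 08:40:00","0"
"showrepl_INFO","Atlanta","ATL-DC2","CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=net","LosAngeles","LAX-DC1","RPC","3","2000-06-01 10:00:00","2000-06-01 06:00:00","1722"
'@

$IntervalMinutes = 15                      # the "Replicate every" value set above
$AsOf = [datetime]'2000-06-01 10:10:00'    # fixed for the sample; use (Get-Date) live

function Get-ReplicationProblems {
    param([string]$Csv, [datetime]$AsOf, [int]$IntervalMinutes)
    # A partner with no success in two schedule periods has missed a window.
    $staleBefore = $AsOf.AddMinutes(-2 * $IntervalMinutes)
    foreach ($r in ($Csv | ConvertFrom-Csv)) {
        $reasons  = @()
        $failures = [int]$r.'Number of Failures'
        if ($failures -gt 0) {
            $reasons += "$failures consecutive failure(s), last status $($r.'Last Failure Status')"
        }
        if ($r.'Last Success Time' -match '^\d{4}-') {
            if ([datetime]$r.'Last Success Time' -lt $staleBefore) {
                $reasons += "no success since $($r.'Last Success Time')"
            }
        } else {
            $reasons += 'never replicated successfully'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Destination = $r.'Destination DSA'
                Source      = "$($r.'Source DSA') ($($r.'Source DSA Site'))"
                Partition   = $r.'Naming Context'
                Problem     = $reasons -join '; '
            }
        }
    }
}

Get-ReplicationProblems -Csv $csvText -AsOf $AsOf -IntervalMinutes $IntervalMinutes |
    Format-Table -AutoSize
```

Run the check once with the demand dial interfaces connected and once with them disconnected, as the testing plan above calls for, and compare which connections are reported.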

Active Directory Replication over the Internet Topology

This section describes the steps required for an administrator to install and configure a common virtual private network over the Internet. Where appropriate, tables with the required configuration data have also been included in the walkthrough for reference.

The Hong Kong office connects to corporate headquarters located in Los Angeles using a router-to-router VPN connection. Because the offices will be in the same forest, transitive trusts will automatically be established. The Hong Kong and Los Angeles offices both employ a DMZ in front of their networks. Within each DMZ there is a DNS server. The administrator must configure the routers by installing Windows 2000 Routing and Remote Access Service and configure VPN routing interfaces. The next step is to install and configure DNS on the servers in both DMZs and the servers that will become the domain controllers for each domain. Once this is done, the administrator will promote the server in the Los Angeles office as the first domain controller in the forest. Next the administrator must configure sites, a site link, and define the subnets for Los Angeles and Hong Kong using Active Directory Sites and Services. Lastly, the administrator will promote the Hong Kong server as the first domain controller in a new tree of the forest. In both offices, all routers and the DNS servers in the DMZs are configured as stand-alone servers.

Figure 30: VPN over Internet technology

Configuring Static IP Addresses

The first task that the Hay Buv Toys administrator must complete is to configure a static IP address for each network interface on every router, domain controller and DNS server within the Internet topology.

Routers, domain controllers, and DNS servers on each LAN should be configured with static IP addresses or reserved DHCP-assigned addresses. Otherwise, a DHCP lease renewal could give a server a new address before that change has replicated to DNS or the old address has expired from the relevant caches. This situation would result in the server's name not being correctly resolved until the latest information was replicated.

In this scenario there are a total of eight servers, some with multiple network interfaces, which must be configured with static IP addresses.

Note: The information provided in the table to configure the Internet server is for reference only. You need to work with your Internet provider to correctly configure some of the default gateways and preferred DNS servers.

Static IP Addresses

[Static IP Addresses table: provided as an image in the original, not reproduced here]

Rename the Local Area Connection icon(s) and then configure static IP addresses for all servers using information supplied in the Static IP Addresses table.

  1. Right-click My Network Places and select Properties.

  2. Right-click the Local Area Connection and select Rename.

  3. Type the IP subnet address (Network Interface Name) of the network the interface is connected to (or a descriptive name for this interface that has meaning in the context of your network).

  4. Right-click the network interface, renamed in the previous step.

  5. Select Properties.

  6. Click Internet Protocol (TCP/IP) and then click Properties.

  7. Select Use the following IP address.

  8. Type the IP address, subnet mask, and default gateway.

    Note: When configuring a router leave the Default gateway box blank; otherwise, enter a default gateway.

  9. Select Use the following DNS server addresses.

  10. Type the preferred and alternate DNS server IP addresses.

Figure 31: Static IP address for LAX-DC1

Configuring Primary DNS Suffix

  1. Right-click My Computer and select Properties.

  2. Click Network Identification tab.

  3. Click Properties.

  4. Click More.

  5. In the Primary DNS suffix of this computer box, type the DNS Suffix from the Static IP Addresses table.

  6. Click OK.

  7. Click OK.

  8. Click OK when prompted for reboot.

  9. Click OK.

  10. Click Yes to reboot.

Figure 32: Primary DNS suffix for LAX-DC1

Configuring the Routers

Once static IP addresses have been configured, the administrator's next task is to install the routing service. Some of the routers will perform solely as network routers, others must also be configured with VPN interfaces.

The Windows 2000 routing service must be installed and configured on all servers that will serve as routers on the network.

In this scenario, the routers in the Los Angeles and Hong Kong DMZs function solely as network routers while the routers in the Los Angeles and Hong Kong offices are also configured with VPN interfaces. Tables with the specific data accompany the routing installation steps below for convenient reference.

Install Routing Service on LAN Routers

LAN Routers    NetBIOS Name
Los Angeles    LAX-RTR2
Hong Kong      HKG-RTR2

Los Angeles and Hong Kong each have a router in their DMZ that provides the connection to the Internet. They are configured as network routers.

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. In the console tree, right-click Local computer in the snap-in.

  3. Select Configure and Enable Routing and Remote Access Wizard.

  4. Click Next.

  5. Select Network router.

    Figure 33: RRAS Wizard common configurations

  6. Click Next.

  7. Accept the defaults in Routed Protocols window.

    Figure 34: RRAS Wizard routed protocols

  8. Click Next.

  9. For "Do you want to use demand-dial connections to access remote networks?" select No.

    Figure 35: RRAS Wizard demand-dial connections

  10. Click Next.

  11. Click Finish.

Install Routing Service on LAN – DOD Routers

To create a two-way initiated point-to-point tunneling protocol (PPTP)-based router-to-router VPN connection to send private data across the Internet, the administrator must configure the following on the routers in the Los Angeles and Hong Kong offices:

  • Configure the Windows 2000 router at the corporate office to initiate and receive PPTP connections from a branch office router.

  • Configure the Windows 2000 router at the branch office to initiate and receive PPTP connections with the corporate office router.

  • Initiate the connection from either the branch office router or the corporate office router.

LAN – DOD Router Configuration   NetBIOS Name   Modem Pool IP Addresses
Los Angeles                      LAX-RTR1       160.50.10.111 / 160.50.10.120
Hong Kong                        HKG-RTR1       160.50.30.100 / 160.50.30.110

For each router:

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. In the console tree, right-click Local computer in the snap-in.

  3. Select Configure and Enable Routing and Remote Access Wizard.

  4. Click Next.

  5. Select Network router.

    Figure 36: RRAS Wizard common configurations

  6. Click Next.

  7. Accept the defaults in Routed Protocols window.

    Figure 37: RRAS Wizard routed protocols

  8. Click Next.

  9. Select Yes for "Do you want to use demand-dial connections to access remote networks?"

    Figure 38: RRAS Wizard demand-dial connections

  10. Click Next.

  11. Select From a specified range of addresses.

    Figure 39: RRAS Wizard IP address assignment

  12. Click Next.

  13. Click New.

  14. In the Start IP address and End IP address boxes, type the modem pool IP addresses from the LAN – DOD Router Configuration table.

    Figure 40: RRAS Wizard IP address range

  15. Click OK.

  16. Click Next.

  17. Click Finish.

Create the VPN Interfaces

VPN Interface Configuration

[VPN Interface Configuration table: provided as an image in the original, not reproduced here]

  1. Expand the local server by clicking + in the console tree.

  2. Right-click Routing Interfaces.

  3. Select New Demand-dial Interface.

  4. Click Next.

  5. In Interface name box, type the name for the remote router from the Remote Interface Name column in the VPN Interface Configuration table.

    Figure 41: Interface name for the Hong Kong demand dial interface

  6. Click Next.

  7. Select Connect using virtual private networking (VPN).

    Figure 42: RRAS Wizard connection type

  8. Click Next.

  9. Accept default value for VPN Type.

  10. Click Next.

  11. In Destination Address box, type the name or IP address of the remote router to which you are connecting (found in the VPN Interface Configuration table).

  12. Click Next.

  13. Ensure that the Route IP packets on this interface box is checked.

  14. Ensure that the Add a user account so a remote router can dial in box is checked.

    Figure 43: RRAS Wizard protocols and security

  15. Click Next.

  16. Type a password in the Password and Confirm password boxes.

    Figure 44: Remote router dial-in credentials

  17. Click Next.

    Important: This creates a user on the local server. The interface name from the previous steps will be used as the user name. It will become the account name for the interface created on the remote machine and will be used to authenticate the connection.

  18. Type the user name, domain and password for an account on the remote router to which this router will dial. In our case, we will configure the routers as stand-alone servers, so the domain will be the server name of the remote router.

    Figure 45: Dial-out credentials to the remote router

    Important: Make note of this user account. This user account must be used as the interface name on the remote router.

  19. Click Next.

  20. Click Finish.

Configuring Static Routes

Once the Windows 2000 routing service has been installed and configured, static routes are added to reach network IDs in other offices in order to control where traffic goes.

The administrator adds static routes so that traffic to the branch office is forwarded using the appropriate demand dial interface. For each route of each branch office, configure the interface, destination, network mask, and metric. The Interface field indicates the network interface used when forwarding packets to the network ID; the interface name created earlier is used. The Metric field indicates the cost of a route. If multiple routes exist to a given destination network ID, the metric is used to decide which route is to be taken. The route with the lowest metric is the preferred route.

In our scenario there are four routers to be configured:

Static Routes

[Static Routes table: provided as an image in the original, not reproduced here]

With regards to LAX-RTR2, the route that corresponds to the Internet is 0.0.0.0 with a subnet mask of 0.0.0.0. This route becomes the static route with the following configuration:

Interface: 20.0.0.x

Destination: 0.0.0.0

Network mask: 0.0.0.0

Gateway: 20.0.0.4

Metric: 1 (default)

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. In the console tree, click + to expand the <server name> in the snap-in.

  3. Click + to expand IP Routing.

  4. Click Static Routes.

  5. Right-click in the details pane and select New static route.

  6. Select the interface name from the drop-down list.

  7. Type the Destination Network IP address found in the Static Routes table.

  8. Type the Destination Subnet Mask IP address found in the Static Routes table.

  9. Type the Gateway IP address found in the Static Routes table.

  10. Accept the default value for Metric.

  11. Ensure that the Use this route to initiate demand dial connections box is checked.

    Figure 46: Static route for 20.0.0.x interface

  12. Click OK.

  13. Restart the Routing and Remote Access Service:

    • Right-click the <server name>.

    • Click All Tasks.

    • Click Restart.

Note: Because the demand dial connections are point-to-point connections, the Gateway IP address will not be configurable.

Testing Router Configuration

Once the Hay Buv Toys administrator has completed all routing installation and configuration steps, all routers, highlighted in the following diagram, need to be tested to confirm that they connect correctly. To test TCP/IP connectivity by using the ping command, open the command prompt and then ping the desired host using its IP address. If the ping command fails, verify that the host IP address is correct, that the host is operational, and that all the gateways (routers) between this computer and the host are operational. Routing and Remote Access Service provides the ability to connect a routing interface manually.

Using ping

Confirm correct operation of the newly configured routes by pinging from a server on one side to a server on the other. Make certain the demand dial link is down when the ping is initiated. Use the ping '-t' option to ensure that ping continues until the demand dial link is established.

  1. Start | Programs | Accessories | Command Prompt.

  2. Type ping -t <IP>, where <IP> is the static IP address of a remote host (a host that is on a different subnet).

  3. Perform the previous step from at least one server on each side of the route.

Using Routing and Remote Access

A second test is manually connecting the routers using the routing service.

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. Double-click Routing and Remote Access.

  3. Double-click <server name>.

  4. Click Routing Interface.

  5. Right-click <interface name> in the details pane.

  6. Click Connect.

  7. Refresh display (by pressing F5) to verify that interface is connected.

If the demand dial link fails to come up, or the ping / response is not routed and results in a ping failure, even after the demand dial link is established, then confirm the router configuration steps above, particularly the user accounts, IP addresses, modem pool addresses, and static routes.

Figure 47: VPN over Internet technology

Installing and Configuring DNS

Install the DNS Service

The DNS Server service has been carefully integrated into the design and implementation of Active Directory. There are two significant changes when deploying Windows 2000 DNS servers together with Active Directory:

  • DNS name resolution is required for locating Windows 2000 domain controllers. The Netlogon service uses DNS server support to provide registration of the domain controllers in your DNS domain namespace.

  • Windows 2000 DNS servers can use Active Directory to store and replicate your zones. By directory-integrating your zones, you can take advantage of additional DNS features such as secure dynamic updates and record aging/scavenging features.

If DNS is not available on the network when you install the first domain controller in a domain, you can elect to have DNS installed and configured automatically during the installation of Active Directory.

The Active Directory Installation Wizard asks whether to install and configure the DNS service automatically if either one of the following conditions is true:

  • You are creating a new forest, and the Active Directory Installation Wizard does not find any DNS servers that are running on the network

  • You are creating a new domain, and dynamic update is not available.

In this scenario it is important that DNS is installed and configured on the appropriate servers prior to promoting them to domain controllers, rather than using the default configuration that the Active Directory Installation Wizard sets up. These prerequisites are necessary in order to confirm that DNS configuration is correct and to allow for possible troubleshooting without the added complexity of the server also being a domain controller.

The DNS server that is authoritative for the domain will then exist so that Active Directory can locate it. Later, when a server is promoted to the role of a DC for a specified domain, you will be prompted to specify the DNS domain name for the Active Directory domain for which you are joining and promoting the server.

Note: A Windows 2000 installation CD may be required to install the DNS service.

The Hay Buv Toys administrator must now install and configure the DNS service on the server in both the Los Angeles and Hong Kong DMZs, as well as the servers in each office that will become domain controllers. The following subsections provide the installation and configuration steps necessary to complete this task for each server.

Note: The information provided in the table to configure the Internet DNS server is for reference only. You need to work with your Internet provider to correctly configure the delegations and root hints listed.

Use this table to complete the DNS installation and configuration.

DNS Server Parameters

[DNS Server Parameters table: provided as an image in the original, not reproduced here]

To install DNS on a server:

  1. Start | Settings | Control Panel.

  2. Double-click Add / Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Deselect any unwanted default components.

  5. Click Networking Services.

  6. Click Details.

  7. Select Domain Name System.

    Figure 48: Subcomponents of networking services

  8. Click OK.

  9. Click Next.

  10. Click Finish (when complete).

  11. Click Yes if prompted to reboot the system.

Create DNS Zones

Once DNS service is installed the administrator's next steps are creating primary and secondary zones. The administrator must assure that the forest-wide locator records are available to all DNS servers in every site.

Distributing the Forest Wide Locator Records

Each domain controller in the forest registers two sets of locator records: a set of domain-specific records that end in <DNS-domain-name>, and a set of forest-wide records that end in _msdcs.<DNS-forest-name>. The forest-wide records are important to clients and domain controllers from all parts of the forest. For example, the global catalog locator records, and the records used by the replication system to locate replication partners, are included in the forest-wide records.

For any two domain controllers to replicate between each other, including two domain controllers from the same domain, they must be able to look up forest-wide locator records. In order for a newly created domain controller to participate in replication, it must be able to register its forest-wide records in DNS, and other domain controllers must be able to look up these records. For this reason, it is important to make the forest-wide locator records available to every DNS server in every site. Additionally, since these records can be configured so that they are rarely changed, there is no significant increase in replication traffic to distribute these records.

To do this, create a separate primary zone called _msdcs.<DNS-forest-name>, and replicate that zone to every DNS server. Generally, it is not sufficient to replicate the zone to only one DNS server per site. If a DNS server does not have a local copy of the _msdcs.<DNS-forest-name> zone, it must use DNS recursion to look up a name in that zone. For a DNS server to perform recursion, it contacts a DNS server that is authoritative for the root of the namespace (called a DNS root server) and proceeds down the delegations in DNS until it finds the record in question. If there is no DNS root server in a site, and the links between that site and other sites are down, a DNS server cannot perform recursion. Thus, it will not be able to find any DNS servers that are authoritative for _msdcs.<DNS-forest-name>, even if those DNS servers are in the same site.

On servers that host the forest root zone, _msdcs.<DNS-forest-name> can be Directory Service (DS) integrated. Making this zone DS integrated increases the availability of writable copies of the zone. Refer to the DNS Deployment documentation in the Windows 2000 Resource Kit for more information.

On servers that don't host the forest root zone, we accomplish the following by creating a secondary zone for _msdcs.<DNS-forest-name>, rather than DS integrated zones:

  • We eliminate replication of unnecessary DNS records to all the domain controllers in the domain.

  • We don't need to replicate these records to domain controllers that are not running DNS by moving records out of the forest root zone.

There are five requirements when configuring a DNS server with this model:

  • Add a primary zone for the server's domain on the DNS server.

  • Add a primary _msdcs zone on the forest root DNS server.

  • Add a delegation for _msdcs.<DnsForestName> to the forest root zone.

  • Add delegations for child domains to the parent zone.

Note: Delegations for new trees should be added to the DNS zone to which the zone is subordinate.

  • Add a secondary _msdcs zone to other DNS servers that are also domain controllers.

Create Standard Primary Zone

  1. Start | Programs | Administrative Tools | DNS.

  2. Double-click the server.

  3. Right-click Forward Lookup Zones in the console tree.

  4. Select New zone.

  5. Click Next.

  6. Select Standard Primary in Zone Type box.

  7. Click Next.

  8. In Name box, type the DNS zone name from the DNS Server Parameters table.

  9. Click Next.

  10. Select Create a new file with this name and accept the default name.

  11. Click Next.

  12. Click Finish.

    Figure 49: Standard primary zones for LAX-DC1

  13. Right-click the new zone in the console tree.

  14. Select Properties.

  15. Set Allow dynamic updates to the appropriate value.

  16. Select the Zone Transfers tab.

  17. Ensure that the Allow zone transfers box is checked.

  18. Click Notify.

  19. Ensure that the Automatically notify box is not checked.

  20. Click the Start Of Authority (SOA) tab.

  21. Set the Refresh interval box to "1 day."

  22. Click OK.

Create Standard Secondary Zone

  1. Start | Programs | Administrative Tools | DNS.

  2. Right-click Forward Lookup Zones in the console tree.

  3. Select New zone.

  4. Click Next.

  5. Select Standard Secondary in Zone Type box.

  6. Click Next.

  7. In Name box, type the DNS zone name from the DNS Server Parameters table.

  8. Click Next.

  9. In the Master DNS Server box, type the IP address from the DNS Server Parameters table.

  10. Click Next.

  11. Click Finish.

Configure DNS Delegations

The DNS servers in the Los Angeles and Hong Kong DMZs, as well as the LAX-DC1 server in the Los Angeles office, which will become the domain controller for the enterprise, now need to be configured with delegations. Delegations are name service records in the parent zone that list the name servers authoritative for the delegated zone.

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Right-click the primary zone under which the delegation will reside.

  4. Select New Delegation.

    Figure 50: A delegation for LAX-DC1

  5. Click Next.

  6. In Delegated domain box, type the delegated domain name from the DNS Server Parameters table.

  7. Click Next.

  8. Click Add.

  9. Type the server DNS name and IP address that will host the delegated zone.

  10. Click OK.

    Figure 51: Name server to host the delegated zone

  11. Click Next.

  12. Click Finish.

Repeat for each delegation.

Configure Forwarders

When DNS servers do not know how to resolve a name, either because they do not host a copy of the necessary zone or because they have no delegations to the appropriate zone, they can be configured to pass the request on to another machine. This mechanism is called forwarding. The following section outlines the procedure for configuring forwarders for a DNS server.

  1. Start | Programs | Administrative Tools | DNS.

  2. Right-click the server in the console tree and select Properties.

  3. Click the Forwarders tab.

  4. Select Enable Forwarders.

  5. In the IP Address box, type forwarder IP address.

  6. Click Add.

  7. Select Do not use recursion (this prevents dial-up attempts caused by servers recursing to servers in their root hint list).

Figure 52: Enable forwarder to 22.1.1.2 (LAX-DNS)

Configure Root Hints

When DNS servers need to query root servers to resolve a name query, they use servers in their root hint list. Because all DNS servers that sit within the firewall are configured to use their forwarders and not look up names recursively through their root hints, they don't need special root hint configuration. That is, the default values are okay, since they will be ignored anyway. However, DNS servers that sit in a DMZ should be configured to have root hints that point to root servers. If you will use Internet root servers, then keep the defaults, which are pre-populated Internet root servers. However, if you are hosting your own internal '.' zone, then configure your root hints accordingly.

  1. Start | Programs | Administrative Tools | DNS.

  2. Right-click the applicable DNS server.

  3. Click Properties.

  4. Click Root Hints.

  5. Click Add.

  6. Type the Internet DNS server name.

  7. Type the Internet DNS server IP address.

  8. Click OK.

  9. Click OK.

Testing the DNS Configuration

Once the administrator has completed installing and configuring the DNS servers, highlighted in the following diagram, the administrator must test the servers to confirm that they are correctly resolving DNS names. The Windows 2000 DNS Server service provides the capability to test and monitor DNS by using the DNS console. Nslookup, an industry-standard utility, is also available for testing the DNS Server service and testing resource records.

Monitoring a DNS Name Server

You can configure the DNS Server service to perform queries on a scheduled basis in order to ensure that the service is operating correctly.

In the DNS console, open the Properties dialog box for the server that you want to monitor, and then click the Monitoring tab. You can test a DNS name server by performing two types of queries:

  • Simple query. This type of query performs a local test by using the DNS client to query a DNS name server. Select this option to perform a simple query test of a DNS name server.

  • Recursive query. This type of query tests a DNS name server by forwarding a recursive query to another DNS name server. Select this option to perform a more complex, recursive query test of a DNS name server.

Under Tests Performed, select the Simple query check box, the Recursive query check box, or both, and then click Test Now. The test results appear under Test results in the Properties dialog box for the server.

Using Nslookup

Nslookup is a useful tool for troubleshooting DNS problems, such as host name resolution. When you start Nslookup, it shows the host name and IP address of the DNS server that is configured for the local system, and then displays a command prompt for further queries. If you type a question mark (?), Nslookup shows all available commands. You can exit the program by typing Exit.

To look up a host's IP address using DNS, type the host name and press ENTER. Nslookup defaults to using the DNS server configured for the computer on which it is running, but you can focus it on a different DNS server by typing server <name> (where <name> is the host name of the server you want to use for future lookups). In some cases, you might see several time-outs reported. This happens when reverse lookup is not configured for the DNS servers servicing the same DNS domain as your Active Directory domain.

Nslookup has two modes: interactive and noninteractive.

When you require:

  • More than one piece of data, use interactive mode.

    • To run interactive mode, at the command prompt type Nslookup.

    • To exit interactive mode, type Exit.

  • A single piece of data, use noninteractive mode.

    • Type the Nslookup syntax at the command prompt, and the data is returned.

You can use Nslookup to view resource records and direct queries to any DNS name server, including UNIX implementations of DNS.

  1. Start | Programs | Accessories | Command Prompt.

  2. Type Nslookup (interactive mode).

  3. Type commands. For help with commands, type ?.

  4. Type Exit to quit.

The following table describes the Nslookup syntax:

nslookup [-option ...] [computer-to-find | - [server]]

-option ...
  Specify one or more Nslookup commands. For a list of commands, type a question mark (?) to open Help.

computer-to-find
  If the computer-to-find is an IP address, Nslookup returns the host name. If the computer-to-find is a host name, Nslookup returns an IP address. If the computer-to-find is a name and does not have a trailing period, the default DNS domain name is appended to the name. To find a computer outside of the current DNS domain, append a period to the name.

-server
  Use this server as the DNS name server. If the server is omitted, the currently configured default DNS name server is used.

Using ping

Confirm that DNS names can be resolved by pinging from a server in the Los Angeles office to a server in the Hong Kong office. The demand dial links should be connected before the ping is initiated.

  1. Start | Programs | Accessories | Command Prompt.

  2. Ping servers by DNS name to verify that the DNS server can be accessed and the DNS name can be resolved.

  3. Perform this step for all servers.

Figure 53: VPN over Internet technology

Promoting the First Domain Controller in the Enterprise

Promoting a server to a domain controller and adding Active Directory are separate operations from installing Windows 2000 Server. You must first install Windows 2000 Server; then you promote the servers in order to install Active Directory on the servers you want to use as domain controllers.

Use one of the following options to install Active Directory:

The Active Directory Installation Wizard. The wizard can be started as follows:

  • In the Windows 2000 Configure Your Server dialog box that appears when you start the server computer, select the Active Directory option for installing Active Directory.

– or –

  • In the Start menu, click Run. Then type Dcpromo.exe in the Run dialog box.

The domain structure for Hay Buv Toys is diagrammed below. The forest root is corp.hay-buv.net and, therefore, the first domain controller in the enterprise will be LAX-DC1. All activities in this section will be performed on LAX-DC1 only.

If DNS has not already been configured on this server, refer to "Install and Configure DNS."

Figure 54: Promote the First Domain in the Enterprise

Server Network Configuration

Promoting LAX-DC1:

  1. Start | Run | Dcpromo.exe.

  2. Click Next.

  3. Select Domain controller for a new domain.

  4. Click Next.

  5. Select Create a new domain tree.

  6. Click Next.

  7. Select Create a new forest of domain trees.

  8. Click Next.

  9. In the Full DNS name for the domain box, type the fully qualified DNS domain name of the forest root, corp.hay-buv.net.

  10. Click Next.

  11. In the Domain NetBIOS name box, accept the default, which should be CORP.

  12. Click Next.

  13. Adjust the paths for the Database location and Log location boxes to suit your server's drive configuration, if needed; otherwise, accept defaults.

  14. Click Next.

  15. Adjust the path for the Folder location (SYSVOL) box to suit your server's particular drive configuration, if needed; otherwise, accept the default.

  16. Click Next.

  17. Select Permissions compatible only with Windows 2000 servers.

  18. Click Next.

  19. Type the password for the Administrator account used when booting into DS Repair mode.

  20. Click Next.

  21. At the Summary page, verify that all entries are correct.

  22. Click Next to begin the Active Directory installation.

  23. Click Finish (when installation is completed).

  24. Answer Yes to the prompt to reboot.

Update DNS Zone Types

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Expand each primary zone for the server being configured.

  4. Right-click and select Properties for each expanded zone.

  5. Select the General tab.

  6. Ensure that the Type box is set to AD Integrated.

  7. Click Change.

  8. In the Select a zone type box, select Active Directory Integrated.

  9. Click OK.

  10. Ensure that the Allow dynamic updates box is set to Secure from the drop-down list.

  11. Click OK.

Create and Configure Sites For Each LAN

The primary purpose of the Microsoft® Windows® 2000 Active Directory™ Sites and Services snap-in is to administer the replication topology both within a site in a local area network (LAN) and between sites in a wide area network (WAN) in an enterprise environment.

A site is a region of a network with high bandwidth connectivity, and is by definition a collection of well-connected computers (based on Internet Protocol (IP) subnets). Because sites control how replication occurs, changes made with the Sites and Services snap-in affect how efficiently domain controllers (DC) that are within one domain, but separated by great distances, can communicate.

A site is separate in concept from Windows 2000-based domains because a site may span multiple domains, and a domain may span multiple sites. Sites are not part of the domain namespace. Sites control replication of domain information and help to determine resource proximity. Sites affect replication traffic and other forms of network traffic related to Active Directory, such as locating a domain controller in response to a request for logon authentication. If a domain controller that offers the requested service is located in the client computer's site, the client is referred to that domain controller, thus using the faster connections within a site.

To ensure that the Active Directory service in the Windows 2000 operating system can replicate properly, a service known as the Knowledge Consistency Checker (KCC) runs on all DCs and automatically establishes connections between individual computers in the same site. These are known as Active Directory connection objects. An administrator can establish additional connection objects or remove connection objects, but at any time when replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume Active Directory replication.

Replication between sites is assumed to occur on either higher cost or slower speed connections. As such, the mechanism for inter-site replication permits the selection of alternative transports, and is established by creating site links and site link bridges.

Configuring sites, subnets, and site links before promoting additional servers will allow the system to automatically place each new domain controller in the correct site. Alternatively, domain controllers can be moved between sites through their context menus.

Sites and Subnet Parameters

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Right-click Sites in the console tree.

  3. Select New site.

  4. For the Name box, type the first site name from the Sites and Subnet Parameters table.

  5. Select DEFAULTIPSITELINK.

  6. Click OK.

  7. Click OK.

Repeat for both sites in the table.

Moving the Domain Controller

When all sites have been created and the first domain controller in the enterprise has been moved from the default site to its target site, the default site object may be deleted by right-clicking the site object and selecting Delete.

  1. Double-click DEFAULT-FIRST-SITE-NAME.

  2. Double-click Servers.

  3. Right-click <server name>.

  4. Click Move.

  5. Select the site that should contain the server.

  6. Click OK.

Configure Subnets

Refer to Sites and Subnet Parameters table above to configure the subnets.

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Expand the Sites folder in the console tree by clicking +.

  3. Right-click Subnets.

  4. Click New Subnet.

  5. For the Address box, type the Site 1 Address.

  6. For the Mask box, type the Site 1 Mask.

  7. For the Site Name box, type the Site 1 Site Name.

  8. Click OK.

Repeat for Site 2 in the table.

Note: A subnet object should be defined and associated with a site so that every computer's IP address on your network will map to a subnet.
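As an added example (not from the walkthrough), the following Python models the site lookup that the subnet objects drive: an address is placed in the site of the most specific subnet object containing it, and an address covered by no subnet object gets no site. The subnet values, the LosAngeles-Lab site and the host addresses are constructed placeholders standing in for the Sites and Subnet Parameters table.

```python
"""Place addresses in Active Directory sites via subnet objects.

Added example, not from the original walkthrough. Subnet values, the
LosAngeles-Lab site and the host addresses below are constructed
placeholders; the real values live in the Sites and Subnet Parameters table.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed subnet objects as they would be entered in the New Subnet
# dialog: (Address/Mask, Site Name).
SUBNETS: List[Tuple[str, str]] = [
    ("160.50.10.0/255.255.255.0", "LosAngeles"),
    ("160.50.20.0/255.255.255.0", "HongKong"),
    # A more specific subnet nested inside the LosAngeles range, to show
    # that the most specific (longest prefix) subnet object decides.
    ("160.50.10.128/255.255.255.128", "LosAngeles-Lab"),
]

SubnetTable = List[Tuple[ipaddress.IPv4Network, str]]


def build_subnet_table(subnets: List[Tuple[str, str]]) -> SubnetTable:
    """Parse Address/Mask strings into network objects.

    strict=True rejects an address with host bits set under its mask
    (for example 160.50.10.5/255.255.255.0), which the snap-in would also
    refuse as a subnet object.
    """
    return [(ipaddress.ip_network(spec, strict=True), site) for spec, site in subnets]


def site_for_address(addr: str, table: SubnetTable) -> Optional[str]:
    """Return the site whose subnet object most specifically contains addr,
    or None when no subnet object covers it."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, site in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def check_placement(hosts: Dict[str, Tuple[str, str]],
                    table: SubnetTable) -> Dict[str, Tuple[Optional[str], bool]]:
    """Compare the site each host would be placed in with the site the
    administrator expects. hosts maps name -> (ip, expected site); the
    result maps name -> (site actually selected, matches expectation)."""
    results: Dict[str, Tuple[Optional[str], bool]] = {}
    for name, (ip, expected) in hosts.items():
        actual = site_for_address(ip, table)
        results[name] = (actual, actual == expected)
    return results


def unmapped_addresses(addrs: List[str], table: SubnetTable) -> List[str]:
    """Addresses covered by no subnet object. Such computers have no site
    affinity, which is why every address on the network should fall within
    a subnet object associated with a site."""
    return [a for a in addrs if site_for_address(a, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SUBNETS)
    # Constructed host addresses for the scenario's domain controllers.
    hosts = {"LAX-DC1": ("160.50.10.5", "LosAngeles"),
             "HKG-DC1": ("160.50.20.7", "HongKong")}
    for name, (site, ok) in check_placement(hosts, table).items():
        print(f"{name}: site={site} {'ok' if ok else 'MISMATCH'}")
    print("unmapped:", unmapped_addresses(["160.50.10.200", "10.1.1.1"], table))
```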

Create Site Links

For replication to occur between two sites, a link must be established between the sites. Site links are not generated automatically and can be created in Active Directory Sites and Services. Unless a site link is in place, the KCC cannot create connections between computers in the two sites automatically, and replication between the sites cannot take place. Each site link contains the schedule that determines when replication can occur between the sites that it connects. The Active Directory Sites and Services user interface guarantees that every site is placed in at least one site link. A site link can contain more than two sites; in such a case, all the sites are equally well connected.

Site Link Parameters

Site Link 1
  Site Link Name: LAX-HKG
  Sites: LosAngeles, HongKong

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Expand the Sites folder in the console tree by clicking +.

  3. Expand the Inter-site Transports folder by clicking +.

  4. Right-click the IP folder.

  5. Select New Site Link.

  6. For the Name box, type LAX-HKG.

  7. Using Add/Remove, place the sites LosAngeles and HongKong in the Sites column.

  8. Click OK.

Figure 55: Site link between Los Angeles and Hong Kong

Note: Once the site link has been created, the default site link object may be deleted by right-clicking the site link object and selecting Delete.

Promoting a New Tree in the Forest

In our scenario, hkg.hay-buv.com is a tree root of the forest and requires its own domain controller. The process is similar to promoting the first domain controller in the enterprise and also uses Dcpromo.exe. Here, we will be promoting HKG-DC1. Because a VPN connection is being used, we can either make the connection available prior to promotion or configure the delay through the registry key.

If DNS has not already been configured on this server, refer to "Install and Configure DNS."

Figure 56:

Configure Registry Keys

Configure the dial-up delay registry key so that components such as DNS and Netlogon will wait for the dial-up link to be established when performing network operations.

Note: This step can be omitted if the connection will definitely be available prior to the promotion. In this case, this registry key can be managed via Group Policy after the promotion is completed. If the connection will potentially be demand-initiated, then this registry setting should be configured prior to the promotion. Complete this step on all domain controllers and member servers that will need to communicate over the dial-up link.

  1. Run RegEdt32.exe.

  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters.

  3. Select Edit | Add value.

  4. Type ExpectedDialupDelay in Value name box.

  5. Select REG_DWORD in Data type box.

  6. Click OK.

  7. Click OK.

  8. Enter a time in seconds that is the average time it takes the router to dial and connect to another demand dial router (for example, 15 seconds). To determine what the value of this key should be:

  9. Ensure the dial-up link is down.

  10. Initiate a dial-up link by pinging a server on the remote network.

  11. Record the amount of time that it takes to establish the dial-up connection.

  12. Use this value for this registry key, perhaps adding a small amount (for example, 5 seconds) to allow for some variation in connection time.

  13. Click OK.

Promote the New Tree Root Domain

Server Network Configuration

  1. Run Dcpromo.exe.

  2. Click Next.

  3. Select Domain controller for a new domain.

  4. Click Next.

  5. Select Create a new domain tree.

  6. Click Next.

  7. Select Place this new domain tree in an existing forest.

  8. Click Next.

  9. In the User name box, type Administrator.

  10. In the Password box, type a password.

  11. In the Domain box, type the parent NetBIOS domain name, which is CORP.

  12. Click Next.

  13. In the New Domain Tree box, type the full DNS name of the new tree, which is hkg.hay-buv.com.

  14. Click Next.

  15. In NetBIOS Domain Name box, accept the default, which should be HKG.

  16. Click Next.

  17. Adjust the paths for Database location and Log location boxes to suit your server's drive configuration, if needed; otherwise, accept the defaults.

  18. Click Next.

  19. Adjust the path for the Folder location (SYSVOL) box to suit your server's particular drive configuration, if needed; otherwise, accept the default.

  20. Click Next.

  21. Select Permissions compatible only with Windows 2000 servers.

  22. Click Next.

  23. Type a password for the Administrator account used when booting into DS Repair mode.

  24. Click Next.

  25. At the Summary Page, verify that all entries are correct.

  26. Click Next to begin the Active Directory installation.

  27. Click Finish (when installation is completed).

  28. Answer Yes to the prompt to reboot.

Update DNS Zone Types

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Expand each primary zone for the server being configured.

  4. Right-click and select Properties for each expanded zone.

  5. Select the General tab.

  6. Ensure that the Type box is set to AD Integrated.

  7. Click the Change button.

  8. For Select a zone type box, select Active Directory Integrated.

  9. Click OK.

  10. Ensure that the Allow dynamic updates box is set to Secure from the drop-down list.

  11. Click OK.

Configuring a Global Catalog For Each Site

Earlier in this process one site was created for the Los Angeles office and another for the Hong Kong office. Now that domain controllers exist in each site, a global catalog should be available in each site as well. The administrator should perform this step on the LAX-DC1 server, for each of the sites.

Site Name     Server
LosAngeles    LAX-DC1
HongKong      HKG-DC1

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click <site name>.

  4. Double-click Servers.

  5. For each server listed in the table:

  6. Double-click the server.

  7. Right-click NTDS Settings.

  8. Click Properties.

  9. Ensure that at least one server in the site has the Global Catalog check box checked.

  10. Click OK.

Figure 57: Configuring a global catalog in each site

Testing Active Directory Replication

The administrator has now completed all the tasks required to implement Active Directory replication over a dial-up link. Throughout this walkthrough the various components were tested as their installation and configuration were completed. The last step is to test Active Directory replication. The administrator should complete one test pass for each site link with the routing interfaces connected and another with the routing interfaces disconnected. Use the following steps to initiate and monitor replication.

Change Site Link Schedule

The site link replication schedule default is 180 minutes. Change this to 15 minutes or a reasonably short time period in which to monitor replication.

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click Inter-site Transports.

  4. Double-click IP.

  5. Right-click the appropriate site link.

  6. Click Properties.

  7. In the Replicate every box, type 15 (minutes).

  8. Click OK.

Initiating Replication

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click <site name>.

  4. Double-click Servers.

  5. Double-click <server name>.

  6. Double-click NTDS Settings.

  7. Right-click the Active Directory connection.

  8. Click Replicate Now.

Viewing Replication Status

Active Directory Replication Monitor (replmon.exe) is a graphical tool that you can use to view low-level status and the performance of replication between Active Directory domain controllers. If you have not already done so, install the support tools from the Microsoft® Windows® 2000 Server CD from the Support/Tools folder. Refer to the online Help for a full explanation of the monitoring and troubleshooting features of the Active Directory Replication Monitor.

  1. Start | Windows 2000 Support Tools | Tools | Active Directory Replication Monitor (or use Start | Run | replmon.exe).

  2. Right-click Monitored Servers.

  3. Click Add Monitored Server.

  4. Accept the default Add the server explicitly by name.

  5. Click Next.

  6. For the Enter the name of the server to monitor explicitly box, type the computer name.

  7. Click Finish.

  8. Click View from the menu bar and ensure that the Details View option is checked.

Selecting each directory partition (also known as a naming context) displays its replication history in the details pane. This history includes the time a refresh was initiated and the USN of the replication partner, which reflects the value of the last originating change that the monitored server has received.

Figure 58: Active Directory replication monitor
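The following Python is an added, deliberately simplified model (not the NTDS implementation and not part of the walkthrough) of the bookkeeping behind the numbers Replication Monitor displays: a per-partner high-watermark, which is the partner USN recorded at each refresh, and an up-to-dateness vector that stops a change from being replicated back to the domain controller where it originated. Server names are the scenario's LAX-DC1 and HKG-DC1; the attribute values are constructed.

```python
"""Simplified model of the replication bookkeeping Replication Monitor shows.

Added example, not from the walkthrough and not the NTDS implementation.
Each DC keeps a local USN counter, a high-watermark per partner (the partner
USN recorded after a refresh) and an up-to-dateness vector that prevents a
change from being replicated back to the DC where it originated.
Attribute names and values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Change:
    attribute: str
    value: str
    originating_dc: str    # DC where the administrator made the write
    originating_usn: int   # that DC's USN for the write
    local_usn: int         # USN assigned when this DC stored the change


@dataclass
class DomainController:
    name: str
    usn: int = 0  # advances on every write, originating or replicated
    changes: List[Change] = field(default_factory=list)
    # partner name -> partner USN at the end of the last inbound cycle
    high_watermark: Dict[str, int] = field(default_factory=dict)
    # originating DC -> highest originating USN already stored here
    utd_vector: Dict[str, int] = field(default_factory=dict)

    def store(self, attribute: str, value: str, origin: str, origin_usn: int) -> None:
        """Write a change to the local database and advance the local USN."""
        self.usn += 1
        self.changes.append(Change(attribute, value, origin, origin_usn, self.usn))
        self.utd_vector[origin] = max(self.utd_vector.get(origin, 0), origin_usn)

    def originate(self, attribute: str, value: str) -> None:
        """An originating write, e.g. an administrator edits an object here."""
        self.store(attribute, value, self.name, self.usn + 1)


def replicate(source: DomainController, dest: DomainController) -> int:
    """One inbound cycle on dest from source (what Replicate Now triggers).

    dest presents its high-watermark for source and its up-to-dateness
    vector; source returns only changes written after the watermark that
    dest has not already received by another path (propagation dampening).
    Returns the number of changes applied.
    """
    watermark = dest.high_watermark.get(source.name, 0)
    applied = 0
    for ch in source.changes:
        if ch.local_usn <= watermark:
            continue  # delivered in an earlier cycle
        if ch.originating_usn <= dest.utd_vector.get(ch.originating_dc, 0):
            continue  # already present, e.g. dest originated it itself
        dest.store(ch.attribute, ch.value, ch.originating_dc, ch.originating_usn)
        applied += 1
    dest.high_watermark[source.name] = source.usn
    return applied


def is_current(dest: DomainController, source: DomainController) -> bool:
    """True when dest's recorded partner USN equals source's current USN,
    i.e. source holds nothing dest has not yet pulled."""
    return dest.high_watermark.get(source.name, 0) == source.usn


if __name__ == "__main__":
    lax, hkg = DomainController("LAX-DC1"), DomainController("HKG-DC1")
    lax.originate("description", "Los Angeles headquarters")
    print("HKG current before pull:", is_current(hkg, lax))
    print("applied on HKG:", replicate(lax, hkg))
    print("applied back on LAX (should be 0):", replicate(hkg, lax))
    print("both current:", is_current(hkg, lax) and is_current(lax, hkg))
```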

KCC Diagnostic events

HKLM\System\ControlSet001\Services\NTDS\Diagnostics\1 Knowledge Consistency Checker (REG_DWORD) = 3

Changing the default value to three increases the number of events to be logged in the event viewer Directory Services log. This key should be changed for testing and troubleshooting only because excess events are generated with each replication and could quickly fill the log.

Active Directory Replication over the Internet through ISP Topology

This section describes the steps required for an administrator to install and configure a common virtual private network over the Internet through an ISP. Where appropriate, tables with the required configuration data have also been included in the walkthrough for reference.

The Mexico City office is connected to corporate headquarters using a VPN over the Internet; however, it connects to Los Angeles using a dial-up ISP connection. In this case, the administrator must configure the router in Mexico City by installing Windows 2000 Routing and Remote Access Service and configuring a dial-up routing interface to the ISP. The Los Angeles office employs a DMZ in front of its network. The administrator must configure this router by installing Windows 2000 Routing and Remote Access Service and configuring VPN routing interfaces.

The next step is to install and configure DNS on the server in the DMZ and the servers that will become the domain controllers for each domain. Once this is done, the administrator will promote the server in the Los Angeles office as the first domain controller in the forest. Next the administrator must configure the sites, a site link, and define the subnets for Los Angeles and Mexico City using Active Directory Sites and Services. Lastly, the Mexico City server will be promoted as the first domain controller in a child domain. Because they will be in the same forest, transitive trusts will automatically be established.

In both offices, all routers and the DNS server in the Los Angeles DMZ are configured as stand-alone servers.

Figure 59: VPN over Internet through ISP topology

Configuring Static IP Addresses

The first task that the Hay Buv Toys administrator must complete is to configure a static IP address for each network interface on every router, domain controller and DNS server within the ISP/Internet topology.

Routers, domain controllers, and DNS servers on each LAN should be configured with static IP addresses or reserved DHCP-assigned addresses. Otherwise, DHCP lease renewals could give a server a new address that has not yet been fully replicated to, or expired from, the relevant caches, so the server's name would not resolve correctly until the latest information had been replicated.

In this scenario there are a total of six servers, some with multiple network interfaces, which must be configured with static IP addresses.

Note: The Internet and ISP static IP addresses in the table are for reference only. One of the prerequisites of this walkthrough is that the infrastructure to support Internet and ISP connectivity be available, including providing IP addresses for external connectivity. In order to complete the following steps you must use the static IP addresses provided by your Internet and ISP providers.

Static IP Addresses

Rename the Local Area Connection icon(s) and then configure static IP addresses for all servers using the information supplied in the Static IP Addresses table.

  1. Right-click My Network Places and select Properties.

  2. Right-click Local Area Connection and select Rename.

  3. Type the IP subnet address (Network Interface Name) of the network the interface is connected to (or a descriptive name for this interface that has meaning in the context of your network).

  4. Right-click the network interface, renamed in the previous step.

  5. Select Properties.

  6. Click Internet Protocol (TCP/IP) and then click Properties.

  7. Select Use the following IP address.

  8. Type the IP address, subnet mask, and default gateway.

    Note: When configuring a router, leave the Default gateway box blank; otherwise, enter a default gateway.

  9. Select Use the following DNS server addresses.

  10. Type the preferred and alternate DNS server IP addresses.

Figure 60: Static IP address for LAX-DC1

Configuring Primary DNS Suffix

  1. Right-click My Computer and select Properties.

  2. Click Network Identification tab.

  3. Click Properties.

  4. Click More.

  5. Fill in the Primary DNS suffix of this computer box, with the Primary DNS Suffix information from the Static IP Addresses table.

  6. Click OK.

  7. Click OK.

  8. Click OK when prompted for reboot.

  9. Click OK.

  10. Click Yes to reboot.

Figure 61: Primary DNS suffix for LAX-DC1

Configuring the Routers

Once static IP addresses have been configured, the administrator's next task is to install the routing service. Some of the routers will perform solely as network routers, while others must also be configured with VPN or dial-up interfaces.

The Windows 2000 routing service must be installed and configured on all servers that will serve as routers on the network.

In this scenario, the router in the Los Angeles DMZ functions solely as a network router while the routers in the Los Angeles and Mexico City offices also are configured with demand dial interfaces. Tables with the specific data accompanying the routing installation tasks are included for convenient reference.

Install Routing Service on LAN Routers

The Los Angeles router in the DMZ provides the connection to the Internet. It is configured as a network router.

On LAX-RTR2:

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. In the console tree, right-click Local computer in the snap-in.

  3. Select Configure and Enable Routing and Remote Access Wizard.

  4. Click Next.

  5. Select Network router.

    Figure 62: RRAS Wizard common configurations

  6. Click Next.

  7. Accept the defaults for Routed Protocols.

    Figure 63: RRAS Wizard routed protocols

  8. Click Next.

  9. For "Do you want to use demand-dial connections to access remote networks?" select No.

    Figure 64: RRAS Wizard demand-dial connections

  10. Click Next.

  11. Click Finish.

Install Routing Service on LAN – DOD Routers

To create a two-way initiated PPTP-based router-to-router VPN connection to send private data across the Internet, the administrator must configure the following on the routers in the Los Angeles and Mexico City offices:

  • Configure the Windows 2000 router at the corporate office to initiate and receive PPTP connections from a branch office router.

  • Configure the Windows 2000 router at the branch office to initiate and receive PPTP connections with the corporate office router.

  • Initiate the connection from either the branch office router or the corporate office router.

LAN – DOD Router Configuration

Office        NetBIOS Name    Modem Pool IP Addresses
Los Angeles   LAX-RTR1        160.50.10.111 / 160.50.10.120
Mexico City   MEX-RTR1        160.50.50.100 / 160.50.50.110

For each router:

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. In the console tree, right-click Local computer in the snap-in.

  3. Select Configure and Enable Routing and Remote Access Wizard.

  4. Click Next.

  5. Select Network router.

    Figure 65: RRAS Wizard common configurations

  6. Click Next.

  7. Accept the defaults for Routed Protocols.

    Figure 66: RRAS Wizard Routed Protocols

  8. Click Next.

  9. Select Yes for "Do you want to use demand-dial connections to access remote networks?"

    Figure 67: RRAS Wizard demand-dial connections

  10. Click Next.

  11. Select From a specified range of addresses.

    Figure 68: RRAS Wizard IP address assignment

  12. Click Next.

  13. Click New.

  14. Type the modem pool addresses from the LAN-DOD Router Configuration table in the Start IP address and End IP address boxes.

    Figure 69: RRAS Wizard IP Address Range

  15. Click OK.

  16. Click Next.

  17. Click Finish.

Creating VPN Interfaces on LAN-DOD Routers

VPN Interface Configuration

On the Mexico City router, MEX-RTR1:

  1. Expand the Local server by clicking + in the console tree.

  2. Right-click Routing Interfaces.

  3. Select New Demand-dial Interface.

  4. Click Next.

  5. For the Interface name box, type the name from the Remote Interface Name column for the remote router.

    Figure 70: Interface name for the Mexico City demand dial interface

  6. Click Next.

  7. Select Connect using virtual private networking (VPN).

    Figure 71: RRAS Wizard connection type

  8. Click Next.

  9. Accept default for VPN Type.

  10. Click Next.

  11. In Destination Address box, type the IP address of the remote router to which you are connecting.

  12. Click Next.

  13. Ensure that the Route IP packets on this interface box is checked.

  14. Ensure that the Add a user account so a remote router can dial in box is checked.

    Figure 72: Remote router dial-in credentials

  15. Click Next.

  16. Type a password in the Password and Confirm password boxes.

    Figure 73: Dial-in credentials

  17. Click Next.

    Important: This creates a user on the local server. The interface name from the previous steps is used as the user name. It will become the account name for the interface created on the remote machine and used to authenticate the connection.

  18. Type the user name, domain and password for an account on the remote router that this router will dial into. In our case, we configure the routers as stand-alone servers, so the domain will be the server name of the remote router.

    Figure 74: Dial-out credentials to the remote router

    Important: Make note of this user account. This user account must be used as the interface name on the remote router.

  19. Click Next.

  20. Click Finish.

Configuring Static Routes

Once the Windows 2000 routing service has been installed and configured, static routes are added to reach network IDs in other offices in order to control where traffic goes.

The administrator adds static routes so that traffic to the branch office is forwarded using the appropriate interface. For each route of the branch offices and DMZ routers, configure the interface, destination, network mask, and metric. The Interface field indicates the network interface that is used when forwarding packets to the network ID; the interface name created earlier is used. The Metric field indicates the cost of a route. If multiple routes exist to a given destination network ID, the metric is used to decide which route is to be taken. The route with the lowest metric is the preferred route.

In our scenario there are three routers to be configured:

Static Routes

Referring to LAX-RTR2, the route that corresponds to the Internet is 0.0.0.0 with a subnet mask of 0.0.0.0. This route becomes the static route with the following configuration:

Interface: 20.0.0.x

Destination: 0.0.0.0

Network mask: 255.255.255.0

Gateway: 20.0.0.3

Metric: 1 (default)

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. In the console tree, click + to expand the <server name> in the snap-in.

  3. Click + to expand IP Routing.

  4. Click Static Routes.

  5. Right-click in the details pane and select New static route.

  6. Select the interface name from the drop-down list.

  7. Type the Destination Network IP subnet found in the Static Routes table.

  8. Type the Network mask destination IP subnet found in the Static Routes table.

  9. Type the Gateway IP address found in the Static Routes table.

  10. Accept the default value for Metric.

  11. Ensure that the Use this route to initiate demand dial connections box is checked.

    Figure 75: Static Route for 20.0.0.x Interface

  12. Click OK.

  13. Restart the Routing and Remote Access Service.

  14. Right-click the <server name>.

  15. Click All Tasks.

  16. Click Restart.

Note: Because the demand dial connection is a point-to-point connection, the Gateway IP address is not configurable.
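To make the selection rule concrete, the following Python (an added example, not part of the walkthrough) chooses the route for a destination the way the text describes: the most specific destination match first, then the lowest metric, with the default route (destination 0.0.0.0, mask 0.0.0.0) used only when nothing else matches. The routing table is constructed; only the default route's interface 20.0.0.x and gateway 20.0.0.3 come from the page, and the remaining interface names and networks are placeholders.

```python
"""Static route selection, as described for the Windows 2000 routing service.

Added example, not from the original walkthrough. The routing table is
constructed: only the default route's interface (20.0.0.x) and gateway
(20.0.0.3) come from the page; other interface names and networks are
placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    interface: str             # routing interface name from the Interface drop-down
    destination: str           # destination network ID
    netmask: str               # network mask
    gateway: Optional[str]     # next hop; None on a point-to-point demand-dial interface
    metric: int = 1            # cost; lowest wins among equally specific routes
    demand_dial: bool = False  # "Use this route to initiate demand dial connections"

    def network(self) -> ipaddress.IPv4Network:
        # strict=True rejects a destination with host bits set under the mask.
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=True)


# Constructed routing table. A default route uses destination 0.0.0.0 with
# mask 0.0.0.0 so that it matches every address; being the least specific
# route, it is chosen only when no other route matches.
ROUTES: List[StaticRoute] = [
    StaticRoute("20.0.0.x", "0.0.0.0", "0.0.0.0", "20.0.0.3", metric=1),
    StaticRoute("160.50.10.x", "160.50.10.0", "255.255.255.0", "160.50.10.1", metric=1),
    # Two routes to the same branch network: the VPN interface is preferred
    # because its metric is lower; the dial-up path is a more expensive backup.
    StaticRoute("VPN-to-MEX", "160.50.50.0", "255.255.255.0", None, metric=1, demand_dial=True),
    StaticRoute("Dial-to-MEX", "160.50.50.0", "255.255.255.0", None, metric=5, demand_dial=True),
]


def select_route(dest_ip: str, routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Return the preferred route for dest_ip: the most specific matching
    destination wins, and among equally specific routes the lowest metric wins."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in r.network()]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-r.network().prefixlen, r.metric))
    return candidates[0]


def will_initiate_dial(dest_ip: str, routes: List[StaticRoute]) -> bool:
    """True when forwarding to dest_ip uses a route marked to initiate a
    demand-dial connection, i.e. a packet for it can bring the link up."""
    route = select_route(dest_ip, routes)
    return bool(route and route.demand_dial)


def validate_routes(routes: List[StaticRoute]) -> List[str]:
    """Flag entries the snap-in would reject or that are likely mistakes:
    a destination with host bits set under its mask, and a 0.0.0.0
    destination whose mask is not 0.0.0.0 (it would match only 0.0.0.x
    addresses rather than every Internet destination)."""
    problems: List[str] = []
    for r in routes:
        try:
            r.network()
        except ValueError:
            problems.append(f"{r.interface}: {r.destination}/{r.netmask} has host bits set")
            continue
        if r.destination == "0.0.0.0" and r.netmask != "0.0.0.0":
            problems.append(f"{r.interface}: default route has mask {r.netmask}, expected 0.0.0.0")
    return problems


if __name__ == "__main__":
    for dest in ("198.51.100.9", "160.50.50.20", "160.50.10.7"):
        r = select_route(dest, ROUTES)
        print(f"{dest} -> {r.interface} via {r.gateway or 'point-to-point'} "
              f"(metric {r.metric}, dials={will_initiate_dial(dest, ROUTES)})")
    print("problems:", validate_routes(ROUTES) or "none")
```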

Testing Router Configuration

Once the Hay Buv Toys administrator has completed all routing installation and configuration steps, all routers, highlighted in the following diagram, need to be tested to confirm that they connect correctly. To test TCP/IP connectivity by using the ping command, open the command prompt and then ping the desired host using its IP address. If the ping command fails, verify that the host IP address is correct, that the host is operational, and that all the gateways (routers) between this computer and the host are operational. Routing and Remote Access Service provides the ability to connect a routing interface manually.

Using ping

Confirm correct operation of the newly configured routes by pinging from a server on one side to a server on the other. Make certain the demand dial link is down when the ping is initiated. Use the ping '-t' option to ensure that ping continues until the demand dial link is established.

  1. Start | Programs | Accessories | Command Prompt.

  2. Type ping -t <IP>, where <IP> is the static IP address of a remote host (a host that is on a different subnet).

  3. Perform the previous step from at least one server on each side of the route.

Using Routing and Remote Access

A second test is manually connecting the routers using the routing service.

  1. Start | Programs | Administrative Tools | Routing and Remote Access.

  2. Double-click Routing and Remote Access.

  3. Double-click <server name>.

  4. Click Routing Interface.

  5. Right-click <interface name> in the details pane.

  6. Click Connect.

  7. Refresh display (by pressing F5) to verify that interface is connected.

If the demand dial link fails to come up, or the ping / response is not routed and results in a ping failure, even after the demand dial link is established, then confirm the router configuration steps above, particularly the user accounts, IP addresses, modem pool addresses, and static routes.


Figure 76: VPN over Internet via ISP topology

Installing and Configuring DNS

Install the DNS Service

The DNS Server service has been carefully integrated into the design and implementation of Active Directory. There are two significant changes when deploying Windows 2000 DNS servers together with Active Directory:

  • DNS name resolution is required for locating Windows 2000 domain controllers. The Netlogon service uses DNS server support to provide registration of the domain controllers in your DNS domain namespace.

  • Windows 2000 DNS servers can use Active Directory for storing and replicating your zones. By directory integrating your zones, you can take advantage of additional DNS features such as secure dynamic updates and record aging/scavenging features.

If DNS is not available on the network when you install the first domain controller in a domain, you can elect to have DNS installed and configured automatically during the installation of Active Directory.

The Active Directory Installation Wizard asks whether to install and configure the DNS service automatically if either one of the following conditions is true:

  • You are creating a new forest, and the Active Directory Installation Wizard does not find any DNS servers that are running on the network.

  • You are creating a new domain, and dynamic update is not available.

In this scenario it is important that DNS is installed and configured on the appropriate servers before promoting them to domain controllers, rather than using the default configuration that the Active Directory Installation Wizard sets up. This is necessary in order to confirm that DNS configuration is correct and allow for possible troubleshooting without the added complexity of the server also being a domain controller.

The DNS server that is authoritative for the domain will then exist so that Active Directory can locate it. Later, when a server is promoted to the role of a domain controller (DC) for a specified domain, you will be prompted to specify the DNS domain name for the Active Directory domain to which you are joining and promoting the server.

Note: A Windows 2000 installation CD may be required to install the DNS service.

The Hay Buv Toys administrator must now install and configure the DNS service on the server in the Los Angeles DMZ, as well as on the servers in each branch office that will become the domain controllers. The following subsections provide the installation and configuration steps necessary to complete this task for each server.

Note: The Internet and ISP static IP addresses in the table are for reference only. One of the prerequisites of this walkthrough is that the infrastructure to support Internet and ISP connectivity be available, including providing IP addresses for external connectivity. In order to complete the following steps you must use the static IP addresses provided by your Internet and ISP providers.

Use this table to complete the DNS installation and configuration.

DNS Server Parameters


To install DNS on a server:

  1. Start | Settings | Control Panel.

  2. Double-click Add / Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Deselect any unwanted default components.

  5. Click Networking Services.

  6. Click Details.

  7. Select Domain Name System.


    Figure 77: Subcomponents of networking services

  8. Click OK.

  9. Click Next.

  10. Click Finish (when complete).

  11. Click Yes if prompted to reboot the system.

Create DNS Zones

Once the DNS service is installed, the administrator's next steps are to create the primary and secondary zones. The administrator must ensure that the forest-wide locator records are available to all DNS servers in every site.

Distributing the Forest Wide Locator Records

Each domain controller in the forest registers two sets of locator records: a set of domain-specific records that end in <DNS-domain-name>, and a set of forest-wide records that end in _msdcs.<DNS-forest-name>. The forest-wide records are important to clients and domain controllers from all parts of the forest. For example, the global catalog locator records, and the records used by the replication system to locate replication partners, are included in the forest-wide records.

For any two domain controllers to replicate between each other, including two domain controllers from the same domain, they must be able to look up forest-wide locator records. In order for a newly created domain controller to participate in replication, it must be able to register its forest-wide records in DNS, and other domain controllers must be able to look up these records. For this reason, it is important to make the forest-wide locator records available to every DNS server in every site. Additionally, since these records can be configured so that they are rarely changed, there is no significant increase in replication traffic to distribute these records.

To do this, create a separate primary zone called _msdcs.<DNS-forest-name>, and replicate that zone to every DNS server. Generally, it is not sufficient to replicate the zone to only one DNS server per site. If a DNS server does not have a local copy of the _msdcs.<DNS-forest-name> zone, it must use DNS recursion to look up a name in that zone. For a DNS server to perform recursion, it contacts a DNS server that is authoritative for the root of the namespace (called a DNS root server) and proceeds down the delegations in DNS until it finds the record in question. If there is no DNS root server in a site, and the links between that site and other sites are down, a DNS server cannot perform recursion. Thus, it will not be able to find any DNS servers that are authoritative for _msdcs.<DNS-forest-name>, even if those DNS servers are in the same site.

On servers that host the forest root zone, _msdcs.<DNS-forest-name> can be Directory Service (DS) integrated. Making this zone DS integrated increases the availability of writable copies of the zone. Refer to the DNS Deployment documentation in the Windows 2000 Resource Kit for more information.

On servers that don't host the forest root zone, we accomplish the following by creating a secondary zone for _msdcs.<DNS-forest-name>, rather than DS integrated zones:

  • We eliminate replication of unnecessary DNS records to all the domain controllers in the domain.

  • By moving these records out of the forest root zone, we avoid replicating them to domain controllers that are not running DNS.

There are five requirements when configuring a DNS server with this model:

  • Add a primary zone for the server's domain on the DNS server.

  • Add a primary _msdcs zone on the forest root DNS server.

  • Add a delegation for _msdcs.<DnsForestName> to the forest root zone.

  • Add delegations for child domains to the parent zone.

  • Add a secondary _msdcs zone to other DNS servers that are also domain controllers.

Note: Delegations for new trees should be added to the DNS zone to which the zone is subordinate.
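As an added example (not part of the original walkthrough), the following PowerShell script asks every DNS server for the forest-wide locator records with recursion disabled, which is the condition a server must meet once its inter-site link is down. It assumes the DnsClient module (Windows 8 / Windows Server 2012 or later) on the workstation running it; the server inventory is constructed for the Hay Buv Toys scenario, and the MEX-DC1 address is a placeholder.

```powershell
# Added example, not code from the TechNet walkthrough.
# Checks that each DNS server can answer forest-wide locator lookups
# (_msdcs.<DNS-forest-name>) from a local copy of the zone, without recursion.

$Forest = 'corp.hay-buv.net'

# Constructed inventory: one DNS server per site. MEX-DC1's address is a placeholder.
$DnsServers = @(
    @{ Site = 'LosAngeles'; Name = 'LAX-DC1'; Address = '160.50.10.2' }
    @{ Site = 'MexicoCity'; Name = 'MEX-DC1'; Address = '160.50.50.2' }
)

# Forest-wide SRV records that the DC locator and replication depend on.
$LocatorRecords = @(
    "_ldap._tcp.dc._msdcs.$Forest"    # every domain controller in the forest
    "_ldap._tcp.gc._msdcs.$Forest"    # global catalog servers
)

function Test-MsdcsLocator {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Record
    )
    try {
        # -NoRecursion: a server without a local copy of the zone must not be
        # allowed to hide that by recursing to a root server.
        # -DnsOnly: ignore LLMNR/NetBIOS so only the DNS answer counts.
        $answer  = Resolve-DnsName -Name $Record -Type SRV -Server $Server `
                       -NoRecursion -DnsOnly -ErrorAction Stop
        $targets = $answer | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
        if (-not $targets) {
            return [pscustomobject]@{ Server = $Server; Record = $Record; Status = 'NoAnswer'; Targets = $null }
        }
        [pscustomobject]@{ Server = $Server; Record = $Record; Status = 'OK'; Targets = ($targets -join ', ') }
    } catch {
        [pscustomobject]@{ Server = $Server; Record = $Record; Status = "Failed: $($_.Exception.Message)"; Targets = $null }
    }
}

$results = foreach ($dns in $DnsServers) {
    foreach ($rec in $LocatorRecords) {
        Test-MsdcsLocator -Server $dns.Address -Record $rec |
            Add-Member -NotePropertyName Site -NotePropertyValue $dns.Site -PassThru
    }
}

$results | Format-Table Site, Server, Record, Status, Targets -AutoSize

# Any row that is not OK is a server that cannot find replication partners once
# its inter-site link is down; the fix is a secondary _msdcs zone on that server.
$broken = @($results | Where-Object Status -ne 'OK')
if ($broken.Count -gt 0) {
    Write-Warning "$($broken.Count) locator lookups did not succeed without recursion."
}
```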

Create Standard Primary Zone

  1. Start | Programs | Administrative Tools | DNS.

  2. Double-click the server.

  3. Right-click Forward Lookup Zones in the console tree.

  4. Select New Zone.

  5. Click Next.

  6. Select Standard Primary in Zone Type box.

  7. Click Next.

  8. In Name box, type the DNS zone name.

  9. Click Next.

  10. Select Create a new file with this name and accept the default name.

  11. Click Next.

  12. Click Finish.


    Figure 78: Standard primary zones for LAX-DC1

  13. Right-click the new zone in the console tree.

  14. Select Properties.

  15. Set Allow dynamic updates to the appropriate value.

  16. Select the Zone Transfers tab.

  17. Ensure that Allow zone transfers check box is checked.

  18. Click Notify.

  19. Ensure that Automatically notify check box is not selected.

  20. Click the Start Of Authority (SOA) tab.

  21. Set the Refresh interval to "1 day."

  22. Click OK.

Create Standard Secondary Zone

  1. Start | Programs | Administrative Tools | DNS.

  2. Right-click Forward Lookup Zones in the console tree.

  3. Select New Zone.

  4. Click Next.

  5. Select Standard Secondary in Zone Type box.

  6. Click Next.

  7. In Name box, type DNS zone name.

  8. Click Next.

  9. In Master DNS Server box, type the IP address.

  10. Click Next.

  11. Click Finish.

Configure DNS Delegations

The DNS server in the Los Angeles DMZ and the LAX-DC1 server in the Los Angeles office, which will become the domain controller for the enterprise, now need to be configured with delegations. These are name service records in the parent zone that list the name servers authoritative for the delegated zone.

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Right-click the primary zone under which the delegation will reside.

  4. Select New Delegation.


    Figure 79: A delegation for LAX-DC1

  5. Click Next.

  6. In Delegated domain box, type the delegated domain name.

  7. Click Next.

  8. Click Add.

  9. Type the server DNS name and IP address that will host the delegated zone.

  10. Click OK.


    Figure 80: Name server to host the delegated zone

  11. Click Next.

  12. Click Finish.

Repeat for each delegation.

Configure Forwarders

When DNS servers do not know how to resolve a name either because they do not host a copy of the necessary zone or because they have no delegations to the appropriate zone, they can be configured to pass the request on to another machine. This mechanism is called forwarding, and the following section outlines the procedure for configuring forwarders for a DNS server.

  1. Start | Programs | Administrative Tools | DNS.

  2. Right-click the server in the console tree and select Properties.

  3. Click the Forwarders tab.

  4. Select Enable Forwarders.

  5. In IP Address box, type forwarder IP address.

  6. Click Add.

  7. Select Do not use recursion (this prevents dial-up attempts caused by servers recursing to servers in their root hint list).

Figure 81: Enable forwarder to 160.50.10.2 (LAX-DC1)

Configure Root Hints

When DNS servers need to query root servers in order to resolve a name, they use servers in their root hint list. Because all DNS servers that sit within the firewall are configured to use their forwarders and not look up names recursively through their root hints, they don't need special root hint configuration. That is, the default values are okay, since they will be ignored anyway. However, DNS servers that sit in a DMZ should be configured to have root hints that point to root servers. If you will use Internet root servers, then simply keep the defaults. These default entries are pre-populated Internet root servers. However, if you are hosting your own internal '.' zone, then configure your root hints accordingly.

  1. Start | Programs | Administrative Tools | DNS.

  2. Right-click the applicable DNS server.

  3. Click Properties.

  4. Click Root Hints.

  5. Click Add.

  6. Type the Internet DNS server name.

  7. Type the Internet DNS server IP address.

  8. Click OK.

  9. Click OK.

Test the DNS Configuration

Once the administrator has completed installing and configuring the DNS servers, highlighted in the diagram below, the administrator must test the servers to confirm that they are correctly resolving DNS names. The Windows 2000 DNS Server service provides the capability to test and monitor DNS by using the DNS console. Nslookup, another diagnostic utility for the DNS Server service, is also available for testing the DNS Server service and testing resource records.

Monitoring a DNS Name Server

You can configure the DNS Server service to perform queries on a scheduled basis to ensure that the service is operating correctly.

In the DNS console, open the Properties dialog box for the server that you want to monitor, and then click the Monitoring tab. You can test a DNS name server by performing two types of queries:

  • Simple query. This type of query performs a local test by using the DNS client to query a DNS name server. Select this option to perform a simple query test of a DNS name server.

  • Recursive query. This type of query tests a DNS name server by forwarding a recursive query to another DNS name server. Select this option to perform a more complex, recursive query test of a DNS name server.

Under Tests Performed, select the Simple query check box, the Recursive query check box, or both, and then click Test Now. The test results appear under Test results in the Properties dialog box for the server.

Using Nslookup

Nslookup is a useful tool for troubleshooting DNS problems, such as host name resolution. When you start Nslookup, it shows the host name and IP address of the DNS server configured for the local system, and then displays a command prompt for further queries. If you type a question mark (?), Nslookup shows all available commands. You can exit the program by typing Exit.

To look up a host's IP address using DNS, type the host name and press ENTER. Nslookup defaults to using the DNS server configured for the computer on which it is running, but you can focus it on a different DNS server by typing server <name> (where <name> is the host name of the server you want to use for future lookups). In some cases, you might see several time-outs reported. This happens when reverse look-up is not configured for DNS servers servicing the same DNS domain as your Active Directory domain.

Nslookup has two modes: interactive and noninteractive.

When you require:

  • More than one piece of data, use interactive mode.

    • To run interactive mode, at the command prompt type Nslookup.

    • To exit interactive mode, type Exit.

  • A single piece of data, use noninteractive mode.

    Type the Nslookup syntax at the command prompt, and the data is returned.

You can use Nslookup to view resource records and direct queries to any DNS name server, including UNIX implementations of DNS.

  1. Start | Programs | Accessories | Command Prompt.

  2. Type Nslookup (interactive mode).

  3. At the command prompt, type commands. For help on commands, type ?.

  4. Type Exit to quit.

The following table describes the Nslookup syntax:

nslookup [-option ...] [computer-to-find | -server]

Syntax             Description
-option ...        Specify one or more Nslookup commands. For a list of commands, type a question mark (?) to open Help.
computer-to-find   If the computer-to-find is an IP address, Nslookup returns the host name. If the computer-to-find is a host name, Nslookup returns an IP address. If the computer-to-find is a name and does not have a trailing period, the default DNS domain name is appended to the name. To find a computer outside of the current DNS domain, append a period to the name.
-server            Use this server as the DNS name server. If the server is omitted, the currently configured default DNS name server is used.

Using ping

Confirm that DNS names can be resolved by pinging from a server on one side to a server on the other. The demand dial links should be connected before the ping is initiated.

  1. Start | Programs | Accessories | Command Prompt.

  2. Ping servers by DNS name to verify that the DNS server can be accessed and the DNS name can be resolved.

  3. Perform this step for all servers.


Figure 82: VPN over Internet via ISP topology

Promoting the First Domain Controller in the Enterprise

Promoting a server to a domain controller and adding Active Directory are separate operations from installing Windows 2000 Server. You first install Windows 2000 Server; then you promote the servers in order to install Active Directory on the servers you want to use as domain controllers.

Use one of the following options to install Active Directory:

The Active Directory Installation Wizard. The wizard can be started as follows:

  • In the Windows 2000 Configure Your Server dialog box that appears when you start the server computer, select the Active Directory option for installing Active Directory.

– or –

  • Press the Start button and click Run. Type Dcpromo.exe in the Run dialog box.

The domain structure for Hay Buv Toys is diagrammed below. The forest root is corp.hay-buv.net; therefore the first domain controller in the enterprise will be LAX-DC1. All activities in this section will be performed on LAX-DC1 only.

If DNS has not already been configured on this server, refer to "Install and Configure DNS."


Figure 83:

Promote the First Domain in the Enterprise

Server Network Configuration


Promoting LAX-DC1:

  1. Start | Run | Dcpromo.exe.

  2. Click Next.

  3. Select Domain controller for a new domain.

  4. Click Next.

  5. Select Create a new domain tree.

  6. Click Next.

  7. Select Create a new forest of domain trees.

  8. Click Next.

  9. In the Full DNS name for the domain box, type the fully qualified DNS domain name of the forest root, corp.hay-buv.net.

  10. Click Next.

  11. For the Domain NetBIOS name box, accept the default, which should be CORP.

  12. Click Next.

  13. Adjust the paths for the Database location and Log location boxes to suit your server's drive configuration, if needed; otherwise accept defaults.

  14. Click Next.

  15. Adjust the path for the Folder location (SYSVOL) box to suit your server's particular drive configuration, if needed; otherwise accept default.

  16. Click Next.

  17. Select Permissions compatible only with Windows 2000 servers.

  18. Click Next.

  19. Type a password for the Administrator account used when booting into DS Repair mode.

  20. Click Next.

  21. At the Summary page, verify that all entries are correct.

  22. Click Next to begin the Active Directory installation.

  23. Click Finish (when installation is completed).

  24. Answer Yes to the prompt to reboot.

Update DNS Zone Types

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Expand each primary zone for the server being configured.

  4. Right-click and select Properties for each expanded zone.

  5. Select the General tab.

  6. Ensure that the Type box is set to AD Integrated.

  7. Click the Change button.

  8. For Select a zone type box, select Active Directory Integrated.

  9. Click OK.

  10. Ensure that the Allow dynamic updates box is set to Secure from the drop-down list.

  11. Click OK.

Create and Configure Sites For Each LAN

The primary purpose of the Microsoft® Windows® 2000 Active Directory™ Sites and Services snap-in is to administer the replication topology both within a site in a local area network (LAN) and between sites in a wide area network (WAN) in an enterprise environment.

A site is a region of a network with high bandwidth connectivity, and is by definition a collection of well-connected computers (based on Internet Protocol (IP) subnets). Because sites control how replication occurs, changes made with the Sites and Services snap-in affect how efficiently domain controllers (DC) that are within one domain, but separated by great distances, can communicate.

A site is separate in concept from Windows 2000-based domains because a site may span multiple domains, and a domain may span multiple sites. Sites are not part of the domain namespace. Sites control replication of domain information and help to determine resource proximity. Sites affect replication traffic and other forms of network traffic related to Active Directory, such as locating a domain controller in response to a request for logon authentication. If a domain controller that offers the requested service is located in the client computer's site, the client is referred to that domain controller, thus using the faster connections within a site.

To ensure that the Active Directory service in the Windows 2000 operating system can replicate properly, a service known as the Knowledge Consistency Checker (KCC) runs on all DCs and automatically establishes connections between individual computers in the same site. These are known as Active Directory connection objects. An administrator can establish additional connection objects or remove connection objects, but at any time when replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume Active Directory replication.

Replication between sites is assumed to occur on either higher cost or slower speed connections. As such, the mechanism for inter-site replication permits the selection of alternative transports, and is established by creating site links and site link bridges.

Configuring sites, subnets, and site links before promoting additional servers will allow the system to automatically place each new domain controller in the correct site. Alternatively, domain controllers can be moved between sites through their context menus.

Sites and Subnet Parameters

         Site Name    Address       Subnet Mask     Subnets
Site 1   LosAngeles   160.50.10.0   255.255.255.0   160.50.10.0
Site 3   MexicoCity   160.50.50.0   255.255.255.0   160.50.50.0

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Right-click Sites in the console tree.

  3. Select New site.

  4. For the Name box, type the first site name from the Sites and Subnet Parameters table.

  5. Select DEFAULTIPSITELINK.

  6. Click OK.

  7. Click OK.

Repeat for both sites in the table.

Moving the Domain Controller

When both sites have been created and the first domain controller in the enterprise has been moved from the default site to its target site, the default site object may be deleted by right-clicking the site object and selecting Delete.

  1. Double-click DEFAULT-FIRST-SITE-NAME.

  2. Double-click Servers.

  3. Right-click <server name>.

  4. Click Move.

  5. Select the site that should contain the server.

  6. Click OK.

Configure Subnets

Refer to Sites and Subnet Parameters table to configure the subnets.

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Expand the Sites folder in the console tree by clicking +.

  3. Right-click Subnets.

  4. Click New Subnet.

  5. For the Address box, type the Site 1 Address.

  6. For the Mask box, type the Site 1 Mask.

  7. For the Site Name box, type the Site 1 Site Name.

  8. Click OK.

Repeat for Site 3 in the table.

Note: A subnet object should be defined and associated with a site so that every computer's IP address on your network will map to a subnet.

Create Site Links

For replication to occur between two sites, a link must be established between the sites. Site links are not generated automatically and can be created in Active Directory Sites and Services. Unless a site link is in place, the KCC cannot create connections between computers in the two sites automatically, and replication between the sites cannot take place. Each site link contains the schedule that determines when replication can occur between the sites that it connects. The Active Directory Sites and Services user interface guarantees that every site is placed in at least one site link. A site link can contain more than two sites; in such a case, all the sites are equally well connected.

Site Link Parameters

              Site Link Name   Sites
Site Link 2   LAX-MEX          LosAngeles, MexicoCity

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Expand the Sites folder in the console tree by clicking +.

  3. Expand the Inter-site Transports folder by clicking +.

  4. Right-click the IP folder.

  5. Select New Site Link.

  6. For the Name box, type LAX-MEX.

  7. Using the Add/Remove, place the sites LosAngeles and MexicoCity in the Sites column.

  8. Click OK.

Repeat for each site link.

Figure 84: Site link between Los Angeles and Mexico City

Note: Once the site link has been created, the default site link object may be deleted by right-clicking the site link object and selecting Delete.

Schedule Replication

The last task is to schedule replication between the sites. Because the Los Angeles office cannot initiate a replication request, it is critical that the schedules on each connection object be identical. The Hay Buv administrator has decided that replication will occur at 11 A.M. and at 11 P.M. daily. The administrator will complete this task on the domain controller, LAX-DC1.

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Expand the Sites folder labeled in the console tree by clicking +.

  3. Expand the site labeled LosAngeles by clicking +.

  4. Expand the Servers folder by clicking +.

  5. Expand the server labeled LAX-DC1 by clicking +.

  6. Expand the NTDS Settings object by clicking +.

  7. Right-click the connection object listed in the details pane.

  8. Click Properties.

  9. Click Change Schedule.

  10. Click All, then select the None option button.

  11. Click 10am to 11am then select the Once per Hour option.

  12. Click 10pm to 11pm, then select the Once per Hour option.

  13. Click OK.

  14. Click OK.

  15. Click Yes to set the schedule configuration so that the changes will not be overwritten.

Repeat for the MexicoCity site.


Figure 85: Schedule replication

Promoting a Child Domain

In our scenario, mex.corp.hay-buv.net is a child domain of corp.hay-buv.net and requires its own domain controller. The process is similar to promoting the first domain controller in the enterprise and also uses Dcpromo.exe. Here we will be promoting MEX-DC1. Because a dial-up connection is being used we can either make the connection available prior to promotion or configure the dial-up delay through the registry key.

If DNS has not already been configured on these servers, refer to "Install and Configure DNS."


Figure 86:

Configure Registry Keys

Configure the dial-up delay registry key so that components such as DNS and Netlogon will wait for the dial-up link to be established when performing network operations.

Note: This step can be omitted if the connection will definitely be available prior to the promotion. In this case, this registry key can be managed via group policy after the promotion is completed. If the connection will potentially be demand initiated, then this registry setting should be configured prior to the promotion. Complete this step on all domain controllers and member servers that will need to go over the dial-up link.

  1. Run RegEdt32.exe.

  2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters.

  3. Select Edit | Add value.

  4. Type ExpectedDialupDelay in Value name box.

  5. Select REG_DWORD in Data type box.

  6. Click OK.

  7. Enter a time in seconds that is the average time it takes the router to dial and connect to another demand dial router (for example, 15 seconds). To determine what the value of this key should be:

    • Ensure the dial-up link is down.

    • Initiate a dial-up link by pinging a server on the remote network.

    • Record the amount of time that it takes to establish the dial-up connection.

    • Use this value for this registry key, perhaps adding a small amount (for example, 5 seconds) to allow for some variation in connection time.

  8. Click OK.
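The measurement and registry steps above, scripted as an added example that is not part of the original walkthrough: it pings the far side of the link until the first reply, times that wait, adds the safety margin, and writes ExpectedDialupDelay. It assumes an elevated PowerShell session on the branch server, that the demand dial link is down when the script starts, and a constructed remote address (LAX-DC1 in the 160.50.10.0/24 subnet).

```powershell
# Added example, not code from the TechNet walkthrough.
# Measures the demand dial connect time and sets Netlogon's ExpectedDialupDelay.

$RemoteHost = '160.50.10.2'   # constructed: LAX-DC1 on the far side of the dial-up link
$MarginSec  = 5               # extra seconds to absorb variation in connect time
$MaxWaitSec = 120             # give up if the link never comes up
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Measure-DialupDelay {
    param([string] $Target, [int] $TimeoutSec)
    # Equivalent of "ping -t": keep pinging until the first reply, timing the wait.
    # The first ping triggers the demand dial router to bring the link up.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $TimeoutSec) {
        if (Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue) {
            $sw.Stop()
            return [int][Math]::Ceiling($sw.Elapsed.TotalSeconds)
        }
        Start-Sleep -Seconds 1
    }
    throw "No reply from $Target within $TimeoutSec seconds; the demand dial link did not come up."
}

$measured = Measure-DialupDelay -Target $RemoteHost -TimeoutSec $MaxWaitSec
$value    = $measured + $MarginSec
Write-Host "Link to $RemoteHost answered after $measured s; setting ExpectedDialupDelay = $value"

# REG_DWORD under Netlogon\Parameters; -Force overwrites an existing value.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name 'ExpectedDialupDelay' -PropertyType DWord `
                 -Value $value -Force | Out-Null

# Read the value back to confirm it was written.
(Get-ItemProperty -Path $KeyPath -Name 'ExpectedDialupDelay').ExpectedDialupDelay
```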

Promote the Child Domain

Server Network Configuration


  1. Run Dcpromo.exe.

  2. Click Next.

  3. Select Domain controller for a new domain.

  4. Click Next.

  5. Select Create a new child domain in an existing domain tree.

  6. Click Next.

  7. In User name box, type Administrator.

  8. In Password box, type a password.

  9. For Domain box, type the parent NetBIOS domain name, which is CORP.

  10. Click Next.

  11. In Parent domain box, type the full DNS domain name, which is corp.hay-buv.net.

  12. In Child domain box, type the new child domain name, which is mex.

  13. Click Next.

  14. For NetBIOS Domain Name box, accept default, which should be MEX.

  15. Click Next.

  16. Adjust the paths for Database location and Log location boxes to suit your server's drive configuration, if needed; otherwise, accept defaults.

  17. Click Next.

  18. Adjust the path for Folder location (SYSVOL) box to suit your server's particular drive configuration, if needed; otherwise, accept default.

  19. Click Next.

  20. Select Permissions compatible only with Windows 2000 servers.

  21. Click Next.

  22. Type a password for the Administrator account used when booting into DS Repair mode.

  23. Click Next.

  24. At the Summary page, verify that all entries are correct.

  25. Click Next to begin the Active Directory installation.

  26. Click Finish (when installation is completed).

  27. Answer Yes to the prompt to reboot.

Update DNS Zone Types

  1. Start | Programs | Administrative Tools | DNS.

  2. Expand Forward Lookup Zones in the console tree by clicking +.

  3. Expand each primary zone for the server being configured.

  4. Right-click and select Properties for each expanded zone.

  5. Select the General tab.

  6. Ensure that the Type box is set to AD Integrated.

  7. Click Change.

  8. In Select a zone type box, select Active Directory Integrated.

  9. Click OK.

  10. Ensure that the Allow dynamic updates box is set to Secure from the drop-down list.

  11. Click OK.

Configuring a Global Catalog For Each Site

Earlier in this process a site was created for Los Angeles and another for the Mexico City office. Now that domain controllers exist in each site, a global catalog should be available for each site as well. The administrator should perform this task for each of the sites on the LAX-DC1 server.

Site Name    Server
LosAngeles   LAX-DC1
MexicoCity   MEX-DC1

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click the <site name>.

  4. Double-click Servers.

  5. For each server listed in the table:

  6. Double-click the server.

  7. Right-click NTDS Settings.

  8. Click Properties.

  9. Ensure that at least one server in the site has the Global Catalog box checked.

  10. Click OK.


Figure 87: Configuring a global catalog in each site

Replicating Dial-up Sites

In cases where replication between sites can be initiated by only one side of a site link, such as when a dial-up connection must go through an ISP, a flag can be set on the connection object (based on site link attribute information) to implement two-way replication between the source and destination domain controllers of the connection. The implementation works as follows: The domain controller on the dial-up side of the link opens a connection and initiates replication (requests changes). After it receives the changes from the domain controller it contacted, the dial-up domain controller responds by sending a change notification. The change notification prompts the second domain controller to request changes from the first domain controller. The effect is a two-way replication over the initial connection that was opened by the dial-up side of the site link.

The most common scenario in which reciprocal replication is enabled is replication between the main office and a branch office of a company. In this scenario, the branch office must dial up an ISP before a VPN connection can be established. In this example, the following occurs:

  1. The branch office dials up the ISP.

  2. The branch office establishes a VPN connection to the main office.

  3. The branch office initiates replication by requesting changes from the main office.

  4. After replication, the branch office immediately sends a change notification to the main office.

  5. The main office requests replication changes from the branch office.

  6. The branch office replicates its changes to the main office.

In our scenario, reciprocal replication is required because the Los Angeles office cannot instruct the ISP to first dial up the Mexico City office and, therefore, cannot initiate a connection. Only the Mexico City office can initiate communication to the Los Angeles office. With reciprocal replication enabled, the branch office can initiate replication from that office after the VPN link has been established.

Enabling reciprocal replication between two sites involves modifying the options attribute value on the site link object. With this attribute set on the site link, the KCC creates the connections across the link with the appropriate setting in effect. Use ADSI Edit to enable reciprocal replication.

This procedure should be completed on LAX-DC1 for the LAX-MEX site link.

Installing the Support Tools

ADSIEDIT.MSC is a support tool that is included on the Windows 2000 Server CD. If you have not already done so, install the support tools from the Support/Tools folder on the CD.

  1. Start | Programs | Administrative Tools | Configure Your Server.

  2. Click Advanced in the left column.

  3. Click Support Tools.

  4. Follow the instructions that are displayed to install the Support Tools.

Enabling Reciprocal Replication

The following procedure outlines how to enable reciprocal replication on a site link object.

  1. Start | Programs | Windows 2000 Support Tools | ADSI Edit.

  2. In the leftmost pane:

  3. Click + to expand Configuration Container.

  4. Click + to expand CN=Configuration,DC=corp,DC=hay-buv,DC=net.


    Figure 88: ADSI Edit hay-buv.net configuration

  5. Click + to expand CN=Sites.

  6. Click + to expand CN=Inter-Site Transports.

  7. Click CN = IP.


    Figure 89: ADSI Edit IP container

  8. In the details pane, right-click the site link object LAX-MEX.

  9. Select Properties.

  10. In the Select a property to view box, use the drop-down list to select Options.

  11. If the Value(s) box shows "<not set>", type 2 in the Edit Attribute box.

    Figure 90: ADSI Edit options value

    Note: If the Value(s) box already contains a value, you must derive the new value by using a Boolean BITWISE-OR calculation on the old value, as follows: old_value BITWISE-OR 2. For example, if the value in the Value(s) box is 1, calculate 0001 OR 0010 to equal 0011. Type the integer value of the result in the Edit Attribute box; for this example, the value is 3.

  12. Click Set.

  13. Click OK.

  14. Exit ADSIEDIT by closing the window.
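
Both the Global Catalog check box (earlier in this section) and the ADSI Edit procedure above flip one bit in an object's options attribute: bit 1 on the NTDS Settings object marks the server as a global catalog, and bit 2 on the site link object enables reciprocal replication. The following PowerShell script is an added example, not code from the walkthrough, that performs the same bitwise-OR update from the command line so it can be repeated and audited; it assumes the walkthrough's configuration container (CN=Configuration,DC=corp,DC=hay-buv,DC=net), the LAX-MEX site link, and the LAX-DC1 and MEX-DC1 servers, and it must run as an account allowed to write to the configuration partition.

```powershell
# Added example, not code from the walkthrough: set one bit in an object's
# "options" attribute with a bitwise OR, which is what the ADSI Edit steps
# (site link, bit 2) and the Global Catalog check box (NTDS Settings, bit 1)
# do by hand. Assumes the walkthrough's forest and object names.

$configNC = 'CN=Configuration,DC=corp,DC=hay-buv,DC=net'

# Bit values of the "options" attribute for the two object classes involved.
$NTDSSITELINK_OPT_TWOWAY_SYNC = 2   # siteLink: reciprocal replication (the "2" typed above)
$NTDSDSA_OPT_IS_GC            = 1   # nTDSDSA (NTDS Settings): this DC is a global catalog

function Set-OptionsBit {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [int]    $Bit
    )
    $obj = [ADSI]"LDAP://$DistinguishedName"
    # "<not set>" in ADSI Edit arrives here as $null; treat it as 0.
    $current = $obj.psbase.Properties['options'].Value
    $old = if ($null -eq $current) { 0 } else { [int]$current }
    # old_value BITWISE-OR bit, as the note above describes (1 OR 2 = 3, for example).
    $new = $old -bor $Bit
    if ($new -eq $old) {
        Write-Host "$DistinguishedName : options=$old already has bit $Bit; no change"
        return $old
    }
    $obj.Put('options', $new)
    $obj.SetInfo()
    Write-Host "$DistinguishedName : options $old -> $new"
    return $new
}

# Reciprocal replication on the LAX-MEX site link (the ADSI Edit procedure above).
Set-OptionsBit -DistinguishedName "CN=LAX-MEX,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" `
               -Bit $NTDSSITELINK_OPT_TWOWAY_SYNC

# One global catalog per site (the Sites and Services procedure above).
$gcServers = @{ LosAngeles = 'LAX-DC1'; MexicoCity = 'MEX-DC1' }
foreach ($site in $gcServers.Keys) {
    $dn = "CN=NTDS Settings,CN=$($gcServers[$site]),CN=Servers,CN=$site,CN=Sites,$configNC"
    Set-OptionsBit -DistinguishedName $dn -Bit $NTDSDSA_OPT_IS_GC
}
```

Because the new value is computed with -bor rather than assigned, bits that are already set (the value 1 in the note's example) are preserved and running the script twice changes nothing, which is the same result the manual calculation is meant to produce.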

Testing Active Directory Replication

The administrator has now completed all the tasks required to implement Active Directory replication over VPN and dial-up links. Throughout this walkthrough the various components were tested as installation and configuration were completed. The last step is to test Active Directory replication. For each site link, the administrator should complete one test pass with the routing interfaces connected and another with the routing interfaces disconnected. Use the following steps to initiate and monitor replication.

Change Site Link Schedule

The site link replication schedule default is 180 minutes. Change this to 15 minutes or a reasonably short time period in which to monitor replication.

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click Inter-site Transports.

  4. Double-click IP.

  5. Right-click the appropriate site link.

  6. Click Properties.

  7. Adjust the Replicate every box to 15 minutes.

  8. Click OK.

Initiating Replication

  1. Start | Programs | Administrative Tools | Active Directory Sites and Services.

  2. Double-click Sites.

  3. Double-click <site name>.

  4. Double-click Servers.

  5. Double-click <server name>.

  6. Double-click NTDS Settings.

  7. Right-click the Active Directory connection.

  8. Click Replicate Now.

Viewing Replication Status

Active Directory Replication Monitor (replmon.exe) is a graphical tool that you can use to view low-level status and performance of replication between Active Directory domain controllers. If you have not already done so, install the support tools from the Support/Tools folder on the Windows 2000 Server CD. Refer to online Help for a full explanation of the monitoring and troubleshooting features of the Active Directory Replication Monitor.

  1. Start | Windows 2000 Support Tools | Tools | Active Directory Replication Monitor (or use Start | Run | replmon.exe).

  2. Right-click Monitored Servers.

  3. Click Add Monitored Server.

  4. Accept the default Add the server explicitly by name.

  5. Click Next.

  6. In Enter the name of the server to monitor explicitly box, type the computer name.

  7. Click Finish.

  8. Click View from the menu bar and ensure that Details View is selected.

Selecting each directory partition (also known as naming contexts) will display replication history in the details pane. This history includes the time a refresh was initiated and the USN of the replication partner, which reflects the value of the last originating change that the monitored server has received.


Figure 91: Active Directory replication monitor

KCC Diagnostic Events

HKLM/System/ControlSet001/Services/NTDS/Diagnostics/1 Knowledge Consistency Checker DWORD: 3

Changing the default value to three increases the number of events to be logged in the event viewer Directory Services log. This key should be changed for testing and troubleshooting only, since excess events are generated with each replication and could quickly fill the log.
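
The three procedures above (shorten the site link schedule, trigger replication, read the partner status) and the KCC diagnostic key can be driven from the command line as well. The following PowerShell script is an added example, not code from the walkthrough: it uses the ActiveDirectory module cmdlets and repadmin.exe rather than the Windows 2000 Replication Monitor, assumes the walkthrough's names (LAX-MEX, LAX-DC1, MEX-DC1, DC=corp,DC=hay-buv,DC=net), and writes the diagnostic value under CurrentControlSet rather than the ControlSet001 path shown above (on a running system they normally refer to the same control set).

```powershell
# Added example, not from the walkthrough: shorten the LAX-MEX schedule, force one
# replication cycle across the link, read per-partner status, and (for a test pass
# only) raise KCC logging. Assumes the ActiveDirectory module and repadmin.exe.
Import-Module ActiveDirectory

$SiteLink = 'LAX-MEX'
$SourceDC = 'LAX-DC1.corp.hay-buv.net'   # main office, the side that cannot dial out
$DestDC   = 'MEX-DC1.corp.hay-buv.net'   # branch office, the side that dials the ISP
$DomainNC = 'DC=corp,DC=hay-buv,DC=net'

# Change Site Link Schedule: 15 minutes for the test window (the page's default is 180).
Set-ADReplicationSiteLink -Identity $SiteLink -ReplicationFrequencyInMinutes 15

# Initiating Replication: the command-line form of "Replicate Now". Pulls $DomainNC
# from the source DC into the destination DC; run it once per partition to check.
& repadmin.exe /replicate $DestDC $SourceDC $DomainNC

# Viewing Replication Status: one row per inbound partner and partition. Compare
# LastReplicationSuccess and ConsecutiveReplicationFailures between the pass with
# the routing interfaces connected and the pass with them disconnected.
function Get-LinkReplicationStatus {
    param([Parameter(Mandatory)] [string] $Target)
    Get-ADReplicationPartnerMetadata -Target $Target -PartnerType Inbound |
        Select-Object Partition,
                      @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
                      LastReplicationAttempt, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures, LastChangeUsn
}
Get-LinkReplicationStatus -Target $DestDC | Format-Table -AutoSize

# KCC Diagnostic Events, troubleshooting only: level 3 floods the Directory Service
# log on every replication, so set it back to 0 when the test pass is done.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '1 Knowledge Consistency Checker' -Value 3 -Type DWord
& repadmin.exe /replicate $DestDC $SourceDC $DomainNC
Get-WinEvent -LogName 'Directory Service' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
Set-ItemProperty -Path $diag -Name '1 Knowledge Consistency Checker' -Value 0 -Type DWord
```

Run the script on a machine in the Mexico City site so that the repadmin call originates on the side of the link that can bring the connection up; a result code other than 0 in LastReplicationResult, or a LastReplicationSuccess that does not advance between passes, is the signal to look at the routing interface before the directory.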

Registry Settings for Remote Offices

Registry keys can be used to reduce the wire traffic across a dial-up link, or alter the behavior of system components to be more demand dial friendly. This section details some recommended configuration settings on the following registry keys on all servers in a site with a dial-up link (except where otherwise noted). For instance, the registry key "XfrConnectTimeout" should only be set on DNS servers. Where available, a key's description will contain a system default value as well as a recommended default value to use in demand dial deployments.

Note: All numerical default and recommended demand dial settings are expressed in decimal.

Primary Domain Controller Communications

Avoid PDC on WAN

Prevents the Backup Domain Controller (BDC) from sending new password information to a remote Primary Domain Controller (PDC). Also, if a client password fails to authenticate on the BDC, the BDC does not attempt to authenticate that password on the remote PDC. Instead of Net Logon, the PDC and BDC use Active Directory replication to update password information.

This entry does not affect password sharing between BDCs and PDCs residing on the same site. If the BDC and PDC are on the same site, the BDC sends password information regardless of the value of this entry.

Setting this value to 1 can reduce WAN traffic between domain controllers at remote locations, but PDCs might not always have the most current password data. As a result, legitimate users might not be authenticated. The recommended setting is 1.

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/AvoidPdcOnWan DWORD: 1

Data Type    Range    Default Value
REG_DWORD    0 | 1    0

Value    Meaning
0        BDC sends password information to remote PDC
1        BDC sends password information to PDCs within the site

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Master Periodicity

This key instructs the browser service to adjust its default interval for contacting a domain master browser. A network with a demand dial route is configured with broadcast traffic filters to prevent the dial-up link from being established due to broadcast traffic; thus, a master browser will be elected on that network. This is because any master browsers on other networks are unreachable through broadcast due to the filter. The PDC is always the domain master browser, so a master browser on a network that doesn't host the PDC for the domain will cause demand dial links due to attempts to locate the PDC. The default interval can be overridden by setting this key to the desired interval. By default, MasterPeriodicity is not present and the internal default is 720 seconds (twelve minutes), and the minimum is 300 seconds (five minutes). The maximum is 4,294,967 seconds (or 0x418937 hex), which is 49 days and 8 hours. The recommended default for demand dial deployments is 86400 seconds (1 day).

HKLM/SYSTEM/CurrentControlSet/Services/Browser/Parameters/MasterPeriodicity DWORD: 86400

Data Type    Range                      Default Value
REG_DWORD    300 – 4,294,967 seconds    720

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Maintain Server List

Servers that are allowed to participate as browsers, and potentially to be elected master browser for their network, periodically contact the PDC for their domain. By default, MaintainServerList is set to "Auto." The recommended value is "No" unless you need browser functionality on your network. If you do, set this value to "Yes," but configure the Master Periodicity interval to a large enough value to reduce the number of trips to the PDC.

HKLM/SYSTEM/CurrentControlSet/Services/Browser/Parameters/MaintainServerList REG_SZ: No

Data Type    Range              Default Value
REG_SZ       Auto | Yes | No    Auto

Value    Meaning
Auto     This server may or may not become a browse server
Yes      This server is a browse server
No       This server is not a browse server

Group Policy DC Option

By default the Group Policy snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain. It is recommended that this value be changed so that the Group Policy snap-in reads and writes changes to the domain controller that the Active Directory Users and Computers or Active Directory Sites and Services snap-ins are using. The recommended value is 2.

HKLM/Software/Policies/Microsoft/Windows/Group Policy Editor/DCOption DWORD: 2

Data Type    Range        Default Value
REG_DWORD    1 | 2 | 3    1

Value                     Meaning
1 (or not in registry)    Use the Primary Domain Controller. The Group Policy snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain
2                         Inherit from the Active Directory snap-ins. The Group Policy snap-in reads and writes changes to the domain controller that the Active Directory Users and Computers or Active Directory Sites and Services snap-ins use
3                         Use any available domain controller. The Group Policy snap-in can read and write changes to any available domain controller

Dial-up Latency

Expected Dial-up Delay

This parameter specifies the time it takes for a dial-up router to dial when sending a message from a client machine to a domain trusted by this client machine across a slow link. Typically, Netlogon assumes a domain controller is reachable in a short period of time (fifteen seconds). Setting ExpectedDialupDelay informs Netlogon to expect an additional delay. The recommended value for this setting is the average amount of time in seconds required for the demand dial link to be established plus a constant of 5 for variance.

When locating a domain controller in a trusted domain, such as when authenticating a user's logon credentials, Netlogon allows fifteen seconds, plus the value of ExpectedDialupDelay for the domain controller to respond. The timer begins when the first of three datagrams is sent to the domain controller.

Timeout = 15 seconds + ExpectedDialupDelay seconds

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/ExpectedDialupDelay DWORD: (seconds)

Data Type    Range              Default Value
REG_DWORD    0 – 600 seconds    0

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Net Logon Settings

The following registry keys concern the domain controller locator service, or call to the DsGetDC API. Changing the registry keys will affect all applications that use the locator service.

Negative Cache Period

This value specifies the amount of time that a client will remember that a DC couldn't be found in a domain. If an application makes a subsequent attempt within this time, the client call fails immediately without attempting to find the same DC again. By default NegativeCachePeriod is set to 45 seconds. The recommended value is 84600 seconds (1 day).

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/NegativeCachePeriod DWORD: 84600

Data Type    Range                 Default Value
REG_DWORD    0 – 604800 seconds    45

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Background Retry Interval

Some applications periodically try to find a DC. If the DC isn't available, these periodic retries can be costly in dial-on-demand scenarios. The value only affects clients that have specified the DS_BACKGROUND_ONLY flag.

If the value is smaller than NegativeCachePeriod, then the NegativeCachePeriod will be used. This registry value defines the minimum amount of elapsed time before the first retry will occur.

If the value is too large, a client will never try to find a DC again if the DC is initially unavailable; if the value is too small, periodic DC discovery traffic may be excessive in cases where the DC will never become available.

By default BackgroundRetryInitialPeriod is not present and behaves as if set to 600 seconds (10 minutes), which is the recommended value for demand dial deployments.

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/BackgroundRetryInitialPeriod DWORD: 600

Data Type    Range                  Default Value
REG_DWORD    0 – 4233600 seconds    600

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Background Retry Back off Period

This registry value defines the maximum period between background retry attempts to locate a DC. That is, if the first retry is after 10 minutes, the second will be after 20 minutes, and the third after 40 minutes. This continues until the BackgroundRetryMaximumPeriod is reached. Then this interval will be used until BackgroundRetryQuitTime is reached. By default BackgroundRetryMaximumPeriod is not present and behaves as if set to 3600 seconds (60 minutes).

This value only affects clients that have specified the DS_BACKGROUND_ONLY flag.

If a value smaller than the BackgroundRetryInitialPeriod is specified, the BackgroundRetryInitialPeriod will be used.

If the value is too large, a client will try very infrequently after a sufficient number of consecutive failures resulting in a back off to BackgroundRetryMaximumPeriod. If the value is too small, periodic DC discovery traffic may be excessive in cases where the DC will never become available. The recommended value is 84600 seconds (1 day).

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/BackgroundRetryMaximumPeriod DWORD: 84600

Data Type    Range                             Default Value
REG_DWORD    0 – 4,233,600 (49 days) seconds    3600

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Background Retry Quit Time

This registry value defines when an application should quit attempting to locate a DC. By default BackgroundRetryQuitTime is not present and behaves as if set to 0, which is to never quit trying.

The value only affects clients that have specified the DS_BACKGROUND_ONLY flag.

If a value smaller than BackgroundRetryMaximumPeriod is specified, BackgroundRetryMaximumPeriod will be used.

If this value is too large, a client will eventually stop trying to find a DC. The recommended value for demand dial deployments is 600 seconds (10 minutes).

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/BackgroundRetryQuitTime DWORD: 600

Data Type    Range                             Default Value
REG_DWORD    0 – 4,233,600 (49 days) seconds    0

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Scavenge Interval

This parameter defines the time interval during which Netlogon does miscellaneous work (on the PDC and on the BDCs), such as the following:

  • Finding a domain controller

  • Determining if a password on a secure channel needs to be changed

  • Determining if a secure channel has been idle for too long

  • Sending a mailslot message to each trusted domain for which a domain controller (DC) has not yet been discovered

  • Attempting to add the <DomainName>[1B] NetBIOS name on the PDC if it has not already been added.

The default value is optimal for most systems. However, in rare cases, such as when a trusted domain is connected by an expensive connection, you might add this entry to increase the time between operations. The recommended value is 84600 seconds (1 day).

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/ScavengeInterval DWORD: 86400

Data Type    Range                                       Default Value
REG_DWORD    0 – 172,800 seconds (1 minute – 2 days)    900 (15 minutes)

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

DNS Refresh Interval

This parameter specifies how frequently Netlogon will re-register DNS names that have already been registered. The actual refresh interval starts at ScavengeInterval then increases by ScavengeInterval increments to DnsRefreshInterval. A DnsRefreshInterval of 0 indicates that successfully registered names should not be re-registered. The recommended value is 84600 seconds (1 day).

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/DnsRefreshInterval DWORD: 86400

Data Type    Range                           Default Value
REG_DWORD    0x0 | 0x1 – 0x418937 seconds    0xE10 (1 hour)

Value                     Meaning
0x0                       Net Logon does not re-register DNS names
0x1 – 0x418937 seconds    Specifies the maximum time between repeated registration of DNS names

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Reduce Router Filtered Traffic

This parameter specifies the minimum amount of time that must separate mailslot messages received by the Netlogon service. If Netlogon receives two mailslot messages within an interval that is less than or equal to the value of this entry, the system considers the messages to be duplicates and ignores the second message.

Set this parameter to zero to disable this feature. A value of 0 is appropriate when Netlogon must recognize and respond to messages that might appear to be duplicates. For example, when a domain controller is separated from a client computer by a bridge/router, the bridge/router filters outgoing NBF broadcasts but allows incoming broadcasts. Netlogon must respond to the NBF mailslot message that is filtered out by the bridge/router and to the actual, unfiltered mailslot message the system receives.

If the value of this entry is too high, Netlogon might ignore retry attempts from a client. The recommended value is the default value of 2.

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/MailslotDuplicateTimeout DWORD:

Data Type    Range                Default Value
REG_DWORD    0 | 1 – 5 seconds    2

Value            Meaning
0                Net Logon does not ignore mailslot messages, regardless of the interval between messages
1 – 5 seconds    The time that must elapse between mailslot messages for both to be processed

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

DNS Settings

DNS Connection Time-out

This parameter adjusts how long a DNS server will wait before timing out when transferring zone data. This key should be set on every DNS server that will transfer zones over dial-up links; however, it is not required when the DNS zone is integrated with Active Directory.

HKLM/SYSTEM/CurrentControlSet/Services/DNS/Parameters/XfrConnectTimeout DWORD: (seconds)

Data Type    Range                       Default Value
REG_DWORD    0x0 – 0xFFFFFFFF seconds    0x1E (30 seconds)

Note: The DNS server does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Time to Live

This parameter specifies the "Time To Live" for all DNS records registered by Netlogon. The "Time To Live" specifies the amount of time a client can safely cache the DNS record. This value applies to all records regardless of how frequently or how recently they might be referenced. It ensures that client records are always current. A value of zero indicates that the record will not be cached on the client. The default value is 10 minutes (600 seconds). Increasing the value of this entry might improve performance. However, if this value is too large, the DNS record might not be updated often enough. The recommended value is 1800 seconds (30 minutes).

HKLM/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters/DnsTtl DWORD: 1800

Data Type    Range                            Default Value
REG_DWORD    0x0 | 0x1 – 0x7FFFFFFF seconds    0x258 (10 minutes)

Value                      Meaning
0x0                        DNS records registered by Net Logon are not cached
0x1 – 0x7FFFFFFF seconds    Specifies the maximum time a record is saved in the cache

Note: Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Workstation Services

Reduce Distributed File System Traffic

This key specifies the interval, in seconds, at which the Distributed File System service contacts a domain controller to look for configuration updates. The recommended value is the default value of 900 seconds.

HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/LanmanWorkstation/Parameters/DfsDcNameDelay DWORD: 900

Data Type    Range                      Default Value
REG_DWORD    900 – 4,294,920 seconds    900 seconds
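
The registry settings in this section are meant to be applied together on every server in a dial-up site, with the DNS key reserved for DNS servers. The following PowerShell script is an added example, not code from the walkthrough, that applies the recommended values listed above in one pass, records each key's previous value to a CSV file first so the change can be reversed, and supports -WhatIf. It assumes PowerShell's HKLM: provider paths (the backslash form of the slash-separated paths printed above), a constructed measured dial time of 40 seconds for ExpectedDialupDelay, and a constructed 120-second XfrConnectTimeout, for which the page gives a range and default but no recommendation. Where the page writes "1 day" next to both 84600 and 86400, the script uses 86400, the number of seconds in a day.

```powershell
# Added example, not code from the walkthrough: apply the demand dial registry
# settings recommended in this section to one server, after saving the current
# values. Run elevated on every server in a dial-up site. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Constructed sample: average seconds for the demand dial link to come up;
    # the page's rule is that value plus a constant of 5 for variance.
    [int]    $MeasuredDialSeconds = 40,
    # Assumption, not from the page: zone transfer connect time-out for DNS servers.
    [int]    $DnsXfrConnectTimeout = 120,
    [string] $BackupFile = "$env:TEMP\demand-dial-registry-backup.csv"
)

$OneDay   = 86400   # seconds; the page prints "1 day" as both 84600 and 86400
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$browser  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
$gpEditor = 'HKLM:\Software\Policies\Microsoft\Windows\Group Policy Editor'
$lanmanWs = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# One entry per key in this section, with the page's recommended value.
$settings = @(
    @{ Path = $netlogon; Name = 'AvoidPdcOnWan';                Value = 1;        Type = 'DWord'  }
    @{ Path = $browser;  Name = 'MasterPeriodicity';            Value = $OneDay;  Type = 'DWord'  }
    @{ Path = $browser;  Name = 'MaintainServerList';           Value = 'No';     Type = 'String' }
    @{ Path = $gpEditor; Name = 'DCOption';                     Value = 2;        Type = 'DWord'  }
    @{ Path = $netlogon; Name = 'ExpectedDialupDelay';          Value = ($MeasuredDialSeconds + 5); Type = 'DWord' }
    @{ Path = $netlogon; Name = 'NegativeCachePeriod';          Value = $OneDay;  Type = 'DWord'  }
    @{ Path = $netlogon; Name = 'BackgroundRetryInitialPeriod'; Value = 600;      Type = 'DWord'  }
    @{ Path = $netlogon; Name = 'BackgroundRetryMaximumPeriod'; Value = $OneDay;  Type = 'DWord'  }
    @{ Path = $netlogon; Name = 'BackgroundRetryQuitTime';      Value = 600;      Type = 'DWord'  }
    @{ Path = $netlogon; Name = 'ScavengeInterval';             Value = $OneDay;  Type = 'DWord'  }
    @{ Path = $netlogon; Name = 'DnsRefreshInterval';           Value = $OneDay;  Type = 'DWord'  }
    @{ Path = $netlogon; Name = 'MailslotDuplicateTimeout';     Value = 2;        Type = 'DWord'  }
    @{ Path = $netlogon; Name = 'DnsTtl';                       Value = 1800;     Type = 'DWord'  }
    @{ Path = $lanmanWs; Name = 'DfsDcNameDelay';               Value = 900;      Type = 'DWord'  }
)

# XfrConnectTimeout belongs only on DNS servers that transfer zones over the link,
# so it is added only where the DNS Server service is installed.
if (Get-Service -Name DNS -ErrorAction SilentlyContinue) {
    $settings += ,@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
                     Name = 'XfrConnectTimeout'; Value = $DnsXfrConnectTimeout; Type = 'DWord' }
}

# Save the current values before touching anything. "<not set>" mirrors what the
# page says about keys Windows 2000 does not create by default.
$backup = foreach ($s in $settings) {
    $current  = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $previous = if ($null -eq $current) { '<not set>' } else { $current }
    [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Previous = $previous; Recommended = $s.Value }
}
$backup | Export-Csv -Path $BackupFile -NoTypeInformation
$backup | Format-Table -AutoSize

foreach ($s in $settings) {
    if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to $($s.Value) ($($s.Type))")) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -Force creates the value or overwrites it with the stated type.
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
    }
}
```

Run it first with -WhatIf to see the before-and-after table without changing the registry; the CSV it writes is the record to restore from if, as the AvoidPdcOnWan description warns, a setting delays password propagation more than the site can tolerate. Netlogon and the Browser service read most of these values at start-up, so restart those services (or the server) after applying.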

Group Policy Refresh Interval

Group Policy Refresh Interval for Computers

This specifies how often Group Policy for computers is updated while the computer is in use. This policy specifies a background update rate only for Group Policies in the Computer Configuration folder.

By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. In addition to background updates, Group Policy for the computer is always updated when the system starts.

You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

The Group Policy refresh interval for computers policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly.

If you disable this policy, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, enable the Disable background refresh of Group Policy.

Important: If the Disable background refresh option in Group Policy is enabled, this policy is ignored.

Group Policy Refresh Interval for Domain Controllers

Specifies how often Group Policy is updated on domain controllers while they are running. The updates specified by this policy occur in addition to updates performed when the system starts.

By default, Group Policy on the domain controllers is updated every five minutes.

You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

This policy also lets you specify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly.

If you disable this policy, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policy for domain controllers should never be updated while the computer is in use, enable the Disable background refresh of Group Policy.

Note: This policy is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this policy.

Group Policy Refresh Interval for Users

Specifies how often Group Policy for users is updated while the computer is in use.

This policy specifies a background update rate only for the Group Policies in the User Configuration folder. In addition to background updates, Group Policy for users is always updated when they log on.

By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.

You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.

If you disable this policy, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, enable the Disable background refresh of Group Policy policy.

This policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly.

Note: If the Disable background refresh of Group Policy is enabled, this policy is ignored.

Group Policy Refresh Interval Setup

  1. Start | Run.

  2. Type gpedit.msc.

  3. Navigate to Computer Configuration\Administrative Templates\System\Group Policy.

  4. Double-click Group Policy refresh interval for computers to make changes.

  5. Click OK.

  6. Double-click Group Policy refresh interval for domain controllers to make changes.

  7. Click OK.

  8. Navigate to User Configuration\Administrative Templates\System\Group Policy.

  9. Double-click Group Policy refresh interval for users to make changes.

  10. Click OK.

  11. Close Group Policy Editor.

Note: Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress.

Parameter Tables

This section contains various figures, diagrams and tables depicting the network topology and specifying the parameters of the machines in this topology. This information is intended as a reference to the various network configuration walkthroughs in previous sections.

Server Network Parameters Table

This table contains consolidated information about all network parameters for each server in each scenario.

Server Network Parameters


Router Configuration Parameters Table

This table contains information about all routing parameters for each router on the network.

Router Configuration Parameters


Static Routes Configuration Parameters

This table contains information about all static route configuration parameters.

Static Routes Configuration Parameters


DNS Server Parameters Table

This table contains information about all DNS server configuration parameters.

DNS Server Parameters


Sites and Subnet Parameters

This table contains information about all site and subnet configuration parameters.

Sites and Subnet Parameters

          Site Name     Address        Subnet Mask      Subnets
Site 1    LosAngeles    160.50.10.0    255.255.255.0    160.50.10.0
Site 2    HongKong      160.50.30.0    255.255.255.0    160.50.30.0
Site 3    MexicoCity    160.50.50.0    255.255.255.0    160.50.50.0
Site 4    Atlanta       160.50.20.0    255.255.255.0    160.50.20.0

Site Link Parameters

This table contains information about all site link configuration parameters.

Site Link Parameters

               Site Link Name    Sites
Site Link 1    LAX-HKG           LosAngeles, HongKong
Site Link 2    LAX-MEX           LosAngeles, MexicoCity
Site Link 3    LAX-ATL           LosAngeles, Atlanta

For More Information

For the latest information on Microsoft® Windows® 2000 Server, go to: https://www.microsoft.com/windows/server/

To read more on the Active Directory Branch Office Guide, go to: https://www.microsoft.com/windows2000/technologies/directory/AD/default.asp.

Before You Call for Support

Please keep in mind that Microsoft does not support these walkthroughs. The purpose of the walkthroughs is to facilitate your initial evaluation of the Microsoft Windows 2000 features. For this reason, Microsoft cannot respond to questions you may have regarding specific steps and instructions.

Reporting Problems

Problems with Microsoft Windows 2000 should be reported through the appropriate bug reporting channels and aliases. Please make sure to adequately describe the problem so that the testers and developers can reproduce it and fix it. See the Release Notes included in the Windows 2000 distribution materials for some of the known issues.

© 2001 Microsoft Corporation. All rights reserved.