Deploying Active Directory for Branch Office Environments

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 6 - Staging a Branch Office Domain Controller

Deployment and Operations Guide

Abstract

This chapter outlines the steps to create a staged domain controller for a branch office at the staging site. After completing these steps, you will have a staged branch office domain controller ready for the necessary pre-shipment configuration. The pre-configuration steps must be performed right before the domain controller will be shipped to its branch office; these are in the next chapter.

Introduction

Now that the staging site domain controller has been created and configured, you can begin the process of staging domain controllers for your branch offices. This chapter will step you through the first phase of the process of creating a staged domain controller. By the end of the chapter, the sample environment will appear as follows:

After completing the procedures in this chapter, you must complete the second phase procedures in the next chapter just prior to shipping the domain controller to the branch office.

Chapter Sections

This chapter covers the following procedures:

  • Installing a Staged Branch Office Domain Controller

  • Verifying DNS

  • Promoting and Configuring the Branch Office Domain Controller

  • Post Dcpromo Quality Assurance of the Branch Office Domain Controller

Before beginning the staging steps, ensure that the following prerequisites are available.

Resource Requirements

A representative from the network team that can provide DNS and IP network information.

What You Will Need

To complete the procedures in this chapter, you will need:

  • All branch domain bridgehead servers installed in the hub site, including the HUBDC1 server.

  • The staging site branch domain controller installed and replicating with the hub site.

  • Microsoft® Windows® 2000 Server or Windows 2000 Advanced Server

  • The latest Service Pack

  • The Microsoft Windows 2000 Resource Kit

  • The password for the QACheck account for scheduling the QA_Check.cmd script.

  • The branch office installation scripts shared on the staging site domain controller.

  • The quality assurance scripts shared on the staging site domain controller.

What You Should Know

To complete the procedures in this chapter, you will need:

  • The username and password for a user account that is a member of the branch office domain, Domain Admins group.

  • An IP address that is valid for the staging site subnet, unless you are using DHCP to assign IP addresses.

  • The name of the staging site domain controller.

Process Flowchart

Deployment Considerations

The processes covered in this chapter should be performed at the physical staging location, using the staging site branch domain controller, Staging, as the source domain controller for the installation. This will provide the best performance during installation.

The first phase involves installing Microsoft Windows 2000 and configuring the server for DNS. In addition, because we have turned off the intrasite KCC in the staging site, you will be creating manual connection objects between the staging site domain controller and each domain controller you stage. By using manual connection objects for each branch domain controller during staging, you eliminate the possibility that any branch domain controller replicates with another branch domain controller in the staging site, which may be having problems.

Installing a Staged Domain Controller

To stage a domain controller for a branch office, you must first install a new server that will be promoted to be the branch office domain controller.

Note: As you perform the procedures in this chapter, you should document the configuration of the servers in the DC Staging Checklist.xls job aid included with this guide.

Installing Windows 2000 in a Workgroup

The first step for staging a domain controller is to install Windows 2000 in a workgroup, including the components listed below. One method for automating this is to use the Setup Manager tool in the Microsoft Windows 2000 Resource Kit to create an answer file and Uniqueness Database File (UDF) for the installation of the staging site domain controller.

Note: When you are staging a new domain controller, configure the server during installation with an IP address that is valid for the staging site. The IP addresses that are valid for the staging site were assigned to the staging site in the Sites.csv file created in Chapter 4 of this guide. Using the example in this guide, a domain controller would be installed with an IP address of 10.10.30.2 and so on. Do not assign the server an IP address for a branch office until you reach the procedure in Chapter 7 of this guide.

  • The DNS Server service

  • Terminal Services in remote administration mode

  • The Support Tools from the Windows 2000 Server compact disc

  • The Microsoft Windows 2000 Resource Kit

  • Active Perl from the Microsoft Windows 2000 Resource Kit

  • The Remote Command Service from the Microsoft Windows 2000 Resource Kit

  • The Recovery Console

  • The latest Windows 2000 Service Pack

Note: The installation of the Support Tools and the Microsoft Windows 2000 Resource Kit can be automated by directly launching the Msi file for each with the /qb switch.

The server must be assigned a fixed IP address in the staging site subnet or the DNS server will not start properly.

Copy the Script Files to the Server

  1. Log on to the server as Administrator.

  2. Start a command prompt.

  3. Establish a network connection to the staging site domain controller to ensure the commands in steps 5 and 6 function correctly by using the following command:

    Net use \\<servername>\IPC$ /u:branches\administrator 
    

    Where <servername> is the name of the staging site domain controller and branches is your branch office domain name.

  4. If prompted, type the password for the administrator user account on the staging site domain controller.

  5. Use the following command to copy the branch office scripts to the new server:

    robocopy \\<servername>\BranchDC c:\BranchDC /e 
    

    Where <servername> is the name of the staging site domain controller.

  6. Use the following command to copy the quality assurance scripts to the new server:

    robocopy \\<servername>\ADMonitor c:\ADMonitor /e 
    

    Where <servername> is the name of the staging site domain controller.

Configure the Preferred and Alternate DNS Servers

To configure the preferred and alternate DNS servers:

  1. Right-click on My Network Places icon on the desktop.

  2. Select Properties.

  3. Right-click on the Local Area Connection icon. On a multi-homed server, rename each adapter for ease of identification and management.

  4. Select Properties.

  5. Select Internet Protocol (TCP/IP).

  6. Click Properties.

  7. Change the Preferred DNS server to the IP address of the staging server.

  8. Change the Alternate DNS server to the IP address of one of the bridgehead servers in the hub site.

  9. Click OK.

  10. Click OK.

  11. Close the Network and Dial-up Connections window.

Configure DNS Client and Add Registry Entries

In this procedure, you will run a script (Pre-dcpromo.cmd) that will:

  • Randomly configure the preferred hub domain controller for the server.

  • Disable Auto Site Coverage.

  • Disable Name Service record auto-creation.

  • Configure the names registered by the servers.

  • Restart the server.

To run this script:

  1. Log on as an Administrator.

  2. Start a command prompt.

  3. Change to the C:\BranchDC folder.

  4. At the command prompt, type Pre-dcpromo.cmd and press ENTER. The server will restart automatically at the end of the script.

  5. After the server restarts, log on as an Administrator.

  6. Click Start, Run, in the Open box type Notepad C:\BranchDC\Pre-Dcpromo.log and then click OK.

  7. Verify that the Pre-dcpromo.log file does not contain any errors and that all the commands completed successfully. If a command in Pre-dcpromo.cmd did not complete successfully, resolve the problem and rerun the command.

Install other Monitoring Tools

If you are using the NetIQ AppManager or Operations Manager tools, the following procedures can be used to install the agents. If you are using another third party monitoring tool, this is the stage at which you should install the tool.

Install AppManager Agent

To install the AppManager Agent:

  1. Insert the AppManager compact disc and run Setup.exe.

  2. Click Next, select Install AppManager, and click Next again.

  3. Select the target directory for the agent and click Next.

  4. Be sure that only AppManager Agent is checked and click Next.

  5. Check boxes of the services that are on the machine and click Next.

  6. Uncheck Authorized Management Server:* and click Next.

  7. Enter the name of the NetIQ AppManager Management Server and click Next.

  8. If the AppManager management server isn't online, you will be prompted to retry or skip discovery. You can run discovery later from the management server, so click No. If the management server is installed and available, you will not get this prompt.

  9. Replace the asterisk with the name of the management server and click Next.

  10. Click Next when prompted for Data Access Object/Open Database Connectivity (DAO/ODBC). Installation of the agent will proceed.

  11. Click Yes when asked if you want to append the NetIQ install path to the system path.

Install Operations Manager agent

To install the Operations Manager agent:

  1. Insert the Operations Manager compact disc and run Setup.exe.

  2. Click Manual Agent Setup.

  3. Click Next.

  4. Select the destination directory for the agent and click Next.

  5. Enter the name of the configuration group of which the agent is a member and click Next. Refer to the Operations Manager Installation documentation for an explanation of configuration groups.

  6. Enter the name of the Consolidator computer for this configuration group. If the Consolidator has not yet been built, you will get a warning indicating that the Consolidator version could not be verified; click Next. If the Consolidator has already been built, this warning indicates a problem connecting to the Consolidator computer.

  7. Select Full for the Agent Manager control level and click Next.

  8. When the file copy is done, click Finish to complete the agent installation.

Verifying DNS

Now that the server is installed, you must verify that the server can communicate on the network and resolve names for the domains in your environment.

Verify Connectivity

After the server has restarted and before starting the process of promoting the server to a domain controller, it is important to verify the server can access the staging server and can resolve names properly.

To do this, complete the following procedure:

  1. Open a command prompt.

  2. Type ping <IP address> and press ENTER, where <IP address> is the address of the staging site server, Staging1, that was configured as the branch domain primary DNS server. You should see the following result:

    Pinging <IP Address> with 32 bytes of data: 
    
    Reply from <IP Address>: bytes=32 time<10ms TTL=128 
    Reply from <IP Address>: bytes=32 time<10ms TTL=128 
    Reply from <IP Address>: bytes=32 time<10ms TTL=128 
    Reply from <IP Address>: bytes=32 time<10ms TTL=128 
    
    Ping statistics for <IP Address>: 
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
    Approximate round trip times in milli-seconds: 
    Minimum = 0ms, Maximum =  0ms, Average =  0ms 
    

    If you do not see a successful ping process, check the IP settings to verify that the server has the correct IP address, subnet mask, and default gateway.

  3. Type nslookup corp.hay-buv.com. and press ENTER. You should see the following result:

    C:\>nslookup corp.hay-buv.com. 
    Server:  staging.branches.corp.hay-buv.com 
    Address:  10.10.30.1 
    
    Name:    corp.hay-buv.com 
    Address:  10.10.1.1, 10.10.1.3, 10.10.1.2 
    

    If you do not see successful name resolution, check the IP settings to verify that the server has the staging server (10.10.30.1) as its preferred DNS server. Verify the DNS records on the staging DNS server, including the reverse lookup records. Do not proceed until DNS is working properly.

  4. Type nslookup branches.corp.hay-buv.com. and press ENTER. You should see the following result:

    C:\>nslookup branches.corp.hay-buv.com. 
    Server:  staging.branches.corp.hay-buv.com 
    Address:  10.10.30.1 
    
    Name:    branches.corp.hay-buv.com 
    Address:  10.10.20.1, 10.10.20.3, 10.10.20.2, 10.10.20.99, 10.10.30.1 
    

    If you do not see successful name resolution, check the IP settings to verify that the staging server has a bridgehead server as its preferred DNS server. Verify the DNS records on the bridgehead DNS server. Do not proceed until DNS is working properly.

  5. If this process does not complete successfully, verify your DNS configuration and repeat the above process until successful.

Promoting and Configuring the Branch Office Domain Controller

Now that network connectivity and name resolution have been verified, you can promote the server to be a domain controller. The branch office scripts include a Dcpromo answer file that will promote the server into the correct domain and force the promotion process to use the staging site server as its Dcpromo source.

After the Dcpromo process completes and the server restarts, you will use scripts to create connection objects with the staging site server, because the intrasite KCC is disabled. This will allow the staged domain controller to replicate with the staging site server while it is in the staging site.

Note: The Dcpromo answer file used to promote the server you are staging assumes the Active Directory database and log files, as well as SYSVOL, will all be stored on the same physical disk. If you have multiple physical disks in your servers and want to place these files on different physical disks, modify the location of these files in C:\BranchDC\Bodcpromo.txt as appropriate for your environment.

Promote the Server to a Branch DC in the Staging Site

In this procedure, you will run a script (Run-dcpromo.cmd) that will:

  • Run Dcpromo and use the Bodcpromo.txt answer file.

  • Restart the server.

To run this script:

  1. Log on as an Administrator.

  2. Start a command prompt.

  3. Change to the C:\BranchDC folder.

  4. At the command prompt, type: Run-dcpromo.cmd and press ENTER.

  5. After the server restarts, log on as an Administrator.

  6. Click Start, Run, in the Open box type Notepad C:\Winnt\Debug\Dcpromo.log and then click OK.

  7. Verify that the Dcpromo.log file does not contain any errors and that the Dcpromo process completed successfully. If Dcpromo did not complete, resolve the problem and rerun the command.

Create Connection Objects with the Staging Site Server

In this procedure, you will run a script (Post-dcpromo.cmd) that will:

  • Delete the Bodcpromo.txt file because it contains an administrator password.

  • Install the Remote Command Server.

  • Configure DNS forwarders.

  • Set DNS Recursion to On.

  • Wait 30 minutes for the domain controller's computer account to replicate to the relative identifier (RID) operations master.

  • Create connection objects between the branch office domain controller being staged and the staging site server.

  • Wait 30 minutes for replication to finish.

  • Restart the server.

To run this script:

  1. Log on as an Administrator.

  2. Start a command prompt.

  3. Change to the C:\BranchDC folder.

  4. At the command prompt, type Post-dcpromo.cmd and press ENTER.

  5. After the server restarts, log on as an Administrator.

  6. Click Start, Run, in the Open box type Notepad C:\BranchDC\Post-dcpromo.log and then click OK.

  7. Verify that the Post-dcpromo.log file does not contain any errors and that all the commands completed successfully. If a command in Post-dcpromo.cmd did not complete successfully, resolve the problem and rerun the command.

Note: If your branch office domain controllers will also be global catalog servers, you should configure the branch office domain controller as a global catalog server at this time. For steps on making a domain controller a global catalog server, see Chapter 5: Creating and Configuring the Staging Domain Controller.

Post DCPROMO Quality Assurance of Branch Office Domain Controller

Now that the new server has been promoted to be a domain controller and you have created connection objects for replication, you must verify that replication is working properly. It is important to perform a quality assurance check to verify replication before continuing the staging process to avoid shipping a domain controller that is not functioning properly to a branch office. In addition, the quality assurance check on the domain controller should be performed on a regular basis in order to detect any problems that might arise in your environment. The last procedure in this section will have you schedule the quality assurance check to run every weekday.

Verifying Replication

To verify that replication has occurred successfully, perform the following steps:

  1. Wait 30 minutes after the reboot has completed.

  2. Start a command prompt.

  3. Change to the C:\ADMonitor folder.

  4. Run QA_Check.cmd.

  5. After the script completes change to the C:\ADResults folder.

  6. Use Notepad to open the Ds_showreps.txt file in this folder.

  7. Examine the file to ensure that replication has occurred. For example, you should see entries such as the following indicating that replication was successful.

    CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=com 
    STAGE\HUBDC1 via RPC 
    objectGuid: f99e17ed-3b03-4b3e-afa8-2c1e738ddc4d 
    Last attempt @ 2000-12-02 07:09.44 was successful. 
    
  8. If the Ds_showreps.txt file does not have a "Last attempt ... was successful" line for each naming context, restart this procedure at step 1.

  9. If the Ds_showreps.txt file indicates that replication was unsuccessful for any of the naming contexts, troubleshoot and resolve the problem before continuing. See Chapter 11, "Troubleshooting Guidelines for Branch Office Environments," of this guide for more information on troubleshooting errors.

  10. Change to the C:\ADResults\<computername> folder.

  11. Use Notepad to open the text file in this folder.

  12. Examine the file to ensure that there were no errors reported. If there are any errors, the errors must be resolved before continuing. See Chapter 11, "Troubleshooting Guidelines for Branch Office Environments," of this guide for more information on troubleshooting errors.

  13. Document the configuration of the branch office domain controller in the DC Staging Checklist.xls job aid included with this guide.
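As an added example (not part of this guide or its QA_Check.cmd script), the following Python script applies the checks in steps 7 through 9 to a Ds_showreps.txt file: it parses the per-naming-context "Last attempt" lines and reports each expected naming context as ok, failed, or pending. The file layout is modelled on the entry shown in step 7; the sample text, the STAGING1 partner entry and its failure result are constructed.

```python
import re
import sys

# Naming contexts a branch DC in the sample environment must replicate; the
# domain partition name follows the page's branches.corp.hay-buv.com domain.
EXPECTED_NCS = (
    "CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=com",
    "CN=Configuration,DC=corp,DC=hay-buv,DC=com",
    "DC=branches,DC=corp,DC=hay-buv,DC=com",
)

# Constructed sample of a Ds_showreps.txt file as QA_Check.cmd writes it to
# C:\ADResults. The domain partition entry carries a constructed failure so
# that the troubleshooting branch (step 9) is exercised.
SAMPLE_SHOWREPS = """\
==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=com
    STAGE\\HUBDC1 via RPC
        objectGuid: f99e17ed-3b03-4b3e-afa8-2c1e738ddc4d
        Last attempt @ 2000-12-02 07:09.44 was successful.
CN=Configuration,DC=corp,DC=hay-buv,DC=com
    STAGE\\HUBDC1 via RPC
        objectGuid: f99e17ed-3b03-4b3e-afa8-2c1e738ddc4d
        Last attempt @ 2000-12-02 07:09.45 was successful.
DC=branches,DC=corp,DC=hay-buv,DC=com
    STAGE\\STAGING1 via RPC
        objectGuid: 11111111-2222-3333-4444-555555555555
        Last attempt @ 2000-12-02 07:09.46 failed, result 1722:
            The RPC server is unavailable.
"""

NC_LINE = re.compile(r"^(?:CN|DC|OU)=", re.IGNORECASE)
PARTNER_LINE = re.compile(r"^\s+(\S+)\s+via\s+(?:RPC|SMTP)\s*$", re.IGNORECASE)
ATTEMPT_LINE = re.compile(
    r"^\s+Last attempt @ (\S+ \S+) (was successful|failed.*?)\.?\s*$")


def parse_showreps(text):
    """Map each naming context to the last-attempt results of its inbound
    partners. Section banners, objectGuid lines and multi-line error detail
    do not match any pattern and are skipped."""
    reps = {}
    nc = partner = None
    for line in text.splitlines():
        if NC_LINE.match(line):
            nc = line.strip()
            partner = None
            reps.setdefault(nc, [])
            continue
        m = PARTNER_LINE.match(line)
        if m and nc is not None:
            partner = m.group(1)
            continue
        m = ATTEMPT_LINE.match(line)
        if m and nc is not None and partner is not None:
            reps[nc].append({"partner": partner, "when": m.group(1),
                             "ok": m.group(2) == "was successful",
                             "detail": m.group(2)})
    return reps


def classify_replication(text, expected_ncs=EXPECTED_NCS):
    """Steps 8 and 9: 'ok' when every partner's last attempt succeeded,
    'failed' when any partner reports a failure (troubleshoot first),
    'pending' when no attempt is recorded yet (wait and rerun QA_Check)."""
    reps = parse_showreps(text)
    status = {}
    for nc in expected_ncs:
        attempts = reps.get(nc, [])
        if any(not a["ok"] for a in attempts):
            status[nc] = "failed"
        elif attempts:
            status[nc] = "ok"
        else:
            status[nc] = "pending"
    return status


if __name__ == "__main__":
    # Pass a real Ds_showreps.txt path as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHOWREPS
    for nc, state in classify_replication(text).items():
        print(f"{state:8s} {nc}")
```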

Schedule the Quality Assurance Check to Run Every Day

The quality assurance script (QA_Check.cmd) should be run every day in order to verify your domain controllers. Some of the Microsoft Windows 2000 Resource Kit utilities used by the quality assurance script must be run using an Administrator account in order to collect their data. Therefore, the Microsoft Windows 2000 Resource Kit utility Srvany.exe is used to run the script as a service, and a batch file is scheduled to start and stop the service.

Alternatively, AppManager can run this script on a regular basis and report on problems while executing. The Agent (NetIQ_mc) should be configured to start under an Administrator account to run this script.

To schedule the quality assurance check by using Srvany.exe:

  1. Start a command prompt and use the following command to install Srvany.exe from the Microsoft Windows 2000 Resource Kit as a Windows service:

    instsrv QACheck "c:\Program Files\Resource Kit\srvany.exe" 
    
  2. Click Start, Programs, Administrative Tools, and select Services.

  3. Right-click the QACheck service you added in step one and select Properties.

  4. On the General tab, set the Startup type as Manual.

  5. On the Log On tab, set the account the service will use when running. You should use the QACheck user account as the service logon account.

  6. Click OK and close the Services MMC.

  7. Click Start, Run, in the Open box, type regedt32, and click OK.

  8. Expand the following path in the Registry Editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QACheck

  9. On the Edit menu, select Add Key.

  10. In the Add Key dialog box, in the Key Name box, type Parameters and click OK.

  11. Select the Parameters key, on the Edit menu, select Add Value.

  12. In the Add Value dialog box, in the Value Name box, type Application, in the Data Type box select REG_SZ and then click OK.

  13. In the String Editor dialog box, type C:\ADMonitor\QA_Check.cmd and click OK.

  14. Select the Parameters key, on the Edit menu select Add Value.

  15. In the Add Value dialog box, in the Value Name box, type AppDirectory, in the Data Type box select REG_SZ and then click OK.

  16. In the String Editor dialog box, type C:\ADMonitor and click OK.

  17. After configuring the registry, to schedule the quality assurance script to run Monday through Friday, enter the following command at a command prompt:

    at 5:00 /every:m,t,w,th,f "C:\ADMonitor\startqa.cmd" 
    

To schedule the script using AppManager:

  1. Open the AppManager Operator Console.

  2. Navigate to the NT tab in the KS pane (in the middle on the right side).

  3. Drag the RunDOS KS to the server in the list pane on the left.

  4. Configure the schedule to be daily at 11:00 P.M. Continue with step 5 before clicking OK.

  5. Switch to the Values tab. Enter C:\ADMonitor\QA_Check.cmd in the DOS Command or Script box. Click OK.

Summary

You have now completed the first phase of the staging process. Leave the staged branch office domain controllers running in the staging site until just before you are ready to ship them to their respective branches. The lag between the steps in the next phase, as detailed in the following chapter, and when the domain controller is connected in the branch office should be no more than 10 days. In the next phase, you will prepare the staged domain controller for shipment to the branch office, and configure it to replicate with the appropriate hub site bridgehead servers. Once this is done, you will need to ship it to the branch, and plan to turn it on within 10 days. If it is not turned on within 10 days, replication can become out of date and require a large amount of replication between the hub site and branch office, which could negate the benefits of staging the server outside of the branch office.