Deploying Active Directory for Branch Office Environments

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 7 - Pre-shipment Configuration of the Branch Office Domain Controller

Operating System

Deployment and Operations Guide

Abstract

This chapter outlines the steps to perform the pre-shipment configuration on a staged domain controller. The procedures in this chapter should be completed only when you are about to ship a staged domain controller. After completing these steps, the staged domain controller will be ready to be shut down and shipped to its destination branch office.

On This Page

Introduction
Process Flowchart
Deployment Considerations
Verifying the Site and Moving the Domain Controller to its Destination Site
Verifying the ISTG is Off on the Staged Domain Controller
Creating the Branch Office Domain Controller's Connection Objects
Configuring TCP/IP for the Branch Office and FRS for Shipment
Summary

Introduction

After a domain controller has been staged and has successfully replicated, it can be prepared for shipment to the branch office. This chapter steps you through the processes to verify and prepare the staged domain controller for shipment to the branch office. By the end of the chapter, the sample environment will be in the state shown in the diagram that accompanies this chapter.

Note: The procedures in this chapter should not be completed until you are ready to ship the domain controller.

Chapter Sections

This chapter covers the following procedures:

  • Verifying the configuration of the branch office site

  • Moving the staged domain controller to the branch office site

  • Verifying the Intersite Topology Generator (ISTG) is disabled on the staged domain controller

  • Creating the branch office domain controller's connection objects

  • Configuring Domain Name System (DNS) on the branch office domain controller

  • Configuring File Replication service (FRS) on the branch office domain controller

  • Configuring Transmission Control Protocol/Internet Protocol (TCP/IP) on the branch office domain controller

Before looking at these sections in detail, let's consider the prerequisites for the procedures.

Resource Requirements

Your Infrastructure Team will require a point of contact at the branch office to receive shipment of the staged domain controller.

What you Will Need

To complete the procedures in this chapter, you will need:

  • The staging site domain controller installed and replicating with the hub site.

  • A staged domain controller.

  • The branch office site created.

  • The ISTG disabled in the destination site.

  • The branch office installation scripts.

  • The Mkdsx scripts to create connection objects.

  • The quality assurance (QA) scripts.

What you Should Know

To complete the procedures in this chapter, you will need to know:

  • The user name and password for a user account that is a member of the Domain Admins group.

  • An Internet Protocol (IP) address that is valid for the destination branch office site subnet, unless you are using Dynamic Host Configuration Protocol (DHCP) to assign IP addresses.

  • The names of the bridgehead servers in the hub site.

Process Flowchart

Deployment Considerations

Do not begin the procedures in this chapter until you are ready to ship the domain controller to the branch office. If you are not prepared to ship the domain controller, do not perform these procedures yet. Instead, the domain controller should be left running on the staging site network so that it will remain up to date with any changes made to the Active Directory directory service.

When you are ready to ship the domain controller, perform the procedures in this chapter. After shutting off the domain controller at the end of this chapter, it should immediately be shipped to the branch office and turned on at the branch office in 10 days or less. For more information on the reasons behind this limitation, see Chapter 6: Planning for Building and Deploying Branch Office Domain Controllers in the Active Directory Branch Office Planning Guide.

Connection Objects Between the Branch Office Domain Controller and the Hub Bridgehead Servers

Because the ISTG is disabled for all sites, it is necessary to use scripts to create connection objects between the branch office domain controllers and bridgehead servers in the hub site. Similar steps were performed when configuring the staging site domain controller in Chapter 5, "Creating and Configuring the Staging Domain Controller" of this guide.

Verifying the Site and Moving the Domain Controller to its Destination Site

The first step in preparing to ship a staged domain controller to its destination branch office is to move it to the branch office site in Active Directory Sites and Services. However, before moving the domain controller, it is important to first verify that the site and subnet information is correct for the branch office site.

Note: As you perform the procedures in this chapter, document the configuration of the servers in the DC Staging Checklist.xls job aid included with this guide.

Verify Site and Subnet Information is Correct

To verify the site and subnet:

  1. On the staging site server, log on as an Administrator.

  2. Start Active Directory Sites and Services.

  3. Expand Sites, expand Subnets, right-click the subnet for the destination site of the staged branch office domain controller, and then select Properties.

  4. Verify that the Site box contains the site name for this branch office. If the site name is not correct for this subnet, contact the organization's administrators to correct the site to subnet mapping.

  5. Close Active Directory Sites and Services.

Note: Do not proceed until the site to subnet mapping is correct.

Move the Branch Office Domain Controller to the Destination Site

To move the staged domain controller to its destination branch office site:

  1. Log on to the staged domain controller as Administrator.

  2. Open a command prompt.

  3. Change to the C:\BranchDC folder.

  4. Run the Movesite.vbs script to move the staged domain controller to its destination site by using the following syntax:

    Cscript movesite.vbs <current site> <destination site> <computername>

    Where <current site> is the name of the staging site, <destination site> is the name of the branch office site to which the domain controller is being shipped, and <computername> is the name of the domain controller being shipped. You can type %computername% in place of <computername>; the command shell expands the environment variable to the name of the computer you are logged on to, so you do not have to type the name.

  5. Wait 30 minutes.

  6. Open Active Directory Sites and Services.

  7. In the console tree, expand Sites, expand the destination site for this domain controller, and then expand Servers.

  8. Verify that the domain controller is now listed under its destination site. If not, repeat this procedure, starting at step 5.

  9. Close Active Directory Sites and Services.
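The two checks above (subnet-to-site mapping, then the move and its replication wait) can be scripted on a current domain controller with the ActiveDirectory PowerShell module. The following is an added example written for this page; it is not the guide's Movesite.vbs, and the subnet 10.1.1.0/24, the site BOSite1 and the server name BODC1 are assumed sample values.

```powershell
# Added example (not part of the original guide): verify the subnet-to-site
# mapping, move the staged DC, then poll until the move is visible.
# Requires the ActiveDirectory module (RSAT) and Domain Admins rights.
# Subnet 10.1.1.0/24, site BOSite1 and server BODC1 are assumed sample values.
Import-Module ActiveDirectory

function Test-SubnetSiteMapping {
    param(
        [Parameter(Mandatory)][string]$Subnet,       # e.g. 10.1.1.0/24
        [Parameter(Mandatory)][string]$ExpectedSite  # e.g. BOSite1
    )
    # Get-ADReplicationSubnet exposes the site as a DN; compare its leaf RDN.
    $s = Get-ADReplicationSubnet -Identity $Subnet -ErrorAction Stop
    if (-not $s.Site) { throw "Subnet $Subnet is not mapped to any site. Do not proceed." }
    $siteName = (($s.Site -split ',')[0]) -replace '^CN=', ''
    if ($siteName -ne $ExpectedSite) {
        throw "Subnet $Subnet maps to site '$siteName', expected '$ExpectedSite'. Do not proceed."
    }
    return $siteName
}

function Move-StagedDomainController {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DestinationSite,
        [int]$TimeoutMinutes = 30
    )
    # Moves the server object in the Configuration partition (the same change
    # the guide's Movesite.vbs makes), then waits for it to become visible,
    # mirroring the 30-minute wait in step 5 of the procedure.
    Move-ADDirectoryServer -Identity $ComputerName -Site $DestinationSite -ErrorAction Stop
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $dc = Get-ADDomainController -Identity $ComputerName
        if ($dc.Site -eq $DestinationSite) { return $dc.Site }
    } while ((Get-Date) -lt $deadline)
    throw "$ComputerName is still not listed under site $DestinationSite after $TimeoutMinutes minutes."
}

# Usage with the assumed sample values:
Test-SubnetSiteMapping -Subnet '10.1.1.0/24' -ExpectedSite 'BOSite1'
Move-StagedDomainController -ComputerName 'BODC1' -DestinationSite 'BOSite1'
```

Run it on a domain controller or a management host that can reach the hub; both functions throw rather than return on a mismatch, so a scripted staging run stops at exactly the point where the guide says not to proceed.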

Verifying the ISTG is Off on the Staged Domain Controller

After moving the staged domain controller to its destination site, it is then necessary to verify that the ISTG has been disabled for the branch office site.

Verifying That the ISTG Is Disabled in the Branch Office Site

To verify that the ISTG is disabled in the branch office site:

  1. Click Start, Run, in the Open box, type Ldp.exe and then click OK.

  2. On the Connection menu, click Connect.

  3. Type the server name of a domain controller in the enterprise, verify that the port setting is 389, clear the Connectionless check box, and then click OK. After the connection is complete, server-specific data is displayed in the right pane.

  4. On the Connection menu, click Bind. Type the user name, password, and domain name (in DNS format) in the appropriate boxes (you may need to select the Domain check box), and then click OK. If the binding is successful, you should receive a message in the right pane that is similar to the following example:

    Authenticated as dn:YourUserID

  5. On the View menu, click Tree.

  6. In the BaseDN box, type the distinguished name of the site object for the site of the branch office domain controller in the configuration container of the forest. For example, for the BOSite1 site in the Corp.Hay-buv.com forest, the distinguished name of the site object would look like the following example:

    CN=BOSITE1,CN=Sites,CN=Configuration,DC=corp,DC=hay-buv,DC=com

    If this object is located, Ldp.exe should display the object in the left pane.

  7. Expand the view. One of the child objects should begin with CN=NTDS Site Settings. Double-click this object. In the right pane, Ldp.exe should output the current settings for the attributes for this object. Each attribute is preceded by a number and then an angle bracket (>). The number represents the number of values the attribute contains.

  8. Look for the "options" attribute. This attribute is a bit mask; bit 0x10 (decimal 16) is the flag that disables the ISTG for the site. In the sample environment no other site options are set, so the attribute reads exactly 16. If other options have been set on the site the value will be larger, but bit 16 must still be set.

  9. If bit 16 is not set in the "options" attribute (or the attribute is absent, which means all automatic topology generation is enabled), contact the organization's administrators to disable the ISTG for the site.

  10. Close Ldp.exe.
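The same check can be done without Ldp.exe by reading the NTDS Site Settings object over LDAP and decoding the bit mask, which also avoids the mistake of comparing the attribute to exactly 16 when other flags are set. This is an added example written for this page, not a script from the guide; it uses the [ADSI] accelerator (System.DirectoryServices) from any domain-joined host, and the flag values are the NTDSSETTINGS_OPT_* constants documented in MS-ADTS. BOSite1 is the sample site name.

```powershell
# Added example (not part of the original guide): decode the "options" bit
# mask on CN=NTDS Site Settings for a site and test the ISTG-disabled bit.
# Flag values are the NTDSSETTINGS_OPT_* constants from MS-ADTS.
$NtdsSiteSettingsFlags = [ordered]@{
    IS_AUTO_TOPOLOGY_DISABLED            = 0x1    # intrasite KCC topology generation off
    IS_TOPL_CLEANUP_DISABLED             = 0x2
    IS_TOPL_MIN_HOPS_DISABLED            = 0x4
    IS_TOPL_DETECT_STALE_DISABLED        = 0x8
    IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED = 0x10   # ISTG off: the bit this chapter checks
    IS_GROUP_CACHING_ENABLED             = 0x20
    FORCE_KCC_WHISTLER_BEHAVIOR          = 0x40
    FORCE_KCC_W2K_ELECTION               = 0x80
    IS_RAND_BH_SELECTION_DISABLED        = 0x100
    IS_SCHEDULE_HASHING_ENABLED          = 0x200
    IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED = 0x400
}

function Get-SiteOptions {
    param([Parameter(Mandatory)][string]$SiteName)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $settings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc"
    # An unset attribute reads back as $null; treat that as 0 (all automation on).
    $raw = [int]($settings.Properties['options'].Value)
    $set = @($NtdsSiteSettingsFlags.GetEnumerator() |
        Where-Object { ($raw -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Name })
    [pscustomobject]@{ Site = $SiteName; Options = $raw; Flags = $set }
}

function Test-IstgDisabled {
    param([Parameter(Mandatory)][string]$SiteName)
    $o = Get-SiteOptions -SiteName $SiteName
    # Test the bit, not equality with 16: other flags may be set alongside it.
    $disabled = ($o.Options -band 0x10) -ne 0
    if (-not $disabled) {
        Write-Warning "ISTG is still enabled in site $SiteName (options=$($o.Options)); ask the administrators to disable it."
    }
    return $disabled
}

# Usage with the sample site name:
Get-SiteOptions -SiteName 'BOSite1'      # shows the decoded flag names
Test-IstgDisabled -SiteName 'BOSite1'    # $true only if bit 0x10 is set
```

Get-SiteOptions is worth running against the hub and staging sites as well, since the guide's design assumes the ISTG is disabled in every site, and the decoded flag list makes an unexpected extra option (for example group caching) visible rather than hidden inside an unfamiliar integer.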

Creating the Branch Office Domain Controller's Connection Objects

After the staged domain controller has been moved in Active Directory Sites and Services to its destination site and you have verified that the ISTG is disabled, the next step in the pre-shipment process is to create the new connection objects for the staged domain controller. The new connection objects will be between the staged domain controller and one or more bridgehead servers in the hub site. The scripts included with this guide create connection objects between the staged domain controller and two bridgehead servers. When the new connection objects are created, the staged domain controller's own connection object from the staging site domain controller is removed; the connection object on the staging site domain controller that points back to the staged domain controller is deleted manually later in this chapter.

Create Connection Objects

Note: Only complete this procedure if this is the first domain controller for this branch office site. For the second and any other domain controllers for a branch office, proceed to the next procedure.

To create the connection objects with the bridgehead servers in the hub site:

  1. Log on to the staging site server as a Domain Administrator.

  2. Open a command prompt, and then change to the C:\BranchDC\Mkdsx folder.

  3. Create the connection objects for the domain controller by using the following syntax:

    Mkdsx mkdsx.dat

  4. As the script progresses, output is displayed in the command prompt detailing the script's progress.

Note: Because the Mkdsx.dat file contains entries for at least one domain controller for each branch office, you will see errors when running this command unless you are running this for the last domain controller being staged. If you scroll through the output from this command in the command prompt, you should not see any errors for the domain controller you are currently preparing for shipment.

Verifying Connection Object Creation

To verify the connection objects were created properly:

  1. Open a command prompt, and then change to the C:\ADMonitor folder.

  2. Start the QA_Check.cmd script.

  3. After the script completes, change to the C:\ADResults\<computername> folder.

  4. Use Notepad to open the text file in this folder.

  5. Locate the Active Directory Replication Connection Objects section of the file. Verify that this section no longer contains any connection objects with the staging server. All connection objects listed should be with a bridgehead server. If the connection objects are not correct, repeat the previous procedure. If after repeating the previous procedure the connection objects are still not correct, contact the organization's administrators to ensure the Mkdsx.dat file contains this branch office domain controller.

  6. Document the configuration of the branch office domain controller in the DC Staging Checklist.xls job aid included with this guide.

Note: If you also run a quality assurance check on the bridgehead servers at this time, the bridgehead servers may not contain all the connection objects you expect to see. It will take a few minutes for the connection objects between the bridgehead servers to be built.

Deleting the Connection Object on the Staging Server for the Staged Domain Controller

Now that the staged domain controller has connection objects with bridgehead servers in the hub site, you need to remove the connection object on the staging server for the staged domain controller.

To delete the connection object on the staging server:

  1. Log on to the staging server as Administrator.

  2. Open Active Directory Sites and Services.

  3. In the console tree, expand Sites, expand the Staging site, expand Servers, expand the staging site server name (Staging1), and then select NTDS Settings.

  4. Right-click the connection object with the name From-<Staging site>-<Domain Controller being moved> (for example From-Staging-BODC1), and then select Delete.

  5. Click Yes.
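The two checks in the last two procedures (the staged domain controller should pull only from hub bridgeheads, and the staging server should no longer pull from the staged domain controller) can be made against the directory directly instead of by reading the QA_Check.cmd text file. The following is an added example written for this page, not one of the guide's QA scripts; it enumerates the nTDSConnection objects under a server's NTDS Settings with [ADSI]. The server names BODC1, Staging1, HubBH1 and HubBH2 and the site names BOSite1 and Staging are assumed sample values.

```powershell
# Added example (not part of the original guide): enumerate inbound
# nTDSConnection objects for a server and check them against the expected
# hub bridgeheads. Server and site names below are assumed sample values.

function Get-InboundConnection {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$SiteName
    )
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ntds = [ADSI]"LDAP://CN=NTDS Settings,CN=$ServerName,CN=Servers,CN=$SiteName,CN=Sites,$configNc"
    foreach ($child in $ntds.Children) {
        if ($child.SchemaClassName -ne 'nTDSConnection') { continue }
        # fromServer is the DN of the partner's NTDS Settings object:
        # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        $rdns = ([string]$child.Properties['fromServer'].Value) -split ','
        [pscustomobject]@{
            Server     = $ServerName
            Connection = [string]$child.Properties['cn'].Value
            FromServer = ($rdns[1] -replace '^CN=', '')
            FromSite   = ($rdns[3] -replace '^CN=', '')
        }
    }
}

function Test-ConnectionTopology {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string[]]$ExpectedPartners,  # hub bridgeheads
        [Parameter(Mandatory)][string]$StagingServer
    )
    $conns = @(Get-InboundConnection -ServerName $ServerName -SiteName $SiteName)
    $ok = $true
    foreach ($c in $conns) {
        if ($c.FromServer -ieq $StagingServer) {
            Write-Warning "$ServerName still replicates from staging server $StagingServer (connection '$($c.Connection)')."
            $ok = $false
        } elseif ($c.FromServer -notin $ExpectedPartners) {
            Write-Warning "$ServerName has an unexpected inbound connection from $($c.FromServer)."
            $ok = $false
        }
    }
    foreach ($p in $ExpectedPartners) {
        if (@($conns | ForEach-Object { $_.FromServer }) -notcontains $p) {
            Write-Warning "$ServerName has no inbound connection from expected bridgehead $p."
            $ok = $false
        }
    }
    return $ok
}

# Staged DC: must pull only from the two hub bridgeheads, never from Staging1.
Test-ConnectionTopology -ServerName 'BODC1' -SiteName 'BOSite1' `
    -ExpectedPartners 'HubBH1', 'HubBH2' -StagingServer 'Staging1'

# Staging server: after the manual delete above, no inbound connection from
# BODC1 should remain, so this expression should be $false.
@(Get-InboundConnection -ServerName 'Staging1' -SiteName 'Staging' |
    ForEach-Object { $_.FromServer }) -contains 'BODC1'
```

Because connection objects live in the Configuration partition, run the check against a hub domain controller after replication has caught up; as the note above says, querying a bridgehead immediately after Mkdsx can show an incomplete set.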

Configuring TCP/IP for the Branch Office and FRS for Shipment

The final procedure for preparing a staged domain controller for shipment involves running a script to replicate the domain controller, change the IP address configuration to the correct IP address for the destination branch office, and configure FRS for shipment. In addition, the script runs ipconfig for a final verification of the IP address and runs Active Directory Sites and Services for a final verification that the staged domain controller was moved to the correct site.

Note: If you require reverse lookup zones for each branch office, before continuing you should create the reverse lookup zone for the branch office site to which this domain controller will be shipped. The reverse lookup zone should be created on the domain controller and should be a standard primary zone. In addition, you may want to create a secondary zone on each of the root DNS Servers.

Change IP Address to Target Site's Subnet and Update the Preferred DNS Server

To change the IP address and preferred DNS Server:

  1. On the desktop, right-click the My Network Places icon.

  2. Select Properties.

  3. Right-click the Local Area Connection icon.

  4. Select Properties.

  5. Select Internet Protocol (TCP/IP).

  6. Click Properties.

  7. Change the IP Address, Subnet mask, and Default gateway settings to the correct values for the destination branch office.

  8. Change the Preferred DNS server to the server's new IP Address.

  9. Click OK twice.

  10. Close the Network and Dial-up Connections window.

Configure FRS and DNS for Shipment to Branch Office

In this procedure, you will run a script (Pre-ship.cmd) that will:

  • Use repadmin -kcc to pick up new replication connections as replication links.

  • Replicate with the bridgehead servers.

  • Push the new IP address to the DNS servers.

  • Display the IP address configuration so that it can be confirmed.

  • Start Active Directory Sites and Services.

  • Configure FRS to start manually.

To run this script:

  1. Log on as an Administrator.

  2. Open a command prompt.

  3. Change to the C:\BranchDC folder.

  4. Run Pre-ship.cmd, which will start the Active Directory Sites and Services console.

  5. In the command prompt, verify that the IP address configuration is correct for this branch office domain controller.

  6. In the console tree in Active Directory Sites and Services, expand Sites, expand the site for the branch office domain controller being prepared for shipment, and then expand Servers.

  7. Under Servers, verify that the branch office domain controller being prepared for shipment appears. If the branch office domain controller being prepared for shipment does not appear, repeat the procedures in this chapter.

  8. Close the Active Directory Sites and Services console.

  9. Click Start, Run, in the Open box, type Notepad C:\BranchDC\Pre-Ship.log and then click OK.

  10. In the Pre-Ship.log file, you should see six successful syncs: one for each of the three naming contexts (schema, configuration, and domain) from each of the two bridgehead servers the domain controller has connection objects with. You will also see three errors (one per naming context) for each bridgehead server the domain controller does not have a connection object with. The expected number of errors is therefore:

    (number of bridgehead servers - hub redundancy setting in Topo.dat) x 3

    In the sample environment in this guide there are three bridgehead servers and a hub redundancy setting of 2 in Topo.dat, so (3 - 2) x 3 = 3 errors are expected.

Verify that the Pre-Ship.log file does not contain any other errors and that all commands completed successfully. If a command in Pre-Ship.cmd did not complete successfully, resolve the problem and rerun the command.
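Before shutting the server down, it is worth confirming the end state that the TCP/IP procedure and Pre-ship.cmd are supposed to leave behind, rather than relying on having read ipconfig output and the console correctly. The following is an added example written for this page, not part of the guide's scripts: it checks that the IPv4 address is on the destination subnet, that the preferred DNS server is the domain controller itself, that the FRS service (NtFrs) is set to start manually, and that the domain controller object sits under the destination site. The subnet 10.1.1.0/24 and the site BOSite1 are assumed sample values.

```powershell
# Added example (not part of the original guide): pre-shutdown state check
# run on the staged DC itself. Subnet 10.1.1.0/24 and site BOSite1 are
# assumed sample values; requires the ActiveDirectory module for step 3.
Import-Module ActiveDirectory

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()  # network byte order
    [array]::Reverse($bytes)                                            # little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InSubnet {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $mask = [uint32](4294967296 - [math]::Pow(2, 32 - [int]$prefix))
    return (((ConvertTo-UInt32Address $Address) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask))
}

function Test-PreShipState {
    param(
        [Parameter(Mandatory)][string]$DestinationSubnet,  # e.g. 10.1.1.0/24
        [Parameter(Mandatory)][string]$DestinationSite     # e.g. BOSite1
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. IPv4 address on the destination subnet; preferred DNS server is this DC
    #    (step 8 of the TCP/IP procedure). Win32_NetworkAdapterConfiguration is
    #    used because it is available on every supported Windows version.
    $nic = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        Select-Object -First 1
    $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })[0]
    if (-not $ipv4) {
        $problems.Add('No IPv4 address is configured.')
    } elseif (-not (Test-IPv4InSubnet -Address $ipv4 -Cidr $DestinationSubnet)) {
        $problems.Add("Address $ipv4 is not on destination subnet $DestinationSubnet.")
    }
    $preferredDns = @($nic.DNSServerSearchOrder)[0]
    if ($preferredDns -ne $ipv4) {
        $problems.Add("Preferred DNS server is '$preferredDns', expected this DC ($ipv4).")
    }

    # 2. FRS must be set to start manually (what Pre-ship.cmd configures).
    $frs = Get-CimInstance Win32_Service -Filter "Name = 'NtFrs'"
    if (-not $frs) {
        $problems.Add('The NtFrs service was not found.')
    } elseif ($frs.StartMode -ne 'Manual') {
        $problems.Add("NtFrs StartMode is '$($frs.StartMode)', expected 'Manual'.")
    }

    # 3. The DC object must be listed under the destination site (step 7).
    $site = (Get-ADDomainController -Identity $env:COMPUTERNAME).Site
    if ($site -ne $DestinationSite) {
        $problems.Add("DC is in site '$site', expected '$DestinationSite'.")
    }

    [pscustomobject]@{ ReadyToShip = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage with the assumed sample values; ReadyToShip must be $true before shutdown.
Test-PreShipState -DestinationSubnet '10.1.1.0/24' -DestinationSite 'BOSite1'
```

The check deliberately reads the live configuration rather than Pre-Ship.log, so it also catches a setting that was typed correctly in the dialog but not applied, and it can be re-run after the server is powered on at the branch office as a first post-shipment check.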

Shut Down the Domain Controller and Ship It to the Branch Office

After completing and verifying the procedures in this chapter, you can now shut down the domain controller and ship it to the branch office. The domain controller should be shipped and turned back on at the branch office in 10 days or less. For a review of the issues that may be encountered with a longer shutdown, see Chapter 6 "Planning for Building and Deploying Branch Office Domain Controllers" of the Active Directory Branch Office Planning Guide.

Summary

You have now completed all of the steps that must be performed before shipping a staged domain controller to a branch office site. Remember that this server should be shipped to the branch office and turned on within 10 days of completing these tasks. In the next phase of deployment you will complete some post-shipment tasks and verify that all tasks were completed successfully.

More Information

For more information, see the resource list at the end of Chapter 2, "Building the Forest Root Domain and Central Hub Site."