Deploying Active Directory for Branch Office Environments

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 2 - Building the Forest Root Domain and Central Hub Site

Operating System

Deployment and Operations Guide

Abstract

This chapter outlines the steps required to create and monitor the forest root domain for the branch office scenario. The central hub site will also be created for these services. After completing these steps, the forest root required to support the Microsoft® Active Directory™ directory service for this scenario will be in place. Additionally, procedures for monitoring will have been established.

On This Page

Introduction
Process Flowchart
Deployment Considerations
Topology Overview
Install Windows 2000 Operating System and Service Packs
Install Branch Office Share and Scripts
Configure TCP/IP Settings
Create DNS Zones
Create the Forest Root Domain Controllers
Configure DNS Forwarders
Prepare the Active Directory Forest for Exchange 2000
Creating the Hub Site
Verify the Root Domain Configuration
Summary
For More Information

Introduction

This chapter outlines the steps required to create and monitor the forest root domain for the Microsoft® Windows® 2000 Active Directory™ branch office scenario. The steps in this chapter will guide you through the processes necessary to build the forest root domain and Domain Name System (DNS) for corp.hay-buv.com. After completing these steps, the infrastructure required to support and monitor the root domain and DNS will be in place.

The planning of your Active Directory branch office architecture must be completed prior to beginning the procedures in this chapter.

Resource Requirements

Individuals from the following teams will be required to participate during this phase of the installation:

  • Windows 2000 Active Directory Services Design Team

  • Operations Team

  • A representative from the network team who can provide DNS and other network information.

What You Will Need

  • Branch Office Download Zip file.

  • Active Directory Architecture.

  • Minimum of seven servers.

  • Windows 2000 Server CD and Product Key.

  • Windows 2000 Service Pack 2.

  • Seven static TCP/IP Addresses.

  • Administrator account and password.

  • Enterprise administrator account and password.

What You Should Know

This walk-through assumes that you have a basic knowledge of Windows 2000, Active Directory, and DNS. For a list of additional resources, see the "For More Information" section at the end of this document.

Process Flowchart

Deployment Considerations

The availability of DNS directly affects the availability of Active Directory. Clients rely on DNS to find a domain controller, and domain controllers rely on DNS to find other domain controllers. Even if you already have DNS servers deployed on your network today, you might need to adjust the number and placement of servers to meet the needs of your Active Directory branch office deployment.

For more information on best practices for planning the DNS and domain namespace, see Chapter 2, "Structure Planning for Branch Office Environments" in the Active Directory Branch Office Planning Guide.

The following sections provide guidelines for your DNS server configuration, operations masters, and global catalog servers.

DNS Guidelines

The following are high-level design guidelines for designing DNS for the branch office scenario.

  • As a general rule, place at least one DNS server in every site. The DNS servers in the site should be authoritative for the locator records of the domains in the site, so that clients do not need to query DNS servers offsite to locate domain controllers that are in a site.

  • Use Active Directory integrated DNS so that all DNS domains are represented in the local site to minimize WAN traffic to central DNS servers.

  • Configure each forest root domain controller to point to other domain controllers as the preferred and alternate DNS servers.

  • Configure domain controllers for domains other than the forest root to use themselves as their preferred DNS server. An alternate DNS server should also be configured.

  • Configure all DNS clients with a preferred DNS server and an alternate DNS server.

    • The preferred DNS server should be in the same site.

    • The alternate should be located in the central hub site.

  • Some type of regular monitoring should be implemented to check on the health and responsiveness of DNS. For example, NetIQ AppManager provides DNS health checking in the form of monitoring for events, performance data, and regular testing of DNS by doing actual lookups against the DNS servers. DNS problems may take some time to manifest themselves, and any problems that result may accumulate.

Hub Site

The following are design guidelines for designing your hub site for the branch office scenario.

  • Place three root Active Directory servers for the branch domain (one global catalog server and two domain controllers) with Active Directory integrated DNS in the hub site.

  • ROOT1 will be a global catalog server and host the Schema Master and Domain Naming Master operations master roles. ROOT2 will be a domain controller and host the relative identifier (RID) Master, Primary Domain Controller Emulator (PDC Emulator), and Infrastructure Master operations master roles. ROOT3 will be a domain controller and serve as a standby operations master server. All three will have Active Directory integrated DNS, which will provide high availability of the forest root domain.

  • They each point to another root server for preferred and alternate DNS to avoid the "island" issue. (See Chapter 2, "Structure Planning for Branch Office Environments" in the Active Directory Branch Office Planning Guide for a discussion of this issue.)

  • Configure these servers with root hints for Internet addresses.

  • Configure forwarders for other enterprise domains where appropriate.

Branch Office Bridgehead Servers

The following are design guidelines for designing your branch office bridgehead servers.

  • Branch office bridgehead domain controllers should also have Active Directory integrated DNS.

  • The number of bridgehead servers depends on the number of branch offices, replication frequency and traffic, and so on. For more information, see the Chapter 3, "Planning Replication for Branch Office Environments" in the Active Directory Branch Office Planning Guide.

  • For bridgehead servers, configure each to point to itself as the preferred DNS server; the alternate should be one of the other bridgehead servers.

  • Configure forwarders to point to root zone DNS servers if there is not an internal root.

Staging Site

The following are design guidelines for designing your staging site for the branch office scenario. Place one domain controller in the staging site, which will:

  • Be the primary seed for building new domain controllers for the branches.

  • Be a global catalog server.

  • Be a member of the branch office domain.

  • Point to itself as its preferred DNS server, with one of the servers in the hub site as its alternate DNS server.

  • Have forwarders to point to root zone DNS servers if there is not an internal root.

  • Have its DNS server configured not to use recursion.

Branch Office Domain Controller (Branch Office Site)

The following are design guidelines for your branch office sites for the branch office scenario.

  • Configure each branch's preferred DNS server to point to itself and the alternate to point to one of the bridgehead servers. Configure some branch domain controllers to use the first hub/bridgehead server as their alternate, some the second, and some the third, thus load balancing the distribution.

  • Configure forwarders to point to root zone DNS servers if there is not an internal root.

  • Configure the DNS server to not use recursion.

Branch Office Clients

The following are design guidelines for your branch office clients.

  • Clients point to the branch office Active Directory/DNS server as their primary DNS server.

  • Clients in the branch office have their alternate DNS server set to one of the hub bridgehead servers, again distributing the load among the hub bridgehead servers.

Placement of the Root Domain

The following are design guidelines for the placement of your root domain for the branch office scenario.

  • Domain controllers use the _msdcs.corp.hay-buv.com zone during replication. It is recommended to have this zone on a local DNS server in the branch. Having the _msdcs.corp.hay-buv.com zone on a local DNS server will allow user queries for a global catalog server at logon to be local as well.

  • If the branch office sites each have a single domain controller, the _msdcs.corp.hay-buv.com domain should be a subdomain (it is set up this way by default) that is part of the Active Directory integrated zone for corp.hay-buv.com domain.

  • If there is a global catalog server or multiple domain controllers in the branch office environment, the _msdcs.corp.hay-buv.com subdomain should be its own Active Directory integrated zone in the root hub site. There should also be a secondary zone on the branch office DNS servers in this situation. This configuration will improve replication performance and reduce queries to the central hub site over the WAN.

Reverse Lookup Zones

The following are design guidelines for your reverse lookup zones.

  • Reverse lookup zones are required for DNS monitoring and troubleshooting. In addition, some applications may require reverse lookup zones.

  • Create a standard primary reverse lookup zone that accepts dynamic updates for each branch office site. Create a standard secondary zone, for each branch office reverse lookup zone, on each of the root DNS servers in the hub site.

Secure Updates - Dynamic DNS

Each Active Directory integrated DNS zone should have Secure Dynamic Updates enabled. Without secure updates enabled, anyone can delete, modify, or create DNS records using a generic dynamic update protocol.

Topology Overview

The procedures in this guide will walk you through setting up the six networks depicted in the above topology.

The TCP/IP addresses above represent the final configuration. The DNS settings configured during server installation are different from those shown in the above diagram, in particular the preferred DNS server and alternate DNS server. After installation, the DNS settings are configured to use the IP addresses shown in the above diagram. Therefore, the procedures should be followed carefully.

Note: This walk-through assumes that a unique dedicated subnet will be assigned to each site. If this scenario will be set up in a lab environment, when creating the sites and subnets for the branch offices either through the Active Directory Sites and Services Microsoft Management Console (MMC) or the script included with this guide, use a subnet mask of 255.255.255.255. Doing so will cause each IP address to be a subnet for each site in Active Directory. This will allow you to emulate a routed network without having to use hardware routers.

Install Windows 2000 Operating System and Service Packs

Use the following steps to install Windows 2000, and recent service packs, on the seven or more servers that will be in your hub site. These steps should be followed to configure the base operating system components in advance on all seven hub site servers for this scenario.

Follow the instructions carefully to ensure proper setup of each server in the scenario.

Note: As you perform the procedures in this chapter, you should document the configuration of the servers in the Hub Site Checklist.xls job aid included with this guide.

Operating System Setup

To install Windows 2000:

  1. Install Microsoft Windows 2000 Server on all servers.

  2. Install the Windows 2000 Support Tools from the Windows 2000 Server CD by using either 2000RKST.MSI or Setup.exe in the SUPPORT\TOOLS directory on the Windows 2000 CD.

  3. Install the Windows 2000 Server Resource Kit utilities from the CD included with the resource kit.

  4. Install Active Perl from the Microsoft Windows 2000 Resource Kit.

Note: The installation of the Support Tools and the Microsoft Windows 2000 Resource Kit can be automated by directly launching the .msi file for each with the /qb switch.

Install DNS and Terminal Services on All Hub Servers

To install DNS and Terminal Services:

  1. Click Start, Settings, Control Panel, Add/Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Scroll down to Networking Services. Don't select the checkbox; instead, highlight the words. (This simplifies the next steps where you select only a few of the Networking Services. Selecting the checkbox results in selecting all Networking Services, and means you will have to deselect a large number of checkboxes under Details.)

  4. Click Details.

  5. Click on the checkbox by Domain Name System (DNS).

  6. Click OK.

  7. Scroll down to Terminal Services and select the checkbox to install Terminal Services.

  8. Click Next.

  9. Select Remote administration mode when the Terminal Services Setup Window appears and then click Next.

  10. If prompted, insert the Windows 2000 Server CD, or use a network share to access the Windows 2000 Server files.

  11. Click Finish.

  12. Close the Add/Remove Programs Window.

  13. Close the Control Panel window.

  14. Reboot as prompted.

Install Service Pack 2

  1. Install Service Pack 2.

  2. When the service pack is installed, click Start, Shut Down, select Restart, and click OK.

Very Important: Repeat the above procedures for each of the seven servers in the hub site. If, during the planning process, you determined that your hub site requires more than three bridgehead servers, repeat the above procedures the appropriate number of times to install all of your bridgehead servers.

After completing the above procedures you should have the following servers installed:

  • ROOT1

  • ROOT2

  • ROOT3

  • HUBDC1

  • BH1

  • BH2

  • BH3

Install Branch Office Share and Scripts

A share needs to be established on HUBDC1 that will be used for configuring all of your domain controllers in the hub site. In addition, these files will be copied to the staging site branch domain controller to be used for staging branch office domain controllers.

Creating the Branch Office Scripts Source Share

This procedure only needs to be completed on the HUBDC1 server. To create the branch office scripts source share:

  1. Log on to Hubdc1 as Administrator.

  2. Create a directory named C:\ADBRANCH on HUBDC1 and share the directory as ADBranch.

  3. Create a directory named C:\QASHARE on HUBDC1 and share the directory as QAShare.

  4. Unzip the contents of the Branch Office Zip file included with this guide, into the ADBRANCH directory.

  5. You will have the following subdirectory structure on the HUBDC1 C:\ drive when these steps are completed:

    Directory                     Description

    C:\ADBRANCH\                  Placeholder for branch office download files. (Only resides on HUBDC1.)

    C:\ADBRANCH\HUB               Scripts for configuration in the hub site. (Only resides on HUBDC1.)

    C:\ADBRANCH\ADMONITOR         Monitoring and QA scripts. (This directory is copied to each new server, including HUBDC1.)

    C:\ADBRANCH\BRANCHDC          Placeholder for branch office domain controller install files. (The contents of this directory are copied to the staging server's C:\BRANCHDC directory and used for staging new branch office domain controllers.)

    C:\ADBRANCH\BRANCHDC\DNS      DNS forwarder input files for load balancing.

    C:\ADBRANCH\BRANCHDC\MKDSX    Automated connection object management script.

    C:\QASHARE                    QA result files from branch office domain controllers are consolidated here for monitoring and reporting. (Only resides on HUBDC1.)

Install Quality Assurance Scripts on Hub Site Servers

The quality assurance scripts must be installed on all servers in the hub site. To install the scripts:

  1. Log on to the server as Administrator.

  2. Start a command prompt.

  3. Use the following command to copy the quality assurance scripts to the server:

    robocopy \\<servername>\ADBranch\ADMonitor C:\ADMonitor /e

    Where <servername> is the name of the HUBDC1 server that has the ADBranch share.

  4. Repeat this process on each of the servers in your hub site, including HUBDC1.

Install Other Monitoring Tools

If you are using the NetIQ AppManager or Operations Manager tools, the following procedures can be used to install the agents. If you are using another third party monitoring tool, this is the stage at which you should install the tool.

Install AppManager Agent

To install the AppManager Agent:

  1. Insert the AppManager compact disc and run Setup.exe.

  2. Select Next, select Install AppManager, and click Next again.

  3. Select the target directory for the agent and click Next.

  4. Be sure that only AppManager Agent is checked and click Next.

  5. Check boxes of the services that are on the machine and click Next.

  6. Uncheck Authorized Management Server* and click Next.

  7. Enter the name of the NetIQ AppManager Management Server and click Next.

  8. If the AppManager Management Server isn't online, you will be prompted to retry or skip discovery. You can run discovery later from the Management Server, so click No. If the Management Server is installed and available, you will not get this prompt.

  9. Replace the asterisk with the name of the Management Server and click Next.

  10. Click Next when prompted for DAO/ODBC. Installation of the agent will proceed.

  11. Click Yes when asked if you want to append the NetIQ install path to the system path.

Install Operations Manager Agent

To install the Operations Manager agent:

  1. Insert the Operations Manager compact disc and run Setup.exe.

  2. Click Manual Agent Setup.

  3. Click Next.

  4. Select the destination directory for the agent and click Next.

  5. Enter the name of the Configuration group of which the agent is a member and click Next. Refer to the NetIQ Operations Manager installation documentation for an explanation of Configuration groups.

  6. Enter the name of the Consolidator computer for this Configuration group. If the Consolidator has not been built, you will get a warning indicating that the consolidator version could not be verified. If the Consolidator has already been built, this indicates a problem connecting to the Consolidator computer. If the Consolidator has yet to be staged, click Next.

  7. Select Full for the Agent Manager control level and click Next.

  8. When the file copy is done, click Finish to complete the agent installation.

Configure TCP/IP Settings

This section describes the necessary steps for configuring TCP/IP on each of the servers in the hub site. This procedure is designed for you to start configuring the TCP/IP settings on ROOT1 and then repeat the procedure for the rest of the servers in your hub site, using the correct IP address settings for the other servers.

To configure TCP/IP:

  1. Log on to ROOT1 as Administrator.

  2. From the desktop, right-click on the My Network Places icon.

  3. Select Properties.

  4. Right-click on the Local Area Connection icon.

  5. Select Properties.

  6. Select Internet Protocol (TCP/IP).

  7. Click Properties.

  8. Enter the following parameters.

    IP address: 10.10.1.1

    Subnet mask: 255.255.0.0

    Default gateway: 10.10.1.1

    Preferred DNS Server: 10.10.1.1

    Alternate DNS Server: 10.10.1.3

    This preferred DNS server IP is temporary. The preferred DNS server will be set to ROOT2 after ROOT2 is configured as a domain controller with Active Directory integrated DNS.

  9. Click OK.

  10. Click OK.

  11. Close the Network and Dial-up Connections window.

Note: Repeat the above steps for each server in the hub site, using the TCP/IP settings in the topology diagram at the beginning of this chapter. For the default gateway, you can use 10.10.1.1 for all servers if you are creating the sample topology.
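The same addressing, applied with netsh instead of the Local Area Connection dialog, as an added example that is not part of the original guide. It also checks an addressing plan against the "island" rule from the Deployment Considerations: once the other root domain controllers exist, no root server should list itself as its preferred DNS server. The adapter name "Local Area Connection" and the alternate DNS servers for ROOT2 and ROOT3 are assumptions; the chapter only fixes their preferred server as ROOT1.

```powershell
# Added example, not the guide's own script. netsh exists on Windows 2000 and later;
# run Set-RootServerTcpIp locally on each root server as Administrator.

$AdapterName = "Local Area Connection"   # rename adapters first on multi-homed servers
$SubnetMask  = "255.255.0.0"
$Gateway     = "10.10.1.1"               # usable for all hub servers in the sample topology

# Initial settings. ROOT1's preferred server is temporarily itself (see the note in
# step 8); ROOT2 and ROOT3 use ROOT1 so that their DCPROMO can locate the domain.
# The alternates for ROOT2 and ROOT3 are assumed, not taken from the chapter.
$InitialPlan = @{
    "ROOT1" = @{ IP = "10.10.1.1"; Preferred = "10.10.1.1"; Alternate = "10.10.1.3" }
    "ROOT2" = @{ IP = "10.10.1.2"; Preferred = "10.10.1.1"; Alternate = "10.10.1.3" }
    "ROOT3" = @{ IP = "10.10.1.3"; Preferred = "10.10.1.1"; Alternate = "10.10.1.2" }
}

# Final settings once all three are domain controllers with AD-integrated DNS:
# ROOT1 moves to ROOT2 as preferred (section "Update the Preferred DNS on ROOT1").
$FinalPlan = @{
    "ROOT1" = @{ IP = "10.10.1.1"; Preferred = "10.10.1.2"; Alternate = "10.10.1.3" }
    "ROOT2" = @{ IP = "10.10.1.2"; Preferred = "10.10.1.1"; Alternate = "10.10.1.3" }
    "ROOT3" = @{ IP = "10.10.1.3"; Preferred = "10.10.1.1"; Alternate = "10.10.1.2" }
}

function Get-IslandRuleViolations {
    # Returns the names of servers whose preferred DNS server is their own address.
    param([hashtable]$Plan)
    @($Plan.Keys | Where-Object { $Plan[$_].Preferred -eq $Plan[$_].IP } | Sort-Object)
}

function Set-RootServerTcpIp {
    # Applies one server's entry from a plan to the local adapter.
    param([Parameter(Mandatory)][string]$ServerName, [hashtable]$Plan = $FinalPlan)
    $s = $Plan[$ServerName.ToUpper()]
    if (-not $s) { throw "No addressing entry for $ServerName" }
    # Static address, subnet mask and default gateway (metric 1), as in step 8.
    & netsh interface ip set address $AdapterName static $s.IP $SubnetMask $Gateway 1
    # "set dns ... static" replaces the whole server list with the preferred server;
    # the alternate is then appended as the second entry.
    & netsh interface ip set dns $AdapterName static $s.Preferred
    & netsh interface ip add dns $AdapterName $s.Alternate 2
    # Show the resulting DNS server list for the checklist.
    & netsh interface ip show dns $AdapterName
}

# The initial plan intentionally breaks the island rule for ROOT1 (temporary);
# the final plan must not break it for any server.
"Initial plan island-rule violations: $((Get-IslandRuleViolations $InitialPlan) -join ', ')"
"Final plan island-rule violations: $((Get-IslandRuleViolations $FinalPlan) -join ', ')"
```

Use the initial plan (`Set-RootServerTcpIp ROOT1 $InitialPlan`) while building the root servers and the final plan after all three are promoted.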

Create DNS Zones

Note: The rest of the procedures in this chapter are performed on only the three root servers. The remaining configuration for the bridgehead servers is performed in Chapter 3, "Building the Branch Office Domain and Bridgehead Servers."

Now that your hub site servers are installed and TCP/IP is configured, the next step in preparing your hub site is to create your forest root and reverse lookup DNS zones.

Creating the Forest Root Zone on ROOT1

To create the forest root zone:

  1. Click Start, Programs, Administrative Tools, DNS.

  2. Select, then right-click on the ROOT1 server icon.

  3. Select New Zone.

  4. Click Next.

  5. Select Standard primary and click Next.

  6. Select Forward lookup zone and click Next.

  7. Enter corp.hay-buv.com as the name of the zone. (Substitute the name of your domain for corp.hay-buv.com throughout the rest of the deployment instructions.)

  8. Click Next.

  9. Click Next to accept the creation of the new zone file.

  10. Click Finish.

Allowing Dynamic Updates to the Forest Root Zone

To configure the forest root zone to allow dynamic updates:

  1. In the DNS console, expand the ROOT1 server icon.

  2. Expand the Forward Lookup Zones folder.

  3. Select, then right-click the corp.hay-buv.com zone and select Properties.

  4. In the Allow Dynamic Updates dropdown box, select Yes.

  5. Click OK.

Adding a Reverse Lookup Zone on ROOT1

To configure the reverse lookup zone:

  1. In the DNS console, expand the ROOT1 server icon.

  2. Select, then right-click on Reverse Lookup Zones and select New Zone.

  3. Click Next.

  4. Click Next.

  5. Enter the IP address range for the zone, which in our example environment is 10.x.x.x. Work with the network team to verify the reverse lookup zone IP range. For this example scenario, entering 10 in the first octet will work.

  6. Click Next.

  7. Click Finish.

  8. Close the DNS console.

Create the Forest Root Domain Controllers

After creating the DNS forest root and reverse lookup DNS zones, you can now promote your three root servers to be domain controllers. After promoting the first server, you will change the forward lookup zone to be Active Directory integrated. Before continuing with the rest of the root servers, it is important to verify that the first server completed successfully.

Note: The Active Directory Installation Wizard (Dcpromo.exe) steps in this guide assume the Active Directory database and log files, as well as SYSVOL, will all be stored on the same physical disk. If you have multiple physical disks in your servers and wish to place these files on different physical disks, modify the location of these files as appropriate for your environment.

Running DCPROMO on ROOT1

To promote the ROOT1 server:

  1. Click Start, Run, type dcpromo and then click OK.

  2. Click Next.

  3. Select Domain controller for a new domain and then click Next.

  4. Select Create a new domain tree and then click Next.

  5. Select Create a new forest of domain trees and then click Next.

  6. Type your root domain name in the Full DNS name for new domain box and then click Next. In the example used in this guide, the root domain name is corp.hay-buv.com.

  7. Click Next to accept the default Domain NETBIOS name.

  8. Click Next to accept the default locations for the database and log files if you have only a single physical disk. Otherwise, specify the desired location for the files.

  9. Click Next to accept the default SYSVOL folder location.

  10. Click OK.

  11. Select No, I will install and configure DNS myself and then click Next.

  12. Click Next to accept the default of Permissions compatible with pre-Windows 2000 servers.

  13. Enter a Directory Services Restore Mode Administrator password and then click Next.

  14. Review the settings and then click Next to begin the Active Directory Installation Wizard (dcpromo.exe) configuration process.

  15. Click Finish.

  16. Click Restart Now when prompted.

Enabling Active Directory Integration of the Forest Root Zone and the Reverse Lookup Zone

To enable Active Directory integration for the forest root zone and reverse lookup zone:

  1. Click Start, Programs, Administrative Tools, DNS.

  2. Expand the ROOT1 server icon.

  3. Expand the Forward Lookup Zones folder.

  4. Select, then right-click the corp.hay-buv.com zone and select Properties.

  5. Click Change, to change the zone type.

  6. Select Active Directory-integrated.

  7. Click OK.

  8. Click OK to confirm change of the zone type.

  9. Click OK.

  10. Expand the Reverse Lookup Zone folder.

  11. Right-click the IP address range for the zone, which in our example environment is 10.x.x.x, and select Properties.

  12. Select Change, to change the zone type.

  13. Select Active Directory-integrated.

  14. Click OK.

  15. Click OK to confirm change of the zone type.

  16. Click OK.
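The zone steps of this section, together with the "Secure Updates - Dynamic DNS" guideline from the Deployment Considerations, carried out with dnscmd.exe from the Windows 2000 Support Tools installed earlier instead of the DNS console, as an added example that is not part of the original guide. Zone and server names are the chapter's; the "update = N" line parsed from the /ZoneInfo output is the format dnscmd prints (2 means secure updates only).

```powershell
# Added example, not the guide's own script. Requires dnscmd.exe (Support Tools)
# and an account with DNS administration rights on ROOT1.

$DnsServer   = "ROOT1"
$RootZone    = "corp.hay-buv.com"
$ReverseZone = "10.in-addr.arpa"     # the 10.x.x.x reverse lookup zone from the procedure

function Invoke-Dnscmd {
    # Runs one dnscmd command against $DnsServer and stops on failure, so a step that
    # did not apply (for example a zone that already exists) is not silently skipped.
    param([string[]]$Arguments)
    $out = & dnscmd.exe $DnsServer @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $out" }
    $out
}

# Before DCPROMO (sections "Creating the Forest Root Zone on ROOT1", "Allowing Dynamic
# Updates to the Forest Root Zone" and "Adding a Reverse Lookup Zone on ROOT1"):
# file-backed standard primary zones. AllowUpdate 1 = nonsecure and secure, the only
# kind of dynamic update a zone that is not Active Directory integrated can accept.
function New-PreDcpromoZones {
    Invoke-Dnscmd @("/ZoneAdd", $RootZone, "/Primary", "/file", "$RootZone.dns")
    Invoke-Dnscmd @("/Config", $RootZone, "/AllowUpdate", "1")
    Invoke-Dnscmd @("/ZoneAdd", $ReverseZone, "/Primary", "/file", "$ReverseZone.dns")
}

# After ROOT1 has been promoted: convert both zones to Active Directory integrated and
# require secure dynamic updates (AllowUpdate 2), so that only authenticated computers
# can create, change or delete records in them.
function Set-ZonesAdIntegratedSecure {
    foreach ($zone in $RootZone, $ReverseZone) {
        Invoke-Dnscmd @("/ZoneResetType", $zone, "/DsPrimary")
        Invoke-Dnscmd @("/Config", $zone, "/AllowUpdate", "2")
    }
}

# Audit: returns the zones whose dynamic update mode is anything other than "secure
# only". Run it after Set-ZonesAdIntegratedSecure; an empty result is the goal.
function Get-NonSecureUpdateZones {
    $notSecure = @()
    foreach ($zone in $RootZone, $ReverseZone) {
        $mode = $null
        foreach ($line in Invoke-Dnscmd @("/ZoneInfo", $zone)) {
            if ($line -match '^\s*update\s*=\s*(\d+)') { $mode = [int]$Matches[1] }
        }
        if ($mode -ne 2) { $notSecure += $zone }
    }
    $notSecure
}

# Typical sequence: New-PreDcpromoZones, run dcpromo and reboot, then
# Set-ZonesAdIntegratedSecure and confirm Get-NonSecureUpdateZones returns nothing.
```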

Configuring the _msdcs zone

If you are planning to deploy a global catalog server or multiple domain controllers to the branch offices, the _msdcs.corp.hay-buv.com zone should be configured as a separate Active Directory integrated zone. This zone will be configured as a secondary zone on the DNS servers at the branches with multiple domain controllers or a global catalog server.

This scenario assumes that there is a single domain controller at each branch. Therefore, this configuration is not required. The _msdcs.corp.hay-buv.com subdomain will be left within the corp.hay-buv.com zone.

Verify ROOT1 Name Registration

To verify ROOT1:

  1. In the DNS console, expand ROOT1, expand Forward Lookup Zones, and then expand the corp.hay-buv.com domain and verify that the _msdcs, _sites, _tcp, _udp subdomains are registered under the corp.hay-buv.com forward lookup zone.

  2. If the _msdcs, _sites, _tcp, _udp subdomains are not visible in DNS, stop and restart the NETLOGON service to initiate the registration of the records. Start a command prompt and type in the net stop netlogon and net start netlogon commands. Repeat step 1 to verify the subdomains are registered.

Verify DNS Name Resolution on ROOT2

After verifying the first domain controller, use the following steps to verify DNS name resolution on the second server.

  1. Log on to ROOT2 as Administrator.

  2. On ROOT2, open a command prompt.

  3. Type nslookup corp.hay-buv.com and press ENTER. You should see the following result:

    C:\>nslookup corp.hay-buv.com
    Server: root1.corp.hay-buv.com
    Address: 10.10.1.1

    Name: corp.hay-buv.com
    Address: 10.10.1.1

If you do not see successful name resolution, which is the second set of information in the response, check the IP settings on ROOT2 to verify it has 10.10.1.1 (ROOT1) as its preferred DNS server. Nslookup first tells you which server is providing the Nslookup response, and then provides the information found. Verify DNS records on ROOT1's DNS server by examining the records in the DNS MMC forward lookup zone for corp.hay-buv.com. Do not proceed until DNS is working properly. For more information on Nslookup, refer to Online Help, and the Windows 2000 Resource Kit volume "TCP/IP Core Networking Guide."

Running DCPROMO on ROOT2

After verifying DNS name resolution for ROOT2, use the following steps to promote the server to a domain controller:

  1. Click Start, Run, type dcpromo and press ENTER.

  2. Click Next.

  3. Select Additional domain controller for an existing domain and then click Next.

  4. Enter the Enterprise Administrator credentials for the corp.hay-buv.com domain, enter corp.hay-buv.com as the domain name, and then click Next.

  5. Enter corp.hay-buv.com as the Domain name and then click Next.

  6. Click Next to accept the default locations for the database and log files if you have only a single physical disk. Otherwise, specify the desired file location.

  7. Click Next to accept the default SYSVOL folder location.

  8. Enter the Directory Services Restore Mode Administrator Password for this server and click Next.

  9. Review the settings and then click Next to begin the Active Directory Installation Wizard (Dcpromo.exe) configuration process.

  10. Click Finish.

  11. Click Restart Now when prompted.

Verify the ROOT2 Name Registrations

To verify ROOT2:

  1. After restarting, log on as Administrator.

  2. Click Start, Programs, Administrative Tools, DNS. Expand the corp.hay-buv.com domain and verify that records for the new domain controller are visible in the _msdcs, _sites, _tcp, _udp subdomains registered under the corp.hay-buv.com Forward Lookup zone. If they are not visible in DNS, restarting NETLOGON will initiate the registration of the records.

  3. Verify that the Reverse Lookup zone has replicated.

Verify DNS Name Resolution on ROOT3

To verify DNS name resolution on the third root server:

  1. Log on to ROOT3 as Administrator.

  2. On ROOT3, open a command prompt.

  3. Type nslookup corp.hay-buv.com and press ENTER. You should see the following result:

    C:\>nslookup corp.hay-buv.com
    Server: root1.corp.hay-buv.com
    Address: 10.10.1.1

    Name: corp.hay-buv.com
    Address: 10.10.1.1

If you do not see successful name resolution, check the IP settings on ROOT3 to verify that it has 10.10.1.1 (ROOT1) as its preferred DNS server. Verify DNS records on ROOT1's DNS server. Do not proceed until DNS is working properly.

Running DCPROMO on ROOT3

To promote the third root server to a domain controller:

  1. Click Start, Run, type dcpromo and press ENTER.

  2. Click Next.

  3. Select Additional domain controller for an existing domain and then click Next.

  4. Enter the Enterprise Administrator credentials for the corp.hay-buv.com domain, enter corp.hay-buv.com as the domain name, and then click Next.

  5. Enter corp.hay-buv.com as the Domain name and then click Next.

  6. Click Next to accept the default locations for the database and log files if you have only a single physical disk. Otherwise, specify the desired file location.

  7. Click Next to accept the default SYSVOL folder location.

  8. Enter the Directory Services Restore Mode Administrator password for this server and click Next.

  9. Review the settings and then click Next to begin the Active Directory Installation Wizard (Dcpromo.exe) configuration process.

  10. Click Finish.

  11. Click Restart Now when prompted.

Verify the ROOT3 Name Registrations

To verify ROOT3:

  1. After restarting, log on as Administrator.

  2. Click Start, Programs, Administrative Tools, DNS.

  3. Expand the corp.hay-buv.com domain and verify that records for the new domain controller are visible in the _msdcs, _sites, _tcp, _udp subdomains registered under the corp.hay-buv.com forward lookup zone. If they are not visible in DNS, restarting NETLOGON will initiate the registration of the records.

  4. Verify that the Reverse Lookup zone has replicated.

Update the Preferred DNS on ROOT1

Now that the other domain controllers in the root domain have been created and verified, it is necessary to change the Preferred DNS server for the first server, ROOT1. None of the root servers should use themselves as their Preferred DNS server in order to avoid the potential for the "island issue" described in Chapter 2, "Structure Planning for Active Directory Branch Office Environments" of the Active Directory Branch Office Planning Guide.

  1. On ROOT1, right-click on the My Network Places icon on the desktop and select Properties.

  2. Right-click on the Local Area Connection icon and select Properties. (On a multi-homed server, rename each adapter for ease of identification and management.)

  3. Select Internet Protocol (TCP/IP) and then click Properties.

  4. Change the Preferred DNS server from 10.10.1.1 to 10.10.1.2.

  5. Click OK.

  6. Click OK.

  7. Close the Network and Dial-up Connections window.

Move Domain Operations Master roles to ROOT2

ROOT1 is a Global Catalog server, on which it is not recommended to also have the RID Master, PDC Emulator, or Infrastructure Master operations master roles. Therefore, this procedure provides the steps necessary to move the roles to ROOT2.

To move the operations master roles to ROOT2:

  1. Start Active Directory Users and Computers.

  2. Right-click the top of the Active Directory Users and Computers tree.

  3. Select Connect to Domain Controller.

  4. Select ROOT2 from the list and click OK.

  5. Right-click on the corp.hay-buv.com domain and select Operations Masters.

  6. The RID Master role appears by default; click Change.

  7. Click Yes to confirm the transfer.

  8. Click OK.

  9. Repeat the above steps for the PDC Emulator and Infrastructure Master operations masters.

Configure DNS Forwarders

In standalone networks, the DNS server will automatically assume it has root authority, which means it will assume there are no other DNS servers that have greater authority. To add DNS forwarding, you need to delete the root DNS zone and add DNS Forwarder addresses.

Configure Forwarders on ROOT1, ROOT2, and ROOT3

To configure DNS Forwarders on the root servers:

  1. Log on to ROOT1.

  2. Click Start, Programs, Administrative Tools, DNS.

  3. Right-click the "." folder under the Forward Lookup Zones folder and click Delete. This is the root DNS zone.

  4. Right-click the DNS Server name (ROOT1) and click Refresh.

  5. Right-click the DNS Server name again and click Properties.

  6. Click the Forwarders tab and check the Enable forwarders check box.

  7. Enter the IP addresses of the external DNS servers (primary and alternate) for hay-buv.com. These addresses should be obtained from your corporate network team.

  8. Click OK.

  9. Repeat these steps on the ROOT2 and ROOT3 domain controllers.

Note: It is not necessary to delete the "." root domain on ROOT2 and ROOT3 as it was deleted on ROOT1 and the change will replicate to the other servers. You can use Active Directory Sites and Services MMC to force replication, or wait about 15 minutes for replication to complete.

Verify DNS Forwarding

To verify the DNS Forwarder configuration:

  1. Wait at least 15 minutes.

  2. On ROOT1, start a command prompt.

  3. Type nslookup <somedomain.xyz> and press ENTER, where <somedomain.xyz> is an internal or external domain that the forwarders should be able to resolve. You should see a result such as the following:

    C:\>nslookup somedomain.xyz   
    Name: somedomain.xyz  
    Addresses: x.x.x.x  
    
  4. Verify the DNS Forwarder IP addresses are correct if you do not see a successful resolution from the forwarders. You may also want to verify the domain name you used for your test.

    If you are still having trouble, make sure that network routing is working correctly. Check the Routing and Remote Access settings or other network router settings to ensure servers can PING each other.

    Do not proceed until the servers can communicate and DNS is working properly.

  5. Repeat steps 2 and 3 on all of the root servers.

Prepare the Active Directory Forest for Exchange 2000

Exchange 2000 has a number of infrastructure requirements and dependencies to meet when planning an upgrade or deployment. The first phase of the Exchange upgrade is small but important for the Active Directory administrator.

Two processes need to be completed before Exchange 2000 can be installed on a server in the forest:

  • The Active Directory schema must be updated at the root domain.

  • Appropriate permissions must be assigned.

Exchange 2000 Setup is designed to allow these two processes to be executed separately from the installation or upgrade of a server. The utility ForestPrep is run to apply schema changes and DomainPrep is run to set appropriate permissions.

Keep in mind that ForestPrep tags attributes in the schema for replication to the global catalog. This change causes all global catalogs to set their Update Sequence Numbers to zero. As a result, all objects (not just the changed property) in Active Directory must replicate to each Global Catalog server. Running ForestPrep early in the deployment will reduce the replication required for this change.

DomainPrep can be run at any time prior to deploying your first Exchange 2000 server.

It is recommended that ForestPrep be run at this time if Exchange 2000 will be deployed at some point in the future. Using an account that is a member of the Enterprise Administrators group, and with the Exchange 2000 CD in the CD-ROM drive, either at the command prompt or by clicking Start and pointing to Run, type x:\setup\i386\setup /forestprep, where x: is the drive letter of your CD-ROM drive.

Prepare the Active Directory Forest for Directory-Enabled Applications

It is recommended to implement schema extensions or changes for directory-enabled applications as soon as possible when deploying Active Directory. Use LDIFDE or ADSI to implement these now. You must use an account that is a member of the Enterprise Administrators group for these operations.

Deploying extensions early will reduce replication and network utilization.

Creating the Hub Site

To make it easier for creating your hub and spoke topology, as well as improving your ability to easily administer your branch office environment, you should rename the Default-First-Site. The three root domain controllers you created in this chapter were automatically placed in the Default-First-Site. The procedures in this section will guide you through the process of renaming the Default-First-Site to Hub and creating the correct subnets for the hub site.

Rename the Default-First-Site

To rename the site:

  1. Start Active Directory Sites and Services.

  2. Expand Sites.

  3. Right-click on Default-First-Site-Name and select Rename.

  4. Type Hub.

  5. Right-click the Subnets folder and select New Subnet.

  6. Enter the network address and subnet mask associated with the hub site.

  7. Select the Hub site.

  8. Click OK.

Add HUB Subnets to HUB Site

To add the subnets to the site:

  1. In Active Directory Sites and Services, right-click the Subnets folder and select New Subnet.

  2. Enter the network address and subnet mask associated with the hub site. In this branch office scenario, the following subnets should be entered:

    10.10.1.0 with subnet mask 255.255.0.0

    10.10.20.0 with subnet mask 255.255.0.0

  3. Select the Hub site.

  4. Click OK.

  5. Close Active Directory Sites and Services.

Verify the Root Domain Configuration

Now that all of your root servers are installed and configured, it is extremely important to verify them before continuing the process of creating your Active Directory branch office environment. If problems exist with your root servers and you continue without first correcting them, the problems are very likely to be compounded. It is much easier to correct any problems at this stage than to potentially let them propagate throughout your environment.

Directory and File Replication Service (FRS) replication can take up to 20 minutes to complete. Therefore, wait at least 30 minutes before performing the procedure in this section. Erroneous events may appear in the event log during this initial startup period.

It is also very important to continue to monitor the health of your root servers. The final procedure shows how to schedule the quality assurance script to run daily on your root servers.

Final Quality Assurance Check

To perform the final quality assurance check:

  1. Wait at least 30 minutes.

  2. Log on as Administrator.

  3. Clear the event logs on all servers.

  4. Start a command prompt and change to the C:\ADMonitor folder.

  5. Start the QA_Check.cmd script.

  6. After the script completes change to the C:\ADResults folder.

  7. Use Notepad to open the Ds_showreps.txt file in this folder.

  8. Examine the file to ensure that replication has occurred. For example, you should see entries such as the following that indicate the replication was successful.

    CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=com  
    HUB\ROOT1 via RPC  
    objectGuid: f99e17ed-3b03-4b3e-afa8-2c1e738ddc4d  
    Last attempt @ 2000-12-02 07:09.44 was successful.  
    
  9. If the Ds_showreps.txt file does not have a last attempt was successful line for each naming context, restart this procedure at step 1.

  10. If the Ds_showreps.txt file indicates that replication was unsuccessful for any of the naming contexts, troubleshoot and resolve the problem before continuing. See Chapter 11, Troubleshooting Guidelines for Branch Office Environments, of this guide for more information on troubleshooting errors.

  11. Change to the C:\ADResults\<computername> folder.

  12. Use Notepad to open the text file in this folder.

  13. Examine the file to ensure that there were no errors reported. If there are any errors, the errors must be resolved before continuing. See Chapter 11, Troubleshooting Guidelines for Branch Office Environments, of this guide for more information on troubleshooting errors.

  14. Document the configuration of this server in the Hub Site Checklist.xls job aid included with this guide.

  15. Repeat this procedure for all three of the root domain controllers.
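The check in steps 8 through 10 can be automated. The following Python script is an added example, not part of the guide or its QA_Check.cmd script: it parses text laid out like the Ds_showreps.txt excerpt above and lists every naming context that does not show a successful last attempt from each replication partner. The sample input is constructed here, and the "failed, result 1722:" line is an assumed failure format, not taken from the guide.

```python
import re

# Constructed sample in the layout the guide shows for Ds_showreps.txt.
# The "failed, result 1722:" line is an assumed failure format (not from the guide).
SAMPLE_SHOWREPS = """\
DC=corp,DC=hay-buv,DC=com
    HUB\\ROOT1 via RPC
        objectGuid: f99e17ed-3b03-4b3e-afa8-2c1e738ddc4d
        Last attempt @ 2000-12-02 07:09.44 was successful.
    HUB\\ROOT3 via RPC
        Last attempt @ 2000-12-02 07:10.02 failed, result 1722:
        Last success @ 2000-12-01 22:10.03.
CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=com
    HUB\\ROOT1 via RPC
        Last attempt @ 2000-12-02 07:09.44 was successful.
CN=Configuration,DC=corp,DC=hay-buv,DC=com
"""

# A naming context starts in column 0 with CN= or DC=; its partner
# ("HUB\ROOT1 via RPC") and "Last attempt" lines are indented beneath it.
NC_RE = re.compile(r"^(?:CN|DC)=\S+$")
PARTNER_RE = re.compile(r"^\s*(\S+) via (\S+)\s*$")
ATTEMPT_RE = re.compile(r"^\s*Last attempt @ (\S+ \S+) (.*?)[.:]?\s*$")


def parse_showreps(text):
    """Return {naming_context: {partner: (ok, detail)}}."""
    result, nc, partner = {}, None, None
    for line in text.splitlines():
        p, a = PARTNER_RE.match(line), ATTEMPT_RE.match(line)
        if NC_RE.match(line):
            nc, partner = line.strip(), None
            result[nc] = {}
        elif p and nc is not None:
            partner = p.group(1)
            result[nc][partner] = (False, "no attempt recorded")
        elif a and partner is not None:
            result[nc][partner] = (a.group(2) == "was successful", a.group(2))
    return result


def replication_problems(text):
    """(naming_context, partner, detail) for every context lacking a successful last attempt."""
    problems = []
    for nc, partners in parse_showreps(text).items():
        if not partners:
            problems.append((nc, "-", "no replication partner listed"))
        for partner, (ok, detail) in partners.items():
            if not ok:
                problems.append((nc, partner, detail))
    return problems
```

An empty list from replication_problems corresponds to the condition in step 9; any entry names the naming context and partner to troubleshoot under step 10.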

Schedule the Quality Assurance Check to Run Every Day

The quality assurance script (QA_Check.cmd) should be run every day in order to verify your domain controllers. Some of the Microsoft Windows 2000 Resource Kit utilities used by the quality assurance script must be run using an Administrator account in order to collect their data. Therefore, the Microsoft Windows 2000 Resource Kit utility Srvany.exe is used to run the script as a service, and a batch file is scheduled to start and stop the service.

Before performing the following procedure, you should first create a user account, such as QACheck, that is a member of the Domain Admins group. This will allow you to configure the service to start using an administrator account.

To schedule the quality assurance check:

  1. Start a command prompt and use the following command to install Srvany.exe from the Microsoft Windows 2000 Resource Kit as a Windows service:

    instsrv QACheck "c:\Program Files\Resource Kit\srvany.exe"

  2. Click Start, Programs, Administrative Tools, and select Services.

  3. Right-click the QACheck service you added in step one and select Properties.

  4. On the General tab, set the Startup type as Manual.

  5. On the Log On tab, set the account the service will use when running. This should be the QACheck account that you created.

  6. Click OK and close the Services MMC.

  7. Click Start, Run, in the Open box, type regedt32, and click OK.

  8. Expand the following path in the Registry Editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QACheck

  9. On the Edit menu select Add Key.

  10. In the Add Key dialog box, in the Key Name box, type Parameters and click OK.

  11. Select the Parameters key, and on the Edit menu select Add Value.

  12. In the Add Value dialog box, in the Value Name box, type Application, in the Data Type box select REG_SZ and then click OK.

  13. In the String Editor dialog box, type C:\ADMonitor\QA_Check.cmd and click OK.

  14. Select the Parameters key, and on the Edit menu select Add Value.

  15. In the Add Value dialog box, in the Value Name box, type AppDirectory, in the Data Type box select REG_SZ and then click OK.

  16. In the String Editor dialog box, type C:\ADMonitor and click OK.

  17. After configuring the registry, to schedule the quality assurance script to run Monday through Friday, enter the following command at a command prompt:

    at 5:00 /every:m,t,w,th,f "C:\ADMonitor\startqa.cmd"

Automating daily QA with NetIQ AppManager

If you installed NetIQ AppManager, you can use the NTAdmin_RunDOS KS to start the QA_Check.cmd on a regular basis and the General_Asciilog KS to read the output file and watch for key problem text.

To configure this:

  1. In AppManager, navigate to the NTAdmin tab in the KS pane (usually in the middle on the right of the AppManager Operator console), and drag the RunDOS KS to the machine or machine group.

  2. When prompted for parameters, configure the KS to run every Monday through Friday at 11:00pm by selecting the Weekly Schedule option.

  3. Switch to the Values pane and enter C:\ADMonitor\QA_Check.cmd in the DOS command or Script File field.

  4. Navigate to the General tab in the KS pane and drop the AsciiLog KS onto the machine or machine group.

  5. When prompted, configure the KS to run every Monday through Friday at 11:30pm.

  6. Navigate to the Values tab and enter the problem text you want to watch for in the output of the server being monitored. Enter C:\ADResults\<computername> in the File Name (full path) field.

Summary

You have now created a root domain, set up the root domain servers, configured them for DNS, and created a hub site. Your next task is to create the branch domain, and set up the branch domain bridgehead servers.

For More Information

Resource Centers on the Web

The following external resources on microsoft.com are updated every week with more information:

Windows 2000 Technical Library

https://www.microsoft.com/windows2000/library/

Technologies in Depth Listings

https://www.microsoft.com/windows2000/library/technologies/default.asp

MSDN: Windows 2000 Development Center

https://msdn.microsoft.com/windows2000/

MSPRESS: Windows 2000

https://www.microsoft.com/mspress/windows//

Microsoft Official Curriculum for Windows 2000

https://www.microsoft.com/train_cert/winmoc/win2000_data.htm

Windows 2000 Learning Center

https://www.microsoft.com/train_cert/learncenter/win2000/default.htm

White Papers

Windows 2000 Domain Name System Overview

https://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/dnsover.asp

Windows 2000 Domain Name System White paper

https://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/w2kdns.asp
