Deploying Active Directory for Branch Office Environments

Article
02/20/2014

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 5 - Creating and Configuring the Staging Domain Controller

Operating System

Deployment and Operations Guide

Abstract

This chapter outlines the steps to install and configure the domain controller for the staging site. After completing these steps, you will have a domain controller in the staging site and be ready to begin the process of staging branch office domain controllers in the staging site.

Introduction

Now that you have your hub site bridgehead servers created, and the pre-staging configuration completed, the next step in the process is to create the staging site domain controller. The staging site domain controller will be the source domain controller during the staging process for the branch office domain controllers. This chapter will step you through the processes that must be performed to create the staging site domain controller. By the end of the chapter, the sample environment will appear as follows:

Chapter Sections

This chapter covers the following procedures:

Installing the staging site source domain controller
Configuring and verifying DNS
Promoting and configuring the domain controller
Creating connection objects
Quality assurance and monitoring of the staging site domain controller

Before looking at these sections in detail, let's consider the prerequisites for those procedures.

Resource Requirements

This section provides the details of the resources that you will need to install the staging site domain controller for your environment.

What You Will Need

To complete the procedures in this chapter, you will need:

All bridgehead servers installed.
Microsoft® Windows® 2000 Server or Windows 2000 Advanced Server
The latest Service Pack
The Microsoft Windows 2000 Resource Kit
The password for the QACheck account for scheduling the QA_Check.cmd script.
The quality assurance scripts.

What You Should Know

To complete the procedures in this chapter, you will need:

The username and password for a user account that is a member of the domain administrators group.
The name of the staging site domain controller.
The IP address settings for the staging site domain controller.
The IP addresses of the root DNS servers.

Process Flowchart

Deployment Considerations

The processes covered in this chapter should be performed at the physical staging location, using the connection from the staging site to your hub site. This will provide verification of the link and link capacity to ensure that the process of staging domain controllers will work successfully.

Manual Connection Objects between the Staging Site and Hub Site

Because the Inter-Site Topology Generator (ISTG) is turned off for all of the sites in your environment, it is necessary to create manual connection objects between the staging site domain controller and a domain controller in the hub.

The connection objects between the staging site and hub should be created between the staging site domain controller and the hub domain controller that is the primary domain controller (PDC) Emulator. Connections objects must not be created with a bridgehead server or they will be deleted when you use Mkdsx.cmd in Chapter 7 to create the manual connection objects between the bridgehead servers and a staged domain controller.

In addition, the replication schedule between the staging site and the hub should be configured for replication to occur every 15 minutes. If the replication interval is set to a period of time longer than 15 minutes, it will delay the staging process as you will have to wait for the replication interval to pass before continuing in certain procedures.

Installing the Staging Site Source Domain Controller

The first process that must be completed to have a working staging site is to install a new server that will be promoted to be the source domain controller for your staging process.

Note: As you perform the procedures in this chapter, you should document the configuration of the servers in the Staging Site Checklist.xls job aid included with this guide.

Installing Windows 2000 in a Workgroup

The first step for installing your staging server is to install Microsoft Windows 2000 in a workgroup, including the components in the below list. One method for automating this is to use the Setup Manager tool in the Microsoft Windows 2000 Resource Kit to create an answer file and Uniqueness Database File (UDF)for the installation of the staging site domain controller.

The DNS Server service
Terminal Services in remote administration mode
The Support Tools from the Windows 2000 Server compact disc
The Microsoft Windows 2000 Resource Kit
Active Perl from the Microsoft Windows 2000 Resource Kit
The Remote Command Service from the Microsoft Windows 2000 Resource Kit
The Recovery console
The latest Windows 2000 Service Pack

Note: The installation of the Support Tools and the Microsoft Windows 2000 Resource Kit can be automated by directly launching the msi file for each with the /qb switch.

The server must be assigned a fixed IP address in the staging site subnet or the DNS server will not start properly.

Copy the Script Files to the Server

To copy the Active Directory branch office script files to the server:

Start a command prompt.
Use the following command to copy the Branch Office scripts to the staging site domain controller:
```
robocopy \\<servername>\ADBranch\BranchDC c:\BranchDC\ /e 
```
Where <servername> is the name of the HUBDC1 server that has the script files shared.
Use the following command to copy the quality assurance scripts to the staging site domain controller:
```
robocopy \\<servername>\ADBranch\ADMonitor c:\ADMonitor\ /e 
```
Where <servername> is the name of the HUBDC1server that has the script files shared.
Use the following command to share the BranchDC folder:
```
net share BranchDC=c:\BranchDC 
```
Use the following command to share the ADMonitor folder:
```
net share ADMonitor=c:\ADMonitor 
```

Install Other Monitoring Tools

If you are using the NetIQ AppManager or Operations Manager tools, the following procedures can be used to install the agents. If you are using another third party monitoring tool, this is the stage at which you should install the tool.

Install AppManager Agent

To install the AppManager Agent:

Insert the AppManager compact disc and run Setup.exe.
Select Next, Select Install AppManager, and click Next.
Select the target directory for the agent and click Next.
Be sure that only AppManager Agent is checked and click Next.
Check boxes of the services that are on the machine and click Next.
Uncheck Authorized Management Server:* and click Next.
Enter the name of the NetIQ AppManager Management Server and click Next.
If the AppManager management server is not online, you will be prompted to retry or skip discovery. You can run discovery later from the management server, so click No. If the management server is installed and available, you will not get this prompt.
Replace the asterisk with the name of the management server and click Next.
Click Next when prompted for Data Access Object/Open Database Connectivity (DAO/ODBC). Installation of the agent will proceed.
Click Yes when asked if you want to append the NetIQ install path to the system path.

Install Operations Manager agent

To install the Operations Manager agent:

Insert the Operations Manager compact disc and run Setup.exe.
Click Manual Agent Setup.
Click Next.
Select the destination directory for the agent and click Next.
Enter the name of the configuration group of which the agent is a member and click Next. Refer to the Operations Manager Installation documentation for an explanation of configuration groups.
Enter the name of the Consolidator computer for this configuration group. If the Consolidator has not been built, you will get a warning indicating that the consolidator version could not be verified. If the Consolidator has already been built, this indicates a problem connecting to the Consolidator computer. If the Consolidator has yet to be staged, click Next.
Select Full for the Agent Manager control level and click Next.
When the file copy is done, click Finish to complete the agent installation.

Configuring and Verifying DNS

Now that the staging server is installed, you must configure DNS and verify that the server can communicate on the network and resolve name resolution queries for the domains in your environment.

Configure the DNS Client

This section describes the necessary steps for configuring TCP/IP on the staging server. The staging server must be configured such that the DNS Client has a bridgehead server as its preferred server and a different bridgehead server as its alternate.

From the desktop, right-click on My Network Places icon.
Select Properties.
Right-click on the Local Area Connection icon. On a multi-homed server, rename each adapter for ease of identification and management.
Select Properties.
Select Internet Protocol (TCP/IP).
Click Properties.
Set the preferred DNS server to be one of the bridgehead DNS servers and the alternate DNS server to a different bridgehead DNS server.

Note: This preferred DNS setting is temporary.
Click OK.
Click OK.
Close the Network and Dial-up Connections window.

Verify Connectivity

To verify that the server has the network connectivity to successfully complete the Active Directory Installation Wizard (Dcpromo.exe):

Open a command prompt.

Type PING*<IP address>* and press ENTER, where <IP address> is the address of the hub/bridgehead server that was configured as the Primary DNS Server. You should see the following result:

Pinging <IP Address> with 32 bytes of data: 
Reply from <IP Address>: bytes=32 time<10ms TTL=128 
Reply from <IP Address>: bytes=32 time<10ms TTL=128 
Reply from <IP Address>: bytes=32 time<10ms TTL=128 
Reply from <IP Address>: bytes=32 time<10ms TTL=128 
Ping statistics for <IP Address>: 
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
Minimum = 0ms, Maximum =  0ms, Average =  0ms

If you do not see a successful ping process, check the IP settings to verify that the staging server has the correct default gateway and IP address.

Type nslookup corp.hay-buv.com. and press ENTER. You should see the following result:
```
C:\>nslookup corp.hay-buv.com. 
Server:  bh1.corp.hay-buv.com 
Address:  10.10.20.1 
Name:    corp.hay-buv.com 
Address:  10.10.1.2, 10.10.1.3, 10.10.1.1 
```
If you do not see successful name resolution, check the IP settings to verify that the staging server has a bridgehead server as its preferred DNS server. Verify the DNS records on the bridgehead DNS server. Do not proceed until DNS is working properly.
Type nslookup branches.corp.hay-buv.com. and press ENTER. You should see the following result:
```
C:\>nslookup branches.corp.hay-buv.com. 
Server:  bh1.corp.hay-buv.com 
Address:  10.10.20.1 
Name:    branches.corp.hay-buv.com 
Address:  10.10.20.1, 10.10.20.3, 10.10.20.2, 10.10.20.99 
```
If you do not see successful name resolution, check the IP settings to verify that the staging server has a bridgehead server as its preferred DNS server. Verify the DNS records on the bridgehead DNS server. Do not proceed until DNS is working properly.

Promoting and Configuring the Domain Controller

After configuring and verifying network connectivity and name resolution, you can now promote the server to be the source domain controller for your staging site. When the Active Directory Installation Wizard (Dcpromo.exe) process completes, do not restart the server, as there are configuration changes for DNS that you must make to the server before restarting.

Note: The Dcpromo steps in this guide assume the Active Directory database and log files, as well as SYSVOL, will all be stored on the same physical disk. If you have multiple physical disks in your servers and wish to place these files on different physical disks, modify the location of these files as appropriate for your environment.

Promote the Staging Site Server into the Staging Site

To promote the staging site server to be a domain controller in the staging site:

Click Start, Run, in the Open box type dcpromo and press ENTER.
Click Next.
Select Additional domain controller for an existing domain.
Click Next.
Enter the Administrator credentials for the branches.corp.hay-buv.com domain and enter branches.corp.hay-buv.com as the domain name.
Click Next.
Enter branches.corp.hay-buv.com as the domain name.
Click Next.
Click Next to accept the default locations for the database and log files if you have only a single drive. Otherwise, specify the desired locations for the files.
Click Next to accept the default SYSVOL folder location.
Enter the Directory Services Restore Password and click Next.
Review the settings and click Next to begin the Active Directory Installation Wizard (Dcpromo.exe) configuration process.
Click Finish.
When the process completes, click Don't Restart Now. You will restart the server at the end of these procedures.

Update the Preferred DNS Configuration

To updated the preferred DNS server configuration:

Right-click on My Network Places icon from the desktop.
Select Properties.
Right-click on the Local Area Connection icon.
Select Properties.
Select Internet Protocol (TCP/IP).
Click Properties.
Change the Preferred DNS server to the IP address of the staging server (10.10.30.1).
Click OK.
Click OK.
Close the Network and Dial-up Connections window.

Configure DNS Forwarders

To configure the DNS forwarders for the staging site domain controller:

Start a command prompt and change to the C:\BranchDC folder.
Configure the DNS Forwarders for the staging server by running the Setfwddns.vbs script.
Restart the server.

Configure the Staging Site Domain Controller as a Global Catalog Server

To configure the staging site domain controller as a global catalog server:

Note: If the staging server is not in the staging site in step 2, move the staging server to the staging site before continuing.

Open Active Directory Sites and Services.
In the console tree, expand Sites, expand the Staging site, expand Servers, and then expand the staging site server.
Right-click NTDS Settings, and then click Properties.
Select the Global Catalog check box and then click OK.

Creating Connection Objects

Before restarting the new staging site domain controller, you must first create connection objects. These connection objects will be created between the staging site domain controller and the hub domain controller that is the PDC Emulator. Connections objects must not be created with a bridgehead server or they will be deleted when you use Mkdsx.cmd in Chapter 7 to create the connection objects between the bridgehead servers and a staged domain controller. Because the staging site server is a global catalog server, the staging site server also must have an inbound connection object from one of the root global catalog servers.

In addition, it is important that the replication schedule between the staging site and the hub be configured to replicate every 15 minutes. It is very important that the replication interval be set to 15 minutes, even if there is a slow link between the staging site and the hub site. If the replication interval is set to a period of time longer than 15 minutes, it will delay the staging process as you will have to wait for the replication interval to pass before continuing in certain procedures.

Create Connection Objects to the Hub Site

To create connection objects with the PDC Emulator (HUBDC1) in the hub site:

Log on to the staging server as Administrator.
Start Active Directory Sites and Services and in the console tree, expand Sites, expand the Staging site, expand Servers, and then expand the staging site server.

Note: Verify that Active Directory Sites and Services is connected to the staging server before continuing.
Right-click NTDS Settings, select New, and then click Connection.
In the Find Domain Controllers window, double-click the hub domain controller that is the PDC Emulator (HUBDC1).
In the Name box in the New Object Connection dialog box, type Connection from <Servername> , where <Servername> is the name of the PDC Emulator in the hub (HUBDC1) that was selected in the previous step, and then click OK.
Right-click the connection object created in the previous step and then click Properties.
Click Change Schedule.
Select the entire range, select Four Times per Hour and then click OK.
Click OK.
Right-click NTDS Settings, select New, and then click Connection.
In the Find Domain Controllers window, double-click the first root domain controller (ROOT1).
In the Name box in the New Object Connection dialog box, type Connection from <Servername> , where <Servername> is the name of the first root domain controller (ROOT1) that was selected in the previous step, and then click OK.
Right-click the connection object created in the previous step and then click Properties.
Click Change Schedule.
Select the entire range, select Four Times per Hour and then click OK.
Click OK.
Close Active Directory Sites and Services.
Log on to the PDC Emulator (HUBDC1) as Administrator.
In the Active Directory Sites and Services console tree, expand Sites, expand Hub, expand Servers, and then expand the PDC Emulator (HUBDC1).
Right-click NTDS Settings, select New, and then click Connection.
In the Find Domain Controllers window, double-click the staging server.
In the Name box in the New Object Connection dialog box, type Connection from <StagingServer>, where <StagingServer> is the name of the staging site server, and then click OK.
Right-click the connection object created in the previous step and then click Properties.
Click Change Schedule.
Select the entire range, select Four Times per Hour and then click OK.
Click OK.
Close Active Directory Sites and Services.
Restart the staging site server.

Quality Assurance and Monitoring of the Staging Site Domain Controller

Now that the staging site domain controller has been installed, configured, and has connection objects with the PDC Emulator, you must perform quality assurance checks on the staging site domain controller before staging any domain controllers.

If the replication interval between the staging site and the hub is more than 15 minutes, in step 1 of the below procedure wait for the replication interval plus 30 minutes before proceeding.

Verifying Replication

Verifying replication at the staging site must be performed before staging any domain controllers.

To verify replication:

Wait 30 minutes after the reboot has completed.
Start a command prompt and change to the C:\ADMonitor folder.
Start the QA_Check.cmd script.
After the script completes change to the C:\ADResults folder.
Use Notepad to open the Ds_showreps.txt file in this folder.

Examine the file to ensure that replication has occurred. For example, you should see entries such as the following indicating that replication was successful.

CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=com 
STAGE\HUBDC1 via RPC 
objectGuid: f99e17ed-3b03-4b3e-afa8-2c1e738ddc4d 
Last attempt @ 2000-12-02 07:09.44 was successful.

If the Ds_showreps.txt file does not have a last attempt was successful line for each naming context, restart this procedure at step 1.
If the Ds_showreps.txt file indicates that replication was unsuccessful for any of the naming contexts, troubleshoot and resolve the problem before continuing. See Chapter 11, "Troubleshooting Guidelines for Branch Office Environments," of this guide for more information on troubleshooting errors.
Change to the C:\ADResults\<computername> folder.
Use Notepad to open the text file in this folder.
Examine the file to ensure that there were no errors reported. If there are any errors, the errors must be resolved before continuing. See Chapter 11, "Troubleshooting Guidelines for Branch Office Environments," of this guide for more information on troubleshooting errors.
Document the configuration of the staging site domain controller in the staging site Checklist.xls job aid included with this guide.

Schedule the Quality Assurance Check to Run Every Day

The quality assurance script (QA_Check.cmd) should be run every day in order to verify your staging site domain controller. Some of the Microsoft Windows 2000 Resource Kit utilities used by the quality assurance script must be run using an Administrator account in order to collect their data. Therefore, the Microsoft Windows 2000 Resource Kit utility Srvany.exe is used to run the script as a service and a batch file is scheduled to start and stop the service.

Alternatively, AppManager can run this script on a regular basis and report on problems executing. The agent (NetIQ_mc) should be configured to start under an administrative account to run this script.

To schedule the quality assurance check by using Srvany.exe:

Start a command prompt and use the following command to install Srvany.exe from the Microsoft Windows 2000 Resource Kit as a Windows service:
```
instsrv QACheck "c:\Program Files\Resource Kit\srvany.exe" 
```
Click Start, Programs, Administrative Tools, and select Services.
Right-click the QACheck service you added in step one and select Properties.
On the General tab, set the Startup type as Manual.
On the Log On tab, set the account the service will use when running. You should use the QACheck user account as the service logon account.
Click OK and close the Services MMC.
Click Start, Run, in the Open box, type regedt32, and click OK.
Expand the following path in the Registry Editor: HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \QACheck
On the Edit menu, select Add Key.
In the Add Key dialog box, in the Key Name box, type Parameters and click OK.
Select the Parameters key, on the Edit menu select Add Value.
In the Add Value dialog box, in the Value Name box, type Application, in the Data Type box select REG_SZ and then click OK.
In the String Editor dialog box, type C:\ADMonitor\QA_Check.cmd and click OK.
Select the Parameters key, on the Edit menu select Add Value.
In the Add Value dialog box, in the Value Name box, type AppDirectory, in the Data Type box select REG_SZ and then click OK.
In the String Editor dialog box, type C:\ADMonitor and click OK.
After configuring the registry, to schedule the quality assurance script to run Monday through Friday, enter the following command at a command prompt:
```
at 5:00 /every:m,t,w,th,f "C:\ADMonitor\startqa.cmd" 
```

To schedule the script using AppManager:

Open the AppManager Operator Console.
Navigate to the NT tab in the KS pane (in the middle on the right side).
Drag the RunDOS KS to the server in the list pane on the left.
Configure the schedule to be daily at 11:00 P.M. Continue with step 5 before clicking OK.
Switch the Values tab. Enter C:\ADMonitor\QA_Check.cmd in the DOS Command or Script box. Click OK.

Monitoring the Staging Site

The above verification process should be repeated on a regular basis for the staging site. In addition, the process must be performed before the process for staging a new branch office domain controller is started.

Summary

You have now installed and configured the branch domain controller for the staging site, and you have verified connectivity with the hub site. You are now ready to begin the first phase of the staging of the branch domain controllers.