Operating System
Chapter 2
Building the Forest Root Domain and Central Hub Site
Deployment and Operations Guide
Abstract
This chapter outlines the steps required to create and monitor the forest root domain for the branch
office scenario. The central hub site will also be created for these services. After completing these
steps, the forest root required to support the Microsoft® Active Directory™ directory service for this
scenario will be in place. Additionally, procedures for monitoring will have been established.
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy
of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced,
stored in or introduced into a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other
intellectual property rights covering subject matter in this document. Except as
expressly provided in any written license agreement from Microsoft, the furnishing of
this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Windows, and Active Directory are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other
countries/regions.
Active Directory Branch Office Deployment and Operations Guide
CONTENTS
INTRODUCTION  1
    Resource Requirements  1
    What You Will Need  1
    What You Should Know  1
PROCESS FLOWCHART  2
DEPLOYMENT CONSIDERATIONS  3
    DNS Guidelines  3
TOPOLOGY OVERVIEW  6
INSTALL WINDOWS 2000 OPERATING SYSTEM AND SERVICES PACKS  7
    Operating System Setup  7
    Install DNS and Terminal Services on All Hub Servers  7
    Install Service Pack 2  8
INSTALL BRANCH OFFICE SHARE AND SCRIPTS  9
    Creating the Branch Office Scripts Source Share  9
    Install Quality Assurance Scripts on Hub Site Servers  10
    Install Other Monitoring Tools  10
    Install AppManager Agent  10
    Install Operations Manager agent  10
CONFIGURE TCP/IP SETTINGS  12
CREATE DNS ZONES  13
    Creating the Forest Root Zone on ROOT1  13
    Allowing Dynamic Updates to the Forest Root Zone  13
    Adding a Reverse Lookup Zone on ROOT1  13
CREATE THE FOREST ROOT DOMAIN CONTROLLERS  14
    Running DCPROMO on ROOT1  14
    Enabling Active Directory Integration of the Forest Root Zone and the Reverse Lookup Zone  14
    Configuring the _msdcs zone  15
    Verify ROOT1 Name Registration  15
    Verify DNS Name Resolution on ROOT2  15
    Running DCPROMO on ROOT2  16
    Verify the ROOT2 Name Registrations  16
    Verify DNS Name Resolution on ROOT3  17
    Running DCPROMO on ROOT3  17
    Verify the ROOT3 Name Registrations  17
    Update the Preferred DNS on ROOT1  18
    Move Domain Operations Master roles to ROOT2  18
CONFIGURE DNS FORWARDERS  19
    Configure Forwarders on ROOT1, ROOT2, and ROOT3  19
    Verify DNS Forwarding  19
PREPARE THE ACTIVE DIRECTORY FOREST FOR EXCHANGE 2000  21
    Prepare Active Directory Forest for Directory Enable Applications  21
CREATING THE HUB SITE  22
    Rename the Default-First-Site  22
    Add HUB Subnets to HUB Site  22
VERIFY THE ROOT DOMAIN CONFIGURATION  23
    Final Quality Assurance Check  23
    Schedule the Quality Assurance Check to Run Every Day  24
    Automating daily QA with NetIQ AppManager  24
SUMMARY  26
MORE INFORMATION  27
    Resource Centers on the Web  27
    White Papers  27
INTRODUCTION
This chapter outlines the steps required to create and monitor the forest root
domain for the Microsoft® Windows® 2000 Active Directory™ branch office
scenario. The steps in this chapter will guide you through the processes necessary
to build the forest root domain and Domain Name System (DNS) for corp.hay-buv.com.
After completing these steps, the infrastructure required to support and monitor the
root domain and DNS will be in place.
The planning of your Active Directory branch office architecture must be completed
prior to beginning the procedures in this chapter.
Resource Requirements
Individuals from the following teams will be required to participate during this phase
of the installation:
• Windows 2000 Active Directory Services Design Team
• Operations Team
• A representative from the network team that can provide DNS and other
network information.
What You Will Need
• Branch Office Download Zip file.
• Active Directory Architecture.
• Minimum of seven servers.
• Windows 2000 Server CD and Product Key.
• Windows 2000 Service Pack 2.
• Seven static TCP/IP Addresses.
• Administrator account and password.
• Enterprise administrator account and password.
What You Should Know
This walk-through assumes that you have a basic knowledge of Windows 2000,
Active Directory, and DNS. For a list of additional resources, see the "More
Information" section at the end of this document.
PROCESS FLOWCHART
[Flowchart: Chapter Two, "Building the Forest Root Domain and Central Hub Site." The chart shows the
following sequence: confirm that the requirements are in place (secure them if not); install Windows 2000
Server, SP2 and the Resource Kits on all hub site servers; create the branch office install share and files;
install DNS and Terminal Services; install the QA and monitoring scripts; configure TCP/IP settings; create
the forest root DNS domain and reverse lookup zone and enable DDNS; run DCPROMO on ROOT1 and enable
the Active Directory integrated zone for corp.hay-buv.com; verify ROOT1 name registration (restart the
Netlogon service if it fails); if there will be multiple DCs or a GC at a branch, configure _msdcs as an Active
Directory integrated zone; verify ROOT2 name resolution (verify IP settings if it fails), run DCPROMO on
ROOT2 and verify ROOT2 name registration (restart Netlogon if needed); repeat name resolution, DCPROMO
and name registration for ROOT3; update the preferred DNS server on ROOT1 to be ROOT2; move the RID, IM
and PDC FSMOs from ROOT1 to ROOT2; configure and verify forwarders; prepare the forest schema; rename
the Default-First-Site to HUB; run the final ROOT domain QA, resolving issues until it passes. End state:
ROOT domain complete and bridgehead servers have the operating system installed.]
DEPLOYMENT CONSIDERATIONS
The availability of DNS directly affects the availability of Active Directory. Clients
rely on DNS to find a domain controller, and domain controllers rely on DNS to find
other domain controllers. Even if you already have DNS servers deployed on your
network today, you might need to adjust the number and placement of servers to
meet the needs of your Active Directory branch office deployment.
For more information on best practices for planning the DNS and domain
namespace, see Chapter 2, "Structure Planning for Branch Office Environments" in
the Active Directory Branch Office Planning Guide.
The following sections provide guidelines for your DNS server configuration,
operations masters, and global catalog servers.
DNS Guidelines
The following are high-level design guidelines for DNS in the branch office scenario.
• As a general rule, place at least one DNS server in every site. The DNS servers
in the site should be authoritative for the locator records of the domains in the
site, so that clients do not need to query DNS servers offsite to locate domain
controllers that are in the site.
• Use Active Directory integrated DNS so that all DNS domains are represented
in the local site, to minimize WAN traffic to central DNS servers.
• Configure each forest root domain controller to point to other domain controllers
as the preferred and alternate DNS servers.
• Configure domain controllers for domains other than the forest root to use
themselves as their preferred DNS server. An alternate DNS server should also
be configured.
• Configure all DNS clients with a preferred DNS and alternate DNS server.
    • The preferred DNS server should be in the same site.
    • The alternate should be located in the central hub site.
• Some type of regular monitoring should be implemented to check on the health
and responsiveness of DNS. For example, NetIQ AppManager provides DNS
health checking in the form of monitoring for events, performance data, and
regular testing of DNS by doing actual lookups against the DNS servers. DNS
problems may take some time to manifest themselves, and any problems that
result may accumulate.
Hub Site
The following are design guidelines for the hub site in the branch office scenario.
• Place three root Active Directory servers for the branch domain (one global
catalog server and two domain controllers) with Active Directory integrated
DNS in the hub site.
• ROOT1 will be a global catalog server and host the Schema and Domain
Naming Master operations master roles. ROOT2 will be a domain controller
and host the relative identifier (RID) operations master, Primary Domain
Controller Emulator (PDC Emulator), and Infrastructure Master operations
master roles. ROOT3 will be a domain controller and serve as a standby
operations master server. All three will have Active Directory integrated DNS,
which will provide high availability of the forest root domain.
• They each point to another root server for preferred and alternate DNS to avoid
the "island" issue (see Chapter 2, "Structure Planning for Branch Office
Environments" in the Active Directory Branch Office Planning Guide for a
discussion of this issue).
• Configure these servers with root hints for Internet addresses.
• Configure forwarders for other enterprise domains where appropriate.
Branch Office Bridgehead Servers
The following are design guidelines for your branch office bridgehead servers.
• Branch office bridgehead domain controllers should also have Active Directory
integrated DNS.
• The number of bridgehead servers depends on the number of branch offices,
replication frequency and traffic, and so on. For more information, see
Chapter 3, "Planning Replication for Branch Office Environments" in the Active
Directory Branch Office Planning Guide.
• Configure each bridgehead server to point to itself as the preferred DNS
server; the alternate should be one of the other bridgehead servers.
• Configure forwarders to point to root zone DNS servers if there is not an
internal root.
Staging Site
The following are design guidelines for your staging site in the branch office
scenario. Place one domain controller in the staging site that will:
• Be the primary seed for building new domain controllers for the branches.
• Be a global catalog server.
• Be a member of the branch office domain.
• Point to itself as its primary DNS server, with its secondary DNS server being
one of the servers in the hub site.
• Have forwarders that point to root zone DNS servers if there is not an internal
root.
• Have its DNS server configured to not use recursion.
Branch Office Domain Controller (Branch Office Site)
The following are design guidelines for your branch office sites in the branch office
scenario.
• Configure each branch's primary DNS server to point to itself, and its alternate
to point to one of the bridgehead servers. Configure some branch domain
controllers to use the first hub/bridgehead server as their alternate, some the
second, and some the third, thus load balancing the distribution.
• Configure forwarders to point to root zone DNS servers if there is not an
internal root.
• Configure the DNS server to not use recursion.
Branch Office Clients
The following are design guidelines for your branch office clients.
• Clients point to the branch office Active Directory/DNS server as their primary
DNS server.
• Clients in the branch office have their secondary DNS server set to one of the
hub bridgehead servers, again distributing the load among the hub
bridgehead servers.
Placement of the Root Domain
The following are design guidelines for the placement of your root domain for the
branch office scenario.
• Domain controllers use the _msdcs.corp.hay-buv.com zone during replication.
It is recommended to have this zone on a local DNS server in the branch.
Having the _msdcs.corp.hay-buv.com zone on a local DNS server will allow
user queries for a global catalog server at logon to be local as well.
• If the branch office sites each have a single domain controller, the
_msdcs.corp.hay-buv.com domain should be a subdomain (it is set up this way
by default) that is part of the Active Directory integrated zone for the
corp.hay-buv.com domain.
• If there is a global catalog server or multiple domain controllers in the branch
office environment, the _msdcs.corp.hay-buv.com subdomain should be its own
Active Directory integrated zone in the root hub site. There should also be a
secondary zone on the branch office DNS servers in this situation. This
configuration will improve replication performance and reduce queries to the
central hub site over the WAN.
Reverse Lookup Zones
The following are design guidelines for your reverse lookup zones.
• Reverse lookup zones are required for DNS monitoring and troubleshooting. In
addition, some prior applications may require reverse lookup zones.
• Create a standard primary DNS dynamic update protocol reverse lookup zone
for each branch office site. Create a standard secondary zone, for each branch
office reverse lookup zone, on each of the root DNS servers in the hub site.
Secure Updates - Dynamic DNS
Each Active Directory integrated DNS zone should have Secure Dynamic Updates
enabled. Without secure updates enabled, anyone can delete, modify, or create
DNS records using a generic dynamic update protocol.
TOPOLOGY OVERVIEW
[Topology diagram: Branch Office Scenario, TCP/IP and DNS settings, FSMO role placement. Rendered
here as a table; P = preferred DNS server, A = alternate DNS server.]

Server  | Role (FSMO roles)            | Domain                    | IP address  | DNS P       | DNS A
ROOT1   | GC (SM, DNM FSMO roles)      | corp.hay-buv.com          | 10.10.1.1   | 10.10.1.2   | 10.10.1.3
ROOT2   | DC (IM, RID, PDC FSMO roles) | corp.hay-buv.com          | 10.10.1.2   | 10.10.1.1   | 10.10.1.3
ROOT3   | DC                           | corp.hay-buv.com          | 10.10.1.3   | 10.10.1.1   | 10.10.1.2
HUBDC1  | DC (IM, RID, PDC FSMO roles) | branches.corp.hay-buv.com | 10.10.20.99 | 10.10.20.99 | 10.10.20.1
BH1     | GC                           | branches.corp.hay-buv.com | 10.10.20.1  | 10.10.20.1  | 10.10.20.2
BH2     | GC                           | branches.corp.hay-buv.com | 10.10.20.2  | 10.10.20.2  | 10.10.20.1
BH3     | GC                           | branches.corp.hay-buv.com | 10.10.20.3  | 10.10.20.3  | 10.10.20.1
Staging | GC                           | branches.corp.hay-buv.com | 10.10.30.1  | 10.10.30.1  | 10.10.20.1
BODC1   | DC                           | branches.corp.hay-buv.com | 10.10.21.1  | 10.10.21.1  | 10.10.20.1
BODC2   | DC                           | branches.corp.hay-buv.com | 10.10.22.1  | 10.10.22.1  | 10.10.20.2
BODC3   | DC                           | branches.corp.hay-buv.com | 10.10.23.1  | 10.10.23.1  | 10.10.20.3
BODC4   | DC                           | branches.corp.hay-buv.com | 10.10.24.1  | 10.10.24.1  | 10.10.20.1
BODC5   | DC                           | branches.corp.hay-buv.com | 10.10.25.1  | 10.10.25.1  | 10.10.20.2

Sites: Site-HUB (ROOT1, ROOT2, ROOT3, HUBDC1, BH1, BH2, BH3); Site-Stage (Staging);
Site-Branch1 through Site-Branch5 (BODC1 through BODC5, one per branch office).
All branch office domain controllers are part of the branches.corp.hay-buv.com domain.
The procedures in this guide will walk you through setting up the six networks
depicted in the above topology.
The TCP/IP addresses above represent the final configuration. The DNS settings
configured during server installation are different from those shown in the above
diagram, in particular the preferred DNS server and alternate DNS server. After
installation, the DNS settings are configured to use the IP addresses shown in the
above diagram. Therefore, the procedures should be followed carefully.
Note: This walk-through assumes that a unique dedicated subnet will be assigned to each site. If this
scenario will be set up in a lab environment, when creating the sites and subnets for the branch offices
either through the Active Directory Sites and Services Microsoft Management Console (MMC) or the
script included with this guide, use a subnet mask of 255.255.255.255. Doing so will cause each IP
address to be a subnet for each site in Active Directory. This will allow you to emulate a routed
network without having to use hardware routers.
INSTALL WINDOWS 2000 OPERATING SYSTEM AND SERVICES PACKS
Use the following steps to install Windows 2000, and recent service packs on the
seven or more servers that will be in your hub site. These steps should be followed
to configure the base operating system components in advance on all seven hub
site servers for this scenario.
Follow the instructions carefully to ensure proper setup of each server in the
scenario.
Note: As you perform the procedures in this chapter, you should document the configuration of the
servers in the Hub Site Checklist.xls job aid included with this guide.
Operating System Setup
To install Windows 2000:
1. Install Microsoft Windows 2000 Server on all servers.
2. Install the Windows 2000 Support Tools from the Windows 2000 Server CD by
using either 2000RKST.MSI or Setup.exe in the SUPPORT\TOOLS directory on
the Windows 2000 CD.
3. Install the Windows 2000 Server Resource Kit utilities from the CD included with
the resource kit.
4. Install Active Perl from the Microsoft Windows 2000 Resource Kit.
Note: The installation of the Support Tools and the Microsoft Windows 2000 Resource Kit can be
automated by directly launching the .msi file for each with the /qb switch.
Install DNS and Terminal Services on All Hub Servers
To install DNS and Terminal Services:
1. Click Start, Settings, Control Panel, Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Scroll down to Networking Services. Don't select the checkbox; instead,
highlight the words. (This simplifies the next steps where you select only a few of
the Networking Services. Selecting the checkbox results in selecting all
Networking Services, and means you will have to deselect a large number of
checkboxes under Details.)
4. Click Details.
5. Click on the checkbox by Domain Name System (DNS).
6. Click OK.
7. Scroll down to Terminal Services and select the checkbox to install Terminal
Services.
8. Click Next.
9. Select Remote administration mode when the Terminal Services Setup
Window appears and then click Next.
10. If prompted, insert the Windows 2000 Server CD, or use a network share to
access the Windows 2000 Server files.
11. Click Finish.
12. Close the Add/Remove Programs window.
13. Close the Control Panel window.
14. Reboot as prompted.
Install Service Pack 2
1. Install Service Pack 2.
2. When the service pack is installed, click Start, Shut Down, select Restart, and
click OK.
Very Important: Repeat the above procedures for each of the seven servers in the hub site. If, during
the planning process, you determined that your hub site requires more than three bridgehead servers,
repeat the above procedures the appropriate number of times to install all of your bridgehead servers.
After completing the above procedures you should have the following servers
installed:
• ROOT1
• ROOT2
• ROOT3
• HUBDC1
• BH1
• BH2
• BH3
INSTALL BRANCH OFFICE SHARE AND SCRIPTS
A share needs to be established on HUBDC1 that will be used for configuring all of
your domain controllers in the hub site. In addition, these files will be copied to the
staging site branch domain controller to be used for staging branch office domain
controllers.
Creating the Branch Office Scripts Source Share
This procedure only needs to be completed on the HUBDC1 server. To create the
branch office scripts source share:
1. Log on to Hubdc1 as Administrator.
2. Create a directory named C:\ADBRANCH on HUBDC1 and share the directory
as ADBranch.
3. Create a directory named C:\QASHARE on HUBDC1 and share the directory as
QAShare.
4. Unzip the contents of the Branch Office Zip file included with this guide, into the
ADBRANCH directory.
5. You will have the following subdirectory structure on the HUBDC1 C:\ drive when
these steps are completed:
Directory                    | Description
C:\ADBRANCH\                 | Placeholder for branch office download files. (Only resides on HUBDC1)
C:\ADBRANCH\HUB              | Scripts for configuration in the hub site. (Only resides on HUBDC1)
C:\ADBRANCH\ADMONITOR        | Monitoring and QA scripts. (This directory is copied to each new server,
                             | including HUBDC1)
C:\ADBRANCH\BRANCHDC         | Placeholder for branch office domain controller install files. (The contents
                             | of this directory are copied to the staging server's C:\BRANCHDC directory
                             | and used for staging new branch office domain controllers.)
C:\ADBRANCH\BRANCHDC\DNS     | DNS forwarder input files for load balancing.
C:\ADBRANCH\BRANCHDC\MKDSX   | Automated connection object management script.
C:\QASHARE                   | QA result files from branch office domain controllers are consolidated here
                             | for monitoring and reporting. (Only resides on HUBDC1)
Install Quality Assurance Scripts on Hub Site Servers
The quality assurance scripts must be installed on all servers in the hub site. To
install the scripts:
1. Log on to the server as Administrator.
2. Start a command prompt.
3. Use the following command to copy the quality assurance scripts to the server:
robocopy \\<servername>\ADBranch\ADMonitor C:\ADMonitor /e
Where <servername> is the name of the HUBDC1 server that has the
ADBranch share.
4. Repeat this process on each of the servers in your hub site, including HUBDC1.
Install Other Monitoring Tools
If you are using the NetIQ AppManager or Operations Manager tools, the following
procedures can be used to install the agents. If you are using another third party
monitoring tool, this is the stage at which you should install the tool.
Install AppManager Agent
To install the AppManager Agent:
1. Insert the AppManager compact disc and run Setup.exe.
2. Select Next, select Install AppManager, and click Next again.
3. Select the target directory for the agent and click Next.
4. Be sure that only AppManager Agent is checked and click Next.
5. Check boxes of the services that are on the machine and click Next.
6. Uncheck Authorized Management Server* and click Next.
7. Enter the name of the NetIQ AppManager Management Server and click Next.
8. If the AppManager Management Server isn’t online, you will be prompted to retry
or skip discovery. You can run discovery later from the Management Server, so
click No. If the Management Server is installed and available, you will not get this
prompt.
9. Replace the asterisk with the name of the Management Server and click Next.
10. Click Next when prompted for DAO/ODBC. Installation of the agent will proceed.
11. Click Yes when asked if you want to append the NetIQ install path to the system
path.
Install Operations Manager agent
To install the Operations Manager agent:
1. Insert the Operations Manager compact disc and run Setup.exe.
2. Click Manual Agent Setup.
3. Click Next.
4. Select the destination directory for the agent and click Next.
5. Enter the name of the Configuration group of which the agent is a member and
click Next. Refer to the NetIQ Operations Manager installation documentation
for an explanation of Configuration groups.
6. Enter the name of the Consolidator computer for this Configuration group. If the
Consolidator has not been built, you will get a warning indicating that the
consolidator version could not be verified. If the Consolidator has already been
built, this indicates a problem connecting to the Consolidator computer. If the
Consolidator has yet to be staged, click Next.
7. Select Full for the Agent Manager control level and click Next.
8. When the file copy is done, click Finish to complete the agent installation.
CONFIGURE TCP/IP SETTINGS
This section describes the necessary steps for configuring TCP/IP on each of the
servers in the hub site. This procedure is designed for you to start configuring the
TCP/IP settings on ROOT1 and then repeat the procedure for the rest of the servers
in your hub site, using the correct IP address settings for the other servers.
To configure TCP/IP:
1. Log on to ROOT1 as Administrator.
2. From the desktop, right-click on the My Network Places icon.
3. Select Properties.
4. Right-click on the Local Area Connection icon.
5. Select Properties.
6. Select Internet Protocol (TCP/IP).
7. Click Properties.
8. Enter the following parameters.
IP address: 10.10.1.1
Subnet mask: 255.255.0.0
Default gateway: 10.10.1.1
Preferred DNS Server: 10.10.1.1
Alternate DNS Server: 10.10.1.3
This preferred DNS server IP is temporary. The preferred DNS server will be
set to ROOT2 after ROOT2 is configured as a domain controller with Active
Directory integrated DNS.
9. Click OK.
10. Click OK.
11. Close the Network and Dial-up Connections window.
Note: Repeat the above steps for each server in the hub site, using the TCP/IP settings in the
topology diagram at the beginning of this chapter. For the default gateway, you can use 10.10.1.1 for
all servers if you are creating the sample topology.
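The DNS guidelines earlier in this chapter, the topology diagram, and the interim setting in step 8 above can be checked mechanically. The following script is an added example, not one of the guide's scripts: it encodes the chapter's DNS client rules (root DCs never point at themselves, other DCs point at themselves first, branch alternates spread across the bridgeheads) and checks the final topology and the interim ROOT1 setting against them. Server names and addresses are taken from the topology diagram; the role labels and the rule encoding are assumptions of this edit.

```python
"""Check DNS client settings against the chapter's guidelines.

Rules encoded (from the DNS Guidelines and Hub Site sections):
  * forest root DCs: preferred and alternate DNS are *other* root DCs
    (never themselves) to avoid the "island" issue;
  * bridgeheads: preferred is itself, alternate is another bridgehead;
  * staging DC and HUBDC1: preferred is itself, alternate is a hub server;
  * branch DCs: preferred is itself, alternate is a hub bridgehead, with the
    alternates spread evenly across the bridgeheads;
  * every DNS server referenced must be one of the AD-integrated DNS hosts.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Server:
    name: str
    role: str              # root | hubdc | bridgehead | staging | branch
    ip: str
    preferred: str         # preferred DNS server
    alternate: Optional[str]


# Final settings as given in the chapter's topology diagram.
FINAL_TOPOLOGY = [
    Server("ROOT1", "root", "10.10.1.1", "10.10.1.2", "10.10.1.3"),
    Server("ROOT2", "root", "10.10.1.2", "10.10.1.1", "10.10.1.3"),
    Server("ROOT3", "root", "10.10.1.3", "10.10.1.1", "10.10.1.2"),
    Server("HUBDC1", "hubdc", "10.10.20.99", "10.10.20.99", "10.10.20.1"),
    Server("BH1", "bridgehead", "10.10.20.1", "10.10.20.1", "10.10.20.2"),
    Server("BH2", "bridgehead", "10.10.20.2", "10.10.20.2", "10.10.20.1"),
    Server("BH3", "bridgehead", "10.10.20.3", "10.10.20.3", "10.10.20.1"),
    Server("Staging", "staging", "10.10.30.1", "10.10.30.1", "10.10.20.1"),
    Server("BODC1", "branch", "10.10.21.1", "10.10.21.1", "10.10.20.1"),
    Server("BODC2", "branch", "10.10.22.1", "10.10.22.1", "10.10.20.2"),
    Server("BODC3", "branch", "10.10.23.1", "10.10.23.1", "10.10.20.3"),
    Server("BODC4", "branch", "10.10.24.1", "10.10.24.1", "10.10.20.1"),
    Server("BODC5", "branch", "10.10.25.1", "10.10.25.1", "10.10.20.2"),
]

# ROOT1 as set during the TCP/IP procedure, before ROOT2 is a DC with
# AD-integrated DNS (the temporary preferred server is ROOT1 itself).
INTERIM_ROOT1 = Server("ROOT1", "root", "10.10.1.1", "10.10.1.1", "10.10.1.3")


def check_topology(servers: List[Server]) -> List[str]:
    """Return a list of guideline violations (empty when every rule holds)."""
    known = {s.ip for s in servers}
    roots = {s.ip for s in servers if s.role == "root"}
    bridgeheads = {s.ip for s in servers if s.role == "bridgehead"}
    hub = roots | bridgeheads | {s.ip for s in servers if s.role == "hubdc"}
    findings: List[str] = []

    for s in servers:
        pair = (("preferred", s.preferred), ("alternate", s.alternate))
        for label, dns in pair:
            if dns is not None and dns not in known:
                findings.append(f"{s.name}: {label} DNS {dns} is not an AD-integrated DNS host")
        if s.alternate is None:
            findings.append(f"{s.name}: no alternate DNS server configured")

        if s.role == "root":
            # Root DCs must rely on *other* root DCs, never on themselves.
            for label, dns in pair:
                if dns == s.ip:
                    findings.append(f"{s.name}: {label} DNS is itself (island issue; point at another root DC)")
                elif dns is not None and dns not in roots:
                    findings.append(f"{s.name}: {label} DNS {dns} is not a forest root DC")
            continue

        # Every other DC points at itself first.
        if s.preferred != s.ip:
            findings.append(f"{s.name}: preferred DNS should be itself ({s.ip})")
        if s.alternate is None:
            continue
        if s.role == "bridgehead" and s.alternate not in bridgeheads - {s.ip}:
            findings.append(f"{s.name}: alternate DNS should be another bridgehead")
        elif s.role == "branch" and s.alternate not in bridgeheads:
            findings.append(f"{s.name}: alternate DNS should be a hub bridgehead")
        elif s.role in ("staging", "hubdc") and s.alternate not in hub - {s.ip}:
            findings.append(f"{s.name}: alternate DNS should be a hub site server")

    # Branch alternates must be spread across the bridgeheads (load balancing).
    load = Counter({ip: 0 for ip in bridgeheads})
    load.update(s.alternate for s in servers if s.role == "branch" and s.alternate)
    if load and max(load.values()) - min(load.values()) > 1:
        findings.append(f"branch alternate DNS load is uneven across bridgeheads: {dict(load)}")
    return findings


if __name__ == "__main__":
    for label, topo in (("final", FINAL_TOPOLOGY),
                        ("interim", [INTERIM_ROOT1] + FINAL_TOPOLOGY[1:])):
        problems = check_topology(topo)
        print(f"{label} topology: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the interim list it reports only the ROOT1 island finding, which is exactly the condition the later "Update the Preferred DNS on ROOT1" step removes.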
CREATE DNS ZONES
Note: The rest of the procedures in this chapter are performed on only the three root servers. The
remaining configuration for the bridgehead servers is performed in Chapter 3, "Building the Branch
Office Domain and Bridgehead Servers."
Now that your hub site servers are installed and TCP/IP is configured, the next step
in preparing your hub site is to create your forest root and reverse lookup DNS
zones.
Creating the Forest Root Zone on ROOT1
To create the forest root zone:
1. Click Start, Programs, Administrative Tools, DNS.
2. Select, then right-click on the ROOT1 server icon.
3. Select New Zone.
4. Click Next.
5. Select Standard primary and click Next.
6. Select Forward lookup zone and click Next.
7. Enter corp.hay-buv.com as the name of the zone. (Substitute the name of your
domain for corp.hay-buv.com throughout the rest of the deployment
instructions.)
8. Click Next.
9. Click Next to accept the creation of the new zone file.
10. Click Finish.
Allowing Dynamic Updates to the Forest Root Zone
To configure the forest root zone to allow dynamic updates:
1. In the DNS console, expand the ROOT1 server icon.
2. Expand the Forward Lookup Zones folder.
3. Select, then right-click the corp.hay-buv.com zone and select Properties.
4. In the Allow Dynamic Updates dropdown box, select Yes.
5. Click OK.
Adding a Reverse Lookup Zone on ROOT1
To configure the reverse lookup zone:
1. In the DNS console, expand the ROOT1 server icon.
2. Select, then right-click on Reverse Lookup Zones and select New Zone.
3. Click Next.
4. Click Next.
5. Enter the IP address range for the zone, which in our example environment is
10.x.x.x. Work with the network team to verify the reverse lookup zone IP
range. For this example scenario, entering 10 in the first octet will work.
6. Click Next.
7. Click Finish.
8. Close the DNS console.
CREATE THE FOREST ROOT DOMAIN CONTROLLERS
After creating the DNS forest root and reverse lookup DNS zones, you can now
promote your three root servers to be domain controllers. After promoting the first
server, you will change the forward lookup zone to be Active Directory integrated.
Before continuing with the rest of the root servers, it is important to verify that the
first server completed successfully.
Note: The Active Directory Installation Wizard (Dcpromo.exe) steps in this guide assume the Active
Directory database and log files, as well as SYSVOL, will all be stored on the same physical disk. If
you have multiple physical disks in your servers and wish to place these files on different physical
disks, modify the location of these files as appropriate for your environment.
Running DCPROMO on ROOT1
To promote the ROOT1 server:
1. Click Start, Run, type dcpromo and then click OK.
2. Click Next.
3. Select Domain controller for a new domain and then click Next.
4. Select Create a new domain tree and then click Next.
5. Select Create a new forest of domain trees and then click Next.
6. Type your root domain name in the Full DNS name for new domain box and
then click Next. In the example used in this guide, the root domain name is
corp.hay-buv.com.
7. Click Next to accept the default Domain NETBIOS name.
8. Click Next to accept the default locations for the database and log files if you
have only a single physical disk. Otherwise, specify the desired location for the
files.
9. Click Next to accept the default SYSVOL folder location.
10. Click OK.
11. Select No, I will install and configure DNS myself and then click Next.
12. Click Next to accept the default of Permissions compatible with pre-Windows
2000 servers.
13. Enter a Directory Services Restore Mode Administrator password and then click
Next.
14. Review the settings and then click Next to begin the Active Directory Installation
Wizard (dcpromo.exe) configuration process.
15. Click Finish.
16. Click Restart Now when prompted.
Enabling Active Directory Integration of the Forest Root
Zone and the Reverse Lookup Zone
To enable Active Directory integration for the forest root zone and reverse lookup
zone:
1. Click Start, Programs, Administrative Tools, DNS.
2. Expand the ROOT1 server icon.
3. Expand the Forward Lookup Zones folder.
4. Select, then right-click the corp.hay-buv.com zone and select Properties.
5. Click Change, to change the zone type.
6. Select Active Directory-integrated.
7. Click OK.
8. Click OK to confirm change of the zone type.
9. Click OK.
10. Expand the Reverse Lookup Zone folder.
11. Right-click the IP address range for the zone, which in our example environment
is 10.x.x.x, and select Properties.
12. Select Change, to change the zone type.
13. Select Active Directory-integrated.
14. Click OK.
15. Click OK to confirm change of the zone type.
16. Click OK.
Configuring the _msdcs zone
If you are planning to deploy a global catalog server or multiple domain controllers
to the branch offices, the _msdcs.corp.hay-buv.com zone should be configured as a
separate Active Directory integrated zone. This zone will be configured as a
secondary zone on the DNS servers at the branches with multiple domain
controllers or a global catalog server.
This scenario assumes that there is a single domain controller at each branch.
Therefore, this configuration is not required, and the _msdcs.corp.hay-buv.com
zone will be left as a subdomain of the corp.hay-buv.com zone file.
Verify ROOT1 Name Registration
To verify ROOT1:
1. In the DNS console, expand ROOT1, expand Forward Lookup Zones, and
then expand the corp.hay-buv.com domain and verify that the _msdcs, _sites,
_tcp, _udp subdomains are registered under the corp.hay-buv.com forward
lookup zone.
2. If the _msdcs, _sites, _tcp, _udp subdomains are not visible in DNS, stop and
restart the NETLOGON service to initiate the registration of the records. Start a
command prompt and type in the net stop netlogon and net start netlogon
commands. Repeat step 1 to verify the subdomains are registered.
Verify DNS Name Resolution on ROOT2
After verifying the first domain controller, use the following steps to verify DNS
name resolution on the second server.
1. Log on to ROOT2 as Administrator.
2. On ROOT2, open a command prompt.
3. Type nslookup corp.hay-buv.com and press ENTER. You should see the
following result:
C:\>nslookup corp.hay-buv.com
Server: root1.corp.hay-buv.com
Address: 10.10.1.1
Name: corp.hay-buv.com
Address: 10.10.1.1
If you do not see successful name resolution, which is the second set of information
in the response, check the IP settings on ROOT2 to verify it has 10.10.1.1 (ROOT1)
as its preferred DNS server. Nslookup first tells you which server is providing the
Nslookup response, and then provides the information found. Verify DNS records
on ROOT1’s DNS server by examining the records in the DNS MMC forward lookup
zone for corp.hay-buv.com. Do not proceed until DNS is working properly. For more
information on Nslookup, refer to Online Help, and the Windows 2000 Resource Kit
volume “TCP/IP Core Networking Guide.”
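The distinction the guide draws above, between the server that answered and the
record that was found, is easy to automate. The following is an added example, not
part of the guide: a small parser for the Windows nslookup output shown above that
reports whether ROOT1 (10.10.1.1) answered and whether the zone name resolved.
The two sample responses are constructed, as is the failure text, and the same check
applies unchanged to the ROOT3 and forwarder verifications later in this chapter.

```python
import re

# Constructed sample: the response the guide expects on ROOT2.
EXPECTED_OUTPUT = """\
C:\\>nslookup corp.hay-buv.com
Server:  root1.corp.hay-buv.com
Address:  10.10.1.1

Name:    corp.hay-buv.com
Address:  10.10.1.1
"""

# Constructed sample: ROOT2 pointed at itself before its zone has replicated.
FAILED_OUTPUT = """\
C:\\>nslookup corp.hay-buv.com
Server:  root2.corp.hay-buv.com
Address:  10.10.1.2

*** root2.corp.hay-buv.com can't find corp.hay-buv.com: Non-existent domain
"""

FIELD_RE = re.compile(r"(Server|Address(?:es)?|Name):\s*(.*)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_nslookup(text):
    """Split nslookup output into the answering-server block and the answer block.

    nslookup prints the server that answered first (Server/Address), then the
    records it found (Name/Address or Addresses). Error lines begin with '***'.
    """
    result = {"server": None, "server_address": None,
              "name": None, "addresses": [], "error": None}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("***"):
            result["error"] = line
            continue
        if in_answer and IPV4_RE.fullmatch(line):
            result["addresses"].append(line)     # continuation line of Addresses:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                             # prompt, blank, "Non-authoritative answer:"
        key, value = m.group(1), m.group(2).strip()
        if key == "Server":
            result["server"] = value
        elif key == "Name":
            result["name"] = value
            in_answer = True
        elif in_answer:
            result["addresses"].extend(v.strip() for v in value.split(",") if v.strip())
        else:
            result["server_address"] = value
    return result


def verify_resolution(text, expected_dns="10.10.1.1", zone="corp.hay-buv.com"):
    """Return (ok, reason). ok only when the prescribed preferred DNS server
    answered and the zone resolved to at least one address."""
    r = parse_nslookup(text)
    if r["server_address"] != expected_dns:
        return False, "answered by %s, expected %s: check the preferred DNS server" % (
            r["server_address"], expected_dns)
    if r["error"] or r["name"] != zone or not r["addresses"]:
        return False, r["error"] or "no answer for %s: check the forward lookup zone" % zone
    return True, "%s -> %s via %s" % (zone, ", ".join(r["addresses"]), r["server"])
```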
Running DCPROMO on ROOT2
After verifying DNS name resolution for ROOT2, use the following steps to promote
the server to a domain controller:
1. Click Start, Run, type dcpromo and press ENTER.
2. Click Next.
3. Select Additional domain controller for an existing domain and then click
Next.
4. Enter the Enterprise Administrator credentials for the corp.hay-buv.com
domain, enter corp.hay-buv.com as the domain name, and then click Next.
5. Enter corp.hay-buv.com as the Domain name and then click Next.
6. Click Next to accept the default locations for the database and log files if you
have only a single physical disk. Otherwise, specify the desired file location.
7. Click Next to accept the default SYSVOL folder location.
8. Enter the Directory Services Restore Mode Administrator Password for this
server and click Next.
9. Review the settings and then click Next to begin the Active Directory
Installation Wizard (Dcpromo.exe) configuration process.
10. Click Finish.
11. Click Restart Now when prompted.
Verify the ROOT2 Name Registrations
To verify ROOT2:
1. After restarting, log on as Administrator.
2. Click Start, Programs, Administrative Tools, DNS. Expand the
corp.hay-buv.com domain and verify that records for the new domain controller are
visible in the _msdcs, _sites, _tcp, _udp subdomains registered under the
corp.hay-buv.com Forward Lookup zone. If they are not visible in DNS,
restarting NETLOGON will initiate the registration of the records.
3. Verify that the Reverse Lookup zone has replicated.
Verify DNS Name Resolution on ROOT3
To verify DNS name resolution on the third root server:
1. Log on to ROOT3 as Administrator.
2. On ROOT3, open a command prompt.
3. Type nslookup corp.hay-buv.com and press ENTER. You should see the
following result:
C:\>nslookup corp.hay-buv.com
Server: root1.corp.hay-buv.com
Address: 10.10.1.1
Name: corp.hay-buv.com
Address: 10.10.1.1
If you do not see successful name resolution, check the IP settings on ROOT3 to
verify that it has 10.10.1.1 (ROOT1) as its preferred DNS server. Verify DNS
records on ROOT1’s DNS server. Do not proceed until DNS is working properly.
Running DCPROMO on ROOT3
To promote the third root server to a domain controller:
1. Click Start, Run, type dcpromo and press ENTER.
2. Click Next.
3. Select Additional domain controller for an existing domain and then click
Next.
4. Enter the Enterprise Administrator credentials for the corp.hay-buv.com
domain, enter corp.hay-buv.com as the domain name, and then click Next.
5. Enter corp.hay-buv.com as the Domain name and then click Next.
6. Click Next to accept the default locations for the database and log files if you
have only a single physical disk. Otherwise, specify the desired file location.
7. Click Next to accept the default SYSVOL folder location.
8. Enter the Directory Services Restore Mode Administrator Password for this
server and click Next.
9. Review the settings and then click Next to begin the Active Directory
Installation Wizard (Dcpromo.exe) configuration process.
10. Click Finish.
11. Click Restart Now when prompted.
Verify the ROOT3 Name Registrations
To verify ROOT3:
1. After restarting, log on as Administrator.
2. Click Start, Programs, Administrative Tools, DNS.
3. Expand the corp.hay-buv.com domain and verify that records for the new
domain controller are visible in the _msdcs, _sites, _tcp, _udp subdomains
registered under the corp.hay-buv.com forward lookup zone. If they are not
visible in DNS, restarting NETLOGON will initiate the registration of the records.
4. Verify that the Reverse Lookup zone has replicated.
Update the Preferred DNS on ROOT1
Now that the other domain controllers in the root domain have been created and
verified, it is necessary to change the Preferred DNS server for the first server,
ROOT1. None of the root servers should use themselves as their Preferred DNS
server in order to avoid the potential for the “island issue” described in Chapter 2,
"Structure Planning for Active Directory Branch Office Environments" of the Active
Directory Branch Office Planning Guide.
1. On ROOT1, right-click on the My Network Places icon on the desktop and
select Properties.
2. Right-click on the Local Area Connection icon (on a multi-homed server,
rename each adapter for ease of identification and management) and select
Properties.
3. Select Internet Protocol (TCP/IP) and then click Properties.
4. Change the Preferred DNS server from 10.10.1.1 to 10.10.1.2.
5. Click OK.
6. Click OK.
7. Close the Network and Dial-up Connections window.
Move Domain Operations Master roles to ROOT2
ROOT1 is a Global Catalog server, on which it is not recommended to also have the
RID Master, PDC Emulator, or Infrastructure Master operations master roles.
Therefore, this procedure provides the steps necessary to move the roles to
ROOT2.
To move the operations master roles to ROOT2:
1. Start Active Directory Users and Computers.
2. Right-click the top of the Active Directory Users and Computers tree.
3. Select Connect to Domain Controller.
4. Select ROOT2 from the list and click OK.
5. Right-click on the corp.hay-buv.com domain and select Operations Masters.
6. The RID Master role appears by default; click Change.
7. Click Yes to confirm the transfer.
8. Click OK.
9. Repeat the above steps for the PDC Emulator and Infrastructure Master
operations masters.
CONFIGURE DNS FORWARDERS
In standalone networks, the DNS server will automatically assume it has root
authority, which means it will assume there are no other DNS servers that have
greater authority. To add DNS forwarding, you need to delete the root DNS zone
and add DNS Forwarder addresses.
Configure Forwarders on ROOT1, ROOT2, and ROOT3
To configure DNS Forwarders on the root servers:
1. Log on to ROOT1.
2. Click Start, Programs, Administrative Tools, DNS.
3. Right-click the “.” folder under the Forward Lookup Zones folder and click
Delete. This is the root DNS zone.
4. Right-click the DNS Server name (ROOT1) and click Refresh.
5. Right-click the DNS Server name again and click Properties.
6. Click the Forwarders tab and check the Enable forwarders check box.
7. Enter the IP addresses of the external DNS servers (primary and alternate) for
hay-buv.com. These addresses should be obtained from your corporate network
team.
8. Click OK.
9. Repeat these steps on the ROOT2 and ROOT3 domain controllers.
Note: It is not necessary to delete the “.” root domain on ROOT2 and ROOT3 as it was deleted on
ROOT1 and the change will replicate to the other servers. You can use Active Directory Sites and
Services MMC to force replication, or wait about 15 minutes for replication to complete.
Verify DNS Forwarding
To verify the DNS Forwarder configuration:
1. Wait at least 15 minutes.
2. On ROOT1, start a command prompt.
3. Type nslookup <somedomain.xyz> and press ENTER. <Somedomain.xyz>
should represent an internal or external domain that the forwarders should be
able to resolve. You should see the following result:
C:\>nslookup domain.com
Name: somedomain.xyz
Addresses: x.x.x.x
4. Verify the DNS Forwarder IP addresses are correct if you do not see a
successful resolution from the forwarders. You may also want to verify the
domain name you used for your test.
If you are still having trouble, make sure that network routing is working
correctly. Check the Routing and Remote Access settings or other network
router settings to ensure servers can PING each other.
Do not proceed until the servers can communicate and DNS is working
properly.
5. Repeat steps 2 and 3 on all of the root servers.
PREPARE THE ACTIVE DIRECTORY FOREST FOR EXCHANGE 2000
Exchange 2000 has a number of infrastructure requirements and dependencies to
meet when planning an upgrade or deployment. The first phase of the Exchange
upgrade is small but important for the Active Directory administrator.
Two processes need to be completed before Exchange 2000 can be installed on a
server in the forest:
- The Active Directory schema must be updated at the root domain.
- Appropriate permissions must be assigned.
Exchange 2000 Setup is designed to allow these two processes to be executed
separately from the installation or upgrade of a server. The utility ForestPrep is run
to apply schema changes and DomainPrep is run to set appropriate permissions.
Keep in mind that ForestPrep tags attributes in the schema for replication to the
global catalog. This change causes all global catalogs to set their Update Sequence
Numbers to zero. As a result, all objects (not just the changed property) in Active
Directory must replicate to each Global Catalog server. Running ForestPrep early in
the deployment will reduce the replication required for this change.
DomainPrep can be run at any time prior to deploying your first Exchange 2000
server.
It is recommended that ForestPrep be run at this time if Exchange 2000 will be
deployed at some point in the future. Using an account that is a member of the
Enterprise Administrators group, either at the command prompt, or by clicking Start
and pointing to Run, type x:\setup\i386\setup /forestprep, where x: is the drive
letter of your CD-ROM drive, with the Exchange 2000 CD in the CD-ROM drive.
Prepare the Active Directory Forest for Directory-Enabled Applications
It is recommended to implement schema extensions or changes for directory-enabled
applications as soon as possible when deploying Active Directory. Use LDIFDE or
ADSI to implement these now. You must use an account that is a member of the
Enterprise Administrators group for these operations. Deploying extensions early
will reduce replication and network utilization.
CREATING THE HUB SITE
To make it easier to create your hub and spoke topology, and to simplify
administration of your branch office environment, you should rename the
Default-First-Site. The three root domain controllers you created in this chapter
were automatically placed in the Default-First-Site. The procedures in this section
guide you through renaming the Default-First-Site to Hub and creating the correct
subnets for the hub site.
Rename the Default-First-Site
To rename the site:
1. Start Active Directory Sites and Services.
2. Expand Sites.
3. Right-click on Default-First-Site-Name and select Rename.
4. Type Hub.
5. Right-click the Subnets folder and select New Subnet.
6. Enter the network address and subnet mask associated with the hub site.
7. Select the Hub site.
8. Click OK.
Add HUB Subnets to HUB Site
To add the subnets to the site:
1. In Active Directory Sites and Services, right-click the Subnets folder and
select New Subnet.
2. Enter the address and subnet masks associated with the hub site. In this branch
office scenario, the following subnets should be entered:
10.10.1.0 255.255.0.0
10.10.20.0 255.255.0.0
3. Select the Hub site.
4. Click OK.
5. Close Active Directory Sites and Services.
VERIFY THE ROOT DOMAIN CONFIGURATION
Now that all of your root servers are installed and configured, it is extremely
important to verify them before continuing the process of creating your Active
Directory branch office environment. If problems exist with your root servers and
you continue without first correcting them, the problems are very likely to be
compounded. It is much easier to correct any problems at this stage than to
potentially let them propagate throughout your environment.
Directory and File Replication Service (FRS) replication can take up to 20 minutes
to complete. Therefore, wait at least 30 minutes before performing the procedure in
this section. Erroneous events may appear in the event log during this initial startup
period.
It is also very important to continue to monitor the health of your root servers. The
final procedure shows how to schedule the quality assurance script to run daily on
your root servers.
Final Quality Assurance Check
To perform the final quality assurance check:
1. Wait at least 30 minutes.
2. Log on as Administrator.
3. Clear the event logs on all servers.
4. Start a command prompt and change to the C:\ADMonitor folder.
5. Start the QA_Check.cmd script.
6. After the script completes change to the C:\ADResults folder.
7. Use Notepad to open the Ds_showreps.txt file in this folder.
8. Examine the file to ensure that replication has occurred. For example, you should
see entries such as the following that indicate the replication was successful.
CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=com
HUB\ROOT1 via RPC
objectGuid: f99e17ed-3b03-4b3e-afa8-2c1e738ddc4d
Last attempt @ 2000-12-02 07:09.44 was successful.
9. If the Ds_showreps.txt file does not have a "last attempt was successful" line for
each naming context, restart this procedure at step 1.
10. If the Ds_showreps.txt file indicates that replication was unsuccessful for any of
the naming contexts, troubleshoot and resolve the problem before continuing.
See Chapter 11, Troubleshooting Guidelines for Branch Office Environments, of
this guide for more information on troubleshooting errors.
11. Change to the C:\ADResults\<computername> folder.
12. Use Notepad to open the text file in this folder.
13. Examine the file to ensure that there were no errors reported. If there are any
errors, the errors must be resolved before continuing. See Chapter 11,
Troubleshooting Guidelines for Branch Office Environments, of this guide for more
information on troubleshooting errors.
14. Document the configuration of this server in the Hub Site Checklist.xls job aid
included with this guide.
15. Repeat this procedure for all three of the root domain controllers.
Schedule the Quality Assurance Check to Run Every Day
The quality assurance script (QA_Check.cmd) should be run every day in order to
verify your domain controllers. Some of the Microsoft Windows 2000 Resource Kit
utilities used by the quality assurance script must be run using an Administrator
account in order to collect their data. Therefore, the Microsoft Windows 2000
Resource Kit utility Srvany.exe is used to run the script as a service, and a batch file
is scheduled to start and stop the service.
Before performing the following procedure, you should first create a user account,
such as QACheck, that is a member of the Domain Admins group. This will allow
you to configure the service to start using an administrator account.
To schedule the quality assurance check:
1. Start a command prompt and use the following command to install Srvany.exe
from the Microsoft Windows 2000 Resource Kit as a Windows service:
instsrv QACheck "c:\Program Files\Resource Kit\srvany.exe"
2. Click Start, Programs, Administrative Tools, and select Services.
3. Right-click the QACheck service you added in step one and select Properties.
4. On the General tab, set the Startup type as Manual.
5. On the Log On tab, set the account the service will use when running. This
should be the QACheck account that you created.
6. Click OK and close the Services MMC.
7. Click Start, Run, in the Open box, type regedt32, and click OK.
8. Expand the following path in the Registry Editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QACheck
9. On the Edit menu select Add Key.
10. In the Add Key dialog box, in the Key Name box, type Parameters and click
OK.
11. Select the Parameters key, on the Edit menu select Add Value.
12. In the Add Value dialog box, in the Value Name box, type Application, in the
Data Type box select REG_SZ and then click OK.
13. In the String Editor dialog box, type C:\ADMonitor\QA_Check.cmd and click
OK.
14. Select the Parameters key, on the Edit menu select Add Value.
15. In the Add Value dialog box, in the Value Name box, type AppDirectory, in the
Data Type box select REG_SZ and then click OK.
16. In the String Editor dialog box, type C:\ADMonitor and click OK.
17.After configuring the registry, to schedule the quality assurance script to run
Monday through Friday, enter the following command at a command prompt:
at 5:00 /every:m,t,w,th,f "C:\ADMonitor\startqa.cmd"
Automating daily QA with NetIQ AppManager
If you installed NetIQ AppManager, you can use the NTAdmin_RunDOS KS to start
the QA_Check.cmd on a regular basis and the General_Asciilog KS to read the
output file and watch for key problem text.
To configure this:
1. In AppManager, navigate to the NTAdmin tab in the KS pane (usually in the
middle on the right of the AppManager Operator console), and drag the RunDOS
KS to the machine or machine group.
2. When prompted for parameters, configure the KS to run every Monday through
Friday at 11:00pm by selecting the Weekly Schedule option.
3. Switch to the Values pane and enter C:\ADMonitor\QA_Check.cmd in the DOS
command or Script File field.
4. Navigate to the General tab in the KS pane and drop the AsciiLog KS onto the
machine or machine group.
5. When prompted, configure the KS to run every Monday through Friday at
11:30pm.
6. Navigate to the Values tab and enter the text for the server for which you want to
monitor. Enter C:\ADResults\<computername> in the File Name (full path) field.
SUMMARY
You have now created a root domain, set up the root domain servers, configured
them for DNS, and created a hub site. Your next task is to create the branch
domain, and set up the branch domain bridgehead servers.
MORE INFORMATION
Resource Centers on the Web
The following external resources on microsoft.com are updated every week with
more information:
Windows 2000 Technical Library
http://www.microsoft.com/windows2000/library/
Technologies in Depth Listings
http://www.microsoft.com/windows2000/library/technologies/default.asp
TechNet: Windows 2000 Technology Center
http://www.microsoft.com/technet/win2000/default.htm
MSDN: Windows 2000 Development Center
http://msdn.microsoft.com/windows2000/
MSPRESS: Windows 2000
http://mspress.microsoft.com/windows2000/
Microsoft Official Curriculum for Windows 2000
http://www.microsoft.com/train_cert/winmoc/win2000_data.htm
Windows 2000 Learning Center
http://www.microsoft.com/train_cert/learncenter/win2000/default.htm
White Papers
Windows 2000 Domain Name System Overview
http://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/dnsover.asp
Windows 2000 Domain Name System White paper
http://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/w2kdns.asp