Deploying the Windows Server 2003 Forest Root Domain


Page 1: Deploying the Windows Server 2003 Forest Root Domain

Chapter 6

Deploying your forest root domain is the first step in deploying the Active Directory® directory service infrastructure in your organization.

In This Chapter

Overview of Deploying the Forest Root Domain   228
Reviewing the Active Directory Design   231
Configuring DNS for the Forest Root Domain   235
Creating the Forest Root Domain   237
Raising the Functional Level   255
Additional Resources   256

Related Information

For more information about designing the Active Directory logical structure and the Domain Name System (DNS) infrastructure needed to support Active Directory, see “Designing the Active Directory Logical Structure” in this book.

For more information about designing the Active Directory site topology, see “Designing the Site Topology” in this book.

For more information about domain controller capacity planning for Active Directory, see “Planning Domain Controller Capacity” in this book.

For more information about designing and deploying a DNS infrastructure for name resolution for your network, see “Deploying DNS” in Deploying Network Services in this kit.


228   Chapter 6   Deploying the Windows Server 2003 Forest Root Domain

Overview of Deploying the Forest Root Domain

The first domain that you create in your Active Directory forest is automatically designated as the forest root domain. The forest root domain provides the foundation for your Active Directory forest infrastructure. You must create the forest root domain before you create regional domains or upgrade other Microsoft® Windows NT® 4.0 domains in order to join them to an existing forest. In addition, services that are running on forest root domain controllers, such as the Kerberos version 5 authentication protocol, must be highly available to ensure that users maintain access to resources throughout the forest.

Before you deploy your forest root domain, your design team must design your Active Directory logical structure and site topology and plan your hardware requirements for domain controllers that are running the Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; and Windows® Server 2003, Datacenter Edition operating systems. During the forest root domain deployment, you begin to implement the Active Directory design that your design team has provided, including the DNS infrastructure that Active Directory requires.

The forest owner is responsible for deploying the forest root domain. After the forest root domain deployment is complete, deploy the remainder of your Active Directory forest as specified by your Active Directory design. The tasks that you must perform to deploy the remainder of your Active Directory forest depend on whether your design specifies a single domain forest or a multiple domain forest.

Single domain forest. If your Active Directory forest design requires only a single domain, then the forest root domain will also contain all your users, groups, and resources. To deploy this model, you can create an organizational unit (OU) structure after the forest root domain deployment is complete. Then you can restructure Windows NT account and resource domains into the forest root domain.

Multiple domain forest. In a multiple domain design, the forest root domain can be a dedicated root used only for administration of the forest, or it can contain users, groups, and resources in addition to the forest administration accounts. Once the forest root domain is deployed, the forest owner will create one or more regional child domains to complete the Active Directory forest hierarchy. The regional domains can be created either by upgrading existing Windows NT 4.0 or Microsoft® Windows® 2000 domains or by deploying additional new domains.

For more information about upgrading Windows NT domains, see “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book. For more information about deploying additional regional domains, see “Deploying Windows Server 2003 Regional Domains” in this book. For more information about restructuring Windows NT domains, see “Restructuring Windows NT 4.0 Domains to an Active Directory Forest” in this book.


Additional Resources   229

Process for Deploying the Forest Root Domain

Deploying the forest root domain involves completing the tasks that are shown in Figure 6.1. Only organizations with an existing DNS infrastructure or organizations whose DNS services are provided by an Internet service provider will configure DNS for the forest root domain. Other organizations will skip the task, allowing the Active Directory Installation Wizard to automatically create an internal root zone, which acts as the authoritative root for the organization.

Figure 6.1   Deploying the Forest Root Domain


Background Information for Deploying the Forest Root Domain

Before you deploy the forest root domain, understand the importance of maintaining the availability of forest root domain controllers. Also become familiar with how you can save time during the deployment process by automating installations and by using the Active Directory Installation Wizard.

Forest Root Domain Controller Availability

The forest root domain has different characteristics than other domains in the forest. It is the center of Kerberos authentication referrals and the domain controllers in the forest root domain host the forest-level operations master roles, in addition to domain-level operations master roles.

Because it has a unique role in the forest, special considerations must be made to ensure forest root domain controller availability.

Because forest root domain controllers are used for Kerberos authentication referrals, ensure that at least one forest root domain controller is always online.

Changes to the schema require the schema master to be online.

Changes to the domain infrastructure, including adding, removing, or renaming domains or application directory partitions, require the domain naming master to be online.

Maintain current backups of forest root domain controllers. Although corrupted data does not replicate out to other domains, maintaining current backups allows you to quickly restore a domain controller to its original state if data on the domain controller ever becomes corrupted.

For information about planning forest root domain controller placement to ensure availability, see “Designing the Site Topology” in this book.

Automated Installations

You can perform an unattended installation of Active Directory by supplying an answer file when you run the Active Directory Installation Wizard. For more information about using an answer file to install Active Directory, in Help and Support Center for Windows Server 2003, click Tools, and click Windows Support Tools. Search for Ref.chm in the Deploy.cab file for examples and instructions about creating an answer file.

You can also automate the installation of Windows Server 2003 by using Sysprep.exe or an unattended installation. For more information about automating installations of Windows Server 2003, see Automating and Customizing Installations in this kit.

The Active Directory Installation Wizard

Windows Server 2003 includes improvements to the Active Directory Installation Wizard. When you install the first domain controller in a domain, you can allow the wizard to automatically install and configure Active Directory–integrated DNS. Even if you need to manually configure some settings later, the wizard saves time and prevents errors during the initial configuration.


Reviewing the Active Directory Design

Begin your forest root domain deployment by reviewing Active Directory design information, as shown in Figure 6.2.

Figure 6.2   Reviewing the Active Directory Design


Review the Active Directory Logical Structure Design

Review the Active Directory logical structure design that your design team completed, including the DNS infrastructure that is planned for supporting Active Directory. If your organization has an existing DNS infrastructure, review current network diagrams and DNS domain hierarchy diagrams. Also review the existing DNS zone configuration, replication, and resource records that are used for delegation and forwarding.

Document the information that you will need to install Windows Server 2003 and to configure DNS on each domain controller in the forest root domain. For a worksheet to assist you in documenting this information, see “Domain Controller Configuration” (DSSDFR_1.doc) on the Microsoft® Windows® Server 2003 Deployment Kit companion CD (or see “Domain Controller DNS Configuration” on the Web at http://www.microsoft.com/reskit).

Example: Reviewing the Active Directory Logical Structure Design for Trey Research

The Active Directory logical structure design for Trey Research requires the deployment team to create a new dedicated forest root domain, trccorp.treyresearch.net. They will then create two regional domains:

A new regional domain, west.trccorp.treyresearch.net.

A regional domain, east.trccorp.treyresearch.net, created by upgrading an existing Windows NT 4.0 domain, and then restructuring several other existing Windows NT 4.0 domains into it.

The deployment team reviews the existing DNS infrastructure for the Trey Research business unit. Their existing DNS infrastructure provides name resolution for all internal resources, including:

Any servers, such as Web or mail servers, that reside in the perimeter network (also known as the DMZ) and are accessed by Internet users.

Any computers, or other network devices, that reside in the private network and run a non-Windows operating system, such as UNIX or Macintosh operating systems.


Trey Research’s registered DNS domain name is treyresearch.net. This DNS domain name:

Provides DNS naming for computers that are accessed by Internet users.

Represents the external DNS namespace for the business unit.

Runs on the Berkeley Internet Name Domain (BIND) DNS servers (SEA-TREY-DNS-01 and SEA-TREY-DNS-02) that are placed in the perimeter network.

Figure 6.3 shows an example of a completed domain controller configuration worksheet, showing the TCP/IP client settings for the domain controllers planned for the Trey Research forest root domain. For each domain controller, the preferred DNS server is the local domain controller, and the alternate is the closest DNS server. Initially, however, Trey Research configures the first domain controller in the domain to use a DNS server in its parent DNS domain as its preferred DNS server. During installation of Active Directory on the first domain controller, the preferred DNS server is changed to the local domain controller. Then, after the second domain controller is online, Trey Research reconfigures the first domain controller to use the second domain controller as its alternate DNS server.

Figure 6.3   Example of a Domain Controller Configuration Worksheet

Note: Windows NT 4.0–based computers in the private network use Windows Internet Name Service (WINS) to provide name resolution.


Review Site Topology Design

Review your site topology design information, including:

Site and subnet design.

Site link design.

The site topology design team can provide worksheets that document the site topology information that you will need to configure the site topology for the forest.

Figure 6.4 shows an example of a completed Associating Subnets with Sites worksheet for Trey Research. The worksheet lists the sites that will be created for Trey Research and the corresponding locations and subnets to be included in each site. The Trey Research site topology design specifies that the Phoenix subnets are associated with the Seattle site.

Figure 6.4   Example of an Associating Subnets with Sites Worksheet

Figure 6.5 shows an example of a completed Sites and Associated Site Links worksheet for Trey Research, including the communication links between locations.


Figure 6.5   Example of a Sites and Associated Site Links Worksheet

Review Hardware Requirements

Ensure that each computer that you plan to use as a domain controller meets the hardware requirements for running Windows Server 2003. For more information about assessing the hardware requirements of domain controllers in a Windows Server 2003 domain, see “Planning Domain Controller Capacity” in this book.

Configuring DNS for the Forest Root Domain

To configure DNS for the forest root domain, the DNS administrator of your organization delegates the zone that matches the name of the forest root domain to the DNS servers (domain controllers) that you will be installing in the forest root domain. Figure 6.6 shows when configuring DNS for the forest root domain occurs within the forest root domain deployment process.


Figure 6.6   Configuring DNS for the Forest Root Domain

In preparation for the forest root domain deployment, create a delegation for the DNS servers that will be running on the domain controllers in the forest root domain. Create the delegation by adding DNS name server (NS) and address (A) resource records to the parent DNS zone.

Important: When no DNS infrastructure exists, skip this step in the forest root domain deployment process and proceed to the next step, “Creating the Forest Root Domain.” The remainder of this step describes the process of configuring and delegating a zone in the existing DNS internal namespace.


To delegate the DNS zone for the forest root domain

1. Create a name server (NS) resource record in the parent zone. Use the left-most portion of the forest root domain name, and the full DNS name of the domain controller.

forest_root_domain IN NS domain_controller_name

2. Create a host address (A) resource record in the parent zone. Use the full DNS name of the domain controller.

domain_controller_name IN A domain_controller_ip_address

Note: The delegation that occurs in this step references the first forest root domain controller, which does not currently exist. The DNS service is installed and configured on the first forest root domain controller in a subsequent step.


For example, the DNS administrator for Trey Research created the following DNS resource records in the parent zone, treyresearch.net:

trccorp IN NS SEA-TRC-DC01.trccorp.treyresearch.net

SEA-TRC-DC01.trccorp.treyresearch.net IN A 172.16.16.2
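The delegation above is only useful if the parent zone also carries a glue A record for every name server that lives inside the delegated zone; without it, resolvers cannot find the child zone's servers and the delegation is lame. The following script is an added example, not part of the Deployment Kit: it parses BIND-style records like the Trey Research ones and reports a missing NS record, a name server inside the child zone that has no glue, or glue with an invalid address. The sample records are constructed from the text, and the function names are the example's own.

```python
"""Check a parent-zone delegation for a forest root domain.

Added example (not from the Deployment Kit): given the resource records an
administrator added to the parent zone, confirm that the child zone has an NS
record and that every name server inside the child zone has a glue A record.
"""
import ipaddress

# Constructed sample: the records the Trey Research DNS administrator added
# to the parent zone treyresearch.net, in "owner IN TYPE rdata" form.
PARENT_ZONE = "treyresearch.net"
SAMPLE_RECORDS = """
trccorp IN NS SEA-TRC-DC01.trccorp.treyresearch.net
SEA-TRC-DC01.trccorp.treyresearch.net IN A 172.16.16.2
"""


def fqdn(name, origin):
    """Turn a relative owner name into a lowercase FQDN under origin."""
    name = name.rstrip(".").lower()
    origin = origin.rstrip(".").lower()
    if name == "@" or name == origin:
        return origin
    if name.endswith("." + origin):
        return name
    return f"{name}.{origin}"


def parse_records(text, origin):
    """Parse 'owner IN TYPE rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        owner, _, rtype, rdata = parts
        records.append((fqdn(owner, origin), rtype.upper(), rdata.rstrip(".").lower()))
    return records


def check_delegation(records, parent_zone, child_zone):
    """Return a list of problems with the delegation of child_zone (empty if OK)."""
    problems = []
    child = child_zone.rstrip(".").lower()
    ns_targets = [r[2] for r in records if r[0] == child and r[1] == "NS"]
    if not ns_targets:
        problems.append(f"no NS record for {child} in {parent_zone}")
        return problems
    glue = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            glue.setdefault(owner, []).append(rdata)
    for target in ns_targets:
        # A name server inside the zone it serves cannot be resolved without a
        # glue record in the parent; a server outside the child zone needs none.
        in_child = target == child or target.endswith("." + child)
        if in_child and target not in glue:
            problems.append(f"NS {target} lies inside {child} but has no glue A record")
        for addr in glue.get(target, []):
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                problems.append(f"glue A record for {target} has invalid address {addr!r}")
    return problems


def delegation_problems(text=SAMPLE_RECORDS, parent_zone=PARENT_ZONE,
                        child="trccorp.treyresearch.net"):
    """Convenience wrapper: parse the records and check the delegation."""
    return check_delegation(parse_records(text, parent_zone), parent_zone, child)


if __name__ == "__main__":
    print(delegation_problems() or "delegation looks consistent")
```

Run it against the records you intend to add before the first domain controller is promoted; the check is deliberately offline, because at this point in the procedure the domain controller named in the NS record does not exist yet.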

Creating the Forest Root Domain

The first step in creating the forest root domain is deploying the first forest root domain controller. The forest owner is responsible for deploying the forest root domain.

Figure 6.7 illustrates the process for creating the forest root domain.

Figure 6.7   Creating the Forest Root Domain


Deploy the First Forest Root Domain Controller

To deploy the first domain controller in the forest root domain, complete the following tasks:

Install Windows Server 2003

Install Active Directory

Verify the Active Directory installation

Configure the Windows Time Service

Verify DNS server recursive name resolution

Install Windows Server 2003 on the First Forest Root Domain Controller

The first step in deploying the first forest root domain controller is to install Windows Server 2003 on the computer that you want to make the domain controller.

Insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain controller and select the option to install the operating system, or use an automated installation method. If the Windows Server 2003 media is shared on the network, run the Winnt32.exe command. Use the NTFS file system to format the partitions. Enter the computer name, static IP address, and subnet mask as specified by your design.

In TCP/IP Properties, configure the DNS client settings by using the information documented in the “Domain Controller Configuration” worksheet. The DNS settings are temporary and will be changed after you install Active Directory.

Enable Remote Desktop for Administration (formerly known as Terminal Services in Remote Administration mode) to enable administrators to log on remotely if necessary. To enable Remote Desktop for Administration, in Control Panel, double-click System, select the Remote tab, and then select Allow users to connect remotely to this computer.

Install Windows Support Tools, which are available in the \Support\Tools folder on the Windows Server 2003 operating system CD.

Note: Before installing Windows Server 2003, ensure that DNS was never previously installed on the computer. If DNS was previously installed, configuration of the DNS resolver and forwarders might fail.


Install Active Directory on the First Forest Root Domain Controller

Install Active Directory by running the Active Directory Installation Wizard on the computer that you want to make the first forest root domain controller. The Active Directory Installation Wizard creates the Active Directory database and initializes the directory data in the database.

In addition, on the first domain controller in a domain, the wizard also:

Prompts the administrator to verify the installation and configuration of the DNS Server service.

Configures DNS recursive name resolution by forwarding, by adding the IP addresses of the existing entries for Preferred DNS server and Alternate DNS server to the list of DNS servers on the Forwarders tab of the Properties sheet in the DNS snap-in for the domain controller.

Configures DNS recursive name resolution by root hints, by adding the root hints that are configured on the Preferred DNS server

Configures the Preferred DNS server to point to the DNS server that is running locally on the domain controller, and configures the Alternate DNS server to point to the DNS server that is connected through the minimum number of network segments.

Creates two application directory partitions that are used by DNS. The DomainDnsZones application directory partition holds domain-wide DNS data, and the ForestDnsZones application directory partition holds forest-wide DNS data.

To install Active Directory on the first forest root domain controller

1. Log on to the Windows Server 2003–based member server.

2. At the command line, type:

dcpromo

– or –

3. Open Administrative Tools and click Configure Your Server Wizard. Select Domain Controller (Active Directory) to configure your domain controller. After the Configure Your Server Wizard finishes, the Active Directory Installation Wizard begins.

Note: If you want to set different forwarders, or do not want to enable forwarding, you can change this setting manually by using the DNS snap-in.

If your domain controller is multihomed, forwarding is not configured automatically.

For manual configuration instructions, see “Verify DNS Server Recursive Name Resolution on the First Forest Root Domain Controller” later in this chapter.


Use Table 6.1 to complete the Active Directory Installation Wizard. Table 6.1 includes the specific actions taken by Trey Research as they deploy their first forest root domain controller, SEA-TRC-DC01.

Table 6.1   Information to Install Active Directory on the First Forest Root Domain Controller

(Columns: Wizard Page or Dialog Box; Action; Example)

Domain Controller Type
  Action: Select Domain controller for a new domain.

Create New Domain
  Action: Select Domain in a new forest.

New Domain Name
  Action: Type the full DNS name of the domain.
  Example: trccorp.treyresearch.net

NetBIOS Domain Name
  Action: Confirm or type the NetBIOS name.
  Example: TRCCORP

Database and Log Folders
  Action: Type the folder locations specified by your design.
  Example: Database folder: C:\WINNT\NTDS; Log folder: D:\Logs

Shared System Volume
  Action: Confirm or type the location specified by your design.
  Example: C:\WINNT\SYSVOL

DNS Registration Diagnostics
  Action: For organizations with an existing DNS infrastructure, a message will indicate that the wizard cannot contact the DNS server with which this DC will be registered. This is because the pre-created delegation record points to the local computer and DNS has not been installed on the domain controller at this point. Select Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server.
  Example: Before running the Active Directory Installation Wizard, the Trey Research deployment team set the Preferred DNS server to 172.16.24.4, which is the IP address of a DNS server in the parent zone, treyresearch.net. This address will be automatically moved to the list of forwarders, and Preferred DNS server will be set to the local host.

Permissions
  Action: Select the security level specified by your design: Permissions compatible with pre-Windows 2000 server operating systems, or Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.
  Example: Because Trey Research currently has server programs running on Windows NT 4.0 servers, they selected Permissions compatible with pre-Windows 2000 server operating systems.

Directory Service Restore Mode Administration Password
  Action: In the Password and Confirm password boxes, type any strong password.

For more information about installing and removing Active Directory, see the Directory Services Guide of the Microsoft® Windows® Server 2003 Resource Kit (or see the Directory Services Guide on the Web at http://www.microsoft.com/reskit).

Verify the Active Directory Installation on the First Forest Root Domain Controller

To verify the Active Directory installation on the first forest root domain controller:

1. Review the Windows Server 2003 event log and resolve any errors.

2. At the command line, run Dcdiag.exe and Netdiag.exe and resolve any errors that are reported.

For more information about tests you can perform by using Dcdiag and Netdiag, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under “Administration and Configuration Guides” and download the Active Directory Operations Guide.

3. Run Task Manager and verify that the processor and memory system resources are within acceptable limits.

4. Open the DNS snap-in, navigate to Forward Lookup Zones, and verify that the zones _msdcs.forest_root_domain_name and forest_root_domain_name were created. Expand the forest_root_domain_name node and verify that DomainDnsZones and ForestDnsZones were created.

Configure the Windows Time Service

When deploying the forest root domain, it is important to correctly configure the Windows Time Service to meet your organization’s needs. The Windows Time Service provides time synchronization to peers and clients, ensuring consistent time throughout an enterprise.

By default, the first domain controller deployed holds the primary domain controller (PDC) emulator operations master role. Set the PDC emulator to synchronize from a valid Network Time Protocol (NTP) source. If no source is configured, the service will log a message to the event log, and use the local clock when providing time to clients. Although Internet NTP sources are valid for this configuration, it is recommended that a dedicated hardware device, such as a GPS or radio clock, be employed in the interest of security.

Repeat this operation if you transfer or seize the PDC emulator operations master role to another domain controller in the forest root domain.

To configure the Windows Time Service on the first forest root domain controller

1. Log on to the domain controller.

2. At the command line, type:

W32tm /config /manualpeerlist:<peers> /syncfromflags:manual

<peers> is a space-delimited list of DNS names and/or IP addresses. When specifying multiple peers, the list must be enclosed in quotes.

3. Update the Windows Time Service configuration. At the command line, type:

W32tm /config /update

– or –

Net stop w32time

Net start w32time

For more information about configuring and deploying the Windows Time Service, see the Distributed Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit).
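Two details of this procedure are easy to get wrong: the quoting of a multi-peer list, and the requirement that the planned time hierarchy contain no cycle (a peer must not itself take time, directly or indirectly, from the PDC emulator). The following script is an added example, not part of the Deployment Kit: it builds the W32tm command line from a peer list and walks a constructed host-to-sources map to find any loop before the configuration is applied. The hostnames other than SEA-TRC-DC01 and the GPS clock name are hypothetical, as are the function names.

```python
"""Build the W32tm manual-peer command and check the time hierarchy for cycles.

Added example, not from the Deployment Kit. The hierarchies below are a
constructed stand-in for a design worksheet; hostnames are hypothetical.
"""


def w32tm_config_command(peers):
    """Return the W32tm command line for a list of manual peers.

    A single peer needs no quotes; multiple peers are space separated and
    the whole list must be enclosed in quotes, as the procedure states.
    """
    if not peers:
        raise ValueError("at least one peer is required")
    for peer in peers:
        if any(ch.isspace() for ch in peer) or '"' in peer:
            raise ValueError(f"invalid peer name {peer!r}")
    peerlist = " ".join(peers)
    if len(peers) > 1:
        peerlist = f'"{peerlist}"'
    return f"W32tm /config /manualpeerlist:{peerlist} /syncfromflags:manual"


def find_time_source_cycle(sources):
    """Return a cycle in the time hierarchy as a list of hosts, or None.

    sources maps a host to the list of hosts it synchronizes from. A name
    that never appears as a key (an external NTP server or hardware clock)
    is a leaf and cannot close a loop.
    """
    WHITE, GREY, BLACK = 0, 1, 2        # unvisited / on current path / finished
    state = {host: WHITE for host in sources}
    path = []

    def visit(host):
        state[host] = GREY
        path.append(host)
        for peer in sources.get(host, []):
            if peer not in sources:
                continue
            if state[peer] == GREY:      # back edge: the path from peer loops
                return path[path.index(peer):] + [peer]
            if state[peer] == WHITE:
                found = visit(peer)
                if found:
                    return found
        path.pop()
        state[host] = BLACK
        return None

    for host in sources:
        if state[host] == WHITE:
            cycle = visit(host)
            if cycle:
                return cycle
    return None


# Constructed design: the PDC emulator takes time from a hardware clock and
# the second forest root domain controller follows the PDC emulator.
GOOD_HIERARCHY = {
    "sea-trc-dc01": ["gps-clock.example.invalid"],
    "sea-trc-dc02": ["sea-trc-dc01"],
}

# Constructed mistake: the PDC emulator is pointed at a domain controller that
# in turn follows the PDC emulator, which the text warns breaks the service.
BAD_HIERARCHY = {
    "sea-trc-dc01": ["sea-trc-dc02"],
    "sea-trc-dc02": ["sea-trc-dc01"],
}


if __name__ == "__main__":
    print(w32tm_config_command(GOOD_HIERARCHY["sea-trc-dc01"]))
    print("good:", find_time_source_cycle(GOOD_HIERARCHY))
    print("bad: ", find_time_source_cycle(BAD_HIERARCHY))
```

Run the cycle check over the whole forest's planned time sources, not just the forest root domain, since the loop the note warns about can pass through a domain controller in a child domain.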

Note: When specifying a manual peer, do not use the DNS name or IP address of a computer that uses the forest root domain controller as its source for time, such as another domain controller in the forest. The time service will not operate correctly if there are cycles in the time source configuration.

Verify DNS Server Recursive Name Resolution on the First Forest Root Domain Controller

DNS server recursive name resolution is configured automatically during the Active Directory installation process, as described in “Install Active Directory on the First Forest Root Domain Controller” earlier in this chapter. If your design specifies a different configuration, you can use the DNS snap-in or Dnscmd.exe to modify these settings.


To verify DNS server recursive name resolution on the first forest root domain controller

Use the DNS snap-in to verify DNS server recursive name resolution for the method used in your organization based on the information in Table 6.2.

Table 6.2   Information to Verify DNS Server Recursive Name Resolution

(Columns: Method; Configuration)

Recursive name resolution by root hints
  Root hints are the recommended method to use for recursive name resolution in a Windows Server 2003 environment.
  No additional configuration is necessary. When the DNS server specified as the Preferred DNS server during the installation process is properly configured, the root hints are automatically configured. To verify the root hints by using the DNS snap-in:
  1. In the console tree, right-click the domain controller name, and then click Properties.
  2. In the Properties sheet for the domain controller, view the root hints on the Root Hints tab.

Recursive name resolution by forwarding
  Only use Forwarders if that is what your organization’s design specifies. Root hints are the recommended method to use for recursive name resolution in a Windows Server 2003 environment.
  Forward unresolved queries to specified DNS servers. To verify forwarding by using the DNS snap-in:
  1. In the console tree, right-click the domain controller name, and then click Properties.
  2. On the Forwarders tab, in the selected domain’s Forwarders list, verify that the IP addresses match those specified by your design.

No existing DNS infrastructure
  No additional configuration is necessary.
  In this environment, if you want to configure internal DNS servers to resolve queries for external names, then configure this DNS server to forward unresolved queries to an external server, such as one in your perimeter network, or one hosted by an Internet service provider.
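The wizard's automatic changes (pre-promotion Preferred and Alternate DNS servers moved to the forwarders list, Preferred DNS server pointed at the local server, nothing configured on a multihomed domain controller) and the verification in Table 6.2 can be expressed as a small model, so the expected state can be compared with what the Root Hints and Forwarders tabs actually show. The following script is an added example, not part of the Deployment Kit; the server snapshots are constructed, the function names are hypothetical, and the assumption that Trey Research's design specifies forwarding is the example's own, since the text does not say which method they chose.

```python
"""Expected DNS settings after promoting the first forest root domain
controller, and a check of the recursion method against the design.

Added example, not from the Deployment Kit. The dictionaries passed to
verify_recursion() are a constructed stand-in for what an administrator reads
from the Root Hints and Forwarders tabs in the DNS snap-in.
"""


def expected_after_promotion(preferred_before, alternate_before, local_ip,
                             multihomed=False):
    """Settings the Active Directory Installation Wizard is documented to produce.

    The Preferred and Alternate DNS servers configured before promotion are
    moved to the forwarders list, and the Preferred DNS server is changed to
    the DNS server running locally. On a multihomed domain controller the
    wizard does not configure forwarding, so forwarders must be set by hand.
    """
    forwarders = []
    if not multihomed:
        forwarders = [ip for ip in (preferred_before, alternate_before) if ip]
    return {"preferred": local_ip, "forwarders": forwarders}


def verify_recursion(method, server, design_forwarders=()):
    """Compare a server's recursion settings with the method the design specifies.

    method: "root_hints" (recommended), "forwarding", or "none" for an
            organization with no existing DNS infrastructure.
    server: {"root_hints": [server names], "forwarders": [IP addresses]}
    Returns a list of findings; an empty list means nothing needs changing.
    """
    findings = []
    hints = server.get("root_hints", [])
    forwarders = server.get("forwarders", [])
    if method == "root_hints":
        if not hints:
            findings.append("no root hints present: the Preferred DNS server used "
                            "during installation was not properly configured")
        if forwarders:
            findings.append(f"forwarders {forwarders} were configured automatically "
                            "but the design specifies root hints; remove them in the DNS snap-in")
    elif method == "forwarding":
        if sorted(forwarders) != sorted(design_forwarders):
            findings.append(f"forwarders {forwarders} do not match the design "
                            f"{sorted(design_forwarders)}")
    elif method == "none":
        # Nothing is required; forwarding to a perimeter or ISP server is
        # optional and only needed if external names must resolve internally.
        pass
    else:
        raise ValueError(f"unknown recursion method {method!r}")
    return findings


def trey_research_check():
    """Walk the Trey Research figures from the text through both functions.

    Assumption (not stated in the text): their design specifies forwarding.
    """
    after = expected_after_promotion("172.16.24.4", None, "172.16.16.2")
    # Constructed snapshot of SEA-TRC-DC01 after promotion.
    server = {"root_hints": ["a.root-servers.net"], "forwarders": after["forwarders"]}
    return after, verify_recursion("forwarding", server, ["172.16.24.4"])


if __name__ == "__main__":
    after, findings = trey_research_check()
    print(after, findings or "matches design")
```

The multihomed flag is the case worth remembering: on such a domain controller the expected forwarders list is empty, so a forwarding design yields a finding until the forwarders are added manually.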


Deploy the Second Domain Controller in the Same Site

After you deploy the first forest root domain controller, deploy the second forest root domain controller in the same site, according to the design provided by your design team. To deploy the second forest root domain controller, complete the following tasks:

Install Windows Server 2003

Install Active Directory

Install DNS Server service

Verify the Active Directory installation

Install Windows Server 2003 on the Second Domain Controller

The first step in deploying the second forest root domain controller is to install Windows Server 2003 on the computer that you want to make the second domain controller.

Insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain controller and select the option to install the operating system, or use an automated installation method. If the Windows Server 2003 media is shared on the network, run the Winnt32.exe command. Use NTFS to format the partitions. Enter the computer name, static IP address, and subnet mask as specified by your design.

Configure the DNS client settings by using the information documented in the “Domain Controller Configuration” worksheet (DSSDFR_1.doc).

Enable Remote Desktop for Administration (formerly known as Terminal Services in Remote Administration mode) to enable administrators to log on remotely if necessary. To enable Remote Desktop for Administration, in Control Panel, double-click System, select the Remote tab, and then select Allow users to connect remotely to this computer.

Install Windows Support Tools, which are available in the \Support\Tools folder on the Windows Server 2003 operating system CD.

Note: Before installing Windows Server 2003, ensure that DNS was not previously installed.

Install Active Directory on the Second Domain Controller

Install Active Directory on the computer that you want to make the second forest root domain controller by running the Active Directory Installation Wizard.

The Active Directory Installation Wizard:

Creates the Active Directory database.

Initializes the directory data in the database.

On domain controllers other than the first domain controller in a domain, installation of DNS is not automatic.

To deploy an additional domain controller in an existing domain, you can either let replication copy domain information from an existing source domain controller over the network, or you can use the install from media feature, which is new in Windows Server 2003. Install from media allows you to pre-populate Active Directory with System State data backed up from an existing domain controller. This backup can be on a local CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install directory information by reducing the amount of data that is replicated over the network. Installing from media is most beneficial in environments with very large domains or for installing new domain controllers that are connected by a slow network link. To use the install from media feature, you first create a backup of System State from the existing domain controller, and then restore it to the new domain controller by using the Restore to: Alternate location option.

To install Active Directory on the second domain controller

1. Log on to the Windows Server 2003–based member server.

2. If you want to copy domain information from restored backup files, at the command line, type:

dcpromo /adv

– or –

If you want to copy domain information over the network, either type dcpromo (without the /adv switch) or open Administrative Tools, click Configure Your Server Wizard, and select Domain Controller (Active Directory) to configure your domain controller. After the Configure Your Server Wizard finishes, the Active Directory Installation Wizard begins.

3. Use Table 6.3 to help you complete the Active Directory Installation Wizard. Table 6.3 also includes the specific actions taken by Trey Research as they deployed their second forest root domain controller, SEA-TRC-DC02.

Table 6.3   Information to Install Active Directory on the Second Forest Root Domain Controller

Wizard page or dialog box: Domain Controller Type
Action: Select Additional domain controller for an existing domain.

Wizard page or dialog box: Copying Domain Information (This dialog box appears only when you started the Active Directory Installation Wizard by typing dcpromo with the /adv switch at the command line or used the Configure Your Server Wizard.)
Action: Select either Over the network from a domain controller or From these restored backup files.
Example: Trey Research is copying from the first TRCCORP domain controller, SEA-TRC-DC01, which is in the same location as the new one, so they selected Over the network to copy the information in the shortest time.

Wizard page or dialog box: Global Catalog (This dialog box appears only when From these restored backup files was selected, and the domain controller that you backed up was a global catalog server.)
Action: Specify whether this domain controller should be configured as a global catalog server.

Wizard page or dialog box: Network Credentials
Action: In the User name box, type a user account that has sufficient rights to add a domain controller, typically a member of Domain Admins. In the Password box, type the password of the user account.

Wizard page or dialog box: Additional Domain Controller (This dialog box appears only when Over the network was selected.)
Action: Confirm or type the full DNS name of the forest root domain.
Example: trccorp.treyresearch.net

Wizard page or dialog box: Database and Log Folders
Action: Type the folder locations specified by your design.
Example: Database folder: C:\WINNT\NTDS; Log folder: D:\Logs

Wizard page or dialog box: Shared System Volume
Action: Confirm or type the location specified by your design.
Example: C:\WINNT\SYSVOL

Wizard page or dialog box: Directory Service Restore Mode Administration Password
Action: In the Password and Confirm password boxes, type any strong password.

Install DNS Server on the Second Domain Controller

After Active Directory installation has finished and the computer has restarted, install DNS on the second Windows Server 2003–based domain controller that is added to the domain.

To install DNS on additional domain controllers by using the Windows Components Wizard

1. Click Start, point to Settings, and click Control Panel.

2. Double-click Add or Remove Programs, and then click Add/Remove Windows Components.

3. In Components, select the Networking Services check box, and then click Details.

4. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box, click OK, and then click Next.

5. If prompted, in Copy files from, type the full path to the distribution files and then click OK. The required files will be copied to your hard disk.

Verify the Active Directory Installation on the Second Domain Controller

Use the same steps as shown in the procedure for the first domain controller, but instead of verifying that DomainDnsZones and ForestDnsZones were created, use the repadmin /showreps command to verify that the ForestDnsZones and DomainDnsZones application directory partitions replicate successfully. Use the DNS snap-in to verify that DNS server recursive name resolution is configured according to the method used by your organization.
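The repadmin /showreps check above, as an added example that is not part of the Deployment Kit: a small parser that reads the command's output and reports whether the ForestDnsZones and DomainDnsZones partitions each have at least one inbound replication partner whose last attempt succeeded. The sample output is constructed to follow the command's layout; the GUIDs, timestamps and the DomainDnsZones failure are placeholders.

```python
"""Read repadmin /showreps output and confirm that the ForestDnsZones and
DomainDnsZones application directory partitions replicate successfully
to the new domain controller.

Added example, not part of the Deployment Kit. The text below is a
constructed sample laid out like repadmin /showreps output on
Windows Server 2003; the GUIDs and timestamps are placeholders, and the
DomainDnsZones failure is deliberate so the check has something to flag.
"""
import re

DOMAIN_DN = "DC=trccorp,DC=treyresearch,DC=net"

SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\SEA-TRC-DC02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 00000000-0000-0000-0000-000000000002
DSA invocationID: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ======================================

DC=trccorp,DC=treyresearch,DC=net
    Default-First-Site-Name\\SEA-TRC-DC01 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2003-06-12 14:01:30 was successful.

DC=ForestDnsZones,DC=trccorp,DC=treyresearch,DC=net
    Default-First-Site-Name\\SEA-TRC-DC01 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2003-06-12 14:01:31 was successful.

DC=DomainDnsZones,DC=trccorp,DC=treyresearch,DC=net
    Default-First-Site-Name\\SEA-TRC-DC01 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000001
        Last attempt @ 2003-06-12 14:01:32 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2003-06-12 09:15:02.
"""

# Source partner lines are indented 4 spaces, attempt lines 8 spaces.
_SOURCE = re.compile(r"^ {4}(\S+) via (\S+)")
_ATTEMPT = re.compile(r"^ {8}Last attempt @ (\S+ \S+) (was successful|failed, result (\d+))")


def parse_showreps(text):
    """Map each naming context to its inbound neighbours:
    {context: [(source_dsa, succeeded, detail), ...]}."""
    results, context, source, inbound = {}, None, None, False
    for line in text.splitlines():
        if line.startswith("===="):
            inbound = line.startswith("==== INBOUND")  # skip OUTBOUND / KCC sections
            continue
        if not inbound or not line.strip():
            continue
        if not line[0].isspace():                  # naming context header
            context, source = line.strip(), None
            results.setdefault(context, [])
            continue
        m = _SOURCE.match(line)
        if m:
            source = m.group(1)
            continue
        m = _ATTEMPT.match(line)
        if m and context and source:
            ok = m.group(2) == "was successful"
            detail = "ok" if ok else f"error {m.group(3)}"
            results[context].append((source, ok, detail))
    return results


def dns_partition_status(results, domain_dn):
    """For each DNS application partition under domain_dn, True only when at
    least one inbound neighbour exists and every reported attempt succeeded."""
    status = {}
    for partition in ("ForestDnsZones", "DomainDnsZones"):
        neighbours = results.get(f"DC={partition},{domain_dn}", [])
        status[partition] = bool(neighbours) and all(ok for _, ok, _ in neighbours)
    return status


if __name__ == "__main__":
    parsed = parse_showreps(SAMPLE_SHOWREPS)
    for partition, healthy in dns_partition_status(parsed, DOMAIN_DN).items():
        print(f"{partition}: {'replicating' if healthy else 'NOT replicating'}")
```

On a real domain controller, feed the output of `repadmin /showreps` to `parse_showreps` instead of the sample text.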

Reconfigure the DNS Service

Reconfigure the DNS service to account for the addition of the second domain controller in the forest root domain. You can also use these procedures as you deploy additional domain controllers that are running the DNS service. To reconfigure the DNS service:

Enable Aging and Scavenging for DNS

Configure the DNS client settings of the first and subsequent domain controllers

Update the DNS delegation

Enable Aging and Scavenging for DNS

Enable aging and scavenging on two Windows Server 2003–based domain controllers running the DNS Server service in each domain, to allow automatic cleanup and removal of stale resource records (RRs), which can accumulate in zone data over time.

With dynamic update, RRs are automatically added to zones when computers start on the network. However, in some cases, they are not automatically removed when computers leave the network. For example, if a computer registers its own host (A) RR at startup and is later improperly disconnected from the network, its host (A) RR might not be deleted. If your network has mobile users and computers, this situation can occur frequently.

If left unmanaged, the presence of stale RRs in zone data might cause problems including:

If a large number of stale RRs remain in server zones, they can eventually take up server disk space and cause unnecessarily long zone transfers.

DNS servers loading zones with stale RRs might use outdated information to answer client queries, potentially causing the clients to experience name resolution problems on the network.

The accumulation of stale RRs at the DNS server can degrade its performance and responsiveness.

To enable the aging and scavenging features, perform the following steps to configure the applicable server and its Active Directory–integrated zones:

Enable aging and scavenging at the server. These settings determine the effect of zone-level properties for any Active Directory–integrated zones loaded at the server.

Enable aging and scavenging for selected zones at the DNS server. When zone-specific properties are set for a selected zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their default settings from comparable settings maintained in the DNS server aging/scavenging properties.

Caution: By default, the aging and scavenging mechanism for the DNS Server service is disabled. Enable aging and scavenging only after you understand all parameters. Otherwise, the server could be accidentally configured to delete resource records that should not be deleted. If a resource record is accidentally deleted, not only will users fail to resolve queries for that resource record, but any user can create the resource record and take ownership of it, even on zones configured for secure dynamic update.

For more information about how to configure aging and scavenging, see “Understanding aging and scavenging” in Help and Support Center for Windows Server 2003.

To set aging and scavenging properties for the DNS server

1. Log on to the computer that is running the DNS Server service with an account that is a member of the local Administrators group.

2. In the DNS console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.

3. Select the Scavenge stale resource records check box.

4. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone

1. Log on to the computer that is running the DNS Server service with an account that is a member of the local Administrators group.

2. In the DNS console tree, right-click the applicable zone, then click Properties.

3. On the General tab, click Aging, and then select the Scavenge stale resource records check box.

4. Modify other aging and scavenging properties as needed.

Configure the DNS Client Settings of the First and Subsequent Domain Controllers

After you have deployed an additional domain controller, modify the DNS client settings on the first forest root domain controller. Because no other domain controllers were running when you deployed the first forest root domain controller, modify the DNS client settings on the first forest root domain controller to include the additional domain controller. As you deploy more domain controllers, you might also need to modify the Alternate DNS server setting specified on existing domain controllers to ensure that this setting points to the DNS server that is connected through the minimum number of network segments.

To configure the DNS client settings on previously installed domain controllers

1. Open Network Connections, double-click your Local Area Connection, click Properties, click Internet Protocol (TCP/IP) to highlight it, and then click Properties.

2. For the Preferred DNS server, type the IP address of the DNS server that is running locally on the domain controller (local host).

3. Determine whether a newly installed domain controller is now closer to this domain controller than the domain controller that you originally specified as the Alternate DNS server. If it is, for Alternate DNS server, type the IP address of the newly installed domain controller.

Update the DNS Delegation

After you install the DNS Server service on new domain controllers, update the DNS delegation for the forest root domain on a DNS server that is authoritative for the parent zone.

To update the DNS delegation records for the additional domain controller

1. Create a name server (NS) resource record in the parent zone. Use the left-most portion of the forest root domain name, and the full DNS name of the additional domain controller.

forest_root_domain IN NS additional_domain_controller_name

2. Create a host address (A) resource record in the parent zone. Use the full DNS name of the domain controller.

additional_domain_controller_name IN A additional_domain_controller_ip_address

For example, the DNS administrator for Trey Research created the following DNS resource records in the parent zone, treyresearch.net:

trccorp IN NS SEA-TRC-DC02.trccorp.treyresearch.net

SEA-TRC-DC02.trccorp.treyresearch.net IN A 172.16.16.3
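A check for the delegation records above, added here as an example that is not part of the Deployment Kit: it parses parent-zone records in the notation used in this chapter and reports an in-zone name server that has no glue A record, which is the failure mode step 2 guards against. The address given for SEA-TRC-DC01 is a constructed placeholder, and the glue record for SEA-TRC-DC02 is deliberately left out so the check has something to report.

```python
"""Check that a parent zone holds a complete delegation for the forest root
domain: an NS record on the delegated name for each domain controller, and a
glue A record in the parent zone for every NS target that lies inside the
delegated zone (a resolver cannot reach such a name server without glue).

Added example, not part of the Deployment Kit. The parent-zone lines follow
the chapter's record notation; SEA-TRC-DC01's address is a constructed
placeholder and SEA-TRC-DC02's glue record is deliberately left out so that
the check has something to report.
"""
import ipaddress

PARENT_ZONE = "treyresearch.net"
FOREST_ROOT = "trccorp.treyresearch.net"
FOREST_ROOT_DCS = ["SEA-TRC-DC01.trccorp.treyresearch.net",
                   "SEA-TRC-DC02.trccorp.treyresearch.net"]

# Constructed contents of the parent zone, one "owner IN TYPE rdata" per line.
PARENT_ZONE_RECORDS = """\
trccorp IN NS SEA-TRC-DC01.trccorp.treyresearch.net
SEA-TRC-DC01.trccorp.treyresearch.net IN A 172.16.16.2
trccorp IN NS SEA-TRC-DC02.trccorp.treyresearch.net
"""


def qualify(name, origin):
    """Lower-case a name and append the zone origin unless it already ends
    with it (the chapter's examples carry no trailing dot)."""
    name, origin = name.rstrip(".").lower(), origin.lower()
    return name if name == origin or name.endswith("." + origin) else f"{name}.{origin}"


def parse_records(text, origin):
    """Parse 'owner IN TYPE rdata' lines into (owner_fqdn, TYPE, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN":
            continue  # blank or unrecognised line
        owner, _, rtype, rdata = parts
        records.append((qualify(owner, origin), rtype.upper(), rdata))
    return records


def check_delegation(records, child_zone, expected_dcs):
    """Return a list of problems; an empty list means the delegation is complete."""
    child = child_zone.lower()
    ns_targets = {rdata.lower() for owner, rtype, rdata in records
                  if owner == child and rtype == "NS"}
    glue = {owner: rdata for owner, rtype, rdata in records if rtype == "A"}
    problems = []
    if not ns_targets:
        problems.append(f"no NS records for {child}")
    for dc in (d.lower() for d in expected_dcs):
        if dc not in ns_targets:
            problems.append(f"missing NS record {child} -> {dc}")
    for target in sorted(ns_targets):
        if not target.endswith("." + child):
            continue  # a name server outside the child zone needs no glue here
        ip = glue.get(target)
        if ip is None:
            problems.append(f"missing glue A record for {target}")
            continue
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"glue for {target} is not an IPv4 address: {ip}")
    return problems


if __name__ == "__main__":
    recs = parse_records(PARENT_ZONE_RECORDS, PARENT_ZONE)
    for line in check_delegation(recs, FOREST_ROOT, FOREST_ROOT_DCS) or ["delegation complete"]:
        print(line)
```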

Configure Site Topology

The site topology owner configures the site topology for the forest. Configuring the site topology for the forest involves the following tasks:

Delegate Active Directory site administration

Create Active Directory sites

Create and assign Active Directory subnets

Create Active Directory site links

Delegate Active Directory Site Topology Administration

Configuring the site topology for the forest starts when the forest owner delegates administration of the Active Directory sites and site topology to the site topology owner.

To delegate Active Directory site topology administration in your environment

1. Create a global group named SiteAdmins in the forest root domain.

2. Add administrative users to the SiteAdmins global group.

Note: The user accounts that you add must reside in the forest root domain. If you want to add users from regional domains to this group, it must be a universal group, and the forest root domain and the regional domain must be operating at the Microsoft® Windows® 2000 native or Windows Server 2003 functional level.

3. In Active Directory Sites and Services, right-click the Sites node, and then click Delegate Control.

4. Complete the Delegation of Control Wizard to delegate Full Control of the Sites node to SiteAdmins.

Create Active Directory Sites

Create Active Directory sites by using Active Directory Sites and Services.

To create the Active Directory sites

1. Review the site topology design information in the “Associating Subnets with Sites” worksheet provided by your design team.

2. Create the sites specified in the site topology design. For more information about how to create site objects, see “Create a site” in Help and Support Center for Windows Server 2003.

Create and Assign Active Directory Subnets

Create Active Directory subnets by using Active Directory Sites and Services.

To create Active Directory subnets and associate them with sites

1. Review the site topology design information in the “Associating Subnets with Sites” worksheet provided by your design team.

2. Create the Active Directory subnets specified in the worksheet and associate each subnet with the appropriate site. For more information about how to create subnet objects and associate subnets with Active Directory sites, see “Create a subnet” and “Associate a subnet with a site” in Help and Support Center for Windows Server 2003.

Create Active Directory Site Links

Create Active Directory site links by using Active Directory Sites and Services.

To create Active Directory site links

1. Review the site topology design information in the “Sites and Associated Site Links” worksheet provided by your design team.

2. Create the Active Directory site links and configure the site link properties as specified in the site topology design. For more information about how to create site link objects, see “Create a site link” in Help and Support Center for Windows Server 2003.

Deploy Additional Domain Controllers in Other Sites

If your design specifies deployment of additional forest root domain controllers in other sites, deploy them by using the procedures in “Deploy the Second Domain Controller in the Same Site” earlier in this chapter.

Configure Operations Master Roles

Configure the forest-level and domain-level operations master roles for the forest root domain. By default, the first domain controller in the forest root domain is assigned all operations master roles.

If your design specifies that all domain controllers in the forest root domain are global catalog servers, leave all five operations master roles on the first domain controller, and designate the second domain controller as the standby.

If any domain controllers in the forest root domain will not be global catalog servers, move all operations master roles from the first domain controller to the second domain controller, and ensure that the second domain controller will never be a global catalog server. Designate the third domain controller as the standby, and never make it a global catalog server.

For a procedure to help you transfer operations master roles, see “Transfer operations master roles” in Help and Support Center for Windows Server 2003.

Note: In a single domain forest, the database content of a domain controller and a global catalog server are the same. Therefore, to load balance client lookups across global catalog servers in a single domain forest, ensure that all domain controllers are global catalog servers.

If your Active Directory design specifies that you designate a standby operations master for the current operations master role holder, configure the current role holder and the standby as direct replication partners by manually creating a connection object between them. Designating a standby operations master can save some time if you must reassign any operations master roles to the standby operations master.

Of all the operations master roles, the PDC emulator role has the highest impact on the performance of the domain controller hosting that role. In domains with more than 10,000 users, it might be necessary to reduce the number of authentication requests performed by the PDC emulator to decrease its workload and allow it to perform other tasks. If CPU utilization is higher than 50 percent or disk queues remain higher than 2 for several hours or days, reduce the number of client authentication requests received by the PDC emulator.

To reduce the number of client authentication requests that are processed by the PDC emulator, adjust its weight or its priority in the DNS environment. If you want to proportionately reduce the number of client authentication requests received by the PDC emulator, adjust its weight. If you want to ensure that the PDC emulator does not receive any client authentication requests, adjust its priority.

Active Directory assigns a default value of 100 for the weight. By creating a new registry entry for the weight and assigning it a decreased value of 50, you can proportionately reduce the number of client authentication requests sent to the PDC emulator. This ensures that the PDC emulator authenticates half as many clients as it would if the weight value remained at 100.

Active Directory assigns a default value of zero for the priority. By creating a new registry entry for the priority and assigning it an increased value of 200, you can ensure that the PDC emulator will never receive client authentication requests unless it is the only accessible domain controller.

Repeat these procedures if the PDC emulator operations master role is transferred or seized to another domain controller in the forest root domain.

Note: Other factors that can increase the workload on the PDC emulator include pre-Active Directory clients or applications that have been written to contact the PDC emulator.

Caution: The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference on the Microsoft Windows Server 2003 Deployment Kit companion CD or on the Web at http://www.microsoft.com/reskit.
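The weight and priority effects described above, modelled in code as an added example that is not part of the Deployment Kit. It applies the RFC 2782 client selection rule that the domain controller locator follows to the SRV records of three forest root domain controllers: SEA-TRC-DC01 is assumed to hold the PDC emulator role, and a third domain controller, SEA-TRC-DC03, is assumed for illustration.

```python
"""Model of how the DNS SRV priority and weight that LdapSrvPriority and
LdapSrvWeight set for a domain controller change the share of client
locator traffic it receives.

Added example, not part of the Deployment Kit. The domain controller names
are the chapter's Trey Research names, with SEA-TRC-DC01 assumed to hold the
PDC emulator role and SEA-TRC-DC03 assumed for illustration. The selection
rule is the RFC 2782 client algorithm: records with the lowest priority
value are tried first, and within one priority a record is picked with
probability proportional to its weight.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SrvRecord:
    target: str    # domain controller FQDN
    priority: int  # LdapSrvPriority: lower value = preferred, default 0
    weight: int    # LdapSrvWeight: share within a priority tier, default 100


# Constructed forest root domain controllers with default SRV settings.
DEFAULT_DCS = [
    SrvRecord("SEA-TRC-DC01.trccorp.treyresearch.net", 0, 100),  # PDC emulator
    SrvRecord("SEA-TRC-DC02.trccorp.treyresearch.net", 0, 100),
    SrvRecord("SEA-TRC-DC03.trccorp.treyresearch.net", 0, 100),
]
PDC = DEFAULT_DCS[0].target


def with_setting(records, target, **changes):
    """Copy of the record set with priority and/or weight changed for one DC."""
    return [replace(r, **changes) if r.target == target else r for r in records]


def first_choice_share(records, reachable=None):
    """Exact probability that each DC is the first one a client contacts.
    `reachable` restricts the candidates to DCs that currently answer."""
    if reachable is None:
        reachable = {r.target for r in records}
    share = {r.target: 0.0 for r in records}
    live = [r for r in records if r.target in reachable]
    if not live:
        return share
    best = min(r.priority for r in live)            # lowest value wins
    tier = [r for r in live if r.priority == best]
    total = sum(r.weight for r in tier)
    for r in tier:
        share[r.target] = r.weight / total if total else 1 / len(tier)
    return share


def locator_order(records, seed=None):
    """One client's try-order: priority tiers ascending, weighted random inside."""
    rng = random.Random(seed)
    remaining, order = list(records), []
    while remaining:
        best = min(r.priority for r in remaining)
        tier = [r for r in remaining if r.priority == best]
        total = sum(r.weight for r in tier)
        if total == 0:
            chosen = rng.choice(tier)               # all-zero weights: uniform
        else:
            pick, running, chosen = rng.uniform(0, total), 0, tier[-1]
            for r in tier:
                running += r.weight
                if pick <= running:
                    chosen = r
                    break
        order.append(chosen.target)
        remaining.remove(chosen)
    return order


if __name__ == "__main__":
    scenarios = (("default", DEFAULT_DCS),
                 ("PDC weight 50", with_setting(DEFAULT_DCS, PDC, weight=50)),
                 ("PDC priority 200", with_setting(DEFAULT_DCS, PDC, priority=200)))
    for label, recs in scenarios:
        shares = {t.split(".")[0]: round(p, 2) for t, p in first_choice_share(recs).items()}
        print(f"{label}: {shares}")
```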

To change the weight for DNS SRV records by using the registry

1. In the Run dialog box, type regedit, and press ENTER.

2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Click Edit, click New, and then click DWORD value.

4. For the new entry name, type LdapSrvWeight and press ENTER. (The value name is not case sensitive.)

5. Double-click the entry name you just typed to open the Edit DWORD Value dialog box.

6. Choose Decimal as the Base option.

7. Enter a value from 0 through 65535. The recommended value is 50.

8. Click OK.

9. Click File, and then click Exit to close the registry editor.

Adjusting the priority of the domain controller also reduces the number of client referrals. However, rather than reducing it proportionally to the other domain controllers, changing the priority causes DNS to stop referring all clients to this domain controller unless all domain controllers with a lower priority setting are unavailable.

To change the priority for DNS SRV records by using the registry

1. In the Run dialog box, type regedit, and press ENTER.

2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Click Edit, click New, and then click DWORD value.

4. For the new entry name, type LdapSrvPriority, and press ENTER.

5. Double-click the entry name that you just typed to open the Edit DWORD Value dialog box.

6. Choose Decimal as the Base option.

7. Enter a value from 0 through 65535. The recommended value is 200.

8. Click OK.

9. Click File, and then click Exit to close the registry editor.

Note: A lower value entered for LdapSrvPriority indicates a higher priority. A domain controller with an LdapSrvPriority setting of 100 has a lower priority than a domain controller with a setting of 10. Therefore, clients attempt to use the domain controller with the setting of 10 first.

For more information about adjusting the weight or the priority of the PDC emulator, see the Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under “Administration and Configuration Guides” and download the Active Directory Operations Guide.

Raising the Functional Level

When you deploy the first Windows Server 2003–based domain controller in your forest root domain, the forest operates by default at the Windows 2000 forest functional level, and the domain operates by default at the Windows 2000 mixed functional level. If your organization has only Windows NT 4.0 domains and your forest design requires upgrading Windows NT 4.0 domains and joining them to this Active Directory forest, you might want to raise the forest functional level to Windows Server 2003 interim after you deploy the forest root domain and before you begin the process for upgrading your Windows NT 4.0 domain to Windows Server 2003 Active Directory. If you raise the forest functional level to Windows Server 2003 interim, you can take advantage of the advanced features available at that functional level.

Figure 6.8 shows raising the functional level as the last step in the forest root domain deployment process.

Figure 6.8   Raising the Functional Level

Although the Windows Server 2003 domain functional level provides a number of features and advantages, only enable this functional level when your environment is ready and all of your Windows NT 4.0–based backup domain controllers (BDCs) have been upgraded.

Although it is possible for a domain to include both Windows NT 4.0–based and Windows Server 2003–based domain controllers, the Windows Server 2003 domain functional level provides more features.

When you have determined that your environment is ready, use Active Directory Domains and Trusts to enable the Windows Server 2003 domain functional level.

After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level to Windows Server 2003 to take advantage of all Windows Server 2003 forest-level features.

To determine when to raise the functional level, and for procedures to perform those tasks, see “Enabling Advanced Windows Server 2003 Active Directory Features” in this book. For more information about upgrading Windows NT domains to Windows Server 2003 Active Directory, see “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.

Additional Resources

These resources contain additional information and tools related to this chapter.

Related Information

“Designing the Active Directory Logical Structure” in this book.

“Designing the Site Topology” in this book.

“Enabling Advanced Windows Server 2003 Active Directory Features” in this book.

“Deploying Windows Server 2003 Regional Domains” in this book.

The Active Directory Branch Office Planning Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources for a complete guide to information involving Active Directory branch office implementations.

The Active Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search under “Administration and Configuration Guides” and download the Active Directory Operations Guide.

Related Help Topics

For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set search options. Under Help Topics, select the Search in title only check box.

“Active Directory” in Help and Support Center for Windows Server 2003.

“Windows Support Tools” under “Tools” in Help and Support Center for Windows Server 2003.

“Configure site settings” in Help and Support Center for Windows Server 2003 for more information about creating site objects, subnet objects, and associating subnets with sites.

“Transfer operations master roles” in Help and Support Center for Windows Server 2003 for a procedure to help you transfer operations master roles.

“Understanding aging and scavenging” in Help and Support Center for Windows Server 2003 for more information about how to configure aging and scavenging of stale resource records.

Related Job Aids

“Domain Controller Configuration” (DSSDFR_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see “Domain Controller Configuration” on the Web at http://www.microsoft.com/reskit).

“Sites and Associated Site Links” (DSSTOPO_5.doc) on the Windows Server 2003 Deployment Kit companion CD (or see “Sites and Associated Site Links” on the Web at http://www.microsoft.com/reskit).

“Associating Subnets with Sites” (DSSTOPO_6.doc) on the Windows Server 2003 Deployment Kit companion CD (or see “Associating Subnets with Sites” on the Web at http://www.microsoft.com/reskit).
