Operating System

Chapter 2

Building the Forest Root Domain and Central Hub Site

Deployment and Operations Guide

Abstract

This chapter outlines the steps required to create and monitor the forest root domain for the branch office scenario. The central hub site will also be created for these services. After completing these steps, the forest root required to support the Microsoft® Active Directory™ directory service for this scenario will be in place. Additionally, procedures for monitoring will have been established.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.

1200

Contents

Introduction
  Resource Requirements
  What You Will Need
  What You Should Know
Process Flowchart
Deployment Considerations
  DNS Guidelines
Topology Overview
Install Windows 2000 Operating System and Service Packs
  Operating System Setup
  Install DNS and Terminal Services on All Hub Servers
  Install Service Pack 2
Install Branch Office Share and Scripts
  Creating the Branch Office Scripts Source Share
  Install Quality Assurance Scripts on Hub Site Servers
  Install Other Monitoring Tools
  Install AppManager Agent
  Install Operations Manager Agent
Configure TCP/IP Settings
Create DNS Zones
  Creating the Forest Root Zone on ROOT1
  Allowing Dynamic Updates to the Forest Root Zone
  Adding a Reverse Lookup Zone on ROOT1
Create the Forest Root Domain Controllers
  Running DCPROMO on ROOT1
  Enabling Active Directory Integration of the Forest Root Zone and the Reverse Lookup Zone
  Configuring the _msdcs Zone
  Verify ROOT1 Name Registration
  Verify DNS Name Resolution on ROOT2
  Running DCPROMO on ROOT2
  Verify the ROOT2 Name Registrations
  Verify DNS Name Resolution on ROOT3
  Running DCPROMO on ROOT3
  Verify the ROOT3 Name Registrations
  Update the Preferred DNS on ROOT1
  Move Domain Operations Master Roles to ROOT2
Configure DNS Forwarders
  Configure Forwarders on ROOT1, ROOT2, and ROOT3
  Verify DNS Forwarding
Prepare the Active Directory Forest for Exchange 2000
  Prepare Active Directory Forest for Directory-Enabled Applications
Creating the Hub Site
  Rename the Default-First-Site
  Add HUB Subnets to HUB Site
Verify the Root Domain Configuration
  Final Quality Assurance Check
  Schedule the Quality Assurance Check to Run Every Day
  Automating Daily QA with NetIQ AppManager
Summary
More Information
  Resource Centers on the Web
  White Papers

Active Directory Branch Office Deployment and Operations Guide 2.1

Introduction

This chapter outlines the steps required to create and monitor the forest root domain for the Microsoft® Windows® 2000 Active Directory™ branch office scenario. The steps in this chapter will guide you through the processes necessary to build the forest root domain and Domain Name System (DNS) for corp.hay-buv.com. After completing these steps, the infrastructure required to support and monitor the root domain and DNS will be in place.

The planning of your Active Directory branch office architecture must be completed prior to beginning the procedures in this chapter.

Resource Requirements

Individuals from the following teams will be required to participate during this phase of the installation:

  • Windows 2000 Active Directory Services Design Team
  • Operations Team
  • A representative from the network team who can provide DNS and other network information.

What You Will Need

  • Branch Office Download Zip file.
  • Active Directory Architecture.
  • Minimum of seven servers.
  • Windows 2000 Server CD and Product Key.
  • Windows 2000 Service Pack 2.
  • Seven static TCP/IP Addresses.
  • Administrator account and password.
  • Enterprise administrator account and password.

What You Should Know

This walk-through assumes that you have a basic knowledge of Windows 2000, Active Directory, and DNS. For a list of additional resources, see the "More Information" section at the end of this document.

Process Flowchart

Deployment Considerations

The availability of DNS directly affects the availability of Active Directory. Clients rely on DNS to find a domain controller, and domain controllers rely on DNS to find other domain controllers. Even if you already have DNS servers deployed on your network today, you might need to adjust the number and placement of servers to meet the needs of your Active Directory branch office deployment.

For more information on best practices for planning the DNS and domain namespace, see Chapter 2, "Structure Planning for Branch Office Environments" in the Active Directory Branch Office Planning Guide.

The following sections provide guidelines for your DNS server configuration, operations masters, and global catalog servers.

DNS Guidelines

The following are high-level design guidelines for designing DNS for the branch office scenario.

  • As a general rule, place at least one DNS server in every site. The DNS servers in the site should be authoritative for the locator records of the domains in the site, so that clients do not need to query DNS servers offsite to locate domain controllers that are in their own site.
  • Use Active Directory integrated DNS so that all DNS domains are represented in the local site to minimize WAN traffic to central DNS servers.
  • Configure each forest root domain controller to point to other domain controllers as the preferred and alternate DNS servers.
  • Configure domain controllers for domains other than the forest root to use themselves as their preferred DNS server. An alternate DNS server should also be configured.
  • Configure all DNS clients with a preferred DNS and alternate DNS server.
  • The preferred DNS server should be in the same site.
  • The alternate should be located in the central hub site.
  • Some type of regular monitoring should be implemented to check on the health and responsiveness of DNS. For example, NetIQ AppManager provides DNS health checking in the form of monitoring for events, performance data, and regular testing of DNS by doing actual lookups against the DNS servers. DNS problems may take some time to manifest themselves, and any problems that result may accumulate.

Hub Site

The following are design guidelines for designing your hub site for the branch office scenario.

  • Place three root Active Directory servers for the branch domain (one global catalog server and two domain controllers) with Active Directory integrated DNS in the hub site.
  • ROOT1 will be a global catalog server and host the Schema Master and Domain Naming Master operations master roles. ROOT2 will be a domain controller and host the relative identifier (RID) Master, Primary Domain Controller Emulator (PDC Emulator), and Infrastructure Master operations master roles. ROOT3 will be a domain controller and serve as a standby operations master server. All three will have Active Directory integrated DNS, which provides high availability of the forest root domain.
  • Each points to another root server for its preferred and alternate DNS servers to avoid the "island" issue. (See Chapter 2, "Structure Planning for Branch Office Environments," in the Active Directory Branch Office Planning Guide for a discussion of this issue.)
  • Configure these servers with root hints for Internet addresses.
  • Configure forwarders for other enterprise domains where appropriate.

Branch Office Bridgehead Servers

The following are design guidelines for designing your branch office bridgehead servers.

  • Branch office bridgehead domain controllers should also have Active Directory integrated DNS.
  • The number of bridgehead servers depends on the number of branch offices, replication frequency and traffic, and so on. For more information, see the Chapter 3, "Planning Replication for Branch Office Environments" in the Active Directory Branch Office Planning Guide.
  • For bridgehead servers, configure each to point to itself as the preferred DNS server; the alternate should be one of the other bridgehead servers.
  • Configure forwarders to point to root zone DNS servers if there is not an internal root.

Staging Site

The following are design guidelines for designing your staging site for the branch office scenario. Place one domain controller in the staging site that will:

  • Be the primary seed for building new domain controllers for the branches.
  • Be a global catalog server.
  • Be a member of the branch office domain.
  • Point to itself as its primary DNS server, with its secondary DNS server set to one of the servers in the hub site.
  • Have forwarders to point to root zone DNS servers if there is not an internal root.
  • Have its DNS server configured not to use recursion.

Branch Office Domain Controller (Branch Office Site)

The following are design guidelines for your branch office sites for the branch office scenario.

  • Configure each branch domain controller to point to itself as its primary DNS server, with the alternate pointing to one of the bridgehead servers. Configure some branch domain controllers to use the first hub/bridgehead server as their alternate, some the second, and some the third, thus load balancing the distribution.
  • Configure forwarders to point to root zone DNS servers if there is not an internal root.
  • Configure the DNS server to not use recursion.

Branch Office Clients

The following are design guidelines for your branch office clients.

  • Clients point to the branch office Active Directory/DNS server as their primary DNS server.
  • Clients in the branch office have their secondary DNS server set to one of the hub bridgehead servers – again distributing the load among the hub bridgehead servers.
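The preferred/alternate DNS rules in the sections above are easy to get wrong on one server and hard to spot by eye across a hub, a staging site, and many branches. The following Python checker, added here as an example and not part of the guide, applies those rules to a server inventory and also reports how branch fallback load is spread across the bridgeheads. The host names ROOT1-3 and BH1-3 come from the guide; STAGE1, BR1DC, BR2DC, PC1, the role labels and all IP addresses are constructed for the example.

```python
from collections import namedtuple

ROOT_DCS = {"ROOT1", "ROOT2", "ROOT3"}   # forest root DCs in the hub site
BRIDGEHEADS = {"BH1", "BH2", "BH3"}      # hub bridgehead servers
HUB_SITE = "HUB"
# role: root|bridgehead|staging|branch|client; preferred/alternate are DNS server IPs
Host = namedtuple("Host", "name role site ip preferred alternate")

def check_dns_settings(hosts):
    """Return guideline violations as strings; an empty list means compliant."""
    by_ip = {h.ip: h for h in hosts}
    problems = []
    for h in hosts:
        pref, alt = by_ip.get(h.preferred), by_ip.get(h.alternate)
        if alt is None:
            problems.append(f"{h.name}: alternate DNS server missing or unknown")
        if h.role == "root":
            # root DCs point at a *different* root DC to avoid the DNS "island" issue
            if pref is None or pref.name == h.name or pref.name not in ROOT_DCS:
                problems.append(f"{h.name}: preferred DNS must be another root DC")
        elif h.role in ("bridgehead", "staging", "branch") and h.preferred != h.ip:
            problems.append(f"{h.name}: preferred DNS must be itself")
        if h.role == "bridgehead" and alt and (alt.name == h.name or alt.name not in BRIDGEHEADS):
            problems.append(f"{h.name}: alternate DNS must be another bridgehead")
        if h.role == "staging" and alt and alt.site != HUB_SITE:
            problems.append(f"{h.name}: alternate DNS must be in the hub site")
        if h.role in ("branch", "client") and alt and alt.name not in BRIDGEHEADS:
            problems.append(f"{h.name}: alternate DNS must be a hub bridgehead")
        if h.role == "client" and (pref is None or pref.site != h.site):
            problems.append(f"{h.name}: preferred DNS must be in its own site")
    return problems

def alternate_load(hosts):
    """Count branch DCs and clients that fall back to each bridgehead (load spread)."""
    by_ip = {h.ip: h.name for h in hosts}
    counts = dict.fromkeys(sorted(BRIDGEHEADS), 0)
    for h in hosts:
        if h.role in ("branch", "client") and by_ip.get(h.alternate) in counts:
            counts[by_ip[h.alternate]] += 1
    return counts

# Constructed inventory using RFC 5737 test addresses, not the guide's topology.
# ROOT1 is deliberately misconfigured to use itself as preferred DNS.
INVENTORY = [
    Host("ROOT1", "root", HUB_SITE, "192.0.2.1", "192.0.2.1", "192.0.2.3"),
    Host("ROOT2", "root", HUB_SITE, "192.0.2.2", "192.0.2.3", "192.0.2.1"),
    Host("ROOT3", "root", HUB_SITE, "192.0.2.3", "192.0.2.1", "192.0.2.2"),
    Host("BH1", "bridgehead", HUB_SITE, "192.0.2.11", "192.0.2.11", "192.0.2.12"),
    Host("BH2", "bridgehead", HUB_SITE, "192.0.2.12", "192.0.2.12", "192.0.2.13"),
    Host("BH3", "bridgehead", HUB_SITE, "192.0.2.13", "192.0.2.13", "192.0.2.11"),
    Host("STAGE1", "staging", "STAGING", "198.51.100.1", "198.51.100.1", "192.0.2.11"),
    Host("BR1DC", "branch", "BR1", "203.0.113.1", "203.0.113.1", "192.0.2.11"),
    Host("BR2DC", "branch", "BR2", "203.0.113.2", "203.0.113.2", "192.0.2.12"),
    Host("PC1", "client", "BR1", "203.0.113.50", "203.0.113.1", "192.0.2.13"),
]
```

Running `check_dns_settings(INVENTORY)` reports only the ROOT1 self-reference; `alternate_load(INVENTORY)` shows one fallback per bridgehead.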

Placement of the Root Domain

The following are design guidelines for the placement of your root domain for the branch office scenario.

  • Domain controllers use the _msdcs.corp.hay-buv.com zone during replication. It is recommended to have this zone on a local DNS server in the branch. Having the _msdcs.corp.hay-buv.com zone on a local DNS server will allow user queries for a global catalog server at logon to be local as well.
  • If the branch office sites each have a single domain controller, the _msdcs.corp.hay-buv.com domain should be a subdomain (it is set up this way by default) that is part of the Active Directory integrated zone for the corp.hay-buv.com domain.
  • If there is a global catalog server or multiple domain controllers in the branch office environment, the _msdcs.corp.hay-buv.com subdomain should be its own Active Directory integrated zone in the root hub site. There should also be a secondary zone on the branch office DNS servers in this situation. This configuration will improve replication performance and reduce queries to the central hub site over the WAN.

Reverse Lookup Zones

The following are design guidelines for your reverse lookup zones.

  • Reverse lookup zones are required for DNS monitoring and troubleshooting. In addition, some prior applications may require reverse lookup zones.
  • Create a standard primary reverse lookup zone that accepts dynamic updates (DNS dynamic update protocol) for each branch office site. Create a standard secondary zone, for each branch office reverse lookup zone, on each of the root DNS servers in the hub site.

Secure Updates - Dynamic DNS

Each Active Directory integrated DNS zone should have Secure Dynamic Updates enabled. Without secure updates enabled, anyone who can reach the DNS server can delete, modify, or create DNS records using the standard, unauthenticated dynamic update protocol.

Topology Overview

The procedures in this guide will walk you through setting up the six networks depicted in the above topology.

The TCP/IP addresses above represent the final configuration. The DNS settings configured during server installation are different from those shown in the above diagram, in particular the preferred DNS server and alternate DNS server. After installation, the DNS settings are configured to use the IP addresses shown in the above diagram. Therefore, the procedures should be followed carefully.

Note: This walk-through assumes that a unique dedicated subnet will be assigned to each site. If this scenario will be set up in a lab environment, when creating the sites and subnets for the branch offices either through the Active Directory Sites and Services Microsoft Management Console (MMC) or the script included with this guide, use a subnet mask of 255.255.255.255. Doing so will cause each IP address to be a subnet for each site in Active Directory. This will allow you to emulate a routed network without having to use hardware routers.

Install Windows 2000 Operating System and Service Packs

Use the following steps to install Windows 2000 and recent service packs on the seven or more servers that will be in your hub site. Follow these steps to configure the base operating system components in advance on all seven hub site servers for this scenario.

Follow the instructions carefully to ensure proper setup of each server in the scenario.

Note: As you perform the procedures in this chapter, you should document the configuration of the servers in the Hub Site Checklist.xls job aid included with this guide.

Operating System Setup

To install Windows 2000:

1. Install Microsoft Windows 2000 Server on all servers.

2. Install the Windows 2000 Support Tools from the Windows 2000 Server CD by using either 2000RKST.MSI or Setup.exe in the SUPPORT\TOOLS directory on the Windows 2000 CD.

3. Install the Windows 2000 Server Resource Kit utilities from the CD included with the resource kit.

4. Install Active Perl from the Microsoft Windows 2000 Resource Kit.

Note: The installation of the Support Tools and the Microsoft Windows 2000 Resource Kit can be automated by directly launching the .msi file for each with the /qb switch.

Install DNS and Terminal Services on All Hub Servers

To install DNS and Terminal Services:

1. Click Start, Settings, Control Panel, Add/Remove Programs.

2. Click Add/Remove Windows Components.

3. Scroll down to Networking Services. Don't select the checkbox; instead, highlight the words. (This simplifies the next steps where you select only a few of the Networking Services. Selecting the checkbox results in selecting all Networking Services, and means you will have to deselect a large number of checkboxes under Details.)

4. Click Details.

5. Click on the checkbox by Domain Name System (DNS).

6. Click OK.

7. Scroll down to Terminal Services and select the checkbox to install Terminal Services.

8. Click Next.

9. Select Remote administration mode when the Terminal Services Setup window appears and then click Next.

10. If prompted, insert the Windows 2000 Server CD, or use a network share to access the Windows 2000 Server files.

11. Click Finish.

12. Close the Add/Remove Programs window.

13. Close the Control Panel window.

14. Reboot as prompted.

Install Service Pack 2

1. Install Service Pack 2.

2. When the service pack is installed, click Start, Shut Down, select Restart, and click OK.

Very Important: Repeat the above procedures for each of the seven servers in the hub site. If, during the planning process, you determined that your hub site requires more than three bridgehead servers, repeat the above procedures the appropriate number of times to install all of your bridgehead servers.

After completing the above procedures you should have the following servers installed:

  • ROOT1
  • ROOT2
  • ROOT3
  • HUBDC1
  • BH1
  • BH2
  • BH3

Install Branch Office Share and Scripts

A share needs to be established on HUBDC1 that will be used for configuring all of your domain controllers in the hub site. In addition, these files will be copied to the staging site branch domain controller to be used for staging branch office domain controllers.

Creating the Branch Office Scripts Source Share

This procedure only needs to be completed on the HUBDC1 server. To create the branch office scripts source share:

1. Log on to HUBDC1 as Administrator.

2. Create a directory named C:\ADBRANCH on HUBDC1 and share the directory as ADBranch.

3. Create a directory named C:\QASHARE on HUBDC1 and share the directory as QAShare.

4. Unzip the contents of the Branch Office Zip file included with this guide into the ADBRANCH directory.

5. You will have the following subdirectory structure on the HUBDC1 C:\ drive when these steps are completed: