
8/8/2019 Best Practice Active Directory Deployment for Managing Windows Networks

Best Practice Active Directory Deployment for Managing Windows Networks

This guide assists architects, project managers, and consultants in deploying an Active Directory service in a network operating system (NOS) infrastructure. The best practices deployment methodology encapsulates technical expertise from the Microsoft Windows Product Group with lessons learned from customers who have implemented Active Directory in their organizations.

On This Page

- Overview of Active Directory Deployment
- Testing and Verifying the Deployment Process
- Configuring DNS for the Forest Root
- Creating the Forest Root
- Deploying Regional Domains
- Creating a New Regional Domain
- In-Place Upgrading of Account Domain
- Restructuring Account Domains
- Restructuring Resource Domains
- Decommissioning the Windows NT 4.0 Domains
- Importing Accounts and Data From Other Sources

Overview of Active Directory Deployment

Many organizations are migrating from Microsoft Windows NT version 4.0 to Microsoft Windows 2000 and the Active Directory. The Windows 2000 and Active Directory deployment process must:

- Allow the organization to continue normal business operations while migrating the network.
- Minimize any modifications to the existing network infrastructure.
- Allow existing user accounts and resource permissions to be migrated.
- Include the migration of services and applications running on existing servers.

This document describes the deployment of Windows 2000 and Active Directory. Specifically, you will learn the best practices for deploying your Active Directory design by:

- Testing your design assumptions and deployment processes in a lab environment.
- Verifying your deployment process in a pilot deployment.
- Deploying Active Directory to your production environment.

Prior to performing the tasks in this document, create an Active Directory design for your organization. For more information about creating an Active Directory design for your organization, see Best Practice Active Directory Design for Managing Windows Networks at http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.

Note: All references to Windows 2000 include both Microsoft Windows 2000 Server and Microsoft Windows 2000 Advanced Server, unless otherwise specified.

Active Directory Deployment Process

Figure 1 illustrates a flowchart of the Active Directory deployment process presented in this document. You can follow this as a model for your Active Directory deployment.

Figure 1: Flowchart of the Active Directory deployment process

This document presents the deployment process for existing networks based on Windows NT 4.0 and other network operating systems.

Windows NT 4.0

Use this document to guide your migration from Windows NT 4.0 to Windows 2000 and Active Directory by reading the following sections:

- "Testing and Verifying the Deployment Process"
- "Configuring DNS for the Forest Root"
- "Creating the Forest Root"
- "In-Place Upgrading Account Domain" or "Create a New Regional Domain"
- "Restructuring Related Account Domains"
- "Restructuring Related Resource Domains"
- "Decommissioning Windows NT 4.0 Domains"

Other Network Operating Systems

Use this document to guide your migration from other network operating systems to Windows 2000 and Active Directory by reading the following sections:

- "Testing and Verifying the Deployment Process"
- "Configuring DNS for the Forest Root"
- "Creating the Forest Root"
- "Creating a New Regional Domain"
- "Importing Accounts and Data from Other Sources"

Deployment Tools Used in This Document

- Contoso Pharmaceuticals
  Contoso Pharmaceuticals is a bioelectronics design and manufacturing firm headquartered in Seattle, Washington. Contoso provides bioelectronics devices (such as pacemakers, defibrillators, and heart-assist devices). Contoso distributes these devices throughout the world.
- Trey Research
  Trey Research is a research and development firm that specializes in radio frequency (RF) designs. Trey Research provides outsourced engineering consulting for organizations that manufacture RF devices used in the aviation industry (such as radio transceivers, global positioning systems (GPSs), or transponders). Contoso acquired Trey Research to design RF electronic devices (such as in-home critical-care monitoring systems and mobile electrocardiogram (EKG) and vital statistic monitoring systems). Trey Research continues to operate as a separate business unit with customers other than Contoso.
- Fabrikam, Inc.
  Fabrikam, Inc. is an electronics manufacturing firm located in Asia. Fabrikam provides printed circuit board fabrication, sheet metal fabrication, injection molding, and electronics assembly services. Contoso acquired Fabrikam to reduce the manufacturing cost associated with bioelectronics devices designed and marketed through Contoso and Trey Research. Fabrikam's entire manufacturing capacity is totally consumed by Contoso and Trey Research. As a result, Fabrikam, Inc. is integrated with the Contoso business unit.

The characteristics of the business model that exists among the Contoso business units include the following:

- Contoso is the "parent" organization that determines any standards that apply to all business units.
- The research and development teams within Contoso work closely with the manufacturing teams in Fabrikam, Inc.
- The network infrastructure is provided by (or through) Contoso and provides wide area network (WAN) connections between locations in the business units.
- Contoso has standardized on Microsoft Exchange Server version 5.5 for the messaging infrastructure in all business units.
- Trey Research just completed a migration of all clients to Windows 2000 Professional.
- The other business units are comprised of clients running a variety of operating systems, including Microsoft Windows NT Workstation version 4.0, Microsoft Windows 95, and Microsoft Windows 98.

Geographic Locations

Figure 2 presents a map of the world that includes the business locations of Contoso, Fabrikam, Inc., and Trey Research.

Figure 2: Contoso, Fabrikam, and Trey Research locations


Table 3 lists the Contoso, Fabrikam, and Trey Research locations and the business functions performed at each location. Windows NT 4.0 is currently deployed at all geographic locations.

Table 3 Contoso Locations and Business Functions

Location          Business Functions
Contoso
  Seattle         Headquarters for Contoso, where all accounting and administration is performed. A research and development facility is located in the same building.
  Boston          Legal department and specialists who obtain government approvals, such as from the Food and Drug Administration (FDA), for all products. Domestic marketing and sales offices are located in the same building.
  Vancouver       Research and development facility that designs new products. Headquarters for Canadian engineering and product support (responsible for assisting customers in using Contoso products).
  Montreal        Canadian marketing and sales office.
  Milan           European marketing and sales headquarters.
  Seville         Headquarters for European engineering and product support (responsible for assisting customers in using Contoso products).
Trey Research
  Renton          Headquarters for Trey Research, where all accounting and administration is performed. A research and development facility is located in the same building.
  Atlanta         Research and development facility that designs new products. Headquarters for domestic engineering and product support (responsible for assisting customers in using Contoso products).
Fabrikam, Inc.
  Hong Kong SAR   Headquarters for Fabrikam, where all accounting and administration is performed. A manufacturing and testing facility is located in the same building, which is used for small production runs of products or for prototype development.
  Tokyo           Manufacturing and testing facility used for high-volume production runs.

Testing And Verifying the Deployment Process

As you are creating the first draft of your Active Directory design, begin the testing and verification phase. Figure 3 illustrates when testing and verifying occurs in your deployment process. The testing and verification phase begins during the design phase and continues through the deployment phase.

For more information about the design phase, see Best Practice Active Directory Design for Managing Windows Networks at http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.


Figure 3: Testing and verifying in the deployment process

In any Active Directory deployment, you can minimize the impact on normal business operations by including:

- Preliminary testing of the deployment process in a lab environment. Preliminary testing includes:
  - Design assumption tests.
  - Deployment process tests.
- Verification of the deployment process in a pilot program.

Figure 4 illustrates the life cycle of the design, lab testing, pilot deployment, and production deployment phases of your deployment project. Lab testing overlaps the design and pilot deployment phase. The pilot deployment begins as the design process nears completion and continues on indefinitely.

Figure 4: Lifecycle of design, lab testing, pilot deployment, and production deployment.

Note: The deployment process that you are testing and verifying is the same deployment process discussed in the remainder of this document.

Testing in a Lab Environment


Lab testing is the first evaluation of the Active Directory design. During lab testing, you are confirming the assumptions made by the design architects. When any of the assumptions that you test prove to be incorrect, the design architects must modify their design to reflect the outcome of the lab tests.

As the first draft of the Active Directory design approaches completion, begin testing specific design assumptions in the deployment process in a lab environment. Your primary objectives for testing the deployment process in your lab are to:

- Discover any potential design problems that affect the deployment process.
- Provide feedback to the design team, prior to the deployment, to correct any problems discovered during testing.

Ensure that the test lab environment:

- Is isolated from the rest of your organization's production network.
- Includes user and group accounts and resources that are exclusively designated for testing (no production accounts or resources).
- Represents, on a small scale, the hardware and operating system configuration of the computers in your organization.
- Is retained permanently as a training tool and to test new procedures. The deployment team can use the lab environment to learn the specifics of your deployment process and to gain familiarity with the deployment and migration tools used during Active Directory deployment.

As previously mentioned, lab testing provides validation for the design assumptions and for the deployment process. Typically, the design assumption tests and deployment process tests are performed by different teams. Table 4 lists the lab tests and the team members that perform the tests in the lab.

Table 4 Lab Tests and Corresponding Team Members

Lab Tests                                                  Team Members
Testing Design Assumptions
  Analyze Active Directory replication and site topology   Design team; Site topology owner; Deployment team
  Test application and desktop compatibility               Design team
Testing Deployment Process
  Test disaster recovery                                   Domain owner; Deployment team
  Test account and resource migration                      Domain owner; Deployment team
  Evaluate delegation, administration, and management      Domain owner

Testing Design Assumptions

During the design process, the design team makes assumptions that are incorporated into the Active Directory design (such as Active Directory replication and application compatibility). After a preliminary draft of the design is complete, the design team must prove these assumptions in the lab environment.

To test the design assumptions in the lab environment:

- Analyze Active Directory replication and site topology.
- Verify application and desktop compatibility.

Analyze Active Directory Replication Site Topology


As part of the Active Directory design, the design team specifies the maximum replication latency between hubs in the replication site topology. Replication latency is the length of time required to replicate changes within the forest.

To analyze Active Directory replication site topology:

1. Ensure that forest-wide replication latency is less than or equal to the maximum replication latency specified in the design.
2. Ensure you test from furthest point to furthest point, or a worst-case test, based on the maximum number of hops assumed in the design.

   Observe the time required for replication convergence when a domain controller or communications link fails by completing the following steps:

   a. Identify the domain controllers that are responsible for intersite replication by using the Active Directory Sites and Services snap-in of Microsoft Management Console (MMC).
   b. Disconnect domain controllers or disable communications links that are used in intersite replication.
   c. Allow the Knowledge Consistency Checker (KCC) to automatically configure a new replication topology.
   d. Identify the domain controllers that are now responsible for intersite replication.
   e. Reconnect the domain controllers or enable communications links.
   f. Verify that the intersite replication topology returns to the original state, as identified in the first step.

   Note: Replication convergence can take hours to complete, based on the number of replication changes and the intersite communications links.

For more information about replication convergence and latency design considerations, see Best Practice Active Directory Design for Managing Windows Networks at http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.
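The latency measurement in step 1 can be automated so that the lab result is a number rather than an impression. The following PowerShell function is an added example and is not part of the Microsoft guide: it writes a marker value on one domain controller and polls every other domain controller in the domain directly until the marker arrives, then reports the per-controller latency against the design maximum. It assumes a current Windows domain with the ActiveDirectory module installed (these cmdlets post-date Windows 2000, so this is a rehearsal of the same test on current tooling), a dedicated lab-only test account (the name repl-canary is a placeholder), and a 15-minute design maximum, which is an assumed value to replace with the figure from your design.

```powershell
# Added example; not from the Microsoft guide. Assumes the ActiveDirectory module
# (RSAT) and a dedicated lab test account; 'repl-canary' and the 900-second design
# maximum are placeholders to adjust to your design worksheet.
#Requires -Modules ActiveDirectory

function Test-ReplicationLatency {
    param(
        [Parameter(Mandatory)] [string] $CanaryUser,   # sAMAccountName of a lab-only test account
        [int] $MaxLatencySeconds = 900,                # maximum latency from the design (assumed value)
        [int] $PollIntervalSeconds = 15
    )

    # Every domain controller in the current domain; the first one is the write source.
    $dcs    = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    $source = $dcs[0]
    $marker = [guid]::NewGuid().ToString()

    # Write the marker on the source DC only; replication must carry it to the others.
    Set-ADUser -Identity $CanaryUser -Server $source -Replace @{ info = $marker }
    $start   = Get-Date
    $pending = @($dcs | Where-Object { $_ -ne $source })
    $seenAt  = @{}

    # Poll each remaining DC directly (-Server) so the read is not redirected to a nearer DC.
    while ($pending.Count -gt 0) {
        foreach ($dc in @($pending)) {
            $value = (Get-ADUser -Identity $CanaryUser -Server $dc -Properties info).info
            if ($value -eq $marker) {
                $seenAt[$dc] = [math]::Round(((Get-Date) - $start).TotalSeconds)
                $pending = @($pending | Where-Object { $_ -ne $dc })
            }
        }
        # Stop polling once the design maximum is exceeded; unreached DCs are reported as failures.
        if (((Get-Date) - $start).TotalSeconds -gt $MaxLatencySeconds) { break }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollIntervalSeconds }
    }

    foreach ($dc in ($dcs | Where-Object { $_ -ne $source })) {
        $latency = if ($seenAt.ContainsKey($dc)) { $seenAt[$dc] } else { $null }
        [pscustomobject]@{
            Source           = $source
            DomainController = $dc
            LatencySeconds   = $latency
            WithinDesign     = $seenAt.ContainsKey($dc)
        }
    }
}

# Usage (lab only): Test-ReplicationLatency -CanaryUser 'repl-canary' | Format-Table
```

The function measures latency within one domain; repeat it in each domain of the lab forest, and run it from the domain controller furthest from the hub to get the worst-case figure that step 2 asks for. During the failed-link test in steps a through f, `repadmin /showrepl` on the remaining bridgehead shows which partners the KCC has chosen and whether the last replication attempt succeeded.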

Verify Application and Desktop Compatibility

As part of the Active Directory design, the design team must determine the compatibility between applications, desktop operating systems, and Active Directory. Typically, the aspects of application testing that are affected by an Active Directory migration include applications that run on:

- Servers
- Desktop computers
- Laptop computers
- Remote access users

Verify the application and desktop compatibility design assumptions by:

1. Creating a list of all critical applications.
2. Ensuring that each application is assigned an individual responsible for testing the application.
3. Testing that each application operates properly in a migrated environment.

When verifying application and desktop compatibility, ensure that:

- Existing server applications, currently running on a Windows NT 4.0 backup domain controller (BDC), can run on Windows 2000 domain controllers.


  For example, some server applications running on BDCs take advantage of Shared Local Groups. To run these server applications on Windows 2000, verify that the applications run properly by using Active Directory domain local groups.
- Existing server applications can run on Windows 2000 member servers.
- Server applications running on a mixture of Windows 2000 and Windows NT 4.0 servers can interoperate with one another.
  For example, make sure a Microsoft SQL Server running on Windows 2000 can interact with a SQL Server running on Windows NT 4.0.
- Existing desktop applications run correctly when the domain infrastructure is migrated to Windows 2000 and Active Directory.
- Existing applications that use integrated Windows security run correctly when the domain infrastructure is migrated to Windows 2000 and Active Directory.

If you find that a server application cannot be migrated to a Windows 2000 domain controller, do one of the following:

- Leave the application running on the Windows NT 4.0 domain controller.
- Run the application on a Windows 2000 member server.
- Run the application on a Windows NT 4.0 member server.
- Provide feedback to the design team that the server application's domain cannot be in-place upgraded or consolidated. The Windows NT 4.0 domain must remain until a version of the application that can run on a Windows 2000 domain controller is available.

As a long-term deployment goal, transition any applications currently running on domain controllers to member servers.

Testing Deployment Processes

During the deployment process, the deployment team must perform specific tasks that are essential to ensure success (such as testing account and resource migration from Windows NT 4.0 to Windows 2000 and Active Directory). Before starting the production deployment, the deployment team must verify these tasks in the lab environment.

To verify the deployment process in the lab environment:

- Test disaster recovery.
- Test account and resource migration.
- Evaluate delegation, administration, and management.

Test Disaster Recovery

Test disaster recovery in your lab environment to validate:

- The time required to restore a domain controller in the event of a failure.
- Users can log on within an acceptable response time until a failed domain controller is restored.

To implement a disaster recovery process in your Active Directory deployment:

- Back up the Active Directory database of at least two domain controllers.
- Restore the Active Directory database from backup when:
  - A domain controller is the only domain controller in a site connected with a data rate of 128 kilobits per second (Kbps) or less.
  - A domain contains more than 20,000 user accounts.
- Restore the Active Directory database on a failed domain controller by installing a new domain controller and letting Active Directory replication repopulate the Active Directory database when the domain controller is connected to other domain controllers with a data rate equal to or greater than 128 kilobits per second (Kbps).

Test the following disaster recovery scenarios in the lab environment:

- Restoring a domain controller after any hardware failure.
- Restoring a domain controller after any operating system failure.
- Recovering a domain controller when the directory services database contains corrupted data.
- Recovering data inadvertently deleted from the directory service by performing an authoritative restore.

Test Account and Resource Migration

Prior to starting the pilot deployment program, test the deployment process for account and resource migration by using the complete set of procedures outlined in this document.

To test migration of Windows NT 4.0 account and resource domains:

1. In two or more production Windows NT 4.0 account domains, create new backup domain controllers (BDCs).
2. Remove the new BDCs from the production network.
3. Install the new BDCs in the lab environment.
4. Promote the new BDCs to primary domain controllers (PDCs).
5. Perform in-place upgrades and restructuring of the account domains in your lab.
6. Verify that migrated accounts have access to resources and retain user profiles.

For more information about the migration of Windows NT 4.0 account and resource domains, see the following sections in this document:

- Creating a New Regional Domain
- In-place Upgrading of Account Domains
- Restructuring Account Domains
- Restructuring Resource Domains

Evaluate Delegation, Administration, and Management

After you have successfully tested the migration of users and resources in your lab environment, but prior to starting the pilot deployment program, evaluate the delegation, administration, and management processes by:

1. Creating an organizational unit (OU) structure that reflects the Active Directory design best practices. For more information about creating an OU structure, see Best Practice Active Directory Design for Managing Windows Networks at http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.
2. Delegating permissions on OUs to specific group accounts used for administration.
3. Verifying the success of the delegation by:
   a. Logging on as a user that belongs to the group account to which you delegated permissions.
   b. Performing administration tasks on objects within the OU (such as modifying the properties of a user in an account OU).
   c. Attempting, and subsequently failing, to perform administrative tasks on OUs to which the administration group does not have delegated permissions.
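Steps a through c of the delegation check are a positive and a negative test run under the delegated identity, which makes them easy to repeat every time the OU structure or its permissions change. The following PowerShell function is an added example, not code from the Microsoft guide: it performs one allowed change inside the delegated OU and one change outside it, both as the delegated account, and reports whether each outcome matched expectation. It assumes the ActiveDirectory module and two lab test accounts, one in the delegated OU and one in a non-delegated OU; the account and group names in the usage line are placeholders.

```powershell
# Added example; not from the Microsoft guide. Assumes the ActiveDirectory module and
# two lab test accounts: one inside the delegated OU and one outside it. Account and
# group names are placeholders.
#Requires -Modules ActiveDirectory

function Test-OuDelegation {
    param(
        [Parameter(Mandatory)] [pscredential] $DelegatedCredential, # member of the delegated admin group
        [Parameter(Mandatory)] [string] $UserInsideOu,              # sAMAccountName of a test user in the delegated OU
        [Parameter(Mandatory)] [string] $UserOutsideOu              # sAMAccountName of a test user in a non-delegated OU
    )

    $stamp = 'delegation test ' + (Get-Date -Format 's')
    $cases = @(
        @{ Case = 'inside delegated OU';  User = $UserInsideOu;  ExpectSuccess = $true  },
        @{ Case = 'outside delegated OU'; User = $UserOutsideOu; ExpectSuccess = $false }
    )

    foreach ($c in $cases) {
        $succeeded = $true
        $detail    = ''
        try {
            # Run the change as the delegated account, not as the current (probably privileged) user.
            Set-ADUser -Identity $c.User -Description $stamp -Credential $DelegatedCredential -ErrorAction Stop
        } catch {
            $succeeded = $false
            $detail    = $_.Exception.Message   # expected to be an insufficient-access error for the 'outside' case
        }
        $expected = if ($c.ExpectSuccess) { 'success' } else { 'access denied' }
        $observed = if ($succeeded)       { 'success' } else { 'denied: ' + $detail }
        [pscustomobject]@{
            Case     = $c.Case
            User     = $c.User
            Expected = $expected
            Observed = $observed
            Pass     = ($succeeded -eq $c.ExpectSuccess)
        }
    }
}

# Usage (lab only; names are placeholders):
# $cred = Get-Credential 'CONTOSO-LAB\ou-admin-user'
# Test-OuDelegation -DelegatedCredential $cred -UserInsideOu 'test.inside' -UserOutsideOu 'test.outside' | Format-Table
```

Read the Observed column for the negative case: only an insufficient-access error counts as a pass for step c, because a misspelled account name also throws and would otherwise look like a correctly denied change.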

Verifying in a Pilot Deployment Program

After you complete the testing in the lab environment phase of your deployment process, you can start the pilot deployment program. In the lab environment, you ensured that the deployment process worked outside your production environment on accounts and resources that approximated your production environment. In the pilot deployment program, you:

- Identify a controlled subset of the accounts (users, groups, and services) and resources that exist in the production environment.
- Perform the deployment process on the identified accounts and resources.

Deployment Best Practice
In your pilot deployment, begin with users who are involved in the deployment project and then include users who are representative of your user population.

Use the pilot deployment environment to:

- Extend testing into a subset of the production environment.
- Provide a test environment for other design and deployment groups.
- Verify process and procedures for network and operating system infrastructure updates.
- Verify proper operation of application updates.
- Evaluate the impact of monitoring solutions on the network infrastructure and the servers being monitored.
- Discover any potential problems in the deployment process that are caused by complexities that could not be modeled in the lab environment.
- Revise the deployment process to correct any problems you discovered prior to the production deployment.

To create a pilot deployment program in your environment

1. Create forest_root_domain (where forest_root_domain is the name of an empty Active Directory forest root domain created by appending "-test" to the same name of the production forest root domain).
2. Create regional_domain (where regional_domain is the name of an Active Directory regional domain created by appending "-test" to the same name of a production regional domain).
3. Establish the appropriate trust relationships between regional_domain (where regional_domain is the name of a regional domain in the pilot program) and winnt_domain (where winnt_domain is an account or resource domain for migration from Windows NT 4.0-based networks).
4. Migrate selected accounts and resources from winnt_domain (where winnt_domain is an account or resource domain for migration from Windows NT 4.0-based networks), or other data sources, to regional_domain (where regional_domain is the name of a regional domain in the pilot program) by using the procedures in this document.
5. Verify that users and administrators can minimally perform the same tasks as they did prior to migration (resource access, account administration, resource administration, etc.).

Note: When you migrate production users to the pilot, leave the user accounts enabled in the production and the pilot environments. By leaving the user accounts enabled in the production environment you provide a fallback plan in the event of any issues in the pilot environment.

Contoso example: Creating a pilot deployment program

Create the Contoso pilot deployment program by using the process described in the previous section and the information in Table 5.

Table 5 Information For Creating a Pilot Deployment Program

When Prompted For     Use
forest_root_domain    concorp-test.contoso.com
regional_domain       noam-test.concorp-test.contoso.com
winnt_domain          USA for account domains; SEATTLE for resource domains

Figure 5 illustrates the pilot deployment configuration.

Figure 5: Pilot deployment configuration.

Completing the Pilot Deployment Program

After you complete the pilot deployment program, retain the pilot deployment environment. Continue to use the pilot forest to verify new deployment processes, such as adding new applications or schema extensions, installing operating systems, creating Group Policy settings, or OU restructuring.

Deployment Best Practice
During the production deployment process, always migrate accounts from the production environment. Never migrate accounts from the pilot environment.

To complete the pilot deployment program in your environment

After you complete the pilot deployment process, users can do one of the following:

- Continue to log on to the pilot domain until their account is migrated during the production deployment process.
- Return to the production environment immediately by logging on to their Windows NT 4.0 domain.

Contoso example: Completing the pilot deployment program

Figure 6 illustrates the Active Directory pilot program forest after production deployment.


Figure 6: Comparison of the pilot forest and the production forest

After the completion of the pilot deployment program, you can start the deployment of Windows 2000 and Active Directory into your production environment.

Configuring DNS for the Forest Root

The first step in the production deployment process is to configure the DNS domain for the forest root, as shown in Figure 7.

Figure 7: Configuring DNS for the forest root in the deployment process

The DNS administrator of your organization is responsible for delegating the DNS domain used by the forest root domain.

Important: When no DNS infrastructure exists, skip this step in the deployment process and proceed to the next step, "Creating the Forest Root." The remainder of this step describes the process of configuring and delegating a domain in the existing DNS internal namespace.

To configure DNS for the forest root:

1. Review the DNS design worksheet created by the forest root owner and directory architect.
2. Review the existing internal DNS namespace.
3. Delegate the DNS domain name from the existing DNS internal namespace.

Review the DNS Design Worksheet


Before you review the existing DNS infrastructure in your design, review the DNS design worksheet prepared by the forest root owner and the directory architect.

The DNS design worksheet describes:

- DNS domains that must be delegated.
- DNS servers that must be modified for the delegation.

Review the Existing DNS Infrastructure

After you review the DNS design worksheet prepared by the forest root owner and the directory architect, review the existing DNS infrastructure.

To review the existing DNS infrastructure in your environment

Review the existing DNS infrastructure by examining current:

- Network diagrams.
- DNS domain hierarchy diagrams.
- DNS zone configuration.
- DNS resource records for delegation and forwarding.
- DNS replication.

Contoso example: Reviewing the existing DNS infrastructure

Review the existing DNS infrastructure for the Contoso and Trey Research business units. The existing DNS infrastructure for Contoso provides name resolution for:

- Any servers (such as Web or mail servers) that reside in the perimeter network and are accessed by Internet users.
- Any computers (or other network devices) that reside in the private network and run an operating system other than Windows NT 4.0 (such as UNIX or Macintosh operating systems).

Note: Windows NT 4.0-based computers in the private network use Windows Internet Name Service (WINS) to provide name resolution.

After Fabrikam, Inc. and Trey Research were acquired by Contoso, their existing DNS infrastructure was integrated into the DNS infrastructure for Contoso. Each business unit in Contoso continues to use its respective registered DNS domain name. These DNS domain names are:

- Used by each business unit to provide DNS naming for computers that are accessed by Internet users.
- The external DNS namespace for each business unit.
- Hosted by the Berkeley Internet Name Domain (BIND) DNS servers (SEA-CON-DNS-01 and SEA-CON-DNS-02) that are placed in the perimeter network.

Table 6 lists each business unit and the corresponding registered DNS domain name.

Table 6 Registered DNS Domain Names of Contoso Business Units

Business Unit     Registered DNS Domain Name
Contoso           contoso.com
Trey Research     treyresearch.net
Fabrikam, Inc.    fabrikam.com

Contoso, Trey Research, and Fabrikam, Inc. also maintain a separate DNS namespace (with the same name as the external namespace) to resolve internal names. Each geographic location maintains a delegated domain beneath the corresponding business unit.


These DNS domain names are:

- Used by each business unit to provide DNS naming for computers within the private network.
- The internal DNS namespace for each business unit (and subsequently each geographic location).
- Hosted by a combination of DNS servers running BIND and Windows NT 4.0 DNS.
- Placed within the private network at each geographic location.

Table 7 lists each geographic location and the corresponding internal DNS domain name for each location.

Table 7 Internal DNS Domain Names of Contoso Locations

Location          Internal DNS Domain Name
Contoso           contoso.com
  Seattle         seattle.contoso.com
  Boston          boston.contoso.com
  Vancouver       vancouver.contoso.com
  Montreal        montreal.contoso.com
  Milan           milan.contoso.com
  Seville         seville.contoso.com
Trey Research     treyresearch.net
  Renton          renton.treyresearch.net
  Atlanta         atlanta.treyresearch.net
Fabrikam, Inc.    fabrikam.com
  Hong Kong SAR   hongkong.fabrikam.com
  Tokyo           tokyo.fabrikam.com

    Each of the location-specific subdomains contains only the resource records for its location. The DNS servers within each respective location:

    • Are delegated authority for their domains from the top-level internal DNS servers (SEA-CON-DNS-01 and SEA-CON-DNS-02).
    • Forward unresolved queries to the top-level internal DNS servers (SEA-CON-DNS-01 and SEA-CON-DNS-02).

    Note: The DNS servers (SEA-CON-DNS-01 and SEA-CON-DNS-02) in Seattle host the top-level internal domain names and secondary copies of the domain names from all locations.

    Delegate the DNS Domain for the Forest Root

    After you identify the DNS domain names that must be delegated in the existing DNS namespace, you are ready to delegate the DNS domain for the forest root.

    Note: The delegation that occurs in this step references the first forest root domain controller, which does not currently exist. The DNS service is installed and configured on the first forest root domain controller in a subsequent step.

    To update the DNS delegation records for the additional domain controller in your environment

    1. Create a name server (NS) resource record in the parent_domain zone file (where parent_domain is the fully qualified domain name of the forest root domain's parent domain):

       forest_root_domain IN NS computer_name.forest_root_domain.parent_domain

       (where forest_root_domain is the name of the forest root domain, computer_name is the computer name of the additional domain controller, and parent_domain is the fully qualified domain name of the forest root domain's parent domain).

    2. Create a host address (A) resource record in the parent_domain zone file (where parent_domain is the fully qualified domain name of the forest root domain's parent domain):

       computer_name.forest_root_domain.parent_domain IN A ip_address

       (where computer_name is the computer name of the additional domain controller, forest_root_domain is the name of the forest root domain, parent_domain is the fully qualified domain name of the forest root domain's parent domain, and ip_address is the IP address of the additional domain controller).

    Contoso example: Updating the DNS delegation records for the additional domain controller

    Update the DNS delegation records for the additional forest root domain controller in the Contoso example by using the process described above and the information provided in Table 8.

    Table 8 Information for Updating DNS Delegation in the Contoso Example

    When Prompted For In Contoso use In Trey Research use

    parent_domain contoso.com treyresearch.net

    forest_root_domain concorp.contoso.com trccorp.treyresearch.net

    computer_name SEA-CON-DC-01 REN-TRC-DC-01

    ip_address 172.16.16.21 172.16.20.13


    Creating the Forest Root

    After you delegate the DNS domain for the forest root on the existing DNS servers, you are ready to start the production deployment of Active Directory. The first step in the production deployment of Active Directory is the creation of each forest root. Figure 8 illustrates when creating the forest root occurs in your deployment process.


    Figure 8: Creating the forest root in the deployment process

    The forest owner is responsible for deploying the forest root domain. The forest owner notifies the domain owners of the regional domains when the deployment of the forest root domain is complete.

    To create the forest root:

    1. Deploy the first domain controller.
    2. Deploy an additional domain controller in the same site.
    3. Configure site topology.
    4. Configure operations master roles.
    5. Deploy additional domain controllers in other sites.

    Deploying the First Forest Root Domain Controller

    After you delegate the DNS zone for the forest root on the existing DNS servers, you are ready to deploy the first forest root domain controller.

    To deploy the first forest root domain controller:

    1. Install Windows 2000.
    2. Install Active Directory.
    3. Verify the Active Directory installation.
    4. Configure DNS server recursive name resolution.
    5. Delegate the _msdcs zone.

    After completing the deployment of the first forest root domain controller, you are ready to deploy additional forest root domain controllers.

    Install Windows 2000

    The first step in deploying the first forest root domain controller is to install Windows 2000 on the computer that you want to make the domain controller.


    Note: You can automate the installation of Windows 2000 by using Sysprep.exe, unattended installation, or any disk imaging method.

    To install Windows 2000 on the first forest root domain controller in your environment

    Install Windows 2000 on the first domain controller in the primary site of your forest root domain by using the information listed in Table 9.

    Table 9 Information for Installing Windows 2000 on the First Domain Controller in the Forest Root

    When Prompted For         Use

    Format partitions         NTFS

    Computer name             computer_name (where computer_name is the computer name of the first forest root domain controller).

    IP address                ip_address (where ip_address is the fixed IP address that you assign to the first forest root domain controller).

    Subnet mask               subnet_mask (where subnet_mask is the subnet mask that you assign to the first forest root domain controller).

    Administrator password    strong_password (where strong_password is any strong password).

    Networking components     DNS; Internet Protocol (TCP/IP)

    Primary WINS server       primary_wins_server (where primary_wins_server is the IP address of the existing primary WINS server, or leave blank if there is no existing WINS infrastructure).

    Secondary WINS server     secondary_wins_server (where secondary_wins_server is the IP address of another existing WINS server, or leave blank if there is no existing WINS infrastructure).

    Preferred DNS server      preferred_dns_server (where preferred_dns_server is the IP address of an existing DNS server, or leave blank if there is no existing DNS infrastructure).

    Contoso example: Installing Windows 2000 on the first forest root domain controller

    Install Windows 2000 on the first forest root domain controller for Contoso by using the process described above and the information provided in Table 10.

    Table 10 Information for Installing Windows 2000 in the Contoso Example

    When Prompted For In Contoso use In Trey Research use

    computer_name SEA-CON-DC-01 REN-TRC-DC-01

    ip_address 172.16.16.21 172.16.20.13

    subnet_mask 255.255.252.0 255.255.252.0

    strong_password Y7#Es-3t OJ2-1Yz8

    primary_wins_server 172.16.12.15 172.16.48.15

    preferred_dns_server 172.16.4.10 172.16.4.10

    Install Active Directory

    Install Active Directory on the computer that you want to make the first forest root domain controller by running the Active Directory Installation Wizard (Dcpromo.exe).

    The Active Directory Installation Wizard:

    • Creates the Active Directory database.
    • Initializes the directory data in the database.
    • Creates an Active Directory-integrated zone for the forest root domain.

    Note: When your organization has no existing DNS infrastructure, the Active Directory Installation Wizard automatically creates an internal root zone (expressed as "."). The new root zone acts as the authoritative root for your organization.

    You can run the Active Directory Installation Wizard in an unattended scripted mode to automate the installation of Active Directory.

    To install Active Directory on the first forest root domain controller in your environment

    1. From a command prompt, type nslookup parent_domain (where parent_domain is the fully qualified domain name of the forest root domain's parent domain).

    2. Install Active Directory on the first forest root domain controller by running the Active Directory Installation Wizard and by using the information provided in Table 11 to complete the wizard. Accept default settings when no information is specified.

    Table 11 Information for Installing Active Directory on the Domain Controller

    Wizard Page Action

    Domain Controller Type Click Domain controller for new domain.

    Create Tree or Child Domain Verify that Create a new domain tree is selected.

    Create or Join Forest Verify that Create a new forest of domain trees is selected.

    New Domain Name In the Full DNS name for new domain box, type forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).

    Configure DNS Click Yes, install and configure DNS on this computer.

    Permissions Click Permissions compatible only with Windows 2000 servers.

    Directory Services Restore Mode Administrator Password In the Password and Confirm password boxes, type strong_password (where strong_password is any strong password).

    Note: When prompted by a message box indicating that the wizard cannot contact the DNS server that handles the domain, click OK. The Active Directory installation process will install and configure DNS as a part of the process.

    Contoso example: Installing Active Directory on the first forest root domain controller

    Install Active Directory on the first forest root domain controller in the Contoso example by using the process described above and the information provided in Table 12.

    Table 12 Information for Installing Active Directory in the Contoso Example

    When Prompted For In Contoso use In Trey Research use

    parent_domain contoso.com treyresearch.net

    forest_root_domain concorp.contoso.com trccorp.treyresearch.net

    strong_password Y7#Es-3t OJ2-1Yz8

    Verify the Active Directory Installation

    After you run the Active Directory Installation Wizard to install Active Directory, verify the Active Directory installation.

    To verify the Active Directory installation on the first forest root domain controller in your environment

    1. Review the Windows 2000 event log for any errors.
    2. From a command prompt, run Dcdiag.exe and review any errors that are reported.
    3. Run Task Manager to verify that processor and memory usage are within acceptable limits.

    Contoso example: Verifying the Active Directory installation on the first forest root domain controller

    Verify the Active Directory installation on the first forest root domain controller in the Contoso example by using the process described above on:

    • SEA-CON-DC-01.concorp.contoso.com
    • SEA-TRC-DC-01.trccorp.treyresearch.net

    Configure DNS Server Recursive Name Resolution

    Configure DNS server recursive name resolution based on the recursive name resolution method specified in the DNS design worksheet provided by your design team. Configure DNS server recursive name resolution by using the DNS snap-in of Microsoft Management Console (MMC) or Dnscmd.exe.

    Note: While running the Active Directory Installation Wizard, if your organization has an existing DNS infrastructure, ensure that the Preferred DNS server setting is properly configured. When the Active Directory Installation Wizard finds no existing DNS infrastructure, the wizard automatically creates a new root zone. Subsequently, delete the new root zone, and manually configure a recursive name resolution method.

    To configure DNS server recursive name resolution on the first forest root domain controller in your environment

    1. Use the DNS snap-in to configure DNS server recursive name resolution based on the information in Table 13.

    Table 13 Information to Configure DNS server Recursive Name Resolution

    Method: Recursive name resolution by root hints
    Configuration: No additional configuration is necessary. When the DNS server specified as the Preferred DNS server during the installation process is properly configured, the root hints are automatically configured. To verify the root hints by using the DNS snap-in: in the console tree, right-click computer_name (where computer_name is the name of the domain controller), and then click Properties. In the computer_name Properties dialog box (where computer_name is the name of the domain controller), on the Root Hints page, view the root hints.

    Method: Recursive name resolution by forwarding
    Configuration: Forward unresolved queries to dns_server (where dns_server is the DNS server, or nearest replica, from which the forest root domain is delegated). See the DNS worksheet provided by your design team for the DNS server. To configure forwarding by using the DNS snap-in: in the console tree, right-click computer_name (where computer_name is the computer name of the domain controller), and then click Properties. In the computer_name Properties dialog box (where computer_name is the name of the domain controller), on the Forwarders page, select the Enable forwarders check box. In the IP address box, type ip_address (where ip_address is the IP address of the DNS server, or nearest replica, from which the forest root domain is delegated), click Add, and then click OK.

    Method: No existing DNS infrastructure
    Configuration: No additional configuration is necessary. When no DNS infrastructure existed previously, the forest root domain controllers are the root servers for DNS.

    2. From a command prompt, type nslookup parent_domain (where parent_domain is the fully qualified domain name of the forest root domain's parent domain).

    3. From a command prompt, type nslookup forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).

    4. From a command prompt, type nslookup computer_name.forest_root_domain (where computer_name is the computer name of the first forest root domain controller and forest_root_domain is the fully qualified domain name of the forest root domain).

    Successful completion of the nslookup commands verifies that DNS forwarding is properly configured.

    Contoso example: Configuring DNS server recursive name resolution on the first forest root domain controller

    The existing DNS servers in Contoso perform DNS recursive name resolution by using DNS forwarding.

    Configure DNS server recursive name resolution on the first forest root domain controller in the Contoso example by using the process described above and the information provided in Table 14.

    Table 14 Information for Configuring DNS server Recursive Name Resolution in the Contoso Example

    When Prompted For In Contoso use In Trey Research use

    computer_name SEA-CON-DC-01 REN-TRC-DC-01

    dns_server 172.16.4.10 172.16.4.10

    parent_domain contoso.com treyresearch.net

    forest_root_domain concorp.contoso.com trccorp.treyresearch.net

    Delegate _msdcs Zone

    After you configure the DNS settings on the forest root domain controllers, you are ready to delegate the _msdcs zone. Delegate the _msdcs zone by using the DNS snap-in in the Microsoft Management Console (MMC) or Dnscmd.exe.

    Deployment Best Practice

    Replicate the _msdcs zone to the DNS servers running on every domain controller in the forest. The _msdcs zone contains the forest-wide locator records. The forest-wide locator records are used by domain controllers to find replication partners and by clients to find global catalog servers.

    To delegate the _msdcs zone for the forest root domain in your environment

    1. Start an instance of the Microsoft Management Console (MMC) and include the DNS snap-in.

    2. In the console tree, delete the _msdcs folder beneath the forest_root_domain zone (where forest_root_domain is the name of the forest root domain).

    3. In the console tree, right-click the forest_root_domain zone (where forest_root_domain is the name of the forest root domain), and then click New Delegation.

    4. Complete the New Delegation Wizard by using the information supplied in Table 15. Accept the default settings when no information is supplied.

    Table 15 Information for Delegating a DNS Domain

    Wizard Page             Action

    Delegated Domain Name   In the Delegated Domain box, type _msdcs.

    Name Servers            Click Add. In the New Resource Record dialog box, in the Server name box, type first_domain_controller.forest_root_domain (where forest_root_domain is the name of the forest root domain and first_domain_controller is the name of the first forest root domain controller). In the New Resource Record dialog box, in the IP address box, type first_ip_address (where first_ip_address is the corresponding IP address of the first forest root domain controller), click Add, and then click OK.

    5. In the console tree, right-click first_domain_controller (where first_domain_controller is the name of the first forest root domain controller), and then click New Zone.

    6. Complete the New Zone Wizard by using the information supplied in Table 29. Accept the default settings when no information is supplied.

    Table 29 Information for Creating _msdcs Zone

    Wizard Page                      Action

    Zone Type                        Click Active Directory-integrated.

    Forward or Reverse Lookup Zone   Click Forward lookup zone.

    Zone Name                        In the Name box, type _msdcs.forest_root_domain (where forest_root_domain is the name of the forest root domain).

    7. In the console tree, right-click the _msdcs.forest_root_domain zone (where forest_root_domain is the name of the forest root domain), and then click Properties.

    8. In the _msdcs.forest_root_domain Properties dialog box (where forest_root_domain is the name of the forest root domain), on the General page, click Aging.

    9. In the Zone Aging/Scavenging Properties dialog box, select the Scavenge stale resource records check box, and then click OK.

    10. In the _msdcs.forest_root_domain Properties dialog box (where forest_root_domain is the name of the forest root domain), on the Zone Transfers page, select the Allow zone transfers check box.

    11. In the _msdcs.forest_root_domain Properties dialog box (where forest_root_domain is the name of the forest root domain), click OK.

    12. Restart the Netlogon service by using the Computer Management console. Restarting the Netlogon service forces the domain controller to register its records in the _msdcs.forest_root_domain zone (where forest_root_domain is the name of the forest root domain).

    Contoso example: Delegating the _msdcs zone for the forest root domain

    Delegate the _msdcs zone for the first forest root domain controller in the Contoso example by using the process described above and the information provided in Table 16.

    Table 16 Information for Delegating the _msdcs Zone in the Contoso Example

    When Prompted For In Contoso use In Trey Research use

    forest_root_domain concorp.contoso.com trccorp.treyresearch.net

    first_domain_controller SEA-CON-DC-01 REN-TRC-DC-01

    first_ip_address 172.16.16.21 172.16.20.13
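    As an added example that is not part of this guide, the following Python script generates the delegation records that the two delegation procedures above describe (the forest root delegation from the parent zone in Table 8, and the _msdcs delegation from the forest root zone in Table 16) and checks a BIND zone file for any that are missing. The helper names and the sample zone text are constructed for the illustration; the domain names and addresses are those of the Contoso example.

```python
"""Generate and check the DNS delegation records used in this guide.

Added example, not part of the guide. The helper names and the sample
zone-file text are constructed for this illustration; the domain names and
addresses are those of the Contoso example (Tables 8 and 16).
"""
import ipaddress


def _fqdn(name, zone):
    """Fully qualify a zone-file name: '@' is the zone apex, a name with a
    trailing dot is already absolute, anything else is relative to zone."""
    name = name.strip()
    if name == "@":
        return zone.lower()
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{zone}".lower()


def delegation_records(parent_zone, delegated, ns_fqdn, ns_ip):
    """Return the zone-file lines to add to parent_zone for a delegation.

    The NS record is always required. A glue A record is required only when
    the name server lies inside the delegated subdomain (the forest root DC
    for concorp.contoso.com): without it the parent zone could never resolve
    the server's address. For _msdcs the NS is a host in the forest root zone
    itself, so its existing host record suffices and no glue is emitted.
    """
    ipaddress.IPv4Address(ns_ip)  # raises ValueError on a malformed address
    parent = parent_zone.rstrip(".").lower()
    child = delegated.rstrip(".").lower()
    if child.endswith("." + parent):
        child = child[: -len(parent) - 1]  # the guide's tables list the FQDN
    if not child or "." in child:
        raise ValueError(f"{delegated} is not a direct subdomain of {parent}")
    ns = ns_fqdn.rstrip(".")
    records = [f"{child} IN NS {ns}."]
    if ns.lower().endswith(f".{child}.{parent}"):
        records.append(f"{ns}. IN A {ns_ip}")
    return records


def parse_zone(zone_text, zone):
    """Minimal parser for BIND zone data with one record per line, each line
    naming its owner ($ directives and ';' comments are skipped). Returns a
    set of (owner, type, rdata) tuples with owner names, and NS/CNAME
    targets, fully qualified and lower-cased."""
    rrs = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)  # optional TTL and class tokens
        if len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype in ("NS", "CNAME"):
            rdata = _fqdn(rdata, zone)
        rrs.add((_fqdn(owner, zone), rtype, rdata))
    return rrs


def missing_delegation_records(zone_text, parent_zone, delegated, ns_fqdn, ns_ip):
    """Return the required delegation records that zone_text does not contain."""
    parent = parent_zone.rstrip(".").lower()
    present = parse_zone(zone_text, parent)
    missing = []
    for line in delegation_records(parent_zone, delegated, ns_fqdn, ns_ip):
        owner, _, rtype, rdata = line.split(" ", 3)
        if rtype == "NS":
            rdata = _fqdn(rdata, parent)
        if (_fqdn(owner, parent), rtype, rdata) not in present:
            missing.append(line)
    return missing


# Constructed excerpt of the contoso.com zone on the BIND servers: the NS
# record for the forest root was added, but the glue A record was forgotten.
CONTOSO_ZONE = """\
$ORIGIN contoso.com.
$TTL 3600
@        IN NS  SEA-CON-DNS-01
@        IN NS  SEA-CON-DNS-02
concorp  IN NS  SEA-CON-DC-01.concorp.contoso.com.   ; forest root delegation
"""


if __name__ == "__main__":
    # Table 8: forest root delegation from the parent zone (NS plus glue).
    print(delegation_records("contoso.com", "concorp.contoso.com",
                             "SEA-CON-DC-01.concorp.contoso.com", "172.16.16.21"))
    # Table 16: _msdcs delegation from the forest root zone (NS only).
    print(delegation_records("concorp.contoso.com", "_msdcs",
                             "SEA-CON-DC-01.concorp.contoso.com", "172.16.16.21"))
    print(missing_delegation_records(CONTOSO_ZONE, "contoso.com", "concorp.contoso.com",
                                     "SEA-CON-DC-01.concorp.contoso.com", "172.16.16.21"))
```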

    Deploying an Additional Domain Controller in the Same Site

    After you deploy the first forest root domain controller, deploy an additional forest root domain controller in the same site so that the domain continues to operate in the event that the first forest root domain controller fails.

    To deploy an additional forest root domain controller in the same site:

    1. Install Windows 2000.
    2. Install Active Directory.
    3. Verify the Active Directory installation.
    4. Configure DNS server recursive name resolution.
    5. Modify the DNS client settings on the first domain controller.
    6. Update the DNS delegation.

    Install Windows 2000

    The first step in deploying an additional forest root domain controller in the same site is to install Windows 2000 on the computer that you want to make the domain controller.

    Note: You can automate the installation of Windows 2000 by using Sysprep.exe, unattended installation, or any disk imaging method.

    To install Windows 2000 on the additional domain controller in your environment

    Install Windows 2000 on the additional domain controller in the primary site of your forest root domain by using the information listed in Table 17.

    Table 17 Information for Installing Windows 2000 on the Additional Domain Controller in the Forest Root

    When Prompted For         Use

    Format partitions         NTFS

    Computer name             computer_name (where computer_name is the computer name of the additional forest root domain controller).

    IP address                ip_address (where ip_address is the fixed IP address that you assign to the additional forest root domain controller).

    Subnet mask               subnet_mask (where subnet_mask is the subnet mask that you assign to the additional forest root domain controller).

    Administrator password    strong_password (where strong_password is any strong password).

    Networking components     DNS; Internet Protocol (TCP/IP)

    Primary WINS server       primary_wins_server (where primary_wins_server is the IP address of the existing primary WINS server, or leave blank if there is no existing WINS infrastructure).

    Secondary WINS server     secondary_wins_server (where secondary_wins_server is the IP address of another existing WINS server, or leave blank if there is no existing WINS infrastructure).

    Preferred DNS server      preferred_dns_server (where preferred_dns_server is the IP address of the first forest root domain controller).

    Alternate DNS server      alternate_dns_server (where alternate_dns_server is the IP address of this domain controller).

    Note: Ensure that you configure the first forest root domain controller as the Preferred DNS server and the additional domain controller as the Alternate DNS server. For another forest root domain controller to receive its DNS registration, forest root domain controllers must point the Preferred DNS server setting to another forest root domain controller. Configuring DNS in this manner avoids the "Island of Isolation" problem. For more information about this topic, see Active Directory Branch Office Planning Guide at http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adplan/default.mspx - section10.

    Contoso example: Installing Windows 2000 on the additional forest root domain controller

    Install Windows 2000 on the additional forest root domain controller in the primary site for Contoso by using the process described above and the information provided in Table 18.


    Table 18 Information for Installing Windows 2000 in the Contoso Example

    When Prompted For In Contoso use In Trey Research use

    computer_name SEA-CON-DC-02 REN-TRC-DC-02

    ip_address 172.16.16.22 172.16.20.14

    subnet_mask 255.255.252.0 255.255.252.0

    strong_password Y7#Es-3t OJ2-1Yz8

    primary_wins_server 172.16.12.15 172.16.48.15

    preferred_dns_server 172.16.16.21 172.16.20.13

    alternate_dns_server 172.16.16.22 172.16.20.14

    Install Active Directory

    Install Active Directory on the computer that you want to make the additional forest root domain controller by running the Active Directory Installation Wizard (Dcpromo.exe).

    The Active Directory Installation Wizard:

    • Creates the Active Directory database.
    • Initializes the directory data in the database.
    • Creates an Active Directory-integrated zone for the forest root domain.

    Note: When your organization has no existing DNS infrastructure, the Active Directory Installation Wizard automatically creates an internal root zone (expressed as "."). The new root zone acts as the authoritative root for your organization.

    To install Active Directory on the additional forest root domain controller in your environment

    1. Install Active Directory on the additional domain controller in the primary site by running the Active Directory Installation Wizard and by using the information provided in Table 19 to complete the wizard. Accept default settings when no information is specified.

    Table 19 Information for Installing Active Directory on the Additional Domain Controller

    Wizard Page Action

    Domain Controller Type Click Additional domain controller for an existing domain.

    Network Credentials In the User name box, type user_name (where user_name is the name of an account that is a member of the Enterprise Admins global group). In the Password box, type password (where password is the password of the user name). In the Domain box, type forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).

    Additional Domain Controller Click Browse. In the Browse for Domain dialog box, click forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain), and then click OK.

    Directory Services Restore Mode Administrator Password In the Password and Confirm password boxes, type strong_password (where strong_password is any strong password).

    Contoso example: Installing Active Directory on the additional domain controller

    Install Active Directory on the additional forest root domain controller in the primary site for the Contoso example by using the process described above and the information provided in Table 20.

    Table 20 Information for Installing Active Directory in the Contoso Example


    When Prompted For In Contoso use In Trey Research use

    parent_domain contoso.com treyresearch.net

    forest_root_domain concorp.contoso.com trccorp.treyresearch.net

    first_forest_domain_controller SEA-CON-DC-01 REN-TRC-DC-01

    user_name Administrator Administrator

    password U9#7Kp- Rw36-R5

    strong_password Y7#Es-3t OJ2-1Yz8

    Verify the Active Directory Installation

    After you run the Active Directory Installation Wizard to install Active Directory, verify the Active Directory installation.

    To verify the Active Directory installation on the additional forest root domain controller in your environment

    1. Review the Windows 2000 event log for any errors.
    2. From a command prompt, run Dcdiag.exe and review any errors that are reported.
    3. Run Task Manager to verify that processor and memory usage are within acceptable limits.

    Contoso example: Verifying the Active Directory installation on the additional forest root domain controller

    Verify the Active Directory installation on the additional forest root domain controller in the Contoso example by using the process described above on:

    • SEA-CON-DC-02.concorp.contoso.com
    • SEA-TRC-DC-02.trccorp.treyresearch.net

    Configure DNS Server Recursive Name Resolution

    Configure DNS server recursive name resolution based on the recursive name resolution method specified in the DNS design worksheet provided by your design team. Configure DNS server recursive name resolution by using the DNS snap-in of Microsoft Management Console (MMC) or Dnscmd.exe.

    Note: While running the Active Directory Installation Wizard, if your organization has an existing DNS infrastructure, ensure that the Preferred DNS server setting is properly configured. When the Active Directory Installation Wizard finds no existing DNS infrastructure, the wizard automatically creates a new root zone. Subsequently, delete the new root zone, and manually configure a recursive name resolution method.

    To configure DNS server recursive name resolution on the additional forest root domain controller in your environment

    1. Use the DNS snap-in to configure DNS server recursive name resolution based on the information in Table 21.

    Table 21 Information to Configure DNS server Recursive Name Resolution

    Method: Recursive name resolution by root hints
    Configuration: No additional configuration is necessary. When the DNS server specified as the Preferred DNS server during the installation process is properly configured, the root hints are automatically configured. To verify the root hints by using the DNS snap-in: in the console tree, right-click computer_name (where computer_name is the name of the domain controller), and then click Properties. In the computer_name Properties dialog box (where computer_name is the name of the domain controller), on the Root Hints page, view the root hints.

    Method: Recursive name resolution by forwarding
    Configuration: Forward unresolved queries to ip_address (where ip_address is the IP address of the DNS server, or nearest replica, from which the forest root domain is delegated). See the DNS worksheet provided by your design team for the DNS server. To configure forwarding by using the DNS snap-in: in the console tree, right-click computer_name (where computer_name is the computer name of the domain controller), and then click Properties. In the computer_name Properties dialog box (where computer_name is the computer name of the domain controller), on the Forwarders page, select the Enable forwarders check box. In the IP address box, type ip_address (where ip_address is the IP address of the DNS server, or nearest replica, from which the forest root domain is delegated), click Add, and then click OK.

    Method: No existing DNS infrastructure
    Configuration: No additional configuration is necessary. When no DNS infrastructure existed previously, the forest root domain controllers are the root servers for DNS.

    Contoso example: Configuring DNS server recursive name resolution on the additional forest root domain controller

    The existing DNS servers in Contoso perform DNS recursive name resolution by using DNS forwarding.

    Configure DNS server recursive name resolution on the first forest root domain controller in the Contoso example by using the process described above and the information provided in Table 22.

    Table 22 Information for Configuring DNS server Recursive Name Resolution in the Contoso Example

    When Prompted For In Contoso use In Trey Research use

    computer_name SEA-CON-DC-02 REN-TRC-DC-02

    ip_address 172.16.4.10 172.16.4.10

    Modifying the DNS Client Settings Of The First Domain Controller

    After you configure DNS server recursive name resolution, you are ready to modify the DNS client settings on the first forest root domain controller. Because no other domain controllers were running when you deployed the first forest root domain controller, modify its DNS client settings now to include the additional domain controller.

    Deployment Best Practice

    When a forest root domain controller is configured to use the DNS server on the domain controller as the Preferred DNS server, the domain controller can become isolated from other forest root domain controllers, because the domain controller registers only with the DNS server on the domain controller.

    To prevent forest root domain controllers from becoming isolated from the other forest root domain controllers, configure the Preferred DNS server setting to point to another forest root domain controller and the Alternate DNS server setting to the DNS server running locally on the domain controller.

    The domain controller isolation problem, also known as the "Island of Isolation," can only occur on forest root domain controllers. For more information about this topic, see Active Directory Branch Office Planning Guide.

    To configure the DNS client settings on the first domain controller in your environment

    1. Configure the Preferred DNS server setting to another_domain_controller (where another_domain_controller is the IP address of another forest root domain controller).

    2. Configure the Alternate DNS server setting to first_domain_controller (where first_domain_controller is the IP address of the first forest root domain controller).

    Contoso example: Configuring the DNS client settings on the first domain controller

    Configure the DNS client settings on the first forest root domain controller in the primary site for the Contoso example by using the process described above and the information provided in Table 23.

    Table 23 Information for Configuring DNS Client Settings in the Contoso Example

    When Prompted For           In Contoso Use   In Trey Research Use
    another_domain_controller   172.16.16.22     172.16.20.14
    first_domain_controller     172.16.16.21     172.16.20.13
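The "Island of Isolation" rule above can be checked against an inventory of forest root domain controllers before the DNS client settings are changed. The following script is an added example and is not part of the guide: the SEA-CON-DC-01 entry uses the Contoso addresses from Table 23, while the SEA-CON-DC-02 entry and the deliberately misconfigured SEA-CON-DC-99 entry are constructed for the example.

```python
"""Check forest root domain controllers for the "Island of Isolation" DNS client setting.

Added example, not part of the guide. It encodes the rule stated above:
Preferred DNS server = another forest root domain controller, and
Alternate DNS server = the DNS server running locally on the domain controller.
"""
from typing import Dict, List

# Constructed inventory: name, the DC's own IP address, and its two DNS client settings.
# SEA-CON-DC-01 uses the Table 23 values; the other two entries are constructed.
CONTOSO_FOREST_ROOT_DCS: List[Dict[str, str]] = [
    {"name": "SEA-CON-DC-01", "ip": "172.16.16.21",
     "preferred": "172.16.16.22", "alternate": "172.16.16.21"},
    {"name": "SEA-CON-DC-02", "ip": "172.16.16.22",
     "preferred": "172.16.16.21", "alternate": "172.16.16.22"},
    # Constructed bad entry: it points only at itself, so it would register
    # its records only with its own DNS server.
    {"name": "SEA-CON-DC-99", "ip": "172.16.16.99",
     "preferred": "172.16.16.99", "alternate": "172.16.16.99"},
]


def check_dns_client_settings(dcs: List[Dict[str, str]]) -> List[str]:
    """Return one finding per violated rule; an empty list means every DC complies."""
    forest_root_ips = {dc["ip"] for dc in dcs}
    findings: List[str] = []
    for dc in dcs:
        name, own_ip = dc["name"], dc["ip"]
        preferred, alternate = dc["preferred"], dc["alternate"]
        if preferred == own_ip:
            findings.append(f"{name}: Preferred DNS server is the local server "
                            f"({own_ip}); Island of Isolation risk")
        elif preferred not in forest_root_ips:
            findings.append(f"{name}: Preferred DNS server {preferred} is not a "
                            f"forest root domain controller")
        if alternate != own_ip:
            findings.append(f"{name}: Alternate DNS server should be the local "
                            f"DNS server {own_ip}, not {alternate}")
    return findings


if __name__ == "__main__":
    for finding in check_dns_client_settings(CONTOSO_FOREST_ROOT_DCS):
        print(finding)
```

Run against the constructed inventory, only SEA-CON-DC-99 is reported; the two Contoso domain controllers point at each other as Preferred and at themselves as Alternate, which is the configuration the procedure above produces.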

    Updating the DNS Delegation

    After you modify the DNS client settings on the first forest root domain controller in the primary site, you are ready to update the DNS delegation for the forest root domain.

    To update the DNS delegation records for the additional domain controller in your environment

    1. Create a name server (NS) resource record in the parent_domain zone file (where parent_domain is the fully qualified domain name of the forest root domain's parent domain).

    2. forest_root_domain IN NS computer_name.forest_root_domain.parent_domain (where forest_root_domain is the name of the forest root domain, computer_name is the computer name of the additional domain controller, and parent_domain is the fully qualified domain name of the forest root domain's parent domain).

    3. Create a host address (A) resource record in the parent_domain zone file (where parent_domain is the fully qualified domain name of the forest root domain's parent domain).

    4. computer_name.forest_root_domain.parent_domain IN A ip_address (where computer_name is the computer name of the additional domain controller, forest_root_domain is the name of the forest root domain, parent_domain is the fully qualified domain name of the forest root domain's parent domain, and ip_address is the IP address of the additional domain controller).

    Contoso example: Updating the DNS delegation records for the additional domain controller

    Update the DNS delegation records for the additional forest root domain controller in the Contoso example by using the process described above and the information provided in Table 24.

    Table 24 Information for Updating DNS Delegation in the Contoso Example

    When Prompted For    In Contoso Use        In Trey Research Use
    parent_domain        contoso.com           treyresearch.net
    forest_root_domain   concorp.contoso.com   trccorp.treyresearch.net
    computer_name        SEA-CON-DC-02         REN-TRC-DC-02
    ip_address           172.16.16.22          172.16.20.14
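The delegation update above is easy to get half right: an NS record that names a server inside the delegated zone is useless to resolvers unless the parent zone also carries the matching A "glue" record. The following script is an added example, not code from the guide or from Microsoft: build_delegation() produces the two records the procedure describes for the Contoso values in Table 24, and check_delegation() reads a parent-zone fragment and reports a missing delegation, a missing glue record, or a forest root domain controller that is not listed as a name server. The zone fragment is constructed for the example, and the parser accepts only the simple "owner IN type rdata" line shape used here; because Table 24 gives forest_root_domain as a fully qualified name, the code strips the parent suffix to obtain the owner name used in the parent zone.

```python
"""Build and check the parent-zone delegation records for a forest root domain.

Added example, not from the guide. Parsing covers only simple
"owner IN NS|A rdata" lines, which is all the constructed fragment uses.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(NS|A)\s+(\S+)$", re.IGNORECASE)


def _fqdn(name: str) -> str:
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def _absolute(owner: str, parent_domain: str) -> str:
    """Expand an owner name that is relative to the parent zone into a FQDN."""
    return _fqdn(owner) if owner.endswith(".") else _fqdn(f"{owner}.{parent_domain}")


def _child_label(forest_root_domain: str, parent_domain: str) -> str:
    # Table 24 gives forest_root_domain as a FQDN (concorp.contoso.com); the
    # owner name in the parent zone is that name without the parent suffix.
    suffix = "." + parent_domain.lower()
    if not forest_root_domain.lower().endswith(suffix):
        raise ValueError("forest root domain must be a child of the parent domain")
    return forest_root_domain[: -len(suffix)].lower()


def build_delegation(forest_root_domain: str, parent_domain: str,
                     computer_name: str, ip_address: str) -> Tuple[str, str]:
    """Return the (NS record, A glue record) to add to the parent_domain zone file."""
    ipaddress.ip_address(ip_address)  # reject a malformed address early
    host = _fqdn(f"{computer_name}.{forest_root_domain}")
    ns_record = f"{_child_label(forest_root_domain, parent_domain)} IN NS {host}"
    a_record = f"{host} IN A {ip_address}"
    return ns_record, a_record


def check_delegation(zone_lines: List[str], forest_root_domain: str,
                     parent_domain: str, expected_dcs: List[str]) -> List[str]:
    """Report delegation problems; an empty list means the delegation is complete."""
    child = _fqdn(forest_root_domain)
    ns_targets: Set[str] = set()
    glue: Dict[str, str] = {}
    for raw in zone_lines:
        match = RECORD_RE.match(raw.split(";")[0].strip())  # drop zone-file comments
        if not match:
            continue
        owner, rtype, rdata = match.groups()
        owner_abs = _absolute(owner, parent_domain)
        if rtype.upper() == "NS" and owner_abs == child:
            ns_targets.add(_fqdn(rdata))
        elif rtype.upper() == "A":
            glue[owner_abs] = rdata
    issues: List[str] = []
    if not ns_targets:
        issues.append(f"no NS record delegates {child} in {parent_domain}")
    for target in sorted(ns_targets):
        # A name server inside the delegated zone needs glue in the parent
        # zone, otherwise resolvers cannot reach it (lame delegation).
        if target.endswith("." + child) and target not in glue:
            issues.append(f"missing glue A record for {target}")
    for dc in expected_dcs:
        if _fqdn(f"{dc}.{forest_root_domain}") not in ns_targets:
            issues.append(f"{dc} is not listed as a name server for {child}")
    return issues


# Constructed fragment of the contoso.com zone as it stands before the update,
# listing only the first forest root domain controller.
CONTOSO_PARENT_ZONE = [
    "; constructed example data",
    "concorp IN NS sea-con-dc-01.concorp.contoso.com.",
    "sea-con-dc-01.concorp.contoso.com. IN A 172.16.16.21",
]


if __name__ == "__main__":
    ns, a = build_delegation("concorp.contoso.com", "contoso.com",
                             "SEA-CON-DC-02", "172.16.16.22")
    print(ns)
    print(a)
    print(check_delegation(CONTOSO_PARENT_ZONE + [ns, a], "concorp.contoso.com",
                           "contoso.com", ["SEA-CON-DC-01", "SEA-CON-DC-02"]))
```

Before the update the check reports that SEA-CON-DC-02 is not a listed name server; after both records are appended it reports nothing, and appending only the NS record (the common mistake) is reported as a missing glue record.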

    Configuring Site Topology

    After deploying the additional domain controller in the forest root domains, you are ready to configure the site topology for each forest. The site topology owner configures the sites and site topology.

    To configure the site topology:

    1. Delegate Active Directory site topology administration.
    2. Create the Active Directory sites.
    3. Create and assign the subnets in Active Directory.
    4. Create the Active Directory site links.

    Delegate Active Directory Site Topology Administration

    Configuring the sites and site topology for each forest starts when the forest owner delegates administration of the Active Directory sites and site topology to the site topology owner.

    To delegate Active Directory site topology administration in your environment

    1. Create a user named SiteTopologyOwner in the default Users container, in the forest root domain.
    2. Create a global group named SiteAdmins in the default Users container, in the forest root domain.
    3. Assign SiteTopologyOwner to the SiteAdmins global group.
    4. In the Active Directory Sites and Services snap-in, right-click the Sites node, and then click Delegate Control.
    5. Complete the Delegation of Control Wizard by using the information supplied in Table 25. Select the default configuration when no information is supplied.

    Table 25 Information for Delegating the Administration of Site Topology

    Wizard Page       Action
    Users or Groups   Click Add. In the Select Users, Computers, or Groups dialog box, click SiteAdmins, click Add, and then click OK.
    Permissions       Select the Full Control check box.

    Contoso example: Delegating Active Directory site topology administration

    Delegate Active Directory site topology administration by following the deployment process in the previous section for the following Active Directory forests:

    • concorp.contoso.com
    • trccorp.treyresearch.net

    Create Active Directory Sites

    The first step in configuring the sites and site topology for each forest is to create the Active Directory sites. The directory planner, site topology owner, and network group determine the sites to create. Create Active Directory sites by using the Active Directory Sites and Services snap-in.

    To create the Active Directory sites in your environment

    1. Review the site topology design worksheet provided by your design team, focusing on the sites section of the worksheet.

    2. Create the sites specified in the site topology worksheet.

    Contoso example: Creating the Active Directory sites

    1. Identify the Contoso locations, Trey Research locations, and the primary communication links between locations as shown in Figure 9 and listed in Table 26.

    Figure 9: Map of Contoso locations and communications links

    Table 26 Links Between Locations and the Available Data Rate

    Location        Linked Location   Link Type                               Available Data Rate
    Seattle         Boston            ISDN (128.8 Kbps)                       No more than 56 Kbps.
    Seattle         Vancouver         T1 (1.544 megabits per second (Mbps))   No more than 44 Kbps.
    Seattle         Montreal          ISDN (128.8 Kbps)                       No more than 26 Kbps.
    Seattle         Milan             T1 (1.544 Mbps)                         No more than 150 Kbps, but with 450-millisecond latency.
    Seattle         Renton            DSL (700 Kbps)                          No more than 500 Kbps.
    Seattle         Atlanta           T1 (1.544 Mbps)                         No more than 60 Kbps.
    Seattle         Hong Kong SAR     T1 (1.544 Mbps)                         No more than 200 Kbps, but with 450-millisecond latency.
    Milan           Seville           ISDN (128.8 Kbps)                       No more than 56 Kbps.
    Hong Kong SAR   Tokyo             ISDN (128.8 Kbps)                       No more than 56 Kbps.

    2. Create the sites based on the information in Table 27 and Table 28. The information in Table 27 and Table 28 was summarized from the site topology worksheet.

    Table 27 Sites to Create and the Locations in the Contoso Forest

    Create This Site   Which Includes This Location
    Seattle            Seattle
    Boston             Boston
    Vancouver          Vancouver
    Montreal           Montreal
    Milan              Milan
    Seville            Seville
    HongKong           Hong Kong SAR
    Tokyo              Tokyo

    Table 28 Sites to Create and the Locations in the Trey Research Forest

    Create This Site   Which Includes This Location
    Renton             Renton
    Atlanta            Atlanta

    Create and Assign Active Directory Subnets

    The next step in configuring the sites and site topology for each forest is to create the Active Directory subnets and assign them to Active Directory sites. The directory planner, site topology owner, and network group determine the subnets that you create. Create Active Directory subnets by using the Active Directory Sites and Services snap-in.

    To create and assign Active Directory subnets in your environment

    1. Review the site topology design worksheet provided by your design team, focusing on the subnets section of the worksheet.

    2. Create the Active Directory subnets specified in the site topology worksheet and assign each Active Directory subnet to the appropriate site.

    Contoso example: Creating and assigning Active Directory subnets

    1. Identify the IP subnets that exist within each location based on the information in Table 29 and Table 30. The information in Table 29 and Table 30 was summarized from the site topology worksheet.

    Table 29 Locations and IP Subnets Within Each Contoso Location

    Location        IP Subnets Within the Location
    Seattle         172.16.4.0/22, 172.16.8.0/22, 172.16.24.0/22, 172.16.28.0/22, 172.16.32.0/22, 172.16.36.0/22, 172.16.40
    Boston          172.16.52.0/22, 172.16.56.0/22
    Vancouver       172.16.44.0/22, 172.16.48.0/22
    Montreal        172.16.60.0/22, 172.16.64.0/22
    Milan           172.16.128.0/22, 172.16.132.0/22, 172.16.136.0/22
    Seville         172.16.160.0/22, 172.16.164.0/22
    Hong Kong SAR   172.16.84.0/22, 172.16.88.0/22, 172.16.92.0/22
    Tokyo           172.16.76.0/22, 172.16.78.0/22

    Table 30 Locations and IP Subnets Within Each Trey Research Location

    Location   IP Subnets Within the Location
    Renton     172.16.12.0/22, 172.16.16.0/22, 172.16.20.0/22
    Atlanta    172.16.116.0/22, 172.16.120.0/22, 172.16.124.0/22

    2. Create the Active Directory subnets in the Contoso forest and the Trey Research forest by using the Active Directory Sites and Services snap-in and the information listed in Table 31 and Table 32.

    Table 31 Active Directory Subnets and IP Subnets in the Contoso Forest

    Site        Active Directory Subnet   Address        Mask
    Seattle     172.16.4.0/22             172.16.4.0     255.255.252.0
    Seattle     172.16.8.0/22             172.16.8.0     255.255.252.0
    Seattle     172.16.24.0/22            172.16.24.0    255.255.252.0
    Seattle     172.16.28.0/22            172.16.28.0    255.255.252.0
    Seattle     172.16.32.0/22            172.16.32.0    255.255.252.0
    Seattle     172.16.36.0/22            172.16.36.0    255.255.252.0
    Seattle     172.16.40.0/22            172.16.40.0    255.255.252.0
    Boston      172.16.52.0/22            172.16.52.0    255.255.252.0
    Boston      172.16.56.0/22            172.16.56.0    255.255.252.0
    Vancouver   172.16.44.0/22            172.16.44.0    255.255.252.0
    Vancouver   172.16.48.0/22            172.16.48.0    255.255.252.0
    Montreal    172.16.60.0/22            172.16.60.0    255.255.252.0
    Montreal    172.16.64.0/22            172.16.64.0    255.255.252.0
    Milan       172.16.128.0/22           172.16.128.0   255.255.252.0
    Milan       172.16.132.0/22           172.16.132.0   255.255.252.0
    Milan       172.16.136.0/22           172.16.136.0   255.255.252.0
    Seville     172.16.160.0/22           172.16.160.0   255.255.252.0
    Seville     172.16.164.0/22           172.16.164.0   255.255.252.0
    HongKong    172.16.84.0/22            172.16.84.0    255.255.252.0
    HongKong    172.16.88.0/22            172.16.88.0    255.255.252.0
    HongKong    172.16.92.0/22            172.16.92.0    255.255.252.0
    Tokyo       172.16.76.0/22            172.16.76.0    255.255.252.0

    Table 32 Active Directory Subnets and IP Subnets in the Trey Research Forest

    Site      Active Directory Subnet   Address        Mask
    Renton    172.16.12.0/22            172.16.12.0    255.255.252.0
    Renton    172.16.16.0/22            172.16.16.0    255.255.252.0
    Renton    172.16.20.0/22            172.16.20.0    255.255.252.0
    Atlanta   172.16.116.0/22           172.16.116.0   255.255.252.0
    Atlanta   172.16.120.0/22           172.16.120.0   255.255.252.0
    Atlanta   172.16.124.0/22           172.16.124.0   255.255.252.0
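A subnet object is only useful if its address is actually aligned to its mask and if no subnet is claimed by two sites, because a client is placed in a site by matching its address against the subnet objects. The following script is an added example and not code from the guide: it takes the site-to-subnet mapping from Tables 31 and 32 (constructed here as Python dictionaries), validates it, and resolves an address to its site by longest-prefix match. The validation also rejects a misaligned entry such as 172.16.78.0/22, which appears in Table 29 but has host bits set and is therefore not a /22 network.

```python
"""Resolve a client IP address to its Active Directory site and check the subnet table.

Added example, not from the guide. Longest-prefix match is used so that a
more specific subnet object wins over a wider one covering the same address.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SubnetTable = List[Tuple[ipaddress.IPv4Network, str]]

# Constructed from Table 31: Contoso forest, site name -> Active Directory subnets.
CONTOSO_SITE_SUBNETS: Dict[str, List[str]] = {
    "Seattle":   ["172.16.4.0/22", "172.16.8.0/22", "172.16.24.0/22", "172.16.28.0/22",
                  "172.16.32.0/22", "172.16.36.0/22", "172.16.40.0/22"],
    "Boston":    ["172.16.52.0/22", "172.16.56.0/22"],
    "Vancouver": ["172.16.44.0/22", "172.16.48.0/22"],
    "Montreal":  ["172.16.60.0/22", "172.16.64.0/22"],
    "Milan":     ["172.16.128.0/22", "172.16.132.0/22", "172.16.136.0/22"],
    "Seville":   ["172.16.160.0/22", "172.16.164.0/22"],
    "HongKong":  ["172.16.84.0/22", "172.16.88.0/22", "172.16.92.0/22"],
    "Tokyo":     ["172.16.76.0/22"],
}

# Constructed from Table 32: Trey Research forest.
TREY_SITE_SUBNETS: Dict[str, List[str]] = {
    "Renton":  ["172.16.12.0/22", "172.16.16.0/22", "172.16.20.0/22"],
    "Atlanta": ["172.16.116.0/22", "172.16.120.0/22", "172.16.124.0/22"],
}


def build_subnet_table(site_subnets: Dict[str, List[str]]) -> Tuple[SubnetTable, List[str]]:
    """Parse the mapping into (table, issues); bad entries are reported, not loaded."""
    table: SubnetTable = []
    issues: List[str] = []
    seen: Dict[ipaddress.IPv4Network, str] = {}
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            try:
                # strict=True refuses an address that is not on the mask boundary.
                net = ipaddress.IPv4Network(cidr, strict=True)
            except ValueError as exc:
                issues.append(f"{site}: {cidr} rejected ({exc})")
                continue
            if net in seen:
                issues.append(f"{cidr} is assigned to both {seen[net]} and {site}")
                continue
            seen[net] = site
            table.append((net, site))
    # Most specific prefixes first, so the first hit is the longest match.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table, issues


def site_for_address(address: str, table: SubnetTable) -> Optional[str]:
    """Return the site whose most specific subnet contains the address, or None."""
    ip = ipaddress.IPv4Address(address)
    for net, site in table:
        if ip in net:
            return site
    return None


if __name__ == "__main__":
    contoso, problems = build_subnet_table(CONTOSO_SITE_SUBNETS)
    print("issues:", problems)
    for addr in ("172.16.132.21", "172.16.88.13", "172.16.48.14", "10.0.0.1"):
        print(addr, "->", site_for_address(addr, contoso))
```

Addresses that fall outside every subnet object return None; in Active Directory such a client is not associated with any site, so the table is worth checking for gaps as well as for the overlaps and misaligned entries this script reports.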

    Create Active Directory Site Links

    The next step in configuring the sites and site topology for each forest is to create the Active Directory site links. The directory planner, site topology owner, and network group determine the site links that you create. Create Active Directory site links by using the Active Directory Sites and Services snap-in.

    To create Active Directory site links in your environment

    1. Review the site topology design worksheet provided by your design team, focusing on the site link section of the worksheet.

    2. Create the Active Directory site links specified in the site topology worksheet.

    Contoso example: Creating Active Directory site links

    1. Identify the Contoso locations, Trey Research locations, and the primary communication links between locations as shown in Figure 10 and listed in Table 33.

    Figure 10: Map of Contoso locations and communications links

    Table 33 Links Between Locations and the Available Data Rate

    Location        Linked Location   Link Type                               Available Data Rate
    Seattle         Boston            ISDN (128.8 Kbps)                       No more than 56 Kbps.
    Seattle         Vancouver         T1 (1.544 megabits per second (Mbps))   No more than 44 Kbps.
    Seattle         Montreal          ISDN (128.8 Kbps)                       No more than 26 Kbps.
    Seattle         Milan             T1 (1.544 Mbps)                         No more than 150 Kbps, but with 450-millisecond latency.
    Seattle         Renton            DSL (700 Kbps)                          No more than 500 Kbps.
    Seattle         Atlanta           T1 (1.544 Mbps)                         No more than 60 Kbps.
    Seattle         Hong Kong SAR     T1 (1.544 Mbps)                         No more than 200 Kbps, but with 450-millisecond latency.
    Milan           Seville           ISDN (128.8 Kbps)                       No more than 56 Kbps.
    Hong Kong SAR   Tokyo             ISDN (128.8 Kbps)                       No more than 56 Kbps.

    2. Create the Active Directory site links in the Contoso forest and the Trey Research forest by using the Active Directory Sites and Services snap-in and the information listed in Table 34 and Table 35.

    Table 34 Active Directory Site Links in the Contoso Forest

    Link      Site      Site        Cost
    SEA-BOS   Seattle   Boston      586
    SEA-VAN   Seattle   Vancouver   644
    SEA-MON   Seattle   Montreal    798
    SEA-MIL   Seattle   Milan       486
    SEA-HKG   Seattle   HongKong    486
    MIL-SEV   Milan     Seville     586
    HKG-TOK   HongKong  Tokyo       586

    Table 35 Active Directory Site Links in the Trey Research Forest

    Link      Site     Site      Cost
    REN-ATL   Renton   Atlanta   567
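Site link costs matter because they decide which route intersite replication takes when more than one is possible. The script below is an added example and not code from the guide: it loads the site links and costs from Tables 34 and 35 and computes the least-cost route between two sites with Dijkstra's algorithm. It assumes the default setting in which all site links are bridged (transitive), so that a route may pass through intermediate sites; with that assumption, the route it reports is the one along which the intersite topology generator would connect the two sites.

```python
"""Least-cost replication route between sites, from the site link costs in Tables 34 and 35.

Added example, not from the guide. Assumes all site links are bridged
(the Windows 2000 default), so replication can transit intermediate sites.
"""
import heapq
from typing import Dict, List, Optional, Tuple

Link = Tuple[str, str, str, int]  # (link name, site, site, cost)

# Constructed from Table 34 (Contoso forest) and Table 35 (Trey Research forest).
CONTOSO_SITE_LINKS: List[Link] = [
    ("SEA-BOS", "Seattle", "Boston", 586),
    ("SEA-VAN", "Seattle", "Vancouver", 644),
    ("SEA-MON", "Seattle", "Montreal", 798),
    ("SEA-MIL", "Seattle", "Milan", 486),
    ("SEA-HKG", "Seattle", "HongKong", 486),
    ("MIL-SEV", "Milan", "Seville", 586),
    ("HKG-TOK", "HongKong", "Tokyo", 586),
]
TREY_SITE_LINKS: List[Link] = [("REN-ATL", "Renton", "Atlanta", 567)]


def build_graph(links: List[Link]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Adjacency list: site -> [(neighbouring site, link cost, link name)]."""
    graph: Dict[str, List[Tuple[str, int, str]]] = {}
    for name, site_a, site_b, cost in links:
        if cost <= 0:
            raise ValueError(f"site link {name} must have a positive cost")
        graph.setdefault(site_a, []).append((site_b, cost, name))
        graph.setdefault(site_b, []).append((site_a, cost, name))
    return graph


def least_cost_route(links: List[Link], source: str,
                     destination: str) -> Optional[Tuple[int, List[str]]]:
    """Return (total cost, [site links traversed in order]) or None if unreachable."""
    graph = build_graph(links)
    if source not in graph or destination not in graph:
        return None
    best: Dict[str, int] = {source: 0}
    previous: Dict[str, Tuple[str, str]] = {}  # site -> (site it was reached from, link)
    heap: List[Tuple[int, str]] = [(0, source)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best[site]:
            continue  # stale heap entry; a cheaper path was already found
        if site == destination:
            break
        for neighbour, link_cost, link_name in graph[site]:
            candidate = cost + link_cost
            if candidate < best.get(neighbour, float("inf")):
                best[neighbour] = candidate
                previous[neighbour] = (site, link_name)
                heapq.heappush(heap, (candidate, neighbour))
    if destination not in best:
        return None
    route: List[str] = []
    site = destination
    while site != source:  # walk back from the destination collecting link names
        site, link_name = previous[site]
        route.append(link_name)
    route.reverse()
    return best[destination], route


if __name__ == "__main__":
    print(least_cost_route(CONTOSO_SITE_LINKS, "Seville", "Tokyo"))
    print(least_cost_route(CONTOSO_SITE_LINKS, "Vancouver", "Boston"))
    print(least_cost_route(TREY_SITE_LINKS, "Renton", "Atlanta"))
```

For Seville to Tokyo the route runs MIL-SEV, SEA-MIL, SEA-HKG, HKG-TOK at a total cost of 2144; a site in the Trey Research forest has no route to a Contoso site because the two forests share no site links.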

    Configuring Operations Master Roles

    After creating the Active Directory site links, you are ready to configure the operations master roles for the domain controllers. By default, the first domain controller in the forest root is assigned all operations master roles. Transfer the domain-wide operations master roles to the second domain controller in the forest root.

    Deployment Best Practice

    In Active Directory, the domain naming master operations master must be a global catalog server. However, the infrastructure master must not be a global catalog. As a result, it is not possible to have all operations master roles on the same domain controller. As a best practice, configure the forest-wide and domain-wide operations master roles on different domain controllers and monitor these domain controllers closely.

    To configure the operations master roles for the domain controllers in your environment

    1. Transfer the following domain-wide roles to second_domain_controller (where second_domain_controller is the name of the second forest root domain controller in the primary site) by using the Active Directory Users and Computers snap-in of Microsoft Management Console (MMC):

    • Primary domain controller (PDC) operations master
    • Relative ID (RID) pool master
    • Infrastructure master

    2. Verify that the forest-wide roles listed in Table 36 are still on first_domain_controller (where first_domain_controller is the name of the first forest root domain controller in the primary site) by using the corresponding verification method.

    Table 36 Forest-wide Operations Master Roles and Verification Methods

    Operations Master Role   Verification Method
    Schema master            Active Directory Schema snap-in of Microsoft Management Console (MMC)
    Domain naming master     Active Directory Domains and Trusts snap-in of Microsoft Management Console (MMC)

    For more information about verifying operations master roles, see Windows 2000 Server Help.

    Contoso example: Configuring the operations master roles for the domain controllers

    Configure the operations master roles for the domain controllers in the Contoso example by using the process described above and the information provided in Table 37.

    Table 37 Information for Configuring Operations Master Roles in the Contoso Example

    When Prompted For          In Contoso Use   In Trey Research Use
    first_domain_controller    SEA-CON-DC-01    REN-TRC-DC-01
    second_domain_controller   SEA-CON-DC-02    REN-TRC-DC-02
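The placement rules in the best practice above (domain naming master on a global catalog server, infrastructure master off the global catalog, forest-wide and domain-wide roles on different domain controllers) can be checked against an inventory of domain controllers before and after the transfer. The script below is an added example and not code from the guide: the two inventories are constructed from Table 37, one showing the default state in which the first domain controller holds every role and one showing the target state after step 1. That SEA-CON-DC-01 is a global catalog server is an assumption that follows from its being the first domain controller in the forest, which Windows 2000 makes a global catalog automatically; the check also assumes a single forest root domain, so that each role must be held exactly once.

```python
"""Check operations master placement in the forest root domain against the stated rules.

Added example, not from the guide. Assumes one domain (the forest root), so
every role is expected to be held by exactly one domain controller.
"""
from typing import Dict, List

FOREST_WIDE_ROLES = ("schema master", "domain naming master")
DOMAIN_WIDE_ROLES = ("PDC operations master", "RID pool master", "infrastructure master")


def check_operations_masters(dcs: List[Dict]) -> List[str]:
    """Return one finding per violated rule; an empty list means the placement complies."""
    holders: Dict[str, List[str]] = {role: [] for role in FOREST_WIDE_ROLES + DOMAIN_WIDE_ROLES}
    is_gc = {dc["name"]: bool(dc["global_catalog"]) for dc in dcs}
    for dc in dcs:
        for role in dc["roles"]:
            if role not in holders:
                raise ValueError(f"unknown operations master role {role!r}")
            holders[role].append(dc["name"])

    findings: List[str] = []
    for role, names in holders.items():
        if len(names) != 1:
            findings.append(f"{role} is held by {len(names)} domain controllers; expected exactly one")
    naming = holders["domain naming master"]
    if len(naming) == 1 and not is_gc[naming[0]]:
        findings.append(f"domain naming master {naming[0]} is not a global catalog server")
    infra = holders["infrastructure master"]
    if len(infra) == 1 and is_gc[infra[0]]:
        findings.append(f"infrastructure master {infra[0]} is a global catalog server")
    forest_dcs = {name for role in FOREST_WIDE_ROLES for name in holders[role]}
    domain_dcs = {name for role in DOMAIN_WIDE_ROLES for name in holders[role]}
    for name in sorted(forest_dcs & domain_dcs):
        findings.append(f"{name} holds both forest-wide and domain-wide operations master roles")
    return findings


# Constructed from Table 37: the state right after the first domain controller
# was promoted, with every role still on SEA-CON-DC-01.
CONTOSO_DEFAULT = [
    {"name": "SEA-CON-DC-01", "global_catalog": True,
     "roles": list(FOREST_WIDE_ROLES + DOMAIN_WIDE_ROLES)},
    {"name": "SEA-CON-DC-02", "global_catalog": False, "roles": []},
]

# Constructed target state after step 1 transfers the domain-wide roles.
CONTOSO_TARGET = [
    {"name": "SEA-CON-DC-01", "global_catalog": True, "roles": list(FOREST_WIDE_ROLES)},
    {"name": "SEA-CON-DC-02", "global_catalog": False, "roles": list(DOMAIN_WIDE_ROLES)},
]


if __name__ == "__main__":
    print("default:", check_operations_masters(CONTOSO_DEFAULT))
    print("target: ", check_operations_masters(CONTOSO_TARGET))
```

The default state produces two findings, the infrastructure master sitting on a global catalog server and one domain controller holding both classes of role; the target state produces none. Moving the infrastructure master to a global catalog server, or losing a role holder without seizing the role, shows up the same way.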

    Deploying Additional Domain Controllers in Other Sites

    After you deploy the additional forest root domain controller in the same site, deploy additional forest root domain controllers in other sites.

    To deploy additional forest root domain controllers in other sites:

    1. Install Windows 2000.
    2. Install Active Directory.
    3. Verify the Active Directory installation.
    4. Configure DNS server recursive name resolution.
    5. Update the DNS delegation.

    Install Windows 2000

    The first step in deploying additional root domain controllers in other sites is to install Windows 2000 on the computers that you want to make the domain controllers.

    To install Windows 2000 on the additional domain controllers in your environment

    Install Windows 2000 on the additional domain controllers in other sites of your forest root domain by using the process listed in Table 38.

    Table 38 Process for Installing Windows 2000 on the Additional Domain Controller in the Forest Root

    When Prompted For        Use
    Format partitions        NTFS
    Computer name            computer_name (where computer_name is the computer name of the additional forest root domain controller).
    IP address               ip_address (where ip_address is the fixed IP address that you assign to the additional forest root domain controller).
    Subnet mask              subnet_mask (where subnet_mask is the subnet mask that you assign to the additional forest root domain controller).
    Administrator password   strong_password (where strong_password is any strong password).
    Networking components    DNS; Internet Protocol (TCP/IP)
    Primary WINS server      primary_wins_server (where primary_wins_server is the IP address of the existing primary WINS server, or leave blank if there is no existing WINS infrastructure).
    Secondary WINS server    secondary_wins_server (where secondary_wins_server is the IP address of another existing WINS server, or leave blank if there is no existing WINS infrastructure).
    Preferred DNS server     preferred_dns_server (where preferred_dns_server is the IP address of another forest root domain controller that is connected through the minimum number of network segments).
    Alternate DNS server     alternate_dns_server (where alternate_dns_server is the IP address of this domain controller).

    Contoso example: Installing Windows 2000 on the additional domain controllers

    Install Windows 2000 on additional forest root domain controllers in other sites for Contoso by using the process described above and the information provided in Table 39.

    Table 39 Information for Installing Windows 2000 in the Contoso Example

    When Prompted For      In Vancouver Use   In Milan Use    In Hong Kong SAR Use
    computer_name          VAN-CON-DC-01      MIL-CON-DC-01   HKG-CON-DC-01
    ip_address             172.16.48.14       172.16.132.21   172.16.88.13
    subnet_mask            255.255.252.0      255.255.252.0   255.255.252.0
    strong_password        Uj76-3R5           U75tGH#2        H6y-#4uK
    primary_wins_server    172.16.48.15       172.16.132.15   172.16.88.15
    preferred_dns_server   172.16.16.22       172.16.16.22    172.16.16.22
    alternate_dns_server   172.16.48.14       172.16.132.21   172.16.88.13

    Install Active Directory

    Install Active Directory on the computer that you want to make the additional forest root domain controller by running the Active Directory Installation Wizard.

    The Active Directory Installation Wizard:

    • Creates the Active Directory database.
    • Initializes the directory data in the database.
    • Creates an Active Directory-integrated zone for the forest root domain.

    Note: When your organization has no existing DNS infrastructure, the Active Directory Installation Wizard automatically creates an internal root zone (expressed as "."). The new root zone acts as the authoritative root for your organization.

    To install Active Directory on the additional forest root domain controller in your environment

    1. From a command prompt, type nslookup parent_domain (where parent_domain is the fully qualified domain name of the forest root domain's parent domain).

    2. From a command prompt, type nslookup forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).

    3. From a command prompt, type nslookup first_domain_controller.forest_root_domain (where first_domain_controller is the computer name of the first forest root domain controller and forest_root_domain is the fully qualified domain name of the forest root domain).

    Successful completion of the nslookup commands verifies that DNS is properly configured.

    4. Install Active Directory on the additional forest root domain controller in the primary site by running the Active Directory Installation Wizard and by using the information provided in Table 40 to complete the wizard. Accept default settings when no information is specified.

    Table 40 Information for Installing Active Directory on the Additional Domain Controller

    Wizard Page                                              Action
    Domain Controller Type                                   Click Additional domain controller for an existing domain.
    Network Credentials                                      In the User name box, type user_name (where user_name is the name of an account that is a member of the enterprise admins global group). In the Password box, type password (where password is the password of the user name). In the Domain box, type forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).
    Additional Domain Controller                             Click Browse. In the Browse for Domain dialog box, click forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain), and then click OK.
    Directory Services Restore Mode Administrator Password   In the Password and Confirm password boxes, type strong_password (where strong_password is any strong password).

    Contoso example: Installing Active Directory on the additional domain controller

    Install Active Directory on the additional forest root domain controller in the primary site for the Contoso example by using the process described above and the information provided in Table 41.

    Table 41 Information for Installing Active Directory in the Contoso Example

    When Prompted For                In Vancouver Use      In Milan Use          In Hong Kong SAR Use
    parent_domain                    contoso.com           contoso.com           contoso.com
    forest_root_domain               concorp.contoso.com   concorp.contoso.com   concorp.contoso.com
    first_forest_domain_controller   VAN-CON-DC-01         MIL-CON-DC-01         HKG-CON-DC-01
    user_name                        Administrator         Administrator         Administrator
    password                         U9#yKp-               U9#yKp-               U9#yKp-
    strong_password                  #32-UpYz              Re-3Y34a              P23#aR-4

    Verify the Active Directory Installation

    After you run the Active Directory Installation Wizard to install Active Directory, verify the Active Directory installation.

    To verify the Active Directory installation on the additional forest root domain controllers in your environment

    1. Review the Windows 2000 event log for any errors.
    2. From a command prompt, run Dcdiag.exe and review any errors that are reported.
    3. Run Task Manager to examine that the processor and me