
Chapter 6

Deploying the Windows Server 2003 Forest Root Domain
Deploying your forest root domain is the first step in deploying the Active Directory® directory service
infrastructure in your organization.

In This Chapter
Overview of Deploying the Forest Root Domain ............ 228
Reviewing the Active Directory Design ..................... 231
Configuring DNS for the Forest Root Domain ............... 235
Creating the Forest Root Domain .......................... 237
Raising the Functional Level ............................. 255
Additional Resources ..................................... 256

Related Information
• For more information about designing the Active Directory logical structure and the Domain
Name System (DNS) infrastructure needed to support Active Directory, see “Designing the
Active Directory Logical Structure” in this book.
• For more information about designing the Active Directory site topology, see “Designing the
Site Topology” in this book.
• For more information about domain controller capacity planning for Active Directory, see
“Planning Domain Controller Capacity” in this book.
• For more information about designing and deploying a DNS infrastructure for name
resolution for your network, see “Deploying DNS” in Deploying Network Services in this
kit.
228 Chapter 6 Deploying the Windows Server 2003 Forest Root Domain

Overview of Deploying the Forest Root Domain
The first domain that you create in your Active Directory forest is automatically designated as the forest root
domain. The forest root domain provides the foundation for your Active Directory forest infrastructure. You
must create the forest root domain before you create regional domains or upgrade other Microsoft®
Windows NT® 4.0 domains in order to join them to an existing forest. In addition, services that are running
on forest root domain controllers, such as the Kerberos version 5 authentication protocol, must be highly
available to ensure that users maintain access to resources throughout the forest.
Before you deploy your forest root domain, your design team must design your Active Directory logical
structure and site topology and plan your hardware requirements for domain controllers that are running the
Microsoft® Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; and
Windows® Server 2003, Datacenter Edition operating systems. During the forest root domain deployment,
you begin to implement the Active Directory design that your design team has provided, including the DNS
infrastructure that Active Directory requires.
The forest owner is responsible for deploying the forest root domain. After the forest root domain
deployment is complete, deploy the remainder of your Active Directory forest as specified by your Active
Directory design. The tasks that you must perform to deploy the remainder of your Active Directory forest
depend on whether your design specifies a single domain forest or a multiple domain forest.
• Single domain forest. If your Active Directory forest design requires only a single domain,
then the forest root domain will also contain all your users, groups, and resources. To deploy
this model, you can create an organizational unit (OU) structure after the forest root domain
deployment is complete. Then you can restructure Windows NT account and resource
domains into the forest root domain.
• Multiple domain forest. In a multiple domain design, the forest root domain can be a
dedicated root used only for administration of the forest, or it can contain users, groups, and
resources in addition to the forest administration accounts. Once the forest root domain is
deployed, the forest owner will create one or more regional child domains to complete the
Active Directory forest hierarchy. The regional domains can be created either by upgrading
existing Windows NT 4.0 or Microsoft® Windows® 2000 domains or by deploying
additional new domains.
For more information about upgrading Windows NT domains, see “Upgrading Windows NT 4.0 Domains to
Windows Server 2003 Active Directory” in this book. For more information about deploying additional
regional domains, see “Deploying Windows Server 2003 Regional Domains” in this book. For more
information about restructuring Windows NT domains, see “Restructuring Windows NT 4.0 Domains to an
Active Directory Forest” in this book.

Process for Deploying the Forest Root Domain
Deploying the forest root domain involves completing the tasks that are shown in Figure 6.1. Only
organizations with an existing DNS infrastructure or organizations whose DNS services are provided by an
Internet service provider will configure DNS for the forest root domain. Other organizations will skip the
task, allowing the Active Directory Installation Wizard to automatically create an internal root zone, which
acts as the authoritative root for the organization.
Figure 6.1 Deploying the Forest Root Domain

Background Information for Deploying the Forest Root Domain
Before you deploy the forest root domain, understand the importance of maintaining the availability of forest
root domain controllers. Also become familiar with how you can save time during the deployment process by
automating installations and by using the Active Directory Installation Wizard.

Forest Root Domain Controller Availability
The forest root domain has different characteristics than other domains in the forest. It is the center of
Kerberos authentication referrals and the domain controllers in the forest root domain host the forest-level
operations master roles, in addition to domain-level operations master roles.
Because the forest root domain has a unique role in the forest, take the following precautions to ensure forest
root domain controller availability:
• Because forest root domain controllers are used for Kerberos authentication referrals, ensure
that at least one forest root domain controller is always online.
• Changes to the schema require the schema master to be online.
• Changes to the domain infrastructure, including adding, removing, or renaming domains or
application directory partitions, require the domain naming master to be online.
Maintain current backups of forest root domain controllers. Although corrupted data does not replicate out to
other domains, maintaining current backups allows you to quickly restore a domain controller to its original
state if data on the domain controller ever becomes corrupted.
For information about planning forest root domain controller placement to ensure availability, see “Designing
the Site Topology” in this book.

Automated Installations
You can perform an unattended installation of Active Directory by supplying an answer file when you run the
Active Directory Installation Wizard. For more information about using an answer file to install Active
Directory, in Help and Support Center for Windows Server 2003, click Tools, and click Windows Support
Tools. Search for Ref.chm in the Deploy.cab file for examples and instructions about creating an answer file.
You can also automate the installation of Windows Server 2003 by using Sysprep.exe or an unattended
installation. For more information about automating installations of Windows Server 2003, see Automating
and Customizing Installations in this kit.

The Active Directory Installation Wizard
Windows Server 2003 includes improvements to the Active Directory Installation Wizard. When you install
the first domain controller in a domain, you can allow the wizard to automatically install and configure
Active Directory–integrated DNS. Even if you need to manually configure some settings later, the wizard
saves time and prevents errors during the initial configuration.

Reviewing the Active Directory Design
Begin your forest root domain deployment by reviewing Active Directory design information, as shown in
Figure 6.2.
Figure 6.2 Reviewing the Active Directory Design

Review the Active Directory Logical Structure Design
Review the Active Directory logical structure design that your design team completed, including the DNS
infrastructure that is planned for supporting Active Directory. If your organization has an existing DNS
infrastructure, review current network diagrams and DNS domain hierarchy diagrams. Also review the
existing DNS zone configuration, replication, and resource records that are used for delegation and
forwarding.
Document the information that you will need to install Windows Server 2003 and to configure DNS on each
domain controller in the forest root domain. For a worksheet to assist you in documenting this information,
see “Domain Controller Configuration” (DSSDFR_1.doc) on the Microsoft® Windows® Server 2003
Deployment Kit companion CD (or see “Domain Controller DNS Configuration” on the Web at
http://www.microsoft.com/reskit).

Example: Reviewing the Active Directory Logical Structure Design for Trey Research
The Active Directory logical structure design for Trey Research requires the deployment team to create a new
dedicated forest root domain, trccorp.treyresearch.net. They will then create two regional domains:
• A new regional domain, west.trccorp.treyresearch.net.
• A regional domain, east.trccorp.treyresearch.net, created by upgrading an existing
Windows NT 4.0 domain, and then restructuring several other existing Windows NT 4.0
domains into it.
The deployment team reviews the existing DNS infrastructure for the Trey Research business unit. Their
existing DNS infrastructure provides name resolution for all internal resources, including:
• Any servers, such as Web or mail servers, that reside in the perimeter network (also known as
the DMZ) and are accessed by Internet users.
• Any computers, or other network devices, that reside in the private network and run a non-
Windows operating system, such as UNIX or Macintosh operating systems.

Note
Windows NT 4.0–based computers in the private network use Windows
Internet Name Service (WINS) to provide name resolution.

Trey Research’s registered DNS domain name is treyresearch.net. This DNS domain name:
• Provides DNS naming for computers that are accessed by Internet users.
• Represents the external DNS namespace for the business unit.
• Runs on the Berkeley Internet Name Domain (BIND) DNS servers (SEA-TREY-DNS-01
and SEA-TREY-DNS-02) that are placed in the perimeter network.
Figure 6.3 shows an example of a completed domain controller configuration worksheet, showing the TCP/IP
client settings for the domain controllers planned for the Trey Research forest root domain. For each domain
controller, the preferred DNS server is the local domain controller, and the alternate is the closest DNS
server. Initially, however, Trey Research configures the first domain controller in the domain to use a DNS
server in its parent DNS domain as its preferred DNS server. During installation of Active Directory on the
first domain controller, the preferred DNS server is changed to the local domain controller. Then, after the
second domain controller is online, Trey Research reconfigures the first domain controller to use the second
domain controller as its alternate DNS server.
Figure 6.3 Example of a Domain Controller Configuration Worksheet

Review Site Topology Design
Review your site topology design information, including:
• Site and subnet design.
• Site link design.
The site topology design team can provide worksheets that document the site topology information that you
will need to configure the site topology for the forest.
Figure 6.4 shows an example of a completed Associating Subnets with Sites worksheet for Trey Research.
The worksheet lists the sites that will be created for Trey Research and the corresponding locations and
subnets to be included in each site. The Trey Research site topology design specifies that the Phoenix subnets
are associated with the Seattle site.
Figure 6.4 Example of an Associating Subnets with Sites Worksheet

Figure 6.5 shows an example of a completed Sites and Associated Site Links worksheet for Trey Research,
including the communication links between locations.

Figure 6.5 Example of a Sites and Associated Site Links Worksheet

Review Hardware Requirements
Ensure that each computer that you plan to use as a domain controller meets the hardware requirements for
running Windows Server 2003. For more information about assessing the hardware requirements of domain
controllers in a Windows Server 2003 domain, see “Planning Domain Controller Capacity” in this book.

Configuring DNS for the Forest Root Domain
To configure DNS for the forest root domain, the DNS administrator of your organization delegates the zone
that matches the name of the forest root domain to the DNS servers (domain controllers) that you will be
installing in the forest root domain. Figure 6.6 shows when configuring DNS for the forest root domain
occurs within the forest root domain deployment process.

Important
When no DNS infrastructure exists, skip this step in the forest root
domain deployment process and proceed to the next step, “Creating
the Forest Root Domain.” The remainder of this step describes the
process of configuring and delegating a zone in the existing DNS
internal namespace.

Figure 6.6 Configuring DNS for the Forest Root Domain

In preparation for the forest root domain deployment, create a delegation for the DNS servers that will be
running on the domain controllers in the forest root domain. Create the delegation by adding DNS name
server (NS) and address (A) resource records to the parent DNS zone.

Note
The delegation that occurs in this step references the first forest root
domain controller, which does not currently exist. The DNS service is
installed and configured on the first forest root domain controller in a
subsequent step.

To delegate the DNS zone for the forest root domain

1. Create a name server (NS) resource record in the parent zone. Use the left-most portion of
the forest root domain name, and the full DNS name of the domain controller.
forest_root_domain IN NS domain_controller_name
2. Create a host address (A) resource record in the parent zone. Use the full DNS name of the
domain controller.
domain_controller_name IN A domain_controller_ip_address

For example, the DNS administrator for Trey Research created the following DNS resource
records in the parent zone, treyresearch.net:
• trccorp IN NS SEA-TRC-DC01.trccorp.treyresearch.net
• SEA-TRC-DC01.trccorp.treyresearch.net IN A 172.16.16.2
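
As an added illustration (not part of this chapter), the following Python script parses parent-zone records written in the chapter's "owner IN TYPE rdata" notation and checks that a delegation is usable: an NS record for the child exists, every name server that lies inside the delegated zone has a glue A record in the parent zone, and the glue addresses are well-formed. The sample records are constructed from the Trey Research example above; the parent zone's own NS record is an assumption added for context.

```python
"""Check a parent-zone delegation for a forest root domain.

Added example, not part of the Deployment Kit. A delegation whose NS
target sits inside the delegated zone (SEA-TRC-DC01.trccorp.treyresearch.net
inside trccorp.treyresearch.net) can only be followed if the parent zone
also carries the target's address as a glue A record; the checker below
flags a delegation that lacks it, or whose glue address is not a valid IP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Record:
    owner: str  # fully qualified, lower-case, no trailing dot
    rtype: str  # NS, A, ...
    rdata: str  # NS target (normalised like owner) or A address


def _absolute(name: str, parent: str) -> str:
    """Return name as a lower-case FQDN without trailing dot.

    A name is taken as absolute when it ends with the parent zone name
    (the loose notation the chapter uses) or with a trailing dot (BIND
    notation); anything else is relative to the parent zone.
    """
    name = name.lower()
    if name.endswith("."):
        return name.rstrip(".")
    if name == parent or name.endswith("." + parent):
        return name
    return f"{name}.{parent}"


def parse_zone_lines(lines: Iterable[str], parent_zone: str) -> List[Record]:
    """Parse 'owner IN TYPE rdata' lines from the parent zone."""
    parent = parent_zone.lower().rstrip(".")
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        owner, _, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype == "NS":
            rdata = _absolute(rdata, parent)
        records.append(Record(_absolute(owner, parent), rtype, rdata))
    return records


def check_delegation(records: List[Record], parent_zone: str, child_label: str) -> List[str]:
    """Return a list of problems with the delegation (empty means OK)."""
    parent = parent_zone.lower().rstrip(".")
    child = f"{child_label.lower()}.{parent}"
    problems = []
    ns_targets = [r.rdata for r in records if r.owner == child and r.rtype == "NS"]
    if not ns_targets:
        problems.append(f"no NS record for {child} in {parent}")
    for target in ns_targets:
        in_child = target == child or target.endswith("." + child)
        glue = [r for r in records if r.owner == target and r.rtype == "A"]
        if in_child and not glue:
            # The name server lives inside the zone being delegated, so the
            # parent must carry its address or resolvers cannot reach it.
            problems.append(f"missing glue A record for {target}")
        for g in glue:
            try:
                ipaddress.ip_address(g.rdata)
            except ValueError:
                problems.append(f"invalid address {g.rdata!r} for {target}")
    return problems


def delegation_lines(child_label: str, dc_fqdn: str, dc_ip: str) -> List[str]:
    """Build the two records the chapter asks the parent-zone administrator to add."""
    return [f"{child_label} IN NS {dc_fqdn}", f"{dc_fqdn} IN A {dc_ip}"]


# Constructed sample: the records the Trey Research DNS administrator adds to
# treyresearch.net. The zone's own NS record is an assumption added for context.
PARENT_ZONE = "treyresearch.net"
SAMPLE_ZONE = [
    "; delegation for the forest root domain, created before the DC exists",
    "treyresearch.net IN NS SEA-TREY-DNS-01.treyresearch.net",
    *delegation_lines("trccorp", "SEA-TRC-DC01.trccorp.treyresearch.net", "172.16.16.2"),
]

if __name__ == "__main__":
    recs = parse_zone_lines(SAMPLE_ZONE, PARENT_ZONE)
    for line in check_delegation(recs, PARENT_ZONE, "trccorp") or ["delegation OK"]:
        print(line)
```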

Creating the Forest Root Domain
The first step in creating the forest root domain is deploying the first forest root domain controller. The forest
owner is responsible for deploying the forest root domain.
Figure 6.7 illustrates the process for creating the forest root domain.
Figure 6.7 Creating the Forest Root Domain

Deploy the First Forest Root Domain Controller
To deploy the first domain controller in the forest root domain, complete the following tasks:
• Install Windows Server 2003
• Install Active Directory
• Verify the Active Directory installation
• Configure the Windows Time Service
• Verify DNS server recursive name resolution

Install Windows Server 2003 on the First Forest Root Domain Controller
The first step in deploying the first forest root domain controller is to install Windows Server 2003 on the
computer that you want to make the domain controller.

Note
Before installing Windows Server 2003, ensure that DNS was never
previously installed on the computer. If DNS was previously installed,
configuration of the DNS resolver and forwarders might fail.

• Insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain
controller and select the option to install the operating system, or use an automated
installation method. If the Windows Server 2003 media is shared on the network, run the
Winnt32.exe command. Use the NTFS file system to format the partitions. Enter the
computer name, static IP address, and subnet mask as specified by your design.
• In TCP/IP Properties, configure the DNS client settings by using the information
documented in the “Domain Controller Configuration” worksheet. The DNS settings are
temporary and will be changed after you install Active Directory.
• Enable Remote Desktop for Administration (formerly known as Terminal Services in
Remote Administration mode) to enable administrators to log on remotely if necessary. To
enable Remote Desktop for Administration, in Control Panel, double-click System, select
the Remote tab, and then select Allow users to connect remotely to this computer.
• Install Windows Support Tools, which are available in the \Support\Tools folder on the
Windows Server 2003 operating system CD.

Install Active Directory on the First Forest Root Domain Controller
Install Active Directory by running the Active Directory Installation Wizard on the computer that you want to
make the first forest root domain controller. The Active Directory Installation Wizard creates the Active
Directory database and initializes the directory data in the database.
In addition, on the first domain controller in a domain, the wizard also:
• Prompts the administrator to verify the installation and configuration of the DNS Server
service.
• Configures DNS recursive name resolution by forwarding, by adding the IP addresses of the
existing entries for Preferred DNS server and Alternate DNS server to the list of DNS
servers on the Forwarders tab of the Properties sheet in the DNS snap-in for the domain
controller.

Note
If you want to set different forwarders, or do not want to enable
forwarding, you can change this setting manually by using the DNS
snap-in. For manual configuration instructions, see “Verify DNS Server
Recursive Name Resolution on the First Forest Root Domain Controller”
later in this chapter.
If your domain controller is multihomed, forwarding is not configured
automatically.

• Configures DNS recursive name resolution by root hints, by adding the root hints that are
configured on the Preferred DNS server.
• Configures the Preferred DNS server to point to the DNS server that is running locally on
the domain controller, and configures the Alternate DNS server to point to the DNS server
that is connected through the minimum number of network segments.
• Creates two application directory partitions that are used by DNS. The DomainDnsZones
application directory partition holds domain-wide DNS data, and the ForestDnsZones
application directory partition holds forest-wide DNS data.
To install Active Directory on the first forest root domain controller
1. Log on to the Windows Server 2003–based member server.
2. At the command line, type:
dcpromo
– or –
3. Open Administrative Tools and click Configure Your Server Wizard. Select Domain
Controller (Active Directory) to configure your domain controller. After the Configure
Your Server Wizard finishes, the Active Directory Installation Wizard begins.

Use Table 6.1 to complete the Active Directory Installation Wizard. Table 6.1 includes the
specific actions taken by Trey Research as they deploy their first forest root domain
controller, SEA-TRC-DC01.
Table 6.1 Information to Install Active Directory on the First Forest Root Domain Controller
(Columns: Wizard Page or Dialog Box; Action; Example)

Domain Controller Type
  Action: Select Domain controller for a new domain.

Create New Domain
  Action: Select Domain in a new forest.

New Domain Name
  Action: Type the full DNS name of the domain.
  Example: trccorp.treyresearch.net

NetBIOS Domain Name
  Action: Confirm or type the NetBIOS name.
  Example: TRCCORP

Database and Log Folders
  Action: Type the folder locations specified by your design.
  Example: Database folder: C:\WINNT\NTDS; Log folder: D:\Logs

Shared System Volume
  Action: Confirm or type the location specified by your design.
  Example: C:\WINNT\SYSVOL

DNS Registration Diagnostics
  Action: For organizations with an existing DNS infrastructure, a message will indicate that the
  wizard cannot contact the DNS server with which this DC will be registered. This is because the
  pre-created delegation record points to the local computer and DNS has not been installed on the
  domain controller at this point. Select Install and configure the DNS server on this computer
  and set this computer to use this DNS server as its preferred DNS server.
  Example: Before running the Active Directory Installation Wizard, the Trey Research deployment
  team set the Preferred DNS server to 172.16.24.4, which is the IP address of a DNS server in the
  parent zone, treyresearch.net. This address will be automatically moved to the list of
  forwarders, and Preferred DNS server will be set to the local host.

Permissions
  Action: Select the security level specified by your design:
    • Permissions compatible with pre-Windows 2000 server operating systems
    • Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems
  Example: Because Trey Research currently has server programs running on Windows NT 4.0 servers,
  they selected Permissions compatible with pre-Windows 2000 server operating systems.

Directory Service Restore Mode Administration Password
  Action: In the Password and Confirm password boxes, type any strong password.

For more information about installing and removing Active Directory, see the Directory Services Guide of
the Microsoft® Windows® Server 2003 Resource Kit (or see the Directory Services Guide on the Web at
http://www.microsoft.com/reskit).

Verify the Active Directory Installation on the First Forest Root Domain Controller
To verify the Active Directory installation on the first forest root domain controller:
1. Review the Windows Server 2003 event log and resolve any errors.
2. At the command line, run Dcdiag.exe and Netdiag.exe and resolve any errors that are
reported.
For more information about tests you can perform by using Dcdiag and Netdiag, see the
Active Directory link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources. Search under “Administration and
Configuration Guides” and download the Active Directory Operations Guide.
3. Run Task Manager and verify that the processor and memory system resources are within
acceptable limits.
4. Open the DNS snap-in, navigate to Forward Lookup Zones, and verify that the zones
_msdcs.forest_root_domain_name and forest_root_domain_name were created. Expand the
forest_root_domain_name node and verify that DomainDnsZones and ForestDnsZones
were created.

Configure the Windows Time Service
When deploying the forest root domain, it is important to correctly configure the Windows Time Service to
meet your organization’s needs. The Windows Time Service provides time synchronization to peers and
clients, ensuring consistent time throughout an enterprise.
By default, the first domain controller deployed holds the primary domain controller (PDC) emulator
operations master role. Set the PDC emulator to synchronize from a valid Network Time Protocol (NTP)
source. If no source is configured, the service will log a message to the event log, and use the local clock
when providing time to clients. Although Internet NTP sources are valid for this configuration, it is
recommended that a dedicated hardware device, such as a GPS or radio clock, be employed in the interest of
security.
Repeat this operation if you transfer or seize the PDC emulator operations master role to another domain
controller in the forest root domain.
To configure the Windows Time Service on the first forest root domain controller
1. Log on to the domain controller.
2. At the command line, type:
W32tm /config /manualpeerlist:<peers> /syncfromflags:manual
<Peers> is a space-delimited list of DNS names and/or IP addresses. When specifying
multiple peers, the list must be enclosed in quotation marks.
3. Update the Windows Time Service configuration. At the command line, type:
W32tm /config /update
– or –
Net stop w32time
Net start w32time

Note
When specifying a manual peer, do not use the DNS name or IP
address of a computer that uses the forest root domain controller as its
source for time, such as another domain controller in the forest. The
time service will not operate correctly if there are cycles in the time
source configuration.
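
As an added check (not part of this chapter), the following Python script takes each domain controller's manual peer list, in the form passed to w32tm /config /manualpeerlist, and reports any cycle in the time-source configuration as well as any host that cannot trace its time back to a source outside the set of managed computers. The configurations and the host gps-clock.treyresearch.net (standing in for the hardware clock the chapter recommends) are constructed for the example.

```python
"""Check a manual time-source (NTP peer) configuration for cycles.

Added example, not part of the Deployment Kit. The chapter warns that the
Windows Time Service does not operate correctly when the time-source
configuration contains a cycle, for instance when the PDC emulator's manual
peer is a domain controller that in turn takes its time from the forest root.
Each host's manual peer list is given in the form passed to
w32tm /config /manualpeerlist. Host names are constructed for the example.
"""
from typing import Dict, List, Optional


def _normalise(name: str) -> str:
    return name.strip().lower().rstrip(".")


def parse_peer_list(peer_list: str) -> List[str]:
    """Split a /manualpeerlist value: space-delimited, optionally quoted."""
    return [_normalise(p) for p in peer_list.strip().strip('"').split()]


def _build_graph(config: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each managed host to the peers it synchronises from."""
    return {_normalise(h): parse_peer_list(p) for h, p in config.items()}


def find_time_source_cycle(config: Dict[str, str]) -> Optional[List[str]]:
    """Return one cycle as a host list that ends where it starts, or None.

    A peer that is not itself a managed host (an external NTP server, a GPS
    or radio clock) is a leaf: it takes time from nothing we manage, so a
    chain that ends there can never loop.
    """
    graph = _build_graph(config)
    white, grey, black = 0, 1, 2  # unvisited, on the current path, finished
    colour = {h: white for h in graph}
    path: List[str] = []

    def visit(host: str) -> Optional[List[str]]:
        colour[host] = grey
        path.append(host)
        for peer in graph[host]:
            if peer not in graph:  # external source, cannot loop back
                continue
            if colour[peer] == grey:  # back edge: peer is already on the path
                return path[path.index(peer):] + [peer]
            if colour[peer] == white:
                found = visit(peer)
                if found:
                    return found
        path.pop()
        colour[host] = black
        return None

    for host in graph:
        if colour[host] == white:
            found = visit(host)
            if found:
                return found
    return None


def syncs_from_external_source(config: Dict[str, str], host: str) -> bool:
    """True if host can trace its time to a source outside the managed set.

    A host for which this is False has no usable upstream (no peers, or only
    a loop) and falls back to its local clock, as the chapter describes.
    """
    graph = _build_graph(config)
    seen = set()
    stack = [_normalise(host)]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for peer in graph.get(current, []):
            if peer not in graph:
                return True
            stack.append(peer)
    return False


# Constructed configurations for the Trey Research forest root domain.
# gps-clock.treyresearch.net and radio-clock.treyresearch.net stand in for
# dedicated hardware clocks; they are not managed hosts, so they are leaves.
DC01 = "SEA-TRC-DC01.trccorp.treyresearch.net"  # holds the PDC emulator role
DC02 = "SEA-TRC-DC02.trccorp.treyresearch.net"
GOOD_CONFIG = {
    DC01: '"gps-clock.treyresearch.net radio-clock.treyresearch.net"',
    DC02: DC01,  # the second DC follows the PDC emulator
}
BAD_CONFIG = {
    DC01: DC02,  # PDC emulator pointed at a DC that takes its time from the PDC emulator
    DC02: DC01,
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        cycle = find_time_source_cycle(cfg)
        print(label, "cycle:", " -> ".join(cycle) if cycle else "none",
              "| PDC emulator reaches an external source:",
              syncs_from_external_source(cfg, DC01))
```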

For more information about configuring and deploying the Windows Time Service, see the Distributed
Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web
at http://www.microsoft.com/reskit).

Verify DNS Server Recursive Name Resolution on the First Forest Root Domain Controller
DNS server recursive name resolution is configured automatically during the Active Directory installation
process, as described in “Install Active Directory on the First Forest Root Domain Controller” earlier in this
chapter. If your design specifies a different configuration, you can use the DNS snap-in or Dnscmd.exe to
modify these settings.

To verify DNS server recursive name resolution on the first forest root domain controller
• Use the DNS snap-in to verify DNS server recursive name resolution for the method used in
your organization based on the information in Table 6.2.
Table 6.2 Information to Verify DNS Server Recursive Name Resolution
(Columns: Method; Configuration)

Recursive name resolution by root hints
  Configuration: Root hints are the recommended method to use for recursive name resolution in a
  Windows Server 2003 environment. No additional configuration is necessary. When the DNS server
  specified as the Preferred DNS server during the installation process is properly configured,
  the root hints are automatically configured. To verify the root hints by using the DNS snap-in:
    1. In the console tree, right-click the domain controller name, and then click Properties.
    2. In the Properties sheet for the domain controller, view the root hints on the Root Hints tab.

Recursive name resolution by forwarding
  Configuration: Only use Forwarders if that is what your organization’s design specifies. Root
  hints are the recommended method to use for recursive name resolution in a Windows Server 2003
  environment. Forward unresolved queries to specified DNS servers. To verify forwarding by using
  the DNS snap-in:
    1. In the console tree, right-click the domain controller name, and then click Properties.
    2. On the Forwarders tab, in the selected domain’s Forwarders list, verify that the IP
       addresses match those specified by your design.

No existing DNS infrastructure
  Configuration: No additional configuration is necessary. In this environment, if you want to
  configure internal DNS servers to resolve queries for external names, then configure this DNS
  server to forward unresolved queries to an external server, such as one in your perimeter
  network, or one hosted by an Internet service provider.

Deploy the Second Domain Controller in the Same Site
After you deploy the first forest root domain controller, deploy the second forest root domain controller in
the same site, according to the design provided by your design team. To deploy the second forest root domain
controller, complete the following tasks:
• Install Windows Server 2003
• Install Active Directory
• Install DNS Server service
• Verify the Active Directory installation

Install Windows Server 2003 on the Second Domain Controller
The first step in deploying the second forest root domain controller is to install Windows Server 2003 on the
computer that you want to make the second domain controller.

Note
Before installing Windows Server 2003, ensure that DNS was not
previously installed.

• Insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain
controller and select the option to install the operating system, or use an automated
installation method. If the Windows Server 2003 media is shared on the network, run the
Winnt32.exe command. Use NTFS to format the partitions. Enter the computer name, static
IP address, and subnet mask as specified by your design.
• Configure the DNS client settings by using the information documented in the “Domain
Controller Configuration” worksheet (DSSDFR_1.doc).
• Enable Remote Desktop for Administration (formerly known as Terminal Services in
Remote Administration mode) to enable administrators to log on remotely if necessary. To
enable Remote Desktop for Administration, in Control Panel, double-click System, select
the Remote tab, and then select Allow users to connect remotely to this computer.
• Install Windows Support Tools, which are available in the \Support\Tools folder on the
Windows Server 2003 operating system CD.

Install Active Directory on the Second Domain Controller
Install Active Directory on the computer that you want to make the second forest root domain controller by
running the Active Directory Installation Wizard.
The Active Directory Installation Wizard:
• Creates the Active Directory database.
• Initializes the directory data in the database.
On domain controllers other than the first domain controller in a domain, installation of DNS is not
automatic.
To deploy an additional domain controller in an existing domain, you can either let replication copy domain
information from an existing source domain controller over the network or you can use the install from
media feature, new in Windows Server 2003. Install from media allows you to pre-populate Active Directory
with System State data backed up from an existing domain controller. This backup can be present on local
CD, DVD, or hard disk partition. Installing from media drastically reduces the time required to install
directory information by reducing the amount of data that is replicated over the network. Installing from
media is most beneficial in environments with very large domains or for installing new domain controllers
that are connected by a slow network link. To use the install from media feature, you first create a backup of
System State from the existing domain controller, and then restore it to the new domain controller by using
the Restore to: Alternate location option.
To install Active Directory on the second domain controller
1. Log on to the Windows Server 2003–based member server.
2. If you want to copy domain information from restored backup files, at the command line,
type:
dcpromo /adv
– or –
If you want to copy domain information over the network, either type dcpromo (without the
/adv switch) or open Administrative Tools, click Configure Your Server Wizard, and
select Domain Controller (Active Directory) to configure your domain controller. After the
Configure Your Server Wizard finishes, the Active Directory Installation Wizard begins.
3. Use Table 6.3 to help you complete the Active Directory Installation Wizard. Table 6.3 also
includes the specific actions taken by Trey Research as they deployed their second forest
root domain controller, SEA-TRC-DC02.

Table 6.3 Information to Install Active Directory on the Second Forest Root Domain Controller
(Columns: Wizard Page or Dialog Box; Action; Example)

Domain Controller Type
  Action: Select Additional domain controller for an existing domain.

Copying Domain Information
  Action: (This dialog box appears only when you started the Active Directory Installation Wizard
  by typing dcpromo with the /adv switch at the command line or used the Configure Your Server
  Wizard.) Select either:
    • Over the network from a domain controller
    • From these restored backup files
  Example: Trey Research is copying from the first TRCCORP domain controller, SEA-TRC-DC01, which
  is in the same location as the new one, so they selected Over the network to copy the
  information in the shortest time.

Global Catalog
  Action: (This dialog box appears only when From these restored backup files was selected, if
  the domain controller that you backed up was a global catalog server.) Specify whether this
  domain controller should be configured as a global catalog server.

Network Credentials
  Action: In the User name box, type a user account that has sufficient rights to add a domain
  controller, typically a member of Domain Admins. In the Password box, type the password of the
  user account.

Additional Domain Controller
  Action: (This dialog box appears only when Over the network was selected.) Confirm or type the
  full DNS name of the forest root domain.
  Example: trccorp.treyresearch.net

Database and Log Folders
  Action: Type the folder locations specified by your design.
  Example: Database folder: C:\WINNT\NTDS; Log folder: D:\Logs

Shared System Volume
  Action: Confirm or type the location specified by your design.
  Example: C:\WINNT\SYSVOL

Directory Service Restore Mode Administration Password
  Action: In the Password and Confirm password boxes, type any strong password.

Install DNS Server on the Second Domain Controller


After Active Directory installation has finished and the computer has restarted, install DNS on the second
Windows Server 2003–based domain controller that is added to the domain.
To install DNS on additional domain controllers by using the Windows
Components Wizard
1. Click Start, point to Settings, and click Control Panel.
2. Double-click Add or Remove Programs, and then click Add/Remove Windows
Components.
3. In Components, select the Networking Services check box, and then click Details.
4. In Subcomponents of Networking Services, select the Domain Name System (DNS)
checkbox, click OK, and then click Next.
5. If prompted, in Copy files from, type the full path to the distribution files and then click
OK. The required files will be copied to your hard disk.

Verify the Active Directory Installation on the Second Domain Controller
Use the same steps as shown in the procedure for the first domain controller, but instead of verifying that
DomainDnsZones and ForestDnsZones were created, use the repadmin /showreps command to verify that
the ForestDnsZones and DomainDnsZones application directory partitions are replicated successfully. Use
the DNS snap-in to verify that DNS server recursive name resolution is configured according to the method
used by your organization.

Reconfigure the DNS Service
Reconfigure the DNS service to account for the addition of the second domain controller in the forest root
domain. You can also use these procedures as you deploy additional domain controllers that are running the
DNS service. To reconfigure the DNS service:
• Enable Aging and Scavenging for DNS
• Configure the DNS client settings of the first and subsequent domain controllers
• Update the DNS delegation

Enable Aging and Scavenging for DNS
Enable aging and scavenging on two Windows Server 2003–based domain controllers running the DNS
Server service per domain, to allow automatic cleanup and removal of stale resource records (RRs), which
can accumulate in zone data over time.
With dynamic update, RRs are automatically added to zones when computers start on the network. However,
in some cases, they are not automatically removed when computers leave the network. For example, if a
computer registers its own host (A) RR at startup and is later improperly disconnected from the network, its
host (A) RR might not be deleted. If your network has mobile users and computers, this situation can occur
frequently.
If left unmanaged, the presence of stale RRs in zone data might cause problems including:
• If a large number of stale RRs remain in server zones, they can eventually take up server
disk space and cause unnecessarily long zone transfers.
• DNS servers loading zones with stale RRs might use outdated information to answer client
queries, potentially causing the clients to experience name resolution problems on the
network.
• The accumulation of stale RRs at the DNS server can degrade its performance and
responsiveness.

Caution
By default, the aging and scavenging mechanism for the DNS Server
service is disabled. Enable aging and scavenging only after you
understand all parameters. Otherwise, the server could be accidentally
configured to delete resource records that should not be deleted. If a
resource record is accidentally deleted, not only will users fail to
resolve queries for that resource record, but any user can create the
resource record and take ownership of it, even on zones configured for
secure dynamic update.
For more information about how to configure aging and scavenging,
see “Understanding aging and scavenging” in Help and Support Center
for Windows Server 2003.

To enable the aging and scavenging features, perform the following steps to configure the applicable server
and its Active Directory–integrated zones:
• Enable aging and scavenging at the server. These settings determine the effect of zone-level
properties for any Active Directory–integrated zones loaded at the server.
• Enable aging and scavenging for selected zones at the DNS server. When zone-specific
properties are set for a selected zone, these settings apply only to the applicable zone and its
resource records. Unless these zone-level properties are otherwise configured, they inherit
their default settings from comparable settings maintained in the DNS server
aging/scavenging properties.
To set aging and scavenging properties for the DNS server
1. Log on to the computer that is running the DNS Server service with an account that is a
member of the local Administrators group.
2. In the DNS console tree, right-click the applicable DNS server, and then click Set
Aging/Scavenging for all zones.
3. Select the Scavenge stale resource records check box.
4. Modify other aging and scavenging properties as needed.
To set aging and scavenging properties for a zone
1. Log on to the computer that is running the DNS Server service with an account that is a
member of the local Administrators group.
2. In the DNS console tree, right-click the applicable zone, then click Properties.
3. On the General tab, click Aging, and then select the Scavenge stale resource records
check box.
4. Modify other aging and scavenging properties as needed.
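The caution above says to enable scavenging only after the parameters are understood. The following Python model is an added illustration, not code from the Deployment Kit or the DNS Server service: it walks a constructed zone through the aging rules that Windows DNS applies. A dynamically registered record carries a timestamp, a refresh sent during the no-refresh interval does not move that timestamp, and the record becomes eligible for scavenging only when both the no-refresh and the refresh interval have elapsed (the seven-day interval lengths are the server defaults, assumed here). Static records carry no timestamp and are never scavenged, which the model reproduces. The laptop record and its address are constructed.

```python
"""Model of the DNS Server aging and scavenging decision.

Added illustration, not code from the Deployment Kit or the DNS Server service.
Assumed semantics (the standard Windows DNS aging rules): a dynamically
registered record carries a timestamp; a refresh during the no-refresh interval
does not move the timestamp; once both the no-refresh and the refresh interval
have elapsed since the timestamp the record is stale, and a scavenging pass
removes it. Static records have no timestamp and are never scavenged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ResourceRecord:
    owner: str
    rtype: str
    rdata: str
    timestamp: Optional[datetime]  # None marks a static record


@dataclass
class AgingPolicy:
    no_refresh: timedelta = timedelta(days=7)   # server defaults assumed
    refresh: timedelta = timedelta(days=7)
    scavenging_enabled: bool = False            # disabled by default, as on the page


def refresh_record(rr: ResourceRecord, policy: AgingPolicy, now: datetime) -> bool:
    """Apply a dynamic-update refresh; return True if the timestamp moved."""
    if rr.timestamp is None:
        return False                              # static records are not aged
    if now < rr.timestamp + policy.no_refresh:
        return False                              # inside no-refresh: write suppressed
    rr.timestamp = now
    return True


def is_stale(rr: ResourceRecord, policy: AgingPolicy, now: datetime) -> bool:
    """A record is stale once no-refresh + refresh have passed since its timestamp."""
    if rr.timestamp is None:
        return False
    return now >= rr.timestamp + policy.no_refresh + policy.refresh


def scavenge(zone: List[ResourceRecord], policy: AgingPolicy,
             now: datetime) -> Tuple[List[ResourceRecord], List[ResourceRecord]]:
    """Return (kept, removed); nothing is removed unless scavenging is enabled."""
    if not policy.scavenging_enabled:
        return list(zone), []
    kept: List[ResourceRecord] = []
    removed: List[ResourceRecord] = []
    for rr in zone:
        (removed if is_stale(rr, policy, now) else kept).append(rr)
    return kept, removed


T0 = datetime(2003, 6, 1)  # constructed registration time for the sample zone


def build_sample_zone() -> List[ResourceRecord]:
    """Constructed zone: a static record for SEA-TRC-DC02 (address from the
    text) and a laptop that registered at T0 and then left without deregistering."""
    return [
        ResourceRecord("sea-trc-dc02", "A", "172.16.16.3", None),
        ResourceRecord("laptop01", "A", "172.16.16.50", T0),
    ]


def refresh_moves_after_days(days: int) -> bool:
    """Does a refresh sent `days` after registration update the timestamp?"""
    rr = ResourceRecord("laptop01", "A", "172.16.16.50", T0)
    return refresh_record(rr, AgingPolicy(), T0 + timedelta(days=days))


def scavenged_owners(days: int, scavenging_enabled: bool = True) -> List[str]:
    """Owner names a scavenging pass `days` after T0 would delete."""
    policy = AgingPolicy(scavenging_enabled=scavenging_enabled)
    _, removed = scavenge(build_sample_zone(), policy, T0 + timedelta(days=days))
    return [rr.owner for rr in removed]


if __name__ == "__main__":
    for day in (3, 7, 13, 14):
        print(day, refresh_moves_after_days(day), scavenged_owners(day))
```

The point the model makes is the one the caution is about: a record is not deleted at the no-refresh boundary, only after the refresh interval has also run out, and nothing at all is deleted while scavenging stays disabled, so the two intervals together set how long a machine can be off the network before its host (A) record disappears.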

Configure the DNS Client Settings of the First and Subsequent Domain Controllers
After you have deployed an additional domain controller, modify the DNS client settings on the first forest
root domain controller. Because no other domain controllers were running when you deployed the first forest
root domain controller, modify the DNS client settings on the first forest root domain controller to include the
additional domain controller. As you deploy more domain controllers, you might also need to modify the
Alternate DNS server setting specified on existing domain controllers to ensure that this setting points to the
DNS server that is connected through the minimum number of network segments.
To configure the DNS client settings on previously installed domain controllers
1. Open Network Connections, double-click your Local Area Connection, click Properties,
click Internet Protocol (TCP/IP) to highlight it, and then click Properties.
2. For the Preferred DNS server, type the IP address of the DNS server that is running locally
on the domain controller (local host).
3. Determine whether a newly installed domain controller is now closer to this domain
controller than the domain controller that you originally specified as the Alternate DNS
server. If it is, for Alternate DNS server, type the IP address of the newly installed domain
controller.
Update the DNS Delegation
After you install the DNS Server service on new domain controllers, update the DNS delegation for the forest
root domain on a DNS server that is authoritative for the parent zone.
To update the DNS delegation records for the additional domain controller
1. Create a name server (NS) resource record in the parent zone. Use the left-most portion of
the forest root domain name, and the full DNS name of the additional domain controller.
forest_root_domain IN NS additional_domain_controller_name
2. Create a host address (A) resource record in the parent zone. Use the full DNS name of the
domain controller.
additional_domain_controller_name IN A additional_domain_controller_ip_address
For example, the DNS administrator for Trey Research created the following DNS resource
records in the parent zone, treyresearch.net:
• trccorp IN NS SEA-TRC-DC02.trccorp.treyresearch.net
• SEA-TRC-DC02.trccorp.treyresearch.net IN A 172.16.16.3
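Before relying on the delegation, it is worth checking that every NS record for trccorp has the glue A record that resolvers need to follow it. The following Python check is an added example, not code from the Deployment Kit: it parses the two Trey Research records shown above in the same owner IN TYPE rdata form (plus a matching pair for SEA-TRC-DC01, whose 172.16.16.2 address is a constructed placeholder) and reports a child zone with no NS record or a name server inside the child zone that has no glue A record in the parent.

```python
"""Delegation sanity check for the parent zone (treyresearch.net).

Added example, not code from the Deployment Kit. Records are given in the
'owner IN TYPE rdata' form the chapter uses; a relative owner is expanded
against the parent zone origin. The check reports a child zone with no NS
record, and any name server that lives inside the child zone but has no glue
A record in the parent (a lame delegation that resolvers cannot follow).
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]   # (owner FQDN, type, rdata), all lower case

PARENT_ZONE = "treyresearch.net"

# The two SEA-TRC-DC02 records are the ones the text shows; the SEA-TRC-DC01
# pair is added for realism and its 172.16.16.2 address is a constructed
# placeholder, not a value from the chapter.
TREY_DELEGATION = """
trccorp IN NS SEA-TRC-DC01.trccorp.treyresearch.net
SEA-TRC-DC01.trccorp.treyresearch.net IN A 172.16.16.2  ; constructed address
trccorp IN NS SEA-TRC-DC02.trccorp.treyresearch.net
SEA-TRC-DC02.trccorp.treyresearch.net IN A 172.16.16.3
"""


def normalize(name: str) -> str:
    return name.lower().rstrip(".")


def fqdn(owner: str, zone: str) -> str:
    """Expand a relative owner name against the zone origin."""
    owner, zone = normalize(owner), normalize(zone)
    if owner in ("@", zone):
        return zone
    if owner.endswith("." + zone):
        return owner
    return f"{owner}.{zone}"


def parse_zone_lines(text: str, zone: str) -> List[Record]:
    """Parse 'owner IN TYPE rdata' lines; ';' starts a comment."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {raw!r}")
        owner, _, rtype, rdata = parts
        records.append((fqdn(owner, zone), rtype.upper(), normalize(rdata)))
    return records


def check_delegation(parent_zone: str, child_label: str,
                     records: List[Record]) -> Tuple[List[str], List[str]]:
    """Return (name servers delegated for the child zone, problems found)."""
    parent_zone = normalize(parent_zone)
    child_zone = f"{normalize(child_label)}.{parent_zone}"
    ns_targets = sorted({rdata for owner, rtype, rdata in records
                         if rtype == "NS" and owner == child_zone})
    glue: Dict[str, str] = {owner: rdata for owner, rtype, rdata in records
                            if rtype == "A"}
    problems: List[str] = []
    if not ns_targets:
        problems.append(f"no NS record delegates {child_zone}")
    for target in ns_targets:
        if target.endswith("." + child_zone) and target not in glue:
            problems.append(f"{target} is inside {child_zone} but has no glue A record")
    return ns_targets, problems


def check_trey_delegation() -> Tuple[List[str], List[str]]:
    records = parse_zone_lines(TREY_DELEGATION, PARENT_ZONE)
    return check_delegation(PARENT_ZONE, "trccorp", records)


def check_without_dc02_glue() -> Tuple[List[str], List[str]]:
    """Same data with the SEA-TRC-DC02 A record left out: flagged as lame."""
    text = "\n".join(l for l in TREY_DELEGATION.splitlines() if "172.16.16.3" not in l)
    return check_delegation(PARENT_ZONE, "trccorp", parse_zone_lines(text, PARENT_ZONE))


if __name__ == "__main__":
    print(check_trey_delegation())
    print(check_without_dc02_glue())
```

Run against the parent zone's exported records after each step 1 and step 2 above; a name server that is outside the child zone needs no glue, so the check only complains about in-zone name servers, which is exactly the case for domain controllers named under trccorp.treyresearch.net.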

Configure Site Topology
The site topology owner configures the site topology for the forest. Configuring the site topology for the
forest involves the following tasks:
• Delegate Active Directory site administration
• Create Active Directory sites
• Create and assign Active Directory subnets
• Create Active Directory site links
Delegate Active Directory Site Topology Administration
Configuring the site topology for the forest starts when the forest owner delegates administration of the
Active Directory sites and site topology to the site topology owner.
To delegate Active Directory site topology administration in your environment
1. Create a global group named SiteAdmins in the forest root domain.
2. Add administrative users to the SiteAdmins global group.

Note
The user accounts that you add must reside in the forest root domain.
If you want to add users from regional domains to this group, it must be
a universal group, and the forest root domain and the regional domain
must be operating at the Microsoft® Windows® 2000 native or
Windows Server 2003 functional level.

3. In Active Directory Sites and Services, right-click the Sites node, and then click Delegate
Control.
4. Complete the Delegation of Control Wizard to delegate Full Control of the Sites node to
SiteAdmins.

Create Active Directory Sites
Create Active Directory sites by using Active Directory Sites and Services.
To create the Active Directory sites
1. Review the site topology design information in the Associating Subnets with Sites worksheet
provided by your design team.
2. Create the sites specified in the site topology design. For more information about how to
create site objects, see “Create a site” in Help and Support Center for Windows Server 2003.

Create and Assign Active Directory Subnets
Create Active Directory subnets by using Active Directory Sites and Services.
To create Active Directory subnets and associate them with sites
1. Review the site topology design information in the “Associating Subnets with Sites”
worksheet provided by your design team.
2. Create the Active Directory subnets specified in the worksheet and associate the Active
Directory subnet with the appropriate site. For more information about how to create subnet
objects and associate subnets to Active Directory sites, see “Create a subnet” and “Associate
a subnet with a site” in Help and Support Center for Windows Server 2003.
Create Active Directory Site Links
Create Active Directory site links by using Active Directory Sites and Services.
To create Active Directory site links
1. Review the site topology design information in the “Sites and Associated Site Links”
worksheet provided by your design team.
2. Create the Active Directory site links and configure the site link properties as specified in the
site topology design. For more information about how to create site link objects, see “Create
a site link” in Help and Support Center for Windows Server 2003.

Deploy Additional Domain Controllers in Other Sites
If your design specifies deployment of additional forest root domain controllers in other sites, deploy them
by using the procedures in “Deploy the Second Domain Controller in the Same Site” earlier in this chapter.

Configure Operations Master Roles
Configure the forest-level and domain-level operations master roles for the forest root domain. By default,
the first domain controller in the forest root domain is assigned all operations master roles.
• If your design specifies that all domain controllers in the forest root domain are global
catalog servers, leave all five operations master roles on the first domain controller, and
designate the second domain controller as the standby.
• If any domain controllers in the forest root domain will not be global catalog servers, move
all operations master roles from the first domain controller to the second domain controller,
and ensure that the second domain controller will never be a global catalog server. Designate
the third domain controller as the standby, and never make it a global catalog server.

Note
In a single domain forest, the database content of a domain controller
and a global catalog server are the same. Therefore, to load balance
client lookups across global catalog servers in a single domain forest,
ensure that all domain controllers are global catalog servers.

For a procedure to help you transfer operations master roles, see “Transfer operations master roles” in Help
and Support Center for Windows Server 2003.
If your Active Directory design specifies that you designate a standby operations master for the current
operations master role holder, configure the current role holder and the standby as direct replication partners
by manually creating a connection object between them. Designating a standby operations master can save
some time if you must reassign any operations master roles to the standby operations master.
Of all the operations master roles, the PDC emulator role has the highest impact on the performance of the
domain controller hosting that role. In domains with more than 10,000 users, it might be necessary to reduce
the number of authentication requests performed by the PDC emulator to decrease its workload and allow it
to perform other tasks. If CPU utilization is higher than 50 percent or disk queues remain higher than 2 for
several hours or days, reduce the number of client authentication requests received by the PDC emulator.

Note
Other factors that can increase the workload on the PDC emulator
include pre-Active Directory clients or applications that have been
written to contact the PDC emulator.

To reduce the number of client authentication requests that are processed by the PDC emulator, adjust its
weight or its priority in the DNS environment. If you want to proportionately reduce the number of client
authentication requests received by the PDC emulator, adjust its weight. If you want to ensure that the PDC
emulator does not receive any client authentication requests, adjust its priority.
Active Directory assigns a default value of 100 for the weight. By creating a new registry entry for the
weight and assigning it a decreased value of 50, you can proportionately reduce the number of client
authentication requests sent to the PDC emulator. This ensures that the PDC emulator authenticates half
as many clients as it would if the weight value remained at 100.
Active Directory assigns a default value of zero for the priority. By creating a new registry entry for the
priority and assigning it an increased value of 200, you can ensure that the PDC emulator will never receive
client authentication requests unless it is the only accessible domain controller.
Repeat these procedures if the PDC emulator operations master role is transferred or seized to another
domain controller in the forest root domain.

Caution
The registry editor bypasses standard safeguards, allowing settings
that can damage your system, or even require you to reinstall
Windows. If you must edit the registry, back it up first and see the
Registry Reference on the Microsoft Windows Server 2003
Deployment Kit companion CD or on the Web at
http://www.microsoft.com/reskit.

To change the weight for DNS SRV records by using the registry
1. In the Run dialog box, type regedit, and press ENTER.
2. In the registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD value.
4. For the new entry name, type LdapSrvWeight and press ENTER. (The value name is not
case sensitive.)
5. Double-click the entry name you just typed to open the Edit DWORD Value dialog box.
6. Choose Decimal as the Base option.
7. Enter a value from 0 through 65535. The recommended value is 50.
8. Click OK.
9. Click File, and then click Exit to close the registry editor.
Adjusting the priority of the domain controller also reduces the number of client referrals. However, rather
than reducing it proportionally to the other domain controllers, changing the priority causes DNS to stop
referring all clients to this domain controller unless all domain controllers with a lower priority setting are
unavailable.

Note
A lower value entered for LdapSrvPriority indicates a higher priority. A
domain controller with an LdapSrvPriority setting of 100 has a lower
priority than a domain controller with a setting of 10. Therefore, clients
attempt to use the domain controller with the setting of 10 first.

To change the priority for DNS SRV records by using the registry
1. In the Run dialog box, type regedit, and press ENTER.
2. In the registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Click Edit, click New, and then click DWORD value.
4. For the new entry name, type LdapSrvPriority, and press ENTER.
5. Double-click the entry name that you just typed to open the Edit DWORD Value dialog
box.
6. Choose Decimal as the Base option.
7. Enter a value from 0 through 65535. The recommended value is 200.
8. Click OK.
9. Click File, and then click Exit to close the registry editor.
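To see what the LdapSrvWeight and LdapSrvPriority values set in the two procedures above actually do to a client's choice of domain controller, the following Python model implements the SRV record selection of RFC 2782 that DNS-aware clients use: the lowest priority value wins, and among domain controllers with equal priority the choice is random in proportion to weight. It is an added example, not code from the Deployment Kit; SEA-TRC-DC01 is taken as the PDC emulator, SEA-TRC-DC02 is the name from the text, and SEA-TRC-DC03 is a constructed third domain controller. Because the share depends on the weights of the other domain controllers, the model computes it rather than assuming a fixed fraction.

```python
"""SRV record selection (RFC 2782) applied to LdapSrvWeight/LdapSrvPriority.

Added example, not code from the Deployment Kit. A client picks among the
domain controllers in the lowest priority value that is reachable, choosing
randomly in proportion to weight within that priority. Netlogon's defaults
(priority 0, weight 100) are the ones the chapter states. SEA-TRC-DC01 is
treated as the PDC emulator; SEA-TRC-DC03 is a constructed third domain
controller that does not appear in the chapter.
"""
import random
from typing import Dict, Iterable, Optional, Tuple

SrvTable = Dict[str, Tuple[int, int]]   # name -> (priority, weight)

DEFAULT_PRIORITY = 0
DEFAULT_WEIGHT = 100


def trey_servers(pdc_priority: int = DEFAULT_PRIORITY,
                 pdc_weight: int = DEFAULT_WEIGHT) -> SrvTable:
    """Constructed SRV data; only the PDC emulator's values are varied."""
    return {
        "SEA-TRC-DC01": (pdc_priority, pdc_weight),          # PDC emulator
        "SEA-TRC-DC02": (DEFAULT_PRIORITY, DEFAULT_WEIGHT),
        "SEA-TRC-DC03": (DEFAULT_PRIORITY, DEFAULT_WEIGHT),  # constructed
    }


def candidates(servers: SrvTable,
               reachable: Optional[Iterable[str]] = None) -> SrvTable:
    """Servers in the best (lowest) priority class among those reachable."""
    allowed = None if reachable is None else set(reachable)
    live = {n: pw for n, pw in servers.items()
            if allowed is None or n in allowed}
    if not live:
        return {}
    best = min(p for p, _ in live.values())
    return {n: pw for n, pw in live.items() if pw[0] == best}


def expected_share(servers: SrvTable, name: str,
                   reachable: Optional[Iterable[str]] = None) -> float:
    """Fraction of client selections `name` receives in the long run."""
    pool = candidates(servers, reachable)
    if name not in pool:
        return 0.0                       # outranked by a lower priority value
    total = sum(w for _, w in pool.values())
    return pool[name][1] / total if total else 1.0 / len(pool)


def pick_server(servers: SrvTable, rng: random.Random,
                reachable: Optional[Iterable[str]] = None) -> Optional[str]:
    """One weighted selection, as a locator client would make it."""
    pool = candidates(servers, reachable)
    if not pool:
        return None
    names = list(pool)
    weights = [pool[n][1] for n in names]
    if sum(weights) == 0:
        return rng.choice(names)         # all-zero weights: equal chance
    return rng.choices(names, weights=weights, k=1)[0]


def simulate_share(servers: SrvTable, name: str, trials: int = 20000,
                   seed: int = 1, reachable: Optional[Iterable[str]] = None) -> float:
    """Empirical share of selections over `trials` seeded random picks."""
    rng = random.Random(seed)
    hits = sum(pick_server(servers, rng, reachable) == name for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for label, table in (("defaults", trey_servers()),
                         ("weight 50", trey_servers(pdc_weight=50)),
                         ("priority 200", trey_servers(pdc_priority=200))):
        print(label, round(expected_share(table, "SEA-TRC-DC01"), 3),
              round(simulate_share(table, "SEA-TRC-DC01"), 3))
```

With three domain controllers at the default weight the PDC emulator takes one third of the referrals; lowering its weight to 50 cuts that to one fifth, while a priority of 200 removes it from selection entirely until every lower-priority domain controller is unreachable, which is the behaviour the note on LdapSrvPriority describes.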
For more information about adjusting the weight or the priority of the PDC emulator, see the Active
Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Search under “Administration and Configuration Guides” and download the Active Directory Operations
Guide.

Raising the Functional Level
When you deploy the first Windows Server 2003–based domain controller in your forest root domain, the
forest operates by default at the Windows 2000 forest functional level, and the domain operates by default at
the Windows 2000 mixed functional level. If your organization has only Windows NT 4.0 domains and your
forest design requires upgrading Windows NT 4.0 domains and joining them to this Active Directory forest,
you might want to raise the forest functional level to Windows Server 2003 interim after you deploy the
forest root domain and before you begin the process for upgrading your Windows NT 4.0 domain to
Windows Server 2003 Active Directory. If you raise the forest functional level to Windows Server 2003
interim, you can take advantage of the advanced features available at that functional level.
Figure 6.8 shows raising the functional level as the last step in the forest root domain deployment process.
Figure 6.8 Raising the Functional Level
Although the Windows Server 2003 domain functional level provides a number of features and advantages,
only enable this functional level when your environment is ready and all of your Windows NT 4.0–based
backup domain controllers (BDCs) have been upgraded.
Although it is possible for a domain to include both Windows NT 4.0–based and Windows Server 2003–
based domain controllers, the Windows Server 2003 domain functional level provides more features.
When you have determined that your environment is ready, use Active Directory Domains and Trusts to
enable the Windows Server 2003 domain functional level.
After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level
to Windows Server 2003 to take advantage of all Windows Server 2003 forest-level features.
To determine when to raise the functional level, and for procedures to perform those tasks, see “Enabling
Advanced Windows Server 2003 Active Directory Features” in this book. For more information about
upgrading Windows NT domains to Windows Server 2003 Active Directory, see “Upgrading
Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.

Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• “Designing the Active Directory Logical Structure” in this book.
• “Designing the Site Topology” in this book.
• “Enabling Advanced Windows Server 2003 Active Directory Features” in this book.
• “Deploying Windows Server 2003 Regional Domains” in this book.
• The Active Directory Branch Office Planning Guide link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for a complete guide to
information involving Active Directory branch office implementations.
• The Active Directory link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources. Search under “Administration and
Configuration Guides” and download the Active Directory Operations Guide.

Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click
Set search options. Under Help Topics, select the Search in title only checkbox.
• “Active Directory” in Help and Support Center for Windows Server 2003.
• “Windows Support Tools” under “Tools” in Help and Support Center for Windows
Server 2003.
• “Configure site settings” in Help and Support Center for Windows Server 2003 for more
information about creating site objects, subnet objects, and associating subnets with sites.
• “Transfer operations master roles” in Help and Support Center for Windows Server 2003 for
a procedure to help you transfer operations master roles.
• “Understanding aging and scavenging” in Help and Support Center for Windows
Server 2003 for more information about how to configure aging and scavenging of stale
resource records.
Related Job Aids
• “Domain Controller Configuration” (DSSDFR_1.doc) on the Windows Server 2003
Deployment Kit companion CD (or see “Domain Controller Configuration” on the Web at
http://www.microsoft.com/reskit).
• “Sites and Associated Site Links” (DSSTOPO_5.doc) on the Windows Server 2003
Deployment Kit companion CD (or see “Sites and Associated Site Links” on the Web at
http://www.microsoft.com/reskit).
• “Associating Subnets with Sites” (DSSTOPO_6.doc) on the Windows Server 2003
Deployment Kit companion CD (or see “Associating Subnets with Sites” on the Web at
http://www.microsoft.com/reskit).