Deploying the Windows Server 2003 Forest Root Domain
Deploying your forest root domain is the first step in deploying the Active Directory® directory service
infrastructure in your organization.
In This Chapter
Overview of Deploying the Forest Root Domain  228
Reviewing the Active Directory Design  231
Configuring DNS for the Forest Root Domain  235
Creating the Forest Root Domain  237
Raising the Functional Level  255
Additional Resources  256
Related Information
• For more information about designing the Active Directory logical structure and the Domain
Name System (DNS) infrastructure needed to support Active Directory, see “Designing the
Active Directory Logical Structure” in this book.
• For more information about designing the Active Directory site topology, see “Designing the
Site Topology” in this book.
• For more information about domain controller capacity planning for Active Directory, see
“Planning Domain Controller Capacity” in this book.
• For more information about designing and deploying a DNS infrastructure for name
resolution for your network, see “Deploying DNS” in Deploying Network Services in this
kit.
228 Chapter 6 Deploying the Windows Server 2003 Forest Root Domain
Automated Installations
You can perform an unattended installation of Active Directory by supplying an answer file when you run the
Active Directory Installation Wizard. For more information about using an answer file to install Active
Directory, in Help and Support Center for Windows Server 2003, click Tools, and click Windows Support
Tools. Search for Ref.chm in the Deploy.cab file for examples and instructions about creating an answer file.
You can also automate the installation of Windows Server 2003 by using Sysprep.exe or an unattended
installation. For more information about automating installations of Windows Server 2003, see Automating
and Customizing Installations in this kit.
Note
Windows NT 4.0–based computers in the private network use Windows
Internet Name Service (WINS) to provide name resolution.
Trey Research’s registered DNS domain name is treyresearch.net. This DNS domain name:
• Provides DNS naming for computers that are accessed by Internet users.
• Represents the external DNS namespace for the business unit.
• Runs on the Berkeley Internet Name Domain (BIND) DNS servers (SEA-TREY-DNS-01
and SEA-TREY-DNS-02) that are placed in the perimeter network.
Figure 6.3 shows an example of a completed domain controller configuration worksheet, showing the TCP/IP
client settings for the domain controllers planned for the Trey Research forest root domain. For each domain
controller, the preferred DNS server is the local domain controller, and the alternate is the closest DNS
server. Initially, however, Trey Research configures the first domain controller in the domain to use a DNS
server in its parent DNS domain as its preferred DNS server. During installation of Active Directory on the
first domain controller, the preferred DNS server is changed to the local domain controller. Then, after the
second domain controller is online, Trey Research reconfigures the first domain controller to use the second
domain controller as its alternate DNS server.
Figure 6.3 Example of a Domain Controller Configuration Worksheet
Figure 6.5 shows an example of a completed Sites and Associated Site Links worksheet for Trey Research,
including the communication links between locations.
Additional Resources 235
Important
When no DNS infrastructure exists, skip this step in the forest root
domain deployment process and proceed to the next step, “Creating
the Forest Root Domain.” The remainder of this step describes the
process of configuring and delegating a zone in the existing DNS
internal namespace.
In preparation for the forest root domain deployment, create a delegation for the DNS servers that will be
running on the domain controllers in the forest root domain. Create the delegation by adding DNS name
server (NS) and address (A) resource records to the parent DNS zone.
Note
The delegation that occurs in this step references the first forest root
domain controller, which does not currently exist. The DNS service is
installed and configured on the first forest root domain controller in a
subsequent step.
1. Create a name server (NS) resource record in the parent zone. Use the left-most portion of
the forest root domain name, and the full DNS name of the domain controller.
forest_root_domain IN NS domain_controller_name
2. Create a host address (A) resource record in the parent zone. Use the full DNS name of the
domain controller.
domain_controller_name IN A domain_controller_ip_address
For example, the DNS administrator for Trey Research created the following DNS resource
records in the parent zone, treyresearch.net:
• trccorp IN NS SEA-TRC-DC01.trccorp.treyresearch.net
• SEA-TRC-DC01.trccorp.treyresearch.net IN A 172.16.16.2
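The two records above are what makes a delegation work: the NS record names the child zone's server, and because that server's name lies inside the child zone, the parent must also carry a glue A record or resolvers have no way to reach it. The following is an added example, not part of the Deployment Kit: a small offline check in Python that a DNS administrator can run against a planned parent-zone record set before the first forest root domain controller is built. The record set is constructed from the Trey Research example (owner names are written fully qualified).

```python
"""Check that a parent zone holds a complete delegation for a child zone.

Added example (not part of the Windows Server 2003 Deployment Kit). The
parent-zone records below are constructed from the chapter's Trey Research
example. A delegation is an NS record in the parent naming the child's server;
when that server's name is inside the child zone, the parent also needs a glue
A record, because a resolver cannot ask the child zone for an address before
it can reach the child zone.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified, no trailing dot
    rtype: str  # "NS" or "A"
    rdata: str  # NS target name, or A address


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or a name below it."""
    return name == zone or name.endswith("." + zone)


def check_delegation(parent_zone: str, child_label: str, records: list[Record]) -> list[str]:
    """Return a list of problems; an empty list means the delegation is complete."""
    child_zone = f"{child_label}.{parent_zone}".lower()
    problems: list[str] = []
    ns_targets = [r.rdata.lower() for r in records
                  if r.rtype == "NS" and r.name.lower() == child_zone]
    if not ns_targets:
        return [f"no NS record for {child_zone} in {parent_zone}"]
    for target in ns_targets:
        if not in_zone(target, child_zone):
            continue  # out-of-zone name server: no glue needed from this parent
        glue = [r for r in records if r.rtype == "A" and r.name.lower() == target]
        if not glue:
            problems.append(f"NS {target} is inside {child_zone} but has no glue A record")
            continue
        for g in glue:
            try:
                ip_address(g.rdata)
            except ValueError:
                problems.append(f"glue for {target} has invalid address {g.rdata!r}")
    return problems


# Constructed from the chapter's example delegation for trccorp.treyresearch.net.
TREY_PARENT_ZONE = "treyresearch.net"
TREY_RECORDS = [
    Record("trccorp.treyresearch.net", "NS", "SEA-TRC-DC01.trccorp.treyresearch.net"),
    Record("SEA-TRC-DC01.trccorp.treyresearch.net", "A", "172.16.16.2"),
]

if __name__ == "__main__":
    issues = check_delegation(TREY_PARENT_ZONE, "trccorp", TREY_RECORDS)
    print("delegation complete" if not issues else "\n".join(issues))
```

Running the check with only the NS record present reports the missing glue, which is exactly the state the chapter warns about when the A record is omitted; the delegation deliberately points at a host that does not exist yet, so the check validates the records, not reachability.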
Note
Before installing Windows Server 2003, ensure that DNS was never
previously installed on the computer. If DNS was previously installed,
configuration of the DNS resolver and forwarders might fail.
• Insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain
controller and select the option to install the operating system, or use an automated
installation method. If the Windows Server 2003 media is shared on the network, run the
Winnt32.exe command. Use the NTFS file system to format the partitions. Enter the
computer name, static IP address, and subnet mask as specified by your design.
• In TCP/IP Properties, configure the DNS client settings by using the information
documented in the “Domain Controller Configuration” worksheet. The DNS settings are
temporary and will be changed after you install Active Directory.
• Enable Remote Desktop for Administration (formerly known as Terminal Services in
Remote Administration mode) to enable administrators to log on remotely if necessary. To
enable Remote Desktop for Administration, in Control Panel, double-click System, select
the Remote tab, and then select Allow users to connect remotely to this computer.
• Install Windows Support Tools, which are available in the \Support\Tools folder on the
Windows Server 2003 operating system CD.
Note
For manual configuration instructions, see “Verify DNS Server Recursive Name
Resolution on the First Forest Root Domain Controller” later in this chapter.
If you want to set different forwarders, or do not want to enable forwarding,
you can change this setting manually by using the DNS snap-in.
If your domain controller is multihomed, forwarding is not configured
automatically.
• Configures DNS recursive name resolution by root hints, by adding the root hints that are
configured on the Preferred DNS server.
• Configures the Preferred DNS server to point to the DNS server that is running locally on
the domain controller, and configures the Alternate DNS server to point to the DNS server
that is connected through the minimum number of network segments.
• Creates two application directory partitions that are used by DNS. The DomainDnsZones
application directory partition holds domain-wide DNS data, and the ForestDnsZones
application directory partition holds forest-wide DNS data.
To install Active Directory on the first forest root domain controller
1. Log on to the Windows Server 2003–based member server.
2. At the command line, type:
dcpromo
– or –
3. Open Administrative Tools and click Configure Your Server Wizard. Select Domain
Controller (Active Directory) to configure your domain controller. After the Configure
Your Server Wizard finishes, the Active Directory Installation Wizard begins.
Use Table 6.1 to complete the Active Directory Installation Wizard. Table 6.1 includes the
specific actions taken by Trey Research as they deploy their first forest root domain
controller, SEA-TRC-DC01.
Table 6.1 Information to Install Active Directory on the First Forest Root Domain Controller
(Columns: Wizard Page or Dialog Box; Action; Example)

Domain Controller Type
  Action: Select Domain controller for a new domain.

Create New Domain
  Action: Select Domain in a new forest.

New Domain Name
  Action: Type the full DNS name of the domain.
  Example: trccorp.treyresearch.net

NetBIOS Domain Name
  Action: Confirm or type the NetBIOS name.
  Example: TRCCORP

Database and Log Folders
  Action: Type the folder locations specified by your design.
  Example: Database folder: C:\WINNT\NTDS; Log folder: D:\Logs

Shared System Volume
  Action: Confirm or type the location specified by your design.
  Example: C:\WINNT\SYSVOL

DNS Registration Diagnostics
  Action: For organizations with an existing DNS infrastructure, a message will indicate that
  the wizard cannot contact the DNS server with which this DC will be registered. This is
  because the pre-created delegation record points to the local computer and DNS has not been
  installed on the domain controller at this point. Select Install and configure the DNS server
  on this computer and set this computer to use this DNS server as its preferred DNS server.
  Example: Before running the Active Directory Installation Wizard, the Trey Research
  deployment team set the Preferred DNS server to 172.16.24.4, which is the IP address of a
  DNS server in the parent zone, treyresearch.net. This address will be automatically moved to
  the list of forwarders, and Preferred DNS server will be set to the local host.

Permissions
  Action: Select the security level specified by your design:
  • Permissions compatible with pre-Windows 2000 server operating systems
  Example: Because Trey Research currently has server programs running on Windows NT 4.0
  servers, they
For more information about installing and removing Active Directory, see the Directory Services Guide of
the Microsoft® Windows® Server 2003 Resource Kit (or see the Directory Services Guide on the Web at
http://www.microsoft.com/reskit).
recommended that a dedicated hardware device, such as a GPS or radio clock, be employed in the interest of
security.
Repeat this operation if you transfer or seize the PDC emulator operations master role to another domain
controller in the forest root domain.
To configure the Windows Time Service on the first forest root domain controller
1. Log on to the domain controller.
2. At the command line, type:
W32tm /config /manualpeerlist:<peers> /syncfromflags:manual
<peers> is a space-delimited list of DNS names and/or IP addresses. When you specify
multiple peers, enclose the list in quotation marks.
3. Update the Windows Time Service configuration. At the command line, type:
W32tm /config /update
– or –
Net stop w32time
Net start w32time
Note
When specifying a manual peer, do not use the DNS name or IP
address of a computer that uses the forest root domain controller as its
source for time, such as another domain controller in the forest. The
time service will not operate correctly if there are cycles in the time
source configuration.
For more information about configuring and deploying the Windows Time Service, see the Distributed
Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web
at http://www.microsoft.com/reskit).
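The note above rules out cycles in the time-source configuration: the PDC emulator of the forest root is the top of the forest's time hierarchy, so every manual peer it is given must lie outside the forest. The following is an added example, not part of the Deployment Kit, written in Python as an offline planning check rather than something typed on the domain controller. It builds the step-2 W32tm command from a peer list (quoting it when there is more than one peer, as the procedure requires) and runs a depth-first search over a planned topology to find any cycle before the configuration is applied. The computer names are the chapter's; the external NTP server name is a placeholder.

```python
"""Plan Windows Time Service sources and reject cyclic configurations.

Added example (not part of the Windows Server 2003 Deployment Kit). The
topologies at the bottom are constructed: each key is a computer, each value
the list of manual peers that computer would be given. ntp.example.net is a
placeholder for a time source outside the forest.
"""
from __future__ import annotations


def w32tm_config_command(peers: list[str]) -> str:
    """Build the chapter's step-2 command; a multi-peer list must be quoted."""
    if not peers:
        raise ValueError("at least one peer is required")
    peer_list = " ".join(peers)
    if len(peers) > 1:
        peer_list = f'"{peer_list}"'
    return f"w32tm /config /manualpeerlist:{peer_list} /syncfromflags:manual"


def find_time_source_cycle(sources: dict[str, list[str]]) -> list[str] | None:
    """Depth-first search over the source graph.

    Returns the first cycle found as a path that starts and ends on the same
    computer, or None when the hierarchy is acyclic. Peers that are not keys
    of the dict are external sources and cannot be part of a cycle.
    """
    WHITE, GRAY, BLACK = 0, 1, 2          # unvisited, on the current path, finished
    state = {name: WHITE for name in sources}
    path: list[str] = []

    def visit(node: str) -> list[str] | None:
        state[node] = GRAY
        path.append(node)
        for peer in sources.get(node, []):
            if peer not in state:         # external source: stop here
                continue
            if state[peer] == GRAY:       # back edge: cycle closes at peer
                return path[path.index(peer):] + [peer]
            if state[peer] == WHITE:
                found = visit(peer)
                if found:
                    return found
        path.pop()
        state[node] = BLACK
        return None

    for name in sources:
        if state[name] == WHITE:
            found = visit(name)
            if found:
                return found
    return None


# Constructed plans. GOOD_PLAN follows the chapter: the PDC emulator syncs only
# from an external source and the second DC syncs from the PDC emulator.
GOOD_PLAN = {
    "SEA-TRC-DC01": ["ntp.example.net"],
    "SEA-TRC-DC02": ["SEA-TRC-DC01"],
}
# BAD_PLAN makes the mistake the note describes: the PDC emulator is given a
# peer that itself takes time from the PDC emulator.
BAD_PLAN = {
    "SEA-TRC-DC01": ["SEA-TRC-DC02"],
    "SEA-TRC-DC02": ["SEA-TRC-DC01"],
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        cycle = find_time_source_cycle(plan)
        print(label, "cycle:" if cycle else "no cycle", " -> ".join(cycle or []))
    print(w32tm_config_command(GOOD_PLAN["SEA-TRC-DC01"]))
```

The check is worth running again whenever the PDC emulator role is transferred or seized, since the chapter's procedure must then be repeated on the new role holder and the old holder's peers become part of the internal hierarchy.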
To verify DNS server recursive name resolution on the first forest root domain controller
• Use the DNS snap-in to verify DNS server recursive name resolution for the method used in
your organization based on the information in Table 6.2.
Table 6.2 Information to Verify DNS Server Recursive Name Resolution
(Columns: Method; Configuration)

Recursive name resolution by root hints
  Root hints are the recommended method to use for recursive name resolution in a Windows
  Server 2003 environment.
  No additional configuration is necessary. When the DNS server specified as the Preferred DNS
  server during the installation process is properly configured, the root hints are
  automatically configured. To verify the root hints by using the DNS snap-in:
  1. In the console tree, right-click the domain controller name, and then click Properties.
  2. In the Properties sheet for the domain controller, view the root hints on the Root Hints tab.

Recursive name resolution by forwarding
  Only use forwarders if that is what your organization’s design specifies. Root hints are the
  recommended method to use for recursive name resolution in a Windows Server 2003 environment.
  Forward unresolved queries to specified DNS servers. To verify forwarding by using the DNS
  snap-in:
  1. In the console tree, right-click the domain controller name, and then click Properties.
  2. On the Forwarders tab, in the selected domain’s Forwarders list, verify that the IP
  addresses match those specified by your design.

No existing DNS infrastructure
  No additional configuration is necessary.
  In this environment, if you want to configure internal DNS servers to resolve queries for
  external names, configure this DNS server to forward unresolved queries to an external
  server, such as one in your perimeter network or one hosted by an Internet service provider.
Note
Before installing Windows Server 2003, ensure that DNS was not
previously installed.
• Insert the Windows Server 2003 operating system CD in the CD-ROM drive of the domain
controller and select the option to install the operating system, or use an automated
installation method. If the Windows Server 2003 media is shared on the network, run the
Winnt32.exe command. Use NTFS to format the partitions. Enter the computer name, static
IP address, and subnet mask as specified by your design.
• Configure the DNS client settings by using the information documented in the “Domain
Controller Configuration” worksheet (DSSDFR_1.doc).
• Enable Remote Desktop for Administration (formerly known as Terminal Services in
Remote Administration mode) to enable administrators to log on remotely if necessary. To
enable Remote Desktop for Administration, in Control Panel, double-click System, select
the Remote tab, and then select Allow users to connect remotely to this computer.
• Install Windows Support Tools, which are available in the \Support\Tools folder on the
Windows Server 2003 operating system CD.
Table 6.3 Information to Install Active Directory on the Second Forest Root Domain Controller
(Columns: Wizard Page or Dialog Box; Action; Example)

Domain Controller Type
  Action: Select Additional domain controller for an existing domain.

Copying Domain Information
  Action: (This dialog box appears only when you started the Active Directory Installation
  Wizard by typing dcpromo with the /adv switch at the command line or used the Configure Your
  Server Wizard.) Select either:
  • Over the network from a domain controller
  • From these restored backup files
  Example: Trey Research is copying from the first TRCCORP domain controller, SEA-TRC-DC01,
  which is in the same location as the new one, so they selected Over the network to copy the
  information in the shortest time.

Global Catalog
  Action: (This dialog box appears only when From these restored backup files was selected,
  if the domain controller that you backed up was a global catalog server.) Specify whether
  this domain controller should be configured as a global catalog server.

Network Credentials
  Action: In the User name box, type a user account that has sufficient rights to add a domain
  controller, typically a member of Domain Admins. In the Password box, type the password of
  the user account.

Additional Domain Controller
  Action: (This dialog box appears only when Over the network was selected.) Confirm or type
  the full DNS name of the forest root domain.
  Example: trccorp.treyresearch.net

Database and Log Folders
  Action: Type the folder locations specified by your design.
  Example: Database folder: C:\WINNT\NTDS; Log folder: D:\Logs

Shared System Volume
  Action: Confirm or type the location specified by your design.
  Example: C:\WINNT\SYSVOL

Directory Service Restore Mode Administration Password
  Action: In the Password and Confirm password boxes, type any strong password.
Caution
By default, the aging and scavenging mechanism for the DNS Server
service is disabled. Enable aging and scavenging only after you
understand all parameters. Otherwise, the server could be accidentally
configured to delete resource records that should not be deleted. If a
resource record is accidentally deleted, not only will users fail to
resolve queries for that resource record, but any user can create the
resource record and take ownership of it, even on zones configured for
secure dynamic update.
For more information about how to configure aging and scavenging,
see “Understanding aging and scavenging” in Help and Support Center
for Windows Server 2003.
To enable the aging and scavenging features, perform the following steps to configure the applicable server
and its Active Directory–integrated zones:
• Enable aging and scavenging at the server. These settings determine the effect of zone-level
properties for any Active Directory–integrated zones loaded at the server.
• Enable aging and scavenging for selected zones at the DNS server. When zone-specific
properties are set for a selected zone, these settings apply only to the applicable zone and its
resource records. Unless these zone-level properties are otherwise configured, they inherit
their default settings from comparable settings maintained in the DNS server
aging/scavenging properties.
Note
The user accounts that you add must reside in the forest root domain.
If you want to add users from regional domains to this group, it must be
a universal group, and the forest root domain and the regional domain
must be operating at the Microsoft® Windows® 2000 native or
Windows Server 2003 functional level.
1. In Active Directory Sites and Services, right-click the Sites node, and then click Delegate
Control.
2. Complete the Delegation of Control Wizard to delegate Full Control of the Sites node to
SiteAdmins.
Note
In a single domain forest, the database content of a domain controller
and a global catalog server are the same. Therefore, to load balance
client lookups across global catalog servers in a single domain forest,
ensure that all domain controllers are global catalog servers.
For a procedure to help you transfer operations master roles, see “Transfer operations master roles” in Help
and Support Center for Windows Server 2003.
If your Active Directory design specifies that you designate a standby operations master for the current
operations master role holder, configure the current role holder and the standby as direct replication partners
by manually creating a connection object between them. Designating a standby operations master can save
some time if you must reassign any operations master roles to the standby operations master.
Of all the operations master roles, the PDC emulator role has the highest impact on the performance of the
domain controller hosting that role. In domains with more than 10,000 users, it might be necessary to reduce
the number of authentication requests performed by the PDC emulator to decrease its workload and allow it
to perform other tasks. If CPU utilization is higher than 50 percent or disk queues remain higher than 2 for
several hours or days, reduce the number of client authentication requests received by the PDC emulator.
Note
Other factors that can increase the workload on the PDC emulator
include pre-Active Directory clients or applications that have been
written to contact the PDC emulator.
To reduce the number of client authentication requests that are processed by the PDC emulator, adjust its
weight or its priority in the DNS environment. If you want to proportionately reduce the number of client
authentication requests received by the PDC emulator, adjust its weight. If you want to ensure that the PDC
emulator does not receive any client authentication requests, adjust its priority.
Active Directory assigns a default value of 100 for the weight. By creating a new registry entry for the
weight and assigning it a decreased value of 50, you can proportionately reduce the number of client
authentication requests sent to the PDC emulator. This ensures that the PDC emulator authenticates half as
many clients as it would if the weight value remained at 100.
Active Directory assigns a default value of zero for the priority. By creating a new registry entry for the
priority and assigning it an increased value of 200, you can ensure that the PDC emulator will never receive
client authentication requests unless it is the only accessible domain controller.
Repeat these procedures if the PDC emulator operations master role is transferred or seized to another
domain controller in the forest root domain.
Caution
The registry editor bypasses standard safeguards, allowing settings
that can damage your system, or even require you to reinstall
Windows. If you must edit the registry, back it up first and see the
Registry Reference on the Microsoft Windows Server 2003
Deployment Kit companion CD or on the Web at
http://www.microsoft.com/reskit.
To change the weight for DNS SRV records by using the registry
1. In the Run dialog box, type regedit, and press ENTER.
2. In the registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Click Edit, click New, and then click DWORD value.
4. For the new entry name, type LdapSrvWeight and press ENTER. (The value name is not
case sensitive.)
5. Double-click the entry name you just typed to open the Edit DWORD Value dialog box.
6. Choose Decimal as the Base option.
7. Enter a value from 0 through 65535. The recommended value is 50.
8. Click OK.
9. Click File, and then click Exit to close the registry editor.
Adjusting the priority of the domain controller also reduces the number of client referrals. However, rather
than reducing it proportionally to the other domain controllers, changing the priority causes DNS to stop
referring all clients to this domain controller unless all domain controllers with a lower priority setting are
unavailable.
Note
A lower value entered for LdapSrvPriority indicates a higher priority. A
domain controller with an LdapSrvPriority setting of 100 has a lower
priority than a domain controller with a setting of 10. Therefore, clients
attempt to use the domain controller with the setting of 10 first.
To change the priority for DNS SRV records by using the registry
1. In the Run dialog box, type regedit, and press ENTER.
2. In the registry editor, navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Click Edit, click New, and then click DWORD value.
4. For the new entry name, type LdapSrvPriority, and press ENTER.
5. Double-click the entry name that you just typed to open the Edit DWORD Value dialog
box.
6. Choose Decimal as the Base option.
7. Enter a value from 0 through 65535. The recommended value is 200.
8. Click OK.
9. Click File, and then click Exit to close the registry editor.
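Both registry procedures work because clients locate domain controllers through DNS SRV records (for example under _ldap._tcp.dc._msdcs.<domain>), and the Netlogon service publishes each domain controller's record with the priority and weight taken from LdapSrvPriority and LdapSrvWeight. Clients select among SRV records as RFC 2782 describes: lowest priority value first, and within one priority a weighted random choice. The following is an added example, not part of the Deployment Kit: a Python simulation of that selection over a constructed record set for the Trey Research domain controllers, showing the effect of the two recommended values. It generalises slightly beyond the chapter's wording: a domain controller's share of first-choice referrals is its weight divided by the total weight of all domain controllers at the lowest priority, so with two domain controllers a weight of 50 against 100 yields one third, and the share approaches one half as more domain controllers at weight 100 are added.

```python
"""Simulate client selection of domain controllers from DNS SRV records.

Added example (not part of the Windows Server 2003 Deployment Kit). The SRV
record sets below are constructed for the chapter's two domain controllers;
SEA-TRC-DC01 plays the PDC emulator whose weight or priority is adjusted.
Selection follows RFC 2782: ascending priority, then weighted random order
within each priority level.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str
    priority: int  # lower value is tried first; Netlogon default 0
    weight: int    # relative share within one priority; Netlogon default 100


def expected_share(records: list[SrvRecord], target: str) -> float:
    """Fraction of first-choice referrals target receives while every DC is reachable."""
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return 0.0
    return sum(r.weight for r in group if r.target == target) / total


def selection_order(records: list[SrvRecord], rng: random.Random) -> list[str]:
    """Order in which a client would try the targets (RFC 2782 selection)."""
    order: list[str] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            # Pick a point in [0, total]; the first record whose running sum
            # reaches it is chosen. With total 0 the first record is chosen.
            point = rng.uniform(0, total) if total else 0.0
            chosen = group[-1]
            running = 0
            for r in group:
                running += r.weight
                if running >= point:
                    chosen = r
                    break
            order.append(chosen.target)
            group.remove(chosen)
    return order


def try_order(records: list[SrvRecord], seed: int = 0) -> list[str]:
    """selection_order with a seeded generator, for repeatable runs."""
    return selection_order(records, random.Random(seed))


def first_choice_counts(records: list[SrvRecord], trials: int = 10000, seed: int = 1) -> dict[str, int]:
    """How often each target comes first over many simulated client lookups."""
    rng = random.Random(seed)
    counts: dict[str, int] = {}
    for _ in range(trials):
        first = selection_order(records, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


# Constructed record sets: defaults, the chapter's weight of 50, and its priority of 200.
DEFAULT = [SrvRecord("SEA-TRC-DC01", 0, 100), SrvRecord("SEA-TRC-DC02", 0, 100)]
HALF_WEIGHT = [SrvRecord("SEA-TRC-DC01", 0, 50), SrvRecord("SEA-TRC-DC02", 0, 100)]
LOW_PRIORITY = [SrvRecord("SEA-TRC-DC01", 200, 100), SrvRecord("SEA-TRC-DC02", 0, 100)]

if __name__ == "__main__":
    for label, recs in (("default", DEFAULT), ("weight 50", HALF_WEIGHT), ("priority 200", LOW_PRIORITY)):
        print(f"{label}: expected share of DC01 = {expected_share(recs, 'SEA-TRC-DC01'):.3f}, "
              f"observed = {first_choice_counts(recs)}")
```

With the priority raised to 200, SEA-TRC-DC01 never appears first in the simulation, yet it is still last in every try order, which matches the chapter's statement that it remains available when it is the only accessible domain controller. After changing the registry values, the new priority and weight are visible in the SRV records once Netlogon has re-registered them, so the same record set can be checked against what DNS actually serves.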
For more information about adjusting the weight or the priority of the PDC emulator, see the Active
Directory link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Search under “Administration and Configuration Guides” and download the Active Directory Operations
Guide.
Although the Windows Server 2003 domain functional level provides a number of features and advantages,
only enable this functional level when your environment is ready and all of your Windows NT 4.0–based
backup domain controllers (BDCs) have been upgraded.
Although it is possible for a domain to include both Windows NT 4.0–based and Windows Server 2003–
based domain controllers, the Windows Server 2003 domain functional level provides more features.
When you have determined that your environment is ready, use Active Directory Domains and Trusts to
enable the Windows Server 2003 domain functional level.
After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level
to Windows Server 2003 to take advantage of all Windows Server 2003 forest-level features.
To determine when to raise the functional level, and for procedures to perform those tasks, see “Enabling
Advanced Windows Server 2003 Active Directory Features” in this book. For more information about
upgrading Windows NT domains to Windows Server 2003 Active Directory, see “Upgrading
Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• “Designing the Active Directory Logical Structure” in this book.
• “Designing the Site Topology” in this book.
• “Enabling Advanced Windows Server 2003 Active Directory Features” in this book.
• “Deploying Windows Server 2003 Regional Domains” in this book.
• The Active Directory Branch Office Planning Guide link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for a complete guide to
information involving Active Directory branch office implementations.
• The Active Directory link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources. Search under “Administration and
Configuration Guides” and download the Active Directory Operations Guide.