Deploying Active Directory for Branch Office Environments

Article
02/20/2014

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 3 - Building the Branch Office Domain and Bridgehead Servers

Operating System

Deployment and Operations Guide

Abstract

This chapter outlines the steps required to create and monitor the domain controllers for the branch domain. The domain controllers created by using the procedures in this chapter will act as the bridgehead servers for your branch office domain controllers. In addition, procedures for monitoring will be established.

Introduction

This chapter outlines the steps required to create and monitor the branch office bridgehead servers in the central hub site. In the example topology used in this guide, the procedures in this chapter create HUBDC1, BH1, BH2, and BH3. By the end of the chapter, the sample environment will appear as follows:

Resource Requirements

Individuals from the following teams will be required to participate during this phase of the installation:

Microsoft® Windows® 2000 Active Directory™ Directory Services Architecture
Windows 2000 Active Directory Administration
Infrastructure Administration
Network Administration, to provide DNS and other network information

What You Will Need

Completed steps and documentation from Chapter 2, "Building the Forest Root Domain and Central Hub Site."
Your Active Directory branch office architecture plan
The four or more bridgehead servers (HUBDC1, BH1, BH2, and BH3) created in Chapter 2, "Building the Forest Root Domain and Central Hub Site"

What You Should Know

This walk-through assumes that you have a basic knowledge of Windows 2000, Active Directory, and DNS. For a list of additional resources, refer to the More Information section at the end of this document.

Process Flowchart

Configure DNS Forwarding

The first procedure that must be performed on your bridgehead servers is the configuration of the correct DNS forwarders. In an Active Directory branch office environment, do not place this additional load on your bridgehead servers. Instead, use your root servers as the DNS forwarder targets because the root servers will have a significantly smaller load than the bridgehead servers.

Note: As you perform the procedures in this chapter, it is recommended that you document the configuration of the servers in the Hub Site Checklist.xls job aid included with this guide.

Configure DNS Forwarders on Branch Office Bridgehead Servers

To configure DNS forwarders:

Log on to the first bridgehead server as Administrator.
Click Start, Programs, Administrative Tools, and then select DNS.
Select, then right-click on the server name under DNS and select Properties.
Select the Forwarders tab.
Select Enable forwarders.
Enter the Internet Protocol (IP) addresses for forest root servers: 10.10.1.1, 10.10.1.2, and 10.10.1.3.
Click the Do not use recursion check box to disable recursion, and then click OK.
Close the DNS Microsoft Management Console (MMC).
Repeat the above steps on BH2, BH3, and HUBDC1.

Verify DNS Forwarding on Bridgehead Servers

To verify that the DNS forwarders are properly configured:

On BH1, open a command prompt.
At the command prompt, type nslookup corp.hay-buv.com and then press ENTER. The following result should appear:
```
C:\>nslookup corp.hay-buv.com  
*** Can't find server name for address 10.10.20.1: Non-existent domain  
*** Can't find server name for address 10.10.20.2: Non-existent domain  
*** Default servers are not available  
Server: UnKnown  
Address: 10.10.20.1 
Name: corp.hay-buv.com  
Addresses: 10.10.1.1, 10.10.1.3, 10.10.1.2  
```
The DNS query to 10.10.20.1 and 10.10.20.2 will fail because these servers, the branch office domain bridgehead servers, have not been configured with Active Directory and do not have Active Directory integrated DNS zones yet. These errors are expected at this point.

Examine the output and look for the text that begins with "Name: corp.hay-buv.com." Forwarding is working if you see the bolded text above.

If the output contains "Request to Unknown timed out", the DNS forwarders are not configured correctly. Correct your DNS forwarder settings by using the previous procedure and repeat this process to verify the configuration.

If you have verified your DNS forwarder settings are correct and you are still encountering errors, verify that network routing is working.

Note: Do not proceed until the servers can communicate and DNS forwarding is working properly.
Repeat the steps in this section on the remaining bridgehead servers: BH2, BH3, and HUBDC1.

Delegate and Create branches.corp.hay-buv.com Domain

By default, running Dcpromo.exe to create the branches domain will create the branches.corp.hay-buv.com domain as a subdomain in the corp.hay-buv.com zone on ROOT1. In this scenario, it is best to delegate the branches domain to the bridgehead servers.

Delegate branches.corp.hay-buv.com Domain to BH1

To delegate the branches domain:

On ROOT1**,** click Start, Programs, Administrative Tools, and then select DNS.
Right-click corp.hay-buv.com, and then select New Delegation.
Click Next.
Type branches as the name for the child domain, and then click Next.
Click Add.
In the Server name box, type BH1, in the IP address box enter the IP address of BH1, which is 10.10.20.1, and then click Add.
Click OK.
Click Next.
Click Finish.

Create the DNS Domain for branches.corp.hay-buv.com

To create the DNS domain:

Log on to BH1 as Administrator.
Click Start, Programs, Administrative Tools, and then select DNS.
Right-click BH1, and then select New Zone.
Click Next.
Select Standard primary, and then click Next.
Select Forward lookup zone, and then click Next.
Type branches.corp.hay-buv.com as the zone name, and then click Next.
Click Next.
Click Finish.

Creating the Bridgehead Domain Controllers

After the branches.corp.hay-buv.com DNS subdomain has been created and delegated, you can promote your bridgehead servers to be domain controllers in the branches domain.

Note: The Active Directory Installation Wizard (dcpromo.exe) steps in this guide assume the Active Directory database and log files, in addition to SYSVOL, will be stored on the same physical disk. If you have multiple physical disks in your servers and wish to place these files on different physical disks, modify the location of these files as appropriate for your environment.

Running Dcpromo.exe on BH1

Follow these steps to build the branch office child domain.

Click Start, Run, type Dcpromo and then press ENTER.
Click Next.
Select Domain controller for a new domain, and then click Next.
Select Create a new child domain in an existing domain tree, and then click Next.
Enter the Enterprise Administrator credentials, in the Domain box, type corp.hay-buv.com and then press ENTER.
Enter corp.hay-buv.com as the Parent domain.
Enter branches as the Child domain. You should see branches.corp.hay-buv.com as the complete DNS name of the new domain.
Click Next.
Click Next to accept the default Domain NETBIOS name BRANCHES.
Click Next to accept the default locations for the database and log files if you have only a single physical disk. Otherwise, specify the desired location for the files.
Click Next to accept the default location for SYSVOL if you have only a single drive. Otherwise, specify the desired location for the files.
Click OK if you receive a message indicating that the DNS server for the domain was not found. This will occur if there is no A record for the domain yet.
Select No, I will install and configure DNS myself, and then click Next.
Click Next to accept the default for Permissions compatible with pre-Windows 2000 servers.
Enter the Directory Services Restore Mode Administrator Password, and then click Next.
Review the settings, and then click Next to begin the Active Directory Installation Wizard (dcpromo) configuration process.
Click Finish.
To complete the process, click Restart Now when prompted.

Verify Name Registration

To verify the new bridgehead domain controller:

After the server restarts, log on as Administrator in the branches domain.
Click Start, Programs, Administrative Tools, and then select DNS. Expand the branches.corp.hay-buv.com domain, and then verify that records for the new domain controller are visible in the _msdcs, _sites, _tcp, and _udp subdomains that are registered under the branches.corp.hay-buv.com forward lookup zone. If they are not visible in DNS, restarting the Net Logon service initiates the registration of the records.

If the Active Directory DNS records still do not exist after restarting the Net Logon service, check the spelling of the domain in the DNS zone and the network identification. If the spelling is correct, there may be a disjointed DNS namespace. If you suspect that there is a disjointed DNS namespace, see article 255248, "How to Delegate a DNS Namespace to a Child Domain," on the Microsoft Web site.

Enabling Active Directory Integration of Branches Zone

To enable Active Directory integration of the branches zone:

Click Start, Programs, Administrative Tools, and then select DNS.
Expand the BH1 icon.
Expand the Forward Lookup Zones folder.
Select, then right-click the branches.corp.hay-buv.com zone.
Select Properties.
Click Change to change the Zone Type.
Select Active Directory-integrated.
Click OK.
Click OK to confirm change of Zone type.
In the Allow dynamic updates list, select Yes.
Click OK.

Running Dcpromo.exe on BH2, BH3 and HUBDC1

To promote the rest of the bridgehead servers to be domain controllers in the branches domain:

Log on to the server as Administrator.
Click Start, Run, type dcpromo and then press ENTER.
Click Next.
Click Additional domain controller for an existing domain, and then click Next.
Enter the Domain Administrator credentials for the branches.corp.hay-buv.com domain, enter branches.corp.hay-buv.com as the domain name, and then click Next.
Type branches.corp.hay-buv.com as the domain name, and then click Next.
Click Next to accept the default locations for the database and log files if you have only a single physical disk. Otherwise, specify the desired locations for the files.
Click Next to accept the default SYSVOL folder location.
Enter the Directory Services Restore Mode Administrator Password, and then click Next.
Review the settings, and then click Next to begin the Active Directory Installation Wizard (dcpromo) configuration process.
Click Finish.
Click Restart Now to restart the computer.
Repeat the above procedure for each bridgehead server, until all of the servers have been made domain controllers.

Verify Name Registration

To verify the new bridgehead domain controllers:

After the server restarts, on BH1, log on as Administrator in the branches domain.
Click Start, Programs, Administrative Tools, and then select DNS. Expand the branches.corp.hay-buv.com domain and verify that records for the new Domain Controller are visible in the _msdcs, _sites, _tcp, _udp subdomains registered under the branches.corp.hay-buv.com forward lookup zone. If they are not visible in DNS, restarting Net Logon service will initiate the registration of the records.

If the Active Directory DNS records still do not exist after restarting Net Logon service, check the spelling of the domain in the DNS zone and the network identification. If the spelling is correct, there may be a disjointed DNS namespace. If you suspect that there is a disjointed DNS namespace, see article 255248, "How to Delegate a DNS Namespace to a Child Domain," on the Microsoft Web site.
Repeat the above procedure for each new bridgehead domain controller.

Verify the DNS Server Settings for the Bridgehead Domain Controllers

To verify the DNS Server settings:

Right-click on the My Network Places icon, and then select Properties.
Right-click the appropriate network connection, and then select Properties.
Select Internet Protocol (TCP/IP), and then click Properties.
Verify that the Preferred DNS server is configured with this server's IP address and that the Alternate DNS server is configured with the IP address of one of the other bridgehead servers.
Repeat the above procedure for each new bridgehead domain controller.

Delegate branches.corp.hay-buv.com Domain to the Remaining Bridgehead Servers

To delegate the branches domain:

On ROOT1, click Start, Programs, Administrative Tools, and then select DNS.
Right-click corp.hay-buv.com, and then select New Delegation.
Click Next.
Type branches as the name for the child domain, and then click Next.
Click Add.
In the Server name box, type BH2, in the IP address box enter the IP address of BH1, which is 10.10.20.2, and then click Add.
Click OK.
Repeat steps 5 through 7 for BH3. If you have additional bridgehead servers in your plan, repeat steps 5 through 7 for those servers. Do not include the Primary Domain Controller (PDC) Emulator, HUBDC1, in this list of bridgehead servers.
Click Next.
Click Finish.

Transfering Operations Master Roles and Creating Global Catalog Servers

The final configuration required for the bridgehead servers is to transfer all of the Operations Master roles to the HUBDC1 server. After that has been completed, the rest of the bridgehead servers are made global catalog servers.

Transfer Operations Master Roles from BH1 to HUBDC1

BH1 is a global catalog server on which it is not recommended to also have the Infrastructure Master role. To remove the load from the bridgehead servers, you should also move the relative identifier (RID) operations master and PDC Emulator roles. Therefore, this procedure provides the steps necessary to move the roles to HUBDC1.

To move the Operations Master roles to HUBDC1:

Start Active Directory Users and Computers.
Right-click the top of the Active Directory Users and Computers tree.
Select Connect to Domain Controller.
In the list, select HUBDC1, and then click OK.
Right-click the branches.corp.hay-buv.com domain, and then select Operations Masters.
The RID Master role appears by default. Click Change.
Click Yes to confirm the transfer.
Click OK.
Repeat the above steps for the PDC Emulator and Infrastructure Master roles.

Configure BH1, BH2, and BH3 as Global Catalog Servers

To configure the bridgehead servers as global catalog servers:

Click Start, Programs, Administrative Tools, and then select Active Directory Sites and Services.
Expand the Hub site.
Expand the Servers folder.
Expand the BH1 server object.
Right-click the NTDS Settings object, and then select Properties.
Select the Global Catalog check box, and then click OK.
Repeat the above steps for BH2, BH3, and any other bridgehead servers you created. However, do not repeat these steps on HUBDC1.

Verify the Branch Office Domain Configuration

Now that all of your branch office domain bridgehead servers are installed and configured, it is necessary to verify the servers before creating the staging site and staging branch office domain controllers. If problems exist with your bridgehead servers and you continue without first correcting them, you will not have a successful Active Directory branch office deployment. It is much easier to correct any problems at this stage than to potentially let them propagate throughout your environment.

Active Directory and File Replication service (FRS) replication can take up to 20 minutes to complete. Therefore, all the bridgehead servers should sit for at least 30 minutes before performing the procedure in this section. Erroneous events may appear in the event log during this initial startup period.

It is also very important to continue to monitor the health of your bridgehead servers. The final procedure in this chapter guides you through the process of scheduling the quality assurance (QA) script to run daily on your bridgehead servers.

Final Quality Assurance Check

To perform the final quality assurance check:

Wait for at least 30 minutes.
Log on as Administrator.
Clear the event logs on all servers.
Open a command prompt, and then change to the C:\ADMonitor folder.
Start the QA_Check.cmd script.
After the script completes, change to the C:\ADResults\<computername> folder, where <computername> is the name of the computer.
Use Notepad to open the text file in this folder.

Examine the file to ensure that replication has occurred. For example, you should see entries, such as the following, indicating that replication was successful.

CN=Schema,CN=Configuration,DC=corp,DC=hay-buv,DC=com  
HUB\BH1 via RPC  
objectGuid: f99e17ed-3b03-4b3e-afa8-2c1e738ddc4d  
Last attempt @ 2000-12-02 07:09.44 was successful.

If the Ds_showreps.txt file does not have a "last attempt was successful" line for each naming context, restart this procedure at step 1.
If the Ds_showreps.txt file indicates that replication was unsuccessful for any of the naming contexts, troubleshoot and resolve the problem before continuing. For more information on troubleshooting errors, see Chapter 11, "Troubleshooting Guidelines for Branch Office Environments" of this guide.
Change to the C:\ADResults\<computername> folder.
Use Notepad to open the text file in this folder.
Examine the file to ensure that there were no errors reported. If there are any errors, the errors must be resolved before continuing. For more information on troubleshooting errors, see Chapter 11, "Troubleshooting Guidelines for Branch Office Environments".
Document the configuration of this server in the Hub Site Checklist.xls job aid included with this guide.
Repeat this procedure for BH1, BH2, BH3, HUBDC1, and any other bridgehead domain controllers in your hub site.

Schedule the Quality Assurance Check to Run Every Day

The quality assurance script (QA_Check.cmd) should be run every day to verify your domain controllers. Some of the Microsoft Windows 2000 Resource Kit utilities used by the quality assurance script must be run by using an Administrator account to collect their data. Therefore, the Microsoft Windows 2000 Resource Kit utility Srvany.exe is used to run the script as a service, and a batch file is scheduled to start and stop the service.

Alternatively, AppManager can run this script on a regular basis and report on problems with executing. The Agent (NetIQ_mc) should be configured to start under an administrative account to run this script.

Before performing the following procedure, you should first create a user account, such as QACheck, that is a member of the domain admins group. This will allow you to configure the service to start using an administrator account.

To schedule the running of QA_check.cmd by using Srvany.exe:

Open a command prompt, and then type the following command to install Srvany from the Microsoft Windows 2000 Resource Kit as a Windows service:

instsrv QACheck "c:\Program Files\Resource Kit\srvany.exe"
Click Start, Programs, Administrative Tools, and then select Services.
Right-click the QACheck service you added in step 1, and then select Properties.
On the General tab, set the Startup type as Manual.
On the Log On tab, set the account the service will use when running. You should create a QACheck user account that is a member of the domain admins group and use this account as the service logon account.
Click OK, and then close the Services MMC.
Click Start, Run, in the Open box, type regedt32 and then click OK.
Expand the following path in the Registry Editor: HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \QACheck
On the Edit menu, select Add Key.
In the Add Key dialog box, in the Key Name box, type Parameters and then click OK.
Select the Parameters key, and then on the Edit menu, select Add Value.
In the Add Value dialog box, in the Value Name box, type Application and in the Data Type box, select REG_SZ, and then click OK.
In the String Editor dialog box, type C:\ADMonitor\QA_Check.cmd and then click OK.
Select the Parameters key, and then on the Edit menu, select Add Value.
In the Add Value dialog box, in the Value Name box, type AppDirectory and in the Data Type box, select REG_SZ, and then click OK.
In the String Editor dialog box, type C:\ADMonitor and then click OK.
After configuring the registry, to schedule the QA script to run Monday through Friday, enter the following command at a command prompt:

at 5:00 /every:m,t,w,th,f "C:\ADMonitor\startqa.cmd"

To schedule the script by using AppManager:

Open the AppManager Operator Console.
Navigate to the NT tab in the KS pane (in the middle on the right side).
Drag the RunDOS KS to the server in the list pane on the left.
Configure the schedule to be daily at 11:00 P.M. Continue with step 5 before clicking OK.
On the Values tab, in the DOS Command or Script field, type C:\ADMonitor\QA_Check.cmd and then click OK.

Summary

At the end of this chapter, you will have configured the branch domain servers at the hub site. The hub servers now have the correct DNS configuration, and you have created a DNS zone for branches.corp.hay-buv.com and have created a child Active Directory domain called branches by running Dcpromo.exe on your first child domain controller. You have promoted the other bridgehead servers and the hub bridgehead server for the staging site. After verifying these steps, you have transferred the Operations Master roles from your first bridgehead server to the hub bridgehead server for the staging site, and all but the staging bridgehead are now also global catalog servers.