8/8/2019 Best Practice Active Directory Deployment for Managing Windows Networks
1/123
Best Practice Active Directory Deployment for Managing Windows Networks
This guide assists architects, project managers, and consultants in deploying an Active Directory service in a network operating system (NOS) infrastructure. The best practices deployment methodology encapsulates technical expertise from the Microsoft Windows Product Group with lessons learned from customers who have implemented Active Directory in their organizations.
On This Page
• Overview of Active Directory Deployment
• Testing And Verifying the Deployment Process
• Configuring DNS for the Forest Root
• Creating the Forest Root
• Deploying Regional Domains
• Creating a New Regional Domain
• In-Place Upgrading of Account Domain
• Restructuring Account Domains
• Restructuring Resource Domains
• Decommissioning the Windows NT 4.0 Domains
• Importing Accounts and Data From Other Sources
Overview of Active Directory Deployment
Many organizations are migrating from Microsoft Windows NT version 4.0 to Microsoft Windows 2000 and
the Active Directory. The Windows 2000 and Active Directory deployment process must:
• Allow the organization to continue normal business operations while migrating the network.
• Minimize any modifications to the existing network infrastructure.
• Allow existing user accounts and resource permissions to be migrated.
• Include the migration of services and applications running on existing servers.
This document describes the deployment of Windows 2000 and Active Directory. Specifically, you will learn the
best practices for deploying your Active Directory design by:
• Testing your design assumptions and deployment processes in a lab environment.
• Verifying your deployment process in a pilot deployment.
• Deploying Active Directory to your production environment.
Prior to performing the tasks in this document, create an Active Directory design for your organization. For more information about creating an Active Directory design for your organization, see Best Practice Active Directory Design for Managing Windows Networks at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.
Note: All references to Windows 2000 include both Microsoft Windows 2000 Server and Microsoft
Windows 2000 Advanced Server, unless otherwise specified.
Active Directory Deployment Process
Figure 1 illustrates a flowchart of the Active Directory deployment process presented in this document. You can follow this as a model for your Active Directory deployment.
Figure 1: Flowchart of the Active Directory deployment process
This document presents the deployment process for existing networks based on Windows NT 4.0 and other network operating systems.
Windows NT 4.0
Use this document to guide your migration from Windows NT 4.0 to Windows 2000 and Active Directory by reading the following sections:
• "Testing and Verifying the Deployment Process"
• "Configuring DNS for the Forest Root"
• "Creating the Forest Root"
• "In-Place Upgrading Account Domain" or "Create a New Regional Domain"
• "Restructuring Related Account Domains"
• "Restructuring Related Resource Domains"
• "Decommissioning Windows NT 4.0 Domains"
Other Network Operating Systems
Use this document to guide your migration from other network operating systems to Windows 2000 and Active Directory by reading the following sections:
• "Testing and Verifying the Deployment Process"
• "Configuring DNS for the Forest Root"
• "Creating the Forest Root"
• "Creating a New Regional Domain"
• "Importing Accounts and Data from Other Sources"
Deployment Tools Used in This Document
Contoso Pharmaceuticals is a bioelectronics design and manufacturing firm headquartered in Seattle,
Washington. Contoso provides bioelectronics devices (such as pacemakers, defibrillators, and heart-
assist devices). Contoso distributes these devices throughout the world.
• Trey Research
Trey Research is a research and development firm that specializes in radio frequency (RF) designs. Trey Research provides outsourced engineering consulting for organizations that manufacture RF devices used in the aviation industry (such as radio transceivers, global positioning systems (GPSs), or transponders). Contoso acquired Trey Research to design RF electronic devices (such as in-home critical-care monitoring systems and mobile electrocardiogram (EKG) and vital statistic monitoring systems). Trey Research continues to operate as a separate business unit with customers other than Contoso.
• Fabrikam, Inc.
Fabrikam, Inc. is an electronics manufacturing firm located in Asia. Fabrikam provides printed circuit board fabrication, sheet metal fabrication, injection molding, and electronics assembly services. Contoso acquired Fabrikam to reduce the manufacturing cost associated with bioelectronics devices designed and marketed through Contoso and Trey Research. Fabrikam's entire manufacturing capacity is totally consumed by Contoso and Trey Research. As a result, Fabrikam, Inc. is integrated with the Contoso business unit.
The characteristics of the business model that exists among the Contoso business units include the following:
• Contoso is the "parent" organization that determines any standards that apply to all business units.
• The research and development teams within Contoso work closely with the manufacturing teams in Fabrikam, Inc.
• The network infrastructure is provided by (or through) Contoso and provides wide area network (WAN) connections between locations in the business units.
• Contoso has standardized on Microsoft Exchange Server version 5.5 for the messaging infrastructure in all business units.
• Trey Research just completed a migration of all clients to Windows 2000 Professional.
• The other business units are comprised of clients running a variety of operating systems, including Microsoft Windows NT Workstation version 4.0, Microsoft Windows 95, and Microsoft Windows 98.
Geographic Locations
Figure 2 presents a map of the world that includes the business locations of Contoso, Fabrikam, Inc., and Trey
Research.
Figure 2: Contoso, Fabrikam, and Trey Research locations
Table 3 lists the Contoso, Fabrikam, and Trey Research locations and the business functions performed at each location. Windows NT 4.0 is currently deployed at all geographic locations.
Table 3 Contoso Locations and Business Functions
Contoso
  Seattle: Headquarters for Contoso, where all accounting and administration is performed. A research and development facility is located in the same building.
  Boston: Legal department and specialists who obtain government approvals, such as from the Food and Drug Administration (FDA), for all products. Domestic marketing and sales offices are located in the same building.
  Vancouver: Research and development facility that designs new products. Headquarters for Canadian engineering and product support (responsible for assisting customers in using Contoso products).
  Montreal: Canadian marketing and sales office.
  Milan: European marketing and sales headquarters.
  Seville: Headquarters for European engineering and product support (responsible for assisting customers in using Contoso products).
Trey Research
  Renton: Headquarters for Trey Research, where all accounting and administration is performed. A research and development facility is located in the same building.
  Atlanta: Research and development facility that designs new products. Headquarters for domestic engineering and product support (responsible for assisting customers in using Contoso products).
Fabrikam, Inc.
  Hong Kong SAR: Headquarters for Fabrikam, where all accounting and administration is performed. A manufacturing and testing facility is located in the same building, which is used for small production runs of products or for prototype development.
  Tokyo: Manufacturing and testing facility used for high-volume production runs.
Testing And Verifying the Deployment Process
As you are creating the first draft of your Active Directory design, begin the testing and verification phase. Figure 3 illustrates when testing and verifying occurs in your deployment process. The testing and verification phase begins during the design phase and continues through the deployment phase.
For more information about the design phase, see Best Practice Active Directory Design for Managing Windows Networks at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.
Figure 3: Testing and verifying in the deployment process
In any Active Directory deployment, you can minimize the impact on normal business operations by including:
• Preliminary testing of the deployment process in a lab environment. Preliminary testing includes:
  • Design assumption tests.
  • Deployment process tests.
• Verification of the deployment process in a pilot program.
Figure 4 illustrates the life cycle of the design, lab testing, pilot deployment, and production deployment phases of your deployment project. Lab testing overlaps the design and pilot deployment phases. The pilot deployment begins as the design process nears completion and continues on indefinitely.
Figure 4: Lifecycle of design, lab testing, pilot deployment, and production deployment.
Note: The deployment process that you are testing and verifying is the same deployment process discussed in the remainder of this document.
Testing in a Lab Environment
Lab testing is the first evaluation of the Active Directory design. During lab testing, you are confirming the assumptions made by the design architects. When any of the assumptions that you test prove to be incorrect, the design architects must modify their design to reflect the outcome of the lab tests.
As the first draft of the Active Directory design approaches completion, begin testing specific design assumptions in the deployment process in a lab environment. Your primary objectives for testing the deployment process in your lab are to:
• Discover any potential design problems that affect the deployment process.
• Provide feedback to the design team, prior to the deployment, to correct any problems discovered during testing.
Ensure that the test lab environment:
• Is isolated from the rest of your organization's production network.
• Includes user and group accounts and resources that are exclusively designated for testing (no production accounts or resources).
• Represents, on a small scale, the hardware and operating system configuration of the computers in your organization.
• Is retained permanently as a training tool and to test new procedures.
The deployment team can use the lab environment to learn the specifics of your deployment process and to gain familiarity with the deployment and migration tools used during Active Directory deployment.
As previously mentioned, lab testing provides validation for the design assumptions and for the deployment process. Typically, the design assumption tests and deployment process tests are performed by different teams. Table 4 lists the lab tests and the team members that perform the tests in the lab.
Table 4 Lab Tests and Corresponding Team Members
Testing Design Assumptions
  Analyze Active Directory replication and site topology: Design team, site topology owner, deployment team
  Test application and desktop compatibility: Design team
Testing Deployment Process
  Test disaster recovery: Domain owner, deployment team
  Test account and resource migration: Domain owner, deployment team
  Evaluate delegation, administration, and management: Domain owner
Testing Design Assumptions
During the design process, the design team makes assumptions that are incorporated into the Active Directory design (such as Active Directory replication and application compatibility). After a preliminary draft of the design is complete, the design team must prove these assumptions in the lab environment.
To test the design assumptions in the lab environment:
• Analyze Active Directory replication and site topology.
• Verify application and desktop compatibility.
Analyze Active Directory Replication Site Topology
As part of the Active Directory design, the design team specifies the maximum replication latency between hubs in the replication site topology. Replication latency is the length of time required to replicate changes within the forest.
To analyze Active Directory replication site topology:
1. Ensure that forest-wide replication latency is less than or equal to the maximum replication latency specified in the design.
2. Ensure you test from furthest point to furthest point, or a worst-case test, based on the maximum number of hops assumed in the design.
3. Observe the time required for replication convergence when a domain controller or communications link fails by completing the following steps:
   a. Identify the domain controllers that are responsible for intersite replication by using the Active Directory Sites and Services snap-in of Microsoft Management Console (MMC).
   b. Disconnect domain controllers or disable communications links that are used in intersite replication.
   c. Allow the Knowledge Consistency Checker (KCC) to automatically configure a new replication topology.
   d. Identify the domain controllers that are now responsible for intersite replication.
   e. Reconnect the domain controllers or enable communications links.
   f. Verify that the intersite replication topology returns to the original state, as identified in the first step.
Note: Replication convergence can take hours to complete, based on the number of replication changes and the intersite communications links.
For more information about replication convergence and latency design considerations, see Best Practice Active Directory Design for Managing Windows Networks at http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.
Verify Application and Desktop Compatibility
As part of the Active Directory design, the design team must determine the compatibility between applications, desktop operating systems, and Active Directory. Typically, the aspects of application testing that are affected by an Active Directory migration include applications that run on:
• Servers
• Desktop computers
• Laptop computers
• Remote access users
Verify the application and desktop compatibility design assumptions by:
1. Creating a list of all critical applications.
2. Ensuring that each application is assigned an individual responsible for testing the application.
3. Testing that each application operates properly in a migrated environment.
When verifying application and desktop compatibility, ensure that:
• Existing server applications, currently running on a Windows NT 4.0 backup domain controller (BDC), can run on Windows 2000 domain controllers.
  For example, some server applications running on BDCs take advantage of Shared Local Groups. To run these server applications on Windows 2000, verify that the applications run properly by using Active Directory domain local groups.
• Existing server applications can run on Windows 2000 member servers.
• Server applications running on a mixture of Windows 2000 and Windows NT 4.0 servers can interoperate with one another.
  For example, make sure a Microsoft SQL Server running on Windows 2000 can interact with a SQL Server running on Windows NT 4.0.
• Existing desktop applications run correctly when the domain infrastructure is migrated to Windows 2000 and Active Directory.
• Existing applications that use integrated Windows security run correctly when the domain infrastructure is migrated to Windows 2000 and Active Directory.
If you find that a server application cannot be migrated to a Windows 2000 domain controller, do one of the following:
• Leave the application running on the Windows NT 4.0 domain controller.
• Run the application on a Windows 2000 member server.
• Run the application on a Windows NT 4.0 member server.
• Provide feedback to the design team that the server application's domain cannot be in-place upgraded or consolidated.
  The Windows NT 4.0 domain must remain until a version of the application that can run on a Windows 2000 domain controller is available.
As a long-term deployment goal, transition any applications currently running on domain controllers to member servers.
Testing Deployment Processes
During the deployment process, the deployment team must perform specific tasks that are essential to ensure success (such as testing account and resource migration from Windows NT 4.0 to Windows 2000 and Active Directory). Before starting the production deployment, the deployment team must verify these tasks in the lab environment.
To verify the deployment process in the lab environment:
• Test disaster recovery.
• Test account and resource migration.
• Evaluate delegation, administration, and management.
Test Disaster Recovery
Test disaster recovery in your lab environment to validate:
• The time required to restore a domain controller in the event of a failure.
• Users can log on within an acceptable response time until a failed domain controller is restored.
To implement a disaster recovery process in your Active Directory deployment:
• Back up the Active Directory database of at least two domain controllers.
• Restore the Active Directory database from backup when:
  • A domain controller is the only domain controller in a site connected with a data rate of 128 kilobits per second (Kbps) or less.
  • A domain contains more than 20,000 user accounts.
• Restore the Active Directory database on a failed domain controller by installing a new domain controller and letting Active Directory replication repopulate the Active Directory database when the domain controller is connected to other domain controllers with a data rate equal to or greater than 128 kilobits per second (Kbps).
Test the following disaster recovery scenarios in the lab environment:
• Restoring a domain controller after any hardware failure.
• Restoring a domain controller after any operating system failure.
• Recovering a domain controller when the directory services database contains corrupted data.
• Recovering data inadvertently deleted from the directory service by performing an authoritative restore.
Test Account and Resource Migration
Prior to starting the pilot deployment program, test the deployment process for account and resource migration by using the complete set of procedures outlined in this document.
To test migration of Windows NT 4.0 account and resource domains:
1. In two or more production Windows NT 4.0 account domains, create new backup domain controllers (BDCs).
2. Remove the new BDCs from the production network.
3. Install the new BDCs in the lab environment.
4. Promote the new BDCs to primary domain controllers (PDCs).
5. Perform in-place upgrades and restructuring of the account domains in your lab.
6. Verify that migrated accounts have access to resources and retain user profiles.
For more information about the migration of Windows NT 4.0 account and resource domains, see the following sections in this document:
• Creating a New Regional Domain
• In-place Upgrading of Account Domains
• Restructuring Account Domains
• Restructuring Resource Domains
Evaluate Delegation, Administration, and Management
After you have successfully tested the migration of users and resources in your lab environment, but prior to starting the pilot deployment program, evaluate the delegation, administration, and management processes by:
1. Creating an organizational unit (OU) structure that reflects the Active Directory design best practices. For more information about creating an OU structure, see Best Practice Active Directory Design for Managing Windows Networks at
   http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx.
2. Delegating permissions on OUs to specific group accounts used for administration.
3. Verifying the success of the delegation by:
   a. Logging on as a user that belongs to the group account to which you delegated permissions.
   b. Performing administration tasks on objects within the OU (such as modifying the properties of a user in an account OU).
   c. Attempting, and subsequently failing, to perform administrative tasks on OUs to which the administration group does not have delegated permissions.
Verifying in a Pilot Deployment Program
After you complete the testing in the lab environment phase of your deployment process, you can start the pilot deployment program. In the lab environment, you ensured that the deployment process worked outside your production environment on accounts and resources that approximated your production environment. In the pilot deployment program, you:
• Identify a controlled subset of the accounts (users, groups, and services) and resources that exist in the production environment.
• Perform the deployment process on the identified accounts and resources.
Deployment Best Practice
In your pilot deployment, begin with users who are involved in the deployment project and then include users who are representative of your user population.
Use the pilot deployment environment to:
• Extend testing into a subset of the production environment.
• Provide a test environment for other design and deployment groups.
• Verify processes and procedures for network and operating system infrastructure updates.
• Verify proper operation of application updates.
• Evaluate the impact of monitoring solutions on the network infrastructure and the servers being monitored.
• Discover any potential problems in the deployment process that are caused by complexities that could not be modeled in the lab environment.
• Revise the deployment process to correct any problems you discovered prior to the production deployment.
To create a pilot deployment program in your environment
1. Create forest_root_domain (where forest_root_domain is the name of an empty Active Directory forest root domain created by appending "-test" to the name of the production forest root domain).
2. Create regional_domain (where regional_domain is the name of an Active Directory regional domain created by appending "-test" to the name of a production regional domain).
3. Establish the appropriate trust relationships between regional_domain (where regional_domain is the name of a regional domain in the pilot program) and winnt_domain (where winnt_domain is an account or resource domain for migration from Windows NT 4.0-based networks).
4. Migrate selected accounts and resources from winnt_domain (where winnt_domain is an account or resource domain for migration from Windows NT 4.0-based networks), or other data sources, to regional_domain (where regional_domain is the name of a regional domain in the pilot program) by using the procedures in this document.
5. Verify that users and administrators can minimally perform the same tasks as they did prior to migration (resource access, account administration, resource administration, etc.).
Note: When you migrate production users to the pilot, leave the user accounts enabled in the production and the pilot environments. By leaving the user accounts enabled in the production environment, you provide a fallback plan in the event of any issues in the pilot environment.
Contoso example: Creating a pilot deployment program
Create the Contoso pilot deployment program by using the process described in the previous section and the information in Table 5.
Table 5 Information For Creating a Pilot Deployment Program
When Prompted For: Use
forest_root_domain: concorp-test.contoso.com
regional_domain: noam-test.concorp-test.contoso.com
winnt_domain: USA for account domains; SEATTLE for resource domains
Figure 5 illustrates the pilot deployment configuration.
Figure 5: Pilot deployment configuration.
Completing the Pilot Deployment Program
After you complete the pilot deployment program, retain the pilot deployment environment. Continue to use the pilot forest to verify new deployment processes, such as adding new applications or schema extensions, installing operating systems, creating Group Policy settings, or OU restructuring.
Deployment Best Practice
During the production deployment process, always migrate accounts from the production environment. Never migrate accounts from the pilot environment.
To complete the pilot deployment program in your environment
After you complete the pilot deployment process, users can do one of the following:
• Continue to log on to the pilot domain until their account is migrated during the production deployment process.
• Return to the production environment immediately by logging on to their Windows NT 4.0 domain.
Contoso example: Completing the pilot deployment program
Figure 6 illustrates the Active Directory pilot program forest after production deployment.
Figure 6: Comparison of the pilot forest and the production forest
After the completion of the pilot deployment program, you can start the deployment of Windows 2000 and Active Directory into your production environment.
Configuring DNS for the Forest Root
The first step in the production deployment process is to configure the DNS domain for the forest root, as shown in Figure 7.
Figure 7: Configuring DNS for the forest root in the deployment process
The DNS administrator of your organization is responsible for delegating the DNS domain used by the forest root domain.
Important: When no DNS infrastructure exists, skip this step in the deployment process and proceed to the next step, "Creating the Forest Root." The remainder of this step describes the process of configuring and delegating a domain in the existing DNS internal namespace.
To configure DNS for the forest root:
1. Review the DNS design worksheet created by the forest root owner and directory architect.
2. Review the existing internal DNS namespace.
3. Delegate the DNS domain name from the existing DNS internal namespace.
Review the DNS Design Worksheet
Before you review the existing DNS infrastructure in your design, review the DNS design worksheet prepared
by the forest root owner and the directory architect.
The DNS design worksheet describes:
• DNS domains that must be delegated.
• DNS servers that must be modified for the delegation.
Review the Existing DNS Infrastructure
After you review the DNS design worksheet prepared by the forest root owner and the directory architect, review the existing DNS infrastructure.
To review the existing DNS infrastructure in your environment
Review the existing DNS infrastructure by examining current:
• Network diagrams.
• DNS domain hierarchy diagrams.
• DNS zone configuration.
• DNS resource records for delegation and forwarding.
• DNS replication.
Contoso example: Reviewing the existing DNS infrastructure
Review the existing DNS infrastructure for the Contoso and Trey Research business units. The existing DNS infrastructure for Contoso provides name resolution for:
• Any servers (such as Web or mail servers) that reside in the perimeter network and are accessed by Internet users.
• Any computers (or other network devices) that reside in the private network and run an operating system other than Windows NT 4.0 (such as UNIX or Macintosh operating systems).
Note: Windows NT 4.0-based computers in the private network use Windows Internet Name Service (WINS) to provide name resolution.
After Fabrikam, Inc. and Trey Research were acquired by Contoso, their existing DNS infrastructure was integrated into the DNS infrastructure for Contoso. Each business unit in Contoso continues to use its respective registered DNS domain name. These DNS domain names are:
• Used by each business unit to provide DNS naming for computers that are accessed by Internet users.
• Represent the external DNS namespace for each business unit.
• Hosted by the Berkeley Internet Name Domain (BIND) DNS servers (SEA-CON-DNS-01 and SEA-CON-DNS-02) that are placed in the perimeter network.
Table 6 lists each business unit and the corresponding registered DNS domain name.
Table 6 Registered DNS Domain Names of Contoso Business Units
Business Unit Registered DNS Domain Names
Contoso contoso.com
Trey Research treyresearch.net
Fabrikam, Inc. fabrikam.com
Contoso, Trey Research, and Fabrikam, Inc. also maintain a separate DNS namespace (with the same name as the external namespace) to resolve internal names. Each geographic location maintains a delegated domain beneath the corresponding business unit.
These DNS domain names are:
• Used by each business unit to provide DNS naming for computers within the private network.
• Represent the internal DNS namespace for each business unit (and subsequently each geographic location).
• Hosted by a combination of DNS servers running BIND and Windows NT 4.0 DNS.
• Placed within the private network at each geographic location.
Table 7 lists each geographic location and the corresponding internal DNS domain names for each location.
Table 7 Internal DNS Domain Names of Contoso Locations
Location Internal DNS Domain Name
Contoso contoso.com
Seattle seattle.contoso.com
Boston boston.contoso.com
Vancouver vancouver.contoso.com
Montreal montreal.contoso.com
Milan milan.contoso.com
Seville seville.contoso.com
Trey Research treyresearch.net
Renton renton.treyresearch.net
Atlanta atlanta.treyresearch.net
Fabrikam, Inc. fabrikam.com
Hong Kong SAR hongkong.fabrikam.com
Tokyo tokyo.fabrikam.com
Each of the location-specific subdomains contains only the resource records for its location. The DNS servers within each respective location:
• Are delegated authority for their domains from the top-level internal DNS servers (SEA-CON-DNS-01 and SEA-CON-DNS-02).
• Forward unresolved queries to the top-level internal DNS servers (SEA-CON-DNS-01 and SEA-CON-DNS-02).
Note: The DNS servers (SEA-CON-DNS-01 and SEA-CON-DNS-02) in Seattle host the top-level internal domain names and secondary copies of the domain names from all locations.
Delegate the DNS Domain for the Forest Root
After you identify the DNS domain names that must be delegated in the existing DNS namespace, you are ready to delegate the DNS domain for the forest root.
Note: The delegation that occurs in this step references the first forest root domain controller, which does not currently exist. The DNS service is installed and configured on the first forest root domain controller in a subsequent step.
To update the DNS delegation records for the additional domain controller in your environment
1. Create a name server (NS) resource record in the parent_domain zone file (where parent_domain is the fully qualified domain name of the forest root domain's parent domain):
   forest_root_domain IN NS computer_name.forest_root_domain.parent_domain
   (where forest_root_domain is the name of the forest root domain, computer_name is the computer name of the additional domain controller, and parent_domain is the fully qualified domain name of the forest root domain's parent domain).
2. Create a host address (A) resource record in the parent_domain zone file (where parent_domain is the fully qualified domain name of the forest root domain's parent domain):
   computer_name.forest_root_domain.parent_domain IN A ip_address
   (where computer_name is the computer name of the additional domain controller, forest_root_domain is the name of the forest root domain, parent_domain is the fully qualified domain name of the forest root domain's parent domain, and ip_address is the IP address of the additional domain controller).
Contoso example: Updating the DNS delegation records for the additional domain controller
Update the DNS delegation records for the additional forest root domain controller in the Contoso example by
using the process described above and the information provided in Table 8.
Table 8 Information for Updating DNS Delegation in the Contoso Example
When Prompted For In Contoso use In Trey Research use
parent_domain contoso.com treyresearch.net
forest_root_domain concorp.contoso.com trccorp.treyresearch.net
computer_name SEA-CON-DC-01 REN-TRC-DC-01
ip_address 172.16.16.21 172.16.20.13
Creating the Forest Root
After you delegate the DNS domain for the forest root on the existing DNS servers, you are ready to start theproduction deployment of Active Directory. The first step in the production deployment of Active Directory isthe creation of each forest root. Figure 8 illustrates when creating the forest root occurs in your deployment
process.
Figure 8: Creating the forest root in the deployment process
The forest owner is responsible for deploying the forest root domain. The forest owner notifies the domain owners of the regional domains when the deployment of the forest root domain is complete.
To create the forest root:
1. Deploy the first domain controller.
2. Deploy an additional domain controller in the same site.
3. Configure site topology.
4. Configure operations master roles.
5. Deploy additional domain controllers in other sites.
Deploying the First Forest Root Domain Controller
After you delegate the DNS zone for the forest root on the existing DNS servers, you are ready to deploy thefirst forest root domain controller.
To deploy the first forest root domain controller:
1. Install Windows 2000.
2. Install Active Directory.
3. Verify the Active Directory installation.
4. Configure DNS server recursive name resolution.
5. Delegate the _msdcs zone.
After completing the deployment of the first forest root domain controller, you are ready to deploy additionalforest root domain controllers.
Install Windows 2000
The first step in deploying the first forest root domain controller is to install Windows 2000 on the computerthat you want to make the domain controller.
Note: You can automate the installation of Windows 2000 by using Sysprep.exe, unattended installation, or
any disk imaging method.
To install Windows 2000 on the first forest root domain controller in your environment
Install Windows 2000 on the first domain controller in the primary site of your forest root domain by using the
information listed in Table 9.
Table 9 Information for Installing Windows 2000 on the First Domain Controller in the Forest Root
When Prompted For: Use
Format partitions: NTFS
Computer name: computer_name (where computer_name is the computer name of the first forest root domain controller).
IP address: ip_address (where ip_address is the fixed IP address that you assign to the first forest root domain controller).
Subnet mask: subnet_mask (where subnet_mask is the subnet mask that you assign to the first forest root domain controller).
Administrator password: strong_password (where strong_password is any strong password).
Networking components: DNS; Internet Protocol (TCP/IP).
Primary WINS server: primary_wins_server (where primary_wins_server is the IP address of the existing primary WINS server, or leave blank if there is no existing WINS infrastructure).
Secondary WINS server: secondary_wins_server (where secondary_wins_server is the IP address of another existing WINS server, or leave blank if there is no existing WINS infrastructure).
Preferred DNS server: preferred_dns_server (where preferred_dns_server is the IP address of an existing DNS server, or leave blank if there is no existing DNS infrastructure).
Contoso example: Installing Windows 2000 on the first forest root domain controller
Install Windows 2000 on the first forest root domain controller for Contoso by using the process described
above and the information provided in Table 10.
Table 10 Information for Installing Windows 2000 in the Contoso Example
When Prompted For In Contoso use In Trey Research use
computer_name SEA-CON-DC-01 REN-TRC-DC-01
ip_address 172.16.16.21 172.16.20.13
subnet_mask 255.255.252.0 255.255.252.0
strong_password Y7#Es-3t OJ2-1Yz8
primary_wins_server 172.16.12.15 172.16.48.15
preferred_dns_server 172.16.4.10 172.16.4.10
Install Active Directory
Install Active Directory on the computer that you want to make the first forest root domain controller byrunning the Active Directory Installation Wizard (Dcpromo.exe).
The Active Directory Installation Wizard:
• Creates the Active Directory database.
• Initializes the directory data in the database.
• Creates an Active Directory-integrated zone for the forest root domain.
Note: When your organization has no existing DNS infrastructure, the Active Directory Installation Wizard automatically creates an internal root zone (expressed as "."). The new root zone acts as the authoritative root for your organization. A DNS server that hosts the "." zone treats itself as an Internet root and neither forwards queries nor uses root hints, so if the wizard creates a root zone by mistake (for example, because the Preferred DNS server was unreachable), delete it before you configure recursive name resolution.
You can run the Active Directory Installation Wizard in an unattended scripted mode to automate theinstallation of Active Directory.
To install Active Directory on the first forest root domain controller in your environment
1. From a command prompt, type nslookup parent_domain (where parent_domain is the fully qualified domain name of the forest root domain's parent domain). A successful answer confirms that the Preferred DNS server you entered during Windows 2000 setup is reachable and resolves the existing namespace before you run the wizard.
2. Install Active Directory on the first forest root domain controller by running the Active Directory Installation Wizard and by using the information provided in Table 11 to complete the wizard. Accept default settings when no information is specified.
Table 11 Information for Installing Active Directory on the Domain Controller
Wizard Page: Action
Domain Controller Type: Click Domain controller for new domain.
Create Tree or Child Domain: Verify that Create a new domain tree is selected.
Create or Join Forest: Verify that Create a new forest of domain trees is selected.
New Domain Name: In the Full DNS name for new domain box, type forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).
Configure DNS: Click Yes, install and configure DNS on this computer.
Permissions: Click Permissions compatible only with Windows 2000 servers. The alternative, Permissions compatible with pre-Windows 2000 servers, adds Everyone to the Pre-Windows 2000 Compatible Access group and lets anonymous users read user and group information in the domain; choose it only for a documented dependency on that behavior.
Directory Services Restore Mode Administrator Password: In the Password and Confirm password boxes, type strong_password (where strong_password is any strong password). Choose a value that differs from the built-in Administrator account's password; the restore mode password is stored locally on the domain controller and is used to log on when the directory is offline.
Note: When prompted by a message box indicating that the wizard cannot contact the DNS server thathandles the domain, click OK. The Active Directory installation process will install and configure DNS as a part
of the process.
Contoso example: Installing Active Directory on the first forest root domain controller
Install Active Directory on the first forest root domain controller in the Contoso example by using the processdescribed above and the information provided in Table 12.
Table 12 Information for Installing Active Directory in the Contoso Example
When Prompted For In Contoso use In Trey Research use
parent_domain contoso.com treyresearch.net
forest_root_domain concorp.contoso.com trccorp.treyresearch.net
strong_password Y7#Es-3t OJ2-1Yz8
Verify the Active Directory Installation
After you run the Active Directory Installation Wizard to install Active Directory, verify the Active Directory
installation.
To verify the Active Directory installation on the first forest root domain controller in your environment
1. Review the Windows 2000 event log for any errors.
2. From a command prompt, run Dcdiag.exe and review any errors that are reported.
3. Run Task Manager to confirm that processor and memory usage are within acceptable limits.
Contoso example: Verifying the Active Directory installation on the first forest root domain controller
Verify Active Directory on the first forest root domain controller in the Contoso example by using the process described above on:
• SEA-CON-DC-01.concorp.contoso.com
• REN-TRC-DC-01.trccorp.treyresearch.net
Configure DNS Server Recursive Name Resolution
Configure DNS server recursive name resolution based on the recursive name resolution method specified inthe DNS design worksheet provided by your design team. Configure DNS server recursive name resolution by
using the DNS snap-in of Microsoft Management Console (MMC) or Dnscmd.exe.
Note: While running the Active Directory Installation Wizard, if your organization has an existing DNSinfrastructure, ensure that the Preferred DNS server setting is properly configured. When the Active Directory
Installation Wizard finds no existing DNS infrastructure, the wizard automatically creates a new root zone.Subsequently, delete the new root zone, and manually configure a recursive name resolution method.
To configure DNS server recursive name resolution on the first forest root domain controller in yourenvironment
1. Use the DNS snap-in to configure DNS server recursive name resolution based on the information in Table 13.
Table 13 Information to Configure DNS Server Recursive Name Resolution
Method: Configuration
Recursive name resolution by root hints: No additional configuration is necessary. When the DNS server specified as the Preferred DNS server during the installation process is properly configured, the root hints are configured automatically. To verify the root hints by using the DNS snap-in: in the console tree, right-click computer_name (where computer_name is the name of the domain controller), and then click Properties. In the computer_name Properties dialog box, on the Root Hints page, view the root hints.
Recursive name resolution by forwarding: Forward unresolved queries to dns_server (where dns_server is the DNS server, or nearest replica, from which the forest root domain is delegated). See the DNS worksheet provided by your design team for the DNS server. To configure forwarding by using the DNS snap-in: in the console tree, right-click computer_name (where computer_name is the computer name of the domain controller), and then click Properties. In the computer_name Properties dialog box, on the Forwarders page, select the Enable forwarders check box. In the IP address box, type ip_address (where ip_address is the IP address of the DNS server or nearest replica from which the forest root domain is delegated), click Add, and then click OK.
No existing DNS infrastructure: No additional configuration is necessary. When no DNS infrastructure previously exists, the forest root domain controllers are the root servers for DNS.
2. From a command prompt, type nslookup parent_domain (where parent_domain is the fully qualified domain name of the forest root domain's parent domain).
3. From a command prompt, type nslookup forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).
4. From a command prompt, type nslookup computer_name.forest_root_domain (where computer_name is the computer name of the first forest root domain controller and forest_root_domain is the fully qualified domain name of the forest root domain).
Successful completion of all three nslookup commands verifies that recursive name resolution is properly configured: step 2 exercises the forwarder or root hints, and steps 3 and 4 confirm that the server answers for the new forest root zone.
Contoso example: Configuring DNS server recursive name resolution on the first forest root domaincontroller
The existing DNS servers in Contoso perform DNS recursive name resolution by using DNS forwarding.
Configure DNS server recursive name resolution on the first forest root domain controller in the Contosoexample by using the process described above and the information provided in Table 14.
Table 14 Information for Configuring DNS Server Recursive Name Resolution in the Contoso Example
When Prompted For In Contoso use In Trey Research use
computer_name SEA-CON-DC-01 REN-TRC-DC-01
dns_server 172.16.4.10 172.16.4.10
parent_domain contoso.com treyresearch.net
forest_root_domain concorp.contoso.com trccorp.treyresearch.net
Delegate _msdcs Zone
After you configure the DNS settings on the forest root domain controllers, you are ready to delegate the _msdcs zone. Delegate the _msdcs zone by using the DNS snap-in in the Microsoft Management Console (MMC) or Dnscmd.exe.
Deployment Best Practice
Replicate the _msdcs zone to the DNS servers running on every domain controller in the forest. The _msdcs
zone contains the forest-wide locator records. The forest-wide locator records are used by domain controllersto find replication partners and by clients to find global catalog servers.
To delegate the _msdcs zone for the forest root domain in your environment
1. Start an instance of the Microsoft Management Console (MMC) and include the DNS snap-in.
2. In the console tree, delete the _msdcs folder beneath the forest_root_domain zone (where forest_root_domain is the name of the forest root domain). The name must be free before it can be delegated; the records are re-created in the new zone when you restart Netlogon in step 12.
3. In the console tree, right-click the forest_root_domain zone (where forest_root_domain is the name of the forest root domain), and then click New Delegation.
4. Complete the New Delegation Wizard by using the information supplied in Table 15. Accept the default settings when no information is supplied.
Table 15 Information for Delegating a DNS Domain
Wizard Page: Action
Delegated Domain Name: In the Delegated Domain box, type _msdcs.
Name Servers: Click Add. In the New Resource Record dialog box, in the Server name box, type first_domain_controller.forest_root_domain (where forest_root_domain is the name of the forest root domain and first_domain_controller is the name of the first forest root domain controller). In the IP address box, type first_ip_address (where first_ip_address is the corresponding IP address of the first forest root domain controller), click Add, and then click OK.
5. In the console tree, right-click first_domain_controller (where first_domain_controller is the name of the first forest root domain controller), and then click New Zone.
6. Complete the New Zone Wizard by using the information supplied in Table 29. Accept the default settings when no information is supplied.
Table 29 Information for Creating the _msdcs Zone
Wizard Page: Action
Zone Type: Click Active Directory-integrated.
Forward or Reverse Lookup Zone: Click Forward lookup zone.
Zone Name: In the Name box, type _msdcs.forest_root_domain (where forest_root_domain is the name of the forest root domain).
7. In the console tree, right-click the _msdcs.forest_root_domain zone (where forest_root_domain is the name of the forest root domain), and then click Properties.
8. In the _msdcs.forest_root_domain Properties dialog box, on the General page, click Aging.
9. In the Zone Aging/Scavenging Properties dialog box, select the Scavenge stale resource records check box, and then click OK. Scavenging removes records only when it is also enabled on the server itself, and the no-refresh and refresh intervals must be longer than the interval at which domain controllers re-register their locator records; otherwise valid records are removed.
10. In the _msdcs.forest_root_domain Properties dialog box, on the Zone Transfers page, select the Allow zone transfers check box. Limit transfers to the servers listed on the Name Servers page or to an explicit list of IP addresses rather than allowing any server; an unrestricted zone transfer hands the complete list of domain controllers and global catalog servers to anyone who can reach the DNS port.
11. In the _msdcs.forest_root_domain Properties dialog box, click OK.
12. Restart the Netlogon service by using the Computer Management console. Restarting the Netlogon service forces the domain controller to register its records in the _msdcs.forest_root_domain zone (where forest_root_domain is the name of the forest root domain).
Contoso example: Delegating the _msdcs zone for the forest root domain
Delegate the _msdcs zone for the first forest root domain controller in the Contoso example by using theprocess described above and the information provided in Table 16.
Table 16 Information for Delegating the _msdcs Zone in the Contoso Example
When Prompted For In Contoso use In Trey Research use
forest_root_domain concorp.contoso.com trccorp.treyresearch.net
first_domain_controller SEA-CON-DC-01 REN-TRC-DC-01
first_ip_address 172.16.16.21 172.16.20.13
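The records that the Netlogon restart in step 12 registers can be checked rather than assumed. The following Python script is an added example; it is not part of this guide or of any Microsoft tool. It lists the _msdcs records a Windows 2000 forest root domain controller registers (the DSA GUID CNAME that replication partners use, the gc records that clients use, the dc and pdc SRV records, and the per-domain GUID record) and compares them with a zone listing of the kind dnscmd /zoneprint produces. The zone listing, the DSA GUID and the domain GUID below are constructed for illustration; SEA-CON-DC-01 is assumed to be in Default-First-Site-Name, to be a global catalog server and to hold the PDC emulator role, as the first domain controller in a forest does by default.

```python
"""Check that a forest root domain controller's locator records exist in
the delegated _msdcs zone.  Added example; the zone listing and GUIDs are
constructed, not taken from a real forest."""

FOREST = "concorp.contoso.com"
DC_FQDN = "SEA-CON-DC-01.concorp.contoso.com"
DC_IP = "172.16.16.21"
SITE = "Default-First-Site-Name"
DSA_GUID = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"     # constructed
DOMAIN_GUID = "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d"  # constructed


def expected_msdcs_records(forest, dc_fqdn, dc_ip, dsa_guid, domain_guid,
                           site, is_gc, is_pdc):
    """Return the set of (owner, type, target) tuples Netlogon registers
    under _msdcs.<forest> for one domain controller of the forest root
    domain.  Names are lower-cased without a trailing period so they can
    be compared with a parsed zone listing."""
    msdcs = f"_msdcs.{forest.lower()}"
    dc = dc_fqdn.lower()
    site = site.lower()
    records = {
        # Replication partners resolve a DC by its DSA GUID, not its name.
        (f"{dsa_guid}.{msdcs}", "CNAME", dc),
        # The domain located by its GUID.
        (f"_ldap._tcp.{domain_guid}.domains.{msdcs}", "SRV", dc),
        # Domain controller locator records; for the forest root domain
        # these live in the same _msdcs zone as the forest-wide ones.
        (f"_ldap._tcp.dc.{msdcs}", "SRV", dc),
        (f"_kerberos._tcp.dc.{msdcs}", "SRV", dc),
        (f"_ldap._tcp.{site}._sites.dc.{msdcs}", "SRV", dc),
        (f"_kerberos._tcp.{site}._sites.dc.{msdcs}", "SRV", dc),
    }
    if is_gc:
        # Clients find global catalog servers through these.
        records |= {
            (f"gc.{msdcs}", "A", dc_ip),
            (f"_ldap._tcp.gc.{msdcs}", "SRV", dc),
            (f"_ldap._tcp.{site}._sites.gc.{msdcs}", "SRV", dc),
        }
    if is_pdc:
        records.add((f"_ldap._tcp.pdc.{msdcs}", "SRV", dc))
    return records


def parse_zone_listing(text):
    """Parse 'owner TYPE rdata...' lines into (owner, type, target)
    tuples, keeping only the host or address at the end of the rdata."""
    present = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(";"):
            continue
        owner, rtype, target = fields[0], fields[1].upper(), fields[-1]
        present.add((owner.rstrip(".").lower(), rtype,
                     target.rstrip(".").lower()))
    return present


def missing_locator_records(zone_listing, expected):
    """Records the DC should have registered but that the zone lacks."""
    return sorted(expected - parse_zone_listing(zone_listing))


# Constructed listing of _msdcs.concorp.contoso.com after the Netlogon
# restart.  The gc A record is deliberately absent to show a partial
# registration being caught.
ZONE_AFTER_RESTART = """
_msdcs.concorp.contoso.com. SOA SEA-CON-DC-01.concorp.contoso.com. hostmaster.concorp.contoso.com. 5 900 600 86400 3600
_msdcs.concorp.contoso.com. NS SEA-CON-DC-01.concorp.contoso.com.
3f2504e0-4f89-41d3-9a0c-0305e82c3301._msdcs.concorp.contoso.com. CNAME SEA-CON-DC-01.concorp.contoso.com.
_ldap._tcp.9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d.domains._msdcs.concorp.contoso.com. SRV 0 100 389 SEA-CON-DC-01.concorp.contoso.com.
_ldap._tcp.dc._msdcs.concorp.contoso.com. SRV 0 100 389 SEA-CON-DC-01.concorp.contoso.com.
_kerberos._tcp.dc._msdcs.concorp.contoso.com. SRV 0 100 88 SEA-CON-DC-01.concorp.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.concorp.contoso.com. SRV 0 100 389 SEA-CON-DC-01.concorp.contoso.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.concorp.contoso.com. SRV 0 100 88 SEA-CON-DC-01.concorp.contoso.com.
_ldap._tcp.gc._msdcs.concorp.contoso.com. SRV 0 100 3268 SEA-CON-DC-01.concorp.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.concorp.contoso.com. SRV 0 100 3268 SEA-CON-DC-01.concorp.contoso.com.
_ldap._tcp.pdc._msdcs.concorp.contoso.com. SRV 0 100 389 SEA-CON-DC-01.concorp.contoso.com.
"""

EXPECTED_DC01 = expected_msdcs_records(FOREST, DC_FQDN, DC_IP, DSA_GUID,
                                       DOMAIN_GUID, SITE, is_gc=True, is_pdc=True)

if __name__ == "__main__":
    for owner, rtype, target in missing_locator_records(ZONE_AFTER_RESTART, EXPECTED_DC01):
        print(f"missing: {owner} {rtype} {target}")
```

Run it against a real listing by replacing ZONE_AFTER_RESTART with the output of dnscmd for the _msdcs zone and the GUIDs with the values shown in the Active Directory Sites and Services snap-in for the server's NTDS Settings object; a missing CNAME or gc record is the usual cause of a new domain controller that cannot find replication partners or of clients that cannot find a global catalog.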
Deploying an Additional Domain Controller in the Same Site
After you deploy the first forest root domain controller, deploy an additional forest root domain controller in the
same site in the event the first forest root domain controller fails.
To deploy an additional forest root domain controller in the same site:
1. Install Windows 2000.
2. Install Active Directory.
3. Verify the Active Directory installation.
4. Configure DNS server recursive name resolution.
5. Modify the DNS client settings on the first domain controller.
6. Update the DNS delegation.
Install Windows 2000
The first step in deploying an additional forest root domain controller in the same site is to install Windows 2000 on the computer that you want to make the domain controller.
Note: You can automate the installation of Windows 2000 by using Sysprep.exe, unattended installation, orany disk imaging method.
To install Windows 2000 on the additional domain controller in your environment
Install Windows 2000 on the additional domain controller in the primary site of your forest root domain byusing the information listed in Table 17.
Table 17 Information for Installing Windows 2000 on the Additional Domain Controller in the Forest Root
When Prompted For: Use
Format partitions: NTFS
Computer name: computer_name (where computer_name is the computer name of the additional forest root domain controller).
IP address: ip_address (where ip_address is the fixed IP address that you assign to the additional forest root domain controller).
Subnet mask: subnet_mask (where subnet_mask is the subnet mask that you assign to the additional forest root domain controller).
Administrator password: strong_password (where strong_password is any strong password).
Networking components: DNS; Internet Protocol (TCP/IP).
Primary WINS server: primary_wins_server (where primary_wins_server is the IP address of the existing primary WINS server, or leave blank if there is no existing WINS infrastructure).
Secondary WINS server: secondary_wins_server (where secondary_wins_server is the IP address of another existing WINS server, or leave blank if there is no existing WINS infrastructure).
Preferred DNS server: preferred_dns_server (where preferred_dns_server is the IP address of the first forest root domain controller).
Alternate DNS server: alternate_dns_server (where alternate_dns_server is the IP address of this domain controller).
Note: Ensure that you configure the first forest root domain controller as the Preferred DNS server and the additional domain controller as the Alternate DNS server. For another forest root domain controller to receive its DNS registration, each forest root domain controller must point its Preferred DNS server setting to another forest root domain controller. Configuring DNS in this manner avoids the "Island of Isolation" problem. For more information about this topic, see Active Directory Branch Office Planning Guide at http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adplan/default.mspx - section10.
Contoso example: Installing Windows 2000 on the additional forest root domain controller
Install Windows 2000 on the additional forest root domain controller in the primary site for Contoso by usingthe process described above and the information provided in Table 18.
Table 18 Information for Installing Windows 2000 in the Contoso Example
When Prompted For In Contoso use In Trey Research use
computer_name SEA-CON-DC-02 REN-TRC-DC-02
ip_address 172.16.16.22 172.16.20.14
subnet_mask 255.255.252.0 255.255.252.0
strong_password Y7#Es-3t OJ2-1Yz8
primary_wins_server 172.16.12.15 172.16.48.15
preferred_dns_server 172.16.16.21 172.16.20.13
alternate_dns_server 172.16.16.22 172.16.20.14
Install Active Directory
Install Active Directory on the computer that you want to make the additional forest root domain controller by
running the Active Directory Installation Wizard (Dcpromo.exe).
The Active Directory Installation Wizard:
• Creates the Active Directory database.
• Initializes the directory data in the database.
• Creates an Active Directory-integrated zone for the forest root domain.
Note: When your organization has no existing DNS infrastructure, the Active Directory Installation Wizard automatically creates an internal root zone (expressed as "."). The new root zone acts as the authoritative root for your organization.
To install Active Directory on the additional forest root domain controller in your environment
1. Install Active Directory on the additional domain controller in the primary site by running the Active Directory Installation Wizard and by using the information provided in Table 19 to complete the wizard. Accept default settings when no information is specified.
Table 19 Information for Installing Active Directory on the Additional Domain Controller
Wizard Page: Action
Domain Controller Type: Click Additional domain controller for an existing domain.
Network Credentials: In the User name box, type user_name (where user_name is the name of an account that is a member of the Enterprise Admins group). In the Password box, type password (where password is the password of that account). In the Domain box, type forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).
Additional Domain Controller: Click Browse. In the Browse for Domain dialog box, click forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain), and then click OK.
Directory Services Restore Mode Administrator Password: In the Password and Confirm password boxes, type strong_password (where strong_password is any strong password).
Contoso example: Installing Active Directory on the additional domain controller
Install Active Directory on the additional forest root domain controller in the primary site for the Contosoexample by using the process described above and the information provided in Table 20.
Table 20 Information for Installing Active Directory in the Contoso Example
When Prompted For In Contoso use In Trey Research use
parent_domain contoso.com treyresearch.net
forest_root_domain concorp.contoso.com trccorp.treyresearch.net
first_forest_domain_controller SEA-CON-DC-01 REN-TRC-DC-01
user_name Administrator Administrator
password U9#7Kp- Rw36-R5
strong_password Y7#Es-3t OJ2-1Yz8
Verify the Active Directory Installation
After you run the Active Directory Installation Wizard to install Active Directory, verify the Active Directory
installation.
To verify the Active Directory installation on the additional forest root domain controller in your environment
1. Review the Windows 2000 event log for any errors.
2. From a command prompt, run Dcdiag.exe and review any errors that are reported.
3. Run Task Manager to confirm that processor and memory usage are within acceptable limits.
Contoso example: Verifying the Active Directory installation on the additional forest root domain controller
Verify Active Directory on the additional forest root domain controller in the Contoso example by using the process described above on:
• SEA-CON-DC-02.concorp.contoso.com
• REN-TRC-DC-02.trccorp.treyresearch.net
Configure DNS Server Recursive Name Resolution
Configure DNS server recursive name resolution based on the recursive name resolution method specified inthe DNS design worksheet provided by your design team. Configure DNS server recursive name resolution byusing the DNS snap-in of Microsoft Management Console (MMC) or Dnscmd.exe.
Note: While running the Active Directory Installation Wizard, if your organization has an existing DNSinfrastructure, ensure that the Preferred DNS server setting is properly configured. When the Active DirectoryInstallation Wizard finds no existing DNS infrastructure, the wizard automatically creates a new root zone.
Subsequently, delete the new root zone, and manually configure a recursive name resolution method.
To configure DNS server recursive name resolution on the additional forest root domain controller
in your environment
1. Use the DNS snap-in to configure DNS server recursive name resolution based on the information in Table 21.
Table 21 Information to Configure DNS Server Recursive Name Resolution
Method: Configuration
Recursive name resolution by root hints: No additional configuration is necessary. When the DNS server specified as the Preferred DNS server during the installation process is properly configured, the root hints are configured automatically. To verify the root hints by using the DNS snap-in: in the console tree, right-click computer_name (where computer_name is the name of the domain controller), and then click Properties. In the computer_name Properties dialog box, on the Root Hints page, view the root hints.
Recursive name resolution by forwarding: Forward unresolved queries to ip_address (where ip_address is the IP address of the DNS server, or nearest replica, from which the forest root domain is delegated). See the DNS worksheet provided by your design team for the DNS server. To configure forwarding by using the DNS snap-in: in the console tree, right-click computer_name (where computer_name is the computer name of the domain controller), and then click Properties. In the computer_name Properties dialog box, on the Forwarders page, select the Enable forwarders check box. In the IP address box, type ip_address (where ip_address is the IP address of the DNS server or nearest replica from which the forest root domain is delegated), click Add, and then click OK.
No existing DNS infrastructure: No additional configuration is necessary. When no DNS infrastructure previously exists, the forest root domain controllers are the root servers for DNS.
Contoso example: Configuring DNS server recursive name resolution on the additional forest rootdomain controller
The existing DNS servers in Contoso perform DNS recursive name resolution by using DNS forwarding.
Configure DNS server recursive name resolution on the additional forest root domain controller in the Contoso example by using the process described above and the information provided in Table 22.
Table 22 Information for Configuring DNS Server Recursive Name Resolution in the Contoso Example
When Prompted For In Contoso use In Trey Research use
computer_name SEA-CON-DC-02 REN-TRC-DC-02
ip_address 172.16.4.10 172.16.4.10
Modifying the DNS Client Settings Of The First Domain Controller
After you configure DNS server recursive name resolution, you are ready to modify the DNS client settings on
the first forest root domain controller. Since no other domain controllers were running when you deployed thefirst forest root domain controller, modify the DNS client settings on the first forest root domain controller to
include the additional domain controller.
Deployment Best Practice
When a forest root domain controller is configured to use the DNS server on the domain controller as the
Preferred DNS server, the domain controller can become isolated from other forest root domain controllers.The domain controller can become isolated from other domain controllers because the domain controller
registers only with the DNS server on the domain controller.
To prevent forest root domain controllers from becoming isolated from the other forest root domain controllers,configure the Preferred DNS server setting to point to another forest root domain controller and the Alternate
DNS server setting to the DNS server running locally on the domain controller.
The domain controller isolation problem, also known as the "Island of Isolation," can only occur on forest root
domain controllers. For more information about this topic, see Active Directory Branch Office Planning Guide.
To configure the DNS client settings on the first domain controller in your environment
1. Configure the Preferred DNS server setting to another_domain_controller(whereanother_domain_controlleris the IP address of another forest root domain controller).
2. Configure the Alternate DNS server setting to first_domain_controller(wherefirst_domain_controlleris the IP address of the first forest root domain controller).
Contoso example: Configuring the DNS client settings on the first domain controller
Configure the DNS client settings on the first forest root domain controller in the primary site for the Contosoexample by using the process described above and the information provided in Table 23.
Table 23 Information for Configuring DNS Client Settings in the Contoso Example
When Prompted For In Contoso use In Trey Research use
another_domain_controller 172.16.16.22 172.16.20.14
first_domain_controller 172.16.16.21 172.16.20.13
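The island configuration described in the best practice above is easy to reintroduce later, for example when a forest root domain controller is re-addressed. The following Python check is an added example and is not part of this guide; it applies the two rules stated above (Preferred DNS server points to another forest root domain controller, Alternate DNS server points to the local server) to a table of forest root domain controllers. The settings are constructed from the Contoso values in this section: the "before" state has SEA-CON-DC-01 still pointing at itself, which is how the first domain controller is left after the wizard installs DNS on it, and the "after" state reflects Table 23.

```python
"""Detect the "Island of Isolation" DNS client configuration on forest
root domain controllers.  Added example, not part of the guide; the
settings below are constructed from the Contoso values in this section."""


def check_forest_root_dns_clients(dcs):
    """dcs maps each forest root domain controller name to a dict with its
    'ip', 'preferred' and 'alternate' DNS client settings.  Returns a list
    of findings; an empty list means every DC registers its records with
    another forest root DC and keeps its own DNS server as fallback only."""
    root_ips = {d["ip"] for d in dcs.values()}
    findings = []
    for name, d in sorted(dcs.items()):
        if d["preferred"] == d["ip"]:
            # The DC registers its records only in its local copy of the
            # zone; if its address changes, no other DC learns the new one.
            findings.append(f"{name}: Preferred DNS server is itself (island)")
        elif d["preferred"] not in root_ips:
            findings.append(f"{name}: Preferred DNS server {d['preferred']} is not a "
                            "forest root domain controller")
        if d["alternate"] != d["ip"]:
            findings.append(f"{name}: Alternate DNS server should be the local "
                            f"DNS server {d['ip']}")
    return findings


# Constructed: state before the DNS client settings on the first domain
# controller are modified.
BEFORE = {
    "SEA-CON-DC-01": {"ip": "172.16.16.21", "preferred": "172.16.16.21", "alternate": ""},
    "SEA-CON-DC-02": {"ip": "172.16.16.22", "preferred": "172.16.16.21", "alternate": "172.16.16.22"},
}

# Constructed: state after Table 23 is applied.
AFTER = {
    "SEA-CON-DC-01": {"ip": "172.16.16.21", "preferred": "172.16.16.22", "alternate": "172.16.16.21"},
    "SEA-CON-DC-02": {"ip": "172.16.16.22", "preferred": "172.16.16.21", "alternate": "172.16.16.22"},
}

if __name__ == "__main__":
    for label, dcs in (("before", BEFORE), ("after", AFTER)):
        print(label, check_forest_root_dns_clients(dcs) or ["ok"])
```

While only one forest root domain controller exists, the first finding is unavoidable; the check is meant to be run once the second domain controller is in place and again after any change to a forest root domain controller's addressing.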
Updating the DNS Delegation
After you modify the DNS Client settings on the first forest root domain controller in the primary site, you are
ready to update the DNS delegation for the forest root domain.
To update the DNS delegation records for the additional domain controller in your environment
1. Create a name server (NS) resource record in the parent_domain zone file (where parent_domain is the fully qualified domain name of the forest root domain's parent domain):
forest_root_domain. IN NS computer_name.forest_root_domain.
(where forest_root_domain is the fully qualified domain name of the forest root domain and computer_name is the computer name of the additional domain controller; the trailing period makes each name absolute).
2. Create a host address (A) resource record for that name server in the same parent_domain zone file:
computer_name.forest_root_domain. IN A ip_address
(where ip_address is the IP address of the additional domain controller).
The A record is the glue record for the new name server; without it, a resolver that picks the new NS record has no way to reach the server. The NS and A records for the first forest root domain controller remain in place, so the parent zone now lists both domain controllers as name servers for the forest root domain.
Contoso example: Updating the DNS delegation records for the additional domain controller
Update the DNS delegation records for the additional forest root domain controller in the Contoso example by using the process described above and the information provided in Table 24.
Table 24 Information for Updating DNS Delegation in the Contoso Example
When Prompted For    In Contoso use        In Trey Research use
parent_domain        contoso.com           treyresearch.net
forest_root_domain   concorp.contoso.com   trccorp.treyresearch.net
computer_name        SEA-CON-DC-02         REN-TRC-DC-02
ip_address           172.16.16.22          172.16.20.14
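The NS record and its glue A record above must be consistent, or the delegation is lame: a name server whose name lies inside the child zone can only be resolved through the delegation itself. The following added example (not the guide's own code) builds the two records for an additional forest root domain controller and checks a parent zone for NS targets without glue; the contoso.com zone text is a constructed sample, and forest_root_domain is taken as the child zone's fully qualified name as in Table 24.

```python
"""Added example, not from the guide: build the NS and glue A records that the
delegation procedure adds to the parent zone, and check a parent zone for
NS targets that lack glue. The zone text below is a constructed sample."""
import ipaddress


def delegation_records(parent_domain, forest_root_domain, computer_name, ip_address):
    """Return the two zone-file lines for one additional forest root DC.
    forest_root_domain is the child zone's FQDN (e.g. concorp.contoso.com)."""
    ipaddress.ip_address(ip_address)          # reject a malformed address early
    parent = parent_domain.strip(".").lower()
    child = forest_root_domain.strip(".").lower()
    if not child.endswith("." + parent):
        raise ValueError(f"{child} is not a child of {parent}")
    fqdn = f"{computer_name}.{child}".lower()
    return [
        f"{child}. IN NS {fqdn}.",            # delegation in the parent zone
        f"{fqdn}. IN A {ip_address}",         # glue so the NS name resolves
    ]


def parse_zone(zone_text):
    """Parse simplified 'owner IN TYPE rdata' lines; ';' starts a comment."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(maxsplit=3)
        records.append((owner.rstrip(".").lower(), rtype.upper(),
                        rdata.rstrip(".").lower()))
    return records


def check_delegation(zone_text, child_zone):
    """Return a list of problems with the delegation of child_zone."""
    child = child_zone.strip(".").lower()
    records = parse_zone(zone_text)
    ns_targets = [rd for own, rt, rd in records if own == child and rt == "NS"]
    a_owners = {own for own, rt, _ in records if rt == "A"}
    problems = []
    if not ns_targets:
        problems.append(f"no NS records delegate {child}")
    for target in ns_targets:
        # A name server inside the child zone can only be resolved through
        # this very delegation, so the parent zone must carry a glue A record.
        in_child = target == child or target.endswith("." + child)
        if in_child and target not in a_owners:
            problems.append(f"NS {target} has no glue A record in the parent zone")
    return problems


# Constructed sample of the contoso.com parent zone before the second DC is added.
CONTOSO_ZONE = """
; constructed sample, not a real zone file
contoso.com.                        IN SOA ns1.contoso.com. hostmaster.contoso.com. 1 3600 600 86400 300
contoso.com.                        IN NS  ns1.contoso.com.
ns1.contoso.com.                    IN A   172.16.4.10
concorp.contoso.com.                IN NS  sea-con-dc-01.concorp.contoso.com.
sea-con-dc-01.concorp.contoso.com.  IN A   172.16.16.21
"""
```

Appending only the NS line for SEA-CON-DC-02 makes the check report missing glue; appending both lines clears it.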
Configuring Site Topology
After deploying the additional domain controller in the forest root domains, you are ready to configure the site topology for each forest. The site topology owner configures the sites and site topology.
To configure the site topology:
1. Delegate Active Directory site topology administration.
2. Create the Active Directory sites.
3. Create and assign the subnets in Active Directory.
4. Create the Active Directory site links.
Delegate Active Directory Site Topology Administration
Configuring the sites and site topology for each forest starts when the forest owner delegates administration of the Active Directory sites and site topology to the site topology owner.
To delegate Active Directory site topology administration in your environment
1. Create a user named SiteTopologyOwner in the default Users container, in the forest root domain.
2. Create a global group named SiteAdmins in the default Users container, in the forest root domain.
3. Assign SiteTopologyOwner to the SiteAdmins global group.
4. In the Active Directory Sites and Services snap-in, right-click the Sites node, and then click Delegate Control.
5. Complete the Delegation of Control Wizard by using the information supplied in Table 25. Select the default configuration when no information is supplied.
Table 25 Information for Delegating the Administration of Site Topology
Wizard Page       Action
Users or Groups   Click Add.
                  In the Select Users, Computers, or Groups dialog box, click SiteAdmins, click Add, and then click OK.
Permissions       Select the Full Control check box.
Contoso example: Delegating Active Directory site topology administration
Delegate Active Directory site topology administration by following the deployment process in the previous section for the following Active Directory forests:
• concorp.contoso.com
• trccorp.treyresearch.net
Create Active Directory Sites
The first step in configuring the sites and site topology for each forest is to create the Active Directory sites. The directory planner, site topology owner, and network group determine the sites to create. Create Active Directory sites by using the Active Directory Sites and Services snap-in.
To create the Active Directory sites in your environment
1. Review the site topology design worksheet provided by your design team, focusing on the sites section of the worksheet.
2. Create the sites specified in the site topology worksheet.
Contoso example: Creating the Active Directory sites
1. Identify the Contoso locations, Trey Research locations, and the primary communication links between locations as shown in Figure 9 and listed in Table 26.
Figure 9: Map Of Contoso locations and communications links
Table 26 Links Between Locations And The Available Data Rate
Location        Linked Location   Link Type                                Available Data Rate
Seattle         Boston            ISDN (128.8 Kbps)                        No more than 56 Kbps.
Seattle         Vancouver         T1 (1.544 megabits per second (Mbps))    No more than 44 Kbps.
Seattle         Montreal          ISDN (128.8 Kbps)                        No more than 26 Kbps.
Seattle         Milan             T1 (1.544 Mbps)                          No more than 150 Kbps, but with 450-millisecond latency.
Seattle         Renton            DSL (700 Kbps)                           No more than 500 Kbps.
Seattle         Atlanta           T1 (1.544 Mbps)                          No more than 60 Kbps.
Seattle         Hong Kong SAR     T1 (1.544 Mbps)                          No more than 200 Kbps, but with 450-millisecond latency.
Milan           Seville           ISDN (128.8 Kbps)                        No more than 56 Kbps.
Hong Kong SAR   Tokyo             ISDN (128.8 Kbps)                        No more than 56 Kbps.
2. Create the sites based on the information in Table 27 and Table 28. The information in Table 27 and Table 28 was summarized from the site topology worksheet.
Table 27 Sites to Create and the Locations in the Contoso Forest
Create This Site Which Includes This Location
Seattle Seattle
Boston Boston
Vancouver Vancouver
Montreal Montreal
Milan Milan
Seville Seville
HongKong Hong Kong SAR
Tokyo Tokyo
Table 28 Sites to Create and the Locations in the Trey Research Forest
Create This Site Which Includes This Location
Renton Renton
Atlanta Atlanta
Create and Assign Active Directory Subnets
The next step in configuring the sites and site topology for each forest is to create the Active Directory subnets and assign them to Active Directory sites. The directory planner, site topology owner, and network group determine the subnets that you create. Create Active Directory subnets by using the Active Directory Sites and Services snap-in.
To create and assign Active Directory subnets in your environment
1. Review the site topology design worksheet provided by your design team, focusing on the subnets section of the worksheet.
2. Create the Active Directory subnets specified in the site topology worksheet and assign the Active Directory subnet to the appropriate site.
Contoso example: Creating and assigning Active Directory subnets
1. Identify the IP subnets that exist within each location based on the information in Table 29 and Table 30. The information in Table 29 and Table 30 was summarized from the site topology worksheet.
Table 29 Locations and IP Subnets Within Each Contoso Location
Location        IP Subnets Within the Location
Seattle         172.16.4.0/22, 172.16.8.0/22, 172.16.24.0/22, 172.16.28.0/22, 172.16.32.0/22, 172.16.36.0/22, 172.16.40.0/22
Boston          172.16.52.0/22, 172.16.56.0/22
Vancouver       172.16.44.0/22, 172.16.48.0/22
Montreal        172.16.60.0/22, 172.16.64.0/22
Milan           172.16.128.0/22, 172.16.132.0/22, 172.16.136.0/22
Seville         172.16.160.0/22, 172.16.164.0/22
Hong Kong SAR   172.16.84.0/22, 172.16.88.0/22, 172.16.92.0/22
Tokyo           172.16.76.0/22, 172.16.78.0/22
Table 30 Locations and IP Subnets Within Each Trey Research Location
Location   IP Subnets Within the Location
Renton     172.16.12.0/22, 172.16.16.0/22, 172.16.20.0/22
Atlanta    172.16.116.0/22, 172.16.120.0/22, 172.16.124.0/22
2. Create the Active Directory subnets in the Contoso forest and the Trey Research forest by using the Active Directory Sites and Services snap-in and the information listed in Table 31 and Table 32.
Table 31 Active Directory Subnets and IP Subnets in the Contoso Forest
Site Active Directory Subnet Address Mask
Seattle 172.16.4.0/22 172.16.4.0 255.255.252.0
172.16.8.0/22 172.16.8.0 255.255.252.0
172.16.24.0/22 172.16.24.0 255.255.252.0
172.16.28.0/22 172.16.28.0 255.255.252.0
172.16.32.0/22 172.16.32.0 255.255.252.0
172.16.36.0/22 172.16.36.0 255.255.252.0
172.16.40.0/22 172.16.40.0 255.255.252.0
Boston 172.16.52.0/22 172.16.52.0 255.255.252.0
172.16.56.0/22 172.16.56.0 255.255.252.0
Vancouver 172.16.44.0/22 172.16.44.0 255.255.252.0
172.16.48.0/22 172.16.48.0 255.255.252.0
Montreal 172.16.60.0/22 172.16.60.0 255.255.252.0
172.16.64.0/22 172.16.64.0 255.255.252.0
Milan 172.16.128.0/22 172.16.128.0 255.255.252.0
172.16.132.0/22 172.16.132.0 255.255.252.0
172.16.136.0/22 172.16.136.0 255.255.252.0
Seville 172.16.160.0/22 172.16.160.0 255.255.252.0
172.16.164.0/22 172.16.164.0 255.255.252.0
HongKong 172.16.84.0/22 172.16.84.0 255.255.252.0
172.16.88.0/22 172.16.88.0 255.255.252.0
172.16.92.0/22 172.16.92.0 255.255.252.0
Tokyo 172.16.76.0/22 172.16.76.0 255.255.252.0
Table 32 Active Directory Subnets and IP Subnets in the Trey Research Forest
Site Active Directory Subnet Address Mask
Renton 172.16.12.0/22 172.16.12.0 255.255.252.0
172.16.16.0/22 172.16.16.0 255.255.252.0
172.16.20.0/22 172.16.20.0 255.255.252.0
Atlanta 172.16.116.0/22 172.16.116.0 255.255.252.0
172.16.120.0/22 172.16.120.0 255.255.252.0
172.16.124.0/22 172.16.124.0 255.255.252.0
Create Active Directory Site Links
The next step in configuring the sites and site topology for each forest is to create the Active Directory site links. The directory planner, site topology owner, and network group determine the site links that you create. Create Active Directory site links by using the Active Directory Sites and Services snap-in.
To create Active Directory site links in your environment
1. Review the site topology design worksheet provided by your design team, focusing on the site link section of the worksheet.
2. Create the Active Directory site links specified in the site topology worksheet.
Contoso example: Creating Active Directory site links
1. Identify the Contoso locations, Trey Research locations, and the primary communication links between locations as shown in Figure 10 and listed in Table 33.
Figure 10: Map Of Contoso locations and communications links
Table 33 Links Between Locations And The Available Data Rate
Location        Linked Location   Link Type                                Available Data Rate
Seattle         Boston            ISDN (128.8 Kbps)                        No more than 56 Kbps.
Seattle         Vancouver         T1 (1.544 megabits per second (Mbps))    No more than 44 Kbps.
Seattle         Montreal          ISDN (128.8 Kbps)                        No more than 26 Kbps.
Seattle         Milan             T1 (1.544 Mbps)                          No more than 150 Kbps, but with 450-millisecond latency.
Seattle         Renton            DSL (700 Kbps)                           No more than 500 Kbps.
Seattle         Atlanta           T1 (1.544 Mbps)                          No more than 60 Kbps.
Seattle         Hong Kong SAR     T1 (1.544 Mbps)                          No more than 200 Kbps, but with 450-millisecond latency.
Milan           Seville           ISDN (128.8 Kbps)                        No more than 56 Kbps.
Hong Kong SAR   Tokyo             ISDN (128.8 Kbps)                        No more than 56 Kbps.
2. Create the Active Directory site links in the Contoso forest and the Trey Research forest by using the Active Directory Sites and Services snap-in and the information listed in Table 34 and Table 35.
Table 34 Active Directory Site Links in the Contoso Forest
Link Site Site Cost
SEA-BOS Seattle Boston 586
SEA-VAN Seattle Vancouver 644
SEA-MON Seattle Montreal 798
SEA-MIL Seattle Milan 486
SEA-HKG Seattle HongKong 486
MIL-SEV Milan Seville 586
HKG-TOK HongKong Tokyo 586
Table 35 Active Directory Site Links in the Trey Research Forest
Link Site Site Cost
REN-ATL Renton Atlanta 567
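Subnet objects decide which site a client or domain controller belongs to, and site-link costs decide which route replication takes between sites. The following added example (not the guide's own code) uses the Contoso subnets from Table 31 and the site links from Table 34 to look up the site for an address and to find the lowest-cost route between two sites; the summed-cost rule is the one the intersite topology generator applies when site links are bridged, which is the default, and an address outside every listed subnet maps to no site at all.

```python
"""Added example, not from the guide: locate the site for an address with the
Table 31 subnets and find the lowest-cost route between sites with the
Table 34 site-link costs (Contoso forest only)."""
import heapq
import ipaddress

# Subnet objects and the sites they are assigned to, from Table 31.
CONTOSO_SUBNETS = {
    "Seattle": ["172.16.4.0/22", "172.16.8.0/22", "172.16.24.0/22", "172.16.28.0/22",
                "172.16.32.0/22", "172.16.36.0/22", "172.16.40.0/22"],
    "Boston": ["172.16.52.0/22", "172.16.56.0/22"],
    "Vancouver": ["172.16.44.0/22", "172.16.48.0/22"],
    "Montreal": ["172.16.60.0/22", "172.16.64.0/22"],
    "Milan": ["172.16.128.0/22", "172.16.132.0/22", "172.16.136.0/22"],
    "Seville": ["172.16.160.0/22", "172.16.164.0/22"],
    "HongKong": ["172.16.84.0/22", "172.16.88.0/22", "172.16.92.0/22"],
    "Tokyo": ["172.16.76.0/22"],
}

# Site links and costs from Table 34: (site, site, cost).
CONTOSO_SITE_LINKS = [
    ("Seattle", "Boston", 586), ("Seattle", "Vancouver", 644),
    ("Seattle", "Montreal", 798), ("Seattle", "Milan", 486),
    ("Seattle", "HongKong", 486), ("Milan", "Seville", 586),
    ("HongKong", "Tokyo", 586),
]


def site_for_address(ip, subnets=CONTOSO_SUBNETS):
    """Return the site whose most specific subnet contains ip, or None when
    no subnet object covers it (such a client gets no site affinity)."""
    addr = ipaddress.ip_address(ip)
    best = None                       # (prefix length, site)
    for site, nets in subnets.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, site)
    return best[1] if best else None


def cheapest_path(src, dst, links=CONTOSO_SITE_LINKS):
    """Dijkstra over bridged site links: the route with the lowest summed cost.
    Returns (cost, [sites]) or (None, []) when the sites are not connected."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {src: 0}
    queue = [(0, src, [src])]
    while queue:
        cost, site, path = heapq.heappop(queue)
        if site == dst:
            return cost, path
        if cost > best.get(site, float("inf")):
            continue                  # stale queue entry
        for nxt, link_cost in graph.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(queue, (new_cost, nxt, path + [nxt]))
    return None, []
```

Looking up 172.16.16.22 (a Renton address from the Trey Research forest) returns None because no Contoso subnet object covers it, which is the symptom to expect when a subnet is missing from the worksheet.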
Configuring Operations Master Roles
After creating the Active Directory site links, you are ready to configure the operations master roles for the domain controllers. By default, the first domain controller in the forest root is assigned all operations master roles. Transfer domain-wide operations master roles to the second domain controller in the forest root.
Deployment Best Practice
In Active Directory, the domain naming master operations master must be a global catalog server. However, the infrastructure master must not be a global catalog. As a result, it is not possible to have all operations master roles on the same domain controller. As a best practice, configure the forest-wide and domain-wide operations master roles for different domain controllers and monitor these domain controllers closely.
To configure the operations master roles for the domain controllers in your environment
1. Transfer the following domain-wide roles to second_domain_controller (where second_domain_controller is the name of the second forest root domain controller in the primary site) by using the Active Directory Users and Computers snap-in of Microsoft Management Console (MMC):
   • Primary domain controller (PDC) operations master
   • Relative ID (RID) pool master
   • Infrastructure master
2. Verify that the forest-wide roles listed in Table 36 are still on first_domain_controller (where first_domain_controller is the name of the first forest root domain controller in the primary site) by using the corresponding verification method.
Table 36 Forest-wide Operations Master Roles and Verification Methods
Operations Master Role   Verification Method
Schema master            Active Directory Schema snap-in of Microsoft Management Console (MMC)
Domain naming master     Active Directory Domains and Trusts snap-in of Microsoft Management Console (MMC)
For more information about verifying operations master roles, see Windows 2000 Server Help.
Contoso example: Configuring the operations master roles for the domain controllers
Configure the operations master roles for the domain controller in the Contoso example by using the process described above and the information provided in Table 37.
Table 37 Information for Configuring Operations Master Roles in the Contoso Example
When Prompted For In Contoso Use In Trey Research Use
first_domain_controller SEA-CON-DC-01 REN-TRC-DC-01
second_domain_controller SEA-CON-DC-02 REN-TRC-DC-02
Deploying Additional Domain Controllers in Other Sites
After you deploy the additional forest root domain controller in the same site, deploy additional forest root domain controllers in other sites.
To deploy additional forest root domain controllers in other sites:
1. Install Windows 2000.
2. Install Active Directory.
3. Verify the Active Directory installation.
4. Configure DNS server recursive name resolution.
5. Update the DNS delegation.
Install Windows 2000
The first step in deploying additional root domain controllers in other sites is to install Windows 2000 on the computers that you want to make the domain controllers.
To install Windows 2000 on the additional domain controllers in your environment
Install Windows 2000 on the additional domain controllers in other sites of your forest root domain by using the process listed in Table 38.
Table 38 Process for Installing Windows 2000 on the Additional Domain Controller in the Forest Root
When Prompted For        Use
Format partitions        NTFS
Computer name            computer_name (where computer_name is the computer name of the additional forest root domain controller).
IP address               ip_address (where ip_address is the fixed IP address that you assign to the additional forest root domain controller).
Subnet mask              subnet_mask (where subnet_mask is the subnet mask that you assign to the additional forest root domain controller).
Administrator password   strong_password (where strong_password is any strong password).
Networking components    DNS
                         Internet Protocol (TCP/IP)
Primary WINS server      primary_wins_server (where primary_wins_server is the IP address of the existing primary WINS server, or leave blank if there is no existing WINS infrastructure).
Secondary WINS server    secondary_wins_server (where secondary_wins_server is the IP address of another existing WINS server, or leave blank if there is no existing WINS infrastructure).
Preferred DNS server     preferred_dns_server (where preferred_dns_server is the IP address of another forest root domain controller that is connected through the minimum number of network segments).
Alternate DNS server     alternate_dns_server (where alternate_dns_server is the IP address of this domain controller).
Contoso example: Installing Windows 2000 on the additional domain controllers
Install Windows 2000 on additional forest root domain controllers in other sites for Contoso by using the process described above and the information provided in Table 39.
Table 39 Information for Installing Windows 2000 in the Contoso Example
When Prompted For      In Vancouver Use   In Milan Use     In Hong Kong SAR Use
computer_name VAN-CON-DC-01 MIL-CON-DC-01 HKG-CON-DC-01
ip_address 172.16.48.14 172.16.132.21 172.16.88.13
subnet_mask 255.255.252.0 255.255.252.0 255.255.252.0
strong_password Uj76-3R5 U75tGH#2 H6y-#4uK
primary_wins_server 172.16.48.15 172.16.132.15 172.16.88.15
preferred_dns_server 172.16.16.22 172.16.16.22 172.16.16.22
alternate_dns_server 172.16.48.14 172.16.132.21 172.16.88.13
Install Active Directory
Install Active Directory on the computer that you want to make the additional forest root domain controller by running the Active Directory Installation Wizard.
The Active Directory Installation Wizard:
• Creates the Active Directory database.
• Initializes the directory data in the database.
• Creates an Active Directory-integrated zone for the forest root domain.
Note: When your organization has no existing DNS infrastructure, the Active Directory Installation Wizard automatically creates an internal root zone (expressed as "."). The new root zone acts as the authoritative root for your organization.
To install Active Directory on the additional forest root domain controller in your environment
1. From a command prompt, type nslookup parent_domain (where parent_domain is the fully qualified domain name of the forest root domain's parent domain).
2. From a command prompt, type nslookup forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).
3. From a command prompt, type nslookup first_domain_controller.forest_root_domain (where first_domain_controller is the computer name of the first forest root domain controller and forest_root_domain is the fully qualified domain name of the forest root domain).
   Successful completion of the nslookup command verifies that the DNS is properly configured.
4. Install Active Directory on the additional forest root domain controller in the primary site by running the Active Directory Installation Wizard and by using the information provided in Table 40 to complete the wizard. Accept default settings when no information is specified.
Table 40 Information for Installing Active Directory on the Additional Domain Controller
Wizard Page                    Action
Domain Controller Type         Click Additional domain controller for an existing domain.
Network Credentials            In the User name box, type user_name (where user_name is the name of an account that is a member of the Enterprise Admins global group).
                               In the Password box, type password (where password is the password of the user name).
                               In the Domain box, type forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain).
Additional Domain Controller   Click Browse.
                               In the Browse for Domain dialog box, click forest_root_domain (where forest_root_domain is the fully qualified domain name of the forest root domain), and then click OK.
Directory Services Restore     In the Password and Confirm password boxes, type strong_password (where strong_password is any strong password).
Mode Administrator Password
Contoso example: Installing Active Directory on the additional domain controller
Install Active Directory on the additional forest root domain controller in the primary site for the Contoso example by using the process described above and the information provided in Table 41.
Table 41 Information for Installing Active Directory in the Contoso Example
When Prompted For               In Vancouver Use      In Milan Use          In Hong Kong SAR Use
parent_domain contoso.com contoso.com contoso.com
forest_root_domain concorp.contoso.com concorp.contoso.com concorp.contoso.com
first_forest_domain_controller VAN-CON-DC-01 MIL-CON-DC-01 HKG-CON-DC-01
user_name Administrator Administrator Administrator
password U9#yKp- U9#yKp- U9#yKp-
strong_password #32-UpYz Re-3Y34a P23#aR-4
Verify the Active Directory Installation
After you run the Active Directory Installation Wizard to install Active Directory, verify the Active Directory installation.
To verify the Active Directory installation on the additional forest root domain controllers in your environment
1. Review the Windows 2000 event log for any errors.
2. From a command prompt, run Dcdiag.exe and review any errors that are reported.
3. Run Task Manager to examine that the processor and me