To understand how to
administer a network in an AD environment, you should be familiar with
the steps taken to initialize and configure the network environment. To
accomplish this, you must first set up your servers and ensure that the
proper services have been installed. You will be working with the
dcpromo tool
to "promote" a Windows 2003 server to a domain controller (DC). Once
you have properly set up a domain environment with an appropriate number
of DCs, you will be reviewing and working with DNS registration and
configuring sites.
While
the basic information provided here enables you to set up a minimal
test network, this discussion is not meant to be an AD
planning-and-design primer, nor a substitute for spending time
developing the AD solution that meets the needs of your organization.
To begin working with AD, first ensure that you
have DNS services available on the network or plan to install them
during dcpromo. Next, install the Windows Server 2003 server software on
a computer whose hard drive has been cleaned of any previous software
or data. (Do not install Microsoft IIS or other optional components.)
You must then configure DNS for each Windows server that will be used as
a DC. If the server will become a new DC in an existing domain, join
the server to the domain.
With these preliminaries out of the way, you are now ready to begin using the dcpromo tool.
1. Using dcpromo
Any Windows 2000 server or Windows Server 2003
server (except the Windows Server 2003 web server edition) can be used
as a domain controller. This process is known as promotion and uses the dcpromo tool. (A DC can be returned to member server status as well, which is known as demotion.) Before you can use the dcpromo tool to promote a server, the following conditions must be met:
Administrative privileges are required
Whoever runs the dcpromo tool to create the
first DC in the root domain of a new forest must be a
member of the local Administrators group of the server being promoted.
(A forest consists of one or more AD
domains sharing the same schema, configuration, and global catalog; the
domains of a forest are organized into one or more trees, each tree being
a set of domains with a contiguous DNS namespace.) To create
new domains, or add new trees to an existing forest, the administrator
using the dcpromo tool must be a member of the Enterprise Admins group,
or have been delegated the right to create the domain.
DNS services must support service location (SRV) records
A DNS SRV record
maps a service such as LDAP or Kerberos to the host (and port) that offers it. (See RFC 2782, A DNS RR for Specifying the Location of Services.)
Windows 2000 and Windows Server 2003 DNS support SRV records, as do
BIND versions 4.9.7 and later. If non-Microsoft DNS is used, you
should use BIND Version 8.2.1 or later, because those versions also support
dynamic updates and incremental zone transfers, which let the DCs register
and maintain their own records. If DNS services are not
available, the dcpromo process can install Microsoft DNS services on
the server being promoted.
TCP/IP should be correctly configured and operational on the server
TCP/IP configuration should include the
address of the DNS server that will store the domain controller SRV
records. During the dcpromo process, these records will be dynamically
stored on the DNS server if the DNS server supports dynamic updates. If
DNS services will be installed on the local server during the dcpromo
process, the TCP/IP configuration should point to the local server for
DNS services.
Know the new DC's location in the AD hierarchy
The DC can either create a new domain in
the forest, or join an existing domain as an additional DC. If it creates a
new domain, that domain can be the root of a new forest, the root of a new
tree in an existing forest, or a child domain in an existing tree.
Know the domain name
If the new domain is the root domain of a
new forest or a new forest tree, then it might be the registered
Internet domain for the organization, or it may not be. If the new
domain is a child domain, you must know the parent domain name. The
selection of the domain name in either case is not arbitrary, and should
not be made up during implementation.
Be at the correct functional level
If the functional level of the domain is Windows Server 2003, a Windows 2000 server cannot become a DC in that domain.
Before running
the dcpromo tool, you should check the DNS configuration on the server.
The DNS properties page of the TCP/IP configuration shown in Figure 1
should point to the DNS server that will be used by AD. If DNS will be
installed on the DC, you may do so during the dcpromo process.
You can initialize the dcpromo process by running
the dcpromo command or selecting the Domain Controller role from the
Manage Your Server wizard. In our discussion, we will use the
command-line initialized wizard to show how to create a forest
in the first DC in the root forest domain, how to create a new tree,
how to add a child domain to an existing domain, and how to create an
additional DC for an existing domain.
1.1. Creating a forest
To create a forest and the first DC in the root forest domain, begin by clicking Start and then Run. Enter dcpromo
and then click OK. From the ensuing screen, read the information on
Operating System Compatibility. By default, the DC will be configured
assuming that all member computers will be Windows XP, Windows 2000, or
Windows Server 2003 computers. (If they are not, you will need to choose
permissions compatible with pre-Windows 2000 operating systems, which we'll discuss later.) Click Next
to continue.
Now select Domain Controller for a New Domain
and then click Next. Click "Domain in a new forest" and then click Next.
From here you will begin entering some important information. Enter the
full DNS name for the new domain and then click Next. Verify the
NetBIOS name and then click Next. Enter the location to install the
database and log folders (or accept the default) and then click Next.
Enter the location for the sysvol folder (or accept the
default) and then click Next.
If DNS is available on the network and the DNS
settings for this server are correct, the Installation Wizard should
report that it found the DNS server. If it reports that no DNS was found
even though a DNS server is available, check that the IP address of the DNS
server and the default gateway are entered correctly in the network
configuration for this server.
Do not elect to install DNS on the domain
controller if DNS is supposed to be available on the network. If,
however, DNS will reside on the DC, then select "Install and configure
the DNS server on this computer" and "Set this computer to use this DNS
server as its preferred DNS server," and then click Next.
If all member computers are not Windows XP,
Windows 2000, or Windows Server 2003 computers, select "Permissions
compatible with pre-Windows 2000 server operating systems"; otherwise,
select "Permissions compatible only with Windows 2000 or Windows Server
2003 operating systems."
Enter and confirm a password for the Directory
Services Restore Mode Administrator account for this computer and then
click Next. This sets the password of the server's local Administrator
account, which after promotion is used only to log on in Directory Services
Restore Mode, for example when a directory restore is necessary. It is
separate from the domain Administrator password and should not be the same.
Ensure that this password is recorded
in a safe place with your disaster recovery information.
Finally, review the summary and then click Next
to begin the installation. When installation is complete, you must
restart the computer.
When the dcpromo tool is run to create a new
forest, it creates the forest, the first forest tree, and the first DC
in the root forest domain. To create additional trees, a new domain must
be created. The domain must be created as the first domain in a new
tree of an existing forest. Each DC must be created on a different
Windows Server 2003 server.
For example, say that your organization, Nomoore, Inc., is located in Boston. A possible design would be to create the nomoore.local forest by promoting a server to be the first DC of the root forest domain, nomoore.local. Because growth is possible, you create a subdomain, boston.nomoore.local,
to contain and manage the resources and people located in Boston. If
you have a new location (say in New York), a new subdomain can easily be
created.
This design is common and is often called an
"empty root" forest. It consists of creating a forest root domain that
merely establishes the forest and houses the forest-wide administrative
groups and administrators. Subdomains are created to facilitate
administration at different locations or for different divisions. New trees
are created to denote distinct entities within the organization or,
when registered DNS names will be used, to allow for centralized
administration of domains with different root names. In this example, if
your organization purchases another company and wants to maintain the
new company's autonomy, a new tree of the forest (nada.local) can be
added. Note that separate trees of the forest can all be administered by
forest administrators (such as members of the Enterprise Admins group).
Figure 2 illustrates the final result.
1.2. Creating a new tree
To create the new tree, start the dcpromo
process as described earlier. While the process is similar, the
following differences exist. First, you must use a username, password,
and domain name that already exists in the forest, and the user must be a
member of the Enterprise Admins group. Next, during dcpromo, you will
click to select "Domain tree in an existing forest." Finally, if DNS is
available on the network and the DNS settings for this server are
correct, the Installation Wizard should note that. If no DNS is found
and DNS is available, you should troubleshoot why this problem is
occurring.
1.3. Adding a child domain
A single domain may suit the purposes of many
organizations. In this model, all users and all resources reside in the
single domain. There are, however, many reasons why this may not be
suitable. For example, legal, administrative, political, technical, and
even geographical reasons may lead AD designers to create multiple-domain
forests. Separate domains provide opportunities to decentralize
administration to provide separate control over people and resources as
required for any of these reasons, while maintaining overall supervision
and consistency. Child domains (or subdomains) are created using the
dcpromo tool as described shortly. A child domain is named by prepending
a label to the parent domain name; boston.nomoore.local, from the example above, is such a name.
To add a child domain to an existing domain, use
the dcpromo process as described earlier. However, this time you will
select "Domain controller for a new domain" and then select "Child
domain in an existing domain tree." You will need to enter the username,
password, and user domain of the user account to use for this operation
and verify the parent domain.
1.4. Creating an additional DC
A domain should have at least two DCs to provide
redundancy in the case of failure. Additional DCs may be added for load
balancing, or to serve different locations.
Creating an additional DC for an existing domain
is similar to creating a forest and the first DC in the root forest
domain. However, after you launch dcpromo, in the first screen to appear
after the information on Operating System Compatibility, select
"Additional Domain Controller for an existing domain" and then click
Next.
Enter the username, password, and domain of an account that is allowed to
add a DC to the domain (a member of that domain's Domain Admins group) and
then click Next. Enter the full DNS name of the existing domain and then
click Next. Enter the location to install the database and log folders (or
accept the default) and then click Next. Enter the location for the sysvol
folder (or accept the default) and then click Next.
If DNS is available on the network and the DNS
settings for this server are correct, the Installation Wizard should
note that. If no DNS is found and DNS is available, you should
troubleshoot why this problem is occurring in the same manner as
described in the earlier discussion on the dcpromo process.
Do not elect to install DNS on the domain
controller if DNS is supposed to be available on the network. If,
however, DNS will reside on the DC, then select "Install and configure
the DNS server on this computer" and "Set this computer to use this DNS
server as its preferred DNS server," and then click Next.
If all member computers are not Windows XP,
Windows 2000, or Windows Server 2003 computers, select "Permissions
compatible with pre-Windows 2000 server operating systems"; otherwise,
select "Permissions compatible only with Windows 2000 or Windows Server
2003 operating systems."
Enter and confirm a password for the Directory
Services Restore Mode Administrator account for this computer and then click
Next. As before, this is the server's local Administrator account, used only
to log on in Directory Services Restore Mode when a directory restore is
necessary. Ensure that this password is recorded in
a safe place along with your disaster recovery information.
Finally, review the summary and then click Next
to begin the installation. When installation is complete, you must
restart the computer.
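The four promotions in sections 1.1 through 1.4 can also be driven from an answer file, which is the practical way to build a repeatable test forest. The file below is an added example and is not from the original text; the key names follow Microsoft's documentation for unattended dcpromo on Windows 2000 and Windows Server 2003 (ReplicaOrNewDomain, TreeOrChild, CreateOrJoin, and so on), while the domain names, paths, account names and password placeholders are assumptions drawn from the Nomoore example.

```ini
; C:\promote-root.txt: first DC of a new forest (section 1.1).
; Run with:  dcpromo /answer:C:\promote-root.txt
; Everything below is an assumed example configuration.
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=nomoore.local
DomainNetbiosName=NOMOORE
; No DNS on the network yet, so install and configure DNS on this DC
; (the "Install and configure the DNS server on this computer" choice).
; For sections 1.2 to 1.4 DNS already exists: DNSOnNetwork=Yes, AutoConfigDNS=No.
DNSOnNetwork=No
AutoConfigDNS=Yes
; "Permissions compatible only with Windows 2000 or Windows Server 2003".
; Yes would add Everyone and Anonymous Logon to Pre-Windows 2000 Compatible Access.
AllowAnonymousAccess=No
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; Directory Services Restore Mode password; stored in clear text in this file.
SafeModeAdminPassword=<DSRM password>
RebootOnSuccess=Yes

; Section 1.2, new tree nada.local in the existing forest: same file, but
; these keys replace CreateOrJoin/NewDomainDNSName/DomainNetbiosName above,
; and an Enterprise Admins credential must be supplied.
;CreateOrJoin=Join
;NewDomainDNSName=nada.local
;DomainNetbiosName=NADA
;UserName=Administrator
;UserDomain=nomoore.local
;Password=<Enterprise Admins password>

; Section 1.3, child domain boston.nomoore.local: TreeOrChild=Child with the
; parent and child names replaces TreeOrChild/CreateOrJoin/NewDomainDNSName.
;TreeOrChild=Child
;ParentDomainDNSName=nomoore.local
;ChildName=boston
;DomainNetbiosName=BOSTON
;UserName=Administrator
;UserDomain=nomoore.local
;Password=<Enterprise Admins password>

; Section 1.4, additional DC for nomoore.local: no new domain is created,
; so the New*/TreeOrChild/CreateOrJoin/DomainNetbiosName keys are dropped.
;ReplicaOrNewDomain=Replica
;ReplicaDomainDNSName=nomoore.local
;UserName=Administrator
;UserDomain=nomoore.local
;Password=<Domain Admins password>
```

Only one active [DCInstall] section is read per run, so keep one variant uncommented per file. The file carries the DSRM password and a privileged domain credential in clear text: restrict its ACL to the administrator running the promotion, keep it off network shares, and delete it once the server has rebooted as a DC.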
2. Confirming DNS Registration of DC Information
After you create a domain in a forest, or add a DC to it, the new DC's
service location (SRV) records are registered automatically on the DNS
server. These records must be present in DNS and they must be
correct, because computers joined to a
domain in the forest use them to find the DCs they need to
talk to.
For example, client computers must locate the
Kerberos service (a service that runs on every DC) of a domain
controller during boot so that they can authenticate to the domain and
download Group Policy. User logon must also locate this service. DCs
also use DNS to locate other DCs to find replication peers. SRV records
added in DNS for domain controllers are stored in the containers shown
in Figure 3.
The pane on the left of this window shows the following subdomains used to store SRV records:
_msdcs
This is a Microsoft-specific subdomain that
stores SRV records for domain controllers according to the roles they hold in AD. These roles
are domain controller (dc), global catalog server (gc), and primary domain controller emulator (pdc).
Every domain controller holds a writable copy of its domain partition plus the
forest-wide configuration and schema partitions. A global catalog server
additionally holds the global catalog, a read-only, partial-attribute
replica of every object in every domain of the forest, which is what makes
forest-wide searches possible. The primary domain controller emulator performs NT 4.0 primary domain
controller services for any NT 4.0 backup domain controllers still joined to the
AD domain, and also acts as the domain's authority for urgent password changes
and as its time source. Within _msdcs, domain controllers and global catalog servers are also
listed by site.
_sites
This contains records for domain
controllers based on site. Clients can use this record to locate domain
controllers and global catalog servers that are in their site, so that
they can avoid using services across the WAN.
_tcp
This contains the SRV records for services the domain controllers offer over TCP
(LDAP, Kerberos, kpasswd, and the global catalog). A _tcp subdomain appears
both directly under the domain and under each site in _sites, so a client
looks here to find any DC in the domain, or a DC in a specific site. The TCP
protocol is used to contact the service, hence the name.
_udp
Kerberos clients can use UDP port 88 to
request tickets and UDP port 464 for password changes. Because these
services are reached over UDP, the subdomain is named _udp.
DomainDnsZones
Zone information that should be replicated to all DCs in the domain that have the DNS service installed.
ForestDnsZones
Zone information that should be replicated to all DCs in the forest that have the DNS service installed.
As shown in Figure 3,
when the domain is selected, the right side (or detail pane) of the
management console mirrors the list in the left pane and also shows the
DNS host (A) records for the domain.
You have three options for verifying that the proper records have been registered for a DC:
Visually inspect the records in the DNS Manager console.
View the records in the netlogon.dns file, located in the %systemroot%\System32\Config folder on the DC; the first records will be the LDAP SRV records, in the form _ldap._tcp.<domainname>.
Use nslookup to query for SRV service location records.
When nslookup starts, it performs a reverse lookup of the DNS server's own
address; if there is no reverse lookup zone for the domain it prints a
warning and shows the server as UnKnown, but the SRV queries below still work.
Begin by
opening a command prompt. Type nslookup and then press Enter. Type set type=all and then press Enter. Type _ldap._tcp.dc._msdcs.<domainname> and then press Enter. Repeat this process for as many SRV records as you want to confirm. Figure 4 shows some sample results.
Once you have run nslookup, the resulting screen shows you the SRV records if they exist. Note in Figure 4 that the correct name for the LDAP SRV record for the nomoore.local domain was entered (see the second ">") and that two DNS records (one for DC clarissa and one for DC gy101) are returned. If these are the only two DCs in the nomoore.local domain, then you have verified that they have been correctly registered in DNS. However, if you have three DCs in the nomoore.local domain, then one of them is not registered.
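To automate the check just described, here is an added example (not from the original text) in Python that parses zone-file-style SRV lines, the format used by netlogon.dns and by a DNS zone dump, and reports which expected DCs have no _ldap._tcp.dc._msdcs registration. The sample records are constructed for the nomoore.local example; the third DC name, boston-dc1, and the Boston site are assumptions.

```python
"""Verify DC SRV registration from zone-file-style records.

Added example. Parses lines such as those in
%systemroot%\\System32\\Config\\netlogon.dns (or pasted from nslookup /
a zone dump) and compares the DCs found against the DCs you expect.
"""
import re
from collections import defaultdict

# One record looks like:
#   _ldap._tcp.dc._msdcs.nomoore.local. 600 IN SRV 0 100 389 clarissa.nomoore.local.
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample: the records of the nomoore.local zone as a merged
# dump would show them. Two DCs are registered; boston-dc1 is missing.
SAMPLE_NETLOGON_DNS = """\
nomoore.local. 600 IN A 192.168.10.11
_ldap._tcp.nomoore.local. 600 IN SRV 0 100 389 clarissa.nomoore.local.
_ldap._tcp.nomoore.local. 600 IN SRV 0 100 389 gy101.nomoore.local.
_ldap._tcp.dc._msdcs.nomoore.local. 600 IN SRV 0 100 389 clarissa.nomoore.local.
_ldap._tcp.dc._msdcs.nomoore.local. 600 IN SRV 0 100 389 gy101.nomoore.local.
_ldap._tcp.pdc._msdcs.nomoore.local. 600 IN SRV 0 100 389 clarissa.nomoore.local.
_ldap._tcp.gc._msdcs.nomoore.local. 600 IN SRV 0 100 3268 clarissa.nomoore.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.nomoore.local. 600 IN SRV 0 100 389 clarissa.nomoore.local.
_ldap._tcp.Boston._sites.dc._msdcs.nomoore.local. 600 IN SRV 0 100 389 gy101.nomoore.local.
_kerberos._tcp.dc._msdcs.nomoore.local. 600 IN SRV 0 100 88 clarissa.nomoore.local.
_kerberos._udp.nomoore.local. 600 IN SRV 0 100 88 clarissa.nomoore.local.
_kpasswd._udp.nomoore.local. 600 IN SRV 0 100 464 clarissa.nomoore.local.
"""


def parse_srv_records(text):
    """Return (owner, port, target) for every SRV line in text.

    A records, comments and blank lines are skipped. Names are lower-cased
    and the trailing dot removed so they compare cleanly with user input.
    """
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue
        owner = m.group("owner").lower().rstrip(".")
        target = m.group("target").lower().rstrip(".")
        records.append((owner, int(m.group("port")), target))
    return records


def registered_dcs(records, domain, role="dc"):
    """Hosts registered under _ldap._tcp.<role>._msdcs.<domain>.

    role is 'dc', 'gc' or 'pdc', the _msdcs subdomains described above.
    """
    owner = f"_ldap._tcp.{role}._msdcs.{domain}".lower()
    return sorted({t for o, _, t in records if o == owner})


def missing_dcs(records, domain, expected_dcs):
    """Expected DC FQDNs that have no _ldap._tcp.dc._msdcs registration."""
    found = set(registered_dcs(records, domain))
    return sorted(dc.lower() for dc in expected_dcs if dc.lower() not in found)


def srv_by_site(records, domain):
    """Map site name -> DCs advertising LDAP in that site, taken from the
    _ldap._tcp.<site>._sites.dc._msdcs.<domain> records."""
    suffix = f"._sites.dc._msdcs.{domain}".lower()
    prefix = "_ldap._tcp."
    sites = defaultdict(set)
    for owner, _, target in records:
        if owner.startswith(prefix) and owner.endswith(suffix):
            sites[owner[len(prefix):-len(suffix)]].add(target)
    return {site: sorted(hosts) for site, hosts in sites.items()}


if __name__ == "__main__":
    recs = parse_srv_records(SAMPLE_NETLOGON_DNS)
    expected = ["clarissa.nomoore.local", "gy101.nomoore.local",
                "boston-dc1.nomoore.local"]  # assumed third DC
    print("registered DCs:", registered_dcs(recs, "nomoore.local"))
    print("global catalogs:", registered_dcs(recs, "nomoore.local", "gc"))
    print("per site:", srv_by_site(recs, "nomoore.local"))
    print("NOT registered:", missing_dcs(recs, "nomoore.local", expected))
```

Feed it the real netlogon.dns of each DC (or the output of a zone transfer from the DNS server) and a list of the DCs you believe exist; a DC that appears in the expected list but not in the dc._msdcs records is exactly the "third DC" case in the text, and a DC that is registered under dc but absent from any _sites entry is one that will be reached across the WAN.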
When you have
successfully verified that the DC information has been registered
accurately with DNS, you are ready to begin configuring sites.