Re: set up first child DC in a remote site



Hi Jorge,
It is always a pleasure to read your replies, from which I have learned a lot.
The reason I put step 3 in front of step 4 is this: if the child DC-to-be has
not yet set its IP and DNS (pointing to the parent DNS) when the delegation
is created, can the parent DC see the child DC-to-be? Or, when the
delegation is created, does the host of the child domain zone have to be reachable?
I have not done this before. If you have successfully done step 4 before
step 3 then I will follow.
Thanks,

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:eq3XRWb0GHA.4972@xxxxxxxxxxxxxxxxxxxxxxx
Inline

Have read through the second article (KB255248) and your inline comments.
You did make a good comment at 3b. which is slightly different to the KB
article.

This article explains how to delegate from the parent zone to the child domain,
and the creation of the child zone itself. By doing this the parent zone
can resolve the child zone, but the child zone also needs to resolve the
parent zone (and any other zone that might exist in the forest);
that's why I suggested Conditional Forwarding to you, but you can choose
other methods. The important thing is to make sure that each domain in the
forest can resolve each other.

1. Get the VPN tunnelling (physical connection) ready;
Ok. Make sure that you don't have any needed port closed by a FW or any other
rules; use "Portqry.exe" to test whether the needed ports are open.
Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099/

IMHO: It is important to make sure that all needed ports are available before
trying to set up the domain, because it can save you a lot of trouble by
making you think that you're doing things wrong when actually the problem
is being provoked by FW restrictions that you might have.


2. On the parent domain, create a new site and a subnet for the child
domain where it physically sits (and associate the two together);
Ok, sounds Good...
Do you know why Sites are important?
*Sites have two main roles:
- To facilitate authentication, by determining the nearest domain
controller when a user logs on from a workstation
- To facilitate the replication of data between sites
Because site names are used in the records registered in the Domain Name
System (DNS) by the domain locator, they must be valid DNS names.
*Active Directory uses sites to:

-Optimize replication for speed and bandwidth consumption between domain
controllers.

-Locate the closest domain controller for client logon, services, and
directory searches.

-Direct a Distributed File System (DFS) client to the server that is
hosting the requested data within the site.

-Replicate the system volume (SYSVOL), a collection of folders in the file
system that exists on each domain controller in a domain and is required
for implementation of Group Policy.

More info:

Active Directory Sites and Services

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/adsites/w2kadm39.mspx

Step-by-Step Guide to Active Directory Sites and Services

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx

Sites overview

http://technet2.microsoft.com/WindowsServer/en/library/a3970162-368d-4d99-b4f0-76503cc927af1033.mspx?mfr=true


Steps from 3 to 11

I usually do this like this:
- On the parent domain I create a delegation for the child domain, by
providing the future FQDN of the child DC. By doing this you now know that
the parent domain can resolve the child domain.

- Then go to the Child DC and define the FQDN on computer properties,
install DNS service, create the child Zone, configure Conditional
Forwarding to point to the parent domain, point the server to itself under
its NIC Preferred DNS, then reboot.

-Run Dcpromo, create the child domain.

-Reboot.

-Go to the DNS child zone and make it AD Integrated, and accept only
secure updates (better for security).

-Wait for replication or force it by using Active Directory Sites and
Services, repadmin or any other tool... Be patient, this sometimes can take
a while.

-Run the Dcdiag and Netdiag tools and check that everything is ok.
-Note: When I say to use Conditional Forwarding I'm only saying that
because it is the easiest to set up, but you can also choose Secondary
zones, replication across the forest, etc. The important thing is to make
sure that each domain in the forest can resolve each other.
-Make the Child DC a GC on ADSS under NTDS Settings.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
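The sequence Jorge describes (delegate on the parent first, pre-create the child zone with conditional forwarding and the server pointing to itself, run dcpromo, then make the zone AD-integrated with secure-only updates, and make the DC a GC), written out as an added example; it is not code from this thread or from Microsoft. It uses the DnsServer, ActiveDirectory and ADDSDeployment PowerShell modules of Windows Server 2012 and later, so it is the modern equivalent of the 2003-era GUI/dcpromo steps, not a script for Server 2003 R2. The domain names, addresses (parentdomain.local, childdomain, 10.10.0.10, 10.20.0.10, 198.51.100.53), interface alias and site name are made-up placeholders.

```powershell
# Added example (not from the thread). Modern PowerShell equivalent of the
# manual steps; all names, addresses and the site name are placeholders.
$ParentDomain = 'parentdomain.local'
$ChildLabel   = 'childdomain'                 # DNS label / NetBIOS name of the new child
$ChildZone    = "$ChildLabel.$ParentDomain"
$ParentDc     = '10.10.0.10'                  # parent DC, also hosts the parent DNS
$ChildDcIp    = '10.20.0.10'                  # static IP of the DC-to-be (step 3)
$ChildDcFqdn  = "childdc.$ChildZone"
$IspDns       = '198.51.100.53'               # ISP resolver (placeholder)
$SiteName     = 'RemoteSite'
$Subnet       = '10.20.0.0/24'

# --- Step 2, on the parent DC: site and subnet for the remote location ---
New-ADReplicationSite   -Name $SiteName
New-ADReplicationSubnet -Name $Subnet -Site $SiteName
# Optional: shorten the 180-minute default intersite interval (15 min is the minimum).
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -ReplicationFrequencyInMinutes 15

# --- Jorge's first step, on the parent DC: delegate the child zone to the
#     future child DC before dcpromo, so the parent can already resolve it ---
Add-DnsServerZoneDelegation -Name $ParentDomain -ChildZoneName $ChildLabel `
    -NameServer $ChildDcFqdn -IPAddress $ChildDcIp

# --- On the DC-to-be (still a plain server) ---
# Child zone as a standard primary. Dynamic updates must be allowed so dcpromo
# can register its SRV records; "Secure" only exists once the zone is AD-integrated.
Install-WindowsFeature DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -Name $ChildZone -ZoneFile "$ChildZone.dns" `
    -DynamicUpdate NonsecureAndSecure
# Conditional forwarder: only the parent namespace goes to the parent DNS...
Add-DnsServerConditionalForwarderZone -Name $ParentDomain -MasterServers $ParentDc
# ...everything else goes to the ISP resolver (childDC's step 9).
Set-DnsServerForwarder -IPAddress $IspDns
# Step 8: point the NIC at itself, then promote.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $ChildDcIp

# dcpromo: first DC of a new child domain, placed directly in the new site.
# -InstallDns keeps the DNS role; the delegation already exists, so no
# -CreateDnsDelegation. The DC is a GC by default (no -NoGlobalCatalog).
Install-ADDSDomain -NewDomainName $ChildLabel -ParentDomainName $ParentDomain `
    -DomainType ChildDomain -SiteName $SiteName -InstallDns `
    -Credential (Get-Credential "$ParentDomain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
# The server reboots here.

# --- After the reboot, on the new child DC: AD-integrate the zone and
#     accept only secure updates (Jorge's "better for security" step) ---
ConvertTo-DnsServerPrimaryZone -Name $ChildZone -ReplicationScope Domain -Force
Set-DnsServerPrimaryZone -Name $ChildZone -DynamicUpdate Secure
# Don't wait for the intersite schedule: trigger replication now.
repadmin /syncall /AdeP
```

Keeping the zone on "NonsecureAndSecure" only until the conversion matters: a file-backed primary zone cannot enforce secure updates, so the window between zone creation and `Set-DnsServerPrimaryZone -DynamicUpdate Secure` is exactly the one the thread's step 11 closes.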

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:u$2dMzX0GHA.4972@xxxxxxxxxxxxxxxxxxxxxxx
Hi Jorge,
Have read through the second article (KB255248) and your inline comments.
You did make a good comment at 3b. which is slightly different to the KB
article.
Now let me try to summarize what I can do:

1. Get the VPN tunnelling (physical connection) ready;
2. On the parent domain, create a new site and a subnet for the child
domain where it physically sits (and associate the two together);
3. On the child domain DC-to-be, configure a static IP in the new subnet
and configure the DNS server being the DNS server of the parent domain;
4. On the parent DNS domain, create a new delegation for the child DNS
zone (domain) to the child domain DC-to-be;
(I do not understand why in the article steps 4-7 come after step 3)
5. install DNS service on the child domain DC-to-be;
6. on the child domain DC-to-be, create the new (standard primary)
forward lookup zone - the child DNS zone
7. On the child DC-to-be, enable dynamic updates for the child zone;
(Now the DNS service on the child DC-to-be should be running properly)
8. (Now take Jorge's comment) On child DC-to-be, change the DNS server
(in TCP/IP settings) to point to its own IP address;
9. On child DC-to-be, configure the DNS forwarders so that the namespace
parentdomain.local goes to the parent DNS server while all other namespaces
go to the external DNS server(s) of the ISP (the site has its own Internet
connection); make sure name resolution works in both directions.
10. on the child DC-to-be, run dcpromo and choose new domain - child
domain of existing domain;
11. on the new child domain DC, check whether the DNS is AD-integrated.
If not, make it AD-integrated.

Is this sequence ok? (Unfortunately, I do not have a test Lab.)

Cheers,

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:eVzx$gF0GHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
Hi
First read:
How to configure DNS dynamic updates in Windows Server 2003
http://support.microsoft.com/kb/816592
How To Create a Child Domain in Active Directory and Delegate the DNS
Namespace to the Child Domain
http://support.microsoft.com/kb/255248/
How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/kb/323380/

1. setup a VPN tunnelling between two firewalls in two sites;
to see firewall configurations check:
Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

2. on the DC of parent domain (the current domain), create a new site
and linked with a new subnet for the remote site;
Ok.

3b. on the new server in the NIC TCP/IP settings add parent DC as
primary DNS (it's AD-integrated).
No.
Actually you can create the child DNS domain in advance (before running
dcpromo) on the DC that is going to be at the remote site. Then configure
conditional forwarding on that DC to make sure that it can resolve the
parent domain, point the DC to itself, and everything should be fine to
run dcpromo. (Don't forget to delegate the zone in the parent domain
before running dcpromo; check the links above.)

4. on the new server at remote site, on which basic windows server 2003
R2 is installed, run dcpromo and select first DC of a child domain and
wait for the AD installed. (the AD is not very big and has already
extended to R2 schema)
Ok. If DNS is set up correctly you should be fine.

5. wait for 15 minutes or 1 hour and check the site replication.
Well... it depends on the amount of info to be replicated, and remember that
by default remote sites are set up to replicate every 180 minutes = 3h. You
can force replication manually or change the default value.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
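The checks recommended in this thread (a Portqry-style port test before promotion, name resolution in both directions, and dcdiag/repadmin afterwards), as an added example that is not from the thread; it uses only built-in Windows Server 2012+ PowerShell cmdlets and command-line tools. The placeholder names and addresses are the same made-up ones as above; the first half runs on the DC-to-be before dcpromo, the second after it. The TCP port list is the well-known set a DC needs towards the parent domain; UDP and the RPC dynamic range are not covered by a TCP connect test, which is why Portqry is still the better tool for those.

```powershell
# Added example (not from the thread). Placeholders, not real hosts.
$ParentDomain = 'parentdomain.local'
$ChildZone    = 'childdomain.parentdomain.local'
$ParentDc     = '10.10.0.10'
$ChildDcFqdn  = 'childdc.childdomain.parentdomain.local'
$SiteName     = 'RemoteSite'

# --- Before dcpromo: is the firewall/VPN letting the AD ports through? ---
# TCP only; UDP 53/88/389 and the RPC dynamic range need Portqry or a UDP probe.
$AdTcpPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269
$closed = foreach ($p in $AdTcpPorts) {
    $r = Test-NetConnection -ComputerName $ParentDc -Port $p -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { $p }
}
if ($closed) { Write-Warning "TCP ports blocked towards ${ParentDc}: $($closed -join ', ')" }
else         { Write-Host "All tested AD TCP ports reachable on $ParentDc" }

# --- Name resolution in both directions (childDC's step 9) ---
# Child -> parent through the conditional forwarder: the parent's DC SRV record.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ParentDomain" -Type SRV
# Parent -> child through the delegation: ask the parent DNS about the child zone.
Resolve-DnsName -Name $ChildZone   -Type NS -Server $ParentDc
Resolve-DnsName -Name $ChildDcFqdn -Type A  -Server $ParentDc

# --- After dcpromo and the reboot: did the new DC register and replicate? ---
# SRV records for the child domain and for its site, registered by Netlogon.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ChildZone" -Type SRV
Resolve-DnsName -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$ChildZone" -Type SRV
# The DC locator should now pick this DC for the site (what step 2 was for).
nltest "/dsgetdc:$ChildZone" "/site:$SiteName"
# Zone state after step 11: expect IsDsIntegrated True and DynamicUpdate Secure.
Get-DnsServerZone -Name $ChildZone | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
# Replication health, plus the intersite interval (180 minutes unless changed).
repadmin /replsummary
Get-ADReplicationSiteLink -Filter * | Select-Object Name, ReplicationFrequencyInMinutes
dcdiag /test:dns /test:replications
# GC flag on the NTDS Settings object (Jorge's last step).
Get-ADDomainController -Identity $ChildDcFqdn | Select-Object Name, IsGlobalCatalog
```

If the NS lookup against the parent DNS fails while the A lookup succeeds, the delegation is missing or points at the wrong name server; if the parent SRV lookup from the child fails, the conditional forwarder (or the firewall in front of it) is the problem, which is the distinction Jorge's "check the ports first" advice is meant to save you from.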

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:ubVjyB%23zGHA.1268@xxxxxxxxxxxxxxxxxxxxxxx
Hi experts,
I am planning to set up a DC in a remote site. The new server is already
sitting in the new site.
This DC will be the first DC in this site and will be a child domain of
the existing domain/forest.
This DC will also run AD integrated DNS service for the domain
childdomain.parentdomain.local.

Could anyone tell me the sequence of actions I need to do to
achieve this goal, or point me to some documentation?
Below are my thoughts:
1. setup a VPN tunnelling between two firewalls in two sites;
2. on the DC of parent domain (the current domain), create a new site
and linked with a new subnet for the remote site;
3a. on the new server at remote site, add the DC of parent domain into
the HOSTS file and add the new server into the HOSTS file on parent DC,
so that name resolution can work in both directions. Or if this does not
work
3b. on the new server in the NIC TCP/IP settings add parent DC as
primary DNS (it's AD-integrated).
4. on the new server at remote site, on which basic windows server 2003
R2 is installed, run dcpromo and select first DC of a child domain and
wait for the AD installed. (the AD is not very big and has already
extended to R2 schema)
5. wait for 15 minutes or 1 hour and check the site replication

I guess with step 3b the AD installation will most likely be
successful. However, I am not sure whether the DNS will work as we
want.
Should I do anything on the parent DC (integrated DNS) for the child
domain before or after running dcpromo on the new server?
Will this dcpromo automatically install the DNS service on the new
server?
If it does, with the NIC primary DNS pointing to the parent DC, will this DNS
service work and get DNS replicated? At what point should the NIC DNS point
to itself?

Thanks in advance!
