Re: set up first child DC in a remote site



Inline
It is always a pleasure to read your reply from which I learned a lot.
Thank you.

The reason I put step 3 in front of step 4 is that if the child DC-to-be
has not set its IP and DNS (pointing to the parent DNS) during the creation
of the delegation, can the parent DC see the child DC-to-be?
- Not sure I understand what you mean...

Or in the creation of the delegation does the host of the child domain
zone have to be reachable?
No. You can create the delegation by manually providing the FQDN of the DC
on the Child domain and its IP address; at the moment that you create the
delegation the server doesn't have to be reachable. The important thing is
that BEFORE you run dcpromo on the future child DC, you have the structure
all configured, which means: Site and subnet, delegation on the parent
domain, the child zone created, and the Conditional Forwarding configured
pointing to the parent domain. Remember that the Child DC, like the Parent
Domain DC, must point to itself on its NIC Preferred DNS. If delegation and
Conditional Forwarding are correctly set up, both DCs must be able to
resolve each other by FQDN.

I have not done this before. If you have successfully done step 4 before
step 3 then I will follow.
-Humm..

Ok, I reviewed steps 3 and 4.
Step 4 refers to the creation of the delegation, correct?
Step 3 sounds incorrect because you're saying to configure the DC in the
child domain with the DNS server of the parent domain as its DNS server?

So lets review...

DC1(Parent Domain)
DC2(Child of the parent Domain)

You can start with DC1:
Create the New Site and the New Subnet in Active Directory Sites and
Services.
Make sure that the DC ONLY points to itself under its NIC DNS preferred DNS.
Also make sure that your Clients in the network only use their local DNS
server(s), don't place the ISP DNS Server on their NIC Properties.
Best practices for DNS client settings in Windows 2000 Server and in Windows
Server 2003

http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&sd=RMVP

If you need Internet Resolution you can use Forwarding, check:
How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/kb/323380/
Note: Conditional forwarding isn't the same as Forwarding, OK? You GENERALLY
USE Forwarding for Internet resolution, and you GENERALLY use Conditional
Forwarding for specific domain name resolution (like the Parent domain).

Then go to DC2 and follow the procedures that I already gave you.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
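
The DNS preparation described above (delegation on the parent, child zone plus conditional forwarder on the future child DC, each DC pointing to itself, plain forwarding for Internet names, and a resolution check in both directions), as an added PowerShell example that is not part of this thread or of any Microsoft documentation. It drives the Windows Server 2003 command-line tools dnscmd.exe, netsh.exe and nslookup.exe; every host name, zone name, adapter name and address (DC1 10.1.0.10, DC2 10.2.0.10, ISP resolver 192.0.2.53, "Local Area Connection") is a constructed placeholder to be replaced with the real values.

```powershell
# Added example (not from the thread): prepare DNS for a new child domain with the
# Windows Server 2003 command-line tools dnscmd.exe, netsh.exe and nslookup.exe.
# Every name and address here is a constructed placeholder.

$ParentZone  = 'parentdomain.local'
$ChildLabel  = 'childdomain'                 # left-most label of the child zone
$ChildZone   = "$ChildLabel.$ParentZone"
$Dc1         = 'dc1'                         # parent-domain DC, authoritative for $ParentZone
$Dc1Ip       = '10.1.0.10'
$Dc2         = 'dc2'                         # future child DC, will host $ChildZone
$Dc2Ip       = '10.2.0.10'
$IspResolver = '192.0.2.53'                  # placeholder for the ISP resolver (TEST-NET-2)
$Nic         = 'Local Area Connection'       # adapter name on DC2

function Invoke-Tool {
    # Echo and run an external tool; stop on a non-zero exit code.
    param([string]$Exe, [string[]]$ToolArgs)
    Write-Host "> $Exe $($ToolArgs -join ' ')"
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# --- On DC1 (parent zone): delegate the child zone to DC2 ----------------------
# A delegation is an NS record at the child node of the parent zone plus a glue
# A record for the name server it names. DC2 does not have to be reachable yet.
function New-ChildDelegation {
    Invoke-Tool dnscmd @($Dc1, '/RecordAdd', $ParentZone, $ChildLabel, 'NS', "$Dc2.$ChildZone")
    Invoke-Tool dnscmd @($Dc1, '/RecordAdd', $ParentZone, "$Dc2.$ChildLabel", 'A', $Dc2Ip)
}

# --- On DC2, before dcpromo ----------------------------------------------------
function Initialize-ChildDnsServer {
    # 1. The child zone as a standard primary, file-backed zone; it is converted
    #    to AD-integrated (dnscmd /ZoneResetType <zone> /DsPrimary) after dcpromo.
    Invoke-Tool dnscmd @($Dc2, '/ZoneAdd', $ChildZone, '/Primary', '/file', "$ChildZone.dns")
    #    AllowUpdate 1 = non-secure dynamic updates, so dcpromo can register its
    #    SRV records; 2 (secure only) requires an AD-integrated zone.
    Invoke-Tool dnscmd @($Dc2, '/Config', $ChildZone, '/AllowUpdate', '1')

    # 2. Conditional forwarding: only queries for the parent zone go to DC1.
    #    On Server 2003 a conditional forwarder is a zone of type Forwarder.
    Invoke-Tool dnscmd @($Dc2, '/ZoneAdd', $ParentZone, '/Forwarder', $Dc1Ip)

    # 3. Plain server-level forwarding for every other name (Internet resolution).
    #    This is the "Forwarding" that conditional forwarding is contrasted with.
    Invoke-Tool dnscmd @($Dc2, '/ResetForwarders', $IspResolver)

    # 4. DC2's NIC points only to itself; the ISP resolver never goes on the NIC.
    Invoke-Tool netsh @('interface', 'ip', 'set', 'dns', "name=$Nic", 'source=static', "addr=$Dc2Ip", 'register=primary')
}

# --- Cross-check before dcpromo: each DC must resolve the other by FQDN ---------
function Test-CrossResolution {
    # Query a specific server and require the peer's address in the answer, so a
    # broken delegation or forwarder fails here rather than inside dcpromo.
    $checks = @(
        @{ Name = "$Dc2.$ChildZone";  Server = $Dc1Ip; Expect = $Dc2Ip },  # parent -> child via delegation
        @{ Name = "$Dc1.$ParentZone"; Server = $Dc2Ip; Expect = $Dc1Ip }   # child -> parent via conditional forwarder
    )
    foreach ($c in $checks) {
        $out = (nslookup $c.Name $c.Server 2>&1) -join "`n"
        if ($out -notmatch [regex]::Escape($c.Expect)) {
            throw "$($c.Server) cannot resolve $($c.Name) to $($c.Expect):`n$out"
        }
        Write-Host "OK: $($c.Server) resolves $($c.Name) -> $($c.Expect)"
    }
}

New-ChildDelegation         # run with DNS admin rights against DC1
Initialize-ChildDnsServer   # run locally on DC2
Test-CrossResolution
```

The order matters: the delegation is created first and needs nothing from DC2, then DC2 gets its zone, its conditional forwarder and its self-pointing NIC, and only when both nslookup checks pass is dcpromo run. The resolution test asks each server directly for the other's FQDN, which is exactly the dependency dcpromo has on the DNS structure.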

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:eYnEiyg0GHA.3656@xxxxxxxxxxxxxxxxxxxxxxx
Hi Jorge,
It is always a pleasure to read your reply from which I learned a lot.
The reason I put step 3 in front of step 4 is that if the child DC-to-be
has not set its IP and DNS (pointing to the parent DNS) during the creation
of the delegation, can the parent DC see the child DC-to-be? Or during the
creation of the delegation does the host of the child domain zone have to be
reachable?
I have not done this before. If you have successfully done step 4 before
step 3 then I will follow.
Thanks,

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:eq3XRWb0GHA.4972@xxxxxxxxxxxxxxxxxxxxxxx
Inline

Have read through the second article (KB255248) and your inline
comments.
You did make a good comment at 3b. which is slightly different to the KB
article.

This article explains how to delegate from the parent zone to the child
domain, and the creation of the child zone itself. By doing this the parent
zone can resolve the child zone, but the child zone also needs to resolve
the parent zone as well (and any other zone that might exist in the
forest); that's why I suggested Conditional Forwarding to you, but you can
choose other methods. The important thing is to make sure that each
domain in the forest can resolve each other.

1. Get the VPN tunnelling (physical connection) ready;
Ok. Make sure that you don't have any needed port closed by the FW or any
other rules; use "Portqry.exe" to test if the needed ports are open
Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099/

IMHO: It is important to make sure that any needed ports are available
before trying to set up the domain, because it can save you a lot of trouble
by making you think that you're doing things wrong when actually the
problem is being provoked by FW restrictions that you might have.


2. On the parent domain, create a new site and a subnet for the child
domain where it physically sits (and associate the two together);
Ok, sounds Good...
Do you know why Sites are important?
*Sites have two main roles:
- To facilitate authentication, by determining the nearest domain
controller when a user logs on from a workstation
- To facilitate the replication of data between sites
Because site names are used in the records registered in the Domain Name
System (DNS) by the domain locator, they must be valid DNS names.
*Active Directory uses sites to:

-Optimize replication for speed and bandwidth consumption between domain
controllers.

-Locate the closest domain controller for client logon, services, and
directory searches.

-Direct a Distributed File System (DFS) client to the server that is
hosting the requested data within the site.

-Replicate the system volume (SYSVOL), a collection of folders in the
file system that exists on each domain controller in a domain and is
required for implementation of Group Policy.

More info:

Active Directory Sites and Services

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/adsites/w2kadm39.mspx

Step-by-Step Guide to Active Directory Sites and Services

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx

Sites overview

http://technet2.microsoft.com/WindowsServer/en/library/a3970162-368d-4d99-b4f0-76503cc927af1033.mspx?mfr=true


Steps from 3 to 11

I usually do this like:
- On the parent domain I create a delegation for the child domain, by
providing the future FQDN of the Child DC. By doing this you now know
that the Parent domain can resolve the Child Domain.

- Then go to the Child DC and define the FQDN on computer properties,
install DNS service, create the child Zone, configure Conditional
Forwarding to point to the parent domain, point the server to itself
under its NIC Preferred DNS, then reboot.

-Run Dcpromo, create the child domain.

-Reboot.

-Go to the DNS child zone and make it AD Integrated, and accept only
secure updates (better for security).

-Wait for replication or force it by using Active Directory Sites and
Services, repadmin or any other... Be patient, this sometimes can take
a while

-Run Dcdiag and Netdiag tools and check that everything is ok.
-Note: When I say for you to use Conditional forwarding I'm only
saying that because it is the easiest to set up, but you can also choose
Secondary zones, Replication across the forest, etc. The important thing is
to make sure that each domain in the forest can resolve each other.
-Make the Child DC a GC on ADSS under NTDS Settings.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
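
The firewall pre-check and the post-dcpromo steps from the list above (convert the child zone to AD-integrated with secure-only updates, make the new DC a GC, run Dcdiag and Netdiag), as an added PowerShell example that is not part of this thread. It wraps the Windows Server 2003 Support Tools named in the thread (portqry.exe, dnscmd.exe, repadmin.exe, dcdiag.exe, netdiag.exe); the host names and the zone name are constructed placeholders, and the port list is the set of fixed ports a DC uses, not a substitute for the Microsoft firewall paper linked above.

```powershell
# Added example (not from the thread): pre-flight port check before dcpromo and the
# hardening/verification steps after it, using portqry.exe, dnscmd.exe, repadmin.exe,
# dcdiag.exe and netdiag.exe. Host names, zone name and ports are constructed placeholders.

$ParentDc  = 'dc1.parentdomain.local'
$ChildDc   = 'dc2'                                   # host name of the new child DC
$ChildZone = 'childdomain.parentdomain.local'

function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    Write-Host "> $Exe $($ToolArgs -join ' ')"
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# --- Before dcpromo: is the firewall/VPN path open to the parent DC? -----------
function Test-DcPorts {
    # Fixed ports a DC needs: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB,
    # kpasswd, LDAPS, GC and GC over SSL. RPC also uses the dynamic range
    # (1025-5000 on Server 2003); see "Active Directory in Networks Segmented
    # by Firewalls" for that part.
    $ports = '53,88,135,389,445,464,636,3268,3269'
    $out = (portqry -n $ParentDc -p both -o $ports 2>&1) -join "`n"
    Write-Host $out
    # portqry prints one line per port ending in LISTENING, NOT LISTENING or
    # FILTERED; FILTERED means a firewall is silently dropping the traffic.
    $bad = [regex]::Matches($out, '(?m)^(TCP|UDP) port (\d+).*?:\s*(NOT LISTENING|FILTERED)')
    if ($bad.Count -gt 0) {
        $list = ($bad | ForEach-Object {
            "$($_.Groups[1].Value)/$($_.Groups[2].Value) $($_.Groups[3].Value)" }) -join ', '
        throw "Open these before running dcpromo: $list"
    }
}

# --- After dcpromo and the reboot, on the new child DC -------------------------
function Complete-ChildDnsZone {
    # Convert the file-backed child zone to an AD-integrated zone, then accept
    # only secure (authenticated) dynamic updates: AllowUpdate 2.
    Invoke-Tool dnscmd @($ChildDc, '/ZoneResetType', $ChildZone, '/DsPrimary')
    Invoke-Tool dnscmd @($ChildDc, '/Config', $ChildZone, '/AllowUpdate', '2')
}

function Enable-GlobalCatalog {
    # Equivalent to ticking "Global Catalog" on the NTDS Settings object in
    # Active Directory Sites and Services.
    Invoke-Tool repadmin @('/options', $ChildDc, '+IS_GC')
}

function Test-NewChildDc {
    # The DC locator SRV records must have been registered in the child zone...
    Invoke-Tool nslookup @('-type=SRV', "_ldap._tcp.dc._msdcs.$ChildZone", $ChildDc)
    # ...and the support tools should come back clean. Both print their findings;
    # read the output rather than trusting the exit code alone.
    Invoke-Tool dcdiag @("/s:$ChildDc", '/v')
    Invoke-Tool netdiag @('/test:DNS', '/v')
}

Test-DcPorts               # on the future child DC, before dcpromo
Complete-ChildDnsZone      # on the child DC, after dcpromo and the reboot
Enable-GlobalCatalog
Test-NewChildDc
```

Running Test-DcPorts first is what turns "dcpromo fails with an obscure error" into "port 389/TCP is FILTERED at the firewall", which is the trouble the IMHO paragraph above is about. The zone is converted to AD-integrated only after dcpromo because the DsPrimary zone type needs the directory to exist, and secure-only updates need the integrated zone.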

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:u$2dMzX0GHA.4972@xxxxxxxxxxxxxxxxxxxxxxx
Hi Jorge,
Have read through the second article (KB255248) and your inline
comments.
You did make a good comment at 3b. which is slightly different to the KB
article.
Now let me try to summarize what I can do:

1. Get the VPN tunnelling (physical connection) ready;
2. On the parent domain, create a new site and a subnet for the child
domain where it physically sits (and associate the two together);
3. On the child domain DC-to-be, configure a static IP in the new subnet
and configure the DNS server to be the DNS server of the parent domain;
4. On the parent DNS domain, create a new delegation for the child DNS
zone (domain) to the child domain DC-to-be;
(I do not understand why in the article steps 4-7 come after step 3)
5. install DNS service on the child domain DC-to-be;
6. on the child domain DC-to-be, create the new (standard primary)
forward lookup zone - the child DNS zone
7. On the child DC-to-be, enable dynamic updates for the child zone;
(Now the DNS service on the child DC-to-be should be running properly)
8. (Now take Jorge's comment) On child DC-to-be, change the DNS server
(in TCP/IP settings) to point to its own IP address;
9. On child DC-to-be, configure the DNS forwarders so that the namespace
parentdomain.local goes to the parent DNS server while all other namespaces
go to the external DNS server(s) of the ISP (the site has its own Internet
connections); Make sure name resolution works in both directions.
10. on the child DC-to-be, run dcpromo and choose new domain - child
domain of existing domain;
11. on the new child domain DC, check whether the DNS is AD-integrated.
If not, make it AD-integrated.

Is this sequence ok? (Unfortunately, I do not have a test Lab.)

Cheers,

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:eVzx$gF0GHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
Hi
First read:
How to configure DNS dynamic updates in Windows Server 2003
http://support.microsoft.com/kb/816592
How To Create a Child Domain in Active Directory and Delegate the DNS
Namespace to the Child Domain
http://support.microsoft.com/kb/255248/
How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/kb/323380/

1. setup a VPN tunnelling between two firewalls in two sites;
to see firewall configurations check:
Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

2. on the DC of parent domain (the current domain), create a new site
and linked with a new subnet for the remote site;
Ok.

3b. on the new server in the NIC TCP/IP settings add parent DC as
primary DNS (it's AD-integrated).
No.
Actually you can create in advance (before running dcpromo) the child
DNS domain on the DC that is going to be at the remote site. Then
configure conditional forwarding on that DC to make sure that it can
resolve the parent domain, point the DC to itself and everything should
be fine to run dcpromo. (Don't forget to delegate the zone in the
parent domain before running dcpromo - check the links above).

4. on the new server at remote site, on which basic windows server
2003 R2 is installed, run dcpromo and select first DC of a child
domain and wait for the AD installed. (the AD is not very big and has
already extended to R2 schema)
Ok. If DNS is set up correctly you should be fine.

5. wait for 15 minutes or 1 hour and check the site replication.
well... it depends on the amount of info to be replicated, and remember that
by default remote sites are set up to replicate every 180 minutes = 3h.
You can force replication manually or change the default value.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
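
The replication point made twice in this thread (the 180-minute default for remote sites above, and "wait for replication or force it by using Active Directory Sites and Services, repadmin or any other" in the later reply), as an added PowerShell example that is not part of this thread. It reads and adjusts the replInterval attribute of a site link through ADSI and forces a cycle with repadmin.exe; the site-link name DEFAULTIPSITELINK, the DC name dc2 and the 15-minute target are constructed placeholders.

```powershell
# Added example (not from the thread): inspect and adjust the inter-site replication
# interval with ADSI, then force a replication cycle with repadmin.exe. Site-link
# name, DC name and target interval are constructed placeholders.

$ChildDc        = 'dc2'
$SiteLink       = 'DEFAULTIPSITELINK'   # the IP site link joining the two sites
$WantedInterval = 15                    # minutes; 15 is the lowest value AD accepts

function Get-SiteLinkPath {
    # Build the LDAP path of the site link from RootDSE so it works in any forest.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = "$($rootDse.configurationNamingContext)"
    return "LDAP://CN=$SiteLink,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
}

function Get-ReplicationInterval {
    # replInterval is the inter-site replication frequency in minutes; 180 by default.
    $link = [ADSI](Get-SiteLinkPath)
    return [int]"$($link.replInterval)"
}

function Set-ReplicationInterval {
    param([int]$Minutes)
    if ($Minutes -lt 15) { throw 'replInterval cannot be below 15 minutes' }
    $link = [ADSI](Get-SiteLinkPath)
    $link.Put('replInterval', $Minutes)
    $link.SetInfo()
}

function Start-ForcedReplication {
    # /A all naming contexts, /P push from this DC, /e include other sites,
    # /d identify servers by DN in the output.
    Write-Host "> repadmin /syncall $ChildDc /APed"
    repadmin /syncall $ChildDc /APed
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed with exit code $LASTEXITCODE" }
    # Then list inbound partners with last-success time and any error per partition.
    repadmin /showrepl $ChildDc
}

$current = Get-ReplicationInterval
Write-Host "$SiteLink replicates every $current minutes"
if ($current -gt $WantedInterval) {
    # Shorter interval = fresher child-domain data in the parent site (and vice
    # versa) at the cost of more frequent traffic over the VPN.
    Set-ReplicationInterval -Minutes $WantedInterval
    Write-Host "$SiteLink now replicates every $(Get-ReplicationInterval) minutes"
}
Start-ForcedReplication
```

Forcing with repadmin /syncall is the right move right after dcpromo, when you want to confirm the new domain's partitions and the configuration changes (site, GC flag) have reached the other site; changing replInterval is the permanent setting and only makes sense if the link can carry the extra traffic.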

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:ubVjyB%23zGHA.1268@xxxxxxxxxxxxxxxxxxxxxxx
Hi experts,
I am planning to set up a DC in a remote site. The new server is already
sitting in the new site.
This DC will be the first DC in this site and will be a child domain
of the existing domain/forest.
This DC will also run AD integrated DNS service for the domain
childdomain.parentdomain.local.

Could anyone tell me what is the sequence of actions I need to do to
achieve this goal, or guide me to some documentation?
Below are my thoughts:
1. setup a VPN tunnelling between two firewalls in two sites;
2. on the DC of parent domain (the current domain), create a new site
and linked with a new subnet for the remote site;
3a. on the new server at remote site, add the DC of parent domain into
the HOSTS file and add the new server into the HOSTS file on parent
DC, so that name resolution can work in both directions. Or if this does
not work
3b. on the new server in the NIC TCP/IP settings add parent DC as
primary DNS (it's AD-integrated).
4. on the new server at remote site, on which basic windows server
2003 R2 is installed, run dcpromo and select first DC of a child
domain and wait for the AD installed. (the AD is not very big and has
already extended to R2 schema)
5. wait for 15 minutes or 1 hour and check the site replication

I guess with step 3b the AD installation will most likely to be
successful. However, I am not sure whether the DNS will work as we
want.
Should I do anything on the parent DC (integrated DNS) for the child
domain before or after running the dcpromo on the new server?
Will this dcpromo automatically install the DNS service on the new
server?
If it does, with the NIC primary DNS pointing to the parent DC, will this
DNS service work and get DNS replicated? When should the NIC DNS
point to itself?

Thanks in advance!