Re: set up first child DC in a remote site



Glad to help

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:%23hohHDl0GHA.1040@xxxxxxxxxxxxxxxxxxxxxxx
Thanks very much Jorge.
Yes, step 4 is the creation of the delegation.
But step 3 is actually steps 4-7 in the reference (Manually
create a delegation...).
Since step 3 is done before installing the DNS on it, I think it is
necessary to have the DNS server pointing to the parent domain,
and in my step 8, change it to point to itself.
Cheers,

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:%23BpbRch0GHA.4648@xxxxxxxxxxxxxxxxxxxxxxx
Inline
It is always a pleasure to read your reply from which I learned a lot.
Thank you.

The reason I put step 3 in front of step 4 is that if the child DC-to-be
has not set its IP and DNS (pointing to the parent DNS), in the creation of
the delegation can the parent DC see the child DC-to-be?
- Not sure I understand what you mean...

Or in the creation of the delegation does the host of the child domain
zone have to be reachable?
No. You can create the delegation by manually providing the FQDN of the
DC on the Child domain and its IP Address; at the moment that you create
the delegation the server doesn't have to be reachable. The important
thing is that BEFORE you run dcpromo on the future child DC, you have the
structure all configured, which means: Site and subnet, delegation on
parent domain, and child zone created, as well as the Conditional forwarding
configured pointing to the parent domain. Remember the Child DC, like the Parent
Domain DC, must point to itself on its NIC Preferred DNS. If delegation
and Conditional Forwarding are correctly set up, both DCs must be able to
resolve each other by FQDN.

I have not done this before. If you have successfully done step 4 before
step 3 then I will follow.
-Humm..

Ok, I reviewed steps 3 and 4.
Step 4 refers to the creation of the delegation, correct?
Step 3 sounds incorrect because you're saying to configure the DC in the
child domain with the DNS server being the DNS server of the parent domain?

So let's review...

DC1(Parent Domain)
DC2(Child of the parent Domain)

You can start by DC1.
Create New Site and the New Subnet on the Active Directory Sites and
Services.
Make sure that the DC ONLY points to itself under its NIC DNS preferred
DNS. Also make sure that your Clients in the network only use their local
DNS server(s), don't place the ISP DNS Server on their NIC Properties.
Best practices for DNS client settings in Windows 2000 Server and in
Windows Server 2003

http://support.microsoft.com/default.aspx?scid=kb;en-us;825036&sd=RMVP

If you need Internet Resolution you can use Forwarding, check:
How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/kb/323380/
Note: Conditional forwarding isn't the same as Forwarding, OK? You
GENERALLY use Forwarding for Internet resolution, and you GENERALLY use
Conditional Forwarding for specific domain name resolution (like the Parent
domain).

Then go to DC2, and follow the procedures that I already gave you.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:eYnEiyg0GHA.3656@xxxxxxxxxxxxxxxxxxxxxxx
Hi Jorge,
It is always a pleasure to read your reply from which I learned a lot.
The reason I put step 3 in front of step 4 is that if the child DC-to-be
has not set its IP and DNS (pointing to the parent DNS), in the creation of
the delegation can the parent DC see the child DC-to-be? Or in the creation
of the delegation does the host of the child domain zone have to be
reachable?
I have not done this before. If you have successfully done step 4 before
step 3 then I will follow.
Thanks,

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:eq3XRWb0GHA.4972@xxxxxxxxxxxxxxxxxxxxxxx
Inline

Have read through the second article (KB255248) and your inline
comments.
You did make a good comment at 3b. which is slightly different to the
KB article.

This article explains how to delegate from the parent zone to the child domain,
and the creation of the child zone itself. By doing this the parent
zone can resolve the child zone, but the child zone also needs to
resolve the parent zone as well (and any other zone that might exist in
the forest); that's why I suggest Conditional Forwarding, but
you can choose other methods. The important thing is to make sure
that each domain in the forest can resolve each other.

1. Get the VPN tunnelling (physical connection) ready;
Ok. Make sure that you don't have any needed port closed by the FW or any
other rules; use "Portqry.exe" to test if the needed ports are open.
Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
Description of the Portqry.exe command-line utility
http://support.microsoft.com/kb/310099/

IMHO: It is important to make sure that any needed ports are available
before trying to set up the domain, because it can save you a lot of
trouble: otherwise you may think that you're doing things wrong when
actually the problem is being provoked by FW restrictions that you
might have.


2. On the parent domain, create a new site and a subnet for the child
domain where it physically sits (and associate the two together);
Ok, sounds Good...
Do you know why Sites are important?
*Sites have two main roles:
- To facilitate authentication, by determining the nearest domain
controller when a user logs on from a workstation
- To facilitate the replication of data between sites
Because site names are used in the records registered in the Domain Name
System (DNS) by the domain locator, they must be valid DNS names.
*Active Directory uses sites to:

-Optimize replication for speed and bandwidth consumption between
domain controllers.

-Locate the closest domain controller for client logon, services, and
directory searches.

-Direct a Distributed File System (DFS) client to the server that is
hosting the requested data within the site.

-Replicate the system volume (SYSVOL), a collection of folders in the
file system that exists on each domain controller in a domain and is
required for implementation of Group Policy.

More info:

Active Directory Sites and Services

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/adsites/w2kadm39.mspx

Step-by-Step Guide to Active Directory Sites and Services

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/adsrv.mspx

Sites overview

http://technet2.microsoft.com/WindowsServer/en/library/a3970162-368d-4d99-b4f0-76503cc927af1033.mspx?mfr=true


Steps from 3 to 11

I usually do this like:
- On parent domain I Create a delegation for the child domain, by
providing the future FQDN of the Child DC. By doing this you now know
that the Parent domain can resolve the Child Domain.

- Then go to the Child DC and define the FQDN on computer properties,
install DNS service, create the child Zone, configure Conditional
Forwarding to point to the parent domain, point the server to itself
under its NIC Preferred DNS, then reboot.

-Run Dcpromo, create the child domain.

-Reboot.

-Go to the DNS child zone and make it AD Integrated, and accept only
secure updates (better for security).

-Wait for replication or force it by using Active Directory Sites and
Services, repadmin or any other... Be patient, this sometimes can take
a while.

-Run Dcdiag and Netdiag tools and check that everything is ok.
-Note: When I say for you to use Conditional forwarding I'm only
saying that because it is the easiest to set up, but you can also choose
Secondary zones, Replication across the forest, etc. The important
thing is to make sure that each domain in the forest can resolve
each other.
-Make the Child DC a GC on ADSS under NTDS Settings.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
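The order Jorge gives in steps 3 to 11 above (delegate first, build the child zone and conditional forwarder before dcpromo, verify both directions, then make the zone AD-integrated with secure updates), as an added PowerShell example that is not from this thread. Host names, IP addresses, the NIC name and the port list are constructed placeholders and assumptions; the commands are the Windows Server 2003 tools the thread names (dnscmd, portqry, nslookup, repadmin, dcdiag).

```powershell
# Added example, not from the thread. Names and addresses are constructed placeholders.
$ParentZone  = 'parentdomain.local'
$ChildLabel  = 'childdomain'
$ChildZone   = "$ChildLabel.$ParentZone"
$ParentDc    = "dc1.$ParentZone";  $ParentDcIp = '10.0.0.10'
$ChildDcHost = 'dc2';              $ChildDcIp  = '10.1.0.10'
$ChildDcFqdn = "$ChildDcHost.$ChildZone"
$IspDns      = '203.0.113.53'      # placeholder ISP resolver (general forwarding only)

# --- On the parent DC (DC1): delegate the child zone BEFORE dcpromo ---
# NS record for the delegation plus the glue A record for the future child DC.
# The child DC does not need to be reachable yet; only the FQDN and IP are needed.
dnscmd $ParentDc /RecordAdd $ParentZone $ChildLabel NS "${ChildDcFqdn}."
dnscmd $ParentDc /RecordAdd $ParentZone "$ChildDcHost.$ChildLabel" A $ChildDcIp

# --- On the future child DC (DC2), after the DNS role is installed ---
# Standard primary zone for now; it becomes AD-integrated after dcpromo.
dnscmd localhost /ZoneAdd $ChildZone /Primary /file "$ChildZone.dns"
# Conditional forwarder: ONLY the parent zone is sent to DC1...
dnscmd localhost /ZoneAdd $ParentZone /Forwarder $ParentDcIp
# ...while general (Internet) forwarding goes to the ISP resolver. Two different things.
dnscmd localhost /ResetForwarders $IspDns
# Preferred DNS on the NIC must be the server itself, never the ISP.
netsh interface ip set dns name="Local Area Connection" source=static addr=$ChildDcIp

# --- Checks before running dcpromo ---
# Firewall: core fixed AD ports between the sites (RPC dynamic range per the linked KB).
portqry -n $ParentDc -p both -o 53,88,135,389,445,464,636,3268,3269
# Both directions must resolve by FQDN: child asks its own server for the parent DC,
# parent follows the delegation down to the child DC.
nslookup $ParentDc $ChildDcIp
nslookup -type=NS $ChildZone $ParentDcIp
nslookup $ChildDcFqdn $ParentDcIp

# --- After dcpromo and the reboot ---
# Convert the child zone to AD-integrated, then allow secure dynamic updates only
# (AllowUpdate 2 requires an AD-integrated zone, so the order matters).
dnscmd localhost /ZoneResetType $ChildZone /DsPrimary
dnscmd localhost /Config $ChildZone /AllowUpdate 2
# Force replication instead of waiting for the 180-minute inter-site schedule, then verify.
repadmin /syncall /AdeP
repadmin /replsummary
dcdiag /test:DNS /v
```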

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:u$2dMzX0GHA.4972@xxxxxxxxxxxxxxxxxxxxxxx
Hi Jorge,
Have read through the second article (KB255248) and your inline
comments.
You did make a good comment at 3b. which is slightly different to the
KB article.
Now let me try to summarize what I can do:

1. Get the VPN tunnelling (physical connection) ready;
2. On the parent domain, create a new site and a subnet for the child
domain where it physically sits (and associate the two together);
3. On the child domain DC-to-be, configure a static IP in the new
subnet and configure the DNS server being the DNS server of the parent
domain;
4. On the parent DNS domain, create a new delegation for the child DNS
zone (domain) to the child domain DC-to-be;
(I do not understand why in the article steps 4-7 come after step 3)
5. install DNS service on the child domain DC-to-be;
6. on the child domain DC-to-be, create the new (standard primary)
forward lookup zone - the child DNS zone
7. On the child DC-to-be, enable dynamic updates for the child zone;
(Now the DNS service on the child DC-to-be should be running properly)
8. (Now take Jorge's comment) On child DC-to-be, change the DNS server
(in TCP/IP settings) to point to its own IP address;
9. On child DC-to-be, configure the DNS forwarders so that for
namespace parentdomain.local goes to parent DNS server while all other
namespaces go to external DNS server(s) of ISP (the site has its own
Internet connections); Make sure name resolution works in both
directions.
10. on the child DC-to-be, run dcpromo and choose new domain - child
domain of existing domain;
11. on the new child domain DC, check whether the DNS is
AD-integrated. If not, make it AD-integrated.

Is this sequence ok? (Unfortunately, I do not have a test Lab.)

Cheers,

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:eVzx$gF0GHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
Hi
First read:
How to configure DNS dynamic updates in Windows Server 2003
http://support.microsoft.com/kb/816592
How To Create a Child Domain in Active Directory and Delegate the DNS
Namespace to the Child Domain
http://support.microsoft.com/kb/255248/
How to configure DNS for Internet access in Windows Server 2003
http://support.microsoft.com/kb/323380/

1. setup a VPN tunnelling between two firewalls in two sites;
to see firewall configurations check:
Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

2. on the DC of parent domain (the current domain), create a new
site and link it with a new subnet for the remote site;
Ok.

3b. on the new server in the NIC TCP/IP settings add parent DC as
primary DNS (it's AD-integrated).
No.
Actually you can create in advance (before running dcpromo) the child
DNS domain on the DC that is going to be at the remote site. Then
configure conditional forwarding in that DC to make sure that it can
resolve the parent domain, point the DC to itself and everything should
be fine to run dcpromo. (Don't forget to delegate the zone in the
parent domain before running dcpromo. Check the links above.)

4. on the new server at remote site, on which basic windows server
2003 R2 is installed, run dcpromo and select first DC of a child
domain and wait for the AD installed. (the AD is not very big and
has already extended to R2 schema)
Ok. If DNS is set up correctly you should be fine.

5. wait for 15 minutes or 1 hour and check the site replication.
Well... it depends on the amount of info to be replicated, and remember
by default remote sites are set up to replicate every 180 minutes = 3h.
You can force replication manually or change the default value.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"childDC" <treeleafs@xxxxxxxxxxx> wrote in message
news:ubVjyB%23zGHA.1268@xxxxxxxxxxxxxxxxxxxxxxx
Hi experts,
I am planning to set up a DC in a remote site. The new server is
already sitting in the new site.
This DC will be the first DC in this site and will be a child domain
of the existing domain/forest.
This DC will also run AD integrated DNS service for the domain
childdomain.parentdomain.local.

Could anyone tell me what sequence of actions I need to do
to achieve this goal, or guide me to some documentation?
Below are my thoughts:
1. setup a VPN tunnelling between two firewalls in two sites;
2. on the DC of parent domain (the current domain), create a new
site and link it with a new subnet for the remote site;
3a. on the new server at remote site, add the DC of parent domain
into the HOSTS file and add the new server into the HOSTS file on
parent DC, so that name resolution can work in both directions. Or if
this does not work
3b. on the new server in the NIC TCP/IP settings add parent DC as
primary DNS (it's AD-integrated).
4. on the new server at remote site, on which basic windows server
2003 R2 is installed, run dcpromo and select first DC of a child
domain and wait for the AD installed. (the AD is not very big and
has already extended to R2 schema)
5. wait for 15 minutes or 1 hour and check the site replication

I guess with step 3b the AD installation will most likely be
successful. However, I am not sure whether the DNS will work as we
want.
Should I do anything on the parent DC (integrated DNS) for the child
domain before or after running the dcpromo on the new server?
Will this dcpromo automatically install the DNS service on the new
server?
If it does, with the NIC primary DNS pointing to the parent DC, will this
DNS service work and get DNS replicated? At what time should the NIC
DNS point to itself?

Thanks in advance!