Microsoft® Active Directory® Branch Office Guide Volume 2: Deployment and Operations

Book Description

This guide is aimed at network managers, system integrators, and consultants involved in Active Directory branch office implementations, either in their own organizations or for client companies.

Table of Contents

  1. Microsoft® Active Directory Branch Office Guide, Version 1.1: Deployment and Operations
  2. A Note Regarding Supplemental Files
    1. Content Lead
    2. Key Authors
    3. Reviewers
  3. 1. Overview of Deploying and Operating Active Directory for Branch Office Environments
    1. Introduction
      1. Topology Overview
      2. Chapter Overview
      3. Resource Requirements
        1. Hardware
        2. Software
        3. Personnel
          1. Chief Executive Officer/Managing Director
          2. Chief Information Officer/IT Director
          3. Departmental Heads
          4. Network Manager/System Administrator
          5. Consultants/System Integrators
          6. Technicians/Server Operators
          7. Help Desk/Operations
          8. Pre-Pilot and Pilot Users
        4. Space
    2. Active Directory Implementation Plan
      1. Project Management - Microsoft Solutions Framework (MSF)
        1. MSF Team Model
      2. MSF Process Model
      3. Risk Management
      4. Pilot Planning
      5. Post Implementation Review Phase
    3. More Information
      1. Resource Centers on the Web
      2. White Papers
  4. 2. Building the Forest Root Domain and Central Hub Site
    1. Introduction
      1. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Process Flowchart
    3. Deployment Considerations
      1. DNS Guidelines
        1. Hub Site
        2. Branch Office Bridgehead Servers
        3. Staging Site
        4. Branch Office Domain Controller (Branch Office Site)
        5. Branch Office Clients
        6. Placement of the Root Domain
        7. Reverse Lookup Zones
        8. Secure Updates – Dynamic DNS
    4. Topology Overview
    5. Install Windows 2000 Operating System and Service Packs
      1. Operating System Setup
      2. Install DNS and Terminal Services on All Hub Servers
      3. Install Service Pack 2
    6. Install Branch Office Share and Scripts
      1. Creating the Branch Office Scripts Source Share
      2. Install Quality Assurance Scripts on Hub Site Servers
      3. Install Other Monitoring Tools
        1. Install AppManager Agent
        2. Install Operations Manager Agent
    7. Configure TCP/IP Settings
    8. Create DNS Zones
      1. Creating the Forest Root Zone on ROOT1
      2. Allowing Dynamic Updates to the Forest Root Zone
      3. Adding a Reverse Lookup Zone on ROOT1
    9. Create the Forest Root Domain Controllers
      1. Running DCPROMO on ROOT1
      2. Enabling Active Directory Integration of the Forest Root Zone and the Reverse Lookup Zone
      3. Configuring the _msdcs Zone
      4. Verify ROOT1 Name Registration
      5. Verify DNS Name Resolution on ROOT2
      6. Running DCPROMO on ROOT2
      7. Verify the ROOT2 Name Registrations
      8. Verify DNS Name Resolution on ROOT3
      9. Running DCPROMO on ROOT3
      10. Verify the ROOT3 Name Registrations
      11. Update the Preferred DNS on ROOT1
      12. Move Domain Operations Master Roles to ROOT2
    10. Configure DNS Forwarders
      1. Configure Forwarders on ROOT1, ROOT2, and ROOT3
      2. Verify DNS Forwarding
    11. Prepare the Active Directory Forest for Exchange 2000
      1. Prepare Active Directory Forest for Directory Enabled Applications
    12. Creating the Hub Site
      1. Rename the Default-First-Site
      2. Add HUB Subnets to HUB Site
    13. Verify the Root Domain Configuration
      1. Final Quality Assurance Check
      2. Schedule the Quality Assurance Check to Run Every Day
      3. Automating daily QA with NetIQ AppManager
    14. Summary
  5. 3. Building the Branch Office Domain and Bridgehead Servers
    1. Introduction
      1. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Process Flowchart
    3. Configure DNS Forwarding
      1. Configure DNS Forwarders on Branch Office Bridgehead Servers
      2. Verify DNS Forwarding on Bridgehead Servers
    4. Delegate and Create branches.corp.hay-buv.com domain
      1. Delegate branches.corp.hay-buv.com Domain to BH1
      2. Create the DNS Domain for branches.corp.hay-buv.com
    5. Creating the Bridgehead Domain Controllers
      1. Running Dcpromo.exe on BH1
      2. Verify Name Registration
      3. Enabling Active Directory Integration of Branches Zone
      4. Running Dcpromo.exe on BH2, BH3 and HUBDC1
      5. Verify Name Registration
      6. Verify the DNS Server Settings for the Bridgehead Domain Controllers
      7. Delegate branches.corp.hay-buv.com Domain to the Remaining Bridgehead Servers
    6. Transferring Operations Master Roles and Creating Global Catalog Servers
      1. Transfer Operations Master Roles from BH1 to HUBDC1
      2. Configure BH1, BH2, and BH3 as Global Catalog Servers
    7. Verify the Branch Office Domain Configuration
      1. Final Quality Assurance Check
      2. Schedule the Quality Assurance Check to Run Every Day
    8. Summary
  6. 4. Pre-Staging Configuration at the Hub
    1. Introduction
      1. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Process Flowchart
    3. Deployment Considerations
      1. Disabling Automatic Site-Link Bridging
      2. Creating Sites and Subnets
      3. Disabling the Inter-Site Topology Generator (ISTG)
      4. Creating a Hub and Spoke Topology
      5. Permissions for the Creation of Replica Domain Controllers
    4. Disabling Automatic Site-Link Bridging
      1. Related Topics
    5. Creating the Staging Site and the Branch Office Sites
      1. Creating the Staging and Branch Office Sites
      2. Related Topics
    6. Disabling the Inter-Site Topology Generator
      1. Verifying the ISTG is Disabled
      2. Related Topics
    7. Disabling the Intrasite KCC for the Staging Site
      1. Related Topics
    8. Creating Your Hub and Spoke Topology
      1. Mkdsx Switches
      2. Creating the Server List File (Topo.dat)
      3. Creating the Topology File
    9. Configure the Branch Domain Controller Installation Scripts
      1. Configure the Sethubdc.vbs File
      2. Configure the Bodcpromo.txt File
      3. Configure the DNS-fwdx.cmd Files
      4. Configure the Setfwddns.vbs File
      5. Configure the Stageco.cmd File
      6. Configure the Stagetopo.dat File
      7. Configure the Pre-ship.cmd File
      8. Configure the QA_Check.cmd File
    10. Summary
  7. 5. Creating and Configuring the Staging Domain Controller
    1. Introduction
      1. Chapter Sections
      2. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Process Flowchart
    3. Deployment Considerations
      1. Manual Connection Objects between the Staging Site and Hub Site
    4. Installing the Staging Site Source Domain Controller
      1. Installing Windows 2000 in a Workgroup
      2. Copy the Script Files to the Server
      3. Install Other Monitoring Tools
        1. Install AppManager Agent
        2. Install Operations Manager agent
    5. Configuring and Verifying DNS
      1. Configure the DNS Client
      2. Verify Connectivity
    6. Promoting and Configuring the Domain Controller
      1. Promote the Staging Site Server into the Staging Site
      2. Update the Preferred DNS Configuration
      3. Configure DNS Forwarders
      4. Configure the Staging Site Domain Controller as a Global Catalog Server
    7. Creating Connection Objects
      1. Create Connection Objects to the Hub Site
    8. Quality Assurance and Monitoring of the Staging Site Domain Controller
      1. Verifying Replication
      2. Schedule the Quality Assurance Check to Run Every Day
      3. Monitoring the Staging Site
    9. Summary
  8. 6. Staging a Branch Office Domain Controller
    1. Introduction
      1. Chapter Sections
      2. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Process Flowchart
    3. Deployment Considerations
    4. Installing a Staged Domain Controller
      1. Installing Windows 2000 in a Workgroup
      2. Copy the Script Files to the Server
      3. Configure the Preferred and Alternate DNS Servers
      4. Configure DNS Client and Add Registry Entries
      5. Install Other Monitoring Tools
        1. Install AppManager Agent
        2. Install Operations Manager Agent
    5. Verifying DNS
      1. Verify Connectivity
    6. Promoting and Configuring the Branch Office Domain Controller
      1. Promote the Server to a Branch DC in the Staging Site
      2. Create Connection Objects with the Staging Site Server
    7. Post DCPROMO Quality Assurance of Branch Office Domain Controller
      1. Verifying Replication
      2. Schedule the Quality Assurance Check to Run Every Day
    8. Summary
  9. 7. Pre-Shipment Configuration of the Branch Office Domain Controller
    1. Introduction
      1. Chapter Sections
      2. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Process Flowchart
    3. Deployment Considerations
      1. Connection Objects Between the Branch Office Domain Controller and the Hub Bridgehead Servers
    4. Verifying the Site and Moving the Domain Controller to its Destination Site
      1. Verify Site and Subnet Information is Correct
      2. Move the Branch Office Domain Controller to the Destination Site
    5. Verifying the ISTG is Off on the Staged Domain Controller
      1. Verifying That the ISTG Is Disabled in the Branch Office Site
    6. Creating the Branch Office Domain Controller’s Connection Objects
      1. Create Connection Objects
      2. Verifying Connection Object Creation
      3. Deleting the Connection Object on the Staging Server for the Staged Domain Controller
    7. Configuring TCP/IP for the Branch Office and FRS for Shipment
      1. Change IP Address to Target Site’s Subnet and Update the Preferred DNS Server
      2. Configure FRS and DNS for Shipment to Branch Office
      3. Shut Down the Domain Controller and Ship It to the Branch Office
    8. Summary
      1. More Information
  10. 8. Quality Assurance of the Domain Controller at the Branch Office
    1. Introduction
      1. Chapter Sections
      2. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Process Flowchart
    3. Deployment Considerations
    4. Final Configuration of the Domain Controller at the Branch Office
      1. Configuration at the Branch Office
      2. Verifying the Domain Controller at the Branch Office
    5. Summary
  11. 9. Post Deployment Monitoring of Domain Controllers
    1. Introduction
      1. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Monitoring Considerations
    3. Using the Quality Assurance Scripts to Monitor Active Directory and FRS
      1. The Quality Assurance Scripts
        1. QA_Check.cmd
        2. QA_Parse.vbs
        3. CheckServers.cmd
        4. CheckServers.vbs
      2. Process for Using the Quality Assurance Scripts
      3. Log Files Generated by QA_Check.cmd
    4. General Domain Controller Monitoring
      1. Processor Utilization
      2. Available Disk Space
      3. Monitoring Domain Controller Performance
      4. NTDS Object Counters
        1. Useful NTDS Counters for Monitoring Active Directory
      5. Database Object Counters
        1. Useful Counters for Monitoring the Active Directory Database
      6. Installing the Database Performance Object
        1. Installing the Database Performance Object
        2. Viewing Database Performance Object Counters
      7. Monitoring FRS Performance
    5. Monitoring Active Directory Replication
      1. What to Monitor
      2. Using Netdiag.exe to Monitor Network Connectivity and DNS
      3. Using Repadmin.exe to Monitor Active Directory Replication
        1. /showreps
        2. /showconn
      4. Using Dcdiag.exe to Monitor Active Directory Replication
      5. Using Replmon.exe to Monitor Active Directory Replication
    6. Monitoring FRS Replication
      1. Examining the FRS Log Files
        1. Configuring the FRS Log Files
        2. Analyzing the FRS Log Files
        3. Contents of the FRS Log Files
      2. Using FRSUTL to Monitor FRS Replication
      3. Scripts for Monitoring FRS Replication
        1. Monitoring FRS Replication with Connstat.cmd
          1. Report Header
          2. Inbound Connections
          3. Outbound Connections
          4. Running CONNSTAT.CMD
        2. Monitoring FRS Replication with Frscheck.cmd
    7. Summary
  12. 10. Disaster Recovery for Branch Office Environments
    1. Introduction
      1. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Active Directory Backup and Restore
      1. Overview of Active Directory Backup
      2. Permissions and User Rights
        1. Best Practices for a Good Backup
          1. Contents
          2. Age
        2. Backup of Domain Controllers in Branch Office Environments
    3. Active Directory Disaster Recovery
      1. Database Corruption
      2. Data Corruption
    4. Restoring Active Directory
      1. Restoring Active Directory Through Reinstallation and Replication
        1. Staging and Shipping Domain Controllers
      2. Restoring Active Directory from Backup Media
        1. System Key (Syskey) and the Active Directory Restore Process
        2. Restoring Active Directory to Dissimilar Hardware
      3. Non-Authoritative Restore
        1. Non-Authoritative Restore Using the Windows 2000 Backup Tool
        2. Restore Active Directory to a Domain Controller in Which Active Directory Has Failed
        3. Implications and Considerations of a Non-Authoritative Restore
      4. Authoritative Restore
        1. Authoritative Restore of FRS
        2. Authoritative Restore Using Ntdsutil
        3. SYSVOL Implications and Considerations of an Authoritative Restore
          1. Authoritative Restoration of Active Directory and SYSVOL
          2. Authoritative Restoration of Specific Active Directory Objects and Corresponding Objects from SYSVOL
        4. Impact on Authoritative Restore of Trust Relationships and Network Connections
      5. Recovery of Operations Masters
      6. Recovery of Global Catalog Servers
    5. Repairing Active Directory
    6. Using Windows 2000 Terminal Services to Remotely Back up and Restore Active Directory
      1. Active Directory Remote Backup Operation
      2. Active Directory Remote Restore Operation
    7. Staging Replacement Domain Controllers for Remote Locations
    8. Summary
      1. More Information
  13. 11. Troubleshooting Guidelines for Branch Office Environments
    1. Introduction
      1. Resource Requirements
        1. What You Will Need
        2. What You Should Know
    2. Troubleshooting
    3. TCP/IP and DNS Configuration
    4. Active Directory Replication Troubleshooting
      1. Checking Replication Partners
        1. Scenario Information
        2. Repadmin Tool
      2. Checking Replication Failures
        1. No Inbound Neighbors
        2. Replication Status Error
    5. Troubleshooting No Inbound Neighbors
    6. Troubleshooting Replication Errors
      1. Access Denied
        1. Failure to Establish a Replication Link
        2. Replication Fails and Displays an Error
      2. Resolution Options for Replication Failure
        1. Replication Failure Resolution Option One
          1. Synchronize and Check Replication
          2. Synchronize Each Naming Context
        2. Replication Failure Resolution Option Two
        3. Verification of Success
      3. Authentication Service Is Unknown
        1. The Domain Controller Fails to Establish a Replication Link
        2. Replication Link Already Exists
        3. Target Account Name Is Incorrect
          1. Failure to Create a Replication Link
          2. Replication Link Exists, but Target Name Is Incorrect
      4. RPC Server Not Available
        1. Failure to Create a Replication Link
        2. Replication Link Exists – Connectivity Issues
      5. DNS Lookup Failure
        1. Failure to Create a Replication Link – DNS Lookup Failure
        2. Replication Link Exists – DNS Lookup Failure
      6. Directory Service Too Busy – Duplicate Connection Object
      7. Time Difference / LDAP Error 82
      8. The Replication System Encountered an Internal Error
      9. No More End-Point
      10. LDAP Error 49
      11. Unable to Run Administration Tools
      12. Non-Error Status
    7. Fallback Plans
      1. Fallback Plan Prior to Running the Active Directory Installation Wizard
      2. Fallback Plan After Running the Active Directory Installation Wizard
      3. Failure During the Active Directory Installation Wizard
        1. Option One: Remove the NTDS Settings Object
        2. Option Two: Remove the Server Object from Active Directory
    8. Troubleshooting FRS
    9. Non-Authoritative FRS Restore
      1. Restoring Hub Domain Controllers
        1. Restoring Branch Office Domain Controllers
    10. Summary
      1. More Information
  14. About the Author
  15. Copyright