IT Core Blog


Domain Controllers and Active Directory Domains Part 1


In this blog post I’ll show you an example of how to introduce the first domain controller into an Active Directory domain. This is the first of a series of posts that will help you with domain controller configuration and related services across your forest; I’ll also show you how to introduce new domains and different ways to perform the same tasks. Let’s start with a quick review of domain controller basics:

A domain controller (DC) is a server role that has the Active Directory service installed. Domain controllers have a database called “NTDS.dit” that stores information about Active Directory objects. This database is divided into several partitions. The domain partition holds all information about the domain where that DC is located; it is replicated between all DCs within the same domain, and each DC has read/write access to it. The schema and configuration directory partitions are common to the entire forest and are replicated between all domain controllers in the forest, whether or not they belong to the same domain: as long as they are in the same forest, they hold the schema and configuration directory partitions (which are only writable by their FSMO masters) plus the domain partition for the domain where the DCs were configured. Depending on the version you’re running, DCs can also store one or more application directory partitions (this applies to Windows 2003 and later).

In addition to the Active Directory database, DCs can also hold specific roles needed by Active Directory:
Flexible Single Master Operation “FSMO” (pronounced “fiz-mo”). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. Active Directory defines 5 operations master roles (2 are forest-wide and the other 3 exist in each domain):

Forest operations masters:
– Schema master
– Domain naming master

Domain operations masters:
– Primary domain controller emulator (PDCe)
– Infrastructure master (IM)
– Relative ID master (RID)

Global Catalog (GC). A global catalog server is a domain controller that, in addition to its full writable domain directory partition replica (this does not apply to an RODC), also stores a partial, read-only replica of every other domain directory partition in the forest. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS).
GCs are needed for: forest-wide searches; user logons when more than one domain exists in the forest; logons with a user principal name (UPN) when the forest has more than one domain; caching a user’s membership in universal groups (universal groups are only available when the domain is in native mode or later); Exchange address book lookups, since Exchange clients also use global catalog servers to access the global address list (GAL). These are the most common scenarios, but you can also have specific applications that need to contact the GC to function properly.

DNS: Although DNS is not a component of Active Directory, Active Directory uses DNS as its domain controller location mechanism and leverages the DNS namespace design in the design of Active Directory domain names. It is possible to use a non-Microsoft DNS solution to support Active Directory, but the DNS server must support service resource records (RFC 2782) and the dynamic update protocol (RFC 2136). Because Active Directory uses DNS as the location mechanism for domain controllers, computers on the network can obtain the IP addresses of domain controllers from it. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS. Both record types are necessary for the domain controller locator (Locator) mechanism, among other functions.

That being said, it’s now time to set up the first domain controller.

Before you start:
· Plan your FQDN (fully qualified domain name), the NetBIOS name and the domain controller name carefully; this is very important to avoid later changes that may break your entire forest. Check the naming conventions in Microsoft KB909264.
· Configure your NIC with a static IP address. Avoid using multiple NICs in DCs: this type of configuration may lead to errors, and Active Directory communication might fail on multihomed domain controllers. Check MS KB 272294 and 191611 for more information.
· Configure the Administrator account with a strong password.
· Install the latest updates from the Microsoft website.
· You need to have at least one hard drive formatted with NTFS.
· Check your event log for errors and correct them before proceeding.
· Consider using at least 2 DCs for each domain that you plan to have in your forest; this gives you better redundancy and also a faster way to recover from server failures.
· Plan and test the backup strategy for your Active Directory forest.
· Finally, check the date and time settings, make sure they are correct, and make sure that the server is in sync with a trusted and valid authoritative time server. By default the first DC will be the authoritative time server for your forest, and additional DCs will sync their time with this DC.
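The checklist above can be verified from a PowerShell prompt before promoting the server. This script is an added example, not part of the original post; it assumes it runs as Administrator on Windows Server 2008 R2 or later, and the domain name and time server are placeholders you replace with your planned values.

```powershell
# Added pre-flight check (not from the original post); run as Administrator before promotion.
# Assumed placeholders: replace $Fqdn and $TimeSource with your planned values.
$Fqdn       = 'corp.example.com'   # planned AD DNS name (placeholder)
$TimeSource = 'time.example.net'   # trusted authoritative NTP server (placeholder)
$problems   = @()

# 1. Exactly one IP-enabled NIC, with a static address (multihomed DCs cause locator issues).
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled })
if ($nics.Count -ne 1) { $problems += "Expected one IP-enabled NIC, found $($nics.Count)" }
foreach ($nic in $nics) {
    if ($nic.DHCPEnabled) { $problems += "NIC '$($nic.Description)' uses DHCP; set a static IP" }
}

# 2. At least one fixed disk formatted with NTFS (needed for NTDS.dit and SYSVOL).
$ntfs = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
          Where-Object { $_.FileSystem -eq 'NTFS' })
if ($ntfs.Count -eq 0) { $problems += 'No NTFS-formatted fixed disk found' }

# 3. Time comes from the trusted source; the first DC becomes the forest's authoritative clock.
$source = (w32tm /query /source 2>&1) -join ''
if ($source -notmatch [regex]::Escape($TimeSource)) {
    $problems += "Time source is '$source', expected $TimeSource"
}

# 4. No recent errors in the System event log.
$sysErrors = @(Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-1) `
               -ErrorAction SilentlyContinue)
if ($sysErrors.Count -gt 0) { $problems += "$($sysErrors.Count) System log errors in the last 24 h" }

# 5. DNS must not already advertise DCs for the planned name (RFC 2782 SRV locator record).
$srv = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Fqdn" 2>&1) -join "`n"
if ($srv -match 'svr hostname') { $problems += "$Fqdn already has DC SRV records in DNS" }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Host 'Fix the items above before promoting this server.'
} else {
    Write-Host 'Pre-flight checks passed; proceed with the domain controller promotion.'
}
```

On a freshly installed standalone server the time check is expected to fail (the source is usually the local CMOS clock) until you point w32tm at your authoritative server.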

Now it’s time to install Active Directory on your server; check the video and follow the steps below:

Check the next article: How to create the second domain controller in Active Directory

To review all video demonstrations, check the video section of the Active Directory Windows 2008 and 2008 R2 Documentation.

🙂

Written by IT Core

January 19, 2010 at 11:34 PM

Posted in Deployment, How to..., Videos
