CPES Active Directory Guide
Installing Your First Active Directory Server
by Ben Pfountz (netprince@vt.edu)
Background
In an Active Directory (AD) based domain, the domain should
be run by redundant servers to help prevent disaster. In CPES, we use two
AD servers in case one of them fails. It would be nice if both servers could
seamlessly replicate each other's databases, and when one server fails, the
second automatically takes over in its place. Unfortunately, this is not possible
because of what are called Flexible Single Master Operation (FSMO, pronounced
'fiz-mo') roles. Each FSMO role must be run on one, and only one, AD
server in the domain.
The problem is simple: if a machine holding a certain FSMO role
crashes, another machine must 'seize' its FSMO role. This is not automatic,
and for good reason. Once a FSMO role has been seized, it cannot be given
back to the crashed server without a complete re-installation of Windows 2000
followed by the necessary dcpromo operations.
Most of the FSMO operations are not critical to the day-to-day running of the AD environment.
If an AD server holding all the FSMO roles crashes, users will still be able
to authenticate against the domain thanks to the second AD server. You probably
will not notice the crashed FSMO role holder until you attempt to change the
structure of the domain. For example, while a FSMO server is down, you
cannot add or remove machines from the domain, change a user's password,
etc.
If the crashed FSMO role holder can be repaired (for example,
by replacing redundant hardware), it is best to let it keep its FSMO roles.
There is a fair amount of risk in seizing the FSMO roles, re-installing
Windows on the failed machine, and correctly promoting it to an AD controller.
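As an added illustration of the point above (this script is not part of the original CPES guide), the following PowerShell lists which domain controller holds each of the five FSMO roles and pings each holder, so a crashed role holder is noticed before a structural change fails rather than after. It uses the System.DirectoryServices.ActiveDirectory classes that ship with .NET and reads the domain from the current logon context, so nothing in it assumes the CPES.cpes.vt.edu names. PowerShell did not ship with Windows 2000, so it assumes a later Windows client joined to the domain.

```powershell
# Added example, not the guide's own code: inventory the FSMO role holders and
# confirm each one answers on the network. Run from any domain-joined machine
# as an ordinary domain user; no AD module or CPES-specific name is assumed.
Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# The five FSMO roles: three are per-domain, two are per-forest.
$roles = [ordered]@{
    'PDC Emulator'          = $domain.PdcRoleOwner.Name
    'RID Master'            = $domain.RidRoleOwner.Name
    'Infrastructure Master' = $domain.InfrastructureRoleOwner.Name
    'Schema Master'         = $forest.SchemaRoleOwner.Name
    'Domain Naming Master'  = $forest.NamingRoleOwner.Name
}

foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # Test-Connection is an ICMP ping. A holder that does not answer is the
    # "crashed FSMO role holder" the guide describes: the role stays on the dead
    # server until an administrator seizes it manually.
    $up = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
    $state = if ($up) { 'reachable' } else { 'NOT REACHABLE - role would have to be seized' }
    '{0,-22} {1,-30} {2}' -f $role, $holder, $state
}

# The first DC installed holds all five roles (see the NOTE in the install
# section); report whether that is still the case, since it is a single point
# of failure for every structural change to the domain.
$holders = @($roles.Values | Sort-Object -Unique)
if ($holders.Count -eq 1) {
    "All five roles are on $($holders[0]); losing that server blocks domain changes until the roles are seized."
} else {
    "Roles are spread across: $($holders -join ', ')"
}
```

Run it periodically (or after any DC outage) and keep the output with the domain documentation; the role-to-server mapping is exactly what you need when deciding whether to repair the failed server or seize its roles.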
How to Install Your First AD Server
NOTE: The first AD server you install on your domain will hold
all FSMO roles for the domain.
Values entered during Windows 2000 setup:

| Name                                              | CPES                        |
| Organization                                      | Virginia Tech               |
| Per Server Licensing                              | 500 Licenses                |
| Computer Name                                     | AD1                         |
| Enter IP, Subnet, Gateway, and Campus DNS Servers |                             |
| Set DNS suffix                                    | CPES.cpes.vt.edu            |
| WINS                                              | Disable NetBIOS over TCP/IP |
- Reboot
- Log in and apply all Windows patches as soon as possible
  - With the heightened threat of viruses, it is very easy to get infected
    in the short time between an installation and the time it takes to download
    and install the latest Windows updates.
- Rename the Administrator account (support2)
- Disable the TsInternetUser account?
- Log off, and log in under the renamed Administrator account
- Install antivirus -> attach to update server?
- Double check the DNS suffix: CPES.cpes.vt.edu
- Run 'dcpromo'
  - new domain
  - new domain tree
  - new forest of trees
Values entered in the dcpromo wizard:

| Full DNS Name for Domain | CPES.cpes.vt.edu          |
| NetBIOS Name             | CPES                      |
| Database Location        | c:\winnt\ntds (default)   |
| Log Location             | c:\winnt\ntds (default)   |
| Folder Location          | c:\winnt\sysvol (default) |
- A warning appears if you do not already have a DNS server running for your
  domain.
  - Choose to install and configure DNS
- Choose permissions compatible only with Windows 2000 servers
- Enter the domain admin password (support2)
- Wait and reboot
How to Configure Your First AD Server
- Configure the DNS server
  - Start the DNS console from Administrative Tools in Control Panel
  - Right click the computer name and select Properties
    - Enable Forwarders: 198.82.247.98, 198.82.247.66, 198.82.247.33
    - OK
  - Right click on Reverse Lookup Zones -> New Zone
    - Active Directory Integrated
    - Network ID: 128.173.88
  - Repeat the last step for 2 more zones: 128.173.89 and 128.173.90
  - Enable WINS-R on all 3 zones
    - Right click on a zone -> WINS-R
    - Enable 'Use WINS-R lookup'
    - Domain to append to returned name: CPES.cpes.vt.edu
    - OK
- Change TCP/IP properties on the local machine
  - Change the DNS server from CNS to the local IP address (not localhost)
  - You can set the secondary DNS server to the IP address of your secondary
    AD controller
- Check the global catalog
  - Administrative Tools -> AD Sites and Services
  - Browse to "NTDS Settings" -> Properties
  - Make sure Global Catalog is selected on all AD servers (this is important)
- Activate the time client
  - Open a command prompt
  - 'net time /setsntp:ntp.vt.edu'
  - 'net time /querysntp'
- Check that the Remote Registry Service starts automatically
  - Administrative Tools -> Services
  - Set the Remote Registry Service startup type to 'Automatic'
- Update admparse.dll with a version from a Windows XP machine
  - This fixes a crash in mmc when editing IE's group policy
  - First replace the file in c:\winnt\system32\dllcache\
  - Then replace the file in c:\winnt\system32\
  - You will receive a warning message notifying you of a replaced DLL
    and asking for a Windows 2000 CD
- Restrict the RPC port mapper to the port range allowed by the firewall
  - Run regedt32.exe
  - Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\
  - Create a new key called 'Internet'
  - Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\Internet\
  - Create 3 new values:

    | Name                   | Type         | Value     |
    | Ports                  | REG_MULTI_SZ | 5000-5100 |
    | PortsInternetAvailable | REG_SZ       | Y         |
    | UseInternetPorts       | REG_SZ       | Y         |
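The registry, service and global catalog steps of the checklist above are easy to get subtly wrong by hand (a REG_SZ where a REG_MULTI_SZ is needed, a typo in the range, a service left on Manual), so here is an added PowerShell script, not part of the original CPES guide, that applies those steps and then reads every setting back and reports any mismatch. The port range 5000-5100, the SNTP server ntp.vt.edu, the RPC\Internet key and its three values are taken from the guide; the port-range sanity limits and the parameter names are my own. PowerShell did not exist on Windows 2000, so the script assumes a later Windows Server where the same key, service and `net time` command are still present.

```powershell
# Added example, not the guide's own code: apply the registry/service items of
# the post-dcpromo checklist and verify them. Run as a local Administrator on
# the domain controller itself.
param(
    [string]$RpcPortRange = '5000-5100',   # range the campus firewall allows (from the guide)
    [string]$SntpServer   = 'ntp.vt.edu'   # campus time server (from the guide)
)

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\RPC\Internet'

# 1. Restrict the RPC endpoint mapper's dynamic ports to the firewall-allowed
#    range. Ports is REG_MULTI_SZ (one range per entry); the two flags are REG_SZ "Y".
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString -Value @($RpcPortRange) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# 2. Remote Registry must start automatically (checklist item).
Set-Service -Name 'RemoteRegistry' -StartupType Automatic

# 3. Point the time client at the campus SNTP server (same command as the guide).
net time /setsntp:$SntpServer | Out-Null
net time /querysntp

# --- Verification: read everything back and report any mismatch ---
$problems = @()

$rpc = Get-ItemProperty -Path $rpcKey
if (@($rpc.Ports) -notcontains $RpcPortRange) { $problems += "Ports is '$($rpc.Ports)', expected '$RpcPortRange'" }
if ($rpc.PortsInternetAvailable -ne 'Y')      { $problems += 'PortsInternetAvailable is not Y' }
if ($rpc.UseInternetPorts -ne 'Y')            { $problems += 'UseInternetPorts is not Y' }

# Sanity-check the range itself: it must be a valid, non-empty high-port range,
# or RPC services will fail to register endpoints after the reboot.
$lo, $hi = $RpcPortRange -split '-' | ForEach-Object { [int]$_ }
if ($lo -lt 1024 -or $hi -le $lo -or $hi -gt 65535) {
    $problems += "RPC port range '$RpcPortRange' is not a valid high-port range"
}

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'"
if ($svc.StartMode -ne 'Auto') { $problems += "RemoteRegistry start mode is $($svc.StartMode), expected Auto" }

# Global catalog: the guide requires every AD server to be a GC. Check this one
# through the .NET AD classes (the same data the Sites and Services console shows).
$dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
      Where-Object { $_.Name -like "$env:COMPUTERNAME.*" }
if ($dc -and -not $dc.IsGlobalCatalog()) { $problems += "$($dc.Name) is not a global catalog" }

if ($problems) {
    'Configuration problems found:'
    $problems | ForEach-Object { "  - $_" }
    exit 1
}
'All checklist settings verified.'
```

The registry change only takes effect after a reboot, so run the script once to apply and again after the reboot to verify; the second run is also a useful check to repeat on the secondary AD controller, since the guide expects both servers to be global catalogs.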
This document is for research purposes and my own notes.
In no way do I declare that this information is accurate or even useful to anyone
except myself and The Center for Power Electronic Systems.