CPES Active Directory Guide
Installing Your Second Active Directory Server
by Ben Pfountz (netprince@vt.edu)
Background
In an Active Directory (AD) based domain, the domain should
be run by redundant servers to help prevent disaster. In CPES, we use two
AD servers in case one of them fails. It would be nice if both servers could
seamlessly replicate each other's databases, and when one server fails, the
second automatically takes over in its place. Unfortunately, this is not possible
because of what are called Flexible Single Master Operation (FSMO, pronounced
'fiz-mo') roles. These FSMO roles need to be run on one, and only one, AD
server in the domain.
The problem is simple: if a machine holding a certain FSMO role
crashes, another machine must 'seize' its FSMO role. This is not automatic,
and for good reason. Once an FSMO role has been seized, it cannot be given
back to the crashed server without a complete re-installation of Windows 2000
followed by the necessary dcpromo operations.
Most of the FSMO operations are not critical to the AD environment.
If an AD server holding all the FSMO roles crashes, users will still be able
to authenticate against the domain thanks to the second AD server. You probably
will not notice the crashed FSMO role holder until you attempt to change the
structure of the domain. For example, when an FSMO server has crashed, you
cannot add or remove machines from the domain, change a user's password,
etc.
If the crashed FSMO role holder can be repaired (for example,
by replacing redundant hardware), it is best to let it keep its FSMO roles.
There is a fair amount of risk in attempting to seize the FSMO roles, re-install
Windows on the failed machine, and correctly promote it to an AD controller.
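As an added example (not from the original guide), the following PowerShell reports which server holds each of the five FSMO roles and whether that holder currently answers on LDAP, so a dead role holder is noticed before a machine join or password change fails. It assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows Server 2012 or later), neither of which exists on Windows 2000.

```powershell
# Added example: list FSMO role holders and probe each one.
# Assumes the RSAT ActiveDirectory module; not part of the Windows 2000 tooling in this guide.
Import-Module ActiveDirectory

function Get-FsmoHealth {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles hang off the forest object, domain-wide roles off the domain object.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # A down role holder blocks domain changes silently, so probe LDAP (TCP 389)
        # rather than ICMP, which firewalls frequently drop.
        $up = Test-NetConnection -ComputerName $holder -Port 389 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            Reachable = [bool]$up
        }
    }
}

Get-FsmoHealth | Format-Table -AutoSize
```

Any row with Reachable set to False is the server whose roles you would otherwise only discover missing when a join or password change is refused.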
How to Install Your Second AD Server
NOTE: The second AD server you install in your domain will be
installed without any FSMO roles.
| Setting | Value |
| Name | CPES |
| Organization | Virginia Tech |
| Per Server Licensing | 500 Licenses |
| Computer Name | AD2 |
| Enter IP, Subnet, Gateway, and Campus DNS Servers | |
| Set DNS suffix | CPES.cpes.vt.edu |
| WINS | Disable NetBIOS over TCP/IP |
- Reboot
- Login and apply all windows patches as soon as possible
- With the heightened threat of viruses, it is very easy to get infected
in the small window between an installation and the time it takes to download
and install the latest Windows updates.
- Rename the Administrator account (support2)
- Disable TsInternetUser account ?
- Log off, and Log in under the renamed Administrator account
- Install Antivirus -> attach to update server?
- Double check DNS suffix: CPES.cpes.vt.edu
- Install DNS server
  - Insert Win2k Server CD
  - Control Panel -> Add/Remove Programs -> Windows Components
  - Networking Services -> enable DNS
  - OK
- Configure DNS Server
  - Control Panel -> Administrative Tools -> DNS
  - Right click computer name -> Properties
  - Enable Forwarders: 198.82.247.98, 198.82.247.66, 198.82.247.33
  - OK
- Change TCP/IP properties on local machine
  - Change the DNS server from CNS to the IP address of the Primary Domain Controller
  - Set the secondary DNS server to the local IP address
- Run 'dcpromo'
  - Additional domain controller
| Prompt | Value |
| Username | support2 |
| Password | * |
| Domain | CPES |
| Full DNS Name for Domain | CPES.cpes.vt.edu |
| Database Location | c:\winnt\ntds (default) |
| Log Location | c:\winnt\ntds (default) |
| Folder Location | c:\winnt\sysvol (default) |
- Problems here occur if any network setting is wrong. Double check all network
settings and reboot if an error is found.
  - DNS suffix: CPES.cpes.vt.edu
  - Enable "Register this connection's addresses in DNS"
- Wait and Reboot
How to Configure Your Second AD Server
- Check global catalog
  - Administrative Tools -> AD Sites and Services
  - Browse to "NTDS Settings" -> Properties
  - Make sure Global Catalog is selected on all AD servers (this is important)
- Activate Time Client
  - Run a command prompt
  - 'net time /setsntp:ntp.vt.edu' (no space after the colon)
  - 'net time /querysntp'
- Check that Remote Registry Service starts automatically
  - Administrative Tools -> Services
  - Set Remote Registry Service startup type to 'Automatic'
- Update admparse.dll with a version from a Windows XP machine
  - This fixes a crash in mmc when editing IE's group policy
  - First replace the file in c:\winnt\system32\dllcache\
  - Then replace the file in c:\winnt\system32\
  - You will receive a warning message notifying you of a replaced DLL
and asking for a Windows 2000 CD
- Restrict RPC Portmapper to the port range allowed by the firewall
  - Run regedt32.exe
  - Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\
  - Create a new key called 'Internet'
  - Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\Internet\
  - Create 3 new values:
| Name | Type | Value |
| Ports | REG_MULTI_SZ | 5000-5100 |
| PortsInternetAvailable | REG_SZ | Y |
| UseInternetPorts | REG_SZ | Y |
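As an added example (not part of the original notes), this PowerShell writes the three RPC\Internet values from the table with the required registry types and reads them back, including the value kind, so a 'Ports' entry accidentally created as REG_SZ is caught. The key path and the 5000-5100 range are the guide's; the 100-port minimum in the sanity check is the commonly cited Microsoft recommendation for this key and is an assumption here.

```powershell
# Added example: set and verify the RPC\Internet port restriction from the guide.
# Run from an elevated PowerShell session on the domain controller.
$RpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$PortRange   = '5000-5100'   # range used in this guide

function Set-RpcPortRange {
    param([string]$Range = $PortRange)

    # Sanity-check the range first: it must agree with the firewall rule, and a range
    # that is too small starves RPC of endpoints. 100 ports is the assumed minimum.
    if ($Range -notmatch '^(\d+)-(\d+)$') { throw "Range must look like 5000-5100" }
    $lo, $hi = [int]$Matches[1], [int]$Matches[2]
    if ($hi -lt $lo) { throw "Range end is below range start" }
    if (($hi - $lo + 1) -lt 100) { Write-Warning "Fewer than 100 ports in range" }

    if (-not (Test-Path $RpcInternet)) { New-Item -Path $RpcInternet -Force | Out-Null }
    # 'Ports' must be REG_MULTI_SZ even for a single range; the other two are REG_SZ.
    New-ItemProperty -Path $RpcInternet -Name Ports -Value @($Range) `
        -PropertyType MultiString -Force | Out-Null
    New-ItemProperty -Path $RpcInternet -Name PortsInternetAvailable -Value 'Y' `
        -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $RpcInternet -Name UseInternetPorts -Value 'Y' `
        -PropertyType String -Force | Out-Null
}

function Test-RpcPortRange {
    # Read back both values and value kinds; the RPC runtime expects MultiString for Ports.
    $key = Get-Item $RpcInternet
    [pscustomobject]@{
        Ports       = ($key.GetValue('Ports') -join ',')
        PortsType   = $key.GetValueKind('Ports')          # expect MultiString
        Available   = $key.GetValue('PortsInternetAvailable')
        UseInternet = $key.GetValue('UseInternetPorts')
    }
}

Set-RpcPortRange
Test-RpcPortRange
```

The RPC runtime reads these values at start-up, so the new range only takes effect after a reboot, and the firewall rule must permit exactly the same range.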
This document is for research purposes and my own notes.
In no way do I declare that this information is accurate or even useful to anyone
except myself and The Center for Power Electronic Systems.