T305-15 Domain Setup - RevC

Chapter 15 of the System 800xA training document provides comprehensive guidance on setting up Active Directory, including installation, configuration, and maintenance of domain controllers. It covers key concepts such as domains, domain trees, forests, and organizational units, as well as the importance of DNS in the network. The chapter also outlines the steps to add nodes to a domain and maintain domain controllers effectively.

System 800xA training

Chapter 15 Domain Setup

TABLE OF CONTENTS

Chapter 15 Domain Setup (page 1)
15.1 General Information (page 2)
15.1.1 Objectives (page 2)
15.1.2 Legend (page 2)
15.2 Active Directory Overview (page 3)
15.2.1 Domains Overview (page 3)
15.2.2 Domain Trees and Forests Overview (page 4)
15.2.3 Organizational Units (page 5)
15.2.4 Domain Name System (page 6)
15.3 Installing Active Directory (page 9)
15.3.1 Requirements (page 9)
15.3.2 How to Install Active Directory (page 10)
15.3.3 How to Configure the DNS (page 16)
15.3.4 Verify the DNS Configuration (page 19)
15.4 Adding Nodes to a Domain (page 21)
15.4.1 How to Add an 800xA Node (page 21)
15.4.2 How to Add an Additional Domain Controller (page 22)
15.4.3 How to Install DNS on the Additional DC (page 24)
15.5 Maintaining Domain Controllers (page 25)
15.5.1 DcDiag Tool (page 25)
15.5.2 Backup of Domain Controllers (page 25)
15.5.3 Recovering after a Crash of the First Installed Domain Controller (page 26)
15.6 Windows Workgroups instead of Windows Domain (page 27)
15.6.1 Managing PC Names with Host Files (page 27)

1 / 27
864459717.doc

15.1 General Information

15.1.1 Objectives
On completion of this chapter you will be able to:
- Describe the principles of Active Directory
- Install Active Directory
- Add nodes to the domain
- Verify the correct settings for 800xA

15.1.2 Legend
<> Indicates a key name.
| Indicates when you go from one menu to a sub-menu.
Bold Indicates a menu name or an option in a menu, or file structures.
“ ” Indicates dialog box buttons, tabs, instructions etc.

[activity icon] Indicates start/explanation of student activity


15.2 Active Directory Overview


Active Directory is the directory service for Windows Server 2003. It stores
information about objects on the network and makes this information easy for
administrators and users to find and use. Active Directory service uses a structured
data store as the basis for a logical, hierarchical organization of directory information.
Security is integrated with Active Directory through logon authentication and access
control to objects in the directory. With a single network logon, administrators can
manage directory data and organization throughout their network, and authorized
network users can access resources anywhere on the network. Policy-based
administration eases the management of even the most complex network.

15.2.1 Domains Overview


The directory includes one or more domains, each having its own security policies and
trust relationships with other domains. Domains provide several benefits:
- Security policies and settings (such as administrative rights and access control
lists) do not cross from one domain to another.
- Delegating administrative authority to domains or organizational units eliminates
the need for a number of administrators with sweeping administrative authority.
- Domains help structure your network to better reflect your organization.
- Each domain stores only the information about the objects located in that domain.
By partitioning the directory this way, Active Directory can scale to very large
numbers of objects.
- Domains are units of replication. All of the domain controllers in a particular
domain can receive changes and replicate those changes to all other domain
controllers in the domain.
- A single domain can span multiple physical locations or sites. Using a single
domain greatly simplifies administrative overhead.


15.2.2 Domain Trees and Forests Overview


Multiple domains form a forest. Domains can also be combined into hierarchical
structures called domain trees.

15.2.2.1 Domain Trees


The first domain in a domain tree is called the root domain. Additional domains in the
same domain tree are child domains. A domain immediately above another domain in
the same domain tree is referred to as the parent of the child domain.

[Figure: domain tree with the root domain ABB.Com, the child domain Child.ABB.Com and the grandchild domain Grandchild.Child.ABB.Com]

All domains that have a common root domain are said to form a contiguous
namespace. This means that the domain name of a child domain is the name of that
child domain, added to the name of the parent domain. In this illustration,
child.abb.com is a child domain of abb.com and the parent domain of
grandchild.child.abb.com. The abb.com domain is the parent domain of
child.abb.com. It is also the root domain of this domain tree.
Windows 2003 domains in a tree are joined together through two-way, transitive trust
relationships. Because these trust relationships are two-way and transitive, a
Windows 2003 domain newly created in a domain tree or forest immediately has trust
relationships established with every other Windows 2003 domain in the domain tree or
forest. These trust relationships allow a single logon process to authenticate a user on
all domains in the domain tree or forest. This does not necessarily mean that the
authenticated user has rights and permissions in all domains in the domain tree.
Because a domain is an administrative boundary, rights and permissions must be
assigned on a per-domain basis.


15.2.2.2 Forests
A forest consists of multiple domain trees. The domain trees in a forest do not form a
contiguous namespace. A forest does not have a root domain. Trust relationships allow
users in one domain to be authenticated by a domain controller in another domain.

[Figure: two domain trees in a forest, joined by a trust relationship]

Although it is possible to utilize forests within an 800xA system, it is unusual to use
them, and therefore they are not covered further in this chapter.

15.2.3 Organizational Units


Organizational units are Active Directory containers into which you can place users,
groups, computers, and other organizational units. An organizational unit cannot
contain objects from other domains.

[Figure: a domain containing OU1, which in turn contains OU2 and OU3]


15.2.4 Domain Name System


The domain name system (DNS) is used to map IP addresses to logical names in a
network. The main reason for this is that users of computer systems identify easily
with names, rather than numbers. For example it is easier to remember a name “Fred”
in a mobile phone, than it is to remember Fred’s telephone number itself.
The domain name system relies on domain name servers locating an IP address in a
lookup table, which maps to a name. Domain name clients query domain name
servers.
An example of a simple query could be “What is the IP address of
ConnectivityServer1?”

[Figure: the DNS client sends the query to the DNS server, which answers from its lookup table]

Lookup table:
172.16.0.11 – AspectServer1
172.16.0.12 – AspectServer2
172.16.0.21 – ConnectivityServer1
172.16.0.22 – ConnectivityServer2
172.16.0.51 – BatchManager1
172.16.0.71 – Client1
172.16.0.72 – Client2


15.2.4.1 Domain Namespace


The domain namespace is a structure that can be used to identify objects using a DNS
name. The top level in a domain name system is the domain root. This is always
referred to as a “dot”. First level domains (also called top level domains) are 2 or 3
letters used to indicate a country or region, or the type of organization using the
domain. For example .COM for a commercial organization, or .EDU for an
educational establishment.

At the second level, another label is given to identify an organization, such as
ABB.com. It is possible to have sub-domains after a second level domain, such as
sales.abb.com or training.abb.com. Finally, a hostname can be given, such as
server1.sales.abb.com. This is an example of a fully qualified domain name (fqdn).

15.2.4.2 Local Domain with no Internet connection


If there is no connection to the Internet, the domain is a 'local' or 'faked' domain. There
should still be a root entry and the corresponding levels all the way down to the Active
Directory domain name, so that the domain has a fully qualified domain name.
Examples:
Don’t name the local domain just “IIT1”; this is not a fqdn.
Name the local domain “IIT1.local”; this is a fqdn.

Replication between redundant domain controllers won’t work if the
domain does not have a fully qualified domain name.
Since an IIT 800xA installation seldom, or never, has contact with proper root servers,
a root server should be installed in the general case. Only under special circumstances
should the root entry be deleted.
In the System Installation Guide there is a general recommendation to delete the root
entry in the newly configured DNS server. This is not always the proper procedure
when installing a DNS server for a new Windows 2003 Domain.
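The naming rule above (the name must be fully qualified, so “IIT1” is rejected while “IIT1.local” passes), together with the recommendation in section 15.3.2 to avoid public top-level domains such as .com or .org for a separate 800xA domain, can be checked before dcpromo is run. The following Python is an added example, not part of the training material. The list of public suffixes is an assumption: the chapter names .com and .org; .net and .edu are added here as further well-known cases, and .local and .internal are the suffixes the chapter recommends.

```python
"""Check a proposed Active Directory domain name against the naming rules
given in this chapter (added example, not part of the training material)."""
import re

# Public top-level domains to avoid for a separate 800xA domain. The chapter
# names .com and .org ("etc."); .net and .edu are assumed further examples.
PUBLIC_TLDS = {"com", "org", "net", "edu"}
# Suffixes the chapter recommends for a local domain with no Internet link.
RECOMMENDED_TLDS = {"local", "internal"}
# A DNS label: letters, digits and hyphens, not starting or ending with '-'.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_domain_name(name: str) -> list[str]:
    """Return the problems found with the proposed domain name.
    An empty list means the name follows the chapter's rules."""
    problems = []
    name = name.rstrip(".")          # a trailing root dot is legal DNS notation
    labels = name.split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"invalid DNS label '{label}'")
    if len(labels) < 2:
        # "IIT1" alone is not a fully qualified domain name.
        problems.append(f"'{name}' is not a fully qualified name; "
                        f"use at least two labels, e.g. '{name}.local'")
        return problems
    tld = labels[-1].lower()
    if tld in PUBLIC_TLDS:
        problems.append(f"top-level domain '.{tld}' is a public TLD; "
                        "use .local or .internal for a separate 800xA domain")
    elif tld not in RECOMMENDED_TLDS:
        problems.append(f"'.{tld}' is not one of the recommended suffixes "
                        "(.local, .internal)")
    return problems


if __name__ == "__main__":
    for candidate in ("IIT1", "IIT1.local", "abb.com", "plant.internal"):
        result = check_domain_name(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

The function only reports; run it against the name you intend to type in step 7 of the installation wizard, since the domain name cannot be changed easily once the forest exists.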


15.3 Installing Active Directory


These notes give the steps required to create a new domain, then create a new forest
and then add a new tree using a Windows 2003 Server machine. Domain controllers
are recommended to have a static IP address.

15.3.1 Requirements
Active Directory can be installed on a Windows 2000 Server or on a Windows Server
2003 machine. If you set up a new system the recommendation is to use the newer
operating system. Therefore this description deals with Windows Server 2003.
Within the Microsoft Windows family, there are 3 main products. Windows Server
2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows
Server 2003 Datacenter Server.

Windows Server 2003 Standard Edition is the entry-level version, and is the version
that is recommended for use with System 800xA, as it is the lowest cost.

Please find additional information at:
http://www.microsoft.com/windowsserver2003/default.mspx


15.3.2 How to Install Active Directory


Ensure the date and time of the computers are correct before starting.
1. Click Start | Run and type in dcpromo. Press “OK” and this will start the Active
Directory Installation Wizard.

2. Click “Next”.

3. Click “Next”.


4. Select Domain controller for a new domain and click “Next”.

5. Select Domain in a new forest and click “Next”.

6. Select No, just install and configure DNS on this computer and click “Next”.


7. Type in the domain name.

If you are running a separate domain for the System 800xA select a domain name
which does not contain top level domains like .com, .org etc.
Recommended are expressions like .local or .internal. Click “Next”.

8. Click “Next”.

9. Click “Next”.


10. Click “Next”.

11. Select Permissions compatible only with Windows 2003 … and click “Next”.

12. Remember the password you type in here. You need it to restore a DC.
Click “Next”.


13. Click “Next”.

Insert the Product CD which refers to the OS version you have installed, e.g. if
you are running a Windows Server 2003 SP1 OS you have to insert a Windows
Server 2003 SP1 integrated CD.
For additional information refer to the link below:
http://technet2.microsoft.com/WindowsServer/en/Library/f35d6656-0554-4833-b913-29a4e1cc76b81033.mspx?mfr=true > The Integrated Installation

14. Insert the CD and click “OK”.


15. Click “Next”.

16. Click “Finish”

17. Click on “Restart Now”.

NOTE! Ensure you are logged in as administrator.


15.3.3 How to Configure the DNS


1. Open the DNS configuration window.

Don’t delete the root entry if there is no connection to Internet.

2. Add a reverse lookup zone by right click and select “New”.


3. Click “Next”.

4. Select the type of zone Primary Zone and check Store the zone in Active
Directory. Click “Next”.

5. Click “Next”.


6. Enter the IP address of the zone being created and click “Next”.

7. Click “Next”

8. Click “Finish”.


The result will be a new Reverse Lookup Zone.

If there is a redundant network (the server has 2 network cards), then repeat these
steps for the other network.
If there is a redundant domain controller then repeat these steps, but specify the
domain controller as an Additional domain controller for an existing domain.

15.3.4 Verify the DNS Configuration


Open a command prompt by typing cmd in the Run dialog.

Type nslookup followed by the name of the computer running the DNS server.

The name should be resolved to an IP address.

Alternatively, an IP address can be entered to resolve that IP address to a name.


If this does not work then a pointer needs to be added as below.


NOTE! Please use the browse button when adding pointers
(double clicks required).

The result will look like this:

NOTE! Do not use Ping to verify DNS configuration.

If the IP address of a node is changed, the DNS server is not notified
immediately; the registration happens on startup of the node. To force the registration
use the command ipconfig /registerdns, and to flush the local DNS cache use
ipconfig /flushdns.
There is a Windows Server 2003 setting that may hide the node from browsing on the
network. To change this setting, type net config server /hidden:No.
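The check this section describes, that a name resolves to an address and the address resolves back to the name, can be expressed without a live server. The Python below is an added example, not part of the training material: the forward table is the lookup table shown in section 15.2.4, the reverse zone is the one the wizard in 15.3.3 creates for 172.16.0.0/24, the PTR data is constructed with two pointers deliberately missing and one left over, and 172.17.0.0/24 is an assumed address for the second (redundant) network card.

```python
"""Forward/reverse DNS consistency check over constructed zone data
(added example, not part of the training material)."""
import ipaddress

# Forward (A) records, host name -> address, from the chapter's lookup table.
A_RECORDS = {
    "AspectServer1": "172.16.0.11",
    "AspectServer2": "172.16.0.12",
    "ConnectivityServer1": "172.16.0.21",
    "ConnectivityServer2": "172.16.0.22",
    "BatchManager1": "172.16.0.51",
    "Client1": "172.16.0.71",
    "Client2": "172.16.0.72",
}

# Reverse (PTR) records as stored in the reverse lookup zone, keyed by the
# PTR owner name. Constructed: BatchManager1 and Client2 have no pointer and
# 172.16.0.99 still points at a host that no longer has an A record.
PTR_RECORDS = {
    "11.0.16.172.in-addr.arpa": "AspectServer1",
    "12.0.16.172.in-addr.arpa": "AspectServer2",
    "21.0.16.172.in-addr.arpa": "ConnectivityServer1",
    "22.0.16.172.in-addr.arpa": "ConnectivityServer2",
    "71.0.16.172.in-addr.arpa": "Client1",
    "99.0.16.172.in-addr.arpa": "OldClient",
}


def reverse_zone_name(network: str) -> str:
    """Reverse lookup zone name for a /8, /16 or /24 network, e.g.
    '172.16.0.0/24' -> '0.16.172.in-addr.arpa' (what the wizard derives
    from the network ID entered in step 6)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("classful reverse zones need a /8, /16 or /24 network")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(ip: str) -> str:
    """PTR owner name of an address: '172.16.0.11' -> '11.0.16.172.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_dns_consistency(a_records, ptr_records):
    """Compare forward and reverse data. Returns (missing_ptr, stale_ptr, mismatched):
    missing_ptr: hosts whose address has no pointer record (add a PTR, as the text says)
    stale_ptr:   pointer records with no forward record behind them
    mismatched:  pointer records naming a different host than the A record."""
    missing_ptr, stale_ptr, mismatched = [], [], []
    expected = {ptr_name(ip): host for host, ip in a_records.items()}
    for owner, host in expected.items():
        if owner not in ptr_records:
            missing_ptr.append(host)
        elif ptr_records[owner] != host:
            mismatched.append((host, ptr_records[owner]))
    for owner, host in ptr_records.items():
        if owner not in expected:
            stale_ptr.append((owner, host))
    return sorted(missing_ptr), sorted(stale_ptr), sorted(mismatched)


def redundant_network_zones(networks):
    """One reverse zone per network card: the chapter says to repeat the
    zone wizard for the second network when the server has two cards."""
    return [reverse_zone_name(n) for n in networks]


if __name__ == "__main__":
    print("reverse zones:", redundant_network_zones(["172.16.0.0/24", "172.17.0.0/24"]))
    missing, stale, bad = check_dns_consistency(A_RECORDS, PTR_RECORDS)
    for host in missing:
        print(f"no PTR for {host} ({A_RECORDS[host]}): add a pointer record")
    for owner, host in stale:
        print(f"stale PTR {owner} -> {host}: no matching A record")
    for host, other in bad:
        print(f"PTR for {host} names {other}: fix the pointer record")
```

On a real domain the two dictionaries would be filled from the forward and reverse zone contents (for example from nslookup output for each host); the comparison logic stays the same.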


15.4 Adding Nodes to a Domain


All nodes on an 800xA system need to be added to a domain. The steps required to
add a node are simple, but require that the user be logged in on the node that is to be
added to the domain with domain administrator privileges.
Configure the IP address of this node as described in Install and Configure Network
Adapters. Make sure the DNS server address points to the IP address of the DNS
server.

15.4.1 How to Add an 800xA Node


1. From the desktop, right-click on My Computer and choose Properties from the
context menu.

2. Select the “Network Identification” tab and click on “Properties”.

3. Enter the name of your computer. Select this computer to be a Member of
Domain and enter the domain name.

4. Click “OK”.

5. Enter the domain user name and password, and then click “OK”.


This displays the message indicating your computer has been added to the domain.

6. Click “OK” to acknowledge this message. This will display another message
indicating that you must reboot for these changes to take effect.
7. Restart the machine.

For more information, Microsoft have a Web page named Windows Server Resources
at http://www.microsoft.com/windows2003/techinfo/planning/server/serversteps.asp

15.4.2 How to Add an Additional Domain Controller


ABB recommends that a domain has more than one domain controller. If there is
only one domain controller and it fails, users can no longer be authenticated and the
security of the system is weakened.
For small systems, it may be that for cost reasons only one domain controller is
implemented, but as a system grows in size, additional domain controllers should
be added.

Perform these steps on the machine that is to be created as an additional domain
controller in an existing domain. This machine must already be installed with
Windows Server 2003.
1. Click Start, Run and type in dcpromo.

2. On the third wizard page, select Additional Domain Controller for an existing
Domain and click “Next”.

3. Type in the Network Credentials and click “Next”.


4. Browse for the Domain this node should be added to. Click “Next”.

5. On the Database and Log Location page, accept the defaults and click “Next”.

6. On the Shared System Volume page, click “Next”.

7. Type in the Directory Services Restore Mode Administrator password and click
“Next”.

8. On the Summary page, click “Next”. The wizard configures Active Directory.

9. When the Completing Active Directory wizard page appears, click “Finish”.

10. Restart Windows.


15.4.3 How to Install DNS on the Additional DC


After these steps the new PC is working as an additional DC. DNS, however, is not
yet redundant.

1. Select Start | Control Panel | Add or Remove Programs.

2. Select Add/Remove Windows Components.

3. Select Networking Services and click on “Details”.

4. Select Domain Name System (DNS), click “OK” and “Next”.

5. If you are prompted for a Windows Server 2003 CD insert the corresponding OS
version with integrated SP.

NOTE! It takes a while after installation until the DNS data from
the existing DC are replicated to the new one.


15.5 Maintaining Domain Controllers

15.5.1 DcDiag Tool


Microsoft provides a tool called DcDiag that can perform a number of tests of the
health of a domain controller. DcDiag is included on the Compact Discs for Windows
2000 Advanced Server and Windows 2003 Server. It can also be downloaded from
Microsoft’s web site.
The command dcdiag /a tests all domain controllers in the site.

15.5.2 Backup of Domain Controllers


It is possible to use an image backup (like Ghost or Acronis) for redundant and
non-redundant domain controllers, but it is important not to exceed the Active Directory
tombstone lifetime, which by default is 60 days, when restoring from such a backup.
A backup that is older than the tombstone lifetime is normally not useful. Microsoft
Knowledge Base Article KB216993 describes more about this topic.
In addition to an image backup you should create a scheduled weekly system state
backup.
It is recommended to create an image backup of the Domain Controller PC just before
it is promoted to be a domain controller (dcpromo). At this time the Active
Directory has not yet been created, so this backup is independent of the
tombstone lifetime. When using such a backup the content of the Active Directory
should preferably come from a domain controller that is still working.


15.5.3 Recovering after a Crash of the First Installed Domain Controller


It is possible to use multiple Domain Controllers for a Domain. In most of their
operation all domain controllers are equal but there are a number of roles that are only
taken by the first PC that is promoted to be Domain Controller:
- FSMO role Schema Master
- FSMO role Domain Naming Master
- FSMO role PDC
- FSMO role RID master
- FSMO role Infrastructure master
- Global Catalog server

If the first Domain Controller is permanently removed from the network there are
some manual actions to do to make sure that the system keeps working in the long run.
1. Check if the removed server had the 5 FSMO roles.
This is done with the tool ntdsutil. (see below)
2. If necessary, seize the FSMO roles to one of the other servers.
This is described in TechNet article KB255504
3. Create a new Global Catalog.
This is described in TechNet article KB313994
4. Remove the old server from the Active Directory.
This is described in TechNet article KB216498

To find out if the removed server had the 5 FSMO roles do the following at a
command prompt:
ntdsutil: roles
fsmo maintenance: conn
server connections: conn to serv <a working server>
server connections: quit
fsmo maintenance: Select operation target
select operation target: list roles for conn ser

This gives the following result if <the working server> knows about the 5 roles:
Schema - CN=NTDS Settings,CN=<the removed server>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
Domain - CN=NTDS Settings,CN=<the removed server>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
PDC - CN=NTDS Settings,CN=<the removed server>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
RID - CN=NTDS Settings,CN=<the removed server>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
Infrastructure - CN=NTDS Settings,CN=<the removed server>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
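Reading the five role lines by eye is error-prone, especially when the console wraps them as in the listing above. The Python below is an added example, not part of the training material: it parses output in the format shown (DC=demo,DC=net) and reports which roles the crashed server held, i.e. the ones step 2 says to seize. The server names DC1 and DC2 and the sample output are constructed.

```python
"""Parse ntdsutil 'list roles for connected server' output and report
which FSMO roles a given domain controller holds (added example)."""
import re

# Constructed ntdsutil output in the chapter's format. The last entry is
# wrapped across two lines, as the console does with long names.
SAMPLE_OUTPUT = """\
Schema - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
Domain - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
PDC - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
RID - CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
Infrastructure - CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-
Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
"""

# The five FSMO roles, in the order ntdsutil lists them.
FSMO_ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")
# "<role> - CN=NTDS Settings,..." starts a new role entry.
ROLE_LINE = re.compile(r"^(?P<role>\w+)\s+-\s+(?P<dn>CN=NTDS Settings,.*)$")
# The second RDN of the NTDS Settings object is the server name.
SERVER_RDN = re.compile(r"^CN=NTDS Settings,CN=(?P<server>[^,]+),", re.IGNORECASE)


def unwrap_lines(text: str) -> list[str]:
    """Join console-wrapped output: a non-empty line that does not start a
    new role entry is appended to the previous line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if ROLE_LINE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += raw.strip()
    return lines


def parse_fsmo_roles(text: str) -> dict[str, str]:
    """Map each role name to the server whose NTDS Settings object holds it."""
    holders = {}
    for line in unwrap_lines(text):
        m = ROLE_LINE.match(line)
        if not m:
            continue
        s = SERVER_RDN.match(m.group("dn"))
        if s:
            holders[m.group("role")] = s.group("server")
    return holders


def roles_held_by(holders: dict[str, str], server: str) -> list[str]:
    """Roles held by the named server, in FSMO_ROLES order. For the crashed
    first domain controller these are the roles that have to be seized."""
    return [r for r in FSMO_ROLES if holders.get(r, "").lower() == server.lower()]


def missing_roles(holders: dict[str, str]) -> list[str]:
    """Roles the connected server does not list at all (fewer than 5 entries)."""
    return [r for r in FSMO_ROLES if r not in holders]


if __name__ == "__main__":
    holders = parse_fsmo_roles(SAMPLE_OUTPUT)
    removed = "DC1"  # constructed: the crashed first domain controller
    print("roles to seize from", removed, ":", roles_held_by(holders, removed))
    print("roles not listed at all:", missing_roles(holders))
```

Paste the real ntdsutil output into SAMPLE_OUTPUT (or read it from a file) and set `removed` to the name of the crashed server; an empty list from roles_held_by means nothing needs to be seized, while a non-empty missing_roles means the connected server's view is incomplete and should be checked on another working DC first.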


15.6 Windows Workgroups instead of Windows Domain


Small systems can run without a Domain Controller. In that case a Windows Domain
does not handle the PCs and users and instead a Windows Workgroup needs to be
created.
A Windows Workgroup is not managed on a dedicated PC. The workgroup
configuration needs to be done on all PCs that belong to the workgroup. This includes
handling the names and addresses of the PCs and definition of users and groups.
There is no fixed limit for the number of nodes or number of users that can be handled
within a workgroup. Systems with more than 10 PCs or 5 users are normally easier to
manage in a domain.

15.6.1 Managing PC Names with Host Files


In a Windows Workgroup the correlation between node names and IP addresses is
best handled with host files. Create one “host file” with the addresses and names of all
nodes and copy it to all nodes in the network.
In a simple network address and name resolution could be handled with NetBIOS
instead of with host files, but when nodes are connected to more than one network,
e.g. when using a redundant network, it is not possible to control which address a node
name will be associated with. This means that it is not possible to guarantee that the
rule is followed that all applications communicating with nodes that run
RNRP always address the nodes on the primary network. The host file has the name
hosts with no extension. It is located at the directory C:\WINNT\system32\drivers\etc.
It contains rows like this:
127.0.0.1 localhost
172.16.4.11 AS1 # The Aspect Server
172.16.4.21 CS1 # The Connectivity Server
172.16.4.71 C1 # Workplace Client 1
172.16.4.72 C2 # Workplace Client 2
NOTE! Use the nodes’ primary IP addresses on the Client/Server
Network.

Usage of the file hosts is not connected to the check box “Enable LMHOSTS lookup”
in the Advanced TCP/IP settings.
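Because the same hosts file is copied to every node, it is worth generating it from one node list and checking it before distribution. The Python below is an added example, not part of the training material: the node table mirrors the sample rows above, and 172.16.4.0/24 is assumed to be the primary Client/Server network that the NOTE says all entries must use. The check reports exactly the situation the text warns about, a node name bound to a second (redundant-network) address.

```python
"""Generate and check a Windows Workgroup hosts file (added example,
not part of the training material)."""
import ipaddress

# Primary Client/Server network (assumed; matches the chapter's sample rows).
PRIMARY_NETWORK = ipaddress.ip_network("172.16.4.0/24")

# Node table, name -> (primary address, comment), built from the sample rows.
NODES = {
    "AS1": ("172.16.4.11", "The Aspect Server"),
    "CS1": ("172.16.4.21", "The Connectivity Server"),
    "C1": ("172.16.4.71", "Workplace Client 1"),
    "C2": ("172.16.4.72", "Workplace Client 2"),
}


def render_hosts(nodes, primary_network=PRIMARY_NETWORK) -> str:
    """Text of the hosts file (no extension) for all nodes. Refuses an
    address outside the primary network, so a secondary-network address
    can never end up in the file by mistake."""
    lines = ["127.0.0.1 localhost"]
    for name, (ip, comment) in sorted(nodes.items()):
        if ipaddress.ip_address(ip) not in primary_network:
            raise ValueError(f"{name}: {ip} is not on the primary network {primary_network}")
        lines.append(f"{ip} {name} # {comment}")
    return "\n".join(lines) + "\n"


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Parse hosts rows into (address, [names]) pairs, skipping blank
    lines and everything after a '#' comment marker."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def check_hosts(text: str, primary_network=PRIMARY_NETWORK) -> list[str]:
    """Report malformed rows, addresses off the primary network, and a name
    bound to more than one address (the ambiguity a hosts file must avoid)."""
    problems = []
    seen = {}  # lower-cased name -> first address it was bound to
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"malformed address '{ip}'")
            continue
        if not names:
            problems.append(f"{ip}: no host name on this row")
        if not addr.is_loopback and addr not in primary_network:
            problems.append(f"{ip}: not on primary network {primary_network}")
        for name in names:
            key = name.lower()
            if key in seen and seen[key] != ip:
                problems.append(f"{name}: bound to both {seen[key]} and {ip}")
            seen.setdefault(key, ip)
    return problems


if __name__ == "__main__":
    content = render_hosts(NODES)
    print(content)
    print("problems:", check_hosts(content) or "none")
```

Run check_hosts on the file as it exists on each node after copying; a non-empty result on one node means that node would resolve a name differently from the others.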
