Monday, February 23, 2009

How to create the first domain controller in Active Directory (Windows 2008) Part1

Domain controller (DC) is a server role that has the Active Directory service installed. By default a domain controller stores one domain directory partition which has all information about the domain in where that DC is located, it also stores the schema and configuration directory partitions that are common to the entire forest. Depending of the version that you're running, DCs can also store one or more application directory partitions (Windows 2003 and later).

In addition to Active Directory database, DCs can also hold specific roles needed by Active Directory:

-Flexible single master operation (pronounced Fiz-mo). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. Active Directory defines five operations master roles (2 are Forest wide and the other 3 exist in each domain):

- Forest operation masters:
- Schema master
- Domain naming master

-Domain operation masters:
-Primary domain controller emulator (PDCe)
-Infrastructure master (IM)
-Relative ID master (RID)

-Global Catalog (GC). A global catalog server is a domain controller that, in addition to its full writable domain directory partition replica (does not apply to RODC), also stores a partial, read-only replica of all other domain directory partitions in the forest. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS).
GCs are needed when: doing forest wide searches, User logons (when more than one domain exists in that forest), when a user principal name (UPN) is used at logon and the forest has more than one domain, to cache the user membership when is member of a Universal Group (Universal groups are only available when the domain is native mode or later), Exchange Address Book lookups, and exchange clients also use global catalog servers to access the global address list (GAL). These are the most common scenarios, but you can also have specific apps that need to contact the GC to function properly.

-DNS: Although DNS is not a component of Active Directory, Active Directory uses DNS as its domain controller location mechanism and leverages the namespace design of DNS in the design of Active Directory domain names. Is possible to have a non-Microsoft DNS solution to support Active Directory, but the DNS server must support service resource records (RFC 2782) and dynamic update protocol (RFC 2136). Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS. Both types of records are necessary for the functionality of the domain controller locator (Locator) mechanism among other functions.

That being said, now it’s time to setup of the First Domain Controller.

Before start:
· Plan carefully your FQDN (fully qualify domain name), the NetBIOS name and the Domain controller name, this is very important to avoid changes that may crash your entire forest later. Check the Naming conventions at Microsoft KB909264.
· Configure your NIC with a static IP address. Avoid the use of multiple NICs in DCs, this type of configuration may lead to errors and Active Directory communication might fail on multihomed domain controllers, check MS KB 272294 and 191611 for more information.
· Configure the Administrator account with a strong password.
· Install the latest updates from Microsoft website.
· Have one hard drive with NTFS installed.
· Check your event log for errors and correct them before proceed.
· Consider the use of 2 DCs for each domain that you plan to have in your forest, this will give you better redundancy but also a fastest way to recover from server failures.
· Plan and test the Backup strategy for your Active directory Forest.
· At last check the date and time settings, make sure that are correct, and make sure that the server is in sync with a trusted and valid authoritative time server. By Default this DC will be the authoritative time server for your forest and additional DCs will sync their time with this DC.
Now it’s time to install Active directory in your server, check the video and follow the steps bellow:



Let's do some additional configurations in part 2

Have fun :)

1 comment: