Setting up Active Directory (AD) is a lot like chess: You must plan ahead but also strategize as you go, making sure that you don't lose your king because you've become obsessed with your pawns. You might find yourself preoccupied with setting up the domains, organizational units (OUs), groups, and user accounts, but you shouldn't forget a fundamental IT principle: When you make a change, make sure it works. After you promote a Windows 2000 member server to a domain controller (DC), you should run through a checklist to ensure that the promotion went smoothly and make some simple but important configuration changes to ensure that the DC is working when you need it to. Let's review the checklist you should step through as you configure an AD domain.
Check All Event Logs
Each time you run Dcpromo, check for error messages on all the event logs on every DC you promote. I recommend that you perform this step early, before you continue with the process and complicate the environment with other installations and configurations. As with construction, you should address any problems you find with the foundation before you build the rest of the structure on top of it.
Check DNS for SRV Records
AD doesn't work without DNS—period. You must install the DNS service and enable dynamic updates before you even think about installing AD. AD makes heavy use of SRV records, which are a relatively new type of DNS record that identifies servers running specific services on your network. Microsoft uses SRV records to identify the location of AD-related services, such as Lightweight Directory Access Protocol (LDAP) servers.
When you install your first AD DC, the Netlogon service creates several SRV records and the special domain nodes that contain them—but only if your DNS server is capable of dynamic DNS (DDNS). Win2K DNS supports DDNS, but Windows NT 4.0 DNS doesn't. (However, be aware that with Win2K DNS, the DDNS option is disabled by default.) Without DDNS, you must create all the AD nodes and records manually—which is neither fun nor easy.
To make sure that Netlogon has created the SRV records and nodes, open the DNS administration console after the server has booted as a DC for the first time. Under the AD domain name, you should see four new child nodes: _msdcs, _sites, _tcp, and _udp, as Figure 1, page 70, shows. (If the server is a Global Catalog—GC—server, you should also see a _gc node.) Look for SRV records within these nodes. If you select the _tcp node, for example, you should see at least three SRV records for each server: two for Kerberos (_kerberos and _kpasswd) and one for LDAP (_ldap).
If you see the four (or five) nodes and SRV records within them, you're ready to move on. If you don't, wait a few minutes (the Netlogon service might require some time to register the nodes), then refresh the DNS display. If you still don't see the SRV records, verify that DDNS is enabled. To do so, select the DNS forward lookup zone for your AD domain. Right-click the zone, then select Properties. Select the General tab and make sure that Allow dynamic updates is set to Yes, as Figure 2 shows. If it isn't, change the value, then restart the Netlogon service on the DC to force registration of the SRV records.
Check for the Ntds and Sysvol Folders
The AD installation process creates two subfolders—Ntds and Sysvol—within the root of the system folder (usually C:\winnt). When the promotion process finishes, open Windows Explorer and make sure these folders exist.
The Ntds subfolder contains the AD database, ntds.dit, and its supporting files, such as the transaction logs. The Sysvol subfolder is the shared system volume and contains items shared among all DCs, such as the script files that Group Policy uses. The new File Replication Service (FRS)—the next generation of the NT 4.0 Directory Replication service—will automatically replicate the contents of this folder to other DCs in the same domain.
Previous
Register
