Thursday, October 1, 2015

11 steps to the perfect domain controller


Ways to stable and fast Active Directory


Active Directory is the essential basis for stable operation in Windows networks. For AD to work optimally, administrators should approach the installation of the domain and of the domain controllers with particular care. We show the 11 most important steps when installing new domain controllers.

Step 1: Install and set up DNS for Active Directory

To create a new Active Directory, the DNS server role must first be installed on the server that is planned to become the first domain controller. The role is installed via Server Manager as a server role. Once installed, the DNS management console can be found in Server Manager under "Tools".

Under the nodes "Forward Lookup Zones" and "Reverse Lookup Zones", administrators create the zones that Active Directory requires for its operation. The first and most important zone is the forward lookup zone of the first Active Directory domain. To create it, right-click "Forward Lookup Zones" and choose "New Zone" from the context menu. For new Active Directory domains, only primary zones are needed.

On the next page of the wizard, the name of the new zone is set. It is extremely important that the zone name is exactly the name that is configured as the DNS suffix of the server and that will be used as the DNS name of the Active Directory domain.

DNS servers running Windows Server 2012 R2 work with dynamic updates: all server names and IP addresses, as well as the SRV records of Active Directory, are entered into this zone automatically. The Active Directory installation wizard must be able to create dozens of records in the zone automatically. Therefore, when creating the new zone, the option "Allow non-secure and secure dynamic updates" should be activated. Administrators should switch to "Allow only secure dynamic updates" only after Active Directory has been created.


Step 2: Set reverse lookup and DNS suffix of the server

Next, administrators should create a reverse lookup zone. This zone is responsible for translating IP addresses into host names. Reverse lookup zones are not strictly required for the stable operation of Active Directory, but they are part of proper name resolution in the network. Here, too, a wizard helps.

If the server has not yet registered itself automatically, administrators can trigger dynamic registration by entering the command "ipconfig /registerdns" at the command prompt. After that, the IP address of the server should be registered in the zone. This only works if the DNS suffix of the server has been set under "Control Panel / System and Security / System / Advanced System Settings / Computer Name / Change". In that window, click the "More" button and specify the primary DNS suffix of the server.

Step 3: Verify DNS settings

Before Active Directory is installed on the server, administrators should make sure that all DNS settings are correct. This includes checking whether the server has registered itself in both the forward and the reverse lookup zone. If administrators open a command prompt and type "nslookup", no error messages may appear; the correct FQDN of the DNS server and its IP address must be displayed.
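The same preparation as Steps 1 to 3, done from PowerShell on the future domain controller. This is an added example, not code from the article; the domain name corp.example.com, the address 10.0.0.10/24 and the adapter alias "Ethernet" are assumed values.

```powershell
# Added example (not from the original article): Steps 1-3 without the DNS snap-in.
# Assumed values: domain corp.example.com, server address 10.0.0.10/24, adapter "Ethernet".
$domain   = 'corp.example.com'
$serverIp = '10.0.0.10'

# Step 1: primary forward lookup zone. Non-secure updates are allowed only
# temporarily so the AD installation wizard can register its SRV records;
# switch the zone to secure-only updates after promotion (Step 8).
Add-DnsServerPrimaryZone -Name $domain -ZoneFile "$domain.dns" `
    -DynamicUpdate NonsecureAndSecure

# Step 2: reverse lookup zone for the server subnet (IP address -> host name).
Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ZoneFile '0.0.10.in-addr.arpa.dns' `
    -DynamicUpdate NonsecureAndSecure

# Step 2: the primary DNS suffix must match the zone name exactly. These are the
# registry values behind the "Computer Name / Change / More" dialog; a restart
# is required before the new suffix is used.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $domain
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $domain

# Point the server's DNS client at itself and register (same as "ipconfig /registerdns").
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $serverIp
Register-DnsClient

# Step 3: verify forward and reverse registration. A mismatch here means the
# zone name or the suffix is wrong, and Active Directory must not be installed yet.
$fqdn = "$env:COMPUTERNAME.$domain"
$a    = Resolve-DnsName -Name $fqdn -Type A -Server $serverIp -ErrorAction Stop
$ptr  = Resolve-DnsName -Name $serverIp -Type PTR -Server $serverIp -ErrorAction Stop
if ($a.IPAddress -ne $serverIp -or $ptr.NameHost -ne $fqdn) {
    throw "DNS registration mismatch: A=$($a.IPAddress) PTR=$($ptr.NameHost)"
}
"DNS check passed for $fqdn ($serverIp)"
```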

Step 4: Install the Active Directory Domain Services role

In addition to Server Manager, administrators can also install the Active Directory binaries, including the management tools, from PowerShell. The command for this is "Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools".

Step 5: Start the installation of Active Directory

After the server role is installed, administrators start setting up the domain. This process is started in Server Manager via the notification icon. If the first domain of the forest is being created, administrators choose the option "Add new forest". Next, administrators choose the DNS name of the domain. This must match the DNS zone created earlier and the DNS suffix of the first domain controller.

On the next page of the wizard, the functional level of the forest, and thus of all its domains, as well as that of the individual domain, are set. The domain functional level can later be configured via the context menu of the domain in the "Active Directory Users and Computers" snap-in. The forest functional level is set via the "Active Directory Domains and Trusts" snap-in, also through the context menu. Raising a functional level cannot be undone. Administrators should enable the "Windows Server 2012 R2" functional level only if exclusively domain controllers running Windows Server 2012 R2 are used. The new domain controller also hosts the first global catalog server.

In the same window, the password for Directory Services Restore Mode is specified. This is the password of the local administrator account that is used when the server is started in Directory Services Restore Mode to restore Active Directory.

Step 6: Setting the DNS correctly


On the next page of the wizard for creating Active Directory, the wizard detects that a zone already exists if one was created beforehand. It then offers to install a new zone for Active Directory and to integrate it under the existing zone.

This DNS delegation should be activated so that the Active Directory data is bundled in a separate zone below the conventional zone. For this purpose, the wizard creates a new zone named "_msdcs" below the domain zone. In the original DNS zone, the wizard creates a delegation to the newly created zone. This ensures that changes to the server's DNS zone do not affect Active Directory.

Step 7: Completing the configuration

In the next windows, administrators specify the NetBIOS name of the new domain and set the location of the database and the logs. Then the folder that is used as the Netlogon and SYSVOL share must be chosen. This folder contains the logon scripts, and later the group policies are stored there. At the end, the wizard tests the server and checks whether Active Directory can be installed. After that, the promotion of the domain controller starts.
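Steps 4 to 7 as a single PowerShell run, using the pre-installation test in place of the wizard's final check. This is an added example, not code from the article; the forest root corp.example.com, the NetBIOS name CORP and the default paths are assumed values.

```powershell
# Added example (not from the original article): Steps 4-7 from PowerShell.
# Assumed values: forest root corp.example.com, NetBIOS name CORP, default paths.
$domain = 'corp.example.com'

# Step 4: install the AD DS binaries together with the management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 5: the DSRM password is the local administrator password used when the
# server is started in Directory Services Restore Mode; prompt for it rather
# than embedding it in a script.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = $domain
    DomainNetbiosName             = 'CORP'              # Step 7
    ForestMode                    = 'Win2012R2'         # only if every DC runs 2012 R2
    DomainMode                    = 'Win2012R2'         # raising a level cannot be undone
    InstallDns                    = $true               # DNS role on the new DC
    CreateDnsDelegation           = $true               # Step 6: delegation in the existing zone
    DatabasePath                  = 'C:\Windows\NTDS'   # Step 7: database location
    LogPath                       = 'C:\Windows\NTDS'   # Step 7: log location
    SysvolPath                    = 'C:\Windows\SYSVOL' # Step 7: Netlogon/SYSVOL share
    SafeModeAdministratorPassword = $dsrm
}

# Step 7: the wizard's final check, without changing anything on the server.
$check = Test-ADDSForestInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Pre-installation test failed; fix the reported issues before promoting.'
}

# Promote the server; it restarts when finished (-Force suppresses the confirmation).
Install-ADDSForest @params -Force
```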

Step 8: integrate DNS into Active Directory and configure secure updates


The first measure that should be taken after Active Directory has been installed is the integration of the DNS zones into Active Directory. Through this integration, the complete data of the DNS zones is distributed via Active Directory replication.

To check this configuration, administrators first open the DNS snap-in via Server Manager. To integrate the zone into Active Directory, proceed as follows:

    Right-click the zone and choose "Properties" from the context menu.
    On the "General" tab, the zone can be integrated into Active Directory by clicking the "Change" button next to "Type".
    In the "Change Zone Type" window, tick the "Store the zone in Active Directory" check box.


Once this setting has been made, the option "Secure only" can be activated under "Dynamic updates". With this setting, only computers that successfully authenticate to Active Directory can register themselves dynamically in DNS.

Step 9: Set DNS replication

Once the zone is integrated into Active Directory, administrators can also adjust the replication of the DNS data. In the properties of a zone, the "Change" button in the "Replication" area is used for this. Administrators can then configure to which servers on the network the DNS data is replicated. By default, the data of a DNS zone is replicated only to the domain controllers of the Windows domain. Replication can, however, easily be extended to other servers.
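Steps 8 and 9 from PowerShell on the new domain controller: AD integration, the switch to secure-only updates, and the replication scope, followed by a check of the result. This is an added example, not code from the article; the zone names corp.example.com and 0.0.10.in-addr.arpa are assumed values.

```powershell
# Added example (not from the original article): Steps 8 and 9 from PowerShell.
# Assumed values: forward zone corp.example.com, reverse zone 0.0.10.in-addr.arpa.
$zones = @('corp.example.com', '0.0.10.in-addr.arpa')

foreach ($zone in $zones) {
    # Step 8: convert the file-backed primary zone into an AD-integrated zone.
    # Its records are then distributed by AD replication instead of zone transfers.
    ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force

    # Only now switch from "non-secure and secure" to secure-only updates, so that
    # only computers that authenticated to AD can register or overwrite records.
    Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
}

# Step 9: "Domain" replicates to the DCs of this domain only; "Forest" extends the
# zone to every DC in the forest. Widen the scope only for zones other domains need.
Set-DnsServerPrimaryZone -Name 'corp.example.com' -ReplicationScope Forest

# Verify: every zone must report IsDsIntegrated = True and DynamicUpdate = Secure.
foreach ($zone in $zones) {
    $z = Get-DnsServerZone -Name $zone
    if (-not $z.IsDsIntegrated -or $z.DynamicUpdate -ne 'Secure') {
        throw "Zone $zone is not AD-integrated with secure updates (update mode: $($z.DynamicUpdate))"
    }
    $z | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope
}
```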

Step 10: Customize DNS IP settings


If administrators type "nslookup" at the command prompt on the domain controller after the installation of Active Directory has completed, they may get a somewhat confusing output: the server returns the address "::1".

This output is caused by the configuration of the network connections. To resolve the problem, proceed as follows:

    First open the management of your network connections with "ncpa.cpl".
    Look at the properties of the IPv6 protocol and select the option "Obtain DNS server address automatically". With this configuration, you avoid the misleading message in nslookup.
    Next open the properties of the IPv4 protocol. Here the wizard has entered the address of the local host (127.0.0.1) as the preferred DNS server. DNS queries do work with this, but the configuration is not clean and results in an erroneous output in nslookup. Enter the correct IPv4 address of the server here. After that, typing "nslookup" at the command prompt should no longer produce errors.

Step 11: Necessary rework by integrating an additional domain controller


Once administrators have added a new domain controller to the domain, they should still carry out some adjustments so that the domain controller is integrated optimally:

Check whether the data of the DNS zones is replicated to the new domain controller.

In the IP settings of each domain controller, enter the other domain controller as the preferred DNS server and the local server as the alternate DNS server, at least when both are located in the same site.

After a few minutes, you should check replication between the two domain controllers. To do so, start the "Active Directory Sites and Services" snap-in from the "Tools" menu in Server Manager. Navigate to the node with the name of the site and open the "Servers" node. All domain controllers should appear there.

If you click the plus sign next to each server, another entry labelled "NTDS Settings" appears below it. Clicking it displays each replication partner of the domain controller on the right-hand side.

If you right-click these automatically created connections, you can choose "Replicate Now" from the context menu. A window then appears that informs you of the successful replication.
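Steps 10 and 11 from PowerShell on a second domain controller: the DNS client settings described in both steps, a check that the AD-integrated zone has arrived, and the same replication status and "Replicate Now" action that the NTDS Settings node offers. This is an added example, not code from the article; the domain controllers DC01 (10.0.0.10) and DC02 (10.0.0.11), the adapter alias "Ethernet" and the zone corp.example.com are assumed values.

```powershell
# Added example (not from the original article): Steps 10 and 11 from PowerShell.
# Assumed values: DC01 = 10.0.0.10, DC02 = 10.0.0.11 (same site), adapter "Ethernet",
# zone corp.example.com. Run on DC02 after its promotion.
$self  = '10.0.0.11'
$other = '10.0.0.10'
$newDc = 'DC02'
$zone  = 'corp.example.com'

# Step 10: clear any static DNS server list for both IPv4 and IPv6. IPv6 is then
# left on "obtain automatically", so nslookup no longer reports ::1.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ResetServerAddresses

# Step 10/11: IPv4 must use a real server address instead of 127.0.0.1; with a
# second DC in the same site, the partner is preferred and the local server is
# the alternate.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses @($other, $self)
Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses

# Step 11: confirm the AD-integrated zone has replicated to the new DC.
if (-not (Get-DnsServerZone -ComputerName $newDc -Name $zone -ErrorAction SilentlyContinue)) {
    throw "Zone $zone has not replicated to $newDc yet"
}

# Replication status per partner: the data the "NTDS Settings" node shows.
Get-ADReplicationPartnerMetadata -Target $newDc |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult

# "Replicate Now" for all partners and partitions, then a summary of failures.
repadmin /syncall $newDc /AeP
repadmin /replsummary
```

A non-zero LastReplicationResult or an entry in the repadmin summary means the new domain controller is not yet in sync and should not be relied on for logons.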


