Friday, March 13, 2009

DCPromo and some DNS Best Practices

Below are the steps to promote a member server to be the domain controller in the existing forest. I am listing some best practices and recommendations going forward. Most of the listings below are pretty basic nothing advance. I am surprised to find many people are no aware of the basic and hence I am putting all these one more time to my student's attention.

**Here is the Doc version if you wish to download**

  • Make sure the server has configured correctly, the TCP/IP stack and DNS server is pointing to ***Existing DC/DNS***
  • After initial replication point the DC/DNS to itself as primary DNS server and to its neighbor DC/DNS server as secondary preferred DNS
  • ***Never*** point DC/DNS servers to ISP DNS server as their primary or secondary DNS ( most command killing mistake)
  • Don't use more than 1 NIC, DC's don't like multiple NIC cards
  • Forward the recursive queries which your domain is not authoritative for to the ISP DNS servers and let them do the heavy work.
  • Go to your DNS, forward lookup zone locate _msdcs.yourDomain.org , go to properties , click on name servers and make sure all the servers listed there are domain controller and they are functioning properly.
  • Tune up your DNS as it is explained in this article.
  • Make sure you have added the server into domain prior running DCPromo (optional), this ensures proper communication with domain , created A record for the server in the DNS database on the existing domain.
  • Run DCPromo as always to install ***.DIT*** database and remember the .DIT database is partitioned database ( domain, configuration, schema, application)
  • Remember best practices for deciding RAID and distributing the database, logs and the SysVol.

Component

Operations Performed

RAID System

Operating system files

Read and write operations

RAID 1

Active Directory log files

Mostly write operations

RAID 1

Active Directory database and SYSVOL shared folder

Mostly read operations

  • The logs kept to be by itself
  • Active Directory database and SYSVOL shared folder kept together on the same drive

*** The reality many companies (enterprise) goes with 2 RAID one set*** if you end up installing all on the same drive and you have multiple DC"s that is fine as well, when budged is suitable fallow the best practices to have less headache and good performance.

After DCPromo make sure

The new DC is functioning as DC

  • Check Site and services to make sure the new DC appears , click start,run,dssite.msc , and under sites default-First-Site-Name, expend servers folder
  • Make sure the server objects is there, NTDS settings , KCC has replication connections to other DC's
  • Click start, run, cmd and type **net Share** configure the SysVol folder is visible
  • Check the logs to make sure DC is healthy.



Oz Casey Dedeal

MVP (Exchange)

MCITP (EMA), MCITP (SA)

MCSE 2003, M+, S+, MCDST Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

3 comments:

Bert Mills said...

Thanks for the info. I've read a lot of conflicting things about pointing the DNS server to itself (as the it's primary DNS). Are there any Microsoft docs on this, or is this something the community just had to figure out?

Bert Mills said...

I should probably clarify. I'm referring to a multi-server AD/DNS deployment. I read a few places say that only the "primary" DNS server should point to itself (and have no alternate DNS), while all the rest point to the primary DNS first, then to each other for the alternate.

Oz Casey, Dedeal said...

The AD is multimaster replication model so there is no primary and secondary DC concept exist anymore. AD integrated DNS means DNS is part of .dit database and it gets replicated to every other AD integrated DNS servers via AD replication.
All domain controllers are authoritative for their DNs name space, and DNS is part of again the .dit database, it makes sense to point the DC/DNS serer itself as Primary DNS since DC/DNS server has the full DNS zone data within the database, choosing closest neighbor as alternative DNS is also very good practice.
I manage medium and large networks and all configured this was, and working flawless (-: so far over years

There are many articles will tell you do it the same way
Check out the George website he has great links to most good KB’s
http://blogs.dirteam.com/blogs/jorge/archive/2006/06/16/How-to-use-and-configure-DNS-in-an-AD-environment_3F00_.aspx

Thanks for reading my blog
best
oz