Windows Domain Setup at the UW
Introduction
Purpose of this document
This document is intended for support personnel or
system administrators at the University of Washington.
It covers setting up a Windows 2000 domain controller
that will be linked into the UW's existing DNS
structure. This document does not cover the details of
setting up and using Windows 2000; it assumes that you
are already familiar with the basics of using Windows
2000.
A note about the term "domain"
Throughout this document the word domain will
sometimes refer to a DNS domain and sometimes refer to a
Microsoft Windows domain. While in the past these two
concepts were separate and not interchangeable, that is
not as true today. With Windows 2000, Microsoft has
adopted the DNS naming conventions and structures for its
domains. For example, the domain name
"cs.washington.edu" is both the DNS and Windows 2000
domain name for Computer Science. For most
purposes, these terms are now interchangeable.
We recommend that you read
Windows Domain DNS reliance before setting up a
Windows domain.
Chapter 1: Requirements
The following chapters of this document assume that
you have already satisfied certain requirements. Those
requirements, and how to get more help in fulfilling them,
are outlined below.
Authority to run the domain controllers for your intended DNS domain
In Windows 2000, the Windows domain naming structure
parallels the DNS naming structure. Thus, the authority
and responsibility for the DNS and Windows domains are
one and the same. If you are unaware of the contact for
your department's DNS domain, wish to change the contact
person for your department, or wish to register a new
department, send email to help@uw.edu.
Windows 2000 servers installed as stand-alone servers
You should have at least two servers ready to act as
domain controllers. These machines should not be used as
workstations or provide other network services since
their stability and availability are paramount. The
reason for having more than one domain controller is that
if all of your domain controllers become simultaneously
unavailable, users cannot log in to your domain.
Additionally, if all of your domain controllers become
simultaneously unrecoverable, your domain will have to be
recreated from scratch.
The domain controllers do not have to have a great
deal of computing horsepower. Two domain controllers,
each with a PIII 450 CPU, 512MB of RAM and a 20GB hard
drive will be more than adequate for typical domains
serving around a hundred users provided they are only
acting as domain controllers. It is easy to add and/or
upgrade domain controllers in the future should you find
that you require more capacity.
A static IP address and DNS name assigned to your intended DCs
Since your domain controllers must be found by
workstations wishing to log into your domain, they must
be registered with static IP addresses and have a DNS
name in your intended domain. If you require a new DNS
registration or a modification to an existing one, send
email to netops@uw.edu.
Chapter 2: Setting Up Your Domain
Authorize your domain
In order to maintain the domain controllers for a
domain, you must be the domain contact person. Every
existing DNS domain already has a contact person listed.
If you are unsure of your domain contact person, you can
contact Network Operations to find this out. If you are
the domain contact, you can contact Network Operations to
request that your domain controller servers be registered
as such so that other computers can find them. This
process is outlined below.
If you have questions about the DNS domain contact
system, you can send email to help@uw.edu.
Register your domain controllers
Send email to help@uw.edu with the following information:
- The name of your DNS domain
- The full DNS names of your intended domain controllers
(there should be at least 2)
- Are you planning to upgrade an existing NT 4 domain
or create a new domain?
- Your timeline for the upgrade or installation
- Do you have trusts to other domains?
- The number of users in your domain
Example:
From: Jane Smith <jsmith@u.washington.edu>
To: netops@uw.edu
Subject: New Windows 2000 domain
Hi,
I'm Jane Smith, the domain contact for xyz.washington.edu.
I would like to register:
bert.xyz.washington.edu and ernie.xyz.washington.edu as
Windows 2000 domain controllers for my domain.
I will be upgrading an existing NT 4 domain, which is
used by approximately 50 people. I do not have trust
relationships with any other domains. I'd like to make the
transition to Windows 2000 around the first of
September.
Thanks,
Jane Smith
You will shortly get back a reply that those machines
are OK to use as the domain controllers and a FAQ
outlining the UW's campus-wide domain forest. You should
then decide if you want to join your domain to the campus
forest.
If you decide to join the UW campus forest, you will
need to set up an appointment with a UW Technology representative
to set up your domain controllers and join your domain to
the forest. You do not need to continue with this
document. An appointment is necessary because when you
first join the forest, the administrator of the forest
has to perform the join operation. You will not need the
forest administrator to set up subsequent domain
controllers, servers, or workstations in that domain.
If you decide not to join the UW campus forest, or are
not setting up the first domain controller in your
domain, continue with these instructions.
Chapter 3: Setting up the domain controllers
For each of your domain controllers, you should follow
the steps in this chapter. Some steps have
alternate actions depending on whether you are joining an
existing forest.
From the Start menu of your domain controller, select
Run and enter: DCPROMO

This will start the Active Directory Installation
Wizard.

If this is the first domain controller in your domain,
choose "Domain controller for a new domain". If this is
not the first one you have set up, choose "Additional
domain controller for an existing domain", click Next, and
authenticate to your existing domain.

Choose "Create new domain tree", even if you will be
joining an existing forest.

If you are joining an existing forest, choose "Place
this new domain tree in an existing forest". Otherwise,
choose "Create a new forest of domain trees".

If you are joining an existing forest, you will be
asked for credentials to use to join. You will need to
get this information from the administrator of the forest
you are joining. This account must have authority to add
domains to the forest.

Enter the name of your domain.

Specify a NetBIOS name for your new domain. This name
will be used by older operating systems (Windows 98, NT
4.0, etc.) should you choose to support those operating
systems.

If you have separate physical hard disks, it's a good
idea to keep the database and log on separate disks.
Otherwise, one could slow the other down.

Enter a directory for the public files area of your
Active Directory tree.

At this point, you may see the following message. You
can safely ignore this, as you will be sending DNS
registration information in a later step.

Choose No, you will be configuring this later.

Unless you have a mixed environment with Windows NT
4.0 servers that use Active Directory information, you
should choose to set the more strict Windows 2000 only
permissions.

Enter a password to be used if you must restore the
Active Directory. This will also be your initial
administrator password.

Review your setup and click next to start the
configuration process. You will see a screen similar to
the following for a few minutes.

When the configuration process completes, you will be
directed to restart your computer. After your domain
controller restarts, log in to your new domain as
administrator.
Send DNS information to Network Operations
Find the file NETLOGON.DNS from your domain
controller's <WINDIR>\SYSTEM32\CONFIG directory.
<WINDIR> will usually be C:\WINNT.
Attach this file to an email message to help@uw.edu with
a subject or short message of: DNS entries for Windows
2000 domain xyz.washington.edu. (Use your own domain
here, of course.) Do not edit the file or paste it into
the body of the message. Attach it to the message using
a MIME-compatible mailer such as Outlook Express or
pine. If you are setting up multiple domain controllers,
you can send all of their files as attachments to one message.
You will shortly receive an email that this
information has been entered into the UW's DNS servers.
If this is a change to an existing Windows 2000 domain,
it can take up to 24 hours for the old information to be
overwritten. Otherwise, your new domain is ready for use
as soon as you complete the next section.
Turn Off Dynamic DNS
By default, a Windows 2000 or 2003 domain controller
will try to periodically update its DNS server with new
information. Since the DNS servers at the UW do not
accept dynamic updates, this will cause unnecessary
network traffic and trigger error events in your event
logs.
To turn off dynamic DNS updates on a domain
controller:
You should disable (uncheck) the "Register this
connection's addresses in DNS" setting. This property can
be found in the DNS tab of the Advanced TCP/IP Settings
dialog in the properties of your local area network
connection.
This should be done on every network interface for the
domain controller.
If you would like information on how to turn off DNS
updates on your workstations using group policy objects,
see Microsoft Knowledge Base article
Q294832.
If you are not using the UW's DNS servers and are
running your own DNS servers that support dynamic
updates, you can disregard this section.
Configure a time server
Since Windows 2000 uses Kerberos authentication,
having the correct time is critical. If this is the
first domain controller you are setting up, you must give
it an external time source as follows:
- Open a command shell as administrator
- Enter: net time /setsntp:time.u.washington.edu
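The command above only tells the Windows Time service which source to follow; it does not show you how far off the clock actually is. The script below is an added example (not part of this page or any UW or Microsoft tool) that sends a single SNTP client request, parses the reply according to the NTP wire format, and reports the local clock offset against the 5-minute Kerberos default for "Maximum tolerance for computer clock synchronization". It assumes UDP port 123 is reachable; the server name is the one given on the page, and the embedded reply used for offline testing is constructed.

```python
"""Measure this host's clock offset against an SNTP/NTP source and judge it
against the Kerberos clock-skew tolerance. Added example for this page; the
packet layout follows RFC 4330/5905 and the 5-minute limit is the Windows
default for "Maximum tolerance for computer clock synchronization"."""
import socket
import struct
import time

NTP_UNIX_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 to 1970-01-01
KERBEROS_MAX_SKEW_SECONDS = 300     # Windows default Kerberos policy value
NTP_PORT = 123


def build_client_request():
    """48-byte SNTP request: LI=0, VN=3, Mode=3 (client); every other field zero."""
    return b"\x1b" + b"\x00" * 47


def parse_server_reply(packet):
    """Validate a server reply and return its Transmit Timestamp as Unix seconds.

    Rejects packets that are too short, not in server mode (4), or that carry
    stratum 0, which is a kiss-o'-death code rather than usable time.
    """
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode}, expected 4 (server)")
    if packet[1] == 0:
        raise ValueError("stratum 0 reply (kiss-o'-death); server refused to serve time")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_UNIX_EPOCH_DELTA + fraction / 2 ** 32


def clock_offset(server_time, local_time):
    """Positive means the local clock is behind the server."""
    return server_time - local_time


def within_kerberos_tolerance(offset, tolerance=KERBEROS_MAX_SKEW_SECONDS):
    """True if tickets exchanged with this clock would not be rejected for skew."""
    return abs(offset) <= tolerance


def measure_offset(server="time.u.washington.edu", timeout=3.0):
    """Query the SNTP source named on the page and return the offset in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
    return clock_offset(parse_server_reply(data), time.time())


# Constructed reply for offline use: mode 4, stratum 2, Transmit Timestamp of
# 2023-11-14T22:13:20.5Z (NTP seconds 3908988800, fraction 0x80000000).
SAMPLE_REPLY = (bytes([0x1C, 2]) + b"\x00" * 38
                + struct.pack("!II", 3908988800, 0x80000000))

if __name__ == "__main__":
    try:
        off = measure_offset()
        print(f"offset {off:+.3f}s, within Kerberos tolerance: "
              f"{within_kerberos_tolerance(off)}")
    except (OSError, ValueError) as exc:
        print(f"query failed: {exc}")
```

Run it on each domain controller after setting the SNTP source; an offset approaching the tolerance is a sign the Windows Time service is not actually syncing, and clients will start failing Kerberos authentication well before the clock looks obviously wrong.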
Chapter 4: Removing a domain controller
If you wish to remove a domain controller from an
existing domain, follow these steps. NOTE: If you
remove the last remaining domain controller for a domain,
all Active Directory information from that domain will be
permanently lost. In addition, removing the last domain
controller from a domain requires Enterprise
Administrator privileges. If this domain is part of the
UW forest, this means you will need to schedule the
removal through help@uw.edu.
- Click Start, click Run, type dcpromo, and then
click OK.
- This starts the Active Directory Installation
Wizard. Click Next.
- There is a check box in the Remove Active Directory
screen. If this computer is the last domain controller
in the domain, select the check box before clicking Next.
Otherwise, just click Next.
- In the next screen, set the password for the
administrator account on the server after Active
Directory is removed. Type the appropriate password in
the Password and Confirm Password boxes, and then click
Next.
- In the Summary screen, review and confirm the
options you selected, and then click Next.
- The wizard begins the process of removing Active
Directory from the server. After the process is
finished, a message indicates that Active Directory was
removed from the computer.
- Click Finish to quit the wizard.
- Restart the computer.
- Send an email message to help@uw.edu from
your DNS domain contact with a short message of:
Please remove all SRV and CNAME records for
dcserver1.xyz.washington.edu (use your own DC and
domain here, of course).
It can take up to 24 hours for the old information to
be overwritten. During this time you may see some errors
as clients and servers try to contact the demoted domain
controller.
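The NETLOGON.DNS file attached in the "Send DNS information" step of Chapter 3 and the removal request at the end of this chapter concern the same set of SRV and CNAME records. Because Network Operations enters those records by hand and it can take a day for corrections to propagate, it is worth checking the file before sending it and knowing exactly which records to ask for when a DC is demoted. The script below is an added example (not part of this page or any UW or Microsoft tool): it parses the zone-file style lines that NETLOGON.DNS contains, flags any record whose owner falls outside the domain, whose SRV/CNAME target is not one of the registered DCs, or whose A record is not one of the registered static addresses, and lists the records pointing at a given DC. The domain xyz.washington.edu, the DCs bert and ernie, the address and the GUID in the sample are constructed, and the sample's last line deliberately contains a typo ("bret") so the check has something to catch.

```python
"""Sanity-check a NETLOGON.DNS file before it goes to Network Operations, and
list the SRV/CNAME records to withdraw when a domain controller is demoted.
Added example for this page, not a UW or Microsoft tool; the sample records
below are constructed (made-up host names, address and GUID)."""
import ipaddress
import sys
from collections import namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata target")

# Constructed sample in the one-record-per-line zone-file style that
# NETLOGON.DNS uses. The last line deliberately names a host that was never
# registered ("bret" instead of "bert"), the kind of mistake the check catches.
SAMPLE_NETLOGON_DNS = """\
xyz.washington.edu. 600 IN A 128.95.10.11
_ldap._tcp.xyz.washington.edu. 600 IN SRV 0 100 389 bert.xyz.washington.edu.
_ldap._tcp.dc._msdcs.xyz.washington.edu. 600 IN SRV 0 100 389 bert.xyz.washington.edu.
_kerberos._tcp.xyz.washington.edu. 600 IN SRV 0 100 88 bert.xyz.washington.edu.
_kerberos._tcp.dc._msdcs.xyz.washington.edu. 600 IN SRV 0 100 88 bert.xyz.washington.edu.
_kpasswd._tcp.xyz.washington.edu. 600 IN SRV 0 100 464 bert.xyz.washington.edu.
_gc._tcp.xyz.washington.edu. 600 IN SRV 0 100 3268 bert.xyz.washington.edu.
_ldap._tcp.Default-First-Site-Name._sites.xyz.washington.edu. 600 IN SRV 0 100 389 bert.xyz.washington.edu.
0fd0a0a0-0000-4000-8000-000000000001._msdcs.xyz.washington.edu. 600 IN CNAME bert.xyz.washington.edu.
_ldap._tcp.xyz.washington.edu. 600 IN SRV 0 100 389 bret.xyz.washington.edu.
"""


def _fqdn(name):
    """Normalise a DNS name: lower case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_netlogon_dns(text):
    """Parse 'owner ttl IN type rdata...' lines into Record tuples."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"line {lineno}: not an 'owner ttl IN type rdata' record")
        owner, ttl, rtype, rdata = fields[0], int(fields[1]), fields[3].upper(), fields[4:]
        if rtype == "SRV":
            if len(rdata) != 4:
                raise ValueError(f"line {lineno}: SRV needs priority weight port target")
            target = _fqdn(rdata[3])
        elif rtype == "CNAME":
            target = _fqdn(rdata[0])
        else:
            target = None
        records.append(Record(_fqdn(owner), ttl, rtype, tuple(rdata), target))
    return records


def check_records(records, domain, dc_names, dc_addresses):
    """Return problem descriptions; an empty list means every record names
    only the domain, DCs and static addresses that were registered."""
    domain = _fqdn(domain)
    dcs = {_fqdn(n) for n in dc_names}
    addrs = {ipaddress.ip_address(a) for a in dc_addresses}
    problems = []
    for r in records:
        if r.owner != domain and not r.owner.endswith("." + domain):
            problems.append(f"{r.owner} {r.rtype}: owner is outside {domain}")
        if r.rtype in ("SRV", "CNAME"):
            if r.target not in dcs:
                problems.append(f"{r.owner} {r.rtype}: target {r.target} is not a registered DC")
        elif r.rtype == "A":
            if ipaddress.ip_address(r.rdata[0]) not in addrs:
                problems.append(f"{r.owner} A: {r.rdata[0]} is not a registered static address")
        else:
            problems.append(f"{r.owner}: unexpected record type {r.rtype}")
    return problems


def records_for_dc(records, dc_name):
    """SRV and CNAME records pointing at one DC: the list to send with a removal request."""
    dc = _fqdn(dc_name)
    return [r for r in records if r.rtype in ("SRV", "CNAME") and r.target == dc]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETLOGON_DNS
    recs = parse_netlogon_dns(text)
    for p in check_records(recs, "xyz.washington.edu",
                           ["bert.xyz.washington.edu", "ernie.xyz.washington.edu"],
                           ["128.95.10.11"]):
        print("PROBLEM:", p)
    for r in records_for_dc(recs, "bert.xyz.washington.edu"):
        print("remove:", r.owner, r.rtype, " ".join(r.rdata))
```

Run it as `python check_netlogon.py NETLOGON.DNS` with your own domain, DC names and addresses substituted in the `__main__` block. Every SRV and CNAME target in the file should be one of the DC names you registered in Chapter 2; anything else is either a typo or a host that should not be advertised as a domain controller, and both are easier to fix before Network Operations enters the records than after.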
Chapter 5: Where to go from here
There is documentation available for Windows at the UW.
For help with a Windows domain that you administer or for general help with Windows at the UW, please send mail
to help@uw.edu.
Please note that UW Technology can only provide support for
the services that it offers and can only respond to
specific questions.