====== Windows Domain Controller Notes ======
http://srvcore.wordpress.com/2010/02/06/active-directory-windows-2008-and-2008-r2-useful-documentation/

===== Remote Sites =====
http://www.jppinto.com/2010/07/dcpromo-on-windows-server-2008/

==== Overview ====
The branch site will have a Domain Controller that is also a Global Catalog (GC) and DNS server.

=== On Main Site DC ===
  - Verify intra-site replication first
    - http://technet.microsoft.com/en-us/library/cc736355%28WS.10%29.aspx
    - Requires install of Support Tools
      - http://technet.microsoft.com/en-us/library/cc755360%28WS.10%29.aspx
    - ''repadmin /showrepl''
    - ''repadmin /showrepl backupdcname''
  - Prepare the forest and domain for the new 2008 DC
    - Use the 2008 (R2) media on the 2003 PDC
      - You can use the free MagicISO to mount the ISO file
    - ''d:\support\adprep\adprep32 /forestprep''
    - ''d:\support\adprep\adprep32 /domainprep /gpprep''
  - Use ADSS (Active Directory Sites and Services) to verify the main and branch sites are created
    - Verify the correct subnets are assigned to both sites
  - Use DNS Manager to create reverse lookup zones (AD integrated) for each subnet
  - If you can, build the branch office DC and join it to the domain as a member server
    - Do not DCPromo yet
    - Install the DNS Server role

=== At Branch Office ===
  - Switch on the new DC (still a member server)
  - Configure the IP address for the new site
  - Verify the DNS Server role is installed
    - AD integrated
  - Make sure the new DC has the main site DC as its primary DNS server
  - Check that the VPN is established
    - Ping the main site DC by name
    - Ping the main site DC by FQDN
  - DCPromo (will be slower than at the main site)
    - Make the new server a Global Catalog server
    - Make the new server a DNS server
    - If a static IPv4 address is assigned, you can ignore the DHCP warning
    - If you see a DNS delegation warning, you can click Yes to continue
  - Use ADSS
    - Check that the new server is in the correct site
    - Right-click the NTDS Settings object under the PDC
      - All Tasks -> Check Replication Topology
    - Refresh the Sites folder
    - Connections should appear under all NTDS Settings objects in both sites
    - Check that site links have been created under Inter-Site Transports/IP
      - From old to new
      - New to old
      - Manually create them on both DCs if needed
  - Create test objects in AD at both ends and wait until they have replicated to the other server
    - Be patient
  - Change networking on the new DC to point to itself as first DNS server and the main site DC as second

==== Reference ====
http://srvcore.wordpress.com/2010/02/04/domain-controllers-and-active-directory-domains-part-3/
http://technet.microsoft.com/en-us/library/cc816705%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc794962%28WS.10%29.aspx

==== Planning and Deploying AD to Remote Sites ====
http://technet.microsoft.com/en-us/library/cc749943.aspx
http://technet.microsoft.com/en-us/library/cc749914.aspx

==== Active Directory Sites and Services ====
=== Site ===
  * Create a new Site
=== Subnet ===
  * Prefix
    * 192.168.1.0/24
  * Assign the new subnet to the new site
  * Multiple subnets are possible per site
  * This is how authentication and apps know which DC to contact
=== Site Link ===
  * Properties
    * Verify both sites are using the same Site Link
    * Replication interval
      * 15 min
  * AD Intersite Change Notification (optional)
    * http://www.frickelsoft.net/blog/?p=145

==== Configure Server ====
=== Networking ===
  * Static IP Address
    * Matches the subnetting above
  * Primary DNS Server
    * Use the PDC or another existing DC/DNS server
=== Firewall ===
  * If a firewall exists between the sites/DCs
    * See KB179442
=== Install Active Directory ===
  * ''dcpromo.exe''
    * Choose the new site created above
    * Add roles
      * DNS
      * Global Catalog
  * Reboot the server
=== Verify AD Configuration ===
  * Active Directory Sites and Services
    * Browse to (new site) -> Servers -> ServerName -> NTDS Settings
    * Right-click -> Replicate Now
      * A warning may not represent a real problem
        * especially after the first reboot
    * Right-click the top level and change to another DC
      * Try the same tests
  * Troubleshooting
    * Be patient and wait for the replication to occur
    * Reboot again
    * Review the firewall configuration
=== Configure DNS Server ===
  * Reverse Lookup Zone for the new subnet
  * DNS Manager
    * Review the Forward Lookup records for the new DC
    * Create new PTR records for the new DC and clients in the new site
    * Create a new Reverse Lookup Zone
      * Primary zone
      * Store the zone in AD (replicated)
        * All DNS servers running on DCs
      * Network ID
        * 192.168.1
      * Allow only secure dynamic updates
=== NIC DNS Settings ===
http://support.microsoft.com/kb/825036
  * Set the Primary DNS server to the PDC
    * Consider setting the Primary DNS server to its own IP after replication is successful
  * Set the Secondary DNS Server to the PDC or closest DC
  * Advanced TCP/IP Settings
    * Add remote DC/DNS server(s) as backup
    * Add additional DNS servers if desired
=== DHCP Server ===
  * Configure the DHCP server to hand out the local DC/DNS server as primary
  * Configure the DHCP server to hand out the remote DC/DNS server as backup

===== Troubleshooting =====
''dcdiag /test:dns''
''dcdiag -v |more''
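As an added example (not part of these notes), the following PowerShell script runs the post-DCPromo checks from the branch-office list on the new DC itself: site membership, NIC DNS order, replication status, the reverse lookup zone, and ''dcdiag /test:dns''. The site name and main-site DC address are assumptions to adjust; the reverse zone name follows from the 192.168.1.0/24 subnet used above.

```powershell
# Added example, not from the original notes. Run in an elevated PowerShell
# on the new branch DC after DCPromo and the final NIC DNS change.
param(
    [string]$ExpectedSite = 'BranchSite',             # assumption: site created in ADSS
    [string]$MainSiteDcIp = '10.0.0.10',              # assumption: main site DC/DNS server
    [string]$ReverseZone  = '1.168.192.in-addr.arpa'  # from the 192.168.1.0/24 subnet
)
$problems = @()

# 1. Site membership: the DC must sit in the branch site, not Default-First-Site-Name
$site = (& nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
if ($site -ne $ExpectedSite) { $problems += "Site is '$site', expected '$ExpectedSite'" }

# 2. NIC DNS order: own IP first, main site DC second (last step of the branch list)
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder } | Select-Object -First 1
$ownIp = @($nic.IPAddress) | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } | Select-Object -First 1
$dns = @($nic.DNSServerSearchOrder)
if ($dns[0] -ne $ownIp -or $dns[1] -ne $MainSiteDcIp) {
    $problems += "DNS order is $($dns -join ', '); expected $ownIp, $MainSiteDcIp"
}

# 3. Replication: a partner with failures means the new connection objects are not working
$rows = & repadmin /showrepl /csv | ConvertFrom-Csv
foreach ($r in $rows) {
    if ([int]$r.'Number of Failures' -gt 0) {
        $problems += "Replication from $($r.'Source DSA') for $($r.'Naming Context') failing, status $($r.'Last Failure Status')"
    }
}

# 4. AD-integrated reverse lookup zone for the branch subnet is present on this DNS server
$zones = & dnscmd /enumzones
if (-not ($zones -match [regex]::Escape($ReverseZone))) { $problems += "Reverse zone $ReverseZone not found" }

# 5. Same dcdiag DNS test as the Troubleshooting section; look for a 'failed test' line
$dcdiag = & dcdiag /test:dns
if ($dcdiag -match 'failed test') { $problems += 'dcdiag /test:dns reported a failure' }

if ($problems.Count -eq 0) { 'Branch DC checks passed' } else { $problems | ForEach-Object { "FAIL: $_" } }
```

Repeat the script after waiting a while, since replication warnings right after the first reboot often clear on their own.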