
Windows 2000/Server 2003
MEGA LAB SERIES
www.trainsignal.com

Active Directory Sites & Services in Windows 2000 & Server 2003
Video CBT Lab 16
Part 3 of 3 in the Advanced Active Directory in Windows 2000 & Server 2003 Series

© Train Signal, Inc, 2005



Page 1 of 85 © Train Signal, Inc., 2002-2005


About the Author

Obaid Chhatriwala (MBA, MCSE, Security+, CNA) is an experienced technology
consultant and trainer. He has designed and administered networks for a variety of
industries, including healthcare and financial companies. He also has over 9 years’ experience
of teaching a variety of computer courses in Windows NT, Windows 2000/2003, Windows
XP, Novell Netware, Cisco Routing and Switching, Network Security and Computer
Hardware. You will greatly benefit from Obaid’s true passion for education and the amount
of detail that he covers whenever he undertakes computer networking training.

Train Signal, Inc.


400 West Dundee Road
Suite #106
Buffalo Grove, IL 60089
Phone - (847) 229-8780
Fax – (847) 229-8760
www.trainsignal.com

Copyright and other Intellectual Property Information


© Train Signal, Inc., 2002. All rights are reserved. No part of this publication, including
written work, videos, and on-screen demonstrations (together called “the Information” or
“THE INFORMATION”), may be reproduced or distributed in any form or by any means
without the prior written permission of the copyright holder.

Products and company names, including but not limited to, Microsoft, Novell and Cisco, are
the trademarks, registered trademarks, and service marks of their respective owners.



Disclaimer and Limitation of Liability

Although the publishers and authors of the Information have made every effort to ensure
that the information within it was correct at the time of publication, the publishers and the
authors do not assume and hereby disclaim any liability to any party for any loss or damage
caused by errors, omissions, or misleading information.

TRAIN SIGNAL, INC. PROVIDES THE INFORMATION "AS-IS." NEITHER TRAIN
SIGNAL, INC. NOR ANY OF ITS SUPPLIERS MAKES ANY WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED. TRAIN SIGNAL, INC. AND ITS SUPPLIERS
SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF TITLE, NON-
INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THERE IS NO WARRANTY OR GUARANTEE THAT THE OPERATION
OF THE INFORMATION WILL BE UNINTERRUPTED, ERROR-FREE, OR VIRUS-
FREE, OR THAT THE INFORMATION WILL MEET ANY PARTICULAR
CRITERIA OF PERFORMANCE OR QUALITY. YOU ASSUME THE ENTIRE RISK
OF SELECTION, INSTALLATION AND USE OF THE INFORMATION.
IN NO EVENT AND UNDER NO LEGAL THEORY, INCLUDING WITHOUT
LIMITATION, TORT, CONTRACT, OR STRICT PRODUCTS LIABILITY, SHALL
TRAIN SIGNAL, INC. OR ANY OF ITS SUPPLIERS BE LIABLE TO YOU OR ANY
OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING WITHOUT
LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE,
COMPUTER MALFUNCTION, OR ANY OTHER KIND OF DAMAGE, EVEN IF
TRAIN SIGNAL, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. IN NO EVENT SHALL TRAIN SIGNAL, INC. BE LIABLE FOR
DAMAGES IN EXCESS OF TRAIN SIGNAL, INC.'S LIST PRICE FOR THE
INFORMATION.

To the extent that this Limitation is inconsistent with the locality where you use the
Software, the Limitation shall be deemed to be modified consistent with such local law.
Choice of Law:
You agree that any and all claims, suits, or other disputes arising from your use of the
Information shall be determined in accordance with the laws of the State of Illinois, in the
event Train Signal, Inc. is made a party thereto. You agree to submit to the jurisdiction of
the state and federal courts in Cook County, Illinois for all actions, whether in contract or in
tort, arising from your use or purchase of the Information.



TABLE OF CONTENTS
INTRODUCTION ... 7
LAB SETUP ... 9
  SETTING UP THE LAB ... 10
    COMPUTER 1 ... 12
    COMPUTER 2 ... 12
    COMPUTER 3 ... 12
    COMPUTER 4 ... 12
LAB 1 ... 15
  SCENARIO – PART ONE ... 16
  ACTIVE DIRECTORY ... 18
  INSTALLING ACTIVE DIRECTORY ... 18
  CREATING THE ANSWER FILE FOR ACTIVE DIRECTORY INSTALLATION ... 19
  INSTALLING ACTIVE DIRECTORY ... 20
  CREATING AN ADDITIONAL DOMAIN CONTROLLER FOR BENANDBRADY.COM ... 22
  DOMAIN AND SITE VERIFICATION AND REPLICATION ... 24
  INSTALLING A ROUTER IN THE BENANDBRADY.COM NETWORK ... 27
  TESTING ROUTING IN THE BENANDBRADY.COM NETWORK ... 31
  INSTALLING AN ADDITIONAL DOMAIN CONTROLLER IN THE 200.200.202.0 SUBNET ... 32
LAB 2 ... 33
  SCENARIO – PART TWO ... 34
  WHAT IS A SITE? ... 35
  CONFIGURING SITES ... 35
  CREATING SITES ... 36
    STEP 1: CREATE A NEW SITE CALLED NC ... 36
    STEP 2: CREATE A SUBNET AND ASSOCIATE IT WITH A SITE ... 37
    STEP 3: MOVE A DOMAIN CONTROLLER OBJECT TO THE NC SITE ... 38
    STEP 4: DESIGNATE A SITE LICENSE SERVER FOR THE NC SITE ... 39
  TESTING ACTIVE DIRECTORY REPLICATION ... 40
LAB 3 ... 41
  SCENARIO – PART THREE ... 42
  REPLICATION TYPES IN ACTIVE DIRECTORY ... 43
  CONFIGURING INTERSITE REPLICATION ... 43
    STEP 1: CREATE SITE LINKS ... 44
    STEP 2: CONFIGURE SITE LINK ATTRIBUTES ... 45
    STEP 3: CONFIGURE A BRIDGEHEAD SERVER ... 47
    STEP 4: CREATE SITE LINK BRIDGES ... 48
    STEP 5: CREATE AND CONFIGURE CONNECTION OBJECTS ... 49
  GLOBAL CATALOG SERVERS ... 50
  UNIVERSAL GROUP CACHING ... 50
LAB 4 ... 55
  SCENARIO – PART FOUR ... 56
  INSTALLING THE ACTIVE DIRECTORY SUPPORT TOOLS ... 57
  ACTIVE DIRECTORY REPLICATION MONITOR (REPLMON.EXE) ... 58
  REPLICATION DIAGNOSTICS TOOL (REPADMIN.EXE) ... 63
  DIRECTORY SERVICES UTILITY (DSASTAT.EXE) ... 65
  DOMAIN CONTROLLER DIAGNOSTIC TOOL (DCDIAG.EXE) ... 66
  ACTIVE DIRECTORY SIZER ... 67
LAB 5 ... 71
  SCENARIO – PART FIVE ... 72
  DOMAIN FUNCTIONAL LEVELS ... 73
  FOREST FUNCTIONAL LEVELS ... 77
  OPERATIONS MASTER ROLES ... 80
  MANAGING OPERATIONS MASTER ROLES ... 83


Introduction

Welcome to Train Signal!

This series of labs on Windows 2003 is designed to give you detailed, hands-on experience
working with Windows 2003. Train Signal’s Audio-Visual Lab courses are targeted towards
the serious learner, those who want to know more than just the answers to the test
questions. We have gone to great lengths to make this series appealing to both those who
are seeking Microsoft certification and to those who want an excellent overall knowledge of
Windows 2003.

Each of our courses puts you in the driver’s seat, working for different fictitious companies,
deploying complex configurations and then modifying them as your company grows. They
are not designed to be a “cookbook lab,” where you follow the steps of the “recipe” until
you have completed the lab and have learned nothing. Instead, we recommend that you
perform each step and then analyze the results of your actions in detail.

To complete these labs yourself, you will need three computers equipped as described in the
Lab Setup section. You also need to have a foundation in Windows 2003 and TCP/IP
concepts. You should be comfortable with installing Windows XP Professional or Windows
Server 2003 and getting the basic operating system up and running. Each of the labs in this
series will start from a default installation of Windows 2000 and will then run you through
the basic configurations and settings that you must use for the labs to be successful. It is
very important that you follow these guidelines exactly, in order to get the best results from
this course.

The course also includes a CD-ROM that features an audio-visual walk-through of all of the
labs in the course. In the walk-through, you will be shown all of the details from start to
finish on each step, for every lab in the course. During the instruction, you will also benefit
from live training that discusses the current topic in great detail, making you aware of many
of the fine points associated with the current topic.

Thanks for choosing Train Signal!

Scott Skinger
Owner
Train Signal, Inc.

Lab Setup



Setting up the Lab
1. Computer Equipment Needed

Item              Minimum                                 Recommended
Computers         (4) Pentium I 133 MHz                   (4) Pentium II 300 MHz or greater
Memory            256 MB                                  512 MB
Hard Drive        4 GB                                    10 GB or larger
NIC               1 NIC card for each server (3),         1 NIC card for each server (3),
                  2 NIC cards for Router (1)              2 NIC cards for Router (1)
Switch or Hub     1                                       1
Network Cable     (5) Category 5 cables                   (5) Category 5 cables

You are strongly urged to acquire all of the recommended equipment in the list above. It
can all be easily purchased from eBay or another source, for around $500 (less if you already
have some of the equipment). This same equipment is used over and over again in all of
Train Signal’s labs and will also work great in all sorts of other network configurations that
you may want to set up in the future. It will be an excellent investment in your education.
You may also want to look into a disk-imaging product such as Norton Ghost. Disk
imaging software will save you a tremendous amount of time when it comes to reinstalling
Windows 2000/Server 2003 for future labs. Many vendors offer trial versions or personal
versions of their products that are very inexpensive.



2. Computer Configuration Overview

Computer Number   Computer Name   IP Address                                OS                    Additional Configurations
1                 DC1             200.200.201.1/24                          Windows Server 2003
2                 DC2             200.200.201.2/24                          Windows Server 2003
3                 DC3             200.200.202.1/24                          Windows Server 2003
4                 ROUTER          200.200.201.254/24, 200.200.202.254/24    Windows Server 2003

***Important Note***
This lab should NOT be performed on a live production network. You should only use computer
equipment that is not part of a business network AND is not connected to a business network.
Train Signal Inc. is not responsible for any damages. Refer to the full disclaimer and limitation of
liability which appears at the beginning of this document and on our Website at:
www.trainsignal.com



3. Detailed Lab Configuration

Computer 1
Computer 1 will be named DC1 and the operating system on this computer will be Windows
Server 2003. If you do not have a copy of Windows Server 2003 you can obtain an
evaluation copy within the Microsoft Press series of books or through Microsoft’s website.

DC1 will have a static IP address of 200.200.201.1 with a 255.255.255.0 subnet mask. The
default gateway will be 200.200.201.254 and you should enter this computer’s own IP
address for the Preferred DNS field 200.200.201.1. The alternate DNS Server field can be
left blank. See figure 1, next page.

Computer 2
Computer 2 will be named DC2 and Windows Server 2003 will be installed on this
computer. DC2 will have a static IP address of 200.200.201.2 with a 255.255.255.0 subnet
mask. The default gateway will be 200.200.201.254 and the DNS server will be
200.200.201.1. You can leave the alternate DNS setting blank. See figure 1, next page.

Computer 3
Computer 3 will be named DC3 and Windows Server 2003 will be installed on this
computer. DC3 will have a static IP address of 200.200.202.1 with a 255.255.255.0 subnet
mask. The default gateway will be 200.200.202.254 and DNS server will be 200.200.201.1.
You can leave the alternate DNS setting blank. See figure 1, next page.

Computer 4
Computer 4 will be named ROUTER and Windows Server 2003 will be installed on this
computer. ROUTER will have 2 NIC cards. The first NIC card will be labeled CA and will
have a static IP address of 200.200.201.254 with a 255.255.255.0 subnet mask. The second
NIC card will be labeled NC and will have an IP address of 200.200.202.254 with a subnet
mask of 255.255.255.0. You should configure the preferred DNS server setting to point to
DC1, 200.200.201.1, and leave the alternate DNS setting blank. See figure 1, next page.



[Figure 1: Active Directory Lab Setup diagram. Computer Name: DC1, Static IP 200.200.201.1;
Computer Name: DC2, Static IP 200.200.201.2; Computer Name: DC3, Static IP 200.200.202.1;
Computer Name: ROUTER, Static IPs 200.200.201.254 and 200.200.202.254; the 200.200.201.0
computers connect through a Switch.]

(Figure 1)

Lab 1
Unattended Active Directory Installation of Benandbrady.com

You will learn how to:

• Perform an unattended installation of Active Directory
• Add additional domain controllers
• Test Active Directory replication between domain controllers
• Install and configure a router for benandbrady.com
• Replicate Active Directory across the subnets



Scenario – Part One
Ben & Brady’s Ice Cream Corp. is a manufacturer of gourmet ice cream products that are
sold internationally. They are in the process of migrating their network from Novell to
Windows Server 2003 as well as replacing all of their current servers with new equipment.
Their main headquarters is located in San Francisco and they have a manufacturing facility in
Charlotte, North Carolina. The San Francisco office is connected to the Internet with a full
T1 (1.544 Mbps) and Microsoft’s ISA Server (firewall) will protect the internal network. The
facility in Charlotte is used to manufacture ice cream and to ship to Ben & Brady’s East
Coast distributors. The San Francisco office has just purchased five servers and 25
workstations. The servers will be running Windows Server 2003 and the 25 workstations will
be running Windows XP Professional. The Charlotte location also has five new servers that
were recently purchased, all running Windows Server 2003 and 45 workstations, all running
Windows XP Professional. Charlotte is connected to the Internet with a Fractional T1 (768
Kbps) and they also use ISA Server to protect their internal network. The two locations will
be connected together through a VPN that will be formed between the two ISA Servers over
the Internet.

Ben & Brady’s Ice Cream Co. has hired you on a contract basis, to help with the
implementation of a new pristine Windows 2003 domain. You have been given the task of
installing the first domain controller on the network at the San Francisco office, which will
install Active Directory and create a new domain for Ben & Brady’s Ice Cream Co. You are
also in charge of making sure that all of the installed client computers are able to join the
new domain. The Operations Manager, Jill, also mentions that there is an opportunity for
you to become a full time Administrator with the company, if the project goes well.

In this lab, you will create a new domain for Ben & Brady’s Ice Cream Co., called
benandbrady.com, by building the first domain controller on the network using the Active
Directory installation program. Once your domain controller is working properly, you will
install a second Windows Server 2003 as an additional Domain Controller. These two
Domain Controllers will be located in California. At the North Carolina location, you will
install a third Domain Controller. A Windows 2003 server configured as a Router will
connect the two locations.



[Figure: network diagram. CA site, network 200.200.201.0, with Domain Controllers DC1 and DC2;
Router connecting it to the NC site, network 200.200.202.0, with Domain Controller DC3.]



Active Directory
Active Directory is a feature of Windows Server 2003 domains that allows users to log on and
access resources from anywhere in the network. It is a central, hierarchical database that
allows administrators to manage the network from a single location and makes network
security much easier to manage. Resources include users, groups, computers, printers and
shared folders, to name just a few. A directory, much like a telephone book, is essentially a
store of information. When Active Directory is installed on a Windows 2003 server, that
server is then called a domain controller. All of the domain controllers within a domain hold
the same copy of the Active Directory database, in a file named NTDS.DIT. Windows 2003
domain controllers are multi-master replication partners, all replicating data back and forth
to each other.

Installing Active Directory

There are four methods of installing Active Directory in Windows Server 2003:

1. Active Directory Installation Wizard – to follow a step by step method, answer
questions and complete the installation.
2. Answer file – to perform an unattended installation for automation and remote
installation.
3. Backup and restore – to install Active Directory on additional domain controllers
in the network using backup media or a remote share.
4. Configure Your Server Wizard – an additional way to install the first domain
controller in a network only.

We will be using the Answer file method to install Active Directory and to create a domain
called benandbrady.com.



Creating the answer file for Active Directory installation
An answer file is a text file that supplies the answers to the questions the Active Directory
Installation Wizard asks when creating a domain. The answer file must contain a section that
starts with [DCInstall]. This section takes a number of parameters; some are mandatory and
others are optional. Which parameters are required also depends on the type of domain
controller you are installing, i.e. the first domain controller in a new forest, an additional
domain controller in an existing domain, and so on.

The following table lists the parameters and the operations to which they apply when creating
a new domain in a new forest:

Parameter                      Applies to:
RebootonSuccess                All operations
DatabasePath                   All installations
LogPath
SYSVOLPath
UserName
Password
UserDomain
ReplicaorNewDomain = Domain    Installation of a new Tree in a new Forest
TreeorChild = Tree
CreateorJoin = Create
NewDomainDNSName
DNSonNetwork
DomainNetbiosName
AutoInstallAndConfigDNS
SiteName

If you would like to learn about additional parameters, please refer to the deploy.chm and
ref.chm files in the Support folder of the Windows Server 2003 CD.

To use the answer file you type dcpromo /answer:answerfile, where answerfile is the file
name and location of the text file you created.
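Before handing a file like this to dcpromo /answer it is worth checking it. The example below is added here and is not part of Train Signal's lab: it parses the [DCInstall] section, reports parameters that are missing or inconsistent for a new forest, and lists the hardening points such a file carries (both passwords sit in it in cleartext, a weak Directory Services Restore Mode password, and AllowAnonymousAccess = Yes, which selects the pre-Windows 2000 compatible permissions). The required-parameter set is an assumption drawn from the table above and the lab's dcinfo.txt rather than from deploy.chm; the sample input is the lab's own file, and parse_answer_file, validate_new_forest and is_strong are names chosen here.

```python
"""Sanity-check a dcpromo [DCInstall] answer file before running dcpromo /answer.
Added example, not Train Signal's code: the required-parameter set below is an
assumption drawn from the lab's table and sample file, not from deploy.chm."""
import re

# Parameters the lab's table lists for the first DC of a new forest (UserDomain
# is left out because the lab's own file does not set it for a new forest).
REQUIRED_NEW_FOREST = {
    "DatabasePath", "LogPath", "SysVolPath",
    "ReplicaOrNewDomain", "TreeOrChild", "CreateOrJoin",
    "NewDomainDNSName", "DomainNetBiosName", "SafeModeAdminPassword",
}
# Fixed values that select "new domain, new tree, new forest".
EXPECTED_VALUES = {"ReplicaOrNewDomain": "Domain", "TreeOrChild": "Tree", "CreateOrJoin": "Create"}
SECRET_KEYS = {"Password", "SafeModeAdminPassword"}
KNOWN_KEYS = REQUIRED_NEW_FOREST | SECRET_KEYS | {
    "RebootOnSuccess", "UserName", "UserDomain", "DNSOnNetwork",
    "AutoConfigDNS", "SiteName", "AllowAnonymousAccess",
}
_CANON = {k.lower(): k for k in KNOWN_KEYS}   # dcpromo treats key names case-insensitively

# The lab's own dcinfo.txt, embedded here as the sample input.
PAGE_ANSWER_FILE = """[DCInstall]
RebootOnSuccess = No
DatabasePath = %SYSTEMROOT%\\NTDS
LogPath = %SYSTEMROOT%\\NTDS
SysVolPath = %SYSTEMROOT%\\Sysvol
UserName = administrator
Password = Password1
ReplicaorNewDomain = Domain
TreeOrChild = Tree
CreateOrJoin = Create
NewDomainDNSName = benandbrady.com
DNSOnNetwork = No
DomainNetBiosName = BENANDBRADY
AllowAnonymousAccess = No
AutoConfigDNS = Yes
SiteName = Default-First-Site-Name
SafeModeAdminPassword = rainbow
"""

def parse_answer_file(text):
    """Return {CanonicalKey: value} from the [DCInstall] section; other sections are ignored."""
    params, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "dcinstall"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[_CANON.get(key.lower(), key)] = value
    return params

def is_strong(password):
    """8+ characters drawn from at least three of: lower, upper, digit, symbol."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(password) >= 8 and classes >= 3

def validate_new_forest(params):
    """Return [(severity, message)]: 'error' would fail or misdirect the promotion,
    'warn' is a hardening point to act on before or right after dcpromo runs."""
    if not params:
        return [("error", "no [DCInstall] section found")]
    findings = []
    for key in sorted(REQUIRED_NEW_FOREST - set(params)):
        findings.append(("error", f"missing required parameter {key}"))
    for key, expected in EXPECTED_VALUES.items():
        if key in params and params[key].lower() != expected.lower():
            findings.append(("error", f"{key} must be {expected} for a new forest, got {params[key]}"))
    dns_name = params.get("NewDomainDNSName", "")
    if dns_name and "." not in dns_name:
        findings.append(("error", f"NewDomainDNSName {dns_name!r} is not a fully qualified DNS name"))
    netbios = params.get("DomainNetBiosName", "")
    if netbios and (len(netbios) > 15 or "." in netbios):
        findings.append(("error", f"DomainNetBiosName {netbios!r} must be 15 characters or fewer with no dots"))
    for key in sorted(SECRET_KEYS & set(params)):
        findings.append(("warn", f"{key} is stored in cleartext: restrict the file's ACL and delete it after promotion"))
    if "SafeModeAdminPassword" in params and not is_strong(params["SafeModeAdminPassword"]):
        findings.append(("warn", "SafeModeAdminPassword is weak; it unlocks Directory Services Restore Mode on this DC"))
    if params.get("AllowAnonymousAccess", "No").lower() == "yes":
        findings.append(("warn", "AllowAnonymousAccess = Yes selects pre-Windows 2000 compatible permissions (anonymous read)"))
    return findings

if __name__ == "__main__":
    for severity, message in validate_new_forest(parse_answer_file(PAGE_ANSWER_FILE)):
        print(f"{severity.upper():5} {message}")
```

Run against the lab's file it reports no errors and three warnings: both passwords are in cleartext and the DSRM password is short and lowercase only. Delete C:\dcinfo.txt once the promotion has succeeded, because the domain Administrator password and the DSRM password both sit in it unprotected.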



Installing Active Directory

1. Log on as Administrator to DC1. Click Start → Run and then type notepad to start
creating the answer file. Type the following code:

[DCInstall]
RebootOnSuccess = No
DatabasePath = %SYSTEMROOT%\NTDS
LogPath = %SYSTEMROOT%\NTDS
SysVolPath = %SYSTEMROOT%\Sysvol
UserName = administrator
Password = Password1
ReplicaorNewDomain = Domain
TreeOrChild = Tree
CreateOrJoin = Create
NewDomainDNSName = benandbrady.com
DNSOnNetwork = No
DomainNetBiosName = BENANDBRADY
AllowAnonymousAccess = No
AutoConfigDNS = Yes
SiteName = Default-First-Site-Name
SafeModeAdminPassword = rainbow

Now, save the file in the C:\ drive as dcinfo.txt.

2. From the desktop click on Start → Run, then type in dcpromo /answer:C:\dcinfo.txt and
click OK.

This command starts the Active Directory installation wizard. The wizard will now look
for answers to its questions in the answer file.



3. The following screen will appear informing you about the progress of the Active
Directory installation. Ensure that the Windows Server 2003 CD is inserted so that the
wizard can copy the necessary files.

4. The parameter DNSOnNetwork = No forces the installation of DNS in our network.
Finally, the parameter RebootOnSuccess = No forces you to click on the Restart
button. Click Restart Now to finish the setup process.

Next, log in as Administrator to the benandbrady.com domain. You have successfully
created a domain in the unattended mode.



Creating an additional Domain Controller for benandbrady.com
1. Log in as Administrator on the computer DC2. Ensure that the IP address is
200.200.201.2 and the DNS address is 200.200.201.1 by typing ipconfig /all at the
command prompt. We are now ready to make DC2 an additional Domain Controller.
Click Start → Run → dcpromo. Click OK.

2. The Active Directory installation wizard will now start. Click Next. Click Next again on
the O.S. Compatibility screen. Then, select Additional domain controller for an
existing domain in the Domain Controller Type box. Click Next.



3. In the Network Credentials screen, enter administrator, Password1,
benandbrady.com (for the User name, Password, and Domain fields respectively).
Click Next. In the next screen, click Browse to select the benandbrady.com domain.
Click Next.

4. Click Next for the Database and Log folder screen and click Next again for the
SYSVOL screen. In the Directory Services Restore Mode screen, enter the password
rainbow. Click Next. Finally click Next in the Summary screen. The wizard is now
copying the Active Directory database from DC1.



5. When the process finishes, click Finish and then Restart Now. DC2 is now an
additional domain controller in the benandbrady.com domain.

Domain and site verification and replication

1. Log in as Administrator on the computer DC1. Click Start → Administrative Tools →
Active Directory Users and Computers. Expand benandbrady.com and click on the
Domain Controllers object. In the right hand pane, verify that DC1 and DC2 are listed
as domain controllers. Close the window.



2. Click Start → Administrative Tools → DNS. Expand DC1 in the left hand pane.
Expand Forward Lookup Zones and click on benandbrady.com. Verify that DC1
and DC2 are listed with their IP addresses. Close DNS.

3. Click Start → Administrative Tools → Active Directory Sites and Services. In the
left hand pane, expand Sites, Default-First-Site-Name and select Servers. Verify that
DC1 and DC2 both belong to the same site.



4. We will now change the name of the site to CA. Select Default-First-Site-Name, right
click and select Rename, and then type CA. The site is now called CA and has two
Domain Controllers, DC1 and DC2.

5. We will now replicate the Active Directory database. Expand CA, Servers, DC1 in the
left hand pane. Select NTDS settings. In the right hand pane, select automatically
generated, right click and select Replicate Now. Click OK in the Replicate Now box.
You have successfully replicated from DC2 to DC1.

Using the same procedure, replicate from DC1 to DC2. Close all windows.



Installing a router in the benandbrady.com network

We will now use the third computer, Router, and make it a router for the benandbrady.com
network. This router will connect the CA and NC sites.

1. Log in as Administrator to the computer called Router. This computer has two NIC
cards. Right click My Network Places → Properties → select the first NIC card →
right click → Rename → CA. If My Network Places is not displayed by default you
will need to right click on the Start Button → Properties → Customize → click the
Advanced tab → check the My Network Places box → OK → Apply → OK. Now
My Network Places will be displayed on the Start menu. To set the IP address, right click
CA → Properties → TCP/IP → Properties. Set up the IP as 200.200.201.254, mask
as 255.255.255.0, DNS as 200.200.201.1. Click OK and close all boxes.



2. Using the above procedure, change the name of the second NIC card to NC. Change
the IP configuration to 200.200.202.254/24 and the DNS to 200.200.201.1.

The CA interface is now configured for the CA site, whose Network ID is 200.200.201.0,
and the NC interface is now configured for the NC site, whose Network ID is
200.200.202.0. We have just one DNS server, 200.200.201.1, for both locations.

3. Let us now join this computer as a member server to the benandbrady.com domain.
Right click My Computer → Properties → Computer Name tab → Change →
Member of Domain → benandbrady → OK. Enter administrator as the username
and Password1 as the password when prompted. Restart the computer and log on as
administrator to the benandbrady domain.



4. We will now configure the Routing and Remote Access Service on the router. Click Start
→ Administrative Tools → Routing and Remote Access. Right click Router →
Configure and Enable Routing and Remote Access. Click Next on the Welcome
screen.

5. In the Configuration page, select Secure connection between private networks and
click Next. Select No for Demand Dial connection and click Next.



6. In the Summary screen click Finish. You have successfully enabled the routing service
on the Router.



Testing routing in the benandbrady.com network
We will now use the fourth computer. We will set up this computer, initially as a member
server for the benandbrady.com domain.

1. Log on to DC3 as the Administrator. Ensure that TCP/IP properties are set as IP:
200.200.202.1, Subnet mask as 255.255.255.0, Default Gateway as 200.200.202.254,
DNS as 200.200.201.1.

2. Go to the command prompt. Type ping 200.200.201.1. If you get replies, you have
successfully reached DC1. DC3 first contacted the NC interface of Router, which
forwarded the packet to the CA interface of Router. This interface then forwarded the
packets to DC1. Hence you are able to ping from the 200.200.202.0 network to the
200.200.201.0 network.



3. Type tracert 200.200.201.1 to trace the route taken from DC3 to DC1.

Next, close the command prompt. Join DC3 as a Member Server to the
benandbrady.com domain. Right click My Computer → Properties → Computer
Name tab → Change → Member of Domain → benandbrady.com → OK. Enter
administrator as the username and Password1 as the password when prompted.
Restart the computer and log on as administrator to the benandbrady.com domain.
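The path the ping and tracert above take can be modelled. The following example is added here and is not Train Signal's code: it builds the lab's hosts and the dual-homed Router from their addresses, with the Router knowing only its two connected networks (no static routes, as in the lab), and returns the hops a packet crosses, or None where the path breaks. The None cases are the failures this step's TCP/IP check guards against: no default gateway on DC3, a gateway that is not on DC3's own subnet, or a destination network the Router has no route to. Host, Router, trace and lab_paths are names chosen here.

```python
"""Trace the forwarding path between lab hosts through the two-interface router.
Added example, not Train Signal's code; the hosts and router below are built
from the lab's addresses and the router only knows its connected networks."""
import ipaddress

class Host:
    """A host with one interface and an optional default gateway (constructed)."""
    def __init__(self, name, address, gateway=None):
        self.name = name
        self.iface = ipaddress.ip_interface(address)     # e.g. "200.200.202.1/24"
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

class Router:
    """A dual-homed router that forwards only between its directly connected networks."""
    def __init__(self, name, *addresses):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addresses]

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def egress_for(self, dst):
        """Interface whose connected network contains dst, or None (no static/default routes)."""
        return next((i for i in self.ifaces if dst in i.network), None)

def trace(src, dst_address, routers):
    """Addresses a packet from src reaches on the way to dst, tracert-style.
    Returns None where the path breaks: the classic lab failures are a missing
    gateway, a gateway on the wrong subnet, or a destination the router cannot reach."""
    dst = ipaddress.ip_address(dst_address)
    if dst in src.iface.network:              # same subnet: delivered directly (DC2 -> DC1)
        return [str(dst)]
    if src.gateway is None or src.gateway not in src.iface.network:
        return None                           # "Destination host unreachable" on the sender
    router = next((r for r in routers if r.owns(src.gateway)), None)
    if router is None:
        return None                           # gateway address answers to nothing
    if router.egress_for(dst) is None:
        return None                           # router has no route to that network
    return [str(src.gateway), str(dst)]       # router's ingress interface, then the target

# The lab topology (addresses from the Lab Setup section).
ROUTER = Router("ROUTER", "200.200.201.254/24", "200.200.202.254/24")
DC1 = Host("DC1", "200.200.201.1/24", "200.200.201.254")
DC2 = Host("DC2", "200.200.201.2/24", "200.200.201.254")
DC3 = Host("DC3", "200.200.202.1/24", "200.200.202.254")

def lab_paths():
    """The three paths the lab exercises, keyed by direction."""
    return {"DC3->DC1": trace(DC3, "200.200.201.1", [ROUTER]),
            "DC2->DC1": trace(DC2, "200.200.201.1", [ROUTER]),
            "DC1->DC3": trace(DC1, "200.200.202.1", [ROUTER])}

if __name__ == "__main__":
    for direction, hops in lab_paths().items():
        print(direction, hops if hops else "unreachable")
```

For DC3 to DC1 the hops are 200.200.202.254 (the Router's NC interface, the first line tracert prints) and then 200.200.201.1, which is exactly the forwarding described in step 2; DC2 to DC1 is a single on-link hop because both sit in 200.200.201.0.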

Installing an additional Domain Controller in the 200.200.202.0 subnet

We will now promote DC3 to an additional domain controller in the benandbrady.com
domain. The steps will be the same as those used for DC2. However, this time, our Domain
Controller is in the second subnet (200.200.202.0). Router is now forwarding all information
between DC1/DC2 in the 200.200.201.0 subnet and DC3 in the 200.200.202.0 subnet.

1. Click Start → Run → dcpromo. Follow the wizard to create an additional domain
controller. Use Password1 as the password for the Directory Services Restore Mode.

2. Click Finish and restart DC3.

Network Infrastructure Summary

Network ID                       Computers   Function
200.200.201.0                    DC1         First Domain Controller of the Forest
                                 DC2         Additional Domain Controller
200.200.202.0                    DC3         Additional Domain Controller
200.200.201.0 / 200.200.202.0    Router      Network Router – dual homed – has an interface for both CA and NC.



Lab 2
Creating New Sites and Subnets
for Benandbrady.com

You will learn how to:


• Map the logical domain to a physical network
• Create new site objects
• Create new subnets
• Associate sites with subnets
• Designate a licensing server at each site
• Replicate Active Directory between sites

Scenario – Part Two
The installation of the servers for benandbrady.com has been accomplished. You have
installed three Domain Controllers and a Router. The Router is configured to route traffic
between the 200.200.201.0 and 200.200.202.0 networks.

Now it is time to associate the physical subnets into Active Directory. You set up a meeting
with the Operations Manager and explain the next phase of the project. You will be setting
up two sites, CA and NC, in the benandbrady.com domain. You will then associate these
sites with the appropriate subnets for each location. You explain to the Operations Manager
that setting up the Active Directory in this manner improves the efficiency of network
connections and reduces logon time. The Operations Manager immediately gives you the
approval.

The next task in this phase is to set up a Licensing Server. You explain to the Operations
Manager that the Licensing Server at each site will keep track of the client and server licenses
used. This will also help in determining accurately the number of licenses needed at each site.

Finally, you will test replication between the domain controllers to ensure that the router is
routing packets between CA and NC.

What is a site?
A site is a grouping of one or more TCP/IP subnets that defines the physical structure of a
network. For practical purposes, a geographical location (branch) of a company is a site.
All devices in a site are well connected by means of a high-speed network link (10
Mbps or greater). Since the devices in a physical LAN are usually connected by Ethernet
at 10/100 Mbps, a LAN is considered a site.

The Ben and Brady Ice Cream Corp. has two locations, CA and NC, connected to each
other by a T1 (1.544 Mbps) line. Hence we have two sites: the CA site with the subnet
200.200.201.0 and the NC site with the subnet 200.200.202.0.

Configuring Sites
To configure a site you must complete the following tasks:

1. Create a site.
2. Create a subnet and associate it with the site.
3. Create or move a domain controller object into the site.
4. Designate a site license server for the site.

All of these tasks can be accomplished by using the Active Directory Sites and Services
console in the Administrative Tools section.

Creating sites
When you install Active Directory on the first domain controller in a forest, a site object
named Default-First-Site-Name is automatically created in the Sites container of the Active
Directory Sites and Services console. Until subnets are defined, all domain controller
objects are created in this site by default. Rename the site to describe your network location.

Define a separate site for:

• Each LAN or set of LANs that are connected by a high-speed backbone (T3 or
better).
• Each location that does not have direct connectivity to the rest of the network and
is reachable only by SMTP mail.
• Networks that are separated by links that are heavily used during some parts of the
day and idle during other parts of the day.

In benandbrady.com we have two sites, CA and NC. DC1 and DC2 are the domain
controllers in the CA site; DC3 is the domain controller in the NC site. Currently our domain
has only one site, CA (the renamed Default-First-Site-Name). Let's create the second site
and associate it with a subnet.

Step 1: Create a new site called NC

1. Log in to DC1 as Administrator. Click Start → Administrative Tools → Active
Directory Sites and Services. Select Sites then right click and select New Site. In the
Name field type NC, select DEFAULTIPSITELINK, and click OK. The next window
reminds you about the additional steps you need to perform. Click OK again.

You have now successfully created a new site called NC.

Step 2: Create a subnet and associate it with a site

We will now create the 200.200.202.0 subnet and associate it with the NC site.

1. In Active Directory Sites and Services, select Subnets then right click and select New
Subnet. In the Address field type 200.200.202.0 and in the Mask field type
255.255.255.0. In the Select a site object for this subnet box select NC and click OK.

2. We must now create the 200.200.201.0 subnet and associate it with the CA site. In
Active Directory Sites and Services, select Subnets then right click and select New
Subnet. In the Address field type 200.200.201.0 and in the Mask field type
255.255.255.0. In the Select a site object for this subnet box select CA and click OK.

Sites and subnets for benandbrady.com should now appear as shown in the following
figure.

Step 3: Move a Domain Controller object to the NC site

We must now move DC3 from CA to NC. DC3 was promoted before the 200.200.202.0
subnet existed in Active Directory, so it was placed in the default site; now that the subnet
is mapped to NC, moving the server object puts DC3 where clients on that subnet will look
for it. This optimizes performance, since user logon activity will then be handled by a local
domain controller. After the move, DC3 registers the NC site-specific SRV records in DNS
(restart the Netlogon service on DC3 if you do not want to wait for its periodic re-registration).

1. In the Servers link in Active Directory Sites and Services, select DC3 Æ Move then
select NC and click OK.

We have now successfully moved DC3 to the NC site.
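
To check the result from a command prompt rather than by clicking through the console, the following batch file (an added example, not part of the lab) lists the site, subnet and server objects with dsquery and then asks each domain controller, through nltest from the Support Tools installed in Lab 4, which site it believes it is in. It assumes the lab names (CA, NC, DC1, DC2, DC3, benandbrady.com) and that dsquery and nltest are on the PATH.

```batch
@echo off
rem check-sites.cmd - added example, not part of the Train Signal lab.
rem Confirms that the sites, subnets and server objects built in Lab 2 line
rem up with the site each domain controller reports for itself.
rem Assumes: dsquery (Windows Server 2003) and nltest (Support Tools) on the
rem PATH, and the lab names CA, NC, DC1, DC2, DC3 and benandbrady.com.
setlocal

echo === Sites defined in the forest ===
dsquery site

echo === Subnets bound to each site ===
for %%S in (CA NC) do (
    echo -- site %%S
    dsquery subnet -site %%S
)

echo === Server objects under each site, as the console shows them ===
for %%S in (CA NC) do (
    echo -- site %%S
    dsquery server -site %%S
)

echo === Expected placement versus what the directory and Netlogon report ===
rem Each entry is DC:expected-site. The first check looks for the server
rem object under CN=Servers of that site; the second asks the DC itself,
rem which reads its site from the location of its own server object.
for %%P in (DC1:CA DC2:CA DC3:NC) do (
    for /f "tokens=1,2 delims=:" %%a in ("%%P") do (
        dsquery server -name %%a | findstr /i /c:"CN=Servers,CN=%%b," >nul || echo MISMATCH: server object for %%a is not under site %%b
        nltest /server:%%a /dsgetsite | findstr /i /b /c:"%%b" >nul || echo MISMATCH: %%a reports a site other than %%b
    )
)

echo === Domain controller a client in NC would be handed for logon ===
nltest /dsgetdc:benandbrady.com /site:NC
endlocal
```

Run it from a command prompt on DC1 after completing Step 3. A MISMATCH line means either that the server object is still under the old site or that the domain controller has not yet picked up the move; the last command shows which domain controller a client in the 200.200.202.0 subnet will be directed to once the subnet-to-site mapping is in place.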

Step 4: Designate a site license server for the NC site

A license server tracks client and server license usage for the Windows Server 2003
operating system to help with legal compliance. Designate one license server per site so
that license usage is tracked locally rather than across the WAN link.

1. In Active Directory Sites and Services, click CA site in the left hand pane. In the right
hand pane, select Licensing Site Settings then right click, select Properties, click
Change button, type DC1 and click OK to select the licensing server. Click OK to close
the box.

Follow the same procedure to make DC3 the licensing server for NC site.

Testing Active Directory replication
We're now going to test Active Directory replication to ensure that both the logical
domain, benandbrady.com, and the physical network between the two sites, CA and NC,
are working properly.

1. On DC1, use Active Directory Users and Computers to create a new user, Michelle
Wong (Logon Name: MWong, Password: Password1), in the Users container.
We will now replicate Active Directory and verify that the user object appears in the
Active Directory database of both DC2 and DC3. In Active Directory Sites and Services,
select NTDS Settings under DC1. In the right-hand pane, select the
<automatically generated> connection whose From Server is DC3 (From Site NC), right
click and select Replicate Now. You will see a message informing you about the
impending replication across the sites. Click OK. Note the direction: a connection object
under a server's NTDS Settings is inbound, so Replicate Now here pulls changes from DC3
into DC1. To push the new user out to DC3 immediately, run Replicate Now on the
connection from DC1 that appears under DC3's NTDS Settings; otherwise it arrives on
the next scheduled inter-site replication.

2. In a similar manner, replicate over the <automatically generated> connection whose
From Server is DC2 (From Site CA). This replication is within the same site since DC2
is in CA. Hence you will see the message box shown below. Click OK.

Log in to DC2 and DC3 and verify that the user Michelle Wong appears in the Users
container in Active Directory Users and Computers. Close all windows.

Lab 3
Controlling Inter-site Replication
Using Site Links and Bridgehead Servers

You will learn how to:


• Create and configure site links
• Create backup replication mechanisms
• Schedule inter-site replication
• Optimize replication using bridgehead servers
• Create site link bridges and connection objects
• Designate a Global Catalog & a Universal Group Caching
server

Scenario – Part Three
Ben & Brady’s Ice Cream Corp’s domain is now fully functional at the two sites. The
Operations Manager is very pleased with the network and is eager to move on to the next
phase of the project.

In this phase you will optimize the traffic between the two sites. In the next meeting with the
Operations Manager you will determine the best time to exchange traffic between the
domain controllers of the two sites. You explain to the Operations Manager that different
types of network traffic cross the WAN link between CA and NC. Some of these transfers
can be scheduled during non-business hours so that maximum bandwidth is available during
hours of operations thereby improving network speed.

You will also configure a dial-up connection as a Backup Replication line. This connection
will be set up in such a way that it will only be used if the T1 line becomes unavailable.

Finally, you will also be setting up Global Catalog and Universal Group Caching servers. The
Operations Manager suddenly becomes concerned about the cost of additional servers. You
explain that these are features within Server 2003 and will not increase any hardware or
licensing costs. Global Catalog will be set up so that directory searches will be local and fast.

It is time to convert these plans into action.

Replication types in Active Directory
1. Intra-site Replication – replication within the same site. Partners notify each other of
changes and replicate shortly afterwards, uncompressed, because bandwidth within a
site is assumed to be plentiful.

2. Inter-site Replication – replication between sites. Traffic is compressed and sent only
according to the schedule and interval of the site link, which is what this lab configures.

Configuring inter-site replication

To configure inter-site replication you must complete the following tasks:

1. Create site links.

2. Configure site link attributes.

3. Designate a preferred bridgehead server.

4. Create site link bridges (optional).

5. Create and configure connection objects (optional).

Step 1: Create site links

The Active Directory Installation Wizard automatically created an object named
DEFAULTIPSITELINK in the IP container for the first default site (CA site). You can
rename DEFAULTIPSITELINK to the name you want to use for the site link; we will
call it the CA-NC site link. You can create additional site links and associate sites with them.

1. Click Start → Administrative Tools → Active Directory Sites and Services →
Inter-Site Transports → IP → New Site Link.

2. In the Name field, type Backup CA-NC Link, ensure that both the CA and the NC
sites are selected and click OK. This is the backup link we create so that if the main link
goes down, replication can still take place over it. A site link only describes connectivity
to the KCC; it does not create the dial-up connection itself, which has to exist and be
configured on the router independently.

Let us now rename DEFAULTIPSITELINK to CA-NC. Right click
DEFAULTIPSITELINK and rename it as CA-NC.

Step 2: Configure site link attributes

To ensure efficient replication and fault tolerance, you must configure site link cost,
replication frequency and replication availability information for all site links.

Link cost: The KCC always chooses the route between sites with the lowest total cost, so the
least expensive site link is used as long as it is available. You will configure the T1 site link
with a lower cost than the dial-up one; if both are available, the T1 link is always used.

Replication frequency: Configure the replication frequency of a site link by providing
an integer value that tells Active Directory how many minutes it should wait before using the
link to check for replication updates. Values range from 15 minutes to 10,080
minutes (1 week); the default is 180 minutes.

Configuring site link replication availability: Configure site link replication availability to
determine when a site link will be available for replication. This is also known as the
replication schedule.

Let us now configure the attributes of the Backup CA-NC Link.

1. In Active Directory Sites and Services, select IP in the Inter-Site Transports. In the right
hand pane, right click Backup CA-NC Link and select Properties.

2. In the Cost box, type 200. The default cost is 100. Since the CA-NC link has a cost of
100, it will always be used first. Leave the replication interval at 180 minutes. Click
Change Schedule.

3. By default, replication is available 7 days a week, at any time. We would like to ensure
that the backup replication occurs only during non-business hours. Select All and then click
Replication Not Available. This clears the schedule. Now select the columns 12 am to 8
am and 8 pm to 12 am and click Replication Available. Click OK twice to complete
the process.

Step 3: Configure a bridgehead server

Inter-site replication occurs between bridgehead servers in different sites. When two sites are
connected by a site link, the Knowledge Consistency Checker (KCC) automatically selects
bridgehead servers, one in each site for each directory partition that is replicated to the site.
In this manner, each change crosses the WAN link only once; the bridgehead server then
replicates it to the other domain controllers within its site.

We will now designate DC1 (the CA site) and DC3 (the NC site) as preferred bridgehead
servers.

1. In Active Directory Sites and Service, select DC1 under the CA site, right click and select
Properties. Select IP in the Transports column and click on the Add button to move it
to the preferred bridgehead server column. Click OK to finish the process.

Using the same procedure, designate DC3 as a preferred bridgehead server in the NC
site. DC1 and DC3 will now exchange Active Directory changes across the WAN. DC1 and
DC2 replicate with each other within the CA site. DC2 never replicates with DC3, which
keeps WAN utilization to a single replication stream. Be aware of the trade-off: once
preferred bridgeheads are designated, the KCC will not silently spread inter-site replication
across the other domain controllers in the site, so DC1 and DC3 become the servers to watch
(Lab 4 covers the tools). If one of them has to be out of service for long, remove the
designation rather than leave the site without a usable bridgehead.

Step 4: Create site link bridges

This is an optional procedure. By default, all site links that use the same transport (IP)
are bridged: the Bridge all site links option on the IP transport is enabled, so the KCC
treats the links as transitive and can route replication through an intermediate site. A site
link bridge only matters when that option has been cleared (for example where the network
is not fully routed); a bridge contains two or more site links, which then form one transitive
path. Let's create a site link bridge in our network to see where it is configured.

1. In Active Directory Sites and Services, select IP under Inter-Site Transports, right click
and select New Site Link Bridge.

Type Backup Bridge in the Name box, add the CA-NC and Backup CA-NC Link site links
to the bridge and click OK.

Step 5: Create and configure connection objects

This is also an optional component. KCC automatically creates connection objects between
those domain controllers across which replication occurs.

Although you can create or configure connection objects manually to force replication over a
particular connection, normally you should allow replication to be automatically optimized
by the KCC based on the information you provide in the Active Directory Sites and Services
console about your deployment. Create connection objects manually only if the connections
that are automatically configured by the KCC do not connect specific domain controllers
that you want to connect.

1. Observe the connection objects the KCC has created by selecting the NTDS Settings of DC1.

The KCC created these objects automatically. You can create your own, but it is unnecessary
in this topology; manually created connection objects are also not adjusted by the KCC
when the topology changes, so they have to be maintained by hand.

Global Catalog servers
The Global Catalog is the central database of information about objects in a tree or forest.
The first domain controller in a forest automatically becomes the global catalog server. A
Global catalog server stores a full copy of all objects in the directory for its host domain and
a partial copy of all objects for all other domains in the forest. This storage strategy provides
efficient searches without unnecessary referrals to other domain controllers.
The global catalog performs three key functions:

1. It enables a user to log on to a network by providing universal group membership
information to a domain controller when a logon process is initiated.

2. It enables finding directory information regardless of which domain in the forest
actually contains the data.

3. It resolves user principal names (UPNs) when the authenticating domain controller
does not have knowledge of the account.

Universal Group caching

If you do not have a Global Catalog at a site, the universal group membership caching
feature can optimize the logon process. Universal group membership caching allows a
domain controller to process user logon requests without contacting a global catalog server.
The cache is refreshed periodically from a global catalog (every 8 hours by default). This
feature eliminates the need to deploy global catalog servers in smaller remote office locations
in order to avoid logon failures in the event that the network link connecting the remote site
to the rest of the organization is down.

Universal group membership caching is set per site and requires the domain controllers
in that site to run Windows Server 2003. When a user attempts to log on for the first time
after a Windows Server 2003 domain controller has been configured to enable universal
group membership caching, the domain controller obtains the universal group membership
information for the user from a global catalog. That information is then cached on the
domain controller indefinitely and periodically refreshed.

The next time the user attempts to log on, the authenticating Windows Server 2003 domain
controller obtains the universal group membership information from its local cache without
contacting a global catalog. Keep the refresh interval in mind from a security standpoint: a
change to universal group membership, such as removing a user from a group that grants
access, is not seen at a caching site until the next refresh, so it can take up to that interval
to take effect there.

We will now observe that DC1 is already a Global Catalog server, and then make DC3 the
Global Catalog server for the NC site. Caching is intended for sites that have no global
catalog; since DC3 becomes one, the caching setting is enabled in this lab only to show
where it is configured.

1. Click Start → Administrative Tools → Active Directory Sites and Services. Expand
Servers and select the NTDS Settings for DC1, right click and select Properties.

Observe that the Global Catalog checkbox is already selected. DC1 was the first Domain
Controller in the forest, so it automatically became the Global Catalog server.

2. Using this procedure, make DC3 the Global Catalog server in the NC site. Expand
Servers and select the NTDS Settings for DC3, right click and select Properties. Select
the check box for Global Catalog and click OK.

3. We will now designate DC3 as the Universal Group caching server. Select the NC site
and, in the right hand pane, right click NTDS Site Settings and select Properties.

4. Select the Enable Universal Group Membership Caching checkbox. Click OK. Close
all windows to finish this lab.

Let’s summarize what we have accomplished so far:

• Ben and Brady Ice Cream Corp., has 2 sites, CA and NC.

• CA has two Domain Controllers, DC1 and DC2.

• NC has one Domain Controller, DC3.

• The subnet for CA is 200.200.201.0 and the subnet for NC is 200.200.202.0.

• A Windows Server 2003 server configured as a router connects the two networks.

• DC1 and DC3 are bridgehead servers and inter-site replication will take place
between these 2 servers.

• DC1 and DC3 are also Global Catalog servers.

• DC3 is the Universal Group caching server.

Lab 4
Monitoring Active Directory
Replication
You will learn how to:
• Install Active Directory support tools
• Use Replication Monitor to monitor and troubleshoot
• Use Active Directory command-line tools for
generating reports and troubleshooting
• Create a batch file to automate domain wide replication
• Use Active Directory Sizer to plan the number of servers
in your network

Scenario – Part Four
The Operations Manager would now like to move on to the Monitoring and Reporting
phase of the project. He inquires if the system set up could monitor the replication traffic
and generate weekly reports so that he is assured the system continues to work as designed.

Your answer is to set up Replication Monitor and other tools for monitoring, reporting and
automating replication between domain controllers. To begin with, you will configure Active
Directory support tools to monitor the network and will then train the Operations Manager
in how to generate and analyze the reports created by Replication Monitor.

You will then create a script that the Operations Manager can run by simply double clicking
on an icon on his desktop that will trigger replication between all domain controllers at all
sites. The Operations Manager is very excited about this.

Finally, you will also set up the Active Directory Sizer tool so that the Operations Manager
can determine the number of servers required to optimize the network as the company
grows.

The Operations Manager is now ecstatic and inquires how soon all this can be delivered.
You get to work immediately.

Installing the Active Directory support tools
We will now install additional tools from the Windows Server 2003 CD. These tools will
help us monitor and troubleshoot Active Directory services.

1. Log in to DC1 as Administrator. Insert the Windows Server 2003 CD. When the CD
runs, select Perform additional tasks and then select Browse this CD. Double click
Support, double click Tools, and then double click the SUPTOOLS.MSI file to start
the installation of the support tools.

2. In the Welcome screen click Next, Agree to the Agreement, enter your name on the
next screen and click Install Now to start the installation. Note that a new folder called
Support Tools will be created in the Program Files folder. Click Finish.

Active Directory Replication Monitor (Replmon.exe)
ReplMon is used to view the status of Active Directory replication, to force synchronization
between domain controllers, to monitor replication and to view the network topology in a
graphical format.

You can use ReplMon for the following important tasks:

• See when a replication partner fails.

• View the history of successful and failed replication changes for troubleshooting
purposes.

• View the properties of directory replication partners.

• Find all direct and transitive replication partners on the network.

• Display replication topology.

• Force replication.

• Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication
topology.

• Display changes that have not yet replicated from a given replication partner.

• Display a list of the trust relationships maintained by the domain controller being
monitored.

• Monitor the replication status of Domain Controllers from multiple forests.

1. On DC1, click Start → Command Prompt → type replmon and press Enter. Right
click Monitored Servers and then click Add Monitored Server to start the Wizard.

2. Click Add the server explicitly by name and click Next.

3. Select Enter the name of the server to monitor explicitly and type DC1. Click
Finish.

4. Using the same steps, add DC2 and DC3 as monitored servers. Your screen should now
look the same as in the following figure. Observe that each Domain Controller is listed
in the appropriate site. DC1 and DC3 have the symbol of the globe since they are Global
Catalog servers.

5. Expand DC1. Note that each partition (component) of Active Directory is represented
by the symbol of a book. Select CA\DC2. The right hand pane shows details of the
replication between DC1 and DC2 such as the USN and the last successful date and time
of replication. Also note that NC\DC3 is shown with a telephone-connection symbol,
indicating that replication with DC3 is inter-site, carried between the bridgehead servers
over the site link.

6. Right click DC1 and select Generate Status Report. Type Stat1 for the file name and
click Save. Click OK to select all the report options. Click OK in the report status box.

7. To view the report, click File → Open Log → Stat1.log → Open. The report
opens in Notepad and can be printed. Navigate to see the major sections of the report: it
has every detail about the site, domain, FSMO roles, replication and so on. This report is
extremely useful for documentation and troubleshooting.

We will now create and modify objects in Active Directory while one replication partner
is down. Make DC2 unavailable by shutting it down. On DC1, use Active Directory Users
and Computers to create an Organizational Unit called CA. Also, in the properties of the
user Michelle Wong, enter Headquarters in the Office field and 800-555-1212 in the
Telephone Number field. Next, log on to DC3 and create an OU called NC. Now log on to
DC1. In the Active Directory Replication Monitor console (replmon.exe), right click DC1
and select Synchronize Each Directory Partition with All Servers. Click OK and then
Yes for the messages that tell you it may take a few minutes for the process to finish.

8. DC1 and DC3 will now replicate. DC1 will be unable to replicate with DC2.

9. Use Active Directory Users and Computers to verify that the CA and NC OUs and the
changes to Michelle Wong are present on both DC1 and DC3. Create another status
report and save it as Stat2. Open the status report. It shows the result for each partner:
DC1/DC2 unsuccessful (DC2 is down) and DC1/DC3 successful.

Restart DC2. Use Active Directory Sites and Services to replicate. Run the status
report again and note the success this time. Also verify the results in Active Directory
Users and Computers. Close all programs.

Replication Diagnostics tool (Repadmin.exe)
Repadmin is a command-line tool used to view the replication topology from the perspective
of each domain controller. You can also use repadmin to force replication and to find out
how up-to-date each domain controller is.

1. On DC1, go to the command prompt and type repadmin /showrepl DC1
and press Enter. This command displays all the replication partners for DC1.

2. At the command prompt type repadmin /showconn DC1 and press Enter. This
command displays all the connection objects for DC1.

3. At the command prompt type repadmin /replicate dc1 dc2
dc=benandbrady,dc=com and press Enter. This replicates the domain partition from DC2
to DC1: repadmin /replicate takes the destination domain controller first and the source
second, so DC1 pulls the changes that DC2 holds.

4. Let us now create a batch file that will replicate all connections. Open Notepad and type
the following:

Save this file to the desktop as Domain Replication.bat. Note that we do not replicate
between DC2 and DC3. DC1 and DC3 are bridgehead servers that participate in Inter-
site Replication.

To synchronize the benandbrady.com domain, you no longer have to use any GUI based
tools. Let’s double click on the file Domain Replication.bat. You will see a Command
Prompt window pop up in which the batch file will run and synchronize the domain.
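
The following batch file is an added example, not the Domain Replication.bat from the lab. It pulls the same pairs with the same argument convention as step 3 (destination first, then source) in an order that lets a change made on any of the three domain controllers reach the other two in one run, replicates the Configuration partition as well as the domain partition, checks the exit code of each pull, and appends repadmin /showrepl and dcdiag output to a dated log for the weekly report the Operations Manager asked for. It assumes repadmin and dcdiag from the Support Tools are on the PATH, the lab names DC1/DC2/DC3 and benandbrady.com with DC1 and DC3 as the bridgeheads, an en-US date format for the log file name, and (marked in the file) that repadmin returns a non-zero exit code when a pull fails.

```batch
@echo off
rem replicate-domain.cmd - added example, not the Domain Replication.bat from
rem the lab. Pulls every connection between the lab's domain controllers in an
rem order that lets a change made anywhere reach every DC in one run, then
rem appends a status report to a dated log on the desktop.
rem Assumes: repadmin and dcdiag (Support Tools) on the PATH; DC1 and DC2 in
rem CA, DC3 in NC; DC1 and DC3 as the preferred bridgehead servers; and an
rem en-US date format for the log file name.
setlocal
set DOMAIN_NC=dc=benandbrady,dc=com
set CONFIG_NC=cn=configuration,dc=benandbrady,dc=com
set LOG=%USERPROFILE%\Desktop\replication-%DATE:/=-%.log

echo === Replication run started %DATE% %TIME% === >> "%LOG%"

rem repadmin /replicate DEST SOURCE NC copies changes FROM the source INTO the
rem destination. DC2 and DC3 are never paired: only the bridgeheads cross the WAN.
call :pull dc1 dc2
call :pull dc1 dc3
rem DC1 now holds everything; push it back out to both partners.
call :pull dc2 dc1
call :pull dc3 dc1

echo === Partner status after the run === >> "%LOG%"
for %%D in (dc1 dc2 dc3) do repadmin /showrepl %%D >> "%LOG%" 2>&1
echo === dcdiag replication tests === >> "%LOG%"
dcdiag /s:dc1 /test:replications >> "%LOG%" 2>&1
echo Report written to "%LOG%"
endlocal
goto :eof

:pull
rem %1 = destination DC, %2 = source DC. Both the domain partition and the
rem configuration partition are pulled; sites, subnets and site links live in
rem the latter, so a change made in AD Sites and Services replicates too.
rem Assumption: repadmin exits non-zero when a pull fails.
for %%N in ("%DOMAIN_NC%" "%CONFIG_NC%") do (
    repadmin /replicate %1 %2 %%~N >> "%LOG%" 2>&1
    if errorlevel 1 echo FAILED: %1 could not pull %%~N from %2 - see the log
)
goto :eof
```

Save it to the desktop and double click it as with the lab's own file. The only output on screen is a FAILED line for any pull that did not complete and the path of the log; the log itself holds the repadmin output of every pull, the partner status of all three domain controllers and the dcdiag replication test, which is the material a weekly report can be built from. The script runs with the rights of whoever launches it, so it has to be run by an account that is allowed to trigger replication, not left on a shared desktop under a saved credential.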

Directory Services utility (Dsastat.exe)
Dsastat.exe can be used to compare two directory trees across replicas within the same
domain or, in the case of a global catalog, across different domains. The tool retrieves
capacity statistics such as megabytes per server, objects per server and megabytes per object
class and also performs comparisons of the attributes of replicated objects.

1. On DC1, go to the command prompt and type
dsastat /s:dc1;dc2 /b:"CN=Domain Controllers,DC=benandbrady,DC=com"
and press Enter. This command compares the objects in the Domain Controllers
container on DC1 and DC2. Check the last section of the report: Server sizes are equal.
PASS.

Now, close all windows.

Domain Controller Diagnostic tool (Dcdiag.exe)

This command-line tool analyzes the state of domain controllers in a forest or enterprise and
reports any problems to assist in troubleshooting.

1. On DC1, go to the command prompt and type dcdiag /s:dc1 and press Enter. This
command performs a series of tests and gives you a report showing whether the Domain
Controller passed or failed each test. To capture the output in a text file type dcdiag
/s:dc1 >dc1.txt and press Enter. The file is written to the prompt's current directory
(C:\ by default); double click dc1.txt there to open it in Notepad.

Active Directory Sizer
Active Directory Sizer is a capacity planning tool to help an organization size for their Active
Directory deployment. It should be used after the design phase and before the actual
deployment of servers.

The Active Directory Sizer estimates the hardware required for deploying Active Directory
in your organization depending on your organization's usage profile. Based on your answers
to the Active Directory Sizer wizard, the tool will calculate the total workload and estimate
the following for you:

• Number of domain controllers (including Global Catalog servers and bridgehead
servers).
• Number and type of processor(s) per machine.
• Number of disks needed for the Active Directory database.
• Memory required.
• Network bandwidth utilization.

1. Download the Active Directory Sizer from Microsoft's web site. Locate and run the
setup.exe file to begin installation. Follow the prompts to install the application. Next,
click Start → All Programs → Active Directory Sizer.

2. In the Active Directory Sizer console, right click Domain Configuration and select
Add Domain. Type benandbrady.com in the domain name. Click Next. Type 100 for
the Number of Users and click Next.

3. Type 10 for the Average number of groups and the Interactive Logon fields. Click Next.
Type 100 for the Windows computers, 10 for Other computers and 10 for other objects.
Click Next for next two screens to accept the default values. In the Administration
screen, type 5 for Add, 1 for Delete, 10 for Modify. Select Interval Weekly. Click Finish.

4. You will see a report for benandbrady.com showing the size of the Active Directory
database, including both the Domain Database and the Global Catalog. In our example,
the database is 24 MB.

In a large network, with thousands of users and computers, the database will be much
larger. Its size grows roughly in proportion to the number of users, groups and computers
(and the attributes populated on each), so it is important to design the sites and services
carefully, in particular the placement of domain controllers, Global Catalog servers and DNS
servers.

The following is a sample report showing a large network of 500,000 users and 400,100
workstations and servers. You will need 68 servers – 33 Domain Controllers, 34 Global
Catalog servers, and 1 bridgehead server.

As you can see, ADSizer gives you an estimate of hardware requirements based on the
figures you enter for your network. Treat it as a planning baseline and validate it against
the actual replication and logon load once the servers are in place.

Lab 5
Upgrading the Domain & Forest Functional
Levels and Changing Single Master
Operations Roles in Benandbrady.com
You will learn how to:
• Determine the appropriate domain & forest functional level
• Upgrade domain and forest functional levels
• Verify the operations master roles
• Transfer the operations master role
• Seize the operations master role

Scenario – Part Five
In the final phase of this project, you will be upgrading the domain and forest functional
level of benandbrady.com so that it can use all the features available in Server 2003.

In your next meeting with the Operations Manager, you explain about the default levels of
the domain and forest. The default levels do not permit the use of certain features but do
allow backward compatibility with Windows NT Server and Windows 2000 Server.

After determining that only Windows Server 2003 will be running on benandbrady.com, you
decide to raise the forest and domain functional levels to Windows Server 2003. Raising a
functional level cannot be reversed, so this decision needs confirmation that no Windows NT
or Windows 2000 domain controllers will ever need to be added.

The next phase is to document the flexible single master operations roles so that they can be
distributed across your network. You explain to the Operations Manager that even though
all Domain Controllers are peers of each other, there are some Domain Controllers that
perform specific roles.

The Operations Manager would like to have a one-on-one session with you so that he can
document all the steps required to change roles.

The Management of Ben and Brady Ice Cream Corp. has been getting regular reports from
the Operations Manager about the progress of the network. They are extremely happy with
the professionalism and attention to detail you have demonstrated in setting up the
benandbrady.com domain. There was little to no interruption to normal operations. The
domain is performing up to the expectations of the users and the Management.

The Management has offered you a monthly retainer to act as a Consultant and Technical
Support person for the company. Your hard work has finally been rewarded with a lucrative
consulting contract and lots of referrals.

Domain functional levels
Domain functional levels provide a way to enable domain-wide Active Directory features
within the network environment. Windows Server 2003 has a lot of new features, some of
which are not compatible with Windows 2000 and Windows NT networks. You must
activate the appropriate domain functional level to benefit from the features available in
Active Directory.

There are four domain functional levels:

Windows 2000 Mixed (Default): When you first install or upgrade a domain controller to
a Windows Server 2003 operating system, the domain controller is set to run in Windows
2000 mixed functionality. The Windows 2000 mixed functional level allows a Windows
Server 2003 domain controller to interact with domain controllers in the domain running
Microsoft Windows NT 4, Windows 2000, or Windows Server 2003.

Windows 2000 Native: The Windows 2000 native functional level allows a domain
controller running the Windows Server 2003 operating system to interact with domain
controllers in the domain running Windows 2000 or Windows Server 2003. You can raise
the functional level of a domain to Windows 2000 native if the domain controllers in the
domain are all running Windows 2000 Server or later.

Windows Server 2003 Interim: The Windows Server 2003 interim functional level allows a
domain controller running the Windows Server 2003 operating system to interact with
domain controllers in the domain running Windows NT 4 or Windows Server 2003. The
Windows Server 2003 interim functional level is an option only when upgrading the first
Windows NT domain to a new forest and can be manually configured after the upgrade.
This functional level does not support domain controllers running Windows 2000.

Windows Server 2003: The Windows Server 2003 functional level allows a domain
controller running the Windows Server 2003 operating system to interact only with domain
controllers in the domain running Windows Server 2003. You can raise the functional level
of a domain to Windows Server 2003 only if all domain controllers in the domain are
running Windows Server 2003.

Since all the domain controllers in benandbrady.com are Windows Server 2003, we will
upgrade to the Windows Server 2003 domain functional level. To do this, we will be using
the Active Directory Domains and Trusts console.

1. Log in to DC1 as Administrator. Click Start → Administrative Tools → Active
Directory Users and Computers. Right click benandbrady.com and select
Properties. Note that the current level is set at Windows 2000 mixed. Click OK.

2. Right click the Users container, select New and then Group. Notice that the Universal
Group scope is unavailable. This feature is not compatible with Windows NT. You must
upgrade the domain mode to create Universal Groups. Click Cancel and close Active
Directory Users and Computers.

3. Click Start → Administrative Tools → Active Directory Domains and Trusts.
Right click benandbrady.com and select Raise Domain Functional Level.

4. In Select an available domain functional level, click the drop down box and select
Windows Server 2003. Click Raise. Click OK to the warning message that the process
is irreversible. Click OK again to complete the process. Close all windows.

Note that you have changed the domain functional level, not the level of the Domain
Controller. This process can be done at any domain controller. All domain controllers
will now reflect that the domain is in the Windows Server 2003 level. Let us now verify
this.

5. On DC3, log in as Administrator. Click Start → Administrative Tools → Active
Directory Users and Computers. Right click benandbrady.com and select
Properties. Now the level is set at Windows Server 2003.

6. Right click the Users container, select New and then Group. Notice that the Universal
Group scope is now available. It may be grayed out until the servers have replicated. You
can force replication by running domain replication.bat or through Active Directory
Sites and Services.

Close all programs and log off from DC3.

Forest functional levels
Forest functional levels provide a way to enable forest-wide Active Directory features within
the network environment. The forest functional levels control the type of interaction
between domain controllers in a forest.

There are three forest functional levels:

Windows 2000: When you first install or upgrade a domain controller to a Windows Server
2003 operating system, the forest is set to run in the Windows 2000 functional level. The
Windows 2000 functional level allows a Windows Server 2003 domain controller to interact
with domain controllers in the forest running Windows NT 4, Windows 2000, or Windows
Server 2003.

Windows Server 2003 Interim: The Windows Server 2003 interim functional level allows a
domain controller running the Windows Server 2003 operating system to interact with
domain controllers in the domain running Windows NT 4 or Windows Server 2003. The
Windows Server 2003 interim functional level is an option only when upgrading the first
Windows NT domain to a new forest and can be manually configured after the upgrade.
This functional level does not support domain controllers running Windows 2000.

Windows Server 2003: The Windows Server 2003 functional level allows a domain
controller running the Windows Server 2003 operating system to interact only with domain
controllers in the domain running Windows Server 2003.

You can raise the functional level of a forest to Windows Server 2003 only if all domain
controllers in the forest are running Windows Server 2003 and all domain functional levels in
the forest have been raised to Windows Server 2003.

Some of the significant features available in Windows Server 2003 forest level are improved
Active Directory & Global Catalog replication and the flexibility of renaming domains.
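The rules in the domain and forest functional level sections above, encoded as a planning check. This is an added example, not part of the Train Signal lab; the level names and the `upgrading_first_nt_domain` flag are assumptions chosen for illustration.

```python
# Constructed example (not from the lab): decide the highest domain functional
# level a set of domain controllers permits, and whether the forest can be
# raised to Windows Server 2003.
NT4, W2000, W2003 = "nt4", "2000", "2003"
KNOWN = {NT4, W2000, W2003}

def highest_domain_level(dc_versions, upgrading_first_nt_domain=False):
    """Return the highest domain functional level the listed DCs allow.

    dc_versions: the OS of every domain controller in the domain.
    upgrading_first_nt_domain: True only when the first Windows NT domain is
    being upgraded into a new forest (the one case where interim is offered).
    """
    versions = set(dc_versions)
    if not versions:
        raise ValueError("a domain needs at least one domain controller")
    unknown = versions - KNOWN
    if unknown:
        raise ValueError(f"unknown domain controller version(s): {sorted(unknown)}")
    if versions == {W2003}:
        return "Windows Server 2003"          # every DC is Server 2003
    if NT4 not in versions:
        return "Windows 2000 native"          # only 2000 and 2003 DCs remain
    # NT4 BDCs still exist: interim is possible only with no Windows 2000 DCs
    # and only during the NT-to-new-forest upgrade; otherwise stay in mixed.
    if W2000 not in versions and upgrading_first_nt_domain:
        return "Windows Server 2003 interim"
    return "Windows 2000 mixed"

def can_raise_forest_to_2003(domains):
    """domains maps domain name -> (current domain functional level, DC versions).

    The forest can be raised only when every DC in the forest runs Server 2003
    AND every domain has already been raised to the Server 2003 level.
    """
    return all(level == "Windows Server 2003" and set(dcs) == {W2003}
               for level, dcs in domains.values())

if __name__ == "__main__":
    # The lab domain: three Server 2003 DCs (DC1, DC2, DC3).
    lab = [W2003, W2003, W2003]
    print(highest_domain_level(lab))
    print(can_raise_forest_to_2003({"benandbrady.com": ("Windows Server 2003", lab)}))
```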

We will be using the Active Directory Domains and Trusts console to upgrade the forest
functional level.

1. Click Start → Administrative Tools → Active Directory Domains and Trusts.
Right click Active Directory Domains and Trusts and select Raise Forest
Functional Level.

2. Windows Server 2003 is already selected. Click Raise. Click OK on the informational
message box. Click OK to finish the upgrade.

3. Start Active Directory Users and Computers, right click benandbrady.com and select
Properties. Notice that both the Domain functional level and Forest functional level are
now at Windows Server 2003. Click OK. Close all programs.

Operations master roles
Active Directory supports multimaster replication of the Active Directory database between
all domain controllers in the domain. All Domain Controllers are considered as peers of each
other. Some changes are impractical to perform in multi-master fashion, so one or more
domain controllers can be assigned to perform operations that are single-master (not
permitted to occur at different places in a network at the same time).

In any Active Directory forest, five operations master roles must be assigned to one or more
domain controllers. Two roles are forest wide and three roles are domain wide.

Forest-wide operations master roles

• Schema master
• Domain naming master

These roles must be unique in the forest. This means that throughout the entire forest there
can be only one schema master and one domain naming master.

Schema master role

The domain controller assigned the schema master role controls all updates and
modifications to the schema. To update the schema of a forest, you must have access to the
schema master.

Domain naming master role

The domain controller holding the domain naming master role controls the addition or
removal of domains in the forest. This is like the Registrar of the forest. You cannot add or
remove domains if this role is unavailable.

Domain-wide operations master roles

• Relative identifier (RID), or relative ID, master
• Primary domain controller (PDC) emulator
• Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest can
have only one RID master, PDC emulator master and infrastructure master.

RID master role

The domain controller assigned the RID master role allocates sequences of relative IDs to
each of the various domain controllers in its domain. Whenever a domain controller creates
a user, group, or computer object, it assigns the object a unique security ID. The security ID
consists of a domain security ID that is the same for all security IDs created in the domain
and a relative ID that is unique for each security ID created in the domain. To move an
object between domains (using Movetree.exe, the Active Directory Object Manager), you
must initiate the move on the domain controller acting as the RID master of the domain that
currently contains the object.
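The security ID structure described above (one domain SID shared by every principal in the domain, plus a RID that the RID master's pool allocation keeps unique), as a small parser. This is an added example, not part of the Train Signal lab; the sample SIDs and the well-known RID table are constructed for illustration and are not benandbrady.com's real values.

```python
import re
from typing import Tuple, Optional

# Constructed example (not from the lab): split a domain SID into the domain
# part and the relative ID, and flag which RIDs come from the RID master's pool.
# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<rid>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# A few well-known RIDs that are fixed by Windows, never handed out from a pool.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   519: "Enterprise Admins"}
FIRST_POOL_RID = 1000   # RIDs allocated to new objects start here

def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain_sid, rid); raise ValueError for anything but a domain SID."""
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain SID: {sid}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)

def describe_sid(sid: str) -> dict:
    """Explain where a SID's RID came from: a well-known RID or the RID pool."""
    domain_sid, rid = split_sid(sid)
    name: Optional[str] = WELL_KNOWN_RIDS.get(rid)
    return {"domain_sid": domain_sid, "rid": rid, "well_known": name,
            "from_rid_pool": rid >= FIRST_POOL_RID}

def same_domain(sid_a: str, sid_b: str) -> bool:
    """Two principals share a domain exactly when their domain SIDs match."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]

if __name__ == "__main__":
    # Constructed sample values for a fictitious domain.
    admin = "S-1-5-21-1004336348-1177238915-682003330-500"
    user = "S-1-5-21-1004336348-1177238915-682003330-1105"
    print(describe_sid(admin))
    print(describe_sid(user))
    print(same_domain(admin, user))
```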

PDC emulator role

If the domain contains computers operating without Windows Server 2003 client software
or if it contains Windows NT backup domain controllers (BDCs), the domain controller
assigned the PDC emulator role acts as a Windows NT PDC. It processes password changes
from clients and replicates updates to the BDCs. Even after all systems are upgraded to
Windows Server 2003 and the Windows Server 2003 domain is operating at the Windows
Server 2003 functional level, the PDC emulator receives preferential replication of password
changes performed by other domain controllers in the domain. If a password was recently
changed, that change takes time to replicate to every domain controller in the domain. If a
logon authentication fails at another domain controller due to a bad password, that domain
controller forwards the authentication request to the PDC emulator before rejecting the
logon attempt.

Infrastructure master role

The domain controller assigned the infrastructure master role is responsible for updating the
group-to-user references whenever the members of groups are renamed or changed. When
you rename or move a member of a group (and the member resides in a different domain
from the group), the group might temporarily appear not to contain that member. The
infrastructure master distributes the update via multimaster replication.

Let’s now see which Domain Controllers have these roles in benandbrady.com.

1. Log in to DC1 as Administrator. Click Start → Administrative Tools → Active
Directory Users and Computers. Right click benandbrady.com and select
Operations Masters.

2. This shows the domain-wide operations masters. Click on each tab, RID, PDC and
Infrastructure, and observe that DC1 is the operations master for all these roles.

DC1 was the first Domain Controller in this domain. It received all domain wide roles
because at any time there should be exactly ONE Domain Controller with these roles.
Click Close.

Managing operations master roles
There are two ways to manage operations master roles:

1. Transfer.
2. Seizure.

Transferring operations master roles

To transfer an operations master role is to move it with the cooperation of its current owner.
You transfer an operations master role when you want to move a role from one server to
another.

Seizing operations master roles

To seize an operations master role is to move it without the cooperation of its current
owner. You seize an operations master role assignment when a server that is holding a role
fails and you do not intend to restore it.

We will now transfer the infrastructure master role to DC2.

1. Right click benandbrady.com, select Connect to Domain Controller and then select
DC2 from the list. Click OK. Right click benandbrady.com, select Operations
Masters and select the Infrastructure tab. Click the Change button.

2. Click Yes to confirm the transfer. Click OK on the successful transfer message.

DC2 is now the infrastructure master in the benandbrady.com domain.

We’re now going to shut down the server DC2 so that it is unavailable. We’re also going to
assume that the hard disk in DC2 has failed and that DC2 can never be recovered. We
now have to take the drastic measure of seizing the infrastructure master role. This is
accomplished by using the ntdsutil utility in the Command Prompt.

1. Log on to DC1. Click Start, click Command Prompt and at the prompt, type ntdsutil
and press Enter. At the ntdsutil prompt, type roles and press Enter. At the fsmo
maintenance prompt, type connections and press Enter. At the server connections
prompt, type connect to server dc1.benandbrady.com and press Enter, then type
quit and press Enter. At the fsmo maintenance prompt, type seize infrastructure
master and press Enter.

2. Click Yes in the Role Seizure Confirmation dialog box.

You will see messages telling you that the role has been successfully seized.

3. At the fsmo maintenance prompt, type quit and then press Enter. At the ntdsutil
prompt, type quit and press Enter. Let us now verify this. Click Start →
Administrative Tools → Active Directory Users and Computers. Right click
benandbrady.com and select Operations Masters. Click on the Infrastructure tab.

Observe that DC1 is now the infrastructure master. You have successfully seized this
role from DC2. Now, close all windows and programs.
