
Setting up Windows Domains and Forests at the UW

Last Modified 09/05/2006

Introduction

Purpose of this document

This document is intended for support personnel or system administrators at the University of Washington.  It covers setting up a Windows 2000 domain controller that will be linked into the UW's existing DNS structure.  This document does not cover the details of setting up and using Windows 2000; it assumes that you are already familiar with the basics of using Windows 2000.

A note about the term "domain"

Throughout this document the word domain will sometimes refer to a DNS domain and sometimes refer to a Microsoft Windows domain.  While in the past these two concepts were separate and non-interchangeable, that is not as true today.  With Windows 2000, Microsoft has adopted the DNS naming conventions and structures to its domains.  For example, the domain name "cs.washington.edu" is both the DNS and Windows 2000 domain name for Computer Science.  For most purposes, these terms are now interchangeable.

We recommend that you read Windows Domain DNS reliance before setting up a Windows domain.

Chapter 1: Requirements

The following chapters of this document assume that you have already satisfied certain requirements.  Those requirements, and how to get more help in fulfilling them, are outlined below.

Authority to run the domain controllers for your intended DNS domain

In Windows 2000, the Windows domain naming structure parallels the DNS naming structure.  Thus, the authority and responsibility for the DNS and Windows domains are one and the same.  If you are unaware of the contact for your department's DNS domain, wish to change the contact person for your department, or wish to register a new department, send email to netops@u.washington.edu or call Network Operations at 543-5128.

 

Windows 2000 Server installed on stand-alone servers

You should have at least two servers ready to act as domain controllers.  These machines should not be used as workstations or provide other network services since their stability and availability are paramount.  The reason for having more than one domain controller is that if all of your domain controllers become simultaneously unavailable, users cannot log in to your domain.  Additionally, if all of your domain controllers become simultaneously unrecoverable, your domain will have to be recreated from scratch.

The domain controllers do not have to have a great deal of computing horsepower. Two domain controllers, each with a PIII 450 CPU, 512MB of RAM and a 20GB hard drive will be more than adequate for typical domains serving around a hundred users provided they are only acting as domain controllers. It is easy to add and/or upgrade domain controllers in the future should you find that you require more capacity.

 

A static IP address and DNS name assigned to your intended DCs

Since your domain controllers must be found by workstations wishing to log into your domain, they must be registered with static IP addresses and have a DNS name in your intended domain.  If you require a new DNS registration or a modification to an existing one, send email to netops@u.washington.edu or call Network Operations at 543-5128.

Chapter 2: Setting Up Your Domain

Authorize your domain

In order to maintain the domain controllers for a domain, you must be the domain contact person.  Every existing DNS domain already has a contact person listed.  If you are unsure of your domain contact person, you can contact Network Operations to find this out.  If you are the domain contact, you can contact Network Operations to request that your domain controller servers be registered as such so that other computers can find them.  This process is outlined below.

If you have questions about the DNS domain contact system, you can reach Network Operations at 543-5128 or send email to netops@u.washington.edu.

Register your domain controllers

Send email to win2kinfo@u.washington.edu with the following information:

Example:

      From:  Jane Smith <jsmith@u.washington.edu>
      To:  win2kinfo@u.washington.edu
      Subject:  New Windows 2000 domain
      Hi,
      I'm Jane Smith, the domain contact for xyz.washington.edu. 
      
      I would like to register:
      bert.xyz.washington.edu and ernie.xyz.washington.edu as
      Windows 2000 domain controllers for my domain.
      
      I will be upgrading an existing NT 4 domain, which is
      used by approximately 50 people. I do not have trust
      relationships with any other domains.  I'd like to make the
      transition to Windows 2000 around the first of
      September.
      Thanks, 
                Jane Smith
  

You will shortly get back a reply that those machines are OK to use as the domain controllers and a FAQ outlining the UW's campus-wide domain forest.  You should then decide if you want to join your domain to the campus forest.

If you decide to join the UW campus forest, you will need to set up an appointment with a UW Technology representative to set up your domain controllers and join your domain to the forest.  You do not need to continue with this document.  An appointment is necessary because when you first join the forest, the administrator of the forest has to perform the join operation.  You will not need the forest administrator to set up subsequent domain controllers, servers, or workstations in that domain.

If you decide not to join the UW campus forest, or are not setting up the first domain controller in your domain, continue with these instructions.  

Chapter 3: Setting up the domain controllers

For each of your domain controllers, you should follow the steps in this chapter.  Some steps will have alternate actions depending on if you are joining an existing forest.

Run DCPROMO

From the Start menu of your domain controller, select run and enter:  DCPROMO

This will start the Active Directory Installation Wizard.

If this is the first domain controller in your domain, choose "Domain controller for a new domain".  If this is not the first one you have set up, choose "Additional domain controller for an existing domain", click Next, and authenticate to your existing domain.

Choose "Create new domain tree", even if you will be joining an existing forest.

If you are joining an existing forest, choose "Place this new domain tree in an existing forest".  Otherwise, choose "Create a new forest of domain trees".

If you are joining an existing forest, you will be asked for credentials to use to join.  You will need to get this information from the administrator of the forest you are joining.  This account must have authority to add domains to the forest. 

Enter the name of your domain.

Specify a NetBIOS name for your new domain.  This name will be used by older operating systems (Windows 98, NT 4.0, etc.) should you choose to support those operating systems.

If you have separate physical hard disks, it's a good idea to keep the database and log on separate disks.  Otherwise, one could slow the other down.

Enter a directory for the public files area of your Active Directory tree.

At this point, you may see the following message.  You can safely ignore this, as you will be sending DNS registration information in a later step.

Choose No, you will be configuring this later.

Unless you have a mixed environment with Windows NT 4.0 servers that use Active Directory information, you should choose to set the more strict Windows 2000 only permissions.

Enter a password to be used if you must restore the Active Directory.  This will also be your initial administrator password.

Review your setup and click next to start the configuration process.  You will see a screen similar to the following for a few minutes.

When the configuration process completes, you will be directed to restart your computer.  After your domain controller restarts, log in to your new domain as administrator.
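The wizard steps above can also be driven from an unattended answer file, which records the same choices in one place and makes them reviewable before a domain is created. The batch script below is an added example, not part of the original UW page: it writes an answer file for the first domain controller of a new domain that forms its own forest (the "not joining the UW campus forest" path) and runs DCPROMO against it. The [DCInstall] key names are taken from Microsoft's unattended dcpromo documentation rather than from this page, so verify them against the unattend reference for your Windows version; the domain name, NetBIOS name, paths and password are placeholders to replace.

```batch
@echo off
rem Added example, not from the UW page: unattended equivalent of the DCPROMO
rem wizard walk-through for the first DC of a new domain in a new forest.
rem Key names assume Microsoft's [DCInstall] unattend documentation; values are
rem placeholders.

set ANSWER=%SystemRoot%\Temp\dcpromo-answer.txt

(
  echo [DCInstall]
  rem "Domain controller for a new domain"
  echo ReplicaOrNewDomain=Domain
  rem "Create new domain tree", chosen even when joining an existing forest
  echo TreeOrChild=Tree
  rem "Create a new forest of domain trees". To place the tree in an existing
  rem forest instead, use CreateOrJoin=Join and add UserName, UserDomain and
  rem Password lines holding the forest administrator's credentials.
  echo CreateOrJoin=Create
  echo NewDomainDNSName=xyz.washington.edu
  rem NetBIOS name used by Windows 98 and NT 4.0 clients
  echo DomainNetbiosName=XYZ
  rem Keep the database and its log on separate physical disks where possible
  echo DatabasePath=C:\WINNT\NTDS
  echo LogPath=D:\NTDSLOGS
  rem Public files area of the tree
  echo SYSVOLPath=C:\WINNT\SYSVOL
  rem "No, you will be configuring this later": the DNS records are sent to
  rem Network Operations by hand as NETLOGON.DNS, so do not auto-configure DNS
  echo AutoConfigDNS=No
  rem Strict Windows 2000-only permissions; Yes would allow pre-2000 access
  echo AllowAnonymousAccess=No
  rem Directory Services Restore Mode password, also the initial admin password
  echo SafeModeAdminPassword=REPLACE-WITH-RESTORE-PASSWORD
  rem Do not reboot automatically so the answer file can be deleted first
  echo RebootOnSuccess=No
) > "%ANSWER%"

rem Run the wizard unattended, then remove the answer file immediately:
rem it holds the restore-mode password in clear text.
dcpromo /answer:"%ANSWER%"
del "%ANSWER%"

echo Answer file removed. Restart the computer now to complete promotion.
```

After the restart, continue with the NETLOGON.DNS step below exactly as for a wizard-driven promotion; the unattended run produces the same file.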

Send DNS information to Network Operations

Find the file NETLOGON.DNS from your domain controller's <WINDIR>\SYSTEM32\CONFIG directory.  <WINDIR>  will usually be C:\WINNT.

Attach this file in an email message to netops@u.washington.edu with a subject or short message of:  DNS entries for Windows 2000 domain xyz.washington.edu.  (Use your own domain here of course).  Do not edit the file or import it into the body of the message.  Attach it to the message using a MIME compatible mailer such as Outlook Express or pine.  If you are setting up multiple domain controllers, you can send them all as attachments to one message.

You will shortly receive an email that this information has been entered into the UW's DNS servers.  If this is a change to an existing Windows 2000 domain, it can take up to 24 hours for the old information to be overwritten.  Otherwise, your new domain is ready for use as soon as you complete the next section.

Turn Off Dynamic DNS

By default, a Windows 2000 or 2003 domain controller will try to periodically update its DNS server with new information. Since the DNS servers at the UW do not accept dynamic updates, this will cause unnecessary network traffic and trigger error events in your event logs.

To turn off dynamic DNS updates on a domain controller:

You should disable (uncheck) the "Register this connection's addresses in DNS" setting. This property can be found in the DNS tab of the Advanced TCP/IP Settings dialog in the properties of your local area network connection.

This should be done on every network interface for the domain controller.

If you would like information on how to turn off DNS updates on your workstations using group policy objects, see Microsoft Knowledge Base article Q294832.

If you are not using the UW's DNS servers and are running your own DNS servers that support dynamic updates, you can disregard this section.
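The checkbox described above is a per-interface setting and has to be repeated on every adapter. The batch script below is an added example, not from the UW page, that turns dynamic DNS registration off machine-wide and also stops the Netlogon service from attempting its own record registration (the source of the event log errors mentioned above). It assumes the DisableDynamicUpdate (Tcpip) and UseDynamicDns (Netlogon) registry values, which Microsoft documents for Windows 2000 and 2003 domain controllers but which this page does not mention, and the reg.exe syntax shipped with Windows Server 2003; on Windows 2000 set the same values with the Support Tools reg.exe or regedit.

```batch
@echo off
rem Added example, not from the UW page: machine-wide equivalent of unchecking
rem "Register this connection's addresses in DNS" on every interface of a DC
rem whose DNS server does not accept dynamic updates.
rem Assumed registry values: Tcpip DisableDynamicUpdate and Netlogon
rem UseDynamicDns, as documented by Microsoft; reg.exe syntax as on Windows 2003.

set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set NETLOGON=HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

rem 1 = the DNS client sends no dynamic updates for any interface
reg add %TCPIP% /v DisableDynamicUpdate /t REG_DWORD /d 1 /f

rem 0 = Netlogon no longer tries to register the DC's SRV and A records itself;
rem those are the records Network Operations loads from NETLOGON.DNS
reg add %NETLOGON% /v UseDynamicDns /t REG_DWORD /d 0 /f

rem Netlogon picks the value up at start, so restart it to apply the change.
rem This briefly interrupts logon service on this DC; do it off-hours.
net stop netlogon
net start netlogon

rem Verify the values now in effect
reg query %TCPIP% /v DisableDynamicUpdate
reg query %NETLOGON% /v UseDynamicDns
```

Once both values are in place the NETLOGON "dynamic registration of the DNS record failed" events (ID 5774) should stop appearing in the System log; if they continue, a remaining interface or the Netlogon restart is the first thing to check. As the section notes, none of this applies if you run your own DNS servers that accept dynamic updates.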

Configure a time server

Since Windows 2000 uses Kerberos authentication, having the correct time is critical.  If this is the first domain controller you are setting up, you must give it an external time source as follows:

  1. Open a command shell as administrator
  2. Enter:  net time /setsntp:time.u.washington.edu

Chapter 4: Removing a domain controller

If you wish to remove a domain controller from an existing domain, follow these steps. NOTE: If you remove the last remaining domain controller for a domain, all Active Directory information from that domain will be permanently lost. In addition, removing the last domain controller from a domain requires Enterprise Administrator privileges. If this domain is part of the UW forest, this means you will need to schedule the removal through win2kinfo@u.washington.edu.

  1. Click Start , click Run , type dcpromo , and then click OK .
  2. This starts the Active Directory Installation Wizard. Click Next .
  3. There is a check box in the Remove Active Directory screen. If this computer is the last domain controller in the domain, click to select the check box. Otherwise, click Next .
  4. In the next screen, set the password for the administrator account on the server after Active Directory is removed. Type the appropriate password in the Password and Confirm Password boxes, and then click Next .
  5. In the Summary screen, review and confirm the options you selected, and then click Next .
  6. The wizard begins the process of removing Active Directory from the server. After the process is finished, a message indicates that Active Directory was removed from the computer.
  7. Click Finish to quit the wizard.
  8. Restart the computer.
  9. Send an email message to netops@u.washington.edu from your DNS domain contact with a short message of:
    Please remove all SRV and CNAME records for dcserver1.xyz.washington.edu (Use your own DC and domain here of course).

It can take up to 24 hours for the old information to be overwritten.  During this time you may see some errors as clients and servers try to contact the demoted domain controller.

Chapter 5: Where to go from here

There is documentation available for Windows domains at the UW.

For help with a Windows domain that you administer, please send your query to win2kinfo@u.washington.edu. For general help with Windows at the UW, please send mail to help@u.washington.edu.

Please note that UW Technology can only provide support for the services that it offers and can only respond to specific questions.