4. Joining a New Domain Tree to a Forest
A forest is one or more trees that do not share a contiguous namespace. For example, you could join the organization1.com and organization2.com domains together to create a single Active Directory environment.
Any two trees can be joined together to create a forest, as long as the second tree is installed after the first and the trees have noncontiguous namespaces. (If the namespaces were contiguous, you would actually need to create a new domain for an existing tree.) The process of creating a new tree to form or add to a forest is as simple as promoting a server to a domain controller for a new domain that does not share a namespace with an existing Active Directory domain.
NOTE
The command-line tool adprep.exe is used to prepare a Microsoft Windows 2003 forest or a Windows 2003 domain for the installation of Windows Server 2008 domain controllers. Before you promote a Windows Server 2008 domain controller into a Windows 2003 forest, an administrator should successfully run adprep /forestprep on the schema operations master and adprep /domainprep on the infrastructure master in the Windows 2003 forest. The forestprep and domainprep processes prepare the Windows 2000 or 2003 network to accept the installation of the Windows Server 2008 servers.
In Exercise 2, you will use the Active Directory Installation Wizard to create a new domain tree to add to a forest. In order to add a new domain to an existing forest, you must already have at least one other domain, which is the root domain. Keep in mind that the entire forest structure is destroyed if the original root domain is ever entirely removed. Therefore, you should have at least two domain controllers in the Active Directory root domain; the second serves as a backup in case you have a problem with the first, and it also supports disaster recovery and fault tolerance. Such a setup provides additional protection for the entire forest in case one of the domain controllers fails. In order to complete this exercise, you must have already installed another domain controller that serves as the root domain for a forest, and you must use a server in the domain that is not a domain controller.
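Before starting the wizard, the conditions in the NOTE and in the paragraph above can be verified from the member server itself. The following PowerShell pre-flight script is an added example, not part of the book or of the exercise; it uses ADSI and WMI only, so it runs on Windows Server 2008 without the AD module, and the new tree name organization2.com is an assumed value.

```powershell
# Added pre-flight check (not from the book): run from the member server that will
# become the new tree root to verify what the NOTE and the exercise preamble
# require. $NewTreeDnsName is an assumed name for the new domain tree.
param([string]$NewTreeDnsName = "organization2.com")

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext.Value
$schemaNC = $rootDse.schemaNamingContext.Value
$rootNC   = $rootDse.rootDomainNamingContext.Value

function Get-Revision($dn) {   # 'revision' attribute written by adprep, or -1 if the marker is missing
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) { return -1 }
    return [int]([ADSI]"LDAP://$dn").revision.Value
}

# 1. adprep leaves version markers: for Windows Server 2008, schema objectVersion 44,
#    ForestUpdates revision 2 (forestprep) and DomainUpdates revision 3 (domainprep).
$schemaVersion = [int]([ADSI]"LDAP://$schemaNC").objectVersion.Value
$forestRev = Get-Revision "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
$domainRev = Get-Revision "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$rootNC"
if ($schemaVersion -lt 44 -or $forestRev -lt 2) {
    Write-Warning "schema $schemaVersion, ForestUpdates $forestRev: run adprep /forestprep on the schema master"
}
if ($domainRev -lt 3) {
    Write-Warning "DomainUpdates $domainRev: run adprep /domainprep on the infrastructure master"
}

# 2. The new name must not be contiguous with any existing domain. Domain crossRef
#    objects under CN=Partitions have systemFlags bit 2 set (FLAG_CR_NTDS_DOMAIN).
$s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$configNC")
$s.Filter = "(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))"
$domains = @($s.FindAll() | ForEach-Object { [string]$_.Properties["dnsroot"][0] })
foreach ($d in $domains) {
    if ($NewTreeDnsName -eq $d -or $NewTreeDnsName -like "*.$d" -or $d -like "*.$NewTreeDnsName") {
        Write-Warning "'$NewTreeDnsName' shares a namespace with '$d': that is a child domain, not a new tree"
    }
}

# 3. The root domain should keep at least two DCs (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT).
$s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$rootNC")
$s.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
$dcCount = $s.FindAll().Count
if ($dcCount -lt 2) { Write-Warning "root domain has $dcCount DC(s); keep at least two" }

# 4. The wizard must run on a member server, not an existing DC (Win32_ComputerSystem.DomainRole: 3 = member server, 4/5 = DC).
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ge 4)     { Write-Warning "this machine is already a domain controller (DomainRole $role)" }
elseif ($role -ne 3) { Write-Warning "this machine is not a member server (DomainRole $role)" }
"schema=$schemaVersion forestRev=$forestRev domainRev=$domainRev rootDCs=$dcCount domains=$($domains -join ',')"
```

A clean run prints only the summary line; each warning names the step of the NOTE or the preamble that has not yet been satisfied.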
Open the Active Directory Installation Wizard by clicking Start => Run, and typing dcpromo. Click the Use Advanced Mode Installation box. Click Next.
On the Choose a Deployment Configuration page, select Existing Forest and then click Create A New Domain In An Existing Forest. Check the box "Create a new domain tree root instead of a new child domain." Click Next.
A warning box might appear stating that the local administrator account becomes the domain administrator account for the new domain. If it appears, click Yes to continue.
On the Network Credentials page, click the Set button and enter the username and password for the domain administrator of a domain in the forest you wish to join. Click Next.
On the Name the New Domain Tree Root page, you need to specify the full name of the new domain you wish to create. Note that this domain may not share a contiguous namespace with any other existing domain. Once you have entered the appropriate information, click Next.
On the Domain NetBIOS Name page, you are prompted for the NetBIOS name of the domain controller. This is the name previous versions of Windows use to identify this machine. Choose a name that is up to 15 characters in length and includes only alphanumeric characters. Click Next to continue.
If the Select A Site screen appears, choose any site and click Next. (You may not have any sites created on your forest. This server will then be added to the DefaultFirstSite.)
On the Additional Domain Controller Options page, make sure DNS Server is checked and click Next.
If a delegation for DNS message appears, click Yes.
The Source Domain Controller screen appears. Click the button labeled This Specific Domain Controller and highlight the domain controller. Click Next.
On the Location For Database, Log Files, And SYSVOL page, specify the database and log locations. These settings specify where the Active Directory database resides on the local machine. Click Next.
In order to be able to recover this server in the event of a loss of Active Directory information, you need to provide a Directory Services Restore Mode Administrator password. This password allows you to use the built-in recovery features of Windows Server 2008 if the Active Directory database is lost or corrupted. Enter P@ssw0rd, confirm it, and then click Next.
On the Summary page, you are given a brief listing of all of the choices you made in the previous steps. Click Next to continue.
The Active Directory Installation Wizard automatically begins performing the steps required to create a new domain tree based on the information you provided. Note that you can press Cancel if you want to abort this process. When the setup is complete, you are prompted to reboot the system. Go ahead and do so, and once the process is finished, you will have a new domain tree.
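The same sequence of wizard choices can be driven by dcpromo's unattended mode, which is how a practitioner would repeat the promotion consistently. The PowerShell script below is an added example, not part of the book; the domain names, source domain controller and paths are assumed values, the [DCInstall] keys are dcpromo's own unattend keys, and each key is commented with the wizard page it replaces. Because the answer file has to carry the Directory Services Restore Mode password, the script reads it at run time, deletes the file as soon as dcpromo has used it, and only then reboots.

```powershell
# Added example (not from the book): the same promotion, driven by dcpromo /unattend
# instead of the wizard pages. Domain names, the source DC and the paths are assumed
# values; the [DCInstall] keys are dcpromo's unattend keys.
$answerFile = Join-Path $env:TEMP "newtree-unattend.txt"

# The DSRM password is read at run time and the file is removed after dcpromo has
# consumed it, so the secret never lives in the script or survives on disk.
$dsrm = Read-Host "Directory Services Restore Mode Administrator password"
$answer = @'
[DCInstall]
; Choose a Deployment Configuration: existing forest, new domain tree root
ReplicaOrNewDomain=Domain
NewDomain=Tree
NewDomainDNSName=organization2.com
DomainNetBiosName=ORGANIZATION2
; Network Credentials: domain administrator of a domain already in the forest (* = prompt)
UserDomain=organization1.com
UserName=Administrator
Password=*
; Select A Site (Default-First-Site-Name is the site a new forest starts with)
SiteName=Default-First-Site-Name
; Additional Domain Controller Options: DNS Server checked. A new tree root has no
; parent zone inside the forest, which is why the wizard shows its DNS delegation message.
InstallDNS=Yes
CreateDNSDelegation=No
; Source Domain Controller: This Specific Domain Controller (assumed host name)
ReplicationSourceDC=dc1.organization1.com
; Location For Database, Log Files, And SYSVOL
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode Administrator password (filled in below)
SafeModeAdminPassword=__DSRM__
; Reboot is done by this script, after the answer file has been deleted
RebootOnCompletion=No
'@
Set-Content -Path $answerFile -Value $answer.Replace('__DSRM__', $dsrm)

# dcpromo is a GUI executable, so wait for it explicitly to collect its exit code.
$p = Start-Process -FilePath "$env:SystemRoot\system32\dcpromo.exe" `
                   -ArgumentList "/unattend:`"$answerFile`"" -Wait -PassThru
Remove-Item -Path $answerFile -Force
Write-Host "dcpromo exit code $($p.ExitCode); details are in $env:SystemRoot\debug\dcpromo.log"
if ((Read-Host "Reboot now to complete the promotion? (y/n)") -eq 'y') { & shutdown.exe /r /t 0 }
```

Check dcpromo.log before answering the reboot prompt; a failed promotion leaves the server a member server and the log names the page of the process that failed.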
5. Adding Additional Domain Controllers
In addition to the operations you've already performed, you can use the Active Directory Installation Wizard to create additional domain controllers for any of your domains. There are two main reasons to create additional domain controllers:
Fault tolerance and reliability
You should always consider the theory of disaster recovery (DR) and have a plan, sometimes referred to as a Disaster Recovery Plan (DRP). If your organization relies on its network directory services infrastructure, you need Active Directory to provide security and resources for all users. For this reason, downtime and data loss are very costly. Through the use of multiple domain controllers, you can ensure that if one of the servers goes down, another one is available to perform the necessary tasks, such as user authentication and resource browsing. Additionally, data loss (perhaps from hard disk drive failure) will not result in the loss or unavailability of network security information, since you can easily recover Active Directory information from the remaining, still functional domain controller.
Performance
The burden of processing login requests and serving as a repository for security permissions and other information can be quite extensive, especially in larger businesses. By using multiple domain controllers, you can distribute this load across multiple systems. Additionally, by strategically placing domain controllers, you can greatly increase response times for common network operations, such as authentication and browsing for resources.
As a rule of thumb, you should always plan and design your infrastructure to have at least two domain controllers per domain. For many organizations, this provides a good balance between the cost of servers and the level of reliability and performance. For larger or more distributed organizations, however, additional domain controllers greatly improve performance.