Windows Domain Setup at the UW
NOTE: UW-IT strongly encourages departments to use a Delegated OU within the NETID domain instead of running their own Windows domain. This saves the university money by reducing duplicated systems and administrative overhead and by sharing the investment in solutions, and you get the benefit of the broad set of capabilities provided centrally. See Getting Started with Delegated OUs.
Table of Contents
- Chapter 1: Requirements
- Chapter 2: Setting Up Your Domain
- Chapter 3: Setting up the domain controllers
- Chapter 4: Removing a domain controller
- Chapter 5: Where to go from here
This document is intended for support personnel or system administrators at the University of Washington. It covers setting up a Windows 2000 domain controller that will be linked into the UW’s existing DNS structure. This document does not cover the details of setting up and using Windows 2000; it assumes that you are already familiar with the basics of using Windows 2000.
NOTE: While Windows 2000 is no longer current, the basics remain the same and this document remains relevant.
Throughout this document the word domain will sometimes refer to a DNS domain and sometimes refer to a Microsoft Windows domain. While in the past these two concepts were separate and non-interchangeable, that is no longer the case. With Windows 2000, Microsoft adopted DNS naming conventions and structures for its domains. For example, the domain name “cs.washington.edu” is both the DNS and the Windows 2000 domain name for Computer Science. For most purposes, these terms are now interchangeable.
We recommend that you read Windows Domain DNS reliance before setting up a Windows domain.
The following chapters of this document assume that you have already performed certain requirements. Those requirements and how to get more help in fulfilling them are outlined below.
In Windows, the Windows domain naming structure parallels the DNS naming structure. Thus, the authority and responsibility for the DNS domain and the Windows domain are one and the same. If you are unaware of the contact for your department’s DNS domain, wish to change the contact person for your department, or wish to register a new department, send email to email@example.com.
You should have at least two servers ready to act as domain controllers. These machines should not be used as workstations or provide other network services since their stability and availability are paramount. The reason for having more than one domain controller is that if all of your domain controllers become simultaneously unavailable, users cannot log in to your domain. Additionally, if all of your domain controllers become simultaneously unrecoverable, your domain will have to be recreated from scratch.
The domain controllers do not have to have a great deal of computing horsepower. Two domain controllers should be adequate for typical domains serving around a hundred users provided they are only acting as domain controllers. It is easy to add and/or upgrade domain controllers in the future should you find that you require more capacity.
Since your domain controllers must be found by workstations wishing to log into your domain, they must be registered with static IP addresses and have a DNS name in your intended domain. If you require a new DNS registration or a modification to an existing one, send email to firstname.lastname@example.org.
In order to maintain the domain controllers for a domain, you must be the domain contact person. Every existing DNS domain already has a contact person listed. If you are unsure of your domain contact person, you can contact Network Operations to find this out. If you are the domain contact, you can contact Network Operations to request that your domain controller servers be registered as such so that other computers can find them. This process is outlined below.
If you have questions about the DNS domain contact system, you can send email to email@example.com.
Send email to firstname.lastname@example.org with the following information:
- The name of your DNS domain
- The full DNS names of your intended domain controllers (there should be at least 2)
- Your timeline for the installation
From: Jane Smith <email@example.com>
To: firstname.lastname@example.org
Subject: New Windows domain

Hi, I'm Jane Smith, the domain contact for xyz.washington.edu. I would like to register:
bert.xyz.washington.edu and ernie.xyz.washington.edu
as Windows domain controllers for my domain.

Thanks,
Jane Smith
You will shortly get back a reply.
For each of your domain controllers, you should follow the steps in this chapter. Some steps will have alternate actions depending on if you are joining an existing forest.
From the Start menu of your domain controller, select Run and enter: DCPROMO
This will start the Active Directory Installation Wizard.
If this is the first domain controller in your domain, choose “Domain controller for a new domain”. If this is not the first one you have set up, choose “Additional domain controller for an existing domain”, click Next, and authenticate to your existing domain.
Choose “Create new domain tree”, even if you will be joining an existing forest.
If you are joining an existing forest, choose “Place this new domain tree in an existing forest”. Otherwise, choose “Create a new forest of domain trees”.
If you are joining an existing forest, you will be asked for credentials to use to join. You will need to get this information from the administrator of the forest you are joining. This account must have authority to add domains to the forest.
Enter the name of your domain.
Specify a NetBIOS name for your new domain. This name will be used by older operating systems (Windows 98, NT 4.0, etc.) should you choose to support those operating systems.
If you have separate physical hard disks, it’s a good idea to keep the database and log on separate disks. Otherwise, one could slow the other down.
Enter a directory for the public files area of your Active Directory tree.
At this point, you may see the following message. You can safely ignore this, as you will be sending DNS registration information in a later step.
Choose No, you will be configuring this later.
Unless you have a mixed environment with Windows NT 4.0 servers that use Active Directory information, you should choose to set the more strict Windows 2000 only permissions.
Enter a password to be used if you must restore the Active Directory. This will also be your initial administrator password.
Review your setup and click next to start the configuration process. You will see a screen similar to the following for a few minutes.
When the configuration process completes, you will be directed to restart your computer. After your domain controller restarts, log in to your new domain as administrator.
Find the file NETLOGON.DNS from your domain controller’s <WINDIR>\SYSTEM32\CONFIG directory. <WINDIR> will usually be C:\WINDOWS.
Attach this file in an email message to email@example.com with a subject or short message of: DNS entries for Windows domain xyz.washington.edu. (Use your own domain here of course). Do not edit the file or import it into the body of the message. Attach it to the message using a MIME compatible mailer such as Outlook Express or pine. If you are setting up multiple domain controllers, you can send them all as attachments to one message, but do note that you must send the NETLOGON.DNS file from every domain controller to firstname.lastname@example.org or campus DNS will have incomplete information about your Windows domain.
You will shortly receive an email that this information has been entered into the UW’s DNS servers. If this is a change to an existing Windows domain, it can take a couple hours for the old information to be overwritten.
By default, a Windows domain controller will try to periodically update its DNS server with new information. Since the DNS servers at the UW do not accept dynamic updates, this will cause unnecessary network traffic and trigger error events in your event logs.
To turn off dynamic DNS updates on a domain controller:
You should disable (uncheck) the “Register this connection’s addresses in DNS” setting. This property can be found in the DNS tab of the Advanced TCP/IP Settings dialog in the properties of your local area network connection.
This should be done on every network interface for the domain controller.
If you would like information on how to turn off DNS updates on your workstations using group policy objects, see Microsoft Knowledge Base article Q294832.
If you are not using the UW’s DNS servers and are running your own DNS servers that support dynamic updates, you can disregard this section.
Since Windows Active Directory uses Kerberos authentication, having the correct time is critical. If this is the first domain controller you are setting up, you must give it an external time source as follows:
- Open a command shell as administrator
- Run the following commands:
  w32tm /config /manualpeerlist:time.u.washington.edu /syncfromflags:manual /reliable:yes /update
  net stop w32time
  net start w32time

Deprecated command: net time /setsntp:time.u.washington.edu
If you wish to remove a domain controller from an existing domain, follow these steps. NOTE: If you remove the last remaining domain controller for a domain, all Active Directory information from that domain will be permanently lost. In addition, removing the last domain controller from a domain requires Enterprise Administrator privileges.
- Click Start, click Run, type dcpromo, and then click OK.
- This starts the Active Directory Installation Wizard. Click Next.
- There is a check box in the Remove Active Directory screen. If this computer is the last domain controller in the domain, click to select the check box. Otherwise, click Next.
- In the next screen, set the password for the administrator account on the server after Active Directory is removed. Type the appropriate password in the Password and Confirm Password boxes, and then click Next.
- In the Summary screen, review and confirm the options you selected, and then click Next.
- The wizard begins the process of removing Active Directory from the server. After the process is finished, a message indicates that Active Directory was removed from the computer.
- Click Finish to quit the wizard.
- Restart the computer.
- Send an email message to email@example.com from your DNS domain contact with a short message of:
Please remove all SRV and CNAME records for dcserver1.xyz.washington.edu (Use your own DC and domain here of course).
It can take up to 24 hours for the old information to be overwritten. During this time you may see some errors as clients and servers try to contact the demoted domain controller.
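Two checks a domain contact may want before sending mail to campus DNS, covering both the NETLOGON.DNS step above and the demotion step: that the files you attached cover every domain controller you registered, and which SRV and CNAME records a demoted DC leaves behind. This is an added example, not part of the original page or any UW tool; the NETLOGON.DNS contents, hostnames and GUID label are constructed samples in the zone-file layout a Windows 2000 DC writes.

```python
# Constructed samples: one NETLOGON.DNS per DC (hostnames and GUID label are made up).
SAMPLE_BERT = """\
xyz.washington.edu. 600 IN A 192.0.2.10
_ldap._tcp.xyz.washington.edu. 600 IN SRV 0 100 389 bert.xyz.washington.edu.
_kerberos._tcp.xyz.washington.edu. 600 IN SRV 0 100 88 bert.xyz.washington.edu.
_ldap._tcp.dc._msdcs.xyz.washington.edu. 600 IN SRV 0 100 389 bert.xyz.washington.edu.
_ldap._tcp.pdc._msdcs.xyz.washington.edu. 600 IN SRV 0 100 389 bert.xyz.washington.edu.
0f1e2d3c-placeholder-guid._msdcs.xyz.washington.edu. 600 IN CNAME bert.xyz.washington.edu.
"""
SAMPLE_ERNIE = """\
xyz.washington.edu. 600 IN A 192.0.2.11
_ldap._tcp.xyz.washington.edu. 600 IN SRV 0 100 389 ernie.xyz.washington.edu.
_kerberos._tcp.xyz.washington.edu. 600 IN SRV 0 100 88 ernie.xyz.washington.edu.
"""

def parse_records(text):
    """Return (owner, rtype, rdata) triples; rdata is the target host for SRV/CNAME."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # blank line or not a resource record
        owner, rtype = parts[0].lower().rstrip("."), parts[3].upper()
        out.append((owner, rtype, parts[-1].lower().rstrip(".")))
    return out

def records_for_dc(records, dc):
    """SRV and CNAME records pointing at one DC: what to ask DNS to remove on demotion."""
    dc = dc.lower().rstrip(".")
    return sorted((o, t) for o, t, tgt in records if t in ("SRV", "CNAME") and tgt == dc)

def missing_dcs(records, expected_dcs):
    """Registered DCs with no SRV record in the files sent (campus DNS would be incomplete)."""
    seen = {tgt for _, t, tgt in records if t == "SRV"}
    wanted = [d.lower().rstrip(".") for d in expected_dcs]
    return sorted(d for d in wanted if d not in seen)

def foreign_owners(records, domain):
    """Record owners outside your domain: a sign a file came from another domain's DC."""
    domain = domain.lower().rstrip(".")
    return sorted({o for o, _, _ in records if o != domain and not o.endswith("." + domain)})

if __name__ == "__main__":
    recs = parse_records(SAMPLE_BERT) + parse_records(SAMPLE_ERNIE)
    dcs = ["bert.xyz.washington.edu", "ernie.xyz.washington.edu", "bigbird.xyz.washington.edu"]
    print("DCs with no records in the files sent:", missing_dcs(recs, dcs))
    print("Owners outside the domain:", foreign_owners(recs, "xyz.washington.edu"))
    for owner, rtype in records_for_dc(recs, "bert.xyz.washington.edu"):
        print(f"remove {rtype:5} {owner}")
```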
There is documentation available for Windows at the UW.
For help with a Windows domain that you administer or for general help with Windows at the UW, please send mail to firstname.lastname@example.org.
Please note that UW-IT can only provide support for the services that it offers and can only respond to specific questions.