2003 Branch Office Deployment Guide

The 2003 version of the Branch Office Deployment Guide (BODG) is brilliant. It takes you through an entire large-scale Active Directory deployment that you can set up in a lab. It has step-by-step instructions along the way, which leave you with a fully functional and reasonably complex AD playpen when you are finished.

So, what better place to start?

When I bring out the 2003 BODG during an ADRAP (Active Directory Health and Risk Assessment Program), the most common comment I get is that it's too old to be useful. This is definitely not true. The techniques in the guide are still valid today; Windows 2008 and 2008 R2 build on the topics from the 2003 guide, so it is a great place to start MCM preparation.

You can download the guide here: https://www.microsoft.com/DOWNLOADS/en/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en

The key study notes from the guide are:

Use Ultrasound to monitor FRS: https://www.microsoft.com/downloads/en/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&DisplayLang=en

DNS Tombstone Lifetime: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters - DWORD - DsTombstoneInterval (15 days in seconds is 1296000). * This DNS tombstone value should not be confused with the directory tombstone lifetime attribute (tombstoneLifetime) stored in the Configuration partition > Services > Windows NT > Directory Service.

DCDIAG - DCPROMO test: Check if the server's DNS configuration is ready to be a DC. "dcdiag /test:dcpromo /DnsDomain:corp.contoso.com /ReplicaDC"

Configure the PDC to point to a valid time source using NTP (rest of the domain will use NT5DS): "w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual" then "w32tm /config /update" to apply the change.

Disabling Automatic Site Coverage: Computer Configuration > Admin Templates > System > Netlogon > DC locator DNS Records > Automated Site Coverage by the DC Locator DNS SRV Records > Disabled.

Modify Site Options using repadmin: "repadmin /siteoptions /site:Data-Centre-Site +is_redundant_server_topology_enabled +is_topl_detect_stale_disabled". In the guide we enable the two options: one so that if the KCC detects a failed link it stops creating extra connection objects, and the other so we can balance bridgehead load more evenly. You can view the options on a site object using "repadmin /siteoptions /site:Data-Centre-Site".

Adding the first child domain tip: remember to delegate the new zone out to the domain controller for the new domain even before it is promoted. This has the advantage that when you are doing the dcpromo on the first DC in the child domain, you can have the DC pointing to a valid DNS server for the forest; then, when the time comes, dcpromo will prompt to install and configure DNS.

Verify Global Catalog is ready: check for event 1119 in the Directory Service Log

Extra FRS Logging: HKLM\SYSTEM\CurrentControlSet\Services\ntfrs\Parameters
- Debug Log File, string, c:\frslogging
- Debug Log Severity, DWORD, 4
- Debug Log Files, DWORD, 300 (decimal)
- Debug Maximum Log Messages, DWORD, 100000

ADLB.exe - can help with bridgehead load balancing during the initial large-scale deployment. Run it once a day as a scheduled task until the environment is deployed. Use the script associated with the .exe in the BODG files.

Automatic Name Server Registration - in the BODG we choose which servers will register themselves as name servers. Use DNSCMD.exe to do it. The example is: "dnscmd.exe HUBDC1 /config branches.corp.contoso.com /AllowNSRecordsAutoCreation 10.0.0.10 10.0.0.11 10.0.0.12 10.0.0.13 10.0.0.14"

Configuring the DirectoryPartitionAutoEnlistInterval: There is a registry value you can use in your domain controller builds that tells the DC to enlist for application partitions sooner. The default is 24 hours, so to cut that back and reduce the time before a DC is ready, we can change the interval using the key: HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters - new DWORD value - DirectoryPartitionAutoEnlistInterval. The value is in seconds, so to set it to 30 minutes you would choose decimal and then enter 1800.
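A read-only check of the registry values listed in these notes, as an added example (not code from the BODG or from this post): it reports, for one DC, whether each value matches the number quoted above. The variable names and report columns are illustrative assumptions; the expected values are the ones from the notes.

```powershell
# Added example: audit a DC build against the registry values in these notes.
# Read-only. Run in an elevated PowerShell session on the domain controller.
$dns = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$frs = 'HKLM:\SYSTEM\CurrentControlSet\Services\ntfrs\Parameters'

# Expected values are exactly the ones quoted in the notes above.
$expected = @(
    @{ Path = $dns; Name = 'DsTombstoneInterval';                  Value = 1296000 }  # 15 days in seconds
    @{ Path = $dns; Name = 'DirectoryPartitionAutoEnlistInterval'; Value = 1800 }     # 30 minutes in seconds
    @{ Path = $frs; Name = 'Debug Log File';                       Value = 'c:\frslogging' }
    @{ Path = $frs; Name = 'Debug Log Severity';                   Value = 4 }
    @{ Path = $frs; Name = 'Debug Log Files';                      Value = 300 }
    @{ Path = $frs; Name = 'Debug Maximum Log Messages';           Value = 100000 }
)

$report = foreach ($item in $expected) {
    $actual = $null
    $key = Get-Item -LiteralPath $item.Path -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        $state = 'KeyMissing'      # service not installed on this machine
    } elseif ($key.GetValueNames() -notcontains $item.Name) {
        $state = 'NotSet'          # value absent, so the built-in default applies
    } else {
        $actual = $key.GetValue($item.Name)
        # Compare as strings so DWORD and string values share one code path.
        $state = if ("$actual" -eq "$($item.Value)") { 'Match' } else { 'Differs' }
    }
    [pscustomobject]@{
        Key      = $item.Path
        Value    = $item.Name
        Expected = $item.Value
        Actual   = $actual
        State    = $state
    }
}

$report | Format-Table -AutoSize

# Summarise drift so the script can be used as a build check.
$drift = @($report | Where-Object { $_.State -ne 'Match' })
Write-Output ("{0} of {1} values differ from the notes." -f $drift.Count, $report.Count)
```

A `NotSet` result is not an error in itself: it only means the DC is running with the default for that value, which may be the intended choice.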

* The notes should not be used on their own; each of the settings has pros and cons that are discussed thoroughly in the guide. This information is designed to be a shortcut for those who have already read the guide.