4. Configuring the Second and Subsequent Domain Controllers

Carry out the following operations on the server you are adding to the domain unless stated otherwise. As before, skip any steps you have already carried out.

Check TCP/IP configuration
  • On the second domain controller, open the TCP/IP properties of the network connection and delete any DNS server entries. Instead, enter the address of the existing Windows DNS server (usually your first domain controller), so that dcpromo can find the domain through Active Directory-integrated DNS rather than through the central resolvers.
Install Active Directory
  • Use dcpromo to install Active Directory adding the server as a new server in an existing domain.
  • This time you should not be prompted about DNS on 2000 or 2003. Again, 2008 may refuse to install DNS; this is fine and does not prevent Active Directory Domain Services from being installed. On 2008 Server Core, use InstallDNS=No in an answer file, or /InstallDNS:No as a command-line switch to dcpromo, to stop DNS from being installed.
Install the DNS Service
  • If necessary, use [Add/Remove Programs] (Windows Components/Networking Services) or the Configure your Server wizard to install the DNS service. For 2008 Server Core use start /w ocsetup DNS-Server-Core-Role (the component name is case-sensitive).
  • Since you have configured DNS to use Active Directory-integrated zones, you don't need to configure the zones again as they will be replicated automatically (although this can take a while).
Check that the Zones have replicated
  • Open the DNS management program and check that the entries shown below are visible. Strictly, only the domain zone and (in a 2003 or later forest) _msdcs are separate zones; the rest are subdomains inside the domain zone, but they all appear as folders in the tool. For 2008 Server Core, use DNSCMD or remote management. It may take a while for them to appear.
    • _tcp.unitDNSname.ox.ac.uk
    • _udp.unitDNSname.ox.ac.uk
    • _sites.unitDNSname.ox.ac.uk
    • _msdcs.unitDNSname.ox.ac.uk
    • DomainDnsZones.unitDNSname.ox.ac.uk
    • ForestDnsZones.unitDNSname.ox.ac.uk
Configure Forwarders
  • Configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. This is recommended for security reasons (the domain controller never recurses to the Internet itself) and also speeds up queries for information in the ox.ac.uk domain. Configure this via the Forwarders tab in the [Properties] of the server object in the DNS management tool. Make sure there is an entry for All other DNS domains and add the addresses for each of the DNS Caching Resolvers to the forwarders list for this entry. Also stop the server falling back to root hints when the resolvers do not answer: on 2003 tick Do not use recursion for this domain, and on 2008 untick Use root hints if no forwarders are available.
Configure delegations from the central DNS servers
  • You can register up to two servers centrally. If this is the second server in the domain, use the [change Active Directory server definitions] using the Interface for Host Updates page, linked from the OUCS DNS page to register this server. You need to include the unitname part (e.g. oucsserver1.oucs, bncw2k1.bnc).
Update TCP/IP configuration
  • Open the TCP/IP properties of the network connection and add this server's own IP address to the list of DNS servers. Ensure it is at the top of the list. You can use 127.0.0.1 as the address, although some of the diagnostic tools report an error if you use this address and do not if you use the real address of the server. Do not remove the addresses of any other Windows DNS server from the list, but it is a good idea to remove any of the central Computing Services servers.
Register and check records
  • Take a look in the file C:\Windows\System32\Config\netlogon.dns and compare the entries with the entries in the DNS management tool.
Run tests to check for errors
  • Check the event logs for errors. Expect to see 5774, where Netlogon complains that it cannot register all of its records. The problem is the host (A) record for the domain itself. You can suppress this by adding a multi-string (REG_MULTI_SZ) value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key, with the data value LdapIpAddress, then restarting the Netlogon service so the new value is read. See Restrict the DNS resource records that are updated by Netlogon. This may not be supported on Windows 2000, only 2003 upwards.
  • Run netdiag /v /test:dns and dcdiag /v /test:dns using the Support Tools included on the Windows Server CD to check that everything looks good. dcdiag /test:dns needs the 2003 SP1 Support Tools or later and does not work on 2000; on 2008 dcdiag is built in and netdiag is no longer provided.
Update other domain controllers
  • On any other domain controllers, open the TCP/IP properties of the network connection and add the IP address of your new domain controller/DNS server to the list of servers. Always make sure that DNS servers have their own address first in the list, but then do include the addresses of the other Windows DNS servers in the list. If you don't, it can result in slow (5 to 10 minute) boot times on later versions of Windows Server.
Configure Firewalls and Clients
  • Refer to the other sections in this document for details on updating the configuration of perimeter firewalls and clients.
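The following script is an added example and is not part of the OUCS page; it works through the steps above on a Windows Server 2008 domain controller using the tools of that era (netsh, dnscmd, nltest, dcdiag and the registry) from an elevated PowerShell prompt. The domain name, adapter name and every IP address are assumed placeholders that you must replace with your own, and the zone and subdomain checks rely on dnscmd returning a non-zero exit code when a name does not exist yet. On 2008 Server Core (which has no PowerShell) the same netsh, dnscmd and nltest commands can be typed at the cmd prompt.

```powershell
# Added example (not from the OUCS page). Configures DNS on a second domain controller
# using the era's command-line tools. ALL values below are ASSUMED placeholders.
# Run from an elevated PowerShell prompt on the new domain controller.

$Domain    = 'unit.ox.ac.uk'               # assumed: your unitDNSname.ox.ac.uk
$Adapter   = 'Local Area Connection'       # assumed: name of this server's network connection
$ThisDc    = '192.0.2.10'                  # assumed: this server's own address (real address, not 127.0.0.1,
                                           #          so the diagnostic tools do not complain)
$OtherDcs  = @('192.0.2.11')               # assumed: the existing Windows DNS server(s), e.g. the first DC
$Resolvers = @('192.0.2.53', '192.0.2.54') # assumed: addresses of the DNS Caching Resolvers

# --- Update TCP/IP configuration: own address first, other Windows DNS servers after it ---
# ("netsh interface ipv4" is the Vista/2008 syntax; 2003 uses "netsh interface ip set dns".)
netsh interface ipv4 set dnsservers name="$Adapter" source=static address=$ThisDc register=primary
$index = 2
foreach ($dc in $OtherDcs) {
    netsh interface ipv4 add dnsservers name="$Adapter" address=$dc index=$index
    $index++
}

# --- Check that the Active Directory-integrated zones have replicated to this server ---
# _msdcs.<domain> is a separate zone in a forest created on 2003 or later; in a forest created
# on 2000 it is only a subdomain of the domain zone, so expect a warning for it there.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    dnscmd 127.0.0.1 /ZoneInfo $zone | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Zone $zone has not replicated yet; wait and re-run" }
}
# The remaining names are subdomains (folders) inside the domain zone.
foreach ($sub in @('_tcp', '_udp', '_sites', 'DomainDnsZones', 'ForestDnsZones')) {
    dnscmd 127.0.0.1 /EnumRecords $Domain $sub | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "$sub.$Domain is not visible yet" }
}

# --- Configure forwarders: everything not held locally goes to the caching resolvers ---
# /Slave stops the server falling back to root hints (recursing to the Internet itself)
# when the forwarders do not answer, which is the security point of forwarding.
dnscmd 127.0.0.1 /ResetForwarders $Resolvers /Slave

# --- Suppress registration of the domain's host (A) record that causes event 5774 ---
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $netlogonKey -Name 'DnsAvoidRegisterRecords' `
    -PropertyType MultiString -Value @('LdapIpAddress') -Force | Out-Null
Restart-Service -Name Netlogon     # the value is read when Netlogon starts
nltest /dsregdns                   # re-register the remaining DC records straight away

# --- Register and check records: compare netlogon.dns with a live DC locator lookup ---
$netlogonDns = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'
$expected = @(Get-Content $netlogonDns | Where-Object { $_ -match '\sSRV\s' })
Write-Host ("netlogon.dns lists {0} SRV records for this server" -f $expected.Count)
nltest "/dsgetdc:$Domain" /force   # must find a DC via DNS once the records are in place

# --- Run tests to check for errors ---
dcdiag /test:dns /v
# Any 5774 still logged after the registry change and Netlogon restart needs looking at:
Get-EventLog -LogName System -Source NETLOGON -Newest 200 |
    Where-Object { $_.EventID -eq 5774 } |
    Format-Table TimeGenerated, Message -AutoSize -Wrap
```

Run it once, wait for replication if it warns about missing zones, and run it again; only the 5774 check and dcdiag output need reading by hand. The same netsh "add dnsservers" line, with the new server's address, is what you run on each existing domain controller for the Update other domain controllers step.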

Up: Contents Previous: 3. Installing and Configuring DNS on the First Domain Controller Next: 5. Multi-domain Environments