Domain Controller Hints, Tips, And Advice
1. F1 !!! Microsoft Help used to be useless, but with Windows 2000, the help files are full of useful information about configuring things, best practices, and all sorts of other topics. This is effectively your user manual for Windows 2000. Microsoft is saving you a ton of money on the OS by providing the manual in electronic form instead of shipping a huge printed manual. Plus, it is easily searchable, and updatable from the web if the need arises. If you need information on something, this is the first thing to try. You may be surprised at how much information you will find, and how helpful it is. Check Help first when any questions about the server come up. I can’t stress this one enough: make sure to use the Help, that’s what it’s there for.
2. The web is your friend. If you are having a problem, the chances are very high that someone else has run into the same issue, no matter how bizarre you may think your issue is. Since we are using a Microsoft operating system, your first place to find help is http://support.microsoft.com. This is the Microsoft Knowledge Base; articles are created when people call with problems and a solution is found. Be patient; you may have to read through several articles before finding the information you need. It is best to query on words from the exact error message that you are encountering.
If you don’t find your answer at Microsoft, do a search at http://www.google.com or http://www.ntfaq.com. These are excellent resources for finding your answers. Remember, you may not find your answer right away; it takes some time to research some issues, but more often than not, you will find your answer out on the web.
3. If you are going to be working with the Domain Security policies, be sure to read through the Microsoft White Papers on Policies. There is a ton of information to wade through, so again, be prepared to be patient and understand it may take some time to find the answer you are looking for. The link to the White Papers is http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp
Again, this is a ton of information, and if you have only a small problem with a policy, you may be better off searching the Knowledge Base or the web for your answer.
IMPORTANT!!! Currently, ARID is set up using a Domain-wide security policy that affects all users who log in. This policy is found in the Administrative Tools as “GPO Policy for ARID Domain.msc”. Most Domain-wide changes can be made here. If something goes very wrong using this particular domain policy file, a backup of the original is located on the C: drive, in a “Backup Policy Files” folder.
Be very careful before making any changes to a security policy, and make sure what you are doing is necessary. If you make the wrong choice, you can very well lock users out of the domain, or cause even bigger problems. Keep in mind that there are a lot of fun options to turn on, turn off, or change the way they work, but they are only needed if you find that not using them is causing a problem with the way things are working on the domain. Most small domains never need to change anything in the security policies.
Places we have changed in the default policy to complete some of the tasks for ARID are as follows:
Password and Account Policy – Computer Configuration/Windows Settings/Security Settings/Account Policies (Password Policy and Account Lockout Policy)
Logon Message – Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
“My Documents” Redirection – User Configuration/Windows Settings/Folder Redirection/My Documents
Internet Explorer Options – User Configuration/Administrative Templates/Windows Components/Internet Explorer
Start Menu Options (Logoff) – User Configuration/Administrative Templates/Start Menu & Taskbar
Offline File Synchronization – User Configuration/Administrative Templates/Network/Offline Files
Force Policy Refresh – User Configuration/Administrative Templates/System/Group Policy
Again!!! Don’t just play around in here because it looks fun! Be sure to know what you are doing…between the Policy White Paper, the Knowledge Base, and the “Explain” tabs in the policy properties, you should have enough information to decide whether or not you need to change anything.
4. Adding a new DNS server to the Domain is fairly simple. As long as there is another DNS server in the domain using Active Directory, all you need to remember when setting up another DNS server is to tell it to get its information from the Active Directory. For more information about DNS and its configuration, check the Help files (F1).
5. Backup. The key with backup is to make sure your backup program is Windows 2000 compatible. If you are not sure, find out. NTBackup, which comes with the system, is Windows 2000 compatible, so if possible, use it for backing up the system. It will be sure to get the important information that other non-compatible backup programs may leave behind or corrupt. Again, check the help on “backup” and you will find a treasure trove of information on this topic.
6. If something horrible and awful goes wrong, and you need to start from scratch (see point #5), here is a simplified list of the steps to setting up a Domain Controller. Informational screens that just have a “next” prompt are not listed in the steps, so if you think you are lost in the process, just use common sense.
a. At the Run prompt, type “dcpromo”
b. Choose “DC for new domain”
c. Choose “create new domain tree”
d. Choose “create a new forest of trees”
e. The full DNS name is “arid.arizona.edu”
f. The Netbios name should be “ARID”
g. Keep the default options for the AD Database and Logs
h. Keep the default options for the Sysvol folder
i. If no DNS server is found on the domain, you want to choose to install DNS
j. Choose “permissions compatible with only W2k servers”
k. Choose and confirm a password for the Administrator of the DC
l. Review your choices and if correct, click next
m. Kick back while the install proceeds, you may need the W2k CD handy
n. Click “Finish”
o. Restart the machine. It will take longer than normal as it’s now a DC
p. Set up DNS if necessary
7. This is a Server. Not a client, not a workstation. It does important things that you don’t want anyone interfering with. If possible, avoid having anyone use this machine for any type of work. Don’t install any software that is not absolutely necessary to the functioning of the machine (games, Java, favorite applets, any client-type software, file-sharing software…i.e. if it’s not included with the server install, you probably don’t need to install it on a DC). If possible, lock the DCs up in a room without a monitor, keyboard, or mouse attached, and use Terminal Server (in Remote Admin mode) to work on them. This is the best way to keep your users from inadvertently busting something.
8. Reread #5 and #7
9. Don’t delete old users, just disable them. Users are assigned a Security ID (SID) when they are created, and if you delete them and recreate them, a new SID is generated. This means you have to set up again any permissions, shares, profiles and other things you need to do when creating a user. It’s easier to disable the account and re-enable it if the user returns. If a user is only going to be using the system for a set amount of time, set the automatic disabling option in the User properties to trigger on the date they no longer need to log in. This makes sure that the account is disabled if you forget about it.
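As an added example (not part of the original notes), here is the disable-don’t-delete advice as a PowerShell script. It assumes the RSAT ActiveDirectory module, which is newer than the Windows 2000 tools described here, and account names supplied by the caller; the attributes it changes are the same ones the User properties dialog sets.

```powershell
# Added example, not from the original notes. Assumes the RSAT "ActiveDirectory"
# PowerShell module (newer than the Windows 2000 tooling described above). The
# attributes it sets (accountExpires, userAccountControl) are the same ones the
# User properties dialog changes, and nothing here deletes an account, so the
# SID and every ACL, share and profile that references it survive.
Import-Module ActiveDirectory

# Put an expiry date on a temporary user so the account stops working even if
# nobody remembers to disable it. $SamAccountName and $LastDay come from the caller.
function Set-TemporaryUserExpiry {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$LastDay
    )
    # Expire at the end of the last working day, not at 00:00 that morning.
    $expires = $LastDay.Date.AddDays(1)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime $expires
    Get-ADUser -Identity $SamAccountName -Properties AccountExpirationDate |
        Select-Object SamAccountName, Enabled, AccountExpirationDate
}

# Periodic review: accounts past their expiry date that were never disabled,
# plus those expiring within the next $WarnDays so nobody is caught by surprise.
function Get-AccountExpiryReport {
    param([int]$WarnDays = 7)
    $expired = Search-ADAccount -AccountExpired -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, AccountExpirationDate,
            @{ n = 'State'; e = { 'expired, still enabled' } }
    $soon = Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $WarnDays) -UsersOnly |
        Select-Object SamAccountName, AccountExpirationDate,
            @{ n = 'State'; e = { "expires within $WarnDays days" } }
    @($expired) + @($soon)
}

# Disable (never delete) every expired account that is still flagged enabled,
# returning the names that were changed.
function Disable-ExpiredAccounts {
    Search-ADAccount -AccountExpired -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName; $_.SamAccountName }
}

# Example session (constructed name): a contractor whose last day is 30 June.
# Set-TemporaryUserExpiry -SamAccountName 'contractor1' -LastDay '2024-06-30'
# Get-AccountExpiryReport | Format-Table -AutoSize
# Disable-ExpiredAccounts
```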
10. Antivirus is good, but remember it’s also running on the client machines. If no one is using the DC as a workstation, it’s unlikely to become infected by a virus. Due to permission settings, most AV programs cannot scan certain files and folders that are assigned to users (home directories and profile directories mainly), but don’t worry, because anything going into those folders should already have been scanned by the AV program on the client computer.
11. F1 !!! Help is useful now. Use it! Many issues that I have seen solved by tech support were actually solved using the Help option by the technician, since the Admin never bothered to check it first. Avoid a potentially costly support call by using the tools provided to you.
12. Tech calls. Yes, they can be costly. If you feel you may need to contact Microsoft for server support more than once, you may want to look into purchasing a support contract. Contact CCIT to find out if the UofA already has a support plan worked out with Microsoft, and if you are able to use that plan.
13. Licensing. I’m not an auditor, but be aware that licensing issues do exist. If you have concerns that you may be using any software that is not properly licensed, contact the manufacturer and let them know. Most companies are willing to work with you to ensure proper licensing, and won’t go straight to the Legal department if you contact them first. It’s better to pay a few extra license fees this way than get audited and have to pay a hefty fine to keep your software. Your mileage may vary.
14. F1 and http://support.microsoft.com. Use them. So far any issues we had during the setup and configuration of the network were solved using a combination of these two resources. Learn to use them.
15. Read the books! Learn what you can about this new system. As long as things are set up correctly you won’t have much hands-on administration to worry about, but the more knowledge you have about the system, the faster you will be able to solve issues that may arise in the future.
16. Don’t be scared. Although “Domain Controller” sounds big and mighty and scary, it’s not (: Use common sense, and don’t panic when things don’t work correctly the first time. Research the issue, and only make changes when you feel confident you have enough understanding of the task at hand. If you are not sure about something, ask another admin, check the web, or back up before making changes.
17. Event Viewer. Periodically check the Event Viewer (from Computer Management) to ensure that nothing strange is happening. Yellow warning symbols are often just informational, and not something to panic at. Red error symbols are a little more important, but don’t necessarily mean that something major is broken. You can look up most warning messages in the Knowledge Base and get more information about what they mean. Know that if a warning is caused by third-party software, you might not get much information on it from Microsoft.
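As an added example (not part of the original notes), a PowerShell triage script for that periodic Event Viewer check. It assumes Windows PowerShell’s Get-EventLog cmdlet and the classic System, Application, Directory Service and DNS Server logs a domain controller keeps; the log names and time window are the caller’s choice.

```powershell
# Added example, not from the original notes. Assumes Windows PowerShell's
# Get-EventLog cmdlet and the classic event logs a domain controller keeps;
# $LogNames and $Hours are the caller's choice.
function Get-EventTriage {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$LogNames = @('System', 'Application', 'Directory Service', 'DNS Server')
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $LogNames) {
        try {
            # Only Error and Warning entries; the "Information" noise is skipped.
            $entries = Get-EventLog -LogName $log -ComputerName $ComputerName `
                -EntryType Error, Warning -After $since -ErrorAction Stop
        } catch {
            # An empty result is reported by Get-EventLog as "No matches found";
            # anything else (missing log, access denied) is worth a warning.
            if ($_.Exception.Message -notmatch 'No matches found') {
                Write-Warning "Could not read log '$log' on ${ComputerName}: $_"
            }
            continue
        }
        # Collapse repeats: one row per Source/EventID with a count and the first
        # line of the newest message, which is what you paste into the KB search.
        $entries | Group-Object Source, EventID, EntryType | ForEach-Object {
            $newest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Log       = $log
                EntryType = $newest.EntryType
                Source    = $newest.Source
                EventID   = $newest.EventID
                Count     = $_.Count
                LastSeen  = $newest.TimeGenerated
                Message   = ($newest.Message -split "`r?`n")[0]
            }
        }
    }
}

# Errors before warnings, most frequent first; look the Source + EventID pairs up in the KB.
Get-EventTriage -Hours 24 |
    Sort-Object @{ Expression = 'EntryType' }, @{ Expression = 'Count'; Descending = $true } |
    Format-Table -AutoSize
```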
18. Patches. Make sure to get any critical updates and service packs. Normal updates that are not absolutely necessary to the function of the domain controller can be ignored if you choose (DirectX, Media Player, etc.)