
Saturday, August 20, 2011

Step-by-Step How to Create a Stub Zone in Windows Server 2008 R2

What is a stub zone?
Stub zones are a way for different DNS servers from different domains to communicate DNS information to each other.  Technically speaking, a stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative DNS servers for that zone.  When someone wants a resource on another DNS namespace, the user first queries his or her specified DNS server.  If the DNS server (or any other DNS server on the domain) cannot resolve the query, the server sends its own query to the name servers specified by the stub zone.
Why are stub zones important?
Before a trust between two different domains in two different forests can be established, DNS must be configured between domains.  Stub zones provide one solution for that.
How do I create a stub zone?
The following tutorial will show you how to create a stub zone in Windows Server 2008 R2.  In this tutorial I will reference three different servers on two different domains.  All of the servers are Windows Server 2008 R2 with the Active Directory Domain Services role and the DNS Server role.  Servers test1 and wg-dc2-2k8 are on the domain wgtesting.com.  The server called dc1 is on the domain trusttest.com.
1. Log onto the first DNS server.  Open the Server Manager administration tool and expand Forward Lookup Zones under DNS.  For this tutorial test1 will be the first DNS server.
  
2. Right click inside of the Forward Lookup Zones area and select New Zone.

3.  The New Zone Wizard will appear.  Select Next.

4.  A list of zone types will appear.  Select Stub Zone and then select Next.  The option to store the stub zone in Active Directory is only available if the DNS server is also a writable domain controller; test1 is a writable domain controller as well as a DNS server.  Storing the zone in Active Directory is useful for replicating the stub zone to other domain controllers in your network.

5.  The next screen of the wizard asks how Active Directory will replicate the zone throughout your network.  You can select whether to replicate the zone to all domain controllers in the forest or only to the domain controllers in this domain.  If you did not select Store the zone in Active Directory in the previous step, this step will not appear; instead you go straight to step 6.  Select an option and then select Next.

6.  Here you specify a zone name.  The name should simply be the name of the other domain you will be creating the stub zone for.  Select Next after specifying a zone name.

7.  In this step, you would specify the IP of the DNS server or servers from which you want to load the zone.  The option Use the above servers to create a local list of master servers allows you to get a list of all other DNS servers.  In other words, you do not have to put in the IP of every DNS server on the other domain as long as the one DNS server you specify here has a record of the other DNS servers.  After specifying the IP of at least one DNS server on the other domain, select Next.

8.  This is the last page of the New Zone Wizard.  Verify your settings and select Finish.

9.  Here you can see the contents of the stub zone.  It simply contains the SOA (Start of authority) record, NS (name server) resource records, and the glue A resource records for the delegated zone.

That wraps it up.  Creating a stub zone is a fairly straightforward process and can be the prerequisite to creating a trust between domains.  Here are a few other things to look for after creating the stub zone.
Here I have logged onto the second domain controller/DNS server, wg-dc2-2k8, on the wgtesting.com domain.  Because I selected the option for the stub zone to be stored in active directory in step 4, the zone was replicated from test1 to this server since they are both on the wgtesting.com domain.

For the purpose of later creating a trust, go ahead and create a stub zone on the other domain.  Repeat steps 1-9 on the other domain’s DNS server.  In this case, the server is dc1 on the domain trusttest.com.
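The same nine steps done from the command line, as an added example that is not part of the original post. It uses dnscmd.exe (installed with the DNS Server role on Windows Server 2008 R2; the Add-DnsServerStubZone cmdlet only exists from Windows Server 2012 on) and then runs the checks you want before attempting the trust: the stub holds only SOA/NS/glue records, the other domain's name servers resolve, the DC locator can find a DC in the other domain, and the AD-integrated zone has replicated to wg-dc2-2k8. The master IP address is a placeholder.

```powershell
# Added example (not from the original post): create and verify the stub zone with dnscmd.
# Run on test1 (writable DC + DNS server in wgtesting.com). Placeholder values are marked.
$RemoteDomain  = 'trusttest.com'
$RemoteMasters = '192.0.2.10'      # placeholder: IP address of dc1, the DNS server in trusttest.com
$SecondLocalDC = 'wg-dc2-2k8'      # second DC/DNS server in wgtesting.com (named in the post)

# Steps 4-7 equivalent: an AD-integrated stub zone (/DsStub) for the other domain,
# replicated to every DC in this domain (/DP /domain; use /DP /forest for the whole forest).
# A server that is not a writable DC would use /Stub instead, which creates a file-backed zone.
dnscmd /ZoneAdd $RemoteDomain /DsStub $RemoteMasters /DP /domain
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed with exit code $LASTEXITCODE" }

# Step 9 equivalent: a stub zone should contain only the SOA, NS and glue A records.
dnscmd /ZoneInfo $RemoteDomain
dnscmd /EnumRecords $RemoteDomain '@'

# Check 1: the other domain's name servers now resolve through the stub zone.
$ns = nslookup -type=NS $RemoteDomain 2>&1
if ($ns -match "can't find|Non-existent domain") {
    throw "NS lookup for $RemoteDomain failed; check the master IP and that dc1 answers queries"
}

# Check 2: the DC locator (what the trust wizard relies on) finds a DC in the other domain.
$dc = nltest /dsgetdc:$RemoteDomain /force 2>&1
if ($dc -notmatch 'The command completed successfully') {
    throw "nltest could not locate a domain controller for $RemoteDomain"
}

# Check 3: because the zone is stored in AD, it should appear on the second DC after
# replication. Push replication rather than waiting for the schedule.
repadmin /syncall /AdeP | Out-Null
$zones = dnscmd $SecondLocalDC /EnumZones
if (-not ($zones -match [regex]::Escape($RemoteDomain))) {
    Write-Warning "$RemoteDomain not yet listed on $SecondLocalDC; re-check after replication"
}

# Then repeat on dc1 in trusttest.com with the roles reversed:
#   dnscmd /ZoneAdd wgtesting.com /DsStub <IP of test1> /DP /domain
```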

Windows Server 2008 Service Packs

Edition                    SP1           SP2
Windows Server 2008 x86    Built-in      SP2
Windows Server 2008 x64    Built-in      SP2
Windows Server 2008 ia64   Built-in      SP2


In-Place Upgrade from Windows Server 2003 Domain Controller to Windows Server 2008

Introduction
I have been using Windows Server 2003 for years and I believe it's time to shift and try Windows Server 2008. I have downloaded RC0 and decided to upgrade my Domain Controller, which is also a DNS and DHCP server, to Windows Server 2008 Standard Edition RC0. In this article, I will show you step by step how to perform an in-place upgrade of a Domain Controller from Windows Server 2003 to Windows Server 2008 RC0.


Note: This article was written when Windows Server 2008 was still RC0. Changes might occur later once the product is RTM'd
Upgrade Steps
  1. On your Windows Server 2003 DC, insert the Windows Server 2008 DVD, open a command prompt and change to the adprep directory on the DVD. In my case the DVD drive letter is F, so the command is: cd f:\sources\adprep. Then run the following commands:
  • adprep /forestprep
  • adprep /domainprep
  • adprep /rodcprep (optional, if you plan to add a Read-Only Domain Controller later)
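The adprep step with the checks worth doing around it, as an added example that is not from the original article. adprep /forestprep must be run on the schema master and adprep /domainprep on the infrastructure master, and a successful forestprep raises the schema objectVersion from 30 (Windows Server 2003) or 31 (2003 R2) to 44 (Windows Server 2008). The script reads the role owners and the schema version over ADSI, refuses to run adprep on the wrong DC, and confirms the version afterwards. It assumes Windows PowerShell is installed on the Windows Server 2003 DC and that F: is the DVD drive, as in the article.

```powershell
# Added example (not from the original article). Assumes PowerShell on the 2003 DC
# and the Windows Server 2008 DVD in F:, as in the article.
$Adprep = 'F:\sources\adprep\adprep.exe'

$rootDse   = [ADSI]'LDAP://RootDSE'
$schemaNC  = [string]$rootDse.schemaNamingContext
$defaultNC = [string]$rootDse.defaultNamingContext
$thisDC    = $env:COMPUTERNAME

# fSMORoleOwner holds the DN of the owner's NTDS Settings object,
# e.g. CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site,... ; pull out the server name.
function Get-RoleOwnerName([string]$ownerDn) {
    if ($ownerDn -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    throw "Unexpected fSMORoleOwner value: $ownerDn"
}
$schemaMaster = Get-RoleOwnerName ([string]([ADSI]"LDAP://$schemaNC").fSMORoleOwner)
$infraMaster  = Get-RoleOwnerName ([string]([ADSI]"LDAP://CN=Infrastructure,$defaultNC").fSMORoleOwner)

# Record the schema version before starting (30 = Windows Server 2003, 31 = 2003 R2).
[int]$before = [string]([ADSI]"LDAP://$schemaNC").objectVersion
Write-Host "Schema master: $schemaMaster  Infrastructure master: $infraMaster  objectVersion: $before"

# adprep /forestprep only runs on the schema master; it also asks for confirmation
# ("type C and press ENTER"), so the answer is piped in.
if ($schemaMaster -ne $thisDC) { throw "Run adprep /forestprep on $schemaMaster, not $thisDC" }
'C' | & $Adprep /forestprep
if ($LASTEXITCODE -ne 0) { throw "adprep /forestprep failed ($LASTEXITCODE); see adprep.log" }

# adprep /domainprep only runs on the infrastructure master of the domain.
if ($infraMaster -ne $thisDC) { throw "Run adprep /domainprep on $infraMaster, not $thisDC" }
& $Adprep /domainprep
if ($LASTEXITCODE -ne 0) { throw "adprep /domainprep failed ($LASTEXITCODE); see adprep.log" }

# Optional, only if an RODC will be added later (as the article notes):
# & $Adprep /rodcprep

# Windows Server 2008 forestprep raises the schema to objectVersion 44.
[int]$after = [string]([ADSI]"LDAP://$schemaNC").objectVersion
if ($after -lt 44) { throw "Schema is still at objectVersion $after; forestprep did not complete" }
Write-Host "Schema raised from $before to $after; let it replicate to all DCs before starting Setup"
```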





  2. If the Install Windows page did not auto-run before the previous step, double-click the DVD drive into which you inserted the Windows Server 2008 DVD, then click Install now.

  3. A Please wait screen follows, then a page asking whether to go online and get the latest updates for installation, or to skip that by clicking Do not get the latest updates for installation.



    I will perform the updates later, so for the purpose of this article, I will click on Do not get the latest updates for installation


  4. Enter the product key and click Next

  5. Accept the license terms and click Next



  6. What we need to do is upgrade our server, so click the Upgrade option


  7. The compatibility report will be displayed, telling you what hardware might not function once the upgrade is completed, and reminding you to check with software vendors whether their software is compatible with Windows Server 2008. Click Next


  8. The upgrade is now in progress


  9. The server will be restarted automatically several times, and the upgrade process will continue with the remaining operations:
    • Expanding Files
    • Installing Features and updates
    • Completing Upgrade
  10. After multiple restarts, the upgrade process will be completed and you will be able to start using your Windows Server 2008.
Summary
In this article, I showed you how to do an in-place upgrade of a Windows Server 2003 Domain Controller to Windows Server 2008. The steps are easy and straightforward; just make sure, while reading the compatibility report, that the hardware and software installed on your server are compatible with Windows Server 2008.

Unattended Installation of Active Directory Domain Services

Introduction
Unattended installation means no user interaction, and that is exactly what we are going to do in this article: we are going to set up our first domain controller without going through Server Manager or the Active Directory Domain Services Installation Wizard that follows executing the dcpromo command.


Note: This article was written when Windows Server 2008 was still RC1. Changes might occur later once the product is RTM'd
In a previous article, Setting Up Your First Domain Controller With Windows Server 2008, we set up a domain controller by executing the dcpromo command and then going through the Active Directory Domain Services Installation Wizard. At the end of the wizard, on the Summary page, you can click Export settings to save the settings that you specified in the wizard to an answer file. You can then use the answer file to automate subsequent installations of Active Directory Domain Services (AD DS).
The answer file is a plain text file with a [DCInstall] header. The answer file provides answers to the questions that are asked by the Active Directory Domain Services Installation Wizard. Using the answer file eliminates the need for an administrator to interact with the wizard. The Active Directory Domain Services Installation Wizard adds text to the answer file that explains how to use it, such as how to invoke it with the dcpromo command and which settings must be updated to use it.

To use an answer file to install AD DS, type the following command at a command prompt, and then press ENTER:
dcpromo /answer[:filename]
or
dcpromo /unattend[:filename]
where filename is the name of your answer file.
The answer file to set up a new forest would look like this :
; DCPROMO unattended file
; Usage:
; dcpromo.exe /unattend:C:\answer_file.txt
; or dcpromo.exe /answer:\answer_file.txt
;
[DCInstall]
; New forest promotion
ReplicaOrNewDomain=Domain
NewDomain=Forest                   
NewDomainDNSName=elmajdal.net
ForestLevel=3
DomainNetbiosName=ELMAJDAL
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=MyPassword23$
; Run-time flags (optional)
; RebootOnCompletion=Yes
Make sure that you adjust it to the configuration that you need, for example:
  • NewDomainDNSName=elmajdal.net: replace elmajdal.net with the domain name you want.
  • ForestLevel=3: this means the Forest Functional Level will be set to Windows Server 2008; to set it to Windows Server 2003, use 2, and for Windows 2000 Server use 1.
  • DomainNetbiosName=ELMAJDAL: this is the NetBIOS name of my domain elmajdal.net; replace it with your domain's NetBIOS name.
  • DomainLevel=3: this means the Domain Functional Level will be set to Windows Server 2008; to set it to Windows Server 2003, use 2, and for Windows 2000 Server use 1.
  • InstallDNS=Yes: the DNS Server service will be installed on your DC; if you do not wish to set up your DC as a DNS server as well, set it to No.
  • DatabasePath="C:\Windows\NTDS"
    LogPath="C:\Windows\NTDS"
    SYSVOLPath="C:\Windows\SYSVOL"
    Either change the path where each of the above will be stored or keep the defaults.
  • SafeModeAdminPassword=MyPassword23$: the password must meet the password complexity requirements of the password policy, that is, a password that contains a combination of uppercase and lowercase letters, numbers, and symbols.
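Because the answer file carries the Directory Services Restore Mode password in clear text, it deserves a check before use and a cleanup afterwards. The script below is an added example, not part of the original article: it parses the [DCInstall] section, verifies the keys the article tells you to customize (including the complexity rule the article states for SafeModeAdminPassword and the 1/2/3 values for ForestLevel and DomainLevel), restricts the file's ACL, runs dcpromo /unattend as in step 1, and deletes the file. The path C:\answer_file.txt is the one used in the article.

```powershell
# Added example (not from the original article): validate, use and then remove a
# dcpromo answer file. Assumes the file path used in the article.
$AnswerFile = 'C:\answer_file.txt'

# Parse the [DCInstall] section: key=value lines, ';' lines are comments.
function Read-DcInstall([string]$path) {
    $settings = @{}; $inSection = $false
    foreach ($line in Get-Content $path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'DCInstall'); continue }
        if ($inSection -and $t -match '^([^=]+)=(.*)$') { $settings[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $settings
}

# The complexity rule as the article states it: upper case, lower case, a digit and a symbol.
function Test-DsrmPassword([string]$pw) {
    return ($pw -cmatch '[A-Z]') -and ($pw -cmatch '[a-z]') -and ($pw -match '[0-9]') -and ($pw -match '[^A-Za-z0-9]')
}

$s = Read-DcInstall $AnswerFile
foreach ($k in 'ReplicaOrNewDomain','NewDomain','NewDomainDNSName','DomainNetbiosName','SafeModeAdminPassword') {
    if (-not $s.ContainsKey($k)) { throw "$AnswerFile is missing $k" }
}
if ($s['NewDomainDNSName'] -eq 'elmajdal.net') { Write-Warning 'NewDomainDNSName still has the sample value from the article' }
if (-not (Test-DsrmPassword $s['SafeModeAdminPassword'])) { throw 'SafeModeAdminPassword does not meet the complexity rule' }
foreach ($k in 'ForestLevel','DomainLevel') {
    if ($s.ContainsKey($k) -and (('1','2','3') -notcontains $s[$k])) { throw "$k must be 1 (2000), 2 (2003) or 3 (2008)" }
}

# While the file exists, only Administrators and SYSTEM should be able to read it.
icacls $AnswerFile /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

try {
    # Step 1 of the article: the unattended promotion itself.
    & "$env:SystemRoot\System32\dcpromo.exe" /unattend:$AnswerFile
    # dcpromo reports success with exit codes 1 to 4 (with or without a pending reboot);
    # anything else is a failure that is explained in %SystemRoot%\debug\dcpromo.log.
    if ($LASTEXITCODE -lt 1 -or $LASTEXITCODE -gt 4) {
        Write-Warning "dcpromo exited with $LASTEXITCODE; check $env:SystemRoot\debug\dcpromo.log"
    }
} finally {
    # Do not leave the DSRM password on disk. If RebootOnCompletion=Yes reboots the
    # server before this runs, delete the file by hand once it is back up.
    Remove-Item $AnswerFile -Force
}
```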
Now that you have customized the answer file, let's run it and enjoy a cup of coffee while the server is being set up as our first Domain Controller.
  1. Run the answer file. I saved the answer file in the C: drive, so I will run it using: dcpromo.exe /unattend:C:\answer_file.txt



  2. The installation of AD DS starts by checking whether the Active Directory Domain Services binaries are installed



  3. The system checks whether the Active Directory Domain Services (AD DS) binaries are installed and, if not, installs them. The binaries may already be installed if you ran the dcpromo command previously and canceled the operation after the binaries were installed.



  4. Validating the environment and parameters



  5. The DNS installation starts, as we have InstallDNS=Yes in the answer file



  6. When the DNS Server service installation is completed, the system checks whether the Group Policy Management Console (GPMC) is installed, and installs it if it was not found



  7. The SYSVOL folder is created, and the local computer is configured to host Active Directory Domain Services by creating the directory partitions





  8. Then the AD objects are created and the AD installation is completed



  9. A few services are configured, along with the security settings







  10. Once setup is completed, the server will automatically reboot (RebootOnCompletion=Yes)

Summary
Performing an unattended installation with an answer file is easy and needs no user interaction. Using the answer file eliminates the need for an administrator to interact with the wizard, and it can be used to automate subsequent installations of Active Directory Domain Services.
 

Setting Up an Additional Domain Controller With Windows Server 2008

Introduction
In a previous article, we set up our first Active Directory Domain Services (AD DS) domain controller using Windows Server 2008. In this article, we are going to see how to set up an Additional Domain Controller for AD DS replication.



To set up an Additional Domain Controller, I will use the dcpromo.exe command.
  1. To use the command, click Start > Run, type dcpromo and click OK



  2. The system checks whether the Active Directory Domain Services (AD DS) binaries are installed and, if not, installs them. The binaries may already be installed if you ran the dcpromo command previously and canceled the operation after the binaries were installed.

                            

  3. The Active Directory Domain Services Installation Wizard starts. Either select the Use advanced mode installation check box and click Next, or leave it cleared and click Next


    The following table lists the additional wizard pages that appear for each deployment configuration when you select the Use advanced mode installation check box.

    Deployment configuration: New forest
      Advanced mode installation wizard pages: Domain NetBIOS name

    Deployment configuration: New domain in an existing forest
      Advanced mode installation wizard pages: On the Choose a Deployment Configuration page, the option to create a new domain tree appears only in advanced mode installation; Domain NetBIOS name; Source Domain Controller

    Deployment configuration: Additional domain controller in an existing domain
      Advanced mode installation wizard pages: Install from Media; Source Domain Controller; Specify Password Replication Policy (for RODC installation only)

    Deployment configuration: Create an account for a read-only domain controller (RODC) installation
      Advanced mode installation wizard pages: Specify Password Replication Policy

    Deployment configuration: Attach a server to an account for an RODC installation
      Advanced mode installation wizard pages: Install from Media; Source Domain Controller

  4. The Operating System Compatibility page is displayed; take a moment to read it and click Next



  5. On the Choose a Deployment Configuration page, click Existing forest, click Add a domain controller to an existing domain, and then click Next.



  6. On the Network Credentials page, type your domain name. My domain name is elmajdal.net (set in the previous article), so I will type elmajdal.net.



  7. To set up an Additional Domain Controller, you need an account that is a member of either the Enterprise Admins group or the Domain Admins group. We have two options:
  • My Current logged on credentials ( DomainName\Username or MachineName\Username)
  • Alternate credentials

  • If you have previously joined this server to the domain and you are currently logged on to it with an Enterprise Admin/Domain Admin user, you can use the first option (My current logged on credentials). As you can see, this option is grayed out here, and the reason is shown below it: I am currently logged on with a local user, and the machine is not a domain member. That leaves the second option: Alternate credentials
  8. To enter the alternate credentials, click Set. In the Windows Security dialog box, enter the user name and password of an account that is a member of either the Enterprise Admins group or the Domain Admins group, then click Next.





    If you have entered a wrong user name or password, you will receive the following error message



  9. On the Select a Domain page, select the domain of the Additional Domain Controller and click Next. As I have only one domain, it is selected by default.



  10. On the Select a Site page, either select the check box beside Use the site that corresponds to the IP address of this computer, which installs the domain controller in the site that corresponds to its IP address, or select a site from the list, and then click Next. If you have only one domain controller and one site, the first option is grayed out and the site is selected by default, as shown in the following image



  11. On the Additional Domain Controller Options page, the DNS server and Global catalog check boxes are selected by default. You can also make your additional domain controller a Read-only domain controller (RODC) by selecting the check box beside it.

    My primary domain controller is a DNS server as well, which can be verified by reading the additional information in the image below: there is currently 1 DNS server registered as an authoritative name server for this domain. I do want my Additional DC to be a DNS server and a Global catalog, so I will keep the check boxes selected. Click Next



  12. If you selected the option to install the DNS server in the previous step, you will receive a message indicating that a DNS delegation for the DNS server could not be created and that you should create one manually to ensure reliable name resolution. If you are installing an additional domain controller in the forest root domain (or a tree root domain), you do not need to create the DNS delegation. In this case, you can safely ignore the message and click Yes.



  13. On the Install from Media page (displayed only if you selected Use advanced mode installation on the Welcome page; if you did not, skip to step 15), you can choose either to replicate data over the network from an existing domain controller, or to specify the location of installation media to be used to create the domain controller and configure AD DS. I want to replicate data over the network, so I will choose the first option and click Next



  14. On the Source Domain Controller page of the Active Directory Domain Services Installation Wizard, you can select which domain controller will be used as the source for the data that must be replicated during installation, or you can let the wizard select it. You have two options:
  • Let the wizard choose an appropriate domain controller
  • Use this specific domain controller



    If you want to choose from the list, any domain controller can be the installation partner. However, the following restrictions apply to the domain controllers that can be used as an installation partner in other situations:
    • A read-only domain controller (RODC) can never be an installation partner.
    • If you are installing an RODC, only a writable domain controller that runs Windows Server 2008 can be an installation partner.
    • If you are installing an additional domain controller for an existing domain, only a domain controller for that domain can be an installation partner.
  15. Now you have to specify where the domain controller database, log files and SYSVOL are stored on the server.
    The database stores information about the users, computers and other objects on the network. The log files record activities related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the Windows directory.

    Either type or browse to the volume and folder where you want to store each, or accept the defaults, and click Next



    Note :
    Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or other nondirectory files.
  16. On the Directory Services Restore Mode Administrator Password page, type a password and confirm it. This password is used when the domain controller is started in Directory Services Restore Mode (DSRM), which may be necessary because Active Directory Domain Services is not running, or for tasks that must be performed offline.



    Make sure the password meets the password complexity requirements of the password policy, that is, a password that contains a combination of uppercase and lowercase letters, numbers, and symbols; otherwise you will receive the following message:



  17. The Summary page is displayed, showing all the settings you have chosen. It gives you the option to export the settings to an answer file for automating subsequent AD DS operations; if you want such a file, click the Export settings button and save the file. Then click Next to begin the AD DS installation



  18. The Active Directory Domain Services installation completes. Click Finish, then click Restart Now to restart your server for the changes to take effect.





  • Open Active Directory Users and Computers and click the Domain Controllers organizational unit; you will see your Additional Domain Controller alongside your first Domain Controller.
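Seeing the new DC in Active Directory Users and Computers confirms the computer object exists, but not that the DC is actually replicating, advertising and registered in DNS. The script below is an added example, not part of the original article, that runs those checks from an existing DC after the restart: repadmin for replication status, dcdiag for the advertising, replication, DNS and SYSVOL tests, the _msdcs SRV records that the DC locator uses, and the RootDSE flags that show whether the server is synchronized and ready as a global catalog (the article keeps the Global Catalog box selected). The domain is the article's elmajdal.net; the new DC's name is a placeholder.

```powershell
# Added example (not from the original article): post-promotion checks for an additional DC.
$Domain = 'elmajdal.net'
$NewDC  = 'DC2'          # placeholder: name of the additional domain controller

# Prints the lines that match a failure pattern and returns $false if any were found.
function Test-Ok([string]$label, [string[]]$output, [string]$failPattern) {
    $bad = @($output | Where-Object { $_ -match $failPattern })
    if ($bad.Count -gt 0) {
        $text = $bad -join "`n"
        Write-Warning "$label FAILED:`n$text"
        return $false
    }
    Write-Host "$label OK"
    return $true
}

# 1. Replication links for every partition the new DC hosts; repadmin prints
#    "Last attempt @ ... was successful." or "... failed, result <code>".
$repl = repadmin /showrepl $NewDC
$replOk = Test-Ok 'repadmin /showrepl' $repl 'failed, result'

# 2. dcdiag prints "<DC> passed test <Name>" or "<DC> failed test <Name>".
$diag = dcdiag /s:$NewDC /test:Advertising /test:Replications /test:DNS /test:SysVolCheck
$diagOk = Test-Ok 'dcdiag' $diag 'failed test'

# 3. The DC locator depends on the SRV records under _msdcs; the new DC must be listed.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
$srvOk = [bool]($srv -match "svr hostname\s*=\s*$NewDC\.$Domain")
if (-not $srvOk) { Write-Warning "No SRV record for $NewDC in _ldap._tcp.dc._msdcs.$Domain; run 'nltest /dsregdns' on $NewDC" }

# 4. RootDSE on the new DC: isSynchronized must be TRUE before it serves logons,
#    and isGlobalCatalogReady must be TRUE if the Global catalog box was selected.
$root = [ADSI]"LDAP://$NewDC.$Domain/RootDSE"
$synced  = [string]$root.isSynchronized -eq 'TRUE'
$gcReady = [string]$root.isGlobalCatalogReady -eq 'TRUE'
Write-Host "isSynchronized=$synced isGlobalCatalogReady=$gcReady"

if ($replOk -and $diagOk -and $srvOk -and $synced -and $gcReady) {
    Write-Host "$NewDC is replicating, advertising and registered in DNS"
} else {
    Write-Warning "$NewDC is not fully ready; review the warnings above before relying on it"
}
```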




Summary

Additional domain controllers improve the performance of authentication requests and global catalog server lookups. They also help Active Directory Domain Services (AD DS) overcome hardware, software, or administrator errors. When you add a domain controller, information is replicated over the network.