Check the Computer Account
As with NT 4.0, all Win2K machines, including DCs, need computer accounts to function in a domain. If you open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and select the Domain Controllers OU, you should see a computer account object for the DC you just installed. The AD installation process creates this computer account for the first DC in the domain. If you promoted a member server in an existing domain, Dcpromo will have moved its computer account to this OU.
If the computer account doesn't exist, something went awry during the AD installation. The same is true if the Ntds and Sysvol subfolders don't show up. These problems are quite rare, but if they arise, you must uninstall AD from this DC, then reinstall it.
Secure the Administrator Account
Whenever you create a new domain, you should rename the domain administrator account and give it an appropriately complex password. This basic security step is often overlooked.
As you know, all Win2K and NT 4.0 domains contain a powerful account named "administrator" by default. Don't make things easier for potential intruders. Rename the account. And don't name it after your favorite superhero; use a generic-sounding name (e.g., Sue Johnson) to hide the account among your user accounts.
Select a password that will send the best cracking software into conniptions. AD account passwords can contain up to 127 characters, so you can now use a passphrase to protect the administrator account. As always, use a mix of upper- and lowercase as well as alphanumeric and nonalphanumeric characters. The longer and more complex the password, the better.
I also recommend that you create a second domain administrator account in case you forget the first one's long, secure password. Follow the same principles set out above for its name and password. And remember that this step is only the first and most basic step in securing your servers.
Set the Site Membership
You must set the DC's site membership to ensure that both replication and logon traffic don't overburden your WAN links. Although Win2K member servers and Win2K Professional systems will automatically join the correct site according to their IP address, a DC's site membership is static and usually requires that an administrator set it. If, however, you've already created the sites and their corresponding subnets, and if you can set the DC's IP address to the one it's supposed to have before you run dcpromo.exe, the DC should join its intended site automatically.
But if you plan to set up or change site configurations after installing the DCs, you'll have to adjust their site memberships manually using the MMC Active Directory Sites and Services snap-in. This is also the case if you have to configure the DC with a different IP address from the one it will have permanently (for example, if you're setting up the server and shipping it to a branch office). And at the very least, you'll have to modify the site membership of the first DC in the forest root because you have to install AD on it before you can create any sites. A cautionary note: Before you change its site membership, make sure the DC's IP address matches the address of one of the subnets assigned to its intended site.
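The cautionary check above can be scripted before you move any DC objects. The following is an added example, not part of the original article: it maps each DC's IP address to a site by subnet and flags mismatches with the intended site. The site names, subnets, and DC inventory are constructed sample data, and the rule that the most specific matching subnet decides the site is an assumption of this sketch.

```python
import ipaddress

# Constructed sample data: site names and subnets are hypothetical, standing in
# for the subnet objects defined in Active Directory Sites and Services.
SITE_SUBNETS = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Branch-East",
    "10.20.30.0/24": "Branch-East-Lab",
    "192.168.50.0/24": "Staging",
}


def site_for_ip(ip, site_subnets=SITE_SUBNETS):
    """Return (site, subnet) for the most specific subnet containing ip, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in site_subnets.items():
        # strict=True rejects entries with host bits set, e.g. a mistyped 10.20.30.1/24
        net = ipaddress.ip_network(cidr, strict=True)
        if addr.version == net.version and addr in net:
            # Assumption: the longest prefix (most specific subnet) wins.
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (site, net)
    return (best[0], str(best[1])) if best else (None, None)


def check_dc_site(dc_name, ip, intended_site, site_subnets=SITE_SUBNETS):
    """Compare the site implied by the DC's IP address with the intended site."""
    site, subnet = site_for_ip(ip, site_subnets)
    if site is None:
        return f"{dc_name}: {ip} is in no defined subnet; define the subnet first"
    if site != intended_site:
        return f"{dc_name}: {ip} falls in {subnet} ({site}), not {intended_site}"
    return f"{dc_name}: OK, {ip} falls in {subnet} ({site})"


if __name__ == "__main__":
    # Constructed DC inventory: (name, current IP, intended site).
    for dc in [
        ("DC01", "10.1.2.3", "HQ"),
        ("DC02", "10.20.30.5", "Branch-East"),     # the more specific /24 wins
        ("DC03", "192.168.50.10", "Branch-East"),  # staged with a temporary IP
        ("DC04", "172.16.0.9", "HQ"),              # no subnet covers this address
    ]:
        print(check_dc_site(*dc))
```

A DC staged with a temporary address (DC03 here) is the case the article describes for servers shipped to a branch office: the check reports the mismatch so you know the site membership needs a manual change once the permanent address is set.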