AD in New 2003

Just installed Windows 2003 Server (will place in test environment before deployment). Looking for documentation, links, on step-by-step instructions to set up a typical Active Directory environment on a brand new LAN. Additionally, would like suggestions or recommendations, tips, caveats, etc., regarding AD with the following general network environment: Network is single domain (only one server). Network includes 100 users, 80 local (LAN), 20 via 7 branch offices (WAN) connected site-to-site VPN (behind firewall and NAT, and all on different subnets). All users required to log in to main server (DC), for scripts and DNS. Organization has 5-6 different departments. Branch offices (subnetted) will use local device (firewall) for DHCP or manual IP config. All offices access internet via ISP using one IP behind NAT. THANKS.
Fatal_Exception, Systems Engineer, Commented:
Here is a start for you (I keep these bookmarked):

How do I install Active Directory on my Windows Server 2003 server?

How do I install and configure Windows Server 2003 DNS server?

Windows Server 2003 Downloads

and finally:
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, Commented:
Build up your 2003 box, make sure you have updated drivers and patches and get Windows fully up to date.  When you are comfortable and have confirmed you have Internet access, run DCPromo.  You will need the IIS plugin, but it will let you know if you are missing anything.  Do you have a domain name?  If so, you will probably not want to use that for your internal network.  For example, mine is  My internal domain is  If you have a web presence you could have issues otherwise.  Anyway, you are creating a single forest and a single domain.  When complete, this DC will reboot and you will log on to the domain.  Now, this DC will have all the FSMO roles and be a Global Catalog server.  I would also go into Add/Delete Programs, Windows Components, and add WINS.  If this is the only DC or 1 of 2, and you want this to provide DHCP, then also install that.  WINS is an easy configuration and DHCP is not too hard either.

OK, now this DC is set up.  I highly recommend a second Domain Controller.  You don't want one failure to cripple your network.  Build it up the same as the first, but when you DCPromo, it will be an additional Domain Controller in an existing domain/forest.  This will also load up DNS.  I would go into AD Sites and Services and make this one a Global Catalog server too.  Your DCs are now complete.  Using DHCP options, make sure your DNS entries are for your internal DNS servers only.  Those servers should only point to themselves.  The only place your ISP DNS entries should be in your main office is on your firewall or router, whatever device has your public IP address.  Name resolution requests will hit the DNS server and, if not resolved, will pass on to the Internet root servers.

You have it right for site-to-site VPN tunnels using firewalls, NAT and different subnets.  I am assuming the remote sites will also have Internet access.  To make your connectivity seamless, in your firewall or whatever device is your gateway (mine is my firewall), the first DNS entry should be your server at the main office.  The second one should be the first DNS address provided by your ISP.

I just connected a few additional remote sites with this exact configuration and it makes the network connection scream, even across the slow broadband links.  Use DHCP to simplify your life; only static-IP what you really need to.

In any network or server setting, remember, use the KISS method.
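The answer above makes two concrete DNS requirements: every domain member (the DCs included) should list only the internal DNS servers, and those servers must actually serve the domain. The following script is an added example, not part of the original thread or the poster's own configuration; it audits a host against exactly those two rules. The internal DC addresses (10.10.0.10, 10.10.0.11) and the AD DNS name (corp.example) are assumptions to be replaced. It uses WMI and nslookup.exe rather than the newer DnsClient cmdlets so that it runs on the PowerShell 1.0 release that was available for Windows Server 2003 and XP, as well as on current Windows.

```powershell
# Added example (not from the original post): audit this host's DNS client
# configuration against the recommended layout:
#   1. every configured DNS server must be one of our internal DCs
#      (an ISP resolver handed out by a branch firewall breaks AD lookups);
#   2. every configured server must answer the DC locator SRV query.
# Assumed values - replace with your own:
$InternalDns = @('10.10.0.10', '10.10.0.11')   # assumed DC/DNS addresses
$AdDomain    = 'corp.example'                  # assumed AD DNS domain name
$SrvRecord   = "_ldap._tcp.dc._msdcs.$AdDomain"

$problems = @()

# Enumerate each IP-enabled adapter via WMI (works on PowerShell 1.0+).
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $adapters) {
    # Guard against @($null), which has Count 1 in older PowerShell.
    $servers = @()
    if ($nic.DNSServerSearchOrder) { $servers = @($nic.DNSServerSearchOrder) }
    Write-Host ("{0}: DNS = {1}" -f $nic.Description, [string]::Join(', ', $servers))

    if ($servers.Count -eq 0) {
        $problems += "$($nic.Description): no DNS servers configured"
        continue
    }

    foreach ($s in $servers) {
        # Rule 1: only internal DCs may appear in the search order.
        if ($InternalDns -notcontains $s) {
            $problems += "$($nic.Description): external DNS server $s in search order"
        }
        # Rule 2: the server must return the domain's DC locator SRV record.
        # Windows nslookup prints 'svr hostname = <dc fqdn>' for each SRV answer.
        $out = & nslookup.exe -type=SRV $SrvRecord $s 2>&1 | Out-String
        if ($out -notmatch 'svr hostname') {
            $problems += "$s does not answer SRV query for $SrvRecord"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: DNS client configuration matches the recommended layout"
} else {
    foreach ($p in $problems) { Write-Host "PROBLEM: $p" }
}
```

Run it on each DC after DCPromo (both servers should list only themselves and each other) and on a branch-office workstation that received its address from the local firewall's DHCP; a PROBLEM line for an external resolver there means the remote DHCP scope is handing out the ISP's DNS instead of the main-office DC.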

mmm5 (Author) Commented:
Samccarthy: No domain name yet, and there will be no web (Internet server) presence.  I'm thinking of a non-standard domain name such as companyname.north. Will this have any ramifications? Also, all workstations are running XP Pro. Is WINS really needed, or can I stay with TCP/IP only? Just curious, at remote sites, is all traffic, internal and Internet, going through your main firewall at main office, or is Internet access routed through local firewalls? Also, do you have a back-up strategy in place? In other words, do user data files reside on the network server or local workstation, or both? THANKS.


Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, Commented:
No, the domain name will work just fine.  You will need WINS if you have any legacy applications or older systems that require it.  If you don't have the applications, go without it.  You can easily add it later if you do.

With the DNS as the first setting in the remote firewall, all DNS requests go to the main DNS server for resolution.  That makes the network traffic fly, but their regular Internet activity will go out their local ISP connection.  Of course network traffic will go over the tunnel.

I use folder redirection for my users, so all their files are on a server.  For remote sites, and I have a few, with a DC onsite, the files reside there.  For those that just connect like yours do, the files reside at the remote server.  With redirection, it keeps a local copy of the files, so should the link go down, my users can still get to the Internet and still work on their files, and they will synchronize when the link is restored.  Works pretty darn good!
mmm5 (Author) Commented:
Appreciate both answers. Thanks again !
Fatal_Exception, Systems Engineer, Commented:
Very good, and thank you!

Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, Commented:
Thanks and good luck!