Thursday, March 27, 2008

Installing Active Directory

This is a well-written, concise article on the details of installing Active Directory. I used this tutorial for creating a VM with SharePoint... a no-no according to MSFT but a necessity for our organization, so I would replicate what production is like. Full text below:

================================

In this guide, we will begin with a non-existent domain and end with a new Active Directory installation, in its own forest. Along with Active Directory we will also configure DNS (Which is required by Active Directory) on the same machine.

Get a machine that is somewhat powerful, when I say somewhat, it can be a lonely PIII 800MHz if you so wish it. I would have at least 512MB of memory in it, a 10/100 Network card, CD-ROM, and I would give it at least a 30GB hard drive. The more features you add (different walkthroughs) the more space you will need.

Grab your copy of Windows 2003 and boot from the CD; install Windows 2003 just like any version of Windows XP you have installed before. When Windows is installed, load all your necessary drivers (video, LAN, motherboard, and others if needed).

Close the Configure Your Server Wizard. We will be doing this the manual way, so we have more options.

First, assign this server a static IP address. This can be found by going to Start -> Settings -> Control Panel -> Network Connections. Inside ‘Network Connections’ you should (by default) have a connection called ‘Local Area Connection’. Right click on ‘Local Area Connection’ and choose ‘Properties’. In the middle of the dialog box there will be a list of protocols, from here choose ‘Internet Protocol (TCP/IP)’ and click on the ‘Properties’ button.

Choose the radio button labeled ‘Use the following IP Address’ and in the boxes provided type in the IP Address you wish to assign to this server.

If you are unsure, you can use ‘192.168.100.2’, which is the IP Address I am going to refer to throughout this walkthrough, or you can check another computer and find out what IP Address it has (Start -> Run -> cmd (enter)) and type ‘ipconfig’ at the command line.

Most routers will probably give you 192.168.1.100+ as an IP Address and 192.168.1.1 as a Default Gateway, so if you have this, I would recommend you use 192.168.1.2 for the IP Address on your server. For the Subnet Mask type in ‘255.255.255.0’ and for Default Gateway type in the IP Address of the router for access to the Internet (if you are unsure of what the Gateway IP Address is, then go to another machine that has Internet access, drop to a console (Start -> Run -> cmd (enter)), type ‘ipconfig’ at the command line and read the line that says Default Gateway).

Now, choose the radio button labeled ‘Use the following DNS server addresses’ and in the boxes provided type in the SAME IP Address you chose for the IP Address of this machine (Yes, the DNS Server this machine will use is ITSELF!). You do NOT need to fill in the ‘Alternate DNS Server’ address boxes.

Okay, for this test setup I’m going to use these as my settings (remember that your settings may vary and don’t forget to adjust mine when I make future references to them in this walkthrough).

IP Address = 192.168.100.2
Subnet Mask = 255.255.255.0
Default Gateway = 192.168.100.1
DNS Servers = 192.168.100.2

Click ‘Ok’ on the Internet Protocol (TCP/IP) dialog window, and another ‘Ok’ on the Local Area Connection dialog window. You can close any other windows you may have open on the server so you are back at a nice clean Desktop.

Reboot the server now, just to make sure everything was saved. When it comes back on, we will continue installing the Windows 2003 DNS Server.

Second, now that your server has rebooted, go to Start -> Settings -> Control Panel -> Add / Remove Programs. Inside Add / Remove Programs click on the button to the left that is labeled ‘Add / Remove Windows Components’. When it’s done loading, you should be presented with a box of components you can remove and add.

Click on ‘Network Services’ (don’t check the box, just select the item) and click the ‘Details’ button. In this new dialog check the box next to the item labeled ‘Domain Name Server (DNS)’ and click ‘Ok’. Back at the Windows Components click ‘Next’ and let it finish its job (you may need the Windows 2003 disc to complete this step).

When it’s all done, click ‘Finish’ and close all windows again so you are back at the Desktop.

Go to Start -> Settings -> Control Panel and, in Control Panel, open ‘System’. Click on the ‘Computer name’ tab at the top of this dialog and then click the ‘Change’ button near the bottom. Now click on the ‘More’ button near the middle, and in the text box labeled ‘Primary DNS suffix of this computer’ type your DNS suffix here…

Example:

myhome.home

or

companyname.work

or

myhome.com

It does not matter, but if you choose a ‘Standard Convention’ (by that I mean, if you choose .net, .com, .org, or another top level domain suffix) then you should make sure it’s not in use, or you may run into problems getting to the website owned by that real domain. Say I chose google.com as my Zone Name; I would have a slight problem going to the REAL google.com now, wouldn’t I? This is why I choose .home or .work and such.

When you have chosen your Suffix, click ‘Ok’ then ‘Ok’ again, and another ‘Ok’ going through all the dialog boxes. You will then need to reboot!

When your server has come back up…

Click on Start -> Programs -> Administrative Tools -> then click on ‘DNS’.

When the window has loaded you should have some items on the left side in a tree view. The top most items should be DNS and should fall in like a tree.

Example:

DNS
(server name)
Event Viewer
Forward Lookup Zones
Reverse Lookup Zones

(You may need to expand the (server name))

Left click, then Right click on ‘Forward Lookup Zones’ and choose ‘New Zone…’. When the dialog comes up click the ‘Next’ button, then choose the radio button labeled ‘Primary Zone’ and click ‘Next’. You will now be presented with a Zone Name box; in this box type the name you chose above for the DNS suffix of this computer, and click ‘Next’. The next page will ask you what to name the file; you can just click ‘Next’ here, as the defaults are fine.

Now, you should be on the Dynamic Update page. Choose the ‘Allow both nonsecure and secure dynamic updates’ radio button (This is not secure, I KNOW, but we will change this after Active Directory is installed) and then click ‘Next’, then ‘Finish’.

You should now be back at the DNS Management console screen with the options on your left in a tree view. Left, then Right click on ‘Reverse Lookup Zones’ and choose ‘New Zone…’. Click ‘Next’, make sure ‘Primary Zone’ is selected and then click ‘Next’ again. Now we are presented with a new screen, Network ID. In the boxes type in the first three portions of the server’s IP Address. (Remember that from above?) If your server IP Address was 192.168.100.2 then in the boxes put 192.168.100 and click ‘Next’. The next page should be your Zone File; clicking ‘Next’ will be fine, since the defaults are good enough. Again, click the ‘Allow both nonsecure and secure dynamic updates’ radio button and then ‘Next’, then ‘Finish’.

Now you should be back at the DNS Management console screen. Close this console screen and you should be back at the Desktop.

Let’s reboot the server to make sure everything gets restarted correctly. (Yes, Windows likes reboots during its setup)

Back at the desktop now, let’s test to make sure DNS is working correctly… Go to Start -> Run and type ‘cmd’ and click ‘Ok’. In the black command console type ‘nslookup’ you should be presented with a few lines that resemble…

Default Server: (server name).(dns suffix you choose)
Address: (ip address you choose for server)

If this shows, you’re doing well thus far; if this does not show, you may have skipped the part about adding your DNS suffix in the ‘System’ part of Control Panel. Type ‘exit’ then ‘exit’ again to close nslookup and the command console and return to the Desktop.

Third, now that you have DNS working correctly, we can now install Active Directory and create our domain.

Go to Start -> Run and type ‘dcpromo’ then click ‘Ok’. The Active Directory Wizard will start; click ‘Next’ then ‘Next’ again after you have read some security information for older versions of Windows. Now you will be able to choose what type of Domain Controller this will be. This walkthrough is for a brand-spanking new domain and such, so we will leave it defaulted to ‘Domain controller for a new domain’ and click ‘Next’. Now we see some choices for Forests. Again for this walkthrough we choose the default ‘Domain in a new forest’ and click ‘Next’. We are now asked for our Full DNS name; in this text box type in the suffix that you chose a while back when setting up DNS, the one that was given in the example as:

Example:

myhome.home

or

companyname.work

or

myhome.com

and click ‘Next’. On the next dialog we will choose the default recommended Domain NETBIOS name and click ‘Next’. Here we can choose where to save the database for Active Directory; for our purposes, the defaults are good and we will click ‘Next’. Then ‘Next’ again when we are asked where to save the SYSVOL files. The next page is sort of important if you have any servers running Windows NT 4 and such (anything below Windows 2000) as the Server Operating System; clients are not affected. But within the scope of this Walkthrough we will do the default for permissions, which is ‘Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems’, and then click ‘Next’.

Now Windows will ask for a Directory Services Restore Mode Administrator Password. You can choose any password you wish; this password is needed in case you have some sort of disaster and need to do a recovery of the Active Directory. When you have your password entered twice for verification, click ‘Next’. A brief summary of what you have done thus far is shown on this dialog, and you can click ‘Next’ to start the installation of Active Directory.

When the installation has completed, you will be asked to restart the computer, so go ahead and reboot now.

Let’s go back and secure DNS shall we…

Click on Start -> Programs -> Administrative Tools -> DNS

Inside the DNS Management Console left then right click on the + next to Forward Lookup Zones to expand it and then right click on (dns suffix you choose) and choose ‘Properties’. There should be a button labeled ‘Change’ next to Type: Primary. Click ‘Change’, check the box labeled ‘Store the zone in Active Directory (available only if DNS server is a domain controller)’ and click ‘Ok’. When it warns you, click ‘Ok’ again.

Now back at the suffix properties click on the drop down list labeled ‘Dynamic Updates’ and choose ‘Secure Only’. Then click ‘Ok’.

Inside the DNS Management Console left then right click on the + next to Reverse Lookup Zones to expand it and then right click on ((IP Address) (Subnet)) and choose ‘Properties’. There should be a button labeled ‘Change’ next to Type: Primary. Click ‘Change’, check the box labeled ‘Store the zone in Active Directory (available only if DNS server is a domain controller)’ and click ‘Ok’. When it warns you, click ‘Ok’ again.

Now back at the reverse zone properties click on the drop down list labeled ‘Dynamic Updates’ and choose ‘Secure Only’. Then click ‘Ok’.
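The two settings just changed by hand (storing each zone in Active Directory and allowing only secure dynamic updates) are easy to miss on one zone and silently leave it open to unauthenticated record updates. As an added check that is not part of the original article, the script below audits every primary zone for both settings and, with -Fix, applies them; it assumes a current Windows Server with the DnsServer PowerShell module (2012 or later) rather than the 2003 console the article uses.

```powershell
# Added example: audit (and optionally fix) the two zone settings the walkthrough
# secures by hand: AD-integrated storage and 'Secure Only' dynamic updates.
# Assumes the DnsServer module (Windows Server 2012+), run on or against a DC.
param(
    [string]$DnsServer = $env:COMPUTERNAME,
    [switch]$Fix
)

Import-Module DnsServer

# Only primary zones matter here; skip the automatically created ones
# (0.in-addr.arpa, 127.in-addr.arpa, 255.in-addr.arpa).
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    $issues = @()
    if (-not $zone.IsDsIntegrated) {
        $issues += 'file-backed (not stored in Active Directory)'
    }
    if ($zone.DynamicUpdate -ne 'Secure') {
        # Values are None, NonsecureAndSecure or Secure; only Secure requires
        # the updating client to authenticate with its computer account.
        $issues += "dynamic updates set to '$($zone.DynamicUpdate)'"
    }

    if ($issues.Count -eq 0) {
        Write-Output ("OK    {0}" -f $zone.ZoneName)
        continue
    }
    Write-Warning ("{0}: {1}" -f $zone.ZoneName, ($issues -join '; '))

    if ($Fix) {
        if (-not $zone.IsDsIntegrated) {
            # Same as ticking 'Store the zone in Active Directory' in the GUI.
            # Secure-only updates are only available on AD-integrated zones,
            # so this conversion has to happen first.
            ConvertTo-DnsServerPrimaryZone -ComputerName $DnsServer `
                -Name $zone.ZoneName -ReplicationScope Domain -Force
        }
        # Same as choosing 'Secure Only' in the Dynamic Updates drop-down.
        Set-DnsServerPrimaryZone -ComputerName $DnsServer `
            -Name $zone.ZoneName -DynamicUpdate Secure
        Write-Output ("FIXED {0}" -f $zone.ZoneName)
    }
}
```

Run it without -Fix first to see which zones (forward and reverse) still allow nonsecure updates; rerun with -Fix once you are happy with the list.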

Active Directory is now installed and DNS is working and secured. You can manage your users in Start -> Programs -> Administrative Tools -> Active Directory Users and Computers

You should have a tree on the left that resembles…

Active Directory Users and Computers
Saved Queries
(dns suffix you choose)
Builtin
Computers
Domain Controllers
ForeignSecurityPrincipals
Users

I recommend that you create a new Organizational Unit under your (dns suffix you choose): just right click on (dns suffix you choose), click on ‘New’ then ‘Organizational Unit’ and name it. I usually choose a company name, or workgroup name here. Like ‘Archaic Binary’ :-)

You can then add new users to that OU or create more OUs below that and add users to different OUs and create a more refined structure.

Hope this helps some people install and slightly configure Active Directory on Windows 2003.

2 comments:

  1. Thanks for your input very useful.

  2. Can anyone recommend a robust Remote Management & Monitoring program for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central network management? What is your best take in cost vs performance among those three? I need good advice please... Thanks in advance!
