
James McDermott (jamesmcd05@gmail.com)

Installing and Configuring a Domain Controller and Active Directory Services


Table of Contents
Introduction
A.1 Windows Server 2008 R2 Standard Server Core Installation
A.2 Windows Server 2008 Datacenter Full Installation
B.1 Setting up a Domain Controller
B.2 Adding a second Domain Controller (server2)
B.3 Setting up a member server (MS-Core)
C.1 Setting up a disk mirror
C.2 Creating Spanned Volumes
D.1 Setting up Organizational Units (OUs)
D.2 Setting up Users
D.3 Setting user logon times
E.1 Setting up groups
E.2 Restrict view to Organizational Unit with a Group Policy
E.3 Redirecting My Documents from client machine to server
E.4 Blocking access to Control Panel with GPOs
E.5 Publishing software to Users with GPOs
F.1 Installing print server role
F.2 Installing Printers
F.3 Publishing printer to directory
F.4 Installing a generic unshared printer
G.1 Setting up server core file services
G.2 Configuring Remote Desktop on Server Core
G.3 Remote connecting to Server Core from Windows 7
H.1 Setting up DHCP Services (Server2)
H.2 Setting up Windows 7 to obtain IP from server2
H.3 Removing DHCP services
I.1 Decommissioning a domain controller
References


Introduction
This manual demonstrates how to configure a domain controller and use Active Directory services. We will set up two server machines to be used as domain controllers (each running a full installation of Windows Server 2008 R2), a member server (running a core installation of Windows Server 2008 R2) and a client machine (running Windows 7) which will be connected to the domain. The four machines will be named as follows:

Server1 - will be the first domain controller
Server2 - will be a second domain controller
MS-Core - will be the member server
Client1 - will be the client machine

For the purpose of this manual a domain will be created to host a college network for staff members, which will include trainers, managers and administrative staff. The college is called IPA and has trainers for both IT and Marketing. The IT department is subdivided into two locations, Dublin and Belfast. There are also managers and administrative staff within the college that will be represented in the domain.


A.1 Windows Server 2008 R2 Standard Server Core Installation


The core installation of Windows Server gives us a textual user interface (TUI) which is lighter and requires less processing power to run (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p.111). As this is a light installation it can run on machines that have limited resources. Because fewer features are installed (such as graphical interfaces) there is less need for repair or patching. This makes for a more stable installation of the system.

Installing the system

Start the Windows installation.

1. Choose the install language and keyboard input (See Figure 1: Language and Input).

Figure 1: Language and Input

On the next screen click Install now; setup will now begin.

2. Select Windows Server 2008 R2 Standard (Server Core Installation) and click Next (See Figure 2: Installation Version).

Figure 2: Installation Version


3. Click I accept to agree to the license terms, then click Next (See Figure 3: Licensing Agreement).

Figure 3: Licensing Agreement

4. Click Custom to install a fresh copy of Windows (See Figure 4: Custom Installation).

Figure 4: Custom Installation


5. Select Drive Options to create a partition and install the OS (See Figure 5: Configuring Hard Drive)

Figure 5: Configuring Hard Drive

6. Click New (See Figure 6: Adding Partition).

Figure 6: Adding Partition

7. Enter the size of partition required in MB then click Apply (here we will use 30000MB, 30GB, see Figure 7: Set Partition Size).

Figure 7: Set Partition Size


8. Click OK to the notification window. (See Figure 8: Windows Drive Usage Notification).

Figure 8: Windows Drive Usage Notification

9. Next click on the partition that has just been created and click Next (See Figure 9: Install to Partition).

Figure 9: Install to Partition

10. Windows will now install the system; Windows will restart several times before finishing (See Figure 10: Windows Installation)

Figure 10: Windows Installation


11. Click OK to change password on first use (See Figure 11: Password Change Prompt).

Figure 11: Password Change Prompt

12. Enter the new password (here we use Pa$$w0rd) and click the blue arrow (See Figure 12: New Password Entry).

Figure 12: New Password Entry


Renaming the server

Server Core includes a very useful menu-oriented command interface called Server Configuration (sconfig), which allows us to manage many configuration settings (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p. 1277).

1. Using the Server Core command prompt window, type sconfig and press Enter (See Figure 1: sconfig command).

Figure 1: sconfig command

2. In the sconfig console type 2 and press Enter (See Figure 2: Computer Name Option).

Figure 2: Computer Name Option

3. Type in a new computer name (here we are using MS-Core) and press Enter (See Figure 3: Rename Core Server).

Figure 3: Rename Core Server


4. You will be prompted to restart the computer. Click Yes and restart (See Figure 4: Restart Prompt).

Figure 4: Restart Prompt

5. Log into the server once Windows restarts and run sconfig again (See Figure 5: Servers New Name).

Figure 5: Servers New Name

The computer name field will now display the new name setting.


Setting static IP address

When dealing with domain controllers the IPv4 address should be statically assigned (Tittel, E. & Korelc, J., 2008, p.107). It is beneficial to set up static IP addresses for any server machine that is connected to the domain, as it may later be upgraded to a domain controller. Here we will set the static IP address for the Server Core installation.

1. Run sconfig and type 8, then press Enter (See Figure 1: sconfig window Network Settings).

Figure 1: sconfig window Network Settings

2. Choose the index number of the network adapter that you want to edit (in our case we use 0, see Figure 2: Choose Network Adapter).

Figure 2: Choose Network Adapter

3. In network adapter settings type 1 and press Enter. Then type S and press Enter to set a static IP address (See Figure 3: Static IP Options)

Figure 3: Static IP Options


4. Type the IP address you wish to use if you are changing the IP and press Enter. Then type the subnet mask if you wish to change it and press Enter

Figure 4: Static IP Settings

Set a static IP of 192.168.0.34 and press Enter, then a subnet mask of 255.255.255.0 (the default setting), which is the same as /24 in Classless Inter-Domain Routing (CIDR) notation, and press Enter. As we are not looking at internet access, leave the gateway blank.

5. The new static IP settings are displayed (See Figure 5: New IP Settings).

Figure 5: New IP Settings

6. Type 4 then press Enter to exit to the main menu. Next type 12 and press Enter to shut down the server (See Figure 6: Restart Server).

Figure 6: Restart Server


A.2 Windows Server 2008 Datacenter Full Installation


The full installation of Windows Server presents us with a graphical interface for changing the settings of the server. It also has more features than the Server Core installation, which uses a minimal server operating environment (Tittel, E. & Korelc, J., 2008, p.284). It is heavier than the core installation and requires more resources to run; however, it is more user friendly.

Installing the system

Installing the full installation is similar to A.1 Installing the system.

1. At step 2 select Windows Server 2008 R2 Datacenter (Full Installation) (See Figure 1: Full Installation Option).

Figure 1: Full Installation Option

Once installation has completed, log in using the password set up during installation. Now, rather than being presented with a command line interface, we are presented with the familiar Windows interface (See Figure 2: Server Startup).

Figure 2: Server Startup


Configuring computer name and IP address

Setting the computer name and static IP address in the full installation of Windows Server 2008 R2 is not the same as in the core installation. As in a standard Windows environment, we change these settings using properties windows and Control Panel. Here we will set a static IP address for Server1 and name the server appropriately.

1. Go to Start > Computer (right-click) > Properties (See Figure 1: Computer Properties Option).

Figure 1: Computer Properties Option

2. Click Advanced System Settings from the left-hand pane (See Figure 2: Advanced System Settings).

Figure 2: Advanced System Settings


3. From the System Properties window select the Computer Name tab.

4. Next select Change (See Figure 3: Computer Name Tab).

Figure 3: Computer Name Tab

5. Enter a new Computer name (here we use Server1) and click OK (See Figure 4: Computer Name Change).

Figure 4: Computer Name Change


6. You will be prompted to restart your computer. Click OK, then click Restart now (See Figure 5: Restart Prompts).

Figure 5: Restart Prompts

7. Once the computer has restarted go to Start > Network (right-click) > Properties (See Figure 6: Network Properties Option).

Figure 6: Network Properties Option

This will open the Network and Sharing Center


8. Choose Change adapter settings from the left-hand pane (See Figure 7: Network and Sharing Center).

Figure 7: Network and Sharing Center

9. In the Network Connections window right click on the connection you want to edit. (See Figure 8: Network Adapter Properties)

Figure 8: Network Adapter Properties


10. Select Internet Protocol Version 4 from the list then click Properties (See Figure 9: Adapter Properties).

Figure 9: Adapter Properties

11. Set the static IP to 192.168.0.1 and the subnet mask to 255.255.255.0. Leave all other fields blank and click OK (See Figure 10: Static IP Settings).

Figure 10: Static IP Settings

The default gateway is used when dealing with communication outside of the local network, i.e. internet communication (Northrup, T. & Mackin, J.C., 2010, p.536). As we are not looking at internet access we will leave this setting blank. The server itself will act as a DNS server (Morimoto, R., Noel, M., Droubi, O., Mistry, R. & Amaris, C., 2010, p.260), so it is also unnecessary to enter an IP address into the DNS fields.


Setting up Network configuration on Server2 and Client

For the purpose of this manual we will set up another domain controller (as in Part 2). We will name this domain controller Server2 and set the IP address to 192.168.0.3 with a subnet mask of 255.255.255.0. We will also use a client machine running Windows 7. This machine will be named client1 and will have a static IP of 192.168.0.35, a subnet mask of 255.255.255.0 and a DNS of 192.168.0.1 (the IP address of Server1, as this will be a workstation on the domain, see Section B: Part 2). For a full listing of the network settings see Table 1: Server2 and Client1 Network Settings.

                    Server2          Client1 (Windows 7)
Static IP Address   192.168.0.2      192.168.0.4
Subnet Mask         255.255.255.0    255.255.255.0
DNS                 192.168.0.1      192.168.0.1

Table 1: Server2 and Client1 Network Settings

As we are going to use Server2 as a second domain controller we need to point its primary DNS server to the static IP of Server1. Client1 will be used as a workstation on the domain, therefore we need to point the primary DNS server to the static IP of Client1 and the alternative DNS to the static IP address of Server2.


B.1 Setting up a Domain Controller


A domain controller (DC) is a tool primarily used for network security and user authentication. However, it can also incorporate several features and roles that extend the functionality of the DC (Desmond, B., Richards, J., Allen, R. and Lowe-Norris, A.G., 2009, p.5). To enable domain controller roles and services we need to use dcpromo (domain controller promotion).

Running dcpromo

1. Go to Start and type dcpromo in the search box (See Figure 1: Search For dcpromo).

Figure 1: Search For dcpromo

Click on dcpromo search result and wait for application to load


2. You will be presented with a wizard interface, leave Use advanced mode installation unchecked and click Next (See Figure 2: dcpromo Wizard).

Figure 2: dcpromo Wizard

3. You will be presented with information about Operating System Compatibility, click Next to continue (See Figure 3: Compatibility Information).

Figure 3: Compatibility Information


4. As we are setting up our first domain controller, choose Create a new domain in a new forest and click Next (See Figure 4: Deployment Configuration).

Figure 4: Deployment Configuration

5. Enter a name for the domain (here we use MSCCONV.IPA) and click Next (See Figure 5: Name Domain).

Figure 5: Name Domain


6. Next we will be prompted to set the domain and forest functional level. Leave both as Windows Server 2003 and click Next (See Figure 6: Forest Functional Level).

Figure 6: Forest Functional Level

Set to the same level as all other domain controllers on the network. Click Next for the forest functional level and the domain functional level. The functional level defines which features are available to the domain or forest. Higher levels often incorporate features from lower levels (i.e. 2008 has features from 2003). Once a functional level is set all other domain controllers within the forest or domain must be at the same functional level (Morimoto, R., Noel, M., Droubi, O., Mistry, R. & Amaris, C., 2010, p.118).


7. On the Additional Domain Controller Options, make sure the DNS server is checked and click Next (See Figure 7: Additional DC Options).

Figure 7: Additional DC Options

The global catalog contains information on every object in the entire domain forest; any client that supports Active Directory can query this catalog (Tittel, E. & Korelc, J., 2008, p.121). The domain name services (DNS) role allows the domain controller to associate fully qualified domain names (FQDN) with their network IP addresses (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p.180).

8. When prompted, click Yes to continue (See Figure 8: DNS Delegation Prompt).

Figure 8: DNS Delegation Prompt


9. Leave the Location for Database, Log Files, and SYSVOL set to the default settings and click Next (See Figure 9: Location for DB, Log File and SYSVOL).

Figure 9: Location for DB, Log Files and SYSVOL

10. A restore administrator password needs to be set, in case there are any issues with the server. Enter a password (Pa$$w0rd) and click Next

Figure 10: Restore Admin Password


11. Click Next on the summary page to continue (See Figure 11: Server Summary).

Figure 11: Server Summary

12. The Active Directory will now be configured. Click Reboot on completion and wait for system to restart.

Figure 12: Active Directory Install
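
The wizard choices in steps 4 to 12 can also be given to dcpromo as an answer file. The PowerShell script below is an added example, not part of the original manual; the answer file location, the NetBIOS name MSCCONV and the decision to prompt for the restore password and restart manually are assumptions.

```powershell
# Added example: unattended equivalent of the B.1 wizard choices on Server1.
# Run from an elevated PowerShell session on the full installation.

# Hypothetical location for the temporary answer file.
$answerFile = Join-Path $env:TEMP 'dcpromo-server1.txt'

# Step 10: ask for the restore-mode password at run time so that it is
# never saved inside the script itself.
$secure = Read-Host 'Restore mode administrator password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$answers = @"
[DCInstall]
; Step 4: create a new domain in a new forest
ReplicaOrNewDomain=Domain
NewDomain=Forest
; Step 5: domain name (the NetBIOS name is an assumed value)
NewDomainDNSName=MSCCONV.IPA
DomainNetbiosName=MSCCONV
; Step 6: functional level 2 = Windows Server 2003
ForestLevel=2
DomainLevel=2
; Steps 7 and 8: install DNS, continue without a DNS delegation
InstallDNS=Yes
CreateDNSDelegation=No
; Step 9 is omitted so the default database, log and SYSVOL paths are used
; Step 10: restore-mode password
SafeModeAdminPassword=$dsrm
; Step 12: the restart is left to the operator (see below)
RebootOnCompletion=No
"@

try {
    # The file holds the password in clear text, so it exists only for the
    # duration of the promotion.
    Set-Content -Path $answerFile -Value $answers -Encoding ASCII
    $proc = Start-Process -FilePath 'dcpromo.exe' `
                          -ArgumentList "/unattend:`"$answerFile`"" `
                          -Wait -PassThru -NoNewWindow
    Write-Host "dcpromo exit code: $($proc.ExitCode)"
    Write-Host "Review $env:SystemRoot\debug\dcpromo.log, then restart the server."
}
finally {
    # Remove the clear-text copy whether or not the promotion succeeded.
    Remove-Item -Path $answerFile -ErrorAction SilentlyContinue
    Remove-Variable dsrm, answers -ErrorAction SilentlyContinue
}
```

The Summary page of the wizard (step 11) also has an Export settings button that writes an answer file for the choices made in the wizard.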


Adding a Windows 7 workstation member to the Domain

By adding a client machine to the domain we can log onto the computer using any domain account (Bott, E., Sienchert, C. and Stinson, C., 2011, p.650). The client machine will then be a workstation on the domain. These steps assume that the network settings have been set up using the settings given in A.2: Setting up Network configuration on Server2 and Client.

1. Go to Start, right click on Computer and select Properties (See Figure 1: Computer Properties Option).

Figure 1: Computer Properties Option

2. Choose Advanced system settings from the left-hand pane (See Figure 2: Advanced System Settings Option)

Figure 2: Advanced System Settings Option


3. Choose the Computer Name tab then click Change (See Figure 3: System Properties Window)

Figure 3: System Properties Window

4. In the Domain text box type the name of the domain we set up earlier (MSCCONV.IPA), see Figure 4: Join Domain Settings.

Figure 4: Join Domain Settings

5. You will be prompted to enter the domain administrator details. Username: administrator, Password: Pa$$w0rd, (See Figure 5: Logon Prompt)

Figure 5: Logon Prompt

NOTE: The local administrator of the first domain controller is promoted to the domain administrator


6. Once the client has joined the domain a welcome message will appear, click OK (See Figure 6: Domain Welcome)

Figure 6: Domain Welcome

7. Restart the computer when prompted.

Note: Currently there are no domain user accounts set up other than the administrator account, so we cannot log on to the domain. However, steps 8 and 9 demonstrate how to log on to the network.

8. When Windows restarts, at the logon screen choose Switch User (See Figure 7: Domain Logon Window).

Figure 7: Domain Logon Window

9. Choose Other User and then enter domain_name\username and enter the password (e.g. Username: MSCCONV.IPA\user Password: Pa$$w0rd).


B.2 Adding a second Domain Controller (server2)


As with all computer systems, domain controllers are susceptible to failures and viruses. It is advisable to use a secondary domain controller to maintain the domain should anything happen to the primary domain controller (Morimoto, R., Noel, M., Droubi, O., Mistry, R. & Amaris, C., 2010, p.158). Having more than one domain controller can also be useful for decentralized administration and load sharing. Using an additional domain controller to provide DNS services will lighten the load on the primary domain controller.

Using dcpromo to join existing forest

These steps assume that the network settings have been set up using the settings given in A.2: Setting up Network configuration on Server2 and Client.

1. Start dcpromo on Server2 (see Section B Step 1: Setting up Server1 as a Domain Controller and creating a forest). The installation process is similar to the setup of Server1; however, as this will be the second domain controller, we are adding it to an existing forest.

2. When prompted to Choose a Deployment Configuration, choose Existing Forest and Add a domain controller to an existing domain, then click Next (See Figure 1: Add Domain Controller).

Figure 1: Add domain controller


3. Enter the name of the domain we set up earlier (MSCCONV.IPA) in the box provided, then click Set.. (See Figure 2: Identify Domain)

Figure 2: Identify domain

4. When prompted, enter the domain administrator details (username: Administrator and password: Pa$$w0rd), see Figure 3: Administrator Logon

Figure 3: Administrator Logon


5. MSCCONV.IPA should appear highlighted; click Next (See Figure 4: Select a Domain).

Figure 4: Select a Domain

6. Leave the settings as default on the Select a Site screen and click Next (Figure 5: Select a Site)

Figure 5: Select a Site


7. Make sure DNS server and Global catalog are selected and click Next (See Figure 6: Additional Options).

Figure 6: Additional Options

8. Click Yes to the DNS notification (See Figure 7. DNS Notification).

Figure 7: DNS Notification


9. Leave the default settings on the Location for Database window and click Next (See Figure 8: Location for Database).

Figure 8: Location for Database...

10. Enter a restore password and click Next (See Figure 9: Restore Mode Password Settings).

Figure 9: Restore Mode Password Settings


11. Click Next on the Summary window to continue (See Figure 10: Summary Window).

Figure 10: Summary Window

12. Check Reboot on completion on the installation window (See Figure 11: Installation Window).

Figure 11: Installation window


13. After reboot you will now see a domain logon window (See Figure 12: Domain Logon).

Figure 12: Domain Logon


B.3 Setting up a member server (MS-Core)


Following the same method as in Section A Part 1 Step 3 we can use sconfig to configure the DNS settings of the MS-Core server.

1. Run sconfig, type 8 and press Enter to view the network settings console (See Figure 1: Sconfig - Network Settings).

Figure 1: Sconfig - Network Settings

2. Choose the index number of the network connection you wish to configure from the list (here we choose 0) and press Enter. The adapter settings for this network connection will be displayed.

3. Next type 2 and press Enter to configure the DNS settings.

4. Enter the IP address of server1 (192.168.0.1) and press Enter (See Figure 2: DNS Settings).

Figure 2: DNS Settings


5. Click OK on the Preferred DNS server set notification.

6. Enter the IP address of the alternative DNS server (server2, 192.168.0.2) and press Enter (See Figure 3: Alternative DNS Settings).

Figure 3: Alternative DNS Settings

7. Click OK on the Alternative DNS server set notification.

8. Once completed type 4 and press Enter to return to the main menu (See Figure 4: Return to Main Menu).

Figure 4: Return to Main Menu

9. Type 1 and press Enter to edit the Domain/Workgroup settings.


10. Type D and press Enter to select domain (See Figure 5: Change Domain).

Figure 5: Change Domain

11. Type the name of the domain you wish to join (MSCCONV.IPA) and press Enter (See Figure 6: Name of Domain to Join).

Figure 6: Name of Domain to Join

12. When prompted to enter a domain username enter the administrator details for the domain (UN: administrator PW: Pa$$w0rd), see Figure 7: Domain Logon

Figure 7: Domain logon


NOTE: The password window will pop up but will look like nothing is being typed. Enter the password and press Enter (See Figure 8: Password Entry Window)

Figure 8: Password entry window

13. When asked whether you want to change the computer name, click No, as the computer was named previously (See Figure 9: Change Name Prompt).

Figure 9: Change Name Prompt

14. You will then be prompted to restart. Click Yes and restart the server (See Figure 10: Restart Prompt).

Figure 10: Restart Prompt


15. Once the server has restarted, run sconfig. MSCCONV.IPA is now listed as the domain. MS-Core is now a member server (See Figure 11: Domain Change Confirmation).

Figure 11: Domain Change Confirmation


C.1 Setting up a disk mirror


A disk mirror allows one disk to be copied to another; each disk must be the same size to allow for mirroring. Data is duplicated across each disk and can therefore withstand the failure of a single disk (Morimoto, R., Noel, M., Droubi, O., Mistry, R. & Amaris, C., 2010, p.1108). Here we connect extra hard disks to the server, both 40GB in size. Once the disks are physically installed we begin this process.

1. Click the Server Manager icon, see Figure 1: Server Manager Icon.

Figure 1: Server Manager Icon

2. Select Disk Management from the item tree in the left-hand of the server manager console. This will display the disks and volumes on the system (See Figure 2: Disk Management).

Figure 2: Disk Management

The hard disks cannot be used until they are online and initialised


3. Right click on Disk 1 and Disk 2 and choose Online (See Figure 3: Set Disks Online).

Figure 3: Set Disks Online

4. Right click on Disk 1 and Disk 2 again and choose Initialize Disk (See Figure 4: Initialize Disks).

Figure 4: Initialize Disks


5. Check the disks to be initialized, choose GPT and click OK (See Figure 4: Choose Disks to Initialize).

Figure 4: Choose Disks to Initialize

Note: By initialising these two disks, disk0 is automatically set to be Dynamic. If disk0 is not dynamic already do the following:

5b. Right click on Disk0 and click Convert to Dynamic Disk (See Figure 5: Make Dynamic).

Figure 5: Make dynamic


6. Right click on the drive to be mirrored and choose Add mirror (use the C drive), see Figure 6: Add Mirror Option

Figure 6: Add Mirror Option

7. Choose which disk you want the drive mirrored on to (here we use disk 1) and click Add Mirror (See Figure 7: Choose Disk to Mirror to).

Figure 7: Choose Disk to Mirror to


8. Mirroring to disk 1 will set disk 1 to be dynamic. Click Yes to confirm this change (See Figure 8: Basic to Dynamic Prompt)

Figure 8: Basic to Dynamic Prompt

9. When this is completed you will see the drive mirrored on disk 1 (See Figure 9: Mirrored Drive)

Figure 9: Mirrored Drive


C.2 Creating Spanned Volumes


A spanned volume works in the same way as a single drive; however, it spans two or more disks (Morimoto, R., Noel, M., Droubi, O., Mistry, R. & Amaris, C., 2010, p.1107). Now that the C drive has been mirrored to disk 1, there remains 10GB free on disk 0 and disk 1, and disk 2 has 40GB free. We can create a spanned virtual volume which will make all free space appear as one drive (60GB using the free 10GB + 10GB + 40GB).

1. Right click on Disk 2 and choose New Spanned Volume (See Figure 1: Spanned Volume Option).

Figure 1: Spanned Volume Option

2. The new spanned volume wizard will begin, click Next (See Figure 2: Spanned Volume Wizard).

Figure 2: Spanned Volume Wizard


3. Select the disks to be included in the spanned volume. Add all disks by clicking Add, then click Next (See Figure 3: Add Disks)

Figure 3: Add Disks

4. Leave the options as default (assign drive letter E) and click Next (See Figure 4: Assign Drive Letter).

Figure 4: Assign Drive Letter


5. Format the volume using the default settings (NTFS, Default size, Quick Format). Click Next (See Figure 5: Format Spanned Volume).

Figure 5: Format Spanned Volume

6. Click Finish when the wizard completes.

7. When the wizard has completed, the new spanned volume information will appear in the Disk Management console (See Figure 6: Spanned Volume Information).

Figure 6: Spanned Volume Information


D.1 Setting up Organizational Units (OUs)


Active Directory allows us to define users and computers based on the organisational structure of the network. Using organizational units we can delegate control and management of data (Desmond, B., Richards, J., Allen, R. and Lowe-Norris, A.G., 2009, p.3). Unlike groups, OUs are containers for objects that allow them to be represented in the domain hierarchy (Desmond, B., Richards, J., Allen, R. and Lowe-Norris, A.G., 2009, p.248).

1. Go to Start > Administrative Tools > Active Directory Users and Computers (See Figure 1: Active Directory Users and Computers).

Figure 1: Active Directory Users and Computers

2. Right click on the domain name (MSCCONV.IPA) in the left-hand pane. Choose New then Organisational Unit (See Figure 2: Organisational Unit).

Figure 2: Organisational Unit


3. Enter the name of the new organisational unit (name it IPA) and click OK (See Figure 3: Name Organisational Unit).

Figure 3: Name Organisational Unit

Now we will create a new organisational unit within the one that has just been created.

4. Right click on the newly created IPA organisational unit and choose New then Organisational Unit (See Figure 4: Nested Organisational Unit).

Figure 4: Nested Organisational Unit


A diagram of the organisational structure we will be using can be seen in figure 5: Organisational Unit Structure

Figure 5: Organisational Unit Structure

5. Once all organisational units have been entered there should be a nested list of all units visible in the left-hand pane (See Figure 6: Nests Organisational Unit Tree).

Figure 6: Nests Organisational Unit Tree


D.2 Setting up Users


When a user account is set up in Active Directory, it becomes an Active Directory account. This means the user account can log on to any workstation within the domain (Tittel, E. & Korelc, J., 2008, p.204).

1. Click the IPA organisational unit from the left-hand pane. Then right click the white space in the right-hand pane (below marketing). Choose New then User (See Figure 1: Add User).

Figure 1: Add User

2. Enter the user details and click Next (See Figure 2: User Details).

Figure 2: User Details


3. Enter a password (Pa$$w0rd) and uncheck User must change password on next logon and click Next (See Figure 3: User Password).

Figure 3: User Password

4. Click Finish to confirm user settings (See Figure 4: Confirm User Settings)

Figure 4: Confirm User Settings


5. We will set up users in each of the organisational units as shown in Figure 5: Organisational Unit Users.

Figure 5: Organisational Unit Users

6. To set up users in each organisational unit, open the unit, right click in the white space and choose New then User (See Figure 6: New User in OU).

Figure 6: New User in OU


7. Users should appear listed in the organisational unit (See Figure 7: Organisational Unit User List)

Figure 7: Organisational Unit User List


D.3 Setting user logon times


The Active Directory Users and Computers console allows us more control over user accounts and settings. Along with the usual password restrictions (as found in standard Windows user setup) we can also define logon times. Restricting logon times allows greater control over when users can access the system (Tittel, E. & Korelc, J., 2008, p.208).

1. In ADUC highlight the users you wish to apply the logon restrictions to, right click and choose Properties (See Figure 1: Multiple User Properties).

Figure 1: Multiple User Properties

2. On the Account tab, check the box beside Logon Hours: and click Logon Hours (See Figure 2: Logon Hours).

Figure 2: Logon Hours


3. In the Logon Hours window choose Logon Denied to clear the time restrictions (See Figure 3: Clear Times).

Figure 3: Clear Times

4. Highlight the time and day you want to allow logon, select Logon permitted, then click OK (See Figure 4: Specify Times).

Figure 4: Specify Times

Now all users that were selected can only log on to the domain between Monday and Friday.
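The Logon Hours grid edited above is stored on each user object as the logonHours attribute. The following added example (not part of the original manual) builds that value for a Monday to Friday schedule and decodes it again for auditing; the function names and the fixed UTC offset parameter are assumptions made for illustration.

```powershell
# Added example: build and decode the logonHours attribute.
# logonHours is 21 bytes = 168 bits, one bit per hour of the week, stored in UTC.
# Bit 0 (least significant) of byte 0 is Sunday 00:00-01:00 UTC.

function New-LogonHours {
    param(
        [System.DayOfWeek[]] $Days,   # permitted days, local time
        [int] $StartHour = 0,         # first permitted hour (0-23), local time
        [int] $EndHour = 24,          # logon stops at this hour (1-24), local time
        [int] $UtcOffsetHours = 0     # local time minus UTC (assumed fixed, no DST handling)
    )
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            # Shift the local hour-of-week to UTC and wrap around the week.
            $slot  = (([int]$day * 24 + $hour - $UtcOffsetHours) % 168 + 168) % 168
            $index = [int][math]::Floor($slot / 8)
            $mask  = [int][math]::Pow(2, $slot % 8)
            $bytes[$index] = [byte]($bytes[$index] -bor $mask)
        }
    }
    return ,$bytes
}

function ConvertFrom-LogonHours {
    param([byte[]] $Bytes, [int] $UtcOffsetHours = 0)
    if ($null -eq $Bytes) { return 'logonHours not set: no time restriction' }
    if ($Bytes.Length -ne 21) { throw 'logonHours must be exactly 21 bytes' }
    $permitted = @{}
    for ($slot = 0; $slot -lt 168; $slot++) {
        $mask = [int][math]::Pow(2, $slot % 8)
        if ($Bytes[[int][math]::Floor($slot / 8)] -band $mask) {
            # Shift the UTC slot back to local time for display.
            $local = ($slot + $UtcOffsetHours + 168) % 168
            $day = [System.DayOfWeek][int][math]::Floor($local / 24)
            if (-not $permitted.ContainsKey($day)) { $permitted[$day] = @() }
            $permitted[$day] += $local % 24
        }
    }
    foreach ($d in [Enum]::GetValues([System.DayOfWeek])) {
        $hours = 'denied'
        if ($permitted.ContainsKey($d)) { $hours = ($permitted[$d] | Sort-Object) -join ',' }
        New-Object PSObject -Property @{ Day = $d; Hours = $hours }
    }
}

# Monday to Friday, all day, as configured in the steps above.
$weekdays = New-LogonHours -Days Monday,Tuesday,Wednesday,Thursday,Friday
ConvertFrom-LogonHours -Bytes $weekdays | Format-Table Day, Hours -AutoSize

# With the ActiveDirectory module loaded, the same value can be written to a user,
# and accounts that have no restriction at all can be listed for review
# (user1 and the IPA OU come from this lab):
# Import-Module ActiveDirectory
# Set-ADUser -Identity user1 -Replace @{ logonHours = $weekdays }
# Get-ADUser -Filter * -SearchBase 'OU=IPA,DC=MSCCONV,DC=IPA' -Properties logonHours |
#     Where-Object { $null -eq $_.logonHours } | Select-Object SamAccountName
```

Because the attribute is stored in UTC while ADUC displays local time, pass the site's UTC offset when decoding values read from the directory.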


E.1 Setting up groups


Groups are collections of users that need similar levels of access to resources. Groups simplify administration by reducing the number of relationships that need to be managed (Tittel, E. & Korelc, J., 2008, p. 212). Here we will set up groups to represent the hierarchical structure of our users. More information on best practice for setting up groups can be found at: http://technet.microsoft.com/en-us/library/cc779601%28v=ws.10%29.aspx

1. Users will be grouped according to organisational unit and role within the organisation. See Figure 1: User Grouping Diagram.

Figure 1: User Grouping Diagram

2. Open Active Directory Users and Computers and select the organisational unit in which you want to create the group. Right click in the white space and choose New then Group (See Figure 2: Adding a New Group).

Figure 2: Adding a New Group


3. On the new group window enter the name of the group and choose Global under the Group scope then click OK (See Figure 3: Name Group).

Figure 3: Name Group

There are three group scopes available: domain local, global, and universal. The domain local only applies to a single machine. Global applies to the entire domain, and universal applies to the entire forest, including all domains (Tittel, E. & Korelc, J., 2008, p.212).

4. Right click on the newly created group and choose Properties (See Figure 4: Group Properties).

Figure 4: Group Properties


5. Choose the Members tab and click Add (See Figure 5: Add Members to Group).

Figure 5: Add Members to Group

6. From the Select users.. dialogue type user and click Check Names (See Figure 6: Check Names).

Figure 6: Check Names

Note: As there are several users with a username similar to user this will open a Multiple Names Found dialogue, which will allow us to easily add several users to the group at once.


7. As we are setting up the group to cover all users (as all are Staff) select all the users from the Multiple Names Found window and click OK (See Figure 7: Add Multiple Users).

Figure 7: Add Multiple Users

8. Click OK to confirm the users to be added to the group (See Figure 8: Confirm Add Users).

Figure 8: Confirm Add Users

We will now add groups based on Figure 1. As Managers, Trainers and Admin contain users from all sub organisational units we will create these groups within the IPA organisational unit. For groups based on an organisational unit we will place the group within the OU itself.


9. Create a new group for Managers within the IPA organisational unit. Repeat steps 2 to 8 (See Figure 9: Managers Group).

Figure 9: Managers group

10. Add user1, user11, user16 and user19 to this group using the same method as step 7. Hold the Ctrl key to select multiple users (See Figure 10: Select Multiple Users).

Figure 10: Select Multiple Users


11. Within the marketing OU create a new group called marketing and add all the users from the organisational unit to this group (See Figure 11: OU Group).

Figure 11: OU Group

Create a group for each of the Dublin and Belfast organisational units.

Note: For organisational units that have sub groups it is possible to add a group within a group to save time.

12. Go to the IT organisational unit and create a group called IT. When it comes to adding users, simply type the name of the sub group to be added (add Dublin and Belfast), see Figure 12: Groups in Groups.

Figure 12: Groups in Groups


E.2 Restrict view to Organizational Unit with a Group Policy


We can restrict users in one organisational unit from being able to see users in another organisational unit, in a similar way to setting NTFS permissions in Windows. Here we will restrict users in the Marketing OU from seeing users in the IT OU.

1. In the Active Directory Users and Computers console go to View and choose Advanced Features (See Figure 1: View Advanced Features).

Figure 1: View Advanced Features

2. Right click on the IT organisational unit and select Properties (See Figure 2: Organisational Unit Properties).

Figure 2: Organisational Unit Properties


3. Choose the Security tab then choose Add (See Figure 3: Add Security Privileges).

Figure 3: Add Security Privileges

4. Add the Marketing group and click OK (See Figure 4: Add Group Privileges).

Figure 4: Add Group Privileges


5. Once we have added the Marketing group check the box under Deny for the read option (See Figure 5: Deny Read).

Figure 5: Deny Read

6. On the client machine log in as user13 from the marketing group.

7. Go to Start and type in the search box c:\Windows\system32\rundll32.exe dsquery.dll, OpenQueryWindow. This will allow us to search Active Directory.

8. Type User in the search box to list all users; this will demonstrate that users are visible (See Figure 6: Search Directory).

Figure 6: Search Directory


9. Next type user19 (a user in the IT OU). This user cannot be found as the logged on user does not have access to read that OU (See Figure 7: Search For User).

Figure 7: Search For User

The user does not appear in the search because the logged on user is a member of the restricted (Marketing) group and so cannot read or see users in the IT organisational unit, of which user19 is a member.


E.3 Redirecting My Documents from client machine to server


When a user saves a file to the My Documents/Documents folder the file is stored on the local machine. To ensure that these files are available to users no matter which machine they are logged on to, we can use a tool called folder redirection. This will redirect My Documents/Documents to a shared folder on the domain that can be accessed from anywhere within the domain (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p.1336).

1. Start up server2 and set up a folder on the C: drive called User_Docs (See Figure 1: Set Up User_Docs Folder).

Figure 1: Set up User_Docs folder

To make the folder accessible from other machines on the domain we will need to share it.


2. Right click on the User_Docs folder and choose Properties. Next choose the Sharing tab and click Advanced Sharing (See Figure 2: Advanced Sharing Options).

Figure 2: Advanced Sharing Options

3. Check the option to Share this folder and then click OK (See Figure 3: Share Folder).

Figure 3: Share Folder

4. Close the properties window


5. On server1 go to Start > Administrative Tools > Group Policy Management (See Figure 4: Group Policy Management Option).

Figure 4: Group Policy Management Option

6. Right click on Group Policy Objects and select New (See Figure 5: New Group Policy Object).

Figure 5: New Group Policy Object


7. Name the group policy object (RedirectDocsGPO, See Figure 6: Name Group Policy Object)

Figure 6: Name Group Policy Object

8. Click OK to confirm the creation of the object (See Figure 7: Group Policy Confirmation Notification).

Figure 7: Group Policy Confirmation Notification

9. Right click on the newly created object and choose Edit (See Figure 8: Edit Group Policy Object).

Figure 8: Edit Group Policy Object


10. Go to User Configuration > Policies > Windows Settings > Folder Redirection > Documents (See Figure 9: Folder Redirection).

Figure 9: Folder Redirection

11. Right click Documents and choose Properties (See Figure 10: Documents Properties).

Figure 10: Documents Properties


12. Choose Basic - Redirect everyone's folder to the same location from the Setting option, enter the location of the shared User_Docs folder in the Root Path: field, then choose OK (See Figure 11: Redirect Settings).

Figure 11: Redirect Settings

13. Choose the Settings tab and check all three checkboxes. For this example we will leave the folder in place even if the policy is removed. Click OK (See Figure 12: Document Redirect Policy Settings).

Figure 12: Document Redirect Policy Settings


14. Click Yes to confirm the settings (See Figure 13: Confirm Settings).

Figure 13: Confirm Settings

Note: The editor will appear empty even though policies have been applied. Close the editor.

15. Close the Group Policy Management Editor.

16. At the Group Policy Management window right click on the domain (MSCCONV.IPA) and choose Link an Existing GPO (See Figure 14: Link Existing GPO).

Figure 14: Link Existing GPO


As we want to apply the policy to a client within the domain we can link the group policy object to the entire domain.

17. Choose the newly created group policy object (RedirectDocsGPO) from the list and click OK (See Figure 15: Select GPO).

Figure 15: Select GPO

18. The group policy object should now be listed in the right-hand pane when the domain is selected (See Figure 16: Listed GPO).

Figure 16: Listed GPO

19. Double click on the GPO in the right-hand pane


20. Check Do not show this message again (for convenience) and click OK (See Figure 17: GPO Notification).

Figure 17: GPO Notification

As we only want this GPO to apply to the client1 machine we must add it to the scope of the policy.

21. On the Scope tab choose Add.. (See Figure 18: Add to Scope).

Figure 18: Add to Scope

22. In the Select Users, Computers.. window click Object Types.. (See Figure 19: Select Object Types).

Figure 19: Select Object Types


23. Check the box beside Computers to list computers in the add dialogue (See Figure 20: List Computers).

Figure 20: List computers

24. Now we can type Client1 and add it to the scope, click OK (See Figure 21: Adding Client1).

Figure 21: Adding Client1


25. Client1 will now be listed in the scope (See Figure 22: Client Listed in Scope).

Figure 22: Client Listed in Scope

26. To demonstrate the folder redirection we need to save a file in the Documents folder of the client machine.

27. Start client1 and log on as User16, open the Documents folder and save a file.

28. On server2 go to the User_Docs folder on the C: drive. We can now see the user folder for User16 (See Figure 23: User folder in User_Docs).

Figure 23: User folder in User_Docs

The user's documents are now stored in a subfolder within the C:\User_Docs directory of server2.


E.4 Blocking access to Control Panel with GPOs


For security purposes we can remove user access to the Control Panel using a group policy object (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p.1350). In this task we will block users in the Belfast OU from accessing the Control Panel. We will then add an exception to this for User20.

1. Open the Group Policy Management console, right click on Belfast and choose Create a GPO in this domain, and Link it here (See Figure 1: Create and Link GPO).

Figure 1: Create and Link GPO

2. Name the GPO BlockControlPanelGPO. Right click on the GPO and select Edit (See Figure 2: Edit GPO).

Figure 2: Edit GPO


3. Go to User Configuration > Policies > Administrative Templates > Control Panel, right click on Prohibit access to the Control Panel and choose Edit (See Figure 3: Prohibit Control Panel Access).

Figure 3: Prohibit Control Panel Access

4. Click the radio button beside Enabled then click OK (See Figure 4: Enable Prohibited Access).

Figure 4: Enable Prohibited Access


5. To test the restriction log in to client1 as User19 and try to access the Control Panel.

6. An error message will appear (See Figure 5: Restriction Notification).

Figure 5: Restriction Notification

Now we will add an exception for User20.

7. In the Group Policy Management window choose Delegation from the right-hand pane and choose Add (See Figure 6: Add Delegation).

Figure 6: Add Delegation


8. Add User20 and click OK (See Figure 7: Add User to Delegation).

Figure 7: Add User to Delegation

9. Choose Read from the dropdown list under permissions and click OK (See Figure 8: User Read Permission).

Figure 8: User read permission

10. With User20 highlighted in the list choose Advanced (See Figure 9: Advanced Delegation Options).

Figure 9: Advanced Delegation options


11. From the Security Settings window choose User20 and check the box under Deny for Read (See Figure 10: Deny Read of GPO).

Figure 10: Deny Read of GPO

12. Click Yes to confirm settings (See Figure 11: Confirm Settings).

Figure 11: Confirm settings

Note: As the user cannot read the GPO it will not apply to user20


13. To confirm these settings log into Client1 as user20. The Control Panel will now be listed in the Start menu and the user can access it (See Figure 12: User20 Control Panel Access).

Figure 12: User20 Control Panel Access
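Sections E.2 and E.4 both work by adding an explicit Deny Read entry, first on an OU and then on a GPO, and such entries are easy to lose track of once the console is closed. The following added example (not part of the original manual) lists every explicit Deny ACE that covers read access on the domain's OUs and group policy objects; the function name is an assumption, and the domain DN is derived from the lab domain MSCCONV.IPA.

```powershell
# Added example, not part of the original manual. Run on a domain controller
# (or a machine with RSAT) where the ActiveDirectory module is available.
Import-Module ActiveDirectory

$domainDn = 'DC=MSCCONV,DC=IPA'   # distinguished name of the lab domain MSCCONV.IPA

function Get-ExplicitDenyAce {
    param([Parameter(ValueFromPipeline = $true)] $AdObject)
    process {
        $read = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path ('AD:\' + $AdObject.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Keep only Deny entries set directly on this object.
            if ($ace.AccessControlType -ne 'Deny' -or $ace.IsInherited) { continue }
            # GPOs are stored under a GUID name, so prefer the display name.
            $label = $AdObject.DisplayName
            if (-not $label) { $label = $AdObject.DistinguishedName }
            New-Object PSObject -Property @{
                Object     = $label
                Trustee    = $ace.IdentityReference
                Rights     = $ace.ActiveDirectoryRights
                # True when the ACE denies any of the read rights; the Deny
                # Delete ACEs created by accidental-deletion protection do not match.
                DeniesRead = (([int]$ace.ActiveDirectoryRights -band $read) -ne 0)
            }
        }
    }
}

# Every OU in the domain (E.2 sets Deny Read on the IT OU).
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn

# Every GPO container (E.4 sets Deny Read on BlockControlPanelGPO).
$gpos = Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDn" `
    -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties DisplayName

@($ous) + @($gpos) |
    Get-ExplicitDenyAce |
    Where-Object { $_.DeniesRead } |
    Sort-Object Object |
    Format-Table Object, Trustee, Rights -AutoSize
```

In this lab the output should show the Marketing group on the IT OU and User20 on BlockControlPanelGPO; any other row is a restriction or exemption that someone added outside these steps.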


E.5 Publishing software to Users with GPOs


Using GPOs it is also possible to automate many tasks, including software distribution. In this task we will publish a software package to the domain which will be available to all users on the domain to install through the Control Panel (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p.382).

1. To publish software the MSI application needs to be stored in a shared folder.

2. For the purpose of this demonstration an MSI installer for Google Chrome was downloaded and saved to a shared folder on Server1 called sysvol.

3. Create a new group policy object named InstallChromeGPO and link it to the Dublin OU (See Figure 1: InstallChromeGPO).

Figure 1: InstallChromeGPO


4. Edit the GPO and go to User Configuration > Policies > Software Settings, right click Software Installation and choose New, then Package (See Figure 2: Software Installation Settings).

Figure 2: Software Installation settings

5. Select the MSI file from the shared folder and click Open (Figure 3: Select MSI File).

Figure 3: Select MSI File


6. Choose Published from the Select deployment method option and click OK (See Figure 4: Deployment Method).

Figure 4: Deployment Method

7. The software should now be listed under the Software Installation option (See Figure 5: MSI Listed).

Figure 5: MSI listed

To demonstrate this we will log onto the client machine as User16 (a user from the Dublin OU). Published software is available to users through the Control Panel; it is not automatically installed.


8. On client1 log in as User16 and open the Control Panel, under programs select Get Programs (See Figure 6: Get Programs Option).

Figure 6: Get Programs Option

9. The deployed MSI file should appear in the Get Programs window (See Figure 7: MSI in Get Programs Window)

Figure 7: MSI in Get Programs Window


F.1 Installing print server role


Adding a print server role allows the server to manage the print queue for all users on the domain. A server role also adds advanced sharing features for the printer (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p.539).

1. On the Initial Configuration Tasks window choose Add roles from the Customize This Server section (See Figure 1: Initial Configuration Task Window - Roles).

Figure 1: Initial Configuration Task Window - Roles

2. Choose Print and Document Services from the Select Server Roles options and click Next (See Figure 2: Print and Document Services).

Figure 2: Print and Document Services


3. When presented with information about Print and Document Services click Next (See Figure 3: Print and Document Services Information).

Figure 3: Print and Document Services Information

4. Choose Print Server from the top of the list of services and click Next (See Figure 4: Printer Server Role Services).

Figure 4: Print Server - Role Services


5. Click Install to confirm the installation. The role will now be installed (See Figure 5: Installation Confirmation).

Figure 5: Installation Confirmation

6. When the installation has completed successfully click Close


F.2 Installing Printers


Installing printers in Active Directory is similar to a printer installation in Windows 7 (Bott, E., Sienchert, C. and Stinson, C., 2011, p.1061). However once a printer is installed to a domain controller there are options to list the printer in the directory (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p.562).

1. Go to Start and click Devices and Printers (See Figure 1: Devices and Printers Option).

Figure 1: Devices and Printers Option

2. In the Devices and Printers window right click under the Printers and Faxes and choose Add a printer (See Figure 2: Add Printer Option).

Figure 2: Add Printer Option


3. Choose Add a local printer (See Figure 3: Add Local Printer).

Figure 3: Add Local Printer

4. Next choose an existing port from the drop down list (See Figure 4: Choose Printer Port). Note: Choose a port which is not already in use.

Figure 4: Choose Printer Port

5. From the Manufacturer list choose HP and then choose HP 910 from the Printers list (See Figure 5: Printer Selection).

Figure 5: Printer selection


6. Name the printer you want to install (here we name the printer HP910), click Next (See Figure 6: Printer Name).

Figure 6: Printer name

7. Choose Share this printer and leave the default field entries, click Next (See Figure 7: Printer Sharing).

Figure 7: Printer Sharing

8. Click Finish when the installation is completed (See Figure 8: Installation Completion).

Figure 8: Installation Completion


9. Repeat the process, ensuring that you choose a different port to the one used for the installation of the HP900 printer (step 4), and install a HP 915 (step 5) (See Figure 9: Alternate Port Selection).

Figure 9: Alternate Port Selection

Name this second printer HP900


F.3 Publishing printer to directory


Although printers that are directly connected to server machines can be shared through the network it is better to have the printer managed by a server, which allows for more control over print jobs and multiple user access (Lowe, D., 2011). In this section we will publish both the HP910 and HP900 printers.

1. In Devices and Printers under the Printers and Faxes section right click on the printer you wish to publish. Choose Printer properties (Figure 1: Printer Properties).

Figure 1: Printer Properties

2. Choose the Sharing tab and then check List in the directory, click OK (See Figure 2: List in Directory).

Figure 2: List in directory


3. Search for the printer in Active Directory. Using Server2, run Active Directory Users and Computers. Right click on the domain name (MSCCONV.IPA) and choose Find (See Figure 3: Find in Directory).

Figure 3: Find in Directory

4. In the Find Users, Contacts and Groups window choose Printers from the Find: dropdown menu (See Figure 4: Find Window).

Figure 4: Find Window


5. Enter the name of the printer into the name field and click Find Now. If the printer is found it will be listed under the Search results: (See Figure 5: Search Results).

Figure 5: Search Results


F.4 Installing a generic unshared printer


Next we will install a generic printer which will not be shared. A generic printer installation provides general printer configuration without specific hardware settings. Although it may work in some cases for attached hardware, it should generally be replaced with specific hardware drivers (Bott, E., Sienchert, C. and Stinson, C., 2011, p.57). For the purpose of this manual we will install a generic printer.

Follow the steps in F.2 Installing Printers. At step 4, choose a free port, and at step 5 choose Generic and Generic/Text Only. Then click Next (See Figure 1: Generic Printer Installation).

Figure 1: Generic Printer Installation

6. At step 7 choose Do not share this printer (See Figure 2: Do Not Share Printer).

Figure 2: Do Not Share Printer


G.1 Setting up server core file services


Enabling Network File System and creating share

By default any machine sharing a file or folder is a file server. However, to demonstrate some of the extra file server features we will install a new role. Server machines allow us to add extra functionality and system maintenance roles (Installing a server role on a server running a Server Core installation of Windows Server 2008 R2: Overview, 2010). The Network File System (NFS) role is a file sharing role that allows sharing between Windows and Unix systems. This role would be used when the domain hosts several different environments, e.g. Mac, Linux and Windows.

1. Start Windows Server Core (MS-Core), type start /w ocsetup ServerForNFS-Base and press Enter (See Figure 1: Install NFS Role).

Figure 1: Install NFS Role

2. Next we will make a folder to share. Type mkdir c:\share and press Enter (See Figure 2: Make Folder).

Figure 2: Make folder

This will place a folder on the C drive called share.

3. Navigate to the folder to confirm it has been created. Type cd c:\share and press Enter (See Figure 3: Navigate to Folder).

Figure 3: Navigate to folder

Once we have confirmed the folder is created we will share it on the network.


4. Type net share ms-coreShare=c:\share and press Enter. This will set up a share called ms-coreShare and point it to the share folder on the C drive (See Figure 4: Folder Share).

Figure 4: Folder share

By sharing the ms-coreShare folder the MS-Core machine is now a file server. As we have also installed NFS, this share is also accessible by machines running Unix systems.


Testing share on the network using server1

To find a shared resource on the network we can simply search for the computer name using the prefix \\. Network shares are identified as follows: \\computer\shareName (Bott, E., Sienchert, C. and Stinson, C., 2011, p.742).

1. On server1 go to Start and type \\ms-core to display the network shares for the core server (See Figure 1: Search for Core Server).

Figure 1: Search for Core Server

2. If the core server has been configured correctly we should see the ms-coreShare folder (See Figure 2: Shared Folder).

Figure 2: shared folder


G.2 Configuring Remote Desktop on Server Core


Remote Desktop is one of the most powerful tools available to an administrator. It allows an administrator to virtually connect to a machine and use it as though they were using the physical machine (Lowe, D., 2011, p.494).

Note: In order to remote desktop to another machine within the domain we must ensure that the primary domain server is powered on to allow logon services.

1. Start Server1.

2. Run sconfig on the core server (MS-Core). Type 7 and press Enter for Remote Desktop options. Then type E and press Enter to enable remote desktop (See Figure 1: Remote Desktop Options).

Figure 1: Remote Desktop Options

3. Next type 2 and press Enter to allow clients with any version of Remote Desktop to connect (See Figure 2: Any Remote Desktop Client).

Figure 2: Any Remote Desktop Client


4. Click OK to close the notification (See Figure 3: Notification).

Figure 3: Notification


G.3 Remote connecting to Server Core from Windows 7


Windows 7 comes with an inbuilt feature called Remote Desktop Connection which allows us to access remote desktop services easily (Bott, E., Sienchert, C. and Stinson, C., 2011, p.762). In this section remote desktop will be used to connect to the core installation from the Windows 7 client machine (client1).

1. Go to Start and type Remote Desktop Connection. Click the top entry in the list (See Figure 1: Remote Desktop Search).

Figure 1: Remote Desktop Search

2. Enter the IP address of the core server in the Computer field and click Connect (See Figure 2: Connection Setup)

Figure 2: Connection Setup


3. Logon with an administrator account. Click Use another account (See Figure 3: Use Another Account)

Figure 3: Use Another Account

4. Enter in the domain administrator username (administrator) and password (Pa$$w0rd), (See Figure 4: Administrator Logon).

Figure 4: Administrator Logon

5. Remote desktop will now connect (See Figure 5: Remote Desktop Connecting).

Figure 5: Remote Desktop Connecting


6. Click Yes to accept the security certificate (See Figure 6: Remote Desktop Certificate)

Figure 6: Remote Desktop Certificate

7. A window will now open that displays the screen of the MS-Core server (See Figure 7: Remote Desktop to Core).

Figure 7: Remote Desktop to Core


H.1 Setting up DHCP Services (Server2)


Dynamic Host Configuration Protocol (DHCP) services allow a server to assign IP addresses to nodes on the network. This allows for greater control over the network and better management of network resources (Lowe, D., 2011, p.125).

1. Start up Server2 and choose Add roles from the Initial Configuration Tasks window (See Figure 1: Initial Configuration Tasks Window).

Figure 1: Initial Configuration Tasks Window

2. Click Next on the Before You Begin notification. Choose DHCP Server from the Select Server Roles page and click Next (See Figure 2: Install Server Role).

Figure 2: Install Server Role


3. Click Next at the Introduction to DHCP Server page.

4. Select the network connection you wish to use with the DHCP server and click Next. (Here we use 192.168.0.2)

Figure 3: Network Connection Selection

5. Set the DNS server to point to the local host (127.0.0.1) and parent domain to the domain network we have set up. Make sure all settings are the same as those in Figure 4 (Below) and click Next

Figure 4: DNS Settings

Make sure there are no references to server1 in the DNS as we want to use server2 solely for DHCP services.

6. WINS is not required, so choose WINS is not required for application on this network and click Next

Figure 5: WINS Server Settings

7. On the Add or Edit DHCP Scopes window choose Add (See Figure 6: DHCP Scopes)

Figure 6: DHCP scopes


8. Enter the following details (See Figure 7: DHCP Scope Settings):

Scope Name = server2
Starting IP = 192.168.0.100
Ending IP = 192.168.0.150
Subnet mask = 255.255.255.0

Figure 7: DHCP Scope Settings

9. Click Next once you have added the scope (See Figure 8: DHCP Set Up).

Figure 8: DHCP Set Up


10. Enable DHCPv6 stateless mode and click Next (Figure 9: DHCPv6 Settings).

Figure 9: DHCPv6 Settings

11. Leave the IPv6 DNS server settings as the default settings and click Next (See Figure 10: IPv6 DNS Server Settings).

Figure 10: IPv6 DNS Server Settings


12. As we are logged into server2 as the domain administrator we can choose Use current credentials to authorize the DHCP server, then click Next (See Figure 11: Authorize DHCP).

Figure 11: Authorize DHCP

13. Click Install to confirm the settings (See Figure 12: Confirm Installation).

Figure 12: Confirm Installation

14. Click Close when installation completes


H.2 Setting up windows 7 to obtain IP from server2


To use server2 as the DHCP server it must be running along with the client machine. The client machine will obtain its IP settings automatically and use the DNS to configure its settings. In the following example we will point the DNS to Server2 to obtain the IP settings from the DHCP server on Server2.

1. On the client machine (client1) open the network adapter settings and change the IPv4 settings to obtain an IP address automatically. Change the preferred DNS to the IP address of server2 (192.168.0.2) and leave the alternative DNS server blank (See Figure 1: Network Adapter Settings).

Figure 1: Network Adapter Settings

2. Open Command Prompt and type ipconfig to display the IP address that has been assigned by server2. It should be in the range of the scope defined during the setup of the DHCP server (See Figure 2: Assigned IP).

Figure 2: Assigned IP


H.3 Removing DHCP services


We will now remove DHCP services from server2 so it will no longer hand out IP addresses to computers on the network.

1. Go to Start > Administrative Tools > Server Manager (See Figure 1: Server Manager Option).

Figure 1: Server Manager Option

2. Choose Roles from the left-hand pane, then choose Remove Roles (See Figure 2: Remove Role Option)

Figure 2: Remove Role Option


3. Click Next on the Before You Begin information page.

4. Uncheck DHCP in the Remove Server Roles window, then click Next (See Figure 3: Remove Roles).

Figure 3: Remove Roles

5. Click Remove to confirm the removal selection.

6. Click Close when the removal process is complete.

7. When prompted, restart the server (See Figure 4: Restart Prompt).

Figure 4: Restart Prompt

To confirm that the settings have been applied correctly, test the client machine to see what IP address it is assigned when the DHCP server is down. On client1 open Command Prompt and run ipconfig. Because server2 is no longer a DHCP server, the client machine will not be assigned an IP address. By default Windows will assign an Automatic Private IP Address (APIPA) when it cannot obtain network configurations from the server (Northrup, T. & Mackin, J.C., 2010, p.60). An APIPA address always starts with 169.X.X.X (See Figure 5: APIPA Address).

Figure 5: APIPA Address
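
The ipconfig checks in H.2 and H.3 can be scripted. The following PowerShell is an added example, not part of the original guide: it classifies a client's IPv4 configuration as a lease from server2, an APIPA fallback (the 169.254.0.0/16 block), or a lease handed out by a DHCP server other than the expected one. The scope range, the function names and the sample records are assumptions constructed for illustration.

```powershell
# Added example (not from the guide). Written for PowerShell 2.0 on Windows 7.
$ExpectedDhcpServer = '192.168.0.2'    # server2, as configured in the guide
$ScopeFirst = '192.168.0.100'          # ASSUMED placeholder: first address of your scope
$ScopeLast  = '192.168.0.200'          # ASSUMED placeholder: last address of your scope

function ConvertTo-UInt32([string]$Address) {
    # Dotted-quad string -> integer so that ranges compare numerically.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InRange([string]$Address, [string]$First, [string]$Last) {
    $n = ConvertTo-UInt32 $Address
    ($n -ge (ConvertTo-UInt32 $First)) -and ($n -le (ConvertTo-UInt32 $Last))
}

function Get-LeaseVerdict($Adapter) {
    # Expects the IPAddress, DHCPEnabled and DHCPServer properties of
    # Win32_NetworkAdapterConfiguration (or an object shaped like it).
    $ipv4 = @($Adapter.IPAddress | Where-Object { $_ -match '^\d+(\.\d+){3}$' })[0]
    if (-not $ipv4) { return 'NoIPv4Address' }
    # APIPA is the link-local block 169.254.0.0/16, used when no DHCP server answers.
    if (Test-InRange $ipv4 '169.254.0.0' '169.254.255.255') { return "APIPA ($ipv4): no DHCP server answered" }
    if (-not $Adapter.DHCPEnabled) { return "Static ($ipv4): adapter is not using DHCP" }
    if ($Adapter.DHCPServer -ne $ExpectedDhcpServer) { return "UnexpectedServer ($ipv4): lease came from $($Adapter.DHCPServer)" }
    if (-not (Test-InRange $ipv4 $ScopeFirst $ScopeLast)) { return "OutOfScope ($ipv4): outside $ScopeFirst-$ScopeLast" }
    "OK ($ipv4): leased by $ExpectedDhcpServer"
}

# Constructed sample records standing in for client1 in three situations.
$samples = @(
    (New-Object PSObject -Property @{ Case='H.2: server2 running';   IPAddress=@('192.168.0.101','fe80::1c2d'); DHCPEnabled=$true; DHCPServer='192.168.0.2' }),
    (New-Object PSObject -Property @{ Case='H.3: DHCP role removed'; IPAddress=@('169.254.17.42');  DHCPEnabled=$true; DHCPServer='255.255.255.255' }),
    (New-Object PSObject -Property @{ Case='other server answered';  IPAddress=@('192.168.0.150');  DHCPEnabled=$true; DHCPServer='192.168.0.77' })
)
foreach ($s in $samples) { '{0,-24} {1}' -f $s.Case, (Get-LeaseVerdict $s) }

# On a live client, feed it the real adapters instead:
# Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
#     ForEach-Object { Get-LeaseVerdict $_ }
```

An UnexpectedServer verdict means another device on the segment answered the DHCP request, which is worth investigating before trusting the client's gateway and DNS settings.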

I.1 Decommissioning a domain controller


Normally when a domain controller is still functioning and connected to the domain we can use dcpromo to decommission it from the domain. This offers a graphical user interface similar to the one used when setting up the domain controller. Once a domain controller has been decommissioned using this method, it is automatically connected as a workstation and is now a member server. If, however, a domain controller is unbootable or disconnected from the server, we need to delete it from the domain using an active domain controller on the domain (Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B., 2010, p.264).

1. Open Active Directory Users and Computers and choose Domain Controllers from the left-hand pane.

2. Right click on Server2 and choose Delete (See Figure 1: Deleting Domain Controller).

Figure 1: Deleting Domain Controller

3. Click Yes to confirm delete (See Figure 2: Confirm Delete).

Figure 2: Confirm Delete

4. In order for the domain controller to be deleted we must confirm that it is offline and choose Delete. Check the box and click Delete (See Figure 3: Confirm Offline).

Figure 3: Confirm Offline

5. A message box will appear stating that the domain controller is a global catalog. Click Yes to continue the deletion.

6. The server2 domain controller has now been deleted (See Figure 4: Server2 Deleted).

Figure 4: Server2 Deleted

As server2 is no longer bootable it is unlikely to be powered on again within the network. If, however, it were to start working again, the server should be forcibly removed so as to avoid domain conflicts. Open Command Prompt on Server2, type dcpromo /forceremoval and follow the steps in the wizard to remove the domain controller features from the server. Where possible, any machine whose primary DNS pointed to server2 should have this changed to server1.

References
Bott, E., Siechert, C. and Stinson, C. (2011). Windows 7 Inside Out Deluxe Edition. Washington: Microsoft Press

Desmond, B., Richards, J., Allen, R. and Lowe-Norris, A.G. (2009). Active Directory, Fourth Edition. USA: O'Reilly

Installing a server role on a server running a Server Core installation of Windows Server 2008 R2: Overview. (July 26th 2010). Retrieved June 12th, 2013, from http://technet.microsoft.com/en-us/library/ee441260%28v=ws.10%29.aspx

Lowe, D. (2011). Networking All-In-One for Dummies, Fourth Edition. NJ: Wiley

Minasi, M., Gibson, D., Finn, A., Henry, W. & Hynes, B. (2010). Mastering Windows Server 2008 R2. Indiana: Wiley Publishing

Morimoto, R., Noel, M., Droubi, O., Mistry, R. & Amaris, C. (2010). Windows Server 2008 R2 Unleashed. Indiana: Pearson

Northrup, T. & Mackin, J.C. (2010). Windows 7 Enterprise Desktop Support Technician: Self-Paced Training Kit. Washington: Microsoft Press

Tittel, E. & Korelc, J. (2008). Windows Server 2008 For Dummies. Indiana: Wiley Publishing