Core Network Guide

Microsoft Corporation Published: June, 2009 Authors: James McIllece and Brit Weston Editor: Allyson Adley

Abstract
The Windows Server 2008 R2 Core Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory domain in a new forest. Using this guide, you can deploy computers configured with the following Windows server components: The Active Directory Domain Services (AD DS) server role The Domain Name System (DNS) server role The Dynamic Host Configuration Protocol (DHCP) server role The Network Policy Server (NPS) role service of the Network Policy and Access Services server role The Windows Internet Name Service (WINS) feature TCP/IP connections on individual servers

This guide also serves as a foundation for companion guides that show you how to deploy additional technologies using Windows Server 2008 R2.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law. 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents
Core Network Guide.......................................................................................................................1 Abstract....................................................................................................................................1 Contents..........................................................................................................................................3 Windows Server 2008 R2 Core Network Guide..............................................................................6 About this guide...........................................................................................................................7 Network hardware requirements..............................................................................................7 What this guide does not provide................................................................................................7 Technology Overviews.................................................................................................................8 Active Directory Domain Services............................................................................................8 DNS..........................................................................................................................................8 DHCP.......................................................................................................................................8 WINS (optional)........................................................................................................................8 NPS (optional)..........................................................................................................................9 TCP/IP......................................................................................................................................9 Core Network Overview................................................................................................................10 Core Network Components........................................................................................................11 Router.................................................................................................................................12 Static TCP/IP configurations...............................................................................................12 Global catalog and DNS server...........................................................................................12 WINS server (optional)........................................................................................................12 DHCP server.......................................................................................................................12 NPS server (optional)..........................................................................................................12 Client computers.................................................................................................................12 Core Network Planning.................................................................................................................13 Planning subnets.......................................................................................................................13 Planning basic configuration of all servers.................................................................................14 Planning the Administrator account password........................................................................14 Planning naming conventions for computers and devices......................................................14 Planning static IP addresses..................................................................................................14 Planning the deployment of AD-DNS-01....................................................................................15 Planning the name of the forest root domain..........................................................................15 Planning the forest functional level.........................................................................................15 Planning DNS zones..............................................................................................................18 Planning domain access............................................................................................................18 Planning the deployment of WINS-01........................................................................................19 Planning the deployment of DHCP-01.......................................................................................19 Planning DHCP servers and DHCP forwarding......................................................................20

Planning IP address ranges...................................................................................................20 Planning subnet masks..........................................................................................................20 Planning exclusion ranges.....................................................................................................21 Planning TCP/IP static configuration......................................................................................22 Planning the deployment of NPS-01..........................................................................................23 Core Network Deployment............................................................................................................23 Configuring All Servers..................................................................................................................24 Create an Administrator Password................................................................................................24 Rename the Computer..................................................................................................................24 Procedures for renaming computers..........................................................................................24 Windows Server 2008 R2 and Windows 7.......................................................................25 Windows Server 2008 and Windows Vista......................................................................25 Windows Server 2003 and Windows XP.........................................................................26 Configure a Static IP Address.......................................................................................................26 Procedures for configuring static IP addresses..........................................................................26 Windows Server 2008 R2................................................................................................26 Windows Server 2008......................................................................................................27 Windows Server 2003......................................................................................................28 Deploying AD-DNS-01..................................................................................................................28 Administrative privileges............................................................................................................29 Domain user accounts vs. user accounts on the local computer............................................29 Install AD DS and DNS for a New Forest......................................................................................29 Create a User Account in Active Directory Users and Computers.................................................31 Add a Group..................................................................................................................................32 Assign Group Membership............................................................................................................32 Configure a DNS Reverse Lookup Zone.......................................................................................33 Joining Computers to the Domain and Logging On......................................................................34 Join the Computer to the Domain.................................................................................................35 Procedures for joining computers to the domain.......................................................................35 Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)...35 Windows Server 2008 and Windows Vista......................................................................36 Windows Server 2003 and Windows XP.........................................................................37 Log on to the Domain....................................................................................................................37 Procedures to log on to the domain...........................................................................................37 Windows Server 2008 R2 and Windows 7.......................................................................38

Windows Server 2008 and Windows Vista......................................................................38 Windows Server 2003 and Windows XP.........................................................................38 Deploying WINS-01 (optional).......................................................................................................39 Install Windows Internet Name Service (WINS)............................................................................39 Deploying DHCP-01......................................................................................................................40 DHCP installation suggestions...................................................................................................40 Deploying DHCP.......................................................................................................................40 Install Dynamic Host Configuration Protocol (DHCP)...................................................................41 Create an Exclusion Range in DHCP...........................................................................................43 Authorize a DHCP Server in Active Directory Domain Services....................................................43 Activate a DHCP Scope................................................................................................................44 Create a New DHCP Scope..........................................................................................................44 Deploying NPS-01 (optional).........................................................................................................46 Install Network Policy Server (NPS)..............................................................................................46 Register the NPS Server in the Default Domain...........................................................................47 Additional Technical Resources....................................................................................................47 Appendix A....................................................................................................................................48 Core Network Planning Preparation Sheet................................................................................48 Installing Active Directory Domain Services and DNS............................................................48 Pre-installation configuration items for AD DS and DNS..................................................48 AD DS and DNS installation configuration items.............................................................49 Configuring a DNS Reverse Lookup Zone..........................................................................50 Installing Windows Internet Name Service (optional).............................................................50 Pre-installation configuration items..................................................................................51 WINS installation configuration items..............................................................................51 Installing DHCP......................................................................................................................51 Pre-installation configuration items for DHCP..................................................................51 DHCP installation configuration items..............................................................................52 Creating an exclusion range in DHCP................................................................................53 Creating a new DHCP scope..............................................................................................53 Installing Network Policy Server (optional).............................................................................54 Pre-installation configuration items..................................................................................54 Network Policy Server installation configuration items.....................................................55

Windows Server 2008 R2 Core Network Guide

A core network is a collection of network hardware, devices, and software that provides the fundamental services for your organization's information technology (IT) needs. A Windows Server core network provides you with many benefits, including the following. Core protocols for network connectivity between computers and other Transmission Control Protocol/Internet Protocol (TCP/IP) compatible devices. TCP/IP is a suite of standard protocols for connecting computers and building networks. TCP/IP is network protocol software provided with Microsoft Windows operating systems that implements and supports the TCP/IP protocol suite. Automatic IP addressing with Dynamic Host Configuration Protocol (DHCP). Manual configuration of IP addresses on all computers on your network is time-consuming and less flexible than dynamically providing computers and other devices with IP address leases from a DHCP server. Name resolution services, such as Domain Name System (DNS) and Windows Internet Name Service (WINS). DNS and WINS allow users, computers, applications, and services to find the IP addresses of computers and devices on the network using the network basic input/output system (NetBIOS) name or Fully Qualified Domain Name of the computer or device. A forest, which is one or more Active Directory domains that share the same class and attribute definitions (schema), site and replication information (configuration), and forest-wide search capabilities (global catalog). A forest root domain, which is the first domain created in a new forest. The Enterprise Admins and Schema Admins groups, which are forest-wide administrative groups, are located in the forest root domain. In addition, a forest root domain, as with other domains, is a collection of computer, user, and group objects that are defined by the administrator in Active Directory Domain Services (AD DS). These objects share a common directory database and security policies. They can also share security relationships with other domains if you add domains as your organization grows. The directory service also stores directory data and allows authorized computers, applications, and users to access the data. A user and computer account database. The directory service provides a centralized user accounts database that allows you to create user and computer accounts for people and computers that are authorized to connect to your network and access network resources, such as applications, databases, shared files and folders, and printers. A core network also allows you to scale your network as your organization grows and IT requirements change. For example, with a core network you can add domains, IP subnets, remote access services, wireless services, and other features and server roles provided by Windows Server 2008 R2. 6

About this guide

This guide is designed for network and system administrators who are installing a new network or who want to create a domain-based network to replace a network that consists of workgroups. The deployment scenario provided in this guide is particularly useful if you foresee the need to add more services and features to your network in the future. It is recommended that you review design and deployment guides for each of the technologies used in this deployment scenario to assist you in determining whether this guide provides the services and configuration that you need.

Network hardware requirements

To successfully deploy a core network, you must deploy network hardware, including the following: Ethernet, Fast Ethernet, or Gigabyte Ethernet cabling A hub, Layer 2 or 3 switch, router, or other device that performs the function of relaying network traffic between computers and devices. Computers that meet the minimum hardware requirements for their respective client and server operating systems. Note This guide depicts the use of four server computers. In some cases, such as on small networks, you can use fewer servers. For example, you can install DHCP and WINS on the same server rather than on separate servers.

What this guide does not provide

This guide does not provide instructions for deploying the following: Network hardware, such as cabling, routers, switches, and hubs Additional network resources, such as printers and file servers Internet connectivity Remote access Wireless access Client computer deployment

Note Client computers running Windows 7, Windows Vista and Windows XP are configured by default to receive IP address leases from the DHCP server. Therefore, no additional DHCP or Internet Protocol version 4 (IPv4) configuration of client computers is required.

Technology Overviews
The following sections provide brief overviews of the required and optional technologies used to create a core network.

Active Directory Domain Services

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as AD DS, provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

DNS
DNS is a name resolution protocol for TCP/IP networks, such as the Internet or an organization network. A DNS server hosts the information that enables client computers to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

DHCP
DHCP is an IP standard for simplifying management of host IP configuration. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your network. Every computer on a TCP/IP network must have a unique IP address. The IP address (together with its related subnet mask) identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you use a DHCP server to dynamically assign an IP address to a computer or other device on your local network. For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work involved in reconfiguring computers.

WINS (optional)
While DNS is a required component of a core network, WINS is optional because, like DNS, it is a naming service. In some cases, you might not need both DNS and WINS, but older operating systems and applications might require WINS. For medium to small networks, WINS is extremely easy to install and manage, and it is not resource-intensive. If you are in doubt about whether you need WINS, you can test your network functionality without it and install it if needed. WINS provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and was designed to solve the problems arising from NetBIOS name resolution in routed environments. WINS is the best choice for NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP. 8

NetBIOS names are used by earlier versions of Windows operating systems to identify and locate computers and other shared or grouped resources required to register or resolve names for use on the network. NetBIOS names are a requirement for establishing networking services in earlier versions of Windows operating systems. Although the NetBIOS naming protocol can be used with network protocols other than TCP/IP (such as NetBEUI or IPX/SPX), WINS was designed specifically to support NetBIOS over TCP/IP (NetBT). WINS simplifies the management of the NetBIOS namespace in TCP/IP-based networks.

NPS (optional)
Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three features: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is an optional component of a core network, but you should install NPS if any of the following are true: You are planning to expand your network to include remote access servers that are compatible with the RADIUS protocol, such as a computer running Windows Server 2008 R2 or Windows Server 2008 and Routing and Remote Access service, Terminal Services Gateway, or Remote Desktop Gateway. You plan to deploy NAP. You plan to deploy 802.1X wired or wireless access.

TCP/IP
TCP/IP in Windows Server 2008 is the following: Networking software based on industry-standard networking protocols. A routable, enterprise networking protocol that supports the connection of your Windowsbased computer to both local area network (LAN) and wide area network (WAN) environments. Core technologies and utilities for connecting your Windows-based computer with dissimilar systems for the purpose of sharing information. A foundation for gaining access to global Internet services, such as the World Wide Web and File Transfer Protocol (FTP) servers. A robust, scalable, cross-platform, client/server framework. TCP/IP provides basic TCP/IP utilities that enable Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems, including: Windows Server 2008 R2 Windows 7 Windows Server 2008 Windows Vista 9

Windows Server 2003 operating systems Windows XP Internet hosts Apple Macintosh systems IBM mainframes UNIX systems Open VMS systems Network-ready printers, such as HP LaserJet series printers that use HP JetDirect cards

Core Network Overview

The following illustration shows the Windows Server Core Network topology.

10

Core Network Components

Following are the components of a core network.

11

Router
This deployment guide provides instructions for deploying a core network with two subnets separated by a router that has DHCP forwarding enabled. You can, however, deploy a Layer 2 switch, a Layer 3 switch, or a hub, depending on your requirements and resources. If you deploy a switch, the switch must be capable of DHCP forwarding or you must place a DHCP server on each subnet. If you deploy a hub, you are deploying a single subnet and do not need DHCP forwarding or a second scope on your DHCP server.

Static TCP/IP configurations

All of the servers in this deployment are configured with static IPv4 addresses. Client computers are configured by default to receive IP address leases from the DHCP server.

Global catalog and DNS server

Both Active Directory Domain Services (AD DS) and Domain Name System (DNS) are installed on this server, providing directory and name resolution services to all computers and devices on the network.

WINS server (optional)

Installing Windows Internet Name Service (WINS) on your core network is optional. It is often difficult to determine whether applications and services require WINS for name resolution. In some cases, you might need WINS; in other cases, DNS might be the only name resolution service that you need on your network. Because WINS is low maintenance and is not processoruse intensive for medium and small networks, you can install WINS on the DHCP server in the event that applications or services need the service.

DHCP server
The Dynamic Host Configuration Protocol (DHCP) server is configured with a scope that provides Internet Protocol (IP) address leases to computers on the local subnet. The DHCP server can also be configured with additional scopes to provide IP address leases to computers on other subnets if DHCP forwarding is configured on routers.

NPS server (optional)

The Network Policy Server (NPS) server is installed as a preparatory step for deploying other network access technologies, such as virtual private network (VPN) servers, wireless access points, and 802.1X authenticating switches. In addition, installing NPS prepares your network for the deployment of Network Access Protection (NAP).

Client computers
Client computers running Windows 7, Windows Vista, and Windows XP are configured by default as DHCP clients, which obtain IP addresses and DHCP options automatically from the DHCP server. 12

Core Network Planning

Before you deploy a core network, you must plan the following items. Planning subnets Planning basic configuration of all servers Planning the deployment of AD-DNS-01 Planning domain access Planning the deployment of WINS-01 Planning the deployment of DHCP-01 Planning the deployment of NPS-01

The following sections provide more detail on each of these items.

Planning subnets
In Transmission Control Protocol/Internet Protocol (TCP/IP) networking, routers are used to interconnect the hardware and software used on different physical network segments called subnets. Routers are also used to forward IP packets between each of the subnets. Determine the physical layout of your network, including the number of routers and subnets you need, before proceeding with the instructions in this guide. In addition, to configure the servers on your network with static IP addresses, you must determine the IP address range that you want to use for the subnet where your core network servers are located. In this guide, the private IP address range 192.168.0.1 - 192.168.0.254 is used as an example, but you can use any private IP address range. The following recognized private IP address ranges are specified by Internet Request for Comments (RFC) 1918: 10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.255.255

When you use the private IP address ranges as specified in RFC 1918, you cannot connect directly to the Internet using a private IP address because requests going to or from these addresses are automatically discarded by Internet service provider (ISP) routers. To add Internet connectivity to your core network later, you must contract with an ISP to obtain a public IP address. Important When using private IP addresses, you must use some type of proxy or network address translation (NAT) server to convert the private IP address ranges on your local network to a public IP address that can be routed. For more information, see Planning the deployment of DHCP-01.

13

Planning basic configuration of all servers

For each server in the core network, you must change the password for the Administrator account on the local computer, rename the computer, and assign and configure a static IP address for the local computer.

Planning the Administrator account password

For security reasons, it is important to create a password for the Administrator account and to use a strong password. In addition, it is recommended that you use a different Administrator account password for each server on your network. The following is an example of a strong password.
Configuration item: Example value:

Administrator password

Example: J*p2leO4$F Note Strong passwords contain a minimum of 7 characters that consist of each of the following: uppercase letters (A, B, C, lowercase letters (d, e, f), numerals (0, 1, 2, 3), and keyboard symbols (' ~ ! @ # $ % | /).

Planning naming conventions for computers and devices

For consistency across your network, it is generally a good idea to use consistent names for servers, printers, and other devices. Computer names can be used to help users and administrators easily identify the purpose and location of the server, printer, or other device. For example, if you have three DNS servers, one in San Francisco, one in Los Angeles, and one in Chicago, you might use the naming convention server function-location-number: DNS-SF-01. This name represents the DNS server in San Francisco. If additional DNS servers are added in San Francisco, the numeric value in the name can be incremented, as in DNS-SF-02 and DNS-SF-03. DNS-LA-01. This name represents the DNS server in Los Angeles. DNS-CH-01. This name represents the DNS server in Chicago.

Choose a naming convention before you install your core network using this guide.

Planning static IP addresses

Before configuring each computer with a static IP address, you must plan your subnets and IP address ranges. In addition, you must determine the IP addresses of your DNS and WINS servers. If you plan to install a router that provides access to other networks, such as additional 14

subnets or the Internet, you must know the IP address of the router, also called a default gateway, for static IP address configuration. The following table provides example values for static IP address configuration.
Configuration items: Example values:

IP address Subnet mask Default gateway Preferred DNS server Alternate DNS server Preferred WINS server Alternate WINS server

192.168.0.3 255.255.255.0 192.168.0.10 192.168.0.1 192.168.0.7 192.168.0.2 192.168.0.8

For more information, see Planning the deployment of DHCP-01.

Planning the deployment of AD-DNS-01

Following are key planning steps before installing Active Directory Domain Services (AD DS) and DNS on AD-DNS-01.

Planning the name of the forest root domain

A first step in the AD DS design process is to determine how many forests your organization requires. A forest is the top-level AD DS container, and consists of one or more domains that share a common schema and global catalog. An organization can have multiple forests, but for most organizations, a single forest design is the preferred model and the simplest to administer. When you create the first domain controller in your organization, you are creating the first domain (also called the forest root domain) and the first forest. Before you take this action using this guide, however, you must determine the best domain name for your organization. In most cases, the organization name is used as the domain name, and in many cases this domain name is registered. If you are planning to deploy Web servers for your customers or partners, choose a domain name and ensure that the domain name is not already in use.

Planning the forest functional level

While installing AD DS, you must choose the forest functional level that you want to use. Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to enable domain- or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available, depending on your environment. 15

Forest functionality enables features across all the domains in your forest. The following forest functional levels are available: Windows 2000. This forest functional level supports Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers. Windows Server 2003. This forest functional level supports only Windows Server 2003 domain controllers and domain controllers that are running later versions of the Windows Server operating system. Windows Server 2008. This forest functional level supports only domain controllers that are running Windows Server 2008 and later versions of the Windows Server operating system. Windows Server 2008 R2. This forest functional level supports Windows Server 2008 R2 domain controllers and domain controllers that are running later versions of the Windows Server operating system. If you are deploying a new domain in a new forest and all of your domain controllers will be running Windows Server 2008 R2, it is recommended that you configure AD DS with the Windows Server 2008 R2 forest functional level during AD DS installation. Important After the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. For example, if you raise the forest functional level to Windows Server 2008 R2, domain controllers running Windows Server 2003 or Windows Server 2008 cannot be added to the forest. Example configuration items for AD DS are provided in the following table.
Configuration items: Example values:

Full DNS name

Examples: example.com corp.example.com Windows Server 2003 Windows Server 2008 Windows Server 2008 R2

Forest functional level: Windows 2000 The Windows 2000 forest functional level provides all AD DS features that are available in Windows 2000 Server. If you have domain controllers running later versions of the Windows Server operating system, some advanced features will not be available on those domain controllers while this forest is at the Windows 2000 functional level. Windows Server 2003 The Windows Server 2003 forest functional level provides all features that are available in

16

Configuration items:

Example values:

Windows 2000 forest functional level, and the following additional features: Linked-value replication, which improves the replication of changes to group memberships. More efficient generation of complex replication topologies by the Knowledge Consistency Checker (KCC). Forest trust, which allows organizations to easily share internal resources across multiple forests. Any new domains that are created in this forest will automatically operate at the Windows Server 2003 domain functional level. Windows Server 2008 This forest functional level does not provide any new features over the Windows Server 2003 forest functional level. However, it ensures that any new domains created in this forest will automatically operate at the Windows Server 2008 domain functional level, which does provide unique features. Windows Server 2008 R2 The Windows Server 2008 R2 forest functional level provides all features that are available in the Windows Server 2008 forest functional level, and the following additional feature: Recycle Bin. When enabled, Recycle Bin provides the ability to restore deleted objects in their entirety while Active Directory Domain Services is running. Any new domains that are created in this forest will operate by default at the Windows Server 2008 R2 domain functional level. Active Directory Domain Services Database folder location Active Directory Domain Services Log files folder location Active Directory Domain Services SYSVOL E:\Configuration\ Or accept the default location. E:\Configuration\ Or accept the default location. E:\Configuration\ 17

Configuration items:

Example values:

folder location Or accept the default location Directory Restore Mode Administrator Password Answer file name (optional) J*p2leO4$F AD DS_AnswerFile

Planning DNS zones

In DNS, a forward lookup zone is created by default during installation. A forward lookup zone allows computers and devices to query for another computer's or device's IP address based on its DNS name. In addition to a forward lookup zone, it is recommended that you create a DNS reverse lookup zone. With a DNS reverse lookup query, a computer or device can discover the name of another computer or device using its IP address. Deploying a reverse lookup zone typically improves DNS performance and greatly increases the success of DNS queries. When you create a reverse lookup zone, the in-addr.arpa domain, which was defined in the DNS standards and reserved in the Internet DNS namespace to provide a practical and reliable way to perform reverse queries, is installed in DNS. To create the reverse namespace, subdomains within the in-addr.arpa domain are formed, using the reverse ordering of the numbers in the dotted-decimal notation of IP addresses. The in-addr.arpa domain applies to all TCP/IP networks that are based on Internet Protocol version 4 (IPv4) addressing. The New Zone Wizard automatically assumes that you are using this domain when you create a new reverse lookup zone. While you are running the New Zone Wizard, the following selections are recommended:
Configuration Items Example values

Zone type Active Directory Zone Replication Scope First Reverse Lookup Zone Name wizard page Second Reverse Lookup Zone Name wizard page Dynamic Updates

Primary zone, and Store the zone in Active Directory is selected To all DNS servers in this domain IPv4 Reverse Lookup Zone Network ID = 192.168.0. Allow only secure dynamic updates

Planning domain access

To log onto the domain, the computer must be a domain member computer and the user account must be created in AD DS before the logon attempt. 18

Note You cannot log on to the domain with a user account that is located in the Security Accounts Manager (SAM) user accounts database on the local computer. After the first successful logon with domain logon credentials, the logon settings persist unless the computer is removed from the domain or the logon settings are manually changed. Before you log on to the domain: Create user accounts in Active Directory Users and Computers. Each user must have an Active Directory Domain Services user account in Active Directory Users and Computers. For more information, see Create a User Account in Active Directory Users and Computers. Ensure IP address configuration. To join a computer to the domain, the computer must have an IP address. In this guide, servers are configured with static IP addresses and client computers receive IP address leases from the DHCP server. For this reason, the DHCP server must be deployed before you join clients to the domain. For more information, see Deploying DHCP-01. Join the computer to the domain. Any computer that provides or accesses network resources must be joined to the domain. For more information, see Join the Computer to the Domain.

Planning the deployment of WINS-01

If you determine that you need to deploy WINS as well as DNS on your network, you must plan how many WINS servers to deploy. On smaller networks, a single WINS server can adequately service up to 10,000 clients for NetBIOS name resolution requests. To provide additional fault tolerance, you can configure a second computer running Windows Server 2008 R2 or Windows Server 2008 as a secondary, or backup, WINS server for clients. If you use only two WINS servers, you can easily configure them as replication partners. For simple replication between two servers, one server should be set as a pull partner and the other as a push partner. Replication can be either manual or automatic. Large networks sometimes require more WINS servers for several reasons including, most importantly, the number of client connections per server. The number of users that each WINS server can support varies with usage patterns, data storage, and the processing capabilities of the WINS server computer. When planning your servers, remember that each WINS server can simultaneously handle hundreds of registrations and queries per second.

Planning the deployment of DHCP-01

Following are key planning steps before installing the DHCP server role on DHCP-01.

19

Planning DHCP servers and DHCP forwarding

Because DHCP messages are broadcast messages, they are not forwarded between subnets by routers. If you have multiple subnets and want to provide DHCP service for each subnet, you must do one of the following: Install a DHCP server on each subnet Configure routers to forward DHCP broadcast messages across subnets and configure multiple scopes on the DHCP server, one scope per subnet. In most cases, configuring routers to forward DHCP broadcast messages is more cost effective than deploying a DHCP server on each physical segment of the network.

Planning IP address ranges

Each subnet must have its own unique IP address range. These ranges are represented on a DHCP server with scopes. A scope is an administrative grouping of IP addresses for computers on a subnet that use the DHCP service. The administrator first creates a scope for each physical subnet and then uses the scope to define the parameters used by clients. A scope has the following properties: A range of IP addresses from which to include or exclude addresses used for DHCP service lease offerings. A subnet mask, which determines the subnet for a given IP address. A scope name assigned when it is created.

Lease duration values, which are assigned to DHCP clients that receive dynamically allocated IP addresses. Any DHCP scope options configured for assignment to DHCP clients, such as DNS server IP address, router/default gateway IP address, and WINS server IP address. Reservations are optionally used to ensure that a DHCP client always receives the same IP address. Before deploying your servers, list your subnets and the IP address range you want to use for each subnet.

Planning subnet masks

Network IDs and host IDs within an IP address are distinguished by using a subnet mask. Each subnet mask is a 32-bit number that uses consecutive bit groups of all ones (1) to identify the network ID and all zeroes (0) to identify the host ID portions of an IP address. For example, the subnet mask normally used with the IP address 131.107.16.200 is the following 32-bit binary number:
11111111 11111111 00000000 00000000

20

This subnet mask number is 16 one-bits followed by 16 zero-bits, indicating that the network ID and host ID sections of this IP address are both 16 bits in length. Normally, this subnet mask is displayed in dotted decimal notation as 255.255.0.0. The following table displays subnet masks for the Internet address classes.
Address class Bits for subnet mask Subnet mask

Class A Class B Class C

11111111 00000000 00000000 00000000 11111111 11111111 00000000 00000000 11111111 11111111 11111111 00000000

255.0.0.0 255.255.0.0 255.255.255.0

When you create a scope in DHCP and you enter the IP address range for the scope, DHCP provides these default subnet mask values. Typically, default subnet mask values (as shown in the preceding table) are acceptable for most networks with no special requirements and where each IP network segment corresponds to a single physical network. In some cases, you can use customized subnet masks to implement IP subnetting. With IP subnetting, you can subdivide the default host ID portion of an IP address to specify subnets, which are subdivisions of the original class-based network ID. By customizing the subnet mask length, you can reduce the number of bits that are used for the actual host ID. To prevent addressing and routing problems, you should make sure that all TCP/IP computers on a network segment use the same subnet mask and that each computer or device has an unique IP address.

Planning exclusion ranges

You can exclude IP addresses from distribution by the DHCP server by creating an exclusion range for each scope. You should use exclusions for all devices that are configured with a static IP address. The excluded addresses should include all IP addresses that you assigned manually to other servers, non-DHCP clients, diskless workstations, or Routing and Remote Access and PPP clients. It is recommended that you configure your exclusion range with extra addresses to accommodate future network growth. The following table provides an example exclusion range for a scope with an IP address range of 192.168.0.1 - 192.168.0.254.
Configuration items: Example values:

Exclusion range Start IP Address Exclusion range End IP Address

192.168.0.1 192.168.0.15 21

Planning TCP/IP static configuration

Certain devices, such as routers, DHCP servers, and DNS servers, must be configured with a static IP address. In addition, you might have additional devices, such as printers, that you want to ensure always have the same IP address. List the devices that you want to configure statically for each subnet, and then plan the exclusion range you want to use on the DHCP server to ensure that the DHCP server does not lease the IP address of a statically configured device. An exclusion range is a limited sequence of IP addresses within a scope, excluded from DHCP service offerings. Exclusion ranges assure that any addresses in these ranges are not offered by the server to DHCP clients on your network. For example, if the IP address range for a subnet is 192.168.0.1 through 192.168.0.254 and you have ten devices that you want to configure with a static IP address, you can create an exclusion range for the 192.168.0.x scope that includes ten or more IP addresses: 192.168.0.1 through 192.168.0.15. In this example, you use ten of the excluded IP addresses to configure servers and other devices with static IP addresses and five additional IP addresses are left available for static configuration of new devices that you might want to add in the future. With this exclusion range, the DHCP server is left with an address pool of 192.168.0.16 through 192.168.0.254. Additional example configuration items for AD DS and DNS are provided in the following table.
Configuration items: Example values:

Network Connect Bindings DNS Server Settings Preferred DNS server IP address Alternate DNS server IP Address WINS Server Settings, specify the IP address of your preferred WINS server, only if WINS is deployed on the network. Alternate WINS server IP Address Note Specify the IP address of your alternate WINS server only if an alternate WINS server is deployed on the network. Add Scope dialog box values: Scope Name: Starting IP Address Ending IP Address: Subnet Mask Default Gateway (optional)

Local Area Connection 2 AD-DNS-01 192.168.0.1 192.168.0.6 192.168.0.2

192.168.0.12

Primary Subnet 192.168.0.1 192.168.0.254 255.255.255.0 192.168.0.11 Wired (Lease duration will be 6 days) 22

Configuration items:

Example values:

Subnet Type Not enabled

IPv6 DHCP Server Operation Mode

Planning the deployment of NPS-01

If you intend to deploy network access servers, such as wireless access points or VPN servers, after deploying your core network, it is recommended that you deploy NPS. When you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server, NPS performs authentication and authorization for connection requests through your network access servers. NPS also allows you to centrally configure and manage network policies that determine who can access the network, how they can access the network, and when they can access the network. Following are key planning steps before installing NPS. Plan the user accounts database. By default, if you join the server running NPS to an Active Directory domain, NPS performs authentication and authorization using the AD DS user accounts database. In some cases, such as with large networks that use NPS as a RADIUS proxy to forward connection requests to other RADIUS servers, you might want to install NPS on a non-domain member computer. Plan the use of Network Access Protection (NAP). With some NAP enforcement methods, it is required that you install NPS on a specific server. For example, if you deploy NAP with DHCP, NPS must be installed on the DHCP server. Plan RADIUS accounting. NPS allows you to log accounting data to a SQL Server database or to a text file on the local computer. If you want to use SQL Server logging, plan the installation and configuration of your server running SQL Server.

Core Network Deployment

To deploy a foundation network, the basic steps are as follows: 1. Configuring All Servers 2. Deploying AD-DNS-01 3. Joining Computers to the Domain and Logging On 4. Deploying WINS-01 (optional) 5. Deploying DHCP-01 6. Deploying NPS-01 (optional) Note The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog 23

box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

Configuring All Servers

Before installing other technologies, such as DHCP or WINS, it is important to configure the following items. Create an Administrator Password Rename the Computer Configure a Static IP Address

You can use the following sections to perform these actions for each server.

Create an Administrator Password

You can use this procedure to create an administrator password after you have installed Windows Server 2008 R2.

1. On the Windows start page, beneath the text The users password must be changed before logging on the first time, click OK. 2. The Administrator credentials page opens. In New password, type a password. In Confirm password, retype the password. 3. If you want to create a password reset disk, click Create a password reset disk and follow the instructions. 4. In the Administrator credentials page, click the blue arrow. 5. A message that states Your password has been changed appears. Click OK.

Rename the Computer

You can use the procedures in this topic to provide computers running Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP with a different computer name.

Procedures for renaming computers

This topic provides procedures to rename computers running the following operating systems: Windows Server 2008 R2 and Windows 7 24

Windows Server 2008 and Windows Vista Windows Server 2003 and Windows XP

Windows Server 2008 R2 and Windows 7 Membership in Administrators, or equivalent, is the minimum required to perform these procedures. To rename computers running Windows Server 2008 R2 and Windows 7 1. Click Start, right-click Computer, and then click Properties. The System dialog box opens. 2. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens. Note On computers running Windows 7, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed. 3. Click Change. The Computer Name/Domain Changes dialog box opens. 4. In Computer Name, type the name for your computer. For example, if you want to name the computer AD-DNS-01, type AD-DNS-01. 5. Click OK twice, click Close, and then click Restart Now to restart the computer. Windows Server 2008 and Windows Vista Membership in Administrators, or equivalent, is the minimum required to perform these procedures. To rename computers running Windows Server 2008 and Windows Vista 1. Click Start, right-click Computer, and then click Properties. The System dialog box opens. 2. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens. Note On computers running Windows Vista, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed. 3. Click Change. The Computer Name/Domain Changes dialog box opens. 4. In Computer Name, type the name for your computer. For example, if you want to name the computer AD-DNS-01, type AD-DNS-01. 5. Click OK twice, click Close, and then click Restart Now to restart the computer.

25

Windows Server 2003 and Windows XP Membership in Administrators, or equivalent, is the minimum required to perform these procedures. To rename computers running Windows Server 2003 and Windows XP 1. Click Start, right-click My Computer, and then click Properties. The System Properties dialog box opens. 2. Click Computer Name, and then click Change. The Computer Name Changes dialog box opens. 3. In Computer name, type the name for your computer. For example, if you want the computer named Client-01, type Client-01. 4. Click OK. The System Setting Changes dialog box opens, indicating that you must restart the computer before the changes take effect. 5. Click OK, click OK again to close the dialog box, and then click Yes to restart the computer.

Configure a Static IP Address

You can use the procedures in this topic to configure the Internet Protocol version 4 (IPv4) properties of a network connection with a static IP address for computers running Windows Server 2008, or for computers running Windows Server 2003.

Procedures for configuring static IP addresses

This topic provides procedures for configuring static IP addresses on computers running the following operating systems: Windows Server 2008 R2 Windows Server 2008 Windows Server 2003

Windows Server 2008 R2 Membership in Administrators, or equivalent, is the minimum required to perform these procedures. To configure a static IP address on a computer running Windows Server 2008 R2 1. Click Start, and then click Control Panel. 2. In Control Panel, click Network and Internet. Network and Internet opens. In Network and Internet, click Network and Sharing Center. Network and Sharing Center opens. 26

3. In Network and Sharing Center, click Change adapter settings. Network Connections opens. 4. In Network Connections, right-click the network connection that you want to configure, and then click Properties. 5. In Local Area Connection Properties, in This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens. 6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use. 7. Press tab to place the cursor in Subnet mask. A default value for subnet mask is entered automatically. Either accept the default subnet mask, or type the subnet mask that you want to use. 8. In Default gateway, type the IP address of your default gateway. 9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer. 10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer. 11. Click OK, and then click Close. Windows Server 2008 Membership in Administrators, or equivalent, is the minimum required to perform these procedures. To configure a static IP address on a computer running Windows Server 2008 1. Click Start, and then click Control Panel. 2. In Control Panel, verify that Classic View is selected, and then double-click Network and Sharing Center. 3. In Network and Sharing Center, in Tasks, click Manage Network Connections. 4. In Network Connections, right-click the network connection that you want to configure, and then click Properties. 5. In Local Area Connection Properties, in This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens. 6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use. 7. Press tab to place the cursor in Subnet mask. A default value for subnet mask is entered automatically. Either accept the default subnet mask, or type the subnet mask that you want to use. 27

8. In Default gateway, type the IP address of your default gateway. 9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer. 10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer. 11. Click OK, and then click Close. Windows Server 2003 Membership in Administrators, or equivalent, is the minimum required to perform these procedures. To configure a static IP address on a computer running Windows Server 2003 1. Click Start, click Control Panel, right-click Network Connections, and then click Open. 2. In Network Connections, right-click the network connection that you want to configure, and then click Properties. 3. In Local Area Connection Properties, in This Connection uses the following Items, select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol (TCP) Properties dialog box opens. 4. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use. 5. In Subnet mask, either accept the default subnet mask, or type the subnet mask that you want to use. 6. In Default gateway, type the IP address of your default gateway. 7. In Preferred DNS server, type the IP address of your DNS server. 8. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. 9. Click OK, and then click Close.

Deploying AD-DNS-01
To deploy AD-DNS-01, which is the computer running Active Directory Domain Services (AD DS) and DNS, you must complete these steps in the following order: Perform the steps in the section Configuring All Servers. Install AD DS and DNS for a New Forest Create a User Account in Active Directory Users and Computers Add a Group 28

Assign Group Membership Configure a DNS Reverse Lookup Zone

Administrative privileges
If you are installing a small network and are the only administrator for the network, it is recommended that you create a user account for yourself, and then add your user account as a member of both Enterprise Admins and Domain Admins. Doing so will make it easier for you to act as the administrator for all network resources. It is also recommended that you log on with this account only when you need to perform administrative tasks, and that you create a separate user account for performing non-IT related tasks. If you have a larger organization with multiple administrators, refer to AD DS documentation to determine the best group membership for organization employees.

Domain user accounts vs. user accounts on the local computer

One of the advantages of a domain-based infrastructure is that you do not need to create user accounts on each computer in the domain. This is true whether the computer is a client computer or a server. Because of this, you should not create user accounts on each computer in the domain. Create all user accounts in Active Directory Users and Computers and use the preceding procedures to assign group membership. By default, all user accounts are members of the Domain Users group. After you have joined a computer to the domain, members of the Domain Users group can log on to any domain member client computer. Note Members of the Domain Users group cannot log on to computers running Windows Server 2008. You can configure user accounts to designate the days and times that the user is allowed to log on to the computer. You can also designate which computers each user is allowed to use. To configure these settings, open Active Directory Users and Computers, locate the user account that you want to configure, and double-click the account. In the user account Properties, click the Account tab, and then click either Logon Hours or Log On To.

Install AD DS and DNS for a New Forest

You can use this procedure to install Active Directory Domain Services (AD DS) and DNS and to create a new domain in a new forest. Membership in Administrators is the minimum required to perform this procedure.

29

To install Active Directory Domain Services and DNS 1. Do one of the following: In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens. Click Start, click Administrative Tools, and then click Server Manager. In Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens. 2. In Before You Begin, click Next. Note The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run. 3. In Select Server Roles, in Roles, select Active Directory Domain Services. An Add Roles Wizard message opens that states You cannot install Active Directory Domain Services unless the required features are also installed. Click Add Required Features, and then, in the Add Roles Wizard, click Next. 4. In Active Directory Domain Services, review the information and then click Next. 5. In Confirm Installation Selections, review the information, and then click Install. The Installation Progress page opens during installation. 6. When installation is complete, in Installation Results, review the information, and then click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe). The Add Roles Wizard closes and the Active Directory Domain Services Installation Wizard opens. Click Next. 7. In Operating System Compatibility, review the information, and then click Next. 8. In Choose a Deployment Configuration, select Create a new domain in a new forest. Click Next. 9. In Name the Forest Root Domain, in FQDN of the forest root domain, type the fully qualified domain name for your domain. For example, if your FQDN is example.com, type example.com. Click Next. 10. In Set Forest Functional Level, select the forest functional level that you want to use, and then click Next. 11. In Additional Domain Controller Options, in Select additional options for this domain controller, verify that DNS server is selected, and then click Next. The Active Directory Domain Services Installation Wizard warning dialog box opens. 12. The warning dialog box informs you that you can create a delegation to this DNS server manually in the parent zone. Click Yes to continue Active Directory Domain Services installation. 13. In Location for Database, Log Files, and SYSVOL, do one of the following: Accept the default values. Type folder locations that you want to use for Database folder, Log files folder, 30

and SYSVOL folder. 14. Click Next. 15. In Directory Services Restore Mode Administrator Password, in Password, type a password. In Confirm password, retype the password, and then click Next. 16. In Summary, review your selections. 17. If you want to export settings to an answer file, click Export settings, and specify a name for the answer file. Click Next. The Active Directory Domain Services Installation Wizard opens and installs Active Directory Domain Services. 18. In Completing the Active Directory Domain Services Installation Wizard, click Finish, and then click Restart Now.

Create a User Account in Active Directory Users and Computers

You can use this procedure to create a new domain user account in Active Directory Users and Computers Microsoft Management Console (MMC). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure. To create a user account 1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com. 2. In the details pane, right-click the folder in which you want to add a user account. Where? Active Directory Users and Computers/domain node/folder 3. Point to New, and then click User. 4. In First name, type the user's first name. 5. In Initials, type the user's initials. 6. In Last name, type the user's last name. 7. Modify Full name to add initials or reverse the order of first and last names. 8. In User logon name, type the user logon name. Click Next. 9. In New Object - User, in Password and Confirm password, type the user's password, and then select the appropriate password options. 10. Click Next, review the new user account settings, and then click Finish. 31

Add a Group
You can use this procedure to create a new group in Active Directory Users and Computers Microsoft Management Console (MMC). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure. To add a group 1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com. 2. In the details pane, right-click the folder in which you want to add a new group. Where? Active Directory Users and Computers/domain node/folder 3. Point to New, and then click Group. 4. In New Object Group, in Group name, type the name of the new group. By default, the name you type is also entered as the pre-Windows 2000 name of the new group. 5. In Group scope, select one of the following options: Domain local Global Universal Security Distribution

6. In Group type, select one of the following options:

7. Click OK.

Assign Group Membership

You can use this procedure to add a user, computer, or group to a group in Active Directory Users and Computers Microsoft Management Console (MMC). Membership in Domain Admins, or equivalent is the minimum required to perform this procedure. 32

To assign group membership 1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com. 2. In the details pane, double-click the folder that contains the group to which you want to add a member. Where? Active Directory Users and Computers/domain node/folder that contains the group 3. In the details pane, right-click the group to which you want to add a member, and then click Properties. The group Properties dialog box opens. Click the Members tab. 4. On the Members tab, click Add. 5. In Enter the object names to select, type the name of the user, group, or computer that you want to add, and then click OK. 6. To assign group membership to other users, groups or computers, repeat steps 4 and 5 of this procedure.

Configure a DNS Reverse Lookup Zone

You can use this procedure to configure a reverse lookup zone in Domain Name System (DNS). Membership in Domain Admins is the minimum required to perform this procedure. To configure a DNS reverse lookup zone 1. Click Start, click Administrative Tools, and then click DNS. The DNS Manager opens. 2. In DNS Manager, if it is not already expanded, double-click the server name to expand the tree. For example, if the DNS server name is AD-DNS-01, double-click ADDNS-01. 3. Select Reverse Lookup Zones, right-click Reverse Lookup Zones, and then click New Zone. The New Zone Wizard opens. 4. In Welcome to the New Zone Wizard, click Next. 5. In Zone Type, select one of the following: Primary zone Secondary zone Stub zone

6. If your DNS server is a writeable domain controller, select Store the zone in Active 33

Directory. 7. Click Next. 8. In Active Directory Zone Replication Scope, select one of the following: To all DNS servers running on domain controllers in this forest To all DNS servers running on domain controllers in this domain To all domain controllers in this domain To all domain controllers specified in the scope of this directory partition

9. Click Next. 10. In the first Reverse Lookup Zone Name page, select one of the following: IPv4 Reverse Lookup Zone IPv6 Reverse Lookup Zone

11. Click Next. 12. In the second Reverse Lookup Zone Name page, do one of the following: In Network ID, type the network ID of your IP address range. For example, if your IP address range is 192.168.0.1, type 192.168.0. In Reverse lookup zone name, type the name of your IPv4 reverse lookup zone. 13. Click Next. 14. In Dynamic Update, select the type of dynamic updates that you want to allow. Click Next. 15. In Completing the New Zone Wizard, review your choices, and then click Finish.

Joining Computers to the Domain and Logging On

After you have installed Active Directory Domain Services (AD DS) and created one or more user accounts that have permissions to join a computer to the domain, you can join foundation network servers to the domain and log on to the servers in order to install additional technologies, such as Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), and Network Policy Server (NPS). Note If you are logged on to a computer running Windows Server 2008 with the local computers Administrator account, by default, you can join a computer to the domain with a user account that is a member of Domain Users in Active Directory Users and Computers.

34

In addition, you can use these instructions to join client computers to the domain and to log on to client computers. On all servers that you are deploying, except for the server running AD DS, do the following: 1. Complete the procedures provided in Configuring All Servers. 2. Use the instructions in the following sections to join your servers to the domain and to log on to the servers to perform additional deployment tasks: Join the Computer to the Domain Log on to the Domain

Join the Computer to the Domain

You can use these procedures to join computers running Windows Server 2008 R2, Windows 7Windows Server 2008, Windows Vista, Windows Server 2003, or Windows XP to the domain.

Procedures for joining computers to the domain

This topic provides procedures for joining computers running the following operating systems to the domain: Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate) Windows Server 2008 and Windows Vista Windows Server 2003 and Windows XP

Important To join a computer to a domain, you must be logged on to the computer with the local Administrator account or, if you are logged on to the computer with a user account that does not have local computer administrative credentials, you must provide the credentials for the local Administrator account during the process of joining the computer to the domain. In addition, you must have a user account in the domain to which you want to join the computer. During the process of joining the computer to the domain, you will be prompted for your domain account credentials (user name and password). Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate) Membership in Domain Users, or equivalent, is the minimum required to perform this procedure. To join computers running Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate) to the domain 1. Log on to the computer with the local Administrator account. 2. Click Start, right-click Computer, and then click Properties. The System dialog box opens. 3. In Computer name, domain, and workgroup settings, click Change settings. The 35

System Properties dialog box opens. Note On computers running Windows 7, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed. 4. Click Change. The Computer Name/Domain Changes dialog box opens. 5. In Computer Name, in Member of, select Domain, and then type the name of the domain you want to join. For example, if the domain name is example.com, type example.com. 6. Click OK. The Windows Security dialog box opens. 7. In Computer Name/Domain Changes, in User name, type the user name, and in Password, type the password, and then click OK. The Computer Name/Domain Changes dialog box opens, welcoming you to the domain. Click OK. 8. The Computer Name/Domain Changes dialog box displays a message indicating that you must restart the computer to apply the changes. Click OK. 9. On the System Properties dialog box, on the Computer Name tab, click Close. The Microsoft Windows dialog box opens, and displays a message, again indicating that you must restart the computer to apply the changes. Click Restart Now. Windows Server 2008 and Windows Vista Membership in Domain Users, or equivalent, is the minimum required to perform this procedure. To join computers running Windows Server 2008 and Windows Vista to the domain 1. Log on to the computer with the local Administrator account. 2. Click Start, right-click Computer, and then click Properties. The System dialog box opens. 3. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens. Note On computers running Windows 7, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed. 4. Click Change. The Computer Name/Domain Changes dialog box opens. 5. In Computer Name, in Member of, select Domain, and then type the name of the domain you want to join. For example, if the domain name is example.com, type example.com. 6. Click OK. The Windows Security dialog box opens. 7. In Computer Name/Domain Changes, in User name, type the user name, and in Password, type the password, and then click OK. The Computer Name/Domain 36

Changes dialog box opens, welcoming you to the domain. Click OK. 8. The Computer Name/Domain Changes dialog box displays a message indicating that you must restart the computer to apply the changes. Click OK. 9. On the System Properties dialog box, on the Computer Name tab, click Close. The Microsoft Windows dialog box opens, and displays a message, again indicating that you must restart the computer to apply the changes. Click Restart Now. Windows Server 2003 and Windows XP Membership in Domain Users, or equivalent, is the minimum required to perform this procedure. To join computers running Windows Server 2003 and Windows XP to the domain 1. Click Start, right-click My Computer, and then click Properties. The System Properties dialog box opens. 2. Click Change. The Computer Name Changes dialog box opens. 3. In Computer Name Changes, in Member of, select Domain, and then type the name of the domain you want to join. For example, if the domain name is example.com, type example.com. 4. Click OK. The Computer Name Changes dialog box opens. In User name, type the domain administrator account name, and in Password, type the administrator password, and then click OK. 5. The Computer Name Changes dialog box opens, welcoming you to the domain. 6. Click OK. The Computer Name Changes dialog box displays a message indicating that you must restart the computer to apply the changes. 7. Click OK. 8. On the System Properties dialog box, on the Computer Name tab, click OK, to close the System Properties dialog box. The System Settings Change dialog box opens, and displays a message, again indicating that you must restart the computer to apply the changes. 9. Click Yes.

Log on to the Domain

You can use these procedures to log on to the domain using computers running Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP.

Procedures to log on to the domain

This topic provides procedures to log on to the domain using computers running the following operating systems: 37

Windows Server 2008 R2 and Windows 7 Windows Server 2008 and Windows Vista Windows Server 2003 and Windows XP

Windows Server 2008 R2 and Windows 7 Membership in Domain Users, or equivalent, is the minimum required to perform this procedure. Log on to the domain using computers running Windows Server 2008 R2 and Windows 7 1. Log off the computer, or restart the computer. 2. Press CTRL + ALT + DELETE. The logon screen appears. 3. Click Switch User, and then click Other User. 4. In User name, type your domain and user name in the format domain\user. For example, to log on to the domain example.com with an account named User-01, type example\User-01. 5. In Password, type your domain password, and then click the arrow, or press ENTER. Windows Server 2008 and Windows Vista Membership in Domain Users, or equivalent, is the minimum required to perform this procedure. Log on to the domain using computers running Windows Server 2008 and Windows Vista 1. Log off the computer, or restart the computer. 2. Press CTRL + ALT + DELETE. The logon screen appears. 3. Click Switch User, and then click Other User. 4. In User name, type your domain and user name in the format domain\user. For example, to log on to the domain example.com with an account named User-01, type example\User-01. 5. In Password, type your domain password, and then click the arrow, or press ENTER. Windows Server 2003 and Windows XP Membership in Domain Users, or equivalent, is the minimum required to perform this procedure. Log on to the domain using computers running Windows Server 2003 and Windows XP 1. Log off the computer, or restart the computer. 2. Press CTRL + ALT + DELETE. The Log On to Windows dialog box appears. 3. If Log on to is not displayed, click Options. 4. In Log on to, in the drop down list, select your domain. For example, in the example.com domain, select EXAMPLE. 5. Type your domain and user name in the format domain\user. For example, to log on 38

to the example.com domain with an account named User-01, type example\User-01. 6. In Password, type your domain password, and then press ENTER.

Deploying WINS-01 (optional)

Before deploying this component of the foundation network, you must do the following: Perform the steps in the section Configuring All Servers. Perform the steps in the section Joining Computers to the Domain and Logging On

To deploy WINS-01, which is the computer running Windows Internet Name Service (WINS), you must complete this step: Install Windows Internet Name Service (WINS)

Install Windows Internet Name Service (WINS)

Windows Internet Name Service (WINS) enables computers running Windows to find other computers using NetBIOS across subnets. Some programs rely on WINS to function across the network. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure. To install WINS 1. Do one of the following: a. In Initial Configuration Tasks, in Customize This Server, click Add Features. The Add Features Wizard opens. b. Click Start, click Administrative Tools, and then click Server Manager. In the left pane of Server Manager, click Features, and in the details pane, in Features Summary, click Add Features. The Add Features Wizard opens. 2. In Select Features, in Features, scroll down the list, select WINS Server, and then click Next. 3. In Confirm installation selections, click Install. 4. In Installation Results, review your installation results, and then click Close.

39

Deploying DHCP-01
Before deploying this component of the foundation network, you must do the following: Perform the steps in the section Configuring All Servers. Perform the steps in the section Joining Computers to the Domain and Logging On.

DHCP installation suggestions

The following choices are recommended when you install DHCP with the Add New Roles Wizard: Activate the scope or scopes that you configure during installation unless you have reason not to do so. For example, if you plan to create an exclusion range for the scope so that some IP addresses are available for statically configured devices, you might not want to activate the scope until after you have created the exclusion range. After you activate a scope, it is configured to function without additional configuration after the installation process is complete. If you choose not to activate a scope during installation, however, you can activate the scope after DHCP is installed by using the DHCP Microsoft Management Console (MMC) and the procedure Activate a DHCP Scope. Authorize the DHCP server in Active Directory Domain Services (AD DS) during installation unless you have reason not to do so. If you authorize the server during installation, the server is configured to function without additional configuration after the installation process is complete. If you choose not to authorize the DHCP server during installation, however, you can authorize the server after DHCP is installed by using the DHCP MMC and the procedure Authorize a DHCP Server in Active Directory Domain Services. Do not enable Configure DHCPv6 Stateless Mode unless you plan to use Internet Protocol version 6 (IPv6) on your network in addition to or to replace IPv4.

Deploying DHCP
To deploy DHCP-01, which is the computer running the Dynamic Host Configuration Protocol (DHCP) server role, you must complete these steps in the following order: If you plan to deploy Windows Internet Name Service (WINS) on your network, it is recommended that you perform the steps in the section Deploying WINS-01 (optional) before installing DHCP. Install Dynamic Host Configuration Protocol (DHCP) Create an Exclusion Range in DHCP

If you chose not to perform the following actions during DHCP installation, you can perform them after DHCP is installed: Authorize a DHCP Server in Active Directory Domain Services Activate a DHCP Scope Create a New DHCP Scope 40

After DHCP is installed, you can add more scopes to the server configuration:

Install Dynamic Host Configuration Protocol (DHCP)

You can use this procedure to install and configure the DHCP Server role using the Add Roles Wizard. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure. To install DHCP 1. Do one of the following: a. In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens. b. Click Start, click Administrative Tools, and then click Server Manager. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens. 2. In Before You Begin, click Next. Note The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run. 3. In Select Server Roles, in Roles, select DHCP Server, and then click Next. 4. In DHCP Server, click Next. 5. In Select Network Connection Bindings, in Network Connections, select the IP addresses that are connected to the subnets for which you want to provide DHCP service, and then click Next. 6. In Specify IPv4 DNS Server Settings, in Parent domain, verify that the name of the DNS domain that clients use for name resolution is correct. For example, if your domain is named example.com, verify that the DNS domain name is example.com. 7. In Preferred DNS server IPv4 address, type the IPv4 address of your preferred DNS server, and then click Validate. In Alternate DNS server IPv4 Address, type the IPv4 address of your alternate DNS server, if any, and then click Validate. Note If a DNS server responds when you click Validate, the DHCP installation wizard indicates the specified address for the DNS server is valid. If no DNS server responds when you click Validate, the DHCP installation wizard returns the message: The DNS server at the specified IP address is not responding. 8. Click Next. In Specify IPv4 WINS Server Settings, select one of the following: If you do not have WINS servers on your network, select WINS is not required for applications on this network. 41

 If one or more WINS servers are deployed on your network, select WINS is required for applications on this network. In Preferred WINS server IP address, type the IPv4 address of your preferred WINS server. In Alternate WINS server IP Address, type the IPv4 address of your alternate WINS server, if any, and then click Next. 9. In Add or Edit DHCP Scopes, click Add. The Add Scope dialog box opens. 10. In the Add Scope dialog box, type values for all required items. In Subnet Type, select either Wired or Wireless, depending on the IP address lease duration that you prefer, and then do one of the following: To automatically activate the scope immediately after DHCP installation is complete, ensure that Activate this scope is selected. If there are computers or devices on the network that have static IP addresses, do not activate the scope until after you have created an exclusion range. The exclusion range prevents the DHCP server from leasing IP addresses that are already in use by a statically configured device. To manually activate the scope later, use the DHCP Microsoft Management Console (MMC). 11. Click OK. This returns you to the Add or Edit DHCP Scopes page. If your network has multiple subnets that are serviced by this DHCP server, add scopes for each subnet using steps 9 and 10. Click Next. 12. In Configure DHCPv6 Stateless Mode, select whether you want to configure the DHCP server for DHCPv6 stateless operation, and then click Next. 13. In the previous step, if you selected Enable DHCPv6 stateless mode for this server, the Specify IPv6 DNS Server Settings page opens. Configure the IPv6 DNS server settings that you prefer, and then click Next. If in the previous step you selected Disable DHCPv6 stateless mode for this server, proceed to the next step. 14. In Authorize DHCP Server, do one of the following: Select Use current credentials to authorize the DHCP server in Active Directory Domain Services (AD DS) using the credentials supplied for the current session. To specify alternate credentials for authorization, select Use alternate credentials. Click Specify, and then type the credentials to use for DHCP server authorization. Select Skip authorization of this DHCP server in AD DS, and then click Next. Note Before your DHCP server can issue IP address leases, the DHCP server must be authorized in AD DS. 15. In Confirm Installation Selections, review your selections, and then click Install. 16. In Installation Results, review your installation results, and then click Close.

42

Create an Exclusion Range in DHCP

You can use this procedure to create an exclusion range for an existing DHCP scope. Membership in DHCP Administrators, or equivalent, is the minimum required to perform this procedure. To create an exclusion range in DHCP 1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft Management Console (MMC) opens. 2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-01.example.com, double-click DHCP-01.example.com. 3. Double-click IPv4, and then, for the scope for which you want to create an exclusion range, double-click Scope. 4. Click Address Pool. Right-click Address Pool, and then click New Exclusion Range. The Add Exclusion dialog box opens. 5. In Add Exclusion, in Start IP address, type the IP address that is the first IP address in the exclusion range. 6. In Add Exclusion, in End IP address, type the IP address that is the last IP address in the exclusion range, and then click Add. 7. Click Close.

Authorize a DHCP Server in Active Directory Domain Services

You can use this procedure to authorize a DHCP server in Active Directory Domain Services (AD DS). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure. To authorize a DHCP server in AD DS 1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft Management Console (MMC) opens. 2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-01.example.com, double-click DHCP-01.example.com. 3. In the DHCP MMC, click Action, and then click Authorize. 4. To verify that the server was authorized in AD DS, click Action, and then click Refresh. The IPv4 icon changes from red to green. In addition, on the Action menu, the 43

Authorize menu item is replaced by the Unauthorize menu item. You can use the Unauthorize menu item if you ever want to decommission the DHCP server.

Activate a DHCP Scope

You can use this procedure to activate a DHCP scope using the DHCP Microsoft Management Console (MMC). Membership in DHCP Administrators, or equivalent, is the minimum required to perform this procedure. To activate a DHCP scope 1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens. 2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-01.example.com, double-click DHCP-01.example.com. 3. Double-click IPv4, and click the scope that you want to activate. Right-click the scope that you want to activate, and then click Activate.

Create a New DHCP Scope

You can use this procedure to create a new DHCP scope using the DHCP Microsoft Management Console (MMC). Membership in DHCP Administrators, or equivalent, is the minimum required to perform this procedure. To create a new DHCP Scope 1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens. 2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-01.example.com, double-click DHCP-01.example.com. 3. Right-click IPv4, and then click New Scope. The New Scope Wizard opens. 4. In Welcome to the New Scope Wizard, click Next. 5. In Scope Name, in Name, type a name for the scope. For example, type Subnet-02. 6. In Description, type a description for the new scope, and then click Next. 7. In IP Address Range, do the following: a. In Start IP address, type the IP address that is the first IP address in the range. 44

For example, type 10.10.10.1. b. In End IP address, type the IP address that is the last IP address in the range. For example, type 10.10.10.254. Values for Length and Subnet mask are entered automatically, based on the IP address you entered for Start IP address. c. If necessary, modify the values in Length or Subnet mask, as appropriate for your addressing scheme. d. Click Next. 8. In Add Exclusions, do the following: a. In Start IP address, type the IP address that is the first IP address in the exclusion range. For example, type 10.10.10.1. b. In End IP address, type the IP address that is the last IP address in the exclusion range, For example, type 10.10.10.15. 9. Click Add, and then click Next. 10. In Lease Duration, modify the default values for Days, Hours, and Minutes, as appropriate for your network, and then click Next. 11. In Configure DHCP Options, select Yes, I want to configure these options now, and then click Next. 12. In Router (Default Gateway), do one of the following: If you do not have routers on your network, click Next. In IP address, type the IP address of your router or default gateway. For example, type 10.10.10.10. Click Add, and then click Next. 13. In Domain Name and DNS Servers, do the following: a. In Parent domain, type the name of the DNS domain that clients use for name resolution. For example, type example.com. b. In Server name, type the name of the DNS computer that clients use for name resolution. For example, type AD-DNS-01. c. Click Resolve. The IP address of the DNS server is added in IP address. Click Add, wait for DNS server IP address validation to complete, and then click Next. 14. In WINS Servers, do one of the following: If you do not have WINS servers on your network, click Next. If you have one or more WINS servers deployed on your network, for each WINS server: In Server name, type the name of the WINS server. For example, type WINS01. Click Resolve. The IP address of the WINS server is added in IP address. Click Add, and then click Next. 15. In Activate Scope, do one of the following: To automatically activate the scope immediately after the steps in the New Scope Wizard are complete, select Yes, I want to activate this scope now. To manually activate the scope later by using the DHCP MMC, select No I will activate this scope later. 45

16. Click Next, and then click Finish.

Deploying NPS-01 (optional)

Before deploying this network component, you must do the following: Perform the steps in the section Configuring All Servers. Perform the steps in the section Joining Computers to the Domain and Logging On

To deploy NPS-01, which is the computer running the Network Policy Server (NPS) role service of the Network Policy and Access Services server role, you must complete this step: Install Network Policy Server (NPS) Register the NPS Server in the Default Domain

Install Network Policy Server (NPS)

You can use this procedure to install Network Policy Server (NPS) by using the Add Roles Wizard. NPS is a role service of the Network Policy and Access Services server role. Note By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all installed network adapters. If Windows Firewall with Advanced Security is enabled when you install NPS, firewall exceptions for these ports are automatically created during the installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. If your network access servers are configured to send RADIUS traffic over ports other than these defaults, remove the exceptions created in Windows Firewall with Advanced Security during NPS installation, and create exceptions for the ports that you do use for RADIUS traffic. Administrative Credentials To complete this procedure, you must be a member of the Domain Admins group. To install NPS 1. Do one of the following: In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens. Click Start, click Administrative Tools, and then click Server Manager. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens. 2. In Before You Begin, click Next. 46

Note The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run. 3. In Select Server Roles, in Roles, select Network Policy and Access Services, and then click Next. 4. In Network Policy and Access Services, review the information, and then click Next. 5. In Select Role Services, in Role services, select Network Policy Server, and then click Next. 6. In Confirm Installation Selections, click Install. 7. In Installation Results, review your installation results, and then click Close.

Register the NPS Server in the Default Domain

You can use this procedure to register an NPS server in the domain where the server is a domain member. NPS servers must be registered in Active Directory so that they have permission to read the dialin properties of user accounts during the authorization process. Registering an NPS server adds the server to the RAS and IAS Servers group in Active Directory. Administrative credentials To complete this procedure, you must be a member of the Domain Admins group. To register an NPS server in its default domain 1. Click Start, click Administrative Tools, and then click Network Policy Server. 2. Right-click NPS (Local), and then click Register Server in Active Directory. The Network Policy Server dialog box opens. 3. In Network Policy Server, click OK, and then click OK again.

Additional Technical Resources

For more information about the technologies in this guide, see the following resources: Active Directory Domain Services in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=96418 47

 Domain Name System (DNS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=110949 Dynamic Host Configuration Protocol (DHCP) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=96419 Network Policy Server (NPS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=104545 TCP/IP in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/? LinkId=103329 Windows Internet Name Service (WINS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=103331

Appendix A
You can use this Network Planning Preparation Sheet to gather the information required to install a core network. This topic provides tables that contain the individual configuration items for each server computer for which you must supply information or specific values during the installation or configuration process. Example values are provided for each configuration item. For planning and tracking purposes, spaces are provided in each table for you to enter the values used for your deployment. If you log security-related values in these tables, you should store the information in a secure location.

Core Network Planning Preparation Sheet

The following links lead to the sections in this topic that provide configuration items and example values that are associated with the deployment procedures presented in this guide. Installing Active Directory Domain Services and DNS Configuring a DNS Reverse Lookup Zone Installing Windows Internet Name Service (optional) Installing DHCP Creating an exclusion range in DHCP Creating a new DHCP scope

Installing Network Policy Server (optional)

Installing Active Directory Domain Services and DNS

The tables in this section list configuration items for pre-installation and installation of Active Directory Domain Services (AD DS) and DNS. Pre-installation configuration items for AD DS and DNS The following three tables list pre-installation configuration items as described in Configuring All Servers: 48

Create an Administrator Password

Example values: Values:

Configuration items:

Administrator password

J*p2leO4$F

Configure a Static IP Address

Example values: Values:

Configuration items:

IP address Subnet mask Default gateway Preferred DNS server Alternate DNS server Rename the Computer

192.168.0.1 255.255.255.0 192.168.0.10 192.168.0.1 192.168.0.6

Configuration item:

Example value:

Value:

Computer name

AD-DNS-01

AD DS and DNS installation configuration items Configuration items for the Windows Server Core Network deployment procedure Install AD DS and DNS for a New Forest:
Configuration items: Example values: Values:

Full DNS name Forest functional level Active Directory Domain Services database folder location Active Directory Domain Services log files folder location Active Directory Domain Services SYSVOL folder location Directory Restore Mode

example.com Windows Server 2003 E:\Configuration\ Or accept the default location. E:\Configuration\ Or accept the default location. E:\Configuration\ Or accept the default location J*p2leO4$F 49

Configuration items:

Example values:

Values:

Administrator password Answer file name (optional) AD DS_AnswerFile

Configuring a DNS Reverse Lookup Zone

Configuration items: Example values: Values:

Zone type:

Primary zone Secondary zone Stub zone Selected Not selected

Zone type Store the zone in Active Directory Active Directory zone replication scope

To all DNS servers in this forest To all DNS servers in this domain To all domain controllers in this domain To all domain controllers specified in the scope of this directory partition

Reverse lookup zone name (IP type)

IPv4 Reverse Lookup Zone IPv6 Reverse Lookup Zone

Reverse lookup zone name (network ID)

192.168.0

Installing Windows Internet Name Service (optional)

The tables in this section list configuration items for pre-installation and installation of Windows Internet Name Service (WINS).

50

Pre-installation configuration items The following three tables list pre-installation configuration items as described in Configuring All Servers: Create an Administrator Password
Example values: Values:

Configuration items:

Administrator password

J*p2leO4$F

Configure a Static IP Address

Example values: Values:

Configuration items:

IP address Subnet mask Default gateway Preferred DNS server Alternate DNS server Rename the Computer

192.168.0.2 255.255.255.0 192.168.0.10 192.168.0.1 192.168.0.6

Configuration item:

Example value:

Value:

Computer name

WINS-01

WINS installation configuration items Configuration items for the Windows Server Core Network deployment procedure Install Windows Internet Name Service (WINS): No additional configuration items are required to install WINS.

Installing DHCP
The tables in this section list configuration items for pre-installation and installation of DHCP. Pre-installation configuration items for DHCP The following three tables list pre-installation configuration items as described in Configuring All Servers: Create an Administrator Password
Example values: Values:

Configuration items:

Administrator password

J*p2leO4$F 51

Configure a Static IP Address

Example values: Values:

Configuration items:

IP address Subnet mask Default gateway Preferred DNS server Alternate DNS server Rename the Computer

192.168.0.3 255.255.255.0 192.168.0.10 192.168.0.3 192.168.0.6

Configuration item:

Example value:

Value:

Computer name

DHCP-01

DHCP installation configuration items Configuration items for the Windows Server Core Network deployment procedure Install Dynamic Host Configuration Protocol (DHCP):
Configuration items: Example values: Values:

Network connect bindings DNS server settings Preferred DNS server IP address Alternate DNS server IP address WINS server settings. Alternate WINS server IP address Scope name Starting IP address Ending IP address Subnet mask Default gateway (optional) Subnet type

Local Area Connection AD-DNS-01 192.168.0.1 192.168.0.6 192.168.0.2 192.168.0.12 Primary Subnet 192.168.0.1 192.168.0.254 255.255.255.0 192.168.0.10 Wired (Lease duration will be 6 52

Configuration items:

Example values:

Values:

days) IPv6 DHCP server operation mode Not enabled

Creating an exclusion range in DHCP

Configuration items for the Windows Server Core Network deployment procedure Create an Exclusion Range in DHCP:
Configuration items: Example values: Values:

Scope name Scope description Exclusion range start IP address Exclusion range end IP address

Primary Scope Parent Domain Scope 192.168.0.1 192.168.0.15

Creating a new DHCP scope

Configuration items for the Windows Server Core Network deployment procedure Activate a DHCP Scope:
Configuration items: Example values: Values:

New scope name Scope description (IP address range) Start IP address (IP address range) End IP address Length Subnet mask (Exclusion range) Start IP address

Subnet-02 Scope for Subnet-02 10.10.10.1

10.10.10.254

8 255.0.0.0 10.10.10.1

Exclusion range end IP address 10.10.10.15 Lease duration 8 53

Configuration items:

Example values:

Values:

Days Hours Minutes Router (default gateway) IP address DNS parent domain DNS server IP address WINS server IP address

0 0

10.10.10.10

example.com 192.168.0.1

192.168.0.2

Installing Network Policy Server (optional)

The tables in this section list configuration items for pre-installation and installation of NPS. Pre-installation configuration items The following three tables list pre-installation configuration items as described in Configuring All Servers: Create an Administrator Password
Example values: Values:

Configuration items:

Administrator password

J*p2leO4$F

Configure a Static IP Address

Example values: Values:

Configuration items:

IP address Subnet mask Default gateway Preferred DNS server Alternate DNS server Rename the Computer

192.168.0.4 255.255.255.0 192.168.0.10 192.168.0.1 192.168.0.6

54

Configuration item:

Example value:

Value:

Computer name

NPS-01

Network Policy Server installation configuration items Configuration items for the Windows Server Core Network NPS deployment procedures: Install Network Policy Server (NPS) and Register the NPS Server in the Default Domain. No additional configuration items are required to install and register NPS.

55