Microsoft Corporation
Published: June, 2009
Authors: James McIllece and Brit Weston
Editor: Allyson Adley
Abstract
The Windows Server 2008 R2 Core Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory domain in a new forest. Using this guide, you can deploy computers configured with the following Windows server components:
The Active Directory Domain Services (AD DS) server role
The Domain Name System (DNS) server role
The Dynamic Host Configuration Protocol (DHCP) server role
The Network Policy Server (NPS) role service of the Network Policy and Access Services server role
The Windows Internet Name Service (WINS) feature
TCP/IP connections on individual servers
This guide also serves as a foundation for companion guides that show you how to deploy additional technologies using Windows Server 2008 R2.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law. 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
All other trademarks are property of their respective owners.
Contents
Core Network Guide
  Abstract
  Contents
Windows Server 2008 R2 Core Network Guide
  About this guide
    Network hardware requirements
  What this guide does not provide
  Technology Overviews
    Active Directory Domain Services
    DNS
    DHCP
    WINS (optional)
    NPS (optional)
    TCP/IP
  Core Network Overview
    Core Network Components
      Router
      Static TCP/IP configurations
      Global catalog and DNS server
      WINS server (optional)
      DHCP server
      NPS server (optional)
      Client computers
Core Network Planning
  Planning subnets
  Planning basic configuration of all servers
    Planning the Administrator account password
    Planning naming conventions for computers and devices
    Planning static IP addresses
  Planning the deployment of AD-DNS-01
    Planning the name of the forest root domain
    Planning the forest functional level
    Planning DNS zones
  Planning domain access
  Planning the deployment of WINS-01
  Planning the deployment of DHCP-01
    Planning DHCP servers and DHCP forwarding
    Planning IP address ranges
    Planning subnet masks
    Planning exclusion ranges
    Planning TCP/IP static configuration
  Planning the deployment of NPS-01
Core Network Deployment
Configuring All Servers
Create an Administrator Password
Rename the Computer
  Procedures for renaming computers
    Windows Server 2008 R2 and Windows 7
    Windows Server 2008 and Windows Vista
    Windows Server 2003 and Windows XP
Configure a Static IP Address
  Procedures for configuring static IP addresses
    Windows Server 2008 R2
    Windows Server 2008
    Windows Server 2003
Deploying AD-DNS-01
  Administrative privileges
    Domain user accounts vs. user accounts on the local computer
Install AD DS and DNS for a New Forest
Create a User Account in Active Directory Users and Computers
Add a Group
Assign Group Membership
Configure a DNS Reverse Lookup Zone
Joining Computers to the Domain and Logging On
Join the Computer to the Domain
  Procedures for joining computers to the domain
    Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)
    Windows Server 2008 and Windows Vista
    Windows Server 2003 and Windows XP
Log on to the Domain
  Procedures to log on to the domain
    Windows Server 2008 R2 and Windows 7
    Windows Server 2008 and Windows Vista
    Windows Server 2003 and Windows XP
Deploying WINS-01 (optional)
Install Windows Internet Name Service (WINS)
Deploying DHCP-01
  DHCP installation suggestions
  Deploying DHCP
Install Dynamic Host Configuration Protocol (DHCP)
Create an Exclusion Range in DHCP
Authorize a DHCP Server in Active Directory Domain Services
Activate a DHCP Scope
Create a New DHCP Scope
Deploying NPS-01 (optional)
Install Network Policy Server (NPS)
Register the NPS Server in the Default Domain
Additional Technical Resources
Appendix A
  Core Network Planning Preparation Sheet
    Installing Active Directory Domain Services and DNS
      Pre-installation configuration items for AD DS and DNS
      AD DS and DNS installation configuration items
      Configuring a DNS Reverse Lookup Zone
    Installing Windows Internet Name Service (optional)
      Pre-installation configuration items
      WINS installation configuration items
    Installing DHCP
      Pre-installation configuration items for DHCP
      DHCP installation configuration items
      Creating an exclusion range in DHCP
      Creating a new DHCP scope
    Installing Network Policy Server (optional)
      Pre-installation configuration items
      Network Policy Server installation configuration items
Note Client computers running Windows 7, Windows Vista and Windows XP are configured by default to receive IP address leases from the DHCP server. Therefore, no additional DHCP or Internet Protocol version 4 (IPv4) configuration of client computers is required.
Technology Overviews
The following sections provide brief overviews of the required and optional technologies used to create a core network.
DNS
DNS is a name resolution protocol for TCP/IP networks, such as the Internet or an organization network. A DNS server hosts the information that enables client computers to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.
DHCP
DHCP is an IP standard for simplifying management of host IP configuration. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your network. Every computer on a TCP/IP network must have a unique IP address. The IP address (together with its related subnet mask) identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you to use a DHCP server to dynamically assign an IP address to a computer or other device on your local network. For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work involved in reconfiguring computers.
WINS (optional)
While DNS is a required component of a core network, WINS is optional because, like DNS, it is a naming service. In some cases, you might not need both DNS and WINS, but older operating systems and applications might require WINS. For medium to small networks, WINS is extremely easy to install and manage, and it is not resource-intensive. If you are in doubt about whether you need WINS, you can test your network functionality without it and install it if needed. WINS provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and was designed to solve the problems arising from NetBIOS name resolution in routed environments. WINS is the best choice for NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP.
NetBIOS names are used by earlier versions of Windows operating systems to identify and locate computers and other shared or grouped resources required to register or resolve names for use on the network. NetBIOS names are a requirement for establishing networking services in earlier versions of Windows operating systems. Although the NetBIOS naming protocol can be used with network protocols other than TCP/IP (such as NetBEUI or IPX/SPX), WINS was designed specifically to support NetBIOS over TCP/IP (NetBT). WINS simplifies the management of the NetBIOS namespace in TCP/IP-based networks.
NPS (optional)
Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three features: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is an optional component of a core network, but you should install NPS if any of the following are true:
You are planning to expand your network to include remote access servers that are compatible with the RADIUS protocol, such as a computer running Windows Server 2008 R2 or Windows Server 2008 and Routing and Remote Access service, Terminal Services Gateway, or Remote Desktop Gateway.
You plan to deploy NAP.
You plan to deploy 802.1X wired or wireless access.
TCP/IP
TCP/IP in Windows Server 2008 is the following:
Networking software based on industry-standard networking protocols.
A routable, enterprise networking protocol that supports the connection of your Windows-based computer to both local area network (LAN) and wide area network (WAN) environments.
Core technologies and utilities for connecting your Windows-based computer with dissimilar systems for the purpose of sharing information.
A foundation for gaining access to global Internet services, such as the World Wide Web and File Transfer Protocol (FTP) servers.
A robust, scalable, cross-platform, client/server framework.
TCP/IP provides basic TCP/IP utilities that enable Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems, including:
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
Windows Server 2003 operating systems
Windows XP
Internet hosts
Apple Macintosh systems
IBM mainframes
UNIX systems
Open VMS systems
Network-ready printers, such as HP LaserJet series printers that use HP JetDirect cards
Router
This deployment guide provides instructions for deploying a core network with two subnets separated by a router that has DHCP forwarding enabled. You can, however, deploy a Layer 2 switch, a Layer 3 switch, or a hub, depending on your requirements and resources. If you deploy a switch, the switch must be capable of DHCP forwarding or you must place a DHCP server on each subnet. If you deploy a hub, you are deploying a single subnet and do not need DHCP forwarding or a second scope on your DHCP server.
DHCP server
The Dynamic Host Configuration Protocol (DHCP) server is configured with a scope that provides Internet Protocol (IP) address leases to computers on the local subnet. The DHCP server can also be configured with additional scopes to provide IP address leases to computers on other subnets if DHCP forwarding is configured on routers.
Client computers
Client computers running Windows 7, Windows Vista, and Windows XP are configured by default as DHCP clients, which obtain IP addresses and DHCP options automatically from the DHCP server.
Planning subnets
In Transmission Control Protocol/Internet Protocol (TCP/IP) networking, routers are used to interconnect the hardware and software used on different physical network segments called subnets. Routers are also used to forward IP packets between each of the subnets. Determine the physical layout of your network, including the number of routers and subnets you need, before proceeding with the instructions in this guide. In addition, to configure the servers on your network with static IP addresses, you must determine the IP address range that you want to use for the subnet where your core network servers are located. In this guide, the private IP address range 192.168.0.1 - 192.168.0.254 is used as an example, but you can use any private IP address range. The following recognized private IP address ranges are specified by Internet Request for Comments (RFC) 1918:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
When you use the private IP address ranges as specified in RFC 1918, you cannot connect directly to the Internet using a private IP address because requests going to or from these addresses are automatically discarded by Internet service provider (ISP) routers. To add Internet connectivity to your core network later, you must contract with an ISP to obtain a public IP address.
Important When using private IP addresses, you must use some type of proxy or network address translation (NAT) server to convert the private IP address ranges on your local network to a public IP address that can be routed. For more information, see Planning the deployment of DHCP-01.
Administrator password
Example: J*p2leO4$F
Note Strong passwords contain a minimum of 7 characters that consist of each of the following: uppercase letters (A, B, C), lowercase letters (d, e, f), numerals (0, 1, 2, 3), and keyboard symbols (' ~ ! @ # $ % | /).
Choose a naming convention before you install your core network using this guide.
subnets or the Internet, you must know the IP address of the router, also called a default gateway, for static IP address configuration. The following table provides example values for static IP address configuration.
Configuration items: Example values:
IP address
Subnet mask
Default gateway
Preferred DNS server
Alternate DNS server
Preferred WINS server
Alternate WINS server
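The static configuration items in the table above can be applied without the Network Connections dialog boxes. The script below is an added example, not code from the Microsoft guide: it drives netsh.exe (present on Windows Server 2008 R2; the Set-NetIPAddress cmdlets only shipped with Windows Server 2012) from PowerShell to set the address, mask, default gateway, DNS servers and optional WINS servers on one adapter. The adapter name and every address in the $plan table are constructed placeholders, not values from the guide.

```powershell
# Added example, not from the Microsoft guide: apply one server's planned static
# TCP/IP configuration with netsh.exe from an elevated PowerShell prompt on the
# server being configured. Every value in $plan is a constructed placeholder for
# a row of the planning table; replace it with the address from your own plan.
$plan = @{
    Interface      = 'Local Area Connection'  # adapter name as shown in Network Connections
    IPAddress      = '192.168.0.2'            # constructed: the address planned for this server
    SubnetMask     = '255.255.255.0'
    DefaultGateway = '192.168.0.1'            # constructed: the router on this subnet
    PreferredDns   = '192.168.0.2'            # constructed: AD-DNS-01; a DNS server may point at itself
    AlternateDns   = ''                       # leave empty when there is only one DNS server
    PreferredWins  = '192.168.0.3'            # constructed: WINS-01; leave empty if WINS is not deployed
    AlternateWins  = ''                       # leave empty unless an alternate WINS server exists
}

function Set-PlannedStaticIp([hashtable]$p) {
    # netsh accepts "name=<adapter>" as a single argument even when the name has spaces
    $nic = "name=$($p.Interface)"

    # Address, mask and default gateway in one call; gwmetric=1 makes this the preferred gateway
    & netsh interface ipv4 set address $nic source=static "address=$($p.IPAddress)" "mask=$($p.SubnetMask)" "gateway=$($p.DefaultGateway)" gwmetric=1

    # DNS: 'set' replaces any DHCP-assigned list with the preferred server and registers the host's
    # name in DNS; 'add' appends the alternate server as the second entry
    & netsh interface ipv4 set dnsservers $nic source=static "address=$($p.PreferredDns)" register=primary
    if ($p.AlternateDns) {
        & netsh interface ipv4 add dnsservers $nic "address=$($p.AlternateDns)" index=2
    }

    # WINS is optional in a core network; configure it only when a WINS server is deployed
    if ($p.PreferredWins) {
        & netsh interface ipv4 set winsservers $nic source=static "address=$($p.PreferredWins)"
        if ($p.AlternateWins) {
            & netsh interface ipv4 add winsservers $nic "address=$($p.AlternateWins)" index=2
        }
    }

    # Display the resulting configuration so it can be compared with the planning sheet
    & netsh interface ipv4 show config $nic
}

Set-PlannedStaticIp $plan
```

Run it once per server with that server's row of the planning sheet; the final show config call is the check that the adapter now carries exactly the planned values before the server is promoted or the DHCP role is installed.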
Forest functionality enables features across all the domains in your forest. The following forest functional levels are available:
Windows 2000. This forest functional level supports Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers.
Windows Server 2003. This forest functional level supports only Windows Server 2003 domain controllers and domain controllers that are running later versions of the Windows Server operating system.
Windows Server 2008. This forest functional level supports only domain controllers that are running Windows Server 2008 and later versions of the Windows Server operating system.
Windows Server 2008 R2. This forest functional level supports Windows Server 2008 R2 domain controllers and domain controllers that are running later versions of the Windows Server operating system.
If you are deploying a new domain in a new forest and all of your domain controllers will be running Windows Server 2008 R2, it is recommended that you configure AD DS with the Windows Server 2008 R2 forest functional level during AD DS installation.
Important After the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. For example, if you raise the forest functional level to Windows Server 2008 R2, domain controllers running Windows Server 2003 or Windows Server 2008 cannot be added to the forest.
Example configuration items for AD DS are provided in the following table.
Configuration items: Example values:
Forest root domain name (examples): example.com, corp.example.com
Forest functional level: Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
  Windows 2000: The Windows 2000 forest functional level provides all AD DS features that are available in Windows 2000 Server. If you have domain controllers running later versions of the Windows Server operating system, some advanced features will not be available on those domain controllers while this forest is at the Windows 2000 functional level.
  Windows Server 2003: The Windows Server 2003 forest functional level provides all features that are available in the Windows 2000 forest functional level, and the following additional features:
    Linked-value replication, which improves the replication of changes to group memberships.
    More efficient generation of complex replication topologies by the Knowledge Consistency Checker (KCC).
    Forest trust, which allows organizations to easily share internal resources across multiple forests.
    Any new domains that are created in this forest will automatically operate at the Windows Server 2003 domain functional level.
  Windows Server 2008: This forest functional level does not provide any new features over the Windows Server 2003 forest functional level. However, it ensures that any new domains created in this forest will automatically operate at the Windows Server 2008 domain functional level, which does provide unique features.
  Windows Server 2008 R2: The Windows Server 2008 R2 forest functional level provides all features that are available in the Windows Server 2008 forest functional level, and the following additional feature: Recycle Bin. When enabled, Recycle Bin provides the ability to restore deleted objects in their entirety while Active Directory Domain Services is running. Any new domains that are created in this forest will operate by default at the Windows Server 2008 R2 domain functional level.
Active Directory Domain Services database folder location: E:\Configuration\ or accept the default location.
Active Directory Domain Services log files folder location: E:\Configuration\ or accept the default location.
Active Directory Domain Services SYSVOL folder location: E:\Configuration\ or accept the default location.
Directory Restore Mode Administrator Password: J*p2leO4$F
Answer file name (optional): AD DS_AnswerFile
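Because a raised forest functional level cannot be lowered to admit older domain controllers, the check worth scripting is the one that precedes the raise: which domain controllers exist and what they run. The script below is an added example, not code from the Microsoft guide. It uses the System.DirectoryServices.ActiveDirectory classes of the .NET Framework on Windows Server 2008 R2 to list every domain controller in the current forest with its operating system and reports whether the Windows Server 2008 R2 level is attainable; the function name and the report fields are my own, and the OS-version match assumes no release newer than Windows Server 2008 R2 is present.

```powershell
# Added example, not from the Microsoft guide: inventory the domain controllers of
# the current forest and report whether the Windows Server 2008 R2 forest
# functional level can be used, which requires every DC to run Windows Server 2008 R2.
# Run as a domain user on a domain-joined computer after AD DS is installed.
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestLevelReadiness {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # One record per domain controller, across every domain in the forest
    $controllers = @()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.FindAllDomainControllers()) {
            $controllers += New-Object PSObject -Property @{
                Domain    = $domain.Name
                Name      = $dc.Name
                OSVersion = $dc.OSVersion
            }
        }
    }

    # A DC whose reported OS is not Windows Server 2008 R2, or whose version could not be
    # read, blocks the raise. Assumption: no release newer than 2008 R2 is in the forest.
    $blocking = @($controllers | Where-Object { $_.OSVersion -notmatch 'Windows Server 2008 R2' })

    New-Object PSObject -Property @{
        Forest           = $forest.Name
        CurrentLevel     = $forest.ForestMode   # a ForestMode value such as Windows2003Forest
        Controllers      = $controllers
        BlockingDCs      = $blocking
        CanRaiseTo2008R2 = ($blocking.Count -eq 0)
    }
}

$report = Get-ForestLevelReadiness
"Forest $($report.Forest) is currently at functional level $($report.CurrentLevel)"
$report.Controllers | Format-Table Domain, Name, OSVersion -AutoSize

if ($report.CanRaiseTo2008R2) {
    "All domain controllers run Windows Server 2008 R2; the forest functional level can be raised."
    # After the raise, Windows Server 2003 and Windows Server 2008 DCs can no longer be
    # added to this forest, so the raise is left behind an explicit switch.
    $raiseNow = $false
    if ($raiseNow) {
        $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $forest.RaiseForestFunctionality([System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2008R2Forest)
    }
} else {
    "Cannot raise yet; these domain controllers are not running Windows Server 2008 R2:"
    $report.BlockingDCs | Format-Table Domain, Name, OSVersion -AutoSize
}
```

In the new-forest deployment this guide describes there is a single Windows Server 2008 R2 domain controller, so the report is trivially clean and the level is best selected during AD DS installation as the text recommends; the script earns its keep when a forest has grown and someone proposes raising the level later.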
Zone type: Primary zone, and Store the zone in Active Directory is selected
Active Directory Zone Replication Scope: To all DNS servers in this domain
First Reverse Lookup Zone Name wizard page: IPv4 Reverse Lookup Zone
Second Reverse Lookup Zone Name wizard page: Network ID = 192.168.0.
Dynamic Updates: Allow only secure dynamic updates
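The same reverse lookup zone can be created from the command line with dnscmd.exe, which is installed with the DNS Server role. The script below is an added example, not code from the Microsoft guide; it builds the in-addr.arpa zone name from the network ID in the table and applies the table's three settings: an Active Directory-integrated primary zone, replication to all DNS servers in the domain, and secure dynamic updates only. It assumes it is run in an elevated prompt on the DNS server (AD-DNS-01) after AD DS and DNS are installed.

```powershell
# Added example, not from the Microsoft guide: create the IPv4 reverse lookup zone
# for network ID 192.168.0 with dnscmd.exe, using the wizard settings listed above.
$networkId = '192.168.0'                       # Network ID from the table

# A reverse zone name is the network octets in reverse order under in-addr.arpa
$octets = $networkId.Split('.')
[array]::Reverse($octets)
$zoneName = ($octets -join '.') + '.in-addr.arpa'   # 0.168.192.in-addr.arpa

# /DsPrimary stores the zone in Active Directory (the "Store the zone in Active Directory"
# option); /DP /domain replicates it to all DNS servers in this domain.
dnscmd /ZoneAdd $zoneName /DsPrimary /DP /domain

# /AllowUpdate 2 permits secure dynamic updates only (0 = none, 1 = nonsecure and secure).
dnscmd /Config $zoneName /AllowUpdate 2

# Check: the zone's type, directory partition and update setting as the server sees them
dnscmd /ZoneInfo $zoneName
```

The /AllowUpdate value is the setting to verify after creation: a zone that accepts nonsecure updates lets any host on the network overwrite PTR records, whereas secure-only updates require the updating computer to authenticate with its domain account.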
Note You cannot log on to the domain with a user account that is located in the Security Accounts Manager (SAM) user accounts database on the local computer. After the first successful logon with domain logon credentials, the logon settings persist unless the computer is removed from the domain or the logon settings are manually changed.
Before you log on to the domain:
Create user accounts in Active Directory Users and Computers. Each user must have an Active Directory Domain Services user account in Active Directory Users and Computers. For more information, see Create a User Account in Active Directory Users and Computers.
Ensure IP address configuration. To join a computer to the domain, the computer must have an IP address. In this guide, servers are configured with static IP addresses and client computers receive IP address leases from the DHCP server. For this reason, the DHCP server must be deployed before you join clients to the domain. For more information, see Deploying DHCP-01.
Join the computer to the domain. Any computer that provides or accesses network resources must be joined to the domain. For more information, see Join the Computer to the Domain.
Lease duration values, which are assigned to DHCP clients that receive dynamically allocated IP addresses.
Any DHCP scope options configured for assignment to DHCP clients, such as DNS server IP address, router/default gateway IP address, and WINS server IP address.
Reservations are optionally used to ensure that a DHCP client always receives the same IP address.
Before deploying your servers, list your subnets and the IP address range you want to use for each subnet.
This subnet mask number is 16 one-bits followed by 16 zero-bits, indicating that the network ID and host ID sections of this IP address are both 16 bits in length. Normally, this subnet mask is displayed in dotted decimal notation as 255.255.0.0. The following table displays subnet masks for the Internet address classes.
Address class   Bits for subnet mask                   Subnet mask
Class A         11111111 00000000 00000000 00000000    255.0.0.0
Class B         11111111 11111111 00000000 00000000    255.255.0.0
Class C         11111111 11111111 11111111 00000000    255.255.255.0
When you create a scope in DHCP and you enter the IP address range for the scope, DHCP provides these default subnet mask values. Typically, default subnet mask values (as shown in the preceding table) are acceptable for most networks with no special requirements and where each IP network segment corresponds to a single physical network. In some cases, you can use customized subnet masks to implement IP subnetting. With IP subnetting, you can subdivide the default host ID portion of an IP address to specify subnets, which are subdivisions of the original class-based network ID. By customizing the subnet mask length, you can reduce the number of bits that are used for the actual host ID. To prevent addressing and routing problems, you should make sure that all TCP/IP computers on a network segment use the same subnet mask and that each computer or device has a unique IP address.
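The arithmetic behind the subnet-planning and subnet-mask sections above (the RFC 1918 ranges, the one-bits/zero-bits view of a mask, and the rule that hosts on one segment share a mask and have unique addresses) is short enough to script as a planning check. The block below is an added example, not code from the Microsoft guide; it is written for PowerShell 2.0, which ships with Windows Server 2008 R2 and has no bit-shift operators, so the mask is built from a bit string and the network ID from a per-octet AND. The function names and the sample address list at the bottom are my own constructions.

```powershell
# Added example, not from the Microsoft guide: subnet arithmetic for planning static
# addresses, runnable on the PowerShell 2.0 that ships with Windows Server 2008 R2.

function ConvertTo-SubnetMask([int]$prefixLength) {
    # A mask is prefixLength one-bits followed by zero-bits; render each 8-bit group in decimal
    $bits = ('1' * $prefixLength).PadRight(32, '0')
    $octets = foreach ($i in 0..3) { [Convert]::ToInt32($bits.Substring($i * 8, 8), 2) }
    return ($octets -join '.')
}

function Get-NetworkId([string]$ip, [string]$mask) {
    # Network ID = address AND mask, octet by octet
    $a = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($mask).GetAddressBytes()
    $octets = foreach ($i in 0..3) { $a[$i] -band $m[$i] }
    return ($octets -join '.')
}

function Test-PrivateIPv4([string]$ip) {
    # The three RFC 1918 blocks, each as network ID plus mask
    $privateBlocks = @(
        @('10.0.0.0',    '255.0.0.0'),    # 10.0.0.0 - 10.255.255.255
        @('172.16.0.0',  '255.240.0.0'),  # 172.16.0.0 - 172.31.255.255
        @('192.168.0.0', '255.255.0.0')   # 192.168.0.0 - 192.168.255.255
    )
    foreach ($block in $privateBlocks) {
        if ((Get-NetworkId $ip $block[1]) -eq $block[0]) { return $true }
    }
    return $false
}

function Test-StaticAddressPlan([string[]]$addresses, [string]$mask) {
    # Returns the problems found with a planned list of static addresses for one segment;
    # an empty result means every address is private, unique, and on the same subnet
    $problems = @()
    foreach ($ip in $addresses) {
        if (-not (Test-PrivateIPv4 $ip)) { $problems += "$ip is not in an RFC 1918 private range" }
    }
    $duplicates = @($addresses | Group-Object | Where-Object { $_.Count -gt 1 })
    foreach ($d in $duplicates) { $problems += "$($d.Name) is assigned more than once" }
    $networks = @($addresses | ForEach-Object { Get-NetworkId $_ $mask } | Sort-Object -Unique)
    if ($networks.Count -gt 1) {
        $problems += "addresses span several subnets with mask ${mask}: $($networks -join ', ')"
    }
    return $problems
}

# The class B mask discussed above, and a customized /26 mask that borrows two host-ID bits
# so that a class C network such as 192.168.0.0/24 becomes four subnets of 62 usable hosts
ConvertTo-SubnetMask 16
ConvertTo-SubnetMask 26
Get-NetworkId '192.168.0.200' (ConvertTo-SubnetMask 26)

# Constructed sample plan containing a duplicated address and a host on another subnet
$samplePlan = @('192.168.0.2', '192.168.0.3', '192.168.0.4', '192.168.0.4', '192.168.1.5')
Test-StaticAddressPlan $samplePlan '255.255.255.0'
```

Feed Test-StaticAddressPlan the IP address column of your planning sheet together with the subnet mask you chose; each problem it reports corresponds to one of the addressing or routing faults the paragraph above warns about, caught before any server is configured.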
Exclusion range example: starting IP address 192.168.0.1, ending IP address 192.168.0.15
Network Connection Bindings
DNS Server Settings
Preferred DNS server IP address
Alternate DNS server IP address
WINS Server Settings: specify the IP address of your preferred WINS server only if WINS is deployed on the network.
Alternate WINS server IP address
Note Specify the IP address of your alternate WINS server only if an alternate WINS server is deployed on the network.
192.168.0.12
Add Scope dialog box values:
Scope Name: Primary Subnet
Starting IP Address: 192.168.0.1
Ending IP Address: 192.168.0.254
Subnet Mask: 255.255.255.0
Default Gateway (optional): 192.168.0.11
Wired (Lease duration will be 6 days)
Configuration items:
Example values:
box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.
You can use the following sections to perform these actions for each server.
1. On the Windows start page, beneath the text The user's password must be changed before logging on the first time, click OK.
2. The Administrator credentials page opens. In New password, type a password. In Confirm password, retype the password.
3. If you want to create a password reset disk, click Create a password reset disk and follow the instructions.
4. In the Administrator credentials page, click the blue arrow.
5. A message that states Your password has been changed appears. Click OK.
Windows Server 2008 and Windows Vista
Windows Server 2003 and Windows XP
Windows Server 2008 R2 and Windows 7
Membership in Administrators, or equivalent, is the minimum required to perform these procedures.
To rename computers running Windows Server 2008 R2 and Windows 7
1. Click Start, right-click Computer, and then click Properties. The System dialog box opens.
2. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens.
Note: On computers running Windows 7, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed.
3. Click Change. The Computer Name/Domain Changes dialog box opens.
4. In Computer Name, type the name for your computer. For example, if you want to name the computer AD-DNS-01, type AD-DNS-01.
5. Click OK twice, click Close, and then click Restart Now to restart the computer.
Windows Server 2008 and Windows Vista
Membership in Administrators, or equivalent, is the minimum required to perform these procedures.
To rename computers running Windows Server 2008 and Windows Vista
1. Click Start, right-click Computer, and then click Properties. The System dialog box opens.
2. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens.
Note: On computers running Windows Vista, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed.
3. Click Change. The Computer Name/Domain Changes dialog box opens.
4. In Computer Name, type the name for your computer. For example, if you want to name the computer AD-DNS-01, type AD-DNS-01.
5. Click OK twice, click Close, and then click Restart Now to restart the computer.
Windows Server 2003 and Windows XP
Membership in Administrators, or equivalent, is the minimum required to perform these procedures.
To rename computers running Windows Server 2003 and Windows XP
1. Click Start, right-click My Computer, and then click Properties. The System Properties dialog box opens.
2. Click Computer Name, and then click Change. The Computer Name Changes dialog box opens.
3. In Computer name, type the name for your computer. For example, if you want the computer named Client-01, type Client-01.
4. Click OK. The System Setting Changes dialog box opens, indicating that you must restart the computer before the changes take effect.
5. Click OK, click OK again to close the dialog box, and then click Yes to restart the computer.
Windows Server 2008 R2
Membership in Administrators, or equivalent, is the minimum required to perform these procedures.
To configure a static IP address on a computer running Windows Server 2008 R2
1. Click Start, and then click Control Panel.
2. In Control Panel, click Network and Internet. Network and Internet opens. In Network and Internet, click Network and Sharing Center. Network and Sharing Center opens.
3. In Network and Sharing Center, click Change adapter settings. Network Connections opens.
4. In Network Connections, right-click the network connection that you want to configure, and then click Properties.
5. In Local Area Connection Properties, in This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens.
6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use.
7. Press TAB to place the cursor in Subnet mask. A default value for the subnet mask is entered automatically. Either accept the default subnet mask, or type the subnet mask that you want to use.
8. In Default gateway, type the IP address of your default gateway.
9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer.
10. In Alternate DNS server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer.
11. Click OK, and then click Close.
Windows Server 2008
Membership in Administrators, or equivalent, is the minimum required to perform these procedures.
To configure a static IP address on a computer running Windows Server 2008
1. Click Start, and then click Control Panel.
2. In Control Panel, verify that Classic View is selected, and then double-click Network and Sharing Center.
3. In Network and Sharing Center, in Tasks, click Manage Network Connections.
4. In Network Connections, right-click the network connection that you want to configure, and then click Properties.
5. In Local Area Connection Properties, in This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens.
6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use.
7. Press TAB to place the cursor in Subnet mask. A default value for the subnet mask is entered automatically. Either accept the default subnet mask, or type the subnet mask that you want to use.
8. In Default gateway, type the IP address of your default gateway.
9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer.
10. In Alternate DNS server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer.
11. Click OK, and then click Close.
Windows Server 2003
Membership in Administrators, or equivalent, is the minimum required to perform these procedures.
To configure a static IP address on a computer running Windows Server 2003
1. Click Start, click Control Panel, right-click Network Connections, and then click Open.
2. In Network Connections, right-click the network connection that you want to configure, and then click Properties.
3. In Local Area Connection Properties, in This connection uses the following items, select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol (TCP/IP) Properties dialog box opens.
4. In Internet Protocol (TCP/IP) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use.
5. In Subnet mask, either accept the default subnet mask, or type the subnet mask that you want to use.
6. In Default gateway, type the IP address of your default gateway.
7. In Preferred DNS server, type the IP address of your DNS server.
8. In Alternate DNS server, type the IP address of your alternate DNS server, if any.
9. Click OK, and then click Close.
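The two Configuring All Servers procedures for Windows Server 2008 R2, renaming the computer and assigning a static IP address, done from an elevated PowerShell prompt instead of the dialog boxes. This is an added example and not the guide's own procedure; it uses netsh and WMI, which are present on Windows Server 2008 R2 (the Rename-Computer cmdlet arrived with PowerShell 3.0). AD-DNS-01, Local Area Connection and the gateway 192.168.0.11 are the guide's example values; the host address 192.168.0.2 is constructed.

```powershell
# Added example, not part of the guide: "Configuring All Servers" from an
# elevated PowerShell 2.0 prompt on Windows Server 2008 R2.
# The guide does not give AD-DNS-01's address; 192.168.0.2 is constructed.

$NewName      = 'AD-DNS-01'                 # guide example
$Interface    = 'Local Area Connection'     # guide example
$IPAddress    = '192.168.0.2'               # constructed sample value
$SubnetMask   = '255.255.255.0'             # Primary Subnet mask (guide example)
$Gateway      = '192.168.0.11'              # Primary Subnet default gateway (guide example)
$PreferredDns = '192.168.0.2'               # a DNS server may point at itself, as step 9 says
$AlternateDns = $null                       # set to an address if you have a second DNS server

# Steps 6-8: static address, mask and default gateway on the chosen connection.
# source=static replaces any DHCP-assigned configuration on the interface.
netsh interface ipv4 set address name="$Interface" source=static address=$IPAddress mask=$SubnetMask gateway=$Gateway gwmetric=1

# Steps 9-10: DNS servers. validate=no skips the connectivity probe, which would
# fail here because the DNS role is not installed on this computer yet.
netsh interface ipv4 set dnsservers name="$Interface" source=static address=$PreferredDns validate=no
if ($AlternateDns) {
    netsh interface ipv4 add dnsservers name="$Interface" address=$AlternateDns index=2 validate=no
}

# Rename the computer through WMI; ReturnValue 0 means success, anything else is a Win32 error code
$cs = Get-WmiObject -Class Win32_ComputerSystem
$result = $cs.Rename($NewName)
if ($result.ReturnValue -ne 0) { throw "Rename to $NewName failed with return code $($result.ReturnValue)" }

# Review the persisted configuration, then restart so the new name takes effect
netsh interface ipv4 show config name="$Interface"
Restart-Computer -Force
```

Run it once per server with the values from your planning sheet. The order matters for a future domain controller: the static address and the DNS server entries must be in place before AD DS is installed, because dcpromo records this address in DNS and because the domain's clients are pointed at it.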
Deploying AD-DNS-01
To deploy AD-DNS-01, which is the computer running Active Directory Domain Services (AD DS) and DNS, you must complete these steps in the following order:
Perform the steps in the section Configuring All Servers.
Install AD DS and DNS for a New Forest
Create a User Account in Active Directory Users and Computers
Add a Group
Administrative privileges
If you are installing a small network and are the only administrator for the network, it is recommended that you create a user account for yourself, and then add your user account as a member of both Enterprise Admins and Domain Admins. Doing so will make it easier for you to act as the administrator for all network resources. It is also recommended that you log on with this account only when you need to perform administrative tasks, and that you create a separate user account for performing non-IT related tasks. If you have a larger organization with multiple administrators, refer to AD DS documentation to determine the best group membership for organization employees.
To install Active Directory Domain Services and DNS
1. Do one of the following:
In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens.
Click Start, click Administrative Tools, and then click Server Manager. In Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.
2. In Before You Begin, click Next.
Note: The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.
3. In Select Server Roles, in Roles, select Active Directory Domain Services. An Add Roles Wizard message opens that states You cannot install Active Directory Domain Services unless the required features are also installed. Click Add Required Features, and then, in the Add Roles Wizard, click Next.
4. In Active Directory Domain Services, review the information and then click Next.
5. In Confirm Installation Selections, review the information, and then click Install. The Installation Progress page opens during installation.
6. When installation is complete, in Installation Results, review the information, and then click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe). The Add Roles Wizard closes and the Active Directory Domain Services Installation Wizard opens. Click Next.
7. In Operating System Compatibility, review the information, and then click Next.
8. In Choose a Deployment Configuration, select Create a new domain in a new forest. Click Next.
9. In Name the Forest Root Domain, in FQDN of the forest root domain, type the fully qualified domain name for your domain. For example, if your FQDN is example.com, type example.com. Click Next.
10. In Set Forest Functional Level, select the forest functional level that you want to use, and then click Next.
11. In Additional Domain Controller Options, in Select additional options for this domain controller, verify that DNS server is selected, and then click Next. The Active Directory Domain Services Installation Wizard warning dialog box opens.
12. The warning dialog box informs you that you can create a delegation to this DNS server manually in the parent zone. Click Yes to continue Active Directory Domain Services installation.
13. In Location for Database, Log Files, and SYSVOL, do one of the following:
Accept the default values.
Type the folder locations that you want to use for Database folder, Log files folder, and SYSVOL folder.
14. Click Next.
15. In Directory Services Restore Mode Administrator Password, in Password, type a password. In Confirm password, retype the password, and then click Next.
16. In Summary, review your selections.
17. If you want to export settings to an answer file, click Export settings, and specify a name for the answer file. Click Next. The Active Directory Domain Services Installation Wizard opens and installs Active Directory Domain Services.
18. In Completing the Active Directory Domain Services Installation Wizard, click Finish, and then click Restart Now.
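Step 17 mentions exporting the wizard's choices to an answer file; the same new-forest installation can be driven entirely from such a file with dcpromo /unattend. This is an added example and not the guide's own file: the [DCInstall] keys are dcpromo's documented unattend keys, the values are the guide's planning-sheet examples (example.com, the Windows Server 2003 forest functional level, folders under E:\Configuration\), and the EXAMPLE NetBIOS name and the NTDS, Logs and SYSVOL subfolder names are assumptions. The Directory Services Restore Mode password is prompted for at run time and the answer file is deleted afterwards, because dcpromo reads it as clear text.

```powershell
# Added example, not part of the guide: unattended AD DS forest installation on
# Windows Server 2008 R2, equivalent to wizard steps 3-18 above.
# Subfolders under the guide's E:\Configuration\ example are assumptions.

Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services | Out-Null     # wizard step 3

# Step 15: prompt for the DSRM password; it must be written to the answer file in
# clear text, so convert it only for the lifetime of the file and zero the buffer.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode administrator password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# dcpromo functional-level codes: 0 = Windows 2000, 2 = Windows Server 2003,
# 3 = Windows Server 2008, 4 = Windows Server 2008 R2. The guide's example is 2003.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=example.com
DomainNetbiosName=EXAMPLE
ForestLevel=2
DomainLevel=2
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="E:\Configuration\NTDS"
LogPath="E:\Configuration\Logs"
SYSVOLPath="E:\Configuration\SYSVOL"
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=No
"@

$answerFile = Join-Path $env:TEMP 'dcpromo-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    # Step 17 equivalent: run the installation from the answer file
    dcpromo /unattend:$answerFile
} finally {
    # Remove the file whether or not dcpromo succeeded; it held the DSRM password
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    $dsrmPlain = $null
}

# Step 18: restart to complete promotion
Restart-Computer -Force
```

CreateDNSDelegation=No corresponds to clicking Yes at the delegation warning in step 12: a new forest root has no parent zone to delegate from. RebootOnCompletion is set to No only so that the answer file can be removed before the restart; the result is the same as clicking Restart Now in the wizard.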
Add a Group
You can use this procedure to create a new group in the Active Directory Users and Computers Microsoft Management Console (MMC). Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.
To add a group
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.
2. In the details pane, right-click the folder in which you want to add a new group.
Where? Active Directory Users and Computers/domain node/folder
3. Point to New, and then click Group.
4. In New Object - Group, in Group name, type the name of the new group. By default, the name you type is also entered as the pre-Windows 2000 name of the new group.
5. In Group scope, select one of the following options:
Domain local
Global
Universal
6. In Group type, select one of the following options:
Security
Distribution
7. Click OK.
To assign group membership
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.
2. In the details pane, double-click the folder that contains the group to which you want to add a member.
Where? Active Directory Users and Computers/domain node/folder that contains the group
3. In the details pane, right-click the group to which you want to add a member, and then click Properties. The group Properties dialog box opens. Click the Members tab.
4. On the Members tab, click Add.
5. In Enter the object names to select, type the name of the user, group, or computer that you want to add, and then click OK.
6. To assign group membership to other users, groups, or computers, repeat steps 4 and 5 of this procedure.
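The Administrative privileges recommendation (a named administrator account that is a member of Enterprise Admins and Domain Admins), the To add a group procedure and the To assign group membership procedure, carried out with the Active Directory module that ships with Windows Server 2008 R2. This is an added example, not the guide's own steps: User-01 and example.com are the guide's examples, while the group name Network Operators and the use of the default Users container are assumptions.

```powershell
# Added example, not part of the guide: the same account and group work as the
# Active Directory Users and Computers procedures above, run on AD-DNS-01.
# Group name "Network Operators" and the Users container are assumptions.

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName        # DC=example,DC=com
$usersOu  = "CN=Users,$domainDn"

# "Administrative privileges": a named admin account. The password is entered
# interactively so that it never appears in the script or in the command history.
$password = Read-Host -Prompt 'Password for User-01' -AsSecureString
New-ADUser -Name 'User-01' -SamAccountName 'User-01' `
    -UserPrincipalName 'User-01@example.com' -Path $usersOu `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $false

# Single-administrator network, per the guide: member of both groups
Add-ADGroupMember -Identity 'Domain Admins'     -Members 'User-01'
Add-ADGroupMember -Identity 'Enterprise Admins' -Members 'User-01'

# "To add a group" (steps 4-7): a global security group; SamAccountName is the
# pre-Windows 2000 name, which the dialog box fills in from the group name
New-ADGroup -Name 'Network Operators' -SamAccountName 'Network Operators' `
    -GroupScope Global -GroupCategory Security -Path $usersOu

# "To assign group membership" (steps 4-6): users, groups and computers
# (for a computer, use its SAM name with the trailing $, e.g. 'DHCP-01$')
Add-ADGroupMember -Identity 'Network Operators' -Members 'User-01'

# Verify the membership of both the new group and Domain Admins
Get-ADGroupMember -Identity 'Network Operators' | Select-Object Name, objectClass
Get-ADGroupMember -Identity 'Domain Admins'     | Select-Object Name, objectClass
```

The final two queries are worth keeping as a habit: Domain Admins and Enterprise Admins membership is the list that matters most when reviewing who can change the whole forest, and the cmdlet output is easier to record than the dialog box.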
6. If your DNS server is a writeable domain controller, select Store the zone in Active Directory.
7. Click Next.
8. In Active Directory Zone Replication Scope, select one of the following:
To all DNS servers running on domain controllers in this forest
To all DNS servers running on domain controllers in this domain
To all domain controllers in this domain
To all domain controllers specified in the scope of this directory partition
9. Click Next.
10. In the first Reverse Lookup Zone Name page, select one of the following:
IPv4 Reverse Lookup Zone
IPv6 Reverse Lookup Zone
11. Click Next.
12. In the second Reverse Lookup Zone Name page, do one of the following:
In Network ID, type the network ID of your IP address range. For example, if your IP address range is 192.168.0.1, type 192.168.0.
In Reverse lookup zone name, type the name of your IPv4 reverse lookup zone.
13. Click Next.
14. In Dynamic Update, select the type of dynamic updates that you want to allow. Click Next.
15. In Completing the New Zone Wizard, review your choices, and then click Finish.
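The reverse lookup zone from steps 6 through 15 created with dnscmd, the DNS command-line tool on Windows Server 2008 R2 (the DnsServer PowerShell module came with later releases). This is an added example rather than the guide's procedure; it uses the guide's 192.168.0 network ID and AD-DNS-01 server name, chooses the forest-wide replication scope from step 8 and secure-only dynamic updates for step 14.

```powershell
# Added example, not part of the guide: AD-integrated IPv4 reverse lookup zone
# for the guide's 192.168.0 network ID, created and checked with dnscmd.

$DnsServer = 'AD-DNS-01'        # guide example
$NetworkId = '192.168.0'        # guide example from step 12

# Step 12: the zone name is the network ID with its octets reversed under in-addr.arpa
$octets = $NetworkId.Split('.')
[array]::Reverse($octets)
$ZoneName = ($octets -join '.') + '.in-addr.arpa'     # 0.168.192.in-addr.arpa
Write-Host "Creating reverse lookup zone $ZoneName on $DnsServer"

# Steps 6 and 8: store the zone in AD DS (/DsPrimary) and replicate it to all DNS
# servers on domain controllers in the forest (/DP /enterprise)
dnscmd $DnsServer /ZoneAdd $ZoneName /DsPrimary /DP /enterprise

# Step 14: dynamic updates. 0 = none, 1 = nonsecure and secure, 2 = secure only.
# Secure only means a client can update a PTR record only with a Kerberos-
# authenticated request, so hosts cannot overwrite each other's entries.
dnscmd $DnsServer /Config $ZoneName /AllowUpdate 2

# Verify: the zone is listed and its properties show the chosen settings
dnscmd $DnsServer /EnumZones
dnscmd $DnsServer /ZoneInfo $ZoneName
```

For a second subnet, run the same lines again with a different $NetworkId; the octet reversal gives the right zone name for any /8, /16 or /24 network ID. Subnets that do not fall on an octet boundary need a zone for each containing /24, which this example does not cover.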
In addition, you can use these instructions to join client computers to the domain and to log on to client computers.
On all servers that you are deploying, except for the server running AD DS, do the following:
1. Complete the procedures provided in Configuring All Servers.
2. Use the instructions in the following sections to join your servers to the domain and to log on to the servers to perform additional deployment tasks:
Join the Computer to the Domain
Log on to the Domain
Important: To join a computer to a domain, you must be logged on to the computer with the local Administrator account or, if you are logged on to the computer with a user account that does not have local computer administrative credentials, you must provide the credentials for the local Administrator account during the process of joining the computer to the domain. In addition, you must have a user account in the domain to which you want to join the computer. During the process of joining the computer to the domain, you will be prompted for your domain account credentials (user name and password).
Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate) to the domain
1. Log on to the computer with the local Administrator account.
2. Click Start, right-click Computer, and then click Properties. The System dialog box opens.
3. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens.
Note: On computers running Windows 7, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed.
4. Click Change. The Computer Name/Domain Changes dialog box opens.
5. In Computer Name, in Member of, select Domain, and then type the name of the domain you want to join. For example, if the domain name is example.com, type example.com.
6. Click OK. The Windows Security dialog box opens.
7. In Computer Name/Domain Changes, in User name, type the user name, and in Password, type the password, and then click OK. The Computer Name/Domain Changes dialog box opens, welcoming you to the domain. Click OK.
8. The Computer Name/Domain Changes dialog box displays a message indicating that you must restart the computer to apply the changes. Click OK.
9. On the System Properties dialog box, on the Computer Name tab, click Close. The Microsoft Windows dialog box opens, and displays a message, again indicating that you must restart the computer to apply the changes. Click Restart Now.
Windows Server 2008 and Windows Vista
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2008 and Windows Vista to the domain
1. Log on to the computer with the local Administrator account.
2. Click Start, right-click Computer, and then click Properties. The System dialog box opens.
3. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens.
Note: On computers running Windows Vista, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed.
4. Click Change. The Computer Name/Domain Changes dialog box opens.
5. In Computer Name, in Member of, select Domain, and then type the name of the domain you want to join. For example, if the domain name is example.com, type example.com.
6. Click OK. The Windows Security dialog box opens.
7. In Computer Name/Domain Changes, in User name, type the user name, and in Password, type the password, and then click OK. The Computer Name/Domain Changes dialog box opens, welcoming you to the domain. Click OK.
8. The Computer Name/Domain Changes dialog box displays a message indicating that you must restart the computer to apply the changes. Click OK.
9. On the System Properties dialog box, on the Computer Name tab, click Close. The Microsoft Windows dialog box opens, and displays a message, again indicating that you must restart the computer to apply the changes. Click Restart Now.
Windows Server 2003 and Windows XP
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2003 and Windows XP to the domain
1. Click Start, right-click My Computer, and then click Properties. The System Properties dialog box opens.
2. Click Change. The Computer Name Changes dialog box opens.
3. In Computer Name Changes, in Member of, select Domain, and then type the name of the domain you want to join. For example, if the domain name is example.com, type example.com.
4. Click OK. The Computer Name Changes dialog box opens. In User name, type the domain administrator account name, and in Password, type the administrator password, and then click OK.
5. The Computer Name Changes dialog box opens, welcoming you to the domain.
6. Click OK. The Computer Name Changes dialog box displays a message indicating that you must restart the computer to apply the changes.
7. Click OK.
8. On the System Properties dialog box, on the Computer Name tab, click OK to close the System Properties dialog box. The System Settings Change dialog box opens, and displays a message, again indicating that you must restart the computer to apply the changes.
9. Click Yes.
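The domain join for Windows Server 2008 R2 and Windows 7, done with the Add-Computer cmdlet from an elevated prompt opened with the local Administrator account, as the Important note requires. This is an added example and not the guide's procedure; example.com and User-01 are the guide's example names. Add-Computer in PowerShell 2.0 does not restart the computer itself, so the restart from step 9 is a separate command.

```powershell
# Added example, not part of the guide: join this computer to example.com.
# Run from an elevated prompt started as the local Administrator.

$Domain = 'example.com'                                  # guide example

# Step 7 equivalent: the domain credentials are prompted for and never stored
$cred = Get-Credential -Credential 'example\User-01'

$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Host "$($cs.Name) is already a member of $($cs.Domain); nothing to do."
} else {
    # The preferred DNS server set in Configuring All Servers must resolve the
    # domain's SRV records, otherwise the join fails with a locator error
    try {
        Add-Computer -DomainName $Domain -Credential $cred -ErrorAction Stop
    } catch {
        throw "Join to $Domain failed: $($_.Exception.Message)"
    }
    Write-Host "Joined $Domain; restarting to apply the change (step 9)."
    Restart-Computer -Force
}
```

The membership check at the top makes the script safe to run twice, and the try/catch turns the dialog box's welcome or error message into something you can record: the exception text from Add-Computer names the failing step (name resolution, credentials, or an existing computer account) in the same words as the Computer Name/Domain Changes dialog box.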
Windows Server 2008 R2 and Windows 7
Windows Server 2008 and Windows Vista
Windows Server 2003 and Windows XP
Windows Server 2008 R2 and Windows 7
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2008 R2 and Windows 7
1. Log off the computer, or restart the computer.
2. Press CTRL+ALT+DELETE. The logon screen appears.
3. Click Switch User, and then click Other User.
4. In User name, type your domain and user name in the format domain\user. For example, to log on to the domain example.com with an account named User-01, type example\User-01.
5. In Password, type your domain password, and then click the arrow, or press ENTER.
Windows Server 2008 and Windows Vista
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2008 and Windows Vista
1. Log off the computer, or restart the computer.
2. Press CTRL+ALT+DELETE. The logon screen appears.
3. Click Switch User, and then click Other User.
4. In User name, type your domain and user name in the format domain\user. For example, to log on to the domain example.com with an account named User-01, type example\User-01.
5. In Password, type your domain password, and then click the arrow, or press ENTER.
Windows Server 2003 and Windows XP
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2003 and Windows XP
1. Log off the computer, or restart the computer.
2. Press CTRL+ALT+DELETE. The Log On to Windows dialog box appears.
3. If Log on to is not displayed, click Options.
4. In Log on to, in the drop-down list, select your domain. For example, in the example.com domain, select EXAMPLE.
5. Type your domain and user name in the format domain\user. For example, to log on to the example.com domain with an account named User-01, type example\User-01.
6. In Password, type your domain password, and then press ENTER.
To deploy WINS-01, which is the computer running Windows Internet Name Service (WINS), you must complete this step:
Install Windows Internet Name Service (WINS)
Deploying DHCP-01
Before deploying this component of the foundation network, you must do the following:
Perform the steps in the section Configuring All Servers.
Perform the steps in the section Joining Computers to the Domain and Logging On.
Deploying DHCP
To deploy DHCP-01, which is the computer running the Dynamic Host Configuration Protocol (DHCP) server role, you must complete these steps in the following order:
If you plan to deploy Windows Internet Name Service (WINS) on your network, it is recommended that you perform the steps in the section Deploying WINS-01 (optional) before installing DHCP.
Install Dynamic Host Configuration Protocol (DHCP)
Create an Exclusion Range in DHCP
If you chose not to perform the following actions during DHCP installation, you can perform them after DHCP is installed:
Authorize a DHCP Server in Active Directory Domain Services
Activate a DHCP Scope
Create a New DHCP Scope
After DHCP is installed, you can add more scopes to the server configuration:
If one or more WINS servers are deployed on your network, select WINS is required for applications on this network. In Preferred WINS server IP address, type the IPv4 address of your preferred WINS server. In Alternate WINS server IP Address, type the IPv4 address of your alternate WINS server, if any, and then click Next.
9. In Add or Edit DHCP Scopes, click Add. The Add Scope dialog box opens.
10. In the Add Scope dialog box, type values for all required items. In Subnet Type, select either Wired or Wireless, depending on the IP address lease duration that you prefer, and then do one of the following:
To automatically activate the scope immediately after DHCP installation is complete, ensure that Activate this scope is selected. If there are computers or devices on the network that have static IP addresses, do not activate the scope until after you have created an exclusion range. The exclusion range prevents the DHCP server from leasing IP addresses that are already in use by a statically configured device.
To manually activate the scope later, use the DHCP Microsoft Management Console (MMC).
11. Click OK. This returns you to the Add or Edit DHCP Scopes page. If your network has multiple subnets that are serviced by this DHCP server, add scopes for each subnet using steps 9 and 10. Click Next.
12. In Configure DHCPv6 Stateless Mode, select whether you want to configure the DHCP server for DHCPv6 stateless operation, and then click Next.
13. In the previous step, if you selected Enable DHCPv6 stateless mode for this server, the Specify IPv6 DNS Server Settings page opens. Configure the IPv6 DNS server settings that you prefer, and then click Next. If in the previous step you selected Disable DHCPv6 stateless mode for this server, proceed to the next step.
14. In Authorize DHCP Server, do one of the following:
Select Use current credentials to authorize the DHCP server in Active Directory Domain Services (AD DS) using the credentials supplied for the current session.
To specify alternate credentials for authorization, select Use alternate credentials. Click Specify, and then type the credentials to use for DHCP server authorization.
Select Skip authorization of this DHCP server in AD DS, and then click Next.
Note: Before your DHCP server can issue IP address leases, the DHCP server must be authorized in AD DS.
15. In Confirm Installation Selections, review your selections, and then click Install.
16. In Installation Results, review your installation results, and then click Close.
Authorize menu item is replaced by the Unauthorize menu item. You can use the Unauthorize menu item if you ever want to decommission the DHCP server.
For example, type 10.10.10.1.
b. In End IP address, type the IP address that is the last IP address in the range. For example, type 10.10.10.254. Values for Length and Subnet mask are entered automatically, based on the IP address you entered for Start IP address.
c. If necessary, modify the values in Length or Subnet mask, as appropriate for your addressing scheme.
d. Click Next.
8. In Add Exclusions, do the following:
a. In Start IP address, type the IP address that is the first IP address in the exclusion range. For example, type 10.10.10.1.
b. In End IP address, type the IP address that is the last IP address in the exclusion range. For example, type 10.10.10.15.
9. Click Add, and then click Next.
10. In Lease Duration, modify the default values for Days, Hours, and Minutes, as appropriate for your network, and then click Next.
11. In Configure DHCP Options, select Yes, I want to configure these options now, and then click Next.
12. In Router (Default Gateway), do one of the following:
If you do not have routers on your network, click Next.
In IP address, type the IP address of your router or default gateway. For example, type 10.10.10.10. Click Add, and then click Next.
13. In Domain Name and DNS Servers, do the following:
a. In Parent domain, type the name of the DNS domain that clients use for name resolution. For example, type example.com.
b. In Server name, type the name of the DNS computer that clients use for name resolution. For example, type AD-DNS-01.
c. Click Resolve. The IP address of the DNS server is added in IP address. Click Add, wait for DNS server IP address validation to complete, and then click Next.
14. In WINS Servers, do one of the following:
If you do not have WINS servers on your network, click Next.
If you have one or more WINS servers deployed on your network, for each WINS server: In Server name, type the name of the WINS server. For example, type WINS01. Click Resolve. The IP address of the WINS server is added in IP address. Click Add, and then click Next.
15. In Activate Scope, do one of the following:
To automatically activate the scope immediately after the steps in the New Scope Wizard are complete, select Yes, I want to activate this scope now.
To manually activate the scope later by using the DHCP MMC, select No, I will activate this scope later.
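The DHCP deployment above (role installation, the New Scope Wizard's range, exclusion range, lease duration and options, authorization in AD DS, and activation) carried out with netsh dhcp, in the order the text recommends: the exclusion range is created before the scope is activated, and the server is authorized before it can hand out leases. This is an added example and not the guide's own procedure. The 10.10.10.x addresses, example.com, AD-DNS-01 and WINS01 are the wizard's example values; the DHCP server's own address 10.10.10.20 and the scope comment are constructed, since the guide does not give them.

```powershell
# Added example, not part of the guide: DHCP-01 scope setup with netsh dhcp on
# Windows Server 2008 R2. Runs on the DHCP server itself (no \\server argument).

Import-Module ServerManager
Add-WindowsFeature DHCP | Out-Null                  # "Install DHCP" role installation

$Scope      = '10.10.10.0'                          # network ID of the wizard's 10.10.10.x range
$Mask       = '255.255.255.0'
$ServerFqdn = 'DHCP-01.example.com'                 # guide's server name, guide's domain
$ServerIp   = '10.10.10.20'                         # constructed; not given in the guide

# Steps 7-8: scope, address range, and the exclusion range for statically addressed devices
netsh dhcp server add scope $Scope $Mask "Primary Subnet" "Wired clients (constructed comment)"
netsh dhcp server scope $Scope add iprange 10.10.10.1 10.10.10.254
netsh dhcp server scope $Scope add excluderange 10.10.10.1 10.10.10.15

# Steps 12-14: options. The DNS and WINS addresses are resolved by name, which is
# what the wizard's Resolve button does; pick the IPv4 answer explicitly.
function Resolve-IPv4 {
    param([string]$Name)
    $addr = [System.Net.Dns]::GetHostAddresses($Name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    if (-not $addr) { throw "No IPv4 address found for $Name" }
    return $addr.IPAddressToString
}
$dnsIp  = Resolve-IPv4 'AD-DNS-01.example.com'
$winsIp = Resolve-IPv4 'WINS01.example.com'

netsh dhcp server scope $Scope set optionvalue 003 IPADDRESS 10.10.10.10     # router / default gateway
netsh dhcp server scope $Scope set optionvalue 006 IPADDRESS $dnsIp          # DNS server
netsh dhcp server scope $Scope set optionvalue 015 STRING example.com        # parent domain
netsh dhcp server scope $Scope set optionvalue 044 IPADDRESS $winsIp         # WINS server
# Step 10: lease duration. The Wired subnet type in the role wizard means 6 days;
# option 51 takes seconds: 6 * 24 * 3600 = 518400
netsh dhcp server scope $Scope set optionvalue 051 DWORD 518400

# Authorization (installation step 14): a domain-joined Windows DHCP server that is
# not authorized in AD DS stops its service, which is what keeps an unplanned server
# from answering clients. Requires Enterprise Admins or delegated rights.
netsh dhcp add server $ServerFqdn $ServerIp

# Step 15: activate only now, with the exclusion range already in place
netsh dhcp server scope $Scope set state 1

# Verify what clients will actually receive
netsh dhcp server scope $Scope show excluderange
netsh dhcp server scope $Scope show optionvalue
netsh dhcp show server
```

The verification commands at the end are the ones to keep in a deployment record: show excluderange confirms the static-address block is protected before the first lease goes out, show optionvalue lists the router, DNS, domain and WINS values exactly as clients will see them, and netsh dhcp show server lists every server authorized in the forest, so a server you did not deploy stands out.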
To deploy NPS-01, which is the computer running the Network Policy Server (NPS) role service of the Network Policy and Access Services server role, you must complete these steps:
Install Network Policy Server (NPS)
Register the NPS Server in the Default Domain
Note: The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.
3. In Select Server Roles, in Roles, select Network Policy and Access Services, and then click Next.
4. In Network Policy and Access Services, review the information, and then click Next.
5. In Select Role Services, in Role services, select Network Policy Server, and then click Next.
6. In Confirm Installation Selections, click Install.
7. In Installation Results, review your installation results, and then click Close.
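The two NPS-01 steps, installing the Network Policy Server role service and registering the server in the default domain, from the command line on Windows Server 2008 R2. This is an added example, not the guide's procedure. Registration adds the NPS computer account to the domain's RAS and IAS Servers group, which is what lets NPS read users' dial-in properties; the check at the end reads that group through ADSI so it works on NPS-01 without the Active Directory module. NPS-01 and example.com are the guide's names.

```powershell
# Added example, not part of the guide: install NPS and register it in the
# default domain, then confirm the registration in AD DS.

Import-Module ServerManager
Add-WindowsFeature NPAS-Policy-Server | Out-Null      # wizard steps 3-7

# "Register the NPS Server in the Default Domain": with no arguments, netsh
# registers the local server in the domain it is joined to
netsh nps add registeredserver

# Verify: registration means NPS-01's computer account is now a member of the
# built-in RAS and IAS Servers group
$ServerName = 'NPS-01'                                  # guide example
$group  = ([ADSISearcher]'(&(objectClass=group)(cn=RAS and IAS Servers))').FindOne()
$server = ([ADSISearcher]"(&(objectClass=computer)(cn=$ServerName))").FindOne()
if (-not $group -or -not $server) { throw 'Could not read the group or the computer account from AD DS' }

$serverDn = $server.Properties['distinguishedname'][0]
$members  = @($group.Properties['member'])
if ($members -contains $serverDn) {
    Write-Host "$ServerName is registered: $serverDn is a member of RAS and IAS Servers"
} else {
    throw "$ServerName is not a member of RAS and IAS Servers; registration did not take effect"
}
```

Registering requires an account that can modify the RAS and IAS Servers group, normally Domain Admins; the install itself only needs local Administrators. Until the registration is in place, NPS cannot evaluate the dial-in properties of domain accounts, so connection requests that depend on them are rejected.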
Domain Name System (DNS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=110949
Dynamic Host Configuration Protocol (DHCP) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=96419
Network Policy Server (NPS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=104545
TCP/IP in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=103329
Windows Internet Name Service (WINS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=103331
Appendix A
You can use this Network Planning Preparation Sheet to gather the information required to install a core network. This topic provides tables that contain the individual configuration items for each server computer for which you must supply information or specific values during the installation or configuration process. Example values are provided for each configuration item. For planning and tracking purposes, spaces are provided in each table for you to enter the values used for your deployment. If you log security-related values in these tables, you should store the information in a secure location.
Configuration item | Example value | Value
Administrator password | J*p2leO4$F |
Configuration items | Example values | Values
IP address | |
Subnet mask | |
Default gateway | |
Preferred DNS server | |
Alternate DNS server | |
Rename the Computer
Configuration item | Example value | Value
Computer name | AD-DNS-01 |
AD DS and DNS installation configuration items
Configuration items for the Windows Server Core Network deployment procedure Install AD DS and DNS for a New Forest:
Configuration items | Example values | Values
Full DNS name | example.com |
Forest functional level | Windows Server 2003 |
Active Directory Domain Services database folder location | E:\Configuration\ or accept the default location |
Active Directory Domain Services log files folder location | E:\Configuration\ or accept the default location |
Active Directory Domain Services SYSVOL folder location | E:\Configuration\ or accept the default location |
Directory Restore Mode administrator password | J*p2leO4$F |
Configuration items | Example values | Values
Zone type | |
Store the zone in Active Directory | |
Active Directory zone replication scope | To all DNS servers in this forest; To all DNS servers in this domain; To all domain controllers in this domain; To all domain controllers specified in the scope of this directory partition |
Network ID | 192.168.0 |
Pre-installation configuration items
The following three tables list pre-installation configuration items as described in Configuring All Servers.

Create an Administrator Password
Configuration items | Example values | Values
Administrator password | J*p2leO4$F |

Configuration items | Example values | Values
IP address | |
Subnet mask | |
Default gateway | |
Preferred DNS server | |
Alternate DNS server | |

Rename the Computer
Configuration item | Example value | Value
Computer name | WINS-01 |
WINS installation configuration items
Configuration items for the Windows Server Core Network deployment procedure Install Windows Internet Name Service (WINS): No additional configuration items are required to install WINS.
Installing DHCP
The tables in this section list configuration items for pre-installation and installation of DHCP.

Pre-installation configuration items for DHCP
The following three tables list pre-installation configuration items as described in Configuring All Servers.

Create an Administrator Password
Configuration items | Example values | Values
Administrator password | J*p2leO4$F |

Configuration items | Example values | Values
IP address | |
Subnet mask | |
Default gateway | |
Preferred DNS server | |
Alternate DNS server | |

Rename the Computer
Configuration item | Example value | Value
Computer name | DHCP-01 |
DHCP installation configuration items
Configuration items for the Windows Server Core Network deployment procedure Install Dynamic Host Configuration Protocol (DHCP):

Configuration items | Example values | Values
Network connection bindings | Local Area Connection |
DNS server settings | AD-DNS-01 |
Preferred DNS server IP address | 192.168.0.1 |
Alternate DNS server IP address | 192.168.0.6 |
WINS server settings | 192.168.0.2 |
Alternate WINS server IP address | 192.168.0.12 |
Scope name | Primary Subnet |
Starting IP address | 192.168.0.1 |
Ending IP address | 192.168.0.254 |
Subnet mask | 255.255.255.0 |
Default gateway (optional) | 192.168.0.10 |
Subnet type | Wired (Lease duration will be 6 |
Configuration items | Example values | Values
New scope name | |
Scope description | |
(IP address range) Start IP address | |
(IP address range) End IP address | 10.10.10.254 |
Length | 8 |
Subnet mask | 255.0.0.0 |
(Exclusion range) Start IP address | 10.10.10.1 |
(Exclusion range) End IP address | |

Configuration items | Example values | Values
Days, Hours, Minutes | 0 0 |
Router (default gateway) IP address | 10.10.10.10 |
DNS parent domain | example.com |
DNS server IP address | 192.168.0.1 |
WINS server IP address | 192.168.0.2 |
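Before the scope values recorded in the DHCP tables above are typed into the DHCP console, it is worth checking that they are consistent with each other. The following script is an added example, not part of this guide: it takes the sheet's example values (the new scope's starting IP address is blank on the sheet and is assumed to be 10.10.10.1 here, and its exclusion end is left blank), checks that each range fits its subnet, and flags static infrastructure addresses (router, DNS and WINS servers) that lie inside a scope's distributable range without an exclusion, since those could be handed out as leases.

```python
import ipaddress

# Constructed from the example values in the planning sheet above. The new
# scope's starting IP address and exclusion end are blank on the sheet: the
# start is assumed to be 10.10.10.1 here and the exclusion end is left as None.
SCOPES = [
    {"name": "Primary Subnet", "start": "192.168.0.1", "end": "192.168.0.254",
     "mask": "255.255.255.0", "router": "192.168.0.10", "exclusion": (None, None),
     "dns": ["192.168.0.1", "192.168.0.6"], "wins": ["192.168.0.2", "192.168.0.12"]},
    {"name": "New scope", "start": "10.10.10.1", "end": "10.10.10.254",
     "mask": "255.0.0.0", "router": "10.10.10.10", "exclusion": ("10.10.10.1", None),
     "dns": ["192.168.0.1"], "wins": ["192.168.0.2"]},
]


def check_scope(scope):
    """Return the planning findings for one scope; an empty list means it is consistent."""
    findings = []
    start, end = ipaddress.ip_address(scope["start"]), ipaddress.ip_address(scope["end"])
    network = ipaddress.ip_network(f"{scope['start']}/{scope['mask']}", strict=False)
    if start > end:
        findings.append("starting IP address is above the ending IP address")
    if end not in network:
        findings.append(f"ending IP address {end} is outside {network}")
    excl = scope["exclusion"]
    if (excl[0] is None) != (excl[1] is None):
        findings.append("exclusion range has only one end filled in")
    excluded = [ipaddress.ip_address(a) for a in excl] if all(excl) else None
    router = ipaddress.ip_address(scope["router"])
    if router not in network:
        findings.append(f"router {router} is not on the scope's subnet {network}")
    # Statically addressed infrastructure must never be handed out as a lease:
    # each address has to lie outside the scope's range or inside a complete
    # exclusion range, otherwise a client can be leased the gateway's address.
    static = [("router", scope["router"])] + [("DNS server", a) for a in scope["dns"]]
    static += [("WINS server", a) for a in scope["wins"]]
    for role, text in static:
        addr = ipaddress.ip_address(text)
        leasable = start <= addr <= end
        if excluded and excluded[0] <= addr <= excluded[1]:
            leasable = False
        if leasable:
            findings.append(f"{role} {addr} is inside the distributable range and not excluded")
    return findings


if __name__ == "__main__":
    for scope in SCOPES:
        print(scope["name"], "->", check_scope(scope) or ["consistent"])
```

With the sheet's example values, the Primary Subnet scope reports all five static addresses as leasable, and the new scope reports its half-filled exclusion range and its router.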
Configuration items | Example values | Values
Administrator password | J*p2leO4$F |

Configuration items | Example values | Values
IP address | |
Subnet mask | |
Default gateway | |
Preferred DNS server | |
Alternate DNS server | |

Rename the Computer
Configuration item | Example value | Value
Computer name | NPS-01 |
Network Policy Server installation configuration items
Configuration items for the Windows Server Core Network NPS deployment procedures Install Network Policy Server (NPS) and Register the NPS Server in the Default Domain: No additional configuration items are required to install and register NPS.