Windows Server 2003 Domain Controller Installation and
Benedikt Riedel, MCSE + Messaging
www.go-unified.com
www.siemens.com/open
Benedikt.riedel@siemens.com
Start up the prepared Windows Server 2003 installation
Right-click My Network Places and select Properties
Right-click the network adapter in use and select Properties to set a static IP address (a static address is required for the DC role)
Select Internet Protocol (TCP/IP) and hit Properties
Select Use the following IP address, enter your IP details and, as the DNS server, enter only 127.0.0.1
Open the command prompt via Start > Run > cmd > OK, type ipconfig /all and check the result
Press Start > Run, enter DCPROMO and hit OK to start the Active Directory Installation Wizard.
Press Next to continue
Press Next to continue
Select the Domain Controller Type: either a DC for a new domain or an additional DC for an existing domain (first option in this example)
Now you can choose to create a new forest (default for a new domain, e.g. siemens.net), become a child of an existing domain (e.g. ie001.siemens.net) or create a new domain tree in an existing forest (e.g. *.siemens.net linked with *.newcompany.net)
Next, select a name for your new domain that is not reachable through the internet, for an easier DNS setup (e.g. XXX.local)
Accept the default NetBIOS name or change it if you want. Some applications use it for authentication, e.g. GH\%SAMAccount% as username
Now select the Database and Log folders; these should be on a partition of a RAID array with adequate speed.
Another drive is the shared system volume (SYSVOL); ensure enough space is kept for it, depending on use at least 10 GB
Because our Windows installation is blank, we have to install the DNS service so that it can generate an Active Directory-integrated zone.
Always select the bottom option (permissions compatible only with Windows 2000 or Windows Server 2003) unless you need to become a member of a domain with pre-Windows 2000 servers
Enter the Restore Mode password. Choose a strong one, so that backups cannot be opened to read passwords
Press Next to confirm all settings
Wait until the installation and setup is finished
Press Finish
Press Restart Now to finalize the installation
The logon screen has changed a bit and you can now (only) select your domain. Log on with the previously used Windows password
Verify the installation. You should see new options in Administrative Tools, e.g. Active Directory ... and DNS. Open the DNS option
After expanding the forest you will see the domain namespace and the DC as its only member.
Right-click the server's hostname and select Properties.
Select the Forwarders tab and enter the IP address of an external DNS server. Otherwise the DC's DNS server will not know about external domain names such as audi.de or siemens.com (the OpenDNS servers are used below)
Select the Event Logging tab and choose Errors and warnings. This way no informational messages are recorded.
To add the DHCP (Dynamic Host Configuration Protocol) and WINS roles press Start > Run > Control Panel > Add or Remove Programs
Select Add/Remove Windows Components, highlight Networking Services and press Details
Select DHCP and WINS and press OK
Wait until the installation is finished (the Windows Server 2003 CD may be required)
Press Finish to complete the installation
No configuration of WINS is required. To configure DHCP select Start > Administrative Tools > DHCP
Right-click the hostname and press New Scope
Press Next to bypass the Welcome screen
Give your scope a name, e.g. WLAN, VoIP, Marketing...
Enter the start and end address as well as the subnet mask used
You can set up exclusions, e.g. for servers or network equipment
Change the Lease Duration to 1 day and 2 hours so that PCs request a new IP address every day while running and the scope is refreshed every week on Monday morning (the default lease expires on Sunday).
To set up the gateway and DNS servers select Yes and press Next
Enter the gateway IP, press Add and then Next
Same for the DNS settings; in addition you can enter a parent domain (e.g. VoIP, WLAN...)
Enter the WINS IP as well and press Next
To activate the scope press Yes and Next
Press Finish to complete the configuration
Right-click the hostname and press Authorize to activate the DHCP server
Press F5 and verify that the scope is set up and the green arrow is shown in front of the server name
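As an added check that is not part of the original deck: this Python script, with constructed scope values, verifies that a scope built as above never leases the addresses of the gateway, DC/DNS, WINS or other static hosts unless they are excluded, and reports how many addresses remain leasable and when clients first try to renew the 1 day 2 hour lease.

```python
import ipaddress
from datetime import timedelta

# Constructed example values (not from the deck): a /24 WLAN scope with one exclusion.
SCOPE = {"start": "192.168.10.10", "end": "192.168.10.250", "mask": "255.255.255.0"}
EXCLUSIONS = [("192.168.10.10", "192.168.10.20")]          # reserved for network equipment
STATIC_HOSTS = {"gateway": "192.168.10.1", "dc_dns_wins": "192.168.10.5",
                "printer": "192.168.10.15", "fileserver": "192.168.10.30"}
LEASE = timedelta(days=1, hours=2)                           # lease duration chosen in the wizard


def check_scope(scope, exclusions, static_hosts, lease):
    """Return findings about a DHCP scope before it is authorised.

    findings   : human-readable problems (static host inside the leasable range, etc.)
    leasable   : number of addresses the server may actually hand out
    renew_after: DHCP clients try to renew at 50% of the lease (T1)
    """
    net = ipaddress.ip_network(f"{scope['start']}/{scope['mask']}", strict=False)
    first, last = ipaddress.ip_address(scope["start"]), ipaddress.ip_address(scope["end"])
    if first not in net or last not in net or first > last:
        raise ValueError("scope range must lie inside the subnet and start <= end")

    excluded = set()
    for a, b in exclusions:
        lo, hi = int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b))
        excluded.update(range(lo, hi + 1))

    findings = []
    for name, ip in static_hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            findings.append(f"{name} {addr} is outside subnet {net}: clients cannot reach it")
        elif first <= addr <= last and int(addr) not in excluded:
            findings.append(f"{name} {addr} is leasable: add an exclusion or move it outside the range")

    pool = set(range(int(first), int(last) + 1))
    return {
        "findings": findings,
        "leasable": len(pool - excluded),
        "renew_after": lease / 2,
    }


if __name__ == "__main__":
    result = check_scope(SCOPE, EXCLUSIONS, STATIC_HOSTS, LEASE)
    for line in result["findings"]:
        print("WARNING:", line)
    print(f"{result['leasable']} leasable addresses, clients renew after {result['renew_after']}")
```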
To start the user configuration press Start > Administrative Tools > Active Directory Users and Computers, or Start > Run > dsa.msc
Expand the first DC, right-click into the white area and select New > Organizational Unit
OUs are used to manage groups of users or computers. You can apply so-called Group Policy Objects to them to assign special permissions to them.
Create different OUs for the different business parts and for servers and workstations, e.g. for patching: clients are patched during the day, servers during the night.
The following shows how to create the first Domain Administrator. Right-click > New > User
Fill in the required fields, e.g. Name and User logon name
Select a password and tick the options you wish below.
Press Finish to create the user
Right-click the new user and press Properties to modify its settings
Change to the Member Of tab and press Add
Enter Domain Admins, press Check Names and hit OK
To test the new user press Start > Run > mstsc > OK and connect to the local computer using the newly created user account
Start the command prompt (Start > Run > CMD > OK), enter whoami and verify the name.
Add a computer to the domain. Check the IP settings of the PC/server in question and ensure that the DNS server is set to the Domain Controller and that the DC can be reached over the network
Right-click the My Computer icon and select Properties
Browse to the Computer Name tab and press Change (currently our server is configured as a member of a workgroup)
Select Domain, enter the domain name that you chose during the installation and hit OK
As username and password enter the Administrator account of the DC or the newly created user account with Domain Admin rights.
Press OK to confirm the welcome message
Restart the PC so that the server information can be added to the AD domain
After the reboot you can choose to log on to the local computer or to the domain using any domain user account
On the DC you will see the new server inside the Computers container. Right-click the hostname and press Move
Select the OU you want to put the server into, e.g. Servers
Open the Computer Name tab again and you will see that the domain is used now instead of a workgroup
If you only use Windows Server 2003 or later Domain Controllers, the Domain Functional Level should be raised. Right-click the DC and press Raise Domain Functional Level
Select Windows Server 2003 and hit Raise
Accept the warning by pressing OK
To enable reverse DNS a new zone has to be created. Right-click the Reverse DNS zone node and press New Zone
Press Next to continue
Select a Primary Zone on the first DC and store it in AD
Accept the default and press Next
Enter the Network ID (a zone has to be generated for each subnet)
Only allow secure dynamic updates (updates from authenticated domain members) and press Next
Press Finish to create the zone
On the command prompt enter ipconfig /registerdns and press F5 on the DNS zone; the server will now appear (a reboot does the same)
If you now look up the IP address, the hostname is displayed as well.
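Added example, not from the deck: the New Zone wizard takes a Network ID of one to three octets, so one reverse zone covers a /8, /16 or /24. This Python helper (standard library only) lists the in-addr.arpa zones needed for an arbitrary subnet, going beyond the single /24 case in the slides, and gives the zone and PTR label that ipconfig /registerdns will create for a host; the subnet values are constructed.

```python
import ipaddress


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names needed to cover `cidr`.

    The Windows Server 2003 New Zone wizard only accepts a Network ID of
    1, 2 or 3 octets, so zones fall on /8, /16 or /24 boundaries.  A /22
    therefore needs four /24 zones; a /28 is covered by its enclosing /24.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen < 8:
        raise ValueError("need an IPv4 prefix of /8 or longer")
    boundary = 24 if net.prefixlen > 16 else 16 if net.prefixlen > 8 else 8
    if net.prefixlen > boundary:
        blocks = [net.supernet(new_prefix=boundary)]      # e.g. /28 -> enclosing /24
    else:
        blocks = list(net.subnets(new_prefix=boundary))   # e.g. /22 -> four /24s
    zones = []
    for block in blocks:
        octets = str(block.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def ptr_record(ip, zones):
    """Return (zone, relative PTR name) for `ip`, or (None, None) if no zone
    in `zones` holds it; a host registering via ipconfig /registerdns needs one."""
    name = ipaddress.ip_address(ip).reverse_pointer       # e.g. 5.10.168.192.in-addr.arpa
    for zone in zones:
        if name.endswith("." + zone):
            return zone, name[: -len(zone) - 1]
    return None, None


if __name__ == "__main__":
    # Constructed example subnet; not a value from the deck.
    zones = reverse_zones("192.168.10.0/22")
    print(zones)
    print(ptr_record("192.168.11.5", zones))
```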
Add the second DC to the domain as described earlier
Start the AD installation with Start > Run > dcpromo > OK
Press Next
Select Additional domain controller... and hit Next
Enter the account details of a Domain Administrator in the existing domain
Press Next
Confirm every question with the settings as stated earlier and wait till the process is finished
Press Finish and reboot the new DC
On the second DC, dsa.msc is available as well and you can change the operations master by right-clicking the domain name and pressing Operations Master
Press Yes to continue with this setting (this is not recommended unless you want to migrate to a new server)
To synchronise the time of the root DC (the time source for every client) you have to create a batch file on the DC. Right-click the desktop and select New > Text Document
Enter the lines below and save the file as time_sync.bat:
    rem point the DC at an external NTP pool instead of its local clock
    w32tm /config /manualpeerlist:0.de.pool.ntp.org /syncfromflags:manual
    rem apply the new configuration to the running time service
    w32tm /config /update
    rem force an immediate resynchronisation
    w32tm /resync
To run this batch file automatically press Start > Control Panel > Scheduled Tasks > Add Scheduled Task
Press Next
Press Browse, select the batch file and select Daily
Perform the sync in the morning hours every day and hit Next
Enter the credentials of a Domain Administrator and hit Next
Press Finish to finalize
Check the task by right-clicking it and pressing Run