
Topic: Running Windows Server 2008 R2 – Installing and Creating the Lab Domain Controller

  
  1. #1

    Running Windows Server 2008 R2 – Installing and Creating the Lab Domain Controller

    Code:
    http://www.windowsnetworking.com/articles_tutorials/Running-Windows-Server-2008-R2-Installing-Creating-Lab-Domain-Controller-Part1.html

    PART-1


    Introduction

    It has been a long time since I have done one of those “old school” articles that starts from the beginning and does not assume that you are already a Windows Server pro. Over the last few years I have written hundreds of articles on much of the arcana of Windows computing. In most of these articles, I take a lot for granted in terms of what I expected you to know. I did that because there was some little trick, some hard to configure feature, or some obscure issue in configuration that I wanted to demonstrate. While all that stuff is pretty interesting to the three people who are interested in those issues, it sort of leaves everyone else out.
    A long, long time ago, in a world far away, this site was called “World of Windows Networking” or WOWN. During those days, the site was filled with a lot of articles that showed you how to get common Windows networking tasks done. This was a lot less of the Active Directory, Group Policy, installation and other non-networking complexities covered at that time. While the site has matured and focused more on experienced IT professionals, there is still some value in providing content for people entering into the business and who want to learn the basics.
    That got me to thinking about doing an article and perhaps a series from the ground up. What better time to try something like this than with the recent release of Windows Server 2008 R2? OK, so I thought I would do a basic “let’s install Windows Server 2008 R2” article—but then I thought “how about using this as a launch point for a broader series?” The more I thought about it, the better it sounded. Since there is a ton of great new networking and security features in Windows Server 2008 R2, why not start with building the lab network first, and then take you into all the cool features? That way we can be working with the same basic lab network and go through the long trip together.
    Let us do it. The first step is to pick the virtualization software of your choice. For this kind of lab network I prefer VMware Workstation. I do not have strong technical reasons for preferring VMware Workstation, I just prefer to use it because I have been using this application for almost a decade and know how it works. I do not have to learn a new language like I do with Hyper-V and it works nicely for me. However, if you want to use Hyper-V or ESX, those are good options too.
    As this series builds, I expect that we will need to be running up to 8 virtual machines at a time. Because of this, I recommend that you have a computer that can support at least 8 GB of RAM and has a quad core processor. For all the articles I will be writing in this series, I will be using a workstation that has 12 GB of DDR3 triple channel memory and a quad core Core i7 processor. If you are using any quad core Xeon or quad core Core 2 processor, you’ll be in good shape. Of course, AMD equivalents are good too.
    We will start with installing the first machine on our lab network. This is going to be a Windows Server 2008 R2 machine using one virtual processor and 512 MB of virtual memory. During the installation, I am going to use bridged networking on my virtual NIC. Some people like to use NAT, and that should be fine. The point is that you will want to be able to connect a live network so that you can access updates during the initial installation. After the initial installation is complete, we’ll move this virtual machine to another virtual network, since we want it to be placed behind a virtual TMG firewall. The TMG firewall VM will have the live network connection and all the other VMs will be located behind it.
    In VMware Workstation 6.5 I will create a new virtual machine and bind the Windows Server 2008 R2 .iso file to the CD drive so that it boots that .iso. When the machine first starts up, you will see the first page of the installation wizard that asks for what Language to install, Time and currency format and Keyboard or input method.
    Click Next after making your selections.

    Figure 1
    So much for introductions! The installer gives you the option to Install now. Let’s do it.

    Figure 2
    The .iso file actually has all the versions of Windows Server 2008 R2 on it and we can choose the option we want to install here. Note that you can even install the Server Core versions from here. I would rather pull a bobcat’s tail while in a phone booth with that cat, so we would not be doing a core installation. Let us choose the Windows Server 2008 R2 Enterprise (Full Installation) option and click Next.

    Figure 3
    Put a checkmark in the I accept the license terms checkbox on the license terms page and click Next.

    Figure 4
    Which type of installation do you want? Honestly, I want one that works and does what I tell it to do, but that is not a choice here. This is a clean install, so the upgrade option does not make sense. Click the Custom (advanced) option. Notice that there is no “Next” option on this page, just to throw you off a little bit.

    Figure 5
    Here you decide where you want to install the system files (which used to be called boot files in the past, but the new crew of Microsoft engineers did not take the Windows NT 4 MCSE training, so they do not know that with Windows NT based system and above, you boot the system files and you “system” the boot files). I created a 24 GB dynamic virtual disk file for the OS which will be more than enough room. Remember, with dynamic disk files they only use the space they need – they do not fully allocate all the space until it is needed.
    Click Next.

    Figure 6
    Yay! Installation is starting – and it is going to take a very long time. Give it an hour or two and come back and see what happened on your own installation.

    Figure 7
    During first log on the installer will ask you to create a password. Click OK when you see the display as it appears below.

    Figure 8
    Enter a password and confirm the password and do not click OK (because there is no OK to click). Instead, click that “arrow thing” that does not have a name, which sits to the right of the confirm password text box.

    Figure 9
    Very good! The password has been changed. Click OK.

    Figure 10
    You might remember the Initial Configuration Tasks window if you used Windows Server 2008. If you have not used Windows Server 2008 and are moving up from Windows Server 2003, the Initial Configuration Tasks window provides you access to many of the things you need to do once the operating system software is installed. After looking at some of the options in this window, you might notice that many of the options that you configured during installation for earlier versions of Windows are now configured here. The goal was to make for fewer inputs during installation and leave them for the end. Very nice!

    Figure 11
    From the Initial Configuration Tasks window, I will set the following:

    • Set time zone
    • Configure networking
    • Provide computer name and domain

    I will take care of the other stuff once I get this machine an IP address on the network. I will rename this computer FFWIN2008R2DC, since this is going to be a domain controller in my FFLAB domain. FF is short for “Forefront” as we’ll be doing a lot of Forefront testing on this lab network. The IP addressing information is:

    • IP address – 10.0.0.2
    • Default Gateway – 10.0.0.1
    • DNS – 10.0.0.2
    • WINS – 10.0.0.2

    Sure, we probably will not need WINS much, but you never know, and it is not like it is going to suck up a lot of memory or processor cycles in the lab environment. The default gateway will be a TMG 2010 firewall – which we will install in a later article.

    Promoting the Windows Server 2008 R2 Virtual Machine to a Domain Controller


    The next step is to make this machine a domain controller. If you are coming from the Windows Server 2003 world, you will find this step to be a lot different. Yes, you will still need to run dcpromo from the Run command, but there is a little twist here – you need to install the Active Directory Domain Controller role. Server roles are sort of a new concept in Windows Server 2008 – where major server services are considered “roles”. The Active Directory Domain Controller role is a bit different, because it is actually a two-step process to get the Active Directory DC installed: first you install the role and second you run dcpromo.
    Enter the Server Manager and click the Roles node in the left pane of the console. Then click the Add Roles link in the right pane.

    Figure 12
    This brings up the Before You Begin page. If this is the first time you have installed a role using the Server Manager, then go ahead and read the information on this page. If you are an old pro with the Server Manager, go ahead and click Next.

    Figure 13
    Here you select what Server Roles you want to install. We will install other Server Roles later, but we want the DC role installed first. Select Active Directory Domain Services by putting a checkmark in the checkbox. Notice that the wizard will show you a number of features that will be installed along with the Active Directory Server Role. Click the Add Required Features button to get those features installed with the Active Directory Server Role.

    Figure 14
    After selecting the Active Directory DC Server Role, you will see information about that Server Role. Some interesting things to note here:

    • You should install at least two DCs on your network for fault tolerance. Installing a single DC on a network is an invitation for disaster. However, since this is a lab network and we can take snapshots of our DCs, we’re not so concerned about this requirement.
    • DNS is required. However, when we run dcpromo, we will install the DNS server role to support Active Directory services.
    • You need to run dcpromo after installing the role. You won’t have to go through extra steps like this when installing other server roles, as the entire role installation can be done through the Server Manager. The Active Directory Domain Services role is the only one that takes two steps to get it installed.
    • Note that installing the Active Directory Domain Services Role also installs DFS Namespaces, DFS Replication and File Replication Services – all of these are used by Active Directory Domain Services so they’re automatically installed.


    Figure 15
    Click Install to install the files required to run dcpromo.

    Figure 16
    Yay! Installation was successful. Click Close.

    Figure 17
    Now go to the Start menu and type dcpromo in the search box. You will find it in the list as shown in the figure below. Click dcpromo.

    Figure 18
    This starts the Welcome to the Active Directory Domain Service Installation Wizard. We do not need advanced options in this scenario, so just click Next.

    Figure 19
    On the Operating System Compatibility page, you are warned that your NT and non-Microsoft SMB clients are going to have problems with some cryptographic algorithms used by Windows Server 2008 R2. We don’t have this problem on our lab network so just click Next.

    Figure 20
    On the Choose a Deployment Configuration page, select the Create a new domain in a new forest option. We do this because, of all reasons, this is a new domain in a new forest.

    Figure 21
    On the Name the Forest Root Domain page, enter the name of the domain in the FQDN of the forest root domain text box. In this example we are going to name the domain fflab.net. That is short for “Forefront Lab”. You can name it whatever you like, but if you use a name that is already in use on the Internet (that is to say, a name that has already been registered), then be aware of potential split naming issues. Click Next.

    Figure 22
    On the Set Forest Functional Level page, select the Windows Server 2008 R2 option (not the Windows Server 2003 option you see in the figure below). We want to select the Windows Server 2008 R2 option so that we can take advantage of all the cool new features included in Windows Server 2008 R2. Click Next.

    Figure 23
    On the Additional Domain Controller Options page, we have only a single choice: DNS server. The Global catalog option is checked and not an option because this is the only DC so far in this domain, so it has to be a Global Catalog server. The Read-only domain controller (RODC) option is deselected because you have to have another non-RODC on the network to enable this option. Select the DNS server option and click Next.

    Figure 24
    A dialog box will appear that says that a delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. The reason for this is that this is the first DC on the network. Don’t worry about this and click Yes to continue.

    Figure 25
    Leave the Database, Log Files and SYSVOL folder in their default locations and click Next.

    Figure 26
    On the Directory Service Restore Mode Administrator Password page, enter a strong password in the Password and Confirm password text boxes.

    Figure 27
    Confirm the information on the Summary page and click Next.

    Figure 28
    Active Directory will install. The first DC installs pretty quickly. Put a checkmark in the Reboot on completion checkbox so that the machine automatically reboots when DC installation is complete.

    Figure 29
    The machine will automatically restart since we selected that option. The installation will be complete when you log on. If I recall correctly, with Windows Server 2008, there was some configuration that took place after you logged on, but that is not happening with Windows Server 2008 R2.
    The DNS service was installed during Active Directory installation, so we do not need to worry about that. There are several other services we want to install on this domain controller. These include:

    • DHCP
    • WINS
    • Enterprise Certificate Services

    Unfortunately, only DHCP and Certificate Services are considered “roles”. The WINS service is considered a feature. I suppose they had a reason for this, but I was not at that meeting and did not get the memo.
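The two-step promotion walked through in Part 1 (install the Active Directory Domain Services role, then run dcpromo) can also be run unattended. The script below is an added example, not part of the original article: it writes a dcpromo answer file that mirrors the wizard choices above (new forest fflab.net, NetBIOS name FFLAB, Windows Server 2008 R2 functional level, DNS installed, no delegation, default paths). The answer-file location is an assumption, and the reboot is issued by the script rather than by dcpromo so that the file holding the restore-mode password can be deleted first.

```powershell
# Added example (not from the original article): unattended equivalent of the
# Add Roles + dcpromo wizard steps. Targets PowerShell 2.0 on Windows Server
# 2008 R2; run from an elevated prompt on the future domain controller.
Import-Module ServerManager

# Step 1 of the two-step process: install the AD DS role binaries.
$role = Add-WindowsFeature AD-Domain-Services
if (-not $role.Success) { throw 'AD DS role installation failed.' }

# Prompt for the DSRM password rather than storing it in the script.
$secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Assumed location: the per-user TEMP folder, which other accounts cannot read.
$answerFile = Join-Path $env:TEMP 'fflab-dcpromo.txt'
$answers = @"
[DCInstall]
; Create a new domain in a new forest
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=fflab.net
DomainNetbiosName=FFLAB
; 4 = Windows Server 2008 R2 functional level
ForestLevel=4
DomainLevel=4
; DNS server selected; no delegation (first DC, no parent zone to delegate from)
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
; Default database, log and SYSVOL locations
DatabasePath=$env:SystemRoot\NTDS
LogPath=$env:SystemRoot\NTDS
SYSVOLPath=$env:SystemRoot\SYSVOL
SafeModeAdminPassword=$dsrm
; The reboot is issued by this script after the answer file is deleted
RebootOnCompletion=No
"@

try {
    Set-Content -Path $answerFile -Value $answers -Encoding ASCII
    # Step 2: run dcpromo against the answer file and wait for it to finish.
    $p = Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:$answerFile" -Wait -PassThru
}
finally {
    # The file holds the DSRM password in clear text, so remove it either way.
    Remove-Item -Path $answerFile -ErrorAction SilentlyContinue
    Remove-Variable dsrm, answers
}

# Microsoft documents dcpromo exit codes 1 to 4 as success, 11 and above as failure.
if ($p.ExitCode -ge 1 -and $p.ExitCode -le 4) {
    Restart-Computer -Force
} else {
    Write-Error "dcpromo exited with code $($p.ExitCode); see $env:SystemRoot\debug\dcpromo.log"
}
```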






  2. #2
    Code:
    http://www.windowsnetworking.com/articles_tutorials/Running-Windows-Server-2008-R2-Installing-Creating-Lab-Domain-Controller-Part2.html
    PART-2

    Introduction

    OK, great! We got the domain controller going and the machine has rebooted. The next step is to install the key roles and services we need in order to get a basic enterprise level network going.
    What we will do here is use the Server Manager to install both the Certificate Services and DHCP server roles. Again, if you are used to the Windows 2003 way of doing things, you will find this to be a bit different. Maybe better? That is up to you to decide. I think there are some advantages to using Server Manager and maybe some disadvantages – but overall I think Microsoft did a good job with the Server Manager interface.
    To install the DHCP and Certificate Services roles, click the Roles node in the left pane of the console and then click Add Roles in the right pane.

    Figure 1
    Click Next to skip the Before You Begin page. On the Select Server Roles page, put a check in the Active Directory Certificate Services and DHCP Server checkboxes. Click Next.

    Figure 2
    The Server Manager will install the DHCP server first, and provides you some information about DHCP services. A couple of things to note:

    • You should configure at least one static IP address on the computer running DHCP. This is no problem for us, since this machine is a DC, so it already has a static IP address.
    • Before you install a DHCP Server, you should plan your subnets, scopes, and exclusions. So far, we only have a single IP subnet, so we do not have to do a lot of planning in this area. However, as our network grows, we might want to add more DHCP scopes. So far, we are only going to create a single DHCP scope.


    Figure 3
    The Server Manager found that a single static IP address is bound to this machine. We will use this address, so leave the checkmark in the checkbox.

    Figure 4
    Now the Server Manager wants to know what domain name should be assigned to DHCP clients. In our lab, we are using the fflab.net domain – so we will enter that into the Parent domain text box. In the Preferred DNS server IPv4 address text box, you need to enter the IP address of the DNS server that clients will use for name resolution. Notice that the local host address is entered by default. We cannot use that, because the clients will try to use themselves for DNS services, and that is not going to work. Enter 10.0.0.2, which is the IP address of the domain controller and DNS server. If we had a second DNS server on the network, we could add the IP address of the second DNS server in the Alternate DNS server IPv4 address text box. We might do this later, because it’s always a good idea to have at least two DNS servers (and for that matter, two domain controllers).

    Figure 5
    Next, the Server Manager asks about a WINS server address. We have not installed the WINS server yet, but we will later. The reason why we are not installing the WINS server now is that Microsoft considers WINS to be a feature, rather than a role, so we have to install WINS through the features installation routine. However, we know that the DC is also going to be a WINS server, so we will select the WINS is required for applications on this network option and then enter the IP address of the DC in the Preferred WINS server IP address text box.

    Figure 6
    DHCP assigns addresses from scopes. You need at least one scope to assign IP addresses to DHCP clients. In the Add Scope dialog box, enter a Scope Name (which can be anything you want – just make it descriptive so that you know the purpose and “scope” of the scope), Starting IP address, Ending IP address, Subnet type, Subnet mask and Default gateway (optional). In our example, we’ll enter the following:

    • Scope name Corpnet
    • Starting IP address 10.0.0.201
    • Ending IP address 10.0.0.225
    • Subnet type Wired (lease duration will be 8 days)
    • Activate this scope enabled
    • Subnet mask 255.255.255.0
    • Default gateway (optional) 10.0.0.1

    The default gateway will be the IP address that we will assign the TMG firewall when we install it later in this series.

    Figure 7
    The Server Manager shows the range of IP addresses you selected for the scope.

    Figure 8
    The next page asks about IPv6 addresses. Since we are probably going to use IPv6 later in this series, we want to think about how we’re going to handle IPv6 addresses. However, at this point we are not going to use DHCP to assign addresses to IPv6 clients. Because of that, we will select the Enable DHCPv6 stateless mode for this server. We might change this option later, but since we do not have any immediate use for DHCP for IPv6, we won’t enable it at this time.

    Figure 9
    On the next page, you will be asked about DHCP options for IPv6 clients. These settings are not going to be used since we are not using DHCP for IPv6 clients, so you can click Next.

    Figure 10
    Active Directory stores a list of DHCP servers that are authorized to service clients on the network. In order for DHCP servers to be functional on an Active Directory network, they need to be authorized in the Active Directory. On this page, you select what credentials you want to use to authorize the DHCP server in the Active Directory. Since we are logged on as a domain admin, we can select the option Use current credentials. If we were logged on with a non-domain admin account, we could select the Use alternate credentials and then provide them. Or, if we didn’t want to enable the DHCP server on the network at all, we could choose the Skip authorization of this DHCP server in Active Directory DS.

    Figure 11
    That is it for the DHCP server installation – the Server Manager has all the information it needs. Next, Server Manager will ask you a series of questions about Active Directory Certificate Services. As with all CAs, you need to know that the name and domain settings of the computer cannot be changed after the CA has been installed. Since we are installing the CA on a DC, this is not much of an issue.

    Figure 12
    On the next page, make sure there are checkmarks in the Certification Authority and Certification Authority Web Enrollment checkboxes. Notice that the Add Roles Wizard pops up a dialog box telling you that it will need to add a number of web related services to make the Web enrollment site work. Click Add Required Role Services to confirm that it’s OK to do this.

    Figure 13
    We now need to choose which type of CA to install: Enterprise or Standalone. Since we want to take advantage of autoenrollment for machine certificates and maybe user certificates later in this series, we will install an Enterprise CA.

    Figure 14
    In a production environment, your PKI infrastructure will likely have several CAs – a root CA and subordinate CAs that get their CA certificates from the root CA. However, in our network, we are only going to have a single CA, so that CA must be a root CA, which is the CA on the top of the hierarchy. Select the Root CA option.

    Figure 15
    Now we need to assign a private key to the CA that will be used to generate and issue certificates to clients. There are a couple of ways to do this – create a new private key, or use an existing private key that has already been assigned to another CA. Since this is a new PKI for a new network, the best option here is to Create a new private key. Select that option and move to the next page.

    Figure 16
    To create a new private key, you need to make several decisions. First, you need to choose a cryptographic service provider (CSP). Second you need to select a key length, and last you need to select a hash algorithm for signing the certificates. This can be a complex subject, and there are reasons for selecting different CSPs, key lengths and hash algorithms. We do not want to get into those complexities right now, so we will go with the defaults:

    • RSA#Microsoft Software Key Storage Provider
    • 2048 key length
    • SHA1 hash algorithm

    Use these defaults and move to the next page.

    Figure 17
    Now you need to assign a name to the CA. This can be the name of the server itself, but typically the common name is changed a bit to make it clear that this is a CA. In this example, we will name the CA FFWIN2008R2-CA. The Distinguished name suffix for this CA is DC=fflab, DC=net, representing the domain names of this CA. Use these values and click Next.

    Figure 18
    Now select how long the CA certificate should be valid for. The default value is 5 years, which is better than the 2 year default period with previous versions of Microsoft CA. At the end of this period, you will need to renew the CA certificate. If you don’t, then none of the certificates issued by the CA will be valid and you will feel a whole world of pain. Make a note of the CA expiration date and put it in your calendar so that you will renew the CA certificate in advance of its expiration date.

    Figure 19
    Use the default locations for the Certificate database location and Certificate database log location and click Next.

    Figure 20
    That’s it for the questions on CA configuration. Now the Server Manager wants to ask you a few things about IIS installation. The reason why Server Manager asks about IIS services is due to the fact that we chose to install the Web enrollment site. We do not plan to use this machine for other Web services, so the issues noted on this information page are not so much a concern for us at this time.

    Figure 21
    The role services required for the Web enrollment site are selected for you automatically. No need for you to figure these out for yourself. Nice! Click Next.

    Figure 22
    That is it! Server Manager has all the information it needs to install the DHCP and Certificate services. Confirm this in the dialog box that summarizes your configuration and click Install.

    Figure 23
    At the end of the installation, you should be seeing all green – Installation succeeded.

    Figure 24
    The last “core networking feature” we need to install is WINS. While WINS should be considered deprecated at this point, there may be some services that will benefit from it, and there might even be a few of them that require it in our lab series (although that is unlikely since we will focus on the new stuff throughout this Windows Server 2008 R2 series). Given that WINS has lost its luster, Microsoft decided to move it to a “feature” instead of a “Server Role”. No problem, it still installs from the Server Manager.
    Open the Server Manager and click the Features node in the left pane of the console. Then click the Add Features link in the right pane.

    Figure 25
    Put a checkmark in the WINS Server checkbox and click Next.

    Figure 26
    The information box informs you that WINS will be installed. Click Install.

    Figure 27
    Yay! It worked. The installation of the WINS server was successful.

    Figure 28
    Alright, our DC is now fully installed and ready to do the work of a DC, WINS, DHCP and certificate server. Now we can move to the next step of our infrastructure – installing the firewall so that the DC and all the other services that we install on our network can connect to the Internet. What firewall should we install? Of course, the Forefront Threat Management Gateway Firewall! Why? Because as we'll see later, the TMG firewall integrates with the Forefront Protection Manager, which will allow us to create proactive firewall policy in response to threats detected on our network. It is really cool and I can not wait to show you how that works.
    After we install the firewall, we will install a SharePoint Server and an Exchange Server. The SharePoint Server will be easy – just a single server. But I am not sure how to approach the Exchange installation yet. We want to make the discussion useful but not too complex. I am thinking that we will install the Exchange Edge Server role on the TMG firewall, and then create an Exchange Server that has all the other roles on it – however, it would be nice to create a separate Hub server, so that we can show how to install Forefront Protection for Exchange on Edge, Hub and Mailbox server roles. I will think about it and let you know when we get there.
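Part 2 accepts the wizard defaults for the CA key (Key Storage Provider, 2048-bit key, SHA1) and advises noting the CA certificate's expiration date. The script below is an added example, not part of the original article: it reads those settings back from the installed CA, warns when the CA certificate is inside a renewal window, and offers an opt-in switch of the issuing hash to SHA256, since SHA1 signatures are no longer accepted by current Windows and browser releases. The 180-day window and the function names are assumptions; the CA name is the one chosen in the post.

```powershell
# Added example (not from the original article). PowerShell 2.0, run elevated
# on the CA server. Function names and the warning window are assumptions.
$caName   = 'FFWIN2008R2-CA'   # CA common name chosen in the post
$warnDays = 180                # assumed lead time for renewing the CA certificate

function Get-CaSigningCert {
    param([string]$CommonName)
    # The CA's own certificate and key are in the machine's Personal store.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CommonName,*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Test-CaHealth {
    param([string]$CommonName, [int]$WarnDays)

    $cert = Get-CaSigningCert $CommonName
    if (-not $cert) { throw "No CA certificate with CN=$CommonName in LocalMachine\My." }

    # Certificate Services keeps its provider and hash settings under this key.
    $cspKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CommonName\CSP"
    $csp    = Get-ItemProperty -Path $cspKey
    $days   = [int]($cert.NotAfter - (Get-Date)).TotalDays

    if ($csp.CNGHashAlgorithm -eq 'SHA1') {
        Write-Warning 'New certificates and CRLs are being signed with SHA1.'
    }
    if ($days -lt $WarnDays) {
        Write-Warning "CA certificate expires in $days days ($($cert.NotAfter)); renew it."
    }

    New-Object PSObject -Property @{
        Subject         = $cert.Subject
        Provider        = $csp.Provider
        KeyLength       = $cert.PublicKey.Key.KeySize
        CaCertSignature = $cert.SignatureAlgorithm.FriendlyName
        IssuingHash     = $csp.CNGHashAlgorithm
        NotAfter        = $cert.NotAfter
        DaysLeft        = $days
    } | Select-Object Subject, Provider, KeyLength, CaCertSignature, IssuingHash, NotAfter, DaysLeft
}

function Set-CaIssuingHashSha256 {
    # Applies to certificates and CRLs signed after the service restarts.
    # Certificates already issued, and the existing CA certificate, keep the
    # signature they were created with until they are renewed.
    & certutil.exe -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
    Restart-Service certsvc
}

Test-CaHealth -CommonName $caName -WarnDays $warnDays | Format-List

# Opt-in change; uncomment after confirming every client in the lab validates SHA256.
# Set-CaIssuingHashSha256
```

Running the report from a scheduled task replaces the calendar reminder with a check that keeps working after the CA certificate is renewed.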



