Contents: Introduction; Building a Domain Controller for Your Lab; Installing Active Directory Snap-Ins
Introduction
This appendix describes how to set up a Microsoft Windows Server 2003 domain controller, also known as an Active Directory server. In a heterogeneous environment in which Active Directory supports UNIX clients, an Active Directory server can act as the Kerberos Key Distribution Center (KDC) for authentication and as the Lightweight Directory Access Protocol (LDAP) server for authorization for both Windows and UNIX clients.

Important: It is possible to install the DNS service on a different server than the domain controller, either Windows or UNIX, or to install DNS on the domain controller later, after you first install and configure the domain controller itself. For best results when developing or deploying a solution that enables UNIX clients to authenticate to Active Directory, the recommended practice is to install and configure Active Directory and DNS at the same time. The procedures in this guide were developed and tested in a lab in which DNS is configured on the domain controllers as part of the Active Directory installation process.
"Authentication and Authorization Technologies and Solution End States."

Building a Domain Controller for Your Lab

When setting up a development or test environment for the solutions included in this guide, the recommended practice is to install and configure at least two domain controllers so that you can test UNIX or Linux authentication and authorization under failover conditions. However, you will not be ready to install the second domain controller until after you finish the remaining activities necessary to set up your lab environment. These activities depend on which solution you choose to develop and deploy. For more information, see the section "Complete Other Setup Steps for Your Solution Before You Install the Second Domain Controller" later in this appendix.

Use the steps in the following subsections to install a domain controller that is running the Domain Name System (DNS) service and to create a test forest. This example assumes that you want to create a new Active Directory domain controller in its own forest and domain in your development environment and that you want to follow the recommended practice of installing DNS on the domain controller.
Active Directory Installation Wizard (dcpromo.exe)

Wizard Page | Action
Install or Configure DNS | ... DNS on this computer. Note: Typically, you see this wizard page if you run the Active Directory Installation Wizard (dcpromo.exe) right after installing the operating system on this computer.
New Domain Name | For Full DNS name for new domain, type the name of the test domain. If you want to match the example domain names used in the procedures in this guide, use the following domain names: for Quest Software VAS (Chapter 2), type fabrikam.com; for Centrify DirectControl (Chapter 3), type contoso.com; for a custom solution (Chapter 4), type example.com.
NetBIOS Domain Name | Verify that the domain name that you typed appears on this page.
Database and Log Folders | Accept the defaults.
Shared System Volume | Accept the defaults.
Permissions | Select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.
DNS Registration Diagnostics | Select Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server. Note: Typically, you see this wizard page if DNS was configured on this computer earlier. For example, if you earlier ran dcpromo and configured DNS, and then demoted the domain controller and removed DNS, you will see this page if you rerun dcpromo.
Directory Services Restore Mode Administrator Password | Type and confirm a password.
Summary | Review your selections, and then click Next to begin Active Directory installation. If you are prompted for the files dnsmgr.dll or dnsmgmt.msc, insert your Windows installation CD or navigate to a folder or network share that contains the i386 files. When the wizard completes, click Restart Now to restart the computer.
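The wizard choices in the table above can also be supplied to dcpromo unattended. The answer file below is an added example, not part of this guide; it follows the [DCInstall] answer-file format that dcpromo.exe accepts with the /answer switch, and it assumes the VAS example domain (fabrikam.com, NetBIOS name FABRIKAM) and the default database, log and SYSVOL paths on a C: system drive. The DSRM password value is a placeholder to replace.

```ini
; Added example (not from the guide): unattended equivalent of the wizard table.
; Run on the freshly installed server as:  dcpromo /answer:C:\dcpromo.txt
[DCInstall]
; New forest, new tree, new domain (Install or Configure DNS / New Domain Name pages)
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=fabrikam.com
; NetBIOS Domain Name page
DomainNetbiosName=FABRIKAM
; No DNS on the network yet; let dcpromo install and configure DNS on this computer
DNSOnNetwork=No
AutoConfigDNS=Yes
; Permissions page: "compatible only with Windows 2000 or Windows Server 2003"
AllowAnonymousAccess=No
; Database and Log Folders / Shared System Volume pages: defaults
DatabasePath=C:\WINDOWS\NTDS
LogPath=C:\WINDOWS\NTDS
SYSVOLPath=C:\WINDOWS\SYSVOL
; Directory Services Restore Mode Administrator Password page (placeholder value)
SafeModeAdminPassword=REPLACE_WITH_DSRM_PASSWORD
; Summary page: restart when the promotion succeeds
RebootOnSuccess=Yes
```

The file carries the Directory Services Restore Mode password in cleartext, so keep it on the local disk with an administrators-only ACL and delete it once the server has restarted as a domain controller.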
Configure DNS
Use the following procedure to complete the configuration for DNS.

To complete the DNS configuration

1. Configure the DNS Forward Lookup Zone. Open the DNS console in Administrative Tools, and then configure the following:

   Note: When you specified that dcpromo install DNS while installing Active Directory, the Active Directory wizard created a DNS Forward Lookup Zone that uses only secure updates for dynamic updates. Allowing nonsecure dynamic updates is not recommended for your production environment. However, here you set up a proof-of-concept lab in which UNIX-based computers cannot initially perform secure dynamic DNS updates because they cannot yet authenticate to the Active Directory domain.

   a. In the console tree, expand the DNS server name node, and then expand Forward Lookup Zones.
   b. In the console tree, right-click the appropriate forward lookup zone (fabrikam.com for Quest Software VAS, contoso.com for Centrify DirectControl, or example.com for a custom solution), and then click Properties.
   c. On the General tab, for Dynamic Updates, select Nonsecure and secure, click Apply, and then click OK.

2. Configure the DNS Reverse Lookup Zone. In the console tree, right-click Reverse Lookup Zones, click New Zone, and then complete the New Zone Wizard actions as shown in the following table.

   Table L.2. New Zone Wizard for DNS Reverse Lookup Zone

   Wizard Page | Action
   Zone Type | Select Primary Zone. Confirm that Store the zone in Active Directory (available only if DNS server is a domain controller) is selected.
   Active Directory Zone Replication Scope | Select To all domain controllers in the Active Directory domain DomainName.com.
   Reverse Lookup Zone Name | Select Network ID, and then type the network ID (for example, you might type 192.168.0).
   Dynamic Update | Select Allow both nonsecure and secure dynamic updates.
   Completing the New Zone Wizard | Click Finish.

3. Confirm that the zones are integrated with Active Directory. Click Forward Lookup Zones or Reverse Lookup Zones in the console tree, and then confirm that Type in the details pane displays Active Directory-Integrated Primary.

4. Configure (or confirm) DNS for the server's local network connection. Open Network Connections, right-click the local area connection, click Properties, and then configure the following:

   a. In Local Area Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
   b. For Preferred DNS server, type or confirm the localhost IP address, as shown in the following table.

   Table L.3. Configuring the Localhost IP Address for the DNS Server

   If You Saw This Dcpromo Wizard Page | Do This
   Install or Configure DNS | For Preferred DNS server, type 127.0.0.1.
   DNS Registration Diagnostics | For Preferred DNS server, confirm that 127.0.0.1 appears.

   c. Click OK.

5. Add UNIX hosts to DNS. When a Windows-based computer is joined to an Active Directory domain in which DNS is configured, the Windows-based computer is automatically added to DNS. However, you must add UNIX-based computers to DNS manually:

   a. Open DNS in Administrative Tools.
   b. In the console tree, expand the ComputerName node, expand Forward Lookup Zones, right-click the appropriate node (fabrikam.com for Quest Software VAS, contoso.com for Centrify DirectControl, or example.com for a custom solution), and then click New Host (A).
   c. In New Host, for Name, type the name of the UNIX host that you want to add. In IP address, type the IP address of the UNIX host, check the Create associated pointer (PTR) record box, and then click Add Host.
   d. When you see the message The host record HostName.DomainName.com was successfully created, click OK.
   e. Repeat steps a through d for each UNIX host that you want to add to your development environment.

6. Install Support Tools. You can install the Windows Support Tools from the Windows Server 2003 CD. For information about how to install this set of tools, see "Support Tools on the Windows CD" in Windows Server 2003 Help and Support Center.

   Note: By default, the installation program installs the support tools in the C:\Program Files\Support Tools folder. However, Windows Support Tools installation also puts the support tools folder in the path for all shell sessions. This means that, after you restart the server after installing the support tools, you can issue any of the support tool commands without changing to the directory where the commands are located.
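The DNS steps above (dynamic-update mode on the forward zone, the Active Directory-integrated reverse zone, the integration check, and the A and PTR records for UNIX hosts) can be scripted against the MicrosoftDNS WMI provider that the Windows DNS Server service exposes. The script below is an added example, not part of this guide or of the dcpromo tooling; it assumes that PowerShell is installed on the domain controller (the guide's own procedure is entirely GUI-based), uses the VAS example zone fabrikam.com and the network ID 192.168.0 from the tables above, and registers a constructed list of two UNIX hosts. It also adds a check the procedure itself does not show: a function that lists every zone still accepting nonsecure dynamic updates, which is the setting the note in step 1 says must not survive into production.

```powershell
# Added example (not from the guide): script the DNS lab configuration with the MicrosoftDNS
# WMI provider. Assumptions: PowerShell is present on the DC, the forward zone is the guide's
# VAS example (fabrikam.com), the lab network ID is 192.168.0, and $unixHosts is constructed data.
$server  = $env:COMPUTERNAME
$zone    = 'fabrikam.com'
$revZone = '0.168.192.in-addr.arpa'   # reverse zone for network ID 192.168.0 (Table L.2)
$ns      = 'root\MicrosoftDNS'

# Constructed sample UNIX hosts (name -> IP address) to register, as in step 5.
$unixHosts = @{ 'unix01' = '192.168.0.21'; 'unix02' = '192.168.0.22' }

# MicrosoftDNS_Zone.AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
$LabUpdates    = 1   # what steps 1 and 2 select for the proof-of-concept lab
$SecureUpdates = 2   # what dcpromo created and what production should keep

function Get-DnsZone([string]$name) {
    Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone -Filter "ContainerName='$name'"
}

# Step 2: create the Active Directory-integrated primary reverse lookup zone if it is missing.
if (-not (Get-DnsZone $revZone)) {
    $zoneClass = [wmiclass]"$ns:MicrosoftDNS_Zone"
    # CreateZone(ZoneName, ZoneType, DsIntegrated, DataFileName, IpAddr, AdminEmailName); ZoneType 0 = primary.
    [void]$zoneClass.CreateZone($revZone, 0, $true, $null, $null, $null)
}

# Steps 1 and 2: allow both nonsecure and secure dynamic updates on the two lab zones.
foreach ($name in $zone, $revZone) {
    $z = Get-DnsZone $name
    $z.AllowUpdate = $LabUpdates
    [void]$z.Put()
}

# Step 3: confirm that both zones are stored in Active Directory.
foreach ($name in $zone, $revZone) {
    $z = Get-DnsZone $name
    if (-not $z.DsIntegrated) { Write-Warning "$name is not Active Directory-integrated" }
}

# Step 5: add an A record and its associated PTR record for each UNIX host.
$aClass   = [wmiclass]"$ns:MicrosoftDNS_AType"
$ptrClass = [wmiclass]"$ns:MicrosoftDNS_PTRType"
foreach ($h in $unixHosts.GetEnumerator()) {
    $fqdn = "$($h.Key).$zone"
    # CreateInstanceFromPropertyData(DnsServerName, ContainerName, OwnerName, RecordClass, TTL, IPAddress); class 1 = IN.
    [void]$aClass.CreateInstanceFromPropertyData($server, $zone, $fqdn, 1, 3600, $h.Value)
    $lastOctet = $h.Value.Split('.')[3]
    # Same call for the PTR record; the last argument is the PTR target (the host's FQDN).
    [void]$ptrClass.CreateInstanceFromPropertyData($server, $revZone, "$lastOctet.$revZone", 1, 3600, $fqdn)
}

# Check before the lab configuration is reused anywhere else: every zone that still accepts
# nonsecure dynamic updates, so that AllowUpdate can be returned to $SecureUpdates once the
# UNIX hosts can authenticate to the domain.
function Get-NonsecureUpdateZone {
    Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone |
        Where-Object { $_.AllowUpdate -eq $LabUpdates } |
        Select-Object ContainerName, DsIntegrated, AllowUpdate
}
Get-NonsecureUpdateZone
```

Run the script on the domain controller itself from an account that is a Domain Admin (the WMI provider requires DNS administrator rights for the zone writes). The final function is the one worth keeping after the lab: with AllowUpdate set to 1, any host that can reach the DNS server can register or overwrite a record without authenticating, which is exactly why the note in step 1 limits that setting to the proof-of-concept environment.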
Complete Other Setup Steps for Your Solution Before You Install the Second Domain Controller
Installing and configuring a domain controller is only one of several activities that you must complete to prepare your lab for developing or testing one of the solutions in this guide. After optionally installing the Active Directory snap-ins (described next, in the section "Installing Active Directory Snap-Ins"), refer to the appropriate chapter for the remaining actions that you must take to prepare your development or test lab. You must complete the activities as described in the appropriate chapter before you will be ready to install your second domain controller:

- For the commercial VAS solution. Refer to the section "Preparing Your Environment" in Volume 2: Chapter 2, "Using Quest Software VAS to Develop, Stabilize, Deploy, Operate, and Evolve End State 2."
- For the commercial DirectControl solution. Refer to the section "Preparing Your Environment" in Volume 2: Chapter 3, "Using Centrify DirectControl to Develop, Stabilize, Deploy, Operate, and Evolve End State 2."
- For developing one of the custom solutions. Refer to the section "Preparing Your Environment" in Volume 2: Chapter 4, "Developing a Custom Solution."
- For testing one of the custom solutions. Refer to the section "Prepare Test Lab Environment" in Volume 2: Chapter 5, "Stabilizing a Custom Solution."

Only after completing the remaining activities as described in the appropriate chapter to prepare your lab will you be ready to repeat the steps in this section to build your second domain controller.
Installing Active Directory Snap-Ins

... are not domain controllers by using the instructions in "To add a snap-in to a new MMC console for a local computer" in Help and Support Center for Windows Server 2003. Alternatively, you can find the Help steps for "Add a snap-in to a new MMC console for a local computer" online at http://technet2.microsoft.com/WindowsServer/en/Library/4d38c08b-907f-410c-b26f5bd7481194bd1033.mspx.

1. Click Start, click Run, type mmc, and then click OK.
2. In the console window, click File, and then click Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click Add.
4. From the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box, select the snap-in that you want to install (in this case, select ADSI Edit), click Add, and then click Close.
5. In the Add/Remove Snap-in dialog box, click OK.
6. If you want to save this console for later use, in the console window, click File, click Save, and then in the Save As dialog box, type a name for the snap-in, and then click OK.