Introduction. Versions Used Windows Server 2003

Academic year: 2021

Introduction

As SonicWALL’s products and firmware keep gaining features that are based on integration with Active Directory (e.g., Active Directory Connector for the CSM appliance, LDAP integration for UTM Appliances, SSL-VPN and Email Security), more people will install Active Directory on their local server or on a server in a test environment.

This training document is a guideline on how to set up Microsoft Active Directory.

Versions Used

• Windows Server 2003

Setup Used

i. Server Name = martini

ii. Credentials: User = “Administrator”, Password = “password”

iii. IP Address: 10.1.1.101

iv. AD Setup: AD Domain Name = echofloor.com

v. AD Setup: NetBIOS Domain Name = echofloor

Prerequisites

Before Active Directory can be installed, a Domain Name System (DNS) server is required. Therefore, some knowledge of DNS is required. An integration of DNS and WINS (Windows Internet Naming Service) is not required but is best practice. Therefore knowledge of WINS is also a prerequisite. As this training involves changing TCP/IP settings, knowledge of TCP/IP is the next requirement. In this Tech Note, Microsoft terms will be used without explanation.

Microsoft Active Directory is dependent on a fully functional DNS server. This training will include a basic guide for how to install and set up Microsoft Windows 2003 DNS server to support Microsoft Active Directory.

Task List

• Install Windows 2003;

• Prepare Windows 2003 Server;

• Prepare TCP/IP Settings;

• Install WINS and DNS;

• Setup DNS;

• Install Active Directory;

• Setup Active Directory.

Install Windows 2003

This training assumes Windows 2003 Server is installed and that all drivers have been installed. Make sure that either a copy of the I386 directory from the Windows Server installation CD remains on the local hard drive, or the Windows Server installation CD is in the CD drive.

A Domain Controller must have a fixed IP so make sure that the server does not get an IP from a DHCP server. The server must be able to reach the Internet but DNS settings are not required as the server will be its own DNS server.

Prepare Windows 2003

The first step for installing Active Directory is to set the computer name and Primary DNS Suffix. The computer name and Primary DNS Suffix must be set from System Properties.

• From System Properties go to the Computer Name tab. On this tab the full computer name and the workgroup can be seen. Workgroup name is not important, as this will not be used;

• Computer name, membership and Primary DNS Suffix can be changed by clicking the Change button;

• The More button brings up the DNS Suffix and NetBIOS Computer Name dialog;

• In the Primary DNS Suffix of this computer field the Domain Name to be used by your DNS Server must be filled in, e.g. echofloor.com;

• After applying these settings the server needs to be restarted.

Prepare TCP/IP Settings

Once the proper name and DNS Suffix are set up, some adjustments have to be made to the TCP/IP settings. For this, go to the properties of the Primary Local Area Connection in Network Connections.

• Select Internet Protocol (TCP/IP) and click the Properties button;

• Make sure that the server has a static IP address and a Default Gateway. For Preferred DNS Server fill in the server’s IP address;

• Click the Advanced button to go to the advanced settings;

• On the WINS tab click the Add button to fill in the server’s IP address;

• Make sure that the Enable NetBIOS over TCP/IP option is selected.

Install WINS and DNS

DNS (Domain Name System) and WINS (Windows Internet Name Service) Server can be installed in a single pass. DNS and WINS are installable Windows components and need to be installed via Add/Remove Programs from Control Panel.

• From Windows Components select Networking Services;

• Click Details to select the Networking Services you want to install;

• Select Domain Name System (DNS) and Windows Internet Name Service (WINS).

Installing Windows components requires the I386 directory from the original Windows Server 2003 installation CD. If the CD is not in the CD drive, a popup will allow you to select the location of the I386 directory.

Once installation is complete, two additional Services and two additional Administrative Tools can be found on the server.

Setup DNS

In contrast to WINS, which does not need additional configuration, DNS setup consists of multiple steps. This training only covers setting up Microsoft DNS server to prepare for Microsoft Active Directory. More advanced Microsoft DNS Server configuration will be handled in a separate training.

Microsoft DNS Server is configured via DNS Manager. DNS Manager can be launched via the DNS shortcut within Administrative Tools.

The first step to set up Microsoft DNS server is to set up a Forward Lookup Zone. This can be done by selecting and right clicking Forward Lookup Zones and choosing the New Zone option.

• The first step is to select the Zone Type. Select Primary Zone;

• For Zone Name, fill in the Domain Name needed for the Domain, in this case echofloor.com;

• For Zone File, leave the option on Create a new file and leave the filename as it is;

Completing the New Zone Wizard will create the Forward Lookup Zone.

Once the Forward Lookup Zone is created, the next step is to create a Reverse Lookup Zone.

• For Reverse Lookup Zone Name, fill in the Network ID needed for the Domain. The network ID consists of the IP Subnet ID, in this case 10.1.1;

• For Zone File, leave the option on Create a new file and leave the filename as it is;

• On the Dynamic Update option, choose the Allow both nonsecure and secure option.

Completing the New Zone Wizard will create the Reverse Lookup Zone. As an option WINS and DNS can be integrated.

Integrating DNS and WINS

Integrating DNS and WINS server is not required, but can help with name resolving and is advised when using Microsoft Active Directory.

WINS Integration can be enabled on the Properties Dialog of a specific Zone.

• On the Properties of the Forward Lookup Zone go to WINS tab;

• Enable Use WINS forward lookup;

• Enter the IP Address of your WINS Server; in this case the server IP is 10.1.1.101.

• On the Properties of the Reverse Lookup Zone go to WINS-R tab;

• Enable Use WINS-R lookup;

Install Active Directory

Now that the preparations for Active Directory have been completed, the server can be set up as an Active Directory Domain Controller. This step is also called Promoting a server to Domain Controller.

• To promote a server to Domain Controller run DCPromo, from Start, Run. This will launch the Active Directory Installation Wizard;

• After reading the warning about Operating System Compatibility, setup can be started;

• On the New Domain Name dialog fill in the Full DNS Name for new domain. This is the same Domain Name used in setting up the Forward Lookup Zone in DNS Server. In this case echofloor.com;

• On the NetBIOS Domain Name choose a Domain Name as used in earlier versions of Windows. This is the Domain Name that will be seen in the Logon Screen for Windows clients and in the Logon Screen for Email Security when using Domain Login. In this case ECHOFLOOR;

• The last step in the wizard is to set the Permissions level. When pre-Windows 2000 Servers exist within the network, the Permissions compatible with pre-Windows 2000 option needs to be chosen. This option lowers part of the Windows Server security level. In this case choose this option.

After all the above options have been completed, a DNS Registration Diagnostics test will run. If these Diagnostics fail, Active Directory cannot be installed. The most probable cause for this is that the DNS Server has not been set up properly.

Possible causes:

• Primary DNS Suffix has not been configured;

• Preferred DNS Server IP has not been configured to the server’s own IP address;

• DNS Service is not started;

• Forward Lookup Zone does not allow Dynamic Updates.
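
The four causes listed above can be checked from a command prompt before DCPromo is run. The following batch script is an added example, not part of the original tech note; it uses this guide's lab values (echofloor.com, 10.1.1.101) and assumes dnscmd.exe from the Windows Support Tools is installed.

```bat
@echo off
rem Added example, not from the original tech note. Run on the server
rem before DCPromo. DOMAIN and SERVER_IP are this guide's lab values.
rem Assumption: dnscmd.exe (Windows Support Tools) is installed.
setlocal
set DOMAIN=echofloor.com
set SERVER_IP=10.1.1.101
set FAIL=0

rem Cause 1: Primary DNS Suffix has not been configured.
ipconfig /all | findstr /i /c:"Primary Dns Suffix" | findstr /i /l /c:"%DOMAIN%" >nul
if errorlevel 1 (
    echo [FAIL] Primary DNS Suffix is not %DOMAIN%
    set FAIL=1
) else (
    echo [ OK ] Primary DNS Suffix is %DOMAIN%
)

rem Cause 2: Preferred DNS Server is not the server's own IP address.
rem The "DNS Servers" line of ipconfig shows the preferred server first.
ipconfig /all | findstr /i /c:"DNS Servers" | findstr /l /c:"%SERVER_IP%" >nul
if errorlevel 1 (
    echo [FAIL] Preferred DNS Server is not %SERVER_IP%
    set FAIL=1
) else (
    echo [ OK ] Preferred DNS Server is %SERVER_IP%
)

rem Cause 3: DNS Service is not started. The service name is DNS.
sc query DNS | findstr /c:"RUNNING" >nul
if errorlevel 1 (
    echo [FAIL] DNS Server service is not running
    set FAIL=1
) else (
    echo [ OK ] DNS Server service is running
)

rem Cause 4: Forward Lookup Zone does not allow Dynamic Updates.
rem dnscmd reports AllowUpdate as 0 = none, 1 = nonsecure and secure,
rem 2 = secure only. A standard primary zone needs 1 here; read the
rem value from the output below.
echo Dynamic update setting of zone %DOMAIN%:
dnscmd . /ZoneInfo %DOMAIN% AllowUpdate

if "%FAIL%"=="1" echo Fix the failed items before running DCPromo.
endlocal & exit /b %FAIL%
```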

After choosing a Domain Administrator password Active Directory will be installed.

After the wizard is complete, the server needs to be restarted.

Note: Without restarting, Active Directory will not be active.

Note: A Domain Controller startup takes much longer than that of a normal server.

Once Active Directory has been successfully installed, a few direct changes can be found on the system. Active Directory will add five new Administrative Tools:

-Active Directory Users and Computers;

-Active Directory Sites and Services;

-Active Directory Domains and Trusts;

-Domain Security Policy;

-Domain Controller Security Policy.

The final steps for Active Directory Setup are to integrate Windows DNS Server and Active Directory. This is done by changing the properties of the Forward Lookup Zone and Reverse Lookup Zone:

• From the Forward Lookup Zone Properties click the Change button to change the Zone Type;

• Enable the Store the zone in Active Directory option;
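
Once both zones are stored in Active Directory, dynamic updates can be restricted to secure only, replacing the Allow both nonsecure and secure setting chosen when the zones were created. The batch fragment below is an added example, not part of the original tech note; it assumes dnscmd.exe from the Windows Support Tools is installed and uses this guide's zone names (echofloor.com and the reverse zone for network 10.1.1).

```bat
@echo off
rem Added example, not from the original tech note.
rem Assumption: dnscmd.exe (Windows Support Tools) is installed and both
rem zones are already Active Directory-integrated. Secure-only updates
rem are rejected for a zone that is still stored in a file.
for %%Z in (echofloor.com 1.1.10.in-addr.arpa) do (
    echo === %%Z ===
    rem Current value: 0 = none, 1 = nonsecure and secure, 2 = secure only.
    dnscmd . /ZoneInfo %%Z AllowUpdate
    rem Accept dynamic updates only from authenticated clients.
    dnscmd . /Config %%Z /AllowUpdate 2
    rem Read the value back to confirm the change.
    dnscmd . /ZoneInfo %%Z AllowUpdate
)
```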

Setup Active Directory

Once Active Directory is installed, it can be set up further for use. This chapter will cover a few basic tasks:

-Setup Sites and Services;

-Modify Domain Security Policy for ease of use;

-Setup an Organizational Unit (OU);

-Add a user.

Setup Sites and Services

Although modifying Sites and Services is not a requirement, it is an Administrative Task that will help to identify where each server is located. This is especially useful in a multi-site environment. With Sites and Services Inter-Site links are defined and Inter-Site Replication is defined. Settings changed in Sites and Services will be reflected in DNS Server and in Exchange Server.

Sites and Services can be set up from the Active Directory Sites and Services Manager tool.

• The first task is to rename Default-First-Site-Name to an appropriate Site Name; in this case EchoFloor-TestLab;

• The second task is to add the local Subnet, by right clicking Subnets and choosing New Subnet;

• In the New Object - Subnet dialog fill in the appropriate IP Address and Subnet Mask and select the Site this Subnet belongs to. In this case fill in 10.1.1.0 and 255.255.255.0 and choose EchoFloor-TestLab as site.

Modify Domain Security Policy

By default Windows Server 2003 uses a very strict Password Policy. By default passwords must meet a certain complexity requirement. This includes the requirement to have three out of the following four characteristics:

-Must contain lower case letters;

-Must contain upper case letters;

-Must contain numbers;

-Must contain non-alphanumeric characters like @#$%.

This behavior can be changed by modifying the Domain Security Policy.

Domain Security Policies can be modified with the Domain Security Policy manager.

Setup an Organizational Unit (OU)

Although using Organizational Units is not a requirement, it helps Administrators organize Active Directory users and is a requirement for Delegation of Control. In this training we will use Organizational Units to administratively separate the testlab users and groups from the Active Directory built-in users and groups. OUs can be created with the Active Directory Users and Computers manager.

Add a User

Now that Active Directory is installed and set up, users can be created. Users are managed with the Active Directory Users and Computers management tool. Users can be created in any of the available containers.

• Select the container or OU where you want the user to be created; in this case select EchoFloor;

• Right click on either the container or in the right pane and select New>User;

• In the New Object – User dialog fill in the User’s attributes:

o First name;

o Initials;

o Last name;

o Full name;

o User logon name: this is also called the User Principal;

o User logon pre-Windows 2000: this is the user login used when logging on to Domain Computers, SonicWALL Appliances and Email Security.

• Create a password and set password options.

Note: User logon name is NOT an email address.

When users are created, you can create groups in a similar manner, and add users to groups. After the Active Directory is filled with users and groups, the Active Directory is ready to be used.
