Windows Server 2008 Foundation Network Guide


  • 8/14/2019 Windows Server 2008 Foundation Network Guide


    Foundation Network Guide

    Microsoft Corporation

    Published: November, 2007

    Authors: James McIllece and Brit Weston

    Editor: Allyson Adley

    Technical Contributors: Shyam Seshadri

    Abstract

    The Windows Server 2008 Foundation Network Guide provides instructions on how to plan and deploy the core components required for a fully functioning network and a new Active Directory domain in a new forest. Using this guide, you can deploy computers configured with the following Windows server components:

    - The Active Directory Domain Services (AD DS) server role
    - The Domain Name System (DNS) server role
    - The Dynamic Host Configuration Protocol (DHCP) server role
    - The Network Policy Server (NPS) role service of the Network Policy and Access Services server role
    - The Windows Internet Name Service (WINS) feature
    - Transmission Control Protocol/Internet Protocol version 4 (TCP/IP) connections on individual servers

    This guide also serves as a foundation for companion guides that show you how to deploy additional network technologies in Windows Server 2008.


    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

    © 2007 Microsoft Corporation. All rights reserved.

    Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    All other trademarks are property of their respective owners.


    Contents

    Windows Server 2008 Foundation Network Guide
        Foundation Network Overview
        Foundation Network Planning
        Foundation Network Deployment
            Configuring All Servers
                Change the Administrator Password
                Rename the Computer
                Configure a Static IP Address
            Deploying AD-DNS-01
                Install AD DS and DNS for a New Forest
                Create a User Account in Active Directory Users and Computers
                Add a Group
                Assign Group Membership
                Configure a DNS Reverse Lookup Zone
            Joining Computers to the Domain and Logging On
                Join the Computer to the Domain
                Log on to the Domain
            Deploying WINS-01 (optional)
                Install Windows Internet Name Service (WINS)
            Deploying DHCP-01
                Install Dynamic Host Configuration Protocol (DHCP)
                Create an Exclusion Range in DHCP
                Authorize a DHCP Server in Active Directory Domain Services
                Activate a DHCP Scope
                Create a New DHCP Scope
            Deploying NPS-01 (optional)
                Install Network Policy Server (NPS)
        Additional Technical Resources
        Appendix A


    Windows Server 2008 Foundation Network Guide

    A foundation network is a collection of network hardware, devices, and software that provides the core services for your organization's information technology (IT) needs.

    A Windows Server foundation network provides you with many benefits, including the following.

    - Core protocols for network connectivity between computers and other Transmission Control Protocol/Internet Protocol (TCP/IP) compatible devices. TCP/IP is a suite of standard protocols for connecting computers and building networks. TCP/IP is network protocol software provided with Microsoft Windows operating systems that implements and supports the TCP/IP protocol suite.
    - Automatic IP addressing with Dynamic Host Configuration Protocol (DHCP). Manual configuration of IP addresses on all computers on your network is time-consuming and less flexible than dynamically providing computers and other devices with IP address leases from a DHCP server.
    - Name resolution services, such as Domain Name System (DNS) and Windows Internet Name Service (WINS). DNS and WINS allow users, computers, applications, and services to find the IP addresses of computers and devices on the network using the network basic input/output system (NetBIOS) name or Fully Qualified Domain Name of the computer or device.
    - A forest, which is one or more Active Directory domains that share the same class and attribute definitions (schema), site and replication information (configuration), and forest-wide search capabilities (global catalog).
    - A forest root domain, which is the first domain created in a new forest. The Enterprise Admins and Schema Admins groups, which are forest-wide administrative groups, are located in the forest root domain. In addition, a forest root domain, as with other domains, is a collection of computer, user, and group objects that are defined by the administrator in Active Directory Domain Services (AD DS). These objects share a common directory database and security policies. They can also share security relationships with other domains if you add domains as your organization grows. The directory service also stores directory data and allows authorized computers, applications, and users to access the data.
    - A user and computer account database. The directory service provides a centralized user accounts database that allows you to create user and computer accounts for people and computers that are authorized to connect to your network and access network resources, such as applications, databases, shared files and folders, and printers.

    A foundation network also allows you to scale your network as your organization grows and IT requirements change. For example, with a foundation network you can add domains, IP subnets, remote access services, wireless services, and other features and server roles provided by Windows Server 2008 and Windows Vista.


    About this guide

    This guide is designed for network and system administrators who are installing a new network or who want to create a domain-based network to replace a network that consists of workgroups. The deployment scenario provided in this guide is particularly useful if you foresee the need to add more services and features to your network in the future.

    It is recommended that you review design and deployment guides for each of the technologies used in this deployment scenario to assist you in determining whether this guide provides the services and configuration that you need.

    Network hardware requirements

    To successfully deploy a foundation network, you must deploy network hardware, including the following:

    - Ethernet, Fast Ethernet, or Gigabit Ethernet cabling
    - A hub, Layer 2 or 3 switch, router, or other device that performs the function of relaying network traffic between computers and devices.
    - Computers that meet the minimum hardware requirements for their respective client and server operating systems.

    Note

    This guide depicts the use of four server computers. In some cases, such as on small networks, you can use fewer servers. For example, you can install DHCP and WINS on the same server rather than on separate servers.

    What this guide does not provide

    This guide does not provide instructions for deploying the following:

    - Network hardware, such as cabling, routers, switches, and hubs
    - Additional network resources, such as printers and file servers
    - Internet connectivity
    - Remote access
    - Wireless access
    - Client computer deployment

    Note

    Client computers running Windows Vista and Windows XP are configured by default to receive IP address leases from the DHCP server. Therefore, no additional DHCP or Internet Protocol version 4 (IPv4) configuration of client computers is required.


    NetBIOS names are used by earlier versions of Windows operating systems to identify and locate computers and other shared or grouped resources required to register or resolve names for use on the network.

    NetBIOS names are a requirement for establishing networking services in earlier versions of Windows operating systems. Although the NetBIOS naming protocol can be used with network protocols other than TCP/IP (such as NetBEUI or IPX/SPX), WINS was designed specifically to support NetBIOS over TCP/IP (NetBT).

    WINS simplifies the management of the NetBIOS namespace in TCP/IP-based networks.

    NPS (optional)

    Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three features: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server.

    NPS is an optional component of a foundation network, but you should install NPS if any of the following are true:

    - You are planning to expand your network to include any remote access servers that are compatible with the RADIUS protocol, such as a computer running Windows Server 2008 and Routing and Remote Access service.
    - You plan to deploy NAP.
    - You plan to deploy 802.1X wired or wireless access.

    TCP/IP

    TCP/IP in Windows Server 2008 is the following:

    - Networking software based on industry-standard networking protocols.
    - A routable, enterprise networking protocol that supports the connection of your Windows-based computer to both local area network (LAN) and wide area network (WAN) environments.
    - Core technologies and utilities for connecting your Windows-based computer with dissimilar systems for the purpose of sharing information.
    - A foundation for gaining access to global Internet services, such as the World Wide Web and File Transfer Protocol (FTP) servers.
    - A robust, scalable, cross-platform, client/server framework.

    TCP/IP provides basic TCP/IP utilities that enable Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems, including:

    - Windows Vista
    - Windows Server 2003 operating systems
    - Windows XP
    - Internet hosts
    - Apple Macintosh systems
    - IBM mainframes
    - UNIX systems
    - Open VMS systems
    - Network-ready printers, such as HP LaserJet series printers that use HP JetDirect cards

    Foundation Network Overview

    The following illustration shows the components of a foundation network.

    Foundation Network Components

    Following are the components of a foundation network.

    Router

    This deployment guide provides instructions for deploying a foundation network with two subnets separated by a router that has DHCP forwarding enabled. You can, however, deploy a Layer 2 switch, a Layer 3 switch, or a hub, depending on your requirements and resources. If you deploy a switch, the switch must be capable of DHCP forwarding or you must place a DHCP server on each subnet. If you deploy a hub, you are deploying a single subnet and do not need DHCP forwarding or a second scope on your DHCP server.

    Static TCP/IP configurations

    All of the servers in this deployment are configured with static IPv4 addresses. Client computers are configured by default to receive IP address leases from the DHCP server.

    Global catalog and DNS server

    Both Active Directory Domain Services (AD DS) and Domain Name System (DNS) are installed on this server, providing directory and name resolution services to all computers and devices on the network.

    WINS server (optional)

    Installing Windows Internet Name Service (WINS) on your foundation network is optional. It is often difficult to determine whether applications and services require WINS for name resolution. In some cases, you might need WINS; in other cases, DNS might be the only name resolution service that you need on your network. Because WINS is low maintenance and is not processor-use intensive for medium and small networks, you can install WINS on the DHCP server in the event that applications or services need the service.

    DHCP server

    The Dynamic Host Configuration Protocol (DHCP) server is configured with a scope that provides Internet Protocol (IP) address leases to computers on the local subnet. The DHCP server can also be configured with additional scopes to provide IP address leases to computers on other subnets if DHCP forwarding is configured on routers.

    NPS server (optional)

    The Network Policy Server (NPS) server is installed as a preparatory step for deploying other network access technologies, such as virtual private network (VPN) servers, wireless access points, and 802.1X authenticating switches. In addition, installing NPS prepares your network for the deployment of Network Access Protection (NAP).

    Client computers

    Client computers running Windows Vista and Windows XP are configured by default as DHCP clients, which obtain IP addresses and DHCP options automatically from the DHCP server.

    Foundation Network Planning

    Before you deploy a foundation network, you must plan the following items.

    - Planning subnets
    - Planning basic configuration of all servers
    - Planning the deployment of AD-DNS-01
    - Planning domain access
    - Planning the deployment of WINS-01
    - Planning the deployment of DHCP-01
    - Planning the deployment of NPS-01

    The following sections provide more detail on each of these items.

    Planning subnets

    In Transmission Control Protocol/Internet Protocol (TCP/IP) networking, routers are used to interconnect the hardware and software used on different physical network segments called subnets. Routers are also used to forward IP packets between each of the subnets. Determine the physical layout of your network, including the number of routers and subnets you need, before proceeding with the instructions in this guide.

    In addition, to configure the servers on your network with static IP addresses, you must determine the IP address range that you want to use for the subnet where your foundation network servers are located. In this guide, the private IP address range 192.168.1.1 - 192.168.0.254 is used as an example, but you can use any private IP address range.

    The following recognized private IP address ranges are specified by Internet Request for Comments (RFC) 1918:

        10.0.0.0 - 10.255.255.255
        172.16.0.0 - 172.31.255.255
        192.168.0.0 - 192.168.255.255

    When you use the private IP address ranges as specified in RFC 1918, you cannot connect directly to the Internet using a private IP address because requests going to or from these addresses are automatically discarded by Internet service provider (ISP) routers. To add Internet connectivity to your foundation network later, you must contract with an ISP to obtain a public IP address.

    Important

    When using private IP addresses, you must use some type of proxy or network address translation (NAT) server to convert the private IP address ranges on your local network to a public IP address that can be routed.

    For more information, see Planning the deployment of DHCP-01.

    Planning basic configuration of all servers

    For each server in the foundation network, you must change the password for the Administrator account on the local computer, rename the computer, and assign and configure a static IP address for the local computer.

    Planning the Administrator account password

    For security reasons, it is important to create a password for the Administrator account and to use a strong password. In addition, it is recommended that you use a different Administrator account password for each server on your network.

    The following is an example of a strong password.

    Configuration item:       Example value:
    Administrator password    Example: J*p2leO4$F

    Note

    Strong passwords contain a minimum of 7 characters that consist of each of the following: uppercase letters (A, B, C), lowercase letters (d, e, f), numerals (0, 1, 2, 3), and keyboard symbols (' ~ ! @ # $ % | /).

    Planning naming conventions for computers and devices

    For consistency across your network, it is generally a good idea to use consistent names for servers, printers, and other devices. Computer names can be used to help users and administrators easily identify the purpose and location of the server, printer, or other device. For example, if you have three DNS servers, one in San Francisco, one in Los Angeles, and one in Chicago, you might use the naming convention server function-location-number:

    - DNS-SF-01. This name represents the DNS server in San Francisco. If additional DNS servers are added in San Francisco, the numeric value in the name can be incremented, as in DNS-SF-02 and DNS-SF-03.
    - DNS-LA-01. This name represents the DNS server in Los Angeles.
    - DNS-CH-01. This name represents the DNS server in Chicago.

    Choose a naming convention before you install your foundation network using this guide.

    Planning static IP addresses

    Before configuring each computer with a static IP address, you must plan your subnets and IP address ranges. In addition, you must determine the IP addresses of your DNS and WINS servers. If you plan to install a router that provides access to other networks, such as additional subnets or the Internet, you must know the IP address of the router, also called a default gateway, for static IP address configuration.

    The following table provides example values for static IP address configuration.

    Configuration items:      Example values:
    IP address                192.168.0.3
    Subnet mask               255.255.255.0
    Default gateway           192.168.0.10
    Preferred DNS server      192.168.0.1
    Alternate DNS server      192.168.0.7
    Preferred WINS server     192.168.0.2
    Alternate WINS server     192.168.0.8

    For more information, see Planning the deployment of DHCP-01.
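    A static IP plan can be checked before it is typed into each server. The following is an added example, not part of the original guide: it validates one server's planned values against the RFC 1918 ranges and the local subnet. The dictionary key names and the second, deliberately flawed plan are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the guide.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Preferred/alternate pairs: identical values give no redundancy.
SERVER_PAIRS = (("preferred_dns", "alternate_dns"),
                ("preferred_wins", "alternate_wins"))


def is_rfc1918(addr):
    """True if addr falls inside one of the three RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_static_plan(plan):
    """Return a list of problems in one server's static IPv4 plan (empty = OK)."""
    try:
        # ip_interface accepts "address/dotted-mask" and rejects
        # non-contiguous masks such as 255.255.0.255.
        iface = ipaddress.ip_interface(
            f"{plan['ip_address']}/{plan['subnet_mask']}")
        gateway = plan.get("default_gateway")
        gw = ipaddress.ip_address(gateway) if gateway else None
        peers = {key: ipaddress.ip_address(plan[key])
                 for pair in SERVER_PAIRS for key in pair if plan.get(key)}
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    problems = []
    subnet = iface.network
    if not is_rfc1918(iface.ip):
        problems.append(f"{iface.ip} is not an RFC 1918 private address")
    if iface.ip in (subnet.network_address, subnet.broadcast_address):
        problems.append(
            f"{iface.ip} is the network or broadcast address of {subnet}")

    if gw is not None:
        if gw not in subnet:
            problems.append(
                f"default gateway {gw} is not on the local subnet {subnet}")
        if gw == iface.ip:
            problems.append("default gateway is the server's own address")

    for key, peer in peers.items():
        # An off-subnet DNS or WINS server is only reachable through a router.
        if peer not in subnet and gw is None:
            problems.append(f"{key} {peer} is off-subnet and no gateway is set")
    for preferred, alternate in SERVER_PAIRS:
        if preferred in peers and peers.get(alternate) == peers[preferred]:
            problems.append(f"{alternate} is the same host as {preferred}")
    return problems


# Example values from the guide's static IP address table.
GUIDE_PLAN = {
    "ip_address": "192.168.0.3", "subnet_mask": "255.255.255.0",
    "default_gateway": "192.168.0.10",
    "preferred_dns": "192.168.0.1", "alternate_dns": "192.168.0.7",
    "preferred_wins": "192.168.0.2", "alternate_wins": "192.168.0.8",
}

# Constructed plan with three mistakes: broadcast address as the host
# address, gateway on another subnet, alternate DNS equal to preferred DNS.
BAD_PLAN = {
    "ip_address": "192.168.0.255", "subnet_mask": "255.255.255.0",
    "default_gateway": "192.168.1.10",
    "preferred_dns": "192.168.0.1", "alternate_dns": "192.168.0.1",
}

if __name__ == "__main__":
    for name, plan in (("guide", GUIDE_PLAN), ("bad", BAD_PLAN)):
        print(name, check_static_plan(plan) or "OK")
```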

    Planning the deployment of AD-DNS-01

    Following are key planning steps before installing Active Directory Domain Services (AD DS) and DNS on AD-DNS-01.

    Planning the name of the forest root domain

    A first step in the AD DS design process is to determine how many forests your organization requires. A forest is the top-level AD DS container, and consists of one or more domains that share a common schema and global catalog. An organization can have multiple forests, but for most organizations, a single forest design is the preferred model and the simplest to administer.

    When you create the first domain controller in your organization, you are creating the first domain (also called the forest root domain) and the first forest. Before you take this action using this guide, however, you must determine the best domain name for your organization. In most cases, the organization name is used as the domain name, and in many cases this domain name is registered. If you are planning to deploy Web servers for your customers or partners, choose a domain name and ensure that the domain name is not already in use.

    Planning the forest functional level

    While installing AD DS, you must choose the forest functional level that you want to use. Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to enable domain- or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available, depending on your environment.

    Forest functionality enables features across all the domains in your forest. The following forest functional levels are available:

    - Windows 2000. This forest functional level supports Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers.
    - Windows Server 2003. This forest functional level supports Windows Server 2003 domain controllers only.
    - Windows Server 2008. This forest functional level supports Windows Server 2008 domain controllers only.

    If you are deploying a new domain in a new forest and all of your domain controllers will be running Windows Server 2008, it is recommended that you configure AD DS with the Windows Server 2008 forest functional level during AD DS installation.

    Important

    After the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. For example, if you raise the forest functional level to Windows Server 2008, domain controllers running Windows 2000 Server or Windows Server 2003 cannot be added to the forest.

    Example configuration items for AD DS are provided in the following table.

    Configuration item: Full DNS name
        Example values: example.com, corp.example.com

    Configuration item: Forest functional level
        Windows 2000
            The Windows 2000 forest functional level provides all AD DS features that are available in Windows 2000 Server. If you have domain controllers running later versions of the Windows Server operating system, some advanced features will not be available on those domain controllers while this forest is at the Windows 2000 functional level.
        Windows Server 2003
            The Windows Server 2003 forest functional level provides all features that are available in Windows 2000 forest functional level, and the following additional features:
            - Linked-value replication, which improves the replication of changes to group memberships.
            - More efficient generation of complex replication topologies by the Knowledge Consistency Checker (KCC).
            - Forest trust, which allows organizations to easily share internal resources across multiple forests.
            Any new domains that are created in this forest will automatically operate at the Windows Server 2003 domain functional level.
        Windows Server 2008
            This forest functional level does not provide any new features over the Windows 2003 forest functional level. However, it ensures that any new domains created in this forest will automatically operate at the Windows Server 2008 domain functional level, which does provide unique features.
        Example values: Windows Server 2003, Windows Server 2008

    Configuration item: Active Directory Domain Services Database folder location
        Example values: E:\Configuration\ Or accept the default location.

    Configuration item: Active Directory Domain Services Log files folder location
        Example values: E:\Configuration\ Or accept the default location.

    Configuration item: Active Directory Domain Services SYSVOL folder location
        Example values: E:\Configuration\ Or accept the default location.

    Configuration item: Directory Restore Mode Administrator Password
        Example values: J*p2leO4$F

    Configuration item: Answer file name (optional)
        Example values: AD DS_AnswerFile

    Planning DNS zones

    In DNS, a forward lookup zone is created by default during installation. A forward lookup zone allows computers and devices to query for another computer's or device's IP address based on its DNS name. In addition to a forward lookup zone, it is recommended that you create a DNS reverse lookup zone. With a DNS reverse lookup query, a computer or device can discover the name of another computer or device using its IP address. Deploying a reverse lookup zone typically improves DNS performance and greatly increases the success of DNS queries.

    When you create a reverse lookup zone, the in-addr.arpa domain, which was defined in the DNS standards and reserved in the Internet DNS namespace to provide a practical and reliable way to perform reverse queries, is installed in DNS. To create the reverse namespace, subdomains within the in-addr.arpa domain are formed, using the reverse ordering of the numbers in the dotted-decimal notation of IP addresses.

    The in-addr.arpa domain applies to all TCP/IP networks that are based on Internet Protocol version 4 (IPv4) addressing. The New Zone Wizard automatically assumes that you are using this domain when you create a new reverse lookup zone.

    While you are running the New Zone Wizard, the following selections are recommended:

    Configuration Items                            Example values
    Zone type                                      Primary zone, and Store the zone in Active Directory is selected
    Active Directory Zone Replication Scope        To all DNS servers in this domain
    First Reverse Lookup Zone Name wizard page     IPv4 Reverse Lookup Zone
    Second Reverse Lookup Zone Name wizard page    Network ID = 192.168.0.
    Dynamic Updates                                Allow only secure dynamic updates
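    The reverse ordering described above can be worked through in code. The following is an added example, not part of the original guide: it derives the in-addr.arpa zone name from a Network ID written as in the table, and lists planned hosts whose PTR records would fall outside every planned reverse zone. The function names and the host on a second subnet (192.168.1.20) are constructed for illustration.

```python
import ipaddress


def reverse_zone_name(network_id):
    """Zone name for a Network ID such as '192.168.0.' (one to three octets)."""
    octets = [o for o in network_id.strip().split(".") if o]
    if not 1 <= len(octets) <= 3:
        raise ValueError("network ID must have one to three octets")
    for octet in octets:
        if not (octet.isascii() and octet.isdigit() and int(octet) <= 255):
            raise ValueError(f"bad octet {octet!r}")
    # in-addr.arpa subdomains use the octets in reverse order.
    return ".".join(str(int(o)) for o in reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(address):
    """DNS name that owns the PTR record for an IPv4 address."""
    return ipaddress.IPv4Address(address).reverse_pointer


def covering_zone(address, zones):
    """Return the most specific zone that would hold the PTR record, or None."""
    name = ptr_owner_name(address)
    # The leading dot stops '0.168.192...' from matching '10.168.192...'.
    matches = [z for z in zones if name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def hosts_without_reverse_zone(hosts, network_ids):
    """Hosts whose reverse lookups no planned zone can answer."""
    zones = [reverse_zone_name(n) for n in network_ids]
    return [h for h in hosts if covering_zone(h, zones) is None]


if __name__ == "__main__":
    # 192.168.0.x values come from the guide's tables; 192.168.1.20 is a
    # constructed host on a second subnet.
    hosts = ["192.168.0.1", "192.168.0.3", "192.168.1.20"]
    print(reverse_zone_name("192.168.0."))
    print(ptr_owner_name("192.168.0.3"))
    print(hosts_without_reverse_zone(hosts, ["192.168.0."]))
```

    A reverse zone created for Network ID 192.168.0. answers only for that subnet, so each additional subnet needs its own reverse lookup zone.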

    Planning domain access

    To log on to the domain, the computer must be a domain member computer and the user account must be created in AD DS before the logon attempt.

    Note

    You cannot log on to the domain with a user account that is located in the Security Accounts Manager (SAM) user accounts database on the local computer.

    After the first successful logon with domain logon credentials, the logon settings persist unless the computer is removed from the domain or the logon settings are manually changed.

    Before you log on to the domain:

    - Create user accounts in AD DS. Each user must have an Active Directory Domain Services user account in Active Directory Users and Computers. For more information, see Create a User Account in Active Directory Users and Computers.
    - Ensure IP address configuration. To join a computer to the domain, the computer must have an IP address. In this guide, servers are configured with static IP addresses and client computers receive IP address leases from the DHCP server. For this reason, the DHCP server must be deployed before you join clients to the domain. For more information, see Install Dynamic Host Configuration Protocol (DHCP).
    - Join the computer to the domain. Any computer that provides or accesses network resources must be joined to the domain. For more information, see Join the Computer to the Domain.


    Planning the deployment of WINS-01

    If you determine that you need to deploy WINS as well as DNS on your network, you must plan how many WINS servers to deploy.

    - On smaller networks, a single WINS server can adequately service up to 10,000 clients for NetBIOS name resolution requests. To provide additional fault tolerance, you can configure a second computer running Windows Server 2008 as a secondary, or backup, WINS server for clients. If you use only two WINS servers, you can easily configure them as replication partners. For simple replication between two servers, one server should be set as a pull partner and the other as a push partner. Replication can be either manual or automatic.
    - Large networks sometimes require more WINS servers for several reasons including, most importantly, the number of client connections per server. The number of users that each WINS server can support varies with usage patterns, data storage, and the processing capabilities of the WINS server computer.

    When planning your servers, remember that each WINS server can simultaneously handle hundreds of registrations and queries per second.

    Planning the deployment of DHCP-01

    Following are key planning steps before installing the DHCP server role on DHCP-01.

    Planning DHCP servers and DHCP forwarding

    Because DHCP messages are broadcast messages, they are not forwarded between subnets by routers. If you have multiple subnets and want to provide DHCP service for each subnet, you must do one of the following:

    - Install a DHCP server on each subnet
    - Configure routers to forward DHCP broadcast messages across subnets and configure multiple scopes on the DHCP server, one scope per subnet.

    In most cases, configuring routers to forward DHCP broadcast messages is more cost effective than deploying a DHCP server on each physical segment of the network.

    Planning IP address ranges

    Each subnet must have its own unique IP address range. These ranges are represented on a DHCP server with scopes.

    A scope is an administrative grouping of IP addresses for computers on a subnet that use the DHCP service. The administrator first creates a scope for each physical subnet and then uses the scope to define the parameters used by clients.

    A scope has the following properties:

    • A range of IP addresses from which to include or exclude addresses used for DHCP service lease offerings.
    • A subnet mask, which determines the subnet for a given IP address.
    • A scope name assigned when it is created.
    • Lease duration values, which are assigned to DHCP clients that receive dynamically allocated IP addresses.
    • Any DHCP scope options configured for assignment to DHCP clients, such as DNS server IP address, router/default gateway IP address, and WINS server IP address.
    • Reservations are optionally used to ensure that a DHCP client always receives the same IP address.

    Before deploying your servers, list your subnets and the IP address range you want to use for each subnet.

    Planning subnet masks

    Network IDs and host IDs within an IP address are distinguished by using a subnet mask. Each subnet mask is a 32-bit number that uses consecutive bit groups of all ones (1) to identify the network ID and all zeroes (0) to identify the host ID portions of an IP address.

    For example, the subnet mask normally used with the IP address 131.107.16.200 is the following 32-bit binary number:

    11111111 11111111 00000000 00000000

    This subnet mask number is 16 one-bits followed by 16 zero-bits, indicating that the network ID and host ID sections of this IP address are both 16 bits in length. Normally, this subnet mask is displayed in dotted decimal notation as 255.255.0.0.

    The following table displays subnet masks for the Internet address classes.

    Address class    Bits for subnet mask                   Subnet mask
    Class A          11111111 00000000 00000000 00000000    255.0.0.0
    Class B          11111111 11111111 00000000 00000000    255.255.0.0
    Class C          11111111 11111111 11111111 00000000    255.255.255.0

    When you create a scope in DHCP and you enter the IP address range for the scope, DHCP provides these default subnet mask values. Typically, default subnet mask values (as shown in the preceding table) are acceptable for most networks with no special requirements and where each IP network segment corresponds to a single physical network.

    In some cases, you can use customized subnet masks to implement IP subnetting. With IP subnetting, you can subdivide the default host ID portion of an IP address to specify subnets, which are subdivisions of the original class-based network ID.

    By customizing the subnet mask length, you can reduce the number of bits that are used for the actual host ID.


    To prevent addressing and routing problems, you should make sure that all TCP/IP computers on a network segment use the same subnet mask and that each computer or device has a unique IP address.

    Planning exclusion ranges

    You can exclude IP addresses from distribution by the DHCP server by creating an exclusion range for each scope. You should use exclusions for all devices that are configured with a static IP address. The excluded addresses should include all IP addresses that you assigned manually to other servers, non-DHCP clients, diskless workstations, or Routing and Remote Access and PPP clients.

    It is recommended that you configure your exclusion range with extra addresses to accommodate future network growth. The following table provides an example exclusion range for a scope with an IP address range of 192.168.0.1 - 192.168.0.254.

    Configuration items:                Example values:
    Exclusion range Start IP Address    192.168.0.1
    Exclusion range End IP Address      192.168.0.15

    Planning TCP/IP static configuration

    Certain devices, such as routers, DHCP servers, and DNS servers, must be configured with a static IP address. In addition, you might have additional devices, such as printers, that you want to ensure always have the same IP address. List the devices that you want to configure statically for each subnet, and then plan the exclusion range you want to use on the DHCP server to ensure that the DHCP server does not lease the IP address of a statically configured device. An exclusion range is a limited sequence of IP addresses within a scope, excluded from DHCP service offerings. Exclusion ranges assure that any addresses in these ranges are not offered by the server to DHCP clients on your network.

    For example, if the IP address range for a subnet is 192.168.0.1 through 192.168.0.254 and you have ten devices that you want to configure with a static IP address, you can create an exclusion range for the 192.168.0.x scope that includes ten or more IP addresses: 192.168.0.1 through 192.168.0.15.

    In this example, you use ten of the excluded IP addresses to configure servers and other devices with static IP addresses and five additional IP addresses are left available for static configuration of new devices that you might want to add in the future. With this exclusion range, the DHCP server is left with an address pool of 192.168.0.16 through 192.168.0.254.

    Additional example configuration items for AD DS and DNS are provided in the following table.

    Configuration items:                  Example values:

    Network Connect Bindings              Local Area Connection 2
    DNS Server Settings                   AD-DNS-01
    Preferred DNS server IP address       192.168.0.1
    Alternate DNS server IP Address       192.168.0.6
    WINS Server Settings, specify the     192.168.0.2
      IP address of your preferred WINS
      server, only if WINS is deployed
      on the network.
    Alternate WINS server IP Address      192.168.0.12
      Note: Specify the IP address of
      your alternate WINS server only
      if an alternate WINS server is
      deployed on the network.
    Add Scope dialog box values:
      Scope Name                          Primary Subnet
      Starting IP Address                 192.168.0.1
      Ending IP Address                   192.168.0.254
      Subnet Mask                         255.255.255.0
      Default Gateway (optional)          192.168.0.11
      Subnet Type                         Wired (Lease duration will be 6 days)
    IPv6 DHCP Server Operation Mode       Not enabled
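
    A planning check for the scope and exclusion range described above, as an added Python example that is not part of the original guide: it computes the address pool left to the DHCP server and flags statically configured addresses that the server could still lease to a client. The function names and the entries marked constructed are assumptions; the other addresses are the example values from the tables above.

```python
import ipaddress


def _ip(text):
    return ipaddress.IPv4Address(text)


def address_pool(scope, exclusion):
    """Return the (first, last) address ranges the DHCP server can still lease."""
    start, end = map(_ip, scope)
    x_start, x_end = map(_ip, exclusion)
    if not start <= x_start <= x_end <= end:
        raise ValueError("exclusion range must lie inside the scope range")
    pool = []
    if x_start > start:                      # addresses below the exclusion range
        pool.append((str(start), str(x_start - 1)))
    if x_end < end:                          # addresses above the exclusion range
        pool.append((str(x_end + 1), str(end)))
    return pool


def audit_scope(plan):
    """Return (address, role, problem) findings for statically configured devices."""
    # strict=False lets the scope's first address stand in for the network ID.
    # A non-contiguous subnet mask raises ipaddress.NetmaskValueError here.
    network = ipaddress.IPv4Network(f"{plan['scope'][0]}/{plan['mask']}", strict=False)
    start, end = map(_ip, plan["scope"])
    x_start, x_end = map(_ip, plan["exclusion"])
    findings, seen = [], {}
    for role, text in plan["static"]:
        addr = _ip(text)
        if addr in seen:
            findings.append((text, role, f"duplicate of {seen[addr]}"))
        seen.setdefault(addr, role)
        if addr not in network:
            findings.append((text, role, f"not on subnet {network}"))
        elif addr in (network.network_address, network.broadcast_address):
            findings.append((text, role, "network or broadcast address"))
        elif start <= addr <= end and not x_start <= addr <= x_end:
            findings.append((text, role, "leasable: outside the exclusion range"))
    return findings


# Example values taken from the guide's tables (roles as named there).
PAGE_PLAN = {
    "scope": ("192.168.0.1", "192.168.0.254"),
    "mask": "255.255.255.0",
    "exclusion": ("192.168.0.1", "192.168.0.15"),
    "static": [
        ("preferred DNS server", "192.168.0.1"),
        ("preferred WINS server", "192.168.0.2"),
        ("alternate DNS server", "192.168.0.6"),
        ("default gateway", "192.168.0.11"),
        ("alternate WINS server", "192.168.0.12"),
    ],
}

# Constructed plan with three deliberate mistakes, to show what the audit reports.
BAD_PLAN = dict(PAGE_PLAN, static=PAGE_PLAN["static"] + [
    ("printer (constructed)", "192.168.0.40"),
    ("file server (constructed)", "192.168.0.6"),
    ("router (constructed)", "10.0.0.1"),
])

if __name__ == "__main__":
    print("address pool:", address_pool(PAGE_PLAN["scope"], PAGE_PLAN["exclusion"]))
    for finding in audit_scope(BAD_PLAN):
        print("finding:", finding)
```

    Run the audit again whenever a device is given a static address, so that an infrastructure address such as a DNS server or default gateway never ends up in the pool offered to clients.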

    Planning the deployment of NPS-01

    If you intend to deploy network access servers, such as wireless access points or VPN servers, after deploying your foundation network, it is recommended that you deploy NPS.

    When you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server, NPS performs authentication and authorization for connection requests through your network access servers. NPS also allows you to centrally configure and manage network policies that determine who can access the network, how they can access the network, and when they can access the network.

    Following are key planning steps before installing NPS.

    • Plan the user accounts database. By default, if you join the server running NPS to an Active Directory domain, NPS performs authentication and authorization using the AD DS user accounts database. In some cases, such as with large networks that use NPS as a RADIUS proxy to forward connection requests to other RADIUS servers, you might want to install NPS on a non-domain member computer.
    • Plan the use of Network Access Protection (NAP). With some NAP enforcement methods, it is required that you install NPS on a specific server. For example, if you deploy NAP with DHCP, NPS must be installed on the DHCP server.
    • Plan RADIUS accounting. NPS allows you to log accounting data to a SQL Server database or to a text file on the local computer. If you want to use SQL Server logging, plan the installation and configuration of your server running SQL Server.

    Foundation Network Deployment

    To deploy a foundation network, the basic steps are as follows:

    1. Configuring All Servers

    2. Deploying AD-DNS-01

    3. Joining Computers to the Domain and Logging On

    4. Deploying WINS-01 (optional)

    5. Deploying DHCP-01

    6. Deploying NPS-01 (optional)

    Note

    The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

    Configuring All Servers

    Before installing other technologies, such as DHCP or WINS, it is important to configure the following items.

    • On each server computer running Windows Server 2008, create a password for the Administrator account. Upon installation of Windows Server 2008, you are required to create a password for the Administrator account. If you have already created a password and want to change it, see Change the Administrator Password.
    • Rename the Computer
    • Configure a Static IP Address

    You can use the following sections to perform these actions for each server.

    Change the Administrator Password

    You can use these procedures to change the password for the Administrator account on the local computer running Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP.


    Procedures for changing Administrator passwords

    This topic provides procedures to change the Administrator password on computers running the following operating systems:

    • Windows Server 2008
    • Windows Vista
    • Windows Server 2003
    • Windows XP

    Windows Server 2008

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    To change the Administrator password in Windows Server 2008

    1. Log on to the computer using the Administrator account.

    2. Click Start, click Control Panel, and then double-click User Accounts.

    3. In User Accounts, in Make changes to your user account, click Change your password.

    4. In Change your password, in Current Password, type your password.

    5. In New password, type a new password.

    6. In Confirm new password, retype the password.

    7. In Type a password hint, type a word or phrase that will remind you of your password or, optionally, leave this field blank.

    8. Click Change password.

    Windows Vista

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    To change the Administrator password in Windows Vista

    1. Log on to the computer using the Administrator account.

    2. Click Start, click Control Panel, and then click User Accounts.

    3. In User Accounts, click Add or remove user accounts. The User Account Control dialog box opens, and requests your permission to continue. Click Continue.

    4. In Choose the account you would like to change, select the account you want to change, and then click Create a password.

    Note

    If you have previously created a password for the account, the text that appears in this step is Change the password.

    5. If Current password is displayed, in Current password, type the password that you used when you logged on to the computer.

    6. In New password, type a new password.


    7. In Confirm new password, retype the password.

    8. In Type a password hint, type a word or phrase that will remind you of your password or, optionally, leave this field blank.

    9. Click Create password or Change password.

    Note

    If this is the first time you have created a password for the Administrator account, the text that appears in the last step is Create password. If you previously created a password and are changing that password to a new one, the text that appears in the last step is Change password.

    Windows Server 2003

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    To change the Administrator password in Windows Server 2003

    1. Log on to the computer using the Administrator account.

    2. Click Start, right-click Control Panel, and then click Open. Control Panel opens.

    3. Double-click Computer Management, click Local Users and Groups, and in the details pane, double-click Users. The Users folder opens.

    4. In the details pane, right-click the account that you want to change, and click Set Password. A warning dialog box opens. Read the information to determine whether you want to proceed with the step to change the password.

    5. In New Password, type a password. In Confirm password, retype the password, and then click OK.

    Windows XP

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    To change the Administrator password in Windows XP

    1. Log on to the computer using the Administrator account.

    2. Click Start, click Control Panel, and then double-click User Accounts. The User Accounts dialog box opens.

    3. In User Name, select the account that you want to change, and then click Reset Password. In New password, type a new password, and in Confirm new password, retype the password, and then click OK.

    Rename the Computer

    You can use the procedures in this topic to provide computers running Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP with a different computer name.


    Procedures for renaming computers

    This topic provides procedures to rename computers running the following operating systems:

    • Windows Server 2008 and Windows Vista
    • Windows Server 2003 and Windows XP

    Windows Server 2008 and Windows Vista

    Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

    To rename computers running Windows Server 2008 and Windows Vista

    1. Click Start, right-click Computer, and then click Properties. The System dialog box opens.

    2. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens.

    Note

    On computers running Windows Vista, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed.

    3. Click Change. The Computer Name/Domain Changes dialog box opens.

    4. In Computer Name, type the name for your computer. For example, if you want to name the computer AD-DNS-01, type AD-DNS-01.

    5. Click OK twice, click Close, and then click Restart Now to restart the computer.

    Windows Server 2003 and Windows XP

    Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

    To rename computers running Windows Server 2003 and Windows XP

    1. Click Start, right-click My Computer, and then click Properties. The System Properties dialog box opens.

    2. Click Computer Name, and then click Change. The Computer Name Changes dialog box opens.

    3. In Computer name, type the name for your computer. For example, if you want the computer named Client-01, type Client-01.

    4. Click OK. The System Setting Changes dialog box opens, indicating that you must restart the computer before the changes take effect.

    5. Click OK, click OK again to close the dialog box, and then click Yes to restart the computer.


    Configure a Static IP Address

    You can use the procedures in this topic to configure the Internet Protocol version 4 (IPv4) properties of a network connection with a static IP address for computers running Windows Server 2008, or for computers running Windows Server 2003.

    Procedures for configuring static IP addresses

    This topic provides procedures for configuring static IP addresses on computers running the following operating systems:

    • Windows Server 2008
    • Windows Server 2003

    Windows Server 2008

    Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

    To configure a static IP address on a computer running Windows Server 2008

    1. Click Start, and then click Control Panel.

    2. In Control Panel, verify that Classic View is selected, and then double-click Network and Sharing Center.

    3. In Network and Sharing Center, in Tasks, click Manage Network Connections.

    4. In Network Connections, right-click the network connection that you want to configure, and then click Properties.

    5. In Local Area Connection Properties, in This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens.

    6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use.

    7. Press tab to place the cursor in Subnet mask. A default value for subnet mask is entered automatically. Either accept the default subnet mask, or type the subnet mask that you want to use.

    8. In Default gateway, type the IP address of your default gateway.

    9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer.

    10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer.

    11. Click OK, and then click Close.

    Windows Server 2003


    Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

    To configure a static IP address on a computer running Windows Server 2003

    1. Click Start, click Control Panel, right-click Network Connections, and then click Open.

    2. In Network Connections, right-click the network connection that you want to configure, and then click Properties.

    3. In Local Area Connection Properties, in This Connection uses the following Items, select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol (TCP) Properties dialog box opens.

    4. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use.

    5. In Subnet mask, either accept the default subnet mask, or type the subnet mask that you want to use.

    6. In Default gateway, type the IP address of your default gateway.

    7. In Preferred DNS server, type the IP address of your DNS server.

    8. In Alternate DNS Server, type the IP address of your alternate DNS server, if any.

    9. Click OK, and then click Close.

    Deploying AD-DNS-01

    To deploy AD-DNS-01, which is the computer running Active Directory Domain Services (AD DS) and DNS, you must complete these steps in the following order:

    • Perform the steps in the section Configuring All Servers.
    • Install AD DS and DNS for a New Forest
    • Create a User Account in Active Directory Users and Computers
    • Add a Group
    • Assign Group Membership
    • Configure a DNS Reverse Lookup Zone

    Administrative privileges

    If you are installing a small network and are the only administrator for the network, it is recommended that you create a user account for yourself, and then add your user account as a member of both Enterprise Admins and Domain Admins. Doing so will make it easier for you to act as the administrator for all network resources. It is also recommended that you log on with this account only when you need to perform administrative tasks, and that you create a separate user account for performing non-IT related tasks.

    If you have a larger organization with multiple administrators, refer to AD DS documentation to determine the best group membership for organization employees.

    Domain user accounts vs. user accounts on the local computer

    One of the advantages of a domain-based infrastructure is that you do not need to create user accounts on each computer in the domain. This is true whether the computer is a client computer or a server.

    Because of this, you should not create user accounts on each computer in the domain. Create all user accounts in Active Directory Users and Computers and use the preceding procedures to assign group membership. By default, all user accounts are members of the Domain Users group.

    After you have joined a computer to the domain, members of the Domain Users group can log on to any domain member client computer.

    Note

    Members of the Domain Users group cannot log on to computers running Windows Server 2008.

    You can configure user accounts to designate the days and times that the user is allowed to log on to the computer. You can also designate which computers each user is allowed to use. To configure these settings, open Active Directory Users and Computers, locate the user account that you want to configure, and double-click the account. In the user account Properties, click the Account tab, and then click either Logon Hours or Log On To.

    Install AD DS and DNS for a New Forest

    You can use this procedure to install Active Directory Domain Services (AD DS) and DNS and to create a new domain in a new forest.

    Membership in Administrators is the minimum required to perform this procedure.


    To install Active Directory Domain Services and DNS

    1. Do one of the following:

    a. In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens.

    b. Click Start, and then click Server Manager. In Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.

    2. In Before You Begin, click Next.

    Note

    The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.

    3. In Select Server Roles, in Roles, select Active Directory Domain Services, and then click Next.

    4. In Active Directory Domain Services, click Next.

    5. In Confirm Installation Selections, click Install. The Installation Progress page opens during installation.

    6. When installation is complete, in Installation Results, review the information, and then click Close this wizard and launch the Active Directory Domain Services Installation Wizard. The Add Roles Wizard closes and the Active Directory Domain Services Installation Wizard opens. Click Next.

    7. In Choose a Deployment Configuration, select Create a new domain in a new forest. Click Next.

    8. In Name the Forest Root Domain, in FQDN of the forest root domain, type the fully qualified domain name for your domain. For example, if your FQDN is example.com, type example.com. Click Next.

    9. In Set Forest Functional Level, select the forest functional level that you want to use, and then click Next.

    10. In Additional Domain Controller Options, in Select additional options for this domain controller, verify that DNS server is selected, and then click Next. The Active Directory Domain Services Installation Wizard warning dialog box opens.

    11. The warning dialog box informs you that you can create a delegation to this DNS server manually in the parent zone. Click Yes to continue Active Directory Domain Services installation.

    12. In Location for Database, Log Files, and SYSVOL, do one of the following:

        • Accept the default values.
        • Type folder locations that you want to use for Database folder, Log files folder, and SYSVOL folder.

    13. Click Next.


    14. In Directory Services Restore Mode Administrator Password, in Password, type a password. In Confirm password, retype the password, and then click Next.

    15. In Summary, review your selections.

    16. If you want to export settings to an answer file, click Export settings, and specify a name for the answer file. Click Next.

    17. In Completing the Active Directory Domain Services Installation Wizard, click Finish, and then click Restart Now.

    Create a User Account in Active Directory Users and Computers

    You can use this procedure to create a new domain user account in Active Directory Users and Computers Microsoft Management Console (MMC).

    Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

    To create a user account

    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.

    2. In the details pane, right-click the folder in which you want to add a user account.

    Where? Active Directory Users and Computers/domain node/folder

    3. Point to New, and then click User.

    4. In First name, type the user's first name.

    5. In Initials, type the user's initials.

    6. In Last name, type the user's last name.

    7. Modify Full name to add initials or reverse the order of first and last names.

    8. In User logon name, type the user logon name. Click Next.

    9. In New Object - User, in Password and Confirm password, type the user's password, and then select the appropriate password options.

    10. Click Next, review the new user account settings, and then click Finish.

    Add a Group

    You can use this procedure to create a new group in Active Directory Users and Computers Microsoft Management Console (MMC).


    Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

    To add a group

    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.

    2. In the details pane, right-click the folder in which you want to add a new group.

    Where? Active Directory Users and Computers/domain node/folder

    3. Point to New, and then click Group.

    4. In New Object - Group, in Group name, type the name of the new group.

    By default, the name you type is also entered as the pre-Windows 2000 name of the new group.

    5. In Group scope, select one of the following options:

        • Domain local
        • Global
        • Universal

    6. In Group type, select one of the following options:

        • Security
        • Distribution

    7. Click OK.

    Assign Group Membership

    You can use this procedure to add a user, computer, or group to a group in Active Directory Users and Computers Microsoft Management Console (MMC).

    Note

    When you administer a domain, security principals in the parent domain or other trusted domains are not visible on the Member Of tab of a domain user's properties. The only domain accounts that you can add or view are the present domain groups. Only domain groups in the present domain are shown, even if the member belongs to other trusted domain groups.

    Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

    To assign group membership

    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.

    2. In the details pane, double-click the folder that contains the group to which you want to add a member.

    Where? Active Directory Users and Computers/domain node/folder that contains the group

    3. In the details pane, right-click the group to which you want to add a member, and then click Properties. The group Properties dialog box opens. Click the Members tab.

    4. On the Members tab, click Add.

    5. In Enter the object names to select, type the name of the user, group, or computer that you want to add, and then click OK.

    6. To assign group membership to other users, groups or computers, repeat steps 4 and 5 of this procedure.

    Configure a DNS Reverse Lookup Zone

    You can use this procedure to configure a reverse lookup zone in Domain Name System (DNS).

    Membership in Domain Admins is the minimum required to perform this procedure.

    To configure a DNS reverse lookup zone

    1. Click Start, click Administrative Tools, and then click DNS. The DNS Manager opens.

    2. In DNS Manager, if it is not already expanded, double-click the server name to expand the tree. For example, if the DNS server name is AD-DNS-01, double-click AD-DNS-01.

    3. Select Reverse Lookup Zones, right-click Reverse Lookup Zones, and then click New Zone. The New Zone Wizard opens.

    4. In Welcome to the New Zone Wizard, click Next.

    5. In Zone Type, select one of the following:

        • Primary zone
        • Secondary zone
        • Stub zone

    6. If your DNS server is a writeable domain controller, select Store the zone in Active Directory.

    7. Click Next.

    8. In Active Directory Zone Replication Scope, select one of the following:

        • To all DNS servers in this forest
        • To all DNS servers in this domain
        • To all domain controllers in this domain
        • To all domain controllers specified in the scope of this directory partition

    9. Click Next.

    10. In the first Reverse Lookup Zone Name page, select one of the following:

        • IPv4 Reverse Lookup Zone
        • IPv6 Reverse Lookup Zone

    11. Click Next.

    12. In the second Reverse Lookup Zone Name page, do one of the following:

    a. In Network ID, type the network ID of your IP address range. For example, if your IP address range is 192.168.0.1, type 192.168.0.

    b. In Reverse lookup zone name, type the name of your IPv4 reverse lookup zone.

    13. Click Next.

    14. In Dynamic Update, select the type of dynamic updates that you want to allow. Click Next.

    15. In Completing the New Zone Wizard, review your choices, and then click Finish.
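
    How the Network ID typed in step 12a relates to the reverse lookup zone name asked for in step 12b, as an added Python example that is not part of the original guide. It derives the IPv4 zone name, builds the PTR record owner names for planned hosts, and reports hosts whose addresses the zone cannot cover. The function names are hypothetical and the host-to-address pairs are constructed sample values.

```python
import ipaddress


def reverse_zone_name(network_id):
    """Map a Network ID such as '192.168.0' to its IPv4 reverse lookup zone name."""
    octets = network_id.strip().rstrip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("a Network ID has one to three octets")
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"invalid octet {octet!r}")
    # Reverse zones list the octets in reverse order under in-addr.arpa.
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def plan_ptr_records(network_id, hosts):
    """Split hosts into PTR records the zone can hold and hosts it cannot cover."""
    zone = reverse_zone_name(network_id)
    records, uncovered = [], []
    for fqdn, address in hosts:
        owner = ipaddress.IPv4Address(address).reverse_pointer
        # The leading dot stops 192.168.10.x from matching the 192.168.0 zone.
        if owner.endswith("." + zone):
            records.append((owner, "PTR", fqdn.rstrip(".") + "."))
        else:
            uncovered.append((fqdn, address))
    return zone, records, uncovered


# Constructed sample: server names follow the guide, the addresses are assumed.
SAMPLE_HOSTS = [
    ("ad-dns-01.example.com", "192.168.0.1"),
    ("wins-01.example.com", "192.168.0.2"),
    ("client-01.example.com", "192.168.10.20"),
]

if __name__ == "__main__":
    zone, records, uncovered = plan_ptr_records("192.168.0", SAMPLE_HOSTS)
    print("zone:", zone)
    for record in records:
        print("record:", record)
    print("needs another reverse zone:", uncovered)
```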

    Joining Computers to the Domain and Logging OnAfter you have installed Active Directory Domain Services (AD DS) and created one or more user accounts that have permissions to join a computer to the domain, you can join foundation networkservers to the domain and log on to the servers in order to install additional technologies, such asDynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), andNetwork Policy Server (NPS).

    Note

    If you are logged on to a computer running Windows Server 2008 with the localcomputers Administrator account, by default, you can join a computer to the domain witha user account that is a member of Domain Users in Active Directory Users and

    Computers.In addition, you can use these instructions to join client computers to the domain and to log on toclient computers.

    On all servers that you are deploying, except for the server running AD DS, do the following:

    1. Complete the procedures provided in Configuring All Servers.

    2. Use the instructions in the following sections to join your servers to the domain and to log on to the servers to perform additional deployment tasks:

      • Join the Computer to the Domain
      • Log on to the Domain

    Join the Computer to the Domain

    You can use these procedures to join computers running Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP to the domain.

    Procedures for joining computers to the domain

    This topic provides procedures for joining computers running the following operating systems to the domain:

      • Windows Server 2008 and Windows Vista
      • Windows Server 2003 and Windows XP

    Important

    To join a computer to a domain, you must be logged on to the computer with the local Administrator account or, if you are logged on to the computer with a user account that does not have local computer administrative credentials, you must provide the credentials for the local Administrator account during the process of joining the computer to the domain. In addition, you must have a user account in the domain to which you want to join the computer. During the process of joining the computer to the domain, you will be prompted for your domain account credentials (user name and password).

    Windows Server 2008 and Windows Vista

    Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

    To join computers running Windows Server 2008 and Windows Vista to the domain

    1. Log on to the computer with the local Administrator account.

    2. Click Start, right-click Computer, and then click Properties. The System dialog box opens.

    3. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens.

    Note

    On computers running Windows Vista, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed.

    4. Click Change. The Computer Name/Domain Changes dialog box opens.

    5. In Computer Name, in Member of, select Domain, and then type the name of the domain you want to join. For example, if the domain name is example.com, type example.com.

    6. Click OK. The Windows Security dialog box opens.

    7. In Computer Name/Domain Changes, in User name, type the user name, and in Password, type the password, and then click OK. The Computer Name/Domain Changes dialog box opens, welcoming you to the domain. Click OK.

    8. The Computer Name/Domain Changes dialog box displays a message indicating that you must restart the computer to apply the changes. Click OK.

    9. On the System Properties dialog box, on the Computer Name tab, click Close. The Microsoft Windows dialog box opens, and displays a message, again indicating that you must restart the computer to apply the changes. Click Restart Now.

    Windows Server 2003 and Windows XP

    Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

    To join computers running Windows Server 2003 and Windows XP to the domain

    1. Click Start, right-click My Computer, and then click Properties. The System Properties dialog box opens.

    2. Click Change. The Computer Name Changes dialog box opens.

    3. In Computer Name Changes, in Member of, select Domain, and then type the name of the domain you want to join. For example, if the domain name is example.com, type example.com.

    4. Click OK. The Computer Name Changes dialog box opens. In User name, type the domain administrator account name, and in Password, type the administrator password, and then click OK.

    5. The Computer Name Changes dialog box opens, welcoming you to the domain.

    6. Click OK. The Computer Name Changes dialog box displays a message indicating that you must restart the computer to apply the changes.

    7. Click OK.

    8. On the System Properties dialog box, on the Computer Name tab, click OK to close the System Properties dialog box. The System Settings Change dialog box opens, and displays a message, again indicating that you must restart the computer to apply the changes.

    9. Click Yes.

    Log on to the Domain

    You can use these procedures to log on to the domain using computers running Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP.

    Procedures to log on to the domain

    This topic provides procedures to log on to the domain using computers running the following operating systems:

      • Windows Server 2008 and Windows Vista
      • Windows Server 2003 and Windows XP

    Windows Server 2008 and Windows Vista

    Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

    Log on to the domain using computers running Windows Server 2008 and Windows Vista

    1. Log off the computer, or restart the computer.

    2. Press CTRL + ALT + DELETE. The logon screen appears.

    3. Click Switch User, and then click Other User.

    4. In User name, type your domain and user name in the format domain\user. For example, to log on to the domain example.com with an account named User-01, type example\User-01.

    5. In Password, type your domain password, and then click the arrow, or press ENTER.

    Windows Server 2003 and Windows XP

    Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

    Log on to the domain using computers running Windows Server 2003 and Windows XP

    1. Log off the computer, or restart the computer.

    2. Press CTRL + ALT + DELETE. The Log On to Windows dialog box appears.

    3. If Log on to is not displayed, click Options.

    4. In Log on to, in the drop-down list, select your domain. For example, in the example.com domain, select EXAMPLE.

    5. Type your domain and user name in the format domain\user. For example, to log on to the example.com domain with an account named User-01, type example\User-01.

    6. In Password, type your domain password, and then press ENTER.

    Deploying WINS-01 (optional)

    Before deploying this component of the foundation network, you must do the following:

      • Perform the steps in the section Configuring All Servers.
      • Perform the steps in the section Joining Computers to the Domain and Logging On.

    To deploy WINS-01, which is the computer running Windows Internet Name Service (WINS), you must complete this step:

      • Install Windows Internet Name Service (WINS)


    DHCP MMC and the procedure Authorize a DHCP Server in Active Directory Domain Services. Do not enable Configure DHCPv6 Stateless Mode unless you plan to use Internet Protocol version 6 (IPv6) on your network in addition to or to replace IPv4.

    Deploying DHCP

    To deploy DHCP-01, which is the computer running the Dynamic Host Configuration Protocol (DHCP) server role, you must complete these steps in the following order:

      • If you plan to deploy Windows Internet Name Service (WINS) on your network, it is recommended that you perform the steps in the section Deploying WINS-01 (optional) before installing DHCP.
      • Install Dynamic Host Configuration Protocol (DHCP)
      • Create an Exclusion Range in DHCP

    If you chose not to perform the following actions during DHCP installation, you can perform them after DHCP is installed:

      • Authorize a DHCP Server in Active Directory Domain Services
      • Activate a DHCP Scope

    After DHCP is installed, you can add more scopes to the server configuration:

      • Create a New DHCP Scope

    Install Dynamic Host Configuration Protocol (DHCP)

    You can use this procedure to install and configure the DHCP Server role using the Add Roles Wizard.

    Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

    To install DHCP

    1. Do one of the following:

       a. In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens.

       b. Click Start, and then click Server Manager. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.

    2. In Before You Begin, click Next.

    Note

    The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.

    3. In Select Server Roles, in Roles, select DHCP Server, and then click Next.


    4. In DHCP Server, click Next.

    5. In Select Network Connection Bindings, in Network Connections, select the IP addresses that are connected to the subnets for which you want to provide DHCP service, and then click Next.

    6. In Specify IPv4 DNS Server Settings, in Parent Domain, verify that the name of the DNS domain that clients use for name resolution is correct. For example, if your domain is named example.com, verify that the DNS domain name is example.com.

    7. In Preferred DNS server IPv4 address, type the IPv4 address of your preferred DNS server, and then click Validate. In Alternate DNS server IPv4 Address, type the IPv4 address of your alternate DNS server, if any, and then click Validate.

    Note

    If a DNS server responds when you click Validate, the DHCP installation wizard indicates the specified address for the DNS server is valid. If no DNS server responds when you click Validate, the DHCP installation wizard returns the message: The DNS server at the specified IP address is not responding.

    8. Click Next. In Specify IPv4 WINS Server Settings, select one of the following:

      • If you do not have WINS servers on your network, select WINS is not required for applications on this network.
      • If one or more WINS servers are deployed on your network, select WINS is required for applications on this network. In Preferred WINS server IP address, type the IPv4 address of your preferred WINS server. In Alternate WINS server IP Address, type the IPv4 address of your alternate WINS server, if any, and then click Next.

    9. In Add or Edit DHCP Scopes, click Add. The Add Scope dialog box opens.

    10. In the Add Scope dialog box, type values for all required items, and in Subnet Type, select either Wired or Wireless, depending on the IP address lease duration that you prefer, and then do one of the following:

      • To automatically activate the scope immediately after DHCP installation is complete, click Activate this scope. If there are computers or devices on the network that have static IP addresses, do not activate the scope until after you have created an exclusion range. The exclusion range prevents the DHCP server from leasing IP addresses that are already in use by a statically configured device.
      • To manually activate the scope later, use the DHCP Microsoft Management Console (MMC).

    11. Click OK. This returns you to the Add or Edit DHCP Scopes page. If your network has multiple subnets that are serviced by this DHCP server, add scopes for each subnet using steps 9 and 10. Click Next.

    12. In Configure DHCPv6 Stateless Mode, select whether you want to configure the DHCP server for DHCPv6 stateless operation, and then click Next.

    13. In Authorize DHCP Server, do one of the following:

      • Select Use current credentials to authorize the DHCP server in Active Directory Domain Services (AD DS) using the credentials supplied for the current session.
      • To specify alternate credentials for authorization, select Use alternate credentials. Click Specify, and then type the credentials to use for DHCP server authorization.
      • Select Skip authorization of this DHCP server in AD DS, and then click Next.

    Note

    Before your DHCP server can issue IP address leases, the DHCP server must be authorized in AD DS.

    14. In Confirm Installation Selections, review your selections, and then click Install.

    15. In Installation Results, review your installation results, and then click Close.

    Create an Exclusion Range in DHCP

    You can use this procedure to create an exclusion range for an existing DHCP scope.

    Membership in DHCP Administrators, or equivalent, is the minimum required to perform this procedure.

    To create an exclusion range in DHCP

    1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft Management Console (MMC) opens.

    2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-01.example.com, double-click DHCP-01.example.com.

    3. Double-click IPv4, and then, for the scope for which you want to create an exclusion range, double-click Scope.

    4. Click Address Pool. Right-click Address Pool, and then click New Exclusion Range. The Add Exclusion dialog box opens.

    5. In Add Exclusion, in Start IP Address, type the IP address that is the first IP address in the exclusion range.

    6. In Add Exclusion, in End IP Address, type the IP address that is the last IP address in the exclusion range, and then click Add.

    7. Click Close.
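
The caution in step 10 of the installation procedure (create the exclusion range before activating a scope when statically addressed devices exist) can be checked against a planning sheet before activation. The following Python script is an added example, not part of the Microsoft guide; the function names and the PRINTER-01 entry are assumptions, while the scope, exclusion range, router and AD-DNS-01 addresses are the guide's example values.

```python
from ipaddress import IPv4Address

# Scope, exclusion range, router and AD-DNS-01 values are the guide's examples.
SCOPE = ("10.10.10.1", "10.10.10.254")
EXCLUSIONS = [("10.10.10.1", "10.10.10.15")]
STATIC_HOSTS = {
    "router": "10.10.10.10",      # guide's example default gateway
    "AD-DNS-01": "192.168.0.1",   # guide's example DNS server, on another subnet
    "PRINTER-01": "10.10.10.40",  # constructed: a static device nobody excluded
}


def parse_range(start, end):
    """Return (start, end) as IPv4Address objects; reject reversed ranges."""
    lo, hi = IPv4Address(start), IPv4Address(end)
    if lo > hi:
        raise ValueError(f"range start {lo} is after range end {hi}")
    return lo, hi


def check_scope_plan(scope, exclusions, static_hosts):
    """Check a planned scope before it is activated.

    Returns a dict with:
      outside_scope   -- exclusion ranges not fully inside the scope
      leasable_static -- static devices inside the scope that no exclusion
                         range covers (the DHCP server could lease their IP)
      leasable_count  -- number of addresses the server could hand out
    """
    s_lo, s_hi = parse_range(*scope)
    parsed = [parse_range(a, b) for a, b in exclusions]

    outside = [(str(lo), str(hi)) for lo, hi in parsed
               if lo < s_lo or hi > s_hi]

    conflicts = {}
    for name, ip in static_hosts.items():
        addr = IPv4Address(ip)
        in_scope = s_lo <= addr <= s_hi
        excluded = any(lo <= addr <= hi for lo, hi in parsed)
        if in_scope and not excluded:
            conflicts[name] = ip

    # Count excluded addresses once, even when exclusion ranges overlap:
    # clip each range to the scope, sort, and skip what is already counted.
    clipped = sorted((max(lo, s_lo), min(hi, s_hi)) for lo, hi in parsed
                     if hi >= s_lo and lo <= s_hi)
    removed, cursor = 0, int(s_lo) - 1
    for lo, hi in clipped:
        first = max(int(lo), cursor + 1)
        if first <= int(hi):
            removed += int(hi) - first + 1
            cursor = int(hi)
    leasable = int(s_hi) - int(s_lo) + 1 - removed

    return {"outside_scope": outside,
            "leasable_static": conflicts,
            "leasable_count": leasable}


if __name__ == "__main__":
    report = check_scope_plan(SCOPE, EXCLUSIONS, STATIC_HOSTS)
    for name, ip in report["leasable_static"].items():
        print(f"CONFLICT: {name} ({ip}) is static but not excluded")
    for lo, hi in report["outside_scope"]:
        print(f"WARNING: exclusion {lo}-{hi} is not inside the scope")
    print(f"Leasable addresses: {report['leasable_count']}")
```

A non-empty leasable_static result means the scope should stay inactive until an exclusion range covers those addresses.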


    Authorize a DHCP Server in Active Directory Domain Services

    You can use this procedure to authorize a DHCP server in Active Directory Domain Services (AD DS).

    Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

    To authorize a DHCP server in AD DS

    1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft Management Console (MMC) opens.

    2. In DHCP, right-click the server name. For example, if the DHCP server name is DHCP-01.example.com, right-click DHCP-01.example.com.

    3. Click Authorize.

    4. Click Action, and then click Refresh. The IPv4 icon changes to indicate that the server is authorized in AD DS.

    Activate a DHCP Scope

    You can use this procedure to activate a DHCP scope using the DHCP Microsoft Management Console (MMC).

    Membership in DHCP Administrators, or equivalent, is the minimum required to perform this procedure.

    To activate a DHCP scope

    1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens.

    2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-01.example.com, double-click DHCP-01.example.com.

    3. Double-click IPv4, and click the scope that you want to activate. Right-click the scope that you want to activate, and then click Activate.

    Create a New DHCP Scope

    You can use this procedure to create a new DHCP scope using the DHCP Microsoft Management Console (MMC).

    Membership in DHCP Administrators, or equivalent, is the minimum required to perform this procedure.

    To create a new DHCP Scope

    1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens.

    2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-01.example.com, double-click DHCP-01.example.com.

    3. Right-click IPv4, and then click New Scope. The New Scope Wizard opens.

    4. In Welcome to the New Scope Wizard, click Next.

    5. In Scope Name, in Name, type a name for the scope. For example, type Subnet-02.

    6. In Description, type a description for the new scope, and then click Next.

    7. In IP Address Range, do the following:

       a. In Start IP Address, type the IP address that is the first IP address in the range. For example, type 10.10.10.1.

       b. In End IP Address, type the IP address that is the last IP address in the range. For example, type 10.10.10.254. Values for Length and Subnet mask are entered automatically, based on the IP address you entered for Start IP address.

       c. If necessary, modify the values in Length or Subnet mask, as appropriate for your addressing scheme.

       d. Click Next.

    8. In Add Exclusions, do the following:

       a. In Start IP Address, type the IP address that is the first IP address in the exclusion range. For example, type 10.10.10.1.

       b. In End IP Address, type the IP address that is the last IP address in the exclusion range. For example, type 10.10.10.15.

    9. Click Add, and then click Next.

    10. In Lease Duration, modify the default values for Days, Hours, and Minutes, as appropriate for your network, and then click Next.

    11. In Configure DHCP Options, select Yes, I want to configure these options now, and then click Next.

    12. In Router (Default Gateway), do one of the following:

      • If you do not have routers on your network, click Next.
      • In IP address, type the IP address of your router or default gateway. For example, type 10.10.10.10. Click Add, and then click Next.

    13. In Domain Name and DNS Servers, do the following:

       a. In Parent Domain, type the name of the DNS domain that clients use for name resolution. For example, type example.com.

       b. In Server name, type the name of the DNS computer that clients use for name resolution. For example, type AD-DNS-01.

       c. Click Resolve. The IP address of the DNS server is added in IP Address. Click Add, and then click Next.


    The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.

    3. In Select Server Roles, in Roles, select Network Policy and Access Services, and then click Next.

    4. In Network Policy and Access Services, click Next.

    5. In Select Role Services, in Role Services, select Network Policy Server, and then click Next.

    6. In Confirm Installation Selections, click Install.

    7. In Installation Results, review your installation results, and then click Close.

    Additional Technical Resources

    For more information about the technologies in this guide, see the following resources:

      • Active Directory Domain Services in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=96418
      • Domain Name System (DNS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=93215
      • Dynamic Host Configuration Protocol (DHCP) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=96419
      • Network Access Protection in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=103446 and Network Access Protection at http://go.microsoft.com/fwlink/?LinkId=84637
      • Network Policy Server (NPS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=104545 and Network Policy Server at http://go.microsoft.com/fwlink/?LinkId=93758
      • TCP/IP in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=103329
      • Windows Internet Name Service (WINS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=103331

    Appendix A

    You can use this Network Planning Preparation Sheet to gather the information required to install a foundation network. This topic provides tables that contain the individual configuration items for each server computer for which you must supply information or specific values during the installation or configuration process. Example values are provided for each configuration item.

    For planning and tracking purposes, spaces are provided in each table for you to enter the values used for your deployment. If you log security-related values in these tables, you should store the information in a secure location.


    Foundation Network Planning Preparation Sheet

    The following links lead to the sections in this topic that provide configuration items and example values that are associated with the deployment procedures presented in this guide.

      • Installing Active Directory Domain Services and DNS
      • Configuring a DNS Reverse Lookup Zone
      • Installing Windows Internet Name Service (optional)
      • Installing DHCP
      • Creating an exclusion range in DHCP
      • Creating a new DHCP scope
      • Installing Network Policy Server (optional)

    Installing Active Directory Domain Services and DNS

    The tables in this section list configuration items for pre-installation and installation of Active Directory Domain Services (AD DS) and DNS.

    Pre-installation configuration items for AD DS and DNS

    The following three tables list pre-installation configuration items as described in Configuring All Servers:

    Change the Administrator Password

    Configuration items: | Example values: | Values:
    Administrator password | J*p2leO4$F |

    Configure a Static IP Address

    Configuration items: | Example values: | Values:
    IP address | 192.168.0.1 |
    Subnet mask | 255.255.255.0 |
    Default gateway | 192.168.0.10 |
    Preferred DNS server | 192.168.0.1 |
    Alternate DNS server | 192.168.0.6 |

    Rename the Computer

    Configuration item: | Example value: | Value:
    Computer name | AD-DNS-01 |

    AD DS and DNS installation configuration items

    Configuration items for the Windows Server Foundation Network deployment procedure Install AD DS and DNS for a New Forest:

    Configuration items: | Example values: | Values:
    Full DNS name | example.com |
    Forest functional level | Windows Server 2003 |
    Active Directory Domain Services database folder location | E:\Configuration\ Or accept the default location. |
    Active Directory Domain Services log files folder location | E:\Configuration\ Or accept the default location. |
    Active Directory Domain Services SYSVOL folder location | E:\Configuration\ Or accept the default location. |
    Directory Restore Mode Administrator password | J*p2leO4$F |
    Answer file name (optional) | AD DS_AnswerFile |

    Configuring a DNS Reverse Lookup Zone

    Configuration items: | Example values: | Values:
    Zone type | Primary zone; Secondary zone; Stub zone |
    Store the zone in Active Directory | Selected; Not selected |
    Active Directory zone replication scope | To all DNS servers in this forest; To all DNS servers in this domain; To all domain controllers in this domain; To all domain controllers specified in the scope of this directory partition |
    Reverse lookup zone name (IP type) | IPv4 Reverse Lookup Zone; IPv6 Reverse Lookup Zone |
    Reverse lookup zone name (network ID) | 192.168.0 |

    Installing Windows Internet Name Service (optional)