Active Directory: Getting Started

                     By: James Beau Webb

To install Active Directory:

 

Note: Make sure that you have already configured the fully qualified domain name (FQDN) before you start to install Active Directory.

Note: There must also be at least one NTFS partition on the system in order to install Active Directory.

Once both of those are in place, you can go ahead and install it, by doing this:

 

1. Configure DNS client properties:

            -Go to the "Start" menu, then "Settings", and then click on "Network and Dial-up Connections".

            -Double click on the "Local Area Connection" icon, and then press the "Properties" button. On the "General" tab select "Internet Protocol (TCP/IP)" by clicking on it once.

            -Then press the "Properties" button. You should now see a window that at the bottom allows you to enter the IP address of the preferred DNS server; go ahead and enter it, press "OK", press "OK" again, and then close the "Local Area Connection Status" window and the "Network and Dial-up Connections" window.

 

2. Installing Active Directory on the first domain controller:

            -Open the "Start" menu and select "Run".

            -In the Run window, enter DCPROMO, and then press "OK".

            -The Active Directory installation wizard will appear; click "Next".

            -In the "Domain Controller Type" window select the option that applies to your situation; if you are just starting Active Directory on your network you SHOULD pick "Domain controller for a new domain". Then click "Next".

            -In the "Create Tree or Child Domain" window pick the option that applies to your situation; if you are just starting AD, you NEED to select the "Create a new domain tree" option. Then press "Next".

            -In the "Create or Join Forest" window select the option that best fits your situation; since you are just setting up AD, you SHOULD select the "Create a new forest of domain trees" option. Then click the "Next" button.

            -The "New Domain Name" window appears; enter the DNS name for the new domain (e.g. ist.com). Don't put the server name or a computer name in the DNS name. Then press "Next" to continue.

            -The "NetBIOS Domain Name" window appears with a suggested name; you can modify it if you need or want to, and then press "Next" to continue.

            -In the "Database and Log Locations" window the wizard generates a default location for the database and the log files. Accept the defaults and press "Next" to continue.

            -In the "Shared System Volume" window the wizard generates a default location for the shared system volume (shown as SYSVOL; this is what is replicated throughout the domain to all the domain controllers). This path has to be on an NTFS partition, so the default path goes to the first NTFS partition that can be located. You can edit the location if you want to, but it is probably best to keep the default for simplicity. Then press "Next".

            -In the "Permissions" window select the "Permissions compatible only with Windows 2000 servers" option, because all the servers should be running Windows 2000. Then press "Next" to continue.

            -In the "Directory Services Restore Mode Administrator Password" window enter a password and then re-enter it. This password lets you boot a Windows 2000 domain controller into the special Directory Services Restore Mode to troubleshoot or restore the directory. Then press "Next" to continue.

            -The next window should be the "Summary" window, which shows what you have entered. Verify that information and press "Next" to continue, or go "Back" to modify the Active Directory options.

            -Once you confirm the summary, the "Configuring Active Directory" window appears and shows the progress as AD is installed; this will take a little while. Once the installation is done, the "Completion" window is displayed; press "Finish" to close it.

            -Restart the computer to complete the installation.

            Once the computer has restarted and updated the system (which may take a few minutes), the SRV records should be registered with DNS automatically. Open the DNS console and check the domain's Forward Lookup Zone for the _msdcs, _sites, _tcp, and _udp folders. Once those four folders are present in the Forward Lookup Zone, the domain controller is officially ready for use!
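The SRV check above can be scripted instead of eyeballed in the DNS console. The following PowerShell is an added example and not part of the original tutorial: it resolves the records a domain controller for ist.com must publish (the _msdcs, _sites and _tcp names the text refers to) and then runs dcdiag's advertising and DNS registration tests. The domain name is the tutorial's; the DC name DC1 is an assumption. Resolve-DnsName needs Windows 8 / Server 2012 or later; on older systems the same names can be queried with nslookup -type=SRV.

```powershell
# Added example (not from the original tutorial): verify that a new domain
# controller registered its SRV records in DNS after the post-DCPROMO reboot.
# ist.com is the tutorial's domain; the DC name DC1 is assumed.
$Domain = 'ist.com'
$Dc     = 'DC1'

# Records a DC must publish. The _msdcs names live in the folder the tutorial
# tells you to look for; _gc is only registered by a global catalog, which the
# first DC in a forest always is.
$Records = @(
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain",
    "_ldap._tcp.Default-First-Site-Name._sites.$Domain"
)

foreach ($Name in $Records) {
    try {
        # Keep only the SRV answers; the additional section may carry A records.
        $srv = Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $srv) {
            '{0,-55} -> {1}:{2}' -f $Name, $r.NameTarget, $r.Port
        }
    } catch {
        # A missing record means clients cannot locate this DC for that service.
        Write-Warning "Missing SRV record: $Name ($($_.Exception.Message))"
    }
}

# dcdiag confirms the DC is advertising itself and that its records are
# registered (and re-registers them if dynamic update is working).
dcdiag "/s:$Dc" /test:Advertising
dcdiag "/s:$Dc" /test:DNS /DnsRecordRegistration
```

If a record is missing, restarting the Netlogon service on the DC re-registers the whole set; a record that is missing again afterwards usually points at dynamic updates being refused by the zone rather than at the DC.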

 

3. To install Active Directory on an additional domain controller in an existing domain:

            This installs Active Directory on a second domain controller, so the domain keeps working if the first one goes down.

            -Follow the steps above to install Active Directory; however, when you reach the fourth bullet of part 2, the "Domain Controller Type" window, instead of selecting "Domain controller for a new domain", SELECT "Additional domain controller for an existing domain". Then press "Next" to continue.

            -You should then be prompted for the name of the domain and for the administrator name and password for that domain; obtain and enter that information.

            -After you input that information and click "Next", you will see the "Database and Log Locations" window. From there continue with the instructions in part 2 ("Installing Active Directory on the first domain controller"), picking up at the ninth bullet.

 

4. Put the domain in Native mode:

            -Open "Active Directory Users and Computers" from the Administrative Tools menu: go to "Start", then "Programs", then "Administrative Tools", and select it there.

            -Once it opens, right click the domain name (whatever you named it, e.g. ist.com) and select "Properties" from that menu.

            -Once the "Properties" window opens, the "General" tab shows the "Domain operation mode", which will be "Mixed mode". Below that is a box labeled "Domain mode"; in that box click the "Change Mode" button.

            -You will receive a warning message; press "Yes" to continue through the warning and change the mode to Native mode. The warning is there because the change is one way: once a domain is in Native mode it cannot be put back into Mixed mode, and Windows NT 4.0 backup domain controllers can no longer take part in it. The "Properties" window should now show "Native mode" as the domain operation mode.

 

5. Creating an Organizational unit:

            -Go to "Active Directory Users and Computers".

            -Right click the intended parent of the OU, and from the action menu go to "New" and then select the "Organizational unit" option.

            -The "New Object" window will appear, where you can put in the name of the OU.

            -Enter the name for your OU and press "OK"; this creates the OU.

 

6. Creating a user object:

            -Go to "Active Directory Users and Computers".

            -Right click the OU where you want the account to be placed, go to "New" and then select "User".

            -The "New Object-User" window should appear.

            -Fill in the user name and info, and press "Next".

            -The "New Object-User" window will then ask for a password; enter a password, set the password options you need, and then press "Next".

            -Now you should see a summary window; confirm the info and press "Finish" to create the user. Repeat this as many times as necessary for all your users.

 

7. To configure User Objects:

            -Go to "Active Directory Users and Computers", locate the user that you want to set the options for, and then select "Properties" from the action menu.

            -You should see a window with several tabs where you can input info or change settings.

            -From here you can do a lot of things. For example, go to the "Account" tab and click on the "Logon Hours" button; there you will see a screen where you can set the hours when the user can and can't log on.

            -You can also set the account options under the "Account" tab, by going to "Account options:" and selecting "Password never expires".

            -You can also set the "Account expires:" option to "Never", so that the account won't expire.

            -You can also go to the "Sessions" tab, where you can set an "Idle session limit:"; if a session stays idle beyond this limit, the session will end.

            -You can go to the "Member Of" tab to see which groups the user is a member of, and change them if you want to.

            -You can also go to the "Security" tab to change the permissions on the user object, i.e. who is allowed to read, write or delete it (etc.).

 

8. Create a Group:

            -Go to "Active Directory Users and Computers".

            -Select the parent Organizational Unit that you want to create the group in, right click it, go to "New" and select the "Group" option.

            -Now you should see the "New Object-Group" window.

            -In this "New Object-Group" window input your group name and then specify the "Group scope" and "Group type" according to what your group is for.

            -Then press "OK" to create the group.

 

9. To add User Accounts to the Group:

            -Go to "Active Directory Users and Computers".

            -Go to the group that you want to add the users to: open the parent OU that contains the group, right click the group name and select "Properties".

            -In the "Properties" window click on the "Members" tab, then click the "Add" button; you can then add a single user or several users to the group.
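Steps 5 to 9 (OU, user, account options, group, membership) can be done in one script with the ActiveDirectory PowerShell module instead of clicking through the snap-in. This is an added example, not code from the original tutorial; ist.com is the tutorial's domain, while the OU name "IST Group", the user jdoe and the group "IST Staff" are assumed. It ends with a check a defender wants after step 7: the "Password never expires" option is one click in the GUI but exempts the account from the domain password policy, so the script lists every account in the OU that has it set.

```powershell
# Added example (not from the original tutorial): steps 5 to 9 with the
# ActiveDirectory module. ist.com is the tutorial's domain; the OU, user and
# group names below are assumed values.
Import-Module ActiveDirectory

$DomainDn = 'DC=ist,DC=com'
$OuName   = 'IST Group'
$OuDn     = "OU=$OuName,$DomainDn"

# 5. Organizational unit (created only if it does not already exist).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 6. User object. The password is prompted for rather than written into the
#    script, and the user has to change it at first logon.
$Password = Read-Host -AsSecureString -Prompt 'Initial password for jdoe'
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@ist.com' `
    -Path $OuDn -AccountPassword $Password `
    -ChangePasswordAtLogon $true -Enabled $true

# 7. Account options. An expiry date is set instead of "Never" so a forgotten
#    account stops working on its own; PasswordNeverExpires is left off.
Set-ADUser -Identity 'jdoe' -AccountExpirationDate (Get-Date).AddMonths(6)

# 8. Global security group in the same OU, and 9. add the user to it.
New-ADGroup -Name 'IST Staff' -SamAccountName 'IST Staff' `
    -GroupScope Global -GroupCategory Security -Path $OuDn
Add-ADGroupMember -Identity 'IST Staff' -Members 'jdoe'

# Audit: accounts in this OU whose password never expires. These are exempt
# from the password policy and are worth reviewing regularly.
Get-ADUser -Filter { PasswordNeverExpires -eq $true } -SearchBase $OuDn `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet, DistinguishedName
```

The same audit run with -SearchBase set to the domain root shows every such account in the domain; service accounts usually dominate the list, and each one should be known and documented.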

 

10. To create Computer Objects:

            -Go to "Active Directory Users and Computers".

            -Right click the Organizational Unit that you want to contain the computer account, go to "New" and then select "Computer" from the menu.

            -In the window that appears, enter the computer name and the user (or group) that is allowed to join this computer to the domain, and then press "OK".

 

11. To join a computer to the domain:

            -Right click "My Computer" and select the "Properties" option from the action menu.

            -Click on the "Network Identification" tab, and then press the "Properties" button. The "Identification Changes" window should appear.

            -In the "Member of" section in the lower part of the "Identification Changes" window, click on the "Domain" option, enter the domain name in the text box and press "OK".

            -The "Domain Username and Password" window should appear; type in the username and password of the user that is allowed to join the computer to the domain. Then press "OK".

            -It may take a few minutes, but you should receive a "Network Identification" message. Just click "OK".
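Steps 10 and 11 from the command line, as an added example that is not part of the original tutorial. The computer object is created first in the OU you chose (pre-staging, which is what step 10 does in the GUI), and the workstation is then joined with Add-Computer, which prompts for the joining account just like the "Domain Username and Password" dialog. ist.com is the tutorial's domain; the computer name PC01 and the OU are assumed.

```powershell
# Added example (not from the original tutorial): pre-stage a computer object
# and join the workstation to it. PC01 and the OU are assumed values.
Import-Module ActiveDirectory

$Computer = 'PC01'
$OuDn     = 'OU=IST Group,DC=ist,DC=com'

# 10. On a domain controller (or a machine with RSAT): create the account in
#     the OU where it should live, not in the default Computers container.
New-ADComputer -Name $Computer -Path $OuDn -Enabled $true

# 11. On the workstation itself: join using an account that is allowed to
#     join this computer. -OUPath matches the pre-staged object's location.
$Cred = Get-Credential -Message 'Account permitted to join computers to ist.com'
Add-Computer -DomainName 'ist.com' -OUPath $OuDn -Credential $Cred -Restart

# After the restart, confirm the machine's secure channel to the domain works.
Test-ComputerSecureChannel -Verbose
```

Pre-staging matters beyond tidiness: by default any authenticated user may join up to ten computers to the domain (the ms-DS-MachineAccountQuota attribute), and those objects land in the Computers container where no OU-level policy applies. Creating the object in advance and naming the account allowed to join it keeps both the location and the join right under control.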

 

12. To force Active Directory Replication between domain controllers:

            -Go to "Active Directory Sites and Services".

            -Double click on the "Sites" folder on the left hand side of the screen, then double click on "Default-First-Site-Name", then double click "Servers", then double click on the server that you want to receive the updates, and then single click on "NTDS Settings".

            -On the right hand side of the screen you should see an entry with a graphic of two machines that says "automatically generated"; this is the inbound connection from the other domain controller.

            -Right click on the "automatically generated" entry and select "Replicate Now" from the action menu. This forces replication of the AD database over that connection, so that both domain controllers hold the same data in case one goes down.
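The same "Replicate Now" action, plus the verification the GUI does not give you, from the command line. This is an added example and not part of the original tutorial; ist.com is the tutorial's domain, and the domain controller names DC1 and DC2 are assumed. repadmin ships with the AD tools on any domain controller; the two Get-ADReplication* cmdlets need Server 2012 or later.

```powershell
# Added example (not from the original tutorial): force and then verify
# replication between two domain controllers. DC1 and DC2 are assumed names.
Import-Module ActiveDirectory

$Source = 'DC1'
$Dest   = 'DC2'
$Nc     = 'DC=ist,DC=com'

# "Replicate Now" on DC2's inbound connection from DC1: pull the domain
# naming context from the source to the destination.
repadmin /replicate $Dest $Source $Nc

# Or push every partition from DC1 to all of its partners
# (A = all partitions, e = across site boundaries, P = push).
repadmin /syncall $Source /AeP

# Verify: when each partner last replicated successfully and with what result.
Get-ADReplicationPartnerMetadata -Target $Dest -Scope Server |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult

# Any recorded failures. An empty result is the healthy case.
$Failures = Get-ADReplicationFailure -Target $Dest
if ($Failures) {
    $Failures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError
} else {
    "No replication failures recorded on $Dest"
}
```

A LastReplicationSuccess that is hours old on a two-DC domain in one site is the first sign that the "in case one goes down" copy is stale; the failure list usually names the cause (DNS, time skew, or the other DC being unreachable).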

 

 

Configuring different options with Active Directory

 

1. To create a Home Folder:

            -Create a folder on a server to hold the user home folders.

            -Share this folder by right clicking on it and clicking on "Properties" from the action menu. Once the "Properties" window has opened select the "Sharing" tab, select the option to "Share this folder" and enter a comment for the share, then press "OK". Don't put the shared folder in "My Documents" because problems will occur; instead put the folder on the root of the hard drive (c:\).

            -It is a good idea to test the share by using "Run" and typing in the UNC path to the server share.

            -Now configure each user to recognize the home folder:

            -Go to "Active Directory Users and Computers", find the user that you want to recognize the home folder, right click that user account and select "Properties".

            -Once the properties screen appears click on the "Profile" tab; in the home folder section select "Connect", pick a drive letter to map the home folder to, and finally enter the path to the home folder.

            -Then click "OK".

            -You will be able to see the home folder in "My Computer" when you are logged on under your domain account.

 

2. To create a User Template:

            -Go to "Active Directory Users and Computers", find the OU that you want the user template to reside in, right click that OU's name, go to "New" and then select "User".

            -The "New Object-User" window appears; enter the general information for a user account. Then press "Next" to continue.

            -In the next window select the option to disable the account, and press "Next".

            -Select "Finish" to create the user template, which you can copy to create new user accounts as new users are added.

 

3. To enable Roaming Profiles:

            -First, create a folder to hold the profiles and share it: right click the folder, select "Properties", go to the "Sharing" tab, select "Share this folder" and enter a share name and comment. Then press "OK". Don't put the shared folder in "My Documents" because problems will occur.

            -Once you've done that, test the share by going to "Run" and typing in the path name; press "OK" and you should see the shared folder.

            -Now configure each user to recognize the Profiles folder:

            -Go to "Active Directory Users and Computers", find the user that you want to recognize the Profiles folder, right click that user account and select "Properties".

            -Once the properties screen appears click on the "Profile" tab; in the "User profile" section go to the "Profile path:" option and type in the path to the user's roaming profile folder. Once you have done this, click "OK" to set the roaming profile.

            -This will allow the user to log on to any machine in the domain and keep the same profile; remember to do this for all users that you want to have this ability.
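The three procedures above (home folder share, disabled template account, roaming profile path) as one PowerShell script. This is an added example, not the tutorial's own material; ist.com is the tutorial's domain, and the file server FS1, the share names, the OU, the template name and the user jdoe are assumed (as is "ist" being the domain's NetBIOS name). The part the GUI walkthrough leaves implicit, and that matters for security, is the NTFS ACL on each home folder: the share is open to all domain users, so the folder permissions are what stop one user from browsing another's files.

```powershell
# Added example (not from the original tutorial): home folders, a disabled
# template account, and roaming profile paths. FS1, the share names, the OU
# and the user names are assumed; ist.com is the tutorial's domain and "ist"
# is assumed to be its NetBIOS name.
Import-Module ActiveDirectory

$Server = 'FS1'
$OuDn   = 'OU=IST Group,DC=ist,DC=com'

# 1. and 3. Shares on the file server (run this part on FS1). The folders sit
#    on the root of C:, as the tutorial advises, not under anyone's My
#    Documents. Domain Users get Change on the share; the per-folder NTFS ACLs
#    below decide who can actually open what.
New-Item -Path 'C:\Home', 'C:\Profiles' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Home$'     -Path 'C:\Home'     -ChangeAccess 'ist\Domain Users' -FullAccess 'ist\Domain Admins' | Out-Null
New-SmbShare -Name 'Profiles$' -Path 'C:\Profiles' -ChangeAccess 'ist\Domain Users' -FullAccess 'ist\Domain Admins' | Out-Null

# 2. Template: a disabled account holding the attributes new hires share.
New-ADUser -Name '_Template IST' -SamAccountName 'tmpl.ist' -Path $OuDn `
    -Department 'IST' -Description 'Template account, keep disabled' -Enabled $false
# Only the attributes fetched here are copied by -Instance below.
$Template = Get-ADUser -Identity 'tmpl.ist' -Properties Department

# Copy the template for a real user; name, logon name, password and enabled
# state are always set explicitly.
$Sam = 'jdoe'
New-ADUser -Name 'Jane Doe' -SamAccountName $Sam -UserPrincipalName "$Sam@ist.com" `
    -Instance $Template -Path $OuDn `
    -AccountPassword (Read-Host -AsSecureString -Prompt "Initial password for $Sam") `
    -ChangePasswordAtLogon $true -Enabled $true

# 1. Home folder: create it and cut inheritance so only the user, Domain
#    Admins and SYSTEM have access, even though the share is open to everyone.
$HomeDir = "\\$Server\Home`$\$Sam"
New-Item -Path $HomeDir -ItemType Directory -Force | Out-Null
icacls $HomeDir /inheritance:r /grant "ist\${Sam}:(OI)(CI)M" 'ist\Domain Admins:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

# 3. Roaming profile path. Do NOT pre-create this folder: Windows creates it
#    at first logon (with a version suffix) and refuses a pre-made folder that
#    the user does not own.
Set-ADUser -Identity $Sam -HomeDrive 'H:' -HomeDirectory $HomeDir `
    -ProfilePath "\\$Server\Profiles`$\$Sam"
```

Hiding the shares with a trailing $ only keeps them out of the browse list; the icacls line is what enforces separation. Running icacls on the home root afterwards (icacls C:\Home /T) is a quick way to confirm no folder kept an inherited Domain Users entry.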

       

4. To create a Group Policy Object:

            -Go to "Active Directory Users and Computers".

            -Right click the OU that you created and want to apply a group policy object to, select "Properties", and once that window appears click on the "Group Policy" tab.

            -Click "New" to create a new group policy object and type in the name that you want to give it.

            -Then click the "Edit" button to change or modify the group policy.

 

5. To apply the GPO at the domain level:

            -Go to "Active Directory Users and Computers".

            -Right click on the domain name, such as ist.com, select "Properties" from the action menu, go to the "Group Policy" tab and select "New" to create a new Group Policy.

            -Then you can click the "Edit" button, go into the Group Policy and edit it as needed for the users it applies to.

 

6. To apply the GPO at the OU level:

            -Go to "Active Directory Users and Computers".

            -Right click on the OU name, such as "IST Group" or whatever you named it, select "Properties" from the action menu, go to the "Group Policy" tab and select "New" to create a new Group Policy.

 

7. Configuring Group Policy Settings:

            -Go to "Active Directory Users and Computers".

            -Right click the domain or the OU that has the GPO, select "Properties", and in the "Properties" window select the "Group Policy" tab and press the "Edit" button. From here you can configure several different options and restrictions for your users in the domain or OU.

            7.1 To configure your GPO to run certain programs at log on:

            -Go into the GPO by clicking the "Edit" button, then go to "User Configuration", under that "Administrative Templates", then "System", and finally select "Logon/Logoff".

            -On the right hand side you should see a list of settings. Double click "Run these programs at user logon".

            -A new window appears; select the "Enabled" option. At the bottom of the window is a "Show" button; click it and another window opens where you can specify the programs you want run when the user logs on.

            -We put "cmd" to have the command prompt open during logon, and "sol.exe" to open solitaire during logon as well. Then click "OK".

            7.2 To disable changes to the Taskbar and Start Menu settings:

            -Go into the GPO by clicking the "Edit" button, then go to "User Configuration", under that "Administrative Templates", and then "Start Menu & Taskbar".

            -On the right hand side you should see several settings for your GPO. Double click "Disable changes to Taskbar and Start Menu Settings", select the "Enabled" option, and click "OK". This prevents users from opening the taskbar properties dialog box and from changing the settings on the Start menu.

            7.3 To configure your GPO to allow Active Desktop and apply a wallpaper:

            -Go into the GPO by clicking the "Edit" button, then go to "User Configuration", under that "Administrative Templates", then "Desktop", and under it "Active Desktop".

            -On the right you should see some settings; the top one is "Enable Active Desktop". Double click it, click the "Enabled" option and press "OK". This allows an HTML or a JPEG wallpaper to be applied.

            -With Active Desktop enabled, and still under "Desktop" at the "Active Desktop" option, go to the "Active Desktop Wallpaper" setting on the right hand side and double click it. Click the "Enabled" option, type in the picture file path, and specify how you want it displayed: stretched, centered or tiled.

            We specified a local path that can be found on every machine, and set the style to stretch. Once you have it the way you want it, click "OK" to apply it.

            7.4 To disable certain Windows applications for the domain users:

            -Go into the GPO by clicking the "Edit" button, then go to "User Configuration", under that "Administrative Templates", and then click once on "System".

            -On the right hand side of the screen you should see a list of settings. Locate "Don't run specified Windows applications" and double click it. Click the "Enabled" option; in the middle of that window there is a "Show" button, click it and a new window appears with the list of programs that are not allowed to run (if this is the first time you've done this, it will be empty). Click the "Add" button, enter the program (executable) file name that you don't want to run, and click "OK"; you should now see that file in the list in the "Show Contents" window.

            -Once the programs you don't want to run are in the list in the "Show Contents" window, click "OK". Then click "OK" in the original setting window to apply it.
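Steps 4 to 7 (create the GPOs, link one at the domain and one at the OU, and set the four Administrative Templates policies from 7.1 to 7.4) with the GroupPolicy PowerShell module. This is an added example and not part of the original tutorial. Each Set-GPRegistryValue writes the registry-based policy value that the named Administrative Templates setting writes when you enable it in the editor; the registry keys are the documented ones for those policies. ist.com is the tutorial's domain, and the GPO names, the OU, the wallpaper path and the blocked executable are assumed.

```powershell
# Added example (not from the original tutorial): steps 4 to 7 with the
# GroupPolicy module. GPO names, the OU, the wallpaper path and the blocked
# program are assumed; ist.com is the tutorial's domain.
Import-Module GroupPolicy

$OuDn     = 'OU=IST Group,DC=ist,DC=com'
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 4. and 6. Create a GPO and link it to the OU; the 7.x settings go in here.
$Ou = New-GPO -Name 'IST Group Desktop' -Comment 'Desktop restrictions for IST users'
New-GPLink -Name $Ou.DisplayName -Target $OuDn -LinkEnabled Yes | Out-Null

# 5. A separate GPO linked at the domain level, for settings everyone gets.
$Dom = New-GPO -Name 'ist.com Baseline'
New-GPLink -Name $Dom.DisplayName -Target 'DC=ist,DC=com' -LinkEnabled Yes | Out-Null

# 7.1 "Run these programs at user logon" (the tutorial uses cmd and sol.exe):
#     one string value per program under Policies\Explorer\Run.
Set-GPRegistryValue -Name $Ou.DisplayName -Key "$Explorer\Run" -ValueName '1' -Type String -Value 'cmd.exe' | Out-Null
Set-GPRegistryValue -Name $Ou.DisplayName -Key "$Explorer\Run" -ValueName '2' -Type String -Value 'sol.exe' | Out-Null

# 7.2 "Disable changes to Taskbar and Start Menu Settings".
Set-GPRegistryValue -Name $Ou.DisplayName -Key $Explorer -ValueName 'NoSetTaskbar' -Type DWord -Value 1 | Out-Null

# 7.3 Wallpaper: a local path present on every machine, style 2 = stretched.
#     Active Desktop itself no longer exists on current Windows; the wallpaper
#     policy applies on its own.
Set-GPRegistryValue -Name $Ou.DisplayName -Key $System -ValueName 'Wallpaper' -Type String -Value 'C:\Windows\Web\Wallpaper\Windows\img0.jpg' | Out-Null
Set-GPRegistryValue -Name $Ou.DisplayName -Key $System -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null

# 7.4 "Don't run specified Windows applications": the DWord switches the
#     policy on, the DisallowRun subkey lists the file names.
Set-GPRegistryValue -Name $Ou.DisplayName -Key $Explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $Ou.DisplayName -Key "$Explorer\DisallowRun" -ValueName '1' -Type String -Value 'regedit.exe' | Out-Null

# Review the result as a report (same content the "Edit" view shows).
Get-GPOReport -Name $Ou.DisplayName -ReportType Html -Path "$env:TEMP\IST-Group-Desktop.html"
```

Two practitioner caveats on 7.4: the "Don't run specified Windows applications" policy matches on the executable's file name only and is enforced by Explorer, not by the operating system, so it is a convenience restriction for ordinary users rather than a security control; for enforcement, use Software Restriction Policies or AppLocker. And since the list is a User Configuration setting, it follows the user, not the machine, so an administrator logging on to the same PC is unaffected unless their account is in the linked OU.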

 

8. To configure a few security settings:

            -Go to the "Start" menu, then "Programs", then "Administrative Tools", and click on "Domain Security Policy".

            -Once that window opens, double click "Security Settings", then double click "Account Policies", and then double click "Account Lockout Policy".

            -You should now see three settings on the right hand side of the window. Go to the first setting, "Account lockout duration", and double click it; check the "Define this policy setting" check box, and then set the time that you want the account to be locked out for, which is up to you. Once you have the time set, click "OK".

            -If you don't have the "Account lockout threshold" and the "Reset account lockout counter after" settings set, a box will appear with suggested values for these options. You can either accept the suggested values, or go to whichever of the three settings (Account lockout duration, Account lockout threshold, or Reset account lockout counter after) you want to set to a specific time or number, set it, and the system will suggest the other two from there. Click "OK" to the other two suggested settings to apply them. Doing this at the "Domain Security Policy" level applies it to all computers in the domain; if you instead go to "Local Security Policy" (under "Start", "Programs", "Administrative Tools") it is set on one computer only.
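The same three Account Lockout Policy settings from PowerShell, with the relationship the dialog enforces when it "suggests" the other two values made explicit. This is an added example, not part of the original tutorial; ist.com is the tutorial's domain, and the threshold and durations are assumed values. The "Domain Security Policy" console edits the domain-wide policy; Set-ADDefaultDomainPasswordPolicy writes the same settings directly on the domain object.

```powershell
# Added example (not from the original tutorial): set and verify the Account
# Lockout Policy for ist.com. The numbers are assumed values.
Import-Module ActiveDirectory

$Domain            = 'ist.com'
$Threshold         = 5                         # bad logons before lockout; 0 disables lockout
$LockoutDuration   = New-TimeSpan -Minutes 30  # how long the account stays locked
$ObservationWindow = New-TimeSpan -Minutes 30  # "Reset account lockout counter after"

# The rule behind the dialog's suggestions: the reset window may not exceed the
# lockout duration. A duration of 0 means "locked until an administrator
# unlocks it", which satisfies the rule for any window.
if ($LockoutDuration.TotalMinutes -ne 0 -and $ObservationWindow -gt $LockoutDuration) {
    throw '"Reset account lockout counter after" must not exceed "Account lockout duration"'
}

# Record the current values before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold $Threshold `
    -LockoutDuration $LockoutDuration `
    -LockoutObservationWindow $ObservationWindow

# Read them back; this is what the Domain Security Policy console displays.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

Two points when choosing the numbers: the Local Security Policy setting the tutorial mentions governs only that computer's local accounts, since domain accounts are always locked out according to the domain's values; and a very low threshold lets anyone who can reach a logon prompt lock other people's accounts by mistyping a few times, so a moderate threshold paired with a short duration is the usual compromise between slowing guessing and avoiding self-inflicted denial of service.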