Active Directory

1. Active Directory will not work correctly unless DNS is installed. The problem is that you cannot use another DNS server to run Active Directory (well, after messing with it for an entire class period, we could not get it to work), so you will be running the DNS server for your network too. If another DNS server is already running, go ahead and shut it down, as it will become obsolete (or you can wait for DNS to install itself, then shut it down). Sometime during this installation, it will ask whether you want to set up DNS automatically. Say yes.

 

NOTE: DNS for Active Directory is not the same as DNS for the internet, nor should it be. You can name your domain Yahoo.com and Yahoo will never know. Doing this is risky, though, and you should always be careful what you name your domain: if your DNS server goes down, your computers may cast about until they find the DNS server for the real Yahoo.com, and then you are broadcasting your internal schema to the internet at large. On these non-internet-connected computers it does not matter. In the real world it just might.

 

2. Make sure the computer name is set on the server that is being promoted to Domain Controller. Do this by right-clicking the My Computer icon, selecting Properties, choosing the Network ID tab and clicking the Properties button. Change the name of the computer to whatever you want it to be.

 

3. Run DCPROMO from the command line or Run box. A wizard will start.

 

4. Because this is a new domain, click "Domain Controller for a new Domain", then click Next.

 

5. You want to create a new domain tree on the next screen because you are not part of an existing tree.

 

6. You want to create a new forest because you are not part of any forest.

 

NOTE:

If two domains need to trust each other, they must be in the same forest.

Suppose the following domains need to trust each other:

    west.ist.com
    east.ist.com
    mis.com
    cs.com

west.ist.com and east.ist.com are separate domains, but they belong to the same parent domain, ist.com, and so to the same tree.

If mis.com, ist.com, and cs.com all need to trust each other, they should be in the same forest.

This should not concern you for this exercise. It's just provided for general knowledge.

 

7. The next window is the new domain name window. It should be something like ist.com or mis.com or mis.org. For the purposes of this class, it does not matter. In the real world, if you want people to be able to access your stuff from the internet, you need to have your domain registered first, so that you know it is available before you name your domain. Also, it has to be something.something_else. You can't just have a domain called yahoo. You could, however, have a domain called yahoo.ist if you so wanted.

 

8. The NetBIOS name window is for operating systems prior to Windows 2000. It should be the name of your domain minus the .com part, limited to 15 characters. This is the name that will appear in the Domain box whenever you log on to any computer in the domain.

 

9. On the next window (storage locations for the directory itself), take the defaults.

 

10. Take the defaults on the next screen as well (System Volume).

 

11. If you have any Windows NT servers in your network, choose the option for compatibility with pre-Windows 2000 servers. For this class, choose Native mode (compatible only with Windows 2000 servers).

 

12. Type in an administrator password. This is the Directory Services Restore Mode password, and it is separate from the domain Administrator account's password: it is the password you will need if you ever demote this server, and the password you will need if you ever have to recover Active Directory on this computer (think Safe Mode).

 

13. Review and confirm, then click next.

 

14. This takes a while; go do something else.

 

15. After it is done, you have to reboot.

 

16. You should check DNS to see that it was installed and is working automatically. You should have the following folders under your domain name: _msdcs, _sites, _tcp, and _udp. If these are there, DNS is set up. If they are not, wait a minute (it can take up to five, but not usually), right-click your domain name under Forward Lookup Zones and choose Properties. Set "Allow dynamic updates" to Yes. After a minute (or so) the required entries will automagically appear. This is where you will want to shut down your other DNS server (if installed) and point your DHCP server at the new Active Directory DNS server.
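As a check for this step, here is an added example (not part of the handout) that asks your DNS server for the SRV records a new domain controller registers under _msdcs, _sites, _tcp and _udp. The domain name ist.com used in the usage line and the site name Default-First-Site-Name (the site Windows 2000 creates by default) are assumptions.

```batch
@echo off
rem check-dc-dns.bat: added example, not part of the handout.
rem Asks DNS for the SRV records a new domain controller registers under
rem _msdcs, _sites, _tcp and _udp. Run it on a machine whose DNS server is
rem the new Active Directory DNS server.
rem Usage: check-dc-dns.bat ist.com   (ist.com is an assumed domain name)
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 your.domain.name
    exit /b 1
)
set DOMAIN=%~1
rem Default-First-Site-Name is the site Windows 2000 creates by default;
rem change it if you renamed your site.
set SITE=Default-First-Site-Name
set FAILED=0

for %%R in (
    _ldap._tcp.dc._msdcs.%DOMAIN%
    _kerberos._tcp.dc._msdcs.%DOMAIN%
    _ldap._tcp.%SITE%._sites.%DOMAIN%
    _ldap._tcp.%DOMAIN%
    _kerberos._tcp.%DOMAIN%
    _kpasswd._tcp.%DOMAIN%
    _kerberos._udp.%DOMAIN%
    _gc._tcp.%DOMAIN%
) do (
    rem nslookup prints a "svr hostname" line for each SRV answer it gets
    nslookup -type=SRV %%R 2>nul | find /i "svr hostname" >nul
    if errorlevel 1 (
        echo MISSING  %%R
        set FAILED=1
    ) else (
        echo OK       %%R
    )
)

if "%FAILED%"=="1" (
    echo.
    echo Some records are missing. Make sure the zone for %DOMAIN% allows
    echo dynamic updates, wait a minute or two, then run this again. On the
    echo domain controller, "net stop netlogon" followed by "net start netlogon"
    echo makes it re-register its records.
    exit /b 1
)
echo.
echo All expected SRV records for %DOMAIN% are present.
exit /b 0
```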

 

 

17. You now have a domain installed. If you want other computers to be members of your new domain (the rest of your group maybe?) you need to join them to the domain.

 

18. Before you do that, though, you might want to add user accounts for those users who are not you. You should do this because it is much easier for you if not everybody has administrator rights to the domain. Click Start, Programs, Administrative Tools, Active Directory Users and Computers.

 

19. Create an OU called something like "YourDomainHere users". To do this, right-click your domain in the left-hand window, select New, then OU, and type in the name for your users container. Click on your new OU, then right-click in the right pane and create three new OUs here called lockeddown, mortalusers, and administrators (or something equally relevant).

 

20. Right-click the administrators OU, choose Add Members to a Group, and choose the Administrators group. This adds all users who are part of the Administrators group (you and a couple of built-in accounts) to the administrators OU that you just created.

 

NOTE: There are two philosophies for the way that you do group policy. You can make one policy for each of the three OUs (the locked down users, the mortal users and the administrators), OR you can make them specifically according to what you want to limit and just make a lot of them (one for mandatory background, one for the ability to log onto domain controllers, one just for restrictions on Control Panel). Then you can apply them to multiple OUs according to the policies that you want to enforce for that OU. The latter way is the way that Microsoft and others teach. There is more configuration on the front end and less on the back end.

 

21. To make a group policy, right-click the mortalusers OU, choose Properties, then the Group Policy tab. Click New, then type "user policy". Add any policy that you think makes sense for normal users (disk quotas, that sort of thing). Close that window, then click OK on the Properties window.

 

NOTE: One policy that you may want to set for some users is Log on locally. By default (and rightfully so), normal users are not allowed to log onto domain controllers. Your peers may have the need to log onto yours. Because they will have their own accounts (in the mortalusers OU) by the end of this document, you may want to assign them Log on locally rights. The path is Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment. Then find Log on locally, double-click it and enable it. You should make this a policy on its own and assign the GPO to users instead of OUs.

 

22. Do step 21 again for the locked down users, but make it more restrictive. Do this in the User Configuration half of the Group Policy window. Play around; there is a lot that you can do here. Some keys that you may want to look at are:

User Configuration / Administrative Templates / Start Menu & Taskbar
    / Disable and remove links to Windows Update
    / Disable Programs on Settings menu
    / Remove Run from Start Menu
    / Disable Logoff on the Start Menu
User Configuration / Administrative Templates / Control Panel / Add/Remove Programs
    / Disable Add/Remove Programs
User Configuration / Administrative Templates / System
    / Disable the command prompt
User Configuration / Administrative Templates / System / Logon/Logoff
    / Disable Lock Computer

 

There are some keys in the Computer Configuration section of Group Policy that you may want to look at, namely:

Computer Configuration / Windows Settings / Security Settings
    / Password Policies
    / Account Lockout Policies
Computer Configuration / Administrative Templates / Disk Quotas

 

But you may want to apply these at a higher level than a group of users, such as the entire domain or your OU for normal computers.

 

23. Create users in whatever OU you want them to be in. Do this by selecting the OU in the left pane and right-clicking in the right pane. Select New, User. Type in the name and so on, then click Next and type in the password (twice).

 

24. Connect all of the other computers that are going to be in your domain to the domain. This is done on those computers. Right-click My Computer, choose Properties, click the Network ID tab, push the Properties button and join the domain. It will ask for a username and password; type in the administrator's credentials.

 

25. The users on those computers should be able to log on to the domain now (you did just make their accounts, right?).

 

26. To make a "Home Drive" like the Marshall V: drive, there must first be a network share on the network. Make one of your buddies do this on their computer: create a folder and share it on the network. Right-click the user in Users and Computers and choose Properties. On the Profile tab, under Home Folder, select a drive letter and type in the path to that computer's share, then append \%username% to the path. So the whole thing should be \\yourbuddiescomputername\sharename\%username%. Click OK. The next time this user logs on, it will connect the drive. You can test this by having your peers log out and then back in.

 

 

27. Say you have another drive (or two) that you want to map automatically every time any user logs on. You can't do this with the home drive tool as above; you have to use a logon script instead. As above, have a buddy share out a folder on the network. Call it stdapps (standard applications), a usual folder to share out to all users. Create a logon.bat file somewhere that you can find it. Inside this bat file, type:

 

@echo off
rem Map S: to the shared stdapps folder for this logon session only.
net use s: \\your_buddies_computername\stdapps /persistent:no
echo you are now connected to the greatest domain on earth
pause

 

then save and close the file.

 

28. The next step is to create a Group Policy Object that says everybody gets this drive (or these drives) mapped at logon. Go to Users and Computers, right-click on your users OU (you made this OU previously) and choose Properties, then the Group Policy tab. Create a new policy and name it "logon script". Edit it, drill down to User Configuration/Windows Settings/Scripts, then double-click Logon. Click Add Script, then Browse, and in the drop-down box at the top look to see what policy folder you are inside (it should look like {4AFDTR-...} or something equally weird). Switch to Windows Explorer and copy the .bat file into c:\winnt\sysvol\sysvol\policies\{4AFDTR-...}\users\scripts\logon\ (there is probably an easier way to do this, but I could not find it). Now, whenever someone logs on, it will automatically map the S: drive to your buddy's shared folder.
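As a fuller version of the logon script from step 27, here is an added example (not the handout's script) that maps more than one drive, clears any stale mapping of each letter first, and records the result in a log file instead of pausing, so a share that is down does not hold up logon. The server name and the second share name, tools, are assumptions.

```batch
@echo off
rem logon.bat, extended example; not the handout's script.
rem Maps several shares at logon, clearing any stale mapping of each
rem letter first, and writes the result to a log instead of pausing,
rem so a share that is down does not hold up logon.
rem The server name and the "tools" share are assumptions; use your own.
setlocal
set SERVER=your_buddies_computername
set LOG=%TEMP%\logon-%USERNAME%.log

echo %DATE% %TIME% %USERNAME% on %COMPUTERNAME% > "%LOG%"
call :map S: \\%SERVER%\stdapps
call :map T: \\%SERVER%\tools
echo You are now connected to the greatest domain on earth.
endlocal
goto :eof

:map
rem First argument = drive letter, second = UNC path of the share.
rem Drop any leftover mapping of this letter; errors are ignored on purpose.
net use %1 /delete /y >nul 2>&1
rem /persistent:no so the mapping lives only for this logon session.
net use %1 %2 /persistent:no >nul 2>&1
if errorlevel 1 (
    echo FAILED  %1 %2 >> "%LOG%"
) else (
    echo MAPPED  %1 %2 >> "%LOG%"
)
goto :eof
```

Copy it into the policy's logon script folder exactly as in step 28; a user can check the log in their temp folder if a drive did not appear.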