Saturday, 10 March 2012

WINDOWS 2008 ACTIVE DIRECTORY & setting up a DC


WINDOWS 2008 ACTIVE DIRECTORY
Active Directory is the brain of a Windows Server network. It is a database that holds a large amount of data and is used to manage all the machines on the network, the users and groups, services such as email, and resources such as printers and shared folders.

A Domain Controller (DC) is a Windows Server machine that runs Active Directory Domain Services (AD DS), which is the role name for Active Directory. You may have multiple DCs, each holding a copy of the same Active Directory database.

Servers need jobs. We have to decide what a server is going to do. A server will not have too many jobs. A Server Role is a major job that a server can perform.

A DC usually has only two jobs: AD DS (Active Directory Domain Services) and DNS (Domain Name System).

DNS is a service, provided by a server, that lets you find other computers on the network by name: you type the machine's name instead of its IP address. Active Directory depends on DNS and will not work without it; the two work together.


A domain is a namespace: a Windows Server domain is a logical group of Windows computers that share a central directory database. The machines are all named with the domain name as part of their name, e.g. globomantics.com, and are registered in the Active Directory database so they can be managed. A forest comprises all the domains in the enterprise.
E.g.: a domain - globomantics.com; a child domain - Na.globomantics.com
User email addresses are part of the domain namespace - marcel@globomantics.com

NB: Make sure that you own the name globomantics.com.

We are setting up two almost identical DCs.

DC 1
Computer name: NY-DC1-2K8
IP Address: 192.168.5.2 (192.168.5.1 is the router)
This DC will create the domain globomantics.com.

DC 2
Computer name: NY-DC2-2K8
IP Address: 192.168.5.3
This DC will join the domain globomantics.com.

There are two types of Windows Server 2008 installation:
- Bare Metal - no existing OS on the HDD
- Upgrade - installing over a 2003 installation that is already on the hard drive


- Install Windows Server 2008 Standard Edition x64.
- After installation, the Initial Configuration Tasks (ICT) window pops up. ICT groups together the common first tasks: set the time zone, configure the network settings for 192.168.5.2 (default gateway: the router) with an initial DNS server (the router's IP address), rename the computer to NY-DC1-2K8 and reboot, configure automatic updates and feedback, configure Remote Desktop, and finally close ICT.

Set up a DC
Setting up a DC has two basic parts:
- Installing the AD DS role (done from Server Manager using Add Roles):
  Open Server Manager > Roles > Add Roles > (skip the intro page) > select the role Active Directory Domain Services > Install > Close this wizard and launch the AD DS Installation Wizard (dcpromo.exe).
- Running dcpromo.exe (it can be run from the link provided in Server Manager after the AD DS installation, or from the search box). dcpromo.exe is a wizard that sets up AD and promotes the machine to DC status:
  dcpromo.exe > Create a new domain in a new forest > domain name: globomantics.com > select the forest functional level: Windows Server 2008 > the first DC in a forest must be a global catalog server and cannot be a Read-Only DC; install the DNS Server service on the first DC > Yes > Database folder: C:\Windows\NTDS (holds the database file; NTDS = NT Directory Services), Log files folder: C:\Windows\NTDS, SYSVOL folder: C:\Windows\SYSVOL (SYSVOL is a shared folder that is required for DCs to talk to each other in a process called replication) > enter the Directory Services Restore Mode (DSRM) password, which is not the same as the domain Administrator password > you can also export the settings > Reboot on completion.

NB: NTDS.dit is the database file for AD.

NB: When you create a domain on your first server, the local Administrator password becomes the domain Administrator password for all the machines in your domain. So it is better to change the domain Administrator user name and password. Go to Server Manager > Roles > AD DS > AD Users & Computers > globomantics.com > Users > rename Administrator and change its password.

Now go to Server Manager > AD Sites & Services > Sites and rename Default-First-Site-Name to NewYork, so it is more identifiable.

Thus we have built globomantics.com and a site called NewYork. Next we will create the second DC and join it to the domain.


- Install Server 2K8 "Bare Metal"
- Configure the basic stuff using the ICT
- Install the AD DS role
- Run dcpromo
While configuring the network, set the IP address to 192.168.5.3, the default gateway to 192.168.5.1, and the DNS server for the second DC to the first machine, 192.168.5.2.
NB: Log on to the first DC as the domain administrator, right-click the network icon > Network & Sharing Center > Manage Network Connections and look at its DNS setting: it has been changed to 127.0.0.1, because the DC now uses itself as its DNS server.
Now change the computer name to NY-DC2-2K8.
Go to Start > search for dcpromo and run it. It will install AD DS > Add a domain controller to an existing forest / existing domain > globomantics.com > Provide alternate credentials: use the domain username and password > it finds globomantics.com and contacts DC1 > site NewYork > under Additional Domain Controller Options, check DNS Server and Global Catalog > Yes > Database folder: C:\Windows\NTDS (holds the database file; NTDS = NT Directory Services), Log files folder: C:\Windows\NTDS, SYSVOL folder: C:\Windows\SYSVOL (SYSVOL is a shared folder that is required for DCs to talk to each other in a process called replication) > enter the Directory Services Restore Mode (DSRM) password, which is not the same as the domain Administrator password > you can also export the settings > Reboot on completion.

NB: On DC2, go to Server Manager > View Network Connections and look at DNS: Preferred DNS Server 192.168.5.2 and Alternate DNS Server 127.0.0.1. On DC1, set the Alternate DNS Server to 192.168.5.3.
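The two dcpromo runs above (new forest on DC1, replica on DC2) can also be driven by an answer file; this added example is not from the original post. It assumes PowerShell is installed on the servers, and the NetBIOS name, the admin user name and the DSRM password are placeholders you replace.

```powershell
# Added example (not from the original post): dcpromo answer files that
# mirror the wizard choices made on DC1 (new forest) and DC2 (replica).
# Assumptions: PowerShell is installed; values in <...> are placeholders.

$newForest = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=globomantics.com
DomainNetbiosName=GLOBOMANTICS
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=<DSRM-password-placeholder>
RebootOnCompletion=No
"@

$replica = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=globomantics.com
SiteName=NewYork
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=globomantics.com
UserName=<domain-admin-placeholder>
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=<DSRM-password-placeholder>
RebootOnCompletion=No
"@

# Choose the file for this machine by its computer name and run dcpromo with it.
$file = Join-Path $env:TEMP "dcpromo-unattend.txt"
if ($env:COMPUTERNAME -eq "NY-DC1-2K8") { $newForest | Set-Content $file }
else                                    { $replica   | Set-Content $file }
dcpromo /unattend:$file

# The answer file holds the DSRM password in clear text: remove it, then reboot
# (RebootOnCompletion=No above leaves the reboot to us for exactly this reason).
Remove-Item $file
shutdown /r /t 0
```

Password=* makes dcpromo prompt for the domain admin password instead of storing it in the file; ForestLevel/DomainLevel 3 is the Windows Server 2008 functional level chosen in the wizard.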

The process of exchanging and recording AD changes between the DCs is called replication. You can test replication between the two DCs with an Organizational Unit (OU): create a new OU in Active Directory Users & Computers on either DC, open a command prompt and type repadmin /syncall, then check the other DC's AD Users & Computers to see whether the OU shows up there too. You might need to press F5 to refresh the screen to see the change in Server Manager.

Go to Server Manager > Roles > AD DS > AD Users & Computers > globomantics.com > create a new folder in globomantics.com > New OU > name it Test Dummy > open a command prompt > type repadmin /syncall.


Now go to DC2 and check AD Users & Computers > globomantics.com. If you can find the Test Dummy folder there, replication is happening between the two DCs; they are talking to each other now :) So if one DC blows up, you will have a copy of the directory on the other DC.
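The same replication test, scripted so it can be re-run after any change; this is an added example, not the post's own procedure. It assumes PowerShell is installed on the DCs, that repadmin.exe is available (it is on any DC), and that the computer names, IPs and DNS order are the ones used in this post.

```powershell
# Added example (not from the original post): script the replication check
# described above. Run it on either DC. Assumptions: PowerShell is installed,
# repadmin.exe is on the path (it is on a DC), and names/IPs match the post.

$ips = @{ "NY-DC1-2K8" = "192.168.5.2"; "NY-DC2-2K8" = "192.168.5.3" }
# DNS client order the post ends up with: DC1 uses itself first, DC2 uses DC1 first.
$expectedDns = @{ "NY-DC1-2K8" = @("127.0.0.1", "192.168.5.3")
                  "NY-DC2-2K8" = @("192.168.5.2", "127.0.0.1") }
$me      = $env:COMPUTERNAME
$partner = @($ips.Keys | Where-Object { $_ -ne $me })[0]

# 1. DNS client settings: AD depends on DNS, so check these before replication.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled -and $_.IPAddress -contains $ips[$me] } |
       Select-Object -First 1
$actual = @($nic.DNSServerSearchOrder) -join ","
if ($actual -ne ($expectedDns[$me] -join ",")) {
    Write-Warning "DNS order on $me is '$actual', expected '$($expectedDns[$me] -join ',')'"
}

# 2. Create the test OU locally (the GUI step New OU > Test Dummy).
$ouName = "Test Dummy"
$domain = [ADSI]"LDAP://DC=globomantics,DC=com"
$ou = $domain.Create("organizationalUnit", "OU=$ouName")
$ou.SetInfo()

# 3. Push the change to every partner, as in the post, then look for the OU by
#    binding to the partner DC explicitly rather than to whichever DC answers.
repadmin /syncall | Out-Null
$remotePath = "LDAP://$partner/OU=$ouName,DC=globomantics,DC=com"
if ([System.DirectoryServices.DirectoryEntry]::Exists($remotePath)) {
    "OU '$ouName' is visible on $partner - replication between the DCs works."
} else {
    Write-Warning "OU '$ouName' not found on $partner yet; run 'repadmin /showrepl' to see errors."
}
```

Binding to the partner by name in step 3 is what makes the test meaningful: a serverless LDAP bind would happily answer from the DC you just created the OU on.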


Two DCs are now set up in the globomantics.com domain.

1 comment:

  1. I've installed Windows Server 2008 R2 in my home "virtual" test environment. I have AD DS, integrated DNS installed. My configuration as follows:

    VMware: Windows Server 2008 R2 - Network adapter connection: Bridged

    DC1: IPv4 Configuration

    IP: BLANK - Subnet Mask: BLANK - Default Gateway: BLANK. Preferred DNS is configured to 127.0.0.1 and Alternative DNS to 192.168.0.1.

    Is DC1 configuration correct?
    What IPv4 Configuration will I put in for DC2?
