Windows Server 2008 R2 Core Network Guide

Core Network Guide

Microsoft Corporation

Published: June, 2009
Authors: James McIllece and Brit Weston
Editor: Allyson Adley

Abstract

The Windows Server® 2008 R2 Core Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® domain in a new forest. Using this guide, you can deploy computers configured with the following Windows server components:

- The Active Directory Domain Services (AD DS) server role
- The Domain Name System (DNS) server role
- The Dynamic Host Configuration Protocol (DHCP) server role
- The Network Policy Server (NPS) role service of the Network Policy and Access Services server role
- The Windows Internet Name Service (WINS) feature
- TCP/IP connections on individual servers

This guide also serves as a foundation for companion guides that show you how to deploy additional technologies using Windows Server 2008 R2.



The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Windows Server 2008 R2 Core Network Guide
  About this guide
    Network hardware requirements
  What this guide does not provide
  Technology Overviews
    Active Directory Domain Services
    DNS
    DHCP
    WINS (optional)
    NPS (optional)
    TCP/IP
Core Network Overview
  Core Network Components
    Router
    Static TCP/IP configurations
    Global catalog and DNS server
    WINS server (optional)
    DHCP server
    NPS server (optional)
    Client computers
Core Network Planning
  Planning subnets
  Planning basic configuration of all servers
    Planning the Administrator account password
    Planning naming conventions for computers and devices
    Planning static IP addresses
  Planning the deployment of AD-DNS-01
    Planning the name of the forest root domain
    Planning the forest functional level
    Planning DNS zones
  Planning domain access
  Planning the deployment of WINS-01
  Planning the deployment of DHCP-01
    Planning DHCP servers and DHCP forwarding
    Planning IP address ranges
    Planning subnet masks
    Planning exclusion ranges
    Planning TCP/IP static configuration
  Planning the deployment of NPS-01
Core Network Deployment
Configuring All Servers
Create an Administrator Password
Rename the Computer
  Procedures for renaming computers
    Windows Server 2008 R2 and Windows 7
    Windows Server 2008 and Windows Vista
    Windows Server 2003 and Windows XP
Configure a Static IP Address
  Procedures for configuring static IP addresses
    Windows Server 2008 R2
    Windows Server 2008
    Windows Server 2003
Deploying AD-DNS-01
  Administrative privileges
    Domain user accounts vs. user accounts on the local computer
Install AD DS and DNS for a New Forest
Create a User Account in Active Directory Users and Computers
Add a Group
Assign Group Membership
Configure a DNS Reverse Lookup Zone
Joining Computers to the Domain and Logging On
Join the Computer to the Domain
  Procedures for joining computers to the domain
    Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)
    Windows Server 2008 and Windows Vista
    Windows Server 2003 and Windows XP
Log on to the Domain
  Procedures to log on to the domain
    Windows Server 2008 R2 and Windows 7
    Windows Server 2008 and Windows Vista
    Windows Server 2003 and Windows XP
Deploying WINS-01 (optional)
Install Windows Internet Name Service (WINS)
Deploying DHCP-01
  DHCP installation suggestions
  Deploying DHCP
Install Dynamic Host Configuration Protocol (DHCP)
Create an Exclusion Range in DHCP
Authorize a DHCP Server in Active Directory Domain Services
Activate a DHCP Scope
Create a New DHCP Scope
Deploying NPS-01 (optional)
Install Network Policy Server (NPS)
Register the NPS Server in the Default Domain
Additional Technical Resources
Appendix A
  Core Network Planning Preparation Sheet
    Installing Active Directory Domain Services and DNS
      Pre-installation configuration items for AD DS and DNS
      AD DS and DNS installation configuration items
    Configuring a DNS Reverse Lookup Zone
    Installing Windows Internet Name Service (optional)
      Pre-installation configuration items
      WINS installation configuration items
    Installing DHCP
      Pre-installation configuration items for DHCP
      DHCP installation configuration items
    Creating an exclusion range in DHCP
    Creating a new DHCP scope
    Installing Network Policy Server (optional)
      Pre-installation configuration items
      Network Policy Server installation configuration items

Windows Server 2008 R2 Core Network Guide

A core network is a collection of network hardware, devices, and software that provides the fundamental services for your organization's information technology (IT) needs.

A Windows Server core network provides you with many benefits, including the following.

- Core protocols for network connectivity between computers and other Transmission Control Protocol/Internet Protocol (TCP/IP) compatible devices. TCP/IP is a suite of standard protocols for connecting computers and building networks. TCP/IP is network protocol software provided with Microsoft® Windows® operating systems that implements and supports the TCP/IP protocol suite.
- Automatic IP addressing with Dynamic Host Configuration Protocol (DHCP). Manual configuration of IP addresses on all computers on your network is time-consuming and less flexible than dynamically providing computers and other devices with IP address leases from a DHCP server.
- Name resolution services, such as Domain Name System (DNS) and Windows Internet Name Service (WINS). DNS and WINS allow users, computers, applications, and services to find the IP addresses of computers and devices on the network using the network basic input/output system (NetBIOS) name or Fully Qualified Domain Name of the computer or device.
- A forest, which is one or more Active Directory domains that share the same class and attribute definitions (schema), site and replication information (configuration), and forest-wide search capabilities (global catalog).
- A forest root domain, which is the first domain created in a new forest. The Enterprise Admins and Schema Admins groups, which are forest-wide administrative groups, are located in the forest root domain. In addition, a forest root domain, as with other domains, is a collection of computer, user, and group objects that are defined by the administrator in Active Directory Domain Services (AD DS). These objects share a common directory database and security policies. They can also share security relationships with other domains if you add domains as your organization grows. The directory service also stores directory data and allows authorized computers, applications, and users to access the data.
- A user and computer account database. The directory service provides a centralized user accounts database that allows you to create user and computer accounts for people and computers that are authorized to connect to your network and access network resources, such as applications, databases, shared files and folders, and printers.

A core network also allows you to scale your network as your organization grows and IT requirements change. For example, with a core network you can add domains, IP subnets, remote access services, wireless services, and other features and server roles provided by Windows Server® 2008 R2.

About this guide

This guide is designed for network and system administrators who are installing a new network or who want to create a domain-based network to replace a network that consists of workgroups. The deployment scenario provided in this guide is particularly useful if you foresee the need to add more services and features to your network in the future.

It is recommended that you review design and deployment guides for each of the technologies used in this deployment scenario to assist you in determining whether this guide provides the services and configuration that you need.

Network hardware requirements

To successfully deploy a core network, you must deploy network hardware, including the following:

- Ethernet, Fast Ethernet, or Gigabit Ethernet cabling
- A hub, Layer 2 or 3 switch, router, or other device that performs the function of relaying network traffic between computers and devices.
- Computers that meet the minimum hardware requirements for their respective client and server operating systems.

Note

This guide depicts the use of four server computers. In some cases, such as on small networks, you can use fewer servers. For example, you can install DHCP and WINS on the same server rather than on separate servers.

What this guide does not provide

This guide does not provide instructions for deploying the following:

- Network hardware, such as cabling, routers, switches, and hubs
- Additional network resources, such as printers and file servers
- Internet connectivity
- Remote access
- Wireless access
- Client computer deployment

Note

Client computers running Windows® 7, Windows Vista® and Windows XP are configured by default to receive IP address leases from the DHCP server. Therefore, no additional DHCP or Internet Protocol version 4 (IPv4) configuration of client computers is required.

Technology Overviews

The following sections provide brief overviews of the required and optional technologies used to create a core network.

Active Directory Domain Services

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as AD DS, provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

DNS

DNS is a name resolution protocol for TCP/IP networks, such as the Internet or an organization network. A DNS server hosts the information that enables client computers to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

DHCP

DHCP is an IP standard for simplifying management of host IP configuration. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your network.

Every computer on a TCP/IP network must have a unique IP address. The IP address (together with its related subnet mask) identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you to use a DHCP server to dynamically assign an IP address to a computer or other device on your local network.

For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work involved in reconfiguring computers.

WINS (optional)

While DNS is a required component of a core network, WINS is optional because, like DNS, it is a naming service. In some cases, you might not need both DNS and WINS, but older operating systems and applications might require WINS. For medium to small networks, WINS is extremely easy to install and manage, and it is not resource-intensive. If you are in doubt about whether you need WINS, you can test your network functionality without it and install it if needed.

WINS provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and was designed to solve the problems arising from NetBIOS name resolution in routed environments. WINS is the best choice for NetBIOS name resolution in routed networks that use NetBIOS over TCP/IP.

NetBIOS names are used by earlier versions of Windows operating systems to identify and locate computers and other shared or grouped resources required to register or resolve names for use on the network.

NetBIOS names are a requirement for establishing networking services in earlier versions of Windows operating systems. Although the NetBIOS naming protocol can be used with network protocols other than TCP/IP (such as NetBEUI or IPX/SPX), WINS was designed specifically to support NetBIOS over TCP/IP (NetBT).

WINS simplifies the management of the NetBIOS namespace in TCP/IP-based networks.

NPS (optional)

Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three features: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server.

NPS is an optional component of a core network, but you should install NPS if any of the following are true:

- You are planning to expand your network to include remote access servers that are compatible with the RADIUS protocol, such as a computer running Windows Server 2008 R2 or Windows Server 2008 and Routing and Remote Access service, Terminal Services Gateway, or Remote Desktop Gateway.
- You plan to deploy NAP.
- You plan to deploy 802.1X wired or wireless access.

TCP/IP

TCP/IP in Windows Server 2008 is the following:

- Networking software based on industry-standard networking protocols.
- A routable, enterprise networking protocol that supports the connection of your Windows-based computer to both local area network (LAN) and wide area network (WAN) environments.
- Core technologies and utilities for connecting your Windows-based computer with dissimilar systems for the purpose of sharing information.
- A foundation for gaining access to global Internet services, such as the World Wide Web and File Transfer Protocol (FTP) servers.
- A robust, scalable, cross-platform, client/server framework.

TCP/IP provides basic TCP/IP utilities that enable Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems, including:

- Windows Server 2008 R2
- Windows 7
- Windows Server 2008
- Windows Vista
- Windows Server 2003 operating systems
- Windows XP
- Internet hosts
- Apple Macintosh systems
- IBM mainframes
- UNIX systems
- Open VMS systems
- Network-ready printers, such as HP LaserJet series printers that use HP JetDirect cards

Core Network Overview

The following illustration shows the Windows Server Core Network topology.

Core Network Components

Following are the components of a core network.

Router

This deployment guide provides instructions for deploying a core network with two subnets separated by a router that has DHCP forwarding enabled. You can, however, deploy a Layer 2 switch, a Layer 3 switch, or a hub, depending on your requirements and resources. If you deploy a switch, the switch must be capable of DHCP forwarding or you must place a DHCP server on each subnet. If you deploy a hub, you are deploying a single subnet and do not need DHCP forwarding or a second scope on your DHCP server.

Static TCP/IP configurations

All of the servers in this deployment are configured with static IPv4 addresses. Client computers are configured by default to receive IP address leases from the DHCP server.

Global catalog and DNS server

Both Active Directory Domain Services (AD DS) and Domain Name System (DNS) are installed on this server, providing directory and name resolution services to all computers and devices on the network.

WINS server (optional)

Installing Windows Internet Name Service (WINS) on your core network is optional. It is often difficult to determine whether applications and services require WINS for name resolution. In some cases, you might need WINS; in other cases, DNS might be the only name resolution service that you need on your network. Because WINS is low maintenance and is not processor-use intensive for medium and small networks, you can install WINS on the DHCP server in the event that applications or services need the service.

DHCP server

The Dynamic Host Configuration Protocol (DHCP) server is configured with a scope that provides Internet Protocol (IP) address leases to computers on the local subnet. The DHCP server can also be configured with additional scopes to provide IP address leases to computers on other subnets if DHCP forwarding is configured on routers.

NPS server (optional)

The Network Policy Server (NPS) server is installed as a preparatory step for deploying other network access technologies, such as virtual private network (VPN) servers, wireless access points, and 802.1X authenticating switches. In addition, installing NPS prepares your network for the deployment of Network Access Protection (NAP).

Client computers

Client computers running Windows® 7, Windows Vista®, and Windows XP are configured by default as DHCP clients, which obtain IP addresses and DHCP options automatically from the DHCP server.

Core Network Planning

Before you deploy a core network, you must plan the following items.

- Planning subnets
- Planning basic configuration of all servers
- Planning the deployment of AD-DNS-01
- Planning domain access
- Planning the deployment of WINS-01
- Planning the deployment of DHCP-01
- Planning the deployment of NPS-01

The following sections provide more detail on each of these items.

Planning subnets

In Transmission Control Protocol/Internet Protocol (TCP/IP) networking, routers are used to interconnect the hardware and software used on different physical network segments called subnets. Routers are also used to forward IP packets between each of the subnets. Determine the physical layout of your network, including the number of routers and subnets you need, before proceeding with the instructions in this guide.

In addition, to configure the servers on your network with static IP addresses, you must determine the IP address range that you want to use for the subnet where your core network servers are located. In this guide, the private IP address range 192.168.0.1 - 192.168.0.254 is used as an example, but you can use any private IP address range.

The following recognized private IP address ranges are specified by Internet Request for Comments (RFC) 1918:

- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255

When you use the private IP address ranges as specified in RFC 1918, you cannot connect directly to the Internet using a private IP address because requests going to or from these addresses are automatically discarded by Internet service provider (ISP) routers. To add Internet connectivity to your core network later, you must contract with an ISP to obtain a public IP address.

Important

When using private IP addresses, you must use some type of proxy or network address translation (NAT) server to convert the private IP address ranges on your local network to a public IP address that can be routed.

For more information, see Planning the deployment of DHCP-01.

Planning basic configuration of all servers

For each server in the core network, you must change the password for the Administrator account on the local computer, rename the computer, and assign and configure a static IP address for the local computer.

Planning the Administrator account password

For security reasons, it is important to create a password for the Administrator account and to use a strong password. In addition, it is recommended that you use a different Administrator account password for each server on your network.

The following is an example of a strong password.

Configuration item:       Example value:
Administrator password    J*p2leO4$F

Note

Strong passwords contain a minimum of 7 characters that consist of each of the following: uppercase letters (A, B, C), lowercase letters (d, e, f), numerals (0, 1, 2, 3), and keyboard symbols (' ~ ! @ # $ % | /).
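The complexity rule in the note above, turned into a check you can run against a candidate password before you set it on each server. This is an added example and not code from the guide; the set of accepted keyboard symbols is an assumption that extends the short list in the note, and the function names are likewise assumptions.

```python
"""Check a candidate Administrator password against the rule in the guide's note:
at least 7 characters, with at least one uppercase letter, one lowercase
letter, one numeral and one keyboard symbol.

Added example, not code from the guide. SYMBOLS is an assumption: it accepts
every printable ASCII punctuation character, a superset of the note's list."""
import string
from typing import List

MIN_LENGTH = 7
SYMBOLS = frozenset(string.punctuation)  # includes ' ~ ! @ # $ % | / from the note


def missing_classes(password: str) -> List[str]:
    """Names of the required character classes the password does not contain."""
    present = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }
    return [name for name, found in present.items() if not found]


def is_strong(password: str) -> bool:
    """True when the password meets the length rule and contains all four classes."""
    return len(password) >= MIN_LENGTH and not missing_classes(password)


def explain(password: str) -> str:
    """Human-readable verdict listing every rule the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems.extend(f"no {name}" for name in missing_classes(password))
    return "compliant" if not problems else "; ".join(problems)


if __name__ == "__main__":
    # Constructed sample inputs; the first one is the guide's own example value.
    for candidate in ("J*p2leO4$F", "Password1", "p2le$", "J*P2LEO4$F"):
        print(f"{candidate!r}: {explain(candidate)}")
```

The check reports which rule a candidate breaks rather than a bare pass/fail, so a rejected value can be corrected on the spot. It does not detect reuse of the same password across servers, which the paragraph above also advises against; that has to be enforced by procedure.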

Planning naming conventions for computers and devices

For consistency across your network, it is generally a good idea to use consistent names for servers, printers, and other devices. Computer names can be used to help users and administrators easily identify the purpose and location of the server, printer, or other device. For example, if you have three DNS servers, one in San Francisco, one in Los Angeles, and one in Chicago, you might use the naming convention server function-location-number:

DNS-SF-01. This name represents the DNS server in San Francisco. If additional DNS servers are added in San Francisco, the numeric value in the name can be incremented, as in DNS-SF-02 and DNS-SF-03.
DNS-LA-01. This name represents the DNS server in Los Angeles.


DNS-CH-01. This name represents the DNS server in Chicago.

Choose a naming convention before you install your core network using this guide.

Planning static IP addresses

Before configuring each computer with a static IP address, you must plan your subnets and IP address ranges. In addition, you must determine the IP addresses of your DNS and WINS servers. If you plan to install a router that provides access to other networks, such as additional subnets or the Internet, you must know the IP address of the router, also called a default gateway, for static IP address configuration.

The following table provides example values for static IP address configuration.

Configuration items:     Example values:
IP address               192.168.0.3
Subnet mask              255.255.255.0
Default gateway          192.168.0.10
Preferred DNS server     192.168.0.1
Alternate DNS server     192.168.0.7
Preferred WINS server    192.168.0.2
Alternate WINS server    192.168.0.8

For more information, see Planning the deployment of DHCP-01.

Planning the deployment of AD-DNS-01

Following are key planning steps before installing Active Directory Domain Services (AD DS) and DNS on AD-DNS-01.

Planning the name of the forest root domain

A first step in the AD DS design process is to determine how many forests your organization requires. A forest is the top-level AD DS container, and consists of one or more domains that share a common schema and global catalog. An organization can have multiple forests, but for most organizations, a single forest design is the preferred model and the simplest to administer.

When you create the first domain controller in your organization, you are creating the first domain (also called the forest root domain) and the first forest. Before you take this action using this guide, however, you must determine the best domain name for your organization. In most cases, the organization name is used as the domain name, and in many cases this domain name is registered. If you are planning to deploy Web servers for your customers or partners, choose a domain name and ensure that the domain name is not already in use.


Planning the forest functional level

While installing AD DS, you must choose the forest functional level that you want to use. Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to enable domain- or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available, depending on your environment.

Forest functionality enables features across all the domains in your forest. The following forest functional levels are available:

Windows 2000. This forest functional level supports Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers.
Windows Server 2003. This forest functional level supports only Windows Server 2003 domain controllers and domain controllers that are running later versions of the Windows Server operating system.
Windows Server 2008. This forest functional level supports only domain controllers that are running Windows Server 2008 and later versions of the Windows Server operating system.
Windows Server 2008 R2. This forest functional level supports Windows Server 2008 R2 domain controllers and domain controllers that are running later versions of the Windows Server operating system.

If you are deploying a new domain in a new forest and all of your domain controllers will be running Windows Server 2008 R2, it is recommended that you configure AD DS with the Windows Server 2008 R2 forest functional level during AD DS installation.

Important

After the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. For example, if you raise the forest functional level to Windows Server 2008 R2, domain controllers running Windows Server 2003 or Windows Server 2008 cannot be added to the forest.

Example configuration items for AD DS are provided in the following table.

Configuration items:                                          Example values:

Full DNS name                                                 Examples: example.com, corp.example.com

Forest functional level                                       Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2:

    Windows 2000. The Windows 2000 forest functional level provides all AD DS features that are available in Windows 2000 Server. If you have domain controllers running later versions of the Windows Server operating system, some advanced features will not be available on those domain controllers while this forest is at the Windows 2000 functional level.

    Windows Server 2003. The Windows Server 2003 forest functional level provides all features that are available in Windows 2000 forest functional level, and the following additional features:
        Linked-value replication, which improves the replication of changes to group memberships.
        More efficient generation of complex replication topologies by the Knowledge Consistency Checker (KCC).
        Forest trust, which allows organizations to easily share internal resources across multiple forests.
    Any new domains that are created in this forest will automatically operate at the Windows Server 2003 domain functional level.

    Windows Server 2008. This forest functional level does not provide any new features over the Windows Server 2003 forest functional level. However, it ensures that any new domains created in this forest will automatically operate at the Windows Server 2008 domain functional level, which does provide unique features.

    Windows Server 2008 R2. The Windows Server 2008 R2 forest functional level provides all features that are available in the Windows Server 2008 forest functional level, and the following additional feature:
        Recycle Bin. When enabled, Recycle Bin provides the ability to restore deleted objects in their entirety while Active Directory Domain Services is running.
    Any new domains that are created in this forest will operate by default at the Windows Server 2008 R2 domain functional level.

Active Directory Domain Services Database folder location     E:\Configuration\ or accept the default location.
Active Directory Domain Services Log files folder location    E:\Configuration\ or accept the default location.
Active Directory Domain Services SYSVOL folder location       E:\Configuration\ or accept the default location.
Directory Restore Mode Administrator Password                 J*p2leO4$F
Answer file name (optional)                                   AD DS_AnswerFile

Planning DNS zones

In DNS, a forward lookup zone is created by default during installation. A forward lookup zone allows computers and devices to query for another computer's or device's IP address based on its DNS name. In addition to a forward lookup zone, it is recommended that you create a DNS reverse lookup zone. With a DNS reverse lookup query, a computer or device can discover the name of another computer or device using its IP address. Deploying a reverse lookup zone typically improves DNS performance and greatly increases the success of DNS queries.

When you create a reverse lookup zone, the in-addr.arpa domain, which was defined in the DNS standards and reserved in the Internet DNS namespace to provide a practical and reliable way to perform reverse queries, is installed in DNS. To create the reverse namespace, subdomains within the in-addr.arpa domain are formed, using the reverse ordering of the numbers in the dotted-decimal notation of IP addresses.

The in-addr.arpa domain applies to all TCP/IP networks that are based on Internet Protocol version 4 (IPv4) addressing. The New Zone Wizard automatically assumes that you are using this domain when you create a new reverse lookup zone.

While you are running the New Zone Wizard, the following selections are recommended:

Configuration items                             Example values
Zone type                                       Primary zone, with Store the zone in Active Directory selected
Active Directory Zone Replication Scope         To all DNS servers in this domain
First Reverse Lookup Zone Name wizard page      IPv4 Reverse Lookup Zone
Second Reverse Lookup Zone Name wizard page     Network ID = 192.168.0.
Dynamic Updates                                 Allow only secure dynamic updates
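The reverse namespace construction described above, as an added example that is not part of the guide: it derives the in-addr.arpa zone name that the New Zone Wizard builds from the Network ID (192.168.0. in the table), the PTR owner name of a host in that zone, and the most specific of several zones that would answer a reverse query for a given host. The function names are assumptions; the network ID handling is limited to the octet-aligned IDs the wizard's Network ID field accepts.

```python
"""Build in-addr.arpa names the way the New Zone Wizard does: reverse the
octets of the Network ID and append in-addr.arpa. Added example, not code from
the guide; function names are assumptions. Handles the octet-aligned network
IDs (/8, /16, /24) that the wizard's Network ID field accepts."""
import ipaddress
from typing import List, Optional


def reverse_zone_name(network_id: str) -> str:
    """'192.168.0' or '192.168.0.' (as typed into the wizard) -> '0.168.192.in-addr.arpa'."""
    octets = [o for o in network_id.strip().strip(".").split(".") if o]
    if not 1 <= len(octets) <= 3:
        raise ValueError("network ID must have one to three octets")
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"invalid octet: {octet!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(ip: str) -> str:
    """Owner name of a host's PTR record: 192.168.0.3 -> 3.0.168.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def zone_for_host(ip: str, zones: List[str]) -> Optional[str]:
    """Most specific zone in `zones` that would hold the host's PTR record, or None
    if no zone covers the address (a reverse query for it would fail)."""
    owner = ptr_owner_name(ip)
    matches = [z for z in zones if owner.endswith("." + z)]
    return max(matches, key=len) if matches else None


if __name__ == "__main__":
    # Constructed inputs using the guide's example network 192.168.0.x.
    zone = reverse_zone_name("192.168.0.")
    print(zone)                                     # 0.168.192.in-addr.arpa
    print(ptr_owner_name("192.168.0.3"))            # 3.0.168.192.in-addr.arpa
    print(zone_for_host("192.168.0.3", [zone, "168.192.in-addr.arpa"]))
    print(zone_for_host("172.16.5.9", [zone]))      # None: no zone covers it
```

A None result from zone_for_host is the planning signal to watch for: any subnet whose reverse zone is missing will produce failed reverse queries for every host on it, which is the situation the paragraph above says a reverse lookup zone is meant to prevent.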

Planning domain access

To log on to the domain, the computer must be a domain member computer and the user account must be created in AD DS before the logon attempt.

Note

You cannot log on to the domain with a user account that is located in the Security Accounts Manager (SAM) user accounts database on the local computer.

After the first successful logon with domain logon credentials, the logon settings persist unless the computer is removed from the domain or the logon settings are manually changed.

Before you log on to the domain:

Create user accounts in Active Directory Users and Computers. Each user must have an Active Directory Domain Services user account in Active Directory Users and Computers. For more information, see Create a User Account in Active Directory Users and Computers.
Ensure IP address configuration. To join a computer to the domain, the computer must have an IP address. In this guide, servers are configured with static IP addresses and client computers receive IP address leases from the DHCP server. For this reason, the DHCP server must be deployed before you join clients to the domain. For more information, see Deploying DHCP-01.
Join the computer to the domain. Any computer that provides or accesses network resources must be joined to the domain. For more information, see Join the Computer to the Domain.

Planning the deployment of WINS-01

If you determine that you need to deploy WINS as well as DNS on your network, you must plan how many WINS servers to deploy.

On smaller networks, a single WINS server can adequately service up to 10,000 clients for NetBIOS name resolution requests. To provide additional fault tolerance, you can configure a second computer running Windows Server® 2008 R2 or Windows Server® 2008 as a secondary, or backup, WINS server for clients. If you use only two WINS servers, you can easily configure them as replication partners. For simple replication between two servers, one server should be set as a pull partner and the other as a push partner. Replication can be either manual or automatic.

Large networks sometimes require more WINS servers for several reasons including, most importantly, the number of client connections per server. The number of users that each WINS server can support varies with usage patterns, data storage, and the processing capabilities of the WINS server computer.

When planning your servers, remember that each WINS server can simultaneously handle hundreds of registrations and queries per second.

Planning the deployment of DHCP-01

Following are key planning steps before installing the DHCP server role on DHCP-01.

Planning DHCP servers and DHCP forwarding

Because DHCP messages are broadcast messages, they are not forwarded between subnets by routers. If you have multiple subnets and want to provide DHCP service for each subnet, you must do one of the following:

Install a DHCP server on each subnet.
Configure routers to forward DHCP broadcast messages across subnets and configure multiple scopes on the DHCP server, one scope per subnet.

In most cases, configuring routers to forward DHCP broadcast messages is more cost effective than deploying a DHCP server on each physical segment of the network.

Planning IP address ranges

Each subnet must have its own unique IP address range. These ranges are represented on a DHCP server with scopes.

A scope is an administrative grouping of IP addresses for computers on a subnet that use the DHCP service. The administrator first creates a scope for each physical subnet and then uses the scope to define the parameters used by clients.

A scope has the following properties:

A range of IP addresses from which to include or exclude addresses used for DHCP service lease offerings.
A subnet mask, which determines the subnet for a given IP address.
A scope name assigned when it is created.
Lease duration values, which are assigned to DHCP clients that receive dynamically allocated IP addresses.
Any DHCP scope options configured for assignment to DHCP clients, such as DNS server IP address, router/default gateway IP address, and WINS server IP address.
Reservations are optionally used to ensure that a DHCP client always receives the same IP address.

Before deploying your servers, list your subnets and the IP address range you want to use for each subnet.


Planning subnet masks

Network IDs and host IDs within an IP address are distinguished by using a subnet mask. Each subnet mask is a 32-bit number that uses consecutive bit groups of all ones (1) to identify the network ID and all zeroes (0) to identify the host ID portions of an IP address.

For example, the subnet mask normally used with the IP address 131.107.16.200 is the following 32-bit binary number:

11111111 11111111 00000000 00000000

This subnet mask number is 16 one-bits followed by 16 zero-bits, indicating that the network ID and host ID sections of this IP address are both 16 bits in length. Normally, this subnet mask is displayed in dotted decimal notation as 255.255.0.0.

The following table displays subnet masks for the Internet address classes.

Address class   Bits for subnet mask                   Subnet mask
Class A         11111111 00000000 00000000 00000000    255.0.0.0
Class B         11111111 11111111 00000000 00000000    255.255.0.0
Class C         11111111 11111111 11111111 00000000    255.255.255.0

When you create a scope in DHCP and you enter the IP address range for the scope, DHCP provides these default subnet mask values. Typically, default subnet mask values (as shown in the preceding table) are acceptable for most networks with no special requirements and where each IP network segment corresponds to a single physical network.

In some cases, you can use customized subnet masks to implement IP subnetting. With IP subnetting, you can subdivide the default host ID portion of an IP address to specify subnets, which are subdivisions of the original class-based network ID.

By customizing the subnet mask length, you can reduce the number of bits that are used for the actual host ID.

To prevent addressing and routing problems, you should make sure that all TCP/IP computers on a network segment use the same subnet mask and that each computer or device has a unique IP address.
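The classful defaults and binary form described above, together with the consistency rule for static configurations (the same mask on every host of a segment, unique addresses, and a default gateway that is on the host's own subnet), as an added example that is not part of the guide. It also serves the static IP address table in Planning static IP addresses earlier in this chapter, from whose example values the sample hosts are constructed; the host record fields and the function names are assumptions.

```python
"""Subnet mask arithmetic and a consistency check for the static address plan.
Added example, not code from the guide. The host record fields ('ip', 'mask',
'gateway', 'dns', 'wins') and the function names are assumptions; the sample
hosts are constructed from the guide's example values on 192.168.0.0/24."""
import ipaddress
from typing import Dict, List


def default_mask(ip: str) -> str:
    """Classful default mask chosen from the first octet (classes A, B and C)."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip} is a class D/E address with no default subnet mask")


def mask_to_binary(mask: str) -> str:
    """'255.255.0.0' -> '11111111 11111111 00000000 00000000'."""
    return " ".join(f"{int(octet):08b}" for octet in mask.split("."))


def mask_to_prefix(mask: str) -> int:
    """Prefix length of a mask; a mask whose ones are not contiguous raises ValueError."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def check_segment(hosts: Dict[str, dict]) -> List[str]:
    """Problems in a static plan for one segment; an empty list means it is consistent.
    Rules: every host uses the same mask, every address is unique, the default
    gateway is on the host's own subnet, and no configured address is the
    network or broadcast address."""
    problems: List[str] = []
    masks = {h["mask"] for h in hosts.values()}
    if len(masks) > 1:
        problems.append(f"hosts use different subnet masks: {sorted(masks)}")
    owner_of: Dict[str, str] = {}
    for name, h in hosts.items():
        if h["ip"] in owner_of:
            problems.append(f"{name} duplicates the IP address of {owner_of[h['ip']]}")
        owner_of[h["ip"]] = name
        net = ipaddress.IPv4Interface(f"{h['ip']}/{h['mask']}").network
        if ipaddress.IPv4Address(h["gateway"]) not in net:
            problems.append(f"{name}: gateway {h['gateway']} is not on {net}")
        roles = [("ip", h["ip"]), ("gateway", h["gateway"])]
        roles += [("dns", a) for a in h["dns"]] + [("wins", a) for a in h["wins"]]
        for role, addr in roles:
            if ipaddress.IPv4Address(addr) in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: {role} {addr} is the network or broadcast address")
    return problems


# Constructed from the example values in the static IP address table.
EXAMPLE_HOSTS = {
    "AD-DNS-01": {"ip": "192.168.0.1", "mask": "255.255.255.0", "gateway": "192.168.0.10",
                  "dns": ["192.168.0.1", "192.168.0.7"], "wins": ["192.168.0.2", "192.168.0.8"]},
    "WINS-01": {"ip": "192.168.0.2", "mask": "255.255.255.0", "gateway": "192.168.0.10",
                "dns": ["192.168.0.1", "192.168.0.7"], "wins": ["192.168.0.2", "192.168.0.8"]},
    "DHCP-01": {"ip": "192.168.0.3", "mask": "255.255.255.0", "gateway": "192.168.0.10",
                "dns": ["192.168.0.1", "192.168.0.7"], "wins": ["192.168.0.2", "192.168.0.8"]},
}

if __name__ == "__main__":
    print(default_mask("131.107.16.200"), mask_to_binary("255.255.0.0"))
    print("problems:", check_segment(EXAMPLE_HOSTS))   # problems: []
```

DNS and WINS addresses are deliberately not required to be on the local subnet, since name servers can legitimately sit behind the router; the gateway is the one address that must be on-link for the configuration to work at all.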

Planning exclusion ranges

You can exclude IP addresses from distribution by the DHCP server by creating an exclusion range for each scope. You should use exclusions for all devices that are configured with a static IP address. The excluded addresses should include all IP addresses that you assigned manually to other servers, non-DHCP clients, diskless workstations, or Routing and Remote Access and PPP clients.

It is recommended that you configure your exclusion range with extra addresses to accommodate future network growth. The following table provides an example exclusion range for a scope with an IP address range of 192.168.0.1 - 192.168.0.254.

Configuration items:               Example values:
Exclusion range Start IP Address   192.168.0.1
Exclusion range End IP Address     192.168.0.15

Planning TCP/IP static configuration

Certain devices, such as routers, DHCP servers, and DNS servers, must be configured with a static IP address. In addition, you might have additional devices, such as printers, that you want to ensure always have the same IP address. List the devices that you want to configure statically for each subnet, and then plan the exclusion range you want to use on the DHCP server to ensure that the DHCP server does not lease the IP address of a statically configured device. An exclusion range is a limited sequence of IP addresses within a scope, excluded from DHCP service offerings. Exclusion ranges assure that any addresses in these ranges are not offered by the server to DHCP clients on your network.

For example, if the IP address range for a subnet is 192.168.0.1 through 192.168.0.254 and you have ten devices that you want to configure with a static IP address, you can create an exclusion range for the 192.168.0.x scope that includes ten or more IP addresses: 192.168.0.1 through 192.168.0.15.

In this example, you use ten of the excluded IP addresses to configure servers and other devices with static IP addresses and five additional IP addresses are left available for static configuration of new devices that you might want to add in the future. With this exclusion range, the DHCP server is left with an address pool of 192.168.0.16 through 192.168.0.254.
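The scope, exclusion-range and static-address planning described in the preceding sections (Planning IP address ranges, Planning exclusion ranges, and Planning TCP/IP static configuration), as an added example that is not part of the guide: it models a scope with the properties listed there, derives the pool the server is left with, and flags any statically addressed device whose address the server could still lease. The Scope class, its field names, the reservation MAC address and the sample device list (including the deliberately misplaced PRN-01 at 192.168.0.20) are constructed assumptions, not the DHCP server's own API.

```python
"""Model a DHCP scope with the properties the guide lists and derive what the
server may actually lease. Added example, not code from the guide; the Scope
class, its field names and the sample devices are assumptions, not the DHCP
server's own API. PRN-01 is a constructed misconfiguration for the check."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Tuple


@dataclass
class Scope:
    name: str
    start: str                       # first address of the scope range
    end: str                         # last address of the scope range
    mask: str
    lease_days: int = 6
    exclusions: List[Tuple[str, str]] = field(default_factory=list)  # (start, end) pairs
    reservations: Dict[str, str] = field(default_factory=dict)      # MAC -> fixed IP
    options: Dict[str, List[str]] = field(default_factory=dict)     # router/dns/wins

    @property
    def network(self) -> IPv4Network:
        return IPv4Interface(f"{self.start}/{self.mask}").network

    def is_excluded(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return any(IPv4Address(lo) <= addr <= IPv4Address(hi) for lo, hi in self.exclusions)

    def pool(self) -> List[IPv4Address]:
        """Addresses the server can offer: the range minus exclusions and reservations."""
        reserved = {IPv4Address(ip) for ip in self.reservations.values()}
        first, last = int(IPv4Address(self.start)), int(IPv4Address(self.end))
        return [IPv4Address(n) for n in range(first, last + 1)
                if IPv4Address(n) not in reserved and not self.is_excluded(str(IPv4Address(n)))]


def pool_bounds(scope: Scope) -> Tuple[str, str]:
    """Lowest and highest leasable address, e.g. ('192.168.0.16', '192.168.0.254')."""
    pool = scope.pool()
    return str(pool[0]), str(pool[-1])


def unprotected_static_devices(scope: Scope, static_ips: Dict[str, str]) -> List[str]:
    """Statically addressed devices inside the scope range but outside every exclusion
    range: the server could lease their address to a client and cause a conflict."""
    first, last = IPv4Address(scope.start), IPv4Address(scope.end)
    return [name for name, ip in static_ips.items()
            if first <= IPv4Address(ip) <= last and not scope.is_excluded(ip)]


def validate(scope: Scope) -> List[str]:
    """Structural problems with the scope definition; an empty list means none found."""
    problems = []
    first, last = IPv4Address(scope.start), IPv4Address(scope.end)
    if first > last:
        problems.append("start address is after end address")
    if last not in scope.network:
        problems.append(f"end address {last} is outside {scope.network}")
    for lo, hi in scope.exclusions:
        if not first <= IPv4Address(lo) <= IPv4Address(hi) <= last:
            problems.append(f"exclusion {lo}-{hi} is not inside the scope range")
    for router in scope.options.get("router", []):
        if IPv4Address(router) not in scope.network:
            problems.append(f"router {router} is not on {scope.network}")
    return problems


# Constructed from the guide's example values (Planning exclusion ranges and the
# Add Scope table); the reservation MAC address is a made-up sample.
EXAMPLE_SCOPE = Scope(
    name="Primary Subnet", start="192.168.0.1", end="192.168.0.254", mask="255.255.255.0",
    exclusions=[("192.168.0.1", "192.168.0.15")],
    reservations={"00-15-5D-00-00-01": "192.168.0.50"},
    options={"router": ["192.168.0.11"], "dns": ["192.168.0.1", "192.168.0.6"],
             "wins": ["192.168.0.2", "192.168.0.12"]},
)
STATIC_DEVICES = {"AD-DNS-01": "192.168.0.1", "WINS-01": "192.168.0.2",
                  "DHCP-01": "192.168.0.3", "Router": "192.168.0.11",
                  "PRN-01": "192.168.0.20"}   # PRN-01 sits outside the exclusion range

if __name__ == "__main__":
    print("problems:", validate(EXAMPLE_SCOPE))
    print("pool:", pool_bounds(EXAMPLE_SCOPE), "size:", len(EXAMPLE_SCOPE.pool()))
    print("unprotected:", unprotected_static_devices(EXAMPLE_SCOPE, STATIC_DEVICES))
```

With the guide's values the pool runs from 192.168.0.16 to 192.168.0.254, less the one reserved address, and the check names PRN-01 as the device that would collide with a future lease; the fix is either to move it into the exclusion range or to widen the range, which is the growth margin the text recommends.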

Additional example configuration items are provided in the following table.

Configuration items:                        Example values:
Network Connection Bindings                 Local Area Connection 2
DNS Server Settings                         AD-DNS-01
Preferred DNS server IP address             192.168.0.1
Alternate DNS server IP Address             192.168.0.6
WINS Server Settings (specify the IP address of your preferred WINS server only if WINS is deployed on the network)    192.168.0.2
Alternate WINS server IP Address            192.168.0.12

Note

Specify the IP address of your alternate WINS server only if an alternate WINS server is deployed on the network.

Add Scope dialog box values:
    Scope Name                  Primary Subnet
    Starting IP Address         192.168.0.1
    Ending IP Address           192.168.0.254
    Subnet Mask                 255.255.255.0
    Default Gateway (optional)  192.168.0.11
    Subnet Type                 Wired (Lease duration will be 6 days)
IPv6 DHCP Server Operation Mode             Not enabled

Planning the deployment of NPS-01

If you intend to deploy network access servers, such as wireless access points or VPN servers, after deploying your core network, it is recommended that you deploy NPS.

When you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server, NPS performs authentication and authorization for connection requests through your network access servers. NPS also allows you to centrally configure and manage network policies that determine who can access the network, how they can access the network, and when they can access the network.

Following are key planning steps before installing NPS.

Plan the user accounts database. By default, if you join the server running NPS to an Active Directory domain, NPS performs authentication and authorization using the AD DS user accounts database. In some cases, such as with large networks that use NPS as a RADIUS proxy to forward connection requests to other RADIUS servers, you might want to install NPS on a non-domain member computer.
Plan the use of Network Access Protection (NAP). With some NAP enforcement methods, it is required that you install NPS on a specific server. For example, if you deploy NAP with DHCP, NPS must be installed on the DHCP server.
Plan RADIUS accounting. NPS allows you to log accounting data to a SQL Server database or to a text file on the local computer. If you want to use SQL Server logging, plan the installation and configuration of your server running SQL Server.


Core Network Deployment

To deploy a foundation network, the basic steps are as follows:

1. Configuring All Servers
2. Deploying AD-DNS-01
3. Joining Computers to the Domain and Logging On
4. Deploying WINS-01 (optional)
5. Deploying DHCP-01
6. Deploying NPS-01 (optional)

Note

The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

Configuring All Servers

Before installing other technologies, such as DHCP or WINS, it is important to configure the following items.

Create an Administrator Password
Rename the Computer
Configure a Static IP Address

You can use the following sections to perform these actions for each server.

Create an Administrator Password

You can use this procedure to create an administrator password after you have installed Windows Server® 2008 R2.

1. On the Windows start page, beneath the text The user’s password must be changed before logging on the first time, click OK.
2. The Administrator credentials page opens. In New password, type a password. In Confirm password, retype the password.
3. If you want to create a password reset disk, click Create a password reset disk and follow the instructions.


4. In the Administrator credentials page, click the blue arrow.
5. A message that states Your password has been changed appears. Click OK.

Rename the Computer

You can use the procedures in this topic to provide computers running Windows Server® 2008 R2, Windows® 7, Windows Server® 2008, Windows Vista®, Windows Server 2003, and Windows XP with a different computer name.

Procedures for renaming computers

This topic provides procedures to rename computers running the following operating systems:

Windows Server 2008 R2 and Windows 7
Windows Server 2008 and Windows Vista
Windows Server 2003 and Windows XP

Windows Server 2008 R2 and Windows 7

Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

To rename computers running Windows Server 2008 R2 and Windows 7

1. Click Start, right-click Computer, and then click Properties. The System dialog box opens.
2. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens.

Note

On computers running Windows 7, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed.

3. Click Change. The Computer Name/Domain Changes dialog box opens.
4. In Computer Name, type the name for your computer. For example, if you want to name the computer AD-DNS-01, type AD-DNS-01.
5. Click OK twice, click Close, and then click Restart Now to restart the computer.


Windows Server 2008 and Windows Vista

Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

To rename computers running Windows Server 2008 and Windows Vista

1. Click Start, right-click Computer, and then click Properties. The System dialog box opens.
2. In Computer name, domain, and workgroup settings, click Change settings. The System Properties dialog box opens.

Note

On computers running Windows Vista, before the System Properties dialog box opens, the User Account Control dialog box opens, requesting permission to continue. Click Continue to proceed.

3. Click Change. The Computer Name/Domain Changes dialog box opens.
4. In Computer Name, type the name for your computer. For example, if you want to name the computer AD-DNS-01, type AD-DNS-01.
5. Click OK twice, click Close, and then click Restart Now to restart the computer.

Windows Server 2003 and Windows XP

Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

To rename computers running Windows Server 2003 and Windows XP

1. Click Start, right-click My Computer, and then click Properties. The System Properties dialog box opens.
2. Click Computer Name, and then click Change. The Computer Name Changes dialog box opens.
3. In Computer name, type the name for your computer. For example, if you want the computer named Client-01, type Client-01.
4. Click OK. The System Setting Changes dialog box opens, indicating that you must restart the computer before the changes take effect.
5. Click OK, click OK again to close the dialog box, and then click Yes to restart the computer.


Configure a Static IP Address

You can use the procedures in this topic to configure the Internet Protocol version 4 (IPv4) properties of a network connection with a static IP address for computers running Windows Server® 2008, or for computers running Windows Server 2003.

Procedures for configuring static IP addresses

This topic provides procedures for configuring static IP addresses on computers running the following operating systems:

Windows Server 2008 R2
Windows Server 2008
Windows Server 2003

Windows Server 2008 R2

Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

To configure a static IP address on a computer running Windows Server 2008 R2

1. Click Start, and then click Control Panel.
2. In Control Panel, click Network and Internet. Network and Internet opens. In Network and Internet, click Network and Sharing Center. Network and Sharing Center opens.
3. In Network and Sharing Center, click Change adapter settings. Network Connections opens.
4. In Network Connections, right-click the network connection that you want to configure, and then click Properties.
5. In Local Area Connection Properties, in This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens.
6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use.
7. Press tab to place the cursor in Subnet mask. A default value for subnet mask is entered automatically. Either accept the default subnet mask, or type the subnet mask that you want to use.
8. In Default gateway, type the IP address of your default gateway.
9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer.
10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer.
11. Click OK, and then click Close.

Windows Server 2008

Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

To configure a static IP address on a computer running Windows Server 2008

1. Click Start, and then click Control Panel.
2. In Control Panel, verify that Classic View is selected, and then double-click Network and Sharing Center.
3. In Network and Sharing Center, in Tasks, click Manage Network Connections.
4. In Network Connections, right-click the network connection that you want to configure, and then click Properties.
5. In Local Area Connection Properties, in This connection uses the following items, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box opens.
6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use.
7. Press tab to place the cursor in Subnet mask. A default value for subnet mask is entered automatically. Either accept the default subnet mask, or type the subnet mask that you want to use.
8. In Default gateway, type the IP address of your default gateway.
9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the local computer as the preferred DNS server, type the IP address of the local computer.
10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you plan to use the local computer as an alternate DNS server, type the IP address of the local computer.
11. Click OK, and then click Close.

Windows Server 2003

Membership in Administrators, or equivalent, is the minimum required to perform these procedures.

To configure a static IP address on a computer running Windows Server 2003

1. Click Start, click Control Panel, right-click Network Connections, and then click Open.
2. In Network Connections, right-click the network connection that you want to configure, and then click Properties.
3. In Local Area Connection Properties, in This Connection uses the following Items, select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol (TCP/IP) Properties dialog box opens.
4. In Internet Protocol (TCP/IP) Properties, on the General tab, click Use the following IP address. In IP address, type the IP address that you want to use.
5. In Subnet mask, either accept the default subnet mask, or type the subnet mask that you want to use.
6. In Default gateway, type the IP address of your default gateway.
7. In Preferred DNS server, type the IP address of your DNS server.
8. In Alternate DNS Server, type the IP address of your alternate DNS server, if any.
9. Click OK, and then click Close.

Deploying AD-DNS-01

To deploy AD-DNS-01, which is the computer running Active Directory Domain Services (AD DS)

and DNS, you must complete these steps in the following order:

Perform the steps in the section Configuring All Servers.

Install AD DS and DNS for a New Forest

Create a User Account in Active Directory Users and Computers

Add a Group

Assign Group Membership

Configure a DNS Reverse Lookup Zone

Administrative privilegesIf you are installing a small network and are the only administrator for the network, it is

recommended that you create a user account for yourself, and then add your user account as a

member of both Enterprise Admins and Domain Admins. Doing so will make it easier for you to

act as the administrator for all network resources. It is also recommended that you log on with this

account only when you need to perform administrative tasks, and that you create a separate user

account for performing non-IT related tasks.

If you have a larger organization with multiple administrators, refer to AD DS documentation to

determine the best group membership for organization employees.

Domain user accounts vs. user accounts on the local computer

One of the advantages of a domain-based infrastructure is that you do not need to create user

accounts on each computer in the domain. This is true whether the computer is a client computer

or a server.

Because of this, you should not create user accounts on each computer in the domain. Create all

user accounts in Active Directory Users and Computers and use the preceding procedures to

assign group membership. By default, all user accounts are members of the Domain Users

group.

After you have joined a computer to the domain, members of the Domain Users group can log on

to any domain member client computer.

Note

By default, members of the Domain Users group cannot log on locally to domain controllers

running Windows Server® 2008 or Windows Server 2008 R2. Which groups may log on to a

given computer is governed by the Allow log on locally user right in that computer's security

policy, so check that setting rather than assuming the default.

You can configure user accounts to designate the days and times that the user is allowed to log

on to the computer. You can also designate which computers each user is allowed to use. To

configure these settings, open Active Directory Users and Computers, locate the user account

that you want to configure, and double-click the account. In the user account Properties, click the

Account tab, and then click either Logon Hours or Log On To.

Install AD DS and DNS for a New Forest

You can use this procedure to install Active Directory Domain Services (AD DS) and DNS and to

create a new domain in a new forest.

Membership in Administrators is the minimum required to perform this procedure.

To install Active Directory Domain Services and DNS

1. Do one of the following:

In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add

Roles Wizard opens.

Click Start, click Administrative Tools, and then click Server Manager. In Server

Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles.

The Add Roles Wizard opens.

2. In Before You Begin, click Next.

Note

The Before You Begin page of the Add Roles Wizard is not displayed if you

have previously selected Do not show this page again when the Add Roles

Wizard was run.

3. In Select Server Roles, in Roles, select Active Directory Domain Services. An Add

Roles Wizard message opens that states You cannot install Active Directory Domain

Services unless the required features are also installed. Click Add Required

Features, and then, in the Add Roles Wizard, click Next.

4. In Active Directory Domain Services, review the information and then click Next.

5. In Confirm Installation Selections, review the information, and then click Install. The

Installation Progress page opens during installation.

6. When installation is complete, in Installation Results, review the information, and then

click Close this wizard and launch the Active Directory Domain Services Installation

Wizard (dcpromo.exe). The Add Roles Wizard closes and the Active Directory Domain

Services Installation Wizard opens. Click Next.

7. In Operating System Compatibility, review the information, and then click Next.

8. In Choose a Deployment Configuration, select Create a new domain in a new forest.

Click Next.

9. In Name the Forest Root Domain, in FQDN of the forest root domain, type the fully

qualified domain name for your domain. For example, if your FQDN is example.com, type

example.com. Click Next.

10. In Set Forest Functional Level, select the forest functional level that you want to use,

and then click Next.

11. In Additional Domain Controller Options, in Select additional options for this

domain controller, verify that DNS server is selected, and then click Next. The Active

Directory Domain Services Installation Wizard warning dialog box opens.

12. The warning dialog box informs you that you can create a delegation to this DNS server

manually in the parent zone. Click Yes to continue Active Directory Domain Services

installation.

13. In Location for Database, Log Files, and SYSVOL, do one of the following:

Accept the default values.

Type folder locations that you want to use for Database folder, Log files folder, and

SYSVOL folder.

14. Click Next.

15. In Directory Services Restore Mode Administrator Password, in Password, type a

password. In Confirm password, retype the password, and then click Next. This password

is for the local Administrator account that is used when the domain controller is started in

Directory Services Restore Mode; it is separate from the domain Administrator password.

Choose a strong password and record it in a protected location, because you will need it to

restore or repair the directory on this domain controller.

16. In Summary, review your selections.

17. If you want to export settings to an answer file, click Export settings, and specify a name

for the answer file. Click Next. The Active Directory Domain Services Installation

Wizard opens and installs Active Directory Domain Services.

18. In Completing the Active Directory Domain Services Installation Wizard, click

Finish, and then click Restart Now.
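The same forest-root installation, run unattended from an answer file of the kind that step 17 exports, as an added example that is not part of the original guide. It runs from an elevated prompt on AD-DNS-01 after the AD DS role binaries are installed (steps 1 to 6), and it assumes the example domain example.com, the default database, log and SYSVOL paths, and the Windows Server 2008 R2 functional level; the [DCINSTALL] keys are the dcpromo unattend keys for Windows Server 2008 R2.

```powershell
# Added example: create a new domain in a new forest with dcpromo /unattend.
# Domain name, NetBIOS name, paths and functional levels are assumptions.
$Answer = Join-Path $env:TEMP "dcpromo-answer.txt"

# Prompt for the DSRM password instead of embedding it in the script.
$Secure = Read-Host -AsSecureString "Directory Services Restore Mode password"
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# ForestLevel/DomainLevel 4 = Windows Server 2008 R2 (3 = 2008, 2 = 2003).
@"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=example.com
DomainNetBiosName=EXAMPLE
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$Dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $Answer -Encoding ASCII

# The answer file holds the DSRM password in clear text: run dcpromo, delete the
# file as soon as it has finished, then restart (the wizard's Restart Now).
Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" `
    -ArgumentList "/unattend:`"$Answer`"" -Wait
Remove-Item $Answer -Force
Restart-Computer -Force
```

After the restart, dcdiag /test:dns /test:advertising on AD-DNS-01 reports whether the DNS zones were created and the domain controller is advertising itself, and nltest /dsgetdc:example.com from any computer that uses it as its DNS server confirms that the new domain can be located.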

Create a User Account in Active Directory Users and Computers

You can use this procedure to create a new domain user account in Active Directory Users and

Computers Microsoft Management Console (MMC).

Membership in Domain Admins, or equivalent, is the minimum required to perform this

procedure.

To create a user account

1. Click Start, click Administrative Tools, and then click Active Directory Users and

Computers. The Active Directory Users and Computers MMC opens. If it is not already

selected, click the node for your domain. For example, if your domain is example.com,

click example.com.

2. In the details pane, right-click the folder in which you want to add a user account.

Where?

Active Directory Users and Computers/domain node/folder

3. Point to New, and then click User.

4. In First name, type the user's first name.

5. In Initials, type the user's initials.

6. In Last name, type the user's last name.

7. Modify Full name to add initials or reverse the order of first and last names.

8. In User logon name, type the user logon name. Click Next.

9. In New Object - User, in Password and Confirm password, type the user's password,

and then select the appropriate password options.

10. Click Next, review the new user account settings, and then click Finish.

Add a Group

You can use this procedure to create a new group in Active Directory Users and Computers

Microsoft Management Console (MMC).

Membership in Domain Admins, or equivalent, is the minimum required to perform this

procedure.

To add a group

1. Click Start, click Administrative Tools, and then click Active Directory Users and

Computers. The Active Directory Users and Computers MMC opens. If it is not already

selected, click the node for your domain. For example, if your domain is example.com,

click example.com.

2. In the details pane, right-click the folder in which you want to add a new group.

Where?

Active Directory Users and Computers/domain node/folder

3. Point to New, and then click Group.

4. In New Object – Group, in Group name, type the name of the new group.

By default, the name you type is also entered as the pre-Windows 2000 name of the new

group.

5. In Group scope, select one of the following options:

Domain local

Global

Universal

6. In Group type, select one of the following options:

Security

Distribution

7. Click OK.

Assign Group Membership

You can use this procedure to add a user, computer, or group to a group in Active Directory Users

and Computers Microsoft Management Console (MMC).

Membership in Domain Admins, or equivalent is the minimum required to perform this

procedure.

To assign group membership

1. Click Start, click Administrative Tools, and then click Active Directory Users and

Computers. The Active Directory Users and Computers MMC opens. If it is not already

selected, click the node for your domain. For example, if your domain is example.com,

click example.com.

2. In the details pane, double-click the folder that contains the group to which you want to

add a member.

Where?

Active Directory Users and Computers/domain node/folder that contains the group

3. In the details pane, right-click the group to which you want to add a member, and then

click Properties. The group Properties dialog box opens. Click the Members tab.

4. On the Members tab, click Add.

5. In Enter the object names to select, type the name of the user, group, or computer that

you want to add, and then click OK.

6. To assign group membership to other users, groups or computers, repeat steps 4 and 5

of this procedure.
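The three procedures above (create a user account, add a group, assign group membership), together with the separate daily and administrative accounts recommended under Administrative privileges, as an added example that is not part of the original guide. It uses the Active Directory module that ships with Windows Server 2008 R2 and runs on AD-DNS-01 as a member of Domain Admins; the OU, account names and group name are assumptions for an example domain.

```powershell
# Added example: create users, a group and memberships with the Active Directory
# module. OU, account names and group name are assumptions.
Import-Module ActiveDirectory

$Domain = Get-ADDomain
$OuName = "Staff"                                   # assumed OU for the new objects
$OuPath = "OU=$OuName,$($Domain.DistinguishedName)"

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain.DistinguishedName
}

# One daily account and one administrative account for the same person, as the
# guide recommends. Passwords are prompted for so they never sit in the script
# or the command history.
$Accounts = @(
    @{ Sam = "User-01";       Name = "Pat Example";         Admin = $false },
    @{ Sam = "User-01-admin"; Name = "Pat Example (admin)"; Admin = $true  }
)
foreach ($a in $Accounts) {
    New-ADUser -Name $a.Name -SamAccountName $a.Sam `
        -UserPrincipalName "$($a.Sam)@$($Domain.DNSRoot)" `
        -GivenName "Pat" -Surname "Example" -Path $OuPath `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $($a.Sam)") `
        -ChangePasswordAtLogon $true -Enabled $true
    if ($a.Admin) {
        # The single-administrator case: both privileged groups, admin account only.
        Add-ADGroupMember -Identity "Domain Admins"     -Members $a.Sam
        Add-ADGroupMember -Identity "Enterprise Admins" -Members $a.Sam
    }
}

# A global security group (the wizard's Group scope and Group type) for resource
# access, with the daily account as its member.
New-ADGroup -Name "Staff-Users" -SamAccountName "Staff-Users" `
    -GroupScope Global -GroupCategory Security -Path $OuPath
Add-ADGroupMember -Identity "Staff-Users" -Members "User-01"

# Checks: the new group holds only the daily account, and the privileged group
# contains nothing beyond the built-in Administrator and the admin account.
Get-ADGroupMember -Identity "Staff-Users" | Select-Object SamAccountName
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object SamAccountName
```

Reviewing the second listing after every change to group membership is the cheapest control there is against privileged groups quietly accumulating members.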

Configure a DNS Reverse Lookup Zone

You can use this procedure to configure a reverse lookup zone in Domain Name System (DNS).

Membership in Domain Admins is the minimum required to perform this procedure.

To configure a DNS reverse lookup zone

1. Click Start, click Administrative Tools, and then click DNS. The DNS Manager opens.

2. In DNS Manager, if it is not already expanded, double-click the server name to expand

the tree. For example, if the DNS server name is AD-DNS-01, double-click AD-DNS-01.

3. Select Reverse Lookup Zones, right-click Reverse Lookup Zones, and then click New

Zone. The New Zone Wizard opens.

4. In Welcome to the New Zone Wizard, click Next.

5. In Zone Type, select one of the following:

Primary zone

Secondary zone

Stub zone

6. If your DNS server is a writeable domain controller, select Store the zone in Active

Directory.

7. Click Next.

8. In Active Directory Zone Replication Scope, select one of the following:

To all DNS servers running on domain controllers in this forest

To all DNS servers running on domain controllers in this domain

To all domain controllers in this domain

To all domain controllers specified in the scope of this directory partition

9. Click Next.

10. In the first Reverse Lookup Zone Name page, select one of the following:

IPv4 Reverse Lookup Zone

IPv6 Reverse Lookup Zone

11. Click Next.

12. In the second Reverse Lookup Zone Name page, do one of the following:

In Network ID, type the network ID of your IP address range. For example, if your IP

address range is 192.168.0.0 with subnet mask 255.255.255.0 (192.168.0.0/24), type 192.168.0.

In Reverse lookup zone name, type the name of your IPv4 reverse lookup zone.

13. Click Next.

14. In Dynamic Update, select the type of dynamic updates that you want to allow. For a zone

that is stored in Active Directory, Allow only secure dynamic updates is the default and the

recommended choice; allowing nonsecure updates lets any host on the network add or

overwrite records in the zone. Click Next.

15. In Completing the New Zone Wizard, review your choices, and then click Finish.
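The reverse lookup zone from the wizard above, created with dnscmd on AD-DNS-01, as an added example that is not part of the original guide (the DnsServer PowerShell module is not available on Windows Server 2008 R2, so dnscmd is the scriptable tool there). The subnet and addresses are assumptions for an example network: 192.168.0.0/24, with AD-DNS-01 at 192.168.0.10.

```powershell
# Added example: an Active Directory-integrated IPv4 reverse lookup zone with
# secure-only dynamic updates. Subnet and host addresses are assumptions.
$Zone = "0.168.192.in-addr.arpa"   # network ID 192.168.0, written in reverse

# AD-integrated primary zone, replicated to all DNS servers on domain controllers
# in this domain (the wizard's second replication-scope option).
dnscmd /ZoneAdd $Zone /DsPrimary /DP /domain

# Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only.
# Secure only means an unauthenticated host cannot overwrite someone else's PTR record.
dnscmd /Config $Zone /AllowUpdate 2

# A static PTR record for the domain controller itself; ordinary hosts register their own.
dnscmd /RecordAdd $Zone 10 PTR ad-dns-01.example.com.

# Checks: zone type, storage and update setting, then a reverse query against the server.
dnscmd /ZoneInfo $Zone
nslookup 192.168.0.10 127.0.0.1
```

The /ZoneInfo output should show the zone as DsIntegrated with Update set to 2; if it shows 1, the zone is accepting unauthenticated updates and the /Config line above corrects it.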

Joining Computers to the Domain and Logging On

After you have installed Active Directory Domain Services (AD DS) and created one or more user

accounts that have permissions to join a computer to the domain, you can join foundation network

servers to the domain and log on to the servers in order to install additional technologies, such as

Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), and

Network Policy Server (NPS).

Note

If you are logged on to a computer running Windows Server® 2008 with the local

computer's Administrator account, by default, you can join a computer to the domain with

a user account that is a member of Domain Users in Active Directory Users and

Computers. This works because, by default, an ordinary domain user is allowed to join up to

10 computers to the domain (the ms-DS-MachineAccountQuota attribute of the domain). An

account that has been granted the Create Computer Objects permission on the target

container is not subject to that limit.

In addition, you can use these instructions to join client computers to the domain and to log on to

client computers.

On all servers that you are deploying, except for the server running AD DS, do the following:

1. Complete the procedures provided in Configuring All Servers.

2. Use the instructions in the following sections to join your servers to the domain and to log on

to the servers to perform additional deployment tasks:

Join the Computer to the Domain

Log on to the Domain

Join the Computer to the Domain

You can use these procedures to join computers running Windows Server® 2008 R2,

Windows® 7, Windows Server® 2008, Windows Vista®, Windows Server 2003, or Windows XP to

the domain.

Procedures for joining computers to the domain

This topic provides procedures for joining computers running the following operating systems to

the domain:

Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)

Windows Server 2008 and Windows Vista

Windows Server 2003 and Windows XP

Important

To join a computer to a domain, you must be logged on to the computer with the local

Administrator account or, if you are logged on to the computer with a user account that

does not have local computer administrative credentials, you must provide the credentials

for the local Administrator account during the process of joining the computer to the

domain. In addition, you must have a user account in the domain to which you want to

join the computer. During the process of joining the computer to the domain, you will be

prompted for your domain account credentials (user name and password).

Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)

Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

To join computers running Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate) to the domain

1. Log on to the computer with the local Administrator account.

2. Click Start, right-click Computer, and then click Properties. The System dialog box

opens.

3. In Computer name, domain, and workgroup settings, click Change settings. The

System Properties dialog box opens.

Note

On computers running Windows® 7, before the System Properties dialog box

opens, the User Account Control dialog box opens, requesting permission to

continue. Click Continue to proceed.

4. Click Change. The Computer Name/Domain Changes dialog box opens.

5. In Computer Name, in Member of, select Domain, and then type the name of the

domain you want to join. For example, if the domain name is example.com, type

example.com.

6. Click OK. The Windows Security dialog box opens.

7. In Computer Name/Domain Changes, in User name, type the user name, and in

Password, type the password, and then click OK. The Computer Name/Domain

Changes dialog box opens, welcoming you to the domain. Click OK.

8. The Computer Name/Domain Changes dialog box displays a message indicating that

you must restart the computer to apply the changes. Click OK.

9. On the System Properties dialog box, on the Computer Name tab, click Close. The

Microsoft Windows dialog box opens, and displays a message, again indicating that

you must restart the computer to apply the changes. Click Restart Now.

Windows Server 2008 and Windows Vista

Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

To join computers running Windows Server 2008 and Windows Vista to the domain

1. Log on to the computer with the local Administrator account.

2. Click Start, right-click Computer, and then click Properties. The System dialog box

opens.

3. In Computer name, domain, and workgroup settings, click Change settings. The

System Properties dialog box opens.

Note

On computers running Windows Vista®, before the System Properties dialog box

opens, the User Account Control dialog box opens, requesting permission to

continue. Click Continue to proceed.

4. Click Change. The Computer Name/Domain Changes dialog box opens.

5. In Computer Name, in Member of, select Domain, and then type the name of the

domain you want to join. For example, if the domain name is example.com, type

example.com.

6. Click OK. The Windows Security dialog box opens.

7. In Computer Name/Domain Changes, in User name, type the user name, and in

Password, type the password, and then click OK. The Computer Name/Domain

Changes dialog box opens, welcoming you to the domain. Click OK.

8. The Computer Name/Domain Changes dialog box displays a message indicating that

you must restart the computer to apply the changes. Click OK.

9. On the System Properties dialog box, on the Computer Name tab, click Close. The

Microsoft Windows dialog box opens, and displays a message, again indicating that

you must restart the computer to apply the changes. Click Restart Now.

Windows Server 2003 and Windows XP

Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

To join computers running Windows Server 2003 and Windows XP to the domain

1. Click Start, right-click My Computer, and then click Properties. The System Properties

dialog box opens.

2. Click Change. The Computer Name Changes dialog box opens.

3. In Computer Name Changes, in Member of, select Domain, and then type the name of

the domain you want to join. For example, if the domain name is example.com, type

example.com.

4. Click OK. The Computer Name Changes dialog box opens. In User name, type the name

of a domain user account that is allowed to join computers to the domain (the domain

Administrator account or, by default, any member of Domain Users), and in Password, type

that account's password, and then click OK.

5. The Computer Name Changes dialog box opens, welcoming you to the domain.

6. Click OK. The Computer Name Changes dialog box displays a message indicating that

you must restart the computer to apply the changes.

7. Click OK.

8. On the System Properties dialog box, on the Computer Name tab, click OK, to close

the System Properties dialog box. The System Settings Change dialog box opens,

and displays a message, again indicating that you must restart the computer to apply the

changes.

9. Click Yes.
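The join that the dialogs above perform, done from an elevated PowerShell 2.0 prompt on the computer being joined (Windows Server 2008 R2 or Windows 7) while logged on as the local Administrator, as an added example that is not part of the original guide. The domain name, join account and target OU are assumptions for an example domain.

```powershell
# Added example: join this computer to the domain with Add-Computer.
# Domain name, account and OU are assumptions.
$DomainName = "example.com"

# The domain account used for the join. Get-Credential prompts for the password,
# so it never appears in the script or in the command history.
$JoinCred = Get-Credential -Credential "EXAMPLE\User-01"

# Join, placing the computer object in a specific OU rather than the default
# Computers container (omit -OUPath to accept the default).
Add-Computer -DomainName $DomainName -Credential $JoinCred `
    -OUPath "OU=Servers,DC=example,DC=com"

# The restart the dialogs insist on; Add-Computer in PowerShell 2.0 has no -Restart switch.
Restart-Computer -Force
```

After the restart, nltest /sc_verify:example.com on the joined computer confirms that the secure channel to a domain controller is established, and Get-ADComputer -Filter 'Name -eq "DHCP-01"' (Active Directory module, on AD-DNS-01) shows the new computer object in the OU you chose. If a join by an ordinary user fails with a message about exceeding the number of computer accounts, the domain's ms-DS-MachineAccountQuota (read with Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota) has been reached for that account.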

Log on to the Domain

You can use these procedures to log on to the domain using computers running

Windows Server® 2008 R2, Windows® 7, Windows Server® 2008, Windows Vista®,

Windows Server 2003, and Windows XP.

Procedures to log on to the domain

This topic provides procedures to log on to the domain using computers running the following

operating systems:

Windows Server 2008 R2 and Windows 7

Windows Server 2008 and Windows Vista

Windows Server 2003 and Windows XP

Windows Server 2008 R2 and Windows 7

Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

Log on to the domain using computers running Windows Server 2008 R2 and Windows 7

1. Log off the computer, or restart the computer.

2. Press CTRL + ALT + DELETE. The logon screen appears.

3. Click Switch User, and then click Other User.

4. In User name, type your domain and user name in the format domain\user. For example,

to log on to the domain example.com with an account named User-01, type example\

User-01.

5. In Password, type your domain password, and then click the arrow, or press ENTER.

Windows Server 2008 and Windows Vista

Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

Log on to the domain using computers running Windows Server 2008 and Windows Vista

1. Log off the computer, or restart the computer.

2. Press CTRL + ALT + DELETE. The logon screen appears.

3. Click Switch User, and then click Other User.

4. In User name, type your domain and user name in the format domain\user. For example,

to log on to the domain example.com with an account named User-01, type example\

User-01.

5. In Password, type your domain password, and then click the arrow, or press ENTER.

Windows Server 2003 and Windows XP

Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.

Log on to the domain using computers running Windows Server 2003 and Windows XP

1. Log off the computer, or restart the computer.

2. Press CTRL + ALT + DELETE. The Log On to Windows dialog box appears.

3. If Log on to is not displayed, click Options.

4. In Log on to, in the drop down list, select your domain. For example, in the example.com

domain, select EXAMPLE.

5. In User name, type your user name. For example, to log on to the example.com domain

with an account named User-01, type User-01. Alternatively, type the account in the format

domain\user, for example example\User-01; the Log on to selection is then ignored.

6. In Password, type your domain password, and then press ENTER.

Deploying WINS-01 (optional)

Before deploying this component of the foundation network, you must do the following:

Perform the steps in the section Configuring All Servers.

Perform the steps in the section Joining Computers to the Domain and Logging On

To deploy WINS-01, which is the computer running Windows Internet Name Service (WINS), you

must complete this step:

Install Windows Internet Name Service (WINS)

Install Windows Internet Name Service (WINS)

Windows Internet Name Service (WINS) enables computers running Windows to find other

computers using NetBIOS across subnets. Some programs rely on WINS to function across the

network.

Membership in Domain Admins, or equivalent, is the minimum required to perform this

procedure.

To install WINS

1. Do one of the following:

a. In Initial Configuration Tasks, in Customize This Server, click Add Features. The

Add Features Wizard opens.

b. Click Start, click Administrative Tools, and then click Server Manager. In the left

pane of Server Manager, click Features, and in the details pane, in Features

Summary, click Add Features. The Add Features Wizard opens.

2. In Select Features, in Features, scroll down the list, select WINS Server, and then click

Next.

3. In Confirm installation selections, click Install.

4. In Installation Results, review your installation results, and then click Close.

Deploying DHCP-01

Before deploying this component of the foundation network, you must do the following:

Perform the steps in the section Configuring All Servers.

Perform the steps in the section Joining Computers to the Domain and Logging On.

DHCP installation suggestions

The following choices are recommended when you install DHCP with the Add Roles Wizard:

Activate the scope or scopes that you configure during installation unless you have reason

not to do so. For example, if you plan to create an exclusion range for the scope so that some

IP addresses are available for statically configured devices, you might not want to activate the

scope until after you have created the exclusion range. After you activate a scope, it is

configured to function without additional configuration after the installation process is

complete. If you choose not to activate a scope during installation, however, you can activate

the scope after DHCP is installed by using the DHCP Microsoft Management Console (MMC)

and the procedure Activate a DHCP Scope.

Authorize the DHCP server in Active Directory Domain Services (AD DS) during installation

unless you have reason not to do so. If you authorize the server during installation, the server

is configured to function without additional configuration after the installation process is

complete. If you choose not to authorize the DHCP server during installation, however, you

can authorize the server after DHCP is installed by using the DHCP MMC and the procedure

Authorize a DHCP Server in Active Directory Domain Services.

Do not enable Configure DHCPv6 Stateless Mode unless you plan to use Internet Protocol

version 6 (IPv6) on your network in addition to or to replace IPv4.

Deploying DHCP

To deploy DHCP-01, which is the computer running the Dynamic Host Configuration Protocol

(DHCP) server role, you must complete these steps in the following order:

If you plan to deploy Windows Internet Name Service (WINS) on your network, it is

recommended that you perform the steps in the section Deploying WINS-01 (optional) before

installing DHCP.

Install Dynamic Host Configuration Protocol (DHCP)

Create an Exclusion Range in DHCP

If you chose not to perform the following actions during DHCP installation, you can perform them

after DHCP is installed:

Authorize a DHCP Server in Active Directory Domain Services

Activate a DHCP Scope

After DHCP is installed, you can add more scopes to the server configuration:

Create a New DHCP Scope

Install Dynamic Host Configuration Protocol (DHCP)

You can use this procedure to install and configure the DHCP Server role using the Add Roles

Wizard.

Membership in Domain Admins, or equivalent, is the minimum required to perform this

procedure.

To install DHCP

1. Do one of the following:

a. In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add

Roles Wizard opens.

b. Click Start, click Administrative Tools, and then click Server Manager. In the left

pane of Server Manager, click Roles, and in the details pane, in Roles Summary,

click Add Roles. The Add Roles Wizard opens.

2. In Before You Begin, click Next.

Note

The Before You Begin page of the Add Roles Wizard is not displayed if you

have previously selected Do not show this page again when the Add Roles

Wizard was run.

3. In Select Server Roles, in Roles, select DHCP Server, and then click Next.

4. In DHCP Server, click Next.

5. In Select Network Connection Bindings, in Network Connections, select the IP

addresses that are connected to the subnets for which you want to provide DHCP

service, and then click Next.

6. In Specify IPv4 DNS Server Settings, in Parent domain, verify that the name of the

DNS domain that clients use for name resolution is correct. For example, if your domain

is named example.com, verify that the DNS domain name is example.com.

7. In Preferred DNS server IPv4 address, type the IPv4 address of your preferred DNS

server, and then click Validate. In Alternate DNS server IPv4 Address, type the IPv4

address of your alternate DNS server, if any, and then click Validate.

Note

If a DNS server responds when you click Validate, the DHCP installation wizard

indicates the specified address for the DNS server is valid. If no DNS server

responds when you click Validate, the DHCP installation wizard returns the

message: The DNS server at the specified IP address is not responding.

8. Click Next. In Specify IPv4 WINS Server Settings, select one of the following:

If you do not have WINS servers on your network, select WINS is not required for

applications on this network.

If one or more WINS servers are deployed on your network, select WINS is required

for applications on this network. In Preferred WINS server IP address, type the

IPv4 address of your preferred WINS server. In Alternate WINS server IP Address,

type the IPv4 address of your alternate WINS server, if any, and then click Next.

9. In Add or Edit DHCP Scopes, click Add. The Add Scope dialog box opens.

10. In the Add Scope dialog box, type values for all required items. In Subnet Type, select

either Wired or Wireless, depending on the IP address lease duration that you prefer,

and then do one of the following:

To automatically activate the scope immediately after DHCP installation is complete,

ensure that Activate this scope is selected. If there are computers or devices on the

network that have static IP addresses, do not activate the scope until after you have

created an exclusion range. The exclusion range prevents the DHCP server from

leasing IP addresses that are already in use by a statically configured device.

To manually activate the scope later, use the DHCP Microsoft Management Console

(MMC).

11. Click OK. This returns you to the Add or Edit DHCP Scopes page. If your network has

multiple subnets that are serviced by this DHCP server, add scopes for each subnet

using steps 9 and 10. Click Next.

12. In Configure DHCPv6 Stateless Mode, select whether you want to configure the DHCP

server for DHCPv6 stateless operation, and then click Next.

13. In the previous step, if you selected Enable DHCPv6 stateless mode for this server,

the Specify IPv6 DNS Server Settings page opens. Configure the IPv6 DNS server

settings that you prefer, and then click Next. If in the previous step you selected Disable

DHCPv6 stateless mode for this server, proceed to the next step.

14. In Authorize DHCP Server, do one of the following:

Select Use current credentials to authorize the DHCP server in Active Directory

Domain Services (AD DS) using the credentials supplied for the current session.

To specify alternate credentials for authorization, select Use alternate credentials.

Click Specify, and then type the credentials to use for DHCP server authorization.

Select Skip authorization of this DHCP server in AD DS, and then click Next.

Note

Before your DHCP server can issue IP address leases, the DHCP server

must be authorized in AD DS.

15. In Confirm Installation Selections, review your selections, and then click Install.

16. In Installation Results, review your installation results, and then click Close.

Create an Exclusion Range in DHCP

You can use this procedure to create an exclusion range for an existing DHCP scope.

Membership in DHCP Administrators, or equivalent, is the minimum required to perform this

procedure.

To create an exclusion range in DHCP

1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft

Management Console (MMC) opens.

2. In DHCP, double-click the server name. For example, if the DHCP server name is

DHCP-01.example.com, double-click DHCP-01.example.com.

3. Double-click IPv4, and then, for the scope for which you want to create an exclusion

range, double-click Scope.

4. Click Address Pool. Right-click Address Pool, and then click New Exclusion Range.

The Add Exclusion dialog box opens.

5. In Add Exclusion, in Start IP address, type the IP address that is the first IP address in

the exclusion range.

6. In Add Exclusion, in End IP address, type the IP address that is the last IP address in

the exclusion range, and then click Add.

7. Click Close.

Authorize a DHCP Server in Active Directory Domain Services

You can use this procedure to authorize a DHCP server in Active Directory Domain Services

(AD DS).

Membership in Domain Admins, or equivalent, is the minimum required to perform this

procedure.

To authorize a DHCP server in AD DS

1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft

Management Console (MMC) opens.

2. In DHCP, double-click the server name. For example, if the DHCP server name is

DHCP-01.example.com, double-click DHCP-01.example.com.

3. In the DHCP MMC, click Action, and then click Authorize.

4. To verify that the server was authorized in AD DS, click Action, and then click Refresh.

The IPv4 icon changes from red to green. In addition, on the Action menu, the

Authorize menu item is replaced by the Unauthorize menu item. You can use the

Unauthorize menu item if you ever want to decommission the DHCP server.

Activate a DHCP Scope

You can use this procedure to activate a DHCP scope using the DHCP Microsoft Management

Console (MMC).

Membership in DHCP Administrators, or equivalent, is the minimum required to perform this

procedure.

To activate a DHCP scope

1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens.

2. In DHCP, double-click the server name. For example, if the DHCP server name is

DHCP-01.example.com, double-click DHCP-01.example.com.

3. Double-click IPv4, and click the scope that you want to activate. Right-click the scope that you want to activate, and then click Activate.

Create a New DHCP Scope

You can use this procedure to create a new DHCP scope using the DHCP Microsoft Management Console (MMC).

Membership in DHCP Administrators, or equivalent, is the minimum required to perform this procedure.

To create a new DHCP Scope

1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens.

2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-01.example.com, double-click DHCP-01.example.com.

3. Right-click IPv4, and then click New Scope. The New Scope Wizard opens.

4. In Welcome to the New Scope Wizard, click Next.

5. In Scope Name, in Name, type a name for the scope. For example, type Subnet-02.

6. In Description, type a description for the new scope, and then click Next.

7. In IP Address Range, do the following:

a. In Start IP address, type the IP address that is the first IP address in the range. For example, type 10.10.10.1.

b. In End IP address, type the IP address that is the last IP address in the range. For example, type 10.10.10.254. Values for Length and Subnet mask are entered automatically, based on the IP address you entered for Start IP address.

c. If necessary, modify the values in Length or Subnet mask, as appropriate for your addressing scheme. The wizard derives the defaults from the address class of the start address, so for 10.10.10.1 it proposes a length of 8 and a subnet mask of 255.0.0.0. If the subnet is actually a /24, change these to 24 and 255.255.255.0, because clients receive this mask with their leases.

d. Click Next.

8. In Add Exclusions, do the following:

a. In Start IP address, type the IP address that is the first IP address in the exclusion range. For example, type 10.10.10.1.

b. In End IP address, type the IP address that is the last IP address in the exclusion range. For example, type 10.10.10.15. The exclusion range should cover every statically assigned address in the subnet, including the router (10.10.10.10 in this example) and any servers, so that the DHCP server never leases one of them to a client.

9. Click Add, and then click Next.

10. In Lease Duration, modify the default values for Days, Hours, and Minutes, as appropriate for your network, and then click Next.

11. In Configure DHCP Options, select Yes, I want to configure these options now, and then click Next.

12. In Router (Default Gateway), do one of the following:

If you do not have routers on your network, click Next.

In IP address, type the IP address of your router or default gateway. For example, type 10.10.10.10. Click Add, and then click Next.

13. In Domain Name and DNS Servers, do the following:

a. In Parent domain, type the name of the DNS domain that clients use for name resolution. For example, type example.com.

b. In Server name, type the name of the DNS computer that clients use for name resolution. For example, type AD-DNS-01.

c. Click Resolve. The IP address of the DNS server is added in IP address. Click Add, wait for DNS server IP address validation to complete, and then click Next.

14. In WINS Servers, do one of the following:

If you do not have WINS servers on your network, click Next.

If you have one or more WINS servers deployed on your network, for each WINS server: In Server name, type the name of the WINS server. For example, type WINS-01. Click Resolve. The IP address of the WINS server is added in IP address. Click Add, and then click Next.

15. In Activate Scope, do one of the following:

To automatically activate the scope immediately after the steps in the New Scope Wizard are complete, select Yes, I want to activate this scope now.

To manually activate the scope later by using the DHCP MMC, select No, I will activate this scope later.

16. Click Next, and then click Finish.
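The wizard's steps, together with the Create an Exclusion Range and Activate a DHCP Scope procedures above, carried out from the command line, as an added example that is not code from the original guide. Windows Server 2008 R2 has no DhcpServer PowerShell module, so the example drives netsh dhcp server. All values are the guide's examples (Subnet-02, 10.10.10.1 to 10.10.10.254, exclusion 10.10.10.1 to 10.10.10.15, router 10.10.10.10, DNS server 192.168.0.1, parent domain example.com, WINS server 192.168.0.2, eight-day lease); the one assumption made explicit is that the subnet is a /24, so the mask is set to 255.255.255.0 instead of the class-based 255.0.0.0 the wizard proposes for a 10.x.x.x start address. Run it on DHCP-01 in an elevated session as a member of DHCP Administrators.

```powershell
# Added example, not code from the original guide. Values are the guide's examples;
# the /24 mask is an assumption (the wizard would propose 255.0.0.0 for 10.10.10.1).
$Scope = @{
    Network      = '10.10.10.0'
    Mask         = '255.255.255.0'
    Name         = 'Subnet-02'
    Description  = 'Scope for Subnet-02'
    RangeStart   = '10.10.10.1'
    RangeEnd     = '10.10.10.254'
    ExcludeStart = '10.10.10.1'
    ExcludeEnd   = '10.10.10.15'
    Router       = '10.10.10.10'
    DnsServer    = '192.168.0.1'
    DnsDomain    = 'example.com'
    WinsServer   = '192.168.0.2'
    LeaseDays    = 8
}

function Invoke-DhcpNetsh {
    # Runs one 'netsh dhcp server ...' command and stops at the first failure, so a
    # typo cannot leave a half-built (and possibly already active) scope behind.
    param([string[]]$Arguments)
    $out = (& netsh dhcp server $Arguments 2>&1) -join ' '
    if ($out -notmatch 'completed successfully') {
        throw ("netsh dhcp server {0}: {1}" -f ($Arguments -join ' '), $out)
    }
}

function New-DhcpScopeFromSheet {
    param([hashtable]$S)
    $net = $S.Network
    Invoke-DhcpNetsh @('add', 'scope', $net, $S.Mask, $S.Name, $S.Description)
    Invoke-DhcpNetsh @('scope', $net, 'add', 'iprange', $S.RangeStart, $S.RangeEnd)
    # Exclude the statically assigned addresses before the scope goes active, so no
    # client can be leased the router's or a server's address in between.
    Invoke-DhcpNetsh @('scope', $net, 'add', 'excluderange', $S.ExcludeStart, $S.ExcludeEnd)
    # Scope options by DHCP option code: 003 router, 006 DNS servers, 015 DNS domain
    # name, 044 WINS servers, 046 NetBIOS node type (0x8 = hybrid, which the wizard
    # sets when a WINS server is supplied), 051 lease time in seconds.
    Invoke-DhcpNetsh @('scope', $net, 'set', 'optionvalue', '003', 'IPADDRESS', $S.Router)
    Invoke-DhcpNetsh @('scope', $net, 'set', 'optionvalue', '006', 'IPADDRESS', $S.DnsServer)
    Invoke-DhcpNetsh @('scope', $net, 'set', 'optionvalue', '015', 'STRING', $S.DnsDomain)
    Invoke-DhcpNetsh @('scope', $net, 'set', 'optionvalue', '044', 'IPADDRESS', $S.WinsServer)
    Invoke-DhcpNetsh @('scope', $net, 'set', 'optionvalue', '046', 'BYTE', '0x8')
    Invoke-DhcpNetsh @('scope', $net, 'set', 'optionvalue', '051', 'DWORD', [string]($S.LeaseDays * 86400))
    # Same as right-clicking the scope and clicking Activate (state 1 = active).
    Invoke-DhcpNetsh @('scope', $net, 'set', 'state', '1')
}

function Test-DhcpScopeActive {
    # 'netsh dhcp server show scope' prints one row per scope including its state.
    param([string]$Network)
    $row = (& netsh dhcp server show scope 2>&1) | Where-Object { $_ -match [regex]::Escape($Network) }
    return [bool]($row -and ($row -match '\bActive\b'))
}

New-DhcpScopeFromSheet -S $Scope
if (-not (Test-DhcpScopeActive -Network $Scope.Network)) {
    throw "Scope $($Scope.Network) was created but is not active"
}
# Show what clients will actually receive and what is held back from the pool.
& netsh dhcp server scope $Scope.Network show excluderange
& netsh dhcp server scope $Scope.Network show optionvalue
```

To create a scope without activating it (the wizard's "No, I will activate this scope later"), leave out the set state line; running it later is the command-line equivalent of the Activate a DHCP Scope procedure.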


Deploying NPS-01 (optional)

Before deploying this network component, you must do the following:

Perform the steps in the section Configuring All Servers.

Perform the steps in the section Joining Computers to the Domain and Logging On.

To deploy NPS-01, which is the computer running the Network Policy Server (NPS) role service of the Network Policy and Access Services server role, you must complete these steps:

Install Network Policy Server (NPS)

Register the NPS Server in the Default Domain

Install Network Policy Server (NPS)

You can use this procedure to install Network Policy Server (NPS) by using the Add Roles Wizard. NPS is a role service of the Network Policy and Access Services server role.

Note

By default, NPS listens for RADIUS traffic on UDP ports 1812, 1813, 1645, and 1646 on all installed network adapters. If Windows Firewall with Advanced Security is enabled when you install NPS, inbound firewall exceptions for these ports are created automatically during the installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. These exceptions accept RADIUS traffic from any source address. Once you know which network access servers will send RADIUS traffic, restrict the rules to those addresses, and remove the exceptions for the legacy ports (1645 and 1646) if your access servers use only 1812 and 1813. If your network access servers are configured to send RADIUS traffic over ports other than these defaults, remove the exceptions created in Windows Firewall with Advanced Security during NPS installation, and create exceptions for the ports that you do use for RADIUS traffic.

Administrative Credentials

To complete this procedure, you must be a member of the Domain Admins group.

To install NPS

1. Do one of the following:

In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add Roles Wizard opens.

Click Start, click Administrative Tools, and then click Server Manager. In the left pane of Server Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.

2. In Before You Begin, click Next.

Note

The Before You Begin page of the Add Roles Wizard is not displayed if you have previously selected Do not show this page again when the Add Roles Wizard was run.

3. In Select Server Roles, in Roles, select Network Policy and Access Services, and then click Next.

4. In Network Policy and Access Services, review the information, and then click Next.

5. In Select Role Services, in Role services, select Network Policy Server, and then click Next.

6. In Confirm Installation Selections, click Install.

7. In Installation Results, review your installation results, and then click Close.

Register the NPS Server in the Default Domain

You can use this procedure to register an NPS server in the domain where the server is a domain member.

NPS servers must be registered in Active Directory so that they have permission to read the dial-in properties of user accounts during the authorization process. Registering an NPS server adds the server to the RAS and IAS Servers group in Active Directory.

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group.

To register an NPS server in its default domain

1. Click Start, click Administrative Tools, and then click Network Policy Server.

2. Right-click NPS (Local), and then click Register Server in Active Directory. The Network Policy Server dialog box opens.

3. In Network Policy Server, click OK, and then click OK again.
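Both NPS procedures from an elevated PowerShell session on NPS-01, followed by the two checks the GUI does not show you, as an added example that is not code from the original guide: whether the computer account really landed in RAS and IAS Servers, and which inbound firewall rules the installation opened for RADIUS. The ServerManager module and Add-WindowsFeature are the 2008 R2 equivalents of the Add Roles Wizard, and netsh nps add registeredserver is the equivalent of Register Server in Active Directory. Assumed values: domain example.com (DC=example,DC=com), computer name NPS-01, and, for the optional tightening step at the end, the addresses of your network access servers, which the guide does not specify.

```powershell
# Added example, not code from the original guide. Assumed values: domain
# example.com, server NPS-01, and the NAS addresses used in the last step.
Import-Module ServerManager
if (-not (Get-WindowsFeature NPAS-Policy-Server).Installed) {
    Add-WindowsFeature NPAS-Policy-Server | Out-Null   # same as the Add Roles Wizard
}

# Same as right-click NPS (Local) > Register Server in Active Directory. Without
# arguments it registers the local server in its own domain.
& netsh nps add registeredserver | Out-Null

function Test-RasIasServersMember {
    # The group is created in CN=Users; if it was moved, search for it instead.
    param([string]$ComputerName, [string]$DomainDn)
    $group   = [ADSI]("LDAP://CN=RAS and IAS Servers,CN=Users,$DomainDn")
    $pattern = '^CN=' + [regex]::Escape($ComputerName) + ','
    $members = @($group.member) | Where-Object { $_ -match $pattern }
    return [bool]$members
}

function Get-RadiusFirewallRules {
    # Parses 'netsh advfirewall firewall show rule name=all dir=in' into one hashtable
    # per rule and keeps the inbound UDP rules on the RADIUS ports from the Note above.
    param([int[]]$Ports = @(1812, 1813, 1645, 1646))
    $rules = @(); $current = $null
    foreach ($line in (& netsh advfirewall firewall show rule name=all dir=in 2>&1)) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current) { $rules += $current }
            $current = @{ Name = $matches[1].Trim() }
        } elseif ($current -and $line -match '^(\w+):\s+(.+)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    $rules | Where-Object {
        $r = $_
        $r['Protocol'] -eq 'UDP' -and
        @($r['LocalPort'] -split ',' | Where-Object { $_ -match '^\d+$' -and ($Ports -contains [int]$_) }).Count -gt 0
    }
}

if (-not (Test-RasIasServersMember -ComputerName 'NPS-01' -DomainDn 'DC=example,DC=com')) {
    throw 'NPS-01 is not in RAS and IAS Servers; NPS cannot read dial-in properties'
}

# Every rule listed here accepts RADIUS from RemoteIP=Any on every adapter.
$radiusRules = @(Get-RadiusFirewallRules)
$radiusRules | ForEach-Object {
    '{0,-50} port={1,-6} remote={2,-10} profiles={3}' -f $_['Name'], $_['LocalPort'], $_['RemoteIP'], $_['Profiles']
}

# Optional: once the network access servers are known, limit each RADIUS rule to
# their addresses. The addresses below are placeholders; set them before running.
$NasAddresses = ''   # e.g. '192.168.0.20,192.168.0.21'
if ($NasAddresses) {
    foreach ($rule in $radiusRules) {
        & netsh advfirewall firewall set rule name="$($rule['Name'])" dir=in new remoteip=$NasAddresses | Out-Null
    }
}
```

If the membership check fails right after registration, the computer's Kerberos ticket may simply predate the group change; the AD object is updated immediately, so the ADSI query is the reliable test, not whoami /groups on NPS-01.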

Additional Technical Resources

For more information about the technologies in this guide, see the following resources:

Active Directory Domain Services in the Windows Server® 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=96418

Domain Name System (DNS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=110949

Dynamic Host Configuration Protocol (DHCP) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=96419

Network Policy Server (NPS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=104545

TCP/IP in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=103329

Windows Internet Name Service (WINS) in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?LinkId=103331

Appendix A

You can use this Network Planning Preparation Sheet to gather the information required to install a core network. This topic provides tables that contain the individual configuration items for each server computer for which you must supply information or specific values during the installation or configuration process. Example values are provided for each configuration item.

For planning and tracking purposes, spaces are provided in each table for you to enter the values used for your deployment. If you log security-related values in these tables, you should store the information in a secure location.

Core Network Planning Preparation Sheet

The following links lead to the sections in this topic that provide configuration items and example values that are associated with the deployment procedures presented in this guide.

Installing Active Directory Domain Services and DNS

Configuring a DNS Reverse Lookup Zone

Installing Windows Internet Name Service (optional)

Installing DHCP

Creating an exclusion range in DHCP

Creating a new DHCP scope

Installing Network Policy Server (optional)

Installing Active Directory Domain Services and DNS

The tables in this section list configuration items for pre-installation and installation of Active Directory Domain Services (AD DS) and DNS.

Pre-installation configuration items for AD DS and DNS

The following three tables list pre-installation configuration items as described in Configuring All Servers:

Create an Administrator Password


Configuration items: Example values: Values:

Administrator password J*p2leO4$F  

Configure a Static IP Address

Configuration items: Example values: Values:

IP address 192.168.0.1  

Subnet mask 255.255.255.0  

Default gateway 192.168.0.10  

Preferred DNS server 192.168.0.1  

Alternate DNS server 192.168.0.6  

Rename the Computer

Configuration item: Example value: Value:

Computer name AD-DNS-01  

AD DS and DNS installation configuration items

Configuration items for the Windows Server Core Network deployment procedure Install AD DS

and DNS for a New Forest:

Configuration items: Example values: Values:

Full DNS name example.com  

Forest functional level Windows Server 2003  

Active Directory Domain Services database folder location E:\Configuration\ (or accept the default location)

Active Directory Domain Services log files folder location E:\Configuration\ (or accept the default location)

Active Directory Domain Services SYSVOL folder location E:\Configuration\ (or accept the default location)

Directory Services Restore Mode Administrator password J*p2leO4$F

Answer file name (optional) AD DS_AnswerFile

The example value shown for the Directory Services Restore Mode Administrator password is the same as the Administrator password only for brevity. Use a different password for Directory Services Restore Mode, because it grants local administrative access to the domain controller when the server is started in that mode, and record it separately from the domain Administrator password.

Configuring a DNS Reverse Lookup Zone

Configuration items: Example values: Values:

Zone type Primary zone / Secondary zone / Stub zone

Store the zone in Active Directory Selected / Not selected

Active Directory zone replication scope To all DNS servers in this forest / To all DNS servers in this domain / To all domain controllers in this domain / To all domain controllers specified in the scope of this directory partition

Reverse lookup zone name (IP type) IPv4 Reverse Lookup Zone / IPv6 Reverse Lookup Zone

Reverse lookup zone name (network ID) 192.168.0

Installing Windows Internet Name Service (optional)

The tables in this section list configuration items for pre-installation and installation of Windows Internet Name Service (WINS).

Pre-installation configuration items

The following three tables list pre-installation configuration items as described in Configuring All Servers:

Create an Administrator Password


Configuration items: Example values: Values:

Administrator password J*p2leO4$F  

Configure a Static IP Address

Configuration items: Example values: Values:

IP address 192.168.0.2  

Subnet mask 255.255.255.0  

Default gateway 192.168.0.10  

Preferred DNS server 192.168.0.1  

Alternate DNS server 192.168.0.6  

Rename the Computer

Configuration item: Example value: Value:

Computer name WINS-01  

WINS installation configuration items

Configuration items for the Windows Server Core Network deployment procedure Install Windows Internet Name Service (WINS):

No additional configuration items are required to install WINS.

Installing DHCP

The tables in this section list configuration items for pre-installation and installation of DHCP.

Pre-installation configuration items for DHCP

The following three tables list pre-installation configuration items as described in Configuring All Servers:

Create an Administrator Password

Configuration items: Example values: Values:

Administrator password J*p2leO4$F  

Configure a Static IP Address


Configuration items: Example values: Values:

IP address 192.168.0.3  

Subnet mask 255.255.255.0  

Default gateway 192.168.0.10  

Preferred DNS server 192.168.0.1

Alternate DNS server 192.168.0.6  

Rename the Computer

Configuration item: Example value: Value:

Computer name DHCP-01  

DHCP installation configuration items

Configuration items for the Windows Server Core Network deployment procedure Install Dynamic Host Configuration Protocol (DHCP):

Configuration items: Example values: Values:

Network connection bindings Local Area Connection

DNS server settings AD-DNS-01

Preferred DNS server IP address 192.168.0.1

Alternate DNS server IP address 192.168.0.6

WINS server settings 192.168.0.2

Alternate WINS server IP address 192.168.0.12

Scope name Primary Subnet

Starting IP address 192.168.0.1

Ending IP address 192.168.0.254

Subnet mask 255.255.255.0

Default gateway (optional) 192.168.0.10

Subnet type Wired (lease duration will be 6 days)

IPv6 DHCP server operation mode Not enabled

Creating an exclusion range in DHCP

Configuration items for the Windows Server Core Network deployment procedure Create an Exclusion Range in DHCP:

Configuration items: Example values: Values:

Scope name Primary Subnet

Scope description Parent Domain Scope

Exclusion range start IP address 192.168.0.1

Exclusion range end IP address 192.168.0.15

Creating a new DHCP scope

Configuration items for the Windows Server Core Network deployment procedure Create a New DHCP Scope:

Configuration items: Example values: Values:

New scope name Subnet-02

Scope description Scope for Subnet-02

IP address range, start IP address 10.10.10.1

IP address range, end IP address 10.10.10.254

Length 8

Subnet mask 255.0.0.0

Length and subnet mask are the class-based defaults the wizard proposes for a 10.x.x.x start address; for a /24 subnet, enter 24 and 255.255.255.0 instead.

Exclusion range, start IP address 10.10.10.1

Exclusion range, end IP address 10.10.10.15

Lease duration (days, hours, minutes) 8 days, 0 hours, 0 minutes

Router (default gateway) IP address 10.10.10.10

DNS parent domain example.com

DNS server IP address 192.168.0.1

WINS server IP address 192.168.0.2

Installing Network Policy Server (optional)

The tables in this section list configuration items for pre-installation and installation of NPS.

Pre-installation configuration items

The following three tables list pre-installation configuration items as described in Configuring All Servers:

Create an Administrator Password

Configuration items: Example values: Values:

Administrator password J*p2leO4$F  

Configure a Static IP Address

Configuration items: Example values: Values:

IP address 192.168.0.4  

Subnet mask 255.255.255.0  

Default gateway 192.168.0.10  

Preferred DNS server 192.168.0.1  

Alternate DNS server 192.168.0.6  

Rename the Computer


Configuration item: Example value: Value:

Computer name NPS-01  

Network Policy Server installation configuration items

Configuration items for the Windows Server Core Network NPS deployment procedures Install Network Policy Server (NPS) and Register the NPS Server in the Default Domain:

No additional configuration items are required to install and register NPS.
