windows server 2008 r2 core network guide
TRANSCRIPT
Core Network Guide
Microsoft Corporation
Published: June, 2009
Authors: James McIllece and Brit Weston
Editor: Allyson Adley
AbstractThe Windows Server® 2008 R2 Core Network Guide provides instructions for planning and
deploying the core components required for a fully functioning network and a new Active
Directory® domain in a new forest. Using this guide, you can deploy computers configured with
the following Windows server components:
The Active Directory Domain Services (AD DS) server role
The Domain Name System (DNS) server role
The Dynamic Host Configuration Protocol (DHCP) server role
The Network Policy Server (NPS) role service of the Network Policy and Access Services
server role
The Windows Internet Name Service (WINS) feature
TCP/IP connections on individual servers
This guide also serves as a foundation for companion guides that show you how to deploy
additional technologies using Windows Server 2008 R2.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Your right to copy this documentation is limited by copyright law and the terms of the software
license agreement. As the software licensee, you may make a reasonable number of copies or
printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative
works for commercial distribution is prohibited and constitutes a punishable violation of the law.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Windows Server 2008 R2 Core Network Guide..............................................................................7
About this guide........................................................................................................................... 8
Network hardware requirements..............................................................................................8
What this guide does not provide................................................................................................8
Technology Overviews.................................................................................................................9
Active Directory Domain Services............................................................................................9
DNS......................................................................................................................................... 9
DHCP....................................................................................................................................... 9
WINS (optional)........................................................................................................................ 9
NPS (optional)........................................................................................................................ 10
TCP/IP................................................................................................................................... 10
Core Network Overview................................................................................................................11
Core Network Components.......................................................................................................12
Router................................................................................................................................. 13
Static TCP/IP configurations...............................................................................................13
Global catalog and DNS server..........................................................................................13
WINS server (optional).......................................................................................................13
DHCP server....................................................................................................................... 13
NPS server (optional).........................................................................................................13
Client computers................................................................................................................. 14
Core Network Planning................................................................................................................. 14
Planning subnets....................................................................................................................... 14
Planning basic configuration of all servers................................................................................15
Planning the Administrator account password........................................................................15
Planning naming conventions for computers and devices.....................................................15
Planning static IP addresses..................................................................................................16
Planning the deployment of AD-DNS-01...................................................................................16
Planning the name of the forest root domain..........................................................................16
Planning the forest functional level.........................................................................................17
Planning DNS zones..............................................................................................................19
Planning domain access............................................................................................................20
Planning the deployment of WINS-01........................................................................................20
Planning the deployment of DHCP-01.......................................................................................21
Planning DHCP servers and DHCP forwarding......................................................................21
Planning IP address ranges...................................................................................................21
Planning subnet masks..........................................................................................................22
Planning exclusion ranges.....................................................................................................22
Planning TCP/IP static configuration......................................................................................23
Planning the deployment of NPS-01..........................................................................................24
Core Network Deployment............................................................................................................25
Configuring All Servers................................................................................................................. 25
Create an Administrator Password...............................................................................................25
Rename the Computer..................................................................................................................26
Procedures for renaming computers.........................................................................................26
Windows Server 2008 R2 and Windows 7......................................................................26
Windows Server 2008 and Windows Vista......................................................................26
Windows Server 2003 and Windows XP.........................................................................27
Configure a Static IP Address.......................................................................................................27
Procedures for configuring static IP addresses.........................................................................28
Windows Server 2008 R2................................................................................................28
Windows Server 2008.....................................................................................................28
Windows Server 2003.....................................................................................................29
Deploying AD-DNS-01.................................................................................................................. 30
Administrative privileges............................................................................................................30
Domain user accounts vs. user accounts on the local computer............................................30
Install AD DS and DNS for a New Forest......................................................................................31
Create a User Account in Active Directory Users and Computers................................................32
Add a Group................................................................................................................................. 33
Assign Group Membership...........................................................................................................34
Configure a DNS Reverse Lookup Zone.......................................................................................35
Joining Computers to the Domain and Logging On......................................................................36
Join the Computer to the Domain.................................................................................................36
Procedures for joining computers to the domain.......................................................................36
Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)...37
Windows Server 2008 and Windows Vista......................................................................37
Windows Server 2003 and Windows XP.........................................................................38
Log on to the Domain.................................................................................................................... 39
Procedures to log on to the domain...........................................................................................39
Windows Server 2008 R2 and Windows 7......................................................................39
Windows Server 2008 and Windows Vista......................................................................39
Windows Server 2003 and Windows XP.........................................................................40
Deploying WINS-01 (optional)......................................................................................................40
Install Windows Internet Name Service (WINS)............................................................................41
Deploying DHCP-01.....................................................................................................................41
DHCP installation suggestions..................................................................................................41
Deploying DHCP....................................................................................................................... 42
Install Dynamic Host Configuration Protocol (DHCP)...................................................................42
Create an Exclusion Range in DHCP...........................................................................................44
Authorize a DHCP Server in Active Directory Domain Services...................................................45
Activate a DHCP Scope................................................................................................................45
Create a New DHCP Scope..........................................................................................................46
Deploying NPS-01 (optional)........................................................................................................47
Install Network Policy Server (NPS).............................................................................................48
Register the NPS Server in the Default Domain...........................................................................49
Additional Technical Resources....................................................................................................49
Appendix A.................................................................................................................................... 50
Core Network Planning Preparation Sheet................................................................................50
Installing Active Directory Domain Services and DNS............................................................50
Pre-installation configuration items for AD DS and DNS.................................................50
AD DS and DNS installation configuration items.............................................................51
Configuring a DNS Reverse Lookup Zone..........................................................................51
Installing Windows Internet Name Service (optional).............................................................52
Pre-installation configuration items..................................................................................52
WINS installation configuration items..............................................................................53
Installing DHCP...................................................................................................................... 53
Pre-installation configuration items for DHCP.................................................................53
DHCP installation configuration items.............................................................................54
Creating an exclusion range in DHCP................................................................................55
Creating a new DHCP scope..............................................................................................55
Installing Network Policy Server (optional).............................................................................56
Pre-installation configuration items..................................................................................56
Network Policy Server installation configuration items....................................................57
Windows Server 2008 R2 Core Network Guide
A core network is a collection of network hardware, devices, and software that provides the
fundamental services for your organization's information technology (IT) needs.
A Windows Server core network provides you with many benefits, including the following.
Core protocols for network connectivity between computers and other Transmission Control
Protocol/Internet Protocol (TCP/IP) compatible devices. TCP/IP is a suite of standard
protocols for connecting computers and building networks. TCP/IP is network protocol
software provided with Microsoft® Windows® operating systems that implements and
supports the TCP/IP protocol suite.
Automatic IP addressing with Dynamic Host Configuration Protocol (DHCP). Manual
configuration of IP addresses on all computers on your network is time-consuming and less
flexible than dynamically providing computers and other devices with IP address leases from
a DHCP server.
Name resolution services, such as Domain Name System (DNS) and Windows Internet
Name Service (WINS). DNS and WINS allow users, computers, applications, and services to
find the IP addresses of computers and devices on the network using the network basic
input/output system (NetBIOS) name or Fully Qualified Domain Name of the computer or
device.
A forest, which is one or more Active Directory domains that share the same class and
attribute definitions (schema), site and replication information (configuration), and forest-wide
search capabilities (global catalog).
A forest root domain, which is the first domain created in a new forest. The Enterprise Admins
and Schema Admins groups, which are forest-wide administrative groups, are located in the
forest root domain. In addition, a forest root domain, as with other domains, is a collection of
computer, user, and group objects that are defined by the administrator in Active Directory
Domain Services (AD DS). These objects share a common directory database and security
policies. They can also share security relationships with other domains if you add domains as
your organization grows. The directory service also stores directory data and allows
authorized computers, applications, and users to access the data.
A user and computer account database. The directory service provides a centralized user
accounts database that allows you to create user and computer accounts for people and
computers that are authorized to connect to your network and access network resources,
such as applications, databases, shared files and folders, and printers.
A core network also allows you to scale your network as your organization grows and IT
requirements change. For example, with a core network you can add domains, IP subnets,
remote access services, wireless services, and other features and server roles provided by
Windows Server® 2008 R2.
7
About this guideThis guide is designed for network and system administrators who are installing a new network or
who want to create a domain-based network to replace a network that consists of workgroups.
The deployment scenario provided in this guide is particularly useful if you foresee the need to
add more services and features to your network in the future.
It is recommended that you review design and deployment guides for each of the technologies
used in this deployment scenario to assist you in determining whether this guide provides the
services and configuration that you need.
Network hardware requirementsTo successfully deploy a core network, you must deploy network hardware, including the
following:
Ethernet, Fast Ethernet, or Gigabyte Ethernet cabling
A hub, Layer 2 or 3 switch, router, or other device that performs the function of relaying
network traffic between computers and devices.
Computers that meet the minimum hardware requirements for their respective client and
server operating systems.
Note
This guide depicts the use of four server computers. In some cases, such as on small
networks, you can use fewer servers. For example, you can install DHCP and WINS on
the same server rather than on separate servers.
What this guide does not provideThis guide does not provide instructions for deploying the following:
Network hardware, such as cabling, routers, switches, and hubs
Additional network resources, such as printers and file servers
Internet connectivity
Remote access
Wireless access
Client computer deployment
Note
Client computers running Windows® 7, Windows Vista® and Windows XP are configured
by default to receive IP address leases from the DHCP server. Therefore, no additional
DHCP or Internet Protocol version 4 (IPv4) configuration of client computers is required.
8
Technology OverviewsThe following sections provide brief overviews of the required and optional technologies used to
create a core network.
Active Directory Domain ServicesA directory is a hierarchical structure that stores information about objects on the network. A
directory service, such as AD DS, provides the methods for storing directory data and making this
data available to network users and administrators. For example, AD DS stores information about
user accounts, such as names, passwords, phone numbers, and so on, and enables other
authorized users on the same network to access this information.
DNSDNS is a name resolution protocol for TCP/IP networks, such as the Internet or an organization
network. A DNS server hosts the information that enables client computers to resolve easily
recognized, alphanumeric DNS names to the IP addresses that computers use to communicate
with each other.
DHCPDHCP is an IP standard for simplifying management of host IP configuration. The DHCP standard
provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses
and other related configuration details for DHCP-enabled clients on your network.
Every computer on a TCP/IP network must have a unique IP address. The IP address (together
with its related subnet mask) identifies both the host computer and the subnet to which it is
attached. When you move a computer to a different subnet, the IP address must be changed.
DHCP allows you use a DHCP server to dynamically assign an IP address to a computer or other
device on your local network.
For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work
involved in reconfiguring computers.
WINS (optional)While DNS is a required component of a core network, WINS is optional because, like DNS, it is a
naming service. In some cases, you might not need both DNS and WINS, but older operating
systems and applications might require WINS. For medium to small networks, WINS is extremely
easy to install and manage, and it is not resource-intensive. If you are in doubt about whether you
need WINS, you can test your network functionality without it and install it if needed.
WINS provides a distributed database for registering and querying dynamic mappings of NetBIOS
names for computers and groups used on your network. WINS maps NetBIOS names to IP
addresses and was designed to solve the problems arising from NetBIOS name resolution in
9
routed environments. WINS is the best choice for NetBIOS name resolution in routed networks
that use NetBIOS over TCP/IP.
NetBIOS names are used by earlier versions of Windows operating systems to identify and locate
computers and other shared or grouped resources required to register or resolve names for use
on the network.
NetBIOS names are a requirement for establishing networking services in earlier versions of
Windows operating systems. Although the NetBIOS naming protocol can be used with network
protocols other than TCP/IP (such as NetBEUI or IPX/SPX), WINS was designed specifically to
support NetBIOS over TCP/IP (NetBT).
WINS simplifies the management of the NetBIOS namespace in TCP/IP-based networks.
NPS (optional)Network Policy Server (NPS) allows you to centrally configure and manage network policies with
the following three features: Remote Authentication Dial-In User Service (RADIUS) server,
RADIUS proxy, and Network Access Protection (NAP) policy server.
NPS is an optional component of a core network, but you should install NPS if any of the
following are true:
You are planning to expand your network to include remote access servers that are
compatible with the RADIUS protocol, such as a computer running Windows Server 2008 R2
or Windows Server 2008 and Routing and Remote Access service, Terminal Services
Gateway, or Remote Desktop Gateway.
You plan to deploy NAP.
You plan to deploy 802.1X wired or wireless access.
TCP/IPTCP/IP in Windows Server 2008 is the following:
Networking software based on industry-standard networking protocols.
A routable, enterprise networking protocol that supports the connection of your Windows-
based computer to both local area network (LAN) and wide area network (WAN)
environments.
Core technologies and utilities for connecting your Windows-based computer with dissimilar
systems for the purpose of sharing information.
A foundation for gaining access to global Internet services, such as the World Wide Web and
File Transfer Protocol (FTP) servers.
A robust, scalable, cross-platform, client/server framework.
TCP/IP provides basic TCP/IP utilities that enable Windows-based computers to connect and
share information with other Microsoft and non-Microsoft systems, including:
Windows Server 2008 R2
Windows 7
10
Windows Server 2008
Windows Vista
Windows Server 2003 operating systems
Windows XP
Internet hosts
Apple Macintosh systems
IBM mainframes
UNIX systems
Open VMS systems
Network-ready printers, such as HP LaserJet series printers that use HP JetDirect cards
Core Network Overview
The following illustration shows the Windows Server Core Network topology.
11
Core Network ComponentsFollowing are the components of a core network.
12
Router
This deployment guide provides instructions for deploying a core network with two subnets
separated by a router that has DHCP forwarding enabled. You can, however, deploy a Layer 2
switch, a Layer 3 switch, or a hub, depending on your requirements and resources. If you deploy
a switch, the switch must be capable of DHCP forwarding or you must place a DHCP server on
each subnet. If you deploy a hub, you are deploying a single subnet and do not need DHCP
forwarding or a second scope on your DHCP server.
Static TCP/IP configurations
All of the servers in this deployment are configured with static IPv4 addresses. Client computers
are configured by default to receive IP address leases from the DHCP server.
Global catalog and DNS server
Both Active Directory Domain Services (AD DS) and Domain Name System (DNS) are installed
on this server, providing directory and name resolution services to all computers and devices on
the network.
WINS server (optional)
Installing Windows Internet Name Service (WINS) on your core network is optional. It is often
difficult to determine whether applications and services require WINS for name resolution. In
some cases, you might need WINS; in other cases, DNS might be the only name resolution
service that you need on your network. Because WINS is low maintenance and is not processor-
use intensive for medium and small networks, you can install WINS on the DHCP server in the
event that applications or services need the service.
DHCP server
The Dynamic Host Configuration Protocol (DHCP) server is configured with a scope that provides
Internet Protocol (IP) address leases to computers on the local subnet. The DHCP server can
also be configured with additional scopes to provide IP address leases to computers on other
subnets if DHCP forwarding is configured on routers.
NPS server (optional)
The Network Policy Server (NPS) server is installed as a preparatory step for deploying other
network access technologies, such as virtual private network (VPN) servers, wireless access
points, and 802.1X authenticating switches. In addition, installing NPS prepares your network for
the deployment of Network Access Protection (NAP).
13
Client computers
Client computers running Windows® 7, Windows Vista®, and Windows XP are configured by
default as DHCP clients, which obtain IP addresses and DHCP options automatically from the
DHCP server.
Core Network Planning
Before you deploy a core network, you must plan the following items.
Planning subnets
Planning basic configuration of all servers
Planning the deployment of AD-DNS-01
Planning domain access
Planning the deployment of WINS-01
Planning the deployment of DHCP-01
Planning the deployment of NPS-01
The following sections provide more detail on each of these items.
Planning subnetsIn Transmission Control Protocol/Internet Protocol (TCP/IP) networking, routers are used to
interconnect the hardware and software used on different physical network segments called
subnets. Routers are also used to forward IP packets between each of the subnets. Determine
the physical layout of your network, including the number of routers and subnets you need, before
proceeding with the instructions in this guide.
In addition, to configure the servers on your network with static IP addresses, you must determine
the IP address range that you want to use for the subnet where your core network servers are
located. In this guide, the private IP address range 192.168.0.1 - 192.168.0.254 is used as an
example, but you can use any private IP address range.
The following recognized private IP address ranges are specified by Internet Request for
Comments (RFC) 1918:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
When you use the private IP address ranges as specified in RFC 1918, you cannot connect
directly to the Internet using a private IP address because requests going to or from these
addresses are automatically discarded by Internet service provider (ISP) routers. To add Internet
connectivity to your core network later, you must contract with an ISP to obtain a public IP
address.
14
Important
When using private IP addresses, you must use some type of proxy or network address
translation (NAT) server to convert the private IP address ranges on your local network to
a public IP address that can be routed.
For more information, see Planning the deployment of DHCP-01.
Planning basic configuration of all serversFor each server in the core network, you must change the password for the Administrator account
on the local computer, rename the computer, and assign and configure a static IP address for the
local computer.
Planning the Administrator account passwordFor security reasons, it is important to create a password for the Administrator account and to use
a strong password. In addition, it is recommended that you use a different Administrator account
password for each server on your network.
The following is an example of a strong password.
Configuration item: Example value:
Administrator password Example: J*p2leO4$F
Note
Strong passwords contain a minimum
of 7 characters that consist of each of
the following: uppercase letters (A, B,
C, lowercase letters (d, e, f), numerals
(0, 1, 2, 3), and keyboard symbols (' ~ !
@ # $ % | /).
Planning naming conventions for computers and devicesFor consistency across your network, it is generally a good idea to use consistent names for
servers, printers, and other devices. Computer names can be used to help users and
administrators easily identify the purpose and location of the server, printer, or other device. For
example, if you have three DNS servers, one in San Francisco, one in Los Angeles, and one in
Chicago, you might use the naming convention server function-location-number:
DNS-SF-01. This name represents the DNS server in San Francisco. If additional DNS
servers are added in San Francisco, the numeric value in the name can be incremented, as
in DNS-SF-02 and DNS-SF-03.
DNS-LA-01. This name represents the DNS server in Los Angeles.
15
DNS-CH-01. This name represents the DNS server in Chicago.
Choose a naming convention before you install your core network using this guide.
Planning static IP addressesBefore configuring each computer with a static IP address, you must plan your subnets and IP
address ranges. In addition, you must determine the IP addresses of your DNS and WINS
servers. If you plan to install a router that provides access to other networks, such as additional
subnets or the Internet, you must know the IP address of the router, also called a default gateway,
for static IP address configuration.
The following table provides example values for static IP address configuration.
Configuration items: Example values:
IP address 192.168.0.3
Subnet mask 255.255.255.0
Default gateway 192.168.0.10
Preferred DNS server 192.168.0.1
Alternate DNS server 192.168.0.7
Preferred WINS server 192.168.0.2
Alternate WINS server 192.168.0.8
For more information, see Planning the deployment of DHCP-01.
Planning the deployment of AD-DNS-01Following are key planning steps before installing Active Directory Domain Services (AD DS) and
DNS on AD-DNS-01.
Planning the name of the forest root domainA first step in the AD DS design process is to determine how many forests your organization
requires. A forest is the top-level AD DS container, and consists of one or more domains that
share a common schema and global catalog. An organization can have multiple forests, but for
most organizations, a single forest design is the preferred model and the simplest to administer.
When you create the first domain controller in your organization, you are creating the first domain
(also called the forest root domain) and the first forest. Before you take this action using this
guide, however, you must determine the best domain name for your organization. In most cases,
the organization name is used as the domain name, and in many cases this domain name is
registered. If you are planning to deploy Web servers for your customers or partners, choose a
domain name and ensure that the domain name is not already in use.
16
Planning the forest functional levelWhile installing AD DS, you must choose the forest functional level that you want to use. Domain
and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to
enable domain- or forest-wide Active Directory features within your network environment.
Different levels of domain functionality and forest functionality are available, depending on your
environment.
Forest functionality enables features across all the domains in your forest. The following forest
functional levels are available:
Windows 2000. This forest functional level supports Windows NT 4.0, Windows 2000, and
Windows Server 2003 domain controllers.
Windows Server 2003. This forest functional level supports only Windows Server 2003
domain controllers and domain controllers that are running later versions of the Windows
Server operating system.
Windows Server 2008. This forest functional level supports only domain controllers that are
running Windows Server 2008 and later versions of the Windows Server operating system.
Windows Server 2008 R2. This forest functional level supports Windows Server 2008 R2
domain controllers and domain controllers that are running later versions of the Windows
Server operating system.
If you are deploying a new domain in a new forest and all of your domain controllers will be
running Windows Server 2008 R2, it is recommended that you configure AD DS with the
Windows Server 2008 R2 forest functional level during AD DS installation.
Important
After the forest functional level has been raised, domain controllers running earlier
operating systems cannot be introduced into the forest. For example, if you raise the
forest functional level to Windows Server 2008 R2, domain controllers running
Windows Server 2003 or Windows Server 2008 cannot be added to the forest.
Example configuration items for AD DS are provided in the following table.
Configuration items: Example values:
Full DNS name Examples:
example.com
corp.example.com
Forest functional level:
Windows 2000
The Windows 2000 forest functional level
provides all AD DS features that are available in
Windows 2000 Server. If you have domain
controllers running later versions of the
Windows Server operating system, some
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
17
Configuration items: Example values:
advanced features will not be available on
those domain controllers while this forest is at
the Windows 2000 functional level.
Windows Server 2003
The Windows Server 2003 forest functional
level provides all features that are available in
Windows 2000 forest functional level, and the
following additional features:
Linked-value replication, which improves
the replication of changes to group
memberships.
More efficient generation of complex
replication topologies by the Knowledge
Consistency Checker (KCC).
Forest trust, which allows organizations to
easily share internal resources across
multiple forests. Any new domains that are
created in this forest will automatically
operate at the Windows Server 2003
domain functional level.
Windows Server 2008
This forest functional level does not provide any
new features over the Windows Server 2003
forest functional level. However, it ensures that
any new domains created in this forest will
automatically operate at the Windows
Server 2008 domain functional level, which
does provide unique features.
Windows Server 2008 R2
The Windows Server 2008 R2 forest functional
level provides all features that are available in
the Windows Server 2008 forest functional
level, and the following additional feature:
Recycle Bin. When enabled, Recycle Bin
provides the ability to restore deleted
objects in their entirety while Active
Directory Domain Services is running.
Any new domains that are created in this forest
will operate by default at the Windows
18
Configuration items: Example values:
Server 2008 R2 domain functional level.
Active Directory Domain Services Database
folder location
E:\Configuration\
Or accept the default location.
Active Directory Domain Services Log files
folder location
E:\Configuration\
Or accept the default location.
Active Directory Domain Services SYSVOL
folder location
E:\Configuration\
Or accept the default location
Directory Restore Mode Administrator
Password
J*p2leO4$F
Answer file name (optional) AD DS_AnswerFile
Planning DNS zonesIn DNS, a forward lookup zone is created by default during installation. A forward lookup zone
allows computers and devices to query for another computer's or device's IP address based on
its DNS name. In addition to a forward lookup zone, it is recommended that you create a DNS
reverse lookup zone. With a DNS reverse lookup query, a computer or device can discover the
name of another computer or device using its IP address. Deploying a reverse lookup zone
typically improves DNS performance and greatly increases the success of DNS queries.
When you create a reverse lookup zone, the in-addr.arpa domain, which was defined in the DNS
standards and reserved in the Internet DNS namespace to provide a practical and reliable way to
perform reverse queries, is installed in DNS. To create the reverse namespace, subdomains
within the in-addr.arpa domain are formed, using the reverse ordering of the numbers in the
dotted-decimal notation of IP addresses.
The in-addr.arpa domain applies to all TCP/IP networks that are based on Internet Protocol
version 4 (IPv4) addressing. The New Zone Wizard automatically assumes that you are using this
domain when you create a new reverse lookup zone.
While you are running the New Zone Wizard, the following selections are recommended:
Configuration Items Example values
Zone type Primary zone, and Store the zone in Active
Directory is selected
Active Directory Zone Replication Scope To all DNS servers in this domain
First Reverse Lookup Zone Name wizard page IPv4 Reverse Lookup Zone
Second Reverse Lookup Zone Name wizard Network ID = 192.168.0.
19
Configuration Items Example values
page
Dynamic Updates Allow only secure dynamic updates
Planning domain accessTo log onto the domain, the computer must be a domain member computer and the user account
must be created in AD DS before the logon attempt.
Note
You cannot log on to the domain with a user account that is located in the Security
Accounts Manager (SAM) user accounts database on the local computer.
After the first successful logon with domain logon credentials, the logon settings persist unless
the computer is removed from the domain or the logon settings are manually changed.
Before you log on to the domain:
Create user accounts in Active Directory Users and Computers. Each user must have an
Active Directory Domain Services user account in Active Directory Users and Computers. For
more information, see Create a User Account in Active Directory Users and Computers.
Ensure IP address configuration. To join a computer to the domain, the computer must have
an IP address. In this guide, servers are configured with static IP addresses and client
computers receive IP address leases from the DHCP server. For this reason, the DHCP
server must be deployed before you join clients to the domain. For more information, see
Deploying DHCP-01.
Join the computer to the domain. Any computer that provides or accesses network resources
must be joined to the domain. For more information, see Join the Computer to the Domain.
Planning the deployment of WINS-01If you determine that you need to deploy WINS as well as DNS on your network, you must plan
how many WINS servers to deploy.
On smaller networks, a single WINS server can adequately service up to 10,000 clients for
NetBIOS name resolution requests. To provide additional fault tolerance, you can configure a
second computer running Windows Server® 2008 R2 or Windows Server® 2008 as a
secondary, or backup, WINS server for clients. If you use only two WINS servers, you can
easily configure them as replication partners. For simple replication between two servers, one
server should be set as a pull partner and the other as a push partner. Replication can be
either manual or automatic.
Large networks sometimes require more WINS servers for several reasons including, most
importantly, the number of client connections per server. The number of users that each
20
WINS server can support varies with usage patterns, data storage, and the processing
capabilities of the WINS server computer.
When planning your servers, remember that each WINS server can simultaneously handle
hundreds of registrations and queries per second.
Planning the deployment of DHCP-01Following are key planning steps before installing the DHCP server role on DHCP-01.
Planning DHCP servers and DHCP forwardingBecause DHCP messages are broadcast messages, they are not forwarded between subnets by
routers. If you have multiple subnets and want to provide DHCP service for each subnet, you
must do one of the following:
Install a DHCP server on each subnet
Configure routers to forward DHCP broadcast messages across subnets and configure
multiple scopes on the DHCP server, one scope per subnet.
In most cases, configuring routers to forward DHCP broadcast messages is more cost effective
than deploying a DHCP server on each physical segment of the network.
Planning IP address rangesEach subnet must have its own unique IP address range. These ranges are represented on a
DHCP server with scopes.
A scope is an administrative grouping of IP addresses for computers on a subnet that use the
DHCP service. The administrator first creates a scope for each physical subnet and then uses the
scope to define the parameters used by clients.
A scope has the following properties:
A range of IP addresses from which to include or exclude addresses used for DHCP service
lease offerings.
A subnet mask, which determines the subnet for a given IP address.
A scope name assigned when it is created.
Lease duration values, which are assigned to DHCP clients that receive dynamically
allocated IP addresses.
Any DHCP scope options configured for assignment to DHCP clients, such as DNS server IP
address, router/default gateway IP address, and WINS server IP address.
Reservations are optionally used to ensure that a DHCP client always receives the same IP
address.
Before deploying your servers, list your subnets and the IP address range you want to use for
each subnet.
21
Planning subnet masksNetwork IDs and host IDs within an IP address are distinguished by using a subnet mask. Each
subnet mask is a 32-bit number that uses consecutive bit groups of all ones (1) to identify the
network ID and all zeroes (0) to identify the host ID portions of an IP address.
For example, the subnet mask normally used with the IP address 131.107.16.200 is the following
32-bit binary number:
11111111 11111111 00000000 00000000
This subnet mask number is 16 one-bits followed by 16 zero-bits, indicating that the network ID
and host ID sections of this IP address are both 16 bits in length. Normally, this subnet mask is
displayed in dotted decimal notation as 255.255.0.0.
The following table displays subnet masks for the Internet address classes.
Address class Bits for subnet mask Subnet mask
Class A 11111111 00000000 00000000
00000000
255.0.0.0
Class B 11111111 11111111 00000000
00000000
255.255.0.0
Class C 11111111 11111111 11111111
00000000
255.255.255.0
When you create a scope in DHCP and you enter the IP address range for the scope, DHCP
provides these default subnet mask values. Typically, default subnet mask values (as shown in
the preceding table) are acceptable for most networks with no special requirements and where
each IP network segment corresponds to a single physical network.
In some cases, you can use customized subnet masks to implement IP subnetting. With IP
subnetting, you can subdivide the default host ID portion of an IP address to specify subnets,
which are subdivisions of the original class-based network ID.
By customizing the subnet mask length, you can reduce the number of bits that are used for the
actual host ID.
To prevent addressing and routing problems, you should make sure that all TCP/IP computers on
a network segment use the same subnet mask and that each computer or device has an unique
IP address.
Planning exclusion rangesYou can exclude IP addresses from distribution by the DHCP server by creating an exclusion
range for each scope. You should use exclusions for all devices that are configured with a static
IP address. The excluded addresses should include all IP addresses that you assigned manually
to other servers, non-DHCP clients, diskless workstations, or Routing and Remote Access and
PPP clients.
22
It is recommended that you configure your exclusion range with extra addresses to accommodate
future network growth. The following table provides an example exclusion range for a scope with
an IP address range of 192.168.0.1 - 192.168.0.254.
Configuration items: Example values:
Exclusion range Start IP Address 192.168.0.1
Exclusion range End IP Address 192.168.0.15
Planning TCP/IP static configurationCertain devices, such as routers, DHCP servers, and DNS servers, must be configured with a
static IP address. In addition, you might have additional devices, such as printers, that you want
to ensure always have the same IP address. List the devices that you want to configure statically
for each subnet, and then plan the exclusion range you want to use on the DHCP server to
ensure that the DHCP server does not lease the IP address of a statically configured device. An
exclusion range is a limited sequence of IP addresses within a scope, excluded from DHCP
service offerings. Exclusion ranges assure that any addresses in these ranges are not offered by
the server to DHCP clients on your network.
For example, if the IP address range for a subnet is 192.168.0.1 through 192.168.0.254 and you
have ten devices that you want to configure with a static IP address, you can create an exclusion
range for the 192.168.0.x scope that includes ten or more IP addresses: 192.168.0.1 through
192.168.0.15.
In this example, you use ten of the excluded IP addresses to configure servers and other devices
with static IP addresses and five additional IP addresses are left available for static configuration
of new devices that you might want to add in the future. With this exclusion range, the DHCP
server is left with an address pool of 192.168.0.16 through 192.168.0.254.
Additional example configuration items for AD DS and DNS are provided in the following table.
Configuration items: Example values:
Network Connect Bindings Local Area Connection 2
DNS Server Settings AD-DNS-01
Preferred DNS server IP address 192.168.0.1
Alternate DNS server IP Address 192.168.0.6
WINS Server Settings, specify the IP address
of your preferred WINS server, only if WINS is
deployed on the network.
192.168.0.2
Alternate WINS server IP Address 192.168.0.12
23
Configuration items: Example values:
Note
Specify the IP address of your alternate
WINS server only if an alternate WINS
server is deployed on the network.
Add Scope dialog box values:
Scope Name:
Starting IP Address
Ending IP Address:
Subnet Mask
Default Gateway (optional)
Subnet Type
Primary Subnet
192.168.0.1
192.168.0.254
255.255.255.0
192.168.0.11
Wired (Lease duration will be 6 days)
IPv6 DHCP Server Operation Mode Not enabled
Planning the deployment of NPS-01If you intend to deploy network access servers, such as wireless access points or VPN servers,
after deploying your core network, it is recommended that you deploy NPS.
When you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server, NPS
performs authentication and authorization for connection requests through your network access
servers. NPS also allows you to centrally configure and manage network policies that determine
who can access the network, how they can access the network, and when they can access the
network.
Following are key planning steps before installing NPS.
Plan the user accounts database. By default, if you join the server running NPS to an Active
Directory domain, NPS performs authentication and authorization using the AD DS user
accounts database. In some cases, such as with large networks that use NPS as a RADIUS
proxy to forward connection requests to other RADIUS servers, you might want to install NPS
on a non-domain member computer.
Plan the use of Network Access Protection (NAP). With some NAP enforcement methods, it
is required that you install NPS on a specific server. For example, if you deploy NAP with
DHCP, NPS must be installed on the DHCP server.
Plan RADIUS accounting. NPS allows you to log accounting data to a SQL Server database
or to a text file on the local computer. If you want to use SQL Server logging, plan the
installation and configuration of your server running SQL Server.
24
Core Network Deployment
To deploy a foundation network, the basic steps are as follows:
1. Configuring All Servers
2. Deploying AD-DNS-01
3. Joining Computers to the Domain and Logging On
4. Deploying WINS-01 (optional)
5. Deploying DHCP-01
6. Deploying NPS-01 (optional)
Note
The procedures in this guide do not include instructions for those cases in which the User
Account Control dialog box opens to request your permission to continue. If this dialog
box opens while you are performing the procedures in this guide, and if the dialog box
was opened in response to your actions, click Continue.
Configuring All Servers
Before installing other technologies, such as DHCP or WINS, it is important to configure the
following items.
Create an Administrator Password
Rename the Computer
Configure a Static IP Address
You can use the following sections to perform these actions for each server.
Create an Administrator Password
You can use this procedure to create an administrator password after you have installed Windows
Server® 2008 R2.
1. On the Windows start page, beneath the text The user’s password must be changed
before logging on the first time, click OK.
2. The Administrator credentials page opens. In New password, type a password. In
Confirm password, retype the password.
3. If you want to create a password reset disk, click Create a password reset disk and
follow the instructions.
25
4. In the Administrator credentials page, click the blue arrow.
5. A message that states Your password has been changed appears. Click OK.
Rename the Computer
You can use the procedures in this topic to provide computers running Windows
Server® 2008 R2, Windows® 7, Windows Server® 2008, Windows Vista®,
Windows Server 2003, and Windows XP with a different computer name.
Procedures for renaming computersThis topic provides procedures to rename computers running the following operating systems:
Windows Server 2008 R2 and Windows 7
Windows Server 2008 and Windows Vista
Windows Server 2003 and Windows XP
Windows Server 2008 R2 and Windows 7
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To rename computers running Windows Server 2008 R2 and Windows 7
1. Click Start, right-click Computer, and then click Properties. The System dialog box
opens.
2. In Computer name, domain, and workgroup settings, click Change settings. The
System Properties dialog box opens.
Note
On computers running Windows 7, before the System Properties dialog box
opens, the User Account Control dialog box opens, requesting permission to
continue. Click Continue to proceed.
3. Click Change. The Computer Name/Domain Changes dialog box opens.
4. In Computer Name, type the name for your computer. For example, if you want to name
the computer AD-DNS-01, type AD-DNS-01.
5. Click OK twice, click Close, and then click Restart Now to restart the computer.
26
Windows Server 2008 and Windows Vista
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To rename computers running Windows Server 2008 and Windows Vista
1. Click Start, right-click Computer, and then click Properties. The System dialog box
opens.
2. In Computer name, domain, and workgroup settings, click Change settings. The
System Properties dialog box opens.
Note
On computers running Windows Vista, before the System Properties dialog box
opens, the User Account Control dialog box opens, requesting permission to
continue. Click Continue to proceed.
3. Click Change. The Computer Name/Domain Changes dialog box opens.
4. In Computer Name, type the name for your computer. For example, if you want to name
the computer AD-DNS-01, type AD-DNS-01.
5. Click OK twice, click Close, and then click Restart Now to restart the computer.
Windows Server 2003 and Windows XP
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To rename computers running Windows Server 2003 and Windows XP
1. Click Start, right-click My Computer, and then click Properties. The System Properties
dialog box opens.
2. Click Computer Name, and then click Change. The Computer Name Changes dialog
box opens.
3. In Computer name, type the name for your computer. For example, if you want the
computer named Client-01, type Client-01.
4. Click OK. The System Setting Changes dialog box opens, indicating that you must
restart the computer before the changes take effect.
5. Click OK, click OK again to close the dialog box, and then click Yes to restart the
computer.
27
Configure a Static IP Address
You can use the procedures in this topic to configure the Internet Protocol version 4 (IPv4)
properties of a network connection with a static IP address for computers running
Windows Server® 2008, or for computers running Windows Server 2003.
Procedures for configuring static IP addressesThis topic provides procedures for configuring static IP addresses on computers running the
following operating systems:
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Windows Server 2008 R2
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To configure a static IP address on a computer running Windows Server 2008 R2
1. Click Start, and then click Control Panel.
2. In Control Panel, click Network and Internet. Network and Internet opens.
In Network and Internet, click Network and Sharing Center. Network and Sharing
Center opens.
3. In Network and Sharing Center, click Change adapter settings. Network
Connections opens.
4. In Network Connections, right-click the network connection that you want to configure,
and then click Properties.
5. In Local Area Connection Properties, in This connection uses the following items,
select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet
Protocol Version 4 (TCP/IPv4) Properties dialog box opens.
6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use
the following IP address. In IP address, type the IP address that you want to use.
7. Press tab to place the cursor in Subnet mask. A default value for subnet mask is entered
automatically. Either accept the default subnet mask, or type the subnet mask that you
want to use.
8. In Default gateway, type the IP address of your default gateway.
9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the
local computer as the preferred DNS server, type the IP address of the local computer.
10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you
plan to use the local computer as an alternate DNS server, type the IP address of the
28
local computer.
11. Click OK, and then click Close.
Windows Server 2008
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To configure a static IP address on a computer running Windows Server 2008
1. Click Start, and then click Control Panel.
2. In Control Panel, verify that Classic View is selected, and then double-click Network
and Sharing Center.
3. In Network and Sharing Center, in Tasks, click Manage Network Connections.
4. In Network Connections, right-click the network connection that you want to configure,
and then click Properties.
5. In Local Area Connection Properties, in This connection uses the following items,
select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet
Protocol Version 4 (TCP/IPv4) Properties dialog box opens.
6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use
the following IP address. In IP address, type the IP address that you want to use.
7. Press tab to place the cursor in Subnet mask. A default value for subnet mask is entered
automatically. Either accept the default subnet mask, or type the subnet mask that you
want to use.
8. In Default gateway, type the IP address of your default gateway.
9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the
local computer as the preferred DNS server, type the IP address of the local computer.
10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you
plan to use the local computer as an alternate DNS server, type the IP address of the
local computer.
11. Click OK, and then click Close.
Windows Server 2003
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To configure a static IP address on a computer running Windows Server 2003
1. Click Start, click Control Panel, right-click Network Connections, and then click Open.
2. In Network Connections, right-click the network connection that you want to configure,
and then click Properties.
3. In Local Area Connection Properties, in This Connection uses the following Items,
29
select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol
(TCP) Properties dialog box opens.
4. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use
the following IP address. In IP address, type the IP address that you want to use.
5. In Subnet mask, either accept the default subnet mask, or type the subnet mask that you
want to use.
6. In Default gateway, type the IP address of your default gateway.
7. In Preferred DNS server, type the IP address of your DNS server.
8. In Alternate DNS Server, type the IP address of your alternate DNS server, if any.
9. Click OK, and then click Close.
Deploying AD-DNS-01
To deploy AD-DNS-01, which is the computer running Active Directory Domain Services (AD DS)
and DNS, you must complete these steps in the following order:
Perform the steps in the section Configuring All Servers.
Install AD DS and DNS for a New Forest
Create a User Account in Active Directory Users and Computers
Add a Group
Assign Group Membership
Configure a DNS Reverse Lookup Zone
Administrative privilegesIf you are installing a small network and are the only administrator for the network, it is
recommended that you create a user account for yourself, and then add your user account as a
member of both Enterprise Admins and Domain Admins. Doing so will make it easier for you to
act as the administrator for all network resources. It is also recommended that you log on with this
account only when you need to perform administrative tasks, and that you create a separate user
account for performing non-IT related tasks.
If you have a larger organization with multiple administrators, refer to AD DS documentation to
determine the best group membership for organization employees.
Domain user accounts vs. user accounts on the local computerOne of the advantages of a domain-based infrastructure is that you do not need to create user
accounts on each computer in the domain. This is true whether the computer is a client computer
or a server.
30
Because of this, you should not create user accounts on each computer in the domain. Create all
user accounts in Active Directory Users and Computers and use the preceding procedures to
assign group membership. By default, all user accounts are members of the Domain Users
group.
After you have joined a computer to the domain, members of the Domain Users group can log on
to any domain member client computer.
Note
Members of the Domain Users group cannot log on to computers running
Windows Server® 2008.
You can configure user accounts to designate the days and times that the user is allowed to log
on to the computer. You can also designate which computers each user is allowed to use. To
configure these settings, open Active Directory Users and Computers, locate the user account
that you want to configure, and double-click the account. In the user account Properties, click the
Account tab, and then click either Logon Hours or Log On To.
Install AD DS and DNS for a New Forest
You can use this procedure to install Active Directory Domain Services (AD DS) and DNS and to
create a new domain in a new forest.
Membership in Administrators is the minimum required to perform this procedure.
To install Active Directory Domain Services and DNS
1. Do one of the following:
In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add
Roles Wizard opens.
Click Start, click Administrative Tools, and then click Server Manager. In Server
Manager, click Roles, and in the details pane, in Roles Summary, click Add Roles.
The Add Roles Wizard opens.
2. In Before You Begin, click Next.
Note
The Before You Begin page of the Add Roles Wizard is not displayed if you
have previously selected Do not show this page again when the Add Roles
Wizard was run.
3. In Select Server Roles, in Roles, select Active Directory Domain Services. An Add
Roles Wizard message opens that states You cannot install Active Directory Domain
Services unless the required features are also installed. Click Add Required
Features, and then, in the Add Roles Wizard, click Next.
4. In Active Directory Domain Services, review the information and then click Next.
31
5. In Confirm Installation Selections, review the information, and then click Install. The
Installation Progress page opens during installation.
6. When installation is complete, in Installation Results, review the information, and then
click Close this wizard and launch the Active Directory Domain Services Installation
Wizard (dcpromo.exe). The Add Roles Wizard closes and the Active Directory Domain
Services Installation Wizard opens. Click Next.
7. In Operating System Compatibility, review the information, and then click Next.
8. In Choose a Deployment Configuration, select Create a new domain in a new forest.
Click Next.
9. In Name the Forest Root Domain, in FQDN of the forest root domain, type the fully
qualified domain name for your domain. For example, if your FQDN is example.com, type
example.com. Click Next.
10. In Set Forest Functional Level, select the forest functional level that you want to use,
and then click Next.
11. In Additional Domain Controller Options, in Select additional options for this
domain controller, verify that DNS server is selected, and then click Next. The Active
Directory Domain Services Installation Wizard warning dialog box opens.
12. The warning dialog box informs you that you can create a delegation to this DNS server
manually in the parent zone. Click Yes to continue Active Directory Domain Services
installation.
13. In Location for Database, Log Files, and SYSVOL, do one of the following:
Accept the default values.
Type folder locations that you want to use for Database folder, Log files folder, and
SYSVOL folder.
14. Click Next.
15. In Directory Services Restore Mode Administrator Password, in Password, type a
password. In Confirm password, retype the password, and then click Next.
16. In Summary, review your selections.
17. If you want to export settings to an answer file, click Export settings, and specify a name
for the answer file. Click Next. The Active Directory Domain Services Installation
Wizard opens and installs Active Directory Domain Services.
18. In Completing the Active Directory Domain Services Installation Wizard, click
Finish, and then click Restart Now.
32
Create a User Account in Active Directory Users and Computers
You can use this procedure to create a new domain user account in Active Directory Users and
Computers Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To create a user account
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, right-click the folder in which you want to add a user account.
Where?
Active Directory Users and Computers/domain node/folder
3. Point to New, and then click User.
4. In First name, type the user's first name.
5. In Initials, type the user's initials.
6. In Last name, type the user's last name.
7. Modify Full name to add initials or reverse the order of first and last names.
8. In User logon name, type the user logon name. Click Next.
9. In New Object - User, in Password and Confirm password, type the user's password,
and then select the appropriate password options.
10. Click Next, review the new user account settings, and then click Finish.
Add a Group
You can use this procedure to create a new group in Active Directory Users and Computers
Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To add a group
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
33
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, right-click the folder in which you want to add a new group.
Where?
Active Directory Users and Computers/domain node/folder
3. Point to New, and then click Group.
4. In New Object – Group, in Group name, type the name of the new group.
By default, the name you type is also entered as the pre-Windows 2000 name of the new
group.
5. In Group scope, select one of the following options:
Domain local
Global
Universal
6. In Group type, select one of the following options:
Security
Distribution
7. Click OK.
Assign Group Membership
You can use this procedure to add a user, computer, or group to a group in Active Directory Users
and Computers Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent is the minimum required to perform this
procedure.
To assign group membership
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, double-click the folder that contains the group to which you want to
add a member.
Where?
Active Directory Users and Computers/domain node/folder that contains the group
3. In the details pane, right-click the group to which you want to add a member, and then
click Properties. The group Properties dialog box opens. Click the Members tab.
34
4. On the Members tab, click Add.
5. In Enter the object names to select, type the name of the user, group, or computer that
you want to add, and then click OK.
6. To assign group membership to other users, groups or computers, repeat steps 4 and 5
of this procedure.
Configure a DNS Reverse Lookup Zone
You can use this procedure to configure a reverse lookup zone in Domain Name System (DNS).
Membership in Domain Admins is the minimum required to perform this procedure.
To configure a DNS reverse lookup zone
1. Click Start, click Administrative Tools, and then click DNS. The DNS Manager opens.
2. In DNS Manager, if it is not already expanded, double-click the server name to expand
the tree. For example, if the DNS server name is AD-DNS-01, double-click AD-DNS-01.
3. Select Reverse Lookup Zones, right-click Reverse Lookup Zones, and then click New
Zone. The New Zone Wizard opens.
4. In Welcome to the New Zone Wizard, click Next.
5. In Zone Type, select one of the following:
Primary zone
Secondary zone
Stub zone
6. If your DNS server is a writeable domain controller, select Store the zone in Active
Directory.
7. Click Next.
8. In Active Directory Zone Replication Scope, select one of the following:
To all DNS servers running on domain controllers in this forest
To all DNS servers running on domain controllers in this domain
To all domain controllers in this domain
To all domain controllers specified in the scope of this directory partition
9. Click Next.
10. In the first Reverse Lookup Zone Name page, select one of the following:
IPv4 Reverse Lookup Zone
IPv6 Reverse Lookup Zone
11. Click Next.
35
12. In the second Reverse Lookup Zone Name page, do one of the following:
In Network ID, type the network ID of your IP address range. For example, if your IP
address range is 192.168.0.1, type 192.168.0.
In Reverse lookup zone name, type the name of your IPv4 reverse lookup zone.
13. Click Next.
14. In Dynamic Update, select the type of dynamic updates that you want to allow. Click
Next.
15. In Completing the New Zone Wizard, review your choices, and then click Finish.
Joining Computers to the Domain and Logging On
After you have installed Active Directory Domain Services (AD DS) and created one or more user
accounts that have permissions to join a computer to the domain, you can join foundation network
servers to the domain and log on to the servers in order to install additional technologies, such as
Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), and
Network Policy Server (NPS).
Note
If you are logged on to a computer running Windows Server® 2008 with the local
computer’s Administrator account, by default, you can join a computer to the domain with
a user account that is a member of Domain Users in Active Directory Users and
Computers.
In addition, you can use these instructions to join client computers to the domain and to log on to
client computers.
On all servers that you are deploying, except for the server running AD DS, do the following:
1. Complete the procedures provided in Configuring All Servers.
2. Use the instructions in the following sections to join your servers to the domain and to log on
to the servers to perform additional deployment tasks:
Join the Computer to the Domain
Log on to the Domain
36
Join the Computer to the Domain
You can use these procedures to join computers running Windows Server® 2008 R2,
Windows® 7Windows Server® 2008, Windows Vista®, Windows Server 2003, or Windows XP to
the domain.
Procedures for joining computers to the domainThis topic provides procedures for joining computers running the following operating systems to
the domain:
Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)
Windows Server 2008 and Windows Vista
Windows Server 2003 and Windows XP
Important
To join a computer to a domain, you must be logged on to the computer with the local
Administrator account or, if you are logged on to the computer with a user account that
does not have local computer administrative credentials, you must provide the credentials
for the local Administrator account during the process of joining the computer to the
domain. In addition, you must have a user account in the domain to which you want to
join the computer. During the process of joining the computer to the domain, you will be
prompted for your domain account credentials (user name and password).
Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate)
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2008 R2 (Release Candidate) and Windows 7 (Release Candidate) to the domain
1. Log on to the computer with the local Administrator account.
2. Click Start, right-click Computer, and then click Properties. The System dialog box
opens.
3. In Computer name, domain, and workgroup settings, click Change settings. The
System Properties dialog box opens.
Note
On computers running Windows® 7, before the System Properties dialog box
opens, the User Account Control dialog box opens, requesting permission to
continue. Click Continue to proceed.
4. Click Change. The Computer Name/Domain Changes dialog box opens.
5. In Computer Name, in Member of, select Domain, and then type the name of the
domain you want to join. For example, if the domain name is example.com, type
example.com.
37
6. Click OK. The Windows Security dialog box opens.
7. In Computer Name/Domain Changes, in User name, type the user name, and in
Password, type the password, and then click OK. The Computer Name/Domain
Changes dialog box opens, welcoming you to the domain. Click OK.
8. The Computer Name/Domain Changes dialog box displays a message indicating that
you must restart the computer to apply the changes. Click OK.
9. On the System Properties dialog box, on the Computer Name tab, click Close. The
Microsoft Windows dialog box opens, and displays a message, again indicating that
you must restart the computer to apply the changes. Click Restart Now.
Windows Server 2008 and Windows Vista
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2008 and Windows Vista to the domain
1. Log on to the computer with the local Administrator account.
2. Click Start, right-click Computer, and then click Properties. The System dialog box
opens.
3. In Computer name, domain, and workgroup settings, click Change settings. The
System Properties dialog box opens.
Note
On computers running Windows® 7, before the System Properties dialog box
opens, the User Account Control dialog box opens, requesting permission to
continue. Click Continue to proceed.
4. Click Change. The Computer Name/Domain Changes dialog box opens.
5. In Computer Name, in Member of, select Domain, and then type the name of the
domain you want to join. For example, if the domain name is example.com, type
example.com.
6. Click OK. The Windows Security dialog box opens.
7. In Computer Name/Domain Changes, in User name, type the user name, and in
Password, type the password, and then click OK. The Computer Name/Domain
Changes dialog box opens, welcoming you to the domain. Click OK.
8. The Computer Name/Domain Changes dialog box displays a message indicating that
you must restart the computer to apply the changes. Click OK.
9. On the System Properties dialog box, on the Computer Name tab, click Close. The
Microsoft Windows dialog box opens, and displays a message, again indicating that
you must restart the computer to apply the changes. Click Restart Now.
Windows Server 2003 and Windows XP
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
38
To join computers running Windows Server 2003 and Windows XP to the domain
1. Click Start, right-click My Computer, and then click Properties. The System Properties
dialog box opens.
2. Click Change. The Computer Name Changes dialog box opens.
3. In Computer Name Changes, in Member of, select Domain, and then type the name of
the domain you want to join. For example, if the domain name is example.com, type
example.com.
4. Click OK. The Computer Name Changes dialog box opens. In User name, type the
domain administrator account name, and in Password, type the administrator password,
and then click OK.
5. The Computer Name Changes dialog box opens, welcoming you to the domain.
6. Click OK. The Computer Name Changes dialog box displays a message indicating that
you must restart the computer to apply the changes.
7. Click OK.
8. On the System Properties dialog box, on the Computer Name tab, click OK, to close
the System Properties dialog box. The System Settings Change dialog box opens,
and displays a message, again indicating that you must restart the computer to apply the
changes.
9. Click Yes.
Log on to the Domain
You can use these procedures to log on to the domain using computers running
Windows Server® 2008, Windows Vista®, Windows Server 2003, and Windows XP.
Procedures to log on to the domainThis topic provides procedures to log on to the domain using computers running the following
operating systems:
Windows Server 2008 R2 and Windows 7
Windows Server 2008 and Windows Vista
Windows Server 2003 and Windows XP
Windows Server 2008 R2 and Windows 7
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2008 R2 and Windows 7
39
1. Log off the computer, or restart the computer.
2. Press CTRL + ALT + DELETE. The logon screen appears.
3. Click Switch User, and then click Other User.
4. In User name, type your domain and user name in the format domain\user. For example,
to log on to the domain example.com with an account named User-01, type example\
User-01.
5. In Password, type your domain password, and then click the arrow, or press ENTER.
Windows Server 2008 and Windows Vista
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2008 and Windows Vista
1. Log off the computer, or restart the computer.
2. Press CTRL + ALT + DELETE. The logon screen appears.
3. Click Switch User, and then click Other User.
4. In User name, type your domain and user name in the format domain\user. For example,
to log on to the domain example.com with an account named User-01, type example\
User-01.
5. In Password, type your domain password, and then click the arrow, or press ENTER.
Windows Server 2003 and Windows XP
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2003 and Windows XP
1. Log off the computer, or restart the computer.
2. Press CTRL + ALT + DELETE. The Log On to Windows dialog box appears.
3. If Log on to is not displayed, click Options.
4. In Log on to, in the drop down list, select your domain. For example, in the example.com
domain, select EXAMPLE.
5. Type your domain and user name in the format domain\user. For example, to log on to
the example.com domain with an account named User-01, type example\User-01.
6. In Password, type your domain password, and then press ENTER.
Deploying WINS-01 (optional)
Before deploying this component of the foundation network, you must do the following:
40
Perform the steps in the section Configuring All Servers.
Perform the steps in the section Joining Computers to the Domain and Logging On
To deploy WINS-01, which is the computer running Windows Internet Name Service (WINS), you
must complete this step:
Install Windows Internet Name Service (WINS)
Install Windows Internet Name Service (WINS)
Windows Internet Name Service (WINS) enables computers running Windows to find other
computers using NetBIOS across subnets. Some programs rely on WINS to function across the
network.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To install WINS
1. Do one of the following:
a. In Initial Configuration Tasks, in Customize This Server, click Add Features. The
Add Features Wizard opens.
b. Click Start, click Administrative Tools, and then click Server Manager. In the left
pane of Server Manager, click Features, and in the details pane, in Features
Summary, click Add Features. The Add Features Wizard opens.
2. In Select Features, in Features, scroll down the list, select WINS Server, and then click
Next.
3. In Confirm installation selections, click Install.
4. In Installation Results, review your installation results, and then click Close.
Deploying DHCP-01
Before deploying this component of the foundation network, you must do the following:
Perform the steps in the section Configuring All Servers.
Perform the steps in the section Joining Computers to the Domain and Logging On.
DHCP installation suggestionsThe following choices are recommended when you install DHCP with the Add New Roles Wizard:
41
Activate the scope or scopes that you configure during installation unless you have reason
not to do so. For example, if you plan to create an exclusion range for the scope so that some
IP addresses are available for statically configured devices, you might not want to activate the
scope until after you have created the exclusion range. After you activate a scope, it is
configured to function without additional configuration after the installation process is
complete. If you choose not to activate a scope during installation, however, you can activate
the scope after DHCP is installed by using the DHCP Microsoft Management Console (MMC)
and the procedure Activate a DHCP Scope.
Authorize the DHCP server in Active Directory Domain Services (AD DS) during installation
unless you have reason not to do so. If you authorize the server during installation, the server
is configured to function without additional configuration after the installation process is
complete. If you choose not to authorize the DHCP server during installation, however, you
can authorize the server after DHCP is installed by using the DHCP MMC and the procedure
Authorize a DHCP Server in Active Directory Domain Services.
Do not enable Configure DHCPv6 Stateless Mode unless you plan to use Internet Protocol
version 6 (IPv6) on your network in addition to or to replace IPv4.
Deploying DHCPTo deploy DHCP-01, which is the computer running the Dynamic Host Configuration Protocol
(DHCP) server role, you must complete these steps in the following order:
If you plan to deploy Windows Internet Name Service (WINS) on your network, it is
recommended that you perform the steps in the section Deploying WINS-01 (optional) before
installing DHCP.
Install Dynamic Host Configuration Protocol (DHCP)
Create an Exclusion Range in DHCP
If you chose not to perform the following actions during DHCP installation, you can perform them
after DHCP is installed:
Authorize a DHCP Server in Active Directory Domain Services
Activate a DHCP Scope
After DHCP is installed, you can add more scopes to the server configuration:
Create a New DHCP Scope
Install Dynamic Host Configuration Protocol (DHCP)
You can use this procedure to install and configure the DHCP Server role using the Add Roles
Wizard.
42
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To install DHCP
1. Do one of the following:
a. In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add
Roles Wizard opens.
b. Click Start, click Administrative Tools, and then click Server Manager. In the left
pane of Server Manager, click Roles, and in the details pane, in Roles Summary,
click Add Roles. The Add Roles Wizard opens.
2. In Before You Begin, click Next.
Note
The Before You Begin page of the Add Roles Wizard is not displayed if you
have previously selected Do not show this page again when the Add Roles
Wizard was run.
3. In Select Server Roles, in Roles, select DHCP Server, and then click Next.
4. In DHCP Server, click Next.
5. In Select Network Connection Bindings, in Network Connections, select the IP
addresses that are connected to the subnets for which you want to provide DHCP
service, and then click Next.
6. In Specify IPv4 DNS Server Settings, in Parent domain, verify that the name of the
DNS domain that clients use for name resolution is correct. For example, if your domain
is named example.com, verify that the DNS domain name is example.com.
7. In Preferred DNS server IPv4 address, type the IPv4 address of your preferred DNS
server, and then click Validate. In Alternate DNS server IPv4 Address, type the IPv4
address of your alternate DNS server, if any, and then click Validate.
Note
If a DNS server responds when you click Validate, the DHCP installation wizard
indicates the specified address for the DNS server is valid. If no DNS server
responds when you click Validate, the DHCP installation wizard returns the
message: The DNS server at the specified IP address is not responding.
8. Click Next. In Specify IPv4 WINS Server Settings, select one of the following:
If you do not have WINS servers on your network, select WINS is not required for
applications on this network.
If one or more WINS servers are deployed on your network, select WINS is required
for applications on this network. In Preferred WINS server IP address, type the
IPv4 address of your preferred WINS server. In Alternate WINS server IP Address,
type the IPv4 address of your alternate WINS server, if any, and then click Next.
9. In Add or Edit DHCP Scopes, click Add. The Add Scope dialog box opens.
43
10. In the Add Scope dialog box, type values for all required items. In Subnet Type, select
either Wired or Wireless, depending on the IP address lease duration that you prefer,
and then do one of the following:
To automatically activate the scope immediately after DHCP installation is complete,
ensure that Activate this scope is selected. If there are computers or devices on the
network that have static IP addresses, do not activate the scope until after you have
created an exclusion range. The exclusion range prevents the DHCP server from
leasing IP addresses that are already in use by a statically configured device.
To manually activate the scope later, use the DHCP Microsoft Management Console
(MMC).
11. Click OK. This returns you to the Add or Edit DHCP Scopes page. If your network has
multiple subnets that are serviced by this DHCP server, add scopes for each subnet
using steps 9 and 10. Click Next.
12. In Configure DHCPv6 Stateless Mode, select whether you want to configure the DHCP
server for DHCPv6 stateless operation, and then click Next.
13. In the previous step, if you selected Enable DHCPv6 stateless mode for this server,
the Specify IPv6 DNS Server Settings page opens. Configure the IPv6 DNS server
settings that you prefer, and then click Next. If in the previous step you selected Disable
DHCPv6 stateless mode for this server, proceed to the next step.
14. In Authorize DHCP Server, do one of the following:
Select Use current credentials to authorize the DHCP server in Active Directory
Domain Services (AD DS) using the credentials supplied for the current session.
To specify alternate credentials for authorization, select Use alternate credentials.
Click Specify, and then type the credentials to use for DHCP server authorization.
Select Skip authorization of this DHCP server in AD DS, and then click Next.
Note
Before your DHCP server can issue IP address leases, the DHCP server
must be authorized in AD DS.
15. In Confirm Installation Selections, review your selections, and then click Install.
16. In Installation Results, review your installation results, and then click Close.
Create an Exclusion Range in DHCP
You can use this procedure to create an exclusion range for an existing DHCP scope.
Membership in DHCP Administrators, or equivalent, is the minimum required to perform this
procedure.
44
To create an exclusion range in DHCP
1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft
Management Console (MMC) opens.
2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-
01.example.com, double-click DHCP-01.example.com.
3. Double-click IPv4, and then, for the scope for which you want to create an exclusion
range, double-click Scope.
4. Click Address Pool. Right-click Address Pool, and then click New Exclusion Range.
The Add Exclusion dialog box opens.
5. In Add Exclusion, in Start IP address, type the IP address that is the first IP address in
the exclusion range.
6. In Add Exclusion, in End IP address, type the IP address that is the last IP address in
the exclusion range, and then click Add.
7. Click Close.
Authorize a DHCP Server in Active Directory Domain Services
You can use this procedure to authorize a DHCP server in Active Directory Domain Services
(AD DS).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To authorize a DHCP server in AD DS
1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft
Management Console (MMC) opens.
2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-
01.example.com, double-click DHCP-01.example.com.
3. In the DHCP MMC, click Action, and then click Authorize.
4. To verify that the server was authorized in AD DS, click Action, and then click Refresh.
The IPv4 icon changes from red to green. In addition, on the Action menu, the
Authorize menu item is replaced by the Unauthorize menu item. You can use the
Unauthorize menu item if you ever want to decommission the DHCP server.
45
Activate a DHCP Scope
You can use this procedure to activate a DHCP scope using the DHCP Microsoft Management
Console (MMC).
Membership in DHCP Administrators, or equivalent, is the minimum required to perform this
procedure.
To activate a DHCP scope
1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens.
2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-
01.example.com, double-click DHCP-01.example.com.
3. Double-click IPv4, and click the scope that you want to activate. Right-click the scope
that you want to activate, and then click Activate.
Create a New DHCP Scope
You can use this procedure to create a new DHCP scope using the DHCP Microsoft Management
Console (MMC).
Membership in DHCP Administrators, or equivalent, is the minimum required to perform this
procedure.
To create a new DHCP Scope
1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens.
2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP-
01.example.com, double-click DHCP-01.example.com.
3. Right-click IPv4, and then click New Scope. The New Scope Wizard opens.
4. In Welcome to the New Scope Wizard, click Next.
5. In Scope Name, in Name, type a name for the scope. For example, type Subnet-02.
6. In Description, type a description for the new scope, and then click Next.
7. In IP Address Range, do the following:
a. In Start IP address, type the IP address that is the first IP address in the range. For
example, type 10.10.10.1.
b. In End IP address, type the IP address that is the last IP address in the range. For
example, type 10.10.10.254. Values for Length and Subnet mask are entered
automatically, based on the IP address you entered for Start IP address.
c. If necessary, modify the values in Length or Subnet mask, as appropriate for your
46
addressing scheme.
d. Click Next.
8. In Add Exclusions, do the following:
a. In Start IP address, type the IP address that is the first IP address in the exclusion
range. For example, type 10.10.10.1.
b. In End IP address, type the IP address that is the last IP address in the exclusion
range, For example, type 10.10.10.15.
9. Click Add, and then click Next.
10. In Lease Duration, modify the default values for Days, Hours, and Minutes, as
appropriate for your network, and then click Next.
11. In Configure DHCP Options, select Yes, I want to configure these options now, and
then click Next.
12. In Router (Default Gateway), do one of the following:
If you do not have routers on your network, click Next.
In IP address, type the IP address of your router or default gateway. For example,
type 10.10.10.10. Click Add, and then click Next.
13. In Domain Name and DNS Servers, do the following:
a. In Parent domain, type the name of the DNS domain that clients use for name
resolution. For example, type example.com.
b. In Server name, type the name of the DNS computer that clients use for name
resolution. For example, type AD-DNS-01.
c. Click Resolve. The IP address of the DNS server is added in IP address. Click Add,
wait for DNS server IP address validation to complete, and then click Next.
14. In WINS Servers, do one of the following:
If you do not have WINS servers on your network, click Next.
If you have one or more WINS servers deployed on your network, for each WINS
server: In Server name, type the name of the WINS server. For example, type WINS-
01. Click Resolve. The IP address of the WINS server is added in IP address. Click
Add, and then click Next.
15. In Activate Scope, do one of the following:
To automatically activate the scope immediately after the steps in the New Scope
Wizard are complete, select Yes, I want to activate this scope now.
To manually activate the scope later by using the DHCP MMC, select No I will
activate this scope later.
16. Click Next, and then click Finish.
47
Deploying NPS-01 (optional)
Before deploying this network component, you must do the following:
Perform the steps in the section Configuring All Servers.
Perform the steps in the section Joining Computers to the Domain and Logging On
To deploy NPS-01, which is the computer running the Network Policy Server (NPS) role service of
the Network Policy and Access Services server role, you must complete this step:
Install Network Policy Server (NPS)
Register the NPS Server in the Default Domain
Install Network Policy Server (NPS)
You can use this procedure to install Network Policy Server (NPS) by using the Add Roles
Wizard. NPS is a role service of the Network Policy and Access Services server role.
Note
By default, NPS listens for RADIUS traffic on ports 1812, 1813, 1645, and 1646 on all
installed network adapters. If Windows Firewall with Advanced Security is enabled when
you install NPS, firewall exceptions for these ports are automatically created during the
installation process for both Internet Protocol version 6 (IPv6) and IPv4 traffic. If your
network access servers are configured to send RADIUS traffic over ports other than
these defaults, remove the exceptions created in Windows Firewall with Advanced
Security during NPS installation, and create exceptions for the ports that you do use for
RADIUS traffic.
Administrative Credentials
To complete this procedure, you must be a member of the Domain Admins group.
To install NPS
1. Do one of the following:
In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add
Roles Wizard opens.
Click Start, click Administrative Tools, and then click Server Manager. In the left
pane of Server Manager, click Roles, and in the details pane, in Roles Summary,
click Add Roles. The Add Roles Wizard opens.
2. In Before You Begin, click Next.
Note
The Before You Begin page of the Add Roles Wizard is not displayed if you
have previously selected Do not show this page again when the Add Roles
48
Wizard was run.
3. In Select Server Roles, in Roles, select Network Policy and Access Services, and
then click Next.
4. In Network Policy and Access Services, review the information, and then click Next.
5. In Select Role Services, in Role services, select Network Policy Server, and then
click Next.
6. In Confirm Installation Selections, click Install.
7. In Installation Results, review your installation results, and then click Close.
Register the NPS Server in the Default Domain
You can use this procedure to register an NPS server in the domain where the server is a domain
member.
NPS servers must be registered in Active Directory so that they have permission to read the dial-
in properties of user accounts during the authorization process. Registering an NPS server adds
the server to the RAS and IAS Servers group in Active Directory.
Administrative credentials
To complete this procedure, you must be a member of the Domain Admins group.
To register an NPS server in its default domain
1. Click Start, click Administrative Tools, and then click Network Policy Server.
2. Right-click NPS (Local), and then click Register Server in Active Directory. The
Network Policy Server dialog box opens.
3. In Network Policy Server, click OK, and then click OK again.
Additional Technical Resources
For more information about the technologies in this guide, see the following resources:
Active Directory Domain Services in the Windows Server® 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=96418
Domain Name System (DNS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=110949
49
Dynamic Host Configuration Protocol (DHCP) in the Windows Server 2008 Technical Library,
at http://go.microsoft.com/fwlink/?LinkId=96419
Network Policy Server (NPS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=104545
TCP/IP in the Windows Server 2008 Technical Library, at http://go.microsoft.com/fwlink/?
LinkId=103329
Windows Internet Name Service (WINS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=103331
Appendix A
You can use this Network Planning Preparation Sheet to gather the information required to install
a core network. This topic provides tables that contain the individual configuration items for each
server computer for which you must supply information or specific values during the installation or
configuration process. Example values are provided for each configuration item.
For planning and tracking purposes, spaces are provided in each table for you to enter the values
used for your deployment. If you log security-related values in these tables, you should store the
information in a secure location.
Core Network Planning Preparation SheetThe following links lead to the sections in this topic that provide configuration items and example
values that are associated with the deployment procedures presented in this guide.
Installing Active Directory Domain Services and DNS
Configuring a DNS Reverse Lookup Zone
Installing Windows Internet Name Service (optional)
Installing DHCP
Creating an exclusion range in DHCP
Creating a new DHCP scope
Installing Network Policy Server (optional)
Installing Active Directory Domain Services and DNSThe tables in this section list configuration items for pre-installation and installation of Active
Directory Domain Services (AD DS) and DNS.
Pre-installation configuration items for AD DS and DNS
The following three tables list pre-installation configuration items as described in Configuring All
Servers:
Create an Administrator Password
50
Configuration items: Example values: Values:
Administrator password J*p2leO4$F
Configure a Static IP Address
Configuration items: Example values: Values:
IP address 192.168.0.1
Subnet mask 255.255.255.0
Default gateway 192.168.0.10
Preferred DNS server 192.168.0.1
Alternate DNS server 192.168.0.6
Rename the Computer
Configuration item: Example value: Value:
Computer name AD-DNS-01
AD DS and DNS installation configuration items
Configuration items for the Windows Server Core Network deployment procedure Install AD DS
and DNS for a New Forest:
Configuration items: Example values: Values:
Full DNS name example.com
Forest functional level Windows Server 2003
Active Directory Domain
Services database folder
location
E:\Configuration\
Or accept the default location.
Active Directory Domain
Services log files folder
location
E:\Configuration\
Or accept the default location.
Active Directory Domain
Services SYSVOL folder
location
E:\Configuration\
Or accept the default location
Directory Restore Mode J*p2leO4$F
51
Configuration items: Example values: Values:
Administrator password
Answer file name (optional) AD DS_AnswerFile
Configuring a DNS Reverse Lookup Zone
Configuration items: Example values: Values:
Zone type: Primary zone
Secondary zone
Stub zone
Zone type
Store the zone in Active
Directory
Selected
Not selected
Active Directory zone
replication scope
To all DNS servers in this
forest
To all DNS servers in this
domain
To all domain controllers in
this domain
To all domain controllers
specified in the scope of
this directory partition
Reverse lookup zone name
(IP type)
IPv4 Reverse Lookup Zone
IPv6 Reverse Lookup Zone
Reverse lookup zone name
(network ID)
192.168.0
Installing Windows Internet Name Service (optional)The tables in this section list configuration items for pre-installation and installation of Windows
Internet Name Service (WINS).
Pre-installation configuration items
The following three tables list pre-installation configuration items as described in Configuring All
Servers:
Create an Administrator Password
52
Configuration items: Example values: Values:
Administrator password J*p2leO4$F
Configure a Static IP Address
Configuration items: Example values: Values:
IP address 192.168.0.2
Subnet mask 255.255.255.0
Default gateway 192.168.0.10
Preferred DNS server 192.168.0.1
Alternate DNS server 192.168.0.6
Rename the Computer
Configuration item: Example value: Value:
Computer name WINS-01
WINS installation configuration items
Configuration items for the Windows Server Core Network deployment procedure Install Windows
Internet Name Service (WINS):
No additional configuration items are required to install WINS.
Installing DHCPThe tables in this section list configuration items for pre-installation and installation of DHCP.
Pre-installation configuration items for DHCP
The following three tables list pre-installation configuration items as described in Configuring All
Servers:
Create an Administrator Password
Configuration items: Example values: Values:
Administrator password J*p2leO4$F
Configure a Static IP Address
53
Configuration items: Example values: Values:
IP address 192.168.0.3
Subnet mask 255.255.255.0
Default gateway 192.168.0.10
Preferred DNS server 192.168.0.3
Alternate DNS server 192.168.0.6
Rename the Computer
Configuration item: Example value: Value:
Computer name DHCP-01
DHCP installation configuration items
Configuration items for the Windows Server Core Network deployment procedure Install Dynamic
Host Configuration Protocol (DHCP):
Configuration items: Example values: Values:
Network connect bindings Local Area Connection
DNS server settings AD-DNS-01
Preferred DNS server IP
address
192.168.0.1
Alternate DNS server IP
address
192.168.0.6
WINS server settings. 192.168.0.2
Alternate WINS server IP
address
192.168.0.12
Scope name Primary Subnet
Starting IP address 192.168.0.1
Ending IP address 192.168.0.254
Subnet mask 255.255.255.0
Default gateway (optional) 192.168.0.10
Subnet type Wired (Lease duration will be 6
days)
54
Configuration items: Example values: Values:
IPv6 DHCP server operation
mode
Not enabled
Creating an exclusion range in DHCP
Configuration items for the Windows Server Core Network deployment procedure Create an
Exclusion Range in DHCP:
Configuration items: Example values: Values:
Scope name Primary Scope
Scope description Parent Domain Scope
Exclusion range start IP
address
192.168.0.1
Exclusion range end IP address 192.168.0.15
Creating a new DHCP scope
Configuration items for the Windows Server Core Network deployment procedure Activate a
DHCP Scope:
Configuration items: Example values: Values:
New scope name Subnet-02
Scope description Scope for Subnet-02
(IP address range)
Start IP address
10.10.10.1
(IP address range)
End IP address
10.10.10.254
Length 8
Subnet mask 255.0.0.0
(Exclusion range) Start IP
address
10.10.10.1
Exclusion range end IP address 10.10.10.15
Lease duration 8
55
Configuration items: Example values: Values:
Days
Hours
Minutes
0
0
Router (default gateway)
IP address
10.10.10.10
DNS parent domain example.com
DNS server
IP address
192.168.0.1
WINS server
IP address
192.168.0.2
Installing Network Policy Server (optional)The tables in this section list configuration items for pre-installation and installation of NPS.
Pre-installation configuration items
The following three tables list pre-installation configuration items as described in Configuring All
Servers:
Create an Administrator Password
Configuration items: Example values: Values:
Administrator password J*p2leO4$F
Configure a Static IP Address
Configuration items: Example values: Values:
IP address 192.168.0.4
Subnet mask 255.255.255.0
Default gateway 192.168.0.10
Preferred DNS server 192.168.0.1
Alternate DNS server 192.168.0.6
Rename the Computer
56
Configuration item: Example value: Value:
Computer name NPS-01
Network Policy Server installation configuration items
Configuration items for the Windows Server Core Network NPS deployment procedures: Install
Network Policy Server (NPS) and Register the NPS Server in the Default Domain.
No additional configuration items are required to install and register NPS.
57