Thursday, June 30, 2011

step by step Installing Active Directory on Windows Server 2008

Microsoft Active Directory provides the structure to centralize the network management and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users. In order to configure a Windows Server 2008 machine to act as Domain Controller, several considerations and prerequisites should be taken into account, and several steps should be performed. In this article I will guide you through these prerequisites and steps of creating a new Windows Server 2008 Domain Controller for a new Active Directory domain in a new forest.

Considerations when Installing a new Windows Server 2008 forest
When you install AD to create the first domain controller in a new Windows Server 2008 forest, you must keep the following considerations in mind:
  • You must make forest and domain functional level decisions that determine whether your forest and domain can contain domain controllers that run Windows 2000 Server, Windows Server 2003, or both. To read more about forest and domain functional levels please refer to the links below.
  • Domain controllers running the Microsoft Windows NT Server 4.0 operating system are NOT supported with Windows Server 2008.
  • Servers running Windows NT Server 4.0 are NOT supported by domain controllers that are running Windows Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to support older NT 4.0 servers.
  • The first Windows Server 2008 domain controller in a forest must be a global catalog server and it cannot be an RODC.

Considerations when Installing a new Windows Server 2008 domain in an existing Windows 2000/2003 forest

When you install AD to create the first domain controller in a new Windows Server 2008 domain, you must keep the following considerations in mind:
  • Before you create a new Windows Server 2008 domain in a Windows 2000/2003 forest, you must prepare the forest for Windows Server 2008 by extending the schema (that is, by running ADPREP /forestprep). To read more about ADPREP please refer to the links below or my "Windows Server 2008 ADPREP" article.
  • You must make domain functional level decisions that determine whether your domain can contain domain controllers that run Windows 2000 Server, Windows Server 2003, or both. To read more about forest and domain functional levels please refer to the links below.
  • I recommend that you host the PDC emulator operations master role in the forest root domain on a domain controller that runs Windows Server 2008. For more information about FSMO Roles, please read my "Understanding FSMO Roles in Active Directory" and "Transferring FSMO Roles" articles.

General considerations

Make sure you read and follow the requirements described in my "Active Directory on Windows Server 2008 Requirements" article.

Installing Active Directory Domain Services (AD-DS)

In Windows Server 2008, unlike previous server operating systems, there is an additional step that needs to be taken before running DCPROMO to promote the server to Domain Controller and install Active Directory on it. This step is the installation of the Active Directory Domain Services (AD-DS) role on the server. In fact, the AD-DS role is what enables the server to act as a Domain Controller, but you will still need to run DCPROMO the regular way.
AD-DS can be installed in one of 3 methods:

Method 1 – Server Manager/Initial Configuration Tasks

Roles can and should be added from Server Manager (but they can also be initiated from the Initial Configuration Tasks wizard that auto-opens the first time you log on to the server).
  1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder.
  2. Wait till it finishes loading, then click on Roles > Add Roles link.

  3. In the Before you begin window, click Next.

  4. In the Select Server Roles window, click to select Active Directory Domain Services, and then click Next.

  5. In the Active Directory Domain Services window read the provided information if you want to, and then click Next.

  6. In the Confirm Installation Selections, read the provided information if you want to, and then click Next.

  7. Wait till the process completes.

  8. When it ends, click Close.

  9. Going back to Server Manager, click on the Active Directory Domain Services link, and note that there's no information linked to it, because the DCPROMO command has not been run yet.

  10. Now you can click on the DCPROMO link to continue with the Running DCPROMO section below, or read on for the other two methods.

Method 2 – Servermanagercmd.exe

Servermanagercmd.exe is the command prompt equivalent of the Add Roles and Add Features wizards in Server Manager. Through the use of various command line options, you can quickly and easily add or remove features and roles to or from your server, including the AD-DS role.
To install AD-DS by using Servermanagercmd.exe, simply enter the following command in the Command Prompt window:
Servermanagercmd.exe -I ADDS-Domain-Controller
Let the command run and when it finishes, AD-DS will be installed on the server.

Method 3 – Letting DCPROMO do the job

Oh yes. If you forget to install AD-DS or simply want to skip clicking through some windows, you can run DCPROMO from the Run command; before it executes, the server checks whether the AD-DS binaries are installed, and since they are not, they will auto-install.

After you complete the Add Roles Wizard, either click the link to start the Active Directory Domain Services Installation Wizard, or close Server Manager and manually run DCPROMO from the Run command.

Running DCPROMO

After installing the AD-DS role, we need to run DCPROMO to perform the actual Active Directory database and function installation.
Note: This guide assumes this is the first Domain Controller in the forest, thus creating a new domain in a new forest. For a guide on how to add additional Domain Controllers to existing domains, please read my upcoming "Installing Additional Windows Server 2008 Domain Controllers in your Existing Active Directory Domain" article.
  1. To run DCPROMO, enter the command in the Run command, or click on the DCPROMO link from Server Manager > Roles > Active Directory Domain Services.

  2. Depending on whether AD-DS was previously installed or not, the Active Directory Domain Services Installation Wizard will appear immediately or after a short while. Click Next.
     Note: The Advanced features of DCPROMO will be discussed in a future article.

  3. In the Operating System Compatibility window, read the provided information and click Next.

  4. In the Choosing Deployment Configuration window, click on "Create a new domain in a new forest" and click Next.

  5. Enter an appropriate name for the new domain. Make sure you pick the right domain name, as renaming domains is a task you will not wish to perform on a daily basis. Click Next.
     Note: Do NOT use single label domain names such as "mydomain" or similar. You MUST pick a full domain name such as "mydomain.local" or "mydomain.com" and so on.
     The wizard will perform checks to see whether the domain name is already in use on the local network.

  6. Pick the right forest functional level. Windows 2000 mode is the default, and it allows the addition of Windows 2000, Windows Server 2003 and Windows Server 2008 Domain Controllers to the forest you're creating. Read my "Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels" article for more information on that.

  7. Pick the right domain functional level. Windows 2000 Native mode is the default, and it allows the addition of Windows 2000, Windows Server 2003 and Windows Server 2008 Domain Controllers to the domain you're creating.
     Note: If you select "Windows Server 2008" for the forest functional level, you will NOT be prompted to pick a domain functional level. Read more about domain and forest functional levels in my "Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels" article.

  8. The wizard will perform checks to see if DNS is properly configured on the local network. In this case, no DNS server has been configured, therefore the wizard will offer to automatically install DNS on this server.
     Note: The first DC must also be a Global Catalog. Also, the first DC in a forest cannot be a Read Only Domain Controller.

  9. It's most likely that you'll get a warning telling you that the server has one or more dynamic IP addresses. Running IPCONFIG /all will show that this is not the case for IPv4: as you can clearly see, I have given the server a static IP address. So, where did this come from? The answer is IPv6. I did not manually configure the IPv6 address, hence the warning. In a network where IPv6 is not used, you can safely ignore this warning.

  10. You'll probably get a warning about DNS delegation. Since no DNS has been configured yet, you can ignore the message and click Yes.

  11. Next, change the paths for the AD database, log files and SYSVOL folder. For large deployments, carefully plan your DC configuration to get the maximum performance. When satisfied, click Next.

  12. Enter the password for the Active Directory Recovery Mode. This password must be kept confidential: unlike regular domain user passwords, which expire according to the password policy configured for the domain (the default is 42 days), it stays constant and does not expire. This password should be complex and at least 7 characters long. I strongly suggest that you do NOT use the regular administrator's password, and that you write it down and securely store it. Click Next.

  13. In the Summary window review your selections, and if required, save them to an unattend answer file. When satisfied, click Next.

  14. The wizard will begin creating the Active Directory domain, and when finished, you will need to press Finish and reboot your computer.
     Note: You can automate the rebooting process by checking the Reboot on Completion checkbox.

To automate domain controller installations, you can use an answer file or you can specify unattended installation parameters at the command line. More on that in my "Creating an Unattend Installation File for DCPROMO in Windows Server 2008" article.
Note: As written in my "Installing Active Directory on Windows 2008 Server Core" article, configuring a Windows Server 2008 Server Core machine REQUIRES you to perform an automated installation of Active Directory on that server, as there is NO DCPROMO GUI on Server Core.
Your server now acts as a Domain Controller. Make sure you properly back it up. You can test functionality by using AD management tools such as Active Directory Users and Computers, and by examining the Event Logs, services, and the folders and shares that have been created.

Links

AD DS Installation and Removal Step-by-Step Guide
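Added example (not from the article): a DCPROMO unattend answer file for the "new domain in a new forest" scenario walked through above, of the kind the wizard's Summary window can export. The domain name, NetBIOS name and paths are assumed placeholders; the functional-level numbers are dcpromo's own (0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008).

```ini
; Constructed dcpromo answer file (example, not from the article).
; Usage on the prepared server:  dcpromo /unattend:C:\dcpromo-answer.txt
; The file holds the DSRM password in cleartext: create it right before use,
; keep it readable by Administrators only, and delete it once promotion succeeds.
[DCInstall]
; New forest with a new domain, the scenario covered above
ReplicaOrNewDomain=Domain
NewDomain=Forest
; Placeholders: always a full DNS name, never a single-label name
NewDomainDNSName=corp.example.local
DomainNetbiosName=CORP
; Functional levels: 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008.
; A 2008 forest level forces the domain level to 2008 as well; lower both only if
; older DCs must join. Compare with the answer file exported from the Summary
; window if you are unsure of the values for your build.
ForestLevel=3
DomainLevel=3
; First DC in the forest: DNS on this server, global catalog is mandatory,
; and there is no parent zone to delegate from yet
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
; Database, log and SYSVOL paths (defaults shown; large deployments put the
; database and logs on separate disks)
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode password: complex, and distinct from the
; domain Administrator password
SafeModeAdminPassword=<REPLACE-WITH-STRONG-DSRM-PASSWORD>
RebootOnCompletion=Yes
```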

IPv4/IPv6 subnetmask calculation

Well, you all know about calculating network masks and wildcard masks in the IPv4 world. But how do you do it in IPv6? IPv4 has a binary numbering system, but IPv6 is hexadecimal based, and now we have 340282366920938463463374607431768211456 IP addresses. That's the number you will find on the internet; my calculator says just 3,402408308e+38. I multiplied FFFF*FFFF*FFFF*FFFF*FFFF*FFFF*FFFF*FFFF in hexadecimal format and converted it afterwards into decimal.
With IPv4 there are a maximum of 255*255*255*255 addresses, which is 4228250625. Well, do you see the difference? I read that IPv6 has about 1000 addresses for each square centimeter of the earth.
IPv4 has 32 bits in its entire address. This means there are 32 places where there can be a 1 or a 0.
So the binary form of 192.168.10.1 looks like:
11000000 => 192 => 2^7+2^6
10101000 => 168 => 2^7+2^5+2^3
00001010 => 10 => 2^3+2^1
00000001 => 1 => 2^0
And for 192.168.29.2:
11000000 => 192 => 2^7+2^6
10101000 => 168 => 2^7+2^5+2^3
00011101 => 29 => 2^4+2^3+2^2+2^0
00000010 => 2 => 2^1
To calculate the host and network part, you AND the IP address with the subnet mask. If the mask is 255.255.192.0:
11111111 => 255
11111111 => 255
11000000 => 192
00000000 => 0
ANDing the IP address with the mask:
11000000 = 192
11111111 = 255
————
11000000 = 192
10101000 = 168
11111111 = 255
————
10101000 = 168
00011101 = 29
11000000 = 192
————
00000000 = 0
00000010 = 2
00000000 = 0
————
00000000 = 0
So here you will have 192.168.0.0 for the network address. With the mask 255.255.192.0, the last 14 bits are for hosts on the network.
11111111.11111111.11000000.00000000
The network ranges are from 192.168.0.0 – 192.168.192.0
So you have 2 bits for the network and 14 for hosts.
11111111.11111111.00000000.00000000 = 192.168.0.0
11111111.11111111.01000000.00000000 = 192.168.64.0
11111111.11111111.10000000.00000000 = 192.168.128.0
11111111.11111111.11000000.00000000 = 192.168.192.0
Where the network address is for example:
11111111.11111111.01000000.00000000 = 192.168.64.0
The broadcast address is:
11111111.11111111.01111111.11111111 = 192.168.127.255
The first and the last usable hosts in the network are:
11111111.11111111.01000000.00000001 = 192.168.64.1
11111111.11111111.01111111.11111110 = 192.168.127.254
So now you have the IPv6 addressing and how to compute a netmask matching your needs. I did not find anything on the internet about it, so I wrote it down myself. Well, that's not absolutely true; look at the links provided…
The network masks from /64 upwards will be:
FFFF:FFFF:FFFF:FFFF:0000:0000:0000:0000 => /64
FFFF:FFFF:FFFF:FFFF:F000:0000:0000:0000 => /68
FFFF:FFFF:FFFF:FFFF:FF00:0000:0000:0000 => /72
FFFF:FFFF:FFFF:FFFF:FFFF:0000:0000:0000 => /80
FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:0000:0000 => /96
FFFF:FFFF:FFFF:FFFF:C000:0000:0000:0000 => /69
FFFF:FFFF:FFFF:FFFF:8000:0000:0000:0000 => /70
FFFF:FFFF:FFFF:FFFF:4000:0000:0000:0000 => /65
The main thing which is important to understand is that the 16-bit groups (quads) are divided into two 8 bit parts. That means, if you have FF00, this is divided into FF, which is 11111111, and 00, which is 00000000. So each /64 is half of all networks, and the next smaller unsubnetted network begins with /80 and so on, every 16 bits.
Each hex digit of the mask represents a 4 bit value. So adding 1 to a digit means you will have 2^4=16 more networks.
So the smallest subnet mask for, for example, these IPv6 networks:
0001:2001:00EF:0222:0003:0001:EEEA:00AA
0001:2001:00EF:0222:0003:0001:EEEA:001A
——————————————————–
FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFC0 => /121
0001:2001:00EF:0012::/64
0001:2001:00EF:0022::/64
——————————————————–
FFFF:FFFF:FFFF:FF40 => /82
Example 1:
To calculate an access-list mask for two IPv4 addresses that matches both addresses, you AND these addresses. For example:
192.168.1.10.1 and 10.11.2.3
11000000 => 192
00001010 => 10
————
00000000 => 0
10101000 => 168
00000001 => 11
————
00000000 => 0
00001010 => 10
00001011 => 11
————
00001010 => 10
00000001 => 1
00000011 => 3
————
00000001 => 1
The result is an access-list mask of 0.0.10.1 that would match both IP addresses.
The wildcard mask is a logical XOR: 0 XOR 1 = 1, 1 XOR 0 = 1, 0 XOR 0 = 0, 1 XOR 1 = 0. So the result is 1 only where the values differ.
That's:
11000000 => 192
00001010 => 10
————
11111111 => 255
10101000 => 168
00000001 => 11
————
11111111 => 255
00001010 => 10
00001011 => 11
————
11110101 => 244
00000001 => 1
00000011 => 3
————
00000010 => 2
192.168.1.10.1 and 10.11.2.3
Networkmask: 0.0.10.1
Wildcardmask: 255.255.244.2
Example 2:
Another more common example:
192.168.43.132
192.168.45.4
access-list mask:
11000000 => 192
11000000 => 192
——————-
11000000 => 192
10101000 => 168
10101000 => 168
——————-
10101000 => 168
00101011 => 43
00101101 => 45
——————-
00101001 => 41
10000100 => 132
00000100 => 4
—————–
00000100 => 4
The resulting access-list is:
192.168.41.4
The wildcard mask is:
11000000 => 192
11000000 => 192
——————-
00000000 => 0
10101000 => 168
10101000 => 168
——————-
00000000 => 0
00101011 => 43
00101101 => 45
——————-
00000110 => 6
10000100 => 132
00000100 => 4
—————–
10000000 => 128
Wildcardmask 0.0.6.128
192.168.43.132
192.168.45.4
Mask: 192.168.41.4 , Wildcardmask: 0.0.6.128
Example 3:
192.168.32.5
192.168.48.99
11000000 => 192
11000000 => 192
——————-
11000000 => 192
10101000 => 168
10101000 => 168
——————
10101000 => 168
00100000 => 32
00110000 => 48
—————–
00100000 => 32
00000101 => 5
01100011 => 99
—————-
00000001 => 1
Mask: 192.168.32.1
Wildcardmask:
11000000 => 192
11000000 => 192
——————-
00000000 => 0
10101000 => 168
10101000 => 168
——————
00000000 => 0
00100000 => 32
00110000 => 48
—————–
00010000 => 16
00000101 => 5
01100011 => 99
—————-
01100110 => 102
Wildcardmask: 0.0.16.102
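The mask arithmetic above (network, broadcast and host range for an address and mask; the AND "access-list mask" and XOR wildcard of two addresses, run here over the page's Examples 2 and 3) and the IPv6 prefix table, as an added worked example in Python that is not code from the original post. It goes one step beyond the text: summarize_contiguous builds the smallest standard prefix and contiguous wildcard that covers both addresses (what a router ACL normally expects), and ipv6_mask produces the mask for any prefix length so the /nn table above can be checked.

```python
"""Added worked example for the IPv4/IPv6 mask arithmetic discussed above.

Inputs are the page's own examples: 192.168.29.2 with mask 255.255.192.0,
and the address pairs 192.168.43.132 / 192.168.45.4 and 192.168.32.5 /
192.168.48.99. Nothing here is the original author's code.
"""
from ipaddress import IPv4Address, IPv6Network


def ip_to_int(ip: str) -> int:
    return int(IPv4Address(ip))


def int_to_ip(n: int) -> str:
    return str(IPv4Address(n))


def bits(ip: str) -> str:
    """Dotted binary form, e.g. 192.168.29.2 -> 11000000.10101000.00011101.00000010"""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))


def network_info(ip: str, mask: str) -> dict:
    """AND with the mask gives the network; OR with the inverted mask the broadcast.
    First/last usable host are the addresses just inside those two."""
    ip_n, mask_n = ip_to_int(ip), ip_to_int(mask)
    host_bits = 32 - bin(mask_n).count("1")
    network = ip_n & mask_n
    broadcast = network | (0xFFFFFFFF ^ mask_n)
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "host_bits": host_bits,
    }


def and_xor_masks(a: str, b: str) -> tuple[str, str]:
    """The post's per-bit recipe: AND of the two addresses (its "access-list
    mask") and XOR of the two addresses (a 1 wherever the bits differ, used as
    the wildcard). Note the XOR wildcard is not necessarily contiguous."""
    x, y = ip_to_int(a), ip_to_int(b)
    return int_to_ip(x & y), int_to_ip(x ^ y)


def summarize_contiguous(a: str, b: str) -> tuple[str, str, int]:
    """Smallest prefix covering both addresses: every bit from the first
    differing bit downwards becomes a wildcard bit, so the wildcard is
    contiguous. Returns (network, wildcard, prefix_length)."""
    x, y = ip_to_int(a), ip_to_int(b)
    diff = x ^ y
    prefix = 32 - diff.bit_length()   # number of leading bits the two share
    wildcard = (1 << (32 - prefix)) - 1
    network = x & ~wildcard & 0xFFFFFFFF
    return int_to_ip(network), int_to_ip(wildcard), prefix


def ipv6_mask(prefix: int) -> str:
    """Mask for a /prefix in the post's uncompressed FFFF:... notation.
    IPv6Network builds the netmask; exploded() keeps all eight 16-bit groups."""
    return IPv6Network(f"::/{prefix}").netmask.exploded.upper()


if __name__ == "__main__":
    print(bits("192.168.29.2"), network_info("192.168.29.2", "255.255.192.0"))
    for a, b in (("192.168.43.132", "192.168.45.4"),
                 ("192.168.32.5", "192.168.48.99")):
        print(a, b, "AND/XOR:", and_xor_masks(a, b),
              "contiguous:", summarize_contiguous(a, b))
    for p in (64, 65, 66, 68, 72, 80, 96, 121):
        print(f"/{p:<3} {ipv6_mask(p)}")
```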
Source:
http://www.internetworkexpert.com/resources/01700370.htm
http://wiki.linuxquestions.org/wiki/IPv6_deployment:addressing
http://blog.sazza.de/?p=209

OSI Seven-Layer Model

In the 1980s, the European-dominated International Standards Organization (ISO), began to develop its Open Systems Interconnection (OSI) networking suite. OSI has two major components: an abstract model of networking (the Basic Reference Model, or seven-layer model), and a set of concrete protocols. The standard documents that describe OSI are for sale and not currently available online.
Parts of OSI have influenced Internet protocol development, but none more than the abstract model itself, documented in OSI 7498 and its various addenda. In this model, a networking system is divided into layers. Within each layer, one or more entities implement its functionality. Each entity interacts directly only with the layer immediately beneath it, and provides facilities for use by the layer above it. Protocols enable an entity in one host to interact with a corresponding entity at the same layer in a remote host.


The seven layers of the OSI Basic Reference Model are (from bottom to top):

  1. The Physical Layer describes the physical properties of the various communications media, as well as the electrical properties and interpretation of the exchanged signals. Ex: this layer defines the size of Ethernet coaxial cable, the type of BNC connector used, and the termination method.
  2. The Data Link Layer describes the logical organization of data bits transmitted on a particular medium. Ex: this layer defines the framing, addressing and checksumming of Ethernet packets.
  3. The Network Layer describes how a series of exchanges over various data links can deliver data between any two nodes in a network. Ex: this layer defines the addressing and routing structure of the Internet.
  4. The Transport Layer describes the quality and nature of the data delivery. Ex: this layer defines if and how retransmissions will be used to ensure data delivery.
  5. The Session Layer describes the organization of data sequences larger than the packets handled by lower layers. Ex: this layer describes how request and reply packets are paired in a remote procedure call.
  6. The Presentation Layer describes the syntax of data being transferred. Ex: this layer describes how floating point numbers can be exchanged between hosts with different math formats.
  7. The Application Layer describes how real work actually gets done. Ex: this layer would implement file system operations.
The original Internet protocol specifications defined a four-level model, and protocols designed around it (like TCP) have difficulty fitting neatly into the seven-layer model. Most newer designs use the seven-layer model.
The OSI Basic Reference Model has enjoyed a far greater acceptance than the OSI protocols themselves. There are several reasons for this. OSI's committee-based design process bred overgrown, unimaginative protocols that nobody ever accused of efficiency. Heavy European dominance helped protect their investments in X.25 (CONS is basically X.25 for datagram networks). Perhaps most importantly, X.25 data networks never caught people's imagination like the Internet, which, with a strong history of free, downloadable protocol specifications, has been loath to embrace yet another networking scheme where you have to pay to figure out how things work.
And why should we? OSI's biggest problem is that it doesn't really offer anything new. The strongest case for its implementation comes from its status as an "international standard", but we already have a de facto international standard - the Internet. OSI protocols will be around, but their most significant contribution is the philosophy of networking represented by the layered model.
If the Internet community has to worry about anything, it's the danger of the IETF turning into another ISO - a big, overgrown standards organization run by committees, churning out thousands of pages of rubbish, and dominated by big business players more interested in preserving investments than advancing the state of the art.

Wednesday, June 30, 2010

step by step Boot windows 7/2008 from VHD

The post is updated accordingly with the Server 2008 R2 build 7000 commands, and information on how to create/add/attach VHDs using Disk Management.
Windows 7 and Server 2008 R2 supports booting directly from a VHD file, the same kind of files used for Virtual PC/Server and Hyper-V.
This gives you the option to install and handle the installation directly in one simple file, while being able to boot and run the OS just as if it were installed on a regular hard disk.
Also, you should be able to attach these installations to the above products and boot them. I'm just guessing here, I have not tried that yet, but I'll have a go at it.
First you need to create a VHD file. This is done using diskpart, and afterwards you can handle the boot process using bcdedit. The following shows the commands used in 2008 R2 (build 7000) and Windows 7 Beta 1 (build 7000).
If you have Windows 7 installed, boot into the OS and create the VHD file
diskpart
create vdisk file=c:\vhd\win7.vhd type=fixed maximum=16000
This will create a 16GB VHD file in C:\VHD (C:\VHD\ needs to exist prior to running the command).
VHD files can also be managed using a GUI directly from the Disk Management tool: open “Computer Management” and right-click “Disk Management”. You should see the following options:
[Screenshots: Disk Management VHD options, Create VHD, Attach VHD]
After you have created the disk file, boot your machine with the Windows 7 DVD in the drive, and choose "Install Now". Press SHIFT+F10 to get a CMD prompt. You can also choose "Repair" and start the CMD from the tools menu. Run the following to select and attach the VHD file.
diskpart
select vdisk file=c:\vhd\win7.vhd
attach vdisk
NOTE: The command for "surfacing" (crazy name if you ask me...) a VHD file has changed in the 7000 build, and is now called "attach vdisk" instead of "surface vdisk".
If you are running the above commands when installing 2008 R2 Build 6801, the command is "surface vdisk". My guess is that this will also change to attach in coming 2008 R2 builds.
The new Beta 1 release of Server 2008 R2 (Build 7000) now also uses the “attach” command instead of surface.
After you have attached (or surfaced...) the disk, just type exit twice, and you will be back in the installation. When you come to the part where you choose where to install, you should see a 16GB partition. The installation will tell you that you cannot boot off this volume; just ignore that, select the drive and install.
Since Windows 7 supports VHD files, it also knows when it is being installed to a VHD file. Therefore you do not need to add boot entries manually, the installation process takes care of that itself. The bad thing about this is that it makes your VHD installation the default boot option, and the entry name is "Windows 7" - just as it is for a "normal" installation.
Fear not - this can be changed using bcdedit.
When you have booted either the HDD or VHD installation, start a CMD prompt and run bcdedit with the verbose switch (this shows the identifiers as GUIDs, which I find easier):
bcdedit /v
copy the ID for your VHD installation and type: (change xxxxx... to your GUID)
bcdedit /set {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} description "Windows 7 VHD"
The above changes the description of your VHD installation to "Windows 7 VHD" so you can distinguish them.
bcdedit /displayorder {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} /addlast
This adds the VHD installation as the last choice in the boot list. If you have multiple entries, just type them in your preferred order separated by spaces, and drop the /addlast option.
If you want to add an entry for a VHD installation manually, the easiest way is to just copy an entry in the boot store
bcdedit /copy {GUID} /d "my copy"
Afterwards you can change the 2 following options to point to your VHD file:
bcdedit /set {GUID} device vhd=[C:]\vhd\win7.vhd
bcdedit /set {GUID} osdevice vhd=[C:]\vhd\win7.vhd
That's it! I'm running 2x 2008 R2 and 2x Windows 7 installations on my laptop using the above, and it works like a charm.
You can also use the diskpart command for attaching your VHD files. This way you can copy files, change settings and so on in the installation inside the VHD file. Just use the select + attach/surface commands. Remember you cannot attach a running VHD file.

Setup IP Reverse DNS Record in Windows Server 2003

1. Install Microsoft Windows DNS Service

  1. Go to Start > Settings > Control Panel.
  2. Double-click Add/Remove Programs.
  3. Click Add and Remove Windows Components.
  4. The Windows Components Wizard starts. Click Next.
  5. Click Networking Services, and then click Details.
  6. Click to select the Domain Name System (DNS) check box, and then click OK.
  7. Click OK to start server Setup. The DNS server and tool files are copied to your computer.
  8. Continue to the next step to configure the DNS server.

2. Delegate Reverse Lookup Zone

Your upstream provider needs to delegate the reverse DNS lookup zone to your DNS servers. Creating delegated subnetted reverse lookup zones is not a trivial task. The Microsoft article "How to configure a subnetted reverse lookup zone on Windows NT, Windows 2000, or Windows Server 2003" discusses how to configure delegated subnetted reverse lookup zones for a Microsoft Windows DNS server.

3. Create Reverse DNS Record in Your DNS Servers

  1. Log in to your DNS server and start the DNS console at Start > Programs > Administrative Tools > DNS.
  2. Expand Reverse Lookup Zones and click the IP segment that you will set up. If you can't find the IP segment, you should create a new zone for it.
  3. Create a new PTR: right-click the IP segment -> New Pointer (PTR)...
  4. Set the correct parameters for the PTR:
    • Host IP Number: enter the correct IP address.
    • Host Name: the server host name plus the domain name, e.g. CP1001.databasemart.net

configuring radius server using windows server 2008

This will be a basic setup using Windows 2008 Server to allow RADIUS and dot1x authentication. Steps for basic installation include:
  1. Rename the server
  2. Setting server as Domain Controller
  3. Installing Certificate Services
  4. Request Certificates (optional)
  5. Installing Network Policy Services (previously IAS)
  6. Creating Group Policies

Rename The Server

Something different about Windows 2008 Server is that the server name is auto-generated and you are not given a chance during the install to name the server, so you must do so before installing Active Directory or Certificate Services.
In the “Initial Configuration Tasks” window, click the “Provide computer name and domain” link.

Enter a Computer description and click the “Change…” button to change the computer name. I’ll be using WLAN-DC as my name and description.

Enter the Computer name and click “OK” and reboot when prompted.

Setting Server as a Domain Controller

For this example we setup a new forest for the wlan.net domain. Server 2008 abstracts most server function into “Roles” so we’ll be adding the Active Directory Domain Services Role with the Server Manager by clicking “Roles” and clicking “Add Roles.”

Select the Active Directory Domain Services Role.

Click through the confirmation screens and click Install. You should see an installation progress screen and finally an “installation success” message that asks you to run the command “dcpromo.exe”, which will configure your domain. So click the link to run “dcpromo” or click the “Start” button, select “Run” and enter “dcpromo.exe”. You should now see the “Active Directory Domain Service” install wizard. Click “Next” to continue.

Choose “Create a new domain in a new forest” and click “Next”.

For our example domain we’ll use “wlan.net”. Click “Next” and it will check to see if the name is already used on the network.

When asked to set which “Forest Functional Level” I used the 2008 level.

The next screen you'll see is a warning that the DNS service isn't installed; it will offer to install it for you. Just click “Next” to accept and install.

It will display the following warning, just click “Yes” to continue.

Just accept the defaults and click “Next”.

Now you’ll be prompted to enter a “Directory Services Restore Mode Administrator Password”. Enter a password and click “Next”.

Click “Next” at the Summary screen.

You’ll now see the Installation Wizard install DNS and Active Directory. Check the “Reboot on completion” box and once the wizard finishes it’ll reboot and be ready for the next step.

Installing Certificate Services

To enable PEAP or EAP-TLS we’ll need to install Certificate Services to enable a Certificate Authority (CA) to generate and sign certificates for our domain. Again, add a Role via the Server Manager and select “Active Directory Certificate Services” and click “Next”.

Click through the confirmation screen and select “Certification Authority” and “Certificate Authority Web Enrollment”, which will tell you that IIS needs to be installed to use “Certificate Authority Web Enrollment”. Click “Add Required Role Services” and click “Next” to continue.

When prompted for which type of Certificate Authority to install, choose “Enterprise”.

When prompted for CA Type, select “Root CA” and click “Next”.

When prompted to Set Up Private Key select “Create a new private key” and click “Next”.

When prompted to Configure Cryptography for CA, accept the defaults and click “Next” for the rest of the confirmation screens.

Request Certificates (optional)

Now that we have our Certificate Authority (CA) up and running we may want to request a certificate for our Authentication Server.
We’ll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the “Start” button and enter “MMC” in the command field to open the MMC. Next we’ll add the Certificate (For Local Computer) snap-in by clicking “File” and choosing “Add/Remove Snap-in”. Select “Certificates” and click “Add”.

Now be sure to select “Computer Account” and click “Next”.

Choose “Local Computer”, click “Finish” and “OK”.

TIP: While you’re here you might as well add the “Certificate Authority” snap-in and save this MMC to your desktop because you’ll need it again in the future.
To request a certificate for your server (if you don’t want to use the default certificate) expand “Certificates (Local Computer Account)”, “Personal”, and right-click “Certificates” and select “All Tasks”, “Request New Certificate…”

Click through the Enrollment screens choosing the settings you desire for your certificate.

Installing Network Policy and Access Services

In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which now include everything from earlier versions of Windows server such as RRAS/IAS/etc,… but now includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager and “Add a Role” selecting “Network Policy and Access Services” and click through the confirmation screen.

Select “Network Policy Server”, “Routing and Remote Access Services”, “Remote Access Service” and “Routing”. Click “Next”, click through the confirmation screen and click “Install”.

Installation will take a couple of minutes and present you with an install summary. Just click “Close”.
Now that NPS is installed, press the “Start” button and enter “nps.msc” in the command field. The NPS MMC should open up allowing you to select the “RADIUS server for 802.1X Wireless or Wired Connections” Installation Wizard from the “Standard Configuration” pull-down menu and click “Configure 802.1X”.

From the “Select 802.1X Connections Type” page, select “Secure Wireless Connections” and click “Next”.

From the “Specify 802.1X Switches” screen click “Add…” and enter the settings for your Aruba controller and press “OK”.

For the “Configure an Authentication Method” screen select “Microsoft Smart Card or other certificate” for EAP-TLS or “Microsoft Protected EAP (PEAP)” for PEAP. I will be selecting PEAP for this example and click “Configure…”

Select the appropriate certificate to use for this server. In this case we’ll use the “WLAN-DC.wlan.net” certificate and click “OK”.

For the “Specify User Groups” screen select the users and/or groups you would like to allow wireless access. For this example I am allowing all of my domain users by selecting the “Domain Users” group. If I want to enforce Machine Authentication I need to add the “Domain Computers” group as well as checking the “Enforce Machine Auth” option in the dot1x policy on my Aruba controller. Click “Next” to continue.
Note: Groups listed here are considered as an OR statement.

For the next screen you can click “Next” and “Finish” or click “Configure…” to add RADIUS attributes for Server Derivation rules.

For example, you may want to map the “Domain Users” to the “employee_role” on your Aruba controller. You could do that here with the “Filter-Id” attribute.

Note: There seems to be a bug in Windows: if you mess with these attributes too much, the “Filter-Id” attribute vanishes. If this happens, cancel out of the wizard and start over.
Press “Next” and “Finish” to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server.