
Overview - classes.ischool.syr.edu - /classes.ischool.syr.edu/ist346/Content/lab-namspaces... ·...

Date post: 28-Jul-2019
Upload: phamxuyen

IST346: Lab Last Update: 10/7/2010 12:38 PM

LAB – NAMESPACES, ACTIVE DIRECTORY, DNS

OVERVIEW

In this lab you will configure the computers in your virtual machine network to use Active Directory. With the computers and users being managed by Active Directory, you will no longer need to create the same user accounts on each computer on your network. Through Active Directory you will discover how namespaces and DNS are applied in practice.

LEARNING OBJECTIVES

Upon completion of this lab, you should be able to:

- Install and configure Windows Active Directory and the DNS service.
- Understand how DNS works and how to add hosts to DNS.
- Configure your Windows computers to join the Active Directory domain.

LAB BREAKDOWN

This lab consists of 4 parts:

1. Lab overview and the namespace plan
2. Prepare the network for Active Directory’s DNS
3. Learn more about DNS
4. Bind the Win7 virtual machine to Active Directory

REQUIREMENTS

Before you start this lab you will need:

1. These virtual machines:
   a. Win2008 (Windows Server 2008) – acting as a server
   b. Centos5 (Centos Linux 5) – acting as a server
   c. Win7 (Windows 7) – acting as a workstation

2. Start up the Win2008, Centos5 and Win7 virtual machines:
   a. Logon to Win2008dc as Administrator (the account with the most access on the Windows platform)
   b. Logon to Centos5 as root (the account with the most access on a *nix platform)
   c. Logon to Win7 as user (a non-privileged account)
   d. Remember, in all cases, the password is SU2orange!


PART 1 – LAB OVERVIEW AND THE NAMESPACE PLAN

OVERVIEW

IMPORTANT INFORMATION – PLEASE READ!

The goal of this lab is to install and configure Microsoft Active Directory on our virtual machine network. In order to do this, we must host our own DNS service on our network. If you recall, the DNS service resolves names to IP addresses and is a key factor in making the Internet usable. For example, when you want to search the web you enter http://www.google.com; you don’t enter http://66.249.81.104. Without DNS we’d have to consume services by IP address rather than by name! U-G-L-Y!

Up until this point we have been exposing services by IP address or hostname. For example, in a previous lab you set up the SMB protocol on Linux and Windows. To access the remote file share we needed to know the IP address of the Windows 2008 and Linux computers. This is not how services are configured in the real world, where we use names to represent the service. Names make services easier to identify, remember, and troubleshoot.

NAMESPACE PLAN

You’re building this Active Directory setup for a company known as fauxco.com. Active Directory provides a unified account store for both users and computers. This means a user is created one time but can log-on to any domain-bound computer with that account. This is a good thing because without it we’d have to create the same account on each workstation!

Here’s our namespace plan: (Nothing to do at this point but simply review the plan.)

DOMAIN CONTROLLER CONFIGURATION

Domain Controller: Win2008
IPv4 Address of Active Directory / DNS Domain Controller: 192.168.80.10
Active Directory Domain: ad.fauxco.com

WORKSTATION CONFIGURATION

Workstations: win7 (etc…)
Name of a Workstation (on domain): win7.ad.fauxco.com

PART 2 - SETUP ACTIVE DIRECTORY IN THE WIN2008 VM

INSTALLING ACTIVE DIRECTORY DOMAIN SERVICES

Now it is time to install Active Directory. This process is fairly straightforward. From the Win2008 virtual machine:


1. Let’s verify the computer name is what we want. Open the Server Manager utility from the Start menu. The server name should be WIN2008, like so. The IP address should be 192.168.80.10; this is also important because the other computers in our network will use this computer for DNS.

2. Use the Add Roles wizard in the Server Manager utility to set up Active Directory Domain Services. Click Roles → Add Roles, then select Active Directory Domain Services, like so:

Click Next and follow the dialogs. Be sure to read the information on the dialogs as it’s quite informative! Also, you might need to know this information for a quiz or exam.

3. When ready, click Install. The server will be configured for Active Directory. All that is being done at this point is setting up the required software.

4. After the configuration is complete, click close.

PROMOTING THIS SERVER TO A DOMAIN CONTROLLER – DCPROMO

In this next section we will run the DCPromo utility to configure this server to run as a domain controller. This process will configure DNS and the other utilities required by Active Directory.

1. Run dcpromo.exe (click Start and type dcpromo, then click on the dcpromo icon). This will promote this server to a domain controller.


2. Dcpromo.exe starts a wizard to walk you through the process:

3. Do NOT choose advanced mode; click Next.

4. Next you will see an information dialog concerning compatibility with older versions of Windows. After reading the information, click Next.

5. From the deployment configuration screen, click the radio button to Create a new domain in a new forest. This is the simplest method for configuring Active Directory.

When you’re ready, click Next.

6. For the FQDN of the Forest Root Domain, enter the name ad.fauxco.com and then click Next. Windows will check DNS to make sure the domain isn’t already in use.


When ready, click Next.

7. Set the forest functional level to Windows Server 2008. This will provide the most current set of features for our environment.

When ready, click next.

8. Windows will investigate your current DNS configuration. When asked about additional domain controller options, check the DNS server checkbox, and when you’re ready, choose Next.

9. You will see the following warning message:

10. Select Yes, the computer will use a dynamically assigned IP address.

11. You will see the following warning message:

This message is informing you that the domain fauxco.com is not an “official” registered DNS name. Since we will only use fauxco.com for our internal network of virtual machines, this is sufficient. Select yes.


12. For the locations of the database, log files and system volume, keep the defaults and click Next.

13. IMPORTANT! For the restore mode password, enter SU2orange! and click Next. We will need this password should we ever wish to uninstall Active Directory or recover from a serious error. In real life this would be a different password, but for the sake of simplicity make it the same password used by all accounts in the labs.

14. At the summary screen click Next (for the last time) to begin the configuration process.

15. As the final step in the process, everything will be configured; you can watch the progress from this dialog:

As the process continues, check reboot on completion. Once everything is configured, your Win2008 virtual machine will reboot.

LOVE AT FIRST BOOT… (I <3 U ACTIVE DIRECTORY!)


After your Win2008 server restarts, you will notice the logon prompt looks a little different. (It now says AD\Administrator, which means you are logging in as the Domain Administrator.)

1. At this screen, logon with the same password SU2orange!

2. In Server Manager, the Full Computer Name should now be win2008.ad.fauxco.com

3. As a last step we should make sure DNS is working on our domain controller. If it is, then we’re in good shape! The FQDN (fully qualified domain name) for computers on our domain should be computer name + domain name, so for example the FQDN of the Win2008 virtual machine should be Win2008.ad.fauxco.com. To put this information in context with this week’s lecture, the FQDN is a hierarchical namespace that is globally unique.

4. From the command prompt on Win2008 type:

ping -a 192.168.80.10

(The -a will resolve the IP address to its DNS name. We call this a “reverse lookup.”) You should see output like the following:

5. You can also perform a forward lookup, type:

nslookup Win2008.ad.fauxco.com

and you should see:

6. If both the ping and nslookup commands are working, then you’ve got everything working properly. Time to move on!

CREATING A DOMAIN USER ACCOUNT


As I alluded to earlier, one benefit of a directory service such as Active Directory is that the objects you add to the directory can be used by all of the computers bound to the directory. For example, in this next part we will create a user account called testing, which we will use to logon to the Win7 virtual machine in a subsequent step.

Let’s create a user in Active Directory.

1. From the command prompt, create a new user, testing, with password SU2orange!.

c:\users\Administrator> net user testing /add *

then enter the password SU2orange! twice:

2. Now let’s check out how you can manage users, computers and groups in Active Directory from the GUI. From Server Manager, open Roles → Active Directory Domain Services → Active Directory Users and Computers. This is the primary utility for managing the entries in Active Directory.

3. Double-click on ad.fauxco.com to open the domain, and then double-click on the Users folder. You should see the testing user you created (along with several other built-in domain users and groups).


Use of this graphical tool is fairly straightforward, and it is interesting to know the command line commands have a graphical counterpart.

PART 3 – DNS AND ACTIVE DIRECTORY

A key technical requirement of Active Directory is the DNS service. As you already know, DNS is responsible for name to IP address resolution. This section will explore the DNS service in greater detail.

VERIFY THE DNS CLIENT ON THE WIN7 COMPUTER

First let’s make sure the Win7 virtual machine can talk to our new DNS server and the ad.fauxco.com domain.

1. From the win7 virtual machine open a command prompt.

2. From the command prompt, see if you can resolve the domain, type:

nslookup ad.fauxco.com

3.


4. In addition, you should be able to ping Win2008, type:

ping win2008.ad.fauxco.com

5. And finally you should still be able to access the internet, too:

ping www.syr.edu

6. If both resolve properly, then you are in good shape.

THE DNS SERVER (AKA. AN IMPORTANT TEACHING MOMENT REGARDING OUR DNS SETUP.)

How does step nslookup work? I mean, I understand how our Win2008 DNS service can resolve ad.fauxco.com domains, but how can it ALSO resolve real domains? Well, our DNS server was set up as a forwarder, which means that when the DNS service running on Win2008 (192.168.80.10) cannot resolve a name (like www.syr.edu), it forwards the request to its DNS server, 10.1.1.1 (part of Lab Manager). Any queries which are forwarded are then cached on the Win2008 DNS server for future use.

In techno-speak, ad.fauxco.com is called an Intranet because it is only available inside the Fauxco “corporate” network.

Wanna see it in action? Of course you do! For a brief but important tangent, go back to Win2008.

1. Switch back to the Win2008 virtual machine.

2. Inside the Server Manager utility, under Roles open the DNS server role. Select DNS.


3. Double-click on WIN2008

4. From the menu, select View → Advanced. You should now see a Cached Lookups folder, like so:

and inside the Cached Lookups folder, if you keep double-clicking you should be able to navigate to (root) → edu → syr → www. Like this:

5. The DNS cache represents a copy of all of the name-to-IP address lookups which were asked of this DNS server (192.168.80.10) and then forwarded to the next server (10.1.1.1). Once a DNS server resolves the name to an IP address, that record is stored in the DNS cache on 192.168.80.10. This ensures future requests can be handled by the same server (192.168.80.10), thereby speeding up the name resolution process. DNS caching is a blessing and a curse. It’s a blessing because it speeds things up; it’s a curse because if you change a DNS record you have to wait a while before that change propagates through all of the cached DNS servers on the internet!
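
The forwarding and caching behaviour described above, as an added example that is not part of the original lab handout: a small Python model (not real DNS code) of a server that is authoritative for ad.fauxco.com, forwards other names to an upstream server, and caches the answers until their TTL expires. The class names, the 192.0.2.x addresses and the 300-second TTL are assumptions made for the illustration.

```python
# Added illustration: a toy model of the Win2008 DNS server, not real DNS code.
# The upstream addresses and the 300-second TTL are constructed sample values.

class FakeClock:
    """Deterministic clock so TTL expiry can be shown without sleeping."""
    def __init__(self):
        self.now = 0
    def advance(self, seconds):
        self.now += seconds

class Upstream:
    """Stands in for the forwarder target (10.1.1.1 in the lab)."""
    def __init__(self, records):
        self.records = dict(records)      # name -> (ip, ttl_seconds)
        self.queries = 0                  # how many lookups left our network
    def resolve(self, name):
        self.queries += 1
        return self.records.get(name)

class ForwardingServer:
    """Authoritative for one zone, forwards and caches everything else."""
    def __init__(self, zone, upstream, clock):
        self.zone, self.upstream, self.clock = zone.lower(), upstream, clock
        self.hosts = {}                   # A records added via "New Host"
        self.cache = {}                   # name -> (ip, expires_at)

    def add_host(self, host, ip):
        self.hosts[f"{host}.{self.zone}".lower()] = ip

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name == self.zone or name.endswith("." + self.zone):
            # Names in our own zone are answered locally and never forwarded.
            ip = self.hosts.get(name)
            return (ip, "authoritative") if ip else (None, "nxdomain")
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock.now:
            return (hit[0], "cache")      # may be stale until the TTL runs out
        answer = self.upstream.resolve(name)
        if answer is None:
            self.cache.pop(name, None)
            return (None, "nxdomain")
        ip, ttl = answer
        self.cache[name] = (ip, self.clock.now + ttl)
        return (ip, "forwarded")

def demo():
    clock = FakeClock()
    upstream = Upstream({"www.syr.edu": ("192.0.2.10", 300)})
    dns = ForwardingServer("ad.fauxco.com", upstream, clock)
    dns.add_host("win2008", "192.168.80.10")
    dns.add_host("centos5", "192.168.80.11")
    results = [
        dns.resolve("centos5.ad.fauxco.com"),   # local zone
        dns.resolve("www.syr.edu"),             # first lookup is forwarded
        dns.resolve("www.syr.edu"),             # second comes from the cache
    ]
    upstream.records["www.syr.edu"] = ("192.0.2.20", 300)  # record changes
    clock.advance(299)
    results.append(dns.resolve("www.syr.edu"))  # still the old, cached answer
    clock.advance(2)
    results.append(dns.resolve("www.syr.edu"))  # TTL expired, new answer
    results.append(dns.resolve("nosuchhost.ad.fauxco.com"))
    return results, upstream.queries

if __name__ == "__main__":
    answers, forwarded = demo()
    for answer in answers:
        print(answer)
    print("queries sent upstream:", forwarded)
```

Only two queries reach the upstream server in this run: names under ad.fauxco.com, including ones that do not exist, are answered locally and never leave the internal network.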

ADDING A DNS RECORD

In this next step, we will add a DNS record for our Centos5 Linux virtual machine. Once we add the record we’ll go back to Win7 and see if we can get it to resolve properly.

1. From the DNS utility in the Server Manager window of Win2008, double-click on Forward Lookup Zones. You should see two zones:

2. We would like to add a record to the domain ad.fauxco.com so double-click on that zone. You should see the following:

3. From the menu, choose Action → New Host. The New Host dialog appears. Enter centos5 for the name, and 192.168.80.11 for the IP address. When you’re ready, click Add Host.

4. You should now see a new A record for centos5:

5. Now let’s test our new entry. Go back to the Win7 virtual machine.

6. Open a command prompt, and type:

ping centos5.ad.fauxco.com

You should see this output:

If you do, then your DNS record is set up correctly (and your Centos5 VM is powered on, too).


PART 4 - BIND THE WIN7 VIRTUAL MACHINE TO ACTIVE DIRECTORY

The directory service is only useful if computers bind to the directory for user and group information. In this final phase we will bind the win7 virtual machine to our ad.fauxco.com domain. When we do this we will be able to logon to the win7 computer using the testing account we created in Active Directory, rather than the accounts which are local to the computer. This is a huge benefit and the primary means by which organizations scale support of 100’s or 1,000’s of computers.

BINDING THE WIN7 COMPUTER TO THE AD.FAUXCO.COM DOMAIN

To bind the Win7 computer to the ad.fauxco.com domain:

1. Back at win7, click on Start → Control Panel → System and Security → System → Advanced System Settings

2. You should see this dialog:

Click on the Computer Name tab.


3. You should see this dialog:

Click on the Change… button.

4. The Computer Name dialog appears; from here you can select Domain and then enter ad.fauxco.com for the domain name.

Select Ok when you’re done.


5. You will be asked to authenticate to the Active Directory domain.

Logon with the Domain account Administrator with password SU2orange!

6. If you are successful, you should see this message:

Click Ok and you will be asked to restart the computer; click Ok to restart. Close all open windows and restart Win7.

7. When the logon screen appears, let’s try to logon with a Domain Account.

Click the Switch User button.

8. Click the Other User button and you will see the AD logon. Logon as user testing with password SU2orange!


9. If you can logon successfully, then you’ve now bound the win7 computer to the Active Directory domain on win2008. This means the directory trusts the win7 computer and users can now logon with domain accounts!

ONE MORE TRIP BACK TO WIN2008

If you go back to our domain controller, you can see the bound computer in the directory (and in DNS if you like).

1. Go back to Win2008 and to the Active Directory Users and Computers utility.

2. Click on the Computers folder. You should see the Win7 computer. If you do not, click on the “Refresh” icon to get a fresh copy from the directory.

3. You should see the following:

4. If you navigate down to the DNS Server and look for forward lookup zones under ad.fauxco.com you should see the DNS Host entry for win7 along with its IP address (again, if you don’t, click refresh).

5. Neato. When you add a computer to the domain, the DNS record is updated automatically. The computer name is used as the host record in DNS!


LAST PART – GETTING THE LAB CHECKER SCRIPT WORKING

This lab is handed in using the provided lab-checker script. This lab checker will execute from your Win2008 computer. Here are the instructions:

ONETIME PRE-SCRIPT SETUP

The script is designed to be run from your Win2008 virtual machine. You will need to install PowerShell. Make sure you are logged on as the Domain Administrator.

1. From Win2008 open Server Manager

2. Click on Features then Add Features

3. Select the Windows PowerShell feature, click Next. Click Install.

4. Click on Start → Run. Type in PowerShell and click on Windows PowerShell.

5. At the Blue PowerShell prompt, type set-executionpolicy unrestricted

6. At the Blue PowerShell prompt, type get-executionpolicy and make sure it returns Unrestricted

EXECUTING THE SCRIPT

1. Make sure all the virtual machines you used in the lab are powered on and working properly.

2. Download the script: open Internet Explorer, visit http://classes.ischool.syr.edu/ist346/, right-click on the script, choose “save target as” and save it to your documents folder.

3. Open a PowerShell command prompt. (A different one from the one-time setup.)

4. Move into the documents folder (where you stored the script), type: cd documents

5. Execute the script by typing .\L02.ps1

6. When you think you’ve got it correct, email the lab to yourself and it will cc your instructor.
