Internal Use

Installation Procedure: Installation Guide

MoFA Active Directory Perimeter zone

Installation Guide

Abstract / This document describes how to set up the MoFA Active Directory for the perimeter zone.
Document Reference
Document Type / Installation Procedure
Version / 1.0
Classification / Internal Use
Status / DRAFT
Date of Issue / 5th December 2012
File Location / IT Operation team sharepoint
# Pages / 4
Produced by / Benoît Lejoly
Reviewed by / Mohammed Al Gannam
Authorized by / Fatih Bekir Kihtir; Majid Al Mirzam

Table of contents

1. Introduction
1.1 Intended audience
1.2 Sources
1.3 Change history
1.4 Forecast changes
1.5 Abbreviations / Glossary
2. Installation Prerequisite(s)
2.1 Reader's guide
2.2 Hardware
2.2.1 Disk Space Requirement
2.2.2 HW requirements (If applicable)
2.3 Software
2.3.1 Software OS Prerequisites (Mandatory)
2.3.2 Software dependencies (If applicable)
2.3.3 Out of Scope
2.3.4 Software Support lifecycle (Mandatory)
2.3.5 Software Sources (Mandatory)
2.4 Other prerequisites
3. Installation guide
3.1 Installation Variables (Mandatory)
3.2 Build details
3.2.1 Production Environment
3.2.2 Non-Production Environment
3.3 Installation Steps
3.3.1 Production environment: Build process overview
3.4 First DC Installation
3.4.1 Installation options
3.4.2 Installation steps
3.4.3 Installation validation
3.5 Install Additional Domain Controller
3.5.1 Installation options
3.5.2 Installation steps
3.5.3 Installation validation
3.5.4 DNS Configuration on the first Domain Controller
3.6 Top Level OU creation
3.6.1 Installation Options
3.6.2 Installation steps
3.6.3 Installation validation
3.7 Create the sub-level OUs
3.7.1 Installation options
3.7.2 Installation steps
3.7.3 Installation validation
3.8 Create Groups
3.8.1 Installation Options
3.8.2 Installation execution
3.8.3 Installation validation
3.8.4 Rights configuration
3.8.4.1 P_PRM_L_ExtGroupsMgmt_Read
3.8.4.2 P_PRM_L_ExtGroupsMgmt_Write
3.8.4.3 P_PRM_L_ExtUsersMgmt_Read
3.8.4.4 P_PRM_L_ExtUsersMgmt_Write
3.9 Apply GPO adapted for Perimeter network settings

Table of Figures

Figure 1: MOFA.WEB Production Forest overview
Figure 2: NPMOFA.WEB Production Forest overview
Figure 3: Installation flow process

1. Introduction

1.1 Intended audience

This document covers the installation of the Perimeter zone Active Directory and is intended to be used by the MoFA Wintel Operational team.

The goal of this document is to give the reader all the information needed to successfully install the new Active Directory forests and the ADMT servers.

1.2 Sources

[1]:Active Directory DMZ Design v1.0.docx

[2]:

[3]:

1.3 Change history

Version / Nature of change / Date
01.00 / First version / 05/12/2012

1.4 Forecast changes

Version / Nature of change / Date

1.5 Abbreviations / Glossary

Abbreviation / Full text
AD / Active Directory
DNS / Domain Name Server
GPO / Group Policy Object

2. Installation Prerequisite(s)

2.1 Reader's guide

This document describes the installation of Microsoft Active Directory Domain Services (AD DS).

For each component, the installation guide contains 3 subchapters:

  • Installation Options: the options needed to deploy the component
  • Installation Steps: defines the main steps and sub-steps
  • Installation Validation: how to validate the installation of the component

If a package is needed for an installation, it is assumed that sources will be copied locally on the machine where you want to install.

2.2 Hardware

2.2.1 Disk Space Requirement

Server requirements for the domain controllers are described in the Perimeter Active Directory Design document, referenced as [1].

As a summary, the table below shows what is needed for each domain controller:

Size / Disk and purpose / Disk Type (Virtual/Physical)
40 GB / System Disk (C:) – Contains mainly the OS / Virtual
10 GB / Data disk (D:) / Virtual
10 GB / Swap disk (S:) / Virtual
10 GB / Logs disk (L:) / Virtual
CD/DVD / Z: / Virtual

2.2.2 HW requirements (If applicable)

Hardware requirements are also defined in the Perimeter Active Directory Design document [1], in the chapter “Domain Controller System Configuration”.

2.3 Software

2.3.1 Software OS Prerequisites (Mandatory)

This installation procedure must be executed on the following Operating System:

  • Windows 2008 R2 SP1

This operating system must be patched to the latest level made available by Microsoft. Run Windows Update or any patch deployment software prior to executing this installation.

2.3.2 Software dependencies (If applicable)

This installation procedure requires the following components to be installed prior to the software installation:

-

-

2.3.3 Out of Scope

The following items are out of scope:

  • The antivirus installation and configuration, as it will follow the System Center deployment in the perimeter zone.
  • The installation and configuration of the monitoring, as this step is part of the deployment of the System Center platform. Specific monitoring requirements have however been described in the Active Directory Design document [1].
  • The Windows base operating system installation, as it will follow the current MoFA installation standards.
  • AD backups: appropriate recommendations have been made in the Active Directory Design document [1]. The backup strategy will be defined by the MoFA.

2.3.4 Software Support lifecycle (Mandatory)

The products whose installation is described in this document are part of the Operating System and therefore follow the same support lifecycle as the Operating System itself. Refer to your Microsoft Premier support contract to validate the current OS support dates and any extensions that might be signed by the MoFA.

2.3.5 Software Sources (Mandatory)

All sources needed for this procedure are built into the operating system. No additional software is required during the setup.

2.4 Other prerequisites

Prior to starting the build process, make sure that the following prerequisites are covered:

  • The user used for the installation has local administrative rights on the target servers where the setup will be executed
  • All IP addresses are known and the servers are configured with fixed IPs
  • Both machines can fully communicate with each other without firewall restrictions
  • The latest Microsoft patches have been deployed on the machines
  • An antivirus installation is scheduled after this setup (as we are in the perimeter zone and these machines are first needed to set up the System Center platform)
  • Scripts and answer files are copied locally on each machine

3. Installation guide

3.1 Installation Variables (Mandatory)

Variable / Value per environment / Comment
Variable 1
Variable 2
Variable 3 / Value Z / Applicable to all environments

3.2 Build details

3.2.1 Production Environment

The picture below provides an overview of what needs to be built:

Figure 1: MOFA.WEB Production Forest overview

The following server roles will be installed on both machines:

Role Name / Installed Components / Notes
Domain Controller / Microsoft Windows Server 2008 R2 SP1; Microsoft Active Directory Domain Services; Microsoft DNS Server / Identical roles will be installed on both machines. Due to AD-specific constraints, some internal AD key roles will be hosted on RUH-DCDMZ-01.

The table below provides the details for the installation itself:

Server name / IP details / Notes
RUH-DCDMZ-01 / IP: TO BE COMPLETED; Netmask: TO BE COMPLETED; Gateway: TO BE COMPLETED; Primary DNS: RUH-DCDMZ-01; Secondary DNS: RUH-DCDMZ-02 / A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
RUH-DCDMZ-02 / IP: TO BE COMPLETED; Netmask: TO BE COMPLETED; Gateway: TO BE COMPLETED; Primary DNS: RUH-DCDMZ-02; Secondary DNS: RUH-DCDMZ-01 / A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.

3.2.2 Non-Production Environment

The picture below provides an overview of what needs to be built for the Non-Production environment:

Figure 2: NPMOFA.WEB Production Forest overview

The following server roles will be installed on both machines:

Role Name / Installed Components / Notes
Domain Controller / Microsoft Windows Server 2008 R2 SP1; Microsoft Active Directory Domain Services; Microsoft DNS Server / Identical roles will be installed on both machines. Due to AD-specific constraints, some internal AD key roles will be hosted on RUH-DCDMZ-01.

The table below provides the details for the installation itself:

Server name / IP details / Notes
RUH-TDCDMZ-01 / IP: TO BE COMPLETED; Netmask: TO BE COMPLETED; Gateway: TO BE COMPLETED; Primary DNS: RUH-TDCDMZ-01; Secondary DNS: RUH-TDCDMZ-02 / A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
RUH-TDCDMZ-02 / IP: TO BE COMPLETED; Netmask: TO BE COMPLETED; Gateway: TO BE COMPLETED; Primary DNS: RUH-TDCDMZ-02; Secondary DNS: RUH-TDCDMZ-01 / A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone. This VLAN must be different from the production VLAN.

3.3 Installation Steps

3.3.1 Production environment: Build process overview

The diagram below provides an overview of the perimeter forest build process:

Figure 3: Installation flow process

  • Items in blue must be done only once.
  • Items in yellow might be done repetitively to create multiple objects.

3.4 First DC Installation

This section explains how to install the first domain controller of the environment using the different provided scripts.

3.4.1 Installation options

The variables described below are part of the “unattended_firstDC.xml” file. Check the values contained in the answer file and, if they are not aligned with this document, align them prior to using the script (italic text must not be in the answer file). Note that the answer file has a different configuration for Production and Non-Production.

Variable Name / Variable Value
ReplicaOrNewDomain / Domain
NewDomain / Forest
NewDomainDNSName / Production: MOFA.WEB
Non-Production: NPMOFA.WEB
ForestLevel / 4
DomainNetbiosName / Production: MOFAWEB
Non-Production: NPMOFAWEB
DomainLevel / 4
InstallDNS / Yes
ConfirmGc / Yes
CreateDNSDelegation / No
DatabasePath / D:\NTDS
LogPath / L:\NTDS
SYSVOLPath / C:\windows\sysvol
SafeModeAdminPassword / **********
RebootOnCompletion / Yes

3.4.2 Installation steps

Log on to the future first domain controller. In our example, we take “RUH-DCDMZ-01” as reference. Check that your user is a member of the local Administrators group of the machine.

Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Create a folder called “setup” at the root of the “C:” drive:

Copy all installation scripts into this folder.

In the PowerShell window, set the working location to “C:\Setup” and type the following command at the PowerShell prompt: powershell.exe “.\MoFA-Add-ADDS-Role.ps1”

Type “R” if prompted to run the script:

Wait for the end of the script execution:

Once the script has finished, you should get this screen:

Now type the following command at the PowerShell prompt: “dcpromo.exe /unattend:C:\setup\unattended_firstDC_Prod.txt” and press Enter:

The Active Directory installation should start. Wait until the installation has completed. This operation can take some time; be patient.

Once the installation is completed, the server restarts by itself. Once the machine has restarted, log on again to the server:

Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Set the PowerShell working location back to “C:\Setup” and, at the prompt, type powershell.exe “.\RenameDefaultSite.ps1” and press Enter:

The script execution result will look something like this:

We have successfully installed the first Domain Controller. Repeat the same operation with the adapted scripts (called NONPROD) for the Non-Production environment.

3.4.3 Installation validation

Log on to the server with an administrative account:

In Server Manager, validate that the AD DS and DNS roles have been added.
Note: the DNS role is added automatically during the dcpromo.exe execution.

In Active Directory Sites and Services, validate that the Default-First-Site-Name site has been renamed to MoFA-Riyadh-HQ:

3.5 Install Additional Domain Controller

This chapter describes the steps to follow to add a domain controller to the MOFA.WEB forest. For the current build, only one additional domain controller will be added.

The MoFA can reuse this chapter later, when additional domain controllers need to be added to the forest.

3.5.1 Installation options

This section details the variables in the configuration file that are most likely to change when executing the scripts.

Configuration variables to verify in unattended_additionalDC.txt: if a value is not aligned with the value in this document, update the file.

Variable Name / Variable Value
ReplicaOrNewDomain / Replica
ReplicaDomainDNSName / MOFA.WEB
SiteName / MoFA-Riyadh-HQ
InstallDNS / Yes
ConfirmGc / Yes
CreateDNSDelegation / No
UserDomain
UserName / Administrator
Password / *(put the correct password)
DatabasePath / D:\NTDS
LogPath / L:\NTDS
SYSVOLPath / C:\windows\sysvol
SafeModeAdminPassword / *(put the correct password)
RebootOnCompletion / Yes

You have to fill in password fields prior to using the unattended file.
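As an added example (not one of the MoFA scripts), the following PowerShell pre-flight check reads a dcpromo answer file and compares it with the expected values of sections 3.4.1 and 3.5.1 before dcpromo.exe is run, flagging any password field still holding the masked placeholder. It assumes the INI-style layout dcpromo consumes (a [DCInstall] header followed by Key=Value lines) and that the Non-Production additional DC joins NPMOFA.WEB.

```powershell
# Added example, not one of the MoFA scripts: pre-flight check of a dcpromo
# answer file against the values of sections 3.4.1 and 3.5.1. Assumes the
# INI-style layout dcpromo reads ([DCInstall] header, then Key=Value lines).
function Read-DcpromoAnswerFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    $values = @{}
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        # skip blank lines, comments and the [DCInstall] section header
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('[')) { continue }
        $parts = $line -split '=', 2
        if ($parts.Count -eq 2) { $values[$parts[0].Trim()] = $parts[1].Trim() }
    }
    return $values
}
function Get-ExpectedDcpromoValues {
    param([string]$Role, [string]$Environment)
    $forest = if ($Environment -eq 'Production') { 'MOFA.WEB' } else { 'NPMOFA.WEB' }
    $expected = @{ InstallDNS = 'Yes'; ConfirmGc = 'Yes'; CreateDNSDelegation = 'No'
                   DatabasePath = 'D:\NTDS'; LogPath = 'L:\NTDS'
                   SYSVOLPath = 'C:\windows\sysvol'; RebootOnCompletion = 'Yes' }
    if ($Role -eq 'FirstDC') {
        $expected.ReplicaOrNewDomain = 'Domain'; $expected.NewDomain = 'Forest'
        $expected.ForestLevel = '4';             $expected.DomainLevel = '4'
        $expected.NewDomainDNSName = $forest
        $expected.DomainNetbiosName = $forest -replace '\.', ''   # MOFAWEB / NPMOFAWEB
    } else {
        $expected.ReplicaOrNewDomain = 'Replica'; $expected.SiteName = 'MoFA-Riyadh-HQ'
        $expected.ReplicaDomainDNSName = $forest; $expected.UserName = 'Administrator'
    }
    return $expected
}
function Test-DcpromoAnswerFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [ValidateSet('FirstDC','AdditionalDC')][string]$Role = 'FirstDC',
        [ValidateSet('Production','NonProduction')][string]$Environment = 'Production'
    )
    $actual   = Read-DcpromoAnswerFile -Path $Path
    $expected = Get-ExpectedDcpromoValues -Role $Role -Environment $Environment
    $problems = @()
    foreach ($key in $expected.Keys) {
        if (-not $actual.ContainsKey($key)) { $problems += "missing key $key"; continue }
        if ($actual[$key] -ne $expected[$key]) {
            $problems += "$key is '$($actual[$key])', expected '$($expected[$key])'"
        }
    }
    # the document ships passwords masked; a masked value must never reach dcpromo
    $secretKeys = @('SafeModeAdminPassword'); if ($Role -eq 'AdditionalDC') { $secretKeys += 'Password' }
    foreach ($key in $secretKeys) {
        $value = $actual[$key]
        if (-not $value -or $value -match '^\*+$' -or $value -match 'put the correct password') {
            $problems += "$key still contains the placeholder from the document"
        }
    }
    return $problems   # empty list when the file is ready for dcpromo
}
# Usage: Test-DcpromoAnswerFile -Path C:\setup\unattended_additionalDC_Prod.txt -Role AdditionalDC
```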

3.5.2 Installation steps

Log on to the future additional domain controller. In our example, we take “RUH-DCDMZ-02” as reference. Check that your user is a member of the local Administrators group of the machine.

The first step, prior to installing the domain controller role, is to set the preferred DNS server to the IP address of the first domain controller and the alternate DNS server to the IP address of the local machine (the one we are installing by following this procedure):

Note: the illustration above was built in a lab and does not reflect your actual values.

Click on “OK” to apply these parameters and close all the windows.

Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Create a folder called “setup” at the root of the “C:” drive:

Copy all installation scripts into this folder.

In the PowerShell window, set the working location to “C:\Setup” and type the following command at the PowerShell prompt: powershell.exe “.\MoFA-Add-ADDS-Role.ps1”

Type “R” if prompted to run the script:

Wait for the end of the script execution:

Once the script has finished, you should get this screen:

Now type the following command at the PowerShell prompt: “dcpromo.exe /unattend:C:\setup\unattended_additionalDC_Prod.txt” and press Enter:

The Active Directory installation should start. Wait until the installation has completed. This operation can take some time; be patient. The installation screen looks something like this:

Once finished, the machine will reboot automatically.

3.5.3 Installation validation

Log on to the server with an administrative account (member of the Domain Admins group):

In Server Manager, validate that the AD DS and DNS roles have been added.
Note: the DNS role is added automatically during the dcpromo.exe execution.

In Active Directory Users and Computers, validate that both domain controllers are present in the default OU:

3.5.4 DNS Configuration on the first Domain Controller

Now that a second Domain Controller, which is also a DNS server, has been added to the environment, the DNS settings of the first Domain Controller must be adapted to provide redundancy. To do so, connect to the first domain controller and log on to it. Go to the network card properties and set the primary DNS server to the IP address of the second domain controller and the alternate DNS server to the IP address of the first domain controller:
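As an added example (not one of the MoFA scripts), the PowerShell check below covers the validations of 3.4.3, 3.5.3 and the DNS client order of 3.5.2 and 3.5.4 in one run on either domain controller: roles present, default site renamed, both DCs in MoFA-Riyadh-HQ, and preferred/alternate DNS set to the partner DC and the local machine. It assumes Windows Server 2008 R2 with the ActiveDirectory module installed with AD DS, and that $PartnerIp holds the IPv4 address of the other domain controller (a value you supply from the 3.2.1 table).

```powershell
# Added example, not one of the MoFA scripts: post-installation check for a
# perimeter domain controller (sections 3.4.3, 3.5.2, 3.5.3, 3.5.4).
# Assumes Windows Server 2008 R2 and the ActiveDirectory module; $PartnerIp is
# the IPv4 address of the other domain controller.
Import-Module ServerManager
Import-Module ActiveDirectory

function Test-PerimeterDomainController {
    param(
        [Parameter(Mandatory=$true)][string]$PartnerIp,
        [string]$ExpectedSite = 'MoFA-Riyadh-HQ',
        [int]$ExpectedDcCount = 2
    )
    $problems = @()

    # 3.4.3 / 3.5.3: AD DS and DNS roles must be present (DNS is added by dcpromo)
    foreach ($feature in 'AD-Domain-Services', 'DNS') {
        if (-not (Get-WindowsFeature -Name $feature).Installed) { $problems += "role $feature is not installed" }
    }

    # 3.4.3: Default-First-Site-Name must have been renamed by RenameDefaultSite.ps1
    $sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
    $sites = @(Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=site)' | ForEach-Object { $_.Name })
    if ($sites -contains 'Default-First-Site-Name') { $problems += 'Default-First-Site-Name still exists' }
    if ($sites -notcontains $ExpectedSite) { $problems += "site $ExpectedSite is missing" }

    # 3.5.3: both domain controllers must be present and sit in the expected site
    $dcs = @(Get-ADDomainController -Filter *)
    if ($dcs.Count -lt $ExpectedDcCount) { $problems += "only $($dcs.Count) domain controller(s) found" }
    foreach ($dc in $dcs) {
        if ($dc.Site -ne $ExpectedSite) { $problems += "$($dc.HostName) is in site $($dc.Site)" }
    }

    # 3.5.2 / 3.5.4: preferred DNS = partner DC, alternate DNS = this machine
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | Select-Object -First 1
    $ownIp = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })[0]
    $dns = @($nic.DNSServerSearchOrder)
    if ($dns.Count -lt 2 -or $dns[0] -ne $PartnerIp -or $dns[1] -ne $ownIp) {
        $problems += "DNS client order is [$($dns -join ', ')], expected [$PartnerIp, $ownIp]"
    }
    return $problems   # empty list when every check passed
}
# Usage on RUH-DCDMZ-01 (placeholder: take the real address from the 3.2.1 table):
# Test-PerimeterDomainController -PartnerIp '<IP of RUH-DCDMZ-02>'
```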

3.6 Top Level OU creation

3.6.1 Installation Options

This section details the variables in the configuration file that are most likely to change when executing the scripts.

Configuration variables to verify in MoFA-CreateTopOUs.xml. If a value is not aligned with the value in this document, update the XML file:

<OUs>
  <!-- Name : The specified name will be the CN -->
  <!-- Path : Specify the distinguishedName of the OU container -->
  DomainName="DC=RUH-DCDMZ-01,DC=MOFA,DC=WEB" />
  OUName="External Users Management" Path="DC=MOFA,DC=WEB" />
  OUName="External Group Management" Path="DC=MOFA,DC=WEB" />
  OUName="Servers and Computers Management" Path="DC=MOFA,DC=WEB" />
  OUName="Resource Group Management" Path="DC=MOFA,DC=WEB" />
  OUName="IT Users Management" Path="DC=MOFA,DC=WEB" />
  OUName="IT Group Management" Path="DC=MOFA,DC=WEB" />
</OUs>

3.6.2 Installation steps

Now that our two domain controllers are installed, it is time to set up the top-level OU structure. To automate this, a script has been prepared: it is called “MoFA-CreateTopOUs.ps1” and its parameter file is “MoFA-CreateTopOUs.xml”.

Log on to the first Domain Controller with a user that is a member of the Domain Admins group:

Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Copy the two files mentioned above into the previously created folder called “setup” at the root of the “C:” drive:

In the PowerShell window, set the working location to “C:\Setup” and type the following command at the PowerShell prompt: powershell.exe “.\MoFA-CreateTopOUs.ps1”

Type “R” if prompted to run the script:

Wait for the end of the script execution:

3.6.3 Installation validation

Launch “Active Directory Users and Computers” and validate that the OUs have been created according to the parameter file:

3.7 Create the sub-level OUs

3.7.1 Installation options

This section presents a high-level overview of the XML file that creates the different Active Directory OUs. The values have been aligned with the design document referenced as [1], and it is assumed that the user is able to adapt the XML file accordingly to create additional OUs if necessary. The user can also refer to the comments integrated in the MoFA-CreateSubLevelsOUs.xml file. To execute the script, two files must be present in the directory:

  • MoFA-CreateSubLevelsOUs.ps1 => Contains the script logic. Must not be modified
  • MoFA-CreateSubLevelsOUs.xml => Contains the parameters. File to adapt if necessary

The files have been created to match the proposed design.
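As an added example (not the MoFA-CreateTopOUs.ps1 or MoFA-CreateSubLevelsOUs.ps1 scripts themselves), the PowerShell below creates the OUs listed in a parameter file of the layout shown in 3.6.1 and then verifies them, which is the check of 3.6.3 and 3.7 in script form. It assumes each entry is an <OU OUName="..." Path="..." /> element under <OUs> (the element name is an assumption; adapt it to the real file), the ActiveDirectory module, and that parent OUs are listed before their children for the sub-level file.

```powershell
# Added example, not the MoFA scripts: create and verify OUs from an XML
# parameter file. Assumes <OUs><OU OUName="..." Path="..." /></OUs> (element
# name assumed) and the ActiveDirectory module of Windows Server 2008 R2.
Import-Module ActiveDirectory

function Test-OUExists {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    # Get-ADObject throws when the DN does not exist; turn that into $false
    try { [bool](Get-ADObject -Identity $DistinguishedName -ErrorAction Stop) } catch { $false }
}

function New-OUsFromXml {
    param([Parameter(Mandatory=$true)][string]$XmlPath)
    [xml]$config = Get-Content -Path $XmlPath
    $created = @()
    foreach ($entry in $config.OUs.OU) {
        $dn = "OU=$($entry.OUName),$($entry.Path)"
        # the parent (domain root for top-level OUs, another OU for sub-levels) must exist first
        if (-not (Test-OUExists -DistinguishedName $entry.Path)) {
            throw "parent container $($entry.Path) does not exist; list parent OUs before their children"
        }
        if (Test-OUExists -DistinguishedName $dn) {
            Write-Host "exists:  $dn"
        } else {
            # protection from accidental deletion keeps the structure from being removed by mistake
            New-ADOrganizationalUnit -Name $entry.OUName -Path $entry.Path -ProtectedFromAccidentalDeletion $true
            Write-Host "created: $dn"
        }
        $created += $dn
    }
    return $created
}

# validation (3.6.3): every OU of the parameter file must now exist
function Test-OUsFromXml {
    param([Parameter(Mandatory=$true)][string]$XmlPath)
    [xml]$config = Get-Content -Path $XmlPath
    $missing = @()
    foreach ($entry in $config.OUs.OU) {
        $dn = "OU=$($entry.OUName),$($entry.Path)"
        if (-not (Test-OUExists -DistinguishedName $dn)) { $missing += $dn }
    }
    return $missing   # empty list when all OUs of the file exist
}
# Usage: New-OUsFromXml  -XmlPath C:\Setup\MoFA-CreateTopOUs.xml
#        Test-OUsFromXml -XmlPath C:\Setup\MoFA-CreateTopOUs.xml
```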

3.7.2 Installation steps

Log on to the first Domain Controller with a user that is a member of the Domain Admins group: