Appendix L: Installing and Configuring Active Directory and DNS in Your Lab
This appendix describes how to set up a Microsoft® Windows Server™ 2003 domain controller, also known as an Active Directory® server. In a heterogeneous environment in which Active Directory supports UNIX clients, an Active Directory server can act as the Kerberos Key Distribution Center (KDC) for authentication and as the Lightweight Directory Access Protocol (LDAP) server for authorization for both Windows and UNIX clients.
IMPORTANT It is possible to install the DNS service on a different server than the domain controller, either Windows or UNIX, or to install DNS on the domain controller later after you first install and configure the domain controller itself. For best results when developing or deploying a solution that enables UNIX clients to authenticate to Active Directory, the recommended practice is to install and configure Active Directory and DNS at the same time. The procedures in this guide were developed and tested in a lab in which DNS is configured on the domain controllers as part of the Active Directory installation process.
Building a Domain Controller for Your Lab
You can use the procedures in this appendix to install and configure an Active Directory server for your development or test lab for the following chapters in Volume 2:
Chapter 2, Using Quest Software VAS to Develop, Stabilize, Deploy, Operate, and Evolve End State 2
Chapter 3, Using Centrify DirectControl to Develop, Stabilize, Deploy, Operate, and Evolve End State 2
Chapter 4, Developing a Custom Solution
Chapter 5, Stabilizing a Custom Solution
Note Chapters 4 and 5 include solutions for both End State 1 and End State 2. For a description of End State 1 and End State 2, see Volume 1: Chapter 1, “Overview of Authentication and Authorization Technologies and Solution End States.”
When setting up a development or test environment for the solutions included in this guide, the recommended practice is to install and configure at least two domain controllers so that you can test UNIX or Linux authentication and authorization under failover conditions. However, you will not be ready to install the second domain controller until after you finish the remaining activities necessary to set up your lab environment. These activities depend on which solution you choose to develop and deploy. For more information, see the section "Complete Other Setup Steps for Your Solution Before You Install the Second Domain Controller" later in this appendix.
Use the steps in the following subsections to install a domain controller that is running the Domain Name System (DNS) service and to create a test forest. This example assumes that you want to create a new Active Directory domain controller in its own forest and domain in your development environment and that you want to follow the recommended practice to install DNS on the domain controller.
Install Active Directory and DNS on the First Domain Controller
Use the following procedure to install Active Directory and DNS at the same time.
IMPORTANT It is possible to install the DNS service on a server (running either the UNIX or Microsoft Windows® operating system) that is different from the domain controller. It is also possible to install DNS on the domain controller later after you first install and configure the domain controller itself. However, for best results when deploying a solution that enables UNIX clients to authenticate to Active Directory, the recommended practice is to install and configure Active Directory and DNS at the same time on the same server. The procedures in this guide were developed and tested in a lab in which DNS is configured on the domain controllers as part of the Active Directory installation process.
To install Active Directory and DNS
1. Install Windows. Install Windows Server 2003 Standard Edition on a computer. Use a static IP address for this server.
2. Promote the server to a domain controller. Click Start, click Run, and then type dcpromo (or use the new role wizard) to open the Active Directory Installation Wizard, and then configure the wizard pages as shown in Table L.1.
Table L.1. Active Directory Installation Wizard
Wizard page: What to do
Domain Controller Type: Select Domain controller for a new domain.
Create New Domain: Select Domain in a new forest.
Install or Configure DNS: If you see this page, select No, just install and configure DNS on this computer.
Note Typically, you see this wizard page if you run the Active Directory Installation Wizard (dcpromo.exe) right after installing the operating system on this computer.
New Domain Name: For Full DNS name for new domain, type the name of the test domain. If you want to match the example domain names used in the procedures in this guide, use the following domain names:
- For Quest Software VAS (Chapter 2), type fabrikam.com.
- For Centrify DirectControl (Chapter 3), type contoso.com.
- For a custom solution (Chapter 4), type example.com.
NetBIOS Domain Name: Verify that the domain name that you typed appears on this page.
Database and Log Folders: Accept the defaults.
Shared System Volume: Accept the defaults.
Permissions: Select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.
DNS Registration Diagnostics: Select Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server.
Note Typically, you see this wizard page if DNS was configured on this computer earlier. For example, if you earlier ran dcpromo and configured DNS, and then demoted the domain controller and removed DNS, you will see this page if you rerun dcpromo.
Directory Services Restore Mode Administrator Password: Type and confirm a password.
3. Review your selections, and then click Next to begin the Active Directory installation. If you are prompted for the files dnsmgr.dll or dnsmgmt.msc, insert your Windows installation CD or navigate to a folder or network share that contains the i386 files.
4. When the wizard completes, click Restart Now to restart the computer.
Use the following procedure to complete the configuration for DNS.
To complete the DNS configuration
1. Configure the DNS Forward Lookup Zone. Open the DNS console in Administrative Tools, and then configure the following:
Note When you specified that dcpromo install DNS while installing Active Directory, the Active Directory wizard created a DNS Forward Lookup Zone that accepts only secure dynamic updates. Allowing nonsecure dynamic updates is not recommended for your production environment. However, here you are setting up a proof-of-concept lab in which UNIX-based computers cannot initially perform secure dynamic DNS updates because they cannot yet authenticate to the Active Directory domain.
a. In the console tree, expand the DNS server name node, and then expand Forward Lookup Zones.
b. In the console tree, right-click the appropriate forward lookup zone (fabrikam.com for Quest Software VAS, contoso.com for Centrify DirectControl, or example.com for a custom solution), and then click Properties.
c. On the General tab, for Dynamic Updates, select Nonsecure and secure, click Apply, and then click OK.
2. Configure the DNS Reverse Lookup Zone. In the console tree, right-click Reverse Lookup Zones, click New Zone, and then complete the New Zone Wizard pages as shown in Table L.2.
Table L.2. New Zone Wizard for DNS Reverse Lookup Zone
Wizard page: What to do
Zone Type: Select Primary Zone. Confirm that Store the zone in Active Directory (available only if DNS server is a domain controller) is selected.
Active Directory Zone Replication Scope: Select To all domain controllers in the Active Directory domain DomainName.com.
Reverse Lookup Zone Name: Select Network ID, and then type the network ID (for example, you might type 192.168.0).
Dynamic Update: Select Allow both nonsecure and secure dynamic updates.
Completing the New Zone Wizard: Review your selections, and then click Finish.
3. Confirm that the zones are integrated with Active Directory:
- Click Forward Lookup Zones or Reverse Lookup Zones in the console tree, and then confirm that Type in the details pane displays Active Directory-Integrated Primary.
4. Configure (or confirm) DNS for the server's local network connection. Open Network Connections, right-click the local area connection, click Properties, and then configure the following:
a. In Local Area Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
b. For Preferred DNS server, type or confirm the localhost IP address, as shown in Table L.3.
Table L.3. Configuring the Localhost IP Address for the DNS Server
If You Saw This Dcpromo Wizard Page: Do This
Install or Configure DNS: For Preferred DNS server, type 127.0.0.1.
DNS Registration Diagnostics: For Preferred DNS server, confirm that 127.0.0.1 appears.
5. Add UNIX hosts to DNS. When a Windows-based computer is joined to an Active Directory domain in which DNS is configured, the Windows-based computer is automatically added to DNS. However, you must add UNIX-based computers to DNS manually:
a. Open DNS in Administrative Tools.
b. In the console tree, expand the ComputerName node, expand Forward Lookup Zones, right-click the appropriate node (fabrikam.com for Quest Software VAS, contoso.com for Centrify DirectControl, or example.com for a custom solution), and then click New Host (A).
c. In New Host, for Name, type the name of the UNIX host that you want to add. In IP address, type the IP address of the UNIX host, select the Create associated pointer (PTR) record check box, and then click Add Host.
d. When you see the message The host record HostName.DomainName.com was successfully created, click OK.
e. Repeat steps a–d for each UNIX host that you want to add to your development environment.
6. Install Support Tools. You can install the Windows Support Tools from the Windows Server 2003 CD. For information about how to install this set of tools, see "Support Tools on the Windows CD" in Windows Server 2003 Help and Support Center.
Note By default, the installation program installs the support tools in the C:\Program Files\Support Tools folder. The installation also adds the support tools folder to the PATH for all command shell sessions. This means that, after you restart the server following the support tools installation, you can run any of the support tool commands without changing to the directory where the commands are located.
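As an added example that is not part of this guide, the same DNS configuration as a script. It uses the DnsServer and DnsClient PowerShell modules that ship with Windows Server 2012 and later, so it is an equivalent for a newer lab, not the Windows Server 2003 console procedure above; the zone name, network ID and UNIX host entries are assumed lab values.

```powershell
# Added example (not from the guide): scripted equivalent of the DNS steps above.
# Requires the DnsServer and DnsClient modules (Windows Server 2012 or later);
# run on the domain controller in an elevated PowerShell session.
param(
    [string]$Zone      = 'example.com',   # fabrikam.com, contoso.com or example.com
    [string]$NetworkId = '192.168.0'      # assumed /24 network ID, as typed in the wizard
)
Import-Module DnsServer

# Reverse zone name for the network ID: 192.168.0 -> 0.168.192.in-addr.arpa
$octets = $NetworkId.Split('.')
[array]::Reverse($octets)
$ReverseZone = ($octets -join '.') + '.in-addr.arpa'

# Step 2: AD-integrated primary reverse zone. -ReplicationScope Legacy is the
# "To all domain controllers in the Active Directory domain" option.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ReverseZone -ReplicationScope Legacy `
        -DynamicUpdate NonsecureAndSecure
}

# Step 1: lab-only weakening so UNIX hosts that cannot yet authenticate can
# register themselves. Production zones should remain on Secure.
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate NonsecureAndSecure

# Step 4: the domain controller uses itself as its preferred DNS server.
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
    Set-DnsClientServerAddress -ServerAddresses 127.0.0.1

# Step 5: host (A) record plus PTR for each UNIX host (constructed sample hosts).
$unixHosts = @{ 'unix01' = '192.168.0.50'; 'unix02' = '192.168.0.51' }
foreach ($h in $unixHosts.GetEnumerator()) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $h.Key `
        -IPv4Address $h.Value -CreatePtr
}

# Step 3 and an audit: confirm both zones are AD-integrated primaries, then list
# every zone still accepting nonsecure updates so the lab setting is not
# carried over into production unnoticed.
Get-DnsServerZone | Where-Object { $_.ZoneName -in @($Zone, $ReverseZone) } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
Get-DnsServerZone | Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    ForEach-Object { Write-Warning "$($_.ZoneName) accepts nonsecure dynamic updates (lab only)" }
```

Rerunning the script is safe: the reverse zone is created only if it does not already exist, and the warning list shows which zones still need to be switched back to Secure once the UNIX hosts can authenticate.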
Complete Other Setup Steps for Your Solution Before You Install the Second Domain Controller
Installing and configuring a domain controller is only one of several activities that you must complete to prepare your lab for developing or testing one of the solutions in this guide. After optionally installing the Active Directory snap-ins (described next, in the section "Installing Active Directory Snap-Ins"), refer to the appropriate chapter for the remaining actions that you must take to prepare your development or test lab.
You must complete the activities as described in the appropriate chapter before you will be ready to install your second domain controller:
For the commercial VAS solution. Refer to the section "Preparing Your Environment" in Volume 2: Chapter 2, "Using Quest Software VAS to Develop, Stabilize, Deploy, Operate, and Evolve End State 2."
For the commercial DirectControl solution. Refer to the section "Preparing Your Environment" in Volume 2: Chapter 3, "Using Centrify DirectControl to Develop, Stabilize, Deploy, Operate, and Evolve End State 2."
For developing one of the custom solutions. Refer to the section "Preparing Your Environment" in Volume 2: Chapter 4, "Developing a Custom Solution."
For testing one of the custom solutions. Refer to the section "Prepare Test Lab Environment" in Volume 2: Chapter 5, "Stabilizing a Custom Solution."
Only after completing the remaining activities as described in the appropriate chapter to prepare your lab will you be ready to repeat the steps in this section to build your second domain controller.
Installing Active Directory Snap-Ins
The Microsoft Management Console (MMC) snap-ins for Active Directory, including Active Directory Domains and Trusts, Active Directory Users and Computers, and Active Directory Sites and Services, are installed in Administrative Tools by default on a Windows-based domain controller. To locate the Active Directory snap-ins, click Start, point to All Programs, point to Administrative Tools, and then click the snap-in that you want to open.
If you want to use the Active Directory snap-ins on a workstation or on a server other than a domain controller, you must add the MMC snap-ins for Active Directory manually. In addition, you might want to use other Active Directory–related snap-ins, such as the ADSI Edit tool, which must be installed manually as a stand-alone MMC snap-in.
The following sections describe how to manually install the Active Directory snap-ins and the ADSI Edit tool.
Install Active Directory Snap-ins on a Member Server (Optional)
You can install the Active Directory snap-ins on servers running Windows Server 2003 that are not domain controllers by using the instructions in "To add a snap-in to a new MMC console for a local computer" in Help and Support Center for Windows Server 2003. Alternatively, you can find the Help steps for "Add a snap-in to a new MMC console for a local computer" online at http://technet2.microsoft.com/WindowsServer/en/Library/4d38c08b-907f-410c-b26f-5bd7481194bd1033.mspx.
Install Active Directory Snap-ins on a Windows XP-based Computer (Optional)
Active Directory snap-ins are also available for Windows XP by installing the Administration Tools Pack for Windows Server 2003. You can download the Windows Server 2003 Administration Tools Pack at
Install the MMC Snap-in for ADSI Edit
Some snap-ins, such as ADSI Edit, do not appear under Administrative Tools with the default Active Directory snap-ins such as Active Directory Users and Computers. You must add these snap-ins manually.
You can use the ADSI Edit tool to view and modify attributes of directory service objects, including UNIX attributes for user and group objects (if, for example, you install Windows Services for UNIX in conjunction with one of the custom solutions in this guide) and the principal name attributes for computer objects.
To manually add ADSI Edit as an MMC snap-in
1. Install the Windows Support Tools:
a. Insert the Windows CD into your CD-ROM drive.
b. If you are prompted to reinstall Windows, click No.
c. When the Welcome screen appears, click Perform Additional Tasks, and then click Browse this CD.
d. Navigate to the \Support\Tools folder.
e. Follow the instructions that appear on your screen.
2. Install the ADSI Edit snap-in:
a. Click Start, click Run, type mmc, and then click OK.
b. In the console window, click File, and then click Add/Remove Snap-in.
c. In the Add/Remove Snap-in dialog box, click Add.
d. In the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box, select the snap-in that you want to install (in this case, ADSI Edit), click Add, and then click Close.
e. In the Add/Remove Snap-in dialog box, click OK.
f. If you want to save this console for later use, in the console window, click File, click Save, and then in the Save As dialog box, type a name for the console, and then click OK.