Step 4: Install and Configure AD DS

Applies To: Active Directory Federation Services (AD FS) 2.0

In this step, we install AD DS and configure a single-domain forest for each of the two companies (Contoso Pharmaceuticals and Fabrikam).

Install and configure AD DS

This section includes the following procedures:

  • Install AD DS

  • Create accounts

  • Join the client computer to the Contoso domain

Install AD DS

You can use the Add Roles Wizard to create two new Active Directory Domain Services (AD DS) forests, one on each of the two AD FS 2.0 VMs (contososrv01 and fabrikamsrv01). When you type values into the wizard pages, use the company names and AD DS domain names in the following table.

Note

AD FS 2.0 has no dependency on forest functional level. When installing AD DS, you can select any forest functional level that is appropriate for your environment.

To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.

Important

Configure the IP addresses as specified in the table in the Step 3: Reconfigure the IP and DNS Settings for All VMs section of this guide before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately.

Computer name    Company name              AD DS domain name (new forest)    DNS configuration
Contososrv01     Contoso Pharmaceuticals   contoso.com                       Install DNS when you are prompted.
Fabrikamsrv01    Fabrikam                  fabrikam.com                      Install DNS when you are prompted.

If you need assistance creating a new Windows Server 2008-based AD DS forest, see Installing a New Forest (https://go.microsoft.com/fwlink/?LinkId=101704).
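The wizard steps above can also be driven unattended. The following script is an added example, not part of the guide: it writes a dcpromo answer file for one of the two forests in the table and runs it on the VM that will become that forest's domain controller. The $DomainName and $NetbiosName parameters and the functional level value are assumptions you supply; the guide only requires that DNS be installed with the forest.

```powershell
# Added example (not from the guide). Run on CONTOSOSRV01 for contoso.com or on
# FABRIKAMSRV01 for fabrikam.com, after the Step 3 IP/DNS settings are in place.
param(
    [Parameter(Mandatory=$true)][string]$DomainName,   # e.g. contoso.com
    [Parameter(Mandatory=$true)][string]$NetbiosName,  # e.g. CONTOSO
    [int]$FunctionalLevel = 3                          # assumption: 3 = Windows Server 2008; any level is fine per the note above
)

# Directory Services Restore Mode password: prompt for it instead of keeping it in the script.
$dsrm = Read-Host -Prompt "DSRM (Safe Mode) administrator password"

$answerFile = Join-Path $env:TEMP "dcpromo-$NetbiosName.txt"
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainName
DomainNetbiosName=$NetbiosName
ForestLevel=$FunctionalLevel
DomainLevel=$FunctionalLevel
InstallDNS=Yes
ConfirmGc=Yes
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

# Show the static address and DNS server this VM will register its zone and SRV records
# against; if these are not the Step 3 values, stop here rather than promote.
ipconfig /all | Select-String -Pattern "IPv4 Address|DNS Servers"

# Creates the forest and, because InstallDNS=Yes, the DNS Server role and the zone on this server.
dcpromo /unattend:$answerFile
if ($LASTEXITCODE -ne 0) { throw "dcpromo failed with exit code $LASTEXITCODE; see %systemroot%\debug\dcpromo.log" }

# The answer file contains the DSRM password in clear text; remove it before rebooting.
Remove-Item $answerFile -Force
Restart-Computer -Force
```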

Join the client computer to the Contoso domain

Use the values in the following table to identify which computer to join to each domain.

Computer name    Join to:
CONTOSOSRV02     contoso.com
FABRIKAMSRV02    fabrikam.com

For more information about how to do this, see Join a Computer to a Domain (https://go.microsoft.com/fwlink/?LinkID=150213).

Create accounts

After you set up the two forests, log on as the Administrator of each domain and start the Active Directory Users and Computers snap-in on both domain controllers (contososrv01 and fabrikamsrv01) to create several accounts that you will use to test and verify federated access across both forests.

For more information about how to create accounts in AD DS, see Create a New User Account (https://go.microsoft.com/fwlink/?LinkID=150218) and Create a New Group (https://go.microsoft.com/fwlink/?LinkID=133523).

For more information about how to add a user to a group in AD DS, see Add a Member to a Group (https://go.microsoft.com/fwlink/?LinkID=133522).

Create accounts in the Contoso domain

Create and configure the accounts with the values in the following table at CONTOSOSRV01 for the Contoso.local domain. When you create the accounts, clear the User must change password upon login check box.

Note

In addition to creating new accounts, set the e-mail address for the Administrator account to "administrator@contoso.com".

Create:                     Account name                 User name    Action
User account                (AD RMS service account)     Adrmssrvc    Set password to never expire and the password value to "p@ssw0rd" for this account. Add as a member of the Domain Admins group.
User account                AD FS 2.0 Service Account    adfssrvc     Set password to never expire and the password value to "p@ssw0rd" for this account.
User account                Daniel Weisman               danielw      Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "danielw@contoso.com".
Security group - Global     DrugTrial1Admins             N/A          Add danielw as a member of this group.

Create accounts in the Fabrikam domain

Create and configure the account values in the following table at FABRIKAMSRV01 for the Fabrikam domain.

Note

In addition to creating new accounts, set the e-mail address for the Administrator account to "administrator@fabrikam.com".

Create:                     Account name        User name    Action
User account                Frank Miller        frankm       Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "frankm@fabrikam.com".
User account                AD FS Service       adfssrvc     Set password to never expire and the password value to "p@ssw0rd" for this account.
Security group - Global     DrugTrial1Auditors  N/A          Add frankm as a member of this group.
User account                Alice Scott         alices       Set password to never expire and the password value to "demo!23" for this account.  Set the e-mail address for this account to "alices@fabrikam.com".
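The two account tables (Contoso and Fabrikam) can be applied with the ActiveDirectory module instead of the snap-in. This script is an added example, not part of the guide: it selects the table that matches the domain of the domain controller it runs on, creates the global group first, then the user accounts with the password, never-expires and e-mail settings from the rows. It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or later) and uses the lab passwords from the tables only because these are disposable lab forests.

```powershell
# Added example (not from the guide). Run on CONTOSOSRV01 as CONTOSO\Administrator
# or on FABRIKAMSRV01 as FABRIKAM\Administrator.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
# Rows copied from the two tables; Groups/Mail are omitted where the table gives none.
$accounts = @{
    "contoso.com" = @(
        @{ Name = "AD RMS service account";    Sam = "Adrmssrvc"; Password = "p@ssw0rd"; Groups = @("Domain Admins") },
        @{ Name = "AD FS 2.0 Service Account"; Sam = "adfssrvc";  Password = "p@ssw0rd" },
        @{ Name = "Daniel Weisman";            Sam = "danielw";   Password = "demo!23";  Mail = "danielw@contoso.com"; Groups = @("DrugTrial1Admins") }
    )
    "fabrikam.com" = @(
        @{ Name = "Frank Miller";  Sam = "frankm";   Password = "demo!23";  Mail = "frankm@fabrikam.com"; Groups = @("DrugTrial1Auditors") },
        @{ Name = "AD FS Service"; Sam = "adfssrvc"; Password = "p@ssw0rd" },
        @{ Name = "Alice Scott";   Sam = "alices";   Password = "demo!23";  Mail = "alices@fabrikam.com" }
    )
}
$groups = @{ "contoso.com" = "DrugTrial1Admins"; "fabrikam.com" = "DrugTrial1Auditors" }

if (-not $accounts.ContainsKey($domain)) { throw "Run this on a contoso.com or fabrikam.com domain controller, not $domain" }

# Global security group first so the user rows can be added to it.
if (-not (Get-ADGroup -Filter "Name -eq '$($groups[$domain])'")) {
    New-ADGroup -Name $groups[$domain] -GroupScope Global -GroupCategory Security
}

foreach ($a in $accounts[$domain]) {
    $params = @{
        Name                  = $a.Name
        SamAccountName        = $a.Sam
        AccountPassword       = (ConvertTo-SecureString $a.Password -AsPlainText -Force)
        Enabled               = $true
        PasswordNeverExpires  = $true    # "Set password to never expire"
        ChangePasswordAtLogon = $false   # clears the "User must change password" box, as the text requires
    }
    if ($a.Mail) { $params.EmailAddress = $a.Mail }
    New-ADUser @params
    # Adrmssrvc lands in Domain Admins because the lab table says so; outside a lab a service
    # account would get only the rights its service needs.
    foreach ($g in $a.Groups) { Add-ADGroupMember -Identity $g -Members $a.Sam }
}

# Both notes also ask for an e-mail address on the built-in Administrator account.
Set-ADUser -Identity Administrator -EmailAddress "administrator@$domain"

# Verify: every row should show PasswordNeverExpires True plus the expected mail and group data.
$accounts[$domain] | ForEach-Object { Get-ADUser $_.Sam -Properties PasswordNeverExpires, EmailAddress, MemberOf } |
    Format-Table SamAccountName, PasswordNeverExpires, EmailAddress, MemberOf -AutoSize
```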

Configure DNS zones for services

Because you installed DNS when AD DS was installed as a server role on CONTOSOSRV01 and FABRIKAMSRV01, the DNS Server role is present on both VMs. The Contoso zones are managed by the DNS Server on CONTOSOSRV01, and the Fabrikam zones by the DNS Server on FABRIKAMSRV01.

To assist in locating services to be used in later virtual lab exercises, additional resource records must be configured on each of these two DNS servers.

Configure DNS services records for Contoso

Configuring DNS service records for the Contoso domain is a two-step process. First, we open the zone for the contoso.com domain in DNS Manager; then we add host (A) resource records to that zone.

Configure zones for the Contoso.com domain

To configure zones for the Contoso.com domain

  1. Log on to CONTOSOSRV01 as CONTOSO\Administrator, and open the DNS Manager snap-in.

    To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  2. Add new host (A) resource records as described in the following section to the Forward Lookup Zone for contoso.com.

Create host (A) resource records for the Contoso.com domain

The following are host (A) resource records that you can add using DNS Manager on CONTOSOSRV01. For more information about how to add these records, see "Add a Resource Record to a Zone" in the DNS Server Help.

Name     Type        Data
adrms    Host (A)    10.0.0.30
docs     Host (A)    10.0.0.2
pki      Host (A)    10.0.0.1
sts1     Host (A)    10.0.0.20

Configure zones for the Fabrikam.com domain

To configure zones for the Fabrikam.com domain

  1. Log on to FABRIKAMSRV01 as FABRIKAM\Administrator, and open the DNS Manager snap-in.

    To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  2. Add new host (A) resource records as described in the following section to the Forward Lookup Zone for fabrikam.com.

Create host (A) resource records for the Fabrikam.com domain

The following are host (A) resource records that you can add using DNS Manager on FABRIKAMSRV01. For more information about how to add these records, see "Add a Resource Record to a Zone" in the DNS Server Help.

Name     Type        Data
pki      Host (A)    10.0.0.101
sts2     Host (A)    10.0.0.120
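The host (A) records in both tables (contoso.com on CONTOSOSRV01 and fabrikam.com on FABRIKAMSRV01) can also be added from the command line. The following is an added example, not part of the guide: it uses dnscmd, which ships with the DNS Server role on Windows Server 2008, checks that the zone it is asked to populate is hosted on the local server, adds only the records that are missing, and then resolves each name to confirm the data matches the table. The function names are this example's own.

```powershell
# Added example (not from the guide). Run on the DC that hosts the zone being populated.
$records = @{
    "contoso.com"  = @{ adrms = "10.0.0.30"; docs = "10.0.0.2"; pki = "10.0.0.1"; sts1 = "10.0.0.20" }
    "fabrikam.com" = @{ pki = "10.0.0.101"; sts2 = "10.0.0.120" }
}

function Add-LabHostRecords([string]$Zone) {
    if (-not $records.ContainsKey($Zone)) { throw "No record table for zone $Zone" }
    # Each company's zone is managed only by its own DNS server; refuse to write elsewhere.
    dnscmd /ZoneInfo $Zone 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Zone $Zone is not hosted on $env:COMPUTERNAME; run this on that zone's DC" }

    foreach ($entry in $records[$Zone].GetEnumerator()) {
        $name = $entry.Key; $ip = $entry.Value
        # Skip rows that already exist with the same address so the script can be re-run safely.
        $existing = dnscmd /EnumRecords $Zone $name /Type A 2>&1
        if ($LASTEXITCODE -eq 0 -and ($existing -match [regex]::Escape($ip))) {
            Write-Host "$name.$Zone already resolves to $ip"; continue
        }
        dnscmd /RecordAdd $Zone $name A $ip | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to add $name.$Zone -> $ip (dnscmd exit code $LASTEXITCODE)" }
        Write-Host "Added $name.$Zone -> $ip"
    }
}

function Test-LabHostRecords([string]$Zone) {
    # Resolve each table entry through this server's resolver and report any mismatch.
    $problems = @()
    foreach ($entry in $records[$Zone].GetEnumerator()) {
        $fqdn = "$($entry.Key).$Zone"
        try {
            $got = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        } catch { $got = @() }
        if ($got -notcontains $entry.Value) {
            $problems += "$fqdn resolved to [$($got -join ',')], expected $($entry.Value)"
        }
    }
    return $problems
}

# contoso.com on CONTOSOSRV01, fabrikam.com on FABRIKAMSRV01.
$zone = (Get-WmiObject Win32_ComputerSystem).Domain
Add-LabHostRecords $zone
$problems = Test-LabHostRecords $zone
if ($problems) { $problems | Write-Warning } else { Write-Host "All host (A) records for $zone resolve as expected" }
```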