Step 4: Install and Configure AD DS
Applies To: Active Directory Federation Services (AD FS) 2.0
In this step, we install AD DS and configure a single-domain forest for each of the two companies (Contoso Pharmaceuticals and Fabrikam).
Install and configure AD DS
This section includes the following procedures:
Install AD DS
Join the client computer to the Contoso domain
Create accounts
Configure DNS zones for services
Install AD DS
You can use the Add Roles Wizard to create two new Active Directory Domain Services (AD DS) forests, one on each of the two VMs (contososrv01 and fabrikamsrv01). When you type values into the wizard pages, use the company names and AD DS domain names in the following table.
Note
AD FS 2.0 has no dependency on forest functional level. When installing AD DS, you can select any forest functional level that is appropriate for your environment.
To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.
Important
Configure the IP addresses as specified in the table in the Step 3: Reconfigure the IP and DNS Settings for All VMs section of this guide before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately.
Computer name | Company name | AD DS domain name (new forest) | DNS configuration |
---|---|---|---|
Contososrv01 | Contoso Pharmaceuticals | contoso.com | Install DNS when you are prompted. |
Fabrikamsrv01 | Fabrikam | fabrikam.com | Install DNS when you are prompted. |
If you need assistance creating a new Windows Server 2008-based AD DS forest, see Installing a New Forest (https://go.microsoft.com/fwlink/?LinkId=101704).
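The same forest-creation step can be run unattended. The following PowerShell script is an added example, not part of this guide: it first checks the precondition from the Important note above (a static IP address and a DNS server must already be set on the adapter), then writes a dcpromo answer file for a new forest with DNS installed and runs dcpromo.exe with it. It assumes Windows Server 2008 or 2008 R2 dcpromo.exe and its [DCInstall] answer-file keys; the DSRM password argument is a placeholder you supply.

```powershell
# Added example (not from the original guide): unattended equivalent of the
# Add Roles / dcpromo wizard run for this step. Run elevated on the VM that
# will become the forest root DC (contososrv01 or fabrikamsrv01).
# Assumptions: Windows Server 2008 / 2008 R2 dcpromo.exe and its [DCInstall]
# answer-file keys; $SafeModeAdminPassword is a placeholder you choose.
param(
    [Parameter(Mandatory = $true)][string]$DomainDnsName,          # e.g. contoso.com
    [Parameter(Mandatory = $true)][string]$DomainNetbiosName,      # e.g. CONTOSO
    [Parameter(Mandatory = $true)][string]$SafeModeAdminPassword   # DSRM password (placeholder)
)

# Precondition from the Important note: Step 3's static IP and DNS settings
# must be in place first, otherwise the new DC registers its own DNS records
# against the wrong addresses.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
       Select-Object -First 1
if ($nic.DHCPEnabled) {
    throw "Adapter '$($nic.Description)' still uses DHCP; assign the static IP from Step 3 first."
}
if (-not $nic.DNSServerSearchOrder) {
    throw "No DNS server is set on '$($nic.Description)'; configure it per Step 3 first."
}
Write-Host ("Creating forest {0} on {1} (DNS servers: {2})" -f `
    $DomainDnsName, $nic.IPAddress[0], ($nic.DNSServerSearchOrder -join ', '))

# dcpromo answer file. ForestLevel/DomainLevel 3 = Windows Server 2008; as the
# Note above says, AD FS 2.0 does not depend on the level you pick.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainDnsName
DomainNetbiosName=$DomainNetbiosName
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$SafeModeAdminPassword
RebootOnCompletion=No
"@

$answerFile = Join-Path $env:TEMP 'dcpromo-forest.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$answerFile"
} finally {
    # The answer file holds the DSRM password in clear text; remove it even if
    # dcpromo fails. RebootOnCompletion=No keeps this cleanup deterministic.
    Remove-Item $answerFile -ErrorAction SilentlyContinue
}
Write-Host "dcpromo finished with exit code $LASTEXITCODE; restart the VM to complete promotion."
```

Run it once per VM, for example `.\New-LabForest.ps1 -DomainDnsName contoso.com -DomainNetbiosName CONTOSO -SafeModeAdminPassword '<your DSRM password>'` on contososrv01, and with the Fabrikam values on fabrikamsrv01.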
Join the client computer to the Contoso domain
Use the values in the following table to identify which computer to join to which domain.
Computer name | Join to: |
---|---|
CONTOSOSRV02 | contoso.com |
FABRIKAMSRV02 | fabrikam.com |
For more information about how to do this, see Join a Computer to a Domain (https://go.microsoft.com/fwlink/?LinkID=150213).
Create accounts
After you set up the two forests, log on as the Administrator of each domain and start the Active Directory Users and Computers snap-in on both domain controllers (contososrv01 and fabrikamsrv01) to create the accounts that you will use to test and verify federated access across both forests.
For more information about how to create accounts in AD DS, see Create a New User Account (https://go.microsoft.com/fwlink/?LinkID=150218) and Create a New Group (https://go.microsoft.com/fwlink/?LinkID=133523).
For more information about how to add a user to a group in AD DS, see Add a Member to a Group (https://go.microsoft.com/fwlink/?LinkID=133522).
Create accounts in the Contoso domain
Create and configure the accounts with the values in the following table at CONTOSOSRV01 for the contoso.com domain. When you create the accounts, clear the User must change password at next logon check box.
Note
In addition to creating new accounts, set the e-mail address for the Administrator account to "administrator@contoso.com".
Create: | Account name | User name | Action |
---|---|---|---|
User account | (AD RMS service account) | Adrmssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account. Add as a member of the Domain Admins group. |
User account | AD FS 2.0 Service Account | adfssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account. |
User account | Daniel Weisman | danielw | Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "danielw@contoso.com". |
Security group - Global account | DrugTrial1Admins | N/A | Add danielw as a member of this group. |
Create accounts in the Fabrikam domain
Create and configure the accounts with the values in the following table at FABRIKAMSRV01 for the fabrikam.com domain.
Note
In addition to creating new accounts, set the e-mail address for the Administrator account to "administrator@fabrikam.com".
Create: | Account name | User name | Action |
---|---|---|---|
User account | Frank Miller | frankm | Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "frankm@fabrikam.com". |
User account | AD FS Service | adfssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account. |
Security group - Global account | DrugTrial1Auditors | N/A | Add frankm as a member of this group. |
User account | Alice Scott | alices | Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "alices@fabrikam.com". |
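Both account tables (Contoso and Fabrikam) can be created in one pass with the ActiveDirectory PowerShell module. The script below is an added example and is not part of this guide; it assumes a Windows Server 2008 R2 or later DC (a Windows Server 2008 RTM DC has no ActiveDirectory module, so use the snap-in there as described), that it is run elevated on the DC as that domain's Administrator, and that the built-in Users container is an acceptable location for the lab objects. It detects which domain it is running in and creates only that domain's groups and users, with the "password never expires" and cleared "change password at next logon" settings the tables call for, then sets the Administrator mail address from the Note.

```powershell
# Added example (not from the original guide): creates the accounts from the
# Contoso and Fabrikam tables with the ActiveDirectory module (Windows Server
# 2008 R2 or later). Run elevated on the DC of the domain in question, logged
# on as that domain's Administrator. Objects go in the default Users container.
Import-Module ActiveDirectory

# The two account tables from the guide, transcribed. The AD RMS service
# account is placed in Domain Admins because the Contoso table says so.
$labSpecs = @{
    'contoso.com' = @{
        AdminMail = 'administrator@contoso.com'
        Groups    = @('DrugTrial1Admins')
        Users     = @(
            @{ Name = 'AD RMS service account';   Sam = 'adrmssrvc'; Password = 'p@ssw0rd'; Mail = $null;                 Groups = @('Domain Admins') },
            @{ Name = 'AD FS 2.0 Service Account'; Sam = 'adfssrvc';  Password = 'p@ssw0rd'; Mail = $null;                 Groups = @() },
            @{ Name = 'Daniel Weisman';           Sam = 'danielw';   Password = 'demo!23';  Mail = 'danielw@contoso.com'; Groups = @('DrugTrial1Admins') }
        )
    }
    'fabrikam.com' = @{
        AdminMail = 'administrator@fabrikam.com'
        Groups    = @('DrugTrial1Auditors')
        Users     = @(
            @{ Name = 'Frank Miller';  Sam = 'frankm';   Password = 'demo!23';  Mail = 'frankm@fabrikam.com'; Groups = @('DrugTrial1Auditors') },
            @{ Name = 'AD FS Service'; Sam = 'adfssrvc'; Password = 'p@ssw0rd'; Mail = $null;                 Groups = @() },
            @{ Name = 'Alice Scott';   Sam = 'alices';   Password = 'demo!23';  Mail = 'alices@fabrikam.com'; Groups = @() }
        )
    }
}

# Pick the spec for the domain this DC belongs to, so one script serves both DCs.
$domain = Get-ADDomain
$spec = $labSpecs[$domain.DNSRoot.ToLower()]
if (-not $spec) { throw "No lab accounts are defined for domain '$($domain.DNSRoot)'." }

# Global security groups first, so that users can be added to them below.
foreach ($groupName in $spec.Groups) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
        New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
                    -GroupCategory Security -Path $domain.UsersContainer
    }
}

foreach ($u in $spec.Users) {
    if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$($u.Sam))")) {
        $params = @{
            Name                  = $u.Name
            SamAccountName        = $u.Sam
            UserPrincipalName     = "$($u.Sam)@$($domain.DNSRoot)"
            AccountPassword       = (ConvertTo-SecureString $u.Password -AsPlainText -Force)
            Enabled               = $true
            PasswordNeverExpires  = $true     # "Set password to never expire" in the tables
            ChangePasswordAtLogon = $false    # the check box the guide tells you to clear
            Path                  = $domain.UsersContainer
        }
        if ($u.Mail) { $params.EmailAddress = $u.Mail }
        New-ADUser @params
    }
    # Group memberships from the Action column; skip ones that already exist.
    foreach ($g in $u.Groups) {
        $members = Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName
        if ($members -notcontains $u.Sam) { Add-ADGroupMember -Identity $g -Members $u.Sam }
    }
}

# The Note under each table: e-mail address on the built-in Administrator account.
Set-ADUser -Identity 'Administrator' -EmailAddress $spec.AdminMail

# Verify the attributes that later federation steps depend on.
$sams = $spec.Users | ForEach-Object { "(sAMAccountName=$($_.Sam))" }
Get-ADUser -LDAPFilter "(|$($sams -join ''))" -Properties EmailAddress, PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, EmailAddress,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ' } } |
    Format-Table -AutoSize
```

The final table it prints is the check to make against the guide's tables before moving on: each user enabled, PasswordNeverExpires true, the e-mail address set where the table gives one, and danielw / frankm in their DrugTrial1 group.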
Configure DNS zones for services
Because you installed DNS when you were prompted during AD DS setup on CONTOSOSRV01 and FABRIKAMSRV01, the DNS Server role is also installed on these VMs. The Contoso zones are managed by the DNS Server on CONTOSOSRV01, and the Fabrikam zones by the DNS Server on FABRIKAMSRV01.
To assist in locating services to be used in later virtual lab exercises, additional resource records must be configured on each of these two DNS servers.
Configure DNS services records for Contoso
Configuring DNS service records for the Contoso domain is a two-step process. First, we configure the zones for the contoso.com domain. Then we add host (A) resource records to the zone.
Configure zones for the Contoso.com domain
To configure zones for the Contoso.com domain
Log on to CONTOSOSRV01 as CONTOSO\Administrator, and open the DNS Manager snap-in.
To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
Add new host (A) resource records as described in the following section to the Forward Lookup Zone for contoso.com.
Create host (A) resource records for the Contoso.com domain
The following are host (A) resource records that you can add using DNS Manager on CONTOSOSRV01. For more information about how to add these records, see "Add a Resource Record to a Zone" in the DNS Server Help.
Name | Type | Data |
---|---|---|
adrms | Host (A) | 10.0.0.30 |
docs | Host (A) | 10.0.0.2 |
pki | Host (A) | 10.0.0.1 |
sts1 | Host (A) | 10.0.0.20 |
Configure zones for the Fabrikam.com domain
To configure zones for the Fabrikam.com domain
Log on to FABRIKAMSRV01 as FABRIKAM\Administrator, and open the DNS Manager snap-in.
To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
Add new host (A) resource records as described in the following section to the Forward Lookup Zone for fabrikam.com.
Create host (A) resource records for the Fabrikam.com domain
The following are host (A) resource records that you can add using DNS Manager on FABRIKAMSRV01. For more information about how to add these records, see "Add a Resource Record to a Zone" in the DNS Server Help.
Name | Type | Data |
---|---|---|
pki | Host (A) | 10.0.0.101 |
sts2 | Host (A) | 10.0.0.120 |
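The host (A) records from both tables (Contoso and Fabrikam) can also be added from the command line and checked immediately. The PowerShell script below is an added example, not part of this guide; it uses dnscmd.exe, which is present on a Windows Server 2008 DNS server, assumes the forward lookup zone already exists (it does after AD DS setup with DNS installed), and is run on the DNS server that hosts the zone (CONTOSOSRV01 for contoso.com, FABRIKAMSRV01 for fabrikam.com). After each add it queries the local server with nslookup so that a record that did not land, or landed with the wrong address, is reported rather than discovered later when a federation step cannot find sts1 or sts2.

```powershell
# Added example (not from the original guide): adds the host (A) records from
# the two tables with dnscmd.exe and verifies each one against the local DNS
# server. Run elevated on the DNS server hosting the zone (CONTOSOSRV01 for
# contoso.com, FABRIKAMSRV01 for fabrikam.com). Assumes the zone exists.
$records = @{
    'contoso.com'  = @{ adrms = '10.0.0.30'; docs = '10.0.0.2'; pki = '10.0.0.1'; sts1 = '10.0.0.20' }
    'fabrikam.com' = @{ pki = '10.0.0.101'; sts2 = '10.0.0.120' }
}

# The DC's own domain is the zone it hosts, so the same script runs on both servers.
$zone = (Get-WmiObject Win32_ComputerSystem).Domain.ToLower()
if (-not $records.ContainsKey($zone)) { throw "No records are defined for zone '$zone'." }

$failed = 0
foreach ($entry in $records[$zone].GetEnumerator()) {
    $name = $entry.Key
    $ip   = $entry.Value

    # dnscmd <server> /RecordAdd <zone> <node> <type> <data>; '.' is the local server.
    $out = & dnscmd.exe . /RecordAdd $zone $name A $ip 2>&1
    if ($LASTEXITCODE -ne 0) {
        # A non-zero code also occurs when the identical record already exists;
        # the lookup below decides whether that is a problem.
        Write-Warning "dnscmd returned $LASTEXITCODE for $name.$zone ($ip): $out"
    }

    # Do not trust the add: resolve the name against this server and compare.
    $lookup = & nslookup.exe "$name.$zone" 127.0.0.1 2>&1
    if ($lookup -match [regex]::Escape($ip)) {
        Write-Host "OK       $name.$zone -> $ip"
    } else {
        Write-Warning "MISMATCH $name.$zone did not resolve to $ip; nslookup said: $($lookup -join ' ')"
        $failed++
    }
}
if ($failed) { throw "$failed record(s) in $zone did not verify." }
```

Run it once on each DNS server; a clean run prints one OK line per row of the corresponding table, and any mismatch is surfaced with the nslookup output so the record can be corrected in DNS Manager.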