Active Directory Domain Configuration
This document provides a set of guidelines for configuring a new Active Directory domain, in a new forest, that will then have a one-way trust established from it up to the central university Active Directory (AD) domain, surrey.ac.uk.
These guidelines are provided by IT Services to those schools or departments wishing to build their own AD structure but make use of the central university accounts held within surrey.ac.uk.
This document only applies to Windows 2003 domains; we do not recommend implementing Windows 2000 domains. Please contact IT Services for information regarding Windows 2000 domains.
IT Services can provide assistance at any stage of the build and configuration of the new domain if required.
1. Decide on a domain name. The preferred scheme is to mimic existing DNS domain name schemes; e.g. lib.surrey.ac.uk existed as a DNS domain, and therefore also became the name of the AD domain.
2. Decide on a naming convention for your domain controllers, e.g. surrey.ac.uk domain controllers are named ADS01, ADS02 etc.
3. Ensure the domain controllers' names are registered against a valid IP in the university's UNIX DNS.
4. At this stage, inform IT Services of the domain name of your new AD domain, and the name of each domain controller hosting the domain. To begin with this may just be a single server, i.e. the first DC in the domain. This, and usually any future domain controllers, will run Windows 2003 DNS for your domain. IT Services will be able to set up the necessary DNS delegation of 6 AD zones from the UNIX DNS down to your domain's Windows 2003 DNS. These 6 zones are explained in more detail later in this document.
5. Install Windows 2003 Server on to the first domain controller in your domain as per normal, and configure how you wish. The following configurations are required:
   a. Ensure the latest service pack is applied, along with any post-service-pack patches.
   b. Set the server to point to the university's UNIX DNS servers (131.227.100.12 and 131.227.102.6).
   c. Make the following registry change: under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters add a value with the name RegisterDnsARecords (of type REG_DWORD) and set it to 0 (zero).
   d. Under the DNS tab in the advanced TCP/IP property page of networking, ensure the box "Register this connection's address in DNS" is ticked. Enter the DNS suffix as yourdomainname.surrey.ac.uk, and also tick the second box about using this connection's suffix in DNS registration.
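The DNS client, suffix and Netlogon registry settings required above, applied from PowerShell rather than the GUI and read back before the reboot. This is an added example and not part of the IT Services document; it assumes a server with the DnsClient module (Windows Server 2012 or later, so not Windows 2003 itself, where the GUI steps apply), an adapter named Ethernet, and yourdomainname.surrey.ac.uk as a placeholder suffix. The UNIX DNS server addresses are the ones listed above.

```powershell
# Added example, not part of the IT Services document. Assumes the DnsClient
# module (Windows Server 2012 or later); on Windows 2003 itself the GUI steps
# in the document apply. 'Ethernet' and 'yourdomainname.surrey.ac.uk' are
# placeholders to replace.
$Adapter      = 'Ethernet'
$DomainSuffix = 'yourdomainname.surrey.ac.uk'
$UnixDns      = @('131.227.100.12', '131.227.102.6')   # university UNIX DNS servers

# 1. The DNS client points only at the UNIX DNS servers (never at itself);
#    AD-specific lookups reach the Windows DNS through the delegation.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $UnixDns

# 2. Connection-specific suffix plus both registration tick boxes.
Set-DnsClient -InterfaceAlias $Adapter `
    -ConnectionSpecificSuffix $DomainSuffix `
    -RegisterThisConnectionsAddress $true `
    -UseSuffixWhenRegistering $true

# 3. RegisterDnsARecords = 0 stops Netlogon trying to register A records for
#    the domain name itself; that name is served by the UNIX DNS, not by this
#    server.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $NetlogonKey -Name 'RegisterDnsARecords' `
    -PropertyType DWord -Value 0 -Force | Out-Null

# Read everything back before the clean reboot that precedes dcpromo.
$state = [ordered]@{
    DnsServers          = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses -join ', '
    Suffix              = (Get-DnsClient -InterfaceAlias $Adapter).ConnectionSpecificSuffix
    RegisterDnsARecords = (Get-ItemProperty -Path $NetlogonKey -Name 'RegisterDnsARecords').RegisterDnsARecords
}
[pscustomobject]$state | Format-List
if ($state.RegisterDnsARecords -ne 0) {
    throw "RegisterDnsARecords is $($state.RegisterDnsARecords), expected 0"
}
```

Run it from an elevated prompt; the final check fails loudly if the Netlogon value did not take, which is the setting most easily forgotten when the build is done by hand.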
Once you're happy with the server build, and after a clean reboot, run dcpromo to upgrade the box to a domain controller. It should be the first domain controller in a new domain tree in a new forest. Its full domain name will be yourdomainname.surrey.ac.uk, with a NetBIOS domain name of YOURDOMAINNAME.
During this process, if you have not previously installed DNS on the server you will be prompted to do so. It is vital you have DNS running on this server. It is recommended that you install DNS on each domain controller that you build for this domain to enable AD DNS integration.
You will end up with a new AD domain, yourdomainname.surrey.ac.uk. You'll now need to configure the Windows 2003 DNS.
Windows 2003 DNS Configuration
You need to tell your Windows 2003 DNS server (i.e. the new domain controller you've just built) to accept the six Active Directory zones previously delegated from the UNIX DNS servers by IT Services.
These six zones are:
_msdcs.yourdomainname.surrey.ac.uk
_tcp.yourdomainname.surrey.ac.uk
_udp.yourdomainname.surrey.ac.uk
_sites.yourdomainname.surrey.ac.uk
domaindnszones.yourdomainname.surrey.ac.uk
forestdnszones.yourdomainname.surrey.ac.uk
Every server or workstation within your new domain needs to be configured to point to the university's UNIX DNS servers, including all domain controllers. The UNIX DNS servers will service all normal DNS requests. Any Active Directory requests specific to your new domain will be passed down to your Windows 2003 DNS server via the delegation.
The web site http://babs.its.yale.edu/yalead/ddns.asp provides more detailed information about DNS delegation and dynamic DNS, and is where the following instructions were extracted from:
1. Log in as "Administrator" on your new domain controller.
2. Under Start -> Programs -> Administrative Tools, select "DNS" to start the DNS configuration tool.
3. Click on the "+" next to the name of your server in the DNS tool to expand it. You should see two folders: "Forward Lookup Zones" and "Reverse Lookup Zones".
4. Right-click on "Forward Lookup Zones" and select "New Zone..." from the menu to start the "New Zone Wizard".
5. Click "Next" to go past the wizard's welcome screen.
6. Select "Active Directory-integrated" for the zone type. This means that the information for the zone will be stored in the AD. Doing this means that your server can support secure updates, so changes to the DNS server can be made from authenticated systems only. You will also not need to configure DNS on any new domain controllers you install it on; Active Directory will replicate DNS configurations between servers. Click "Next" to continue.
7. Enter the name of the first AD zone, "_msdcs.yourdomainname.surrey.ac.uk", in the box provided and click "Next".
8. Confirm the settings on the next screen and click "Next" to apply them.
9. Repeat the previous five steps (4 to 8) to add each of the other five AD zones (_tcp.yourdomainname.surrey.ac.uk, _udp.yourdomainname.surrey.ac.uk, _sites.yourdomainname.surrey.ac.uk, domaindnszones.yourdomainname.surrey.ac.uk, forestdnszones.yourdomainname.surrey.ac.uk). Order is not important; just make sure you add all six zones.
10. Note that there is a zone listed that matches your domain name (yourdomainname.surrey.ac.uk). You need to DELETE THIS ZONE. To do this, right-click on the zone name and choose "Delete". You will get warnings about the zone being removed from the Active Directory; this is normal. Click through the dialogs until the zone is gone.
11. Confirm that all six of the special zones are listed, exit the DNS tool and restart your server. It should start up cleanly.
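The same zone setup as the console steps above, done with the DnsServer module: the six delegated zones are created as AD-integrated zones that accept secure dynamic updates only, the automatically created domain-name zone is removed so that name stays with the UNIX DNS, and the result is checked. This is an added example, not part of the IT Services document or the Yale page it draws on; it assumes Windows Server 2012 or later on the new domain controller (Windows 2003 has no such module) and uses yourdomainname.surrey.ac.uk as a placeholder.

```powershell
# Added example, not part of the IT Services document. Assumes the DnsServer
# module (Windows Server 2012 or later) on the new domain controller.
# 'yourdomainname.surrey.ac.uk' is a placeholder to replace.
$Domain  = 'yourdomainname.surrey.ac.uk'
$AdZones = @(
    "_msdcs.$Domain", "_tcp.$Domain", "_udp.$Domain", "_sites.$Domain",
    "domaindnszones.$Domain", "forestdnszones.$Domain"
)

foreach ($zone in $AdZones) {
    if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
        Write-Host "zone already present: $zone"
        continue
    }
    # ReplicationScope Domain: stored in AD and replicated to every DC in the
    # domain that runs DNS, so later DCs need no manual zone setup.
    # DynamicUpdate Secure: only authenticated machines may add or change
    # records, the same as the wizard's "Active Directory-integrated" choice.
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure
    Write-Host "created zone: $zone"
}

# dcpromo also creates a zone named after the domain itself. That name is
# authoritative on the UNIX DNS, so the local copy must be deleted (step 10).
if (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name $Domain -Force
    Write-Host "removed zone: $Domain"
}

# Final state: all six zones present, AD-integrated, secure updates only.
$present = Get-DnsServerZone | Where-Object { $_.ZoneName -in $AdZones }
$present | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope |
    Format-Table -AutoSize
$missing = $AdZones | Where-Object { $_ -notin $present.ZoneName }
if ($missing) { throw "zones still missing: $($missing -join ', ')" }
$insecure = $present | Where-Object { $_.DynamicUpdate -ne 'Secure' }
if ($insecure) { throw "zones allowing non-secure updates: $($insecure.ZoneName -join ', ')" }
```

The two checks at the end are the ones worth keeping around: a missing zone means Netlogon cannot register that part of the domain's service records, and a zone left on NonsecureAndSecure would let any host on the network overwrite them.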
It's important to check your event log to find out what is broken. If you followed these steps you shouldn't have any serious (red) errors in your log. The NETLOGON service will sometimes report an error like "Dynamic registration of one or more DNS records failed". This error appears to be harmless if your machine is otherwise functioning normally.
After a restart, go in to the DNS configuration tool and check that the six forward lookup zones you previously set up have now been populated with a variety of records and information.
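A script version of the post-restart check described above, covering both the zone contents and the event log. This is an added example, not from the IT Services document; it assumes the DnsServer module (Windows Server 2012 or later) on the new domain controller and uses yourdomainname.surrey.ac.uk as a placeholder.

```powershell
# Added example, not part of the IT Services document. Assumes the DnsServer
# module (Windows Server 2012 or later), run on the new domain controller
# after the restart. 'yourdomainname.surrey.ac.uk' is a placeholder.
$Domain  = 'yourdomainname.surrey.ac.uk'
$AdZones = @(
    "_msdcs.$Domain", "_tcp.$Domain", "_udp.$Domain", "_sites.$Domain",
    "domaindnszones.$Domain", "forestdnszones.$Domain"
)

# 1. Each zone should now hold records registered by Netlogon, beyond the SOA
#    and NS records every zone starts with.
foreach ($zone in $AdZones) {
    $records = @(Get-DnsServerResourceRecord -ZoneName $zone |
        Where-Object { $_.RecordType -ne 'SOA' -and $_.RecordType -ne 'NS' })
    $status = if ($records.Count -gt 0) { 'populated' } else { 'EMPTY - check Netlogon' }
    '{0,-45} {1,4} records  {2}' -f $zone, $records.Count, $status
}

# 2. This DC's own LDAP and Kerberos SRV records should be among them.
$dc = $env:COMPUTERNAME
Get-DnsServerResourceRecord -ZoneName "_tcp.$Domain" -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$dc.*" } |
    Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.DomainName } }

# 3. Red (Error level) events since the restart. The document treats the
#    Netlogon "Dynamic registration ... failed" error as harmless when the
#    server otherwise works; anything else listed here needs a look.
$since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

An empty _msdcs or _tcp zone after a restart usually means the dynamic update never reached this server, so the first things to recheck are the delegation from the UNIX DNS and the DNS suffix and registration settings on the adapter.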
You should now have a fully working AD domain. Inform IT Services when you are ready to establish a trust with the surrey.ac.uk domain. At this stage, ITS will establish the surrey.ac.uk end of the trust and will then inform you of the trust password to allow you to establish your side of the trust.
Making use of the Surrey Accounts
Once the trust is established you can then begin to make use of the central Surrey accounts. To do this your local domain administrator must use their surrey.ac.uk account to access the central Surrey domain. If you need more information about this account or need its password reset then please contact IT Services.
Setting Permissions on Resources
Permissions can be set on resources within your local domain in the normal way:
Log on to your server as a local domain administrator.
Under the properties of the selected resource (e.g. a folder), select the Security tab.
Begin to add a user in the normal way, but change the location to surrey.ac.uk, which should now be listed.
Enter the username or group* to search for and click Check Names.
During this process you will be prompted for a username and password with permission to access the surrey.ac.uk domain. This should be your central surrey.ac.uk account mentioned above.
You can then set the user's or group's* permissions in the normal way.
* A number of default groups exist in the surrey.ac.uk domain that schools/departments may wish to make use of, including groups based on user type (e.g. undergraduate) and user location (e.g. School of Management). Please contact IT Services for further information.
Using this method, a local domain administrator will be prompted for a surrey.ac.uk username each time they wish to set permissions based on surrey.ac.uk accounts. Therefore, if you wish to avoid this, IT Services recommends the following alternative:
Log on to your domain controller as a local domain administrator.
Start up Active Directory Users & Computers, and open up the Administrators group within the Builtin container.
Add the surrey.ac.uk user account for each of your local domain administrators to the list of members of this group. This effectively makes these accounts administrators of your local domain.
After doing this, your local domain administrators can log on to your domain servers against SURREY using their surrey.ac.uk accounts. This will allow you to administer your domain in the normal way, plus make use of the surrey.ac.uk accounts without being prompted for a surrey.ac.uk username and password.
Adding Central Surrey Users to Local Domain Groups
In much the same way you can set permissions using Surrey accounts, you can also add Surrey accounts to local groups you have created within your domain.
However, you must create the group with a scope of Domain Local. It is not possible to add surrey.ac.uk users to Global or Universal groups.
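The trust-side tasks from the sections above (looking up a surrey.ac.uk account through the trust, holding it in a Domain Local group, granting a folder to that group, and the Builtin\Administrators alternative) as one ActiveDirectory-module script. This is an added example, not part of the IT Services document; it assumes Windows Server 2008 R2 or later on a domain controller of the local domain, an established trust to surrey.ac.uk, and placeholder values for the user (jbloggs), group (LIB-Staff-Share) and folder (D:\Shares\Staff). That Add-ADGroupMember accepts the trusted-domain ADUser object directly is an assumption of the example; when it does, the local domain creates the foreign security principal for the account itself.

```powershell
# Added example, not part of the IT Services document. Assumes the
# ActiveDirectory module (Windows Server 2008 R2 or later) on a DC of the local
# domain, and that the one-way trust to surrey.ac.uk already exists.
# 'jbloggs', 'LIB-Staff-Share' and 'D:\Shares\Staff' are placeholders.
Import-Module ActiveDirectory

$LocalDomain   = 'yourdomainname.surrey.ac.uk'
$TrustedDomain = 'surrey.ac.uk'
$SurreyUser    = 'jbloggs'            # a central surrey.ac.uk account
$GroupName     = 'LIB-Staff-Share'
$Folder        = 'D:\Shares\Staff'

# The lookup in the trusted domain is the point at which a surrey.ac.uk
# credential is needed (the prompt the document describes). Logging on with a
# surrey.ac.uk account that is in the local Builtin\Administrators group, as
# in the document's alternative, makes this prompt unnecessary.
$cred = Get-Credential -Message "surrey.ac.uk account with read access to $TrustedDomain"
$user = Get-ADUser -Identity $SurreyUser -Server $TrustedDomain -Credential $cred

# 1. Domain Local is the only scope that accepts members from a trusted
#    external domain; Global and Universal groups reject them.
$localDomainInfo = Get-ADDomain -Server $LocalDomain
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $LocalDomain)) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $localDomainInfo.UsersContainer -Server $LocalDomain
}
# Assumption: the trusted-domain ADUser object is accepted as a member and a
# foreign security principal is created for it in the local domain.
Add-ADGroupMember -Identity $GroupName -Members $user -Server $LocalDomain

# 2. Grant the folder to the local group rather than to individual Surrey
#    accounts, so future access changes are group membership edits only.
$acl  = Get-Acl -Path $Folder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @("$($localDomainInfo.NetBIOSName)\$GroupName", 'Modify',
                    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. The document's alternative: a surrey.ac.uk account in Builtin\Administrators
#    of the local domain. This is full control of the local domain, so it is
#    limited to your own domain administrators' central accounts. Uncomment to apply.
# Add-ADGroupMember -Identity 'Administrators' -Members $user -Server $LocalDomain

# Show the result: group membership and the folder ACE for the group.
Get-ADGroupMember -Identity $GroupName -Server $LocalDomain | Select-Object Name, objectClass
(Get-Acl -Path $Folder).Access | Where-Object { $_.IdentityReference -like "*\$GroupName" }
```

Keeping the Builtin\Administrators step separate and opt-in reflects the difference in scope: the group in step 1 grants access to one share, while step 3 grants administration of the whole local domain to a central account whose password policy and lifecycle are controlled by surrey.ac.uk rather than by you.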
Terms and Conditions
The following points outline some general terms and conditions associated with the procedure outlined within this document:
The central university surrey.ac.uk domain is run by IT Services, and automatically populated (currently every 2 hours during the day) with accounts based on information from HR and Registry. Therefore, all requests for user creation/deletion/updating must go via these departments and not via IT Services.
Accounts are also updated/purged on a nightly basis.
The surrey.ac.uk domain holds a user account for every valid member of the University, and is used to authenticate, among other things, email, Open Access Labs and MkIVs.
Accounts are placed in default security groups based on a person's type (i.e. Staff, Undergraduate, Postgraduate Research, Postgraduate Taught or External) and position (e.g. a department within the School of Engineering).
A domain trusting surrey.ac.uk has read/execute access on these central accounts and groups, and can make full use of them to set permissions on local domain resources and populate local security groups if required.
Administrators of the trusting local domain will not be able to delete/edit/create accounts/groups within the surrey.ac.uk domain, nor will they be able to reset passwords on these surrey.ac.uk accounts. They will have full control over their local domain, along with any local accounts they wish to create. No administrators of the surrey.ac.uk domain will have access or control at the local domain level unless deemed necessary by the local domain administrators.
The only attribute set on a user profile for a non-supported workstation user is their home drive, which maps H: to the user's file space on the University's central file storage area. Access to this is currently IP restricted; therefore, if the mapping were required on machines currently excluded, the IP restriction would need reconfiguring. We use this home drive area to store equivalent profile information, and therefore redirect normal profile file locations to a folder on the H: drive.
No logon scripts are associated with users. Logon scripts should only be associated with machines via group policies (using the loopback facility).
No group policies are applied to any of the OUs within surrey.ac.uk that contain users. The only group policy that affects a user is the Default Domain Policy, which is used primarily to control the account security policy. This account security policy (including password complexity and rules, details of which are included in a help sheet for your end users) is set by the University and cannot be changed or overridden by other departments or schools.