Document: Active Directory Domain Configuration (ppt)

Active Directory Domain Configuration

This document provides a set of guidelines for configuring a new Active Directory domain, in a new forest, that will then have a one-way trust established from it up to the central university Active Directory (AD) domain, surrey.ac.uk. These guidelines are provided by IT Services to those schools or departments wishing to build their own AD structure but make use of the central university accounts held within surrey.ac.uk.

This document only applies to Windows 2003 domains – we do not recommend implementing Windows 2000 domains. Please contact IT Services for information regarding Windows 2000 domains. IT Services can provide assistance at any stage of the build and configuration of the new domain if required.

• Decide on a domain name. The preferred scheme is to mimic existing DNS domain name schemes; e.g. lib.surrey.ac.uk existed as a DNS domain, and therefore also became the name of the AD domain.
• Decide on a naming convention for your domain controllers; e.g. surrey.ac.uk domain controllers are named ADS01, ADS02 etc.
• Ensure the domain controllers' names are registered against a valid IP in the university's UNIX DNS.
• At this stage, inform IT Services of the domain name of your new AD domain and the name of each domain controller hosting the domain. To begin with this may just be a single server, i.e. the first DC in the domain. This, and usually any future domain controllers, will run Windows 2003 DNS for your domain. IT Services will be able to set up the necessary DNS delegation of six AD zones from the UNIX DNS down to your domain's Windows 2003 DNS. These six zones are explained in more detail later in this document.
• Install Windows 2003 Server on to the first domain controller in your domain as per normal, and configure it how you wish. The following configurations are required:
• Ensure the latest service pack is applied, along with any post-service-pack patches.
• Set the server to point to the university's UNIX DNS servers (131.227.100.12 and 131.227.102.6).
• Make the following registry change: under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters add a value with the name RegisterDnsARecords (of type REG_DWORD) and set it to 0 (zero).
• Under the DNS tab in the advanced TCP/IP property page of networking, ensure the box "Register this connection's address in DNS" is ticked. Enter the DNS suffix as yourdomainname.surrey.ac.uk, and also tick the second box about using this connection's suffix in DNS registration.
• Once you're happy with the server build, and after a clean reboot, run dcpromo to upgrade the box to a domain controller. It should be the first domain controller in a new domain tree in a new forest. Its full domain name will be yourdomainname.surrey.ac.uk, with a NetBIOS domain name of YOURDOMAINNAME.
• During this process, if you have not previously installed DNS on the server you will be prompted to do so. It is vital that you have DNS running on this server. It is recommended that you install DNS on each domain controller that you build for this domain to enable AD DNS integration.
• You will end up with a new AD domain, yourdomainname.surrey.ac.uk. You'll now need to configure the Windows 2003 DNS.

Page 1 of 4 xfm1387894521.doc University of Surrey – IT Services 24/12/13 PV

Windows 2003 DNS Configuration

You need to tell your Windows 2003 DNS server (i.e. the new domain controller you've just built) to accept the six Active Directory zones previously delegated from the UNIX DNS servers by IT Services. These six zones are:

_msdcs.yourdomainname.surrey.ac.uk
_tcp.yourdomainname.surrey.ac.uk
_udp.yourdomainname.surrey.ac.uk
_sites.yourdomainname.surrey.ac.uk
domaindnszones.yourdomainname.surrey.ac.uk
forestdnszones.yourdomainname.surrey.ac.uk

Every server or workstation within your new domain needs to be configured to point to the university's UNIX DNS servers, including all domain controllers.
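The server build checklist above (registry value, DNS client settings) and the six-zone DNS configuration of this section, as an added command-line equivalent of the GUI steps; this is an example script, not part of the IT Services document. It assumes an elevated cmd prompt on the new Windows 2003 server, a single IP-enabled network adapter, and that the placeholder yourdomainname.surrey.ac.uk is replaced with the real domain name.

```batch
@echo off
REM Added example, not the IT Services document's own script. Two stages
REM on the new Windows 2003 server: "prep" is run before dcpromo, "zones"
REM after the server has become a domain controller. Assumptions: one
REM IP-enabled NIC, an elevated prompt, and the domain placeholder replaced.
setlocal
set DOM=yourdomainname.surrey.ac.uk
set DNS1=131.227.100.12
set DNS2=131.227.102.6
if /i "%~1"=="prep"  goto prep
if /i "%~1"=="zones" goto zones
echo Usage: %~nx0 prep ^| zones
goto :eof

:prep
REM Stop Netlogon registering A records for the domain name itself: that
REM name is held on the UNIX DNS, so only the six delegated sub-zones are
REM writable from here.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters ^
    /v RegisterDnsARecords /t REG_DWORD /d 0 /f
REM Client DNS: the UNIX servers in order, the connection-specific suffix,
REM and both registration boxes ("register address", "use this suffix").
wmic nicconfig where "IPEnabled=TRUE" call SetDNSServerSearchOrder ("%DNS1%","%DNS2%")
wmic nicconfig where "IPEnabled=TRUE" call SetDNSDomain "%DOM%"
wmic nicconfig where "IPEnabled=TRUE" call SetDynamicDNSRegistration TRUE,TRUE
ipconfig /all | findstr /i /c:"DNS Suffix" /c:"DNS Servers"
echo Reboot cleanly, then run dcpromo.
goto :eof

:zones
REM The six delegated zones as Active Directory-integrated primaries
REM (/DsPrimary) that accept secure dynamic updates only (/AllowUpdate 2),
REM so only authenticated domain members can register records.
for %%Z in (_msdcs _tcp _udp _sites domaindnszones forestdnszones) do (
    dnscmd /ZoneAdd %%Z.%DOM% /DsPrimary
    dnscmd /Config %%Z.%DOM% /AllowUpdate 2
)
REM The zone named after the domain must not be hosted here: the UNIX DNS
REM is authoritative for it. /DsDel removes the AD copy, /f skips the prompt.
dnscmd /ZoneDelete %DOM% /DsDel /f
dnscmd /EnumZones
echo Restart the server, then confirm the zones have been populated with:
echo     nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOM%
goto :eof
```

Run `script.cmd prep` before dcpromo and `script.cmd zones` afterwards; the final nslookup resolves through the UNIX DNS delegation, so an answer shows both the delegation and the zone registration are working.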
The UNIX DNS servers will service all normal DNS requests. Any Active Directory requests specific to your new domain will be passed down to your Windows 2003 DNS server via the delegation. The web site http://babs.its.yale.edu/yalead/ddns.asp provides more detailed information about DNS delegation and dynamic DNS, and is where the following instructions were extracted from:

• Log in as "Administrator" on your new domain controller.
• Under Start -> Programs -> Administrative Tools, select "DNS" to start the DNS configuration tool.
• Click on the "+" next to the name of your server in the DNS tool to expand it. You should see two folders, "Forward Lookup Zones" and "Reverse Lookup Zones".
• Right-click on "Forward Lookup Zones" and select "New Zone..." from the menu to start the "New Zone" wizard.
• Click "Next" to go past the wizard's welcome screen.
• Select "Active Directory-integrated" for the zone type. This means that the information for the zone will be stored in the AD. Doing this means that your server can support secure updates, so changes to the DNS server can be made from authenticated systems only. You will also not need to configure DNS on any new domain controllers you install it on – Active Directory will replicate DNS configurations between servers. Click "Next" to continue.
• Enter the name of the first AD zone, "_msdcs.yourdomainname.surrey.ac.uk", in the box provided and click "Next".
• Confirm the settings on the next screen and click "Next" to apply them.
• Repeat the previous five steps to add each of the other five AD zones (_tcp.yourdomainname.surrey.ac.uk, _udp.yourdomainname.surrey.ac.uk, _sites.yourdomainname.surrey.ac.uk, domaindnszones.yourdomainname.surrey.ac.uk and forestdnszones.yourdomainname.surrey.ac.uk). Order is not important; just make sure you add all six zones.
• Note that there is a zone listed that matches your domain name (yourdomainname.surrey.ac.uk). You need to DELETE THIS ZONE. To do this, right-click on the zone name and choose "Delete". You will get warnings about the zone being removed from the Active Directory; this is normal. Click through the dialogs until the zone is gone.
• Confirm that all six of the special zones are listed, exit the DNS tool and restart your server. It should start up cleanly.

It's important to check your event log to find out what is broken. If you followed these steps you shouldn't have any serious (red) errors in your log. The NETLOGON service will sometimes report an error like "Dynamic registration of one or more DNS records failed...". This error appears to be harmless if your machine is otherwise functioning normally.

After a restart, go into the DNS configuration tool and check that the six forward lookup zones you previously set up have now been populated with a variety of records and information.

You should now have a fully working AD domain. Inform IT Services when you are ready to establish a trust with the surrey.ac.uk domain. At this stage, ITS will establish the surrey.ac.uk end of the trust and will then inform you of the trust password to allow you to establish your side of the trust.

Making use of the Surrey Accounts

Once the trust is established you can then begin to make use of the central Surrey accounts. To do this your local domain administrator must use their surrey.ac.uk account to access the central Surrey domain. If you need more information about this account or need its password reset then please contact IT Services.

Setting Permissions on Resources

Permissions can be set on resources within your local domain in the normal way:

• Log on to your server as a local domain administrator.
• Under the properties of the selected resource (e.g. a folder), select the Security tab.
• Begin to add a user in the normal way, but change the location to surrey.ac.uk, which should now be listed.
• Enter the username or group* to search for and click "Check Names".
• During this process you will be prompted for a username and password with permission to access the surrey.ac.uk domain. This should be your central surrey.ac.uk account mentioned above.
• You can then set the user's/group's* permissions in the normal way.

* A number of default groups exist in the surrey.ac.uk domain that schools/departments may wish to make use of, including groups based on user type (e.g. undergraduate) and user location (e.g. School of Management). Please contact IT Services for further information.

Using this method, a local domain administrator will be prompted for a surrey.ac.uk username each time they wish to set permissions based on surrey.ac.uk accounts. If you wish to avoid this, IT Services recommends the following alternative:

• Log on to your domain controller as a local domain administrator.
• Start up Active Directory Users & Computers, and open up the Administrators group within the Builtin container.
• Add the surrey.ac.uk user account for each of your local domain administrators to the list of members of this group. This effectively makes these accounts administrators of your local domain.
• After doing this, your local domain administrators can log on to your domain servers against SURREY using their surrey.ac.uk accounts. This will allow you to administer your domain in the normal way, plus make use of the surrey.ac.uk accounts without being prompted for a surrey.ac.uk username and password.

Adding Central Surrey Users to Local Domain Groups

In much the same way you can set permissions using Surrey accounts, you can also add Surrey accounts to local groups you have created within your domain. However, you must create the group with a scope of Domain Local. It is not possible to add surrey.ac.uk users to Global or Universal groups.

Terms and Conditions

The following points outline some general terms and conditions associated with the procedure outlined within this document:

• The central university surrey.ac.uk domain is run by IT Services, and is automatically populated (currently every 2 hours during the day) with accounts based on information from HR and Registry. Therefore, all requests for user creation/deletion/updating must go via these departments and not via IT Services. Accounts are also updated/purged on a nightly basis.
• The surrey.ac.uk domain holds a user account for every valid member of the University, and is used to authenticate, among other things, email, Open Access Labs and MkIVs.
• Accounts are placed in default security groups based on a person's type (i.e. Staff, Undergraduate, Postgraduate Research, Postgraduate Taught or External) and position (e.g. a department within the School of Engineering).
• A domain trusting surrey.ac.uk has read/execute access on these central accounts and groups, and can make full use of them to set permissions on local domain resources and populate local security groups if required.
• Administrators of the trusting local domain will not be able to delete/edit/create accounts/groups within the surrey.ac.uk domain, nor will they be able to reset passwords on these surrey.ac.uk accounts. They will have full control over their local domain, along with any local accounts they wish to create. No administrators of the surrey.ac.uk domain will have access or control at the local domain level unless deemed necessary by the local domain administrators.
• The only attribute set on a user profile for a non-supported workstation user is their home drive, which maps H: to the user's file space on the University's central file storage area. Access to this is currently IP restricted; therefore, if the mapping were required on machines currently excluded, the IP restriction would need reconfiguring. We use this home drive area to store equivalent profile information, and therefore redirect normal profile file locations to a folder on the H: drive.
• No logon scripts are associated with users. Logon scripts should only be associated with machines via group policies (using the loopback facility).
• No group policies are applied to any of the OUs within surrey.ac.uk that contain users. The only group policy that affects a user is the Default Domain Policy, which is used primarily to control the account security policy. This account security policy (including password complexity and rules, details of which are included in a help sheet for your end users) is set by the University and cannot be changed or overridden by other departments or schools.
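The permission and group-membership steps described above (adding central administrators to the Builtin Administrators group, and using Domain Local groups to hold surrey.ac.uk users), as an added command-line example that is not part of the IT Services document. It assumes SURREY is the NetBIOS name of surrey.ac.uk, that jsmith, ProjectsRead and D:\Shares\Projects are placeholders, and that the prompt runs under an account that can already read surrey.ac.uk (the document notes a plain local administrator is otherwise prompted for surrey.ac.uk credentials).

```batch
@echo off
REM Added example, not the IT Services document's own script. Run from an
REM elevated cmd prompt on a domain controller of the local domain after
REM the trust to surrey.ac.uk has been established. Placeholders: SURREY
REM (NetBIOS name of surrey.ac.uk), jsmith, ProjectsRead, D:\Shares\Projects.
setlocal
set CENTRAL_ADMIN=SURREY\jsmith
set SHARE=D:\Shares\Projects

REM 1. Make a central account an administrator of the local domain by adding
REM    it to the Builtin Administrators group. On a DC, "net localgroup"
REM    operates on the domain's Builtin and Domain Local groups.
net localgroup Administrators %CENTRAL_ADMIN% /add

REM 2. Create a group to hold central users. "net localgroup ... /add" on a
REM    DC creates a Domain Local group, the only scope that can contain
REM    members from the trusted surrey.ac.uk domain (not Global/Universal).
net localgroup ProjectsRead /add /comment:"Central accounts with read access"
net localgroup ProjectsRead SURREY\jsmith /add

REM 3. Grant the group, not individual accounts, on the resource.
REM    /E edits the existing ACL in place; /G grants the listed right (R).
cacls %SHARE% /E /G ProjectsRead:R

REM Review what was applied.
net localgroup Administrators
net localgroup ProjectsRead
cacls %SHARE%
endlocal
```

Membership changes for accounts from the trusted domain take effect at the next logon, so a test user should log off and on before checking access to the share.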

Posted: 24/12/2013, 21:15
