MoFA AD Perimeter Zone
Internal Use
Installation Procedure
MoFA Active Directory Perimeter Zone Installation Guide
Abstract
This document describes how to set up the MoFA Active Directory for the perimeter zone.
Document Reference
Document Type: Installation Procedure
Version: 1.0
Classification: Internal Use
Status: DRAFT
Date of Issue: 5th December 2012
File Location: IT Operation team sharepoint
# Pages: 4
Produced by: Benoît Lejoly
Reviewed by: Mohammed Al Gannam
Authorized by: Fatih Bekir Kihtir; Majid Al Mirzam
Table of contents
1. Introduction ... 5
1.1 Intended audience ... 5
1.2 Sources ... 5
1.3 Change history ... 5
1.4 Forecast changes ... 5
1.5 Abbreviations / Glossary ... 5
2. Installation Prerequisite(s) ... 6
2.1 Reader’s guide ... 6
2.2 Hardware ... 6
2.2.1 Disk Space Requirement ... 6
2.2.2 HW requirements (If applicable) ... 6
2.3 Software ... 6
2.3.1 Software OS Prerequisites (Mandatory) ... 6
2.3.2 Software dependencies (If applicable) ... 6
2.3.3 Out of Scope ... 6
2.3.4 Software Support lifecycle (mandatory) ... 7
2.3.5 Software Sources (mandatory) ... 7
2.4 Others prerequisites ... 7
3. Installation guide ... 8
3.1 Installation Variables (Mandatory) ... 8
3.2 Build details ... 8
3.2.1 Production Environment ... 8
3.2.2 Non-Production Environment ... 9
3.3 Installation Steps ... 10
3.3.1 Production environment – Build process overview ... 10
3.4 First DC Installation ... 10
3.4.1 Installation options ... 10
3.4.2 Installation steps ... 11
3.4.3 Installation validation ... 15
3.5 Install Additional Domain controller ... 15
3.5.1 Installation options ... 16
3.5.2 Installation steps ... 16
3.5.3 Installation validation ... 20
3.5.4 DNS Configuration on the first Domain Controller ... 21
3.6 Top Level OU creation ... 22
3.6.1 Installation Options ... 22
3.6.2 Installation steps ... 22
3.6.3 Installation validation ... 24
3.7 Create the sub-levels OUs ... 25
3.7.1 Installation options ... 25
3.7.2 Installation steps ... 25
3.7.3 Installation validation ... 27
3.8 Create Groups ... 28
3.8.1 Installation Options ... 28
3.8.2 Installation execution ... 28
3.8.3 Installation validation ... 30
3.8.4 Rights configuration ... 30
3.8.4.1 P_PRM_L_ExtGroupsMgmt_Read ... 30
3.8.4.2 P_PRM_L_ExtGroupsMgmt_Write ... 34
3.8.4.3 P_PRM_L_ExtUsersMgmt_Read ... 37
3.8.4.4 P_PRM_L_ExtUsersMgmt_Write ... 41
3.9 Apply GPO adapted for Perimeter network settings ... 44
Table of Figures
Figure 1: MOFA.WEB Production Forest overview ... 7
Figure 2: NPMOFA.WEB Production Forest overview ... 8
Figure 3: Installation flow process ... 9
Introduction
Intended audience
This document covers the installation of the Perimeter zone Active Directory and is intended to be used by the MoFA Wintel Operational team.
The goal of this document is to give the reader all the information needed to successfully install the new Active Directory forests and the ADMT servers.
Sources
[1]: Active Directory DMZ Design v1.0.docx
[2]:
[3]:
Change history
Version | Nature of change | Date
01.00 | First version | 05/12/2012
Forecast changes
Version | Nature of change | Date
Abbreviations / Glossary
Abbreviation | Full text
AD | Active Directory
DNS | Domain Name Server
GPO | Group Policy Object
Installation Prerequisite(s)
Reader’s guide
This document describes the installation of Microsoft Active Directory Domain Services (AD DS).
For each component, the installation guide contains 3 subchapters:
· Installation Options: which options are needed to deploy the component
· Installation Steps: defines the main steps and sub-steps
· Installation Validation: how to validate the installation of the component
If a package is needed for an installation, it is assumed that the sources will be copied locally on the machine where you want to install.
Hardware
Disk Space Requirement
Server requirements for domain controllers are described in the Perimeter Active Directory Design document referenced as [1].
As a summary, the table below shows what is needed for each domain controller:
Disk | Space used for installation | Disk Type (Virtual/Physical)
40 GB | System Disk (C:) – Contains mainly the OS | Virtual
10 GB | Data disk (D:) | Virtual
10 GB | Swap disk (S:) | Virtual
10 GB | Logs disk (L:) | Virtual
CD/DVD | Z: | Virtual
HW requirements (If applicable)
Hardware requirements are also defined in the Perimeter Active Directory design document referenced as [1], in the chapter “Domain Controller System Configuration”.
Software
Software OS Prerequisites (Mandatory)
This installation procedure must be executed on the following Operating System:
· Windows 2008 R2 SP1
This operating system must be patched to the latest available level provided by Microsoft. Please run a Windows update or any patch deployment software prior to executing this installation.
Software dependencies (If applicable)
This installation procedure requires the following components to be installed prior to the software installation:
-
-
Out of Scope
The following items are determined to be out of scope:
· The antivirus installation and configuration, as it will follow the System Center deployment in the perimeter zone.
· The installation and configuration of the monitoring, as this step is part of the deployment of the System Center platform. Specific monitoring requirements have however been described in the Active Directory Design document [1].
· The Windows base operating system installation, as it will follow the current MoFA installation standards.
· AD backups: appropriate recommendations have been made in the Active Directory Design document [1]. The backup strategy will be defined by the MoFA.
Software Support lifecycle (mandatory)
The products whose installation is described in this document are part of the Operating System, which means that they have the same support lifecycle as the Operating System itself. Please refer to your Microsoft Premier support contract to validate the current OS support dates and any possible extensions that might be signed by the MoFA.
Software Sources (mandatory)
All sources needed for this procedure are built into the operating system. No additional software is required during the setup.
Others prerequisites
Prior to starting the build process, make sure that the following prerequisites are covered:
· The user used for the installation has local administrative rights on the target servers where the setup will be executed
· All IP addresses are known and the servers are configured with fixed IPs
· Both machines can fully communicate with each other without firewall restrictions
· The latest Microsoft patches have been deployed on the machines
· An antivirus installation is scheduled after this setup (as we are in the perimeter zone and these machines are first needed to set up the System Center platform)
· Scripts and answer files are copied locally on each machine
Installation guide
Installation Variables (Mandatory)
Variable | Value per environment | Comment
Variable 1
Variable 2
Variable 3
Value Z
Applicable to all environments
Build details
Production Environment
The picture below provides an overview of what needs to be built:
Figure 1: MOFA.WEB Production Forest overview
Each of the following server roles will be installed on both machines:
Role Name | Installed Components | Notes
Domain Controller | Microsoft Windows Server 2008 R2 SP1; Microsoft Active Directory Domain Services; Microsoft DNS Server | Identical roles will be installed on both machines. Due to AD specific constraints, some internal AD key roles will be processed on RUH-DCDMZ-01.
The table below provides details for the installation itself:
Server name: RUH-DCDMZ-01
IP: TO BE COMPLETED
Netmask: TO BE COMPLETED
Gateway: TO BE COMPLETED
Primary DNS: RUH-DCDMZ-01
Secondary DNS: RUH-DCDMZ-02
A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
Server name: RUH-DCDMZ-02
IP: TO BE COMPLETED
Netmask: TO BE COMPLETED
Gateway: TO BE COMPLETED
Primary DNS: RUH-DCDMZ-02
Secondary DNS: RUH-DCDMZ-01
A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
Non-Production Environment
The picture below provides an overview of what needs to be built for the Non-Production environment:
Figure 2: NPMOFA.WEB Production Forest overview
Each of the following server roles will be installed on both machines:
Role Name | Installed Components | Notes
Domain Controller | Microsoft Windows Server 2008 R2 SP1; Microsoft Active Directory Domain Services; Microsoft DNS Server | Identical roles will be installed on both machines. Due to AD specific constraints, some internal AD key roles will be processed on RUH-DCDMZ-01.
The table below provides details for the installation itself:
Server name: RUH-TDCDMZ-01
IP: TO BE COMPLETED
Netmask: TO BE COMPLETED
Gateway: TO BE COMPLETED
Primary DNS: RUH-TDCDMZ-01
Secondary DNS: RUH-TDCDMZ-02
A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
Server name: RUH-TDCDMZ-02
IP: TO BE COMPLETED
Netmask: TO BE COMPLETED
Gateway: TO BE COMPLETED
Primary DNS: RUH-TDCDMZ-02
Secondary DNS: RUH-TDCDMZ-01
A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone. This VLAN must be a different one than the production VLAN.
Installation Steps
Production environment – Build process overview
The schema below provides an overview of the perimeter forest build process:
Figure 3: Installation flow process
· Items in blue must be done only once.
· Items in yellow might be done repeatedly to create multiple objects.
First DC Installation
This section explains how to install the first domain controller of the environment using the provided scripts.
Installation options
The variables described below are part of the “unattended_firstDC.xml” file. Please check the values contained in the script and, if they are not aligned with this document, align them prior to using the script (italic text must not be in the answer file). Pay attention that the script will have a different configuration for Production and Non-Production.
Variable Name | Variable Value
ReplicaOrNewDomain | Domain
NewDomain | Forest
NewDomainDNSName | Production: MOFA.WEB / Non-Production: NPMOFA.WEB
ForestLevel | 4
DomainNetbiosName | Production: MOFAWEB / Non-Production: NPMOFAWEB
DomainLevel | 4
InstallDNS | Yes
ConfirmGc | Yes
CreateDNSDelegation | No
DatabasePath | D:\NTDS
LogPath | L:\NTDS
SYSVOLPath | C:\windows\sysvol
SafeModeAdminPassword | **********
RebootOnCompletion | Yes
Installation steps
Log on to the future first domain controller. In our example, we are taking “RUH-DCDMZ-01” as reference. Check that your user is a member of the local Administrators group of the machine.
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”.
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change.
Create a folder called “setup” at the root of the “C:” drive.
Copy all installation scripts into this folder.
In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-Add-ADDS-Role.ps1”
Type “R” if prompted to run the script.
Wait for the end of the script execution.
Once the script has finished, you should get this screen:
Now type the following command at the PowerShell prompt: “dcpromo.exe /unattend:C:\setup\unattended_firstDC_Prod.txt” and press Enter.
The Active Directory installation should start. Wait until the installation is completed. This operation can take some time, be patient.
Once the installation is completed, the server will restart by itself. Once the machine has restarted, log on again to the server.
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”.
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change.
Set the PowerShell working location back to “C:\Setup” and, at the command prompt, type powershell.exe “.\RenameDefaultSite.ps1” then press Enter.
The script execution result will be something like:
We have successfully installed the first Domain Controller. Repeat the same operation with the adapted scripts (called NONPROD) for the Non-Production Environment.
Installation validation
Log on to the server with an administrative account.
In the Server Manager, validate that the AD DS and DNS roles have been added. Note: the DNS role is automatically added during the dcpromo.exe execution.
In Active Directory Sites and Services, validate that the Default-First-Site-Name site has been renamed to MoFA-Riyadh-HQ.
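The manual checks above can be scripted. The following validation script is an added example and is not one of the MoFA scripts delivered with this procedure; it assumes it is run in an elevated PowerShell on the newly promoted DC after the RenameDefaultSite.ps1 step, and it checks the roles, the names and functional levels from the answer file, the NTDS disk layout, the site rename, the global catalog flag and the SYSVOL/NETLOGON shares (edit $expected for Non-Production).

```powershell
# Added validation script for the first DC build; not one of the MoFA scripts.
# Assumes: elevated PowerShell on the new DC (Windows 2008 R2 SP1), run after
# RenameDefaultSite.ps1. Use NPMOFA.WEB / NPMOFAWEB for Non-Production.
Import-Module ServerManager
Import-Module ActiveDirectory

$expected = @{
    DomainDnsName = 'MOFA.WEB'        # NewDomainDNSName in the answer file
    NetbiosName   = 'MOFAWEB'         # DomainNetbiosName
    SiteName      = 'MoFA-Riyadh-HQ'  # set by RenameDefaultSite.ps1
    DatabasePath  = 'D:\NTDS'         # DatabasePath
    LogPath       = 'L:\NTDS'         # LogPath
}
$failures = @()

# 1. Roles: AD DS and DNS (DNS is installed by dcpromo because InstallDNS=Yes)
foreach ($role in 'AD-Domain-Services', 'DNS') {
    if (-not (Get-WindowsFeature -Name $role).Installed) {
        $failures += "Role $role is not installed"
    }
}

# 2. Forest/domain identity and functional levels (ForestLevel/DomainLevel 4 = Windows Server 2008 R2)
$forest = Get-ADForest
$domain = Get-ADDomain
if ($forest.RootDomain -ne $expected.DomainDnsName) {
    $failures += "Forest root domain is $($forest.RootDomain), expected $($expected.DomainDnsName)"
}
if ($domain.NetBIOSName -ne $expected.NetbiosName) {
    $failures += "NetBIOS name is $($domain.NetBIOSName), expected $($expected.NetbiosName)"
}
if ("$($forest.ForestMode)" -ne 'Windows2008R2Forest') {
    $failures += "Forest functional level is $($forest.ForestMode), expected Windows2008R2Forest"
}
if ("$($domain.DomainMode)" -ne 'Windows2008R2Domain') {
    $failures += "Domain functional level is $($domain.DomainMode), expected Windows2008R2Domain"
}

# 3. NTDS database and logs must sit on the dedicated D: and L: disks
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($ntds.'DSA Working Directory' -ne $expected.DatabasePath) {
    $failures += "NTDS database directory is $($ntds.'DSA Working Directory'), expected $($expected.DatabasePath)"
}
if ($ntds.'Database log files path' -ne $expected.LogPath) {
    $failures += "NTDS log directory is $($ntds.'Database log files path'), expected $($expected.LogPath)"
}

# 4. Site rename: the expected site exists and Default-First-Site-Name is gone
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$sites = @(Get-ADObject -SearchBase $sitesDn -SearchScope OneLevel -Filter 'objectClass -eq "site"' |
           ForEach-Object { $_.Name })
if ($sites -notcontains $expected.SiteName) {
    $failures += "Site $($expected.SiteName) not found (sites: $($sites -join ', '))"
}
if ($sites -contains 'Default-First-Site-Name') {
    $failures += 'Default-First-Site-Name still exists; RenameDefaultSite.ps1 did not run'
}

# 5. This DC is a global catalog (ConfirmGc=Yes) and publishes SYSVOL and NETLOGON
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
if (-not $dc.IsGlobalCatalog) { $failures += "$($dc.HostName) is not a global catalog" }
$shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -notcontains $s) { $failures += "Share $s is not published" }
}

if ($failures.Count -eq 0) {
    Write-Host 'First DC validation: all checks passed'
} else {
    Write-Warning ("First DC validation: {0} check(s) failed" -f $failures.Count)
    $failures | ForEach-Object { Write-Warning $_ }
}
```

The build steps leave the execution policy at Unrestricted; this script only needs RemoteSigned, so the policy can be set back to that once the build has been validated.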
Install Additional Domain controller
This chapter describes the steps to follow to add a domain controller to the MOFA.WEB forest. For the current build, only one additional domain controller will be added.
The MoFA can reuse this chapter later, when additional domain controllers need to be added to the forest.
Installation options
This section details the variables in the configuration file that are most likely to change when executing the scripts.
Configuration variables to verify in unattended_additionalDC.txt. If a value is not aligned with the value in this document, please update the answer file.
Variable Name | Variable Value
ReplicaOrNewDomain | Replica
ReplicaDomainDNSName | MOFA.WEB
SiteName | MoFA-Riyadh-HQ
InstallDNS | Yes
ConfirmGc | Yes
CreateDNSDelegation | No
UserDomain |
UserName | Administrator
Password | *(put the correct password)
DatabasePath | D:\NTDS
LogPath | L:\NTDS
SYSVOLPath | C:\windows\sysvol
SafeModeAdminPassword | *(put the correct password)
RebootOnCompletion | Yes
You have to fill in the password fields prior to using the unattended file.
Installation steps
Log on to the future additional domain controller. In our example, we are taking “RUH-DCDMZ-02” as reference. Check that your user is a member of the local Administrators group of the machine.
The first step to do prior to the installation of the domain controller role is to set the preferred DNS server to the IP address of the first domain controller and the alternate DNS server to the IP address of our local machine (the one installed following the procedure above):
Note: the illustration above was made in a lab and does not reflect your environment.
Click on “OK” to apply these parameters and close all the windows.
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”.
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change.
Create a folder called “setup” at the root of the “C:” drive.
Copy all installation scripts into this folder.
In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-Add-ADDS-Role.ps1”
Type “R” if prompted to run the script.
Wait for the end of the script execution.
Once the script has finished, you should get this screen:
Now type the following command at the PowerShell prompt: “dcpromo.exe /unattend:C:\setup\unattended_additionalDC_Prod.txt” and press Enter.
The Active Directory installation should start. Wait until the installation is completed. This operation can take some time, be patient. The installation screen looks something like this:
Once finished, the machine will reboot automatically.
Installation validation
Log on to the server with an administrative account (member of the Domain Admins group).
In the Server Manager, validate that the AD DS and DNS roles have been added. Note: the DNS role is automatically added during the dcpromo.exe execution.
In Active Directory Users and Computers, validate that both domain controllers are present in the default OU.
DNS Configuration on the first Domain Controller
As we have now added a second Domain Controller that is also a DNS server in the environment, we must adapt the DNS settings of the first Domain Controller to enable redundancy. To do so, connect to the first domain controller and log on to it. Go to the network card properties and adapt the settings to have the IP address of the second domain controller as Primary DNS server and the IP address of the first domain controller as Alternate DNS server.
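Once both DCs have their DNS client settings crossed as described above, the result can be checked from either DC. The following script is an added example, not one of the MoFA scripts; it assumes a domain admin session with the ActiveDirectory module, WMI reachable between the two DCs, and the final DNS client layout from this section (on each DC: preferred DNS = the other DC, alternate DNS = itself). It also confirms that both DCs sit in the Domain Controllers OU and that replication between them reports no failures.

```powershell
# Added check of two-DC DNS redundancy and replication state; not one of the MoFA scripts.
# Assumes: elevated PowerShell on either DC, domain admin account, both DCs built and
# their DNS client settings crossed as in "DNS Configuration on the first Domain Controller".
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$failures = @()

# 1. Both DCs must sit in the default Domain Controllers OU
$dcsInOu = @(Get-ADComputer -Filter * -SearchBase "OU=Domain Controllers,$domainDn" -SearchScope OneLevel)
if ($dcsInOu.Count -ne 2) {
    $failures += "Expected 2 computers in the Domain Controllers OU, found $($dcsInOu.Count)"
}

# 2. DNS client order on each DC: entry [0] = the other DC, entry [1] = itself
$dcs = @(Get-ADDomainController -Filter * | Select-Object Name, HostName, IPv4Address)
foreach ($dc in $dcs) {
    $self  = $dc.IPv4Address
    $peers = @($dcs | Where-Object { $_.Name -ne $dc.Name } | ForEach-Object { $_.IPv4Address })
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dc.HostName -Filter 'IPEnabled=True' |
           Where-Object { $_.DNSServerSearchOrder } | Select-Object -First 1
    $order = @($nic.DNSServerSearchOrder)
    if ($order.Count -lt 2) {
        $failures += "$($dc.Name): only $($order.Count) DNS server(s) configured, no redundancy"
        continue
    }
    if ($peers -notcontains $order[0]) {
        $failures += "$($dc.Name): preferred DNS $($order[0]) is not the other domain controller"
    }
    if ($order[1] -ne $self) {
        $failures += "$($dc.Name): alternate DNS $($order[1]) is not its own address $self"
    }
}

# 3. Replication: every inbound link must report zero failures.
# repadmin /showrepl /csv is used because the Get-ADReplication* cmdlets need Windows Server 2012 or later.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($l in $links) {
    if ([int]$l.'Number of Failures' -gt 0) {
        $failures += "$($l.'Destination DSA') <- $($l.'Source DSA') [$($l.'Naming Context')]: " +
                     "$($l.'Number of Failures') failure(s), last status $($l.'Last Failure Status')"
    }
}

if ($failures.Count -eq 0) {
    Write-Host 'Additional DC / DNS redundancy validation: all checks passed'
} else {
    Write-Warning ("Validation: {0} check(s) failed" -f $failures.Count)
    $failures | ForEach-Object { Write-Warning $_ }
}
```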
Top Level OU creation
Installation Options
This section details the variables in the configuration file that are most likely to change when executing the scripts.
Configuration variables to verify in MoFA-CreateTopOUs.xml. If a value is not aligned with the value in this document, please update the XML file:
Installation steps
As we have now installed our two domain controllers, it is time to set up the OU structure at the top level. To do so and to automate it, a script has been prepared. The script is called “MoFA-CreateTopOUs.ps1” and its response file is “MoFA-CreateTopOUs.xml”.
Log on to the first Domain Controller with a user that is a member of the Domain Admins group.
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”.
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change.
Copy the two above-mentioned files into the previously created folder called “setup” at the root of the “C:” drive.
Copy all installation scripts into this folder.
In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-CreateTopOUs.ps1”
Type “R” if prompted to run the script.
Wait for the end of the script execution.
Installation validation
Launch “Active Directory Users and Computers” and validate that the OUs have been created according to the parameter file.
Create the sub-levels OUs
Installation options
This section presents a high-level overview of the XML file that creates the different Active Directory OUs. These values have been aligned with the design document referenced [1] and it is assumed that the user is able to adapt the XML file accordingly to create additional OUs if necessary. The user can also refer to the comments that are integrated in the MoFA-CreateSubLevelsOUs.xml file. To execute the script, two files must be present in the directory:
· MoFA-CreateSubLevelsOUs.ps1 => Contains the script logic. Must not be modified
· MoFA-CreateSubLevelsOUs.xml => Contains the parameters. File to adapt if necessary
The files have currently been created to match the design that has been proposed.
Installation steps
Log on to the first Domain Controller with a user that is a member of the Domain Admins group.
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”.
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change.
Copy the two above-mentioned files into the previously created folder called “setup” at the root of the “C:” drive.
Copy all installation scripts into this folder.
In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-CreateSubLevelsOUs.ps1”
Type “R” if prompted to run the script.
Wait for the end of the script execution.
All the sub-containers are now created inside the AD.
Installation validation
Launch “Active Directory Users and Computers” and validate that the OUs have been created according to the parameter file.
Create Groups
Installation Options
The variables that can be used to create all AD groups in an automated way are documented in the file MoFA-CreateGroups.xml. You might have to change these name variables if you want to create, in an automated way, more Active Directory groups than the ones specified in the design document.
The input file is named MoFA-CreateGroups.xml and the script that processes the file is named MoFA-CreateGroups.ps1. Both files must be copied, after modification, into the “C:\setup” folder of the server prior to execution.
Installation execution
Log on to the first Domain Controller with a user that is a member of the Domain Admins group.
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”.
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change.
Copy the two above-mentioned files into the previously created folder called “setup” at the root of the “C:” drive.
Copy all installation scripts into this folder.
In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-CreateGroups.ps1”
Type “R” if prompted to run the script.
Wait for the end of the script execution.
All the sub-containers are now created inside the AD.
Installation validation
Launch “Active Directory Users and Computers” and validate that the groups have been created according to the parameter file.
Rights configuration
As specified in the design documents, the four following resource groups must have specific access on some AD OUs:
· P_PRM_L_ExtGroupsMgmt_Read
· P_PRM_L_ExtGroupsMgmt_Write
· P_PRM_L_ExtUsersMgmt_Read
· P_PRM_L_ExtUsersMgmt_Write
User groups that are members of these resource groups will have specific read or write access to some zones of the Active Directory and will not be able to access the rest of the Active Directory. The next sections describe how to configure this rights delegation.
P_PRM_L_ExtGroupsMgmt_Read
Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management OU”.
Click on “Delegate Control”.
Click “Next”.
Click “Add”.
Type “P_PRM_L_ExtGroupsMgmt_Read” at the prompt and click “OK”.
Click “Next”.
Select “Read all user information” and click “Next”.
Click “Finish”.
P_PRM_L_ExtGroupsMgmt_Write
Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management OU”.
Click on “Delegate Control”.
Click “Next”.
Click “Add”.
Type “P_PRM_L_ExtGroupsMgmt_Write” at the prompt and click “OK”.
Click “Next”.
Tick the boxes as shown in the screenshot and click “Next”.
Click “Finish”.
P_PRM_L_ExtUsersMgmt_Read
Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management OU”.
Click on “Delegate Control”.
Click “Next”.
Click “Add”.
Type “P_PRM_L_ExtUsersMgmt_Read” at the prompt and click “OK”.
Click “Next”.
Select “Read all user information” and click “Next”.
Click “Finish”.
P_PRM_L_ExtUsersMgmt_Write
Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management OU”.
Click on “Delegate Control”.
Click “Next”.
Click “Add”.
Type “P_PRM_L_ExtUsersMgmt_Write” at the prompt and click “OK”.
Click “Next”.
Select “Read all user information” and click “Next”.
Click “Finish”.
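The Delegate Control wizard writes ACEs on the OU, so the intent of the four delegations (read-only for the _Read groups, modify rights for the _Write groups, nothing elsewhere) can be verified by reading the OU security descriptor back. The following audit script is an added example, not one of the MoFA scripts; it assumes the ActiveDirectory module on a DC and that the OU name starts with “External Groups Management” (adapt $ouFilter otherwise). It lists every ACE each group holds, the object class the ACE is scoped to, and flags a _Read group that can write or a _Write group that only received read rights.

```powershell
# Added audit of the delegated rights on the External Groups Management OU; not one of the MoFA scripts.
# Assumes: ActiveDirectory module on a DC; OU located by name via $ouFilter (adapt if named differently).
Import-Module ActiveDirectory

$ouFilter = 'Name -like "External Groups Management*"'
$groups   = 'P_PRM_L_ExtGroupsMgmt_Read', 'P_PRM_L_ExtGroupsMgmt_Write',
            'P_PRM_L_ExtUsersMgmt_Read',  'P_PRM_L_ExtUsersMgmt_Write'

# Well-known schemaIDGUIDs, used to show which object class an ACE is scoped to
$classByGuid = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '00000000-0000-0000-0000-000000000000' = 'all objects'
}
# Any of these rights lets a principal change the directory rather than only read it
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericWrite, GenericAll, WriteDacl, WriteOwner'

$ou = Get-ADOrganizationalUnit -Filter $ouFilter | Select-Object -First 1
if (-not $ou) { throw "No OU matching $ouFilter" }
$acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

$findings = @()
foreach ($g in $groups) {
    # IdentityReference is DOMAIN\group, so match on the trailing "\<group>"
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$g" })
    if ($aces.Count -eq 0) {
        $findings += "$g has no ACE on $($ou.Name); delegation missing"
        continue
    }
    $grantsWrite = $false
    foreach ($ace in $aces) {
        $scope = $classByGuid["$($ace.InheritedObjectType)"]
        if (-not $scope) { $scope = "class $($ace.InheritedObjectType)" }
        $inh = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Host ("{0,-30} {1,-5} {2,-45} on {3} ({4})" -f $g, $ace.AccessControlType, $ace.ActiveDirectoryRights, $scope, $inh)
        if ($ace.AccessControlType -eq 'Allow' -and ([int]($ace.ActiveDirectoryRights -band $writeMask)) -ne 0) {
            $grantsWrite = $true
        }
    }
    # Least privilege: _Read groups must not be able to write, _Write groups must be able to
    if ($g -like '*_Read' -and $grantsWrite) {
        $findings += "$g can modify objects under $($ou.Name); read-only delegation expected"
    }
    if ($g -like '*_Write' -and -not $grantsWrite) {
        $findings += "$g holds read rights only under $($ou.Name); no write delegation found"
    }
}

if ($findings.Count -eq 0) { Write-Host 'Delegation audit: rights match the Read/Write intent' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```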
Apply GPO adapted for Perimeter network settings
As this Active Directory is located in a perimeter network, Active Directory security must be enforced to reduce the attack surface. In order to do so, two main GPO templates have been created. Copy the two following directories into the C:\setup directory of one of the domain controllers:
Click on the Start button and type “Group Policy Management”.
Start the Group Policy Management console and go to “Group Policy Objects”.
Right-click on it and select “Manage Backups”.
Set the “Backup location” to “C:\setup”. You should see the two policies that have been created.
Click on “Restore” for each of them. Do this for both backups.
At the prompt, click on “OK”.
The four GPOs can now be seen at the console level.
Now click on the “MOFA.WEB” level, right-click on it and select “Link an Existing GPO…”.
Select the “MoFA Perimeter Default Domain Policy” and click OK.
We now have two different GPOs applying at domain level. Unlink the “Default Domain Policy” by right-clicking on it and clearing “Link Enabled”.
Click on “OK”.
When you check the screen, you should now have the Default Domain Policy not linked and the MoFA Perimeter Default Domain Policy linked.
Repeat the same operation to link the MoFA Perimeter Domain Controller policy to the Domain Controllers OU.
The full domain is now configured, congratulations!
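The link state produced by this section can be verified from PowerShell. The following script is an added example, not one of the MoFA scripts; it assumes the GroupPolicy module (installed with the GPMC on a DC) and that the restored GPOs carry the display names used in this section. It checks that both perimeter GPOs were restored, that the perimeter domain policy is link-enabled at the domain root while the built-in Default Domain Policy link is disabled, that the perimeter DC policy is link-enabled on the Domain Controllers OU, and that nothing blocks inheritance there.

```powershell
# Added check of the GPO links configured in this section; not one of the MoFA scripts.
# Assumes: elevated PowerShell on a DC with the GroupPolicy module, and GPO display names
# as written in this section.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$dcOuDn   = "OU=Domain Controllers,$domainDn"
$failures = @()

# Returns the link object for a GPO display name at a target, or $null if it is not linked there
function Get-GpoLink([string]$Target, [string]$DisplayName) {
    (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.DisplayName -eq $DisplayName } | Select-Object -First 1
}

# 1. The two restored perimeter GPOs must exist in the domain
foreach ($name in 'MoFA Perimeter Default Domain Policy', 'MoFA Perimeter Domain Controller policy') {
    if (-not (Get-GPO -All | Where-Object { $_.DisplayName -eq $name })) {
        $failures += "GPO '$name' was not restored into the domain"
    }
}

# 2. Domain root: perimeter policy linked and enabled, Default Domain Policy link disabled
$link = Get-GpoLink $domainDn 'MoFA Perimeter Default Domain Policy'
if (-not $link) {
    $failures += 'MoFA Perimeter Default Domain Policy is not linked at the domain root'
} elseif (-not $link.Enabled) {
    $failures += 'MoFA Perimeter Default Domain Policy link at the domain root is disabled'
}
$default = Get-GpoLink $domainDn 'Default Domain Policy'
if ($default -and $default.Enabled) {
    $failures += 'Default Domain Policy is still link-enabled at the domain root'
}

# 3. Domain Controllers OU: perimeter DC policy linked and enabled
$dcLink = Get-GpoLink $dcOuDn 'MoFA Perimeter Domain Controller policy'
if (-not $dcLink) {
    $failures += 'MoFA Perimeter Domain Controller policy is not linked to the Domain Controllers OU'
} elseif (-not $dcLink.Enabled) {
    $failures += 'MoFA Perimeter Domain Controller policy link on the Domain Controllers OU is disabled'
}

# 4. Blocked inheritance on the DC OU would stop the domain-level perimeter policy from applying to the DCs
if ((Get-GPInheritance -Target $dcOuDn).GpoInheritanceBlocked) {
    $failures += 'Inheritance is blocked on the Domain Controllers OU'
}

if ($failures.Count -eq 0) { Write-Host 'GPO link validation: all checks passed' }
else { $failures | ForEach-Object { Write-Warning $_ } }
```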
Non-Production environment installation
Installation scenario
As Production and Non-Production are identical environments, there are only a few differences between the two procedures. In order to avoid rewriting the exact same procedure, only a few scripts need to be adapted; compared to the screenshots, the following differences apply:
Production case | Non-Production case | Comment
MoFA-Add-ADDS-Role.ps1 | MoFA-Add-ADDS-Role.ps1 | Identical script
MoFA-CreateGroups.ps1 | MoFA-CreateGroups.ps1 | Identical script
MoFA-CreateGroups.xml | MoFA-CreateGroups.xml | Identical file
MoFA-CreateSubLevelsOUs.ps1 | MoFA-CreateSubLevelsOUs.ps1 | Identical script
MoFA-CreateSubLevelsOUs.xml | NoProdMoFA-CreateSubLevelsOUs.xml | Different file
MoFA-CreateTopOUs.ps1 | MoFA-CreateTopOUs.ps1 | Identical script
MoFA-CreateTopOUs.xml | NoProdMoFA-CreateTopOUs.xml | Different file
RenameDefaultSite.ps1 | RenameDefaultSite.ps1 | Identical script
unattended_additionalDC_Prod.txt | unattended_additionalDC_NoProd.txt | Different file
unattended_firstDC_Prod.txt | unattended_firstDC_NoProd.txt | Different file
{2B24EF0B-8CA1-4B4C-A573-8C4D6619B16E} | {2B24EF0B-8CA1-4B4C-A573-8C4D6619B16E} | Folder content identical in both cases
{C06485DA-1B0B-4FA6-809E-E0FD8F4034DD} | {C06485DA-1B0B-4FA6-809E-E0FD8F4034DD} | Folder content identical in both cases
©2012 This document and its content are the property of the
Ministry of Foreign Affairs, Kingdom of Saudi Arabia.
It may not be copied or in any way reproduced to a third party
without prior consent from the Ministry of Foreign Affairs of the
Kingdom of Saudi Arabia.
Version: 1.0, Status: DRAFT, Page 10 of 49, 5th December 2012