MoFA AD Perimeter Zone
Internal Use
Installation Procedure
MoFA Active Directory Perimeter zone: Installation Guide
Abstract
This document describes how to set up the MoFA Active Directory for the perimeter zone.
Document Reference
Document Type: Installation Procedure
Version: 1.0
Classification: Internal Use
Status: DRAFT
Date of Issue: 5th December 2012
File Location: IT Operation team sharepoint
# Pages: 4
Produced by: Benoît Lejoly
Reviewed by: Mohammed Al Gannam
Authorized by: Fatih Bekir Kihtir; Majid Al Mirzam
Table of contents
1. Introduction
1.1 Intended audience
1.2 Sources
1.3 Change history
1.4 Forecast changes
1.5 Abbreviations / Glossary
2. Installation Prerequisite(s)
2.1 Reader’s guide
2.2 Hardware
2.2.1 Disk Space Requirement
2.2.2 HW requirements ( If applicable )
2.3 Software
2.3.1 Software OS Prerequisites ( Mandatory )
2.3.2 Software dependencies ( If applicable )
2.3.3 Out of Scope
2.3.4 Software Support lifecycle ( mandatory )
2.3.5 Software Sources ( mandatory )
2.4 Others prerequisites
3. Installation guide
3.1 Installation Variables ( Mandatory )
3.2 Build details
3.2.1 Production Environment
3.2.2 Non-Production Environment
3.3 Installation Steps
3.3.1 Production environment – Build process overview
3.4 First DC Installation
3.4.1 Installation options
3.4.2 Installation steps
3.4.3 Installation validation
3.5 Install Additional Domain controller
3.5.1 Installation options
3.5.2 Installation steps
3.5.3 Installation validation
3.5.4 DNS Configuration on the first Domain Controller
3.6 Top Level OU creation
3.6.1 Installation Options
3.6.2 Installation steps
3.6.3 Installation validation
3.7 Create the sub-levels OUs
3.7.1 Installation options
3.7.2 Installation steps
3.7.3 Installation validation
3.8 Create Groups
3.8.1 Installation Options
3.8.2 Installation execution
3.8.3 Installation validation
3.8.4 Rights configuration
3.8.4.1 P_PRM_L_ExtGroupsMgmt_Read
3.8.4.2 P_PRM_L_ExtGroupsMgmt_Write
3.8.4.3 P_PRM_L_ExtUsersMgmt_Read
3.8.4.4 P_PRM_L_ExtUsersMgmt_Write
3.9 Apply GPO adapted for Perimeter network settings
Table of Figures
Figure 1: MOFA.WEB Production Forest overview
Figure 2: NPMOFA.WEB Production Forest overview
Figure 3: Installation flow process
Introduction
Intended audience
This document covers the installation of the Perimeter zone Active Directory and is intended to be used by the MoFA Wintel Operational team.
The goal of this document is to give the reader all the information needed to successfully install the new Active Directory forests and the ADMT servers.
Sources
[1]: Active Directory DMZ Design v1.0.docx
[2]:
[3]:
Change history
Version | Nature of change | Date
01.00 | First version | 05/12/2012
Forecast changes
Version | Nature of change | Date
Abbreviations / Glossary
Abbreviation | Full text
AD | Active Directory
DNS | Domain Name Server
GPO | Group Policy Object
Installation Prerequisite(s)
Reader’s guide
This document describes the installation of Microsoft Active Directory Domain Services (AD DS).
For each component, the installation guide contains 3 subchapters:
· Installation Options: the options needed to deploy the component
· Installation Steps: defines the main steps and sub-steps
· Installation Validation: how to validate the installation of the component
If a package is needed for an installation, it is assumed that the sources will be copied locally on the machine where you want to install.
Hardware
Disk Space Requirement
Server requirements for domain controllers are described in the Perimeter Active Directory Design document, referenced as [1].
As a summary, the table below shows what is needed for each domain controller:
Disk | Space used for installation | Disk Type ( Virtual/Physical )
System Disk (C:), contains mainly the OS | 40 GB | Virtual
Data disk (D:) | 10 GB | Virtual
Swap disk (S:) | 10 GB | Virtual
Logs disk (L:) | 10 GB | Virtual
CD/DVD (Z:) | n/a | Virtual
HW requirements ( If applicable )
Hardware requirements are also specified in the Perimeter Active Directory design document referenced as [1], in the chapter “Domain Controller System Configuration”.
Software
Software OS Prerequisites ( Mandatory )
This installation procedure must be executed on the following Operating System:
· Windows 2008 R2 SP1
This operating system must be patched to the latest available level provided by Microsoft. Run a Windows Update or any patch deployment software prior to executing this installation.
Software dependencies ( If applicable )
This installation procedure requires the following components to be installed prior to the software installation:
-
-
Out of Scope
The following items are determined to be out of scope:
· The antivirus installation and configuration, as it will follow the System Center deployment in the perimeter zone.
· The installation and configuration of the monitoring, as this step is part of the deployment of the System Center platform. Specific monitoring requirements have however been described in the Active Directory Design document [1].
· The Windows base Operating System installation, as it will follow the current MoFA installation standards.
· AD backups. Appropriate recommendations have been made in the Active Directory Design document [1]. The backup strategy will be defined by the MoFA.
Software Support lifecycle ( mandatory )
The products whose installation is described in this document are part of the Operating System, which means that they have the same lifecycle as the Operating System itself. Refer to your Microsoft Premier support contract to validate the current OS support dates and any possible extensions that might be signed by the MoFA.
Software Sources ( mandatory )
All sources needed for this procedure are built into the operating system. No additional software is required during the setup.
Others prerequisites
Prior to starting the build process, make sure that the following prerequisites are covered:
· The user account used for the installation has local administrative rights on the target servers where the setup will be executed
· All IP addresses are known and the servers are configured with fixed IPs
· Both machines can fully communicate with each other without firewall restrictions
· The latest Microsoft patches have been deployed on the machines
· An antivirus installation is scheduled after this setup (as we are in the perimeter zone and these machines are needed first to set up the System Center platform)
· Scripts and answer files are copied locally on each machine
Installation guide
Installation Variables ( Mandatory )
Variable
Value per environment
Comment
Variable 1
Variable 2
Variable 3
Value Z
Applicable to all environments
Build details
Production Environment
The picture below provides an overview of what needs to be built:
Figure 1: MOFA.WEB Production Forest overview
Each of the following server roles will be installed on both machines:
Role Name | Installed Components | Notes
Domain Controller | Microsoft Windows Server 2008 R2 SP1; Microsoft Active Directory Domain Services; Microsoft DNS Server | Identical roles will be installed on both machines. Due to AD-specific constraints, some internal AD key roles will be processed on RUH-DCDMZ-01.
The table below provides details for the installation itself:
Server name: RUH-DCDMZ-01
  IP: TO BE COMPLETED
  Netmask: TO BE COMPLETED
  Gateway: TO BE COMPLETED
  Primary DNS: RUH-DCDMZ-01
  Secondary DNS: RUH-DCDMZ-02
  Note: A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
Server name: RUH-DCDMZ-02
  IP: TO BE COMPLETED
  Netmask: TO BE COMPLETED
  Gateway: TO BE COMPLETED
  Primary DNS: RUH-DCDMZ-02
  Secondary DNS: RUH-DCDMZ-01
  Note: A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
Non-Production Environment
The picture below provides an overview of what needs to be built for the Non-Production environment:
Figure 2: NPMOFA.WEB Production Forest overview
Each of the following server roles will be installed on both machines:
Role Name | Installed Components | Notes
Domain Controller | Microsoft Windows Server 2008 R2 SP1; Microsoft Active Directory Domain Services; Microsoft DNS Server | Identical roles will be installed on both machines. Due to AD-specific constraints, some internal AD key roles will be processed on RUH-DCDMZ-01.
The table below provides details for the installation itself:
Server name: RUH-TDCDMZ-01
  IP: TO BE COMPLETED
  Netmask: TO BE COMPLETED
  Gateway: TO BE COMPLETED
  Primary DNS: RUH-TDCDMZ-01
  Secondary DNS: RUH-TDCDMZ-02
  Note: A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
Server name: RUH-TDCDMZ-02
  IP: TO BE COMPLETED
  Netmask: TO BE COMPLETED
  Gateway: TO BE COMPLETED
  Primary DNS: RUH-TDCDMZ-02
  Secondary DNS: RUH-TDCDMZ-01
  Note: A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone. This VLAN must be different from the production VLAN.
Installation Steps
Production environment – Build process overview
The schema below provides an overview of the perimeter forest build process:
Figure 3: Installation flow process
· Items in blue must be done only once.
· Items in yellow may be repeated to create multiple objects.
First DC Installation
This section explains how to install the first domain controller of the environment using the different provided scripts.
Installation options
The variables described below are part of the “unattended_firstDC.xml” file. Check the values contained in the script and, if they are not aligned with this document, align them prior to using the script (italic text must not be in the answer file). Pay attention that the script has a different configuration for Production and Non-Production.
Variable Name | Variable Value
ReplicaOrNewDomain | Domain
NewDomain | Forest
NewDomainDNSName | Production: MOFA.WEB; Non-Production: NPMOFA.WEB
ForestLevel | 4
DomainNetbiosName | Production: MOFAWEB; Non-Production: NPMOFAWEB
DomainLevel | 4
InstallDNS | Yes
ConfirmGc | Yes
CreateDNSDelegation | No
DatabasePath | D:\NTDS
LogPath | L:\NTDS
SYSVOLPath | C:\windows\sysvol
SafeModeAdminPassword | **********
RebootOnCompletion | Yes
Installation steps
Log on to the future first domain controller. In our example, we take “RUH-DCDMZ-01” as reference. Check that your user is a member of the local Administrators group of the machine.
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter; when prompted, enter “Y” and press Enter to confirm the change:
Create a folder called “setup” at the root of the “C:” drive:
Copy all installation scripts into this folder.
In the PowerShell window, set the working location to “C:\Setup” and type the following command at the PowerShell prompt: powershell.exe “.\MoFA-Add-ADDS-Role.ps1”
Type “R” if prompted to run the script:
Wait for the script execution to finish:
Once the script has finished, you should get this screen:
Now type the following command in the PowerShell window: “dcpromo.exe /unattend:C:\setup\unattended_firstDC_Prod.txt” and press Enter:
The Active Directory installation should start. Wait until the installation is completed. This operation can take some time, be patient.
Once the installation is completed, the server restarts by itself. Once the machine has restarted, log on to the server again:
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter; when prompted, enter “Y” and press Enter to confirm the change:
Set the PowerShell working location back to “C:\Setup” and, at the prompt, type powershell.exe “.\RenameDefaultSite.ps1” then press Enter:
The script execution result will look like:
We have now successfully installed the first Domain Controller. Repeat the same operation with the adapted scripts (called NONPROD) for the Non-Production environment.
Installation validation
Log on to the server with an administrative account:
In the Server Manager, validate that the AD DS and DNS roles have been added. Note: the DNS role is automatically added during the dcpromo.exe execution.
In Active Directory Sites and Services, validate that the Default-First-Site-Name site has been renamed to MoFA-Riyadh-HQ:
Install Additional Domain controller
This chapter describes the steps to follow to add a domain controller to the MOFA.WEB forest. For the current build, only one additional domain controller will be added.
The MoFA can reuse this chapter later, when additional domain controllers need to be added to the forest.
Installation options
This section details the variables in the configuration file that are most likely to change when executing the scripts.
Configuration variables to verify in unattended_additionalDC.txt. If a value is not aligned with the value in this document, update the answer file.
Variable Name | Variable Value
ReplicaOrNewDomain | Replica
ReplicaDomainDNSName | MOFA.WEB
SiteName | MoFA-Riyadh-HQ
InstallDNS | Yes
ConfirmGc | Yes
CreateDNSDelegation | No
UserDomain |
UserName | Administrator
Password | *(put the correct password)
DatabasePath | D:\NTDS
LogPath | L:\NTDS
SYSVOLPath | C:\windows\sysvol
SafeModeAdminPassword | *(put the correct password)
RebootOnCompletion | Yes
You have to fill in the password fields prior to using the unattended file.
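Because both answer files are edited by hand and the tables above are the only reference, a pre-flight check catches a stale value or a forgotten password before dcpromo.exe fails halfway through a promotion. The following script is an added example, not one of the MoFA scripts referenced in this procedure; it assumes the classic INI layout that dcpromo.exe reads ([DCInstall] section, one Key=Value per line), uses placeholder file paths, and takes the Non-Production value of ReplicaDomainDNSName from the first-DC table (an assumption, since the additional-DC table only lists MOFA.WEB).

```powershell
# Added example, not one of the MoFA scripts: validates a dcpromo answer file
# against the variable tables of sections 3.4.1 and 3.5.1 before it is used.
# Assumptions: INI layout read by dcpromo.exe ([DCInstall], Key=Value lines);
# the default file path is a placeholder.
param(
    [string]$AnswerFile  = 'C:\setup\unattended_firstDC_Prod.txt',
    [ValidateSet('Production', 'NonProduction')]
    [string]$Environment = 'Production',
    [ValidateSet('FirstDC', 'AdditionalDC')]
    [string]$Role        = 'FirstDC'
)

# Expected values per role; a nested table means the value depends on the environment.
# NPMOFA.WEB for the additional Non-Production DC is assumed from section 3.4.1.
$expected = @{
    FirstDC = @{
        ReplicaOrNewDomain  = 'Domain'
        NewDomain           = 'Forest'
        NewDomainDNSName    = @{ Production = 'MOFA.WEB'; NonProduction = 'NPMOFA.WEB' }
        DomainNetbiosName   = @{ Production = 'MOFAWEB';  NonProduction = 'NPMOFAWEB'  }
        ForestLevel         = '4'
        DomainLevel         = '4'
        InstallDNS          = 'Yes'
        ConfirmGc           = 'Yes'
        CreateDNSDelegation = 'No'
        DatabasePath        = 'D:\NTDS'
        LogPath             = 'L:\NTDS'
        SYSVOLPath          = 'C:\windows\sysvol'
        RebootOnCompletion  = 'Yes'
    }
    AdditionalDC = @{
        ReplicaOrNewDomain   = 'Replica'
        ReplicaDomainDNSName = @{ Production = 'MOFA.WEB'; NonProduction = 'NPMOFA.WEB' }
        SiteName             = 'MoFA-Riyadh-HQ'
        InstallDNS           = 'Yes'
        ConfirmGc            = 'Yes'
        CreateDNSDelegation  = 'No'
        UserName             = 'Administrator'
        DatabasePath         = 'D:\NTDS'
        LogPath              = 'L:\NTDS'
        SYSVOLPath           = 'C:\windows\sysvol'
        RebootOnCompletion   = 'Yes'
    }
}

# Parse the answer file: skip blank lines, ';' comments and the [DCInstall] header.
$values = @{}
foreach ($raw in Get-Content -Path $AnswerFile) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('[') -or $line -notmatch '=') { continue }
    $key, $value = $line -split '=', 2
    $values[$key.Trim()] = $value.Trim()
}

$problems = @()
foreach ($entry in $expected[$Role].GetEnumerator()) {
    $want = $entry.Value
    if ($want -is [hashtable]) { $want = $want[$Environment] }
    if (-not $values.ContainsKey($entry.Key)) {
        $problems += "$($entry.Key): missing from the answer file"
    } elseif ($values[$entry.Key] -ne $want) {
        $problems += "$($entry.Key): found '$($values[$entry.Key])', expected '$want'"
    }
}

# The password fields must have been filled in; the tables show them as '*' placeholders.
foreach ($secret in 'SafeModeAdminPassword', 'Password') {
    if ($values.ContainsKey($secret) -and ($values[$secret] -eq '' -or $values[$secret] -match '^\*+$')) {
        $problems += "${secret}: still a placeholder, fill it in before running dcpromo"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "$AnswerFile matches the $Role / $Environment values of this document."
```

Run it from the C:\Setup folder as, for instance, `.\Check-AnswerFile.ps1 -AnswerFile .\unattended_additionalDC_NoProd.txt -Role AdditionalDC -Environment NonProduction` before the dcpromo step; a non-zero exit code means the file still needs editing. Since the file carries the DSRM and domain administrator passwords in clear text, delete it from the server once the promotion has completed.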
Installation steps
Log on to the future additional domain controller. In our example, we take “RUH-DCDMZ-02” as reference. Check that your user is a member of the local Administrators group of the machine.
The first step to do prior to installing the domain controller role is to set the preferred DNS server to the IP address of the first domain controller and the alternate DNS server to the IP address of the local machine (the one we are installing with this procedure):
Note: the illustration above was produced in a lab and does not reflect your actual values.
Click on “OK” to apply these parameters and close all the windows.
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter; when prompted, enter “Y” and press Enter to confirm the change:
Create a folder called “setup” at the root of the “C:” drive:
Copy all installation scripts into this folder.
In the PowerShell window, set the working location to “C:\Setup” and type the following command at the PowerShell prompt: powershell.exe “.\MoFA-Add-ADDS-Role.ps1”
Type “R” if prompted to run the script:
Wait for the script execution to finish:
Once the script has finished, you should get this screen:
Now type the following command in the PowerShell window: “dcpromo.exe /unattend:C:\setup\unattended_additionalDC_Prod.txt” and press Enter:
The Active Directory installation should start. Wait until the installation is completed. This operation can take some time, be patient. The installation screen looks like this:
Once finished, the machine reboots automatically.
Installation validation
Log on to the server with an administrative account (member of the Domain Admins group):
In the Server Manager, validate that the AD DS and DNS roles have been added. Note: the DNS role is automatically added during the dcpromo.exe execution.
In Active Directory Users and Computers, validate that both domain controllers are present in the default OU:
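The validation steps of this section and of section 3.4.3 are visual checks in Server Manager and the AD consoles. The script below is an added example, not one of the MoFA scripts; it runs the same checks from PowerShell on either domain controller and adds a replication check, which the console walkthrough does not cover. It assumes Windows Server 2008 R2 with the ServerManager and ActiveDirectory modules (the latter is installed with the AD DS role) and uses the site and OU names given in this document.

```powershell
# Added example, not one of the MoFA scripts: automates the validation steps of
# sections 3.4.3 and 3.5.3 on a freshly promoted domain controller.
# Assumptions: Windows Server 2008 R2 with the ServerManager and ActiveDirectory
# modules; the site name and default OU are those used in this document.
Import-Module ServerManager
Import-Module ActiveDirectory

$expectedSite = 'MoFA-Riyadh-HQ'
$checks = @()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail = '')
    $script:checks += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. Both roles present in Server Manager (DNS is added by dcpromo when InstallDNS=Yes).
foreach ($feature in 'AD-Domain-Services', 'DNS') {
    $f = Get-WindowsFeature -Name $feature
    Add-Check "Role $feature installed" ([bool]$f.Installed)
}

# 2. Sites: Default-First-Site-Name was renamed by RenameDefaultSite.ps1.
$configNc = (Get-ADRootDSE).configurationNamingContext
$sites = Get-ADObject -SearchBase "CN=Sites,$configNc" -SearchScope OneLevel -LDAPFilter '(objectClass=site)' |
    Select-Object -ExpandProperty Name
Add-Check "Default-First-Site-Name renamed to $expectedSite" `
    (($sites -contains $expectedSite) -and ($sites -notcontains 'Default-First-Site-Name')) ($sites -join ', ')

# 3. Domain controllers: two of them, both global catalogs (ConfirmGc=Yes), both in the
#    expected site, and both computer objects in the default Domain Controllers OU.
$dcs = @(Get-ADDomainController -Filter *)
Add-Check 'Two domain controllers registered' ($dcs.Count -eq 2) (($dcs | ForEach-Object { $_.HostName }) -join ', ')
Add-Check 'All DCs are global catalogs' (@($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0)
Add-Check "All DCs are in site $expectedSite" (@($dcs | Where-Object { $_.Site -ne $expectedSite }).Count -eq 0)
$dcOu = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
$dcComputers = @(Get-ADComputer -SearchBase $dcOu -SearchScope OneLevel -Filter *)
Add-Check 'DC computer objects in the Domain Controllers OU' ($dcComputers.Count -eq $dcs.Count) `
    (($dcComputers | ForEach-Object { $_.Name }) -join ', ')

# 4. Replication: any source DSA with a non-zero "fails" count in repadmin /replsummary
#    means the second DC is not actually receiving the first one's changes.
$summary = repadmin /replsummary 2>&1 | Out-String
$failed = @($summary -split "`r?`n" | Where-Object { $_ -match '\s[1-9]\d*\s*/\s*\d+\s+\d+' })
Add-Check 'No replication failures in repadmin /replsummary' ($failed.Count -eq 0) ($failed -join '; ')

$checks | Format-Table Check, Pass, Detail -AutoSize
if (@($checks | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Run it after the reboot that follows dcpromo on the second DC; all rows should show Pass = True. A failed replication row right after promotion is usually a DNS client order problem, which the next section addresses.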
DNS Configuration on the first Domain Controller
As we have now added a second Domain Controller that is also a DNS server in the environment, we must adapt the DNS settings of the first Domain Controller to enable redundancy. To do so, log on to the first domain controller, go to the network card properties and adapt the settings to have the IP address of the second domain controller as Primary DNS server and the IP address of the first domain controller as Alternate DNS server:
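The same DNS client order can be set and verified from PowerShell, which avoids typing addresses into the adapter dialog on each DC. The script below is an added example, not one of the MoFA scripts. It assumes Windows Server 2008 R2, where the WMI method SetDNSServerSearchOrder is the scriptable way to change the DNS client settings (the Set-DnsClientServerAddress cmdlet only exists from Windows Server 2012), and the two IP addresses are placeholders to replace with the real DC addresses from the build tables.

```powershell
# Added example, not one of the MoFA scripts: applies the DNS client order of section
# 3.5.4 (preferred = the other DC, alternate = this DC) and verifies resolution.
# Assumptions: Windows Server 2008 R2 (WMI instead of Set-DnsClientServerAddress);
# the two addresses below are placeholders for the real DC IPs.
$FirstDcIp  = '192.0.2.11'   # placeholder: RUH-DCDMZ-01
$SecondDcIp = '192.0.2.12'   # placeholder: RUH-DCDMZ-02
$DomainFqdn = 'MOFA.WEB'

$nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True')
$localIps = $nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ }

# Decide which DC this script runs on and build the matching preferred/alternate order.
if ($localIps -contains $FirstDcIp)      { $order = @($SecondDcIp, $FirstDcIp) }
elseif ($localIps -contains $SecondDcIp) { $order = @($FirstDcIp, $SecondDcIp) }
else { throw "Local addresses ($($localIps -join ', ')) match neither DC; check the placeholders." }

foreach ($nic in $nics) {
    $result = $nic.SetDNSServerSearchOrder($order)
    # 0 = success, 1 = success but reboot required, anything else = WMI error code
    if ($result.ReturnValue -gt 1) {
        throw "SetDNSServerSearchOrder failed on '$($nic.Description)' with code $($result.ReturnValue)"
    }
    Write-Host "$($nic.Description): DNS order now $($order -join ' then ')"
}

# Verify: the domain's DC locator SRV record must resolve through the preferred server,
# otherwise replication and logon will silently fall back to the alternate one.
ipconfig /flushdns | Out-Null
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainFqdn" $order[0] 2>&1 | Out-String
if ($srv -notmatch 'svr hostname') {
    throw "SRV lookup for $DomainFqdn against $($order[0]) returned nothing usable:`n$srv"
}
Write-Host "SRV records for $DomainFqdn resolved via $($order[0]):"
Write-Host $srv
```

Run it once on each domain controller; the order is derived from the local addresses, so the same script serves both machines.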
Top Level OU creation
Installation Options
This section details the variables in the configuration file that are most likely to change when executing the scripts.
Configuration variables to verify in MoFA-CreateTopOUs.xml. If a value is not aligned with the value in this document, update the XML file:
Installation steps
As we have now installed our two domain controllers, it is time to set up the OU structure at the top level. To automate this, a script has been prepared. The script is called “MoFA-CreateTopOUs.ps1” and its response file is “MoFA-CreateTopOUs.xml”.
Log on to the first Domain Controller with a user that is a member of the Domain Admins group:
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter; when prompted, enter “Y” and press Enter to confirm the change:
Copy the two scripts mentioned above into the previously created folder called “setup” at the root of the “C:” drive:
Copy all installation scripts into this folder:
In the PowerShell window, set the working location to “C:\Setup” and type the following command at the PowerShell prompt: powershell.exe “.\MoFA-CreateTopOUs.ps1”
Type “R” if prompted to run the script:
Wait for the script execution to finish:
Installation validation
Launch “Active Directory Users and Computers” and validate that the OUs have been created according to the parameter file:
Create the sub-levels OUs
Installation options
This section presents a high-level overview of the XML file that creates the different Active Directory OUs. These values have been aligned with the design document referenced as [1], and it is assumed that the user is able to adapt the XML file accordingly to create additional OUs if necessary. The user can also refer to the comments integrated in the MoFA-CreateSubLevelsOUs.xml file. To execute the script, two files must be present in the directory:
· MoFA-CreateSubLevelsOUs.ps1 => Contains the script logic. Must not be modified
· MoFA-CreateSubLevelsOUs.xml => Contains the parameters. File to adapt if necessary
The files have been created to match the design that has been proposed.
Installation steps
Log on to the first Domain Controller with a user that is a member of the Domain Admins group:
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter; when prompted, enter “Y” and press Enter to confirm the change:
Copy the two scripts mentioned above into the previously created folder called “setup” at the root of the “C:” drive:
Copy all installation scripts into this folder:
In the PowerShell window, set the working location to “C:\Setup” and type the following command at the PowerShell prompt: powershell.exe “.\MoFA-CreateSubLevelsOUs.ps1”
Type “R” if prompted to run the script:
Wait for the script execution to finish:
All the sub-containers are now created inside the AD.
Installation validation
Launch “Active Directory Users and Computers” and validate that the OUs have been created according to the parameter file:
Create Groups
Installation Options
The variables used to create all AD groups in an automated way are documented in the file MoFA-CreateGroups.xml. You might have to change these name variables if you want to create, in an automated way, more Active Directory groups than the ones specified in the design document.
The input file is named MoFA-CreateGroups.xml and the script that processes it is named MoFA-CreateGroups.ps1. Both files must be copied, after modification, into the “C:\setup” folder of the server prior to execution.
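The three script/parameter-file pairs of sections 3.6, 3.7 and 3.8 share one pattern: an XML file describes the objects, a script reads it and creates them. The layout of the MoFA XML files is not reproduced in this document, so the script below is an added example with a hypothetical XML layout of its own, not the project's files. It creates OUs and then security groups from that layout, skips objects that already exist (so it can be re-run after an edit to the parameter file), and lists the resulting OU tree the way the “Installation validation” steps ask you to check it. The domain DN and OU names are placeholders; the group names are the four resource groups of section 3.8.4, and their DomainLocal scope is an assumption taken from the "_L_" in their names.

```powershell
# Added example, not one of the MoFA scripts: creates OUs and groups from an XML
# parameter file in the spirit of MoFA-CreateTopOUs.ps1, MoFA-CreateSubLevelsOUs.ps1
# and MoFA-CreateGroups.ps1. The XML layout is hypothetical; DN and OU names are
# placeholders; "Path" is the parent container relative to the domain root.
Import-Module ActiveDirectory

# Constructed sample parameter file. In practice: [xml]$params = Get-Content 'C:\setup\params.xml'
[xml]$params = @'
<MoFA Domain="DC=MOFA,DC=WEB">
  <OU Name="External Groups Management" Path="" Description="Groups delegated to external managers" />
  <OU Name="Resource Groups" Path="" Description="Permission (resource) groups" />
  <OU Name="Perimeter" Path="OU=Resource Groups" Description="Resource groups for the perimeter zone" />
  <Group Name="P_PRM_L_ExtGroupsMgmt_Read"  Path="OU=Perimeter,OU=Resource Groups" Scope="DomainLocal" />
  <Group Name="P_PRM_L_ExtGroupsMgmt_Write" Path="OU=Perimeter,OU=Resource Groups" Scope="DomainLocal" />
  <Group Name="P_PRM_L_ExtUsersMgmt_Read"   Path="OU=Perimeter,OU=Resource Groups" Scope="DomainLocal" />
  <Group Name="P_PRM_L_ExtUsersMgmt_Write"  Path="OU=Perimeter,OU=Resource Groups" Scope="DomainLocal" />
</MoFA>
'@

$domainDn = $params.MoFA.Domain

# Turn the relative "Path" attribute into a full parent DN (empty = domain root).
function Get-TargetDn {
    param([string]$RelativePath)
    if ([string]::IsNullOrEmpty($RelativePath)) { return $domainDn }
    return "$RelativePath,$domainDn"
}

# OUs first, in file order, so that a sub-level OU always follows its parent.
foreach ($ou in $params.MoFA.OU) {
    $parentDn = Get-TargetDn $ou.Path
    $dn = "OU=$($ou.Name),$parentDn"
    if (Get-ADOrganizationalUnit -LDAPFilter "(ou=$($ou.Name))" -SearchBase $parentDn -SearchScope OneLevel) {
        Write-Host "OU exists:   $dn"
        continue
    }
    # ProtectedFromAccidentalDeletion stops an administrator from dropping a whole subtree by mistake.
    New-ADOrganizationalUnit -Name $ou.Name -Path $parentDn -Description $ou.Description -ProtectedFromAccidentalDeletion $true
    Write-Host "OU created:  $dn"
}

# Then the groups; sAMAccountName is unique per domain, so that is the existence test.
foreach ($grp in $params.MoFA.Group) {
    $parentDn = Get-TargetDn $grp.Path
    if (Get-ADGroup -LDAPFilter "(sAMAccountName=$($grp.Name))") {
        Write-Host "Group exists:  $($grp.Name)"
        continue
    }
    New-ADGroup -Name $grp.Name -SamAccountName $grp.Name -Path $parentDn -GroupScope $grp.Scope -GroupCategory Security
    Write-Host "Group created: $($grp.Name) in $parentDn"
}

# Validation step: the resulting OU tree, as checked in Active Directory Users and Computers.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    Sort-Object DistinguishedName |
    Select-Object -ExpandProperty DistinguishedName
```

Because the existence checks make every step idempotent, the same file can be extended with more OUs or groups later and re-run without touching the objects already in place, which is how the procedure expects the MoFA parameter files to be reused.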
Installation execution
Log on to the first Domain Controller with a user that is a member of the Domain Admins group:
Click on the “Start” button and type “PowerShell” in the search bar. Right-click on the PowerShell entry and select “Run as Administrator”:
In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter; when prompted, enter “Y” and press Enter to confirm the change:
Copy the two scripts mentioned above into the previously created folder called “setup” at the root of the “C:” drive:
Copy all installation scripts into this folder:
In the PowerShell window, set the working location to “C:\Setup” and type the following command at the PowerShell prompt: powershell.exe “.\MoFA-CreateGroups.ps1”
Type “R” if prompted to run the script:
Wait for the script execution to finish:
All the groups are now created inside the AD.
Installation validation
Launch “Active Directory Users and Computers” and validate that the groups have been created according to the parameter file:
Rights configuration
As specified in the design documents, the following four resource groups must have specific access on some AD OUs:
· P_PRM_L_ExtGroupsMgmt_Read
· P_PRM_L_ExtGroupsMgmt_Write
· P_PRM_L_ExtUsersMgmt_Read
· P_PRM_L_ExtUsersMgmt_Write
User groups that are members of these resource groups will have specific read or write access to some zones of the Active Directory and will not be able to access the rest of the Active Directory. The next section describes how to configure this rights delegation.
P_PRM_L_ExtGroupsMgmt_Read
Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management” OU:
Click on “Delegate Control”:
Click “Next”
Click “Add”
Type “P_PRM_L_ExtGroupsMgmt_Read” at the prompt and click “OK”.
Click “Next”
Select “Read all user information” and click “Next”
Click “Finish”.
P_PRM_L_ExtGroupsMgmt_Write
Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management” OU:
Click on “Delegate Control”:
Click “Next”
Click “Add”
Type “P_PRM_L_ExtGroupsMgmt_Write” at the prompt and click “OK”.
Click “Next”
Tick boxes as mentioned in the screenshot and click “Next”
Click “Finish”.
P_PRM_L_ExtUsersMgmt_Read
Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management” OU:
Click on “Delegate Control”:
Click “Next”
Click “Add”
Type “P_PRM_L_ExtUsersMgmt_Read” at the prompt and click “OK”.
Click “Next”
Select “Read all user information” and click “Next”
Click “Finish”.
P_PRM_L_ExtUsersMgmt_Write
Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management” OU:
Click on “Delegate Control”:
Click “Next”
Click “Add”
Type “P_PRM_L_ExtUsersMgmt_Write” at the prompt and click “OK”.
Click “Next”
Select “Read all user information” and click “Next”
Click “Finish”.
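The Delegation of Control wizard writes access control entries on the OU but offers no way to review them afterwards, and a wrongly ticked box in the “Write” runs above is invisible in the console. The script below is an added example, not one of the MoFA scripts; it reads the OU's ACL back through the AD: drive of the ActiveDirectory module (Windows Server 2008 R2), translates the attribute and extended-right GUIDs into names, and flags any “_Read” group that holds a write-capable right or any group holding full control or ACL ownership. The OU distinguished name is a placeholder.

```powershell
# Added example, not one of the MoFA scripts: reads back the delegation made with the
# "Delegate Control" wizard in section 3.8.4 and flags rights beyond a group's role.
# Assumptions: Windows Server 2008 R2 with the ActiveDirectory module (AD: drive);
# the OU DN below is a placeholder.
Import-Module ActiveDirectory

$ouDn    = 'OU=External Groups Management,DC=MOFA,DC=WEB'   # placeholder DN
$groups  = 'P_PRM_L_ExtGroupsMgmt_Read', 'P_PRM_L_ExtGroupsMgmt_Write',
           'P_PRM_L_ExtUsersMgmt_Read',  'P_PRM_L_ExtUsersMgmt_Write'
$netbios = (Get-ADDomain).NetBIOSName

# Map schema (attribute/class) and extended-right GUIDs to names so an ACE is readable.
$rootDse  = Get-ADRootDSE
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidName[(New-Object Guid -ArgumentList @(,[byte[]]$_.schemaIDGUID)).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
    ForEach-Object { $guidName[([Guid]$_.rightsGuid).ToString()] = $_.name }

function Get-GuidLabel {
    param([Guid]$Id, [string]$Empty)
    if ($Id -eq [Guid]::Empty) { return $Empty }
    if ($guidName.ContainsKey($Id.ToString())) { return $guidName[$Id.ToString()] }
    return $Id.ToString()
}

$acl    = Get-Acl -Path "AD:\$ouDn"
$report = @()
foreach ($group in $groups) {
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq "$netbios\$group" })
    if ($aces.Count -eq 0) {
        $report += New-Object PSObject -Property @{ Group = $group; Rights = '(no ACE)'; Attribute = ''; ObjectClass = ''; Finding = 'delegation missing' }
        continue
    }
    foreach ($ace in $aces) {
        $rights  = $ace.ActiveDirectoryRights.ToString()
        $finding = ''
        if ($ace.AccessControlType -eq 'Allow') {
            if ($group -like '*_Read' -and $rights -match 'Write|Create|Delete|GenericAll|ExtendedRight') {
                $finding = 'write-capable right on a read-only group'
            }
            if ($rights -match 'GenericAll|WriteDacl|WriteOwner') {
                $finding = 'full control or ACL ownership, beyond the wizard tasks used here'
            }
        }
        $report += New-Object PSObject -Property @{
            Group       = $group
            Rights      = "$($ace.AccessControlType): $rights"
            Attribute   = Get-GuidLabel $ace.ObjectType 'all attributes'
            ObjectClass = Get-GuidLabel $ace.InheritedObjectType 'this object and all descendants'
            Finding     = $finding
        }
    }
}

$report | Format-Table Group, Rights, Attribute, ObjectClass, Finding -AutoSize
if (@($report | Where-Object { $_.Finding }).Count -gt 0) { exit 1 }
```

For the “Read all user information” task the wizard grants, the expected row is a ReadProperty allow on all attributes scoped to the user object class; anything else on a “_Read” group is worth a second look before the external managers are added to it.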
Apply GPO adapted for Perimeter network settings
As this Active Directory is located in a perimeter network, Active Directory security must be enforced to reduce the attack surface. To do so, two main GPO templates have been created. Copy the two following directories into the C:\setup directory of one of the domain controllers:
Click on the Start button and type “Group Policy Management”:
Start the Group Policy Management console and go to “Group Policy Objects”:
Right-click on it and select “Manage Backups”:
Set the “Backup location” to “C:\setup”. You should see the two policies that have been created.
Select each of them and click “Restore”. Execute this for the two backups.
At the prompt, click on “OK”.
The four GPOs can now be seen at the console level:
Now click on the “MOFA.WEB” level, right-click on it and select “Link an Existing GPO…”
Select the “MoFA Perimeter Default Domain Policy” and click OK.
We now have two different GPOs applying at domain level. Remove the “Default Domain Policy” by right-clicking on it and unticking “Link Enabled” to unlink the GPO.
Click on “OK”:
When you check the screen, you should now have the Default Domain Policy not linked and the MoFA Perimeter Default Domain Policy linked:
Repeat the same operation to link the MoFA Perimeter Domain Controller policy to the Domain Controllers OU:
The full domain is now configured, congratulations!
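The restore, link and unlink steps above can also be done with the GroupPolicy module that ships with the Group Policy Management console on Windows Server 2008 R2, which makes the final link state easy to capture for the handover record. The script below is an added example, not one of the MoFA scripts; it assumes the two backup folders sit in C:\setup as in the procedure and that the GPO display names are the ones used in this document.

```powershell
# Added example, not one of the MoFA scripts: performs the GPO restore, link and unlink
# steps of section 3.9 with the GroupPolicy module and prints the resulting link state.
# Assumptions: backups in C:\setup; GPO names as written in this document.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$backupPath   = 'C:\setup'
$domainDn     = (Get-ADDomain).DistinguishedName
$dcOuDn       = "OU=Domain Controllers,$domainDn"
$domainPolicy = 'MoFA Perimeter Default Domain Policy'
$dcPolicy     = 'MoFA Perimeter Domain Controller policy'

# 1. Restore: import each backup into a GPO of the same name, creating it if absent.
#    Import-GPO only restores settings; links are re-created below, as the console steps do.
foreach ($name in $domainPolicy, $dcPolicy) {
    Import-GPO -BackupGpoName $name -Path $backupPath -TargetName $name -CreateIfNeeded | Out-Null
}

# Create or update a link; New-GPLink fails if the link already exists, Set-GPLink if it does not.
function Set-GpoLinked {
    param([string]$Name, [string]$Target, [string]$Enabled)
    $existing = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if ($existing) { Set-GPLink -Name $Name -Target $Target -LinkEnabled $Enabled | Out-Null }
    else           { New-GPLink -Name $Name -Target $Target -LinkEnabled $Enabled | Out-Null }
}

# 2. Domain level: link the perimeter domain policy and disable the Default Domain Policy
#    link (the GPO itself is kept, exactly as the "Link Enabled" step does).
Set-GpoLinked -Name $domainPolicy -Target $domainDn -Enabled Yes
Set-GpoLinked -Name 'Default Domain Policy' -Target $domainDn -Enabled No

# 3. Domain Controllers OU: link the perimeter domain controller policy.
Set-GpoLinked -Name $dcPolicy -Target $dcOuDn -Enabled Yes

# 4. Review: this is the state the screenshots in this section show.
foreach ($target in $domainDn, $dcOuDn) {
    Write-Host "GPO links on $target"
    (Get-GPInheritance -Target $target).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
}
gpupdate /force | Out-Null
```

Keep the printed link table with the build record: it documents that the Default Domain Policy is present but unlinked, which is the first thing a later auditor will ask about when the domain's password and Kerberos settings come from a non-default GPO.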
Non-Production environment installation
Installation scenario
As Production and Non-Production are identical environments, there are only a few differences between the two procedures. To avoid rewriting the exact same procedure, only a few scripts need to be adapted; in the screenshots, the following differences apply:
Production case | Non-Production case | Comment
MoFA-Add-ADDS-Role.ps1 | MoFA-Add-ADDS-Role.ps1 | Identical script
MoFA-CreateGroups.ps1 | MoFA-CreateGroups.ps1 | Identical script
MoFA-CreateGroups.xml | MoFA-CreateGroups.xml | Identical file
MoFA-CreateSubLevelsOUs.ps1 | MoFA-CreateSubLevelsOUs.ps1 | Identical script
MoFA-CreateSubLevelsOUs.xml | NoProdMoFA-CreateSubLevelsOUs.xml | Different file
MoFA-CreateTopOUs.ps1 | MoFA-CreateTopOUs.ps1 | Identical script
MoFA-CreateTopOUs.xml | NoProdMoFA-CreateTopOUs.xml | Different file
RenameDefaultSite.ps1 | RenameDefaultSite.ps1 | Identical script
unattended_additionalDC_Prod.txt | unattended_additionalDC_NoProd.txt | Different file
unattended_firstDC_Prod.txt | unattended_firstDC_NoProd.txt | Different file
{2B24EF0B-8CA1-4B4C-A573-8C4D6619B16E} | {2B24EF0B-8CA1-4B4C-A573-8C4D6619B16E} | Folder content identical in both cases
{C06485DA-1B0B-4FA6-809E-E0FD8F4034DD} | {C06485DA-1B0B-4FA6-809E-E0FD8F4034DD} | Folder content identical in both cases
©2012 This document and its content are the property of the Ministry of Foreign Affairs, Kingdom of Saudi Arabia.
It may not be copied or in any way reproduced to a third party without prior consent from the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia.