MOFA ACTIVE DIRECTORY PERIMETER ZONE INSTALLATION GUIDE

Abstract

This document describes how to set up the MoFA Active Directory for the perimeter zone.

Document Reference

Document Type | Installation Procedure
Version | 1.0
Classification | INTERNAL USE
Status | DRAFT
Date of Issue | 5th December 2012
File Location | IT Operation team sharepoint
# Pages | 53
Produced by | Benoît Lejoly
Reviewed by | Mohammed Al Gannam
Authorized by | Fatih Bekir Kihtir; Majid Al Mirzam

©2012 This document and its content are the property of the Ministry of Foreign Affairs, Kingdom of Saudi Arabia. It may not be copied or in any way reproduced to a third party without prior consent from the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia.


Table of contents

1. Introduction
1.1 Intended audience
1.2 Sources
1.3 Change history
1.4 Forecast changes
1.5 Abbreviations / Glossary
2. Installation Prerequisite(s)
2.1 Reader’s guide
2.2 Hardware
2.2.1 Disk Space Requirement
2.2.2 HW requirements ( If applicable )
2.3 Software
2.3.1 Software OS Prerequisites ( Mandatory )
2.3.2 Software dependencies ( If applicable )
2.3.3 Out of Scope
2.3.4 Software Support lifecycle ( mandatory )
2.3.5 Software Sources ( mandatory )
2.4 Other prerequisites
3. Installation guide
3.1 Installation Variables ( Mandatory )
3.2 Build details
3.2.1 Production Environment
3.2.2 Non-Production Environment
3.3 Installation Steps
3.3.1 Production environment – Build process overview
3.4 First DC Installation
3.4.1 Installation options
3.4.2 Installation steps
3.4.3 Installation validation
3.5 Install Additional Domain controller
3.5.1 Installation options
3.5.2 Installation steps
3.5.3 Installation validation
3.5.4 DNS Configuration on the first Domain Controller
3.6 Top Level OU creation
3.6.1 Installation Options
3.6.2 Installation steps
3.6.3 Installation validation
3.7 Create the sub-levels OUs
3.7.1 Installation options
3.7.2 Installation steps
3.7.3 Installation validation
3.8 Create Groups
3.8.1 Installation Options
3.8.2 Installation execution
3.8.3 Installation validation
3.8.4 Rights configuration
3.8.4.1 P_PRM_L_ExtGroupsMgmt_Read
3.8.4.2 P_PRM_L_ExtGroupsMgmt_Write
3.8.4.3 P_PRM_L_ExtUsersMgmt_Read
3.8.4.4 P_PRM_L_ExtUsersMgmt_Write
3.9 Apply GPO adapted for Perimeter network settings

Table of Figures

Figure 1: MOFA.WEB Production Forest overview
Figure 2: NPMOFA.WEB Production Forest overview
Figure 3: Installation flow process

Introduction

Intended audience

This document covers the installation of the perimeter zone Active Directory and is intended to be used by the MoFA Wintel Operational team.

The goal of this document is to give the reader all the information needed to successfully install the new Active Directory forests and the ADMT servers.

Sources

[1]: Active Directory DMZ Design v1.0.docx


Change history

Version | Nature of change | Date
01.00 | First version | 05/12/2012

Forecast changes

Version | Nature of change | Date

Abbreviations / Glossary

Abbreviation | Full text
AD | Active Directory
DNS | Domain Name Server
GPO | Group Policy Object

Installation Prerequisite(s)

Reader’s guide

This document describes the installation of Microsoft Active Directory Domain Services (AD DS).

For each component, the installation guide contains 3 subchapters:

· Installation Options: which options are needed to deploy the component

· Installation Steps: defines the main steps and sub-steps

· Installation Validation: how to validate the installation of the component

If a package is needed for an installation, it is assumed that sources will be copied locally on the machine where you want to install.

Hardware

Disk Space Requirement

Server requirements for domain controllers are described in the Perimeter Active Directory Design document, referenced as [1].

In summary, the table below shows what is needed for each domain controller:

Disk space | Used for | Disk type (virtual/physical)
40 GB | System Disk (C:) – Contains mainly the OS | Virtual
10 GB | Data disk (D:) | Virtual
10 GB | Swap disk (S:) | Virtual
10 GB | Logs disk (L:) | Virtual
CD/DVD | Z: | Virtual

HW requirements ( If applicable )

Hardware requirements are also defined in the Perimeter Active Directory design document referenced as [1], in the chapter “Domain Controller System Configuration”.

Software

Software OS Prerequisites ( Mandatory )

This installation procedure must be executed on the following Operating System:

· Windows 2008 R2 SP1

This operating system must be patched to the latest available level provided by Microsoft. Please run Windows Update or any patch deployment software prior to executing this installation.

Software dependencies ( If applicable )

This installation procedure requires the following components to be installed prior software installation:

-

-

Out of Scope

The following items are determined to be out of scope:

· The antivirus installation and configuration as it will follow the System Center deployment in the perimeter zone.

· The installation and configuration of the monitoring as this step is part of the deployment of the System Center platform. Specific monitoring requirements have however been described in the Active Directory Design document [1].

· The Windows base operating system installation, as it will follow current MoFA installation standards.

· AD backups – Appropriate recommendations have been made in the Active Directory Design document [1]. The backup strategy will be defined by the MoFA.

Software Support lifecycle ( mandatory )

The product installations described in this document are part of the lifecycle of the Operating System, which means that they have the same lifecycle as the Operating System itself. Please refer to your Microsoft Premier support contract to validate current OS support dates and possible extensions that might be signed by the MoFA.

Software Sources ( mandatory )

All sources needed for this procedure are built into the operating system. No additional software will be required during the setup.

Other prerequisites

Prior to starting the build process, make sure that the following prerequisites are covered:

· The user used for installation has local administrative rights on the target servers where the setup will be executed

· All IP addresses are known and servers are configured with fixed IPs

· Both machines can fully communicate with each other without firewall restrictions

· The latest Microsoft patches have been deployed on the machines

· An antivirus installation is scheduled after this setup (as we are in the perimeter zone and these machines are needed first to set up the System Center platform)

· Scripts and answer files are copied locally on each machine

Installation guide

Installation Variables ( Mandatory )

Variable | Value per environment | Comment
Variable 1 | |
Variable 2 | |
Variable 3 | Value Z | Applicable to all environments

Build details

Production Environment

The picture below provides an overview of what needs to be built:

Figure 1: MOFA.WEB Production Forest overview

Each of the following server roles will be installed on both machines:

Role Name | Installed Components | Notes
Domain Controller | Microsoft Windows Server 2008 R2 SP1; Microsoft Active Directory Domain Services; Microsoft DNS Server | Identical roles will be installed on both machines. Due to AD specific constraints, some internal AD key roles will be processed on RUH-DCDMZ-01.

The table below provides details for the installation itself:

Server name | IP details
RUH-DCDMZ-01 | IP: TO BE COMPLETED; Netmask: TO BE COMPLETED; Gateway: TO BE COMPLETED; Primary DNS: RUH-DCDMZ-01; Secondary DNS: RUH-DCDMZ-02. A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
RUH-DCDMZ-02 | IP: TO BE COMPLETED; Netmask: TO BE COMPLETED; Gateway: TO BE COMPLETED; Primary DNS: RUH-DCDMZ-02; Secondary DNS: RUH-DCDMZ-01. A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.

Non-Production Environment

The picture below provides an overview of what needs to be built for the Non-Production environment:

Figure 2: NPMOFA.WEB Production Forest overview

Each of the following server roles will be installed on both machines:

Role Name | Installed Components | Notes
Domain Controller | Microsoft Windows Server 2008 R2 SP1; Microsoft Active Directory Domain Services; Microsoft DNS Server | Identical roles will be installed on both machines. Due to AD specific constraints, some internal AD key roles will be processed on RUH-DCDMZ-01.

The table below provides details for the installation itself:

Server name | IP details
RUH-TDCDMZ-01 | IP: TO BE COMPLETED; Netmask: TO BE COMPLETED; Gateway: TO BE COMPLETED; Primary DNS: RUH-TDCDMZ-01; Secondary DNS: RUH-TDCDMZ-02. A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone.
RUH-TDCDMZ-02 | IP: TO BE COMPLETED; Netmask: TO BE COMPLETED; Gateway: TO BE COMPLETED; Primary DNS: RUH-TDCDMZ-02; Secondary DNS: RUH-TDCDMZ-01. A dedicated VLAN for the two domain controllers must be created by the Network team in the perimeter zone. This VLAN must be a different one than the production VLAN.

Installation Steps

Production environment – Build process overview

The diagram below provides an overview of the perimeter forest build process:

Figure 3: Installation flow process

· Items in blue must be done only once.

· Items in yellow may be repeated to create multiple objects.

First DC Installation

This section explains how to install the first domain controller of the environment using the different provided scripts.

Installation options

The variables described below are part of the “unattended_firstDC.xml” file. Please check the values contained in the script and, if they are not aligned with this document, align them prior to using the script (italic text must not be in the answer file). Note that the script will have a different configuration for Production and Non-Production.

Variable Name | Variable Value
ReplicaOrNewDomain | Domain
NewDomain | Forest
NewDomainDNSName | Production: MOFA.WEB; Non-Production: NPMOFA.WEB
ForestLevel | 4
DomainNetbiosName | Production: MOFAWEB; Non-Production: NPMOFAWEB
DomainLevel | 4
InstallDNS | Yes
ConfirmGc | Yes
CreateDNSDelegation | No
DatabasePath | D:\NTDS
LogPath | L:\NTDS
SYSVOLPath | C:\windows\sysvol
SafeModeAdminPassword | **********
RebootOnCompletion | Yes

Installation steps

Log on to the future first domain controller (in our example, “RUH-DCDMZ-01”) and check that your user is a member of the local administrator group of the machine.

Click on the “Start button” and type “PowerShell” in the search bar. Right click on the PowerShell window and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Create a folder called “setup” at the root of the “C:” drive:

Copy all installation scripts into this folder.

In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-Add-ADDS-Role.ps1”

Type “R” if prompted to run the script:

Wait for the script execution to finish:

Once the script has finished, you should get this screen:

Now type the following command at the PowerShell prompt: “dcpromo.exe /unattend:C:\setup\unattended_firstDC_Prod.txt” and press Enter:

The Active Directory installation should start. Wait until the installation is completed. This operation can take some time, so be patient.

Once the installation is completed, the server will restart by itself. Once the machine has restarted, log on to the server again:

Click on the “Start button” and type “PowerShell” in the search bar. Right click on the PowerShell window and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Set the PowerShell working location back to “C:\Setup” and, at the command prompt, type powershell.exe “.\RenameDefaultSite.ps1” then press Enter:

The script execution result will be something like:

We have successfully installed the first Domain Controller. Repeat the same operation with the adapted scripts (called NONPROD) for the Non-Production Environment.

Installation validation

Log on to the server with an administrative account:

In the Server Manager, validate that the AD DS and DNS roles have been added. Note: the DNS role is automatically added during the dcpromo.exe execution.

In Active Directory Sites and Services, validate that the Default-First-Site-Name site has been renamed to MoFA-Riyadh-HQ:

Install Additional Domain controller

This chapter describes the steps to follow to add a domain controller to the MOFA.WEB forest. For the current build, only one additional domain controller will be added.

The MoFA can reuse this chapter later, when additional domain controllers need to be added to the forest.

Installation options

This section details the variables in the configuration file that are most likely to change when executing the scripts.

Configuration variables to verify in unattended_additionalDC.txt. If the value is not aligned with the value in this document, please update the XML file.

Variable Name | Variable Value
ReplicaOrNewDomain | Replica
ReplicaDomainDNSName | MOFA.WEB
SiteName | MoFA-Riyadh-HQ
InstallDNS | Yes
ConfirmGc | Yes
CreateDNSDelegation | No
UserDomain |
UserName | Administrator
Password | *(put the correct password)
DatabasePath | D:\NTDS
LogPath | L:\NTDS
SYSVOLPath | C:\windows\sysvol
SafeModeAdminPassword | *(put the correct password)
RebootOnCompletion | Yes

You have to fill in password fields prior to using the unattended file.
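
Both option tables (first DC and additional DC) ask the operator to confirm that the answer file agrees with this document before dcpromo is run. The PowerShell below is an added example, not one of the MoFA scripts, that performs that comparison and lists any clear-text password fields. It assumes the standard dcpromo [DCInstall] Key=Value layout; the function names and the sample file content are constructed for illustration.

```powershell
# Added example, not one of the MoFA scripts. Assumes the standard dcpromo
# answer-file layout: a [DCInstall] section holding Key=Value lines.

function Read-DcInstallSection {
    param([string[]]$Lines)
    $values = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }   # blank line or comment
        if ($text -match '^\[(.+)\]$') {                            # section header
            $inSection = ($Matches[1] -ieq 'DCInstall')
            continue
        }
        if ($inSection -and $text -match '^([^=]+)=(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $values
}

function Test-DcAnswerFile {
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($key in $Expected.Keys) {
        if (-not $Actual.ContainsKey($key)) {
            "MISSING   $key (guide says '$($Expected[$key])')"
        } elseif ($Actual[$key] -ine $Expected[$key]) {
            "MISMATCH  $key = '$($Actual[$key])' (guide says '$($Expected[$key])')"
        }
    }
    # Credentials sit in the file in clear text; list them so they get cleared afterwards.
    foreach ($key in 'Password', 'SafeModeAdminPassword') {
        if ($Actual.ContainsKey($key) -and $Actual[$key] -ne '') {
            "SECRET    $key has a clear-text value; remove it once the promotion is done"
        }
    }
}

# Production values taken from the two option tables in this guide.
$expectedFirstDcProd = @{
    ReplicaOrNewDomain = 'Domain'; NewDomain = 'Forest'; NewDomainDNSName = 'MOFA.WEB'
    ForestLevel = '4'; DomainLevel = '4'; DomainNetbiosName = 'MOFAWEB'
    InstallDNS = 'Yes'; ConfirmGc = 'Yes'; CreateDNSDelegation = 'No'
    DatabasePath = 'D:\NTDS'; LogPath = 'L:\NTDS'; SYSVOLPath = 'C:\windows\sysvol'
    RebootOnCompletion = 'Yes'
}
$expectedAdditionalDcProd = @{
    ReplicaOrNewDomain = 'Replica'; ReplicaDomainDNSName = 'MOFA.WEB'; SiteName = 'MoFA-Riyadh-HQ'
    InstallDNS = 'Yes'; ConfirmGc = 'Yes'; CreateDNSDelegation = 'No'; UserName = 'Administrator'
    DatabasePath = 'D:\NTDS'; LogPath = 'L:\NTDS'; SYSVOLPath = 'C:\windows\sysvol'
    RebootOnCompletion = 'Yes'
}

# Constructed sample (not a real MoFA file); SiteName and LogPath are wrong on purpose.
$sample = @'
; constructed sample answer file for an additional DC
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=MOFA.WEB
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserName=Administrator
Password=PLACEHOLDER-NOT-A-REAL-PASSWORD
DatabasePath=D:\NTDS
LogPath=D:\NTDS
SYSVOLPath=C:\windows\sysvol
SafeModeAdminPassword=PLACEHOLDER-NOT-A-REAL-PASSWORD
RebootOnCompletion=Yes
'@ -split "`r?`n"

# For a real file: Read-DcInstallSection -Lines (Get-Content 'C:\setup\unattended_additionalDC_Prod.txt')
$actual   = Read-DcInstallSection -Lines $sample
$findings = @(Test-DcAnswerFile -Actual $actual -Expected $expectedAdditionalDcProd)
if ($findings.Count -eq 0) { 'Answer file matches the guide.' } else { $findings }
```

To check the first domain controller's file, pass $expectedFirstDcProd as -Expected instead.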

Installation steps

Log on to the future additional domain controller (in our example, “RUH-DCDMZ-02”) and check that your user is a member of the local administrator group of the machine.

The first step prior to installing the domain controller role is to set the preferred DNS server to the IP address of the first domain controller and the alternate DNS server to the IP address of the local machine (the one installed following the procedure above):

Note: The illustration above was built in a lab and does not reflect your environment.

Click on “OK” to apply these parameters and close all the windows.

Click on the “Start button” and type “PowerShell” in the search bar. Right click on the PowerShell window and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Create a folder called “setup” at the root of the “C:” drive:

Copy all installation scripts into this folder.

In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-Add-ADDS-Role.ps1”

Type “R” if prompted to run the script:

Wait for the script execution to finish:

Once the script has finished, you should get this screen:

Now type the following command at the PowerShell prompt: “dcpromo.exe /unattend:C:\setup\unattended_additionalDC_Prod.txt” and press Enter:

The Active Directory installation should start. Wait until the installation is completed. This operation can take some time, so be patient. The installation screen looks something like this:

Once finished, the machine will reboot automatically.

Installation validation

Log on to the server with an administrative account (member of the domain admin group):

In the Server Manager, validate that the AD DS and DNS roles have been added. Note: the DNS role is automatically added during the dcpromo.exe execution.

In Active Directory Users and Computers, validate that both domain controllers are present in the default OU:

DNS Configuration on the first Domain Controller

As we have now added a second Domain Controller that is also a DNS server in the environment, we must now adapt the DNS settings of the first Domain Controller to enable redundancy. To do so, connect to the first domain controller and log on to it. Go to the network card properties and adapt the settings so that the Primary DNS server is the IP address of the second domain controller and the Alternate DNS server is the IP address of the first domain controller:

Top Level OU creation

Installation Options

This section details the variables in the configuration file that are most likely to change when executing the scripts.

Configuration variables to verify in MoFA-CreateTopOUs.xml. If the value is not aligned with the value in this document, please update the XML file:

Installation steps

As we have now installed our two domain controllers, it is time to set up the OU structure at the top level. To automate this, a script has been prepared. The script is called “MoFA-CreateTopOUs.ps1” and its response file is “MoFA-CreateTopOUs.xml”.

Log on to the first Domain Controller with a user that is a member of the domain admin group:

Click on the “Start button” and type “PowerShell” in the search bar. Right click on the PowerShell window and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Copy the two above-mentioned scripts to the previously created folder called “setup” at the root of the “C:” drive:

Copy all installation scripts into this folder:

In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-CreateTopOUs.ps1”

Type “R” if prompted to run the script:

Wait for the script execution to finish:

Installation validation

Launch “Active Directory Users and Computers” and validate that the OUs have been created according to the parameter file:

Create the sub-levels OUs

Installation options

This section presents a high-level overview of the XML file that creates the different Active Directory OUs. These values have been aligned with the design document referenced as [1], and it is assumed that the user is able to adapt the XML file accordingly to create additional OUs if necessary. The user can also refer to the comments that are integrated in the MoFA-CreateSubLevelsOUs.xml script. To execute the script, two files must be present in the directory:

· MoFA-CreateSubLevelsOUs.ps1 => Contains the script logic. Must not be modified

· MoFA-CreateSubLevelsOUs.xml => Contains the parameters. File to adapt if necessary

The files have been created to match the design that has been proposed.

Installation steps

Log on to the first Domain Controller with a user that is a member of the domain admin group:

Click on the “Start button” and type “PowerShell” in the search bar. Right click on the PowerShell window and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Copy the two above-mentioned scripts to the previously created folder called “setup” at the root of the “C:” drive:

Copy all installation scripts into this folder:

In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-CreateSubLevelsOUs.ps1”

Type “R” if prompted to run the script:

Wait for the script execution to finish:

All the sub-containers are now created inside the AD.

Installation validation

Launch “Active Directory Users and Computers” and validate that the OUs have been created according to the parameter file:

Create Groups

Installation Options

The variables that can be used to create all AD groups in an automated way are documented in the file MoFA-CreateGroups.xml. You might have to change these variables if you want to create, in an automated way, more Active Directory groups than the ones specified in the design document.

The file that is used as input file is named MoFA-CreateGroups.xml and the script that processes the file is named MoFA-CreateGroups.ps1. Both files must be copied, after modification, into the “C:\setup” folder of the server prior to execution.

Installation execution

Log on to the first Domain Controller with a user that is a member of the domain admin group:

Click on the “Start button” and type “PowerShell” in the search bar. Right click on the PowerShell window and select “Run as Administrator”:

In the PowerShell window that appears, type “Set-ExecutionPolicy unrestricted” and press Enter. When prompted, enter “Y” and press Enter to confirm the change:

Copy the two above-mentioned scripts to the previously created folder called “setup” at the root of the “C:” drive:

Copy all installation scripts into this folder:

In the PowerShell window, set the path to “C:\Setup” and type the following command at the PowerShell prompt: Powershell.exe “.\MoFA-CreateGroups.ps1”

Type “R” if prompted to run the script:

Wait for the script execution to finish:

All the sub-containers are now created inside the AD.

Installation validation

Launch “Active Directory Users and Computers” and validate that the groups have been created according to the parameter file:

Rights configuration

As specified in the design documents, the four following resource groups must have specific access on some AD OUs:

· P_PRM_L_ExtGroupsMgmt_Read

· P_PRM_L_ExtGroupsMgmt_Write

· P_PRM_L_ExtUsersMgmt_Read

· P_PRM_L_ExtUsersMgmt_Write

User groups that are members of these resource groups will have specific read or write access to some zones of the Active Directory and will not be able to access the rest of the Active Directory. The next section describes how to configure this rights delegation.

P_PRM_L_ExtGroupsMgmt_Read

Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management OU”:

Click on “Delegate Control”:

Click “Next”

Click “Add”

Type “P_PRM_L_ExtGroupsMgmt_Read” at the prompt and click “OK”.

Click “Next”

Select “Read all user information” and click “Next”

Click “Finish”.

P_PRM_L_ExtGroupsMgmt_Write

Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management OU”:

Click on “Delegate Control”:

Click “Next”

Click “Add”

Type “P_PRM_L_ExtGroupsMgmt_Write” at the prompt and click “OK”.

Click “Next”

Tick boxes as mentioned in the screenshot and click “Next”

Click “Finish”.

P_PRM_L_ExtUsersMgmt_Read

Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management OU”:

Click on “Delegate Control”:

Click “Next”

Click “Add”

Type “P_PRM_L_ExtUsersMgmt_Read” at the prompt and click “OK”.

Click “Next”

Select “Read all user information” and click “Next”

Click “Finish”.

P_PRM_L_ExtUsersMgmt_Write

Log on to one of the domain controllers and launch the “Active Directory Users and Computers” snap-in. Inside it, find the “External Groups Management OU”:

Click on “Delegate Control”:

Click “Next”

Click “Add”

Type “P_PRM_L_ExtUsersMgmt_Write” at the prompt and click “OK”.

Click “Next”

Select “Read all user information” and click “Next”

Click “Finish”.
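
The four delegations above are set through the wizard and are never read back. The PowerShell below is an added example, not part of the MoFA scripts, that summarises the rights each of the four groups ends up with on an OU and flags a read group that can modify objects or a write group left with read-only access. The sample ACEs are constructed, the function names are illustrative, and the OU distinguished name in the commented live call is a placeholder because this guide does not give it.

```powershell
# Added example, not part of the MoFA scripts. Sample ACEs below are constructed.
Add-Type -AssemblyName System.DirectoryServices

$ReadGroups  = 'P_PRM_L_ExtGroupsMgmt_Read',  'P_PRM_L_ExtUsersMgmt_Read'
$WriteGroups = 'P_PRM_L_ExtGroupsMgmt_Write', 'P_PRM_L_ExtUsersMgmt_Write'

# Rights that change objects or their security descriptor. ExtendedRight is
# included because it covers operations such as password reset.
$modifyNames = 'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, WriteDacl, WriteOwner, ExtendedRight'
$ModifyMask  = [int][System.DirectoryServices.ActiveDirectoryRights]$modifyNames

# Live source: explicit and inherited ACEs of one OU (run on a domain member).
function Get-OuAce {
    param([string]$OuDn)
    $ou = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")
    $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
}

# Combines every Allow ACE per group, then compares the result with the group's
# role. It does not break rights down by the object class an ACE applies to.
function Get-DelegationSummary {
    param($Aces, [string[]]$ReadGroups, [string[]]$WriteGroups)
    $granted = @{}
    foreach ($g in ($ReadGroups + $WriteGroups)) { $granted[$g] = 0 }
    foreach ($ace in $Aces) {
        $name = ("$($ace.IdentityReference)" -split '\\')[-1]      # strip DOMAIN\
        if ($granted.ContainsKey($name) -and "$($ace.AccessControlType)" -eq 'Allow') {
            $granted[$name] = $granted[$name] -bor [int]$ace.ActiveDirectoryRights
        }
    }
    foreach ($g in ($ReadGroups + $WriteGroups)) {
        $modifies = ($granted[$g] -band $ModifyMask) -ne 0
        $finding  = 'as expected'
        if ($granted[$g] -eq 0)                                { $finding = 'no allow ACE on this OU' }
        elseif ($modifies -and $ReadGroups -contains $g)       { $finding = 'read group can modify objects' }
        elseif (-not $modifies -and $WriteGroups -contains $g) { $finding = 'write group has read-only access' }
        New-Object PSObject -Property @{
            Group   = $g
            Rights  = [System.DirectoryServices.ActiveDirectoryRights]$granted[$g]
            Finding = $finding
        }
    }
}

# Builds one constructed ACE with the three properties the summary reads.
function New-SampleAce {
    param([string]$Who, [string]$Rights, [string]$Type = 'Allow')
    New-Object PSObject -Property @{
        IdentityReference     = "MOFAWEB\$Who"
        ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]$Rights
        AccessControlType     = $Type
    }
}

$sampleAces = @(
    (New-SampleAce 'P_PRM_L_ExtGroupsMgmt_Read'  'ReadProperty'),
    (New-SampleAce 'P_PRM_L_ExtGroupsMgmt_Write' 'ReadProperty, WriteProperty, CreateChild, DeleteChild'),
    (New-SampleAce 'P_PRM_L_ExtUsersMgmt_Read'   'GenericAll'),
    (New-SampleAce 'P_PRM_L_ExtUsersMgmt_Write'  'ReadProperty'),
    (New-SampleAce 'Domain Admins'               'GenericAll')     # not a delegated group, ignored
)

Get-DelegationSummary -Aces $sampleAces -ReadGroups $ReadGroups -WriteGroups $WriteGroups |
    Format-Table Group, Rights, Finding -AutoSize

# Against the real directory (placeholder DN, replace with the OU's actual DN):
# Get-DelegationSummary -Aces (Get-OuAce 'OU=<OU name>,DC=MOFA,DC=WEB') -ReadGroups $ReadGroups -WriteGroups $WriteGroups
```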

Apply GPO adapted for Perimeter network settings

As this Active Directory is located in a perimeter network, Active Directory security must be enforced to reduce the attack surface. To do so, two main GPO templates have been created. Copy the two following directories into the C:\setup directory of one of the domain controllers:

Click on the Start button and type “Group Policy Management”:

Start the Group Policy Management console and go to “Group Policy Object”:

Right click on it and select “Manage Backup”:

Configure the “Backup location” to “C:\setup”. You should see the two policies that have been created.

Select each of them and click on “Restore”. Do this for the two backups.

At the prompt, click on “OK”.

The four GPOs can now be seen at the console level:

Now click on the “MOFA.WEB” level, right click on it and select “Link existing GPO…”

Select the “MoFA Perimeter Default Domain Policy” and click OK.

We now have two different GPOs that apply at domain level. Remove the “Default domain policy” by right clicking on it and selecting “Link Enabled” to unlink the GPO.

Click on “OK”:

On the screen, you should now see the Default domain policy not linked and the MoFA perimeter default domain policy linked:

Repeat the same operation to link the MoFA Perimeter Domain Controller policy to the Domain Controller OU:

The full domain is now configured, congratulations!

Non-Production environment installation

Installation scenario

As Production and Non-Production are identical environments, there are only a few differences between the two procedures. To avoid rewriting the exact same procedure, only a few scripts need to be adapted; in the screenshots, the following differences apply:

Production case | Non-Production case | Comment
MoFA-Add-ADDS-Role.ps1 | MoFA-Add-ADDS-Role.ps1 | Identical script
MoFA-CreateGroups.ps1 | MoFA-CreateGroups.ps1 | Identical script
MoFA-CreateGroups.xml | MoFA-CreateGroups.xml | Identical file
MoFA-CreateSubLevelsOUs.ps1 | MoFA-CreateSubLevelsOUs.ps1 | Identical script
MoFA-CreateSubLevelsOUs.xml | NoProdMoFA-CreateSubLevelsOUs.xml | Different file
MoFA-CreateTopOUs.ps1 | MoFA-CreateTopOUs.ps1 | Identical script
MoFA-CreateTopOUs.xml | NoProdMoFA-CreateTopOUs.xml | Different file
RenameDefaultSite.ps1 | RenameDefaultSite.ps1 | Identical script
unattended_additionalDC_Prod.txt | unattended_additionalDC_NoProd.txt | Different file
unattended_firstDC_Prod.txt | unattended_firstDC_NoProd.txt | Different file
{2B24EF0B-8CA1-4B4C-A573-8C4D6619B16E} | {2B24EF0B-8CA1-4B4C-A573-8C4D6619B16E} | Folder content identical in both cases
{C06485DA-1B0B-4FA6-809E-E0FD8F4034DD} | {C06485DA-1B0B-4FA6-809E-E0FD8F4034DD} | Folder content identical in both cases
