Tuesday, November 15, 2011

How-To: Build a Basic Test Lab - Part 1

This guide pretty much mimics the Microsoft recommended lab environment for evaluating their products.  Microsoft's own Test Lab Guides, which this is based on, are here: http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx
The environment will serve as the minimum requirements for any of the other guides that are presented.

At the end of this article you should have the following configured and ready for use:

One server running Windows Server 2008 R2, fully updated, configured as the Domain Controller, DNS server, DHCP server and Enterprise Root CA.
A second server running Windows Server 2008 R2, fully updated, configured as a member server running IIS, acting as the CRL distribution point and serving HTTPS.

There's nothing amazing here, so let's just get right into it.  It doesn't matter if you build this on physical hardware, or any virtualization environment you like!

Install Windows Server 2008 R2
1.  Grab your favourite media and install Windows Server 2008 R2 Enterprise Edition.  I like to use USB because it's faster.  (Microsoft offers a 180-day evaluation copy of Windows Server 2008 R2.)

2.  Once it finishes, you will be asked to set a password for the local Administrator.  Plug one in, and remember it.  (For Part 2 of this guide, start installing the second server's OS now too, to save time.)

3.  You will now be presented with the Initial Configuration Tasks Wizard.  Set your time zone, then hit Download and Install Updates, install all the important updates.  (At the time of writing, there are 66 important updates available)
Initial Configuration Tasks

Configure the Operating System
4.  Once the updates have completed, reboot and log back in.  Now it's time to get configuring.  Set the TCP/IP options for this server.  I used 10.0.0.1 with a subnet mask of 255.255.255.0, and pointed the preferred DNS server at the server's own address (it will be the DNS server for the domain shortly).  The rest of this guide assumes those values, but feel free to use your favourite addresses.

5.  Next we need to set a name.  From the Wizard screen, click Provide computer name and domain.  In System Properties, click Change, and in the Computer name field enter your desired DC name.  I chose ttdc1.  Click OK on each dialog and reboot when prompted.

6.  After rebooting, log back in and the Initial Configuration Tasks wizard will appear again.  I like to enable Remote Desktop at this point, as I may need to connect to this server from any of the other machines that get connected to this network.  In the wizard, click the Enable Remote Desktop link and choose the option that allows connections from computers running any version of Remote Desktop.  (That option disables Network Level Authentication, so it isn't the most secure, but this is only a test environment.  If every client you will connect from is Vista or later, the NLA option works just as well.)



7.  On the Initial Configuration Tasks screen, tick the Do not show this window at logon check box and click Close.
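Steps 4 to 7 can also be done from an elevated PowerShell prompt on the freshly installed server.  The script below is an added example, not part of the original post; it assumes the NIC is still called "Local Area Connection" (the 2008 R2 default), the address plan used in this guide (DC at 10.0.0.1/24, no default gateway because the lab is an isolated subnet) and the name ttdc1.  It keeps NLA enabled rather than taking the wizard's less secure option, since that costs nothing in a lab.

```powershell
# Added example (not from the original post): static IP, hostname and Remote Desktop
# for the first lab server. Run in an elevated PowerShell prompt on Windows Server 2008 R2.
$nic = "Local Area Connection"   # assumption: the default adapter name on a fresh install

# Static address for the future DC. No gateway: the lab subnet is isolated.
netsh interface ipv4 set address "$nic" static 10.0.0.1 255.255.255.0

# Point DNS at this server itself; dcpromo installs the DNS role here shortly,
# so skip validation (there is nothing listening on 53 yet).
netsh interface ipv4 set dnsservers "$nic" static 10.0.0.1 primary validate=no

# Rename the computer. ReturnValue 0 means success; the new name applies after reboot.
$result = (Get-WmiObject Win32_ComputerSystem).Rename("ttdc1")
if ($result.ReturnValue -ne 0) { throw "Rename failed with code $($result.ReturnValue)" }

# Enable Remote Desktop. fDenyTSConnections=0 turns RDP on; UserAuthentication=1 keeps
# Network Level Authentication required (the wizard's "more secure" option).
$ts = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# Open the built-in Remote Desktop firewall rule group (TCP 3389).
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Restart-Computer
```

After the reboot, `hostname` should print ttdc1 and `ipconfig /all` should show 10.0.0.1 with itself as the DNS server; if you later want the wizard's behaviour exactly, set UserAuthentication back to 0.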

The Server Manager Screen will now appear.


8.  Click on Roles, and then click Add Roles.

Install Active Directory and DNS
9.  After clicking Next, select the Active Directory Domain Services role, click Add Required Features, click Next a few times, then click Install.

10.  To commence the AD Install, start dcpromo from the run dialog.  When the wizard appears, click next two times.

11.  The deployment we want is Create a new domain in a new forest.  Then click Next again.

12.  Now you need to decide on a domain name.  For this guide, I will use dev.tassietech.local.

13.  The forest functional level we need/want is Windows Server 2008 R2, as we won't have any legacy domain controllers here.

14.  Click Next, Yes and Next.

15.  You should now be asked for a Directory Services Restore Mode Admin Password.  Put one in here, and remember this as well.

16.  Click next a few more times and it will start installing.  It shouldn't take too long, but to be safe, grab a coffee.

17.  When it finishes, Reboot, and then log into the DEV domain as the Administrator.
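Steps 9 to 17 have an unattended equivalent, which is handy when you rebuild the lab more than once.  This is an added example, not from the original post; it assumes the domain name used in this guide (dev.tassietech.local, NetBIOS name DEV, since the post logs into the DEV domain) and the default database, log and SYSVOL paths.  Forest and domain level 4 is Windows Server 2008 R2.

```powershell
# Added example (not from the original post): install AD DS and promote this server to the
# first DC of a new forest without the dcpromo wizard. Run elevated on Windows Server 2008 R2.
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services

# Prompt for the Directory Services Restore Mode password rather than hard-coding it.
$dsrm = Read-Host "Directory Services Restore Mode password"

# dcpromo unattend keys. ForestLevel/DomainLevel 4 = Windows Server 2008 R2.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=dev.tassietech.local
DomainNetbiosName=DEV
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$file = Join-Path $env:TEMP "dcpromo.txt"
Set-Content -Path $file -Value $answer

dcpromo /unattend:$file

# The answer file holds the DSRM password in clear text: remove it before rebooting.
Remove-Item $file -Force
Restart-Computer
```

The "Yes" you click at step 14 is the DNS delegation warning; CreateDNSDelegation=No answers it for you because there is no parent zone to delegate from in an isolated lab.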

Cool, now we have a DC up and running, ready to serve our clients and other services.  Let's get some more services running so that clients can actually find and use it!

First, install the DHCP Server.

18.  From the Server Manager Console, Add a new Role, Select DHCP Server.
19.  After clicking next a couple of times, check that the Bindings page specifies your IP address, and that it is checked.
20.  Ensure that the IPv4 DNS Server page has your domain listed as the parent domain.
21.  The Preferred DNS server IP should be 10.0.0.1 (the DC's own address).

22.  Ignore WINS, and Add a Scope.  Give it a meaningful name; I chose Dev, with a starting address of 10.0.0.100, an ending IP of 10.0.0.200 and subnet mask 255.255.255.0.

23.  On the DHCPv6 Stateless Mode page, choose Disable DHCPv6 stateless mode for this server.
24.  We want to Authorize the DHCP Server as well for use with AD, select Use Current credentials.
25.  Confirm selections, and click Install and wait, then Close :)
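The same DHCP setup from the command line, as an added example that is not part of the original post.  It assumes the values used in steps 18 to 25: scope 10.0.0.100 to 10.0.0.200 on 10.0.0.0/24, DNS server 10.0.0.1, parent domain dev.tassietech.local and the DC name ttdc1.  The authorization step is the one people forget when they skip the wizard: an unauthorized DHCP server in an AD domain simply never answers.

```powershell
# Added example (not from the original post): DHCP role, scope and AD authorization
# equivalent to the wizard in steps 18-25. Run elevated on the DC.
Import-Module ServerManager
Add-WindowsFeature DHCP
Set-Service DHCPServer -StartupType Automatic
Start-Service DHCPServer

# Scope "Dev": 10.0.0.0/24, leases from 10.0.0.100 to 10.0.0.200.
netsh dhcp server add scope 10.0.0.0 255.255.255.0 Dev "Dev lab scope"
netsh dhcp server scope 10.0.0.0 add iprange 10.0.0.100 10.0.0.200

# Option 006 = DNS servers, option 015 = DNS domain name (the wizard's "parent domain").
netsh dhcp server scope 10.0.0.0 set optionvalue 006 IPADDRESS 10.0.0.1
netsh dhcp server scope 10.0.0.0 set optionvalue 015 STRING dev.tassietech.local

# Activate the scope.
netsh dhcp server scope 10.0.0.0 set state 1

# Authorize this server in Active Directory (needs Enterprise Admin rights, which the
# built-in Administrator of the forest root domain has). Without this, no leases are issued.
netsh dhcp add server ttdc1.dev.tassietech.local 10.0.0.1

# Check: the server should now appear in the list of authorized DHCP servers.
netsh dhcp show server
```

No router option (003) is set because the lab subnet has no gateway; add it with `set optionvalue 003 IPADDRESS <gateway>` if your lab does.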

Right, at this point clients could receive an IP, talk to DNS and join the domain.  But we will set up a couple more things first.

Install the Enterprise Root CA
26.  Add another Role, Select Active Directory Certificate Services, click Next a few times.
27.  Choose Enterprise for the setup type, and Root CA for the CA type.
28.  Select Create a new private key. Click Next a heap of times, and then Install, drink coffee, and close.

Configure CRL Distribution Settings
29.  Open the Certification Authority management console, right-click your CA (the node named after the CA, not the domain), select Properties and go to the Extensions tab.

30.  Click Add, and in the Location field, type http://crl.<yourdomain>/crld/ (I had http://crl.tassietech.local/crld/).  Whatever host name you type here is what ends up in every certificate this CA issues, so it must match exactly the DNS record you create a few steps further down, and it is painful to change later.
31.  In Variable, Select the following items followed by Insert. <CAName><CRLNameSuffix><DeltaCRLAllowed>.
32.  At the end of the Location field, type .crl and click OK.
33.  Below, select Include in CRLs Clients use this to find Delta CRL locations and Include in CDP extension of issued certificates and click Apply.  Choose No when it asks you to restart AD CS.
34.  Click Add again, and in the Location field, enter \\<appserver>\crldist$\ (I had \\ttapp1\crldist$\).
35. In Variable, Select the following items followed by Insert. <CAName><CRLNameSuffix><DeltaCRLAllowed>.
36.  At the end of the Location field, type .crl and click OK.
37.  Select the Publish CRLs to this location and Publish Delta CRLs to this location boxes and click OK.  This time, say Yes to restarting AD CS.

Create a DNS Record for crl.<yourdomain>
38.  Open the DNS management console, and expand to Forward lookup zones.
39.  Right-click the zone and select New Host (A or AAAA).
40.  In the New Host dialog, enter crl as the name and add the IP address that you are giving to the app server (I am using 10.0.0.3).  Click Add Host, then OK and Done.  Note that the record lands in whichever zone you right-clicked: if your CDP URL says crl.tassietech.local, the record has to live in a tassietech.local zone, not under dev.tassietech.local, or clients will fail revocation checking with a name that does not resolve.
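Steps 29 to 40 with certutil and dnscmd instead of the consoles, as an added example that is not part of the original post.  It assumes the app server is ttapp1 at 10.0.0.3 and, to keep the CDP URL and the DNS record consistent, uses crl.dev.tassietech.local (a host record in the dev.tassietech.local zone) rather than the two different names the walkthrough above uses.  The flag values are the bit masks behind the check boxes on the Extensions tab: 1 = publish CRLs to this location, 2 = include in the CDP extension of issued certificates, 4 = include in CRLs so clients can find delta CRLs, 64 = publish delta CRLs to this location.  %3, %8 and %9 are CAName, CRLNameSuffix and DeltaCRLAllowed.

```powershell
# Added example (not from the original post): CRL distribution points and the crl host
# record, equivalent to steps 29-40. Run elevated on the CA (which is also the DC here).

# Look at the current list first: -setreg REPLACES the whole value, so the stock
# local-file and LDAP entries are kept below rather than silently dropped.
certutil -getreg CA\CRLPublicationURLs

$crlHost  = "crl.dev.tassietech.local"   # assumption: must match the DNS record created below
$uncShare = "\\ttapp1\crldist$"           # assumption: share created on the app server in Part 2

$urls = '1:' + $env:windir + '\system32\CertSrv\CertEnroll\%3%8%9.crl' +
        '\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10' +
        '\n6:http://' + $crlHost + '/crld/%3%8%9.crl' +      # 2 + 4: in issued certs, delta lookup
        '\n65:file://' + $uncShare + '\%3%8%9.crl'           # 1 + 64: publish base and delta CRLs

# certutil splits the string on the literal "\n" into a REG_MULTI_SZ.
certutil -setreg CA\CRLPublicationURLs $urls

# The CA service reads these settings at start-up.
net stop certsvc
net start certsvc

# Publish a CRL now. Expect an error for the UNC location until Part 2 creates the share
# and grants the CA's computer account write access; the local copy still succeeds.
certutil -CRL

# Host record crl -> 10.0.0.3 in the dev.tassietech.local zone on this DNS server.
dnscmd ttdc1 /RecordAdd dev.tassietech.local crl A 10.0.0.3

# Verify: the name must resolve to the app server from any lab client.
nslookup $crlHost 10.0.0.1
```

Certificates issued before this change still carry the old CDP, so do this before enrolling anything; `certutil -v -verify -urlfetch <cert.cer>` against an issued certificate is the quickest way to confirm the published HTTP location is actually fetchable once Part 2 is done.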

Create a user Account
41.  Open Active Directory Users and Computers, expand the tree, and right click Users.  Create a new User.
42.  Give the user a Full name of User1 and User logon name User1, give the account a password, clear User must change password at next logon, tick Password never expires, click Next, then Finish.
43.  Click Users in the console tree, then open the properties of the Domain Admins group.  On the Members tab, add User1 and OK out.  Close Active Directory Users and Computers.  (A day-to-day account in Domain Admins with a non-expiring password is a lab convenience only; never do this on a real domain.)

Set up Group Policy
44.  Open the Group Policy Management Console.  Expand the tree, right click the Default Domain Policy and select Edit.
45.  Open this path: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
46.  Right click Automatic Certificate Request Settings, select New, and Automatic Certificate Request.
47.  On the Template page, select Computer, Next, Finish.

If you are using a virtual machine, you will want to change the machine account password age setting.  Domain members change their computer account password every 30 days by default; restore a snapshot taken before the last change and the server no longer shares a secret with the DC, so the secure channel (and your logons) break.  Stretching the maximum age avoids that in a lab where snapshots get rolled back.

(Optional) To change the Maximum password age:
48.  Open Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
49.  Open Domain member: Maximum machine account password age.  On the Security Policy Setting tab, tick Define this policy setting, set the age to 999 days (the largest value the policy accepts) and click OK.

You can now close the Group Policy editor.
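Steps 41 to 49 with the ActiveDirectory and GroupPolicy modules that ship with Windows Server 2008 R2, as an added example that is not part of the original post.  It assumes the domain dev.tassietech.local and the user name User1 from the walkthrough.  The machine account password age is written as the Netlogon registry value behind that security option; the GPO report shows it under Extra Registry Settings rather than Security Options, but clients apply it the same way.  The Automatic Certificate Request entry of steps 46 and 47 has no cmdlet, so that part stays in the GUI.

```powershell
# Added example (not from the original post): create User1, add it to Domain Admins and set
# the machine account password age in the Default Domain Policy. Run elevated on the DC.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = "dev.tassietech.local"   # assumption: the domain name used in this guide

# Prompt for the password so it never sits in a script file.
$pw = Read-Host "Password for User1" -AsSecureString

New-ADUser -Name "User1" -SamAccountName "User1" -UserPrincipalName "User1@$domain" `
    -AccountPassword $pw -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

# Lab convenience only: a non-expiring Domain Admin account is exactly what you would not
# do in production.
Add-ADGroupMember -Identity "Domain Admins" -Members "User1"

# "Domain member: Maximum machine account password age" maps to this Netlogon value, in days.
# 999 is the largest the policy accepts; it stops snapshot rollbacks from breaking the
# secure channel, at the cost of a secret that effectively never rotates.
Set-GPRegistryValue -Name "Default Domain Policy" `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
    -ValueName "MaximumPasswordAge" -Type DWord -Value 999

# Apply now on this machine and confirm the membership and the policy value.
gpupdate /force
Get-ADGroupMember "Domain Admins" | Select-Object SamAccountName
Get-GPRegistryValue -Name "Default Domain Policy" `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -ValueName "MaximumPasswordAge"
```

If you would rather the secret never changed at all than rotated every 999 days, the neighbouring option Domain member: Disable machine account password changes (DisablePasswordChange = 1 in the same key) does that; either is fine for a throwaway lab.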

That's it for Part 1.  We now have a basic but fully functioning Domain.  Stay tuned for the next instalment where we set up our second server for CRL distribution.
Continue with Part 2 Here.