Configuration of Active Directory is the second step to a successful installation.

Installing Windows 2000, Part 2


Last month we installed Windows 2000 Server on a machine and not much else. Now it's time to install Active Directory. What is Active Directory and why do you care about it? When the factory whistle blows at the end of the day, AD is about resource management. That's an important perspective to keep as we dig deeply into the AD architecture. Technically speaking, AD is about directory services.

No doubt you've heard the term "directory services" thrown around in the media. It means a few things:

  • Easier administration. Not only are many common "things" such as users, groups, computers, and printers treated as objects in a hierarchical tree, you can specify sub-administrators to manage portions of the network (think of them as mini-gods).
  • Scalability. Granted, AD is oriented towards the larger enterprises and is of less use to small and medium-sized organizations. But if you're working on one of those large organizations, you'll greatly appreciate the ability to add more office locations, merged companies, and so on to your wide area network.
  • Industry-standard directory services. AD is based on time-tested directory services architectures such as Lightweight Directory Access Protocol (LDAP). That means AD will have the ability to merge with other networks such as Novell NetWare. Very important in the real world.

Here are the steps to install and configure AD. Note that Domain Name System (DNS) will be installed as part of the basic AD installation. Also note that this installation presumes you're starting new. This explanation I provide is for your test machine. In future articles MCP Magazine will explore how to handle the migration for existing networks. Also, in a future column I'll explore more AD issues, but we're not quite ready for that right now.

Steps to install AD and DNS

  1. Select Run from the Start button on your desktop.
  2. Type dcpromo.exe in the Open field of the Run dialog box. The AD Installation Wizard appears. Click Next.
  3. When asked about the domain controller type, select Domain controller for a new domain. With this step, you define the machine as something called a domain controller (you may recall last month that you created a member server in a workgroup, the most basic of all configurations). A domain controller is a central authority for managing computer operations, including security and users.
  4. When asked about creating a tree or child domain, select Create a new domain tree. At this step, I've assumed the Win2K server machine you're configuring is the first such machine on your network, thus the need to create a new domain tree (one wouldn't otherwise exist, and at least one domain tree must exist in an AD environment). A domain is the basic unit of administration in a Win2K networked environment, and the emphasis is on centralized administration. The opposite of a domain is a workgroup, which emphasizes decentralized administration. Note: A domain tree can house several domains.
  5. When asked to create or join a forest, select Create a new forest of domain trees. A forest is a grouping of domain trees.
  6. When asked to install or configure DNS, select No, just install and configure DNS on this computer. This installs the Domain Name System (DNS) service on this computer. DNS is used to resolve names on a Win2K network. For example, if you typed "intranet" in the Address field of Internet Explorer, you would be taken to your company's intranet home page (if it was, indeed, named "intranet"). I'll discuss DNS at length in a future column.
  7. When asked for a new domain name, you'll typically use your registered Internet domain name, such as
  8. When asked for a NetBIOS Domain Name, you'll most likely provide an internal network name similar to your Internet domain name. Confusing, huh? In my example from step 7, type ACME. To be honest, I recommend you take a moment to consult the Win2K Server online help system or an experienced MCSE consultant to come up with a naming scheme that will last you a very long time.
  9. Accept the default locations and suggested answers for the Database and Log Locations, Shared System Volume, and default Windows NT 4.0 RAS (Remote Access Service) Servers permissions.
  10. Click Next | Finish | Restart Now and you've successfully installed both AD and DNS.

So what does a basic AD and DNS configuration look like? See Figures 1 and 2.

Figure 1. An AD configuration, viewed from AD Users and Computers (the most popular AD tool found in the Administrative Tools program group).


Figure 2. A basic DNS service in Win2K as viewed from the DNS Microsoft Management Console (found in the Administrative Tools program group).

Adding a Population of Units

Now that your Win2K foundation is in place, you may move onward to the more practical side of running a Win2K site. As you know, all computer networks support users. These users must be added to the computer network. This is typically done by simply adding a user to the server. Sometimes these users are placed into groups such as Marketing or Northeast to better organize how you manage groups and the way rights are assigned. Computers or machines will also be added.

Ah, but Win2K has a slight twist on the adding users, groups and computers dance. That's because AD treats everything (and I mean everything) as objects. The good news is that you can organize your users, groups and computers even better by dropping them into a container called an organizational unit (OU).

Perhaps you have a main campus in your organization and it's where you're starting to deploy Win2K. Here's how to use OUs to your system management advantage. Create an OU titled MAIN for the main campus. Throw every user, group, and machine you initially create for the main campus in the MAIN OU. There, your AD now mirrors your physical structure. Later (and only later) you can create more OUs once you better understand AD and can justify more OUs as part of your structure.

So, the plan is four-fold. First, create an AD OU. Second, create a few users. Third, create a few groups. Fourth, create computers.

Steps To Create an Organizational Unit

  1. Launch the Active Directory Users and Computers MMC from the Administrative Tools program group.
  2. In the left pane, right-click on the domain object (for example, ACME.COM). The secondary menu will appear.
  3. Select New | Organizational Unit as seen in Figure 3.
Figure 3. Selecting Organizational Unit from the secondary menu.
  4. Type in the name of the OU (such as MAIN) as seen in Figure 4. Click OK.
Figure 4. Designating the MAIN organizational unit in the New Object - Organizational Unit dialog box.
  5. The new OU (MAIN) appears as an object beneath the domain as seen in Figure 5.
Figure 5. MAIN OU appears as an AD object.

Now your task is to add and place users in the OU you've created. This is simple.

Adding a User

  1. If adding a user to an OU in the AD Users and Computers MMC (which we are), right-click on the OU (MAIN) to display the secondary menu.
  2. Select New | User. The New Object - User dialog box appears.
  3. Complete the basic user information (first name, last name, and logon name) and click Next.
  4. Provide a password on the next screen as well as password conditions (such as "expires after x days"). Note: Passwords should be tricky and contain a mix of characters and numbers and different cases (lower and upper).
  5. Click Finish. You've now created a user inside an OU.

Adding a Group

  1. If adding a group to an OU in the AD Users and Computers MMC (which we are), right-click on the OU (MAIN) to display the secondary menu.
  2. Select New | Group. The New Object - Group dialog box appears.
  3. Provide a group name (such as Managers) and accept the global group scope and security group type. A global group is a versatile group that can interact across different domains. It's the most popular type of group. A security group is a type of group to which rights are assigned vs. a distribution group, which is more like an email list group. In the future I'll discuss groups at length.
  4. Click OK. The group appears in the OU.
  5. To add users to the group, right-click on the group you've just created.
  6. Select Properties. The Group's Properties dialog box appears.
  7. Select the Members tab sheet.
  8. Click the Add button.
  9. Select a user to add to this group and click OK. The user should appear as a member similar to what's shown in Figure 6.
Figure 6. A user is added as a member of a group in AD.
  10. Click OK to close the group's Properties dialog box. You have now added a user to a group.

Adding a Computer

Adding computers to the network assists in the management of these "units."

  1. If adding a computer to an OU in the AD Users and Computers MMC (which we are), right-click on the OU (such as MAIN) to display the secondary menu.
  2. Select New | Computer. The New Object - Computer dialog box appears.
  3. Provide a computer name. I advise something simple that's easy to remember and spell (you'll need to type this name later in different Win2K management situations). Such a name might be CEO1 (named for the position, not the user; titles tend to outlast users).
  4. Select the All pre-Windows 2000 computers to use this account checkbox (if applicable). In most networks today, it's likely you have older Windows NT machines, so I'd advise you to select this checkbox.
  5. Click OK. The computer appears in the OU.

You have now added an OU, user, group and computer. Your results should look similar to Figure 7.

Figure 7. An OU, user, group, and computer added to AD.
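The four-fold plan above (OU, user, group, computer) scripted as an added PowerShell example that is not part of the column: it drives ADSI over LDAP, which a Windows 2000 domain controller accepts, although PowerShell itself runs on a later machine with network reach to the DC. It assumes the ACME.COM domain name from the OU procedure; the user name and the password are constructed placeholders.

```powershell
# Added example, not the column's own code: create the MAIN OU and populate it
# with a user, a global security group and a computer account over ADSI/LDAP.
# Assumes the ACME.COM domain from the article; names and password are placeholders.
$domain = [ADSI]"LDAP://DC=acme,DC=com"

# 1. Organizational unit MAIN directly beneath the domain object
$ou = $domain.Create("organizationalUnit", "OU=MAIN")
$ou.SetInfo()

# 2. A user in MAIN. The object must exist (SetInfo) before a password can be set,
#    and the account stays disabled until userAccountControl is set to NORMAL_ACCOUNT.
$user = $ou.Create("user", "CN=Jane Doe")
$user.Put("givenName", "Jane")
$user.Put("sn", "Doe")
$user.Put("sAMAccountName", "jdoe")
$user.Put("userPrincipalName", "jdoe@acme.com")
$user.SetInfo()
$user.SetPassword("PLACEHOLDER-change-me")   # placeholder; use a value that meets your password policy
$user.Put("userAccountControl", 512)         # ADS_UF_NORMAL_ACCOUNT with the disable bit clear
$user.SetInfo()

# 3. A global security group named Managers, then add the user as a member.
#    groupType is a bit field: GLOBAL_GROUP (2) | SECURITY_ENABLED (0x80000000).
#    PowerShell parses the hex literal as the Int32 -2147483646 that AD stores.
$group = $ou.Create("group", "CN=Managers")
$group.Put("sAMAccountName", "Managers")
$group.Put("groupType", 0x80000002)
$group.SetInfo()
$group.Add($user.Path)                       # same as Properties > Members > Add in the MMC

# 4. A computer account CEO1. The sAMAccountName carries a trailing $, and
#    userAccountControl 4096 (WORKSTATION_TRUST_ACCOUNT) marks it as a machine account.
$computer = $ou.Create("computer", "CN=CEO1")
$computer.Put("sAMAccountName", 'CEO1$')
$computer.SetInfo()
$computer.Put("userAccountControl", 4096)
$computer.SetInfo()

# Verify: list what now sits in MAIN, as AD Users and Computers would show it
$ou.Children | ForEach-Object { "{0,-20} {1}" -f $_.SchemaClassName, $_.Name }
```

Run it once as a domain administrator; re-running fails at the first Create because the objects already exist, which is the expected ADSI behaviour rather than a script bug.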

Adding A Printer

A final step you must undertake is to add a printer. Why? Because no sooner than you've added users to your network, they start clamoring for printing! After adding the printer to the machine, I'll place the printer in the MAIN OU, in keeping with our one-OU-until-more-are-needed philosophy.

  1. Select Printers from the Settings group (accessed from the Start menu).
  2. Add a printer to the machine. This is the same as the old NT Server 4.0 days where a printer is added, based on its port (such as LPT1), manufacturer (HP), and model (LaserJet III). Be sure to share the printer with a simple share name.
  3. If placing a printer in an OU in the AD Users and Computers MMC (which we are), right-click on the OU (MAIN in this case) to display the secondary menu.
  4. Select New | Printer. The New Object - Printer dialog box appears.
  5. Provide the share path (UNC path) to the printer. For example, this might be \\LONDON\HPColorL for a shared printer titled HPColorL on the LONDON server.
  6. Click OK and the printer will appear ("be published") to the OU.

Advanced Configuration Issues

Whew! Believe it or not, we've covered just about every basic Win2K configuration issue you're likely to encounter out of the gate. By no means have we exhausted every Win2K configuration issue. Rather, we've created a functional Win2K network.

One great resource for advanced Win2K configuration issues is Microsoft's MCSE course 1557: Installing and Configuring Microsoft Windows 2000. The configuration issues addressed in this course include:

  • Configuring new hardware (such as adding a sound card via Device Manager).
  • Configuring operating system settings (for example, configuring the paging file).
  • Configuring services (such as startup options).
  • Configuring disks and partitions.
  • Configuring network protocols.

In future columns I'll address many of these topics. See you next month!
