Windows Server 2008 Foundation Network Guide
Microsoft Corporation
Published: November, 2007
Authors: James McIllece and Brit Weston
Editor: Allyson Adley
Technical Contributors: Shyam Seshadri
Abstract
The Windows Server 2008 Foundation Network Guide provides instructions on how to plan and
deploy the core components required for a fully functioning network and a new Active Directory
domain in a new forest. Using this guide, you can deploy computers configured with the following
Windows server components:
The Network Policy Server (NPS) role service of the Network Policy and Access Services
server role
This guide also serves as a foundation for companion guides that show you how to deploy
additional network technologies in Windows Server 2008.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Windows Server 2008 Foundation Network Guide ......................................................................... 5
Foundation Network Overview ..................................................................................................... 9
Foundation Network Planning .................................................................................................... 11
Foundation Network Deployment ............................................................................................... 22
Configuring All Servers ........................................................................................................... 22
Change the Administrator Password ................................................................................... 23
Rename the Computer ........................................................................................................ 25
Configure a Static IP Address ............................................................................................. 26
Deploying AD-DNS-01 ............................................................................................................ 27
Install AD DS and DNS for a New Forest ............................................................................ 28
Create a User Account in Active Directory Users and Computers ...................................... 30
Add a Group ........................................................................................................................ 30
Assign Group Membership .................................................................................................. 31
Configure a DNS Reverse Lookup Zone ............................................................................. 32
Joining Computers to the Domain and Logging On ................................................................ 33
Join the Computer to the Domain........................................................................................ 33
Log on to the Domain .......................................................................................................... 35
Deploying WINS-01 (optional) ................................................................................................ 36
Install Windows Internet Name Service (WINS) .................................................................. 36
Deploying DHCP-01................................................................................................................ 37
Install Dynamic Host Configuration Protocol (DHCP) ......................................................... 38
Create an Exclusion Range in DHCP.................................................................................. 40
Authorize a DHCP Server in Active Directory Domain Services ......................................... 40
Activate a DHCP Scope ...................................................................................................... 41
Create a New DHCP Scope ................................................................................................ 41
Deploying NPS-01 (optional) .................................................................................................. 42
Install Network Policy Server (NPS) .................................................................................... 43
Additional Technical Resources ................................................................................................. 43
Appendix A ................................................................................................................................. 44
Core protocols for network connectivity between computers and other Transmission Control
Protocol/Internet Protocol (TCP/IP) compatible devices. TCP/IP is a suite of standard
protocols for connecting computers and building networks. TCP/IP is network protocol
software provided with Microsoft Windows operating systems that implements and
supports the TCP/IP protocol suite.
Name resolution services, such as Domain Name System (DNS) and Windows Internet
Name Service (WINS). DNS and WINS allow users, computers, applications, and services to
find the IP addresses of computers and devices on the network using the network basic
input/output system (NetBIOS) name or Fully Qualified Domain Name of the computer or
device.
A forest, which is one or more Active Directory domains that share the same class and
attribute definitions (schema), site and replication information (configuration), and forest-wide
search capabilities (global catalog).
A forest root domain, which is the first domain created in a new forest. The Enterprise Admins
and Schema Admins groups, which are forest-wide administrative groups, are located in the
forest root domain. In addition, a forest root domain, as with other domains, is a collection of
computer, user, and group objects that are defined by the administrator in Active Directory
Domain Services (AD DS). These objects share a common directory database and security
policies. They can also share security relationships with other domains if you add domains as
your organization grows. The directory service also stores directory data and allows
authorized computers, applications, and users to access the data.
A user and computer account database. The directory service provides a centralized user
accounts database that allows you to create user and computer accounts for people and
computers that are authorized to connect to your network and access network resources,
such as applications, databases, shared files and folders, and printers.
A foundation network also allows you to scale your network as your organization grows and IT
requirements change. For example, with a foundation network you can add domains, IP subnets,
remote access services, wireless services, and other features and server roles provided by
Windows Server 2008 and Windows Vista.
A hub, Layer 2 or 3 switch, router, or other device that performs the function of relaying
network traffic between computers and devices.
Computers that meet the minimum hardware requirements for their respective client and
server operating systems.
Note
This guide depicts the use of four server computers. In some cases, such as on small
networks, you can use fewer servers. For example, you can install DHCP and WINS on
the same server rather than on separate servers.
Internet connectivity
Remote access
Wireless access
Technology Overviews
The following sections provide brief overviews of the required and optional technologies used to
create a foundation network.
DNS
DNS is a name resolution protocol for TCP/IP networks, such as the Internet or an organization
network. A DNS server hosts the information that enables client computers to resolve easily
recognized, alphanumeric DNS names to the IP addresses that computers use to communicate
with each other.
DHCP
DHCP is an IP standard for simplifying management of host IP configuration. The DHCP standard
provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses
and other related configuration details for DHCP-enabled clients on your network.
Every computer on a TCP/IP network must have a unique IP address. The IP address (together
with its related subnet mask) identifies both the host computer and the subnet to which it is
attached. When you move a computer to a different subnet, the IP address must be changed.
DHCP allows you to dynamically assign an IP address to a client from a DHCP server IP address
database on your local network.
For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work
involved in reconfiguring computers.
WINS (optional)
While DNS is a required component of a foundation network, WINS is optional because, like
DNS, it is a naming service. In some cases, you might not need both DNS and WINS, but older
operating systems and applications might require WINS. For medium to small networks, WINS is
extremely easy to install and manage, and it is not resource-intensive. If you are in doubt about
whether you need WINS, you can test your network functionality without it and install it if needed.
WINS provides a distributed database for registering and querying dynamic mappings of NetBIOS
names for computers and groups used on your network. WINS maps NetBIOS names to IP
addresses and was designed to solve the problems arising from NetBIOS name resolution in
routed environments. WINS is the best choice for NetBIOS name resolution in routed networks
that use NetBIOS over TCP/IP.
NetBIOS names are used by earlier versions of Windows operating systems to identify and locate
computers and other shared or grouped resources required to register or resolve names for use
on the network.
NetBIOS names are a requirement for establishing networking services in earlier versions of
Windows operating systems. Although the NetBIOS naming protocol can be used with network
protocols other than TCP/IP (such as NetBEUI or IPX/SPX), WINS was designed specifically to
support NetBIOS over TCP/IP (NetBT).
WINS simplifies the management of the NetBIOS namespace in TCP/IP-based networks.
NPS (optional)
Network Policy Server (NPS) allows you to centrally configure and manage network policies with
the following three features: Remote Authentication Dial-In User Service (RADIUS) server,
RADIUS proxy, and Network Access Protection (NAP) policy server.
NPS is an optional component of a foundation network, but you should install NPS if any of the
following are true:
You are planning to expand your network to include any remote access servers that are
compatible with the RADIUS protocol, such as a computer running Windows Server 2008 and
Routing and Remote Access service.
TCP/IP
TCP/IP in Windows Server 2008 is the following:
A routable, enterprise networking protocol that supports the connection of your Windows-based
computer to both local area network (LAN) and wide area network (WAN) environments.
Core technologies and utilities for connecting your Windows-based computer with dissimilar
systems for the purpose of sharing information.
A foundation for gaining access to global Internet services, such as the World Wide Web and
File Transfer Protocol (FTP) servers.
TCP/IP provides basic TCP/IP utilities that enable Windows-based computers to connect and
share information with other Microsoft and non-Microsoft systems, including:
Windows Vista
Windows XP
Internet hosts
IBM mainframes
UNIX systems
Network-ready printers, such as HP LaserJet series printers that use HP JetDirect cards
Router
This deployment guide provides instructions for deploying a foundation network with two subnets
separated by a router that has DHCP forwarding enabled. You can, however, deploy a Layer 2
switch, a Layer 3 switch, or a hub, depending on your requirements and resources. If you deploy
a switch, the switch must be capable of DHCP forwarding or you must place a DHCP server on
each subnet. If you deploy a hub, you are deploying a single subnet and do not need DHCP
forwarding or a second scope on your DHCP server.
Static TCP/IP configurations
All of the servers in this deployment are configured with static IPv4 addresses. Client computers
are configured by default to receive IP address leases from the DHCP server.
Global catalog and DNS server
Both Active Directory Domain Services (AD DS) and Domain Name System (DNS) are installed
on this server, providing directory and name resolution services to all computers and devices on
the network.
WINS server (optional)
Installing Windows Internet Name Service (WINS) on your foundation network is optional. It is
often difficult to determine whether applications and services require WINS for name resolution.
In some cases, you might need WINS; in other cases, DNS might be the only name resolution
service that you need on your network. Because WINS is low maintenance and is not
processor-use intensive for medium and small networks, you can install WINS on the DHCP server
in the event that applications or services need the service.
DHCP server
The Dynamic Host Configuration Protocol (DHCP) server is configured with a scope that provides
Internet Protocol (IP) address leases to computers on the local subnet. The DHCP server can
also be configured with additional scopes to provide IP address leases to computers on other
subnets if DHCP forwarding is configured on routers.
NPS server (optional)
The Network Policy Server (NPS) server is installed as a preparatory step for deploying other
network access technologies, such as virtual private network (VPN) servers, wireless access
points, and 802.1X authenticating switches. In addition, installing NPS prepares your network for
the deployment of Network Access Protection (NAP).
Client computers
Client computers running Windows Vista and Windows XP are configured by default as DHCP
clients, which obtain IP addresses and DHCP options automatically from the DHCP server.
Planning subnets
In Transmission Control Protocol/Internet Protocol (TCP/IP) networking, routers are used to
interconnect the hardware and software used on different physical network segments called
subnets. Routers are also used to forward IP packets between each of the subnets. Determine
the physical layout of your network, including the number of routers and subnets you need, before
proceeding with the instructions in this guide.
In addition, to configure the servers on your network with static IP addresses, you must determine
the IP address range that you want to use for the subnet where your foundation network servers
are located. In this guide, the private IP address range 192.168.1.1 - 192.168.0.254 is used as an
example, but you can use any private IP address range.
The following recognized private IP address ranges are specified by Internet Request for
Comments (RFC) 1918:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
When you use the private IP address ranges as specified in RFC 1918, you cannot connect
directly to the Internet using a private IP address because requests going to or from these
addresses are automatically discarded by Internet service provider (ISP) routers. To add Internet
connectivity to your foundation network later, you must contract with an ISP to obtain a public IP
address.
Important
When using private IP addresses, you must use some type of proxy or network address
translation (NAT) server to convert the private IP address ranges on your local network to
a public IP address that can be routed.
For more information, see Planning the deployment of DHCP-01.
Example value:
Administrator password
Example: J*p2leO4$F
Note
Strong passwords contain a minimum of 7 characters that include each of the following:
uppercase letters (A, B, C), lowercase letters (d, e, f), numerals (0, 1, 2, 3), and keyboard
symbols (' ~ ! @ # $ % | /).
DNS-SF-01. This name represents the DNS server in San Francisco. If additional DNS
servers are added in San Francisco, the numeric value in the name can be incremented, as
in DNS-SF-02 and DNS-SF-03.
Choose a naming convention before you install your foundation network using this guide.
subnets or the Internet, you must know the IP address of the router, also called a default
gateway, for static IP address configuration.
The following table provides example values for static IP address configuration.
Configuration items      Example values
IP address               192.168.0.3
Subnet mask              255.255.255.0
Default gateway          192.168.0.10
192.168.0.1
192.168.0.7
192.168.0.2
192.168.0.8
Forest functionality enables features across all the domains in your forest. The following forest
functional levels are available:
Windows 2000. This forest functional level supports Windows NT 4.0, Windows 2000, and
Windows Server 2003 domain controllers.
Windows Server 2003. This forest functional level supports Windows Server 2003 domain
controllers only.
Windows Server 2008. This forest functional level supports Windows Server 2008 domain
controllers only.
If you are deploying a new domain in a new forest and all of your domain controllers will be
running Windows Server 2008, it is recommended that you configure AD DS with the Windows
Server 2008 forest functional level during AD DS installation.
Important
After the forest functional level has been raised, domain controllers running earlier
operating systems cannot be introduced into the forest. For example, if you raise the
forest functional level to Windows Server 2008, domain controllers running
Windows 2000 Server or Windows Server 2003 cannot be added to the forest.
Example configuration items for AD DS are provided in the following table.
Configuration items:
Example values:
Examples:
example.com
corp.example.com
Windows 2000
Configuration items:
Example values:
memberships.
E:\Configuration\
E:\Configuration\
E:\Configuration\
J*p2leO4$F
AD DS_AnswerFile
When you create a reverse lookup zone, the in-addr.arpa domain, which was defined in the DNS
standards and reserved in the Internet DNS namespace to provide a practical and reliable way to
perform reverse queries, is installed in DNS. To create the reverse namespace, subdomains
within the in-addr.arpa domain are formed, using the reverse ordering of the numbers in the
dotted-decimal notation of IP addresses.
The in-addr.arpa domain applies to all TCP/IP networks that are based on Internet Protocol
version 4 (IPv4) addressing. The New Zone Wizard automatically assumes that you are using this
domain when you create a new reverse lookup zone.
While you are running the New Zone Wizard, the following selections are recommended:
Configuration Items
Example values
Zone type
Network ID = 192.168.0.
Dynamic Updates
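As an added example (not part of the guide), the following Python derives the in-addr.arpa reverse zone name from a network ID exactly as described above, builds the reversed PTR owner name for a host, and checks whether a given address falls inside that zone; the network ID and addresses are the guide's example values.

```python
import ipaddress

SUFFIX = ".in-addr.arpa"


def reverse_zone_name(network_id: str) -> str:
    """Reverse zone name for a network ID such as '192.168.0' or '192.168.0.'.

    One to three octets are accepted (a /8, /16 or /24 zone); the octets are
    reversed and the in-addr.arpa suffix appended, as the New Zone Wizard does.
    """
    octets = [o for o in network_id.strip().split(".") if o]
    if not 1 <= len(octets) <= 3:
        raise ValueError("network ID must have one to three octets")
    for o in octets:
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"bad octet {o!r} in network ID")
    return ".".join(reversed(octets)) + SUFFIX


def zone_to_network(zone: str) -> str:
    """Inverse of reverse_zone_name: '0.168.192.in-addr.arpa' -> '192.168.0.0/24'."""
    if not zone.endswith(SUFFIX):
        raise ValueError("not an in-addr.arpa zone")
    octets = list(reversed(zone[: -len(SUFFIX)].split(".")))
    prefix = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))          # pad host part with zeros
    return str(ipaddress.IPv4Network(".".join(octets) + f"/{prefix}", strict=True))


def ptr_name(ip: str) -> str:
    """Fully reversed PTR owner name for one IPv4 address."""
    addr = ipaddress.IPv4Address(ip)              # validates the address
    return ".".join(reversed(str(addr).split("."))) + SUFFIX


def ptr_in_zone(ip: str, network_id: str) -> bool:
    """True if the host's PTR record belongs in the zone for network_id."""
    return ptr_name(ip).endswith("." + reverse_zone_name(network_id))


if __name__ == "__main__":
    zone = reverse_zone_name("192.168.0")         # guide's example Network ID
    print(zone, "covers", zone_to_network(zone))
    print(ptr_name("192.168.0.3"), "in zone:", ptr_in_zone("192.168.0.3", "192.168.0"))
```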
Create user accounts in AD DS. Each user must have an Active Directory Domain Services
user account in Active Directory Users and Computers. For more information, see Create a
User Account in Active Directory Users and Computers.
Ensure IP address configuration. To join a computer to the domain, the computer must have
an IP address. In this guide, servers are configured with static IP addresses and client
computers receive IP address leases from the DHCP server. For this reason, the DHCP
server must be deployed before you join clients to the domain. For more information, see
Install Dynamic Host Configuration Protocol (DHCP).
Join the computer to the domain. Any computer that provides or accesses network resources
must be joined to the domain. For more information, see Join the Computer to the Domain.
On smaller networks, a single WINS server can adequately service up to 10,000 clients for
NetBIOS name resolution requests. To provide additional fault tolerance, you can configure a
second computer running Windows Server 2008 as a secondary, or backup, WINS server
for clients. If you use only two WINS servers, you can easily configure them as replication
partners. For simple replication between two servers, one server should be set as a pull
partner and the other as a push partner. Replication can be either manual or automatic.
Large networks sometimes require more WINS servers for several reasons including, most
importantly, the number of client connections per server. The number of users that each
WINS server can support varies with usage patterns, data storage, and the processing
capabilities of the WINS server computer.
When planning your servers, remember that each WINS server can simultaneously handle
hundreds of registrations and queries per second.
Configure routers to forward DHCP broadcast messages across subnets and configure
multiple scopes on the DHCP server, one scope per subnet.
In most cases, configuring routers to forward DHCP broadcast messages is more cost effective
than deploying a DHCP server on each physical segment of the network.
A range of IP addresses from which to include or exclude addresses used for DHCP service
lease offerings.
Lease duration values, which are assigned to DHCP clients that receive dynamically
allocated IP addresses.
Any DHCP scope options configured for assignment to DHCP clients, such as DNS server IP
address, router/default gateway IP address, and WINS server IP address.
Reservations are optionally used to ensure that a DHCP client always receives the same IP
address.
Before deploying your servers, list your subnets and the IP address range you want to use for
each subnet.
This subnet mask number is 16 one-bits followed by 16 zero-bits, indicating that the network ID
and host ID sections of this IP address are both 16 bits in length. Normally, this subnet mask is
displayed in dotted decimal notation as 255.255.0.0.
The following table displays subnet masks for the Internet address classes.
Address class   Subnet mask (binary)                    Subnet mask (dotted decimal)
Class A         11111111 00000000 00000000 00000000     255.0.0.0
Class B         11111111 11111111 00000000 00000000     255.255.0.0
Class C         11111111 11111111 11111111 00000000     255.255.255.0
When you create a scope in DHCP and you enter the IP address range for the scope, DHCP
provides these default subnet mask values. Typically, default subnet mask values (as shown in
the preceding table) are acceptable for most networks with no special requirements and where
each IP network segment corresponds to a single physical network.
In some cases, you can use customized subnet masks to implement IP subnetting. With IP
subnetting, you can subdivide the default host ID portion of an IP address to specify subnets,
which are subdivisions of the original class-based network ID.
By customizing the subnet mask length, you can reduce the number of bits that are used for the
actual host ID.
To prevent addressing and routing problems, you should make sure that all TCP/IP computers on
a network segment use the same subnet mask and that each computer or device has a unique
IP address.
Example values:
192.168.0.1
192.168.0.15
of new devices that you might want to add in the future. With this exclusion range, the DHCP
server is left with an address pool of 192.168.0.16 through 192.168.0.254.
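As an added example (not part of the guide), the following Python applies the subnet mask and exclusion range reasoning above to a planning table: it derives the class-based default mask, checks that static hosts share the gateway's subnet and use RFC 1918 addresses, and computes the pool left to DHCP after the exclusion range. The host names and addresses in the sample plan are constructed from the guide's example values.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the planning section of this guide.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask to prefix length; non-contiguous masks are rejected."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def mask_binary(mask: str) -> str:
    """Render a mask as four 8-bit groups, as in the guide's class table."""
    return " ".join(format(int(o), "08b") for o in mask.split("."))


def default_class_mask(ip: str) -> str:
    """Class-based default mask DHCP proposes for a scope's address range."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "255.0.0.0"         # class A: leading bit 0
    if first < 192:
        return "255.255.0.0"       # class B: leading bits 10
    if first < 224:
        return "255.255.255.0"     # class C: leading bits 110
    raise ValueError("no default subnet mask for class D/E addresses")


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses have the same network ID under this mask."""
    prefix = mask_to_prefix(mask)
    net_a = ipaddress.IPv4Network(f"{ip_a}/{prefix}", strict=False)
    net_b = ipaddress.IPv4Network(f"{ip_b}/{prefix}", strict=False)
    return net_a == net_b


def dhcp_pool(network: str, mask: str, excl_start: str, excl_end: str):
    """(first, last, count) of addresses left for leasing after the exclusion
    range; network and broadcast addresses are never part of the pool."""
    net = ipaddress.IPv4Network(f"{network}/{mask_to_prefix(mask)}", strict=True)
    lo, hi = ipaddress.IPv4Address(excl_start), ipaddress.IPv4Address(excl_end)
    if lo > hi or lo not in net or hi not in net:
        raise ValueError("exclusion range must lie inside the scope's subnet")
    usable = [a for a in net.hosts() if not lo <= a <= hi]
    if not usable:
        return None
    return str(usable[0]), str(usable[-1]), len(usable)


def check_static_plan(hosts: dict, mask: str, gateway: str) -> list:
    """Findings for a static IP plan: duplicate addresses, non-RFC 1918
    addresses, and hosts not on the default gateway's subnet."""
    findings, seen = [], {}
    for name, ip in hosts.items():
        if ip in seen:
            findings.append(f"{name} duplicates {seen[ip]} at {ip}")
        seen.setdefault(ip, name)
        if not is_rfc1918(ip):
            findings.append(f"{name} ({ip}) is not in an RFC 1918 range")
        if not same_subnet(ip, gateway, mask):
            findings.append(f"{name} ({ip}) is not on the gateway's subnet")
    return findings


if __name__ == "__main__":
    # Constructed plan using the guide's example subnet and server names.
    mask = default_class_mask("192.168.0.1")
    print("mask", mask, "=", mask_binary(mask), "=", f"/{mask_to_prefix(mask)}")
    plan = {"AD-DNS-01": "192.168.0.1", "DHCP-01": "192.168.0.2",
            "WINS-01": "192.168.0.1"}            # deliberate duplicate
    print(check_static_plan(plan, mask, "192.168.0.10"))
    print(dhcp_pool("192.168.0.0", mask, "192.168.0.1", "192.168.0.15"))
```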
Additional example configuration items for AD DS and DNS are provided in the following table.
Configuration items:
Example values:
AD-DNS-01
192.168.0.1
192.168.0.6
192.168.0.2
192.168.0.12
Note
Specify the IP address of your alternate
WINS server only if an alternate WINS
server is deployed on the network.
Add Scope dialog box values:
Scope Name: Primary Subnet
Starting IP Address: 192.168.0.1
Ending IP Address: 192.168.0.254
Subnet Mask: 255.255.255.0
192.168.0.11
Subnet Type
Not enabled
Plan the user accounts database. By default, if you join the server running NPS to an Active
Directory domain, NPS performs authentication and authorization using the AD DS user
accounts database. In some cases, such as with large networks that use NPS as a RADIUS
proxy to forward connection requests to other RADIUS servers, you might want to install NPS
on a non-domain member computer.
Plan the use of Network Access Protection (NAP). With some NAP enforcement methods, it
is required that you install NPS on a specific server. For example, if you deploy NAP with
DHCP, NPS must be installed on the DHCP server.
Plan RADIUS accounting. NPS allows you to log accounting data to a SQL Server database
or to a text file on the local computer. If you want to use SQL Server logging, plan the
installation and configuration of your server running SQL Server.
On each server computer running Windows Server 2008, create a password for the
Administrator account. Upon installation of Windows Server 2008, you are required to create
a password for the Administrator account. If you have already created a password and want
to change it, see Change the Administrator Password.
You can use the following sections to perform these actions for each server.
Windows Vista
Windows XP
local computer.
11. Click OK, and then click Close.
Windows Server 2003
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To configure a static IP address on a computer running Windows Server 2003
1. Click Start, click Control Panel, right-click Network Connections, and then click Open.
2. In Network Connections, right-click the network connection that you want to configure,
and then click Properties.
3. In Local Area Connection Properties, in This Connection uses the following Items,
select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol
(TCP) Properties dialog box opens.
4. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use
the following IP address. In IP address, type the IP address that you want to use.
5. In Subnet mask, either accept the default subnet mask, or type the subnet mask that you
want to use.
6. In Default gateway, type the IP address of your default gateway.
7. In Preferred DNS server, type the IP address of your DNS server.
8. In Alternate DNS Server, type the IP address of your alternate DNS server, if any.
9. Click OK, and then click Close.
Deploying AD-DNS-01
To deploy AD-DNS-01, which is the computer running Active Directory Domain Services (AD DS)
and DNS, you must complete these steps in the following order:
Add a Group
Administrative privileges
If you are installing a small network and are the only administrator for the network, it is
recommended that you create a user account for yourself, and then add your user account as a
member of both Enterprise Admins and Domain Admins. Doing so will make it easier for you to
act as the administrator for all network resources. It is also recommended that you log on with this
account only when you need to perform administrative tasks, and that you create a separate user
account for performing non-IT related tasks.
If you have a larger organization with multiple administrators, refer to AD DS documentation to
determine the best group membership for organization employees.
Domain user accounts vs. user accounts on the local computer
One of the advantages of a domain-based infrastructure is that you do not need to create user
accounts on each computer in the domain. This is true whether the computer is a client computer
or a server.
Because of this, you should not create user accounts on each computer in the domain. Create all
user accounts in Active Directory Users and Computers and use the preceding procedures to
assign group membership. By default, all user accounts are members of the Domain Users
group.
After you have joined a computer to the domain, members of the Domain Users group can log on
to any domain member client computer.
Note
Members of the Domain Users group cannot log on to computers running
Windows Server 2008.
You can configure user accounts to designate the days and times that the user is allowed to log
on to the computer. You can also designate which computers each user is allowed to use. To
configure these settings, open Active Directory Users and Computers, locate the user account
that you want to configure, and double-click the account. In the user account Properties, click the
Account tab, and then click either Logon Hours or Log On To.
Type folder locations that you want to use for Database folder, Log files folder, and
SYSVOL folder.
Add a Group
You can use this procedure to create a new group in Active Directory Users and Computers
Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To add a group
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, right-click the folder in which you want to add a new group.
Where?
Domain local
Global
Universal
Security
Distribution
7. Click OK.
Active Directory Users and Computers/domain node/folder that contains the group
3. In the details pane, right-click the group to which you want to add a member, and then
click Properties. The group Properties dialog box opens. Click the Members tab.
Primary zone
Secondary zone
Stub zone
6. If your DNS server is a writeable domain controller, select Store the zone in Active
Directory.
7. Click Next.
8. In Active Directory Zone Replication Scope, select one of the following:
9. Click Next.
10. In the first Reverse Lookup Zone Name page, select one of the following:
Important
To join a computer to a domain, you must be logged on to the computer with the local
Administrator account or, if you are logged on to the computer with a user account that
does not have local computer administrative credentials, you must provide the credentials
for the local Administrator account during the process of joining the computer to the
domain. In addition, you must have a user account in the domain to which you want to
join the computer. During the process of joining the computer to the domain, you will be
prompted for your domain account credentials (user name and password).
Windows Server 2008 and Windows Vista
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2008 and Windows Vista to the domain
1. Log on to the computer with the local Administrator account.
2. Click Start, right-click Computer, and then click Properties. The System dialog box
opens.
3. In Computer name, domain, and workgroup settings, click Change settings. The
System Properties dialog box opens.
Note
On computers running Windows Vista, before the System Properties dialog
box opens, the User Account Control dialog box opens, requesting permission
to continue. Click Continue to proceed.
4. Click Change. The Computer Name/Domain Changes dialog box opens.
5. In Computer Name, in Member of, select Domain, and then type the name of the
domain you want to join. For example, if the domain name is example.com, type
example.com.
6. Click OK. The Windows Security dialog box opens.
7. In Computer Name/Domain Changes, in User name, type the user name, and in
Password, type the password, and then click OK. The Computer Name/Domain
Changes dialog box opens, welcoming you to the domain. Click OK.
8. The Computer Name/Domain Changes dialog box displays a message indicating that
you must restart the computer to apply the changes. Click OK.
9. On the System Properties dialog box, on the Computer Name tab, click Close. The
Microsoft Windows dialog box opens, and displays a message, again indicating that
you must restart the computer to apply the changes. Click Restart Now.
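The join procedure above done from a script, with a check on the result before the restart. This is an added example, not from the guide. It assumes Windows PowerShell 2.0 on the computer (Add-Computer does not exist in PowerShell 1.0), an elevated prompt opened with the local Administrator account as the Important note requires, and an OU named OU=Member Servers that is an assumption for this example.

```powershell
# Added example (not from the guide): join a Windows Server 2008 or Windows
# Vista computer to example.com, then confirm the computer account landed in
# the intended OU. Assumes PowerShell 2.0 and an elevated local Administrator prompt.

$Domain   = 'example.com'
$TargetOU = 'OU=Member Servers,DC=example,DC=com'   # assumed OU; use your own

# Prompt for the domain account instead of embedding it in the script. Use an
# account delegated "Create Computer objects" on $TargetOU rather than a Domain
# Admins account: the join needs nothing more, and by default any authenticated
# user may join up to ten computers (ms-DS-MachineAccountQuota), which is why
# Domain Users is the stated minimum. Enter the name as EXAMPLE\User-01.
$cred = Get-Credential
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$') {
    throw 'Enter the user name in the form domain\user, for example example\User-01'
}

# Steps 5 to 7 of the procedure: domain name, then the domain credentials.
Add-Computer -DomainName $Domain -Credential $cred -OUPath $TargetOU -ErrorAction Stop

# Before restarting, confirm the computer object exists under $TargetOU by
# searching AD DS with the same credentials. The secure channel itself is only
# set up after the restart; check it then with: nltest /sc_query:example.com
$root = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
    -ArgumentList "LDAP://$Domain/$TargetOU", $cred.UserName, $cred.GetNetworkCredential().Password
$filter   = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
    -ArgumentList $root, $filter
if ($searcher.FindOne() -eq $null) {
    throw "No computer account named $env:COMPUTERNAME found under $TargetOU"
}

# Steps 8 and 9: the change takes effect only after a restart.
Restart-Computer -Confirm
```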
Windows Server 2003 and Windows XP
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2003 and Windows XP to the domain
1. Click Start, right-click My Computer, and then click Properties. The System Properties
5. In Password, type your domain password, and then click the arrow, or press ENTER.
Windows Server 2003 and Windows XP
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2003 and Windows XP
1. Log off the computer, or restart the computer.
2. Press CTRL + ALT + DELETE. The Log On to Windows dialog box appears.
3. If Log on to is not displayed, click Options.
4. In Log on to, in the drop down list, select your domain. For example, in the example.com
domain, select EXAMPLE.
5. Type your domain and user name in the format domain\user. For example, to log on to
the example.com domain with an account named User-01, type example\User-01.
6. In Password, type your domain password, and then press ENTER.
Perform the steps in the section Joining Computers to the Domain and Logging On.
To deploy WINS-01, which is the computer running Windows Internet Name Service (WINS), you
must complete this step:
Next.
3. In Confirm installation selections, click Install.
4. In Installation Results, review your installation results, and then click Close.
Deploying DHCP-01
Before deploying this component of the foundation network, you must do the following:
Perform the steps in the section Joining Computers to the Domain and Logging On.
Activate the scope or scopes that you configure during installation unless you have reason
not to do so. For example, if you plan to create an exclusion range for the scope so that some
IP addresses are available for statically configured devices, you might not want to activate
the scope until after you have created the exclusion range. After you activate a scope, it is
configured to function without additional configuration after the installation process is
complete. If you choose not to activate a scope during installation, however, you can activate
the scope after DHCP is installed by using the DHCP Microsoft Management Console (MMC)
and the procedure Activate a DHCP Scope.
Authorize the DHCP server in Active Directory Domain Services (AD DS) during installation
unless you have reason not to do so. If you authorize the server during installation, the server
is configured to function without additional configuration after the installation process is
complete. If you choose not to authorize the DHCP server during installation, however, you
can authorize the server after DHCP is installed by using the DHCP MMC and the procedure
Authorize a DHCP Server in Active Directory Domain Services.
Do not enable Configure DHCPv6 Stateless Mode unless you plan to use Internet Protocol
version 6 (IPv6) on your network, either alongside IPv4 or in place of it.
Deploying DHCP
To deploy DHCP-01, which is the computer running the Dynamic Host Configuration Protocol
(DHCP) server role, you must complete these steps in the following order:
If you plan to deploy Windows Internet Name Service (WINS) on your network, it is
recommended that you perform the steps in the section Deploying WINS-01 (optional) before
installing DHCP.
If you chose not to perform the following actions during DHCP installation, you can perform them
after DHCP is installed:
After DHCP is installed, you can add more scopes to the server configuration:
If you do not have WINS servers on your network, select WINS is not required for
applications on this network.
If one or more WINS servers are deployed on your network, select WINS is required
for applications on this network. In Preferred WINS server IP address, type the
IPv4 address of your preferred WINS server. In Alternate WINS server IP Address,
type the IPv4 address of your alternate WINS server, if any, and then click Next.
9. In Add or Edit DHCP Scopes, click Add. The Add Scope dialog box opens.
10. In the Add Scope dialog box, type values for all required items, and in Subnet Type,
select either Wired (a six-day lease) or Wireless (an eight-hour lease), depending on the
IP address lease duration that you prefer, and then do one of the following:
To manually activate the scope later, use the DHCP Microsoft Management Console
(MMC).
11. Click OK. This returns you to the Add or Edit DHCP Scopes page. If your network has
multiple subnets that are serviced by this DHCP server, add scopes for each subnet
using steps 9 and 10. Click Next.
12. In Configure DHCPv6 Stateless Mode, select whether you want to configure the DHCP
server for DHCPv6 stateless operation, and then click Next.
13. In Authorize DHCP Server, do one of the following:
Select Use current credentials to authorize the DHCP server in Active Directory
Domain Services (AD DS) using the credentials supplied for the current session.
Select Skip authorization of this DHCP server in AD DS, and then click Next.
Note
Before your DHCP server can issue IP address leases, the DHCP server
must be authorized in AD DS.
14. In Confirm Installation Selections, review your selections, and then click Install.
15. In Installation Results, review your installation results, and then click Close.
If necessary, modify the values in Length or Subnet mask, as appropriate for your
addressing scheme.
d. Click Next.
8. In Add Exclusions, do the following:
a. In Start IP Address, type the IP address that is the first IP address in the exclusion
range. For example, type 10.10.10.1.
b. In End IP Address, type the IP address that is the last IP address in the exclusion
range. For example, type 10.10.10.15.
9. Click Add, and then click Next.
10. In Lease Duration, modify the default values for Days, Hours, and Minutes, as
appropriate for your network, and then click Next.
11. In Configure DHCP Options, select Yes, I want to configure these options now, and
then click Next.
12. In Router (Default Gateway), do one of the following:
In IP address, type the IP address of your router or default gateway. For example,
type 10.10.10.10. Click Add, and then click Next.
Click Resolve. The IP address of the DNS server is added in IP Address. Click
Add, and then click Next.
If you have one or more WINS servers deployed on your network, for each WINS
server: In Server name, type the name of the WINS server. For example, type
WINS-01. Click Resolve. The IP address of the WINS server is added in IP
Address. Click Add, and then click Next.
To automatically activate the scope immediately after the steps in the New Scope
Wizard are complete, select Yes, I want to activate this scope now.
To manually activate the scope later by using the DHCP MMC, select No I will
activate this scope later.
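The DHCP choices described above (authorization in AD DS, scope, exclusion range, options, activation) carried out with netsh dhcp, which ships with the DHCP Server role on Windows Server 2008. This is an added example, not from the guide. Values are the guide's example values and the planning-sheet addresses; it assumes an elevated prompt on DHCP-01 with an account in Enterprise Admins, which authorization in AD DS requires.

```powershell
# Added example (not from the guide): authorize DHCP-01, build the Primary
# Subnet scope with its exclusion range and options, and activate it last.
# Run elevated on DHCP-01 with an Enterprise Admins account.

$Server   = 'DHCP-01'
$Fqdn     = 'DHCP-01.example.com'
$ServerIp = '192.168.0.3'
$Scope    = '192.168.0.0'                    # scope ID = network address

function Invoke-Netsh {
    # Run one netsh command and stop on the first failure.
    $out = & netsh.exe @args 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($args -join ' ') failed:`n$out" }
    $out
}

# 1. Authorize the server in AD DS. Until this is done the DHCP Server service
#    on a domain-joined Windows server will not issue leases. The check binds
#    only Windows DHCP servers that are domain members; it does nothing against
#    a rogue DHCP server running other software, so do not rely on it alone.
Invoke-Netsh dhcp add server $Fqdn $ServerIp

# 2. Scope, address range, and the exclusion range that keeps the statically
#    addressed servers (AD-DNS-01, WINS-01, DHCP-01, NPS-01, the gateway) out
#    of the lease pool.
Invoke-Netsh dhcp server "\\$Server" add scope $Scope 255.255.255.0 'Primary Subnet'
Invoke-Netsh dhcp server "\\$Server" scope $Scope add iprange 192.168.0.1 192.168.0.254
Invoke-Netsh dhcp server "\\$Server" scope $Scope add excluderange 192.168.0.1 192.168.0.15

# 3. Scope options: 003 router, 006 DNS servers, 015 DNS domain name,
#    044 WINS server, 046 NetBIOS node type (8 = H-node: WINS first, then broadcast).
Invoke-Netsh dhcp server "\\$Server" scope $Scope set optionvalue 003 IPADDRESS 192.168.0.10
Invoke-Netsh dhcp server "\\$Server" scope $Scope set optionvalue 006 IPADDRESS 192.168.0.1 192.168.0.6
Invoke-Netsh dhcp server "\\$Server" scope $Scope set optionvalue 015 STRING example.com
Invoke-Netsh dhcp server "\\$Server" scope $Scope set optionvalue 044 IPADDRESS 192.168.0.2
Invoke-Netsh dhcp server "\\$Server" scope $Scope set optionvalue 046 BYTE 8

# 4. Activate only now, so the exclusion range is in place before the first lease.
Invoke-Netsh dhcp server "\\$Server" scope $Scope set state 1

# Checks: DHCP-01 appears in the list of authorized servers, and the scope is Active.
Invoke-Netsh dhcp show server
Invoke-Netsh dhcp server "\\$Server" show scope
```

Activating after the exclusion range exists is the same ordering the prerequisites above recommend for the wizard; a scope that is activated first can hand out 192.168.0.1 to a client before the exclusion is added, and the client will then collide with AD-DNS-01.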
Perform the steps in the section Joining Computers to the Domain and Logging On.
To deploy NPS-01, which is the computer running the Network Policy Server (NPS) role service
of the Network Policy and Access Services server role, you must complete this step:
Active Directory Domain Services in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=96418
Domain Name System (DNS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=93215
Dynamic Host Configuration Protocol (DHCP) in the Windows Server 2008 Technical Library,
at http://go.microsoft.com/fwlink/?LinkId=96419
Network Policy Server (NPS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=104545 and Network Policy Server at
http://go.microsoft.com/fwlink/?LinkId=93758
Windows Internet Name Service (WINS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=103331
Appendix A
You can use this Network Planning Preparation Sheet to gather the information required to install
a foundation network. This topic provides tables that contain the individual configuration items for
each server computer for which you must supply information or specific values during the
installation or configuration process. Example values are provided for each configuration item.
For planning and tracking purposes, spaces are provided in each table for you to enter the values
used for your deployment. If you record security-related values in these tables, such as the
Administrator password, store the completed sheet in a secure location: anyone who can read it
can log on as Administrator to every server in the foundation network.
Pre-installation configuration items for AD-DNS-01
The following three tables list pre-installation configuration items as described in Configuring All
Servers:

Configuration items          Example values        Values
Administrator password       J*p2leO4$F

Configuration items          Example values        Values
IP address                   192.168.0.1
Subnet mask                  255.255.255.0
Default gateway              192.168.0.10
Preferred DNS server         192.168.0.1
Alternate DNS server         192.168.0.6

Configuration item           Example value         Value
Computer name                AD-DNS-01

Installation configuration items for AD DS
Configuration items          Example values        Values
Domain name                  example.com
Folder location              E:\Configuration\
Folder location              E:\Configuration\
Folder location              E:\Configuration\

Configuration items          Example values        Values
Password                     J*p2leO4$F
Answer file name             AD DS_AnswerFile

Installation configuration items for DNS
Configuration items                  Example values            Values
Zone type                            Primary zone
                                     Secondary zone
                                     Stub zone
Store the zone in Active Directory   Selected / Not selected
(IP type)
(network ID)                         192.168.0
Pre-installation configuration items for WINS-01
The following three tables list pre-installation configuration items as described in Configuring All
Servers:

Configuration items          Example values        Values
Administrator password       J*p2leO4$F

Configuration items          Example values        Values
IP address                   192.168.0.2
Subnet mask                  255.255.255.0
Default gateway              192.168.0.10
Preferred DNS server         192.168.0.1
Alternate DNS server         192.168.0.6

Configuration item           Example value         Value
Computer name                WINS-01
Installing DHCP
The tables in this section list configuration items for pre-installation and installation of DHCP.
Pre-installation configuration items for DHCP
The following three tables list pre-installation configuration items as described in Configuring All
Servers:

Configuration items          Example values        Values
Administrator password       J*p2leO4$F

Configuration items          Example values        Values
IP address                   192.168.0.3
Subnet mask                  255.255.255.0
Default gateway              192.168.0.10
Preferred DNS server         192.168.0.3
Alternate DNS server         192.168.0.6

Configuration item           Example value         Value
Computer name                DHCP-01

Installation configuration items for DHCP
Configuration items                  Example values        Values
DNS server                           AD-DNS-01
Preferred DNS server IPv4 address    192.168.0.1
Alternate DNS server IPv4 address    192.168.0.6
Preferred WINS server IP address     192.168.0.2
Alternate WINS server IP address     192.168.0.12

Configuration items                  Example values        Values
Scope name                           Primary Subnet
Starting IP address                  192.168.0.1
Ending IP address                    192.168.0.254
Subnet mask                          255.255.255.0
Default gateway                      192.168.0.10
Subnet type
Configure DHCPv6 Stateless Mode      Not enabled

Configuration items                  Example values        Values
Scope name                           Primary Scope
Scope description
Add Exclusions: Start IP address     192.168.0.1
Add Exclusions: End IP address       192.168.0.15

Configuration items                  Example values        Values
Scope name                           Subnet-02
Scope description
IP address range: Start IP address   10.10.10.1
IP address range: End IP address     10.10.10.254
Length
Subnet mask                          255.0.0.0
Add Exclusions: Start IP address     10.10.10.1

Configuration items                  Example values        Values
Lease duration: Days
Lease duration: Hours
Lease duration: Minutes
Router (default gateway) IP address  10.10.10.10
DNS parent domain                    example.com
DNS server IP address                192.168.0.1
WINS server IP address               192.168.0.2
Pre-installation configuration items for NPS-01
The following three tables list pre-installation configuration items as described in Configuring All
Servers:

Configuration items          Example values        Values
Administrator password       J*p2leO4$F

Configuration items          Example values        Values
IP address                   192.168.0.4
Subnet mask                  255.255.255.0
Default gateway              192.168.0.10
Preferred DNS server         192.168.0.1
Alternate DNS server         192.168.0.6

Configuration item           Example value         Value
Computer name                NPS-01