Foundation Network Guide

Microsoft Corporation
Published: November, 2007
Authors: James McIllece and Brit Weston
Editor: Allyson Adley
Technical Contributors: Shyam Seshadri

Abstract
The Windows Server 2008 Foundation Network Guide provides instructions on how to plan and
deploy the core components required for a fully functioning network and a new Active Directory
domain in a new forest. Using this guide, you can deploy computers configured with the following
Windows server components:

The Active Directory Domain Services (AD DS) server role

The Domain Name System (DNS) server role

The Dynamic Host Configuration Protocol (DHCP) server role

The Network Policy Server (NPS) role service of the Network Policy and Access Services
server role

The Windows Internet Name Service (WINS) feature

Transmission Control Protocol/Internet Protocol version 4 (TCP/IP) connections on individual

servers

This guide also serves as a foundation for companion guides that show you how to deploy
additional network technologies in Windows Server 2008.

The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Contents
Windows Server 2008 Foundation Network Guide ......................................................................... 5
Foundation Network Overview ..................................................................................................... 9
Foundation Network Planning .................................................................................................... 11
Foundation Network Deployment ............................................................................................... 22
Configuring All Servers ........................................................................................................... 22
Change the Administrator Password ................................................................................... 23
Rename the Computer ........................................................................................................ 25
Configure a Static IP Address ............................................................................................. 26
Deploying AD-DNS-01 ............................................................................................................ 27
Install AD DS and DNS for a New Forest ............................................................................ 28
Create a User Account in Active Directory Users and Computers ...................................... 30
Add a Group ........................................................................................................................ 30
Assign Group Membership .................................................................................................. 31
Configure a DNS Reverse Lookup Zone ............................................................................. 32
Joining Computers to the Domain and Logging On ................................................................ 33
Join the Computer to the Domain........................................................................................ 33
Log on to the Domain .......................................................................................................... 35
Deploying WINS-01 (optional) ................................................................................................ 36
Install Windows Internet Name Service (WINS) .................................................................. 36
Deploying DHCP-01................................................................................................................ 37
Install Dynamic Host Configuration Protocol (DHCP) ......................................................... 38
Create an Exclusion Range in DHCP.................................................................................. 40
Authorize a DHCP Server in Active Directory Domain Services ......................................... 40
Activate a DHCP Scope ...................................................................................................... 41
Create a New DHCP Scope ................................................................................................ 41
Deploying NPS-01 (optional) .................................................................................................. 42
Install Network Policy Server (NPS) .................................................................................... 43
Additional Technical Resources ................................................................................................. 43
Appendix A ................................................................................................................................. 44

Windows Server 2008 Foundation Network

Guide
A foundation network is a collection of network hardware, devices, and software that provides the
core services for your organization's information technology (IT) needs.
A Windows Server foundation network provides you with many benefits, including the following.

Core protocols for network connectivity between computers and other Transmission Control
Protocol/Internet Protocol (TCP/IP) compatible devices. TCP/IP is a suite of standard
protocols for connecting computers and building networks. TCP/IP is network protocol
software provided with Microsoft Windows operating systems that implements and
supports the TCP/IP protocol suite.

Automatic IP addressing with Dynamic Host Configuration Protocol (DHCP). Manual

configuration of IP addresses on all computers on your network is time-consuming and less
flexible than dynamically providing computers and other devices with IP address leases from
a DHCP server.

Name resolution services, such as Domain Name System (DNS) and Windows Internet
Name Service (WINS). DNS and WINS allow users, computers, applications, and services to
find the IP addresses of computers and devices on the network using the network basic
input/output system (NetBIOS) name or Fully Qualified Domain Name of the computer or
device.

A forest, which is one or more Active Directory domains that share the same class and
attribute definitions (schema), site and replication information (configuration), and forest-wide
search capabilities (global catalog).

A forest root domain, which is the first domain created in a new forest. The Enterprise Admins
and Schema Admins groups, which are forest-wide administrative groups, are located in the
forest root domain. In addition, a forest root domain, as with other domains, is a collection of
computer, user, and group objects that are defined by the administrator in Active Directory
Domain Services (AD DS). These objects share a common directory database and security
policies. They can also share security relationships with other domains if you add domains as
your organization grows. The directory service also stores directory data and allows
authorized computers, applications, and users to access the data.

A user and computer account database. The directory service provides a centralized user
accounts database that allows you to create user and computer accounts for people and
computers that are authorized to connect to your network and access network resources,
such as applications, databases, shared files and folders, and printers.

A foundation network also allows you to scale your network as your organization grows and IT
requirements change. For example, with a foundation network you can add domains, IP subnets,
remote access services, wireless services, and other features and server roles provided by
Windows Server 2008 and Windows Vista.
5

About this guide

This guide is designed for network and system administrators who are installing a new network or
who want to create a domain-based network to replace a network that consists of workgroups.
The deployment scenario provided in this guide is particularly useful if you foresee the need to
add more services and features to your network in the future.
It is recommended that you review design and deployment guides for each of the technologies
used in this deployment scenario to assist you in determining whether this guide provides the
services and configuration that you need.

Network hardware requirements

To successfully deploy a foundation network, you must deploy network hardware, including the
following:

Ethernet, Fast Ethernet, or Gigabyte Ethernet cabling

A hub, Layer 2 or 3 switch, router, or other device that performs the function of relaying
network traffic between computers and devices.

Computers that meet the minimum hardware requirements for their respective client and
server operating systems.
Note
This guide depicts the use of four server computers. In some cases, such as on small
networks, you can use fewer servers. For example, you can install DHCP and WINS on
the same server rather than on separate servers.

What this guide does not provide

This guide does not provide instructions for deploying the following:

Network hardware, such as cabling, routers, switches, and hubs

Additional network resources, such as printers and file servers

Internet connectivity

Remote access

Wireless access

Client computer deployment

Note
Client computers running Windows Vista and Windows XP are configured by default to
receive IP address leases from the DHCP server. Therefore, no additional DHCP or
Internet Protocol version 4 (IPv4) configuration of client computers is required.

Technology Overviews
The following sections provide brief overviews of the required and optional technologies used to
create a foundation network.

Active Directory Domain Services

A directory is a hierarchical structure that stores information about objects on the network. A
directory service, such as AD DS, provides the methods for storing directory data and making this
data available to network users and administrators. For example, AD DS stores information about
user accounts, such as names, passwords, phone numbers, and so on, and enables other
authorized users on the same network to access this information.

DNS
DNS is a name resolution protocol for TCP/IP networks, such as the Internet or an organization
network. A DNS server hosts the information that enables client computers to resolve easily
recognized, alphanumeric DNS names to the IP addresses that computers use to communicate
with each other.

DHCP
DHCP is an IP standard for simplifying management of host IP configuration. The DHCP standard
provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses
and other related configuration details for DHCP-enabled clients on your network.
Every computer on a TCP/IP network must have an unique IP address. The IP address (together
with its related subnet mask) identifies both the host computer and the subnet to which it is
attached. When you move a computer to a different subnet, the IP address must be changed.
DHCP allows you to dynamically assign an IP address to a client from a DHCP server IP address
database on your local network.
For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work
involved in reconfiguring computers.

WINS (optional)
While DNS is a required component of a foundation network, WINS is optional because, like
DNS, it is a naming service. In some cases, you might not need both DNS and WINS, but older
operating systems and applications might require WINS. For medium to small networks, WINS is
extremely easy to install and manage, and it is not resource-intensive. If you are in doubt about
whether you need WINS, you can test your network functionality without it and install it if needed.
WINS provides a distributed database for registering and querying dynamic mappings of NetBIOS
names for computers and groups used on your network. WINS maps NetBIOS names to IP
addresses and was designed to solve the problems arising from NetBIOS name resolution in

routed environments. WINS is the best choice for NetBIOS name resolution in routed networks
that use NetBIOS over TCP/IP.
NetBIOS names are used by earlier versions of Windows operating systems to identify and locate
computers and other shared or grouped resources required to register or resolve names for use
on the network.
NetBIOS names are a requirement for establishing networking services in earlier versions of
Windows operating systems. Although the NetBIOS naming protocol can be used with network
protocols other than TCP/IP (such as NetBEUI or IPX/SPX), WINS was designed specifically to
support NetBIOS over TCP/IP (NetBT).
WINS simplifies the management of the NetBIOS namespace in TCP/IP-based networks.

NPS (optional)
Network Policy Server (NPS) allows you to centrally configure and manage network policies with
the following three features: Remote Authentication Dial-In User Service (RADIUS) server,
RADIUS proxy, and Network Access Protection (NAP) policy server.
NPS is an optional component of a foundation network, but you should install NPS if any of the
following are true:

You are planning to expand your network to include any remote access servers that are
compatible with the RADIUS protocol, such as a computer running Windows Server 2008 and
Routing and Remote Access service.

You plan to deploy NAP.

You plan to deploy 802.1X wired or wireless access.

TCP/IP
TCP/IP in Windows Server 2008 is the following:

Networking software based on industry-standard networking protocols.

A routable, enterprise networking protocol that supports the connection of your Windowsbased computer to both local area network (LAN) and wide area network (WAN)
environments.

Core technologies and utilities for connecting your Windows-based computer with dissimilar
systems for the purpose of sharing information.

A foundation for gaining access to global Internet services, such as the World Wide Web and
File Transfer Protocol (FTP) servers.

A robust, scalable, cross-platform, client/server framework.

TCP/IP provides basic TCP/IP utilities that enable Windows-based computers to connect and
share information with other Microsoft and non-Microsoft systems, including:

Windows Vista

Windows Server 2003 operating systems

Windows XP
8

Internet hosts

Apple Macintosh systems

IBM mainframes

UNIX systems

Open VMS systems

Network-ready printers, such as HP LaserJet series printers that use HP JetDirect cards

Foundation Network Overview

The following illustration shows the components of a foundation network.

Foundation Network Components

Following are the components of a foundation network.

10

Router
This deployment guide provides instructions for deploying a foundation network with two subnets
separated by a router that has DHCP forwarding enabled. You can, however, deploy a Layer 2
switch, a Layer 3 switch, or a hub, depending on your requirements and resources. If you deploy
a switch, the switch must be capable of DHCP forwarding or you must place a DHCP server on
each subnet. If you deploy a hub, you are deploying a single subnet and do not need DHCP
forwarding or a second scope on your DHCP server.
Static TCP/IP configurations
All of the servers in this deployment are configured with static IPv4 addresses. Client computers
are configured by default to receive IP address leases from the DHCP server.
Global catalog and DNS server
Both Active Directory Domain Services (AD DS) and Domain Name System (DNS) are installed
on this server, providing directory and name resolution services to all computers and devices on
the network.
WINS server (optional)
Installing Windows Internet Name Service (WINS) on your foundation network is optional. It is
often difficult to determine whether applications and services require WINS for name resolution.
In some cases, you might need WINS; in other cases, DNS might be the only name resolution
service that you need on your network. Because WINS is low maintenance and is not processoruse intensive for medium and small networks, you can install WINS on the DHCP server in the
event that applications or services need the service.
DHCP server
The Dynamic Host Configuration Protocol (DHCP) server is configured with a scope that provides
Internet Protocol (IP) address leases to computers on the local subnet. The DHCP server can
also be configured with additional scopes to provide IP address leases to computers on other
subnets if DHCP forwarding is configured on routers.
NPS server (optional)
The Network Policy Server (NPS) server is installed as a preparatory step for deploying other
network access technologies, such as virtual private network (VPN) servers, wireless access
points, and 802.1X authenticating switches. In addition, installing NPS prepares your network for
the deployment of Network Access Protection (NAP).
Client computers
Client computers running Windows Vista and Windows XP are configured by default as DHCP
clients, which obtain IP addresses and DHCP options automatically from the DHCP server.

Foundation Network Planning

Before you deploy a foundation network, you must plan the following items.
11

Planning subnets

Planning basic configuration of all servers

Planning the deployment of AD-DNS-01

Planning domain access

Planning the deployment of WINS-01

Planning the deployment of DHCP-01

Planning the deployment of NPS-01

The following sections provide more detail on each of these items.

Planning subnets
In Transmission Control Protocol/Internet Protocol (TCP/IP) networking, routers are used to
interconnect the hardware and software used on different physical network segments called
subnets. Routers are also used to forward IP packets between each of the subnets. Determine
the physical layout of your network, including the number of routers and subnets you need, before
proceeding with the instructions in this guide.
In addition, to configure the servers on your network with static IP addresses, you must determine
the IP address range that you want to use for the subnet where your foundation network servers
are located. In this guide, the private IP address range 192.168.1.1 - 192.168.0.254 is used as an
example, but you can use any private IP address range.
The following recognized private IP address ranges are specified by Internet Request for
Comments (RFC) 1918:

10.0.0.0 10.255.255.255

172.16.0.0 172.31.255.255

192.168.0.0 192.168.255.255

When you use the private IP address ranges as specified in RFC 1918, you cannot connect
directly to the Internet using a private IP address because requests going to or from these
addresses are automatically discarded by Internet service provider (ISP) routers. To add Internet
connectivity to your foundation network later, you must contract with an ISP to obtain a public IP
address.
Important
When using private IP addresses, you must use some type of proxy or network address
translation (NAT) server to convert the private IP address ranges on your local network to
a public IP address that can be routed.
For more information, see Planning the deployment of DHCP-01.

12

Planning basic configuration of all servers

For each server in the foundation network, you must change the password for the Administrator
account on the local computer, rename the computer, and assign and configure a static IP
address for the local computer.

Planning the Administrator account password

For security reasons, it is important to create a password for the Administrator account and to use
a strong password. In addition, it is recommended that you use a different Administrator account
password for each server on your network.
The following is an example of a strong password.
Configuration item:

Example value:

Administrator password

Example: J*p2leO4$F
Note
Strong passwords contain a minimum
of 7 characters that consist of each of
the following: uppercase letters (A, B,
C, lowercase letters (d, e, f), numerals
(0, 1, 2, 3), and keyboard symbols (' ~ !
@ # $ % | /).

Planning naming conventions for computers and devices

For consistency across your network, it is generally a good idea to use consistent names for
servers, printers, and other devices. Computer names can be used to help users and
administrators easily identify the purpose and location of the server, printer, or other device. For
example, if you have three DNS servers, one in San Francisco, one in Los Angeles, and one in
Chicago, you might use the naming convention server function-location-number:

DNS-SF-01. This name represents the DNS server in San Francisco. If additional DNS
servers are added in San Francisco, the numeric value in the name can be incremented, as
in DNS-SF-02 and DNS-SF-03.

DNS-LA-01. This name represents the DNS server in Los Angeles.

DNS-CH-01. This name represents the DNS server in Chicago.

Choose a naming convention before you install your foundation network using this guide.

Planning static IP addresses

Before configuring each computer with a static IP address, you must plan your subnets and IP
address ranges. In addition, you must determine the IP addresses of your DNS and WINS
servers. If you plan to install a router that provides access to other networks, such as additional
13

subnets or the Internet, you must know the IP address of the router, also called a default
gateway, for static IP address configuration.
The following table provides example values for static IP address configuration.
Configuration items:

Example values:

IP address

192.168.0.3

Subnet mask

255.255.255.0

Default gateway

192.168.0.10

Preferred DNS server

192.168.0.1

Alternate DNS server

192.168.0.7

Preferred WINS server

192.168.0.2

Alternate WINS server

192.168.0.8

For more information, see Planning the deployment of DHCP-01.

Planning the deployment of AD-DNS-01

Following are key planning steps before installing Active Directory Domain Services (AD DS) and
DNS on AD-DNS-01.

Planning the name of the forest root domain

A first step in the AD DS design process is to determine how many forests your organization
requires. A forest is the top-level AD DS container, and consists of one or more domains that
share a common schema and global catalog. An organization can have multiple forests, but for
most organizations, a single forest design is the preferred model and the simplest to administer.
When you create the first domain controller in your organization, you are creating the first domain
(also called the forest root domain) and the first forest. Before you take this action using this
guide, however, you must determine the best domain name for your organization. In most cases,
the organization name is used as the domain name, and in many cases this domain name is
registered. If you are planning to deploy Web servers for your customers or partners, choose a
domain name and ensure that the domain name is not already in use.

Planning the forest functional level

While installing AD DS, you must choose the forest functional level that you want to use. Domain
and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to
enable domain- or forest-wide Active Directory features within your network environment.
Different levels of domain functionality and forest functionality are available, depending on your
environment.
14

Forest functionality enables features across all the domains in your forest. The following forest
functional levels are available:

Windows 2000. This forest functional level supports Windows NT 4.0, Windows 2000, and
Windows Server 2003 domain controllers.

Windows Server 2003. This forest functional level supports Windows Server 2003 domain
controllers only.

Windows Server 2008. This forest functional level supports Windows Server 2008 domain
controllers only.

If you are deploying a new domain in a new forest and all of your domain controllers will be
running Windows Server 2008, it is recommended that you configure AD DS with the Windows
Server 2008 forest functional level during AD DS installation.
Important
After the forest functional level has been raised, domain controllers running earlier
operating systems cannot be introduced into the forest. For example, if you raise the
forest functional level to Windows Server 2008, domain controllers running
Windows 2000 Server or Windows Server 2003 cannot be added to the forest.
Example configuration items for AD DS are provided in the following table.
Configuration items:

Example values:

Full DNS name

Examples:

example.com

corp.example.com

Forest functional level:

Windows Server 2003

Windows 2000

Windows Server 2008

The Windows 2000 forest functional level

provides all AD DS features that are available
in Windows 2000 Server. If you have domain
controllers running later versions of the
Windows Server operating system, some
advanced features will not be available on
those domain controllers while this forest is at
the Windows 2000 functional level.
Windows Server 2003
The Windows Server 2003 forest functional
level provides all features that are available in
Windows 2000 forest functional level, and the
following additional features:

Linked-value replication, which improves

the replication of changes to group
15

Configuration items:

Example values:

memberships.

More efficient generation of complex

replication topologies by the Knowledge
Consistency Checker (KCC).

Forest trust, which allows organizations to

easily share internal resources across
multiple forests. Any new domains that are
created in this forest will automatically
operate at the Windows Server 2003
domain functional level.

Windows Server 2008

This forest functional level does not provide any
new features over the Windows 2003 forest
functional level. However, it ensures that any
new domains created in this forest will
automatically operate at the Windows
Server 2008 domain functional level, which
does provide unique features.
Active Directory Domain Services Database
folder location

E:\Configuration\

Active Directory Domain Services Log files

folder location

E:\Configuration\

Active Directory Domain Services SYSVOL

folder location

E:\Configuration\

Directory Restore Mode Administrator

Password

J*p2leO4$F

Answer file name (optional)

AD DS_AnswerFile

Or accept the default location.

Or accept the default location.

Or accept the default location

Planning DNS zones

In DNS, a forward lookup zone is created by default during installation. A forward lookup zone
allows computers and devices to query for another computer's or device's IP address based on
its DNS name. In addition to a forward lookup zone, it is recommended that you create a DNS
reverse lookup zone. With a DNS reverse lookup query, a computer or device can discover the
name of another computer or device using its IP address. Deploying a reverse lookup zone
typically improves DNS performance and greatly increases the success of DNS queries.

16

When you create a reverse lookup zone, the in-addr.arpa domain, which was defined in the DNS
standards and reserved in the Internet DNS namespace to provide a practical and reliable way to
perform reverse queries, is installed in DNS. To create the reverse namespace, subdomains
within the in-addr.arpa domain are formed, using the reverse ordering of the numbers in the
dotted-decimal notation of IP addresses.
The in-addr.arpa domain applies to all TCP/IP networks that are based on Internet Protocol
version 4 (IPv4) addressing. The New Zone Wizard automatically assumes that you are using this
domain when you create a new reverse lookup zone.
While you are running the New Zone Wizard, the following selections are recommended:
Configuration Items

Example values

Zone type

Primary zone, and Store the zone in Active

Directory is selected

Active Directory Zone Replication Scope

To all DNS servers in this domain

First Reverse Lookup Zone Name wizard page

IPv4 Reverse Lookup Zone

Second Reverse Lookup Zone Name wizard

page

Network ID = 192.168.0.

Dynamic Updates

Allow only secure dynamic updates

Planning domain access

To log onto the domain, the computer must be a domain member computer and the user account
must be created in AD DS before the logon attempt.
Note
You cannot log on to the domain with a user account that is located in the Security
Accounts Manager (SAM) user accounts database on the local computer.
After the first successful logon with domain logon credentials, the logon settings persist unless
the computer is removed from the domain or the logon settings are manually changed.
Before you log on to the domain:

Create user accounts in AD DS. Each user must have an Active Directory Domain Services
user account in Active Directory Users and Computers. For more information, see Create a
User Account in Active Directory Users and Computers.

Ensure IP address configuration. To join a computer to the domain, the computer must have
an IP address. In this guide, servers are configured with static IP addresses and client
computers receive IP address leases from the DHCP server. For this reason, the DHCP
server must be deployed before you join clients to the domain. Fore more information, see
Install Dynamic Host Configuration Protocol (DHCP).

17

Join the computer to the domain. Any computer that provides or accesses network resources
must be joined to the domain. For more information, see Join the Computer to the Domain.

Planning the deployment of WINS-01

If you determine that you need to deploy WINS as well as DNS on your network, you must plan
how many WINS servers to deploy.

On smaller networks, a single WINS server can adequately service up to 10,000 clients for
NetBIOS name resolution requests. To provide additional fault tolerance, you can configure a
second computer running Windows Server 2008 as a secondary, or backup, WINS server
for clients. If you use only two WINS servers, you can easily configure them as replication
partners. For simple replication between two servers, one server should be set as a pull
partner and the other as a push partner. Replication can be either manual or automatic.

Large networks sometimes require more WINS servers for several reasons including, most
importantly, the number of client connections per server. The number of users that each
WINS server can support varies with usage patterns, data storage, and the processing
capabilities of the WINS server computer.

When planning your servers, remember that each WINS server can simultaneously handle
hundreds of registrations and queries per second.

Planning the deployment of DHCP-01

Following are key planning steps before installing the DHCP server role on DHCP-01.

Planning DHCP servers and DHCP forwarding

Because DHCP messages are broadcast messages, they are not forwarded between subnets by
routers. If you have multiple subnets and want to provide DHCP service for each subnet, you
must do one of the following:

Install a DHCP server on each subnet

Configure routers to forward DHCP broadcast messages across subnets and configure
multiple scopes on the DHCP server, one scope per subnet.

In most cases, configuring routers to forward DHCP broadcast messages is more cost effective
than deploying a DHCP server on each physical segment of the network.

Planning IP address ranges

Each subnet must have its own unique IP address range. These ranges are represented on a
DHCP server with scopes.
A scope is an administrative grouping of IP addresses for computers on a subnet that use the
DHCP service. The administrator first creates a scope for each physical subnet and then uses the
scope to define the parameters used by clients.
A scope has the following properties:
18

A range of IP addresses from which to include or exclude addresses used for DHCP service
lease offerings.

A subnet mask, which determines the subnet for a given IP address.

A scope name assigned when it is created.

Lease duration values, which are assigned to DHCP clients that receive dynamically
allocated IP addresses.

Any DHCP scope options configured for assignment to DHCP clients, such as DNS server IP
address, router/default gateway IP address, and WINS server IP address.

Reservations are optionally used to ensure that a DHCP client always receives the same IP
address.

Before deploying your servers, list your subnets and the IP address range you want to use for
each subnet.

Planning subnet masks

Network IDs and host IDs within an IP address are distinguished by using a subnet mask. Each
subnet mask is a 32-bit number that uses consecutive bit groups of all ones (1) to identify the
network ID and all zeroes (0) to identify the host ID portions of an IP address.
For example, the subnet mask normally used with the IP address 131.107.16.200 is the following
32-bit binary number:
11111111 11111111 00000000 00000000

This subnet mask number is 16 one-bits followed by 16 zero-bits, indicating that the network ID
and host ID sections of this IP address are both 16 bits in length. Normally, this subnet mask is
displayed in dotted decimal notation as 255.255.0.0.
The following table displays subnet masks for the Internet address classes.
Address class

Bits for subnet mask

Subnet mask

Class A

11111111 00000000
00000000 00000000

255.0.0.0

Class B

11111111 11111111
00000000 00000000

255.255.0.0

Class C

11111111 11111111
11111111 00000000

255.255.255.0

When you create a scope in DHCP and you enter the IP address range for the scope, DHCP
provides these default subnet mask values. Typically, default subnet mask values (as shown in
the preceding table) are acceptable for most networks with no special requirements and where
each IP network segment corresponds to a single physical network.

19

In some cases, you can use customized subnet masks to implement IP subnetting. With IP
subnetting, you can subdivide the default host ID portion of an IP address to specify subnets,
which are subdivisions of the original class-based network ID.
By customizing the subnet mask length, you can reduce the number of bits that are used for the
actual host ID.
To prevent addressing and routing problems, you should make sure that all TCP/IP computers on
a network segment use the same subnet mask and that each computer or device has an unique
IP address.

Planning exclusion ranges

You can exclude IP addresses from distribution by the DHCP server by creating an exclusion
range for each scope. You should use exclusions for all devices that are configured with a static
IP address. The excluded addresses should include all IP addresses that you assigned manually
to other servers, non-DHCP clients, diskless workstations, or Routing and Remote Access and
PPP clients.
It is recommended that you configure your exclusion range with extra addresses to accommodate
future network growth. The following table provides an example exclusion range for a scope with
an IP address range of 192.168.0.1 - 192.168.0.254.
Configuration items:

Example values:

Exclusion range Start IP Address

192.168.0.1

Exclusion range End IP Address

192.168.0.15

Planning TCP/IP static configuration

Certain devices, such as routers, DHCP servers, and DNS servers, must be configured with a
static IP address. In addition, you might have additional devices, such as printers, that you want
to ensure always have the same IP address. List the devices that you want to configure statically
for each subnet, and then plan the exclusion range you want to use on the DHCP server to
ensure that the DHCP server does not lease the IP address of a statically configured device. An
exclusion range is a limited sequence of IP addresses within a scope, excluded from DHCP
service offerings. Exclusion ranges assure that any addresses in these ranges are not offered by
the server to DHCP clients on your network.
For example, if the IP address range for a subnet is 192.168.0.1 through 192.168.0.254 and you
have ten devices that you want to configure with a static IP address, you can create an exclusion
range for the 192.168.0.x scope that includes ten or more IP addresses: 192.168.0.1 through
192.168.0.15.
In this example, you use ten of the excluded IP addresses to configure servers and other devices
with static IP addresses and five additional IP addresses are left available for static configuration

20

of new devices that you might want to add in the future. With this exclusion range, the DHCP
server is left with an address pool of 192.168.0.16 through 192.168.0.254.
Additional example configuration items for AD DS and DNS are provided in the following table.
Configuration items:

Example values:

Network Connect Bindings

Local Area Connection 2

DNS Server Settings

AD-DNS-01

Preferred DNS server IP address

192.168.0.1

Alternate DNS server IP Address

192.168.0.6

WINS Server Settings, specify the IP address

of your preferred WINS server, only if WINS is
deployed on the network.

192.168.0.2

Alternate WINS server IP Address

192.168.0.12

Note
Specify the IP address of your alternate
WINS server only if an alternate WINS
server is deployed on the network.
Add Scope dialog box values:

Primary Subnet

Scope Name:

192.168.0.1

Starting IP Address

192.168.0.254

Ending IP Address:

255.255.255.0

Subnet Mask

192.168.0.11

Default Gateway (optional)

Wired (Lease duration will be 6 days)

Subnet Type

IPv6 DHCP Server Operation Mode

Not enabled

Planning the deployment of NPS-01

If you intend to deploy network access servers, such as wireless access points or VPN servers,
after deploying your foundation network, it is recommended that you deploy NPS.
When you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server, NPS
performs authentication and authorization for connection requests through your network access
servers. NPS also allows you to centrally configure and manage network policies that determine
who can access the network, how they can access the network, and when they can access the
network.
Following are key planning steps before installing NPS.
21

Plan the user accounts database. By default, if you join the server running NPS to an Active
Directory domain, NPS performs authentication and authorization using the AD DS user
accounts database. In some cases, such as with large networks that use NPS as a RADIUS
proxy to forward connection requests to other RADIUS servers, you might want to install NPS
on a non-domain member computer.

Plan the use of Network Access Protection (NAP). With some NAP enforcement methods, it
is required that you install NPS on a specific server. For example, if you deploy NAP with
DHCP, NPS must be installed on the DHCP server.

Plan RADIUS accounting. NPS allows you to log accounting data to a SQL Server database
or to a text file on the local computer. If you want to use SQL Server logging, plan the
installation and configuration of your server running SQL Server.

Foundation Network Deployment

To deploy a foundation network, the basic steps are as follows:
1. Configuring All Servers
2. Deploying AD-DNS-01
3. Joining Computers to the Domain and Logging On
4. Deploying WINS-01 (optional)
5. Deploying DHCP-01
6. Deploying NPS-01 (optional)
Note
The procedures in this guide do not include instructions for those cases in which the User
Account Control dialog box opens to request your permission to continue. If this dialog
box opens while you are performing the procedures in this guide, and if the dialog box
was opened in response to your actions, click Continue.

Configuring All Servers

Before installing other technologies, such as DHCP or WINS, it is important to configure the
following items.

On each server computer running Windows Server 2008, create a password for the
Administrator account. Upon installation of Windows Server 2008, you are required to create
a password for the Administrator account. If you have already created a password and want
to change it, see Change the Administrator Password.

Rename the Computer

Configure a Static IP Address

You can use the following sections to perform these actions for each server.

22

Change the Administrator Password

You can use these procedures to change the password for the Administrator account on the local
computer running Windows Server 2008, Windows Vista, Windows Server 2003, and
Windows XP.
Procedures for changing Administrator passwords
This topic provides procedures to change the Administrator password on computers running the
following operating systems:

Windows Server 2008

Windows Vista

Windows Server 2003

Windows XP

Windows Server 2008

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To change the Administrator password in Windows Server 2008
1. Log on to the computer using the Administrator account.
2. Click Start, click Control Panel, and then double-click User Accounts.
3. In User Accounts, in Make changes to your user account, click Change your
password.
4. In Change your password, in Current Password, type your password.
5. In New password, type a new password.
6. In Confirm new password, retype the password.
7. In Type a password hint, type a word or phrase that will remind you of your password
or, optionally, leave this field blank.
8. Click Change password.
Windows Vista
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To change the Administrator password in Windows Vista
1. Log on to the computer using the Administrator account.
2. Click Start, click Control Panel, and then click User Accounts.
3. In User Accounts, click Add or remove user accounts. The User Account Control
dialog box opens, and requests your permission to continue. Click Continue.
4. In Choose the account you would like to change, select the account you want to
change, and then click Create a password.
Note
If you have previously created a password for the account, the text that appears
23

in this step is Change the password.

5. If Current password is displayed, in Current password, type the password that you
used when you logged on to the computer.
6. In New password, type a new password.
7. In Confirm new password, retype the password.
8. In Type a password hint, type a word or phrase that will remind you of your password
or, optionally, leave this field blank.
9. Click Create password or Change password.
Note
If this is the first time you have created a password for the Administrator account,
the text that appears in the last step is Create password. If you previously
created a password and are changing that password to a new one, the text that
appears in the last step is Change password.
Windows Server 2003
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To change the Administrator password in Windows Server 2003
1. Log on to the computer using the Administrator account.
2. Click Start, right-click Control Panel, and then click Open. Control Panel opens.
3. Double-click Computer Management, click Local Users and Groups, and in the details
pane, double-click Users. The Users folder opens.
4. In the details pane, right-click the account that you want to change, and click Set
Password. A warning dialog box opens. Read the information to determine whether you
want to proceed with the step to change the password.
5. In New Password, type a password. In Confirm password, retype the password, and
then click OK.
Windows XP
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To change the Administrator password in Windows XP
1. Log on to the computer using the Administrator account.
2. Click Start, click Control Panel, and then double-click User Accounts. The User
Accounts dialog box opens.
3. In User Name, select the account that you want to change, and then click Reset
Password. In New password, type a new password, and in Confirm new password,
retype the password, and then click OK.

24

Rename the Computer

You can use the procedures in this topic to provide computers running Windows Server 2008,
Windows Vista, Windows Server 2003, and Windows XP with a different computer name.
Procedures for renaming computers
This topic provides procedures to rename computers running the following operating systems:

Windows Server 2008 and Windows Vista

Windows Server 2003 and Windows XP

Windows Server 2008 and Windows Vista

Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To rename computers running Windows Server 2008 and Windows Vista
1. Click Start, right-click Computer, and then click Properties. The System dialog box
opens.
2. In Computer name, domain, and workgroup settings, click Change settings. The
System Properties dialog box opens.
Note
On computers running Windows Vista, before the System Properties dialog box
opens, the User Account Control dialog box opens, requesting permission to
continue. Click Continue to proceed.
3. Click Change. The Computer Name/Domain Changes dialog box opens.
4. In Computer Name, type the name for your computer. For example, if you want to name
the computer AD-DNS-01, type AD-DNS-01.
5. Click OK twice, click Close, and then click Restart Now to restart the computer.
Windows Server 2003 and Windows XP
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To rename computers running Windows Server 2003 and Windows XP
1. Click Start, right-click My Computer, and then click Properties. The System Properties
dialog box opens.
2. Click Computer Name, and thenclick Change. The Computer Name Changes dialog
box opens.
3. In Computer name, type the name for your computer. For example, if you want the
computer named Client-01, type Client-01.
4. Click OK. The System Setting Changes dialog box opens, indicating that you must
25

restart the computer before the changes take effect.

5. Click OK, click OK again to close the dialog box, and then click Yes to restart the
computer.

Configure a Static IP Address

You can use the procedures in this topic to configure the Internet Protocol version 4 (IPv4)
properties of a network connection with a static IP address for computers running
Windows Server 2008, or for computers running Windows Server 2003.
Procedures for configuring static IP addresses
This topic provides procedures for configuring static IP addresses on computers running the
following operating systems:

Windows Server 2008

Windows Server 2003

Windows Server 2008

Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To configure a static IP address on a computer running Windows Server 2008
1. Click Start, and then click Control Panel.
2. In Control Panel, verify that Classic View is selected, and then double-click Network
and Sharing Center.
3. In Network and Sharing Center, in Tasks, click Manage Network Connections.
4. In Network Connections, right-click the network connection that you want to configure,
and then click Properties.
5. In Local Area Connection Properties, in This connection uses the following items,
select Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet
Protocol Version 4 (TCP/IPv4) Properties dialog box opens.
6. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use
the following IP address. In IP address, type the IP address that you want to use.
7. Press tab to place the cursor in Subnet mask. A default value for subnet mask is entered
automatically. Either accept the default subnet mask, or type the subnet mask that you
want to use.
8. In Default gateway, type the IP address of your default gateway.
9. In Preferred DNS server, type the IP address of your DNS server. If you plan to use the
local computer as the preferred DNS server, type the IP address of the local computer.
10. In Alternate DNS Server, type the IP address of your alternate DNS server, if any. If you
plan to use the local computer as an alternate DNS server, type the IP address of the
26

local computer.
11. Click OK, and then click Close.
Windows Server 2003
Membership in Administrators, or equivalent, is the minimum required to perform these
procedures.
To configure a static IP address on a computer running Windows Server 2003
1. Click Start, click Control Panel, right-click Network Connections, and then click Open.
2. In Network Connections, right-click the network connection that you want to configure,
and then click Properties.
3. In Local Area Connection Properties, in This Connection uses the following Items,
select Internet Protocol (TCP/IP), and then click Properties. The Internet Protocol
(TCP) Properties dialog box opens.
4. In Internet Protocol Version 4 (TCP/IPv4) Properties, on the General tab, click Use
the following IP address. In IP address, type the IP address that you want to use.
5. In Subnet mask, either accept the default subnet mask, or type the subnet mask that you
want to use.
6. In Default gateway, type the IP address of your default gateway.
7. In Preferred DNS server, type the IP address of your DNS server.
8. In Alternate DNS Server, type the IP address of your alternate DNS server, if any.
9. Click OK, and then click Close.

Deploying AD-DNS-01
To deploy AD-DNS-01, which is the computer running Active Directory Domain Services (AD DS)
and DNS, you must complete these steps in the following order:

Perform the steps in the section Configuring All Servers.

Install AD DS and DNS for a New Forest

Create a User Account in Active Directory Users and Computers

Add a Group

Assign Group Membership

Configure a DNS Reverse Lookup Zone

Administrative privileges
If you are installing a small network and are the only administrator for the network, it is
recommended that you create a user account for yourself, and then add your user account as a
member of both Enterprise Admins and Domain Admins. Doing so will make it easier for you to
act as the administrator for all network resources. It is also recommended that you log on with this
27

account only when you need to perform administrative tasks, and that you create a separate user
account for performing non-IT related tasks.
If you have a larger organization with multiple administrators, refer to AD DS documentation to
determine the best group membership for organization employees.
Domain user accounts vs. user accounts on the local computer
One of the advantages of a domain-based infrastructure is that you do not need to create user
accounts on each computer in the domain. This is true whether the computer is a client computer
or a server.
Because of this, you should not create user accounts on each computer in the domain. Create all
user accounts in Active Directory Users and Computers and use the preceding procedures to
assign group membership. By default, all user accounts are members of the Domain Users
group.
After you have joined a computer to the domain, members of the Domain Users group can log on
to any domain member client computer.
Note
Members of the Domain Users group cannot log on to computers running
Windows Server 2008.
You can configure user accounts to designate the days and times that the user is allowed to log
on to the computer. You can also designate which computers each user is allowed to use. To
configure these settings, open Active Directory Users and Computers, locate the user account
that you want to configure, and double-click the account. In the user account Properties, click the
Account tab, and then click either Logon Hours or Log On To.

Install AD DS and DNS for a New Forest

You can use this procedure to install Active Directory Domain Services (AD DS) and DNS and to
create a new domain in a new forest.
Membership in Administrators is the minimum required to perform this procedure.
To install Active Directory Domain Services and DNS
1. Do one of the following:
a. In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add
Roles Wizard opens.
b. Click Start, and then click Server Manager. In Server Manager, click Roles, and in
the details pane, in Roles Summary, click Add Roles. The Add Roles Wizard opens.
2. In Before You Begin, click Next.
Note
The Before You Begin page of the Add Roles Wizard is not displayed if you
have previously selected Do not show this page again when the Add Roles
28

Wizard was run.

3. In Select Server Roles, in Roles, select Active Directory Domain Services, and then
click Next.
4. In Active Directory Domain Services, click Next.
5. In Confirm Installation Selections, click Install. The Installation Progress page opens
during installation.
6. When installation is complete, in Installation Results, review the information, and then
click Close this wizard and launch the Active Directory Domain Services Installation
Wizard. The Add Roles Wizard closes and the Active Directory Domain Services
Installation Wizard opens. Click Next.
7. In Choose a Deployment Configuration, select Create a new domain in a new forest.
Click Next.
8. In Name the Forest Root Domain, in FQDN of the forest root domain, type the fully
qualified domain name for your domain. For example, if your FQDN is example.com, type
example.com. Click Next.
9. In Set Forest Functional Level, select the forest functional level that you want to use,
and then click Next.
10. In Additional Domain Controller Options, in Select additional options for this
domain controller, verify that DNS server is selected, and then click Next. The Active
Directory Domain Services Installation Wizard warning dialog box opens.
11. The warning dialog box informs you that you can create a delegation to this DNS server
manually in the parent zone. Click Yes to continue Active Directory Domain Services
installation.
12. In Location for Database, Log Files, and SYSVOL, do one of the following:

Accept the default values.

Type folder locations that you want to use for Database folder, Log files folder, and
SYSVOL folder.

13. Click Next.

14. In Directory Services Restore Mode Administrator Password, in Password, type a
password. In Confirm password, retype the password, and then click Next.
15. In Summary, review your selections.
16. If you want to export settings to an answer file, click Export settings, and specify a name
for the answer file. Click Next.
17. In Completing the Active Directory Domain Services Installation Wizard, click
Finish, and then click Restart Now.

29

Create a User Account in Active Directory Users and Computers

You can use this procedure to create a new domain user account in Active Directory Users and
Computers Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To create a user account
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, right-click the folder in which you want to add a user account.
Where?

Active Directory Users and Computers/domain node/folder

3. Point to New, and then click User.

4. In First name, type the user's first name.
5. In Initials, type the user's initials.
6. In Last name, type the user's last name.
7. Modify Full name to add initials or reverse the order of first and last names.
8. In User logon name, type the user logon name. Click Next.
9. In New Object - User, in Password and Confirm password, type the user's password,
and then select the appropriate password options.
10. Click Next, review the new user account settings, and then click Finish.

Add a Group
You can use this procedure to create a new group in Active Directory Users and Computers
Microsoft Management Console (MMC).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To add a group
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, right-click the folder in which you want to add a new group.
Where?
30

Active Directory Users and Computers/domain node/folder

3. Point to New, and then click Group.

4. In New Object Group, in Group name, type the name of the new group.
By default, the name you type is also entered as the pre-Windows 2000 name of the new
group.
5. In Group scope, select one of the following options:

Domain local

Global

Universal

6. In Group type, select one of the following options:

Security

Distribution

7. Click OK.

Assign Group Membership

You can use this procedure to add a user, computer, or group to a group in Active Directory
Users and Computers Microsoft Management Console (MMC).
Note
When you administer a domain, security principals in the parent domain or other trusted
domains are not visible on the Member Of tab of a domain users properties. The only
domain accounts that you can add or view are the present domain groups. Only domain
groups in the present domain are shown, even if the member belongs to other trusted
domain groups.
Membership in Domain Admins, or equivalent is the minimum required to perform this
procedure.
To assign group membership
1. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers. The Active Directory Users and Computers MMC opens. If it is not already
selected, click the node for your domain. For example, if your domain is example.com,
click example.com.
2. In the details pane, double-click the folder that contains the group to which you want to
add a member.
Where?

Active Directory Users and Computers/domain node/folder that contains the group

3. In the details pane, right-click the group to which you want to add a member, and then
click Properties. The group Properties dialog box opens. Click the Members tab.
31

4. On the Members tab, click Add.

5. In Enter the object names to select, type the name of the user, group, or computer that
you want to add, and then click OK.
6. To assign group membership to other users, groups or computers, repeat steps 4 and 5
of this procedure.

Configure a DNS Reverse Lookup Zone

You can use this procedure to configure a reverse lookup zone in Domain Name System (DNS).
Membership in Domain Admins is the minimum required to perform this procedure.
To configure a DNS reverse lookup zone
1. Click Start, click Administrative Tools, and then click DNS. The DNS Manager opens.
2. In DNS Manager, if it is not already expanded, double-click the server name to expand
the tree. For example, if the DNS server name is AD-DNS-01, double-click AD-DNS-01.
3. Select Reverse Lookup Zones, right-click Reverse Lookup Zones, and then click New
Zone. The New Zone Wizard opens.
4. In Welcome to the New Zone Wizard, click Next.
5. In Zone Type, select one of the following:

Primary zone

Secondary zone

Stub zone

6. If your DNS server is a writeable domain controller, select Store the zone in Active
Directory.
7. Click Next.
8. In Active Directory Zone Replication Scope, select one of the following:

To all DNS servers in this forest

To all DNS servers in this domain

To all domain controllers in this domain

To all domain controllers specified in the scope of this directory partition

9. Click Next.
10. In the first Reverse Lookup Zone Name page, select one of the following:

IPv4 Reverse Lookup Zone

IPv6 Reverse Lookup Zone

11. Click Next.

12. In the second Reverse Lookup Zone Name page, do one of the following:
a. In Network ID, type the network ID of your IP address range. For example, if your IP
32

address range is 192.168.0.1, type 192.168.0.

b. In Reverse lookup zone name, type the name of your IPv4 reverse lookup zone.
13. Click Next.
14. In Dynamic Update, select the type of dynamic updates that you want to allow. Click
Next.
15. In Completing the New Zone Wizard, review your choices, and then click Finish.

Joining Computers to the Domain and Logging On

After you have installed Active Directory Domain Services (AD DS) and created one or more user
accounts that have permissions to join a computer to the domain, you can join foundation network
servers to the domain and log on to the servers in order to install additional technologies, such as
Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), and
Network Policy Server (NPS).
Note
If you are logged on to a computer running Windows Server 2008 with the local
computers Administrator account, by default, you can join a computer to the domain with
a user account that is a member of Domain Users in Active Directory Users and
Computers.
In addition, you can use these instructions to join client computers to the domain and to log on to
client computers.
On all servers that you are deploying, except for the server running AD DS, do the following:
1. Complete the procedures provided in Configuring All Servers.
2. Use the instructions in the following sections to join your servers to the domain and to log on
to the servers to perform additional deployment tasks:

Join the Computer to the Domain

Log on to the Domain

Join the Computer to the Domain

You can use these procedures to join computers running Windows Server 2008,
Windows Vista,Windows Server 2003, and Windows XP to the domain.
Procedures for joining computers to the domain
This topic provides procedures for joining computers running the following operating systems to
the domain:

Windows Server 2008 and Windows Vista

Windows Server 2003 and Windows XP

33

Important
To join a computer to a domain, you must be logged on to the computer with the local
Administrator account or, if you are logged on to the computer with a user account that
does not have local computer administrative credentials, you must provide the credentials
for the local Administrator account during the process of joining the computer to the
domain. In addition, you must have a user account in the domain to which you want to
join the computer. During the process of joining the computer to the domain, you will be
prompted for your domain account credentials (user name and password).
Windows Server 2008 and Windows Vista
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2008 and Windows Vista to the domain
1. Log on to the computer with the local Administrator account.
2. Click Start, right-click Computer, and then click Properties. The System dialog box
opens.
3. In Computer name, domain, and workgroup settings, click Change settings. The
System Properties dialog box opens.
Note
On computers running Windows Vista, before the System Properties dialog
box opens, the User Account Control dialog box opens, requesting permission
to continue. Click Continue to proceed.
4. Click Change. The Computer Name/Domain Changes dialog box opens.
5. In Computer Name, in Member of, select Domain, and then type the name of the
domain you want to join. For example, if the domain name is example.com, type
example.com.
6. Click OK. The Windows Security dialog box opens.
7. In Computer Name/Domain Changes, in User name, type the user name, and in
Password, type the password, and then click OK. The Computer Name/Domain
Changes dialog box opens, welcoming you to the domain. Click OK.
8. The Computer Name/Domain Changes dialog box displays a message indicating that
you must restart the computer to apply the changes. Click OK.
9. On the System Properties dialog box, on the Computer Name tab, click Close. The
Microsoft Windows dialog box opens, and displays a message, again indicating that
you must restart the computer to apply the changes. Click Restart Now.
Windows Server 2003 and Windows XP
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
To join computers running Windows Server 2003 and Windows XP to the domain
1. Click Start, right-click My Computer, and then click Properties. The System Properties
34

dialog box opens.

2. Click Change. The Computer Name Changes dialog box opens.
3. In Computer Name Changes, in Member of, select Domain, and then type the name of
the domain you want to join. For example, if the domain name is example.com, type
example.com.
4. Click OK. The Computer Name Changes dialog box opens. In User name, type the
domain administrator account name, and in Password, type the administrator password,
and then click OK.
5. The Computer Name Changes dialog box opens, welcoming you to the domain.
6. Click OK. The Computer Name Changes dialog box displays a message indicating that
you must restart the computer to apply the changes.
7. Click OK.
8. On the System Properties dialog box, on the Computer Name tab, click OK, to close
the System Properties dialog box. The System Settings Change dialog box opens,
and displays a message, again indicating that you must restart the computer to apply the
changes.
9. Click Yes.

Log on to the Domain

You can use these procedures to log on to the domain using computers running
Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP.
Procedures to log on to the domain
This topic provides procedures to log on to the domain using computers running the following
operating systems:

Windows Server 2008 and Windows Vista

Windows Server 2003 and Windows XP

Windows Server 2008 and Windows Vista

Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2008 and
Windows Vista
1. Log off the computer, or restart the computer.
2. Press CTRL + ALT + DELETE. The logon screen appears.
3. Click Switch User, and then click Other User.
4. In User name, type your domain and user name in the format domain\user. For example,
to log on to the domain example.com with an account named User-01, type
example\User-01.
35

5. In Password, type your domain password, and then click the arrow, or press ENTER.
Windows Server 2003 and Windows XP
Membership in Domain Users, or equivalent, is the minimum required to perform this procedure.
Log on to the domain using computers running Windows Server 2003 and Windows XP
1. Log off the computer, or restart the computer.
2. Press CTRL + ALT + DELETE. The Log On to Windows dialog box appears.
3. If Log on to is not displayed, click Options.
4. In Log on to, in the drop down list, select your domain. For example, in the example.com
domain, select EXAMPLE.
5. Type your domain and user name in the format domain\user. For example, to log on to
the example.com domain with an account named User-01, type example\User-01.
6. In Password, type your domain password, and then press ENTER.

Deploying WINS-01 (optional)

Before deploying this component of the foundation network, you must do the following:

Perform the steps in the section Configuring All Servers.

Perform the steps in the section Joining Computers to the Domain and Logging On

To deploy WINS-01, which is the computer running Windows Internet Name Service (WINS), you
must complete this step:

Install Windows Internet Name Service (WINS)

Install Windows Internet Name Service (WINS)

Windows Internet Name Service (WINS) enables computers running Windows to find other
computers using NetBIOS across subnets. Some programs rely on WINS to function across the
network.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To install WINS
1. Do one of the following:
a. In Initial Configuration Tasks, in Customize This Server, click Add Features. The
Add Features Wizard opens.
b. Click Start, and then click Server Manager. In the left pane of Server Manager, click
Features, and in the details pane, in Features Summary, click Add Features. The
Add Features Wizard opens.
2. In Select Features, in Features, scroll down the list, select WINS Server, and then click
36

Next.
3. In Confirm installation selections, click Install.
4. In Installation Results, review your installation results, and then click Close.

Deploying DHCP-01
Before deploying this component of the foundation network, you must do the following:

Perform the steps in the section Configuring All Servers.

Perform the steps in the section Joining Computers to the Domain and Logging On.

DHCP installation suggestions

The following choices are recommended when you install DHCP with the Add New Roles Wizard:

Activate the scope or scopes that you configure during installation unless you have reason
not to do so. For example, if you plan to create an exclusion range for the scope so that some
IP addresses are available for statically configured devices, you might not want to activate
the scope until after you have created the exclusion range. After you activate a scope, it is
configured to function without additional configuration after the installation process is
complete. If you choose not to activate a scope during installation, however, you can activate
the scope after DHCP is installed by using the DHCP Microsoft Management Console (MMC)
and the procedure Activate a DHCP Scope.

Authorize the DHCP server in Active Directory Domain Services (AD DS) during installation
unless you have reason not to do so. If you authorize the server during installation, the server
is configured to function without additional configuration after the installation process is
complete. If you choose not to authorize the DHCP server during installation, however, you
can authorize the server after DHCP is installed by using the DHCP MMC and the procedure
Authorize a DHCP Server in Active Directory Domain Services.

Do not enable Configure DHCPv6 Stateless Mode unless you plan to use Internet Protocol
version 6 (IPv6) on your network in addition to or to replace IPv4.

Deploying DHCP
To deploy DHCP-01, which is the computer running the Dynamic Host Configuration Protocol
(DHCP) server role, you must complete these steps in the following order:

If you plan to deploy Windows Internet Name Service (WINS) on your network, it is
recommended that you perform the steps in the section Deploying WINS-01 (optional) before
installing DHCP.

Install Dynamic Host Configuration Protocol (DHCP)

Create an Exclusion Range in DHCP

If you chose not to perform the following actions during DHCP installation, you can perform them
after DHCP is installed:
37

Authorize a DHCP Server in Active Directory Domain Services

Activate a DHCP Scope

After DHCP is installed, you can add more scopes to the server configuration:

Create a New DHCP Scope

Install Dynamic Host Configuration Protocol (DHCP)

You can use this procedure to install and configure the DHCP Server role using the Add Roles
Wizard.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To install DHCP
1. Do one of the following:
a. In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add
Roles Wizard opens.
b. Click Start, and then click Server Manager. In the left pane of Server Manager, click
Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles
Wizard opens.
2. In Before You Begin, click Next.
Note
The Before You Begin page of the Add Roles Wizard is not displayed if you
have previously selected Do not show this page again when the Add Roles
Wizard was run.
3. In Select Server Roles, in Roles, select DHCP Server, and then click Next.
4. In DHCP Server, click Next.
5. In Select Network Connection Bindings, in Network Connections, select the IP
addresses that are connected to the subnets for which you want to provide DHCP
service, and then click Next.
6. In Specify IPv4 DNS Server Settings, in Parent Domain, verify that the name of the
DNS domain that clients use for name resolution is correct. For example, if your domain
is named example.com, verify that the DNS domain name is example.com.
7. In Preferred DNS server IPv4 address, type the IPv4 address of your preferred DNS
server, and then click Validate. In Alternate DNS server IPv4 Address, type the IPv4
address of your alternate DNS server, if any, and then click Validate.
Note
If a DNS server responds when you click Validate, the DHCP installation wizard
indicates the specified address for the DNS server is valid. If no DNS server
responds when you click Validate, the DHCP installation wizard returns the
38

message: The DNS server at the specified IP address is not responding.

8. Click Next. In Specify IPv4 WINS Server Settings, select one of the following:

If you do not have WINS servers on your network, select WINS is not required for
applications on this network.

If one or more WINS servers are deployed on your network, select WINS is required
for applications on this network. In Preferred WINS server IP address, type the
IPv4 address of your preferred WINS server. In Alternate WINS server IP Address,
type the IPv4 address of your alternate WINS server, if any, and then click Next.

9. In Add or Edit DHCP Scopes, click Add. The Add Scope dialog box opens.
10. In the Add Scope dialog box, type values for all required items, and in Subnet Type,
select either Wired or Wireless, depending on the IP address lease duration that you
prefer, and then do one of the following:

To automatically activate the scope immediately after DHCP installation is complete,

click Activate this scope. If there are computers or devices on the network that have
static IP addresses, do not activate the scope until after you have created an
exclusion range. The exclusion range prevents the DHCP server from leasing IP
addresses that are already in use by a statically configured device.

To manually activate the scope later, use the DHCP Microsoft Management Console
(MMC).

11. Click OK. This returns you to the Add or Edit DHCP Scopes page. If your network has
multiple subnets that are serviced by this DHCP server, add scopes for each subnet
using steps 9 and 10. Click Next.
12. In Configure DHCPv6 Stateless Mode, select whether you want to configure the DHCP
server for DHCPv6 stateless operation, and then click Next.
13. In Authorize DHCP Server, do one of the following:

Select Use current credentials to authorize the DHCP server in Active Directory
Domain Services (AD DS) using the credentials supplied for the current session.

To specify alternate credentials for authorization, select Use alternate credentials.

Click Specify, and then type the credentials to use for DHCP server authorization.

Select Skip authorization of this DHCP server in AD DS, and then click Next.
Note
Before your DHCP server can issue IP address leases, the DHCP server
must be authorized in AD DS.

14. In Confirm Installation Selections, review your selections, and then click Install.
15. In Installation Results, review your installation results, and then click Close.

39

Create an Exclusion Range in DHCP

You can use this procedure to create an exclusion range for an existing DHCP scope.
Membership in DHCP Administrators, or equivalent, is the minimum required to perform this
procedure.
To create an exclusion range in DHCP
1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft
Management Console (MMC) opens.
2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP01.example.com, double-click DHCP-01.example.com.
3. Double-click IPv4, and then, for the scope for which you want to create an exclusion
range, double-click Scope.
4. Click Address Pool. Right-click Address Pool, and then click New Exclusion Range.
The Add Exclusion dialog box opens.
5. In Add Exclusion, in Start IP Address, type the IP address that is the first IP address in
the exclusion range.
6. In Add Exclusion, in End IP Address, type the IP address that is the last IP address in
the exclusion range, and then click Add.
7. Click Close.

Authorize a DHCP Server in Active Directory Domain Services

You can use this procedure to authorize a DHCP server in Active Directory Domain Services
(AD DS).
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To authorize a DHCP server in AD DS
1. Click Start, click Administrative Tools, and then click DHCP. The DHCP Microsoft
Management Console (MMC) opens.
2. In DHCP, right-click the server name. For example, if the DHCP server name is DHCP01.example.com, right-click DHCP-01.example.com.
3. Click Authorize.
4. Click Action, and then click Refresh. The IPv4 icon changes to indicate that the server is
authorized in AD DS.

40

Activate a DHCP Scope

You can use this procedure to activate a DHCP scope using the DHCP Microsoft Management
Console (MMC).
Membership in DHCP Administrators, or equivalent, is the minimum required to perform this
procedure.
To activate a DHCP scope
1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens.
2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP01.example.com, double-click DHCP-01.example.com.
3. Double-click IPv4, and click the scope that you want to activate. Right-click the scope
that you want to activate, and then click Activate.

Create a New DHCP Scope

You can use this procedure to create a new DHCP scope using the DHCP Microsoft
Management Console (MMC).
Membership in DHCP Administrators, or equivalent, is the minimum required to perform this
procedure.
To create a new DHCP Scope
1. Click Start, click Administrative Tools, and then click DHCP. The DHCP MMC opens.
2. In DHCP, double-click the server name. For example, if the DHCP server name is DHCP01.example.com, double-click DHCP-01.example.com.
3. Right-click IPv4, and then click New Scope. The New Scope Wizard opens.
4. In Welcome to the New Scope Wizard, click Next.
5. In Scope Name, in Name, type a name for the scope. For example, type Subnet-02.
6. In Description, type a description for the new scope, and then click Next.
7. In IP Address Range, do the following:
a. In Start IP Address, type the IP address that is the first IP address in the range. For
example, type 10.10.10.1.
b. In End IP Address, type the IP address that is the last IP address in the range. For
example, type 10.10.10.254. Values for Length and Subnet mask are entered
automatically, based on the IP address you entered for Start IP address.
c.

If necessary, modify the values in Length or Subnet mask, as appropriate for your
addressing scheme.

d. Click Next.
8. In Add Exclusions, do the following:
41

a. In Start IP Address, type the IP address that is the first IP address in the exclusion
range. For example, type 10.10.10.1.
b. In End IP Address, type the IP address that is the last IP address in the exclusion
range, For example, type 10.10.10.15.
9. Click Add, and then click Next.
10. In Lease Duration, modify the default values for Days, Hours, and Minutes, as
appropriate for your network, and then click Next.
11. In Configure DHCP Options, select Yes, I want to configure these options now, and
then click Next.
12. In Router (Default Gateway), do one of the following:

If you do not have routers on your network, click Next.

In IP address, type the IP address of your router or default gateway. For example,
type 10.10.10.10. Click Add, and then click Next.

13. In Domain Name and DNS Servers, do the following:

a. In Parent Domain, type the name of the DNS domain that clients use for name
resolution. For example, type example.com.
b. In Server name, type the name of the DNS computer that clients use for name
resolution. For example, type AD-DNS-01.
c.

Click Resolve. The IP address of the DNS server is added in IP Address. Click
Add, and then click Next.

14. In WINS Servers, do one of the following:

If you do not have WINS servers on your network, click Next.

If you have one or more WINS servers deployed on your network, for each WINS
server: In Server name, type the name of the WINS server. For example, type
WINS-01. Click Resolve. The IP address of the WINS server is added in IP
Address. Click Add, and then click Next.

15. In Activate Scope, do one of the following:

To automatically activate the scope immediately after the steps in the New Scope
Wizard are complete, select Yes, I want to activate this scope now.

To manually activate the scope later by using the DHCP MMC, select No I will
activate this scope later.

16. Click Next, and then click Finish.

Deploying NPS-01 (optional)

Before deploying this component of the foundation network, you must do the following:

Perform the steps in the section Configuring All Servers.

Perform the steps in the section Joining Computers to the Domain and Logging On
42

To deploy NPS-01, which is the computer running the Network Policy Server (NPS) role service
of the Network Policy and Access Services server role, you must complete this step:

Install Network Policy Server (NPS)

Install Network Policy Server (NPS)

You can use this procedure to install Network Policy Server (NPS) using the Add Roles Wizard.
NPS is a role service of the Network Policy and Access Services server role.
Membership in Domain Admins, or equivalent, is the minimum required to perform this
procedure.
To install NPS
1. Do one of the following:
a. In Initial Configuration Tasks, in Customize This Server, click Add roles. The Add
Roles Wizard opens.
b. Click Start, and then click Server Manager. In the left pane of Server Manager, click
Roles, and in the details pane, in Roles Summary, click Add Roles. The Add Roles
Wizard opens.
2. In Before You Begin, click Next.
Note
The Before You Begin page of the Add Roles Wizard is not displayed if you
have previously selected Do not show this page again when the Add Roles
Wizard was run.
3. In Select Server Roles, in Roles, select Network Policy and Access Services, and
then click Next.
4. In Network Policy and Access Services, click Next.
5. In Select Role Services, in Role Services, select Network Policy Server, and then
click Next.
6. In Confirm Installation Selections, click Install.
7. In Installation Results, review your installation results, and then click Close.

Additional Technical Resources

For more information about the technologies in this guide, see the following resources:

Active Directory Domain Services in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=96418

Domain Name System (DNS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=93215

43

Dynamic Host Configuration Protocol (DHCP) in the Windows Server 2008 Technical Library,
at http://go.microsoft.com/fwlink/?LinkId=96419

Network Access Protection in the Windows Server 2008 Technical Library, at

http://go.microsoft.com/fwlink/?LinkId=103446 and Network Access Protection at
http://go.microsoft.com/fwlink/?LinkId=84637

Network Policy Server (NPS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=104545 and Network Policy Server at
http://go.microsoft.com/fwlink/?LinkId=93758

TCP/IP in the Windows Server 2008 Technical Library, at

http://go.microsoft.com/fwlink/?LinkId=103329

Windows Internet Name Service (WINS) in the Windows Server 2008 Technical Library, at
http://go.microsoft.com/fwlink/?LinkId=103331

Appendix A
You can use this Network Planning Preparation Sheet to gather the information required to install
a foundation network. This topic provides tables that contain the individual configuration items for
each server computer for which you must supply information or specific values during the
installation or configuration process. Example values are provided for each configuration item.
For planning and tracking purposes, spaces are provided in each table for you to enter the values
used for your deployment. If you log security-related values in these tables, you should store the
information in a secure location.

Foundation Network Planning Preparation Sheet

The following links lead to the sections in this topic that provide configuration items and example
values that are associated with the deployment procedures presented in this guide.

Installing Active Directory Domain Services and DNS

Configuring a DNS Reverse Lookup Zone

Installing Windows Internet Name Service (optional)

Installing DHCP

Creating an exclusion range in DHCP

Creating a new DHCP scope

Installing Network Policy Server (optional)

Installing Active Directory Domain Services and DNS

The tables in this section list configuration items for pre-installation and installation of Active
Directory Domain Services (AD DS) and DNS.
Pre-installation configuration items for AD DS and DNS

44

The following three tables list pre-installation configuration items as described in Configuring All
Servers:

Change the Administrator Password

Configuration items:

Example values:

Administrator password

J*p2leO4$F

Configure a Static IP Address

Configuration items:

Example values:

IP address

192.168.0.1

Subnet mask

255.255.255.0

Default gateway

192.168.0.10

Preferred DNS server

192.168.0.1

Alternate DNS server

192.168.0.6

Values:

Values:

Rename the Computer

Configuration item:

Example value:

Computer name

AD-DNS-01

Value:

AD DS and DNS installation configuration items

Configuration items for the Windows Server Foundation Network deployment procedure Install
AD DS and DNS for a New Forest:
Configuration items:

Example values:

Full DNS name

example.com

Forest functional level

Windows Server 2003

Active Directory Domain

Services database folder
location

E:\Configuration\

Active Directory Domain

Services log files folder
location

E:\Configuration\

Active Directory Domain

E:\Configuration\

Values:

Or accept the default location.

Or accept the default location.

45

Configuration items:

Example values:

Services SYSVOL folder

location

Or accept the default location

Directory Restore Mode

Administrator password

J*p2leO4$F

Answer file name (optional)

AD DS_AnswerFile

Values:

Configuring a DNS Reverse Lookup Zone

Configuration items:

Example values:

Zone type:

Primary zone

Secondary zone

Stub zone

Zone type

Selected

Store the zone in Active

Directory

Not selected

Active Directory zone

replication scope

To all DNS servers in this

forest

To all DNS servers in this

domain

To all domain controllers in

this domain

To all domain controllers

specified in the scope of
this directory partition

Reverse lookup zone name

IPv4 Reverse Lookup Zone

(IP type)

IPv6 Reverse Lookup Zone

Reverse lookup zone name

192.168.0

Values:

(network ID)

Installing Windows Internet Name Service (optional)

The tables in this section list configuration items for pre-installation and installation of Windows
Internet Name Service (WINS).
Pre-installation configuration items

46

The following three tables list pre-installation configuration items as described in Configuring All
Servers:

Change the Administrator Password

Configuration items:

Example values:

Administrator password

J*p2leO4$F

Configure a Static IP Address

Configuration items:

Example values:

IP address

192.168.0.2

Subnet mask

255.255.255.0

Default gateway

192.168.0.10

Preferred DNS server

192.168.0.1

Alternate DNS server

192.168.0.6

Values:

Values:

Rename the Computer

Configuration item:

Example value:

Computer name

WINS-01

Value:

WINS installation configuration items

Configuration items for the Windows Server Foundation Network deployment procedure Install
Windows Internet Name Service (WINS):

No additional configuration items are required to install WINS.

Installing DHCP
The tables in this section list configuration items for pre-installation and installation of DHCP.
Pre-installation configuration items for DHCP
The following three tables list pre-installation configuration items as described in Configuring All
Servers:

Change the Administrator Password

Configuration items:

Example values:

Administrator password

J*p2leO4$F

Values:

47

Configure a Static IP Address

Configuration items:

Example values:

IP address

192.168.0.3

Subnet mask

255.255.255.0

Default gateway

192.168.0.10

Preferred DNS server

192.168.0.3

Alternate DNS server

192.168.0.6

Values:

Rename the Computer

Configuration item:

Example value:

Computer name

DHCP-01

Value:

DHCP installation configuration items

Configuration items for the Windows Server Foundation Network deployment procedure Install
Dynamic Host Configuration Protocol (DHCP):
Configuration items:

Example values:

Network connect bindings

Local Area Connection

DNS server settings

AD-DNS-01

Preferred DNS server IP

address

192.168.0.1

Alternate DNS server IP

address

192.168.0.6

WINS server settings.

192.168.0.2

Alternate WINS server IP

address

192.168.0.12

Scope name

Primary Subnet

Starting IP address

192.168.0.1

Ending IP address

192.168.0.254

Subnet mask

255.255.255.0

Default gateway (optional)

192.168.0.10

Values:

48

Configuration items:

Example values:

Subnet type

Wired (Lease duration will be 6

days)

IPv6 DHCP server operation

mode

Not enabled

Values:

Creating an exclusion range in DHCP

Configuration items for the Windows Server Foundation Network deployment procedure Create
an Exclusion Range in DHCP:
Configuration items:

Example values:

Scope name

Primary Scope

Scope description

Parent Domain Scope

Exclusion range start IP

address

192.168.0.1

Exclusion range end IP address

192.168.0.15

Values:

Creating a new DHCP scope

Configuration items for the Windows Server Foundation Network deployment procedure Create a
New DHCP Scope:
Configuration items:

Example values:

New scope name

Subnet-02

Scope description

Scope for Subnet-02

(IP address range)

10.10.10.1

Values:

Start IP address
(IP address range)

10.10.10.254

End IP address
Length

Subnet mask

255.0.0.0

(Exclusion range) Start IP

address

10.10.10.1

Exclusion range end IP address 10.10.10.15

49

Configuration items:

Example values:

Lease duration

Days

Hours

Values:

Minutes
Router (default gateway)

10.10.10.10

IP address
DNS parent domain

example.com

DNS server

192.168.0.1

IP address
WINS server

192.168.0.2

IP address

Installing Network Policy Server (optional)

The tables in this section list configuration items for pre-installation and installation of NPS.
Pre-installation configuration items
The following three tables list pre-installation configuration items as described in Configuring All
Servers:

Change the Administrator Password

Configuration items:

Example values:

Administrator password

J*p2leO4$F

Configure a Static IP Address

Configuration items:

Example values:

IP address

192.168.0.4

Subnet mask

255.255.255.0

Default gateway

192.168.0.10

Preferred DNS server

192.168.0.1

Alternate DNS server

192.168.0.6

Values:

Values:

Rename the Computer

50

Configuration item:

Example value:

Computer name

NPS-01

Value:

Network Policy Server installation configuration items

Configuration items for the Windows Server Foundation Network deployment procedure Install
Network Policy Server (NPS):

No additional configuration items are required to install NPS.

51