Yahya Mohamed Mao

@yahyaibnmohamed

AGUDLP principle for the configuration of a main level domain, AD set-up and IP addressing

Preliminary technical tasks that have to be fulfilled before heading towards a fully-operational system based on the example of n’cloud Virtual Office

Setting up a remote desktop terminal server requires a number of preliminary technical tasks before a fully operational system can be reached. That system should meet high standards of security, reliability and fail-safety. The purpose of this technically oriented article is to give the reader an overview of how to configure a main level domain, how to set up Active Directory, and how to handle IP addressing. I refer here to n’cloud Virtual Office.

n’cloud Virtual Office

Creating the server

We start with the installation of a main domain server. We name it DOM002AD01 and configure the domain DOM002.local, which is the highest-level domain of the entire structure. The server gets the fixed address “123.456.78.910”. It is also the primary DNS server and is configured as a forwarding DNS. This gives us the following basic configuration:

Main level domain server: DOM002.local
Domain controller main domain: DOM002AD01.DOM002.local
IP addressing: 123.456.78.910

Before we can start installing and configuring the server, we need to create the virtual server in Hyper-V on our cluster node (DOMCLN201). For this we need an image, which we assume here has already been prepared beforehand with SYSPREP. We copy this image on the cluster into a folder created exclusively for the virtual server and named after the new server. We then create the new folders for the virtual servers in Hyper-V so that the virtual servers can be installed; before starting this procedure, we select the specific storage locations in which the servers are to be stored. While creating the server, the RAM value is set and the dynamic option for the memory is enabled.

Determining the generation of the server

Generation 1:

Generation 1 provides the virtual server with the same virtual hardware as in previous versions of Hyper-V.

Generation 2:

Generation 2 provides the following new features on a virtual machine:

· PXE boot using a standard network card
· Boot from a virtual SCSI disk
· Boot from a virtual SCSI DVD
· Secure Boot (enabled by default)
· UEFI firmware support

Since the virtual hard disk was designed and created for Generation 2, the Generation 2 option is chosen.

Image: generation selection for virtual servers

When creating the server, there is a step in which the network adapter must be selected. As the network adapters have already been created on the cluster, we can simply select the adapter in the “Configure Network” section. This allows the server to communicate on the network and the Internet.

Afterwards, we select the virtual hard disk stored in the folder on our cluster. With that, the creation of the server is finished. The virtual server can now be started, installed and configured.
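The VM creation steps above, as an added PowerShell example that is not part of the article: a folder named after the server, a private copy of the Sysprep’d image, a Generation 2 VM with dynamic memory attached to the existing virtual switch, and a few checks before first start. The storage paths, image name, switch name and memory sizes are assumptions; the text’s “dynamic” setting is taken here as Hyper-V dynamic memory.

```powershell
# Added example (not from the article): create the DOM002AD01 virtual server on the
# Hyper-V cluster node. Paths, switch name and sizes are assumptions.
# Run on the cluster node (DOMCLN201) as an administrator with the Hyper-V module loaded.

$VmName     = 'DOM002AD01'
$VmRoot     = 'C:\ClusterStorage\Volume1\VMs'                     # assumed cluster storage path
$VmFolder   = Join-Path $VmRoot $VmName                           # one folder per server, named after it
$ImageVhdx  = 'C:\ClusterStorage\Volume1\Images\WS-Sysprep.vhdx'  # assumed Sysprep'd image
$VmVhdx     = Join-Path $VmFolder "$VmName.vhdx"
$SwitchName = 'External-LAN'                                      # assumed existing virtual switch

# 1. Folder dedicated to this server, and a private copy of the prepared image.
New-Item -ItemType Directory -Path $VmFolder -Force | Out-Null
Copy-Item -Path $ImageVhdx -Destination $VmVhdx

# 2. Generation 2 VM (UEFI, SCSI boot, Secure Boot) attached to the existing switch.
#    The VM is pointed at the copied disk instead of creating a new empty one.
New-VM -Name $VmName `
       -Generation 2 `
       -MemoryStartupBytes 4GB `
       -Path $VmFolder `
       -VHDPath $VmVhdx `
       -SwitchName $SwitchName | Out-Null

# 3. Dynamic memory; the bounds are assumptions.
Set-VMMemory -VMName $VmName -DynamicMemoryEnabled $true `
             -MinimumBytes 2GB -StartupBytes 4GB -MaximumBytes 8GB

# 4. Secure Boot is the Generation 2 default; set it explicitly so the choice is
#    recorded in the script rather than inherited silently.
Set-VMFirmware -VMName $VmName -EnableSecureBoot On

# 5. Sanity checks before the first start.
$vm = Get-VM -Name $VmName
if ($vm.Generation -ne 2)          { throw "Expected a Generation 2 VM" }
if (-not $vm.DynamicMemoryEnabled) { throw "Dynamic memory was not enabled" }
Get-VMNetworkAdapter -VMName $VmName | Select-Object VMName, SwitchName

Start-VM -Name $VmName
```

On a failover cluster the VM still has to be registered as a cluster role (Add-ClusterVirtualMachineRole -VMName DOM002AD01) so that it can fail over between nodes; creating it on cluster storage alone does not do that.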

Main domain server naming & IP addressing

We launch the server and start with the configuration. First, the computer name is changed to the predefined name “DOM002AD01” and the server is restarted. Then the IP address, gateway and DNS server are entered so that the server can be used in the network of the company providing the virtual server.

Roles installation on the main domain

The Active Directory Domain Services role needs to be installed for both the domains and the entire AD structure. After installation, the server can be promoted to a domain controller, and the first domain, the main domain DOM002.local, can be configured. The role also brings additional tools such as Active Directory Users and Computers. Here one creates the NTFS groups, which are needed later for nesting the groups from the subdomains that grant the RDP users remote and data access.

The “DNS Server” role is automatically installed on all Active Directory servers, and the main domain server serves as forwarding DNS for the servers of its own domain and of the other domains in the structure.

Active Directory Admin & NTFS Groups, AGUDLP Principle

As a first step, a new domain administrator is created, which we name “DOMAdmin@dom002.local”: we copy the built-in “Administrator” account in Active Directory and rename the copy “DOMAdmin”. Next, we create a new organizational unit (OU) called “NTFS groups”. In it we create all the groups needed later for access via the web and for the distribution of the network drives. Later, we also nest the groups from the subdomains into these NTFS groups on the main domain, so that the web access works in the end. The group scope must be set to “universal”, otherwise the groups of the subdomains cannot be nested.

The AGUDLP principle

At n’cloud.swiss we build up the entire user and group structure according to the AGUDLP principle, which simplifies the ordering and structure of users and groups. AGUDLP stands for Accounts > Global groups > Universal groups > Domain Local groups > Permissions.

The user accounts are added to global groups in their subdomains. These global groups are then nested within universal groups on the main domain. There they are nested once more into dedicated “domain local” groups, and from those the permissions are assigned in the access authorization settings of the specific programs.

Our environment follows this scheme almost exactly, except that we omit the last “domain local” nesting. That layer would only be necessary with a larger number of users and groups, where things could otherwise become confusing. Since we have no users on the main domain apart from the new administrator, we do not need this step.
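The AGUDLP chain as configured in this environment (accounts in a subdomain global group, nested into a universal group in the “NTFS groups” OU on the main domain, and that group placed directly on the NTFS ACL since the domain-local layer is skipped), as an added PowerShell example that is not part of the article. The group names, the subdomain USER1, the share path and the NetBIOS name DOM002 are assumptions; the scope checks show why the main-domain group has to be universal.

```powershell
# Added example (not from the article): build the universal-group layer of AGUDLP on
# DOM002.local and nest a subdomain's global group into it. Group names, the subdomain
# USER1, the share path and the NetBIOS name DOM002 are assumptions.
# Run on DOM002AD01 as DOMAdmin with the ActiveDirectory module (RSAT, installed with AD DS).
Import-Module ActiveDirectory

$MainDomainDn = 'DC=DOM002,DC=local'
$OuName       = 'NTFS groups'
$OuDn         = "OU=$OuName,$MainDomainDn"

# 1. Dedicated OU for the groups that carry web and share access.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $MainDomainDn)) {
    New-ADOrganizationalUnit -Name $OuName -Path $MainDomainDn -ProtectedFromAccidentalDeletion $true
}

# 2. "U" of AGUDLP: a universal security group on the main domain. Universal scope is
#    what allows groups from other domains of the forest to be nested into it.
$UniversalGroup = 'NTFS_Share_Projects_RW'   # assumed name
if (-not (Get-ADGroup -Filter "Name -eq '$UniversalGroup'" -SearchBase $OuDn)) {
    New-ADGroup -Name $UniversalGroup -GroupScope Universal -GroupCategory Security -Path $OuDn `
                -Description 'Read/write access to the Projects share (AGUDLP universal layer)'
}

# 3. "G" of AGUDLP: the global group lives in the subdomain and holds the user accounts.
#    It is created and populated on USER1AD01; here we only look it up.
$SubdomainGlobalGroup = Get-ADGroup -Identity 'G_Projects_Users' -Server 'USER1.DOM002.local'  # assumed name

# Cross-domain nesting only works with a universal (or domain local) target, and a global
# group can only hold members from its own domain, so verify both scopes before nesting.
if ($SubdomainGlobalGroup.GroupScope -ne 'Global') {
    throw "Expected a global group on the subdomain, got $($SubdomainGlobalGroup.GroupScope)"
}
$target = Get-ADGroup -Identity $UniversalGroup -Server 'DOM002.local'
if ($target.GroupScope -ne 'Universal') {
    throw "Target group must be universal for cross-domain nesting, got $($target.GroupScope)"
}

# 4. Nest the subdomain's global group into the main domain's universal group.
Add-ADGroupMember -Identity $UniversalGroup -Members $SubdomainGlobalGroup -Server 'DOM002.local'

# 5. "P" of AGUDLP: the permission is granted to the group, never to an individual user.
#    The article skips the domain-local layer, so the universal group goes on the ACL directly.
$SharePath = 'D:\Shares\Projects'   # assumed path on the file/terminal server
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "DOM002\$UniversalGroup",
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 6. Show the resulting chain: account -> global (subdomain) -> universal (main) -> ACL.
Get-ADGroupMember -Identity $UniversalGroup -Server 'DOM002.local' |
    Select-Object Name, objectClass, distinguishedName
```

Because universal group membership is stored in the global catalog, every membership change in the universal layer replicates forest-wide; keeping the user accounts in the subdomain global groups and only nesting those groups (rather than individual users) into the universal group keeps that replication small.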

Domain Name System (DNS)

The main task of a DNS server is to answer name resolution requests. It works much like a directory inquiry service: the user knows the name but not the address or phone number. Instead of a phone number, the DNS returns an IPv4 or IPv6 address when we query it for a server name on the network, for example with the command “nslookup”.

We now create two DNS entries. One makes it possible to resolve a specific web address, ensuring access via the web. The other is a forwarder to the provider’s DNS, so that the other servers on the network can also reach the Internet. First, we create a reverse lookup zone so that the pointer (PTR) records can be created in it whenever a new entry is made in the forward lookup zone. Once that is done, we create a new zone, which we call netkom.ch. The important thing is to replicate the zone data to the entire structure so that the servers in the subdomains resolve the names as well. Now we add the two entries we already defined. We use the entry WWW, because this ensures that we can reach the website www.netkom.ch.
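The DNS configuration just described (forwarder to the provider, reverse zone created first, the netkom.ch zone replicated to the whole forest, and the WWW record with its automatic pointer record), as an added PowerShell example that is not part of the article. The provider resolver addresses, the subnet and the address of the web server are placeholders from the RFC 5737 documentation ranges.

```powershell
# Added example (not from the article): the DNS pieces described in the text, run on
# DOM002AD01 with the DnsServer module (installed with the DNS Server role).
# Resolver, subnet and web server addresses are placeholders (RFC 5737 ranges).
Import-Module DnsServer

$ProviderDns = @('198.51.100.53', '198.51.100.54')   # placeholder: the hosting provider's resolvers
$LanNetwork  = '192.0.2.0/24'                        # placeholder: subnet of the servers
$ReverseZone = '2.0.192.in-addr.arpa'                # reverse zone name matching $LanNetwork
$WebZone     = 'netkom.ch'
$WebAddress  = '192.0.2.80'                          # placeholder: address www.netkom.ch resolves to

# 1. Forwarding: queries the DC cannot answer from its own zones go to the provider
#    instead of the root hints.
Set-DnsServerForwarder -IPAddress $ProviderDns -UseRootHint $false

# 2. Reverse lookup zone first, so that PTR records can be created together with A records.
#    ReplicationScope Forest stores the zone in AD and replicates it to every DNS server in
#    the forest, so the subdomain DCs resolve the same names.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $LanNetwork -ReplicationScope Forest -DynamicUpdate Secure
}

# 3. Forward lookup zone for the web name, also AD-integrated and forest-replicated.
if (-not (Get-DnsServerZone -Name $WebZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $WebZone -ReplicationScope Forest -DynamicUpdate Secure
}

# 4. The WWW record; -CreatePtr writes the matching pointer into the reverse zone
#    created in step 2 (it is skipped silently if no matching reverse zone exists).
Add-DnsServerResourceRecordA -ZoneName $WebZone -Name 'www' -IPv4Address $WebAddress -CreatePtr

# 5. Verify the zone's storage and replication scope, then the forward and reverse lookups.
Get-DnsServerZone -Name $WebZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope
Resolve-DnsName -Name "www.$WebZone" -Server localhost -Type A
Resolve-DnsName -Name $WebAddress   -Server localhost -Type PTR
```

Secure dynamic updates (-DynamicUpdate Secure) are only available on AD-integrated zones; they restrict record updates to authenticated domain members, which is the reason to keep these zones AD-integrated rather than file-backed.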

Subdomain Configuration (Subdomain Active Directory Structure)

Now we turn to the configuration of the subdomains. We start with the domain controller “USER1AD01” and, slightly later, do the same on the second AD server “USER2AD01”. As with DOM002AD01 in the main domain, the role “Active Directory Domain Services” is installed on both and they are then promoted to domain controllers.

Before the roles can be installed, the IP, DNS and gateway addresses are entered in the NIC settings and the servers are restarted. Since we have set up forwarding on DOM002AD01, the DNS address entered here is that of DOM002AD01. After rebooting, the server is ready for the role installation and the promotion to domain controller.
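The server preparation and promotion steps for both the main domain controller (naming, addressing, AD DS role, new forest DOM002.local) and a subdomain controller (same preparation with its DNS client pointed at DOM002AD01, then a child domain in the existing forest), as an added PowerShell example that is not part of the article. The addresses are placeholders from the RFC 5737 range; the interface alias, the child domain name USER1 and the credential prompts are assumptions.

```powershell
# Added example (not from the article): preparation and promotion of DOM002AD01 (forest
# root) and USER1AD01 (child domain). Addresses are placeholders (RFC 5737 range); the NIC
# alias, the child domain name USER1 and the prompts are assumptions. Run elevated on the
# respective server; the rename reboots, so the promotion runs in a second session.

function Set-ServerIdentity {
    # Name, static IP, gateway and DNS client as described in the text, then reboot.
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string]   $IPAddress,
        [Parameter(Mandatory)] [int]      $PrefixLength,
        [Parameter(Mandatory)] [string]   $Gateway,
        [Parameter(Mandatory)] [string[]] $DnsServers,
        [string] $InterfaceAlias = 'Ethernet'   # assumed NIC name
    )
    # Replace any DHCP-assigned address and route with the static configuration.
    Remove-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute     -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
                     -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers
    # Renaming requires a reboot; -Restart performs it.
    Rename-Computer -NewName $ComputerName -Force -Restart
}

function Install-MainDomainController {
    # DOM002AD01: AD DS role, then a new forest whose root domain is DOM002.local.
    # DNS is installed with it; the DNS client is repointed to this server afterwards.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment
    Install-ADDSForest -DomainName 'DOM002.local' `
                       -DomainNetbiosName 'DOM002' `
                       -InstallDns `
                       -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
                       -Force
}

function Install-SubdomainController {
    # USER1AD01: AD DS role, then the child domain USER1.DOM002.local in the existing forest.
    # The DNS client must already point at DOM002AD01 so that the parent domain can be located.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment
    Install-ADDSDomain -NewDomainName 'USER1' `
                       -ParentDomainName 'DOM002.local' `
                       -DomainType ChildDomain `
                       -NewDomainNetbiosName 'USER1' `
                       -InstallDns `
                       -CreateDnsDelegation `
                       -Credential (Get-Credential 'DOM002\DOMAdmin') `
                       -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
                       -Force
}

# Sequence on the main domain server (placeholder addresses; first session, then after reboot):
#   Set-ServerIdentity -ComputerName DOM002AD01 -IPAddress 192.0.2.10 -PrefixLength 24 `
#                      -Gateway 192.0.2.1 -DnsServers 198.51.100.53    # provider DNS until AD DS/DNS exist
#   Install-MainDomainController
# Sequence on a subdomain server, with its DNS client pointed at DOM002AD01:
#   Set-ServerIdentity -ComputerName USER1AD01 -IPAddress 192.0.2.21 -PrefixLength 24 `
#                      -Gateway 192.0.2.1 -DnsServers 192.0.2.10
#   Install-SubdomainController
```

Before promoting the child domain controller, `Resolve-DnsName -Name _ldap._tcp.dc._msdcs.DOM002.local -Type SRV` from the new server is a quick way to confirm that the DNS client setting actually lets it locate the parent domain; if that lookup fails, Install-ADDSDomain fails for the same reason.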

Image: n’world publications
