Installing Server 2012

Installing Windows Server is like installing Windows on any other computer.

Do the following items:
  • Set a strong administrator password.
  • Check the date and time.
  • Rename the computer.
  • Set a static IP address.
  • Install all Windows updates.
  • Enable the Remote Desktop connection.
To add or remove roles, go to Manage > Add Roles and Features or Remove Roles and Features.

A server should have the following:
PLEASE NOTE: Before adding roles, set the static IP address and install all Windows updates first! Then add the roles one by one: install DNS, install AD DS (after installing AD DS, you need to do the deployment configuration; you will be asked for the NetBIOS name, which is shown in the picture under the AD Server section), and install Print Services.

After everything is installed, you can use 127.0.0.1 (the server itself) or the server's own IP as its DNS IP address.
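The same sequence in PowerShell, as an added example that is not from the original post. The interface alias, addresses, computer name and domain names are constructed placeholders, and using the gateway as a temporary resolver and requiring Network Level Authentication are this example's own assumptions.

```powershell
# Added example: every value below is constructed; replace with your own.
$IfAlias = 'Ethernet'; $ServerIP = '10.0.10.5'; $Gateway = '10.0.10.1'
$NewName = 'DC01';     $Domain   = 'corp.example'; $NetBios = 'CORP'

function Invoke-Phase1 {
    # Static IP before any role is added.
    New-NetIPAddress -InterfaceAlias $IfAlias -IPAddress $ServerIP `
        -PrefixLength 24 -DefaultGateway $Gateway
    # Temporary resolver (assumption: the gateway answers DNS) so Windows
    # Update can reach the internet before the local DNS role exists.
    Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses $Gateway

    # Enable Remote Desktop, require Network Level Authentication (this
    # example's choice) and open only the Remote Desktop firewall group.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    Rename-Computer -NewName $NewName -Restart
}

function Invoke-Phase2 {
    # Run after the reboot and once Windows Update reports nothing pending.
    Install-WindowsFeature -Name DNS, AD-Domain-Services, Print-Services `
        -IncludeManagementTools

    # Deployment configuration for a new forest; the NetBIOS name is set here.
    # The DSRM password is prompted for, never stored in the script.
    Install-ADDSForest -DomainName $Domain -DomainNetbiosName $NetBios -InstallDns `
        -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString)
    # The server restarts on its own as a domain controller.
}

function Invoke-Phase3 {
    # After promotion: the server resolves through its own DNS service.
    Set-DnsClientServerAddress -InterfaceAlias $IfAlias `
        -ServerAddresses $ServerIP, '127.0.0.1'
    Get-WindowsFeature -Name DNS, AD-Domain-Services, Print-Services |
        Format-Table Name, InstallState
}
```

Run each phase from an elevated prompt, one per boot, in the order shown.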

To connect to the server via Remote Desktop Connection: see the capture below. You may need to uncheck it. After installing Windows updates, RDC works fine with the option checked!

AD SERVER: After installing AD and everything else, create some organizational units to stay organized. Create the users in these units so you will be able to manage them by GPO. Users should also be added to security groups for iBoss filtering, so that iBoss understands the user type.


Connect a computer to the AD Server: This part is very important. If a computer's default DNS server is not the AD/DNS server, it will not find the AD server when you try to join it to the domain. So make sure the default DNS server is your AD server.
If your DHCP server is a SonicWall and you have only one LAN, change the DNS setting on the SonicWall to the DNS server.
If your DHCP server is a Cisco Meraki and you have several VLANs, you need to change the DNS server for each VLAN. Go to Routing & DHCP on the Meraki, click on the VLANs one by one and change them to the local DNS server.

* Make sure the DNS server has forwarders configured to make DNS faster.

DNS Server: If your DHCP server is a Cisco Meraki and you have several VLANs, and a VLAN has the wrong DNS server, the devices connected to that VLAN can't reach the internet because the DNS server is wrong. Remember your case: my student Wi-Fi VLAN's DNS server was the local server, and I removed the DNS server on the local Server 2012. The devices connected to the student Wi-Fi couldn't reach the internet. However, the devices connected to the admin Wi-Fi could reach the internet because the admin Wi-Fi VLAN's DNS server was the Google DNS server.

Going internet error. To fix it;


DNS Forwarding Zone: When you try to join a computer to the AD server, the computer gives a "couldn't find server" error because the computer's DNS server is not the AD DNS server's IP address. Change the DNS IP address handed out by your DHCP server to the DNS server's IP address. Make sure you add DNS forwarders such as the Google DNS server 8.8.8.8. It is not required, but it is recommended.

*Without forwarding, all DNS servers will query external DNS resolvers if they don’t have the required addresses cached. This can result in excessive network traffic. By designating a DNS server as a forwarder, that server is responsible for all external DNS resolution and can build up a cache of external addresses, reducing the need to query recursive resolvers and cutting down on traffic. For smaller companies with limited available bandwidth, DNS forwarding can increase the efficiency of the network by both reducing bandwidth usage and improving the speed at which DNS requests are fulfilled.
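A pre-join DNS check for the client and the forwarder setup for the server, as an added example that is not from the original post. The domain name and server address are constructed placeholders, and `Test-DomainJoinDns` is a hypothetical helper name; it needs a client with `Resolve-DnsName` (Windows 8 / Server 2012 or later).

```powershell
# Added example: constructed values; replace with your own.
$Domain = 'corp.example'
$AdDns  = '10.0.10.5'

function Test-DomainJoinDns {
    # Run on the client (per VLAN) before trying to join the domain.
    param([string]$Domain, [string]$ExpectedDns)

    # DNS servers this client actually received from DHCP.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -ExpandProperty ServerAddresses -Unique

    # Any resolver other than the AD/DNS server (for example a public one
    # left on a VLAN's DHCP scope) means the join can fail intermittently.
    $extra = $servers | Where-Object { $_ -ne $ExpectedDns }

    # Domain controllers are located through this SRV record; a public
    # resolver has no such record for an internal domain.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
        -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'

    [pscustomobject]@{
        DnsServers    = $servers -join ', '
        UsesOnlyAdDns = -not $extra
        DcLocatorSrv  = $srv.NameTarget -join ', '
        ReadyToJoin   = [bool]$srv -and -not $extra
    }
}

function Set-ExternalForwarder {
    # Run on the AD/DNS server: forward names it is not authoritative for.
    param([string[]]$Forwarder = '8.8.8.8')
    $have = (Get-DnsServerForwarder).IPAddress | ForEach-Object { "$_" }
    $Forwarder | Where-Object { $have -notcontains $_ } |
        ForEach-Object { Add-DnsServerForwarder -IPAddress $_ }
    # Confirm that an external name now resolves through the local server.
    Resolve-DnsName -Name 'www.example.com' -Server $AdDns -Type A
}

Test-DomainJoinDns -Domain $Domain -ExpectedDns $AdDns
```

A client on a VLAN that still hands out a public resolver shows `UsesOnlyAdDns` as False and an empty `DcLocatorSrv`, which is the "couldn't find server" case described above.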

Trusted Server: If you have more than one building, you should set up the servers as trusted servers, so that a user from one building can use his/her login info when he/she is at the other building.

How to create a forest trust?
First, you need to set up conditional forwarding in DNS for both buildings!
https://www.youtube.com/watch?v=MENYdfNVFgg



1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.
3. On the Trust tab, click New Trust, and then click Next.
4. On the Trust Name page, type the DNS name (or NetBIOS name) of another forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, do one of the following (for your purpose, you should choose "one-way"):

   a. To create a two-way forest trust, click Two-way.
      Users in this forest and users in the specified forest can access resources in either forest.
   b. To create a one-way, incoming forest trust, click One-way: incoming.
      Users in the specified forest will not be able to access any resources in this forest.
   c. To create a one-way, outgoing forest trust, click One-way: outgoing.
      Users in this forest will not be able to access any resources in the specified forest.

7. Continue to follow the wizard.

* Depending on your choice, the trust can be created on the other server automatically!
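The conditional-forwarding prerequisite and a check of the finished trust, as an added example that is not from the original post. The peer domain name and address are constructed placeholders, and `Add-PeerForwarder` and `Get-TrustReview` are hypothetical helper names.

```powershell
# Added example: constructed values; replace with your own.
$PeerDomain = 'buildingb.example'   # the OTHER building's forest
$PeerDns    = '10.0.20.5'           # the OTHER building's DNS server

function Add-PeerForwarder {
    # Run on each building's DNS server, pointing at the other building.
    param([string]$PeerDomain, [string]$PeerDns)
    if (-not (Get-DnsServerZone -Name $PeerDomain -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $PeerDomain `
            -MasterServers $PeerDns -ReplicationScope 'Forest'
    }
    # The trust wizard locates the peer's domain controllers through this
    # SRV record; if it does not resolve, fix DNS before opening the wizard.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PeerDomain" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port
}

function Get-TrustReview {
    # Run after the wizard finishes; needs the ActiveDirectory module.
    # Wizard choice -> Direction value:
    #   Two-way           -> BiDirectional
    #   One-way: incoming -> Inbound
    #   One-way: outgoing -> Outbound
    param([Parameter(Mandatory)][string]$ExpectedDirection)
    Import-Module ActiveDirectory
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner                 = $_.Name
            Direction               = $_.Direction
            ForestTrust             = $_.ForestTransitive
            SelectiveAuthentication = $_.SelectiveAuthentication
            # False means the trust is wider or narrower than intended.
            MatchesIntent           = ("$($_.Direction)" -eq $ExpectedDirection)
        }
    }
}

Add-PeerForwarder -PeerDomain $PeerDomain -PeerDns $PeerDns
# After completing the wizard (expected direction here is a constructed choice):
Get-TrustReview -ExpectedDirection 'Outbound' | Format-Table -AutoSize
```

Run the review on both forests; a one-way trust that shows as `BiDirectional` on either side grants access in a direction that was not chosen in step 6.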

GPO: Setting up GPO Management makes your job easy. You can control your client computers easily, for example:
  • Changing the background image: User Configuration > Administrative Templates > Desktop > Desktop. In the details pane, double-click Desktop Wallpaper.
  • Changing the lock screen image: Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization
  • Restricting access to the Control Panel: User Configuration > Administrative Templates > Control Panel; find the setting named “Prohibit access to Control Panel and PC settings”
  • Password settings (min. password length, when the password expires, etc.)
  • Deploying printers
  • Deploying an internet certificate such as iBoss: do it for all computers.
