Leverage the Mobile Device Extension for AD RMS


Configuring the domain controller




To configure the domain controller, proceed with the following steps:

  1. Opening a remote desktop connection on the domain controller.

  2. Configuring public DNS forwarders.

  3. Creating DNS records.

  4. Creating a group Managed Service Account (gMSA).

  5. Creating additional user accounts and groups.

  6. Allowing user accounts to log on locally.

The following subsections describe each of these steps in the context of our test lab environment.

Opening a remote desktop connection on the domain controller


To open a remote desktop connection to the DC1 computer, proceed with the following steps:

  1. Open a browsing session and navigate to the Azure management portal at https://manage.windowsazure.com.

  2. Sign in to your Azure subscription with your administrative credentials.

  3. On the left pane of the Azure management portal, click VIRTUAL MACHINES.

  4. On the virtual machines page, at the top, ensure VIRTUAL MACHINE INSTANCES is selected.

  5. Select the dc1 machine and click CONNECT in the tray at the bottom.

  6. Click Open. A Remote Desktop Connection dialog appears.

  7. Check Don't ask me again for connections to this computer and click Connect.

  8. A Windows Security dialog appears.

  9. Log on as LITWARE369\AzureAdmin with "pass@word1" as the password.

  10. Another Remote Desktop Connection dialog appears.

  11. Check Don't ask me again for connections to this computer and click Yes.

The connection to the remote desktop is then established.

Configuring public DNS forwarders


The Windows PowerShell script used to set up our test lab environment configures the DNS server on the DC1 computer for name resolution instead of the Azure-provided name resolution.

We must ensure that our DNS server is configured to use the root hints if no forwarders are available, so that Internet names resolve correctly from our test lab environment.

Note For more information on the root hints, see the eponymous page Root Servers [63].

To configure the DNS server to use the root hints, proceed with the following steps:

  1. Open a Windows PowerShell command prompt, and run the following command to start the DNS Manager console:

PS C:\Users\AzureAdmin> dnsmgmt.msc
PS C:\Users\AzureAdmin>

The DNS Manager console appears.

  2. In the console tree, select DC1.

  3. On the Action menu, click Properties. The DC1 Properties dialog appears.

  4. Select the Forwarders tab.

  5. Ensure that Use root hints if no forwarders are available is checked.

  6. Click OK and close the DNS Manager console.

  7. From the above Windows PowerShell command prompt, run the following command to validate name resolution through the root hints:

PS C:\Users\AzureAdmin> dnscmd /ipvalidate /roothints 192.5.5.241
. completed successfully.

Raw Flags ResultCode NoTcp RTT IP Address
---------------------------------------------------------------------------
00001000 0 Success 0 10 192.5.5.241

Command completed successfully.
PS C:\Users\AzureAdmin>

You should see Success as the result code.


Creating DNS records


To create DNS records for adfs, adrms, and www, proceed with the following steps:

  1. Open a remote desktop session as described in the previous section.

  2. Open an elevated Windows PowerShell command prompt and run the following command to add an A record for adfs:

PS C:\users\AzureAdmin> Add-DnsServerResourceRecord -ZoneName "litware369.com" -A -Name "adfs" -IPv4Address "10.0.2.5"
PS C:\users\AzureAdmin>

Important note If the DNS resolution of the AD FS service endpoint is performed through a CNAME record lookup instead of an A record lookup, you will be repeatedly prompted for credentials later in this lab during sign-in: Windows Integrated Authentication builds the Kerberos service principal name from the canonical host name the CNAME points to, which does not match the http/adfs.litware369.com SPN registered for the AD FS service account.

Note For more information on the DNS cmdlets, see the Microsoft TechNet article Domain Name System (DNS) Server Cmdlets in Windows PowerShell [64].

  3. Run the following command to add a CNAME record for adrms:

PS C:\users\AzureAdmin> Add-DnsServerResourceRecord -CName -Name "adrms" -HostNameAlias "adrms1.litware369.com" -ZoneName "litware369.com"
PS C:\users\AzureAdmin>

  4. Run the following command to add a CNAME record for www:

PS C:\users\AzureAdmin> Add-DnsServerResourceRecord -CName -Name "www" -HostNameAlias "edge1.litware369.com" -ZoneName "litware369.com"
PS C:\users\AzureAdmin>


Creating a group Managed Service Account (gMSA)


A group Managed Service Account (gMSA) will be required during the AD FS installation and configuration. The benefit of using a gMSA is that its password is generated and rotated automatically by the domain controllers, so no administrator ever has to know or manage it.

Note For more information, see the blog post New features in Active Directory Domain Services in Windows Server 2012, Part 8: Group MSAs (gMSAs) [65].

To create the gMSA account, proceed with the following steps:

  1. From the above elevated Windows PowerShell command prompt, run the following command to verify whether the KDS Root Key that enables gMSAs has been created in your domain:

PS C:\users\AzureAdmin> Get-KdsRootKey
PS C:\users\AzureAdmin>

  2. If it has not been created (the output displays no information), run the following command to create the key:

PS C:\users\AzureAdmin> Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

Guid
----
7d5decb2-6c35-2b0c-6286-8055e413f2a5
PS C:\users\AzureAdmin>

Backdating the effective time by 10 hours skips the waiting period the key would otherwise observe before it can be used. This is acceptable in a single domain controller lab like this one; in a production domain, let the key become effective on its own so that it has replicated to every domain controller first.

Note For more information, see the Microsoft TechNet article Key Distribution Service (KDS) in Windows PowerShell [66].

  3. Run the following command to create the gMSA:

PS C:\users\AzureAdmin> New-ADServiceAccount FsGmsa -DNSHostName adfs.litware369.com -ServicePrincipalNames http/adfs.litware369.com
PS C:\users\AzureAdmin>

Creating additional user accounts and groups


We will now create the following additional user accounts and groups in our domain litware369.com. The following table lists the user accounts that we need to create at this time:

Account Name    | User Logon Name | Email Address           | Group
ADRMSSVC        | ADRMSSVC        |                         |
Robert Hatley   | RobertH         | roberth@litware369.com  | Employees, Finance
Janet Schorr    | JanetS          | janets@litware369.com   | Employees, Marketing
Stuart Railson  | StuartR         | stuartr@litware369.com  | Employees, Engineering

These user accounts and groups are used to complete the walkthroughs later in this document.

To create the above user accounts, open an elevated Windows PowerShell command prompt, and run the following commands. All the user accounts will use the password "pass@word1":

PS C:\users\AzureAdmin> Import-Module -Name ActiveDirectory

PS C:\users\AzureAdmin> New-ADUser -Name ADRMSSVC -GivenName ADRMSSVC -UserPrincipalName "ADRMSSVC@litware369.com" -AccountPassword (ConvertTo-SecureString -AsPlainText "pass@word1" -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true

PS C:\users\AzureAdmin> New-ADUser -Name "Robert Hatley" -SamAccountName "roberth" -DisplayName "Robert Hatley" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true -UserPrincipalName "roberth@litware369.com" -EmailAddress "roberth@litware369.com" -GivenName "Robert" -Surname "Hatley"

PS C:\users\AzureAdmin> New-ADUser -Name "Janet Schorr" -SamAccountName "janets" -DisplayName "Janet Schorr" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true -UserPrincipalName "janets@litware369.com" -EmailAddress "janets@litware369.com" -GivenName "Janet" -Surname "Schorr"

PS C:\users\AzureAdmin> New-ADUser -Name "Stuart Railson" -SamAccountName "stuartr" -DisplayName "Stuart Railson" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true -UserPrincipalName "stuartr@litware369.com" -EmailAddress "stuartr@litware369.com" -GivenName "Stuart" -Surname "Railson"

PS C:\users\AzureAdmin>

We now need to create some additional AD groups to which the users will be assigned. The following table lists the groups that we need to create at this time.

Group Name   | Email Address
Finance      | finance@litware369.com
Marketing    | marketing@litware369.com
Engineering  | engineering@litware369.com
Employees    | employees@litware369.com

To create the above groups, proceed with the following steps:

  1. From the previous elevated Windows PowerShell command prompt, run the following commands to create the various groups:

PS C:\users\AzureAdmin> New-ADGroup -Name Finance -SamAccountName Finance -GroupCategory Security -GroupScope Universal

PS C:\users\AzureAdmin> New-ADGroup -Name Marketing -SamAccountName Marketing -GroupCategory Security -GroupScope Universal

PS C:\users\AzureAdmin> New-ADGroup -Name Engineering -SamAccountName Engineering -GroupCategory Security -GroupScope Universal

PS C:\users\AzureAdmin> New-ADGroup -Name Employees -SamAccountName Employees -GroupCategory Security -GroupScope Universal

PS C:\users\AzureAdmin>

  2. Run the following commands to add email addresses to the group objects:

PS C:\users\AzureAdmin> Set-ADGroup Finance -Add @{mail='finance@litware369.com'}

PS C:\users\AzureAdmin> Set-ADGroup Marketing -Add @{mail='marketing@litware369.com'}

PS C:\users\AzureAdmin> Set-ADGroup Engineering -Add @{mail='engineering@litware369.com'}

PS C:\users\AzureAdmin> Set-ADGroup Employees -Add @{mail='employees@litware369.com'}

PS C:\users\AzureAdmin>

  3. Run the following commands to add the user accounts to their appropriate groups:

PS C:\users\AzureAdmin> Add-ADGroupMember -Identity Employees -Members roberth,janets,stuartr

PS C:\users\AzureAdmin> Add-ADGroupMember -Identity Finance -Members roberth

PS C:\users\AzureAdmin> Add-ADGroupMember -Identity Marketing -Members janets

PS C:\users\AzureAdmin> Add-ADGroupMember -Identity Engineering -Members stuartr

PS C:\users\AzureAdmin>
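The following script is an added check, not part of the lab guide: run from the elevated prompt on DC1, it verifies the DNS records, the KDS root key, the gMSA, and the group memberships created in the preceding sections, using the lab values above (zone litware369.com, gMSA FsGmsa, users roberth, janets and stuartr) as assumptions.

```powershell
# Added verification script (not from the lab guide). Assumes the lab values
# above: zone litware369.com, gMSA FsGmsa, users roberth/janets/stuartr.
Import-Module ActiveDirectory
Import-Module DnsServer

$zone   = 'litware369.com'
$issues = New-Object 'System.Collections.Generic.List[string]'

# 1. The AD FS endpoint must be an A record, not a CNAME (see the important
#    note above): via a CNAME, Kerberos requests a ticket for the alias target,
#    which does not match the http/adfs SPN, so users keep getting prompted.
$adfs = Get-DnsServerResourceRecord -ZoneName $zone -Name 'adfs' -ErrorAction SilentlyContinue
if (-not $adfs) { $issues.Add('adfs record is missing') }
elseif (@($adfs | Where-Object RecordType -ne 'A').Count -gt 0) { $issues.Add('adfs is not a plain A record') }
foreach ($alias in 'adrms', 'www') {
    if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -RRType CName -ErrorAction SilentlyContinue)) {
        $issues.Add("$alias CNAME record is missing")
    }
}

# 2. A KDS root key must exist and already be effective, otherwise the AD FS
#    server cannot retrieve the gMSA password.
$kds = @(Get-KdsRootKey)
if ($kds.Count -eq 0) { $issues.Add('no KDS root key') }
elseif (($kds | Sort-Object EffectiveTime | Select-Object -First 1).EffectiveTime -gt (Get-Date)) {
    $issues.Add('KDS root key exists but is not yet effective')
}

# 3. The gMSA must carry the DNS host name and SPN the AD FS farm will use.
$gmsa = Get-ADServiceAccount -Filter "Name -eq 'FsGmsa'" -Properties DNSHostName, ServicePrincipalNames
if (-not $gmsa) { $issues.Add('gMSA FsGmsa is missing') }
else {
    if ($gmsa.DNSHostName -ne "adfs.$zone") { $issues.Add("FsGmsa DNSHostName is '$($gmsa.DNSHostName)'") }
    if ($gmsa.ServicePrincipalNames -notcontains "http/adfs.$zone") { $issues.Add('FsGmsa lacks the http/adfs SPN') }
}

# 4. Group memberships must match the user table above.
$expected = @{ roberth = 'Employees', 'Finance'; janets = 'Employees', 'Marketing'; stuartr = 'Employees', 'Engineering' }
foreach ($sam in $expected.Keys) {
    $actual = Get-ADPrincipalGroupMembership -Identity $sam -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    foreach ($group in $expected[$sam]) {
        if ($actual -notcontains $group) { $issues.Add("$sam is not a member of $group") }
    }
}

if ($issues.Count -eq 0) { 'Domain controller configuration matches the lab guide.' }
else { $issues | ForEach-Object { "ISSUE: $_" } }
```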




Allowing users accounts to log on locally


By default, a domain user is not allowed to log on locally to a member server such as the EDGE1 computer. A group policy setting can be modified so that a domain user account can log on locally to a member server. This is NOT recommended at all in a production environment, but for testing purposes or in a lab setup like this one the configuration can be quite handy, particularly where there are only a few computers.

To modify the group policy settings so that a domain user can log on locally to a member server, proceed with the following steps:



  1. Open an elevated Windows PowerShell command prompt if none is open, and run the following command:

PS C:\users\AzureAdmin> gpmc.msc
PS C:\users\AzureAdmin>

A Group Policy Management window appears.

  2. Double-click the name of the forest, double-click Domains, and double-click the name of the domain.

  3. Right-click Default Domain Policy, and then click Edit. A Group Policy Management Editor window appears.

  4. In the console tree, expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click User Rights Assignment.

  5. In the details pane, double-click Allow log on locally.

  6. Check Define these policy settings, and then click Add User or Group. An Add User or Group dialog appears.

  7. Click Browse to locate the account with the Select Users, Computers, or Groups dialog.

  8. Under Enter the object names to select, type "janets; roberth; administrators", click Check Names, and then click OK.

  9. Click OK in the Add User or Group dialog, and then click OK in the Allow log on locally Properties dialog box.

  10. Close the Group Policy Management Editor window.

  11. Close the Group Policy Management window.
