Create New Domain

1. Remove server from existing domain

2. Unplug from network

3. Create new domain on server (See Create DC below)

Point domain DNS to itself (127.0.0.1)

4. Add a few users

5. Create new LAN with one or two other computers for testing

(if unable to login to domain, gpedit.msc: allow remote ..., add "Users"

Organization Units (Containers to hold related users or other objects):

• Location? (Meadows OU, Rockford OU, Lynwood OU)

• Or Departments (Relo, Repo, Office, etc.)

NOTES:

• An object may only be part of a single OU.

• May contain GPOs (GPOs cascade down the hierarchy)

• May be used to delegate control.

Groups

• Do not contain GPO (use OUs for this).

• Can be used to grant/restrict permission to resources.

• A user can be a member of many groups but can reside in only one OU.

Group Type

• Distribution: Email list (not used often)

• Security: Permissions and email

Group Scope

• Global

  • Grouping users together (e.g. Departments)

  • Can only contain users from the domain where they are created but
    can be given rights to other domains.

• Domain Local

  • Restricted to their domain (although they can contain links to other
    domains)

• Universal

  • Replicate in every domain.

  • Can be used to group Global groups. They can then be linked to
    Domain Local group.

A->G->DL->P Strategy

• Accounts go into Global groups, Global groups go into Domain Local
  groups, Domain Local groups are given permissions.

• Recommended to minimize ACL (Access Control List) entries by creating
  Domain Local groups, giving permissions to them and then linking
  Global groups to the appropriate Local Group(s).

• https://en.wikipedia.org/wiki/AGDLP#RBAC_in_a_single_AD_domain

Group Managed Service Account (gMSA)

• An account associated with a service (e.g. SLQ Server)

• Used instead of a normal user account.

• Allows AD to manage authentication and password changes for this
  account.

• Must be done in PowerShell (see Lecture 34).

NOTES

• [Preserve DHCP reservations]{.mark}

• [Need to conserve fileshares]{.mark}

• [Check Amanda's files and shares]{.mark}

• [Add print manager.
  https://serverfault.com/questions/797410/adding-a-printer-to-active-directory-any-advantage]{.mark}

• [Create settings GPOs for users/groups]{.mark}

DNS

• Create forwarder to public DNS (such as Google or ISP).

DHCP

• Add from 'Add Roles and Features'.

• Must have a static IP address.

• Must be authorized:

  • After adding role, click on warning triangle, this will open a
    wizard to complete DHCP setup.

    • If in root domain, only need to be Domain Admin to authorize.

    • In any other domain in forest (ex. Subdomain), needs an Enterprise
      Admin to authorize.\

• Once installed, create scope in DNS management

• Add excluded range for static IPs.

• Add reservations (printers, etc).

• Add failover.

DC has DHCP active. Allocating from 192.168.1.100 -- 254. IP of DC:
192.167.1.99. Clients are not pointing to DC but set to get IP
automatically (DNS as well). (DC DHCP does seem to be active).

Create DC

Before creating DC, give computer a static IP (check existing DC in AT&T
router reserved addresses).

1. DC Server needs static IP.

2. Rename computer. Restart.

3. Server Manager -> Add roles and features.

4. Check "Active Directory Domain Services" and click 'Next' to last
   screen, then "Install."

5. Manage -> Promote this server...

6. Add a new forest.

7. Enter root domain name (e.g. northwest.net).

8. Leave options, enter Restore Mode password.

9. Leave DNS Delegation, click Next.

10. Leave NetBIOS, click Next.

11. Leave folder options, click Next.

12. Review, click Next.

13. There will be some warnings, ignore and click Install.

Attach Computer to Domain

1. Set computer name, restart.

2. Set domain, restart.

3. Control Panel => System and Security => System => Allow remote
   access. Add appropriate group, such as "Domain Users".

4. Turn on network discovery for both clients and the server