Date: April 22, 2013
Prepared by: Sainath K.E.V
Network: 3 Server VLANs, 1 Client VLAN
Solution Diagram: [diagram not reproduced in the text; components shown: Router 3750x; 3750 Switch 1 and 3750 Switch 2; VLAN1-Prod, VLAN2-Prod, VLAN3-Prod; Fabric Extender ports; Hyper-V Production Environment / UCS Blades; DNS Server (Secondary / Domain 3); Application Server; User]
Data Communication:
The following is the proposed DNS name resolution design for the CLT infrastructure. The Active Directory
domains will be staged by SKV Consultants, and the relevant DNS routing will be established between the 3
domains. Any specific requirements with respect to name resolution will be managed by SKV
Consultants.
Intranet DNS name resolution is performed by the DNS servers across the Active Directory
forest; any primary DNS zone configured without Active Directory integration must be
managed independently through its zone file. Public namespace resolution is performed by the DNS
server configured in the VLAN1 network.
Although it is not advisable for a production DNS server to communicate with the public ISP, as a
temporary design the Domain 1 DNS server forwards requests for the ISP namespace. Once CLT creates a
dedicated DMZ zone, a DMZ DNS server will be configured to resolve public IP namespaces.
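As an added example (not part of the design document), the forwarding arrangement described above expressed with the Windows DnsServer PowerShell cmdlets on the VLAN1 (CLT.LOCAL) DNS server: unconditional forwarding of the public namespace to the ISP, conditional forwarders for the two child domains named later in the document, and the recursion/forwarder timeout relationship from the installation steps. The ISP resolver and child-domain server addresses are placeholders, and the DnsServer module requires Windows Server 2012 or later (the document's 2008 R2 target would use dnscmd for the same settings).

```powershell
# Added example, not from the design document. Assumptions (labelled):
# - run as an administrator on the CLT.LOCAL DNS server in VLAN1 (FRD1.CLT.LOCAL)
# - the DnsServer module is available (Windows Server 2012 or later)
# - all IP addresses below are placeholders; replace them with the real resolver and DC addresses
$IspResolvers = '203.0.113.1', '203.0.113.2'      # placeholder ISP resolvers (TEST-NET-3 range)
$ChildZones = @{
    'GPR.CLT.LOCAL'     = '10.2.0.10'             # placeholder: child-domain DNS server in VLAN2
    'FINANCE.CLT.LOCAL' = '10.3.0.10'             # placeholder: child-domain DNS server in VLAN3
}

# Public namespace: forward anything not authoritative here to the ISP resolvers.
# Temporary design per the document; a DMZ DNS server replaces this once the DMZ exists.
# Root hints are disabled so the server never recurses to the Internet roots on its own.
Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false -Timeout 3 -PassThru

# Intranet namespace: conditional forwarders to each child domain's DNS server, stored in
# Active Directory (forest scope) so every DNS server in the forest receives them by replication.
foreach ($zone in $ChildZones.Keys) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $ChildZones[$zone] `
            -ReplicationScope Forest -PassThru
    }
}

# Recursion timeout must be greater than the forwarder timeout: otherwise the server abandons
# the client's query before the forwarder has had its full time to answer.
$forwarder = Get-DnsServerForwarder
$recursion = Get-DnsServerRecursion
if ($recursion.Timeout -le $forwarder.Timeout) {
    Set-DnsServerRecursion -Timeout ($forwarder.Timeout + 5) -PassThru
}
```

Run it once on the forest-root DNS server; the conditional forwarder zones replicate to the other DNS servers in the forest, while the ISP forwarder and the timeouts are per-server settings and are not replicated.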
Requirement Understanding:
The following are the requirements gathered after infrastructure analysis and discussion with the
Architectural group.
CLT Tasks:
SKV Tasks:
a) Installation and configuration of the Windows Server operating systems for the Domain Controllers
is performed by SKV
b) Windows Updates on all the servers are performed by SKV
c) Firewall exception rules are provided by SKV to CLT; these include the Domain Controller, DNS,
RPC and UDP exception rules
d) DNS infrastructure design is performed by SKV
e) DNS implementation is performed by SKV
f) DNS impact analysis is performed by SKV
g) DNS tests are performed by SKV
h) The public namespace is managed by the ISP
i) Domain Controller replication is configured by SKV
j) Active Directory Sites and Subnets are configured by SKV
Assumptions:
- This document does not provide detailed step-by-step visual information about the configuration of
the DNS server in the VLAN domains.
- This document does not cover step-by-step information about installing and configuring
Domain Controllers.
- This document provides best practices for designing and planning the DNS and AD infrastructure on
this specific network.
Installation Steps:
The following are the installation steps for installing and configuring the Active Directory and DNS
infrastructure in the CLT Data Center.
1) Ensure static IP addresses are configured on the servers that are being promoted to
Domain Controllers, and validate the subnet mask and default gateway configured on each server.
Strictly no multi-homed networks.
2) Ensure the network ports are opened for the various Active Directory and DNS communications:

Protocol and Port | AD and AD DS Usage | Type of traffic
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 | Replication | SMTP
TCP 135 | Replication | RPC, EPM
TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, Trusts | Windows Time
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP Dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
(port not given) | | DHCP
3) Ensure the account provisioned to promote the server has the required permissions to install the
Domain Controller and to launch Server Manager on all the operating systems that are being
promoted to Domain Controllers.
5) Install Active Directory on FRD1.CLT.LOCAL, which is configured with Windows Server 2008
R2 and acts as the Forest Root Domain. During the installation it will prompt to install the
DNS service; accept and complete the configuration.
6) Verify that the DNS zone CLT.LOCAL and the corresponding folders (_msdcs, _tcp, _udp, _sites) are
created and populated with
a) Kerberos SRV records pointing to the Domain Controller
b) LDAP SRV records pointing to the Domain Controller
c) _kpasswd SRV records pointing to the Domain Controller
10) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients
can find resource records in either of the domains.
11) Configure DNS reverse lookup zones for the specific IP subnets.
12) Ensure the hosts file on the DNS server is empty.
13) Ensure the recursion timeout is greater than the forwarding timeout.
14) Test name resolution from a client operating system and from any applications that
request the external namespace (CLT.com or Microsoft.com).
15) Use Wireshark / Netmon sniffer utilities to analyze the response time. This includes a thorough
understanding of the client NIC adapter, MTU size and RSS response times.
16) Apply the required server hardening and the Group Policies to manage the DNS infrastructure.
This includes configuring the client DNS suffix list with CLT.LOCAL, GPR.CLT.LOCAL and
FINANCE.CLT.LOCAL.
17) On the Forest Root Domain, point the Domain Controller's primary DNS server to itself (remove
127.0.0.1 / the loopback address) and configure it with the static IPv4 address.
18) The Schema Master, Domain Naming Master, PDC Emulator and RID Master roles are installed on the
CLT.LOCAL Domain Controller, which is also a Global Catalog.
19) On the server that is going to be promoted as the Additional Domain Controller
(FRD2.CLT.LOCAL), ensure the primary DNS server IP address points to the FRD1.CLT.LOCAL
server.
20) To install the Additional Domain Controller, perform the above tasks (1 to 4) and during
installation select Additional Domain Controller and finish the configuration.
22) Follow the above steps to configure the Domain Controllers on VLAN 2 and create the
GPR.CLT.LOCAL namespace. This includes both the Child Domain Controller and the Secondary
Child Domain Controller. The Secondary Child Domain Controller will not be promoted to Global
Catalog server.
23) Configure the primary DNS server IP address to point to the Child Domain Controller.
24) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients
can find resource records in either of the domains.
If you do not want to replicate the zones across the forest, you will have to rely on conditional
forwarders.
25) The Infrastructure Master role should be configured on a Domain Controller that is not a Global
Catalog server.
26) The PDC Emulator and RID Master are configured on the Global Catalog server (Sec1.GPR.CLT.LOCAL).
27) Configure the NTP service on the domain controller that holds the PDC Emulator
role.
28) Create Active Directory sites to reflect the physical sites and associate them with the subnets.
29) Create server objects under the sites and ensure that replication between CLT.LOCAL and
GPR.CLT.LOCAL is working.
30) Remove the root hints on the Sec1.GPR.CLT.LOCAL DNS server.
31) To install the Domain Controller and DNS server in VLAN 3, perform the above steps, which
include DNS configuration, Domain Controller installation and configuration, DNS IP address
mapping, and configuration of AD Sites and Services.
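As an added example (not part of the design document, and not SKV's or CLT's tooling), a post-promotion check script that turns the verifiable items of the installation steps above into pass/fail results: single non-multi-homed static interface and primary DNS not loopback (steps 1 and 17), the TCP ports from the step 2 table, the SRV records of step 6, the empty hosts file of step 12, the timeout ordering of step 13, the suffix list of step 16, and a replication test for the post-installation checks. It assumes it runs as an administrator on the promoted forest-root DC FRD1.CLT.LOCAL on Windows Server 2012 or later, where the DnsClient, NetTCPIP and DnsServer modules exist (the document targets 2008 R2, where ipconfig, nslookup and dnscmd would be used instead); domain and host names come from the document.

```powershell
# Added check script, not from the design document. Assumptions (labelled):
# - run as an administrator on the promoted forest-root DC (FRD1.CLT.LOCAL)
# - Windows Server 2012 or later, so the DnsClient, NetTCPIP and DnsServer modules are present
# - names below are taken from the document; the port list is the TCP side of the step 2 table
$Domain     = 'CLT.LOCAL'
$DcFqdn     = 'FRD1.CLT.LOCAL'
$SuffixList = 'CLT.LOCAL', 'GPR.CLT.LOCAL', 'FINANCE.CLT.LOCAL'
$TcpPorts   = 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5722, 9389
$SrvNames   = "_kerberos._tcp.$Domain", "_ldap._tcp.$Domain", "_kpasswd._tcp.$Domain"

$checks = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Steps 1 and 17: exactly one connected IPv4 interface, static address, primary DNS not loopback
$ipv4 = @(Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notmatch 'Loopback' })
Add-Check 'Single connected IPv4 interface (no multi-homing)' ($ipv4.Count -eq 1) ($ipv4.InterfaceAlias -join ', ')
$dhcpOn = @($ipv4 | Where-Object { $_.Dhcp -eq 'Enabled' })
Add-Check 'Static IPv4 address (DHCP disabled)' ($dhcpOn.Count -eq 0) ($dhcpOn.InterfaceAlias -join ', ')
$dnsServers = @((Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }).ServerAddresses)
Add-Check 'Primary DNS server is a static address, not 127.0.0.1' `
    ($dnsServers.Count -ge 1 -and $dnsServers[0] -ne '127.0.0.1') ($dnsServers -join ', ')

# Step 12: the hosts file must not carry entries that bypass DNS
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostEntries = @(Get-Content $hostsPath | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') })
Add-Check 'Hosts file has no active entries' ($hostEntries.Count -eq 0) ($hostEntries -join '; ')

# Step 6: SRV records the DC registers for itself (queried directly against the DC over UDP 53)
foreach ($name in $SrvNames) {
    $rec = @(Resolve-DnsName -Name $name -Type SRV -Server $DcFqdn -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' })
    Add-Check "SRV record $name" ($rec.Count -gt 0) ($rec.NameTarget -join ', ')
}

# Step 2: TCP ports from the table reachable on the DC (Test-NetConnection probes TCP only;
# UDP 53 is exercised by the SRV lookups above, UDP 88/123/138/464 need a packet capture per step 15)
foreach ($port in $TcpPorts) {
    $open = Test-NetConnection -ComputerName $DcFqdn -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Check "TCP $port reachable on $DcFqdn" $open ''
}

# Step 13: recursion timeout must be greater than the forwarder timeout
$recursion = Get-DnsServerRecursion
$forwarder = Get-DnsServerForwarder
Add-Check 'Recursion timeout > forwarder timeout' ($recursion.Timeout -gt $forwarder.Timeout) `
    "recursion=$($recursion.Timeout)s forwarder=$($forwarder.Timeout)s"

# Step 16: client DNS suffix search list covers all three domains
$suffixes = @((Get-DnsClientGlobalSetting).SuffixSearchList)
$missing = @($SuffixList | Where-Object { $_ -notin $suffixes })
Add-Check 'DNS suffix search list contains all three domains' ($missing.Count -eq 0) "missing: $($missing -join ', ')"

# Post-installation: replication health via dcdiag, which ships with the AD DS role
$dcdiag = & dcdiag /s:$DcFqdn /test:Replications 2>&1
Add-Check 'dcdiag Replications test' ([bool]($dcdiag -match 'passed test Replications')) ''

$checks | Format-Table -AutoSize
if (@($checks | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

The script exits non-zero when any check fails, so it can be re-run after each promotion (FRD2, the VLAN 2 and VLAN 3 controllers) by changing $DcFqdn and $Domain, and its output handed over with the other post-installation documents.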
After installation of Active Directory, SKV Consultants will perform thorough tests of Active
Directory replication using the AD Replication tool, follow the Microsoft Operations Framework (Active
Directory) to configure the performance benchmarks, and hand over the documents to CLT
engineers.
SKV will design the AD delegation model based on the requirements from CLT, and the Group Policy design
with AGPM in place.
Conclusion: This document provides the steps to install and configure Active Directory Domain
Controllers and the DNS infrastructure, together with best practices, and provides a thorough checklist
for performing DNS or Active Directory configuration.