Active Directory On Windows Home Server

From We Got Served Wiki

Revision as of 23:36, 18 June 2009 by Drashna (Talk | contribs)


First of all, let me start off by saying that this is a violation of the End User License Agreement, and is specifically mentioned in it. So, do this at your own risk, and know that there will be no official support, and that it is definitely not sanctioned by Microsoft.

However, there are any number of reasons you might want to do this.

What you will need

Caveats and Discussion

Windows Home Server was definitely not meant to run as a domain controller, and some issues will come up when promoting it. For one, it can and will break the website, and the Remote Desktop web page is broken. It can also cause other issues, such as DNS resolution errors for the Connector, and stranger ones such as breaking the "Partner Manager", which is required for adding computers to WHS.

Domain controllers turn off write caching on the physical drive on which the AD database and logs are stored, that is, the NTDS and SYSVOL folders. This *does* decrease performance and can cause your system to lag. For this reason, I highly recommend installing a small drive for storage of AD-related files. 40GB would likely be more than plenty for anything you could want to do, including WDS, which stores uncompressed WIM files at approximately 10GB apiece per OS, per version; Exchange, which can grow to tens of GB; software packages; and numerous other files.

Also, promoting the server will wipe out the WHS User accounts and only preserves built-in accounts, such as the administrator account, guest account, iusr_machinename, et cetera.

By using a domain controller, you will likely see network slowdown when accessing the internet. Depending on your configuration, it may be anywhere from unnoticeable to crippling.

All in all, if you are intent on doing this, prepare a clean installation so you can "quickly" reinstall if necessary, and expect absolutely no help from Microsoft. But chances are, if you are doing this, you've got the skills to sort out most issues.

Installing Active Directory

Starting off, you'll need to gain access to your server. Also, because Active Directory will require and install the DNS Server role for you if it isn't already, and the DNS Server role requires a static IP address for the server, you will want to Set up Static IP for Windows Home Server.

To start the wizard for promoting the server, you'll need to run "dcpromo.exe" from the Run command (Windows Key + R), or from the command prompt.

You should be greeted with the Active Directory Installation Wizard, which installs Active Directory and DNS. Once the wizard pops up, click Next to continue, and Next again to go past the OS Compatibility page. You will be asked for the domain controller type; choose 'Domain Controller for a new domain' and click Next. You could join an existing domain, but most home users won't have a domain already set up to join. Make sure 'Domain in a new forest' is selected and click Next.

Now you have to come up with a DNS name. In my case, I used my last name followed by '.local'. If you own a domain name, do not use it here, as it will cause issues for your domain. Once you've come up with a DNS name, click Next. You will now be brought to a page asking for a NetBIOS name; this is basically your domain name. You will notice a name has been suggested based on what you entered for the DNS name; keep it and click Next. Next it asks where you want to store the database and log files. You should store them on the D: drive; I recommend E:\NTDS for both if you have prepped a separate drive, otherwise D:\NTDS should be okay. After changing the paths accordingly, click Next. Now it asks where to store the SYSVOL folder; you should also store this on the E: drive. E:\SYSVOL will work just fine.

Change the path and click Next. Now you should see 'Diagnostic Failed'; don't worry about it, as that is only because DNS hasn't been installed and set up yet. Click Next twice. Now enter the password that will be used if the server is started in Directory Services Restore Mode. This password can be the same as the WHS password. After typing in the password and confirming it, click Next.

Now you are at the summary screen; make sure the NetBIOS name and paths are correct. When you are ready to have Active Directory actually installed, click Next. This part may take from ten to fifteen minutes to complete. Eventually, you will be prompted for the Windows Home Server install disk; pop it in and click OK. In a moment, you will be asked again for the Server 2003 disk; just click Browse, Open, and then OK.

If you haven't set up a static IP Address for your server already, it will prompt you to do so now. Once you've changed the IP to static, click OK and proceed onward. Once the DNS configuration is complete you will see 'Completing the Active Directory Installation Wizard'. Click Finish, and then Restart Now.
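The same wizard choices, written as an unattended dcpromo answer file and run from a batch script. This is an added example, not from the original page; it assumes the DNS name lastname.local, the NetBIOS name LASTNAME and a separate E: drive, so change those to match your own choices.

```batch
@echo off
rem Added example (not from the original page): the dcpromo wizard answers
rem above as an answer file, so the promotion can be repeated on a clean
rem reinstall. Assumed values: lastname.local / LASTNAME / drive E:.
setlocal
set ANS=%TEMP%\dcpromo-answer.txt
set /p DSRM_PW=Directory Services Restore Mode password: 

echo [DCInstall]> "%ANS%"
rem New forest, new tree, new domain (the wizard's "new domain in a new forest")
echo ReplicaOrNewDomain=Domain>> "%ANS%"
echo TreeOrChild=Tree>> "%ANS%"
echo CreateOrJoin=Create>> "%ANS%"
echo NewDomainDNSName=lastname.local>> "%ANS%"
echo DomainNetbiosName=LASTNAME>> "%ANS%"
rem Keep the AD database, logs and SYSVOL off the system drive, as advised
echo DatabasePath=E:\NTDS>> "%ANS%"
echo LogPath=E:\NTDS>> "%ANS%"
echo SYSVOLPath=E:\SYSVOL>> "%ANS%"
echo SafeModeAdminPassword=%DSRM_PW%>> "%ANS%"
rem Let dcpromo install and configure the DNS Server role (static IP first)
echo AutoConfigDNS=Yes>> "%ANS%"
rem Reboot by hand afterwards so the cleanup below gets to run
echo RebootOnSuccess=No>> "%ANS%"

rem dcpromo may still ask for the install media, exactly as the wizard does
dcpromo /answer:"%ANS%"

rem The answer file holds the restore-mode password in clear text; remove it
del "%ANS%"
echo Promotion finished. Restart the server now.
```

Run it from an elevated command prompt on the server after the static IP is in place.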

Reconfiguring Home Server Services

After the restart, we need to change some permissions on the C:\Windows\Temp and C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files folders. Do the following for both folders:

  1. Select the folder, right-click it and select Properties.
  2. Select the Security tab and press Add...
  3. Fill in NETWORK SERVICE, click Check Names, then press OK.
  4. Tick Full Control, then click Apply and OK.

You will also notice in the Event log that you get the following error:

DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

To fix this error, you'll need to re-enable the following services: "Universal Plug And Play Device Host" and "SSDP Discovery Service". Just put them on Automatic and reboot your server.
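The permission changes and the two service fixes from this section, done from the command line instead of the GUI. This is an added example, not from the original page; it uses cacls and sc, which ship with Server 2003, and the service short names upnphost and SSDPSRV for the two services named above.

```batch
@echo off
rem Added example (not from the original page): the same folder permissions
rem and service changes described above, scripted with cacls and sc.
setlocal
set ASPTEMP=%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files

rem Grant NETWORK SERVICE full control on both folders. /E edits the existing
rem ACL instead of replacing it; /T pushes the entry down to existing children
rem (what the GUI's Apply does through inheritance).
cacls "%SystemRoot%\Temp" /E /T /G "NETWORK SERVICE:F"
cacls "%ASPTEMP%" /E /T /G "NETWORK SERVICE:F"

rem Error 1058 means "service disabled": set both UPnP services back to
rem Automatic and start them (note the space after "start=", cacls-style
rem quirks of sc's parser).
sc config upnphost start= auto
sc config SSDPSRV start= auto
sc start SSDPSRV
sc start upnphost

rem Verify: both should report STATE : RUNNING before the reboot
sc query SSDPSRV
sc query upnphost
```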

DHCP Server

While this part isn't 100% necessary, it does make for a lot less work. As for "Why?": if you don't install the DHCP Server component, you'll either need to configure your router to use your Home Server as the DNS server, or you will have to manually configure each client machine to use it as its primary DNS server. Why not just let your server handle that? Not to mention, if you want to install Windows Deployment Services later, you'll need to do this part anyway.

First of all, you'll need to disable any DHCP server on your network. Mainly, you'll just need to turn off the DHCP Server on your router. See your router's documentation on how to do this. If you don't, it will cause the DHCP Server in WHS to fail to run outright.

Now, open the "Windows Components" section of "Add/Remove Programs", or just run "sysocmgr /i:sysoc.inf". Scroll down to the network components and click Details. Check "Dynamic Host Configuration Protocol (DHCP)" and click Next twice. Now open the DHCP Server console, which can be found in the "Administrative Tools" folder. You'll need to add the server: right-click "DHCP" and choose the first option. Use "This server" and either type in the server's name, or click Browse, then find and select this server. After it has been added, right-click on the server's name and select "Authorize", then restart the DHCP Server by right-clicking anywhere on that tree, selecting All Tasks, and then "Restart". If the service fails to start, run "netsh dhcp server set dnscredentials Administrator domain_name password", replacing "domain_name" with your domain's NetBIOS name and using the WHS password. You'll need to restart the DHCP Server at this point to ensure that it's working.

Once you've verified that the DHCP Server is working, we need to configure a new scope so it can start handing out IP addresses on your network. Right-click on the server and click "New Scope...". This starts a wizard for adding the new scope, so click Next. You'll be prompted for a name and description; enter whatever you want (though "Default Scope" is a good starting place). Clicking Next brings you to the "heart" of the configuration. Assuming your router's IP address is 192.168.1.1, you'll want something like 192.168.1.100 for the starting address. I would recommend only allowing as many IP addresses as your network needs. 10 is probably more than most will ever need, so an ending address of 192.168.1.110 would be sufficient. The length and subnet mask should be left alone unless you know what you are doing and your network configuration is definitely advanced; for the most part, you won't need to change them. Click Next, and this page allows you to configure exceptions. Just ignore this and click Next. This leads to the "lease duration" page, which defaults to 8 days. This is fine for most people, so either play with it or click Next. Now it takes you to a page to configure DHCP options. While this isn't necessary to configure, I highly recommend it.

So select "Yes, configure options" and click Next. First is the default gateway, which is your router. Add the IP address of your router (192.168.1.1, from the previous example), and once it's added to the list, click Next. Now we are at the DNS configuration. There is no parent domain, so leave that out. Since this server is the DNS server, either enter the server's name and click Resolve, or enter the server's IP address (since you've manually specified it, you should have it on hand), and then click Add. Also, if you have your ISP's DNS server IP addresses, add them here as well, to help ensure a fast and reliable internet connection. Once you've finished here, click Next. If you have, or want to set up, a WINS server, configure it here just as you did the DNS server, and click Next. Now you will have the option to "activate this scope now"; do so, click Next, and then click Finish. Your DHCP Server is now configured. Try restarting another computer on the network; it should be able to obtain its IP address fine. If not, check the event log for errors.
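The scope built by the wizard above, authorised and created with netsh instead. This is an added example, not from the original page; it assumes the server's static address is 192.168.1.10, the domain is lastname.local / LASTNAME, and ISP_DNS is a placeholder for your ISP's resolver, so adjust all three.

```batch
@echo off
rem Added example (not from the original page): the DHCP setup described above
rem (authorise, scope .100-.110, gateway and DNS options, activate) via netsh.
rem Assumed values: server 192.168.1.10, domain lastname.local / LASTNAME.
setlocal
set SERVER_IP=192.168.1.10
set ROUTER_IP=192.168.1.1
set NETBIOS_DOMAIN=LASTNAME
set ISP_DNS=203.0.113.53
rem ISP_DNS above is a placeholder from the documentation range; use your own.

rem Authorise this server in Active Directory (the right-click "Authorize" step)
netsh dhcp add server %COMPUTERNAME%.lastname.local %SERVER_IP%

rem If the service will not start, register the DNS update credentials exactly
rem as the text describes (prompted, so the password stays off the command line)
set /p WHS_PW=WHS Administrator password: 
netsh dhcp server set dnscredentials Administrator %NETBIOS_DOMAIN% %WHS_PW%
net stop dhcpserver
net start dhcpserver

rem Scope for the 192.168.1.0/24 network, leasing only .100 through .110
netsh dhcp server add scope 192.168.1.0 255.255.255.0 "Default Scope" "Home LAN"
netsh dhcp server scope 192.168.1.0 add iprange 192.168.1.100 192.168.1.110

rem Scope options: 003 = default gateway (router), 006 = DNS servers. The home
rem server must be first so domain names resolve; the ISP resolver is a fallback.
netsh dhcp server scope 192.168.1.0 set optionvalue 003 IPADDRESS %ROUTER_IP%
netsh dhcp server scope 192.168.1.0 set optionvalue 006 IPADDRESS %SERVER_IP% %ISP_DNS%

rem Activate the scope (state 1 = active) and show the result
netsh dhcp server scope 192.168.1.0 set state 1
netsh dhcp server show scope
```

Lease duration is left at the 8-day default, as the text suggests.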

Windows Firewall

Domain controllers require a lot of openings in your firewall, and you really have only two options here: either completely disable Windows Firewall, or add a huge list of exceptions. I wouldn't recommend disabling it, as the Remote Access features will choke if the firewall is disabled, and I'm sure that isn't the only part that will. Also, I'm a big supporter of always leaving Windows Firewall on. So I'm going to list all the programs and ports that you will need to allow through Windows Firewall for your domain to work properly.

C:\WINDOWS\system32\dns.exe
C:\WINDOWS\system32\tcpsvcs.exe (DHCP Server)
LDAP 389 TCP&UDP
LDAP 636 TCP
LDAP 3268 TCP
Kerberos 88 TCP&UDP

While that is not a huge list, that is one entry per type, for a total of 8 entries. There are more if you add more server roles, such as WINS or WDS. Also, I would recommend allowing these for the local subnet only, except for DHCP, as the client has no subnet yet when it tries to connect.
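The eight exceptions above, entered with the Server 2003-era "netsh firewall" context so they can be reviewed and re-applied after a reinstall. This is an added example, not from the original page; it scopes everything to the local subnet except the DHCP program entry, for the reason just given.

```batch
@echo off
rem Added example (not from the original page): the eight Windows Firewall
rem exceptions listed above. scope=SUBNET limits each to the local subnet;
rem the DHCP server gets scope=ALL because a client asking for a lease has
rem no address yet, so no subnet to match.
setlocal
set SYS=%SystemRoot%\system32

rem Make sure the firewall itself stays on
netsh firewall set opmode mode=ENABLE

rem Program exceptions: DNS server and the DHCP server (hosted in tcpsvcs.exe)
netsh firewall add allowedprogram program="%SYS%\dns.exe" name="DNS Server" mode=ENABLE scope=SUBNET
netsh firewall add allowedprogram program="%SYS%\tcpsvcs.exe" name="DHCP Server" mode=ENABLE scope=ALL

rem Port exceptions: LDAP, LDAP over SSL, Global Catalog, Kerberos
netsh firewall add portopening protocol=TCP port=389 name="LDAP (TCP)" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=UDP port=389 name="LDAP (UDP)" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=TCP port=636 name="LDAP over SSL" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=TCP port=3268 name="Global Catalog" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=TCP port=88 name="Kerberos (TCP)" mode=ENABLE scope=SUBNET
netsh firewall add portopening protocol=UDP port=88 name="Kerberos (UDP)" mode=ENABLE scope=SUBNET

rem Review: the output should list exactly these entries with the firewall
rem still reported as Enabled
netsh firewall show config
```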

Password Policies

One of the first things you may notice after promoting your server is that when you try to create new accounts, it may fail. By default, Active Directory requires that all accounts have a strong password. That's great for corporate security, but generally overkill for home users, and if you want to create an account with a less than strong password, you can't. The solution is to change the default password policy to allow weak passwords. This does lower the overall security of your newly created domain, but I'm going to show you anyway, because there will be those that want to know.

  1. Open "Domain Security Policy" in Administrative Tools (located in your server's Control Panel)
  2. Open "Account Policies" and then "Password Policies"
  3. Open the settings for "Minimum password length" and set to "0"
    DO NOT uncheck "Define this policy setting", as that will reset the value and undo what we want to do.
  4. Open the settings for "Password must meet complexity requirements", and set this to disabled. Again, leave the "Define this..." checked.
  5. Exit out of that and run "gpupdate /force".

This will immediately put the new password policy in effect and allow you to create accounts through the console with weak passwords.

Making Sure it Works

After the server has rebooted (it may take a while), run the WHS Toolkit's Connector Troubleshooter in its advanced mode (the best way to do this is to edit the shortcut to have a "-a" at the end of the command, outside the quotation marks), and verify that everything is working. Everything but the client version test, and possibly the port 56000 tests, should pass. If DNS resolution fails, open the properties page for your server's NIC, open "Internet Protocol (TCP/IP)", click Advanced, and open the "DNS" tab. Uncheck "Append parent suffixes of the primary DNS suffix".

Congratulations, you've installed and configured Active Directory! Restart your server to be sure everything is working properly.

Joining Workstations to Your Domain

Now we have to change the primary DNS server for your workstation's network card and join it to the domain. Joining a domain is fairly straightforward; I'll get to that in a minute. First you need to change your workstation's DNS settings, unless you have already installed the DHCP Server and configured it accordingly.

Windows Vista and Windows 7

To join the domain, open the System Properties dialog (Start => right-click Computer => Properties). Click "Change settings" under "Computer name, domain, and workgroup settings", then click the Change button.

Windows XP

To join the domain, open the System Properties dialog (Start => right-click My Computer => Properties). Click the Computer Name tab. Now, to join the domain, we have to switch from using a workgroup. To do so, click the Change button.

Both

You should see a page that says "Computer Name Changes". The bottom half should have a section titled "Member of". By default, Workgroup is selected. Select Domain, and set the text box to the NetBIOS name of your domain. Click OK. This will bring up a box prompting for credentials to join the domain; use "Administrator" as the username and the server's password. Click OK, and it will prompt for a restart. Restart, and enjoy your domain.

Conclusion

That's really all you have to do to install Active Directory and join the domain. Later, I will be adding how to login to local accounts in Vista after joining a domain, and more!
