Step 1: Setting up the CP&L Enterprises Domain

Applies To: Windows Server 2008, Windows Server 2008 R2

Before you install AD FS and the AD RMS Identity Federation Support role service, you need to make changes to the infrastructure of the CPANDL domain. In this step, you will perform the following tasks to install the required Active Directory Federation Services resource partner and add it to the CP&L Enterprises infrastructure.

This section includes the following procedures:

  • Configure the AD FS resource partner (ADFS-RESOURCE)

  • Create the ADFSADMIN user account

  • Add the ADFSADMIN user account to the local Administrators group on ADFS-RESOURCE

  • Configure a DNS forwarder on CPANDL-DC

This step assumes that you have completed the Windows Server Active Directory Rights Management Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=72134).

Use the following table as a reference when setting up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.

Important

Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity. You should also install any available critical security updates from Windows Update (https://go.microsoft.com/fwlink/?LinkID=47290).

Computer name    Operating system requirement                                        IP settings                  DNS settings
---------------  ------------------------------------------------------------------  ---------------------------  --------------------
ADFS-RESOURCE    Windows Server 2003 R2 Enterprise Edition with Service Pack 2       IP address: 10.0.0.7         Preferred: 10.0.0.1
                 (SP2) or Windows Server® 2008 Enterprise                            Subnet mask: 255.255.255.0

Configure the AD FS resource partner (ADFS-RESOURCE)

AD RMS can use federation servers that are running either Windows Server 2003 R2 or Windows Server 2008 Enterprise. Use one of the following sections to configure Windows Server depending on the requirements in your organization:

  • Configure the Windows Server 2003 R2–based AD FS resource partner

  • Configure the Windows Server 2008–based AD FS resource partner

Configure the Windows Server 2003 R2–based AD FS resource partner

In this section you will install Windows Server 2003 R2 Enterprise Edition, configure TCP/IP properties, add ADFS-RESOURCE to the CP&L domain, and then add the Application server role.

First, install Windows Server 2003 R2 Enterprise Edition as a stand-alone server on ADFS-RESOURCE.

Important

Windows Server 2003 R2 Enterprise Edition is required for the federation servers.

To install Windows Server 2003 R2 Enterprise Edition

  1. Start your computer by using the Windows Server 2003 R2 Enterprise Edition product CD.

  2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type ADFS-RESOURCE.

In this step, configure TCP/IP properties so that ADFS-RESOURCE has a static IP address of 10.0.0.7.

To configure TCP/IP properties on ADFS-RESOURCE

  1. Log on to ADFS-RESOURCE as a member of the local Administrators group.

  2. Click Start, point to Control Panel, and then double-click Network Connections.

  3. Right-click Local Area Connection, and then click Properties.

  4. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

  5. Click the Use the following IP address option. In the IP address box, type 10.0.0.7. In the Subnet mask box, type 255.255.255.0.

  6. Click the Use the following DNS server addresses option. In the Preferred DNS server box, type 10.0.0.1.

  7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join the federation resource partner (ADFS-RESOURCE) computer to the CP&L domain:

To join ADFS-RESOURCE to CPANDL domain

  1. Log on to ADFS-RESOURCE as a member of the local Administrators group.

  2. Click Start, right-click My Computer, and then click Properties.

  3. Click the Computer Name tab, and then click Change.

  4. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.

  5. Click More, and then type cpandl.com in the Primary DNS suffix of this computer box.

  6. Click OK twice.

  7. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials, and click OK.

  8. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.

  9. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

Finally, add the application server role on the ADFS-RESOURCE computer.

To add the application server role

  1. Log on to ADFS-RESOURCE as CPANDL\Administrator. The Manage Your Server window appears.

  2. Click Add or remove a role.

  3. On the Preliminary Steps page of the Configure your Server Wizard, click Next.

  4. Click Application Server (IIS, ASP.NET), and then click Next.

  5. Select the Enable ASP.NET check box, and then click Next twice.

  6. When asked for files from the Windows Server 2003 product CD, insert it into the CD-ROM drive of the computer.

  7. Click Finish to complete the installation.

Configure the Windows Server 2008–based AD FS resource partner

First, install Windows Server 2008 Enterprise as a stand-alone server on ADFS-RESOURCE.

Important

Windows Server 2008 Enterprise is required for the federation servers.

To install Windows Server 2008 Enterprise

  1. Start your computer by using the Windows Server 2008 product CD.

  2. When prompted for a computer name, type ADFS-RESOURCE.

  3. Follow the rest of the instructions that appear on your screen to finish the installation.

In this step, configure TCP/IP properties so that the ADFS-RESOURCE computer has a static IP address of 10.0.0.7.

To configure TCP/IP properties on the ADFS-RESOURCE computer

  1. Log on to ADFS-RESOURCE with the ADFS-RESOURCE\Administrator account or another user account in the local Administrators group.

  2. Click Start, click Control Panel, click Network and Internet, double-click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.

  3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select the Use the following IP address option. In IP address, type 10.0.0.7. In Subnet mask, type 255.255.255.0.

  5. Select the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.1.

  6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join the ADFS-RESOURCE computer to the CPANDL domain:

To join ADFS-RESOURCE to the cpandl.com domain

  1. Click Start, right-click Computer, and then click Properties.

  2. Click Change settings (at the right side under Computer name, domain, and workgroup settings), and then click Change.

  3. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type cpandl.com.

  4. Click More, and then type cpandl.com in the Primary DNS suffix of this computer box.

  5. Click OK, and then click OK again.

  6. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials of CPANDL\Administrator, and then click OK.

  7. When a Computer Name/Domain Changes dialog box appears welcoming you to the cpandl.com domain, click OK.

  8. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

  9. Click Restart Now.
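The two procedures above (the Windows Server 2003 R2 and Windows Server 2008 variants of configuring TCP/IP and joining ADFS-RESOURCE to cpandl.com) can be scripted with the netsh and netdom command-line tools, which is useful when rebuilding the lab. The following is an added example and not part of the Microsoft guide; it assumes PowerShell is available on ADFS-RESOURCE (built in to Windows Server 2008, an optional install on Windows Server 2003 R2, which also needs the Support Tools for netdom), that the network interface is named "Local Area Connection", and that the script runs in a local Administrators session. It also adds a DNS check before the join, so a misconfigured preferred DNS server is caught early rather than surfacing as a cryptic join failure.

```powershell
# Added example, not from the Microsoft guide: scripted equivalent of the
# "configure TCP/IP" and "join the cpandl.com domain" procedures for
# ADFS-RESOURCE. Values below are the ones used in the guide.
$Interface  = "Local Area Connection"   # assumption: default adapter name
$IPAddress  = "10.0.0.7"
$SubnetMask = "255.255.255.0"
$DnsServer  = "10.0.0.1"                # CPANDL-DC
$Domain     = "cpandl.com"
$Computer   = "ADFS-RESOURCE"

# Static IPv4 address; the lab is a single subnet, so no default gateway is set.
netsh interface ip set address name="$Interface" source=static addr=$IPAddress mask=$SubnetMask
if ($LASTEXITCODE -ne 0) { throw "Failed to set the static IP address on $Interface." }

# Point DNS at the domain controller only. A leftover ISP or public resolver
# here is the usual cause of domain-join and later AD FS name-resolution failures.
netsh interface ip set dns name="$Interface" source=static addr=$DnsServer register=primary
if ($LASTEXITCODE -ne 0) { throw "Failed to set the DNS server on $Interface." }

# Pre-join check: the DC locator SRV record for cpandl.com must be answered
# by 10.0.0.1 and name CPANDL-DC; otherwise the join cannot succeed.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $DnsServer 2>&1
if (-not ($srv -match "cpandl-dc")) {
    throw "DC SRV record for $Domain not found via $DnsServer; fix DNS before joining."
}

# Join the domain. /PasswordD:* makes netdom prompt for the password, so the
# credential is never placed on the command line or in the shell history.
# netdom also sets the primary DNS suffix to the domain name by default, which
# matches the "Primary DNS suffix of this computer" step in the guide.
netdom join $Computer /Domain:$Domain /UserD:"CPANDL\Administrator" /PasswordD:* /Reboot:30
if ($LASTEXITCODE -ne 0) { throw "netdom join failed; the computer was not joined to $Domain." }
```

Run the script once on ADFS-RESOURCE; the computer restarts 30 seconds after a successful join. If the SRV lookup throws, the fix is almost always the preferred DNS server address, not the domain join itself.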

Create the ADFSADMIN user account

In this step, create the ADFSADMIN user account in Active Directory.

To add ADFSADMIN to the CPANDL domain

  1. Log on to CPANDL-DC with the CPANDL\Administrator account.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand cpandl.com, right-click Users, point to New, and then click User.

  4. In the New Object – User dialog box, type ADFSADMIN in the Full name and User logon name boxes, and then click Next.

  5. In the New Object – User dialog box, type a password of your choice in the Password and Confirm password boxes. Clear the User must change password at next logon check box, click Next, and then click Finish.

Add the ADFSADMIN user account to the local Administrators group on ADFS-RESOURCE

Installing AD FS requires that the logged-on user have administrative privileges on the local server.

If you are running Windows Server 2003 R2 Enterprise Edition on ADFS-RESOURCE, use the following procedure:

To add ADFSADMIN to the Administrators group on a Windows Server 2003–based server

  1. Log on to ADFS-RESOURCE as cpandl\administrator.

  2. Click Start, point to Administrative Tools, and then click Computer Management.

  3. Expand System Tools, expand Local Users and Groups, and then click Groups.

  4. Right-click Administrators, and then click Add to Group.

  5. Click Add.

  6. In the Select Users, Computers, or Groups window, type cpandl\adfsadmin, and then click OK.

  7. Click OK to close the Administrators properties sheet.

If you are running Windows Server 2008 Enterprise on ADFS-RESOURCE, use the following procedure:

To add ADFSADMIN to the Administrators group on a Windows Server 2008–based server

  1. Log on to ADFS-RESOURCE as cpandl\administrator.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. Expand Configuration, expand Local Users and Groups, and then click Groups.

  4. Right-click Administrators, and then click Add to Group.

  5. Click Add.

  6. In the Select Users, Computers, or Groups window, type cpandl\adfsadmin, and then click OK.

  7. Click OK to close the Administrators properties sheet.
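The two preceding tasks, creating ADFSADMIN on CPANDL-DC and adding it to the local Administrators group on ADFS-RESOURCE (either operating system variant), can be done from the command line with dsadd and net localgroup, both available on Windows Server 2003 R2 and Windows Server 2008. This is an added example, not part of the Microsoft guide; it assumes a PowerShell session on each of the two computers, and the function names New-AdfsAdminAccount and Grant-LocalAdministrator are this example's own. The point worth preserving from the guide is the scope of the privilege: ADFSADMIN gets local Administrators on the federation server only, not Domain Admins, because that is all the AD FS installer needs.

```powershell
# Added example, not from the Microsoft guide. Two functions, each run on
# the computer named in its comment. Function names are illustrative.

# Run on CPANDL-DC as CPANDL\Administrator.
function New-AdfsAdminAccount {
    # dsadd prompts for the password when "*" is supplied, so it does not
    # appear on the command line; the account is created enabled and
    # without "must change password at next logon", as in the guide.
    dsadd user "CN=ADFSADMIN,CN=Users,DC=cpandl,DC=com" `
        -samid ADFSADMIN -upn ADFSADMIN@cpandl.com -display ADFSADMIN `
        -pwd * -mustchpwd no -disabled no
    if ($LASTEXITCODE -ne 0) { throw "dsadd failed; ADFSADMIN was not created." }

    # Confirm the object exists by querying the directory, not by trusting the exit code alone.
    $found = dsquery user -samid ADFSADMIN
    if (-not $found) { throw "ADFSADMIN not found after creation." }
    return $found
}

# Run on ADFS-RESOURCE as CPANDL\Administrator (after the domain join).
function Grant-LocalAdministrator {
    param([string]$Account = "CPANDL\ADFSADMIN")

    # Local Administrators on this host only; the account is deliberately
    # not made a member of any domain-wide administrative group.
    net localgroup Administrators $Account /add
    if ($LASTEXITCODE -ne 0) { throw "Could not add $Account to local Administrators." }

    # Verify the membership took effect. net localgroup lists domain members
    # as DOMAIN\user, and the regex below matches that form literally.
    $members = net localgroup Administrators
    $pattern = [regex]::Escape($Account)
    if (-not ($members -match $pattern)) {
        throw "$Account is not listed in the local Administrators group."
    }
    return $true
}
```

Call New-AdfsAdminAccount on the domain controller first, then Grant-LocalAdministrator on ADFS-RESOURCE. The verification step in Grant-LocalAdministrator is what the guide's final "Click OK" does not give you: proof that the membership is actually in place before you start the AD FS installation as ADFSADMIN.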

Configure a DNS forwarder on CPANDL-DC

DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the cpandl.com domain to the treyresearch.net domain, and vice versa.

If CPANDL-DC is running Windows Server 2003, use the following procedure:

To configure a DNS forwarder on a Windows Server 2003–based computer

  1. Log on to CPANDL-DC with the CPANDL\Administrator account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click DNS.

  3. Right-click CPANDL-DC, and then click Properties.

  4. Click the Forwarders tab.

  5. In the Selected domain's forward IP address list section, type 10.0.0.30, and then click Add.

  6. Click OK.

If CPANDL-DC is running Windows Server 2008, use the following procedure:

To configure a DNS forwarder on a Windows Server 2008–based computer

  1. Log on to CPANDL-DC with the CPANDL\Administrator account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click DNS.

  3. Right-click CPANDL-DC, and then click Properties.

  4. Click the Forwarders tab.

  5. Click Edit.

  6. Type 10.0.0.30, and then click OK.

  7. Click OK to close the properties sheet.
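The forwarder set in either procedure above can also be configured and, more usefully, verified with dnscmd, the DNS Server command-line tool present on Windows Server 2003 and Windows Server 2008. The following is an added example, not part of the Microsoft guide; it assumes an elevated PowerShell session on CPANDL-DC and, as the guide does, that 10.0.0.30 is the DNS server for treyresearch.net. The resolution check at the end exercises the forwarder end to end, which the Forwarders tab alone does not do.

```powershell
# Added example, not from the Microsoft guide: set the forwarder on CPANDL-DC
# with dnscmd and confirm that the partner domain resolves through it.
$DnsServer = "CPANDL-DC"
$Forwarder = "10.0.0.30"   # treyresearch.net DNS server, per the guide

# Server-wide forwarder, equivalent to the Forwarders tab in the guide:
# every query CPANDL-DC cannot answer from its own zones or cache goes to
# 10.0.0.30, not only queries for treyresearch.net.
dnscmd $DnsServer /ResetForwarders $Forwarder
if ($LASTEXITCODE -ne 0) { throw "Failed to set the forwarder on $DnsServer." }

# Assumption, offered as an alternative rather than what the guide does: if
# you want only treyresearch.net traffic sent to 10.0.0.30, a conditional
# forwarder limits the scope to that domain.
#   dnscmd $DnsServer /ZoneAdd treyresearch.net /Forwarder $Forwarder

# Show the server configuration (the "Forwarders" lines are the ones of interest).
dnscmd $DnsServer /Info

# End-to-end check: an NS query for the partner domain must return a name
# server. On failure nslookup prints "can't find treyresearch.net", which
# does not contain "nameserver", so the match below does not false-pass.
$answer = nslookup -type=NS treyresearch.net $DnsServer 2>&1
if (-not ($answer -match "nameserver")) {
    throw "treyresearch.net did not resolve via $DnsServer; check the forwarder and that $Forwarder is reachable."
}
```

Because the guide's forwarder is server-wide, any name CPANDL-DC cannot resolve locally will be sent to 10.0.0.30, so keep this in mind if the lab is later connected to a network where that server should not see all of cpandl.com's recursive traffic.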