Step 4: Install and Configure AD DS
Updated: May 5, 2010
Applies To: Active Directory Federation Services (AD FS) 2.0
In this step, we install AD DS and configure a single-domain forest for each of the two companies (Contoso Pharmaceuticals and Fabrikam).
This section includes the following procedures:
- Install AD DS
- Create accounts
- Join the client computer to the Contoso domain
You can use the Add Roles Wizard to create two new Active Directory Domain Services (AD DS) forests, one on each of the AD FS 2.0 VMs (contososrv01 and fabrikamsrv01). When you type values into the wizard pages, use the company names and AD DS domain names in the following table.
| Note |
|---|
| AD FS 2.0 has no dependency on forest functional level. When installing AD DS, you can select any forest functional level that is appropriate for your environment. |
To start the Add Roles Wizard, click Start, click Administrative Tools, click Server Manager, and then, in the right pane, click Add Roles.
| Important |
|---|
| Configure the IP addresses as specified in the table in the Step 3: Reconfigure the IP and DNS Settings for All VMs section of this guide before you attempt to install AD DS. This helps ensure that DNS records are configured appropriately. |

| Computer name | Company name | AD DS domain name (new forest) | DNS configuration |
|---|---|---|---|
| Contososrv01 | Contoso Pharmaceuticals | contoso.com | Install DNS when you are prompted. |
| Fabrikamsrv01 | Fabrikam | fabrikam.com | Install DNS when you are prompted. |
If you need assistance creating a new Windows Server 2008-based AD DS forest, see Installing a New Forest (http://go.microsoft.com/fwlink/?LinkId=101704).
Use the values in the following table to identify which computer to join to which domain.

| Computer name | Join to: |
|---|---|
| CONTOSOSRV02 | contoso.com |
| FABRIKAMSRV02 | fabrikam.com |
For more information about how to do this, see Join a Computer to a Domain (http://go.microsoft.com/fwlink/?LinkID=150213).
After you set up the two forests, log on as the Administrator of each domain and start the Active Directory Users and Computers snap-in on both domain controllers (contososrv01 and fabrikamsrv01) to create the accounts that you will use to test and verify federated access across both forests.
For more information about how to create accounts in AD DS, see Create a New User Account (http://go.microsoft.com/fwlink/?LinkID=150218) and Create a New Group (http://go.microsoft.com/fwlink/?LinkID=133523).
For more information about how to add a user to a group in AD DS, see Add a Member to a Group (http://go.microsoft.com/fwlink/?LinkID=133522).
Create and configure the accounts with the values in the following table at CONTOSOSRV01 for the contoso.com domain. When you create the accounts, clear the User must change password upon login check box.

| Note |
|---|
| In addition to creating new accounts, set the e-mail address for the Administrator account to "administrator@contoso.com". |

| Create: | Account name | User name | Action |
|---|---|---|---|
| User account | (AD RMS service account) | Adrmssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account. Add as a member of the Domain Admins group. |
| User account | AD FS 2.0 Service Account | adfssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account. |
| User account | Daniel Weisman | danielw | Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "danielw@contoso.com". |
| Security group - Global account | DrugTrial1Admins | N/A | Add danielw as a member of this group. |
Create and configure the accounts with the values in the following table at FABRIKAMSRV01 for the fabrikam.com domain.

| Note |
|---|
| In addition to creating new accounts, set the e-mail address for the Administrator account to "administrator@fabrikam.com". |

| Create: | Account name | User name | Action |
|---|---|---|---|
| User account | Frank Miller | frankm | Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "frankm@fabrikam.com". |
| User account | AD FS Service | adfssrvc | Set password to never expire and the password value to "p@ssw0rd" for this account. |
| Security group - Global account | DrugTrial1Auditors | N/A | Add frankm as a member of this group. |
| User account | Alice Scott | alices | Set password to never expire and the password value to "demo!23" for this account. Set the e-mail address for this account to "alices@fabrikam.com". |
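The account work for both domain controllers can be scripted instead of clicked through. The following is an added example, not part of this guide: it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later, or RSAT; the Windows Server 2008 domain controllers built here would need dsadd or the snap-in instead), and it transcribes the two account tables above, including the lab passwords, which are appropriate only inside this isolated test lab.

```powershell
# Added example, not part of the original guide. Assumes the ActiveDirectory
# module; run on each domain controller as that domain's Administrator.
# Passwords are the guide's lab values and belong only in this isolated lab.
Import-Module ActiveDirectory
# Account tables transcribed from the guide, keyed by sAMAccountName.
$Domains = @{
    'contoso.com'  = @{
        Users  = @{
            adrmssrvc = @{ Name = 'AD RMS service account'; Pwd = 'p@ssw0rd' }
            adfssrvc  = @{ Name = 'AD FS 2.0 Service Account'; Pwd = 'p@ssw0rd' }
            danielw   = @{ Name = 'Daniel Weisman'; Pwd = 'demo!23'; Mail = 'danielw@contoso.com' }
        }
        Groups = @{ DrugTrial1Admins = @('danielw'); 'Domain Admins' = @('adrmssrvc') }
    }
    'fabrikam.com' = @{
        Users  = @{
            frankm   = @{ Name = 'Frank Miller'; Pwd = 'demo!23'; Mail = 'frankm@fabrikam.com' }
            adfssrvc = @{ Name = 'AD FS Service'; Pwd = 'p@ssw0rd' }
            alices   = @{ Name = 'Alice Scott'; Pwd = 'demo!23'; Mail = 'alices@fabrikam.com' }
        }
        Groups = @{ DrugTrial1Auditors = @('frankm') }
    }
}
# Configure only the domain this DC belongs to.
$domain = (Get-ADDomain).DNSRoot
$cfg = $Domains[$domain]
if (-not $cfg) { throw "No account table for domain $domain" }
foreach ($sam in $cfg.Users.Keys) {
    $u = $cfg.Users[$sam]
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") { continue }   # already created
    $p = @{
        Name = $u.Name; SamAccountName = $sam; UserPrincipalName = "$sam@$domain"
        AccountPassword = ConvertTo-SecureString $u.Pwd -AsPlainText -Force
        Enabled = $true; ChangePasswordAtLogon = $false; PasswordNeverExpires = $true
    }
    if ($u.Mail) { $p.EmailAddress = $u.Mail }   # e-mail only where the table sets one
    New-ADUser @p
}
foreach ($grp in $cfg.Groups.Keys) {
    # DrugTrial1* are new global security groups; Domain Admins already exists.
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
        New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security
    }
    Add-ADGroupMember -Identity $grp -Members $cfg.Groups[$grp]
}
# The note above: set the Administrator account's e-mail address.
Set-ADUser -Identity Administrator -EmailAddress "administrator@$domain"
```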
When AD DS is installed and configured as a server role on CONTOSOSRV01 and FABRIKAMSRV01, the DNS Server role is installed on these VMs as well. The Contoso zones are managed by the DNS Server on CONTOSOSRV01, and the Fabrikam zones by the DNS Server on FABRIKAMSRV01.
So that the services used in later virtual lab exercises can be located by name, additional resource records must be configured on each of these two DNS servers.
Configuring DNS service records for the Contoso domain is a two-step process. In the first step, we configure new zones for the contoso.com domain. Next, we add host (A) resource records to the zone.
- Log on to CONTOSOSRV01 as CONTOSO\Administrator, and open the DNS Manager snap-in. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
- Add new host (A) resource records as described in the following section to the Forward Lookup Zone for contoso.com.

The following are host (A) resource records that you can add using DNS Manager on CONTOSOSRV01. For more information about how to add these records, see "Add a Resource Record to a Zone" in the DNS Server Help.

| Name | Type | Data |
|---|---|---|
| adrms | Host (A) | 10.0.0.30 |
| docs | Host (A) | 10.0.0.2 |
| pki | Host (A) | 10.0.0.1 |
| sts1 | Host (A) | 10.0.0.20 |
- Log on to FABRIKAMSRV01 as FABRIKAM\Administrator, and open the DNS Manager snap-in. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
- Add new host (A) resource records as described in the following section to the Forward Lookup Zone for fabrikam.com.

The following are host (A) resource records that you can add using DNS Manager on FABRIKAMSRV01. For more information about how to add these records, see "Add a Resource Record to a Zone" in the DNS Server Help.

| Name | Type | Data |
|---|---|---|
| pki | Host (A) | 10.0.0.101 |
| sts2 | Host (A) | 10.0.0.120 |
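The host (A) records for both zones can be added from the command line and then checked, so that a typo in an address is caught here rather than when a later exercise fails to find sts1 or sts2. The following is an added example, not part of this guide: it uses dnscmd.exe, which is installed with the DNS Server role on Windows Server 2008, takes the zone from the logged-on account's domain, and carries the two record tables above.

```powershell
# Added example, not part of the original guide. Uses dnscmd.exe (installed
# with the DNS Server role); run on each DNS server as that domain's
# Administrator. Names and addresses are the guide's lab values.
$Records = @{
    'contoso.com'  = @{ adrms = '10.0.0.30'; docs = '10.0.0.2'; pki = '10.0.0.1'; sts1 = '10.0.0.20' }
    'fabrikam.com' = @{ pki = '10.0.0.101'; sts2 = '10.0.0.120' }
}
# The zone to populate is the domain of the account we logged on with
# (CONTOSO\Administrator or FABRIKAM\Administrator).
$zone = $env:USERDNSDOMAIN.ToLower()
if (-not $Records.ContainsKey($zone)) { throw "No record table for zone $zone" }
foreach ($name in $Records[$zone].Keys) {
    $ip = $Records[$zone][$name]
    # Add the A record to the forward lookup zone on this server.
    & dnscmd.exe $env:COMPUTERNAME /RecordAdd $zone $name A $ip | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "dnscmd failed for $name.$zone ($ip)" }
}
# Verify: each name must resolve to exactly the expected IPv4 address.
$bad = 0
foreach ($name in $Records[$zone].Keys) {
    $expected = $Records[$zone][$name]
    $fqdn = "$name.$zone"
    try {
        $actual = @([System.Net.Dns]::GetHostAddresses($fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch { $actual = @() }
    if ($actual.Count -eq 1 -and $actual[0] -eq $expected) {
        Write-Host "OK       $fqdn -> $expected"
    } else {
        $bad++
        Write-Warning "MISMATCH $fqdn expected $expected, got: $($actual -join ', ')"
    }
}
if ($bad) { Write-Warning "$bad record(s) wrong in $zone; fix them before continuing." }
```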