Installing ISA Server on a Domain Controller


8/8/2019 Installing ISA Server on a Domain Controller


Installing ISA Server on a Domain Controller

What we'll do here is go over the installation of Windows 2000 and then the configuration of various services to ensure that everything works correctly on your Windows 2000 DC. Specifically, we'll cover:

- Installing Windows 2000
- Configuring DNS Server and DNS Zone Properties
- Configuring the DNS Server Forward and Reverse Lookup Zones
- Promoting the Machine to a Domain Controller
- Configuring the DNS Forwarder
- Testing the DNS Server
- Installing ISA Server

Installing Windows 2000

The first step is to get Windows 2000 installed. If you already have Windows 2000 installed, you might want to consider reinstalling. There's nothing like a clean machine to help you avoid catastrophic ISA Server problems. Requirements for installing Windows 2000 and ISA Server for a DC are:

- Windows 2000 Server, Advanced Server or Datacenter Server
- Plenty of RAM! At least 512 MB, and more is better
- Make sure all NICs you plan to use are already installed - DCs hate it when you add NICs to them
- Do not plug the external interface into the Internet during installation or you will get whacked before the ISA Server installation is complete

There are other hardware requirements, but these are the most important elements to your success. Let's get started installing Windows 2000:

1. Boot the CD. Format the partitions if required and do all the other steps required during the text mode phase of installation. There are no special installation requirements to make a DC work during this phase of the installation.

2. Reboot into the GUI mode phase. On the Regional Settings page, make any changes you need and then click Next.

3. On the Personalize Your Software page, enter your Name and Organization information and click Next.

4. On the Your Product Key page, type in your key and click Next.

5. On the Licensing Mode page, select the appropriate licensing mode for your server and click Next.

6. On the Computer Name and Administrator Password page, enter the computer (NetBIOS) name for your computer and a complex Administrator password. By complex, I mean complex! I always use 17+ characters with mixed case letters, numbers and symbols. I figure if they can crack these passwords, they're too good for me :). Click Next.

7. The Windows Components page is a key page, so pay attention!


Double click on Internet Information Services. If you need to support FTP and NNTP, make the appropriate selections on the Internet Information Services (IIS) page. I generally recommend that you minimize the number of IIS services running on the ISA Server, but if you are using SBS, you may be stuck running all of these on the ISA/DC machine. Click OK on the Internet Information Services page.

Back in the Windows 2000 Components page, double click on the Management and Monitoring Tools node. Select the Network Monitor Tools option. You might also want to select the Simple Network Management Protocol option if you use SNMP management stations to manage your Windows 2000 Servers. If you use CMAK, you can install that too. Click OK in the Management and Monitoring Tools dialog box.


Double click on the Networking Services entry. At the very least, you need to install DNS and WINS. Scroll through the list of networking services and make those selections. Then click OK in the Networking Services dialog box.

Note: If you install WINS, you must disable NetBIOS on the external interface of the ISA/DC computer. If you don't disable NetBIOS, the external IP address of the ISA/DC will be registered in WINS for all sorts of things you don't want it registered for. Don't disable NetBIOS until you're all done with EVERYTHING in this article. Before disabling NetBIOS, check out the entries in the WINS database for the external IP address of the ISA/DC computer. It'll be a real learning experience! Also, make sure to delete those entries after you've disabled NetBIOS on the external interface.

8. Double click on the Terminal Services option. Select Enable Terminal Services. If you need to create the client, then select the Client Creator Files option. Click OK in the Terminal Services dialog box.

9. Click Next in the Windows 2000 Components page.

10. On the Date and Time Settings page, set the correct date, time and time zone. Click Next.

11. On the Terminal Services Setup page, select the Remote administration mode option and click Next.

12. On the Networking Settings page, select the Custom Settings option. Click Next.

13. On the Networking Components page, you are presented with the configuration settings dialog box for the external interface of the ISA Server. I refer to this adapter as the external interface because this interface will be listed second on the list of adapters in the Advanced network adapter settings. If you don't want this to be the external interface, you'll have to manually change its priority after installation is complete. Remove the checkmarks from Client for Microsoft Networks and File and Printer Sharing. Double click on the Internet Protocol (TCP/IP) entry.

Note: After Windows 2000 installation is complete, you might want to rename the interfaces to make them easier to work with. Give them names like InternalNIC and ExternalNIC. Don't use names like internal and external, because the name internal is also used by the RRAS console to represent the interface used by RAS clients. This could cause some unneeded confusion.

14. In the Internet Protocol (TCP/IP) Properties dialog box, type in the IP addressing information appropriate for your external interface. Make sure you enter your ISP's DNS server address in the Preferred DNS server text box. The Default gateway will either be assigned by your ISP, or will be the LAN interface of your router that connects to the Internet. Click on the Advanced button.

15. Click the DNS tab. Remove the checkmark from the Append parent suffixes of the primary DNS suffix checkbox. There's no reason for your external interface to devolve queries to your ISP's DNS server, so this might improve performance in certain situations. Also, remove the checkmark from the Register this connection's addresses in DNS checkbox. Your ISP isn't interested in registering your external interface and it's unlikely it supports DDNS. Click OK. You'll get an information message telling you your WINS address is empty. Click Yes. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box. Click Next in the Networking Components page.


Reminder! You should disable NetBIOS on the external interface of the DC/ISA Server computer in order to prevent problems with the Browser service and prevent browser announcements from trying to go out the external interface. All they'll do is fill up your logs, since later you will enable packet filtering to block NetBIOS communications on the external interface. But don't do this until you're all done with everything we talk about in this article.

16. You are presented with the Networking Components page for the internal interface of the ISA/DC computer. Double click on the Internet Protocol (TCP/IP) entry. Enter the internal IP address and Subnet mask. Make sure that you make the Preferred DNS server the IP address of the internal interface. This is vitally important, since this machine is going to be a DNS server for your Active Directory domain.


17. Click the Advanced button. Click on the WINS tab. Click the Add button and add the IP address of the internal interface of the ISA/DC computer. You want only this IP address to register with WINS. You do not want the external interface to register with WINS. Click OK in the Advanced TCP/IP Settings dialog box after you have added the WINS server address. Click OK in the Internet Protocol (TCP/IP) Properties dialog box. Click Next on the Networking Components page.

18. On the Workgroup or Computer Domain page, leave the default selection as it is. There isn't a domain yet for it to join. Click Next.

19. The installation Wizard completes installing and configuring the services you selected. Click Finish to restart the computer when it's done.

20. After the computer restarts, immediately install Service Pack 2.

Configuring the DNS Server Forward and Reverse Lookup Zones

Configuring the DNS Server properly before you run DCPROMO is critical to your success. Many ISA Server admins end up painting themselves into a hole because they've promoted the machine to a DC before configuring DNS. A basic rule of thumb is to never trust the Active Directory DNS Wizard and do it yourself. Perform the following steps to configure your DNS Server:

1. Click Start, point to Administrative Tools and click on DNS.

2. Expand all the nodes and then right click on Forward Lookup Zone. Point to View and click on Advanced.

3. Right click on Reverse Lookup Zone and click New Zone. Click Next on the Welcome page.

4. On the Reverse Lookup Zone page, type in the network ID for the segment connected to the internal interface of the DC/ISA Server computer. You may need to create additional reverse lookup zones if you have multiple segments on your internal network. Click Next.

5. On the Zone File page, accept the default name for the DNS zone file and click Next.

6. On the Completing the New Zone Wizard page, click Finish.

The next step is to configure the Forward Lookup Zone:


1. Right click on the Forward Lookup Zone node and click New Zone. Click Next on the Welcome page.

2. On the Zone Type page, select Standard Primary and click Next.

3. On the Zone Name page, type in the internal network domain name. Click Next.

4. On the Zone File page, accept the default name for the DNS zone file and click Next.

5. Click Finish on the Completing the New Zone Wizard page.

6. Right click on the Zone that you just created and click the New Host command.

7. In the New Host dialog box, type in the host name of the DC/ISA Server computer and the IP address of the internal interface, and select Create associated pointer (PTR) record. Click Add Host. An information message will appear that says the record was created. Click OK. Click Done in the New Host dialog box.

8. Check both the Forward and Reverse lookup zones to confirm that the records were created for the DC/ISA Server computer. Click the Refresh button if you don't see the records.

Configuring DNS Server and DNS Zone Properties

Now let's configure the DNS Server and Zone properties:


1. Right click on your DNS Server name and click Properties.

2. In the server Properties dialog box, click the Interfaces tab. Click the Only the following IP addresses option. Then click on the external IP address of the DC/ISA Server computer and click the Remove button. Click Apply.

3. Click the Root Hints tab and confirm for yourself that the Root Hints file has been primed.

4. At this point we won't get into Forwarders; we'll just let the DNS server perform recursion itself. Click OK.

5. Right click on the Zone you just created and click Properties.

6. Click on the General tab. Change the setting for Allow Dynamic Updates to Yes. Click the WINS tab.

7. On the WINS tab, select Use WINS forward lookup. Type in the IP address of the internal interface of the DC/ISA Server computer and click Add.

8. Click the Zone Transfers tab. Select the Only to servers listed on the Name Servers tab option.

9. Click the Name Servers tab. If the IP address is listed as unknown, select your computer name and click the Edit button. Click the Browse button in the Edit Record dialog box. Double click on your computer name, then double click on Forward Lookup Zones and then double click on your Forward Lookup Zone. Double click on your computer name. Click OK and then click Apply. Click OK to close the Properties dialog box.


Promoting the Machine to a Domain Controller

Now you're ready to promote the machine to a domain controller. If you haven't forgotten anything, this should go smoothly.

1. Click Start and click the Run command.

2. In the Run dialog box, type dcpromo in the Open text box. Click OK.

3. Click Next on the Welcome page.

4. Select Domain controller for a new domain and click Next.

5. Select Create a new domain tree and click Next.

6. Select Create a new forest of domain trees and click Next.

7. In the New Domain Name text box, type in the full domain name and click Next.


8. On the NetBIOS Domain Name page, go with the default. Note that if you made your domain name too long, the NetBIOS name may be truncated. If so, you might want to rethink your domain name. Click Next.


9. On the Database and Log Locations page, make any required changes from the defaults and click Next.

10. On the Shared System Volume page, make any required change and click Next.

11. You will see an information dialog box informing you that the Wizard can't contact a server authoritative for the Active Directory domain. That's to be expected, since you're not done yet! Click OK to continue.

12. On the Configure DNS page, select No, I will install and configure DNS myself. NEVER allow the Wizard to do this! Click Next.

13. Select the appropriate permissions for your environment and click Next.

14. Enter your Directory Services Restore Mode password and confirm it. Click Next.

15. Review your settings to make sure everything is correct, then click Next.

16. If everything is configured correctly, it should take less than 5 minutes to complete the Active Directory configuration. Click Finish on the Completing the Active Directory Installation Wizard page.

17. On the Active Directory Installation Wizard dialog box, click the Restart Now button.

18. When the server restarts, it may take a while, since it's populating the DNS server zone file with Active Directory related records. Log on to the domain.

19. Wait about 5 minutes, and then open the DNS console. Expand the Forward Lookup Zone for your domain and you should see the Active Directory related records.

Configuring the DNS Forwarder

At this point you should consider using a Forwarder to resolve domain names for those domains that your server is not authoritative for. In practice, this includes all other domains except your own! In the DNS console, perform the following steps:

1. Right click on your server name and click Properties.

2. In the server Properties dialog box, click the Forwarders tab.

3. On the Forwarders tab, select the Enable forwarders option. Then type in the IP address(es) of your ISP's DNS server(s) and click the Add button. Place a checkmark in the Do not use recursion checkbox. This will improve performance significantly. Click Apply and then click OK.

4. Right click on your server name, point to All Tasks and then click the Restart command. This will restart the DNS server service.
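The zone, server-property and forwarder settings from the three DNS sections above can also be scripted instead of clicked through. The block below is an added example, not from the article, and uses dnscmd.exe from the Windows 2000 Support Tools (assumed installed); the IP addresses, domain and host names are placeholders, and the final forwarder step is the one the article applies only after DCPROMO has run.

```batch
@echo off
rem Added example (not from the article): scripts the DNS console steps with
rem dnscmd.exe from the Windows 2000 Support Tools (assumed installed).
rem Assumed placeholder values - replace them with your own.
set INTERNAL_IP=10.0.0.1
set PTR_NODE=1
set ISP_DNS=198.51.100.53
set DOMAIN=internal.example
set HOSTNAME=isadc
set REV_ZONE=0.0.10.in-addr.arpa

rem --- Forward and Reverse Lookup Zones (run before DCPROMO) ---
rem Reverse lookup zone for the internal segment, standard primary.
dnscmd . /ZoneAdd %REV_ZONE% /Primary /file %REV_ZONE%.dns
rem Forward lookup zone for the internal domain, standard primary.
dnscmd . /ZoneAdd %DOMAIN% /Primary /file %DOMAIN%.dns
rem Host (A) record for the DC's internal interface plus its PTR record
rem (what "Create associated pointer (PTR) record" does in the console).
dnscmd . /RecordAdd %DOMAIN% %HOSTNAME% A %INTERNAL_IP%
dnscmd . /RecordAdd %REV_ZONE% %PTR_NODE% PTR %HOSTNAME%.%DOMAIN%.

rem --- DNS Server and Zone Properties ---
rem Interfaces tab: listen on the internal IP only, so the external
rem interface never serves DNS.
dnscmd . /ResetListenAddresses %INTERNAL_IP%
rem General tab: allow dynamic updates so DCPROMO can register its records.
dnscmd . /Config %DOMAIN% /AllowUpdate 1
rem Zone Transfers tab: only to servers on the Name Servers tab. The article
rem sets this on the forward zone; the reverse zone gets the same here.
dnscmd . /ZoneResetSecondaries %DOMAIN% /SecureNs
dnscmd . /ZoneResetSecondaries %REV_ZONE% /SecureNs

rem --- DNS Forwarder (the article does this only after DCPROMO) ---
rem Forward to the ISP resolver; /Slave is "Do not use recursion".
dnscmd . /ResetForwarders %ISP_DNS% /Slave

rem Restart the DNS Server service so the listen-address change takes effect.
net stop dns
net start dns
```

The WINS forward lookup on the zone's WINS tab is not scripted here and is still set in the DNS console as the article describes.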

Testing the DNS Server

OK, now the moment of truth! Does your DNS server work? That is, can it resolve local and remote domain names? Check it out! Here's how:

1. In the DNS console, right click on your server name and click Properties.

2. In the server Properties dialog box, click on the Monitoring tab.

3. On the Monitoring tab, place a checkmark in the A simple query against this DNS server checkbox. Then click the Test Now button. You should see a PASS entry in the Simple Query column.

4. Remove the checkmark from the A simple query against this DNS server checkbox. Place a checkmark in the A recursive query to other DNS servers checkbox. Click the Test Now button. You should see a PASS in the Recursive Query column.
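The same two checks can be repeated from the command line, with one extra that the Monitoring tab does not do: confirming that the external interface does not answer DNS at all, which is what the Interfaces tab setting above is meant to achieve. This is an added example, not part of the article; the addresses and names are assumed placeholders, and it is meant to be run on the DC/ISA computer or another internal host that can reach both IP addresses.

```batch
@echo off
rem Added example (not from the article): repeats the Monitoring tab tests
rem with nslookup and checks that the external interface stays silent.
rem Assumed placeholder values - replace them with your own.
set INTERNAL_IP=10.0.0.1
set EXTERNAL_IP=192.0.2.10
set DC_FQDN=isadc.internal.example
set REMOTE_NAME=www.microsoft.com

rem 1. Simple query: a non-recursive lookup of the DC's own host record, which
rem    the server must answer from its own zone. nslookup prints a "Name:" line
rem    only when it gets an answer.
nslookup -norecurse -timeout=5 -retry=1 %DC_FQDN% %INTERNAL_IP% 2>nul | findstr /i /c:"Name:" >nul
if errorlevel 1 (echo FAIL: simple query for %DC_FQDN%) else (echo PASS: simple query)

rem 2. Recursive query: an outside name that can only be resolved through the
rem    forwarder (or root hints).
nslookup -timeout=10 -retry=1 %REMOTE_NAME% %INTERNAL_IP% 2>nul | findstr /i /c:"Name:" >nul
if errorlevel 1 (echo FAIL: recursive query for %REMOTE_NAME%) else (echo PASS: recursive query)

rem 3. External interface: the server was told to listen only on the internal
rem    IP, so a query sent to the external IP must time out, not be answered.
nslookup -timeout=3 -retry=1 %DC_FQDN% %EXTERNAL_IP% 2>nul | findstr /i /c:"Name:" >nul
if errorlevel 1 (echo PASS: external interface does not answer DNS) else (echo FAIL: external interface answers DNS - check the Interfaces tab)
```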

Congratulations! You've installed DNS and the Active Directory on your computer and it's all working.

Installing ISA Server

There really aren't any special steps you need to take when installing ISA Server on the DC. But we'll go through the procedure just to be thorough.

1. Put the ISA Server CD into the tray and when the autoplay dialog box appears, click the Install ISA Server button.

2. On the Welcome page, click Continue.

3. On the CD Key page, type in your CD Key and click OK. Click OK on the Product ID page.

4. Click I Agree on the license agreement page.

5. Click Full Installation on the setup page.

6. Since we haven't initialized the Active Directory schema, we can't join an array. If you're running SBS, you probably have a single server, so this isn't an issue. In this example, we'll run a stand-alone ISA Server. Click Yes in the dialog box informing you it can't find the schema changes.


7. On the mode page, select the Integrated mode option and click Continue.

8. Click OK in the dialog box informing you that IIS services will be stopped and that you need to deal with port 80!

9. On the cache size page, set your cache size, click Set and then click OK.

10. On the LAT configuration page, click the Construct Table button.

11. Note how I've selected the options in the Local Address Table dialog box. This is the ONLY way I want you to do this! On the NIC selection, make sure you select the internal interface of your DC/ISA Server. Click OK. Click OK in the info box informing you that the LAT has been constructed. Click OK again.

12. Setup continues. When it's finished, click OK to open the ISA Management console. Click OK again to finish.

13. Now quickly! Right click on the Servers and Arrays node, point to View and click on the Advanced command. I take no responsibility for problems you have if you use the Taskpad view! (Actually, I don't take responsibility for anything that happens to your ISA Server.)

Packet filtering is enabled by default. There is a DNS packet filter preconfigured, so you don't need to worry about DNS query problems. You can run the DNS query tests again to confirm that all is well.

Conclusion

That's all there is to configuring the ISA Server to be a domain controller! However, if this is your only server, you still have a long row to hoe. The reason for this is that you'll have a bunch of services contending with your Web and Server publishing rules for the available ports on the external interface. In future articles, and/or in the 2nd edition of our book, we'll include all the details you need to get things like Web, FTP, NNTP, SMTP and Exchange services all working on your DC/ISA Server computer. Stay tuned and always remember, buy the book!