-- Main.ctucker - 04 Aug 2010

Plan For Implementing Campus Active Directory Prototype As Proof Of Concept

ADUwCampus outlines a proposed Active Directory forest structure that would conform to the security and management needs of the UW campus. In this document we plan the implementation of a small section of that forest as a proof of concept.

Domains

To begin with we intend to establish only three domains: the forest root (UW or uwaterloo.ca), one user domain (UW-GENERAL or general.uwaterloo.ca) and one CS domain (CS or cs.uwaterloo.ca).

Domain Controllers

As this is not intended to be a production forest, each domain could get away with just two domain controllers rather than three. Thus, with three domains, we require six domain controllers in service to establish this prototype forest. We could likely create them as a series of virtual servers housed on one piece of server hardware.

Virtual Servers

We already have a sysprep'ed image of a Windows Server 2008 Enterprise Edition OS. It has already been used as the basis for creating the following production terminal servers.

  • elegans4.student.cs.uwaterloo.ca
  • elegans5.student.cs.uwaterloo.ca
  • barbarus3.cs.uwaterloo.ca

In principle, it should be a simple matter to take this sysprep'ed Windows Server image and place it onto a newly created virtual machine. Starting the virtual server will then initiate the sysprep'ed install process for the Windows OS.

Once a stand-alone server is created, its conversion to a domain controller is started using the dcpromo command from any command prompt on the new server.

DNS Servers

As we did for CSCF's existing AD (see ADDnsConfiguration), we can establish dynamic DNS servers for the prototype forest. They would be installed on two of the domain controllers in the new forest, and DCs within the new forest will be DNS clients of these servers and none others. This creates a private DNS space for the prototype forest which will not conflict with the existing CS or UW DNS space. Thus we could create domains with DNS names such as uwaterloo.ca and cs.uwaterloo.ca within the prototype forest that would go unnoticed outside this forest. Indeed, as these domain controllers are only temporary, we would not even need to give them names in Maintain.

Certificate Authority

If we are to populate the user domain using HR and Registrar information, we shall have to create a forest-based certificate authority as we did for our production forest (see ADLdapS and ADLdapSPasswd). This will allow us to maintain, on an administration server (like cscf.cs), secure authentication credentials for a service account in the user domain which has accounts maintenance authority.

How To Proceed With Forest Creation

  1. Acquire hardware for running virtual servers. It should have the capacity to support six basic Windows 2008 domain controllers. System requirements for a Windows Server 2008 Enterprise server are as follows:
    • 64-bit processor, 2 GHz
    • 2 GB RAM
    • 40 GB hard drive
  2. Create one virtual server and install CSCF's current Windows Server 2008 image onto it.
  3. Copy this server image five more times, creating six virtual servers.
  4. Activate one virtual server and allow the stand-alone server installation to complete.
  5. Use dcpromo to establish the first forest domain controller and the forest root domain (UW or uwaterloo.ca).
  6. Install a DNS server on the first domain controller and make the domain controller a DNS client of itself.
  7. Activate a second virtual server and allow the stand-alone server installation to complete.
  8. Use dcpromo to establish it as a new domain controller within the forest root domain (UW or uwaterloo.ca).
  9. Make this new domain controller a DNS client of the DNS server on the first domain controller.
  10. Repeat steps 1 through 9, establishing the user subdomain called UW-GENERAL or general.uwaterloo.ca.
  11. Make both domain controllers in UW-GENERAL DNS clients of the DNS server set up in UW.
  12. Repeat steps 1 through 9, establishing the service subdomain called CS or cs.uwaterloo.ca.
  13. Make both domain controllers in CS DNS clients of the DNS server set up in UW.
  14. Install a secondary DNS server on one of the domain controllers in the UW-GENERAL domain.
  15. Make this the secondary DNS server for all the domain controllers in the prototype forest.
  16. Perform the one-time Active Directory configuration as outlined in ADAddSolaris10:
    • Extend the Active Directory schema to include RFC 2307 attributes (already present for Windows 2008)
    • Allow anonymous read of Active Directory LDAP information
    • Enforce the TCP protocol for Kerberos connections
  17. Create an Accounts Maintenance service account with a complex password and grant it authority to manage common user accounts in the user domain UW-GENERAL.
  18. Create a forest-based Certificate Authority as outlined in ADLdapS.
  19. Create key certificates for the Accounts Maintenance service account as outlined in ADLdapSPasswd.
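The following PowerShell script is an added example, not part of the original plan or CSCF's own tooling. It drives steps 4 through 10 above with a dcpromo unattend answer file: it first points the server's DNS client only at the prototype forest's DNS (so the private uwaterloo.ca namespace never leaks to campus DNS), then promotes the server in the requested role. The first DC's address (10.0.0.1), the adapter name and the answer-file path are assumptions; on the first DC pass its own address as -FirstDcAddress.

```powershell
# Added example (not from the original page): dcpromo unattend driver for the
# prototype forest on Windows Server 2008. Run from an elevated prompt.
param(
    [Parameter(Mandatory=$true)][ValidateSet("forest","replica","child")]
    [string]$Role,
    [string]$FirstDcAddress = "10.0.0.1",        # assumed: DNS server on first DC
    [string]$Interface = "Local Area Connection"  # assumed adapter name
)

# Steps 6/9/11/13: every prototype DC resolves only against the forest's own
# DNS, so names like uwaterloo.ca in this forest never reach campus resolvers.
netsh interface ipv4 set dnsservers name="$Interface" source=static `
      address=$FirstDcAddress primary

# The DSRM password is read at the prompt rather than stored in the script;
# "Password=*" below makes dcpromo prompt for the domain credentials as well.
$dsrm = Read-Host "Directory Services Restore Mode password"

$common = @"
[DCInstall]
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=no
"@

$roleKeys = switch ($Role) {
  # Step 5: first DC creates the forest root UW / uwaterloo.ca and hosts DNS.
  "forest"  { "ReplicaOrNewDomain=domain`nNewDomain=forest`n" +
              "NewDomainDNSName=uwaterloo.ca`nDomainNetBiosName=UW`n" +
              "InstallDNS=yes`nForestLevel=3`nDomainLevel=3" }
  # Step 8: second DC joins the existing forest root domain.
  "replica" { "ReplicaOrNewDomain=replica`nReplicaDomainDNSName=uwaterloo.ca`n" +
              "UserDomain=UW`nUserName=Administrator`nPassword=*" }
  # Step 10: first DC of the child domain (UW-GENERAL shown; CS is analogous).
  "child"   { "ReplicaOrNewDomain=domain`nNewDomain=child`n" +
              "ParentDomainDNSName=uwaterloo.ca`nChildName=general`n" +
              "DomainNetBiosName=UW-GENERAL`nUserDomain=UW`n" +
              "UserName=Administrator`nPassword=*" }
}

$answerFile = "$env:TEMP\dcpromo-$Role.txt"   # assumed path
Set-Content -Path $answerFile -Value ($common + $roleKeys)
dcpromo /unattend:$answerFile
# The answer file holds the DSRM password in clear text: remove it before reboot.
Remove-Item $answerFile -Force
shutdown /r /t 0
```

After each reboot, `nslookup uwaterloo.ca` on the new DC should answer from the prototype DNS server only; an answer from a campus resolver means the DNS client settings were not applied.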
Topic revision: r3 - 2013-02-01 - DrewPilcher