
Installing ISA Server on a Domain Controller.

One particularly vexing problem that comes up often on the ISAserver.org mailing list and Web boards is how to deal with installing ISA Server on a domain controller (DC). Although it’s generally a bad idea from a security standpoint to install ISA Server on a DC, people stuck with Small Business Server (SBS) apparently have to put all of their eggs in one basket.

Although I haven’t used SBS, from what I can tell, the license agreement requires that you install all of the SBS server components on the same computer. That means you have to run ISA Server on the same machine as everything else, including Active Directory, SQL Server and Exchange.

From what I can tell from the web and mail postings, the majority of problems are related to interface and DNS configuration. Remember that an Active Directory DC must have a DNS server in which to register its Active Directory related entries. If you have only one DC, that DC must also be your DNS server.

Another problematic issue with the ISA/DC combination is that the DC must be multihomed. Multihomed DCs have their own issues, especially in the realm of NetBIOS and the browser service. The reason for this is that the Windows 2000 Active Directory DC also acts as the PDC emulator, which makes it the domain master browser and the master browser on its network segment.


Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder


What we’ll do here is go over the installation of Windows 2000 and then the configuration of various services to ensure that everything works correctly on your Windows 2000 DC. Specifically, we’ll cover:

  • Installing Windows 2000
  • Configuring DNS Server and DNS Zone Properties
  • Configuring the DNS Server Forward and Reverse Lookup Zones
  • Promoting the Machine to a Domain Controller
  • Configuring the DNS Forwarder
  • Testing the DNS Server
  • Installing ISA Server

    Installing Windows 2000


    The first step is to get Windows 2000 installed. If you already have Windows 2000 installed, you might want to consider reinstalling. There’s nothing like a clean machine to help you avoid catastrophic ISA Server problems. Requirements for installing Windows 2000 and ISA Server on a DC are:

  • Windows 2000 Server, Advanced Server or Datacenter Server
  • Plenty of RAM! At least 512 MB, and more is better
  • Make sure all NICs you plan to use are already installed – DCs hate it when you add NICs to them
  • Do not plug the external interface into the Internet during installation or you will get whacked before the ISA Server installation is complete

    There are other hardware requirements, but these are the most important elements to your success. Let’s get started installing Windows 2000:



    1. Boot the CD. Format the partitions if required and do all the other steps required during the text mode phase of installation. There are no special installation requirements to make a DC work during this phase of the installation.
    2. Reboot into the GUI mode phase. On the Regional Settings page, make any changes you need and then click Next.
    3. On the Personalize Your Software page, enter your Name and Organization information and click Next.
    4. On the Your Product Key page, type in your key and click Next.
    5. On the Licensing Mode page, select the appropriate licensing mode for your server and click Next.
    6. On the Computer Name and Administrator Password page, enter the computer (NetBIOS) name for your computer and a complex Administrator password. By complex, I mean complex! I always use 17+ characters with mixed case letters, numbers and symbols. I figure if they can crack these passwords, they’re too good for me. Click Next.
    7. The Windows Components page is a key page, so pay attention!

    Double click on Internet Information Services. If you need to support FTP and NNTP, make the appropriate selections on the Internet Information Services (IIS) page. I generally recommend that you minimize the number of IIS services running on the ISA Server, but if you are using SBS, you may be stuck running all of these on the ISA/DC machine. Click OK on the Internet Information Services page.



    Back in the Windows 2000 Components page, double click on the Management and Monitoring Tools node. Select the Network Monitor Tools option. You might also want to select the Simple Network Management Protocol option if you use SNMP management stations to manage your Windows 2000 Servers. If you use CMAK, you can install that too. Click OK in the Management and Monitoring Tools dialog box.



    Double click on the Networking Services entry. At the very least, you need to install DNS and WINS. Scroll through the list of networking services and make those selections. Then click OK in the Network Services dialog box.


    Note:


    If you install WINS, you must disable NetBIOS on the external interface of the ISA/DC computer. If you don’t disable NetBIOS, the external IP address of the ISA/DC will be registered in WINS for all sorts of things you don’t want it registered for. Don’t disable NetBIOS until you’re all done with EVERYTHING in this article. Before disabling NetBIOS, check out the entries in the WINS database for the external IP address of the ISA/DC computer. It’ll be a real learning experience! Also, make sure to delete those entries after you’ve disabled NetBIOS on the external interface.



    8. Double click on the Terminal Services option. Select Enable Terminal Services. If you also need the Terminal Services client installation files, select the Client Creator Files option. Click OK in the Terminal Services dialog box.
    9. Click Next in the Windows 2000 Components page.
    10. On the Date and Time Settings page, set the correct date, time and time zone. Click Next.
    11. On the Terminal Services Setup page, select the Remote administration mode option and click Next.
    12. On the Networking Settings page, select the Custom Settings option. Click Next.
    13. On the Networking Components page, you are presented with the configuration settings dialog box for the external interface of the ISA Server. I refer to this adapter as the external interface because this interface will be listed second on the list of adapters in the Advanced network adapter settings. If you don’t want this to be the external interface, you’ll have to manually change its priority after installation is complete. Remove the checkmarks from the Client for Microsoft Networks and File and Printer Sharing entries. Double click on the Internet Protocol (TCP/IP) entry.

    Note:


    After Windows 2000 installation is complete, you might want to rename the interfaces to make them easier to work with. Give them names like InternalNIC and ExternalNIC. Don’t use names like internal and external because the name internal is also used by the RRAS console to represent the interface used by RAS clients. This could cause some unneeded confusion.



    14. In the Internet Protocol (TCP/IP) Properties dialog box, type in the IP addressing information appropriate for your external interface. Make sure you enter your ISP’s DNS server address in the Preferred DNS server text box. The Default gateway will either be assigned by your ISP, or will be the LAN interface of your router that connects to the Internet. Click on the Advanced button.
    15. Click the DNS tab. Remove the checkmark from the Append parent suffixes of the primary DNS suffix checkbox. There’s no reason for your external interface to devolve queries to your ISP’s DNS server, so this might improve performance in certain situations. Also, remove the checkmark from the Register this connection’s addresses in DNS checkbox. Your ISP isn’t interested in registering your external interface and it’s unlikely it supports DDNS. Click OK. You’ll get an information message telling you your WINS address is empty. Click Yes. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box. Click Next in the Networking Components page.


    Reminder!


    You should disable NetBIOS on the external interface of the DC/ISA Server computer in order to prevent problems with the Browser service and prevent browser announcements from trying to go out the external interface. All they’ll do is fill up your logs since later you will enable packet filtering to block NetBIOS communications on the external interface. But don’t do this until you’re all done with everything we talk about in this article.



    16. You are presented with the Networking Components page for the internal interface of the ISA/DC computer. Double click on the Internet Protocol (TCP/IP) entry. Enter the internal IP address and Subnet mask. Make sure that you make the Preferred DNS server the IP address of the internal interface. This is vitally important since this machine is going to be a DNS server for your Active Directory domain.



    17. Click the Advanced button. Click on the WINS tab. Click the Add button and add the IP address of the internal interface of the ISA/DC computer. You want only this IP address to register with WINS. You do not want the external interface to register with WINS. Click OK in the Advanced TCP/IP Settings dialog box after you have added the WINS server address. Click OK in the Internet Protocol (TCP/IP) Properties dialog box. Click Next on the Networking Components page.
    18. On the Workgroup or Computer Domain page, leave the default selection as it is. There isn’t a domain yet for it to join. Click Next.
    19. The installation Wizard completes installing and configuring the services you selected. Click Finish to restart the computer when it’s done.
    20. After the computer restarts, immediately install Service Pack 2.
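    Once the machine is back up, it is worth checking the two interfaces against the rules in the steps above before going any further, because a wrong DNS or WINS entry on the external interface is exactly the kind of mistake that surfaces later as a broken DCPROMO or browser-service noise. The following script is an added example, not part of the original article or of ISA Server: it parses text in the shape of ipconfig /all output and reports any departure from the layout described above. The sample output is constructed (hypothetical addresses, adapter names InternalNIC and ExternalNIC as the Note above suggests); the NetBIOS over Tcpip line is an assumption, since Windows 2000’s ipconfig does not print it while later versions do, and the rule that only the external adapter carries a default gateway is standard multihomed-firewall practice rather than a step stated above.

```python
"""Check a multihomed ISA/DC interface layout against the interface rules above.

Added example, not from the original article.  parse_ipconfig() reads text in
the shape of `ipconfig /all` output; check_isa_dc_interfaces() applies the
rules: internal NIC points at itself for DNS and WINS, external NIC uses the
ISP's resolver, has no WINS server, carries the default gateway and has
NetBIOS disabled.  Only the first listed DNS/WINS server per adapter is read.
"""
import re

# Constructed sample (not captured from a real host).  It follows the
# procedure above except for one deliberate slip: the external NIC has been
# given a WINS server, which the check below should flag.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : isadc
        Primary DNS Suffix  . . . . . . . : corp.example

Ethernet adapter InternalNIC:

        Connection-specific DNS Suffix  . :
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 10.0.0.1
        Primary WINS Server . . . . . . . : 10.0.0.1
        NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter ExternalNIC:

        Connection-specific DNS Suffix  . :
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 203.0.113.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
        Primary WINS Server . . . . . . . : 203.0.113.10
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
# field name, run of dots/spaces, colon, value (value may be empty)
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}}; global header lines are skipped."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return adapters


def check_isa_dc_interfaces(adapters, internal, external):
    """Apply the interface rules; return a list of problem strings (empty = OK)."""
    problems = []
    i, e = adapters[internal], adapters[external]
    int_ip = i.get("IP Address", "")
    # Internal NIC must use itself as preferred DNS: it will host the AD zone.
    if i.get("DNS Servers") != int_ip:
        problems.append(f"{internal}: preferred DNS server must be {int_ip}")
    # Only the internal address registers with WINS.
    if i.get("Primary WINS Server") != int_ip:
        problems.append(f"{internal}: WINS server must be {int_ip}")
    if e.get("Primary WINS Server", ""):
        problems.append(f"{external}: must not have a WINS server configured")
    # External NIC resolves through the ISP, never through the DC itself.
    if e.get("DNS Servers", "") in ("", int_ip, e.get("IP Address", "")):
        problems.append(f"{external}: DNS server should be the ISP's resolver")
    # Default gateway belongs on the external NIC only (assumed rule, see docstring).
    if i.get("Default Gateway", ""):
        problems.append(f"{internal}: must not have a default gateway")
    if not e.get("Default Gateway", ""):
        problems.append(f"{external}: needs a default gateway")
    # NetBIOS stays off on the external NIC (assumed field name, see docstring).
    if e.get("NetBIOS over Tcpip", "Enabled") != "Disabled":
        problems.append(f"{external}: NetBIOS over TCP/IP must be disabled")
    return problems


if __name__ == "__main__":
    found = check_isa_dc_interfaces(parse_ipconfig(SAMPLE_IPCONFIG),
                                    "InternalNIC", "ExternalNIC")
    print("\n".join(found) if found else "interface layout looks correct")
```

    To use it on a real machine, redirect ipconfig /all to a file, read that file in place of SAMPLE_IPCONFIG and pass your own adapter names; on Windows 2000, where the NetBIOS line is absent, the script treats NetBIOS as enabled and will keep reminding you until you reach the point in the article where it is meant to be disabled.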

    Configuring the DNS Server Forward and Reverse Lookup Zones


    Configuring the DNS Server properly before you run DCPROMO is critical to your success. Many ISA Server admins end up painting themselves into a corner because they’ve promoted the machine to a DC before configuring DNS. A basic rule of thumb is to never trust the Active Directory DNS Wizard and do it yourself.


    Perform the following steps to configure your DNS Server:



    1. Click Start, point to Administrative Tools and click on DNS.
    2. Expand all the nodes and then right click on Forward Lookup Zone. Point to View and click on Advanced.
    3. Right click on Reverse Lookup Zone and click New Zone. Click Next on the Welcome page.
    4. On the Reverse Lookup Zone page, type in the network ID for the segment connected to the internal interface of the DC/ISA Server computer. You may need to create additional reverse lookup zones if you have multiple segments on your internal network. Click Next.



    5. On the Zone File page, accept the default name for the DNS zone file and click Next.
    6. On the Completing the New Zone Wizard page, click Finish.

    The next step is to configure the Forward Lookup Zone:



    1. Right click on the Forward Lookup Zone node and click New Zone. Click Next on the Welcome page.
    2. On the Zone Type page, select Standard Primary and click Next.
    3. On the Zone Name page, type in the internal network domain name. Click Next.



    4. On the Zone File page, accept the default name for the DNS zone file and click Next.
    5. Click Finish on the Completing the New Zone Wizard page.
    6. Right click on the Zone that you just created and click the New Host command.
    7. In the New Host dialog box, type in the host name of the DC/ISA Server computer, the IP address of the internal interface, and select the Create associated pointer (PTR) record. Click Add Host. An information message will appear that says the record was created. Click OK. Click Done in the New Host dialog box.
    8. Check both the Forward and Reverse lookup zones to confirm that the records were created for the DC/ISA Server computer. Click the Refresh button if you don’t see the records.

    Configuring DNS Server and DNS Zone Properties


    Now let’s configure the DNS Server and Zone properties:



    1. Right click on your DNS Server name and click Properties.
    2. In the server Properties dialog box, click the Interfaces tab. Click the Only the following IP addresses option. Then click on the external IP address of the DC/ISA Server computer and click the Remove button. Click Apply.
    3. Click the Root Hints tab and confirm for yourself that the Root Hints file has been primed.
    4. At this point we won’t get into Forwarders, we’ll just let the DNS server perform recursion itself. Click OK.
    5. Right click on the Zone you just created and click Properties.
    6. Click on the General tab. Change the setting for Allow Dynamic Updates to Yes. Click the WINS tab.
    7. On the WINS tab, select the Use WINS forward lookup. Type in the IP address of the internal interface of the DC/ISA Server computer and click Add.
    8. Click the Zone Transfers tab. Select the Only to servers listed on the Name Servers tab option.
    9. Click the Name Servers tab. If the IP address is listed as unknown, select your computer name and click the Edit button. Click the Browse button in the Edit Record dialog box. Double click on your computer name, then double click on Forward Lookup Zones and then double click on your Forward Lookup Zone. Double click on your computer name. Click OK, and then click Apply. Click OK to close the Properties dialog box.


    Promoting the Machine to a Domain Controller


    Now you’re ready to promote the machine to a domain controller. If you haven’t forgotten anything, this should go smoothly.



    1. Click Start and click the Run command.
    2. In the Run dialog box, type dcpromo in the Open text box. Click OK.
    3. Click Next on the Welcome page.
    4. Select the Domain Controller for a new domain and click Next.
    5. Select Create a new domain tree and click Next.
    6. Select Create a new forest of domain trees and click Next.
    7. In the New Domain Name text box, type in the full domain name and click Next.



    8. On the NetBIOS Domain Name page, go with the default. Note that if you made your domain name too long, the NetBIOS name may be truncated. If so, you might want to rethink your domain name. Click Next.



    9. On the Database and Log Locations page, make any required changes from the defaults and click Next.
    10. On the Shared System Volume page, make any required change and click Next.
    11. You will see an information dialog box informing you that the Wizard can’t contact a server authoritative for the Active Directory domain. That’s to be expected since you’re not done yet! Click OK to continue.
    12. On the Configure DNS page, select No, I will install and configure DNS myself. NEVER allow the Wizard to do this! Click Next.
    13. Select the appropriate permissions for your environment and click Next.
    14. Enter your Directory Services Restore Mode password and confirm it. Click Next.
    15. Review your settings to make sure everything is correct, then click Next.
    16. If everything is configured correctly, it should take less than 5 minutes to complete the Active Directory configuration. Click Finish on the Completing the Active Directory Installation Wizard page.
    17. In the Active Directory Installation Wizard dialog box, click the Restart Now button.
    18. When the server restarts, it may take a while since it’s populating the DNS server zone file with Active Directory related records. Log onto the domain.
    19. Wait about 5 minutes, and then open the DNS console. Expand the Forward Lookup Zone for your domain and you should see the Active Directory related records.
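    If you would rather not eyeball the DNS console for the Active Directory records, you can read the zone file the DNS service writes for a Standard Primary zone and check for the SRV records Netlogon registers. The script below is an added example, not from the original article or from Microsoft: it parses a zone file in the style the Windows DNS service writes under %SystemRoot%\system32\dns and lists the DC records that are missing. The zone text is constructed for the hypothetical domain corp.example and DC host name isadc, and one record (_kpasswd._tcp) has been left out on purpose so the check has something to report.

```python
"""Verify that a Windows DNS zone file holds the records a domain controller registers.

Added example, not part of the original article.  parse_zone() handles the
constructs the Windows DNS service writes: ';' comments, '@' for the zone
apex, relative owner names, $ORIGIN, optional TTL and class fields, owner
names inherited from the previous line, and the SOA rdata continued across
lines inside parentheses.  missing_dc_records() then checks for the host (A)
record created in the New Host step and the SRV records Netlogon registers.
"""

ZONE_NAME = "corp.example"      # hypothetical internal domain
DC_HOST = "isadc"               # hypothetical DC host name
DC_IP = "10.0.0.1"              # hypothetical internal interface address

# Constructed sample zone file; _kpasswd._tcp is deliberately absent.
SAMPLE_ZONE = """\
;
;  Database file corp.example.dns for corp.example zone (constructed sample).
;
@                       IN  SOA isadc.corp.example.  admin.corp.example. (
                            22          ; serial number
                            900         ; refresh
                            600         ; retry
                            86400       ; expire
                            3600      ) ; default TTL
@                       NS  isadc.corp.example.
@                       600 A   10.0.0.1
isadc                   A   10.0.0.1
_gc._tcp                600 SRV 0 100 3268 isadc.corp.example.
_kerberos._tcp          600 SRV 0 100 88   isadc.corp.example.
_ldap._tcp              600 SRV 0 100 389  isadc.corp.example.
$ORIGIN dc._msdcs.corp.example.
_kerberos._tcp          600 SRV 0 100 88   isadc.corp.example.
_ldap._tcp              600 SRV 0 100 389  isadc.corp.example.
"""


def parse_zone(text, zone):
    """Return a list of (owner fqdn, record type, rdata) tuples."""
    origin = zone.rstrip(".") + "."
    records, owner, buf, depth, has_owner = [], None, "", 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not buf:                                # first physical line of a record
            has_owner = not raw[0].isspace()       # owner present unless indented
        buf = (buf + " " + line).strip()
        depth += line.count("(") - line.count(")")
        if depth > 0:                              # rdata continues on next line
            continue
        fields = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        if has_owner:
            owner, fields = fields[0], fields[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                          # optional TTL and class
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if owner == "@":
            name = origin
        elif owner.endswith("."):
            name = owner
        else:
            name = f"{owner}.{origin}"
        records.append((name.lower(), rtype, rdata))
    return records


def missing_dc_records(records, zone, dc_host, dc_ip):
    """Return descriptions of DC records the zone should hold but does not."""
    z = zone.rstrip(".") + "."
    host = f"{dc_host}.{z}".lower()
    missing = []
    if (host, "A", dc_ip) not in records:
        missing.append(f"{host} A {dc_ip}")
    # SRV records a Windows 2000 DC (and global catalog) registers in its own domain.
    for name in ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp", "_gc._tcp",
                 "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs"):
        fqdn = f"{name}.{z}"
        if not any(n == fqdn and t == "SRV" and r.lower().endswith(host)
                   for n, t, r in records):
            missing.append(f"{fqdn} SRV")
    return missing


if __name__ == "__main__":
    gaps = missing_dc_records(parse_zone(SAMPLE_ZONE, ZONE_NAME),
                              ZONE_NAME, DC_HOST, DC_IP)
    print("\n".join(gaps) if gaps else "all expected DC records present")
```

    On a real server, read the zone file for your domain in place of SAMPLE_ZONE and set ZONE_NAME, DC_HOST and DC_IP to your own values. A missing record usually means dynamic updates were not enabled on the zone, or the internal interface is not using the DC’s own address as its preferred DNS server; restarting the Netlogon service re-registers the records once that is fixed.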

    Configuring the DNS Forwarder


    At this point you should consider using a Forwarder to resolve domain names for those domains that your server is not authoritative for. In practice, this includes all other domains except your own! In the DNS console, perform the following steps:



    1. Right click on your server name and click Properties.
    2. In the server Properties dialog box, click the Forwarders tab.
    3. On the Forwarders tab, select the Enable forwarders option. Then type in the IP address(es) of your ISP’s DNS server(s) and click the Add button. Place a checkmark in the Do not use recursion checkbox. This will improve performance significantly. Click Apply and then click OK.
    4. Right click on your server name, point to All Tasks and then click the Restart command. This will restart the DNS server service.

    Testing the DNS Server


    OK, now the moment of truth! Does your DNS server work? That is, can it resolve local and remote domain names? Check it out! Here’s how:



    1. In the DNS console, right click on your server name and click Properties.
    2. In the server Properties dialog box, click on the Monitoring tab.
    3. On the Monitoring tab, place a checkmark in the A simple query against a DNS server checkbox. Then click the Test Now button. You should see a PASS entry in the Simple Query column.
    4. Remove the checkmark from the A simple query against this DNS server checkbox. Place a checkmark in the A recursive query to other DNS servers checkbox. Click the Test Now button. You should see a PASS in the Recursive Query column.

    Congratulations! You’ve installed DNS and Active Directory on your computer and it’s all working.


    Installing ISA Server


    There really aren’t any special steps you need to take when installing ISA Server on the DC. But we’ll go through the procedure just to be thorough.



    1. Put the ISA Server CD into the tray and when the autoplay dialog box appears, click the Install ISA Server button.
    2. On the Welcome page, click Continue.
    3. On the CD Key page, type in your CD Key and click OK. Click OK on the Product ID page.
    4. Click I Agree on the license agreement page.
    5. Click Full Installation on the setup page.
    6. Since we haven’t initialized the Active Directory, we can’t join an array. If you’re running SBS, you probably have a single server, so this isn’t an issue. In this example, we’ll run a stand-alone ISA Server. Click Yes in the dialog box informing you it can’t find the schema changes.
    7. On the mode page, select the Integrated mode option and click Continue.
    8. Click OK in the dialog box informing you that IIS services will be stopped and that you need to deal with port 80!
    9. On the cache size page, set your cache size, click Set and then click OK.
    10. On the LAT configuration page, click the Construct Table button.



    11. Note how I’ve selected the options in the Local Address Table dialog box. This is the ONLY way I want you to do this! On the NIC selection, make sure you select the internal interface of your DC/ISA Server. Click OK. Click OK in the info box informing you that the LAT has been constructed. Click OK again.
    12. Setup continues. When it’s finished, click OK to open the ISA Management console. Click OK again to finish.
    13. Now quickly! Right click on the Servers and Arrays node, point to View and click on the Advanced command. I take no responsibility for problems you have if you use the Taskpad view! (Actually, I don’t take responsibility for anything that happens to your ISA Server.)

    Packet filtering is enabled by default. There is a DNS packet filter preconfigured, so you don’t need to worry about DNS query problems. You can run the DNS query tests again to confirm that all is well.


    Conclusion


    That’s all there is to installing ISA Server on a domain controller! However, if this is your only server, you still have a long row to hoe. The reason for this is that you’ll have a bunch of services contending with your Web and Server publishing rules for the available ports on the external interface. In future articles, and/or in the 2nd edition of our book, we’ll include all the details you need to get things like Web, FTP, NNTP, SMTP and Exchange services all working on your DC/ISA Server computer. Stay tuned and always remember, buy the book!