In the previous chapters, you planned your domain. You thought up names for your servers and for your service accounts. And now it’s time to create those accounts and start thinking about how they’ll be used.
Active Directory Domain Services (ADDS) is installed at this point and you’re going to start organizing its objects. Objects in Active Directory (AD) take various forms. For example, user accounts, security groups, distribution groups, organizational units, and containers, are all types of AD objects. When you look inside ADDS, take notice that there are essentially two different places that objects can reside: containers or organizational units (OUs).
It’s a best practice to store users and groups inside OUs. The reason for using OUs is that group policy objects (GPOs) can be applied to OUs and you use GPOs to control users and groups, as well as machines. In Chapter 7, we’ll create a GPO that controls the member of the local administrator’s group on servers that are members of our domain.
In this chapter, we’re going to create the user accounts that will be needed when we build out SharePoint.
Configuring Active Directory
Let’s open Active Directory and get started. Active Directory is where organizations should keep a record of all the people in their company, as well as all the computers, printers, scanners, servers, and other devices used by the business.
Open Active Directory
Log on to your DC (domain controller).
Open the Run bar (Windows key + R).
Type dsa.msc and click OK, as shown in Figure 4-1.
Figure 4-1. Opening Active Directory
Now that you have Active Directory open, let’s make sure that you can see the advanced features.
Advanced Features
Now let’s create a few OUs: one for service accounts, one for servers, and one for SQL servers.
Organizational Unit Creation
Right-click the domain node (FQDN) and then click New ➤ Organizational Unit, as shown in Figure 4-4.
Figure 4-4. New OU creation
Give the OU a name (e.g., Servers). Leave the Protect container from accidental deletion checked and click OK, as shown in Figure 4-5.
Figure 4-5. Name the new OU
Repeat this for SQL Servers and for People. When you get to People, make a child OU inside of the People OU. Make one for Admins and one for Svc Accounts, as shown in Figure 4-6, where you can see the two child OUs.
Figure 4-6. Child OUs inside People OU
If you recall, in Chapter 1 we created the accounts shown in Table 4-1, which are shown here for easy reference.
Table 4-1. SharePoint Service Accounts
Account Name | Purpose |
|---|---|
svc_SQLDBA | SQL Database Administrator |
svc_Install | Installation account |
svc_Farm | FarmSystem account |
svc_svcacct | SharePoint service application account |
svc_content | SharePoint web application content access account |
svc_search | SharePoint search crawler account used to access content |
svc_sync | SharePoint account used to synchronize user profiles with Active Directory |
svc_superuser | SharePoint publishing infrastructure super user account |
svc_superreader | SharePoint publishing infrastructure super reader account |
svc_unattened | SharePoint unattended access account for secure store, performance point, and Visio Graphics services |
Table 4-2 lists the various OUs that were added to Active Directory.
Table 4-2. Organizational Units Added
OU | Parent OU |
|---|---|
People | Root of domain |
Admins | People |
SharePoint Groups | People |
Svc Accounts | People |
Servers | Root of domain |
SQL Servers | Root of domain |
Creating User Accounts
OK, now that we have the OUs created, let’s create some user accounts for the service accounts. You need these service accounts before you can install SharePoint.
Tip
In a live-fire situation, you fill out all of the information; but in your home lab, you don’t have to. You can just complete full name, user logon name, and password.
Create Service Accounts
Right-click Svc Accounts OU and select New ➤ User, as shown in Figure 4-7.
Figure 4-7. New user
Enter the Full name and the User logon name, and then click Next, as shown in Figure 4-8.
Figure 4-8. Home lab names
Create a password that you can remember, keeping in mind that you will use it over and over again in this lab. Please note: in a live-fire exercise, this password needs to be rather cryptic; but in your home lab, it should just be alphanumeric: one uppercase letter, one lowercase letter, and numbers.
Enter the password and uncheck “User must change password at next logon”. Check “Password never expires” and click Next, as shown in Figure 4-9.
Figure 4-9. Password, uncheck change it, make it never expire
Click Finish.
Now you have the option to repeat the preceding steps for all of your service accounts, or you can perform the optional exercise that involves creating them programmatically using PowerShell.
(Optional) Create Remaining Service Accounts Using Powershell
Open the server dashboard. Figure 4-10 shows one way to open the dashboard.
Figure 4-10. Click this icon to open the dashboard
Click Tools and select Active Directory Administrative Center (see Figure 4-11).
Figure 4-11. The Tools menu has many things to learn about
In the left-hand menu, click the name of your domain (e.g., Tailspintoys.com), as shown in Figure 4-12.
Figure 4-12. Click your domain name
Once the ADAC changes to show your domain, drive down into the OU where you want to create the users. Figure 4-13 shows the People OU.
Figure 4-13. People OU; notice the title of the window
Tip Notice how the top of the ADAC shows which OU you’ve driven down into
Over in the right-hand menu, click New, then click user (See Figure 4-14).
Figure 4-14. Making new users
Fill out the required fields (same fields as the previous exercise), as shown in Figure 4-15.
Figure 4-15. Fill out the required fields
Select the radio button for other password options and select the “Password never expires” option (see Figure 4-15).
Enter the password and confirm it (see Figure 4-15).
Leave everything else as it is. Then scroll down to the bottom and click OK.
Now click WINDOWS POWERSHELL HISTORY at the bottom of your screen (see Figure 4-16, which shows the small PowerShell history up arrow button circled on the right).
Figure 4-16. The up arrow button
Right-click History and click Select All, and then click Copy.
New-ADUser -Name "svc_account" -Path "OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -SamAccountName "svc_account" -Server "DCAD1.Tailspintoys.com" -Type "user" -UserPrincipalName "[email protected]"Set-ADAccountPassword -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -NewPassword "System.Security.SecureString" -Reset $true -Server "DCAD1.Tailspintoys.com"Enable-ADAccount -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -Server "DCAD1.Tailspintoys.com"Set-ADAccountControl -AccountNotDelegated $false -AllowReversiblePasswordEncryption $false -CannotChangePassword $false -DoesNotRequirePreAuth $false -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -PasswordNeverExpires $true -Server "DCAD1.Tailspintoys.com" -UseDESKeyOnly $falseSet-ADUser -ChangePasswordAtLogon $false -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -Server "DCAD1.Tailspintoys.com" -SmartcardLogonRequired $falseReplace all of the : with a space ( e.g., -changePasswordAtLogon:$false is changed to -changePasswordAtLogon $false)
Set-ADUser -ChangePasswordAtLogon:$false -Identity:"CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -Server:"DCAD1.Tailspintoys.com" -SmartcardLogonRequired:$falseSet-ADUser -ChangePasswordAtLogon $false -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -Server "DCAD1.Tailspintoys.com" -SmartcardLogonRequired $falseChange the part on the Set-ADAccountPassword as follows:
From -NewPassword:"System.Security.SecureString" to-NewPassword (ConvertTo-SecureString –AsPlainText "T1peyourpasswordTextHere" –force)Remove any pound signs (#) as these indicate comments in PowerShell.
Adjust the server name to your DC name.
Make a set of these commands for each account.
Open an administrative PowerShell window on your domain controller. Right-click PowerShell and click Run as Administrator (see Figure 4-17).
Figure 4-17. Run PowerShell as Admin
Type import-module ActiveDirectory and press Enter (see Figure 4-18).
Figure 4-18. PowerShell is the way
Make one set of commands for each account, copy and paste your commands into the window, and press Enter.
PowerShell Example
Here is an example of one user account getting created. The following text in bold shows an example of what was edited:
New-ADUser -Name "svc_account" -Path "OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -SamAccountName "svc_account" -Server "DCAD1.Tailspintoys.com" -Type "user" -UserPrincipalName "svc_account@Tailspintoys.com"Set-ADAccountPassword -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -NewPassword (ConvertTo-SecureString –AsPlainText "P@ssword" –force)-Reset $true -Server "DCAD1.Tailspintoys.com"Enable-ADAccount -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -Server "DCAD1.Tailspintoys.com"Set-ADAccountControl -AccountNotDelegated $false -AllowReversiblePasswordEncryption $false -CannotChangePassword $false -DoesNotRequirePreAuth $false -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -PasswordNeverExpires $true -Server "DCAD1.Tailspintoys.com" -UseDESKeyOnly $falseSet-ADUser -ChangePasswordAtLogon $false -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -Server "DCAD1.Tailspintoys.com" -SmartcardLogonRequired $false
Tip
To create the accounts using PowerShell, you need a set of these commands for each account, modified for the proper names that correspond with your naming conventions and that match the FQDN of your domain controller.
There is another way to do this with PowerShell, where you can feed in the values for each account as a variable using a comma-separated value list and populate that into those variables, but it’s a bit outside our scope.
Thwart Those Hackers
In a real-life domain, the domain administrator account is renamed to trick hackers and make it harder for them to get total control of a domain server, or worse yet, of a domain controller. We’ll rename our domain administrator account at this point for that reason.
Now you have renamed your domain admin account.
Note
This procedure changes only the default administrator account’s logon name and account details, which can be seen by anyone that manages to enumerate a list of accounts on your system. This procedure does not affect the ability to use the administrator account to boot into Directory Services Restore Mode. —Microsoft TechNet
Let’s create some regular user accounts and an SQL service account that we can use for SharePoint and for SQL Server.
Create Regular User Accounts and the Sql Account
In this exercise, you can use the graphical user interface (GUI) or you can use PowerShell.
Create the SQL service account in the Svc Accounts OU.
Create the regular user accounts for the SharePoint Administrator in the Admins OU. Note that we did not plan the names of the Admins accounts because they’re regular users. Figure 4-19 shows what I’ve called my regular user accounts. Make two accounts, as shown in Figure 4-19.
Figure 4-19. SharePoint Admin accounts
Imagine that you have an OU created and you want to move it and all of its objects (users, groups, and computers) into another OU. What would you do? If you said right-click the OU and move it, then you are correct!
Moving OUs
Open Active Directory and then select an OU to move by right-clicking the OU. Please note: you won’t be able to move a container. The OU object has a small object that looks like a scroll as part of the icon design; whereas the container looks like a folder and it does not have a scroll on its icon, as shown in Figure 4-20.
Figure 4-20. Move an OU
After you click Move, drill down into the target OU that you’re moving the OU into and click OK, as shown in Figure 4-21.
Figure 4-21. Drill down into the target OU and click OK
To practice this, you could create an OU named SharePoint Groups in the root of your domain, and then move it under the People OU.
SharePoint uses security groups for access. Let’s create an Active Directory security group, so that we can use them for access to a SharePoint site at some future date.
Tip
There is a school of thought that believes that adding Active Directory security groups to SharePoint user groups is a best practice. I’m one of those believers. Always use AD security groups whenever possible, as oppossed to adding users directly into SharePoint groups.
Creating Ad Security Groups
Right-click the SharePoint groups OU and click New ➤ Group, as shown in Figure 4-22.
Figure 4-22. SharePoint groups OU and new group
Give the group a name, select Universal as the scope and Security as the type, and click OK.
SharePoint 2016 products require that the domain contain a container named Microsoft SharePoint Products inside of the System container. Let’s create this container now.
Create Sharepoint Service Connection Point
Log on to the domain controller.
Open the Run bar.
Type adsiedit.msc and click OK, as shown in Figure 4-23.
Figure 4-23. Open the Active Directory Services interface editor
Expand the domain (as shown in Figure 4-24), where the caption reads, “Click here to expand”.
Figure 4-24. Expand the root domain
Right-click CN=System and click New ➤ Object…, as shown in Figure 4-25.
Figure 4-25. New Object
Create a new container by selecting container and then clicking Next, as shown in Figure 4-26.
Figure 4-26. New container
Type Microsoft SharePoint Products and then click Next, as shown in Figure 4-27.
Figure 4-27. Name the new container exactly as shown
Click Finish. Do not click More Attributes (see Figure 4-28).
Figure 4-28. Click Finish
Close the Active Directory Services interface editor and then open Active Directory.
Navigate to the system container, as shown in Figure 4-29.
Figure 4-29. Set security
Right-click the Microsoft SharePoint Products container and click Properties, as shown in Figure 4-29.
Click the Security tab. Add tailspintoyssvc_install, tailspintoyssvc_farm, and tailspintoyssync, as shown in Figure 4-30.
Figure 4-30. Read, Write, and Create all child objects
Then select Read, Write, and “Create all child objects”.
Do You Want to Know More?
Please note that the information listed in Table 4-3 is not required reading.
Table 4-3. Not Required Reading, But Here If You Want to Dive Deeper
Topic | URL |
|---|---|
Microsoft Virtual Academy | |
MCSA: Server 2012 | https://www.microsoft.com/en-us/learning/mcsa-windows-server-certification.aspx |
MCSE: SharePoint | https://www.microsoft.com/en-us/learning/mcse-sharepoint-certification.aspx |
Summary
Congrats! Your home lab domain is coming along great! In this chapter, you created all of your user accounts using the GUI, PowerShell, or a combination of the two. You changed the default domain admin name in order to thwart would-be hackers. You also created a service connection point for SharePoint 2016.
Keep on moving forward to create host (A) records, canonical name (CNAME) records, and pointer (PTR) records. You’ll also review the service location (SVC) record for utilization in your domain.
This is exciting. You’re almost ready to join the SharePoint 2016 member servers and SQL Server to the domain. After which, you’ll install SQL. Let’s go to work on DNS!