© Stacy Simpkins 2016

Stacy Simpkins, Building a SharePoint 2016 Home Lab, 10.1007/978-1-4842-2170-9_4

4. Active Directory

Stacy Simpkins

(1)Brandon, Florida, USA

In the previous chapters, you planned your domain. You thought up names for your servers and for your service accounts. And now it’s time to create those accounts and start thinking about how they’ll be used.

Active Directory Domain Services (ADDS) is installed at this point and you’re going to start organizing its objects. Objects in Active Directory (AD) take various forms. For example, user accounts, security groups, distribution groups, organizational units, and containers are all types of AD objects. When you look inside ADDS, take notice that there are essentially two different places that objects can reside: containers or organizational units (OUs).

It’s a best practice to store users and groups inside OUs. The reason for using OUs is that group policy objects (GPOs) can be applied to OUs, and you use GPOs to control users and groups, as well as machines. In Chapter 7, we’ll create a GPO that controls the membership of the local Administrators group on servers that are members of our domain.

In this chapter, we’re going to create the user accounts that will be needed when we build out SharePoint.

Configuring Active Directory

Let’s open Active Directory and get started. Active Directory is where organizations should keep a record of all the people in their company, as well as all the computers, printers, scanners, servers, and other devices used by the business.

Now that you have Active Directory open, let’s make sure that you can see the advanced features.

Now let’s create a few OUs: one for service accounts, one for servers, and one for SQL servers.

Creating User Accounts

OK, now that we have the OUs created, let’s create some user accounts for the service accounts. You need these service accounts before you can install SharePoint.

Tip

In a live-fire situation, you fill out all of the information; but in your home lab, you don’t have to. You can just complete full name, user logon name, and password.

Now you have the option to repeat the preceding steps for all of your service accounts, or you can perform the optional exercise that involves creating them programmatically using PowerShell.

PowerShell Example

Here is an example of one user account getting created. The parts that were edited for this account, shown in bold in the original, are the account name (svc_account), the OU path, the domain controller FQDN (DCAD1.Tailspintoys.com), and the domain name; change them to match your own naming conventions:

# Create the (disabled) user object in the Svc Accounts OU
New-ADUser -Name "svc_account" -Path "OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -SamAccountName "svc_account" -Server "DCAD1.Tailspintoys.com" -Type "user" -UserPrincipalName "svc_account@Tailspintoys.com"
# Set the initial password (lab-only value; -Reset is a switch, so it takes the colon form)
Set-ADAccountPassword -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssword" -Force) -Reset:$true -Server "DCAD1.Tailspintoys.com"
# Enable the account now that it has a password
Enable-ADAccount -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -Server "DCAD1.Tailspintoys.com"
# Service-account flags: password never expires, no DES keys, no reversible encryption, Kerberos pre-auth required
Set-ADAccountControl -AccountNotDelegated $false -AllowReversiblePasswordEncryption $false -CannotChangePassword $false -DoesNotRequirePreAuth $false -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -PasswordNeverExpires $true -Server "DCAD1.Tailspintoys.com" -UseDESKeyOnly $false
# Do not force a password change at first logon; no smart card required
Set-ADUser -ChangePasswordAtLogon $false -Identity "CN=svc_account,OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com" -Server "DCAD1.Tailspintoys.com" -SmartcardLogonRequired $false

Tip

To create the accounts using PowerShell, you need a set of these commands for each account, modified for the proper names that correspond with your naming conventions and that match the FQDN of your domain controller.

There is another way to do this with PowerShell, where you can feed in the values for each account as a variable using a comma-separated value list and populate that into those variables, but it’s a bit outside our scope.
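The CSV-driven approach mentioned above, written out as an added example (not the book's own code): each row becomes one account, and New-ADUser's -AccountPassword and -Enabled parameters collapse the separate password, enable, and account-control steps from the example above into one call. It assumes the ActiveDirectory module, the DCAD1.Tailspintoys.com domain controller and Svc Accounts OU from the example, and a constructed inline CSV with hypothetical account names standing in for a real Import-Csv file.

```powershell
# Added example (not from the book): bulk-create service accounts from CSV rows.
Import-Module ActiveDirectory

$Server = "DCAD1.Tailspintoys.com"   # DC FQDN from the chapter's example
$Domain = "Tailspintoys.com"
$OU     = "OU=Svc Accounts,OU=People,DC=Tailspintoys,DC=com"

# Constructed sample rows with hypothetical names; a real run would use
# Import-Csv .\svc_accounts.csv with the same two columns.
$Accounts = @"
SamAccountName,Description
svc_spfarm,SharePoint farm account
svc_spapp,SharePoint application pool account
svc_sql,SQL Server service account
"@ | ConvertFrom-Csv

# Prompt once; the secure string is never written into the script or console history
$Password = Read-Host -Prompt "Initial password for all service accounts" -AsSecureString

foreach ($acct in $Accounts) {
    $sam = $acct.SamAccountName

    # Idempotent: skip accounts that already exist so the script can be re-run safely
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -Server $Server) {
        Write-Warning "$sam already exists, skipping"
        continue
    }

    try {
        # Same settings as the per-account example: in the Svc Accounts OU, enabled,
        # password never expires, no forced change at first logon
        New-ADUser -Name $sam `
            -SamAccountName $sam `
            -UserPrincipalName "$sam@$Domain" `
            -Path $OU `
            -Description $acct.Description `
            -AccountPassword $Password `
            -Enabled $true `
            -PasswordNeverExpires $true `
            -ChangePasswordAtLogon $false `
            -Server $Server `
            -ErrorAction Stop
        Write-Host "Created $sam in $OU"
    }
    catch {
        # Typical cause: the password does not meet the domain's complexity policy
        Write-Error "Failed to create ${sam}: $_"
    }
}
```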

Thwart Those Hackers

In a real-life domain, the domain administrator account is renamed to trick hackers and make it harder for them to get total control of a domain server, or worse yet, of a domain controller. We’ll rename our domain administrator account at this point for that reason.

Now you have renamed your domain admin account.

Note

This procedure changes only the default administrator account’s logon name and account details, which can be seen by anyone that manages to enumerate a list of accounts on your system. This procedure does not affect the ability to use the administrator account to boot into Directory Services Restore Mode. —Microsoft TechNet

Let’s create some regular user accounts and an SQL service account that we can use for SharePoint and for SQL Server.

Imagine that you have an OU created and you want to move it and all of its objects (users, groups, and computers) into another OU. What would you do? If you said right-click the OU and move it, then you are correct!

SharePoint uses security groups for access. Let’s create an Active Directory security group, so that we can use it for access to a SharePoint site at some future date.

Tip

There is a school of thought that believes that adding Active Directory security groups to SharePoint user groups is a best practice. I’m one of those believers. Always use AD security groups whenever possible, as opposed to adding users directly into SharePoint groups.

SharePoint 2016 products require that the domain contain a container named Microsoft SharePoint Products inside of the System container. Let’s create this container now.

Do You Want to Know More?

Please note that the information listed in Table 4-3 is not required reading.

Table 4-3. Not Required Reading, But Here If You Want to Dive Deeper

Topic - URL

Microsoft Virtual Academy - https://mva.microsoft.com/

MCSA: Server 2012 - https://www.microsoft.com/en-us/learning/mcsa-windows-server-certification.aspx

MCSE: SharePoint - https://www.microsoft.com/en-us/learning/mcse-sharepoint-certification.aspx

Summary

Congrats! Your home lab domain is coming along great! In this chapter, you created all of your user accounts using the GUI, PowerShell, or a combination of the two. You changed the default domain admin name in order to thwart would-be hackers. You also created a service connection point for SharePoint 2016.

Keep on moving forward to create host (A) records, canonical name (CNAME) records, and pointer (PTR) records. You’ll also review the service location (SRV) record for utilization in your domain.

This is exciting. You’re almost ready to join the SharePoint 2016 member servers and SQL Server to the domain. After which, you’ll install SQL. Let’s go to work on DNS!
