
CalNetAD Test Environment

Updated: 08/12/2002

 

Account information

Account information for access to this test server is available by sending email to calnetad-info.

Access software

Access to the test machine is through Microsoft's Terminal Services Advanced Client (TSAC). More information, files to install the TSAC, downloads for installing the ActiveX version on your own IIS server, and an MMC snap-in for managing client sessions can be accessed from the Microsoft TSAC page. Also, see this MS hotfix patch to correct a problem with restarts not happening when using TSAC.

Note: You also can make one additional connection to acshost01 using NetMeeting 3.01, specifying an encrypted session by using the Tools/Options/Security menu and checking "I prefer to make secure outgoing calls".

See also the following excerpt from a longer article about using Terminal Services:

Coordinate Remote Administration Tasks with Other Administrators

Remote administration mode is not meant to provide a managed multi-user experience. Using the two remote connections plus the console can implement a collaborative operation, but should not be used to support general access by multiple simultaneous administrators. In particular, ensure that administrators don't run potentially destructive applications at the same time. For instance, two administrators trying to reconfigure the disk subsystem can undermine each other's work, or worse, destroy data. The presence of other administrators can be checked using the Terminal Services Manager utility (Programs/Administrative Tools) or the quser command line utility. A special tool is available in the Windows 2000 Server Resource Kit to help with this need, which provides a system tray icon showing the number of active sessions.

This latter tool, WINSTA.EXE (WinStation Monitor) has been installed to start automatically.
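As an added example (not part of the original page or the article excerpt), the following batch file turns the "check for other administrators first" advice into a pre-flight step that can be run from a Terminal Services session before starting disruptive work such as disk reconfiguration. It relies only on the quser utility named above and on standard cmd.exe features; the threshold of one session (your own) is an assumption.

```batch
@echo off
rem Added example, not from the original page: warn when other sessions are
rem active on this server before running a potentially destructive task.
rem quser prints one header line followed by one line per logged-on session,
rem so the session count is the line count minus one.

set SESSIONS=0
for /f %%c in ('quser ^| find /c /v ""') do set /a SESSIONS=%%c-1

echo Active sessions on this server: %SESSIONS%

rem Assumption: exactly one session (the caller's own) means it is safe to proceed.
if %SESSIONS% GTR 1 (
    echo WARNING: other administrators are logged on. Coordinate before continuing:
    quser
    exit /b 1
)

echo No other sessions found; safe to start the maintenance task.
exit /b 0
```

Because the script exits with a non-zero code when other sessions exist, it can be called at the top of a longer maintenance batch file so that the rest of the work is skipped unless the operator has coordinated with the other administrators first.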

A couple of useful keyboard shortcuts for TSC (see Help in the TSC window's System menu for more):

  • Ctrl+Alt+Break: switch between full-screen and windowed view
  • Alt+Page Up or Alt+Page Down: switch between open items, rotating right or left

Client setup

Points to remember when configuring Win2K Workstation clients to join the AD domain:

  • Use ksetup (or a custom security configuration template and a GPO; see References) to add realm mappings to the KDCs for the BERKELEY.EDU realm. There is no need to set a host principal (machine) password since the computer itself will belong to the AD domain, not the Kerberos realm:

    ksetup /addkdc BERKELEY.EDU kerberos.berkeley.edu
    ksetup /addkdc BERKELEY.EDU kerberos-1.berkeley.edu

  • Before joining the AD domain, make sure that the option to Change primary DNS suffix when domain membership changes is enabled, as it is in the default setting. To verify this, use the System Properties control panel: on the Network Identification tab, click Properties, then More... to check that this option is enabled before attempting to add the computer to the AD domain.
  • Log on as user@BERKELEY.EDU or select BERKELEY.EDU (Kerberos Realm) as the Log on to: option.
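The three client-setup points above can be carried out and checked from a single batch file. This is an added example, not a script from the original page: it runs the two ksetup commands the page gives, then reads back the realm configuration, and checks the "Change primary DNS suffix when domain membership changes" setting through its registry value (the SyncDomainWithMembership value under the Tcpip Parameters key, assumed here to be the backing store for that checkbox; a value of 1 means enabled). It assumes reg.exe from the Windows 2000 Support Tools is on the path.

```batch
@echo off
rem Added example, not from the original page: prepare a Win2K workstation
rem for joining the AD domain while it authenticates to the BERKELEY.EDU realm.
rem Assumes ksetup.exe and reg.exe (Windows 2000 Support Tools) are installed.

set REALM=BERKELEY.EDU

rem Step 1: map the realm to its KDCs (the two commands given on this page).
rem No host principal password is set: the machine will belong to the AD domain.
ksetup /addkdc %REALM% kerberos.berkeley.edu
ksetup /addkdc %REALM% kerberos-1.berkeley.edu

rem Read back the stored realm/KDC mappings so they can be eyeballed.
echo === Current Kerberos realm configuration ===
ksetup

rem Step 2: confirm the DNS suffix will follow domain membership (default = 1).
rem Assumption: this checkbox is stored as the SyncDomainWithMembership DWORD.
set TCPIPKEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
echo === Primary DNS suffix synchronisation setting ===
reg query %TCPIPKEY% /v SyncDomainWithMembership | find "0x1" >nul
if errorlevel 1 (
    echo WARNING: "Change primary DNS suffix when domain membership changes" is
    echo          not enabled. Enable it in System Properties before joining the domain.
    exit /b 1
)
echo Setting is enabled; the computer can now be joined to the AD domain.
echo Log on afterwards as user@%REALM%, or pick "%REALM% (Kerberos Realm)" in Log on to.
exit /b 0
```

The script deliberately stops short of the domain join itself, since that is done through the Network Identification tab and requires domain credentials; it only makes sure the realm mapping is in place and that the DNS-suffix behaviour the page calls for is still at its default before the join is attempted.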

Tools

  • KSETUP.EXE: A command-line tool also available as part of the Win2K Support Tools; download this program alone or install all of the tools from the Win2K CD in the SUPPORT\TOOLS folder.
  • Kerberos Tray: Kerberos Tray is a GUI tool that displays ticket information for a computer running the Kerberos protocol.
  • Kerberos List: Kerberos List is a command-line tool that enables you to view and delete Kerberos tickets granted to the current logon session.
  • See: KB article Q262177 on how to enable event logging for Kerberos events

System information

The actdir00 system is a Dell PowerEdge 2550 dual-1.13 GHz CPU system with 2 GB RAM. Two 18-GB SCSI disks and two 73-GB mirrored disks are part of the system.

Pre-installation checklist

  • Configure the intended primary root DC as the authoritative time server for the ad-test.berkeley.edu AD domain:

        net time /setsntp:"ntp2-1.berkeley.edu ntp2-2.berkeley.edu"

    See: KB article Q216734 on how the Win32Time time service works in an AD
  • Configure an IPSec policy for securing DDNS updates:
    • See this Windows 2000 IPsec document from Purdue for general background and setup configuration details. Initially we are testing with a shared secret string rather than with a certificate as is described in the Purdue write-up. Contact CNS (Mike Sinatra during the test period) to get the shared secret (or later to get a cert).
    • The current UC Berkeley-specific procedure is as follows:
      1. Create a new IPSec policy called UCB Secure DDNS Update; disallow the Default Response rule.
      2. Create a new rule to specify that all IP traffic between the DC and the DNS server will be secured via IPSec in transport (not tunnel) mode; apply the rule to all network connections, and select preshared key as the authentication method currently being tested.
      3. Add a new filter list called UCB DDNS and add a single filter specifying My IP Address as the source address and a.b.c.d [IP address for DDNS server as specified by CNS] as the destination address; select this filter to apply to any protocol type.
      4. Add a new custom filter action called UCB Require Security to Negotiate security and select the option: Do not communicate with computers that do not support IPSec.
      5. For the Security Method, select Custom, and for Settings, specify both AH (using SHA1 for integrity) and ESP (using SHA1 for integrity and 3DES for encryption); session keys should be renewed after 100000 Kbytes or every 900 seconds.
    • Assign the policy to place it into effect for DDNS traffic. [The default GPO for DCs will use this IPSec policy when the production AD is implemented.]
  • Set the primary DNS suffix to ad-test.berkeley.edu and set 123.32.136.9 (ns1.berkeley.edu) as the DNS server (not the DDNS server configured above in the IPSec section). Make sure that the option to Register this connection's addresses in DNS is selected under Advanced TCP/IP Settings. Check that the A record is created in the DDNS server using nslookup:

        nslookup acshost01.ad-test.berkeley.edu [DDNS server name]

    The DNS information will propagate to the berkeley.edu DNS servers after a short delay. No new PTR record will be created for xxx.yyy.32.128.in-addr.arpa in the DNS servers.
  • Install Windows 2000 Support Tools and Windows 2000 Server Resource Kit
  • (Optional): Install Kerberos Tray and WinStation Monitor to start automatically by placing shortcuts in the Startup folder.
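The pre-installation checklist above mixes configuration steps with verification steps. The batch file below is an added example, not from the original page, that performs the verifiable parts in one pass on the intended DC: it confirms the SNTP source set with net time, checks the primary DNS suffix, forces dynamic registration and then queries the DDNS server for the host's A record exactly as the page describes, and finally runs the netdiag DNS and IPSec tests from the Support Tools. The host name and the DDNS server address are placeholders taken from the page (a.b.c.d stands for the address CNS supplies); the IPSec policy itself is assumed to have already been created and assigned through the MMC as described in the IPSec steps.

```batch
@echo off
rem Added example, not from the original page: verify the pre-installation
rem checklist on a Windows 2000 machine that will become the primary root DC.
rem Assumes the Windows 2000 Support Tools (netdiag) are installed.
rem Placeholders from the page: a.b.c.d is the DDNS server address given by CNS.

set HOSTFQDN=acshost01.ad-test.berkeley.edu
set DNSSUFFIX=ad-test.berkeley.edu
set DDNSSERVER=a.b.c.d

echo === 1. Time source: should list ntp2-1 and ntp2-2 as configured above ===
net time /querysntp

echo === 2. Primary DNS suffix: should be %DNSSUFFIX% ===
ipconfig /all | find /i "Primary DNS Suffix" | find /i "%DNSSUFFIX%" >nul
if errorlevel 1 (
    echo WARNING: primary DNS suffix is not %DNSSUFFIX%; fix it before continuing.
    exit /b 1
)

echo === 3. Re-register this host's address and look for its A record on the DDNS server ===
rem Registration goes over the IPSec-protected path to the DDNS server, so a
rem missing record here usually means the IPSec policy is not assigned or the
rem preshared key does not match.
ipconfig /registerdns
nslookup %HOSTFQDN% %DDNSSERVER%

echo === 4. Support Tools diagnostics: DNS registration and IPSec policy state ===
netdiag /test:dns /test:ipsec

echo Checklist verification finished; review any FAILED lines from netdiag above.
exit /b 0
```

The nslookup step is the one the page itself calls for; running ipconfig /registerdns first avoids waiting for the next scheduled registration. The netdiag IPSec test is included because a DDNS update that is silently refused by the "Do not communicate with computers that do not support IPSec" filter action shows up as a missing A record rather than as an obvious error, so confirming that the policy is active is the quickest way to tell the two failure modes apart.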

References

 
Contact Us