Add a 2012 Domain Controller to a 2008 Domain

KB ID 0000680 

Problem

This is considerably less painfull than adding a 2008/2008 R2 domain controller to a 2003 domain was. You dont have to maually prep the schema on the schema master, or run forestprep and domainprep. The wizard does everything for you.

Solution

1. Launch server manager from the taskbar > Select Local Server > Manage > Add Roles and Features.

2. Role Based… > Next.

3. Select local server > Next.

4. Tick ‘Active Directory Domain Service’ > Next.

5. Accept the defaults > Next.

6. Next.

7. Install.

8. Installation may take a while.

9. When finished nothing appears to change, but it does say “Suceeded” > Close.

10. Now the role is on the server you just need to promote it, you can do this by selecting AD DS in the left hand menu > and click ‘More’.

11. ‘Promote the server to a domain controller’

12. By default it will fill in the domain you are already a member of > Next

13. Enter your directory servies restore mode password (DON’T ever lose this password!) > Next.

14. I dont want anyone outside my domain browsing my domain so I don’t care about the delegation error > Next.

15. If you want to reboot as soon at it’s finished tick the box, and (optionally) select a Dc to replicate from > Next.

16. Accept or change the paths as required > Next.

17. Heres a nice touch, now it preps the forest, schema, and domain for you > Next.

18. Next.

19. Install (I’d suggest a reboot when its done).

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM, > Configuration > Remote Access VPN. > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2012 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next >Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory >OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you setup above (number 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (number 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name> Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication PAP SPAP” > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails check there is physical connectivity between the two devices, the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication