
Installing ISA Server on a Domain Controller

What we'll do here is go over the installation of Windows 2000 and then the
configuration of various services to ensure that everything works correctly on
your Windows 2000 DC. Specifically, we'll cover:

- Installing Windows 2000
- Configuring DNS Server and DNS Zone Properties
- Configuring the DNS Server Forward and Reverse Lookup Zones
- Promoting the Machine to a Domain Controller
- Configuring the DNS Forwarder
- Testing the DNS Server
- Installing ISA Server

Installing Windows 2000
First step is to get Windows 2000 installed. If you already have Windows 2000
installed, you might want to consider reinstalling. There's nothing like a clean
machine to help you avoid catastrophic ISA Server problems. Requirements for
installing Windows 2000 and ISA Server for a DC are:
- Windows 2000 Server, Advanced Server or Datacenter Server
- Plenty of RAM! At least 512 MB, and more is better
- Make sure all NICs you plan to use are already installed; DCs hate it
  when you add NICs to them
- Do not plug the external interface into the Internet during installation, or
  you will get whacked before the ISA Server installation is complete
There are other hardware requirements, but these are the most important
elements to your success. Let's get started installing Windows 2000:

1. Boot the CD. Format the partitions if required and do all the other steps required during the
text mode phase of installation. There are no special installation requirements to make a DC
work during this phase of the installation.
2. Reboot into the GUI mode phase. On the Regional Settings page, make any changes you need
and then click Next.
3. On the Personalize Your Software page, enter your Name and Organization information
and click Next.
4. On the Your Product Key page, type in your key and click Next.
5. On the Licensing Mode page, select the appropriate licensing mode for your server and click
Next.
6. On the Computer Name and Administrator password page, enter the computer (NetBIOS)
name for your computer and a complex Administrator password. By complex, I mean
complex! I always use 17+ characters with mixed case letters, numbers and symbols. I figure
if they can crack these passwords, they're too good for me :). Click Next.
7. The Windows Components page is a key page, so pay attention!
Double click on Internet Information Services. If you need to support FTP and
NNTP, make the appropriate selections on the Internet Information Services
(IIS) page. I generally recommend that you minimize the number of IIS services
running on the ISA Server, but if you are using SBS, you may be stuck running all of
these on the ISA/DC machine. Click OK on the Internet Information Services
page.

Back in the Windows 2000 Components page, double click on the
Management and Monitoring Tools node. Select the Network Monitor
Tools option. You might also want to select the Simple Network Management
Protocol option if you use SNMP management stations to manage your Windows
2000 Servers. If you use CMAK, you can install that too. Click OK in the
Management and Monitoring Tools dialog box.
Double click on the Networking Services entry. At the very least, you need to
install DNS and WINS. Scroll through the list of networking services and make
those selections. Then click OK in the Network Services dialog box.
Note:
If you install WINS, you must disable NetBIOS on the external interface of the
ISA/DC computer. If you don't disable NetBIOS, the external IP address of the
ISA/DC will be registered in WINS for all sorts of things you don't want it registered for.
Don't disable NetBIOS until you're all done with EVERYTHING in this article.
Before disabling NetBIOS, check out the entries in the WINS database for the
external IP address of the ISA/DC computer. It'll be a real learning experience!
Also, make sure to delete those entries after you've disabled NetBIOS on the
external interface.

8. Double click on the Terminal Services option. Select Enable Terminal Services. If you need
to create the Terminal Services client installation disks, also select the Client Creator Files
option. Click OK in the Terminal Services dialog box.
9. Click Next in the Windows 2000 Components page.
10. On the Date and Time Settings page, set the correct date, time and time zone. Click Next.
11. On the Terminal Services Setup page, select Remote administration mode option and click
Next.
12. On the Networking Settings page, select the Custom Settings option. Click Next.
13. On the Networking Components page, you are presented with the configuration settings
dialog box for the external interface of the ISA Server. I refer to this adapter as the external
interface because this interface will be listed as second on the list of adapters in the Advanced
network adapter settings. If you don't want this to be the external interface, you'll have to
manually change its priority after installation is complete. Remove the checkmarks in the
Client for Microsoft Networks and File and Printer Sharing. Double click on the Internet
Protocol (TCP/IP) entry.

Note:
After Windows 2000 installation is complete, you might want to rename the
interfaces to make them easier to work with. Give them names like InternalNIC
and ExternalNIC. Don't use names like internal and external because the
name internal is also used by the RRAS console to represent the interface used
by RAS clients. This could cause some unneeded confusion.

14. In the Internet Protocols (TCP/IP) Properties dialog box, type in the IP addressing
information appropriate for your external interface. Make sure you enter your ISP's DNS
server address in the Preferred DNS server text box. The Default gateway will either be
assigned by your ISP, or will be the LAN interface of your router that connects to the Internet.
Click on the Advanced button.
15. Click the DNS tab. Remove the checkmark from the Append parent suffixes of the primary
DNS suffix checkbox. There's no reason for your external interface to devolve queries to your
ISPs DNS server, so this might improve performance in certain situations. Also, remove the
checkmark in the Register this connection's addresses in DNS checkbox. Your ISP isn't
interested in registering your external interface and it's unlikely it supports DDNS. Click OK.
You'll get an information message telling you your WINS address is empty. Click Yes. Click
OK to close the Internet Protocol (TCP/IP) Properties dialog box. Click Next in the
Network Components page.
Reminder!
You should disable NetBIOS on the external interface of the DC/ISA Server
computer in order to prevent problems with the Browser service and prevent
browser announcements from trying to go out the external interface. All they'll
do is fill up your logs since later you will enable packet filtering to block NetBIOS
communications on the external interface. But don't do this until you're all done
with everything we talk about in this article.

16. You are presented with the Networking Components page for the internal interface of the
ISA/DC computer. Double click on the Internet Protocol (TCP/IP) entry. Enter the internal
IP address and Subnet mask. Make sure that you make the Preferred DNS server the IP
address of the internal interface. This is vitally important since this machine is going to be a
DNS server for your Active Directory domain.
17. Click the Advanced button. Click on the WINS tab. Click the Add button and add the IP
address of the internal interface of the ISA/DC computer. You will want only this IP address
to register with WINS. You do not want the external interface to register with WINS. Click
OK in the Advanced TCP/IP Settings dialog box after you have added the WINS server
address. Click OK in the Internet Protocol (TCP/IP) Properties dialog box. Click Next on
the Networking Components page.
18. On the Workgroup or Computer Domain page, leave the default selection as it is. There
isn't a domain yet for it to join. Click Next.
19. The installation Wizard completes installing and configuring the services you selected. Click
Finish to restart the computer when it's done.
20. After the computer restarts, immediately install Service Pack 2.
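The external-interface settings from steps 13 through 15 and the two NetBIOS notes above, expressed as an added PowerShell example. This is not code from the original article: Windows 2000 has no PowerShell, so the block shows the same end state using the NetAdapter, DnsClient and CIM cmdlets of current Windows Server. The adapter names ExternalNIC and InternalNIC (the names the article suggests) and the internal address 192.168.1.1 are assumed placeholders.

```powershell
# Added example, not from the original article. Assumed names/addresses are placeholders.
$external = 'ExternalNIC'
$internal = 'InternalNIC'
$internalIP = '192.168.1.1'

# Rename the adapters once so the rest of the script refers to them by role, not by index.
# Get-NetAdapter lists the current names; uncomment and adjust for your machine.
# Rename-NetAdapter -Name 'Ethernet'   -NewName $internal
# Rename-NetAdapter -Name 'Ethernet 2' -NewName $external

# Step 13: unbind Client for Microsoft Networks and File and Printer Sharing from the
# external adapter. ms_msclient and ms_server are the component IDs of those two bindings.
Disable-NetAdapterBinding -Name $external -ComponentID 'ms_msclient'
Disable-NetAdapterBinding -Name $external -ComponentID 'ms_server'

# Step 15: the external connection must never register its address in DNS.
Set-DnsClient -InterfaceAlias $external -RegisterThisConnectionsAddress $false

# Step 16: the internal connection registers, and uses the DC's own internal address as
# its preferred DNS server, because this machine will be the domain's DNS server.
Set-DnsClient -InterfaceAlias $internal -RegisterThisConnectionsAddress $true
Set-DnsClientServerAddress -InterfaceAlias $internal -ServerAddresses $internalIP

# NetBIOS note / Reminder: disable NetBIOS over TCP/IP on the EXTERNAL interface only,
# and only after everything else in the article is finished, so browser announcements
# and WINS registrations stop leaking out of the external address.
# Win32_NetworkAdapterConfiguration.SetTcpipNetbios: 0 = DHCP default, 1 = enable, 2 = disable.
$extIndex = (Get-NetAdapter -Name $external).InterfaceIndex
$cfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled -and $_.InterfaceIndex -eq $extIndex }
$result = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
                           -Arguments @{ TcpipNetbiosOptions = 2 }
if ($result.ReturnValue -ne 0) {
    throw "SetTcpipNetbios failed on $external with code $($result.ReturnValue)"
}

# Verification: the external adapter must show no DNS registration, and nbtstat -n must
# list registered NetBIOS names only for the internal adapter.
Get-DnsClient -InterfaceAlias $external | Select-Object InterfaceAlias, RegisterThisConnectionsAddress
nbtstat -n
```

The `nbtstat -n` output at the end is the check the article's note asks for: before disabling NetBIOS you will see the external address registered for the computer, domain and browser names; afterwards only the internal adapter should list them, and any stale entries for the external address still have to be deleted from the WINS database by hand.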

Configuring the DNS Server Forward and Reverse Lookup Zones

Configuring the DNS Server properly before you run DCPROMO is critical to your
success. Many ISA Server admins end up painting themselves into a corner
because they've promoted the machine to a DC before configuring DNS. A basic
rule of thumb is to never trust the Active Directory DNS Wizard and do it
yourself.
Perform the following steps to configure your DNS Server:

1. Click Start, point to Administrative Tools and click on DNS.


2. Expand all the nodes and then right click on Forward Lookup Zone. Point to View and click
on Advanced.
3. Right click on Reverse Lookup Zones and click New Zone. Click Next on the Welcome page.
4. On the Reverse Lookup Zone page, type in the network ID for the segment connected to the
internal interface of the DC/ISA Server computer. You may need to create additional reverse
lookup zones if you have multiple segments on your internal network. Click Next.

5. On the Zone file page, accept the default name for the DNS zone file and click Next.
6. On the Completing the New Zone Wizard page, click Finish.

The next step is to configure the Forward Lookup Zone:


1. Right click on the Forward Lookup Zone node and click New Zone. Click Next on the
Welcome page.
2. On the Zone Type page, select Standard Primary and click Next.
3. On the Zone Name page, type in the internal network domain name. Click Next.

4. On the Zone File page, accept the default name for the DNS zone file and click Next.
5. Click Finish on the Completing the New Zone Wizard page.
6. Right click on the Zone that you just created and click the New Host command.
7. In the New Host dialog box, type in the host name of the DC/ISA Server computer, the IP
address of the internal interface, and select the Create associated pointer (PTR) record.
Click Add Host. An information message will appear that says the record was created. Click
OK. Click Done in the New Host dialog box.
8. Check both the Forward and Reverse lookup zones to confirm that the records were created
for the DC/ISA Server computer. Click the Refresh button if you don't see the records.

Configuring DNS Server and DNS Zone Properties

Now let's configure the DNS Server and Zone properties:
1. Right click on your DNS Server name and click Properties.
2. On the server Properties dialog box, click the Interfaces tab. Click the Only the following
IP addresses option. Then click on the external IP address on the DC/ISA Server computer
and click the Remove button. Click Apply.
3. Click the Root Hints tab and confirm for yourself that the Root Hints file has been primed.
4. At this point we won't get into Forwarders, we'll just let the DNS server perform recursion
itself. Click OK.
5. Right click on your Zone you just created and click Properties.
6. Click on the General tab. Change the setting for Allow Dynamic Updates to Yes. Click the
WINS tab.
7. On the WINS tab, select the Use WINS forward lookup. Type in the IP address of the
internal interface of the DC/ISA Server computer and click Add.
8. Click the Zone Transfers tab. Select the Only to servers listed on the Name Servers tab
option.
9. Click the Name Servers tab. If the IP address is listed as unknown, select your computer
name and click the Edit button. Click the Browse button in the Edit Record dialog box.
Double click on your computer name, then double click on Forward Lookup Zones and then
double click on your Forward Lookup Zone. Double click on your computer name. Click OK,
and then click Apply. Click OK to close the Properties dialog box.
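The zone and server settings of the two DNS sections above, as an added PowerShell example that is not part of the original article. It uses the DnsServer module of current Windows Server plus dnscmd (the command-line tool that also shipped with the Windows 2000 Support Tools); Windows 2000 itself has no PowerShell. The internal address 192.168.1.1 on 192.168.1.0/24, the host name isadc and the zone name corp.example are assumed placeholders. The WINS forward-lookup setting from step 7 is not shown.

```powershell
# Added example, not from the original article. All names and addresses are placeholders.
$internalIP  = '192.168.1.1'
$internalNet = '192.168.1.0/24'
$reverseZone = '1.168.192.in-addr.arpa'
$zoneName    = 'corp.example'
$hostName    = 'isadc'

# Reverse lookup zone for the internal segment (create one per internal segment).
Add-DnsServerPrimaryZone -NetworkId $internalNet -ZoneFile "$reverseZone.dns"

# Forward lookup zone: standard primary, file-backed, with dynamic updates allowed
# (Zone Properties, General tab). A file-backed zone cannot require secure updates;
# that option only exists once the zone is Active Directory-integrated after DCPROMO.
Add-DnsServerPrimaryZone -Name $zoneName -ZoneFile "$zoneName.dns" -DynamicUpdate NonsecureAndSecure

# New Host: A record for the DC/ISA computer's INTERNAL address, plus its PTR record.
Add-DnsServerResourceRecordA -ZoneName $zoneName -Name $hostName -IPv4Address $internalIP -CreatePtr

# Server Properties, Interfaces tab: listen only on the internal address. The external
# address must not be in this list, so Internet hosts cannot query the AD zone at all.
dnscmd /ResetListenAddresses $internalIP

# Zone Transfers tab: only to servers listed on the Name Servers tab. Without this an
# external party who can reach the server could pull the whole zone, including the
# AD SRV records DCPROMO will add.
Set-DnsServerPrimaryZone -Name $zoneName -SecureSecondaries TransferToZoneNameServer

# Checks: both records exist, the NS record points at a name that resolves (not "unknown"),
# and the listen list contains only the internal address.
Get-DnsServerResourceRecord -ZoneName $zoneName    -Name $hostName -RRType A
Get-DnsServerResourceRecord -ZoneName $reverseZone -RRType Ptr
Get-DnsServerResourceRecord -ZoneName $zoneName    -RRType NS
dnscmd /Info ListenAddresses
```

If the Name Servers check prints an NS record whose host has no matching A record in the zone, that is the "unknown" IP address case from step 9; add the A record for the server's internal address and the glue resolves.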
Promoting the Machine to a Domain Controller
Now you're ready to promote the machine to a domain controller. If you haven't
forgotten anything, this should go smoothly.

1. Click Start and click the Run command.


2. In the Run dialog box, type dcpromo in the Open text box. Click OK.
3. Click Next on the Welcome page.
4. Select the Domain Controller for a new domain and click Next.
5. Select Create a new domain tree and click Next.
6. Select Create a new forest of domain trees and click Next.
7. In the New Domain Name text box, type in the full domain name and click Next.
8. On the NetBIOS Domain Name page, go with the default. Note that if you made your domain
name too long, the NetBIOS name may be truncated. If so, you might want to rethink your
domain name. Click Next.
9. On the Database and Log Locations page, make any required changes from the defaults and
click Next.
10. On the Shared System Volume page, make any required change and click Next.
11. You will see an information dialog box informing you that the Wizard can't contact a server
authoritative for the Active Directory domain. That's to be expected since you're not done yet!
Click OK to continue.
12. On the Configure DNS page, select the No, I will install and configure DNS myself.
NEVER allow the Wizard to do this! Click Next.
13. Select the appropriate permissions for your environment and click Next.
14. Enter your Directory Services Restore Mode password and confirm. Click Next.
15. Review your settings to make sure everything is correct, then click Next.
16. If everything is configured correctly, it should take less than 5 minutes to complete the Active
Directory configuration. Click Finish on the Completing the Active Directory Installation
Wizard page.
17. On the Active Directory Installation Wizard dialog box, click the Restart Now button.
18. When the server restarts, it may take a while since it's populating the DNS server zone file with
Active Directory related records. Log onto the domain.
19. Wait about 5 minutes, and then open the DNS console. Expand the Forward Lookup Zone for
your domain and you should see the Active Directory related records.

Configuring the DNS Forwarder

At this point you should consider using a Forwarder to resolve domain names for
those domains that your server is not authoritative for. In practice, this includes
all other domains except your own! In the DNS console, perform the following
steps:

1. Right click on your server name and click Properties.


2. In the server Properties dialog box, click the Forwarders tab.
3. On the Forwarders tab, select the Enable forwarders option. Then type in the IP address(es)
of your ISP's DNS server(s) and click the Add button. Place a checkmark in the Do not use
recursion checkbox. This will improve performance significantly. Click Apply and then click
OK.
4. Right click on your server name, point to All Tasks and then click the Restart command. This
will restart the DNS server service.

Testing the DNS Server
OK, now the moment of truth! Does your DNS server work? That is, can it resolve
local and remote domain names? Check it out! Here's how:

1. In the DNS console, right click on your server name and click Properties.
2. In the server Properties dialog box, click on the Monitoring tab.
3. On the Monitoring tab, place a checkmark in the A simple query against this DNS server
checkbox. Then click the Test Now button. You should see a PASS entry in the Simple
Query column.
4. Remove the checkmark from the A simple query against this DNS server checkbox. Place a
checkmark in the A recursive query to other DNS servers checkbox. Click the Test Now
button. You should see a PASS in the Recursive Query column.
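The forwarder setting and the two Monitoring-tab tests of the last two sections, as an added PowerShell example that is not part of the original article. It uses the DnsServer and DnsClient cmdlets of current Windows Server (Windows 2000 has no PowerShell). The internal DNS address 192.168.1.1, the zone corp.example and the ISP resolver 203.0.113.53 (a documentation address standing in for your ISP's real one) are assumed placeholders.

```powershell
# Added example, not from the original article. Addresses and names are placeholders.
$internalIP = '192.168.1.1'
$zoneName   = 'corp.example'
$ispDns     = '203.0.113.53'

# Forwarders tab: send every query we are not authoritative for to the ISP's resolver.
# -UseRootHint $false is the "Do not use recursion" checkbox: if the forwarder does not
# answer, the server gives up instead of iterating from the root hints itself.
Set-DnsServerForwarder -IPAddress $ispDns -UseRootHint $false

# Step 4 of the forwarder section: restart the DNS Server service.
Restart-Service -Name DNS

# Monitoring tab, "A simple query against this DNS server": ask the server, at its
# internal address, for a zone it holds. Result is Success or Failure.
$simple = Test-DnsServer -IPAddress $internalIP -ZoneName $zoneName
"Simple query : $($simple.Result)"

# "A recursive query to other DNS servers": ask the server for a name it is not
# authoritative for; with recursion disabled it can only answer via the forwarder.
$recursive = Resolve-DnsName -Name 'www.example.com' -Server $internalIP -Type A -ErrorAction Stop
"Recursive query: www.example.com -> $(($recursive | Where-Object IPAddress).IPAddress -join ', ')"

# Negative check: the server was removed from the external address on the Interfaces tab,
# so the same query aimed at the external IP must time out. Replace the placeholder.
# Resolve-DnsName -Name $zoneName -Server '<external IP>' -Type SOA
```

Both PASS results in the console correspond to the two checks above succeeding from the internal side; a failure on the recursive check with a working simple check almost always means the forwarder address is wrong or the external interface cannot reach it yet.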

Congratulations! You've installed DNS and the Active Directory on your computer
and it's all working.
Installing ISA Server
There really aren't any special steps you need to take when installing ISA Server
on the DC. But we'll go through the procedure just to be thorough.

1. Put the ISA Server CD into the tray and when the autoplay dialog box appears, click the
Install ISA Server button.
2. On the Welcome page, click Continue.
3. On the CD Key page, type in your CD Key and click OK. Click OK on the Product ID page.
4. Click I Agree on the license agreement page.
5. Click Full Installation on the setup page.
6. Since we haven't initialized the Active Directory, we can't join an array. If you're running
SBS, you probably have a single server, so this isn't an issue. In this example, we'll run a
stand-alone ISA Server. Click Yes in the dialog box informing you it can't find the schema
changes.
7. On the mode page, select the Integrated mode option and click Continue.
8. Click OK in the dialog box informing you that IIS services will be stopped and that you need
to deal with port 80!
9. On the cache size page, set your cache size, click Set and then click OK.
10. On the LAT configuration page, click the Construct Table button.

11. Note how I've selected the options in the Local Address Table dialog box. This is the ONLY
way I want you to do this! On the NIC selection, make sure you select the internal interface of
your DC/ISA Server. Click OK. Click OK in the info box informing you that the LAT has
been constructed. Click OK again.
12. Setup continues. When it's finished, click OK to open the ISA Management console. Click
OK again to finish.
13. Now quickly! Right click on the Servers and Arrays node, point to View and click on the
Advanced command. I take no responsibility for problems you have if you use the Taskpad
view! (Actually, I don't take responsibility for anything that happens to your ISA Server.)

Packet filtering is enabled by default. There is a DNS packet filter preconfigured,
so you don't need to worry about DNS query problems. You can run the DNS
query tests again to confirm that all is well.
Conclusion
That's all there is to configuring the ISA Server to be a domain controller!
However, if this is your only server, you still have a long row to hoe. The reason
for this is that you'll have a bunch of services contending with your Web and
Server publishing rules for the available ports on the external interface. In future
articles, and/or in the 2nd edition of our book, we'll include all the details you
need to get things like Web, FTP, NNTP, SMTP and Exchange services all working
on your DC/ISA Server computer. Stay tuned and always remember, buy the
book!
