1. Preparations

1.1. Dell PowerEdge R750xs

1.2. Hyper-V

  • See Hyper-V - Create Virtual Machine to create a virtual machine with 4 GB of RAM, 2 processors and 100 GB disk space.

  • Note: Make sure to check ??? in the ??? tab in the virtual machine settings. This allows the Hyper-V feature to be fully functional and to be able to run virtual machines inside the virtualized Windows Server.

  • Add the following port forwarding rules.

    Name    Protocol        Host IP         Host Port       Guest IP        Guest Port
----    --------        ---------       ---------       --------        ----------
RDP     TCP             127.0.0.1       33389           ???             3389
SSH     TCP             127.0.0.1       2222            ???             22

1.3. VirtualBox

  • See VirtualBox - Create Virtual Machine to create a virtual machine with 4 GB of RAM, 2 processors and 100 GB disk space.

  • Note: Make sure to check Enable Nested VT-x/AMD-V in the System > Processor tab in the virtual machine settings. This allows the Hyper-V feature to be fully functional and to be able to run virtual machines inside the virtualized Windows Server.

  • Note: See https://docs.oracle.com/cd/E97728_01/F12469/html/nested-virt.html.

  • Add the following port forwarding rules.

    Name    Protocol        Host IP         Host Port       Guest IP        Guest Port
----    --------        ---------       ---------       --------        ----------
RDP     TCP             127.0.0.1       33389           10.0.2.15       3389
SSH     TCP             127.0.0.1       2222            10.0.2.15       22

1.4. VMware

  • See VMware - Create Virtual Machine to create a virtual machine with 4 GB of RAM, 2 processors and 100 GB disk space.

  • Note: Make sure to check Virtualize Intel VT-x/EPT or AMD-V/RVI in the Processors tab in the virtual machine settings. This allows the Hyper-V feature to be fully functional and to be able to run virtual machines inside the virtualized Windows Server.

  • Add the following port forwarding rules.

    Name    Protocol        Host IP         Host Port       Guest IP        Guest Port
----    --------        ---------       ---------       --------        ----------
RDP     TCP             127.0.0.1       33389           192.168.180.15  3389
SSH     TCP             127.0.0.1       2222            192.168.180.15  22

2. Installation

  • Boot the computer from the CD/DVD drive.

    Language to install             English (United States)
Time and currency format        English (United States)

  • Click Next.

    Keyboard or input method        US

  • Click Next.

    I would like to         ● Install Windows Server
                        ○ Repair my PC
■ I agree everything will be deleted including files, apps, and settings

  • Click Next.

    ● Use a product key
  Enter Product key
   Dashes will be added automatically

○ Pay-as-you-go

I don’t have a product key
Privacy statement

  • Select I don’t have a product key.

    Operating System:
Windows Server 2025 Standard
Windows Server 2025 Standard (Desktop Experience)
Windows Server 2025 Datacenter
Windows Server 2025 Datacenter (Desktop Experience)

  • Select Windows Server 2025 Standard (Desktop Experience).

  • Click Next.

  • Click Accept to accept the license terms.

    Name                            Total Size      Free Space      Type
Disk 0 Unallocated Space        3.5 TB          3.5 TB          Unallocated Space
Disk 1 Unallocated Space        1.3 TB          1.3 TB          Unallocated Space
Disk 2 Unallocated Space        308.0 MB        303.5 MB        Primary
Disk 3 Unallocated Space        0 B             0 B             Unallocated Space

  • Select Disk 0 Unallocated Space.

  • Select Create Partition.

  • Type 204800 in the Size in MB field.

  • Click Apply.

  • Wait for the partitions to be created.

    Name                            Total Size      Free Space      Type
Disk 0 Partition 1              100.0 MB        100.0 MB        System
Disk 0 Partition 2              16.0 MB         16.0 MB         MSR (Reserved)
Disk 0 Partition 3              200.0 GB        199.9 GB        Primary
Disk 0 Unallocated Space        3.3 TB          3.3 TB          Unallocated Space
Disk 1 Unallocated Space        1.3 TB          1.3 TB          Unallocated Space
Disk 2 Unallocated Space        308.0 MB        303.5 MB        Primary
Disk 3 Unallocated Space        0 B             0 B             Unallocated Space

  • Select Disk 0 Partition 3.

  • Click Next.

     Install Windows Server 2025 Standard (Desktop Experience)
 Keep nothing

  • Click Install.

  • Wait about 30 minutes for the installation to finish.

  • Select Do this later to skip entering the product key.

  • Use the TBHF-HyperV01 Windows Server 2025 Administrator password stored in the KeePass Password Manager.

  • Type the password in the Password field.

  • Type the password in the Reenter password field.

  • Click Finish.

  • Press Ctrl+Alt+Delete.

    • Click Keyboard.

    • Click Ctrl, Alt, Del.

    • Close the virtual keyboard window.

  • Type the Administrator password.

  • Select Required only.

  • Click Accept.

  • Check Don’t show this message again in the Try Windows Admin Center and Azure Arc today window.

  • Close the Try Windows Admin Center and Azure Arc today window.

3. Configuration

3.1. Computer name

  • Select Local Server in the Server Manager window.

  • Select Computer name | WIN-20R0DE09S57.

  • Click Change.

  • Type TBHF-HyperV01 in the Computer name field.

  • Click OK.

  • Click OK.

  • Click Close.

  • Click Restart Later.

3.2. Date and Time

  • Select Local Server in the Server Manager window.

  • Select Time zone | (UTC-08:00) Pacific Time (US & Canada).

  • Click Change time zone.

  • Select (UTC+07:00) Bangkok, Hanoi, Jakarta.

  • Click OK.

  • Click OK.

  • Close the Server Manager window.

  • Restart the server.

3.3. Firewall

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    # Allow pings.
Get-NetFirewallRule | Where-Object { $_.Name -eq "CoreNet-Diag-ICMP4-EchoRequest-In-NoScope" } |
  Enable-NetFirewallRule
Get-NetFirewallRule | Where-Object { $_.Name -eq "CoreNet-Diag-ICMP4-EchoRequest-In-NoScope" } |
  Set-NetFirewallRule -Action Allow -Profile Any

# Allow Hyper-V Manager to connect.
Get-NetFirewallRule | Where-Object { $_.DisplayName -eq "Windows Remote Management (HTTP-In)" } | Enable-NetFirewallRule

3.4. Network

3.4.1. Embedded NIC 1

  • Select Local Server in the Server Manager window.

  • Select Embedded NIC 1 | IPv4 address assigned by DHCP, IPv6 Enabled.

  • Double-click Embedded NIC 1.

  • Click Properties.

  • Select Internet Protocol Version 4 (TCP/IPv4).

  • Click Properties.

  • Choose Use the following IP address.

    IP address:             10.10.1.203
Subnet mask:            255.255.255.0
Default gateway:        10.10.1.170

  • Choose Use the following DNS server addresses.

    Preferred DNS server:   10.10.1.1
Alternate DNS server:

  • Click OK.

  • Click Close.

  • Click Close.

  • Close the Network Connections window.

  • Close the Server Manager window.

  • Restart the server.

3.4.2. Embedded NIC 2

Not Applicable

3.4.3. RDP

  • Open Settings > System.

  • Scroll down and select Remote desktop.

  • Enable Remote Desktop.

  • Click Confirm to confirm.

  • Close Settings.

  • Log in as .\Administrator using Remote Desktop Connection.

3.4.4. Teaming

  • Select Local Server in the Server Manager window.

  • Select NIC Teaming | Disabled.

  • Select TASKS > New Team.

  • Type NIC-Team1 in the Team name field.

  • Check Integrated NIC 1 Port 1-1.

  • Check Integrated NIC 1 Port 1-2.

  • Expand Additional Properties.

    Team name:                      NIC-Team1

□ Embeded NIC 1                 1 Gbps
□ Embeded NIC 1                 Disconnected
■ Integrated NIC 1 Port 1-1     1 Gbps
■ Integrated NIC 1 Port 1-2     1 Gbps
□ Integrated NIC 1 Port 1-3     Disconnected
□ Integrated NIC 1 Port 1-4     Disconnected

Teaming mode:                   Switch Independent
Load balancing mode:            Dynamic
Standby adapter:                None (all adapters Active)
Primary team interface:         (Name generated automatically): Default VLAN

  • Click OK.

3.4.5. Virtual Machine Queues

  • Select Settings > Network & internet.

  • Select Advanced network settings.

  • For all 6 physical network adapters do the following.

    • Select the network card.

    • Click Edit.

    • Click Configure.

    • Select the Advanced tab.

    • Select Virtual Machine Queues.

    • Select Disabled.

  • Close Settings.

3.4.6. Virtual Switch Manager

3.5. Disk Management

  • Open Disk Management (diskmgmt.msc).

  • Optional: Initialize disk.

    • Choose GPT.

    • Click OK. ???

  • Right-click Disk 0 | Unallacated and select New Simple Volume.

  • Click Next.

  • Click Next.

  • Click Next.

  • Select ReFS for the File system.

  • Select Default (4K) for the Allocation unit size.

  • Type Hyper-V-Data1-ReFS-4k for the Volume label.

  • Click Next.

  • Click Finish.

  • Right-click Disk 1 | Unallacated and select New Simple Volume.

  • Click Next.

  • Click Next.

  • Click Next.

  • Select ReFS for the File system.

  • Select Default (4K) for the Allocation unit size.

  • Type Hyper-V-Data2-ReFS-4k for the Volume label.

  • Click Next.

  • Click Finish.

  • Close Disk Management.

3.6. SMRU Domain

Join to SMRU domain

  • Open Settings > System.

  • Scroll down and select About.

  • Select Domain or workgroup.

  • Click Change.

  • Choose Domain.

  • Type smru.shoklo-unit.com for the domain name.

  • Click OK.

  • Type SMRU\ADadmin for the user name.

  • Type the password.

  • Click OK.

  • Click OK.

  • Click OK.

  • Click Close.

  • Click Restart Now.

  • Note: Ask Dean Sherwood at MORU to move Computers/TBHF-HYPERV01 to Member Servers as we don’t have access.

  • Log on to AD using the SMRU\ADadmin account.

    • Press the Shift key and right-click Start > Programs > Windows Tools > Active Directory Users and Computers and select Run as different user.

  • Move Computers/TBHF-HYPERV01 to Member Servers.

  • Click Yes to confirm.

3.7. Applications

  • Uninstall Windows Defender

    • ???

4. Usage

  • VirtualBox: Connect to VBOX-WIN2019 using PuTTY with localhost and port 2222.

  • VirtualBox: Connect to VBOX-WIN2019 using RDP with mstsc.exe /v 127.0.0.1:33389.

  • VMware: Connect to VBOX-WIN2019 using PuTTY with 192.168.243.128 and port 22.

  • VMware: Connect to VBOX-WIN2019 using RDP with mstsc.exe /v 192.168.243.128:3389.

5. Active Directory Domain Services

  • See https://infrasos.com/how-to-setup-active-directory-on-windows-server-2022.

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    Get-WindowsFeature
Add-WindowsFeature -IncludeManagementTools -Name AD-Domain-Services
Get-WindowsFeature

  • Start Server Manager.

  • Click on the Notifications (yellow exclamation mark) icon at the top right.

  • Select Promote this server to a domain controller.

  • Choose Add a new forest.

    Root domain name:		test.shoklo-unit.com
Root domain name:		vbox.shoklo-unit.com
Root domain name:		vmware.shoklo-unit.com

  • Click Next.

  • Use the Local Administrator password.

    Forest functional level:        Windows Server 2016
Domain functional level:        Windows Server 2016

+ Domain Name System (DNS) server
+ Global Catalog (GC)
- Read only domain controller (RODC)

Type the Directory Services Restore Mode (DSRM) password
Password:                       ********
Confirm password:               ********
Password:                       Administr@t0r!!!
Confirm password:               Administr@t0r!!!

  • Click Next.

  • Ignore the A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found message.

  • Click Next.

    The NetBIOS domain name:        VBOX
The NetBIOS domain name:        VMWARE

  • Click Next.

    Database folder:                C:\Windows\NTDS
Log files folder:               C:\Windows\NTDS
SYSVOL folder:                  C:\Windows\SYSVOL

  • Click Next.

  • Click Next.

  • Click Install.

  • Optional: Click Close to restart the computer.

  • Optional: Close Server Manager.

6. DHCP

  • See https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-deploy-wps.

    Remove-WindowsFeature -Name DHCP
# Restart the computer.
Get-WindowsFeature
Add-WindowsFeature -IncludeManagementTools -Name DHCP
Get-WindowsFeature

  • See https://www.technig.com/configure-a-dhcp-scope-in-server-2022-using-powershell.

    Remove-DhcpServerV4Scope -Force -ScopeId 10.30.1.0
Add-DhcpServerv4Scope -Name "Internal LAN" -StartRange 10.30.1.1 -EndRange 10.30.1.254 -SubnetMask 255.255.255.0
Add-DhcpServerv4ExclusionRange -ScopeId 10.30.1.0 -StartRange 10.30.1.1   -EndRange 10.30.1.65
Add-DhcpServerv4ExclusionRange -ScopeId 10.30.1.0 -StartRange 10.30.1.170 -EndRange 10.30.1.170
Add-DhcpServerv4ExclusionRange -ScopeId 10.30.1.0 -StartRange 10.30.1.201 -EndRange 10.30.1.254
Set-DhcpServerv4Scope -ScopeId 10.30.1.0 -LeaseDuration 00.08:00:00
Get-DhcpServerV4Scope

Set-DhcpServerv4OptionValue -ScopeId 10.30.1.0 -DnsServer 10.30.1.1 -DnsDomain "test.shoklo-unit.com"
Set-DhcpServerv4OptionValue -ScopeId 10.30.1.0 -Router 10.30.1.170
Set-DhcpServerv4OptionValue -ScopeId 10.30.1.0 -OptionId 46 -Value "0x8"
Get-DhcpServerv4OptionValue -ScopeId 10.30.1.0
    Remove-DhcpServerv4Reservation -ScopeId 10.30.1.0
Remove-DhcpServerv4Lease -ScopeId 10.30.1.0

Add-DhcpServerv4Reservation -ScopeId 10.30.1.0 -Name SMRU-PRT-TST.test.shoklo-unit.com -IPAddress 10.30.1.47 -ClientId "8C-DC-D4-5B-3D-FB" -Description "HP LaserJet 400 M401n"
Get-DhcpServerv4Binding
Get-DhcpServerv4Lease -IPAddress 10.30.1.47
Get-DhcpServerv4Lease -ScopeId 10.30.1.0

7. Group Policy Management

7.1. TEST Proxy Settings

  • Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com and select Create a GPO in this domain, and Link it here.

  • Type TEST Proxy Settings in the Name field.

  • Click OK.

  • Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com > TEST Proxy Settings and select Edit.

  • Right-click User Configuration > Preferences > Control Panel Settings > Internet Settings and select New > Internet Explorer 10.

  • Select Connections tab.

  • Choose Never dial a connection.

  • Click LAN settings.

  • Check Use a proxy server your LAN (Thise settings will not apply to dial-up or VPN connections).

  • Click Advanced.

  • Type 10.30.1.170 in the HTTP Proxy address to use field.

  • Type 8080 in the HTTP Port field.

  • Type 10.30.1.170 in the Secure Proxy address to use field.

  • Type 8080 in the Secure Port field.

  • Type 10.30.1.* in the Do not use proxy servers for addresses beginning with field.

  • Click OK.

  • Click OK.

  • Check Bypass proxy server for local addresses.

  • Click OK.

  • Click Apply.

  • Click OK.

  • To Force User: Do the following.

    • Select User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel.

    • Right-click Disable the Connections page and select Edit.

    • Choose Enabled.

    • Click Apply.

    • Click OK.

8. Active Directory

  • Note: Needed for Network Printers.

  • Start Active Directory Users and Computers.

  • Right-click test.shoklo-unit.com > TEST and select New > Organizational Unit.

  • Type groups in the Name field.

  • Click OK.

  • Right-click test.shoklo-unit.com > TEST > groups and select New > Group.

  • Type Network-Printers in the Group name field.

  • Choose Global for the Group scope.

  • Choose Security for the Group type.

  • Click OK.

  • Right-click test.shoklo-unit.com > TEST > users and select New > User.

  • Type <Printer host name> in the First name field.

  • Type <Printer host name> in the User logon name field.

  • Click Next.

  • Type the SMRU AD Network Printer Password stored in the KeePass Password Manager in the Password field.

  • Type the SMRU AD Network Printer Password stored in the KeePass Password Manager in the Confirm password field.

  • Uncheck User must change password at next logon.

  • Check User cannot change password.

  • Check Password never expires.

  • Uncheck Account is disabled.

  • Click Next.

  • Click Finish.

  • Select test.shoklo-unit.com > TEST > users.

  • Right-click <Printer host name> user and select Properties.

  • Select Member Of tab.

  • Click Add.

  • Type Network-Printers.

  • Click Check Names.

  • Click OK.

  • Select Dial-in tab.

  • Choose Allow access for the Network Access Permission.

  • Click Apply.

  • Click OK.

  • Close Active Directory Users and Computers.

9. Certification Authority (CA)

CLI

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    Get-WindowsFeature
Remove-WindowsFeature -Name AD-Certificate
Remove-WindowsFeature -Name Web-Server
Get-WindowsFeature

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    Get-WindowsFeature
Add-WindowsFeature -IncludeManagementTools -Name Web-Server
Add-WindowsFeature -IncludeManagementTools -Name AD-Certificate
Add-WindowsFeature -IncludeManagementTools -Name ADCS-Enroll-Web-Pol
Add-WindowsFeature -IncludeManagementTools -Name ADCS-Enroll-Web-Svc
Add-WindowsFeature -IncludeManagementTools -Name ADCS-Web-Enrollment
Get-WindowsFeature

Install-AdcsCertificationAuthority -Force
Install-AdcsWebEnrollment -Force
Install-AdcsEnrollmentWebService -Force
Install-AdcsEnrollmentPolicyWebService -Force
GUI

  • Perform the following sections.

9.1. Requirements

9.1.1. Service Account

  • Start Active Directory Users and Computers.

  • Select test.shoklo-unit.com > Users.

  • Double-click Administrator.

  • Select Member Of tab.

  • Click Add.

  • Type IIS_IUSRS in the Enter the object names to select field.

  • Click Check Names.

  • Click OK.

  • Click Apply.

  • Click OK.

  • Close Active Directory Users and Computers.

9.1.2. Web Server (IIS)

  • Start Server Manager.

  • Select Dashboard.

  • Click Add roles and features.

  • Click Next.

  • Choose Role-based or feature-based installation.

  • Click Next.

  • Choose Select a server from the server pool.

  • Select SMRU-SRV-TST.

  • Click Next.

  • Check Web Server (IIS).

    • Check Include management tools (if applicable).

    • Click Add Features

  • Click Next.

  • Click Next.

  • Click Next.

  • Click Next.

  • Click Install.

  • Click Close.

9.2. Installation

  • Start Server Manager.

  • Select Dashboard.

  • Click Add roles and features.

  • Click Next.

  • Choose Role-based or feature-based installation.

  • Click Next.

  • Choose Select a server from the server pool.

  • Select SMRU-SRV-TST.

  • Click Next.

  • Check Active Directory Certificate Services.

    • Check Include management tools (if applicable).

    • Click Add Features

  • Click Next.

  • Click Next.

  • Click Next.

  • Check Certification Authority.

  • Click Next.

  • Click Install.

  • Wait for the installation to finish.

  • Click Close.

9.3. Configuration

  • Click the notification icon on Server Manager.

  • Click Configure Active Directory Certificate Services on the destination server.

  • Click Next.

  • Check Certification Authority.

  • Click Next.

  • Choose Enterprise CA.

  • Click Next.

  • Choose Root CA.

  • Click Next.

  • Choose Create a new private key.

  • Click Next.

  • Select RSA#Microsoft Software Key Storage Provider for the Select a cryptographic provider.

  • Select 2048 for the Key length.

  • Select SHA256 for the Select the hash algorithm for signing certificates issued by this CA.

  • Uncheck Allow administrator interaction when the private key is accessed by the CA.

  • Click Next.

  • Click Next.

  • Click Next.

  • Click Next.

  • Click Configure.

  • Click Close.

  • Start Server Manager.

  • Select Dashboard.

  • Click Add roles and features.

  • Click Next.

  • Choose Role-based or feature-based installation.

  • Click Next.

  • Choose Select a server from the server pool.

  • Select SMRU-SRV-TST.

  • Click Next.

  • Expand Active Directory Certificate Services.

  • Check Certificate Enrollment Policy Web Service.

    • Check Include management tools (if applicable).

    • Click Add Features

  • Check Certificate Enrollment Web Service.

  • Check Certification Authority Web Enrollment.

    • Check Include management tools (if applicable).

    • Click Add Features

  • Click Next.

  • Click Next.

  • Click Install.

  • Wait for the installation to finish.

  • Click Close.

  • Close Server Manager.

  • Restart the computer.

  • Click the notification icon on Server Manager.

  • Click Configure Active Directory Certificate Services on the destination server.

  • Click Next.

  • Check Certification Authority Web Enrollment.

  • Check Certificate Enrollment Web Service.

  • Check Certificate Enrollment Policy Web Service.

  • Click Next.

  • Choose CA name.

  • Click Next.

  • Choose Windows integrated authentication.

  • Click Next.

  • Choose Specify service account (recommended).

  • Click Select.

  • Type Administrator in the User name field.

  • Type the Administrator password in the Password field.

  • Click OK.

  • Click Next.

  • Choose Windows integrated authentication.

  • Click Next.

  • Choose Choose an existing certificate for SSL encryption (recommended).

  • Select test-SMRU-SRV-TST-CA.

  • Select vmware-VMWARE-WIN2025-CA.

  • Click Next.

  • Click Configure.

  • Click Close.

  • Close Server Manager.

9.4. Certificate Templates

  • Start Tools > Certification Authority.

  • Select test-SMRU-SRV-TST-CA > Certificate Templates.

  • Right-click test-SMRU-SRV-TST-CA > Certificate Templates and select Manage.

  • Right-click Workstation Authentication and select Duplicate Template.

  • Select General tab.

  • Type TEST-GPO-Computers-Authentication in the Template display name.

  • Check Publish certificate in Active Directory.

  • Select Security tab.

  • Select Domain Computers group.

  • Check Read | Allow.

  • Check Write | Allow.

  • Check Enroll | Allow.

  • Check Autoenroll | Allow.

  • Click Add.

  • Type Domain Controllers in the Enter the object names to select field.

  • Click Check Names.

  • Click OK.

  • Select Domain Controllers group.

  • Check Read | Allow.

  • Check Write | Allow.

  • Check Enroll | Allow.

  • Check Autoenroll | Allow.

  • Select Extensions tab.

  • Click Edit.

  • Click Add.

  • Select Server Authentication.

  • Click OK.

  • Click OK.

  • Click Apply.

  • Click OK.

  • Close Certificate Templates Console.

  • Right-click Certificate Templates and select New > Certificate Template to Issue.

  • Select TEST-GPO-Computers-Authentication.

  • Click OK.

  • Close Certification Authority.

9.5. Troubleshooting

  • If cannot request the certificate run the following commands in command line.

    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc & net start certsvc

10. Network Policy Server (NPS)

  • Note: For Windows Server 2019 make sure to modify the service account security identifier of the Network Policy Server service to detect and allow RADIUS traffic. This is needed for wired ethernet connections. It is not needed for wireless wifi connections.

  • See https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-firewalls-configure.

  • Enter the following commands at a Command Prompt with administrative privileges.

    rem Internet Authentication Service (listed as Network Policy Server under services.msc).
sc.exe query ias
sc.exe qsidtype ias
sc.exe sidtype IAS unrestricted
sc.exe qsidtype ias
powershell.exe restart-service -DisplayName 'Network Policy Server'

10.1. Installation

CLI

Get-WindowsFeature
Add-WindowsFeature -IncludeManagementTools -Name NPAS
Get-WindowsFeature

GUI

  • Start Server Manager.

  • Select Dashboard.

  • Click Add roles and features.

  • Click Next.

  • Choose Role-based or feature-based installation.

  • Click Next.

  • Choose Select a server from the server pool.

  • Select LAB1-AD01.

  • Click Next.

  • Check Network Policy and Access Services.

    • Check Include management tools (if applicable).

    • Click Add Features

  • Click Next.

  • Click Next.

  • Click Next.

  • Uncheck Restart the destination server automatically if requred.

  • Click Install.

  • Close Server Manager.

10.2. Configuration

Register Server In Active Directory

  • Start Network Policy Server.

  • Right-click NPS (Local) and select Register server in Active Directory.

  • Click OK to confirm.

    This computer is now authorized to read users' dial-in properties from domain smru-lab.com.

To authorize this computer to read users' dial-in properties from other domains,
you must register this computer to be a member of the RAS/NPS Servers Group in that domain.

  • Click OK.

  • Close Network Policy Server.

RADIUS Clients

  • Start Tools > Network Policy Server.

  • RADIUS local: Right-click RADIUS Clients and Servers > RADIUS Clients and select New.

    • Check Enable this RADIUS client.

    • Type SMRU-SG350X-TST in the Friendly name field.

    • Type TBHF-SW01-2930F-24G in the Friendly name field.

    • Type TBHF-SW06-6000-12G in the Friendly name field.

    • Type TBHF-R650-TST in the Friendly name field.

    • TEST: Type 10.30.1.25 in the Address (IP or DNS) field.

    • TEST: Type 10.30.1.26 in the Address (IP or DNS) field.

    • TEST: Type 10.30.1.27 in the Address (IP or DNS) field.

    • TEST: Type 172.16.16.31 in the Address (IP or DNS) field.

    • Choose Manual for the Shared Secret.

    • Type the shared secret in the Shared secret.

    • Type the shared secret in the Confirm shared secret.

    • Click OK.

    • Close Network Policy Server.

  • RADIUS proxy: Right-click RADIUS Clients and Servers > RADIUS Clients and select New.

    • Check Enable this RADIUS client.

    • BHF: Type SMRU-LAB-AD01 in the Friendly name field.

    • SMRU: Type TBHF-AD01 in the Friendly name field.

    • BHF: Type 10.20.2.1 in the Address (IP or DNS) field.

    • SMRU: Type 10.20.1.1 in the Address (IP or DNS) field.

    • Choose Manual for the Shared Secret.

    • Type the secret in the Shared secret field.

    • Type the secret in the Confirm shared secret field.

    • Click OK.

    • Close Network Policy Server.

Remote RADIUS Server

  • Note: RADIUS server is needed for RADIUS proxy.

  • Right-click RADIUS Clients and Servers > Remote RADIUS Server and select New.

  • Select Address tab.

  • BHF: Type SMRU in the Group name field.

  • SMRU: Type BHF in the Group name field.

  • Click Add.

  • BHF: Type 10.20.1.1 in the Server field.

  • SMRU: Type 10.20.2.1 in the Server field.

  • Click Verify.

  • Click Resolve.

  • Click OK.

  • Select Authentication/Accounting tab.

  • Type the secret in the Shared secret field.

  • Type the secret in the Confirm shared secret field.

  • Select Load Balancing tab.

  • Type 100 in the Weight field.

  • Click Apply.

  • Click OK.

  • Click OK.

Connection Request Policies

RADIUS local

  • Right-click Policies > Connection Request Policies and select New.

  • BHF: Type BHF Secure Wired Connections for the Policy name.

  • BHF: Type BHF Secure Wireless Connections for the Policy name.

  • SMRU: Type SMRU Secure Wired Connections for the Policy name.

  • SMRU: Type SMRU Secure Wireless Connections for the Policy name.

  • TEST: Type TEST Secure Wired Connections for the Policy name.

  • Click Next.

  • Click Add.

  • Select NAS Port Type.

  • Click Add.

  • Ethernet: Check Ethernet for the Common 802.1X connection tunnel types.

  • Wireless: Check Wireless for the Common 802.1X connection tunnel types.

  • Click OK.

  • Click Add.

  • Select User Name.

  • Click Add.

  • BHF: Type bhf.bhf-th.org*.bhf-th.com in the User name field.

  • SMRU: Type smru.shoklo-unit.com in the User name field.

  • TEST: Type test.shoklo-unit.com in the User name field.

  • Click OK.

  • Click Next.

  • Click Next.

  • Click Next.

  • Click Next.

  • Click Finish.

RADIUS proxy

  • Right-click Policies > Connection Request Policies and select New.

  • BHF: Type BHF Secure Wired Connections for the Policy name.

  • BHF: Type BHF Secure Wireless Connections for the Policy name.

  • SMRU: Type SMRU Secure Wired Connections for the Policy name.

  • SMRU: Type SMRU Secure Wireless Connections for the Policy name.

  • Click Next.

  • Click Add.

  • Select NAS Port Type.

  • Click Add.

  • Ethernet: Check Ethernet for the Common 802.1X connection tunnel types.

  • Wireless: Check Wireless for the Common 802.1X connection tunnel types.

  • Click OK.

  • Click Add.

  • Select User Name.

  • Click Add.

  • BHF: Type bhf.bhf-th.org*.bhf-th.com in the User name field.

  • SMRU: Type smru.shoklo-unit.com in the User name field.

  • Click OK.

  • Click Next.

  • Select Authentication.

  • Choose Forward requests to the following remote RADIUS server group for authentication.

  • BHF: Select SMRU.

  • SMRU: Select BHF.

  • Click Next.

  • Click Next.

  • Click Finish.

Network Policies

Domain clients (Windows wired)

  • Right-click Policies > Network Policies and select New.

  • BHF: Type BHF Computers Secure Wired Connections for the Policy name.

  • BHF: Type BHF Computers Secure Wireless Connections for the Policy name.

  • SMRU: Type SMRU Computers Secure Wired Connections for the Policy name.

  • SMRU: Type SMRU Computers Secure Wireless Connections for the Policy name.

  • TEST: Type TEST Computers Secure Wired Connections for the Policy name.

  • Click Next.

  • Click Add.

  • Select Machine Groups.

  • Click Add.

  • Click Add Groups.

  • Type Domain Computers.

  • Click Check Names.

  • Click OK.

  • Click OK.

  • Click Add.

  • Select NAS Port Type.

  • Click Add.

  • Ethernet: Check Ethernet for the Common 802.1X connection tunnel types.

  • Click OK.

  • Click Next.

  • Choose Access granted.

  • Click Next.

  • Uncheck all Less secure authentication methods.

  • Click Add.

  • Select Microsoft: Smart Card or other certificate.

  • Click OK.

  • Click Next.

  • Click Next.

  • Optional: Select Framed-Protocol on Attributes.

    • Click Remove.

  • Optional: Select Service-Type on Attributes.

    • Click Remove.

  • VLAN:

    • Click Add.

    • Select Tunnel-Type on Attributes.

    • Click Add.

    • Click Add.

    • Choose Commonly used for 802.1x.

    • Click OK.

    • Click OK.

    • Select Tunnel-Pvt-Group-ID on Attributes.

    • Click Add.

    • Click Add.

    • Choose String.

    • SMRU: Type 2 for VLAN ID in Enter the attribute value in field.

    • BHF: Type 3 for VLAN ID in Enter the attribute value in field.

    • Click OK.

    • Click OK.

    • Select Tunnel-Medium-Type on Attributes.

    • Click Add.

    • Click Add.

    • Choose Choose Commonly used for 802.1x.

    • Click OK.

    • Click OK.

    • Click Close.

  • Click Next.

  • Click Finish.

Domain clients (Windows wireless)

  • Right-click Policies > Network Policies and select New.

  • BHF: Type BHF Computers Secure Wireless Connections for the Policy name.

  • SMRU: Type SMRU Computers Secure Wireless Connections for the Policy name.

  • TEST: Type TEST Computers Secure Wireless Connections for the Policy name.

  • Click Next.

  • Click Add.

  • Select Machine Groups.

  • Click Add.

  • Click Add Groups.

  • Type Domain Computers.

  • Click Check Names.

  • Click OK.

  • Click OK.

  • Click Add.

  • Select NAS Port Type.

  • Click Add.

  • Check Wireless - IEEE 802.11 for the Common 802.1X connection tunnel types.

  • Click OK.

  • Click Next.

  • Choose Access granted.

  • Click Next.

  • Uncheck all Less secure authentication methods.

  • Click Add.

  • Select Microsoft: Smart Card or other certificate.

  • Click OK.

  • Click Next.

  • Click Next.

  • Optional: Select Framed-Protocol on Attributes.

    • Click Remove.

  • Optional: Select Service-Type on Attributes.

    • Click Remove.

  • VLAN:

    • Click Add.

    • Select Tunnel-Type on Attributes.

    • Click Add.

    • Click Add.

    • Choose Commonly used for 802.1x.

    • Click OK.

    • Click OK.

    • Select Tunnel-Pvt-Group-ID on Attributes.

    • Click Add.

    • Click Add.

    • Choose String.

    • SMRU: Type 2 for VLAN ID in Enter the attribute value in field.

    • BHF: Type 3 for VLAN ID in Enter the attribute value in field.

    • Click OK.

    • Click OK.

    • Select Tunnel-Medium-Type on Attributes.

    • Click Add.

    • Click Add.

    • Choose Choose Commonly used for 802.1x.

    • Click OK.

    • Click OK.

    • Click Close.

  • Click Next.

  • Click Finish.

Network Printers

  • Right-click Policies > Network Policies and select New.

  • Type SMRU Secure Wired Connections (Network Printers) for the Policy name.

  • Click Next.

  • Click Add.

  • Select NAS Port Type.

  • Click Add.

  • Check Ethernet for the Common 802.1X connection tunnel types.

  • Click OK.

  • Click Add.

  • Select User Groups.

  • Click Add.

  • Click Add Groups.

  • Type Network-Printers.

  • Click Check Names.

  • Click OK.

  • Click OK.

  • Click Next.

  • Choose Access granted.

  • Click Next.

  • Uncheck all Less secure authentication methods.

  • Click Add.

  • Select Microsoft: Smart Card or other certificate.

  • Click OK.

  • Select Microsoft: Smart Card or other certificate.

  • Click Edit.

  • Select NPS-2019.nps.com (CA server) for the Certificate issued to.

  • Select SMRU-SRV-TST.test.shoklo-unit.com (CA server) for the Certificate issued to.

  • Click OK.

  • Click Next.

  • Click Next.

  • Select Framed-Protocol on Attributes.

  • Click Remove.

  • Select Service-Type on Attributes.

  • Click Remove.

  • Click Next.

  • Click Finish.

11. Issued Certificates

11.1. Group Policy

For domain clients Windows.

  • Start Tools > Group Policy Management.

  • Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com > Default Domain Policy and select Edit.

  • Select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  • Double-click Certificate Services Client - Auto-Enrollment.

  • Select Enabled for the Configuration Model.

  • Check Renew expired certificates, update pending certificates, and remove revoked certificates.

  • Check Update certificates that use certificate templates.

  • Click Apply.

  • Click OK.

  • Close Group Policy Management Editor.

  • Close Group Policy Management.

11.2. Manual

For Network Printers.

  • Type certtmpl.msc and press Enter in the Command Prompt.

  • Select Certificate Templates (<server name>.<domain name>).

  • Right-click Web Server and select Duplicate Template.

  • Select General tab.

  • Type SMRU Network Printers in the Template display name field.

  • Type 10 in the Validity period field.

  • Uncheck Publish certificate in Active Directory.

  • Select Request Handling tab.

  • Select Signature and encryption for the Purpose.

  • Check Allow private key to be exported.

  • Select Extensions tab.

  • Select Application Policies.

  • Click Edit.

  • Click Add.

  • Select Client Authentication.

  • Click OK.

  • Click OK.

  • Click Apply.

  • Click OK.

  • Close Microsoft Management Console.

  • Start Certification Authority.

  • Right-click Certificate Templates and select New > Certificate Template to Issue.

  • Select SMRU Network Printers.

  • Click OK.

  • Close Certification Authority.

  • Browse to https://<CA-server-IP-address>/certsrv.

  • Sign in as Administrator.

  • Click Download a CA certificate, certificate chain, or CRL.

  • Select Current [<CA certificate name>] for the CA certificate.

  • Choose DER for the Encoding method.

  • Click Download CA certificate and name the file <Server name>-CA.cer.

  • Rename the certnew.cer file to <Server name>-CA.cer.

12. Supplicant

12.1. Windows Wired

12.1.1. GPO

  • Start Tools > Group Policy Management.

  • Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com > Default Domain Policy and select Edit.

  • Select Computer Configuration > Policies > Windows Settings > Security Settings > System Services.

  • Double-click Wired AutoConfig.

  • Check Define this policy setting.

  • Choose Automatic.

  • Click Apply.

  • Click OK.

  • Right-click Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies and select Create A New Wired Network Policy for Windows Vista and Later Releases.

  • Select General tab.

  • Type TEST-Computers-Secure-Wired-Connections in the Policy Name field.

  • Check Use Windows Wired Auto Config service for clients.

  • Select Security tab.

  • Check Enable use of IEEE 802.1X authentication for network access.

  • Select Microsoft: Smart Card or other certificate for the Select a network authentication method.

  • Click Properties.

  • Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.

  • Click OK.

  • Select Computer only for the Authentication Mode.

  • Type 1 for the Mac Authentication Failures.

  • Check Cache user information for subsequent connections to this network.

  • Click Apply.

  • Click OK.

  • Close Group Policy Management Editor.

  • Close Group Policy Management.

12.1.2. Manual

Services

  • Start Services.

  • Right-click Wired AutoConfig and select Properties.

  • Select Automatic for the Startup type.

  • Click Start to start the Wired AutoConfig service.

  • Click Apply.

  • Click OK.

  • Close Services.

Network Adapter

  • Start Network and Sharing Center.

  • Click Change adapter settings.

  • Right-click Ethernet and select Properties.

  • Select Authentication tab.

  • Check Enable IEEE 802.1X authentication.

  • Select Microsoft: Protected EAP (PEAP) for the Choose a network authentication method.

  • Click Settings.

  • Check Verify the server’s identity by validating the certificate.

  • Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.

  • Select Tell user if the server name or root certificate isn’t specified for the Notifications before connecting.

  • Select Smart Card or other certificate for the Select Authentication Method.

  • Click Configure.

  • Choose Use a certificate on this computer.

  • Check Use simple certificate selection (Recommended).

  • Check Verify the server’s identity by validating the certificate.

  • Uncheck Connect to these servers.

  • Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.

  • Uncheck Don’t prompt user to authorize new servers or trusted certification authorities.

  • Uncheck Use a different user name for the connection.

  • Click OK.

  • Check Enable Fast Reconnect.

  • Click OK.

  • Check Remember my credentials for this connection each tme I’m logged on.

  • Check Fallback to unauthorized network access.

  • Click Additional Settings.

  • Check Specify authentication mode.

  • Select Computer authentication.

  • Click OK.

  • Click OK.

  • Close Network and Sharing Center.

12.2. Windows Wireless

12.2.1. GPO

  • Start Tools > Group Policy Management.

  • Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com > Default Domain Policy and select Edit.

  • Right-click Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies and select Create A New Wireless Network Policy for Windows Vista and Later Releases.

  • Type TEST-Computers-Secure-Wireless-Connections in the Policy Name field.

  • Check Use Windows WLAN AutoConfig service for clients.

  • Click Add.

  • Select Connection tab.

  • Type TEST-DOT1X in the Profile Name field.

  • Type TEST-DOT1X in the Network Name(s)(SSID) field.

  • Click Add.

  • Check Connect automatically when this network is in range.

  • Uncheck Connect to a more preferred network if available.

  • Uncheck Connect even if the network is not broadcasting.

  • Select Security tab.

  • Select WPA2-Enterprise for the Authentication.

  • Select AIS-CCMP for the Encryption.

  • Select Microsoft: Smart Card or other certificate for the Select a network authentication method.

  • Click Properties

  • Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.

  • Click OK.

  • Select Computer authentication for the Authentication Mode.

  • Click OK.

  • Click Apply.

  • Click OK.

12.2.2. Manual

  • Start Network and sharing Center.

  • Select Set up a new connection or network.

  • Select Manually connect to a wireless network.

  • Click Next.

  • Type TEST-DOT1X in the Network name field.

  • Select WPA2-Enterprise for the Security type.

  • Check Start this connection automatically.

  • Click Next.

  • Select Change connection settings.

  • Select Connection tab.

  • Check Connect automatically when this network is in range

  • Select Security tab.

  • Select WPA2-Enterprise for the Security type.

  • Select AIS for the Encryption.

  • Select Microsoft: Smart Card or other certificate for the Choose a network authentication method.

  • Click Settings.

  • Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.

  • Click OK.

  • Check Remember my credentials for this connection each time I’m Logged on.

  • Click Advanced settings.

  • Select 802.1X settings tab.

  • Check Specify authentication mode.

  • Select Computer authentication for the Specify authentication mode.

  • Click OK.

  • Click OK.

  • Click Close.

12.3. Network Printer

HP

  • Browse to https://<Printer-IP-address>.

  • Sign in as admin.

  • Select Networking tab.

  • Select Security > Certificates.

  • Click Configure for the Printer Certificate.

  • Choose Create a Certificate Request.

  • Click Next.

  • Type <Printer host name>.<domain> in the Common Name field.

  • Type Shoklo Malaria Research Unit in the Organization field.

  • Type SMRU in the Organization Unit field.

  • Click Next.

  • Wait for the certificate to be created.

  • Click Save.

  • Click OK.

  • Rename the Certificate.cer file to <Printer host name>-request.cer.

  • Browse to https://<CA-server-IP-address>/certsrv.

  • Sign in as Administrator.

  • Select Request a certificate.

  • Select advanced certificate request.

  • Copy the content in the <Printer host name>-request.cer file and paste it in the Saved Request field.

  • Select SMRU Network Printers for the Certificate Template.

  • Click Submit.

  • Choose DER encoded.

  • Click Download certificate.

  • Rename the certnew.cer file to <Printer host name>.cer.

  • Browse to https://<Printer-IP-address>.

  • Sign in as admin.

  • Select Networking tab.

  • Select Security > Certificates.

  • Click Configure for the Printer Certificate.

  • Choose Install a Certificate.

  • Click Next.

  • Click Choose File.

  • Select the <Printer host name>.cer file and click Open.

  • Uncheck Mark private key as exportable.

  • Click Finish.

  • Click OK on the The printer certificate has been updated message.

  • Browse to https://<Printer-IP-address>.

  • Select Networking tab.

  • Select Security > Certificates.

  • Click Configure for the CA Certificate.

  • Choose Install a CA Certificate.

  • Click Next.

  • Click Choose File.

  • Select the <Server name>-CA.cer file and click Open.

  • Click Finish.

  • Click OK on the The CA certificate has been installed message.

  • Browse to https://<Printer-IP-address>.

  • Select Networking tab.

  • Select Security > 802.1X Authentication.

  • Check EAP-TLS.

  • Type <Printer host name> in the Username field.

  • Type the SMRU AD Network Printer Password stored in the KeePass Password Manager in the Password field.

  • Type the SMRU AD Network Printer Password stored in the KeePass Password Manager in the Confirm password field.

  • Select Low (DES-56-bit, RC4-128-bit or 3DES-168-bit) for the Encryption Strength.

  • Select Connect Anyway (802.1X Fail-over) for the On Authentication Failure.

  • Click Apply.

  • Start Active Directory Users and Computers.

  • Check View > Advanced Features to make Name Mappings available in the popup menu.

  • Select test.shoklo-unit.com > TEST > users.

  • Right-click <Printer host name> user and select Name Mappings.

  • Select X.509 Certificates tab.

  • Click Add.

  • Select the <Printer host name>.cer file and click Open.

  • Check Use Issuer for alternate security identity.

  • Check Use Subject for alternate security identity.

  • Click OK.

  • Click Apply.

  • Click OK.

  • Close Active Directory Users and Computers.

13. Hyper-V

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
Install-WindowsFeature -Name RSAT-Hyper-V-Tools
Install-WindowsFeature -Name RSAT-Clustering -IncludeAllSubFeature
Install-WindowsFeature -Name Multipath-IO -IncludeAllSubFeature
Restart-Computer

14. Update

  • Enter the following commands at a Command Prompt.

    sconfig.cmd

  • Enter the following commands at a PowerShell Command Prompt.

    Install-Module PSWindowsUpdate
Get-WindowsUpdate
Install-WindowsUpdate

15. Print Server

15.1. Installation

  • Start Server manager.

  • Select Dashboard.

  • Select Add roles and features.

  • Click Next.

  • Choose Role-based or feature-based installation.

  • Click Next.

  • Choose Select a server from the server pool.

  • Select <Server> in the Server Pool.

  • Click Next.

  • Check Print and Document Services.

    • Check Include management tools (if applicable).

    • Click Add Features.

  • Click Next.

  • Click Next.

  • Click Next.

  • Check Print Server.

  • Click Next.

  • Check Restart the destination server automatically if required.

  • Click Install.

  • Wait less than 1 minute for the installation to finish.

  • Click Close.

15.2. Configuration

  • Start Server manager.

  • Select Tools > Print Management.

  • Expand Print Servers.

  • Right-click <Server> (local) and select Add Printer.

  • Choose Add a TCP/IP or Web Services Printer by IP address or hostname.

  • Click Next.

  • Select TCP/IP Device for the Type of Device.

  • Type <Network Printer IP> in the Host name and IP address field.

  • Optional: Type <Network Printer IP> in the Port name field.

  • Uncheck Auto detect the printer driver to use.

  • Click Next.

  • Choose Install a new driver.

  • Click Next.

  • Click Have Disk.

  • Click Browse.

  • Select <Network Printer Driver> folder.

  • Click Open.

  • Click OK.

  • Select <Network Printer>.

  • Click Next.

  • Type the <Network Printer Name> you preferred in the Printer Name field.

  • Check Share this printer.

  • Type the <Network Printer Name> you preferred in the Share Name field.

  • Click Next.

  • Click Next.

  • Uncheck Print test page.

  • Uncheck Add another printer.

  • Click Finish.

16. Domain Trust

16.1. DNS

  • Start Server manager.

  • Select Tools > DNS.

  • Right-click <DNS server name> > Forward Lookup Zones > <Domain name> and select Properties.

  • Select Zone Transfers tab.

  • Check Allow zone transfers.

  • Option 1: Choose To any server.

  • Option 2: Choose Only to the following servers.

    • Add the remote Domain Controller DNS entry.

    • Dah to continue:.

  • Click Apply.

  • Click OK.

  • Right-click Forward Lookup Zones and select New Zone.

  • Click Next.

  • Choose Secondary zone.

  • Click Next.

  • Type bhf.com (remote domain controller domain) in the Zone name field.

  • Click Next.

  • Type 10.20.2.1 (remote domain controller IP address) in the Click here to add an IP Address or DNS name field.

  • Press Enter.

  • Click Next.

  • Click Finish.

16.2. Active Directory Domains and Trusts

  • Start Server manager.

  • Select Tools > Active Directory Domains and Trusts.

  • Right-click smru-lab.com (local domain controller domain) and select Properties.

  • Select Trusts tab.

  • Click New Trust.

  • Click Next.

  • Type bhf.com (remote domain controller domain) in the Name field.

  • Click Next.

  • Choose Forest trust.

  • Click Next.

  • Choose Two-way.

  • Click Next.

  • Choose This domain only.

  • Click Next.

  • Choose Forest-wide authentication.

  • Click Next.

  • Type password4BS for the Trust password.

  • Type password4BS for the Confirm trust password.

  • Click Next.

  • Click Next.

  • Click Next.

  • Choose Yes, confirm the outgoing trust.

  • Click Next.

  • Choose Yes, confirm the incoming trust.

  • 2nd DC: Type the 1st DC administrator user name and password.

  • Click Next.

  • Click Finish.

16.3. DNS Conditional Forwarder