This document describes the pre-planning procedure to be used when installing a Platform system (using the standard version of Microsoft Server 2012) that will connect to an existing Domain running Active Directory. In this configuration, the Platform will not operate as a domain controller.
Steps to be completed by the Client IT Department
Please note that while the policy changes listed below are written as “Default Domain” and “Default Domain Controller” policy changes, they can be applied to individual OUs as needed and are not required to be changed at the default level.
1. Create a Domain account specifically for the Platform
⦁ Account must be an active domain account that can read AD
⦁ Remove password expiration for this account
⦁ Account does NOT need to be a domain admin account.
⦁ Account MUST be able to run PowerShell on the local Platform System as local Administrator.
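The following PowerShell is an added example of how the client IT department could carry out step 1 from a domain controller (or a host with the RSAT ActiveDirectory module); it is not part of the original procedure. The account name, OU path and domain components are assumed placeholders. It creates the account with password expiration removed and then checks that the account is enabled and is not a member of any of the built-in administrative groups, since the Platform account only needs to read AD and be a local administrator on the Platform host.

```powershell
# Added example (not from the original document). Run on a DC or a host with RSAT.
Import-Module ActiveDirectory

$AccountName = 'svc-platform'                              # assumed account name
$TargetOU    = 'OU=Service Accounts,DC=corp,DC=example'    # assumed OU / domain
$Password    = Read-Host -AsSecureString -Prompt "Initial password for $AccountName"

# Create the account: enabled, password never expires, no forced change at logon.
New-ADUser -Name $AccountName `
           -SamAccountName $AccountName `
           -Path $TargetOU `
           -AccountPassword $Password `
           -Enabled $true `
           -PasswordNeverExpires $true `
           -ChangePasswordAtLogon $false `
           -Description 'Platform service account (reads AD; local admin on the Platform host only)'

# Verification: enabled, no password expiration, and NOT a member of any admin group.
$acct   = Get-ADUser -Identity $AccountName -Properties PasswordNeverExpires, Enabled
$groups = Get-ADPrincipalGroupMembership -Identity $AccountName |
          Select-Object -ExpandProperty Name

if (-not $acct.Enabled)              { throw "$AccountName is not enabled" }
if (-not $acct.PasswordNeverExpires) { throw "$AccountName still has password expiration" }
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    if ($groups -contains $g) { throw "$AccountName must not be a member of $g" }
}
"OK: $AccountName created; group membership: $($groups -join ', ')"
```

No extra delegation is normally needed for the “can read AD” requirement, because Authenticated Users can read directory objects in a default domain; only a domain that has tightened those default permissions would need an explicit read grant on the relevant OUs. The local Administrator requirement on the Platform host is handled on that host (Step 2 below), not in AD.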
2. Update group policies on Client’s Primary Domain Controller
⦁ Several policies must be changed, located in the following GPOs:
⦁ Default Domain controller Policy
⦁ Default Domain Policy
⦁ Inside both of those objects we change 7 policies, all located in:
⦁ Policies > Windows Settings > Security Settings > Local Policies > Security Options
⦁ The following Policies must all be set to Disabled:
⦁ Domain member: Digitally encrypt or sign secure channel data (always) = Disabled
⦁ Domain member: Digitally encrypt secure channel data (when possible) = Disabled
⦁ Domain member: Digitally sign secure channel data (when possible) = Disabled
⦁ Microsoft network client: Digitally sign communications (always) = Disabled
⦁ Microsoft network client: Digitally sign communications (if server agrees) = Disabled
⦁ Microsoft network server: Digitally sign communications (always) = Disabled
⦁ Microsoft network server: Digitally sign communications (if client agrees) = Disabled
⦁ Network access: Do not allow storage of passwords and credentials for network authentication = Disabled
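Because every setting in this list turns off signing or encryption that the domain may currently rely on, a practitioner will want a record of the effective state on the affected hosts before the GPO edit and a confirmation afterwards (for example after `gpupdate /force`). The script below is an added example, not part of the original document; it reads the registry values that back each of the listed Security Options and reports them as Enabled, Disabled or Not configured. The policy-to-registry mapping is the standard one used by the Security Options extension.

```powershell
# Added example (not from the original document): audit the effective state of the
# Security Options listed above on a domain-joined host. Run in an elevated prompt.
function Get-PlatformSigningPolicyState {
    $policies = @(
        @{ Name  = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Value = 'RequireSignOrSeal' },
        @{ Name  = 'Domain member: Digitally encrypt secure channel data (when possible)'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Value = 'SealSecureChannel' },
        @{ Name  = 'Domain member: Digitally sign secure channel data (when possible)'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Value = 'SignSecureChannel' },
        @{ Name  = 'Microsoft network client: Digitally sign communications (always)'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Value = 'RequireSecuritySignature' },
        @{ Name  = 'Microsoft network client: Digitally sign communications (if server agrees)'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Value = 'EnableSecuritySignature' },
        @{ Name  = 'Microsoft network server: Digitally sign communications (always)'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value = 'RequireSecuritySignature' },
        @{ Name  = 'Microsoft network server: Digitally sign communications (if client agrees)'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value = 'EnableSecuritySignature' },
        @{ Name  = 'Network access: Do not allow storage of passwords and credentials for network authentication'
           Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Value = 'DisableDomainCreds' }
    )

    foreach ($p in $policies) {
        $item = Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue
        $raw  = if ($item) { $item.($p.Value) } else { $null }
        # 1 = Enabled, 0 = Disabled; a missing value means the OS default applies.
        $state = switch ($raw) { 1 { 'Enabled' } 0 { 'Disabled' } default { 'Not configured' } }
        [pscustomobject]@{
            Policy   = $p.Name
            Registry = "$($p.Key)\$($p.Value)"
            Raw      = $raw
            State    = $state
        }
    }
}

# Usage: capture before, apply the GPO change, refresh policy, capture after.
Get-PlatformSigningPolicyState | Format-Table Policy, State, Raw -AutoSize -Wrap
```

Save the “before” table with the change ticket. The two “(always)” settings for the network client and server are what make SMB signing mandatory on a host; once they are Disabled, signing is only negotiated, so as the note at the top of this document says, applying the change to an OU containing just the Platform host (rather than the default domain policies) keeps the weaker setting from reaching every domain member.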
Connecting Platform to an Existing Domain
You must have access to the following accounts in order to proceed with the installation:
⦁ Domain Administrator – “Existing Domain Admin Account”
⦁ Domain service account for the Platform – “Platform Service Account”
Prior to beginning the installation, confirm the following:
⦁ The Platform is securely mounted in a rack/seated and power is connected.
⦁ A Mouse, Keyboard, and Monitor are connected to the Platform server.
⦁ No other external devices (USB sticks, USB HDDs, etc…) are connected to the Platform.
⦁ The Platform unit has physical connectivity to a network with access to the Domain it will be joining.
Step 1 - Join the Domain
1. Physically connect the Platform to the client domain via NIC2 (Internet)
2. Power on the system and log into Windows 2012.
a. Log into Windows with the following information
⦁ Username: Administrator
⦁ Password: Promax123
3. Join the domain using the existing domain admin account credentials
Step 2 - Configure Platform Domain Users
6. Log into the Platform using the Platform Services account
7. Use the Computer Management option and select “Local Users and Groups”
8. Add the Platform Services account to Platform Server local Administrators group.
9. Add the Platform Services account to the local IIS_IUSRS Group
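The two steps above, scripted for an elevated PowerShell prompt on the Platform host, as an added example that is not part of the original procedure. The domain name, NetBIOS name and service account name are assumed placeholders; the domain admin credential is prompted for rather than stored. Local group changes use the WinNT ADSI provider because Add-LocalGroupMember is not available in the PowerShell that ships with Windows Server 2012, and the IIS_IUSRS group is assumed to exist (it is created when the Web Server role is installed).

```powershell
# Added example (not from the original document). Placeholders are assumed values.
$DomainName     = 'corp.example'   # assumed: FQDN of the domain being joined
$NetbiosDomain  = 'CORP'           # assumed: NetBIOS name of that domain
$ServiceAccount = 'svc-platform'   # assumed: the "Platform Service Account"

# Step 1: join the domain with the existing domain admin credential, then reboot.
function Join-PlatformDomain {
    $cred = Get-Credential -Message "Existing Domain Admin Account ($NetbiosDomain\...)"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
}

# Returns the member names of a local group via the WinNT provider.
function Get-LocalGroupMemberNames([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

# Step 2 (after the reboot, in an elevated session): add the service account to
# the local Administrators and IIS_IUSRS groups, skipping groups it is already in.
function Add-PlatformServiceAccountToLocalGroups {
    $member = "WinNT://$NetbiosDomain/$ServiceAccount,user"
    foreach ($groupName in 'Administrators', 'IIS_IUSRS') {
        if ((Get-LocalGroupMemberNames $groupName) -contains $ServiceAccount) {
            "$ServiceAccount already in $groupName"
            continue
        }
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
        $group.Add($member)
        "Added $ServiceAccount to $groupName"
    }
}

# Verification: the service account must be present in both local groups.
function Test-PlatformLocalGroupMembership {
    foreach ($groupName in 'Administrators', 'IIS_IUSRS') {
        if ((Get-LocalGroupMemberNames $groupName) -notcontains $ServiceAccount) {
            throw "$ServiceAccount is missing from local group $groupName"
        }
    }
    'OK: service account is a member of Administrators and IIS_IUSRS'
}

# Usage (first session):  Join-PlatformDomain
# Usage (after reboot):   Add-PlatformServiceAccountToLocalGroups; Test-PlatformLocalGroupMembership
```

The group additions need an elevated session. If the session after the reboot is the Platform Services account and it is not yet a local administrator, it cannot elevate, so run the Step 2 functions once from a prompt started with the existing domain admin account (or the built-in Administrator); after that the service account itself can run PowerShell as local Administrator on the host, which is the requirement stated in step 1 of the client IT section.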