This article describes how to configure Windows Server 2008 for Kerberos authentication. Kerberos is an integral part of Windows Server 2008 Active Directory, and anyone planning to deploy and maintain an enterprise NoSQL database such as DataStax Enterprise with Kerberos should have a basic knowledge of the principles and administrative issues involved in this front-line security technology.
To configure Windows Server 2008 for Kerberos authentication we need to install the Web Server (IIS), DHCP Server and Active Directory Domain Services roles. We also need to set a static IP address and a computer name, and then configure each installed service. The following sections explain how to prepare the system for Kerberos authentication and install the necessary software.
1. Change computer name (server)
1.1. Click Start, right-click Computer, and then click Properties.
1.2. Under Computer name, domain, and workgroup settings, click Change settings.
1.3. Click the Computer Name tab, and then click Change.
1.4. Type the new computer name (we are using "cogserver02" in this example), and then click OK.
1.5. Restart the computer.
1.6 Set a static IP address
For certain types of servers you must assign a static IP address and subnet mask during or after Setup.
These servers include DHCP servers, DNS servers and any server providing access to users on the Internet. It is also recommended that you assign a static IP address and subnet mask to each domain controller. In this example the server plays all three roles (DHCP, DNS and domain controller), and domain members will locate the Kerberos KDC through its DNS records, so its address must not change.
To configure IPv4 for static addressing please do the following:
- Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center and then click Change Adapter Settings.
- Right-click the connection to which you want to add a static IP address and then click Properties.
- Acknowledge the UAC dialog and then double-click Internet Protocol Version 4 (TCP/IPv4).
- Click Use the following IP address, and do one of the following:
- For a local area connection, in IP address, Subnet mask, and Default gateway, type the IP address, subnet mask, and default gateway addresses.
- For all other connections, in IP address, type the IP address.
To configure advanced static IPv4 address settings for a local area connection, click Advanced.
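The same two changes (static address and computer name) made from an elevated PowerShell prompt instead of the GUI, as an added example that is not part of the original article. It assumes the adapter is named "Local Area Connection", the server address is 192.168.1.200/24 (the address the later sections use as DNS server) and the default gateway is 192.168.1.1; the article never states a gateway, so adjust it to your network.

```powershell
# Added example, not from the original article. Assumptions: adapter name,
# server address 192.168.1.200/24 and gateway 192.168.1.1.
$Adapter  = "Local Area Connection"
$ServerIP = "192.168.1.200"
$Mask     = "255.255.255.0"
$Gateway  = "192.168.1.1"          # assumption: not given in the article
$NewName  = "cogserver02"

# Static IPv4 address. netsh is used because the New-NetIPAddress cmdlets
# only exist from Windows Server 2012 onwards.
netsh interface ipv4 set address name="$Adapter" source=static address=$ServerIP mask=$Mask gateway=$Gateway gwmetric=1

# Point the server's own DNS client at itself: it will host the AD-integrated
# zone, and Kerberos clients find the KDC through the SRV records in it.
netsh interface ipv4 set dnsservers name="$Adapter" source=static address=$ServerIP register=primary

# Rename through WMI; ReturnValue 0 means success. The new name applies after
# a reboot, so rename before promoting the server to a domain controller.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$rc = $cs.Rename($NewName).ReturnValue
if ($rc -ne 0) { throw "Rename failed with WMI return code $rc" }

# Show what was applied, then reboot as step 1.5 requires.
netsh interface ipv4 show config name="$Adapter"
Restart-Computer -Force
```

Run it once from an elevated prompt on the server; if the adapter has a different name, `netsh interface ipv4 show interfaces` lists the names in use.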
2. Web Server(IIS) installation
Internet Information Services (IIS) is an extensible web server created by Microsoft for the Windows NT family of operating systems.
2.1 Click Start, click Administrative Tools and then click Server Manager.
2.2 In the Server Manager window, scroll down to Roles Summary, and then click Add Roles.
2.3 Select Web Server (IIS) on the Select Server Roles page.
2.4 On the Select Role Services page, select the IIS role services to be installed. Add only the modules you need. In this case ASP.NET is selected, and a description of ASP.NET appears in the right pane. Once the desired modules are added, click Next.
2.5 Add any required role services.
2.6 IIS is now installed with a default configuration for hosting ASP.NET on Windows Server. Click Close to complete the process.
More information: IIS installation
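The same role installed from the command line, as an added example that is not part of the original article. It uses ServerManagerCmd.exe, which ships with Windows Server 2008; the role-service IDs are the ones that `ServerManagerCmd -query` reports. The Windows Authentication line is my addition: the article selects only ASP.NET, but a site that is to authenticate users with Kerberos (Negotiate) also needs that role service.

```powershell
# Added example, not from the original article.
# Install the Web Server (IIS) role with the ASP.NET role service (section 2.4).
ServerManagerCmd.exe -install Web-Server
ServerManagerCmd.exe -install Web-Asp-Net

# My addition: without the Windows Authentication role service IIS can only
# offer anonymous/basic authentication and will never negotiate Kerberos.
ServerManagerCmd.exe -install Web-Windows-Auth

# Verify: installed items are marked "[X]" in the query output.
ServerManagerCmd.exe -query | Select-String "Web-"
```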
3. DHCP Server installation
3.1 From the Start menu, select Administrative Tools, then select Server Manager.
3.2 In the left pane, expand and click Roles, then choose Add Roles.
3.3 Select the DHCP Server role and click Next.
3.4 On the Network connection binding screen click Next.
3.5 On the IPv4 DNS Settings screen set the Parent Domain (cognet.local) and the Primary DNS Server (192.168.1.200, the static address of this server), then click Next.
3.6 We strongly suggest not using WINS on the network. Leave this option disabled, then click Next.
3.7 On the next screen, click Add to add a new scope. In our example the scope is named "cognet-local", the starting and ending IP addresses are 192.168.1.1 and 192.168.1.100, and the subnet mask is 255.255.255.0. After entering these parameters, click OK, then Next.
3.8 Select Disable DHCPv6 stateless mode for this server, then click Next.
3.9 Confirm the installation selections.
More information: DHCP installation and configuration
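The DHCP role and scope from section 3 created with ServerManagerCmd.exe and netsh, as an added example that is not part of the original article. All values are the article's (scope 192.168.1.1-192.168.1.100, mask 255.255.255.0, DNS server 192.168.1.200, domain cognet.local); the server's own address 192.168.1.200 lies outside the lease range, so no exclusion is needed.

```powershell
# Added example, not from the original article. Values are those of section 3.
ServerManagerCmd.exe -install DHCP

# Scope: network ID, subnet mask, display name (section 3.7).
netsh dhcp server add scope 192.168.1.0 255.255.255.0 "cognet-local"
netsh dhcp server scope 192.168.1.0 add iprange 192.168.1.1 192.168.1.100

# Options handed to clients: 006 = DNS server, 015 = DNS suffix (section 3.5).
# Both must point at the AD-integrated DNS; a client that cannot resolve the
# domain's SRV records cannot find the domain controller (the Kerberos KDC).
netsh dhcp server scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.200
netsh dhcp server scope 192.168.1.0 set optionvalue 015 STRING cognet.local

# No WINS option (044) is set, as section 3.6 recommends. Activate the scope.
netsh dhcp server scope 192.168.1.0 set state 1

# Show the result.
netsh dhcp server show scope
netsh dhcp server scope 192.168.1.0 show optionvalue
```

Once the domain from section 4 exists, the DHCP server must also be authorized in Active Directory before it will hand out leases; `netsh dhcp add server cogserver02.cognet.local 192.168.1.200` does that from the command line, or the wizard prompts for it when DHCP is installed after the domain.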
4. Active Directory Domain Services
4.1 Install Active Directory Domain Services
4.1.1 From the Start menu, select Administrative Tools, then select Server Manager.
4.1.2 In the left pane, expand and click Roles, then choose Add Roles.
4.1.3 Select the Active Directory Domain Services role and click Next.
4.1.4 Click Next on the introduction page, then click Install to start installing the Active Directory binaries.
4.1.5 When the installation is finished you will be shown a success message, then click Close.
4.2 Configure Active Directory
4.2.1 Open Server Manager, expand Roles and click Active Directory Domain Services. On the right hand side click the Run the Active Directory Domain Services Installation Wizard (dcpromo.exe) link.
4.2.2 This launches another wizard, this time to configure the settings for your domain. Click Next to continue.
4.2.3 Choose Create a new domain in a new forest, then click Next.
4.2.4 Type FQDN ( we are using “cognet.local” as an example ), then click Next.
4.2.5 Since this is the first domain controller in the forest, choose the highest forest functional level that this server's operating system supports (Windows Server 2008 R2 in our example). The level can never be higher than the operating system of any domain controller in the forest.
4.2.6 We want to include DNS in our installation because this will allow us to have an AD Integrated DNS Zone. When you click Next you will be prompted with a message to confirm. Please confirm this by clicking Yes to continue.
4.2.7 Confirm the installation selections (the wizard also installs the DNS Server role).
4.2.8 Restart computer.
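The forest from section 4.2 created unattended with dcpromo.exe, the program the wizard drives, as an added example that is not part of the original article. It assumes the NetBIOS domain name COGNET and uses a placeholder Directory Services Restore Mode (DSRM) password that you must replace; the wizard asks for this password too, although the article does not mention it.

```powershell
# Added example, not from the original article. Assumptions: NetBIOS name
# COGNET and the placeholder DSRM password, which must be replaced.
$AnswerFile = "C:\dcpromo-unattend.txt"
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=cognet.local
DomainNetbiosName=COGNET
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=ReplaceWithAStrongDSRMPassword
RebootOnCompletion=No
"@ | Out-File -FilePath $AnswerFile -Encoding ASCII

# ForestLevel/DomainLevel: 2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2.
# Use 4 only on a Windows Server 2008 R2 machine; a level cannot exceed
# the operating system of the domain controller itself.
Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:$AnswerFile" -Wait

# The answer file holds the DSRM password in clear text: remove it, then
# reboot as step 4.2.8 requires.
Remove-Item $AnswerFile -Force
Restart-Computer -Force
```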
4.3 Configure the DNS Server
4.3.1 From the Start menu, select Administrative Tools and then select DNS to open the DNS console.
4.3.2 Double-click your server name (COGSERVER02), then right-click Reverse Lookup Zones and choose New Zone to launch the New Zone Wizard.
4.3.3 Select Primary zone and Store the zone in Active Directory, then click Next.
4.3.4 On the screen Active Directory Replication Scope select To all DNS servers running on domain controllers in this domain: cognet.local, then click Next.
4.3.5 On the next screen select IPv4 Reverse Lookup Zone, then click Next.
4.3.6 Type Network ID: 192.168.1, then click Next.
4.3.7 On the screen Dynamic Update select: Allow only secure dynamic updates.
4.3.8 Confirm the settings and finish the wizard.
4.4 Managing DNS Records
4.4.1 In DNS Manager, expand your server name (cogserver02), then expand the Forward Lookup Zones , right-click on your domain name (cognet.local) and select Properties.
4.4.2 Click the Start of Authority (SOA) tab.
4.4.3 Set the Primary Server to your primary name server (we are using "cogserver02.cognet.local" in this example).
4.4.4 Next, click the Name Servers tab.
4.4.5 Remove all items in the list, then click Add and type your name servers ( for example we are using “cogserver02.cognet.local”).
4.4.6 When done, click OK to close the window. You are now ready to set up your zone records.
4.4.7 Right-click your domain name under Forward Lookup Zones and Reverse Lookup Zones, and select New Host (A or AAAA) or New Pointer (PTR). See the image below:
[Image: Lookup Zones settings]
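Sections 4.3 and 4.4 done with dnscmd.exe, which is installed with the DNS Server role, as an added example that is not part of the original article. It assumes the DSE node linuxccm.cognet.local has the address 192.168.1.50; the article gives no address for it.

```powershell
# Added example, not from the original article. Assumption: linuxccm is at
# 192.168.1.50.
$Dns     = "cogserver02"
$Zone    = "cognet.local"
$RevZone = "1.168.192.in-addr.arpa"    # reverse zone for network ID 192.168.1

# 4.3: AD-integrated primary reverse zone, replicated to all DNS servers on
# domain controllers in this domain (/dp /domain = DomainDnsZones partition).
dnscmd $Dns /ZoneAdd $RevZone /DsPrimary /dp /domain

# Secure dynamic updates only (0 = none, 1 = nonsecure and secure, 2 = secure).
# A secure update is authenticated with Kerberos (GSS-TSIG), so only a
# domain member can register or overwrite records, and only those it owns.
dnscmd $Dns /Config $RevZone /AllowUpdate 2

# 4.4: this server as a name server for the forward zone.
dnscmd $Dns /RecordAdd $Zone "@" NS "$Dns.$Zone."

# Host (A) and pointer (PTR) records for the DSE node. Kerberos clients build
# the service principal name from the host name they resolve, so the forward
# and reverse records must agree.
dnscmd $Dns /RecordAdd $Zone linuxccm A 192.168.1.50
dnscmd $Dns /RecordAdd $RevZone 50 PTR "linuxccm.$Zone."

# Check both directions.
dnscmd $Dns /EnumRecords $Zone linuxccm
dnscmd $Dns /EnumRecords $RevZone 50
```

The NS record of any other server that step 4.4.5 removes in the GUI is deleted with `dnscmd cogserver02 /RecordDelete cognet.local @ NS <old-server-fqdn>.`; the SOA primary server is edited as in 4.4.3.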
4.5 Add users to Active Directory
4.5.1 Open Active Directory Users and Computers.
4.5.2 Right-click Users, then New, then User. In our example we create an ordinary user "test_user" and a principal for the DSE service, "dse/linuxccm.cognet.local".
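The two principals from step 4.5.2 created with the Active Directory command-line tools (dsadd, setspn, ktpass) that come with the AD DS role, as an added example that is not part of the original article. It assumes the DSE service runs under a dedicated account named "dse-linuxccm" (my name; the article gives only the service principal name) and that the Kerberos realm is COGNET.LOCAL, i.e. the domain name in upper case. The keytab step goes beyond the article: it is how a non-Windows host such as the Linux DSE node obtains the key for that principal.

```powershell
# Added example, not from the original article. Assumptions: service account
# name dse-linuxccm, realm COGNET.LOCAL.
$Realm   = "COGNET.LOCAL"
$Users   = "CN=Users,DC=cognet,DC=local"
$SvcAcct = "dse-linuxccm"

# Ordinary user. -pwd * prompts for the password so it never lands in history.
dsadd user "CN=test_user,$Users" -samid test_user -upn "test_user@$Realm" -pwd * -disabled no

# Service account for the DSE node. Its password must not rotate, because a
# changed password invalidates the keytab created below.
dsadd user "CN=$SvcAcct,$Users" -samid $SvcAcct -pwd * -pwdneverexpires yes -disabled no

# Register the article's SPN on that account. setspn -S refuses to create a
# duplicate: a duplicated SPN makes the KDC issue tickets under the wrong key,
# which the service sees as KRB_AP_ERR_MODIFIED.
setspn -S dse/linuxccm.cognet.local $SvcAcct

# Keytab for the Linux node. ktpass SETS the account password to the value
# entered at the prompt (it must match the one given to dsadd, or simply let
# ktpass define it). The realm part of /princ must be upper case.
ktpass /princ "dse/linuxccm.cognet.local@$Realm" /mapuser "COGNET\$SvcAcct" /pass * /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out C:\dse-linuxccm.keytab

# Confirm the SPN is registered exactly once.
setspn -L $SvcAcct
```

Copy the keytab to the node over an authenticated channel (scp, not a share) and delete the local copy; whoever holds it holds the service's long-term key. If the KDC later refuses AES tickets for the account, check "This account supports Kerberos AES 256 bit encryption" on the account's Account tab.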
4.6 Join a computer to the domain
4.6.1 Open System by clicking Start, right-clicking Computer, and then clicking Properties.
4.6.2 Under Computer name, domain, and workgroup settings, click Change settings. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
4.6.3 Click the Computer Name tab, and then click Change. Alternatively, click Network ID to use the Join a Domain or Workgroup wizard to automate the process of connecting to a domain and creating a domain user account on your computer.
4.6.4 Under Member of, click Domain.
4.6.5 Type the name of the domain you want to join (for example COGNET.LOCAL), then click OK. You are prompted for the credentials of a domain account that is allowed to join computers to the domain.
4.6.6 Restart the computer.
If your computer is already a member of another domain, you must first remove it from that domain:
I. Click Start, then point to Computer.
II. Right-click Computer, then click Properties.
III. Under Computer name, domain, and workgroup settings, click Change settings.
IV. Click Change, set Member of to Workgroup, then click OK.
V. When you are asked for an administrator account and/or password, enter it.
VI. Restart the computer.
VII. The computer can now be joined to the domain.
Then disable cached domain logons:
To disable cached domain logons, set the CachedLogonsCount value (a REG_SZ string, not a DWORD) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 0, then restart the computer. With no cached credentials a domain user can only log on while a domain controller is reachable, which is what you want on a machine that must always authenticate against Kerberos.
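Section 4.6 from an elevated PowerShell 2.0 prompt on the computer being joined, as an added example that is not part of the original article: leave a current domain first if necessary, otherwise join cognet.local and disable cached logons. It assumes the domain administrator account is COGNET\Administrator.

```powershell
# Added example, not from the original article. Assumption: join credentials
# are COGNET\Administrator (prompted for, never stored in the script).
$Domain = "cognet.local"
$Cred   = Get-Credential "COGNET\Administrator"

$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    # Already in a domain: steps I-VII of the article. The join has to wait
    # until after this reboot, so run the script a second time afterwards.
    Remove-Computer -Credential $Cred -Force
    Restart-Computer -Force
    return
}

# Steps 4.6.4-4.6.5: join the domain (Add-Computer exists in PowerShell 2.0;
# its -Restart switch only appeared in 3.0, hence the explicit reboot below).
Add-Computer -DomainName $Domain -Credential $Cred

# CachedLogonsCount is a REG_SZ; "0" = cache nothing, so a domain user can
# log on only while a domain controller (the KDC) is reachable.
$Winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value "0" -Type String

# Step 4.6.6.
Restart-Computer -Force
```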
4.7 Check the settings
4.7.1 Open a command prompt (on Windows press the Windows key + R and type cmd; on Linux press Ctrl+Alt+T to open a terminal).
4.7.2 Type nslookup followed by the server name (for example nslookup cogserver02). It must resolve to the server's static address (192.168.1.200 in our example); if it does not, the client is not using the AD-integrated DNS and Kerberos logons will fail.
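A fuller check than nslookup alone, run on a domain-joined Windows machine, as an added example that is not part of the original article. It assumes the domain cognet.local, the domain controller cogserver02 at 192.168.1.200 and the service principal dse/linuxccm.cognet.local from section 4.5.

```powershell
# Added example, not from the original article. Assumptions: domain, DC
# address and the DSE SPN as in the earlier sections.
$Domain = "cognet.local"
$Dc     = "cogserver02"

# Forward and reverse resolution through the AD-integrated DNS (section 4.7.2).
nslookup "$Dc.$Domain"
nslookup 192.168.1.200

# Domain members find the KDC through this SRV record; it must resolve on
# every client, which is what DHCP options 006/015 in section 3 ensure.
nslookup -type=SRV "_kerberos._tcp.$Domain"

# Locate a domain controller and verify the machine's secure channel to it.
nltest /dsgetdc:$Domain
nltest /sc_query:$Domain

# Kerberos rejects tickets when clocks differ by more than 5 minutes
# (default): confirm this machine is synchronised with the domain.
w32tm /query /status

# Purge cached tickets, request one for the DSE service and list the cache.
# "klist get" needs Windows 7 / Server 2008 R2 or later; on Vista / 2008 only
# "klist" and "klist purge" exist, so access the service instead and re-list.
# A KDC_ERR_S_PRINCIPAL_UNKNOWN here means the SPN of section 4.5 is missing.
klist purge
klist get "dse/linuxccm.$Domain"
klist
```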
Cognitum is also a partner of DataStax, a major Cassandra vendor that provides worldwide training for Cassandra and enterprise-level appliances: DataStax Enterprise, which combines Cassandra, Hadoop, Hive and Solr in a single solution.