Windows Active Directory (AD) domain controllers hold the Active Directory
database and run the Kerberos Key Distribution Center (KDC) service. The Kerberos
principals and their keys are stored in Active Directory, so the user account and its
service principal name must be defined in AD before the KDC can issue tickets for the service.
Windows configuration consists of creating a user account for a managed DHCP Server in
Active Directory, and then mapping a service principal name to the user account.
Note: A service principal name is the name by
which a client uniquely identifies an instance of a service, and is associated with
the security principal (user, host, or service in a realm) in whose security context
the service executes.
Before the Kerberos authentication service can use a service
principal name to authenticate a service, the service principal name must be
registered on the account object that the service instance uses to log
on.
Create one user account, with its own service principal name, for every
DNS/DHCP Server. A separate account per server keeps the servers' Kerberos keys
distinct, so a compromised account affects only that server, which is what security
policies generally require.
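The following PowerShell sequence is an added example of the account and SPN setup described above; it is not part of the original guide. It assumes the ActiveDirectory module (RSAT) is available, that you run it as a domain administrator, and that the realm example.com, the server FQDN dhcp1.example.com, the account name svc-dhcp1 and the SPN form DNS/<fqdn> are placeholders to be replaced with your own values.

```powershell
# Added example: create a per-server AD account and register its SPN.
# All names below are placeholders (assumption), not values from the guide.
Import-Module ActiveDirectory

$Domain     = 'example.com'
$ServerFqdn = 'dhcp1.example.com'   # managed DNS/DHCP server
$Account    = 'svc-dhcp1'           # one account per server
$Spn        = "DNS/$ServerFqdn"     # SPN form is an assumption; use the one your service expects

# Generate a random password; in production store it in your secret vault.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Create the account. Restricting it to AES avoids RC4/DES ticket encryption.
New-ADUser -Name $Account `
    -SamAccountName $Account `
    -UserPrincipalName "$Account@$Domain" `
    -AccountPassword $Password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -KerberosEncryptionType AES128, AES256 `
    -Description "Kerberos service account for $ServerFqdn"

# An SPN must be unique in the forest: if another object already carries it,
# the KDC will encrypt service tickets with that object's key and
# authentication to this server will fail. Check before registering.
$dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($dup) {
    throw "SPN $Spn is already registered on $($dup.DistinguishedName)"
}

# Map the SPN to the account (equivalent to: setspn -S DNS/dhcp1.example.com svc-dhcp1).
Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $Spn }

# Verify what was written.
Get-ADUser -Identity $Account -Properties servicePrincipalName, KerberosEncryptionType |
    Select-Object SamAccountName, servicePrincipalName, KerberosEncryptionType
```

Repeat the block once per DNS/DHCP server with its own account name and FQDN. The duplicate-SPN check is the step most often skipped; `setspn -X` performs the same forest-wide duplicate search if you prefer the command-line tool.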
For more information about Service Principal Names (SPN), refer
to the following URL: http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949%28v=VS.85%29.aspx
Note: Configuring and managing your
Kerberos service is beyond the scope of this guide. For information on Kerberos
concepts and configuration, refer to your Kerberos documentation.
The following section contains steps that are required to complete the Windows server
configuration.
Note: You should already have a
Windows server with the Active Directory Domain Services and DNS Server roles installed and
configured.