02- Windows 2008 Server Basics
Initial set up- networking, DNS, and Domain Controller-ville.
You can start with the image provided in the lab. Log in as administrator on the provided VM- and CHANGE THE ADMIN PASSWORD. [It is blank!]
Windows Server 2008 prefers (almost requires) a static IP. When the server first starts, you are presented with the Initial Configuration Tasks dialog. Select “Configure Networking” -> Local Area Connection (Right click).
Uncheck Internet Protocol Version 6; we don’t need IPv6 in class.
Click on Internet Protocol Version 4->Properties. Select the (static) IP, Subnet, & Gateway. We leave DNS blank for now- we will be setting up this machine as a DNS server. We could use one of our existing DNS Servers here if we wanted. Test the connection.
Select “Provide computer name and domain” from Initial Configuration Tasks. Change the computer name and the domain. In this example, we set Computer Name = 08Server1 (or your choice) and Domain (from the “More” button) = cs (or your choice). Thus, the full name of the server is 08Server1.cs. Do not change the domain / workgroup settings, and then reboot.
Select “Add Roles” from Initial Configuration Tasks. We will install both our DNS Server and our Domain Controller on the same host. We can put these on separate hosts if we wish. If you do, then be sure the DNS is built first.
Select Active Directory Domain Services, and begin the install. When the install is complete, run the Active Directory Domain Services Installation Wizard (dcpromo.exe). As part of the process, be sure to install the DNS server when the option is given. Read & select from the other options. If you are starting from scratch, then you want a new forest.
Let’s add some machines to our DNS Server. First we need to get them static IP Addresses.
In Windows XP, navigate Start / Control Panel / Network and Internet Connections / Network Connections / Local Area Connection / Properties / Internet Protocol (TCP/IP) / Properties.
Set the IP Address, Gateway, and DNS Server.
In Windows Vista, navigate Start Thing / Control Panel / Network and Internet / View network status and tasks / Network View Status / Properties / (UAC) / Internet Protocol Version 4 / Properties.
In Windows 7, navigate Start Thing / Control Panel / Network and Internet / View network status and tasks / Local Area Connection / Properties / (UAC) / Internet Protocol Version 4 / Properties.
Add these names & addresses to the DNS Server Forward Lookup Zone. To do so, Run Server Manager, and navigate Server Manager / Roles / DNS Server / DNS / “Server_Name” / Forward Lookup / “Domain_Name” (Right click) / New Host (A or AAAA), then add the necessary details for each host.
Create a reverse lookup zone; this gives the name associated with an IP address. To do so, navigate Server Manager / Roles / DNS Server / DNS / “Server_Name” / Reverse Lookup (right-click) / New Zone, and use the Wizard.
- Create a Primary Zone and store the result in Active Directory.
- Replicate the zone data to all DNS servers in the domain.
- Create an IPv4 Reverse Lookup Zone.
- Select an appropriate network ID (e.g. 192.168.1.x).
- Allow only secure dynamic updates.
With the zone created, add the necessary details for each host: Server Manager / Roles / DNS Server / DNS / “Server_Name” / Reverse Lookup / “IP_ADDR”.in-addr.arpa (e.g. 1.168.192.in-addr.arpa) / New Pointer (PTR).
As was the case with BIND, we need to be able to forward requests for other namespaces to the correct nameserver(s). We can do so using Conditional Forwarding. Navigate Server Manager / Roles / DNS Server / DNS / “Hostname” / Conditional Forwarder.
You need a forwarder for both the forward lookups and the reverse lookups. Verify that this works by setting up both your BIND / DNS servers from week 2 and having your Windows servers & BIND servers correctly forward queries to each other.
You may want to use different subnets for your Windows & BIND servers to test the correct forwarding of reverse lookups. You may instead want to use the servers from a different team / table.
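The forward zone records, the reverse zone, and the two conditional forwarders above can be scripted with dnscmd.exe on the Server 2008 DNS server; this is an added example rather than part of the handout, and the client names, addresses, and the BIND server 192.168.2.53 serving bindlab.local are constructed values (the zone name cs follows the handout). The final function does the check the text asks for: a name must resolve to an address that resolves back to the same name, both locally and through the forwarder.

```powershell
# Added example (not from the handout). Run in PowerShell 2.0 on the Server 2008
# DNS server as an administrator; dnscmd.exe ships with the DNS Server role.
$zone    = 'cs'
$revZone = '1.168.192.in-addr.arpa'          # reverse zone for 192.168.1.x
$hosts   = @{ 'xpclient' = '192.168.1.20'; 'vistaclient' = '192.168.1.21' }   # constructed

# Reverse lookup zone: AD-integrated primary, secure dynamic updates only (AllowUpdate 2)
dnscmd /ZoneAdd $revZone /DsPrimary
dnscmd /Config  $revZone /AllowUpdate 2

foreach ($name in $hosts.Keys) {
    $ip   = $hosts[$name]
    $last = $ip.Split('.')[-1]                 # host octet is the PTR record name
    dnscmd /RecordAdd $zone    $name A   $ip
    dnscmd /RecordAdd $revZone $last PTR "$name.$zone."   # trailing dot = absolute name
}

# Conditional forwarders for the BIND team's namespace AND its reverse zone
# (assumed: BIND server 192.168.2.53 is authoritative for bindlab.local / 192.168.2.x)
dnscmd /ZoneAdd 'bindlab.local'          /Forwarder 192.168.2.53
dnscmd /ZoneAdd '2.168.192.in-addr.arpa' /Forwarder 192.168.2.53

# Round-trip check: forward lookup, then reverse lookup of the answer, must agree.
function Test-DnsRoundTrip([string]$fqdn) {
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($fqdn) | Select-Object -First 1
        $back = [System.Net.Dns]::GetHostEntry($addr).HostName
        New-Object PSObject -Property @{ Name = $fqdn; Address = $addr.IPAddressToString;
                                         Reverse = $back; Consistent = ($back -eq $fqdn) }
    } catch {
        # A missing A record, missing PTR record or broken forwarder all land here
        New-Object PSObject -Property @{ Name = $fqdn; Address = $null;
                                         Reverse = $_.Exception.Message; Consistent = $false }
    }
}

$hosts.Keys | ForEach-Object { Test-DnsRoundTrip "$_.$zone" } | Format-Table -AutoSize
Test-DnsRoundTrip 'bindhost.bindlab.local'   # constructed name; exercises both forwarders
```

A row with Consistent = False after the BIND servers are up usually means one of the two conditional forwarders (forward or reverse) was left out on one side.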
Constructing a Windows domain
To add a computer to the domain, we work on the domain member, not the domain controller. The process is similar for each different type of Windows system.
For Windows XP, navigate My Computer (Right) / Properties / Computer Name / Change / Member of. Be sure that the name of the machine agrees with the DNS entry. You need an account with privileges on the domain controller. A reboot is required.
For Windows Vista, navigate Computer (Right) / Properties / Change Settings / (UAC) / Change / Member of. As before, be sure that the name of the machine agrees with the DNS entry; you still need an account with privileges on the domain controller, and a reboot is still required.
Notice that there is no relationship between the machines in the DNS server and the machines in the domain. It is true that all machines in the domain should have a DNS entry (somewhere, on some server) but they do not have to be on the DNS server on the DC. In fact, the DC and the DNS server can be completely separate hosts. Do not confuse the two!
Add two machines to your domain.
Let us review the default domain users and groups. The information & settings can be found by navigating Server Manager / Roles / Active Directory Domain Services / Active Directory Users and Computers / “DomainName” / Users
- How many users does your DC possess at boot?
- How many are active?
- How many groups does your DC possess at boot?
- How many groups have members?
- Does your initially created user belong to a different set of groups than the administrator?
Add additional users to your DC. Place them in a variety of groups. Verify that these accounts work by using them to log on to client machines.
In Active Directory, an organizational unit (OU) is a container for users, groups, and computers. OUs can be created around roles, around geography, around the structure of the company/organization, or around any other convenient set of distinctions.
Imagine that you are in charge of the IT staff for a small company, with a main office and three branch offices. Your company has a sales staff, a manufacturing staff, a research & development team, and an IT team. Construct three different potential OU hierarchies. What are the advantages and disadvantages of each?
We will use a sample OU structure in what follows. The approach selected, while reasonable, is not the only reasonable structure. Our structure is to have three top level OUs- one for our sales staff, one for our Research group, and one for our IT Staff. Inside the sales and the research OU, we have two child OUs, one for users and one for computers (named how you wish).
To create the OUs, navigate Start / Administrative Tools / Active Directory Users and Computers. Then navigate Active Directory Users and Computers / “Domain_Name” (right click) / New / Organizational Unit
For each OU you create, you need to specify the name. If you leave the check box “Protect container from accidental deletion” checked, well, then deleting the OU becomes a bit of a pain.
What? You created an OU with that box checked and now you want to delete it?
- Log on to an account that is a domain admin.
- Go to Active Directory Users and Computers.
- Right-click on “Active Directory Users and Computers”.
- Select View -> Advanced Features.
- Navigate the tree (which is now larger), right-click on the OU and select properties.
- From the Security tab, select Advanced.
- The (usually first) entry is a Deny Everyone permission; Remove it.
- Go back to the OU name in the Active Directory Users and Computers tree; right-click and select Delete.
- Uncheck the Advanced Features in the View sub-menu if you wish.
Put one computer into the research computers child OU, and put one computer into the sales computers child OU. [These can be the ones you created earlier and added to the domain. If so, select the computer in Active Directory Users and Computers, and from the Action menu, select Move.]
Create at least one user in each of the three user child OUs- the research user OU, the sales user OU and the IT staff user OU.
Test the result.
Note that a user / group / computer can only be in one OU.
Finally, we remark that it is possible to integrate linux machines into AD and into OUs. The catch is that it is technically demanding- sufficiently so that we will not cover it in class.
Note that the collection of domain controllers (seen in Active Directory Users and Computers) is also an OU- note the folder icon is the same as for the other OUs you have created.
Delegating and OUs
We can use groups within an OU as a way to delegate privileges. In the research users OU, create two users- a “normal” user and an “admin” user. We want to enable the “admin” user to be able to handle passwords, password resets and do simple user management, but only in the Research OU. How do we do this?
Create a group inside the Research Users OU; call it Research Admins. The group scope can remain global; the group type should be Security. Add the “admin” user to the Research Admins group inside the Research Users OU. Note that, despite the name, this is a simple unprivileged user.
To give users inside the Research Admins group some privileges, right-click on the Research OU, and select Delegate Control. A Wizard starts, called the Delegation of Control Wizard. Select the Research Admins group (Select Add, and type the name). Delegate some common tasks- say Create, delete and manage user accounts and Reset user passwords and force password change at next logon.
Though now the members of the Research Admins group have these privileges, how can they be used? We did not grant these admins the right to log on to the domain controller, did we? And would that be a good thing?
What happens next depends on whether we are in Windows Vista or in Windows 7.
In Vista (with SP1 or greater), we must install the Remote Server Administration Tools (KB 941314). This is available online and on the lab share. Open Control Panel, click Programs, and then click Turn Windows features on or off under Programs and Features. If you are prompted to provide permission by User Account Control, click Continue. In the Windows Features dialog box, select the remote administration snap-ins and tools that you want to install, and then click OK.
If you wish, you may configure the Start menu to display the Administration Tools shortcut. [This is done on a per-user basis- so setting this up for one user does not set it up for all users.] Right click Start, and then click Properties. On the Start Menu tab, click Customize. In the Customize Start Menu dialog box, scroll down to System Administrative Tools, and then select Display on the All Programs menu and the Start menu. Click OK. Shortcuts for snap-ins installed by RSAT are added to the Administrative Tools list on the Start menu.
Log into your Vista machine using the Research Admin user. From Administrative Tools, open Active Directory Users and Computers. From here, you are now able to e.g. enable and disable the account of the regular user(s) from the Research OU.
In Windows 7, the process is essentially similar, though a different software package (KB958830) is used to install the Remote Server Administration Tools.
Verify that your research admin user has the delegated properties.
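One way to verify the delegation without logging on as the admin user is to read back what the wizard wrote to the OU's ACL. This is an added example, not the handout's own procedure; the OU distinguished name, the NetBIOS domain name CS, and the group name are assumptions following the handout's examples, and the schema GUIDs are the well-known ones for the Reset Password right, the pwdLastSet attribute and the user class.

```powershell
# Added example (not from the handout). Run on the DC as a domain admin in
# PowerShell 2.0; uses System.DirectoryServices only, no AD module required.
$ouDn  = 'OU=Research,DC=cs'          # assumed DN of the Research OU
$group = 'CS\Research Admins'         # assumed NetBIOS domain \ group name

# Well-known AD schema GUIDs (verify against your own schema if in doubt)
$guidNames = @{
  '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
  'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet attribute'
  'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user object class'
  '00000000-0000-0000-0000-000000000000' = '(all)'
}

# Explicit (non-inherited) ACEs on the OU that name the delegated group
function Get-OuDelegation([string]$dn, [string]$identity) {
    $ou = [ADSI]"LDAP://$dn"
    $ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
      Where-Object { $_.IdentityReference.Value -eq $identity } |
      ForEach-Object {
        $ot = $_.ObjectType.ToString()
        New-Object PSObject -Property @{
            Type    = $_.AccessControlType
            Rights  = $_.ActiveDirectoryRights
            Applies = $(if ($guidNames.ContainsKey($ot)) { $guidNames[$ot] } else { $ot })
            Inherit = $_.InheritanceType      # Descendents = applies to objects inside the OU
        }
      }
}

$rules = Get-OuDelegation $ouDn $group
$rules | Format-Table Type, Rights, Applies, Inherit -AutoSize

# The two wizard tasks should show up as these ACEs and nothing broader
$canReset  = $rules | Where-Object { $_.Applies -like 'Reset Password*' -and $_.Rights -match 'ExtendedRight' }
$canCreate = $rules | Where-Object { $_.Applies -eq 'user object class'  -and $_.Rights -match 'CreateChild' }
"Reset passwords delegated     : $([bool]$canReset)"
"Create/delete users delegated : $([bool]$canCreate)"
```

Running the same function against other OUs (or the domain root) is a quick way to confirm the delegation really is confined to the Research OU.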
Group policies are used to create and enforce different policies, including security related policies. Group policies are either local to the machine, or are based on Active Directory.
To modify the local GPO for a machine, run the command gpedit.msc either from the run box or directly from the command line. To see the local GPO for a machine, let’s test it out on a Vista machine that is not connected to a domain.
- What software settings are present by default?
- Are there any startup or shutdown scripts?
- What are the default password policies?
- What are the default account policies?
- What is the default audit policy?
- What is the significance of this from the point of view of the security of your system?
- Which users can change the system time?
- Modify this setting and test it.
- Can you rename the administrator account?
- Do it. [Hmm. I guess this probably tells you the answer to the above question. Shrug.]
- How is the Windows Firewall configured?
- What information does the Network List Manager provide?
- What software restriction policies are set by default?
- Can you set disk quotas in Windows? If so, how?
Because Group Policies can be set at different levels, it is important to know the order of precedence. It is:
- Local GPOs apply first
- Site-linked GPOs apply next
- Domain-linked GPOs apply next
- OU-linked GPOs apply last.
Note also that the “last writer wins”.
Examine the default domain policy.
To modify domain and GPO level policies, run the Group Policy Management Tool on the domain controller (Start / Administrative Tools / Group Policy Management). Select the Default Domain Policy- follow the tree- Group Policy Management / Forest (in the example this is cs) / Domains / “Domain_name” (in the example this is cs) / Default Domain Policy.
Note that this entry is a link to an entry in the collection of Group Policy Objects.
GPOs can be filtered via security filters and via WMI filters; we will not cover these.
What are the settings in the default domain policy?
Who can modify the default domain policy? What can others do?
Examine the default domain controller policy. Look again at the collection of Group Policy Objects.
Creating our own GPOs
As an example, let us create a GPO that disables the screen saver tab for a user. From the collection of Group Policy Objects, select “New”. Name the policy whatever you wish; in the example I will call it “ScreenSaver”. We will not use a Source Starter GPO.
Select the policy, and view the settings. Note that initially no settings have been made. Right-click in the settings window to bring up the Group Policy Management Editor. The resulting editor is very similar to the editor we saw for
To make the change, navigate through User Configuration / Policies / Administrative Templates / Control Panel / Display. Double-click on the Hide Screen Saver tab and set it to “Enabled”.
Be sure to read the Explain tab.
Be sure to add some comments to the Comment tab- after all, we all comment our code carefully, don’t we?
Exit the Group Policy Management Editor [No, you don’t have a “Save” button.]
From the Group Policy Management console, note that apparently no changes have been made. Right click on the settings window and select “Refresh”; at this point the changes you have already made in the GPO will become visible.
To apply this policy to a group, select an OU, (say the research OU) and right-click; select Link an Existing GPO, then select the GPO you developed and select OK.
GPOs are pulled by the client from the server. This happens on a regular basis, but it is not immediate. The client can update their policy set manually by running the command gpupdate from either the command line or from the Run box. The client will also update their GPO settings on login, so you can refresh the set by logging off and back on.
Verify that your settings have been applied to the client- you should no longer see an entry to allow you to modify the settings for the screensaver.
GPOs can also be applied to an entire site (a collection of forests, which are collections of domains). We do not consider this further here.
Suppose that we want to have our policy apply to all elements of the domain. Create another GPO object as above; now we are going to hide the Desktop settings for users. From the Group Policy Management Editor, navigate User Configuration / Policies / Administrative Templates / Control Panel / Display / Hide Desktop tab -> Enabled.
From the Group Policy Management window, right click on the domain name, and “Link to an Existing GPO”. Test your changes by examining both the computer that was in your research OU and a computer in the sales OU. Note that gpupdate or a log in (after log out) may be required.
Notice that the changes occur regardless of the user- even if you log in as a domain admin, you will not see the Desktop settings tab.
When deleting a GPO for an OU you can either delete the GPO, or just its link to that OU (so it can be saved and used on another OU for example). To delete the link, select the GPO in the OU, and delete. To delete the GPO, go to Group Policy Objects and delete the rule.
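The two GPOs built above in the GPMC (the Screen Saver tab hidden for the Research OU, the Desktop tab hidden domain-wide) can also be created and linked from the Group Policy cmdlets, and the result checked on a client. This is an added example, not the handout's own steps: it assumes the GroupPolicy module, which ships with Server 2008 R2 (and RSAT on Windows 7) but not Server 2008 RTM, the handout's domain cs, and the registry values that the two Administrative Template settings write.

```powershell
# Added example (not from the handout). Run on a DC with the GroupPolicy module.
Import-Module GroupPolicy

# Both "Hide ... tab" templates write REG_DWORD 1 under this per-user policy key
$polKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function New-DisplayTabGpo([string]$name, [string]$valueName, [string]$comment, [string]$target) {
    $gpo = New-GPO -Name $name -Comment $comment          # comment = the Comment tab
    Set-GPRegistryValue -Name $name -Key $polKey -ValueName $valueName -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $name -Target $target -LinkEnabled Yes | Out-Null   # link, not copy
    $gpo
}

# GPO 1: Hide Screen Saver tab, linked only to the Research OU (assumed DN)
New-DisplayTabGpo 'ScreenSaver' 'NoDispScrSavPage'     'Hides the Screen Saver tab' 'OU=Research,DC=cs'
# GPO 2: Hide Desktop tab, linked at the domain, so every OU inherits it (LSDOU order)
New-DisplayTabGpo 'HideDesktop' 'NoDispBackgroundPage' 'Hides the Desktop tab domain-wide' 'DC=cs'

# On a domain member, after gpupdate or a fresh logon: what the policy engine applied
function Test-DisplayTabPolicy {
    $clientKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ScreenSaverTabHidden = ($p -ne $null -and $p.NoDispScrSavPage -eq 1)
        DesktopTabHidden     = ($p -ne $null -and $p.NoDispBackgroundPage -eq 1)
    }
}
gpupdate /target:user /force | Out-Null
Test-DisplayTabPolicy
```

On a machine in the sales OU the expected result is DesktopTabHidden = True and ScreenSaverTabHidden = False; on a Research machine both are True, whoever logs on.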
Adding a second domain controller
If you are starting with the lab image, CHANGE THE ADMINISTRATOR PASSWORD!
Set up a static IP address and name for the backup; use the primary DNS server for DNS.
Now suppose that you, like me, are using a single name for your namespace- that is, your full hostname is host.domain where domain is just one word- so that your full hostname is 08server.cs (as it is in my examples) rather than 08server.cs.com or 08server.cs.org or whatever. Well, it turns out that this will cause a difficult little error to occur later, unless we do a bit of magic now…
After you set the static IP address and DNS server, press the Advanced button, and select the DNS tab. In the box “DNS suffix for this connection” enter a period. Yep- just one period, nothing else. Don’t ask how I know this, just trust me! It will work! (sort of…)
Set up the name of the new server. Be sure that these entries are in the primary DNS server before continuing.
Join the new machine to the old domain.
Use the Add Roles Wizard to install Active Directory Domain Services on the controller. When the wizard completes, run dcpromo.exe (e.g. from the link). Select Add a domain controller to an existing domain (from Existing forest.) Select the domain; since we have only created one domain (cs in the example) use that as the domain.
For the site, we use the default, which has the clever name “Default-First-Site-Name”.
Under additional domain controller options, be sure that both DNS server and Global catalog are checked.
You say that the DNS Server box is grayed out? Didn’t you read the bit above where I talked about a difficult little error?
Note that the setup will then tell you that an authoritative parent zone cannot be found- not surprisingly, since we are creating our own top-level domain without a parent. We do want to continue at this point…
The remaining questions can be answered in the same way we answered them for the first DC.
Take a look at the DNS settings. Note that the forward and reverse zones from the primary will have been duplicated, but not the conditional forwarders; these need to be added manually.
The settings for DNS servers on domain members are not automatically updated with the location of your new DNS server; this must be done manually on each client.
Test your backup DC by shutting down the original DC; be sure that your services (AD, DNS) are still available.
Windows 2003 Server
Windows 2003 Server, especially Windows Server 2003 R2, is still a commonly used server. However, we do not have time to cover it this week. I encourage you to experiment with it- it will make a nice surprise for the other teams during the exercises.