03- Windows 2008 Server Basics
In these notes, we will start with the stock install of Windows 2008 R2 Datacenter (x86-64) provided in the classroom laboratory. That machine was built from the MSDNAA .isos (available to the students in class) using the default installation.
The default user created during installation is “Sam Vimes” with the usual class password of “password1!”. The system is set up to log that user in automatically with that password.
The system also has an Administrator user with a blank password. I wonder- could that be a bad thing?
Once the system boots for the first time, you will be presented with a list of initial configuration tasks similar to the following:
Let’s get the basics set up first. Windows Server 2008 prefers (almost requires) a static IP. Select “Configure Networking” and from the list of network connections, right click on Local Area Connection and select Properties.
Uncheck Internet Protocol Version 6; we don’t need IPv6 in class.
Click on Internet Protocol Version 4 → Properties. Specify the IP address of your machine (in my example, this is 192.168.1.30), the subnet mask (in my example 255.255.255.0), and the default gateway (in my example, this is 192.168.1.1).
Leave DNS blank for now; we will be setting up this machine as a DNS server. We could use one of our existing DNS servers here if we wanted. Test the connection.
Return to “Initial Configuration Tasks” and select “Provide computer name and domain”. Change the computer name and press “More…” to choose the primary DNS suffix for the domain. In this example, we set Computer Name = “Ephebe” with the full computer name “Ephebe.unseen.disc.tu”.
Do not change the domain / workgroup settings, and then reboot.
Our machine is not on the Internet, so there is no way for us to update the server.
DNS & Active Directory Install
Select “Add Roles” from Initial Configuration Tasks. We will install both our DNS Server and our Domain Controller on the same host. We can put these on separate hosts if we wish. If you do, then be sure the DNS is built first.
Select Active Directory Domain Services, and begin the install. I have found it simplest to install only the Active Directory Domain Services at this point, not both the DNS Server and Active Directory Domain Services.
When the install is complete, run the Active Directory Domain Services Installation Wizard (dcpromo.exe). As part of the process, be sure to install the DNS server when the option is given. Since we are starting from scratch, we select a new forest. In our example, our full host name is Ephebe.unseen.disc.tu, and our primary DNS suffix is unseen.disc.tu. With that in mind, we select unseen.disc.tu to be the FQDN of our forest root domain.
Because we are going to be doing a lot of mixing and matching in the class, we select Windows Server 2003 as our Forest functional level and our Domain functional level.
As part of the process, you will receive a warning:
Since we are working in our classroom laboratory environment, we will not need to resolve names outside our domain; thus we can accept this warning and proceed.
The locations of the various files can be kept in their default states, and you should select a solid password for Directory Services Restore Mode (certainly something better than I chose, which is, of course, “password1!”).
Go ahead and complete the install; this will require a system reboot.
Let’s add some entries of some Windows machines to our DNS Server.
Before we do so though, we need to configure the (static) IP address and name for each machine we plan to add to our server. For the IP address, this can be done through the properties tab for the network connection; to find that tab take a slightly different path depending on the version of Windows:
- In Windows XP, navigate Start → Control Panel → Network and Internet Connections → Network Connections → Local Area Connection → Properties → Internet Protocol (TCP/IP) → Properties.
- In Windows Vista, navigate Start Thing → Control Panel → Network and Internet → View network status and tasks → Network View Status → Properties → (UAC) → Internet Protocol Version 4 → Properties.
- In Windows 7, navigate Start Thing → Control Panel → Network and Internet → View network status and tasks → Local Area Connection → Properties → (UAC) → Internet Protocol Version 4 → Properties.
Once you find the properties tab, simply set the IP Address, Gateway, and DNS Server. You may also want to disable IPv6, as we will not be using it in this course.
To change the host name for our Windows machines, we again need to navigate differently depending on the version of Windows:
- In Windows XP, navigate Start → My Computer → (right-click) Properties → Computer Name → Change.
- In Windows Vista, navigate Start Thing → Computer → (right-click) Properties → Change Settings (Computer name, domain and workgroup settings) → (UAC) → Change.
- In Windows 7, navigate Start Thing → Computer → (right-click) Properties → Change Settings (Computer name, domain and workgroup settings) → (UAC) → Change.
Once you reach the Computer Name / Domain Name dialog box, be sure to change both the hostname and the suffix; you change the suffix with the “More…” button.
Changing the host name on a Windows machine will require a reboot.
Correctly configure the static IP address and host name on at least two Windows machines, including at least one Vista and one Windows 7 machine.
To add the corresponding entry to the DNS server, start by running the DNS Manager on the server. You can find this by navigating Start → Administrative Tools → DNS. The same functionality is also available in the Server Manager; just navigate through the panel on the left side Server Manager → Roles → DNS Server → DNS.
Expand the Host name (in my example, it is called Ephebe), then expand out the tree for Forward Lookup Zones, then the name of your domain (in my example, it is unseen.disc.tu) to obtain something like the following:
Right-click in the panel on the right, select “New Host (A or AAAA)…”, and provide both the hostname and the IP address selected for one of your clients.
Return to that host, and verify that it correctly can return your host name. In our example, we set up the host genua.unseen.disc.tu at 192.168.1.35, so a simple check of our nameserver at 192.168.1.30 yields:
    C:\Users\Sam Vimes>nslookup genua.unseen.disc.tu 192.168.1.30
    Server:  UnKnown
    Address:  192.168.1.30:53

    Name:    genua.unseen.disc.tu
    Address:  192.168.1.35
Note however, that the reverse lookup fails; if we ask the nameserver at 192.168.1.30 for the hostname that corresponds to the IP address 192.168.1.35, it will fail with an error:
    C:\Users\Sam Vimes>nslookup 192.168.1.35 192.168.1.30
    Server:  UnKnown
    Address:  192.168.1.30:53

    *** UnKnown can't find 192.168.1.35: Non-existent domain
The reason for this is that we have not yet specified the corresponding reverse lookup zone. Return to the server, and click on the Reverse Lookup Zones entry in the navigation panel; you will find that there are no zones present.
Right-click on Reverse Lookup Zones, and select New Zone to launch the New Zone Wizard. You want to create a primary zone, and store the zone in Active Directory. Replication can be as broad as you wish; in this example we will accept the default and replicate to all DNS servers on domain controllers in the domain. Create an IPv4 Reverse Lookup Zone for your network. We will not discuss dynamic updates for the DNS server; in fact we ignored the issue completely when we discussed BIND on Linux; feel free to accept the default and allow only secure dynamic updates.
Open up your new reverse zone; in my example it is named 1.168.192.in-addr.arpa. Right-click, select New Pointer (PTR), and add pointer records for every host you added earlier; this includes the domain controller itself.
Conveniently, once the Reverse Lookup Zone is created, you can add both the address record (A) and the pointer record (PTR) in one step. Simply check the box “Create Associated pointer (PTR) record” when you create the address in the forward lookup zone:
Once this is complete, your nslookup attempts should proceed without error:
    C:\Users\Sam Vimes>nslookup lancre
    Server:  ephebe.unseen.disc.tu
    Address:  192.168.1.30:53

    Name:    lancre.unseen.disc.tu
    Address:  192.168.1.33
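The same registration and check, scripted: this added example (not part of the course notes) adds the A and PTR records for a list of lab clients with dnscmd.exe and then verifies both lookup directions with nslookup, the way the notes do by hand. It assumes it runs as a domain admin on a host with dnscmd.exe, that the reverse zone 1.168.192.in-addr.arpa already exists, and that the host list is a constructed inventory for the lab network used in the notes.

```powershell
# Added example: register lab clients in both zones, then confirm forward and reverse lookups.
# Assumptions: run as a domain admin on the DC (dnscmd.exe present); the reverse zone exists.
$Server      = '192.168.1.30'
$ForwardZone = 'unseen.disc.tu'
$ReverseZone = '1.168.192.in-addr.arpa'

# Constructed sample inventory, matching the hosts used in the notes.
$LabHosts = @(
    @{ Name = 'genua';  IP = '192.168.1.35' },
    @{ Name = 'lancre'; IP = '192.168.1.33' }
)

function Add-LabHostRecord {
    param([string]$Name, [string]$IP)
    $fqdn    = "$Name.$ForwardZone"
    $lastOct = $IP.Split('.')[-1]      # node name inside the /24 reverse zone
    # dnscmd <server> /RecordAdd <zone> <node> <type> <data>
    & dnscmd $Server /RecordAdd $ForwardZone $Name A $IP | Out-Null
    & dnscmd $Server /RecordAdd $ReverseZone $lastOct PTR "$fqdn." | Out-Null
}

function Test-LabHostRecord {
    param([string]$Name, [string]$IP)
    $fqdn = "$Name.$ForwardZone"
    # Forward: nslookup's first "Address:" line is the server; the last one is the answer.
    $fwd   = & nslookup $fqdn $Server 2>$null
    $fwdOk = ($fwd -match '^Name:') -and
             (($fwd | Select-String '^Address:\s+(\S+)' | Select-Object -Last 1).Matches[0].Groups[1].Value -eq $IP)
    # Reverse: a missing PTR gives "can't find ... Non-existent domain" and no "Name:" line.
    $rev   = & nslookup $IP $Server 2>$null
    $revOk = ($rev | Select-String "^Name:\s+$([regex]::Escape($fqdn))") -ne $null
    [pscustomobject]@{ Host = $fqdn; IP = $IP; Forward = $fwdOk; Reverse = $revOk }
}

foreach ($h in $LabHosts) { Add-LabHostRecord -Name $h.Name -IP $h.IP }
$LabHosts | ForEach-Object { Test-LabHostRecord -Name $_.Name -IP $_.IP } | Format-Table -AutoSize
```

A host showing Forward = True and Reverse = False is exactly the state the notes describe before the reverse zone (or its PTR record) exists.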
As was the case with BIND, we need to be able to forward requests for other namespaces to the correct nameserver(s). We can do so using Conditional Forwarding. From the DNS Manager, select Conditional Forwarders in the navigation tree, then right-click and select New Conditional Forwarder.
Because we have not included the .cosc.tu namespace in our server, and because there is no root nameserver, the Windows system is unable to validate the BIND server’s FQDN; this is expected.
Set up your Windows 2008 server to correctly forward queries to your BIND server from week 2. Verify that all works as it ought by looking up an address from the BIND namespace on a Windows host that uses your Windows 2008 server as its nameserver.
    C:\Users\Sam Vimes>nslookup longwall.cosc.tu
    Server:  ephebe.unseen.disc.tu
    Address:  192.168.1.30

    Non-authoritative answer:
    Name:    longwall.cosc.tu
    Address:  192.168.1.62
Constructing a Windows domain
To add a computer to the domain, we work on the domain member, not the domain controller. The process is similar for each different type of Windows system.
For Windows XP, navigate My Computer (right-click) → Properties → Computer Name → Change → Member of. Be sure that the name of the machine agrees with the DNS entry. You need an account with privileges on the domain controller. A reboot is required.
For Windows Vista, navigate Computer (right-click) → Properties → Change Settings → (UAC) → Change → Member of. As before, be sure that the name of the machine agrees with the DNS entry; you still need an account with privileges on the domain controller, and a reboot is still required.
If the machine does not have a DNS entry, one will be created for it in Active Directory. Both the A and the PTR records will be created, provided the reverse lookup zone already exists.
Add at least two machines to your domain.
Adding Linux Machines to a Domain
There are a number of tools that can be used to join a Linux machine to a Windows domain. One of the most complete is PowerBroker® Identity Services Open Edition available from BeyondTrust.
They have .rpm installation files for CentOS / OpenSuSE / Fedora / Red Hat systems, and .deb packages for Ubuntu / Debian / Mint systems. Download and run (as root) the package appropriate for your OS; you will be presented with a dialog box like the following:
When logging into a Linux system joined to a domain, be sure to use the usual method of specifying the user name: domain\username; you may also need an escape character on the command line: domain\\username.
Add at least one Linux system to your domain. Log in to that system using an account from your domain.
Working with Active Directory
Review the default domain users and groups in your domain controller. The information & settings can be found by navigating Server Manager → Roles → Active Directory Domain Services → Active Directory Users and Computers → “DomainName” → Users
- How many users does your DC possess at boot?
- How many are active?
- How many groups does your DC possess at boot?
- How many groups have members?
- Does your initially created user belong to a different set of groups than the administrator?
Add additional users to your DC. Place them in a variety of groups. Verify that these accounts work by using them to log on to client machines.
In Active Directory, an organizational unit (OU) is a container for users, groups, and computers. OUs can be created around roles, around geography, around the structure of the company/organization, or around any other convenient set of distinctions.
Imagine that you are in charge of the IT staff for a small company, with a main office and three branch offices. Your company has a sales staff, a manufacturing staff, a research & development team, and an IT team. Construct three different potential OU hierarchies. What are the advantages and disadvantages of each?
We will use a sample OU structure in what follows. The approach selected, while reasonable, is not the only reasonable structure. Our structure is to have three top-level OUs: one for our sales staff, one for our Research group, and one for our IT Staff. Inside the sales and the research OU, we have two child OUs, one for users and one for computers (named how you wish).
To create the OUs, navigate Start → Administrative Tools → Active Directory Users and Computers. Then navigate Active Directory Users and Computers → “Domain_Name” (right click) → New → Organizational Unit.
For each OU you create, you need to specify the name. If you leave the check box “Protect container from accidental deletion” checked, well, then deleting the OU becomes a bit of a pain.
What? You created an OU with that box checked and now you want to delete it?
- Log on to an account that is a domain admin.
- Go to Active Directory Users and Computers
- Right-click on “Active Directory Users and Computers”
- Select View → Advanced Features.
- Navigate the tree (which is now larger), right-click on the OU and select properties.
- From the Security tab, select Advanced.
- The (usually first) entry is a Deny Everyone permission; remove it.
- Go back to the OU name in the Active Directory Users and Computers tree; right-click and select Delete.
- Uncheck the Advanced Features in the View sub-menu if you wish.
Put one computer into the research computers child OU, and put one computer into the sales computers child OU. [These can be the ones you created earlier and added to the domain. If so, select the computer in Active Directory Users and Computers, and from the Action menu, select Move.]
Create at least one user in each of the three user child OUs- the research user OU, the sales user OU and the IT staff user OU.
Test the result.
Note that a user / group / computer can only be in one OU.
Note that the collection of domain controllers (seen in Active Directory Users and Computers) is also an OU; its folder icon is the same as for the other OUs you have created.
Delegating and OUs
We can use groups within an OU as a way to delegate privileges. In the research users OU, create two users- a “normal” user and an “admin” user. We want to enable the “admin” user to be able to handle passwords, password resets and do simple user management, but only in the Research OU. How do we do this?
Create a group inside the Research Users OU; call it Research Admins. The group scope can remain global; the group type should be Security. Add the “admin” user to the Research Admins group inside the Research Users OU. Note that, despite the name, this is still a simple unprivileged user at this point.
To give users inside the Research Admins group some privileges, right-click on the Research OU and select Delegate Control. The Delegation of Control Wizard starts. Select the Research Admins group (select Add, and type the name). Delegate some common tasks, say “Create, delete and manage user accounts” and “Reset user passwords and force password change at next logon”.
Though the members of the Research Admins group now have these privileges, how can they be used? We did not grant these admins the right to log on to the domain controller, did we? And would that be a good thing?
What happens next depends on whether the client is Windows Vista or Windows 7.
In Vista (with SP1 or greater), We must install the Remote Server Administration Tools (KB 941314). This is available online and on the lab share. Open Control Panel, click Programs, and then click Turn Windows features on or off under Programs and Features. If you are prompted to provide permission by User Account Control, click Continue. In the Windows Features dialog box, select the remote administration snap-ins and tools that you want to install, and then click OK.
If you wish, you may configure the Start menu to display the Administration Tools shortcut. [This is done on a per-user basis- so setting this up for one user does not set it up for all users.] Right click Start, and then click Properties. On the Start Menu tab, click Customize. In the Customize Start Menu dialog box, scroll down to System Administrative Tools, and then select Display on the All Programs menu and the Start menu. Click OK. Shortcuts for snap-ins installed by RSAT are added to the Administrative Tools list on the Start menu.
Log into your Vista machine using the Research Admin user. From Administrative Tools, open Active Directory Users and Computers. From here, you are now able to, for example, enable and disable the accounts of the regular user(s) in the Research OU.
In Windows 7, the process is essentially similar, though a different software package (KB958830) is used to install the Remote Server Administration Tools.
Verify that your research admin user has the delegated properties.
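One way to verify the delegation without clicking through the Security tab is to read the OU's ACL directly. This added example (not part of the course notes) lists the access control entries the Delegation of Control Wizard wrote for the Research Admins group, decoding the few schema GUIDs those two delegated tasks produce. It assumes the ActiveDirectory module (the AD: drive) is available, the OU's distinguished name and the NetBIOS domain name shown are adjusted to your lab, and it runs as a domain admin.

```powershell
# Added example: audit what was delegated on an OU to a given group.
# Assumptions: ActiveDirectory module present (DC or RSAT); DN and domain name adjusted to your lab.
Import-Module ActiveDirectory

$OU        = 'OU=Research,DC=unseen,DC=disc,DC=tu'   # assumed DN of the Research OU
$GroupName = 'Research Admins'

# Schema object / extended-right GUIDs that the two wizard tasks used in the notes write into the ACL.
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = '(all objects / properties)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (object class)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
}

function Resolve-AdGuid {
    param([guid]$Id)
    $key = "$Id"
    if ($KnownGuids.ContainsKey($key)) { $KnownGuids[$key] } else { $key }
}

function Get-DelegatedRights {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path "AD:\$Path"
    # Only explicit (non-inherited) entries tell us what was delegated on this OU itself.
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$Group" } |
        ForEach-Object {
            [pscustomobject]@{
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                Property    = Resolve-AdGuid $_.ObjectType            # which right / attribute
                OnObjects   = Resolve-AdGuid $_.InheritedObjectType   # which object class it applies to
                Inheritance = $_.InheritanceType
            }
        }
}

Get-DelegatedRights -Path $OU -Group $GroupName | Format-Table -AutoSize
```

Seeing entries for the Research Admins group on the Research OU only, and none on the domain root or other OUs, is the check that the delegation stayed as narrow as intended.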
Group policies are used to create and enforce different policies, including security related policies. Group policies are either local to the machine, or are based on Active Directory.
To modify the local GPO for a machine, run the command gpedit.msc either from the run box or directly from the command line. To see the local GPO for a machine, let’s test it out on a Vista machine that is not connected to a domain.
- What software setting are present by default?
- Are there any startup or shutdown scripts?
- What are the default password policies?
- What are the default account policies?
- What is the default audit policy?
- What is the significance of this from the point of view of the security of your system?
- Which users can change the system time?
- Modify this setting and test it.
- Can you rename the administrator account?
- Do it. [Hmm. I guess this probably tells you the answer to the above question. Shrug.]
- How is the Windows Firewall configured?
- What information does the Network List Manager provide?
- What software restriction policies are set by default?
- Can you set disk quotas in Windows? If so, how?
Because Group Policies can be set at different levels, it is important to know the order of precedence. It is:
- Local GPOs apply first
- Site-linked GPOs apply next
- Domain-linked GPOs apply next
- OU-linked GPOs apply last.
Note also that “last writer wins”: a setting in a later-applied GPO overrides the same setting in an earlier one.
To modify domain and GPO level policies, run the Group Policy Management Tool on the domain controller (Start → Administrative Tools → Group Policy Management). Select the Default Domain Policy by following the tree: Group Policy Management → Forest (in the example this is unseen.disc.tu) → Domains → “Domain_name” (in the example this is unseen.disc.tu) → Default Domain Policy.
Note that this entry is a link to an entry in the collection of Group Policy Objects.
GPOs can be filtered via security filters and via WMI filters; we will not cover these.
What are the settings in the default domain policy?
Who can modify the default domain policy? What can others do?
Examine the default domain controller policy. Look again at the collection of Group Policy Objects.
Creating our own GPOs
As an example, let us create a GPO that disables the screen saver controls for a user. From the collection of Group Policy Objects, select “New”. Name the policy whatever you wish; in the example I will call it “ScrenSaver”. We will not use a Source Starter GPO.
Select the policy, and view the settings. Note that initially no settings have been made. Right-click in the settings window to bring up the Group Policy Management Editor. The resulting editor is very similar to the editor we saw for local policy.
At this point, we see our first differences between Windows Server 2008 and Windows 2008 Server R2, as the precise locations appear to have changed between 2008 and 2008 R2. In Server 2008 to make the change, navigate through User Configuration → Policies → Administrative Templates → Control Panel → Display. Double-click on the Hide Screen Saver tab and set it to “Enabled”.
On the other hand, in Server 2008 R2, that entry is not there. Instead, take a look at User Configuration → Policies → Administrative Templates → Control Panel → Personalization → Prevent changing screen saver. Set that value to “Enabled”.
Be sure to read the Explain tab.
Be sure to add some comments to the Comment tab; after all, we all comment our code carefully, don’t we?
Exit the Group Policy Management Editor. [No, you don’t have a “Save” button.]
From the Group Policy Management console, note that apparently no changes have been made. Right-click on the settings window and select “Refresh”; at this point the changes you have already made in the GPO will become visible.
To apply this policy to a set of users or computers, select an OU (say the research OU) and right-click; select Link an Existing GPO, then select the GPO you developed and select OK.
GPOs are pulled by the client from the server. This happens on a regular basis, but it is not immediate. The client can update their policy set manually by running the command gpupdate from either the command line or from the Run box. The client will also update their GPO settings on login, so you can refresh the set by logging off and back on.
Verify that your settings have been applied to the client- you should no longer be allowed to modify the settings for the screensaver.
GPOs can also be applied to an entire site (a collection of forests, which are collections of domains). We do not consider this further here.
Suppose that we want to have our policy apply to all elements of the domain. Create another GPO object as above; now we are going to hide the Desktop settings for users. From the Group Policy Management Editor, navigate User Configuration → Policies → Administrative Templates → Control Panel → Display → Hide Settings tab (Hide Desktop in Windows 2008 not 2008 R2).
From the Group Policy Management window, right click on the domain name, and “Link to an Existing GPO”. Test your changes by examining both the computer that was in your research OU and a computer in the sales OU. Note that gpupdate or a log in (after log out) may be required.
Notice that the changes occur regardless of the user- even if you log in as a domain admin, you will not see the Desktop settings tab.
When removing a GPO from an OU, you can either delete the GPO itself or just its link to that OU (so the GPO is preserved and can be linked to another OU, for example). To delete the link, select the GPO under the OU and delete it. To delete the GPO, go to Group Policy Objects and delete it there.
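The linking step and the precedence order above can also be handled from the GroupPolicy module on the domain controller. This added example (not part of the course notes) links the screen-saver GPO to the Research OU if it is not linked already, then prints the domain- and OU-linked GPOs that apply to that OU in the order they are applied, so the winning (last-applied) link is listed last. It assumes the GroupPolicy module (Server 2008 R2), the GPO name “ScrenSaver” from the notes, and an OU distinguished name adjusted to your lab; the local GPO and site links are not part of what Get-GPInheritance reports.

```powershell
# Added example: link a GPO to an OU and show the apply order (domain first, OU last).
# Assumptions: GroupPolicy module on the DC; GPO name from the notes; OU DN adjusted to your lab.
Import-Module GroupPolicy

$OU      = 'OU=Research,DC=unseen,DC=disc,DC=tu'   # assumed DN of the Research OU
$GpoName = 'ScrenSaver'

# Link the GPO to the OU only if no link to it exists there already.
function Set-LabGpoLink {
    param([string]$Name, [string]$Target)
    $existing = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $existing) {
        New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null
    }
}

# Get-GPInheritance lists the applying domain/OU links highest precedence first;
# reversing that list gives the order in which the client applies them.
function Get-LabApplyOrder {
    param([string]$Target)
    $links = @((Get-GPInheritance -Target $Target).InheritedGpoLinks)
    [array]::Reverse($links)
    $n = 0
    foreach ($l in $links) {
        $n++
        [pscustomobject]@{
            AppliedNo = $n
            GPO       = $l.DisplayName
            LinkedAt  = $l.Target      # domain DN or OU DN, i.e. the D or OU in LSDOU
            Enabled   = $l.Enabled
            Enforced  = $l.Enforced
        }
    }
}

Set-LabGpoLink -Name $GpoName -Target $OU
Get-LabApplyOrder -Target $OU | Format-Table -AutoSize
```

On the client, gpupdate followed by gpresult /r shows which of these GPOs were actually applied for the logged-on user.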
Adding a second domain controller
If you are starting with the lab image, CHANGE THE ADMINISTRATOR PASSWORD!
Set up a static IP address and name for the backup; use the primary DNS server for DNS. Set up the name of the new server. Join the new machine to the old domain; this will add the name information to the DNS server.
Use the Add Roles Wizard to install Active Directory Domain Services on the controller. When the wizard completes, run dcpromo.exe (e.g. from the link). Select Add a domain controller to an existing domain (from Existing forest.) Select the domain; since we have only created one domain (cs in the example) use that as the domain.
For the site, we use the default, which has the clever name “Default-First-Site-Name”.
Under additional domain controller options, be sure that both DNS server and Global catalog are checked.
Note that the setup will then tell you that an authoritative parent zone cannot be found- not surprisingly, since we are creating our own top-level domain without a parent. We do want to continue at this point…
The remaining questions can be answered in the same way we answered them for the first DC.
Take a look at the DNS settings. Note that the forward and reverse zones from the primary will have been duplicated, but not the conditional forwarders; these need to be added manually.
The settings for DNS servers on domain members are not automatically updated with the location of your new DNS server; this must be done manually on each client.
Test your new DC by shutting down the original DC; be sure that your services (AD, DNS) are still available.
When fully configured, a Windows 2008 server will be running a number of services that will listen on a wide range of ports. Fortunately, Microsoft has provided a guide to the ports used by various services running on a Windows 2008 server.
Windows 2003 Server
Windows 2003 Server, especially Windows Server 2003 R2 is still a commonly used server. However, we do not have time to cover it this week. I encourage you to experiment with it- it will make a nice surprise for the other teams during the exercises.