
Topic: Windows Server 2008

  
  1. #1
    Real name: 1234

    Retired moderator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Windows Server 2008

    Code:
    http://windowsserver.trainsignal.com/windows-server-2008-active-directory-users
    Windows Server 2008 Active Directory — Creating Users is Easy



    You probably already know that a User Account is an Active Directory Object, or simply said, a record in an AD database.
    Most of the time we create user accounts for people, however user accounts can also be created for applications or processes.
    User accounts allow a person to access resources on a network. But we can just as easily deny access to certain resources on the network through the user account. That’s why User Account Objects are quite important and very useful.
    Today I’ll show you how easy it is to create a new user account, create a user template and how to use a template — all on your brand new Windows Server 2008!
    Next week we’ll discuss User Groups and Organizational Units. Now, let’s get started with creating a user account.

    Creating a New User Account

    1. To start let’s go ahead and open up Server Manager

    2. Then we will open up the Roles section — next to Active Directory Users and Computers section and finally the Active Directory Users and Computers.
    You should now see your domain name.

    3. We are going to click on our Users section where we are going to create a new User Account. To do so, right-click on the blank section, point to New and select User.

    4. In this window you need to type in the user’s first name, middle initial and last name. Next you will need to create a user’s logon name.
    In our example we are going to create a user account for Billy Miles and his logon name will be bmiles. When done, click on the Next button.

    5. In the next window you will need to create a password for your new user and select appropriate options.
    In our example we are going to have the user change his password at his next logon. You can also prevent a user from changing his password, set the password so that it will never expire or completely disable the account.
    When you are done making your selections, click the Next button.

    6. And finally, click on the Finish button to complete the creation of new User Account.

    Creating a User Template

    A user template in Active Directory will make your life a little easier, especially if you are creating users for a specific department, with exact same properties, and membership to the same user groups.
    A user template is nothing more than a disabled user account that has all these settings already in place. The only thing you are doing is copying this account, adding a new name and a password.
    You may have multiple user templates for multiple purposes with different settings and properties. There is no limit on the number of user templates, but keep in mind that they are there to help you, not to confuse you, so less is better.
    To create a user template, we are going to create a regular user account just like we did above. A little note here, you may want to add an * as the first character of the name so it floats at the top in AD and is much easier to find.
    1. To start out, right-click on the empty space, point to new, and select User.

    2. Type in the user’s name (with asterisks if so desired) and click Next.

    3. Create the template’s password and do not forget to check the box next to the Account is disabled option. When ready, click Next.

    4. Once the account is created, you can go ahead and add all the properties you need for that template. To do so, double-click on that account and navigate to a specific tab. Once done click OK.

    Using a Template

    1. Now in order to use that user template, we are going to select it, copy it and add the unique information such as user name, password, etc.
    We can do that for as many users as needed. Let’s start by right-clicking on the template and selecting Copy.

    2. Next we are going to enter the user’s name, login and password information while making sure the checkbox next to Account is disabled is unchecked.


    3. Once we finish, our new user account is created with all the properties of the template account. Now wasn’t that easy?





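The same three tasks from the post above (a plain user, a disabled template, a copy made from the template), done from PowerShell instead of Active Directory Users and Computers, with the one check the post implies but never shows: a template must stay disabled. This is an added example, not code from the TrainSignal article. It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or later, or RSAT with the AD DS tools; a plain Server 2008 domain controller would need dsadd/dsmod instead), and the OU path, UPN suffix and the `Sales` group are made-up names.

```powershell
# Added example, not code from the TrainSignal article.
# ASSUMPTIONS: ActiveDirectory module present (Server 2008 R2+ or RSAT); OU path,
# UPN suffix and the 'Sales' group are made up. Names bmiles / Billy Miles are the article's.
Import-Module ActiveDirectory

$ouPath    = 'OU=Sales,DC=globomantics,DC=com'   # assumed
$upnSuffix = 'globomantics.com'                  # assumed

# Prompt for passwords instead of writing them into the script or the console history.
function Read-InitialPassword {
    Read-Host -Prompt 'Initial password' -AsSecureString
}

# --- Creating a New User Account (steps 1-6): Billy Miles, logon name bmiles,
#     user must change password at next logon.
New-ADUser -Name 'Billy Miles' -GivenName 'Billy' -Surname 'Miles' `
    -SamAccountName 'bmiles' -UserPrincipalName "bmiles@$upnSuffix" -Path $ouPath `
    -AccountPassword (Read-InitialPassword) -ChangePasswordAtLogon $true -Enabled $true

# --- Creating a User Template: an ordinary account, left DISABLED, carrying the shared
#     attributes and group membership. The leading '*' sorts it to the top of ADUC.
New-ADUser -Name '*Sales Template' -SamAccountName 'tpl.sales' -Path $ouPath `
    -Department 'Sales' -Company 'Globomantics' -Enabled $false
Add-ADGroupMember -Identity 'Sales' -Members 'tpl.sales'      # 'Sales' group assumed to exist

# --- Using a Template: -Instance copies the attributes stored on the template object.
#     Group membership lives on the group objects, not the user, so it is copied separately.
function New-ADUserFromTemplate {
    param(
        [Parameter(Mandatory=$true)][string]$TemplateSam,
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$Sam,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    $tpl = Get-ADUser -Identity $TemplateSam -Properties Department, Company, Title, Office, MemberOf
    if ($tpl.Enabled) { throw "Template $TemplateSam is enabled; disable it before cloning from it." }
    New-ADUser -Name $Name -SamAccountName $Sam -UserPrincipalName "$Sam@$upnSuffix" -Path $ouPath `
        -Instance $tpl -AccountPassword $Password -ChangePasswordAtLogon $true -Enabled $true
    foreach ($groupDn in $tpl.MemberOf) { Add-ADGroupMember -Identity $groupDn -Members $Sam }
}
New-ADUserFromTemplate -TemplateSam 'tpl.sales' -Name 'Jane Doe' -Sam 'jdoe' -Password (Read-InitialPassword)

# --- Check worth scheduling: an enabled template is a logon-capable account whose password
#     several admins know. LDAP escapes a literal '*' as \2a, so this matches names that
#     START with an asterisk, the convention the article suggests for templates.
function Get-EnabledTemplateAccounts {
    Get-ADUser -LDAPFilter '(&(objectClass=user)(name=\2a*))' -Properties Enabled |
        Where-Object { $_.Enabled }
}
Get-EnabledTemplateAccounts | Select-Object Name, SamAccountName, DistinguishedName
```

`New-ADUser -Instance` only copies attributes that were actually loaded with `-Properties`, so list the ones the template is meant to carry; the `Enabled` state is not taken from the template, which is why the new account must be enabled explicitly.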

  2. #2
    Real name: 1234

    Retired moderator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Server 2008 Active Directory User Groups — the Easy Way

    Code:
    http://windowsserver.trainsignal.com/windows-server-2008-active-directory-user-groups
    User Groups and Organizational Units are two great ways of keeping your Active Directory organized and controlled.
    Last week I showed you how to create user accounts and user templates. So today, I’m going to show you how to put all of these users into a group.
    Why would we want to do that? Well, let’s say for example that we have this one shared folder on our network that we want only our Sales Department to have access to.
    Without groups in your Active Directory, you would have to go to each individual Sales Department user account and give that account access to that shared folder. That can take quite some time if you have, let’s say … 200 users in your Sales Department.
    Instead, what we are going to do is, take all the Sales Department user accounts and put them in a Sales User Group. Now when I want to give access to all of my Sales Users to that shared folder, I just give the entire Sales Group access to it and voila! All Sales Users now have access to our shared folder!
    That’s just so much easier, isn’t it? You can then take the Sales User Group and put it in a Sales Organizational Unit.

    An Organizational Unit is really just a folder for organizational purposes, to keep your Active Directory nice and clean. You can add different groups, computers and other resources to an Organizational Unit.
    Enough talk, let me show you how you can accomplish all of this in your Windows Server 2008 Active Directory.
    Creating an Organizational Unit

    1. Start by opening up your Server Manager, then expand the Roles section.

    2. Next expand the Active Directory Domain Services section and click on Active Directory Users and Computers.

    3. At this point you should be able to see your domain. In our example we are using the Globomantics domain. Go ahead and expand your domain.

    4. Now we need to create an Organizational Unit for a group to live in. In our example we are going to create an OU for our Ops Team.
    To create a new Organizational Unit, right-click on your domain name, point to the New option and then select Organizational Unit.

    5. Type in the name of your OU and make sure that the box is checked next to Protect container from accidental deletion. When done, click OK.

    6. We now have a new Organizational Unit in our Active Directory called OpsOU.

    Creating a New Group

    1. After you create an Organizational Unit in your Active Directory, you are ready to create your first group. Go ahead and select your OU and then right-click in the blank area.

    2. Next, point to New and then select Group.

    3. The next step is to name your Group, select the scope and then select the type.
    In this example we are going to name our group OpsUsers. We are also going to leave the default selections for group scope, which is Global, and group type, which is Security. When you are ready, click OK.

    4. Our new group has been created!

    Moving Accounts Into a Group

    1. In order to move pre-existing accounts into a group, you need to hold down the Control key and click on all the User or Computer accounts that you want to move into that group.

    2. Then you need to right-click on any one of those accounts and select Add to a group.

    3. Next, you need to type in the group name and let the machine find it.
    In our example, I will type in OpsUsers and then click on the Check names button. Once the name is verified and group name is found, the text will become underlined and you can click the OK button. Since we know our group exists, we are going to click OK without verification.

    4. Now all of these accounts are part of our OpsUsers group.

    Note: Another way of accomplishing this would be to click on an account, hold it, then drag and drop it into a particular group. Depending on how much you like to use your mouse and how much time you have, this may or may not be your preferred way of accomplishing this task.
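The OU, the group and the bulk membership add from the post above, scripted with the ActiveDirectory module, followed by the step the post uses as its motivation: granting the group (not each user) access to a shared folder. Added example, not the article's code. It assumes the module is available (Server 2008 R2 or later, or RSAT); the domain DN, NetBIOS name, member accounts and folder path are made up, while the OU and group names (OpsOU, OpsUsers) are the post's.

```powershell
# Added example, not from the TrainSignal article.
# ASSUMPTIONS: ActiveDirectory module present; domain DN, NetBIOS name, member accounts
# and the folder path are made up. OU/group names come from the article.
Import-Module ActiveDirectory

$domainDN  = 'DC=globomantics,DC=com'
$netbios   = 'GLOBOMANTICS'
$ouName    = 'OpsOU'
$groupName = 'OpsUsers'
$ouDN      = "OU=$ouName,$domainDN"
$members   = @('bmiles', 'jdoe', 'asmith')       # the accounts you would Ctrl-click in ADUC (assumed)

# Steps 4-6: the OU, with "Protect container from accidental deletion" set.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# The group: Global scope, Security type (the wizard defaults), created inside the OU.
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}

# "Moving Accounts Into a Group": one call takes the whole list, 3 users or 200.
Add-ADGroupMember -Identity $groupName -Members $members

# The payoff from the Sales-folder scenario: one ACE for the group instead of one per user.
function Grant-FolderReadToGroup {
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Account, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-FolderReadToGroup -Path 'D:\Shares\OpsDocs' -Account "$netbios\$groupName"   # path assumed

# Checks: the OU really is protected, and no disabled account rides along in the group
# (a disabled member silently gains the folder the day someone re-enables it).
Get-ADOrganizationalUnit -Identity $ouDN -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, ProtectedFromAccidentalDeletion
Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled |
    Select-Object SamAccountName, Enabled
```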




  3. #3
    Real name: 1234

    Retired moderator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Installing Software Using GPOs on Windows Server 2008

    Code:
    http://windowsserver.trainsignal.com/installing-software-using-gpos-on-windows-server-2008

    Imagine for a minute that your boss came in one day, gave you a Foxit DVD and said that everyone in your organization needs to get that PDF software that’s on this DVD installed today.
    You think, well that’s great but are you sure you want all 500 people to get the software today?
    That’s almost impossible, isn’t it? There isn’t enough time for you to walk around with the DVD and install it 500 times.
    Sure there is! But you won’t be walking around with the DVD in your hand, that’s for sure.
    The solution I’m going to show you today is quite simple, and much less time consuming.
    You are going to copy that software on a Shared Folder on your network. Then, you’re going to create a Group Policy Object, aka GPO, (aren’t you happy you installed Active Directory?) that will take that software and install it on everyone’s machines.
    Easy, huh? Of course it is and it is not going to take you days, I promise.

    What You Need Before Installing Software Using GPOs

    There are 3 things you will need in order to have a successful Software Installation GPO:
    1. The most important thing you will need is a Microsoft installer file, called .msi — you cannot use the .exe file that is on the DVD.
    You will need to get a packaging utility to turn that .exe file into .msi file. Many of them are available for instant download from internet.
    There are a few that will cost money but there are also free downloads. Here is an example from each:


    2. The second thing you will need to create is a Shared Folder on your network for the software to live in. You need to make sure that every computer has at least "read" access to that folder and its contents.
    3. And the last thing you will need is the new Group Policy Object linked to the appropriate Organizational Unit.
    How to Install Software Using GPOs

    Assuming that you already have the .msi file ready, let’s start with creating a shared folder on our network.
    1. Browse to the location on your network, right-click and select New, then Folder.

    2. Name the folder — in this example we are going to call it "Software".
    3. Select that folder and then click on the Share button on the menu toolbar.

    4. Like I mentioned above, every machine needs to have at least read access to this folder. To do this, type in Everyone and hit enter, or click on the Add button.

    5. Make sure the Permission Level says Reader and then click the Share button.

    6. Remember or write down the location of this shared folder. In our example the location is \\NY-MEM1-2K8\Software

    7. Double click on the Shared Folder you just created and once again perform the steps to create a new folder.
    This time name the folder with a name specific to the software you are about to install. We are going to call it "Foxit".

    8. Double click on the new folder ("Foxit") and copy and paste the .msi file for the software you want to install. Our .msi is called FoxitReader23.

    9. Now it is time to switch to your domain controller.
    We are going to switch to our DC1 server. Once there, go ahead and open up Server Manager.

    10. Now you need to point to the Organizational Unit where the new Group Policy Object will reside.
    To start off, go ahead and expand Features, then Group Policy Management, and then your Forest. In our example it is the Globomantics.com forest.
    11. Then expand Domains and then the domain in which you want to create the GPO.
    12. Once you are in the correct domain, expand the Organizational Unit. In our example, we are expanding NewYorkOU.
    13. Since we want the software to be installed on every single computer, we are going to create the Group Policy Object in our NYComputers Organizational Unit.
    Go ahead and click on that OU.

    14. To create a new GPO, right-click on the appropriate Organizational Unit and select Create a GPO in this domain, and Link it here…

    15. Name your new GPO and hit OK.

    16. To make sure the new GPO was created, go ahead and expand the Group Policy Objects.
    You should see your GPO listed there. That GPO is now being linked to our NYComputers OU.

    17. Select and then right-click on the GPO under the Organizational Unit. Then select Edit.

    18. That should open a Group Policy Management Editor.
    19. Go ahead and expand Computer Configuration, then Policies, and then Software Settings.
    20. Next click on and select Software Installation.

    21. Right click on the right side of the Software Installation, select New and then click on Package.

    22. Browse to the location where your software .msi file exists.
    In our example it is NY-MEM1-2K8 → Software → Foxit. Once you have located it, double click on the file or select it and then click on the Open button.

    23. Select Assigned and click OK.

    Testing

    Before you actually go and test this on one of your client machines, do not forget to run a GPO Update. To do so, open up your command prompt on your Domain Controller and type in gpupdate /force.


    Once the update ran through you can go to one of your clients and restart the machine. Keep in mind that in order for the software to be installed on a computer, you will need to do a hard reboot.
    Now go ahead and relax for the rest of your day.
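The share and GPO from the post above, scripted, plus the two checks a practitioner wants before assigning an .msi to every computer in an OU: an assigned package is installed by each client as SYSTEM at startup, so whoever can modify the .msi or its folder can run code as SYSTEM on every machine the GPO reaches, and an unsigned or tampered package cannot be told from a genuine one. The share permission in steps 4-5 says Reader, but NTFS decides what is really writable, and a folder created directly under C:\ inherits create rights for Authenticated Users. Added example, not the article's code. It assumes local path C:\Software, NetBIOS domain GLOBOMANTICS, the OU's full DN and the GPO name (all made up); the GroupPolicy module needs Server 2008 R2 or RSAT (plain Server 2008 has GPMC only). The Software Installation package itself (steps 17-23) has no cmdlet and stays in the GPMC editor. gpupdate refreshes policy on the machine where it runs; the package installs on the client at its next startup.

```powershell
# Added example, not from the TrainSignal article.
# ASSUMPTIONS: C:\Software, domain GLOBOMANTICS, the OU DN and the GPO name are made up;
# GroupPolicy module requires Server 2008 R2 / RSAT. Share, folder and .msi names are the article's.

$folder    = 'C:\Software'
$shareName = 'Software'
$msi       = Join-Path $folder 'Foxit\FoxitReader23.msi'
$ouDN      = 'OU=NYComputers,OU=NewYorkOU,DC=Globomantics,DC=com'
$gpoName   = 'Install Foxit Reader'

# Steps 1-5: folder plus share, Everyone read-only. net share exists on 2008 (New-SmbShare is 2012+).
New-Item -Path (Split-Path $msi) -ItemType Directory -Force | Out-Null
net share "$shareName=$folder" /GRANT:Everyone,READ | Out-Null

# Check 1: any Allow ACE that lets a non-admin identity write, delete, re-ACL or take ownership.
function Get-NonAdminWriteAccess {
    param([string]$Path,
          [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'GLOBOMANTICS\Domain Admins'))
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeBits = $fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership -bor $fsr::DeleteSubdirectoriesAndFiles
    $generic   = 0x10000000 -bor 0x40000000   # GENERIC_ALL / GENERIC_WRITE: Get-Acl shows these as raw numbers on inherit-only ACEs
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        $canWrite = (($rights -band [int]$writeBits) -ne 0) -or (($rights -band $generic) -ne 0)
        if ($canWrite -and ($Trusted -notcontains $ace.IdentityReference.Value)) {
            New-Object PSObject -Property @{
                Path = $Path; Identity = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

# Check 2: MSI files carry Authenticode signatures; refuse to deploy one that is not Valid.
function Assert-SignedMsi {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "$Path : Authenticode status is $($sig.Status); do not assign this package" }
    "$Path is signed by $($sig.SignerCertificate.Subject)"
}

# Steps 14-16: create the GPO and link it to the computers OU.
Import-Module GroupPolicy
$gpo = New-GPO -Name $gpoName -Comment 'Assigned installation of Foxit Reader (NY computers)'
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null
# Steps 17-23 (the Software Installation package) have no cmdlet: add the package in GPMC,
# and use the UNC path (\\NY-MEM1-2K8\Software\Foxit\FoxitReader23.msi), never the local path.

# Run the checks on the folder and on the file, then confirm the link.
Get-NonAdminWriteAccess -Path $folder
Get-NonAdminWriteAccess -Path $msi
Assert-SignedMsi -Path $msi
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

If `Get-NonAdminWriteAccess` returns anything for the Software folder, fix the NTFS ACL (break inheritance, leave Read & execute for Domain Computers or Authenticated Users, Modify only for the administrators who maintain the packages) before the GPO is linked, not after.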




  4. #4
    Real name: 1234

    Retired moderator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Windows Server 2008 as a LAN Router Running RIP

    Code:
    http://windowsserver.trainsignal.com/windows-server-2008-as-a-lan-router-running-rip
    If you’re designing a virtual test or evaluation network and want to get into complicated network scenarios you will eventually need to segment out your virtual network.
    To do that you need something functioning as a router; since these may be virtual machines, you can’t just plug in a hardware solution.
    This will allow you to mimic a much larger network and teach you how things might be done in a mid to enterprise sized environment.
    For this walkthrough I will show you how to turn a Server 2008 box with two network interfaces into a router.
    Install Routing on Windows Server 2008

    I am going to be running this demo on a cleanly installed Windows Server 2008 virtual machine that is configured with two network interfaces both set to "Local Only" in Virtual PC 2007.
    It currently holds no role information and will only function as a router. We will also configure RIP routing protocol so it can talk to other routers on the network.

    1. Start Server Manager.
    2. Click on Roles, and then click on Add Roles.

    3. Since this is a clean install we get a Before You Begin warning page telling us that if we’re going to install a role on a server to make sure it is secure. If you get this page, just click Next.
    4. On the Select Server Roles page go ahead and place a check next to Network Policy and Access Services. Click Next after you’re done.

    5. The next page gives you an overview of the Network Policy and Access Services and everything that you can do with it. Read through the various options and click Next.

    6. The Select Role Services page now comes up and we are going to go ahead and place a check next to Routing & Remote Access Services.
    Note that you cannot just click on Routing because it is dependent on the Remote Access Service also being installed; then click Next.

    7. You are now asked to confirm your installation selections, review everything and then click on Install.

    8. After a few minutes you should see an Installation Results page and the outcome hopefully is Installation Succeeded, review any messages and then click Close.

    9. Now in Server Manager you can see in roles that Network Policy and Access Services is now installed, but it is in a down state because no devices are associated to the service.


    Go ahead and close out Server Manager as that now concludes the install of the Router service on the Windows Server 2008.
    Configure Routing on Windows Server 2008

    Ok let’s go ahead and get routing enabled and configured by associating some of our network adapters with the service.
    1. Click on Start, Administrative Tools, Routing and Remote Access

    2. When the Routing and Remote Access MMC starts you will notice that the server has a red down arrow showing that it is currently offline.
    Right click on the server and select configure and Enable Routing and Remote access.

    3. The Routing and Remote Access Server Setup Wizard will now come up, go ahead and click Next to get started.

    4. There are quite a few default options for this service that include:

    • Remote Access
    • Network Address Translation (NAT)
    • Virtual Private Network (VPN) & NAT
    • Secure Connection Between Two Private Networks
    • Custom Configuration

    We are going to choose Custom Configuration and click Next.

    5. In the Custom Configuration screen you can choose several services, but for this demo go ahead and place a check next to LAN routing and then click Next.

    6. Again you will see a summary of your selections and you can go ahead and click on Finish.

    7. Next a pop-up window will tell you that Routing & Remote Access service is now ready to use, and you can click on Start service to start it.

    8. After a few seconds the service will start and the wizard will close. You can see in the Routing and Remote Access MMC that the server now has a green up arrow which shows that it is in an enabled state and functioning.
    If you expand out the IPv4 folder and left click on General you will see the network interfaces listed in the right pane. Now right click on General and select New Routing Protocol.

    9. The New Routing Protocol window will contain 4 available protocols:
    DHCP Relay Agent
    IGMP Router and Proxy
    NAT
    RIP Version 2 for Internet Protocol
    For this demo we are going to choose RIP Version 2 for Internet Protocol, though if you wanted the router to pass DHCP information you would also want to enable DHCP Relay Agent, but for this demo it is not necessary.
    Make your selections and click OK.

    10. You should now see the RIP protocol under the IPv4 folder in your Routing and Remote Access MMC.
    If you select it, you will find no information on it, because we need to enable the network interfaces we want this to work on. Go ahead and right click on RIP, then select New Interface.

    11. You can now add either interface, but not both as you can only approve one interface at a time. For this demo we are going to be working on Local Area Connection, select it and then click Ok.

    12. The RIP properties window now comes up to be configured.
    There are many different options you can configure in this window, but unless you are using other types of routers in your network with RIP you can just leave the defaults in place. Go ahead and click Ok.

    13. Go ahead and repeat steps 11 and 12 for Local Area Connection 2, and then you should see both interfaces under RIP in the Routing and Remote Interface MMC.

    You have now configured the Windows Server 2008 virtual machine to function as a router between its two network cards.
    As I mentioned this can help you setup a segmented network that will allow you to emulate a corporate environment for testing and learning.
    While this article focused on setting it up for a virtual environment, it would also work the same way if you configured this on a physical server.
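Read-only checks for the router built in the post above, as an added example (not the article's code): it confirms that the Routing and Remote Access service is running and that the box is actually forwarding between its two NICs, then lists the routing table with each route's origin so the routes RIP learned stand out. The RIP defaults accepted in step 12 mean no authentication, so any host on either segment can announce routes to this router; a default route or a prefix you do not own arriving via RIP is worth a look. The expected far-side prefix is an assumed value. Nothing here changes configuration.

```powershell
# Added example, not from the TrainSignal article. Run on the Server 2008 router; read-only.
# ASSUMPTION: the far segment's prefix given to Get-SuspiciousRipRoutes below is made up.

function Get-RouterState {
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
    # RRAS sets IPEnableRouter=1 when LAN routing is enabled; 0 means no forwarding between NICs.
    $forwarding = ($tcp -ne $null) -and ($tcp.IPEnableRouter -eq 1)
    $status     = if ($svc) { [string]$svc.Status } else { 'not installed' }
    New-Object PSObject -Property @{ RemoteAccessService = $status; IPForwarding = $forwarding }
}

# Win32_IP4RouteTable.Protocol carries the RFC 1354 ipRouteProto values.
$protocolNames = @{ 1 = 'other'; 2 = 'local'; 3 = 'netmgmt'; 4 = 'icmp'; 8 = 'rip'; 13 = 'ospf'; 14 = 'bgp' }

function Get-RouteTable {
    $ifNames = @{}
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $ifNames[[int]$_.InterfaceIndex] = $_.Description }
    Get-WmiObject -Class Win32_IP4RouteTable | ForEach-Object {
        $proto  = [int]$_.Protocol
        $origin = if ($protocolNames.ContainsKey($proto)) { $protocolNames[$proto] } else { "proto$proto" }
        New-Object PSObject -Property @{
            Destination = $_.Destination
            Mask        = $_.Mask
            NextHop     = $_.NextHop
            Interface   = $ifNames[[int]$_.InterfaceIndex]
            Metric      = $_.Metric1
            Origin      = $origin
        }
    }
}

# Unauthenticated RIP (the step-12 defaults) accepts advertisements from anyone on the segment.
function Get-SuspiciousRipRoutes {
    param([string[]]$ExpectedPrefixes)
    Get-RouteTable | Where-Object { $_.Origin -eq 'rip' } | ForEach-Object {
        if ($_.Destination -eq '0.0.0.0') {
            "default route learned via RIP from $($_.NextHop)"
        } elseif ($ExpectedPrefixes -notcontains $_.Destination) {
            "unexpected RIP route $($_.Destination)/$($_.Mask) via $($_.NextHop)"
        }
    }
}

Get-RouterState
Get-RouteTable | Sort-Object Origin, Destination |
    Format-Table Destination, Mask, NextHop, Interface, Metric, Origin -AutoSize
Get-SuspiciousRipRoutes -ExpectedPrefixes @('10.0.2.0')   # assumed: the subnet behind the other router
```

Compare the `Origin` column with `route print` on the same box: RIP-learned entries are the ones that disappear when the peer router stops announcing, and in the RRAS snap-in the RIP interface properties expose simple-password authentication and neighbor lists if you want to restrict who may announce.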




  5. #5
    Real name: 1234

    Retired moderator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Install DHCP Role on Windows Server 2008

    Code:
    http://windowsserver.trainsignal.com/install-dhcp-role-on-windows-server-2008
    Chances are that if you have used a computer on a network you have used DHCP technology.
    DHCP stands for Dynamic Host Configuration Protocol, and its main purpose in life is to give your computer an IP address so it can send and receive data on the network.
    In the old days of computing your computers would have to be assigned IP addresses when they were setup, and the job of keeping all these IP addresses in order usually fell to a network administrator.
    I can vividly remember starting a new position at a large company and having the outgoing administrator show me the spreadsheets that had all the IP addresses for the plant, along with a notepad with changes that had not been input yet. I tell you that I implemented DHCP within 2 months, because there was no way I was dealing with that headache.
    This of course was back in the days of NT 4.0, but surprisingly DHCP hasn’t changed that much since back then. If you have installed DHCP before on a Windows platform, you won’t see too much of a difference on Server 2008, with the exception of adding support for IPv6.

    How DHCP Works

    Let’s talk a minute about the basic workings of how DHCP works. The DHCP server sits and waits for a client computer to turn on and need an IP. It does this through a very basic 4 step process which I will explain below.
    1. Discovery — When a computer is setup to use DHCP and is attached to the network it sends out a broadcast called DHCPDISCOVER looking for a DHCP server. Alternatively, it will request the last IP used by its DHCP client.

    2. Offer — The DHCP server will respond with a lease offer that is called DHCPOFFER and includes the lease duration, IP address, subnet mask, client’s MAC address, and IP address of the DHCP server.

    3. Request — Once the client computer receives the offer and accepts it, it then sends out a broadcast called DHCPREQUEST that contains the IP address of the DHCP server that issued the accepted client IP. This tells other DHCP servers that their offer, if any, was refused, and keeps the IPs free for others.

    4. Acknowledgement — The DHCP server then sends out a DHCPACK packet to the client that includes lease duration and any other configuration information needed by the client. At this point the IP configuration process is done and the client configures its network interface.
    It is important to note that the majority of these messages are broadcasts which means that your routers must be configured to pass these on if the DHCP server is not on the same subnet as the client.
    There are other options to get around this limitation, but really, if your router is that old, you are better off upgrading anyway.
    Windows Server 2008 DHCP Install Environment

    For this demo I am going to assume we have the following already setup:

    • Windows Server 2008 Installed
    • Active Directory Domain Services Installed
    • DNS Server Installed
    • Static IP on DHCP Server

    The domain for this demo is named tstdemo.com and the server we are installing DHCP on is a domain controller. I normally wouldn’t recommend this, but since I am using a Virtual PC to show this demo, I am going to only have one server to use.
    Install DHCP Role on Server 2008

    Ok, now that we have discussed what DHCP is and how it does its magic, let’s go ahead and install the DHCP role.
    1. Open Server Manager
    2. In the left pane click on Roles and in the center pane click on Add Roles

    3. You might get a Before You Begin page next if it hasn’t been disabled before this. It just generally warns you that if you are going to install a role on this server to make sure that it has a strong password, has the latest updates loaded, and has a static IP.
    You can place a check mark next to Skip this page by default, if you don’t want to see this warning again or leave it blank and click Next.

    4. On the Select Server Roles page go ahead and place a check next to DHCP Server in the list, then you can click Next.

    5. The next screen discusses what a DHCP Server does, which we already covered but feel free to read through it again. Once you are done go ahead and click on Next.

    6. For the Select Network Connection Bindings page, the wizard will list out the network adapters you have available to bind the server to for servicing clients.
    In our case we only have one adapter so it is an easy choice. Select the adapters you are working with and click Next.

    7. On the Specify IPv4 DNS Server Settings screen you will fill in the name of the parent domain, and at least one preferred DNS server.
    Please note that the DNS server is a Mandatory fill to continue. If you have this information setup on the server already, it will use what you have in the network and Active Directory Domain Services information to pre-fill the fields.
    Either confirm or input your own information and click Next.

    8. The next screen asks you to specify your WINS server. If you don’t know what WINS is and your network doesn’t need it, consider yourself lucky!
    Some legacy applications still need it though, and while I won’t get into an explanation of what it does, you should find out if you are using it before proceeding.
    Either select WINS is not required for applications on this network, if you’re not using it, or input the WINS Server IPs if you are. Either way click on Next when you are finished.

    9. The next window will allow you to add scopes to your DHCP server. Scopes are the range of IP’s that are handed out to the client computers.
    I am going to choose NOT to add a scope at this time, because I will go in-depth on that subject in my next article. At this time just click on Next.

    10. Now we come to a new screen for Windows DHCP servers and it asks about configuring IPv6 Stateless Mode.
    I will go into this subject at a later time, so for this install I am going to leave Enable DHCPv6 stateless mode for this server selected and click on Next.

    11. The next screen will ask for the IPv6 DNS Server Settings, much like the IPv4 screen I am going to use the default for Parent Domain and then type ::1 for the DNS IPv6 address which is the equivalent of localhost. Click Next when done.

    12. The next step is to authorize the DHCP server in Active Directory. This is done to keep rogue DHCP servers from being put on the network to service clients.
    In this window you will either choose to use the currently logged in users credentials or you can use alternate ones. You can also skip this step and authorize later.
    I am going to go ahead and authorize the server, since I didn’t give it any scopes I am not worried about it handing out IPs before I am ready. Make your choice and click Next.

    13. The last screen provides a summary of all your selections. Review your choices and then click Install to start. Please note the information message that a server reboot might be needed.

    14. The installation results screen will show the status of the install, if everything went well you should see Installation Succeeded. Click on Close.

    There you have it, you have now installed the DHCP role on a Windows Server 2008 machine.
    In my next article we will go in depth on configuring a scope and other options for the client on the DHCP server.
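Step 2 of the four-step exchange described above (the DHCPOFFER) decoded byte by byte, and the offering server compared against the list of servers authorized in Active Directory, which is what the authorization in step 12 exists to enforce against rogue servers. This is an added example, not the article's code. The two offers are constructed byte strings built in the script itself, not captured traffic; every address in them is made up, apart from the client MAC, which is the XP client from the follow-up post. The authorized-server list is an assumption; on a real domain controller, `netsh dhcp show server` prints the servers authorized in AD.

```powershell
# Added example, not from the TrainSignal article. Offers below are CONSTRUCTED, not captured.
# ASSUMPTIONS: addresses, xid and the authorized-server list are made up.

function New-DhcpOfferPacket {
    # Minimal RFC 2131 BOOTREPLY carrying the fields the article lists for an OFFER.
    param([string]$OfferedIP, [string]$ServerId, [string]$Router, [string]$Dns, [uint32]$LeaseSeconds)
    $p = New-Object byte[] 240
    $p[0] = 2; $p[1] = 1; $p[2] = 6                                            # op=BOOTREPLY, htype=Ethernet, hlen=6
    [Array]::Copy([byte[]](0x39, 0x03, 0xF3, 0x26), 0, $p, 4, 4)               # xid (made up)
    $p[10] = 0x80                                                               # flags: broadcast bit
    [Array]::Copy(([ipaddress]$OfferedIP).GetAddressBytes(), 0, $p, 16, 4)     # yiaddr: the offered address
    [Array]::Copy([byte[]](0x00, 0x03, 0xFF, 0x2F, 0x95, 0x0C), 0, $p, 28, 6)  # chaddr: client MAC
    [Array]::Copy([byte[]](0x63, 0x82, 0x53, 0x63), 0, $p, 236, 4)             # magic cookie
    $lease = [BitConverter]::GetBytes($LeaseSeconds); [Array]::Reverse($lease)  # option values are big-endian
    $opts  = @(53, 1, 2) + @(54, 4) + ([ipaddress]$ServerId).GetAddressBytes() +
             @(51, 4) + $lease + @(1, 4, 255, 255, 255, 0) +
             @(3, 4) + ([ipaddress]$Router).GetAddressBytes() +
             @(6, 4) + ([ipaddress]$Dns).GetAddressBytes() + @(255)
    return [byte[]]($p + $opts)
}

function Read-DhcpMessage {
    param([Parameter(Mandatory=$true)][byte[]]$Packet)
    if ($Packet.Length -lt 240) { throw 'Too short for a DHCP message' }
    $c = $Packet[236..239]
    if (-not ($c[0] -eq 0x63 -and $c[1] -eq 0x82 -and $c[2] -eq 0x53 -and $c[3] -eq 0x63)) { throw 'No DHCP magic cookie' }
    $msg = @{
        Op        = [int]$Packet[0]                                    # 2 = reply from a server
        OfferedIP = $Packet[16..19] -join '.'
        ClientMAC = ($Packet[28..33] | ForEach-Object { '{0:X2}' -f $_ }) -join '-'
        Options   = @{}
    }
    $i = 240
    while ($i -lt $Packet.Length) {                                    # options are code, length, value
        $code = [int]$Packet[$i]
        if ($code -eq 255) { break }                                   # End
        if ($code -eq 0)   { $i++; continue }                          # Pad carries no length byte
        if ($i + 1 -ge $Packet.Length) { throw 'Truncated option header' }
        $len = [int]$Packet[$i + 1]
        if ($i + 2 + $len -gt $Packet.Length) { throw "Option $code runs past the end of the packet" }
        $msg.Options[$code] = if ($len -gt 0) { [byte[]]@($Packet[($i + 2)..($i + 1 + $len)]) } else { [byte[]]@() }
        $i += 2 + $len
    }
    return $msg
}

function Get-DhcpOfferSummary {
    param([hashtable]$Msg)
    $o  = $Msg.Options
    $ip = { param($code) if ($o.ContainsKey($code) -and $o[$code].Length -ge 4) { $o[$code][0..3] -join '.' } }
    $types = @{ 1 = 'DISCOVER'; 2 = 'OFFER'; 3 = 'REQUEST'; 5 = 'ACK'; 6 = 'NAK' }
    $lease = $null
    if ($o.ContainsKey(51)) { $b = $o[51]; $lease = [uint32]$b[0] * 16777216 + [uint32]$b[1] * 65536 + [uint32]$b[2] * 256 + [uint32]$b[3] }
    $type  = if ($o.ContainsKey(53)) { $types[[int]$o[53][0]] } else { 'unknown' }
    @{
        MessageType = $type;      OfferedIP  = $Msg.OfferedIP; ClientMAC = $Msg.ClientMAC
        ServerIdentifier = & $ip 54; SubnetMask = & $ip 1; Router = & $ip 3; Dns = & $ip 6
        LeaseSeconds = $lease
    }
}

$authorized = @('192.168.10.200')   # assumed; on a DC, 'netsh dhcp show server' lists the AD-authorized servers

function Test-DhcpOffer {
    param([hashtable]$Summary, [string[]]$Authorized)
    $findings = @()
    if ($Summary.MessageType -ne 'OFFER') { $findings += "type is $($Summary.MessageType), not OFFER" }
    if ($Authorized -notcontains $Summary.ServerIdentifier) { $findings += "server $($Summary.ServerIdentifier) is not AD-authorized" }
    # Heuristic, not proof: a server handing itself out as the default gateway is the rogue-DHCP MITM pattern.
    if ($Summary.Router -and $Summary.Router -eq $Summary.ServerIdentifier) { $findings += 'server advertises itself as the default gateway' }
    if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
}

$offers = @(
    (New-DhcpOfferPacket -OfferedIP '192.168.10.2'  -ServerId '192.168.10.200' -Router '192.168.10.1'  -Dns '192.168.10.200' -LeaseSeconds 1728000),
    (New-DhcpOfferPacket -OfferedIP '192.168.10.50' -ServerId '192.168.10.77'  -Router '192.168.10.77' -Dns '192.168.10.77'  -LeaseSeconds 3600)
)
foreach ($pkt in $offers) {
    $s = Get-DhcpOfferSummary (Read-DhcpMessage $pkt)
    "$($s.ServerIdentifier) offers $($s.OfferedIP)/$($s.SubnetMask) to $($s.ClientMAC), lease $($s.LeaseSeconds)s: $(Test-DhcpOffer $s $authorized)"
}
```

The first constructed offer passes; the second is flagged twice (unauthorized server, and it names itself as the router). AD authorization only stops Windows DHCP servers that honor it; a non-Windows rogue on the segment still answers DISCOVERs, which is why the same decode belongs in whatever captures UDP 67/68 on your monitoring host.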




  6. #6
    Real name: 1234

    Retired moderator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Configure DHCP on Windows Server 2008

    Code:
    http://windowsserver.trainsignal.com/configure-dhcp-on-windows-server-2008

    In my last article, Installing DHCP Role, I talked about what DHCP is and how it works then walked you through installing the role on your server.
    The problem of course being that since we skipped setting up scopes, the server is unable to service clients.
    We are going to fix that with this article because we are going to go through and do some configuration on that DHCP server — by setting up a scope and some common client options that go with it.
    DHCP Scopes

    The first thing we are going to configure on the server is a scope. You might be wondering what a scope is, so let’s start with that.
    A scope is a range of addresses that are allowed to be handed out by the DHCP server. Generally speaking there is only one scope per subnet, but there are exceptions to that called Super Scopes, but that is beyond the scope (no pun intended) of this article.

    Within the scope, you can also have Reservations and Exclusions which will do the following:

    • Reservations — You can setup certain IPs to be handed out for certain MAC addresses (a MAC address is the unique number for a network adapter). This is generally used for clients or devices that must always have the same IP but you still want to manage through DHCP Server for other options (DNS or Gateway for example).
    • Exclusions — An exclusion is either a single IP or range that you do not want managed by the DHCP server. You would do this for the IPs that you would assign statically to devices like Servers that should always have the same IP.

    Hopefully before you even installed the DHCP server you have your network diagrammed out and should have to just plug-in the values that you have planned.
    Configure a DHCP IPv4 Scope

    I am going to walk you through configuring an IPv4 scope for the following IP range and settings:
    192.168.10.2 – 192.168.10.230
    Subnet Mask: 255.255.255.0
    Exclusions: 192.168.10.200 – 192.168.10.230
    Reservation: 1 client computer at 192.168.10.190
    DNS: 192.168.10.200
    Gateway: 192.168.10.1
    Lease Duration: 20 Days
    Some of these are standard fare and others will be done under options. Let’s go ahead and start.
    1. Go to Start, Administrative Tools, and click on DHCP

    2. Expand out the server and right click on IPv4, then left click on New Scope

    3. The New Scope Wizard starts up, go ahead and click Next

    4. Go ahead and name your scope. For this demo I am going to call it DHCPdemo and leave the Description blank. Fill in your name for the scope and click on Next

    5. Now we are going to enter the IP range we are assigning to the scope.
    In the Start IP address: I am going to place 192.168.10.2 and in the End IP address: I will place 192.168.10.230.
    For the subnet mask we are going to use 255.255.255.0, and we can enter this either by using the length 24 or placing the 255.255.255.0 in the fields.
    Once you fill in your information click Next

    6. Now we are going to setup an exclusion range by entering the Start IP address: as 192.168.10.200 and then in the End IP address: place 192.168.10.230.
    After that click Add to place your exclusion range in place.

    7. Once the exclude range is in place then click Next

    8. The Lease Duration window is now up and we are going to change this to 20 days.
    You should of course change this to suit your environment; if you have a lot of mobile users you will want a shorter lease duration, as you will want IPs to free up quicker as users come and go. After you set your lease time, click Next

    9. The wizard will now ask if you want to configure DHCP options. There are quite a few options you can send to the DHCP clients, but there are a couple of major ones that make life simple, so select Yes, I want to configure these options now and then click Next

    10. The first option to configure is Router (Default Gateway), and we will put in the Router gateway for this subnet 192.168.10.1, click Add and then click Next.

    11. Now we will set up the DNS Server; you can leave the Parent Domain blank and then fill in the DNS IP address of 192.168.10.200 and then click Add, then click Next
    NOTE: If you followed the Install DHCP Role article there will already be a DNS server in place. I have removed that so I can demonstrate adding it here.

    12. If you need WINS Servers then place the information on this next screen and click on Next

    13. The next screen asks you if you want to activate the scope. I am going to go ahead and select Yes, but choose what works for you and then click Next

    14. You have successfully completed the New Scope wizard! Click Finish

    That’s it, now that you have configured the DHCP scope you should see it in the DHCP Manager:

    Set Up DHCP Reservation

    The one thing we did not do in the wizard is set up our DHCP reservation. As I mentioned above, a reservation guarantees the same IP address to a client, using their MAC address as the identifier.
    I set up an XP client and used the ipconfig /all command to find its MAC address of 00-03-FF-2F-95-0C. You can also see from the screenshot that the XP machine was serviced by our DHCP server and received the very first address of 192.168.10.2; we are going to change this with a reservation to receive 192.168.10.1

    Now let’s set up the DHCP reservation.
    1. Go into DHCP Manager and expand the scope out, then right-click on Reservations and left-click on New Reservations…

    2. In the New Reservation window input the following information then click Add:
    Name: Dave’s Test Client
    IP Address: 192.168.10.190
    MAC Address: 00-03-FF-2F-95-0C
    Description: This Space Blank or whatever you want
    Note: please use your own data, don’t use the above MAC and expect this to work.

    3. In DHCP Manager you now see your reservation under Reservations

    4. Now let’s test this on the client by typing Ipconfig /release, then Ipconfig /renew, and you will now see that the client received the reserved IP of 192.168.10.190.

    Again, you would use this for clients or devices that you always want to hand out the same IP to, but still manage through DHCP.
    I hope this gave you a good overview of the basics for configuring a DHCP server. There are quite a few options you can configure through DHCP, but outside of these basic ones they are very environment specific and you could go your whole career without needing them.
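The scope plan at the top of this post, turned into a set of consistency checks one can run before clicking through the New Scope wizard. This is an added example, not code from the post or from TrainSignal; it uses only the Python standard library, and the IP ranges, lease duration and MAC address from the post are embedded as constructed input.

```python
"""Sanity checks for a DHCPv4 scope plan before it is entered in DHCP Manager.

Added example, not code from the original post. Defaults are the values the
post plans for its DHCPdemo scope. The checks encode the post's own rules:
statically assigned infrastructure addresses (DNS, gateway) must never be
leased, and a reservation must sit inside the scope range. Option 51 (lease
time) is sent to clients in seconds, so the day count is converted too.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")

# Values planned in the post, kept as plain strings (constructed sample input).
PAGE_VALUES = {
    "start": "192.168.10.2", "end": "192.168.10.230", "mask": "255.255.255.0",
    "gateway": "192.168.10.1", "dns": ["192.168.10.200"], "lease_days": 20,
    "exclusions": [("192.168.10.200", "192.168.10.230")],
    "reservations": {"00-03-FF-2F-95-0C": "192.168.10.190"},  # MAC -> IP
}


@dataclass
class ScopePlan:
    start: IPv4Address
    end: IPv4Address
    mask: str
    gateway: IPv4Address
    dns: list[IPv4Address]
    lease_days: int
    exclusions: list[tuple[IPv4Address, IPv4Address]] = field(default_factory=list)
    reservations: dict[str, IPv4Address] = field(default_factory=dict)

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(f"{self.start}/{self.mask}", strict=False)

    def in_range(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end

    def excluded(self, ip: IPv4Address) -> bool:
        return any(lo <= ip <= hi for lo, hi in self.exclusions)


def build_plan(**overrides) -> ScopePlan:
    """Build a ScopePlan from string values, starting from the post's plan."""
    v = {**PAGE_VALUES, **overrides}
    return ScopePlan(
        start=IPv4Address(v["start"]), end=IPv4Address(v["end"]), mask=v["mask"],
        gateway=IPv4Address(v["gateway"]), dns=[IPv4Address(d) for d in v["dns"]],
        lease_days=v["lease_days"],
        exclusions=[(IPv4Address(a), IPv4Address(b)) for a, b in v["exclusions"]],
        reservations={m: IPv4Address(ip) for m, ip in v["reservations"].items()},
    )


def lease_seconds(days: int) -> int:
    """DHCP option 51 (IP address lease time) is expressed in seconds."""
    return days * 24 * 60 * 60


def dynamic_pool_size(plan: ScopePlan) -> int:
    """Addresses the server may hand out dynamically: the range minus exclusions."""
    return sum(1 for n in range(int(plan.start), int(plan.end) + 1)
               if not plan.excluded(IPv4Address(n)))


def validate(plan: ScopePlan) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: list[str] = []
    net = plan.network
    if plan.end < plan.start:
        problems.append("scope end address precedes start address")
    if plan.start not in net or plan.end not in net:
        problems.append(f"scope range does not fit inside {net}")
    for lo, hi in plan.exclusions:
        if hi < lo or not (plan.in_range(lo) and plan.in_range(hi)):
            problems.append(f"exclusion {lo}-{hi} is not inside the scope range")
    # The gateway must be on the subnet but must never be leased to a client.
    if plan.gateway not in net:
        problems.append(f"gateway {plan.gateway} is not on {net}")
    if plan.in_range(plan.gateway) and not plan.excluded(plan.gateway):
        problems.append(f"gateway {plan.gateway} is inside the scope but not excluded")
    # Static servers handed to clients via options must be protected the same way.
    for srv in plan.dns:
        if plan.in_range(srv) and not plan.excluded(srv):
            problems.append(f"DNS server {srv} is inside the scope but not excluded")
    # Reservations need a well-formed MAC and an address the scope actually owns.
    for mac, ip in plan.reservations.items():
        if not MAC_RE.match(mac):
            problems.append(f"reservation MAC {mac!r} is not six hex octets")
        if not plan.in_range(ip):
            problems.append(f"reservation {ip} for {mac} is outside the scope range")
    return problems
```

With the post's values the plan validates clean and leaves 198 dynamically assignable addresses; moving the reservation to the gateway address or the DNS server into the unexcluded part of the range is reported as a problem.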




  7. #7

    Windows Server 2008: Install Active Directory Domain Services

    Code:
    http://windowsserver.trainsignal.com/windows-server-2008-install-active-directory-domain-services

    Since Windows 2000, Active Directory has been the driving force behind Microsoft Server Networking Services.
    Active Directory provides the structure to centralize the network and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users.
    In this scenario we are going to install Active Directory fresh with a brand new Domain Controller after a fresh install of Windows Server 2008.
    Requirements for Active Directory Domain Services

    Let’s go through some of the requirements for a fresh install of Active Directory Domain Services. Some of these will need to be done beforehand; others, as noted, can be done during the install:

    • Install Windows Server 2008
    • Configure TCP/IP and DNS networking configurations
    • The disk drives that store SYSVOL must be on a local drive formatted with NTFS
    • Active Directory requires DNS to be installed in the network. If it is not already installed you can specify a DNS server to be installed during the Active Directory Domain Services installation.

    Once you verify that these requirements have been met we can get started.

    Install Active Directory Domain Services via Server Manager

    For the first example let’s start by installing Active Directory through Server Manager. This is the most straightforward way, as a wizard will guide you through the steps necessary.
    1. Start Server Manager.
    2. Select Roles in the left pane, then click on Add Roles in the center console.

    3. Depending on whether you checked off to skip the Before You Begin page while installing another service, you will now see warning pages telling you to make sure you have strong security, static IP, and latest patches before adding roles to your server.
    If you get this page, then just click Next.

    4. In the Select Server Roles window we are going to place a check next to Active Directory Domain Services and click Next.

    5. The information page on Active Directory Domain Services will give the following warnings, which after reading, you should click Next:

    • Install a minimum of two Domain Controllers to provide redundancy against server outage (which would prevent users from logging in with only one)
    • AD DS requires DNS which if not installed you will be prompted for
    • After installing AD DS you must run dcpromo.exe to upgrade to a fully functional domain controller
    • Installing AD DS will also install DFS Namespaces, DFS Replication, and File Replication services which are required by Directory Service


    6. The Confirm Installation Selections screen will show you some information messages and warn that the server may need to be restarted after installation.
    Review the information and then click Next.

    7. The Installation Results screen will hopefully show Installation Succeeded, and an additional warning about running dcpromo.exe (I think they really want us to run dcpromo).
    After you review them, click Close.

    8. After the Installation Wizard closes you will see that Server Manager is showing that Active Directory Domain Services is still not running. This is because we have not run dcpromo yet.

    9. Click on the Start button, type dcpromo.exe in the search box and either hit Enter or click on the search result.

    10. The Active Directory Domain Services Installation Wizard will now start.
    There are links to more information if you want to learn a bit more; you can follow them, or you can go ahead and click Use advanced mode installation and then click Next.

    11. The next screen warns about some operating system compatibility with some older clients.
    For more information you can view the support documentation from Microsoft and after you have read through it go ahead and click Next.

    12. Next is the Choose Deployment Configuration screen and you can choose to add a domain to an existing forest or create a forest from scratch.
    Choose Create a new domain in a new forest and click Next.

    13. The Name the Forest Root Domain wants you to name the root domain of the forest you are creating.
    For the purposes of this test we will create ADExample.com. After typing that go ahead and click Next.

    14. The wizard will test to see if that name has been used; after a few seconds you will then be asked for the NetBIOS name for the domain.
    In this case I will leave the default in place of ADEXAMPLE, and then click Next.

    15. The next screen is the Set Forest Functional Level that allows you to choose the function level of the forest.
    Since this is a fresh install and a new forest with no additional prior version domains to worry about I am going to select Windows Server 2008. If you did have other domain controllers at earlier versions or had a need to have Windows 2000 or 2003 domain controllers (because of Exchange for example), then you should select the appropriate function level.
    Select Windows Server 2008 and then click Next.

    16. Now we come to the Additional Domain Controller Options where you can select to install a DNS server, which is recommended on the first domain controller.
    If this was not the first domain controller you would have the options of installing Global Catalog and/or setting this as a Read-only Domain Controller. Since it is the first domain controller, Global Catalog is mandatory, and an RODC is not an available option.
    Let’s install the DNS Server by placing a check next to it and clicking Next.

    17. You will get a warning window that a delegation for this DNS server cannot be created, but since this is the first DNS server you can just click Yes and ignore this warning.

    18. Next you can choose to place the files that are necessary for Active Directory, including the Database, Log Files, and SYSVOL.
    It is recommended to place the log files and database on a separate volume for performance and recoverability. You can just leave the defaults though and click Next.

    19. Now choose a password for Directory Services Restore Mode that is different from the domain password. Type your password and confirm it before hitting Next.
    Note: You should use a STRONG password for this and will be warned if it doesn’t meet criteria.

    20. Next you will see a summary of all the options you have gone through in the wizard.
    If you plan on creating more domain controllers with the same settings hit the Export settings … button to save off a txt copy of the settings to use in an answer file for a scripted install. After exporting and reviewing settings click on Next.

    21. Now the installation will start, including the DNS server option if selected. You will notice a box to Reboot on completion that you can check to reboot as soon as everything is installed (a reboot is required; you can do it manually or use this function to do it automatically).
    NOTE: This can be from a few minutes to several hours depending on different factors.

    Confirming Active Directory Domain Services Install

    When you reboot you will be asked to login to the domain, and be able to open Active Directory Users and Computers from the Administrative menu.
    When you do you will see the domain ADExample.com and be able to manage the domain.

    You have now successfully installed Active Directory Domain Services and the first Domain Controller.




  8. #8

    Server 2008 Active Directory: Adding a Child Domain

    Code:
    http://windowsserver.trainsignal.com/server-2008-active-directory-adding-a-child-domain

    It’s always a good thing when your company expands, right? More money for the company could mean more money for you!
    Unfortunately this is not always the case as expanding will usually mean more work for you.
    But in case the company you work for opens up another office in a different city, state, or country, in order to keep your network manageable it’s best to put the new office into its own child domain — a.k.a. sub domain.
    Why Add a Child Domain?

    There are several good reasons for splitting the new office into its own child domain, here are 3 of them:

    • Less Network Traffic between your main office and the new one – that means your company will spend less money on the direct connection between the two offices and you will never experience a network delay.
    • You will be able to delegate control of the new network to another administrator who actually lives in the location of the new office. If your offices are close and you are about 20 minutes away to any one of them, then I guess that’s no big deal. But if your main office is located in New York and the new office is going to be in … oh, let’s say Paris, how the heck are you going to get there in case of an emergency? See my point?
    • Having the child domain will allow you to keep track what is going on in a specific office.


    These are only the main good reasons for creating a child domain. Once you start working in an environment with sub domains you will realize there are a lot more good reasons for splitting the two locations in your Active Directory.
    Before you begin …

    1. In order to create a child domain on your network, you will need another server, or rather a Domain Controller.
    You can build that DC in your main office and then ship it out to the new office. This DC will also be a Global Catalog as well as DNS Server to assist all the clients in the new office with any DNS requests, etc.
    2. You also need to prepare your current network for the new sub domain. So before you begin with the new DC configuration you need to do the following:

    • Create a new site in your Active Directory that will represent the physical structure of your network. In my example our main office is in New York and the new one is in Chicago. Based on that info, you would create a new site for the Chicago office.
    • In addition to the new site you will also need to create a new subnet for your new location. It will allow you to track all of your machines by location. This new subnet should be assigned to your new location.

    Once you prepare your network as mentioned above, we are now ready to create a new Domain Controller.
    Creating a New Domain Controller

    Once you have prepared your network for your child domain and have created the site and sub domain, it’s time to install the new DC on our new site.
    As you can see our main office is in New York and we have 3 DCs already configured in the New York Site (see the screenshot below).
    Our new site called Chicago doesn’t have any DCs configured yet – this is where we are going to configure our new DC.

    1. After you have installed Windows Server 2008 on your new machine and completed all the Initial Configuration Tasks, open up Server Manager and click on the Roles section.

    2. We will need to install the Active Directory Domain Services (ADDS) Role first. So go ahead and check the box next to it and click Next.

    3. In this window you will see some additional information about ADDS. Once ready, click on Next.

    4. As always you are being informed that once the installation is completed the server will restart and you will need to use the ADDS Installation Wizard to make the server a fully functional Domain Controller.
    Go ahead and click on the Install button.

    5. The installation will now run for a few minutes.

    6. Now it’s time to click on the link and run dcpromo.exe.

    7. Go ahead and click Next on the welcome screen.

    8. And Next again (for more detailed information on this step you can check out this post on Installing Active Directory Domain Services on Server 2008).

    9. Since this is going to be your child domain, make sure you select the Existing forest option and then select Create a new domain in an existing forest.
    When ready, click on the Next button.

    10. Type in your domain name with the correct internet suffix. In my example I’m using our globomantics.com domain.
    Since this domain already exists and you are logged in to this machine only as a local administrator you will also need to enter alternate credentials of a domain administrator in order to proceed.
    So go ahead and click on the Set button.

    11. Enter the domain administrator’s name and password, then hit OK.

    12. When ready, click on Next.

    13. In this step you will need to enter the Fully Qualified Domain Name (FQDN) of your child domain in two steps.
    The first is the FQDN of your parent domain. In our example it is going to be globomantics.com.
    Next you need to enter the single-label DNS name of your child domain — that means anything that is before the globomantics.com.
    In my example I entered na for na.globomantics.com — as seen on the bottom.
    That will be our FQDN for the new child domain. Once ready, click on the Next button.

    14. Now it’s time to select a site for this DC.
    Now you see why we needed to create the new site before we started this installation. Select the correct site and click Next.

    15. As mentioned earlier we are going to make this DC be our DNS server as well as Global catalog for our new site.
    Make sure both check-marks are checked and then click on the Next button.

    16. I would recommend leaving the default locations for these databases unless you have a really good reason not to. Click Next.

    17. In this window you will need to set up the Directory Services Restore Mode Administrative Password for restore purposes.
    Go ahead and type that in and then click on the Next button.

    18. On this summary window double check your selections and when ready click Next.

    19. You can check the box Reboot on completion and let the installation complete.

    Congratulations! Your Child Domain has been created!






  9. #9

    Server 2008: Active Directory Certificate Services

    Code:
    http://windowsserver.trainsignal.com/active-directory-certificate-services

    Active Directory Certificate Services is an installable role that can be used on either a domain-joined or standalone Windows Server 2008.
    Certificate Services are the backbone for using Public Key Infrastructures (PKI) on a Windows Server.
    In case you don’t know what PKI is — it is a security system of digital certificates, certification authorities (CAs), and registration authorities. PKI verifies the identity of each side that is involved in the digital transaction by verifying the certificates they are using.
    Microsoft’s implementation of PKI is in a hierarchical CA model. A very simple example will have just a single Certification Authority, but it is very scalable to contain multiple CAs with defined parent and child roles.
    At the top of the hierarchy is the Root CA, with every CA that is a child under that root being called a Subordinate CA.
    The root CA in this implementation is key, if you trust the root CA then you trust every subordinate CA in that hierarchy that has a valid certificate. Because of this the root CA should be highly secured as it is the pinnacle of trust in an organization.

    Root Certification Authority

    As we discussed, the Root CA is the highest level of trust in the organization’s Public Key Infrastructure. If it gets compromised all your subordinate CAs are vulnerable to exploitation. Because of this, not only should the root CA be secured at the system level at all times, but in the physical as well.
    Best practice is to only issue certificates for other subordinate CAs from the root CA even though you could issue certificates to end users.
    Subordinate Certification Authority

    Really the workhorses of the PKI organization, the subordinate CAs will be the servers that should be issuing certificates for most end user needs.
    Some of these needs are secure e-mail, Web-based authentication, or smart card authentication. The subordinate CA will derive its authority from either the root CA or a subordinate CA that has issued it a certificate, building another layer in the hierarchy.
    Some of the reasons for setting up multiple subordinate CAs are:

    • Load Balancing — If you issue a large number of certificates and they are in use constantly you will want several subordinates to issue the same kind of certificate to balance the load among multiple servers.
    • Redundancy — If you only have one CA and it fails, there will be nothing to respond to user requests and that is going to be a problem. By having multiple CAs you can guarantee to have something to respond to those requests.
    • Logical and Geographic Division — Whether your network is divided by logical organizations or even physical sites, it might make sense to have different CAs available in those different divisions to service those specific users and ease administrative strain.
    • Usage — You may find it advantageous to divide your CAs by their usage, such as one set only does secure e-mail and another set does network authorization. This can make delegation and administration of those functions easier to deal with.

    There are also many 3rd party CA suppliers such as Verisign or GeoTrust which use various methods to verify users’ credentials before issuing a certificate to them.
    It is important to stress that ANYONE can create a CA so you must decide if you are going to trust those 3rd party CAs based on their stated policies and administration.
    While these 3rd party issuers are useful for certain applications like e-commerce websites, most internal company uses will not require such measures and an internal CA structure should be setup.
    Enterprise Certification Authorities

    These CAs are tied into the Active Directory Domain Services (AD DS) role in the domain and that gives them additional functionality. You can use an Enterprise CA to issue certificates for the following:

    • Digital Signatures
    • Secure E-mail Using S/MIME (Secure MultiPurpose Internet Mail Extensions)
    • Authenticate to a Secure Web Server Using Secure Socket Layer (SSL) or Transport Layer Security (TLS)
    • Logon to the Domain Using a Smart Card

    To install an Enterprise CA you will need access to Active Directory Domain Services which requires a user that is a member of the Domain Admins group or an administrator with write access to AD DS.
    One of the benefits of being tied into the AD DS is that it can use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. It will also publish user certificates and certificate revocation lists (CRLs) to AD DS.
    Enterprise CAs can issue certificates based on templates which will do the following:

    • Enforce credential checks on users during enrollment. Every certificate will have permissions set in AD DS that will determine if the requester has authorization to receive the type of certificate they are trying to request.
    • Subject name can be generated in the template from information in AD DS or it can be supplied by the user requesting the certificate.
    • Predefined list of extensions to be used by the certificate which will reduce the information the user has to supply to receive the requested certificate.
    • Users can be issued certificates through Autoenrollment

    Stand-Alone Certification Authorities

    These CAs share many similarities with their Enterprise cousins but not all of the functions. They also require more administration than an Enterprise CA because there is no verification of the users’ credentials from the AD DS.
    You can use the Stand-Alone CAs for the following:

    • Digital Signatures
    • Secure E-mail Using S/MIME (Secure MultiPurpose Internet Mail Extensions)
    • Authenticate to a Secure Web Server Using Secure Socket Layer (SSL) or Transport Layer Security (TLS)

    Some of the characteristics of a Stand-Alone CA are as follows:

    • All certificate requests are set to pending for the administrator to manually review. This is the default action and it is recommended that you use this mode especially if you are installing a stand-alone CA in a domain.
    • Templates are not used
    • Administrator has to specifically distribute the stand-alone CA’s certificate to the users’ trusted root store or users will have to do it themselves

    As mentioned above, a stand-alone CA can be installed in a domain and will gain these additional functions:

    • If a Domain Admin or an administrator with write access installs the stand-alone root CA, it will publish its certificate to the Trusted Root Certification Authorities certificate store for all domain users and computers. Because of this reason it is well advised that you leave all requests to pending to verify identity; otherwise any requested certificate will be trusted by the entire domain.
    • A stand-alone CA will also publish its certificate and certification revocation list (CRL) to AD DS if it is installed by a Domain Admin or account with write access to AD DS.

    Summary

    This article has given you a broad overview of Active Directory Certificate Services and hopefully gotten you ready to take the next step and start to look at how to implement.
    In my next article I will show you how to install the services on a Windows 2008 Server and create a certificate.
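A small model of the trust rules this post describes, as an added example (not code from the post, TrainSignal or Microsoft): a certificate is trusted only if its issuer chain ends at a CA in the trusted root store, every issuing link is itself a CA, every certificate in the chain is within its validity period, and none is listed in its issuer’s CRL. The CA names and certificates are constructed, signature verification is left out, and the walker handles chains of any depth rather than only the two-tier case in the text.

```python
"""Model of how trust flows through a hierarchical CA model such as AD CS.

Added example, not code from the original post. It models the chaining logic
only (issuer links, validity dates, the CA flag from basicConstraints, CRLs
and a trusted-root store); signature checking is left out, so this is a
teaching model rather than a validator to deploy. CA and subject names are
constructed. Chains of any depth are handled, not just root-plus-one.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: date
    not_after: date
    is_ca: bool  # basicConstraints: may this certificate issue others?


def _c(subject: str, issuer: str, serial: int, y0: int, y1: int, is_ca: bool = False) -> Cert:
    """Constructed certificate valid from 1 Jan y0 to 1 Jan y1."""
    return Cert(subject, issuer, serial, date(y0, 1, 1), date(y1, 1, 1), is_ca)


# Constructed hierarchy: an offline root, an issuing subordinate, a second-tier
# subordinate for mail, and the end-entity certificates they issued.
ROOT = _c("Contoso Root CA", "Contoso Root CA", 1, 2008, 2028, True)
ISSUING = _c("Contoso Issuing CA 1", "Contoso Root CA", 2, 2008, 2018, True)
MAIL = _c("Contoso Mail CA", "Contoso Issuing CA 1", 3, 2008, 2013, True)
ALICE = _c("alice@contoso.example", "Contoso Mail CA", 10, 2010, 2012)
WEB = _c("intranet.contoso.example", "Contoso Issuing CA 1", 11, 2010, 2012)
# Anyone can stand up a CA; this one is simply absent from our trusted root store,
# and it has issued a certificate carrying the same subject name as Alice's.
OTHER_ROOT = _c("Some Other Root CA", "Some Other Root CA", 1, 2008, 2028, True)
OTHER_LEAF = _c("alice@contoso.example", "Some Other Root CA", 5, 2010, 2012)
# An end-entity certificate (no CA flag) that appears as the issuer of another.
MISISSUED = _c("bob@contoso.example", "alice@contoso.example", 99, 2010, 2012)

# Certificates that can be found when walking issuer links, keyed by subject.
STORE: dict[str, Cert] = {c.subject: c for c in (ROOT, ISSUING, MAIL, ALICE, WEB, OTHER_ROOT)}
# What Group Policy pushes into Trusted Root Certification Authorities.
TRUSTED_ROOTS: set[str] = {ROOT.subject}
# CRLs as published to AD DS: issuer subject -> revoked serial numbers.
CRLS: dict[str, set[int]] = {}


def build_path(leaf: Cert, store: dict[str, Cert]) -> list[Cert]:
    """Walk issuer links upward from the leaf until a self-signed cert or a dead end."""
    path, seen = [leaf], {leaf.subject}
    while path[-1].subject != path[-1].issuer:
        parent = store.get(path[-1].issuer)
        if parent is None or parent.subject in seen:
            break  # issuer unknown, or a loop: the chain cannot be completed
        path.append(parent)
        seen.add(parent.subject)
    return path


def validate(leaf: Cert, today: date, store: dict[str, Cert] | None = None,
             trusted_roots: set[str] | None = None,
             crls: dict[str, set[int]] | None = None) -> list[str]:
    """Return the reasons the leaf is not trusted; an empty list means trusted."""
    store = STORE if store is None else store
    trusted_roots = TRUSTED_ROOTS if trusted_roots is None else trusted_roots
    crls = CRLS if crls is None else crls
    path = build_path(leaf, store)
    problems: list[str] = []
    anchor = path[-1]
    if anchor.subject != anchor.issuer or anchor.subject not in trusted_roots:
        problems.append(f"chain from {leaf.subject} ends at {anchor.subject}, "
                        "which is not a trusted root")
    for i, cert in enumerate(path):
        if not cert.not_before <= today <= cert.not_after:
            problems.append(f"{cert.subject} is outside its validity period on {today}")
        if i > 0 and not cert.is_ca:
            problems.append(f"{cert.subject} is not a CA but issued {path[i - 1].subject}")
        if cert.serial in crls.get(cert.issuer, set()):
            problems.append(f"{cert.subject} (serial {cert.serial}) is revoked by {cert.issuer}")
    return problems
```

Revoking the issuing subordinate (serial 2 in the root’s CRL) makes every certificate beneath it untrusted at once, which is the cascade the post warns about when a CA is compromised.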




  10. #10

    Server 2008: Install Active Directory Certificate Services

    Code:
    http://windowsserver.trainsignal.com/install-active-directory-certificate-services

    I gave a good overview of what Active Directory Certificate Services (AD CS) are and what they do in my last article: Server 2008: Active Directory Certificate Services.
    For a short recap, AD CS is the backbone of Microsoft’s Public Key Infrastructure (PKI) implementation. It will allow you to issue certificates for SSL/TLS use on websites or to digitally sign your email.
    Now let’s take a look at installing Active Directory Certificate Services.
    Certain versions of Server 2008 only allow certain AD CS components to be installed; please take a look at this table for reference:


    • CA – issues certificates to users, computers and services while also managing their validity; comes in root and subordinate
    • Network Device Enrollment Service – allows network devices (i.e. routers) to request and receive certificates based on Simple Certificate Enrollment Protocol (SCEP)
    • Online Responder Service – implements Online Certificate Status Protocol (OCSP) by evaluating certificate status, decoding revocation status requests, and sending back signed responses containing certificate status information


    Install Enterprise Certificate Authority on a Windows 2008 Server

    As I outlined in my earlier article, there are two varieties of root CAs: the Enterprise and Stand-Alone. Each has its advantages and configuration, but in this case we are going to install an Enterprise CA.
    I am going to be installing this root CA server in my test Active Directory domain named ADExample.com on a Windows Server 2008 Enterprise version.
    The server is a member of the domain, and is a domain controller. Let’s get started.
    1. Open Server Manager.
    2. Select Roles, then click Add Roles in the center pane.

    3. The Before You Begin page may show up if you haven’t turned it off already. If you see it just click Next.
    4. In the Select Server Roles window go ahead and select Active Directory Certificate Services by placing a checkmark next to it, then go ahead and click Next.

    5. Now you will see an Introduction to Active Directory Certificate Services, where you can read about the good things you can do with AD CS.
    The biggest thing to note here is the following:
    Name & Domain settings of this computer cannot be changed after a CA has been installed. If you want to change the computer name, join a domain, or promote this server to a domain controller, do so BEFORE installing the CA.
    Now with that warning out of the way, go ahead and click on Next.

    6. Next you get to Select Role Services, which can include any of the following depending on what version of Windows Server 2008 you are installing this on — refer to the table above for specifics.
    For this install I am going to choose the Certification Authority only.

    7. Now comes the Specify Setup Type, and for this I am going to select the Enterprise radio button.

    8. For the Specify CA Type, I am going to choose the Root CA radio button and then click Next.

    9. In Set Up Private Key, I am going to choose Create a new private key radio button and then select Next.

    10. Now you have to Configure Cryptography for CA in this window and there are quite a few to choose from.
    Now I am no expert on cryptography, but some basic rules do apply … the longer the key the harder it is to crack. For our purposes I am going to use the following settings:
    RSA#Microsoft Software Key Storage Provider
    4096 Key Character length
    md5 Hash algorithm
    Now I am going to click Next.

    11. In Configure CA Name you can choose to overwrite the default common name for this CA and also the Distinguished name suffix if you so choose.
    I am going to overwrite the default common name with Test-Enterprise-CA, but I will leave the rest alone.

    12. Next we will Set Validity Period for this CA’s certificate.
    Remember a root CA issues itself a certificate. The default is 5 Years so I will just leave it at that. You can change this based on any need you might have in your environment. Click Next.

    13. Configure Certificate Database will let you specify where you want to put the database and log files for the CA.
    I am going to leave the default in place. Click Next.

    14. On the Confirm Installation Selections you can see the answers you have chosen and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA.
    Go ahead and click Install… you know you want to!

    15. After a few minutes you will see the Installation Results, and with any luck you will have the message: Installation succeeded.
    After your glow of certificate happiness fades go ahead and click Close.

    16. Now let’s go in and take a look by clicking on Certification Authority in Administrative Tools (if you get a UAC pop up just click Ok).

    17. Now you can see the snap-in is showing the CA named Test-Enterprise-CA in the left pane with a bunch of folders for certificates.

    18. You can also see that if you click the Certificate Templates folder, there are quite a few default templates that are already setup and ready to go.

    Summary

    Now that we have installed the Active Directory Certificate Services the next step would be to request some certificates and configure them.
    The installation for a stand-alone CA is very similar to this. In fact if you are not in a domain and if you are not installing as a domain admin you will not even get the option for an Enterprise CA setup, so if you see that grayed out you now know why.
    In my next article we will take a look at some of the uses for certificates and how to request and install them on servers and clients.




  11. #11

    Active Directory Improvements in Windows Server 2008

    Code:
    http://windowsserver.trainsignal.com/windows-server-2008-active-directory

    In the Beginning …

    When Active Directory was first introduced in Windows Server 2000 it quickly became the most widely implemented network resource management system in use.
    By providing a single logon process from the Windows logon prompt on the client side for authenticated access to all resources locally and on the network as well as a single point of administration, it is hard to argue with results.
    The first version of Active Directory used an access control list (ACL) to provide an object based method of managing access to network resources.
    Still not every business’ needs were met with the initial release of Active Directory.
    Certificate Services, Windows’ method of determining access to web based resources such as email, and Microsoft Metadirectory Services (MMS), Windows’ method for providing central access to multiple network directories, were both separate components from Active Directory.

    Here and Now …

    When Microsoft released Windows Server 2003 Active Directory’s prominence was secured by adhering to the demands of customers for better integration with other network security components.
    Microsoft improved the way Active Directory and Certificate Services worked together. MMS was replaced with Microsoft Identity Integration Server (MIIS), which provided even better integration with other directory types.
    Additional features were added in the first revision of Server 2003 such as the Authorization Manager and Windows Rights Management Services (RMS).
    The Authorization Manager introduces role-based access control (RBAC) which provides the ability for Administrators to group permissions based on job roles allowing for users to be associated with multiple job roles.
    RMS provides the administrator with the ability to associate usage polices that adhere to the new information protection laws to resources. RMS works together with Certificate Services and IIS to uphold its policies on the local network and the World Wide Web.
    In Server 2003 Revision 2, Active Directory Federation Services (ADFS) and Active Directory Applications Mode (ADAM) were introduced.
    ADFS extends the convenience of Active Directory’s single sign-on authentication to the web by creating a single user session that can be used across multiple web applications.
    ADAM was introduced so directory-enabled applications could take advantage of Active Directory’s access control without requiring an actual domain or domain controller.

    Windows Server 2008

    In Windows Server 2008 Active Directory has continued on its path of integration with its latest family of components. Active Directory components are now available as server roles, which I have listed below:

    • Active Directory Domain Services (AD DS)
    • Active Directory Certificate Services (AD CS)
    • Active Directory Lightweight Directory Services (AD LDS)
    • Active Directory Federation Services (AD FS)
    • Active Directory Rights Management Services (AD RMS)

    As you have probably noticed, the server roles listed above all contain Active Directory in the name. The new Active Directory roles provide the same functionality of the many identity access components from previous Windows Server versions, but with new names.

    Active Directory Domain Services (AD DS)

    Active Directory Domain Services is the new name for Active Directory Directory Services and remains the core Active Directory Component. Aside from the improvements to the user interface, there are four major improvements to AD DS which I will go over below.

    • Read-only domain controllers (RODC) – provide reliable security to insecure environments by replicating a writable domain controller.
      Changes cannot be made to a RODC and only the user credentials used with the RODC are stored on the server. This makes it so the whole directory would not need to be rebuilt if security on the RODC were to be breached.
    • Auditing enhancements – there are now four different auditing categories: Directory Service Access, Directory Service Changes, Directory Service Replication and Detailed Directory Service Replication.
      This allows for better event searching and logging policy management.
    • Granular password and account lockout policies – domains are no longer limited to a single password or lockout policy. Multiple policy objects can now be saved to a domain and applied to groups or users.
    • Restartable AD DS – you can now perform maintenance on AD DS by simply stopping the Domain Controller Service.
      Before you had to reboot the machine and start in Directory Services Restore Mode to perform maintenance, which led to more down time.

    Active Directory Certificate Services (AD CS)

    Certificate Services is named Active Directory Certificate Services in Server 2008. There are several notable improvements to AD CS. I have listed the major changes below.

    • Certificate Web enrollment support improvements – the ActiveX control for Web enrollment, XEnroll.dll, has been replaced with the COM control, CertEnroll.dll. The new control is more secure and manageable.
    • Network device enrollment support – AD CS now provides built in support for issuing certificates to network devices to allow applications using the device to interact with other network entities.
    • Online certificate status protocol (OCSP) support – Server 2008 includes this as an optional role service.
      OCSP checks a certificate’s status for revocation, which prevents clients from having to download the entire certificate revocation list, thus improving network performance.
    • Enterprise PKI (PKIView) – PKI Health has a new name and can now be used as an MMC snap-in. This tool is used for troubleshooting and monitoring the health of certificates and certificate authorities.
    • CAPI2 Diagnostics – a new PKI troubleshooting feature that performs highly detailed logging for several validation processes.

    Active Directory Lightweight Directory Services (AD LDS)

    Active Directory Lightweight Directory Services (AD LDS) is the new name for Active Directory Application Mode (ADAM).
    AD LDS is essentially the same as ADAM except for it is now available as an in-box role in Server 2008 where it needed to be downloaded from the Microsoft Download Center in Server 2003.
    As mentioned previously, but referring to ADAM, AD LDS is a stripped down version of AD DS designed to be used in applications. Many CRM and HR applications use Active Directory for storing their data. AD LDS can be used instead of AD DS making it possible for these applications to be used without needing to configure access to network resources.

    Active Directory Federation Services (AD FS)

    The name for Active Directory Federation Services (AD FS) remains the same, save the addition of a space in the acronym.
    AD FS allows for businesses to set up trust relationships with other directories, thus enabling the other directory’s user’s credentials to be used across directories. While there is little change to the name, a couple of notable improvements have been made which I will go over below.



    • Federation trust import/export support – before, the process of configuring federation trusts was a long manual process. The manual process is still long, however once set up, settings can be exported and then imported to other AD FS Servers.
    • AD FS deployment limiting – a group policy can be applied to disable deployment of AD FS servers on Windows Server 2008.

    Active Directory Rights Management Services (AD RMS)

    The follow-up to Windows RMS is Active Directory Rights Management Services (AD RMS).
    The purpose of AD RMS remains the same as its predecessor. It is now integrated with Office 2007 and Internet Explorer 7 for securing sensitive information hosted on the server. For example, rights can be applied to emails to prevent recipients from forwarding messages.
    AD RMS is available as a role in Server 2008 and now includes an MMC snap-in for administration as opposed to a Web-based interface.

    Still More to Come …

    The preceding components are the five Active Directory components released in Windows Server 2008. This year, MIIS has been updated for Server 2003 under the title Identity Lifecycle Manager. An updated release for Server 2008 code-named Identity Lifecycle Manager 2 is currently in beta.
    Notable new features available to this release include administration from a GUI and SharePoint Services as well as an approval request process for content available from Office 2007 applications. You can find out more about Identity Lifecycle Manager 2 here.
    While it would be nice to have had the release of Identity Lifecycle Manager included with Server 2008, it goes to show you that Microsoft knows its work is never finished and will keep improvements to Active Directory coming.





  12. #12

    Windows Server 2008: Auditing Active Directory

    Code:
    http://windowsserver.trainsignal.com/windows-server-2008-auditing-active-directory

    If you have been supporting servers for any amount of time, you have no doubt come across requests from managers for security audits, if you don’t already have them in place yourself to keep an eye on things.
    Auditing is exactly what it sounds like — it keeps a record of things that have been modified in Active Directory.
    In previous versions of Windows Server there was not a lot of granular control in what you were auditing. Let’s explore some of the new auditing features in Server 2008.

    Auditing Changes in Windows Server 2008

    One of the most significant changes over the Server 2000 and Server 2003 versions of auditing is that now you can not only audit who and what attribute was changed but also what the new and old value was.
    This is significant because you can now tell why it was changed and if something doesn’t look right you’re able to easily find what it should be restored to.

    Another significant change is that in the past you were only able to turn auditing policy on or off for the entire Active Directory structure. In Windows Server 2008 the auditing policy is configurable for four subcategories:

    • Directory Service Access
    • Directory Service Changes
    • Directory Service Replication
    • Detailed Directory Service Replication

    This article will focus on enabling auditing on Directory Service Changes which will show us the ability to audit changes to Active Directory Domain Services.

    Implementing Auditing on Windows Server 2008

    In Server 2008 when setting up auditing there are three places you can modify to implement controls:

    • Global Audit Policy – In Server 2008 the Global Audit Policy is not on by default and must be enabled.
    • System Access Control List (SACL) – is the ultimate authority on whether an access check gets audited or not.
      The SACL is part of the security descriptor for an Active Directory object and specifies which operations should be audited. These are set by the security administrators who have been assigned the Manage Auditing and Security Log privilege. It is assigned automatically to the Administrators group.
    • Schema – To protect administrators from generating too many auditing events there is an override that can be set in the schema to exclude any events that have an attribute set.
      We will not be covering the Schema modification in this article, but this is important for you to know.

    Enable Global Audit Policy on Windows Server 2008

    The first step is to enable the audit policy. I will walk you through both doing it through the GUI and then through the command line:
    1. Go to Start, Administrative Tools, and then click on Group Policy Management.

    2. Navigate down through your Forest, to the Domains, then Domain Controllers and left click on Default Domain Controllers Policy.
    You will get a warning that changes here will impact all other locations that the GPO is linked to. Click Ok.

    3. Right click on Default Domain Controllers Policy and then left click on Edit…

    4. Navigate under Computer Configurations → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy

    5. Right click on Audit Directory Service Access, and then click Properties.

    6. Select Define these policy settings and then select Success. Click on Apply and then Ok.

    That’s it! You now have configured auditing via GUI.
    Let’s take a look at the command line method (much faster):
    1. Start Command Prompt with elevated rights.

    2. Type in the following command and hit Enter:
    auditpol /set /subcategory:"directory service changes" /success:enable

    I told you it was much faster! You should see The command was successfully executed. Now let’s move on to the next step.

    Setup Auditing in System Access Control List (SACL)

    As was mentioned earlier, the SACLs do most of the work in determining what gets audited and what doesn’t.
    Please note that there are many different types of SACLs that can be setup; we are only using one as an example.
    1. Open Active Directory Users and Computers.

    2. Click on View and make sure that Advanced Features is enabled. If not left click on it to place a check next to it.

    3. Right click on any of the Organizational Units you want to audit; in our example I am going to audit Users. Then click on Properties.

    4. In the Properties window click on Security.

    5. Next click on Advanced.

    6. Click the Auditing tab, then click Add.

    7. Under Enter the object name to select:, type in Authenticated Users and click Ok.

    8. In the next window under Apply onto:, select Descendant User Objects and under Access check the box for Successful next to Write all properties and click Ok.

    9. Click Ok until you are out of any dialog boxes.
    Now that we have enabled auditing in a SACL let’s go ahead and give it a test.

    Example Security Events with Auditing Enabled

    With auditing enabled, all events will be logged under the Security Event Viewer. Let’s see what happens when you change a value on an object.
    For brevity’s sake, I am going to create a user called audittest, change his name from Audit Test to Test Audit and then we will take a look in the security log to see what was shown.
    There are two images that show the change that corresponds with Event 5136, here is the first one which shows the value being deleted, which in this case is Audit Test:

    The next image shows the changed object’s new value which in our case is Test Audit:

    So you can see that it is very helpful if you are watching these types of things to know what the old value was compared to the new value, in case you need to quickly and easily reset the attribute without having to go to a backup.
    There are a ton of things you can audit depending on the situation and your need.
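Reading the two 5136 events from the walk-through above (one "Value Deleted" for the old value, one "Value Added" for the new one) back into a single old-to-new record is something you end up scripting once the security log fills up. The following is an added example, not code from the article: it assumes the security log was exported as XML and wrapped in an `<Events>` root, and the sample events are constructed for the audittest scenario.

```python
"""Reconstruct old -> new attribute values from Event ID 5136 records.

Added example, not code from the original article. It assumes the security
log was exported as XML (Event Viewer "Save Events As...", or wevtutil with
/f:xml) and wrapped in an <Events> root element. The sample below is
constructed for the article's audittest scenario.
"""
import xml.etree.ElementTree as ET
from collections import OrderedDict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# OperationType values a Server 2008 DC writes for Directory Service Changes:
# %%14674 = Value Added, %%14675 = Value Deleted.
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Constructed sample: displayName changed from "Audit Test" to "Test Audit"
# (two 5136 events sharing one OpCorrelationID), one unrelated 4662 event,
# and a description set for the first time (Value Added with no matching
# Value Deleted).
SAMPLE_EVENTS = """<Events>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2009-08-01T09:00:00Z"/></System>
  <EventData>
   <Data Name="OpCorrelationID">{00000001-0000-0000-0000-000000000001}</Data>
   <Data Name="SubjectUserName">Administrator</Data>
   <Data Name="ObjectDN">CN=audittest,CN=Users,DC=example,DC=local</Data>
   <Data Name="ObjectClass">user</Data>
   <Data Name="AttributeLDAPDisplayName">displayName</Data>
   <Data Name="AttributeValue">Audit Test</Data>
   <Data Name="OperationType">%%14675</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2009-08-01T09:00:00Z"/></System>
  <EventData>
   <Data Name="OpCorrelationID">{00000001-0000-0000-0000-000000000001}</Data>
   <Data Name="SubjectUserName">Administrator</Data>
   <Data Name="ObjectDN">CN=audittest,CN=Users,DC=example,DC=local</Data>
   <Data Name="ObjectClass">user</Data>
   <Data Name="AttributeLDAPDisplayName">displayName</Data>
   <Data Name="AttributeValue">Test Audit</Data>
   <Data Name="OperationType">%%14674</Data>
  </EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2009-08-01T09:00:01Z"/></System>
  <EventData><Data Name="SubjectUserName">Administrator</Data></EventData>
 </Event>
 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2009-08-01T09:02:00Z"/></System>
  <EventData>
   <Data Name="OpCorrelationID">{00000001-0000-0000-0000-000000000002}</Data>
   <Data Name="SubjectUserName">Administrator</Data>
   <Data Name="ObjectDN">CN=audittest,CN=Users,DC=example,DC=local</Data>
   <Data Name="ObjectClass">user</Data>
   <Data Name="AttributeLDAPDisplayName">description</Data>
   <Data Name="AttributeValue">Created for audit walk-through</Data>
   <Data Name="OperationType">%%14674</Data>
  </EventData>
 </Event>
</Events>"""


def parse_events(xml_text):
    """Return one dict per 5136 event, keyed by the EventData Name attributes."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5136":
            continue  # only Directory Service Changes events matter here
        rec = {"TimeCreated": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = data.text or ""
        records.append(rec)
    return records


def pair_changes(records):
    """Fold Value Deleted / Value Added events that share a correlation ID,
    object and attribute into one change with the old and the new value."""
    changes = OrderedDict()
    for rec in records:
        key = (rec.get("OpCorrelationID"), rec.get("ObjectDN"),
               rec.get("AttributeLDAPDisplayName"))
        change = changes.setdefault(key, {
            "when": rec["TimeCreated"], "who": rec.get("SubjectUserName"),
            "object": rec.get("ObjectDN"),
            "attribute": rec.get("AttributeLDAPDisplayName"),
            "old": None, "new": None})
        if rec.get("OperationType") == VALUE_DELETED:
            change["old"] = rec.get("AttributeValue")
        elif rec.get("OperationType") == VALUE_ADDED:
            change["new"] = rec.get("AttributeValue")
    return list(changes.values())


def describe(change):
    """One line per change; None means the attribute was unset on that side."""
    old = change["old"] if change["old"] is not None else "<not set>"
    new = change["new"] if change["new"] is not None else "<removed>"
    return (f"{change['when']} {change['who']} changed {change['attribute']} on "
            f"{change['object']}: {old!r} -> {new!r}")


if __name__ == "__main__":
    for change in pair_changes(parse_events(SAMPLE_EVENTS)):
        print(describe(change))
```

Filtering the paired changes on attributes such as member or userAccountControl turns the same loop into a simple change alert, and the recorded old value is what you restore from.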




  13. #13

    Active Directory Rights Management Services: Data Access Controls

    Code:
    http://windowsserver.trainsignal.com/ad-rms-data-access-controls

    Active Directory Rights Management Services (AD RMS) and the AD RMS client allow server administrators additional ways to protect proprietary information and sensitive data.
    This is accomplished through access and usage restrictions that follow the data wherever it is accessed, above and beyond what is set at the folder and file level through NTFS and / or the Encrypting File System (EFS).
    By fully leveraging the rights management and access controls available in AD RMS an administrator can drastically reduce the probability (and the possibility) that the data is intentionally or accidentally received by other users that should not have access to the data in the first place.
    Today we’ll review Active Directory Rights Management Services as it applies to both Windows Server 2008 as well as Windows Server 2008 R2, and I’ll focus specifically on data access controls.
    [NOTES FROM THE FIELD] – Because Server 2008 R2 is in “Release Candidate” status at the moment until it is officially released to manufacturing (RTM), the information is subject to change.

    The Basics: Other Types of Access Control

    Before we take a look at all the benefits that AD RMS and the AD RMS client offers in the way of locking down permission to data and access rights, I think it’s important to do a historic review of how this was done.
    [NOTES FROM THE FIELD] – NTFS permission settings on files and folders are not necessarily relevant when it comes to what AD RMS offers directly, but it does make sense to have an understanding of where the “first” set of permission controls and rights access were introduced.
    When your job as a system administrator involved the responsibilities of securing access control to information, historically this meant that you set permissions on the folders and data files themselves. If it was across networks then share permissions might come into play.
    These access control permissions were set through the file system and leveraged by the operating system in use. These file and folder access controls could be set to users and / or groups.
    ALLOW permissions were cumulative on the local system in that if you were a member of one group and had READ permission and a member of another you had CHANGE / WRITE — so the permissions would combine to give you the least restrictive level of access (in other words, the most control).
    If there was a DENY permission anywhere from any one of the groups you were a member of that was a permission setting that trumped all others. Even if the combined access control allowed you FULL CONTROL of a set of data the DENY always had the override and prohibited all access.
    This was a problem whenever you had a large environment where a user was a member of many groups for obvious reasons. It got even worse if the administrator decided to set very granular levels of access control by way of NTFS and you’re dealing with inheritance.
    More subtly, there might be a reason to limit most people’s READ rights (as an example) to very sensitive information such as exact employee salary and compensation, but what would you do if someone had permission to read and access this information and wanted others to see it?
    They could print it out or copy it to a FAT drive (file allocation table) where the file system permissions set by NTFS are removed and anyone that could physically access the data could get their hands on it.
    These are some clear and obvious limitations of file system access controls.

    Summary of File Based Access Control

    So with all these details I thought it made sense to try to net them all out.
    There is the additional consideration of inheritance and so forth but in an effort to just keep the overview simple for now consider permissions set on the data object itself.

    • NTFS File Permissions

    NTFS File Permissions are those set on the files themselves:
    Full Control allows for the following level of access control:

    • Read
    • Write
    • Modify
    • Execute
    • Change attributes
    • Permissions
    • Take ownership of the file

    Modify allows for the following level of access control:

    • Read
    • Write
    • Modify
    • Execute
    • Change the file’s attributes

    Read & Execute:

    • Read
    • Run / Execute the file — run a program as allowed by other access controls

    Read — display the file’s data, attributes, owner, and permissions
    Write — write to the file, append the file, and read or change file attributes

    • NTFS Folder Permissions

    NTFS Folder Permissions are settings made at the folder level locally on the system:
    Full Control:

    • Read
    • Write
    • Modify
    • Execute files in the folder
    • Change attributes permissions
    • Take ownership of the folder or files within the folder

    Modify:

    • Read
    • Write
    • Modify
    • Execute files in the folder
    • Take ownership of the folder or files within the folder

    Read & Execute:

    • Read
    • Run / Execute the file — run a program as allowed by other access controls

    List Folder Contents:

    • Display the folder’s contents
    • Display the data itself
    • Display the data attributes
    • Display the data owner
    • Display the data permissions for files within the folder
    • Run / Execute the file — run a program as allowed by other access controls

    Read — display the file’s data, attributes, owner, and permissions
    Write — write to the file, append the file, and read or change file attributes

    • Share Permissions

    Share Permissions are given to the shared resource over the network:
    Read:

    • View files and subdirectories
    • Execute applications
    • No changes can be made

    Change:

    • View files and subdirectories
    • Execute applications
    • Add data / subdirectories
    • Delete data / subdirectories
    • Change / append files or subdirectories

    Full Control:

    • All of the above

    NTFS permissions and share permissions are independent and the most restrictive of the two will be applied to the shared resource.
    This would be in the situation that a resource access is attempted across the network (as local access renders share permissions irrelevant).
    So in the example of where JOHN has FULL CONTROL of a file locally (NTFS) at the system console but across the network that user only has READ access to the share, JOHN will only be able to READ the data — that would be the maximum control level that user would have accessing the data remotely.

    Next Time

    In my next article I will go over some of the summary details of how the Encrypting File System (EFS) offers another form of access control over data.
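The three combination rules the post above walks through (allows accumulate across group memberships, any DENY overrides them, and across the network the more restrictive of the share and NTFS permissions wins) are short enough to model exactly. This is an added example, not code from the article: the right names and what each level contains are taken from the article's lists, inheritance is not modelled, and the implicit Everyone membership and the share-level ACE shape are assumptions.

```python
"""Effective-permission model for the NTFS / share rules described above.

Added example, not the article's own code. Rights are named as the article
lists them; inheritance is left out; every principal is assumed to be a
member of Everyone; ACEs are (trustee, 'Allow' | 'Deny', level) tuples.
"""

# What each NTFS file permission level grants, per the article's lists.
NTFS_LEVELS = {
    "Full Control": {"read", "write", "modify", "execute", "change attributes",
                     "change permissions", "take ownership"},
    "Modify": {"read", "write", "modify", "execute", "change attributes"},
    "Read & Execute": {"read", "execute"},
    "Read": {"read"},
    "Write": {"write", "change attributes"},
}
ALL_RIGHTS = NTFS_LEVELS["Full Control"]

# Share levels: Read = view and execute, Change = add / delete / change too,
# Full Control = all of the above (mapped onto the same right names).
SHARE_LEVELS = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "modify"},
    "Full Control": ALL_RIGHTS,
}


def _resolve(identities, aces, levels):
    """Combine the ACEs that apply to any of the identities: ALLOW entries
    accumulate (least restrictive), and a DENY removes the right no matter
    how many groups allow it."""
    allowed, denied = set(), set()
    for trustee, kind, level in aces:
        if trustee not in identities:
            continue
        rights = levels[level]
        if kind == "Allow":
            allowed |= rights
        elif kind == "Deny":
            denied |= rights
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed - denied


def effective_rights(user, groups, ntfs_aces, share_aces=(), remote=False):
    """Rights the user ends up with on the object.

    At the console only the NTFS ACL counts; over the network the result is
    the intersection of the NTFS rights and the share rights, i.e. the most
    restrictive of the two.
    """
    identities = {user, "Everyone", *groups}   # assumption: Everyone is implicit
    ntfs = _resolve(identities, ntfs_aces, NTFS_LEVELS)
    if not remote:
        return ntfs
    share = _resolve(identities, share_aces, SHARE_LEVELS)
    return ntfs & share


if __name__ == "__main__":
    # The article's JOHN example: Full Control locally, Read on the share.
    ntfs = [("JOHN", "Allow", "Full Control")]
    share = [("Everyone", "Allow", "Read")]
    print("local :", sorted(effective_rights("JOHN", [], ntfs)))
    print("remote:", sorted(effective_rights("JOHN", [], ntfs, share, remote=True)))
    # Cumulative allows from two groups, then a DENY from a third trumping them.
    aces = [("Readers", "Allow", "Read"), ("Editors", "Allow", "Write")]
    print("ann   :", sorted(effective_rights("ann", ["Readers", "Editors"], aces)))
    aces.append(("Contractors", "Deny", "Write"))
    print("ann   :", sorted(effective_rights("ann", ["Readers", "Editors", "Contractors"], aces)))
```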




  14. #14

    Active Directory Rights Management Services: Encryption – EFS and BitLocker

    Code:
    http://windowsserver.trainsignal.com/ad-rms-encryption-efs-bitlocker

    Last time we reviewed file access controls to data and resources by leveraging permissions via NTFS and share restrictions.
    In today’s article we will take a look at some of the other ways outside of AD RMS that administrators can limit intentional and unintentional data leakage.
    As I mentioned in my overview post on Active Directory Rights Management Services, AD RMS allows administrators additional ways to protect proprietary information and sensitive data through access and usage restrictions that follow the data wherever it is accessed.
    By leveraging AD RMS administrators can dramatically reduce the probability and the possibility that the data is intentionally or accidentally received by users who should not have access to the data in the first place.
    As I noted before, the information in this article is subject to change with the RTM, so please keep this in mind and if you do notice any changes feel free to post them in the comments.

    Encrypting File System (EFS)

    One of the ways to restrict access to data is to encrypt the data (lock it up) so that only the people or groups that have the permissions to access it can — everyone else is denied access.

    Much in the same way that very few people have access to your home (only people with the keys to the doors of the house have allowed access) EFS offers administrators a way to set up strict access controls.
    What’s different about this method compared to the NTFS permissions that we discussed in the last article is that the encryption permissions follow the file around … to an extent.
    EFS adds on to the NTFS security layer by effectively scrambling the contents of that data so that it can be read only by someone who has the encryption key to decipher it. Just being an administrator of a system is not necessarily going to allow you to gain ownership of the data and the control to access it because now you’d need the key to unlock / decipher the data as well.
    When a user attempts to access an encrypted file and that user does not have the key to unlock it they will receive an access denied message and they will be unable to read the file.
    Because encryption is set on the object (and can be inherited) the effect of copying and moving files around can impact their encryption state.

    The Rules of Encryption

    The overall rules for encryption are as follows:
    • Rule # 1

    When moving or copying a file within the same NTFS volume an encrypted file will not inherit the encryption state of the target folder when that folder is unencrypted. When you copy or move an encrypted file to an unencrypted folder, the file is still encrypted. If you have enabled a folder to encrypt files and you move or copy an unencrypted file to it, it will become encrypted at that point.
    • Rule # 2

    When copying or moving a file or folder from one NTFS volume to another, an encrypted file will not inherit the encryption state of the target folder when that folder is unencrypted. When you copy or move an encrypted file to an unencrypted folder, the file is still encrypted. If you have enabled a folder to encrypt files and you move or copy an unencrypted file to it, across partitions, it will become encrypted at that point.
    • Rule # 3

    Moving or copying a file or folder to a FAT16 or FAT32 volume – EFS supports attribute driven encryption only on the NTFS file system, so when you move or copy an encrypted NTFS file or folder to a FAT volume, (16 or 32) the encryption attribute will be lost. Because most forms of removable media do not support the NTFS file system, the same is also true.

    What You Need to Know about EFS

    Some key thoughts with respect to encrypting data by way of EFS:
    When you need to access encrypted data and you are on a system where the key to the data is present, you can access the encrypted data by simply double clicking on it; there is no other interaction for you. The operating system decrypts the file to access it and then when it is closed it automatically encrypts it again.
    You need to back up your encryption certificate and encryption key in case you need to recover these if the system crashes or there is some other error and the system needs to be rebuilt and so on. If you neglect to do this and there is an issue and no other recovery agent is available then these encrypted files are forever locked. This is especially important on standalone systems that are not attached to a domain.
    When there are other users that are going to need access to files or folders that you encrypt they will need to have their own EFS certificate added to the files in order to gain access to them. Think of this like having their own key just to this file. They are not leveraging your key – your key unlocks ALL of your encrypted files; their key when added to a file that you lock with your key allows them to access that data and only that data.

    Last Thoughts on EFS

    EFS does not offer a complete solution for securing files that are sent across the network. EFS secured files are decrypted when they need to be sent over the wire, which can expose the file to possible interception and attacks if someone is monitoring (sniffing) the wire. In order to secure the transmission of sensitive data on an internal or external network another form of encryption would be needed such as IPSec or SSL depending on the need.
    As you can see from this high level overview, there are ways to better secure the data but there are still some pretty big loop holes when it comes to storing the data, moving it around on portable drives and transmitting it over the wire.
    [NOTES FROM THE FIELD] – Because this was an introductory overview of EFS there are a lot of details I glossed over. I would recommend reviewing the details of the Encrypting File System information on the Microsoft website to get more details.
    Of special interest would be the Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 section.

    BitLocker / BitLocker to Go

    So with our review of EFS done I’ll turn our attention to BitLocker and Bitlocker To Go.
    BitLocker Drive Encryption is available on some versions of Windows Vista, Windows Server 2008 R2 and in some editions of Windows 7. When leveraged BitLocker Drive Encryption is one of the best ways to protect portable systems such as laptops from loss of data and information when the laptops themselves are lost or stolen.
    Additionally, the use of Bitlocker on desktop systems is also a good consideration when you consider how much information can be lost from recycled desktop systems that have not undergone a proper hard drive wipe routine before being sold off.
    [NOTES FROM THE FIELD] – Bitlocker leverages the Trusted Platform Module (TPM) version 1.2 to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
    The main focus of this topic for the article is to talk about securing files and access control, so this part of what it offers is a little beyond the scope of the conversation.
    For additional details on this there is the “What is a TPM” section of the BitLocker Drive Encryption Overview; it is a Vista based article but it is still applicable.
    The Windows BitLocker Drive Encryption Step-by-Step Guide is another good detailed document to review.
    For our conversation regarding securing files, BitLocker works well on a local drive on a laptop or a desktop as it completely prevents someone from accessing a system in its entirety unless they have a password to start up the system.
    Without that password (or the recovery key if the password is lost) the entire system is unavailable.
    Fairly skilled people understand that there are ways to get around regular file based security that the operating system offers by installing another version of the operating system locally or booting from a DVD or USB key to work from a lower level of disk access to get to the stored data.
    When BitLocker is correctly enabled, the whole area of disk data that is locked out under the encryption is inaccessible to that person even at that low level.
    With respect to BitLocker To Go this security of the data is expanded further as it can be leveraged on portable devices to lock all the data even when it is stored on FAT formatted drives keeping the data completely secured from unauthorized access.

    The User – the Single Point of Failure

    The problem with EFS and BitLocker to Go (most specifically) is that the single point of failure is the end user.
    If the end user un-encrypts their EFS locked data or transfers it to a FAT or FAT32 drive it ends up being accessible to anyone that can get to it. If the user sends that data off to themselves in an email it can be left behind in the SENT folder and so forth allowing people that should not have access to it the possibility of getting access to it.
    If the end user with the BitLocker to Go device like a USB stick needs to make edits and changes to data and temporarily copies it off the protected device to work on it (as would be the situation under a legacy operating system like Windows XP) and then forgets to delete the local copy, it is left behind unprotected and potentially available to others that should not have access to it.
    Active Directory Rights Management Services (AD RMS) takes that point of failure and removes it by taking the control of the data away from the user.
    But we’ll cover this in more detail in my next AD RMS article. Stay tuned.




  15. #15

    Active Directory Rights Management Services: Features & Operational Considerations

    Code:
    http://windowsserver.trainsignal.com/ad-rms-features

    In the last couple of weeks we have covered AD RMS Data Access Controls as well as AD RMS Encryption, mainly EFS and BitLocker as it applies to both Server 2008 and Server 2008 R2.
    As I mentioned before, Server 2008 R2 is still in “Release Candidate” status so the details in these articles might change before the product is officially released to manufacturing (RTM), so please keep this in mind.
    Now before we get started, let’s do a quick review of what we already covered:
    In AD RMS – Data Access Controls we briefly reviewed file access controls to data and resources by leveraging permissions via NTFS and share restrictions. In this article we will take a look at some of the other ways outside of AD RMS that administrators can limit intentional and unintentional data leakage.
    In AD RMS – Encryption: EFS and BitLocker we reviewed the Encrypting File System and BitLocker functionality. While not directly related to Active Directory Rights Management Services they are a part of any good security and control strategy.
    In today’s segment on Features and Operational Considerations we will review some of the higher level features and operational considerations of the technology in order to get a good understanding of what it offers in terms of content permission and control. I’ll cover:

    • Why use AD RMS?
    • What AD RMS can do
    • How Rights Management works (in a nutshell)
    • Shares and Licenses


    Why Use AD RMS?

    When administrators leverage Active Directory Rights Management Services (AD RMS) as part of their security strategy, they add an additional layer above and beyond standard file based security, EFS, or disk encryption technologies such as BitLocker.
    This is accomplished by allowing for the protection of information through persistent usage policies and rights management. The best part of this use and rights security is that it is not limited to where the data is stored but rather it is part of the data itself, which means that no matter where the data resides it effectively carries the permissions and restrictions with it.
    AD RMS allows administrators to set up the services that will allow data owners to configure permissions to sensitive information as part of their security efforts to keep it from intentionally or accidentally being sent to or received by people that should not have access to it in the first place.
    As an example, if I have general file access rights (read) to a Word document and I have it in my possession there is nothing preventing me from forwarding that out to the world in an email.
    AD RMS resolves that issue.
    As another example, if I have general file access rights (read) to a Word document and I am fired from my company I will always have access to that Word document saved on my own storage device.
    AD RMS resolves this problem as well.

    What AD RMS Can Do

    The AD RMS environment that administrators will deploy includes a system running Server 2008 R2, the latest version released. This system would be running with the AD RMS server role enabled in order to handle all of the necessary certificates for the data. You would also need it to host database services and the AD RMS client.
    The AD RMS client is included as part of Windows 7 and Windows Vista and is leveraged as part of the solution to process the permissions on the data.
    Data owners are able to define who can open, modify, print, forward, or take other actions with the data. Policy templates can also be created and can be applied directly to the information so that the users do not have to define permissions or rights individually.
    As an example, a template could be set up as “INTFTE” which allows for “all rights denied except READ” and that could be applied to Word documents, spreadsheets and the like, where only those people that are full time, internal employees would even be granted access to the data and then only at a READ level. At that setting they would be unable to print out the data or copy and paste it out, and the ability to create screen shots or clippings would be disabled when that document was open.
    If you want to be able to leverage rights management to data created on a given application it must be rights management aware or be able to leverage add-ons that have been created to make an application AD RMS-enabled, even if it does not natively implement RMS functionality. Text files created with Notepad cannot be rights enabled because the application cannot leverage the functionality natively as an example.

    How Rights Management Works (in a nutshell)

    The way the Active Directory Rights Management Service works is that it will issue RMS licenses by way of the AD RMS client which is required for creating the permissions and restrictions on the rights-protected content. The client is also needed for access to that data as well.
    Data that is protected by AD RMS leverages encryption and an embedded Usage Policy that defines how each user or group will have access to that data. The data owner will decide the rights that those trusted users will have and they will enable that access right through the application itself.
    When a data creator / owner decides that they will rights protect a Word 2007 document, that is done right through Word by selecting the “Office Button” (sometimes called “The Pearl”) in the upper left hand corner of the application and choosing the Prepare option (preparing the document for distribution) and then choosing the Restrict Permission option.


    [NOTES FROM THE FIELD] – When content is rights protected (often referred to as “published” or “distributed”) through AD RMS, it is encrypted with Advanced Encryption Standard (AES) 128-bit encryption. (Data Encryption Standard (DES) 56-bit encryption is available for backward compatibility.)
    In our example above using Word, AES 128-bit encryption would be used, as Microsoft Office 2007 always uses AES 128-bit encryption by default.
    AD RMS uses public and private keys to encrypt the content encryption symmetric key. The rights policy data in the publishing license and the use license are also encrypted. AD RMS also uses the public keys to digitally sign AD RMS certificates and licenses as well.
    Once the permissions are set (such as READ) then specific users or groups are assigned that license or right to that data. The data owner may then put the Word document out on a share (where the share may have access and permissions rights added to it through the share itself and / or where file permissions may be set via NTFS).
    When a user with share and file rights access attempts to view the document they must also have this “licensed” right to do so from the owner or they will be denied access to the data from the rights management perspective.
    You can see where combining share, file system, EFS, and BitLocker can add to the security of data and how RMS adds an additional layer even above and beyond that.

    Shares and Licenses

    If a user was accidentally put into a group that has permissions to a shared resource (such as the Payroll folder and network share), they would suddenly have access to data that they should never have been granted access to in the first place.
    However, if the actual data was rights protected this user would not have the license right to access the data; despite the fact they are in a share they don’t otherwise belong in they cannot read the data because they have no RMS access to it.
    Additionally, in a situation where someone is fired or quits working for a company, their rights to that data can be revoked. Despite the fact that they may still have data saved on a removable drive or flash memory in their possession, they will no longer be able to access it as their rights, remotely managed via the AD RMS service, will now be denied.
    An overly simple way to consider AD RMS is — deny all access rights to all users / groups except those with specific granted rights by way of RMS permissions.

    Further Reading

    For a much more detailed look at the actual process please consider a review of Deploying Active Directory Rights Management Services at Microsoft — specifically the Process That IRM Uses to Generate and Retrieve Licenses section of the article.

    Next Time

    In my next article, AD RMS – System Requirements and other Considerations, we’ll go over the recommended system requirements and some of the high level configuration considerations for a standard set up. See you then.
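    The "Shares and Licenses" scenario above starts with a user who was accidentally added to a group that holds permissions on a sensitive share such as Payroll. AD RMS is the layer that still denies the content to that user, but the group mistake itself is something an administrator can detect. The script below is an added example and is not code from the article or from TrainSignal: it reads the NTFS ACL of a folder, expands every Active Directory group that is granted access, and reports members who are not on an approved list. It requires the ActiveDirectory PowerShell module (Server 2008 R2 or RSAT); the share path `\\fileserver\Payroll` and the approved account names are constructed placeholders. It checks share-side access only and does not query RMS licenses, which the article does not expose an API for.

```powershell
# Added example (not from the article): report who effectively holds NTFS access to a
# sensitive folder, expanding AD groups, and flag members outside an approved list.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2) is available.
Import-Module ActiveDirectory

function Get-FolderAccessReport {
    param(
        [Parameter(Mandatory=$true)][string]$Path,            # folder or UNC path to audit
        [Parameter(Mandatory=$true)][string[]]$ApprovedUsers  # sAMAccountNames that should have access
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are not expanded
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # IdentityReference is "DOMAIN\name"; keep the part after the backslash for the AD lookup
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        $members = @()
        try {
            $group = Get-ADGroup -Identity $name -ErrorAction Stop
            # -Recursive walks nested groups so indirectly added users are found too
            $members = Get-ADGroupMember -Identity $group -Recursive |
                       Where-Object { $_.objectClass -eq 'user' } |
                       Select-Object -ExpandProperty SamAccountName
        } catch {
            # Not resolvable as a group (direct user ACE or a well-known principal such as
            # NT AUTHORITY\SYSTEM): report the identity itself as the member
            $members = @($name)
        }
        foreach ($m in $members) {
            New-Object PSObject -Property @{
                Path       = $Path
                GrantedVia = $ace.IdentityReference.Value
                Rights     = $ace.FileSystemRights
                Member     = $m
                Approved   = ($ApprovedUsers -contains $m)
            }
        }
    }
}

# Usage: path and approved account names are constructed placeholders
Get-FolderAccessReport -Path '\\fileserver\Payroll' -ApprovedUsers @('hrmanager', 'payroll1') |
    Where-Object { -not $_.Approved } |
    Format-Table Member, GrantedVia, Rights -AutoSize
```

Every row in the output is a user who can reach the folder through some ACE but is not on the approved list; the GrantedVia column shows which group membership to review. The share-level permissions are a separate layer (not covered by Get-Acl on the folder), so the report should be read as "who NTFS lets in", with AD RMS remaining the control that protects the content itself once such a user reaches it.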



