Laura Duggan 07314299 14/7/14
MSc Computer Science (Conversion)
Systems Management Module Assignment – Users’ Manual

Table of Contents

Part A
Task A1 Windows Lite Touch Installation p3
Task A2 BitLocker Drive Encryption p18

Part B
Task A Windows Server 2008 Full Installation p31
       Windows Server 2008 Server Core Installation p38
Task B Setting up Active Directory p41
       Adding a domain controller p47
       Adding client machine to domain p50
       Adding server core as member server p51
Task C Installing new hard disks p53
       Setting up mirrored volume p54
       Setting up spanned volume p56
Task D Configuring Active Directory p57
Task E User groups p63
       Group permissions p64
       Creating group policy objects p66
Task F Setting up server core installation as a file server p85
       Configuring server core installation for remote administration p86
       Accessing server core installation using remote desktop p90
Task G Installing DHCP p92
       Configuring client to use DHCP p96
       Disabling DHCP p97
Task H Demoting a domain controller p98
       Demoting an unbootable domain controller p98
References p103

Part A

Task A1. Using Virtual Machines to mimic the use of Physical Machines, document and install Microsoft Windows 7 using the Lite Touch Installation (LTI) method.

Windows 7 allows for four deployment strategies:

1. High-touch deployment with retail media
- Aimed towards fewer than 100 deployments.
- Allows admins to focus on each system individually.

2. High-touch deployment with standard image
- Aimed at between 100 and 200 deployments.
- Main advantage is that you can include any applications and files with the image; therefore they don’t need to be added after installation.
- Disadvantage is that it doesn’t scale well; a technician and a flash drive are required for each deployment.

3. Lite-touch, high-volume deployment
- Aimed towards 200–500 deployments by skilled IT staff with deployment experience.
- Advantage is that it requires only limited interaction with a technician, thus reducing deployment time and costs.

4. Zero-touch, high-volume deployment
- A fully automated deployment aimed at over 500 deployments.
- Requires an IT professional with deployment and Config Manager 2007 R2 experience. (Rodriguez, 2011)

To decide on a strategy it is important to take into account both your skill level and the number of computers which you plan on rolling out to. LTI uses a standardized image and then rolls it out over the network. As the configuration will be the same across all computer systems, problems are less likely to occur. (Microsoft)

Installation adapted from Step-by-Step: Basic Windows 7 Deployment for IT Professionals. Retrieved from http://technet.microsoft.com/en%E2%80%90us/library/dd349348(v=ws.10).aspx (Microsoft, Step by Step: Basic Windows 7 Deployment for IT Professionals, 2010)

For this deployment you need:
- A Windows 7 product disk.
- A Windows 7 AIK DVD disk (can be downloaded from http://go.microsoft.com/fwlink/?LinkId=136976).
- A technician computer running Windows Server 2003, Windows Vista or Windows 7; it must have a network adapter, a working network environment, and access to a CD and DVD-ROM drive.
- A reference computer (the first machine on which we will install our customized version of Windows 7 – we will then image this computer and roll out the image over the network to the rest of our machines); it must have a network adapter and a working network environment.
- A USB flash drive.
- A blank CD-R/RW.
- A destination computer (to which we will roll out our image over the network).

There are 5 steps in the deployment:
1. Building an Answer File
2. Building a Reference Installation
3. Creating Bootable Windows PE Media
4. Capturing the Installation to a Network Share
5. Deploying from a Network Share

To begin the deployment: on the technician computer, insert the Windows Automated Installation Kit into the CD-ROM drive and install it by following the on-screen wizard. If it doesn’t start automatically, browse to the correct drive and click StartCD.exe.

Step 1 – Building an Answer File

In this step we create an XML answer file using the Microsoft AIK on our technician computer. This answer file will contain the answers to prompts usually given to a user when they’re installing Windows, thus automating the process.

On the technician computer insert the Windows 7 product DVD into the CD-ROM drive, open D:\sources and copy install.wim to your desktop.

Click the start button, and open Windows SIM by clicking Microsoft Windows AIK and then Windows System Image Manager. Click File and Select Windows Image; when the box opens, navigate to where you copied install.wim on your desktop and click OK.

Click the version of Windows 7 you are installing, in this case Windows 7 Professional; when prompted click Yes to generate a catalog file, and OK to allow the correct permissions.

When the catalog file is generated, click on File and New Answer File; a new blank answer file template is automatically generated.

Next we will add and configure the settings we desire for our Windows installation to the answer file, by clicking and expanding the components node to see the available settings; folders are listed in alphabetical order.
Add each of the following components to the answer file, in the configuration pass shown:

Microsoft-Windows-Deployment\Reseal – oobeSystem
Microsoft-Windows-International-Core-WinPE\SetupUILanguage – windowsPE
Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition – windowsPE
Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition – windowsPE
Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition (second partition) – windowsPE
Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition (second partition) – windowsPE
Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo – windowsPE
Microsoft-Windows-Setup\ImageInstall\OSImage\InstallFrom – windowsPE
Microsoft-Windows-Setup\UserData – windowsPE
Microsoft-Windows-Shell-Setup\OOBE – oobeSystem

These settings will populate the centre answer file panel; click on each and enter the corresponding values below.

Microsoft-Windows-International-Core-WinPE
    InputLocale = en-US
    SystemLocale = en-US
    UILanguage = en-US
    UserLocale = en-US

Microsoft-Windows-International-Core-WinPE\SetupUILanguage
    UILanguage = en-US

Microsoft-Windows-Setup\DiskConfiguration
    WillShowUI = OnError

Microsoft-Windows-Setup\DiskConfiguration\Disk
    DiskID = 0
    WillWipeDisk = true

Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition (first partition)
    Order = 1
    Size = 300
    Type = Primary

Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition (second partition)
    Extend = true
    Order = 2
    Type = Primary

Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition (first partition)
    Active = true
    Format = NTFS
    Label = System
    Order = 1
    PartitionID = 1

Microsoft-Windows-Setup\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition (second partition)
    Format = NTFS
    Label = Windows
    Order = 2
    PartitionID = 2

Microsoft-Windows-Setup\ImageInstall\OSImage
    InstallToAvailablePartition = false
    WillShowUI = OnError

Microsoft-Windows-Setup\ImageInstall\OSImage\InstallTo
    DiskID = 0
    PartitionID = 2

Microsoft-Windows-Setup\ImageInstall\OSImage\InstallFrom
    Key = /IMAGE/NAME
    Value = Windows 7 Professional

Microsoft-Windows-Setup\UserData
    AcceptEula = true

Microsoft-Windows-Setup\UserData\ProductKey
    Key = <your product key>
    WillShowUI = OnError

Microsoft-Windows-Deployment\Reseal
    ForceShutdownNow = false
    Mode = Audit

Microsoft-Windows-Shell-Setup\OOBE
    HideEULAPage = true
    ProtectYourPC = 3

To validate your settings, click Tools and Validate Answer File, then check the Messages panel to see if there are any warnings or errors; if there are none, save your answer file as autounattend.xml.

Copy your autounattend.xml to the root of an active NTFS USB key.

Step 2 – Building a reference installation

In this step we will build our reference installation of Windows 7 on our reference computer using the answer file which we created in step 1.

On your reference computer place your Windows 7 installation disk in the CD/DVD drive and your USB stick with the answer file on it in a USB port. Turn on the computer and enter the BIOS to instruct it to boot from the CD/DVD drive if necessary. If the startup screen appears and setup doesn’t start automatically, press Shift+F10 to bring up the command prompt; to instruct it to find your autounattend.xml file and start unattended setup enter

setup.exe /unattend:<PathToAutoUnattend.xmlFile>

and press Enter. Allow setup to auto complete.

When setup has finished you can check to see if your system has configured correctly, as it’s still in audit mode. If you’re happy with the configuration, complete the System Preparation Tool window which is on the desktop. Select Enter System Out-of-Box Experience (OOBE), tick the Generalize checkbox, select Shutdown and click OK. When sysprep finishes working you’re left with a working installation on your reference computer which is now ready to be imaged.
Step 3 – Creating bootable Windows PE media

In this step we create a bootable Windows PE RAM disk on a CD-ROM. This CD will then allow us to start a PC for deployment; it boots directly into memory, thus creating a network environment in which you can use the ImageX tool to copy our image.

On the technician computer click the start button, navigate to Windows AIK, right click on Deployment Tools Command Prompt and select Run as administrator. A command prompt window will open; at the prompt enter

copype.cmd <architecture> <destination>

with architecture being x86, amd64 or ia64 as required, and destination a path to a local directory. This copype.cmd script creates the directory structure and copies all the necessary files.

At the prompt type

copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim

to copy the base image to the \ISO\sources folder and rename it boot.wim. Type

copy "c:\program files\Windows AIK\Tools\x86\imagex.exe" c:\winpe_x86\iso\

to copy ImageX into \winpe_x86\iso. Use oscdimg to create a Windows PE image (.iso) file by typing

oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

When the .iso is created, burn it to a CD-ROM. This is now a bootable Windows PE RAM CD containing the ImageX tool.

Step 4 – Capturing your installation onto a network share

In this step we create an image of the reference computer using our Windows PE CD and ImageX, then we copy the image to a network share.

Back on your reference computer, insert your Windows PE disk and restart your computer. If necessary, change the boot order in the BIOS to boot from the Windows PE disk. When Windows PE starts it launches a command prompt window.

At the prompt type

E:\imagex.exe /capture C: C:\myimage.wim "my Win7 Install" /compress fast /verify

in order to grab an image of your reference installation using the ImageX tool.
Connect to a network location using the net use command and the login credentials for your network share, with the syntax:

net use n: \\server\share\

Create an Images folder and copy the image you created earlier to it.

Step 5 – Deploying from a network share

In this step we take the image of our reference computer which is on the network, and use our Windows PE CD and ImageX to roll it out to the destination computer(s).

On your destination computer, insert the Windows PE disk and boot to it (by entering the BIOS on restart and selecting to boot from CD-ROM). A command prompt will launch; format the hard drive to be the same as that selected in your imaged reference computer using the following commands:

diskpart
select disk 0
clean
create partition primary size=300
select partition 1
format fs=ntfs label="System"
assign letter=S
active
create partition primary
select partition 2
format fs=ntfs label="Windows"
assign letter=C
exit

Connect to your network share with the syntax:

net use n: \\server\share\

Then copy your image using:

copy N:\Images\myimage.wim C:

To apply the image to the destination computer’s hard drive type:

D:\imagex.exe /apply C:\myimage.wim 1 C:

Finally, to initialise your boot configuration data and copy the boot environment files, use the BCDboot tool.

You now have a fully deployed installation of Windows 7 on your destination computer, and are ready to deploy it across as many machines as required using the image which is stored on your network share.

Task A2. Microsoft Windows offers the ability to enforce full drive encryption. Using a Virtual Machine, document the process of implementing BitLocker in the form of a user instruction manual. During the process outline any options and/or requirements which must be met in order to set up same.
Encryption uses an algorithm to scramble information to render it unreadable to anyone without a key, usually done to protect the security and privacy of a user’s files. Encryption used correctly mitigates risk.

BitLocker is Microsoft’s drive level encryption, which uses a trusted platform module (TPM) chip built into the device to store cryptographic information including encryption keys. As this TPM chip must be present for information stored on the drive to be decrypted, it is more secure from physical theft and software attacks. Without access to the TPM, drives cannot just be removed and installed into another computer to access their content. (Paul, 2014)

Where it is not possible to have a TPM, such as in a virtual machine, the encryption keys are stored on a USB flash drive which must be present to unlock the encrypted drives. The process of setting up BitLocker on a virtual machine without a TPM chip is outlined below. (Microsoft, BitLocker Drive Encryption Overview, 2014)

BitLocker protects data by encrypting the entire drive including the OS, Windows registry, temporary files and the hibernation file. BitLocker is available on Windows Vista or 7 Ultimate, Vista or 7 Enterprise, and 8.1 Pro or Enterprise, while also requiring that your machine has at least two partitions, and has a TPM (or a USB key).

BitLocker’s main disadvantage is that it’s closed source, thus it is unknown whether there have really been no back doors put in by Microsoft under pressure from various US government programs; however for protection from a stolen PC or against petty criminals, BitLocker should provide adequate protection. (Paul, 2014)

Adapted for VMware from http://www.shulerent.com/2012/09/04/locking-down-a-virtualmachine-with-bitlocker/

*This operation is being carried out on a virtual machine, using a small hard drive on a USB key to hold the encryption keys.
To install BitLocker encryption on a machine, you need two USB flash drives – one to permanently hold the encryption keys, so it will be needed for future use of your VM, and a second USB flash drive to temporarily hold the encryption key during installation.

To begin, add a second drive to your VM. When your VM is powered off, click Settings and add a new hard drive. Create a new virtual disk and browse to your USB flash drive location, save the .vmdk file on it and finish the wizard.

Turn on your virtual machine and open Disk Management by typing diskmgmt.msc. You will be prompted to initialize your new hard disk; click OK and follow the wizard steps, leaving the defaults in place.

When the new disk has been initialized, right click the unallocated space and select New Simple Volume. Format the disk.

To enable BitLocker without a TPM the local group policy must be changed. To access local group policy, click the start button and type mmc into the search bar. When the Microsoft Management Console pops up, add a new Local Group Policy snap-in to your console, follow the wizard to create it, and save it.

Navigate to Operating System Drives. Click to open Require additional authentication at startup.

Move the radio button to enable Require additional authentication at startup, and ensure that Allow BitLocker without a compatible TPM is selected.

Insert your second (temporary) USB flash drive, in this case F:

Open Control Panel, navigate to System and Security and then BitLocker Drive Encryption. Click on Turn on BitLocker for your required drives. Allow Windows to check your system.

Click Next through the rest of the wizard and restart your computer when prompted. Upon restart BitLocker will continue its installation process.
Choose Require a startup key at every startup. The next window shows your temporary USB flash drive; select it and click Save.

Choose Save the recovery key to a USB flash drive. When the next screen appears do not click Continue!

You need to copy your keys from the temporary USB flash drive to the small USB drive. To do this, ensure that you can see hidden files. To see hidden files, open Control Panel, click on Appearance and Personalisation, and in Folder Options click on Show hidden files and folders. Under the Hidden files and folders section, select the radio button labelled Show hidden files, folders and drives. Clear the checkboxes labelled Hide extensions for known file types and Hide protected operating system files. Click Apply and OK.

Your temporary USB flash drive should now contain two files. Move these files to your small VM hard drive and return to the final encryption screen.

Click Continue and restart your computer when prompted; upon restart you’ll see that encryption is in progress.

Your machine is now protected by BitLocker encryption; when you boot it up with the permanent USB flash drive you will see this message and it will boot normally. Without the USB flash drive, your machine will not boot.

PART B

Task A. Using VirtualBox, VMware Workstation or similar you are to create several virtual machines:

Three servers with Server 2008 or later installed:
- 2 of these servers are to be installed with Standard, Enterprise or Datacenter edition using the full GUI install and named Server1 and Server2 accordingly.
- The third server is to be a Standard Server Core installation and named MSCore.

One client machine with Windows 7 or later installed and named Client1. Clone this client virtual machine and rename the workstation Client2.

Please use adequate sizes for the hard disk partitions on each of the client machines. Configure the servers with 200 GB hard disks. For the operating system create a partition of 60 GB accordingly. RAM on all machines is to be 512 MB or greater depending on your amount of available RAM. All passwords are to be Pa$$w0rd. Give all machines a static IP address from the range 192.168.0.0/24.

IP address table – range 192.168.0.0/24 – for later reference:

Machine      IP address
Server1      192.168.0.101
Server2      192.168.0.102
MS-Core      192.168.0.103
Client1      192.168.0.104
Client2      192.168.0.105
Subnet mask  255.255.255.0

Windows Server 2008 comes in two releases – Windows Server 2008 (32-bit or 64-bit) and Windows Server 2008 R2 (64-bit only), with R2 being an updated version with a range of bug fixes and new features. Within Windows Server 2008 (and R2) there are four editions:

- Windows Server 2008 Standard: directed at the SMB sector, usually used as a domain controller, file and print server, DNS and DHCP server and application server.
- Windows Server 2008 Enterprise: directed at larger companies running heavier apps, e.g. SQL Server 2008.
- Windows Server 2008 Datacenter: directed at the large enterprise market, allows an unlimited number of virtual machines with a single license.
- Windows Web Server 2008: for servers that run the Windows IIS service. (Windows, 2008)

Windows Server 2008 installation

To install Windows Server 2008: place the Windows Server 2008 installation disk in the CD-ROM drive of your machine and power it up. Follow the on-screen instructions to choose the installation language, time and currency format and keyboard or input method, and click Next.
Click Install now and allow the installation process to run; when prompted enter your product key and click Next. For this full installation, select Windows Server 2008 Full Installation (with whichever edition you are installing), and click Next.

Read and accept the license terms and click Next. In the ‘Which type of installation do you want?’ screen click Custom (advanced). Create a 60 GB partition using the wizard and highlight it to install Windows on, then click Next.

Allow the installation to complete itself; your machine will restart itself a few times during this process. After rebooting, press Ctrl+Alt+Delete to log in as Administrator.

Change the administrator password to a complex alphanumeric password. After logging in the desktop appears and you can begin working on your server.

To change your computer’s name:

It is much easier to change your computer’s name before setting up Active Directory services; this will become the name by which the computer is known on the network, so it is best if it’s descriptive and human readable. Click the start button, right click on Computer and click Properties. When the System dialog box opens click on Change settings. In Computer name, type the new name of your computer. Click OK twice and restart your computer for the changes to come into effect.

Static IPv4 address:

In order to set up your server as an Active Directory Domain Controller it must have a statically assigned IP address. As outlined in the table above, our IPv4 addresses are in the range 192.168.0.0/24, meaning that 24 bits are reserved for the network portion, thus leaving us with 254 possible IPv4 addresses (192.168.0.1-255). This CIDR notation allows for more control over network size than traditional classful IPv4 addressing.
To assign a static address, click the start button, open Control Panel and click on Network and Sharing Center. Click on Local Area Connection Status and then Properties. Uncheck the IPv6 checkbox, and double click on IPv4 to change its settings.

Click the ‘Use the following IP address’ radio button and manually enter your IP address, subnet mask and DNS server address. This example shows the settings for Server1 (which will later become a domain controller with DNS), so we use the loopback address of 127.0.0.1; on the other machines on the network the DNS server will be 192.168.0.101. Click on OK and Apply to bind the settings. You can check they have been correctly applied by running ipconfig in a command prompt.

Server Core installation

Server Core provides a minimal environment for running specific server roles, thus reducing the maintenance and management requirements, alongside the potential attack surface. A Server Core 2008 installation can support:
- Active Directory Domain Services
- Active Directory Lightweight Directory Services
- DHCP Server
- DNS Server
- File Services
- Hyper-V
- Print Services
- Streaming Media Services
- Web Server

While the 64-bit only R2 supports in addition:
- File Services (including File Server Resource Manager)
- Web Server (including a subset of ASP.NET)

Server Core doesn’t include a graphical user interface (GUI) and requires initial configuration using a command prompt. Once the server is set up, it can be managed locally using a command prompt, or remotely using a terminal server connection or the Microsoft Management Console (MMC).
A Server Core installation is beneficial due to: reduced maintenance, as it only installs what is necessary for a manageable server for the supported roles; a reduced attack surface, due to fewer applications running; reduced management, again due to fewer applications and services being installed; and finally less disk space is required – it requires only 3.5 GB of disk space to install and 3 GB for operations after installation. (Microsoft, Server Core Installation Option Getting Started Guide, 2009)

The disadvantage of a Server Core installation, however, is that due to the lack of a GUI, if an administrator isn’t very familiar with a text-based (TUI) environment it can be that much harder to maintain, while there are also fewer roles and features available.

To install Server Core, follow the steps outlined for the full installation, however on the edition selection screen select your version with (Server Core Installation).

When the installation has finished, click to log in as ‘Other User’ and use the user name ‘Administrator’, leaving the password field blank. You’ll then be prompted to change the admin password.

After logging in a command prompt will open to allow you to configure your server.

Task B. Please configure the following forest settings:
- Server1 is to be a Domain Controller of a tree called MSCCONV.IPA
- Client1 is to be a workstation member of MSCCONV.IPA
- Server2 is to be set up as a second domain controller of MSCCONV.IPA
- MS-Core is to be a member server of MSCCONV.IPA

Active Directory (AD) is the Windows OS directory service; it is designed to allow coordination of network resources in a unified manner. It is a large database linked to a number of network directories that serves as a single data store for quick access to users, while also controlling access for users based on the security policy which is laid down in AD.
It allows for single sign-on for users across network resources, while being a single point of management for network resources. AD provides:
- LDAP (Lightweight Directory Access Protocol) for accessing other directory services.
- A security service which uses Kerberos-based authentication to authenticate users on the system.
- Hierarchical storage of organisational data in a central location.
- The availability of data across multiple servers which update together. (Janssen, 2010)

AD contains information about objects, which are either resources – e.g. printers – or security principals – e.g. user or computer accounts and groups. Each security principal is assigned a unique SID (security identifier). These objects are grouped into domains, with a single domain being held in a single database; a domain therefore is a logical group of network objects that share the same AD database. A tree is one or more of these domains, while a forest is the largest possible structure, being a collection of trees that share a ‘common global catalog, directory schema, logical structure and directory configuration’. It is a security boundary which houses objects which are inaccessible from outside. (Wiki, Active Directory, 2014)

A domain controller is a server which has been configured with AD DS. It authenticates and authorises all users and computers on the network, assigns and enforces security policies, installs and updates software, hosts the global catalog and provides for replication across the domain. Replication is how domain controllers keep in sync with changes made to the global catalog.

To begin creating a domain, we need to run dcpromo on our first domain controller; dcpromo installs (and also removes) Active Directory Domain Services on servers.

Before running dcpromo, ensure that you have named your computer correctly, and that it has a static IPv4 address – both as outlined in the previous section.
On Server1, click the start button and type dcpromo into the search bar, then click on it to open it. Allow it to check that your settings are correct. Allow the wizard to run, and for this first domain controller choose ‘Create a new domain in a new forest’ and click Next.

As this is the first domain in the forest it is known as the forest root domain. When naming it you need to use a FQDN – a fully qualified domain name – in the format abc.xyz where .xyz is the top level domain name. It is a good idea to avoid common internet TLDs (such as .com, .ie, .fr) to avoid confusion. Name your forest root and click Next.

You will then be prompted to set the forest functional level – this is the level that matches the oldest version of the operating system running on any of your domain controllers (in this case Windows Server 2008). Note that while you can raise the functional level at a later date, you can never lower it.

As AD DS requires a DNS server, a warning box will appear as there is none currently set up; as this is the first domain controller click Yes to have the wizard create one automatically.

Next the wizard will prompt you to choose the locations of your database folder, log files folder and SYSVOL folder. SYSVOL is a shared folder containing information on Group Policy Objects, shared between DCs; it must be on an NTFS drive. If possible, to optimize performance you can move the database and transaction log files to different drives. Select where you want them to be saved and click Next.

Choose a Directory Services Restore Mode password, which is used for maintenance or restoration of Active Directory, and click Next.

A summary screen will pop up; review your settings, click Next and allow it to run. When your computer reboots AD DS will be installed and ready for use.
To add Server2 as a second Domain Controller:

Having only one domain controller is a huge risk, as if it fails the entire network can go down – for this reason it is important to add a second (or more) domain controller. Ensure that your server has the correct name and IPv4 address settings and run dcpromo as outlined above, except:

On the ‘Choose a deployment configuration’ screen choose Existing forest and Add a domain controller to an existing domain. Click Next. When prompted enter the name of your domain (in this case MSCCONV) and use its administrator credentials to authenticate on the network.

Click Next and choose the same settings as for Server1. For added redundancy and to reduce the load of DNS requests on Server1, allow DNS to be installed on Server2 also.

Click Next to review your settings, then allow the wizard to run and your server to restart. It is then ready to be configured.

To add Client1 as a workstation member:

Once again ensure that its name and IPv4 (statically assigned) settings are correct. From Control Panel, navigate to System properties and click on Change computer name/properties. Select the Domain radio button and enter your domain name. Authenticate on your domain.

Restart your computer for the changes to take effect. Repeat with Client2.

To add MS-Core as a member server:

Once again ensure that its name and IPv4 (statically assigned) settings are correct. To configure these on your Server Core installation:

IP address: at the command prompt type

netsh interface ipv4 show interfaces

to see the details of your connections, and note the Idx number of the one(s) you want to change.
To statically assign an IP address type

netsh interface ipv4 set address name="<idx number from above>" source=static address=<your static ip> mask=<your subnet mask>

To statically assign your DNS server type

netsh interface ipv4 add dnsserver "<its name>" address=<its address> index=1

To check that the settings have applied correctly use the ipconfig command. (Morimoto, 2012)

To rename the machine use the netdom command. Type

netdom renamecomputer %computername% /newname:MS-Core

and press Enter, then select Yes. To have the changes take effect, restart your server by typing

shutdown /r /t 0

To join it to the domain, type

netdom join <computername> /domain:<domain name> /userd:Administrator /passwordd:*

– don’t forget the second d in passwordd. Enter your password and reboot the server for the changes to take effect. (Minasi, 2008)

All of your machines are now connected to the domain MSCCONV.IPA.

Task C. Install 2 additional hard disks of 150 GB on Server2 and configure them as follows: using these disks, use one to mirror the operating system disk; using the remaining available space, create a spanned volume which is to use all of the remaining free space on all disks.

Upon installation of new hard disks you must decide whether to set them up as MBR (master boot record) or GPT (GUID Partition Table) disks. The distinction between the two lies in how they manage partitions on the disk; however they both play the same role in governing and providing information for the hard disk’s partitions. MBR is the older standard, which remains in use today. It sits at the start of the disk and contains information on how logical partitions are organised on the disk.
MBR disks have a number of disadvantages: they can only house four partitions of up to 2TB in size, and the MBR at the start of the disk is the only place that holds partition information, so should it become corrupted the entire hard disk will become unreadable. GPT uses globally unique identifiers (GUIDs) to define partitions on the disk, so you can create up to 128 partitions; however in Windows they are only supported on the 64-bit version of Windows from XP onward. As we are using 32-bit Windows Server 2008 we will use MBR disks. (Oh, 2013)

After physically installing two new hard disk drives on Server1, power it on, click the start button, and navigate to the server manager by right clicking on computer and clicking manage. When server manager opens, click on storage and disk management (local view).

Disk 1 and disk 2 are your two new unformatted hard drives; right click on each in the lower panel and select online to bring each online.

By mirroring the operating system disk we are setting up RAID (redundant array of inexpensive/independent disks). RAID uses multiple drives to create data redundancy or to improve performance (or both), depending on the level and type of RAID used. RAID can be either hardware or software based: hardware based RAID requires an external RAID controller which is almost invisible to the OS, while software based RAID is controlled by the OS, which is responsible for all the drives. While hardware RAID is more expensive to implement, it has less of an impact on the performance of the host OS than software RAID, and it is more reliable as there is less chance of data corruption occurring. (Differencebetween.net, 2014)

Within RAID there are levels 0-5 combining striping (writing data across an array of disks in strips to speed up writing time), parity (error detection) and mirroring (copying data across an array of disks for redundancy).
- RAID 0: striping only, no redundancy or fault tolerance, but speeds up writing times.
- RAID 1: mirroring only, provides total redundancy in case one of the disks fails.
- RAID 2-4 aren't supported using software RAID on Windows.
- RAID 5: block level striping with distributed parity, allows for speed and fault tolerance. (Wiki, RAID, 2014)

Thus mirroring our system partition will set up software based RAID 1 on our Server2. This will give redundancy in the case that one of the drives should fail, and provide faster read times but slower write times.

In order to mirror your system partition it must be on a dynamic disk. To make it a dynamic disk, right click on it, click 'convert to dynamic disk' and click ok through the wizard. Dynamic disks have features that basic disks do not: they can create volumes that span more than one disk, and fault tolerant volumes. A volume is a disk partition which is formatted with a valid file system (either NTFS or FAT) and is used by Windows to store files.

To mirror your system partition, right click on it in the lower half of the disk management view and click 'add mirror', click on whichever disk you'd like to add the mirror to and click add mirror. The system will then synchronise the files contained on the system partition to the new mirrored volume and will continue to do so as files are changed.

Simple volumes work on the premise that each disk is assigned its own drive letter and they exist independently of each other, whereas spanned volumes allow space from more than one drive to be combined to create a volume, thus using all the space available. The drawback of this, however, is that if there's a problem somewhere on the spanned volume it's likely to be unreadable in its entirety. To create a spanned volume with the rest of the space available, right click on the unallocated space and click 'new spanned volume'.
Add in all the available disk space and click through the wizard. After formatting you'll have one large volume spanning both your disks. (Techtopia, 2011)

Task D

Within Active Directory, create the following organisational unit structure:
- Parent OU called IPA containing:
  ◦ Two child OUs called Marketing and IT.
  ◦ IT OU to contain 2 sub OUs called Dublin and Belfast.

Identify any method of creating users via a TUI environment, outline advantages accordingly.

Using a method of your choice, create 5 users in the IPA OU called user1 to user10 (first name only) using the default Pa$$w0rd. Create 3 users in sales called user11 to user15, 3 users in Dublin called user16 to user18, and 2 users in Belfast called user19 and user20. Users are not to change their passwords at first login and are to have 24 hour logins enabled, Monday to Friday only.

Configuring AD DS can be done using the GUI 'Active Directory Users and Groups' tool, or the command line (mainly using DSAdd) if required, to allow scripting or if using a server core installation.

Organisational Units are put in place to allow easier management of objects (users or groups) within Active Directory. OUs allow for management through group policy, and also allow their administration to be delegated to the respective department administrators where possible (for lost passwords, account lockouts etc.). OUs are often created to mimic the department structure of an organisation, and/or to group users that have similar responsibilities (and therefore permissions). Group Policy Objects are created and linked to sites, domains and OUs, so to assign a GPO to a set of users they are placed in an OU and the GPO is linked to the OU; this will be discussed further and implemented in the next section.

To create a new Organisational Unit: open server manager by clicking the start button, right clicking on computer and clicking on manage.
Expand the roles menu to see 'Active Directory Domain Services', right click on your domain, scroll to new and click organisational unit. Enter the name of the OU and click ok. To create child OUs, repeat the process, but right click on the parent OU and select new, then organisational unit. Your OUs are then ready to be configured.

Identify any method of creating users via a TUI environment, outline advantages accordingly.

The advantage of adding users in a TUI environment is that they can be added using scripts, thus semi-automating the process, for example using PowerShell or Windows Script Host. The drawback is a less user-friendly interface. User accounts are objects which hold all the information that defines a user; they are used for authentication, for granting access to processes and services, and for managing particular users' access to resources.

To manually add users using the command prompt, the basic syntax is:

dsadd user DN

where DN is the distinguished name used to uniquely identify each object in the directory, as assigned by LDAP (lightweight directory access protocol), thus allowing the directory to be integrated with other services.
To create an object's distinguished name, its entire hierarchical path from the object to the domain root is represented using:

CLASS                  LDAP NOTATION   DEFINITION
User/leaf object       CN              Common Name
Organisational unit    OU              Organisational Unit Name
Domain                 DC              Domain components, one for each part of the DNS name

So for example, an employee Katie who is in the Belfast OU in the IT OU in the MSCCONV.IPA domain would have a DN of CN=Katie,OU=Belfast,OU=IT,DC=MSCCONV,DC=IPA, written either without spaces, or with spaces and entirely encased in double quotes: "CN=Katie, OU=Belfast, OU=IT, DC=MSCCONV, DC=IPA"

dsadd user DN has the following options:
- -pwd: password
- -fn: first name
- -ln: last name
- -display: display name
- -disabled: disabled account
- -samid: SAM account name
- -upn: user principal name
- -mustchpwd: must change password as soon as they log on

So to add a user named Katie to the Belfast OU in the IT OU in the MSCCONV.IPA domain, with a password of Pa$$w0rd that she'd have to change at next log in, the command would be:

dsadd user "CN=Katie,OU=Belfast,OU=IT,DC=MSCCONV,DC=IPA" -disabled no -pwd Pa$$w0rd -mustchpwd yes

Using a method of your choice, create 5 users in the IPA OU called user1 to user10 (first name only) using the default Pa$$w0rd.

As the DSAdd method of adding users has been described in detail above, I will demonstrate adding users using the GUI interface. As our users have similar requirements (they have the same password, they are not to change it on first login and they are to have 24 hour log in Monday to Friday), a user template account is made to simplify the process.

To make a user template account: open server manager by clicking the start button, right clicking on computer and clicking on manage. When it opens, expand the roles menu until you see the Active Directory Users and Computers area, right click on your IPA container and select new and then user. Create the user template as the first user, with user1 as its first name and display name.
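Scripting the dsadd method above for the brief's twenty users, as an added example that is not part of the original manual: it builds each DN from its OU path, runs dsadd with the options listed, and then writes the Monday-to-Friday logon hours (which the manual sets through the GUI) directly to the logonHours attribute, since dsadd has no switch for it. Assumptions not given in the manual: user11 to user15 go in the Marketing OU (the brief's 'sales' OU does not exist in the structure), the SAM account name and UPN equal the first name, the DNs include the IPA parent OU implied by the OU structure (the Katie example above omits it), and the domain controller's clock is on UTC.

```powershell
# Added example, not from the original manual: scripted dsadd user creation plus logon hours.
# Run in PowerShell on the domain controller as a domain administrator.

$Domain   = 'MSCCONV.IPA'
$DomainDn = 'DC=MSCCONV,DC=IPA'
# Single quotes matter: inside double quotes PowerShell would expand $$ to the process id.
$Password = 'Pa$$w0rd'

function New-UserDn {
    # Builds CN=<name>,OU=<child>,...,OU=<parent>,<domain DN> from a parent-first OU path,
    # e.g. 'IPA','IT','Belfast' -> CN=user19,OU=Belfast,OU=IT,OU=IPA,DC=MSCCONV,DC=IPA
    param([string]$Cn, [string[]]$OuPath)
    $parts = @("CN=$Cn")
    for ($i = $OuPath.Count - 1; $i -ge 0; $i--) { $parts += "OU=$($OuPath[$i])" }
    $parts += $DomainDn
    return ($parts -join ',')
}

function Get-LogonHoursMonToFri {
    # logonHours is 21 bytes (168 bits), one bit per hour of the week; bit 0 is Sunday
    # 00:00-00:59 UTC, so bytes 0-2 are Sunday, 3-5 Monday, ..., 18-20 Saturday.
    # Setting whole bytes sidesteps the bit-order question: Monday-Friday = bytes 3-17.
    # Assumption: the DC runs on UTC; for other zones shift the pattern by the offset.
    $hours = New-Object byte[] 21
    for ($b = 3; $b -le 17; $b++) { $hours[$b] = 0xFF }
    return $hours
}

function Add-BriefUsers {
    # -DryRun prints the dsadd commands instead of running them, so they can be reviewed first.
    param([switch]$DryRun)
    $plan = @(
        @{ Ou = @('IPA');                  From = 1;  To = 10 },
        @{ Ou = @('IPA', 'Marketing');     From = 11; To = 15 },  # assumed home of the "sales" users
        @{ Ou = @('IPA', 'IT', 'Dublin');  From = 16; To = 18 },
        @{ Ou = @('IPA', 'IT', 'Belfast'); From = 19; To = 20 }
    )
    $logonHours = Get-LogonHoursMonToFri
    foreach ($entry in $plan) {
        foreach ($n in ($entry.From)..($entry.To)) {
            $name = "user$n"
            $dn   = New-UserDn -Cn $name -OuPath $entry.Ou
            # Options as listed above; -mustchpwd no because the brief says users keep the password.
            $dsaddArgs = @('user', $dn, '-fn', $name, '-display', $name, '-samid', $name,
                           '-upn', "$name@$Domain", '-pwd', $Password,
                           '-mustchpwd', 'no', '-disabled', 'no')
            if ($DryRun) { Write-Output ('dsadd ' + ($dsaddArgs -join ' ')); continue }
            & dsadd.exe @dsaddArgs
            if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for $dn"; continue }
            # dsadd cannot set logonHours, so write the attribute through DirectoryServices.
            $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
            $user.Properties['logonHours'].Value = $logonHours
            $user.CommitChanges()
        }
    }
}

Add-BriefUsers -DryRun   # review the commands; rerun without -DryRun to create the accounts
```

Run it with -DryRun first and check the printed commands against the OU structure. Passing -pwd on the command line exposes the password to anyone who can list running processes on the server; dsadd also accepts -pwd * and prompts for it instead, which is preferable outside a lab. Logon hours are stored in UTC, and Active Directory Users and Computers displays them shifted to the machine's local time zone.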
Click through the wizard, unchecking the 'change password on first log in' option, and set the password. When the user is created, right click on it and select properties; when the properties interface opens, click on account and then logon hours.

Deselect the hours as necessary (in this case Saturday and Sunday 0.00-24.00) and click ok.

Click apply and ok. After creating a user template in each container, right click on it and select copy, then change the first name and display name as necessary to create as many users as required. (Certification, 2003)

*Screenshots to show all users were successfully created

Should a user try to log in outside of the specified times this message will be shown. User logon time availability can also be configured using Group Policy Objects, which will be discussed further in the next section.

Task E

Group the users in each OU according to recommended security policies. Prevent the users in the sales OU from being able to see the IT OU in Active Directory. Create 3 group policies to achieve the following:
- Forward my documents from Client2 to a folder on the root of C on Server2 called User_Docs.
- Prevent Belfast from accessing control panel. Please exclude user 20 from this policy.
- Publish any MSI file of your choice from the C drive contents to all users in Dublin.

AD groups are similar to local groups in that they are used to treat a collection of objects in the same way. Active Directory Global Security Groups are created to organise our users into groups, and then to assign permissions to these groups. To reduce confusion and administrative load, you should assign permissions to groups rather than to users. While two types of group exist, distribution and security, security groups can be used for the functionality of both.
Security groups can be used to assign permissions or rights to an object or to a set of objects, so by using security groups you can use Active Directory both for authentication and for authorisation on the network via user accounts. A number of default groups exist, such as domain controllers, domain users, read-only domain controllers, cert publishers etc., while you can also create groups manually.

To best organise groups for assigning rights and permissions, take the example of our marketing department in the MSCCONV domain: instead of assigning each user in the department rights, we can create a group group_marketing, and for an administrator in the group we can create an admin_group_marketing, thus allowing permissions to be delegated accordingly. In our IT department we can have a group_IT_belfast and a group_IT_dublin, and should a user move between the locations we can move the group they're in and they'll have the appropriate permissions applied to them. Similarly an admin_group_IT can be set up.

To create a group: in server manager, right click on the containing OU and select new, then group. Name your group as required and click ok. Select your users to add. Click ok to finish the wizard. Repeat for other groups as required.

Prevent the users in the sales OU from being able to see the IT OU in Active Directory.

In server manager, click view and ensure that 'advanced features' is checked.

Right click on the OU that you wish to restrict access to, in this case IT. Remove 'everyone', as it also allows unauthorised users, which poses security risks, then click add to find your marketing group. Find the group and click ok; back in the IT properties screen, highlight group_marketing and click deny for read access. Without this read access the objects will not be visible to them in Active Directory.

Click apply and ok for your settings to take effect.
(Grillenmeier, 2012)

Group policy is edited using the Group Policy Management Console and the Group Policy Management Editor, which together manage over 5,000 settings using Group Policy Objects. These GPOs are containers for groups of settings that can be linked to organisational units, user and computer accounts across an AD network, restricting and giving access to resources where necessary. In the Group Policy Management Editor there is both computer configuration and user configuration. Computer configuration deals with machine-specific settings, while user configuration policies deal with user-specific settings like app configuration, folder redirection and start menu management. Prior to Windows Server 2008 all of a group policy needed to be applied to an OU; now all group policy preferences have item-level targeting, meaning that there can be exceptions to rules. To open the Group Policy Management Console, click start, administrative tools and group policy management.

Best practice in designing Group Policy Objects:
- Keep the GPO name consistent with OU names, i.e. 'Belfast Laptops' rather than 'laptops'.
- Only create a new GPO when the scope is different.
- Disable user/computer settings if not in use.
- Reuse GPOs where possible. (Burchill, 2010)

To begin setting up group policy objects, open the Group Policy Management Editor by clicking the start button, navigating to administrative tools and clicking Group Policy Management Editor. When it opens you'll see a list of the default group policy objects which are in place.

To forward my documents from Client1 to a folder on Server1 called user_docs:

By automatically forwarding all documents which are saved on a client machine, data is stored centrally on the specified server, which reduces the amount of backups required.
First we need to set up a shared folder on the root of C: click the start button, click computer, click into C:, right click and choose new and folder. Name the folder as appropriate (user_docs in this instance), right click on it and click on properties. Click on the sharing tab and advanced sharing.

Check the 'share this folder' checkbox and add a comment if desired. Click apply and ok.

Ensure that the NTFS permissions are correct under the security tab (full control for authenticated users) and note the network path given for the share (in this instance \\SERVER1\user_docs).

Open group policy management by clicking start, navigating to administrative tools and clicking on group policy management. Find your domain on the left hand side of the console, right click on it and select 'create a GPO in this domain, and link it here'. Name your GPO and click ok.

On the left hand side of the console click user configuration, windows settings, folder redirection and double click on documents. In the dialog box, fill in the details of your desired redirect: in our case basic, redirect everyone's folder to the same location, with the target location as our shared folder created earlier.

Click apply and ok. Back in group policy management, click on your newly created policy to bring it into focus in the central console. In the security filtering pane, click add to add your client computer. Click on object types, check the computer check box and click ok.

Type the name of your computer (in our case client1) and click ok. Remove the everyone group from the security filtering pane. Your GPO is now set up and ready for use. To test it you can save a file on client1 and check the user_docs folder.
(Silva, 2008)

To create a group policy object to prevent users from accessing control panel:

Blocking access to the control panel is a good idea to prevent users from changing settings on their local machines which may breach the security of the network. Open Group Policy Management by clicking the start button, administrative tools and clicking Group Policy Management. Right click on your domain (in this case MSCCONV.IPA) and click on 'create a GPO in this domain and link it here'. Name your new GPO and click ok. In the left pane, click on your new GPO and under security filtering click add. Type the name of the group to which you wish to apply the GPO and click ok.

Click to remove the authenticated users group. To exclude User20 from the policy, click on the delegation tab and click advanced.

Click add and find the user which you wish to exclude; alternatively you could create an excluded users group if there were more than one user to exclude, or if this user would be likely to change. Under the list of security settings, click on advanced to pull up the advanced list.

The last entry is 'apply group policy'; check the deny checkbox and click ok. Your custom settings will be reflected in the delegation panel. (Burchill, 2010)

To configure the GPO's settings, right click on it in the left pane and click edit. To block access to the control panel, navigate in the left pane to user configuration, policies, administrative templates, control panel. Double click on 'prohibit access to the control panel'.

Click the radio button beside enabled, click apply and ok. Your group policy is now enabled; we can log in as a member of Belfast's IT group to see the changes. When a member of Belfast's IT group (except User20) tries to open control panel, this message is displayed.
(Hamizi, 2013)

Publish any MSI file of your choice from the C drive contents to all users in Dublin.

An .msi file is a Microsoft installer file which allows software to be pushed out across the network to specific users' machines through group policy. For this installation, we will publish Firefox to all users in Dublin.

To publish an MSI file: first download the .msi file of your choice to the C: drive of the domain controller; in this case we downloaded Firefox from here: http://frontmotion.com/FMFirefoxCE/download_fmfirefoxce.htm

As it will be pushed out across the network, it needs to be in a shared folder. Create a shared folder on the C: drive (in this case called 'installations'), right click on it and select properties, sharing, advanced sharing. Tick the share this folder checkbox, add a comment and click ok.

Note the network path of the share and click apply and close. Open group policy management by clicking the start button, administrative tools and group policy management. Right click on your domain and click 'create a new GPO and link here', name your GPO, and in the security filtering panel remove authenticated users and add group_dublin_it.

Right click on the policy in the left pane and click edit. When the group policy editor opens, navigate to user configuration, policies, software settings and right click on software installation.

Click on new and then package, and navigate to the network location of your .msi file. When the deploy software box pops up, you can choose between published, assigned or advanced. Published automatically installs software, while assigned gives the user a choice.

Click into advanced to get more options.
Under the deployment tab, checking 'uninstall the application when it falls out of the scope of management' means the application will be uninstalled if the GPO is later removed. Choose your deployment type and click ok.

Your GPO is now in place and when users next log in Firefox will automatically be installed. To expedite this process for testing purposes, log in as a user in the Dublin IT group, open a command prompt, type gpupdate /force /boot /logoff and press enter. Your machine will restart and install Firefox.

A small environment such as the one we've set up, where we know all users' passwords and can log in to check group policy, is unlikely to exist in the real world; therefore it is important to test group policy settings in other ways before pushing them out to users. To do this a test environment can be set up, usually using virtual machines housed within a 'test' OU that mimics a typical departmental OU with some test accounts. Using the Group Policy Management Console you can make copies of GPOs by right clicking on them and choosing copy and paste. Then append their names with 'test' and link them to the test OU. From here you can log in to your test accounts and see what changes have been made without causing problems for existing users or computers. (Beckman, 2012)

Task F

Set up the MS-Core server as a file server. Configure MS-Core for Windows Remote administration. Access MS-Core from Client2 using remote desktop.

A file server is a computer whose primary function is the storage of files for other computers on the network. They are usually configured with hardware that maximises their capacity for storing and sharing data, and have very basic I/O capabilities, thus a server core installation is ideal for a file server.
(Hansen, 2014)

To set up MS-Core (server core installation) as a file server: on your server core installation, storage services will be pre-installed; this enables basic file sharing and remote and local storage management, hence you are able to access hidden and administrative shares. (Berkouwer, 2013)

There are four other role services that can be installed on server core to add functionality to the file services role:
- DFS Namespaces: allows grouping of shared folders on different servers in multiple sites as logically structured namespaces; each namespace appears as a single shared folder.
- DFS Replication: allows you to synchronise folders on multiple servers across a network.
- Services for Network File System: allows the transfer of files between Windows Server 2008 and UNIX operating systems using the NFS protocol.
- File Replication Service: allows synchronisation with file servers that use FRS rather than the newer DFS replication service.

Server roles are managed on server core with the ocsetup command, with oclist showing a list of server roles and optional features and whether they are installed or not. To install the four services outlined above, type:

start /w ocsetup DFSN-Server && start /w ocsetup DFSR-Infrastructure-ServerEdition && start /w ocsetup FRS-Infrastructure && start /w ocsetup ServerForNFSBase

To ensure they've been correctly installed type:

oclist | find " installed"

and you'll see a list of installed roles and services. Your file server can then be managed locally using the net use command, or remotely using MMC snap-ins on a full installation of Windows Server or a Windows client machine. (Tulloch, 2008)

Configure MS-Core for Windows Remote administration.
There is a multitude of ways to configure a Server Core installation for remote administration, including:
- Remote Desktop
- Microsoft Management Console (MMC) snap-ins and the Remote Server Administration Tools
- Windows Remote Shell
- Group Policy

Remote desktop administers a server core installation remotely in exactly the same way as if you were using the local console on the server. By default it is disabled; to enable it use scregedit.wsf, type:

cscript %windir%\system32\scregedit.wsf /ar 0

To check that it has been enabled type:

cscript %windir%\system32\scregedit.wsf /ar /v

A value of 0 is enabled, and a value of 1 is disabled. To later disable remote desktop, use the original command except with /ar 1 at the end (cscript %windir%\system32\scregedit.wsf /ar 1). A demonstration of how to connect to your server core installation is outlined in the next section.

RSAT (Remote Server Administration Tools) allows roles and features to be administered remotely on a server core installation in the same way as you would administer them on a full installation of Windows Server 2008, from either a full version of Windows Server 2008 or a client machine running Windows Vista or higher.

To remotely manage a share using MMC: on your server core installation type

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

to allow remote administration access through the firewall. On your domain controller, member server or client machine, click start and run, type mmc into the box and press enter to open a new Microsoft Management Console. Click file and add/remove snap-in, choose your snap-in (in this case 'shared folders') and choose which computer in the domain you wish it to be for, in our case MS-Core.

Click ok and browse into your shared folders and shares, right click to create a new share and follow the wizard. Choose the folder to share and name it, then click ok.
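An added check, not from the manual or from Microsoft's tools, to confirm from a full installation which servers actually accept Remote Desktop and whether they require Network Level Authentication: it reads over the network the same registry values that scregedit.wsf /ar changes, which is how you verify the setting rather than trusting that the command ran. Which machines should have Remote Desktop on (MS-Core yes, Server1 and Server2 no) is an assumption for illustration.

```powershell
# Added example, not from the original manual: audits Remote Desktop state on servers by
# reading the registry values that scregedit.wsf /ar writes. Needs the Remote Registry
# service reachable on each target and administrator rights; on server core the
# "Remote Administration" firewall rule group enabled above lets the connection through.

function Get-RdpSetting {
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $ts  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
        $tcp = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp')
        # fDenyTSConnections: 1 = Remote Desktop disabled (the default), 0 = enabled (scregedit /ar 0)
        $deny = $ts.GetValue('fDenyTSConnections', 1)
        # UserAuthentication: 1 = Network Level Authentication required before a session is
        # created; 0 accepts older clients without it (what scregedit.wsf /cs 0 allows)
        $nla = $tcp.GetValue('UserAuthentication', 0)
        New-Object PSObject -Property @{
            Computer    = $ComputerName
            RdpEnabled  = ($deny -eq 0)
            NlaRequired = ($nla -eq 1)
        }
    } finally {
        $hklm.Close()
    }
}

function Test-RdpPolicy {
    # $Expected maps computer name -> $true if Remote Desktop should be enabled there.
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        try { $s = Get-RdpSetting -ComputerName $name }
        catch { Write-Warning "${name}: could not read registry ($($_.Exception.Message))"; continue }
        if ($s.RdpEnabled -ne $Expected[$name]) {
            Write-Warning "${name}: Remote Desktop enabled=$($s.RdpEnabled), expected $($Expected[$name])"
        } elseif ($s.RdpEnabled -and -not $s.NlaRequired) {
            Write-Warning "${name}: Remote Desktop enabled without Network Level Authentication"
        } else {
            Write-Output "${name}: OK (RDP enabled=$($s.RdpEnabled), NLA=$($s.NlaRequired))"
        }
    }
}

# Assignment machines; which ones should accept Remote Desktop is an assumption for illustration
# (MS-Core is the one enabled with scregedit above).
Test-RdpPolicy -Expected @{ 'MS-Core' = $true; 'Server1' = $false; 'Server2' = $false }
```

A server that reports RDP enabled when the policy says it should be off is worth investigating before it is simply switched off again, since the change had to come from somewhere; the warning for a server without NLA points at the other scregedit.wsf setting (/cs) that decides whether a client must authenticate before a session is created.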
When the wizard finishes, you can see your new shared folder, and can manage all other shares on your remote computer from here also.

To access MS-Core from Client1 using remote desktop: on your client machine, open remote desktop connection by clicking the start button, typing cmd into the search bar so a command prompt opens, then typing mstsc.exe and pressing enter. When the remote desktop connection box opens, enter the IP address of the computer you wish to connect to (in our case MS-Core, which has an IP address of 192.168.0.103) and click connect. Authenticate by entering your username and password, click ok, and wait for your desktop to load.

You can then administer your server in the same way as if you were sitting in front of it. To log off and return to the client desktop, type logoff and press enter. (Tulloch, 2008)

Task G

Install DHCP on Server2 with the scope 192.168.0.110 to 192.168.0.160, default mask and appropriate DNS address. Configure Client2 to obtain its address and TCP/IP settings from DHCP. If you disable DHCP services, what address will Client2 get?

DHCP (dynamic host configuration protocol) is a service that allows machines to obtain their IP addresses and network settings automatically, which simplifies network configuration as opposed to giving out static IP addresses manually to each machine. The DHCP server will have a pool of IP addresses to assign from, and should a machine be expecting an IP address from a DHCP server and not get one, it will self-assign an APIPA (automatic private IP addressing) address in the range 169.254.0.1 to 169.254.255.254, with a default network mask of 255.255.0.0. When the DHCP server comes back online and is able to service requests again, client machines will update their own addresses automatically back into the normal range.
To configure a Windows Server 2008 machine as a DHCP server: open server manager by clicking the start button, administrative tools and server manager. Click on roles and add roles, tick the DHCP server checkbox and click next.

Click next to select network connection bindings with the only option available. Enter your preferred and alternate DNS server IP addresses (in this case 192.168.0.101 and 192.168.0.102) and click next.

Check the 'WINS is not required for applications on this network' radio button and click next. Click add new scope. Choose the scope of your IP addresses to be assigned, alongside your subnet mask. *Note: I'm using 192.168.0.110-160 rather than 192.168.0.100-150. Click ok. Click next, then click disable DHCPv6 stateless mode for this server, as IPv6 addressing is not being used in our domain.

Choose to use current credentials to authorise the DHCP server in AD DS and click next. Review and confirm your settings and click install.

Allow DHCP to set up; when it has finished it will display installation succeeded. (Warren, 2008)

To configure the client machine to obtain its IP address and TCP/IP settings from DHCP: to have your client obtain its IP address and TCP/IP settings from the DHCP server which is set up on Server2, we need to change the settings from being statically assigned (in task 1) to being assigned automatically. To do this, open network and sharing centre by right clicking on the network icon, and click on local area connection. Click on properties and double click on IPv4 settings. Change the radio buttons to 'obtain an IP address automatically' and 'obtain DNS server address automatically', and click ok. Click ok again to bind the settings. To check that the client is getting its information from our DHCP server, click start and type cmd to open a command prompt; to see network information type ipconfig and press enter.
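As an added example (not part of the original manual), a script that parses ipconfig output and tells leases from our scope apart from the APIPA fallback addresses explained above, which is how you would spot clients that did not get a DHCP lease when checking more than one machine. The ipconfig text inside it is constructed sample output, not a capture from the assignment's clients.

```powershell
# Added example, not from the original manual: classifies the IPv4 addresses ipconfig reports.
# The text below is constructed sample output; on a live client pass (ipconfig | Out-String).

$DhcpScopeStart = '192.168.0.110'
$DhcpScopeEnd   = '192.168.0.160'

$SampleIpconfig = @'
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : MSCCONV.IPA
   IPv4 Address. . . . . . . . . . . : 169.254.51.55
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : MSCCONV.IPA
   IPv4 Address. . . . . . . . . . . : 192.168.0.110
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
'@

function ConvertTo-IpNumber {
    # Dotted quad -> integer so address ranges can be compared numerically.
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-AddressClass {
    param([string]$Ip)
    $n = ConvertTo-IpNumber $Ip
    if ($n -ge (ConvertTo-IpNumber '169.254.0.0') -and $n -le (ConvertTo-IpNumber '169.254.255.255')) {
        return 'APIPA'      # self-assigned: no DHCP server answered
    }
    if ($n -ge (ConvertTo-IpNumber $DhcpScopeStart) -and $n -le (ConvertTo-IpNumber $DhcpScopeEnd)) {
        return 'InScope'    # leased from the scope configured on Server2
    }
    return 'Other'          # static, a different scope, or a DHCP server we did not set up
}

function Get-IpconfigReport {
    # Parses "... adapter <name>:" headings and "IPv4 Address" lines; one object per address.
    param([string]$Text)
    $adapter = ''
    $report  = @()
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^\S.* adapter (.+):\s*$') { $adapter = $Matches[1]; continue }
        if ($line -match 'IPv4 Address[ .]*:\s*(\d{1,3}(\.\d{1,3}){3})') {
            $ip = $Matches[1]
            $report += New-Object PSObject -Property @{
                Adapter = $adapter; Address = $ip; Class = (Get-AddressClass $ip)
            }
        }
    }
    return $report
}

Get-IpconfigReport -Text $SampleIpconfig | Format-Table Adapter, Address, Class -AutoSize
```

An 'Other' result on a client that should be a DHCP client deserves a look: an address outside the scope that was not set by hand usually means a second DHCP server is answering on the segment.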
We can see that we have been assigned 192.168.0.110, which is in the range we specified for our DHCP server.

If you disable DHCP services, what address will Client2 get?

To disable the DHCP server: on Server2, open server manager by clicking the start button, administrative tools and server manager. Navigate to roles and DHCP server, and click stop in the right hand pane.

Back on Client2, to release our adapter settings type ipconfig /release and press enter, then to renew them type ipconfig /renew and press enter. Type ipconfig and press enter to see the new settings. An APIPA address of 169.254.51.55 has been assigned.

Task H

Decommission Server2 from the Active Directory system using a method which would be used if the server became unbootable.

To demote a domain controller under normal circumstances (i.e. when it's still bootable) you use dcpromo, the same tool that promoted it to a domain controller in the first place. Before demoting a domain controller ensure that it's not the sole source of your global catalog.

To demote a domain controller: click the start button, type run and press enter; when the open box pops up, type dcpromo, click ok and next. When the Active Directory Installation Wizard opens click next, and on the Remove Active Directory page click next and follow the steps to complete the wizard. Your server is no longer a domain controller. (Microsoft, Demote a Domain Controller, 2005)

Should a domain controller become unbootable due to a hardware issue, to decommission it: these steps can also be used in the case that you try to use the method above and dcpromo fails, or if you start to promote a DC and dcpromo fails. Both of these scenarios will leave traces of metadata in Active Directory which must be removed, especially if you wish to add a new DC with the same name to AD DS.
From Windows Server 2008 it is possible to remove these NTDS settings automatically in the GUI using Active Directory Users and Computers or Active Directory Sites and Services, by right clicking on the server to be removed, clicking delete, and delete again in the confirmation pop up. (Microsoft, 2012) However the process below outlines in detail how to remove the metadata manually should there still be traces of it left behind.

To begin, open a command prompt by clicking the start button and typing cmd. To remove NTDS settings the ntdsutil tool is used. At the prompt type ntdsutil and press enter, then metadata cleanup and enter, then connections and enter. We then connect to a domain controller which is online and bootable, in this case connect to server server1, and press enter. When connected, type q and press enter.

At the metadata cleanup prompt, type select operation target and press enter, then list domains and enter. A list of your domains will appear. At the select operation target prompt, type select domain 0 (the number of your domain) and press enter. At the select operation target prompt, type list sites and press enter; a list of your available sites will be populated, using their DNs. At the select operation target prompt, type select site 0 (the number of your site) and press enter.

At the select operation target prompt, type list servers in site and press enter; you will then see a list of the domain controllers which exist in your domain at the present time. At the select operation target prompt, type select server 1 (server number 1 being our Server2, which we wish to remove). You will be asked to confirm that you are removing the desired server; check that the details are correct and click ok to continue. Your progress will be shown, and when completed type q and press enter until you return to a regular command prompt.
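An added verification step, not from the original manual, to run on Server1 after the metadata cleanup above and the Sites and Services, Users and Computers and DNS checks that follow: it searches Active Directory for anything still referring to Server2, so that nothing is left that would conflict with a new DC of the same name. It uses only the .NET System.DirectoryServices classes, so it runs on Windows Server 2008 without extra modules. The AD-integrated DNS check finds only the host (A) record for the server, so the _msdcs SRV records still need the DNS Manager step described; that the zone is stored in the DomainDnsZones partition is an assumption.

```powershell
# Added example, not from the original manual: after metadata cleanup, lists anything in AD
# that still refers to the decommissioned DC. Run on a surviving DC as a domain administrator.

function Find-DcLeftovers {
    param([string]$DcName = 'Server2')
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value
    $found = @()

    # Each check: where to search, what to look for, and how to label a hit.
    $checks = @(
        @{ Kind = 'Server object (Sites and Services)'
           Root = "LDAP://CN=Sites,$configNc"; Filter = "(&(objectClass=server)(cn=$DcName))" },
        @{ Kind = 'DC computer account'
           Root = "LDAP://OU=Domain Controllers,$domainNc"; Filter = "(&(objectClass=computer)(cn=$DcName))" },
        @{ Kind = 'DNS host record (DomainDnsZones, assumed zone location)'
           Root = "LDAP://DC=DomainDnsZones,$domainNc"; Filter = "(&(objectClass=dnsNode)(dc=$DcName))" }
    )
    foreach ($c in $checks) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($c.Root)
        $searcher.Filter = $c.Filter
        try {
            foreach ($r in $searcher.FindAll()) {
                $dn = [string]$r.Properties['distinguishedName'][0]
                $found += New-Object PSObject -Property @{ Kind = $c.Kind; Dn = $dn }
                if ($c.Kind -like 'Server object*') {
                    # The NTDS Settings object sits under the server object; if it survives,
                    # the remaining DCs will keep trying to replicate with the dead server.
                    $ntds = New-Object System.DirectoryServices.DirectorySearcher(
                        $r.GetDirectoryEntry(), '(objectClass=nTDSDSA)')
                    foreach ($n in $ntds.FindAll()) {
                        $found += New-Object PSObject -Property @{
                            Kind = 'NTDS Settings'; Dn = [string]$n.Properties['distinguishedName'][0] }
                    }
                }
            }
        } catch {
            Write-Warning "$($c.Kind): search under $($c.Root) failed ($($_.Exception.Message))"
        }
    }
    return $found
}

function Test-DcRemoved {
    # Returns $true when no object referring to the DC remains; otherwise lists what is left.
    param([string]$DcName = 'Server2')
    $left = @(Find-DcLeftovers -DcName $DcName)
    if ($left.Count -eq 0) { Write-Output "${DcName}: no references remain"; return $true }
    $left | Format-Table Kind, Dn -AutoSize | Out-String | Write-Output
    return $false
}

Test-DcRemoved -DcName 'Server2'
```

A surviving NTDS Settings entry is the one to act on first, because until it is gone the other domain controllers still treat Server2 as a replication partner and will log errors every time they try to reach it.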
After the metadata about Server2 has been removed, check whether it still appears in Active Directory Sites and Services (Start, Administrative Tools, Active Directory Sites and Services). Expand Sites, Default-First-Site-Name and Servers, and select the server to be removed in the right-hand pane. If its NTDS Settings object is still present, right-click it, click Delete and click OK to confirm; then delete the server object itself in the same way.

To ensure that all traces of Server2 are removed, we must also check Active Directory Users and Computers and our DNS records. Open Active Directory Users and Computers by clicking Start, Administrative Tools and Active Directory Users and Computers. In the domain, click on Domain Controllers and check that Server2 is no longer on the list.

To ensure that your DNS records are also correct, open DNS Manager by clicking Start, Administrative Tools and DNS. Navigate to Server1, Forward Lookup Zones, open the properties of the _msdcs.MSCCONV.ipa zone and, on the Name Servers tab, highlight Server2.MSCCONV.ipa and click Remove. Click Apply and OK. Repeat this for the MSCCONV.ipa zone, and delete any remaining host (A) or service location (SRV) records that still point to Server2; otherwise clients and other domain controllers can continue to be referred to a server that no longer exists. (Hashmi, 2012) (Petri, 2008)

Server2 has now been fully decommissioned from AD DS.

References

Beckman, K. (2012, January 31). Troubleshooting Group Policy - Part 2: Test and Deploy. Retrieved July 14, 2014, from 4sysops.com: http://4sysops.com/archives/troubleshooting-group-policy-part-2-test-and-deploy/
Berkouwer, S. (2013, May 14). How to install File Services on Server Core. Retrieved July 13, 2014, from 4sysops.com: http://4sysops.com/archives/how-to-install-file-services-on-server-core/
Burchill, A. (2010, July 27). Group Policy Design Guidelines - Part 2. Retrieved July 11, 2014, from grouppolicy.biz: http://www.grouppolicy.biz/2010/07/best-practice-group-policy-design-guidelines-part-2/
Burchill, A. (2010, May 19). How to exclude individual users or computers from a Group Policy Object. Retrieved July 13, 2014, from grouppolicy.biz: http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Differencebetween.net. (2014). Difference Between Hardware RAID and Software RAID. Retrieved July 14, 2014, from differencebetween.net: http://www.differencebetween.net/technology/difference-between-hardware-raid-and-software-raid/
Grillenmeier, G. (2012, March 22). Hiding Data in Active Directory. Retrieved July 11, 2014, from windowsitpro.com: http://windowsitpro.com/active-directory/hiding-data-active-directory
Hamizi, M. (2013, July 16). Simple Guide: How to Prohibit access to control panel for domain users in Server 2012. Retrieved July 13, 2014, from mizitechinfo.wordpress.com: http://mizitechinfo.wordpress.com/2013/07/16/simple-guide-how-to-prohibit-access-to-control-panel-for-domain-users-in-server-2012/
Hansen, G. (2014, June 19). What is a file server? Retrieved July 13, 2014, from wisegeek.com: http://www.wisegeek.com/what-is-a-file-server.htm
Hashmi, B. (2012, January 4). Cleaning metadata after a failed DC. Retrieved July 13, 2014, from cloud-buddy.com: http://www.cloud-buddy.com/?p=919
Janssen, C. (2010). What does Active Directory mean? Retrieved July 14, 2014, from techopedia.com: http://www.techopedia.com/definition/25/active-directory
Microsoft. (2005, January 31). Demote a Domain Controller. Retrieved July 13, 2014, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc740017(v=ws.10).aspx
Microsoft. (2009, October 22). Server Core Installation Option Getting Started Guide. Retrieved July 9, 2014, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc753802(v=ws.10).aspx
Microsoft. (2010, October 13). Step by Step: Basic Windows 7 Deployment for IT Professionals. Retrieved June 6, 2014, from technet.microsoft.com: http://technet.microsoft.com/en-gb/en%E2%80%90us/library/dd349348(v=ws.10).aspx
Microsoft. (2012, November 1). Clean Up Server Metadata. Retrieved July 13, 2014, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/cc816907(WS.10)
Microsoft. (2014). BitLocker Drive Encryption Overview. Retrieved June 10, 2014, from windows.microsoft.com: http://windows.microsoft.com/en-ie/windows-vista/bitlocker-drive-encryption-overview
Microsoft. (n.d.). Lite-Touch, High Volume Deployment. Retrieved June 15, 2013, from technet.microsoft.com: http://technet.microsoft.com/en-us/library/dd919179(v=ws.10).aspx
Minasi, M. (2008, May 28). Go Commando with Windows Server 2008's Server Core. Retrieved July 10, 2014, from windowsitpro.com: http://windowsitpro.com/windows/go-commando-windows-server-2008-s-server-core
Morimoto, R. (2012, October 10). Installing Windows Server 2008 and Server Core. Retrieved July 10, 2014, from informit.com: http://www.informit.com/articles/article.aspx?p=1947698&seqNum=5
Oh, D. (2013, September 13). The Differences Between MBR and GPT. Retrieved July 14, 2014, from maketecheasier.com: http://www.maketecheasier.com/differences-between-mbr-and-gpt/
Paul, I. (2014, May 30). A beginner's guide to BitLocker, Windows' built in encryption tool. Retrieved June 11, 2014, from pcworld.com: http://www.pcworld.com/article/2308725/a-beginners-guide-to-bitlocker-windows-built-in-encryption-tool.html
Pearson IT Certification. (2003, November 3). Managing Users, Computers, and Groups. Retrieved July 11, 2014, from pearsonitcertification.com: http://www.pearsonitcertification.com/articles/article.aspx?p=101711&seqNum=2
Petri, D. (2008, January 8). Delete Failed DCs from Active Directory. Retrieved July 13, 2014, from petri.com: http://www.petri.com/delete_failed_dcs_from_ad.htm
Rodriguez, M. (2011, March 2). How to Choose the Right Windows 7 Deployment Strategy. Retrieved June 6, 2014, from blog.pluralsight.com: http://blog.pluralsight.com/windows-7-deployment-strategy
Shuler, J. (2012, September 4). Locking down a Virtual Machine with BitLocker. Retrieved June 11, 2014, from shulerent.com: http://www.shulerent.com/2012/09/04/locking-down-a-virtual-machine-with-bitlocker/
Silva, P. d. (2008, January 29). Step-by-Step guide to Redirect Users Documents to Server Folder. Retrieved July 11, 2014, from padmandesilva.wordpress.com: http://padmandesilva.wordpress.com/2008/01/29/step-by-step-guide-to-redirect-users%E2%80%9Cmy-documents%E2%80%9D-to-server-folder-and-implement-disk-quota/
Techotopia. (2011, April 1). Mirroring Windows Server 2008 GPT and MBR Boot and System Disks. Retrieved July 10, 2014, from techotopia.com: http://www.techotopia.com/index.php/Mirroring_Windows_Server_2008_System_Disks
Tulloch, M. (2008). Windows Server 2008 Server Core Administrator's Pocket Consultant. Microsoft Press.
Warren, S. (2008, April 29). How do I install and configure a DHCP server in Windows Server 2008? Retrieved July 13, 2014, from techrepublic.com: http://www.techrepublic.com/blog/the-enterprise-cloud/how-do-i-install-and-configure-a-dhcp-server-in-windows-server-2008/
Wikipedia. (2014). Active Directory. Retrieved July 14, 2014, from wikipedia.org: http://en.wikipedia.org/wiki/Active_Directory
Wikipedia. (2014). RAID. Retrieved July 14, 2014, from wikipedia.org: http://en.wikipedia.org/wiki/RAID
Windows. (2008). Differences Between the Editions of Windows Server 2008. Retrieved July 9, 2014, from social.technet.microsoft.com: http://social.technet.microsoft.com/wiki/contents/articles/3556.differences-between-the-editions-of-windows-server-2008.aspx