
Control Panel contains utilities for working with a system’s setup and configuration. You can organize the Control Panel in different ways according to the view you’re using. A view is simply a way of organizing and presenting options. The key utilities you’ll want to use include

  • Add Hardware

Starts the Add Hardware Wizard, which you can use to install and troubleshoot hardware.

  • Add Or Remove Programs

Used to install programs and to safely uninstall programs. Also used to modify Windows Server 2003 setup components. For example, if you didn’t install an add-on component, such as Certificate Services, during installation of the OS, you can use this utility to add it later.

  • Date And Time

Used to view or set a system’s date, time, and time zone. Rather than manually setting the time on individual computers in the domain, you can use the Windows Time Service to automatically synchronize time on the network.

  • Display

Used to configure backgrounds, screen savers, video display mode, and video settings. You can also use this utility to specify desktop icons and to control visual effects, such as the menu fade effect.

  • Folder Options

Used to set a wide variety of folder and file options, including the type of desktop used, the folder views used, whether offline files are used, and whether you need to single-click or double-click to open items.

  • Licensing

On a workstation you use this utility to manage licenses on a local system. On a server it also allows you to change the client-licensing mode of installed products, such as Windows Server 2003 or Microsoft SQL Server.

  • Network Connections

Used to view network identity information, to add network components, and to establish network connections. You can also use this utility to change a system’s computer name and domain.

  • Printers And Faxes

Provides quick access to the Printers And Faxes folder, which you can use to manage print devices on a system.

  • Scheduled Tasks

Allows you to view and add scheduled tasks. You can schedule tasks on a one-time or recurring basis to handle common administrative jobs.

  • System

Used to display and manage system properties, including properties for startup/shutdown, environment, hardware profiles, and user profiles.

The Windows Server 2003 family of operating systems consists of Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Server 2003, Web Edition. Each edition has a specific purpose:

  • Windows Server 2003, Standard Edition

Designed to provide services and resources to other systems on a network. It’s a direct replacement for Windows NT 4.0 Server and Windows 2000 Server. The operating system has a rich set of features and configuration options. Windows Server 2003, Standard Edition supports up to 4 gigabytes (GB) of RAM and four CPUs.

  • Windows Server 2003, Enterprise Edition

Extends the features provided in Windows Server 2003, Standard Edition to include support for Cluster Service, metadirectory services, and Services for Macintosh. It also supports 64-bit Intel Itanium-based computers, hot swappable RAM, and nonuniform memory access (NUMA). Enterprise servers can have up to 32 GB of RAM on x86, 64 GB of RAM on Itanium, and eight CPUs.

  • Windows Server 2003, Datacenter Edition

The most robust Windows server. It has enhanced clustering features and supports very large memory configurations with up to 64 GB of RAM on x86 and 128 GB of RAM on Itanium. It has a minimum CPU requirement of 8 and can support up to 32 CPUs in all.

  • Windows Server 2003, Web Edition

Designed to provide Web services for deploying Web sites and Web-based applications. As such, this server edition includes the Microsoft .NET Framework, Microsoft Internet Information Services (IIS), ASP.NET, and network load-balancing features but lacks many other features, including Active Directory. In fact, the only other key Windows features in this edition are the Distributed File System (DFS), Encrypting File System (EFS), and Remote Desktop for administration. Windows Server 2003, Web Edition supports up to 2 GB of RAM and two CPUs.

When you install a Windows Server 2003 system, you configure the system according to its role on the network.

  • Servers are generally assigned to be part of a workgroup or a domain.
  • Workgroups are loose associations of computers in which each individual computer is managed separately.
  • Domains are collections of computers that you can manage collectively by means of domain controllers, which are Windows Server 2003 systems that manage access to the network, to the directory database, and to shared resources.

All versions of Windows Server 2003 allow you to configure different views for the Start Menu. The views for the Start Menu are

  • Classic Start Menu

The view used in previous versions of Windows. With this view, clicking Start displays a pop-up dialog box with direct access to common menus and menu items.

With the Classic Start Menu, you access administrative tools by clicking Start, clicking Programs, and then clicking Administrative Tools. You access the Control Panel by clicking Start, pointing to Settings, and then clicking Control Panel.

  • Simple Start Menu

Allows you to directly access commonly used programs and directly execute common tasks. You can, for example, click Start and then click Log Off to quickly log off the computer.

With the Simple Start Menu, you access administrative tools by clicking Start and then clicking Administrative Tools. You access the Control Panel by clicking Start and then clicking Control Panel.

Domain Controllers and Member Servers

When you install Windows Server 2003 on a new system, you can configure the server to be a member server, a domain controller, or a stand-alone server. The differences between these types of servers are extremely important. Member servers are a part of a domain but don’t store directory information. Domain controllers are distinguished from member servers because they store directory information and provide authentication and directory services for the domain. Stand-alone servers aren’t a part of a domain and have their own user database. Because of this, stand-alone servers also authenticate logon requests themselves.

Windows Server 2003 doesn’t designate primary or backup domain controllers. Instead, it supports a multimaster replication model. In this model any domain controller can process directory changes and then replicate those changes to other domain controllers automatically. This differs from the Windows NT single master replication model in which the primary domain controller stores a master copy and backup controllers store backup copies of the master. Additionally, Windows NT distributed only the Security Account Manager (SAM) database, but Windows Server 2003 distributes an entire directory of information called a data store. Inside the data store are sets of objects representing user, group, and computer accounts as well as shared resources, such as servers, files, and printers.

Domains that use Active Directory are referred to as Active Directory domains. This distinguishes them from Windows NT domains. Although Active Directory domains can function with only one domain controller, you can and should configure multiple domain controllers in the domain. This way, if one domain controller fails, you can rely on the other domain controllers to handle authentication and other critical tasks.

In an Active Directory domain, any member server can be promoted to a domain controller, and you don’t need to reinstall the OS as you had to in Windows NT. To promote a member server, all you need to do is install the Active Directory component on the server. You can also demote domain controllers to be member servers, provided that the server isn’t the last domain controller on the network. You promote and demote domain controllers by using the Active Directory Installation Wizard and following these steps:

  1. Click Start.
  2. Click Run.
  3. Type dcpromo in the Open field, and then click OK.

Understanding and Using Server Roles

Servers running Windows Server 2003 are configured based on the services they offer. You can add or remove services at any time by using the Configure Your Server Wizard and following these steps:

  1. Click Start.
  2. Click Programs or All Programs as appropriate.
  3. Click Administrative Tools, and then select Configure Your Server Wizard.
  4. Click Next twice. Windows Server 2003 gathers information about the server’s current roles. The Server Role page displays a list of available server roles and specifies whether they’re configured. Adding and removing roles is easy:
  • If a role isn’t configured and you want to add the role, click the role in the Server Role column and then click Next. Follow the prompts.
  • If a role is configured and you want to remove the role, click the role in the Server Role column and then click Next. Read any warnings displayed carefully and then follow the prompts.

Any server can support one or more of the following server roles:

  • Application server

A server that provides XML Web services, Web applications, and distributed applications. When you configure a server with this role, IIS, COM+, and the Microsoft .NET Framework are installed automatically. You also have the option of adding Microsoft FrontPage Server Extensions and enabling or disabling ASP.NET.

  • DHCP server

A server that runs the Dynamic Host Configuration Protocol (DHCP) and can automatically assign Internet Protocol (IP) addresses to clients on the network. This option installs DHCP and starts the New Scope Wizard.

  • DNS server

A server that runs DNS resolves computer names to IP addresses and vice versa. This option installs DNS and starts the DNS Server Wizard.

  • Domain controller

A server that provides directory services for the domain and has a directory store. Domain controllers also manage the logon process and directory searches. This option installs DNS and Active Directory.

  • File server

A server that serves and manages access to files. This option enables you to quickly configure disk quotas and indexing. You can also install the Web-based file administration utility, which installs IIS and enables Active Server Pages (ASP).

  • Mail server (POP3, SMTP)

A server that provides basic Post Office Protocol 3 (POP3) and Simple Mail Transfer Protocol (SMTP) mail services so that POP3 mail clients can send and receive mail in the domain. Once you install this service, you define a default domain for mail exchange and then create and manage mailboxes. These basic services are best for small offices or remote locations where e-mail exchange is needed but you don’t need the power and versatility of Microsoft Exchange Server.

  • Print server

A server that provides and manages access to network printers, print queues, and printer drivers. This option enables you to quickly configure printers and print drivers that the server should provide.

  • Remote access/VPN server

A server that routes network traffic and manages dial-up networking or virtual private networking (VPN). This option starts the Routing and Remote Access Setup Wizard. You can configure routing and remote access to allow outgoing connections only, incoming and outgoing connections, or no outside connections at all.

  • Server cluster node

A server that operates as part of a group of servers working together called a cluster. This option starts the New Server Cluster Wizard, which allows you to create a new cluster group, or the Add Nodes Wizard, which allows you to add the server to an existing cluster. (This server role is supported by the Enterprise and Datacenter versions only.)

  • Streaming media server

A server that provides streaming media content to other systems on the network or the Internet. This option installs Windows Media Services. (This server role is supported by the Standard and Enterprise versions only.)

  • Terminal Server

A server that processes tasks for multiple client computers running in terminal services mode. This option installs Terminal Server. You don’t need to install Terminal Server to remotely manage this server. Remote Desktop is installed automatically with the OS.

  • WINS server

A server that runs Windows Internet Name Service (WINS) resolves NetBIOS names to IP addresses and vice versa. This option installs WINS.

Once installed, you can manage server roles using Manage Your Server. This enhanced utility in Windows Server 2003 might just become your command and control center.

Frequently Used Tools

Many utilities are available for administrating Windows Server 2003 systems. The tools you’ll use the most include

  • Control Panel

A collection of tools for managing system configuration. With Classic Start Menu, you can access these tools by selecting Start, choosing Settings, and then selecting Control Panel. With Simple Start Menu, you can access these tools by selecting Start and then selecting Control Panel.

  • Graphical administrative tools

The key tools for managing network computers and their resources. You can access these tools by selecting them individually on the Administrative Tools submenu.

  • Administrative wizards

Tools designed to automate key administrative tasks. Unlike in Windows NT, there’s no central place for accessing wizards. Instead, you access wizards by selecting the appropriate menu options in other administrative tools.

  • Command-line utilities

You can launch most administrative utilities from the command line. In addition to these utilities, Windows Server 2003 provides others that are useful for working with Windows Server 2003 systems.

Microsoft Windows Server 2003 represents a major advance in reliability, availability, and manageability. Not only is the operating system more versatile than its predecessors, but it also builds on the revolutionary system management and administration concepts introduced with Windows 2000, including

  • Active Directory directory service

An extensible and scalable directory service that uses a namespace based on the Internet standard Domain Name System (DNS).

  • IntelliMirror

Change and configuration management features that support mirroring of user data and environment settings as well as central management of software installation and maintenance.

  • Security Architecture

The architecture provides improvements for smart cards, public and private encryption keys, and security protocols. It also features tools for analyzing system security and for applying uniform security settings to groups of systems.

  • Terminal Services

Services that allow you to remotely log on to and manage other Windows Server 2003 systems.

  • Windows Script Host

A scripting environment for automating common administration tasks, such as creating user accounts or generating reports from event logs.

Although Windows Server 2003 has dozens of other new features, each of the features just listed has far-reaching effects on how you perform administrative tasks. None has more effect than Active Directory technology. A sound understanding of Active Directory structures and procedures is essential to your success as a Windows Server 2003 systems administrator.

That said, the Windows Server 2003 security architecture also has a far-reaching effect on how you perform administrative tasks. Through Active Directory and administrative templates, you can apply security settings to workstations and servers throughout the organization. Thus, rather than managing security on a machine-by-machine basis, you can manage security on an enterprise-wide basis.

Still, one of the biggest changes has to do with the realignment of product families. Client systems are now organized under the Windows XP umbrella and server systems are now organized under the Windows Server 2003

As always, as new features come, old features go. There are inevitably a few that have found themselves on the “deprecated list” this time around, and so will not be continued in Exchange Server 2010 and beyond. Since this is a much shorter list than the “new features”, here they are:

  • There are some major changes in Exchange Server clustering: in Exchange Server 2007 you had LCR (Local Continuous Replication), CCR (Cluster Continuous Replication) and SCR (Standby Continuous Replication), three different versions of replication, all with their own management interfaces. All three are no longer available in Exchange Server 2010.

  • Administrator-managed Windows Server failover clustering of mailbox servers has been removed in Exchange Server 2010. Although seriously improved in Windows Server 2008, a lot of Exchange administrators still found failover clustering complex and difficult to manage. As a result, it was still prone to error and a potential source of all kinds of problems.

  • Storage Groups are no longer available in Exchange Server 2010. The concepts of a database, log files and a checkpoint file are still there, but now it is just called a database. It’s like CCR in Exchange Server 2007, where you could only have one database per Storage Group.

  • Owing to major reengineering in the Exchange Server 2010 databases, Single Instance Storage (SIS) is no longer available. This means that when you send a 1 MB message to 100 recipients, the database will potentially grow by 100 MB. This will surely have an impact on the storage requirements in terms of space, but the performance improvements on the database are really great. I’ll get back on that later in this chapter.

Problem

You want to ensure that users can only authenticate to Active Directory using strong authentication protocols.

Solution

Using a graphical user interface
  1. Open the Group Policy Management Console snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain you want to administer, and expand the Group Policy Objects container.

  3. Right-click on the GPO that controls the configuration of your domain controllers and select Edit. (By default, this is the Default Domain Controller Policy, but it may be a different GPO in your environment.) This will bring up the Group Policy Object Editor.

  4. Browse to Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.

  5. Double-click on “Network security: LAN Manager Authentication Level.” Place a check mark next to “Define this policy setting.”

  6. Select “Send NTLMv2 responses only/refuse LM & NTLM.” Click OK.

  7. Wait for Group Policy to refresh, or type gpupdate /force from the command prompt of a Windows Server 2003 domain controller. On a Windows 2000 DC, use secedit /refreshpolicy machine_policy /enforce instead.

Discussion

Microsoft operating systems have supported different flavors of LAN Manager (LM) and NT LAN Manager (NTLM) authentication since the earliest days of Windows. LM authentication is an extremely old and weak authentication protocol that should no longer be used in production environments unless absolutely necessary. By default, Windows 2000 Active Directory accepted client authentication attempts using LM, NTLM, or NTLMv2. Windows Server 2003 ships at level 2 (“Send NTLM response only”), so a 2003 domain controller no longer sends LM responses itself and, by default, no longer stores LM hashes; as a server, however, it still accepts LM, NTLM, and NTLMv2 from clients until you raise the level. Only levels 4 and 5 refuse LM, and only level 5 refuses NTLM as well.

The strongest NTLM authentication scheme you can select is to refuse LM and NTLM authentication from any client, and to only respond to clients using NTLMv2. Depending on your client configuration, though, enabling this option may require changes on the client side as well: clients at levels 0 through 2 never send NTLMv2 responses and will fail against a level-5 domain controller, so raise the clients to level 3 or higher first. You can apply the same setting to a GPO linked to your Active Directory domain to ensure that all of your clients will use NTLMv2 instead of older, weaker protocols. Note that this setting governs only the NTLM family; domain logons that can use Kerberos are unaffected, so the clients it touches are legacy systems, connections made by IP address rather than by name, and devices that are not domain members.
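Before flipping the policy to level 5 you want to know what every domain controller, and a sample of clients, is running today. The following PowerShell is an added example, not code from the recipe or from the cookbook it comes from. It assumes the ActiveDirectory module from RSAT and WinRM access to the target machines, and reads the registry value that the “LAN Manager authentication level” policy is applied to.

```powershell
# Added example, not part of the original recipe: report the effective
# LAN Manager authentication level on domain controllers (and optionally on
# member machines) so you can see who is still below level 5 before enforcing it.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to the targets.
Import-Module ActiveDirectory

# Meaning of each LmCompatibilityLevel value, as documented for the
# "Network security: LAN Manager authentication level" policy.
$levelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmAuthLevel {
    param([string[]]$ComputerName)
    # The GPO setting is applied to this registry value; a missing value means
    # the operating-system default is in effect.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Level    = $lsa.LmCompatibilityLevel   # $null when not set
            NoLMHash = $lsa.NoLMHash               # 1 = LM hashes are not stored
        }
    } | Select-Object Computer, Level, NoLMHash
}

$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Get-LmAuthLevel -ComputerName $dcs

foreach ($r in $report) {
    $desc = if ($null -eq $r.Level) { 'not set (OS default)' } else { $levelText[[int]$r.Level] }
    $flag = if ($null -eq $r.Level -or $r.Level -lt 5) { 'NEEDS ATTENTION' } else { 'ok' }
    '{0,-20} level={1,-7} {2,-60} NoLMHash={3} {4}' -f $r.Computer, $r.Level, $desc, $r.NoLMHash, $flag
}

# Clients below level 3 never send NTLMv2 and will fail against level-5 DCs,
# so run the same check against a sample of workstations before enforcing.
# $members = (Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"' -ResultSetSize 50).DNSHostName
# Get-LmAuthLevel -ComputerName $members
```

The script only reads; the change itself is still made through the GPO as described in the Solution, because Security Options live in the GPO’s security template rather than in its registry policy. A domain controller that reports “not set” is at the operating-system default for its version, which for Windows Server 2003 is level 2.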


Problem

You want to enable or disable anonymous access to the information stored in the Active Directory database.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. Navigate to the Builtin container. Double-click on the Pre-Windows 2000 Compatible Access group.
  4. Click the Members tab.
  5. Select the Everyone group and click the Remove button. Click Yes and then OK to confirm.
  6. Select the Anonymous Logon user and click the Remove button. Click Yes and then OK to confirm.
  7. If the Authenticated Users group is not present in the group membership list, click Add to include it and then click OK.

Using a command-line interface

You have three command-line choices to modify the Pre-Windows 2000 Compatible Access security group: net localgroup, DSMod, or AdMod. net localgroup takes the following syntax:

> net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
> net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /delete
> net localgroup "Pre-Windows 2000 Compatible Access" "Authenticated Users" /add

To update the group membership using DSMod so that it only includes Authenticated Users, enter the following (-chmbr replaces the entire membership with the members you list):

> dsmod group "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" -chmbr "cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"

To use AdMod, use the following syntax:

> admod -b "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" member::"cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"

Discussion

Anonymous access to Active Directory is controlled by membership in the Pre-Windows 2000 Compatible Access security group, located in the cn=Builtin container. The group has this name because some legacy applications and operating systems, most notably Windows NT 4.0 RAS servers, required anonymous access to the information stored in AD in order to function properly. The default membership of this group depends on whether you selected “Permissions compatible with pre-Windows 2000 operating systems” or “Permissions compatible with only Windows 2000 and Windows 2003” when you ran dcpromo. If you selected the former, the Everyone group (S-1-1-0) and the Anonymous Logon SID (S-1-5-7) were added to Pre-Windows 2000 Compatible Access; if the latter, only Authenticated Users was added. Before you remove Everyone and Anonymous Logon, confirm that no such legacy system still depends on anonymous reads; the change takes effect as soon as it replicates and those systems will simply stop getting answers.

In the DSMod and AdMod solutions, the Authenticated Users group was specified using an SID and it resides in the ForeignSecurityPrincipals container. This is because Well-Known SIDs such as Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) are not maintained within Active Directory itself and are therefore represented by foreign security principal objects in the FSP container.
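The same audit-then-fix in PowerShell, as an added example that is not part of the original recipe. It assumes the ActiveDirectory module from RSAT and relies on the fact, stated in the Discussion, that well-known SIDs appear in the member attribute as foreign security principal objects whose RDN is the SID itself.

```powershell
# Added example, not part of the original recipe: show what the
# Pre-Windows 2000 Compatible Access group currently grants, strip the anonymous
# members, and keep Authenticated Users. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$groupName = 'Pre-Windows 2000 Compatible Access'
$domainDN  = (Get-ADDomain).DistinguishedName
$fspDN     = "CN=ForeignSecurityPrincipals,$domainDN"

# Well-known SIDs that show up as foreign security principal objects.
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

# Read the member attribute directly: FSP objects are named after their SID,
# so the RDN of each DN identifies the principal without another lookup.
$group   = Get-ADGroup -Identity $groupName -Properties member
$members = foreach ($dn in $group.member) {
    $rdn = ($dn -split ',', 2)[0] -replace '^CN=', ''
    [pscustomobject]@{
        DN   = $dn
        SID  = $rdn
        Name = if ($wellKnown.ContainsKey($rdn)) { $wellKnown[$rdn] } else { $rdn }
    }
}
$members | Format-Table Name, SID, DN -AutoSize

# Everyone and Anonymous Logon are the two entries that open AD to anonymous reads.
$anonymous = $members | Where-Object { $_.SID -in 'S-1-1-0', 'S-1-5-7' }
if ($anonymous) {
    Write-Warning "Anonymous read access to AD is granted via: $($anonymous.Name -join ', ')"
    # Add -WhatIf to rehearse; this is the change the recipe describes.
    Remove-ADGroupMember -Identity $groupName -Members $anonymous.DN -Confirm:$false
}

# Keep Authenticated Users so ordinary domain members retain the compatibility reads.
if ('S-1-5-11' -notin $members.SID) {
    Add-ADGroupMember -Identity $groupName -Members "CN=S-1-5-11,$fspDN"
}

# Verify the result after the change.
(Get-ADGroup -Identity $groupName -Properties member).member
```

Run it on a domain controller or a management host with the RSAT tools; the removal happens on whichever DC the module is connected to and replicates from there.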


Problem

You want domain controllers to reject LDAP queries from certain IP addresses. This can be useful if you want to prohibit domain controllers from responding to LDAP queries for certain applications or hosts.

Solution

Using a command-line interface

The following adds network 10.0.0.0 with mask 255.255.255.0 to the IP deny list (co t s is the ntdsutil abbreviation of connect to server; the lines after the first are ntdsutil’s own prompt and output):

> ntdsutil "ipdeny list" conn "co t s <DomainControllerName>" q
IP Deny List: Add 10.0.0.0 255.255.255.0
*[1] 10.0.0.0 GROUP MASK 255.255.255.0
NOTE: * | D - uncommitted addition | deletion
IP Deny List: Commit
[1] 10.0.0.0 GROUP MASK 255.255.255.0
NOTE: * | D - uncommitted addition | deletion

Discussion

The IP deny list is stored as an octet string in the lDAPIPDenyList attribute of a query policy.

When the IP deny list is set, domain controllers that are using the default query policy will not respond to LDAP queries from any IP address specified in the deny list address range. To test whether a certain IP address would be denied, run Test x.x.x.x (where x.x.x.x is an IP address) from the IP Deny List subcommand in ntdsutil. The deny list is an LDAP-only control: it does nothing for Kerberos, SMB, RPC, or DNS traffic to the same domain controllers, so treat it as a complement to, not a replacement for, network-level filtering.

By setting the IP deny list on the default query policy, you would effectively restrict the IP address range from querying any domain controller in the forest. If you need to restrict queries only for a specific domain controller, you’ll need to create a new LDAP query policy and assign it to only the domain controller in question (via the queryPolicyObject attribute on that DC’s NTDS Settings object).
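To read the list back without ntdsutil and reproduce its Test check, here is an added PowerShell example that is not part of the original recipe. It assumes the ActiveDirectory module, and it assumes a value layout for lDAPIPDenyList (each value an 8-byte octet string, 4 bytes of IPv4 address followed by 4 bytes of mask, in network byte order); the page only says the attribute is an octet string, so verify the decoded output against what ntdsutil prints on your own domain controller before relying on it.

```powershell
# Added example, not part of the original recipe: decode the IP deny list from the
# Default Query Policy and test an address the way ntdsutil's "Test" does.
# Assumes the ActiveDirectory module.
# ASSUMPTION (not stated on the page): each lDAPIPDenyList value is 8 bytes,
# address[0..3] then mask[4..7], network byte order. Check against ntdsutil output.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$policy   = Get-ADObject -Identity $policyDN -Properties lDAPIPDenyList

function ConvertFrom-IPDenyEntry {
    param([byte[]]$Bytes)
    if ($Bytes.Length -ne 8) { throw "Unexpected deny-list entry length: $($Bytes.Length) bytes" }
    [pscustomobject]@{
        Network = [System.Net.IPAddress]::new([byte[]]$Bytes[0..3]).ToString()
        Mask    = [System.Net.IPAddress]::new([byte[]]$Bytes[4..7]).ToString()
    }
}

$denyList = foreach ($entry in $policy.lDAPIPDenyList) { ConvertFrom-IPDenyEntry -Bytes $entry }
$denyList | Format-Table -AutoSize

# Same decision ntdsutil makes: an address is denied when (address AND mask)
# equals (network AND mask) for any entry on the list.
function Test-IPDenied {
    param([string]$IPAddress, [object[]]$DenyList)
    $ip = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    foreach ($d in $DenyList) {
        $net  = [System.Net.IPAddress]::Parse($d.Network).GetAddressBytes()
        $mask = [System.Net.IPAddress]::Parse($d.Mask).GetAddressBytes()
        $hit = $true
        for ($i = 0; $i -lt 4; $i++) {
            if (($ip[$i] -band $mask[$i]) -ne ($net[$i] -band $mask[$i])) { $hit = $false; break }
        }
        if ($hit) { return $true }
    }
    return $false
}

# With the recipe's entry (10.0.0.0 / 255.255.255.0) on the list, the first
# address falls inside the denied range and the second does not.
Test-IPDenied -IPAddress '10.0.0.25' -DenyList $denyList
Test-IPDenied -IPAddress '10.0.1.25' -DenyList $denyList
```

Because this reads the Default Query Policy, the result applies to every domain controller in the forest that has not been assigned a different query policy.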

Problem

You want to enable anonymous LDAP access for clients. In Windows 2000 Active Directory, anonymous queries were enabled by default, although they were restricted. With Windows Server 2003 Active Directory, anonymous queries are disabled by default except for querying the RootDSE.

Solution

Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services → cn=Windows NT → cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value 0000002.

  6. If the attribute has an existing value, make sure the seventh character is set to 2 and leave the other characters as they are.

  7. Click OK twice.
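Editing dSHeuristics by hand is easy to get wrong because the attribute is a single positional string shared by many unrelated settings. The following PowerShell is an added example, not part of the original recipe; it assumes the ActiveDirectory module and rights on the Directory Service object (Enterprise Admins by default). It sets only the seventh character and, when it has to pad the string, follows the rule that every tenth character must carry its own index (the 10th is 1, the 20th is 2, and so on). Note that enabling the heuristic only permits anonymous LDAP operations; anonymous clients still see nothing unless ANONYMOUS LOGON is granted read permission on the objects, so the verification at the end returns results only once the ACLs allow it.

```powershell
# Added example, not part of the original recipe: set one character of
# dSHeuristics without disturbing the rest. Position 7 = 2 allows anonymous
# LDAP operations beyond RootDSE. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Set-DsHeuristic {
    param(
        [Parameter(Mandatory)][int]$Position,   # 1-based character position
        [Parameter(Mandatory)][char]$Value,
        [switch]$DryRun
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDN     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $current  = (Get-ADObject -Identity $dsDN -Properties dSHeuristics).dSHeuristics
    if ($null -eq $current) { $current = '' }

    $chars = [System.Collections.Generic.List[char]]::new()
    if ($current) { $chars.AddRange([char[]]$current) }

    # Pad with '0' up to the requested position. Every tenth character is
    # reserved and must equal its index (10th = '1', 20th = '2', ...).
    while ($chars.Count -lt $Position) {
        $idx = $chars.Count + 1
        $pad = if ($idx % 10 -eq 0) { [string]($idx / 10) } else { '0' }
        $chars.Add([char]$pad)
    }
    $chars[$Position - 1] = $Value
    $new = -join $chars

    "dSHeuristics: '$current' -> '$new'"
    if (-not $DryRun) {
        Set-ADObject -Identity $dsDN -Replace @{ dSHeuristics = $new }
    }
}

# Rehearse, then apply. An empty attribute becomes '0000002', as in step 5.
Set-DsHeuristic -Position 7 -Value '2' -DryRun
Set-DsHeuristic -Position 7 -Value '2'

# Verify with a genuinely anonymous bind (no credentials, Anonymous auth type).
# Objects come back only where ANONYMOUS LOGON has been granted read access.
$domain = (Get-ADDomain).DNSRoot
$anon   = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$domain", $null, $null,
              [System.DirectoryServices.AuthenticationTypes]::Anonymous)
$search = [System.DirectoryServices.DirectorySearcher]::new($anon, '(objectClass=domain)')
$search.FindAll() | ForEach-Object { $_.Path }
```

The change is forest-wide: dSHeuristics lives in the Configuration partition and applies to every domain controller once it replicates.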

Problem

You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.

Solution

Using a graphical user interface
  1. Open the Control Panel on a domain controller.

  2. Open the “Add or Remove Programs” applet.

  3. Click on Add/Remove Windows Components.

  4. Check the box beside Certificate Services and click Yes to verify.

  5. Click Next.

  6. Select the type of authority you want the domain controller to be (select “Enterprise root CA” if you are unsure) and click Next.

  7. Type the common name for the CA, select a validity period, and click Next.

  8. Enter the location for certificate database and logs, and click Next.

  9. After the installation completes, click Finish.

  10. Now open the Domain Controller Security Policy GPO.

  11. Navigate to Computer Configuration → Windows Settings → Security Settings → Public Key Policies.

  12. Right-click on Automatic Certificate Request Settings and select New Automatic Certificate Request.

  13. Click Next.

  14. Under Certificate Templates, click on Domain Controller and click Next.

  15. Click Finish.

  16. Right-click on Automatic Certificate Request Settings and select New Automatic Certificate Request.

  17. Click Next.

  18. Under Certificate Templates, click on Computer and click Next.

  19. Click Finish.
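Two cautions on this recipe before the check. Installing the enterprise CA on a domain controller, as the steps do, ties the CA’s lifetime to that DC (it can no longer be renamed or demoted without decommissioning the CA), so in anything but a lab put Certificate Services on a member server and let the DCs enrol from it. And the certificate alone is not proof that LDAPS works: Schannel picks a suitable certificate from the DC’s machine store after enrolment, and the subject or subject alternative name must match the name clients connect with. The following PowerShell is an added example, not part of the recipe; it uses only .NET classes, and the host name in $dc is an assumed placeholder.

```powershell
# Added example, not part of the original recipe: confirm a domain controller
# answers LDAPS on 636 (and 3269 for the global catalog), inspect the certificate
# it presents, then do a real bind and search over the encrypted connection.
# $dc is an assumed placeholder; no extra modules are required.
$dc = 'dc01.example.com'

function Test-LdapsEndpoint {
    param([string]$Server, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($Server, $Port)
        # Accept any certificate at the TLS layer so we can inspect it; trust is
        # judged separately below with X509Certificate2.Verify().
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
                   { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $eku  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.FriendlyName
        [pscustomobject]@{
            Server     = $Server
            Port       = $Port
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            ServerAuth = $eku -contains 'Server Authentication'   # required for LDAPS
            ChainValid = $cert.Verify()                           # trusted by this client?
        }
    }
    finally { $tcp.Dispose() }
}

Test-LdapsEndpoint -Server $dc -Port 636
Test-LdapsEndpoint -Server $dc -Port 3269

# What clients actually do: an LDAPS bind with the current Windows credentials,
# followed by a RootDSE read over the encrypted channel.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($dc, 636, $true, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()
$req  = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)', 'Base', 'defaultNamingContext')
$resp = $conn.SendRequest($req)
$resp.Entries[0].Attributes['defaultNamingContext'][0]
```

A ChainValid of False with ServerAuth True usually means the client does not trust the CA yet; publishing the enterprise root CA certificate through Group Policy (the Trusted Root Certification Authorities store under the same Public Key Policies node) fixes that for domain members.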

Problem

You want to create a quota that will apply to any new folders created on a file server.

Solution

Using a graphical user interface
  1. Open the File Server Management MMC snap-in. Navigate to File Server Management → File Server Resource Manager → Quota Management.

  2. Right-click on Quotas and select “Create quota.” Under “Quota path,” specify the directory that this quota should apply to or click Browse to navigate to it using Windows Explorer.

  3. Select the radio button next to “Auto apply template and create quotas on existing and new subfolders.”

  4. Create the remainder of the quota.

Using a command-line interface

The following command will create an auto-quota on the D:\ drive based on the “DefaultAutoQuota” template:

	> dirquota autoquota add /path:d:\ /sourcetemplate:"DefaultAutoQuota"

Discussion

When you create a new disk quota, by default the quota will apply only to the individual folder that you specify. By using auto apply quotas, you can configure a quota that will automatically be applied to any subfolders that are created beneath the folder you named in the quota definition. This is a useful setting for many scenarios, such as specifying an auto quota for a root folder that houses your users’ home folders or roaming profiles so that any new user will receive the auto quota by default. Every time a new subfolder is created to which an auto quota applies, a new quota entry will be automatically created that can be viewed within File Server Resource Manager.
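dirquota.exe is the Windows Server 2003 R2 and 2008 tool; on Windows Server 2012 and later the FSRM role installs a FileServerResourceManager PowerShell module that does the same job. The following is an added example, not part of the original recipe, assuming FSRM is installed, that D:\Home is the parent of users’ home folders, and that the built-in “200 MB Limit Reports to User” template is the one you want applied.

```powershell
# Added example, not part of the original recipe: the recipe's auto apply quota
# with the FileServerResourceManager module (Windows Server 2012 and later).
# Assumes FSRM is installed and D:\Home is the parent of users' home folders.
Import-Module FileServerResourceManager

$parent   = 'D:\Home'
$template = '200 MB Limit Reports to User'   # a template FSRM ships with

# Auto apply quotas derive from a template; see what is available first.
Get-FsrmQuotaTemplate | Select-Object Name, Size, SoftLimit

# Create the auto quota on the parent folder. FSRM then creates one quota per
# subfolder, for those that exist now and for any created later.
New-FsrmAutoQuota -Path $parent -Template $template

# The per-subfolder entries the Discussion refers to; each shows its own usage.
Get-FsrmQuota | Where-Object { $_.Path -like "$parent\*" } |
    Select-Object Path, Size, Usage, SoftLimit, Template

# The auto quota itself, separate from the quotas it generated.
Get-FsrmAutoQuota -Path $parent
```

Quotas created from a template stay linked to it, so editing the template later (for example lowering the limit) can be pushed to every derived quota from the template’s properties rather than folder by folder.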