Server Roles in Windows Server 2003

Server roles in Windows Server 2003 enable you, as the administrator, to configure specific roles for your system. To do this, you start the Configure Your Server Wizard through the Manage Your Server window.

Depending on your settings, the Manage Your Server window (see Figure 2.1) might be automatically available at login. If it's not, you can find it on the Start menu under All Programs, Administrative Tools.

Figure 2.1. You configure your server role through the Manage Your Server window.


In this window, you can add a role to your existing server, which enables you to configure it for a specific task. You can also manage the current role from this window. You can pick one of the following listed roles, all of which are self-explanatory by their titles:

  • File server

  • Print server

  • Application server

  • Mail server

  • Terminal server

  • Remote access/VPN server

  • Domain controller

  • DNS server

  • DHCP server

  • Streaming media server

  • WINS server

The steps for configuring a server in any role are straightforward; however, they do vary from one role to the other.

To start the Configure Your Server Wizard, click Add or remove a role in the main Manage Your Server window (refer to Figure 2.1). After you have read the onscreen information, verified all the network connections, and have the necessary installation path information (or the CD) for the Windows Server 2003 setup files, click the Next button to continue.

The setup wizard then tests your available and enabled network connections and brings you to the Server Role page. From this point, you can set up the server for one or more roles. To set up a second or third role for a server, you need to run the Configure Your Server Wizard again; only one role can be established at a time.

If you need to install any additional software or services, you are prompted on other pages of the wizard. The Summary of Selections page shows the options you elected to install for the server role and continues with the role configuration. After the process is completed, the final page of the Configure Your Server Wizard is displayed.

Domain Controller Role

Configuring your system with the Configure Your Server Wizard is the same as doing it manually. Using the wizard, select the domain controller role. The wizard then runs DCPROMO.EXE to start the Active Directory Installation Wizard, which is discussed next.

Domain Controller Installation Overview

The actual process of configuring your Windows Server 2003 system as a domain controller is fairly straightforward; however, it should be noted that a lot of behind-the-scenes planning often goes on before configuration. There are also subtle differences in the process, depending on whether the system is to be a new domain controller in a new forest, a member of an existing forest, or a new domain or a domain controller in an existing domain.

To configure your server as a domain controller, log on locally to the Windows Server 2003 system you want to promote to the role of domain controller, and run DCPROMO (from the command line or from Start, Run) to start the Active Directory Installation Wizard. (You could also use the Configure Your Server Wizard, but it's not necessary.)

To run DCPROMO, you must be logged on to the system as a local administrator. To join the server to an existing domain, you must have Domain Administrator rights (or higher rights, such as Enterprise Administrator, or have been delegated the permissions needed to complete the task) to successfully complete the installation and add the domain controller to the domain.


After you move past the Welcome window, how you continue with the installation depends on your current environment and where this new domain controller needs to fit in your environment.

In the Domain Controller Type page, you can install the domain controller for a new domain or install it as an additional domain controller in an existing domain. If you choose an existing domain, the installation continues from this point, as you are adding this server as a peer domain controller in an existing domain. This allows the necessary services to be installed and enabled so that the system can function as a domain controller after Active Directory has been installed and updated.

If you choose to install the domain controller in a new domain, DCPROMO prompts you in the Create New Domain page, asking whether this new domain should be installed as a new child domain or a new domain tree. If you choose to create a new child domain, the installation wizard continues, prompting you for a name for the domain and database locations.

If you decide to install this domain controller as a new domain tree, DCPROMO prompts you to select whether you are installing the domain controller in an existing forest or a new forest of domain trees. Regardless of your choice, the installation wizard continues to the New Domain Name page, which is where you enter the name of the new domain.


The only real difference in the process depends on whether you are installing the server in an existing forest or a new forest. If you are installing the server in an existing forest, schema and configuration information is copied from the forest into the new domain tree. If you are installing the server in a new forest, the schema and configuration information must be created.


Next, in the NetBIOS Domain Name page, verify the NetBIOS name for the domain for backward-compatibility with legacy systems. This means that a domain name of gunderville.com entered in the New Domain Name text box would show up as gunderville in the NetBIOS Domain Name text box. As with all NetBIOS entries, the NetBIOS domain name is limited to a maximum of 15 characters (with one additional special hidden character). That means a NetBIOS domain name of thecityofgunderville.com would default to the NetBIOS name of THECITYOFGUNDER because the number of characters exceeds the allowed maximum.

In the Database and Log Folders page, the installation wizard prompts you to choose a path for the installation location of the database and log folders. You can accept the listed defaults, enter a new path manually, or browse to a new location.

The default location for the database and database log files is systemroot\NTDS. Whenever possible, you should choose an installation path for the database and the log files so that they are installed on different physical hard drives for the best performance.


In the Shared System Volume page, the installation wizard prompts you to choose a path for the installation location of the shared system volume. You can accept the listed default path, enter a new path manually, or browse to a new location.

The shared system volume stores scripts and domain-level Group Policy objects for the domain and, in certain instances, the entire enterprise. (This organization depends on whether this server holds any Flexible Single Master of Operation roles, also known as Operations Master roles, for the forest.) The default installation path for the shared system volume is systemroot\SYSVOL, and the partition must be formatted with NTFS version 5 at a minimum. The version of NTFS used with Windows NT 4 Server (now referred to as version 4) cannot be used.


Normally, you run into the NTFS issue only during the upgrade of a domain controller running Windows NT Server 4 with less than Service Pack 4; in most cases, the installation wizard asks you to upgrade the file system to NTFS version 5. (This is usually found only in upgrades from NT Server 4 to 2000 Server.)

One of the minimum system requirements for upgrading Windows NT Server 4 directly to Windows Server 2003 is that the system needs to be running with Service Pack 5 or later installed. DCPROMO is designed to not complete the installation if it detects anything lower.


Next, in the DNS Registration Diagnostics page, the DNS server that is authoritative for this forest is displayed. If the DNS server cannot be contacted because of a network issue or if there is no available DNS server to use, you are given the option to install and configure DNS on this server. You then need to configure this server's TCP/IP properties to use this DNS installation as its preferred DNS server.

Next, in the Permissions page, you need to select one of the following options:

  • Permissions Compatible with Pre-Windows 2000 Server Operating Systems

  • Permissions Compatible Only with Windows 2000 or Windows Server 2003 Operating Systems

Using Permissions Compatible Only with Windows 2000 or Windows Server 2003 Operating Systems is the recommended option.


Choosing the option to set permissions compatible with pre-Windows 2000 Server operating systems is used only for backward-compatibility in certain instances. It weakens the security structure for the entire environment because it causes the installation wizard to add the Everyone group to the Pre-Windows 2000 Compatible group. This setting is undesirable because "everyone" includes anonymous users who have logged on to a network without any additional identification or authentication. For a new forest, choosing this option weakens the default security for the entire forest.


So far in this wizard, you have been gathering data and configuring installation parameters. When you reach the Summary page and click Next, continuing from this point actually installs Active Directory. After restarting, the server will be running as a domain controller.

Securing Domain Controllers: Security Templates

When a new domain controller is installed on a Windows Server 2003 system, the default template (DC Security.inf) is applied through the use of Group Policy objects linked to the Domain Controllers Organizational Unit (OU).

To change the level of security for domain controllers, you must apply the Securedc.inf security template, which increases the default security, or the Hisecdc.inf template, which maximizes the security settings. You can also set these templates manually by creating your own security template. You might want to create your own template if you need settings that the available templates do not provide or you need to customize the settings in some way. Follow these steps to create a custom template:

  1. Open Active Directory Users and Computers, and select the Domain Controllers OU.

  2. Right-click Domain Controllers, and choose Properties.

  3. In the Group Policy tab, you can select the default policy (or disable the default policy and create a new one), and click the Edit button.

  4. When the Group Policy Object Editor opens, expand Computer Configuration and then Windows Settings. Select Security Settings.

  5. Right-click Security Settings and choose Import Policy (see Figure 2.2), which enables you to choose from the available default templates and any others you have created or modified on your own.

    Figure 2.2. Right-click Security Settings to import security policies.


Table 2.2 shows the policy's Password Policy section with the default settings from each template available for domain controllers.

Table 2.2. Password Policy Settings from Security Templates

Password Policy | Default Template DC Security.inf | Secure Template Securedc.inf | High-Security Template Hisecdc.inf
--- | --- | --- | ---
Enforce password history | Not defined | 24 passwords remembered | 24 passwords remembered
Maximum password age | Not defined | 42 days | 42 days
Minimum password age | Not defined | 2 days | 2 days
Minimum password length | Not defined | 8 characters | 8 characters
Passwords must meet complexity requirements | Not defined | Enabled | Enabled
Store password using reversible encryption | Not defined | Disabled | Disabled

Table 2.3 shows the policy's Account Lockout Policy section with the default settings from each template.

Table 2.3. Account Lockout Policy Settings from Security Templates

Account Lockout Policy | Default Template DC Security.inf | Secure Template Securedc.inf | High-Security Template Hisecdc.inf
--- | --- | --- | ---
Account lockout duration | Not defined | 30 minutes | 
Account lockout threshold | Not defined | 5 invalid logon attempts | 5 invalid logon attempts
Reset account lockout counter after | Not defined | 30 minutes | 30 minutes

Table 2.4 shows the policy's Audit Policy section with the default settings from each template.

Table 2.4. Audit Policy Settings from Security Templates

Audit Policy | Default Template DC Security.inf | Secure Template Securedc.inf | High-Security Template Hisecdc.inf
--- | --- | --- | ---
Audit account logon events | Not defined | Success/Failure | Success/Failure
Audit account management | Not defined | Success/Failure | Success/Failure
Audit directory services access | Not defined | Failure | Success/Failure
Audit logon events | Not defined | Success/Failure | Success/Failure
Audit object access | Not defined | No auditing | Success/Failure
Audit policy change | Not defined | Success/Failure | Success/Failure
Audit privilege use | Not defined | Failure | Success/Failure
Audit process tracking | Not defined | No auditing | No auditing
Audit system events | Not defined | No auditing | Success/Failure

By default, the policy's User Rights section is not defined in each template. Options for user rights include the following:

  • Audit system events

  • Access this computer from the network

  • Add workstations to the domain

  • Back up files and directories

  • Bypass traverse checking

  • Change system time

  • Create a token object

  • Create pagefile

  • Create permanent shared objects

  • Debug programs

  • Force shutdown from a remote system

  • Generate security audits

  • Increase quotas

  • Increase scheduling priority

  • Load device drivers

  • Lock pages in memory

  • Log on locally

  • Log on as a batch job

  • Log on as a service

  • Manage auditing and security log

  • Modify firmware environment variables

  • Profile a single process

  • Profile system performance

  • Replace a process level token

  • Restore files and directories

  • Shut down the system

  • Take ownership of files and other objects

Table 2.5 shows the policy's Security Options section with the default settings from each template.

Table 2.5. Security Options Settings from Security Templates

Security Options | Default Template DC Security.inf | Secure Template Securedc.inf | High-Security Template Hisecdc.inf
--- | --- | --- | ---
Accounts: Administrator account status | Not defined | Not defined | Not defined
Accounts: Guest account status | Not defined | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Not defined | Not defined | Not defined
Accounts: Rename administrator account | Not defined | Not defined | Not defined
Accounts: Rename guest account | Not defined | Not defined | Not defined
Audit: Audit the access of global system objects | Not defined | Disabled | Disabled
Audit: Audit the use of backup and restore privilege | Not defined | Disabled | Disabled
Audit: Shut down system immediately if unable to log security audits | Not defined | Disabled | Disabled
Devices: Allow undock without having to log on | Not defined | Disabled | Disabled
Devices: Allowed to format and eject removable media | Not defined | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Not defined | Enabled | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Not defined | Enabled | Enabled
Devices: Restrict floppy access to locally logged-on user only | Not defined | Enabled | Enabled
Devices: Unsigned driver installation behavior | Not defined | Do not allow installation | Do not allow installation
Domain controller: Allow server operators to schedule tasks | Not defined | Disabled | Disabled
Domain controller: LDAP server signing requirements | Not defined | None | Require signing
Domain controller: Refuse machine account password changes | Not defined | Disabled | Disabled
Domain member: Digitally encrypt or sign secure channel data (always) | Not defined | Disabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Not defined | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Not defined | Enabled | Enabled
Domain member: Disable machine account password changes | Not defined | Disabled | Disabled
Domain member: Maximum machine account password age | Not defined | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Not defined | Disabled | Enabled
Interactive logon: Do not display last user name | Not defined | Disabled | Enabled
Interactive logon: Do not require Ctrl+Alt+Del | Not defined | Disabled | Disabled
Interactive logon: Message text for users attempting to log on | Not defined |  | 
Interactive logon: Message title for users attempting to log on | Not defined |  | 
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Not defined | 10 logons | 0 logons
Interactive logon: Prompt user to change password before expiration | Not defined | 14 days | 14 days
Interactive logon: Require domain controller authentication to unlock workstation | Not defined | Enabled | Enabled
Interactive logon: Require smart card | Not defined | Not defined | Not defined
Interactive logon: Smart card removal behavior | Not defined | Force logoff | Force logoff
Microsoft network client: Digitally sign communications (always) | Not defined | Disabled | Disabled
Microsoft network client: Digitally sign communications (if server agrees) | Not defined | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Not defined | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | Not defined | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Not defined | Disabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Not defined | Enabled | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Not defined | Enabled | Enabled
Network access: Allow anonymous SID/name translation | Not defined | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Not defined | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Not defined | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Not defined | Disabled | Enabled
Network access: Let Everyone permissions apply to anonymous users | Not defined | Disabled | Disabled
Network access: Named pipes that can be accessed anonymously | Not defined | Not defined | Not defined
Network access: Remotely accessible registry paths | Not defined | Not defined | Not defined
Network access: Remotely accessible registry paths and subpaths | Not defined | Not defined | Not defined
Network access: Restrict anonymous access to named pipes and shares | Not defined | Enabled | Enabled
Network access: Shares that can be accessed anonymously | Not defined | Not defined | Not defined
Network access: Sharing and security model for local accounts | Not defined | Not defined | Not defined
Network security: Do not store LAN Manager hash value on next password change | Not defined | Enabled | Enabled
Network security: Force logoff when logon hours expire | Not defined | Enabled | Enabled
Network security: LAN Manager authentication level | Not defined | Send NTLMv2 response only\refuse LM | Send NTLMv2 response only\refuse LM and NTLM
Network security: LDAP client signing requirements | Not defined | Negotiate signing | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Not defined | No minimum | No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Not defined | No minimum | No minimum
Recovery console: Allow automatic administrative logon | Not defined | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Not defined | Disabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Not defined | Disabled | Disabled
Shutdown: Clear virtual memory pagefile | Not defined | Disabled | Enabled
System cryptography: Force strong key protection for user keys stored on the computer | Not defined | Not defined | Not defined
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Not defined | Not defined | Not defined
System objects: Default owner for objects created by members of the Administrators group | Not defined | Not defined | Not defined
System objects: Require case insensitivity for non-Windows subsystems | Not defined | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. symbolic links) | Not defined | Enabled | Enabled
System settings: Optional subsystems | Not defined | Not defined | Not defined
System settings: Use Certificate Rules on Windows executables for software restriction policies | Not defined | Not defined | Not defined

Memorizing everything laid out in these tables isn't critical. What you do need to know for the exam are the subtle differences between the templates; for example, Network security: LAN Manager authentication level is set to send NTLM response only by default, send NTLMv2 response only\refuse LM under the secure template, and send NTLMv2 response only\refuse LM and NTLM under the high-security template.

You also need to know that Hisecdc.inf causes issues with legacy clients because of configuration settings that refuse LAN Manager (LM) and NT LAN Manager (NTLM) authentication.

You should also be aware that configuring the default domain controller policy, which is tied to the Domain Controllers OU (or any other policies linked to that OU), affects only the domain controllers in most cases. To make changes at the domain level and affect users and domain member systems, edit the default domain policy or other policies linked to the domain.
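Because the exam-relevant knowledge is the difference between templates rather than every value, here is an added example (not from the book or from Microsoft) that parses two security-template .inf fragments and reports only the settings that differ, decoding raw values such as LmCompatibilityLevel 4 and 5 into the wording the policy editor shows. The two fragments are constructed for illustration, modelled on Tables 2.2 to 2.5; they are not the real Securedc.inf or Hisecdc.inf files, and the section and key names are assumed to follow the security-template .inf layout.

```python
import configparser

# Constructed template fragments (assumption: not the real Securedc.inf or
# Hisecdc.inf shipped with Windows Server 2003). Layout assumed from the
# security-template .inf format: [System Access] holds password and lockout
# policy, [Event Audit] holds audit policy (0 none, 1 success, 2 failure,
# 3 success and failure), [Registry Values] holds "path=type,data" (4 = REG_DWORD).
SECURE_TEMPLATE = r"""
[System Access]
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
[Event Audit]
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditSystemEvents = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
"""

HIGH_SECURITY_TEMPLATE = r"""
[System Access]
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
[Event Audit]
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditSystemEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,2
"""

# Wording the Group Policy editor shows for the raw numeric values.
LM_LEVELS = {
    "0": "Send LM & NTLM responses",
    "1": "Send LM & NTLM - use NTLMv2 session security if negotiated",
    "2": "Send NTLM response only",
    "3": "Send NTLMv2 response only",
    "4": "Send NTLMv2 response only\\refuse LM",
    "5": "Send NTLMv2 response only\\refuse LM and NTLM",
}
AUDIT_FLAGS = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success/Failure"}
LDAP_SIGNING = {"1": "None", "2": "Require signing"}
ENABLED = {"0": "Disabled", "1": "Enabled"}


def parse_template(text):
    """Parse .inf text into {section: {key: raw value}}; registry path case is kept."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # do not lowercase the registry paths
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def describe(section, key, value):
    """Translate a raw template value into the policy editor's wording."""
    if section == "Event Audit":
        return AUDIT_FLAGS.get(value, value)
    if section == "Registry Values":
        reg_type, _, data = value.partition(",")
        if key.endswith("LmCompatibilityLevel"):
            return LM_LEVELS.get(data, data)
        if key.endswith("LDAPServerIntegrity"):
            return LDAP_SIGNING.get(data, data)
        if reg_type == "4":
            return ENABLED.get(data, data)
    return value


def diff_templates(base_text, other_text):
    """Return (section, key, base_value, other_value) for every setting that differs.
    A key defined in only one template gets None on the other side (Not defined)."""
    base, other = parse_template(base_text), parse_template(other_text)
    changes = []
    for section in sorted(set(base) | set(other)):
        base_keys, other_keys = base.get(section, {}), other.get(section, {})
        for key in sorted(set(base_keys) | set(other_keys)):
            if base_keys.get(key) != other_keys.get(key):
                changes.append((section, key, base_keys.get(key), other_keys.get(key)))
    return changes


def report(base_text, other_text):
    """One line per difference, e.g. '[Event Audit] AuditObjectAccess: No auditing -> Success/Failure'."""
    lines = []
    for section, key, base_value, other_value in diff_templates(base_text, other_text):
        name = key.rsplit("\\", 1)[-1]  # last registry path component
        old = describe(section, key, base_value) if base_value is not None else "(not defined)"
        new = describe(section, key, other_value) if other_value is not None else "(not defined)"
        lines.append(f"[{section}] {name}: {old} -> {new}")
    return lines
```

Calling report(SECURE_TEMPLATE, HIGH_SECURITY_TEMPLATE) lists exactly the six settings the high-security fragment tightens, which is the kind of legacy-client impact (LM and NTLM refused, LDAP and SMB signing required) the note above warns about.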


If you have found, for example, that using the Hisecdc.inf template in your enterprise has some undesired side effects that did not show up during testing, you can reapply the default template to the domain controllers and then choose the Securedc.inf template.

To apply the Securedc.inf template, perform the following steps:

  1. Click Start, Run, type MMC , and click the OK button.

  2. From within the MMC, choose File, Add/Remove Snap-in from the menu.

  3. Click the Add button.

  4. Click Security Configuration and Analysis, click the Add button, and click the Close button.

  5. Click OK on the Add/Remove Snap-in dialog box.

  6. In the left pane of the MMC, right-click Security Configuration and Analysis, choose Import Template.

  7. In the Import Template From dialog box, browse to WINDOWS\security\templates, select the DC Security.inf template (see Figure 2.3), and click OK. (You also need to make sure you select the Clear this database before importing check box.)

    Figure 2.3. Applying the DC Security.inf template in the Import Template From dialog box.


Using Security Templates

In Windows 2000, the basic templates are what can be applied to a system to reconfigure it to a baseline security configuration. They are also used on Windows NT 4 Workstation (Basicwk.inf) and Windows NT Server 4 (Basicsv.inf) upgrades to bring the systems up to Windows 2000 security baselines.

When any Windows NT system is upgraded in place (not wiped clean), it retains all its previous and weaker security settings.

Clean installations (and Windows 9x upgrades to Windows 2000 Professional and XP Professional) run using the Defltsv.inf or Defltwk.inf templates as appropriate. If you want to reset security to baseline after installation, you cannot use the Defltxx.inf templates because they are not available. The Basicxx.inf templates should be used instead.

In Windows Server 2003, these templates have been replaced with the DC Security.inf template for domain controllers and the Setup Security.inf template for standard systems.


After you have opened the template, right-click Security Configuration and Analysis, and then click Configure Computer Now to configure the system with the default settings. (You can also choose Analyze Computer Now to simply review the difference between the current system configuration and the one the template would provide.)

When you choose Configure Computer Now, you need to use the specified default log file path, or choose a new one and click OK to continue. To specify a different log file path, type a valid path and filename in the Error Log File Path text box, and click OK.

When the configuration is done, you can view the changes that were made by right-clicking Security Configuration and Analysis, and then clicking View Log File.

The following code is a small sampling of the log; the full log is somewhat larger.

    Log file: C:\Documents and Settings\Jasonz\My Documents\Security\Logs\DC History.log
    -------------------------------------------
    Saturday, March 15, 2003 12:54:18 PM
    ----Configuration engine was initialized successfully.----
    ----Reading Configuration Template info...
    ----Configure User Rights...
    User Rights configuration was completed successfully.
    ----Configure Group Membership...
    Group Membership configuration was completed successfully.
    ----Configure Registry Keys...
    Configure users\.default.
    Configure users\.default\software\microsoft\netdde.
    Configure machine\software.

Remote Access/VPN Server Role

Routing and Remote Access Service (RRAS) in Windows Server 2003 is installed by default when the operating system is installed, but it is not configured or enabled.

When you configure your server in the remote access/VPN server role, you can give remote users the proper access permission to access resources on the local area network (LAN) over a dial-up or DSL/cable connection.

When you run the Configure Your Server Wizard to set up your server as a remote access/VPN server, it starts the Routing and Remote Access Server Setup Wizard (see Figure 2.4).

Figure 2.4. You can choose the types of connections to establish via the Configuration page of the Routing and Remote Access Server Setup Wizard.


Chapter 4, "Planning, Implementing, and Maintaining Routing and Remote Access," covers this server role in depth.


File Server Role

The file server role for a Windows Server 2003 implementation is as simple as it sounds: a server role designed to enable administrators to set up a location for data to be stored and shared in the enterprise.

You use the Configure Your Server Wizard to step through the entire process and configure settings for disk quotas and the Indexing Service. You can also set up the shares themselves and permissions.

The File Server Disk Quotas page is where you enable disk quotas by selecting the Set up default disk quotas for new users of this server check box (see Figure 2.5).

Figure 2.5. You can limit disk usage through the File Server Disk Quotas page.


After you enable quotas, you can limit the total space to any number of kilobytes, megabytes, gigabytes, terabytes, petabytes, and, finally, exabytes.

Measuring Space

As a point of reference, here's a breakdown of those disk space settings:

  • A byte is a unit of data that is eight binary digits long; the digits, zeros and ones, make up the data.

  • A kilobyte (KB) is 1,000 bytes (actually, 1,024 bytes).

  • A megabyte (MB), the next available setting, is 1,000KB (or a million bytes, if you prefer), which is 1,048,576 bytes in true decimal notation.

  • A gigabyte (GB), the next configurable parameter, is 1,000MB, or 2 to the 30th power, or 1,073,741,824 in decimal size, whichever you prefer.

  • A terabyte (TB), the next setting, is computed as 2 to the 40th power or approximately 1,000GB. You might think this setting and the next couple of settings are somewhat outrageous, but when you consider that four of the largest IDE hard drives on the market today (which are 250GB) together make about 1TB and could all be placed inside a single end user system, it doesn't seem as off the wall as it did a year or so ago.

  • A petabyte (PB) is 2 to the 50th power bytes, the equivalent of approximately 1,000TB.

  • An exabyte (EB) is currently the largest unit of measure for computer data storage. It equates to 2 to the 60th power bytes, which is 1,152,921,504,606,846,976 bytes in decimal size or, more simply, one billion gigabytes.

In NTFS, volumes larger than 2TB are possible, and the theoretical maximum limit is 16EB (18,446,744,073,709,551,616 bytes).


You can also set up a warning threshold numerically or by parameter (KB, MB, GB, and so on) so that a warning is sent when users approach their limits. For instance, if a user has a 100MB disk-writing limit, a warning could be set at 80MB.

To enforce the setting, you need to select the Deny disk space to users exceeding disk space limit check box. If you do not select this check box, users can continue writing to the disk.

Two other settings can be enabled on this page: the Disk space limit check box and the Warning level check box. Use these settings to configure the system logs to record each occurrence of these events.


The total amount of disk space available to a user is calculated from actual file size before any type of compression. When a 100MB file is compressed down to 80MB, Windows counts the file's original 100MB toward the quota limit, for example.

Administrator-level accounts are not subject to disk space limits set in this manner. Regardless of the settings, they are not denied write access.


After you have configured any disk space limits (you can also opt to not choose any), you arrive at the File Server Indexing Service page (see Figure 2.6). Usually, leaving this setting disabled on a server is recommended because it affects performance; if only limited searches will be performed, leaving this option disabled makes sense. If the server can handle the load or there will be enough searches against the existing data, you can enable this option.

Figure 2.6. The File Server Indexing Service page is where you configure the Indexing Service.


After you review the summary page of the options you have set and continue the role configuration process, the Share a Folder Wizard is displayed, where you can create new shares and paths to the shares (see Figure 2.7). You can also perform this action the "standard" way through Windows Explorer by right-clicking the folder you want to share and choosing Properties, and then electing to share the folder in the Sharing tab. In the next page (see Figure 2.8), you can supply a description for the share and configure offline settings for data in the share (whether the files should be made available when not connected to the network).

Figure 2.7. You can configure shares through the Folder Path page of the Share a Folder Wizard.


Figure 2.8. You can supply additional information about a share in the Name, Description, and Settings page of the Share a Folder Wizard.


Next is the Permissions page, where you set up permissions for a share. There are a few preconfigured settings (all users have Read access, Administrators have Full Control, and so on), and there is the option to configure your own access control. The initial setting is for share access, but you can customize the setting and set security permissions through NTFS. The final page is the summary page, which shows you that the share was successful and enables you to complete this process or run the wizard again to create another share (see Figure 2.9).

Figure 2.9. The Sharing was Successful page provides a summary about the newly created share.

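The same share can be created from the command line instead of through the Share a Folder Wizard. The following batch script is an added example, not part of the book; it applies the permissions that the wizard's preconfigured option describes (all users Read, Administrators Full Control) at both the share layer and the NTFS layer. The folder path, share name, and remark are placeholders.

```batch
@echo off
rem Added example (not from the book): create a share with the wizard's
rem preconfigured permissions from the command line. Path and share name
rem are placeholders.
setlocal
set SHAREPATH=D:\DeptData
set SHARENAME=DeptData

if not exist "%SHAREPATH%" mkdir "%SHAREPATH%"

rem NTFS permissions (the "customize through NTFS" part of the Permissions page).
rem /T applies to the whole tree, /E edits the existing ACL instead of replacing
rem it, /G grants: F = Full Control, R = Read.
cacls "%SHAREPATH%" /T /E /G Administrators:F
cacls "%SHAREPATH%" /T /E /G "Authenticated Users":R

rem Share permissions. /GRANT accepts READ, CHANGE or FULL and is available
rem from Windows Server 2003 onward; /CACHE:None disables offline files for
rem this share (the offline setting from the Name, Description, and Settings page).
net share %SHARENAME%="%SHAREPATH%" /GRANT:Everyone,READ /GRANT:Administrators,FULL /REMARK:"Department data" /CACHE:None

rem Verify both layers: effective access over the network is the more
rem restrictive of the share permission and the NTFS permission.
net share %SHARENAME%
cacls "%SHAREPATH%"
endlocal
```

Because network access is governed by the most restrictive combination of the two layers, keeping the share permission at Read for Everyone and granting write access only through NTFS entries is the usual least-privilege arrangement.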


Regardless of whether you use the Configure Your Server Wizard, you set the server into a file server role as soon as you right-click on any share in Windows Explorer and choose to share a folder in the Sharing tab of the Properties dialog box.

Also, regardless of how the server got into the role of file server, when you use the Configure Your Server Wizard to remove the role, all shares on the server are removed by default, regardless of whether they were created via the wizard, manually, or a combination of both methods (see Figure 2.10).

Figure 2.10. All shares on the system are removed via the Role Removal Confirmation page.



Internet Information Services 6 Role

Unlike Windows 2000, which installs Internet Information Services (IIS) 5 by default, IIS 6 is not deployed on standard versions of Windows Server 2003 unless you explicitly choose to install it. You can install IIS 6 by using the Configure Your Server Wizard as outlined previously or by going to the Control Panel, choosing Add or Remove Programs, and choosing Add/Remove Windows Components.

If you use the Configure Your Server Wizard to enable the server's role as an application server, the wizard installs IIS 6. A quick look shows that only the World Wide Web service is installed. File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and Simple Mail Transfer Protocol (SMTP) are not added by default when you establish the server role in this way.

If you want to add those other services, you must go to Add or Remove Programs and choose Add/Remove Windows Components. In the Windows Components dialog box, highlight Application Server, and click Details to choose Internet Information Services. Then highlight Internet Information Services and click Details to select just the services you want to install.


You could perform your entire IIS installation (or any other Windows component, for that matter) using the Add or Remove Programs method if you want. Also, if you simply want to install everything associated with IIS, you could select the check box next to the name instead of drilling lower into the list by clicking Details.

Installing only the services you need, and nothing else, is recommended. In most cases, even if you think you might need a service later, you should usually wait until you actually need a service to install it.


Under Windows 2000 Server, default security templates for Web servers as well as secure and high-security templates were deployed on IIS systems through the Group Policy linked to an OU where the accounts for IIS servers were found.

This deployment method is no longer applicable under Windows Server 2003. When you install IIS, it runs with almost everything disabled and almost fully locked down. At the end of the installation, about the only thing you can do with the server is have it respond to client requests and serve up static (HTML) content. Therefore, no other content, such as Active Server Pages (ASP), ASP.NET pages, WebDAV publishing, and FrontPage Server Extensions, can be hosted from the server until you explicitly enable it.

In fact, a new group policy setting, Prevent IIS from Installing, enables Domain and Enterprise Administrators to control which Windows Server 2003 systems are allowed to install IIS 6.
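The locked-down state described above can be inspected and adjusted from the command line. The following is an added example, not from the book: it uses the iisext.vbs script that ships with IIS 6 to list the Web service extensions and enable only Active Server Pages. The extension ID ASP and the exact layout of the listing output are assumed from that script, not taken from the book.

```batch
@echo off
rem Added example (not from the book): inspect the IIS 6 opt-in defaults and
rem enable a single dynamic content type. iisext.vbs ships with IIS 6; the
rem extension ID "ASP" is assumed from its /listext output.

rem Show every Web service extension and its status (allowed or prohibited).
rem On a fresh install only static content is served; everything dynamic is prohibited.
cscript //nologo %SystemRoot%\system32\iisext.vbs /listext

rem Allow Active Server Pages only. WebDAV, server-side includes, FrontPage
rem Server Extensions and ASP.NET stay prohibited unless enabled the same way.
cscript //nologo %SystemRoot%\system32\iisext.vbs /enext ASP

rem List again to confirm that only the one extension changed status.
cscript //nologo %SystemRoot%\system32\iisext.vbs /listext
```

Keeping the listing output from before and after the change gives you a simple record of which content types a given server has been opted into.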


For most Microsoft exams, you need to know other configuration tasks for IIS servers, such as configuring Internet Connection Firewall and setting proper access permissions for files and folders on the IIS server.

This information is explained in more detail in the "Securing Servers: Standards and Best Practices" section of this chapter because these two specific actions are best practices across the board, not just when configuring an application server role.


Print Server Role

You can use the Configure Your Server Wizard to enable your server as a print server. After you select the print server role, the wizard displays the Printers and Printer Drivers page (see Figure 2.11), where you select which network clients should have printers installed. You can choose one of two options: Windows 2000 and Windows XP Clients Only or All Windows Clients.

Figure 2.11. The Printers and Printer Drivers page is where you can select how to handle printer drivers for network clients.


At this point, the Add Printer Wizard starts, and you step through the prompts of choosing a local printer or a network printer. You can specify the local printer yourself or let Plug and Play find it. You then have the option of choosing one of the local ports already available on the system or creating a new one (see Figure 2.12).

Figure 2.12. Use the Select a Printer Port page to specify a port for the printer or create a new one.


You then choose the make and model of the printer attached to the port you selected earlier. On Windows Server 2003 configurations, all printers added with the Add Printer Wizard are shared by default. If for some reason you do not want to share the printer, you must manually deselect this default option. If the server is a member of a domain, the printer is also published in Active Directory by default.

Configuring Printers

If you install printers by using the Add Printer Wizard and then use the Configure Your Server Wizard to remove the print server role, you will remove all the created printers on the server.

Also, note the terminology used for printers. A printer is the software driver for the print device connected to the system on a local port or over the network. There is a great deal of confusion on these terms because it is so common to say "I'm going to get my documents that I just printed on the 5SI laser printer." The technical term for this piece of hardware is print device.

Here is one way to remember these terms: The print device is the piece of hardware that physically prints on the paper. The term printer refers to the printer driver software, which allows the print job to be properly formatted for the print device that outputs the data to paper. You can also think of a printer as an icon in the Printers and Faxes Control Panel window.


Mail Server Role

When you run the Configure Your Server Wizard to set up your server in the mail server role, you can choose how your users are authenticated to the POP3 service: through the accounts that are local to the server, through Active Directory, or via an encrypted password file (see Figure 2.13).

Figure 2.13. You configure how users are authenticated for mail service via the Configure POP3 Service page.


This setting enables users to connect to the server and download email to their local systems by using Outlook, Outlook Express, or any other email client that supports POP3. After you make your selection, the POP3 and SMTP services are installed on the local system.

After the process is completed, the Internet Information Services (IIS) Manager appears on the Administrative Tools menu. The IIS Manager enables administrators to configure the SMTP service that the Configure Your Server Wizard installed.


The other IIS 6 components are not installed unless the server was already set up as an application server.

If you have previously run the Configure Your Server Wizard to install the server as an application server, the wizard would have enabled only the World Wide Web publishing service. SMTP, FTP, and NNTP are not added by default.

However, if you run the Configure Your Server Wizard to install the mail server role, you'll see that both POP3 and SMTP services are installed and enabled at completion of the installation.


Configuring the SMTP service for this use is no different from any other SMTP configuration in Exchange Server 5.x, 2000, and 2003 or within IIS 4 and 5. Configuring the POP3 service is done through the POP3 Service MMC or through the command line by using WINPOP.

The usable WINPOP commands are as follows:

    WINPOP.EXE <cmd> [<parameters>]

    Commands:
      ADD, CHANGEPWD, CREATEQUOTAFILE, DEL | DELETE, GET, LIST, LOCK,
      MIGRATETOAD, SET, STAT, UNLOCK

    Options:
      ADD <domainname> | <user@domainname [/CREATEUSER <password>]>
      CHANGEPWD <user@domainname> <new password>
      CREATEQUOTAFILE <user@domainname> [/USER:user]
          Note: Quota files are created by default when adding mailboxes
          (for SAM and AD authentication)
          /USER: To specify a different user account the quota file will reference.
      DEL | DELETE <domainname> | <user@domainname [/DELETEUSER]>
      GET <property>
      LIST [domainname]
      LOCK <domainname | user@domainname>
      MIGRATETOAD <user@domainname>
      SET <property> <value>
      STAT [domainname]
      UNLOCK <domainname | user@domainname>

The POP3 Service MMC also enables you to perform all these actions through a graphical user interface (GUI). You can complete tasks such as setting the authentication method, configuring the POP3 mail store, and setting the mail server to require Secure Password Authentication in whatever way you're most comfortable working. You can also set the POP3 service state, the number of sockets, and the number of threads the service uses.
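The following batch script is an added example, not from the book, that walks through a typical WINPOP session using the command syntax listed above: creating a domain and a mailbox, requiring Secure Password Authentication, and locking a mailbox. The domain name, mailbox, and password are placeholders, and the property name SPARequired used with GET and SET is assumed from the POP3 service's own property list rather than taken from the book.

```batch
@echo off
rem Added example (not from the book): provisioning a POP3 domain and mailbox
rem with WINPOP. Domain, user and password are placeholders; the SPARequired
rem property name is assumed, not from the book.
setlocal
set MAILDOMAIN=mail.example.com
set MAILBOX=alice@%MAILDOMAIN%

rem Create the domain, then a mailbox. /CREATEUSER also creates the matching
rem local (SAM) or Active Directory account. Note that a password given on the
rem command line is visible in the process list and in command history; omit
rem /CREATEUSER when the account already exists.
winpop add %MAILDOMAIN%
winpop add %MAILBOX% /CREATEUSER Placeholder-Passw0rd

rem A quota file is created automatically for SAM and AD authentication. Create
rem one explicitly only when the mailbox should reference a different account:
rem winpop createquotafile %MAILBOX% /USER:alice

rem Require Secure Password Authentication so clients do not send clear-text
rem passwords to the POP3 service, then read the setting back.
winpop set SPARequired 1
winpop get SPARequired

rem Inspect the domain and its mailboxes.
winpop list %MAILDOMAIN%
winpop stat %MAILDOMAIN%

rem Lock a mailbox (mail is still delivered, but cannot be retrieved), for
rem example while an account is being investigated, and unlock it afterward.
winpop lock %MAILBOX%
winpop unlock %MAILBOX%
endlocal
```

Everything the script does can also be performed in the POP3 Service MMC; the command-line form is useful when many mailboxes must be created or audited consistently.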


You don't need to delve deeply into the POP3 Service from a server role perspective for the exam. You mainly need to know how it is installed, which is through the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Email Services. You also need to familiarize yourself with how to configure the services, whether you use WINPOP from the command line or the POP3 Service MMC.


Terminal Server Role

Like many of the other roles described so far, the terminal server role can be set up by running the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Terminal Server.

Note that when you install Terminal Services by running the Configure Your Server Wizard, you see a warning that the system will be rebooted as part of the installation process. There is no option to cancel the reboot until later; it occurs as part of the process. No forewarning is given about a reboot when you install the role through Control Panel; however, you are given the option to reboot later through a dialog box.

The installation process has changed since Windows 2000 Server, most noticeably in the capability to configure security modes for operating the terminal server and the lack of an option to install Terminal Services in Application or Remote Administration mode.

Remote Desktop for Administration is now used in place of the Terminal Services in Remote Administration mode. This new feature allows server administration from most systems on your network. No licenses are required, and up to two simultaneous remote connections are allowed in addition to someone logged in at the local console.

To enable Remote Desktop on a system, go to the Remote tab of the System Properties dialog box and select the Allow Users to Connect Remotely to This Computer check box (see Figure 2.14).

Figure 2.14. You can enable Remote Desktop on your Windows Server 2003 system via the Remote tab of the System Properties dialog box.


Running in the terminal server role, your server can operate in two security modes:

  • Full Security mode This mode is the default deployment of Terminal Services in Windows 2000 Server and Windows Server 2003. This configuration mode forces all applications that need to be installed and run by Terminal Services users to be written to run in the security context of an ordinary user. Applications written so that a higher level of system permission is required do not operate properly (or at all). If such applications are necessary in the enterprise, they require the system to be set up in Relaxed Security mode.

  • Relaxed Security mode This mode enables you to run programs that otherwise might not work under the higher settings of Full Security mode. Relaxed Security mode is also known as Windows NT 4.0/Terminal Server Edition permissions compatibility mode and runs in much the same manner; any user with a session can change certain files and some Registry settings because of the less rigorous security settings.

After the terminal server role has been established on the server, you need to configure two additional items: Internet Explorer Enhanced Security Configuration settings and configuring the Terminal Server License Server.

When you enable Internet Explorer Enhanced Security Configuration, users who log on as an administrator have high security settings configured for the Internet and local intranet security zones, which prevents scripts from running. The Microsoft Virtual Machine (VM) and Microsoft ActiveX controls are disabled. Users are also prevented from downloading files in these zones.

Medium security settings are configured for the trusted sites zone only, which effectively means that trusted sites, by default, are the only ones that allow Internet Explorer to completely render Web sites as they are actually designed. Although static HTML pages are usually not affected in the Internet and local intranet zones, pages designed with Microsoft VM and ActiveX controls are not displayed or don't function correctly.

The Terminal Server License Server must also be configured so that it continues to function normally after installation. When a server is set up in the terminal server role on a Windows Server 2003 system, it runs for only 120 days from the date of the first client logon without the license server in place. After that time, the system stops accepting connections from unlicensed clients.

The Terminal Server Licensing Service is installed via Control Panel, Add or Remove Programs, Add/Remove Windows Components, Terminal Server Licensing and can be enabled at the enterprise level, domain level, or workgroup level. After the service is installed, you can activate the Terminal Server License Server in the Terminal Server Licensing MMC. Right-click the Terminal Server License Server you want to activate, and choose Activate Server to start the Terminal Server License Server Activation Wizard. In the Connection Method page, click the Automatic Connection to Connect over the Internet link after providing the required information for your company.

After completing this process, you need to install the client access licenses (CALs) on the Terminal Server License Server for your clients to use when they connect to the terminal server. When a client makes a first-time connection to a terminal server, the server locates a Terminal Server License Server to issue a new CAL to the client.

DNS Server Role

You can set up the DNS server role by running the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Networking Services, Domain Name System (DNS). (To install DNS only, click the Networking Services option in the Components list, and click the Details button.)

Configuring IP Addresses

Before you begin installation, make sure the server on which you are configuring the service has been given a static IP address. Also, if the server, the DNS zone, or any systems joined to the domain this server is going to manage are going to be directly connected to the Internet, make sure the DNS name you are using is properly registered and can be resolved by DNS root servers.

It's one thing to set up a test lab or a very small environment by using myhome.local because your servers resolve names to the corresponding IP addresses. However, this name cannot be resolved by Internet DNS servers, and there is no way to handle the resolution outside your environment.

Also, if you decide to arbitrarily use a DNS name and then someone else registers the name later, you are forced to reconfigure your entire network so that it's not exposed directly to the Internet, or you need to rename the domains and forest to correct the problem. Planning and doing it right the first time go a long way toward saving you from future headaches.


If you opt to use the Configure Your Server Wizard, navigate to the Add or Remove Role prompt in the Manage Your Server window and then click DNS Server, which installs DNS and runs the Configure a DNS Server Wizard (see Figure 2.15).

Figure 2.15. You can install DNS via the Configure a DNS Server Wizard.


In the wizard's Configuration Action page, you can create a forward lookup zone only, a forward and reverse lookup zone, or root hints only.


You can create lookup zone or root hints manually after the DNS service is installed by using the DNS MMC.


In the Primary Server Location page, you have the option to choose where the DNS and SRV records for your zone are maintained. You can choose the server you are configuring, which enables you to set up a primary forward lookup zone. You can also choose a secondary forward lookup zone, which is set up if another DNS server is authoritative for the zone, and the copy to be installed on this server should be a read-only copy.

Next, in the Zone name page, enter the name of the DNS zone you are enabling on this server, such as cert.zandri.net or gunderville.com.

The next page is the Zone File page, where you set the path of the standard primary or standard secondary DNS zone file. (The type depends on the answer you provided in the Primary Server Location page.)

In the Dynamic Update page (see Figure 2.16), notice that the default selection is Do not allow dynamic updates, as this is the most secure option when zones are set up as standard primary zones. (A standard secondary zone is a read-only copy and can't be edited directly.)

Figure 2.16. You can specify which type of updates to allow for your DNS zone via the Dynamic Update page.


In the Forwarders page, you can enter IP addresses to specify whether your DNS server should forward lookup queries for names outside its own zones to another DNS server in your enterprise, or whether it should forward those queries to an ISP-owned DNS server.

In the next page, Completing the Configure a DNS Server Wizard, you can click Back to change any of the settings or click the Finish button to complete the installation of the service as configured.

The Configure Your Server Wizard then displays the This Server Is Now a DNS Server page. If needed, you can review the installation logs at systemroot\Debug\Configure Your Server.log.
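The zone the wizard pages above build can also be created with dnscmd.exe once the DNS service is installed. The following batch script is an added example, not from the book: it creates a standard primary forward lookup zone and a matching reverse lookup zone, keeps dynamic updates disabled as the wizard does by default, and sets a forwarder. The zone name cert.zandri.net and the 199.168.1.x network are the book's own examples; the zone file names and the forwarder address 203.0.113.53 are placeholders.

```batch
@echo off
rem Added example (not from the book): the Configure a DNS Server Wizard's
rem choices made with dnscmd. Zone file names and the forwarder address are
rem placeholders; cert.zandri.net and 199.168.1.x come from the book's examples.
setlocal
set ZONE=cert.zandri.net

rem Primary Server Location + Zone name + Zone File pages: a standard primary
rem zone stored in a zone file under %SystemRoot%\system32\dns.
dnscmd /ZoneAdd %ZONE% /Primary /file %ZONE%.dns

rem For a secondary (read-only) copy of a zone another server is authoritative
rem for, the form is instead:  dnscmd /ZoneAdd %ZONE% /Secondary <master IP>

rem Reverse lookup zone for the 199.168.1.0/24 network.
dnscmd /ZoneAdd 1.168.199.in-addr.arpa /Primary /file 1.168.199.in-addr.arpa.dns

rem Dynamic Update page. 0 = do not allow dynamic updates (the wizard default and
rem the safest choice for a standard primary zone), 1 = nonsecure and secure,
rem 2 = secure only (available for Active Directory-integrated zones).
dnscmd /Config %ZONE% /AllowUpdate 0
dnscmd /Config 1.168.199.in-addr.arpa /AllowUpdate 0

rem Forwarders page: send queries this server cannot answer from its own zones
rem to the ISP or upstream enterprise DNS server.
dnscmd /ResetForwarders 203.0.113.53

rem Verify the zone settings and the server configuration, including forwarders.
dnscmd /ZoneInfo %ZONE%
dnscmd /Info
endlocal
```

Leaving AllowUpdate at 0 on a standard primary zone means that every record change must be made by an administrator, which closes off the unauthenticated record modification that unsecured dynamic updates would otherwise permit.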

Under security information for DNS in "Need to Know More?" at the end of this chapter, the link supplied there takes you to a page listing a few of the typical threats your DNS infrastructure might be susceptible to, including denial-of-service (DoS) attacks, data modification, and DNS redirection. Proper setup and configuration of your DNS server provide some defense against these attacks; the rest is up to the defenses and firewalls enabled on your network.


For more information on additional security against attacks for DNS servers and systems in general, see the "Securing Servers: Standards and Best Practices" section of this chapter.


DHCP Server Role

You can set up the DHCP server role by running the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Networking Services, Dynamic Host Configuration Protocol (DHCP). To install only DHCP, highlight Networking Services in the Components list, and click the Details button.

In the Manage Your Server window, click Add or Remove a Role, select DHCP Server, and then click Next. The Configure Your Server Wizard installs the DHCP service and starts the New Scope Wizard to configure a new IP address scope for your DHCP server.

In the Scope Name page, enter a name for the scope. In the Description text box, you can optionally enter a descriptive entry for the scope.

Next is the IP Address Range page, where you define the IP address range this particular scope will hand out to clients. To do this, type the IP address for the start of the range and the IP address for the end of the range. The wizard uses the IP address class denominator that you enter to determine the correct subnet mask in the Subnet Mask section. For example, the wizard knows that 131.15.0.1 is the start of the Class B range of addresses and sets the default subnet mask to 255.255.0.0. You can, if necessary, change the default address to another address in use in your environment.


Chapter 3, "Planning, Implementing, and Maintaining a Network Infrastructure," covers many of the TCP/IP addressing aspects that apply to DHCP configuration and IP addressing in general.


Excluding certain IP addresses in the Add Exclusions page configures the DHCP server to not lease these addresses to client systems. If the range of addresses in this scope is 199.168.1.5 through 199.168.1.254, and you want to exclude the 199.168.1.15 address (which belongs to a server with this address as a static entry, for example), enter the single address as an exclusion. If a range from this scope is dedicated as manually entered IP addresses for 10 printers on the floor where this scope is active, for example, enter the entire range as an exclusion, such as 199.168.1.21 through 199.168.1.30.


Another way of excluding IP addresses is to leave the known range out of the scope at the start. Then there is no reason to have entries in the Add Exclusions page.

If you know that you need to set up the scope for the 199.168.1.x address range and need 15 static IP addresses for servers and printers, you could always craft the valid range for the scope as 199.168.1.16 through 199.168.1.254. Then addresses 199.168.1.2 through 199.168.1.15 could be used for static systems, and you would have no entries in the Add Exclusions page.


After you have entered any exclusions necessary for this scope, you arrive at the Lease Duration page, where you can define the length of time (in days, hours, and minutes) a client can use an IP address from this scope.

The DHCP server leases IP addresses to its clients. Each lease has an expiration date and time; the default duration is eight days. The client must renew the lease if it will continue to use that IP address. Defining the lease's duration eases client administration, but this step is optional. If you leave all fields of the Lease Duration page blank and click Next, clients can still obtain IP addresses from the DHCP server.

In the Configure DHCP Options page, you can specify whether to configure additional DHCP options at this time. (If you decide not to, you can always return to the scope later and make these changes.) Using the default setting, Yes, is best, as one of the settings is the IP address of the router (default gateway), which allows clients that obtain a lease to have a default path out of their local subnet.

In the Configure DHCP Options section of the Domain Name and DNS Server page, you can assign DHCP clients the IP addresses of the preferred DNS servers they should use. You can also configure IP addresses of preferred NetBIOS name servers (WINS) for clients in the following page. Activating this newly created scope is the final step of setting up a DHCP server role.
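The scope that the New Scope Wizard pages above build can be created with netsh as well. The following batch script is an added example, not from the book; it uses the book's 199.168.1.x figures (the range, the excluded server address 199.168.1.15, and the printer block 199.168.1.21 through 199.168.1.30) and adds placeholder values for the scope name, the router at 199.168.1.1, and the DNS and WINS server at 199.168.1.15.

```batch
@echo off
rem Added example (not from the book): the New Scope Wizard's pages expressed
rem as netsh commands. Scope name, router, DNS and WINS addresses are placeholders.
setlocal
set SCOPE=199.168.1.0
set MASK=255.255.255.0

rem Scope Name page: network, subnet mask (class C default for a 199.x address),
rem name and description.
netsh dhcp server add scope %SCOPE% %MASK% "Floor 1" "Workstations on floor 1"

rem IP Address Range page: the range this scope hands out.
netsh dhcp server scope %SCOPE% add iprange 199.168.1.5 199.168.1.254

rem Add Exclusions page: one statically configured server and a block of printers.
netsh dhcp server scope %SCOPE% add excluderange 199.168.1.15 199.168.1.15
netsh dhcp server scope %SCOPE% add excluderange 199.168.1.21 199.168.1.30

rem Lease Duration page: option 51 is the lease time in seconds (8 days = 691200).
netsh dhcp server scope %SCOPE% set optionvalue 051 DWORD 691200

rem Configure DHCP Options pages: router (003), DNS servers (006), DNS domain
rem name (015), WINS servers (044) and NetBIOS node type (046; 8 = h-node).
netsh dhcp server scope %SCOPE% set optionvalue 003 IPADDRESS 199.168.1.1
netsh dhcp server scope %SCOPE% set optionvalue 006 IPADDRESS 199.168.1.15
netsh dhcp server scope %SCOPE% set optionvalue 015 STRING cert.zandri.net
netsh dhcp server scope %SCOPE% set optionvalue 044 IPADDRESS 199.168.1.15
netsh dhcp server scope %SCOPE% set optionvalue 046 BYTE 8

rem Activate Scope page: 1 = active, 0 = inactive.
netsh dhcp server scope %SCOPE% set state 1

rem Review what was configured.
netsh dhcp server scope %SCOPE% show iprange
netsh dhcp server scope %SCOPE% show excluderange
netsh dhcp server scope %SCOPE% show optionvalue
endlocal
```

Keeping the scope definition in a script like this also records which addresses are deliberately excluded, so a later appearance of a lease for one of those addresses stands out when you review the DHCP server's lease list.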

Additional Notes on DHCP

After you set a subnet mask range for a DHCP scope, there is no going back to change it. The only way to change it is to delete the entire scope and re-create it with the correct subnet mask.

Windows Server 2003 requires that any Windows-based DHCP server running Windows 2000 or later be authorized to run on the network, the same as in Windows 2000 Server.

Nothing prevents Windows NT 4 DHCP services, other network operating systems hosting the DHCP service, or hardware devices running the DHCP service from responding to client requests.

Domain controllers handle the Active Directory database, and all domain members configured in the role of a DHCP server running Windows 2000 Server or Windows Server 2003 must be domain controllers or authorized to function in the Active Directory database.

Standalone Windows servers (non-domain members) can be configured as DHCP servers as long as they are not on a subnet with any authorized DHCP servers from a domain. Windows Server 2003 systems can run the DHCP service as standalone systems in a domain where Active Directory is not used, such as an NT 4 domain. For what it's worth, the Windows Server 2003 system could even be a member of this NT 4 domain and be allowed to offer IP addresses. This is one example of an exception to the Active Directory authorization requirement.

When a standalone DHCP server in a workgroup detects an authorized DHCP server, the standalone server automatically stops leasing IP addresses to requesting DHCP clients.

When the DHCP service starts on a server that holds the DHCP server role, it sends out a DHCPINFORM broadcast message in an attempt to locate other DHCP servers. The other DHCP servers reply with a DHCPACK message and send the domain information to the starting DHCP server. The starting DHCP server then attempts to locate the SRV records for Active Directory in an effort to find the DHCP server's list of IP addresses that have been authorized in the domain as DHCP servers.

If the server finds its IP address in the authorized list, it finishes starting the service and responds to client requests. If it does not find its address in the authorized list, it does not start the DHCP service. The server is still online and active, but because the service does not complete the startup, it does not respond to client requests for IP addresses.

If Active Directory is not available, as with a standalone server in a workgroup, the initializing DHCP server can start if no other DHCP servers are running on the local subnet. If one is encountered, the standalone server stops its DHCP service; otherwise, it handles client requests.

The DHCP server continues to send the DHCPINFORM message every five minutes to check whether it is still authorized to function in the enterprise. If an administrator has not authorized the DHCP server, the server finds out at one of the five-minute intervals and stops its DHCP service, which prevents it from responding to client requests.
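The authorization list that the startup sequence above consults is stored in Active Directory and can be checked and updated with netsh. The following batch script is an added example, not from the book: it looks for this server's address in the authorized list, authorizes the server if it is missing, and then asks the local service to re-check its authorization immediately rather than waiting for the next five-minute interval. The server name and address are placeholders, and adding a server to the list requires Enterprise Admins rights.

```batch
@echo off
rem Added example (not from the book): verify and, if needed, establish the
rem Active Directory authorization a Windows DHCP server must have before it
rem answers clients. Server name and address are placeholders.
setlocal
set SERVERFQDN=dhcp01.cert.zandri.net
set SERVERIP=199.168.1.15

rem The list of authorized servers lives in Active Directory, so this check can
rem be run from any domain member that has the DHCP administration tools.
netsh dhcp show server | findstr /C:"%SERVERIP%" >nul
if errorlevel 1 (
    echo %SERVERIP% is not in the authorized list; the service will not lease addresses.
    netsh dhcp add server %SERVERFQDN% %SERVERIP%
) else (
    echo %SERVERIP% is already authorized.
)

rem Re-run the authorization check now instead of waiting for the next
rem five-minute DHCPINFORM cycle, then confirm the service state.
netsh dhcp server initiate auth
sc query dhcpserver | findstr /C:"STATE"
endlocal
```

Because only Windows 2000 and later DHCP servers honor this check, the authorized list tells you which Windows servers should be leasing addresses; any other device answering DHCP requests on the subnet has to be found by other means, such as reviewing client leases for an unexpected server identifier.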


WINS Server Role

You can set up the Windows Internet Naming Service (WINS) server role by running the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Networking Services, Windows Internet Naming Service (WINS). To install only WINS, highlight Networking Services in the Components list, and click the Details button.

Of all the server roles discussed in this chapter, this one is the easiest to configure with the Configure Your Server Wizard. In the Manage Your Server window, click Add or Remove Role, and then choose WINS Server, which installs WINS. After this process is completed on the server end, the WINS server will be running on your network.

The setup wizard uses several default configuration parameters for how NetBIOS name records are managed in the WINS server database; these parameters are fine for most environments.

Removing the role is just as easy: Simply run the Configure Your Server Wizard a second time and choose WINS to remove the role.


Originally, it was hoped during Windows 2000 builds that reliance on WINS would fade and the service could finally be retired. This was not the case and still isn't today, even as Windows Server 2003 hits the shelves. Because of legacy systems and backward-compatibility requirements for older software, NetBIOS name resolution and WINS services are still needed in many enterprises.




MCSE 70-293 Exam Cram: Planning and Maintaining a Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736195
Year: 2004
Pages: 123
