Server roles in Windows Server 2003 enable you, as the administrator, to configure specific roles for your system. To do this, you start the Configure Your Server Wizard through the Manage Your Server window. Depending on your settings, the Manage Your Server window (see Figure 2.1) might be automatically available at login. If it's not, you can find it on the Start menu under All Programs, Administrative Tools. Figure 2.1. You configure your server role through the Manage Your Server window.
In this window, you can add a role to your existing server, which enables you to configure it for a specific task. You can also manage the current role from this window. You can pick one of the following listed roles, all of which are self-explanatory by their titles:
The steps for configuring a server in any role are straightforward; however, they vary from one role to another. To start the Configure Your Server Wizard, click Add or remove a role in the main Manage Your Server window (refer to Figure 2.1). After you have read the onscreen information, verified all network connections, and have the installation path (or the CD) for the Windows Server 2003 setup files, click Next to continue. The wizard then tests your available and enabled network connections and brings you to the Server Role page. From this point, you can set up the server for one or more roles. To set up a second or third role, you need to run the Configure Your Server Wizard again; only one role can be established per run. If any additional software or services are required, you are prompted for them on later pages of the wizard. The Summary of Selections page lists the options you elected to install for the role, and the wizard then continues with the role configuration. When the process is complete, the final page of the Configure Your Server Wizard is displayed.

Domain Controller Role

Configuring your system as a domain controller with the Configure Your Server Wizard is the same as doing it manually. In the wizard, select the domain controller role; the wizard then runs DCPROMO.EXE to start the Active Directory Installation Wizard, which is discussed next.

Domain Controller Installation Overview

The actual process of configuring a Windows Server 2003 system as a domain controller is fairly straightforward; however, a lot of behind-the-scenes planning usually goes on before configuration. There are also subtle differences in the process, depending on whether the system is to be the first domain controller in a new forest, the first domain controller of a new domain (a child domain or a new tree) in an existing forest, or an additional domain controller in an existing domain.
To configure your server as a domain controller, log on locally to the Windows Server 2003 system you want to promote to the role of domain controller, and run DCPROMO (from the command line or from Start, Run) to start the Active Directory Installation Wizard. (You could also use the Configure Your Server Wizard, but it's not necessary.)
After you move past the Welcome window, how you continue with the installation depends on your current environment and where this new domain controller needs to fit in your environment. In the Domain Controller Type page, you can install the domain controller for a new domain or install it as an additional domain controller in an existing domain. If you choose an existing domain, the installation continues from this point, as you are adding this server as a peer domain controller in an existing domain. This allows the necessary services to be installed and enabled so that the system can function as a domain controller after Active Directory has been installed and updated. If you choose to install the domain controller in a new domain, DCPROMO prompts you in the Create New Domain page, asking whether this new domain should be installed as a new child domain or a new domain tree. If you choose to create a new child domain, the installation wizard continues, prompting you for a name for the domain and database locations. If you decide to install this domain controller as a new domain tree, DCPROMO prompts you to select whether you are installing the domain controller in an existing forest or a new forest of domain trees. Regardless of your choice, the installation wizard continues to the New Domain Name page, which is where you enter the name of the new domain.
Next, in the NetBIOS Domain Name page, verify the NetBIOS name for the domain, which is used for backward compatibility with legacy systems. The wizard proposes the leftmost label of the DNS name in uppercase, so a domain name of gunderville.com entered in the New Domain Name text box shows up as GUNDERVILLE in the NetBIOS Domain Name text box. As with all NetBIOS names, the NetBIOS domain name is limited to 15 characters (the 16th byte of a NetBIOS name is reserved for the name type suffix), so a DNS domain name of thecityofgunderville.com would default to the NetBIOS name THECITYOFGUNDER because the first label exceeds the allowed maximum; you can replace the proposed name with any unique name of up to 15 characters. In the Database and Log Folders page, the wizard prompts you for the installation location of the Active Directory database and log files. You can accept the listed defaults, enter a new path manually, or browse to a new location.
In the Shared System Volume page, the wizard prompts you for the installation location of the shared system volume (SYSVOL). You can accept the listed default path, enter a new path manually, or browse to a new location. SYSVOL stores logon scripts and the file-system portion of Group Policy objects for the domain and, in certain instances, the entire enterprise. (This depends on whether this server holds any Flexible Single Master Operations roles, also known as Operations Masters, for the forest.) The default installation path is systemroot\SYSVOL, and the partition must be formatted with NTFS version 5 at a minimum; the version of NTFS used with Windows NT 4 Server (now referred to as version 4) cannot be used.
Next, in the DNS Registration Diagnostics page, the wizard contacts the DNS server configured in this computer's TCP/IP settings and verifies that it can accept the dynamic registration of the domain controller's SRV records. If the DNS server cannot be contacted because of a network issue, or if there is no available DNS server to use, you are given the option to install and configure DNS on this server. If you do, you then need to configure this server's TCP/IP properties to use its own DNS installation as its preferred DNS server. Next, in the Permissions page, you need to select one of the following options:
Using Permissions Compatible Only with Windows 2000 or Windows Server 2003 Operating Systems is the recommended option. The alternative, Permissions Compatible with Pre-Windows 2000 Server Operating Systems, adds the Everyone and Anonymous Logon security principals to the Pre-Windows 2000 Compatible Access group, which lets unauthenticated clients read user and group information from the directory. Choose it only if you still have Windows NT 4 services, such as RAS servers, that must look up account information anonymously, and remove those principals from the group as soon as those services are retired.
So far in this wizard, you have been gathering data and configuring installation parameters. When you reach the Summary page and click Next, the wizard actually installs Active Directory. After the restart, the server is running as a domain controller.

Securing Domain Controllers: Security Templates

When a new domain controller is installed on a Windows Server 2003 system, the default template (DC Security.inf) is applied during promotion, and the Default Domain Controllers Policy Group Policy object linked to the Domain Controllers organizational unit (OU) maintains the domain controller settings from then on. To raise the level of security for domain controllers, apply the Securedc.inf security template, which increases the default security, or the Hisecdc.inf template, which maximizes the security settings. (Both templates are incremental: they assume the defaults are already in place and change only the settings they define.) You can also create your own security template if you need settings that the available templates do not provide or need to customize the settings in some way. Follow these steps to create a custom template:
Table 2.2 shows the policy's Password Policy section with the default settings from each template available for domain controllers. Table 2.2. Password Policy Settings from Security Templates
Table 2.3 shows the policy's Account Lockout Policy section with the default settings from each template. Table 2.3. Account Lockout Policy Settings from Security Templates
Table 2.4 shows the policy's Audit Policy section with the default settings from each template. Table 2.4. Audit Policy Settings from Security Templates
By default, the policy's User Rights section is not defined in each template. Options for user rights include the following:
Table 2.5 shows the policy's Security Options section with the default settings from each template. Table 2.5. Security Options Settings from Security Templates
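As an added example (not code from the book or from Microsoft), the following Python script parses two security templates in the .inf format that secedit and the Security Templates snap-in use and lists every password, lockout, audit, and registry setting that differs between them, which is the comparison Tables 2.2 through 2.5 present by hand. The two template bodies embedded below are constructed for illustration; their values are not the shipped contents of DC Security.inf, Securedc.inf, or Hisecdc.inf.

```python
"""Parse and compare Windows security templates (.inf files) offline.

Added example, not code from the book. The two templates below are
constructed to illustrate the secedit template format; their values are
illustrative and are not the shipped contents of any Microsoft template.
"""
import re

# Constructed baseline template (illustrative values, not Microsoft's).
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 1
AuditLogonEvents = 1
AuditPolicyChange = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed hardened template that tightens a few of the same settings.
HARDENED_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
LockoutDuration = 30
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditPolicyChange = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Meaning of the numeric values secedit uses in [Event Audit] and of the
# registry type prefixes it uses in [Registry Values].
AUDIT_VALUES = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
COMPARED_SECTIONS = ("System Access", "Event Audit", "Registry Values")


def parse_template(text):
    """Return {section: {key: value}} for a security template.

    Lines are 'key = value' under '[Section]' headers; ';' starts a comment.
    Registry keys contain backslashes, so only the first '=' splits a line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def describe(section, value):
    """Translate a raw template value into something readable."""
    if value is None:
        return "(not defined)"
    if section == "Event Audit":
        return AUDIT_VALUES.get(value, value)
    if section == "Registry Values" and "," in value:
        rtype, data = value.split(",", 1)
        return f"{REG_TYPES.get(rtype, 'type ' + rtype)} {data}"
    return value


def diff_templates(base_text, new_text, sections=COMPARED_SECTIONS):
    """Return [(section, key, base_value, new_value)] for each setting that
    differs; a value is None when only one template defines the setting."""
    base, new = parse_template(base_text), parse_template(new_text)
    changes = []
    for sec in sections:
        keys = sorted(set(base.get(sec, {})) | set(new.get(sec, {})))
        for key in keys:
            old, cur = base.get(sec, {}).get(key), new.get(sec, {}).get(key)
            if old != cur:
                changes.append((sec, key, old, cur))
    return changes


def report(changes):
    """Format the diff as one line of text per changed setting."""
    return [f"[{sec}] {key}: {describe(sec, old)} -> {describe(sec, new)}"
            for sec, key, old, new in changes]


if __name__ == "__main__":
    for line in report(diff_templates(BASELINE_INF, HARDENED_INF)):
        print(line)
```

To compare the shipped templates, read the files under systemroot\security\templates and pass their contents to diff_templates; to preview what Configure Computer Now would change on a particular server, export the current settings to a template from Security Configuration and Analysis and diff that against the template you intend to apply.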
If you have found, for example, that using the Hisecdc.inf template in your enterprise has undesired side effects that did not show up during testing (Hisecdc.inf requires SMB signing and NTLMv2 responses, for instance, which older clients cannot provide), you can reapply the default template to the domain controllers and then apply the Securedc.inf template. To apply the Securedc.inf template, perform the following steps:
After you have opened the template, right-click Security Configuration and Analysis, and then click Configure Computer Now to apply the template's settings to the system. (You can also choose Analyze Computer Now to review the differences between the current system configuration and the template without changing anything.) When you choose Configure Computer Now, accept the default log file path, or type a valid path and filename in the Error Log File Path text box, and click OK to continue. When the configuration is done, you can view the changes that were made by right-clicking Security Configuration and Analysis and then clicking View Log File. The following is a small sampling of the log; the full log is considerably larger.

Log file: C:\Documents and Settings\Jasonz\My Documents\Security\Logs\DC History.log
-------------------------------------------
Saturday, March 15, 2003 12:54:18 PM
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure User Rights...
User Rights configuration was completed successfully.
----Configure Group Membership...
Group Membership configuration was completed successfully.
----Configure Registry Keys...
Configure users\.default.
Configure users\.default\software\microsoft\netdde.
Configure machine\software.

Remote Access/VPN Server Role

Routing and Remote Access Service (RRAS) in Windows Server 2003 is installed by default when the operating system is installed, but it is not configured or enabled. When you configure your server in the remote access/VPN server role, you can give remote users the proper access permission to reach resources on the local area network (LAN) over a dial-up connection or over a VPN connection from the Internet (for example, from a DSL or cable connection).
When you run the Configure Your Server Wizard to set up your server as a remote access/VPN server, it starts the Routing and Remote Access Server Setup Wizard (see Figure 2.4). Figure 2.4. You can choose the types of connections to establish via the Configuration page of the Routing and Remote Access Server Setup Wizard.
File Server Role

The file server role for a Windows Server 2003 implementation is as simple as it sounds: a server role designed to enable administrators to set up a location where data is stored and shared in the enterprise. You use the Configure Your Server Wizard to step through the entire process and configure settings for disk quotas and the Indexing Service. You can also set up the shares themselves and their permissions. The File Server Disk Quotas page is where you enable disk quotas by selecting the Set up default disk quotas for new users of this server check box (see Figure 2.5). Figure 2.5. You can limit disk usage through the File Server Disk Quotas page.
After you enable quotas, you can limit the total space to any number of kilobytes, megabytes, gigabytes, terabytes, petabytes, and, finally, exabytes.
You can also set a warning threshold, again in KB, MB, GB, and so on, so that a warning is logged when users approach their limits. For instance, if a user has a 100MB limit, a warning could be set at 80MB. To enforce the limit, you must select the Deny disk space to users exceeding disk space limit check box; if you do not, the quota is only tracked, and users can continue writing to the disk past their limit. Two logging settings can also be enabled on this page, one for the disk space limit and one for the warning level. Use them to have the System event log record each time a user exceeds the corresponding threshold.
After you have configured any disk space limits (you can also opt to not choose any), you arrive at the File Server Indexing Service page (see Figure 2.6). Usually, leaving this setting disabled on a server is recommended because it affects performance; if only limited searches will be performed, leaving this option disabled makes sense. If the server can handle the load or there will be enough searches against the existing data, you can enable this option. Figure 2.6. The File Server Indexing Service page is where you configure the Indexing Service.
After you review the summary page of the options you have set and continue the role configuration process, the Share a Folder Wizard is displayed, where you can create new shares and paths to the shares (see Figure 2.7). You can also perform this action the "standard" way through Windows Explorer by right-clicking the folder you want to share and choosing Properties, and then electing to share the folder in the Sharing tab. In the next page (see Figure 2.8), you can supply a description for the share and configure offline settings for data in the share (whether the files should be made available when not connected to the network). Figure 2.7. You can configure shares through the Folder Path page of the Share a Folder Wizard.
Figure 2.8. You can supply additional information about a share in the Name, Description, and Settings page of the Share a Folder Wizard.
Next is the Permissions page, where you set up permissions for the share. There are a few preconfigured settings (all users have Read access, Administrators have Full Control, and so on), and there is the option to configure your own access control. The preconfigured settings apply share permissions, but you can customize them and also set NTFS security permissions on the folder itself. Keep in mind that share and NTFS permissions are evaluated together for network access and the more restrictive of the two applies; NTFS permissions also protect the data from users who log on locally, which share permissions never do. The final page is the summary page, which confirms that the share was created and lets you complete the process or run the wizard again to create another share (see Figure 2.9). Figure 2.9. The Sharing was Successful page provides a summary about the newly created share.
Internet Information Services 6 Role

Unlike Windows 2000, which installs Internet Information Services (IIS) 5 by default, IIS 6 is not deployed on Windows Server 2003 (other than Web Edition) unless you explicitly choose to install it. You can install IIS 6 by using the Configure Your Server Wizard as outlined previously or by going to the Control Panel, choosing Add or Remove Programs, and choosing Add/Remove Windows Components. If you use the Configure Your Server Wizard to enable the server's role as an application server, the wizard installs IIS 6. A quick look shows that only the World Wide Web service is installed. File Transfer Protocol (FTP), Network News Transfer Protocol (NNTP), and Simple Mail Transfer Protocol (SMTP) are not added by default when you establish the server role in this way. If you want to add those other services, you must go to Add or Remove Programs and choose Add/Remove Windows Components. In the Windows Components dialog box, highlight Application Server, and click Details to choose Internet Information Services. Then highlight Internet Information Services and click Details to select just the services you want to install.
Under Windows 2000 Server, default security templates for Web servers as well as secure and high-security templates were deployed on IIS systems through the Group Policy linked to an OU where the accounts for IIS servers were found. This deployment method is no longer applicable under Windows Server 2003. When you install IIS, it runs with almost everything disabled and almost fully locked down. At the end of the installation, about the only thing the server can do is respond to client requests and serve static (HTML) content. No other content, such as Active Server Pages (ASP), ASP.NET pages, WebDAV publishing, and FrontPage Server Extensions, can be hosted from the server until you explicitly enable it under Web Service Extensions in IIS Manager, and you should enable only the extensions your applications actually use. IIS 6 worker processes also run under the low-privileged Network Service account by default, so a compromised application gets far less than the LocalSystem privileges IIS 5 gave it. In addition, a new group policy setting, Prevent IIS from Installing, enables Domain and Enterprise Administrators to control which Windows Server 2003 systems are allowed to install IIS 6.
Print Server Role

You can use the Configure Your Server Wizard to enable your server as a print server. After you select the print server role, the wizard displays the Printers and Printer Drivers page (see Figure 2.11), where you select which network clients should have printers installed. You can choose one of two options: Windows 2000 and Windows XP Clients Only or All Windows Clients. Figure 2.11. The Printers and Printer Drivers page is where you can select how to handle printer drivers for network clients.
At this point, the Add Printer Wizard starts, and you step through the prompts of choosing a local printer or a network printer. You can specify the local printer yourself or let Plug and Play find it. You then have the option of choosing one of the local ports already available on the system or creating a new one (see Figure 2.12). Figure 2.12. Use the Select a Printer Port page to specify a port for the printer or create a new one.
You then choose the make and model of the printer attached to the port you selected earlier. On Windows Server 2003 configurations, all printers added with the Add Printer Wizard are shared by default. If for some reason you do not want to share the printer, you must manually deselect this default option. If the server is a member of a domain, the printer is also published in Active Directory by default.
Mail Server Role

When you run the Configure Your Server Wizard to set up your server in the mail server role, you can choose how your users are authenticated to the POP3 service: through the accounts that are local to the server, through Active Directory, or via an encrypted password file (see Figure 2.13). Figure 2.13. You configure how users are authenticated for mail service via the Configure POP3 Service page.
This setting enables users to connect to the server and download email to their local systems by using Outlook, Outlook Express, or any other email client that supports POP3. After making your selection, the POP3 and SMTP services are installed on the local system. After the process is completed, the Internet Information Services (IIS) Manager appears on the Administrative Tools menu. The IIS Manager enables administrators to configure the SMTP service that the Configure Your Server Wizard installed.
Configuring the SMTP service for this use is no different from any other SMTP configuration in Exchange Server 5.x, 2000, and 2003 or within IIS 4 and 5. Configuring the POP3 service is done through the POP3 Service MMC or from the command line by using WINPOP. The usable WINPOP commands are as follows:

WINPOP.EXE <cmd> [<parameters>]
  ADD, CHANGEPWD, CREATEQUOTAFILE, DEL DELETE, GET, LIST, LOCK, MIGRATETOAD, SET, STAT, UNLOCK
Options:
  ADD <domainname> <user@domainname [/CREATEUSER <password>]>
  CHANGEPWD <user@domainname> <new password>
  CREATEQUOTAFILE <user@domainname> [/USER:user]
    Note: Quota files are created by default when adding mailboxes (for SAM and AD authentication)
    /USER: To specify a different user account the quota file will reference.
  DEL DELETE <domainname> <user@domainname [/DELETEUSER]>
  GET <property>
  LIST [domainname]
  LOCK <domainname user@domainname>
  MIGRATETOAD <user@domainname>
  SET <property> <value>
  STAT [domainname]
  UNLOCK <domainname user@domainname>

The POP3 Service MMC also enables you to perform all these actions through a graphical user interface (GUI). You can complete tasks such as setting the authentication method, configuring the POP3 mail store, and setting the mail server to require Secure Password Authentication in whatever way you're most comfortable working. Unless Secure Password Authentication is required, POP3 clients send user names and passwords across the network in cleartext, so require it wherever your clients support it, particularly when the service authenticates against local or Active Directory accounts whose passwords also open other resources. You can also set the POP3 service state, the number of sockets, and the number of threads the service uses.
Terminal Server Role

Like many of the other roles described so far, the terminal server role can be set up by running the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Terminal Server. Note that when you install Terminal Services by running the Configure Your Server Wizard, you see a warning that the system will be rebooted as part of the installation process; there is no option to postpone the reboot. No such warning is given when you install the role through Control Panel, but you are then offered the option to reboot later through a dialog box.

The installation process has changed since Windows 2000 Server, most noticeably in the capability to configure security modes for operating the terminal server and the removal of the choice between Application mode and Remote Administration mode. Remote Desktop for Administration now takes the place of Terminal Services in Remote Administration mode. It allows server administration from most systems on your network, no licenses are required, and up to two simultaneous remote connections are allowed in addition to someone logged on at the local console. To enable Remote Desktop on a system, go to the Remote tab of the System Properties dialog box and select the Allow Users to Connect Remotely to This Computer check box (see Figure 2.14). Remember that anyone who can reach TCP port 3389 on the server can then attempt to log on, so keep the Remote Desktop Users group limited to the administrators who need it and restrict the port at the firewall. Figure 2.14. You can enable Remote Desktop on your Windows Server 2003 system via the Remote tab of the System Properties dialog box.
Running in the terminal server role, your server can operate in two security modes:
After the terminal server role has been established on the server, you need to attend to two additional items: Internet Explorer Enhanced Security Configuration and the Terminal Server License Server.

When Internet Explorer Enhanced Security Configuration is enabled, users who log on as an administrator have High security settings configured for the Internet and Local intranet zones, which disables scripts, the Microsoft Virtual Machine (VM), and ActiveX controls and prevents file downloads in those zones. Medium security settings are configured for the Trusted sites zone only, which effectively means that trusted sites are, by default, the only ones Internet Explorer renders as they are actually designed. Static HTML pages are usually not affected in the Internet and Local intranet zones, but pages that depend on the Microsoft VM or ActiveX controls are not displayed or do not function correctly. On a terminal server this restriction is worth keeping: a browser session there runs on a machine shared by many users, so treat requests to relax it with caution.

The Terminal Server License Server must also be set up for the terminal server to continue functioning normally after installation. A Windows Server 2003 terminal server accepts unlicensed clients for only 120 days from the date of the first client logon if no license server is in place; after that time, it stops accepting connections from unlicensed clients. The Terminal Server Licensing service is installed via Control Panel, Add or Remove Programs, Add/Remove Windows Components, Terminal Server Licensing, and can be set up to serve your entire enterprise or just your domain or workgroup. After the service is installed, activate the license server in the Terminal Server Licensing MMC: right-click the Terminal Server License Server you want to activate, and choose Activate Server to start the Terminal Server License Server Activation Wizard.
In the Connection Method page, select the Automatic Connection option, which connects over the Internet, after providing the required information for your company. After completing this process, you need to install the client access licenses (CALs) on the Terminal Server License Server for your clients to use when they connect to the terminal server. When a client connects to a terminal server for the first time, the server locates a Terminal Server License Server and has it issue a new CAL to the client.

DNS Server Role

You can set up the DNS server role by running the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Networking Services, Domain Name System (DNS). (To install DNS only, click the Networking Services option in the Components list, and click the Details button.)
If you opt to use the Configure Your Server Wizard, navigate to the Add or Remove Role prompt in the Manage Your Server window and then click DNS Server, which installs DNS and runs the Configure a DNS Server Wizard (see Figure 2.15). Figure 2.15. You can install DNS via the Configure a DNS Server Wizard.
In the wizard's Configuration Action page, you can create a forward lookup zone only, a forward and reverse lookup zone, or root hints only.
In the Primary Server Location page, you choose where the zone's DNS records (including the SRV records Active Directory clients use to find domain controllers) are maintained. You can choose the server you are configuring, which sets up a primary forward lookup zone. You can instead choose a secondary forward lookup zone, which is appropriate when another DNS server is authoritative for the zone and the copy on this server should be a read-only replica. Next, in the Zone Name page, enter the name of the DNS zone you are enabling on this server, such as cert.zandri.net or gunderville.com. The next page is the Zone File page, where you set the path of the standard primary or standard secondary DNS zone file. (The type depends on the answer you provided in the Primary Server Location page.) In the Dynamic Update page (see Figure 2.16), notice that the default selection is Do not allow dynamic updates, as this is the most secure option for a standard primary zone: allowing nonsecure updates lets any host that can reach the server register or overwrite records in the zone. Secure dynamic updates, which accept changes only from authenticated computers, are available only for Active Directory-integrated zones, which require the DNS server to be a domain controller. (A standard secondary zone is a read-only copy and can't be edited directly.) Figure 2.16. You can specify which type of updates to allow for your DNS zone via the Dynamic Update page.
In the Forwarders page, you can enter the IP addresses of DNS servers to which this server should forward queries it cannot answer from its own zones, such as another DNS server in your enterprise or a DNS server at your ISP. In the next page, Completing the Configure a DNS Server Wizard, you can click Back to change any of the settings or click Finish to complete the installation of the service as configured. The Configure Your Server Wizard then displays the This Server Is Now a DNS Server page. If needed, you can review the installation log at systemroot\Debug\Configure Your Server.log. Under security information for DNS in "Need to Know More?" at the end of this chapter, the link supplied there takes you to a page listing a few of the typical threats your DNS infrastructure might be susceptible to, including denial-of-service (DoS) attacks, data modification, and DNS redirection. Proper setup and configuration of your DNS server (restricting zone transfers to known secondary servers, disallowing nonsecure dynamic updates, and not exposing an internal server to recursive queries from the Internet) provides some defense against these attacks; the rest is up to the defenses and firewalls enabled on your network.
DHCP Server Role

You can set up the DHCP server role by running the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Networking Services, Dynamic Host Configuration Protocol (DHCP). To install only DHCP, highlight Networking Services in the Components list, and click the Details button. In the Manage Your Server window, click Add or Remove a Role, select DHCP Server, and then click Next. The Configure Your Server Wizard installs the DHCP service and starts the New Scope Wizard to configure a new IP address scope for your DHCP server. In the Scope Name page, enter a name for the scope; in the Description text box, you can optionally enter a description. Next is the IP Address Range page, where you define the range of IP addresses this scope hands out to clients: type the IP address for the start of the range and the IP address for the end of the range. The wizard uses the address class of the start address to propose a subnet mask in the Subnet Mask section. For example, the wizard knows that 131.15.0.1 falls in the Class B range and proposes a default subnet mask of 255.255.0.0. If your network is subnetted differently, change the proposed mask (or its prefix length) to the one actually in use in your environment.
Excluding certain IP addresses in the Add Exclusions page configures the DHCP server to not lease these addresses to client systems. If the range of addresses in this scope is 199.168.1.5 through 199.168.1.254, and you want to exclude the 199.168.1.15 address (which belongs to a server with this address as a static entry, for example), enter the single address as an exclusion. If a range from this scope is dedicated as manually entered IP addresses for 10 printers on the floor where this scope is active, for example, enter the entire range as an exclusion, such as 199.168.1.21 through 199.168.1.30.
After you have entered any exclusions necessary for this scope, you arrive at the Lease Duration page, where you define the length of time (in days, hours, and minutes) a client can use an IP address from this scope. Each lease has an expiration date and time; the default duration is eight days. A client must renew its lease if it is to continue using the address. Defining the lease duration eases client administration, but this step is optional: if you leave all fields of the Lease Duration page blank and click Next, clients can still obtain IP addresses from the DHCP server. In the Configure DHCP Options page, you specify whether to configure additional DHCP options now. (If you decide not to, you can always return to the scope later and make these changes.) Accepting the default, Yes, is best, as one of the options is the IP address of the router (default gateway), which gives clients that obtain a lease a default path out of their local subnet. In the Domain Name and DNS Servers page, you assign DHCP clients the parent domain name and the IP addresses of the DNS servers they should use; in the following page, you can configure the IP addresses of WINS (NetBIOS name) servers. Activating the newly created scope is the final step of setting up the DHCP server role. Keep in mind that a DHCP server that is a member of an Active Directory domain must also be authorized in Active Directory before it will lease addresses, a check that stops an unauthorized Windows DHCP server from handing out bogus gateways and DNS servers to clients.
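As an added example (not code from the book), the following Python script does offline what the New Scope Wizard does interactively: it derives the classful default mask from the start address, validates the address range and exclusions the way the wizard does, and counts the addresses actually left to lease. It also works out the DHCP renewal timers for a lease duration (T1 at 50% and T2 at 87.5% of the lease, the RFC 2131 defaults), which explains when the clients described above try to renew. The scope values reuse the chapter's 199.168.1.x example; the function and field names are this example's own.

```python
"""Plan and sanity-check a DHCP scope offline.

Added example, not code from the book. It reproduces the classful default
mask the New Scope Wizard proposes, validates exclusions the way the wizard
does, and computes DHCP renewal timers (T1 = 50%, T2 = 87.5% of the lease).
"""
import ipaddress


def classful_default_mask(addr):
    """Return the classful subnet mask proposed for a scope start address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if 1 <= first_octet <= 126:
        return "255.0.0.0"        # Class A
    if 128 <= first_octet <= 191:
        return "255.255.0.0"      # Class B
    if 192 <= first_octet <= 223:
        return "255.255.255.0"    # Class C
    raise ValueError(f"{addr} is not a unicast class A, B, or C address")


def plan_scope(start, end, mask=None, exclusions=()):
    """Validate a scope and return a summary dict.

    exclusions holds single addresses ("199.168.1.15") or (first, last)
    tuples. Raises ValueError for the mistakes the wizard rejects: a
    reversed range, an end address outside the start address's subnet,
    a range that includes the network or broadcast address, or an
    exclusion that is not inside the scope."""
    start_ip, end_ip = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if end_ip < start_ip:
        raise ValueError("end address precedes start address")
    mask = mask or classful_default_mask(start)
    net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    if end_ip not in net:
        raise ValueError(f"{end} is not in {net} (mask {mask})")
    if start_ip == net.network_address or end_ip == net.broadcast_address:
        raise ValueError("range must not include the network or broadcast address")

    excluded = set()
    for item in exclusions:
        lo, hi = (item, item) if isinstance(item, str) else item
        lo_ip, hi_ip = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if hi_ip < lo_ip or lo_ip < start_ip or hi_ip > end_ip:
            raise ValueError(f"exclusion {lo}-{hi} is not inside the scope range")
        # A set handles overlapping exclusions without double counting.
        excluded.update(range(int(lo_ip), int(hi_ip) + 1))

    total = int(end_ip) - int(start_ip) + 1
    return {
        "network": str(net),
        "mask": mask,
        "range_size": total,
        "excluded": len(excluded),
        "leasable": total - len(excluded),
    }


def lease_timers(days=8, hours=0, minutes=0):
    """Return (lease, T1, T2) in seconds for a lease duration.

    At T1 the client unicasts a renewal to the server that issued the lease;
    at T2 it starts broadcasting to any DHCP server; at expiry it must stop
    using the address."""
    lease = (days * 24 + hours) * 3600 + minutes * 60
    return lease, lease // 2, lease * 7 // 8


if __name__ == "__main__":
    summary = plan_scope("199.168.1.5", "199.168.1.254",
                         exclusions=["199.168.1.15", ("199.168.1.21", "199.168.1.30")])
    print(summary)
    print("lease/T1/T2 seconds for the 8-day default:", lease_timers())
```

Pass mask= explicitly when your subnet is not classful; the wizard proposes the classful mask only as a starting point, and a scope whose range straddles the real subnet boundary hands clients addresses their gateway will never route.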
WINS Server Role

You can set up the Windows Internet Naming Service (WINS) server role by running the Configure Your Server Wizard or through Control Panel, Add or Remove Programs, Add/Remove Windows Components, Networking Services, Windows Internet Naming Service (WINS). To install only WINS, highlight Networking Services in the Components list, and click the Details button. Of all the server roles discussed in this chapter, this one is the easiest to configure with the Configure Your Server Wizard. In the Manage Your Server window, click Add or Remove Role, and then choose WINS Server, which installs WINS. After this process is completed on the server end, the WINS server will be running on your network. The setup wizard uses several default configuration parameters for how NetBIOS name records are managed in the WINS server database; these parameters are fine for most environments. Removing the role is just as easy: simply run the Configure Your Server Wizard a second time and choose WINS to remove the role.