Windows Server 2008 offers many new ways to “skin
the Active Directory cat,” if you will. With the introduction of these
new roles is a new way to determine how they are implemented,
configured, and managed within an Active Directory domain or forest. We
will be discussing each of these Active Directory roles in depth later
in this chapter, but the new roles (and the official Microsoft
definitions) are as follows:
Read-only domain controller (RODC):
This new type of domain controller, as its name implies, hosts
read-only partitions of the Active Directory database. An RODC makes it
possible for organizations to easily deploy a domain controller in
scenarios where physical security cannot be guaranteed, such as branch
office locations, or in scenarios where local storage of all domain
passwords is considered a primary threat, such as in an extranet or in
an application-facing role.
Active Directory Lightweight Directory Service (ADLDS):
Formerly known as Windows Server 2003 Active Directory Application Mode
(ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP)
directory service that provides flexible support for directory-enabled
applications, without the dependencies required for Active Directory
Domain Services (ADDS). ADLDS provides much of the same functionality
as ADDS, but does not require the deployment of domains or domain
controllers.
Active Directory Rights Management Service (ADRMS):
Active Directory Rights Management Services (ADRMS), a format and
application-agnostic technology, provides services to enable the
creation of information-protection solutions. ADRMS includes several
new features that were available in Active Directory Rights Management
Services (ADRMS). Essentially, ADRMS adds the ability to secure
objects. For example, an e-mail can be restricted to read-only, meaning
it cannot be printed, copied (using Ctrl + C, and so on), or forwarded.
Active Directory Federation Services (ADFS):
You can use Active Directory Federation Services (ADFS) to create a
highly extensible, Internet-scalable, and secure identity access
solution that can operate across multiple platforms, including both
Windows and non-Windows environments. Essentially, this allows
cross-forest authentication to external resources—such as another
company’s Active Directory. ADFS was originally introduced in Windows
Server 2003 R2, but lacked much of its now-available functionality.
So, these are the roles themselves, but as also mentioned, they can be managed in a number of new ways:
Server Manager:
This is likely to be a familiar tool to engineers who have worked with
earlier versions of Windows. It is a single-screen solution that helps
manage a Windows server, but is much more advanced than the previous
version.
Server Core:
Server Core brings not only a new way to manage roles, but an entirely
new way to deploy a Windows Server. With Server Core, we can say
goodbye to unnecessary GUIs, applications, services, and many more
commonly attacked features.
Discussing Server Core is going to take considerably longer, so let’s start with Server Manager.
Using Server Manager to Implement Roles
Although we will be discussing Server Manager (Figure 1) as an Active Directory management tool, it’s actually much more than just that. In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC] snap-in) that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback.
Table 1 outlines some of the additional roles and features Server Manager can be used to control:
Table 1. Partial List of Additional Server Manager Features
Role/Feature | Description
---|---
Active Directory Certificate Services | Management of Public Key Infrastructure (PKI)
Dynamic Host Configuration Server | Dynamic assignment of IP addresses to clients
Domain Name Service | Provides name/IP address resolution
File Services | Storage management, replication, searching
Print Services | Management of printers and print servers
Terminal Services | Remote access to a Windows desktop or application
Internet Information Server | Web server services
Hyper-V | Server virtualization
BitLocker Drive Encryption | Whole-disk encryption security feature
Group Policy Management | Management of Group Policy Objects
SMTP Server | E-mail services
Failover Clustering | Teaming multiple servers to provide high availability
WINS Server | Legacy NetBIOS name resolution
Wireless LAN Service | Enumerates and manages wireless connections
Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 2).
So, those are the basics of Server Manager. Now let’s take a look at how we use Server Manager to implement a role. Since we will be discussing the four Active Directory roles in depth later in this chapter, let’s take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).
Notice in Figure 1 that the Server Manager window is broken into three different sections.
Under the Customize This Server section, click the Add Role icon. When the wizard opens, complete the following steps to install IIS onto the server.
1. Click the Add Roles icon.
2. At the Before You Begin window, read the information provided, and then click Next.
3. From the list of server roles (Figure 3), click the check box next to Web Server (IIS) and then click Next.
4. If you are prompted to add additional required features, read and understand the features, and then click Add Required Features.
5. When you return to the Select Server Roles screen, click Next.
6. Read the information listed in the Introduction to Web Server (IIS) window, and then click Next.
7. For purposes of this exercise, we will select all of the default Role Services, and then click Next.
8. Review the Installation Summary Confirmation screen (Figure 4), and then click Install.
9. When installation is complete, click Close.
10. Notice that on the Server Manager screen, Web Server (IIS) is now listed as an installed role.
Sure, you can always use a wizard to implement a role, but you also have the option of using a script. Realistically speaking, however, it’s generally not the most efficient way to deploy a role for a single server. Unless you are going to copy and paste the script, the chance of error is high when typing out the commands required. For example, take the following IIS script syntax:
start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;IIS-FTPPublishingService;IIS-FTPServer;IIS-FTPManagement;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
This script installs ALL of the IIS features, which may not be the preferred installation for your environment, and within the time it took to type it out, you may have already completed the GUI install!
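Since the full feature list above installs far more than most servers need, the script below is an added example (not from the book) that uses the same pkgmgr syntax to install only the components a static-content intranet site with Windows authentication requires, checks the exit code, and verifies that the W3SVC service exists afterward. The feature names are taken from the list above; the exit-code meanings and the log path are assumptions noted in the comments.

```batch
@echo off
rem Added example (not from the book): a scoped pkgmgr install that pulls in
rem only the IIS components a static-content intranet site needs, instead of
rem the full feature list shown above. Feature names come from that list.
setlocal

set FEATURES=IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors
set FEATURES=%FEATURES%;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor
set FEATURES=%FEATURES%;IIS-Security;IIS-WindowsAuthentication;IIS-RequestFiltering
set FEATURES=%FEATURES%;IIS-WebServerManagementTools;IIS-ManagementConsole
set FEATURES=%FEATURES%;WAS-WindowsActivationService;WAS-ProcessModel;WAS-ConfigurationAPI

rem Deliberately left out: ASP/ASP.NET/CGI/ISAPI, FTP, and IIS 6 compatibility,
rem since none of them are needed for static content and each adds attack surface.
start /w pkgmgr /iu:%FEATURES%
set RC=%ERRORLEVEL%

rem Exit-code handling (assumption: 0 = success, 3010 = success but reboot required).
if %RC% equ 3010 (
  echo IIS installed; a reboot is required before use.
  goto :verify
)
if %RC% neq 0 (
  echo pkgmgr failed with exit code %RC%; check the component servicing log at %SystemRoot%\Logs\CBS\CBS.log
  endlocal
  exit /b %RC%
)

:verify
rem Confirm the W3SVC (World Wide Web Publishing) service now exists;
rem sc query returns a non-zero exit code when the service is not installed.
sc query W3SVC >nul 2>&1 && (
  echo W3SVC service present; IIS installation completed.
) || (
  echo W3SVC service not found; installation did not complete.
)
endlocal
exit /b %RC%
```

Save the script as a .cmd file and run it from an elevated command prompt; copying it to each server avoids the typing errors the text warns about while still installing only what that server needs.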
Using Server Core and Active Directory
For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn “heavy” (too much code), loaded too many modules (services, startup applications, and so on), and was generally too GUI heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.
What Is Server Core?
What is Server Core, you ask? It’s the “just the facts, ma’am” version of Windows 2008. Microsoft defines Server Core as “a minimal server installation option for Windows Server 2008 that contains a subset of executable files, and five server roles.” Essentially, Server Core provides only the binaries needed to support the role and the base operating system. By default, fewer processes are running.
Server Core is so drastically different from what we have come to know from Windows NT Server, Windows Server 2000, or even Windows Server 2003 over the past decade-plus, that it looks more like MS-DOS than anything else (Figure 5).
With Server Core, you won’t find Windows Explorer, Internet Explorer, a
Start menu, or even a clock! Becoming familiar with Server Core will
take some time. In fact, most administrators will likely need a cheat
sheet for a while. To help with it all, you can find some very useful
tools on Microsoft TechNet at http://technet2.microsoft.com/windowsserver2008/en/library/e7e522ac-b32f-42e1-b914-53ccc78d18161033.mspx?mfr=true.
This provides command and syntax lists that can be used with Server
Core. The good news is, for those of you who want the security and
features of Server Core with the ease-of-use of a GUI, you have the
ability to manage a Server Core installation using remote
administration tools.
Before going any further, we should discuss exactly what will run on a Server Core installation. Server Core is capable of running the following server roles:
Active Directory Domain Services Role
Active Directory Lightweight Directory Services Role
Dynamic Host Configuration Protocol (DHCP)
Domain Name System (DNS) Services Role
File Services Role
Hyper-V (Virtualization) Role
Print Services Role
Streaming Media Services Role
Web Services (IIS) Role
Note
Internet Information Server is Microsoft’s brand of Web server software, utilizing Hypertext Transfer Protocol to deliver World Wide Web documents. It incorporates various functions for security, allows for CGI programs, and also provides for Gopher and FTP servers.
Although these are the roles Server Core supports, it can also support additional features, such as:
Backup
BitLocker
Failover Clustering
Multipath I/O
Network Time Protocol (NTP)
Removable Storage Management
Simple Network Management Protocol (SNMP)
Subsystem for Unix-based applications
Telnet Client
Windows Internet Naming Service (WINS)
Note
BitLocker Drive Encryption is an integral new security feature in Windows Server 2008 that protects servers at locations such as branch offices, as well as mobile computers for all those roaming users out there. BitLocker provides offline data and operating system protection by ensuring that data stored on the computer is not revealed if the machine is tampered with while the installed operating system is offline.
The concept behind the design of Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the applications, components, services, and features by default, it is up to the implementer to determine what will be turned on or off.
Installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a Standard Installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and End User License Agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.
So let’s put Server Core into action and use it to install Active Directory Domain Services. To install the Active Directory Domain Services Role, perform the following steps:
1. The first thing we need to do is set the IP information for the server. To do this, we first need to identify the network adapter. In the console window, type netsh interface ipv4 show interfaces and record the number shown under the Idx column.
2. Set the IP address, Subnet Mask, and Default Gateway for the server. To do this, type netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>. <ID> represents the number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <DefaultGateway> represents the IP address of the server’s default gateway. See Figure 6 for our sample configuration.
3. Assign the IP address of the DNS server. Since this will be an Active Directory Domain Controller, we will set the DNS settings to point to the DNS server. From the console, type netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1. <ID> represents the number from step 1, and <DNSIP> represents the IP address of the DNS server (in this case, the same IP address from step 2).
So, here is where things get a little tricky. When installing the Directory Services role in a full server installation, we would simply open up a Run window (or a command line) and type in DCPromo. Then, we would follow the prompts for configuration (domain name, file location, level of forest/domain security), and then restart the system. Installing the role in Server Core isn’t so simple, yet it’s not exactly rocket science. In order to make this installation happen, we are going to need to configure an unattended installation file. An unattended installation file (see Figure 2.7) is nothing more than a text file that answers the questions that would have been answered during the DCPromo installation. So, let’s assume you have created the unattended file and placed it on a floppy disk, CD, or other medium, and then inserted it into the Server Core server.
Let’s go ahead and install Directory Services:
1. Sign in to the server.
2. In the console, change drives to the removable media. In our example, we will be using drive E:, our DVD drive.
3. Once you have changed drives, type dcpromo /answer:\answer.txt. Answer.txt is the name of our unattended file (see Figure 7).
4. Follow the installation process as it configures directory services. Once the server has completed the installation process, it will reboot automatically.
When the server reboots, you will have a fully functional Active Directory implementation!
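The whole Server Core procedure above (interface addressing, DNS, unattended dcpromo) can be scripted so that it is typed once and reviewed rather than retyped on every branch-office box. The script below is an added example, not from the book: the adapter index, addresses, and domain names are constructed placeholders, the [DCInstall] parameter names follow the documented dcpromo unattend format (verify them against your reference), and the Directory Services Restore Mode password is read at run time so it never sits in the script itself. Because the answer file holds that password in clear text, the script deletes it before rebooting instead of letting dcpromo reboot on its own.

```batch
@echo off
rem Added example (not from the book): scripts the Server Core steps above.
rem All values below are constructed placeholders; adjust them for your network.
setlocal
set IFIDX=2
set STATICIP=10.0.0.10
set MASK=255.255.255.0
set GATEWAY=10.0.0.1
set DOMAIN=corp.example
set NETBIOS=CORP
set ANSWER=%TEMP%\dcanswer.txt

rem Steps 1 and 2: static addressing on the adapter index recorded from
rem "netsh interface ipv4 show interfaces".
netsh interface ipv4 set address name="%IFIDX%" source=static address=%STATICIP% mask=%MASK% gateway=%GATEWAY% || goto :fail
rem Step 3: this server will host DNS, so point its resolver at itself.
netsh interface ipv4 add dnsserver name="%IFIDX%" address=%STATICIP% index=1 || goto :fail

rem The DSRM password is prompted for, never stored in the script
rem (avoid the characters & < > | in it, since echo would mangle them).
set /p DSRMPWD=Directory Services Restore Mode password: 

rem Build the unattended file dcpromo reads (parameter names per the
rem documented [DCInstall] format; 3 = Windows Server 2008 functional level).
> "%ANSWER%" (
  echo [DCInstall]
  echo ReplicaOrNewDomain=Domain
  echo NewDomain=Forest
  echo NewDomainDNSName=%DOMAIN%
  echo DomainNetBiosName=%NETBIOS%
  echo InstallDNS=Yes
  echo ForestLevel=3
  echo DomainLevel=3
  echo DatabasePath=%SystemRoot%\NTDS
  echo LogPath=%SystemRoot%\NTDS
  echo SYSVOLPath=%SystemRoot%\SYSVOL
  echo SafeModeAdminPassword=%DSRMPWD%
  echo RebootOnCompletion=No
)
set DSRMPWD=

dcpromo /answer:"%ANSWER%"
set RC=%ERRORLEVEL%
rem Remove the answer file first: it held the DSRM password in clear text.
del /q "%ANSWER%"
rem Assumption: exit code 0 means the promotion succeeded; otherwise inspect
rem %SystemRoot%\debug\dcpromo.log before retrying.
if %RC% equ 0 (shutdown /r /t 0) else (echo dcpromo failed with exit code %RC%)
endlocal
exit /b %RC%

:fail
echo Network configuration failed; not promoting this server.
endlocal
exit /b 1
```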