Introduction

With the introduction of new revisions to Microsoft products—for example, Windows, Exchange, and Communications Server—we have seen a trend toward "roles" within each product, as opposed to the various products being an all-in-one type of solution (as with Exchange 2007), or being additional features that work as a snap-in, such as DNS in Windows 2003.

With earlier versions of Windows Server 2000 or 2003, an Active Directory server was just that—an Active Directory server. What we are trying to say here is that it was more-or-less an "all-or-nothing" deal when creating a domain controller in Windows 2003. Very little flexibility existed in the way a domain controller could be installed, with the exception of whether a domain controller would also be a global catalog server or flexible single master operation (FSMO) server.

The new roles in Windows Server 2008 provide a new way for you to determine how they are implemented, configured, and managed within an Active Directory domain or forest. The new roles (and the official Microsoft definitions) are as follows:

* Read-only domain controller (RODC) This new type of domain controller, as its name implies, hosts read-only partitions of the Active Directory database. An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

* Active Directory Lightweight Directory Service (ADLDS) Formerly known as Windows Server 2003 Active Directory Application Mode (ADAM), ADLDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies required for Active Directory Domain Services (ADDS). ADLDS provides much of the same functionality as ADDS, but does not require the deployment of domains or domain controllers.

* Active Directory Rights Management Service (ADRMS) Active Directory Rights Management Services (ADRMS), a format and application-agnostic technology, provides services to enable the creation of information-protection solutions. ADRMS includes several new features that were available in Active Directory Rights Management Services (ADRMS). Essentially, ADRMS adds the ability to secure objects. For example, an e-mail can be restricted to read-only, meaning it cannot be printed, copied (using Ctrl+C, and so on), or forwarded.

* Active Directory Federation Services (ADFS) You can use Active Directory Federation Services (ADFS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. Essentially, this allows cross-forest authentication to external resources—such as another company's Active Directory. ADFS was originally introduced in Windows Server 2003 R2, but lacked much of its now-available functionality.

These roles can be managed with Server Manager and Server Core. Discussing Server Core is going to take considerably longer, so let's start with Server Manager.

Server Manager

Server Manager is likely to be a familiar tool to engineers who have worked with earlier versions of Windows. It is a single-screen solution that helps manage a Windows server, but is much more advanced than the previous version.

Using Server Manager to Implement Roles

Although we will be discussing Server Manager (Figure 1.1) as an Active Directory Management tool, it's actually much more than just that.

In fact, Server Manager is a single solution (technically, a Microsoft Management Console [MMC]) snap-in that is used as a single source for managing system identity (as well as other key system information), identifying problems with servers, displaying server status, enabled roles and features, and general options such as server updates and feedback.

Table 1.1 outlines some of the additional roles and features Server Manager can be used to control:

Server Manager is enabled by default when a Windows 2008 server is installed (with the exception of Server Core). However, Server Manager can be shut off via the system Registry and can be re-opened at any time by selecting Start | Administrative Tools | Server Manager, or right-clicking Computer under the Start menu, and choosing Manage (Figure 1.2).

So, those are the basics of Server Manager. Now let's take a look at how we use Server Manager to implement a role. Let's take the IIS role and talk about using the Add Role Wizard to install Internet Information Services (IIS).

Server Core

Server Core brings a new way not only to manage roles but also to deploy a Windows Server. With Server Core, we can say goodbye to unnecessary GUIs, applications, services, and many more commonly attacked features.

Using Server Core and Active Directory

For years, Microsoft engineers have been told that Windows would never stand up to Linux in terms of security simply because it was too darn "heavy" (too much) code, loaded too many modules (services, startup applications, and so on), and was generally too GUI heavy. With Windows Server 2008, Microsoft engineers can stand tall, thanks to the introduction of Server Core.

What Is Server Core?

What is Server Core, you ask? It's the "just the facts, ma'am" version of Windows 2008. Microsoft defines Server Core as "a minimal server installation option for Windows Server 2008 that contains a subset of executable files, and five server roles." Essentially, Server Core provides only the binaries needed to support the role and the base operating systems. By default, fewer processes are generally running.

Server Core is so drastically different from what we have come to know from Windows Server NT, Windows Server 2000, or even Windows Server 2003 over the past decade-plus, that it looks more like MS-DOS than anything else (Figure 1.5). With Server Core, you won't find Windows Explorer, Internet Explorer, a Start menu, or even a clock! Becoming familiar with Server Core will take some time. In fact, most administrators will likely need a cheat sheet for a while. To help with it all, you can find some very useful tools on Microsoft TechNet at http://technet2.microsoft.com/windowsserver2008/en/library/e7e522ac-b32f-42e1 -b91453ccc78d18161033.mspx?mfr=true. This provides command and syntax lists that can be used with Server Core. The good news is, for those of you who want the security and features of Server Core with the ease-of-use of a GUI, you have the ability to manage a Server Core installation using remote administration tools.

Before going any further, we should discuss exactly what will run on a Server Core installation. Server Core is capable of running the following server roles:

* Active Directory Domain Services Role

* Active Directory Lightweight Directory Services Role

* Dynamic Host Configuration Protocol (DHCP)

* Domain Name System (DNS) Services Role

* File Services Role

* Hyper-V (Virtualization) Role

* Print Services Role

* Streaming Media Services Role

* Web Services (IIS) Role

Although these are the roles Server Core supports, it can also support additional features, such as:

* Backup

* BitLocker

* Failover Clustering

* Multipath I/O

* Network Time Protocol (NTP)

* Removable Storage Management

* Simple Network Management Protocol (SNMP)

* Subsystem for Unix-based applications

* Telnet Client

* Windows Internet Naming Service (WINS)

The concept behind the design Server Core is to truly provide a minimal server installation. The belief is that rather than installing all the application, components, services, and features by default, it is up to the implementer to determine what will be turned on or off.

Installation of Windows 2008 Server Core is fairly simple. During the installation process, you have the option of performing a Standard Installation or a Server Core installation. Once you have selected the hard drive configuration, license key activation, and End User License Agreement (EULA), you simply let the automatic installation continue to take place. When installation is done and the system has rebooted, you will be prompted with the traditional Windows challenge/response screen, and the Server Core console will appear.

Uses for Server Core

A Windows Server 2008 Core Server Installation can be used for multiple purposes. One of the ways that Server Core can be used is to provide a minimal installation for DNS. You can manipulate, manage, and configure DNS servers through the various Windows Server 2008 DNS Graphical User Interfaces (GUIs)–DNS Manager and the Server Manager tool.

However, there are no GUIs provided with Windows Server 2008 Core Server. There are a number of advantages to running DNS within Server Core, including:

* Smaller Footprint. Reduces the amount of CPU, memory, and hard disk needed.

* More Secure. Fewer components and services running unnecessarily.

* No GUI. No GUI means that users cannot make modifications to the DNS databases (or any other system functions) using common/user-friendly tools.

If you are planning to run DNS within a Server Core install, there a number of steps you must perform prior to installation. The first step we must take is to set the IP information of the server. To configure the IP addressing information of the server follow these steps:

1. Identify the network adapter. In the console window, type netsh interface ipv4 show interfaces and record the number shown under Idx column.

2. Set the IP address, Subnet Mask, and Default Gateway for the server. To do this, type netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway= <DefaultGateway>. ID represents the interface number from step 1, <StaticIP> represents the IP address we will assign, <SubnetMask> represents the subnet mask, and <Default Gateway> represents the IP address of the server's default gateway. See Figure 1.8 for our sample configuration.

3. Assign the IP address of the DNS server. If this server were part of an Active Directory domain and replicating Active-Directory integrated zones (we will discuss those next), we would likely point this server to another AD-integrated DNS server. If it is not, we would point it to another external DNS server—commonly the Internet provider of your company. From the console, type netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1. >. ID represents the number from step 1, <StaticIP> represents the IP address of the DNS server.

Once the IP address settings are completed—you can verify this by typing ipconfig /all—we can install the DNS role onto the Core Server installation.

4. To do this, from the command line type start /w ocsetup DNS-Server-Core-Role.

5. To verify that the DNS Server service is installed and started, type NET START. This will return a list of running services.

(Continues...)

---

Excerpted from Securing Windows Server 2008 by Dale Liu Copyright © 2008 by Elsevier, Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---