The problem of course being that since we skipped setting up scopes, the server is unable to service clients.

We are going to fix that with this article because we are going to go through and do some configuration on that DHCP server — by setting up a scope and some common client options that go with it.

DHCP Scopes

The first thing we are going to configure on the server is a scope. You might be wondering what a scope is, so let’s start with that.

A scope is a range of addresses that are allowed to be handed out by the DHCP server. Generally speaking there is only one scope per subnet, but there are exceptions to that called Super Scopes, but that is beyond the scope (no pun intended) of this article.

Within the scope, you can also have Reservations and Exclusions which will do the following:

• Reservations — You can setup certain IPs to be handed out for certain MAC addresses (a MAC address is the unique number for a network adapter). This is generally used for clients or devices that must always have the same IP but you still want to manage through DHCP Server for other options (DNS or Gateway for example)
• Exclusions — An exclusion is either a single IP or range that you do not want managed by the DHCP server. You would do this for the IPs that you would assign statically to devices like Servers that should always have the same IP.

Hopefully before you even installed the DHCP server you have your network diagrammed out and should have to just plug-in the values that you have planned.

Configure a DHCP IPv4 Scope

I am going to walk you through configuring an IPv4 scope for the following IP range and settings:

192.168.10.2 – 192.168.10.230
Subnet Mask: 255.255.255.0
Exclusions: 192.168.10.200 – 192.168.10.230
Reservation: 1 client computer at 192.168.10.190
DNS: 192.168.10.200
Gateway: 192.168.10.1
Least Duration: 20 Days

Some of these are standard fare and others will be done under options. Let’s go ahead and start.

1. Go to Start, Administrative Tools, and click on DHCP

2. Expand out the server and right click on IPv4, then left click on New Scope

3. The New Scope Wizard starts up, go ahead and click Next

4. Go ahead and name your scope. For this demo I am going to call it DHCPdemo and leave the Description blank. Fill in your name for the scope and click on Next

5. Now we are going to enter the IP range we are assigning to the scope.

In the Start IP address: I am going to place 192.168.10.2 and in the End IP address: I will place 192.168.10.230.

For the subnet mask we are going to use 255.255.255.0, and we can enter this either by using the length 24 or placing the 255.255.255.0 in the fields.

Once you fill in your information click Next

6. Now we are going to setup an exclusion range by entering the Start IP address: as 192.168.10.200 and then in the End IP address: place 192.168.10.230.

After that click Add to place your exclusion range in place.

7. Once the exclude range is in place then click Next

8. The Lease Duration window is now up and we are going to change this to 20 days.

You of course should change this to suit your environment, if you have a lot of mobile users you will want to do shorter lease duration, as you will want IPs to free up quicker as the users come and go. After you set your lease time click Next

9. The wizard will now ask if you want to configure DHCP options. There are quite a few options you can send to the DHCP clients, but there are a couple of major ones that make life simple, so select Yes, I want to configure these options now and then click Next

10. The first option to configure is Router (Default Gateway), and we will put in the Router gateway for this subnet 192.168.10.1, click Add and then click Next.

11. Now we will setup the DNS Server; you can leave the Parent Domain blank and then fill in the DNS IP address of 192.168.10.200 and then click Add, then click Next

NOTE: If you followed the Install DHCP Role article there will already be a DNS server in place. I have removed that so I can demonstrate adding it here.

12. If you need WINS Servers then place the information on this next screen and click on Next

13. The next screen asks you if you want to activate the scope. I am going to go ahead and select Yes, but choose what works for you and click then on Next

14. You have successfully completed the New Scope wizard! Click Finish

That’s it, now that you have configured the DHCP scope you should see it in the DHCP Manager:

Setup DHCP Reservation

The one thing we did not do in the wizard is setup our DHCP reservation. As I mentioned above, a reservation guarantees the same IP address to a client using their MAC address as the identifier.

I setup an XP client and used the IPconfig /all cmd to find its MAC address of 00-03-FF-2F-95-0C. You can also see from the screen shot that the XP machine was serviced by our DHCP server and received the very first address of 192.168.10.2, we are going to change this with a reservation to receive 192.168.10.1

Now let’s setup the DHCP reservation.

1. Go into DHCP Manager and expand the scope out, then right click on Reservations and left click on New Reservations…

2. In the New Reservation window input the following information then click Add:

Name: Dave’s Test Client
IP Address: 192.168.10.190
MAC Address: 00-03-FF-2F-95-0C
Description: This Space Blank or whatever you want

Note: please use your own data, don’t use the above MAC and expect this to work.

3. In DHCP Manager you now see your reservation under Reservations

4. Now let’s test this on the client by typing Ipconfig /release, then Ipconfig/renew and you will now see that the client received the reserved IP of 192.168.10.190.

Again you would use this for clients or devices that you always wanted to hand out the same IP to, but still mange through DHCP.

I hope this gave you a good overview of the basics for configuring a DHCP server. There are quite a few options you can configure through DCHP, but outside of these basic ones they are very environment specific and you could go your whole career without needing them.

Related posts:

• Install DHCP Role on Windows Server 2008
• Configure BIND DNS on Windows Web Server 2008 – Part 2
• How To Install, Configure & Use SNMP on Sever 2008

DHCP stands for Dynamic Host Configuration Protocol, and its main purpose in life is to give your computer an IP address so it can send and receive data on the network.

In the old days of computing your computers would have to be assigned IP addresses when they were setup, and the job of keeping all these IP addresses in order usually fell to a network administrator.

I can vividly remember starting a new position at a large company and having the outgoing administrator show me the spreadsheets that had all the IP addresses for the plant, along with a notepad with changes that had not been input yet. I tell you that I implemented DHCP within 2 months, because there was no way I was dealing with that headache.

This of course was back in the days of NT 4.0, but surprisingly DHCP hasn’t changed that much since back then. If you have installed DHCP before on a Windows platform, you won’t see too much of a difference on Server 2008, with the exception of adding support for IPv6.

How DHCP Works

Let’s talk a minute about the basic workings of how DHCP works. The DHCP server sits and waits for a client computer to turn on and need an IP. It does this through a very basic 4 step process which I will explain below.

1. Discovery — When a computer is setup to use DHCP and is attached to the network it sends out a broadcast called DHCPDISCOVER looking for a DHCP server. Alternatively, it will request the last IP used by its DHCP client.

2. Offer — The DHCP server will respond with a lease offer that is called DHCPOFFER and includes the lease duration, IP address, subnet mask, clients MAC address, and IP address of the DHCP server.

3. Request — Once the client computer receives the offer and accepts it, it then sends out a broadcast called DHCPRequest that contains the IP address of the DHCP server that issued the accepted client IP. This tells other DHCP servers that their offer if any was refused, and keeps the IPs free for others.

4. Acknowledgement — The DHCP server then sends out a DHCPACK packet to the client that includes lease duration and any other configuration information needed by the client. At this point the IP configuration process is done and the client configures its network interface.

It is important to note that the majority of these messages are broadcasts which means that your routers must be configured to pass these on if the DHCP server is not on the same subnet as the client.

There are other options to get around this limitation, but really, if your router is that old, you are better off upgrading anyway.

Windows Server 2008 DHCP Install Environment

For this demo I am going to assume we have the following already setup:

• Windows Server 2008 Installed
• Active Directory Domain Services Installed
• DNS Server Installed
• Static IP on DHCP Server

The domain for this demo is named tstdemo.com and the server we are installing DHCP on is a domain controller. I normally wouldn’t recommend this, but since I am using a Virtual PC to show this demo, I am going to only have one server to use.

Install DHCP Role on Server 2008

Ok, now that we have discussed what DHCP is and how it does its magic, let’s go ahead and install the DHCP role.

1. Open Server Manager

2. In the left pane click on Roles and in the center pane click on Add Roles

3. You might get a Before You Begin page next if it hasn’t been disabled before this. It just generally warns you that if you are going to install a role on this server to make sure that it has a strong password, has the latest updates loaded, and has a static IP.

You can place a check mark next to Skip this page by default, if you don’t want to see this warning again or leave it blank and click Next.

4. On the Select Server Roles page go ahead and place a check next to DHCP Server in the list, then you can click Next.

5. The next screen discusses what a DHCP Server does, which we already covered but feel free to read through it again. Once you are done go ahead and click on Next.

6. For the Select Network Connection Bindings page, the wizard will list out the network adapters you have available to bind the server to for servicing clients.

In our case we only have one adapter so it is an easy choice. Select the adapters you are working with and click Next.

7. On the Specify IPv4 DNS Server Settings screen you will fill in the name of the parent domain, and at least one preferred DNS server.

Please note that the DNS server is a Mandatory fill to continue. If you have this information setup on the server already, it will use what you have in the network and Active Directory Domain Services information to pre-fill the fields.

Either confirm or input your own information and click Next.

8. The next screen asks you to specify your WINS server. If you don’t know what WINS is and your network doesn’t need it, consider yourself lucky!

Some legacy applications still need it though, and while I won’t get into an explanation of what it does, you should find out if you are using it before proceeding.

Either select WINS is not required for applications on this network, if you’re not using it, or input the WINS Server IPs if you are. Either way click on Next when you are finished.

9. The next window will allow you to add scopes to your DHCP server. Scopes are the range of IP’s that are handed out to the client computers.

I am going to choose NOT to add a scope at this time, because I will go in-depth on that subject in my next article. At this time just click on Next.

10. Now we come to a new screen for Windows DHCP servers and it asks about configuring IPv6 Stateless Mode.

I will go into this subject at a later time, so for this install I am going to leave Enable DHCPv6 stateless mode for this server selected and click on Next.

11. The next screen will ask for the IPv6 DNS Server Settings, much like the IPv4 screen I am going to use the default for Parent Domain and then type ::1 for the DNS IPv6 address which is the equivalent of localhost. Click Next when done.

12. The next step is to authorize the DHCP server in Active Directory. This is done to keep rogue DHCP servers from being put on the network to service clients.

In this window you will either choose to use the currently logged in users credentials or you can use alternate ones. You can also skip this step and authorize later.

I am going to go ahead and authorize the server, since I didn’t give it any scopes I am not worried about it handing out IPs before I am ready. Make your choice and click Next.

13. The last screen provides a summary of all your selections. Review your choices and then click Install to start. Please note the information message that a server reboot might be needed.

14. The installation results screen will show the status of the install, if everything went well you should see Installation Succeeded. Click on Close.

There you have it, you have now installed the DHCP role on a Windows Server 2008 machine.

In my next article we will go in depth on configuring a scope and other options for the client on the DHCP server.

Related posts:

• Configure DHCP on Windows Server 2008
• 10 Steps to Installing the Web Server Role in Windows Server 2008
• Role Playing with Windows 2008 Server Core

To do that you need something functioning as a router, since this may be virtual machines, you can’t just plug-in a hardware solution.

This will allow you to mimic a much larger network and teach you how things might be done in a mid to enterprise sized environment.

For this walkthrough I will show you how to turn a Server 2008 box with two network interfaces into a router.

Install Routing on Windows Server 2008

I am going to be running this demo on a cleanly installed Windows Server 2008 virtual machine that is configured with two network interfaces both set to "Local Only" in Virtual PC 2007.

It currently holds no role information and will only function as a router. We will also configure RIP routing protocol so it can talk to other routers on the network.

1. Start Server Manager.

2. Click on Roles, and then click on Add Roles.

3. Since this is a clean install we get a Before You Begin warning page telling us that if we’re going to install a role on a server to make sure it is secure. If you get this page, just click Next.

4. On the Select Server Roles page go ahead and place a check next to Network Policy and Access Services. Click Next after you’re done.

5. The next page gives you an overview of the Network Policy and Access Services and everything that you can do with it. Read through the various options and click Next.

6. The Select Role Services page now comes up and we are going to go ahead and place a check next to Routing & Remote Access Services.

Note that you cannot just click on Routing because it is dependent on the Remote Access Service also being installed; then click Next.

7. You are now asked to confirm your installation selections, review everything and then click on Install.

8. After a few minutes you should see an Installation Results page and the outcome hopefully is Installation Succeeded, review any messages and then click Close.

9. Now in Server Manager you can see in roles that Network Policy and Access Services is now installed, but it is in a down state because no devices are associated to the service.

Go ahead and close out Server Manager as that now concludes the install of the Router service on the Windows Server 2008.

Configure Routing on Windows Server 2008

Ok let’s go ahead and get routing enabled and configured by associating some of our network adapters with the service.

1. Click on Start, Administrative Tools, Routing and Remote Access

2. When the Routing and Remote Access MMC starts you will notice that the server has a red down arrow showing that it is currently offline.

Right click on the server and select configure and Enable Routing and Remote access.

3. The Routing and Remote Access Server Setup Wizard will now come up, go ahead and click Next to get started.

4. There are quite a few default options for this service that include:

• Remote Access
• Network Address Translation (NAT)
• Virtual Private Network (VPN) & NAT
• Secure Connection Between Two Private Networks
• Custom Configuration

We are going to choose Custom Configuration and click Next.

5. In the Custom Configuration screen you can choose several services, but for this demo go ahead and place a check next to LAN routing and then click Next.

6. Again you will see a summary of your selections and you can go ahead and click on Finish.

7. Next a pop-up window will tell you that Routing & Remote Access service is now ready to use, and you can click on Start service to start it.

8. After a few seconds the service will start and the wizard will close. You can see in the Routing and Remote Access MMC that the server now has a green up arrow which shows that it is in a enabled state and functioning.

If you expand out the IPv4 folder and left click on General you will see the network interfaces listed in the right pane. Now right click on General and select New Routing Protocol.

9. The New Routing Protocol window will contain 4 available protocols:

DHCP Relay Agent
IGMP Router and Proxy
NAT
RIP Version 2 for Internet Protocol

For this demo we are going to choose RIP Version 2 for Internet Protocol, though if you wanted the router to pass DHCP information you would also want to enable DHCP Relay Agent, but for this demo it is not necessary.

Make your selections and click OK.

10. You should now see the RIP protocol under the IPv4 folder in your Routing and Remote Access MMC.

If you select it, you will find no information on it, because we need to enable the network interfaces we want this to work on. Go ahead and right click on RIP, then select New Interface.

11. You can now add either interface, but not both as you can only approve one interface at a time. For this demo we are going to be working on Local Area Connection, select it and then click Ok.

12. The RIP properties window now comes up to be configured.

There are many different options you can configure in this window, but unless you are using other types of routers in your network with RIP you can just leave the defaults in place. Go ahead and click Ok.

13. Go ahead and repeat steps 11 and 12 for Local Area Connection 2, and then you should see both interfaces under RIP in the Routing and Remote Interface MMC.

You have now configured the Windows Server 2008 virtual machine to function as a router between its two network cards.

As I mentioned this can help you setup a segmented network that will allow you to emulate a corporate environment for testing and learning.

While this article focused on setting it up for a virtual environment, it would also work the same way if you configured this on a physical server.

Related posts:

• Install DHCP Role on Windows Server 2008
• Server 2008: Install Active Directory Certificate Services
• Configure DHCP on Windows Server 2008

The main reason for this of course, is that Windows Web Server 2008 does not allow you to install the Microsoft DNS Role.

In this part of the series I will walk you through an initial configuration of the BIND DNS server. First let’s talk about a few different types of DNS server setups available.

Authoritative Name Servers

Every DNS zone, like www.trainsignaltraining.com, is served by at least one authoritative name server which contains all the DNS records for the zone.

To account for fault tolerance most zones have more than one server that keeps all these records in case of outages.

Because of this you will have two types of Authoritative Name Servers — one that keeps the master copy of the zone and that server is called the primary master, and the other called a slave or secondary server that loads their data from the master server by a means of zone replication.

Caching Name Servers

Also called a recursive name server, this is most commonly the local DNS server that your operating system talks to.

When you make a request on your local PC, more than likely it will go out to your ISP’s DNS Caching server which will make a request to the Authoritative Name Server. One of the features of most caching servers is that it will keep that request cached for a certain amount of time to speed lookups.

Creating an Authoritative Name Server with BIND

Once BIND DNS is installed you will see that it is a pretty bare install and needs to be setup via configuration files.

For some Wintel administrators this may be a little daunting in an age of GUI interfaces, but don’t worry it isn’t too painful, and gives you good practice for some *nix cross training.

In this demo I am going to create a Authoritative Name Server for the domain bindtest.com at the IP of 192.168.11.13, as a note this is only accessible at my internal network so don’t go searching around for it.

To refresh your memory we installed BIND DNS at C:\Windows\System32\dns

1. Start by opening a command prompt with administrative rights by clicking on the Start menu, right click Command Prompt then left click on Run as Administrator

2. Type in the following at the command prompt hitting Enter after each line:

cd c:\windows\system32\dns\bin (or where you installed BIND)
rndc-confgen –a
rndc-confgen > C:\windows\system32\dns\etc\rndc.conf

Close the command prompt

3. Open Explorer and go to C:\windows\system32\dns\etc and create the following directories:

run
zones
log

Create an empty file in the log directory called named.log

4. Download the following file: named.conf and place it in C:\windows\system32\dns\etc (or wherever you installed BIND).

If you did install BIND in a different directory, then in the named.conf go in and change the location in options for the directory to your install location.

5. You also need to modify the named.conf to change the zone to the domain you want to manage.

In our example I am using bindtest.com, but you need to change this to match your domain.

You should also change the file name to replace db.bindtest.com.txt to db.%yourdomain.com%.txt –replacing %yourdomain.com% with your domain name.

6. Open rndc.conf in notepad (in the etc folder) and copy everything below the line that says:

# Use with the following in named.conf

7. Open named.conf and paste the contents of the clipboard at the end of the file.

Remove all the # from each line and delete the first line copied in and the last line copied in so it looks like the picture below. Save and close named.conf

8. Download the following file: db.bindtest.com.txt and place it in C:\windows\system32\dns\etc\zones

9. Rename db.bindtest.com.txt to whatever you used in step 5, so that the file is named db.%yourdomain.com%.txt — replacing %yourdomain.com% with your domain name.

10. Open the db.bindtest.com.txt (or whatever you renamed it) and modify the following then save the file:

Change any reference to bindtest.com to your domain name

Change the serial line to reflect the current date in this format: YYYYMMDDRR
YYYY = YEAR
MM = MONTH
DD = DAY
RR = Revision number (01 if this is the first time)

Change the IPs to the IPs that your servers are using

Now you are configured to be an Authoritative Name Server for bindtest.com (or whatever your domain is named) with no recursive lookup.

Open Server Firewall

If you are using a firewall for your server either software or hardware, you will want to make sure that incoming requests on UDP port 53 are open. This will make sure that your server will accept incoming queries.

Start the BIND DNS Service

Ok, we are finally ready to actually start this service. Let’s go in and start this service.

1. Go to the Start button, then to the Administrative Tools, then left click on Services

2. Scroll down and find ISC Bind and right click on it, then click on Start to start the service.

That’s it! The BIND DNS service is now up and running and ready to accept queries. Let’s test out the service.

Testing BIND DNS

I am going to use a very cool tool that is loaded with BIND DNS that’s called DIG.

You will find it in the bin directory where you installed BIND. The tool will go out and query for a domain name and grab all the DNS records. Let’s take a look:

1. Open a command prompt and navigate to the bin directory

2. Type in the following to get a feel for what you get back and hit Enter:

Dig Yahoo.com any

3. Below you will see a piece of the output:

4. Now that you know what to look for, I am going to use my test domain bindtest.com with the dig tool by typing: Dig @192.168.11.13 bindtest.com any

Note: I use @192.168.11.13 because bindtest.com is not registered with ICANN so it tells dig to use the name server at that address.

5. You can see that the BIND Name Server is responding with the correct information:

We have now configured an Authoritative Name Server for the test server bindtest.com that responds correctly to DNS requests.

A quick note, when you make changes you will have to restart the ISC BIND Service or run the command c:\windows\system32\dns\bin\rndc reload from a command prompt or batch file.

Related posts:

• Install BIND DNS on Windows Web Server 2008 – Part 1
• Configure DHCP on Windows Server 2008
• Role Playing with Windows 2008 Server Core

The 2003 version of this edition was severely limited by licensing to what you could install and do on it, and was really only a solution for the most basic of web sites.

The 2008 version has had most of those limits removed and is now a much more viable alternative for hosts and companies looking for a economical Windows based web server running IIS7.

One of the most glaring oversights for this edition of Windows Web Server is the exclusion of the DNS role. I understand the argument from Microsoft that if you are running this edition of server more than likely your hosting company will have a DNS infrastructure in place and most users can and will use that.

I counter that with the fact that I like to control my own DNS name servers and records and do not like having to deal with a hosting company infrastructure that may or may not be streamlined for DNS requests.

I have read in various forums that the Server team is looking into this and it may change in the future, but for now we will have to find another solution for this problem.

This low cost (free) solution is going to be — installing BIND DNS on the server and configuring it to handle DNS queries.

Today I’ll focus on the installation part and in Part 2 I’ll show you how to configure BIND DNS on Windows Web Server 2008.

BIND DNS Server

BIND (Berkeley Internet Name Domain) is an open source implementation of Domain Name System (DNS) protocols distributed for free under the BSD License.

It is currently maintained on the Internet Systems Consortium and is used by the majority of the DNS servers on the Internet.

The current version we are going to be using in this article is BIND 9.5.0-P2-W2 (Windows-specific fixes). You can download the current version at:

http://www.isc.org/index.pl?/sw/bind/index.php

Creating a User Account for Bind

BIND requires a local user with only "Log on as a service" privilege. The installer will actually check for this, and if the user has more rights it will ask if you really want to use that ID.

The default user for the BIND installer is named, but you can do any other name you want.

1. Open the Computer Management console

2. Select Local Users and Groups and then right click on Users, select New User…

3. Fill in the new user information, I am going to use the following and then click Create before closing the New User window:

User name: named
Description: BIND DNS Account
Password: %password%
Confirm Password: %password%
Unselect: User must change password at next logon
Select: User cannot change password
Select: Password never expires

4. Now open the Local Security Policy MMC from the Administrative Tools Menu.

5. Expand Local Policies then select User Rights Assignment in the policy pane; scroll down and right click on Log on as a service, then left click Properties.

6. Click on Add User or Group…

7. Type in the user account you created, in our case the default named, then click Check Names to make sure you typed it correctly, then click Ok.

8. Click Ok to exit the properties box, and you should see the account listed now next to the Log on as a service policy.

That’s it for the user account for now. Later you will have to give the account you created read/write rights to the directory you install BIND into, but that will be covered in a bit.

Install BIND DNS on Windows Web Server 2008

This is where we will walk through the install and initial configuration of BIND DNS. Let’s get started!

1. Unzip the download and then click on BindInstall.exe to start the installation.

2. The installer will ask for the following information:

Target Directory: Your choice
Service Account Name: The account we created earlier
Service Account Password: Password used
Confirm Service Account Password: Password used

For options I am leaving the default , when you are done click Install

3. When you click on Install you might get a message saying the account has too many privileges, just click on No to continue. You can go in and strip out more of the accounts rights, but as a average user, the attack profile will be low.

4. After a few seconds you should see a message that states Bind installation completed successfully. Click Ok, and then click Exit on the installer.

5. We now want to go in and give the user account you have been using full read/write rights to the directory you installed BIND to.

You have now installed BIND on the server and set it up to run as a service. It is important to note that the installer does not copy over the help html files, so if you are going to need those you can move them to a convenient location yourself.

Summary

In this article we have installed BIND DNS on a Windows Web Server and set it up to run as a service under a local user.

Now since BIND DNS comes from the *NIX side of the house there is quite a bit more we have to do to configure this before it runs.

In the next article we will go through configuring BIND DNS with some demo configurations.

Related posts:

• Configure BIND DNS on Windows Web Server 2008 – Part 2
• Windows Server 2008 Active Directory — Creating Users is Easy!
• Windows Server 2008: Install Active Directory Domain Services

For a short recap, AD CS is the backbone of Microsoft’s Public Key Infrastructure (PKI) implementation. It will allow you to issue certificates for SSL/TTL user on websites or digitally sign your email.

Now let’s take a look at installing Active Directory Certificate Services.

Certain versions of Server 2008 only allow certain AD CS components to be installed; please take a look at this table for reference:

• CA – issues certificates to users, computers and services while also managing their validity; comes in root and subordinate
• Network Device Enrollment Service – allows network devices (i.e. routers) to request and receive certificates based on Simple Certificate Enrollment Protocol (SCEP)
• Online Responder Service – implements Online Certificate Status Protocol (OCSP) by evaluating certificate status, decoding revocation status requests, and sending back signed responses containing certificate status information

Install Enterprise Certificate Authority on a Windows 2008 Server

As I outlined in my earlier article, there are two varieties of root CA’s: the Enterprise and Stand-Alone. Each has their advantages and configuration, but in this case we are going to install an Enterprise CA.

I am going to be installing this root CA server in my test Active directory domain named ADExample.com on a Windows Server 2008 Enterprise version.

The server is a member of the domain, and is a domain controller. Let’s get started.

1. Open Server Manager.

2. Select Roles, then click Add Roles in the center pane.

3. The Before You Begin page may show up if you haven’t turned it off already. If you see it just click Next.

4. In the Select Server Roles window go ahead and select Active Directory Certificate Services by placing a checkmark next to it, then go ahead and click Next.

5. Now you will see an Introduction to Active Directory Certificate Services, where you can read about the good things you can do with AD CS.

The biggest thing to note here is the following:

Name & Domain settings of this computer cannot be changed after a CA has been installed. If you want to change the computer name, join a domain, or promote this server to a domain controller do so BEFORE install thing the CA.

Now with that warning out of the way, go ahead and click on Next.

6. Next you get to Select Role Services, which can include any of the following depending on what version of Windows Server 2008 you are installing this on — refer to the table above for specifics.

For this install I am going to choose the Certification Authority only.

7. Now comes the Specify Setup Type, and for this I am going to select the Enterprise radio button.

8. For the Specify CA Type, I am going to choose the Root CA radio button and then click Next.

9. In Set Up Private Key, I am going to choose Create a new private key radio button and then select Next.

10. Now you have to Configure Cryptography for CA in this window and there are quite a few to choose from.

Now I am no expert on cryptography, but some basic rules do apply … the longer the key the harder it is to crack. For our purposes I am going to use the following settings:

RSA#Microsoft Software Key Storage Provider
4096 Key Character length
md5 Hash algorithm

Now I am going to click Next.

11. In Configure CA Name you can choose to overwrite the default common name for this CA and also the Distinguished name suffix if you so choose.

I am going to overwrite the default common name with Test-Enterprise-CA, but I will leave the rest alone.

12. Next we will Set Validity Period for this CAs certificate.

Remember a root CA issues itself a certificate. The default is 5 Years so I will just leave it at that. You can change this based on any need you might have in your environment. Click Next.

13. Configure Certificate Database will let you specify where you want to put the database and log files for the CA.

I am going to leave the default in place. Click Next.

14. On the Confirm Installation Selections you can see the answers you have chosen and you will again see a warning that you cannot change the computer name or domain settings for this server after installing the CA.

Go ahead and click Install… you know you want to!

15. After a few minutes you will see the Installation Results, and with any luck you will have the message: Installation succeeded.

After your glow of certificate happiness fades go ahead and click Close.

16. Now let’s go in and take a look by clicking on Certification Authority in Administrative Tools (if you get a UAC pop up just click Ok).

17. Now you can see the snap-in is showing the CA named Test-Enterprise-CA in the left pane with a bunch of folders for certificates.

18. You can also see that if you click the Certificate Templates folder, there are quite a few default templates that are already setup and ready to go.

Summary

Now that we have installed the Active Directory Certificate Services the next step would be to request some certificates and configure them.

The installation for a stand-alone CA is very similar to this. In fact if you are not in a domain and if you are not installing as a domain admin you will not even get the option for an Enterprise CA setup, so if you see that grayed out you now know why.

In my next article we will take a look at some of the uses for certificates and how to request and install them on servers and clients.

Related posts:

• Server 2008: Active Directory Certificate Services
• Windows Server 2008: Install Active Directory Domain Services
• Active Directory Improvements in Windows Server 2008

Certificate Services are the backbone for using Public Key Infrastructures (PKI) on a Windows Server.

In case you don’t know what PKI is — it is a security system of digital certificates, certification authorities (CAs), and registration authorities. PKI verifies the identity of each side that is involved in the digital transaction by verifying the certificates they are using.

Microsoft’s implementation of PKI is in a hierarchical CA model. A very simple example will have just a single Certification Authority, but it is very scalable to contain multiple CAs with defined parent and child roles.

At the top of the hierarchy is the Root CA, with every CA that is a child under that root being called a Subordinate CA.

The root CA in this implementation is key, if you trust the root CA then you trust every subordinate CA in that hierarchy that has a valid certificate. Because of this the root CA should be highly secured as it is the pinnacle of trust in an organization.

Root Certification Authority

As we discussed, the Root CA is the highest level of trust in the organization’s Public Key Infrastructure. If it gets compromised all your subordinate CAs are vulnerable to exploitation. Because of this, not only should the root CA be secured at the system level at all times, but in the physical as well.

Best practice is to only issue certificates for other subordinate CAs from the root CA even though you could issue certificates to end users.

Subordinate Certification Authority

Really the workhorses of the PKI organization, the subordinate CAs will be the servers that should be issuing certificates for most end user needs.

Some of these needs are secure e-mail, Web-based authentication, or smart card authentication. The subordinate CA will derive its authority from either the root CA or a subordinate CA that has issued it a certificate building, another layer in the hierarchy.

Some of the reasons for setting up multiple subordinate CAs are:

• Load Balancing — If you issue a large number of certificates and they are in use constantly you will want several subordinates to issue the same kind of certificate to balance the load among multiple servers.
• Redundancy — If you only have one CA and it fails, there will be nothing to respond to user requests and that is going to be a problem. By having multiple CAs you can guarantee to have something to respond to those requests.
• Logical and Geographic Division — Whether your network is divided by logical organizations or even physical sites, it might make sense to have different CA’s available in those different divisions to service those specific users and ease administrative strain.
• Usage — You may find it advantageous to divide your CAs by their usage, such as one set only does secure e-mail and another set does network authorization. This can make delegation and administration of those functions easier to deal with.

There are also many 3rd party CA suppliers such as Verisign or GeoTrust which use various methods to verify users’ credentials before issuing a certificate to them.

It is important to stress that ANYONE can create a CA so you must decide if you are going to trust those 3rd party CAs based on their stated policies and administration.

While these 3rd party issuers are useful for certain applications like e-commerce websites, most internal company uses will not require such measures and an internal CA structure should be setup.

Enterprise Certification Authorities

These CAs are tied into the Active Directory Domain Services (AD DS) role in the domain and that gives them additional functionality. You can use an Enterprise CA to issue certificates for the following:

• Digital Signatures
• Secure E-mail Using S/MIME (Secure MultiPurpose Internet Mail Extensions)
• Authenticate to a Secure Web Server Using Secure Socket Layer (SSL) or Transport Layer Security (TLS)
• Logon to the Domain Using a Smart Card

To install an Enterprise CA you will need access to Active Directory Domain Services which requires a user that is a member of the Domain Admins group or an administrator with write access to AD DS.

One of the benefits of being tied into the AD DS is that it can use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. It will also publish user certificates and certificate revocation lists (CRLs) to AD DS.

Enterprise CAs can issue certificates based on templates which will do the following:

• Enforce credential checks on users during enrollment. Every certificate will have permissions set in AD DS that will determine if the requester has authorization to receive the type of certificate they are trying to request.
• Subject name can be generated in the template from information in AD DS or it can be supplied by the user requesting the certificate.
• Predefined list of extensions to be used by the certificate which will reduce the information the user has to supply to receive the requested certificate.
• Users can be issued certificates through Autoenrollment

Stand-Alone Certification Authorities

These CAs share many similarities with their Enterprise cousins but not all of the functions. They also require more administration then an Enterprise CA because there is no verification of the users credentials from the AD DS.

You can use the Stand-Alone CAs for the following:

• Digital Signatures
• Secure E-mail Using S/MIME (Secure MultiPurpose Internet Mail Extensions)
• Authenticate to a Secure Web Server Using Secure Socket Layer (SSL) or Transport Layer Security (TLS)

Some of the characteristics of a Stand-Alone CA are as follows:

• All certificate requests are set to pending for the administrator to manually review. This is the default action and it is recommended that you use this mode especially if you are installing a stand-alone CA in a domain.
• Templates are not used
• Administrator has to specifically distribute the stand-alone CA’s certificate to the users’ trusted root store or users will have to do it themselves

As mentioned above, a stand-alone CA can be installed in a domain and will gain these additional functions:

• If a Domain Admin or an administrator with write access installs the stand-alone root CA, it will publish its certificate to the Trusted Root Certification Authorities certificate store for all domain users and computers.
  
  Because of this reason it is well advised that you leave all requests to pending to verify identity otherwise any requested certificate will be trusted by the entire domain.
• A stand-alone CA will also publish its certificate and certification revocation list (CRL) to AD DS if it is installed by a Domain Admin or account with write access to AD DS.

Summary

This article has given you a broad overview of Active Directory Certificate Services and hopefully gotten you ready to take the next step and start to look at how to implement.

In my next article I will show you how to install the services on a Windows 2008 Server and create a certificate.

Related posts:

• Server 2008: Install Active Directory Certificate Services
• Active Directory Improvements in Windows Server 2008
• Active Directory Rights Management Services: System Requirements & Other Considerations

If you have not read it or need a review please check out that article before proceeding.

Back already? Good, let’s move on!

There are two parts we will be configuring in this article the first will be DFS NameSpace and then we will move on to the DFS Replication.

Configure DFS NameSpace on Server 2008

The DFS NameSpace will be the client facing aspect of DFS and what really makes life easier for the end users.

Having a common namespace across your enterprise for the users to share files will cut down on support calls and make collaboration on documents a breeze.

Let’s go ahead and configure a DFS Namespace through the DFS Management MMC Snap-In.

1. Open DFS Management Snap-in.

2. In the left pane click on Namespaces and then in the right column click New Namespace…

3. In the New Namespace Wizard, the first thing it wants to see is your server that will host the Namespace.

In this case it will be the domain controller that I installed DFS on, so let’s go ahead and enter that name in TESTDOMAIN and then click Next.

4. The next window is Namespace Name and Settings, and it is asking for the name of the namespace.

Depending on if this is a standalone install or a domain, this is the name that will be after the server or domain name. In this case I am going to type the namespace Sharedfiles.

Notice when you type in the name the Edit Settings button becomes live. This is because the wizard will create the shared folder. You can modify the settings it uses at this time by clicking Edit Settings.

5. You can now edit the following settings:

      Local path of share folder
      Shared folder permissions

I am going to go with Administrators have full access; Other users have read and write permissions.

If you select Custom you can choose specific groups and users and give them specific rights. Click Ok when you are done choosing permissions, then click Next.

6. Next comes the Namespace Type, there are two choices: Domain-based namespace or Stand-alone namespace. There are some big difference between the two so let’s take a quick look at them now:

• Domain-based namespace – Stored on one or more servers and in Active Directory Domain Services. Increased scalability and access-based enumeration when used in Server 2008 mode.
• Stand-alone namespace – It is stored only on a single namespace server, for redundancy you have to use a failover cluster.

I am going to go with Domain-based namespace in Windows Server 2008 mode and you can see the preview is going to be \\ADExample.com\Sharedfiles, once your choice is made click on Next.

7. The next screen lets you review the choices you just made, if they are correct go ahead and click Create.

8. Next you will see a screen telling you that the namespace is being created. After a few minutes you should see the status of Success, and then click Ok.

9. Now in DFS Management Snap-in you can see the Namespace we just created.

10. Let’s go ahead and quickly create a folder. Right click on the namespace and click New Folder.

11. Now type the name of the folder you want. In this case I am going to be very original and type Folder1, but hopefully you will use something more descriptive when the time comes.

Below the Name field you will see a space that shows you a preview of the Namespace with this new folder. Also under that you will see Folder Targets. This allows you to point this folder at a shared folder already on your network.

That way you don’t have to migrate files over, but be warned; if you setup these target folders there is no replication, so if that share goes down for any reason users will not be able to access that data.

Go ahead and click Ok.

12 You will now see in the DFS Management Snap-in Folder1 under the namespace we just created.

Configure DFS Replication

Ok now that we have a Namespace configured and we have placed a folder in that namespace let’s setup replication with another server in the domain to make sure that users can always get their data and we don’t get any complaints!

1. Open DFS Management Snap-in.

2. In the left pane go ahead and right click on Replication and then left click on New Replication Group.

3. Your first choice is: if you want a Multipurpose replication group or Replication group for data collection.

In most cases you will want the Multipurpose replication group, but in some cases where you wanted to grab data from a remote server and bring it to a centralized backup server the group collection would help.

In our case we are going to use Multipurpose replication group, and click Next.

4. Next we are going to set the name of the replication group; the only limit is that the group must be unique for the domain it servers.

In our case let’s use testrep for the group name. After typing it in click Next.

5. Next we are going to add the group members. Click Add and enter the name of the servers that are going to be members of this group.

In my case it is going to be TSTest and TESTDOMAIN; after they are entered click Next.

6. In the next page we are going to choose the Topology for the group. Since we only have two servers we will be defaulted to Full Mesh which will work in this example.

On this page you will also see an explanation of the other topologies if you need them. Click Next.

7. Replication Schedule is next on the list to configure. There are A LOT of option here for every bandwidth budget and the ability to limit it to certain days and times.

I am going to leave the default since we are just in my virtual lab, but you may need different settings based on your server locations and connections. Once set, click Next.

8. Primary member is now the next thing to be set. This is to set the authoritative member for the INITIAL replication.

In our case we will use TESTDOMAIN, and then click Next.

9. Now we can setup the folders we want to replicate to the other server.

Click Add and you will be prompted for the folders information. In this case I am going to choose to replicate the folder we used in the last example Folder1. Note that you can always change permissions on the replication target by selecting Custom Permissions, or you can leave them as is by leaving it at Existing Permissions.

I am going to enter all the info, click Ok and then click Next as that is the only folder I am replicating.

10. Next you must set the local path for the replicated folder on the other server.

It is by default disabled, so highlight the partner server and click Edit. Select Enable and then browse and you can navigate to a folder you have already created or create one in the desired location.

After you’re done you can click Ok, and if that is your only partner server click Next.

11. Next you can review your settings and then click Create; after a few seconds you should go to a Confirmation page where you will see a success messages for each step.

After review click Close.

12. After that you will see a popup window telling you:

"Replication will not begin until the configuration is picked up by the members of the replication group. The amount of time this takes depends on Active Directory Domain Services replication latency as well as the polling interval".

Basically the meaning of this is that if you specified remote servers in different sites, you will have to wait until Active Directory replicates the data out with their next sync.

Click Ok to get passed this.

Now that we have configured the namespace and setup replication let’s take a look at how it would be used by our ever grateful end users.

1. Click start.

2. Type in the domain and namespace, in our case it was \\ADExample.com\Sharedfiles and hit Enter.

3. You should get an explorer window with the Folder1 in the center pane.

Remember this has been the very basic structure of DFS and depending on your need and environment you can create very robust namespaces and replication.

Related posts:

• Server 2008: Installing Distributed File System (DFS)
• Lesson 5: Windows Server 2008 File and Print Servers
• Server 2008 Active Directory User Groups — the Easy Way!

The first is the benefit of being able to have one Namespace that all users can use, no matter what their location, to locate the files they share and use.

The second is a configurable automatic replication service that keeps files in sync across various locations to make sure that everyone is using the same version.

Let’s take a look at these two very important aspects of DFS.

• DFS NameSpaces – Each namespace appears as a folder with subfolders underneath.
  
  The trick to this is that those folders and files can be on any shared folder on any server in your network without the user having to do any complicated memorization of server and share names.
  
  This logical grouping of your shares will also make it easier for users at different sites to share files without resorting to emailing them back and forth.
• DFS Replication – This service keeps multiple copies of files in sync.
  
  Why would you need this? Well if you want to improve performance for your DFS users you can have multiple copies of your files at each site.
  
  That way a user would be redirected to the file local to them, even though they came through the DFS Namespace. If the user changed the file it would then replicate out to keep all copies out in the DFS Namespace up to date.
  
  This feature of course is completely configurable.

What’s New in DFS Server 2008?

Distributed File System in Server 2008 has added some additional functionality and improved stability from some of the problems that might have plagued earlier DFS implementations.

Most new features are contingent on running your DFS NameSpace in Server 2008 mode which means all servers are Windows Server 2008 AND the domain is running at Server 2008 domain functional level.

DFS NameSpaces Changes:

• Access-based Enumeration – Users are only allowed to see files and folders that they have access to through permissions.
  
  This feature requires either a standalone Server 2008 NameSpace or a domain based NameSpace running in 2008 domain functional level.
  
  It is not enabled by default and has to be activated through the following command line:
  
         dfsutil property abde enable \\‹namespace_root›
• Improved Command Line Tools – Windows Server 2008 DFS NameSpaces has a new version of dfsUtil and a diagnostic tool to help troubleshoot issues named dfsdiag.
• Search within the DFS NameSpace – Windows Server 2008 has the ability to run a search through the NameSpace and target folders.
  
  Convenient if you want to do a targeted search across all the documents in the NameSpace instead of having to attach to each server.

Improved Functionality in DFS Replication:

• Performance Improvements – Server 2008 DFS Replication includes several improvements including: Faster replication both for small and large files, Initial synchronization is faster, Network bandwidth is utilized better.
• Improved Unexpected Shutdowns Handling – There are a few reasons for unexpected shutdown of the DFS NameSpace, and when they occur it can cause the NameSpace database to become corrupt or out of sync.
  
  In earlier versions of DFS, this could cause the entire database to be rebuilt which would be very time consuming and resource intensive. The Windows Server 2008 DFS rarely has to rebuild its database after an unexpected shutdown and allows a much quicker recovery.
• Content Freshness – A new feature in Windows Server 2008 DFS keeps servers that are part of the DFS NameSpace that might be offline for an extended period of time from overwriting other servers when it comes back online.
• Replicate Now – Administrators now have the ability to force replication in the NameSpace on demand, temporarily ignoring the replication schedule.
• Support for Read Only Domain Controllers (RODC) – Any changes detected on the RODC are rolled back by the DFS Replication service.
• SYSVOL Replication – Server 2008 replaces the use of FRS (File Replication Service) with DFS Replication for Active Directory DS for domains that are running at the Server 2008 functional level.
• Propagation Report – Shows a report based on a test file created during a diagnostic propagation test.

Install DFS Role on Windows Server 2008

Now that we know more than we probably wanted to about Windows Server 2008 DFS NameSpaces let’s go ahead and run through installing the role on a server.

For our example I am using a Windows Server 2008 Domain Controller running Active Directory DS at the Server 2008 functional level.

1. Open Server Manager.

2. Go to Roles in the left pane, then click Add Roles in the center pane.

3. Select File Services from the list of roles.

You will see a short description of what the File Services role provides in the upper right corner in case you needed it. Click Next when done.

4. Now you will get an Introduction to File Services information screen; read through it and move on by clicking Next.

5. In Select Service Roles you can click on Distributed File System and it should also place a check next to DFS Namespaces & DFS Replication; after this click Next.

NOTE: At the bottom you will see Windows Server 2003 File Services and File Replication Service. You would only choose this if you were going to be synchronizing the 2008 server with old servers using the FRS service.

6. On the Create a DFS Namespace screen you can choose to create a namespace now or later.

For this tutorial I am going to create one later as I will have another article going into greater details. So I am going to choose Create a namespace later using the DFS Management snap-in in Server Manager and then click Next.

7. The next screen allows you to confirm your installation selections, so review and then click Install.

8. After a short interval of loading you will see the Installation Results screen which will hopefully have Installation succeeded in the top right. Go ahead and click Close.

9. In Server Manager you should now see File Services and under the Role Services you will see the installed components:

Distributed File System
      DFS Namespaces
      DFS Replication

Now that you have DFS installed the next step is to create a namespace and configure replication. I will be covering these in my next article.

Related posts:

• Server 2008: Configuring Distributed File Systems (DFS)
• Lesson 5: Windows Server 2008 File and Print Servers
• 10 Steps to Installing the Web Server Role in Windows Server 2008

Auditing is exactly what it sounds like — it keeps a record of things that have been modified in Active Directory.

In previous versions of Windows Server there was not a lot of granular control in what you were auditing. Let’s explore some of the new auditing features in Server 2008.

Auditing Changes in Windows Server 2008

One of the most significant changes over the Server 2000 and Server 2003 versions of auditing is that now you can not only audit who and what attribute was changed but also what the new and old value was.

This is significant because you can now tell why it was changed and if something doesn’t look right you’re able to easily find what it should be restored to.

Another significant change is that in the past you were only able to turn auditing policy on or off for the entire Active Directory structure. In Windows Server 2008 the auditing policy is configurable for four subcategories:

• Directory Service Access
• Directory Service Changes
• Directory Service Replication
• Detailed Directory Service Replication

This article will focus on enabling auditing on Directory Service Changes which will show us the ability to audit changes to Active Directory Domain Services.

Implementing Auditing on Windows Server 2008

In Server 2008 when setting up auditing there are three places you can modify to implement controls:

• Global Audit Policy – In Server 2008 the Global Audit Policy is not on by default and must be enabled.
• System Access Control List (SACL) – Is the ultimate authority if an access check gets audited or not.
  
  The SACL is part of the security descriptor for an active directory object and specifies which operations should be audited. These are set by the security administrators who have been assigned Manage Auditing and Security Log privileges. It is assigned automatically to the Administrators Group.
• Schema – To protect administrators from generating too many auditing events there is an override that can be set in the schema to exclude any events that have an attribute set.
  
  We will not be covering the Schema modification in this article, but this is important for you to know.

Enable Global Audit Policy on Windows Server 2008

The first step is to enable the audit policy. I will walk you through both doing it through the GUI and then through the command line:

1. Go to Start, Administrative Tools, and then click on Group Policy Management.

2. Navigate down through your Forest, to the Domains, then Domain Controllers and left click on Default Domain Controllers Policy.

You will get a warning that changes here will impact all other locations that the GPO is linked to. Click Ok.

3. Right click on Default Domain Controllers Policy and then left click on Edit…

4. Navigate under Computer Configurations → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy

5. Right click on Audit Directory Service Access, and then click Properties.

6. Select Define these policy settings and then select Success. Click on Apply and then Ok.

That’s it! You now have configured auditing via GUI.

Let’s take a look at the command line method (much faster):

1. Start Command Prompt with elevated rights.

2. Type in the following command and hit Enter:

auditpol /set /subcategory:”directory service changes” /success:enable

I told you it was much faster! You should see The command was successfully executed. Now let’s move on to the next step.

Setup Auditing in System Access Control List (SACL)

As was mentioned earlier, the SACLs do most of the work in determining what gets auditing and what doesn’t.

Please note that there are many different types of SACLs that can be setup; we are only using one as an example.

1. Open Active Directory Computers and Users.

2. Click on View and make sure that Advanced Features is enabled. If not left click on it to place a check next to it.

3. Right click on any of the Organizational Units you want to audit; in our example I am going to audit Users. Then click on Properties.

4. In the Properties window click on Security.

5. Next click on Advanced.

6. Click the Auditing tab, then click Add.

7. Under Enter the object name to select:, type in Authenticated Users and click Ok.

8. In the next window under Apply onto:, select Descendant User Objects and under Access check the box for Successful next to Write all properties and click Ok.

9. Click Ok until you are out of any dialog boxes.

Now that we have enabled auditing in a SACL let’s go ahead and give it a test.

Example Security Events with Auditing Enabled

With auditing enabled, all events will be logged under the Security Event Viewer. Let’s see what happens when you change a value on an object.

For brevity sake, I am going to create a user called audittest, change his name from Audit Test to Test Audit and then we will take a look in the security log to see what was shown.

There are two images that show the change that corresponds with Event 5136, here is the first one which shows the value being deleted, which in this case is Audit Test:

The next image shows the changed object’s new value which in our case is Test Audit:

So you can see that it is very helpful if you are watching these types of things to know what the old value was compared to the new value, in case you need to quickly and easily reset the attribute without having to go to a backup.

There are a ton of things you can audit depending on the situation and your need.

Related posts:

• Active Directory Improvements in Windows Server 2008
• Windows Server 2008: Install Active Directory Domain Services
• Lesson 3: Active Directory Users and Groups in Windows Server 2008