You're reading from Mastering Windows Server 2022 - Fourth Edition

Product type: Book
Published in: May 2023
Publisher: Packt
ISBN-13: 9781837634507
Edition: 4th Edition
Jordan Krause
Jordan Krause has been an IT professional for more than 20 years and has received 9 Microsoft MVP awards for his work with Microsoft server and networking technologies. One of the world's first experts on Microsoft DirectAccess, he has a passion for helping companies find the best ways to enable a remote workforce. Committed to continuous learning, Jordan holds certifications as an MCSE, MCSA, and MCITP Enterprise Administrator, and has authored numerous books on Microsoft technologies. Jordan lives in beautiful West Michigan (USA), but works daily with companies around the world.

In-place upgrading to Windows Server 2022

Before wrapping this chapter, let’s enter into this taboo topic. As technology consumers, we are very much used to the idea of in-place upgrades. In fact, we expect them to work flawlessly, and we whine and complain when they don’t. iPhone operating systems, Android version updates, Windows feature pack installations, and even something like a Windows 7 to Windows 10 upgrade are all expected to work seamlessly after a couple of simple pushes of a button. Those of us who have worked in Windows Server administration for more than a few years do NOT have this same mindset about server upgrades. For so many years it was normal that in-place Windows Server upgrades were almost guaranteed to tank your server, leaving it useless in the end. Because of this, server upgrades almost always meant replacing the server rather than upgrading it. You would leave the production server running, spin up a new one in parallel, configure all of the roles...

Summary

Anyone interested in being a Windows Server administrator needs to be comfortable with installing and managing their servers, and covering those topics establishes an important baseline for moving forward. It is quite common in today's IT world for new operating system releases to be thoroughly tested by companies before deploying them, both because server hardware resources are so easily available to us through virtualization technologies, and because most business systems are now being designed for 100% uptime. This kind of reliability requires very thorough testing of any platform changes, and, in order to accomplish such testing of the Windows Server 2022 operating system in your environment, you will be burning quite a bit of time spinning through the basic installation processes numerous times. I hope that you can put the suggestions provided in this chapter to good use in saving you precious extra minutes when dealing with these tasks in your Windows Server world.

...

Questions

  1. What is the name of the new web-based, centralized server management tool from Microsoft (fun fact, this toolset was formerly known as Project Honolulu)? (Answer: Windows Admin Center (WAC))
  2. True or False—Windows Server 2022 needs to be installed onto rack-mount server hardware. (Answer: False. Windows Server 2022 can be installed onto physical hardware, or as a virtual machine instance.)
  3. True or False—By choosing the default installation option for Windows Server 2022, you will end up with a user interface that looks quite like Windows 10. (Answer: False. The default installation option for Server 2022 will land you with a Server Core instance, with no graphical interface.)
  4. What is the PowerShell cmdlet that displays currently installed roles and features in Windows Server 2022? (Answer: Get-WindowsFeature | Where Installed)
  5. True or False—Server Manager can be used to manage many different servers at the same time. (Answer: True)
  6. What is the name of the...

Multiple domain controllers for redundancy

Now that we have configured our first domain controller, we should jump in and start setting up objects inside Active Directory, right? Not yet! I’m being a little dramatic here; of course, you can jump ahead and start using the tools that interface with AD, which we will discuss immediately following this section of our chapter. But if you are setting up a real environment and not just monkeying around in a test lab, it is going to be super critical that you establish redundancy in your domain.

Adding a second domain controller is even easier than spinning up the first one. Simply take the same steps that you did last time, with one exception to the way that the NIC is configured:

  1. Spin up a new server.
  2. Set a static IP.
  3. Configure a good permanent hostname.
  4. Deviation from before: Instead of configuring your NIC’s DNS server settings to point at the new server itself, point your primary DNS to the existing...

Active Directory Users and Computers

There is not a single tool that is used to manage all facets of Active Directory. Since it is such an expansive technology, our configuration of the directory is spread across a number of different management consoles. Let’s take a look at each of them, and a couple of the most common tasks that you will be performing inside these tools. Any of these management consoles can be launched from any of your domain controller servers, and just as we saw in a previous chapter, the easiest way to launch these consoles is right from the Tools menu in the upper-right corner of Server Manager.

I’ll start with the tool that is alphabetically last in the list of our Active Directory tools, because this is by far the one that the everyday server administrator will use most often. AD Users and Computers is the console from which all of the user accounts and computer accounts are created and managed. Open it up, and you will see the name of your...

Active Directory Domains and Trusts

This tool is generally only used in larger environments that have more than one domain within the same network. As we discussed earlier, a company may utilize multiple domain names to segregate resources or services, or for the better organizational structure of their servers and namespaces within the company. You already know the differences between a domain and a forest and how the domain resides within the forest. Another way to think of the forest is as the boundary of your AD structure. If you have multiple domains beneath a single forest, it does not necessarily mean that those domains trust each other. So, users from one domain may or may not have permission to access resources on one of the other domains, based on the level of trust that exists between those domains. When you have a domain and are adding child domains under it, there are trusts placed automatically between those domains, but if you need to merge some domains together in...

Active Directory Sites and Services

Sites and Services is another tool that is generally only employed by companies with larger Active Directory infrastructures. As is the case with any server, if having one domain controller is good, then having two domain controllers is even better. As your company grows larger, so does your Active Directory infrastructure. Before you know it, you will be looking into setting up servers in a second location, then a third, and so on. In a domain-centric network, having domain controller servers in each significant site is a general practice, and you could soon be looking at dozens of domain controller servers running in your network.

Turning on new domain controllers and joining them to your existing domain so that they start servicing users and computers is pretty easy. The harder part is keeping all of the traffic organized and flowing where you want it to. If you have a primary datacenter where the majority of your servers are located, you...

Active Directory Administrative Center

While it is critical to understand and be familiar with the tools we have looked at so far that help us manage Active Directory, you can tell that their aesthetics are a bit dated. The Active Directory Administrative Center (ADAC), on the other hand, has a much more streamlined interface that looks and feels like the newer Server Manager that we are all becoming more and more comfortable with. Many of the functions available within the ADAC accomplish the same things that we can do through the other tools already, but it pulls these functions into a more structured interface that brings some of the most commonly utilized functions up to the surface and makes them easier to run.

One great example is right on the landing page of ADAC. A common helpdesk task in any network is the resetting of passwords for user accounts. Whether the user forgot their password, changed it recently and mistyped it, or you are resetting a password during some other...

Read-only domain controllers

The first domain controller you set up in your network will be a fully writable one, able to accept data from the domain-joined users and computers working within your network. In fact, most DCs in your network will likely be fully functional and writable. However, it’s worth taking a quick minute to point out a limited-scope DC that can be installed, called a Read-Only Domain Controller (RODC). Just like the name implies, an RODC can only have its directory data read from it. Writes that might be attempted against the domain from a user’s computer, such as a password change or new user account creation, are impossible with an RODC. Instead, RODCs receive their directory data from other, more traditional domain controllers and then utilize that data to verify authentication requests from users and computers. Where would a limited-access domain controller like this be beneficial? Many companies are installing them in smaller branch offices...
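The numbered steps for a second domain controller above, and the RODC variant described here, share one promotion path, so here is a single PowerShell script covering both. This is an added example, not the book's own code; it assumes the domain contoso.local, an existing DC at 10.0.0.10, a new server to be named DC02 at 10.0.0.11/24 with a NIC alias of "Ethernet", and is run elevated on the new server.

```powershell
# Added example, not from the book. Promotes an additional DC into an existing
# domain; with -ReadOnly it becomes an RODC instead of a writable DC.
# Assumed values: domain contoso.local, existing DC 10.0.0.10, new server
# 10.0.0.11/24 named DC02, NIC alias "Ethernet". Run elevated on the new server.
param(
    [string]$Domain     = 'contoso.local',
    [string]$ExistingDc = '10.0.0.10',   # first DC; it is also our primary DNS
    [string]$NewIp      = '10.0.0.11',
    [string]$Gateway    = '10.0.0.1',
    [string]$NewName    = 'DC02',
    [string]$SiteName   = 'Default-First-Site-Name',
    [switch]$ReadOnly                    # promote as a Read-Only Domain Controller
)

# Step 3: hostname. A rename needs a reboot before promotion, so rerun after it.
if ($env:COMPUTERNAME -ne $NewName) {
    Rename-Computer -NewName $NewName -Force -Restart
    return
}

# Steps 2 and 4: static IP, and DNS pointed at the EXISTING DC, not at ourselves.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress $NewIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $ExistingDc

# Pre-flight: the new box must be able to locate the domain's DCs through that DNS
# server; if this lookup fails, the promotion will fail too, only later and louder.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $ExistingDc -ErrorAction Stop | Out-Null

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

$cred = Get-Credential -Message "Domain Admins member for $Domain"
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'
$common = @{
    DomainName                    = $Domain
    Credential                    = $cred
    SiteName                      = $SiteName
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true
}
if ($ReadOnly) {
    # RODC: directory data is pulled from writable DCs and no writes are accepted here.
    # The default password replication policy caches no passwords; widen it deliberately
    # per branch office with -AllowPasswordReplicationAccountName if you need to.
    Install-ADDSDomainController @common -ReadOnlyReplica
} else {
    Install-ADDSDomainController @common
}
```

After the promotion reboot, add the new DC's own address as a secondary DNS server on both DCs so that neither depends solely on the other for name resolution.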

FSMO Roles

Active Directory is like a database, a potentially huge database, synced across a potentially huge number of different Domain Controller servers in your environment. In an environment with lots of DCs spread across numerous sites, the potential for change conflicts is huge. What if DC1 in Redmond receives a change and needs to sync it around the entire domain, and at the same time DC22 in London receives an instruction to sync a change that conflicts with the change on DC1? What now? Who wins? In the early days of Active Directory, there was one single master domain controller server, known as the Primary Domain Controller (PDC), that was responsible for making all changes like this. Technically, the PDC role no longer exists, but some of the same protections are still in place under the hood through the use of Flexible Single Master Operation (FSMO) roles. Every instance of Active Directory has FSMO roles, and FSMO role holders. In a lot of cases, the same Domain Controller...
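Because an FSMO role holder that is offline simply stops performing that role, it pays to know which DCs hold them and whether they are up. The following script, an added example rather than the book's own, lists the five role holders and checks each one; it assumes the ActiveDirectory PowerShell module (RSAT or a DC) and a DC02 that exists in your domain for the transfer command in the closing comment.

```powershell
# Added example, not from the book: enumerate the five FSMO role holders and
# check that each one answers. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Forest-wide roles are reported by Get-ADForest, domain-wide roles by Get-ADDomain.
    [pscustomobject]@{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Role = 'RIDMaster';            Holder = $domain.RIDMaster }
    [pscustomobject]@{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
}

$roles = Get-FsmoRoleHolder
$roles | Format-Table -AutoSize

# An unreachable holder is not "out-voted" by the other DCs; the role just stops
# working (no new RID pools, no PDC password chaining, no schema changes).
foreach ($r in $roles) {
    $dc   = Get-ADDomainController -Identity $r.Holder
    $ping = Test-Connection   -ComputerName $dc.HostName -Count 1 -Quiet
    $ldap = Test-NetConnection -ComputerName $dc.HostName -Port 389 -InformationLevel Quiet
    '{0,-22} {1,-32} ping={2} ldap={3}' -f $r.Role, $dc.HostName, $ping, $ldap
}

# Move a role to another DC while the current holder is still online (transfer):
#   Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator
# Only if the holder is permanently gone, add -Force to seize it; the old holder
# must then never be brought back onto the network holding the same role.
```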

Demote an old domain controller

Creating new servers and turning them into Domain Controllers is technically known as promoting those servers to become Domain Controllers. This process is fairly straightforward, and easy to accomplish in a fresh environment without any history of changes or issues, such as inside a test lab. Now let’s cover one of the messier things that you may encounter as a server administrator: removing an old Domain Controller server. The process of removing a DC from your environment is known as demoting. Demoting a Domain Controller can be straightforward if the old server is online, or it can be a little convoluted if the old server has died and you are now trying to remove all traces of it from the domain without being able to take the standard removal steps.

Demoting while the old server is still online

If you are removing an old Domain Controller and it is still online, the process is pretty painless. Log into that server, and accomplish...
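Before running the demotion itself, there are a few things worth checking on the old server so that nothing important disappears along with it. The script below is an added example, not the book's own code; it assumes the DC being removed is DC01, the DC that stays is DC02, and the ActiveDirectory module is present on DC01 where the script runs.

```powershell
# Added example, not from the book: pre-flight checks, then demotion of a DC that
# is still online. Assumed names: DC01 is being removed, DC02 remains. Run on DC01.
Import-Module ActiveDirectory
$Old  = 'DC01'
$Keep = 'DC02'

# 1. Does the old DC still hold FSMO roles? Transfer them now, on our terms; a DC
#    that dies later can never hand them over and they would have to be seized.
$f = Get-ADForest; $d = Get-ADDomain
$roles = @{
    SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
    PDCEmulator  = $d.PDCEmulator;  RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster
}
$held = $roles.GetEnumerator() | Where-Object { $_.Value -like "$Old.*" } | ForEach-Object { $_.Key }
if ($held) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Keep -OperationMasterRole $held -Confirm:$false
}

# 2. Is another Global Catalog left? Logons need one to resolve universal groups.
$otherGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true -and Name -ne $Old }
if (-not $otherGc) { throw "$Old is the only Global Catalog; enable GC on $Keep first" }

# 3. Is replication clean? Demoting with outstanding failures can lose recent changes.
repadmin /replsummary

# 4. Demote. -DemoteOperationMasterRole covers any role the check above missed.
$local = Read-Host -AsSecureString -Prompt "Local Administrator password for $Old after demotion"
Uninstall-ADDSDomainController -LocalAdministratorPassword $local `
    -DemoteOperationMasterRole -RemoveApplicationPartitions -Force

# Afterwards: repoint any client or server whose DNS settings still name $Old at $Keep,
# and remove the old DC's stale DNS records. If the old DC had died instead of being
# demoted, the same clean-up happens through metadata cleanup: delete its object under
# the Domain Controllers OU in AD Users and Computers, or use ntdsutil "metadata cleanup".
```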

Group Policy

In a network that is based upon Windows Server and Active Directory, it is almost always the case that the primary set of client computers is also based upon the Microsoft Windows operating systems, and that these machines are all domain-joined. Setting everything up this way not only makes sense from an organizational perspective inside Active Directory, but also allows centralized authentication across devices and applications, as we have already talked about. I know that a couple of the examples I gave earlier in the book went something like, What about when a company has a security policy in place that... or Make sure your servers don’t get those existing security policies because... So what are these magical security policies anyway, and how do I set one up?

This is the power of Group Policy. It enables you to create Group Policy Objects (GPOs) that contain settings and configurations that you want to apply to either computers or users in your Active Directory...
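As an added example (not the book's own code) of what such a GPO looks like when built from PowerShell rather than the console: it creates a GPO, writes two Computer Configuration settings into it as registry values, and links it to an OU. Assumed names: domain contoso.local, an OU called Servers, a GPO called "Server Baseline - LSA", and the GroupPolicy module from RSAT-GPMC.

```powershell
# Added example, not from the book: create a GPO, populate a machine-side setting,
# link it to an OU, and verify. Assumes OU=Servers,DC=contoso,DC=local exists.
Import-Module GroupPolicy

$GpoName  = 'Server Baseline - LSA'
$TargetOu = 'OU=Servers,DC=contoso,DC=local'
$LsaKey   = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'

# Idempotent: reuse the GPO if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Added example: LSA hardening' }

# Computer Configuration settings are applied to the machine regardless of who logs on.
# NoLMHash=1: stop storing the weak LM hash when passwords are set or changed.
Set-GPRegistryValue -Name $GpoName -Key $LsaKey -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null
# LmCompatibilityLevel=5: send NTLMv2 only and refuse LM and NTLMv1 authentication.
Set-GPRegistryValue -Name $GpoName -Key $LsaKey -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

# Link the GPO to the OU unless it is already linked there.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null }

# Verify: the XML report of the GPO should now contain both values.
Get-GPOReport -Name $GpoName -ReportType Xml | Select-String 'NoLMHash|LmCompatibilityLevel'
```

On a member server in that OU, `gpupdate /force` followed by `gpresult /r` shows whether the GPO was applied; the two values can then be read back from the Lsa registry key.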

Summary

Anyone who has been around Windows Server before knows that Active Directory is nothing new, and certainly not something arriving for the first time in Windows Server 2022. AD has been the authentication underpinning of any Microsoft-centric environment for a very long time and will continue to be far into the future for anyone who hosts an on-premises datacenter. Knowing and understanding AD is entirely critical for the mastery of Windows Server 2022, because without this knowledge your career in server administration won’t even make it off the ground.

Some hints were dropped in this chapter about another core infrastructure technology that is often in place alongside Active Directory on all of your domain controller servers, DNS. To effectively manage a Microsoft infrastructure, in my opinion there are three in-the-box server technologies that any admin must be able to work with fluently: Active Directory, DNS, and DHCP. Follow along to Chapter 4, DNS and DHCP, as we cover...

Questions

  1. Inside Active Directory, a container (folder) that holds computer and user accounts is called a(n)…?
  2. What is the term for creating a computer account inside Active Directory prior to that computer being joined to your domain?
  3. Which management tool is used to specify that certain physical locations in your network are bound to particular IP subnets?
  4. What is the name of a special domain controller that cannot accept new information, only synchronize from an existing domain controller?
  5. What tool is needed to create a fine-grained password policy?
  6. What must be configured inside DNS prior to establishing a forest trust?
  7. What is the command-line command that shows you all FSMO role holders at once?
  8. True or False? It is faster to manually remove a Domain Controller from the domain than it is to follow the Server Manager role removal wizard.
