Mastering Windows Server 2022 - Fourth Edition

Product type: Book
Published in: May 2023
Publisher: Packt
ISBN-13: 9781837634507
Edition: 4th Edition
Author: Jordan Krause

Jordan Krause has been an IT professional for more than 20 years and has received 9 Microsoft MVP awards for his work with Microsoft server and networking technologies. One of the world's first experts on Microsoft DirectAccess, he has a passion for helping companies find the best ways to enable a remote workforce. Committed to continuous learning, Jordan holds certifications as an MCSE, MCSA, and MCITP Enterprise Administrator, and has authored numerous books on Microsoft technologies. Jordan lives in beautiful West Michigan (USA), but works daily with companies around the world.

Demote an old Domain Controller

Creating new servers and turning them into Domain Controllers is technically known as promoting those servers to become Domain Controllers. This process is fairly straightforward, and easy to accomplish in a fresh environment without any history of changes or issues, such as inside a test lab. Now let’s cover one of the messier things that you may encounter as a server administrator, removing an old Domain Controller server. The process of removing a DC from your environment is known as demoting. Demoting a Domain Controller can be straightforward if the old server is online, or it can be a little convoluted if the old server has died, and you are now trying to remove all traces of it from the domain without being able to take the standard removal steps.

Demoting while the old server is still online

If you are removing an old Domain Controller and it is still online, the process is pretty painless. Log into that server, and accomplish the following...
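The following is an added example, not the book's own step list, showing the pre-flight checks and the demotion of a Domain Controller that is still online, done from PowerShell on that server. The name of the DC that stays in the domain (`DC2`) is an assumption, as is the choice to move any FSMO roles before demoting rather than letting the demotion seize them.

```powershell
# Added example (not from the book): pre-flight checks and demotion of a DC
# that is still online. Run in an elevated PowerShell on the DC being demoted.
# $keepDc is an assumed name for a healthy DC that remains in the domain.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$oldDc  = $env:COMPUTERNAME   # the DC being demoted (this script runs on it)
$keepDc = 'DC2'               # assumed: a healthy DC that stays in the domain

# 1. Find out which FSMO roles, if any, the old server still holds.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$heldHere = $roles.GetEnumerator() |
    Where-Object { $_.Value -eq $oldDc -or $_.Value -like "$oldDc.*" } |
    ForEach-Object { $_.Key }

# 2. Move any role the old server still holds to the DC that is staying,
#    instead of relying on -DemoteOperationMasterRole to seize them during demotion.
if ($heldHere) {
    Move-ADDirectoryServerOperationMasterRole -Identity $keepDc `
        -OperationMasterRole $heldHere -Confirm:$false
}

# 3. Confirm replication is healthy and the roles now sit elsewhere before
#    removing a replica; stale partners are what make a later cleanup messy.
repadmin /replsummary
netdom query fsmo

# 4. Dry-run the demotion: Test-* performs the same validation without changing anything.
$localAdminPwd = Read-Host -AsSecureString -Prompt 'Local Administrator password for the demoted server'
Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdminPwd

# 5. Demote. The server reboots as an ordinary domain member and its computer
#    object leaves the Domain Controllers OU.
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdminPwd -Force
```

For the other case the chapter mentions, a DC that has died, the same cmdlets cannot run because the server is gone; on current Windows Server versions, deleting the dead server's computer object from the Domain Controllers OU (or its server object in Active Directory Sites and Services) performs the metadata cleanup that previously required `ntdsutil`.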

Group Policy

In a network that is based upon Windows Server and Active Directory, it is almost always the case that the primary set of client computers is also based upon the Microsoft Windows operating systems, and that these machines are all domain-joined. Setting everything up this way not only makes sense from an organizational perspective inside Active Directory, but also allows centralized authentication across devices and applications, as we have already talked about. I know that a couple of the examples I gave earlier in the book went something like, "What about when a company has a security policy in place that..." or "Make sure your servers don't get those existing security policies because..." So what are these magical security policies anyway, and how do I set one up?

This is the power of Group Policy. It enables you to create Group Policy Objects (GPOs) that contain settings and configurations that you want to apply to either computers or users in your Active Directory domain...

Summary

Anyone who has been around Windows Server before knows that Active Directory is nothing new and certainly not something coming to us new in Windows Server 2022. AD has been the authentication underpinning of any Microsoft-centric environment for a very long time and will continue to be far into the future for anyone who hosts an on-premises datacenter. Knowing and understanding AD is entirely critical for the mastery of Windows Server 2022, because without this knowledge your career in server administration won't even make it off the ground.

Some hints were dropped in this chapter about another core infrastructure technology that is often in place alongside Active Directory on all of your domain controller servers, DNS. To effectively manage a Microsoft infrastructure, in my opinion there are three in-the-box server technologies that any admin must be able to work with fluently: Active Directory, DNS, and DHCP. Follow along to Chapter 4, DNS and DHCP, as we cover the latter...

Questions

  1. Inside Active Directory, a container (folder) that holds computer and user accounts is called a(n)…? (Answer: Organizational Unit (OU))
  2. What is the term for creating a computer account inside Active Directory prior to that computer being joined to your domain? (Answer: Prestaging the account)
  3. Which management tool is used to specify that certain physical locations in your network are bound to particular IP subnets? (Answer: Active Directory Sites and Services)
  4. What is the name of a special domain controller that cannot accept new information, only synchronize from an existing domain controller? (Answer: Read-Only Domain Controller (RODC))
  5. What tool is needed to create a Fine-Grained Password Policy? (Answer: Active Directory Administrative Center)
  6. What must be configured inside DNS prior to establishing a forest trust? (Answer: Conditional Forwarder)
  7. What is the command-line command that shows you all FSMO role holders at once? (Answer: netdom query fsmo)
  8. True or False...

Types of DNS zones

You are now familiar with creating different types of DNS records, but that information is only going to enable you to create new records inside of an existing DNS zone. At present in our test lab, we have only one DNS zone available to us, contoso.local, which was created automatically when we built the contoso.local domain. As of right now, computers that are using one of my contoso.local domain controllers as their DNS server are only able to look up DNS records that I have plugged into my DNS zone.

With DNS Server provided by Windows Server 2022, you can certainly build out many different DNS zones, to increase name resolution capabilities in your network. There are plenty of different reasons why you might want to create additional DNS zones, and you should understand what types of zones are available to implement. Let’s take a minute and discuss the different types of zones available to us.

Active Directory Integrated Zones

This is not a...
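As an added example, not code from the book, here is how the additional zones discussed above can be created from PowerShell on a Windows Server 2022 DNS server, with the dynamic-update setting that matters most for an Active Directory integrated zone. The child zone name `lab.contoso.local`, the partner name `fabrikam.local` and the addresses are constructed lab values.

```powershell
# Added example (not from the book): creating DNS zones with PowerShell.
# Zone names other than contoso.local, and all IP addresses, are constructed.
Import-Module DnsServer

# Existing zones and their types; IsDsIntegrated shows whether a zone is stored in AD.
Get-DnsServerZone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate |
    Format-Table -AutoSize

# An AD-integrated primary forward zone replicated to every DC in the domain.
# DynamicUpdate matters: with 'NonsecureAndSecure' any host on the network can
# register or overwrite another machine's record; 'Secure' requires the client
# to authenticate and to own the record it is changing.
Add-DnsServerPrimaryZone -Name 'lab.contoso.local' `
    -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# A reverse lookup zone for the lab subnet, also AD-integrated.
Add-DnsServerPrimaryZone -NetworkId '10.10.10.0/24' `
    -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# A conditional forwarder for a partner forest, sending only that name space
# to the partner's DNS servers (the prerequisite the chapter names for a forest trust).
Add-DnsServerConditionalForwarderZone -Name 'fabrikam.local' `
    -MasterServers '10.20.0.5' -ReplicationScope 'Forest'

# Check: report any AD-integrated zone that still accepts non-secure updates.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, DynamicUpdate
```

The final query is the one worth scheduling: a zone that was created through the wizard with the non-secure option left on is easy to miss, and it is the setting that decides whether an unauthenticated host can change the name-to-address mapping other machines rely on.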

IP addressing with DHCP

IP addresses on your network are sort of like home addresses on your street. When you want to send a package to someone, you write their address on the front of the package and set it in the mailbox. In the same way, when your computer wants to send data to a server or another device on a network, each of those devices has an IP address that is used for the delivery of those packets. We know that DNS is responsible for telling the machines which name resolves to which IP address, but how do those IP addresses get put into place on the servers and computers in the first place?

Static addressing is simply the process of configuring IP addresses on your system manually, using your own hands as the configuration tool to plug all of your IP address information into the NIC settings on that device. While this is a quick and easy way to get network traffic flowing between a few endpoints, by giving them each an IP address, it is not scalable. We do often statically...

Creating a DHCP scope

So far in the new Windows Server 2022 lab environment I have been building, I have been statically assigning IP addresses to all of the servers that are being built. This is starting to get old and is hard to keep track of. When the first domain controller was configured, I installed the DHCP role onto it but haven’t told it to start doing anything yet. What does a DHCP server need to start handing out IP addresses? It needs to know what IP addresses, subnet mask, default gateway, and DNS server addresses are within your network so that it can package that up and start handing the information out to the computers that request it. This package of information inside the DHCP server is called a DHCP scope. Once we define our scope, the DHCP server will start handing out IP addresses from that scope to our new servers and computers that do not already have static addresses defined.

Once again, we need to launch a management tool on our Windows Server 2022...
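The scope described above can also be defined with the DhcpServer PowerShell module rather than the management console. The following is an added example, not the book's own steps; every address, the scope name and the server name `dc1.contoso.local` are constructed lab values.

```powershell
# Added example (not from the book): defining a DHCP scope with PowerShell on a
# Windows Server 2022 DHCP server. All addresses and names are constructed.
Import-Module DhcpServer

$scopeId = '10.10.10.0'

# The scope itself: the address range, its subnet mask and a lease duration.
Add-DhcpServerv4Scope -Name 'Lab LAN' -StartRange 10.10.10.50 -EndRange 10.10.10.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Keep a block of the range free for devices that will get static addresses.
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 10.10.10.50 -EndRange 10.10.10.99

# Scope options handed out with every lease: default gateway (option 3),
# DNS servers (option 6) and the DNS domain name (option 15).
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router 10.10.10.1 `
    -DnsServer 10.10.10.10, 10.10.10.11 -DnsDomain 'contoso.local'

# In a domain, a Windows DHCP server must be authorized in Active Directory
# before it will answer clients. This is the control that stops an unauthorized
# Windows DHCP server from handing out addresses; only Microsoft DHCP servers
# honour it, so it is not a substitute for switch-level DHCP snooping.
Add-DhcpServerInDC -DnsName 'dc1.contoso.local' -IPAddress 10.10.10.10
Get-DhcpServerInDC

# Review what was created.
Get-DhcpServerv4Scope -ScopeId $scopeId
Get-DhcpServerv4OptionValue -ScopeId $scopeId
Get-DhcpServerv4ExclusionRange -ScopeId $scopeId
```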

DHCP reservations

Assigning IP addresses from a big pool of available ones is great, but these address leases are subject to expiry and change. This means that a computer that has 10.10.10.100 today might receive 10.10.10.125 tomorrow. Typically, this is fine from a desktop computer perspective, as they don’t generally care what IP address they have. Client computers are usually reaching outward on the network, and other devices are rarely trying to find and contact them. What if you have a more permanent fixture in your network, like a Windows server, but you don’t want to have to deal with statically addressing this server? Another great example of such a device is a printer that is connected to your network. Some printers don’t even have an interface from which you could assign a static IP address, and once your printer gets a DHCP address you typically want that address to remain the same throughout the printer’s life, because you’ll be configuring...
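Two ways of creating the reservations discussed above, as an added example rather than code from the book: one created up front from the printer's MAC address, and one made by converting the lease a device already holds. The scope, MAC address and host names are constructed lab values.

```powershell
# Added example (not from the book): DHCP reservations with PowerShell.
# The scope, MAC address and host names are constructed lab values.
Import-Module DhcpServer

$scopeId = '10.10.10.0'

# A reservation created up front: this printer always receives 10.10.10.100.
# The binding is to the client ID (its MAC address), not to a lease that expires.
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress 10.10.10.100 `
    -ClientId '00-11-22-33-44-55' -Name 'printer-lobby' `
    -Description 'Lobby printer, keep address fixed' -Type Dhcp

# Converting an existing lease: find the device by host name and pipe its lease
# into Add-DhcpServerv4Reservation, which keeps the address it already has.
Get-DhcpServerv4Lease -ScopeId $scopeId |
    Where-Object { $_.HostName -like 'printer-*' -and $_.AddressState -eq 'Active' } |
    Add-DhcpServerv4Reservation

# A reservation can carry its own options, overriding the scope-level values
# for that one device (here a different gateway for the printer VLAN handoff).
Set-DhcpServerv4OptionValue -ReservedIP 10.10.10.100 -Router 10.10.10.1

# Review: reservations are a list of "this address belongs to this hardware",
# so it is worth comparing it against the asset inventory now and then.
Get-DhcpServerv4Reservation -ScopeId $scopeId |
    Select-Object IPAddress, ClientId, Name, Description, Type |
    Format-Table -AutoSize
```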

DHCP failover

Never too much of a good thing? Just like the creation of multiple domain controller servers creates good redundancy for Active Directory, the DHCP servers in your network can be tied together into a failover pair to create their own form of high availability. While it is true that the DHCP server role often happens to co-exist alongside the AD DS and DNS roles, this is not a requirement. You already know that it is easy to store DNS zones right inside Active Directory so there is automatic replication of zone information, but the same is not true of DHCP scopes.

DHCP is a useful tool both inside and outside of domain environments. As such, it is not as tightly integrated a role as DNS. So when we create DHCP failover, we need to take a more manual approach, and whether or not the DHCP role happens to be hosted on top of a domain controller makes no difference.

Two DHCP servers

In a DHCP server failover environment, two DHCP servers can...
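The failover relationship between two DHCP servers can be created from PowerShell as well as from the console. The following is an added example, not the book's configuration; the server names `dc1.contoso.local` and `dhcp2.contoso.local`, the scope and the relationship name are constructed, and it assumes the partner already has the DHCP role installed and authorized.

```powershell
# Added example (not from the book): creating a DHCP failover relationship.
# Server names, scope and relationship name are constructed lab values.
Import-Module DhcpServer

$primary = 'dc1.contoso.local'    # the server that already owns the scope
$partner = 'dhcp2.contoso.local'  # assumed: DHCP role installed and authorized in AD
$scopeId = '10.10.10.0'
$relName = 'Lab-Failover'

# The shared secret authenticates the failover messages exchanged between the
# two servers. Generate it from a CSPRNG instead of choosing something memorable.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Load-balance mode: both servers answer, splitting new clients 50/50.
# MaxClientLeadTime (one hour is the cmdlet's default) bounds how far a server
# may extend a lease beyond what its partner knows about, so it also bounds
# how long clients keep working while the partners are out of contact.
# The partner does not need the scope pre-created; the relationship replicates it.
Add-DhcpServerv4Failover -ComputerName $primary -Name $relName -PartnerServer $partner `
    -ScopeId $scopeId -LoadBalancePercent 50 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -StateSwitchInterval (New-TimeSpan -Minutes 60) -AutoStateTransition $true `
    -SharedSecret $secret

# Hot-standby variant, where one server answers and the other only takes over
# when the first is unreachable; shown for comparison and not run here.
# Add-DhcpServerv4Failover -ComputerName $primary -Name $relName -PartnerServer $partner `
#     -ScopeId $scopeId -ServerRole Active -ReservePercent 5 `
#     -MaxClientLeadTime (New-TimeSpan -Hours 1) -SharedSecret $secret

# Inspect the relationship from both sides; State should read Normal on each.
Get-DhcpServerv4Failover -ComputerName $primary -Name $relName
Get-DhcpServerv4Failover -ComputerName $partner -Name $relName

# Scope changes made later on one server are not automatically mirrored; push
# them across explicitly after editing options, exclusions or reservations.
Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -Name $relName -Force
```

Because DHCP configuration is not stored in Active Directory, the last command is the part that is easy to forget: a reservation or option added on one partner stays local until replication is invoked, which is the "more manual approach" the chapter refers to.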

IPAM

The IP Address Management (IPAM) feature built into Windows Server 2022 is overlooked by many server administrators because it is a feature and not a full-blown role inside Windows. IPAM is a technology that allows centralized monitoring and management of DHCP and DNS in your environment. If all of your infrastructure is sitting inside one building, it is easy enough to simply use the DNS and DHCP management tools from any server or workstation in your network and have full control over both of those technologies. But how about larger and enterprise-class networks that span many locations, each with its own sets of DNS and DHCP servers? IPAM is useful for gathering up all of those differing namespaces and scopes and providing access to them from one interface.

Let’s install the IPAM feature in my lab so you have an idea of where to start, should you choose to employ this feature. Begin by choosing a server upon which you want to install IPAM, and simply walk through...

Summary

The Microsoft core stack of infrastructure technologies generally consists of Active Directory, DNS, and DHCP—and often you will find all three of these housed on the same servers. Understanding these technologies and knowing how to utilize their associated toolsets is an essential part of any server administrator’s life. As a manager in an IT company, I will tell you with surety that having a grasp on this will greatly improve your chances of finding that sysadmin role you’ve been seeking.

I hope these last two chapters have been beneficial to your overall understanding of the ways that companies make use of Windows Server technology and have given you something to help prepare for IT life in a business setting. Next, we turn to another baked-in component of any Active Directory-focused environment, but one that is often underutilized. Group Policy is an amazingly powerful tool that can be used to enhance security and create automation inside any...

Questions

  1. Which kind of DNS record directs email flow?
  2. Which type of DNS record resolves a name to an IPv6 address?
  3. Which DNS zone type resolves IP addresses backward into hostnames?
  4. Which DHCP option is often used for VoIP phone provisioning?
  5. Which mode of DHCP failover is often used between branch offices and a primary site?
  6. What is the standard recommendation and default setting for Maximum Client Lead Time when configuring load balanced DHCP failover?
  7. Which Windows Server roles can IPAM tap into?

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet

