Mastering Windows Server 2022 - Fourth Edition

Product type: Book
Published in: May 2023
Publisher: Packt
ISBN-13: 9781837634507
Pages: 720 pages
Edition: 4th Edition
Author: Jordan Krause

Table of Contents (20) Chapters

Preface
1. Getting Started with Windows Server 2022
2. Installing and Managing Windows Server 2022
3. Active Directory
4. DNS and DHCP
5. Group Policy
6. Certificates
7. Networking with Windows Server 2022
8. Remote Access
9. Hardening and Security
10. Server Core
11. PowerShell
12. Redundancy in Windows Server 2022
13. Containers
14. Hyper-V
15. Remote Desktop Services
16. Troubleshooting
17. Other Books You May Enjoy
18. Index
Appendix: Answers to the End-of-Chapter Questions

DHCP reservations

Assigning IP addresses from a big pool of available ones is great, but these address leases are subject to expiry and change. This means that a computer that has 10.10.10.100 today might receive 10.10.10.125 tomorrow. Typically, this is fine from a desktop computer perspective, as they don't generally care what IP address they have. Client computers are usually reaching outward on the network, and other devices are rarely trying to find and contact them. What if you have a more permanent fixture in your network, like a Windows server, but you don't want to have to deal with statically addressing this server? Another great example of such a device is a printer that is connected to your network. Some printers don't even have an interface from which you could assign a static IP address, and once your printer gets a DHCP address you typically want that address to remain the same throughout the printer's life, because you'll be configuring computers...

DHCP failover

Never too much of a good thing? Just like the creation of multiple domain controller servers creates good redundancy for Active Directory, the DHCP servers in your network can be tied together into a failover pair to create their own form of high availability. While it is true that the DHCP server role often happens to co-exist alongside the AD DS and DNS roles, this is not a requirement. You already know that it is easy to store DNS zones right inside Active Directory so there is automatic replication of zone information, but the same is not true of DHCP scopes.

DHCP is a useful tool both inside and outside of domain environments. As such, it is not as tightly integrated a role as DNS. So when we create DHCP failover, we need to take a more manual approach, and whether or not the DHCP role happens to be hosted on top of a domain controller makes no difference.

Two DHCP servers

In a DHCP server failover environment, two DHCP servers can be configured...
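
The following PowerShell sketch is an added example, not code from the book: it pins a printer's current lease as a reservation (the DHCP reservations section above) and then ties two DHCP servers into a failover pair. The server names, scope, relationship name and MAC address are constructed lab values; the cmdlets come from the DhcpServer module that ships with the DHCP role and RSAT.

```powershell
# Added example; all names and addresses below are constructed lab values.
$primary    = 'DHCP1.contoso.local'   # assumption: server that already hosts the scope
$partner    = 'DHCP2.contoso.local'   # assumption: second server with the DHCP role installed
$scopeId    = '10.10.10.0'
$printerMac = '00-11-22-33-44-55'     # constructed MAC address of the printer

# 1. Convert the printer's existing lease into a reservation so the
#    address survives lease expiry. Skip it if it is already reserved.
$lease = Get-DhcpServerv4Lease -ComputerName $primary -ScopeId $scopeId |
    Where-Object ClientId -eq $printerMac
if ($lease -and $lease.AddressState -notlike '*Reservation*') {
    $lease | Add-DhcpServerv4Reservation -ComputerName $primary
}

# 2. Create the failover relationship in load balance mode.
#    The shared secret authenticates failover messages between the partners;
#    prompt for it rather than storing it in the script.
$secret = Read-Host -Prompt 'Failover shared secret'
Add-DhcpServerv4Failover -ComputerName $primary -PartnerServer $partner `
    -Name 'DHCP1-DHCP2' -ScopeId $scopeId `
    -LoadBalancePercent 50 -MaxClientLeadTime 01:00:00 `
    -AutoStateTransition $true -StateSwitchInterval 01:00:00 `
    -SharedSecret $secret
# Hot standby variant: replace -LoadBalancePercent 50 with
#   -ServerRole Active -ReservePercent 5

# 3. Push scope configuration, including reservations added later,
#    from the primary to the partner.
Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -ScopeId $scopeId -Force

# 4. Verify the relationship state, that message authentication is on,
#    and that the partner now knows about the reservation.
Get-DhcpServerv4Failover -ComputerName $primary |
    Select-Object Name, PartnerServer, Mode, State, MaxClientLeadTime, EnableAuth
Get-DhcpServerv4Reservation -ComputerName $partner -ScopeId $scopeId
```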

IPAM

The IP Address Management (IPAM) feature built into Windows Server 2022 is overlooked by many server administrators because it is a feature and not a full-blown role inside Windows. IPAM is a technology that allows centralized monitoring and management of DHCP and DNS in your environment. If all of your infrastructure is sitting inside one building, it is easy enough to simply use the DNS and DHCP management tools from any server or workstation in your network and have full control over both of those technologies. But how about larger and enterprise-class networks that span many locations, each with its own sets of DNS and DHCP servers? IPAM is useful for gathering up all of those differing namespaces and scopes and providing access to them from one interface.

Let's install the IPAM feature in my lab so you have an idea of where to start, should you choose to employ this feature. Begin by choosing a server upon which you want to install IPAM, and simply walk through the Add...

Summary

The Microsoft core stack of infrastructure technologies generally consists of Active Directory, DNS, and DHCP—and often you will find all three of these housed on the same servers. Understanding these technologies and knowing how to utilize their associated toolsets is an essential part of any server administrator's life. As a manager in an IT company, I will tell you with surety that having a grasp on this will greatly improve your chances of finding that sysadmin role you've been seeking.

I hope these last two chapters have been beneficial to your overall understanding of the ways that companies make use of Windows Server technology and have given you something to help prepare for IT life in a business setting. Next, we turn to another baked-in component of any Active Directory-focused environment, but one that is often underutilized. Group Policy is an amazingly powerful tool that can be used to enhance security and create automation inside any domain.

Questions

  1. What kind of DNS record directs email flow? (Answer: MX record)
  2. Which type of DNS record resolves a name to an IPv6 address? (Answer: AAAA record)
  3. Which DNS zone type resolves IP addresses backward into hostnames? (Answer: Reverse Lookup Zone)
  4. What DHCP option is often used for VoIP phone provisioning? (Answer: Option 66)
  5. Which mode of DHCP failover is often used between branch offices and a primary site? (Answer: Hot standby mode)
  6. What is the standard recommendation and default setting for Maximum Client Lead Time when configuring load balanced DHCP failover? (Answer: One hour)
  7. Which Windows Server roles can IPAM tap into? (Answer: Active Directory, DNS, DHCP, and NPS! We didn’t talk about NPS in this chapter because we have not yet covered any NPS material, but it is a fourth role that can report data into IPAM.)

Policy versus preference

There is an important distinction that every Group Policy administrator needs to understand about GPO settings. There are two different types of policy settings, and they behave very differently. Now that we understand the differences between Computer Configuration and User Configuration, the next tier you’ll notice inside Group Policy Management Editor is a pair of sub-folders titled Policies and Preferences.

Policies

Managed policies, the items listed under the Policies section of both computer and user configurations, generally behave like true gentlemen. These are settings that you put into place expecting results: the setting is forced into place, and nothing the user tries to do can change it. When you reverse course and remove a GPO from a system, they happily comply. What do I mean by that? When you plug some policy settings into a GPO and then link that GPO to a location, you expect those settings to be put into place on the machines or users...

Default Domain Policy

Throughout this chapter, we have bounced in and out of the GPMC a number of times, and now that you know what a GPO looks like and how to identify GPO links, you have probably noticed a GPO linked to the root of the domain called Default Domain Policy. This GPO comes built in with Group Policy. Every environment has one unless an admin has taken steps to delete it, which I would not recommend.

The Default Domain Policy applies to every user and computer that is part of your domain directory. Since this GPO is completely enabled right off the bat and applies to everyone, it is commonplace for companies to use it to enforce global password policies or security rules that need to apply to everyone. In fact, many who are unfamiliar with Group Policy and uncomfortable with creating, linking, and filtering their own GPOs will just continually throw more and more settings in the Default Domain Policy.

All of these settings will apply successfully, of course –...
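
To see how much has accumulated in the Default Domain Policy, the following added example (not code from the book) inventories the setting areas the GPO carries by reading its XML report. It needs the GroupPolicy module from the GPMC or RSAT, and the `$baseline` list is an assumption to adjust for your own domain.

```powershell
# Added example: inventory which setting areas a GPO contains.
Import-Module GroupPolicy

$gpoName  = 'Default Domain Policy'
# Assumption: the areas you intend this GPO to carry. The names are the
# <Name> values found in the XML report; adjust after reviewing a first run.
$baseline = @('Security')

# Basic facts: when the GPO last changed and whether both halves are enabled.
Get-GPO -Name $gpoName |
    Select-Object DisplayName, GpoStatus, ModificationTime, ComputerVersion, UserVersion

[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml

# Walk the Computer and User halves and list each configured extension.
$areas = foreach ($side in 'Computer', 'User') {
    foreach ($ext in @($report.GPO.$side.ExtensionData)) {
        if ($null -eq $ext) { continue }   # this half has no settings
        [pscustomobject]@{
            Side       = $side
            Area       = $ext.Name
            # Count of top-level setting elements inside the extension
            Settings   = @($ext.Extension.ChildNodes |
                             Where-Object NodeType -eq 'Element').Count
            InBaseline = $baseline -contains $ext.Name
        }
    }
}
$areas | Sort-Object Side, Area | Format-Table -AutoSize

# Areas outside the baseline are candidates for a review of what was added
# to this GPO and when.
$areas | Where-Object { -not $_.InBaseline } |
    Select-Object Side, Area, Settings

# Where the GPO is linked and whether those links are enabled or enforced.
$report.GPO.LinksTo | Select-Object SOMPath, Enabled, NoOverride
```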

Administrative Templates

Go ahead and edit a GPO, any GPO, so that you have the Group Policy Management Editor open in front of you. Expand the Policies folder for either Computer Configuration, User Configuration, or both, and you will notice a folder inside each called Administrative Templates. Most of us generally think of Administrative Templates the same as any other GPO configuration setting, simply a collection of items with which you can manipulate users or computers, right? Sort of, but while Software Settings and Windows Settings are built into Group Policy and are basically the same for any domain environment, Administrative Templates are customizable.

Administrative Templates showcase the flexibility of Group Policy. Each setting within Administrative Templates is pulled from template files that reside on your domain controller servers. These template files are ADMX files. All of the information needed to display the setting inside Group Policy Management Editor is...

The Central Store

When opening up the Group Policy Management Console and creating or editing a GPO, the settings available within your console session are settings pulled from ADMX/ADML files that are on the hard drive of the computer or server from which you are using the GPMC. When implementing new settings via ADMX files, it would be a huge chore to have to copy those new files into place on every one of your domain controllers, in addition to all of the client computers where you might have the RSAT tools installed. Thankfully, there is a solution to automate this for you!

The Central Store is something that can be enabled in Active Directory that allows the replication of ADMX/ADML files. Once you enable the Central Store, all of your Group Policy management machines, such as domain controllers, will look to the store as their repository for these template files.

Enable the Central Store

All that it takes to enable the Central Store in Active Directory is the creation...

Summary

Group Policy is an incredibly powerful tool to have at your disposal when working within a domain environment. Many pre-built configurations and settings exist, and since we can manipulate the registry on client machines, the sky is pretty much the limit on what you can manage on your client computers via GPOs.

As is the case with many topics inside Windows Server, there is so much information related to Group Policy that it warrants a book of its own. Thankfully, I had the opportunity to do exactly that! If you are interested in discovering more about Group Policy and all of the ways that it can be used to secure your infrastructure, check out my title Mastering Windows Group Policy (https://www.packtpub.com/networking-and-servers/mastering-windows-group-policy).

Questions

  1. Are screensaver settings computer or user configuration?
  2. Do domain-level or OU-level links process first?
  3. What is the special GPO setting that forces user settings to apply to any user on a given computer?
  4. What type of GPO filtering do you configure inside the GPO itself, such as with a mapped network drives policy?
  5. True or false – it is possible for a user to override a Group Policy preference.
  6. What is the default timer between Group Policy background refresh cycles?
  7. What kind of GPO filtering could be utilized to assign settings only to laptop computers?
  8. If you find a USB stick on the ground labeled “CEO financials,” what should you do with it?

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet
