
DNS Server

Domain name servers, or DNS, are an incredibly important but almost entirely hidden part of the Internet. The DNS system forms one of the largest and most active distributed databases on the planet; without it, the Internet would stop working very quickly. When you use the Web or send an e-mail message, you use a domain name to do it. For example, the URL "http://www.school-of-it.com" contains the domain name school-of-it.com, and so does the e-mail address test@school-of-it.com.

DNS is a system for naming computers and network services that organizes them into a hierarchy of domains. DNS naming is used on TCP/IP networks, such as the Internet, to locate computers and services by user-friendly names. When a user enters the DNS name of a computer in an application, DNS clients and servers work together to look up the name and return the information associated with that computer, such as its IP address or the services it provides for the network. This process is called name resolution.

Domain controller

The domain controllers in a Microsoft Windows network, as well as any backup domain controllers, are central to the security of every device on that network and must be secured to a high level. The actions necessary to secure domain controllers include the following:

o Realize that the domain controller (DC) is the keeper of the "crown jewels": the security of every machine in the domain depends on securing the DC well.
o Maintain physical security. The security of the network depends on physically securing and carefully maintaining the domain controller and any backup DCs.
o Secure the DC according to the Microsoft recommendations for a domain controller.
o Use only a single-purpose machine. The domain controller function is incompatible with other functions such as web server, mail server, FTP server, or mail client, which raise the risk of compromise to an unacceptable level.
o Severely restrict access to the DC from the Internet and from the parts of the University network that do not need it. Limit the DC to communicating with specific devices (or an IP range, if it is not practical to list the devices individually) on the University network. Deny access to unknown machines on the Internet and on the University network using filtering, a firewall, or non-routed network addressing.
o Run a network-based vulnerability scan (for example, Qualys) and take corrective action on the vulnerabilities it reports.
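The name-resolution process described under DNS Server and the hardening list above are both things an administrator can verify rather than take on trust. The following PowerShell script is an added example and not part of the original page: it (1) resolves the DC locator SRV record that clients use to find a domain controller and checks that every advertised DC resolves into the expected subnet, (2) checks that no incompatible role is installed, and (3) scopes inbound firewall rules to known networks. The domain name, subnet prefix and allowed networks are assumptions for illustration; the feature names and cmdlets are real and exist on Windows Server 2012 and later (the page's own era would have used nslookup and netsh for the same checks).

```powershell
# Added example, not from the original page. Three checks against the hardening list above.
# Assumed values: the domain, the DC subnet prefix and the allowed networks.
$Domain               = 'school-of-it.com'
$ExpectedDcPrefix     = '10.10.1.'                        # assumed DC subnet
$AllowedNetworks      = '10.10.0.0/16', '10.20.5.0/24'    # assumed campus and admin subnets
$IncompatibleFeatures = 'Web-Server', 'Web-Ftp-Server', 'SMTP-Server'   # real Server Manager names

# (1) Clients locate a DC by asking DNS for _ldap._tcp.dc._msdcs.<domain>. A stale or rogue
#     SRV record silently redirects authentication traffic, so each target is resolved and
#     checked against the subnet the DCs are supposed to live in.
function Test-DcLocatorRecords {
    param([string] $Domain, [string] $ExpectedPrefix)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        ForEach-Object {
            $srv = $_
            Resolve-DnsName -Name $srv.NameTarget -Type A -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'A' |
                ForEach-Object {
                    [pscustomobject]@{
                        DomainController = $srv.NameTarget
                        Port             = $srv.Port
                        IPAddress        = $_.IPAddress
                        InExpectedSubnet = $_.IPAddress.StartsWith($ExpectedPrefix)
                    }
                }
        }
}

# (2) A DC must be single-purpose: web, FTP or mail server roles widen its attack surface.
function Get-IncompatibleRoles {
    param([string[]] $Names)
    Import-Module ServerManager
    Get-WindowsFeature -Name $Names | Where-Object Installed | Select-Object -ExpandProperty Name
}

# (3) Default-deny inbound, then scope every enabled Allow rule (including the AD role rules,
#     which allow Any by default) to the known networks. Preview with -WhatIf; in production
#     push the same settings through Group Policy rather than per-server.
function Set-DcInboundScope {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $Allowed)
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Set-NetFirewallRule -RemoteAddress $Allowed
}

Test-DcLocatorRecords -Domain $Domain -ExpectedPrefix $ExpectedDcPrefix | Format-Table -AutoSize
$roles = Get-IncompatibleRoles -Names $IncompatibleFeatures
if ($roles) { Write-Warning "Incompatible roles installed on this DC: $($roles -join ', ')" }
Set-DcInboundScope -Allowed $AllowedNetworks -WhatIf   # drop -WhatIf to apply
```

Any DC reported with InExpectedSubnet = False deserves investigation before anything else, because clients will happily authenticate to whatever DNS tells them is a domain controller. Scoping the allow rules with Set-NetFirewallRule replaces the rules' current remote address scope, so run it with -WhatIf first and keep a console session open in case the management subnet was left out.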

To promote a server to a domain controller, run dcpromo (Start -> Run -> dcpromo).
Windows Server Client Access License
In addition to a server license, a Windows Server Client Access License (CAL) is required. If you wish to conduct a Windows session, an incremental Terminal Server Client Access License (TS CAL) is required as well. A Windows session is defined as a session during which the server software hosts a graphical user interface on a device. For Windows sessions, a TS CAL is required for each user or device.

Device-based versus User-based Terminal Server CALs


Two types of Terminal Server Client Access Licenses are available: TS Device CAL or TS User CAL. A TS Device CAL permits one device (used by any user) to conduct Windows Sessions on any of your servers. A TS User CAL permits one user (using any device) to conduct Windows Sessions on any of your servers.

You may choose to use a combination of TS Device CALs and TS User CALs simultaneously with the server software.

Terminal Server Client Access Licensing Mode


Terminal Server CALs are available in Per User/Per Device mode only. In Per User or Per Device mode, a separate TS CAL is required for each user or device that accesses or uses the server software on any server. You may reassign a TS CAL from one device to another device, or from one user to another user, provided the reassignment is made either (a) permanently away from the one device or user or (b) temporarily to accommodate the use of the TS CAL either by a loaner device, while a permanent device is out of service, or by a temporary worker, while a regular employee is absent. TS CALs are not available in Per Server mode as Windows sessions are not allowed in Per Server mode.

Note: To use User and Device TS CALs simultaneously on one Terminal Server, the server must be configured for Per User TS CAL mode. Failure to have the appropriate number of User CALs or Device CALs for each device or user connecting to the server is a violation of the license agreement.

Terminal Services

Terminal Services, known to some as an administrator's best friend, uses RDP (Remote Desktop Protocol), relies on TCP/IP, and sits at the application layer of the OSI seven-layer model. In Windows 2003 it has been improved with more features and greater reliability and scalability. Terminal Services allows:

o the sharing of applications and desktops over the network
o administrators to take control of, and manage, a computer from their desk
o the centralization and management of applications (keeping them constantly up to date)

The ability to access a terminal server and establish a session from a Pocket PC, for example, is a great feature for employees on the move. Terminal Server does not require the client to run a Microsoft Windows operating system in order to connect. The connection is secured with 128-bit bi-directional RC4 encryption; should the terminal services client not support that level, lower levels can be set. Lowering the level weakens every session that negotiates it, and RC4 itself is no longer considered a strong cipher, so on current Windows versions the connection should additionally be protected by the TLS security layer with the encryption level kept at High or FIPS. A few of the most sought-after advantages include:

o Automatic reconnection of a disconnected session (useful for wireless connections)
o Smart card authentication support
o Automatic redirection of client local and network-mapped drives
o Automatic redirection of audio
o 24-bit color mode support
o Session Directory (stores a list of sessions indexed by username and server, allowing automatic reconnection to a disconnected session in a terminal server farm)

A disadvantage is that, although Windows 2003 Terminal Server offers load balancing, it can still be improved: the current mechanism is based on network utilization and handles up to 32 servers. A very important improvement is the way bandwidth is managed for a terminal services session: low-bandwidth connections (such as dial-up) perform better because only the screen view of the remote computer is transmitted, not the underlying data. To benefit from these features, the terminal services client must use RDP 5.1 (included in Windows XP) and the server RDP 5.2 (included in Windows 2003).

Setting up Windows 2003 as a Terminal Server

Open the Configure Your Server wizard from Administrative Tools and, in the select a role section, choose Terminal Server and click Next twice to confirm. The wizard then installs the required files and warns you that the machine will have to be restarted during the installation. Close any open programs and click OK.

The installation will continue for a few minutes before the machine is restarted. After the machine has booted and you logon, you are presented with a confirmation screen that states the computer is now a terminal server.

It is important to note that a 120-day evaluation period is allowed for unlicensed clients. If you do not obtain licenses within that period, terminal services clients will no longer be able to initiate a session.

Licensing

This is probably where the most changes have been made: Microsoft has introduced a per-user license alongside the already familiar per-device method.

To make your machine a terminal server license server you have to install that component separately, from the Windows Components Wizard section of Add/Remove Programs in Control Panel.

Once you have installed this option your server is listed in the Terminal Server Licensing console. You must activate the server before it can start distributing licenses. Activation of the license server can be done over a direct Internet connection, through a web browser, or over the telephone. The following is a screenshot of the Terminal Server Licensing console showing what you would have to do to start the activation process.

This brings up a wizard asking you to enter details and select options to suit your needs. Follow the on-screen instructions and press Finish when you are done.

Terminal Server Configuration

The two main applications used to configure the terminal server are:

o Terminal Services Manager (completely rewritten in Windows 2003)
o Terminal Services Configuration

(They can both be found in the Administrative Tools folder in Control Panel or on the Start menu.)

Terminal Services Manager

When you select the server name you can choose to view and manage the Users, Sessions or Processes tab. Green icons indicate that the server is online; if you disconnect it, the icons turn gray. The Users tab shows who is connected, how long they have been connected and the state of their connection. If you select a user and right-click, you can disconnect or reset the user's session, send a message (displayed as a pop-up message box on the client side), view the status, or log the person out of the terminal server session. The Sessions tab permits viewing and control of the terminal server sessions: right-click a session and select Status to see the incoming and outgoing data, or Reset to reset the session. The Processes tab shows all running processes and which user they belong to (a simplified version of the Processes tab in Windows Task Manager); select a process, right-click and choose End Process to kill it. The image below shows the Terminal Services Manager with an active connection initiated by a user (andrew).

If you select the RDP-Tcp#12 (username) entry you can view the processes and session information specific to that user. Note: the #12 number differs for each session. Favorite Servers lists all the servers you have added as favorites; you do this by right-clicking a server and selecting Add to Favorites. You can connect to multiple terminal servers by choosing Actions > Connect to computer; these are listed under the All Listed Servers node.

Terminal Services Configuration

The screenshot below is of Terminal Services Configuration.

Any connections that have been setup will be displayed in the connections part of the console. Double click a connection to open the properties page.

The following table describes what actions you may take on each tab.

Tab               Description
General           add a comment, change the encryption level, enable standard Windows authentication
Logon Settings    select whether or not to always use the same credentials for logging on, enable "always prompt for password"
Sessions          select whether to override the user's settings with a set of predefined settings
Environment       choose to override the settings of a user profile and run a program when the user logs on
Remote Control    change the way the remote control facility is used, or disable remote control
Client Settings   change connection, colour and mapping settings
Network Adapter   specify the network adapter you want to use and change the connection limit
Permissions       specify the user permissions (who has access to the terminal server and who doesn't)
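The encryption level on the General tab (the 128-bit RC4 setting mentioned earlier) and the Permissions tab are the two settings on this console that decide who can reach the server and how well the session is protected. On Windows Server 2008 and later the same settings live in the registry under the RDP-Tcp listener and in the Remote Desktop Users group. The following PowerShell is an added example, not from the original page: it reads those values, flags the weak ones with the attack each one permits, and can enforce the hardened values. The registry value names are the real ones; the "weak" thresholds are this script's own choice, and Get-LocalGroupMember assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original page. Audits and hardens the RDP-Tcp listener that the
# Terminal Services Configuration General and Permissions tabs expose.
$Listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer (native RC4)'; 1 = 'Negotiate'; 2 = 'TLS' }

function Get-RdpListenerSecurity {
    param([string] $Path = $Listener)
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        MinEncryptionLevel = $EncryptionLevels[[int]$p.MinEncryptionLevel]
        SecurityLayer      = $SecurityLayers[[int]$p.SecurityLayer]
        NetworkLevelAuth   = [bool]$p.UserAuthentication
        # Each finding names what the weak setting lets an attacker do
        Findings           = @(
            if ([int]$p.MinEncryptionLevel -lt 3) { 'encryption level below High: a client can negotiate 40- or 56-bit RC4 keys' }
            if ([int]$p.SecurityLayer -lt 2)      { 'TLS security layer not enforced: the client cannot verify the server identity' }
            if (-not $p.UserAuthentication)       { 'NLA disabled: unauthenticated clients reach the logon screen and its attack surface' }
        )
    }
}

function Set-RdpListenerHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Path = $Listener)
    if ($PSCmdlet.ShouldProcess($Path, 'set MinEncryptionLevel=3, SecurityLayer=2, UserAuthentication=1')) {
        Set-ItemProperty -Path $Path -Name MinEncryptionLevel -Value 3   # High: 128-bit in both directions
        Set-ItemProperty -Path $Path -Name SecurityLayer      -Value 2   # TLS, authenticated by the server certificate
        Set-ItemProperty -Path $Path -Name UserAuthentication -Value 1   # Network Level Authentication
    }
}

Get-RdpListenerSecurity | Format-List
# What the Permissions tab effectively grants: members of Remote Desktop Users (local and domain)
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource
Set-RdpListenerHardening -WhatIf   # drop -WhatIf to apply; new sessions pick up the change
```

Run the audit before and after applying the hardening and keep an existing session open while you do so: a client that cannot meet the new minimum will simply be refused, which is the intended effect but is easy to mistake for a broken listener.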

The Server Settings section lets you modify the settings of the server. Double-click a setting in the list to bring up the appropriate window and change it.

Each setting shown in that window is self-explanatory; each has an attribute you can set according to your preferences. Terminal Services gives you the opportunity to provide a secure and reliable tool to employees. Microsoft has built on the success of Terminal Server in Windows 2000 and come up with new solutions to meet users' needs; better manageability and user friendliness are just two of the improvements worth mentioning. A follow-up covers troubleshooting potential logon problems, terminal services tips and a guide to logging on to a terminal server from a Windows client.

Microsoft supplies an additional service in the Windows server operating system that allows multiple users access to a single Windows computer. This service is called the Windows Terminal Server service (TS). TS computers can be used to provide Windows applications to non-Windows users, or a convenient remote connectivity option for remote Windows users.

Windows Terminal Server uses the Remote Desktop Protocol (RDP), and any device with an RDP client can connect to it. The client is built into Windows XP, and Microsoft provides free RDP client programs for Windows 95/98/ME, Windows NT, Windows 2000, and Mac OS X. There are also RDP clients available for Linux and various hand-held devices. RDP clients that support version 5 of the protocol sometimes include the additional feature of mapping local disk and printer connections directly into your Windows terminal session, which is extremely handy for transferring data from your local computer or printing documents on your local printer.

The design strategy we are using does have some limitations. In order to maintain a reliable and stable environment for our users, the systems do not allow users to install applications. Various configuration options have also been removed, time limits are placed on connectivity, and users are restricted to a single active session. The Central Terminal Server is not meant to replace a Windows desktop for users who need one; it provides limited Windows desktop capabilities for users with occasional needs. Only a subset of Windows applications is provided, and users requiring more extensive applications should consider obtaining a Windows desktop or using a Windows PC emulator such as VMware or Virtual PC.

ACTIVE DIRECTORY SITES AND SERVICES

The primary purpose of the Windows 2000 Active Directory Sites and Services snap-in is to administer the replication topology, both within a site in a local area network (LAN) and between sites in a wide area network (WAN), in an enterprise environment.

Sites

A site is a region of your network with high-bandwidth connectivity and is, by definition, a collection of well-connected computers based on Internet Protocol (IP) subnets. Because sites control how replication occurs, changes made with the Sites and Services snap-in affect how efficiently domain controllers (DCs) within a domain but separated by great distances can communicate. A site may span multiple domains, and a domain may span multiple sites. Sites are not part of your domain namespace. Sites control replication of your domain information and help to determine resource proximity; for example, a workstation will select a DC within its site to authenticate with. To ensure that the Active Directory service in Windows Server 2003 can replicate properly, a service known as the Knowledge Consistency Checker (KCC) runs on all DCs and automatically establishes connections between individual computers in the same site; these are known as Active Directory connection objects. An administrator can create additional connection objects or remove them, but whenever replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume replication. Replication between sites is assumed to occur over higher-cost or slower connections; the mechanism for inter-site (between-site) replication therefore permits the selection of alternative transports, and is established by creating Site Links and Site Link Bridges.

Default-First-Site

Your first site was set up automatically when you installed Windows 2000 Server on the first domain controller in your enterprise. The resulting first site is called Default-First-Site. You can rename this site later or leave it as is. The replication topology of sites on your network controls:

o Where replication occurs, such as which DCs communicate directly with which other DCs in the same site. The topology also controls how sites communicate with each other.
o When replication occurs. Replication between sites can be completely scheduled by the administrator. Replication between DCs inside the same site is notification based: notifications are sent within five minutes of a change being made to an object in the domain.

All newly promoted domain controllers are placed in the site container that applies to them at the time of installation. For example, a server bound for California might have been built and configured in the Maui, Hawaii data center, so the Configure Your Server wizard places the server in the Maui site. After it arrives in California, the server object can be moved to the new site using the Sites and Services snap-in. You can use the sites portion of the Sites and Services snap-in to:

o Display the valid sites within an enterprise. For example, Default-First-Site might be renamed to a site name such as Headquarters. You can create, delete, or rename sites.
o Display the servers that participate in a site. You can delete or move servers between sites. (Note: although you can also manually add servers, adding a server is typically performed automatically during domain controller setup.)
o Display the applications that use site knowledge.

The Active Directory topology is rooted at Sites\Default-First-Site\Servers, which contains just those servers participating in a specific site, regardless of domain. To view the connections for any given server, display Sites\Default-First-Site\Servers\{server}\NTDS Settings. For each server, there are connections and schedules that control replication to other servers in this site.

  - Connections. For two machines to have two-way replication, a connection must exist from the first machine to the second, and a complementary connection must exist from the second machine to the first.
  - Schedules. Within a site, pull replication of new directory deltas occurs between servers approximately every five minutes. Schedules are significant within a site to force periodic notification to inbound partners in the event that a partner has a damaged connection object; this type of notification typically occurs every six hours. In addition, schedules are very significant in controlling pull replication between sites (there is no automatic five-minute replication between sites).

o Display transports and links between sites. Transports represent the protocols used to communicate between chosen sites (for example, IP).
o Display subnets. Subnets allow the administrator to associate ranges of IP addresses with sites.
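The connection objects and schedules described above are what actually carry domain data (including password hashes and group memberships) between DCs, so an administrator should be able to see, without opening NTDS Settings on every server, which connections the KCC built, which were added by hand, and whether each inbound partner is still replicating. The following PowerShell is an added example, not from the original page; it uses the ActiveDirectory module (RSAT, Windows Server 2012 and later) rather than the Windows 2000 snap-in, and the three-hour staleness threshold is this script's choice, not the page's.

```powershell
# Added example, not from the original page: enumerate connection objects and check each DC's
# inbound replication partners for failures or stale data.
Import-Module ActiveDirectory

# Connection objects are stored under each server's NTDS Settings; AutoGenerated = $true means
# the KCC created it, $false means an administrator added it by hand and the KCC will not
# remove or repair it.
function Get-ConnectionObjects {
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        [pscustomobject]@{
            From          = ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN='
            To            = ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN='
            AutoGenerated = $_.AutoGenerated
        }
    }
}

function Get-ReplicationHealth {
    param([int] $MaxAgeHours = 3)   # assumed threshold; intra-site replication runs about every 5 minutes
    foreach ($dc in Get-ADDomainController -Filter *) {
        $inbound = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue)
        if ($inbound.Count -eq 0) {
            # A DC with no inbound partner is isolated; the KCC should have repaired this
            [pscustomobject]@{ Server = $dc.HostName; Site = $dc.Site; Partner = '(none)'; Transport = ''; Status = 'NO INBOUND PARTNERS' }
            continue
        }
        foreach ($p in $inbound) {
            $age = if ($p.LastReplicationSuccess) { (Get-Date) - $p.LastReplicationSuccess } else { [timespan]::MaxValue }
            $status = if ($p.LastReplicationResult -ne 0) {
                "FAILING (result $($p.LastReplicationResult), $($p.ConsecutiveReplicationFailures) consecutive)"
            } elseif ($age.TotalHours -gt $MaxAgeHours) {
                "STALE ($([int]$age.TotalHours)h since last success)"
            } else { 'OK' }
            [pscustomobject]@{
                Server    = $dc.HostName
                Site      = $dc.Site
                Partner   = ($p.Partner -split ',')[1] -replace '^CN='   # partner's NTDS Settings DN -> server name
                Transport = $p.IntersiteTransportType                     # empty for intra-site partners
                Status    = $status
            }
        }
    }
}

Get-ConnectionObjects | Format-Table -AutoSize
Get-ReplicationHealth | Format-Table -AutoSize
# The same data from the built-in tool: repadmin /showrepl * /csv
```

A DC whose only inbound partner shows FAILING is the single point of failure the text warns about; a DC reported STALE while its partners are OK usually means a schedule or site link change has cut it off rather than a network fault.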

Prerequisites
At a minimum, you need to set up two Windows 2000 domain controllers (DCs). Each DC should host a different domain partition (host different Windows 2000 domains) and be members of the same forest. This step-by-step guide assumes a parent/child relationship between the two Windows 2000 domains. You can create this base configuration by running through the Common Infrastructure and Setting up Additional Domain step-by-step guides before going through the instructions in this document. If you are not using the common infrastructure, you need to make the appropriate changes to this instruction set.

Using the Sites Topology Tool


1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

Adding a Site

1. Right-click Sites in the left pane of the console, and then click New Site.
2. In the New Object - Site dialog box, type a name for the new site.
3. Select a site link object that contains the new site. If presented with a Default Site Link, you might associate this site to it at this time. Site Links are explained later in this document. Then click OK.
4. When the Active Directory message box appears, click OK.

You can now move computers from other sites into this site; they appear under the site's Servers container.

To move computers into a site

1. In the Active Directory Sites and Services snap-in, right-click the computer you want to move in the left pane, click Move, and the Move Server box appears.
2. Select the site to move the computer to, and click OK.

Adding a Subnet

To define subnets for a particular site:

1. In the left pane of the console, right-click Subnets under the Sites node.
2. On the Action menu, click New Subnet.
3. In the New Object - Subnet box, type the subnet address and subnet mask.
4. Select a Site object for this subnet in the lower pane and click OK. If you have entered the subnet correctly, it appears in the Subnets folder.

To associate the subnet with a site:

1. Right-click the subnet in the right pane of the console, and then click Properties.
2. In the Properties dialog box, select a site to associate with this subnet from the list box.
3. Click the Location tab, and enter the name of the city; in this example, Renton. Click OK.

Site Links and Site Link Bridges


Creating a Site Link

For scheduled replication to occur between multiple sites, both sites must agree on a transport to communicate over. This will more than likely be IP-based.

1. Click the + next to Inter-Site Transports in the left pane to expand it (if it is not already expanded). Right-click IP, and click New Site Link.
2. Enter a name for the Site Link in the New Object - Site Link dialog box, shown in Figure 7 below.
3. Select sites in the left pane, and click Add.
4. Click OK when all the sites you want to include in this site link are added to the right pane list.

To create a link between two sites:

1. From the Inter-Site Transports node, click one of the applicable transports to select it. In this example, IP is selected.
2. If you wish to join a site to an existing Site Link, select the link from the Sites in this Link list in the right pane, right-click it, and then click Properties.
3. Add the site, click Apply, and then click OK.

Creating a Site Link Bridge

The process for creating a Site Link Bridge is identical to creating a Site Link; however, instead of providing site names for the link, you now provide Site Link names for the bridge.

Important Notes

The example company, organization, products, people, and events depicted in this step-by-step guide are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred. This common infrastructure is designed for use on a private network. The fictitious company name and DNS name used in the common infrastructure are not registered for use on the Internet. Please do not use this name on a public network or the Internet. The Active Directory structure for this common infrastructure is designed to show how Windows 2000 features work and function with Active Directory. It was not designed as a model for configuring an Active Directory for any organization; for such information see the Active Directory documentation.
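The Adding a Site, Adding a Subnet and Creating a Site Link procedures above are click sequences that are hard to review or repeat. The following PowerShell is an added example, not from the original page or Microsoft's guide: it performs the same steps with the ActiveDirectory module (RSAT, Windows Server 2012 and later) so the intended topology is written down and can be previewed with -WhatIf before anything is created. The site names, subnets, locations, server name, link cost and replication interval are assumptions for illustration.

```powershell
# Added example, not from the original page: sites, subnets and a site link defined as data
# and created idempotently. All names and numbers below are assumed.
Import-Module ActiveDirectory

$SiteDefinitions = @(
    @{ Name = 'Headquarters'; Subnets = @('10.0.0.0/16');  Location = 'Renton' }
    @{ Name = 'California';   Subnets = @('10.20.0.0/16'); Location = 'Los Angeles' }
)

function New-SiteTopology {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable[]] $Definitions, [string] $LinkName, [int] $Cost = 100, [int] $IntervalMinutes = 15)
    foreach ($s in $Definitions) {
        # "Adding a Site": create it only if it does not exist yet
        if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
            New-ADReplicationSite -Name $s.Name
        }
        # "Adding a Subnet": subnets tie a client's IP address to a site, and therefore decide
        # which DC it authenticates against, so an unassigned subnet sends clients anywhere
        foreach ($cidr in $s.Subnets) {
            if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
                New-ADReplicationSubnet -Name $cidr -Site $s.Name -Location $s.Location
            }
        }
    }
    # "Creating a Site Link": one link over the IP transport joining all the sites. Inter-site
    # replication is scheduled and costed; 15 minutes is the smallest interval AD accepts.
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
        New-ADReplicationSiteLink -Name $LinkName `
            -SitesIncluded ($Definitions | ForEach-Object { $_.Name }) `
            -Cost $Cost -ReplicationFrequencyInMinutes $IntervalMinutes `
            -InterSiteTransportProtocol IP
    }
}

New-SiteTopology -Definitions $SiteDefinitions -LinkName 'HQ-California' -WhatIf   # drop -WhatIf to apply

# "To move computers into a site": a DC built in one data center, moved to the site it serves
# Move-ADDirectoryServer -Identity 'DC-CA1' -Site 'California'

# Site link bridges are only needed when "Bridge all site links" has been turned off on the
# IP transport; by default every site link is already transitively bridged.
# New-ADReplicationSiteLinkBridge -Name 'HQ-CA-Maui' -SiteLinksIncluded 'HQ-California', 'California-Maui'
```

After the sites and subnets exist, verify that clients actually land where expected: nltest /dsgetsite on a workstation in the 10.20.0.0/16 range should report California, and a workstation whose address is in no defined subnet will be steered to whatever DC it finds first.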
