Introduction
This article covers the configuration scenarios for enhancing the security of an FTP site by using an SSL certificate with the new FTP Publishing Service for IIS 7.0. The prerequisite for this article is that the FTP Publishing Service is already installed on Windows Server 2008 and an FTP site has been configured. To see how this is done, please refer to part 1 and part 2 of this article series. This article contains two main configuration topics, each divided into its own section:
- How to configure a secure FTP site using a commercial SSL certificate
- How to configure a secure FTP site using a self-signed SSL certificate
The new FTP Publishing Service for IIS 7.0 supports adding an SSL certificate to an FTP site. Using an SSL certificate with an FTP site is also known as FTP-S or FTP over Secure Sockets Layer (SSL). FTP-S is an RFC standard (RFC 4217) in which an SSL certificate is added to an FTP site, making it possible to perform secure file transfers over a TLS (SSL) layer beneath the FTP protocol. By using SSL, the FTP transmission is encrypted and secured from point to point, and all FTP traffic is thereby guarded against interception.
Users will need an FTP client that is able to connect using FTP-S in order to reach the FTP site. Examples of FTP clients that support FTP-S are the open-source FTP client FileZilla and the commercial FTP client CuteFTP.
Configure a secure FTP site using a commercial SSL
Below I will describe how to secure an existing FTP site using an SSL certificate. The certificate issued and used below is created on an internal Certificate Authority set up for testing purposes only, but the certificate enrollment process on the server is the same as when ordering a certificate from a third-party certificate provider such as Verisign or Godaddy. It is also possible to create a self-signed certificate directly from within IIS; this process is described later in the article.
Make sure you have the FTP site running and that you are able to log in to it. The FTP site used as the example in this article is ftp.example.com, as illustrated below.
- Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager
- In IIS Manager, click the FTP server node to select it and choose Server Certificates:
Figure A: Server Certificates
- In the actions pane, choose Create Certificate Request:
Figure B: Server Certificates - Actions
- In the dialog window that pops up, fill out the required information for the certificate and click Next:
Figure C: Self-signed Certificate - Name
- Choose the default cryptographic service provider and click Next:
Figure D: Cryptographic Service Provider
- Save the request to a file and click Finish:
Figure E: Save Certificate request
The certificate request has now been created and is pending in IIS. The request file is ready to be sent to a commercial third-party certificate provider (e.g. Verisign, Godaddy etc.).
Import Certificate request
When the issued certificate comes back from the certificate provider, it needs to be imported into IIS before it can be used.
- In IIS Manager click the FTP server and choose Server Certificates:
Figure F: IIS Manager – Server Certificates
- Choose Complete Certificate Request…:
Figure G: Server Certificates – Complete Certificate Request
- Select the certificate file that came back from the certificate provider, enter the common name of the site and click OK:
Figure H: Complete Certificate Request
- The certificate is now displayed in the IIS Manager and ready for use:
Figure I: Server Certificates
Enable the commercial certificate on the FTP site
Once imported, the SSL certificate can be enabled and applied to an FTP site. Go to the FTP site to which you want to apply the certificate.
- In IIS Manager select the FTP site and click FTP SSL Settings:
Figure J: FTP site – FTP SSL Settings
- Select the certificate and the SSL policy (Allow or Require SSL connections) and click Apply:
Figure K: FTP SSL Settings
- The SSL certificate has now been applied to the FTP site:
Figure L: FTP SSL Settings
The FTP site is now secured. If the Require SSL policy was selected, every connection to the FTP site must be made over FTP-S, using an FTP client that supports FTP-S; with the Allow policy, clients may still connect unencrypted.
Configure a secure FTP site using a self-signed SSL
As described previously, it is also possible to generate a self-signed SSL certificate directly from within the Internet Information Services (IIS) Manager. This process is quicker than requesting a commercial certificate. Self-signed certificates are great for testing FTP sites or perhaps for internal use, but they are not recommended for production use.
- Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager
- In IIS Manager click the FTP server and choose Server Certificates:
Figure M: Server Certificates
- In the actions pane, choose Create Self-Signed Certificate:
Figure N: Server Certificates - Actions
- In the dialog window that pops up, give the certificate a friendly name and click OK:
Figure O: Self-signed Certificate - Name
- The certificate is now generated and ready for use:
Figure P: Server Certificates – Generated certificates
The next step is to apply and enable this new certificate on an existing FTP site.
- Select the FTP site (in this example: ftp.example.com) and click on FTP SSL Settings:
Figure Q: FTP site – FTP SSL Settings
- Choose the certificate, select the settings needed (Require SSL Connections) and click Apply:
Figure R: FTP site – FTP SSL Settings
The FTP site is now ready to be used and all traffic will be encrypted. An FTP client that supports FTPS is now required to connect to the FTP site.
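As an added example that is not part of the original article, the following PowerShell script does what the FTP SSL Settings dialog does in both the commercial and the self-signed sections above: it binds the certificate to the site and requires SSL on the control and data channels through appcmd.exe. It assumes appcmd.exe in its default inetsrv location, an existing site named ftp.example.com and a certificate in the LocalMachine\My store whose subject is CN=ftp.example.com.

```powershell
# Added example (not from the original article). Assumptions: appcmd.exe in the default
# inetsrv path, an existing FTP site "ftp.example.com", and a certificate (commercial or
# self-signed, as in the article) whose subject contains CN=ftp.example.com.
$siteName    = 'ftp.example.com'
$subjectName = 'CN=ftp.example.com'
$appcmd      = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# Pick the certificate by subject. If several match (an old and a renewed one, say),
# take the one that expires last so a stale certificate is not bound by accident.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if ($cert -eq $null) { throw "No certificate with a private key found for $subjectName" }

# Warn (but do not stop) when the certificate is self-signed: fine for a lab, not for production.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed; clients will have to trust it explicitly."
}

# SslRequire on the control channel protects the credentials (USER/PASS); SslRequire on the
# data channel protects file contents and directory listings. SslAllow, the article's
# "Allow" policy, would let a client fall back to plain FTP.
& $appcmd set site $siteName `
    "/ftpServer.security.ssl.serverCertHash:$($cert.Thumbprint)" `
    '/ftpServer.security.ssl.controlChannelPolicy:SslRequire' `
    '/ftpServer.security.ssl.dataChannelPolicy:SslRequire'
if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }

# Read the settings back so the change can be verified and recorded.
& $appcmd list site $siteName /config | Select-String 'ssl'
```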
Connecting to an FTP site
Use an FTP client that supports FTP-S to connect to the FTP site and test the connectivity. In the example below FileZilla is used. It is important to configure the server settings in FileZilla to connect using FTPS; in FileZilla the setting is "FTPES - FTP over explicit TLS/SSL".
Figure S: FileZilla – FTPS Settings
The first time you log on to an FTP site running with a self-signed certificate, the FTP client (FileZilla) will prompt you and tell you that the root of the certificate is not known. Before trusting it, compare the certificate fingerprint shown in the prompt with that of the certificate you generated on the server. If you want to trust it and import it, click OK.
The FTP site is now ready to be used in a secure manner.
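The connection test above can also be scripted. The following PowerShell script is an added example, not code from the article, that uses .NET's FtpWebRequest to perform the RFC 4217 explicit TLS upgrade and, instead of clicking OK on the "unknown root" prompt, accepts a self-signed server certificate only if its thumbprint matches one recorded out of band. It assumes PowerShell 2.0 or later, the host ftp.example.com, a placeholder thumbprint and a constructed test account.

```powershell
# Added example (not from the original article). Assumptions: PowerShell 2.0 or later,
# host ftp.example.com, a placeholder thumbprint and a constructed test account.
$ftpUrl     = 'ftp://ftp.example.com/'
$credential = New-Object System.Net.NetworkCredential('ftpuser', 'P@ssw0rd')   # constructed test account
# Thumbprint of the self-signed certificate as shown in IIS Manager (placeholder value, replace it).
$global:FtpsPinnedThumbprint = '0000000000000000000000000000000000000000'

# Validation callback: $true when the chain validates (a commercial certificate), or when
# the presented certificate is exactly the pinned self-signed one. Anything else is refused.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) { return $true }
    $presented = $certificate.GetCertHashString().ToUpperInvariant()
    if ($presented -eq $global:FtpsPinnedThumbprint.ToUpperInvariant()) { return $true }
    Write-Warning "Refusing certificate $presented issued by '$($certificate.Issuer)' ($sslPolicyErrors)"
    return $false
}

function Test-FtpsListing {
    param([string]$Url, [System.Net.NetworkCredential]$Credential)
    $request = [System.Net.FtpWebRequest]::Create($Url)
    $request.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $request.EnableSsl   = $true        # explicit TLS: AUTH TLS before USER/PASS, then PROT P for data
    $request.UsePassive  = $true
    $request.Credentials = $Credential  # for a virtual-host site use 'ftp.example.com|ftpuser' as the user name
    try {
        $response = $request.GetResponse()
        $reader   = New-Object System.IO.StreamReader($response.GetResponseStream())
        $listing  = $reader.ReadToEnd()
        $reader.Close()
        $response.Close()
        return $listing
    }
    catch [System.Net.WebException] {
        # A refused certificate surfaces here as a trust failure; wrong credentials as a 530 reply.
        Write-Error "FTPS test failed: $($_.Exception.Message)"
        return $null
    }
}

Test-FtpsListing -Url $ftpUrl -Credential $credential
```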
Summary
With the new Microsoft FTP Publishing Service it is now possible to deploy a secure FTP solution based on a Microsoft product, with integration into Internet Information Services and Active Directory. All FTP communication can now be encrypted because the FTP Publishing Service for IIS 7.0 supports FTP-S (FTP over SSL); FTP-S is an RFC standard (RFC 4217) for encrypting FTP traffic.
Encryption of your FTP traffic can be done using either a commercial or a self-signed SSL certificate. All the configuration is done on the server. The clients connecting to the new secure FTP site need to use an FTP client that supports FTP-S.
This concludes part 3 of this 3 part article series about the new FTP Publishing Service for Internet Information Services 7.0 (IIS 7.0).
This article covers different configuration scenarios of the new FTP Publishing Service for IIS 7.0. The prerequisite for this article is that the FTP Publishing Service is already installed on Windows Server 2008. Part 1 of this article series covered how to download and install the new version of the FTP Publishing Service. This article consists of two main configuration topics, each divided into its own section:
- How to configure a new FTP site
- How to add FTP Publishing to an existing website
Both topics will cover configuring FTP using the GUI and the command line management tools.
The use of FTP can be different depending on the usage and the requirement for FTP in the organization. Therefore this article will cover some different scenarios.
Configure a new FTP site
There are numerous ways to configure a new FTP site with IIS 7.0 and the new FTP Publishing Service; it is now possible to change or add an FTP site directly in the configuration XML files or by using scripting.
The first part of this section will cover configuring FTP "the GUI way" using IIS Manager, and at the end I will cover configuring FTP using the command line interface. Both ways have the same end result, which is a new FTP site.
Creating a new folder
A folder needs to be prepared for FTP Publishing. It is easier to create the folder now, before continuing with the FTP configuration. Make sure the folder is configured with the correct permissions. The folder used in this example is: “D:\Inetpub\ftproot\ftp.iis-digest.com”.
- Create the folder D:\Inetpub\ftproot\ftp.iis-digest.com
- Set folder permissions using cacls from a command prompt:
CACLS "C:\inetpub\ftproot\ftp.iis-digest.com" /G IUSR:R /T /E
FIGURE A: Command prompt and cacls command
The above command changes the permissions on the ftp.iis-digest.com folder and adds read and execute permissions for the IUSR account. The /E switch edits the existing ACL rather than replacing it (without /E, cacls would overwrite all existing permissions on the folder), and /T applies the change to all subfolders and files.
The IUSR user is the new built-in account on Windows Server 2008 used for IIS 7.0, replacing the old IUSR_machinename account found previously in Windows Server 2003 and IIS 6.0.
Configuring FTP
- Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager.
- In IIS Manager under Sites, click Add FTP Site…
FIGURE B: Add FTP Site…
- The Add FTP Site Wizard starts. In the first dialog box, enter the name of the FTP site and the physical path created previously:
FIGURE C: Add FTP Site Wizard – Enter site information
FIGURE D: Add FTP Site Wizard – Enter Binding and SSL Settings
- Enter the IP address information for the FTP site and the port binding; use the default FTP port 21. If you know what you are doing and your application needs to use another port than the default one, you can change it here.
- New in the FTP Publishing Service is support for virtual host naming, which is the same as using host headers on websites. A virtual host name such as ftp.iis-digest.com makes it possible to have multiple FTP sites configured on one IP address without conflicting bindings on the port.
- SSL is also a new feature supported by the FTP Publishing Service; by combining SSL and FTP, the server provides FTPS support. By selecting an SSL certificate during configuration, the FTP site is made available as a secure site, so all traffic will be encrypted. In the above example it should be "Allow SSL", since there is no SSL certificate for this FTP site.
- Set the authentication to Anonymous to provide anonymous access to the new FTP site used as the example in this article.
FIGURE E: Add FTP Site Wizard – Set Authentication and Authorization Information
- Add the authorization settings for the FTP site: set it to "Anonymous users" with Read (only) permissions.
- The new FTP site has been configured and can be seen in IIS Manager:
FIGURE F: IIS Manager – view of the new ftp site
- Test the new FTP site: in this example we log in to the test site ftp.iis-digest.com as an anonymous user. With FTP 7 using virtual host names, the login needs to be formatted like this: "ftp.iis-digest.com|anonymous":
FIGURE G: Command prompt – test the ftp connection
There are numerous ways of configuring the users for an FTP site in a secure way, and it is not recommended to use anonymous authentication in production. Securing FTP will be covered in my next article.
Configure a new FTP site using command line or scripting
With IIS 7.0 and the new FTP 7, it is now possible to script and automate much of the management of IIS and FTP. This section describes how to create and configure the same new FTP site as above, using the command line and scripting instead.
Using the new command line tool AppCMD.exe, the command and parameters for creating a new FTP site are:
appcmd add site /name:"ftp.iis-digest.com ftpsite" /bindings:ftp://ftp.iis-digest.com:21 /physicalpath:"c:\inetpub\ftproot\ftp.iis-digest.com" /ftpServer.security.ssl.dataChannelPolicy:SslAllow
FIGURE H: Command prompt – using the appcmd management tool
The same can be achieved using PowerShell and the new PowerShell Provider for IIS 7.0. It is a requirement that PowerShell 1.0 is installed on the Windows Server 2008 along with the new PowerShell Provider for IIS 7.0. The PowerShell Provider can be downloaded from www.iis.net. Both need to be installed to provide the connection and commands for managing IIS 7.0 and FTP 7 using PowerShell.
There is also another, more programmatic interface for managing IIS 7.0, Microsoft.Web.Administration; more information about this interface can be found on the official IIS website (www.iis.net). That interface will not be covered in this article.
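The following PowerShell script is an added example, not code from the article, that scripts the whole "Configure a new FTP site" procedure with appcmd.exe, replacing the anonymous test configuration with basic authentication and an explicit read-only authorization rule. It assumes appcmd.exe in its default inetsrv location and a hypothetical local group named FtpUsers that should get read-only access.

```powershell
# Added example (not from the original article). Assumptions: appcmd.exe in the default
# inetsrv path, a hypothetical local group "FtpUsers", and the article's folder and host name.
$siteName   = 'ftp.iis-digest.com ftpsite'
$hostName   = 'ftp.iis-digest.com'
$rootFolder = 'C:\inetpub\ftproot\ftp.iis-digest.com'
$ftpGroup   = 'FtpUsers'
$appcmd     = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Create the content folder if it is missing.
if (-not (Test-Path $rootFolder)) { New-Item -Path $rootFolder -ItemType Directory | Out-Null }

# 2. NTFS permissions: read-only for the FTP group, inherited by subfolders (OI) and files (CI),
#    applied to the whole tree (/T). This is the icacls equivalent of the article's cacls line.
icacls $rootFolder /grant "${ftpGroup}:(OI)(CI)R" /T
if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE)" }

# 3. Create the site with a virtual host binding on port 21. Each parameter is passed as its
#    own argument, so the physical path and later settings cannot run into each other.
& $appcmd add site "/name:$siteName" "/bindings:ftp://${hostName}:21" "/physicalpath:$rootFolder"
if ($LASTEXITCODE -ne 0) { throw "appcmd add site failed ($LASTEXITCODE)" }

# 4. Authentication: basic on, anonymous off. Basic sends the password in clear text, so this
#    only makes sense together with the SSL settings covered in part 3; with no certificate
#    bound yet the SSL policy stays at SslAllow, as in the article.
& $appcmd set site $siteName `
    '/ftpServer.security.authentication.basicAuthentication.enabled:true' `
    '/ftpServer.security.authentication.anonymousAuthentication.enabled:false' `
    '/ftpServer.security.ssl.controlChannelPolicy:SslAllow' `
    '/ftpServer.security.ssl.dataChannelPolicy:SslAllow'
if ($LASTEXITCODE -ne 0) { throw "appcmd set site failed ($LASTEXITCODE)" }

# 5. Authorization: allow Read for the group only. With no rule at all, nobody is authorized.
& $appcmd set config $siteName /section:system.ftpServer/security/authorization `
    "/+[accessType='Allow',roles='$ftpGroup',permissions='Read']" /commit:apphost
if ($LASTEXITCODE -ne 0) { throw "appcmd set config failed ($LASTEXITCODE)" }

# 6. Show the resulting configuration for verification.
& $appcmd list site $siteName /config
```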
Add FTP Publishing to an existing website
With IIS 7.0 and the new FTP Publishing Service it is now possible to add FTP to an existing website, directly from within the IIS Manager. This is a great new feature, not previously seen in IIS. This means that in e.g. hosting environments it is now a lot easier to add FTP access to a website already running on the web server.
With the new FTP Publishing Service it is easy to add FTP publishing to an already existing website, directly within IIS Manager. In the example below FTP publishing will be added to the Default Web Site.
- Expand "Sites" and find the website to which you want to add FTP functionality; in this example the site name is "Default Web Site".
- Select the website (Default Web Site) and right-click it, or from the Actions pane choose "Add FTP Publishing…":
FIGURE I: IIS Manager – Choose Add FTP Publishing…
- A dialog with the Add FTP Publishing Wizard appears; the first page is "Binding and SSL Settings":
FIGURE J: Add FTP Site Wizard – Enter Binding and SSL Settings
- IP Address: choose the IP address for your new FTP site. This can be either "All Unassigned", or you can enter the IP address or choose one from the pull-down menu. In this example "All Unassigned" is used.
- Port: the default FTP port is TCP port 21, which will also be used in this example.
- Virtual Host Name: it is now possible to use a host header for an FTP site, as we know from host headers on websites and from my first example above. In this example it will be left blank, which means that the site will respond on the IP address.
- Select "Allow SSL", since there is no SSL certificate to add to the FTP site.
FIGURE K: Add FTP Site Wizard – Enter Authentication and Authorization
- Select Basic or Anonymous as the authentication method for your FTP site; it is not recommended to use anonymous. In this example we use anonymous since it is a test site.
FTP has now been added to the existing Default Web Site. Test the FTP connection by connecting to the server IP address, or on the server itself using localhost.
FIGURE L: Testing the FTP connection
Summary
This article described how to configure a new FTP site and how to add FTP publishing to an existing website. The configuration was done using IIS Manager, and the article also showed that it can be done through the new command line tool appcmd.exe.
This concludes part 2 of this 3 part article series about the new FTP Publishing Service for Internet Information Services 7.0 (IIS 7.0).
The next article in this series will cover FTP security and how to secure the FTP Publishing Service.
NAP
Part A:-
The Network Access Protection Infrastructure
Implementing Network Access Protection requires the use of several servers, each performing a specific role. As you can see in the figure below, we are going to be using a Routing and Remote Access Server, a domain controller, and a Network Policy Server.
Figure A: Implementing Network Access Protection requires several servers to be used
As you can see in the diagram, the Windows Vista client is connecting to a Windows 2008 Server that's running the Routing and Remote Access (RRAS) service. This server acts as the VPN server for the network. The Windows Vista client establishes a connection to this VPN server in the usual way.
When the remote user connects to the VPN server, the user's credentials are validated using the RADIUS protocol. The network policy server then determines which health policies are in effect, and what should happen if the remote client is out of compliance.
In a lab environment, a single physical server could be used to host both the Routing and Remote Access Service role and the Network Policy Server role. In the real world VPN servers exist at the network perimeter, and it would completely undermine your network’s security if you hosted the network policy server on a perimeter server.
The Domain Controller
If you look at the diagram shown in Figure A, you will see that one of the required servers is a domain controller. Don't think of this as a single server, but rather as an entire Active Directory infrastructure. As I'm sure you know, the Active Directory cannot function without a DNS server. That being the case, if this diagram were a literal representation of an actual network, then the domain controller would be hosting the DNS services. Of course, in the real world organizations typically use multiple domain controllers and dedicated DNS servers.
An additional infrastructure requirement that is not shown on the diagram is an Enterprise Certificate Authority. Fortunately, Windows can be configured to act in such a capacity. In this article series, I will be configuring the domain controller to also function as our enterprise certificate authority. If this were a real world deployment you would want to use a dedicated server as the enterprise certificate authority because of the sensitive nature of digital certificates.
Installing an Enterprise Certificate Authority
The procedure for deploying an enterprise certificate authority varies a little bit depending on whether you are installing the services on a Windows 2003 server or on a Windows 2008 server. Because one of my purposes in writing this article series is to familiarize you with Windows 2008 Server, the following procedure is intended for installing the certificate services on a Windows 2008 Server.
Before I show you how to install the certificate services, you need to keep in mind that in a real world deployment, you would want to take extreme measures to make sure that your enterprise certificate authority is secure. After all, if someone were to compromise your enterprise certificate authority, they own your network. Because this article focuses on Network Access Protection and not on the certificate services per se, I am going to show you just enough to get the certificate services up and running. In a real world deployment, you would want to put a whole lot more thought into the server's configuration.
Begin the deployment process by opening Windows 2008 Server’s Server Manager and select the Roles option from the console tree. Next, click the Add Roles link found in the Roles Summary section of the console. This will cause Windows to launch the Add Roles Wizard. Click Next to bypass the wizard’s Welcome screen. You will now see a list of all of the available roles, as shown in Figure B. Select the Active Directory Certificate Server option from the list. Click Next to continue.
Figure B: Windows lists all of the roles that are available to you
At this point, you will see a screen that introduces you to the certificate services and provides you with some words of caution. Click Next to ignore this screen and you will see another screen that asks you which components you want to install. Select the Certification Authority and the Certificate Authority Web Enrollment check boxes.
You will now see a screen similar to the one that’s shown in Figure C, telling you that some additional roles must be installed prior to installing the Certificate Authority Web Enrollment Role. Click the Add Required Role Service button, and then click Next.
Figure C: The Certificate Services Web Enrollment Role cannot function without IIS
You will now see a screen that asks you if you would like to create an enterprise certificate authority or a standalone certificate authority. Choose the Enterprise Certificate Authority option and click Next. You will now be prompted as to whether this server should act as a Root CA or as a Subordinate CA. Since this is the first (and only) certificate authority in your lab, you should choose the Root CA option. Click Next to continue.
The wizard will now ask you whether you want to create a new private key or use an existing private key. Since this is a lab setup and no private key exists yet, choose the option to create a new private key and click Next to continue.
You should now see a screen that’s similar to the one shown in Figure D, asking you to select a cryptographic service provider, a key length, and a hash algorithm. In a real world deployment these are all things that you would want to carefully consider. Since we are setting this certificate authority up solely for demonstration purposes just go with the defaults and click Next.
Figure D: Choosing the correct cryptographic options would be critical in a real world deployment for security reasons
The next screen that you will see gives you a chance to define a common name and a distinguished name suffix for the certificate authority. Again, just go with the defaults and click Next.
You should now see a screen asking how long the certificates should be valid for. The default time period is 5 years, which is fine for our purposes, so just click Next. The next screen that you will see asks you where the certificate databases and the corresponding transaction logs should be located. In a production environment, choosing an appropriate location is critical to fault tolerance and security. Since this is a lab just go with the defaults and click Next.
As you will recall, we had to add an additional role midstream in order to support the Certificate Services Web Enrollment role. Therefore, the next screen that you will see is an introduction to IIS. Click Next to bypass this screen, and you will see a screen asking you which Web Server components you want to install. It is important to understand that Windows has already made the appropriate choices for you, so just click Next.
You will now see a screen detailing the options that you have selected. Click the Install button and Windows will copy the necessary files and configure the underlying services. When the process completes, the results screen should show you that the roles have been installed successfully, as shown in Figure E. Click Close to complete the process.
Figure E: When the installation process completes, click the Close button
Conclusion
Now that I have shown you how to configure the enterprise certificate authority, it is time to begin configuration of the VPN server. I will show you how in Part 3.
Configuring a Network Policy Server
Begin the configuration process by entering the MMC command at the Run prompt to open an empty Microsoft Management Console. When the console opens, select the Add / Remove Snap-in command from the console’s File menu. This will cause Windows to display the Add or Remove Snap-Ins dialog box. Select the Network Policy Server option from the list of available snap-ins, and click the Add button. You should now see a prompt asking you if you would like to manage the local computer or another computer. Make sure that the Local Computer option is selected and then click OK. Click OK one more time and the Network Policy Server component will be opened.
At this point, you must navigate through the console tree to NPS (Local) | Network Access Protection | System Health Validators, as shown in Figure A. Now, right click on the Windows System Health Validator object found in the center pane of the console, and select the Properties command from the resulting shortcut menu. This will cause Windows to display the Windows Security Health Validator Properties dialog box, shown in Figure B.
Figure A: Navigate through the console tree to NPS (Local) | Network Access Protection | System Health Validators
Figure B: The Windows Security Health Validator Properties dialog box is used to configure the system health validator
Click the dialog box’s Configure button and Windows will display the Windows Security Health Validator dialog box, shown in Figure C. As you can see in the figure, this dialog box allows you to define your system health validator policy. By default the dialog box is configured to require the Windows firewall to be enabled, Windows update to be enabled, and anti virus and anti spyware protection to be installed and up to date. Since we are only interested in making sure that the Windows firewall is enabled, leave the A Firewall is Enabled for all Network Connections check box selected, but deselect all of the other check boxes. Click OK twice to continue.
Figure C: Select the 'A Firewall is Enabled for all Network Connections' check box and deselect all of the other check boxes
Creating a System Health Policy
Now that you have configured the System Health Validators, you must configure a System Health Policy. System health policies define the system health validation results. Essentially, this means defining what constitutes a pass or fail when the system health validation is performed on a client.
To configure the Network Policy Server's health policy, navigate through the console tree to NPS (Local) | Policies | Health Policies. Now, right click on the Health Policies container, and select the New command from the resulting shortcut menu. When you do, Windows will display the Create New Health Policy dialog box that's shown in Figure D.
Figure D: You must create a new system health policy
As you can see in the figure, the dialog box prompts you to enter a name for the new policy. Enter the word Compliant into the Name field. Now, make sure that the Client SHV Checks drop down list is set to Client Passes all SHV Checks. Select the Windows System Health Validator check box and click OK.
We have now created a policy that defines what it means to be compliant. We must now create a second policy that defines what it means for a system to be out of compliance. To do so, right click on the Health Policies container and select the New command from the resulting shortcut menu. You should now see the same screen that you were working with a moment ago.
This time, name the new policy NonCompliant. Set the Client SHV Checks drop down list to use the Client Fails one or More SHV Checks option. Now, select the Windows Security Health Validator check box and click OK. If you return to the Network Policy Server console’s main screen and select the Health Policies container, you should see both the Compliant and the NonCompliant policies displayed in the console’s center pane, as shown in Figure E.
Figure E: If you return to the Network Policy Server console’s main screen and select the Health Policies container, you should see both the Compliant and the NonCompliant template displayed in the console’s center pane
Conclusion
In this article, I have shown you how to configure a system health validator so that Windows will check to see if clients requesting access to the network have the Windows firewall enabled. I then showed you how to create a system health policy that defines what it means to be in and out of compliance with the network health policy.
In the next part of this article series, I will show you how to create health authorization policies. Health authorization policies are the policies that control what happens if a client is compliant with the network health policy, or what will happen if the system that is requesting network access is found to be non-compliant. It is these policies that determine what level of access, if any, the client will receive to the network. As this series progresses, I will also be discussing automatic remediation. Remediation refers to fixing health problems on the fly, prior to granting clients network access.
Part C :-
Creating Network Policies
Begin the process by opening the Network Policy Server console and selecting the console’s Network Policies container. Upon doing so, take a look at the Details pane to see if any network policies currently exist. On my test system, there are two default network policies, both of which are enabled by default. One policy is the Connections to Microsoft Routing and Remote Access Server policy, and the other is the Connections to Other Access Servers policy. I recommend disabling these policies by right clicking on them, and choosing the Disable command from the resulting shortcut menu.
Now that you have cleared out the previously existing policies, you can create a new network policy. To do so, right click on the Network Policy container and select the New command from the resulting shortcut menu. When you do, Windows will launch the New Network Policy Wizard.
The first thing that you will have to do is to assign a name to the policy. Let’s call this policy Compliant-Full-Access. You can enter the policy’s name into the Policy Name field, found on the wizard’s initial screen. Leave the Type of Network Access Server drop down list set to Unspecified, as shown in Figure A, and click Next.
Figure A: Assign a name to the new policy and click Next
The next screen that you will encounter asks you to specify the conditions that are to be used by the new network policy. You can click the Add button to open the Specify Conditions dialog box. Scroll through the dialog box’s various options until you locate the Health Policies option. Select the Health Policies option, and click the Add button. When you do, you will be prompted to select the health policy that you want to enforce. Choose the Compliant option from the drop down list, as shown in Figure B.
Figure B: Choose the Compliant option from the list of health policies
Click OK to close the Select Conditions dialog box, and then click Next. When you do, Windows will display the wizard’s Specify Access Permission screen. Choose the Grant Access option, and click Next. Setting the access permission to Grant Access does not grant users full access to the network. All it means is that requests coming into this policy are approved for further processing.
At this point, you will see the wizard’s Configure Authentication Methods screen. This screen displays a series of check boxes, each corresponding to a different authentication method. Go ahead and accept the defaults, as shown in Figure C, and click Next.
Figure C: Accept the default authentication methods, and click Next
Click Next, and you will see the Configure Constraints screen. We don’t want to add any constraints to this policy, so just click Next.
You will now see the wizard’s Configure Settings screen. This screen allows you to specify the settings that should be applied if a computer is granted access. In some of the earlier builds of Windows Server 2008, you were required to disable NAP enforcement so that client computers could gain access to the network. In the RTM release though, the NAP Enforcement setting is configured by default to allow full access to the network. That being the case, we can just click Next.
You should now see a screen displaying a summary of the configuration options that you have chosen for the policy. Assuming that everything looks correct, click Finish to create the policy.
Non-Compliant Computers
So far we have created a policy for compliant computers; now we have to create a similar policy for computers that are not compliant. To do so, right click on the console tree’s Network Policies container and select the New command from the resulting shortcut menu. This will cause Windows to launch the now familiar New Network Policy wizard.
As was the case before, the first thing that you must do is to enter a name for the new policy that you are creating. Let’s call this policy Noncompliant-Restricted. Once again, set the Type of Network Access Server option to Unspecified, and click Next.
You will now be taken to the wizard’s Conditions screen. When we created the network policy for compliant computers, we created a condition which required the computer to comply with the compliant policy that we had created in a previous part of this article series. Since this policy is for non compliant computers though, you must check to see if the client computer’s configuration matches the conditions defined in the NonCompliant policy. Specifically, this means checking to make sure that the Windows firewall is not enabled.
To do so, click the Add button, and Windows will display the Select Conditions dialog box. Choose the Health Policies option from the list, and click the Add button. Now, choose the NonCompliant option from the list of health policies, and click OK, followed by Next.
Windows will now display the wizard’s Specify Access Permission screen. Even though we are creating a restricted policy, you must still set the policy type to Grant Access. Remember that this does not grant access to the network, but rather allows further processing of the policy.
Click Next, and you will be taken to the wizard’s Configure Authentication Methods screen. Once again, just accept the default settings, and click Next.
At this point, you will see the Configure Constraints screen. We don’t need to configure any constraints, so just click Next.
You will now be taken to the wizard’s Configure Settings screen. So far everything that we have done to the policy for non compliant computers has been identical to what we did to the policy for compliant computers aside from specifying a different policy. If we left this policy the way that it is, then non compliant computers could end up gaining network access. Since we don’t want for that to happen, we need to use NAP enforcement to prevent network access.
To do so, select the NAP Enforcement container found in the list of settings. When you do, the Details pane will display various enforcement options. Select the Allow Limited Access option, and then select the Enable Auto Remediation of Client Computers check box (in some builds this check box is labelled Update Non Compliant Computers Automatically). Click Next, followed by Finish to create the new policy.
Conclusion
In this article, I have shown you how to create network policies for both compliant and for non compliant computers. In the next article in the series, we will conclude the server configuration.
Part D:-
Requesting a Certificate
We are using Protected EAP (PEAP) as the server side authentication mechanism. In order to make that happen, we need to acquire a computer certificate from the certificate authority that we created earlier in the series. To do so, enter the MMC command at the Run prompt. When the Microsoft Management Console opens, select the Add / Remove Snap-in command from the File menu. Next, choose the Certificates option from the list of snap-ins, and click the Add button followed by the Finish button.
The console will now display the Certificate Templates snap-in. Expand the Certificate Templates container (It takes a few minutes to expand), and then locate the Computer template in the Details pane. Right click on the Computer template, and then choose the Duplicate Template command from the shortcut menu.
Windows will now ask you if you want to create a Windows Server 2003 or a Windows Server 2008 certificate. Choose the Windows Server 2008 option, and click OK. At this point, Windows will display the Properties of New Template dialog box.
The first thing that you will have to do is to enter a name for the new template. You can call the template anything that you want, so long as it is something meaningful to you. For the purposes of this article, I am going to call this certificate template VPN. Now, set the validity period for the template, and then select the Publish Certificate in Active Directory check box and the Allow Private key to be Exported Check box.
Now, go to the Request Handling tab, and make sure that the Purpose option is set to Signature and Encryption. You should also select the Add Read Permissions to Network Service check box. Finally, go to the Security tab, and click the Add button. When Windows displays the Select Users, Computers, or Groups dialog box, make sure that the From this Location field lists the name of your domain. Enter the word Administrators into the Enter the Object Names to Select field, and click the Check Names button. Assuming that Windows is able to resolve the Domain Administrators group, click OK. Finally, grant the Allow Full Control permission to the Administrators group, and click OK.
Now, close the Certificate Templates console, and then choose the Certification Authority command from the server’s Administrative Tools menu. When you do, Windows will open the Certification Authority console. At this point, you must expand the container that matches the name of your server, and locate the Certificate Template container beneath it.
Right click on the Certificate Template container, and then choose the New | Certificate Template to Issue command from the resulting shortcut menu. When you do, Windows will display the Enable Certificate Templates. Scroll through the list of available templates until you locate the template that you have created. Select the template, and click OK.
You should now be able to associate the certificate template with the server. To accomplish this, enter the MMC command at the Run prompt. When the Microsoft Management Console opens, choose the Add / Remove Snap-ins command from the File menu. When Windows displays the list of available snap-ins, pick the Certificates snap-in from the list, and click the Add button.
Right now, Windows will ask you if you want to manage the certificates for your user account, a service account, or a computer account. It is very important that you choose the Computer Account option. Click Next, followed by Finish and OK, and Windows will display the Certificates console.
The last part of the process involves expanding the Certificates (Local Computer) container to reveal the containers beneath it. Now, right click on the Personal container, and choose the All Tasks | Request New Certificate command from the shortcut menu. This will cause Windows to launch the Certificate Enrollment Wizard.
Click Next to bypass the Wizard’s Welcome screen and you will see a screen that displays the various templates that are available for enrollment. Select the check box that corresponds to the template that you have just created, and then click the Enroll button. The enrollment process can take a couple of minutes to complete. When the enrolment completes, click the Finish button. You can now close the Certificates console.
Now that we have associated a certificate with our server, we have to configure our connection request policy to use it. To do so, open the Network Policy Server console, and navigate through the console tree to NPS (Local) | Policies | Connection Request Policies. When you do, the details pane should display a list of connection request policies that reside on the server. You should have a policy named NAP VPN or something similar that you configured earlier in this article series.
Right click on the NAP VPN connection request policy, and choose the Properties command from the resulting shortcut menu. When you do Windows will display the NAP VPN Properties sheet. Go to the properties sheet’s Settings tab, and click on the Authentication Methods option. You should now see Microsoft: Protected EAP (PEAP) listed in the EAP Types list, as shown in Figure A. If you do not see a listing for Microsoft: Protected EAP (PEAP), then click the Add button to add it.
Figure A: Microsoft Protected EAP should be listed in the EAP Types list
Now, select the listing for Microsoft Protected EAP (PEAP), and click the Edit button. Verify that the certificate that you requested earlier is selected. You should also verify that the Enable Fast Reconnects check box and the Enable Quarantine Checks check boxes are selected. The EAP Types field at the bottom of the screen should be set to Secure Password (EAP MSCHAP V2). If it isn’t, then click the Add button and add it. When you have finished, click OK. Click OK one more time to complete this process.
Conclusion
In this article, I have shown you how to request a computer certificate, and how to associate that certificate with your VPN server. In the next article in the series, I will continue the discussion by walking you through some more of the configuration process.
Introduction
In the previous part of this article series, I showed you how to establish a security group that can be used to designate which computers will be operated using Network Access Protection. In this article, I will conclude the series by showing you how to make a client computer a member of the group that you previously created, and we will perform some tests to make sure that remote access quarantine enforcement is going to be enabled. Finally, I will show you how to connect to your remote access VPN.
Adding Computers to the Group
Our next task that we have to perform is to add some client computers to the security group that we created in the previous article. Begin the process by opening the Active Directory Users and Computers console, and then selecting the container that bears the name of your domain. The reason why we are selecting this container is because we created the security group at the domain level, rather than placing it in the Users container.
When you select the domain level container, you should see the NAP Clients group displayed in the details pane. Double click on this group and Windows will open the group’s properties sheet. Go to the properties sheet’s Members tab and click the Add button. Now, enter the name of a client PC into the space provided. Next, click the Locations button and select the Computers container, and click OK. When Windows returns you to the Select Users, Contacts, Computers, or Groups screen, click the Check Names button to verify that Windows can find your client computer successfully. Click OK twice to complete the process.
Testing Your Group Policy Settings
Now that you have added a client computer to the security group that you have created, it is time to test the client computer to make sure that the NAP related group policy settings are in effect. Before you do though, go ahead and reboot the client machine, and then log in as a standard user.
Once you log in, open a Command Prompt window and enter the following command:
NETSH NAP CLIENT SHOW GROUPPOLICY
When you do, you should see a set of results similar to the ones that are shown in Figure A.
Figure A: Enter the NETSH NAP CLIENT SHOW GROUPPOLICY command at the Command Prompt
As you can see in the figure, there are several different types of enforcement clients built into Windows. This is because there are several different ways that NAP can be deployed. Being that we are using NAP to control access to a VPN server, the only enforcement client that we are interested in is the Remote Access Quarantine Enforcement Client. Look beneath the Remote Access Quarantine Enforcement Client, and ensure that the Admin line is set to Enabled, as shown in the figure above. The other enforcement clients should remain disabled in this particular configuration.
For the next test, enter the following command:
NETSH NAP CLIENT SHOW STATE
As you can see in Figure B, the output from this command is fairly long. Scroll through the output until you locate the Remote Access Quarantine Enforcement Client section. Verify that the Remote Access Quarantine Enforcement Client is initialized.
Figure B: Verify that the Remote Access Quarantine Enforcement Client is initialized
If both of these tests are successful, then the group policy settings related to NAP are successfully being applied to the client. If that is the case, then go ahead and close the Command Prompt window. Otherwise, you will need to go back and double check your configuration.
Creating a VPN Connection
The last step in the configuration process involves setting up our VPN connection to the Remote Access Server. The process for doing so is pretty simple. In Windows Vista, open the Control Panel, and then double click on the Network and Sharing Center icon. When the Network and Sharing Center opens, click the Setup a Connection or Network link, located in the Tasks pane. At this point, you will see a screen similar to the one shown in Figure C, asking you what type of connection you want to create.
Figure C: Choose the Connect to Workplace option, and click Next
Choose the Connect to a Workplace option, and click Next. If there are already network connections present, then Windows will ask you if you want to create a new connection or if you want to use an existing connection. Choose the option to create a new connection, and click Next.
The following screen asks you if you want to use your Internet connection, or if you want to create a direct dial connection. Choose the Use My Internet Connection (VPN) option. You will now be prompted to enter the Internet Address and the destination name. Enter either the RRAS server’s IP address or its URL into the Internet Address field, and then enter a description of the connection into the Destination Name field. You can see an example of this in Figure D. You should also select the Don’t Connect Now check box.
Figure D: Enter the RRAS server’s IP address and a description of the server that you are connecting to
Click Next, and you will be taken to a screen that gives you the option of entering your authentication credentials. Whether or not you save your credentials as a part of the connection’s attributes is up to you. When you are done, click the Create button, and the new connection will be created. Click Close to close the remaining dialog box.
Now that you have created a VPN connection, we have to configure some security settings. To do so, right click on the connection that you just created, and then choose the Properties command from the resulting shortcut menu.
When Windows opens the connection’s properties sheet, go to the Security tab, and select the Advanced option. Next, click the Settings button.
Windows will now display the Advanced Security Settings dialog box, shown in Figure E. Select the Require Encryption (Disconnect if Server Declines) option from the Data Encryption drop down list. Next, select the Use Extensible Authentication Protocol (EAP) option, and then choose the Protected EAP (PEAP) (Encryption Enabled) option from the Logon Security section.
Figure E: You must configure the connection to use PEAP
At this point, you must click the Properties button. When you do, Windows will display the Protected EAP Properties dialog box, shown in Figure F. Make sure that the Validate Server Certificate and the Connect to these Servers check boxes are selected. You should also make sure that the text box beneath the Connect to These Servers option contains a listing for the correct server.
Figure F: The authentication method must be set to EAP-MSCHAP V2
The middle section of the dialog box contains a list of various certificate authorities. For the sake of simplicity, go ahead and select the check boxes next to each listed certificate authority. In the lower section of the dialog box, you should ensure that the Select Authentication Method option is set to Secure Password (EAP-MSCHAP v2) and that the Enable Quarantine Checks check box is selected.
The next step in the process is to click the Configure button, and then select the Automatically Use My Windows Logon Name and Password (and Domain if Any) check box. Click OK four times to close the various dialog boxes.
Testing NAP
At this point, we are finally ready to put NAP to the test. As you may recall, you can require clients to meet any number of health criteria, but for demonstration purposes, we are only requiring the Windows Firewall to be enabled on the client machine. That being the case, open the Windows Security Center on the client machine, and turn the Windows Firewall off. When you are done, I recommend leaving the main Windows Security Center screen, shown in Figure G, open so that you can verify the status of the Windows Firewall.
Figure G: Ensure that the Windows Firewall is turned off
Now, open the Control Panel and double click on the Network and Sharing Center icon. When the Network and Sharing Center opens, click the Connect to a Network link. Next, Click on the VPN connection that you created earlier, and click the Connect button. When prompted, enter your authentication credentials, and click the Connect button. As Windows registers your computer on the network, the Windows Firewall should be automatically turned on, as shown in Figure H.
Figure H: NAP should automatically enable the Windows Firewall when the VPN connection is established
Conclusion
As you can see, configuring your Remote Access Server to use Network Access Protection is a rather tedious process. Even so, it is usually worth the effort, because doing so helps you to better ensure your network’s security.
Core server
Config remote desktop:-
One of the main ideas behind Windows Server 2008 Server Core is enhanced security: a lot of the extras in Server 2008 are stripped out, leaving an entirely command-line driven server operating system. As with any server, remote management is a big deal, so one of the first things you will want to do is to enable remote desktop.
Enabling remote desktop from Server Core is done by using the scregedit.wsf script. The command to do this is:
Cscript C:\windows\system32\scregedit.wsf /ar 0
This should do the trick. Don’t be misled however, just because you are enabling remote desktop doesn’t mean that you will get a full Windows desktop when logging in remotely. Logging in to Server Core will show the same command prompt you will see when logging in to the console.
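As an added example (not part of the original article), the following batch script enables Remote Desktop on Server Core and then reads the setting back so you can confirm what the server is actually configured to do. The /ar and /cs switches and their /v (view) form are documented scregedit.wsf options; the "Remote Desktop" firewall rule group name is assumed to be the one Windows Server 2008 ships with.

```batch
@echo off
REM Added example, not from the original article.
REM Enable Remote Desktop on a Server Core installation and verify the result.

REM /ar 0 allows remote administration connections (1 would deny them).
cscript C:\windows\system32\scregedit.wsf /ar 0

REM Read the effective value back; expect "0" to be reported.
cscript C:\windows\system32\scregedit.wsf /ar /v

REM /cs controls whether Network Level Authentication (CredSSP) is required.
REM Leave it at the default of 1 so that clients must authenticate before a
REM session is created; only view it here, do not lower it.
cscript C:\windows\system32\scregedit.wsf /cs /v

REM Assumption: the built-in firewall rule group is named "Remote Desktop".
REM Without this, the setting above is correct but nobody can connect.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
```

After the script runs, connect with a Remote Desktop client from another machine; a session on Server Core shows the same command prompt as the local console, exactly as described above.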
Domain controller configurations
In the earlier article Using the new Windows Server 2008 ServerManagerCmd.exe CLI tool to Add & Remove Server Roles, we covered a new Windows Server 2008 command line tool, ServerManagerCMD.exe. That tool is only available in the standard GUI installation of Windows Server 2008, not in the Windows Server 2008 CORE installation. This is because Server CORE does not have the .NET Framework, and ServerManagerCMD requires the .NET Framework.
As Windows Server 2008 CORE does not have any graphical interface, you must use command line tools only. Without ServerManagerCMD, the tools to use in Windows Server 2008 CORE to view, add, and remove roles are OCLIST and OCSETUP.
What are Roles?
Before I demonstrate how to use OCLIST and OCSETUP to administer server Roles, let’s first take a step back and answer what are Server Roles? I want to do this because the concept of Server Roles is new in Windows Server 2008.
Examples of Roles for your server are:
- DNS
- DHCP
- File Services
- Telnet Client
- Print Services
- (and more)
It is easy to add these roles in the Windows Server 2008 GUI, as in Figure 1, below.
Figure 1: Adding Roles with the Windows Server 2008 GUI
However, how are you going to view, add, and remove these roles when you are at the Windows Server 2008 CORE command prompt (with no GUI interface available)? How would you do it? Let’s find out...
What are OCLIST.exe & OCSETUP.exe?
Just as the concept of “Roles” is new in Windows Server 2008, you are offered a couple of new CLI tools to manage those Roles in Windows Server 2008 CORE.
Those tools are OCLIST.exe & OCSETUP.exe
With OCLIST, you can query the installed roles on your Windows Server 2008 CORE server by simply typing OCLIST at the command prompt, like this:
Figure 2: Showing installed Roles with OCLIST.exe
In Figure 2, the oclist command was run right after the Windows Server 2008 CORE server was installed. As you can see, there are a number of roles available but not installed. To install these roles, we use OCSETUP.
With OCSETUP.exe, you can do the following:
- Install & uninstall new Server 2008 CORE Roles
- Perform logging on the install of those roles
- Perform quiet or unattended installations
- Supply parameters to the installation routine
- And choose not to restart the server after an installation, even if it is required for the install to be complete
If you run OCSETUP.exe without any parameters, you will see a help screen, like this:
Figure 3: OCSETUP Help Screen shown when run with no parameters
How do I install a Windows Server 2008 CORE Role with OCSETUP?
To install a Windows Server 2008 CORE Role with OCSETUP, let’s look at an example. Let’s say that we wanted to install the Windows Server DHCP Role / Component. As we saw from the OCLIST output, above, the Windows Server DHCP role was not installed by default.
To install DHCP on our CORE server with OCSETUP, we do the following:
start /w ocsetup DHCPServerCore
Let’s examine this command line string, step by step:
- Optionally, we use the start command because it will open up a new CMD prompt window that we can use to monitor the progress of the install. Plus it frees our current CMD prompt window so that we can continue to do other things while the installation is happening.
- If we used the start command, we also use the /w (or /WAIT) switch with the start command so that the command prompt will wait for the command that is executed to terminate before closing the window. This way, we can see what happens with the installation.
- Of course, we use the OCSETUP command
- With the OCSETUP command, we specify what component we want to install. Each of the components has its own, specific, name. You can view the available component names in the output of the OCLIST command. In our case, we specified the name of the DHCP component, DHCPServerCore.
When you run this command, you won’t see ANY output, at all (unless you mistyped it). So, here is what a successful install looks like:
Figure 4: Results of DHCP Server Core Install with OCSETUP
That’s right, no real output. So how do you know if it was successfully installed? Easy, run OCLIST, like this:
Figure 5: Verifying a successful install using OCLIST
As you can see, the DHCPServerCore was successfully installed.
However, is the DHCP server fully functional at this point? No.
To get our DHCP server fully functioning, we need to configure a scope using the netsh command or using the MMC DHCP snap-in from a remote system.
Next, we need to set the DHCP service to start automatically using sc config dhcpserver start= auto (note the space after the equals sign; sc.exe requires it), then start the service manually for the first time with net start dhcpserver.
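The whole procedure from the install through the first working scope, as an added batch script that is not part of the original article. It assumes the oclist output format shown in Figure 5 (lines of the form Installed:DHCPServerCore and Not Installed:DHCPServerCore), and every address, mask and scope name in it is a constructed placeholder to replace with your own values.

```batch
@echo off
REM Added example, not from the original article.
REM Install the DHCP Server role on Server Core, verify it, make the service
REM start automatically, and create one activated scope with netsh.
setlocal

REM Constructed placeholder values for the example network.
set SCOPE_NET=192.168.10.0
set SCOPE_MASK=255.255.255.0
set RANGE_START=192.168.10.100
set RANGE_END=192.168.10.200
set ROUTER=192.168.10.1
set DNS=192.168.10.5

REM 1. Install the role. /w waits for ocsetup, which prints nothing on success.
start /w ocsetup DHCPServerCore

REM 2. Verify with oclist. A plain search for "Installed:DHCPServerCore" would
REM    also match "Not Installed:DHCPServerCore", so anchor the regex to the
REM    start of the line (assumed output format, see Figure 5).
oclist | findstr /r /c:"^ *Installed:DHCPServerCore" >nul
if errorlevel 1 (
    echo oclist does not report DHCPServerCore as installed - stopping.
    exit /b 1
)

REM 3. Service start-up. sc.exe needs the space after "start=".
sc config dhcpserver start= auto
net start dhcpserver

REM 4. Create the scope, add an address range, set router and DNS options,
REM    then activate it (set state 1). Nothing is handed out until activation.
netsh dhcp server add scope %SCOPE_NET% %SCOPE_MASK% "LAN scope" "Example scope"
netsh dhcp server scope %SCOPE_NET% add iprange %RANGE_START% %RANGE_END%
netsh dhcp server scope %SCOPE_NET% set optionvalue 003 IPADDRESS %ROUTER%
netsh dhcp server scope %SCOPE_NET% set optionvalue 006 IPADDRESS %DNS%
netsh dhcp server scope %SCOPE_NET% set state 1

REM 5. Show what was created so the result can be checked from the console.
netsh dhcp server show scope

endlocal
```

One caveat for domain members: a DHCP server that is not authorized in Active Directory will install and start but will not service clients, so on a domain-joined Core server authorize it (for example with netsh dhcp add server, or from the DHCP MMC snap-in on another machine) before expecting leases to be issued.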
What other common Windows Server 2008 CORE Roles can I install?
Some other common Core server roles are:
- DNS Server – DNS-Server-Core-Role
- File Server – FRS-Infrastructure
- Print Server – Printing-ServerCore-Role
For example, here is an install of the DNS Server Core Role:
Figure 6: Installation of the Windows Server 2008 Core DNS Server Role
You would then need to configure the DNS Server zones using the dnscmd CLI utility or remotely using the DNS MMC Snap-in.
Say that you did want to Uninstall the DNS Server role, you would run the same command with the /uninstall switch, like this:
Figure 7: Uninstall of the Windows Server 2008 Core DNS Server Role
As with this uninstall, some installs or uninstalls that are done will require you to reboot your Windows Server 2008 Core server. When that happens, you will see a pop-up message, like this:
Figure 8: Message that the Core server must be restarted before the changes take effect
What else do I need to know?
One important thing to note is this - if you want to make a Windows Server 2008 CORE system a Windows Active Directory domain controller (DC), then you should NOT use OCSETUP. Instead, you should use DCPromo to install or uninstall Windows Active Directory.
Summary
If you are using or plan on using Windows Server 2008 CORE, the OCLIST and OCSETUP command line utilities are necessary for any administrator to understand. With OCLIST, you can query the Windows Server 2008 CORE roles and components that are installed. With OCSETUP, you can add & remove the same Core Server Roles. When using Windows Server 2008 CORE, you must use these commands for Role administration as there aren’t any GUI tools available on the server. Additionally, the ServerManagerCMD CLI utility, available in normal (non-core) versions of Windows Server 2008, is not available in Windows CORE. Once these Roles are installed, they will still need to be started and configured using either local command line utilities or remote Windows MMC administrative tools.
For Date & time:
To set the date and time on a server running Windows 2008 Server Core, please follow these steps:
- On the server running a Server Core installation, type the following command at a command prompt:
Control timedate.cpl
This will fire up the Time and Date Control Panel applet (one of two .CPL survivors on Server Core…)
- In order to change the clock and date, press the Change Date and Time button.
- In order to change the time zone, press the Change Time Zone button.
- When done, press Ok to close the applet.
Active directory:
Installing Active Directory on Windows 2008 Server Core
In my previous articles (see list below) I have written about how, in Windows Server 2008, Server Core installation does not include the traditional full graphical user interface (GUI). Therefore, once you have configured the server, you can only manage it locally at a command prompt, or remotely using a Terminal Server connection. Read more about Server Core on my "Understanding Windows Server 2008 Server Core" article.
Server Core can host a few roles. See my "Managing Windows 2008 Server Core Server Roles" article for more info. One of these roles can be the Active Directory Directory Services (AD DS) role, where the server will act as a Domain Controller for an Active Directory domain. This Domain Controller (or DC for short) can be used as one of the following DC scenarios:
- The first DC in a new Active Directory Domain, inside a new Active Directory Forest
- An additional (replica) DC in an existing Active Directory Domain
- A Read Only DC (RODC) in an existing Active Directory Domain, in case you already have at least one regular DC running Windows Server 2008 in that domain
- The first DC in a new Active Directory Domain (child domain), under an existing Active Directory Tree, inside an existing Active Directory Forest
- The first DC in a new Active Directory Domain, as a new Active Directory Tree, inside an existing Active Directory Forest
The second part is the management of the specific Active Directory DS role that you're about to install on the core. That can be easily done from one of your regular Windows Server 2008 DCs, or even from a workstation computer running Windows Vista. Read more about it on my "Installing Remote Server Administrative Tools on Windows Vista" article.
The third part is the process of the installation of the Active Directory DS role. It is done through the Active Directory Domain Services Installation Wizard (DCPROMO.exe). It performs the following tasks:
- Installs Active Directory Domain Services (AD DS) on Windows Server 2008-based workgroup servers and member servers
- Removes AD DS from Windows Server 2008-based domain controllers
So, now let's go to the business of actually installing the role. In order to install Active Directory DS on your server core machine you will need to perform the following tasks:
- Configure an unattend text file, containing the instructions for the DCPROMO process
- Configure the right server core settings + meet the DCPROMO requirements
- Copy that file to the server core machine
- Run the DCPROMO process with the unattend file
- Reboot the computer
Configure an unattend text file
First, let's create the unattend, or answer, file. The unattend file is an ASCII text file that provides automated user input for each page of the Active Directory Domain Services Installation Wizard. One method of creating the unattend file is by editing a sample file you've created before or obtained from other sources (like this website). This is an example of such an unattend file. In this example you will create an additional DC for a domain called petrilab.local:
UserName=administrator
UserDomain=petrilab
Password=P@ssw0rd1
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=replica
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=P@ssw0rd1
RebootOnCompletion=yes
Another method is by creating it through the DCPROMO wizard that you've run on a different server. Read "Creating an Unattend Installation File for DCPROMO in Windows Server 2008" for more information.
Configure the right server core settings
After that you need to make sure the core machine is properly configured.
- Perform any configuration setting that you require (tasks such as changing the computer name, configuring the IP address, subnet mask, default gateway and DNS address, firewall settings, configuring remote desktop and so on).
- After changing the required server configuration, make sure that, for the task of making it a DC, you have the following requirements in place:
- A partition formatted with NTFS (you should, it's a server…)
- A network interface card, configured properly with the right driver
- A network cable plugged in
- The right IP address, subnet mask, default gateway
- The right DNS setting, in most cases, pointing to an existing internal DNS in your corporate network
Copy the unattend file to the server core machine
Now you need to copy the unattend file from wherever you've stored it. You can run it from a network location but I prefer to have it locally on the core machine. You can use the NET USE command on server core to map to a network path and copy the file to the local drive. You can also use a regular server/workstation to graphically access the core's C$ drive (for example) and copy the file to that location.
Run the DCPROMO process
Next you need to manually run DCPROMO. To run the Active Directory Domain Services Installation Wizard in unattended mode, use the following command at a command prompt:
dcpromo /unattend:<unattendfile>
Reboot the machine
In order to reboot the server core machine type the following text in the command prompt and press Enter.
shutdown /r /t 0
After the server comes back online you'll have yourself a new and shining DC running on a server core machine.
Running it all from one command line
Using an unattend file for DCPROMO is fine, and if you've prepared one handy it's quite easy. However, there's another method. DCPROMO will accept command line switches, and if provided correctly, it will use them to perform the required tasks. For example, running the following command:
Dcpromo /unattend /replicaOrnewDomain:replica
/replicaDomainDNSName:petrilab.local /ConfirmGC:yes
/username:petrilab\administrator /Password:*
/safeModeAdminPassword:P@ssw0rd1
will run DCPROMO and add the server as a Global Catalog server to the petrilab.local domain. The Directory Services Restore Mode password will be set to P@ssw0rd1. You will be asked to enter the domain administrator password when the command is run. The server will reboot itself as part of the install.
BTW, to see the full syntax of the promotion command, enter the following command. It will create a text file containing the required information and then open it.
Dcpromo /?:Promotion > promotion.txt & promotion.txt
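The same replica promotion as a checked batch file, added here as an example and not part of the original article: it verifies the prerequisites listed above (NTFS, network, DNS) before writing the answer file, and keeps the domain administrator password out of that file. The domain, NetBIOS name and site are the article's example values; the answer file name, the NTFS/route/SRV checks and the ACL on the file are assumptions of this example.

```batch
@echo off
setlocal
rem promote-replica.cmd: constructed example, not code from the article. It
rem promotes a Server Core machine to an additional (replica) DC of the
rem article's example domain petrilab.local, checking the listed prerequisites
rem first and keeping the domain admin password out of the on-disk answer file.
rem Assumed: NetBIOS domain name petrilab, site Default-First-Site-Name.

set DOMAIN=petrilab.local
set NETBIOS=petrilab
set UNATTEND=%SystemDrive%\dcpromo-replica.txt

rem --- Prerequisite 1: system drive must be NTFS (NTDS and SYSVOL live there)
fsutil fsinfo volumeinfo %SystemDrive%\ | find /i "File System Name : NTFS" >nul
if errorlevel 1 (
  echo [FAIL] %SystemDrive% is not formatted with NTFS
  exit /b 1
)

rem --- Prerequisite 2: IP, mask and default gateway in place (a default route exists)
netsh interface ipv4 show route | find "0.0.0.0/0" >nul
if errorlevel 1 (
  echo [FAIL] no default route: check cable, IP address and default gateway
  exit /b 1
)

rem --- Prerequisite 3: the configured DNS server must locate an existing DC
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>nul | find /i "svr hostname" >nul
if errorlevel 1 (
  echo [FAIL] DNS cannot locate a DC for %DOMAIN%: check the DNS server setting
  exit /b 1
)

rem --- Answer file. Password=* makes dcpromo prompt for the domain admin
rem password instead of reading it from disk. The DSRM password still has to
rem be written, so the file is locked to Administrators/SYSTEM (by SID, so the
rem ACL does not depend on the UI language) and deleted after dcpromo returns.
rem cmd cannot mask typed input, so enter the DSRM password at the local console.
set /p DSRM=Enter the Directory Services Restore Mode password: 
(
  echo [DCInstall]
  echo ReplicaOrNewDomain=replica
  echo ReplicaDomainDNSName=%DOMAIN%
  echo SiteName=Default-First-Site-Name
  echo UserDomain=%NETBIOS%
  echo UserName=administrator
  echo Password=*
  echo DatabasePath="%%SystemRoot%%\NTDS"
  echo LogPath="%%SystemRoot%%\NTDS"
  echo SYSVOLPath="%%SystemRoot%%\SYSVOL"
  echo InstallDNS=yes
  echo ConfirmGC=yes
  echo SafeModeAdminPassword=%DSRM%
  echo RebootOnCompletion=no
) > "%UNATTEND%"
icacls "%UNATTEND%" /inheritance:r /grant:r *S-1-5-32-544:F *S-1-5-18:F >nul

dcpromo /unattend:"%UNATTEND%"

rem Remove the answer file whatever happened, then verify by the artefact the
rem promotion leaves behind (the AD database) rather than by an exit code.
del /q "%UNATTEND%"
set DSRM=
if not exist "%SystemRoot%\NTDS\ntds.dit" (
  echo [FAIL] no %SystemRoot%\NTDS\ntds.dit was created; see %SystemRoot%\debug\dcpromo.log
  exit /b 1
)
echo [OK] promotion finished, rebooting to complete it
shutdown /r /t 0
```

RebootOnCompletion is set to no so the script can delete the answer file before it reboots the machine itself.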
To manage a server running a Server Core installation locally at a command prompt
- Start a server running a Server Core installation.
- Log on using an administrator account.
- At the command prompt, use the appropriate command-line tool for the task you want to complete.
To add hardware to Windows Server 2008
- If the driver for the hardware is included in Windows Server 2008, Plug and Play will start automatically and install the driver.
- At a command prompt, open the folder where the driver files are located, and then run the following command:
pnputil -i -a <driverinf>
Where: driverinf is the file name of the .inf file for the driver.
- If prompted, restart the computer.
To add a user to the local Administrators group
- At a command prompt, type:
net localgroup Administrators /add <domain>\<username>
To remove a user from the local Administrators group
- At a command prompt, type:
net localgroup Administrators /delete <domain>\<username>
To disable a device driver
- At a command prompt, type:
sc delete <service_name>
Where: service_name is the name of the service that you obtain by running sc query type= driver (see below).
To obtain a list of drivers that are installed on the server
- At a command prompt, type:
sc query type= driver
Note: You must include the space after the equal sign for the command to complete successfully.
To manage event logs
- To list event logs, type:
wevtutil el
- To query events in a specified log, type:
wevtutil qe <logname> /f:text
- To export an event log, type:
wevtutil epl <logname> <exportfile>
- To clear an event log, type:
wevtutil cl <logname>
To list the running services
- At a command prompt, type one of the following:
sc query
or
net start
To start a service
- At a command prompt, type one of the following:
sc start <service_name>
or
net start <service_name>
To stop a service
- At a command prompt, type one of the following:
sc stop <service_name>
or
net stop <service_name>
To forcibly stop a process
- At a command prompt, type:
taskkill /PID <processID>
To configure the firewall
- Use the netsh advfirewall command. For example, to enable remote management from any MMC snap-in, type the following:
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
Note: You can also use the Windows Firewall snap-in from a Windows Vista or Windows Server 2008 computer to remotely manage the firewall on a server running a Server Core installation. To do this, you must first enable remote management of the firewall by running the following command on the computer running a Server Core installation:
netsh advfirewall set currentprofile settings remotemanagement enable
Configure the paging file
- At a command prompt type:
wmic pagefileset where name="<path/filename>" set InitialSize=<initialsize>,MaximumSize=<maxsize>
Where:
- path/filename - is the path to and name of the paging file
- initialsize - is the starting size of the paging file in bytes.
- maxsize - is the maximum size of the page file in bytes.
To install an optional feature
- At a command prompt, type:
start /w ocsetup <featurename>
Note: Using /w prevents the command prompt from returning until the installation completes. Without /w, there is no indication that the installation completed.
Where featurename is the name of a feature from the following list:
- Failover Clustering: FailoverCluster-Core
- Network Load Balancing: NetworkLoadBalancingHeadlessServer
- Subsystem for UNIX-based applications: SUACore
- Multipath IO: MultipathIo
- Removable Storage: Microsoft-Windows-RemovableStorageManagementCore
- Bitlocker Drive Encryption: BitLocker
Note: To install the remote administration tool for BitLocker, type the following at a command prompt:
start /w ocsetup BitLocker-RemoteAdminTool
- Backup: WindowsServerBackup
- Simple Network Management Protocol (SNMP): SNMP-SC
- Windows Internet Name Service (WINS): WINS-SC
- Telnet client: TelnetClient
Note: To remove an optional feature, use start /w ocsetup with the appropriate role name and the /uninstall switch.
To reboot the server
- You can reboot the server by typing the following at a command prompt:
shutdown /r /t 0
To change the name of the server
- Determine the current name of the server with the hostname or ipconfig /all commands.
- At a command prompt, type:
netdom renamecomputer <ComputerName> /NewName:<NewComputerName>
Note: You can obtain the name of the server by running the hostname or ipconfig /all commands.
- Restart the computer.
To change the name of a domain-joined server
- At a command prompt, type:
netdom renamecomputer %computername% /NewName:<NewComputerName> /userd:<domain>\<username> /password:*
To set the administrative password
- At a command prompt, type the following:
net user administrator *
- When prompted to enter the password, type the new password for the administrator user account and press ENTER.
- When prompted, retype the password and press ENTER.
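An added example (not from the original page) that combines the firewall and event-log commands of this reference into one batch file for a Server Core box: it scopes the "Remote Administration" rules to a management subnet instead of any address, switches on the audit subcategories that record changes to the local Administrators group, and writes a short report with wevtutil. The subnet 10.0.0.0/24 and the report path are assumed values.

```batch
@echo off
setlocal
rem core-admin-audit.cmd: constructed example, not code from the article. It
rem applies the two firewall commands from the reference above, but scopes the
rem "Remote Administration" rule group to one management subnet instead of
rem any address, turns on the audit subcategories that record changes to the
rem local Administrators group, and writes a short report with wevtutil.
rem Assumed values: management subnet 10.0.0.0/24, report folder C:\audit.

set MGMT_NET=10.0.0.0/24
set REPORT=%SystemDrive%\audit\core-audit.txt
if not exist "%SystemDrive%\audit" mkdir "%SystemDrive%\audit"

rem 1. Remote MMC management, reachable only from the management subnet.
rem remoteip= in the "new" clause rewrites the scope of every rule in the group.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes remoteip=%MGMT_NET%
netsh advfirewall set currentprofile settings remotemanagement enable

rem 2. Without these subcategories the Security log never records 4732/4733
rem (member added to / removed from a security-enabled local group) or
rem 4720/4726 (user account created / deleted), so the report below is empty.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

rem 3. Report: current membership, and the newest 20 change events of each kind
rem (/rd:true returns newest first, /c:20 caps the count, /f:text is readable).
echo ==== Local Administrators on %COMPUTERNAME% ==== > "%REPORT%"
net localgroup Administrators >> "%REPORT%"
echo. >> "%REPORT%"
echo ==== Group membership changes, events 4732/4733 ==== >> "%REPORT%"
wevtutil qe Security /q:"*[System[(EventID=4732 or EventID=4733)]]" /c:20 /rd:true /f:text >> "%REPORT%"
echo. >> "%REPORT%"
echo ==== Accounts created/deleted, events 4720/4726 ==== >> "%REPORT%"
wevtutil qe Security /q:"*[System[(EventID=4720 or EventID=4726)]]" /c:20 /rd:true /f:text >> "%REPORT%"
echo. >> "%REPORT%"
echo ==== Firewall state of the active profile ==== >> "%REPORT%"
netsh advfirewall show currentprofile >> "%REPORT%"
echo Report written to %REPORT%
```

Run it once after building the box and again after every "net localgroup Administrators /add" you perform, and compare the two reports.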
What is different about Windows Server 2008 netsh vs. Windows XP?
There are a number of differences even at the core command level between the Windows XP version of netsh and the Windows Server 2008 netsh. To compare these, I ran “netsh /?” in each operating system. While Windows XP has “routing” listed as a context and Windows Server 2008 does not, that is the only context that Win 2008 lacks (and that is included in the Win 2008 RAS context). Otherwise, Windows Server 2008 has the following netsh context options available that Windows XP does not:
- dhcp
- dhcpclient
- http
- ipsec
- lan
- nap
- netio
- rpc
- winhttp
Thus, as you can see, there are many more "context" options available in Windows Server 2008.
With no more delay, let's get started with our top 10 Netsh commands that every admin should know.
#10 – How to get help
Every Windows admin should know how to get guided help with netsh. This is easy – just use the “/?” command to be guided through what you are trying to do. For example, to show all netsh contexts (categories of options), just type: netsh /?
Figure 1: Results of netsh /? help options
From there, you can select a context and be guided through configuring or showing options in that context. For example, say that I typed netsh lan /?, I would see:
Figure 2: Results of netsh lan /?
From there, I can continue with the guided help by running:
netsh lan show /?
And, from there, I would see that I can show interfaces with:
netsh lan show interfaces
Being able to guide yourself through the many netsh commands using /? is a very valuable skill.
#9 – Supplying remote machine names and credentials
If you run netsh /? you will see that you can supply the remote machine name & IP address and credentials for the remote machine you will run netsh against. The options are “-r” for the machine, “-u” for the username, and “-p” for the password. Here is an example:
netsh -r WinXP-1 -u winxp-1\administrator -p My!Pass1 interface ip show config
As you can see, I supplied the remote machine name, remote username, and password which allowed me to perform this command over the network. You can perform any of the commands shown here over the network as long as the remote machine supports that command (different operating systems will use different variations of commands).
#8 – Run Netsh in interactive mode or with a script
Netsh can be run either interactively (just you typing commands manually) or when using scripting. Say that you wanted to manually step through some commands on your local machine or remote machine. You could just start by typing netsh at the command line and you would see:
netsh>
From there, you can enter all the netsh commands you want, or even tell netsh to connect to a remote machine with set machine.
On the other hand, you could use netsh -f <scriptfile> and specify a script that netsh would use.
#7 – Open a port on your firewall
With netsh, you can quickly and easily open a port on your firewall if you know the right command. Here is an example of opening port 445:
netsh firewall set portopening tcp 445 smb enable
If the command was successful, you should get a response of “Ok.”
#6 – Export your current network configuration to a file and import it
With netsh, exporting and importing your IP address configuration is easy – unlike in the GUI interface. To export your configuration, just do:
netsh -c interface dump > test.txt
Figure 3: Export of IP address configuration and viewing the file
Later on this machine or on a different machine, you could import this configuration with:
netsh -f test.txt
#5 – Try out the latest Netsh uses
As mentioned above, there are a lot of new features in Windows Server 2008 as it pertains to netsh.
Here are the new categories that I see on my Windows Server 2008 system:
- dhcp
- dhcpclient
- http
- ipsec
- lan
- nap
- netio
- rpc
- winhttp
For example, you can configure not only your DHCP client but also your DHCP server. You can configure IPSec encryption, the network access protection (NAP) client, and many more!
As you add other roles & features to your server, you will have additional contexts available to you. For example, if you add the Network Policy Server to Windows Server 2008, you will have "nps" as a new netsh context that can be configured.
For the official Microsoft Windows Server 2008 netsh documentation, see this URL:
#4 – TCP/IP troubleshooting and interface resets
There are a number of things you can do with netsh to troubleshoot and reset your TCP/IP network interface. Here are some examples:
- Reset all IP protocol stack configurations on your interface and send the output to a log file: netsh int ipv4 reset resetlog.txt
- Install the TCP/IP protocol: netsh int ipv4 install
- Uninstall the TCP/IP protocol: netsh int ipv4 uninstall
#3 – Configure the Windows Advanced Firewall
In my previous article, How to Configure Windows 2008 Advanced Firewall with the NETSH CLI, I discussed how you can now configure the new Windows advanced (bi-directional) firewall using the new advfirewall networking context settings using netsh in Windows Server 2008 and Windows Vista. Of course, you can also configure the traditional Windows firewall. Here are some examples:
- Show all firewall rules - netsh advfirewall firewall show rule name=all
- Delete an inbound advanced firewall rule for port 21 - netsh advfirewall firewall delete rule name=all dir=in protocol=tcp localport=21
- Export Windows Advanced Firewall settings - netsh advfirewall export "c:\advfirewall.wfw"
Perhaps the most common command you might use is the command to enable or disable your Windows firewall, like this:
netsh firewall set opmode disable
or
netsh firewall set opmode enable
However, for more specific information & examples, please see my article, above.
#2 – Configure Wireless Settings
In another article, Configuring Windows Server 2008 & Windows Vista Wireless connections from the CLI using netsh wlan, I discussed how you can now configure wireless networking context settings using netsh in Windows Server 2008 and Windows Vista. Here are some examples:
- Connect to an already defined wireless network - netsh wlan connect ssid="mySSID" name="WLAN-Profil1"
- Show your current wireless settings - netsh wlan show settings
- Add an already exported wireless network profile - netsh wlan add profile filename="Wireless Network Connection-BOW.xml"
However, for more specific information, please see my article, above.
#1 – Configure your IP Address & Network interface settings
As netsh is the “network shell”, what better way to use it than to configure your basic network settings? Here are some examples:
- Show your IP address - netsh interface ip show config
- Set an interface to use DHCP for its IP address configuration - netsh interface ip set address name="Local Area Connection" source=dhcp
- Set an interface to use a static IP address for its IP address configuration - netsh interface ip set address "Local Area connection" static 10.0.0.9 255.0.0.0 10.0.0.1 1
- Or, add a DNS Server entry – netsh interface ip add dnsserver "Local Area Connection" 10.0.0.1
For more examples of configuring basic network settings with Netsh,
In Summary
The netsh command line utility has always been a very powerful tool for Windows Administrators. With the new features added in Windows Server 2008 and Windows Vista, netsh becomes an even more powerful utility. In this article, you saw that power demonstrated and I offered 10 commands that you should know concerning netsh.
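As an added example (not the author's code) that puts the export commands from #6 and #3 to defensive use: a batch file that records a baseline of the interface and firewall configuration and, on later runs, reports any drift from it with fc. The baseline folder and the three file names are assumptions of this example.

```batch
@echo off
setlocal
rem netsh-drift.cmd: constructed example, not code from the article. It reuses
rem the export commands from #6 and #3 above to snapshot the interface and
rem firewall configuration as text, then compares later snapshots with the
rem stored baseline so an unexpected change (a newly opened port, a changed
rem DNS server, a disabled profile) is reported line by line by fc.
rem Assumed baseline folder: C:\baseline. Usage: netsh-drift baseline | check

set BASE=%SystemDrive%\baseline
set NOW=%TEMP%\netsh-now

if /i "%~1"=="baseline" goto baseline
if /i "%~1"=="check" goto check
echo usage: %~nx0 baseline ^| check
exit /b 2

:baseline
if not exist "%BASE%" mkdir "%BASE%"
call :snapshot "%BASE%"
echo Baseline written to %BASE%
exit /b 0

:check
if not exist "%BASE%\interface.txt" (
  echo No baseline yet: run "%~nx0 baseline" on the known-good configuration first
  exit /b 2
)
if not exist "%NOW%" mkdir "%NOW%"
call :snapshot "%NOW%"
set CHANGED=0
for %%F in (interface fwrules fwprofiles) do (
  rem fc exits 0 when the files match, 1 when they differ, 2 on error
  fc "%BASE%\%%F.txt" "%NOW%\%%F.txt" >nul
  if errorlevel 1 (
    echo [DRIFT] %%F.txt differs from the baseline:
    fc "%BASE%\%%F.txt" "%NOW%\%%F.txt"
    set CHANGED=1
  )
)
rd /s /q "%NOW%"
if "%CHANGED%"=="1" exit /b 1
echo No drift detected
exit /b 0

:snapshot
rem %1 = target folder. "interface dump" is itself a netsh script, so the
rem baseline copy can be replayed with "netsh -f" to restore the IP settings.
netsh -c interface dump > "%~1\interface.txt"
netsh advfirewall firewall show rule name=all > "%~1\fwrules.txt"
netsh advfirewall show allprofiles > "%~1\fwprofiles.txt"
goto :eof
```

Schedule the check run (for example with schtasks) so the exit code 1 surfaces in your monitoring whenever the live configuration no longer matches the baseline.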