Setup DHCP NAP: Server Side Configuration

Network Access Protection can be implemented through various mechanisms. One of the easiest to set up is DHCP NAP. I frequently get this question: what is the purpose of Network Access Protection? In my personal opinion, NAP is geared towards making sure the client machines you manage in your network have a base level of protection before they are exposed to the network. It is not meant for preventing someone from getting onto the network.

These are two sides of the same coin. If you implement DHCP NAP with the intention of protecting your clients when they get onto the network, it serves its purpose. But if you want to prevent someone from getting an IP address because he is not part of your domain, you may want to look into Server Domain Isolation.

Anyway, not to confuse you further, the video below shows how to configure the Network Policy Server and DHCP Server on Windows Server 2008 to achieve DHCP NAP. The steps are reflected in an earlier document that I have shown. You can download the full step-by-step document here.

Video: Setup DHCP Nap: Server Side

http://cid-80195647fe07388f.skydrive.live.com/embedrowdetail.aspx/ServerSneaks/10.SetupDHCPNAP-ServerSide.wmv

/Dennis


What is Network Access Protection?

Also known as NAP. It provides a platform where administrators can ensure that clients that communicate on the network have a determined level of protection before they are allowed to communicate. In a previous blog post, I wrote about the 4 major pillars / processes of NAP: 4 big processes of NAP.

An IT Pro from Pluto implemented NAP in his office. Read about it here: Know the health level of your machines on the network– Pluto does…

Well, instead of a screencast containing demos and more demos, I decided that this time you should listen. 😉 If you need more details about NAP, visit NAP at http://www.microsoft.com/nap

Video: What is Network Access Protection?

http://cid-80195647fe07388f.skydrive.live.com/embedrowdetail.aspx/ServerSneaks/9.WhatisNAP.wmv

/Dennis

Installing DHCP Server in Windows Server 2008

Something simple for the night – Installing a DHCP Server in Windows Server 2008. You will see how much easier it is to have a working DHCP server running in a simple network.

In the past, I used to have to add the DHCP function in Add/Remove Programs -> Windows Components (Windows 2003), then go to Administrative Tools, DHCP, and authorize it in the domain. Next, I had to create a scope and activate it before IP addresses could be leased out.

In Windows Server 2008, those horrific steps have been simplified and are taken care of by Server Manager. No more running all over the place to load up a working DHCP server. Watch it and you will see how easy it is to load up.

Video: Installing DHCP Server for WS2008

http://cid-80195647fe07388f.skydrive.live.com/embedrowdetail.aspx/ServerSneaks/8.InstallingDHCPServer.wmv

/Dennis

DCPromo Server Core as a DC in existing Domain

Welcome to another dose of Sneak Peek. Chinese New Year is still on, but I have survived past the 3rd Day. It's 5am (4th Day) and I am kind of like "cannot sleep". Must have been the doses of Coke and Bak Kwa. 😉 Anyway, since I cannot sleep, I thought I might as well get some stuff done.

I cranked up my machine and ended up doing this blog post with a screencast.

Let's get into the subject proper. We have been looking at Server Core operations in the past videos. Now it would be good to have Server Core running as a Domain Controller. It is designed for handling that role. If you have also been reading about Windows Server 2008, there is a new type of Domain Controller, known as the Read-Only Domain Controller, aka RODC. Server Core + Active Directory (Read Only) is the perfect combination: the domain controller does its work, yet Active Directory stays protected in a Branch Office where physical security of that Read-Only Domain Controller is not possible.

It can be quite a challenge to install a DC into Server Core if you do not get any guidance or help. So here, I want to help you know how to install it. In the video, I used an answer file. To make it easy, you can copy and paste the following:

[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=insiders.com
; Use Replica for a writable DC, or ReadOnlyReplica for an RODC
ReplicaOrNewDomain=Replica
ReplicationSourceDC=dc1.insiders.com
SafeModeAdminPassword=P@ssw0rd
UserDomain=insiders.com
UserName=administrator
Password=P@ssw0rd
CreateDNSDelegation=No

Save it as an unattend.txt file and then fire off the command "dcpromo /unattend:unattend.txt" in Server Core. Watch the video for more explanation. Yawn, time to sleep.. 😉
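A pre-flight check for an answer file like the one above, as an added example that is not part of the original post. It flags a ReplicaOrNewDomain value that is not a single valid choice, passwords stored in cleartext, and the same password used for both the domain account and Directory Services Restore Mode; the function name and the wording of the findings are assumptions of this example, and POST_FILE is the post's file as published.

```python
import configparser

VALID_MODES = {"replica", "readonlyreplica", "domain"}

def check_answer_file(text):
    """Return a list of findings for a dcpromo [DCInstall] answer file."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in passwords
    cp.read_string(text)                                 # option names are lower-cased
    name = next((s for s in cp.sections() if s.lower() == "dcinstall"), None)
    if name is None:
        return ["no [DCInstall] section"]
    opts, findings = cp[name], []

    mode = opts.get("replicaornewdomain", "").strip()
    if mode.lower() not in VALID_MODES:
        findings.append(f"ReplicaOrNewDomain={mode!r}: pick exactly one of "
                        "Replica, ReadOnlyReplica, Domain")

    pw = opts.get("password", "")
    dsrm = opts.get("safemodeadminpassword", "")
    if pw and pw != "*":                  # '*' makes dcpromo prompt instead
        findings.append("Password is stored in cleartext; use Password=* to be prompted")
    if dsrm:
        findings.append("SafeModeAdminPassword is stored in cleartext; "
                        "restrict access to the file and delete it after promotion")
    if pw and pw != "*" and pw == dsrm:
        findings.append("domain account password is reused as the DSRM password")
    return findings

# The answer file exactly as published in the post.
POST_FILE = """\
[DCInstall]
InstallDNS=Yes
ConfirmGC=Yes
RebootOnCompletion=Yes
ReplicaDomainDNSName=insiders.com
ReplicaOrNewDomain=replica or readonlyreplica
ReplicationSourceDC=dc1.insiders.com
SafeModeAdminPassword=P@ssw0rd
UserDomain=insiders.com
UserName=administrator
Password=P@ssw0rd
CreateDNSDelegation=No
"""

if __name__ == "__main__":
    for finding in check_answer_file(POST_FILE):
        print("-", finding)
```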


Video: DCPromo a Server Core as DC in existing Domain
http://cid-80195647fe07388f.skydrive.live.com/embedrowdetail.aspx/ServerSneaks/7.DCPromoServerCoretoanExistingDomaing.wmv 

/Dennis

Oh no !! I deleted an OU by accident !!

Hey, who doesn't make mistakes? I met an IT Pro over the weekend, and he was telling me about a huge pain. He deleted an OU back in his office ACCIDENTALLY. Yup, not only did he do it by accident, he has another problem. He was quick fingered.. LOL. He struck "Enter" on a yes confirmation to delete. Yes, he now has to do an AD Authoritative restore to bring back his deleted OU.

Yup, painful. So, "Prevention is Better than Cure". Windows 2008 AD has a feature that helps prevent that from happening. Check the video. It shows you the new "Protect from Accidental Deletion" feature, and shows you what it takes to delete such an OU.


Video: Protect Accidental OU Deletion

http://cid-80195647fe07388f.skydrive.live.com/embedrowdetail.aspx/ServerSneaks/6.ADProtectAccidentalDeletion.wmv

If you guys are interested in seeing certain features here on Sneak Peeks, please send me an email: i-dchung@microsoft. I'll try my best to create that screencast for you.

/Dennis

Manage Server Core Remotely

We have been talking about Server Core recently: from installation and setup, to activating, and now remotely managing it.

Server Core, by default, has the firewall blocking all forms of access, making it secure to deploy by default. It's a change of model. In the past, we went through the process of locking a server down. Windows Server 2008 takes the other approach: it is totally locked by default, and you go through the process of unlocking.

Having said this, Server Core, when on the network, is totally locked. This can pose a challenge in managing Server Core for those who are not proficient with commands.

You can enable remote management for Server Core. In the video the following commands were used:

To enable Windows Firewall Remote Management

netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes

To enable remote Administration

netsh advfirewall firewall set rule group="Remote administration" new enable=yes

or

netsh advfirewall set currentprofile settings remotemanagement enable

Here are some other groups for your reference (Source):

MMC Snap-In                               Rule Group
----------------------------------------  ------------------------------------------------------------
Event Viewer                              Remote Event Log Management
Services                                  Remote Service Management
Shared Folders                            File and Printer Sharing
Task Scheduler                            Remote Scheduled Tasks Management
Reliability and Performance               "Performance Logs and Alerts" and "File and Printer Sharing"
Disk Management                           Remote Volume Management
Windows Firewall with Advanced Security   Windows Firewall Remote Management
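After unlocking, it is worth confirming that only the rule groups you meant to open are enabled. The following is an added example, not part of the original post: it reads the saved output of "netsh advfirewall firewall show rule name=all" and compares the enabled remote-management groups named above with an approved list. The function names and the approved set are assumptions of this example, and SAMPLE is constructed, trimmed to the fields the parser reads, and assumes the usual "Field: value" layout of that command's output.

```python
import re
# Rule groups the post names for remote management (compared case-insensitively).
MGMT_GROUPS = {g.lower() for g in (
    "Windows Firewall Remote Management", "Remote Administration",
    "Remote Event Log Management", "Remote Service Management",
    "File and Printer Sharing", "Remote Scheduled Tasks Management",
    "Performance Logs and Alerts", "Remote Volume Management")}

def enabled_groups(output):
    """Return the lower-cased groups that have an enabled inbound rule."""
    groups, rule = set(), {}
    for line in output.splitlines() + ["Rule Name: end"]:  # sentinel flushes last rule
        m = re.match(r"([A-Za-z ]+):\s+(.*\S)", line)
        if not m:
            continue                          # separator or blank line
        if m.group(1) == "Rule Name":         # previous rule is complete
            if rule.get("Enabled") == "Yes" and rule.get("Direction") == "In":
                groups.add(rule.get("Grouping", "").lower())
            rule = {}
        rule[m.group(1)] = m.group(2)
    return groups

def audit(output, approved):
    """Compare enabled management groups with the approved set."""
    approved = {g.lower() for g in approved}
    on = enabled_groups(output)
    return {"unexpected": sorted((on & MGMT_GROUPS) - approved),
            "missing": sorted(approved - on)}

# Constructed sample output (not captured from a real server).
SAMPLE = """\
Rule Name:                            Remote Event Log Management (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Remote Event Log Management

Rule Name:                            Remote Administration (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Remote Administration

Rule Name:                            Remote Volume Management - Virtual Disk Service (RPC)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Grouping:                             Remote Volume Management
"""
```

Calling audit(SAMPLE, {"Remote Event Log Management", "Remote Volume Management"}) reports Remote Administration as unexpected and Remote Volume Management as missing.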

Video: Manage your Server Core remotely

Download it>> http://cid-80195647fe07388f.skydrive.live.com/embedrowdetail.aspx/ServerSneaks/5.RemotelyManageyourServerCore.wmv

/Dennis

Activating Server Core without Internet Access

Every Windows Server 2008 installation needs to be activated, including Server Core. However, Server Core does not have a GUI to help you activate like in a full Windows installation. Therefore, it can be quite tricky to activate Windows Server 2008 installed as Server Core.

In Server Core, if you have Internet connection, use "slmgr.vbs -ato".

The video will show you how to activate Server Core if you do not have Internet connection.

Video: How to Activate Server Core

http://cid-80195647fe07388f.skydrive.live.com/embedrowdetail.aspx/ServerSneaks/4.ActivatingServerCore.wmv

/Dennis