Hack Attacks Testing How to Conduct Your Own Security Audit 5

Basic Windows 2000/Windows 2000 Server Configuration

Thanks to updated management utilities and a slightly enhanced user interface, Windows
2000 Server can be easily configured by using new and improved configuration
wizards. If this is your first boot-up of the new operating system, you’ll see the Configure
Your Server utility shown in Figure 1.1, which will facilitate some of the basic
configuration techniques. From the flexible interface at the left menu, simply choose
the services that you want to run on this server. We’ll start with Active Directory.

Figure 1.1 Windows 2000 Configure Your Server.

NOTE If this is not the first boot-up of the new operating system, and you’ve
elected not to be greeted by the configuration utility, you can retrieve it from
Start/Programs/Administrative Tools/Configure Your Server. It’s a good idea to
do that now so you can follow along here.

Active Directory

Active Directory stores information about network objects, such as user accounts and
shared printers, and provides access to that information. Security is integrated with
Active Directory through logon authentication and access control to objects in the
directory. With a single network logon, administrators can manage directory data and
organization throughout their network, and authorized network users can access
resources anywhere on the network. Policy-based administration eases the management
of even the most complex network.
To make this server a new domain controller, you must install Active Directory. A
domain controller in a Windows 2000 Server domain is a computer running Windows
2000 Server that manages user access to a network, which includes logons, authentication,
and access to the directory and shared resources. The Active Directory Installation
wizard configures this server as a domain controller and sets up the DNS if it is not
already available on the network. DNS is a system for naming computers and network
services; these names are organized into a hierarchy of domains. DNS is used in
TCP/IP networks, such as the Internet, to locate computers and services through user-friendly
names. When a user enters a DNS name in an application, DNS services can
resolve the name to other information associated with the name, such as an IP address.
You can use this wizard for the following scenarios:
No Existing Domain Controller. Sets up your server as the first domain controller
on the network.
Domain Controller Already on Network. Sets up your server as an additional
domain controller, a new child domain, a new domain tree, or a new forest. These entities
are defined in the following paragraphs.
An additional domain controller is a Windows 2000 domain controller installed into
an existing domain. All domain controllers participate equally in Active Directory
replication, but by default the first domain controller installed into a domain is
assigned ownership of at least three floating single-master operations. Additional
domain controllers installed into an existing domain do not assume ownership of these
operations by default.
A child domain is a domain located in the namespace tree directly beneath another
domain name (the parent domain). For example, example.microsoft.com would be a
child domain of the parent domain, microsoft.com. A child domain is also known as a
subdomain.
The domain tree is the hierarchical structure that is used to index domain names.
Domain trees are similar in purpose and concept to directory trees, which are used by
computer filing systems for disk storage. For example, when numerous files are stored
on disk, directories can be used to organize the files into logical collections. When a
domain tree has one or more branches, each branch can organize domain names used
in the namespace into logical collections.
A forest is a set of one or more trees that do not form a contiguous namespace. All
trees in a forest share a common schema, configuration, and global catalog. The trees
must trust one another through transitive, bidirectional trust relationships. Unlike a
tree, a forest does not need a distinct name. A forest exists as a set of cross-reference
objects and trust relationships known to the member trees. Trees in a forest form a hierarchy
for the purpose of trust.

NOTE To host Active Directory, you need a partition formatted with the
version of NTFS used in Windows 2000.

Creating a New Domain

To create a new domain, we’ll install Active Directory using the Active Directory
Installation wizard, which installs and configures components that provide Active
Directory service to network users and computers. In the menu listing of the configuration
utility shown in Figure 1.1, click the Active Directory icon to reach the screen
shown in Figure 1.2. At that screen, click Next; then click Start the Active Directory
Installation wizard shown in Figure 1.3. Click Next to continue.
Figure 1.2 Active Directory wizard front end.
Recall that a domain controller is a computer running Windows 2000 Server, which
stores directory data and manages user domain interactions, including user logon
processes, authentication, and directory searches. Windows 2000 Server domain controllers
provide an extension of the capabilities and features provided by Windows NT
Server 4.0 domain controllers. A domain can have one or more domain controllers. For
high availability and fault tolerance, a small organization using a single local area network
(LAN) might need only one domain with two domain controllers, whereas a
large company with many network locations would need one or more domain controllers
in each location.
A domain controller in Windows 2000 is also configured using the Active Directory
Installation wizard. Active Directory supports multimaster replication of directory data
between all domain controllers in the domain. Multimaster replication is an evolution
of the primary and backup domain controller (BDC) model used in Windows NT
Server 4.0, in which only one server, the primary domain controller (PDC), had a
read-and-write copy of the directory. Windows 2000 Server multimaster replication synchronizes
directory data on each domain controller, ensuring consistency of
information over time. Some changes are impractical to perform in a multimaster
fashion; therefore, only one domain controller, the operations master, accepts
requests for such changes. In any Active Directory forest, there are at least five different
operations master roles that are assigned to one or more domain controllers.
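The forest, tree, and child-domain relationships defined above, together with the operations master roles just described, are exactly what an auditor wants to see on paper before touching a domain controller. The following script is an added example and is not from the book or from Microsoft’s own tooling: it inventories the forest layout and lists which domain controller holds each of the five operations master roles, flagging any holder that no longer appears among the domain’s live domain controllers (a decommissioned role holder is a common finding in an audit). It assumes the ActiveDirectory PowerShell module, which shipped with later Windows Server releases and does not exist on Windows 2000 itself, and an account permitted to read the directory.

```powershell
# Added example (not from the book): inventory a forest's domain layout and
# its five operations master (FSMO) role holders with the ActiveDirectory
# module (RSAT / Windows Server 2008 R2 and later; not available on Windows 2000).
# Assumes a domain-joined machine and an account that can read the directory.
Import-Module ActiveDirectory

function Get-ForestLayout {
    $forest = Get-ADForest
    [pscustomobject]@{
        ForestRoot         = $forest.RootDomain          # first tree of the forest
        Domains            = $forest.Domains             # every domain in every tree
        SchemaMaster       = $forest.SchemaMaster        # forest-wide role
        DomainNamingMaster = $forest.DomainNamingMaster  # forest-wide role
    }
}

function Get-DomainRoleAudit {
    param([string]$DomainDnsName)
    $domain = Get-ADDomain -Identity $DomainDnsName
    # Host names of every domain controller the domain currently knows about
    $dcs = (Get-ADDomainController -Filter * -Server $DomainDnsName).HostName

    # The three domain-wide roles the first DC in a domain receives by default
    foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $holder = $domain.$role
        [pscustomobject]@{
            Domain         = $domain.DNSRoot
            Parent         = $domain.ParentDomain   # empty for a tree root
            Role           = $role
            Holder         = $holder
            # A holder missing from the DC list is a stale role assignment
            HolderIsLiveDC = ($dcs -contains $holder)
        }
    }
}

$layout = Get-ForestLayout
$layout
$layout.Domains |
    ForEach-Object { Get-DomainRoleAudit -DomainDnsName $_ } |
    Format-Table -AutoSize
```

Run it from any domain member with the module installed; the Parent column reproduces the child-domain relationships from the text, and a row with HolderIsLiveDC set to False means a role must be seized or transferred before that domain can process the changes the role owner is responsible for.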

Figure 1.3 Starting the Active Directory wizard.

Let’s create a new domain in Active Directory:
Step 1. Once Active Directory is installed, from the Configure Your Server utility,
click Active Directory; from the Active Directory window, choose the domain
controller type to create a new domain by selecting Domain controller for a new
domain; then click Next.
Step 2. In the next window, choose to create a new domain tree by selecting Create
a new domain tree; then click Next.
Step 3. Next, choose to create a new forest of domain trees by selecting Create a
new forest of domain trees; then click Next.
Step 4. Specify a name for the new domain by typing the full DNS name (see Figure
1.4); then click Next.
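The four wizard choices above (new domain, new domain tree, new forest, full DNS name) have a scripted equivalent on current Windows Server releases. The block below is an added example, not code from the book; it uses Microsoft’s ADDSDeployment module, which replaced dcpromo and does not exist on Windows 2000, and the domain names in it are constructed. It runs the prerequisite check first so that the NTFS and DNS requirements mentioned earlier are verified before the server is changed, and it prompts for the Directory Services Restore Mode password rather than embedding it in the script.

```powershell
# Added example (not from the book): create the first domain of a new forest
# with the ADDSDeployment module (Windows Server 2012 and later; Windows 2000
# had only the GUI wizard and dcpromo). Domain names here are constructed.
Import-Module ADDSDeployment

$DomainName  = 'example.microsoft.com'   # full DNS name, as typed in Figure 1.4
$NetbiosName = 'EXAMPLE'                 # legacy name for clients that lack DNS

# Directory Services Restore Mode password: prompt for it, never hard-code it
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password for the new forest'

# Dry run: checks prerequisites (NTFS paths, free space, DNS, credentials)
# without modifying the server. Inspect the result before promoting.
$precheck = Test-ADDSForestInstallation -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $dsrmPassword `
    -InstallDns
$precheck

if ($precheck.Status -eq 'Success') {
    # Promote: builds the forest root domain, i.e. the first tree of a new forest.
    # Database, log and SYSVOL paths must sit on an NTFS volume (see the NOTE above).
    Install-ADDSForest -DomainName $DomainName `
        -DomainNetbiosName $NetbiosName `
        -SafeModeAdministratorPassword $dsrmPassword `
        -InstallDns `
        -DatabasePath 'C:\Windows\NTDS' `
        -LogPath 'C:\Windows\NTDS' `
        -SysvolPath 'C:\Windows\SYSVOL' `
        -Force
}
```

Install-ADDSForest reboots the server when it finishes, the same as clicking Finish in the wizard; keep the DSRM password in your recovery documentation, because it is the only credential that works when the directory itself is offline.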
