Project Report-Nilabja Bhattacharya

Date post: 10-Jan-2017
Page 1: Project Report-Nilabja Bhattacharya

BHEL

(BHARAT HEAVY ELECTRICALS LIMITED)

PROJECT REPORT:

1. Re-designing, Prevention of Security Vulnerabilities and Session

Management in Contract Monitoring System, BHEL PSER

2. Configuring and Managing AD DS in Clustering Mode with DNS and

DHCP Server

Submitted by: Nilabja Bhattacharya

B. Tech in Information technology

Roll: 131011006039

6th Semester (2013-2017)

Jalpaiguri Government Engineering College

(Autonomous)

Submitted to: Mr. Amitava Chakrabarti

AGM (IT, SYSTEMS & MSX)

BHEL, PSER, KOLKATA


Acknowledgement

The training opportunity I had with BHEL, PSER IT department was a great chance

for learning and professional development. I am grateful for having a chance to meet

so many professionals who led me through this training period.

I express my deepest gratitude to Mr. Amitava Chakrabarti (AGM Head BHEL PSER/

IT,SYSTEMS &MSX) for allowing me to carry out the project at the esteemed

organization.

I perceive this opportunity as a big milestone in my career development. I will strive

to use gained skills and knowledge in the best possible way, and I will continue to

work on their improvement, in order to attain desired career objectives.

Sincerely,

Nilabja Bhattacharya

Information Technology

6th Semester

Jalpaiguri Government Engineering College

(Autonomous)


INDEX

1. Acknowledgement

2. About BHEL

History

Operations

Research and Development

Vision of BHEL

Mission of BHEL

Values of BHEL

Information Technology

3. Project Title

4. Project 1

Introduction

SQL Injection

Cross-Site Scripting

Session Management

Scope of Project

Objective of Project

Development Tools

System Specification

Software Requirement

Working Procedure

UML (Activity Diagram)

User Manual for Contract Monitoring System, BHEL,

PSER

User Manual for Admin User

User Manual for Employee User

5. Project 2

Introduction

Installing AD DS in Windows Server 2008

Setting Up PDC

Setting Up ADC

Installing DHCP Server in Windows Server 2008

Installing DNS Server in Windows 2008

System Specification

Server Specification

Client Specification

6. Conclusion

7. Bibliography

8. Annexure

Unit Testing

Vulnerability Testing


Bharat Heavy Electricals Limited (BHEL)

Bharat Heavy Electricals Limited (BHEL), owned by the Government of India, is a power plant equipment manufacturer and operates as an engineering and manufacturing company based in New Delhi, India. Established in 1964, BHEL is India's largest engineering and manufacturing company of its kind. The company has been earning profits continuously since 1971-72 and paying dividends uninterruptedly since 1976-77.

It has been granted the prestigious Maharatna (big gem) status in 2013 by Govt of

India for its outstanding performance. The elite list of maharatna contains another 6

behemoth PSU companies of India.

History

BHEL was established in 1964. Heavy Electricals (India) Limited was merged with BHEL in 1974. In 1982, it entered into power equipment, to reduce its dependence on the power sector. It developed the capability to produce a variety of electrical, electronic and mechanical equipment for all sectors, including transmission, transportation, oil and gas and other allied industries. In 1991, it was converted into a public limited company. By the end of 1996, the company had handed over 100 electric locomotives to Indian Railways and installed 250 hydro-sets across India.

Operations

BHEL is engaged in the design, engineering, manufacturing, construction, testing, commissioning and servicing of a wide range of products, systems and services for the core sectors of the economy, viz. power, transmission, industry, transportation, renewable energy, oil & gas and defence.

It has a network of 17 manufacturing units, 2 repair units, 4 regional offices, 8 service centres, 8 overseas offices, 15 regional centres, 7 joint ventures, and infrastructure allowing it to execute more than 150 projects at sites across India and abroad. The company has established the capability to deliver 20,000 MW p.a. of power equipment to address the growing demand for power generation equipment.

BHEL has retained its market leadership position during 2015-16 with 74% market share in the Power Sector. An improved focus on project execution enabled BHEL to record its highest ever commissioning/synchronization of 15059 MW of power plants in domestic and international markets in 2015-16, marking a 59% increase over 2014-15. With the all-time high commissioning of 15000 MW in a single year, FY2015-16, BHEL has exceeded a 170 GW installed base of power generating equipment.

It also has been exporting its power and industry segment products and services for over 40 years. BHEL's global references are spread across over 76 countries across all six continents of the world. The cumulative overseas installed capacity of BHEL manufactured power plants exceeds 9,000 MW across 21 countries including Malaysia, Oman, Iraq, UAE, Bhutan, Egypt and New Zealand. Their physical exports range from turnkey projects to after sales services.


Research and Development

BHEL's investment in R&D is amongst the largest in the corporate sector in India.

During the year 2012-13, the company invested about Rs. 1,252 Crore on R&D

efforts, which corresponds to nearly 2.50% of the turnover of the company, focusing

on new product and system developments and improvements in existing products for

cost competitiveness, higher reliability, efficiency, availability and quality etc. To

meet customer expectations, the company has upgraded its products to contemporary

levels through continuous in-house efforts as well as through acquisition of new

technologies from leading engineering organizations of the world. The IPR

(Intellectual Property Rights) capital of BHEL grew by 21.5% in the year, taking the

total to 2170.

The Corporate R&D division at Hyderabad leads BHEL’s research efforts in a number

of areas of importance to BHEL’s product range. Research & product development

(RPD) Groups for each product group at the manufacturing divisions play a

complementary role. BHEL has established Centres of Excellence for Simulators,

Computational Fluid Dynamics, Permanent Magnet Machines, Surface Engineering,

Machine Dynamics, Centre for Intelligent Machines and Robotics, Compressors &

Pumps, Centre for Nano Technology, Ultra High Voltage Laboratory at Corporate

R&D; Centre of Excellence for Hydro Machines at Bhopal; Power Electronics and

IGBT & Controller Technology at Electronics Division, Bengaluru, and Advanced

Fabrication Technology and Coal Research Centre at Tiruchirappalli.

BHEL has established four specialized institutes, viz., Welding Research Institute

(WRI) at Tiruchirappalli, Ceramic Technological Institute (CTI) at Bangalore, Centre

for Electric Traction (CET) at Bhopal and Pollution Control Research Institute (PCRI)

at Haridwar. Amorphous Silicon Solar Cell plant at Gurgaon pursues R&D in Photo

Voltaic applications.

Significantly, BHEL is one of the only four Indian companies and the only Indian

Public Sector Enterprise figuring in 'The Global Innovation 1000' of Booz & Co., a

list of 1,000 publicly traded companies which are the biggest spenders on R&D in the

world.

Vision of BHEL

They work with a vision of becoming a global engineering enterprise providing solutions for a better tomorrow.

Their greatest strength is their highly skilled and committed workforce of 48,399 employees. Every employee is given an equal opportunity to develop himself/herself and grow in his/her career. Continuous training and retraining, career planning, a positive work culture and a participative style of management have all engendered the development of a committed and motivated workforce, setting a new benchmark in terms of productivity, quality and responsiveness.


Mission of BHEL

Providing sustainable business solutions in the field of Energy, Industry and

Infrastructure.

Values of BHEL

Governance: We are stewards of our shareholders' investments and we take that

responsibility very seriously. We are accountable and responsible for delivering

superior results that make difference in lives of people we touch.

Respect: We value the unique contribution of each individual. We believe in respect

for human dignity and we respect the need to preserve the environment around us.

Excellence: We are committed to deliver and demonstrate excellence in whatever we

do.

Loyalty: We are loyal to our customer, to our company and to each other.

Integrity: We work with highest ethical standards and demonstrate a behaviour that is

honest, decent and fair. We are dedicated to the highest levels of personal and

institutional integrity.

Commitment: We set high performance standards for ourselves as individuals and our

teams. We honour our commitment in a timely manner.

Innovation: We constantly support development of newer technologies, products

improved processes, better services and management practices.

Team Work: We work together as a team to provide best solutions and services to our

customers. Through quality relationships with all stakeholders we deliver value to our

customer.


IT, Systems & MSX

BHEL PSER's Information Technology Department is committed to the integrity, confidentiality, availability and security of its information at all times, for the continuity and efficiency of IT functions and services, and to serving the needs of the organisation's vision, mission and values while meeting all regulatory requirements for a secure, pertinent and well-established IT and communication set-up that improves productivity, reduces processing time and protects the confidentiality and integrity of business information.

Key Processes of IT & Sys:
IT Budgeting

Procurement of IT Equipments

Sys Admin and Database Management

Network Management

IT Facility Management

Computerised System Development and

Maintenance

ISMS

E Waste Management

Key Processes of MSX:

Generation of MIRs

Preparation for Monthly Management Committee

Meeting

Corporate Reporting on Unit Performance


Project Title

1. Re-designing, Prevention of Security Vulnerabilities, and Session management

in Contract Monitoring System

2. Configuring and managing AD DS in Clustering Mode with DNS and DHCP

Server

Project 1

Introduction

In computer security, a vulnerability is a weakness which allows an attacker to

reduce a system's information assurance. Vulnerability is the intersection of three

elements: a system susceptibility or flaw, attacker access to the flaw, and attacker

capability to exploit the flaw.

Vulnerability management is the cyclical practice of identifying, classifying,

remediating, and mitigating vulnerabilities. This practice generally refers to software

vulnerabilities in computing systems.

A security risk is often incorrectly classified as a vulnerability; using the two words interchangeably leads to confusion. Risk is tied to the potential for a significant loss, so there can be vulnerabilities without risk, for example when the affected asset has no value. A vulnerability with one or more known instances of working, fully implemented attacks is classified as an exploitable vulnerability: a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was made available and deployed, or the attacker was disabled.

A resource (either physical or logical) may have one or more vulnerabilities that can

be exploited by a threat agent in a threat action. The result can potentially compromise

the confidentiality, integrity or availability of resources (not necessarily the vulnerable

one) belonging to an organization and/or others parties involved (customers,

suppliers).The so-called CIA triad is the basis of Information Security.

An attack can be active when it attempts to alter system resources or affect their

operation, compromising integrity or availability. A "passive attack" attempts to learn

or make use of information from the system but does not affect system resources,

compromising confidentiality.

OWASP depicts the same phenomenon in slightly different terms: a threat agent

through an attack vector exploits a weakness (vulnerability) of the system and the

related security controls, causing a technical impact on an IT resource (asset)

connected to a business impact.

Together, these elements (threat agent, attack vector, weakness, control, technical impact and business impact) are the risk factors of a risk scenario.


Common types of software flaws that lead to vulnerabilities include:

Memory safety violations, such as:

o Buffer overflows and over-reads

o Dangling pointers

Input validation errors, such as:

o Format string attacks

o SQL injection

o Cross-site scripting in web applications

o Directory traversal

o HTTP header injection

o HTTP response splitting

Race conditions, such as:

o Time-of-check-to-time-of-use bugs

o Symlink races

Privilege-confusion bugs, such as:

o Cross-site request forgery in web applications

o Clickjacking

o FTP bounce attack

Privilege escalation

User interface failures, such as:

o Warning fatigue or user conditioning

o Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it

o Race conditions

Our project deals with prevention of SQL Injection, prevention of Cross-Site

Scripting, and Session Management in Contract Monitoring System of BHEL PSER.


SQL Injection

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

Threat Modeling

SQL injection attacks allow attackers to spoof identity, tamper with existing data,

cause repudiation issues such as voiding transactions or changing balances, allow the

complete disclosure of all data on the system, destroy the data or make it otherwise

unavailable, and become administrators of the database server.

SQL Injection is very common with PHP and ASP applications due to the prevalence

of older functional interfaces. Due to the nature of programmatic interfaces available,

J2EE and ASP.NET applications are less likely to have easily exploited SQL

injections.

The severity of SQL Injection attacks is limited by the attacker’s skill and

imagination, and to a lesser extent, defense in depth countermeasures, such as low

privilege connections to the database server and so on. In general, consider SQL

Injection a high impact severity.

SQL Injection attacks are unfortunately very common, and this is due to two factors:

The significant prevalence of SQL Injection vulnerabilities

The attractiveness of the target (i.e., the database typically contains all the

interesting/critical data for your application).

SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. Avoiding SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.

Defenses against SQL injection are:

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries). This is the preferred defense: the query text is fixed and user input is bound only as data.

Option #2: Use of Stored Procedures (only when the procedure itself does not build dynamic SQL from its arguments; a procedure that concatenates its parameters into a query is just as injectable).

Option #3: Escaping all User Supplied Input (a last resort: escaping rules are database-specific and easy to get wrong, and escaping cannot protect identifiers such as table or column names).

Additional Defenses:

Also Enforce: Least Privilege (the application's database account should not own the schema or hold DBA rights, so that even a successful injection cannot drop tables or reach the file system).

Also Perform: White List Input Validation (mandatory for anything that cannot be bound as a parameter, such as a sort column or a table name).
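The two defenses above, shown side by side in an added example written for this page (it is not code from the BHEL project). The project is a Java/JDBC application, but the example uses Python's standard-library sqlite3 module so it runs offline; `?` placeholders bound through `execute(sql, params)` play the role of a JDBC PreparedStatement. The contracts table, its rows and the column names are constructed for the example and are not the Contract Monitoring System's schema. It also goes one step beyond the text to show the case parameters cannot cover, a user-chosen ORDER BY column, which is where the allowlist validation listed under Additional Defenses is mandatory.

```python
import sqlite3

# Constructed sample data standing in for a contract table. The table and
# column names are assumptions for this example, not the project's schema.
SAMPLE_ROWS = [
    ("WO-1001", "Vendor A", "Site X"),
    ("WO-1002", "Vendor B", "Site Y"),
    ("WO-1003", "Vendor C", "Site X"),
]

# Allowlist for identifiers: bind parameters cannot carry column names, so
# anything that lands in ORDER BY or a column list must be validated this way.
SORTABLE_COLUMNS = {"wo_no", "vendor", "site"}


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contracts (wo_no TEXT, vendor TEXT, site TEXT)")
    conn.executemany("INSERT INTO contracts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def contracts_by_vendor_vulnerable(conn: sqlite3.Connection, vendor: str) -> list:
    """Dynamic query built by concatenation: the input becomes part of the SQL
    grammar, so a quote in the input changes what the query means."""
    sql = "SELECT wo_no FROM contracts WHERE vendor = '" + vendor + "'"
    return [row[0] for row in conn.execute(sql)]


def contracts_by_vendor_safe(conn: sqlite3.Connection, vendor: str) -> list:
    """Parameterised query (the DB-API equivalent of a JDBC PreparedStatement):
    the input is bound as data and cannot alter the query structure."""
    sql = "SELECT wo_no FROM contracts WHERE vendor = ?"
    return [row[0] for row in conn.execute(sql, (vendor,))]


def contracts_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Identifier taken from user input, checked against an allowlist before
    it is spliced into the query text (parameters cannot be used here)."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT wo_no FROM contracts ORDER BY " + column  # safe: allowlisted
    return [row[0] for row in conn.execute(sql)]


def demo() -> dict:
    """Run the same inputs through both query styles and collect the results."""
    conn = setup_db()
    payload = "' OR '1'='1"  # classic tautology injection
    results = {
        "honest_vulnerable": contracts_by_vendor_vulnerable(conn, "Vendor A"),
        "honest_safe": contracts_by_vendor_safe(conn, "Vendor A"),
        # The concatenated query becomes
        #   ... WHERE vendor = '' OR '1'='1'   -> every row leaks
        "injected_vulnerable": contracts_by_vendor_vulnerable(conn, payload),
        # The bound query looks for a vendor literally named "' OR '1'='1"
        "injected_safe": contracts_by_vendor_safe(conn, payload),
    }
    try:
        contracts_sorted(conn, "vendor; DROP TABLE contracts")
        results["identifier_rejected"] = False
    except ValueError:
        results["identifier_rejected"] = True
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the honest input behaving identically in both versions, the tautology payload returning every work order from the concatenated query and nothing from the bound one, and the malformed sort column being rejected before it reaches the database. In the project's JDBC code the same split applies: `PreparedStatement` with `setString` for values, an allowlist for anything that becomes part of the SQL text.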


Cross-Site Scripting

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts

are injected into otherwise benign and trusted web sites. XSS attacks occur when an

attacker uses a web application to send malicious code, generally in the form of a

browser side script, to a different end user. Flaws that allow these attacks to succeed

are quite widespread and occur anywhere a web application uses input from a user

within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end

user’s browser has no way to know that the script should not be trusted, and will

execute the script. Because it thinks the script came from a trusted source, the

malicious script can access any cookies, session tokens, or other sensitive information

retained by the browser and used with that site. These scripts can even rewrite the

content of the HTML page.

Cross-Site Scripting (XSS) attacks occur when:

Data enters a Web application through an untrusted source, most frequently a

web request.

The data is included in dynamic content that is sent to a web user without being

validated for malicious content.

The malicious content sent to the web browser often takes the form of a

segment of JavaScript, but may also include HTML, Flash, or any other type of

code that the browser may execute. The variety of attacks based on XSS is

almost limitless, but they commonly include transmitting private data, like

cookies or other session information, to the attacker, redirecting the victim to

web content controlled by the attacker, or performing other malicious

operations on the user's machine under the guise of the vulnerable site.

XSS Prevention

XSS can be prevented in JSP by using the JSTL <c:out> tag or the fn:escapeXml() EL function when (re)displaying user-controlled input. This covers the whole request: headers, cookies, the URL, the body and parameters. User-controlled input that has been stored in the database also needs to be escaped when it is redisplayed; storing it unescaped and escaping on output is the normal pattern.

For example (with the JSTL core and functions tag libraries declared at the top of the page):

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<p><c:out value="${bean.userControlledValue}" /></p>
<p><input name="foo" value="${fn:escapeXml(param.foo)}"></p>

Both escape the characters which may malform the rendered HTML, <, >, ", ' and &, into character references (the JSTL implementation emits &lt;, &gt;, &#034;, &#039; and &amp;). Note that <c:out> escapes by default (escapeXml="true"), whereas a plain ${...} expression or a <%= %> scriptlet writes the value verbatim. This encoding is correct for the HTML body and attribute contexts only; a value placed inside a <script> block, an event-handler attribute or a URL needs the encoding for that context.

Session Management

The HTTP protocol and web servers are stateless: to the web server every request is a new request to process, and it cannot tell whether a request comes from a client that has sent requests previously.


But sometimes in web applications, we should know who the client is and process the

request accordingly. For example, a shopping cart application should know who is

sending the request to add an item and in which cart the item has to be added or who

is sending checkout request so that it can charge the amount to correct client.

A session is a conversational state between client and server and can span multiple requests and responses. Since HTTP and the web server are both stateless, the only way to maintain a session is to pass some unique information about the session (a session id) between server and client in every request and response.

There are several ways through which we can provide unique identifier in request and

response.

User Authentication – This is a very common way: the user provides authentication credentials on the login page and the authentication information is then passed between server and client to maintain the session. This is not a very effective method because it does not work if the same user is logged in from different browsers.

HTML Hidden Field – We can create a unique hidden field in the HTML and

when user starts navigating, we can set its value unique to the user and keep

track of the session. This method can’t be used with links because it needs the

form to be submitted every time request is made from client to server with the

hidden field. Also it’s not secure because we can get the hidden field value

from the HTML source and use it to hack the session.

URL Rewriting – We can append a session identifier parameter with every

request and response to keep track of the session. This is very tedious because

we need to keep track of this parameter in every response and make sure it’s

not clashing with other parameters.

Cookies – Cookies are small pieces of information sent by the web server in a response header and stored by the browser. When the client makes further requests, it adds the cookie to the request header and we can use it to keep track of the session. We can maintain a session with cookies, but if the client disables cookies, this won't work.

Session Management API – Session Management API is built on top of above

methods for session tracking.

Some of the major disadvantages of all the above methods are:

Most of the time we don’t want to only track the session, we have to store some

data into the session that we can use in future requests. This will require a lot of

effort if we try to implement this.

All the above methods are not complete in themselves, all of them won’t work

in a particular scenario. So we need a solution that can utilize these methods of

session tracking to provide session management in all cases.

Session in Java Servlet – HttpSession


The Servlet API provides session management through the HttpSession interface. We can get the session from the HttpServletRequest object using the following methods. HttpSession allows us to set objects as attributes that can be retrieved in future requests.

HttpSession getSession() – This method always returns an HttpSession object. It returns the session attached to the request; if the request has no session attached, it creates a new session and returns it.

HttpSession getSession(boolean create) – If create is true this behaves like getSession(); if create is false it returns the existing session, or null if the request has no valid session. Use getSession(false) wherever creating a session as a side effect is not wanted, for example when merely checking whether a user is logged in.

JSESSIONID Cookie

When HttpServletRequest getSession() creates a new session, it creates the new HttpSession object and also adds a cookie named JSESSIONID to the response, with the session id as its value. This cookie is used to identify the HttpSession object in further requests from the client. If cookies are disabled at the client side and we are using URL rewriting, the container uses the jsessionid value from the request URL to find the corresponding session. The JSESSIONID cookie is reserved for session tracking, so we should not use it for application purposes, to avoid session-related issues.

Two practical cautions follow from this. The session id is a bearer token, so it should be regenerated on login (invalidate the pre-login session and create a new one) to defeat session fixation. And URL rewriting should normally be disabled in production (the Servlet 3.0 session-config tracking-mode setting restricts tracking to cookies), because a session id carried in the URL ends up in server logs, browser history and Referer headers.
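The servlet container does the bookkeeping described above for you; the added example below (not code from the report, and a Python model rather than the servlet API so it runs stand-alone) shows the three properties a practitioner checks in any session implementation: an unguessable id, a fresh id issued at login, and an idle timeout, together with the cookie attributes the id should be sent with. SessionStore, the 30-minute timeout, the staff number and the cart attribute are assumptions constructed for the example; the name JSESSIONID is kept only to mirror the container's cookie.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Name kept as JSESSIONID to mirror the servlet container's cookie; the store
# itself is a stand-in for the container's HttpSession table (assumption).
COOKIE_NAME = "JSESSIONID"
IDLE_TIMEOUT = 30 * 60  # seconds; mirrors Tomcat's default 30-minute session-timeout


class SessionStore:
    """Server-side session table keyed by an unguessable random identifier."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # sid -> {"attrs": {...}, "last_seen": float}
        self._clock = clock  # injectable so the timeout can be exercised

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"attrs": {}, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the attribute dict, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._clock()
        return entry["attrs"]

    def login(self, old_sid, staff_number: str) -> str:
        """Bind the user to a *new* session id so an id chosen or observed
        before authentication (session fixation) is worthless afterwards."""
        carried = self.get(old_sid) or {}
        self.invalidate(old_sid)
        new_sid = self.create()
        self._sessions[new_sid]["attrs"].update(carried)
        self._sessions[new_sid]["attrs"]["staff_number"] = staff_number
        return new_sid

    def invalidate(self, sid) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps the id away from page scripts (the
    cookie theft XSS aims at), Secure keeps it off plaintext HTTP, and
    SameSite=Strict stops cross-site requests from carrying it."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


def demo() -> dict:
    """Walk through the session lifecycle with a controllable clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    pre_login = store.create()                   # anonymous session
    store.get(pre_login)["cart"] = ["WO-1001"]   # constructed attribute
    after_login = store.login(pre_login, "131011")  # constructed staff number
    result = {
        "id_rotated": after_login != pre_login,
        "old_id_dead": store.get(pre_login) is None,
        "staff_number": store.get(after_login)["staff_number"],
        "attr_carried": store.get(after_login)["cart"],
        "header": set_cookie_header(after_login),
    }
    now[0] += IDLE_TIMEOUT + 1                   # idle past the timeout
    result["expired"] = store.get(after_login) is None
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the servlet API the login step corresponds to `request.getSession(false)`, `invalidate()`, then `request.getSession(true)` and `setAttribute`, and the cookie attributes to the `<cookie-config>` element of web.xml (or Tomcat's `useHttpOnly` connector setting); the timeout is `<session-timeout>`. The example asserts the behaviour rather than the container's internals, which is what a review of the Contract Monitoring System's session handling would check.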

Scope

Project 1 aims at developing a secured Contract Monitoring System using:

SQL Injection Prevention

Cross Site Scripting (XSS) Prevention

Session Management

Redesigning the Contract Monitoring System in order to make it more presentable and accessible.

Objective

The objective of the project is to design and develop a secured Contract Monitoring System that provides:

SQL Injection Prevention using PreparedStatements within the code

Cross-Site Scripting (XSS) prevention using the fn:escapeXml() EL function when (re)displaying user-controlled input

Session Management, binding objects to the HttpSession instance and retrieving them with the setAttribute and getAttribute methods.

Development Tools

Platform (OS): Windows 10 Home Edition

Database: Oracle 12c

Database Connection: JDBC

Vulnerability Testing Tool: OWASP Zed Attack Proxy

Software Used:

Notepad++

Apache Tomcat 7.0


JDK 1.8 and JRE 8

System Specification

The hardware requirements list the components needed to develop the project. The minimum hardware requirements for development of this project are:

Hard Disk: Minimum 5 GB

Processor: Intel Core Dual Core

RAM: 128 MB

OS: Windows 98 or Linux

A steady Internet connection

These are the minimum hardware requirements for our project. We want the project to be usable on any type of computer, so we have taken minimum configurations; 128 MB of RAM and 5 GB of disk space are specified so that the project can be executed and stored in the least possible space.

Software Requirement

Software can be defined as the interface between the user and a computer. The software needed for the development of this project is:

Operating System: Any platform with an Internet-enabled web browser

Apache Tomcat: Apache Tomcat, often referred to as Tomcat, is an open-source web server developed by the Apache Software Foundation (ASF). Tomcat implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run.

Working Procedure


UML(Activity Diagram) of Contract Monitoring System


User Manual of Contract Monitoring System

User Guide for Admin User of BHEL

1. Steps to Enter New WO_Nos

1. Open the website of the BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD.

3. A list of items appears, the first option being EDIT/ENTER WO_Nos; click on it.

4. A second list appears with two options; click on Enter New WO_No.

5. Fill in the required information and save the details using the Save button.

6. You then have the option to enter the next record or sign out.


2. Steps to Enter Contract with existing WO_Nos

1. Open the website of the BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD.

3. A list of items appears, the first option being EDIT/ENTER WO_Nos; click on it.

4. A second list appears with two options; click on Enter Contract with Existing WO_No.

5. Select the Vendor and P_NO.

6. Fill in the required information and save the details using the Save button.

7. You then have the option to enter the next record or sign out.


3. Enter HOD Information

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on EDIT/ENTER HOD information

4. Click on Enter HOD Information

5. Click on Insert to insert HOD details then Press Save to save the Details.


4. Update or Delete HOD Information

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on EDIT/ENTER HOD information

4. Click on Enter HOD Information

5. Click on Select Department

6. Click on Select Site Name

7. Click on UPDATE HOD details or DELETE to delete HOD information


5. To Delete Data.

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on Delete Data option

4. Choose Vendor Name

5. Select PO_NO

6. Fill Up details and then click DELETE to delete the information.

7. Click DELETE NEXT DATA to delete next Data or Sign Out


6. To View SITE WISE VIEW REPORT

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on Site wise view Report


7. To View HOD INFORMATION

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on VIEW HOD Information


8. To View Vendor Wise Report

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on View Vendor Wise

5. Select the Vendor and click SUBMIT


9. To View Project Wise Report

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on View Project Wise

5. Select the Project site and click SUBMIT


10. To View Specific Date Wise Report

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on View Specific Wise

5. Select start and end dates and click SUBMIT


11. To View Project and Department Wise Report

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on View Project and Department Wise

5. Select Project Site Name and Department Name and click SUBMIT


12. To View Vendor Wise EMAIL Information

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on Total Email Reminder Report


User Guide for Employee

1. To View SITE WISE VIEW REPORT

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on Site wise view Report


2.To View HOD INFORMATION

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on VIEW HOD Information


3.To View Vendor Wise Report

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on View Vendor Wise

5. Select the Vendor and click SUBMIT


4. To View Project Wise Report

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on View Project Wise

5. Select the Project site and click SUBMIT


5. To View Specific Date Wise Report

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on View Specific Wise

5. Select start and end dates and click SUBMIT


6. To View Project and Department Wise Report

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on View Project and Department Wise

5. Select Project Site Name and Department Name and click SUBMIT


7. To View Vendor Wise EMAIL Information

1. Open the Website of BHEL Contract Monitoring System.

2. Enter STAFF NUMBER and PASSWORD

3. Click on VIEW REPORT

4. Click on Total Email Reminder Report


Project 2: Introduction

Active Directory Domain Services (AD DS)

Active Directory Domain Services (AD DS) is the distributed directory service that is included with Microsoft Windows Server operating systems. AD DS enables centralized, secure management of an entire network, which might span a building, a city, or multiple locations throughout the world.

AD DS includes the following:

AD DS on a Windows Server Network

Active Directory Lightweight Directory Services (AD LDS)

Structure and Storage Technologies

Domain Controller Roles

Replication Technologies

Search and Publication Technologies

Installation, Upgrade, and Migration Technologies

In distributed computing environments, networked computers and other devices communicate over remote connections to accomplish tasks through client/server applications. Distributed environments require a central repository of information and integrated services that provide the means to manage network users, services, devices, and additional information that administrators want to store. Organizations operating a distributed environment need a way to manage network resources and services. As the organization grows, the need for a secure and centralized management system becomes more critical. A directory service provides a centralized location in a distributed environment to store information about networked devices and services and the people who use them. A directory service also implements the services that make this information available to users, computers, and applications. A directory service is both a database storage system (directory store) and a set of services that provide the means to securely add, modify, delete, and locate data in the directory store.

AD DS is typically used for one of three purposes:

Internal directory. Used within the corporate network for publishing information about users and resources within the enterprise. A company's internal directory may be accessible to employees when they are outside the company network using a secure connection such as a virtual private network (VPN) connection, but it is not accessible to non-employees.

External directory. These are directories typically located on servers in the perimeter network or demilitarized zone (DMZ) at the boundary between the corporate local area network (LAN) and the public Internet. External directories are typically used to store information about customers, clients, and business partners who access external applications or services. They are also made available to customers, clients, and business partners to provide them with selected business information such as catalogs.

Application directory. Application directories store "private" directory data that is relevant only to the application in a local directory, perhaps on the same server as the application, without requiring any additional configuration to Active Directory. For example, personalization data that is of interest only to a portal application and does not need to be widely replicated can be stored solely in the directory associated with the application. This solution reduces replication traffic on the network between domain controllers.

AD DS on a Windows Server Network

AD DS is the information hub of the operating system. The following figure shows AD DS as the focal point of the Windows Server network, used to manage identities and broker relationships between distributed resources so that they can work together.

[Figure: Active Directory on a Windows Server Network]

Structure and Storage Technologies

AD DS uses domains and forests to represent the logical structure of the directory hierarchy. Domains are used to manage the various populations of users, computers, and network resources in your enterprise. The forest represents the security boundary for AD DS. Within domains you can create organizational units to subdivide the various divisions of administration.

The logical structure of AD DS includes a two-dimensional definition that can be viewed as a hierarchy, even though the objects themselves are stored in a flat database file. In addition to its own name, each object stores the name of the container directly above it in the hierarchy. That container object stores the name of its superior container, and so on, up to the root container. In this way, a logical structure is imposed that can be viewed by using AD DS tools as a tree of containers. By virtue of a hierarchical naming system, the objects in the tree appear to be nested inside (contained by) other objects.

The AD DS schema defines the types of objects that are available to the directory service. The schema is stored in the schema partition, which is also defined as an object in the directory. The attributes and classes in AD DS are stored in the schema partition as directory objects called schema objects. It is possible for administrators to add their own classes or attributes to an existing object type. However, the default schema provides all of the classes and attributes that AD DS needs to function.

AD DS uses objects to store and reference data in the directory. The AD DS database file (Ntds.dit) provides the physical storage of all AD DS objects for a single forest. Although there is a single directory, some directory data is stored within domains while other data is distributed throughout the forest, without regard for domain boundaries. Beginning with Windows Server 2003, data can also be distributed to domain controllers according to the applications that use the data, where the scope of distribution can be set according to the needs of the application.

Any updates made to data in the directory are automatically distributed to the appropriate domain controllers by means of AD DS replication. By replicating data according to directory partitions, AD DS provides a data repository that is logically centralized (maintains a single point of administration) but physically distributed (is synchronized on multiple domain controllers throughout the network).

Replication Technologies

Objects in the directory are distributed among the domain controllers in a forest, and all domain controllers can be updated directly. AD DS replication is the process by which the changes that are made on one domain controller are automatically synchronized with other domain controllers. Data integrity is maintained by tracking changes on each domain controller and updating other domain controllers in a systematic way. By default, AD DS replication uses a connection topology that is created automatically. This replication topology makes optimal use of physical network connections and frees administrators from having to determine which domain controllers replicate with one another. The replication topology can also be created manually. AD DS replication is designed to maximize directory consistency and minimize the impact on network traffic.

Domain Controller Roles

A domain controller is a server that has the AD DS server role installed. When you install Windows Server on a computer, you can choose to configure a server role for that computer. When you want to create a new forest, a new domain, or an additional domain controller in an existing domain, you configure the server as a domain controller by installing AD DS.

By default, a domain controller stores one domain directory partition, consisting of information about the domain in which it is located, plus the schema and configuration directory partitions for the entire forest. A domain controller can also store one or more application directory partitions.

Whereas every domain controller stores the objects for only one domain, a domain controller that is designated as a global catalog server stores the objects from all domains in the forest. For each object that is not in the domain for which the global catalog server is authoritative as a domain controller, a limited set of attributes is stored in a partial replica of the corresponding domain. The partial replicas on a global catalog server are not writable: you cannot update an object in a partial replica on a global catalog server, but only on a domain controller that stores a full replica. Thus a global catalog server stores its own full, writable domain replica (all objects and all attributes) plus a partial, read-only replica of every other domain in the forest. The attributes that are replicated to the global catalog servers are the attributes that are most likely to be used to search for the object in AD DS. These attributes are identified by default in the schema as being included in the partial attribute set of the global catalog.

The global catalog makes it possible for clients to search AD DS without having to be referred from server to server until the domain controller that holds the domain storing the requested object is found. By default, AD DS searches are directed to global catalog servers. The first domain controller in a forest is automatically created as a global catalog server. Thereafter, you can designate other domain controllers as global catalog servers if they are needed.

All domain controllers can receive updates to any writable object that they store (with the exception of schema updates, which can be made only on the one domain controller in the forest that has the role of schema master). The day-to-day operations that are associated with managing users, groups, and computers are typically multimaster operations; that is, changes to these objects can be made on any domain controller. When a client application updates an object on a domain controller, the domain controller automatically replicates the change to all other domain controllers in the same domain if the change is a domain change, or to all other domain controllers in the forest if the change is a configuration or schema change.

There are some operations, however, that are not performed as multimaster operations because they must occur at only one place and time. For these operations, there are specially designated domain controllers that manage the operations singly. Some single-master operations, required at the forest level, include the schema master and the domain naming master. Others, required at the domain level, include the PDC emulator, RID master, and infrastructure master. Domain controllers that hold these special roles are called operations masters.

Search and Publication Technologies

Successful operation of an AD DS forest depends on clients and services being able to locate domain controllers. The success of domain controller location depends on the registration of information in DNS and the availability of that information. AD DS uses DNS to locate networked computers by resolving computer names to IP addresses. The Net Logon service on domain clients and domain controllers interacts with Windows server application programming interfaces (APIs) and DNS to provide a domain controller locator service (Locator). Locator finds requested service-specific and site-specific domain controllers.

After a domain controller has been located, LDAP is used to retrieve information from the directory. AD DS stores objects that provide information about the real objects that exist in an organization's network and that are associated with one or more domains, such as users, specific groups of users, computers, applications, services, files, and distribution lists. AD DS makes this information available to administrators, network users, and applications throughout the organization through LDAP. LDAP enables clients to query, create, update, and delete information stored in a directory service. The LDAP protocol is the AD DS core protocol, and is the preferred and most common way of interacting with AD DS.

The creation, storage, and maintenance of information in AD DS is called service publication. Directory-enabled services and applications can publish globally useful information, such as service availability and properties, in AD DS. This allows client processes to find and connect to any directory-enabled service as needed, and network clients and administrators to find, connect to, and manage services.
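Since Locator only works when each domain controller's SRV records are actually present in DNS, the following added PowerShell script (not part of the report) checks that registration for every DC in the domain. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) is installed and that the host's resolver points at the domain's DNS servers.

```powershell
# Added example, not from the report: confirm that the SRV records the Locator
# depends on are registered in DNS for every domain controller.
# Assumptions: ActiveDirectory module is available and the local resolver can
# query the domain's DNS zone.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$forest = (Get-ADForest).RootDomain
$dcs    = Get-ADDomainController -Filter *

# Resolve one SRV name and return the host names that advertise it.
function Get-SrvTargets {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.TrimEnd('.') }
    } catch {
        # NXDOMAIN or no DNS reachable: nothing is advertised under this name
    }
}

$report = foreach ($dc in $dcs) {
    $dcName = $dc.HostName.TrimEnd('.')

    # Domain-wide LDAP and Kerberos records, plus the site-specific LDAP record
    # that clients in the DC's own site try first.
    $expected = @(
        "_ldap._tcp.dc._msdcs.$domain",
        "_kerberos._tcp.dc._msdcs.$domain",
        "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$domain"
    )
    # Only global catalog servers register the forest-wide _gc record.
    if ($dc.IsGlobalCatalog) { $expected += "_gc._tcp.$forest" }

    foreach ($name in $expected) {
        [pscustomobject]@{
            DomainController = $dcName
            Record           = $name
            Registered       = ((Get-SrvTargets $name) -contains $dcName)
        }
    }
}

# Rows with Registered = False mean clients may fail to locate a DC that is
# actually up; restarting the Net Logon service on that DC re-registers them.
$report | Where-Object { -not $_.Registered } | Format-Table -AutoSize
```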

Installation, Upgrade, and Migration Technologies

The installation or removal of AD DS is performed by the Active Directory Installation Wizard. Before installing AD DS on a server, the wizard verifies that the server is eligible to run AD DS. After the prerequisites have been met, a user interface is used to gather information specific to the environment in which AD DS will be installed. Finally, the wizard configures the directory service, making the server a domain controller.

Part of the directory configuration process includes configuring the AD DS schema. The schema contains a master list of all classes (object types) and attributes that can be used in the directory. The Active Directory Preparation Tool (ADPrep) is used to prepare an AD DS forest and domain for a newer version of the directory service. One of several tasks accomplished by ADPrep is updating the AD DS schema. If you do not prepare your AD DS infrastructure, the upgrade will fail.

After installing or upgrading AD DS, you can enable the appropriate domain or forest functional level based on an assessment of your current environment. The functional level of a domain or forest defines the set of advanced AD DS features that are available in that domain or forest. The functional level of a domain or forest also defines the set of Windows operating systems that can run on the domain controllers in that domain or forest. Functional levels provide configuration support for the AD DS features and ensure compatibility with domain controllers running earlier operating systems.

Depending on the design of your environment, you might opt to restructure it instead of upgrading. For example, if your Windows NT 4.0 environment consists of multiple domains, rather than upgrading each domain it might be more productive to restructure the environment by consolidating some of those domains. Or, if your Windows 2000 environment was poorly designed and you are upgrading your environment to Windows Server 2003, it might benefit you to restructure your existing environment before or after the upgrade takes place. You can perform either of these tasks by using the Active Directory Migration Tool (ADMT). ADMT includes wizards that automate migration tasks such as copying users, groups, and service accounts; moving computers; migrating trusts; and performing security translation. When you use ADMT to restructure Windows NT 4.0 domains, ADMT copies the accounts that are migrated, so that when the accounts are created in the target domain, they continue to exist in the source domain. The primary security identifiers (SIDs) for the accounts can be migrated to the SID history in the target domain. SID history maintains resource permissions when you migrate accounts, thus enabling access to resources in the source domain.

Another method for restructuring an AD DS environment is to rename a domain. You can use the domain rename process to change the names of your domains, and you can also use it to change the structure of the domain trees in your forest. This process involves updating the Domain Name System (DNS) and trust infrastructures as well as Group Policy and service principal names (SPNs).

The ability to rename domains provides you with the flexibility to make important name changes and forest structural changes as the needs of your organization change. Using domain rename, you can not only change the name of a domain, but you can also change the structure of the domain hierarchy, change the parent of a domain, or move a domain located in one domain tree to another domain tree.

Operations Masters

Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. AD DS defines five operations master roles: the schema master, domain naming master, relative identifier (RID) master, primary domain controller (PDC) emulator, and infrastructure master.

The following operations masters perform operations that must occur on only one domain controller in the forest:

Schema master

Domain naming master

The following operations masters perform operations that must occur on only one domain controller in a domain:

Primary Domain Controller (PDC) emulator

Infrastructure master

Relative ID (RID) master

A Primary Domain Controller (PDC) is a server computer in a Windows domain. A domain is a network of logically grouped computers to which access is controlled by the PDC. Various account types exist in the domain; the most basic is the "guest" or "anonymous login" account. The PDC has an administration account which has overall control of the domain resources.

Flexible Single Master Operation Roles (FSMO)

Active Directory has five special roles which are vital for the smooth running of AD as a multimaster system. Some functions of AD require an authoritative master to which all domain controllers can refer. These roles are installed automatically and there is normally very little reason to move them; however, if you decommission a DC and DCPROMO fails to run correctly, or you have a catastrophic failure of a DC, you will need to know about these roles in order to recover or transfer them to another DC.

The forest-wide roles must appear once per forest; the domain-wide roles must appear once per domain.

The Roles

There are five FSMO roles, two per forest and three in every domain. A brief summary of each role is given below.

Forest Wide Roles:

Schema Master

The schema is shared between every tree and domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.

Domain Naming Master

When a new domain is added to a forest, the name must be unique within the forest. The domain naming master must be available when adding or removing a domain in a forest.

Domain Wide Roles:

Relative ID (RID) Master

Allocates RIDs to DCs within a domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a domain SID (which is the same for all SIDs created in the domain) and a RID which is unique within the domain. When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.

PDC Emulator

The PDC emulator acts as a Windows NT PDC for backwards compatibility; it can process updates to a BDC. It is also responsible for time synchronisation within a domain. It is also the password master (for want of a better term) for a domain: any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password, the logon request is passed to the PDC emulator to check the password before rejecting the logon request.

Infrastructure Master

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The global catalogue is used to compare data, as it receives regular updates for all objects in all domains. Any change to user-group references is updated by the infrastructure master. For example, if you rename or move a group member and the member is in a different domain from the group, the group will temporarily appear not to contain that member.

Viewing and Transferring Roles

The roles can be viewed and transferred in the GUI or from the command line.

GUI View

Schema Master

To view the schema you must first register the schema master DLL with Windows. To do this, enter the following in the Run dialog of the Start menu:

regsvr32 schmmgmt.dll

Once you have done this, the schema master MMC snap-in will be available.

Active Directory Domains and Trusts

The domain naming master can be viewed and transferred from here.

Active Directory Users and Computers

The RID, PDC emulator and infrastructure master roles can be viewed and transferred from here.

NTDSUTIL

NTDSUTIL provides FSMO maintenance and the option to seize a role (covered in the FSMO Role Failure section below).

To transfer a role using ntdsutil, use the example below as a template for all the roles:

1. Open a command prompt.

2. Enter ntdsutil.

3. At the ntdsutil command prompt, enter roles.

4. At the fsmo maintenance prompt, enter connection.

5. At the server connections prompt, enter connect to server domaincontrollername.

6. At the server connections prompt, enter quit.

7. At the fsmo maintenance prompt, enter transfer schema master.

8. Quit from the console.

FSMO Role Failure

Some of the operations master roles are essential for AD functionality; others can be unavailable for a while before their absence will be noticed. Normally it is not the failure of the role, but rather the failure of the DC on which the role is running.

If a DC which is a role holder fails, you can seize the role on another DC, but you should always try to transfer the role first.

Before seizing a role you need to assess the duration of the outage of the DC which is holding the role. If it is likely to be a short outage due to a temporary power or network issue, then you would probably want to wait rather than seize the role.

Schema Master Failure

In most cases the loss of the schema master will not affect network users, and will only affect admins if modifications to the schema are required. You should, however, only seize this role when the failure of the existing holder is considered permanent.

Domain Naming Master Failure

Temporary loss of this role holder will not be noticeable to network users. Domain admins will only notice the loss if they try to add or remove a domain in the forest. You should, however, only seize this role when the failure of the existing holder is considered permanent.

RID Master Failure

Temporary loss of this role holder will not be noticeable to network users. Domain admins will only notice the loss if a domain they are creating objects in runs out of relative IDs (RIDs). You should, however, only seize this role when the failure of the existing holder is considered permanent.

PDC Emulator Master Failure

Network users will notice the loss of the PDC emulator. If the DC with this role fails, you may need to seize this role immediately. Only pre-Windows 2000 clients and NT4 BDCs will be affected. If you seize the role and later return the original DC to the network, you can transfer the role back.

Infrastructure Master Failure

Temporary loss of this role holder will not be noticeable to network users. Administrators will not notice the role loss unless they have recently moved or renamed large numbers of accounts. If you are required to seize the role, do not seize it to a DC which is a global catalogue server unless all DCs are global catalogue servers. If you seize the role and later return the original DC to the network, you can transfer the role back.
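The ntdsutil transfer procedure above and the transfer-before-seize rule of this section can be put together in one script. The following is an added PowerShell example, not the report's own procedure; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) is installed, and the name DC02 is a placeholder for the DC that should take over a role.

```powershell
# Added example, not from the report: list the five FSMO role holders, check
# whether each holder is reachable, apply the infrastructure master / global
# catalogue rule from the text, and show the PowerShell equivalents of the
# ntdsutil "transfer" and "seize" operations.
# Assumptions: ActiveDirectory module is available; $targetDc is a placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster          # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
    PDCEmulator          = $domain.PDCEmulator           # domain-wide
    RIDMaster            = $domain.RIDMaster             # domain-wide
    InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
}

# It is usually the DC holding the role, not the role itself, that fails, so a
# reachability check is the first step in deciding between transfer and seize.
$status = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    [pscustomobject]@{
        Role      = $role
        Holder    = $holder
        Reachable = (Test-Connection -ComputerName $holder -Count 1 -Quiet)
    }
}
$status | Format-Table -AutoSize

# Rule from the text: do not place the infrastructure master on a global
# catalogue server unless every DC is a global catalogue server.
$gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
$im      = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($im -and $im.IsGlobalCatalog -and $gcCount -lt $dcs.Count) {
    Write-Warning ("Infrastructure master {0} is a GC while {1} DC(s) are not; " +
                   "cross-domain references will not be updated.") -f $im.HostName, ($dcs.Count - $gcCount)
}

# Graceful transfer (both DCs online): the equivalent of ntdsutil's
# "transfer schema master". -WhatIf only reports what would happen; remove it
# to perform the transfer.
$targetDc = 'DC02'   # placeholder name of the destination DC
Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
    -OperationMasterRole SchemaMaster -WhatIf

# Seizure: only when the old holder's failure is considered permanent. -Force
# makes the cmdlet seize instead of transfer; -WhatIf guards it here too.
$pdc = $status | Where-Object { $_.Role -eq 'PDCEmulator' }
if (-not $pdc.Reachable) {
    Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
        -OperationMasterRole PDCEmulator -Force -WhatIf
}
```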

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway. RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many implementation details. DHCP allows hosts to obtain required TCP/IP configuration information from a DHCP server.

Why use DHCP?

Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources. Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be configured manually; IP addresses for computers that are removed from the network must be manually reclaimed.

With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation.

The network administrator establishes DHCP servers that maintain TCP/IP configuration information and provide address configuration to DHCP-enabled clients in the form of a lease offer. The DHCP server stores the configuration information in a database that includes:

Valid TCP/IP configuration parameters for all clients on the network.

Valid IP addresses, maintained in a pool for assignment to clients, as well as excluded addresses.

Reserved IP addresses associated with particular DHCP clients. This allows consistent assignment of a single IP address to a single DHCP client.

The lease duration, or the length of time for which the IP address can be used before a lease renewal is required.

A DHCP-enabled client, upon accepting a lease offer, receives:

A valid IP address for the subnet to which it is connecting.

Requested DHCP options, which are additional parameters that a DHCP server is configured to assign to clients. Some examples of DHCP options are Router (default gateway), DNS Servers, and DNS Domain Name.
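The database entries listed above (pool, exclusions, a reservation, the lease duration, and the Router, DNS Servers and DNS Domain Name options) map directly onto the Windows DHCP server cmdlets. The following is an added PowerShell example, not configuration from the report; it assumes the DhcpServer module (Windows Server 2012 or later RSAT) on the DHCP server, and every address, name and MAC in it is a constructed lab value.

```powershell
# Added example, not from the report: create one scope with the elements the
# text lists. Assumptions: DhcpServer module is installed; all addresses, names
# and the client MAC are constructed placeholders for a lab network.
Import-Module DhcpServer

$scopeId = '10.10.20.0'
$dnsName = 'corp.example'   # placeholder DNS Domain Name option value

# Pool of leasable addresses, with the lease duration clients must renew within.
Add-DhcpServerv4Scope -Name 'Lab subnet' -StartRange 10.10.20.10 -EndRange 10.10.20.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Excluded addresses: inside the pool range but never offered, so that the
# statically addressed servers that live there cannot collide with a lease.
Add-DhcpServerv4ExclusionRange -ScopeId $scopeId -StartRange 10.10.20.10 -EndRange 10.10.20.30

# Reservation: the client presenting this MAC always receives the same address.
Add-DhcpServerv4Reservation -ScopeId $scopeId -IPAddress 10.10.20.50 `
    -ClientId '00-11-22-33-44-55' -Name 'lab-printer01' -Description 'constructed example'

# Scope options handed out with the lease: Router (default gateway),
# DNS Servers, and DNS Domain Name.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router 10.10.20.1 `
    -DnsServer 10.10.20.5, 10.10.20.6 -DnsDomain $dnsName

# Verify what a client will receive, and which addresses are currently leased.
Get-DhcpServerv4OptionValue -ScopeId $scopeId | Format-Table OptionId, Name, Value -AutoSize
Get-DhcpServerv4Lease -ScopeId $scopeId | Format-Table IPAddress, ClientId, LeaseExpiryTime -AutoSize
```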

Benefits of DHCP

In Windows Server 2008, the DHCP Server service provides the following benefits:

Reliable IP address configuration. DHCP minimizes configuration errors caused by manual IP address configuration, such as typographical errors, or address conflicts caused by the assignment of an IP address to more than one computer at the same time.

Reduced network administration. DHCP includes the following features to reduce network administration:

o Centralized and automated TCP/IP configuration.

o The ability to define TCP/IP configurations from a central location.

o The ability to assign a full range of additional TCP/IP configuration values by means of DHCP options.

o The efficient handling of IP address changes for clients that must be updated frequently, such as those for portable computers that move to different locations on a wireless network.

o The forwarding of initial DHCP messages by using a DHCP relay agent, which eliminates the need for a DHCP server on every subnet.

Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical, decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed directory service, the Domain Name System is an essential component of the functionality of the Internet.

The Domain Name System delegates the responsibility of assigning domain names and mapping those names to Internet resources by designating authoritative name servers for each domain. Network administrators may delegate authority over subdomains of their allocated name space to other name servers. This mechanism provides a distributed and fault-tolerant service and was designed to avoid a single large central database.

The Domain Name System also specifies the technical functionality of the database service which is at its core. It defines the DNS protocol, a detailed specification of the data structures and data communication exchanges used in the DNS, as part of the Internet Protocol Suite.

Historically, other directory services preceding DNS were not scalable to large or global directories, as they were originally based on text files, prominently the HOSTS.TXT resolver. The Domain Name System has been in use since the 1980s.

The Internet maintains two principal namespaces, the domain name hierarchy and the Internet Protocol (IP) address spaces. The Domain Name System maintains the domain name hierarchy and provides translation services between it and the address spaces. Internet name servers and a communication protocol implement the Domain Name System. A DNS name server is a server that stores the DNS records for a domain; a DNS name server responds with answers to queries against its database.

The most common types of records stored in the DNS database are for Start of Authority (SOA), IP addresses (A and AAAA), SMTP mail exchangers (MX), name servers (NS), pointers for reverse DNS lookups (PTR), and domain name aliases (CNAME). Although not intended to be a general purpose database, DNS can store records for other types of data for either automatic lookups, such as DNSSEC records, or for human queries such as responsible person (RP) records. As a general purpose database, the DNS has also been used in combating unsolicited email (spam) by storing a real-time blackhole list. The DNS database is traditionally stored in a structured zone file.

Function

An often used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 93.184.216.119 (IPv4) and 2606:2800:220:6d:26bf:1447:1097:aa7 (IPv6). Unlike a phone book, DNS can be quickly updated, allowing a service's location on the network to change without affecting the end users, who continue to use the same host name. Users take advantage of this when they use meaningful Uniform Resource Locators (URLs) and email addresses without having to know how the computer actually locates the services.

Additionally, DNS reflects administrative partitioning. For zones operated by a registry, also known as public suffix zones, administrative information is often complemented by the registry's RDAP and WHOIS services. That data can be used to gain insight on, and track responsibility for, a given host on the Internet.

An important and ubiquitous function of DNS is its central role in distributed Internet services such as cloud services and content delivery networks. When a user accesses a distributed Internet service using a URL, the domain name of the URL is translated to the IP address of a server that is proximal to the user. The key functionality of DNS exploited here is that different users can simultaneously receive different translations for the same domain name, a key point of divergence from a traditional "phone book" view of DNS. This process of using DNS to assign proximal servers to users is key to providing faster response times on the Internet and is widely used by most major Internet services today.

Setting Up Your Primary Domain Controller (PDC) With Windows Server 2008

Active Directory has no true primary/backup split; every writable domain controller is a peer. The first DC in a new forest does hold the PDC emulator and the other operations master roles, which is why this walkthrough calls it the PDC.

1. If you have set up a domain controller previously with Windows 2000 Server or Windows Server 2003, you will be familiar with the dcpromo.exe command; it is also used to set up a domain controller on Windows Server 2008. To use the command, click Start > Run, type dcpromo and click OK.

2. The system checks whether the Active Directory Domain Services (AD DS) binaries are installed and installs them if they are not. They may already be present if you ran dcpromo previously and cancelled the operation after the binaries were installed.

Page 48: Project Report-Nilabja Bhattacharya

3. The Active Directory Domain Services Installation Wizard will start. Either enable the checkbox beside Use advanced mode installation and click Next, or keep it unselected and click Next.

The following table lists the additional wizard pages that appear for each deployment configuration when you select the Use advanced mode installation check box.

Deployment configuration                                        | Advanced mode installation wizard pages
----------------------------------------------------------------|--------------------------------------------------------------------------
New forest                                                      | Domain NetBIOS name
New domain in an existing forest                                | Domain NetBIOS name; Source Domain Controller. On the Choose a Deployment Configuration page, the option to create a new domain tree also appears only in advanced mode installation.
Additional domain controller in an existing domain              | Install from Media; Source Domain Controller; Specify Password Replication Policy (for RODC installation only)
Create an account for a read-only domain controller (RODC)      | Specify Password Replication Policy
Attach a server to an account for an RODC installation          | Install from Media; Source Domain Controller

4. The Operating System Compatibility page will be displayed, take a moment

to read it and click Next

5. Choose Create a new domain in a new forest, Click Next

6. Enter the Fully Qualified Domain Name of the forest root domain inside the

textbox, click Next

7. If you selected Use advanced mode installation on the Welcome page,

the Domain NetBIOS Name page appears. On this page, type the NetBIOS

name of the domain if necessary or accept the default name and then

click Next.

8. Select the Forest Functional Level, choose the level you desire and click

on Next. Make sure to read the description of each functional level to

understand the difference between each one.

9. In the previous step, If you have selected any Forest Functional Level other

than Windows Server 2008 and clicked on Next , you would then get a page to

select the Domain Functional Level. Select it and then click on Next

10. On the Additional Domain Controller Options page you can choose to install the DNS Server role on this server. The first domain controller in a forest must be a global catalog, so the Global Catalog checkbox is selected and cannot be cleared. The checkbox is also selected by default when you install an additional domain controller in an existing domain, but there you can clear it if you do not want the additional domain controller to be a global catalog server. The first domain controller in a new forest or in a new domain cannot be a Read-Only Domain Controller (RODC); you can add an RODC later, but you must have at least one writable Windows Server 2008 domain controller first.

I want to set my DC as a DNS server as well, so I keep the checkbox beside DNS Server selected and click Next.

11. If the wizard cannot create a delegation for the DNS server, it displays a

message to indicate that you can create the delegation manually. To continue,

click Yes

12. Now you will have the location where the domain controller database, log files

and SYSVOL are stored on the server.

The database stores information about the users, computers and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the Windows directory.

Either type or browse to the volume and folder where you want to store each,

or accept the defaults and click on Next

13. In the Directory Services Restore Mode Administrator Password (DSRM)

page, write a password and confirm it. This password is used when the domain

controller is started in Directory Services Restore Mode, which might be

because Active Directory Domain Services is not running, or for tasks that

must be performed offline.

Make sure you record this password somewhere safe, such as a password vault; many administrators have forgotten it by the time they needed it most. If it is lost, it can be reset later from an elevated prompt on the domain controller with ntdsutil ("set dsrm password"), but only while AD DS is running normally.

The password must meet the password complexity requirements of the password policy, that is, a combination of uppercase and lowercase letters, numbers, and symbols; otherwise the wizard rejects it with an error message.

14. The Summary page lists all the settings you have chosen. It also offers to export them to an answer file for use with unattended installations: if you want such a file, click Export settings and save it. The export leaves out the DSRM password, so supply it when you run the unattended installation (dcpromo /unattend:<file> accepts /SafeModeAdminPassword:<password> on the command line).

15. DNS Installation will start

16. Followed by installing Group Policy Management Console, the system will

check first if it is installed or not.

17. The wizard configures the local computer to host Active Directory Domain Services; the remaining operations set up this server as a domain controller.

18. Active Directory Domain Services installation will be completed,

click Finish, then click on Restart Now to restart your server for the changes to

take effect.

19. Once the server has rebooted and you log on, click Start > Administrative Tools; you will notice that the following have been installed:

Active Directory Domains and Trusts

Active Directory Sites and Services

Active Directory Users and Computers

ADSI Edit

DNS

Group Policy Management

Summary

Setting up a domain controller in Windows Server 2008 to install Active Directory Domain Services is performed by running the dcpromo command. It has some new options such as Advanced mode installation and exporting settings to an answer file. The next section shows how to set up an additional domain controller with Windows Server 2008.
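The walkthrough above is all mouse clicks. The following is an added example, not from the original report or the article it follows, showing the same forest-root promotion (steps 1 to 18) as an unattended dcpromo run on Windows Server 2008 / 2008 R2, which is what you want for a repeatable build. The forest name, NetBIOS name, paths and password length are assumptions; the answer-file keys are the ones dcpromo itself writes when you click Export settings (step 14).

```powershell
# Added example (not the report's own code). Assumed names: corp.example.com / CORP.

function New-DsrmPassword {
    param([int] $Length = 20)
    # Meets the complexity rule from step 13: one character from each class, the rest
    # random, then shuffled. Ambiguous glyphs (0/O, 1/l/I) are left out on purpose.
    $upper = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower = [char[]]'abcdefghijkmnopqrstuvwxyz'
    $digit = [char[]]'23456789'
    $symb  = [char[]]'!@#$%^&*-_=+'
    $chars = @(($upper | Get-Random), ($lower | Get-Random), ($digit | Get-Random), ($symb | Get-Random))
    $all   = $upper + $lower + $digit + $symb
    $chars += 1..($Length - 4) | ForEach-Object { $all | Get-Random }
    return -join ($chars | Get-Random -Count $chars.Count)
}

function New-DcPromoAnswerFile {
    param(
        [Parameter(Mandatory=$true)] [string] $ForestFqdn,   # e.g. corp.example.com (assumed)
        [Parameter(Mandatory=$true)] [string] $NetbiosName,  # e.g. CORP (assumed)
        [Parameter(Mandatory=$true)] [string] $DsrmPassword,
        [string] $Path = "$env:TEMP\dcpromo-forest.txt",
        [int] $ForestLevel = 3,   # 3 = Windows Server 2008, 4 = Windows Server 2008 R2
        [int] $DomainLevel = 3
    )
    $lines = @(
        '[DCInstall]',
        'ReplicaOrNewDomain=Domain',
        'NewDomain=Forest',
        "NewDomainDNSName=$ForestFqdn",
        "ForestLevel=$ForestLevel",
        "DomainNetbiosName=$NetbiosName",
        "DomainLevel=$DomainLevel",
        'InstallDNS=Yes',
        'ConfirmGc=Yes',            # the first DC in a forest must be a global catalog (step 10)
        'CreateDNSDelegation=No',   # step 11: a new forest has no parent zone to delegate from
        'DatabasePath="C:\Windows\NTDS"',
        'LogPath="C:\Windows\NTDS"',
        'SYSVOLPath="C:\Windows\SYSVOL"',
        "SafeModeAdminPassword=$DsrmPassword",
        'RebootOnCompletion=No'     # we reboot ourselves, after the answer file is gone
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Install-FirstDomainController {
    param([string] $ForestFqdn = 'corp.example.com', [string] $NetbiosName = 'CORP')
    $dsrm = New-DsrmPassword
    # Record the DSRM password in your password vault now: it is the only credential that
    # works when AD DS is offline, and it is not stored anywhere else after promotion.
    Write-Host "DSRM password (store it securely before continuing): $dsrm"
    $answer = New-DcPromoAnswerFile -ForestFqdn $ForestFqdn -NetbiosName $NetbiosName -DsrmPassword $dsrm
    try {
        # Same work as the wizard; needs an elevated prompt and a static IP on the server.
        & dcpromo.exe /unattend:"$answer"
        $rc = $LASTEXITCODE
    } finally {
        # The answer file holds the DSRM password in clear text; remove it whatever happened.
        Remove-Item -Path $answer -Force -ErrorAction SilentlyContinue
    }
    # dcpromo exit codes 1-4 mean success (2 and 4 mean a reboot is required)
    if ($rc -ge 1 -and $rc -le 4) { Restart-Computer -Force } else { throw "dcpromo failed with exit code $rc" }
}

Install-FirstDomainController -ForestFqdn 'corp.example.com' -NetbiosName 'CORP'
```

The answer file is written, used and deleted inside one function so the clear-text DSRM password never outlives the promotion; the wizard's own export skips the password for the same reason.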

Setting Up an Additional Domain Controller (ADC) with Windows Server 2008

To set up an Additional Domain Controller, I will use the dcpromo.exe command.

1. To use the command, click on Start > Run > and then write dcpromo >

Click OK

2. The system checks whether the Active Directory Domain Services (AD DS) binaries are installed and installs them if they are not. They may already be present if you ran dcpromo previously and cancelled the operation after the binaries were installed.

3. The Active Directory Domain Services Installation Wizard will start. Either enable the checkbox beside Use advanced mode installation and click Next, or keep it unselected and click Next.

The following table lists the additional wizard pages that appear for each deployment configuration when you select the Use advanced mode installation check box.

Deployment configuration                                        | Advanced mode installation wizard pages
----------------------------------------------------------------|--------------------------------------------------------------------------
New forest                                                      | Domain NetBIOS name
New domain in an existing forest                                | Domain NetBIOS name; Source Domain Controller. On the Choose a Deployment Configuration page, the option to create a new domain tree also appears only in advanced mode installation.
Additional domain controller in an existing domain              | Install from Media; Source Domain Controller; Specify Password Replication Policy (for RODC installation only)
Create an account for a read-only domain controller (RODC)      | Specify Password Replication Policy
Attach a server to an account for an RODC installation          | Install from Media; Source Domain Controller

4. The Operating System Compatibility page will be displayed, take a moment

to read it and click Next

5. On the Choose a Deployment Configuration page, click Existing forest,

click Add a domain controller to an existing domain, and then click Next.

6. On the Network Credentials page, type your domain name. My domain name is elmajdal.net (the forest root domain created earlier), so I type elmajdal.net.

7. To set up an Additional Domain Controller you need an account that is a member of either the Enterprise Admins group or the Domain Admins group. There are two options:

My current logged on credentials (DomainName\Username or MachineName\Username)

Alternate credentials

If you have previously joined this server to the domain and are currently logged on with an Enterprise Admin or Domain Admin account, you can use the first option (My current logged on credentials). As you can see, this option is greyed out here, and the reason is given below it: I am logged on with a local user, because the machine is not a domain member. That leaves only the second option, Alternate credentials.

8. To enter the Alternate credentials, click Set. In the Windows Security dialog

box, enter the user name and password for an account that must be either a

member of the Enterprise Admins group or the Domain Admins group > then

click Next.

If you have entered a wrong username/password, you will receive the

following error message

9. On the Select a Domain page, select the domain for the Additional Domain Controller and click Next. Since I have only one domain, it is selected by default.

10. On the Select a Site page, either enable the checkbox beside Use the site that

corresponds to the IP address of this computer, this will install the domain

controller in the site that corresponds to its IP address, or select a site from the

list and then click Next. If you only have one domain controller and one site,

then you will have the first option grayed and the site will be selected by

default as shown in the following image

11. On the Additional Domain Controller Options page, By default, the DNS

Server and Global Catalog checkboxes are selected. You can also select your

additional domain controller to be a Read-only Domain Controller (RODC) by

selecting the checkbox beside it.

My primary domain controller is a DNS server as well, which can be verified from the additional information in the image below: there is currently 1 DNS server registered as an authoritative name server for this domain. I want my Additional DC to be a DNS server and a global catalog too, so I keep both checkboxes selected and click Next.

12. If you select the option to install DNS server in the previous step, then you

will receive a message that indicates a DNS delegation for the DNS server

could not be created and that you should manually create a DNS delegation to

the DNS server to ensure reliable name resolution. If you are installing an

additional domain controller in either the forest root domain (or a tree root

domain), you do not need to create the DNS delegation. In this case, you can

safely ignore the message and click Yes.

13. The Install from Media page (displayed only if you selected Use advanced mode installation on the Welcome page; if you did not, skip to step 15) lets you either replicate data over the network from an existing domain controller or specify the location of installation media (created with ntdsutil ifm) to be used to create the domain controller and configure AD DS. Note that IFM media contains a copy of the directory database, including password hashes, so protect it like a domain controller backup and destroy it once the promotion is done. I want to replicate data over the network, so I choose the first option and click Next.

14. On the Source Domain Controller page of the Active Directory Domain

Services Installation Wizard, you can select which domain controller will be

used as a source for data that must be replicated during installation, or you can

have the wizard select which domain controller will be used as the source for

this data. You have two options:

Let the wizard choose an appropriate domain controller

Use this specific domain controller

If you want to choose from the list, any domain controller can be the

installation partner. However, the following restrictions apply to the domain

controllers that can be used as an installation partner in other situations:

o A read-only domain controller (RODC) can never be an installation

partner.

o If you are installing an RODC, only a writable domain controller that

runs Windows Server 2008 can be an installation partner.

o If you are installing an additional domain controller for an existing

domain, only a domain controller for that domain can be an installation

partner.

15. Now you will have to specify the location where the domain controller

database, log files and SYSVOL are stored on the server.

The database stores information about the users, computers and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the Windows directory.

Either type or browse to the volume and folder where you want to store each,

or accept the defaults and click on Next

Note: Windows Server Backup backs up the directory service by volume. For

backup and recovery efficiency, store these files on separate volumes that do

not contain applications or other nondirectory files.

16. In the Directory Services Restore Mode Administrator Password (DSRM)

page, write a password and confirm it. This password is used when the domain

controller is started in Directory Services Restore Mode, which might be

because Active Directory Domain Services is not running, or for tasks that

must be performed offline.

The password must meet the password complexity requirements of the password policy, that is, a combination of uppercase and lowercase letters, numbers, and symbols; otherwise the wizard rejects it with an error message.

17. The Summary page lists all the settings you have chosen. It also offers to export them to an answer file to automate subsequent AD DS operations: if you want such a file, click Export settings and save it. Then click Next to begin the AD DS installation.

18. Active Directory Domain Services installation will be completed,

click Finish, then click on Restart Now to restart your server for the changes

to take effect.

Open Active Directory Users & Computers, and then click on the Domain

Controllers Organizational Unit, and you will see your Additional Domain

Controller along with your Primary Domain Controller.

Summary

Additional domain controllers improve the performance of authentication requests and

global catalog server lookups. They also help Active Directory Domain Services

(AD DS) overcome hardware, software, or administrator errors. When you add a

domain controller, information is replicated over the network.
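Seeing the new server listed under Domain Controllers only proves the object exists. The following is an added example, not part of the original report, of the checks to run on the additional domain controller after the reboot in step 18, using only tools present on a Windows Server 2008 DC (repadmin, dcdiag, nltest, nslookup). The domain name defaults to the one used in the walkthrough above and is otherwise an assumption.

```powershell
# Added example (not the report's own code). Run in an elevated prompt on the new DC.

function Get-ReplicationFailures {
    # Every inbound replication link of every DC, one CSV row each, with its failure count
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status'
}

function Get-DcServiceRecords {
    param([string] $Domain = 'elmajdal.net')
    # Netlogon registers these SRV records; a DC without them is invisible to clients,
    # and an unexpected extra host in them is worth investigating.
    $records = @("_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
    foreach ($rr in $records) {
        $hosts = nslookup -type=SRV $rr 2>&1 | ForEach-Object {
            if ("$_" -match 'svr hostname\s*=\s*(\S+)') { $matches[1] }
        }
        New-Object PSObject -Property @{ Record = $rr; Hosts = ($hosts -join ', ') }
    }
}

function Test-NewDomainController {
    param([string] $Domain = 'elmajdal.net')
    $failures = @(Get-ReplicationFailures)
    if ($failures.Count -gt 0) {
        Write-Warning "$($failures.Count) replication link(s) failing"
        $failures | Format-Table -AutoSize
    } else {
        Write-Host 'repadmin reports no inbound replication failures'
    }
    # Advertising: is this DC offering LDAP/Kerberos/GC, and are SYSVOL and NETLOGON shared?
    dcdiag /test:Advertising /test:SysVolCheck /test:Replications /q
    # Force a fresh DC locator query for a global catalog instead of using the cached DC
    nltest /dsgetdc:$Domain /gc /force
    Get-DcServiceRecords -Domain $Domain | Format-Table -AutoSize
    Get-WmiObject Win32_Share -Filter "Name='SYSVOL' OR Name='NETLOGON'" | Select-Object Name, Path
}

Test-NewDomainController -Domain 'elmajdal.net'
```

Until SYSVOL has replicated and the SRV records appear, the new DC will authenticate nobody and Group Policy will not apply from it, so run this before pointing clients at the server.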

Installing DHCP Server in Windows Server 2008

Installing the Windows Server 2008 DHCP Server is easy. DHCP Server is now a "role" of Windows Server 2008, not a Windows component as it was in the past.

To do this, you will need a Windows Server 2008 system already installed and

configured with a static IP address. You will need to know your network’s IP address

range, the range of IP addresses you will want to hand out to your PC clients, your

DNS server IP addresses, and your default gateway. Additionally, you will want to

have a plan for all subnets involved, what scopes you will want to define, and what

exclusions you will want to create.

To start the DHCP installation process, click Add Roles from the Initial Configuration Tasks window or from Server Manager > Roles > Add Roles.

Figure 1: Adding a new Role in Windows Server 2008

When the Add Roles Wizard comes up, you can click Next on that screen.

Next, select that you want to add the DHCP Server Role, and click Next.

Figure 2: Selecting the DHCP Server Role

If you do not have a static IP address assigned on your server, you will get a warning

that you should not install DHCP with a dynamic IP address.

At this point, you will begin being prompted for IP network information, scope

information, and DNS information. If you only want to install DHCP server with no

configured scopes or settings, you can just click Next through these questions and

proceed with the installation. On the other hand, you can optionally configure your

DHCP Server during this part of the installation. In my case, I chose to take this

opportunity to configure some basic IP settings and configure my first DHCP Scope. I

was shown my network connection binding and asked to verify it, like this:

Figure 3: Network connection binding

What the wizard is asking is, “what interface do you want to provide DHCP services

on?” I took the default and clicked Next.

Next, I entered my Parent Domain, Primary DNS Server, and Alternate DNS

Server (as you see below) and clicked Next.

Figure 4: Entering domain and DNS information

I opted NOT to use WINS on my network and I clicked Next.

Then I was prompted to configure a DHCP scope for the new DHCP Server. I opted to configure an IP address range of 192.168.1.50-192.168.1.100 to cover the 25+ PC clients on my local network. To do this, I clicked Add to add a new scope. As you see below, I named the scope bhel, configured the starting and ending IP addresses of 192.168.1.50-192.168.1.100, a subnet mask of 255.255.255.0, a default gateway of 192.168.1.1, the type of subnet (wired), and activated the scope.

Figure 5: Adding a new DHCP Scope

Back in the Add Scope screen, I clicked Next to add the new scope (once the DHCP

Server is installed).

I chose to Disable DHCPv6 stateless mode for this server and clicked Next.

Then, I confirmed my DHCP Installation Selections (on the screen below) and

clicked Install.

Figure 6: Confirm Installation Selections

After only a few seconds, the DHCP Server was installed and I saw the window,

below:

Figure 7: Windows Server 2008 DHCP Server Installation succeeded

I clicked Close to close the installer window, then moved on to how to manage my

new DHCP Server.

How to Manage your new Windows Server 2008 DHCP Server

Like the installation, managing Windows Server 2008 DHCP Server is also easy.

Back in the Windows Server 2008 Server Manager, under Roles, I clicked on the new DHCP Server entry.

Figure 8: DHCP Server management in Server Manager

While I cannot manage the DHCP Server scopes and clients from here, what I can do

is to manage what events, services, and resources are related to the DHCP Server

installation. Thus, this is a good place to go to check the status of the DHCP Server

and what events have happened around it.

However, to really configure the DHCP Server and see what clients have obtained IP addresses, I need to go to the DHCP Server MMC. To do this, I went to Start > Administrative Tools > DHCP, like this:

Figure 9: Starting the DHCP Server MMC

When expanded out, the MMC offers a lot of features. Here is what it looks like:

Figure 10: The Windows Server 2008 DHCP Server MMC

The DHCP Server MMC offers IPv4 & IPv6 DHCP Server info including all scopes,

pools, leases, reservations, scope options, and server options.

If I go into the address pool and the scope options, I can see that the configuration we

made when we installed the DHCP Server did, indeed, work. The scope IP address

range is there, and so are the DNS Server & default gateway.

Figure 11: DHCP Server Address Pool

So how do we know that this really works if we do not test it? The answer is that we

do not. Now, let’s test to make sure it works.

How do we test our Windows Server 2008 DHCP Server?

To test this, I have a Windows Vista PC Client on the same network segment as the

Windows Server 2008 DHCP server. To be safe, I have no other devices on this

network segment.

I did an IPCONFIG /RELEASE then an IPCONFIG /RENEW and verified that I

received an IP address from the new DHCP server, as you can see below:

Figure 13: Vista client received IP address from new DHCP Server

Also, I went to my Windows 2008 Server and verified that the new Vista client was

listed as a client on the DHCP server. This did indeed check out, as you can see

below:

Figure 14: Win 2008 DHCP Server has the Vista client listed under Address Leases

With that, I knew that I had a working configuration, and we are done.
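The scope from Figure 5 can also be created and checked from the command line. The following is an added example, not from the original report or the article it follows, using netsh dhcp (the scriptable interface on Windows Server 2008). It also performs the Active Directory authorization step that the wizard does silently for a domain-joined server, and replaces the click-through check of Figures 13 and 14 with a lease listing and a client-side test. The server name, DNS server address, parent domain and exclusion range are assumptions.

```powershell
# Added example (not the report's own code). Assumed: DC/DNS at 192.168.1.10, domain bhel.local.

function New-BhelScope {
    param(
        [string] $ScopeId   = '192.168.1.0',
        [string] $Mask      = '255.255.255.0',
        [string] $Name      = 'bhel',
        [string] $Start     = '192.168.1.50',
        [string] $End       = '192.168.1.100',
        [string] $Gateway   = '192.168.1.1',
        [string] $DnsServer = '192.168.1.10',   # assumed address of the DC running DNS
        [string] $DnsDomain = 'bhel.local'      # assumed parent domain from Figure 4
    )
    netsh dhcp server add scope $ScopeId $Mask $Name 'Wired clients'
    netsh dhcp server scope $ScopeId add iprange $Start $End
    # Exclusion inside the range for statically addressed devices (assumed .50-.54)
    netsh dhcp server scope $ScopeId add excluderange 192.168.1.50 192.168.1.54
    netsh dhcp server scope $ScopeId set optionvalue 003 IPADDRESS $Gateway    # router
    netsh dhcp server scope $ScopeId set optionvalue 006 IPADDRESS $DnsServer  # DNS servers
    netsh dhcp server scope $ScopeId set optionvalue 015 STRING $DnsDomain     # DNS domain name
    netsh dhcp server scope $ScopeId set state 1                               # 1 = active
}

function Grant-DhcpAuthorization {
    param([string] $ServerFqdn = 'dc1.bhel.local', [string] $ServerIp = '192.168.1.10')
    # In an AD domain the DHCP service will not lease addresses until the server is
    # authorized in the directory; this is what stops a rogue Windows DHCP server on a
    # domain network. Needs Enterprise Admins credentials.
    netsh dhcp add server $ServerFqdn $ServerIp
    netsh dhcp show server
}

function Get-ScopeLeases {
    param([string] $ScopeId = '192.168.1.0')
    # Equivalent of the Address Leases view in Figure 14; the trailing "1" adds hostnames
    netsh dhcp server scope $ScopeId show clients 1 | ForEach-Object {
        if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+-\s+\S+\s+-\s+([0-9a-fA-F-]+)') {
            New-Object PSObject -Property @{ IP = $matches[1]; MAC = $matches[2]; Line = $_.Trim() }
        }
    }
}

function Test-LeaseFromExpectedServer {
    param([string] $ExpectedServer = '192.168.1.10')
    # Run on the client: same as the IPCONFIG /RELEASE and /RENEW above, then confirm
    # which server answered. A different address means a second (possibly rogue) DHCP server.
    ipconfig /release | Out-Null
    ipconfig /renew   | Out-Null
    $line   = (ipconfig /all | Select-String 'DHCP Server' | Select-Object -First 1).Line
    $server = ($line -replace '.*:\s*', '').Trim()
    if ($server -eq $ExpectedServer) { return "Lease obtained from $server" }
    Write-Warning "Lease came from '$server', expected $ExpectedServer"
}

New-BhelScope
Grant-DhcpAuthorization
Get-ScopeLeases | Format-Table IP, MAC -AutoSize
```

Run Test-LeaseFromExpectedServer on the Vista client rather than on the server; if the reported DHCP server is not the one you just built, something else on the segment is answering DISCOVER first.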

Install and configure DNS Server in Windows Server 2008

Launch Server Manager by clicking Start > Administrative Tools > Server Manager. Click Roles and then Add Roles.

Select DNS Server from the list and then click Next button.

A little introduction to DNS Server and a few useful links for further details as

shown in below image. Click Next to move on.

Click Install button.

DNS Server has been installed successfully as per below snapshot. Click Close to

finish the Add Roles Wizard.

Creating Forward Lookup Zone

Launch DNS Manager by clicking Start > Administrative Tools > DNS or type

dnsmgmt.msc in Run window (Press Windows Key + R) and press Enter.

Expand the server (e.g. WIN2008), right-click Forward Lookup Zones and choose New Zone, which launches the New Zone wizard.

Click Next on Welcome to the New Zone wizard.

Since this is our primary DNS Server for the zone select Primary zone. Then

move on by clicking Next button.

Enter the domain name for which you want to create the zone for e.g.

gopalthorve.com. Say you want to build up DNS Server for your own Windows

Server 2008 based hosting server then enter your registered domain name here

otherwise if it is for intranet only it can be anything (domain naming conventions

must be followed). The zone can also be created for subdomain e.g.

us.gopalthorve.com.

Zone File Options:

Create a new file with this file name: Enter the physical zone file name where

all zone information will be stored for this domain/subdomain. This file will be

created under %systemroot%\system32\dns. Follow standard zone file naming

convention e.g. gopalthorve.com.dns.

Use this existing file: If you already have a zone file for this domain/subdomain

then select this option and specify zone file name here. You need to put this

zone file under %systemroot%\system32\dns folder

Dynamic Update: Here you can specify if this DNS zone will accept secure,

nonsecure or no dynamic updates from client.

Allow only secure dynamic updates (recommended for Active Directory): This is available only for Active Directory-integrated zones. Clients must authenticate (Kerberos, via GSS-TSIG) before they can register or change a record, and by default a record can be modified only by the account that created it, so Active Directory client machines can register their own names as resource records pointing to their dynamic or static IP addresses without being able to overwrite anyone else's.

Allow both nonsecure and secure dynamic updates: This should not be enabled, because any host that can reach the server, authenticated or not, can add or overwrite any record in the zone, including the names of your servers, and redirect their traffic.

Do not allow dynamic updates: This should be the preferred setting if you are setting up this zone for your own hosting server. It denies dynamic updates to zone resource records from all clients, and you will need to change them manually whenever required. We will choose this option and then move on.

Forward lookup zone has been created successfully for gopalthorve.com and

shows the summary as in below image. Click Finish to close the New Zone Wizard.

Configure Forward Lookup Zone

Right click on gopalthorve.com (forward lookup zone recently created) and then

click Properties.

Name Servers: Here we can configure nameservers for the zone gopalthorve.com.

Remove the default entry from the list.

Click Add… button to add new nameserver record.

Type the fully qualified domain name (FQDN) of the nameserver for your domain. I am configuring my own live DNS Server and hence I entered ns1.gopalthorve.com.

Enter the IP addresses to which ns1.gopalthorve.com will resolve to. I am

entering private IP address of my computer here for example purpose only.

Please replace it by your Public IP Address allotted by your ISP or dedicated or

VPS hosting provider.

Similarly create another nameserver record. I created it as ns2.gopalthorve.com

pointing to 192.168.0.99 (Please replace it by your Public IP Address allotted by

your ISP or dedicated or VPS hosting provider.). Second nameserver record is

required because your domain name registrar will require atleast two

nameservers for pointing your domain to the DNS server we are configuring.

We are configuring both nameservers pointing to the same DNS Server

configured with multiple IP Addresses. (ns1.gopalthorve.com >> 192.168.0.98

and ns2.gopalthorve.com >> 192.168.0.99).

Click Apply to save changes.

Start of Authority (SOA)

Serial number: This is the serial number for the zone. A common convention is YYYYMMDDNN, where YYYY is the year, MM the month, DD the day and NN a counter indicating how many times the zone was modified on that day. Whenever the zone data changes this serial number must be increased. When a slave nameserver contacts the master for zone data it compares its own serial number with the master's, and if the master's is newer (the comparison uses serial-number arithmetic, so the value wraps at 2^32 rather than growing forever) the slave updates its zone data from the master. If you edit the zone and forget to increase the serial, the slaves keep serving the old data.

Primary server: This is the FQDN of nameserver which you want to set as

primary nameserver for this zone. In my case its ns1.gopalthorve.com.

Responsible person: Specify the email address of the administrator who is

responsible for maintaining this zone. Here email address must be specified in

dotted format e.g. [email protected] must be specified as

hostmaster.gopalthorve.com. This is required when other webmasters wants to

contact the maintainer of the zone in case of any issues.

Refresh interval: This value tells the slave nameserver how often to check that its data for this zone is up to date. Set this to 1 day if the zone does not change frequently; for a hosting DNS server, 1 day is ideal.

Retry interval: If the slave nameserver fails to reach the master at the Refresh interval (because the master is down or unreachable), it retries at this interval. The Retry interval is generally shorter than the Refresh interval, but that is not compulsory. Enter 2 hours here.

Expires after: If the slave fails to reach the master for this long, it expires the zone, meaning it stops answering queries for the zone because the data it holds is too old to trust. Enter 7 days here.

Minimum (default) TTL: TTL stands for Time To Live. This value sets how long resolvers may cache negative responses (NXDOMAIN) from the authoritative nameservers, and on Windows it is also the default TTL for new records in the zone. Enter 1 day here.

TTL for this record: TTL for SOA record.

Click Apply to save changes.

Zone Transfers: A zone transfer (AXFR) sends the entire zone to the requesting server. It exists so that slave nameservers can copy the zone, but a server that answers AXFR for anyone hands out a complete inventory of your hosts and addresses, which is exactly the reconnaissance an attacker wants. The best practice is to allow transfers only to specific servers, i.e. the slave nameservers for the zone. You can also have the server notify those servers whenever the zone is updated.

Allow zone transfers: Enables/disables zone transfers.

To any server: All server/clients will be allowed to transfer zones. Not

recommended.

Only to servers listed on the Name Servers tab: Zone transfers will only be

allowed to the nameservers specified under Name Servers tab

(ns1.gopalthorve.com, ns2.gopalthorve.com). Highly recommended for DNS

Servers for web hosting servers.

Only to the following servers: If you want to enter IP/FQDN to which zone

transfers will be allowed select this option and then click on Edit button and

list all IP/FQDN allowed for zone transfers.

Notify…:

Automatically notify: Enables/disables automatic notification of zone

changes to either nameserver listed on Nameservers tab or specified IP

addresses/FQDN names.

Servers listed on the Name Servers tab: Zone update notifications will only be sent to the nameservers listed under the Name Servers tab. This is the recommended setting.

The following servers: You can specify list of other name servers to whom

you want to send automatic notification of zone updates.
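The zone built through the GUI above can be reproduced with dnscmd.exe, which is installed with the DNS Server role on Windows Server 2008. The following is an added example, not part of the original report or the gopalthorve.com walkthrough it follows; it covers the New Zone wizard, the Name Servers tab, the SOA tab and the Zone Transfers tab in one script so that the three security-relevant choices (no dynamic updates, transfers only to the listed secondary, NOTIFY only to that secondary) are explicit and auditable. The addresses are the private examples from the text, the SOA timers are the values recommended above, and the serial is computed from today's date.

```powershell
# Added example (not the report's own code). In the walkthrough ns2 is a second address on
# the same host; in production replace $NsAddrs[1] with the real secondary's address.

function Get-NextZoneSerial {
    param([int64] $Current, [datetime] $Today = (Get-Date))
    # YYYYMMDDNN from the SOA section: the date plus a two-digit change counter. The
    # result must always be larger than $Current or secondaries will not pull the zone.
    $base = [int64]('{0:yyyyMMdd}00' -f $Today)
    if ($Current -lt $base)      { return $base + 1 }    # first change today
    if ($Current -lt $base + 99) { return $Current + 1 } # another change today
    throw "Serial $Current is at NN=99 or dated in the future; it no longer fits YYYYMMDDNN"
}

function New-HostedZone {
    param(
        [string]   $Zone    = 'gopalthorve.com',
        [string[]] $NsHosts = @('ns1', 'ns2'),
        [string[]] $NsAddrs = @('192.168.0.98', '192.168.0.99'),
        [string]   $Contact = 'hostmaster'
    )
    # Standard primary zone stored in %systemroot%\system32\dns\<zone>.dns
    dnscmd /ZoneAdd $Zone /Primary /file "$Zone.dns"
    # "Do not allow dynamic updates" (0); 2 would be secure-only, 1 both secure and nonsecure
    dnscmd /Config $Zone /AllowUpdate 0
    # ZoneAdd seeds an NS record for this server itself; drop it (the "default entry" above)
    $self = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    dnscmd /RecordDelete $Zone '@' NS $self /f
    for ($i = 0; $i -lt $NsHosts.Count; $i++) {
        dnscmd /RecordAdd $Zone $NsHosts[$i] A $NsAddrs[$i]          # glue A record
        dnscmd /RecordAdd $Zone '@' NS "$($NsHosts[$i]).$Zone"       # NS record
    }
    # SOA: primary, responsible mailbox in dotted form, serial, refresh, retry, expire, min TTL
    $serial = Get-NextZoneSerial -Current 0
    dnscmd /RecordAdd $Zone '@' SOA "$($NsHosts[0]).$Zone" "$Contact.$Zone" $serial 86400 7200 604800 86400
    # Zone transfers and NOTIFY only to the secondary's address; every other AXFR is refused
    dnscmd /ZoneResetSecondaries $Zone /SecureList $NsAddrs[1] /NotifyList $NsAddrs[1]
}

function Show-ZoneSecuritySettings {
    param([string] $Zone = 'gopalthorve.com')
    # The lines worth auditing from /ZoneInfo: update mode, secure secondaries, notify list
    dnscmd /ZoneInfo $Zone | Select-String -Pattern 'update|secure secs|secondar|notify'
}

New-HostedZone
Show-ZoneSecuritySettings
```

When you change records later, read the current serial from the SOA, pass it to Get-NextZoneSerial and write the result back; the function refuses to produce a value that would not sort after the current one.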

Configure DNS Server Properties

Open DNS Manager by clicking Start > Administrative Tools > DNS.

Right Click on the DNS Server for which you want to configure Properties for and

click Properties.

Interfaces: You can configure DNS Server to listen on specific interfaces/IP

Addresses or all IP addresses. If the server has multiple interfaces then you can

configure DNS Server to listen on specific interface. If the server is having only

single interface with multiple IP addresses configured then you can configure it to

listen on specific IP addresses. By default it is configured to listen on all interfaces

and all IP addresses.

Forwarders: You can add other DNS servers, for example those provided by your ISP, to which queries are forwarded when this server does not hold the zone for the requested domain. Forwarder addresses are only used when recursion is enabled. Forwarders are needed when you have an intranet or extranet DNS server serving a few zones and want the same server to resolve other DNS queries too.

Advanced: You can configure some advanced aspects of the DNS Server here. A very important option is Disable recursion (also disables forwarders). If you are setting up this DNS server to serve zones for domains hosted on your own server (dedicated server, VPS or cloud VPS), enable Disable recursion; the server will then answer only for the zones it hosts. Left enabled on an Internet-facing server, recursion turns it into an open resolver that anyone can use for DNS amplification attacks and whose cache can be poisoned.

Root Hints: This is the list of root name servers.

Debug Logging: For debugging purpose the debug logs can be enabled from here.

Event Logging: Logging of DNS Server events can be enabled here for troubleshooting.

The DNS Server listens on TCP and UDP port 53, so make sure Windows Firewall allows traffic on these ports. If the DNS server sits behind a router or firewall device, configure that device to allow connections to the DNS server as well. Open these ports towards the Internet only for an authoritative server with recursion disabled; a recursive resolver should be reachable from the internal network only.
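The settings above, applied from the command line instead of the DNS Manager tabs, followed by a check that the server really refuses recursion. This is an added example and not part of the report: it uses dnscmd.exe and netsh, which ship with Windows Server 2008 R2 (on Windows Server 2012 and later the DnsServer module's Set-DnsServerRecursion and Set-DnsServerForwarder cover the same settings), and it ends with a raw UDP query that reads the RA (recursion available) bit of the reply. The listen address 192.168.0.98 is taken from the report; the forwarder addresses 203.0.113.53 and 203.0.113.54, the test name www.example.com and the function name Test-DnsRecursion are placeholders chosen here.

```powershell
# Added example, not from the report. Run from an elevated PowerShell prompt on the DNS server.
# Assumed values: listen address from the report; the forwarders are documentation addresses (placeholders).
$ListenAddress     = '192.168.0.98'
$Forwarders        = @('203.0.113.53', '203.0.113.54')
$AuthoritativeOnly = $true   # $true = the "Disable recursion (also disables forwarders)" checkbox

# Interfaces tab: answer only on the address that should receive DNS traffic.
dnscmd /ResetListenAddresses $ListenAddress

if ($AuthoritativeOnly) {
    # Advanced tab: refuse recursive lookups, so only the hosted zones are served.
    dnscmd /Config /NoRecursion 1
} else {
    # Forwarders tab: send off-zone queries to the ISP resolvers (3-second timeout);
    # forwarders have no effect unless recursion stays enabled.
    dnscmd /Config /NoRecursion 0
    dnscmd /ResetForwarders $Forwarders /Timeout 3
}

# Windows Firewall: UDP 53 for ordinary queries, TCP 53 for zone transfers and large answers.
netsh advfirewall firewall add rule name="DNS Server (UDP-In)" dir=in action=allow protocol=UDP localport=53
netsh advfirewall firewall add rule name="DNS Server (TCP-In)" dir=in action=allow protocol=TCP localport=53

# Read the effective recursion setting back (1 = recursion disabled).
dnscmd /Info NoRecursion

function Test-DnsRecursion {
    # Sends one A query with the RD (recursion desired) bit set for a name this server does
    # not host and reports the RA (recursion available) bit of the reply (RFC 1035 header).
    param([string]$Server, [string]$Name = 'www.example.com', [int]$TimeoutMs = 3000)

    $id     = Get-Random -Minimum 1 -Maximum 65535
    # ID, flags 0x0100 (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    $header = [byte[]](($id -shr 8), ($id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0)
    $qname  = @()
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $qname += [byte]$label.Length
        $qname += [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    $packet = [byte[]]($header + $qname + @(0, 0, 1, 0, 1))   # root label, QTYPE=A, QCLASS=IN

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($packet, $packet.Length, $Server, 53)
        $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $reply  = $udp.Receive([ref]$remote)
    } finally {
        $udp.Close()
    }
    if ($reply.Length -lt 12) { throw "Short DNS reply from $Server" }

    [pscustomobject]@{
        Server             = $Server
        RecursionAvailable = [bool]($reply[3] -band 0x80)        # RA bit
        RCode              = $reply[3] -band 0x0F                # 0 = NOERROR, 5 = REFUSED
        AnswerCount        = ($reply[6] -shl 8) -bor $reply[7]   # ANCOUNT
    }
}

# An authoritative-only server must report RecursionAvailable = False for a name it does not host.
Test-DnsRecursion -Server $ListenAddress
```

Run Test-DnsRecursion again from a host outside the server's network before publishing the name servers: a reply with RecursionAvailable = True (and an answer record for the foreign name) means the server is an open resolver regardless of what the Advanced tab shows locally.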


Register Name Servers at Domain Name Registrar

If you have a registered domain name and want to host DNS for it on the DNS server you have just configured, you must create child name servers (also called host records or glue records) for the domain at your domain name registrar. If you have administrative control of the domain you can do this yourself through the registrar's control panel; otherwise ask the registrar to do it for you. Create the child name servers like this:

ns1.gopalthorve.com >> 192.168.0.98

ns2.gopalthorve.com >> 192.168.0.99

Replace the private IP addresses shown with the public IP addresses on which the DNS server listens; glue records that point at private (RFC 1918) addresses cannot be reached from the Internet.

Update Name Servers at Domain Name Registrar

After creating the child name servers you have to update the name servers for your domain at the domain name registrar, either yourself or through the registrar, as above. Update the name servers as below:

Name Server 1: ns1.gopalthorve.com

Name Server 2: ns2.gopalthorve.com
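Once the glue records and name servers are registered, the delegation can be checked from a client with Resolve-DnsName (available on Windows 8 / Windows Server 2012 and later, so the report's Windows 8.1 client qualifies). This is an added example and not the report's own code: it reads the NS set for the domain from the public DNS tree, flags any name server whose glue points at private address space, and asks each name server directly, with recursion off, for the zone's SOA so that the serial numbers can be compared. The domain gopalthorve.com is the one used in the report; Test-ZoneDelegation is a name chosen here. Resolve-DnsName does not expose the AA flag, so "Answers" records only that the server returned an SOA for the zone.

```powershell
# Added example, not from the report. Requires Resolve-DnsName (Windows 8 / Server 2012 or later).
function Test-ZoneDelegation {
    param([string]$Domain = 'gopalthorve.com')   # domain from the report; substitute your own

    # NS records for the domain, taken from the DNS tree rather than the local cache.
    $nsRecords = Resolve-DnsName -Name $Domain -Type NS -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'NS' }

    foreach ($ns in $nsRecords) {
        $nsName    = $ns.NameHost
        $addresses = Resolve-DnsName -Name $nsName -Type A -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress

        if (-not $addresses) {
            # No glue / A record: the name server cannot be found at all.
            [pscustomobject]@{ NameServer = $nsName; Address = $null; PrivateIP = $null; Answers = $false; Serial = $null }
            continue
        }
        foreach ($ip in $addresses) {
            # Glue in RFC 1918 space (as in the sample addresses above) is unreachable from the Internet.
            $private = $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'

            # Ask the name server itself with recursion off: a server that is not authoritative
            # for the zone has no SOA to return (unless it happens to have it cached).
            $soa = Resolve-DnsName -Name $Domain -Type SOA -Server $ip -NoRecursion -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1

            [pscustomobject]@{
                NameServer = $nsName
                Address    = $ip
                PrivateIP  = $private
                Answers    = [bool]$soa
                Serial     = $(if ($soa) { $soa.SerialNumber } else { $null })
            }
        }
    }
}

# Every name server should answer from a public address with the same serial;
# differing serials mean zone transfers between ns1 and ns2 are not keeping up.
Test-ZoneDelegation -Domain 'gopalthorve.com' | Format-Table -AutoSize
```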


System Specification

System specification refers to the specification of the server and client on which we configured and managed AD DS, DHCP and DNS Server.

Server System Specification:

Hard Disk: 200 GB

RAM: 4 GB

OS: Windows Server 2008 R2 x86

Processor: Intel Core i5-2400 CPU @ 3.10 GHz

Client System Specification:

Hard Disk: 500 GB

RAM: 4 GB

OS: Windows 8.1 x64

Processor: Intel Core i3-4005U CPU @ 1.70GHz

Conclusion

This training has been an excellent and rewarding experience. One main thing that I have learnt through this training is time management skills as well as self-motivation. From this training I have learnt how to complete a project within a stipulated time period.

The objectives behind this internship were:

To gain exposure to an actual working environment in an organisation

To understand the web development procedure

To understand the vulnerabilities that may exist in a web application and the procedure to get rid of them

To be comfortable with Apache Tomcat, SQL, JSP and HTML/CSS.

To be familiar with networking setup and the server environment
