Showing posts with label WindowsServer. Show all posts

Monday, July 18, 2011

How to Configure a Windows 2008 Child Domain in a Windows 2003 Domain Environment

This guide assumes that you have already configured a Windows 2003 domain and just want to add a Windows 2008 child domain. To do so, follow the steps below.
1. Raise functional level
The following steps raise the functional level on your Windows 2003 domain machine.
1. On the Windows 2003 domain machine, go to Start and select “Administrative Tools” > “Active Directory Domains and Trusts”.

2. When the “Active Directory Domains and Trusts” window appears, right-click the domain where the child domain will be added and select “Raise domain functional level”.
3. Select the “Windows Server 2003” domain functional level and click the “Raise” button.
4. Click the “OK” button in the warning message box.
5. Click the “OK” button in the information message box.
2. Run Adprep /forestprep to prepare the schema
The following steps update the schema from schema31.ldf to schema47.ldf on your Windows 2003 domain machine.
1. Load the “Windows 2008” installer CD.
2. Open the CD and open the “Support” folder it contains.
3. Copy the “adprep” folder from the “Support” folder to C:\


4. Go to Start and run cmd.
5. When the cmd window opens, enter the command “cd C:\adprep”.
6. Once the directory has changed, enter the command “adprep32 /forestprep”.
7. Type “C” and press Enter after the ADPREP WARNING message appears.
8. Wait until the message “Adprep successfully updated” appears.
9. Enter the command “adprep32 /domainprep /gpprep”.
10. Wait until the message “Group policy object (GPO) has been updated” appears.
3. Run DCPROMO
Once all the previous steps have been completed, the Windows 2008 machine is ready to be configured as a child domain. To configure the machine, follow the steps below.
1. Go to Start and run “dcpromo” (if this is the first time you run dcpromo on the Windows 2008 machine, wait while Active Directory is installed).
2. Check the “Use advanced mode installation” option in the welcome window of the configuration wizard and click Next in the following window.
3. Select the options “Existing forest” and “Create a new domain in an existing forest”, then click the “Next” button.

4. Enter the name of the domain where the child domain will be added, set the correct credentials, and click the “Next” button.
5. Enter the FQDN of the parent domain and the child domain name, then click the “Next” button.
6. Wait while the wizard examines and validates Active Directory (no error message should appear at this point).
7. Click Next in the window where the NetBIOS name for the child domain has been generated.
8. Change the domain functional level to “Windows 2003” and click Next.
9. Select the “Default Site name” and click Next.
10. Uncheck the DNS option and click Next.
11. Click “Yes” in the warning message box.

12. Click Next in the “Source domain controller” window.
13. Click Next in the window for the location of the log files and Active Directory.
14. Set the credentials for Restore Mode and click Next.
15. Review the selections and click Next in the summary window.
16. Wait until all the components have been installed.
17. Click Finish in the completing installation window.
18. The child domain has been created successfully. Restart the machine and you are done!

How to configure IPSec on Windows 2008 - Example and detailed steps

Some people have asked me how to use IPSec with Windows 2008. IPSec has changed a little compared to Windows 2003 and XP, since we now manage it from another console (plus the Windows Advanced Firewall). To begin, let’s say that you have Machine "A" and want to use IPSec for the communication on port 3389. We will use the ‘non recommended procedure’, but the good thing is that you can configure it very quickly and test it in your non-production environment. So let’s begin:

1. Create an IPsec Negotiation policy on Computer "A"
1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.
2. Right-click the IP Security Policies on Local Computer node, and then click Create IP Security Policy.
3. On the Welcome screen of the IP Security Policy Wizard, click Next.
4. In the Name box, type Secure3389. In the Description field, type Policy to encrypt SMB, and then click Next.
5. If your environment will NOT contain machines earlier than Windows Vista, ensure that Activate the default response rule is not selected, click Next, and go to step 7.
6. In the Default Response Rule Authentication Method, choose the option Use this string to protect the key exchange (preshared key): and type $ecrET
7. In the Completing the IP Security Policy Wizard dialog box, ensure that Edit properties is selected, and then click Finish.
8. In the Secure3389 Properties dialog box, click Add.
9. In the Welcome to the Create IP Security Rule Wizard, click Next.
10. In the Tunnel EndPoint dialog box, click This rule does not specify a tunnel. Click Next.
11. In the Network Type dialog box, click All network connections, and then click Next.
12. In the IP Filter List dialog box, click Add.
13. A new dialog box called IP Filter List appears. Type Secure3389TCP, and then click Add.
14. On the Welcome screen of the IP Filter Wizard, click Next.
15. In the Description text box, type 3389 IPsec Filter. Click Next.
16. In the IP Traffic Source dialog box, click Any IP Address, and then click Next.
17. In the IP Traffic Destination dialog box, click Any IP Address, and then click Next.
18. In the IP Protocol Type dialog box, click TCP in the drop-down list, and then click Next.
19. In the Protocol Port dialog box, select From this port, type 3389 in the text box, select To Any port, and then click Next.
20. On the Completing the IP Filter Wizard screen, click Finish, and then click OK.
21. In the IP Filter list, select Secure3389TCP, and then click Next.
22. In the Filter Action dialog box, click Add.
23. In the Filter Action Wizard dialog box, click Next.
24. In the Filter Action Name dialog box, type Secure3389Filter, and then click Next.
25. In the Filter Action General Options dialog box, select Negotiate Security, and then click Next.
26. In the Communicating with computers that do not support IPsec dialog box, select Do not allow unsecured communications, and then click Next.
27. In the IP Traffic Security dialog box, select Integrity and encryption, and then click Next.
28. On the Completing the IP Security Filter Action Wizard screen, click Finish.
29. In the Filter Action dialog box, select Secure3389Filter, and then click Next.
30. In the Authentication Method dialog box, select Use this string to protect the key exchange (preshared key), type $ecrET and then click Next.
31. On the Completing the Security Rule Wizard screen, click Finish.
32. In the Secure3389 Properties dialog box, click OK.
Task 2: Assign the Policy
The policy you have created is not active until you assign it. To do so:
1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.
2. Go to the IP Security Policies on Local Computer node, and in the right pane right-click the Secure3389 policy and select Assign.
You are done! You have configured IPSec for port 3389. Now let’s see how to configure the clients so that they are able to communicate.
Windows Vista or Machine "B"
On a Windows Vista client, the process is similar to the one presented above, so you can execute steps 1 through 32 and you will then be able to connect. Alternatively, you can export the policy from Windows 2008 and import it on Windows Vista with this procedure:
1. In the Local Security Policy Microsoft Management Console (MMC) console, right-click IP Security Policies on Local Computer, click All Tasks, and then click Export Policies.
2. In the Save As dialog box, type C:\IPSecPolicy\IPsecurityPolicy3389.ipsec, and then click Save (and then save that ipsec policy file on a USB key).
Import the security policy to the Windows Vista machine (Machine "B"):
1. On the Windows Vista machine, open the local security policy. To do this, click Start, click the Start Search box, and then type: gpedit.msc.
2. Navigate to Computer Configuration > Windows Settings > IP Security Policies on Local Computer.
3. Right-click IP Security Policies on Local Computer, click All Tasks, and then click Import Policies.
4. It is a good idea to read the IP Security Import warning; after that, click Yes.
5. In the Open dialog box, navigate to the USB key (where you should have the file), and then double-click IPsecurityPolicy3389.ipsec.
We are finished! Of course, if you have access to the file over a LAN, you can share it in a directory and copy it more easily.
Now you can try it, and have the 3389 communication protected under IPSec!
Another matter is enforcement. For that, you need to use the Advanced Windows Firewall and configure a Security Association with this procedure:
Configure a Security Association rule in the Windows Firewall with Advanced Security MMC
1. On Computer "A", click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.
2. Select and then right-click Connection Security Rules, and then click New Rule.
3. In the New Connection Security Rule Wizard, select Server-to-server, and then click Next.
4. In the Endpoints dialog box, select Any IP Address for both options, and then click Next.
5. In the Requirements dialog box, select Require authentication for inbound and outbound connections, and then click Next.
6. In the Authentication Method dialog box, select PreShared key, type $ecrET in the text box, and then click Next.
7. On the Profile page, verify that the Domain, Private, and Public options are selected, and then click Next.
8. In the Name box, type SecureServerAuthenticationRule, and then click Finish.
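
The wizard steps above (policy, assignment, and connection security rule) can also be scripted with netsh. This is an added example, not part of the original post; the rule name Secure3389Rule and the ESP[3DES,SHA1] setting are assumptions, and the preshared key is the one used in the walkthrough.

```bat
@echo off
rem Added example (not from the original post): netsh equivalent of the wizard steps.
rem Run from an elevated prompt on Computer "A", in a non-production environment.
setlocal

rem Preshared key from the walkthrough. A preshared key is stored in clear text
rem in the policy, so replace it and restrict who can read the policy.
set "PSK=$ecrET"

rem Task 1, steps 2-7: policy without the default response rule, not yet assigned
netsh ipsec static add policy name="Secure3389" description="Policy to encrypt SMB" activatedefaultrule=no assign=no
if errorlevel 1 goto :fail

rem Steps 12-20: filter list, TCP from port 3389 to any port (dstport=0), any to any
netsh ipsec static add filterlist name="Secure3389TCP"
netsh ipsec static add filter filterlist="Secure3389TCP" srcaddr=any dstaddr=any protocol=TCP srcport=3389 dstport=0 mirrored=yes description="3389 IPsec Filter"
if errorlevel 1 goto :fail

rem Steps 22-28: negotiate security, no fallback to clear text (soft=no, inpass=no).
rem ESP[3DES,SHA1] is an assumed mapping of "Integrity and encryption".
netsh ipsec static add filteraction name="Secure3389Filter" action=negotiate soft=no inpass=no qmsecmethods="ESP[3DES,SHA1]"
if errorlevel 1 goto :fail

rem Steps 8-11 and 29-31: rule tying filter list, filter action and PSK together.
rem The rule name Secure3389Rule is hypothetical; the wizard does not ask for one.
netsh ipsec static add rule name="Secure3389Rule" policy="Secure3389" filterlist="Secure3389TCP" filteraction="Secure3389Filter" conntype=all activate=yes psk="%PSK%"
if errorlevel 1 goto :fail

rem Task 2: assign the policy
netsh ipsec static set policy name="Secure3389" assign=yes
if errorlevel 1 goto :fail

rem Connection security rule from the Windows Firewall with Advanced Security steps
netsh advfirewall consec add rule name="SecureServerAuthenticationRule" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerpsk auth1psk="%PSK%" profile=any
if errorlevel 1 goto :fail

rem Verification: show the stored policy, the rule, and the negotiated associations
netsh ipsec static show policy name="Secure3389" level=verbose
netsh ipsec dynamic show mmsas
netsh advfirewall consec show rule name="SecureServerAuthenticationRule"
netsh advfirewall monitor show mmsa
goto :eof

:fail
echo netsh step failed with errorlevel %errorlevel% 1>&2
exit /b 1
```

The two `show mmsas` / `show mmsa` commands list main mode security associations only after a peer has actually negotiated, so run them again once Machine "B" has connected on port 3389.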

Thursday, July 7, 2011

How to Configure the website on IIS 7 in Windows Server 2008

A site consists of web applications. A web site is the combination of an IP address, a port (default 80) and an optional host header on which HTTP.sys listens for requests.
Now I will guide you step by step through the configuration of a web site on IIS 7.
First, click the Start button at the bottom left of your desktop. Move your mouse cursor over Administrative Tools and a submenu will open. Click on Internet Information Services (IIS) Manager, as shown in the figure below.

The IIS 7 Internet Information Services window will open. In the Connections panel, expand the web server (your system name). Right-click on Sites and a menu will open. Click on Add Web Site, as shown in the figure below.

The Add Web Site window will open, as shown in the figure below.
Here you will see several options:
  1. Site name: Enter your site name.
  2. Application pool: Click on the Select button to select the application pool which you have created.
  3. Physical path: Select the folder where you have placed your web site.
  4. Pass-through authentication:
    1. Connection as: First click on Path credentials. There are two options, Specific user and Application user; click on Application user.
    2. Test Settings: The server is configured to use pass-through authentication with a built-in account to access the specified physical path.
  5. Binding: Select http (if you have purchased SSL, select https and configure it later), enter your IP address and define the port.

Enable Authentication and ASP.NET Impersonation as you see in the figure below.

Browse your site as shown below.


Install Active Directory on Windows Server 2008 Step by Step

Open Server Manager from the Administrative Tools folder. When the Server Manager window opens, click on Roles -> Add Roles. Now select Active Directory Domain Services and click Next to proceed. It will now install the AD services on your Windows Server 2008.

Enter the command DCPROMO in the Run dialog, as shown in the figure below.

The system checks whether Active Directory Domain Services is installed.

The Welcome to the Active Directory Domain Services Installation Wizard page will open. Click Next.

The Operating System Compatibility window will be displayed on your screen. Read it and click Next to continue.

Select Create a new domain in a new forest and click Next.

Enter your domain name and make sure it is correct, as I have done with my domain name.

Select Windows Server 2008 as the Forest Functional Level.
On the next screen, select Windows Server 2008 and click Next. Check DNS Server and click Next.

Be careful to select the right paths for your Database folder, Log folder and Users folder.

Enter the password for Recovery Mode.

Click Next.

Click Finish and restart your system. Now your server is a Domain Controller (DC).

Now you can create users in the Users folder, as shown in the figure below.
