EVERYTHING
WINDOWS SERVER 2022
Everything You Need to Know About Administering
Windows Server 2022 with Professional
Security Hacks, Tips & Tricks
CARTY BINN
Copyright © 2022 CARTY BINN
All Rights Reserved
This book or parts thereof may not be reproduced in any
form, stored in any retrieval system, or transmitted in any
form by any means—electronic, mechanical, photocopy,
recording, or otherwise—without prior written
permission of the publisher, except as provided by United
States of America copyright law and fair use.
Disclaimer and Terms of Use
The author and publisher of this book and the
accompanying materials have used their best efforts in
preparing this book. The author and publisher make no
representation or warranties with respect to the accuracy,
applicability, fitness, or completeness of the contents of
this book. The information contained in this book is
strictly for informational purposes. Therefore, if you wish
to apply the ideas contained in this book, you are taking
full responsibility for your actions.
Printed in the United States of America
CONTENTS
INTRODUCTION
BOOK 1
INSTALLING AND SETTING UP WINDOWS SERVER 2022
CHAPTER 1
AN OVERVIEW OF WINDOWS SERVER 2022
EXTRA! EXTRA! READ ALL ABOUT IT! SEEING WHAT’S NEW IN WINDOWS SERVER 2022
DECIDING WHICH WINDOWS SERVER 2022 EDITION IS RIGHT FOR YOU
Essentials
Standard
Datacenter
WALKING THE WALK: WINDOWS SERVER 2022 USER EXPERIENCES
Desktop Experience
Server Core
Nano
SEEING WHAT SERVER MANAGER HAS TO OFFER
WINDOWS ADMIN CENTER: YOUR NEW BEST FRIEND
EXTENDING AND IMPROVING YOUR DATACENTER
Azure Arc
Azure Auto-manage
CHAPTER 2
USING BOOT DIAGNOSTICS
ACCESSING BOOT DIAGNOSTICS
From the DVD
USING ADVANCED BOOT OPTIONS
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable Low-Resolution Video
Last Known Good Configuration
Directory Services Restore Mode (DSRM)
Debugging Mode
Disable Automatic Restart on System Failure
Disable Driver Signature Enforcement
Disable Early Launch Anti-Malware Driver
PERFORMING A MEMORY TEST
USING THE COMMAND PROMPT
WORKING WITH THIRD-PARTY BOOT UTILITIES
CHAPTER 3
PERFORMING THE BASIC INSTALLATION
MAKING SURE YOU HAVE WHAT IT TAKES
Central processing unit
Random Access Memory
Storage
Network adapter
DVD drive
UEFI-based firmware
Trusted Platform Module
Monitor
Keyboard and mouse
PERFORMING A CLEAN INSTALL
UPGRADING WINDOWS
PERFORMING A NETWORK INSTALL WITH WINDOWS DEPLOYMENT SERVICES
CHAPTER 4
PERFORMING INITIAL CONFIGURATION TASKS
UNDERSTANDING DEFAULT SETTINGS
GETTING AN OVERVIEW OF THE CONFIGURATION PROCESS
PROVIDING COMPUTER INFORMATION
WINDOWS SERVER 2022 WITH DESKTOP EXPERIENCE
Begin with Activation
Setting the Time Zone
COMPUTER NAME AND DOMAIN
CONFIGURING THE NETWORK
UPDATING WINDOWS SERVER 2022
Windows Server 2022 with Desktop Experience
Automatic updates
Downloading and installing updates
WINDOWS SERVER 2022 CORE
Automatic updates
Setting updates to automatic with the use of sconfig
Setting updates to automatic with the use of PowerShell
Downloading and installing updates
CUSTOMIZING WINDOWS SERVER 2022
Let's begin with Windows Server 2022 with Desktop Experience
Addition of roles and features
Enabling remote administration
Configuring Windows Firewall
Windows Server 2022 Core
Adding roles and features
Enabling remote administration
Configuration of Windows Firewall
Configuring Startup Options with BCDEdit
BOOK 2
CONFIGURING WINDOWS SERVER 2022
CHAPTER 1
CONFIGURING SERVER ROLES AND FEATURES
MAKING USE OF SERVER MANAGER
Roles and features
Diagnostics
Configuration tasks
Configure and manage Storage
UNDERSTANDING SERVER ROLES
Active Directory Certificate Services
Active Directory Domain Services
Active Directory Federation Services
Device Health Attestation
Domain Name System
Fax Server
File and Storage Services
HOST GUARDIAN SERVICE
Hyper-V
Network Controller
Print and Document Services
Remote Access
Web Services
WINDOWS DEPLOYMENT SERVICES
UNDERSTANDING SERVER FEATURES
.NET 4.8
Background Intelligent Transfer Service
BitLocker Drive Encryption
BitLocker Network Unlock
BranchCache
Containers
XPS Viewer
WoW64 Support
Wireless LAN Service
WinRM IIS Extension
Windows Server Backup
Windows Search Service
Windows Server 2022
Windows Internal Database
CHAPTER 2
CONFIGURING SERVER HARDWARE
WORKING WITH DEVICE MANAGER
Configuring Device Manager
Checking for devices that are not performing optimally
Memory
Input/Output
Can you see all the devices?
Having Control over Individual device settings
Using the Add Hardware Wizard
PERFORMING HARD-DRIVE RELATED TASKS
Which disks would you prefer?
Storage area networks
Storage spaces direct
Creating Storage pool
Logical disk
Volume
Making the best use of Storage Replica
USING STORAGE QUALITY OF SERVICE
Trusted Platform Modules
PERFORMING PRINTER-RELATED TASKS
Printer Install Wizard
Print Server Role
Installing Print Server role
PERFORMING OTHER CONFIGURATION TASKS
Mouse
Keyboard
Language
Sound
Fonts
CHAPTER 3
USING SETTINGS MENU
ACCESSING THE SETTINGS MENU
Understanding Settings Menu Items
Devices
Network and Internet
Personalization
Time and Language
System
Apps
Ease of Access
Update and Security
CHAPTER 4
WORKING WITH WORKGROUPS
KNOWING WHAT A WORKGROUP IS
KNOWING IF A WORKGROUP IS RIGHT FOR YOU
COMPARING CENTRALIZED AND GROUP SHARING
CONFIGURING A SERVER FOR A WORKGROUP
Changing the name of your workgroup
Adding groups
Creating users and adding users to the group
Adding shared resources
MANAGING WORKGROUPS
Making use of the User Account window
Modifying users with the Computer Management console
EXAMINING THE PEER NAME RESOLUTION PROTOCOL
CHAPTER 5
PROMOTING YOUR SERVER TO DOMAIN CONTROLLER
UNDERSTANDING DOMAINS
PREPARING TO CREATE A DOMAIN
Functional Levels
Domain functional level
Forest functional level
PERFORMING DOMAIN CONFIGURATION PREREQUISITE
Unsupported roles and features
Installation and configuration of Domain Name System
Installing and configuring Dynamic Host Configuration Protocol
CONFIGURING THE SERVER AS A DOMAIN CONTROLLER
WRAPPING THINGS UP
CHAPTER 6
MANAGING DNS AND DHCP WITH IP ADDRESS MANAGEMENT
INSTALLING IP ADDRESS MANAGEMENT
CONFIGURING IP ADDRESS MANAGEMENT
USING IP ADDRESS MANAGEMENT
IP Address Space
DNS Zones
DHCP Scopes
DNS and DHCP Servers
Server Groups
Event Catalog
BOOK 3
ADMINISTERING WINDOWS SERVER 2022
CHAPTER 1
AN OVERVIEW OF THE TOOLS MENU IN SERVER MANAGER
ACCESSING THE SERVER MANAGER TOOLS MENU
WORKING WITH COMMON ADMINISTRATIVE TOOLS
Disk Cleanup
Event Viewer
Local Security Policy
Registry editor
Defragment and Optimize Drives
Computer Management
Services
System Configuration
Task Scheduler
INSTALLING AND USING REMOTE SERVER ADMINISTRATION TOOLS
CHAPTER 2
SETTING GROUP POLICY
UNDERSTANDING HOW GROUP POLICY WORKS
Starting the Group Policy Editor
PERFORMING COMPUTER MANAGEMENT
Modifying computer settings
Modifying computer software settings
PERFORMING USER CONFIGURATION
Software settings
Windows settings
Administrative Templates
VIEWING RESULTANT SET OF POLICY
CHAPTER 3
CONFIGURING THE REGISTRY
STARTING REGISTRY EDITOR
IMPORTING AND EXPORTING REGISTRY ELEMENTS
Importing Registry elements
Exporting Registry elements
FINDING REGISTRY ELEMENTS
UNDERSTANDING REGISTRY DATA TYPES
UNDERSTANDING THE HIVES
HKEY_CURRENT_USER
HKEY_USERS
HKEY_CURRENT_CONFIG
LOADING AND UNLOADING HIVES
CONNECTING TO NETWORK REGISTRIES
SETTING REGISTRY SECURITY
CHAPTER 4
WORKING WITH ACTIVE DIRECTORY
ACTIVE DIRECTORY 101
CONFIGURING THE USER INTERFACE
Making use of Active Directory Domains and Trusts
HOW TO CREATE A DOMAIN TRUST
Active Directory Site
Subnets
AD site Links
Active Directory Users and Computers
Creating users
Creating groups
MANAGING USERS AND GROUPS
CHAPTER 5
PERFORMING STANDARD MAINTENANCE
ACTIVATING WINDOWS
Through the graphical user interface
Through the command line
CONFIGURING THE USER INTERFACE
Folder options dialog box
The General tab
The View tabs
The Search tabs
Personalization settings
Setting your Regional and Language Options
UNDERSTANDING HOW USER ACCESS CONTROL AFFECTS MAINTENANCE TASKS
ADDING AND REMOVING STANDARD APPLICATIONS
MEASURING RELIABILITY AND PERFORMANCE
Performance Monitor
Resource Monitor
Task Manager
PROTECTING THE DATA ON YOUR SERVER
Backing Up
Creating a one-time backup
Creating a scheduled backup
Restoring the System
PERFORMING DISK MANAGEMENT TASK
Managing storage
Managing disks
AUTOMATING DIAGNOSTIC TASK WITH TASK SCHEDULER
WORKING WITH REMOTE DESKTOP
WORKING WITH REMOTE SERVER ADMINISTRATION TOOLS
WORKING WITH ADMIN CENTER
Connecting to a server
Managing your servers with Windows Admin Center
CREATING A WINDOWS RECOVERY DRIVE
CHAPTER 6
WORKING AT THE COMMAND LINE
OPENING AN ADMINISTRATIVE COMMAND PROMPT
CONFIGURING THE COMMAND-LINE
Command History
Edit Options
Changing the font
MAKING USE OF LEGACY CONSOLE
Text Colors
SETTING ENVIRONMENTAL VARIABLES
GETTING HELP AT THE COMMAND LINE
UNDERSTANDING COMMAND-LINE SYMBOLS
CHAPTER 7
WORKING WITH POWERSHELL
OPENING AN ADMINISTRATIVE POWERSHELL WINDOW
CONFIGURING POWERSHELL
Options
Cursor Size
Edit Options
Text Selection
Command History
Font tab
Layout tab
Color tab
Customizing PowerShell, a Little Further
USING A PROFILE SCRIPT
SETTING ENVIRONMENTAL VARIABLES
GETTING HELP IN POWERSHELL
UNDERSTANDING POWERSHELL PUNCTUATIONS
BOOK 4
CONFIGURING NETWORKING IN WINDOWS SERVER 2022
CHAPTER 1
OVERVIEW OF WINDOWS SERVER 2022 NETWORKING
GETTING ACQUAINTED WITH THE NETWORK AND SHARING CENTER
USING THE NETWORK CONNECTION TOOLS
Ethernet
Dial-up
VPN
Status
Proxy
CONFIGURING TCP/IP
UNDERSTANDING DHCP
DEFINING DNS
Creating a DNS zone
CHAPTER 2
PERFORMING BASIC NETWORK TASKS
VIEWING NETWORK PROPERTIES
CONNECTING TO ANOTHER NETWORK
Connecting to the Internet
Setting up a dial-up connection
Connecting to a virtual private network
MANAGING NETWORK CONNECTIONS
Configuring the Internet Protocol
Installing network features
Uninstalling network features
CHAPTER 3
ACCOMPLISHING ADVANCED NETWORK TASKS
WORKING WITH REMOTE DESKTOP SERVICES
WORKING WITH NETWORK POLICY AND ACCESS SERVICES
TROUBLESHOOTING AT THE COMMAND LINE
CHAPTER 4
DIAGNOSIS AND REPAIRING NETWORK CONNECTION PROBLEMS
USING WINDOWS NETWORK DIAGNOSTICS
REPAIRING INDIVIDUAL CONNECTIONS
NETWORK TROUBLESHOOTING AT THE COMMAND LINE
WORKING WITH WINDOWS FIREWALL
MAKING SENSE OF COMMON CONFIGURATION ERRORS
Duplicate IP address
No gateway addresses
An application is experiencing network issues
WORKING WITH OTHER TROUBLESHOOTING TOOLS
BOOK 5
MANAGING SECURITY WITH WINDOWS SERVER 2022
CHAPTER 1
UNDERSTANDING WINDOWS SERVER 2022 SECURITY
UNDERSTANDING BASIC WINDOWS SERVER SECURITY
CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY
AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING
Security descriptors
Access Control List
WORKING WITH FILES AND FOLDERS
Setting file and folder security
NTFS PERMISSIONS
Share Permission
Effective Permissions
PAYING ATTENTION TO WINDOWS SECURITY
Virus & Threat Protection
Firewall & Network Protection
App & Browser Control
Device Security
CHAPTER 2
CONFIGURING SHARED RESOURCES
COMPARING SHARE SECURITY WITH FILE SYSTEM SECURITY
Shared folders permission
File System Security
Effective Permissions
SHARING RESOURCES
Printer
Storage Media
CONFIGURING ACCESS WITH FEDERATED RIGHTS MANAGEMENT
WORKING WITH ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES
CHAPTER 3
CONFIGURING OPERATING SYSTEM SECURITY
UNDERSTANDING AND USING USER ACCOUNT CONTROL
Using User Account Control to protect the server
MANAGING USER PASSWORD
Understanding Credential Guard
Group Policy
Registry
ENABLING VIRTUALIZATION BASED SECURITY
Enable Credential Guard
CONFIGURING STARTUP AND RECOVERY OPTIONS
HARDENING YOUR SERVER
Cipher Protocol
Cipher Suites
CHAPTER 4
WORKING WITH THE INTERNET
FIREWALL BASICS
DISABLING THROUGH THE GRAPHICAL USER INTERFACE
DISABLING/ ENABLING THROUGH POWERSHELL
DISABLING/ENABLING THROUGH THE USE OF COMMAND PROMPT
CONFIGURING WINDOWS DEFENDER FIREWALL WITH ADVANCED SECURITY
Profile Settings
Creating a Custom rule
CHAPTER 5
UNDERSTANDING DIGITAL CERTIFICATES
CERTIFICATES IN WINDOWS SERVER 2022
Cryptography
TYPES OF CERTIFICATES IN ACTIVE DIRECTORY CERTIFICATE SERVICES
User certificates
Computer
CHAPTER 6
INSTALLING AND CONFIGURING AD CS
INTRODUCING CERTIFICATE AUTHORITY ARCHITECTURE
Root certificate authorities
Policy certificate authorities
INSTALLING A CERTIFICATE AUTHORITY
Creating the CAPolicy.inf file
Installing the root certificate authority
Offline root certificate authority
Enterprise root certificate authority
Installing the issuing certificate authority
CONFIGURING A CERTIFICATE AUTO-ENROLLMENT
CHAPTER 7
SECURING YOUR DNS INFRASTRUCTURE
UNDERSTANDING DNSSEC
UNDERSTANDING DANE
PROTECTING DNS TRAFFIC WITH DNS-OVER-HTTPS
INDEX
INTRODUCTION
Over the years, Microsoft has continued to evolve its server operating system, and the latest release is Windows Server 2022. This server operating system brings new and exciting features, some of which are advances in security, system administration, and services.
Security features have been improved, so it offers better encryption support for the Server Message Block (SMB) protocol. Another new feature that comes with Windows Server 2022 is the secured-core server, which lets system administrators harden their systems at the hardware and firmware level.
With more customers moving to the Azure cloud, Microsoft has included new features to support Windows Server 2022 administration in Azure, including on-premises servers in hybrid environments. One of these is the ability to patch without having to reboot!
Windows Server 2022 offers something to everyone who comes across it, from a junior system administrator who is just finding his feet to a seasoned system administrator who needs to sharpen his skills.
In this book, I have covered many topics that are essential for you to know as a system administrator, and I have also explained things that can be considered outside your everyday work. My aim in writing this book is to help you come to terms with not just the what and the how but, most importantly, the why.
This is not the type of book that you pick up just to get a glimpse of the content; rather, it is one that should always be a reference point. It has been broken down into five books. There is no need to know its contents by heart: pick it up when you have issues with a topic it covers, and when you are done, put it down, but always keep it close to you, as you never can tell when the need for it might arise.
BOOK 1
INSTALLING AND SETTING UP WINDOWS
SERVER 2022
CHAPTER 1
AN OVERVIEW OF WINDOWS SERVER 2022
Windows Server 2022 is the most recent version of Microsoft's flagship server operating system. This chapter contains details needed by just about everyone. If you already have prior knowledge of Windows Server, I will be discussing the new features that this version brings to the table. If you have yet to work with Microsoft's server operating systems, you will appreciate every bit of information on the editions and the user experiences, based on what your needs are.
Extra! Extra! Read All About it! Seeing What’s New
in Windows Server 2022
With every recent version of Windows Server, Microsoft brings in new innovations using the latest technology to improve administration, add functionality where needed, and enhance security.
Below are some of the latest features in Windows Server 2022:
Secured-core server: These systems use advanced hardware to strengthen their security features. Trusted Platform Module (TPM) 2.0 is a standard feature; it is used, for instance, for secure key storage and to improve BitLocker's boot-time protection. Microsoft also offers more protection against firmware-level attacks, along with virtualization-based security (VBS).
Improvements to Domain Name System (DNS) security: DNS requests can now be made over Hypertext Transfer Protocol Secure (HTTPS), using an encrypted channel. This feature is also known as DNS-over-HTTPS, abbreviated DoH.
Transport Layer Security (TLS): With Windows Server 2022, HTTPS and TLS 1.3 are enabled by default to help protect your network and your activities on the internet.
Server Message Block (SMB) security: Windows Server 2022 comes with many improvements to SMB security. SMB can now run over the QUIC protocol instead of Transmission Control Protocol (TCP), which lets you take advantage of TLS 1.3 encryption. SMB Direct also now offers encryption with little or no impact on performance; previously, if SMB encryption was enabled, direct data placement was disabled because of the performance impact. In addition, traffic between storage clusters in Storage Spaces Direct can now be encrypted.
Azure hybrid capabilities: Azure Arc is built into Windows Server 2022, providing centralized management of servers, along with Azure Auto-manage: Hot-patch, which allows updates that do not require a reboot.
Windows Admin Center: Improvements have been added to Windows Admin Center to provide more support for the new secured-core server features.
Network performance: Both TCP and User Datagram Protocol (UDP) performance have been enhanced in Windows Server 2022.
Microsoft Edge browser: Microsoft Edge is now the browser of choice for Microsoft products. It replaces Internet Explorer as the default browser in Windows Server 2022.
Storage improvements: Moving data is now much easier with the Storage Migration Service. Storage Spaces Direct has also received two major improvements. The first, user-adjustable storage repair speed, lets users indicate how many resources should be given to repairing data versus servicing active storage needs. The second, the storage bus cache, is now also available on non-clustered systems, making it possible to create tiered storage on a stand-alone server.
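As an added example (not from the book), the following PowerShell reports whether the local server actually has the secured-core building blocks this list names: TPM 2.0, Secure Boot, and virtualization-based security with memory integrity (HVCI). It assumes an elevated session on Windows Server 2022; the function name and the gap messages are my own.

```powershell
# Added example: check the secured-core building blocks on the local server.
# Run from an elevated PowerShell session on Windows Server 2022.

function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    # Win32_Tpm exposes the TPM specification version as "2.0, 0, 1.59";
    # the first field is the spec family (1.2 or 2.0) the chapter refers to.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so a failure
    # is treated the same as Secure Boot being off.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # Win32_DeviceGuard reports VBS state: 0 = not enabled, 1 = enabled but not
    # running, 2 = running. SecurityServicesRunning lists the VBS-backed
    # services that are active: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TpmPresent        = [bool]$tpm
        TpmSpecVersion    = $tpmSpec
        TpmIs20           = ($tpmSpec -eq '2.0')
        SecureBootEnabled = $secureBoot
        VbsRunning        = [bool]($dg -and ($dg.VirtualizationBasedSecurityStatus -eq 2))
        CredentialGuardOn = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
        HvciOn            = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

# Print the report and flag anything that falls short of the secured-core baseline.
$status = Get-SecuredCoreStatus
$status | Format-List

$gaps = @()
if (-not $status.TpmIs20)           { $gaps += 'TPM 2.0 not detected' }
if (-not $status.SecureBootEnabled) { $gaps += 'Secure Boot is off, or the firmware is legacy BIOS' }
if (-not $status.VbsRunning)        { $gaps += 'Virtualization-based security is not running' }
if (-not $status.HvciOn)            { $gaps += 'Memory integrity (HVCI) is not running' }

if ($gaps.Count -eq 0) { 'Secured-core baseline checks passed.' }
else { 'Gaps found:'; $gaps | ForEach-Object { " - $_" } }
```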
Deciding Which Windows Server 2022 Edition Is
Right for You
There are three editions of Windows Server 2022: Essentials, Standard, and Datacenter. In the sections below, I will tell you more about each edition so that you can determine for yourself which one is right for you.
Essentials
The Essentials edition is perfect for small organizations that have no more than 50 users. It offers just enough functionality to help them complete most of their jobs, and it is also cost-effective.
The attributes of the Essentials edition are as follows:
Offers support for up to two CPU cores
Offers a maximum of 64GB of random-access memory (RAM)
Standard
This edition is perfect for environments with little or no virtualization, or for use as a guest operating system.
The attributes of this edition include:
Offers support for up to two Hyper-V containers and unlimited Windows containers
Offers support for Host Guardian Service (HGS) and Nano Server
Offers support for Storage Replica, though with some limitations
Datacenter
The Datacenter edition has almost the same attributes as the Standard edition, with more features added, making it the perfect edition for organizations with heavy virtualization needs, a desire for software-defined networking, or a need for more storage options.
The features of this edition include support for:
Unlimited Hyper-V containers, including unlimited Windows containers
Unlimited Hyper-V virtual machines, and also support for shielded virtual machines
Unlimited Storage Replica and Storage Spaces Direct
Software-defined networking
Network Controller
Host Guardian Hyper-V support
Note: There is a more sophisticated Windows Server Datacenter known as the Azure Edition. Windows Server 2022 Datacenter: Azure Edition offers deeper integration with Microsoft's Azure cloud. This edition can be obtained only as a virtual machine running in Azure; it cannot be installed on your own on-premises systems or run on your own hypervisors.
The new features of this edition include:
Azure Extended Network
Hot-patching
SMB over QUIC
Shielded VM support
Walking the Walk: Windows Server 2022 User
Experiences
Windows Server 2022 has two different user experiences that you can choose from. Which one you use will be based solely on the workload you want to support and your basic organizational requirements. This section contains a detailed explanation of the Desktop Experience and the Server Core experience, including some advantages and disadvantages.
Desktop Experience
This experience is the standard graphical user interface (GUI) that you may have explored in earlier versions of the Windows Server operating system. It lets you work with the system using buttons and menus rather than the command line. A server with Desktop Experience can be managed via Group Policy if it is joined to an Active Directory domain, and non-domain workgroup servers can be managed with local Group Policy.
Desktop Experience is said to be the easiest form of installation and administration for system administrators who are just starting out, but I recommend that you do not depend on the GUI. Get familiar with PowerShell! It is a versatile language, and it can be used on different systems, including some of the latest versions of Linux.
Server Core
Server Core offers a very simple interface when you are connected to the console. You are welcomed by a familiar-looking command window that prompts you for your username and password. Once you have logged in, by default you are placed in the sconfig window. When you choose to exit to the command line from sconfig, you are given a PowerShell window to get busy with. Initial configuration is completed with the sconfig utility, although it can also be done with a PowerShell script or PowerShell Desired State Configuration (DSC). You can manage this experience via Group Policy if the server is joined to an Active Directory domain, or via local Group Policy if it is a workgroup server.
Nano
Nano offers a much simpler interface with a much more limited console, which can be called the Recovery Console. It is not available via the regular installer on the disc; instead, the container image must be downloaded from Microsoft. Nano has a much smaller footprint, in terms of both disk and computing needs, than either Desktop Experience or Server Core. Since it has a much smaller overall footprint, its attack surface is also minimal. Windows Server 2022 Nano can be obtained only as a container base operating system image, and you can run it only as a container on a container host.
There is no way to manage Nano with Group Policy. You need to use PowerShell DSC instead if you want to manage Nano effectively at scale. You might be wondering why Nano should even be used in the first place, given that it is a very limited version of the operating system. If you need to run container workloads that use .NET, then Nano is the best candidate, since it is optimized to run .NET Core applications.
To check this out, you can download Nano Server images from Microsoft's container registry on Docker Hub with the following command:
docker pull mcr.microsoft.com/windows/nanose
Seeing What Server Manager Has to Offer
When Windows Server 2022 is first installed and you log in, the first screen that welcomes you is Server Manager. This screen offers a central location for completing all the configuration tasks that should be done on your system. It also gives a handy menu to help with managing all the roles and features installed on your server.
With Server Manager, you can manage remote servers, not just the local server. Remote servers need to be added to Server Manager before any management can occur, and some firewall ports may need to be opened to allow full functionality. Once remote servers have been added, you can run PowerShell against them and perform basic management tasks such as shutting down, connecting through Remote Desktop Protocol (RDP), and more. Up to 100 remote servers can be managed with Server Manager. This number may actually be smaller, depending on what is running on the managed servers; if they are running a large workload, you may not be able to manage that many.
Always remember that Server Manager can manage only the operating system version it is installed on and older versions. It cannot manage a server running a newer version of the operating system. For instance, Server Manager on Windows Server 2019 cannot manage a server running Windows Server 2022.
Below are some commonly used features of Server Manager:
Managing both local and remote servers.
Managing roles and features on servers.
Launching management tools such as Windows PowerShell and MMC snap-ins.
Reviewing events, performance data, and results from the Best Practices Analyzer.
Windows Admin Center: Your New Best Friend
Windows Admin Center is a relatively new server management tool from Microsoft. Microsoft has been investing quite heavily in Windows Admin Center, and it shows. It can be used to manage your on-premises systems as well as your systems in Azure. Windows Admin Center is accessed via your browser, and it allows nearly all administrative tasks to be executed through the same interface. It is free; all you need to pay for is the license of the operating system you run it on.
You can use Windows Admin Center to administer Windows Server 2022, 2019, 2016, 2012 R2, and 2012, with full support for all of its functionality.
By default, Windows Admin Center uses TCP port 6516, so you may need to allow this through server firewalls, depending on how your network is architected. To access the Admin Center dashboard, you need the hostname of the system that Admin Center is installed on. Desktop mode is usually used by a single system administrator, whereas Gateway mode can be accessed by various departments within an organization.
Installing Windows Admin Center is quite simple. All you need to do is download the Microsoft Installer (MSI) package from the Microsoft Windows Admin Center website. Before installing, you need to decide whether you will install only on your desktop client or also on a server. I recommend using your desktop if you are just getting your hands on it or are only managing a few servers. If you will be using Windows Admin Center fully, it is best to install it on a server so that all of your administrators can access it.
Windows Admin Center can be installed on Windows 10 or Windows Server 2016 and later. If you will be managing older servers, including 2012 and 2012 R2, you will need to install Windows Management Framework 5.1 on all of those servers.
When Windows Admin Center is installed on Windows 10, it runs in Desktop mode, which means you access it at https://localhost:6516. When Windows Admin Center is installed on a server, it runs in Gateway mode and is accessed with the server name in the URL, for instance https://servername; there is no need for a port number.
Installing Windows Admin Center on a domain controller is not supported. As you might guess, it is a very bad idea: since Windows Admin Center exposes its services through a web page, it adds a point of attack that would not otherwise be present.
Some of the most notable features of Windows Admin Center are:
Centralized server management
Integration with Azure, so you can manage on-premises and cloud resources from the same console
Cluster management tools built into Windows Admin Center
Show Script, which displays the PowerShell scripts being executed to perform your administrative work
Note that Microsoft Edge and Google Chrome are the only supported browsers. As of now, Firefox and Internet Explorer have not been tested and are not officially supported.
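Because the dashboard is a web page reachable on TCP port 6516 (or by server name in Gateway mode), the firewall opening the section mentions should be limited to the network your administrators use. The following PowerShell, added here and not part of the book, checks that something is listening on the port, lists every inbound allow rule that opens it and whether that rule accepts connections from any address, and replaces a wide-open rule with one scoped to a management subnet. Assumptions: port 6516 (pass 443 for a gateway reached by server name without a port), the placeholder subnet 10.0.10.0/24, and the rule name shown; the function names are my own.

```powershell
# Added example: audit and scope the firewall exposure of the Windows Admin Center port.
# Run from an elevated PowerShell session on the machine hosting Admin Center.

function Test-WacListener {
    param([int]$Port)
    # A listening socket on the port means the Admin Center service is up.
    $null -ne (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

function Get-WacFirewallExposure {
    param([int]$Port)
    # Every enabled inbound allow rule that opens this TCP port, with the remote
    # addresses it accepts. 'Any' means the dashboard is reachable from every
    # network the server is attached to.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($remote -join ',')
                OpenToAny     = ($remote -contains 'Any')
            }
        }
}

function Set-WacRuleScope {
    param([int]$Port, [string]$AdminSubnet, [string]$DisplayName)
    # Overlapping allow rules still allow, so the wide-open rules are disabled
    # (not deleted, so the change is reversible) before the narrower rule is added.
    Get-WacFirewallExposure -Port $Port |
        Where-Object OpenToAny |
        ForEach-Object {
            Write-Warning "Disabling wide-open rule '$($_.Rule)'"
            Disable-NetFirewallRule -DisplayName $_.Rule
        }
    # Allow the port only from the management subnet and only on the Domain and
    # Private profiles, so a Public-profile interface never exposes the dashboard.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AdminSubnet -Action Allow -Profile 'Domain, Private'
}

# Usage with the assumed values.
$port = 6516
if (-not (Test-WacListener -Port $port)) { Write-Warning "Nothing is listening on TCP $port" }

$exposure = @(Get-WacFirewallExposure -Port $port)
$exposure | Format-Table -AutoSize

if ($exposure | Where-Object OpenToAny) {
    Set-WacRuleScope -Port $port -AdminSubnet '10.0.10.0/24' -DisplayName 'Windows Admin Center (TCP-In)'
}
```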
Extending and Improving Your Datacenter
Windows Server 2022 lets you make use of some very powerful features in the Azure cloud. Some of these capabilities require that you are running Windows Server 2022 Datacenter: Azure Edition; others do not.
Azure Arc
This is a newer service that enables management of both Azure and on-premises assets using the Azure toolset. Windows Server 2022 is just one of many operating systems that can be managed by Azure Arc. All you need to do is install the Azure Connected Machine agent.
Azure Auto-manage
Azure Auto-manage: Hot-patch is, at the time of this writing, in preview; it can be previewed on Windows Server 2022 Datacenter: Azure Edition. It works by establishing a baseline from the latest published cumulative update (CU). Each month, hot patches that can be installed directly and need no reboot are then released. This, I can say, has been long awaited by almost every system administrator. When the baseline is updated with a new CU, which occurs roughly every three months, a reboot will be needed.
In this chapter, you learned what Windows Server is and about its components. You were also introduced to the new Windows Admin Center and to Azure, which deals with cloud computing. Be sure to go over this chapter properly, as it gives a good guide to what Windows Server is about and the various components you have at your disposal.
CHAPTER 2
USING BOOT DIAGNOSTICS
You might one day get a call about a server that has refused to start. Perhaps the server is in a continuous boot loop, or it is just hanging. You will then be saddled with the responsibility of finding out why the system is failing and then offering a solution.
This chapter sheds light on basic techniques and tools that can be used to troubleshoot problems that might cause the system not to boot properly.
Accessing Boot Diagnostics
The first approach to discovering what is wrong with your system is to access the boot diagnostic utilities that ship with the Windows Server operating system.
From the DVD
If the server with the boot problem is a physical machine, you can reach the boot diagnostics menu from a DVD or a USB flash drive. Physical media is rarely lying around any more, so you will usually download the Windows Server 2022 ISO from the Microsoft website and write the image to a DVD or a USB flash drive.
Once the media is ready, insert it into the server and boot from it. You may have to change the boot order so that the DVD drive or USB flash drive comes before the hard drive. This is done in the firmware setup, the basic input/output system (BIOS) or its successor, the Unified Extensible Firmware Interface (UEFI), which you can enter while the system is starting up. The key that opens the firmware setup depends on the manufacturer of the firmware. Many systems also show a one-time boot menu when you press F12, which lets you pick the DVD drive or USB flash drive for that boot only, without changing the permanent boot order.
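The media-creation step above can be scripted. The following PowerShell is an added example and not from the book; it assumes the ISO has already been downloaded to C:\ISO\WindowsServer2022.iso (a hypothetical path), that exactly one USB disk is attached, and that everything on that disk may be destroyed. Run it from an elevated PowerShell session on a Windows 10, Windows 11 or Windows Server machine.

```powershell
# Added example: build a bootable Windows Server 2022 USB stick from the ISO.
# Assumptions (not from the book): the ISO path is hypothetical; exactly one USB disk is attached.
$iso      = 'C:\ISO\WindowsServer2022.iso'
$expected = ''   # paste the SHA-256 published on the Microsoft download page here, if you have it

# 1. Verify the download before trusting it as boot media.
$actual = (Get-FileHash -Path $iso -Algorithm SHA256).Hash
if ($expected -and $actual -ne $expected) {
    throw "ISO hash $actual does not match the published value; do not use this image."
}

# 2. Pick the USB disk. Refuse to run if there is any ambiguity about which disk gets wiped.
$usb = @(Get-Disk | Where-Object BusType -eq 'USB')
if ($usb.Count -ne 1) { throw "Expected exactly one USB disk, found $($usb.Count)." }
$usb = $usb[0]

# 3. Wipe it and create a single active FAT32 partition. FAT32 is what UEFI firmware reads, and the
#    active flag keeps the stick bootable on legacy BIOS too. Windows refuses to format FAT32
#    volumes larger than 32 GB, so cap the partition on big sticks.
Clear-Disk -Number $usb.Number -RemoveData -RemoveOEM -Confirm:$false
Initialize-Disk -Number $usb.Number -PartitionStyle MBR
$partArgs = @{ DiskNumber = $usb.Number; IsActive = $true; AssignDriveLetter = $true }
if ($usb.Size -gt 32GB) { $partArgs.Size = 30GB } else { $partArgs.UseMaximumSize = $true }
$part = New-Partition @partArgs
$vol  = Format-Volume -Partition $part -FileSystem FAT32 -NewFileSystemLabel 'WS2022' -Confirm:$false
$dst  = "$($vol.DriveLetter):"

# 4. Mount the ISO and copy everything except install.wim.
$img = Mount-DiskImage -ImagePath $iso -PassThru
$src = "$(($img | Get-Volume).DriveLetter):"
robocopy "$src\" "$dst\" /E /XF install.wim | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 5. FAT32 cannot hold a file over 4 GB. If install.wim is bigger than that (it usually is for
#    Server 2022), split it into .swm chunks; Setup picks up install.swm transparently.
$wim = Get-Item -Path "$src\sources\install.wim"
if ($wim.Length -gt 4GB) {
    dism /Split-Image /ImageFile:"$($wim.FullName)" /SWMFile:"$dst\sources\install.swm" /FileSize:3800
} else {
    Copy-Item -Path $wim.FullName -Destination "$dst\sources\"
}

Dismount-DiskImage -ImagePath $iso | Out-Null
Write-Host "Boot media ready on $dst. Select USB in the firmware boot order or the one-time boot menu."
```

The hash check is the part people skip: an installer image is the one file that will run with full control of the hardware before any of your own defences exist, so compare it against the value Microsoft publishes rather than against whatever the mirror you downloaded from says.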
Once you know how to boot from the DVD or USB flash drive, take the steps below:
Boot from the DVD or USB flash drive.
When the message "Press any key to boot from CD or DVD" is displayed, press any key.
On the first screen, click Next. All this screen needs is the language, time and currency format, and keyboard or input method; the defaults can be accepted.
The next screen shows a big Install Now button. Do not choose it; instead look in the lower-left corner for the Repair Your Computer link and select that.
On the screen that follows, choose Troubleshoot.
This gives you the following options:
Command Prompt: This enables advanced troubleshooting and is mainly useful when the boot files need fixing. The diskpart utility lets you work with the drive, and the bootrec command (bootrec /fixmbr, /fixboot, /scanos and /rebuildbcd) repairs or rebuilds the boot files. Note that this Command Prompt runs as SYSTEM with no logon at all, which is exactly why anyone who can boot a server from their own media can read an unencrypted disk; BitLocker is what closes that door, and on a BitLocker-protected volume you will be asked for the recovery key here.
System Image Recovery: This restores the system from an image created by a backup utility. You will be asked to choose the operating system to restore, and the available backups will then be displayed.
Using Advanced Boot Options
The Advanced Boot Options menu gives you a set of utilities for troubleshooting different system issues.
Advanced Boot Options has been part of the Windows operating system for a very long time.
There are two ways of ending up in it:
The first, which almost every system administrator would rather avoid, is when the server has a problem, reboots, and lands in the Advanced Boot Options menu on its own, which tells you something went wrong.
The second, less alarming way is when the system administrator chooses to boot into the Advanced Boot Options menu. This may be done for several reasons, such as troubleshooting a driver problem or finding and removing malware from a machine that is believed to be infected.
To get into the Advanced Boot Options menu, follow these steps:
Select the Start menu and choose the Settings icon.
Select Update & Security and then choose Recovery.
Under Advanced startup, click Restart Now.
After the restart, on the Choose an option screen, choose Troubleshoot.
Choose Advanced options.
Click Startup Settings.
Finally, click Restart.
When the Advanced Boot Options menu is displayed, you can choose from the following options:
Safe Mode
This is always my first port of call when I have trouble booting a system. After a new hardware or software installation, or whenever I suspect a system is struggling because of a malware infection, I turn to Safe Mode.
What makes Safe Mode so important? Safe Mode starts Windows with only the services and drivers it needs in order to run. That is exactly what you want when troubleshooting something like a bad driver that causes a boot loop: in Safe Mode the faulty driver can be identified and then replaced or uninstalled.
Safe Mode is also extremely useful in a suspected malware infection. The malware often depends on services or drivers that are not loaded in Safe Mode, so it is not running, which lets you run malware removal tools and clean the last pieces of malicious code out of the operating system.
There are several variants of Safe Mode; the main ones are described below.
Safe Mode
This is plain Safe Mode. It boots only the basic services and drivers Windows needs to function well enough for you to work with it, and nothing more.
In most cases this form of Safe Mode is all you need to troubleshoot an issue and resolve it straight away. You get the graphical interface you are used to in Windows Server, but there is no internet access and no other network resources; the machine is effectively stand-alone, so have a local administrator password at hand rather than relying on a domain logon.
Safe Mode with Networking
This is the same as regular Safe Mode, with the one exception that the system also loads the drivers needed for the network interface card (NIC) to work. That is useful when you need to download software from the internet or, better still, from a share on your own network.
Safe Mode with Networking shines when you are chasing a driver or software problem: you can download a replacement driver or application while still in Safe Mode, swap the misbehaving or incompatible driver for a known-good version, and then boot normally.
Safe Mode with Command Prompt
Safe Mode with Command Prompt bypasses the Explorer desktop environment. That is very useful when the desktop is not displaying properly for whatever reason.
If you like Server Core, you will most likely like this flavour of Safe Mode as well. If you are less comfortable in a command window than you would like to be, a cheat sheet will serve you well here.
I recommend Safe Mode with Command Prompt when the problem has something to do with graphics: a bad display driver, a rendering problem, or a malware infection that hooks graphical elements such as screensavers or wallpapers.
Enable Boot Logging
If you need to see which drivers were loaded as the system started up, use Enable Boot Logging. It creates a file called ntbtlog.txt that lists every driver the operating system tried to load at startup, and whether it succeeded. The file lives in the Windows system directory, normally C:\Windows. Older versions of Windows flashed this same list on the screen during a Safe Mode boot.
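Each of the Safe Mode entries above, and boot logging, corresponds to a flag in the boot configuration data, so you can select them from an elevated PowerShell session before rebooting, which matters when a server is reachable only through a remote console. The following is an added example, not from the book; it assumes you are changing the currently running boot entry ({current}) and that you are an administrator. (The scripted way to reach the same Choose an option menu is shutdown /r /o /t 0.)

```powershell
# Added example: select Safe Mode variants and boot logging with bcdedit instead of the boot menu.
# Run elevated. Assumes the running OS entry ({current}) is the one you are troubleshooting.
function Set-NextBootMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Normal', 'SafeMode', 'SafeModeNetworking', 'SafeModeCommandPrompt', 'DSRM')]
        [string]$Mode,
        [switch]$BootLog
    )
    # Clear earlier flags first so modes never stack (e.g. dsrepair left over from a previous session).
    bcdedit /deletevalue '{current}' safeboot               2>&1 | Out-Null
    bcdedit /deletevalue '{current}' safebootalternateshell 2>&1 | Out-Null
    switch ($Mode) {
        'SafeMode'              { bcdedit /set '{current}' safeboot minimal }
        'SafeModeNetworking'    { bcdedit /set '{current}' safeboot network }
        'SafeModeCommandPrompt' { bcdedit /set '{current}' safeboot minimal
                                  bcdedit /set '{current}' safebootalternateshell yes }
        'DSRM'                  { bcdedit /set '{current}' safeboot dsrepair }   # domain controllers only
        'Normal'                { }
    }
    # bootlog yes makes the next boot write %SystemRoot%\ntbtlog.txt.
    $log = if ($BootLog) { 'yes' } else { 'no' }
    bcdedit /set '{current}' bootlog $log
}

function Get-BootLogSummary {
    param([string]$Path = "$env:SystemRoot\ntbtlog.txt")
    # ntbtlog.txt is appended to on every logged boot, so delete it before the test boot if you
    # want a single boot's view. Entries start with BOOTLOG_LOADED or BOOTLOG_NOT_LOADED followed
    # by the driver path; drivers that failed to load are the interesting ones.
    $lines     = Get-Content -Path $Path
    $notLoaded = $lines | Where-Object { $_ -like 'BOOTLOG_NOT_LOADED*' } |
                 ForEach-Object { ($_ -split '\s+', 2)[1] } | Sort-Object -Unique
    [pscustomobject]@{
        Loaded    = @($lines | Where-Object { $_ -like 'BOOTLOG_LOADED*' }).Count
        NotLoaded = $notLoaded
    }
}

# Typical use: log the next boot in Safe Mode with networking, then return to a normal boot.
# Set-NextBootMode -Mode SafeModeNetworking -BootLog; Restart-Computer
# ... after logging on again:
# Get-BootLogSummary | Format-List
# Set-NextBootMode -Mode Normal
```

The safeboot flag is persistent: the server keeps booting into Safe Mode until you clear it (the Safe boot box in msconfig is the same flag), so the Normal mode call at the end is not optional. Expect some entries under NotLoaded even on a healthy system; what you are looking for is a driver you recently added, or one that loads in Safe Mode but not in a normal boot.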
Enable Low-Resolution Video
This setting is useful when you have display problems, which commonly happens after you change a display setting your monitor does not support. It starts Windows with the currently installed video driver but at a low resolution, typically 640 x 480, so that you can go back in and correct the settings.
Last Known Good Configuration
Last Known Good Configuration can be a great help with boot problems caused by a damaged Windows Registry. This often happens when a user has misconfigured something, but it can also result from updates or patches. When you choose Last Known Good Configuration, the Registry is rolled back to the settings that were in use the last time the system booted successfully.
Be extra careful whenever you use anything that alters the Registry. There is no way to undo the changes made by Last Known Good Configuration; if it does not solve the problem, or makes it worse, you will have to restore from a backup. Note also that this entry was dropped from the boot menu starting with Windows Server 2012, so on a Windows Server 2022 system you will not find it under Startup Settings; for a broken Registry the realistic fallback is a system state backup.
Directory Services Restore Mode (DSRM)
This option only appears on servers that are domain controllers. DSRM is a special Safe Mode just for domain controllers that lets you repair or restore the Active Directory database.
To use it you need the DSRM password that was set when the domain controller was first promoted. If the password is not known, the ntdsutil tool can reset it; you need access to a Command Prompt on the system to run it.
For now, think of Active Directory as a very special database that holds data on users, computers, sites and every other object in your network. That database is critical to your company, so knowing the basics of how to restore it if it ever becomes damaged is a very useful skill.
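As an added example (not from the book), here is how to reset the DSRM password with ntdsutil, together with a check a security engineer would add: the DsrmAdminLogonBehavior registry value, which controls when the DSRM account may log on. It assumes an elevated PowerShell session on the domain controller itself; to boot into DSRM afterwards, set bcdedit /set {current} safeboot dsrepair and reboot, clearing the flag when you are done.

```powershell
# Added example: reset the DSRM password and audit how the DSRM account may be used.
# Run elevated on the domain controller. "null" tells ntdsutil to act on the local DC.
# ntdsutil prompts twice for the new password; it cannot be passed on the command line.
ntdsutil "set dsrm password" "reset password on server null" quit quit

# The DSRM account is a local Administrator that lives outside Active Directory. By default it
# can only log on when the DC is booted into DSRM. DsrmAdminLogonBehavior changes that:
#   0 or absent = DSRM boot only, 1 = also when the AD DS service is stopped, 2 = always,
#   including over the network. A value of 2 is a known persistence trick on domain controllers,
#   so treat anything other than 0 as a finding unless you set it yourself for a recovery.
function Get-DsrmLogonBehavior {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($null -eq $value) { $value = 0 }
    $meaning = switch ($value) {
        0       { 'DSRM boot only (default)' }
        1       { 'Also usable while the AD DS service is stopped' }
        2       { 'Always usable, including network logon' }
        default { 'Unexpected value' }
    }
    [pscustomobject]@{
        DsrmAdminLogonBehavior = $value
        Meaning                = $meaning
        Finding                = ($value -ne 0)
    }
}

Get-DsrmLogonBehavior
```

Resetting the DSRM password is not logged the way a normal password change is, and the account is not subject to domain password policy, so record the reset in your change log and re-run the audit function after any incident on a domain controller.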
Debugging Mode
If you are the kind of system administrator who wants to get your hands on the kernel debugger, this option is for you.
The kernel is one of the first programs to run when your server boots, and it has complete control over everything on the system.
Debugging Mode turns on kernel debugging, which lets you attach the kernel debugger and inspect the state of the kernel and the code executing at that level. It is a useful option for troubleshooting device driver problems that lead to the infamous blue screen of death, and for problems with the central processing unit (CPU).
You can examine a kernel memory dump on the affected system, or debug it live from a second system. Traditionally the debug connection is a serial cable on the COM1 port; on newer systems without a serial port a USB debug cable or a network (KDNET) connection is used instead.
Disable Automatic Restart on System Failure
Sooner or later every system administrator meets a system that tries to start, fails, reboots, and repeats. This is the boot loop. If one of your systems is in a boot loop, you can stop it restarting on its own by choosing Disable Automatic Restart on System Failure from the Advanced Boot Options menu.
Disabling the automatic restart is a great help when the system is hitting a blue screen of death and you need the information on it: the next time the system stops on a blue screen, it stays there and you have all the time you need to record the stop code and its parameters.
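Both of the last two menu entries have a persistent equivalent, which is what you want on a server that blue-screens once a week rather than at every boot. The following PowerShell is an added example, not from the book; it assumes an elevated session on the affected server and uses the CrashControl registry key that the System Properties dialog writes, plus the bcdedit debug settings.

```powershell
# Added example: make crash capture persistent instead of relying on the boot-menu choice.
# Run elevated. These are the same values the System Properties > Startup and Recovery dialog sets.
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Set-CrashCapture {
    param([switch]$AutoReboot)
    # AutoReboot 0 leaves the stop screen up so the bug-check code and parameters can be read.
    Set-ItemProperty -Path $cc -Name AutoReboot -Value ([int]($AutoReboot.IsPresent)) -Type DWord
    # CrashDumpEnabled: 1 complete, 2 kernel, 3 small (256 KB), 7 automatic. A kernel dump is the
    # usual compromise: enough for "!analyze -v" in WinDbg without dumping user-mode memory.
    Set-ItemProperty -Path $cc -Name CrashDumpEnabled -Value 2 -Type DWord
    Get-ItemProperty -Path $cc | Select-Object AutoReboot, CrashDumpEnabled, DumpFile, MinidumpDir
}

function Enable-KernelDebugging {
    param([int]$ComPort = 1, [int]$Baud = 115200)
    # Serial transport on COM1 is what the Debugging Mode menu entry selects.
    # (Use "bcdedit /dbgsettings usb targetname:<name>" for a USB debug cable instead.)
    bcdedit /dbgsettings serial debugport:$ComPort baudrate:$Baud
    bcdedit /debug '{current}' on
}

function Disable-KernelDebugging {
    # A live kernel debugger port is an unauthenticated ring-0 console: turn it off when done.
    bcdedit /debug '{current}' off
}

# Disable automatic restart and keep a kernel dump in %SystemRoot%\MEMORY.DMP on the next crash.
Set-CrashCapture
```

A kernel dump is only written if there is a paging file on the system drive large enough to hold kernel memory; if DumpFile never appears after a crash, that is the first thing to check. And do not leave kernel debugging enabled on a production server: whoever has the serial or USB cable has the machine.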
Disable Driver Signature Enforcement
When you choose Disable Driver Signature Enforcement, you are telling the system that it may load drivers that are not digitally signed. By default Microsoft requires drivers to be digitally signed and blocks unsigned drivers from loading. A digital signature lets the system verify that the driver really comes from the vendor it claims to come from, and it guarantees that the driver has not been altered in any way since the vendor released it.
Digital signatures use a code-signing certificate: the vendor hashes the driver file and signs that hash with the private key belonging to the certificate. The signed hash is bundled with the certificate and the driver executable. When the driver is installed on the end user's system, the signature is verified with the public key in the certificate, which recovers the original hash; the file is hashed again on the end user's system and the fresh hash is compared with the recovered one. If they match, the driver has not been tampered with.
If you disable driver signature enforcement, unsigned drivers load without complaint. Do this at your own risk: an unsigned kernel driver can just as easily be malware dressed up as a driver, and a driver runs with the same privileges as the kernel itself. Bear in mind, too, that enforcement proves origin and integrity, not safety: a correctly signed driver with a known vulnerability loads fine.
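To see what signature enforcement actually checks on a running server, here is an added PowerShell example (not from the book) that verifies the Authenticode signature of every installed kernel driver and reports whether test signing, the integrity-check override or Secure Boot are in effect. It assumes an elevated session on Windows Server 2016 or later and uses only built-in cmdlets.

```powershell
# Added example: audit driver signing state on the running server. Run elevated.
function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # WMI reports NT-style paths for some drivers; normalise to a Win32 path first.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Status = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
                Signer = $sig.SignerCertificate.Subject
                Path   = $path
            }
        }
}

function Get-SigningEnforcementState {
    # Test signing and the integrity-check override live in the BCD; Secure Boot is a UEFI variable.
    $bcd = bcdedit /enum '{current}' | Out-String
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on BIOS / non-UEFI systems
    [pscustomobject]@{
        TestSigning       = [bool]($bcd -match '(?im)^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($bcd -match '(?im)^\s*nointegritychecks\s+Yes')
        SecureBoot        = $secureBoot
    }
}

Get-SigningEnforcementState
# Anything that is not Valid deserves a look; HashMismatch means the file changed after signing.
Get-DriverSignatureReport | Where-Object Status -ne 'Valid' | Format-Table -AutoSize
```

A Valid result proves who signed the file and that it is unchanged, nothing more. Signed drivers with known vulnerabilities load without complaint and are precisely what the "bring your own vulnerable driver" technique relies on, so compare the report against Microsoft's vulnerable driver blocklist rather than stopping at "signed". If an inbox driver unexpectedly shows NotSigned, confirm with driverquery /si before acting on it, since inbox drivers are signed through catalog files rather than embedded signatures.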
Disable Early Launch Anti-Malware Driver
Malware that installs itself after Windows has booted will almost certainly be caught by the antivirus installed on the system. The problem is that malware authors moved on to rootkits. Rootkits are very hard to remove because they install drivers that start very early in the boot process, before the antivirus is running, which makes them exceedingly hard to find and take out.
Microsoft's answer is Early Launch Anti-Malware (ELAM): a Microsoft-signed anti-malware driver that Windows loads before any other boot-start driver, and that classifies each of those drivers so that a known-bad or unknown one can be blocked. This is a feature you want to keep. Disable it only if it is itself what stops the system from booting, for example because it blocks a driver you depend on, and only until the problem is solved.
Performing a Memory Test
What do you do if your server crashes, or shows a blue screen, when you least expect it? That can be a hard question to answer, because those symptoms can come from corrupted software just as easily as from failing hardware. Memory is a good place to start troubleshooting, and Windows Server 2022 includes a built-in memory diagnostic, the Windows Memory Diagnostics Tool.
To run the Windows Memory Diagnostics Tool:
● Press the Windows key + R.
● Type mdsched.exe.
● Click OK and choose whether to restart now or run the test at the next boot; the test runs before Windows loads.
If you do nothing once the test starts, the Windows Memory Diagnostics Tool runs in Standard mode.
You can interrupt it at any time:
● Press F1 to open the Options screen.
● Change the settings. The following options are available:
● Test Mix: The list of tests the tool should run:
○ Basic: Runs three tests on your memory and is the fastest option.
○ Standard: Runs the same tests as Basic and adds five more. It takes considerably longer than Basic.
○ Extended: Runs the same tests as Standard and adds nine more. Extended is the most thorough of the three and, as expected, takes much longer to complete.
If you have no idea what you are looking for, Standard is a good place to start. Extended takes much longer, and if you have no need for the extra tests you may not learn anything more by running them. That said, there is no harm in running all three, as they will not damage the server.
● Cache: Sets the cache behaviour for all the tests to be run. The cache should be disabled for tests that need direct access to the memory. The options are:
○ Default: Usually the best setting; it chooses the correct cache setting for the test currently running.
○ On: Forces the cache on for the tests.
○ Off: Forces the cache off for the tests.
● Pass Count (0-15): Controls how many times the whole test mix you have chosen is run. Set it to 5 and the chosen test mix runs five times. The default is two passes.
● When you have finished with the settings, press F10 to apply them and the scan starts over.
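The tool writes its verdict to the System event log rather than to a file, which is easy to miss on a server you only reach remotely. The following PowerShell is an added example, not from the book; it assumes mdsched.exe has already run and the server has rebooted, and it reads the results (the MemoryDiagnostics-Results provider; event 1201 is a clean pass), the corrected-error events that ECC memory reports through WHEA, and the list of installed modules so a bad bank can be matched to a slot.

```powershell
# Added example: collect Windows Memory Diagnostic results and related hardware error events
# without clicking through Event Viewer. Assumes the diagnostic has already run.
function Get-MemoryDiagnosticResult {
    param([int]$Newest = 5)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results'
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Get-CorrectedMemoryErrors {
    param([int]$Days = 30)
    # ECC corrections are reported by WHEA, not by the diagnostic; a steady trickle from the
    # same module is the early warning the diagnostic will later confirm.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WHEA-Logger'
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Get-InstalledMemory {
    # Map the physical modules so a failing bank can be matched to a slot on the board.
    Get-CimInstance -ClassName Win32_PhysicalMemory |
        Select-Object BankLabel, DeviceLocator, Manufacturer, PartNumber,
                      @{ n = 'GB'; e = { $_.Capacity / 1GB } }
}

Get-MemoryDiagnosticResult
Get-CorrectedMemoryErrors | Select-Object -First 10
Get-InstalledMemory | Format-Table -AutoSize
```

An empty result from Get-MemoryDiagnosticResult usually means the test has not run yet on this installation, not that memory is fine; check the timestamp of the newest event against when you scheduled the test.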
Using the Command Prompt
When everything else has failed, the Command Prompt will be there to rescue you. I have done a great deal of troubleshooting over the years and been saved by the Command Prompt many times. Corrupted system files? Open the Command Prompt and run sfc /scannow. Damaged hard drive? Open the Command Prompt and type chkdsk /f /r.
Below is a table of the tools I have found most useful over the years. Most of these commands need to be run from a Command Prompt started with administrator credentials.
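The same tools can be driven from PowerShell, which also lets you read their results instead of scrolling through console output. The following is an added example, not from the book; it assumes an elevated session on the server being repaired and uses only built-in commands and cmdlets.

```powershell
# Added example: run the checks named above from PowerShell and read their results. Run elevated.
function Invoke-SfcWithFindings {
    # sfc prints only a summary; the per-file verdicts go to CBS.log on lines tagged [SR].
    $log   = "$env:SystemRoot\Logs\CBS\CBS.log"
    $start = (Get-Date).AddMinutes(-1)
    sfc /scannow | Out-Null
    Get-Content -Path $log |
        Where-Object { $_ -match '\[SR\]' -and $_ -notmatch 'Verify complete|Verifying \d+|Beginning Verify' } |
        Where-Object { ($_.Substring(0, 19) -as [datetime]) -ge $start } |   # lines start "yyyy-MM-dd HH:mm:ss"
        ForEach-Object { $_ -replace '^.*\[SR\]\s*', '' } |
        Select-Object -Last 25
}

function Test-SystemDrive {
    param([string]$DriveLetter = $env:SystemDrive.TrimEnd(':'))
    # Repair-Volume -Scan is the read-only equivalent of chkdsk with no switches and is safe on a
    # live server. -OfflineScanAndFix corresponds to chkdsk /f and needs the volume offline,
    # which for the system drive means a reboot.
    Repair-Volume -DriveLetter $DriveLetter -Scan
}

function Get-DriverInventory {
    # driverquery /v /fo csv gives one row per driver; ConvertFrom-Csv turns the rows into objects.
    driverquery /v /fo csv | ConvertFrom-Csv |
        Select-Object 'Module Name', 'Display Name', 'Driver Type', 'Start Mode', State, Path
}

Invoke-SfcWithFindings
Test-SystemDrive
# Drivers that should have started automatically but did not are the usual boot-problem suspects.
Get-DriverInventory | Where-Object { $_.'Start Mode' -eq 'Auto' -and $_.State -ne 'Running' }
```

Before touching the boot store with bcdedit, run bcdedit /export with a file name of your choice; it is the only undo you get, and the exported file restores cleanly with bcdedit /import.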
If you want to run the Command Prompt as an administrator, click the Start button > Windows System, right-click Command Prompt, select More and then choose Run as Administrator; or open Task Manager, choose File > Run new task, type cmd and tick Create this task with administrative privileges.
Name, Command, Description
System File Checker (sfc /scannow): Checks that the system files are what they should be by comparing the signature of each system file with that of a cached copy. On current Windows the cached copies live in the component store at C:\Windows\WinSxS (the C:\Windows\System32\dllcache location belongs to Windows XP and Server 2003). If a corrupted system file is found, it is replaced immediately.
Check Disk (chkdsk /f /r): Fixes file system errors and marks bad sectors so that the operating system no longer uses them. /f lets the utility repair any problem it finds, and /r locates bad areas on the disk. This can take a good while.
Driverquery (driverquery): Queries the system for all the hardware drivers installed on Windows. This is a great help when you are chasing a hardware problem across several systems and need to know whether they have a driver in common.
bcdedit (bcdedit): Edits the boot configuration data on your Windows server.
Working with Third-Party Boot Utilities
This chapter would be incomplete without a look at third-party utilities created to help with diagnosing and resolving boot issues. Below are the two I use most, with their cost and a concise description.
Name, Cost, Description
Ultimate Boot CD (free): This is one of my favourite utilities. It contains a range of diagnostic and recovery tools. To use it, boot from the disc. It is that easy!
Trinity Rescue Kit (free): This kit has many great features and is also a great utility to have.
This chapter has shown you what the boot process and Safe Mode are about. You have also learned about the various Safe Mode variants, and by now you have probably settled on the one you prefer to work with.
CHAPTER 3
PERFORMING THE BASIC INSTALLATION
This is a very important step. One of the most important things you can do to make sure your installation succeeds is to ensure that you meet all the prerequisites for Windows Server 2022. With those in place, you save yourself a lot of stress.
Once you have everything needed to install Windows Server 2022, you are good to go. In this chapter I explain how to make your installation go smoothly and how to perform a network installation with Windows Deployment Services.
Note that there is no longer any option to switch between Server Core and Server with Desktop Experience after installation. That ability was removed in Windows Server 2016 to make room for the Windows 10 desktop experience on the server, as opposed to the older legacy desktop experience you had with Windows Server 2012 R2.
If you have installed Server Core and then change your mind and want Server with Desktop Experience, you will have to reinstall. If you try to use the Windows Server installation media to move between Server Core and Desktop Experience, there is no option to keep anything.
Making Sure You Have What It Takes
Microsoft publishes the prerequisites for all of its operating systems. Most of the hardware requirements are the same whichever edition of Windows Server you use; the ones that differ depend on whether you install Server with Desktop Experience or Server Core.
Windows Server 2022 is available only as a 64-bit operating system; there is no 32-bit version. When you run the installer you are offered the Standard edition or the Datacenter edition, and for each you choose between Server Core and Server with Desktop Experience.
Where minimum requirements are quoted, understand that they are the bare minimum needed to get Windows Server 2022 installed. Do not expect your server to perform well if you give it only that. For any real workload your server should have faster processors, more processor cores and a lot more memory.
So what is the bare minimum before you can install Windows Server 2022? For the most part there is little difference between the minimum requirements of Server Core and those of Server with Desktop Experience. The one important exception is the amount of random-access memory (RAM): the minimum for Server Core is 512 MB, while Server with Desktop Experience needs at least 2 GB.
Central processing unit
The central processing unit, or CPU as it is usually called, is the brain of the machine. It executes the instructions produced by programs and applications.
The CPU requirements for Windows Server 2022 are easy to meet with almost any recent processor:
● 1.4 GHz 64-bit processor: Since the operating system is x64, it stands to reason that the processor must be x64 as well. Even a cheap server with a low-end processor will clear the 1.4 GHz bar with ease.
● Supports No Execute (NX): When the NX bit is set on a page of memory, the processor refuses to execute instructions from that page. This protects against a whole class of malware and exploits that write code into a data buffer and then jump to it; pages holding data rather than instructions can be marked non-executable. Intel calls the feature XD (Execute Disable) and AMD marketed it as Enhanced Virus Protection.
● Supports Data Execution Prevention (DEP): DEP is the Windows feature built on the NX bit. It marks the stack, heap and other data pages as non-executable, so malware that tries to run code from those locations is stopped.
● Supports CMPXCHG16b, LAHF/SAHF and PrefetchW: These are processor instructions, and there are whitepapers on each of them. CMPXCHG16b is a 16-byte compare-and-exchange instruction supported by all recent x86_64 processors and used by the 64-bit kernel. Load AH from Flags (LAHF) and Store AH into Flags (SAHF) are required for virtualization support. PrefetchW gives a small performance improvement, originally on AMD processors. All you really need to know is that these processor features speed up common tasks and that some of them also underpin security features.
● Supports Second Level Address Translation (Extended Page Tables [EPT] on Intel or Nested Page Tables [NPT] on AMD): This feature is essential if you plan to run Hyper-V. It lets the processor translate guest addresses to physical addresses itself, which improves VM performance and takes a large amount of work off the hypervisor.
You may be wondering how you can tell whether your CPU supports all of these requirements. Microsoft provides a tool in the Sysinternals suite called Coreinfo that tells you exactly what your processor can do. It is a free download from the Microsoft website. The download is a zip file, so extract it first, then open a Command Prompt in that folder and run the utility:
● Type coreinfo in the command window, and a list of available and unavailable processor features is displayed. Available features are marked with an asterisk (*) and unavailable ones with a hyphen (-).
Random Access Memory
The server uses random-access memory (RAM) to hold what it needs right now and what it expects to need shortly. RAM is very fast, much faster than persistent storage, so a server with plenty of RAM will obviously perform much better than one with very little. As mentioned earlier, Server Core needs a bare minimum of 512 MB of RAM, and Server with Desktop Experience a bare minimum of 2 GB. Note that the RAM should also be Error Correcting Code (ECC) memory. ECC memory stores extra check bits with every word, so a single-bit error caused by, for instance, electrical interference is corrected on the fly and multi-bit errors are at least detected; plain parity memory can only detect errors, not fix them.
Storage
There is no special formula here. To install Windows Server 2022 you need at least 32 GB of disk space. Bear in mind that this is only the bare minimum to get the operating system installed; with exactly 32 GB there is no room left to install anything else. If storage is tight, Microsoft notes that Server Core needs roughly 4 GB less than Server with Desktop Experience.
Network adapter
A server nobody can reach is of no use. The network adapter, also called the network interface card (NIC), is how the server talks to the network. For Windows Server 2022 the network adapter must support at least gigabit Ethernet. Adapters may be onboard, meaning built into the motherboard, or on a separate NIC that plugs into a PCI Express slot.
Any network adapter you use should also support the Pre-boot Execution Environment (PXE). That is what most companies use today to image systems from a central imaging server such as Windows Deployment Services or System Center Configuration Manager.
DVD drive
Not every server has a DVD drive. There are plenty of other ways to install an operating system, such as booting from a flash drive or from the network, so most system administrators no longer worry about DVDs. That said, if you do need to install from DVD, make sure you have a DVD drive; it can be internal or external.
UEFI-based firmware
The Unified Extensible Firmware Interface (UEFI) has by now replaced the legacy Basic Input/Output System (BIOS). I advise choosing UEFI over BIOS; it is required for advanced features such as Secure Boot.
Trusted Platform Module
Most recent motherboards include a Trusted Platform Module (TPM) chip. If you plan to encrypt disks with BitLocker you want a TPM: it is what lets BitLocker seal the volume key to the measured boot chain, so the disk only unlocks when the firmware and boot loader are the ones it was sealed against. BitLocker can be configured to work without a TPM using a startup key or password, but that is a Group Policy exception, not the default.
Monitor
It goes without saying that you need to see what is happening on your server while the operating system is being installed. Windows Server 2022 needs a Super Video Graphics Array (SVGA) display with a minimum resolution of 1024 x 768. You can meet this either by attaching a physical monitor to the server or by viewing the video through a KVM.
A KVM lets you use one keyboard, monitor and mouse to administer many servers. Early KVMs required you to be on site to use the keyboard, monitor and mouse. Modern KVMs let you administer servers remotely through a web service and offer much the same functionality as having a keyboard, monitor and mouse physically plugged into the server.
Keyboard and mouse
You can connect a keyboard and mouse directly to the server while imaging, or present them to the system through a KVM. Either way, you need a keyboard and mouse to interact with the system.
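Rather than checking the requirements above by hand, you can have the machine report them. The following PowerShell is an added example, not from the book; it assumes an elevated session on the candidate hardware running Windows Server 2016 or later (or Windows 10/11), and it uses the minimums quoted in this section as its thresholds. On a host where Hyper-V is already installed the SLAT check reports nothing, because Windows stops reporting the Hyper-V requirement properties once the role is on.

```powershell
# Added example: check the Windows Server 2022 hardware prerequisites on the machine you are on.
# Run elevated. Thresholds are the minimums quoted in this section.
function New-Check([string]$Name, $Value, $Pass) {
    [pscustomobject]@{ Check = $Name; Value = $Value; Pass = [bool]$Pass }
}

function Test-WS2022Prerequisites {
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $mem  = Get-CimInstance -ClassName Win32_PhysicalMemoryArray | Select-Object -First 1
    $sys  = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
    $nic  = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
            Sort-Object Speed -Descending | Select-Object -First 1
    $info = Get-ComputerInfo -Property HyperVRequirementSecondLevelAddressTranslation, BiosFirmwareType

    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }     # throws on BIOS-based systems
    $tpm = $null
    try { $tpm = Get-Tpm } catch { }                            # module missing on very old hosts

    # MemoryErrorCorrection: 3 none, 4 parity, 5 single-bit ECC, 6 multi-bit ECC. Parity only
    # detects errors, so only 5 and 6 count as ECC here. Virtual machines usually report 3.
    $slat = $info.HyperVRequirementSecondLevelAddressTranslation

    New-Check '64-bit CPU at 1.4 GHz' "$($cpu.AddressWidth)-bit, $($cpu.MaxClockSpeed) MHz" `
        ($cpu.AddressWidth -eq 64 -and $cpu.MaxClockSpeed -ge 1400)
    New-Check 'NX / DEP available' $os.DataExecutionPrevention_Available $os.DataExecutionPrevention_Available
    New-Check 'SLAT (needed for Hyper-V)' $slat ($slat -ne $false)   # null = Hyper-V already installed
    New-Check 'RAM >= 2 GB (Desktop Experience)' ([math]::Round($cs.TotalPhysicalMemory / 1GB, 1)) `
        ($cs.TotalPhysicalMemory -ge 2GB)
    New-Check 'ECC memory' $mem.MemoryErrorCorrection ($mem.MemoryErrorCorrection -in 5, 6)
    New-Check 'System volume >= 32 GB' ([math]::Round($sys.Size / 1GB, 1)) ($sys.Size -ge 32GB)
    New-Check 'Gigabit network adapter' $nic.LinkSpeed ($nic.Speed -ge 1000000000)
    New-Check 'UEFI firmware' $info.BiosFirmwareType ("$($info.BiosFirmwareType)" -eq 'Uefi')
    New-Check 'Secure Boot enabled' $secureBoot $secureBoot
    New-Check 'TPM present and ready' "present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)" `
        ($tpm.TpmPresent -and $tpm.TpmReady)
}

Test-WS2022Prerequisites | Format-Table -AutoSize
```

Treat a Pass of False on UEFI, Secure Boot or TPM as a decision point rather than a blocker: the installer will proceed on BIOS hardware, but you will have given up measured boot, Secure Boot and TPM-sealed BitLocker before the first byte of your own configuration lands on the disk.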
Performing a Clean Install
I prefer clean installs. A clean install is far less likely to run into problems caused by bad drivers, corrupted system files or old misconfigurations. In this part of the chapter I explain how to perform a clean installation of Windows Server 2022.
I assume you have already booted from whatever media you are installing from (DVD, flash drive and so on) and are on the first screen of the Windows Server 2022 installer.
Follow the steps below for a complete, hitch-free installation:
● Choose the settings for your locale (language to install, time and currency format, keyboard or input method) and click Next.
● On the next screen, click Install Now.
● On the screen that follows, select the version of the operating system to install and click Next. The default is the first entry, Windows Server 2022 Standard (which is Server Core); the choices are Windows Server 2022 Standard, Windows Server 2022 Standard (Desktop Experience), Windows Server 2022 Datacenter and Windows Server 2022 Datacenter (Desktop Experience).
● On the next screen, tick the I Accept the License Terms box and click Next.
● On the screen that follows, click Custom.
● On the next screen, choose the partition on which you want to install Windows and click Next. Windows Server 2022 now installs and restarts automatically when it has finished.
Upgrading Windows
Before you consider an in-place upgrade, make sure that the operating system
you are starting from can be upgraded to Windows Server 2022 at all. The table
below lists the operating systems that can be upgraded and the Windows Server
2022 editions each one can be upgraded to.
As a general rule, you can upgrade directly to the latest Windows Server
release as long as you are on one of the two preceding major releases.
If you are running this edition       You can upgrade to any of these editions
Windows Server 2016 Standard          Windows Server 2022 Standard or Datacenter
Windows Server 2016 Datacenter        Windows Server 2022 Datacenter
Windows Server 2019 Standard          Windows Server 2022 Standard or Datacenter
Windows Server 2019 Datacenter        Windows Server 2022 Datacenter
You also need to check with your application vendors that the applications on
the server support Windows Server 2022. If they do not, you may have to upgrade
the applications before you upgrade the server operating system.
There is no direct upgrade path from Windows Server versions older than
Windows Server 2016. If you are moving from one of those, a clean installation
is the recommended route. If a clean installation is not possible, you will
first have to upgrade to Windows Server 2016 or Windows Server 2019 before you
can complete the upgrade to Windows Server 2022.
Once you have verified that you are on a supported version, you can begin the
upgrade. Below is an example of an upgrade from Windows Server 2019 Standard to
Windows Server 2022 Standard:
● Log in as an administrator on the system that is to be upgraded.
● Insert the disc or other installation media into the system and run
setup.exe.
● On the Install Windows Server screen, click Next. This screen also shows a
"Change how Setup downloads updates" link. Clicking it lets you tell Setup
not to download updates during the upgrade. I advise against that unless the
server has no internet connection, because an unpatched server is exposed to
attack until it has been patched.
● Choose Windows Server 2022 Standard (Desktop Experience), or whichever
edition you prefer, and click Next.
● If you have the time, read through the license terms; when you are done,
click Accept.
● On the screen that follows, you are offered the choice of keeping your
personal files and apps or keeping nothing. If you are staying with the same
experience (Core or Desktop), both options are shown. If you are changing the
experience, the only option available is to keep nothing.
● If the option is available, select the Keep Personal Files and Apps radio
button and click Next.
● If Keep Files, Settings, and Apps is grayed out, you are either changing
the user experience or using evaluation media rather than retail media. In
either case you have to choose Nothing.
● When everything looks right, click Install. The installer begins the
upgrade to Windows Server 2022. It may restart several times during the
process; that is expected.
Performing a Network Install with Windows
Deployment Services
Windows Deployment Services (WDS) is a role that can be installed on a Windows
Server operating system. It acts as both a Pre-boot Execution Environment
(PXE) server and a Trivial File Transfer Protocol (TFTP) server, and it allows
Windows to be installed over the network by selecting the network interface
card as the boot device.
Installing WDS is straightforward. You can run it as a standalone server or
integrate it with Active Directory. The easiest starting point for the boot
image is the boot.wim file on the Windows Server installation media, which
contains the Windows Preinstallation Environment (WinPE); it is found in the
Sources directory of the installation media.
You also need an install image. The simplest way to get one is to copy
install.wim from the Windows Server 2022 installation media to the system that
will be your WDS server. It offers the same editions and experience options
you would have had from the installation wizard on disc. Once WDS is fully
configured, it serves both images over the network; all that remains is to set
your new server to boot from the network.
If you are performing a network installation and the target server is not on
the same subnet as the WDS server, you need to set Dynamic Host Configuration
Protocol (DHCP) options 66 and 67 on the client's scope. Option 66 specifies
the host name or IP address of the WDS server and option 67 the name of the
boot file. If a firewall sits between the two networks, it must also pass the
relayed DHCP traffic (UDP 67 and 68) as well as the TFTP download of the boot
file (UDP 69) and WDS's PXE service port (UDP 4011) toward the WDS server.
If you use the default boot.wim from the installation media, you will see a
deprecation notice, but you can still go ahead and configure it. Later
versions of Windows Server will not support this option, although custom
boot.wim files will continue to work. Microsoft recommends moving to Microsoft
Endpoint Configuration Manager or the Microsoft Deployment Toolkit for more
customization and image deployment.
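The procedure above, carried out from PowerShell, as an added example that is not part of the book: the WDS role is installed and initialised in standalone mode, the boot and install images are imported from the media, and the scope-level DHCP options 66 and 67 are set for clients on a different subnet. The drive letters, folder path, hostnames, addresses and image names are assumptions for the example; substitute your own.

```powershell
# Added example (not from the book). Assumptions: Windows Server 2022 media
# mounted as D:\, WDS data folder E:\RemoteInstall, WDS host 10.10.10.5, and
# the client scope 10.10.20.0/24 served by the Windows DHCP role on this box.

# 1. Install the WDS role with its tools (wdsutil and the WDS cmdlets).
Install-WindowsFeature -Name WDS -IncludeManagementTools

# 2. Initialise WDS. /Standalone skips Active Directory integration; drop
#    it (and run on a domain-joined server) for the AD-integrated mode.
wdsutil /Verbose /Progress /Initialize-Server /RemInst:"E:\RemoteInstall" /Standalone

# 3. Import WinPE from boot.wim and the editions from install.wim.
#    List the edition names in the WIM first so -ImageName matches exactly.
Get-WindowsImage -ImagePath 'D:\sources\install.wim' | Format-Table ImageIndex, ImageName

Import-WdsBootImage -Path 'D:\sources\boot.wim' -NewImageName 'WS2022 Setup (x64)'
Import-WdsInstallImage -Path 'D:\sources\install.wim' -ImageGroup 'WS2022' `
    -ImageName 'Windows Server 2022 SERVERSTANDARD'   # assumed edition name

# 4. Clients on another subnet never hear the WDS PXE reply directly, so the
#    scope hands them the boot server (66) and boot file (67). Scope-level
#    options keep other scopes unaffected.
$scope = '10.10.20.0'
Set-DhcpServerv4OptionValue -ScopeId $scope -OptionId 66 -Value '10.10.10.5'
# UEFI clients; BIOS clients would need boot\x64\wdsnbp.com instead.
Set-DhcpServerv4OptionValue -ScopeId $scope -OptionId 67 -Value 'boot\x64\wdsmgfw.efi'

# 5. Confirm what WDS is now serving.
Get-WdsBootImage    | Format-Table ImageName, Architecture, Enabled
Get-WdsInstallImage | Format-Table ImageName, ImageGroup, Enabled
```

A firewall between the client subnet and the WDS server must let the relayed DHCP exchange (UDP 67/68), the TFTP download (UDP 69, with its dynamic reply ports handled by a stateful rule) and the WDS PXE port (UDP 4011) reach the server; the host firewall rules on the WDS server itself are created by the role installation.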
This chapter has covered everything involved in installation, including the
components that need to be in place for an installation to succeed.
CHAPTER 4
PERFORMING INITIAL CONFIGURATION
TASKS
Now that Windows Server 2022 is installed, you can begin to explore it, and
then configure the operating system to do what you need it to do.
Microsoft introduced Server Manager in Windows Server 2008 and heavily updated
it in Windows Server 2012 to support remote management. On a server with the
Desktop Experience, Server Manager is the starting point for most of the
configuration you will need to do.
If you are working on a Server Core system, you will not use Server Manager at
the console. Instead you use the sconfig utility for the initial configuration,
assuming you are not using Server Core images that have already been configured
for your environment. Server Manager can still administer Server Core systems
remotely, after a little initial setup to get things going. Below is everything
you need to know about the configuration process.
Understanding Default Settings
When Windows Server 2022 is first installed, a number of settings are at their
defaults. These are usually the things you will want to change: the server
name, its IP address, joining it to a domain, and so on. The table below lists
these defaults and what each one does, so you know what you are starting with.
Setting: Computer Name
Default value: WIN-<randomstring>
Description: The name is randomly generated and starts with WIN-. Change it to
follow your organization's naming standard. Changing the name requires a
reboot.

Setting: IP Address
Default value: Assigned by DHCP
Description: The new server asks DHCP for an IP address automatically. If your
organization manages server addresses through DHCP, you are ready to go; if it
does not, you will need to set a static IP address.

Setting: Domain or workgroup
Default value: Workgroup named WORKGROUP
Description: Windows Server 2022 starts life in a workgroup called WORKGROUP.
For a standalone server that may be exactly what you want. Servers in a
workgroup are not domain-joined; if the server needs to join a domain, change
this setting. Doing so requires a reboot.

Setting: Windows Update
Default value: Automatic download
Description: Updates are downloaded automatically but are not installed until
you approve them.

Setting: Microsoft Defender Firewall
Default value: Public and Private profiles: On; core OS functionality: Allowed
Description: Out of the box the firewall is on for the public and private
profiles, and the inbound rules that core operating system functionality needs
are already allowed. The domain profile comes into play once the server is
domain-joined.

Setting: Microsoft Defender Antivirus
Default value: Real-time protection: On
Description: Provides real-time scanning for viruses and malware and stops
malicious files from executing on the server. Automatic sample submission is
also enabled by default, which sends suspicious files to Microsoft for
analysis.

Setting: Roles and Features
Default value: Some roles/features installed
Description: A few roles and features are installed out of the box to provide
the server's basic functionality. Note that a role showing as installed does
not necessarily mean the whole role, with all of its role services, is
installed.

Setting: Remote Management
Default value: Enabled
Description: Allows the server to be managed remotely with PowerShell, and
allows applications or commands that rely on Windows Management
Instrumentation (WMI) to manage the server.

Setting: Remote Desktop
Default value: Disabled
Description: Allows users to connect to the server's desktop remotely. Which
users or groups are permitted to connect can be configured individually or by
group.
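Before changing any of these defaults it is worth recording what the server actually starts with. The function below, an added example rather than something from the book, reads back each setting in the table from the live system so the starting state can be kept alongside the change record. It uses only built-in cmdlets; the registry paths are the standard locations for Remote Desktop and the Windows Update Agent.

```powershell
# Added example (not from the book): capture the default settings listed in
# the table above from a freshly installed server. Run elevated.
function Get-InitialServerState {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $mp  = Get-MpPreference
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                            -Name fDenyTSConnections
    # The Auto Update key may not carry AUOptions on every build; tolerate that.
    $au  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' `
                            -Name AUOptions -ErrorAction SilentlyContinue

    $v4 = Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp, Manual -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME                  # WIN-<random> on a fresh install
        PartOfDomain       = $cs.PartOfDomain
        DomainOrWorkgroup  = $cs.Domain                         # WORKGROUP by default
        IPv4Addresses      = ($v4.IPAddress -join ', ')
        IPv4FromDhcp       = [bool]($v4 | Where-Object PrefixOrigin -eq 'Dhcp')
        WindowsUpdateAUOpt = $au.AUOptions                      # 3 = download, notify to install
        FirewallProfiles   = ((Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')
        RealTimeProtection = -not $mp.DisableRealtimeMonitoring
        SampleSubmission   = $mp.SubmitSamplesConsent           # 1 = send safe samples automatically
        InstalledRoles     = ((Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }).Name -join ', ')
        WinRMRunning       = ((Get-Service -Name WinRM).Status -eq 'Running')
        RemoteDesktop      = if ($rdp.fDenyTSConnections -eq 0) { 'Enabled' } else { 'Disabled' }
    }
}

# Show it, and keep a copy next to the build notes.
$state = Get-InitialServerState
$state | Format-List
$state | Export-Clixml -Path "$env:USERPROFILE\initial-state-$($env:COMPUTERNAME).xml"
```

Running it again after the initial configuration and diffing the two XML files (Compare-Object on the imported objects) shows exactly which defaults were changed.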
Getting an Overview of the Configuration Process
A newly installed server is not yet configured for very much. There are certain
basic configuration steps you have to take. Some are as simple as setting the
date and time; others are the settings that let you manage the system
effectively from a distance.
Here are the basic steps:
● Activating Windows Server 2022.
● Setting the date, time, and time zone.
● Changing the computer name.
● Joining the server to a domain, if there is one.
● Configuring the network.
● Configuring the server to receive Windows updates.
● Adding roles and features.
● Setting up the Windows Server OS for remote administration.
● Configuring the Windows Server firewall.
Providing Computer Information
Whenever you configure a new server there are certain things to do: activate
the operating system with a valid Microsoft product key, set the time zone,
change the name, and join the server to the domain. Below is how this
information is provided on both Windows Server 2022 with Desktop Experience
and Windows Server 2022 Core.
Windows Server 2022 with Desktop Experience
Most system administrators started out with the graphical user interface (GUI)
of a Windows Server operating system, and Windows Server 2022 continues to
offer the GUI through the Desktop Experience installation. Below is a little
about configuring Windows Server 2022 through the Desktop Experience.
Begin with Activation
One of the first things to do after installing the Windows Server operating
system is to activate it with a product key. This can be done either through
the desktop interface or through PowerShell.
● Log in to the server. Server Manager opens automatically.
● In Server Manager, select Local Server in the navigation pane.
● When you are ready to activate, click the Not Activated hyperlink next to
Product ID. A dialog box opens asking for the product key.
● Type the product key and click Next. You are prompted to activate Windows.
● Click Activate. On successful activation you receive a confirmation.
● Click Close to finish.
Setting the Time Zone
It is common to need to set a server to your own time zone, or to that of an
office located elsewhere. The latter is typical when servers sit in a
co-location facility and you want them in the same time zone as your local
systems.
● In Server Manager, choose Local Server on the left side of the menu.
● Click the hyperlink next to Time Zone.
● Click Change Time Zone.
● Choose the time zone you want from the drop-down list.
● Adjust the daylight saving settings as applicable to you.
● Click OK to leave the Time Zone Settings dialog box, and OK again to leave
the Date and Time dialog box.
Computer name and domain
Naming the computer matters in an organizational setting. Most organizations
have a naming convention to follow, and in any case a name you can remember is
better than the default generated one. Joining the domain is a simple step but
an equally important one, because it centralizes authentication, management,
and configuration.
To name the computer:
● In Server Manager, select Local Server on the left side of the menu.
● Click the hyperlink next to Computer Name. The default name starts with
WIN followed by letters and numbers.
● Click Change.
● In the Computer Name field, enter your preferred name for the server and
click OK.
● Click Close in the System Properties dialog box. You are prompted to
Restart Now or Restart Later to complete the change; choose based on what
you are doing with the server at that moment.
● To join a domain, repeat the first three steps above.
● In the Computer Name/Domain Changes dialog box, click the Domain radio
button and enter the name of the domain you want to join.
● Click OK. You are prompted for credentials with permission to join the
domain, and then a dialog box tells you the server needs to restart.
● Click OK.
● Click Close in the System Properties dialog box.
● Click Restart Now or Restart Later.
Configuring the network
By default the server uses an IP address assigned by DHCP. If that is not what
you want, give it a static IP address so that it keeps the same address.
● In Server Manager, choose Local Server on the left side of the menu.
● Next to Ethernet, click the hyperlink that reads IPv4 Address Assigned by
DHCP, IPv6 Enabled.
● Right-click the network adapter and choose Properties.
● Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
● Choose Use the Following IP Address.
● Enter the IP address, subnet mask, and default gateway.
● Enter the IP addresses of your preferred and alternate DNS servers.
● Click OK to close the dialog box.
● Click OK again to leave Ethernet Properties.
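The four tasks above (activation, time zone, name and domain, static address) can be done from one elevated PowerShell prompt, which is also how you would do them on Server Core. This is an added example and not from the book; the product key placeholder, the name FS01, the domain corp.example.com, the adapter name "Ethernet" and the 10.10.10.0/24 addresses are assumptions to replace.

```powershell
# Added example (not from the book): initial configuration from PowerShell.
# All values below are assumptions for the example.
$ProductKey = '<your-product-key>'
$NewName    = 'FS01'
$Domain     = 'corp.example.com'
$Adapter    = 'Ethernet'

# Activation: slmgr.vbs installs the key (/ipk) and activates online (/ato).
cscript.exe //nologo "$env:windir\System32\slmgr.vbs" /ipk $ProductKey
cscript.exe //nologo "$env:windir\System32\slmgr.vbs" /ato

# Time zone. Get-TimeZone -ListAvailable shows the valid -Id strings.
Set-TimeZone -Id 'W. Europe Standard Time'

# Static IPv4 and DNS. Turn DHCP off on the interface first so the lease is
# released and the adapter does not end up with two IPv4 addresses.
$if = Get-NetAdapter -Name $Adapter
Set-NetIPInterface -InterfaceIndex $if.ifIndex -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceIndex $if.ifIndex -IPAddress 10.10.10.21 -PrefixLength 24 `
                 -DefaultGateway 10.10.10.1
Set-DnsClientServerAddress -InterfaceIndex $if.ifIndex -ServerAddresses 10.10.10.10, 10.10.10.11

# Name and domain. Add-Computer renames and joins in one step and reboots
# once; the join credential is prompted for rather than typed on the line.
# For a standalone server use Rename-Computer instead.
if ($Domain) {
    Add-Computer -DomainName $Domain -NewName $NewName `
                 -Credential (Get-Credential -Message "Account allowed to join $Domain") -Restart
} else {
    Rename-Computer -NewName $NewName -Restart
}
```

After the reboot, Get-ComputerInfo shows the new name, domain and time zone, and Get-NetIPConfiguration confirms the static address and DNS servers took effect.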
Updating Windows Server 2022
Once you have installed the new Windows server and done the main configuration,
such as changing the computer name and joining a domain, the server needs to be
updated. Updating fixes many vulnerabilities and brings in new features. Make
sure this is done before you hand the server over to the team that asked for
it. In this section we look at updates for both Windows Server 2022 with
Desktop Experience and Windows Server 2022 Core.
Windows Server 2022 with Desktop Experience
When it comes to staying up to date on Windows Server, almost every
organization prefers automatic updates. Occasionally a server cannot be
configured to update automatically, so I explain both methods: automatic
updates and manual updates.
Automatic updates
Most organizations use this option because they consider it the safest. Many
also run an update management solution that schedules the deployment of
approved patches; that still counts as automatic, because the tool takes care
of the scheduling. The steps below connect the server to Microsoft's update
servers.
● From the Start menu, run "gpedit.msc".
● Navigate to Computer Configuration > Administrative Templates > Windows
Components > Windows Update.
● Double-click Configure Automatic Updates.
● Choose Enabled. The default for this policy is Auto Download and Notify
for Install.
● From the drop-down box, choose the setting that works best in your
environment.
● Click OK to save the change.
Downloading and installing updates
You may need to update manually, for example when a security vulnerability
affecting your Windows Server systems has just been patched.
To download and install updates manually, follow the steps below:
● In Server Manager, choose Local Server on the left side of the menu.
● Click the hyperlink next to Last Checked for Updates.
● Click Check for Updates. The server contacts its update source to find out
whether any updates are available.
Windows Server 2022 Core
When it comes to updates, Windows Server Core has the same need to receive
updates from Microsoft as Windows Server with Desktop Experience. I explain how
to handle updates both automatically and manually from PowerShell.
Automatic updates
Automatic updates can be set up in two ways: with the sconfig utility, and
from PowerShell.
Setting updates to automatic with the use of sconfig
The text menu provided by sconfig makes enabling automatic updates simple.
Three quick steps are all it takes:
● In the sconfig menu, type 5 to configure the Windows Update settings, and
press Enter.
● Type A for automatic download and installation of Windows updates.
● Press Enter to leave the updates section.
Setting updates to automatic with the use of PowerShell
To set updates to automatic from PowerShell, change to C:\Windows\System32,
stop the Windows Update service, and run the scregedit.wsf script with the
cscript host.
Follow the steps below to enable automatic updates:
● Stop the Windows Update service (wuauserv).
● Run scregedit.wsf with /AU 4, which sets automatic updates to the enabled
value 4 (auto download and schedule the install).
● Start the Windows Update service again.
Downloading and installing updates
To make Server Core check for available updates straight away, enter the
command below:
wuauclt /detectnow
Note that this only triggers a detection. To download and install what it
finds, use option 6 (Download and Install Updates) in sconfig, or script the
install from PowerShell.
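Both the Desktop Experience policy setting and the Server Core scregedit route above, plus a scripted detect-and-install, in one PowerShell example. This is an added example and not from the book. The policy registry path is where the gpedit setting described earlier is stored; the Windows Update Agent COM API used for the manual step is built into every Windows Server edition, so no extra module is needed. The chosen AUOptions value and the install schedule are assumptions.

```powershell
# Added example (not from the book). Run elevated on either installation type.

# --- 1. Policy equivalent of "Configure Automatic Updates = Enabled" ---
#     AUOptions: 2 notify before download, 3 auto download and notify to
#     install (the default the book mentions), 4 auto download and schedule.
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $auPolicy -Force | Out-Null
Set-ItemProperty -Path $auPolicy -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $auPolicy -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $auPolicy -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $auPolicy -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00

# --- 2. The Server Core scregedit.wsf route described above ---
Stop-Service -Name wuauserv
cscript.exe //nologo "$env:windir\System32\scregedit.wsf" /AU 4
Start-Service -Name wuauserv
cscript.exe //nologo "$env:windir\System32\scregedit.wsf" /AU /v    # /v prints the current value

# --- 3. Manual detect and install through the Windows Update Agent COM API ---
function Install-PendingUpdates {
    param([switch]$ListOnly)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    if ($found.Updates.Count -eq 0) { Write-Host 'No pending updates.'; return }

    $found.Updates | ForEach-Object { Write-Host "Pending: $($_.Title)" }
    if ($ListOnly) { return }

    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$coll.Add($u)
    }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $coll
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $coll
    $result = $installer.Install()
    # ResultCode 2 = succeeded, 3 = succeeded with errors, 4 = failed.
    Write-Host "Install result code $($result.ResultCode); reboot required: $($result.RebootRequired)"
}

Install-PendingUpdates -ListOnly     # drop -ListOnly to actually install
```

Because the COM API installs the same updates the Windows Update client would, this is the scripted equivalent of sconfig option 6 and works identically on Desktop Experience and Server Core; check RebootRequired before handing the server over.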
Customizing Windows Server 2022
After installing the Windows Server operating system, the next step is to
tailor it to its job.
Let's begin with Windows Server 2022 with Desktop Experience
When you log in to a Desktop Experience server, Server Manager launches by
default. Most of the configuration and customization you will need to do can
be done from Server Manager.
Addition of roles and features
This is done from Server Manager. Follow the steps below:
● Open Server Manager.
● Click Manage > Add Roles and Features.
● On the Before You Begin page, click Next.
● On the Select Installation Type page, click Next.
● On the Select Destination Server page, click Next.
● Tick the checkbox next to the role you want installed and click Next.
● On the next screen, tick any features that should be installed and click
Next.
● Finally, click Install to install the roles and features you have chosen.
Enabling remote administration
Remote management, which is what lets PowerShell and Server Manager administer
the server from elsewhere, is enabled by default. Remote Desktop is a separate
setting that lets you connect to the server's desktop and work on it
directly.
On a server with the Desktop Experience, system administrators usually work
through Remote Desktop. It is disabled by default, so you have to enable it if
you want to use it. If the server's firewall is on and Remote Desktop has not
been enabled, the firewall rule for it is not active either, so a connection
is impossible.
Below are the steps to enable Remote Desktop:
● Open Server Manager and select Local Server on the left side of the menu.
● Click the hyperlink next to Remote Desktop that reads "Disabled".
● In the dialog box that appears, choose Allow Remote Connections to This
Computer.
● Click OK.
● If only specific people or groups should have Remote Desktop access, click
Select Users.
● Click Add, choose the group or person, and click OK.
● Click OK to leave the Remote Desktop Users dialog box.
● Click OK once more to enable Remote Desktop.
Configuring Windows Firewall
If you run the firewall on your server, you will need to know how to allow
applications through it. Allowing only the inbound traffic the server's job
requires is what lets it do that job while staying protected:
● In Server Manager, choose Local Server on the left side of the menu.
● Click the Private link next to Microsoft Defender Firewall.
● Choose Allow an App through Firewall.
● Tick the checkbox in the Private column for File and Printer Sharing to
allow it for the private profile.
● Review the settings once more and, when you are ready to save, click OK.
Windows Server 2022 Core
PowerShell is the tool for configuring Server Core, especially when there is a
lot of configuration to do. You can run it at the console or through a remote
PowerShell session.
Adding roles and features
Finding the exact name of what you need can be tedious when you are getting
started with Server Core. The GUI in the Desktop Experience guides you; Server
Core gives you no such guidance.
For example, to install the file server role you first need to find its
feature name. The Get-WindowsFeature cmdlet searches the names of the roles
and features, and if you only have a rough idea of the name you can use a
wildcard.
Running that search returns every role and feature whose name matches; for a
file server search there are several. Take the value from the Name column and
install it with the command below:
Install-WindowsFeature <Name>
A progress bar shows the installation's progress. Afterwards, running the
first search again shows the matching roles and features as installed.
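The search, install and verification described above, as an added example that is not from the book. The wildcard "*File*", the role name FS-FileServer and its management tools RSAT-File-Services are the example's choices; the Install-WindowsFeature result object is what lets a script decide whether a restart is needed instead of guessing.

```powershell
# Added example (not from the book): locate the file server role by wildcard,
# install it with its management tools, and verify the outcome.

# 1. Search. Name is what Install-WindowsFeature wants; DisplayName is the GUI text.
Get-WindowsFeature -Name '*File*' |
    Format-Table Name, DisplayName, InstallState -AutoSize

# 2. Install. -IncludeManagementTools pulls in the matching RSAT tools so the
#    role can be managed from this box or a remote Server Manager.
$result = Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools

if (-not $result.Success) {
    throw "Install failed with exit code $($result.ExitCode)"
}
"Installed: $(($result.FeatureResult | ForEach-Object Name) -join ', ')"
if ($result.RestartNeeded -ne 'No') {
    "Restart needed: $($result.RestartNeeded)"
}

# 3. Verify: the Installed column is now True for the role and its tools.
Get-WindowsFeature -Name FS-FileServer, RSAT-File-Services |
    Format-Table Name, Installed, InstallState -AutoSize
```

To remove what you added later, Uninstall-WindowsFeature takes the same -Name values, and the same result object tells you whether a restart is required.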
Enabling remote administration
Remote management is enabled by default in Windows Server 2022. If it has been
disabled on your server, you can re-enable it by running
Configure-SMRemoting.exe -Enable. That lets you manage the server remotely with
Server Manager.
Two more commands matter if you will be working on the server remotely with
PowerShell. Enable-PSRemoting configures PowerShell to accept commands sent
from another system, and winrm quickconfig checks and configures the WinRM
service automatically. If you just want it working and have no need to
customize anything, this is the quickest route.
The two behave differently. winrm quickconfig runs its checks, tells you what
needs to change, and asks for a yes or no before making each change. If the
service is already configured when you run it, it simply reports that WinRM is
already running and set up for remote management instead of prompting.
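The remote-administration settings discussed above, enabled and verified from PowerShell, as an added example that is not part of the book. It covers the Server Manager remoting command, PowerShell remoting, and the Remote Desktop setting from the Desktop Experience section, done here without the GUI so it also applies to Server Core. The group CORP\ServerAdmins is an assumed name.

```powershell
# Added example (not from the book): enable and verify remote administration.
# Run elevated at the server console.

# Server Manager remote management (WinRM plus the firewall rules it uses).
Configure-SMRemoting.exe -Enable

# PowerShell remoting: starts WinRM, sets it to start automatically, creates
# the HTTP listener and enables the "Windows Remote Management" firewall group.
Enable-PSRemoting -Force
winrm quickconfig -q        # -q answers yes to the changes it would otherwise ask about

# Remote Desktop: allow connections, keep Network Level Authentication on so
# callers authenticate before a session is created, and open the RDP rule group.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Grant access to a group rather than individual accounts, the same thing
# "Select Users" does in the GUI. CORP\ServerAdmins is an assumed group.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CORP\ServerAdmins'

# Verify. Test-WSMan succeeds only if the WinRM listener answers; repeat it
# from a management host with -ComputerName <server> to prove the path works.
Test-WSMan -ComputerName $env:COMPUTERNAME
Get-NetTCPConnection -State Listen -LocalPort 5985, 3389 |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

From a management workstation, Enter-PSSession -ComputerName <server> confirms PowerShell remoting end to end, and mstsc confirms Remote Desktop; if either fails while the listeners above are present, the culprit is usually the firewall profile in effect on the server's network connection.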
Configuration of Windows Firewall
Working with Microsoft Defender Firewall on Server Core is straightforward.
Start by finding the name of the rule you want to work with, using
Get-NetFirewallRule. Piping the output to Format-Table at the end makes it far
easier to read.
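The Server Core equivalent of the "Allow an App through Firewall" steps from the Desktop Experience section, as an added example that is not from the book: find the File and Printer Sharing rules, enable only the inbound ones for the Private profile, verify the result, and add a scoped rule for a custom listener instead of loosening the firewall. The custom rule's port and source network are assumptions.

```powershell
# Added example (not from the book). "File and Printer Sharing" is the
# built-in rule group name; the custom rule values are assumed.

# 1. Look before you touch: what is in the group and what is already enabled?
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Format-Table Name, DisplayName, Enabled, Profile, Direction -AutoSize

# 2. Enable the group's inbound rules for the Private profile only. Leaving
#    Public out is the same choice the GUI's Private checkbox makes.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -Profile Private

# 3. Verify: every inbound rule in the group should now be enabled and Private.
$wrong = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object { $_.Enabled -ne 'True' -or $_.Profile -ne 'Private' }
if ($wrong) {
    $wrong | Format-Table Name, Enabled, Profile -AutoSize
} else {
    'File and Printer Sharing: inbound allowed on the Private profile only.'
}

# 4. For an application of your own, add one narrow rule: one port, one
#    protocol, one source network, Domain/Private only. Example values.
New-NetFirewallRule -DisplayName 'Example App TCP 8443' -Direction Inbound `
    -Protocol TCP -LocalPort 8443 -RemoteAddress 10.10.10.0/24 `
    -Action Allow -Profile Domain, Private

# Show only the rules an administrator added (not the built-in groups).
Get-NetFirewallRule | Where-Object { -not $_.Group } |
    Format-Table DisplayName, Enabled, Direction, Profile -AutoSize
```

Get-NetFirewallPortFilter and Get-NetFirewallAddressFilter, piped from a rule, show the port and address scope that Get-NetFirewallRule itself does not display, which is the quickest way to audit what a rule actually opens.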
Configuring Startup Options with BCDEdit
With Windows Server 2008, Microsoft introduced a utility called BCDEdit for
modifying the Boot Configuration Data (BCD) store. The BCD tells the operating
system how to boot and holds all the boot configuration parameters that
support that function. BCDEdit replaced the older bootcfg.exe, which edited the
boot.ini file on pre-Windows Vista systems. You cannot use BCDEdit unless you
are a member of the local Administrators group. It is an advanced utility and
is most useful when troubleshooting problems that stop a server from booting
properly.
Be extremely careful with BCDEdit: a mistake can leave the system unable to
boot at all. Make sure you have a good backup before using it, and in any case
export the current settings with BCDEdit first so you can restore them if the
need arises.
Below are the options most system administrators use with BCDEdit:
Option          Description
/debug          Enables or disables kernel debugging for a boot entry.
/delete         Deletes a boot entry from the store; be careful, because
                restoring a deleted entry is difficult.
/deletevalue    Deletes an option from a boot entry. As above, be cautious.
/dbgsettings    Configures the debugging connection.
/export         Exports the contents of the BCD store to a file; this is your
                backup for restoring the BCD.
/import         Imports a previously exported file; use it when you need to
                restore.
/enum           Lists the entries in the boot configuration data store.
/set            Sets an option value on a boot entry.
You will sometimes need to change the boot configuration data store, and that
is done with the bcdedit /set command. Know what the BCD looks like before you
change anything; the /enum option shows you.
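The safe working pattern the text recommends (export first, look with /enum, then /set, then verify) in a PowerShell session, as an added example that is not from the book. Note the quoting: in PowerShell, {current} and {bootmgr} must be quoted or the shell parses the braces as a script block. The backup path, the 10-second timeout and the description text are the example's choices.

```powershell
# Added example (not from the book). Requires an elevated prompt.

# 1. Back up the whole store before any change, and stop if that fails.
$backup = "C:\BCD-backup-$(Get-Date -Format 'yyyyMMdd-HHmm')"
bcdedit /export $backup
if ($LASTEXITCODE -ne 0) { throw 'BCD export failed; make no changes.' }

# 2. Inspect. {current} is the entry the running OS booted from; {bootmgr}
#    holds boot-manager settings such as the menu timeout.
bcdedit /enum '{current}'
bcdedit /enum '{bootmgr}'

# 3. Change. Two low-risk edits: a readable description for the menu and a
#    10-second menu timeout so a console operator can reach the boot options.
bcdedit /set '{current}' description 'Windows Server 2022 (production)'
bcdedit /timeout 10

# 4. Verify the values actually changed.
bcdedit /enum '{current}' | Select-String -Pattern 'description'
bcdedit /enum '{bootmgr}' | Select-String -Pattern 'timeout'

# 5. Roll back if anything went wrong. This also works from the recovery
#    environment's command prompt, pointed at the exported file.
# bcdedit /import $backup
```

Keep the exported file off the system disk as well; if a bad edit stops the server from booting, the recovery environment's command prompt can run bcdedit /import against a copy on removable media.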
This chapter has shown that installation is only the beginning; once the
installation completes, configuration follows. This is where you provide the
computer information, set the computer name and domain, configure the network,
configure the Windows firewall, and configure the startup options.
BOOK 2
CONFIGURING WINDOWS SERVER 2022
CHAPTER 1
CONFIGURING SERVER ROLES AND FEATURES
In this chapter I discuss Server Manager and what server roles and server
features are. A good grasp of both makes the job easier and the results better.
Making Use of Server Manager
Server Manager is where you will spend most of your time on a new server. It
launches automatically when you log in, and it is the central management point
for whichever server you are logged in to.
On login, Server Manager opens on the Dashboard. The Dashboard has a large
tile at the top called the Quick Start tile. If you do not want it taking up
space:
● Click the Hide link in its lower right corner.
Below the Quick Start tile there are tiles for every installed role, as well
as for File and Storage Services and, on a fresh installation, Local Server.
These tiles are useful because they show at a glance whether a server is
healthy. A red tile with a small downward arrow means the server has run into
a problem or is not running at all; a green tile with a small upward arrow
means it is running properly. Clicking an individual tile gives more detail;
for instance, clicking the File and Storage Services tile shows the services
that support that role and their state.
Roles and features
Roles and features add functions to the server. A role is a job you want the
server to do, and a feature supports a role so that it does that job properly.
For example, the Active Directory Domain Services role has management tools
that are packaged as features; for the role to be managed properly, those
management tools need to be installed.
Diagnostics
Server Manager gives fast, easy access to the diagnostic tools almost everyone
needs. To reach them:
● Click the Tools menu in the top menu bar.
Some of the items in the Tools menu:
● Performance Monitor: measures performance-related metrics such as
central processing unit (CPU) idle time, user time, and so on. When you have
a performance problem such as slowness or freezing, this is the tool to turn
to.
● Resource Monitor: gives a quick look at how the system is doing, with a
summary screen covering CPU, disk, network, and memory use. It also helps
troubleshoot problems such as insufficient network bandwidth and low disk
space.
● System Information: shows the hardware specifications and some of the
settings. When you need information about the system, start here. It also
reports BIOS details such as the version and the mode (legacy or UEFI) it is
running in.
● Windows PowerShell: PowerShell is always available from here. It can change
settings and export output to a file when needed.
Configuration tasks
Most of the configuration tasks take place in the Local Server section of
Server Manager. Upon clicking Local Server, you will be shown the Properties
page, which shows information about the current server. The nice thing about
this page is that it is filled with hyperlinks, so with one click you are taken
straight to where a setting can be configured. When you have a new server, this
makes the configuration process very simple: you can change the hostname and IP
address, update the server, and join it to a domain.
Configure and manage Storage
As mentioned earlier, Windows Server 2022 systems have the File and Storage
Services role installed. This makes working with the server's storage much
easier. When you choose the File and Storage Services option in the navigation
menu, many options are displayed; choose the Disks option. This is where new
disks are brought in; you can then initialize the disks and create volumes.
Understanding Server Roles
As defined earlier, a role is what you want the server to do. Installing a role
is what makes a server useful. If, for instance, you are trying to build a
virtualization platform, or whatever else you want to do, you will most likely
have to start by installing a role. Below are some of the roles that are part of
Windows Server 2022.
Active Directory Certificate Services
This role enables an organization to build a public key infrastructure (PKI)
so that it can issue its own internal certificates. These can include
certificates for an internal web server or code-signing certificates for the
scripts that help run the organization's systems. It also lets you install
certificate authorities and provides additional services such as the Network
Device Enrollment Service, which enables network devices to enroll for
certificates even without domain credentials.
Active Directory Domain Services
This role lets users store information about themselves, other users, and
other network objects in a directory service. It also maintains a catalog
containing information about every object in the directory, which is needed for
a successful logon to the domain. With this role, it is quite easy to find
objects even when you have very little information about them.
Active Directory Federation Services
This role provides single sign-on capabilities to organizations that use Active
Directory Domain Services. It enables users with an Active Directory account to
use that account with applications that sit outside the boundaries of their
Active Directory.
Device Health Attestation
This role was added when Windows Server 2016 was introduced. It helps the
administrator check whether a device is healthy. It can be used for many
systems, at the discretion of the system administrator. This role is most often
used to check that systems are safe before they are allowed to connect to
remote access services such as DirectAccess or other VPN services.
This role helps you check whether your computer has the following:
● Early-launch anti-malware (ELAM), which protects the computer when it starts
up, before third-party drivers are initialized.
● Windows BitLocker Drive Encryption, which encrypts all the data saved on the
OS and data volumes, including removable disks.
● Secure Boot, a security standard that ensures a device boots using only
software that is trusted by the manufacturer of the server.
● Code Integrity, which improves OS security by validating the integrity of a
driver or system file each time it is loaded into memory.
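As an added example (not from the book), the following script reports the same four properties from the local machine's point of view; it assumes an elevated session on a UEFI-based Windows Server 2022 host with Microsoft Defender, whose ELAM driver is named WdBoot (other ELAM products use other driver names).

```powershell
# Added example (not from the book): report the four properties that Device
# Health Attestation evaluates, as seen from the local machine. Assumes an
# elevated session on a UEFI-based Windows Server 2022 host with Microsoft
# Defender (whose ELAM driver is WdBoot).
function Get-LocalHealthPosture {
    $result = [ordered]@{}

    # Early-launch anti-malware: the ELAM driver is a boot-start system driver.
    # Checking for Defender's WdBoot is an assumption; other products differ.
    $elam = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'"
    $result.ELAM = [bool]$elam -and $elam.StartMode -eq 'Boot'

    # BitLocker: the OS volume must be fully encrypted with protection on.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.BitLocker = ($osVol.VolumeStatus -eq 'FullyEncrypted') -and
                        ($osVol.ProtectionStatus -eq 'On')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # so treat that as "off".
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # Code Integrity: Device Guard reports the enforcement status of the
    # code integrity policy (0 = off, 1 = audit, 2 = enforced).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $result.CodeIntegrity = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2

    [pscustomobject]$result
}

$posture = Get-LocalHealthPosture
$posture

# A remote-access gateway would only admit a device that passes all four checks.
$healthy = -not ($posture.PSObject.Properties.Value -contains $false)
"Device healthy: $healthy"
```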
Domain Name System
Domain Name System is a very useful role, as it maps hostnames to IP
addresses. DNS lets you enter a web address in the web browser, which is much
easier than having to recall an IP address such as 199.212.232.002.
Fax Server
Simply put, the fax server sends and receives faxes. It allows users to manage
fax resources, which include jobs, fax devices, and reports, on your network. A
fax server can also be used to distribute and control fax resources from a
central location, which gives users more freedom to send and receive faxes.
This works much better than having to set up physical fax machines all around
the office. You can also set this role to deliver faxes to users through email;
in turn, they can send an email or even a document to the server and it will be
faxed out.
File and Storage Services
File and Storage Services contains various technologies that help in setting up
and managing one or more file servers, that is, servers that offer central
locations on the network where files can be stored and shared with users as you
see fit. If users need access to the same files and applications, or if your
organization considers centralized backup and file management very important,
one or more servers should be installed as a file server through the
installation of the File and Storage Services role and the appropriate role
services.
Note that this role is always installed by default, but without any additional
role services. This basic functionality ensures that you can use Server Manager
or Windows PowerShell to manage the storage functionality of the servers you are
using.
Some of the specific applications of this role are listed below:
● Storage Spaces: This is used to deploy highly available storage that is
resilient and can be scaled using economical, industry-standard disks.
● Folder Redirection and Roaming User Profiles: These redirect local folders
(e.g., the Documents folder) or the whole user profile to a network
location while caching the contents locally for speed and availability.
● Work Folders: This lets users store and access work files on personal PCs
and devices in addition to corporate PCs. Users gain a convenient place to
store work files and can access them from any location. Organizations keep
a measure of control over corporate data by storing the files on centrally
managed file servers and, optionally, by specifying user device policies.
● Data Deduplication: This reduces the disk space requirements of your files,
which also saves money.
● iSCSI Target Server: This is used to centralize software-based,
hardware-independent iSCSI disk subsystems in storage area networks.
Host Guardian Service
This role was first introduced in Windows Server 2016 for configuring guarded
hosts and running shielded virtual machines in Windows Server and in System
Center Virtual Machine Manager.
The Host Guardian Service role specifically provides the Attestation and Key
Protection services that Hyper-V needs in order to run shielded VMs. The
Attestation service validates a Hyper-V host as a "guarded host", which in turn
enables the Key Protection service to provide the transport key needed to
unlock and, in due course, run the shielded VMs.
Hyper-V
Installing the Hyper-V role installs a hypervisor on the Windows Server
operating system. On the Datacenter edition you can run an unlimited number of
VMs, and that edition can also work with shielded VMs.
Network Controller
The Network Controller is a role introduced in Windows Server 2016. It can be
installed easily with Server Manager or PowerShell, and it helps with the
management, configuration, and monitoring of both the virtual and physical
network infrastructure of the datacenter. With the Network Controller you can
also automate the configuration of network infrastructure rather than having to
configure devices and services manually. This role can also be installed on
virtual machines, with plans for high availability that can be scaled with
ease.
Communication between the Network Controller and the components of the network
is done through the southbound API (figure 1), which is used to discover
network equipment and detect service configurations.
The northbound API is used to communicate with the Network Controller to query
network information and use it for monitoring and troubleshooting. The same API
is used to make changes to the network configuration and to deploy new devices.
Print and Document Services
This role allows you to centralize print server and network printer tasks.
Using this role, you can also receive scanned documents from network scanners
and route them to a shared network resource, such as a Windows SharePoint
Services site or email addresses. All of these are basics, especially when it
comes to printing in black and white or printing double-sided.
Remote Access
This role enables you to do many different things. It covers several role
services (Always On VPN, Routing and Remote Access Service, and Web Application
Proxy), which can be deployed individually or together on the same server; for
instance, RRAS and DirectAccess can be deployed on the same server. The routing
function of this role provides functionality similar to that of a traditional
router, including network address translation and the other methods needed to
perform routing on an IP network.
Web Services
This role installs the Windows-based web server known as Internet Information
Services (IIS). IIS supports FTP services, can host various websites, and
supports server-side languages such as PHP and ASP.
Windows Deployment Services
With this role, managing images for servers and desktops is quite easy. If you
are not familiar with PXE, it enables a server with no operating system to boot
from the network so that a system administrator can configure it and choose an
operating system image for it. Images are saved as .wim files and can be kept
up to date with tools found on the system. Systems imaged by WDS boot from
their network interface card and obtain their settings from the WDS server.
Understanding Server Features
Without features, you probably would not be able to make use of roles, because
features give roles the support they need to perform their basic functions.
Features provide support ranging from management tools to encryption
functionality and much more. Many features are available in the Datacenter
edition of Windows Server 2022.
.NET 4.8
The Microsoft .NET Framework 4.8 is compatible with, and more up to date than,
the earlier frameworks such as 4, 4.5, 4.5.2, etc. The offline package can be
used where the web installer cannot be used due to a lack of internet
connection. This package is larger than the web installer and does not include
a language pack. Most recent applications make use of this feature; check with
your vendor to see whether your application supports .NET 4.8.
Background Intelligent Transfer Service
Background Intelligent Transfer Service transfers files in both the foreground
and the background, throttles the flow of transfers in order to preserve the
responsiveness of other network applications, and resumes transfers almost
immediately after an interruption such as disconnection from the network or a
restart of the computer.
With BITS, background transfers are efficient because it uses idle network
bandwidth to transfer files, increasing or decreasing the transfer rate
according to the amount of idle bandwidth available. For example, if a network
application suddenly begins to consume a lot of bandwidth, BITS reduces its
transfer rate so as to preserve the user's interactive experience.
If the user who started the transfer is still logged on and the network
connection is still up, BITS continues to transfer files. If the connection is
lost or the user logs off, BITS suspends the transfer. However, BITS does not
force a network connection. When the user logs on again or the network
connection is re-established, BITS resumes the transfer.
Note that this service is already installed by default with the Windows Server
2022 OS, so there is no need to install this feature except when an application
requires it in order to function.
BitLocker Drive Encryption
This feature deals strictly with encrypting the hard drive and its contents on
the systems where it has been enabled. It allows users to encrypt everything on
the drive, securing the data from theft or unauthorized access.
This feature improves file and system protection by mitigating unauthorized
data access. It uses the Advanced Encryption Standard algorithm with 128- or
256-bit keys. This feature combines the on-disk encryption process with special
key management techniques.
BitLocker makes use of a specialized chip known as a Trusted Platform Module
(TPM). The TPM is installed by the computer manufacturer and works alongside
BitLocker to protect user data. Along with a TPM, BitLocker can also lock the
startup process until the user enters a PIN or inserts a removable device such
as a flash drive that carries a startup key. It also creates a recovery key for
the user's hard drive in case the user forgets or loses their password.
Systems with much older TPM chips can still use BitLocker, though it is not as
user-friendly. Older TPM chips do not check the integrity of the system the way
newer TPM chips do.
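As an added example (not from the book), the following PowerShell session puts the pieces above together: it checks the TPM, encrypts the OS volume with a TPM key protector, adds a recovery password and escrows it in Active Directory. It assumes an elevated session on a domain-joined Windows Server 2022 host whose AD has been configured to accept BitLocker recovery information.

```powershell
# Added example (not from the book): check the TPM, protect the OS volume with
# BitLocker using the TPM as key protector, add a recovery password and escrow
# it in AD. Assumes an elevated session on a domain-joined Windows Server 2022
# host whose AD accepts BitLocker recovery information.
Import-Module BitLocker

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; BitLocker would need a startup key."
}

$osDrive = $env:SystemDrive   # normally C:

# Encrypt with AES-256 (XTS mode) and bind the key to the TPM so the drive only
# unlocks when the measured boot state has not been tampered with.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
                 -TpmProtector -SkipHardwareTest

# Add a numerical recovery password for the case where the TPM check fails
# (firmware update, board replacement) or the drive is moved to another machine.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# Escrow the recovery password in Active Directory rather than leaving it only
# on the host.
$rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId

# Report the resulting protection state.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{n='Protectors'; e={ ($_.KeyProtector.KeyProtectorType) -join ', ' }}
```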
BitLocker Network Unlock
This feature was first introduced in Windows Server 2012. The BitLocker
Network Unlock feature lets systems unlock BitLocker automatically as long as
the system is on the corporate network, avoiding the manual inputs or steps
that would otherwise have to be followed.
It works much like the TPM+startup key BitLocker method, except that the key
is sent over the network.
It is also worth noting that BitLocker Network Unlock depends on DHCP; ensure
that you have it running if you want to make use of BitLocker Network Unlock.
BranchCache
BranchCache is simply a wide area network (WAN) bandwidth optimization
technology present in Windows Server. BranchCache fetches content from the main
office or a hosted cloud content server and caches it at branch office
locations, enabling client computers to access the content locally instead of
over the WAN. This means the branch office's network traffic does not compete
with the main office's when retrieving files, which can significantly improve
bandwidth use.
When you turn on the BranchCache feature, it turns your server into a hosted
cache server or a BranchCache-enabled content server.
Containers
This feature is unique and was introduced in Windows Server 2016. If you need
to run Hyper-V containers or Windows Server containers, you need to have this
feature enabled. With this feature installed, you can move on to working with
container hosts, such as installing Docker and pulling base images.
XPS Viewer
This feature is installed by default on Windows Server 2022 with Desktop
Experience. It enables users to read XPS documents, assign permissions to them,
and sign XPS documents digitally.
WoW64 Support
This feature is installed by default on Windows Server 2022 and lets you run
32-bit applications on a 64-bit system.
Wireless LAN Service
This feature is used when your server needs to connect over a wireless
connection. It enables the server to locate wireless network adapters and use
wireless profiles and wireless connections.
WinRM IIS Extension
If a client uses WS-Management, as PowerShell does, this feature, once enabled,
lets you manage the server remotely.
Windows Server Backup
Backups are always necessary, as there is no guarantee that the system will not
malfunction or even crash at some point. Windows Server Backup is a built-in
backup feature. You can use it to perform full system backups, backups of
particular folders, and volume backups. If there is a need for a total
overhaul and a rebuild of the server, you can make use of the bare metal backup
option.
You can have backups saved either on a local drive or on a remote server, and
you can choose to run them manually or on a schedule so they run
automatically.
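As an added example (not from the book), the following script builds a scheduled Windows Server Backup policy covering bare metal recovery and the system state, stored on a remote share. It assumes the Windows Server Backup feature is installed (Install-WindowsFeature Windows-Server-Backup) and that \\backupsrv\wsb is a placeholder share writable by the supplied credential.

```powershell
# Added example (not from the book): create a scheduled Windows Server Backup
# policy with bare metal recovery and system state, stored on a remote share.
# Assumes the Windows Server Backup feature is installed and \\backupsrv\wsb
# (a placeholder share) is writable by the supplied credential.
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# "Bare metal" = everything needed to rebuild the server from scratch:
# OS volume, boot files and system state.
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState       -Policy $policy

# Remote target: a network share (placeholder name). Use New-WBBackupTarget
# -VolumePath for a locally attached disk instead.
$cred   = Get-Credential -Message 'Account with write access to the backup share'
$target = New-WBBackupTarget -NetworkPath '\\backupsrv\wsb' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# Run automatically every day at 21:00; pass several times for more runs a day.
Set-WBSchedule -Policy $policy -Schedule '21:00'

# Save the policy; this is what makes the schedule active.
Set-WBPolicy -Policy $policy -Force

# A manual, one-off run of the same policy.
Start-WBBackup -Policy $policy

# Check what the last run did.
Get-WBSummary | Select-Object LastBackupTime, LastBackupResultHR, LastSuccessfulBackupTime
```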
Windows Search Service
This feature extracts meaningful information, especially metadata, that can be
queried later. While indexing, the service can use a lot of CPU, but it
throttles itself and sometimes pauses indexing for a while if it would hurt the
user's experience. Once you take advantage of indexing, your users will very
likely notice improved performance when they search on the file server.
Windows Server 2022
PowerShell 5.1 is the version of Windows PowerShell that comes with Windows
Server 2022, though it can also be found in Windows Server 2019 and Windows
Server 2016. Most of the time this version is all that is needed to work with
the server. You can also choose to have the older components, which are the
PowerShell 2.0 Engine, PowerShell Web Access, and PowerShell Desired State
Configuration (DSC). PowerShell is discussed further in Book 6.
Windows Internal Database
Windows Server and its components use the Windows Internal Database to store
data. It can store relational data for services such as Active Directory Rights
Management Services, Windows Server Update Services, and Windows System
Resource Manager. When you configure any of these services, the WID database is
installed automatically. If you need to access the database, SQL Server
Management Studio (SSMS) can be used. Note that this feature was not designed
to be a replacement for SQL Server; it exists only to support roles and features
in the Windows Server operating system.
In this chapter, you have learned about the configuration of the various roles
and features that are part of Windows Server. You have also familiarized
yourself with new terms such as Active Directory Certificate Services (ADCS),
Active Directory Domain Services (ADDS), and Active Directory Federation
Services (ADFS).
CHAPTER 2
CONFIGURING SERVER HARDWARE
There is always a need to make certain configurations, whether you are working
with a new server or an old one. Some of these configurations have more to do
with the applications you want to install, while others have to do with the
server hardware itself.
Checking that the hardware of a new server is functioning properly is one of the
first things you must do once it is installed. There must be a driver present
for each piece of hardware; that way you can be sure that none of the devices
has a problem.
Troubleshooting hardware issues on an older server should likewise be one of
the first things you do when you encounter a server that has issues.
Working with Device Manager
Device Manager shows a graphical representation of the hardware installed on
the server. This tool is used when there is a need to view and manage hardware
devices and their drivers. You need to be logged on to the server as an
administrator or as a member of the Administrators group if you have to add or
remove devices or configure device properties in Device Manager.
First introduced with Windows 2000 Server, its strength lies in its simple but
effective interface, which makes it very easy to locate hardware devices that
might be having problems.
To open Device Manager, all you have to do is
● Right-click on the Start menu.
● Choose Device Manager from the menu.
Configuring Device Manager
The View menu in Device Manager provides different ways of looking at the
hardware in the system. The hardware can be grouped in whatever way you see
fit, which can make troubleshooting easier.
If you click on the View menu, you will be presented with the following
options:
● Devices by Type: Under this view, hardware is grouped according to its
type. If, for instance, there are several network interface cards on your
server, they are grouped together as Network Adapters, just as various hard
drives are grouped as Disk Drives.
● Devices by Connection: Before a device in the server can do any work, there
has to be a form of connection. This view groups devices by their mode of
connection. For instance, most of the storage devices will be displayed
under the PCI bus, since that is the main way they are connected.
● Devices by Container: In this view, devices are grouped by their container
IDs. These may be assigned to a device, or a device might inherit one from
its parent object. A server, for instance, is a parent container and can
have items such as communication ports, ATA channels, and so on under it.
Checking for devices that are not performing optimally
With Device Manager, you can also check for devices that are not functioning at
their best. Such a device might be broken or not properly connected.
Here are the two indicators to look for:
● A device that is broken or not properly connected, and hence not working at
all, is shown with a black arrow pointing downwards. This indicates that
the device is disabled and must be fixed before it can be used again.
● On the other hand, a device might be faulty but still working a little,
though not optimally; such a device is shown with an orange triangle with
an exclamation mark in the middle. This kind of device will not need as
much work to fix as the example above.
Device Manager is of great use to every system administrator because it makes
it easy to spot devices that are no longer functioning properly: it
automatically expands such devices when it is opened, so the administrator
notices them quickly and can carry out the necessary assessment to get the
device fixed. When you open the Properties screen of a faulty device, you can
learn more about what the problem is even before you decide how to
troubleshoot. If it is a driver problem, you can search to check whether a
driver for the device is available; if not, you can contact the vendor and
download a driver that fits the device.
There are a couple of resources that can be viewed in Device Manager. Having a
good understanding of them can help you improve your work as a system
administrator. Conflicts in these resources can cause a device to malfunction,
such as a freeze or, at worst, a total crash. I will mention a few of them
below:
Memory
Random Access Memory (RAM) is what lets devices and applications run fast and
smoothly without any hitches. Often, when a device does not function optimally,
the very first thing that should be checked is the memory assigned to that
device. In Device Manager, you can check the memory range assigned to a
particular device on the Resources tab for that device.
Input/Output
From basic computing knowledge, we know that input devices are those used to
enter information into the computer (e.g., keyboard, scanner, mouse) while
output devices are those used to display information (e.g., monitor, printer).
With the aid of Device Manager you can also check the addresses a device uses
for input and output by looking at its I/O range.
Can you see all the devices?
I mentioned earlier that Device Manager is something like a hub that lets you
see connected devices and helps you reach devices that might not be properly
connected. That said, not all devices can be seen in Device Manager; devices
that are not plug and play, for instance, will not be displayed. But what if
they malfunction, you might ask? You can still view these devices; simply
● Click on the View option > Show Hidden Devices
There are times when drivers for devices that are no longer in use start
causing problems. When a device is removed, its drivers are often left in the
system and can begin to create issues.
To view such previously used devices and get to their drivers, open a Command
Prompt or a PowerShell window as an administrator and enter the command below:
SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
(This is the Command Prompt form; in PowerShell the equivalent is
$env:DEVMGR_SHOW_NONPRESENT_DEVICES=1.)
In the same window type devmgmt.msc to open Device Manager. When Device Manager
opens,
● select the View option and then choose Show Hidden Devices. All the hidden
devices will then be displayed; you can then find the device whose driver is
causing a problem and fix it.
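As an added example (not from the book), the following PowerShell functions do from the command line what the two Device Manager checks above do in the GUI: list devices with a problem code and list "ghost" devices that are no longer present but still have a driver installed, together with the INF the driver came from. It assumes an elevated session on Windows Server 2022.

```powershell
# Added example (not from the book): find faulty and "ghost" (non-present)
# devices the way Device Manager does, and locate the driver package behind
# each one. Assumes an elevated PowerShell session on Windows Server 2022.

# Devices with a problem code: the same ones Device Manager flags with a
# black arrow (disabled) or an orange triangle (error).
function Get-ProblemDevice {
    Get-PnpDevice -PresentOnly | Where-Object Status -ne 'OK' |
        Select-Object FriendlyName, Class, Status, Problem, InstanceId
}

# Devices that are no longer attached but still have a driver installed.
# Without -PresentOnly, Get-PnpDevice also returns these (Present = False).
function Get-GhostDevice {
    Get-PnpDevice | Where-Object { $_.Present -eq $false } |
        ForEach-Object {
            # DEVPKEY_Device_DriverInfPath names the INF (oemNN.inf) the
            # driver was installed from
            $inf = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_DriverInfPath' `
                        -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                Class        = $_.Class
                InstanceId   = $_.InstanceId
                DriverInf    = $inf
            }
        }
}

Get-ProblemDevice | Format-Table -AutoSize
Get-GhostDevice   | Format-Table -AutoSize

# The same environment variable the book uses, in PowerShell syntax, so that
# View > Show Hidden Devices also lists non-present devices in the GUI.
$env:DEVMGR_SHOW_NONPRESENT_DEVICES = 1
Start-Process devmgmt.msc

# Once you know the oemNN.inf behind a stale driver, the built-in pnputil
# removes the package; run it only after confirming no present device still
# uses that INF:
#   pnputil /delete-driver oemNN.inf /uninstall
```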
Having Control over Individual device settings
In Device Manager, you can check the settings of all the devices that are
connected to the server.
You can either
● Locate the device in the Device Manager view and double-click it, which
displays the settings of the device, or
● Right-click on the device and choose the Properties option.
There are about four different tabs for each device, some of which I will
describe below:
● General: In this tab, you can find the simple, basic information about the
device, such as its name, its location in the system, and its manufacturer.
There is usually a status box below that tells you whether your device is
working properly or not, which is especially useful when troubleshooting.
● Driver: In this tab, you have information about the installed driver and
everything else that has to do with it, such as the driver's name, version,
and provider. The Driver tab has other buttons, such as Driver Details,
which tells you more about the driver, including the location of its files,
and Update Driver; if you click this button, the driver can be updated
either via the internet or by browsing for the driver software if you know
the exact location on your system where the updated driver can be found.
● Uninstall Device: As mentioned earlier, you might have a device whose
hardware has already been removed but whose driver is still installed and
is now causing problems for the system. You can uninstall the whole device
at once by clicking on this button.
Within Device Manager, some devices also have a Power Management tab. With
this tab, the computer can take control of the operation of the device.
The options of this tab are as follows:
● Allow This Device to Wake the Computer: If a device has this checkbox, it
can wake the computer when it is asleep. For example, an input device such
as a mouse has this function; once it is attached to the system and the
system is asleep, simply moving the mouse brings the system back to life.
● Allow the Computer to Turn Off This Device to Save Power: You can use this
option for devices that would otherwise drain your battery power.
Using the Add Hardware Wizard
The Add Hardware Wizard is there to help when you have a device whose driver
cannot be found, either because the device is so old that the driver has become
obsolete or because the device is so new that the driver is not yet available.
Either way, you can launch the wizard manually and then have the particular
driver you need downloaded from the manufacturer's website for the process to
complete.
Below are the instructions for installing the driver.
● Ensure you are logged in as an administrator, then right-click on the Start
menu and click on Windows PowerShell.
● Enter the command hdwwiz.exe and press the Enter key.
● Click the Next button.
● Choose the radio button for Search for and install the hardware
automatically. Once that has been done, click Next.
● The wizard will search, and if it finds new hardware it will indicate what
it has found; you can then install the driver.
● If, on the other hand, the wizard does not find any hardware, it will say
so and ask you to choose a hardware category. Choose the one you want and
click the Next button.
● Select the manufacturer and the model of your device and click the Next
button. The wizard will then install the driver.
Performing Hard-Drive Related Tasks
The hard drive is a very important component, and it is used by almost
everything you do with the server. Important items such as the data an
organization needs and the operating system itself live on the hard drive. In
today's world, there are two major types of storage: hard disk drives and
solid-state disks.
I will discuss both of them briefly:
● Hard Disk Drive: Also known as a hard drive or HDD, this is a magnetic
storage medium for a computer. Hard disks are flat circular platters made
of either glass or aluminum and coated with magnetic material. Hard disks
can store terabytes of information. They have high speeds and are also
quite affordable. Being mechanical drives, they can wear out, and with
recent developments in technology they can easily become obsolete. The
term hard disk is also used when referring to the total internal storage of
a computer.
● Solid State Disk: The Solid-State Disk (SSD) performs much the same
function as the hard drive, but in its case data is stored on
interconnected flash-memory chips that keep data stored even when no power
is flowing through them. These chips differ from those used in USB drives
and are much faster and more reliable. SSDs are comparatively smaller than
HDDs, which gives manufacturers more flexibility. If an application on your
server needs constant, steady high performance, an SSD is capable of
meeting its needs.
Which disks would you prefer?
There are currently two major types of disks: basic and dynamic disks. Almost all users prefer to work with basic disks, but if you need more features than a basic disk can offer then you should consider opting for a dynamic disk.
A dynamic disk has support for the following:
● RAID 0: This is a process wherein a body of data is divided into blocks and spread (striped) over several different storage devices, such as hard disks or solid-state disks. This can enhance write performance, but at least two disks are needed to do it. If one disk is lost, the whole volume is lost, because each disk holds part of the data.
● Spanned: A dynamic spanned volume contains two or more sub-disks on one or more disks. With a spanned volume, you can combine unallocated sections of space from multiple dynamic disks into just one large volume. You would do this if you have two or more small hard drives but need just one big one.
● Disk Mirroring: This is a form of disk backup in which anything written to one disk is simultaneously written to the other disk. This provides a degree of data security, since no data is lost if either disk becomes faulty.
● RAID 5: This option gives you the best of both worlds, combining safety with excellent performance. RAID 5 is a special version of RAID in that it makes use of something known as parity. Parity ensures that if one disk goes down there is no data loss, but there will certainly be data loss if more than one disk goes down.
Storage area networks
A storage area network (SAN) is a high-speed network that interconnects collections of storage devices and shares them among various servers. Ease of access to storage has become a major concern in the world of computing. The traditional direct-attached disk deployment around individual servers can be quite simple and cost-friendly for most enterprise applications, but the disks, and the data on them, are tied to the physical server over a dedicated interface such as Serial Attached SCSI.
A SAN answers the demands of advanced enterprises by providing a separate, highly scalable, high-performance network designed to interconnect various servers and storage devices. These storage devices can be arranged and controlled as cohesive tiers. With a storage area network, an organization can treat its storage as one collective resource that is replicated and protected centrally, and additional technologies like data deduplication and RAID can maximize storage capacity and improve its efficiency.
There are basically two main networking technologies and interfaces that can be used with a storage area network:
● Fibre Channel: This is a very high-speed, low-latency technology that offers data rates of up to about 128 Gbps over metropolitan-area distances of about 6 miles or 10 km using optical fiber cabling and interfaces. It offers the ability to keep block-level storage in just one location while servers are distributed across various buildings or cities. Due to its speed and reliability, Fibre Channel is the more widely used of the two. Although it provides very fast data transfer, it is more limited by distance than iSCSI. As a network interface, FC supports several topologies, including point-to-point and switched fabrics much like modern Ethernet.
● iSCSI: This is another type of network for connecting computers with shared storage. iSCSI can run at speeds of about 100 Gbps and offers several simplifications for data center operators. In place of the special-purpose network that FC requires, iSCSI carries SCSI block data and command packets over commonplace Ethernet and TCP/IP networking technology. This allows iSCSI storage networks to use the same cables, switches and other network components used in any Ethernet network.
If you are asking whether you can have both FC and iSCSI in use, the answer is yes. Some companies sell a kind of storage device known as Unified Storage. These devices support both iSCSI and Fibre Channel.
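Because iSCSI rides on ordinary Ethernet, anything on that network can attempt to log in to the target, so the initiator side should at least authenticate with CHAP. The following is an added example, not code from the book, showing a Windows Server initiator connecting to a target with one-way CHAP. The portal address 10.0.0.50, the IQN fragment storage01, the CHAP name srv01 and the environment variable holding the secret are all constructed placeholders.

```powershell
# Added example (not from the book): connect the Windows iSCSI initiator to a target
# over plain Ethernet, authenticating with one-way CHAP (the target verifies us).
# Assumptions: portal 10.0.0.50, target IQN containing "storage01", CHAP name "srv01"
# and the secret in $env:ISCSI_CHAP_SECRET are all placeholders for your own values.

# The Microsoft iSCSI Initiator service must run and start with the OS.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Register the portal; the initiator performs a SendTargets discovery against it.
New-IscsiTargetPortal -TargetPortalAddress '10.0.0.50' -TargetPortalPortNumber 3260

# Pick the target we were assigned from the discovered list.
$target = Get-IscsiTarget | Where-Object NodeAddress -like '*storage01*'   # constructed IQN fragment

# Log in with CHAP. The secret is supplied out of band (12-16 bytes required by
# the initiator); never hard-code it in a script that ends up in source control.
$chapSecret = $env:ISCSI_CHAP_SECRET
Connect-IscsiTarget -NodeAddress $target.NodeAddress `
                    -IsPersistent $true `
                    -AuthenticationType ONEWAYCHAP `
                    -ChapUsername 'srv01' `
                    -ChapSecret $chapSecret

# Verify the session, then show the LUN, which now appears as an ordinary disk.
Get-IscsiSession | Select-Object TargetNodeAddress, IsConnected, IsPersistent
Get-Disk | Where-Object BusType -eq 'iSCSI' |
    Select-Object Number, FriendlyName, Size, PartitionStyle
```

-IsPersistent makes the initiator reconnect after a reboot, which matters for a volume the server boots services from. Use MUTUALCHAP instead if you also want the initiator to verify the target's identity.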
Storage spaces direct
This is a software-defined storage solution that lets users share storage resources in a converged IT infrastructure. It combines the internal storage drives of a cluster of physical servers into one collection of storage.
Storage Spaces Direct is a core technology included in the Datacenter edition of Windows Server 2022; it was introduced in Windows Server 2016.
Storage Spaces Direct creates a software-defined storage solution by combining the internal storage drives of a cluster of standard servers. To begin, you connect servers with internal storage over Ethernet to form a cluster; there is no need for special cabling or a storage fabric. When Storage Spaces Direct is enabled on this cluster, it combines all the storage drives from each server into one collection of virtually shared storage.
If you want to make use of Storage Spaces Direct across several servers, you need to start by installing the Failover Clustering and Hyper-V roles on all of the servers. The bare minimum is 10Gb Ethernet between the clustered systems, and it is also advisable to use remote direct memory access (RDMA).
Setting up the storage is quite easy. You begin by creating a storage pool, then you create logical disks, and then volumes.
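The role installation, validation and enablement just described is usually done from PowerShell, since it has to be repeated on every node. The following is an added example, not code from the book; the node names S2D-N1 to S2D-N4, the cluster name S2D-CLUSTER and the address 10.0.0.100 are hypothetical, and it assumes the RDMA-capable NICs are already configured.

```powershell
# Added example (not from the book): install the required roles on every node,
# validate, form the cluster and enable Storage Spaces Direct.
# Assumptions: nodes S2D-N1..S2D-N4, cluster name and static IP are placeholders;
# run from one node as a domain account that is a local administrator on all nodes.

$nodes = 'S2D-N1', 'S2D-N2', 'S2D-N3', 'S2D-N4'

# Every node needs Failover Clustering and Hyper-V (plus their management tools).
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name Failover-Clustering, Hyper-V -IncludeManagementTools -Restart
}

# Run the cluster validation, including the Storage Spaces Direct tests, before
# creating anything; the HTML report lists disks, NICs and firmware that fail.
Test-Cluster -Node $nodes -Include 'Storage Spaces Direct', 'Inventory', 'Network', 'System Configuration'

# Create the cluster without claiming any disks; S2D takes them in the next step.
New-Cluster -Name 'S2D-CLUSTER' -Node $nodes -NoStorage -StaticAddress '10.0.0.100'

# Enable S2D: pools the internal drives of all nodes into one cluster-wide pool
# and sets up cache and capacity tiers based on the media types it finds.
Enable-ClusterStorageSpacesDirect -CimSession 'S2D-CLUSTER' -Confirm:$false

# Check the result: the new (non-primordial) pool and the disks it now owns.
Get-StoragePool -CimSession 'S2D-CLUSTER' -IsPrimordial $false |
    Select-Object FriendlyName, HealthStatus, Size, AllocatedSize
Get-PhysicalDisk -CimSession 'S2D-CLUSTER' |
    Select-Object FriendlyName, MediaType, BusType, Usage, HealthStatus
```

Read the Test-Cluster report before running New-Cluster: a disk that shows up with an unexpected BusType or a NIC without RDMA will be much cheaper to fix now than after the pool exists.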
Creating Storage pool
Below is the straightforward way to create a storage pool:
● From Server Manager, choose File and Storage Services on the left side of the menu.
● Click on Storage Pools.
● Right-click on Primordial and click on New Storage Pool.
● You will then see a screen asking you to specify the name of the storage pool; enter your preferred name and then click Next.
● You can choose all the disks or pick just some of them.
● Change the Allocation drop-down box on the last drive to Hot Spare and then click Next.
● If you have followed the procedure accurately you will now be on the Confirm Selections screen; choose Create.
● Finally, click Close.
Logical disk
After the storage pool has been created, the next step is to create a logical disk.
Below are step-by-step instructions for creating a logical disk:
● Locate Pool 1, right-click on it and then click on New Virtual Disk.
● Choose Pool 1 and then click OK.
● On the Before You Begin screen, click Next.
● On the Specify the Virtual Disk Name screen, enter a name for the disk.
● Click Next.
● On the Specify Enclosure Resiliency screen you will see a checkbox named Enable Enclosure Awareness; leave it unchecked.
● Choose the Simple option and then click Next.
● Choose Thin for the Provisioning Type and click Next.
● On the Specify the Size of the Virtual Disk screen, tell it how big you want the disk to be, and then click Next.
● On the Confirm Selections page, click Create.
● If everything succeeds, click Close.
Volume
Your Storage Spaces Direct setup won't be complete without creating a volume. Below are the steps for creating one:
● Locate Disk 1, right-click on it, and click on the New Volume option.
● On the Before You Begin screen, click Next.
● On the Select the Server and Disk screen there should be just one server and disk at this stage; proceed by choosing Next.
● On the Assign to a Drive Letter or Folder screen, choose a drive letter or specify a folder and click Next.
● On the Select File System Settings screen, choose the file system settings and then click Next.
● On the Confirm Selections screen, click Create if all looks okay.
● If the Completion screen also looks okay, click Close.
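The pool, virtual disk and volume wizards above map one-to-one onto Storage cmdlets, and doing it that way also lets you pick the resiliency layouts discussed under basic and dynamic disks (striping, mirroring, parity) by name. The following is an added example, not code from the book, for a single server with spare physical disks; the pool and disk names follow the wizard's, the drive letter S: and the size are placeholders, and it chooses Mirror rather than the wizard's Simple layout so that one disk failure does not take the volume down.

```powershell
# Added example (not from the book): pool -> virtual disk -> volume in PowerShell.
# Assumptions: a single server with spare disks that can be pooled; 'Pool 1',
# 'Disk 1', drive letter S: and 500GB are placeholders for your own values.

# 1. Only disks with CanPool = True (in the primordial pool) are eligible.
$candidates = Get-PhysicalDisk -CanPool $true
$candidates | Select-Object FriendlyName, MediaType, Size, CanPool

# 2. Create the pool from all but the last disk, then add that one as a hot spare
#    (the "Allocation: Hot Spare" drop-down in the wizard).
$subsystem = Get-StorageSubSystem -FriendlyName '*Windows Storage*'
New-StoragePool -FriendlyName 'Pool 1' `
                -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks ($candidates | Select-Object -SkipLast 1)
Add-PhysicalDisk -StoragePoolFriendlyName 'Pool 1' `
                 -PhysicalDisks ($candidates | Select-Object -Last 1) -Usage HotSpare

# 3. Create the virtual disk. ResiliencySettingName is the layout choice:
#    'Simple' = striping, no redundancy (RAID 0 in the text above)
#    'Mirror' = disk mirroring
#    'Parity' = parity striping (RAID 5 in the text above)
#    Thin provisioning allocates pool space only as data is written.
$vdisk = New-VirtualDisk -StoragePoolFriendlyName 'Pool 1' `
                         -FriendlyName 'Disk 1' `
                         -ResiliencySettingName Mirror `
                         -ProvisioningType Thin `
                         -Size 500GB

# 4. Initialize the new disk, carve one partition with a drive letter, format it.
$disk = $vdisk | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
$partition = New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter S
Format-Volume -Partition $partition -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false

# 5. Confirm: pool health, the disk's layout, and the mounted volume.
Get-StoragePool -FriendlyName 'Pool 1' | Select-Object FriendlyName, HealthStatus, OperationalStatus
Get-VirtualDisk -FriendlyName 'Disk 1' | Select-Object FriendlyName, ResiliencySettingName, ProvisioningType, HealthStatus
Get-Volume -DriveLetter S | Select-Object DriveLetter, FileSystemLabel, FileSystem, SizeRemaining
```

Swap Mirror for Parity when capacity matters more than write speed; with a hot spare in the pool, either layout repairs itself onto the spare when a member disk fails.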
Making the best use of Storage Replica
Storage Replica is a Windows Server technology that replicates volumes between servers or clusters to help with disaster recovery. It allows the creation of stretch failover clusters that span two different sites while keeping all of the nodes in sync.
Storage Replica supports both synchronous and asynchronous replication:
● Synchronous replication mirrors data within a low-latency network site with crash-consistent volumes, ensuring that no data is lost at the file-system level in the event of a failure.
● Asynchronous replication mirrors data across sites beyond metropolitan ranges over network links with higher latencies, but there is no guarantee that the two sites hold identical copies of the data at the moment a failure occurs.
After a disaster, all data is already present elsewhere, so there is zero possibility of data loss. The same applies before a disaster: Storage Replica gives you the ability to move workloads to safer locations ahead of a failure once you have been given even a little warning that one is about to happen, and again there will be no data loss.
There are, however, some limitations to Storage Replica in Windows Server 2022 Standard edition:
● It supports only volumes of up to 2TB, whereas Datacenter has no size limitation whatsoever.
● There can be just one replication partnership per volume, whereas Datacenter allows an unlimited number of partnerships per volume.
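The following is an added example, not code from the book, of a server-to-server partnership: it measures the link first, starts in synchronous mode, waits for the initial copy, and then shows the switch to asynchronous mode for a high-latency link. The server names SR-SRC and SR-DST, the volumes D: (data) and L: (log) and the group names are hypothetical.

```powershell
# Added example (not from the book): server-to-server Storage Replica.
# Assumptions: SR-SRC and SR-DST (placeholder names) are domain-joined, each has a
# data volume D: and an SSD-backed log volume L:; run as a domain administrator.

$src = 'SR-SRC'; $dst = 'SR-DST'

# Install the feature on both sides.
Invoke-Command -ComputerName $src, $dst -ScriptBlock {
    Install-WindowsFeature -Name Storage-Replica -IncludeManagementTools -Restart
}

# Measure first: Test-SRTopology samples real I/O for a few minutes and reports
# whether the link bandwidth and the log volume can sustain synchronous mode.
Test-SRTopology -SourceComputerName $src -SourceVolumeName 'D:' -SourceLogVolumeName 'L:' `
                -DestinationComputerName $dst -DestinationVolumeName 'D:' -DestinationLogVolumeName 'L:' `
                -DurationInMinutes 5 -ResultPath 'C:\Temp'

# Synchronous partnership: a write is acknowledged to the application only after
# the destination has it in its log, so a source failure loses no committed data.
New-SRPartnership -SourceComputerName $src -SourceRGName 'RG-Src' `
                  -SourceVolumeName 'D:' -SourceLogVolumeName 'L:' `
                  -DestinationComputerName $dst -DestinationRGName 'RG-Dst' `
                  -DestinationVolumeName 'D:' -DestinationLogVolumeName 'L:' `
                  -ReplicationMode Synchronous -LogSizeInBytes 8GB

# Wait for the initial block copy; the destination replica reports
# ContinuouslyReplicating once the two volumes are in sync.
do {
    Start-Sleep -Seconds 30
    $replica = (Get-SRGroup -ComputerName $dst -Name 'RG-Dst').Replicas | Select-Object -First 1
    "Remaining: $($replica.NumOfBytesRemaining) bytes, status $($replica.ReplicationStatus)"
} until ($replica.ReplicationStatus -eq 'ContinuouslyReplicating')

# For a link beyond metro distances, switch to asynchronous: writes are then
# acknowledged locally, so the destination may trail by seconds at a crash.
Set-SRPartnership -SourceComputerName $src -SourceRGName 'RG-Src' `
                  -DestinationComputerName $dst -DestinationRGName 'RG-Dst' `
                  -ReplicationMode Asynchronous
```

The destination volume is not mounted for use while it is a replica; reversing the partnership with Set-SRPartnership (swapping source and destination) is how you bring the second site online after a failure.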
Using Storage Quality of Service
Storage Quality of Service offers a way to centrally monitor and manage storage performance for virtual machines using the Hyper-V and Scale-Out File Server roles. The feature automatically improves fairness in the use of storage resources between different virtual machines that share the same file server cluster, and it also allows policy-based minimum and maximum performance goals to be configured in units of normalized IOPS.
Storage Quality of Service supports the deployment scenarios below:
● Hyper-V using a Scale-Out File Server: This scenario needs both a storage cluster that is a Scale-Out File Server cluster and a compute cluster that has at least one server with the Hyper-V role enabled.
● Hyper-V using Cluster Shared Volumes: This scenario needs a compute cluster that has the Hyper-V role enabled and uses Cluster Shared Volumes (CSV) for storage.
You can put Storage Quality of Service to the test by setting up a failover cluster and then creating a cluster shared volume. Once this is done, the Storage Quality of Service resource is created automatically, and you can review it under the Cluster Core Resources.
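Creating and applying a policy is what turns the feature from monitoring into enforcement, and it is where the two policy types differ. The following is an added example, not code from the book, for the Cluster Shared Volumes scenario; the cluster name HV-CLUSTER and the VM name APP01 are placeholders, and the IOPS figures are made up.

```powershell
# Added example (not from the book): a Storage QoS policy on a Hyper-V cluster
# that uses Cluster Shared Volumes, applied to one VM's virtual hard disks.
# Assumptions: cluster 'HV-CLUSTER' and VM 'APP01' are placeholders; run on a node.

# Policies live in the cluster. Dedicated: every disk using the policy gets its own
# 500-2000 IOPS budget. Aggregated would make all such disks share a single budget.
$policy = New-StorageQosPolicy -CimSession 'HV-CLUSTER' -Name 'App-Tier' `
                               -PolicyType Dedicated -MinimumIops 500 -MaximumIops 2000

# Attach the policy to each VHD of the VM (run on the node that currently owns it).
Get-VM -Name 'APP01' | Get-VMHardDiskDrive |
    Set-VMHardDiskDrive -QoSPolicyID $policy.PolicyId

# Observe the flows: one row per VHD with the live IOPS and the policy bounds,
# which is how you spot a noisy neighbour being throttled or a VM being starved.
Get-StorageQosFlow -CimSession 'HV-CLUSTER' |
    Sort-Object InitiatorIOPS -Descending |
    Select-Object InitiatorName, InitiatorNodeName, InitiatorIOPS, MinimumIops, MaximumIops, Status |
    Format-Table -AutoSize

# The core resource the text mentions, as seen from the cluster.
Get-ClusterResource -Cluster 'HV-CLUSTER' | Where-Object Name -like '*QoS*' |
    Select-Object Name, ResourceType, State
```

A Status of InsufficientThroughput on a flow means the minimum could not be honoured, which points at the storage rather than the policy.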
Trusted Platform Modules
The Trusted Platform Module (TPM) is a passive device that helps carry out security-related procedures. You can think of it as a crypto-processor with the capability to generate, store and process cryptographic keys for security-related operations. These operations include attestation and verification, so that malicious code can be quickly noticed and stopped. If you want a very easy BitLocker experience, you need a TPM chip of version 1.2 or earlier. If your system doesn't have a TPM, there is no need to worry: you can still use BitLocker, but you will need to use Group Policy to bypass the TPM requirement.
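The following is an added example, not code from the book, showing how the TPM and BitLocker fit together: it reads the TPM state, seals the OS volume key to the TPM when one is usable, falls back to a startup key otherwise (which only works once the Group Policy mentioned above permits BitLocker without a TPM), and always adds and escrows a recovery password. The startup-key drive letter E: is a placeholder.

```powershell
# Added example (not from the book): inspect the TPM, then protect the OS volume.
# Assumptions: run elevated on the server; E:\ (startup key USB drive) is a placeholder.

$tpm = Get-Tpm
$tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned

# The TPM specification version is exposed by the WMI class, not by Get-Tpm.
(Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion

if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # TPM protector: the volume key is sealed to the platform's measured boot state,
    # so the disk only unlocks on this machine with unmodified early-boot components.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
} else {
    # No usable TPM: a startup key on removable media. Enable-BitLocker refuses this
    # until the "Require additional authentication at startup" policy allows
    # BitLocker without a compatible TPM.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -StartupKeyProtector -StartupKeyPath 'E:\'
}

# Always add a recovery password: a firmware update or TPM clear changes the
# measurements and the TPM will then refuse to unseal the key.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'

# Escrow it to Active Directory (needs the matching BitLocker backup policy in place)
# rather than leaving the only copy on the machine it protects.
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

ProtectionStatus stays Off until encryption has progressed far enough and the protectors are active; check it again after the first reboot.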
Performing Printer-Related Tasks
Printers are useful in every organization. There is always a need to print a document, or several documents, each day. Even though files are better stored as soft copies, i.e., on flash drives, discs, hard drives, etc., there can still be a need for a hard copy for a closer look, and of course a printer will be needed for that. It can be quite frustrating to try to print a document and not get through with it.
In smaller organizations, printers are most often connected with a USB cable, and with improvements in technology some can be connected via Bluetooth, which makes them easy to share and gives access to more than one user with ease. However, some very large organizations have printers on their Local Area Network (LAN). These organizations use a print server to manage their printing: users send the document to the server's print queue and it automatically sends the job to the printer over the network.
Printer Install Wizard
The Printer Install Wizard helps you install printers with ease. All you need to do is:
● Open Settings.
● Choose Devices.
● Select Printers and Scanners and then choose the Add a printer or scanner option; the wizard will then launch.
Print Server Role
The print server role first has to be installed and then configured. Below I will walk you through both processes.
Installing Print Server role
● Open Server Manager and then click on Manage > Add Roles and Features.
● On the Before You Begin screen, click Next.
● On the Select Installation Type screen, choose Role-based or feature-based installation, and then click Next.
● On the Select Destination Server screen, click Next.
● Scroll down and then choose Print and Document Services.
● Choose Add Features when you are asked to.
● Click Next.
● On the Select Features screen, choose Next.
● This will take you to the Print and Document Services screen; choose Next again.
● Choose Print Server on the Role Services screen and then click Next.
● On the Confirm Installation Selections screen, choose Install.
● Once the installation process has completed, simply click Close.
Once you have completed the installation process, you should then configure the Print Server role. Follow the steps below:
● Open Server Manager, click on Tools and then choose Print Management.
● Right-click on the print server and then click on Add Printer.
● Choose the option Add an IPP, TCP/IP, or Web Services printer by IP address or hostname, and then click Next.
● Enter the IP address and then click Next.
● Name your printer as preferred and then click Next.
● Once the drivers have been installed, click Finish and leave the wizard.
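The same role install and printer-by-IP-address setup, as an added example that is not code from the book: it uses the PrintManagement cmdlets that ship with the role. The printer address 10.0.0.20, the queue name Floor2-MFP and the location string are constructed; the driver name shown is an in-box Microsoft class driver and stands in for the vendor driver you would actually use.

```powershell
# Added example (not from the book): install the Print Server role, add a standard
# TCP/IP port for a network printer and publish a shared queue on it.
# Assumptions: printer at 10.0.0.20 and queue name are placeholders; the driver
# name must match a package already present in the driver store on this server.

Install-WindowsFeature -Name Print-Services -IncludeManagementTools

# A standard TCP/IP port pointing at the printer (the "by IP address" wizard option).
Add-PrinterPort -Name 'IP_10.0.0.20' -PrinterHostAddress '10.0.0.20'

# See which drivers are already staged, then stage the one this queue will use.
Get-PrinterDriver | Select-Object Name, Manufacturer, MajorVersion
$driverName = 'Microsoft PCL6 Class Driver'   # in-box example; substitute the vendor driver
Add-PrinterDriver -Name $driverName

# Create and share the queue. A shared queue also hands its driver to clients via
# Point and Print, so only share queues whose driver you have vetted.
Add-Printer -Name 'Floor2-MFP' -DriverName $driverName -PortName 'IP_10.0.0.20' `
            -Shared -ShareName 'Floor2-MFP' -Location 'Floor 2, east wing'

# Verify the queue and its port.
Get-Printer -Name 'Floor2-MFP' | Select-Object Name, DriverName, PortName, Shared, PrinterStatus
Get-PrinterPort -Name 'IP_10.0.0.20' | Select-Object Name, PrinterHostAddress, PortNumber
```

Get-Printer is also the quickest way to audit a print server for queues that were shared without anyone remembering why.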
Performing Other Configuration Tasks
The major configuration settings have been discussed above. Below are some of the other configurations you might need to perform:
Mouse
● Open the Settings menu.
● Go to Devices and then click on Mouse.
● The Mouse screen should be displayed at this point.
● You can then configure it as best suits you: the button configuration, and how you prefer the scroll wheel to function.
Keyboard
● Open the Settings menu.
● Go to Devices and then click on Typing.
● Right-click on the keyboard you want to configure and then click on Keyboard settings.
● The Typing screen will then be displayed.
● You can then configure your keyboard according to your preference.
Language
● Open the Settings menu.
● Choose Time and Language and then choose Language.
● You will be taken to a screen from where you can add new languages, change the keyboard layout to match your typing habits, and set a default language.
Sound
● Open the Settings menu.
● Choose System and then choose Sound.
● You will be taken to a screen where you can alter the settings of your sound devices and recording devices. There is also an option to troubleshoot the device from this screen.
Fonts
All users have their own preferences when it comes to fonts. Some like a simple font that lets them read everything on their screen with ease, while others like their fonts in a rather stylish manner. Whatever the case, you can always have the option you prefer.
To make changes to your fonts:
● Open the Settings menu.
● Choose Personalization.
● Select Fonts.
This chapter covered everything to do with Device Manager and the tools you will use frequently in Windows Server. You have learned about memory and the basic amount of memory needed for the server to function properly. You have also learned how to configure other key components such as the keyboard, printer, mouse, etc.
CHAPTER 3
USING SETTINGS MENU
With the improvements Microsoft has made, we now have a Settings menu in place of the Control Panel that was used to configure almost everything on Windows Server: setting the date and time, changing the way the server looks, controlling Windows updates, and setting up various accessibility options. All of this can now be done from the Settings menu.
I will walk you through the Settings menu and all the configuration that can be done within it.
Accessing the Settings Menu
There are basically two ways to get to the Settings menu:
● Select the Start menu and then choose the Settings icon.
● Right-click on the Start menu and then click on Settings.
Understanding Settings Menu Items
All the useful tools that you will need as a system administrator can be found in the Settings menu. As established earlier, it is best to use the Settings menu rather than the old model of configuration, the Control Panel.
Devices
This menu allows you to gain access to devices such as printers, keyboards,
scanners, the mouse as well as Bluetooth devices.
Network and Internet
With the Network and Internet menu you can view your network connection, check whether there are any available Wi-Fi connections so you can connect your server to one, and see the options for an Ethernet connection, a virtual private network and proxy connections. You can also check on network adapters and set up a dial-up internet connection. There is also an airplane mode that stops all of the wireless communication you might be connected to.
Personalization
This menu gives you the ability to take complete ownership of how the server looks. Here you can choose a theme, either one already installed or one you download; change the background of the server (most people like to use their own pictures for this); activate the touch keyboard option if your server supports it; adjust taskbar behaviors; change fonts, installing another to make the server look more stylish or simply changing the size of the one in use; and set a lock screen so that when the server sleeps and wakes again it requires a password before granting access to the user.
Time and Language
In this menu you can set the date and time to suit you; you can have the time set automatically or set it manually by choosing the time zone. Choose your preferred language here for both display and speech; there are many languages to choose from, including the variety of English you are more familiar with (British or American), and you can also choose a country or region. Finally, in this menu you can set everything to do with speech, voice controls and so on, which will help you use the server more effectively.
System
There are a lot of things you can do in this menu option. Some of them
include;
● Making some changes to the display which include adjusting the level of
brightness, activating the night light option, and also configuring the
display profiles.
● You can make certain adjustments to sound; adjust the level of volume of
both the output and input devices, you can also choose where the sound
from the server is played which can be either through the speakers or
headphones if you have one connected.
● You can configure system notifications, including notifications from apps, and use Focus Assist to control when you receive them. You can also choose between banners and sound, or have both.
● In this menu you can also adjust how power is consumed and how it affects your battery. You can set a definite time for the server to sleep, optimize the server based on how you use it, and save power by setting a battery saver mode. You can also check battery usage, so you know exactly when you are consuming the most battery and which apps consume the most.
Some of the other things that can be done in this menu include; configuration of
storage devices, discoverability and receiving files from close locations,
troubleshooting, activation with the use of a product key and also configuring a
remote desktop.
Apps
With this menu you can view installed apps, control where apps can be installed from, and uninstall them. You can also choose which apps start up automatically, and configure the apps to be used for particular websites.
Ease of Access
The Ease of Access menu has all the necessary accessibility tools that are also
embedded in Windows OS.
You can get a lot of things done in this menu such as;
● Having your experience with the server optimized if you are either blind
or visually impaired or you are deaf or have a form of hearing loss.
● Configure the pointer of your mouse to either make it larger or have the
color change from the default white color.
● Setting up the screen reader or narrator.
● Using high contrast settings for visibility's sake.
● Set up a keyboard that can be used on the screen by just clicking with the
use of the mouse (Onscreen keyboard).
● Including additional settings on the keyboard.
Update and Security
This menu is where Windows Update is configured, and where Windows security features such as the firewall, antivirus, browser and app control are managed. You can also activate Windows here, or use developer mode if you are not ready for Windows activation or do not have the license key yet.
The Settings menu has embedded in it all the tools and features you need to be able to use the server with ease. They include personalization, which makes you more comfortable using the server, time and language settings, applications, and Ease of Access.
CHAPTER 4
WORKING WITH WORKGROUPS
Workgroups help with the sharing of data between systems. Some networks might not need a domain controller running Active Directory but will still need to share certain things. This is where the workgroup option comes into play.
All through this chapter, I will tell you more about workgroups and how you can create them. You will also learn about Peer Name Resolution: how it works and its relationship with workgroups.
Knowing What a Workgroup Is
A workgroup is a peer-to-peer network setup that shares resources but does not belong to an Active Directory domain. In a workgroup, all of the servers on the network are physically connected to either a router or a switch. Each server that belongs to a workgroup can access shared resources on the network, such as files or printers, and can also share its own resources on the network. Although a workgroup is a group of servers connected to a network, note that a workgroup is not the same as a network. A server can be connected to a network without necessarily being a member of a specific workgroup. Also, you can have more than one workgroup on the same network.
If you want the setup to work properly, all of the systems must share the same workgroup name. By default in Windows, a system that doesn't belong to a domain belongs to a workgroup named WORKGROUP.
Note that you always need to set up access for users and resources on each of the servers they might need to connect to. A workgroup can be termed "every man for himself", as there is no central control. All the systems in the workgroup are both a server and a client at the same time. A system functions as a client when it wants to access resources on some other PC. The PC that has the needed resource in turn acts as a server for the purposes of authentication and authorization.
Workgroups have the advantage of being very simple to use as long as they are not large. There is no need to worry about policies or anything becoming complex, as all the settings are done locally. There is also no basic need for servers as such, since you can create a workgroup using just client systems. This can be a perfect option. I suggest you try it out almost immediately.
Knowing If a Workgroup Is Right for You
As much as a workgroup seems like an inexpensive option, and everyone likes to cut down on cost, you have to be sure a workgroup is the right option for you before setting out to create one. For example, if you have just a very small network with fewer than about 12 systems, the workgroup route might be the best option for you, but if you have a network with over 200 systems then you cannot take the workgroup route; recall that I stated earlier that a workgroup is best used when the number of associated systems is not large.
Within a small organization where basically all you do is share files, databases and printers, a workgroup can take care of all of that. Take, for example, an office of just three people: James, Azpilicueta and Mount. If Mount wants to use James' system, his username and password must first be created on James' system. Likewise, if James needs Mount's system, his username and password must be created on that system. If both James and Mount are to use Azpilicueta's system, they both need to have their usernames and passwords created on Azpilicueta's system. This saves the organization from having to set up a domain, and also saves the cost of hiring a system administrator who knows how to handle Active Directory.
With this kind of arrangement, it will be quite difficult for a workgroup to be of use in an organization with lots of employees. Larger organizations need to have a domain and hire a system administrator for things to work properly.
Comparing Centralized and Group Sharing
One of the most important steps in preparing a server is determining how the data created will be stored. There are basically two ways this is done: the centralized method or the group sharing method.
Centralized sharing means having all of the data in just one place. Data can be arranged into folders so that different projects are kept separate, but all of it still sits under one main folder, or on a specially created folder or hard drive.
Group sharing means the data is arranged in different locations. The arrangement is based on who created the data and who needs to use it next. Every workstation should have an inbox that holds the files that person needs to work on next. Each should also have a folder for private data, files that no one else will need.
Centralized sharing offers more benefits than group sharing. For instance, it is much easier to find files when everyone on the network knows where the file should be. Also, centralized files can be backed up and restored easily. It is also easier to maintain adequate security on files, as there is no need to open many areas of the network to provide common access.
Group sharing is also useful; don't get the notion that it isn't, as it provides basic workgroup functions. The group sharing method can be very useful in workflow scenarios where data flows from one person to another. Only the two people involved in the data transfer need access to where the data is stored, so this method reduces the number of people who can access the data and thereby improves its security. Consider both options and make the best choice based on your needs.
Configuring a Server for a Workgroup
Preparation is key. You will need to take into consideration all of the elements of your workgroup and then make a plan for the network it needs. At this point you will need to configure the server, which means setting up the users, groups and resources that the server will use. The method employed in setting up the server will be based on the plan you have created for the workgroup. Once you have created this plan, adhere to it as strictly as possible. There might be instances when you have to make certain changes; that is fine.
You will also need to add the groups, users and resources that might be shared. Before you begin to do any of these, you should rename the workgroup to something meaningful to you.
Changing the name of your workgroup
As earlier mentioned, the default name of the workgroup is WORKGROUP. You
should change this name to something more meaningful.
Below are step-by-step instructions for changing the name of a workgroup with ease:
● Open Server Manager and then select Local Server.
● Select the WORKGROUP link that can be found beneath the computer name.
● Select the Change button.
● Change the workgroup to whatever name suits you. A message welcoming you to the workgroup will then be displayed.
● Click OK. A message asking you to restart the server will then be displayed.
● Click OK.
● In the System Properties dialog box, choose Close.
● When a prompt is displayed asking you to restart the server, click Restart Now; the server will restart and the name will have been changed.
Adding groups
After renaming the workgroup, add groups to it. You might need a group for
the writers who are responsible for creating new documents; you could name
such a group Unique Writers. You might also need a group of project managers
in addition to the one you already created. The main reason groups matter so
much is that they tell you instantly what role each member plays.
If you want your workgroup to work well, create the groups before the users.
Users are assigned to groups, not groups to users, so create as many groups as
you think you will need before you start creating users.
A number of default groups cover needs common to many operating systems.
The most powerful is the Administrators group. There are also operator groups,
such as Print Operators, that give access to particular server features to those
who need them.
Follow these steps to create a group:
● Open Server Manager and select Tools > Computer Management.
● Select Local Users and Groups.
● Double-click Groups.
● Select More Actions on the right side of the screen and then click New Group.
● Enter a name in the Group Name field and then click Create.
Creating users and adding users to the group
As noted earlier, the group should be created first; once that is done you can
add a user. When you create a user account you can grant it permissions
directly, but adding the user to a group that already has the right permissions
is much simpler.
Follow these steps to create a user and add the user to the group:
● Open Server Manager, choose Tools, and then click Computer Management.
● Choose Local Users and Groups.
● Double-click Users.
● Select More Actions on the right side of the screen and then click New User.
● Enter the user's names and password in the fields displayed.
● Click Create.
● Click Close to close the New User dialog box.
● Right-click the user you just created and select Properties.
● Select the Member Of tab and click Add.
● In the Enter the Object Names to Select field, enter the name of the group you created earlier and then click Check Names.
● Click OK to close the Select Groups dialog box.
● Click OK to close the user's Properties dialog box.
Adding shared resources
The things most often shared in an organization that uses a workgroup are files
and printers. Follow these steps to share files:
● Open Server Manager, click Tools, and then select Computer Management.
● Choose Shared Folders.
● Double-click Shares.
● Select More Actions on the right side of the screen and then click New Share.
● On the first screen, Welcome to the Create a Shared Folder Wizard, click Next.
● On the Folder Path screen, click Browse.
● Go to the folder you want to share.
● Click OK to close the Browse for Folder dialog box.
● Click Next.
● Choose the options you prefer and then click Next.
● Click the Customize Permissions radio button and then click Custom.
● Click Add.
● Enter the name of the group you created earlier and then click Check Names.
● Click OK.
● In the Permissions for Workstation Users section, set the permissions you want for the share.
● Click OK to close the Customize Permissions dialog box.
● Click Finish.
● If everything went well, a screen stating Sharing Was Successful is displayed. Click Finish again.
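The same workgroup setup (rename, group, user, share) can be scripted. This is an added example, not the book's own procedure; the workgroup name FINANCE-WG, the user jdoe, and the folder D:\Shares\Drafts are made-up values.

```powershell
# Added example, not from the book: the workgroup setup described above done
# in PowerShell rather than the Server Manager wizards. The workgroup name,
# group, user, and folder path are made-up values; substitute your own.

# Rename the workgroup (the Change button in System Properties). Takes effect
# after the restart the GUI also asks for.
Add-Computer -WorkgroupName 'FINANCE-WG'

# Create the group before the user, as the text recommends.
if (-not (Get-LocalGroup -Name 'Unique Writers' -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name 'Unique Writers' -Description 'Creates new documents'
}

# Create the user with a temporary password, then require a change at first
# logon (the wizard's check box). Rights come from group membership, not from
# permissions granted to the account directly.
$tempPassword = Read-Host -AsSecureString -Prompt 'Temporary password for jdoe'
New-LocalUser -Name 'jdoe' -FullName 'Jane Doe' -Password $tempPassword | Out-Null
net user jdoe /logonpasswordchg:yes | Out-Null
Add-LocalGroupMember -Group 'Unique Writers' -Member 'jdoe'

# Share a folder to that group only (the Customize Permissions step). Change
# access for the group and no Everyone entry, so only members reach the share.
# Share permissions sit on top of the folder's NTFS permissions, so check both.
$path = 'D:\Shares\Drafts'
New-Item -Path $path -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Drafts' -Path $path -ChangeAccess 'Unique Writers' `
    -FolderEnumerationMode AccessBased

# Verify exactly who has share-level access.
Get-SmbShareAccess -Name 'Drafts' |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```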
Managing Workgroups
The longer a user spends with an organization, the more that user's role and
activities are likely to change. A promotion might mean the user is given access
to more sensitive resources or is added to another group entirely. If a user
forgets a password, you will need to give that user a temporary password so he
or she can get back into the system.
The sections below explain the two main techniques for configuring users
within a workgroup.
Making use of the User Account window
The User Accounts applet in Control Panel gives access to user account
information. The task list on the left side of the window shows the tasks you
can take on, such as changing environment variables.
The User Accounts applet always opens your own account. As an administrator
you need to be able to manage other people's accounts, so the first thing to do
is click Manage Another Account. Windows then shows a dialog box in which
you can either manage an existing account or create a new one.
To reach the User Account window, follow these steps:
● Select the Start menu and then choose the Settings icon.
● Choose Accounts.
● Click Other Users.
● Click the user you created earlier.
Modifying users with the Computer Management console
When you need to perform tasks that the User Account applet does not offer,
you have to work with the Computer Management console.
Follow these steps:
● Open Server Manager, click Tools, and then click Computer Management.
● Double-click Local Users and Groups to expand it.
● Double-click Users to display the list of users.
● Right-click the account you created earlier and click Properties.
The Properties dialog box has a General tab with basic user information, such
as the name and description, and the password options for the user. Note that
you cannot change the user's password itself on this tab; the User Account
applet is the better tool for that.
Examining the Peer Name Resolution Protocol
The Peer Name Resolution Protocol (PNRP) is the basis for connections
between peers in a workgroup. Every server on the network can recognize every
other server on that network as it actually is: you should never end up
connecting to server A at one moment and server B at another because the two
happen to share a name or the network causes confusion. A reliable connection
means that all users reach the same machine every time.
Workgroups often run into trouble with the standard methods of machine
identification, such as the Domain Name System (DNS). That is the main
reason Microsoft created PNRP: to overcome the difficulties that arise with
identification.
The benefits of PNRP include:
● A distributed identity that does not depend on a central server.
● Support for as many names as the network needs.
● Name publication without third-party products or third-party servers.
● Real-time name updates.
● Support for naming almost every type of device, not just servers.
● Protection of published names, so you need not worry about someone else taking over your name.
CHAPTER 5
PROMOTING YOUR SERVER TO DOMAIN CONTROLLER
Most organizations use domains. A domain is often described as the solution to
all the networking problems a server can run into. In a domain there is just one
name and password, and that name and password get you into all the servers
and printers on the network. All the account information lives on a central
server called the domain controller, which is usually locked away in a
data-center room.
A domain controller keeps track of who is allowed to log on, who is logged on,
and what each person is permitted to do on the network. When you log on to
the domain from your server, the domain controller first checks your
credentials and then either grants or denies you access.
Almost all domain networks have at least two domain controllers holding the
same information, so that if one server goes down the other can step in. This
matters a great deal, because if the domain controller is not working properly
the whole network becomes useless.
Understanding Domains
In Microsoft networks, domains are usually referred to as Active Directory
Domain Services (AD DS) domains. Every AD DS domain holds various
database objects, which may be printers, users, or computers. A user object's
attributes, for example, record the person's name, telephone number, email
address, location, and some other technical details.
AD DS lets network administrators build a large hierarchy of servers. A
multinational corporation with tens of thousands of employees in offices all
over the world can be brought into a single Active Directory domain, with its
servers spread across hundreds of locations worldwide and connected by
wide-area network links. A group of domains is usually called a tree; huge
networks can have more than one tree, and a collection of trees is called a
forest.
The objects in an Active Directory domain are organized in a hierarchy, much
like the hierarchy of folders on a hard drive. Most companies base their
directory-tree designs on the way the company itself is organized, using
departments and divisions as building blocks. Others base their designs on
geographic locations, or on a combination of both. Here are some terms
commonly used with AD DS:
Domains: As described earlier, a domain has its own database of the objects it
contains. All of its objects use that database, along with whatever security
settings are attached to the domain. A domain can also be linked to another
domain in what is called a trust relationship, which lets users in one domain
access resources in the other.
Forests: The forest is the top-level object. It holds the whole of the Active
Directory, including its trees and domains. The forest root domain is the first
domain created in a forest; all others are created later, and the forest normally
shares the root domain's name.
Organizational Units: These are simply containers in which objects are stored
in Active Directory. You use them to group objects together. Managing objects
is much easier when similar objects are grouped, because they will often need
the same configuration or settings.
Domain trees: A domain tree is simply a collection of domains. For example,
the namespace for a domain tree might be rccg.org, and a domain beneath the
tree would be something like ademola.rccg.org. This illustrates that domains
share the namespace of their domain tree.
Preparing to Create a Domain
By now you should have made up your mind that you will be creating a
domain. There are certain things you need to do before you actually create it.
One very important task, especially when you are working with a new server, is
to make sure that every available security update is installed and that your
antivirus software is up to date. This server will be your central authentication
server, so it is only sensible to make sure it is as well protected as possible.
Many people dislike planning and skip it, because planning is not as exciting as
installing or configuring the server. Note, though, that the more effort you put
into planning, the better the server's configuration and settings will turn out.
You need to work out how you want the domain to look and which components
you want in it. This is most often done when a new server is being installed,
but even if you are working with an existing server, planning is a key step: it
ensures that everything you need is in place, so you are not left stranded
during installation or configuration.
You may need to ask yourself questions such as: will this new domain replace
an existing one? If so, what are the current functional levels of the forest and
of the domain?
Functional Levels
Functional levels determine the capabilities of an Active Directory Domain
Services domain or forest. They also determine which Windows Server
operating systems can run on the domain controllers in the domain or forest.
Note, however, that functional levels are not affected in any way by the
operating systems running on the workstations and member servers joined to
the domain or forest. If you are creating a new installation of Active Directory,
choose the highest functional levels available.
When you set up Active Directory Domain Services, set both the domain and
forest functional levels to the highest values your environment can support.
That lets you use as many AD DS features as you want. When you deploy a
new forest, you are prompted to set the forest functional level as well as the
domain functional level.
Functional levels can prevent a server from becoming a domain controller if
its operating system does not meet the functional level. Functional levels are
set at the forest level and at the domain level. A domain can run at a higher
functional level than its forest, but it can never run at a lower one. Once a
functional level has been raised, domain controllers at a lower functional level
can no longer be added. In short, the domain functional level can never be
below the forest functional level, although it can be equal to or higher than it.
Domain functional level
You must be a member of the Domain Admins group to raise the domain
functional level. When you need to raise it, do so on the domain controller that
holds the PDC Emulator role; it cannot be done from the other domain
controllers. To check the current domain functional level, open PowerShell and
run the command Get-ADDomain.
Forest functional level
To raise the forest functional level you must be a member of the Enterprise
Admins group. The forest functional level must be raised from the domain
controller that holds the Schema Master role.
As with the domain functional level, open PowerShell and run the command
Get-ADForest to check the current forest functional level.
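The two cmdlets named above also reveal which domain controller holds each role, which is what you need to raise the levels from the right place. This is an added example, not the book's own script; it assumes the ActiveDirectory module is available and uses -WhatIf so nothing is changed until you remove it.

```powershell
# Added example, not from the book: checking and raising functional levels with
# the Get-ADDomain / Get-ADForest cmdlets the text names. Run on a domain
# controller or a host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# The two role holders the text says each level must be raised from.
"Domain level : {0}  (PDC Emulator : {1})" -f $domain.DomainMode, $domain.PDCEmulator
"Forest level : {0}  (Schema Master: {1})" -f $forest.ForestMode, $forest.SchemaMaster

# Rule from the text: the domain level is never below the forest level. The
# mode enums are numbered chronologically, so compare their integer values.
if ([int]$domain.DomainMode -lt [int]$forest.ForestMode) {
    Write-Warning 'Domain functional level is below the forest level; investigate before continuing.'
}

# Raise both to Windows Server 2016, the highest level Windows Server 2022
# offers. -Server targets the correct role holder; drop -WhatIf to apply.
Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain `
    -Server $domain.PDCEmulator -WhatIf
Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest `
    -Server $forest.SchemaMaster -WhatIf
```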
Performing Domain Configuration Prerequisites
Now that the planning stage is behind you, you are ready to install the Active
Directory Domain Services role on a new server. You should then install the
Domain Name System (DNS) and the Dynamic Host Configuration Protocol
(DHCP). If you are installing AD DS on an existing server, make sure
everything is in place: check that there are no unsupported roles or features
that you need to uninstall first. For AD DS to perform at its best, you need DNS
and DHCP installed.
Unsupported roles and features
If you find roles or features that are not supported on a system where you will
be installing AD DS, there are basically two ways to deal with them:
● If the roles and features are currently in use, back up the system, uninstall the roles and features, install AD DS, and then reinstall the other roles and features.
● If the roles and features are not currently in use, simply uninstall them.
Installation and configuration of Domain Name System
The Domain Name System (DNS) is one of the major foundations of the
internet, yet most people outside networking do not realize they use it every
day when they check their email or browse the web on their smartphones.
In its simplest form, DNS is a directory that matches names to numbers. The
numbers are the IP addresses that servers use to communicate with one
another. DNS is also a basic requirement for Active Directory to work properly.
If you do not have DNS installed on this system but you do have it elsewhere in
your environment, that is fine; if you do not have it anywhere in your
environment, you must install it.
Before you begin installing the DNS role, make sure your server has a static IP
address rather than a dynamic one. If the address is not static you will get a
warning, and although you can still go ahead with the installation, once your
clients start using the server they may at some point lose their connection to it,
because a dynamic IP address can change.
Follow these instructions to install the Domain Name System:
● Open Server Manager, click Manage, and then choose Add Roles and Features.
● On the Before You Begin screen, click Next.
● On the Select Installation Type screen, click Next.
● On the Select Destination Server screen, click Next.
● On the Select Server Roles screen, choose DNS Server.
● Click Add Features in the dialog box that is displayed.
● Click Next.
● On the Select Features screen, click Next.
● On the DNS Server screen, click Next.
● Click Install.
● Click Close once the installation has completed.
Once the Domain Name System is installed, the next step is to configure it.
Follow these instructions:
● Open Server Manager, click Tools, and then choose DNS.
● Click the arrow next to the name of your server to expand it.
● Right-click Forward Lookup Zones and choose New Zone.
● On the Welcome to the New Zone Wizard screen, click Next.
● On the Zone Type screen, leave Primary Zone selected and click Next.
● On the Zone Name screen, enter the name of the zone. This is usually the name of the domain.
● Click Next.
● On the Zone File screen, leave Create a New File with This File Name selected and click Next.
● On the Dynamic Update screen, leave Do Not Allow Dynamic Updates selected and click Next.
● On the Completing the New Zone Wizard screen, click Finish.
● Right-click Reverse Lookup Zones and choose New Zone.
● On the Welcome to the New Zone Wizard screen, click Next.
● On the Zone Type screen, leave Primary Zone selected and click Next.
● On the Reverse Lookup Zone Name screen, make sure IPv4 Reverse Lookup Zone is selected and click Next.
● On the next Reverse Lookup Zone Name screen, enter the Network ID.
● Click Next.
● On the Zone File screen, leave Create a New File with This File Name selected and click Next.
● On the Dynamic Update screen, leave Do Not Allow Dynamic Updates selected and click Next.
● On the Completing the New Zone Wizard screen, click Finish.
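The static-address check and both zones can be done from PowerShell, which also makes the dynamic-update choice explicit. This is an added example, not the book's own procedure; corp.example and 192.168.10.0/24 are placeholder values.

```powershell
# Added example, not from the book: the DNS role install and zone creation from
# this section in PowerShell. 'corp.example' and 192.168.10.0/24 are
# placeholders; substitute your own zone name and network ID.

# Precondition from the text: a DNS server must not sit on a DHCP-assigned
# address, or clients lose it when the lease changes. Stop if any IPv4 address
# on a non-loopback adapter came from DHCP.
$dhcpAddrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' -and $_.InterfaceAlias -notlike 'Loopback*' }
if ($dhcpAddrs) {
    throw "Assign a static address first; DHCP-assigned: $($dhcpAddrs.IPAddress -join ', ')"
}

# Install the role (the Add Roles and Features wizard) with its management tools.
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Forward lookup zone: a file-backed primary zone, as in the New Zone Wizard.
# DynamicUpdate None matches 'Do Not Allow Dynamic Updates'. On a standalone
# (non-AD-integrated) zone the only alternative is NonsecureAndSecure, which
# lets any host overwrite records, so leave it off unless you truly need it.
Add-DnsServerPrimaryZone -Name 'corp.example' -ZoneFile 'corp.example.dns' -DynamicUpdate None

# Reverse lookup zone for the IPv4 network ID entered in the wizard.
Add-DnsServerPrimaryZone -NetworkId '192.168.10.0/24' `
    -ZoneFile '10.168.192.in-addr.arpa.dns' -DynamicUpdate None

# Verify both zones exist and how they are configured.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Format-Table ZoneName, ZoneType, IsReverseLookupZone, DynamicUpdate -AutoSize
```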
Installing and configuring Dynamic Host Configuration Protocol
Once you have installed and configured the Domain Name System, the next
step is to install and configure DHCP. Dynamic Host Configuration Protocol
(DHCP) is a client/server protocol that automatically provides an Internet
Protocol (IP) host with an IP address and related configuration such as the
subnet mask and the default gateway. DHCP lets hosts obtain the TCP/IP
configuration information they need from a DHCP server.
Every device on a TCP/IP-based network must have a unique IP address in
order to reach the network and its resources. Without DHCP, IP addresses have
to be configured manually for new servers and for servers moved from one
subnet to another, and the addresses of machines removed from the network
have to be reclaimed manually.
With DHCP, this whole process is automated and managed centrally. The DHCP
server keeps a pool of IP addresses and hands one out to any DHCP-enabled
client when it starts on the network. Because the addresses are dynamic rather
than static, an address that is no longer in use returns to the pool for
reallocation.
Follow these steps to install the DHCP server role:
● Open Server Manager, click Manage, and then choose Add Roles and Features.
● On the Before You Begin screen, click Next.
● On the Select Installation Type screen, click Next.
● On the Select Destination Server screen, click Next.
● On the Select Server Roles screen, choose DHCP Server.
● Click Add Features in the dialog box that pops up.
● Click Next.
● On the Select Features screen, click Next.
● On the DHCP Server screen, click Next.
● Click Install.
● Click Close after the installation has completed.
Once the installation is done, configure DHCP by following these instructions:
● In Server Manager, click the flag and select Complete DHCP Configuration.
● In the DHCP Post-Install Configuration Wizard, click Commit.
● When it completes, click Close.
● In Server Manager, click Tools and then DHCP.
● Click the arrow next to the name of the server and then the arrow next to IPv4.
● Right-click IPv4 and select New Scope.
● On the Welcome to the New Scope Wizard screen, click Next.
● On the Scope Name screen, you can leave the description blank; click Next.
● On the IP Address Range screen, enter the range of addresses you want DHCP to manage, including the subnet mask.
● Click Next.
● On the Add Exclusions and Delay screen, enter any addresses you do not want the scope to assign.
● Click Next.
● If you are fine with the default number of days on the Lease Duration screen, click Next.
● On the Configure DHCP Options screen, make sure Yes, I Want to Configure These Options Now is selected and click Next.
● Optionally enter the IP address of the default gateway, then click Next.
● On the Domain Name and DNS Servers screen, enter the name of the domain you created earlier on the DNS server.
● Click Next.
● On the WINS Servers screen you can optionally enter the name or IP address of a WINS server on your network; then click Next.
● Leave the default answer of Yes when asked whether you want to activate the scope, and click Next.
● On the Completing the New Scope Wizard screen, click Finish.
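The post-install configuration and the New Scope Wizard map onto a handful of DhcpServer cmdlets. This is an added example, not the book's own script; the 192.168.10.0/24 scope, the gateway, the DNS server address, and corp.example are placeholders.

```powershell
# Added example, not from the book: installing and configuring DHCP as the
# wizard steps above do. The scope, gateway, DNS server address and domain
# name are placeholders; substitute your own.
$dnsServer = '192.168.10.5'     # this server's static address, also its DNS server
$domain    = 'corp.example'

Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Post-install configuration (the 'Complete DHCP configuration' flag): create
# the DHCP Administrators and DHCP Users local groups, authorize the server in
# Active Directory so domain clients accept its leases, then restart the service.
Add-DhcpServerSecurityGroup
Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$domain" -IPAddress $dnsServer
Restart-Service -Name DHCPServer
# Clears the Server Manager notification the flag step would otherwise leave.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
    -Name ConfigurationState -Value 2

# New Scope Wizard: range and subnet mask, then the lease duration (8 days is
# the wizard default). -State Active matches the wizard's default answer of Yes.
Add-DhcpServerv4Scope -Name 'Office LAN' -StartRange 192.168.10.50 -EndRange 192.168.10.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Add Exclusions: keep addresses reserved for static hosts out of the pool.
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.10.0 -StartRange 192.168.10.50 -EndRange 192.168.10.60

# Configure DHCP Options: default gateway (option 3), DNS servers (6) and the
# domain name (15). The WINS step is optional in the wizard and skipped here.
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -Router 192.168.10.1 `
    -DnsServer $dnsServer -DnsDomain $domain

# Verify the scope and the options clients will receive.
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, StartRange, EndRange, LeaseDuration, State
Get-DhcpServerv4OptionValue -ScopeId 192.168.10.0 | Format-Table OptionId, Name, Value
```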
Configuring the Server as a Domain Controller
A domain controller is a server that responds to security authentication
requests and verifies users on the domain of a computer network. It can be
thought of as a gatekeeper that lets hosts reach domain resources. It also
enforces security policies, stores user account information, and authenticates
users for a domain.
To create a Windows domain controller you install and then configure Active
Directory Domain Services. Active Directory Domain Services is best installed
through the graphical user interface (GUI).
Follow these steps:
● Open Server Manager, select Manage, and then choose Add Roles and Features.
● On the Before You Begin screen, click Next.
● On the Select Installation Type screen, click Next.
● On the Select Destination Server screen, click Next.
● On the Select Server Roles screen, choose Active Directory Domain Services.
● Click Add Features in the dialog box that is displayed.
● Click Next.
● On the Select Features screen, click Next.
● On the Active Directory Domain Services screen, click Next.
● Click Install.
● Once the installation has completed, click Close.
Now that Active Directory Domain Services is installed, it is time to configure
it. The steps below explain how:
● In Server Manager, click the flag and then click Promote This Server to a Domain Controller.
● On the Deployment Configuration screen, choose Add a New Forest. Look through the other options and pick the one that best fits your needs.
● Enter the root domain name and click Next.
● On the Domain Controller Options screen, choose the functional levels you decided on earlier and click Next.
● On the DNS Options screen, click Next.
● On the Additional Options screen, click Next.
● On the Paths screen, keep the default locations and click Next.
● On the Review Options screen, click Next.
● Once everything is complete, click Install.
With Active Directory installed and configured, you should now look at creating
user accounts. The main reason for installing Active Directory Domain Services
in the first place is authentication.
Follow these steps to create the first user account in Active Directory:
● Open Server Manager, click Tools, and then click Active Directory Users and Computers.
● Click the arrow next to your domain name to expand the domain and see the available options.
● Select Users.
● Right-click Users, choose New, and then click User.
● Fill in the First Name and Last Name fields.
● Enter your preferred user logon name.
● Click Next.
● Enter a temporary password for the user.
● Enter the password again to confirm it.
● Leave the User Must Change Password at Next Logon box checked and click Next.
● Click Finish.
● Double-click the new user.
● Select the Member Of tab.
● Click Add, enter DnsAdmins, and click OK.
● Click Add again, enter DHCP Administrators, and click OK.
● Click OK once more to leave the user's configuration.
Sharing resources is one of the main things users do. Now that you can create
user accounts, let's look at how users share resources on a domain. Follow
these steps:
● Right-click the Users OU, choose New, and then click Group.
● Enter your preferred name for the group and click OK.
● Double-click the new group and then click the Members tab.
● Click Add.
● Enter the name of the user and click OK.
● Click OK again to leave the group's configuration screen.
● Click the File Explorer icon at the bottom of the screen.
● Choose This PC and then pick the volume on which the shared folder should live.
● Double-click the volume to open it.
● Right-click a blank area and choose New Folder.
● Name the folder Files.
● Right-click the Files folder, select Give Access To, and then click Specific People.
● Enter the name of the group you created earlier in the box and click Add.
● Click the arrow next to Read and choose Read/Write.
● Click Share.
● Your folder is now listed on the shared screen; click Done to finish.
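The promotion, first user, group, and share can all be scripted, which also shows where the functional levels chosen earlier are applied. This is an added example, not the book's own procedure; corp.example, CORP, jdoe, Project Team, and D:\Files are placeholders, and the two parts run on either side of the reboot that Install-ADDSForest triggers.

```powershell
# Added example, not from the book: promoting this server to the first domain
# controller of a new forest, then creating the first user, a group and a share
# as the wizard steps above do. 'corp.example', 'CORP', 'jdoe', 'Project Team'
# and D:\Files are placeholders; substitute your own.

# --- Part 1: run before the reboot -------------------------------------------
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
# The Directory Services Restore Mode password; keep it somewhere safe, it is
# what gets you into the DC if Active Directory will not start.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode administrator) password'
# WinThreshold is the Windows Server 2016 level, the highest the wizard offers.
# -InstallDns matches the DNS Options screen; the server reboots when done.
Install-ADDSForest -DomainName 'corp.example' -DomainNetbiosName 'CORP' `
    -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# --- Part 2: run after the reboot, logged on as a domain administrator --------
Import-Module ActiveDirectory
$temp = Read-Host -AsSecureString -Prompt 'Temporary password for jdoe'
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName 'jdoe@corp.example' -AccountPassword $temp `
    -ChangePasswordAtLogon $true -Enabled $true

# The text places the user in DnsAdmins and DHCP Administrators. Both groups
# can reconfigure core infrastructure, so in practice keep them for admin
# accounts only.
Add-ADGroupMember -Identity 'DnsAdmins' -Members 'jdoe'
Add-ADGroupMember -Identity 'DHCP Administrators' -Members 'jdoe'

# Sharing: a security group in the Users container, the user as a member, and
# a folder shared to the group with Read/Write (Change) access.
New-ADGroup -Name 'Project Team' -GroupScope Global -GroupCategory Security `
    -Path 'CN=Users,DC=corp,DC=example'
Add-ADGroupMember -Identity 'Project Team' -Members 'jdoe'
New-Item -Path 'D:\Files' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Files' -Path 'D:\Files' -ChangeAccess 'CORP\Project Team'

# Verify the memberships that were just granted.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object -ExpandProperty Name
```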
Wrapping Things Up
If you have followed along diligently to this point, you have installed DNS,
DHCP, and of course Active Directory, and you are on the right track. It is
very important that your systems are registered in DNS; this lets your users
remember system names rather than IP addresses. With DNS handling name
resolution, you can use a name and the system will automatically work out what
the corresponding IP address is.
CHAPTER 6
MANAGING DNS AND DHCP WITH IP ADDRESS MANAGEMENT
If you work in a fairly small organization, managing the Domain Name System
(DNS) and the Dynamic Host Configuration Protocol (DHCP) can be quite
easy. As the organization grows, this becomes increasingly difficult, because
you have to manage many DNS and DHCP servers.
To address this, Microsoft developed a solution to the management problem in
larger organizations: IPAM. IPAM (IP Address Management) brings network
services such as DNS and DHCP together in a single application so they can be
managed from one central place.
IPAM also has a very useful feature that helps ensure users or systems do not
exhaust the supply of usable IP addresses. It can tell you when a particular
subnet is heavily used, which helps you keep track of when you may need to
add more subnets.
Installing IP Address Management
The key to a successful hierarchical network structure is the proper management
of IP addresses. If addresses are well allocated, the routing information can be
summarized.
The main reasons to have routes summarized include;
● Summarization localizes the effects of topological changes and so
contributes to a stable network.
● Summarization reduces the amount of routing information handled by all
routers.
Both of these simplify network administration and troubleshooting, and they
reduce the resources, such as CPU and memory, consumed by the routing
protocol.
Before you commence the installation process of the IPAM, make sure you
have the following requirements in mind;
● IPAM has to be installed on a domain-joined system.
● IPAM should not be installed on DHCP or DNS servers since it can raise
issues with discovery.
● IPAM cannot be installed on domain controllers.
● IPAM is centered around Microsoft products. It cannot manage
third-party products such as BIND on Linux.
Once you have taken the requirements into consideration, you can then go ahead
with the installation of IPAM.
Follow the set of instructions below;
● Locate Server Manager, click on the Manage option and then click on
Add Roles and Features.
● When you get to the Before you Begin screen, click on the Next button.
● A screen displaying Select Installation Type will then be displayed, click
on the Next button.
● A screen displaying Destination Server will be displayed, click on the
Next button.
● On the screen asking you to Select Destination Server, click on the Next
button.
● On the Select Server Roles screen, click on the Next button.
● On the Select Features screen, choose IP Address Management (IPAM)
Server and then click Add Features when prompted.
● Click on the Next button.
● A screen displaying Confirm Installation Selections will be displayed,
click on the Install button.
● When the installation has finished, click on the Close button.
Configuring IP Address Management
Upon the completion of the installation process, you should then begin to
configure the IP Address Management. The configuration process is quite an
easy one as all of the tasks needed are displayed in the QuickStart tile once you
click on IPAM. Make the configuration process even easier by ensuring you log
in with an account that has the privilege of domain administration.
Take the set of instructions below;
● Locate the Server Manager and then click on IPAM on the left side of
the menu.
● Select Task 2: Provision the IPAM Server.
● A screen displaying Before you Begin will be displayed, click on the
Next button.
● A screen displaying Provisioning Method will be displayed, choose the
Group Policy Based radio button and then enter a Group Policy
Object (GPO) name prefix.
● Click on the Next button.
● On the summary screen, select Apply.
● Then click on the Close button. You then need to apply the new Group
Policies to the domain. This must be done for every domain you want
IPAM to manage.
● Right-click on the Start menu on the IPAM server and then select
Windows PowerShell.
● Execute the following command:
Invoke-IpamGpoProvisioning -Domain <domain name> -GpoPrefixName "IPAM" -Force
● You will be prompted to confirm that you want to do this three times,
once for every policy created.
● Go back to the IPAM Quick Start tile located in the Server Manager
● Select Configure Server Discovery.
● Click on the Get Forest button. This will execute a query.
● Select the OK button to close the Server Discovery screen.
● When all is set, click on the Configure Server Discovery button again.
● After choosing the domain, click on the Add button.
● Choose the server roles you want IPAM to discover.
● Select the OK button.
● Choose Task 4: Start Server Discovery.
● Once that is done, click on Task 5: Select or Add Servers to Manage
and Verify IPAM Access.
● Right-click on the server and then click on the Edit Server button.
● Change the Manageability Status drop-down list from Unspecified to
Managed.
● Select OK.
● Right-click on the managed server and then select the Retrieve All
Server Data.
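The installation, provisioning and discovery procedure above, done from PowerShell. This is an added example and not the book's own code; it assumes the IpamServer module cmdlets of Windows Server 2016 and later, the placeholder domain corp.example.com and server dc01.corp.example.com, and that the discovery job is the scheduled task \Microsoft\Windows\IPAM\ServerDiscovery. Run it on the IPAM server as a domain administrator.

```powershell
# Added example (not from the book). Placeholders: corp.example.com (domain),
# dc01.corp.example.com (a server that discovery will find). The scheduled task
# path is assumed to be the one IPAM registers for server discovery.

$Domain    = 'corp.example.com'
$GpoPrefix = 'IPAM'

# 1. Install the feature (the Add Roles and Features wizard, Select Features step).
Install-WindowsFeature -Name IPAM -IncludeManagementTools

# 2. Task 2: provision the IPAM server using the Group Policy based method.
Invoke-IpamServerProvisioning -ProvisioningMethod Automatic -GpoPrefixName $GpoPrefix

# 3. Create and link the IPAM GPOs in the domain. -Force answers the three
#    confirmation prompts the book mentions, one per policy.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -Force

# 4. Task 3: configure server discovery for the domain and the roles to look for.
Add-IpamDiscoveryDomain -Name $Domain -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true

# 5. Task 4: start discovery now rather than waiting for the scheduled run.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'

# 6. Task 5: once the server shows up, move it from Unspecified to Managed.
Set-IpamServerInventory -Name 'dc01.corp.example.com' -ManageabilityStatus Managed

# 7. Review the inventory; the console's Retrieve All Server Data runs after this.
Get-IpamServerInventory | Format-List Name, ServerType, ManageabilityStatus
```

If the IPAM access status of a managed server stays blocked after step 6, the GPOs from step 3 have usually not yet reached that server; running gpupdate there and repeating Retrieve All Server Data in the console is the check to make before changing anything else.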
Using IP Address Management
In this section, I will show you how best to make use of IPAM by taking you
through various areas in IPAM that can be used in the configuration and
management of the DNS and DHCP infrastructure.
Locate the Quick Start tile you are now used to and then click on the second
orange tile, labeled Actions. A list of the things that can be done will be
displayed; here is a rundown.
IP Address Space
For the DHCP scope that was set up earlier, the utilization should be reported
as Under, which means that plenty of IP addresses are still available. Before
IPAM was introduced, utilization was tracked with a spreadsheet. That was
awkward because the spreadsheet might not be current and it could not warn you
when you were overusing your space.
There are also other screens that can be found under the IP Address Space
category, IP Address Inventory, and IP Address Range Groups which also
provide almost the same data but with a different view. Ensure you take your
time to go through all of these and get acquainted with what each of them is
composed of.
DNS Zones
In this section you can easily see whether the status of each zone is good or
bad, and a quick glance also tells you which DNS server hosts the zone. You can
choose between the forward lookup zones and the reverse lookup zones. As on
the DHCP Scopes screen, you can right-click a zone and configure it from IPAM,
so you no longer have to go to the various DNS servers.
DHCP Scopes
This screen lists all the DHCP scopes configured on all of the DHCP servers
that IPAM knows about. It offers much the same utilization view as the IP
Address Block section. Right-clicking a scope gives you a rundown of the
various options for controlling DHCP. It also shows subnet settings such as the
subnet mask and the lease duration.
DNS and DHCP Servers
When you open the DNS and DHCP servers, you will be able to view the status
of the service that is on each server that is being managed through the IPAM.
“Running for both DNS and DHCP” should be the message if all is going
smoothly.
Server Groups
Server Groups let you separate the systems by the specific type of service
running on them. All you have to do is click on the Server Type drop-down and
then choose the service you are interested in.
Event Catalog
This gathers all the Event Viewer events that relate directly to IPAM. If you
are troubleshooting why a device isn't working properly, this option can be very
useful because you get to see everything in one central place.
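The IP Address Space and DHCP Scopes views above can be read from PowerShell as well, which is what you want when the warning about a filling subnet should come from a scheduled job rather than from someone remembering to look. This is an added example, not code from the book; it assumes the IpamServer module on the IPAM server, a constructed 80 percent warning threshold, and that PercentageUtilized, Utilization, ScopeName, ScopeId, SubnetMask and LeaseDuration are the property names on the objects returned by Get-IpamRange and Get-IpamDhcpScope.

```powershell
# Added example (not from the book). Threshold and property names are assumptions
# noted in the lead-in; run as a member of the IPAM Users group on the IPAM server.

Import-Module IpamServer

function Get-IpamUtilizationReport {
    param([int]$WarnAtPercent = 80)   # constructed threshold, not an IPAM default

    # IP Address Space: ranges at or above the threshold (the console marks these Over).
    $ranges = Get-IpamRange -AddressFamily IPv4 |
        Where-Object { $_.PercentageUtilized -ge $WarnAtPercent } |
        ForEach-Object {
            [pscustomobject]@{
                Kind        = 'Range'
                Name        = "$($_.StartAddress)-$($_.EndAddress)"
                Utilization = $_.Utilization
                Percent     = [math]::Round($_.PercentageUtilized, 1)
            }
        }

    # DHCP Scopes: same check, plus the subnet mask and lease duration the book mentions.
    $scopes = Get-IpamDhcpScope -AddressFamily IPv4 |
        Where-Object { $_.PercentageUtilized -ge $WarnAtPercent } |
        ForEach-Object {
            [pscustomobject]@{
                Kind        = 'Scope'
                Name        = "$($_.ScopeName) $($_.ScopeId)/$($_.SubnetMask) lease=$($_.LeaseDuration)"
                Utilization = $_.Utilization
                Percent     = [math]::Round($_.PercentageUtilized, 1)
            }
        }

    @($ranges) + @($scopes) | Sort-Object Percent -Descending
}

# DNS and DHCP Servers: the managed servers IPAM is polling right now.
function Get-IpamManagedServers {
    Get-IpamServerInventory |
        Where-Object { $_.ManageabilityStatus -eq 'Managed' } |
        Select-Object Name, ServerType
}

Get-IpamUtilizationReport | Format-Table -AutoSize
Get-IpamManagedServers    | Format-Table -AutoSize
```

An empty report from Get-IpamUtilizationReport is the normal result; anything it returns is a range or scope that needs either more addresses or an investigation into what is consuming them.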
BOOK 3
ADMINISTERING WINDOWS SERVER 2022
CHAPTER 1
AN OVERVIEW OF THE TOOLS MENU IN
SERVER MANAGER
Server Manager is the one tool you need in order to reach every other tool
required to manage the server effectively. Note that most of the time when you
log in to a server you are there to take control of a role, manage a feature,
or troubleshoot an issue. Tools such as the disk management utilities and other
very useful system utilities can be found in the Tools menu of almost every
server. Everything that has to do with managing roles and features so that the
server works at its best is located in the Tools menu.
Accessing the Server Manager Tools Menu
The simplest way to reach the Tools menu is to click on Tools in Server
Manager. This gives you access to almost all of the tools you will need for
administration. From your own PC, with the Remote Server Administration Tools
installed, you can see all of these tools as well, including those in the Active
Directory menu, since a domain controller comes with its administration tools.
If Server Manager is disabled, there is another way to reach the Tools menu:
right-click the Start menu and scroll down until you get to the Administrative
Tools option.
Working with Common Administrative Tools
Now that you know how to get to the Tools menu, you need to know some of the
administrative tools you will find yourself using most of the time. These
include;
Disk Cleanup
The Disk Cleanup tool clears every file that the server considers unnecessary.
It is always available by default. To start it, run the command cleanmgr.exe;
it will ask for the drive you want to run it against and then automatically
search for all of the files you can safely remove, such as files in the Recycle
Bin and temporary internet files.
The tool also tells you how much space it will be able to free. It has a More
Options tab that lets you remove old System Restore points and programs that
are currently not in use.
Event Viewer
If you really want to feel in total control of the whole server, Event Viewer
is one tool you have to get familiar with, most importantly when it comes to
troubleshooting server issues, whether software, hardware, or application.
There are many logs in Event Viewer you can scan through, but three of them
will get you most of the way: Application, System, and Security. Each of them
relates to the Windows component it is named after. If you are looking for
something in particular, click on the log that pertains to it, use the search
bar, and then create a filter for an easier search.
It's best to play around with Event Viewer and learn to experiment with
filters. Filters can be a real time saver, especially when troubleshooting an
issue that is delaying a file that should be submitted quickly.
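The kind of Security-log filter the text suggests building in Event Viewer, written with Get-WinEvent so it can be rerun or scheduled. This is an added example and not from the book. Event ID 4625 (failed logon) is a standard Security-log event, and the property positions used (5 = target account, 10 = logon type, 19 = source address) are its documented EventData layout; the 24-hour window and the threshold of five failures are constructed values. Run it elevated, or with the Event Log Readers right for a remote computer.

```powershell
# Added example (not from the book). Summarizes failed logons (event 4625) per
# account and source address, the same data a Filter Current Log on the Security
# log would show, but grouped so that a brute-force pattern is obvious.

function Get-FailedLogonSummary {
    param(
        [string]  $ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime    = (Get-Date).AddHours(-24),   # constructed window
        [int]     $MinFailures  = 5                            # constructed threshold
    )

    # The hashtable is the same filter Event Viewer's dialog builds: log, ID, time.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue   # no events is not an error
    if (-not $events) { return @() }

    $events |
        ForEach-Object {
            # EventData positions for 4625: 5 TargetUserName, 10 LogonType, 19 IpAddress
            [pscustomobject]@{
                Account   = $_.Properties[5].Value
                LogonType = $_.Properties[10].Value
                Source    = $_.Properties[19].Value
                Time      = $_.TimeCreated
            }
        } |
        Group-Object Account, Source |
        Where-Object { $_.Count -ge $MinFailures } |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Group[0].Account
                Source    = $_.Group[0].Source
                LogonType = $_.Group[0].LogonType
                Failures  = $_.Count
                First     = ($_.Group | Measure-Object Time -Minimum).Minimum
                Last      = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } |
        Sort-Object Failures -Descending
}

Get-FailedLogonSummary | Format-Table -AutoSize
```

To keep the same view inside Event Viewer, save a custom view on the Security log with the XPath filter `*[System[EventID=4625]]`; the PowerShell version above adds only the grouping and the threshold.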
Local Security Policy
The Local Security Policy contains a set of information about the security of
the local server.
The information in the Local Security Policy includes the following;
● The security auditing policy.
● The domains trusted to authenticate logon attempts.
● The privileges and rights assigned to the various accounts.
● Which users can gain access to the system, and how they can do so.
Note that in an organizational environment there is every chance you will not
need to go through these policies at all, because they should already have been
set with the aid of Group Policy. If, on the other hand, you are using a
standalone system or a computer that is only in a workgroup, you might well
need the above policies.
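On a standalone or workgroup server, the quickest way to review the items in that list is to export the local security policy and read it back. This is an added example and not from the book; it uses secedit.exe, which writes the policy as an .inf file, and assumes the usual section names in that file ([System Access], [Event Audit], [Privilege Rights]) and that user rights are listed as SID strings prefixed with an asterisk. Run it elevated.

```powershell
# Added example (not from the book). Exports the local security policy with
# secedit.exe and parses the sections that hold the audit settings, the account
# policy, and the user rights assignments; SIDs are translated to names.

function Get-LocalSecurityPolicy {
    $inf = Join-Path $env:TEMP 'local-security-policy.inf'
    secedit.exe /export /cfg $inf /quiet | Out-Null

    $section = ''
    $policy  = @{ SystemAccess = @{}; EventAudit = @{}; PrivilegeRights = @{} }

    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1] -replace ' ', ''; continue }
        if ($line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $name  = $Matches[1]
        $value = $Matches[2]
        if (-not $policy.ContainsKey($section)) { continue }

        if ($section -eq 'PrivilegeRights') {
            # e.g. SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
            $value = ($value -split ',' | ForEach-Object {
                $sid = $_.Trim().TrimStart('*')
                try {
                    ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $sid }   # leave unresolvable entries as they are
            }) -join ', '
        }
        $policy[$section][$name] = $value
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    $policy
}

$p = Get-LocalSecurityPolicy

# Who may log on through Remote Desktop, and who is denied network logon
# (a right that is absent from the file is simply unassigned).
$p.PrivilegeRights['SeRemoteInteractiveLogonRight']
$p.PrivilegeRights['SeDenyNetworkLogonRight']

# Account policy and audit policy, as the Local Security Policy console shows them.
$p.SystemAccess['MinimumPasswordLength']
$p.SystemAccess['LockoutBadCount']
$p.EventAudit
```

The values under EventAudit are bit flags (1 = success, 2 = failure, 3 = both) for the legacy audit categories; on current systems the finer-grained subcategories are reported by auditpol.exe /get /category:* instead.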
Registry editor
The Registry holds information that Windows needs to refer to whenever it
carries out an operation: the profile of each user, the applications installed
on the server and the type of document each application can create, the
hardware present on the system, and the ports in use.
The Registry Editor lets you make adjustments to the system's Registry. Always
double-check before making any change so that you do not harm or damage your
system in the course of changing something. Every setting on your system can be
found in the Registry.
Defragment and Optimize Drives
When you click on this option you get a menu that lets you analyze and optimize
your drives; what optimization does depends on the type of drive. A solid-state
drive (SSD) with TRIM support lets the operating system tell the SSD which
blocks are no longer in use and can be erased. A conventional hard disk drive
(HDD) will instead be defragmented by the optimization process.
When defragmentation runs automatically, there is no need to worry about doing
it manually, as used to be necessary; that was a tedious task that was easy to
forget.
Computer Management
The computer management is a very useful tool, it includes various snap-ins
such as Task Scheduler, Shared Folders, Local Users, Event viewer,
Performance, Device Management, and lots more. I have discussed some of
these tools above, discussing this is just for you to know that Computer
Management allows you to have direct access to all of these tools in a more
centralized manner.
Services
Clicking on this tool opens the Services management console, which lists all
the services on the system. Note that each service runs in the background
without direct interaction, but you can control it by choosing when it should
start or stop and by configuring its startup options.
Double-clicking on any service displays the various tabs associated with that
service.
Below are the startup types you can configure for a service;
● Manual: A service with this startup type will not start on its own;
there must be a trigger, either from a user or from an application, before
it starts.
● Disabled: A disabled service will not start at all.
● Automatic: A service with this startup type starts as soon as the server
starts.
● Automatic (Delayed Start): The service starts, but not immediately like
the above-mentioned Automatic services. This is usually chosen when the
service depends in one way or another on another service: the service it
depends on must start first before this service starts too.
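The four startup types above, reported and changed from PowerShell. This is an added example, not code from the book. It uses the Win32_Service CIM class because Get-Service does not distinguish Automatic (Delayed Start) from Automatic; Spooler, RemoteRegistry and W32Time are standard Windows service names used purely as illustrations, and whether they should be disabled, manual or delayed on your server is an assumption for you to verify. Run it elevated.

```powershell
# Added example (not from the book). Service names are illustrations only.

function Get-ServiceStartupReport {
    # StartMode is Boot/System/Auto/Manual/Disabled; DelayedAutoStart is the flag
    # the Services console displays as "Automatic (Delayed Start)".
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State,
            @{ Name = 'StartupType'; Expression = {
                if ($_.StartMode -eq 'Auto' -and $_.DelayedAutoStart) { 'Automatic (Delayed Start)' }
                elseif ($_.StartMode -eq 'Auto')                     { 'Automatic' }
                else                                                 { $_.StartMode }
            } }
}

# Automatic services that are not running are the first thing to look at when
# a server misbehaves after a reboot.
Get-ServiceStartupReport |
    Where-Object { $_.StartupType -like 'Automatic*' -and $_.State -ne 'Running' } |
    Format-Table -AutoSize

# Disabled: nobody, including applications, can start it until it is re-enabled.
Stop-Service -Name Spooler -ErrorAction SilentlyContinue
Set-Service  -Name Spooler -StartupType Disabled

# Manual: starts only when a user or a dependent application asks for it.
Set-Service -Name RemoteRegistry -StartupType Manual

# Automatic (Delayed Start): Windows PowerShell 5.1's Set-Service has no delayed
# option, so sc.exe is used; the space after "start=" is required by sc.exe.
sc.exe config W32Time start= delayed-auto

# Confirm the three changes.
Get-ServiceStartupReport |
    Where-Object { $_.Name -in 'Spooler', 'RemoteRegistry', 'W32Time' } |
    Format-Table -AutoSize
```

Set-Service changes the startup type only; a running service keeps running until it is stopped, which is why the Spooler example stops it first.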
System Configuration
System Configuration helps diagnose services and startup items that can cause
one problem or another. The tool deals more with system services than with
device drivers, but it can still be useful for drivers, since some packages
contain both services and traditional device drivers. On its General tab it
offers Normal Startup, which is the default, and Diagnostic or Selective
startup, which are very useful when diagnosing issues that occur as the
operating system boots.
On the Boot tab you choose how the system boots, and on the Services tab you
decide which services should be enabled. The Startup tab is of little use on a
server, as it contains no startup items that are enabled by default.
Task Scheduler
This tool gives you more control over administrative tasks: they can be
scheduled and executed automatically. All you need to do is choose a trigger,
which can be almost anything, such as an event, an application, a scheduled
time, or a logon. This means you do not always have to be there to make things
work; certain things just run on their own, taking some stress off you.
Installing and Using Remote Server Administration
Tools
The Remote Server Administration Tools (RSAT) allow administrators to manage
roles and features on a Windows server remotely from a computer running Windows
10, Windows 8, Windows 7, or even Windows Vista.
RSAT cannot be installed on computers running the Home or Standard edition of
any of these Windows versions. It can only be installed on the Professional or
Enterprise editions of the client operating system. In this section, I will
show you how to install RSAT on a Windows 10 system and how to add servers and
manage them effectively.
Below are the steps to install RSAT on a Windows 10 system;
● Select the Start button and then choose Settings.
● Choose Apps and then click on Optional features.
● Select Add a feature.
● Choose the particular RSAT tool you want to use.
Now that the installation is done, let me show you the steps to take in order
to make the best use of the tool(s).
● Select the Start menu.
● Scroll all the way down to S and then click on Server Manager.
● When it has opened, select the Add other servers to manage link on the
Quick Start tile.
● Choose Server2022-DC and then select the right arrow to add it.
● Once the system has been added, the roles and features installed on the
server can be managed with Server Manager on the Windows 10 client.
Note that in Server Manager, on the All Servers tab, you can simply right-click
on a server to manage it. Depending on the roles installed and their functions,
the options in the drop-down list differ from role to role.
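The RSAT installation above, done from an elevated PowerShell prompt on the Windows 10 client, followed by a check that the client can actually reach the server before it is added in Server Manager. This is an added example and not from the book; it assumes Windows 10 version 1809 or later, where RSAT ships as Features on Demand, and uses the book's server name Server2022-DC.

```powershell
# Added example (not from the book). Requires an elevated prompt on Windows 10
# 1809+ and access to Windows Update (or a WSUS/FoD source) for the payload.

# The same list Settings > Apps > Optional features > Add a feature shows.
Get-WindowsCapability -Online -Name 'Rsat.*' |
    Select-Object Name, State | Format-Table -AutoSize

# Install only the tools this chapter uses: Server Manager, AD DS/LDS, Group Policy.
$wanted = @(
    'Rsat.ServerManager.Tools~~~~0.0.1.0',
    'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',
    'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
)
foreach ($name in $wanted) {
    if ((Get-WindowsCapability -Online -Name $name).State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $name
    }
}

# Server Manager talks to remote servers over WinRM. This fails fast when the
# name does not resolve or the WinRM listener on the server is unreachable,
# which are the two usual reasons Add other servers to manage does not work.
Test-WSMan -ComputerName 'Server2022-DC'
```

A successful Test-WSMan returns the server's WSMan identity block; an error here points at DNS, the firewall, or WinRM on the server rather than at Server Manager.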
You must have learned a lot about the tools menu if you have been following
through the whole chapter. You must have also learned about the local group
policy and what the registry editor is all about.
CHAPTER 2
SETTING GROUP POLICY
Group Policy can be described as an infrastructure that lets you specify
managed configurations for users and computers through Group Policy settings
and Group Policy preferences. Imagine having to change certain settings in an
organization with over 3000 systems; you definitely cannot go around to each
system individually to make the change.
With Group Policy, you create a policy and then aim it at users or systems in
security groups or organizational units, or at individual users and systems.
The items most commonly configured with Group Policy are;
● BitLocker settings
● User Account Control (UAC) settings
● User rights assignments
● Password policies
Understanding How Group Policy Works
Using Group Policy can significantly reduce the total cost of ownership for the
organization. Factors such as the large number of available policy settings and
the interactions between different policies can, however, make Group Policy
design complex.
A Group Policy object (GPO) is simply a virtual collection of policy settings.
It is identified by a unique name, a GUID. A GPO can be linked at various
levels, most usually the domain or an OU. Systems or security groups can also
be targeted within the GPO. Group Policy settings always live in a GPO.
At computer startup, the computer-specific GPOs are applied. These affect
settings on the computer irrespective of who logs in later. User policy objects
are applied when a user logs in to the system; they make changes that affect
the user, such as password policies, lockout policies, and the rest.
When you apply a change, it will take about 120 minutes for the change to take
effect on all systems and users. This is because Group Policy refreshes every
90 minutes by default, though at times a further delay might occur, so this is
not always to be expected. There are also times when the user needs to log out
and log in again, because not all settings refresh in this manner. A GPO
represents its policy settings both in the file system and in Active
Directory.
Note that Group Policy applies its settings in a set order;
○ Local policies (which are set by gpedit.msc)
○ Site policies
○ Domain policies
○ OU policies
This order is always followed during processing: the local policies are applied
first, then the site policies, then the domain GPOs, and finally the OU GPOs.
Let us take a look at the comparison between Group policies and preferences.
● Enforcement. Policies: when a Group Policy enforces a setting, users
see grayed-out options informing them that the setting is managed by the
administrator, so they have no control over it. Preferences: when a Group
Policy preference applies a setting, users keep the option of altering the
setting manually, and once the configuration value has been applied it is
not reapplied by Group Policy.
● Removal. Policies: when a Group Policy no longer applies, the settings
are removed and the original value is restored. Preferences: when a Group
Policy preference no longer applies, the settings remain in the registry.
● Effect on applications. Policies: when a Group Policy sets a value for
an application, the application uses the value set by the policy, and if the
policy is removed the application goes back to its own value. Preferences:
when a Group Policy preference sets a value for an application, it overwrites
the application's value, and if the preference is removed the application's
value stays as it is.
Starting the Group Policy Editor
To begin with,
● Locate Server Manager
● Click on Tools and then choose Group Policy Management. If you have
installed the management tools, you will always find the Group Policy
Management directly on the server. You can also gain access to it via the
Remote Server Administration Tools (RSAT) which will enable you to
control the Group Policy directly from your Windows 10 desktop.
● When Group Policy Management opens, an entry for the Active Directory
forest you are in will be displayed.
● Select the arrow that can be found beside that forest in order to have it
expanded.
● Select the arrow close to Domains to have it expanded and then have the
domain name itself expanded by clicking on the arrow close to it.
At the domain level of a new Active Directory environment you will find a
Default Domain Policy that has already been linked. The Default Domain Policy
applies to every user in the Authenticated Users group, which is shown by the
presence of that group in the Security Filtering section. It is also where
basic settings such as the password policy and some other security settings
are applied to all users.
To have the Group Policy Management Editor opened,
● Right-click on a GPO and then click on the Edit option. This will open
up the Group Policy and you can apply the changes.
Performing Computer Management
Computer management activities span everything from security settings to the
applications that need to be installed on a specific system. There is a great
deal that can be done with Group Policy; the only hindrance you might encounter
is whether a particular setting exists that performs the configuration you
need.
Below are the steps to be taken in the creation of a new GPO;
● Open Group Policy Management, expand it, and then right-click on Group
Policy Objects to create a new GPO.
● Give the GPO a name; make sure it is one you can always remember with
ease.
● The same dialog shows a Source Starter GPO option. Leave this blank and
then click on the OK button.
● Once you have selected the GPO, click the Add button found beneath the
Security Filtering section in the main window of the policy.
● Click the Object Types button, select the Computers check box, and then
click OK.
● If you want to have the GPO linked at the domain level, right-click the
name of the domain and then select the Link an Existing GPO option.
● Choose the Computer GPO (this can also be whatever name you have
chosen to give it) and then select the OK button.
This is all that you really need to start out with the editing of the Group Policy.
You can then go on to try some edits to the computer GPO that you have just
created.
Modifying computer settings
Some system configuration settings can be made through the Windows Settings
area of Computer Configuration. You can configure Domain Name System settings,
set startup and shutdown scripts, and set up printers and security settings.
Follow the steps below to configure some security settings for a computer;
● From the Group Policy Management screen, right-click on the GPO that
you have created and then click on the Edit button.
● Expand Computer Configuration, Windows Settings, Security Settings, and
Local Policy, and then click on the Audit Policy option.
● Double-click on Audit Account Logon Events.
● Choose Define These Policy Settings, select both Success and Failure,
and then click on the OK button.
● Repeat the 3rd and 4th steps for each of the items in the Audit
Policy.
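The GPO creation, security filtering and linking performed in the steps above, done with the GroupPolicy module that comes with RSAT or the Group Policy Management feature. This is an added example and not from the book; it assumes the placeholder domain corp.example.com and uses the book's GPO name Computer GPO. The audit settings themselves are not exposed as GroupPolicy cmdlets, so they are still set in the editor as the steps describe; auditpol.exe is then used on a member computer to confirm what was actually applied.

```powershell
# Added example (not from the book). corp.example.com is a placeholder domain.

Import-Module GroupPolicy

$Domain   = 'corp.example.com'
$DomainDN = 'DC=' + (($Domain -split '\.') -join ',DC=')   # DC=corp,DC=example,DC=com
$GpoName  = 'Computer GPO'

# Create the GPO with no Source Starter GPO, as in the New GPO dialog.
New-GPO -Name $GpoName -Domain $Domain -Comment 'Audit policy for domain computers' | Out-Null

# Security filtering: apply to Domain Computers only. Authenticated Users is
# reduced to Read rather than removed, because a computer must be able to read
# a GPO in order to process it at all.
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link an Existing GPO at the domain level.
New-GPLink -Name $GpoName -Domain $Domain -Target $DomainDN -LinkEnabled Yes | Out-Null

# Review: who the GPO applies to, and a full settings report to file.
Get-GPPermission -Name $GpoName -Domain $Domain -All |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
Get-GPOReport -Name $GpoName -Domain $Domain -ReportType Html -Path "$env:TEMP\$GpoName.html"

# On a member computer, after gpupdate /target:computer /force, the Account
# Logon category should now report Success and Failure as configured above.
auditpol.exe /get /category:"Account Logon"
```

The Trustee/Permission table is the same information the Security Filtering and Delegation tabs show; seeing GpoApply only for Domain Computers and GpoRead for Authenticated Users is the expected result.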
Modifying computer software settings
You can also assign software to a particular group of systems, or to all of
them. The Software Settings area of Group Policy installs software on the
systems to which the GPO has been applied.
Follow the steps below to assign software with Group Policy;
● Begin on the Group Policy Management screen, right-click on the GPO that
you created earlier, and then click on the Edit button.
● Expand Computer Configuration and then choose the Software Installation
option.
● Right-click on the blank space next to Software Installation and then
select New Package.
● Choose the file and then select Open.
● Click on Assigned and then choose the OK button.
Performing User Configuration
User Configuration is used for settings that concern the user only. Most of
these settings cannot take effect until a user logs in to a system, and
whichever system the user logs in to, the settings are applied. The User GPO
is applied whenever the user logs in and logs out, although exactly what
happens depends on what the GPO has been configured to do.
Use a User GPO when you need to make account settings or install software that
is aimed at the user rather than at the system. The User Configuration section
has three subfolders; use them with care, as they can bring about an increase
in the number of users that log in.
Software settings
Here the user has control: the installation of any software through this
section is always at the preference of the user.
Follow the steps below to modify this section;
● Begin with the Group Policy Management screen, right-click on the GPO
that you have created before, and then select the Edit option.
● Expand User Configuration and then select the Software Installation
option.
● Right-click on the empty space close to the Software Installation and
then select New Package.
● Choose the file and then select the Open option.
● Click on the Assigned button and then select OK.
Windows settings
This section holds general Windows settings that you can configure for every
user. Like the Windows Settings under Computer Configuration, the Windows
Settings under User Configuration include Security Settings, Policy-based QoS,
Deployed Printers, and Internet Explorer Maintenance. The major difference is
that they are applied only when the user logs in rather than when the system
starts up. There are not as many options under these Windows Settings as under
Computer Configuration.
Most of the time, users save their files in Documents, where they are not
necessarily backed up. You can therefore set up folder redirection for the
users' Documents folders. When you turn on redirection, the users' Documents
folders are saved automatically on the server, where they will be backed up.
Follow the set of instructions below to get this done;
● Begin with the Group Policy Management screen and then right-click on
the GPO that you have once created and then click on the Edit button.
● Have the User Configuration, Policies, and the Folder Redirection
button expanded, and then choose the Documents option.
● Right-click on the empty area to the right of Documents and then click
on Properties.
● On the Target tab, choose the Basic option from the Setting drop-down
list.
● Beneath the option Target Folder Location, click on the Create a Folder
for Each User that can be found underneath the Root Path option.
● Choose the Browse button and then select the very location you want to
have the Documents folders be redirected to.
● Select the OK button.
● Finally, click on the Yes button to continue.
Administrative Templates
Administrative Templates can be described as registry-based settings that can
be configured for the system.
Follow the step-by-step instructions below to make use of this section;
● Begin on the Group Policy Management screen, right-click on the GPO
created earlier, and then click on the Edit button.
● Expand User Configuration, Policies, and Administrative Templates, and
then click on the Desktop option.
● Double-click on the Disable Active Desktop option.
● Select Enabled and then choose OK.
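Because Administrative Template settings are registry-based, the same setting can be written and read back with the GroupPolicy module instead of the editor. This is an added example and not from the book. The GPO name User GPO is an assumption, and so is the registry key and value name shown, which is the location this author believes the Disable Active Desktop template writes; check it against the template's Explain text on your own system before relying on it.

```powershell
# Added example (not from the book). GPO name, key and value name are assumptions
# noted in the lead-in.

Import-Module GroupPolicy

$GpoName   = 'User GPO'
$Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoActiveDesktop'

# Enabled: write the DWORD the template would write into the GPO's user half.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value 1 | Out-Null

# Read back every policy value the GPO now holds under that key; this is what
# the Administrative Templates node renders in the editor.
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Select-Object FullKeyPath, ValueName, Type, Value | Format-Table -AutoSize

# Returning the setting to Not Configured means removing the value from the GPO,
# which is the opposite of the "Enabled" step above:
# Remove-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName
```

Get-GPRegistryValue is also a quick way to audit which registry-based policies a GPO sets without opening the editor, since every Administrative Template setting ends up as a value under HKLM\Software\Policies or HKCU\Software\...\Policies.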
Viewing Resultant Set of Policy
Resultant Set of Policy (RSoP) is an addition to Group Policy that assists with
troubleshooting and implementing policies. It can be described as a query
engine that polls planned policies as well as policies that already exist and
then reports the result of those queries. It does this based on domain, site,
organizational unit, and domain controller. RSoP pulls its information from the
Common Information Management Object Model (CIMOM) database via Windows
Management Instrumentation (WMI).
RSoP offers specific details about all of the policy settings configured by an
administrator, including Folder Redirection, Administrative Templates, Internet
Explorer Maintenance, Security Settings, and Software Installation. When
various policies are applied at different levels, the result can be
conflicting. RSoP helps determine which set of policies is applied and their
respective precedence.
RSoP has two modes: logging mode and planning mode. In planning mode, the
effect of the policy settings can be simulated to show what would happen if you
applied them to a computer and user. Logging mode reports the existing policy
settings for a computer and the user currently logged on.
The Resultant Set of Policy Wizard helps with the creation of the RSoP query. It
can be opened from the Microsoft Management Console (MMC), Active
Directory Users and Computers, or Active Directory Sites and Services. If you
want to create an RSoP query, the Wizard must be executed at least once. Once
the execution has been completed, the wizard will show the result of the query in
the RSoP snap-in in MMC. You can then choose to save the change and also
have the queries refreshed. Lots of RSoP queries can be created with the addition
of various Resultant Set of Policy snap-in to MMC, or a single RSoP snap-in for
one query.
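Logging mode RSoP for a computer and user from PowerShell, with a short parse of the XML report listing which GPOs applied and why the others did not. This is an added example and not from the book; WS01 and corp\alice are placeholder names, it requires RSAT and permission to read policy on the remote computer, and the element names used when parsing the report (ComputerResults, UserResults, GPO, Link/SOMPath, IsValid, AccessDenied, FilterAllowed) are assumptions about the report's structure to verify against a report from your own system.

```powershell
# Added example (not from the book). Placeholders: WS01 (computer), corp\alice (user).
# The XML element names read below are assumptions; compare with your own report.

Import-Module GroupPolicy

function Get-AppliedGpoSummary {
    param([string]$Computer = 'WS01', [string]$User = 'corp\alice')

    # Logging mode: what actually applied, as the RSoP snap-in would show it.
    $xmlPath = Join-Path $env:TEMP "rsop-$Computer.xml"
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User `
        -ReportType Xml -Path $xmlPath | Out-Null
    [xml]$rsop = Get-Content -Path $xmlPath

    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $rsop.Rsop.$scope.GPO) {
            # Work out why a GPO in scope was not applied, if it was not.
            $reason = ''
            if     ($gpo.AccessDenied  -eq 'true')  { $reason = 'Security filtering' }
            elseif ($gpo.FilterAllowed -eq 'false') { $reason = 'WMI filter' }
            elseif ($gpo.IsValid       -ne 'true')  { $reason = 'Invalid or disabled' }

            [pscustomobject]@{
                Scope    = $scope
                Name     = $gpo.Name
                LinkedAt = ($gpo.Link.SOMPath -join '; ')
                Applied  = ($reason -eq '')
                Reason   = $reason
            }
        }
    }
}

Get-AppliedGpoSummary | Format-Table -AutoSize

# Quick command-line view of the same logging-mode result. Planning mode needs
# the RSoP Wizard or the Group Policy Modeling node in the GPMC.
gpresult.exe /S WS01 /USER corp\alice /R
```

The Reason column is what you are usually after when a setting "should" be there: a GPO that is linked in scope but denied by security filtering or a WMI filter shows up here, whereas a GPO that is simply not linked does not appear at all.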
CHAPTER 3
CONFIGURING THE REGISTRY
Being a system administrator is not an easy job to take on. There are many
things you will have to figure out in order to make everything work without a
hiccup, and if there is one, you should always be there to fix it. Many things
can throw you off balance and create a mess, and the Registry ranks very high
among them.
The Registry is the store of configuration information that Windows consults
almost continuously while it operates: the profile of each user, the
applications installed on the computer and the document types each of them
creates, property sheet settings for folders and application icons, the
hardware present on the system, and the ports in use.
The Registry can be thought of as the basic structure of the operating system.
Everything that has ever been installed or plugged into your system is
recorded there, and Control Panel is simply a front end to values that already
exist in the Registry. That should make clear how important the Registry is to
a system, how central it is to the operating system, and how it functions.
Altering or deleting the wrong key can leave the system unable to start.
In this chapter I explain the Registry: how to configure it properly, what its
components are, and how to get back on track if something goes wrong with it.
Starting Registry Editor
Starting Registry Editor is not difficult, and there are several ways to do
it. From Server Manager:
● Click Tools and then Registry Editor.
If you are not in Server Manager:
● Right-click the Start menu.
● Click Windows PowerShell, then run the command regedit.exe.
Either method opens Registry Editor. If this is the first time you have opened
it, the hives may not be expanded yet. A standard user can open Registry
Editor, but most of HKEY_LOCAL_MACHINE is read-only for non-administrators, so
start it from an elevated session whenever you intend to make changes.
Importing and Exporting Registry Elements
The procedure for importing and exporting Registry elements has been the same
for years, and it still works on Windows Server 2022. Exporting gives you a
backup of part of the Registry; importing restores it.
Importing Registry elements
To restore the Registry you need Registry Editor and a .reg file that was
exported earlier. There are two common reasons to import a .reg file: you
edited the Registry on one server and want to apply the same change to another
server (or to all of them), or a change you made is causing the server to
misbehave and you need to roll back to the .reg file you created before making
it.
Follow the steps below to restore the Registry from the backup file:
● In Server Manager, click Tools > Registry Editor.
● Click File > Import.
● Browse to the location where the .reg backup file is stored.
● Select the file and click Open.
● When the import completes, click OK.
Exporting Registry elements
Even as a system administrator you are not perfect, and you are dealing with a
machine you do not fully control; something can go wrong at any time. So take
a backup before applying any change to the system. One of the easiest ways is
to export the keys you are about to change to a .reg file, the format
Registry Editor uses for imported and exported Registry data.
Follow the step-by-step instructions below to create a backup:
● In Server Manager, click Tools and then Registry Editor.
● Select the key you want to export.
● With the key selected, click File > Export.
● Choose the location where the .reg file should be saved.
● Click Save.
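The export-change-import cycle is something you will want to script so the
backup is never skipped. The following is an added example, not code from the
book: it uses reg.exe, which ships with Windows, and assumes a placeholder key
HKLM\SOFTWARE\Contoso\AppConfig and a backup folder C:\RegBackup (the key is
created first so the example runs on a clean server).

```powershell
# Added example (not from the book): back up a key with reg.exe before
# changing it, then roll the change back by importing the .reg file.
# HKLM\SOFTWARE\Contoso\AppConfig and C:\RegBackup are placeholders.
$key       = 'HKLM\SOFTWARE\Contoso\AppConfig'
$backupDir = 'C:\RegBackup'
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null
New-Item -Path 'HKLM:\SOFTWARE\Contoso\AppConfig' -Force | Out-Null

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string]$KeyPath,
          [Parameter(Mandatory)][string]$Directory)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Directory ('{0}-{1}.reg' -f ($KeyPath -replace '[\\:]', '_'), $stamp)
    # /y overwrites an existing file without prompting; reg.exe sets a
    # non-zero exit code when the key does not exist or access is denied.
    reg.exe export $KeyPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of $KeyPath failed" }
    return $file
}

$backup = Backup-RegistryKey -KeyPath $key -Directory $backupDir
"Saved $backup"

# Make the change through the Registry provider (HKLM:\ is the same tree
# reg.exe addresses as HKLM\).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Contoso\AppConfig' -Name 'LogLevel' `
    -Value 4 -Type DWord

# ... test the application. If it misbehaves, restore the saved state:
reg.exe import $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Import of $backup failed" }
```

One caveat a practitioner should know: importing a .reg file writes the values
it contains but does not delete values that were added after the export. To
remove a value on import, the .reg file must carry an explicit deletion line
("Name"=-), or the whole key must be listed with a leading minus ([-HKEY_...]).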
Finding Registry Elements
Do we ever stop looking for things? At some point you will need to search for
a particular key or value in order to complete an update to the Registry.
This would be tedious, because there are many keys with similar names, but the
Registry Editor search tool makes it easy: search for the key, value name, or
data with the tool.
Follow the instructions below to find what you are looking for with the
search tool.
● In Server Manager, click Tools and then Registry Editor.
● In Registry Editor, click Edit > Find.
● Type the text in the Find What box, tick which element types to search
(Keys, Values, Data), and tick Match Whole String Only if you want exact
matches.
● Click Find Next. If the first result is not what you want, press F3 to
jump to the next match, and keep pressing it until you find the right one.
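The Find dialog stops at one hit at a time. When you need every hit (for
example every autostart entry that mentions a program), a scripted search is
faster. The following is an added example, not code from the book; the
Find-RegistryValue function and the Run-key search at the end are my own, and
"Contoso" is a placeholder search term.

```powershell
# Added example (not from the book): recursive Registry search that reports
# matching key names, value names and, optionally, value data.
function Find-RegistryValue {
    param(
        [Parameter(Mandatory)][string]$Path,     # provider path, e.g. HKLM:\SOFTWARE
        [Parameter(Mandatory)][string]$Pattern,  # case-insensitive regex
        [switch]$IncludeData
    )
    # -ErrorAction SilentlyContinue skips keys this account cannot read
    # (HKLM:\SECURITY, parts of HKLM:\SAM) instead of aborting the search.
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        if (-not $key) { continue }
        if ($key.PSChildName -match $Pattern) {
            [pscustomobject]@{ Key = $key.Name; Match = 'KeyName'; Name = ''; Data = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            # Read raw data: do not expand %VAR% so the stored text is searched.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $text = if ($data -is [byte[]]) {
                        ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                    } else { "$data" }
            if ($name -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Match = 'ValueName'; Name = $name; Data = $text }
            } elseif ($IncludeData -and $text -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Match = 'Data'; Name = $name; Data = $text }
            }
        }
    }
}

# Typical use: every machine-wide autostart entry referencing "Contoso".
# The Run keys are a classic persistence location, so this doubles as a check.
Find-RegistryValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                   -Pattern 'Contoso' -IncludeData | Format-Table -AutoSize
```

Searching all of HKLM:\SOFTWARE with -IncludeData takes a while on a busy
server; narrow the path first, as you would with the Find dialog.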
Understanding Registry Data Types
A few terms are used when working with Registry Editor. Hives are the highest
level of the hierarchy in the Registry. Keys live inside hives; they look like
folders in the Registry and are used for organization, and they can be nested
several levels deep.
Values live inside keys, and each value has a data type. The most important
thing to note is the data type itself and what it is used for: some of the
types sound similar, but they do not serve the same function.
Below are the data types and what each is used for:
● String Value (REG_SZ): a fixed-length text string. One of the most common
data types in the Registry.
● Expandable String Value (REG_EXPAND_SZ): a text string that contains
environment variables, such as %SystemRoot%\Temp, which the operating system
or application expands when it reads the value; much like using environment
variables in a script.
● 64-bit Number (REG_QWORD): a 64-bit number.
● 32-bit Number (REG_DWORD): a 32-bit number. Also one of the most common
data types in the Registry, typically used for flags and counters.
● Binary Data (REG_BINARY): raw binary data of any length, which Registry
Editor displays in hexadecimal. Commonly used for hardware component
information.
● Multi-String Value (REG_MULTI_SZ): a list of text strings. The strings are
stored one after another, each terminated by a null character (not separated
by commas or spaces); Registry Editor shows one string per line.
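The difference between the types is easiest to see by writing one value of
each and reading them back. The following is an added example, not code from
the book: it uses a throw-away placeholder key HKCU:\Software\ContosoDemo and
removes it at the end.

```powershell
# Added example (not from the book): one value of each Registry data type,
# written with New-ItemProperty and read back with and without expansion.
# HKCU:\Software\ContosoDemo is a placeholder key, deleted at the end.
$key = 'HKCU:\Software\ContosoDemo'
New-Item -Path $key -Force | Out-Null

New-ItemProperty -Path $key -Name 'Title'    -PropertyType String       -Value 'Contoso'            -Force | Out-Null
New-ItemProperty -Path $key -Name 'LogDir'   -PropertyType ExpandString -Value '%SystemRoot%\Temp'  -Force | Out-Null
New-ItemProperty -Path $key -Name 'Retries'  -PropertyType DWord        -Value 3                    -Force | Out-Null
New-ItemProperty -Path $key -Name 'MaxBytes' -PropertyType QWord        -Value 8GB                  -Force | Out-Null
New-ItemProperty -Path $key -Name 'Blob'     -PropertyType Binary       -Value ([byte[]](0xDE,0xAD,0xBE,0xEF)) -Force | Out-Null
New-ItemProperty -Path $key -Name 'Servers'  -PropertyType MultiString  -Value @('srv01','srv02')   -Force | Out-Null

$rk   = Get-Item -Path $key
$rows = foreach ($name in $rk.GetValueNames()) {
    # DoNotExpandEnvironmentNames returns the stored text; the plain call
    # returns what an application sees (REG_EXPAND_SZ resolved).
    $raw      = $rk.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    $expanded = $rk.GetValue($name)
    [pscustomobject]@{
        Name     = $name
        Kind     = $rk.GetValueKind($name)   # String, ExpandString, DWord, QWord, Binary, MultiString
        Stored   = if ($raw -is [byte[]]) { ($raw | ForEach-Object { $_.ToString('x2') }) -join ' ' } else { "$raw" }
        Resolved = "$expanded"                # LogDir becomes C:\Windows\Temp
    }
}
$rows | Format-Table -AutoSize

Remove-Item -Path $key -Recurse
```

Note that 8GB does not fit in a REG_DWORD; choosing QWord is what makes the
write succeed. Also, REG_BINARY stores bytes, it does not protect them:
anything readable by the account can be read back exactly as written, so
secrets belong in DPAPI-protected storage or a credential vault, not in a
binary value.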
Understanding the Hives
A hive is a logical group of keys, subkeys, and values in the Registry backed
by a set of supporting files that are loaded into memory when the operating
system starts or a user logs on. Each user profile has its own hive in a
separate file, the user profile hive; it is created the first time that user
logs on and loaded again on every later logon.
Hives group settings by purpose: for example, HKEY_USERS holds the settings of
every loaded user profile, while HKEY_CURRENT_USER holds the settings of the
user currently logged on.
Below is a table of the hives and their supporting files. The machine hives
live under %SystemRoot%\System32\config; the user hive lives in the user's
profile folder.
Hive                          Supporting files
HKEY_CURRENT_USER             Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM        Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security   Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\System     System, System.alt, System.log, System.sav
HKEY_LOCAL_MACHINE\Software   Software, Software.log, Software.sav
HKEY_CURRENT_CONFIG           System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT           Default, Default.log, Default.sav
HKEY_CURRENT_USER
This is most often referred to as HKCU. This part of the Registry is not
constant: it changes according to which user is logged on. When a user logs on
for the first time, the profile is created from the default user's hive,
C:\Users\Default\Ntuser.dat; on later logons the user's own Ntuser.dat from
the profile folder is loaded, with everything that user saved previously.
HKCU stores no data of its own; it is a pointer to the user's data. Each user
has a security identifier (SID), and the user's data is kept under a key
named after that SID in HKEY_USERS.
HKEY_USERS
This is most commonly referred to as HKU. In it you find the settings of each
user profile currently loaded on the system, one subkey per user. Since each
user has a unique SID, the system can tell the users apart easily.
HKEY_CURRENT_CONFIG
This is shortened to HKCC. It is similar to HKEY_CURRENT_USER in that it
stores no data of its own, only a pointer to data elsewhere. The pointer
resolves to
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
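That HKCU is only a view of HKU\<SID> can be checked directly, and the same
technique tells you whose hives are loaded on a server at the moment. The
following is an added example, not code from the book; it reads the TEMP value
of the current user's Environment key through both paths and then lists every
subkey of HKEY_USERS with the account it resolves to.

```powershell
# Added example (not from the book): prove HKCU == HKU\<SID> for the current
# user, then map every loaded hive under HKEY_USERS to an account name.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
"Current user SID: $sid"

# The same value read via both paths: they are the same key.
$viaHkcu = (Get-ItemProperty -Path 'HKCU:\Environment').TEMP
$viaHku  = (Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\Environment").TEMP
"HKCU TEMP = $viaHkcu"
"HKU\$sid TEMP = $viaHku"

# Enumerate loaded hives. *_Classes keys are each user's HKCR overlay;
# S-1-5-18, S-1-5-19 and S-1-5-20 are SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
# Any other SID present means that user's profile is loaded right now
# (interactive session, scheduled task or service running as that user).
Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
    $name = $_.PSChildName
    $account = try {
        ([System.Security.Principal.SecurityIdentifier]$name).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '(not a SID or unresolved)' }
    [pscustomobject]@{ Hive = $name; Account = $account }
} | Format-Table -AutoSize
```

An unresolved SID for a S-1-5-21-... key usually means a profile left behind by
an account that has since been deleted from the domain, which is worth a look
during a forensic review.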
Loading and Unloading Hives
Loading and unloading hives applies only to HKEY_LOCAL_MACHINE and
HKEY_USERS, and the commands are available only while one of these two root
keys is selected. Rather than replacing the selected key, the hive you load
becomes a subkey of that root key. HKEY_LOCAL_MACHINE and HKEY_USERS are the
source from which all the other logical root keys on a system are built, so
from these two you can reach any area of the Registry.
After selecting HKEY_LOCAL_MACHINE or HKEY_USERS in Registry Editor, you can
load a hive file from this machine or from another machine by choosing Load
Hive on the File menu. Registry Editor prompts for the location of the saved
hive file and then for the name to give it under the root key.
Follow the steps below to load a hive and see how it works:
● In Server Manager, click Tools and then Registry Editor.
● Select HKEY_USERS, then File > Load Hive.
● Browse to the NTUSER.DAT of the profile you want to inspect. That user must
not be logged on; while a profile is loaded its hive file is locked.
● Select NTUSER.DAT and click Open.
● Type a name for the loaded hive and click OK.
To unload the hive, take the steps below:
● Select the key you loaded.
● Click File, then Unload Hive.
● In the Confirm Unload Hive dialog box, click Yes.
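The same offline inspection from PowerShell is shown below as an added example
(not code from the book). It assumes an elevated session, a placeholder
profile C:\Users\jdoe\NTUSER.DAT whose owner is logged off, and the temporary
name OfflineUser. The finally block matters: an unload fails with "Access is
denied" while any handle to the loaded hive is still open, and the Registry
provider keeps such handles until they are garbage-collected.

```powershell
# Added example (not from the book): load a logged-off user's profile hive,
# read its per-user Run key (a common persistence location), unload it.
# C:\Users\jdoe\NTUSER.DAT and "OfflineUser" are placeholders.
$hiveFile = 'C:\Users\jdoe\NTUSER.DAT'
$mount    = 'HKU\OfflineUser'

reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not load $hiveFile (user still logged on, or session not elevated?)"
}

try {
    $runKey = 'Registry::HKEY_USERS\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -Path $runKey) {
        Get-ItemProperty -Path $runKey |
            Select-Object -Property * -ExcludeProperty PS* |   # drop provider noise
            Format-List
    } else {
        'No per-user Run key in this profile.'
    }
}
finally {
    # Release cached RegistryKey handles, otherwise the unload is refused.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Unload failed; close Registry Editor and retry: reg unload $mount"
    }
}
```

If you open the loaded hive in Registry Editor while the script runs, the
unload at the end will fail until Registry Editor is closed, for the same
reason.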
Connecting to Network Registries
There are times when you need to fix something quickly on a computer that is
not near you, and it is annoying to have to walk over every time. Rather than
moving around, you can connect to a remote Registry over the network.
For this to work, the Remote Registry service must be running on the remote
(target) system, and that system's firewall must allow the inbound SMB
connection (TCP 445) that the winreg named pipe uses. The connection is made
with your current credentials, so you need administrator rights on the target
to change anything there.
Follow the steps below to connect to a remote Registry:
● In Server Manager, click Tools > Registry Editor.
● Click File > Connect Network Registry.
● Type the name of the system you want to connect to.
● Click OK.
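The same connection from the command line, as an added example that is not
code from the book: it assumes Windows PowerShell 5.1 as shipped with the
server (Get-Service -ComputerName was removed in PowerShell 7), a placeholder
server name SRV02, and that you are an administrator there.

```powershell
# Added example (not from the book): check the prerequisite, then read a
# remote Registry value with the .NET API that regedit's Connect Network
# Registry also uses. SRV02 is a placeholder.
$computer = 'SRV02'

# A stopped Remote Registry service surfaces as an unhelpful "network path
# was not found" from OpenRemoteBaseKey, so test it explicitly first.
$svc = Get-Service -Name RemoteRegistry -ComputerName $computer
if ($svc.Status -ne 'Running') {
    throw "RemoteRegistry is $($svc.Status) on $computer"
}

$base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
try {
    $key = $base.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    [pscustomobject]@{
        Computer = $computer
        Product  = $key.GetValue('ProductName')
        Build    = $key.GetValue('CurrentBuildNumber')
        UBR      = $key.GetValue('UBR')      # update build revision = patch level
    }
    $key.Close()
}
finally {
    $base.Close()
}

# Equivalent one-liner with reg.exe:
# reg.exe query "\\SRV02\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
```

Reading the build and UBR of many servers this way is a quick way to spot the
ones that missed a patch cycle.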
Setting Registry Security
Security of any form is important, because your data must be protected from
theft and tampering. Security for the Windows Registry matters even more,
because the Registry sits at the centre of everything that happens in the
operating system, so protecting it is simply the right thing to do.
You can set permissions on both hives and keys in the Registry as follows:
● Right-click the key or hive you want to secure and click Permissions.
● A dialog box opens where you can add or remove users and groups and set the
level of permission assigned to each.
● Clicking Advanced lets you set more granular permissions, change the owner,
and control inheritance.
If you have no need to reach the server's Registry remotely, disable the
Remote Registry service. Once it is disabled, Connect Network Registry and
reg.exe against \\server no longer work. Note that this closes the winreg
interface only; an administrator can still reach the Registry through an
interactive session or a remoting tool such as PowerShell remoting, so this
reduces attack surface rather than eliminating remote access. Some
management and vulnerability-scanning products rely on Remote Registry, so
check before disabling it.
● In Server Manager, click Tools and then Services.
● Scroll down to the Remote Registry service and double-click it to open
its properties dialog box.
● Set Startup Type to Disabled.
● Click OK.
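Both hardening steps above can be scripted and verified. The following is an
added example, not code from the book: it locks a placeholder key
HKLM:\SOFTWARE\Contoso\AppConfig so only Administrators and SYSTEM can write
while Users can read, checks who is left with write access, and then disables
the Remote Registry service. It must run elevated, and the key is created
first so it runs on a clean server.

```powershell
# Added example (not from the book): explicit ACL on a key, verification of
# who can write, and disabling Remote Registry. The key path is a placeholder.
$keyPath = 'HKLM:\SOFTWARE\Contoso\AppConfig'
New-Item -Path $keyPath -Force | Out-Null

$acl = Get-Acl -Path $keyPath
# Stop inheriting from HKLM\SOFTWARE and discard the inherited entries, then
# rebuild the ACL with only the entries we want.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Users';          Rights = 'ReadKey'     }
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $e.Id,
        [System.Security.AccessControl.RegistryRights]$e.Rights,
        $inherit, $prop,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# Verify: list every principal that can still write to the key.
(Get-Acl -Path $keyPath).Access |
    Where-Object { "$($_.RegistryRights)" -match 'SetValue|CreateSubKey|WriteKey|FullControl' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Disable Remote Registry: stop it now and keep it from starting at boot.
Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
Set-Service  -Name RemoteRegistry -StartupType Disabled
Get-Service  -Name RemoteRegistry | Select-Object Name, Status, StartType
```

The verification step is the important one: a key under which Users have
SetValue or CreateSubKey is a privilege-escalation path if a service later
reads a path or command line from it.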
CHAPTER 4
WORKING WITH ACTIVE DIRECTORY
You will at some point have a need to work with Active Directory either with
Users or computers or both. This chapter explains the components and functions
of Active Directory.
Active Directory 101
When you look at an entry in Active Directory you see that its name is built
from several kinds of components: domain components (DC), organizational units
(OU), and common names (CN). Here DC means domain component, not domain
controller: the DNS name contoso.com is written as DC=contoso,DC=com. In a
single-domain environment the domain is the scope you mostly work in; forests
come into play only in larger designs. An OU is like a folder that contains
objects, and a CN names an individual object such as a user account, although
most newer tools simply display it as a user in the interface.
So a user's CN sits under an OU, and OUs sit under the domain's DCs, for
example CN=Jane Doe,OU=Sales,DC=contoso,DC=com. This is the structure you use
to organize your user database. When a device joins the domain it needs this
information too, so that it knows what it is looking for and where the domain
controllers are.
Users in Active Directory are placed in security groups in order to gain
access to resources. Permissions are granted to the group on the resource;
when a user is added to the group, the user gains every access the group has
been granted.
Security groups come in three scopes:
● Global: can contain accounts only from its own domain, but can be granted
permissions on resources in any domain in the forest, or in any domain or
forest that trusts it.
● Domain local: can contain accounts from any trusted domain, but can be
granted permissions only on resources in its own domain.
● Universal: can contain accounts from any domain in the forest, and can be
granted permissions on resources in any domain in the forest or in any forest
that trusts it; its membership is stored in the global catalog.
Configuring the User Interface
This section walks through a few of the consoles that come with Active
Directory, what each does, and how each contributes to the proper functioning
of the directory.
Making use of Active Directory Domains and Trusts
Trusts make authentication across domains simpler. A single domain works well
for a small organization, but larger organizations need more than one domain,
and that is where trusts come in. Creating a trust between domains makes
administration and the user experience easier: a user authenticated in one
domain can access resources in another domain without authenticating again
with different credentials.
Below are some terms you should know before we look at the types of trust:
● Two-way trust: a bidirectional trust relationship; if Domain 1 trusts
Domain 2, then Domain 2 also trusts Domain 1.
● One-way trust: trust in one direction only. Domain 1 trusts Domain 2, but
Domain 2 does not trust Domain 1.
● Transitive trust: a trust that extends through trust relationships other
domains have built. If Domain 1 trusts Domain 2 and Domain 2 trusts Domain 3,
then Domain 1 also trusts Domain 3.
● Non-transitive trust: the opposite; the trust does not extend to other
domains. If Domain 1 trusts Domain 2 and Domain 2 trusts Domain 3, Domain 1
does not trust Domain 3, because it has no direct trust relationship with it.
Let us then look at the types of trust:
● External trust: created when the resources are in a domain of another
Active Directory forest. External trusts are always non-transitive and can be
one-way or two-way.
● Realm trust: created between an Active Directory forest and a non-Windows
Kerberos realm (the book mentions eDirectory and UNIX directories as
examples). A realm trust can be transitive or non-transitive, and one-way or
two-way.
● Forest trust: created when resources must be shared between whole Active
Directory forests. Forest trusts are transitive and can be one-way or
two-way.
● Shortcut trust: created between two domains in the same forest to improve
logon times, by shortening the path Kerberos referrals take through the forest
tree. Shortcut trusts are transitive and can be one-way or two-way.
How to create a domain trust
Creating a domain trust is a simple and straightforward task. With your
domain in its forest, and wanting to establish a connection with another
domain, follow the steps below to build the trust:
● In Server Manager, click Tools > Active Directory Domains and Trusts.
● Right-click the name of your domain and choose Properties.
● Select the Trusts tab and click New Trust.
● The "Welcome to the New Trust Wizard" screen appears; click Next.
● On the Trust Name screen, type the name of the domain you want to
establish the trust with, then click Next.
● On the Trust Type screen, since you are creating a trust between the root
domains of two forests, select External trust and click Next.
● On the Direction of Trust screen, choose one-way or two-way, then click
Next.
● On the Sides of Trust screen, choose whether to create the trust on your
domain only or on both domains, then click Next.
● On the next screen, enter the username and password of an enterprise
administrator or domain administrator of the other domain, then click Next.
● On the Outgoing Trust Authentication Level, Local Domain screen, click
Domain-wide authentication and then Next. Domain-wide authentication lets
every user of the trusted domain authenticate to every server in this one;
Selective authentication is the tighter choice for an external trust, at the
cost of granting the Allowed to Authenticate permission on each server those
users need.
● On the Outgoing Trust Authentication Level, Specified Domain screen,
select Domain-wide authentication and click Next.
● On the Trust Selections Complete screen, click Next.
● On the Trust Creation Complete screen, click Next.
● On the Confirm Outgoing Trust screen, choose Yes, confirm the outgoing
trust, and click Next.
● On the Confirm Incoming Trust screen, choose Yes, confirm the incoming
trust, and click Next.
● Click Finish.
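Once a trust exists, its settings decide how much of the other domain's
security posture you inherit, so audit them. The following is an added
example, not code from the book: a small Get-TrustRisk function (my own) that
reads every trust with Get-ADTrust from the ActiveDirectory module and flags
settings that widen the attack surface. The netdom commands at the end use
placeholder domain names contoso.com and fabrikam.com.

```powershell
# Added example (not from the book): audit every trust of the current domain.
# Property names are those returned by Get-ADTrust (ActiveDirectory module).
Import-Module ActiveDirectory

function Get-TrustRisk {
    param([Parameter(Mandatory, ValueFromPipeline)]$Trust)
    process {
        $risks = @()
        # SID filtering ("quarantine") discards SIDHistory from the other side,
        # which blocks a trusted-domain admin from forging membership here.
        # Forest trusts expose it as SIDFilteringForestAware, others as
        # SIDFilteringQuarantined.
        $sidFilterOn = if ($Trust.ForestTransitive) { $Trust.SIDFilteringForestAware }
                       else { $Trust.SIDFilteringQuarantined }
        if (-not $Trust.IntraForest -and -not $sidFilterOn) { $risks += 'SID filtering off' }

        # Domain-wide authentication lets any trusted user hit any server here.
        if (-not $Trust.IntraForest -and -not $Trust.SelectiveAuthentication) {
            $risks += 'Domain-wide authentication'
        }
        if ($Trust.UsesRC4Encryption -and -not $Trust.UsesAESKeys) { $risks += 'RC4-only Kerberos' }
        if ($Trust.TGTDelegation) { $risks += 'TGT delegation allowed across trust' }

        [pscustomobject]@{
            Target      = $Trust.Target
            Direction   = $Trust.Direction
            IntraForest = $Trust.IntraForest
            ForestTrust = $Trust.ForestTransitive
            Risks       = ($risks -join '; ')
        }
    }
}

Get-ADTrust -Filter * | Get-TrustRisk | Format-Table -AutoSize

# Remediation for an external trust (run on the trusting domain):
#   netdom trust contoso.com /domain:fabrikam.com /quarantine:Yes
#   netdom trust contoso.com /domain:fabrikam.com /SelectiveAuth:Yes
```

Direction is reported from the perspective of the domain you query: Outbound
means this domain trusts the target, Inbound means the target trusts this
domain, and BiDirectional is the two-way case from the wizard.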
Active Directory Site
Active Directory sites are used to manage organizations that have branches in
several locations under the same domain. They are a good solution for managing
a geographically spread AD network without changing any part of the logical
structure of the environment.
An AD site is a physical grouping of well-connected IP subnets, used to control
how information is replicated among domain controllers (DCs). Think of it as a
map describing the routes AD replication should take, so that the available
network is used as efficiently as possible. Sites therefore help with both
speed and cost.
Sites also matter for the deployment and targeting of Group Policy, and
clients use them to find a nearby domain controller. Replication topology is
stored as site link objects. By default a site named Default-First-Site-Name
is created for the forest, and until you create another site every DC is
placed in it automatically.
Subnets
Within sites are subnets. A subnet groups nearby computers by their IP
addresses: each subnet is identified by a range of IP addresses, and a site is
an aggregate of well-connected subnets. Subnets can be defined with either
IPv4 or IPv6 prefixes.
AD site Links
As the name implies, AD site links connect AD sites; the first one is named
DEFAULTIPSITELINK. Site links carry the replication that flows between
sites. When the site link properties (schedule, replication cost, and
interval) are configured properly, inter-site replication can be managed for
efficiency.
Below are step-by-step instructions for creating a site:
● In Server Manager, click Tools and then open Active Directory Sites and
Services.
● Right-click Sites and select New Site.
● Type the name of the new site and choose a site link object.
● Click OK.
Let us also look at how subnets are assigned:
● Right-click Subnets and select New Subnet.
● Type the prefix for the subnet, for example 10.20.0.0/16.
● Select the site you have just created.
● Click OK.
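The same procedure in PowerShell, plus the check most people forget (subnets
that belong to no site), is shown below as an added example that is not code
from the book. It assumes the ActiveDirectory module; the site name Lagos,
the subnets 10.20.0.0/16 and 2001:db8:20::/48, and the link cost and interval
are placeholders.

```powershell
# Added example (not from the book): create a site, assign its subnets, tune
# the site link, and report subnets not tied to any site. Names and numbers
# are placeholders.
Import-Module ActiveDirectory

New-ADReplicationSite -Name 'Lagos' -Description 'Lagos branch office'
New-ADReplicationSubnet -Name '10.20.0.0/16'      -Site 'Lagos'
New-ADReplicationSubnet -Name '2001:db8:20::/48'  -Site 'Lagos'

# A dedicated link with a higher cost than the default (100) and a 30-minute
# interval. The KCC prefers the lowest-cost path when several exist.
New-ADReplicationSiteLink -Name 'HQ-Lagos' `
    -SitesIncluded 'Default-First-Site-Name', 'Lagos' `
    -Cost 200 -ReplicationFrequencyInMinutes 30 `
    -InterSiteTransportProtocol IP

# Subnets without a site: clients there cannot be placed by the DC locator
# and will authenticate against whichever DC answers first.
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    Select-Object Name, Location

# Which site does this machine think it is in?
nltest /dsgetsite
```

Unassigned subnets also show up in the NETLOGON log on the DCs as NO_CLIENT_SITE
entries, which is the quickest way to discover address ranges nobody told you
about.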
Active Directory Users and Computers
This is the part of Active Directory that most people use from time to time.
With this console you manage the objects in Active Directory and their
attributes: changing passwords, resetting user accounts, adding users to
security groups, creating and deleting organizational units, creating and
managing groups, computers, and users and their attributes, and delegating
control of objects. Domain users are the user accounts created in Active
Directory Users and Computers; with a domain account a user can log on to
many resources using the same credentials.
Creating users
This is one task almost everyone should know how to do; follow the steps
below to create a user.
● In Server Manager, click Tools, then Active Directory Users and Computers.
● Right-click the OU or container in which the user account should be
created.
● Click New and then User.
● Type the first name and last name and choose a logon name.
● Click Next.
● Type a password for the user and type it again in the Confirm Password box.
● On the same page, select User Must Change Password at Next Logon.
● Click Next.
● On the confirmation screen, click Finish.
Creating groups
A domain user account is a good thing: users can move between systems and
applications while using the same account. What is hard to maintain is giving
users direct access to resources. If a user leaves the organization it is
tedious to remove that user from every location he had access to, but with a
domain group you grant access to the group, and when the user leaves you
remove him from the group and disable the account.
Below are instructions for creating a group:
● In Server Manager, click Tools and then Active Directory Users and
Computers.
● Right-click the OU or container in which the group should be created.
● Choose New and then click Group.
● Type the name in the Group Name field.
● Choose the group scope.
● Choose the group type.
● Click OK.
Let us then look at how users are added to groups:
● Double-click the new group.
● Select the Members tab.
● Click Add, type the name of the user, and click OK.
● Click OK to close the dialog box.
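The user and group procedures above, the group scopes from Active Directory
101, and the offboarding path just described all come together in the
following added example (not code from the book). It assumes the
ActiveDirectory module and placeholder names: the OU
OU=Sales,DC=contoso,DC=com, user jdoe, and group Sales-FileShare-RW; the
Disable-Leaver function is my own.

```powershell
# Added example (not from the book): create a user and a global security
# group, add the user, then disable and strip the account when the user leaves.
# OU, user and group names are placeholders.
Import-Module ActiveDirectory
$ou = 'OU=Sales,DC=contoso,DC=com'

# Never put the initial password in the script; prompt for it.
$password = Read-Host -Prompt 'Initial password' -AsSecureString
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.com' `
    -Path $ou -AccountPassword $password `
    -ChangePasswordAtLogon $true -Enabled $true

# Global scope: members from this domain only, usable on resources anywhere
# in the forest. Use DomainLocal for a group that will be granted on a
# resource in this domain but needs members from other domains.
New-ADGroup -Name 'Sales-FileShare-RW' -GroupScope Global `
    -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Sales-FileShare-RW' -Members 'jdoe'

# Grant the resource to the group, never to the user, e.g. on the file server:
#   icacls D:\Shares\Sales /grant "CONTOSO\Sales-FileShare-RW:(OI)(CI)M"

function Disable-Leaver {
    # Offboarding: disable first (the SID stays for audit trails), then remove
    # every group so nothing lingers if the account is ever re-enabled.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Disable-ADAccount -Identity $SamAccountName
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
              Where-Object { $_.Name -ne 'Domain Users' }   # primary group cannot be removed
    foreach ($g in $groups) {
        Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false
    }
    Set-ADUser -Identity $SamAccountName `
        -Description ('Disabled {0:yyyy-MM-dd} by {1}' -f (Get-Date), $env:USERNAME)
    Get-ADUser -Identity $SamAccountName -Properties MemberOf |
        Select-Object SamAccountName, Enabled, @{ n = 'Groups'; e = { @($_.MemberOf).Count } }
}

Disable-Leaver -SamAccountName 'jdoe'
```

Removing the memberships matters because a disabled account that is later
re-enabled by mistake, or whose SID ends up in SIDHistory after a migration,
otherwise comes back with every permission it had on the day it left.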
Managing users and groups
Managing users and groups in the Active Directory Administrative Center
(ADAC) is a simple task. To start, open the Active Directory Administrative
Center from the Tools menu in Server Manager.
Before ADAC existed, many settings could not be applied while creating a
user and had to be set afterwards; with this tool you configure them in one
pass while creating the user, which saves time. ADAC is built on the
ActiveDirectory PowerShell cmdlets, and its Windows PowerShell History pane
at the bottom of the console shows the commands it ran, which is a convenient
way to turn a one-off task into a script.
CHAPTER 5
PERFORMING STANDARD MAINTENANCE
This chapter covers the basic things a system administrator does daily,
including work in the Admin Center. Read through carefully and practise as
often as possible.
Activating Windows
After installing the operating system on a server, the next thing to consider
is activating it. Activation can be done in two ways. The first is automatic
and depends on a Key Management Service (KMS) host being reachable in your
domain: KMS clients find it through DNS and no product key needs to be typed,
because volume-license media already carries a generic volume license key. If
you do not have KMS in your domain, you must activate the server manually,
either from the command line or from the graphical user interface.
Through the graphical user interface
Activating the server from the graphical user interface is easy; it starts
from Server Manager.
Follow the steps below:
● In Server Manager, choose Local Server on the left-hand menu.
● Click the Not Activated link next to Product ID to start activation.
● Type the product key and click Next.
● Click Activate.
● Click Close.
Through the command line
The server can also be activated from the command line. You start by
installing the key with the Windows Software Licensing Management Tool
script, slmgr.vbs.
Installing the key with slmgr.vbs means you:
● Run the script with the /ipk parameter (slmgr also accepts -ipk).
● Replace <product key> with the license key you have been given, including
the dashes.
● A dialog box reports that the product key was installed successfully.
● Click OK.
Once the key is installed, run the same script with the /ato parameter to
complete activation online. When activation succeeds, a dialog box reports
that the product was activated successfully. If you prefer the messages on the
console instead of in dialog boxes, run the script with cscript rather than
the default wscript host.
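The whole command-line sequence, plus the checks around it, is shown below as
an added example that is not code from the book. It assumes an elevated
session; the product key is a placeholder (a real MAK must never be committed
to a script repository), and kms01.contoso.com is a placeholder KMS host. The
Invoke-Slmgr wrapper is my own; it treats an "Error:" line in the script's
output as failure because slmgr reports problems that way.

```powershell
# Added example (not from the book): key installation and activation with
# slmgr.vbs under cscript, with a check on each step. The key and KMS host
# are placeholders.
$slmgr      = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
$productKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, not a real key

function Invoke-Slmgr {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # //nologo suppresses the cscript banner; output comes back as text lines.
    $out = & cscript.exe //nologo $slmgr @Arguments 2>&1
    if ($out -match '^Error:') {
        throw "slmgr $($Arguments -join ' ') failed: $($out -join ' ')"
    }
    return $out
}

'--- Current licence state ---'
Invoke-Slmgr -Arguments '/dli'

# Manual (MAK or retail) path: install the key, then activate online.
Invoke-Slmgr -Arguments '/ipk', $productKey
Invoke-Slmgr -Arguments '/ato'

# KMS path instead: point at the host (or rely on DNS SRV discovery) and
# activate; the generic volume key is already present on VL media.
#   Invoke-Slmgr -Arguments '/skms', 'kms01.contoso.com:1688'
#   Invoke-Slmgr -Arguments '/ato'

'--- Result and expiry ---'
Invoke-Slmgr -Arguments '/xpr'   # KMS clients show a 180-day expiry that renews
```

The /xpr output is worth checking on KMS clients: a server that cannot reach
the KMS host keeps working until the 180-day period lapses and then drops out
of activation, typically long after the network change that caused it.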
Configuring the User Interface
Most people want things arranged the way they prefer, and the user interface
lets you do that. Below are ways to personalize it.
Folder options dialog box
The Folder Options dialog box has three tabs: General, View, and Search. To
open it:
● Open File Explorer.
● Select the View tab.
● Click Options, then Change Folder and Search Options.
The General tab
The General tab lets you set some useful parameters for the whole user
interface. File Explorer can be configured to open by default to This PC or to
Quick Access. You can also choose to single-click instead of double-click to
open files, configure Quick Access to show frequently used folders, and decide
how folders open.
The View tab
The View tab lets you choose how folders and items are displayed. Some
prefer to hide file extensions and show hidden files, drives, and folders;
whichever you want, the View tab is where to set it. For an administrator,
showing extensions and hidden items is the safer choice, since a file named
invoice.pdf.exe is much easier to spot that way.
The Search tab
This tab controls how searches work across the files and folders on the
operating system: whether to match file names only or file contents as well,
and whether to search inside compressed files.
Personalization settings
In Windows Server 2022 personalization has its own section in the Settings
app. To open it:
● Click the Start menu.
● Click the gear icon to open Settings.
● Click Personalization.
Below are the areas of the personalization menu where you can make changes:
● Themes: choose the theme Windows Server 2022 uses. A theme changes the
look of the server through its background, colours, and cursor.
● Lock Screen: choose the image shown on the lock screen, either from your
own collection or from stock photos, much as on a smartphone.
● Start: decide what appears on your Start menu; you can show more
applications for quick access, or make Start fill the whole screen.
● Fonts: view the installed fonts and install new ones. Click a font to see
a preview and its details.
Setting your Regional and Language Options
This section lets you set the region, language, speech settings, and date and
time.
To open this menu:
● Click the Start menu.
● Click the gear icon to open Settings.
● Click Time & Language.
Understanding How User Access Control Affects
Maintenance Tasks
User Account Control (UAC) helps prevent malicious programs (malware) from
damaging a computer, and it helps organizations deploy a better-managed
desktop. With UAC enabled, applications and tasks run in the security context
of a standard user unless an administrator explicitly authorizes
administrator-level access to the system.
Whenever a program wants to change the system, UAC prompts for approval. If
you are logged on as a standard user, you must supply the password or PIN of
an administrator account. Note that the built-in Administrator account is
exempt by default (it runs with a full token and is not prompted) unless Admin
Approval Mode is enabled for it by policy.
There are about four settings within the level of the UAC. They are;
● Notify Me Only When Apps Try to Make Changes to My Computer:
As implied, this option will always give you a notification when any
program is attempting to make certain changes to your system. If you are
logged in as an admin, simply answer yes or no but if not, there is a need
for you to use an administrator account and also insert the password once
it prompts.
● Always Notify: This option provides adequate security as it will always
prompt you whenever an application or a user attempt to make a change
that needs the approval of the administrator.
● Never Notify: This option can be very risky as it can open your system to
threats and might damage it in the long run. This option is basically
asking you to turn off the UAC, please do your best to avoid this option.
● Notify Me Only When Apps Try to Make Changes to My Computer
(Do Not Dim My Desktop): This option will also notify you when an
app or user wants to make changes to your system, you can choose to
continue to do this in the background and ignore the prompts of the
UAC.
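The four levels above correspond to a handful of registry values, so you can audit a server's UAC setting without opening the control panel. The script below is an added example, not the book's own material; the registry key and value names are the ones Windows uses, while the mapping from those values to the level names above is this example's own reading of them.

```powershell
# Added example: read the UAC policy values and report which of the four
# notification levels they correspond to. Key and value names are the ones
# Windows documents; the level mapping and the Risk rating are this script's own.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacValue {
    param([string]$Name, [int]$Default)
    # A value that has never been written is absent; fall back to the OS default.
    $v = (Get-ItemProperty -Path $uacKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

function Get-UacLevel {
    $enabled = Get-UacValue -Name 'EnableLUA'                  -Default 1
    $admin   = Get-UacValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
    $secure  = Get-UacValue -Name 'PromptOnSecureDesktop'      -Default 1

    if ($enabled -eq 0) {
        $level = 'UAC switched off entirely (EnableLUA=0)'
    } elseif ($admin -eq 2 -and $secure -eq 1) {
        $level = 'Always Notify'
    } elseif ($admin -eq 5 -and $secure -eq 1) {
        $level = 'Notify Me Only When Apps Try to Make Changes to My Computer (default)'
    } elseif ($admin -eq 5 -and $secure -eq 0) {
        $level = 'Notify Me Only When Apps Try to Make Changes (Do Not Dim My Desktop)'
    } elseif ($admin -eq 0) {
        $level = 'Never Notify'
    } else {
        $level = "Custom policy (ConsentPromptBehaviorAdmin=$admin, PromptOnSecureDesktop=$secure)"
    }

    [pscustomobject]@{
        EnableLUA                  = $enabled
        ConsentPromptBehaviorAdmin = $admin
        PromptOnSecureDesktop      = $secure
        Level                      = $level
        # No prompt at all is the dangerous case; a prompt off the secure desktop is weaker than one on it.
        Risk = $(if ($enabled -eq 0 -or $admin -eq 0) { 'High' } elseif ($secure -eq 0) { 'Medium' } else { 'Low' })
    }
}

Get-UacLevel | Format-List
```

Run it in an elevated window on each server you maintain; anything reported as High is a server where a program can make system changes without anyone approving them.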
Adding and Removing Standard Applications
In the same manner as Windows 10, Windows Server 2022 can also make use of
the Windows App Store to install standard applications. There is also the option
of inserting a disc or flash drive into its respective drive and then double-clicking
the package installer to complete the installation.
Note that apps can also be removed with ease. Simply:
● Click on the Start menu.
● Choose the gear icon to gain access to Settings.
● Then click on Apps, select the preferred app, and then click on the
Uninstall button.
Measuring Reliability and Performance
As a system administrator, there is always a need to measure the performance of
the server you are operating. There might be times when the server completes
every execution in a flash and other times when you find the server far too slow.
With Windows Server 2022, you can always check the performance of your
system and identify the areas you might need to work on. You can also check
memory usage, disk usage, and network usage. The most common tools used to
do this are Resource Monitor, Task Manager, and Performance Monitor.
Performance Monitor
Performance Monitor is used basically for viewing real-time statistics. It helps
you look at the impact that running applications are having on the general
performance of your system. Performance Monitor can help you keep track of
memory (RAM) usage and also central processing unit (CPU) usage. You can also
check the performance of specific software, hardware, and other services running
on the system.
It can be somewhat difficult to find the counter that actually provides the
information you need, so you should play around a little; this way you get to
find the right counter for the right information.
You can also add more counters to Performance Monitor by following the steps
below:
● Click on Performance Monitor.
● Select the plus (+) sign on the menu bar.
● On the Add Counters screen, expand Processor and then choose
Interrupts/sec. This will then be highlighted; select the Add button and
then click OK.
● Double-click on the new counter, choose a color that is clearly different
from the default counter's color, and then select the OK button.
Resource Monitor
Resource Monitor is basically used to troubleshoot Windows performance issues.
It is also a way of viewing performance data: it combines performance counter
data with Windows Event Tracing data.
With this monitor, you can easily see the process that is using the largest amount
of disk, memory, or network bandwidth. To get more detail on this information,
you can click on the tabs for CPU, Memory, Network, or Disk.
Task Manager
Task Manager is a very powerful tool loaded with useful information, ranging
from the overall resource usage of the system to detailed statistics for every
process running on it, and it lets you stop running processes or applications that
are not responding properly. Task Manager also gives a quick glance at memory,
CPU, and network utilization.
The easiest way to gain access to Task Manager is to:
● Right-click the taskbar and then select Task Manager.
If you need to stop a process or an application that is not responding properly,
in Task Manager simply:
● Open Task Manager and then choose the application that is not
responding.
● Then click on the End Task option.
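The same information can be pulled from PowerShell, which is handy on Server Core or when you want to record it over time. The following is an added example rather than code from the book; it samples the Interrupts/sec counter added in the Performance Monitor steps above, then lists the top consumers and any windowed process that has stopped responding, the way Task Manager does.

```powershell
# Added example: counter sampling and process inspection from PowerShell.
function Get-InterruptRate {
    param([int]$Samples = 5)
    # Same counter as in the Performance Monitor steps, sampled once per second.
    $data = Get-Counter -Counter '\Processor(_Total)\Interrupts/sec' `
                        -SampleInterval 1 -MaxSamples $Samples
    $values = $data | ForEach-Object { $_.CounterSamples[0].CookedValue }
    [pscustomobject]@{
        Samples = $Samples
        Average = [math]::Round(($values | Measure-Object -Average).Average, 1)
        Maximum = [math]::Round(($values | Measure-Object -Maximum).Maximum, 1)
    }
}

function Get-TopProcesses {
    param([int]$Count = 5)
    # CPU is cumulative processor seconds; WorkingSet64 is resident memory in bytes.
    Get-Process |
        Sort-Object -Property CPU -Descending |
        Select-Object -First $Count -Property Name, Id,
            @{ n = 'CPU(s)';   e = { [math]::Round($_.CPU, 1) } },
            @{ n = 'MemoryMB'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }
}

function Get-HungProcesses {
    # Responding is $false when a windowed process stops handling messages;
    # processes without a window are always reported as responding, so skip them.
    Get-Process |
        Where-Object { $_.MainWindowHandle -ne 0 -and -not $_.Responding } |
        Select-Object Name, Id, MainWindowTitle
}

Get-InterruptRate | Format-List
Get-TopProcesses  | Format-Table -AutoSize
$hung = Get-HungProcesses
if ($hung) {
    $hung | Format-Table -AutoSize
    # The equivalent of End Task. Left commented out so the script only reports.
    # $hung | Stop-Process -Confirm
}
```

Stop-Process with -Confirm asks before each kill, which is the safer default on a server where a "hung" window may simply be a long-running installer.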
Protecting the Data on Your Server
No one ever wants to go through the trauma of losing a very important document
that is critical to the existence of an organization. With Windows Server 2022,
you can keep your data safe by backing it up and restoring it with Windows
Server Backup.
You need to install this feature before using it. Go through the steps below to
have it installed on your server:
● Open Server Manager, select Manage, and then choose the Add Roles
and Features option.
● On the Before You Begin screen, choose Next.
● On the Select Installation Type screen, click Next.
● On the Select Destination Server screen, click Next.
● On the Select Features screen, scroll down and then choose Windows
Server Backup.
● Select Next.
● Click on the Install button.
● When the installation is complete, click on the Close button.
Backing Up
There is always a need to back up the data on your server; this way you can
prevent data loss. There are basically two different ways to create a backup in
Windows Server 2022: creating a one-time backup and creating a scheduled
backup.
Creating a one-time backup
When you want to perform a task on your servers such as a software upgrade or
maintenance, you can use this option to quickly save all your important files
before you commence the task.
Follow the steps below to create a one-time backup:
● Open Server Manager, click on Tools, and then choose Windows
Server Backup.
● In the Windows Server Backup console, click on Backup on the right
of the screen.
● This brings you to the Backup Options screen; click on Different
Options and then click Next.
● Choose the Add Items option and then decide what you want to have
backed up.
● Select the OK button and then click on Next.
● On the Specify Destination Type screen, make your preferred choice.
● Click on the Next button.
● On the Select Backup Destination screen, select the drive you prefer to
back up to and then click on the Next button.
● On the Confirmation screen, select the Backup option and the backup
process will commence.
Creating a scheduled backup
A scheduled backup is one that backs up your data automatically at the specific
dates and times you have configured for it.
To configure a scheduled backup on your server, follow the steps below:
● Open Server Manager, click on Tools, and then Windows Server
Backup.
● In the Windows Server Backup console, select Backup Schedule on the
right side of the screen.
● This takes you to the Getting Started screen; choose Next.
● On the Select Backup Configuration screen, click on Custom and then
click on the Next button.
● Select Add Items and then choose what you want to be backed up.
● Select OK and then click on the Next option.
● On the Specify Destination Type screen, make your preferred choice.
● Select the Next button.
● On the Select Destination Disk screen, choose the disk you wish to back
up to.
● Once you have chosen your preferred backup disk, choose Next.
● Click Yes.
● On the Confirmation screen, select the Finish button.
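Both kinds of backup can also be created with the WindowsServerBackup PowerShell module, which is useful when you want the same policy on several servers. The script below is an added example, not material from the book; the volume letter and the network share path are placeholders, and the policy it builds (one volume plus the system state, sent to a shared folder) is this example's own choice.

```powershell
# Added example: one-time and scheduled backups with the WindowsServerBackup module.
# Install the feature if it is missing, then load the module it provides.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup
}
Import-Module WindowsServerBackup

$sourceVolume = 'D:'                   # placeholder: volume to protect
$targetPath   = '\\BACKUPSRV\Backups'  # placeholder: remote shared folder

function New-VolumeBackupPolicy {
    param([string]$Volume, [string]$Target)
    $policy = New-WBPolicy
    # The "Add Items" choices: one volume plus the system state.
    Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath $Volume)
    Add-WBSystemState -Policy $policy
    # The "Specify Destination Type" choice: a remote shared folder.
    $dest = New-WBBackupTarget -NetworkPath $Target
    Add-WBBackupTarget -Policy $policy -Target $dest
    $policy
}

# One-time backup: run the policy now without saving it as the server's schedule.
$once = New-VolumeBackupPolicy -Volume $sourceVolume -Target $targetPath
Start-WBBackup -Policy $once -Force

# Scheduled backup: attach a daily 21:00 run and save it as the server's policy.
$scheduled = New-VolumeBackupPolicy -Volume $sourceVolume -Target $targetPath
Set-WBSchedule -Policy $scheduled -Schedule ([datetime]'21:00')
Set-WBPolicy -Policy $scheduled -Force

# Confirm what is now configured on this server.
Get-WBPolicy | Select-Object Schedule, VolumesToBackup, BackupTargets
```

The account running the scheduled policy needs write access to the share, and a share that only the backup account can write to protects the backups themselves from being deleted by malware running under an ordinary user.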
Restoring the System
Windows Server Backup also provides an option to restore the system in case of
a malware attack or any other form of damage or data loss.
Follow the steps below to restore a system:
● Open Server Manager, click on Tools, and then Windows Server
Backup.
● In the right-hand menu, choose Recover.
● On the Getting Started screen, choose where the backup is stored.
● Choose the Next option.
● Select the available backup that suits your need.
● Select the Next button.
● Choose the items you wish to recover.
● Click on the Next button.
● Browse through the tree until you find what you are looking for.
● Click on the Next button.
● On the Specify Recovery Options screen, choose the recovery
destination and how the restore should respond (replace or ignore) if it
finds items with the same name in the destination.
● Click on the Next button.
● On the Confirmation screen, select Recover.
● Click on the Close button when the recovery has completed.
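The recovery above can be scripted with the same module, which matters most after a malware incident, when you want to restore from a backup taken before the infection rather than the latest one. This is an added example (not the book's); the source and target paths are placeholders, and the -Option values correspond to the replace-or-ignore choice on the Specify Recovery Options screen.

```powershell
# Added example: recover a folder from the newest backup taken before a chosen time.
Import-Module WindowsServerBackup

function Restore-FolderFromBackup {
    param(
        [string]$SourcePath,                      # path as it existed on the backed-up volume
        [string]$TargetPath,                      # recovery destination
        [ValidateSet('SkipIfExists', 'CreateCopyIfExists', 'OverwriteExisting')]
        [string]$OnConflict = 'SkipIfExists',     # what to do when a name already exists
        [datetime]$Before = (Get-Date)            # ignore backups taken after this time
    )
    # Pick the most recent backup set older than the cut-off; after an incident,
    # pass the time the compromise is believed to have started.
    $set = Get-WBBackupSet |
        Where-Object { $_.BackupTime -le $Before } |
        Sort-Object BackupTime -Descending |
        Select-Object -First 1
    if (-not $set) { throw "No backup set found before $Before" }

    Start-WBFileRecovery -BackupSet $set -SourcePath $SourcePath `
        -TargetPath $TargetPath -Recursive -Option $OnConflict -Force

    # Return the set that was used so the recovery can be recorded.
    $set | Select-Object VersionId, BackupTime, BackupTarget
}

# Placeholder paths; recover into a separate folder rather than over the original.
Restore-FolderFromBackup -SourcePath 'D:\Shares\Finance' `
    -TargetPath 'D:\Recovered' -OnConflict 'SkipIfExists'
```

Recovering to a separate folder first lets you inspect the files before replacing anything in place.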
Performing Disk Management Tasks
It is essential to know how to manage the storage on your servers, as this can
increase your servers' performance.
Managing storage
The File and Storage Services area in Server Manager does almost everything
that has to do with storage management in Windows Server 2022. From this
section you can manage volumes, storage pools, and disks effectively.
Managing disks
This task can also be completed in the File and Storage Services area of Server
Manager.
Follow the steps below to get this done:
● Open File and Storage Services and click on Disks. With this, you gain
access to the disks and can manage the physical disks, logical disks, and
volumes.
When you right-click on a drive, you are presented with various options such as
bringing an offline disk online, creating a new volume, or totally resetting the
disk.
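The same disk actions are available from the Storage PowerShell module. The script below is an added example, not the book's; the disk number and volume label are placeholders. It brings an offline disk online and creates a volume on it, and deliberately refuses to reset a disk that already has a partition table, since resetting destroys the data on it.

```powershell
# Added example: list disks, then bring a new disk online and create a volume on it.
function Get-DiskSummary {
    Get-Disk | Select-Object Number, FriendlyName, OperationalStatus, PartitionStyle,
        @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
}

function Initialize-NewDataDisk {
    param([int]$Number, [string]$Label = 'Data')
    $disk = Get-Disk -Number $Number
    # A disk with an existing partition table holds data. The "reset disk" action
    # (Clear-Disk -RemoveData) is intentionally not performed here.
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $Number already has a $($disk.PartitionStyle) partition table; refusing to initialize it"
    }
    # Bring an offline or read-only disk online, as the right-click menu does.
    if ($disk.IsOffline)  { Set-Disk -Number $Number -IsOffline  $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $Number -IsReadOnly $false }
    # Create a new volume spanning the whole disk.
    Initialize-Disk -Number $Number -PartitionStyle GPT
    New-Partition -DiskNumber $Number -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
}

Get-DiskSummary | Format-Table -AutoSize
# Initialize-NewDataDisk -Number 1 -Label 'Backups'   # placeholder disk number; uncomment to run
```

Check the summary output before uncommenting the last line: the disk number, not the friendly name, is what the cmdlets act on.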
Automating Diagnostic Tasks with Task Scheduler
Task Scheduler offers a means by which various tasks can be executed
automatically on the server. It can be used to specify a particular time or an
event that tells Windows when it should start work. For instance, you can ask
Task Scheduler to defragment your hard drive automatically.
To get to Task Scheduler, simply:
● Open Server Manager.
● Select Tools.
● Choose Task Scheduler. The Task Scheduler screen is then displayed.
There are many things that can be done with Task Scheduler, including
discovering the status of a task and making use of preconfigured tasks.
If you need to discover the status of any task within Task Scheduler:
● Click on Task Scheduler and view the Status column.
In the Status column, these are some of the statuses that might be displayed:
● Running: This means that the task you scheduled is currently being
executed.
● Ready: This simply means that the task you scheduled is waiting to be
executed.
● Disabled: This means that the task you scheduled will not run.
There are a number of preconfigured tasks that you can make use of in Windows
Server 2022. For example, a disk cleanup task is configured to run on its own; it
frees disk space automatically when the system begins to lag as a result of low
space.
If you need to make certain changes to a preconfigured task, such as the time it
should start, simply:
● Double-click on the task.
● Make your preferred changes.
● Select the OK button.
You can also create your own tasks, as you are not confined to using the
preconfigured tasks alone.
Follow the steps below to create a task of your own:
● Open Server Manager, click on Tools, and then Task Scheduler.
● Choose the Task Scheduler Library.
● Click on Create Task on the right side of the menu.
● On the General tab, enter a name of your choice for the task, choose the
user you prefer the task to run under, and then choose the OS you would
like to configure it for.
● Select the Triggers tab and then choose the New option.
● Beneath Begin the Task, choose the On a Schedule option.
● In the Settings area, choose Daily and then choose the time you would
like the task to run.
● Beneath Advanced Settings, choose the option Stop Task if it Runs
Longer Than and choose a reasonable time frame.
● Select the OK button to save the trigger.
● Select the Actions tab and choose Start a Program.
● In Program/Script, choose the Browse option and choose the script that
you would like the task to execute.
● Ensure you include any arguments that may be needed, then click on the
OK button.
● Finally, select the OK button to save the task.
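The Create Task steps above, together with the status check, can be reproduced with the ScheduledTasks module, which also makes the task easy to review later. The script below is an added example, not code from the book; the task name, script path and schedule are placeholders.

```powershell
# Added example: create a daily task the way the Create Task dialog does, then read its status.
$taskName   = 'Nightly-Diagnostics'          # placeholder
$scriptPath = 'C:\Scripts\Collect-Diag.ps1'  # placeholder

function Register-DailyDiagnosticTask {
    param([string]$Name, [string]$Script, [string]$At = '02:00')
    # Actions tab: Start a Program, with its arguments. The script path is quoted
    # so a path containing spaces cannot be split into a different program name.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy AllSigned -File `"$Script`""
    # Triggers tab: On a Schedule, Daily, at the chosen time.
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    # Advanced Settings: Stop Task if it Runs Longer Than one hour.
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)
    # General tab: the user the task runs under; here the built-in SYSTEM account.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -Settings $settings -Principal $principal -Force
}

function Get-TaskStatus {
    param([string]$Name)
    $task = Get-ScheduledTask -TaskName $Name
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Name       = $task.TaskName
        State      = $task.State            # Ready, Running or Disabled, as in the Status column
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult   # 0 means the last run succeeded
        NextRun    = $info.NextRunTime
    }
}

Register-DailyDiagnosticTask -Name $taskName -Script $scriptPath | Out-Null
Get-TaskStatus -Name $taskName | Format-List
```

Because the task runs as SYSTEM, the script file it points at should be writable only by administrators; otherwise whoever can edit the file runs code with that account's rights at the next trigger.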
Working with Remote Desktop
With Remote Desktop, you are able to connect to the console of a Windows
Server system without necessarily being there physically. There are various ways
in which Remote Desktop can be configured to give you that seamless control.
● Get on the server from which you will be using Remote Desktop.
● Select the Start menu.
● Choose the Windows Accessories option.
● Click on Windows Accessories.
● Finally, enter the name of the system that you would like to connect to
and then click on the Connect button.
● A prompt is displayed requesting credentials to enable you to log in to
the other server.
● Enter the username and password and then click on the OK button.
If the system is one you use frequently, below are some of the settings you can
choose to configure and save into a Remote Desktop Protocol (RDP) file:
● Accessing local resources: Once you have Remote Desktop Connection
open and the Options section expanded, choose the Local Resources tab.
With this tab, you can manage the local devices that are passed through
the remote connection, such as drives and the clipboard; you can also
configure the audio settings and how the keyboard behaves in a remote
session.
● Optimizing performance: Once you have Remote Desktop Connection
open and the Options section expanded, choose the Experience tab. Have
it configured for whichever connection you are using: low-speed,
satellite, WAN, or LAN. You can also select whether you would like the
connection to reconnect if it is dropped.
● Setting display configuration: Once you have Remote Desktop
Connection open and the Options section expanded, choose the Display
tab. From within this tab, you can choose the size of the remote window
and enable support for multiple monitors; note that the color depth has
already been set to the highest quality by default, which is 32 bits.
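The Local Resources, Experience and Display choices are stored in the saved RDP file as plain text settings, so you can generate the file instead of clicking through the dialog every time. The script below is an added example rather than the book's; the server name is a placeholder, and the setting names are the standard ones the Remote Desktop Connection client writes to an .rdp file. Leaving drive and clipboard redirection off limits what a remote session can reach on your local machine.

```powershell
# Added example: write a saved .rdp file with the Local Resources, Experience
# and Display choices from this section made explicitly.
function New-RdpProfile {
    param(
        [string]$Server,
        [string]$Path,
        [bool]$ShareDrives    = $false,   # Local Resources: pass local drives through
        [bool]$ShareClipboard = $false,   # Local Resources: pass the clipboard through
        [int]$ConnectionType  = 7,        # Experience: 1 modem, 3 satellite, 5 WAN, 6 LAN, 7 detect automatically
        [bool]$MultiMonitor   = $false    # Display: use all local monitors
    )
    $lines = @(
        "full address:s:$Server"
        "redirectdrives:i:$([int]$ShareDrives)"
        "redirectclipboard:i:$([int]$ShareClipboard)"
        "redirectprinters:i:0"
        "audiomode:i:0"                     # Local Resources: play remote audio on this computer
        "connection type:i:$ConnectionType"
        "autoreconnection enabled:i:1"      # Experience: reconnect if the connection is dropped
        "session bpp:i:32"                  # Display: highest quality, 32 bits
        "use multimon:i:$([int]$MultiMonitor)"
        "authentication level:i:2"          # warn if the server's identity cannot be verified
        "prompt for credentials:i:1"        # always ask; never store the password in the file
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    Get-Item -Path $Path
}

# Placeholder server name; the file lands in your Documents folder.
New-RdpProfile -Server 'SERVER01.example.local' -Path "$env:USERPROFILE\Documents\SERVER01.rdp"
```

Double-clicking the resulting file opens Remote Desktop Connection with these options already set; the Options section still lets you change them for a single session.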
Working with Remote Server Administration Tools
Remote Server Administration Tools (RSAT) enables you to manage all the roles
and features on your system effectively. You can install this great tool on your
desktop or a server and then use it to manage other servers remotely.
If you want to control another server with the use of RSAT, follow the steps
below to add a server to Server Manager:
● Select the Start button, open Server Manager, and then click the All
Servers option.
● Right-click on All Servers and then select the Add Servers option.
● Look for the name of the system.
● Choose the server that you would like to use and then select the arrow to
move the chosen servers to the Selected box.
● Select the OK button.
● Right-click on the newly added server and then click on Start
Performance Counters.
Working with Admin Center
Windows Admin Center is a very useful tool: it replaces both the PC-hosted
Remote Server Administration Tools and the on-desktop Server Manager, and it
is a recent web front end to the management APIs that have been part of Windows
Server over the past decade.
If you have ever used PowerShell Remoting to manage servers, then you should
be very familiar with most of the principles of the Admin Center. Upon authorizing
and connecting to the Windows Management interface found on a server, you
have access to all the services and tools you will have encountered, from working
with the server hardware to managing Active Directory or controlling virtual
infrastructure that runs on Azure. The main strength of Windows Admin Center
lies in installing it on a server and then making that your management server.
Below are some of the administrative tasks that can be done with Windows Admin
Center.
Connecting to a server
Once you open Windows Admin Center, it takes you to a default page that shows
all of the connections.
Go through the step-by-step instructions below on how to add a new server:
● Select the Add button, then click on the Add Server Connection option.
● Choose Add One Server and then enter the name of the server.
● Choose the Submit option.
That is all there is to adding a server; the connection is set automatically to use
the credentials of the logged-in user.
Managing your servers with Windows Admin Center
You can manage your servers with Windows Admin Center.
● Select the name of the system you would like to manage.
● Your view then changes to the Server Manager view.
With that done, you can manage the system and do whatever you want to do with
it. The most recent version of Windows Admin Center has many new Azure
functions, which include the ability to control Azure Backup, Azure Security
Center, and lots more.
Creating a Windows Recovery Drive
Creating a Windows recovery drive is a very good idea. Once this is done, if your
server happens to develop issues such as a hardware failure, you will have the
recovery drive to come to your rescue. Note that Windows runs updates
periodically in order to improve security and performance, hence I recommend
that you recreate the recovery drive annually. Note also that your personal files
are not backed up to the recovery drive. It is best to use a USB drive with at
least 16 gigabytes of storage space.
Take the steps below to create a recovery drive:
● Insert a blank USB flash drive into the system.
● Select the Start menu, scroll down to Windows System, and then select
Control Panel.
● Change the view from Category to Large Icons.
● Choose the Recovery option, then select the Recovery Drive option.
● On the Create a Recovery Drive screen, select the Next option.
● When the system locates the drive, select the Next option.
● Finally, click on the Create button.
With the completion of this chapter, you will have learned how to perform
standard maintenance and also how to work with Remote Desktop, Remote
Server Administration Tools, and Windows Admin Center.
CHAPTER 6
WORKING AT THE COMMAND LINE
Working with the command prompt is almost inevitable; you will have had cause
to use it at one time or another. This prompt is a launching point for quite a
number of diagnostic utilities and it is also a very great resource for bringing
together diverse information.
In this chapter, I will shed more light on how to go about working with the
command line and also how you can personalize the command prompt to your
taste.
Opening an Administrative Command Prompt
Opening the command prompt is quite simple, especially in Windows Server
2022.
Take the steps below to have this done:
● Select the Start menu.
● Scroll down to Windows System and then choose the Command Prompt
option.
● This then launches the Command Prompt.
Configuring the Command Line
Customizing the command prompt can be very nice, as it gives you a sense of
ownership, having the prompt work just the way you like it to.
● Right-click on the menu bar.
● Select Properties.
● Finally, set your preferred customizations.
Note that the configured customizations only last for the duration of the open
session.
If you would like to save the settings permanently:
● Right-click on the menu bar and then click on Defaults.
● The Properties and Defaults menus are almost identical.
Below is a rundown of the various customizations you can perform.
Command History
This option enables you to simply use the arrow keys on your keyboard to move
through previously used commands, which can save you a lot of time retyping a
command if you are doing something similar. It has a buffer size of 50 by
default, but you can choose to either increase or decrease it.
Edit Options
There are quite a number of different ways in which you can edit things in the
command prompt:
● Enable Ctrl Key Shortcuts: This provides you with the option of using
Ctrl shortcuts such as Ctrl + C, which is used to copy, and Ctrl + V,
which is used to paste.
● Insert Mode: This option enables you to type just where the cursor is
placed.
● Quick Edit Mode: With this option, you can use the mouse to copy and
paste text into and from the Command Prompt window.
Changing the font
Customizing fonts is very easy and straightforward; the Font tab lets you choose
the size of the font you want and also your preferred font. It also gives you a
preview so you know how the font will look before you finally decide on it.
Making Use of the Legacy Console
With the Legacy console, you can turn off many of the more recent features that
have been included with the Command Prompt. This might simply be for the sake
of compatibility, or you might want to do it if you feel the new Command Prompt
features disrupt your work.
Text Colors
With the Colors tab, you can configure the color of the text and background used
in the Command Prompt. Amazing, yeah! As you must have observed, the
command prompt has a black background and off-white text, but you can change
these colors to whatever you want to make it look more appealing to you.
There is a new tab that has just been introduced with Windows Server 2022,
known as the Terminal tab, which gives room for more customization of the
command prompt.
This tab comes with four new options, and they are:
● Cursor Shape: In this section, there are various ways you can choose to
make your cursor appear: an underscore, a solid or an empty box, a
vertical bar, and so on.
● Terminal Colors: Changes can be made to both the background and the
foreground of the Command Prompt within the Terminal Colors section.
● Terminal Scrolling: This option is enabled by default. It allows you to
move through the command history that has been saved in the buffer.
● Cursor Colors: As the name implies, this allows you to make changes to
the color of the cursor within the Command Prompt.
Setting Environment Variables
When you use Windows, environment variables are not often seen. That being
said, there are some instances, especially when using the command line, where
configuring and updating environment variables is a necessity.
There are basically two types of environment variable. They are the user
variable, which applies to an individual user, and the system variable, which
applies to every user. There are a lot of environment variables; if you wish to
know the ones on your system, type set | more at the command prompt and you
will get output listing all of the environment variables that can be found on the
system.
The most commonly used variable is the Path variable, which you alter when
you want to include a directory in your path so that you can execute programs in
that directory without having to navigate to the directory itself.
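The same tasks can be done from PowerShell, which also makes it easy to check what is already in your path. The script below is an added example, not the book's; it lists the variables, adds a directory to the user Path permanently, and reports any machine Path directory that is missing or that ordinary users can write to, which matters because Windows searches the Path in order when it looks for a program to run.

```powershell
# Added example: list environment variables, extend the user Path, and audit the machine Path.
function Get-EnvironmentSummary {
    # The PowerShell equivalent of "set | more".
    Get-ChildItem Env: | Sort-Object Name | Select-Object Name, Value
}

function Add-UserPathEntry {
    param([string]$Directory)
    # 'User' changes the variable for this account only; 'Machine' would change it for every user.
    $current = [Environment]::GetEnvironmentVariable('Path', 'User')
    $entries = @($current -split ';' | Where-Object { $_ })
    if ($entries -contains $Directory) { return $entries }
    $entries += $Directory
    [Environment]::SetEnvironmentVariable('Path', ($entries -join ';'), 'User')
    # New consoles pick the change up; update the current session as well.
    $env:Path = "$env:Path;$Directory"
    $entries
}

function Test-PathEntries {
    # Every directory on the machine Path should exist and be writable only by
    # administrators; a first-pass check against the common non-admin identities.
    $current = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($current -split ';' | Where-Object { $_ })) {
        $exists = Test-Path -LiteralPath $dir
        $weak = $false
        if ($exists) {
            $acl  = Get-Acl -LiteralPath $dir
            $weak = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and
                $_.FileSystemRights -match 'Write|Modify|FullControl'
            })
        }
        [pscustomobject]@{ Directory = $dir; Exists = $exists; WritableByUsers = $weak }
    }
}

Get-EnvironmentSummary | Format-Table -AutoSize
Test-PathEntries       | Format-Table -AutoSize
# Add-UserPathEntry -Directory 'C:\Tools'   # placeholder directory; uncomment to add it
```

A directory reported as WritableByUsers deserves a closer look at its permissions, since any program dropped there by an ordinary user is found by name before directories later in the Path.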
Getting Help at the Command Line
There are definitely times when you will need help with the command line.
Getting such help is, however, very easy: type the command followed by /? or
use -help. If, on the other hand, you would like general help at the command
prompt, like a guide on what can be done:
● Type help and then press the Enter key. With this, you get a list of all of
the commands that you can execute at that point.
Understanding Command-Line Symbols
With symbols you can send the output of a command to a file and you can also
combine commands.
Below is a list of symbols that can be used in the Command Prompt window.

Symbol  Example                   Description
<       command < file.txt        Runs the command and feeds the contents of the
                                  file to the command as its input.
>>      command >> file.txt       Close to the single > symbol, except that this
                                  appends to the file if it already exists instead
                                  of overwriting it.
|       command A | command B     Sends the output of command A to the input of
                                  command B.
&       command A & command B     Executes both command A and command B.
||      command A || command B    Executes command B only when command A has not
                                  executed successfully.
@       @echo off                 Typing the @ symbol suppresses the echo of
                                  whatever comes after it on that line. It is not
                                  really a command; think of it as an optional
                                  flag that keeps that line from being shown in
                                  the log of your server.
>       command > file.txt        Writes the output of the command to the file
                                  named. If the file does not exist, it is
                                  created; if it does exist, it is overwritten.
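To see each symbol at work, the batch file below uses every one of them and is run through cmd.exe from PowerShell so that the output can be captured. It is an added example and not part of the book; the batch file is constructed here and is written to a temporary folder that is removed afterwards.

```powershell
# Added example: every symbol from the table exercised once in a constructed batch file.
$batchText = @'
@echo off
cd /d "%~dp0"
rem The single redirect writes the file (overwriting it); the double one appends.
echo first line> out.txt
echo second line>> out.txt
rem The input redirect feeds the file to the command: sort reads out.txt.
sort < out.txt
rem The pipe sends the output of one command into the input of another.
type out.txt | find /c "line"
rem The single ampersand runs both commands, whatever the result of the first.
echo left & echo right
rem The double bar runs the second command only when the first one fails.
dir does_not_exist.txt >nul 2>&1 || echo dir failed, so this line ran
'@

function Invoke-SymbolDemo {
    $dir = Join-Path $env:TEMP ('symdemo_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    $batchPath = Join-Path $dir 'demo.cmd'
    try {
        Set-Content -Path $batchPath -Value $batchText -Encoding Ascii
        # Run the batch file and return every line cmd.exe prints.
        & cmd.exe /c $batchPath 2>&1
    } finally {
        # Remove the folder, the batch file and out.txt.
        Remove-Item -Recurse -Force $dir
    }
}

Invoke-SymbolDemo
```

Because the batch file begins with @echo off, none of its command lines are echoed; only their output appears, which is exactly the effect the @ row of the table describes.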
In this chapter, you will have learned how important the command prompt and
the command line are, especially when it comes to Windows Server.
CHAPTER 7
WORKING WITH POWERSHELL
Over the years, the command prompt has been widely used, but Microsoft has
now been leaning heavily towards PowerShell. This is simply because, with
PowerShell, you can do almost everything you can with the command prompt
and much more.
PowerShell is a much more advanced version of cmd. It can be used to execute
external programs such as ping or copy, and it can also help automate various
tasks done by the system administrator that cannot be done from cmd.exe. It is
said to be similar to cmd, except that it is more powerful and adopts a totally
different command syntax. It is more than just a shell; it is a scripting
environment created specially to help system administrators take on their basic
administrative tasks on various operating systems.
PowerShell can also be described as a task-based command-line tool and
scripting language built on the .NET Framework. It brings in a very rich set of
commands, known as "cmdlets", that can be used within an automation script
and that allow administration of the Windows system. They are also easy to use,
especially with the standardized syntax that makes it quite easy to design very
powerful scripts. It is a very powerful command-line interpreter, much more so
than the command prompt itself, and it has the ability to interpret both batch
commands and PowerShell commands. PowerShell improves the ability to
support automation across various platforms, which include on-premises data
centers, Azure, Amazon Web Services (AWS), and, with PowerShell Core, Linux
and macOS too!
One very unique thing about PowerShell you should take note of is the fact that
its cmdlets use a common language. A PowerShell cmdlet uses a verb-noun
format, the most common verbs being Get, Set, New, and Invoke. Within the
context of PowerShell cmdlets, nouns are simply the things you want to take an
action on. For example, in SET-TIME, SET is the verb, and this indicates you are
asking PowerShell to get something done. TIME is the noun; you are asking
PowerShell to set the time.
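You can explore the verb-noun convention from the shell itself. The script below is an added example, not the book's; it lists the cmdlets that exist for a given noun and checks a command's verb against the approved verb list that Get-Verb returns, which is how you look up the real cmdlet names for a noun such as Date.

```powershell
# Added example: discover cmdlets by noun and check a verb against the approved list.
function Get-CmdletsForNoun {
    param([string]$Noun)
    # Every cmdlet and function whose name ends in -<Noun>, with its module.
    Get-Command -Noun $Noun -CommandType Cmdlet, Function |
        Select-Object Name, Verb, Noun, ModuleName
}

function Test-ApprovedVerb {
    param([string]$CommandName)
    # Split "Verb-Noun" and look the verb up in the approved list.
    $verb     = $CommandName.Split('-')[0]
    $approved = (Get-Verb).Verb
    [pscustomobject]@{
        Command  = $CommandName
        Verb     = $verb
        Approved = $approved -contains $verb
        Group    = (Get-Verb | Where-Object Verb -eq $verb).Group   # e.g. Common, Data, Lifecycle
    }
}

Get-CmdletsForNoun -Noun Date | Format-Table -AutoSize   # shows the Get and Set cmdlets for the clock
Test-ApprovedVerb -CommandName 'Set-Date'
Test-ApprovedVerb -CommandName 'Fix-Date'                # Fix is not an approved verb
```

Sticking to approved verbs in your own functions matters beyond tidiness: PowerShell warns when a module exports a function with an unapproved verb, and consistent names make unfamiliar scripts quicker to review.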
Opening an Administrative PowerShell Window
With Windows Server 2022, Microsoft seems to be pushing for system
administrators to get more familiar with PowerShell. When you right-click the
Start menu, rather than seeing the Command Prompt as was previously the case,
you now see Windows PowerShell.
There are primarily two options in this view:
● Select Windows PowerShell (Admin), which opens an elevated
PowerShell window. Most of the work done by a system administrator
needs administrative access, which means you will select Windows
PowerShell (Admin).
● You can also select Windows PowerShell, which opens a non-elevated
PowerShell window. In this window, you will be able to take on most of
the PowerShell tasks that do not need administrative privileges.
Configuring PowerShell
PowerShell can be configured in the same manner as the Command Prompt
window. There is just one drawback to using the Defaults or Properties selection
in the menu, which is that the colors PowerShell uses for its commands and some
other things are not affected by the Properties settings. This doesn't mean the
colors in PowerShell cannot be changed; they definitely can, but only with a
profile script.
Follow the steps below to configure the PowerShell window.
● Open Windows PowerShell.
● Right-click on the Windows PowerShell title bar and then click on
Properties. The Windows PowerShell Properties dialog box is then
displayed.
In the sections below, I will discuss some of the tabs in the dialog box.
Options
In this tab, you set many of the things you normally use frequently, like the
number of commands you will be able to recall, the size of the cursor, text
selection, and edit options.
Cursor Size
Altering the size of the cursor makes it much wider and easier to notice. This can
be a very useful setting for someone who has issues with sight.
Edit Options
This offers much more control over how you make changes to certain things in
the PowerShell window.
Some of these include:
● Insert Mode: When this box is checked, you will be able to type
anywhere the cursor is placed. If, on the other hand, it is disabled, you
overwrite the existing text at the location of the cursor.
● Enable Ctrl Key Shortcuts: When this box is checked, you will be able
to use shortcuts such as Ctrl + C to copy text or images and Ctrl + V to
paste the text or images.
● Quick Edit Mode: When you check this box, you will be able to use the
mouse to copy and paste text from and into the PowerShell window.
Text Selection
In this section there are primarily two options you can make use of:
● Extended Text Selection Keys: When you check this box, you will be
able to use various commonly used keyboard shortcuts in the PowerShell
window.
● Enable Line Wrapping Selection: When you check this box, formatting
issues are corrected when you copy and paste from Windows PowerShell.
Command History
With the settings in the Command History section, you will be able to use the
arrow keys to navigate backward through previous commands. Doing this can
save you the stress of having to type a command again if you happen to be doing
something similar. The default size of the buffer is 50, with the possibility of
adjusting it; the Number of Buffers setting only specifies the number of processes
that can each be allowed a buffer of their own. A check box with the inscription
"Discard Old Duplicates" removes duplicate commands, making it quite a bit
easier to locate an old command, since there will be no need to go through a
series of repeated commands.
Font tab
This is one of the simplest tabs, with very few settings. It enables you to choose
the font you like and also the size of the font you would like to use. You can also
get a preview of how each font and size you choose will look before you activate
it.
Layout tab
There are basically three options in this tab:
● Window Position: If the Let System Position Window checkbox is
unchecked, it is possible to adjust just how far you would like the
PowerShell window to be from the top and left of the screen. If the
checkbox is marked, the Left and Top fields are grayed out.
● Screen Buffer Size: The width adjustment controls the number of
characters that can fit on the screen, while the height adjustment
determines the number of lines that are stored in memory. With the Wrap
Text Output on Resize box, you allow the text on the screen to adjust
itself automatically when the PowerShell window is resized.
● Window Size: In this section, the width and height adjustments alter the
actual size of the PowerShell window.
Colors tab
With the Colors tab, you can make basic adjustments to the background and text
colors for the PowerShell window and also any popup boxes that may appear.
● Choose the radio button of the option you wish to change.
● Choose your preferred color with the Red, Green, and Blue drop-down
lists or by choosing any of the colored boxes.
You can always change the blue background color and off-white text of Windows
PowerShell to suit your taste. With the Opacity slider you can also adjust the
opacity of the PowerShell window. Usually, the slider is at 100%, making the
window solid so it can't be seen through.
Customizing PowerShell, a Little Further
This section covers the Terminal tab, which allows further customization of the PowerShell window with four options:
● Terminal Scrolling: The Disable Scroll-Forward check box is cleared by default, so you can scroll back through all of the output stored in the buffer. If you select it, you can scroll only as far as the last line of output.
● Cursor Shape: The cursor can be displayed as an underscore, a vertical bar, an empty box, a solid box, or the legacy cursor.
● Terminal Colors: Changes can be made here to both the background and the foreground color of the PowerShell window.
● Cursor Colors: Here you change the color of the cursor within the PowerShell window.
Using a Profile Script
Before you create a profile script of your own, create a folder named WindowsPowerShell (no space) inside your Documents folder. The per-user profile script must be named profile.ps1 and must sit inside that WindowsPowerShell folder; the $PROFILE automatic variable shows the exact paths Windows PowerShell expects. The profile runs as a script every time you start Windows PowerShell, so anything in it (aliases, functions, color settings) is in effect from the first prompt. For the same reason, anything someone else plants in it runs as you too, so its permissions deserve the same attention as its contents.
You need such a script if you want specific colors for the different elements displayed on the screen, such as variables, commands and strings.
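Here is an added example (my code, not from the book) that creates the per-user profile described above, puts a few PSReadLine color settings in it, and then runs the checks worth doing on any profile script on a server: which execution policy applies, who can write to the file, and which profile locations exist. The color choices are arbitrary; every path comes from $PROFILE itself, and the script refuses to overwrite a profile that already exists.

```powershell
# Added example, not from the book. Creates Documents\WindowsPowerShell\profile.ps1
# (the host-independent per-user profile) and audits it.

# $PROFILE carries the four profile paths Windows PowerShell loads, in order:
# AllUsersAllHosts, AllUsersCurrentHost, CurrentUserAllHosts, CurrentUserCurrentHost.
$profilePath = $PROFILE.CurrentUserAllHosts          # ...\Documents\WindowsPowerShell\profile.ps1
$profileDir  = Split-Path -Parent $profilePath

if (-not (Test-Path -LiteralPath $profileDir)) {
    New-Item -ItemType Directory -Path $profileDir | Out-Null
}

# Contents of the profile: syntax colors for the elements PSReadLine highlights.
# The color names are arbitrary choices from [System.ConsoleColor].
$profileContent = @'
# Per-user profile: Windows PowerShell runs this file at every start-up.
if (Get-Module -ListAvailable -Name PSReadLine) {
    Set-PSReadLineOption -Colors @{
        Command   = 'Yellow'
        Variable  = 'Green'
        String    = 'Cyan'
        Comment   = 'DarkGray'
        Parameter = 'Magenta'
    }
}
'@

# Never overwrite an existing profile silently: it may already carry code you
# (or someone else) put there. Show it instead.
if (Test-Path -LiteralPath $profilePath) {
    Write-Warning "$profilePath already exists; contents follow, nothing was changed."
    Get-Content -LiteralPath $profilePath
} else {
    Set-Content -LiteralPath $profilePath -Value $profileContent -Encoding UTF8
}

# Check 1: which execution policy applies. The profile is a script, so under
# AllSigned it must be signed, and under Restricted it will not run at all.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Check 2: who can modify the profile. Anyone with write access here runs code
# in your security context every time you open PowerShell.
(Get-Acl -LiteralPath $profilePath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights |
    Format-Table -AutoSize

# Check 3: every profile location, so that a file planted somewhere you do not
# normally look (for example the AllUsers profile under $PSHOME) shows up.
foreach ($name in 'AllUsersAllHosts', 'AllUsersCurrentHost',
                  'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
    $p = $PROFILE.$name
    '{0,-24} exists={1,-5} {2}' -f $name, (Test-Path -LiteralPath $p), $p
}
```

Run it once in a fresh Windows PowerShell window; the colors take effect the next time you start a session. The AllUsers profiles live under $PSHOME and apply to every account on the server, so a change there is effectively a change to every administrator's session.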
Setting Environmental Variables
There are two scopes of persistent environment variables:
● User: variables that apply to one user account.
● System: variables that apply to every user on the system.
Every process also carries its own copy of the environment, which is what Windows PowerShell exposes as the Env: drive. To see which variables are available to you and what their values are, type Get-ChildItem Env: in Windows PowerShell and you will get a listing of the environment variables in the current session.
The most commonly edited variable is PATH. You add a directory to PATH when you want the programs in that directory to run from anywhere, without first changing to that directory. Because Windows searches the PATH directories in order, only directories you trust, and that ordinary users cannot write to, belong on it.
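The following is an added example (my code, not from the book). It lists the environment at each scope, adds a directory to the User PATH without creating duplicates or relative entries, and then audits the Machine PATH for directories that ordinary users can write to. C:\Tools is an assumed directory name used only for illustration.

```powershell
# Added example, not from the book. Reads the environment at each scope and adds
# a directory to the User PATH safely. C:\Tools is an assumed directory name.

# What the current session sees: the same listing as Get-ChildItem Env:
Get-ChildItem Env: | Sort-Object Name | Format-Table Name, Value -AutoSize

# PATH as stored at each scope. Process is this session only; User and Machine
# are the persistent scopes from the Environment Variables dialog.
foreach ($scope in 'Process', 'User', 'Machine') {
    $entries = [Environment]::GetEnvironmentVariable('Path', $scope) -split ';' | Where-Object { $_ }
    '{0,-8} {1,3} PATH entries' -f $scope, $entries.Count
}

function Add-DirectoryToPath {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [ValidateSet('User', 'Machine')] [string] $Scope = 'User'
    )
    $dir = $Directory.TrimEnd('\')
    # A relative entry is resolved against whatever the current directory is at
    # the time, so refuse it; a missing directory is almost always a typo.
    if (-not [IO.Path]::IsPathRooted($dir)) { throw "Use an absolute path: $Directory" }
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Directory not found: $dir" }

    $current = [Environment]::GetEnvironmentVariable('Path', $Scope) -split ';' | Where-Object { $_ }
    if ($current -contains $dir) {
        Write-Verbose "$dir is already on the $Scope PATH"
        return
    }
    [Environment]::SetEnvironmentVariable('Path', (($current + $dir) -join ';'), $Scope)  # persisted
    $env:Path = "$env:Path;$dir"                                                             # this session
}

New-Item -ItemType Directory -Path 'C:\Tools' -Force | Out-Null   # assumed directory
Add-DirectoryToPath -Directory 'C:\Tools' -Scope User -Verbose

# Audit: a Machine PATH directory that ordinary users can write to lets them
# drop an executable or DLL that privileged processes may find first.
$broadGroups = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
[Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    ForEach-Object {
        $dir = $_
        (Get-Acl -LiteralPath $dir).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $broadGroups -contains $_.IdentityReference.Value -and
                           $_.FileSystemRights -match 'Write|Modify|FullControl' } |
            ForEach-Object { "WRITABLE by $($_.IdentityReference): $dir" }
    }
```

Setting the Machine scope requires an elevated session. Only new processes pick up a persisted change, which is why the function also updates $env:Path for the session you are in.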
Getting Help in PowerShell
You will certainly get stuck one day and need some help, for example with the syntax of a cmdlet. To get it, type Get-Help followed by the cmdlet name, for example Get-Help Get-Command; adding -Examples or -Full shows more detail, and Update-Help downloads the full help files if they are not on the server yet.
If, on the other hand, you want general help from within Windows PowerShell, type help and press Enter.
Understanding PowerShell Punctuations
In contrast with the Command Prompt, which was all about symbols, Windows PowerShell is about punctuation. The table below lists the punctuation you will use in the Windows PowerShell window.

Punctuation   Example                                     Description
#             # This is a comment                         Marks a comment. Comments are used in PowerShell
                                                          scripts to document what a section of code does
                                                          and anything else worth noting. Any text after the
                                                          # on a line is treated as a comment.
$             $myvariable = 1                             Prefixes a variable name; this line declares the
                                                          variable.
=             $myvariable = 1                             Assigns a value to a variable.
|             Get-ChildItem | Get-Member                  Pipes the output of the first command into the
                                                          input of the second command.
" "           "My value is $var"                          Encloses text and expands the variables inside it.
                                                          If $var was previously set to 7, the result is:
                                                          My value is 7
' '           'My value is $var'                          Encloses text and treats it literally, so variables
                                                          are not expanded. Even if $var is set to 7, the
                                                          result is: My value is $var
( )           "some text".ToLower()                       Groups items, such as the arithmetic in the second
              100/(5+4)*6                                 example, and supplies the arguments of a method
                                                          call, as in the first.
[ ]           $fruit = @('apple','orange'); $fruit[1]     Indexes into an array (here giving orange), casts
              [int]"42"                                   a value to a type, and encloses a character set in
              'cat' -like '[bc]at'                        a -like wildcard comparison.
{ }           Invoke-Command -ScriptBlock { cmdlets }     Encloses a block of code (a script block).
The chapter you have just finished should have given you a good grounding in PowerShell: how to configure it, and how to ask for help while you are using it.
BOOK 4
CONFIGURING NETWORKING IN WINDOWS
SERVER 2022
A server needs a solid network before it can do its job properly. In most cases the network you will support is an Ethernet network, which uses unshielded twisted pair cable. The most common cable grades are Category 5e (Cat5e) and Category 6 (Cat6); each higher category supports higher speeds over a given cable run.
A local area network (LAN) is what you have when your company occupies a single small building and owns all of the network components. A wide area network (WAN) is what you have when the company is larger and geographically dispersed. In that case the company cannot own all of the network components: it needs the services of an Internet service provider (ISP), which will own some of the links the company's traffic crosses.
In this chapter, I will introduce you to the Network and Sharing Center and explain how to configure TCP/IP, DNS and DHCP.
CHAPTER 1
OVERVIEW OF WINDOWS SERVER 2022
NETWORKING
Getting Acquainted with the Network and Sharing
Center
The Network and Sharing Center shows the current status of the network and gives an overview of its current configuration.
There are three main areas in the Network and Sharing Center:
● Summary network map: This is a graphical representation of the network configuration and connections. When everything is normal, the network segments are linked by a plain line. Problems with the connection or the configuration are flagged with warning icons: a yellow warning icon means the computer is connected to the local network but has a configuration problem or no path to the Internet, and a red X means there is no connection at all on that segment.
● Network details: This shows the name of the current network and an overview of it. The value in parentheses after the network name is its category: Private Network, Public Network or Domain Network. The Access field shows how the computer is connected to its current network: Internet only, Local only, or Local and Internet. The Connection field shows the name of the local area connection that is used to connect to the current network.
● Sharing and discovery: This is where you configure the computer's sharing and discovery settings; it also lists the current state of each option.
To open the Network and Sharing Center:
● Right-click the Start button and select Network Connections.
● On the Status page, scroll down and click Network and Sharing Center.
Several useful utilities are reachable directly from the Network and Sharing Center screen. The View Your Active Networks section shows whether you have a network-enabled connection and whether you have an Internet connection; if you do not, the Access Type reads "No Internet".
The Network and Sharing Center also has a Troubleshoot Problems link. Clicking it takes you to the Troubleshoot area, where you can click Internet Connections to start a wizard that tries to identify and fix the problem.
Using the Network Connection Tools
The network connection tools control all of the network settings. You reach them by:
● Right-clicking the Start button and then clicking Network Connections.
Or:
● Click the Start button.
● Click Settings.
● Click Network & Internet.
Below are the tools you should get familiar with.
Ethernet
The Ethernet link on the left side of the Network & Internet area displays the options that apply to the Ethernet connection. They include:
● Change Advanced Sharing Options: This link lets you change network discovery and file and printer sharing for each of your network profiles. On a server, keep both off for the Public profile.
● Network and Sharing Center: This link opens the good old Network and Sharing Center.
● Windows Firewall: This link opens the newer Firewall & Network Protection screen. Here you can allow or block specific applications through the firewall and change the notifications the firewall raises. The Advanced Settings link opens Windows Defender Firewall with Advanced Security, where you write granular rules by protocol, port number, program, and local or remote address, separately for the Domain, Private and Public profiles.
● Change Adapter Options: This link lists all of the network adapters installed on the system, and from the list you pick the adapter you want to work with.
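As an added example (my code, not from the book), here are the same checks and the same kind of granular rule that the Advanced Settings area lets you make, done with the NetSecurity cmdlets so they can be reviewed and repeated on every server. The rule name, the port (5985, WinRM over HTTP) and the management subnet 10.10.50.0/24 are assumed values.

```powershell
# Added example, not from the book. Reviews the firewall state and adds one
# tightly scoped inbound rule. Rule name, port and subnet are assumptions.

# 1. Confirm the firewall is on for every profile and blocks inbound by default.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Enabled inbound allow rules that accept traffic from any address: this is
#    the list to review on a server reachable from beyond its own subnet.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Profile    = $_.Profile
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemoteAddr = $addr.RemoteAddress
        }
    } |
    Where-Object { $_.RemoteAddr -eq 'Any' } |
    Sort-Object Name | Format-Table -AutoSize

# 3. A granular rule: allow inbound TCP 5985 only from the management subnet
#    and only on the Domain profile, so the listener is not reachable from
#    networks the server is merely plugged into.
$params = @{
    DisplayName   = 'Allow WinRM HTTP from management subnet'   # assumed name
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'
    LocalPort     = 5985
    RemoteAddress = '10.10.50.0/24'                             # assumed subnet
    Profile       = 'Domain'
    Enabled       = 'True'
}
if (-not (Get-NetFirewallRule -DisplayName $params.DisplayName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule @params | Out-Null
}

# 4. Read the rule back together with its port and address filters, which the
#    rule object itself does not display, to confirm the scope is what you meant.
$rule = Get-NetFirewallRule -DisplayName $params.DisplayName
$rule | Select-Object DisplayName, Enabled, Profile, Direction, Action
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

A rule is the combination of the rule object and its filters, which is why step 4 queries the filters separately: a rule that looks fine in the first listing can still be open to the world in its address filter.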
Dial-up
This option, on the left side of the Network & Internet area, lets you create a new dial-up connection if a modem is attached to the system.
VPN
This option, on the left side of the Network & Internet area, lets you create a virtual private network connection. You give the VPN a name and tell it the address of the VPN server you want to connect to.
Status
This page offers much the same options as the Network and Sharing Center and lets you view the status of your network connection.
Proxy
Several options are available here. If you use an automatic configuration script, turn on Automatically Detect Settings or Use Setup Script and enter the script address. If you need to configure things manually, turn on Manual Proxy Setup and enter the IP address and port of the proxy server. Note that automatic detection relies on WPAD, which finds the script through DHCP and DNS; on a network you do not control, a rogue WPAD responder can hand your machine a script that routes its traffic through an attacker's proxy, so on servers prefer an explicit script address or manual settings.
Configuring TCP/IP
The Transmission Control Protocol/Internet Protocol is a suite of protocols that lets devices connect to a network. Knowing how to configure TCP/IP is one of the major tasks you must be able to perform.
There are certain TCP/IP terms you should have a basic knowledge of:
● IP address: A unique number that identifies a particular system on a network. There are two versions: IPv4 addresses identify systems on an IPv4 network, and IPv6 addresses identify systems on an IPv6 network.
● Domain Name System: DNS translates hostnames to IP addresses using forward lookup zones, and IP addresses to hostnames using reverse lookup zones.
● Windows Internet Name Service (WINS): WINS converts NetBIOS names to IP addresses. It is a legacy service; unless an old application still needs NetBIOS name resolution, leave it out.
With that understood, here are the step-by-step instructions for the settings that can be changed:
● Right-click the Start button and select Network Connections.
● Choose Change Adapter Options.
● Right-click the adapter and click Properties.
● Select Internet Protocol Version 4 (TCP/IPv4), click the Properties button, and then click Advanced.
On the IP Settings tab you can add, edit or remove IP addresses and default gateways; the DNS tab lets you add, edit or remove DNS servers; and the WINS tab lets you specify WINS servers if you use WINS on the network.
Understanding DHCP
DHCP lets the individual computers on a TCP/IP network obtain their configuration, above all their IP address, from a server. The DHCP server keeps track of which IP addresses it has already assigned, so that whenever a computer asks for an address, the server hands out one that is not in use.
DHCP takes a lot of stress out of administration because it assigns IP addresses automatically. It controls which addresses are in use and ensures that duplicates are never issued. By default an address is leased for eight days; after that the IP address can be given to another system, or the lease can be renewed by the system currently using it (a client normally tries to renew once half of the lease time has passed).
Automatic assignment is convenient, but there are cases where you need a static IP address that does not change. That is the norm for systems hosting important infrastructure services such as DHCP itself, Active Directory and DNS.
You can configure and use DHCP without knowing the details of how the DHCP client configuration works. A basic understanding of the process, however, helps you see what DHCP is doing, and it is a real help when you have to troubleshoot DHCP problems.
Below is a step-by-step account of how DHCP configures a TCP/IP host. The procedure runs each time a host computer boots, and again when a lease is released and a fresh lease is requested.
● When a host computer starts, the DHCP client software sends a broadcast packet known as a DHCP Discover message. The message uses the subnet broadcast address as its destination and 0.0.0.0 as its source. The client has to use 0.0.0.0 as the source because it has no IP address yet, and the broadcast address as the destination because it does not know the address of any DHCP server.
● The DHCP server receives the broadcast Discover and replies with a DHCP Offer message that contains an IP address the client can use. The Offer is also sent to the broadcast address, because the client still has no address of its own and will not have one until it accepts the offer.
● When the client receives the Offer, it replies with a DHCP Request message. The client still does not own the IP address at this point; it is indicating that it is ready to accept the address the server offered. If several servers answered, the Request names the server whose offer it is taking.
● When the server receives the Request, it marks the IP address as assigned to that client and sends a DHCP Ack message.
● When the client receives the Ack, it configures its TCP/IP stack with the address it accepted from the server.
Because the whole exchange is unauthenticated broadcast, any machine on the subnet that answers a Discover before the real server can hand out a bad gateway or DNS server. Authorizing Windows DHCP servers in Active Directory stops an unauthorized Windows server from serving leases; stopping other rogue servers is a job for DHCP snooping on the switches.
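The following is an added example (my code, not from the book) of the server side of that exchange: it creates a scope with the eight-day lease discussed above, authorizes the server in Active Directory, lists the leases that the Discover/Offer/Request/Ack exchange produced, and finally, on a client, forces the exchange again and checks that the address really came from DHCP. The scope, server name, domain and addresses are all assumed values, and the server part assumes the DHCP Server role is installed (Install-WindowsFeature DHCP -IncludeManagementTools).

```powershell
# Added example, not from the book. Server-side DHCP setup and lease review,
# then a client-side renew. All names and addresses are assumptions.

# --- On the DHCP server (role installed, elevated session) -------------------

# 1. Scope for 10.10.20.0/24 with the default 8-day lease.
Add-DhcpServerv4Scope -Name 'Office LAN' `
    -StartRange 10.10.20.50 -EndRange 10.10.20.250 `
    -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Addresses inside the range that must never be offered (reserved for static hosts).
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.20.0 `
    -StartRange 10.10.20.50 -EndRange 10.10.20.59

# Options delivered with the lease: default gateway, DNS servers, DNS suffix.
# These are exactly the values a rogue server would want to substitute.
Set-DhcpServerv4OptionValue -ScopeId 10.10.20.0 `
    -Router 10.10.20.1 `
    -DnsServer 10.10.20.10, 10.10.20.11 `
    -DnsDomain 'corp.example.com'

# 2. Authorize the server in Active Directory. In a domain, an unauthorized
#    Windows DHCP server refuses to hand out leases, so this step is required
#    here and is also what stops an accidental second Windows server.
Add-DhcpServerInDC -DnsName 'dhcp01.corp.example.com' -IPAddress 10.10.20.10
Get-DhcpServerInDC

# 3. What has been handed out so far, with the expiry that drives renewal.
Get-DhcpServerv4Lease -ScopeId 10.10.20.0 |
    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime |
    Format-Table -AutoSize

# Where the server records each Discover/Offer/Request/Ack it handles.
Get-DhcpServerAuditLog | Select-Object Enable, Path

# --- On a DHCP client ---------------------------------------------------------

# 4. Release the lease and request a fresh one (this is the full exchange
#    described above), then confirm the address was obtained from DHCP.
ipconfig /release | Out-Null
ipconfig /renew   | Out-Null
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, ValidLifetime

# The DHCP server that answered, and the options it delivered, as the client saw them.
Get-NetIPConfiguration -Detailed |
    Select-Object InterfaceAlias, IPv4DefaultGateway, DNSServer
```

If the client's gateway or DNS servers do not match what step 1 configured, a second DHCP server answered first; the client's lease details (ipconfig /all shows the DHCP server address) tell you which one.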
Defining DNS
Domain Name System is one of the protocols in the TCP/IP suite. Together, the DNS Client service and the DNS Server service provide computer name-to-IP address name resolution for users and computers.
DNS Server is a server role that can be installed with Server Manager or with Windows PowerShell. When you create a new Active Directory forest and domain, the Active Directory Domain Services Configuration Wizard installs the DNS Server role on the new domain controller automatically, because Active Directory depends on DNS to let clients locate domain controllers.
The DNS Client service is included in every client and server version of Windows and runs by default once the operating system is installed. Once a TCP/IP network connection is configured with the IP address of a DNS server, the DNS Client queries that server to find domain controllers and to resolve computer names to IP addresses.
In short, DNS is the service that maps human-friendly names to IP addresses.
There is some terminology you need to understand about the way DNS breaks a name down:
● Top-level domain: The rightmost label of the name. Generic top-level domains indicate the type of organization, and country-code top-level domains indicate the country.
The most common generic top-level domains are:
○ .com (commercial)
○ .net (originally network providers; now a general alternative to .com)
○ .edu (educational institutions)
○ .gov (United States government sites)
Country codes include .us, .br, .tk, .cn and so on.
● Second-level domain: The domain registered to an individual or an organization, for example the example in example.com.
● Subdomain: An additional level that the organization creates beneath its own domain, for example sales.example.com.
DNS records are stored in DNS zones. A zone can hold several types of record, and the record type determines what the record says and how it is used.
The table below lists the commonly used DNS record types.

Record Type   Description
A or AAAA     Host records. An A record maps a hostname to an IPv4 address and an AAAA record
              maps a hostname to an IPv6 address.
NS            Names the DNS servers that are authoritative for the zone.
PTR           Maps an IP address back to a hostname; used for reverse DNS lookups.
SOA           The Start of Authority record names the primary DNS server for the zone and the
              zone administrator's e-mail address, and carries the serial number, refresh,
              retry, expire and minimum TTL values that secondary servers use.
CNAME         Creates an alias that points one name at another name.
MX            Names a mail exchange server for the domain, with a preference value that orders
              several of them.
Creating a DNS zone
There will certainly be a time when you are responsible for creating a DNS zone.
Below are step-by-step instructions for creating a new zone:
● In Server Manager, click Tools and then DNS.
● Right-click Forward Lookup Zones and choose New Zone.
● In the New Zone Wizard, click Next.
● On the Zone Type screen, choose the Primary Zone radio button, leave Store the Zone in Active Directory selected, and click Next.
● On the Active Directory Zone Replication Scope screen, choose the radio button next to To All DNS Servers Running on Domain Controllers in This Domain.
● Click Next.
● On the Zone Name screen, type the name of the zone you want to create and click Next.
● On the Dynamic Update screen, click Allow Only Secure Dynamic Updates and click Next. The other choice, allowing nonsecure updates, lets any host on the network overwrite any record in the zone.
● On the Completing the New Zone Wizard screen, click Finish.
When you create a zone on a standard (not Active Directory-integrated) DNS server, you specify whether the server holds the primary or a secondary copy of the zone. The primary server answers queries and also accepts additions and changes to the zone records. Secondary servers answer queries too, but they cannot accept additions or changes; they hold a read-only copy of the zone that is transferred from the primary server. If the primary DNS server for the zone goes down, you can promote a secondary server to primary. This is not automatic; an administrator has to do it. Active Directory-integrated zones, like the one created above, are different: every domain controller running DNS holds a writable copy, and changes replicate with Active Directory, so there is no single primary server to lose.
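As an added example (my code, not from the book), here is the zone the wizard above creates, made with the DnsServer module instead, together with a matching reverse zone, one record of each type from the table, and the checks that confirm the zone is stored in Active Directory and accepts only secure updates. The zone name, host names and addresses are assumed values; run it on a domain controller that holds the DNS Server role.

```powershell
# Added example, not from the book. Creates an AD-integrated primary zone with
# secure dynamic updates, populates it, and verifies it. Names are assumptions.

$zone = 'app.corp.example.com'

# 1. Primary zone stored in Active Directory, replicated to every DNS server
#    that is a domain controller in this domain. Secure-only dynamic updates
#    mean a host must authenticate (Kerberos) and can change only records it
#    owns, instead of any host being able to repoint any name.
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure

# 2. Reverse lookup zone for 10.10.20.0/24 so PTR records have somewhere to live.
Add-DnsServerPrimaryZone -NetworkId '10.10.20.0/24' -ReplicationScope Domain -DynamicUpdate Secure

# 3. One record of each kind from the table (NS and SOA were created with the zone).
Add-DnsServerResourceRecordA     -ZoneName $zone -Name 'web1' -IPv4Address 10.10.20.80 -CreatePtr
Add-DnsServerResourceRecordAAAA  -ZoneName $zone -Name 'web1' -IPv6Address 'fd00:10:20::80'
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www'  -HostNameAlias "web1.$zone"
Add-DnsServerResourceRecordMX    -ZoneName $zone -Name '.'    -MailExchange 'mail.corp.example.com' -Preference 10

# 4. Verify how the zone is stored and what it accepts.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate

# 5. Everything in the zone, including the SOA and NS records the wizard equivalent made.
Get-DnsServerResourceRecord -ZoneName $zone | Format-Table -AutoSize

# 6. Resolve through this server directly (127.0.0.1) so the client's cache and
#    search list play no part in the result.
Resolve-DnsName -Name "www.$zone" -Server 127.0.0.1 -Type CNAME
Resolve-DnsName -Name 10.10.20.80 -Server 127.0.0.1 -Type PTR

# 7. Audit: any zone still allowing nonsecure updates can be rewritten by any
#    host on the network, which is how a server name gets pointed at an attacker.
Get-DnsServerZone |
    Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
```

The -CreatePtr switch on the A record is why the reverse zone is created first; without a matching reverse zone the PTR is silently not created and the reverse lookup in step 6 fails.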
Networking is a very important part of this book. The chapter you have just finished showed you how to configure the network: proxy settings, TCP/IP and IP addresses. You should now also understand more about DNS and DHCP.
CHAPTER 2
PERFORMING BASIC NETWORK TASKS
System administrators are expected to know the basics of configuring networking on a Windows server. You may need to change the IP address of a server, for example, and some servers should have a static address. These are generally critical infrastructure systems such as Active Directory Domain Services (AD DS), Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) servers.
In this chapter, I will cover the basic configuration of a network interface card and briefly describe some other things you can do with networking in Windows Server 2022.
Viewing Network Properties
Looking at the properties of your network adapter is a quick and easy way to see how your system is configured to communicate on the network.
Follow the steps below to look at the network properties in Windows Server 2022:
● Click the Start button and choose the gear icon to open Settings.
● Choose Network & Internet.
● Select Ethernet on the left side of the menu.
● Select Change Adapter Options.
When you select a network adapter, a bar of options appears across the top of the window. They are:
● View Status of This Connection: Displays the status of the network connection.
● Rename This Connection: Lets you rename the connection. This is very helpful when you have several network adapters and need to keep track of what each one does.
● Diagnose This Connection: Troubleshoots network connectivity problems on the connection.
● Disable This Network Device: Disables the selected network adapter.
● Change Settings of This Connection: Opens the Properties dialog box for the selected network adapter.
Another option, Bridge Connections, bridges two network adapters so that the operating system treats them as one network adapter.
To configure a network adapter, right-click it and choose Properties, or select it and click Change Settings of This Connection in the top bar.
Connecting to Another Network
Connecting to the local network is the first step when you set up a server, but there are other connections to consider, such as connecting to the Internet. The Internet is a different network from the one inside your building, and it has to be set up properly before you can use it.
Connecting to the Internet
On most networks the computer is connected to a router or switch that in turn connects to a cable modem, and the setup is automatic, so you have Internet access within a few minutes. If you check your IP address, you will see one of the non-routable private (RFC 1918) addresses.
To reach the Internet you need a public IP address. The cable modem leased from your ISP holds the public IP address and performs network address translation (NAT) between your internal addresses and the routable address assigned to it.
Very often there is also a proxy between you and the Internet. A proxy combines a web filter with a firewall and helps protect your systems from malicious sites.
Follow the steps below to set up a proxy:
● Click the Start button and select the gear icon to open Settings.
● Select Network & Internet.
● Choose Proxy.
● Most organizations supply a setup script, so turn on Use Setup Script and enter the script address, which ends in the name of the .pac file.
● Click Save.
Setting up a dial-up connection
Although dial-up can be called obsolete, there are still a few reasons it might be the right choice for you:
● You have a traditional phone line and DSL is not available in your area.
● You need a connection that is simply reliable and consistent, and all you do is a few web searches and check your mailbox.
● You need an Internet connection but do not want an expensive one.
Follow the steps below to configure a dial-up connection:
● Sign up with a dial-up service and obtain the access number from them.
● Click the Start button and select the gear icon to open Settings.
● Choose Network & Internet.
● Choose Dial-up.
● Select Set Up a New Connection.
● Click Connect to the Internet and choose Next.
● On the How Do You Want to Connect screen, choose Dial-up.
● On the Type the Information from Your Internet Service Provider (ISP) screen, enter the information you received in the first step.
● Finally, click Create.
Connecting to a virtual private network
A virtual private network gives you remote access to a network. The nice thing about a VPN is that it lets you work as though you were sitting on the office network, while the traffic between you and the VPN server travels encrypted across the Internet.
Below is how to configure a VPN connection:
● Click the Start button and choose the gear icon to open Settings.
● Select Network & Internet.
● Choose VPN.
● Select Add a VPN Connection.
● For VPN Provider, choose Windows (Built-in).
● Enter a connection name and the address of the VPN server you want to connect to.
● Choose the VPN type and sign-in method your VPN administrator specified; if the choice is yours, prefer IKEv2 or SSTP over PPTP, whose authentication is no longer considered secure.
● Enter the username and password, and then click Save.
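The following is an added example (my code, not from the book) of the same connection made with the VpnClient module, where the tunnel type, the authentication method and the IPsec proposal are all stated explicitly instead of being left at whatever the Settings page defaults to. The connection name and server address are assumed values, and the example assumes IKEv2 with certificate authentication, so both this machine and the VPN server are assumed to hold certificates from a CA the other side trusts.

```powershell
# Added example, not from the book. Creates and pins an IKEv2 VPN connection.
# Connection name, server address and the certificate setup are assumptions.

$name = 'Corp VPN'

# 1. IKEv2 with machine certificates. PPTP is also offered by the GUI, but its
#    MS-CHAPv2 authentication is broken, so it is not a candidate. RememberCredential
#    is left off so nothing is cached on a shared machine, and split tunneling is
#    left off so that all traffic goes through the tunnel.
if (-not (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $name `
        -ServerAddress 'vpn.corp.example.com' `
        -TunnelType IKEv2 `
        -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required `
        -PassThru
}

# 2. Pin the IPsec proposal so the client does not accept a weaker set of
#    algorithms if the server offers one. GCM ciphers carry their own integrity
#    check, so the authentication transform has to match the cipher.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# 3. Review what will actually be used before dialing.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling, RememberCredential
(Get-VpnConnection -Name $name).IPsecCustomPolicy

# 4. Dial it, then confirm the default route now points at the VPN interface;
#    with split tunneling off, Internet-bound traffic should go through the tunnel.
rasdial $name
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric
```

If the route listing in step 4 still shows the physical adapter with the lowest metric, traffic is bypassing the tunnel; check the connection's SplitTunneling value and the server-assigned routes.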
Managing Network Connections
Some basic activities, such as changing the IP address, are easy, but other options in the network adapter's Properties dialog box are not so straightforward. In the sections below I describe the ones you are most likely to use.
Configuring the Internet Protocol
Configuring the IP settings on a server is certainly one of the most common things you will find yourself doing.
The Internet Protocol (IP) address is the address given to a system; it is how other systems on the network identify yours. There are two versions, IPv4 and IPv6. The table below shows the basic differences between them.

Feature                              IPv4                              IPv6
Number of bits (bytes)               32 (4)                            128 (16)
Expressed form                       Dotted-decimal                    Colon-hexadecimal
Variable-length subnets              Yes                               No
Public addresses                     Yes                               Yes (global addresses)
Private addresses                    Yes (RFC 1918 addresses)          Yes (unique local addresses)
Autoconfigured addresses for         Yes (APIPA)                       Yes (link-local addresses)
the local link
Support for address classes          Yes, but deprecated by CIDR       No
Broadcast address                    Yes                               No; multicast is used instead
Subnet mask                          Required                          Not used; a prefix length is given
                                                                       instead, and addresses assigned to
                                                                       interfaces normally use a 64-bit prefix

Follow the steps below to configure a static IPv4 address:
● Open the network adapter's Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4) and click Properties. It is normally set to Obtain an IP Address Automatically and Obtain DNS Server Address Automatically.
● Choose Use the Following IP Address and enter the IP address, subnet mask and default gateway in the top half of the dialog box.
● Choose Use the Following DNS Server Addresses, enter the preferred and alternate DNS servers in the lower part, and click OK.
Follow the steps below to configure a static IPv6 address:
● In the same Properties dialog box, select Internet Protocol Version 6 (TCP/IPv6) and click Properties. It is normally set to Obtain an IPv6 Address Automatically and Obtain DNS Server Address Automatically.
● Choose Use the Following IPv6 Address and enter the IPv6 address, the subnet prefix length (usually 64) and the default gateway in the top half of the dialog box. IPv6 has no subnet mask field.
● Choose Use the Following DNS Server Addresses, enter the preferred and alternate DNS servers in the lower part, and click OK.
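The following is an added example (my code, not from the book) that does with the NetTCPIP and DnsClient cmdlets what the two procedures above, and the TCP/IP procedure in Chapter 1, do in the GUI: it shows the adapter's current configuration, then sets a static IPv4 address, a static IPv6 address and the DNS servers, and verifies the result. The adapter name "Ethernet" and every address are assumed values. Run it from the server's console or over a different adapter, because the adapter you reconfigure drops its connections while the change is made.

```powershell
# Added example, not from the book. Static IPv4/IPv6 and DNS configuration on
# one adapter, with verification. Adapter name and addresses are assumptions.

$alias = 'Ethernet'

# 1. What the adapter has now: the same information as the Status and
#    Properties dialogs (address, how it was obtained, gateway, DNS servers).
Get-NetIPConfiguration -InterfaceAlias $alias -Detailed

# 2. Turn DHCP off on the interface and remove the DHCP-assigned IPv4 address
#    and gateway first; otherwise the static address is simply added alongside them.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 3. Static IPv4: the GUI's subnet mask 255.255.255.0 is prefix length 24 here.
New-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 `
    -IPAddress 10.10.20.10 -PrefixLength 24 -DefaultGateway 10.10.20.1

# 4. Static IPv6: a prefix length, not a mask, exactly as the GUI asks for it.
New-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv6 `
    -IPAddress 'fd00:10:20::10' -PrefixLength 64 -DefaultGateway 'fd00:10:20::1'

# 5. DNS servers for both families in one call. A server that is itself a
#    DNS server should list another DNS server first and itself second, so
#    that it never depends only on its own service being up.
Set-DnsClientServerAddress -InterfaceAlias $alias `
    -ServerAddresses '10.10.20.11', '10.10.20.10', 'fd00:10:20::11'

# 6. Verify. AddressState should be Preferred; Duplicate means another host
#    already uses the address (duplicate address detection failed).
Get-NetIPAddress -InterfaceAlias $alias |
    Select-Object AddressFamily, IPAddress, PrefixLength, PrefixOrigin, AddressState |
    Format-Table -AutoSize
Get-DnsClientServerAddress -InterfaceAlias $alias |
    Select-Object AddressFamily, ServerAddresses
Test-NetConnection -ComputerName 10.10.20.1 -InformationLevel Quiet   # gateway reachable?
```

Get-NetIPConfiguration in step 1 is also the quickest way to check a server you have just inherited: PrefixOrigin of Dhcp on an address that should be static is the usual reason an infrastructure server "moves" after a reboot.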
Installing network features
This is not something you do often, but the option is still there in the network adapter's Properties dialog box.
To install a feature, follow these steps:
● In the network adapter's Properties dialog box, click Install.
● Choose Protocol and click Add.
● Choose Reliable Multicast Protocol and click OK.
Uninstalling network features
This works much like installing. Select the feature you want to remove and click Uninstall.
Note that removing features like the ones mentioned above from production servers can be risky, so test the change in a test environment first to confirm it is safe. The reverse also applies: every protocol or client bound to an adapter is another listener, so leave off anything the server does not need.
CHAPTER 3
ACCOMPLISHING ADVANCED NETWORK
TASKS
Being well versed in setting up Windows Server networking is important, and knowing how to set up some of the more advanced services is just as essential. The network gives access to resources, but there are times when you also need to enable remote access, or control access for network devices by using the Active Directory (AD) infrastructure for authentication.
In this chapter, I will explain Remote Desktop Services (RDS) and Network Policy and Access Services, and cover what you need to know to configure them properly.
Working with Remote Desktop Services
Remote Desktop Services, previously known as Terminal Services, allows many Remote Desktop Protocol (RDP) connections to the same server. Without RDS, Windows Server 2022 allows just two concurrent remote connections, intended for administration. RDP lets you connect to a remote system and see its desktop as though you were at the server's console.
With RDS, users can have their own virtual desktops to work from. Applications are upgraded only on the application server, which makes RDS very cost-effective for applications that are expensive to install. RDS can also publish RemoteApp programs, which run on the server but appear to the user as if they were installed on the local desktop.
Below are the steps to install Remote Desktop Services:
● In Server Manager, click Manage and then Add Roles and Features.
● On the Before You Begin screen, click Next.
● On the Select Installation Type screen, choose Remote Desktop Services Installation and click Next.
● On the Select Deployment Type screen, choose Quick Start and click Next.
● On the Select Deployment Scenario screen, click Session-Based Desktop Deployment and click Next.
● On the Confirm Selections screen, select the Restart the Destination Server Automatically If Required check box and click Deploy.
● When the server has rebooted and the deployment has completed, click Close.
Once RDS is installed, you should change a few settings, such as configuring the RDS server to use roaming profiles. Overall, configure the server so that the user experience is as good as it would be on a physical desktop.
Below are the steps to do this:
● On any system that has the RSAT tools for Active Directory installed, open Server Manager, click Tools and then Active Directory Users and Computers.
● Expand the domain name and choose the Users container.
● Double-click a user account.
● Select the Remote Desktop Services Profile tab.
● Enter the profile path and, if required, the home folder details.
Working with Network Policy and Access Services
This server role provides the Network Policy Server (NPS).
Begin by installing NPAS:
● In Server Manager, click Manage and then choose Add Roles and Features.
● On the Before You Begin screen, click Next.
● On the Select Installation Type screen, select Next.
● On the Select Destination Server screen, click Next.
● On the Select Server Roles screen, scroll down, choose Network Policy and Access Services, select Add Features, then choose Next.
● On the Select Features screen, click Next.
● On the Network Policy and Access Services screen, click Next.
● On the Confirm Installation Selections screen, click Install.
● Upon completion of the installation, select Close.
Once NPAS is installed, you can open NPS from Server Manager. A Network Policy Server lets you manage authentication, authorization, and accounting for the devices on your network.
To open it, click Tools and then Network Policy Server.
Follow the steps below to configure a network policy:
● Locate the Server Manager then select Tools then choose Network
Policy Server.
● Expand Policies.
● Right-click Network Policies and choose New.
● Name the policy and indicate the network access server.
● Select Next.
● On the Specify Conditions screen, add the conditions that must be met for the policy to apply.
● Back on the Specify Conditions screen, add any further conditions, then choose Next.
● On the Specify Access Permission screen, choose Access Granted and click Next.
● On the Configure Authentication Methods screen, choose Next.
● On the Configure Constraints screen, choose Next.
● On the Configure Settings screen, click Next.
● On the Completing New Network Policy screen, click Finish.
Troubleshooting at the Command Line
PowerShell is installed by default on all Windows servers, and it contains many modules that help with different tasks.
The Test-NetConnection cmdlet is a very useful troubleshooting tool. Used on its own, Test-NetConnection displays basic network information about the target and performs a ping. It also has several parameters that help you narrow down particular issues, including a port test, an information level, route diagnosis, and a traceroute.
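The wrapper below puts those parameters together in the order a troubleshooter would use them: ping first, then the ports the service needs, and only when the ping fails a traceroute and a routing diagnosis. It is an added example, not from the book; the host names and port numbers are placeholders.

```powershell
# Added example (not from the book): a small wrapper around Test-NetConnection
# that runs the checks the text lists: ping, TCP port, traceroute and route
# diagnosis. Host names and ports are placeholders.

function Test-ServerReachability {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int[]] $Ports = @(445, 3389)   # SMB and RDP, a constructed default
    )

    # Plain call: ICMP ping plus the interface and route Windows picked.
    $ping = Test-NetConnection -ComputerName $ComputerName -InformationLevel Detailed `
                               -WarningAction SilentlyContinue

    # Per-port TCP check; TcpTestSucceeded is the field that matters.
    $portResults = foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $r.TcpTestSucceeded }
    }

    # Only when ping fails, look at the path: which hops answer, and which
    # local interface and next hop Windows would use for this destination.
    $trace = $null; $routing = $null
    if (-not $ping.PingSucceeded) {
        $trace   = (Test-NetConnection -ComputerName $ComputerName -TraceRoute `
                                       -WarningAction SilentlyContinue).TraceRoute
        $routing = Test-NetConnection -ComputerName $ComputerName -DiagnoseRouting
    }

    [pscustomobject]@{
        Target          = $ComputerName
        ResolvedAddress = $ping.RemoteAddress
        PingSucceeded   = $ping.PingSucceeded
        SourceInterface = $ping.InterfaceAlias
        Ports           = $portResults
        TraceRoute      = $trace
        Routing         = $routing
    }
}

# Usage with a placeholder domain controller: DNS, LDAP and SMB.
Test-ServerReachability -ComputerName 'dc01.corp.example' -Ports 53, 389, 445
```

A closed port with a successful ping points at the service or a firewall rule rather than the network; a failed ping with a traceroute that stops at a particular hop points at routing. Separating the two saves a lot of guesswork.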
CHAPTER 4
DIAGNOSIS AND REPAIRING NETWORK
CONNECTION PROBLEMS
No system runs forever without developing an issue at some point. This chapter deals with some of the troubleshooting capabilities built into the operating system and with some of the common configuration issues you might experience on both new and older systems.
Using Windows Network Diagnostics
There are times when a network issue is obvious. It can be the result of a bad cable, a bad switch port, or a bad network interface card in the server. Those are hardware issues and it is up to you to solve them. Software issues can be diagnosed with Microsoft Windows Network Diagnostics. Go through the steps below:
● Select the Start Menu, and choose the gear icon to gain access to the
settings menu.
● Choose Network & Internet.
● On the Status page, move downwards and choose Network
Troubleshooter.
● Select the Close button to leave the troubleshooter.
Repairing Individual Connections
You can also troubleshoot a single network adapter that is having issues, which is a good way to test each adapter when you have more than one in a system.
To get this done, follow the steps below:
● Select the Start menu then click on the gear icon for the settings menu.
● Choose Network & Internet.
● Locate the Status page, move downwards, and choose Change Adapter
Options.
● Right-click on the network adapter you wish to check and click on
Diagnose.
Network Troubleshooting at the Command Line
If the Windows Network Diagnostics wizard doesn't find anything wrong, there are some other things you can try.
Follow the steps below:
● Select Start and scroll down to Windows System.
● Choose Command Prompt and try the following commands:
netsh int ip reset (resets the TCP/IP configuration), ipconfig /release (releases the old DHCP-assigned IP address), ipconfig /renew (requests a new IP address lease), ipconfig /flushdns (flushes the Domain Name System resolver cache on your system).
Working with Windows Firewall
There are times when Windows Firewall is the reason for your network issues.
To check this, follow the steps below:
● In Server Manager, click Tools and select Event Viewer.
● Expand Applications and Services Logs.
● Expand Microsoft, then Windows, then Windows Firewall with Advanced Security.
● Open the Firewall log and look through its events for any issues.
Making Sense of Common Configuration Errors
Oftentimes the issues your server might have could be minor issues you can fix
easily. I will explain some of these issues and also provide solutions to them.
Duplicate IP address
With this error, you will get a message notifying you of a duplicate IP address on your network. The fix is to use Dynamic Host Configuration Protocol (DHCP), so that IP addresses are assigned and tracked automatically.
No gateway addresses
When this error arises, your system can communicate with other systems in the same subnet but with nothing else.
Solving this is quite easy: configure a default gateway address. This tells the system where to send traffic that is not meant for a system on the local network.
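Both of the errors above can be spotted from PowerShell before anyone reports them. The function below, an added example that is not from the book, walks the connected adapters and flags an address Windows has marked as duplicate, a missing IPv4 default gateway, and a configured gateway that does not answer. It reads configuration only and changes nothing.

```powershell
# Added example (not from the book): inspect each connected adapter for the
# two misconfigurations described above, a duplicate address and a missing
# (or dead) default gateway. Read-only.

function Get-IPConfigurationIssues {
    $issues = foreach ($cfg in Get-NetIPConfiguration) {
        if ($cfg.NetAdapter.Status -ne 'Up') { continue }

        # Windows sets AddressState to 'Duplicate' when another host already
        # answered for the address during duplicate address detection.
        $dup = Get-NetIPAddress -InterfaceIndex $cfg.InterfaceIndex -AddressFamily IPv4 `
                                -ErrorAction SilentlyContinue |
               Where-Object AddressState -eq 'Duplicate'
        foreach ($a in $dup) {
            [pscustomobject]@{ Interface = $cfg.InterfaceAlias
                               Problem   = 'Duplicate IP address'
                               Detail    = $a.IPAddress }
        }

        # No IPv4 default gateway: same-subnet traffic works, everything else fails.
        if (-not $cfg.IPv4DefaultGateway) {
            [pscustomobject]@{ Interface = $cfg.InterfaceAlias
                               Problem   = 'No default gateway'
                               Detail    = ($cfg.IPv4Address.IPAddress -join ', ') }
        }
        else {
            # A gateway that is configured but does not answer is the same symptom.
            $gw = @($cfg.IPv4DefaultGateway.NextHop)[0]
            $ok = (Test-NetConnection -ComputerName $gw -WarningAction SilentlyContinue).PingSucceeded
            if (-not $ok) {
                [pscustomobject]@{ Interface = $cfg.InterfaceAlias
                                   Problem   = 'Default gateway does not answer ping'
                                   Detail    = $gw }
            }
        }
    }
    if ($issues) { $issues } else { 'No IP configuration issues found.' }
}

Get-IPConfigurationIssues | Format-Table -AutoSize
```

Some gateways are configured not to answer ICMP, so treat the last check as a hint rather than proof. The book's remedy for the duplicate-address case, switching the adapter to DHCP, is `Set-NetIPInterface -InterfaceAlias '<adapter>' -Dhcp Enabled` in PowerShell.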
An application is experiencing network issues
When this error arises, an application on the server does not respond to network requests. To solve it, verify whether Windows Defender Firewall is enabled, then check that there are rules allowing the traffic that should reach the application.
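The two firewall checks in this chapter, reading the Windows Firewall with Advanced Security log and confirming that an inbound allow rule exists for the application, can both be done from PowerShell. The block below is an added example, not from the book; the program path is a placeholder.

```powershell
# Added example (not from the book): the firewall checks described above.
# 1. Recent events from the same log the Event Viewer steps open.
# 2. Firewall profile state and the enabled inbound allow rules for a program.
# The program path is a placeholder.

function Get-RecentFirewallEvents {
    param([int] $Hours = 24, [int] $MaxEvents = 50)
    $log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-InboundAllowRulesForProgram {
    param([Parameter(Mandatory)] [string] $ProgramPath)

    # Profile state first: an application that "does not respond" is often just a
    # profile whose default inbound action is Block with no matching allow rule.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction |
        Format-Table -AutoSize

    # Rule paths may be stored with %ProgramFiles%-style variables, so expand
    # both sides before comparing.
    $wanted = [Environment]::ExpandEnvironmentVariables($ProgramPath)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            $app.Program -and
            ([Environment]::ExpandEnvironmentVariables($app.Program) -ieq $wanted)
        } |
        Select-Object DisplayName, Profile,
            @{ n = 'Protocol';  e = { ($_ | Get-NetFirewallPortFilter).Protocol } },
            @{ n = 'LocalPort'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort -join ',' } }
}

Get-RecentFirewallEvents -Hours 6
Get-InboundAllowRulesForProgram -ProgramPath 'C:\Program Files\ExampleApp\app.exe'   # placeholder
```

An empty result from the second function, combined with a profile whose default inbound action is Block, is exactly the situation the text describes: the application is running but nothing is allowed to reach it.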
Working with Other Troubleshooting Tools
There are other troubleshooting tools that can be very handy for finding network issues. Such tools include Cacti, Nagios Core, Nagios Network Analyzer, Nagios XI, SolarWinds ipMonitor, SolarWinds Network Traffic Analyzer, and Wireshark.
BOOK 5
MANAGING SECURITY WITH WINDOWS
SERVER 2022
CHAPTER 1
UNDERSTANDING WINDOWS SERVER 2022
SECURITY
Given the number of security breaches recorded around the world in recent times, Microsoft has invested heavily in improving the security of Windows Server.
This chapter deals extensively with security basics. You will learn what you need to know about security in Windows Server 2022.
Understanding Basic Windows Server Security
Keeping your server well secured is an important part of your daily routine. You don't want to have to deal with malware or an attempted data breach at any point, as that can be very frustrating. In this section, I will explain the basic terminology you will encounter and why each concept is important:
Confidentiality, Integrity, and Availability
These three form the acronym CIA, one of the primary concepts in information security. The idea behind the triad is that the closer you move toward one of the three, the farther you move from the other two.
Let us consider what each term should mean to you and how you can make the best use of it:
● Confidentiality: This is best described as keeping data out of the reach of those who shouldn't have access to it. For example, using HTTPS on an important site such as a banking site encrypts the connection, which protects very sensitive information from being read by someone else on the network.
● Integrity: This means the data has in no way been altered or tampered with. Integrity applies both to data stored in a file and to data you are transferring to someone. Potentially malicious changes can be detected by file integrity monitoring software, which records a hash of each file: any change to the file produces a different hash.
● Availability: This is the part of the triad most people are familiar with. You need to ensure that your data is available to your users whenever they need it. If something goes wrong with the system while users depend on it, you will be held responsible for having a backup available and for restoring things in good time.
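The integrity point above is easy to put into practice with the Get-FileHash cmdlet that ships with PowerShell. The block below, an added example and not from the book, takes a SHA-256 baseline of a folder once, stores it, and later reports which files were modified, removed or added. The folder and baseline paths are placeholders.

```powershell
# Added example (not from the book): a minimal file integrity check built on
# Get-FileHash. Baseline once, compare later; a changed file yields a changed
# SHA-256 hash. Paths are placeholders.

function New-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BaselineFile
    )
    Get-ChildItem -Path $Path -File -Recurse |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | ConvertTo-Json | Set-Content -Path $BaselineFile -Encoding UTF8
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $BaselineFile
    )
    $baseline = @{}
    foreach ($e in @(Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)) {
        $baseline[$e.Path] = $e.Hash
    }

    $current = @{}
    foreach ($f in Get-ChildItem -Path $Path -File -Recurse) {
        $current[$f.FullName] = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }

    # Three outcomes matter: modified (hash differs), removed, and new.
    foreach ($p in $baseline.Keys) {
        if (-not $current.ContainsKey($p))      { [pscustomobject]@{ Path = $p; Status = 'Removed'  } }
        elseif ($current[$p] -ne $baseline[$p]) { [pscustomobject]@{ Path = $p; Status = 'Modified' } }
    }
    foreach ($p in $current.Keys) {
        if (-not $baseline.ContainsKey($p))     { [pscustomobject]@{ Path = $p; Status = 'Added'    } }
    }
}

# Usage: baseline once after a known-good deployment, compare on a schedule.
New-HashBaseline     -Path 'C:\inetpub\wwwroot' -BaselineFile 'C:\Baselines\wwwroot.json'
Compare-HashBaseline -Path 'C:\inetpub\wwwroot' -BaselineFile 'C:\Baselines\wwwroot.json'
```

Keep the baseline file somewhere the monitored system cannot write to it; a baseline that an intruder can rewrite tells you nothing.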
Authentication, authorization, and accounting
These are the next terms you should be familiar with. Together they are also called triple A (AAA).
● Authentication: This is how you tell the system who you are. It can be anything from your username and password to a PIN. Without your PIN or password you won't gain access to the system, or to a particular file or piece of data.
● Authorization: This comes right after you have been authenticated. The system checks that you are authorized to use a particular resource before it grants you access to it. This is similar to swiping your card at a door to gain access to a particular building.
● Accounting: Also known as auditing, this is simply keeping a record of when authentication and authorization occurred on a system. Event Viewer can be of immense help here.
Security descriptors
A security descriptor contains the security information associated with a securable object, such as a file. It also holds the security identifier (SID) of the object's owner.
Access Control List
ACLs contain access control entries (ACEs) that grant or deny particular access to users or groups. The Windows Server operating system has two distinct types of ACLs that you should know:
● Discretionary Access Control List (DACL): This type of ACL states the access rights of particular trustees to a securable object. A DACL holds ACEs that are either access-allowed or access-denied ACEs. When a trustee attempts to access the object, the system checks the DACL to determine what level of access is authorized. If a securable object has no DACL associated with it, the system grants full access to every trustee that attempts to access the object.
● System Access Control List (SACL): This ACL controls the generation of audit log entries that record when a trustee tries to gain access to an object. The entries indicate whether the attempt was granted or denied and, if granted, what type of access the trustee was given. SACLs hold system audit ACEs.
Note that by default the SACL is empty, so you need to configure what it should audit. If you have a few servers, configuring them manually is fine, but if you have lots of servers you need Group Policy to configure them. Below are step-by-step instructions on how to turn on auditing with Group Policy:
● In Server Manager, click Tools then choose Group Policy Management.
● Expand the domain by clicking it.
● Select the domain or OU through which you want to apply this policy.
● Right-click the domain name and choose Create a GPO in This Domain, and Link It Here.
● Give the policy a name and click OK.
● Right-click the new policy and select Edit.
● Under Computer Configuration, expand Policies, then Windows Settings, then Security Settings, then Advanced Audit Policy Configuration.
● Double-click Audit Policies to expand it, then double-click Object Access.
● Double-click Audit File System.
● Select the Configure the Following Audit Events check box and choose Success, Failure, or both.
● Finally, click OK.
With that, the Group Policy side of file auditing is set up, but you also need to enable auditing on the folder you want to keep tabs on.
Go to the file server where the folder is and take the following steps:
● Right-click the folder on which you want to enable auditing and click Properties.
● Select the Security tab and then click the Advanced button.
● Choose the Auditing tab, then click Add.
● Click the Select a Principal link, enter a username or group in the dialog box and click OK.
● Change the Type drop-down list to All, then click OK.
● Click OK again to leave the Advanced Security Settings for <folder name> dialog box.
● Finally, click OK once more to leave the Properties dialog box.
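The folder-level part of those steps writes an audit ACE into the folder's SACL, and the result can be both applied and inspected from PowerShell. The block below is an added example, not from the book: it adds the same Success and Failure audit rule the dialog creates, then reads back the three parts of the security descriptor discussed earlier (owner SID, DACL and SACL). The folder path is a placeholder; reading or writing a SACL requires an elevated session.

```powershell
# Added example (not from the book): enable auditing on a folder (its SACL),
# then read back owner SID, DACL and SACL. Folder path is a placeholder.
# Run elevated: SACL access needs the SeSecurityPrivilege.

function Enable-FolderAuditing {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string] $Principal = 'Everyone'     # the "Select a principal" choice
    )
    # Type = All in the dialog is Success + Failure; auditing FullControl covers
    # every access type; the inheritance flags apply the rule to subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure'
    )
    $acl = Get-Acl -Path $Folder -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Show-SecurityDescriptor {
    param([Parameter(Mandatory)] [string] $Folder)
    $acl = Get-Acl -Path $Folder -Audit
    # The descriptor stores the owner as a SID; translate the friendly name back.
    $ownerSid = (New-Object System.Security.Principal.NTAccount($acl.Owner)).
                    Translate([System.Security.Principal.SecurityIdentifier])
    [pscustomobject]@{
        Owner    = $acl.Owner
        OwnerSid = $ownerSid.Value
        DACL     = $acl.Access | Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
        SACL     = $acl.Audit  | Select-Object IdentityReference, AuditFlags, FileSystemRights
    }
}

Enable-FolderAuditing   -Folder 'D:\Shares\Finance'              # placeholder path
Show-SecurityDescriptor -Folder 'D:\Shares\Finance' | Format-List

# The SACL only produces events when the Object Access > File System subcategory
# is enabled (the Group Policy steps above). Confirm the effective setting:
auditpol /get /subcategory:"File System"
```

If `auditpol` reports "No Auditing" for File System, the folder SACL is in place but nothing will ever be written to the Security log; that is the most common reason file auditing "does not work" after the folder steps alone.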
Working with Files and Folders
Working with files on a server is quite simple. You have to learn to control access to your files and folders so that only those you grant access to can use them; this is how you keep them secure. Let us look at the different permissions you can grant a user, and at the conflicts that can arise between NT File System (NTFS) permissions and share permissions:
Setting file and folder security
NTFS gives you the ability to set ACLs, which is a huge improvement over FAT32. While file servers generally rely on NTFS permissions, they also make use of shares. The basic idea of a share is that users can access a directory on the server without needing direct access to the server itself.
NTFS PERMISSIONS
NTFS offers several permissions, which we look at below:
● Full Control: Allows you to read, write, and run files in a folder, and also to change the permissions on them. This is a very high level of access and should only be granted to users who have administrative access.
● Read & Execute: Allows you to open files and run programs, including scripts.
● Read: Allows you to read files, but you cannot make any changes to them.
● Write: Allows you to modify files and write new content to them.
● List Folder Contents: Allows you to see the names of files and folders, but you won't be able to open them.
● Special Permissions: Grants more granular permissions that you set through the Advanced dialog box.
Share Permission
You set share permissions from the Sharing tab of the folder's Properties dialog box:
● Click the Advanced Sharing button.
● Click Permissions.
In the share permissions dialog there are just three levels of permission that can be set:
● Read: Lets you read files only; you cannot change them.
● Full Control: Lets you read files, change them, and delete them. You can also change the permissions set on the file and take over its management.
● Change: Lets you do everything Full Control allows except change permissions.
Effective Permissions
These are the permissions that raise issues. For example, you have set the permissions, but a user reaches out saying they don't have access to their folder. You can use the Effective Permissions tab to quickly check which permissions a user actually has based on the combination of share and NTFS permissions.
Follow the steps below to get to the Effective Permissions tab:
● Right-click the folder you wish to check and choose Properties.
● Select the Security tab.
● Select Advanced.
● Choose the Effective Access tab.
● Click Select a User and enter the username of the person whose permissions you want to check.
● Select View Effective Access.
Paying Attention to Windows Security
The Windows Security app gives you an overview of the security and health status of your system. In it you can check the status of your antivirus software under Virus & Threat Protection, and your firewall settings under Firewall & Network Protection.
Virus & Threat Protection
Microsoft Defender Antivirus is a well-known anti-malware solution. With it you can check for updates and schedule scans to ensure your system is well protected at all times. You can also use Group Policy to enforce the Virus & Threat Protection settings you prefer.
Firewall & Network Protection
The main function of a firewall is to centralize access control. It serves as a gatekeeper between the untrusted internet and the more trusted internal networks. If an outsider or a remote user can reach the internal network without going through the firewall, the firewall is far less effective.
In the Firewall & Network Protection area, you can work with the different profiles in Windows Firewall: there is a private profile and a public profile, and if the system is domain-joined there is also a domain profile.
In this section you can also allow certain apps through the firewall by granting them exceptions, and you can change the notification settings of Windows Firewall.
App & Browser Control
This section helps protect your system by checking applications and files downloaded from the web or from other untrusted sources. By default there is a warning when you are about to install such an application, but you can also change the settings so that applications from any site install freely.
There is also an Exploit Protection screen for closer inspection. It is turned on by default and protects you from several types of exploitation. It includes Data Execution Prevention (DEP), which prevents code from being run from memory pages that are meant for data.
Device Security
This section provides utilities for interacting with the TPM chip and with virtualization-based security. The TPM is a chip on the motherboard that helps generate cryptographic keys and stores half of a key, with the other half saved on the disk. Because of this, a thief cannot steal a hard drive and decrypt it on a different system.
This section also has a Hypervisor-Protected Code Integrity setting that can be used to enable or disable this functionality. It checks that software running in kernel mode, such as drivers, is trustworthy.
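Everything the Windows Security app shows in these four sections can also be read from PowerShell, which is how you would collect it from many servers at once. The block below is an added example, not from the book; each query is wrapped so that a server without a TPM or without the Defender module reports the gap instead of aborting the whole run.

```powershell
# Added example (not from the book): read the state the Windows Security app
# displays (Defender, firewall profiles, DEP, TPM, HVCI) from PowerShell.

function Get-SecurityPosture {
    $result = [ordered]@{}

    # Virus & Threat Protection: engine state and signature age.
    try {
        $mp = Get-MpComputerStatus
        $result.DefenderEnabled    = $mp.AntivirusEnabled
        $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
        $result.SignatureAgeDays   = $mp.AntivirusSignatureAge
    } catch { $result.Defender = "unavailable: $($_.Exception.Message)" }

    # Firewall & Network Protection: one entry per profile (Domain, Private, Public).
    foreach ($p in Get-NetFirewallProfile) {
        $result["Firewall_$($p.Name)"] = "Enabled=$($p.Enabled) InboundDefault=$($p.DefaultInboundAction)"
    }

    # App & Browser Control / Exploit Protection: system-wide DEP setting.
    try {
        $result.DEP = (Get-ProcessMitigation -System).Dep.Enable
    } catch { $result.DEP = "unavailable: $($_.Exception.Message)" }

    # Device Security: TPM presence and readiness.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch { $result.Tpm = "unavailable: $($_.Exception.Message)" }

    # Device Security: is hypervisor-protected code integrity actually running?
    # SecurityServicesRunning contains 2 when HVCI is active.
    try {
        $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
        $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    } catch { $result.Hvci = "unavailable: $($_.Exception.Message)" }

    [pscustomobject]$result
}

Get-SecurityPosture | Format-List
```

Run through `Invoke-Command` against a list of servers, the same function gives you the fleet-wide view the app only gives for one machine.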
Security is of utmost importance. This chapter has covered the basics of security and how to protect files and folders, including share permissions and how to set them. It also shed light on the Virus & Threat Protection features and how you can protect your server with them.
CHAPTER 2
CONFIGURING SHARED RESOURCES
Apart from ensuring that the resources on the system are well protected, you also have to ensure that they are available for use at all times.
In this chapter, we will learn more about shared folder permissions, printer sharing, and other ways of sharing items from your own server. I will also explain Active Directory Federation Services (AD FS) and the roles it plays in protecting the documents you share, either internally or externally.
Comparing Share Security with File System Security
You need a way to make resources available to users without giving them direct access to the servers the resources are on. Simply map a drive to the folder you have shared: the end user sees just another drive, not the folder on the server behind it. Sharing can be confusing because there are two different tabs, one for securing files and the other for sharing them. You will generally set more open access on the Sharing tab and then restrict access with NTFS permissions on the Security tab. The two tabs work hand in hand and you need both to achieve your goal. Note that the Effective Permissions tab can help check that users are getting the permissions they ought to have on shared files and folders.
Shared folders permission
When you create a share, you also create a Universal Naming Convention (UNC) path that lets users reach the shared folder or file. With shares, you can grant users access to folders without granting them the right to log on to the server.
The permissions set on a share are the more open ones; the real restriction is done on the Security tab and enforced by the file system.
File System Security
Adequate security on files and folders prevents unauthorized users from gaining access to data. This is essential for files saved on the hard drive, and it needs little or no additional configuration.
The most common best practice is to set more open permissions on the share and to use NTFS file system permissions to restrict access to the folder. This avoids the difficulty of setting both NTFS and share permissions and keeping the two in sync. NTFS permissions are the ones to use because they offer more flexibility.
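The pattern described in this section and in the previous chapter, an open share permission with the real restriction in the NTFS ACL, looks like this when done from PowerShell. The block is an added example, not from the book; the folder path, share name and group names are placeholders.

```powershell
# Added example (not from the book): create a share the recommended way, with
# Change on the share and the actual restriction in the NTFS ACL. Paths, share
# name and group names are placeholders.

function New-RestrictedShare {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $ReadWriteGroup,   # e.g. CORP\Finance-RW (placeholder)
        [string] $ReadOnlyGroup                              # e.g. CORP\Finance-RO (placeholder)
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }

    # 1. NTFS: stop inheriting from the parent, then grant only what each group needs.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect the ACL, drop inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $none, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $none, $allow)))
    # Modify rather than Full Control: users can work with files but not change the ACL.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ReadWriteGroup, 'Modify', $inherit, $none, $allow)))
    if ($ReadOnlyGroup) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ReadOnlyGroup, 'ReadAndExecute', $inherit, $none, $allow)))
    }
    Set-Acl -Path $Path -AclObject $acl

    # 2. Share: Change for Authenticated Users. This is the looser layer;
    #    NTFS decides who actually reads or writes.
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess 'Authenticated Users' | Out-Null

    # 3. Read both layers back so the two tabs can be compared at a glance.
    [pscustomobject]@{
        Share = Get-SmbShareAccess -Name $ShareName | Select-Object AccountName, AccessRight
        NTFS  = (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights
    }
}

New-RestrictedShare -Path 'D:\Shares\Finance' -ShareName 'Finance' `
                    -ReadWriteGroup 'CORP\Finance-RW' -ReadOnlyGroup 'CORP\Finance-RO'
```

Because the share grants Change rather than Full Control, nobody can alter permissions through the share path even if an NTFS entry is later loosened by mistake; the NTFS ACL remains the single place where access is actually decided.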
Effective Permissions
Effective permissions are the cumulative permissions a user has on a resource, resulting from the permissions granted to the user directly and through group memberships. They can also be described as the permissions a user ends up with from the combination of file system permissions and share permissions. The effective permission a user experiences when accessing a file or folder is based on all the permissions granted to that user, either directly or through group membership. There are rules for resolving clashes between one group and another, or between a user and a group.
If a user belongs to more than one group, and these groups have different NTFS standard permissions on a particular file, the user's access to the file, both locally and over the network, is determined as follows:
● The effective NTFS permission is the least restrictive, that is, the most permissive, NTFS standard permission.
● The exception is that a no-access permission overrides every other permission that might exist.
Also, if a user belongs to more than one group, and these groups have different shared folder permissions on a particular shared folder, the user's access to the shared folder over the network is determined as follows:
● The effective shared folder permission is the least restrictive, that is, the most permissive, shared folder permission.
● The exception is that a no-access permission overrides every other permission.
Lastly, when a user accesses a folder over the network that has both NTFS permissions and shared folder permissions configured, the effective permission is the most restrictive, that is, the least permissive, of the two.
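The three rules above are easy to get backwards in the heat of a support call, so here they are written out as a function. This is an added example, not from the book: the rights within each layer are merged with the most permissive winning and an explicit no-access overriding everything, and the two layers are then intersected with the most restrictive winning. Group names and the sample grants are constructed.

```powershell
# Added example (not from the book): the three effective-permission rules as a
# function. Within a layer, most permissive wins but Deny overrides; across
# layers (network access), most restrictive wins. Sample data is constructed.

function Get-EffectivePermission {
    param(
        [Parameter(Mandatory)] [string[]]  $Groups,        # groups the user belongs to
        [Parameter(Mandatory)] [hashtable] $NtfsGrants,    # group -> rights on the file/folder
        [Parameter(Mandatory)] [hashtable] $ShareGrants    # group -> rights on the share
    )
    # Rank the levels so "most permissive" and "most restrictive" are comparable.
    $rank = @{ 'None' = 0; 'Read' = 1; 'Change' = 2; 'FullControl' = 3 }

    function Merge-Layer([hashtable] $Grants) {
        $best = 'None'; $denied = $false
        foreach ($g in $Groups) {
            foreach ($right in @($Grants[$g])) {
                if (-not $right) { continue }
                if ($right -eq 'Deny') { $denied = $true; continue }   # explicit no-access
                if ($rank[$right] -gt $rank[$best]) { $best = $right }  # least restrictive wins
            }
        }
        if ($denied) { 'None' } else { $best }   # no-access overrides everything else
    }

    $ntfs  = Merge-Layer $NtfsGrants
    $share = Merge-Layer $ShareGrants
    # Over the network both layers apply, so the lower of the two is what the user gets.
    $network = if ($rank[$ntfs] -le $rank[$share]) { $ntfs } else { $share }

    [pscustomobject]@{ LocalNtfs = $ntfs; ShareOnly = $share; OverNetwork = $network }
}

# Constructed sample: a user who is a member of Finance and Staff.
$ntfs  = @{ Finance = @('Change'); Staff = @('Read') }
$share = @{ Finance = @('Read');   Staff = @('FullControl') }
Get-EffectivePermission -Groups 'Finance', 'Staff' -NtfsGrants $ntfs -ShareGrants $share

# Same user, but a third group carries an explicit no-access entry on the share.
$share2 = @{ Finance = @('Read'); Staff = @('FullControl'); Contractors = @('Deny') }
Get-EffectivePermission -Groups 'Finance', 'Staff', 'Contractors' -NtfsGrants $ntfs -ShareGrants $share2
```

The second call shows why Deny entries deserve care: one no-access entry on any group the user belongs to removes access over the network regardless of how generous the other grants are.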
Follow the steps below to get to the Effective Permissions tab and see what it contains:
● Right-click the folder whose permissions you want to check and click Properties.
● Select the Security tab.
● Click Advanced.
● Select the Effective Access tab.
● Enter the user or group you would like to check and click View Effective Access.
Sharing Resources
You might need to share other items, not just files and folders. Below are some of the items you might want to share and how to do so effectively.
Printer
Sharing a printer is easy, and it is done in almost every organization.
Below are the steps to share a printer:
● Click on Settings and then select Devices.
● Select Printers & Scanners.
● Choose the Printer you would like to share, then select Manage.
● Select Printer Properties.
● Select Change Sharing Options.
● Choose the Share This Printer check box and then feel free to choose
any other option you wish to.
● Finally, click on the OK button.
Storage Media
Though rarely, there might be a need to share access to a DVD drive or an external storage device attached to your system.
Get this done with ease by following the steps below:
● Launch File Explorer then select This PC.
● Right-click on the preferred storage Media you want to share and then
click on Give Access To then select the Advanced Sharing option.
● When on the Sharing tab, select the Advanced Sharing button.
● Click on the Share This Folder check box.
● Enter a descriptive share name.
● Select Permissions, add the users or groups who should have access to the drive, then click OK.
● Finally, click on the OK button again.
You can also choose to share other resources and the steps in doing that should
be similar to those already covered.
Configuring Access with Federated Rights
Management
There is more to sharing than files and folders. You might need to share identities with another entity, such as using your on-premises Active Directory to authenticate to the Microsoft Azure portal. When you set up Active Directory Federation Services (AD FS), you are making your credentials usable by Microsoft; put simply, you are federating a trust.
You might also need to keep control over certain files even after you have shared them, or to protect them with password encryption. You can do that with Active Directory Rights Management Services (AD RMS).
I will explain more about AD FS and AD RMS and how they can be configured.
Active Directory Federation Services enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries. AD FS extends the single sign-on functionality available within a single security or enterprise boundary to internet-facing applications, so that customers, partners, and suppliers get a streamlined user experience when accessing an organization's web-based applications.
Setting up a trust is much like granting another organization access to the files on your server. In a way, it is similar to sharing files, and perhaps more.
Follow the steps below to install AD FS:
● In Server Manager, select Add Roles and Features.
● On the Before You Begin screen, select Next.
● On the Select Installation Type screen, select Next.
● On the Select Destination Server screen, select Next.
● On the Select Server Roles screen, choose Active Directory Federation Services, then select Next.
● On the Select Features screen, select Next.
● On the Active Directory Federation Services screen, choose Next.
● On the Confirm Installation Selections screen, select Install.
● Finally, click Close.
Now that you have installed AD FS, you should configure it to make it useful:
● Select the flag in Server Manager and then choose Configure the Federation Service on This Server.
● On the Welcome screen, choose Create the First Federation Server in a Federation Server Farm and then select Next.
● On the Connect to Active Directory Domain Services screen, enter the name of a domain administrator account, then click Next.
● On the Specify Service Properties screen, choose the SSL certificate you would like to use.
● Enter the Federation Service Display Name, then click Next.
● Right-click Start and choose Windows PowerShell.
● Enter the command below and press Enter:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
● Go back to the Active Directory Federation Services wizard, then select OK in the error box.
● Choose Create a Group Managed Service Account, enter the name you would like to use, then select Next.
● On the Specify Configuration Database screen, choose Create a Database on This Server Using Windows Internal Database and then choose Next.
● On the Review Options screen, choose Next.
● On the Pre-requisite Checks screen, select Configure. The installation screen shows the progress and any error it runs into. Upon completion, the message "This server was successfully configured" appears.
● Finally, click Close and restart the server to complete the configuration.
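The same install and first-farm configuration can be scripted, which also makes the KDS root key step explicit instead of something you discover through the wizard's error box. The block below is an added example, not from the book; the federation service name, display name, gMSA name and certificate thumbprint are placeholders, and it assumes an elevated session run as a domain administrator.

```powershell
# Added example (not from the book): AD FS role install and first federation
# server in a new farm, from PowerShell. All names and the thumbprint are
# placeholders. Run elevated as a domain administrator.

$FederationServiceName = 'fs.corp.example'            # placeholder; must match the SSL certificate
$DisplayName           = 'Corp Federation Service'    # placeholder
$GmsaName              = 'CORP\gmsa-adfs$'            # placeholder gMSA name
$Thumbprint            = '<SSL certificate thumbprint>' # placeholder; see Get-ChildItem Cert:\LocalMachine\My

# 1. Role install.
Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# 2. KDS root key. Without one, creating a group managed service account fails,
#    which is the error the wizard shows. Backdating the effective time by 10
#    hours skips the normal replication wait; appropriate for a lab or a
#    single-DC domain, not for production with several domain controllers.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 3. The SSL certificate must already be in the local machine store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# 4. First federation server in a new farm, Windows Internal Database,
#    gMSA as the service account (the cmdlet creates the gMSA if it is missing).
Install-AdfsFarm -CertificateThumbprint        $Thumbprint `
                 -FederationServiceName        $FederationServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -GroupServiceAccountIdentifier $GmsaName `
                 -Credential (Get-Credential -Message 'Domain Administrator account')

# As with the wizard, restart the server afterwards to complete the configuration.
```

The certificate check before `Install-AdfsFarm` is deliberate: the cmdlet fails late if the thumbprint is wrong, after the role is already installed, so catching a missing certificate first saves a reinstall.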
Working with Active Directory Rights Management
Services
AD RMS can augment your organization's security strategy by protecting documents with information rights management (IRM).
AD RMS also enables administrators and individuals, through IRM policies, to set access permissions on presentations, workbooks, and documents. This helps prevent sensitive information from being copied or forwarded by unauthorized individuals or groups. Once a file is restricted with IRM, the access and usage restrictions are enforced wherever the information goes, because the permissions are stored in the document itself.
AD RMS is installed using the Server Manager interface.
Below are the steps to install AD RMS:
● In Server Manager, select Manage and click Add Roles and Features.
● On the Before You Begin screen, select Next.
● On the Select Installation Type screen, choose Next.
● On the Select Destination Server screen, click Next.
● On the Select Server Roles screen, choose Active Directory Rights Management Services, then select Add Features and click Next.
● On the Active Directory Rights Management Services screen, click Next.
● On the Select Role Services screen, accept the default with only AD RMS selected, then click Next.
● On the Web Server Role (IIS) screen, click Next.
● On the Select Role Services screen, accept the default and choose Next.
● On the Confirm Installation Selections screen, select Install.
● Finally, click Close.
With AD RMS installed, it must now be configured. Follow the steps below:
Click the flag in Server Manager and choose the Perform Additional Configuration link.
On the Active Directory Rights Management Services screen, click Next.
On the Create or Join an AD RMS Cluster screen, choose Create a new AD RMS root cluster and click Next.
On the Specify Service Account screen, click Specify, enter the username and password of the AD RMS service account (a dedicated, low-privilege domain account, not the account you are logged on with), click OK and then Next.
On the Specify Cryptographic Mode screen, choose Cryptographic Mode 2 and click Next. Mode 2 uses 2048-bit RSA keys with SHA-256; Mode 1 (1024-bit RSA with SHA-1) exists only for compatibility with old clusters and should not be chosen for a new one.
On the Specify AD RMS Cluster Key Storage screen, choose Use AD RMS centrally managed key storage and click Next.
Choose the website you want to use for AD RMS and click Next.
On the Specify Cluster Address screen, set the Connection Type to Use an SSL-encrypted connection, enter the cluster's fully qualified name and click Next. This name is written into every licence the cluster issues and cannot be changed after provisioning, so choose it carefully.
On the Choose a Server Authentication Certificate screen, select a certificate and click Next.
On the following screen, leave the default Register the SCP now selected and click Next (this requires an account that is a member of Enterprise Admins).
When everything looks right, click Install.
When the installation completes, click Close.
CHAPTER 3
CONFIGURING OPERATING SYSTEM
SECURITY
Server security matters to almost everyone. When your data is secured you have the assurance that not just anyone can reach your files and folders, and that where you do grant access, that access is controlled by permissions.
Windows Server ships with a range of built-in security features that help you protect the system at no additional cost.
In this chapter, I walk through some of these features, briefly describe how they work and how to get the most out of them.
Understanding and Using User Account Control
User Account Control (UAC) is an integral part of Windows security. It serves several purposes, and you should not run a server without it.
Using User Account Control to protect the server
User Account Control helps prevent malicious programs (malware) from damaging a computer and helps an organization deploy better-managed systems. With UAC, tasks and applications run in the security context of a standard (non-administrator) user unless an administrator explicitly authorizes administrator-level access; even an account that is a member of Administrators works with a filtered, standard-user token until it elevates. UAC can also block the automatic installation of unauthorized applications and prevent inadvertent changes to system settings.
You can reduce how often UAC prompts, or disable it outright. I do not recommend disabling it permanently; you can lower how aggressively it prompts users and administrators, but its job is to protect the system, and it is best to let it do just that.
If you want to change the UAC level (or effectively turn it off), use the User Accounts applet in Control Panel. See the instructions below:
Open Control Panel and select User Accounts.
Select User Accounts again.
Choose Change User Account Control settings.
In the User Account Control Settings dialog, move the slider to your preferred level and click OK.
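The slider above writes three registry values. The following script, added here as an example and not taken from the book, reads those values back, maps them to the slider position, and restores the default level if UAC has been switched off or set to elevate administrators silently. It assumes an elevated PowerShell session on Windows Server 2022; the value names and their meanings are the documented UAC policy settings.

```powershell
# Added example (not from the book): read the three registry values behind the
# User Account Control Settings slider, map them back to the slider position, and
# restore the default level if UAC has been switched off or set to auto-elevate.
# Run in an elevated PowerShell on Windows Server 2022.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacDword([string]$Name, [int]$Default) {
    # A missing value means "not configured", which Windows treats as the default.
    $v = (Get-ItemProperty -Path $uacKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { [int]$v }
}

function Get-UacState {
    $enableLua  = Get-UacDword EnableLUA 1                  # 0 = UAC off entirely (reboot needed)
    $adminMode  = Get-UacDword ConsentPromptBehaviorAdmin 5 # 0 = elevate silently, 2 = always prompt,
                                                            # 5 = prompt for non-Windows binaries
    $secureDesk = Get-UacDword PromptOnSecureDesktop 1      # 1 = prompt on the dimmed secure desktop

    $slider = switch ("$adminMode/$secureDesk") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify me only when apps try to make changes (default)' }
        '5/0'   { 'Notify me only when apps try to make changes (do not dim my desktop)' }
        '0/0'   { 'Never notify' }
        default { "Custom ($adminMode/$secureDesk)" }
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminMode
        PromptOnSecureDesktop      = $secureDesk
        SliderPosition             = $slider
        # UAC is only doing its job if it is on AND administrators are actually prompted.
        Effective                  = ($enableLua -eq 1 -and $adminMode -ne 0)
    }
}

$state = Get-UacState
$state | Format-List

if (-not $state.Effective) {
    Write-Warning 'UAC is off or auto-elevates administrators; restoring the default prompt level.'
    Set-ItemProperty -Path $uacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    'A change to EnableLUA takes effect after a restart.'
}
```

The check worth keeping is the Effective flag: a slider at "Never notify" leaves EnableLUA at 1 but sets ConsentPromptBehaviorAdmin to 0, so administrators elevate without any prompt, which is the state the text warns against.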
Managing User Passwords
Today most systems are managed through Active Directory, but you do not need it if you are not in a large organization with many computers; in a small environment passwords can be managed locally.
Credential Manager lets Windows Server 2022 save your web and Windows credentials.
Opening Credential Manager is straightforward:
Open Control Panel.
Click User Accounts.
Click Credential Manager.
With this tool, saving credentials is easy, and you can also back up and restore them. It handles certificate-based credentials as well as Windows credentials. Bear in mind that anything stored here is retrievable by whoever can run code as that user (including an attacker who has compromised the session), so it is a convenience store for a single user, not a vault for shared or high-privilege secrets.
Understanding Credential Guard
Credential Guard is a technology that uses virtualization-based security to stop attackers from stealing credentials out of memory and reusing them in pass-the-hash or pass-the-ticket attacks. It protects the secrets held by the Local Security Authority on a Windows server: NT LAN Manager (NTLM) password hashes, Kerberos Ticket Granting Tickets (TGTs) that are used to request access to resources, and credentials that applications have saved as domain credentials.
The Kerberos, NTLM and Credential Manager components isolate these secrets through virtualization-based security. In earlier versions of Windows, the Local Security Authority (LSA) kept its secrets in its own process memory, where anything running with SYSTEM privileges (a tool such as Mimikatz, for instance) could read them. With Windows Defender Credential Guard enabled, the LSA process in the operating system calls out to a separate component, the isolated LSA process (LsaIso.exe), which stores and protects the secrets. Data stored by the isolated LSA process is protected by virtualization-based security and cannot be read by the rest of the operating system, kernel included; LSA talks to the isolated LSA process through remote procedure calls.
For security reasons, the isolated LSA process hosts no device drivers. It contains only a small subset of operating system binaries that its security function needs and nothing else. All of these binaries are signed with a certificate trusted by virtualization-based security, and the signatures are validated before a file is launched in the protected environment.
Note that Credential Guard was not built to protect credentials stored in Active Directory or in the Security Accounts Manager (SAM). It was designed strictly to protect secrets while they are in use, so that they are not left in ordinary memory where they can be stolen. It also does not stop malware that is already running on the server from using the logged-on user's credentials through the normal authentication interfaces, so it complements least-privilege administration rather than replacing it.
Below are the basic requirements for a system to support Credential Guard:
A 64-bit CPU.
Hardware support for virtualization-based security.
CPU support for virtualization extensions (Intel VT-x or AMD-V) and second-level address translation (SLAT, also called extended page tables).
A TPM, version 1.2 or 2.0 (recommended rather than strictly required; it binds the VBS encryption keys to the hardware).
UEFI firmware that supports Secure Boot, at version 2.3.1.c or later.
A UEFI lock is preferable, though not required. It stops an attacker from disabling Credential Guard simply by changing a registry value: once locked, the setting can only be cleared with physical access to the console at boot time, not remotely.
There are several ways to enable Credential Guard. I will explain the Group Policy and registry methods.
Group Policy
This is a simple method because it takes very few steps:
In Server Manager, click Tools, then Group Policy Management.
Expand Forest and Domains, then expand the domain you want to apply Credential Guard to.
Right-click Group Policy Objects and choose New.
Give the policy a name and click OK.
Expand Group Policy Objects if it is not already expanded, then select the new policy.
Right-click the policy and click Edit.
Navigate to Computer Configuration, Policies, Administrative Templates, System, Device Guard.
Double-click Turn On Virtualization Based Security and choose Enabled.
Under Select Platform Security Level, choose Secure Boot (or Secure Boot and DMA Protection if the hardware supports it).
In the Credential Guard Configuration box, choose Enabled with UEFI lock.
Check the settings and, if they are right, click OK. Link the GPO to the OU containing the servers; the setting takes effect after a restart.
Registry
Group Policy cannot be applied to some systems (stand-alone hosts, for instance). The section below walks through the registry method.
Enabling Virtualization Based Security
This first step is only needed on older operating systems; on Windows Server 2016 and newer you can skip it.
Open Registry Editor: click the Start menu, type regedit.exe and press Enter.
Navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
Add the following DWORDs to the DeviceGuard key by right-clicking DeviceGuard, selecting New and then DWORD (32-bit) Value:
EnableVirtualizationBasedSecurity, set to 1.
RequirePlatformSecurityFeatures, set to 1 to require Secure Boot only, or 3 to require Secure Boot plus DMA protection.
With the DWORDs created, you can then turn on Credential Guard.
Enable Credential Guard
This is the second and final step. Follow the steps below to enable Credential Guard:
● Open Registry Editor and navigate to
○
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
● Add a new DWORD named LsaCfgFlags and set its value to 1 to enable Credential Guard with UEFI lock (a value of 2 enables it without the lock; 0 disables it).
● Finally, close Registry Editor and restart the server.
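The two registry steps above, done from PowerShell, followed by the check a practitioner actually wants after the reboot: is Credential Guard running, or only configured? This is an added example, not the book's own procedure; it assumes an elevated PowerShell on Windows Server 2022 and uses the documented Win32_DeviceGuard WMI class for the status.

```powershell
# Added example (not from the book): apply the registry values from the two steps
# above with PowerShell, then confirm, after the reboot, that Credential Guard is
# actually running and not merely configured. Run in an elevated PowerShell on
# Windows Server 2022.
$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Step 1 (not required on Windows Server 2016 and later, harmless to set):
# RequirePlatformSecurityFeatures 1 = Secure Boot, 3 = Secure Boot + DMA protection.
New-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures    -Value 1 -PropertyType DWord -Force | Out-Null

# Step 2: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled.
New-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -PropertyType DWord -Force | Out-Null

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard reports what is configured versus what is actually running.
    $info = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbs = switch ([int]$info.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' }
        1 { 'Enabled but not running' }
        2 { 'Running' }
    }
    # In SecurityServicesConfigured/Running, 1 = Credential Guard, 2 = HVCI.
    # In AvailableSecurityProperties, 2 = Secure Boot, 3 = DMA protection.
    [pscustomobject]@{
        VbsStatus            = $vbs
        CredGuardConfigured  = [bool]($info.SecurityServicesConfigured -contains 1)
        CredGuardRunning     = [bool]($info.SecurityServicesRunning    -contains 1)
        SecureBootAvailable  = [bool]($info.AvailableSecurityProperties -contains 2)
        DmaProtectionAvail   = [bool]($info.AvailableSecurityProperties -contains 3)
        # LsaIso.exe is the isolated LSA process; it exists only while Credential Guard runs.
        LsaIsoProcessPresent = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List
if ($status.CredGuardConfigured -and -not $status.CredGuardRunning) {
    Write-Warning 'Configured but not running: reboot first; if that does not change it, a prerequisite (Secure Boot, SLAT, UEFI firmware) is missing.'
}
```

Run the script once to set the values, restart, then run it again: CredGuardRunning and LsaIsoProcessPresent should both be True. A server that reports "Enabled but not running" after the restart is the common failure case, and the AvailableSecurityProperties fields tell you which hardware prerequisite is absent.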
Configuring Startup and Recovery Options
These options are set from the Advanced tab of the System Properties dialog box in Windows Server 2022. In the Startup and Recovery dialog you choose which operating system the server boots by default, how long the list of operating systems is displayed, and how long recovery options are displayed. You can also choose what happens on a system failure: whether an event is logged, whether the server restarts automatically, and what kind of memory dump is written.
Follow the steps below:
● Click Start and then the gear-shaped Settings icon.
● Select System, then About.
● Scroll to the bottom of the page.
● Select Advanced system settings.
● On the Advanced tab, click the Settings button in the Startup and Recovery section.
If more than one operating system is installed on the server, you can pick the one to boot in the Startup and Recovery dialog box. As mentioned, you can also have a memory dump written automatically if the system fails and analyse the dump afterwards to find the actual cause of the crash. Treat dump files as sensitive: a complete memory dump contains whatever was in RAM, including credentials, so restrict access to the dump location.
Hardening Your Server
The cryptographic protocols and cipher suites in Windows Server 2022 have been strengthened considerably; TLS 1.3 is enabled by default. New to these terms? Here is what they mean:
Cryptographic protocol
A protocol such as TLS defines how two parties set up and maintain a secure connection: how they agree on keys, authenticate each other and protect the data they exchange.
Cipher suites
A cipher suite is the named set of algorithms a connection uses to exchange keys, authenticate, encrypt and check integrity. Current suites run over Transport Layer Security (TLS); the older Secure Sockets Layer (SSL) protocols are obsolete and should be disabled.
Taking TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as an example, the parts of the suite name are:
● ECDHE: the key exchange, an ephemeral elliptic-curve Diffie-Hellman that produces a fresh shared secret for every session, so recorded traffic cannot be decrypted later even if the server's private key leaks (forward secrecy).
● ECDSA: the digital signature algorithm the server uses, with its certificate, to prove its identity.
● AES_128_GCM: the bulk cipher and mode that encrypt and authenticate the application data.
● SHA256: the hash algorithm used for the handshake's integrity checks and key derivation; the same family of hash is what validates the integrity of a file or a message elsewhere.
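The following script is an added example, not part of the book, of hardening the protocols and cipher suites described above. It uses the Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets of the TLS module that ships with Windows Server and the Schannel registry keys for protocol versions; it assumes an elevated PowerShell session on Windows Server 2022, and the definition of "weak" (no ephemeral key exchange or no AEAD cipher) is the author's choice.

```powershell
# Added example (not from the book): inventory the cipher suites Schannel will
# negotiate on this server, list the ones without an ephemeral (ECDHE/DHE) key
# exchange and an AEAD cipher, and, with -Apply, disable them and switch off TLS 1.0
# and 1.1 on the server side. Run in an elevated PowerShell on Windows Server 2022;
# the TLS module (Get-/Disable-TlsCipherSuite) ships with the OS.
param([switch]$Apply)

function Get-WeakTlsCipherSuite {
    # Anything that is not "ephemeral key exchange + GCM/ChaCha20" or a TLS 1.3 suite.
    Get-TlsCipherSuite | Where-Object {
        $n = $_.Name
        -not ( $n -like 'TLS_ECDHE_*_GCM_*'  -or $n -like 'TLS_ECDHE_*CHACHA20*' -or
               $n -like 'TLS_DHE_*_GCM_*'    -or
               $n -like 'TLS_AES_*'          -or $n -like 'TLS_CHACHA20_*' )
    }
}

$all  = @(Get-TlsCipherSuite)
$weak = @(Get-WeakTlsCipherSuite)
"{0} of {1} enabled cipher suites lack forward secrecy or AEAD:" -f $weak.Count, $all.Count
$weak | Select-Object Name, Exchange, Cipher, Hash | Format-Table -AutoSize

if ($Apply) {
    foreach ($suite in $weak) {
        Disable-TlsCipherSuite -Name $suite.Name
    }
    # There is no cmdlet for protocol versions; Schannel reads these registry keys.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name Enabled           -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
    'Cipher suite changes are immediate; reboot for the protocol change to take effect.'
}
```

Run it without -Apply first and read the list: every suite it names is one that some client of yours may still depend on (old RDP clients and embedded devices are the usual culprits), so check the Schannel event log for negotiated suites before you remove them. Disable-TlsCipherSuite takes effect immediately and survives reboots.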
CHAPTER 4
WORKING WITH THE INTERNET
Security involves more than keeping damaging things out and letting only malware-free traffic in. The way you state which inbound and outbound traffic is acceptable on a Windows server is the Windows Defender Firewall.
In this chapter, I discuss what the Windows Defender Firewall is and how to make the best use of it.
Firewall Basics
Windows Defender Firewall is a stateful host firewall built into all modern versions of Windows. On Windows Server 2022 it is enabled by default, blocking the ports that cause so much damage on unprotected Windows systems.
On a server the firewall ensures that only the services needed for the roles you have chosen are exposed; when a server role or certain server applications are installed, the firewall automatically enables the rule groups that role needs.
Like most firewalls, Windows Defender Firewall applies default deny to inbound connections: if no rule allows a piece of inbound traffic, it is blocked. Outbound connections are allowed by default.
The firewall has profiles that describe the trust level of the network a connection is on. Each network adapter is assigned the profile that matches its current network, and a rule can be enabled on any combination of profiles.
The three profiles of Windows Defender Firewall are:
● Domain: used on networks where the host can authenticate to a domain controller.
● Private: a user-assigned profile for private or home networks.
● Public: for public networks such as Wi-Fi hotspots at airports, coffee shops and other locations, where every other host is untrusted.
Windows Firewall offers public APIs for querying the current profile and for enabling firewall rule groups on particular profiles. Installers should use these APIs to give the best user experience and a clean integration.
It is best to create your rules for all three profiles but enable the rule groups only on the profiles that fit your scenario. For instance, if you install a home media sharing application that should only be used on a private network, create its firewall rules on all three profiles but enable the rule group only on the Private profile.
If the profile currently in use is not one your scenario applies to, inform the user that the firewall rules are not enabled for the current profile and that the application will not work fully until the machine is on a network whose profile the scenario applies to.
Windows Defender Firewall helps prevent malware and attackers from reaching the system over the Internet or the local network. You can enable or disable it, for instance if you have installed a third-party host firewall that you trust more; note that antivirus software is not a firewall and does not replace it. There are three ways to enable or disable Windows Defender Firewall: the graphical user interface (GUI), the command prompt, and PowerShell.
Disabling through the graphical user interface
This is the longest of the three methods because there is no single switch; you turn the firewall off for each profile one after the other.
For the Domain profile, follow the steps below:
● Right-click the Start menu and choose the gear icon to open Settings.
● Choose Update & Security, then Windows Security.
● Under Protection areas, choose Firewall & network protection.
● Choose Domain network.
To disable Windows Defender Firewall, select each profile you want to disable and slide the Windows Defender Firewall toggle, which should currently be on, to off. If you change your mind and want to enable it again, slide the toggle back to on.
Disabling/enabling through PowerShell
This is the simplest method: a one-line command turns the firewall off for all Windows Defender Firewall profiles at once.
To disable the firewall for all profiles:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
To re-enable it:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
To enable or disable just one of the three profiles, give only that profile name instead of all three, for example -Profile Public.
Disabling/enabling through the command prompt
This is also a one-line command that works for all three profiles, just like the PowerShell version.
To disable the firewall for all profiles:
netsh advfirewall set allprofiles state off
To re-enable the firewall for all profiles:
netsh advfirewall set allprofiles state on
To disable or enable just one profile, replace allprofiles with domainprofile, privateprofile or publicprofile.
Configuring Windows Defender Firewall with
Advanced Security
Most of the firewall's configuration (profile defaults, logging and the rules themselves) is only reachable through Windows Defender Firewall with Advanced Security, which Windows Security opens as Advanced settings.
Follow the steps below to get there:
● Right-click the Start menu and click the gear icon to open Settings.
● Choose Update & Security, then Windows Security.
● Under Protection areas, choose Firewall & network protection.
● Scroll down and choose Advanced settings.
Profile Settings
There are several profile settings you can change to tailor Windows Defender Firewall:
● On the Advanced Settings screen,
● right-click Windows Defender Firewall with Advanced Security and choose Properties.
There is a tab for each profile; set each one to suit your environment.
The settings I discuss below are:
● Firewall State: On or Off for the selected profile.
● Inbound connections: there are three options:
○ Block (default): blocks anything that is not permitted by an allow rule.
○ Block all connections: blocks everything regardless of the rules; useful while you are containing an incident.
○ Allow: permits inbound traffic unless a rule blocks it.
● Outbound Connections: there are two options:
○ Block: blocks everything that is not permitted by an allow rule.
○ Allow (default): permits outbound traffic unless a rule blocks it.
● Protected Network Connections: the Customize button lets you pick the network adapters the profile applies to.
● Logging: the Customize button sets the log file location and maximum size, and whether dropped packets and successful connections are logged. Logging of dropped packets is off by default; turn it on, because that log is often the only local record of a scan or a blocked connection attempt.
Creating a Custom rule
Windows Defender Firewall ships with prebuilt rules, but you can create your own when you need something different.
Follow the steps below to create a rule:
● Click Inbound Rules, then New Rule.
● On the Rule Type screen, choose Port and click Next.
● On the Protocols and Ports screen, leave TCP selected, enter the port number of the service you want to expose in the Specific local ports box, and click Next.
● On the Action screen, choose Allow the connection and click Next.
● On the Profile screen, leave Domain checked, uncheck Private and Public, and click Next.
● On the Name screen, give the rule a descriptive name and click Finish.
After creation, narrow the rule further on its Scope tab: an allow rule that is open to any remote address is rarely what a server needs.
There are eight tabs in a rule's properties that you can use to customize it:
● General: change the rule's name, enable or disable it, and choose whether it allows or blocks traffic.
● Programs and Services: restrict the rule to particular programs or services.
● Remote Computers: allow connections only from specified computers (the rule must then require IPsec-authenticated connections).
● Protocols and Ports: refine the protocol, local port and remote port the rule matches.
● Scope: restrict the local and remote IP addresses the rule applies to.
● Advanced: choose the profiles and interface types the rule applies to, and whether edge traversal is allowed.
● Local Principals: restrict the rule to specified local users or groups.
● Remote Users: restrict the rule to specified remote users (again via IPsec authentication).
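The profile settings and the custom inbound rule that the screens above walk through, done with the NetSecurity cmdlets instead, plus an audit for the kind of rule the Scope tab exists to prevent. This is an added example, not the book's own code; it assumes an elevated PowerShell on Windows Server 2022, and the port, the 10.0.0.0/8 subnet, the log path and the rule name are illustrative values.

```powershell
# Added example (not from the book): the profile settings and the custom inbound
# rule that the wizard screens above configure, done with the NetSecurity cmdlets,
# followed by an audit for inbound allow rules open to any remote address.
# Run in an elevated PowerShell on Windows Server 2022. The port, the 10.0.0.0/8
# subnet and the rule name are illustrative values, not settings from the book.

# 1. Profile settings: firewall on for every profile, default-deny inbound, and
#    log dropped packets so the log is useful when you investigate a scan later.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogAllowed False `
    -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Custom inbound rule: TCP 443, Domain profile only, and scoped to the
#    internal subnet (what the wizard leaves for you to do on the Scope tab).
$ruleName = 'Allow HTTPS from corp network (Domain)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Allow -Enabled True `
        -Profile Domain `
        -Protocol TCP -LocalPort 443 `
        -RemoteAddress 10.0.0.0/8 | Out-Null
}

# 3. Audit: enabled inbound allow rules that apply on the Public profile (or all
#    profiles) and accept traffic from any remote address. On a server these are
#    the rules worth a second look.
function Get-OpenInboundRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { "$($_.Profile)" -match 'Any|Public' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            if ("$($addr.RemoteAddress)" -eq 'Any') {
                [pscustomobject]@{
                    Name      = $_.DisplayName
                    Profile   = "$($_.Profile)"
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                }
            }
        }
}

Get-OpenInboundRule | Sort-Object Name | Format-Table -AutoSize
```

Expect the audit to list a number of built-in rules (Core Networking, remote management) that are open by design; the ones to question are application rules added by installers, which often enable themselves on every profile with RemoteAddress Any.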
CHAPTER 5
UNDERSTANDING DIGITAL CERTIFICATES
Certificates are generally accepted as a good thing, but most people do not understand how they work. Most websites use HTTPS, but have you wondered what that means? It is Hypertext Transfer Protocol over TLS (originally SSL, hence the older expansion "HTTP over SSL"): the connection is encrypted, and the server's identity is proved by a certificate.
In this chapter, I explain certificates in general and the role of Active Directory Certificate Services (AD CS).
Certificates in Windows Server 2022
Windows Server 2022 includes AD CS, a server role that issues digital certificates. Certificates have proven over the years to be both more secure and, once deployed, easier to use than passwords. Microsoft built AD CS so that Windows environments could take advantage of them. With AD CS you stand up your own public key infrastructure (PKI), which lets you issue certificates to users and internal systems you trust.
Certificates from third-party CAs can still be installed, and should be used wherever a resource is accessed from outside your organization, since outside clients will not trust your internal root. If a resource is accessed only from inside your organization, it is a prime candidate for a certificate issued by your own PKI.
Cryptography
Cryptography is the study of securing communications against outside observers. An encryption algorithm takes the original message (the plaintext) and turns it into ciphertext that cannot be understood without the key; the key lets the intended recipient decrypt the ciphertext and read the message. The strength of an algorithm and the randomness of its keys are studied carefully so that an attacker cannot guess the key or the algorithm's input. Cryptography is what makes private, trustworthy connections possible at scale, and advances in it make encryption so hard to break that encrypted files, folders and network connections are readable by authorized users only.
There are two basic types of cryptography:
● Symmetric (secret-key) cryptography: data is encrypted and decrypted with the same single key, which makes it the simplest and fastest form of cryptography. The algorithm uses the key in a cipher to encrypt the data and the same key to recover it, so anyone entrusted with the secret key can decrypt the data. Secret-key cryptography is used for both data in transit and data at rest, but on its own it is most common for data at rest, because getting the secret to the other party securely is the hard part: sending it over the same channel as the message would compromise it.
Examples: AES (current), DES (broken; do not use), the Caesar cipher (historical).
● Asymmetric (public-key) cryptography: an encryption scheme in which data is encrypted with one key and decrypted with a different, mathematically related key; the two work only with each other. The relationship is such that the private key cannot be derived from the public key, while the public key can be derived from the private key. The private key must never be distributed and stays with its owner alone; the public key can be handed to any other entity. Examples are RSA, ECC, Diffie-Hellman and DSS (DSA). Asymmetric cryptography is the basis of public key infrastructure (PKI). In practice the two types are combined: the public key protects a short symmetric key and the symmetric key protects the bulk data, because asymmetric operations are far slower.
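The two kinds of cryptography from the list above, side by side and combined the way TLS, EFS and S/MIME combine them. This is an added example, not from the book: an RSACng key pair from .NET stands in for a certificate's keys, the public half wraps a fresh AES key, and only the private half can unwrap it. It runs in Windows PowerShell 5.1 or PowerShell 7 on Windows with no extra modules, and the message is a constructed sample.

```powershell
# Added example (not from the book): the two kinds of cryptography from the list
# above, side by side, in the hybrid form that TLS, EFS and S/MIME actually use.
# An RSACng key pair stands in for a certificate's keys; the PUBLIC key wraps a
# fresh AES key, and only the PRIVATE key can unwrap it. Runs in Windows PowerShell
# 5.1 or PowerShell 7 on Windows with no extra modules. The message is a
# constructed sample.
using namespace System.Security.Cryptography
using namespace System.Text

function Protect-Message {
    param([string]$PlainText, $RecipientPublicKey)   # RSAParameters with public fields only
    # Symmetric part: a random 256-bit key and IV for this message only.
    $aes = [Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $bytes      = [Encoding]::UTF8.GetBytes($PlainText)
    $cipherText = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)

    # Asymmetric part: wrap the AES key with the recipient's public key (OAEP/SHA-256).
    $rsa = [RSACng]::new()
    $rsa.ImportParameters($RecipientPublicKey)
    $wrappedKey = $rsa.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)

    [pscustomobject]@{ WrappedKey = $wrappedKey; IV = $aes.IV; CipherText = $cipherText }
}

function Unprotect-Message {
    param($Envelope, $RecipientPrivateKey)            # RSAParameters including private fields
    $rsa = [RSACng]::new()
    $rsa.ImportParameters($RecipientPrivateKey)
    $key = $rsa.Decrypt($Envelope.WrappedKey, [RSAEncryptionPadding]::OaepSHA256)

    $aes = [Aes]::Create()
    $aes.Key = $key; $aes.IV = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.CipherText, 0, $Envelope.CipherText.Length)
    [Encoding]::UTF8.GetString($plain)
}

# The recipient generates the pair once and hands out only the public half.
$recipient  = [RSACng]::new(2048)
$publicKey  = $recipient.ExportParameters($false)  # Modulus + Exponent only
$privateKey = $recipient.ExportParameters($true)   # adds D, P, Q, ...; never leaves the owner

$envelope = Protect-Message -PlainText 'Q3 payroll export (constructed sample)' -RecipientPublicKey $publicKey
"Recovered: " + (Unprotect-Message -Envelope $envelope -RecipientPrivateKey $privateKey)

# The public key alone cannot unwrap: decrypting with a public-only key fails.
try {
    $pubOnly = [RSACng]::new(); $pubOnly.ImportParameters($publicKey)
    $pubOnly.Decrypt($envelope.WrappedKey, [RSAEncryptionPadding]::OaepSHA256) | Out-Null
    'Unexpected: the public key decrypted the wrapped key'
} catch {
    $e = $_.Exception; if ($e.InnerException) { $e = $e.InnerException }
    "Decrypt with the public key alone failed as expected: $($e.GetType().Name)"
}
```

Two things the example deliberately makes visible: the AES key is generated per message and never travels in the clear, and ExportParameters($false) is the only thing the sender ever receives. What it leaves out, to stay short, is integrity: AES-CBC on its own does not detect tampering, so a real implementation uses AES-GCM or adds an HMAC over the ciphertext, which is exactly what the GCM suites in the previous chapter provide.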
When you need a certificate, you generate a key pair and then a certificate signing request (CSR). The CSR is an encoded structure that carries your public key and the subject details you are asking for, signed with your private key to prove you hold it. The CSR goes to a certificate authority, internal or external, which creates the certificate from it. The private key never leaves you.
There are some concepts that go with certificates:
● CRL: the Certificate Revocation List keeps track of certificates that have been revoked and are therefore invalid. By default, an AD CS base CRL is published every seven days and the delta CRL once a day. A client that cannot fetch the CRL will, depending on its policy, either fail the connection or silently skip the revocation check, so keep the CRL distribution point reachable.
● OCSP: the Online Certificate Status Protocol provides revocation information for a single certificate on request, in near real time. It is an improvement over CRLs alone, since CRLs are only updated on a schedule.
● FQDN: a fully qualified domain name is the hostname plus the domain name.
● CN: the common name appears in the certificate's subject and has traditionally been set to the FQDN. Modern browsers ignore it for name matching and look only at the SAN, so the FQDN must be in the SAN as well.
● SAN: subject alternative names let you include more names in a certificate than just the common name. This is useful when you need to support short names and IP addresses, especially for development. You can add other FQDN​s too, which makes one certificate cover several hosts when you want to avoid a wildcard certificate.
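A request with the FQDN, a short name and an IP address in the SAN, built and checked the way the CSR paragraph and the SAN bullet above describe. This is an added example, not the book's own procedure; it uses the certreq.exe and certutil.exe tools that ship with Windows, assumes an elevated PowerShell on the server that will use the certificate, and the hostnames, IP address, organisation, template and CA name are illustrative.

```powershell
# Added example (not from the book): generate a key pair and a PKCS#10 request
# that carries a Subject Alternative Name extension, using the certreq.exe and
# certutil.exe tools that ship with Windows, and check the decoded request before it
# goes to a CA. Run in an elevated PowerShell on the server that will use the
# certificate. The hostnames, IP address, organisation and CA name are illustrative.
$fqdn  = 'web01.corp.example.com'
$short = 'web01'
$ip    = '10.0.0.25'
$inf   = Join-Path $env:TEMP "$($short).inf"
$req   = Join-Path $env:TEMP "$($short).req"

# certreq INF: key is created in the machine store, non-exportable, RSA-2048/SHA-256.
# KeyUsage 0xa0 = Digital Signature + Key Encipherment (what a TLS server needs).
@"
[NewRequest]
Subject = "CN=$fqdn, O=Example Corp, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
KeyUsage = 0xa0
RequestType = PKCS10
FriendlyName = "$fqdn"

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name; one _continue_ line per name, each ending in &
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$short&"
_continue_ = "ipaddress=$ip&"
"@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and write the CSR; the private key never leaves the key store.
certreq.exe -new $inf $req

# Decode the request and verify every name we need is in the SAN before submitting it.
$dump = certutil.exe -dump $req | Out-String
$expected = [ordered]@{
    "DNS Name=$fqdn"  = "DNS Name=\s*$([regex]::Escape($fqdn))\s*$"
    "DNS Name=$short" = "DNS Name=\s*$([regex]::Escape($short))\s*$"
    "IP Address=$ip"  = "IP Address=\s*$([regex]::Escape($ip))\s*$"
}
$missing = @($expected.Keys | Where-Object { $dump -notmatch "(?m)$($expected[$_])" })
if ($missing.Count) { Write-Warning "Missing from SAN: $($missing -join '; ')" }
else { "SAN complete; submit $req to the CA." }

# Enterprise CA: submit against a template, then bind the issued certificate to its key.
# certreq.exe -submit -attrib "CertificateTemplate:WebServer" -config "ca01.corp.example.com\Corp Issuing CA" $req "$env:TEMP\$($short).cer"
# certreq.exe -accept "$env:TEMP\$($short).cer"
```

The check before submission matters more than it looks: an enterprise CA template can be configured to build the subject from Active Directory and discard what the request asks for, in which case the names you put in the INF never reach the certificate. Decode the issued .cer with certutil -dump the same way before you bind it to a service.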
Types of Certificates in Active Directory Certificate
Services
AD CS issues several kinds of certificates, defined by certificate templates. Templates are only available on a domain-joined enterprise certificate authority (CA); a standalone CA has none.
Below are the types of certificates:
User certificates
As the name implies, these are all about users: they establish a user's identity.
The most common user certificate templates you will run into are:
● User: the template for a traditional authentication certificate. It is often used with two-factor authentication solutions as the second factor after username and password.
● EFS Recovery Agent: this certificate works with the Encrypting File System (EFS); it is used to decrypt data that was encrypted with EFS when the user's own key is no longer available, for example after an accidental deletion of the user's profile. By default, members of the Domain Admins and Enterprise Admins groups can enrol for this certificate.
● Key Recovery Agent: this certificate is used to recover archived private keys, assuming the CA has been configured to archive them and allow recovery. It should be issued sparingly, because whoever holds it can retrieve private keys and, by extension, decrypt anything encrypted to the matching certificates.
Computer
Computer certificates are similar to user certificates in that they verify identity; the difference is that they verify the identity of a machine rather than a user.
Below are some of the more common computer certificate templates and what they are used for:
● Computer: this template serves both workstations and servers. It is most often used for VPNs, to determine whether a system is authorized, and it can also be used for encryption. By default the subject name is built from Active Directory, though it can be supplied manually.
● Domain Controller: this template is used for both client and server authentication and for smart card logon support. It differs from the Computer template in that it is designed to facilitate secure replication between domain controllers.
CHAPTER 6
INSTALLING AND CONFIGURING AD CS
You will certainly need to work with certificates some day. If you are in charge of your own Windows public key infrastructure (PKI), you will almost certainly be using Active Directory Certificate Services (AD CS). Recall that certificates are used to prove identity or to encrypt data. Because certificates from third-party CAs can be costly in volume, most organizations run their own PKI for internal use.
In this chapter, I talk specifically about AD CS: certificate authorities, and how to install and configure them.
Introducing Certificate Authority Architecture
Whatever you want to do, you need a plan, and building a PKI is no exception. The PKI you build should meet your organization's needs, from encrypting credentials to securing replication and much more.
Important decisions include whether the root CA is an offline (standalone) CA or an enterprise CA, how many issuing CAs you need, and whether you need a separate policy CA.
Below I describe the CA roles you may need and why.
Root certificate authorities
The root CA is the first level of trust for all certificates in the hierarchy: for validation it is the top of the certificate chain, and it is the only CA whose certificate is self-signed.
A root CA should not issue day-to-day certificates. At the barest minimum, have one root CA and one issuing CA; the root CA's only job is to issue the subordinate CA certificate to the issuing CA.
If the root CA is kept offline it cannot be attacked over the network, which makes it the most secure kind of root CA. It is brought online only to issue a subordinate CA certificate to an issuing CA or to sign a fresh certificate revocation list (CRL), after which it is shut down again.
Although an offline root is the most secure option, its downside is that its certificate has to be distributed through Group Policy and its CRLs published manually, since an offline root is normally a standalone (non-domain) CA with no Active Directory integration.
If you have no strict regulatory requirements around safeguarding your PKI, an enterprise root CA is the simplest option. Because it is joined to Active Directory, it publishes its own certificate and CRLs automatically and needs very little manual work; the trade-off is that the key that anchors all trust in the hierarchy is permanently online.
Policy certificate authorities
A policy CA is a special kind of CA, mostly seen in very large enterprises. Policy CAs define and enforce the policies and procedures by which the identity of certificate holders is validated, and by which the CAs below them in the hierarchy are secured.
Installing a Certificate Authority
This is the next step after you must have planned out how you want your PKI
architecture to look. I will be discussing all the steps in installing a certificate
authority;
Creating the CAPolicy.inf file
For the certificate authority you would like to build, it is best to make use of
a CAPolicy.inf file. It fixes a lot of the basic parameters, including the
renewal settings and the validity length. It applies to the CA's own certificate
and its renewal, not to the renewal of the other certificates the CA issues.
Creating this file is very simple, but there is a lot that can be configured in
CAPolicy.inf, so do your research to fully determine what the settings in the
file should be. Take note of the validity periods as well: the certificate
authority's validity should not be extremely long, but at the same time it
should not be too short. Issued certificates shouldn't have a longer validity
period than the CA that issued them.
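As an added example (not from the book), the following PowerShell writes a CAPolicy.inf suitable for an offline root CA into %SystemRoot% before the AD CS configuration wizard runs, then checks the file. The section and key names are the ones AD CS reads; the lifetimes, the file path and the check function are illustrative choices of mine, not required values.

```powershell
# Added example (not from the book): write a CAPolicy.inf for an offline root
# CA before running the AD CS configuration wizard. AD CS reads the file from
# %SystemRoot%\CAPolicy.inf when the CA is installed and when its own
# certificate is renewed; it does not apply to certificates the CA issues.
# The lifetimes below are illustrative choices, not required values.

# Single-quoted here-string so "$Windows NT$" is written literally
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
; Parameters for the CA's own key and certificate at install and renewal
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; Base CRL lifetime. An offline root publishes CRLs by hand, so a long period
; with no delta CRL keeps the manual publishing burden small; re-publish well
; before this window ends or chain validation starts failing.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Keep PKCS#1 v1.5 signatures for broadest client compatibility
AlternateSignatureAlgorithm=0

; A root certificate is trusted directly, so it needs no CDP/AIA pointers
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

$path = Join-Path $env:SystemRoot 'CAPolicy.inf'
Set-Content -Path $path -Value $caPolicy -Encoding Ascii

function Test-CAPolicyFile {
    # Sanity-check the file AD CS will read: the [Version] header is present,
    # and the CA's own validity is not shorter than the issued-certificate
    # lifetime you plan to set afterwards (issued certs must not outlive the CA).
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'CAPolicy.inf'),
        [int]$PlannedIssuedCertYears = 2
    )
    $text = Get-Content -Path $Path -Raw
    $hasVersion = ($text -match '(?m)^\[Version\]\s*$') -and
                  ($text -match 'Signature="\$Windows NT\$"')
    $caYears = if ($text -match '(?m)^RenewalValidityPeriodUnits=(\d+)') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{
        Path               = $Path
        HasVersionHeader   = $hasVersion
        CAValidityYears    = $caYears
        IssuedFitsInsideCA = ($caYears -ge $PlannedIssuedCertYears)
    }
}

Test-CAPolicyFile -PlannedIssuedCertYears 2
```

The lifetime of certificates the CA issues is not set in CAPolicy.inf; after installation it is set on the CA with certutil -setreg CA\ValidityPeriodUnits, which is why the check compares the planned issued-certificate lifetime against the CA's own validity.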
Installing the root certificate authority
This is the first step in establishing your PKI. You can do this with Active
Directory Certificate Services (AD CS). The installation process for an offline
root CA and for an enterprise root CA is quite similar. Below are the steps to
install them;
Offline root certificate authority
As said earlier, this is the most secure form of root CA, though it also needs
some manual work.
Follow the steps below to have it installed;
● Locate Server Manager, choose Manage then select the Add Roles and
Features option.
● When on the Before You Begin screen, click on Next.
● On the Select Installation Type screen choose Next.
● On the Select Server Roles screen select Active Directory Certificate
Services then click on Add Features and click on Next.
● On the Active Directory Certificate Services screen, choose Next.
● On the Confirm Installation Selections screen, select Install.
● Upon the completion of the installation, click on the Close button.
● Choose the flag at the top of Server Manager and choose Configure
Active Directory Certificate Services on the destination server.
● On the Credentials screen, input an account that can be found in the
Local Administrators group on the server then click on Next.
● On the Role Services screen, ensure Certification Authority is selected,
then click on Next.
● On the Setup Type Screen, choose Standalone CA then click on Next.
● On the CA Type Screen, choose Root CA then click on Next.
● On the Private Key screen, choose the Create a New Private Key option
and then click Next.
● When on the Cryptography for CA screen, make sure that the length of
your key is a minimum of 2048 then choose SHA256 for certificate
signing.
● On the CA Name Screen, make changes to the Common Name to any
name of your choice then select Next.
● When in the Validity Period screen, make use of the 5 years default and
click Next.
● On the CA Database screen, choose Next.
● When on the Confirmation screen, choose the Configure option.
● Click on the close option.
Enterprise root certificate authority
The enterprise root certificate authority is always joined to the Windows
domain and it is left powered on. It publishes CRLs automatically via Active
Directory.
Go through the steps below to install it;
● From the section above, follow the same instructions up to and including
the Role Services step.
● When on the Setup Type screen, choose Enterprise CA then click on
Next.
● On the Private Key screen, choose Create a New Private Key option
and then click on the Next button.
● On the Cryptography for CA screen, make sure the length is also of a
minimum of 2048 then choose SHA256 for certificate signing.
● When on the CA Name screen, alter the Common Name to the name you
prefer and click on Next.
● On the Validity Period screen, accept the default 5-year period, then
select Next.
● On the Confirmation screen, choose Configure.
● Finally, choose the Close option.
Installing the issuing certificate authority
Once you have created your root CA, you have done the most important thing.
Next, you need an issuing CA, which is the CA that will actually issue your
certificates.
Follow the steps below once you have created your root CA;
● As above, follow the same instructions up to and including the Role
Services step.
● On the Setup Type screen, choose Enterprise CA and click Next.
● On the CA Type screen, choose Subordinate CA then choose Next.
● On the Private Key screen, choose Create a New Private Key, then
select Next.
● On the Cryptography for CA screen, make sure the key length is a
minimum of 2048, then choose SHA256 for certificate signing.
● On the CA Name screen choose a common name for your certificate
authority then click on Next.
● When you are on the Certificate Request screen, choose Send a
Certificate Request to a Parent CA, click the Select button, choose the
root CA and then click on the OK button.
● On the Certificate Request screen choose Next.
● On the CA Database screen, choose Next.
● On the Confirmation screen, click Configure.
● Finally, click on the Close button.
With an enterprise CA, you can enroll for certificates from any machine you
happen to be on. With the web enrollment interface, you can have a certificate
issued from a certificate signing request (CSR) that you generated beforehand.
You can add the web enrollment piece to your enterprise issuing CA.
Follow the steps below to do that;
● Locate the Server Manager and choose Manage then click on Add
Roles and Features.
● On the Before You Begin screen click on Next.
● On the Select Installation Type screen choose Next.
● On the Select Destination Server screen choose Next.
● On the Select Server Roles screen, have the Active Directory Certificate
Services expanded.
● Choose Certificate Authority Web Enrollment.
● Click on Add Features and click Next.
● On the Select Features screen, click on Next.
● On the Web Server Role (IIS) screen, select Next.
● On the Select Role Services screen click on Next.
● On the Confirm Installation Selections screen select Next.
● Upon completion of installation, click on the Configure Active
Directory Certificate Services on the Destination Server link.
● On the Credentials screen, provide the credentials of an account in the
local Administrators group, then click Next.
● Click the checkbox for the Certification Authority Web Enrollment and
then click on Next.
● On the Confirmation screen choose the Configure option.
● On the Results screen, choose the Close option.
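The same root CA, issuing CA and web enrollment setup as the three wizard procedures above, driven from PowerShell, as an added example that is not from the book. The CA names, the C:\PKI paths and the server name in the -ParentCA comment are placeholders of mine; the 2048-bit RSA key, SHA-256 and the 5-year root lifetime mirror the wizard values in the text. It also covers the case the wizard steps do not: when the root is offline, the subordinate's request has to be written to a file and carried across by hand instead of being sent to a parent CA.

```powershell
# Added example (not from the book): the root CA, issuing CA and web enrollment
# wizard steps above, driven from PowerShell. Run each part on the server named
# in its heading as an administrator. CA names and file paths are placeholders;
# 2048-bit RSA, SHA-256 and the 5-year root lifetime mirror the wizard values.

# --- Root CA (on the root CA server) -----------------------------------------
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Offline (standalone) root on a workgroup server. For an enterprise root on a
# domain-joined server use -CAType EnterpriseRootCA; all other parameters stay.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Corp-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# --- Issuing (subordinate) CA (on the domain-joined issuing server) -----------
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# With an online enterprise root, -ParentCA 'rootserver\Corp-Root-CA' submits
# the request and gets it issued in one step (the wizard's "Send a certificate
# request to a parent CA"). With an offline root the request must go to a file
# and be carried across by hand, which is the case shown here.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'Corp-Issuing-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile 'C:\PKI\Corp-Issuing-CA.req' `
    -Force

# On the offline root: submit the .req, issue it in the CA console, and
# retrieve the issued certificate (certreq -submit / certreq -retrieve also work).
# Back on the issuing CA, install that certificate and start the service:
#   certutil -installcert C:\PKI\Corp-Issuing-CA.cer
#   Start-Service certsvc

# --- Web enrollment (on the issuing CA) --------------------------------------
Install-AdcsWebEnrollment -Force

# --- Checks -------------------------------------------------------------------
certutil -ping            # the CA request interface answers
certutil -cainfo name     # the CA's configured name
certutil -cainfo type     # 'Enterprise Subordinate CA' on the issuing server
```

The root's own certificate and CRL still have to reach domain members when the root is offline; that is the Group Policy distribution and manual CRL publishing the text mentions, and certutil -dspublish is the usual way to push both into Active Directory from a domain-joined machine.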
Configuring Certificate Auto-Enrollment
There may be a need to enable auto-enrollment for some of your certificates. A
common example is user certificates that users need for a virtual private
network. I will explain how to set up the user certificate template so that it
auto-enrolls.
To complete this process, you begin by setting up the certificate template
itself.
Follow the steps below to set up a template that auto-enrolls the Domain Users
group.
● Locate the Server Manager then click on Tools then Certification
Authority.
● Click twice on the CA Name in order to have it expanded.
● Right-click Certificate Templates and then choose the Manage option.
● Choose the User certificate template then right-click it and select
Duplicate Template.
● When on the Compatibility tab, ensure you make changes to the
Certification Authority drop down and set it at the lowest server/desktop
version you have.
● Choose the option of the General tab and then ensure you give the
template a meaningful name.
● Choose the Security tab.
● Choose Domain Users and then ensure you check Read and Autoenroll.
● Click on the OK button.
● Leave the Certificate Templates Console by clicking on the X button
located in the upper right corner of the screen.
● Right-click Certificate Templates again then choose New then Certificate
Templates to Issue.
● Choose your new VPN User Cert then click OK.
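The template steps above make Domain Users eligible to auto-enroll, but nothing is enrolled until the client-side auto-enrollment policy is turned on as well; the following is an added example (not from the book) that enables that policy in a GPO with PowerShell and then lists the certificates a user actually received. The GPO name is a placeholder of mine, the template name is the one the text uses, and the Group Policy and Active Directory RSAT modules are assumed to be installed. The Template column shows the template's OID when Windows cannot resolve its display name locally, so the default filter of '*' lists every template-based certificate.

```powershell
# Added example (not from the book): the template steps above make Domain Users
# eligible to auto-enroll, but nothing is enrolled until the client-side policy
# (Certificate Services Client - Auto-Enrollment) is turned on as well. This
# enables that policy in a GPO, then lists the certificates a user received.
# GPO name is a placeholder; GroupPolicy and ActiveDirectory modules assumed.

Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName      = 'Corp-User-Cert-AutoEnrollment'   # placeholder
$templateName = 'VPN User Cert'                    # display name used in the text

# The policy is stored as a bit mask: 1 = enabled, 2 = renew expired / remove
# revoked, 4 = update certificates that use templates. 7 = all three checked.
$aeKey = 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment'

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy' `
    -Type DWord -Value 7 | Out-Null

# Link at the domain root so every user gets it; narrow the target to an OU
# if only some users should receive VPN certificates.
$target = (Get-ADDomain).DistinguishedName
if (-not ((Get-GPInheritance -Target $target).GpoLinks.DisplayName -contains $gpoName)) {
    New-GPLink -Name $gpoName -Target $target | Out-Null
}

function Get-AutoEnrolledCertificate {
    # Run in the user's own session: trigger an enrollment pass now rather than
    # waiting for the next policy refresh, then return the user's certificates
    # that carry a certificate-template extension, with the template shown.
    param([string]$TemplateDisplayName = '*')
    certutil -user -pulse | Out-Null
    $tmplOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # v2 and v1 template extensions
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $tmplOids -contains $_.Oid.Value } | Select-Object -First 1
        if ($ext) {
            [pscustomobject]@{
                Subject  = $_.Subject
                Issuer   = $_.Issuer
                NotAfter = $_.NotAfter
                Template = ($ext.Format($false) -replace '\s+', ' ')
            }
        }
    } | Where-Object { $_.Template -like "*$TemplateDisplayName*" }
}

Get-AutoEnrolledCertificate -TemplateDisplayName $templateName
```

If the list stays empty after a gpupdate /force, the usual causes are the template not yet being published on the CA (the "Certificate Templates to Issue" step) or the user lacking both Read and Autoenroll on it.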
CHAPTER 7
SECURING YOUR DNS INFRASTRUCTURE
The DNS (Domain Name System) is a basic requirement of Active Directory, and it
is also what makes working with the network easier. With DNS there is no need to
remember IP addresses; if you can recall the names alone, that is enough.
This chapter explains how to secure your DNS infrastructure with DNS Security
Extensions (DNSSEC) and with DNS-based Authentication of Named Entities (DANE).
Understanding DNSSEC
DNSSEC strengthens authentication in DNS with digital signatures based on
public-key cryptography. With DNSSEC, it is not the DNS queries and responses
themselves that are signed; rather, the DNS data is signed by the owner of the
data.
DNSSEC was designed to prevent attackers from taking control of the DNS lookup
process, and so to protect users from being directed to the addresses of
malicious servers.
When you digitally sign the zones in your DNS infrastructure, users can be
assured that their systems are receiving valid responses from the DNS servers.
There are two basic keys you need to be aware of as regards DNSSEC.
They are;
● Key Signing Key (KSK): a long-term key used to sign the zone's DNSKEY
record set (which contains the ZSK), so that validators can verify the
DNSKEY records.
● Zone Signing Key (ZSK): a short-term key used to sign the actual DNS
records in the zone.
DNSSEC introduces new record types for it to work with, and these carry the new
cryptographic data.
Below are some of the records you will encounter;
● DNSKEY: this record holds the public key of either the ZSK or the KSK.
● DS: the Delegation Signer record transfers trust from a parent zone to a
child zone, which is what allows the child zone to be DNSSEC enabled.
● NSEC: in plain DNS, a query for a name that does not exist simply gets an
empty answer back, and there is no way to authenticate that denial. NSEC
records give an authenticated negative answer by naming the next secure
record that does exist in the zone.
To make use of DNSSEC, you need to enable it and then configure it. Begin by
signing the DNS zone. To do this, your system must have the DNS Manager
administrative tool installed.
Follow the steps below;
● Locate Server Manager, then choose Tools, then DNS.
● Have your server and Forward Lookup Zones expanded, then choose the
preferred domain on which you would like to have the DNSSEC enabled.
● Right-click on the domain, then click DNSSEC and then Sign the Zone.
● Choose Next.
● When on the Signing Options screen, choose Customize Zone Signing
Parameters then click on Next.
● On the Key Master Screen, choose the DNS Server and then click Next.
● On the Key Signing Key Screen, click on Next
● On the second Key Signing Key Screen, click Add.
● Accept the default KSK settings then click on the OK button.
● Click Next.
● On the Zone Signing Key Screen, click on Next.
● On the second Zone Signing Key Screen, choose Add.
● Have the length field of the key changed to 2048 then click OK.
● Select Next.
● On the Next Secure (NSEC) screen, choose Use NSEC3 then click on
Next.
● On the Trust Anchors screen, select the Enable the Distribution of
Trust Anchors for This Zone check box, leave the other check boxes
checked, then click on Next.
● On the Signing and Polling Parameters screen, set the DS record
generation algorithm to SHA-256 only.
● Click on Next.
● On the final screen, click Next.
● Once the zone has been signed, click on the Finish button.
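The zone-signing wizard above, done with the DnsServer module on the key master, followed by the checks a practitioner would run afterwards, as an added example that is not from the book. The zone name and the export folder are placeholders of mine; the 2048-bit RSA/SHA-256 keys, NSEC3, trust-anchor distribution and the SHA-256 DS algorithm are the wizard choices from the text. The ordering (zone settings and keys first, then a sign without -SignWithDefault so the custom settings are used) is how I understand the custom-parameters path; a zone signed with -SignWithDefault would ignore them.

```powershell
# Added example (not from the book): the zone-signing wizard steps above, done
# with the DnsServer module on the key master, followed by checks. The zone
# name and export folder are placeholders; key lengths, NSEC3, trust-anchor
# distribution and the SHA-256 DS algorithm match the wizard choices.

Import-Module DnsServer
$zone      = 'corp.example.com'   # placeholder
$exportDir = 'C:\dnssec'          # placeholder: where the DS set for the parent is written

# Zone-wide DNSSEC settings: NSEC3 denial of existence, distribute the trust
# anchor to other DNS servers, and generate SHA-256 DS records only
Set-DnsServerDnsSecZoneSetting -ZoneName $zone `
    -DenialOfExistence NSec3 `
    -DistributeTrustAnchor DnsKey `
    -DSRecordGenerationAlgorithm Sha256

# Keys: the long-lived KSK and the shorter-lived 2048-bit ZSK (RSA/SHA-256)
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048

# Sign the zone with the keys and settings configured above (the wizard's
# "Customize zone signing parameters" path; -SignWithDefault would ignore them)
Invoke-DnsServerZoneSign -ZoneName $zone -Force

function Test-ZoneIsSigned {
    # Report whether the zone is signed and what a validator will see in it
    param([string]$ZoneName)
    $z       = Get-DnsServerZone -Name $ZoneName
    $dnskeys = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType DnsKey -ErrorAction SilentlyContinue)
    $nsec3   = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NSec3 -ErrorAction SilentlyContinue)
    $setting = Get-DnsServerDnsSecZoneSetting -ZoneName $ZoneName
    [pscustomobject]@{
        Zone              = $ZoneName
        IsSigned          = $z.IsSigned
        DnsKeyRecords     = $dnskeys.Count     # expect 2: one KSK, one ZSK
        UsesNsec3         = ($nsec3.Count -gt 0)
        DsDigestAlgorithm = $setting.DSRecordGenerationAlgorithm
    }
}
Test-ZoneIsSigned -ZoneName $zone

# From a resolver's point of view: set the DO bit and expect RRSIG records
# to come back alongside the DNSKEY set
Resolve-DnsName -Name $zone -Type DNSKEY -DnssecOk -Server localhost |
    Select-Object Name, Type, TTL

# The delegation-side half of the chain: export the DS set (SHA-256 digests)
# to hand to whoever runs the parent zone
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path $exportDir -DigestType Sha256 -NoDnsKey -Force
```

Signing the zone on its own only lets resolvers validate it if they already trust the zone's key; until the DS set is published in the parent zone (or installed as a trust anchor on the resolvers), the chain of trust stops at your zone.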
Understanding DANE
DANE is a security protocol that goes beyond standard HTTPS in securing the
chain of trust between the server, the certificate authority, the certificate
and the user.
DANE works only when DNSSEC has been enabled. DANE lets the browser check a
TLSA record for the fingerprint of a certificate that the domain owner has
published as trusted. That fingerprint can be the intermediate CA that issued
the server's certificate, or it can be the fingerprint of the server's
certificate itself.
DANE adds an extra layer by letting the administrator of a domain name state
which certificate authority is allowed to issue certificates for the
organization's domain, and it provides a way to authenticate client and server
certificates against that authority. With this in place, an attacker who obtains
a certificate from some other certificate authority cannot pass it off as the
domain's own. DNSSEC is required for the whole process to work.
To make use of DANE you have to configure it, and configuration consists of two
parts: generating the TLSA record and then installing it.
Follow the steps below to have the TLSA record generated;
● Open a browser and go to the site you would like to protect
● Select the padlock icon in the URL bar and then choose View
Certificates.
● When the certificate properties screen comes up, choose the Details tab.
● Select the Copy to File button.
● On the Welcome to the Certificate Export Wizard screen, choose
Next.
● On the Export File Format screen, choose Base-64 encoded then click
on Next.
● On the File to Export screen, choose Browse and then choose a name
and location you prefer for the file then click OK.
● Click on Next.
● On the Completing the Certificate Export Wizard Screen, click on the
finish button
● Open a browser and go to https://www.huque.com/bin/gen_tlsa
● In the first three fields displayed, accept the default selections
● Select the start menu then click on Windows Accessories then click on
Notepad.
● Open the certificate you exported in Notepad by selecting File, then
Open, and choosing the exported certificate file.
● Copy the text from the file, starting with the -----BEGIN CERTIFICATE-----
line and ending with the -----END CERTIFICATE----- line.
● Return to the TLSA generator page and paste the text into the
Enter/Paste PEM Format X.509 Certificate Here box.
● For the port number, insert whatever is applicable.
● Insert the transport protocol and the name of the domain.
● Finally, click on the Generate button.
Upon completion of the generation step, you are ready to install the record.
Follow the steps below to have the TLSA record installed seamlessly;
● Right-click on the Start menu and choose Windows PowerShell (Admin).
● Enter the command below in the PowerShell window on one line, substituting
your zone, the record name and the full hash the generator produced (the
example hash is shown truncated):
○ Add-DnsServerResourceRecord -TLSA -ZoneName "(insert the zone of the site
you protected above)" -Name "(_port._protocol.host, for example
_443._tcp.www)" -CertificateUsage DomainIssuedCertificate -MatchingType
Sha256Hash -Selector FullCertificate -CertificateAssociationData
"9933c1848f2f492f4715abff9e79f74025fdd219a2..."
● With the above step, the TLSA record is now installed.
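The generate-and-install procedure above, as an added example that is not from the book: instead of pasting the certificate into a web form, the association data is computed locally (the SHA-256 digest of the DER-encoded certificate, which is what usage 3 / selector 0 / matching type 1, the DomainIssuedCertificate, FullCertificate and Sha256Hash values in the command above, mean) and the record is then published and read back with the DnsServer module. The zone, host label and certificate path are placeholders of mine; the exported file can be the Base-64 file from the export wizard or a DER .cer.

```powershell
# Added example (not from the book): compute the TLSA association data locally
# instead of pasting the certificate into a web form, then publish it with the
# DnsServer module. DomainIssuedCertificate / FullCertificate / Sha256Hash are
# the values the command above uses (TLSA usage 3, selector 0, matching type 1).
# Zone, host label and certificate path are placeholders.

function Get-TlsaAssociationData {
    # Returns the lowercase hex SHA-256 of the DER-encoded certificate
    # (selector 0 = full certificate, matching type 1 = SHA-256).
    param([Parameter(Mandatory)][string]$CertificatePath)
    # The X509Certificate2 constructor loads DER (.cer) and Base-64 PEM files alike
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    try   { $hash = $sha.ComputeHash($cert.RawData) }
    finally { $sha.Dispose() }
    ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

$zone      = 'example.com'                      # placeholder: the DNSSEC-signed zone
$hostLabel = 'www'                              # placeholder: the protected host in that zone
$port      = 443
$certPath  = 'C:\exports\www-example-com.cer'   # placeholder: the file exported above

$data = Get-TlsaAssociationData -CertificatePath $certPath

# TLSA owner name is _<port>._<protocol>.<host>; -Name is relative to the zone
$tlsaName = "_$port._tcp.$hostLabel"

Import-Module DnsServer
Add-DnsServerResourceRecord -TLSA -ZoneName $zone -Name $tlsaName `
    -CertificateUsage DomainIssuedCertificate `
    -Selector FullCertificate `
    -MatchingType Sha256Hash `
    -CertificateAssociationData $data

function Test-TlsaMatchesCertificate {
    # Read the record back from the server and confirm it still matches the
    # certificate on disk; run this after every renewal.
    param([string]$ZoneName, [string]$RecordName, [string]$CertificatePath)
    $expected = Get-TlsaAssociationData -CertificatePath $CertificatePath
    $records  = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType Tlsa -ErrorAction SilentlyContinue)
    $published = $records | ForEach-Object { $_.RecordData.CertificateAssociationData.ToLower() }
    [pscustomobject]@{
        Record    = "$RecordName.$ZoneName"
        Published = $published
        Expected  = $expected
        Matches   = ($published -contains $expected)
    }
}
Test-TlsaMatchesCertificate -ZoneName $zone -RecordName $tlsaName -CertificatePath $certPath
```

A full-certificate match (selector 0) stops matching the moment the certificate is renewed, even if the key is reused, so the record has to be regenerated with every renewal; selector 1 (SubjectPublicKeyInfo) survives renewals that keep the same key pair, at the price of no longer pinning the certificate's other fields.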
Protecting DNS Traffic with DNS-over-HTTPS
Recall that DNS stands for Domain Name System, and that its task is to map the
names of web domains to the information (such as IP addresses) associated with
them. It is, in effect, the fundamental address book of the internet.
DNS over HTTPS (DoH) is an internet security protocol that carries DNS queries
and responses in encrypted form inside HTTPS connections, so that they cannot
be read or altered in transit.
Below are the steps to enable DoH in Windows Server 2022;
● Select the Start Menu then choose settings.
● Choose Network & Internet then choose Ethernet.
● Choose your preferred network adapter on which you want to have the
DoH enabled.
● Move downwards to DNS settings then choose the Edit option.
● Beneath DNS Encryption, select your preferred option.
● Finally, click on the Save button.
You can also use Group Policy to enable DoH. Go through the settings below;
● Launch Server Manager.
● Select Tools, then choose Group Policy Management.
● Right-click on Default Domain Policy and select Edit.
● Go to Computer Configuration\Policies\Administrative Templates\Network\DNS
Client, then double-click Configure DNS over HTTPS (DoH) name resolution.
● Select the Enabled option, then choose your preferred DoH setting.
● Finally, click on the OK button.
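The two DoH procedures above (the Settings app and the Group Policy route), done from PowerShell, as an added example that is not from the book. It registers a DoH-capable resolver with fallback to plain UDP disabled, which is the setting that stops a failing HTTPS resolver from silently downgrading the client to cleartext, and then audits every configured DNS server for that gap. The resolver address, its DoH template and the GPO name are placeholders of mine; the DoHPolicy registry value and its 1/2/3 meanings are how I understand the DNSClient policy template, so confirm them against the ADMX on your domain controller before relying on them.

```powershell
# Added example (not from the book): configure DoH on Windows Server 2022 from
# PowerShell instead of the Settings app, with fallback to plain UDP disabled,
# then enforce the same choice through Group Policy and audit the result.
# Resolver address, DoH template and GPO name are placeholders; 10.0.0.53
# stands for an internal DoH-capable resolver.

# Windows ships a list of well-known DoH resolvers it will auto-upgrade to
Get-DnsClientDohServerAddress |
    Select-Object ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade

$resolver = '10.0.0.53'                              # placeholder
$template = 'https://doh.corp.example.com/dns-query' # placeholder

# Register the resolver as DoH-capable. AutoUpgrade: a client that uses this
# address for DNS will talk DoH to it. AllowFallbackToUdp $false: if the HTTPS
# channel fails, do not quietly fall back to unencrypted port 53.
Add-DnsClientDohServerAddress -ServerAddress $resolver -DohTemplate $template `
    -AllowFallbackToUdp $false -AutoUpgrade $true

# Point the adapter at it (the "DNS settings" step in the Settings app)
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $resolver

# Group Policy equivalent of "Configure DNS over HTTPS (DoH) name resolution".
# DoHPolicy: 1 = Prohibit DoH, 2 = Allow DoH, 3 = Require DoH (assumed mapping;
# confirm against DNSClient.admx). Require is the value that actually prevents
# cleartext fallback fleet-wide.
Import-Module GroupPolicy
$gpoName = 'Corp-DNS-over-HTTPS'                     # placeholder
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'DoHPolicy' -Type DWord -Value 3 | Out-Null

function Get-DnsServerWithoutDoh {
    # Audit: every IPv4 DNS server configured on an interface that either has no
    # DoH template registered or still allows fallback to plain UDP.
    $doh = Get-DnsClientDohServerAddress
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($addr in $cfg.ServerAddresses) {
            $entry = $doh | Where-Object { $_.ServerAddress -eq $addr }
            $issue = $null
            if (-not $entry)                   { $issue = 'no DoH template registered' }
            elseif ($entry.AllowFallbackToUdp) { $issue = 'fallback to plain UDP allowed' }
            if ($issue) {
                [pscustomobject]@{ Interface = $cfg.InterfaceAlias; Server = $addr; Issue = $issue }
            }
        }
    }
}
Get-DnsServerWithoutDoh   # empty output means every configured server is DoH-only
```

The audit matters because DoH only protects the servers it knows a template for: a second DNS server on the same adapter without a registered template is still queried in cleartext, and the Settings app does not warn about that.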
INDEX
.
.NET, 23, 90
.NET Core applications, 23
A
Access Control List, 253
Accessing local resources, 203
Account Control (UAC) settings, 160
Activating Windows, 189
Active Directory, 22, 23, 36, 56, 82, 84, 95, 122, 124, 132, 133, 135, 136, 137, 142, 143, 145, 153, 161,
163, 169, 180, 181, 182, 183, 184, 185, 186, 187, 188, 204, 230, 231, 234, 235, 242, 243, 260, 264, 265,
266, 267, 270, 272, 284, 287, 288, 289, 290, 291, 292, 293, 294, 295, 297
Active Directory domain, 22, 122
Active Directory Domain, 23, 82, 84, 95, 132, 133, 135, 136, 142, 143, 235, 265
Active Directory Domain Services, 82, 84, 95, 132, 135, 136, 142, 143, 235, 265
Active Directory Server, 180
Active Directory., 56, 84, 124, 133, 161, 180, 181, 290, 293
AD CS, 284, 287, 289, 291
AD site Links, 185
AD sites, 184, 185
Adding groups, 126
ADDomain, 136
Admin Center, 19, 25, 26, 28, 189, 204
administration tools, 153
Administrative PowerShell Window, 215
Administrative Templates, 69, 167, 168, 273
Administrative Tools, 153, 154
administrator credentials., 41
Advanced Boot, 31, 32, 37
Advanced button, 179, 255
ADVANCED NETWORK TASKS, 242
Advanced Settings screen, 281
Allocation drop-down box, 108
allprofiles, 280
Antivirus, 61, 258
App & Browser Control, 258
Apps, 55, 120, 158, 193, 194
Apps radio button, 55
area networks, 87, 104
Assigned button, 166
Asymmetric cryptography, 285
Asynchronous replication, 110
Audit Account Logon Events, 165
Authenticated Users group, 163
Autoconfigured, 240
Automanage, 19, 27
Automatic, 37, 60, 69, 70, 157
Automatic updates, 69, 70
Automating Diagnostic Task, 200
Azpilicueta’s system, 123
Azure Arc, 19, 27
Azure cloud, 15, 21, 27
Azure Edition, 21, 27
Azure Extended Network, 21
Azure hybrid capabilities, 19
B
Background Intelligent Transfer Service, 90
Backing Up, 197
BASIC NETWORK TASKS, 235
BCDEdit, 77
Bitlocker, 91, 92
BitLocker, 18, 49, 85, 91, 92, 111, 160
blank space close, 165
Block section, 151
Boot Diagnostics, 29
BOOT DIAGNOSTICS, 29
boot loop mode, 29
boot tab, 158
boot.wim file, 56
boot.wim files, 57
bootcfg,exe, 77
bootrec, 30
BranchCache, 92, 93
BranchCache-enabled, 93
Browse button, 167
C
CA, 287, 289, 290, 291, 292, 293, 294, 295, 299
Cache, 40
Caesar Cipher, 285
CAPolicy.inf file, 291
Catalog server, 231
central management, 81, 146
Central processing unit, 45
central processing unit (CPU)., 36, 194
Centralized management, 26
Certificate Authority, 289, 291, 294
Certificate Authority Architecture, 289
Certificate Auto-Enrollment, 295
Change Adapter Options, 227, 235, 247
Changing the font, 209
Cipher Protocol, 275
Cipher Suites, 275
Clean Install, 50
Cluster management, 26
cmd, 214
CMPXCHG16b, 46
Code Integrity, 85
Color tab, 218
command line, 22, 23, 189, 190, 207, 210, 213
COMMAND LINE, 207
command parameter -ipk, 190
Comments, 221
Computer Information, 63
Computer Management console, 130
computer-specific GPOs, 161
Configuration, 23, 35, 48, 56, 57, 62, 63, 69, 77, 83, 95, 114, 136, 139, 141, 143, 146, 157, 164, 165, 166,
167, 168, 198, 235, 248, 254, 266, 267, 273, 302
CONFIGURATION TASKS, 58
Configure Server Discovery, 149
Configuring Startup, 77, 274
Configuring TCP/IP, 228
Containers, 93
continue button, 31
Control Panel, 117, 206, 270
Coreinfo, 47
CPU, 20, 36, 45, 46, 47, 82, 94, 147, 194, 195, 196, 272
CPU cores, 20
Creating users, 127, 186
Credential Guard, 271, 272, 273, 274
Credential Manager, 270
CRL, 286
Cryptography, 285, 292, 293, 294
CurrentControlSet, 177, 273, 274
Cursor colors, 210
Cursor Colors, 219
Cursor shape, 209
Cursor Shape, 219
Cursor Size, 216
Custom rule, 282
D
DANE, 297, 299, 300
Data, 37, 46, 87, 124, 149, 173, 174, 175, 196, 252, 259
Data Deduplication, 87
Data signatures, 37
database objects, 132
Datacenter, 20, 21, 27, 45, 51, 54, 87, 90, 106, 110
Debug, 78
Debugging Mode, 36
Default Domain Policy, 163, 302
Default Settings, 58
Default-First-Site-Link, 185
Defragment and Optimize Drives, 156
Desktop Experience, 22, 23, 44, 45, 47, 48, 51, 55, 58, 63, 69, 70, 72, 75, 93
Desktop Protocol (RDP), 24, 203, 242
Destination Server screen, 113, 140, 142, 196, 244, 265, 267, 294
Device Guard., 273
Device Health Attestation, 84
Device Manager, 96, 97, 98, 99, 100, 101
Device Security, 259
Devices, 97, 99, 100, 112, 118, 263
devmgmt.msc, 100
DHCP, 56, 59, 66, 92, 136, 139, 140, 141, 144, 145, 146, 147, 150, 151, 224, 229, 230, 231, 234, 235, 248
DHCP installed, 136
DHCP server, 139, 229
Diagnostics, 39, 82, 246, 247
dialog box, 64, 65, 66, 68, 73, 126, 127, 128, 129, 130, 138, 140, 142, 178, 179, 187, 190, 216, 236, 239,
240, 241, 255, 256, 274, 275
Dial-up, 228, 238
dial-up connection, 118, 237, 238
dial-up service, 238
Diffie-Hellman, 286
DIGITAL CERTIFICATES, 284
Directory Services Restore Mode (DSRM), 35
Disable Automatic Restart, 37
Disable Driver Signature Enforcement, 37
Disabled, 62, 73, 157, 179, 201
Discretionary Access Control, 253
Disk Cleanup, 154
disk drive, 156
disk management, 153
Disk Mirroring, 104
diskpart, 30
DNS, 18, 67, 85, 131, 136, 137, 138, 141, 143, 145, 146, 147, 150, 151, 224, 229, 230, 231, 232, 233, 234,
235, 240, 241, 297, 298, 299, 301, 302
DnsAdmins, 144
DNSKEY, 298
DNS-over-HTTPS, 19, 301, 302
DNSSEC, 297, 298, 299, 300
DockerHub, 24
Document Services, 88, 113
DoH, 19, 302
Domain Controller, 142, 143, 288
DOMAIN CONTROLLER, 132
Domain functional level, 135, 136
Domain local, 181
Domain Name System, 18, 85, 131, 136, 137, 138, 139, 146, 164, 229, 231, 232, 235, 247, 297, 301
Domain Name System (DNS) security, 18
Domain policies, 161
domain trust, 183
Domains, 133, 135, 163, 181, 183, 272
Drive Encryption, 85, 91
driver-query, 41
Driverquery, 41
Drivers, 101
drives, 97, 102, 104, 106, 112, 194, 203
DSRM, 35, 36
DSS. Asymmetric cryptography, 286
DVD, 29, 30, 48, 50, 263
DVD drive, 29, 48, 263
DVDs, 48
DWORDs, 274
Dynamic, 56, 136, 139, 146, 234, 235, 248
dynamic disk, 103
Dynamic Update screen, 139
E
Early -launch anti-malware (ELAM), 85
Early Launch Anti-Malware Driver, 38
ECDHE, 275
ECDSA, 275
Edge browser, 19
eDirectory, 182
Effective Permissions, 257, 260, 261, 262
Enable Boot Logging, 34
Enable Line Wrapping Selection, 217
Enable-PSRemoting, 76
Environmental Variables, 210, 220
Error Correcting Code (ECC), 47
Ethernet, 66, 68, 105, 106, 224, 227, 235, 302
Event Catalog, 151
Event Viewer, 151, 154, 247, 253
Execution Environment, 48, 56
ExpandableStringValue, 174
Exporting Registry elements, 172
Exporting Registry Elements, 171
Extensible Firmware Interface (UEFI), 49
External, 182
External Trust, 182
F
Fax Server, 85
fiber Channel, 105
fiber Channel., 106
File Explorer, 144, 190, 191, 263
Files and Folders, 255
Filters, 155
Finding Registry Elements, 173
Finish button, 129, 139, 142, 184, 245, 299
firewall, 24, 56, 63, 73, 74, 79, 120, 178, 227, 237, 248, 257, 258, 277, 278, 279, 280, 282
Firewall, 60, 74, 77, 248, 257, 258, 277, 278, 279, 280, 281, 282, 283
Firmware, 30, 49
firmware version 2.3.1.c, 272
flagship server operating system, 18
flash drives, 48, 112
Folder redirection, 86
Folder Redirection button, 167
folder security, 255
Folder Wizard, 128
Font tab, 218
Fonts, 116, 192
Forest functional level, 136
Forest trust, 182
Forests, 133, 182
FQDN, 286
Framework 5.1, 26
FTP services, 89
Full Control, 256
Functional Levels, 135
G
gateway addresses, 248
General tab, 191, 201, 283, 296
Get Forest button, 149
Get-ADForest, 136
Get-ChildItem Env, 220
Get-NetFirewallRule, 77
Global, 181, 231
gpedit,msc, 69
gpedit.msc, 161
GPO linked, 160, 164
GpoprefixName, 149
graphical representation, 96, 225
graphical user interface, 22, 63, 142, 189, 279
Group Policy, 22, 23, 112, 148, 155, 160, 161, 162, 163, 164, 165, 166, 167, 168, 254, 258, 272, 273, 290,
302
Group Policy design complex., 160
Group sharing, 124
Group Sharing, 124
GUI, 22, 63, 75, 142, 279
H
Hard Disk Drive, 102
Hard-drive, 102
Hard-Drive Related Tasks, 102
hardware, 15, 18, 32, 38, 41, 44, 82, 87, 96, 97, 101, 102, 154, 155, 170, 175, 195, 204, 206, 246
Hardware, 101, 272
Hardware Wizard, 101
hardware/firmware., 15
HardwareProfiles, 177
HDD, 102, 156
hive, 173, 175, 177, 178, 179
HKEY_CURRENT_CONFIG, 176, 177
HKEY_CURRENT_USER, 175, 176, 177
HKEY_LOCAL_MACHINE, 176, 177
HKEY_USERS, 175, 176, 177, 178
Host Guardian Hyper- V support, 21
Host Guardian Service, 87
Hotpatch, 19, 27
Hotpatching, 22
HTTPS, 19, 26, 252, 284, 299, 302
Hyper -V containers, 21
Hyper- V virtual machines, 21
hyperlink, 64, 65, 66, 70, 73, 189
HyperText, 284
Hyper-v, 87
Hyper-V, 21, 46, 87, 93, 106, 111
Hypervisor, 259
hypervisors, 21
I
IIS Extension, 94
Importing Registry elements, 171
Inbound rules, 282
INFRASTRUCTURE, 297
Insert Mode, 208, 216
Install button, 143, 148, 196, 244
install.wim, 56
Installation, 72, 113, 137, 138, 140, 142, 147, 165, 166, 168, 196, 243, 244, 265, 267, 269, 292, 294, 295
installed apps, 120
installing updates, 70, 71
interface card, 89
Internal, 95, 237, 266
INTERNET, 277
Internet Explorer Maintenance, 166, 168
Internet Information Services, 89
Internet Protocol, 67, 227, 229, 239, 240
Internet Protocol Version 4, 67, 229
IP address, 56, 58, 59, 66, 67, 83, 85, 114, 137, 139, 140, 141, 145, 228, 229, 230, 231, 232, 233, 235, 237,
239, 240, 241, 247, 248
IP Address, 59, 67, 141, 146, 148, 150, 151, 240, 241
IP ADDRESS MANAGEMENT, 146
IP addresses, 59, 67, 85, 137, 140, 145, 146, 150, 185, 229, 230, 232, 234, 237, 239, 248, 286, 297
IP settings, 239
IPAM, 146, 147, 148, 149, 150, 151
IPAMGpoProvisioning, 149
ISCSI, 87, 105, 106
ISCSI Target Server, 87
J
James' system, 123
K
Kerberos, 182, 271
kernel memory, 36
Keyboard, 30, 50, 115
Keyboard and mouse, 50
KVM, 49, 50
L
LAHF/SAHF, 46
Language, 115, 118, 192
Layout tab, 218
Legacy Console, 209
License Terms box, 52
Linux, 22, 147, 214
Loading and Unloading Hives, 177
Local Area Network (LAN)., 112
Local Security Policy, 155
Local Server, 64, 65, 66, 70, 73, 74, 81, 83, 125, 189
Locate settings, 112
Logging, 168, 282
Logical disk, 108
Low-Resolution Video, 35
M
Maintenance Tasks, 192
Malware, 38
Management, 26, 58, 62, 76, 77, 94, 95, 114, 127, 128, 130, 146, 148, 150, 156, 162, 163, 164, 165, 166,
167, 168, 169, 189, 199, 204, 254, 264, 266, 267, 272, 302
management server, 204
management tools, 25, 26, 82, 162
Managing disks, 200
Managing Network Connections, 239
Managing storage, 199
Managing Workgroups, 129
Manual, 157, 228
Memory, 38, 39, 98, 195
Memory Diagnostics Tool., 39
Memory Test, 38
Microsoft, 15, 18, 19, 21, 23, 24, 25, 26, 27, 29, 37, 38, 44, 47, 48, 57, 58, 60, 61, 63, 69, 70, 74, 77, 90,
117, 131, 132, 146, 147, 169, 214, 215, 246, 248, 251, 258, 264, 284
Microsoft Azure, 21, 264
Microsoft Deployment Toolkit, 57
Microsoft Server operating system systems, 18
MMC snap-ins., 25
mo data, 110
Modifying computer settings, 164
Modifying computer software settings, 165
Monitor, 49, 82, 99, 194, 195
motherboards, 49
Mounts’ system, 123
Mouse, 114
Moving data, 19
multinational corporation, 133
N
Nano, 21, 23, 24
Nano server, 21, 24
nanose, 24
Nested Page Table, 46
NetFirewallProfile, 279, 280
netsh, 247, 280
network, 19, 25, 33, 36, 44, 48, 56, 63, 66, 67, 79, 82, 84, 85, 86, 88, 89, 90, 91, 92, 93, 97, 104, 105, 110,
112, 118, 122, 123, 124, 125, 130, 131, 132, 133, 139, 140, 141, 142, 146, 147, 178, 184, 194, 195, 196,
224, 225, 226, 227, 228, 229, 232, 234, 235, 236, 238, 239, 241, 242, 244, 245, 246, 247, 248, 249, 258,
262, 277, 278, 282, 283, 285, 295, 297, 302
Network & Internet, 237, 238, 246, 247, 302
Network adapter, 48, 236
Network and Internet, 118, 227, 228, 235
NETWORK CONNECTION PROBLEMS, 246
Network Connection Tools, 226
Network controller, 21
Network Controller, 88
Network details, 225
Network ID, 139
network interface card, 33, 48, 56, 235, 246
Network Performance, 19
Network Properties, 235
Network Protection, 227, 257, 258, 279, 281
Network Registries, 178
NetworkTrafficAnalyzer, 249
New Package, 165, 166
New Share option, 128
New Zone option., 138, 139, 234
New Zone Wizard, 138, 139, 234
Next button, 30, 50, 53, 102, 108, 109, 113, 114, 128, 138, 139, 140, 141, 143, 144, 147, 148, 183, 184,
186, 189, 197, 198, 199, 243, 267, 293
non-transitive, 182
Non-transitive trust, 182
Northbound interface API, 88
NSCE, 298
NT LAN Manager (NTLM), 271
NTFS, 255, 256, 257, 260, 261, 262
NTUSER.DAT, 178
O
OCSP, 286
Offer immense support, 21
offline package, 90
one-time backup, 197
One-way trust, 182
OPERATING SYSTEM SECURITY, 269
operating system., 18, 20, 23, 24, 33, 34, 54, 56, 63, 87, 95, 170, 191, 271, 274
Optimizing performance, 203
organizational unit, 168, 180
Organizational Units, 133
OU policies, 161
OU. Systems, 160
Outbound Connections, 282
Out-File, 111
P
Pac file., 237
Password policies, 160
PC option, 145
Peer Name Resolution Protocol, 130
performing disk encryption, 49
Performing Printer-Related Tasks, 112
Personalization, 116, 118, 191
Personalization option, 116
PKI, 84, 284, 286, 289, 291
PNRP, 131
Policy certificate authorities, 290
Policy-based QoS, 166
PowerShell, 15, 22, 23, 24, 27, 62, 64, 70, 71, 72, 75, 76, 83, 88, 94, 100, 136, 204, 214, 215, 216, 217,
218, 219, 220, 221, 223, 245, 279, 280, 301
POWERSHELL, 214
PowerShell cmdlet, 215
PowerShell Remoting, 204
Preboot, 56
Pre-boot Execution Environment (PXE)., 48
preferred color, 218
PrefetchW, 46
Preinstallation Environment (WinPE)., 56
pre-Windows Vista, 77
Print Server role, 113, 114
Print Server Role, 113
Printer, 112, 114, 263
Printer Install Wizard, 112
Printers, 112, 263
Private, 60, 74, 225, 240, 278, 279, 280, 282, 292, 293, 294
private data stored, 124
Private-Enabled False, 279
product key, 63, 64, 120, 189, 190
Profile Domain, 279, 280
Profile Script, 219
Profile Settings, 281
Profile tab, 243
proper management, 146, 185
Protected Network Connections, 282
Protocols and Ports, 282, 283
Proxy, 228, 237
proxy connections, 118
public-key cryptography, 285, 297
Q
QUIC protocol, 19
Quick Edit Mode, 208, 217
R
radio button, 66, 102, 128, 148, 218, 234
Raid 5, 104
RAMS, 47
Random Access Memory, 47, 98
random-access memory (RAM)., 20, 45
randomstring, 59
Realm trust, 182
Recovery Drive screen, 206
regedit.exe, 171, 273
Registry, 35, 155, 156, 170, 171, 172, 173, 174, 175, 177, 178, 179, 273, 274
REGISTRY, 170
Registry editor, 155
Reliable Multicast Protocol, 241
Remote Access, 89
remote administration, 63, 72, 73, 76, 178
Remote Computers, 283
Remote Desktop, 24, 62, 72, 73, 202, 203, 206, 242, 243
Remote Registry Service, 178
Remote Server Administration, 153, 158, 163, 203
Remote Server Administration Tools, 153, 158, 163, 203
remote servers, 24, 25
Remote Users, 283
RemoteAPPs, 242
Restart Now, 31, 66, 126
Restart option, 32
Resultant Set of Policy, 168, 169
Reverse Lookup Zone, 139
Reverse Lookup Zones, 139
Roaming User Profiles, 86
Root certificate authorities, 290
root domain name, 143
RSAT, 158, 159, 163, 204, 243
RSoP, 168, 169
RSoP queries, 169
RSoP snap-in, 169
S
Safe Mode, 32, 33, 34, 35
Scale-Out-File Server, 111
scheduled backup, 197, 198
sconfig, 23, 58, 70, 71
Screen Buffer Size, 218
SCSI block data, 105
Search tabs, 191
Secured-core server, 18
Security Accounts Manager (SAM)., 272
security auditing policy, 155
Security descriptors, 253
security settings, 163, 164, 261
Security settings, 166, 254
server, 15, 18, 19, 20, 22, 24, 25, 26, 28, 29, 31, 36, 38, 40, 42, 44, 45, 46, 47, 48, 49, 50, 54, 55, 56, 58, 59,
60, 61, 62, 63, 64, 65, 66, 68, 69, 70, 72, 74, 76, 77, 81, 82, 83, 84, 85, 86, 87, 88, 89, 92, 93, 94, 95, 96,
97, 100, 102, 103, 104, 106, 109, 111, 112, 113, 114, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125,
126, 130, 131, 132, 134, 135, 136, 137, 138, 139, 140, 141, 142, 148, 149, 150, 151, 153, 154, 155, 157,
158, 159, 162, 167, 171, 179, 180, 189, 192, 193, 194, 196, 197, 198, 200, 202, 203, 204, 205, 206, 212,
224, 228, 229, 231, 232, 233, 234, 235, 236, 239, 242, 243, 244, 246, 248, 251, 253, 254, 255, 259, 260,
261, 265, 266, 269, 272, 275, 277, 284, 288, 292, 296, 298, 299, 300, 302
Server Core, 22, 23, 34, 44, 45, 47, 48, 58, 70, 71, 75, 77
Server Core Experience, 22
Server Features, 90
server manager, 64, 72, 113, 171, 204, 243, 244, 254
Server manager, 130
Server Manager, 24, 25, 58, 65, 66, 70, 72, 73, 74, 76, 81, 82, 83, 86, 88, 107, 114, 125, 127, 128, 137, 138,
140, 141, 142, 143, 147, 148, 149, 153, 159, 162, 172, 173, 178, 179, 183, 185, 186, 187, 189, 196, 197,
198, 199, 200, 201, 204, 205, 231, 234, 243, 244, 247, 265, 267, 272, 292, 294, 295, 298, 302
SERVER MANAGER, 153
Server Message Block (SMB), 15, 19
Server2022-DC, 159
Services, 35, 81, 83, 84, 86, 88, 95, 107, 113, 142, 156, 169, 179, 185, 199, 200, 242, 243, 244, 247, 260,
264, 265, 266, 267, 283, 284, 287, 289, 291, 292, 294, 295
Setting display configuration, 203
Setting file, 255
SETTING GROUP POLICY, 160
Setting Registry Security, 179
settings icon, 31, 167, 274
Settings menu, 114, 115, 116, 117, 238, 279, 281
SETTINGS MENU, 117
Settings Menu Items, 117
Server Groups, 151
SHA256, 276, 292, 293, 294
Share Permission, 256
Shared folders permission, 261
Sharing and discovery, 226
Sharing Resources, 263
Shielded support for VM, 22
Shortcut trust, 182
Site policies, 161
SMB encryption, 19
SMB over QUIC, 22
SMB security, 19
SMRemoting, 76
software, 21, 32, 34, 38, 85, 87, 101, 106, 154, 165, 166, 195, 197, 230, 246, 252, 257, 259, 278
Software, 21, 165, 166, 168, 176
Software settings, 166
Software-defined networking, 21
SolarWinds, 249
SolarWinds ipMonitor, 249
Solid State Disk, 103
Sound, 115
Spanned, 104
SSD, 103, 156
Standard, 20, 39, 45, 51, 54, 55, 87, 91, 110, 158, 189, 194
Start menu, 31, 102, 117, 130, 153, 159, 171, 192, 194, 206, 207, 237, 238, 247
Start menu option, 117
Start Performance Counters, 204
Starter GPO, 164
Starting Registry Editor, 171
Startup settings, 32
static IP address, 59, 66, 137
Status, 149, 226, 228, 236, 246, 247, 286
Status page, 226, 246, 247
Storage, 19, 21, 47, 81, 83, 86, 104, 106, 107, 109, 110, 111, 199, 200, 263, 268
Storage improvements, 19
Storage Migration Service, 19
Storage Replica, 21, 109, 110
Storage Services role, 82, 86
Storage Spaces Direct, 21
Storage Spaces Direct, 19, 20, 106, 109
straightforward task, 183
Subdomain, 232
Subnets, 185
Supports Data Execution Prevention, 46
Supports No Execute (NX), 46
Synchronous replication, 110
System, 30, 37, 41, 47, 48, 49, 63, 66, 82, 109, 119, 126, 154, 157, 176, 198, 202, 206, 207, 218, 220, 247,
253, 254, 255, 260, 261, 273, 274
system administration, 15
system administrator, 15, 25, 27, 31, 36, 84, 89, 98, 117, 124, 170, 172, 189, 194, 214, 215
System Center Virtual Machine Manager, 87
System Failure, 37
System Image Recovery, 30
System Information, 82
system’s registry, 156
T
tabs, 100, 157, 190, 191, 195, 216, 218, 236, 254, 260, 281, 282, 283
Task Manager, 42, 194, 195, 196
Task scheduler, 200
Task Scheduler, 156, 158, 200, 201
taskbar, 118, 196
TCP/IPv6 protocol addresses, 185
Terminal colors, 209
Terminal Colors, 219
Terminal Colors section, 219
Terminal Scrolling, 210, 219
Test Mix, 39
Test-NetConnection, 245
Test-NetConnection cmdlet, 245
Text Colors, 209
Text Selection, 217
Third-Party Boot Utilities, 42
Ticket Granting Tickets (TGT), 271
time zone, 62, 63, 65, 119
Time Zone, 65
TOOLS MENU, 153
top-level object, 133
TPM, 18, 49, 91, 92, 111, 259, 272
traceroute, 245
Transitive trust, 182
Transmission Control Protocol (TCP), 19
Transport Layer Security (TLS), 19, 275
Trivial File Transfer Protocol (TFTP), 56
Troubleshoot, 30, 31, 226
Troubleshoot button, 31
troubleshooting, 29, 30, 33, 36, 38, 40, 77, 88, 97, 115, 120, 147, 151, 153, 154, 155, 168, 230, 245, 246,
249
Trusted Platform Module, 18, 49, 91
Trusted Platform Modules, 111
Two-way trust, 181
U
UAC, 160, 192, 193, 269, 270
UEFI firmware, 272
UEFI lock, 272, 273, 274
UEFI-based firmware, 49
Understanding Domains, 132
Understanding the Hives, 175
Unified Extensible Firmware (UEFI), 30
Uninstall Device, 101
Universal, 181
UnixDirectory, 182
Update and Security, 31, 120
Updates link, 55
Upgrading Windows, 53
URL, 26, 300
USB flash drive, 29, 30
user account applet, 129
User Account applet, 129, 130
User Account Control, 160, 192, 269, 270
User Account Control (UAC), 160, 192, 269
User Account window, 129
User certificates, 287
User rights assignments, 160
User Logging mode, 168
V
virtual machine, 21
Virtual Machine, 87
virtual private network, 118
Virtualization, 273
Virus & Threat Protection, 258
Volume, 109
VPN, 85, 89, 228, 238, 239, 296
W
WAN, 92, 203, 224
WDS, 56, 89
Web Application Proxy, 89
Web Services, 89, 214
website, 26, 29, 47, 102, 120, 268
Wi-Fi connections, 118
Wim files, 89
Window Position, 218
Window Size, 218
Windows 10 client system, 159
Windows Admin Center, 19, 25, 26, 204, 205, 206
Windows containers, 21
Windows Deployment Services, 44, 48, 56, 89
Windows Firewall, 74, 77, 227, 247, 248, 258, 277, 278, 282
Windows Internal Database, 95, 266
Windows Internet, 229
Windows Management Instrumentation, 62, 168
Windows OS, 120
Windows PowerShell, 25, 83, 86, 94, 102, 149, 171, 215, 216, 217, 219, 220, 221, 231, 266, 301
Windows Recovery Drive, 206
Windows Search Service, 94
Windows Security, 257, 279, 281
Windows Server, 15, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 33, 38, 44, 45, 46, 47, 48, 49, 50, 51, 53, 54,
55, 56, 57, 58, 59, 62, 63, 68, 69, 70, 71, 72, 75, 76, 77, 83, 84, 87, 88, 90, 91, 92, 93, 94, 95, 96, 106,
109, 110, 116, 171, 190, 191, 194, 196, 197, 198, 199, 201, 202, 204, 207, 209, 213, 215, 235, 242, 251,
269, 270, 271, 273, 274, 275, 277, 284, 302
Windows Server 2016, 54, 84, 87, 88, 93, 94, 106, 273
Windows Server 2019, 54, 94
Windows Server 2022, 15, 18, 19, 20, 21, 22, 24, 25, 27, 29, 38, 44, 45, 46, 47, 48, 49, 50, 51, 53, 54, 55,
56, 58, 59, 62, 63, 68, 69, 70, 71, 72, 75, 76, 83, 90, 91, 93, 94, 106, 110, 171, 191, 194, 196, 197, 199,
201, 207, 209, 215, 235, 242, 251, 270, 274, 275, 277, 284, 302
WINDOWS SERVER 2022, 17, 18, 80, 152, 224, 225, 250, 251
Windows Server 2022 Datacenter, 21, 51
Windows Server 2022, 15, 19, 24, 50, 53, 54, 76, 83, 90, 171, 199, 201, 207, 235, 274, 275
Windows settings, 166, 254
Windows Settings, 165, 166
Windows system, 34, 42, 95, 214
WindowsFeature, 76
WinRM, 76, 77, 94
winrm quickconfig, 76
Winrm quickconfig, 76
WINS Secerns screen, 141
Wireless LAN Service, 93
Wireshark, 249
Wizard screen, 139, 142, 234, 300
Work Folders, 86
WORKGROUP, 59, 60, 122, 125, 126
WORKGROUPS, 122
WoW64 Support, 93
Wrapping Things Up, 145
X
XPS Viewer, 93
Z
Zone Name screen, 138, 139, 234