Windows Server 2012 R2 Administration for Beginners

Captions
So our first step will be setting up our environment for learning Windows Server. We're gonna be setting it up on a virtual machine. A virtual machine is a separate operating system that runs independently but side-by-side with your host operating system. It uses your computer's hardware, but any changes made within a virtual machine will not affect your host operating system. To do this, we're going to use a software called VMware Workstation. Now, there is a paid version of VMware Workstation, but we're going to be using the free trial in order to set this up. There are other software packages out there that allow you to do the same thing, like VirtualBox, but we're going to be using VMware Workstation. You can access VMware Workstation by going to vmware.com/products/workstation. We're gonna select Try for Free, and I'm running Windows 64-bit, and so I'm going to hit Download. Once the download is complete, we'll open up the installer and we'll simply follow the prompts. The default should be fine for most installations. Once the installation is finished, we'll click Finish and we'll open up VMware Workstation.

Before we create our virtual machine and install Windows Server, we need to obtain the installation media for Windows Server 2012. Normally when you install Windows or Windows Server you can use a bootable CD/DVD or USB drive. For our purposes, we're installing on a virtual machine, so we'll require a special file called an ISO file that will allow us to install Windows Server 2012 as if we were using an installation disk. To get this file, we're going to obtain an evaluation copy of Windows Server 2012. To do that, we're gonna head over to the Microsoft TechNet Evaluation Center. You can reach this at microsoft.com/en-us/evalcenter. Click the Evaluate Now button and select Windows Server 2012 R2, or Release 2. In order to download our evaluation copy of Windows Server 2012, we need to have a Microsoft account, so I'll go ahead and sign in, and once I've signed in with my Microsoft
account, I'll select the type of file I want to download. We need an ISO file. We will hit Register & Continue and we'll fill in the information. Some of this information is not necessary; for instance, I can select Other for my role in my company organization. We're just using this as an evaluation. We do not need the System Center components, and if you'd like to sign up for TechNet's communication emails, you can check the box for Subscribe. We'll go ahead and click Continue and our download will begin. This is a larger file, about four to 4.2 gigabytes, so it may take a little while to download. Feel free to pause the video if you're following along, and we'll pick back up as soon as the download is finished.

Now that our download has completed, I've gone ahead and moved the file to my desktop. Let's open back up VMware Workstation and we'll click Create a New Virtual Machine. We're going to use the typical configuration, and we'll select Installer disc image file and we'll select our Windows Server ISO that we downloaded. We have the option of changing our virtual machine name and selecting a location for the files for the virtual machine. Now keep in mind that you'll need enough storage space to handle approximately 60 gigabytes, which is the default here. We can change the maximum hard disk size; if you don't have enough space for the 60 gigabytes you can turn this down, but it is recommended that you stay above 40 gigabytes. I'm gonna leave it at the default. Before we start, we'll uncheck "Power on virtual machine after creation" and click Finish. Now our virtual machine is set up and it's ready to install Windows Server.

All right, we've set up our virtual machine and we've installed our ISO into the virtual CD drive of our virtual machine, and now we're ready to power on and install Windows Server 2012. So go ahead and select your VM that you made and click Power on this virtual machine. You'll see on screen, just like you would in front of a physical machine, that the installer will begin
very similar to installing Windows or any other operating system. We'll select our language and keyboard and then click Install Now. Now, there are several different versions of Windows Server; in fact, there are four: Foundation, Essentials, Standard and Datacenter. With this evaluation that we've downloaded, we have a choice between Standard and Datacenter. For this tutorial we're going to stick with the Standard evaluation. Now, when you select the operating system edition, make sure you select the one that has the option Server with a GUI, or graphical user interface. You'll be presented with the license terms for Windows Server 2012. We'll accept those and click Next. We're not doing an upgrade, obviously, so we're going to install Windows only, and you'll see that we have one virtual hard drive available to us. We'll go ahead and click Next. Windows will begin copying Windows files, getting those files ready for installation, and finishing up the remainder of updating and setting up the system. This process may take 5 to 15 minutes depending on the speed of your computer, so we'll skip ahead to the end of the installation. Once the installation has finished, the computer will automatically restart. If you were installing this on a physical machine, it would also restart. Installation will continue after this reboot. Once the computer has restarted, you'll be prompted to set up the built-in administrator account. I'll type in a password and click Finish.

Now that Windows has been successfully installed and I've set up my built-in administrator account, I'll press Ctrl Alt Delete to sign in. In VMware Workstation, Control Delete won't work, so you'll press Ctrl Alt Insert; on a physical machine you would press Ctrl Delete. I'll type in my password that I set up for my account and I'll be signed in. The Server Manager window will open, giving me an overview of my server. From here, we've successfully installed Windows Server onto a virtual machine, and from here we can begin to set up our environment.

Now
that we have a working Windows Server 2012 installation, our next step is to create a Windows domain. Well, what is a Windows domain? A Windows domain is a computer network where user accounts, computers and resources, and the security for all those things, are stored and defined on one or more servers that are called domain controllers. Users and computers on the domain are authenticated through the domain controllers, and the permissions to the resources are based on user accounts and the groups that contain user accounts. So with that information in mind, it's time to set up our Windows server as a domain controller and create our first domain.

For the remainder of this course I'm going to be using VMware Workstation in full-screen mode. At the very top of the window you can see the Enter full screen mode button. To exit full-screen mode, simply move your cursor to the top and click the full screen mode button again. This will help us to be able to see what we're doing inside the window.

When we first start up Windows Server and log in, we should see the Server Manager utility. The Server Manager utility allows us to get an overview of the different roles and configurations that we've set up for our local server, as well as servers that we've added to any groups within the domain once we've created it. If you don't see the Server Manager window when you first log into Windows, you can access it through the Quick Launch toolbar or through the Start menu. There are some preliminary steps that we need to set up in order to make our domain controller active and working properly. We can go up to Configure this local server to set some of these options. First, we need to give our server a name. In the top left-hand corner you can see that I've already set a name for my server. If I click the name, I can change it; it'll open the System Properties menu. I can click Change, and from here I can change my server's name. Once I click OK and confirm my changes, I'll need to restart the server in order to
save the change. We'll also want to make sure that Windows updates are turned on. The Windows Update settings, when you click them, will show you what your current settings are. I've already turned mine on, and it's always a good idea to keep your server up to date with the latest patches. This prevents any vulnerabilities or any bugs from occurring that would impact user experience. We'll also want to make sure that our time zone and our time are set correctly. I prefer setting up an internet time server so that Windows can sync with an external source. There are some built-in options for time servers which you can use, or you can use one of your own if you're familiar with the protocol. I also want to make sure that my time zone is set correctly. There are some other options on the left-hand side that we'll want to configure as well. The defaults for Windows Firewall, Remote Management and Remote Desktop will be fine for now. NIC Teaming is an option that allows you to combine different physical network interfaces to one IP address. We'll skip that for now since that's a more advanced feature.

We do need to configure a static IP address for this server. Since it's going to be a domain controller, its IP address must not change; if it does, that could cause some problems in the future. So let's go ahead and configure a static IP address now. When we click our current configuration within Server Manager, we will be presented with a list of our current Ethernet adapters. This server only has one, since that's what we configured as a typical configuration in VMware. If I right-click this and click Status and then Details, it'll show you the current IP address and IP settings that have been given by the DHCP server built into VMware. We need to change this so that this information is static and will not change. So I'm going to make a quick note of my IP address, my gateway, as well as the DNS server. Now I'll go into Properties, open up IP Protocol Version 4, and instead of Obtain IP address
automatically, I'll use the following IP address and enter that information I took from before. Once I've entered my settings, you can click OK. Now we've prepared our server with the basic settings that will allow it to become a domain controller.

Let's go back to the dashboard on the Server Manager and click Add roles and features to add the Active Directory Domain Services role. The Add Roles and Features Wizard will appear and we can click Next. The Active Directory Domain Services role is a role-based and feature-based installation, so that default setting is perfect. If we have multiple servers in our pool, which right now we only have one, we can select it and install roles to different servers, but we're going to install this one locally. We'll select Active Directory Domain Services and then click Next. We should also install Group Policy Management, as that will help us in some of the later lectures in this course. Then we'll click Install. Once the roles have been installed, we'll be prompted to perform any additional steps that are necessary in activating that role's features. In this example, we're setting up a domain controller and we need to take advantage of the Active Directory Domain Services, so this server needs to be promoted to a domain controller.

The Active Directory Domain Services Configuration Wizard will open. We'll first be prompted to select a deployment operation. You'll see three options: you can add a domain controller to an existing domain, add a new domain to an existing forest, or add a new forest. This is a new term, forest. What is it? A forest is simply a group of domains. If you remember from the beginning of this lecture, a domain is a computer network where the domain controller houses all of the user, computer and resource information in a local directory. A forest is simply a group of domains where there are separate groups of domain controllers and all of that information is controlled on an individual per-domain basis, but all belong to the same forest. We
don't have a forest yet, so we need to create a new one. We'll be prompted to enter a root domain name. Now, when you hear the word domain name, you may be thinking of something like google.com or yahoo.com. In a Windows domain context, domain name doesn't refer to an Internet domain name but rather a record that all the computers and all of the user accounts use to look up resources within the domain. I could enter something like google.com as my root domain name; however, anytime somebody within the domain tried to access something with the domain name google.com, the computer would think that that is a resource within the domain. I can't use something that's on the Internet because then my users would not be able to access that Internet web address. Instead, we should use a domain name that doesn't exist on the Internet and isn't used anywhere else within our domain as a web resource or any other type of resource. A good practice is always using something that does not exist on the Internet, and the best practice is to use something that ends in .local, because .local addresses cannot exist on a public domain name space. So I'm going to use the domain name test.local.

Next we'll set our forest and domain functional levels. The functional level of a forest or a domain is simply a set of features that is allowed on that domain as a whole. This is mainly controlled by what versions of Windows Server are active domain controllers within your domain. For example, if all of my servers within a domain were Windows Server 2012 R2, then I could easily set my forest and domain functional level to Windows Server 2012 R2. There are additional considerations to make if you're using older versions of Windows Server; your forest or domain functional level may need to be set lower. Since this is the only domain controller in our domain, the default works just fine. We're also asked to specify this domain controller's capabilities. We want this domain controller to be a DNS server. We'll describe
more about DNS servers later, but basically it's simply a record of all the computers and devices within the domain network and their IP addresses that are associated with them. A global catalog is simply a record of all of the resources that exist on the domain controller and are advertised to all the users and computers based on their permissions. The primary domain controller that we're setting up now has to be a global catalog because it's the first domain controller. You'll also see that the read-only domain controller is grayed out and you cannot enable it. This is because the first primary domain controller is being set up and needs to be writable. Later, you could set up a domain controller that is read-only for special purposes. Lastly, we need to set up a Directory Services Restore Mode password. DSRM is a tool that's used to recover directory services and directory information in case of a disaster, so we'll set up a password for that now. Make sure you note this down in case you ever need it in the future.

When you first set up a primary domain controller in a basic domain, you'll be warned that delegation for the DNS server cannot be created because of an authoritative parent zone not being able to be found. This is normal and it can be ignored. Next we'll be asked to set the NetBIOS domain name. NetBIOS is simply the first part of the root domain name that we set. We want this to be the same, so the default is perfect. Next we'll be asked to specify the location of the AD DS database, or the Active Directory Domain Services database, the log files and the SYSVOL folder. The defaults for these folders are fine, but in more advanced lessons you can learn to modify the locations of these to suit your purposes. We'll leave them by default for now. We're then given an option to review all of our selections and to make sure that everything looks correct. When we click Next, Windows Server will begin checking to make sure that all of the prerequisites for becoming a domain controller
are met. It will give you warnings in case anything needs to be brought to attention. The first item is a warning about security. There is a setting in Windows 2012 domain controllers, by default, that is turned on that allows compatibility in cryptography with older Windows Server systems. This is a potential security risk because older cryptography algorithms are sometimes weaker and subject to vulnerability. We'll ignore this for now, but it is a good thing to read up on the different vulnerabilities that might exist when you're warned about them. We'll also see that the warning we got earlier about DNS server is showing up as well. As before, this warning can be ignored. We'll see that all of our prerequisite checks have been completed and they have all passed successfully. We're ready to upgrade this server and promote it to a domain controller. Once the server has successfully installed Active Directory Domain Services and upgraded to a domain controller, we'll be warned that we're about to be signed out and the computer will restart.

Once our server has restarted, it is now a primary domain controller on the test domain. We can now log in as our administrator account and the Server Manager window will open. From here we can configure our domain services and add other roles and features onto our domain controller. At the very bottom of your Server Manager you'll see that AD DS has been installed, as well as DNS and File and Storage Services. In the next few lectures you'll learn how to configure these services as well as add others.

So now that our server is now a domain controller and we've installed Active Directory Domain Services, we now have to configure Active Directory. Well, what is Active Directory? It is the foundation of the Windows domain. It's essentially a catalog of all the registered objects in the domain, and it provides authentication services and security principles that allow those users and computers to access the resources that they've been granted permissions to. So we're
going to start with a real-world scenario. We're going to provide some realistic examples of how Active Directory might be set up, and we're gonna go through and actually configure it as if we were starting fresh for a real business. So we're going to be working with the imaginary Carmack's dealership. It has one headquarter location and two sales locations. The headquarters has an administrative department, accounting and HR, and then the two locations have sales staff, mechanic staff and management. So we're going to go into Active Directory, set up these different objects and go from there.

So back on our server with the Server Manager window open, we'll go up into the top right-hand corner to Tools, then we'll click Active Directory Users and Computers to open that snap-in. On the left-hand side of ADUC, or Active Directory Users and Computers, you'll see our test.local domain. If we expand that, we'll see some of the built-in OUs, or organizational units, that come by default. Now, when we're structuring Active Directory, my rule of thumb is always to start with the biggest organizational unit I can think of and then work my way smaller. So with our example business, we want to start with the biggest division or biggest organizational structure unit that we can think of and then work smaller. So for our business we'll start with our three locations. We've got a headquarters and two sales locations. So with our domain selected, we'll right-click in the middle of the screen, then click New, Organizational Unit, and we'll give it a name, for instance Headquarters, and we'll repeat that step for the other two locations. Now, before I click New, I have the Headquarters OU selected, so right now I'm creating new objects within the OU. If I want to create a new OU inside the root domain, I'll have to click that first. So I'll create two more organizational units, and we'll call our two sales locations Carmack's East and Carmack's West. From here, following our rule, we'll go to the next largest
group of objects that we're gonna put into Active Directory. Personally, I like to take each OU and separate them into users and computers, since that's going to be the most common object in our Active Directory structure. So for each location, I'm going to select it and create a new OU for computers. Make sure you name each one individually so when you're looking at it on an individual basis you know which one it is. So with this structure, I can put my users into Headquarters and the computers at headquarters into the Computers - Headquarters OU. I'll repeat this for the next two organizational units. So now I have three OUs, our headquarters location and our two sales locations, and a sub-OU for each one for the computers at that location. I'll put the users and the user groups in each location.

So starting with headquarters, we want to create our next smallest item. Now here's where we can set up our departments for each location. Now, when we're talking about departments or small groups of users like that, we need to consider what kind of things those people are going to need to access. When we're talking about security principles like that, whether it's accessing a file share or access to a printer, we want to base that on a user basis and a group basis. Commonly in businesses, accounting and administrative people have access to different sets of resources. So in our headquarters location we're going to set up a user group for each of our departments. With our headquarters group selected, we'll right-click and then create a new group... oops, New, Group. We'll give the group a name, we'll make sure that the Security group type is enabled, and we'll make sure that it is a Global group, then click OK. We'll repeat this step for the other two departments that we have at our headquarters location, accounting and HR. So now our headquarters location has a place for computers, a place for users, and separate groups of users that correspond to the different departments at that location. Now we
also need to create our departments for our sales locations. Now keep in mind, within a domain you can't have two groups with the same name, even if they're in different organizational units. So it's best practice, like with our computers group that we have, or the computers OU under each location, to also append an individual or unique name to a group if it's specific to this OU. So we'll do Sales at CM East, make sure that it's a security group and a global group, and we'll repeat that for the other two. So now I have three user groups at that sales location, and since none of them have just the management, mechanics or sales name, I can create the other three groups with CM West so there's no conflicts.

So now we have our basic Active Directory structure created. The only thing that we're missing is some users. So we'll put in some dummy users, and you can use whatever user names that you'd like, or whatever names you'd like, as long as you remember to create one user that you'll want to use when you log in under an Active Directory account. So in Headquarters I'm going to create one user: New, User, give them a name and create a user name, or a user logon name. It's best to always have a naming convention for both computers, users and, as we've created, OUs and groups. I like to use first initial last name, but you can use whatever you want. We'll set a password for our user, and since we have the "User must change password at next logon", when this user first logs on with the password that you set, they'll be prompted to create a new one.

Now, our John Jones user that we've created is a member of the administrative department, so we need to add him to that group. We'll right-click, select Add to group, and the Select Groups window will open. Whenever we see this window, all we're doing is we're selecting the name of the object that we want to add to. We selected John Jones and we clicked Add to group, so right now we're looking for groups within the test.local domain that we want to add John
Jones, or whichever users we've selected, to. So we're gonna enter Administrative and we're gonna click Check Names. Looks like it found the group because it underlined it, and we'll click OK. The Add to Group operation is completed, and if we open our Administrative group by right-clicking and hitting Properties, we can go to Members to see that John Jones has been added. The purpose of groups, of course, is to give permissions to a group of users without having to go into each individual user and modifying their permissions. If I gave the Administrative group access to a resource, John Jones gets access because he is a member of Administrative.

Now let's practice adding one more user to a group, but this time let's do it at one of the sales locations. So remember, we're putting our users in the root OU of the location. We'll right-click, go to New and then select New User. We'll give the user a name, and following our naming convention we'll give them a user name. We'll set a password and click Next. Now we'll add Mike Jones to the mechanics group of CM East. So we'll right-click Mike Jones, Add to group, and this time we'll just search mechanics, click Check Names, and you'll see that there are multiple matches, because remember, we have a mechanics group at CM East and CM West. Well, Mike is a mechanic at CM East, so we'll select the CM East mechanics group. We'll select OK, the operation completed, and we can go into mechanics to check to make sure that he is properly added.

There's another way to add users to a group, and that's by going through the group itself. Let's say Mike Jones is also a member of the sales department. So we'll right-click the sales department, click Properties, click Members and then click Add. This window looks familiar. Instead of searching for groups, we're searching for users in the test.local domain. Which user do we want to add? We want to add Mike Jones. Now, we can search by his name or his user name. I know his name, so I'll type in Mike, Check Names, and it looks like it
found our Mike Jones. We'll click OK and then we'll click Apply. That's the other way of adding a user to a group.

Next we'll go over moving, disabling and deleting Active Directory users and other objects. So let's work with our Mike Jones user. Let's say that Mike Jones got moved to headquarters because he got promoted. We're gonna move him by right-clicking his user account, clicking Move, and then selecting the container that we want to move him to. We're gonna move him into the Headquarters OU. So you'll see that Mike's account is gone from the CM East OU and has been moved to the Headquarters OU. Now, when we move user accounts or groups, they still retain their group membership. So if we go into Mike Jones's account, even though we've moved him to a new OU, he is still a member of mechanics and sales at CM East. So we need to remove him from these groups now that he is at the Headquarters OU. We're gonna select CM East, and we can hold down the Shift or Control key to select the two groups. We can select Remove and click Yes to remove them from those groups.

With user accounts we also have the ability to disable them. This has multiple uses in the real world, but for example, let's say Mike goes on an extended vacation. We need to disable his account for security reasons while he's away. We can right-click his account, then click Disable, and it will confirm that we've disabled the account. On the left-hand side we can see that his account has a downward-facing arrow, indicating that his account has been disabled. When an account is disabled, that user will not be able to access any resources, and if they're connected to the domain network they will not be able to log in. We can enable Mike's account by right-clicking, then clicking Enable where the Disable button used to be. When you need to delete a user or a group or any other Active Directory object, you can simply right-click the object, then click Delete. It will confirm your selection and the object will be deleted. Lastly,
we'll go over several more options we have with modifying users and several of the actions that we can take with their accounts. If we look at our John Jones user, we can right-click and we get several options we haven't gone over yet. For instance, we can Copy, which copies John Jones's account and all of its settings into a new account, allowing you to rename that new account and model a new user after John Jones. We can reset John's password, enabling him to change it again after he logs on the next time. If we go into the Properties page of a user, we have several tabs where we can edit the user's information, like address, account settings, profile options, as well as a variety of other settings. The most commonly used tab in the user account Properties page is the Account tab. Here we can change the user's user name, or user logon name, we can unlock or lock the account, and we can make some changes to the account options. We can also set an expiration on the user account if it's a temporary account. Here we can also set logon hours when the user is permitted to log on. In the next lecture we'll be going over DNS. I hope to see you there.

In this lecture we're going to be going over Group Policy. Group Policy is a tool that allows you to create and deploy policies and settings for the users and computers within your domain. Now, I'm not going to be able to cover the entirety of Group Policy and all that you can do with it in this lecture, and the reason for that is because there are literally thousands of potential policies that you could push out. Instead, what we'll do is we'll use some common examples and ones that would fit within the context of our imaginary business that we're setting up. So first we need to make sure that Group Policy Management is installed, and if you remember, back when we installed AD Domain Services we checked the box for Group Policy Management so that we wouldn't have to do it around here at this time, but we can still make sure it's installed if we
go to Add roles and features within the Server Manager. And Group Policy is a feature, so we'll skip ahead down to the Features section and we'll see the Group Policy Management is already installed, and if it wasn't, we could go ahead and check the box, hit Next and install that. And to open Group Policy Management, we'll go to the top right-hand corner to Tools and we'll click Group Policy Management and the snap-in will open. In the top left-hand corner you'll see our forest, test.local, and then you'll see Domains, and then you'll see our domain that we've created, test.local.

Now, when we talk about Group Policy in terms of structure, we need to realize that everything that you do in Group Policy is OU-based, a lot like Active Directory. So you'll see our Active Directory OUs on the left-hand side: CM East, West, Domain Controllers, Headquarters. And the first thing that we need to talk about when we're creating policies that we're gonna apply is that when we create a policy, we're not only working within the context of which users or computers am I going to apply this policy to, we also need to pay attention as to where we are linking those policies, as to the OUs that they're placed in. When we create a policy, let's say we create a policy in the Headquarters OU, regardless of what users or computers that we apply the policy to, they must be within the Headquarters OU in Active Directory in order for that policy to apply. If I created a policy in Headquarters and applied it to a user that was in CM West, that policy would not apply. I have to make sure that when I create a policy in the Headquarters OU, or any other OU, I'm applying that to users and computers that I want to be applied that are in the Headquarters OU. So pay attention to the structure when you're setting up domain or group policies, and always keep in mind that when you place it in an OU, you're only applying that to the users and computers that you set that exist within that OU. So in
the top you'll see a Default Domain group policy object. This one comes built in when you install Group Policy Management, and if we go into the settings we can see some of the settings that exist within this particular policy. By default it sets a password policy, an account lockout policy, a Kerberos policy, security, encrypting file systems. We're not going to go over every single one of these, but the most common that we're gonna set up is these top two, the password policy and the account lockout policy. The password policy, that is simply a policy that applies to the characteristics of a user's password: when do they need to reset their password, does the password need to be a certain length or have a certain amount of complexity, how many passwords can they reuse, or can they reuse any. So that's a policy that we would set up for the entire domain. In most cases we also want to set an account lockout policy. Basically, when a person enters an incorrect password a certain number of times, they'll get locked out of their account. That is where we set that setting.

So with this Default Domain Policy, we're gonna go ahead and edit this. Now, since this policy is not in an OU, it's right underneath the domain, this is what we would call a global or a global domain policy. It applies to all the OUs. If you place a group policy object within an OU, it only applies to that OU, but if we have a policy like the default one that's placed outside of all the OUs, it will apply to the entire domain. So we'll right-click this and hit Edit, and then the Group Policy Management Editor will open. This is where we can edit this particular group policy object. You can see its name right here at the top, so if you ever don't know which, or if you ever forget which one you're working with, that will be the name of the policy you're working with. Now, if we step back for a moment and we look at the settings for this group policy object, you'll see that there are two sections: one is the
Computer Configuration and one is the User Configuration, and we can see that also in the Group Policy Management Editor for this particular group policy object: you'll see a section for computer and user. The difference between the two is that there are certain policies that apply to users, certain policies that apply to computers, and as you get more familiar with Group Policy you'll start to remember where things are located. Certain policies would only apply to that user account, or certain policies would apply to the whole computer, and there are even some policies that you could apply to either because of the way that that policy gets applied. Now, we're not going to go into depth as to which policies are where, 'cause that's something that would take a little while to go over, and again, there are many, many policies that we could cover. But for right now we're primarily going to be covering computer policy. The reason for that is because they affect every user that logs onto that computer, and we're mainly setting up security policies for the users that log in.

So if we just follow this, the hierarchy that it's got listed in here, we can go into Policies under Computer Configuration, Windows Settings, and then Security Settings, and looks like we're going under Account Policies, Password Policies. There's Account Policy, Password Policy, so there it is. This is where we can change the settings that are in here, and you can see what's currently set. So let's go over just some of the basics. Now, when we're editing a group policy here, these are a policy and a policy setting. If I double-click this, I can change the setting. Now, in most built-in group policy options that you have the ability to change, if you don't know what it does, you can always click this Explain tab and it will tell you in detail what this setting will do, what options you have to change, and what will happen when you change that, either if it's a true or false or if it's a number that you need to
set, what will changing that do. So always read over the explanation if you don't know what you're changing or what you're doing. This will always give you some good insight as to what we're doing. But with a secure policy setting, this is Enforce password history. So when a user changes their password, they can't use that old password again until a certain amount of password changes. So let's set this to something like 12, so a user will need to change their password 12 times before they can reuse an old password. You can set this as low or as high as you want to, or you can set it to zero to turn it completely off. So we're gonna set it as 12 and hit Apply.

And then the Maximum password age, and if we hit Explain this will tell us what that does. Basically what this setting is, is how old can the password be before the user needs to change it. So after 42 days the user will need to change their password. When they go and log in, they will be forced to change it. Now, they can not, they will also get a warning that, hey, your password is coming up for expiration, do you want to change it now, and that counter will reset. So let's change that to something like three weeks. Let's set that for 21 days. A lot of businesses do this about a month; I'll do it for three weeks just as an example. And the Minimum password age, that is usually not, doesn't need to be set. That can be used in specific use cases. We'll leave that as one day. Minimum password length, that's pretty self-explanatory: how long does their password need to be. Doesn't matter if it's letters and numbers, it's not talking about that, it's just talking about how many characters long is it. We'll leave it at seven, that's good.

Password must meet complexity requirements. Now, by default Windows domain doesn't really allow you to say I need this many numbers, this many characters, or this many special characters, that sort of thing. They just have an on or off: does the password need to be complex or can it be simple, and what
they mean by complex is it needs to have these particular requirements. So it needs to be six characters in length and contain characters from three of the four, these four categories: got to have uppercase, lowercase, numbers, and special characters. So it is a good idea to leave this enabled. That greatly enhances the security in your network. You definitely don't want somebody being able to guess or brute-force their way in, so we'll leave that on. The last option is whether or not the passwords for users are stored on the domain controller using a method of encryption that's reversible, and what that means is when a password is set on a user, that is stored in such a way that the password cannot be decrypted very easily, and so we want to keep that disabled. We want to make sure that our passwords aren't easy to get to. So that's it for the password policy.

Let's go to the next one, Account Lockout Policy, that's just below that. So, Account lockout duration. Now what this is, is how long is the user locked out if they get their password incorrect so many times. So we're going to define this if we check the box. Now, normally it's undefined, and what that means is that the policy is simply turned off. So we'll go ahead and define this policy, and let's say we'll lock them out for 30 minutes, that sounds fine. Now it's going to give us a warning: these other two need to be enabled and configured in order for that policy we just changed to be changed successfully, so it's going to put some defaults in there. We'll go ahead and change those after the fact. So we'll apply that, hit OK. Account lockout threshold: how many times does the user enter their password incorrectly before it locks them out. Five, that sounds just fine. And Reset account lockout after how many minutes: so they'll get locked out for 30 minutes, and after that 30 minutes is up their account will be re-unlocked, so to speak. We'll leave that enabled, that's fine. So that's it for our two most common policies, and we're applying this
again to a computer configuration, and since it's directly underneath our domain, it's not in any OUs, it's going to get applied to all of the computers within that domain. But we need to make sure first that our scope is applied correctly, so we're gonna close this, and next we're going to click the Scope tab. Now, in our Default Domain Policy you'll see that it's applying to this domain, test.local, and it's filtered to these objects, and the object that it's filtering to is Authenticated Users. Now, it may be confusing: we've got a policy that's being applied to the entire domain, but there's only computer policies in it, yet we're filtering it down to Authenticated Users. It really doesn't matter if you're applying a policy to users or computers; you generally want to only apply it to user objects when you're talking about security filtering. So the fact that this says Authenticated Users, that's perfect. We want that to always be the users that we want to apply that policy to, because when that user logs in, that computer policy will apply to that computer as long as it is a computer within the domain, since we've applied this policy here.

So what I'd like to do next is create a policy for the financial folks that work at the headquarters at our imaginary car dealership. Now, the financial people are probably working on important accounting stuff, and they probably have some sensitive information on their computers, and we want to make sure that their computers lock if they get up and walk away for a certain amount of time. That's so that nobody can just walk up and start messing around and look at things that they shouldn't see. So we're going to create a policy in the Headquarters OU. We'll go ahead and click that, and then right-click and click Create a GPO in this domain, and Link it here. We're gonna name this GPO, so we're gonna say screen timeout, and now you'll see that that GPO is applied. If we expand Headquarters, we'll see that that's been applied, and by default it
automatically puts our Authenticated Users, and that's fine. So we're gonna go ahead and edit this policy: right-click it, click Edit. So we're gonna set up an inactivity lock. After the machine isn't active for so much time, the computer will automatically lock. This policy is located under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, and then Security Options. So the policy we're looking for is under Interactive logon, and it's called Machine inactivity limit. We're gonna double-click that, we're gonna check the box to define the setting, and we'll set that to something like five minutes. Look, notice that it's asking for it in seconds. Again, we can always click Explain if we want to get a definition of that policy. So now once we click Apply and click OK, you'll see that the policy's been defined, it's been set at 300 seconds, and if we exit the Group Policy editor and then click Settings for this group policy, we'll see that the Interactive logon policy has been set to 300 seconds. So now when a computer is within the Headquarters OU and a user logs on to it, once that computer has been inactive for 300 seconds, or five minutes, that computer will automatically go to the screensaver and then lock, so when that user comes back they'll need to sign back in in order to unlock the computer.

Now we need to make sure that this policy is applying to the particular users we don't want it to apply to. Right now we've got this group policy object, or GPO, in the Headquarters OU, so we know that it's only going to apply to things that are in that Headquarters OU. So we know that we've got the location right, but now we're gonna go to Scope, and we'll see that security filtering is set to Authenticated Users, and what that means is users that have been authenticated and logged on to the computer in the domain network. But we don't want to just apply this to Authenticated Users, to all of them; we want to apply it to only the financial folks. So if we go
back into Active Directory, and again we can go to Server Manager, Tools, Active Directory Users and Computers, and if we go to the Headquarters, we'll see that we set up an accounting group. Now, when we're creating this group policy, when we're setting up filtering, we can apply it to groups, users, and computers. So perfect, we have a group that applies to this particular GPO that we want to push this GPO out to. So we'll click Remove on Authenticated Users and we'll click Add, and then we'll type our accounting group. We'll see it underlined, so it found it. Hit OK, and so now we've got that group set up. This GPO will apply to users that are in the accounting group as long as those members are in the Headquarters OU. So we've successfully set up our GPO; it's going to apply to our users that we want to apply it to.

So that's the basics of setting up a group policy object, and again, when we're setting up Group Policy, keep in mind that there are literally thousands of policies that we could set up for computers, for users. We can set up scripts that run when the user starts the computer or logs on or logs off. There are many, many options in terms of setting up the computers in your network the way that you want through Group Policy. A really good resource to use is TechNet's website, and I've included a link within the lecture resources that will take you to basically a list of all of the group policies and what they do. Of course, you can always use that tool within Group Policy to get an explanation, but TechNet is a really good resource to look at some of the more common group policy objects and what's common practice in terms of keeping your domains secure, as well as the workstations and user accounts within your domain. Next we're going to go over file sharing and permissions, and from there we'll move on to print services.

Next we're going to quickly go over print services, which allows you to share network printers with users and deploy them in a way where they don't need to
add a printer individually onto their computer. The basics of it is that you set up a printer within your network, and you set up Windows Server to be a print server, and that provides the drivers and the print queue on the server to be available for users to use. So first we need to install that role. So we go back to Add Roles and Features, and this is a role installation, so we'll go to Server Roles and we'll select Print and Document Services. We'll check that, and it lets us know that it's also going to install the administration tools for that role, so we'll click Add Features. It gives us a little overview of Print and Document Services and what that does, and there's also some other features that come along with that: we can do a distributed scan, we can do internet printing, LPD. Right now we're just going to do a basic print server. We'll go ahead and click Install, and the installation will start. Once the installation is finished we can click Close, and you'll see that the print services role has been installed.

So now, to access the tool for print management, we can go up to Tools and scroll down to Print Management. In Print Management and the snap-in, we'll see that we have some filters available to view what we have installed. So under All Printers we'll see that we have the built-in XPS document writer, and under Drivers we'll see that we have some drivers available to use. So what we need to do is we need to install a network printer, and then we're going to check to make sure that that printer is available to use on the network for users. So what we'll do is we'll go to Print Servers. We only have the one, so we'll expand our server, and then we'll go down to Printers. Now, this is a similar view to what we did above, but within this menu we can right-click and select Add Printer. Now, if you've ever installed a network printer on Windows, or Windows 7, 8, 10, it's fairly simple. What we can do is do it by IP address, since I have a static IP address set up on my printer, but you can
also search for the network printer, use an existing port if it's an attached printer directly to the server, or we could manually create a new port. We're gonna do that by the IP address, since I have a static IP on my printer. So we'll type in the IP address of our printer. It's going to contact the printer and try to grab the most relevant drivers for that printer. Looks like it found the printer, and we're gonna make sure that we turn on sharing. Now, what that does is it makes that printer available on the network for other people to use. We'll give it a friendly name, and we probably want to fill in the location. Let's say that this printer is at the headquarters and it's at the front office. We can also add a comment the users will see if they open up the Properties tab of that printer. So we'll select Next, it'll give us a summary of our settings, and it will begin to install the printer. Once the printer installation has succeeded, we could actually go ahead and try to print a test page just to make sure that the server's connection to the printer is working, or we can add another printer if we have multiples that we need to add. But we'll go ahead and click Finish, and we'll see that in the queue this printer is ready to print.

Now, there are multiple options in deploying this printer in a way that the users can access it. We could list it in the directory, in Active Directory, so that when a user goes to install a printer they can look it up and install it themselves, or we could deploy that printer with Group Policy. It's going to be different in every case. If you have a printer that everybody in the company uses, or everybody in the building uses, it might be appropriate to use Group Policy so that all the people in the business have access to that printer, already installed, ready for them, even new users that might not be familiar with installing a printer. If your users are fairly familiar with installing printers over the network, or you can teach them how to do that, it's a lot simpler
to list it in the directory. So we're going to do both, so that we get a good handle on how to do each type of deployment. So listing in the directory is quite simple. All we do is right-click the printer and select List in Directory. Now that printer is listed in the directory, and if a user wanted to install it, they would simply open up Devices and Printers on their PC, select Add a printer, and that printer would be listed. If they can't find it, or if it's not showing up, we can select Find a printer in the directory, and we'll see that our printer is listed along with the location and the model.

Now, if we want to deploy a printer over Group Policy, it's a little more complicated. We'll right-click our printer and select Deploy with Group Policy. Now, in order for us to be able to deploy a printer over Group Policy, we need to have a group policy object in place for the policy to reside. Now, I could go ahead and manually configure that. I could go into Group Policy and set up the policy and deploy the printer by manually selecting all of those things, but this wizard within Print Management allows me to create a group policy automatically without having to do it all manually. So what we'll do is we'll click Browse, and if I already had a policy that I wanted to add this printer to, I could just go ahead and select it and the wizard would take care of adding those settings. But I don't have a policy for printing yet, so I'm going to create one. I'm gonna create one within the Headquarters OU, and it might be practical to do it for each OU, because there might be different printers at each location. So I'll double-click the Headquarters OU, and now within that I'm going to create a new group policy object, and I'm simply going to name that printers. So with the printers policy that we just created, we'll click OK, and we'll deploy this printer connection to the following, either per user or per machine. Do we want this printer to be available for all of the users within the
headquarters, or do we want it to be available for all of the computers? Well, it really doesn't matter, because more than likely all of the computers that are in the Headquarters OU are going to be used by users within that OU. You can customize that: if you have a user coming from a different OU using a computer at a different location, you might want to make it permanent that OU, they automatically have the printer in that OU based on this group policy. So we can configure that independently if we want to. I'm gonna do it per user, because I want this printer to be available only to the people who normally work within headquarters, but I could also do per machine if I wanted. So once I have that selected I'll click Add, and now I have the printer name, the GPO that it's going to apply to, and it's going to go per user. I'll go ahead and click OK. Printer deployment or removal operations succeeded, and I can see the details on that if I need to. And just to make sure that I've deployed it OK, I can go back into Server Manager and I open up Group Policy Management under Tools, and I can go into the Headquarters and select printers, and if I go under Settings I can see my printer connection there. So when that user logs in, if they belong to the HQ OU, they're going to automatically get that printer connection.

One thing to consider when you're setting up a print server is that when users go to install a printer that they don't have drivers for, the server will try to advertise drivers to that computer. Then the user will have the choice to accept the drivers that the server is presenting to their computer. The one thing that we have to keep in mind is, in order to install drivers, that user must be an administrator. So there are two options of dealing with that issue. You can either simply have the user get in touch with us, with a network administrator, and have them enter their credentials to install the drivers, and there's also a policy in Group Policy that
allows users to install printers on their own without administrative credentials. That's a little advanced in terms of setting that up, but you want to keep in mind that the user will need to have the rights to install drivers on their machine in order to start printing. That's it for print management. Next we're going to go over file sharing over a Windows domain network.

This last lecture will be on File and Storage Services. This allows you to share files on the network so that users can access them, modify them, and share them amongst each other. We need to make sure that the file and services role is installed, and you can see that it's installed. If we didn't have it installed, we could go to Add Roles and Features and then go to Server Roles; we would check the box for File and Storage Services and then install it. In order to give access to files on the server to users in our domain, we need to create a share. To do that, we won't go through Tools, because there is no snap-in directly related to File and Storage Services. Instead we can directly click on the role, and on the left side we'll see some options that we can use to create file and storage services for our users. On the left-hand side you'll see that we have Disks as well as Volumes, and these are places in which we can create files to share with users. We'll also see Shares on the left-hand side, and this is where we will create shares of files and folders for our users. You'll see three built-in shares, and these shares are built into Windows domain and they shouldn't be modified. Instead we can right-click and select New Share to open the New Share Wizard. There are several profiles available to create shares on the Windows Server, and you'll see that there's basically two types: there's NFS shares and SMB shares. SMB shares, or Server Message Block shares, are standard Windows shares. NFS is meant for Linux, Unix, or macOS operating systems. Since we have Windows users in our domain, we're gonna do an SMB share, and we're
going to use the Quick profile. We'll select the server where we want to create the share, as well as select the volume where we want the share to be created. If we had more than one hard drive, or more than one volume on a hard drive, we would be able to select that and change the location where the share is located. We'll be prompted to give the share a name, and in this case I'm going to create a public share that all the users will have the ability to access. We can enter a share description that users will see if they hover over that share or access the properties page, and then we can select the local path. This is where the actual files will be stored on the server. We can change this path if we want, but we'll leave it as default for now. The remote path to share is the path that the users will enter in order to access this share. The default will work fine.

In Other Settings we have some more advanced settings we can configure. Access-based enumeration is probably the most important. Access-based enumeration, this allows a user from seeing files or folders that they do not have access to. Most administrators typically leave this setting turned off, and the reason for that is because if a user can't see a file or folder, they may think that it doesn't exist. In most cases it's better to let users see a file and be prompted that they don't have access to it, so that they can contact an administrator, have that resolved. So we'll leave that setting turned off for now, and the other two settings here we can cover in more advanced courses.

Next we'll specify the permissions to control access, and we'll see that we have some built-in permissions already configured. The creator and owner of the file has full control, and that's me. The users have special and read and execute privileges. The administrators have full control, and the built-in system account also has full control. We're setting up a share that everyone will have full control on the share. By default this is already set up, so we'll
leave this as default. We'll then get a page that shows our selections so that we can confirm our settings, and then we'll click Create. We'll see that the share was successfully created, and in the Server Manager we'll see that our share is listed. To test this, we can open up a file browser, navigate using double backslash, our server name, and then the share name. We have access to the public share, and in here, since I have permissions as an administrator, I can add files, delete them, read them, and change permissions on those folders, since I have permissions to do so.

We're going to create one more share, and this one will be restricted to certain users. So we'll right-click and select New Share once again. We'll use the Quick profile, we'll use our standard server and volume, and we're going to create a share for the accounting users. The default local path and remote paths are fine. We'll leave the other settings as default. Now we need to make it so that only the accounting users can have access to this particular share. In order to do that, we have to take several steps to change the default share permissions in the New Share Wizard. So we'll go to Customize permissions, and in here we'll notice that we have an option to disable inheritance. Basically what this means is that these permissions are being inherited from their parent folder. In order to set explicit permissions and give only particular groups access, we need to turn off this inheritance and create explicit permissions. So we'll click Disable inheritance, and we'll convert the inherited permissions into explicit permissions. We're going to remove our users permissions, and we're going to add permissions for the accounting group. We'll select a principal of accounting, the type is Allow, and we'll apply it to this folder and all of the subfolders and files in the share. We're going to give our accounting group full control and select OK. Now we can see that our permissions have been changed so that only accounting and administrators have
access to the share. We'll click OK, click Next, and then click Create. We'll see that our share has been successfully created and it's now in the share list. To test it, we can open up our server name again with a double backslash and open the accounting share. Now, if we go back to our server, right-click the accounting share, and click Properties, in the Security tab we'll see that the accounting group has access as well as administrators, and no other user groups are listed. So that's the basics of setting up a share on Windows Server and configuring permissions so that users can access them.

So we've reached the end of the course on Windows Server 2012 administration for beginners. I'd like to thank you for participating, and I would love to hear your feedback on the course. If you look in the top left-hand corner of your screen, you'll see some resources that are gonna be really beneficial to you as you're getting familiar with some of the things we went over. And just to recap: we've set up a Windows server from scratch, we've created a domain and set up some of the basic domain services, and in the future courses that I'll be putting out we'll be getting into some of the more intermediate and advanced setups that you can do within a Windows domain, and so I look forward to seeing you there. Once again, please leave me feedback. I'd love to hear back from you, whether positive or negative, and take
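Added example, not part of the video: a read-only PowerShell check that the domain's effective account policy matches the values chosen in the Default Domain Policy walkthrough above. It assumes the ActiveDirectory module (RSAT) is available and a 30-minute lockout observation window, which the video does not state; it also lists fine-grained password policies, which take precedence over the domain policy for the users and groups they target.

```powershell
#Requires -Modules ActiveDirectory
# Read-only audit of the domain account policy. Nothing is changed.

$domain = 'test.local'   # domain name used in the walkthrough

# Expected values as chosen in the walkthrough.
$expected = [ordered]@{
    PasswordHistoryCount        = 12
    MaxPasswordAge              = New-TimeSpan -Days 21
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = New-TimeSpan -Minutes 30
    LockoutThreshold            = 5
    # Assumption: the video keeps the suggested value without stating it.
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
}

# Effective policy stored on the domain object.
$actual = Get-ADDefaultDomainPasswordPolicy -Identity $domain

$report = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual.$name
        Match    = ($actual.$name -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

$drift = @($report | Where-Object { -not $_.Match })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting(s) differ from the expected policy."
}

# Fine-grained password policies override the domain policy for the
# users and groups listed in AppliesTo, so review them as well.
Get-ADFineGrainedPasswordPolicy -Filter * -Server $domain |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo |
    Format-List
```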
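Added example, not part of the video: a read-only PowerShell review of the restricted accounting share created above, covering share-level access, whether NTFS inheritance is disabled, and which principals hold NTFS rights. The share name, the `TEST` NetBIOS domain prefix and the allowed-principal list are assumptions to adjust for your environment.

```powershell
# Read-only review of a restricted SMB share. Nothing is changed.
# Run on the file server in an elevated session.

$shareName = 'accounting'              # assumption: share name
$allowed   = @(                        # assumption: principals expected on the folder
    'TEST\accounting',
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER'
)

$share = Get-SmbShare -Name $shareName
$acl   = Get-Acl -Path $share.Path

# Share-level permissions are evaluated together with NTFS permissions;
# the more restrictive of the two wins for network access.
Get-SmbShareAccess -Name $shareName |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# AccessBased means access-based enumeration is on; the walkthrough leaves it off.
"Folder enumeration mode: $($share.FolderEnumerationMode)"

# True means inheritance from the parent folder is disabled.
"Inheritance disabled:    $($acl.AreAccessRulesProtected)"

# Allow entries for any principal outside the expected list.
$unexpected = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $allowed -notcontains $_.IdentityReference.Value
}

if ($unexpected) {
    Write-Warning 'Principals outside the expected list have NTFS access:'
    $unexpected |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
} else {
    'Only the expected principals have NTFS access.'
}

# Entries still marked inherited indicate the folder is taking
# permissions from its parent despite the intended explicit ACL.
$inherited = @($acl.Access | Where-Object { $_.IsInherited })
"Inherited entries:       $($inherited.Count)"
```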
Info
Channel: CB TECH Channel
Views: 29,604
Rating: 4.9511003 out of 5
Keywords: Windows Server 2012 R2 Administration for Beginners, windows server 2012, server 2012, system administration, 2012 server, sysytem admin
Id: 6L-yuDVTn9o
Length: 75min 26sec (4526 seconds)
Published: Tue Oct 15 2019