First 10 Steps: A new Win Server ON the net
Installing a new server using one of the old IBM PC 300GL and two NICs. Want to try putting this thing right ON the net.
1. Install – This being an R2 version install of WinSrv2003 (though the Build is still 3790 Service Pack 1) it asks for a 2nd disk to be inserted after you’ve logged in as administrator for the first time. I permitted this.
2. Update – There is then a window that informs you to download updates, then turn on automatic updates. Done. It then reported that any ports would be opened. Hmm.
Let’s go check Windows Firewall. Interesting, it is OFF BY DEFAULT and states “Windows Firewall can’t run because … ICS is not running.” It then suggests you turn it on. I did.
Now I’ll go down and plug it directly onto the internet. First I’ll setup the NIC for DHCP. I did this and received an IP of 65.26.xx.xx/24.
Looks good so far. Now let’s kill the extra control over IE.
Now let’s go online to GRC.com and check for file sharing over the net and open ports. It reported 100% STEALTH. Great!
Now to setup DHCP on the other NIC. I plugged it into a switch with no other computers plugged in. I setup that other NIC for a static 172.16.1.1/24.
I did not setup a gateway or DNS. I renamed the NICs RED and GREEN to make it clear.
And went into the Advanced tab of Windows firewall to kill the firewall on the internal NIC.
3. Optimize Page file – I went and setup the swap file on drive C: which is another disk (an XP install is on it)
5. Update – changed CD/ROM drive to drive letter Z:
4. i386 on disk – Tried to copy the i386 folder to drive E: but it failed at about 90% because it is only 512MB. So, I ended up putting it on D:.
5. Config server – Whoa, I then went to setup DHCP and it wants to do the whole thing for me. Hmmmm? I could / should have skipped most of step 2 above.
I’d like to do it all on my own, but I guess I should see what happens when I let it.
This means I didn’t need to do that Firewall setup. Here goes. I chose the first option.
I decided to give this the name risky.local:
Let her rip. But hold on, I get a message from RRAS saying I’ve got to turn off the Firewall. Yikes, it turns out almost ALL of the above would have been done automatically. Not sure why they would have you plug your computer in to the ISP in the meantime without ANY firewall. I tried to keep the NIC unplugged, but of course it wanted it to be “up.” Hmm. Hope this goes fast. I guess I could have kept it plugged into the router that would have provided the DHCP for a time. Oh well.
(1/27/2007 6:42:56 AM)
Configurations for Your First Server
The Routing and Remote Access Setup wizard completed successfully.
Preferred DNS server: 172.16.1.1
DHCP installed successfully.
This server has been successfully set up as a domain controller.
Install Active Directory and DNS
Full domain name: risky.local
NetBIOS domain name: RISKY
DNS installed successfully.
DHCP Server successfully authorized.
TAPI directory successfully set up.
An Application Naming Context was successfully set up in Active Directory on this domain controller for use by TAPI client applications. If you later need to demote this machine from being a domain controller, this Application Naming Context should be removed with the TAPICFG utility. The Application Naming Context has the following DNS name: redboot68.risky.local.
So what did this automatic install do? Here are some of the things I found:
I tried to get to Windows Firewall and could not.
I think this is due to RRAS being installed. YES, I found it as the last column:
Ran grc.com’s Shields Up again and all looks okay.
It also setup the default DNS server on GREEN and RED to be 127.0.0.1. Good.
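Shields Up only shows what answers from outside while the RRAS filter is in place. As an added example (not part of the original post), this Python sketch reads `netstat -ano` output and lists the sockets bound to an address the RED NIC serves, which is what would be exposed if that filter were off; the sample output, PIDs and the 203.0.113.10 stand-in for the elided RED address are constructed.

```python
import re

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
# 203.0.113.10 stands in for the RED (internet) NIC, 172.16.1.1 is GREEN.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1820
  TCP    172.16.1.1:139         0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:3389      198.51.100.7:51515     ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
  UDP    172.16.1.1:67          *:*                                    1104
  UDP    203.0.113.10:123       *:*                                    812
"""

# proto, local addr, local port, foreign addr, optional state, PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*([A-Z_]*)\s*(\d+)\s*$")

def exposed_on(netstat_text, external_ip):
    """Return sorted (proto, port, pid) for sockets the external NIC serves."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers and blank lines
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established sessions are not listeners
        # 0.0.0.0 means every interface, so it includes the external one;
        # sockets bound only to GREEN or loopback are skipped.
        if addr in ("0.0.0.0", external_ip):
            hits.add((proto, int(port), int(pid)))
    return sorted(hits)

if __name__ == "__main__":
    for proto, port, pid in exposed_on(SAMPLE, "203.0.113.10"):
        print(f"{proto:3} {port:5}  pid {pid}")
```

Each PID in the result can be matched to a service with `tasklist /svc`, which gives the list of services that rely entirely on the RRAS filter on RED.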
Began setup of an XP client PC to be connected only to this server.
6. File server – Setup on drive E: a RiskyShare folder and share with Full Control SMB permissions and Modify NTFS permissions.
7. Centralized logs – Setup on drive E: a RiskyLogs folder for future use, should I decide to isolate all logs into one spot.
8. Raise Level – A bit later, Raised Domain Functional Level to native 2003
9. Set Default Domain Security Settings – Password Policy – This is stringent by default and I changed minimum age to 0 so I could change a password immediately.
10. Add OUs and users – I setup an OU RiskyIT, RITUsers and RITCptrs; all passwords will be xxxxxxxx