Windows Server 2016 & Windows 10 Administration
Windows Server OS:         Windows Client OS:
Windows Server 2022        Windows 11
Windows Server 2019        Windows 10
Windows Server 2016        Windows 10
Windows Server 2012 R2     Windows 8.1
Windows Server 2012        Windows 8
Windows Server 2008 R2     Windows 7
Windows Server 2008        Windows Vista
Windows Server 2003        Windows XP
Windows Server 2000        Windows 95/98/ME
Windows Server 2016:
Editions:
> Standard: With GUI (Desktop Experience) or Without GUI (Server Core)
> Data Center: With GUI (Desktop Experience) or Without GUI (Server Core)
Windows 10:
Editions:
Home, Education, Enterprise, Pro
AD (Active Directory): A Directory Services Solution by Microsoft for
Centralized Authentication Services
AD is used for creating User Accounts, Groups, Domains, Sub-Domains, GPOs, etc...
AD Stores info about Network Objects in a Database form (Global Catalog)
> Physical NW Objects: PCs, Servers, NW Printers, ...
> Logical NW Objects: Users, Groups, Domains, Sub-Domains, OUs, GPOs, ...
DC (Domain Controller): Windows Server in which AD is installed and a Domain is configured
Types of DC:
> Global Catalog (GC): Primary Read-Write Database of AD
> Read-Only Domain Controller (RoDC): Secondary Read-Only Copy of AD
Forest Functional Level: Oldest Server OS in entire Forest
Domain Functional Level: Oldest Server OS in entire Domain
DNS Method of Login for Users: username@domain.com Password
NetBIOS Method of Login for Users: DOMAIN\username Password
Active Directory Users & Computers
> Builtin
> Computers
> Domain Controllers
> Users
Domain: Logical Boundary of a Company's Network
Domain Name: Looks like a URL or Website Path
All Computing Devices and Logical Objects become part of the Domain
Domain is configured in a Domain Controller (DC) Server
Sub-Domain: Domain in itself, but a child entity of a parent Domain
==============================================
Practice of the day:
** VMWare Workstation -> New VM:
-> New (for Windows Server 2016 DC Server)
Name: WinSrv16-DC-02
Version: Windows Server 2016 Standard (Desktop Experience)
Memory: 2048 MB
Hard Disk File Size: 200 GB
-> Settings
Remove Floppy of 'autoinst.flp'
Choose a disk file -> WinSrv16.iso (from C:\ISOs)
Network Adapter: Attached to: 'Custom' -> VMNet8 (NAT)
-> Start (to boot the Virtual Machine)
> Install Windows Server 2016 -> Standard (Desktop Experience) (with GUI)
> Partition Size -> 40960 MB
> Assign Administrator Password -> Admin@123
> Login as Administrator
> Initial Configuration
>> Server Manager -> Manage Menu -> Server Manager Properties
-> Tick "Do not start Server Manager automatically"
Dashboard -> Local Server
-> Enable 'Remote Desktop'
-> Modify Time Zone as per Region of Server
-> Modify Date and Time
-> Assign IP Address to the NW Adapter (ncpa.cpl)
-> Turn On Network Discovery (NW & Sharing -> Adv Sharing)
-> Change Hostname
DC Server: IPv4: 40.40.40.1/8
Hostname: ctrls-dc-02
** Install ADDS + DNS and Configure Domain in Windows Server 2016:
To make the first Server a Domain Controller (DC), follow the steps below:
-> Login as 'Administrator' in Windows Server 2016
-> Server Manager -> Dashboard -> "Add Roles and Features"
-> Next -> Next
-> 'Roles' List -> Tick on "Active Directory Domain Services"
-> Click "Add Features" on pop up message -> Next -> Next -> Install
** -> After Role 'ADDS' is installed successfully
-> Click "Promote this Server to a Domain Controller" link
(On last stage of Wizard or in Notifications Flag beside 'Manage' Menu)
-> 'Add a new Forest' -> Root Domain Name: ctrls.com (or any other name)
-> Next -> Next -> DSRM Password: Admin@123 -> Next -> Next -> Install
After Server Restart:
-> Login as 'Domain Administrator' ctrls\administrator Admin@123
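The same role installation and promotion can be scripted, which also makes the result easy to verify after the restart. This is an added example, not part of the original notes; it uses the lab's ctrls.com name, assumes an elevated PowerShell session on the server, and prompts for the DSRM password instead of embedding it. Run it once before the promotion and once after the restart.

```powershell
# Added example (not from the original notes): ADDS + DNS setup and post-restart check.
$DomainName = 'ctrls.com'   # root domain name used in these notes
$NetBIOS    = 'CTRLS'       # NetBIOS name seen in the ctrls\administrator login

# DomainRole 4 or 5 means this machine is already a Domain Controller
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole

if ($role -lt 4) {
    # "Add Roles and Features" -> Active Directory Domain Services
    $feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    if (-not $feature.Success) { throw 'ADDS role installation failed' }

    # Prompt for the DSRM password so it never lands in a script file or history
    $dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

    # "Promote this Server to a Domain Controller" -> 'Add a new Forest'
    # The server restarts automatically when the promotion completes.
    Import-Module ADDSDeployment
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetBIOS `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force
}
else {
    # After the restart: confirm the domain, functional levels and DC roles
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        Domain         = $domain.DNSRoot
        NetBIOS        = $domain.NetBIOSName
        DomainMode     = $domain.DomainMode      # Domain Functional Level
        ForestMode     = $forest.ForestMode      # Forest Functional Level
        GlobalCatalogs = $forest.GlobalCatalogs -join ', '
        ReadOnlyDCs    = $domain.ReadOnlyReplicaDirectoryServers -join ', '
    }

    # Clients find the DC through this SRV record; it must resolve before a PC can join
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$DomainName" |
        Select-Object Name, NameTarget, Port
}
```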
** In Win10 PC:
> Login as: localadmin Password: Admin@123
-> Run -> ncpa.cpl
-> Assign IP Address to the NW Adapter: 40.40.40.51/8
-> Turn On Network Discovery (NW & Sharing -> Adv Sharing)
Open 'This PC' -> Properties
-> 'Change Settings' beside Computer Name
-> "Change" Button
-> Change Hostname: ctrls-pc-101
-> Join to Domain: ctrls.com
Authenticate with 'Domain Admin': ctrls\administrator Admin@123
** In DC Server:
-> Login as 'Domain Administrator' ctrls\administrator
-> Server Manager -> Tools Menu -> Active Directory Users and Computers
-> Expand 'ctrls.com' Domain Name in left panel
-> Click 'Users' Container -> Check list of Users and Groups
-> Click 'Computers' Container -> Check list of Computers (PCs & Member Servers)
-> Click 'Domain Controllers' Container -> Check list of Domain Controllers (GC & RoDC)
-> Right-Click 'Users' Container -> New -> User
=> Create 12 or 15 User Accounts
** Domain User login to Domain Computers:
Login to Win 10 PC using any of the users created in Active Directory.
Sign Out and Sign In with other Domain Users in Windows 10 PC.
==============================================
Groups in Active Directory:
AD Group is a Logical Object in Active Directory for Users to become Members:
>>> To elevate privileges to perform Admin tasks in Servers & PCs
>>> To grant permissions to access data
AD Group Scopes:
> Domain Local
> Global
> Universal
==============================================
Practice of the day:
** Managing Groups in Active Directory
Open Server Manager in DC Server -> Tools -> Active Directory Users & Computers
-> Right-Click on 'Users' in left panel -> New -> Group
-> Give Name like "hrgrp", "itgrp", "nwgrp", "salesgrp", etc.
To make Users as Group Members:
*** Method 1:
-> Right-Click on any Group Name -> Properties -> 'Members' tab
-> 'Add' button -> Give one or more User Names -> 'Check Names' button -> OK
*** Method 2:
-> Right-Click on any User Account -> Properties -> 'Member Of' tab
-> 'Add' button -> Give one or more Group Names -> 'Check Names' button -> OK
*** Method 3:
-> Right-Click on any User Account -> Add to a group...
-> Give one or more Group Names -> 'Check Names' button -> OK
** Elevate Privileges of Domain Users to Domain Admin:
-> Make the Users as Members of Privileged Groups:
-> "Administrators"
-> "Domain Admins"
-> "Enterprise Admins"
-> "Schema Admins"
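Membership of these four groups decides who holds domain-wide admin rights, so it is worth listing after any change made through the steps above. The following is an added example, not part of the original notes; it assumes the ActiveDirectory module on the DC, and the `$expected` allow-list is a constructed value for the lab.

```powershell
# Added example (not from the original notes): review privileged group membership.
Import-Module ActiveDirectory

$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Constructed allow-list: accounts that are supposed to hold these rights in the lab
$expected = @('Administrator')

$report = foreach ($group in $privileged) {
    # -Recursive expands nested groups, so indirect members are listed too
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.SID -Properties LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $group
                User            = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Expected        = $expected -contains $u.SamAccountName
            }
        }
}

$report | Sort-Object Expected, Group, User | Format-Table -AutoSize

# Anything outside the allow-list needs a documented reason or removal
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    $names = ($unexpected.User | Sort-Object -Unique) -join ', '
    Write-Warning "Privileged accounts not on the allow-list: $names"
}
```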
** Elevate Privileges of Domain Users in Local PC for Admin rights:
Login to PC with any local admin user:
PC-Hostname\LocalAdminUserName
Ex: ctrls-pc-241\localadmin
-> Control Panel -> 'User Accounts' -> Again 'User Accounts'
-> 'Manage User Accounts' -> Add Domain Users as 'Administrator' -> Finish
-> Logout from localadmin
-> Login as Domain User for whom Admin rights are given
-> Test by clicking any 'Blue-Yellow Shield' icons
==============================================
Organizational Units (OU) in Active Directory:
> Logical Object in AD to act like a container to segregate, manage and maintain:
Users, Groups & Computers based on Location, Project, Section, Dept, etc...
> OUs are also used for applying GPOs
Group Policies:
'Group Policy' is a set of policies to modify behaviour of Member Server OS or Client PC OS.
Group Policies are configured in the DC Server using GPM Tool by creating GPOs.
Group Policy Objects (GPOs) are a list of such selected Group Policies under two categories:
> Computer Configuration: Impacts Computers in the OU where the GPO is linked,
whoever may log in to those Computers
> User Configuration: Impacts Users in the OU where the GPO is linked,
wherever these Users log in
Group Policies are of two types:
Allow (and all its synonyms)
Disallow (and all its synonyms)
GPOs can be linked to OUs, Domains & Sites
GPOs cannot be linked to Users & Computers directly
GPOs do not affect Groups in AD at all
Solving conflicts in Group Policies
GP Conflicts:
> Same Level Conflict:
Whichever policy is applied first will prevail
> Different Level Conflict
Preference Order: L (Local, OS default), S (Site), D (Domain), OU (OrgUnit)
Starter GPOs
A Starter GPO is a Template for creating new GPOs with pre-selected Group Policies
commonly needed in other GPOs.
Starter GPOs cannot be linked to Domains and OUs.
After the GPO is created using a Starter GPO, both GPO and Starter GPO will be separate.
==============================================
Practice of the day:
** Managing Organizational Units:
** In DC Server:
-> Login as 'Domain Administrator' ctrls\administrator
-> Open Server Manager in DC Server -> Tools -> Active Directory Users & Computers
-> Right-Click on Domain Name in left panel -> New -> Organizational Unit
-> Give Name like "HRTeam", "ITTeam", "Hyd", "Chennai", "Mumbai", etc.
-> Right-Click existing OU like "Chennai" -> New -> Organizational Unit
-> Give Name like "Chennai-NWTeam", "Mumbai-DBTeam", etc.
-> Move existing Users and Groups from 'Users' container to new OUs
-> Move Domain-joined Computers from 'Computers' container to new OUs
-> Create New Users and Groups in new OUs
** Managing Group Policies:
> Open Server Manager in DC Server -> Tools -> Group Policy Management
-> Expand Forest -> Expand 'Domains' -> Expand Domain Name "ctrls.com"
-> Expand all OUs and folder 'Group Policy Objects'
-> Right-Click on folder 'Group Policy Objects' -> New -> Give Name to a GPO
-> Right-Click on new GPO -> Edit
-> In 'GPM Editor' Window
-> Expand 'Computer Configuration' -> Policies -> Admin Templates -> All Settings
-> Open necessary policy settings and select 'Enabled' or 'Disabled' as needed
Ex: "All Removable Storage classes: Deny all access" -> Enabled
-> Expand 'User Configuration' -> Policies -> Admin Templates -> All Settings
-> Open necessary policy settings and select 'Enabled' or 'Disabled' as needed
Ex: "Do not allow Snipping Tool to run" -> Enabled
-> Close 'GPM Editor' Window
-> In 'Group Policy Management' Window -> Click Green 'Refresh' button under top menu
-> In 'Group Policy Management' Window -> Right-Click any OU -> Link an existing GPO
-> Select the new GPO and click 'OK'
-> Restart Win 10 PC and login with any Domain User of the OU where new GPO is linked
-> Test the working of the policy 'Enabled' or 'Disabled' in the GPO linked to the OU
** In Win10 PC which is in the OU where a GPO is linked:
-> Login as any 'Domain User' of the OU where the GPO is linked
-> 'Run' -> cmd -> gpupdate /force
Note: The above command is to pull Group Policies from Active Directory,
which is a cumulative list of all GPOs linked to the OU of the User
and the OU of the Computer in which that User logs in.
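The GPO creation, linking and client-side check above can also be done from PowerShell, which leaves a repeatable record of what was configured. This is an added example, not part of the original notes; 'Lab-Restrictions' is a hypothetical GPO name, the OU is one of the sample OUs from these notes, and the registry values are the ones that back the two example policies.

```powershell
# Added example (not from the original notes). 'Lab-Restrictions' is a
# hypothetical GPO name; the OU and domain are the lab values used above.
$GpoName = 'Lab-Restrictions'
$OuDn    = 'OU=HRTeam,DC=ctrls,DC=com'

function New-LabGpo {
    # Run on the DC as a Domain Admin.
    Import-Module GroupPolicy
    New-GPO -Name $GpoName -Comment 'Removable storage and Snipping Tool lab policy' | Out-Null

    # Computer Configuration: "All Removable Storage classes: Deny all access" -> Enabled
    Set-GPRegistryValue -Name $GpoName -Type DWord -Value 1 -ValueName 'Deny_All' `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices' | Out-Null

    # User Configuration: "Do not allow Snipping Tool to run" -> Enabled
    Set-GPRegistryValue -Name $GpoName -Type DWord -Value 1 -ValueName 'DisableSnippingTool' `
        -Key 'HKCU\Software\Policies\Microsoft\TabletPC' | Out-Null

    # Link the GPO to the OU (GPOs link to OUs, Domains and Sites, never to users)
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null

    # Every GPO that reaches this OU through Domain and OU links, with its order
    (Get-GPInheritance -Target $OuDn).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced
}

function Test-LabGpoApplied {
    # Run elevated on the Win10 PC; the computer account must sit in the linked OU
    # for the Computer Configuration half to apply.
    gpupdate /force | Out-Null
    $key = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
    $val = (Get-ItemProperty -Path $key -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        RemovableStorageDenied = ($val -eq 1)
        # Lines of the gpresult report that mention the GPO by name
        AppliedComputerGpos    = @((gpresult /r /scope computer) -match $GpoName)
    }
}
```

Call `New-LabGpo` on the DC and `Test-LabGpoApplied` on the client; an empty `AppliedComputerGpos` means the computer is not in the linked OU or the policy has not been processed yet.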
** IP Address Settings in Win10 PC:
** In Win10 PC:
-> Login to Win10 PC as 'localadmin'
-> Run Tool -> "ncpa.cpl" -> Right-Click NIC -> 'Properties' -> Select 'IPv4 Properties'
-> Test by giving different IPv4 Addresses from Class A, B or C and notice Subnet Mask
-> Try assigning invalid range of IPv4 Address and understand error message displayed
==============================================