
Configuring 2k3 server

Recommended Posts

sc302    1,733

If it is not business related, that should stay at home and blocked. Even at home I have a PC for torrents that can get fked up if they are infected; if it gets infected it is really no big deal, as a reboot can clear any infection. I also try to go into the install with WinRAR to see if there are any other files in the exe; sometimes there are, and sometimes they are coded better so that the only way to find out is to go into the temp folder to see what gets extracted. Once you see what is extracted (usually the exe for the program and malware), you can take the exe or msi out and run that cleanly on any computer. Unfortunately with keygens there is no temp; they just run as the exe and are coded better than the installs are. A lot of the keygens have malware embedded, so again I can run it on my safe PC, get the key I need for whatever, reboot and all issues are gone.

Microsoft SteadyState for Windows XP and Vista, Faronics Deep Freeze for everything else.

anderground    0

Here I am.

Now I see, the ISP DNS is set as the DNS server; I set it a couple of days ago for testing and forgot to remove it.

OK, that explains why I have internet, but why do I have an IP address (still .10) if my server is OFF?

IP address is set to Automatically! :wacko:

(router DHCP is disabled)

edit:

I use Sandboxie for such things ;)

+BudMan    3,536

"IP address is set to Automatically "

And what did it say your DHCP server was? Or was it an APIPA 169.254.x.10??

.10 does not give a lot of info to work off -- post up ipconfig /all so we can tell you what happened..

If it got an address from a DHCP server it will tell you what IP the DHCP server was, and how long the lease was, etc. etc.

If it got a valid IP from a DHCP server -- then it's clear there is one running ;)

anderground    0

OK, I'll do it, but before that, there's another weird thing about the Windows firewall on the server.

When it is ON, the client doesn't have access to the DNS server??

The moment I turn it OFF, my client gets internet...

It seems that I have to add another exception...

edit:

As for DHCP, there's no difference in ipconfig /all whether the server is ON or OFF.

It shows the DHCP server is 192.168.1.2.

At the moment my server machine is off, but my client (after restart, even though the server is off) got the first IP address from the DHCP pool (I set .10-.50), i.e. 192.168.1.10.

What's more, yesterday I noticed (while the server was OFF) that at about the same time as the day before the client suddenly lost its IP.

It's obvious that the client itself cancelled its IP address when the lease expired (I set it to 1 day).

Does it mean that the server just gives the IP address and lease duration to a client, and from then on the client maintains its IP and cancels it when it expires?

sc302    1,733

At full shut down/power off the PC should release its IP address. At power up it should request a new lease from the server. At reboot, the PC should retain the IP address.

Your firewall config sounds messed up. I would stop using it.

+BudMan    3,536

"and from then on the client maintains its ip and cancels it when it expires. "

Kind of -- the client will attempt to renew the lease from the server when it hits 50% of the lease time, and then will continue to try and renew it until it expires.. Then yeah, if the server it obtained the lease from will not renew, then yeah, it expires and it has to give it up.. You can set the length of the lease to whatever you want - 24 is pretty short and would only be used when your scope is pretty full and you need to turn over IPs quickly. But once the lease has been obtained -- no, the server does not have to be around for it to use that lease.

As to your firewall settings... I'm just not understanding what you don't get about a firewall.. You say you need it, but then you don't understand that you have to allow for the traffic you want to serve up.. Be it DNS, be it DHCP, be it FTP, WWW, etc. etc. etc.

And before you go looking it up and not bothering to look at what DNS uses other than its port -- it can use both UDP and TCP, so on your rule you need to allow for both UDP and TCP on 53.

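The lease behaviour described above (renew at 50%, keep the address until expiry even with the server off), as an added illustration that is not part of the thread. It follows the RFC 2131 client timers: T1 at 50% as BudMan says, T2 at 87.5%; the 24-hour lease, 192.168.1.10 and 192.168.1.2 are the thread's own values, and the event schedule is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 2131 client timers: T1 (start renewing) at 50% of the lease,
# T2 (start rebinding to any server) at 87.5%.
T1_FRACTION = 0.5
T2_FRACTION = 0.875


@dataclass(frozen=True)
class Lease:
    address: str      # the leased IP, e.g. first address of the .10-.50 pool
    server: str       # the DHCP server that granted it
    start: float      # hours, chosen here for readability
    duration: float   # lease length in hours (the thread's scope uses 1 day)


def lease_phase(lease: Lease, now: float) -> str:
    """Which phase the client's own timers put it in at time `now`."""
    elapsed = now - lease.start
    if elapsed >= lease.duration:
        return "EXPIRED"      # client must stop using the address
    if elapsed >= lease.duration * T2_FRACTION:
        return "REBINDING"    # broadcasts DHCPREQUEST to any server
    if elapsed >= lease.duration * T1_FRACTION:
        return "RENEWING"     # unicasts DHCPREQUEST to the original server
    return "BOUND"            # uses the address; no server contact needed


def client_tick(lease: Optional[Lease], now: float, server_up: bool):
    """Run the client's timer logic once. Returns (phase, lease after the tick)."""
    if lease is None:
        return "INIT", None
    phase = lease_phase(lease, now)
    if phase in ("RENEWING", "REBINDING") and server_up:
        # DHCPACK received: the lease restarts with its full duration
        return "BOUND", Lease(lease.address, lease.server, now, lease.duration)
    if phase == "EXPIRED":
        return "EXPIRED", None      # address released; back to discovery
    return phase, lease             # keeps the address whether the server answered or not


def simulate(lease: Lease, schedule):
    """Apply (time, server_up) events in order; return [(time, phase, address)]."""
    history = []
    for now, server_up in schedule:
        phase, lease = client_tick(lease, now, server_up)
        history.append((now, phase, lease.address if lease else None))
    return history


if __name__ == "__main__":
    # Constructed scenario: 1-day lease granted at hour 0, server off the whole day.
    granted = Lease("192.168.1.10", "192.168.1.2", 0.0, 24.0)
    for row in simulate(granted, [(6.0, False), (12.0, False), (21.0, False), (24.0, False)]):
        print(row)
```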
anderground    0

thanks for the explanation of leases.

"As to your firewall settings... I'm just not understanding what you don't get about a firewall.. You say you need it, but then you don't understand that you have to allow for the traffic you want to serve up.. Be it DNS, be it DHCP, be it FTP, WWW, etc. etc. etc."

But you said the Windows built-in firewall is predefined to allow DHCP and DNS and I don't need to add any exception..

I'm not sure if you understood which firewall I'm talking about.

I'm having the problem with the built-in Windows firewall on the server, not with the one (PC Tools) on the client machine.

+BudMan    3,536

"but you said windows built-in firewall is predefined to allow dhcp and dns and i dont need to add any exception.."

You don't -- ah, been a while since I had to set up a 2k3 box with the firewall running.. It does do it automatically for you -- if you run the WIZARD ;)

After you add a role, or set up the server the first time and are going to be running the firewall on it -- then you need to run the Security Wizard. My bad, I forget how nobody RTFM. Right on the first page of help on installing roles on your server -- which I would have thought anyone setting up a server for the first time would at least breeze over ;)

Security Configuration Wizard

After you configure roles for your server, you can use the Security Configuration Wizard to create or apply a security policy to the server. For more information, see Security Configuration Wizard.

This auto sets up the rules for you for DNS, DHCP, everything that would need to be open after setting up a server or changing its roles -- does everything automatically for you.. You don't have to create specific exceptions for everything.


It sees what roles you have installed, lets you tweak the policy if you want, etc.


And creates the rules for the firewall for you.


My bad for sure -- should have been more clear on that.. But to be honest I had forgotten about it -- it's been a while since I played with 2k3 and running a firewall on it.. Just remembered that the rules were set automatically for you - you did not have to individually create each exception, etc.

Run the wizard -- if not installed, add it under Windows Components under Add/Remove Programs. But again -- and I think sc302 will agree with me, you have little use for the firewall in the first place on a secure private network.

sc302    1,733

Absolutely useless comes to mind.

+BudMan    3,536

Hehehe -- I would concur..

Run the wizard on your AD box, look at all the ports it opens up -- all the ports the box is listening on, pretty much. No point in firewalling a port you're not listening on anyway -- there is nothing listening to exploit!

Are you going to restrict any of these ports to only specific machines? Or pretty much you're going to trust your whole private network? Are there ANY machines that you need to firewall against?? If so you're going to have to configure the rules to only allow the specific IPs you want to talk to this box. That's a bit of a pain in the ass now, isn't it! Be much easier to just not allow untrusted machines onto your trusted network.. I.e. the thread about policy on personal machines on a business network comes to mind.

Or I have to set up rules to only allow my trusted machines in my firewall rules -- now how to run a DHCP server, but firewall it to only allow trusted machines?? Hmmmm -- **** once I give a machine an IP on my trusted network -- I have to now go around to every single machine's firewall and allow this IP to talk to it??? Or again, do you just trust the network??

Firewalls are run at the border of your trust.. If you only trust your machine -- then sure, run a software firewall on your machine and then you can limit what IPs can talk through your trust border.. But when you expand that trust border to a network, i.e. your NAT router -- the border between your private secure network with machines you manage on it and the nasty public internet.. Where do you think the firewall should be?? On every single machine on this trusted network -- which all need to be configured to allow the trusted traffic you want, or at the border, where you configure the traffic that can enter and leave your trusted network once?

In a company you manage -- where should you put the firewalls?? At every single desktop so you can set up every single ACL for which IPs can talk to it or which IPs it can talk to -- or do you, at the borders of the segments between machine types, departments, business units, use rules to allow which type of traffic can flow between segments?? Well if it's me managing it -- guess where it's going.. Where I only have to do the rules once -- not on every single device on the network.

Again, firewalls are placed at your trust border -- if your trust border is your machine, fine for you -- but when you have multiple machines you manage -- it's a pain in the ass to manage all those rules on every device.. Why not just extend your trust border and then limit access -- like your NAT router does for you.

anderground    0

Sorry.. I had some work to do..

Well, instead of running the wizard I added an exception for the DNS port and it is OK now.

As for configuring firewalls on client machines, I didn't have to do that.

When it's been installed, Comodo Firewall (which is on all clients) detects a (new) local network and offers a few options.

I don't remember exactly what the other ones are, but I always choose "fully accessible local area network" or something like that. You have to do it only once, and don't have to bother with IPs.

So I consider my LAN a trusted network, but want to protect every particular client from trojans.

I have some experience with trojan infections (as I mentioned) and found local firewalls pretty useful for that purpose.

And, yes, I've realized that the 2k3 inbound firewall and the router's inbound firewall are actually redundant. :)

You're right, the border would be the router.

sc302    1,733

:no:

anderground    0

:no:

I suppose it's because of trojans :rolleyes:

edit:

In a p2p network this setup works OK, but maybe there would be problems in a server network..

sc302    1,733

In 2004-2005 I would deal with trojaned/spywared/virused up PCs 3-6 times a day. That's right, 3-6 PCs a day full of the crap. I have over 1000 invoices for that time period. I stopped dealing with home users at that point. Even though the software firewall stopped them from connecting to the sites that they wanted, they were still infected, slowing the PCs down, so much so that some would take 45 min to boot. I would clean all but a handful out, mainly because I was getting tired of the tedious crap, same stuff day in and day out. I do it now as a hobby and don't charge because I don't need the money and I want to help people out. I get about 1 a week now. You may have dealt with 1 or two in your past, but I can pretty much guarantee that your software firewall is useless.

Believe what you want.

+BudMan    3,536

So instead of letting the wizard actually open all the ports needed by a Windows server to function correctly on a Windows network, file sharing, Active Directory, etc., you're just going to open up 53..

I would suggest you read

http://support.microsoft.com/kb/832017

Service overview and network port requirements for the Windows Server system

So you have 2k3; why in the world would you not move to an AD setup vs a workgroup p2p setup???

anderground    0

Hi

I really appreciate all your suggestions.

I have lots of obligations and issues lately, so I'm not responding really quickly.

Got some 2k3 video tutorial and expect your support when I get stuck somewhere. :)

As for the question why I'm still running a p2p network (actually 3 of them)..

This 2k3 box I installed only at my house for testing. I don't need a server in the firm yet, because the network (1 of them) has 10 LAN connections. As I said, my first goal is to be able to set up a network with more than 10 connections.

BudMan, thanks for the link, I wasn't aware that so many ports have to be open :o, so it seems I have to run the wizard after all.

anderground    0

I'm reading some texts about subnetting, and I think that 2 sites contradict each other regarding the number of available subnets:

Both used a class C IP address as an example (the first one used the 192.168.90.36 address with subnet mask 255.255.255.224 and the second one used the 204.17.5.0 network, also with the 255.255.255.224 subnet mask),

but they came to a different number of available subnets (??)

The first one said it is 6, with the following explanation:

"The result of 2^N (or 2 'raised to the power of' N) is 8, but why do we subtract 2? Because the hosts part can not be all ones or all zeros, so these two possibilities are subtracted from the outcome. This leaves us with the number 6, which is the total of the available number of subnets."

The host part indeed cannot be all ones or all zeros, but I don't understand why they subtract it from the SUBNET PART?

However, on the second one, the number of subnets stays 8, which is IMHO correct.

They also listed out all 8 possible subnets.

1) http://www.subnetonline.com/pages/tutorials/step-4-subnetting-backwards.php

2) http://www.amteva.org/en/US/tech/tk365/technologies_tech_note09186a00800a67f5.shtml#ustand_subnet

Can you clear up this situation?

Thanks

p858snake    1

Some sites don't class the first true subnet (0) because some of the older OSes/routers couldn't accept it, but then the difference should have only been one...

+BudMan    3,536

Not sure how this is still around, not to use subnet 0 or 1.. The subnetting RFC clearly states it's fine.

http://www.faqs.org/rfcs/rfc1878.html

"For the sake of completeness within this memo, tables 2-1 and 2-2 illistrate some options for subnet/host partions within selected block sizes using calculations which exclude all-zeros and all-ones subnets [2]. Many vendors only support subnetting based upon this premise. This practice is obsolete! Modern software will be able to utilize all definable networks."

This is dated 1995 -- 15 years ago!! So how is it that not being able to use 0 and 1 is still around?? It was a discouragement only, not that it couldn't be used - even back then. It was just that it was thought to be confusing to have a network and subnet with the same address..

anderground    0

I looked at the RFC link and have just one question.

*Subnet all zeroes and all ones excluded. (Obsolete)
- OK
*Host all zeroes and all ones excluded. (Obsolete)
- ??

Can hosts have all ones or zeros?

If so, where have the following addresses in 3-bit subnets gone (on the RFC and amteva sites):

x.x.x.32, 63, 95, etc. (these are the cases when the host has all ones).

Thanks

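A worked calculation for the two subnetting questions above (6 vs 8 subnets for a 255.255.255.224 mask, and where .32, .63 and .95 go), added here as an illustration rather than taken from either tutorial. It uses the standard-library ipaddress module and the thread's own example addresses; the convention names "rfc1878" and "legacy_minus_2" are labels chosen for this example.

```python
import ipaddress


def subnet_count(borrowed_bits: int) -> dict:
    """Subnets from N borrowed bits under both conventions mentioned in the thread."""
    all_subnets = 2 ** borrowed_bits
    return {
        "rfc1878": all_subnets,             # modern rule: every subnet is usable
        "legacy_minus_2": all_subnets - 2,  # old rule: drop all-zeros and all-ones subnets
    }


def enumerate_subnets(block: str, new_prefix: int):
    """Split `block` (e.g. 204.17.5.0/24) with a longer mask and list, per subnet,
    the network address, broadcast address and usable host range."""
    rows = []
    for sub in ipaddress.ip_network(block, strict=False).subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())   # excludes network and broadcast for /30 and shorter
        rows.append({
            "subnet": str(sub),
            "network": str(sub.network_address),      # host bits all zero
            "broadcast": str(sub.broadcast_address),  # host bits all one
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "usable_hosts": len(hosts),
        })
    return rows


def classify(address: str, mask: str):
    """Return (containing subnet, role) for an address under a dotted-decimal mask.
    Answers the follow-up question: .32 is a subnet's network address and .63/.95
    are broadcast addresses, so they are reserved rather than missing."""
    iface = ipaddress.ip_interface(f"{address}/{mask}")
    net = iface.network
    if iface.ip == net.network_address:
        role = "network address (host bits all zero)"
    elif iface.ip == net.broadcast_address:
        role = "broadcast address (host bits all one)"
    else:
        role = "host"
    return str(net), role


if __name__ == "__main__":
    print(subnet_count(3))                       # 255.255.255.224 borrows 3 bits from a /24
    for row in enumerate_subnets("204.17.5.0/24", 27):
        print(row)
    for addr in ("192.168.90.36", "192.168.90.32", "192.168.90.63", "192.168.90.95"):
        print(addr, classify(addr, "255.255.255.224"))
```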
anderground    0

hi

I tried remote computer management via the AD Users & Computers snap-in -> Computers -> Manage.

I succeeded in opening all parts of Computer Management except Disk Management (on the client machine).

When I try to open it (even though I turned OFF both firewalls) I get "The RPC server is unavailable".

:blink:

+BudMan    3,536

And what account are you authing with?

This question has come up a few times -- if your firewalls are off or correctly configured on both machines, and no antivirus is blocking it - it comes down to permission issues.

anderground    0

"And what account are you authing with?"

I have just 1 account on 2k3 - administrator.

I also did what's suggested here:

http://www.tomshardware.com/forum/138472-45-enabling-disk-managment-remote-administration

but to no avail. :shiftyninja:

I'd have a question about the netdom command line utility.

I've tried netdom add /d:domainname computername

in order to remotely join the XP machine (which was in a workgroup) to the domain.

However, AD included that machine in the Users and Computers snap-in, but nothing happened on the client side.. this computer remained a member of the workgroup. :no:

+BudMan    3,536

OK -- let's get some details here on what you're connecting from..

Cuz I just fired up my 2k3r2 test domain box.. My Win 7 box is not even a member of the domain - but there is a domain admin account that matches the username and password I'm logged into on the Win 7 box.

Click click -- I'm looking at the remote disk manager of the 2k3r2 DC box.


Now, not running a firewall on that 2k3r2 box, nor on my Win 7 machine -- are you having the issue only from XP? What account are you using?

anderground    0

w2k3 (admin) -----> win xpp domain member (admin)

no firewalls

