How to Configure a Windows 2008 Child Domain in a Windows 2003 Domain Environment

For this article I need to thank Wendy Tapia, since she wrote most of it. It covers a problem that you may well face: the steps needed to configure a Windows 2008 child domain in a Windows 2003 domain environment. The main problem, of course, is the schema, which needs to be updated, plus other minor things that I hope you will find useful.

I am assuming that you have already configured a Windows 2003 domain and just want to add a Windows 2008 child domain, so it is necessary to follow the next steps.

1. Raise functional level

These are the steps needed to raise the functional level on your Windows 2003 domain machine.

1. On the Windows 2003 domain machine, go to Start and select “Administrative Tools” > “Active Directory Domains and Trusts”.

2. When the “Active Directory Domains and Trusts” window appears, right-click the domain where the child domain will be added and select “Raise domain functional level”.

3. Select the “Windows Server 2003” domain functional level and click the “Raise” button.

4. Click the “OK” button in the warning message box.

5. Click the “OK” button in the information message box.

2. Run Adprep /forestprep to prepare the schema

These are the steps needed to prepare the schema, from schema31.ldf to schema47.ldf, on your Windows 2003 domain machine.

1. Load the “Windows 2008” installation CD.

2. Open the CD and open the “Support” folder on it.

3. Copy the “adprep” folder from the “Support” folder to C:\.

4. Go to Start and run cmd.

5. When the cmd window opens, enter the command “cd C:\adprep”.

6. Once the directory has changed, enter the command “adprep32 /forestprep”.

7. Type “C” and press Enter after the ADPREP WARNING message appears.

8. Wait until the message “Adprep successfully updated” appears.

9. Enter the command “adprep32 /domainprep /gpprep”.

10. Wait until the message “Group policy object (GPO) has been updated” appears.
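Before moving on to DCPROMO it is worth confirming that the schema update has reached every domain controller, not only the one where adprep ran. The script below is an added example, not part of the original article: it reads the objectVersion attribute of the schema partition on each DC in the forest. It assumes PowerShell 2.0 or later on a domain-joined machine, and that 47 (the schema47.ldf figure above) is the version to expect.

```powershell
# Added example: report the schema version held by every domain controller.
# Assumption: 47 is the objectVersion that corresponds to schema47.ldf above.
$ExpectedVersion = 47

function Get-SchemaVersionReport {
    param([int]$Expected)

    # schemaNamingContext is the DN of the schema partition, for instance
    # CN=Schema,CN=Configuration,DC=example,DC=local (constructed name).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = "$($rootDse.schemaNamingContext)"
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $version = $null
            $detail  = ''
            try {
                # Bind to this specific DC so each replica is checked on its own.
                $entry   = [ADSI]"LDAP://$($dc.Name)/$schemaNC"
                $version = [int]$entry.objectVersion.Value
            } catch {
                $detail = $_.Exception.Message   # unreachable DC, access denied, ...
            }
            New-Object PSObject -Property @{
                DomainController = $dc.Name
                Domain           = $domain.Name
                ObjectVersion    = $version
                UpToDate         = ($version -eq $Expected)
                Detail           = $detail
            }
        }
    }
}

$report = @(Get-SchemaVersionReport -Expected $ExpectedVersion)
$report | Select-Object DomainController, Domain, ObjectVersion, UpToDate, Detail |
    Format-Table -AutoSize

# A DC that is unreachable or still on the old version shows UpToDate = False.
$stale = @($report | Where-Object { -not $_.UpToDate })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) domain controller(s) do not report schema version $ExpectedVersion yet."
}
```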

3. Run DCPROMO

Once all the previous steps have been completed, the Windows 2008 machine is ready to be configured as a child domain. To configure the machine, follow the next steps.

1. Go to Start and run “dcpromo” (if this is the first time you run dcpromo on the Windows 2008 machine, wait until Active Directory has been installed).

2. Check the “Use advanced mode installation” option in the welcome window of the configuration wizard and click Next in the following window.

3. Select the options “Existing forest” and “Create a new domain in an existing forest”, then click the “Next” button.

4. Fill in the name of the domain where the child domain will be added and set the correct credentials, then click the “Next” button.

5. Fill in the FQDN of the parent domain and the child domain name, then click the Next button.

6. Wait until the examination of Active Directory is validated (at this point no error message appears).

7. Click Next in the window where the NetBIOS name for the child domain has been generated.

8. Change the domain functional level to “Windows 2003” and click Next.

9. Select the “Default Site name” and click Next.

10. Uncheck the DNS option and click Next.

11. Click “Yes” in the warning message box.

12. Click Next in the “Source domain controller” window.

13. Click Next in the “location log files, active directory” window.

14. Set the credential for the Restore mode and click Next.

15. Review the selection and click Next in the summary window.

16. Wait until all the components have been installed.

17. Click Finish in the completing installation window.

18. The child domain has been created successfully. Restart the machine and you are done!

Posted on 12/17/2009 3:57:00 PM by Miklos

Categories: Windows 2008 | Windows 2003 | Child Domain

How to configure IPSec on Windows 2008 - Example and detailed steps

Some people have asked me how to use IPSec with Windows 2008. IPSec has changed a little compared to Windows 2003 and XP, since we now manage it from another console (plus the Windows Advanced Firewall). To begin, let’s say that you have Machine "A" and want to use IPSec for the communication on port 3389. We will use the ‘non recommended procedure’, but the good thing is that you can configure this very quickly and test it in your non-production environment. So let’s begin:

Task 1: Create an IPsec Negotiation policy on Computer "A"

1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.

2. Right-click the IP Security Policies on Local Computer node, and then click Create IP Security Policy.

3. On the Welcome screen of the IP Security Policy Wizard, click Next.

4. In the Name box, type Secure3389. In the Description field, type Policy to encrypt SMB, and then click Next.

5. If your environment will NOT include machines earlier than Windows Vista, ensure that Activate the default response rule is not selected, click Next, and go to step 7.

6. In the Default Response Rule Authentication Method, choose the option Use this string to protect the key exchange (preshared key): and type $ecrET

7. In the Completing the IP Security Policy Wizard dialog box, ensure that Edit properties is selected, and then click Finish.

8. In the Secure3389 Properties dialog box, click Add.

9. In the Welcome to the Create IP Security Rule Wizard, click Next.

10. In the Tunnel EndPoint dialog box, click This rule does not specify a tunnel. Click Next.

11. In the Network Type dialog box, click All network connections, and then click Next.

12. In the IP Filter List dialog box, click Add.

13. A new dialog box called IP Filter List appears. Type Secure3389TCP, and then click Add.

14. On the Welcome screen of the IP Filter Wizard, click Next.

15. In the Description text box, type 3389 IPsec Filter. Click Next.

16. In the IP Traffic Source dialog box, click Any IP Address, and then click Next.

17. In the IP Traffic Destination dialog box, click Any IP Address, and then click Next.

18. In the IP Protocol Type dialog box, click TCP in the drop-down list, and then click Next.

19. In the Protocol Port dialog box, select From this port, type 3389 in the text box, select To Any port, and then click Next.

20. On the Completing the IP Filter Wizard screen, click Finish, and then click OK.

21. In the IP Filter list, select Secure3389TCP, and then click Next.

22. In the Filter Action dialog box, click Add.

23. In the Filter Action Wizard dialog box, click Next.

24. In the Filter Action Name dialog box, type Secure3389Filter, and then click Next.

25. In the Filter Action General Options dialog box, select Negotiate Security, and then click Next.

26. In the Communicating with computers that do not support IPsec dialog box, select Do not allow unsecured communications, and then click Next.

27. In the IP Traffic Security dialog box, select Integrity and encryption, and then click Next.

28. On the Completing the IP Security Filter Action Wizard screen, click Finish.

29. In the Filter Action dialog box, select Secure3389Filter, and then click Next.

30. In the Authentication Method dialog box, select Use this string to protect the key exchange (preshared key), type $ecrET and then click Next.

31. On the Completing the Security Rule Wizard screen, click Finish.

32. In the Secure3389 Properties dialog box, click OK.

Task 2: Assign the Policy

The policy you have created is not active until you assign it. To do so:

1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.

2. Go to the IP Security Policies on Local Computer node and, in the right pane, right-click the Secure3389 policy and select Assign.

You are done! You have configured IPSec on port 3389. Now let’s see how you need to configure the clients so that the machines can communicate with each other.

Windows Vista or Machine "B"

On the Windows Vista client, the process is similar to the one presented above, so you can execute steps 1 through 32 and then you will be able to connect, or you can export the policy from Windows 2008 and import it on Windows Vista with this procedure:

1. In the Local Security Policy Microsoft Management Console (MMC) console, right-click IP Security Policies on Local Computer, click All Tasks, and then click Export Policies.

2. In the Save As dialog box, type C:\IPSecPolicy\IPsecurityPolicy3389.ipsec, and then click Save (and then save that IPsec policy file on a USB key).

Import the security policy to the Windows Vista machine (Machine "B"):

1. On the Windows Vista machine, open the local security policy. To do this, click Start, click the Start Search dialog, and then type: gpedit.msc.

2. Navigate to Computer Configuration > Windows Settings > IP Security Policies on Local Computer.

3. Right-click IP Security Policies on Local Computer, click All Tasks, and then click Import Policies.

4. It is good to read the IP Security Import warning; after that, click Yes.

5. In the Open dialog box, navigate to the USB key (where you should have the file), and then double-click IPsecurityPolicy3389.ipsec.

We are finished! Of course, if you have access (in a LAN) to the file, you can share it in a directory and copy it more easily.

Now you can try, and have the 3389 communication protected under IPSec!

Another thing is enforcement. For that you need to use the Advanced Windows Firewall and configure a Security Association with this procedure:

Configure a Security Association rule in the Windows Firewall with Advanced Security MMC

1. On Computer "A", click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.

2. Select and then right-click Connection Security Rules, and then click New Rule.

3. In the New Connection Security Rule Wizard, select Server-to-server, and then click Next.

4. In the Endpoints dialog box, select Any IP Address for both options, and then click Next.

5. In the Requirements dialog box, select Require authentication for inbound and outbound connections, and then click Next.

6. In the Authentication Method dialog box, select PreShared key, type $ecrET in the text box, and then click Next.

7. On the Profile page, verify that the Domain, Private, and Public options are selected, and then click Next.

8. In the Name box, type SecureServerAuthenticationRule, and then click Finish.

9. Perform steps 1 through 8 on Computer "B".
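The wizard steps above (creating and assigning the Secure3389 policy, then the connection security rule) can also be scripted with netsh, which makes the configuration repeatable on both machines. This is an added example, not part of the original post. The rule name Secure3389Rule and the ESP[3DES,SHA1] offer standing in for "Integrity and encryption" are assumptions; every other name and value is taken from the steps above.

```powershell
# Added example: netsh equivalent of the GUI procedure. Run from an elevated prompt.

# Single quotes matter here: inside double quotes PowerShell would treat $ecrET
# as a variable, expand it to nothing, and set a different key from the one typed
# into the wizard on the other machine, so negotiation would fail.
$Psk = '$ecrET'

function Invoke-Netsh {
    param([string[]]$Arguments)
    & netsh.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Report only the command context so the preshared key never reaches a log.
        throw "netsh $($Arguments[0..3] -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# Task 1, steps 1-7: the policy, created unassigned, no default response rule.
Invoke-Netsh 'ipsec','static','add','policy','name=Secure3389',
             'description=Policy to encrypt SMB','activatedefaultrule=no','assign=no'

# Steps 12-21: filter list with one mirrored filter, TCP from port 3389 to any port.
Invoke-Netsh 'ipsec','static','add','filterlist','name=Secure3389TCP'
Invoke-Netsh 'ipsec','static','add','filter','filterlist=Secure3389TCP',
             'srcaddr=any','dstaddr=any','protocol=TCP','srcport=3389','dstport=0',
             'mirrored=yes','description=3389 IPsec Filter'

# Steps 22-29: negotiate security, no fallback to clear text (soft=no, inpass=no).
# Assumption: ESP[3DES,SHA1] represents the "Integrity and encryption" choice.
Invoke-Netsh 'ipsec','static','add','filteraction','name=Secure3389Filter',
             'action=negotiate','inpass=no','soft=no','qmsecmethods=ESP[3DES,SHA1]'

# Steps 8-11 and 30-31: the rule tying filter list, action and preshared key together.
# Secure3389Rule is a hypothetical name; the wizard does not ask for one.
Invoke-Netsh 'ipsec','static','add','rule','name=Secure3389Rule','policy=Secure3389',
             'filterlist=Secure3389TCP','filteraction=Secure3389Filter',
             'conntype=all','kerberos=no',"psk=$Psk"

# Task 2: assign (activate) the policy.
Invoke-Netsh 'ipsec','static','set','policy','name=Secure3389','assign=yes'

# Connection security rule, steps 1-8 of the Windows Firewall procedure.
Invoke-Netsh 'advfirewall','consec','add','rule','name=SecureServerAuthenticationRule',
             'endpoint1=any','endpoint2=any','action=requireinrequireout',
             'profile=domain,private,public','auth1=computerpsk',"auth1psk=$Psk"

# Show what was created so it can be compared with the GUI view.
& netsh.exe ipsec static show policy name=Secure3389 level=verbose
& netsh.exe advfirewall consec show rule name=SecureServerAuthenticationRule
```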

And now you are completely done… enjoy your IPsec connection between them.

Posted on 6/22/2009 4:43:00 PM by Miklos

Categories: Windows 2008 | Windows 2008R2

Bing.com is on 'air'!!!...

Starting today (Monday, June 1st), www.bing.com, the improvement of Live Search, is on the air! And yeah, it is very, very cool. It is not as simple as Google, but the results and the way to perform searches are really very interesting and useful, so go there and try it! Anyway, remember that this is still in Beta, but I am sure that you will be impressed.

Posted on 6/1/2009 7:01:00 PM by Miklos

Categories: Windows 2008

How to create and Configure a Certificate Services on Windows 2008

Another question that I got is what steps are required to install and configure the ADCS role on Windows 2008. In fact the steps are very straightforward, and I will explain them in detail here. Remember that this is done just for test purposes, and I don't intend for you to run the same steps in a production environment without further analysis, of course. So let's begin:

1.    On the machine that you want to install the ADCS Role, click Start, point to Administrative Tools, and then click Server Manager.

2.    In Server Manager, right-click Roles, and then click Add Roles from the context menu.

3.    In the Add Roles Wizard window, click Next.

4.    On the Server Roles option, select Active Directory Certificate Services, and then click Next.

5.    On the Introduction to Active Directory Certificate Services page, click Next.

6.    On the Select Role Services page, click Next.

7.    On the Specify Setup Type page, click Next (we will be creating the Enterprise type).

8.    On the Specify CA Type page, click Next.

9.    On the Set Up Private Key page, click Next.

10. On the Configure Cryptography for CA page, click Next.

11. On the Configure CA Name page, you can specify your own CA name for example: Enterprise-CA, and then click Next.

12. On the Set Validity Period page, choose the default and click Next.

13. On the Configure Certificate Database page, click Next.

14. On the Confirm Installation Selections page, click Install (remember that after this step you can't change the name of this server), now just wait a couple of minutes until the configuration is done.

15. On the Installation Results page, click Close.

16. Close Server Manager.

At this point you are done; you have finished configuring ADCS!

Posted on 5/13/2009 6:12:00 PM by Miklos

Categories: Windows 2008

Windows 2008 and Windows Vista Service Pack 2 RELEASED!! (RTM)!

Yes, Service Pack 2 for Windows Server 2008 and Windows Vista has finally been released. As usual it includes all the fixes that are post SP1, and in addition SP2 supports new types of hardware and several emerging standards. However, right now it is available only to TechNet or MSDN subscribers; for the public it will be available in the upcoming weeks. For more information check the Springboard blog.

Posted on 4/29/2009 3:45:00 PM by Miklos

Categories: Vista | Windows 2008

Windows 2008 SP2 and Vista SP2 Release Candidate!

Yeah, now we have Windows 2008 SP2 and Vista SP2 in RC version. If you are an MSDN or TechNet Plus subscriber, you will be able to download it! In any case, check all the changes at: http://windowsteamblog.com/blogs/windowsvista/pages/notable-changes-in-sp2-rc-for-windows-vista-and-windows-server-2008.aspx

To install it, just be sure that you have SP1 installed first (remember that for Windows 2008 it is already 'included').

And these are the notable changes in the RC:

  • Application compatibility improvements: they improve the compatibility of applications even further, meaning that we should have fewer problems!
  • Hardware ecosystem support and enhancements: if you follow the Windows 7 improvements, then one feature will be familiar, since SP2 improves performance for Wi-Fi connections after resuming from sleep mode. It also includes updates to the RSS feeds sidebar for improved performance and responsiveness (finally!). There are other improvements: support for recording data to Blu-Ray media, support for the 64-bit CPU from VIA, Bluetooth 2.1 and WCN (Windows Connect Now).
  • Operating system experience updates: includes Windows Search 4.0, improves Windows Media Center and makes a tweak to the registry for application compatibility.
  • Enterprise improvements: SP2 provides the Hyper-V virtualization environment. That doesn't mean that you can run virtual machines there, but that you can manage the whole Hyper-V environment, which is very different! It also improves power management (now you can manage it via GPOs!), increases the authentication options for the WebDAV redirector and improves backwards compatibility for Terminal Server license keys.
  • Setup and deployment improvements: it is a single installer for Vista or Windows 2008! It includes better error handling (yeah!), among others, but the cool thing is that it includes a tool called Service Pack Clean-up (Compcln.exe), which helps recover hard disk space by permanently deleting previous file versions (RTM and SP1) that are being serviced by SP2.

Finally, remember that the RTM is right now planned for the second quarter of 2009, so plan accordingly!

Posted on 2/26/2009 4:31:00 PM by Miklos

Categories: Vista | Windows 2008