Windows Server 2022 & PowerShell All-in-One For Dummies. Sara Perrott


      As I mention earlier, a role is something that we want the server to do. By installing roles, you make servers useful. Maybe you’re building out an Active Directory infrastructure, or maybe you’re creating a robust virtualization platform. Regardless of what you’re trying to accomplish, you’ll most likely start by installing a role.

      Let’s take a look at the roles that are part of Windows Server 2022.

      Active Directory Certificate Services

      Active Directory Certificate Services (AD CS) is a role that allows you to create a public key infrastructure (PKI) in your organization that will allow you to issue your own internal certificates. This may include certificates for your domain controllers so they can support Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL), or certificates for internal web servers, or even code-signing certificates for scripts that will run on your organization’s systems. You can install certificate authorities (CAs) and provide additional services like Online Certificate Status Protocol (OCSP), which provides lookups for certificate revocation information, and Network Device Enrollment Service (NDES), which allows network devices to enroll for certificates without domain credentials.

      Active Directory Domain Services

      Active Directory Domain Services (AD DS) gives you the ability to store information about users and other network objects in a directory service. You can organize these objects in a hierarchical structure with forests, domains, and organizational units (OUs).

      Active Directory contains a global catalog, which contains information about every single object in the directory, and is required for successful logon to the domain. With Active Directory, it’s simple to search for and locate specific objects if you know a little information about them.

      If you’re interested in AD DS, you can learn more about installing and configuring AD DS in Book 2, Chapter 5.

      Active Directory Federation Services

      Active Directory Federation Services (AD FS) can provide single sign-on capabilities to organizations that are utilizing AD DS. It allows those with an Active Directory account to use that account on applications that are outside the boundaries of their Active Directory (for example, a web application hosted by a business partner), or applications that don’t rely on Active Directory accounts for authentication at all. By creating a federation (the sharing of identity information), the user can be authenticated via his company’s Active Directory and can then be authenticated to the business partner’s web application with a claim. The business partner simply has to configure their web application to trust the incoming claims.

      Active Directory Lightweight Directory Services

      Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP)–based directory service similar to AD DS. It’s designed to be used with directory-enabled applications, and it’s especially handy for an organization that may want to establish a directory of customer accounts, but keep that directory separate from the organization’s AD DS infrastructure.

      It can be used as an identity provider with AD FS for both authentication and the generation of claims to web applications that are configured to understand federation.

      Active Directory Rights Management Services

      Active Directory Rights Management Services (AD RMS) allows businesses to create and enforce policies to protect their data. The rules are created on the AD RMS server but continue to protect documents even if they leave the premises. For example, you can set the policy to allow documents to only be accessible for a brief amount of time, after which the recipient can no longer open them. You can take away the ability to print the document or copy text out of it with copy/paste.

      AD RMS is not perfect. It won’t prevent someone from taking a screenshot of the data in a sensitive document (there aren’t many rights management products that can prevent this activity). Plus, the applications on the client side must support RMS. The functionality exists in the Microsoft Office suite of applications, SharePoint, and Exchange Server. You can also make Internet Explorer compatible with an add-on.

      Device Health Attestation

      The Device Health Attestation role was added in Windows Server 2016. It gives administrators a way to verify that a device is healthy as it boots. It can measure several different settings and is configured with whichever settings the system administrator or network administrator wants to track. This role is often used for systems to validate that they’re safe before they’re allowed to connect through remote access services like DirectAccess or other virtual private network (VPN) services.

      The settings Device Health Attestation can validate include the following:

       Is BitLocker enabled?

       Is Early Launch Anti-Malware (ELAM) enabled?

       Is Secure Boot enabled?

       Is Code Integrity enabled?

      Dynamic Host Configuration Protocol

      If you’re interested in finding out more about DHCP, check out Book 2, Chapter 5, where I cover installing DNS and DHCP. Be sure to also check out Book 2, Chapter 6.

      Domain Name System

      Domain Name System (DNS) is a very useful service that helps map hostnames to IP addresses. It’s because of DNS that you can type www.dummies.com in your web browser, which is really easy to remember, instead of having to remember an IP address like 13.32.254.23. Let’s face it, the human brain remembers words and phrases better than numbers.

      DNS can resolve hostnames to IP addresses and also can do reverse
