Give a detailed description of the server policy. Give a detailed description of the server's policy regarding

Hello. Can't register your own account?
write to PM - vk.com/watsonshit
- We register accounts to order.
- We help with stages 1 and 2 of UCP.
- Fast and quality service.
- Guarantees, reviews. We are responsible for safety.
- Absolutely different servers with UCP registration.
Pacific Coast Project - SW Project etc.

Didn't find the answer to your question? Write in the comments and I'll give you the answer.

) What is OOC chat for?
- 1) This is a chat that does not affect the gameplay.

2) What is meant by the term role play?
- 2) A role-playing game is a type of game in which you need to play out the role I have chosen.

3) If any situation is not in your favor (murder / robbery). Your actions?
- 2) I will continue to play no matter what.

2) You received money from a cheater, what will you do?
- 4) I'll inform the server administration, unsubscribe in a special topic and add money to /charity.

3) Do you have the right to kill a police officer?
- 1) Of course, I can only kill a police officer if I have a good reason.

1) Is it allowed to pass by from the driver's seat?
- 4) No, such actions are prohibited by the rules of the server.

4) Are nicknames of celebrities and movie/series/cartoon characters allowed?
- 3) No, they are prohibited.

5) During the gunfight technically three characters were killed, but after a while these same characters were already playing their roles again. What type of murder is this?
- 2) Player Kill.

7) They shoot at you, but you don't want to die, and that's why...
- 4) You will try to escape and survive by role-playing.

2) Do you have the right to use Bunny-Hop?
- 3) Yes, I have the right to use it if I do not interfere with anyone.

7) What will you do if you have a proposal to develop the server?
- 3) I will write about it in the appropriate section on the forum.

3) Is it mandatory to unsubscribe actions when using small-sized weapons?
- 4) No.

2) You are on the server for the first time and do not know the commands at all, what will you do?
- 3) I'll ask the administration a question with the /askq command, then I'll wait for an answer.

3) What is the purpose of the /coin command?
- to resolve all disputable situations

1) What is Metagaming?
- 2) This is the use of non-role information when acting out a role.

6) The player, whose character was technically killed during a shootout, decided to take revenge on the offenders and killed one of the opponents for no role reasons. What violations are here on the part of the player?
- 3) Revenge kill.

10) Is it allowed to replenish the amount of health during a fight / skirmish?
- 4) No.

8) Is it allowed to fire on LSPD employees and what is it fraught with?
- 4) Yes, an ordinary firefight ends with PC for both sides. If this is a case file or a raid, the police are given PK, and the criminals are given SK.

6) What is the maximum amount for a robbery that does not require administration checks?
- 1) $500

9) What languages can be used on our server?
- 1) Russian.

7) After a long and careful preparation, the killer fulfilled the order - he killed. The plan was calculated to the smallest detail, as a result of this, the customer generously paid. What is the sacrifice in this case?
- 1) Character Kill.

9) Is theft of government vehicles allowed?
- 2) Yes, but you must first ask the administrator, as well as act in accordance with paragraph 9 of the game rules.

8) When can you act out sexual violence and cruelty?
- 2) Sexual violence and cruelty can only be played with the consent of all persons involved in the RP.

10) What should you do if you think that the game is not going according to the rules?
- 1) Write to /report, if the administrator is absent - write a complaint on the forum.

7) How many played hours should a player have in order to be robbed?
- 3) 8 hours.

8) Specify the correct use of the /coin command. After:
- me stopped breathing, and struck the ball, trying to throw it into the hole.

8) Specify correct use/me commands:
- /me smiled broadly, looking directly into Linda's eyes. He moved closer, then gently hugged her.

SALE OF VIRTUAL CURRENCY ON PACIFIC COAST PROJECT AND GRINCH ROLE PLAY SERVERS.
ALL INFO IN THE GROUP!
vk.com/virtongarant

GPResult Utility.exe– is a console application designed to analyze settings and diagnose group policies that are applied to a computer and/or user in an Active Directory domain. In particular, GPResult allows you to get data from the resulting set of policies (Resultant Set of Policy, RSOP), a list of applied domain policies (GPOs), their settings, and detailed information about their processing errors. The utility has been part of the Windows operating system since the days of Windows XP. The GPResult utility allows you to answer questions such as whether a particular policy applies to a computer, which GPO changed a particular Windows setting, and to figure out the reasons.

In this article, we will look at the specifics of using the GPResult command to diagnose and debug the application of group policies in an Active Directory domain.

Initially, to diagnose the application of group policies in Windows, the RSOP.msc graphical console was used, which made it possible to obtain the settings of the resulting policies (domain + local) applied to the computer and user in a graphical form similar to the GPO editor console (below, in the example of the RSOP.msc console view, you can see that the update settings are set).

However, the RSOP.msc console in modern versions of Windows is not practical to use, because it does not reflect the settings applied by various client side extensions (CSE), such as GPP (Group Policy Preferences), does not allow search, provides little diagnostic information. Therefore, on this moment it is the GPResult command that is the main tool for diagnosing the use of GPOs in Windows (in Windows 10 there is even a warning that RSOP does not give a complete report, unlike GPResult).

Using the GPResult.exe utility

GPResult command runs on the computer on which you want to test the application of group policies. The GPResult command has the following syntax:

GPRESULT ]] [(/X | /H)<имя_файла> ]

To get detailed information about the group policies that apply to a given AD object (user and computer) and other settings related to the GPO infrastructure (i.e. the resulting GPO policy settings - RsoP), run the command:

The results of the command execution are divided into 2 sections:

COMPUTER SETTINGS (Computer configuration) – the section contains information about GPO objects that affect the computer (as an Active Directory object);
USER SETTINGS – user section of policies (policies that apply to a user account in AD).

Let's briefly go over the main parameters/sections that may be of interest to us in the GPResult output:

siteName(Site name:) - the name of the AD site in which the computer is located;
CN– full canonical user/computer for which the RSoP data was generated;
LasttimegroupPolicywasapplied(Last applied group policy) - the time when group policies were last applied;
groupPolicywasappliedfrom(Group Policy was applied from) - the domain controller from which the latest version of the GPO was loaded;
DomainNameand Domaintype(Domain name, domain type) – Active Directory domain schema name and version;
AppliedgroupPolicyObjects(Applied GPOs)– lists of active group policy objects;
ThefollowingGPOswerenotappliedbecausetheywerefilteredout(The following GPO policies were not applied because they were filtered) - not applied (filtered) GPOs;
Theuser/computerisapartofthefollowingsecuritygroups(The user/computer is a member of the following security groups) – Domain groups the user is a member of.

In our example, you can see that the user object is affected by 4 group policies.

Default Domain Policy;
Enable Windows Firewall;
DNS Suffix Search List

If you do not want the console to display information about both user policies and computer policies at the same time, you can use the /scope option to display only the section you are interested in. Only resulting user policies:

gpresult /r /scope:user

or only applied computer policies:

gpresult /r /scope:computer

Because The Gpresult utility outputs its data directly to the command line console, which is not always convenient for subsequent analysis; its output can be redirected to the clipboard:

gpresult /r |clip

or text file:

gpresult /r > c:\gpresult.txt

To display super-detailed RSOP information, add the /z switch.

HTML RSOP report using GPResult

In addition, the GPResult utility can generate an HTML report on the applied result policies (available in Windows 7 and later). This report will contain detailed information about all system settings that are set by group policies and the names of specific GPOs that set them (the resulting report on the structure resembles the Settings tab in the Domain Group Policy Management Console - GPMC). You can generate an HTML GPResult report using the command:

GPResult /h c:\gp-report\report.html /f

To generate a report and automatically open it in a browser, run the command:

GPResult /h GPResult.html & GPResult.html

The gpresult HTML report contains quite a few useful information: GPO application errors, processing time (in ms) and application of specific policies and CSE are visible (under Computer Details -> Component Status). For example, in the screenshot above, you can see that the policy with the settings 24 passwords remember is applied by the Default Domain Policy (Winning GPO column). As you can see, such an HTML report is much more convenient for analyzing applied policies than the rsop.msc console.

Getting GPResult data from a remote computer

GPResult can also collect data from a remote computer, eliminating the need for an administrator to log in locally or RDP to a remote computer. The command format for collecting RSOP data from a remote computer is as follows:

GPResult /s server-ts1 /r

Similarly, you can collect data from both user policies and computer policies remotely.

username has no RSOP data

When enabled UAC launch GPResult without elevated privileges only outputs the settings of the user group policy section. If you need to display both sections (USER SETTINGS and COMPUTER SETTINGS) at the same time, the command must be run. If the elevated command prompt is anything other than current user system, the utility will issue a warning INFO: Theuser“domain\user”doesnothaveRSOPdata ( The user 'domain\user' has no RSOP data). This is because GPResult is trying to collect information for the user who ran it, but because This user has not logged on to the system and no RSOP information is available for this user. To collect RSOP information for a user with an active session, you need to specify his account:

gpresult /r /user:tn\edward

If you do not know the name of an account that is logged in to remote computer, you can get an account like this:

qwinsta /SERVER:remotePC1

Also check the time(s) on the client. The time must match the time on the PDC (Primary Domain Controller).

The following GPO policies were not applied because they were filtered out

When troubleshooting group policies, you should also pay attention to the section: The following GPOs were not applied because they were filtered out (The following GPO policies were not applied because they were filtered out). This section displays a list of GPOs that, for one reason or another, do not apply to this object. Possible options for which the policy may not apply:

You can also understand whether the policy should be applied to a specific AD object on the Effective Permissions tab (Advanced -> Effective Access).

So, in this article, we reviewed the features of diagnosing the application of group policies using the GPResult utility and reviewed typical scenarios for its use.

Lecture 4 Network Policy Server: RADIUS Server, RADIUS Proxy, and Security Policy Server

Lecture 4

Topic: Network Policy Server: RADIUS Server, RADIUS Proxy, and Network Access Protection Policy Server

Introduction

Windows Server 2008 and Windows Server 2008 R2 are advanced Windows Server operating systems designed to power a new generation of networks, applications, and web services. With these operating systems, you can design, deliver, and manage flexible and pervasive user and application experiences, build highly secure network infrastructures, and increase technology efficiency and organization in your organization.

Network Policy Server

Network Policy Server allows you to create and enforce organization-wide network access policies to ensure client health and to authenticate and authorize connection requests. You can also use NPS as a RADIUS proxy to forward connection requests to NPS or other RADIUS servers configured in remote RADIUS server groups.

Network Policy Server allows you to centrally configure and manage client network access authentication, authorization, and health policies through the following three options:

RADIUS server. NPS centrally handles authentication, authorization, and accounting for wireless connections, authenticated switch connections, dial-up connections, and virtual private network (VPN) connections. When using NPS as a RADIUS server, network access servers such as wireless access points and VPN servers are configured as RADIUS clients on NPS. It also configures the network policies that NPS uses to authorize connection requests. In addition, you can configure RADIUS accounting so that NPS logs information to log files stored on a local hard drive or in a Microsoft database. SQL Server.

RADIUS proxy. If NPS is used as a RADIUS proxy, you must configure connection request policies that determine which connection requests NPS will forward to other RADIUS servers, and which specific RADIUS servers will forward those requests. NPS can also be configured to redirect credentials to be stored on one or more computers in a remote RADIUS server group.

Network Access Protection (NAP) policy server. When NPS is configured as a NAP policy server, NPS evaluates the health states sent by NAP-enabled client computers that attempt to connect to the network. A Network Policy Server configured with Network Access Protection acts as a RADIUS server, authenticating and authorizing connection requests. Network Policy Server allows you to configure Network Access Protection policies and settings, including System Health Checkers, Health Policy, and Update Server groups, which ensure that client computers are updated in accordance with the organization's network policy.

You can configure any combination of the features listed above on Network Policy Server. For example, NPS can act as a NAP policy server using one or more enforcement methods, while acting as a RADIUS server for dial-up connections and a RADIUS proxy to forward some connection requests to a group of remote RADIUS servers, which allows authentication and authorization in a different domain.

RADIUS server and RADIUS proxy

NPS can be used as a RADIUS server, a RADIUS proxy, or both.

RADIUS server

Microsoft NPS is implemented in accordance with the RADIUS standard described in IETF RFC 2865 and RFC 2866. As a RADIUS server, NPS centrally performs authentication, authorization, and connection accounting for various types of network access, including wireless access, switching with authentication, dial-up and VPN access, and connections between routers.

Network Policy Server allows you to use a heterogeneous set of equipment for wireless access, remote access, VPN networks, and switching. Network Policy Server can be used with the Routing and Remote Access service that is available on operating systems Microsoft Windows 2000 Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition.

If the NPS computer is a member of an Active Directory® domain, NPS uses that directory service as its user account database and is part of the single sign-on solution. The same set of credentials is used to control network access (authenticate and authorize network access) and to log on to an Active Directory domain.

ISPs and organizations that provide network access face the more complex challenges of managing all types of networks from a single point of administration, regardless of the network access equipment used. The RADIUS standard supports this functionality in both homogeneous and heterogeneous environments. The RADIUS protocol is a client/server protocol that allows network access equipment (acting as RADIUS clients) to send authentication and accounting requests to a RADIUS server.

The RADIUS server has access to user account information and can validate credentials when authenticating to grant network access. If the user's credentials are authentic and the connection attempt is authorized, the RADIUS server authorizes that user's access based on the specified conditions and logs the connection information. Using the RADIUS protocol allows authentication, authorization, and accounting information to be collected and maintained in a single location instead of having to be performed on each access server.

RADIUS proxy

As a RADIUS proxy, NPS forwards authentication and accounting messages to other RADIUS servers.

With NPS, organizations can outsource their remote access infrastructure to a service provider while maintaining control over user authentication, authorization, and accounting.

NPS configurations can be created for the following scenarios:

Wireless access

A dial-up or virtual private network connection in an organization.

Remote access or wireless access provided by an external organization

Internet access

Authenticated access to external network resources for business partners

RADIUS Server and RADIUS Proxy Configuration Examples

The following configuration examples demonstrate how to configure NPS as a RADIUS server and RADIUS proxy.

NPS as a RADIUS server. In this example, NPS is configured as a RADIUS server, the only policy configured is the default connection request policy, and all connection requests are handled by the local NPS. NPS can authenticate and authorize users whose accounts are in the server's domain or in trusted domains.

NPS as a RADIUS proxy. In this example, NPS is configured as a RADIUS proxy that forwards connection requests to groups of remote RADIUS servers in two different untrusted domains. The default connection request policy is removed and replaced with two new connection request policies that redirect requests to each of the two untrusted domains. In this example, NPS does not process connection requests on the local server.

NPS as both RADIUS server and RADIUS proxy. In addition to the default connection request policy, which handles requests locally, a new connection request policy is created to redirect them to NPS or another RADIUS server in an untrusted domain. The second policy is named Proxy. In this example, the Proxy policy appears first in the ordered list of policies. If the connection request matches the "Proxy" policy, given request on the connection is redirected to the RADIUS server in the remote RADIUS server group. If a connection request does not match the Proxy policy but does match the default connection request policy, NPS processes the connection request on the local server. If a connection request does not match any of these policies, it is rejected.

NPS as a RADIUS server with remote accounting servers. In this example, the local NPS is not configured for accounting, and the default connection request policy is changed so that RADIUS accounting messages are forwarded to NPS or another RADIUS server in the remote RADIUS server group. Although accounting messages are forwarded, authentication and authorization messages are not forwarded, and the appropriate functionality for the local domain and all trusted domains is handled by the local NPS.

NPS with remote RADIUS to Windows user mapping. In this example, NPS acts as both a RADIUS server and a RADIUS proxy for every single connection request, redirecting the authentication request to a remote RADIUS server while authorizing using a local Windows user account. This configuration is implemented by setting the Remote RADIUS Server Mapping to Windows user attribute as a condition of the connection request policy. (In addition, you must create a local user account on the RADIUS server with the same name as the remote account that the remote RADIUS server will authenticate against.)

Network Access Protection Policy Server

Network Access Protection is included in Windows Vista®, Windows® 7, Windows Server® 2008, and Windows Server® 2008 R2. It helps protect access to private networks by ensuring that client computers comply with health policies in force on the organization's network when allowing these clients to access network resources. In addition, compliance of a client computer with an administrator-defined health policy is monitored by Network Access Protection while the client computer is connected to the network. With the ability to auto-update Network Access Protection, non-compliant computers can be automatically updated according to the health policy so that they can later be granted access to the network.

System administrators define network health policies and create these policies using NAP components that are available from NPS or supplied by other companies (depending on NAP implementation).

Health policies can have characteristics such as software requirements, security update requirements, and configuration settings requirements. Network Access Protection enforces health policies by checking and evaluating the health of client computers, restricting network access to non-compliant computers, and correcting the inconsistency to provide unrestricted network access.

When you install Windows, most of the non-essential subsystems are not activated or installed. This is done for security reasons. Since the system is secure by default, system administrators can focus on designing a system that will perform only the functions assigned to it and nothing more. For help turning on desired functions, Windows prompts you to select a Server Role.

Roles

A server role is a set of programs that, when properly installed and configured, enable a computer to perform a specific function for multiple users or other computers on a network. In general, all roles have the following characteristics.

They define the main function, purpose or purpose of using a computer. You can designate a computer to play one role that is heavily used in the enterprise, or to play multiple roles where each role is used only occasionally.
Roles give users throughout the organization access to resources that are managed by other computers, such as websites, printers, or files stored on different computers.
They usually have their own databases that queue user or computer requests or record information about network users and computers associated with a role. For example, Active Directory Domain Services contains a database for storing the names and hierarchical relationships of all computers on a network.
Once properly installed and configured, roles function automatically. This allows the computers on which they are installed to perform assigned tasks with limited user interaction.

Role Services

Role Services are programs that provide functionality roles. When you install a role, you can choose which services it provides to other users and computers in the enterprise. Some roles, such as the DNS server, perform only one function, so there are no role services for them. Other roles, such as Remote Desktop Services, have several services that you can install based on your enterprise's remote access needs. A role can be thought of as a collection of closely related, complementary role services. In most cases, installing a role means installing one or more of its services.

Components

Components are programs that are not directly part of roles, but support or extend the functionality of one or more roles or the entire server, regardless of which roles are installed. For example, the Failover Cluster Tool extends other roles, such as File Services and DHCP Server, by allowing them to join server clusters, which provides increased redundancy and performance. The other component, the Telnet Client, allows remote communication with the Telnet server over a network connection. This feature enhances the communication options for the server.

When Windows Server is running in Server Core mode, the following server roles are supported:

Active Directory Certificate Services;
Active Directory Domain Services;
DHCP server
DNS server;
file services (including the file server resource manager);
Active Directory Lightweight Directory Services;
Hyper-V
printing and document services;
streaming media services;
web server (including a subset of ASP.NET);
Windows Server Update Server;
Active Directory rights management server;
Routing and Remote Access Server and the following subordinate roles:
- Remote Desktop Connection Broker;
- licensing;
- virtualization.

When Windows Server is running in Server Core mode, the following server features are supported:

Microsoft .NET Framework 3.5;
Microsoft .NET Framework 4.5;
Windows PowerShell;
Background Intelligent Transfer Service (BITS);
BitLocker Drive Encryption;
BitLocker Network Unlock;
BranchCache
data center bridge;
Enhanced Storage;
failover clustering;
Multipath I/O;
network load balancing;
PNRP protocol;
qWave;
remote differential compression;
simple TCP/IP services;
RPC over HTTP proxy;
SMTP server;
SNMP service;
Telnet client;
telnet server;
TFTP client;
Windows internal database;
Windows PowerShell Web Access;
Windows Activation Service;
standardized Windows storage management;
IIS WinRM extension;
WINS server;
WoW64 support.

Installing server roles using Server Manager

To add, open Server Manager, and in the Manage menu, click Add Roles and features:

The Add Roles and Features Wizard opens. Click Next

Installation Type, select Role-based or feature-based installation. Next:

Server Selection - select our server. Click Next Server Roles - Select roles if needed, select role services and click Next to select components. During this procedure, the Add Roles and Features Wizard automatically informs you of conflicts on the destination server that may prevent the installation or normal operation of the selected roles or features. You are also prompted to add the roles, role services, and features required by the selected roles or features.

Installing roles with PowerShell

Open Windows PowerShell Enter the Get-WindowsFeature command to view the list of available and installed roles and features on the local server. The output of this cmdlet contains the command names for the roles and features that are installed and available for installation.

Type Get-Help Install-WindowsFeature to see the syntax and allowed parameters Install-WindowsFeature (MAN) cmdlet.

Enter the following command (-Restart will restart the server if the role installation requires a restart).

Install-WindowsFeature –Name -Restart

Description of roles and role services

All roles and role services are described below. Let's look at advanced settings for the most common Web Server Role and Remote Desktop Services in our practice.

Detailed description of IIS

Common HTTP Features - Basic HTTP Components
- Default Document - allows you to set the index page for the site.
- Directory Browsing - Allows users to view the contents of a directory on a web server. Use Directory Browsing to automatically generate a list of all directories and files in a directory when users don't specify a file in the URL and the index page is disabled or not configured
- HTTP Errors - allows you to customize the error messages returned to clients in the browser.
- Static Content - allows you to post static content, such as images or html files.
- HTTP Redirection - Provides support for redirecting user requests.
- WebDAV Publishing allows you to publish files from a web server using the HTTP protocol.
Health and Diagnostics Features - Diagnostic components
- HTTP Logging provides logging of website activity for a given server.
- Custom Logging provides support for creating custom logs that are different from "traditional" logs.
- Logging Tools provides a framework for managing web server logs and automating common logging tasks.
- ODBC Logging provides a framework that supports logging of web server activity to an ODBC-compliant database.
- Request Monitor provides a framework for monitoring the state of web applications by collecting information about HTTP requests in an IIS worker process.
- Tracing provides a framework for diagnosing and troubleshooting web applications. By using failed request tracing, you can track hard-to-find events such as poor performance or authentication failures.
Performance components to increase the performance of the web server.
- Static Content Compression provides a framework for configuring HTTP compression of static content
- Dynamic Content Compression provides a framework for configuring HTTP compression of dynamic content.
Security components
- Request Filtering allows you to capture all incoming requests and filter them based on rules set by the administrator.
- Basic Authentication allows you to set additional authorization
- Centralized SSL Certificate Support is a feature that allows you to store certificates in a central location, like a file share.
- Client Certificate Mapping Authentication uses client certificates to authenticate users.
- Digest Authentication works by sending a password hash to a Windows domain controller to authenticate users. If you need more security than basic authentication, consider using Digest authentication
- IIS Client Certificate Mapping Authentication uses client certificates to authenticate users. The client certificate is a digital ID obtained from a trusted source.
- IP and Domain Restrictions allows you to allow/deny access based on the requested IP address or domain name.
- URL Authorization allows you to create rules that restrict access to web content.
- Windows Authentication This authentication scheme allows Windows domain administrators to take advantage of the domain infrastructure for user authentication.
Application Development Features
FTP Server
- FTP Service Enables FTP publishing to a web server.
- FTP Extensibility Enables support for FTP features that extend the functionality of
Management Tools
- The IIS Management Console installs the IIS Manager, which allows you to manage the Web Server through a GUI
- IIS 6.0 Management Compatibility provides forward compatibility for applications and scripts that use the Admin Base Object (ABO) and the Directory Service Interface (ADSI) Active Directory API. This allows existing IIS 6.0 scripts to be used by the IIS 8.0 web server
- IIS Management Scripts and Tools provide the infrastructure for managing the IIS web server programmatically, by using commands in a command prompt window, or by running scripts.
- The Management Service provides the infrastructure for customizing the user interface, IIS Manager.

Detailed description of RDS

Remote Desktop Connection Broker - Provides client device reconnection to programs based on desktop and virtual desktop sessions.
Remote Desktop Gateway - Allows authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on a corporate network or over the Internet.
Remote Desktop Licensing - RDP License Management Tool
Remote Desktop Session Host - Includes a server to host RemoteApp programs or a desktop-based session.
Remote Desktop Virtualization Host - allows you to configure RDP on virtual machines
Remote Desktop WebAccess - Allows users to connect to desktop resources using the Start menu or web browser.

Consider installing and configuring a terminal license server. The above describes how to install roles, installing RDS is no different from installing other roles, in Role Services we need to select Remote Desktop Licensing and Remote Desktop Session Host. After installation, the Terminal Services item will appear in Server Manager-Tools. There are two items in Terminal Services RD Licensing Diagnoser, this is a tool for diagnosing the operation of remote desktop licensing, and Remote Desktop Licensing Manager, this is a license management tool.

Run RD Licensing Diagnoser

Here we can see that there are no licenses available yet because the licensing mode is not set for the RD Session Host server. The license server is specified in local group policies. To launch the editor, run the gpedit.msc command. The Local Group Policy Editor opens. In the tree on the left, expand the tabs:

Computer Configuration
Administrative Templates
Windows Components
Remote Desktop Services
Remote Desktop Session Host
"Licensing" (Licensing)

Open the parameters Use the specified Remote Desktop license servers

In the policy settings editing window, enable the licensing server (Enabled). Next, you must define a license server for Remote Desktop Services. In my example, the license server is located on the same physical server. Specify the network name or IP address of the license server and click OK. If the server name, the license server will change in the future, you will need to change it in the same section.

After that, in the RD Licensing Diagnoser, you can see that the terminal license server is configured, but not enabled. To enable, run Remote Desktop Licensing Manager

Select the licensing server, with the status Not Activated . To activate, right-click on it and select Activate Server. The Server Activation Wizard will start. On the Connection Method tab, select Automatic Connection. Next, fill in the information about the organization, after that the license server is activated.

Active Directory Certificate Services

AD CS provides configurable services for issuing and managing digital certificates that are used in software security systems that use public key technologies. Digital certificates provided by AD CS can be used to encrypt and digitally sign electronic documents and messages. These digital certificates can be used to authenticate computer, user, and device accounts on a network. Digital certificates are used to provide:

privacy through encryption;
integrity through digital signatures;
authentication by linking certificate keys to computer, user, and device accounts on the network.

AD CS can be used to improve security by binding the identity of a user, device, or service to the corresponding private key. Uses supported by AD CS include secure multi-purpose Internet Mail Standard Extensions (S/MIME) protected wireless network, virtual private networks (VPNs), IPsec, Encrypting File System (EFS), smart card login, Data Transfer Security and Transport Layer Security (SSL/TLS), and digital signatures.

Active Directory Domain Services

Using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for managing users and resources; you can also provide directory-enabled applications such as Microsoft Exchange Server. Active Directory Domain Services provides a distributed database that stores information about network resources and directory-enabled application data, and manage this information. The server that is running AD DS is called a domain controller. Administrators can use AD DS to organize network elements such as users, computers, and other devices into a hierarchical nested structure. The hierarchical nested structure includes the Active Directory forest, the domains in the forest, and the organizational units in each domain. Security features are integrated into AD DS in the form of authentication and access control to resources in the directory. With single sign-on, administrators can manage directory information and organization over the network. Authorized network users can also use network single sign-on to access resources located anywhere on the network. Active Directory Domain Services provides the following additional features.

A set of rules is a schema that defines the classes of objects and attributes that are contained in a directory, the restrictions and limits on instances of those objects, and the format of their names.
A global catalog containing information about each object in the catalog. Users and administrators can use the global catalog to search for catalog data, regardless of which domain in the catalog actually contains the searched data.
A query and indexing mechanism through which objects and their properties can be published and located network users and applications.
A replication service that distributes directory data across a network. All writable domain controllers in the domain participate in replication and contain a complete copy of all directory data for their domain. Any changes to directory data are replicated in the domain to all domain controllers.
Operations master roles (also known as flexible single master operations, or FSMOs). Domain controllers that act as masters of operations are designed to perform special tasks to ensure data consistency and avoid conflicting directory entries.

Active Directory Federation Services

AD FS provides end users who need access to applications in an AD FS-secured enterprise, in federation partner organizations, or in the cloud with simplified and secure identity federation and single sign-on (SSO) web services. Windows Server AD FS includes a role service Federation Service acting as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (applies tokens from other identity providers and then provides security tokens to applications that trust AD FS).

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) is an LDAP protocol that provides flexible support for directory applications without the dependencies and domain-specific restrictions of Active Directory Domain Services. AD LDS can be run on member or standalone servers. You can run multiple instances of AD LDS with independently managed schemas on the same server. With the AD LDS service role, you can provide directory services to directory-enabled applications without using domain and forest service data and without requiring a single forest-wide schema.

Active Directory Rights Management Services

You can use AD RMS to extend your organization's security strategy by securing documents using Information Rights Management (IRM). AD RMS allows users and administrators to assign access permissions to documents, workbooks, and presentations using IRM policies. This allows you to protect confidential information from being printed, forwarded, or copied by unauthorized users. Once a file's permissions are restricted using IRM, access and usage restrictions apply regardless of the location of the information, because the file's permission is stored in the document file itself. With AD RMS and IRM, individual users can apply their own preferences regarding the transfer of personal and confidential information. They will also help an organization enforce corporate policies to control the use and distribution of sensitive and personal information. The IRM solutions supported by AD RMS are used to provide the following capabilities.

Persistent usage policies that stay with information whether it is moved, sent, or forwarded.
An additional layer of privacy to protect sensitive data - such as reports, product specifications, customer information, and email messages - from intentionally or accidentally falling into the wrong hands.
Prevent unauthorized sending, copying, editing, printing, faxing, or pasting of restricted content by authorized recipients.
Prevent copying of restricted content using the PRINT SCREEN feature in Microsoft Windows.
Support for file expiration, preventing document content from being viewed after a specified period of time.
Implement corporate policies that govern the use and distribution of content within the organization

Application Server

Application Server provides an integrated environment for deploying and running custom server-based business applications.

DHCP Server

DHCP is a client-server technology that allows DHCP servers to assign or lease IP addresses to computers and other devices that are DHCP clients. Deploying DHCP servers on a network automatically provides client computers and other network devices with based on IPv4 and IPv6 valid IP addresses and additional configuration settings required by these clients and devices. The DHCP Server service in Windows Server includes support for policy-based assignments and DHCP failover.

DNS Server

The DNS service is a hierarchical distributed database containing mappings of DNS domain names to various types of data such as IP addresses. DNS allows you to use friendly names such as www.microsoft.com to help locate computers and other resources on TCP/IP-based networks. The DNS service in Windows Server provides further enhanced support for DNS Security Modules (DNSSEC), including network registration and automated settings management.

FAX Server

Fax Server sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on your fax server.

File and Storage Services

Administrators can use the File and Storage Services role to set up multiple file servers and their storages, and to manage those servers using Server Manager or Windows PowerShell. Some specific applications include the following features.

working folders. Use to allow users to store and access work files on personal computers and devices other than corporate PCs. Users get a convenient place to store work files and access them from anywhere. Organizations control corporate data by storing files on centrally managed file servers and optionally setting user device policies (such as encryption and screen lock passwords).
Data deduplication. Use to reduce disk space requirements for storing files, saving money on storage.
iSCSI target server. Use to create centralized, software and device-independent iSCSI disk subsystems in storage area networks (SANs).
Disk spaces. Use to deploy storage that is highly available, resilient, and scalable with cost-effective, industry-standard drives.
Server Manager. Use for remote control multiple file servers from one window.
Windows PowerShell. Use to automate the management of most file server administration tasks.

Hyper-V

The Hyper-V role allows you to create and manage a virtualized computing environment using the virtualization technology built into Windows Server. Installing the Hyper-V role installs prerequisites and optional management tools. Required components include the Windows hypervisor, virtualization management service, Hyper-V machines, WMI virtualization provider, and virtualization components such as VMbus, Virtualization Service Provider (VSP), and Virtual Infrastructure Driver (VID).

Network Policy and Access Services

Network Policy and Access Services provides the following network connectivity solutions:

Network Access Protection is a technology for creating, enforcing, and remediating client health policies. With Network Access Protection, system administrators can set and automatically enforce health policies that include requirements for software, security updates, and other settings. For client computers that do not comply with the health policy, you can restrict access to the network until their configuration is updated to comply with the requirements of the policy.
If 802.1X-enabled wireless access points are deployed, you can use Network Policy Server (NPS) to deploy certificate-based authentication methods that are more secure than password-based authentication. Deploying 802.1X-enabled hardware with an NPS server allows intranet users to be authenticated before they can connect to the network or obtain an IP address from a DHCP server.
Instead of configuring a network access policy on each network access server, you can centrally create all policies that define all aspects of network connection requests (who can connect, when a connection is allowed, the security level that must be used to connect to the network ).

Print and Document Services

Print and Document Services allows you to centralize print server and network printer tasks. This role also allows you to receive scanned documents from network scanners and upload documents to network shares - a Windows SharePoint Services site or e-mail.

remote access

The Remote Access Server role is a logical grouping of the following network access technologies.

Direct Access
Routing and remote access
Web Application Proxy

These technologies are role services remote access server role. When you install the Remote Access Server role, you can install one or more role services by running the Add Roles and Features Wizard.

On Windows Server, the Remote Access Server role provides the ability to centrally administer, configure, and monitor DirectAccess and VPN with Routing and Remote Access Service (RRAS) remote access services. DirectAccess and RRAS can be deployed on the same Edge Server and managed through Windows commands PowerShell and Remote Access Management Console (MMC).

Remote Desktop Services

Remote Desktop Services accelerates and expands the deployment of desktops and applications on any device, making the remote worker more efficient while securing critical intellectual property and simplifying compliance. Remote Desktop Services includes Virtual Desktop Infrastructure (VDI), session-based desktops, and applications, giving users the ability to work from anywhere.

Volume Activation Services

Volume License Activation Services is a server role in Windows Server starting with Windows Server 2012 that automates and simplifies the issuance and management of volume licenses for Microsoft software in various scenarios and environments. Together with Volume License Activation Services, you can install and configure the Key Management Service (KMS) and Active Directory activation.

Web Server (IIS)

The Web Server (IIS) role in Windows Server provides a platform for hosting Web sites, services, and applications. Using a web server provides access to information to users on the Internet, intranet, and extranet. Administrators can use the Web Server (IIS) role to set up and manage multiple websites, web applications, and FTP sites. Special features include the following.

Use Internet Information Services (IIS) Manager to configure IIS components and administer websites.
Using the FTP protocol to allow website owners to upload and download files.
Using website isolation to prevent one website on the server from affecting others.
Customization of web applications developed using various technologies such as Classic ASP, ASP.NET and PHP.
Use Windows PowerShell to automatically manage most web server administration tasks.
Consolidate multiple web servers into a server farm that can be managed using IIS.

Windows Deployment Services

Windows Deployment Services allows you to deploy Windows operating systems over a network, which means you don't have to install each operating system directly from a CD or DVD.

Windows Server Essentials Experience

This role allows you to perform the following tasks:

protect server and client data by backing up the server and all client computers on the network;
manage users and user groups through a simplified server dashboard. In addition, integration with Windows Azure Active Directory* provides users with easy access to online Microsoft Online Services (such as Office 365, Exchange Online, and SharePoint Online) using their domain credentials;
store company data in a centralized location;
integrate the server with Microsoft Online Services (such as Office 365, Exchange Online, SharePoint Online, and Windows Intune):
use ubiquitous access features on the server (such as remote web access and virtual private networks) to access the server, network computers, and data from highly secure remote locations;
access data from anywhere and from any device using the organization's own web portal (through remote web access);
manage mobile devices The ones that access your organization's email with Office 365 using the Active Sync protocol from the dashboard.
monitor network health and receive customizable health reports; reports can be generated on demand, customized, and emailed to specific recipients.

Windows Server Update Services

The WSUS server provides the components that administrators need to manage and distribute updates through the management console. In addition, the WSUS server can be the source of updates for other WSUS servers in the organization. When implementing WSUS, at least one WSUS server on the network must be connected to Microsoft Update to receive information about available updates. Depending on the network's security and configuration, an administrator can determine how many other servers are directly connected to Microsoft Update.

When you install Windows, most of the non-essential subsystems are not activated or installed. This is done for security reasons. Because the system is secure by default, system administrators can focus on designing a system that does what it does, and nothing else. To help you enable the features you want, Windows prompts you to select a Server Role.

Roles

They define the main function, purpose or purpose of using a computer. You can designate a computer to play one role that is heavily used in the enterprise, or to play multiple roles where each role is used only occasionally.
Roles give users throughout the organization access to resources that are managed by other computers, such as websites, printers, or files stored on different computers.
They usually have their own databases that queue user or computer requests or record information about network users and computers associated with a role. For example, Active Directory Domain Services contains a database for storing the names and hierarchical relationships of all computers on a network.
Once properly installed and configured, roles function automatically. This allows the computers on which they are installed to perform assigned tasks with limited user interaction.

Role Services

Role services are programs that provide the functionality of a role. When you install a role, you can choose which services it provides to other users and computers in the enterprise. Some roles, such as the DNS server, perform only one function, so there are no role services for them. Other roles, such as Remote Desktop Services, have several services that you can install based on your enterprise's remote access needs. A role can be thought of as a collection of closely related, complementary role services. In most cases, installing a role means installing one or more of its services.

Components

When Windows Server is running in Server Core mode, the following server roles are supported:

Active Directory Certificate Services;
Active Directory Domain Services;
DHCP server
DNS server;
file services (including the file server resource manager);
Active Directory Lightweight Directory Services;
Hyper-V
printing and document services;
streaming media services;
web server (including a subset of ASP.NET);
Windows Server Update Server;
Active Directory rights management server;
Routing and Remote Access Server and the following subordinate roles:
- Remote Desktop Connection Broker;
- licensing;
- virtualization.

When Windows Server is running in Server Core mode, the following server features are supported:

Microsoft .NET Framework 3.5;
Microsoft .NET Framework 4.5;
Windows PowerShell;
Background Intelligent Transfer Service (BITS);
BitLocker Drive Encryption;
BitLocker Network Unlock;
BranchCache
data center bridge;
Enhanced Storage;
failover clustering;
Multipath I/O;
network load balancing;
PNRP protocol;
qWave;
remote differential compression;
simple TCP/IP services;
RPC over HTTP proxy;
SMTP server;
SNMP service;
Telnet client;
telnet server;
TFTP client;
Windows internal database;
Windows PowerShell Web Access;
Windows Activation Service;
standardized Windows storage management;
IIS WinRM extension;
WINS server;
WoW64 support.

Installing server roles using Server Manager

To add, open Server Manager, and in the Manage menu, click Add Roles and features:

The Add Roles and Features Wizard opens. Click Next

Installation Type, select Role-based or feature-based installation. Next:

Installing roles with PowerShell

Type Get-Help Install-WindowsFeature to view the syntax and valid parameters for the Install-WindowsFeature (MAN) cmdlet.

Enter the following command (-Restart will restart the server if the role installation requires a restart).

Install-WindowsFeature –Name -Restart

Description of roles and role services

All roles and role services are described below. Let's look at advanced settings for the most common Web Server Role and Remote Desktop Services in our practice.

Detailed description of IIS

Common HTTP Features - Basic HTTP Components
- Default Document - allows you to set the index page for the site.
- Directory Browsing - Allows users to view the contents of a directory on a web server. Use Directory Browsing to automatically generate a list of all directories and files in a directory when users don't specify a file in the URL and the index page is disabled or not configured
- HTTP Errors - allows you to customize the error messages returned to clients in the browser.
- Static Content - allows you to post static content, such as images or html files.
- HTTP Redirection - Provides support for redirecting user requests.
- WebDAV Publishing allows you to publish files from a web server using the HTTP protocol.
Health and Diagnostics Features - Diagnostic components
- HTTP Logging provides logging of website activity for a given server.
- Custom Logging provides support for creating custom logs that are different from "traditional" logs.
- Logging Tools provides a framework for managing web server logs and automating common logging tasks.
- ODBC Logging provides a framework that supports logging of web server activity to an ODBC-compliant database.
- Request Monitor provides a framework for monitoring the state of web applications by collecting information about HTTP requests in an IIS worker process.
- Tracing provides a framework for diagnosing and troubleshooting web applications. By using failed request tracing, you can track hard-to-find events such as poor performance or authentication failures.
Performance components to increase the performance of the web server.
- Static Content Compression provides a framework for configuring HTTP compression of static content
- Dynamic Content Compression provides a framework for configuring HTTP compression of dynamic content.
Security components
- Request Filtering allows you to capture all incoming requests and filter them based on rules set by the administrator.
- Basic Authentication allows you to set additional authorization
- Centralized SSL Certificate Support is a feature that allows you to store certificates in a central location, like a file share.
- Client Certificate Mapping Authentication uses client certificates to authenticate users.
- Digest Authentication works by sending a password hash to a Windows domain controller to authenticate users. If you need more security than basic authentication, consider using Digest authentication
- IIS Client Certificate Mapping Authentication uses client certificates to authenticate users. The client certificate is a digital ID obtained from a trusted source.
- IP and Domain Restrictions allows you to allow/deny access based on the requested IP address or domain name.
- URL Authorization allows you to create rules that restrict access to web content.
- Windows Authentication This authentication scheme allows Windows domain administrators to take advantage of the domain infrastructure for user authentication.
Application Development Features
FTP Server
- FTP Service Enables FTP publishing to a web server.
- FTP Extensibility Enables support for FTP features that extend the functionality of
Management Tools
- The IIS Management Console installs the IIS Manager, which allows you to manage the Web Server through a GUI
- IIS 6.0 Management Compatibility provides forward compatibility for applications and scripts that use the Admin Base Object (ABO) and the Directory Service Interface (ADSI) Active Directory API. This allows existing IIS 6.0 scripts to be used by the IIS 8.0 web server
- IIS Management Scripts and Tools provide the infrastructure for managing the IIS web server programmatically, by using commands in a command prompt window, or by running scripts.
- The Management Service provides the infrastructure for customizing the user interface, IIS Manager.

Detailed description of RDS

Remote Desktop Connection Broker - Provides client device reconnection to programs based on desktop and virtual desktop sessions.
Remote Desktop Gateway - Allows authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on a corporate network or over the Internet.
Remote Desktop Licensing - RDP License Management Tool
Remote Desktop Session Host - Includes a server to host RemoteApp programs or a desktop-based session.
Remote Desktop Virtualization Host - allows you to configure RDP on virtual machines
Remote Desktop WebAccess - Allows users to connect to desktop resources using the Start menu or web browser.

Run RD Licensing Diagnoser

Computer Configuration
Administrative Templates
Windows Components
Remote Desktop Services
Remote Desktop Session Host
"Licensing" (Licensing)

Open the parameters Use the specified Remote Desktop license servers

After that, in the RD Licensing Diagnoser, you can see that the terminal license server is configured, but not enabled. To enable, run Remote Desktop Licensing Manager