Give a detailed description of the server policy

GPResult.exe is a console utility designed to analyze settings and diagnose the group policies that are applied to a computer and/or user in an Active Directory domain. In particular, GPResult lets you obtain data from the Resultant Set of Policy (RSoP): the list of applied domain policies (GPOs), their settings, and detailed information about errors in their processing. The utility has been part of Windows since Windows XP. GPResult answers questions such as whether a particular policy applies to a computer, which GPO changed a particular Windows setting, and why a policy was or was not applied.

In this article, we will look at the specifics of using the GPResult command to diagnose and debug the application of group policies in an Active Directory domain.

Initially, the RSOP.msc graphical console was used to diagnose the application of group policies in Windows. It shows the settings of the resultant policies (domain + local) applied to the computer and the user in a graphical form similar to the GPO editor console (in the RSOP.msc console view below, you can see that the update settings are set).

However, the RSOP.msc console is impractical in modern versions of Windows: it does not reflect settings applied by the various client-side extensions (CSEs), such as Group Policy Preferences (GPP), it has no search, and it provides little diagnostic information. Therefore, the GPResult command is currently the main tool for diagnosing the application of GPOs in Windows (Windows 10 even shows a warning that RSOP does not give a complete report, unlike GPResult).

Using the GPResult.exe utility

The GPResult command is run on the computer on which you want to test the application of group policies. The GPResult command has the following syntax:

GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope] [/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]

To get detailed information about the group policies that apply to a given AD object (user and computer) and other settings related to the GPO infrastructure (i.e. the resultant GPO policy settings, RSoP), run gpresult with the /r switch, as in the examples below.

The results of the command execution are divided into 2 sections:

  • COMPUTER SETTINGS (Computer configuration) – the section contains information about GPO objects that affect the computer (as an Active Directory object);
  • USER SETTINGS – user section of policies (policies that apply to a user account in AD).

Let's briefly go over the main parameters/sections that may be of interest to us in the GPResult output:

  • Site Name – the name of the AD site in which the computer is located;
  • CN – the full canonical name of the user/computer for which the RSoP data was generated;
  • Last time Group Policy was applied – the time when group policies were last applied;
  • Group Policy was applied from – the domain controller from which the latest version of the GPO was loaded;
  • Domain Name and Domain Type – the Active Directory domain name and schema version;
  • Applied Group Policy Objects – the list of active group policy objects;
  • The following GPOs were not applied because they were filtered out – GPOs that were not applied (filtered);
  • The user/computer is a part of the following security groups – the domain groups the user or computer is a member of.

In our example, you can see that the user object is affected by 4 group policies:

  • Default Domain Policy;
  • Enable Windows Firewall;
  • DNS Suffix Search List.

If you do not want the console to display information about both user policies and computer policies at the same time, you can use the /scope option to display only the section you are interested in. Only resulting user policies:

gpresult /r /scope:user

or only applied machine policies:

gpresult /r /scope:computer

Because the GPResult utility prints its data directly to the command-line console, which is not always convenient for further analysis, its output can be redirected to the clipboard:

gpresult /r |clip

or text file:

gpresult /r > c:\gpresult.txt

To display super-detailed RSOP information, add the /z switch.

HTML RSOP report using GPResult

In addition, the GPResult utility can generate an HTML report on the applied resultant policies (available in Windows 7 and later). This report contains detailed information about all system settings that are set by group policies and the names of the specific GPOs that set them (the report's structure resembles the Settings tab in the Group Policy Management Console, GPMC). You can generate an HTML GPResult report with the command:

GPResult /h c:\gp-report\report.html /f

To generate a report and automatically open it in a browser, run the command:

GPResult /h GPResult.html & GPResult.html

The gpresult HTML report contains quite a lot of useful information: GPO application errors and the processing time (in ms) of specific policies and CSEs are visible (in the Computer Details -> Component Status section). For example, in the screenshot above, you can see that the setting "24 passwords remembered" is applied by the Default Domain Policy (Winning GPO column). As you can see, such an HTML report is much more convenient for analyzing applied policies than the rsop.msc console.

Getting GPResult data from a remote computer

GPResult can also collect data from a remote computer, eliminating the need for an administrator to log in locally or RDP to a remote computer. The command format for collecting RSOP data from a remote computer is as follows:

GPResult /s server-ts1 /r

Similarly, you can collect data from both user policies and computer policies remotely.

The user "username" does not have RSOP data

With UAC enabled, running GPResult without elevated privileges displays only the user section of the Group Policy settings. To display both sections (USER SETTINGS and COMPUTER SETTINGS) at the same time, the command must be run from an elevated command prompt. If the elevated command prompt is running under an account other than the currently logged-on user, the utility issues the warning INFO: The user "domain\user" does not have RSOP data. This is because GPResult tries to collect information for the user who ran it, but that user has not logged on to the system, so no RSOP information is available for them. To collect RSOP information for a user with an active session, specify that user's account:

gpresult /r /user:tn\edward

If you don't know the name of the account that is logged in on the remote computer, you can get the account like this:

qwinsta /SERVER:remotePC1

Also check the time on the client. It must match the time on the PDC (Primary Domain Controller).

The following GPO policies were not applied because they were filtered out

When troubleshooting group policies, you should also pay attention to the section The following GPOs were not applied because they were filtered out. This section lists the GPOs that, for one reason or another, were not applied to this object. The possible reasons a policy may not apply are:


You can also understand whether the policy should be applied to a specific AD object on the Effective Permissions tab (Advanced -> Effective Access).
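As an added example (not part of the original article), the following Python script parses the text that gpresult /r prints into the header fields and sections described above, including the filtered-out GPOs and the reason gpresult shows under each, so that the absence of an expected policy can be flagged automatically; the sample output, host, domain, GPO names and group names embedded in it are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of "gpresult /r" output (computer section only); the
# host, domain, timestamp, GPO and group names are made up for this example.
SAMPLE_GPRESULT = """\
COMPUTER SETTINGS
------------------
    CN=WKS01,OU=Workstations,DC=corp,DC=example
    Last time Group Policy was applied: 3/14/2024 at 9:12:03 AM
    Group Policy was applied from:      dc01.corp.example
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CORP
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Enable Windows Firewall

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Restrict USB Storage
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\\Administrators
        Everyone
"""

APPLIED_HDR = "Applied Group Policy Objects"
FILTERED_HDR = "The following GPOs were not applied because they were filtered out"
GROUPS_HDR = re.compile(r"^The (?:user|computer) is a part of the following security groups$")


def parse_gpresult(text: str) -> Dict[str, object]:
    """Split the gpresult /r summary into header fields and the three lists."""
    result = {"fields": {}, "applied": [], "filtered": {}, "groups": []}
    section = None       # which list we are currently inside
    current_gpo = None   # last GPO name seen in the filtered section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:   # blank lines and ----- underlines
            continue
        if line == APPLIED_HDR:
            section = "applied"
            continue
        if line == FILTERED_HDR:
            section = "filtered"
            continue
        if GROUPS_HDR.match(line):
            section = "groups"
            continue
        if section is None:
            # Header area: "Key: value" fields; the CN line carries no key label
            if line.startswith("CN="):
                result["fields"]["CN"] = line
            elif ":" in line:
                key, value = line.split(":", 1)
                result["fields"][key.strip()] = value.strip()
        elif section == "applied":
            result["applied"].append(line)
        elif section == "groups":
            result["groups"].append(line)
        elif section == "filtered":
            if line.startswith("Filtering:"):
                # The reason line belongs to the GPO named on the previous line
                result["filtered"][current_gpo] = line.split(":", 1)[1].strip()
            else:
                current_gpo = line
                result["filtered"].setdefault(current_gpo, "")
    return result


def missing_expected_gpos(parsed: Dict[str, object], expected: List[str]) -> Dict[str, str]:
    """Expected GPOs that did not apply, mapped to the filtering reason gpresult gave."""
    return {
        name: parsed["filtered"].get(name, "not listed at all")
        for name in expected
        if name not in parsed["applied"]
    }


if __name__ == "__main__":
    rsop = parse_gpresult(SAMPLE_GPRESULT)
    print("Applied from:", rsop["fields"]["Group Policy was applied from"])
    print("Applied GPOs:", rsop["applied"])
    print("Filtered GPOs:", rsop["filtered"])
    print("Missing:", missing_expected_gpos(rsop, ["Enable Windows Firewall", "Restrict USB Storage"]))
```

Run it against a saved report (gpresult /r > c:\gpresult.txt) by reading the file into parse_gpresult instead of the constructed sample.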

So, in this article, we reviewed the features of diagnosing the application of group policies using the GPResult utility and reviewed typical scenarios for its use.

Before developing a socket server, you need to create a policy server that tells Silverlight which clients are allowed to connect to the socket server.

As shown above, Silverlight does not allow content to be loaded or a web service to be called unless the domain has a clientaccesspolicy.xml or crossdomain.xml file in which these operations are explicitly allowed. A similar restriction applies to socket servers. If you do not let the client download a clientaccesspolicy.xml file that allows remote access, Silverlight will refuse to establish the connection.

Unfortunately, providing clientaccesspolicy.xml for a socket application is more of a challenge than providing it through a website. With a website, the web server software serves the clientaccesspolicy.xml file; you only need to remember to add it. With a socket application, you must open a socket that client applications can reach with policy requests, and you must write the code that serves that socket yourself. To accomplish these tasks, you need to create a policy server.

In what follows, you will see that the policy server works in the same way as the message server; it just handles slightly simpler interactions. The message server and the policy server can be created separately or combined in one application. In the second case, they must listen for requests on different threads. In this example, we will create a policy server and then combine it with a message server.

To create a policy server, you must first create a .NET application. Any type of .NET application can serve as a policy server. The easiest way is to use a console application. Once you've debugged your console application, you can move your code into a Windows service so that it runs in the background all the time.

Policy file

Following is the policy file provided by the policy server.

The policy file defines three rules:

  1. It allows access to all ports from 4502 to 4532 (this is the full range of ports supported by the Silverlight add-on). To change the range of available ports, change the value of the element's port attribute.
  2. It allows TCP access (the permission is defined in the element's protocol attribute).
  3. It allows calls from any domain. Therefore, the Silverlight application that establishes the connection can be hosted by any website. To change this rule, edit the element's uri attribute.

To make things easier, the policy rules are placed in the clientaccesspolicy.xml file that is added to the project. In Visual Studio, the Copy to Output Directory property of the policy file must be set to Copy Always. The policy server then only needs to find the file on the hard drive, open it, and return its contents to the client.

PolicyServer class

The policy server functionality is based on two key classes: PolicyServer and PolicyConnection. The PolicyServer class handles waiting for connections. When it receives a connection, it passes control to a new instance of the PolicyConnection class, which sends the policy file to the client. This two-part procedure is common in network programming. You will see it more than once when working with message servers.

The PolicyServer class loads the policy file from the hard disk and stores it in the field as an array of bytes.

    public class PolicyServer
    {
        private byte[] policy;   // contents of the policy file

        public PolicyServer(string policyFile)
        {
            // Load the policy file once and keep it in memory
            policy = File.ReadAllBytes(policyFile);
        }

To start listening, the server application must call the PolicyServer.Start() method. It creates a TcpListener object that listens for requests. The TcpListener object is configured to listen on port 943. In Silverlight, this port is reserved for policy servers: when a Silverlight application requests a policy file, it automatically sends the request to port 943.

        private TcpListener listener;

        public void Start()
        {
            // Create a listener on port 943, the port Silverlight uses for policy requests
            listener = new TcpListener(IPAddress.Any, 943);

            // Start listening; listener.Start() returns immediately
            listener.Start();

            // Wait for a connection; BeginAcceptTcpClient() returns immediately and
            // the waiting is done on a separate thread
            listener.BeginAcceptTcpClient(OnAcceptTcpClient, null);
        }

To accept an incoming connection, the policy server calls the BeginAcceptTcpClient() method. Like all BeginXxx() methods in the .NET Framework, it returns immediately after being called and performs the necessary work on a separate thread. For network applications this is very significant, because it allows many requests for policy files to be processed at the same time.

Note. Novice network programmers often wonder how more than one request can be processed at the same time and assume that this requires several ports. However, that is not the case. With that approach, client applications would quickly run out of available ports. In practice, server applications process many requests through a single port. This is invisible to applications because the built-in TCP subsystem in Windows automatically identifies messages and routes them to the appropriate objects in application code. Each connection is uniquely identified by four values: client IP address, client port number, server IP address, and server port number.

On each request, the OnAcceptTcpClient() callback method is invoked. It calls BeginAcceptTcpClient() again to start waiting for the next request on another thread, and then processes the current request.

        public void OnAcceptTcpClient(IAsyncResult ar)
        {
            if (isStopped) return;

            try
            {
                Console.WriteLine("Policy request received.");

                // Wait for the next connection on another thread.
                listener.BeginAcceptTcpClient(OnAcceptTcpClient, null);

                // Handle the current connection.
                TcpClient client = listener.EndAcceptTcpClient(ar);
                PolicyConnection policyConnection = new PolicyConnection(client, policy);
                policyConnection.HandleRequest();
            }
            catch (Exception err)
            {
                Console.WriteLine(err.Message);
            }
        }

Each time a new connection is received, a new PolicyConnection object is created to handle it. The PolicyConnection object also holds a reference to the policy file data.

The last component of the PolicyServer class is the Stop() method, which stops waiting for requests. The application calls it when it terminates.

        private bool isStopped;

        public void Stop()
        {
            isStopped = true;

            try
            {
                listener.Stop();
            }
            catch (Exception err)
            {
                Console.WriteLine(err.Message);
            }
        }
    }

The following code is used in the Main() method of the application server to start the policy server.

    static void Main(string[] args)
    {
        PolicyServer policyServer = new PolicyServer("clientaccesspolicy.xml");
        policyServer.Start();

        Console.WriteLine("Policy server started.");
        Console.WriteLine("Press the Enter key to exit.");

        // Wait for a keypress; with Console.ReadKey() you could instead wait
        // for a specific line (for example, "quit") or for any key
        Console.ReadLine();

        policyServer.Stop();
        Console.WriteLine("End policy server.");
    }

PolicyConnection class

The PolicyConnection class performs a simpler task. The PolicyConnection object stores a reference to the policy file data. When its HandleRequest() method is called, the PolicyConnection object obtains the network stream of the new connection and attempts to read from it. The client must send a string containing the policy request text. After reading this text, the server writes the policy data to the stream and closes the connection. Following is the code of the PolicyConnection class.

    public class PolicyConnection
    {
        private TcpClient client;
        private byte[] policy;

        public PolicyConnection(TcpClient client, byte[] policy)
        {
            this.client = client;
            this.policy = policy;
        }

        // The request string a Silverlight client sends
        private static string policyRequestString = "<policy-file-request/>";

        public void HandleRequest()
        {
            Stream s = client.GetStream();

            // Read the policy request string
            byte[] buffer = new byte[policyRequestString.Length];

            // Wait only 5 seconds
            client.ReceiveTimeout = 5000;
            s.Read(buffer, 0, buffer.Length);

            // Send the policy (you could also check that the request
            // contains the expected content)
            s.Write(policy, 0, policy.Length);

            // Close the connection
            client.Close();

            Console.WriteLine("Policy file served.");
        }
    }

So, we have a fully operational policy server. Unfortunately, it can't be tested yet because the Silverlight add-in doesn't allow policy files to be explicitly requested. Instead, it automatically requests them when trying to use a socket application. Before you can create a client application for this socket application, you must create a server.
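The policy file from the "Policy file" section and the request/response exchange handled by PolicyConnection, as an added Python example that is not the book's or the page's code: it embeds a clientaccesspolicy.xml constructed from the three rules above, checks whether that policy grants an origin a socket on a given port, and runs both sides of the exchange on loopback (an ephemeral port stands in for 943) so the server can be exercised without the Silverlight add-in; the server gives the policy only to a genuine policy request.

```python
import socket
import threading
import xml.etree.ElementTree as ET

# Constructed policy file in the clientaccesspolicy.xml format, matching the
# three rules above: ports 4502-4532, TCP only, callers from any domain.
POLICY_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <socket-resource port="4502-4532" protocol="tcp" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# The string a Silverlight client sends to the policy port before opening a socket.
POLICY_REQUEST = b"<policy-file-request/>"


def socket_allowed(policy_xml: bytes, origin: str, port: int, protocol: str = "tcp") -> bool:
    """True if some <policy> grants `origin` a `protocol` socket to `port`."""
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        uris = [d.get("uri", "") for d in policy.iter("domain")]
        if not any(u == "*" or u == origin for u in uris):
            continue
        for res in policy.iter("socket-resource"):
            if res.get("protocol", "tcp").lower() != protocol.lower():
                continue
            lo, _, hi = res.get("port", "").partition("-")
            low, high = int(lo), int(hi or lo)
            if low <= port <= high:
                return True
    return False


def serve_policy_once(listener: socket.socket, policy_xml: bytes) -> bool:
    """Server side: answer one connection on an already-listening socket."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5.0)            # wait only 5 seconds, like the C# server
        request = b""
        try:
            while len(request) < len(POLICY_REQUEST):
                chunk = conn.recv(len(POLICY_REQUEST) - len(request))
                if not chunk:
                    break
                request += chunk
        except socket.timeout:
            return False
        if request != POLICY_REQUEST:   # anything else gets no policy at all
            return False
        conn.sendall(policy_xml)
    return True                         # closing the socket ends the reply


def fetch_policy(host: str, port: int, request: bytes = POLICY_REQUEST) -> bytes:
    """Client side: send the request string and read until the server closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=5.0) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except ConnectionResetError:
            pass                        # server dropped us without answering
    return b"".join(chunks)


def run_exchange(policy_xml: bytes = POLICY_XML, request: bytes = POLICY_REQUEST) -> bytes:
    """Run both sides on loopback; returns whatever the client received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_policy_once, args=(listener, policy_xml))
    server.start()
    try:
        return fetch_policy("127.0.0.1", port, request)
    finally:
        server.join(timeout=10)
        listener.close()


if __name__ == "__main__":
    got = run_exchange()
    print("policy served intact:", got == POLICY_XML)
    print("any origin may connect to 4502:", socket_allowed(got, "http://app.example", 4502))
    print("port 80 is not granted:", not socket_allowed(got, "http://app.example", 80))
```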

In the previous articles of this series, you learned how to use local security policies effectively to protect your organization's infrastructure as far as possible from external attackers, as well as from most actions of incompetent employees. You already know how to set up account policies that control the complexity of your users' passwords, and how to set up audit policies so that your users' authentication can be analyzed later in the security log. In addition, you learned how to assign user rights so that users cannot harm your system or other computers on your intranet, and how to configure event logs, restricted groups, system services, the registry, and the file system. In this article, we continue our study of local security policies, and you will learn about the wired network security settings for your enterprise.

Microsoft's server operating systems, starting with Windows Server 2008, introduced the Wired Network (IEEE 802.3) Policies component, which provides automatic configuration for deploying wired access services with IEEE 802.1X authentication for Ethernet 802.3 network clients. To apply wired network security settings through group policy, the operating system uses the Wired AutoConfig service (DOT3SVC). This service is responsible for IEEE 802.1X authentication when connecting to Ethernet networks through compatible 802.1X switches, and it also manages the profile used to configure a network client for authenticated access. Note that if you use these policies, it is advisable to prevent users in your domain from changing the startup mode of this service.

Configuring a wired network policy

You can set the wired network policy settings directly from the snap-in. To configure these settings, follow these steps:

  1. Open the snap-in, select the node in the console tree, right-click it and select the command "Create a New Wired Network Policy for Windows Vista and Later" from the context menu, as shown in the following illustration:

    Fig. 1. Creating a wired network policy

  2. In the "New Wired Network Policy Properties" dialog box that opens, on the "General" tab, you can specify that the Wired AutoConfig service should be used to configure LAN adapters for connecting to a wired network. In addition to policy settings that apply to Windows Vista and later operating systems, there are some policy settings that apply only to Windows 7 and Windows Server 2008 R2. On this tab, you can do the following:
    • Policy Name. In this text box, you give your wired network policy a name. The policy name is shown in the details pane of the "Wired Network (IEEE 802.3) Policies" node of the Group Policy Management Editor snap-in;
    • Description. This text box is for a detailed description of the purpose of the wired network policy;
    • Use Windows Wired AutoConfig service for clients. This option performs the actual configuration and connects clients to the wired 802.3 network. If you disable it, the Windows operating system will not control the wired network connection and the policy settings will not take effect;
    • Don't allow shared user credentials for network authentication. This setting determines whether the user is prevented from storing shared user credentials for network authentication. You can change this setting locally with the command netsh lan set allowexplicitcreds;
    • Enable block period. This setting determines whether the computer is prevented from automatically connecting to a wired network for the number of minutes you specify. The default is 20 minutes. The block period is adjustable from 1 to 60 minutes.
  3. The "General" tab of the wired network policy looks like this:

    Fig. 2. General tab of the wired network policy settings dialog box

  4. The "Security" tab provides configuration options for the authentication method and the wired connection mode. You can configure the following security settings:
    • Enable use of IEEE 802.1X authentication for network access. This option directly enables or disables 802.1X network access authentication. It is enabled by default;
    • Select a network authentication method. Using this drop-down list, you specify the network client authentication method applied by your wired network policy. The following two options are available:
      • Microsoft: Protected EAP (PEAP). For this authentication method, the "Properties" window contains the configuration settings for the authentication method to use;
      • Microsoft: Smart card or other certificate. For this authentication method, the "Properties" window provides options that let you specify the smart card or certificate used to connect, as well as a list of trusted root CAs.

    The method selected by default is Microsoft: Protected EAP (PEAP);

  5. Authentication Mode. This drop-down list selects how network authentication is performed. The following four options are available:
    • User or computer authentication. If this option is selected, the security credentials used depend on the current state of the computer. Even if no user is logged on, authentication is performed with the computer's credentials. When a user logs on, the credentials of the logged-on user are used. Microsoft recommends this authentication mode in most cases;
    • Computer authentication. In this case, only the computer credentials are authenticated;
    • User authentication. Selecting this option forces user authentication only when connecting to a new 802.1X device. In all other cases, authentication is performed only for the computer;
    • Guest authentication. This setting allows connections to the network based on a guest account.
  6. Maximum number of authentication failures. This setting specifies the maximum number of authentication failures. The default value is 1;
  7. Cache user information for subsequent connections to this network. When this setting is enabled, user credentials are stored in the system registry, and no credentials are requested when the user logs off and then logs on again.

The following illustration shows the "Security" tab of this dialog box:

Fig. 3. Security tab of the wired network policy settings dialog box

Properties of authentication modes

As mentioned in the previous section, for both authentication methods there are additional settings that are called by clicking on the button "Properties". In this section, we'll cover all possible settings for authentication methods.

"Microsoft: Protected EAP (PEAP)" authentication method settings

EAP (Extensible Authentication Protocol) is an extensible authentication framework that defines the packet format. The following options are available for configuring this authentication method:

  • Enable fast reconnect. This option allows users of wireless computers to move quickly between access points without re-authenticating to the new network. Such switching works only between access points that are configured as RADIUS clients. This option is enabled by default;
  • Enable Network Access Protection. When this option is selected, before EAP supplicants are allowed onto the network, the appropriate checks are performed to determine whether they meet the health requirements;
  • Disconnect if the server does not present cryptobinding TLV. This option makes connecting clients abort the authentication process if the RADIUS server does not provide a cryptobinding TLV value. This value strengthens the TLS tunnel in PEAP by tying the inner and outer authentication methods together, so that a third party cannot tamper with the exchange;
  • Enable identity privacy. This setting prevents clients from sending their identity before the client has authenticated the RADIUS server, and optionally provides a field for an anonymous identity value.

The Protected EAP Properties dialog box is shown in the following illustration:

Fig. 5. Protected EAP Properties dialog box

"Smart card or other certificate" authentication method settings (EAP-TLS settings)

The following options are available for configuring this authentication method:

  • Use my smart card. If you set the radio button to this position, clients making authentication requests present a smart card certificate for network authentication;
  • Use a certificate on this computer. When this option is selected, the client connection is verified with a certificate located in the current user or local computer certificate store;
  • Use simple certificate selection. This option allows the Windows operating system to filter out certificates that do not meet the authentication requirements;
  • Validate server certificate. This option makes the client verify the server certificate presented to client computers: that it has a valid, unexpired signature and that it was issued by a trusted root certification authority;
  • Connect to these servers. This option is identical to the option of the same name described in the previous section;
  • Trusted Root Certification Authorities. Just as in the Protected EAP properties dialog box, this list shows all the trusted root certification authorities installed in the user and computer certificate stores;
  • Do not prompt user to authorize new servers or trusted certification authorities. When this option is checked, no dialog box asking the user to authorize the server certificate is shown if that certificate is misconfigured or its issuer is not in the user's trusted list. This option is disabled by default;
  • Use a different user name for the connection. This setting determines whether a user name other than the one in the certificate is used for authentication. When this option is enabled, you must select at least one certificate from the list of trusted root CAs.

The dialog box for configuring smart cards or other certificates is shown in the following illustration:

Fig. 6. Dialog box for configuring smart cards or other certificates

If you are not sure about the certificate you have chosen, click the "View Certificate" button to see all the details of the selected certificate, as shown below:

Fig. 7. Viewing a certificate from the list of trusted root certification authorities

Advanced wired policy security options

You probably noticed that the "Security" tab of the wired network policy settings dialog box also offers additional security options that change the behavior of network clients requesting access with 802.1X authentication. The advanced wired policy settings can be divided into two groups: IEEE 802.1X settings and single sign-on settings. Let's look at each of these groups.

In the IEEE 802.1X settings group, you can specify the characteristics of wired network requests with 802.1X authentication. The following options are available:

  • Enforce advanced 802.1X settings. This option activates the following four settings;
  • Max EAPOL-Start messages. EAPOL (EAP over LAN) carries EAP frames before the computer has authenticated; only after a successful "login" is all other traffic allowed through the switch port to which the computer is connected. This parameter controls the maximum number of EAPOL-Start messages sent;
  • Held period (sec). This setting controls the delay, in seconds, before the next 802.1X authentication attempt is made after an authentication failure notification is received;
  • Start period (sec). This parameter controls the amount of time to wait before retransmitting successive EAPOL-Start messages;
  • Auth period (sec). This parameter specifies the number of seconds between retransmissions of successive initial EAPOL messages after 802.1X authentication has been initiated;
  • EAPOL-Start message. With this parameter, you specify how initial EAPOL messages are transmitted:
    • Do not transmit. If this option is selected, EAPOL-Start messages are not transmitted;
    • Transmit. If this option is selected, the client sends initial EAPOL messages manually;
    • Transmit per IEEE 802.1X. If this option is selected (the default), EAPOL-Start messages are sent automatically, waiting for 802.1X authentication to start.

With single sign-on, authentication is performed according to the network security configuration during the user's logon to the operating system. The following options are available for configuring SSO profiles:

  • Enable single sign-on for this network. Enabling this option activates the single sign-on settings;
  • Perform immediately before user logon. If you check this option, 802.1X authentication is performed before the user completes the logon;
  • Perform immediately after user logon. If you check this option, 802.1X authentication is performed after the user logs on;
  • Max delay for connectivity. This parameter specifies the maximum time within which authentication must complete and, accordingly, how long the user waits before the logon window appears;
  • Allow additional dialogs to be displayed during single sign-on. This setting controls whether the user's logon dialog box is displayed;
  • This network uses different VLANs for authentication with machine and user credentials. If you specify this setting, all computers are placed in one virtual network at startup, and after a successful user logon they are moved, depending on the permissions, to different virtual networks. It makes sense to activate this option only if you have several VLANs in your enterprise.

The wired network policy advanced security settings dialog box is shown in the following illustration:

Fig. 8. Wired network policy advanced security settings dialog box

Conclusion

In this article, you learned about all the IEEE 802.1X wired network policy settings. You learned how to create such a policy, and about the EAP authentication methods and authentication with smart cards or other certificates. In the next article, you will learn about the Network List Manager local security policies.

    Policies in Exchange Server 2003 are designed to increase administration flexibility while reducing the burden on administrators. A policy is a set of configuration settings that apply to one or more objects of the same class in Exchange . For example, you can create a policy that affects certain settings on some or all of the Exchange servers. If you need to change these settings, then you just need to modify this policy and it will be applied to the corresponding server organization.

    There are two types of policies: system policy and recipient policy. Recipient policies apply to mail access objects and specify how email addresses are generated. Recipient policies are discussed in "Creating and Managing Recipients". System policies apply to servers, mailbox stores, and public folder stores. These policies appear in the Policies container within the group responsible for administration this policy (Figure 12.10).

    Rice. 12.10. System policy object

    Note. Exchange Server 2003 installation does not create a default container for system policies. It must be created before building system policies. Right-click the administration group in which you want to create a policy folder, hover over New, and select System Policy Container.

    Create a system policy

    To create a system policy, go to the appropriate System Policies container, right-click on the container, and then select the type of policy to create: server policy, mailbox store policy, or public folder store policy.

    When working with system policies, be sure to create the policy object in the administrative group that is responsible for administering that policy. Otherwise, the wrong people may end up with administrative control over critical policies. Let's look at how each of the three types of policies is created, starting with server policies.

    Create a server policy

    The server policy defines settings for message tracking and log file maintenance. It does not apply to security settings or other settings of servers in this administrative group. To create a server policy, right-click the System Policies container, point to New, and then select the Server Policy option. The New Policy dialog box, shown in Figure 12.11, will appear; it specifies the tabs that appear on the policy's property page. There is only one option for the server policy: the General tab. Check the option for this tab and then click OK. A configuration window will be displayed in which the policy will be created.


    Fig. 12.11.

    After that, you need to enter a name for the policy in the General tab window of the policy's properties page. As shown in Figure 12.12, there are actually two General tabs. The first tab is used to enter the name of the policy. Select a name to describe the task that this policy is intended to perform, such as Message Tracking Policy or Enable Subject Logging Policy. An appropriate name chosen at this stage will save time because it will not be necessary to open the policy's property page to determine its purpose.

    The General (Policy) tab shown in fig. 12.13 contains the actual policy settings applied to the Exchange servers of the organization in question. The tab is called General (Policy) because it potentially configures the General tab of the property pages for all of the available servers. (Later in this chapter, we'll see how to apply this policy to all servers in an organization.) If you compare this tab with the General tab on a server's properties page, you'll see that the tabs are the same except for the identifying information at the top of the tab.

    The General (Policy) tab enables subject logging and display for all existing Exchange 2003 servers. This setting works in conjunction with the Enable Message Tracking option, which allows you to track messages sent within the organization. These options are useful for troubleshooting the source of problems that occur when some users do not receive messages from other users. It is possible to track the passage of a message through the organization to determine where the problems with data transmission lie. For more information about message tracking and message subject logging, see Chapter 6, Exchange Server 2003 Functionality, Security, and Support.


    Fig. 12.12.


    Fig. 12.13.

    Once a policy has taken effect, it cannot be changed at the local server level. The message tracking policy we used as an example was generated on server EX-SRV1 in the Arizona admin group. On the

    The functionality of the Windows Server operating system grows and improves from version to version; there are more and more roles and components, so in today's article I will try to briefly describe the purpose of each role in Windows Server 2016.

    Before proceeding to the description of the Windows Server server roles, let's find out what exactly a "Server role" is in the Windows Server operating system.

    What is a "Server Role" in Windows Server?

    A "Server role" is a software package that allows the server to perform a certain function, and this function is the main one. In other words, a "Server role" is the purpose of the server, i.e. what it is for. So that the server can perform its main function, i.e. a certain role, the "Server role" includes all the software necessary for this (programs, services).

    The server can have one role if it is actively used, or several if each of them does not heavily load the server and is rarely used.

    A server role can include multiple role services that provide the functionality of the role. For example, the "Web Server (IIS)" server role includes a fairly large number of services, while the "DNS Server" role does not include role services, because this role performs only one function.

    Role Services can be installed all together or individually, depending on your needs. Essentially, installing a role means installing one or more of its services.

    Windows Server also has server "Components" (features).

    Server components (features) are software tools that are not a server role, but extend the capabilities of one or more roles, or manage one or more roles.

    Some roles cannot be installed if the server does not have the role services or components that are required for the role to function. Therefore, when installing such a role, the "Add Roles and Features Wizard" itself will automatically prompt you to install the necessary additional role services or components.

    Description of Windows Server 2016 server roles

    You are probably already familiar with many of the roles in Windows Server 2016, since they have been around for quite some time. But, as I said, with each new version of Windows Server new roles are added that you may not have worked with yet, and it is worth knowing what they are for, so let's start looking at them.

    Note! You can read about the new features of the Windows Server 2016 operating system in the material "Installing Windows Server 2016 and an overview of new features".

    Since very often the installation and administration of roles, services and components occurs using Windows PowerShell, I will indicate for each role and its service a name that can be used in PowerShell, respectively, for its installation or for management.
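    The following is an added example, not code from the original article, showing how the role names listed below are used with the ServerManager cmdlets to inspect, preview and install roles. It assumes an elevated PowerShell session on a Windows Server host; the cmdlet names and feature names used are the standard ones.

```powershell
# Added example (not from the original article): querying and installing Windows Server 2016
# roles by their PowerShell feature names, as listed in this article.
# Assumes the ServerManager module that ships with Windows Server; run as Administrator.
Import-Module ServerManager

# Show the current install state of several roles named in this article.
Get-WindowsFeature -Name DHCP, DNS, Hyper-V, AD-Domain-Services, Web-Server |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize

# Preview what installing the DNS role would change without changing anything.
# Dependent role services and components are selected automatically,
# just as the Add Roles and Features Wizard does.
Install-WindowsFeature -Name DNS -IncludeManagementTools -WhatIf

# Install the DHCP role together with its management tools and check the result object.
$result = Install-WindowsFeature -Name DHCP -IncludeManagementTools
if ($result.Success) {
    "Installed: $($result.FeatureResult.Name -join ', ')"
    if ($result.RestartNeeded -ne 'No') { 'A restart is required to complete the installation.' }
} else {
    Write-Warning "Installation failed with exit code $($result.ExitCode)"
}

# Every installed role is additional attack surface; remove roles that are no longer needed.
# Preview the removal first:
Uninstall-WindowsFeature -Name DHCP -IncludeManagementTools -WhatIf
```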

    DHCP server

    This role allows you to centrally configure dynamic IP addresses and related settings for computers and devices on your network. The DHCP Server role does not have role services.

    The name for Windows PowerShell is DHCP.

    DNS server

    This role is intended for name resolution in TCP/IP networks. The DNS Server role provides and maintains DNS. To simplify the management of a DNS server, it is usually installed on the same server as Active Directory Domain Services. The DNS Server role does not have role services.

    The role name for PowerShell is DNS.

    Hyper-V

    With the Hyper-V role, you can create and manage a virtualized environment. In other words, it is a tool for creating and managing virtual machines.

    The role name for Windows PowerShell is Hyper-V.

    Device health attestation

    The "Device Health Attestation" role allows you to evaluate the health of a device based on measured security indicators, such as the state of Secure Boot and BitLocker on the client.

    For this role to function, a number of role services and components are required, for example: several services from the "Web Server (IIS)" role, the " " component, and the ".NET Framework 4.6 Features" component.

    During installation, all required role services and features will be selected automatically. The "Device Health Attestation" role has no role services.

    The name for PowerShell is DeviceHealthAttestationService.

    Web server (IIS)

    Provides a reliable, manageable, and scalable web application infrastructure. Consists of a fairly large number of services (43).

    The name for Windows PowerShell is Web-Server.

    Includes the following role services (in brackets I will indicate the name for Windows PowerShell):

    Web Server (Web-WebServer) - a group of role services that provides support for HTML websites, ASP.NET extensions, ASP, and the web server itself. Consists of the following services:

    • Security (Web-Security) - a set of services to ensure the security of the web server.
      • Request filtering (Web-Filtering) - using these tools, you can process all requests coming to the server and filter these requests based on special rules set by the web server administrator;
      • IP address and domain restrictions (Web-IP-Security) - these tools allow you to allow or deny access to content on a web server based on the IP address or domain name of the source in the request;
      • URL Authorization (Web-Url-Auth) - tools allow you to develop rules to restrict access to web content and associate them with users, groups, or HTTP header commands;
      • Digest Authentication (Web-Digest-Auth) - This authentication provides a higher level of security than basic authentication. Digest authentication for user authentication works like passing a password hash to a Windows domain controller;
      • Basic Authentication (Web-Basic-Auth) - This authentication method provides the widest web browser compatibility. It is recommended only for small internal networks. The main disadvantage of this method is that passwords transmitted over the network can be quite easily intercepted and read, so use this method only in combination with SSL;
      • Windows Authentication (Web-Windows-Auth) is an authentication based on Windows domain authentication. In other words, you can use Active Directory accounts to authenticate users of your Web sites;
      • Client Certificate Mapping Authentication (Web-Client-Auth) - This authentication method uses a client certificate. This type uses Active Directory services to provide certificate mapping;
      • IIS Client Certificate Mapping Authentication (Web-Cert-Auth) - This method also uses client certificates for authentication, but uses IIS itself to provide the certificate mapping. This type provides better performance;
      • Centralized support for an SSL certificate (Web-CertProvider) - these tools allow you to centrally manage SSL server certificates, which greatly simplifies the process of managing these certificates;
    • Health and Diagnostics (Web-Health) - a set of services for monitoring, managing and troubleshooting web servers, sites and applications:
      • HTTP Logging (Web-Http-Logging) - these tools log website activity on the given server;
      • ODBC Logging (Web-ODBC-Logging) - these tools also log website activity, but support writing that activity to an ODBC-compliant database;
      • Request Monitor (Web-Request-Monitor) is a tool that allows you to monitor the health of a web application by intercepting information about HTTP requests in the IIS worker process;
      • Custom Logging (Web-Custom-Logging) - Using these tools, you can configure logging of web server activity in a format that differs significantly from the standard IIS format. In other words, you can create your own logging module;
      • Logging tools (Web-Log-Libraries) are tools for managing web server logs and automating logging tasks;
      • Tracing (Web-Http-Tracing) is a tool for diagnosing and resolving violations in web applications.
    • Common HTTP Features (Web-Common-Http) - a set of services that provide basic HTTP functionality:
      • Default Document (Web-Default-Doc) - This feature allows you to configure the web server to return a default document when users do not specify a specific document in the request URL, making it easier for users to access a website, for example by domain name alone, without specifying a file;
      • Directory Browsing (Web-Dir-Browsing) - This tool can be used to configure the web server so that users can view a list of all directories and files on a website, for example when users do not specify a file in the request URL and default documents are either disabled or not configured;
      • HTTP Errors (Web-Http-Errors) - this feature allows you to configure the error messages that are returned to users' web browsers when the web server detects an error. It is used to present error messages to users more clearly;
      • Static Content (Web-Static-Content) - this tool allows the web server to serve content in static file formats, such as HTML files or image files;
      • HTTP Redirection (Web-Http-Redirect) - using this feature, you can redirect a user request to a specific destination, i.e. this is a redirect;
      • WebDAV Publishing (Web-DAV-Publishing) - allows you to use WebDAV technology on the IIS web server. WebDAV (Web Distributed Authoring and Versioning) is a technology that allows users to work together (read, edit, read properties, copy, move) on files on remote web servers using the HTTP protocol.
    • Performance (Web-Performance) - a set of services to achieve higher web server performance through output caching and common compression mechanisms such as Gzip and Deflate:
      • Static Content Compression (Web-Stat-Compression) is a tool for configuring compression of static HTTP content. It allows more efficient use of bandwidth without unnecessary CPU load;
      • Dynamic Content Compression (Web-Dyn-Compression) is a tool for configuring compression of dynamic HTTP content. This tool provides more efficient use of bandwidth, but in this case the server CPU load associated with dynamic compression can slow down the site if the CPU is already heavily loaded even without compression.
    • Application Development (Web-App-Dev)- a set of services and tools for developing and hosting web applications, in other words, website development technologies:
      • ASP (Web-ASP) is an environment for supporting and developing web sites and web applications using ASP technology. At the moment, there is a newer and more advanced website development technology - ASP.NET;
      • ASP.NET 3.5 (Web-Asp-Net) is an object-oriented development environment for web sites and web applications using ASP.NET technology;
      • ASP.NET 4.6 (Web-Asp-Net45) is also an object-oriented development environment for web sites and web applications using the new version of ASP.NET;
      • CGI (Web-CGI) is the ability to use CGI to pass information from the web server to an external program. CGI is an interface standard for connecting an external program to a web server. The drawback is that using CGI affects performance;
      • Server Side Includes (SSI) (Web-Includes) is support for the SSI scripting language (server-side include), which is used to dynamically generate HTML pages;
      • Application Initialization (Web-AppInit) - this tool performs web application initialization tasks before a web page is sent;
      • WebSocket Protocol (Web-WebSockets) - adds the ability to create server applications that communicate using the WebSocket protocol. WebSocket is a protocol that allows a browser and a web server to send and receive data simultaneously over a single TCP connection, a kind of extension to the HTTP protocol;
      • ISAPI extensions (Web-ISAPI-Ext) - support for dynamic development of web content using the ISAPI application programming interface. ISAPI is an API for the IIS web server. ISAPI applications are much faster than ASP files or files that call COM+ components;
      • .NET 3.5 Extensibility (Web-Net-Ext) is a .NET 3.5 extensibility feature that allows you to change, add, and extend web server functionality throughout the request processing pipeline, configuration, and user interface;
      • .NET 4.6 Extensibility (Web-Net-Ext45) is a .NET 4.6 extensibility feature that also allows you to modify, add, and extend web server functionality across the entire request processing pipeline, configuration, and user interface;
      • ISAPI Filters (Web-ISAPI-Filter) - Add support for ISAPI filters. ISAPI filters are programs that are called when a web server receives a specific HTTP request to be processed by this filter.

    FTP Server (Web-Ftp-Server) - services that provide support for the FTP protocol. We talked in more detail about the FTP server in the material "Installing and configuring an FTP server on Windows Server 2016". Contains the following services:

    • FTP Service (Web-Ftp-Service) - adds support for the FTP protocol on the web server;
    • FTP Extensibility (Web-Ftp-Ext) - Extends standard FTP capabilities, such as adding support for features such as custom providers, ASP.NET users, or IIS manager users.

    Management Tools (Web-Mgmt-Tools) are the management tools for the IIS 10 web server. These include: the IIS user interface, command line tools, and scripts.

    • The IIS Management Console (Web-Mgmt-Console) is the user interface for managing IIS;
    • IIS Management Scripts and Tools (Web-Scripting-Tools) are tools and scripts for managing IIS from the command line or from scripts. They can be used, for example, to automate management;
    • Management Service (Web-Mgmt-Service) - this service adds the ability to manage the web server remotely from another computer using IIS Manager;
    • IIS 6 Management Compatibility (Web-Mgmt-Compat) - provides compatibility for applications and scripts that use the IIS 6 APIs. Existing IIS 6 scripts can be used to manage the IIS 10 web server:
      • IIS 6 Metabase Compatibility (Web-Metabase) is a compatibility tool that allows you to run applications and scripts that have been migrated from earlier versions of IIS;
      • IIS 6 Scripting Tools (Web-Lgcy-Scripting) - These tools allow you to use the same IIS 6 Scripting Services that were created to manage IIS 6 in IIS 10;
      • IIS 6 Management Console (Web-Lgcy-Mgmt-Console) is a tool for administering remote IIS 6.0 servers;
      • IIS 6 WMI Compatibility (Web-WMI) are Windows Management Instrumentation (WMI) scripting interfaces for programmatically controlling and automating IIS 10.0 web server tasks using a set of scripts created in a WMI provider.
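    As an added example (not code from the original article), the script below audits which of the Security role services listed above are installed and checks that Basic authentication, where enabled, is only used on sites with an HTTPS binding, as the text recommends. It assumes the ServerManager and WebAdministration modules that ship with the Web Server (IIS) role and an elevated session on the IIS host.

```powershell
# Added example (not part of the original article): audit the installed IIS authentication
# role services and flag Basic authentication that is not protected by an HTTPS binding.
# Assumes the ServerManager and WebAdministration modules; run on the IIS host as Administrator.
Import-Module ServerManager
Import-Module WebAdministration

# Role service names of the IIS "Security" group, as listed in this article.
$securityServices = 'Web-Filtering', 'Web-IP-Security', 'Web-Url-Auth', 'Web-Digest-Auth',
                    'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Client-Auth', 'Web-Cert-Auth',
                    'Web-CertProvider'

$installed = Get-WindowsFeature -Name $securityServices | Where-Object Installed
'Installed IIS security role services:'
$installed | ForEach-Object { "  $($_.Name) ($($_.DisplayName))" }

if ($installed.Name -contains 'Web-Basic-Auth') {
    # Basic authentication only encodes the credentials, so it is acceptable only over TLS.
    if (-not (Get-WebBinding -Protocol https)) {
        Write-Warning 'Web-Basic-Auth is installed but no site on this server has an HTTPS binding.'
    }

    # Per-site check: Basic authentication enabled on a site without an HTTPS binding.
    foreach ($site in Get-Website) {
        $basic = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
            -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
        $hasHttps = $site.Bindings.Collection | Where-Object protocol -eq 'https'
        if ($basic.Value -and -not $hasHttps) {
            Write-Warning "Site '$($site.Name)' has Basic authentication enabled without an HTTPS binding."
        }
    }
}
```

    A warning from this script means credentials for that site cross the network unprotected; either add an HTTPS binding or switch the site to Windows or certificate authentication.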

    Active Directory Domain Services

    The "Active Directory Domain Services" (AD DS) role provides a distributed database that stores and processes information about network resources. This role is used to organize network elements such as users, computers, and other devices into a hierarchical containment structure. The hierarchical structure includes forests, domains within a forest, and organizational units (OUs) within each domain. A server running AD DS is called a domain controller.

    The role name for Windows PowerShell is AD-Domain-Services.

    Windows Server Essentials Mode

    This role provides a server infrastructure with convenient and efficient functions, for example: storing client data in a centralized location and protecting this data by backing up the server and client computers, and remote web access, which allows you to access data from virtually any device. This role requires several role services and features, for example: BranchCache, Windows Server Backup, Group Policy Management, and the "DFS Namespaces" role service.

    The name for PowerShell is ServerEssentialsRole.

    Network Controller

    Introduced in Windows Server 2016, this role provides a single point of automation for managing, monitoring, and diagnosing the physical and virtual network infrastructure in the datacenter. Using this role, you can configure IP subnets, VLANs, physical network adapters of Hyper-V hosts from one point, manage virtual switches, physical routers, firewall settings, and VPN gateways.

    The name for Windows PowerShell is NetworkController.

    Host Guardian Service

    This is the Host Guardian Service (HGS) server role. It provides attestation and key protection services that allow guarded hosts to run shielded virtual machines. For this role to function, several additional roles and components are required, for example: Active Directory Domain Services, Web Server (IIS), the "Failover Clustering" feature, and others.

    The name for PowerShell is HostGuardianServiceRole.

    Active Directory Lightweight Directory Services

    The "Active Directory Lightweight Directory Services" (AD LDS) role is a lightweight version of AD DS that has less functionality but does not require the deployment of domains or domain controllers, and does not have the dependencies and domain restrictions required by AD DS. AD LDS runs over the LDAP protocol (Lightweight Directory Access Protocol). You can deploy multiple AD LDS instances on the same server with independently managed schemas.

    The name for PowerShell is ADLDS.

    MultiPoint Services

    This is another role that is new in Windows Server 2016. MultiPoint Services (MPS) provides basic remote desktop functionality that allows multiple users to work simultaneously and independently on the same computer. To install and operate this role, you need to install several additional services and components, for example: Print Server, Windows Search Service, XPS Viewer, and others, all of which will be selected automatically during MPS installation.

    The name of the role for PowerShell is MultiPointServerRole.

    Windows Server Update Services

    With this role (WSUS), system administrators can manage Microsoft updates. For example, they can create separate groups of computers for different sets of updates, as well as receive reports on the compliance of computers with the requirements and on the updates that need to be installed. For "Windows Server Update Services" to function, you need role services and components such as: Web Server (IIS), Windows Internal Database, and Windows Process Activation Service.

    The name for Windows PowerShell is UpdateServices.

    • WID Connectivity (UpdateServices-WidDB) - configures WSUS to use the WID (Windows Internal Database) database. In other words, WSUS will store its service data in WID;
    • WSUS Services (UpdateServices-Services) are the WSUS role services, such as Update Service, Reporting Web Service, API Remoting Web Service, Client Web Service, Web Simple Authentication Web Service, Server Synchronization Service and DSS Authentication Web Service;
    • SQL Server Connectivity (UpdateServices-DB) is a component installation that allows the WSUS service to connect to a Microsoft SQL Server database. This option provides for the storage of service data in a Microsoft SQL Server database. In this case, you must already have at least one instance of SQL Server installed.

    Volume License Activation Services

    This server role automates, simplifies, and manages volume licenses for software from Microsoft.

    The name for PowerShell is VolumeActivation.

    Print and Document Services

    This server role is designed to share printers and scanners on a network, to centrally configure and manage print and scan servers, and to manage network printers and scanners. Print and Document Services also allows you to send scanned documents via email, to network shares, or to Windows SharePoint Services sites.

    The name for PowerShell is Print-Services.

    • Print Server (Print-Server) - This role service includes the "Print Management" snap-in, which is used to manage printers or print servers, as well as to migrate printers and other print servers;
    • Internet Printing (Print-Internet) - To implement printing over the Internet, a website is created through which users can manage print jobs on the server. For this service to work, as you understand, you need to install "Web Server (IIS)". All required components will be selected automatically when you check this box during installation of the "Internet Printing" role service;
    • Distributed Scan Server (Print-Scan-Server) is a service that allows you to receive scanned documents from network scanners and send them to a destination. This service also contains the "Scan Management" snap-in, which is used to manage network scanners and to configure scanning;
    • LPD Service (Print-LPD-Service) - the LPD service (Line Printer Daemon) allows UNIX-based computers and other computers using the Line Printer Remote (LPR) service to print to the server's shared printers.

    Network Policy and Access Services

    The "Network Policy and Access Services" (NPAS) role allows Network Policy Server (NPS) to set and enforce network access, authentication and authorization, and client health policies, in other words, to secure the network.

    The name for Windows PowerShell is NPAS.

    Windows Deployment Services

    With this role, you can remotely install the Windows operating system over a network.

    The role name for PowerShell is WDS.

    • Deployment Server (WDS-Deployment) - this role service is designed for remote deployment and configuration of Windows operating systems. It also allows you to create and customize images for reuse;
    • Transport Server (WDS-Transport) - This service contains the basic network components with which you can transfer data by multicasting on a stand-alone server.

    Active Directory Certificate Services

    This role is intended to create certificate authorities and related role services that allow you to issue and manage certificates for various applications.

    The name for Windows PowerShell is AD-Certificate.

    Includes the following role services:

    • Certification Authority (ADCS-Cert-Authority) - using this role service, you can issue certificates to users, computers, and services, as well as manage the validity of the certificate;
    • Certificate Enrollment Policy Web Service (ADCS-Enroll-Web-Pol) - This service allows users and computers to obtain certificate enrollment policy information from a web browser, even if the computer is not a member of a domain. It requires "Web Server (IIS)";
    • Certificate Enrollment Web Service (ADCS-Enroll-Web-Svc) - This service allows users and computers to enroll and renew certificates using a web browser over HTTPS, even if the computer is not a member of a domain. It also requires "Web Server (IIS)";
    • Online Responder (ADCS-Online-Cert) - The service is designed to check certificate revocation for clients. In other words, it accepts a revocation status request for specific certificates, evaluates the status of those certificates, and sends back a signed response with the status information. It requires "Web Server (IIS)";
    • Certification Authority Web Enrollment (ADCS-Web-Enrollment) - This service provides a web interface for users to perform tasks such as requesting and renewing certificates, obtaining CRLs, and enrolling smart card certificates. It requires "Web Server (IIS)";
    • Network Device Enrollment Service (ADCS-Device-Enrollment) - Using this service, you can issue and manage certificates for routers and other network devices that do not have network accounts. It requires "Web Server (IIS)".

    Remote Desktop Services

    A server role that can be used to provide access to virtual desktops, session-based desktops, and RemoteApps.

    The role name for Windows PowerShell is Remote-Desktop-Services.

    Consists of the following services:

    • Remote Desktop Web Access (RDS-Web-Access) - This role service allows users to access remote desktops and RemoteApp applications through the "Start" menu or using a web browser;
    • Remote Desktop Licensing (RDS-Licensing) - The service is designed to manage the licenses that are required to connect to a Remote Desktop Session Host server or a virtual desktop. It can be used to install and issue licenses and to track their availability. This service requires "Web Server (IIS)";
    • Remote Desktop Connection Broker (RDS-Connection-Broker) is a role service that provides the following capabilities: reconnecting a user to an existing virtual desktop, RemoteApp application, or session-based desktop, as well as load balancing between Remote Desktop Session Host servers or between pooled virtual desktops. This service requires the " " component;
    • Remote Desktop Virtualization Host (RDS-Virtualization) - The service allows users to connect to virtual desktops using RemoteApp and Desktop Connection. This service works in conjunction with Hyper-V, i.e. that role must be installed;
    • Remote Desktop Session Host (RDS-RD-Server) - This service can host RemoteApp applications and session-based desktops on a server. Access is through the Remote Desktop Connection client or RemoteApps;
    • Remote Desktop Gateway (RDS-Gateway) - The service allows authorized remote users to connect to virtual desktops, RemoteApps, and session-based desktops on the corporate network over the Internet. This service requires the following additional services and components: "Web Server (IIS)", "Network Policy and Access Services", "RPC over HTTP Proxy".

    AD RMS

    This is a server role that allows you to protect information from unauthorized use. It validates user identities and grants licenses to authorized users to access protected data. This role requires additional services and components: "Web Server (IIS)", "Windows Process Activation Service", ".NET Framework 4.6 Features".

    The name for Windows PowerShell is ADRMS.

    • Active Directory Rights Management Server (ADRMS-Server) - the main role service, required for installation;
    • Identity Federation Support (ADRMS-Identity) is an optional role service that enables federated identities to consume protected content using Active Directory Federation Services.

    AD FS

    This role provides simplified and secure identity federation and single sign-on (SSO) functionality to websites using a browser.

    The name for PowerShell is ADFS-Federation.

    Remote access

    This role provides connectivity through DirectAccess, VPN, and Web Application Proxy. The "Remote Access" role also provides traditional routing capabilities, including network address translation (NAT) and other connection options. This role requires additional services and features: "Web Server (IIS)", "Windows Internal Database".

    The role name for Windows PowerShell is RemoteAccess.

    • DirectAccess and VPN (RAS) (DirectAccess-VPN) - the service allows users to connect to the corporate network at any time with Internet access via DirectAccess, as well as organize VPN connections in combination with tunneling and data encryption technologies;
    • Routing (Routing) - the service provides support for NAT routers, LAN routers with BGP protocols, RIP and routers with multicast support (IGMP proxy);
    • Web Application Proxy (Web-Application-Proxy) - The service allows you to publish applications based on the HTTP and HTTPS protocols from the corporate network to client devices that are outside the corporate network.

    File and storage services

    This is a server role that can be used to share files and folders, manage and control shares, replicate files, provide fast file searches, and grant access to UNIX client computers. We looked at file services in more detail, and in particular the file server, in the material "Installing a file server (File Server) on Windows Server 2016".

    The name for Windows PowerShell is FileAndStorage-Services.

    Storage Services- This service provides storage management functionality that is always installed and cannot be removed.

    File Services and iSCSI Services (File-Services)- These are technologies that simplify the management of file servers and storages, save disk space, provide replication and caching of files in branches, and also provide file sharing via the NFS protocol. Includes the following role services:

    • File Server (FS-FileServer) - a role service that manages shared folders and provides users with access to files on this computer over the network;
    • Data Deduplication (FS-Data-Deduplication) - this service saves disk space by storing only one copy of identical data on a volume;
    • File Server Resource Manager (FS-Resource-Manager) - using this service, you can manage files and folders on a file server, create storage reports, classify files and folders, configure folder quotas and define file blocking policies;
    • iSCSI Target Storage Provider (VDS and VSS Hardware Providers) (iSCSITarget-VSS-VDS) - Service allows applications on a server connected to an iSCSI target to shadow copy volumes on iSCSI virtual disks;
    • DFS namespaces (FS-DFS-Namespace) - using this service, you can group shared folders hosted on different servers into one or more logically structured namespaces;
    • Work Folders (FS-SyncShareService) - the service allows you to use work files on different computers, including work and personal ones. You can store your files in Work Folders, synchronize them, and access them from your local network or the Internet. For the service to function, the "IIS In-Process Web Core" component is required;
    • DFS Replication (FS-DFS-Replication) is a data replication engine between multiple servers that allows you to synchronize folders over a LAN or WAN connection. This technology uses the Remote Differential Compression (RDC) protocol to update only the portion of files that have changed since the last replication. DFS Replication can be used with or without DFS Namespaces;
    • Server for NFS (FS-NFS-Service) - The service allows this computer to share files with UNIX-based computers and other computers that use the Network File System (NFS) protocol;
    • iSCSI Target Server (FS-iSCSITarget-Server) - provides services and management for iSCSI targets;
    • BranchCache Service for Network Files (FS-BranchCache) - The service provides BranchCache support on this file server;
    • File Server VSS Agent Service (FS-VSS-Agent) - The service allows you to perform volume shadow copies for applications that store data files on this file server.

    Fax server

    The role sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on this computer or network. The "Print Server" role is required for it to work.

    The role name for Windows PowerShell is Fax.

    This completes the review of Windows Server 2016 server roles. I hope the material was useful to you; that's all for now!

    Applying Group Policies (Part 3)

    Typically, GPOs are assigned to a container (domain, site, or OU) and apply to all objects in that container. With a well-organized domain structure, this is quite enough, but sometimes it is necessary to further restrict the application of policies to a specific group of objects. Two types of filters can be used for this.

    Security filters

    Security filters allow you to restrict the application of policies to a specific security group. For example, let's take GPO2, which is used to centrally configure the Start menu on workstations with Windows 8.1\Windows 10. GPO2 is assigned to the Employees OU and applies to all users without exception.

    Now let's go to the "Scope" tab, where the "Security Filtering" section lists the groups to which this GPO can be applied. By default, the Authenticated Users group is specified here. This means that the policy can be applied to any user or computer that has successfully authenticated to the domain.

    In fact, each GPO has its own access list, which can be seen on the Delegation tab.

    To apply the policy, the object must have the rights to read (Read) and apply (Apply group policy), which the Authenticated Users group has. Accordingly, in order for the policy to be applied not to everyone, but only to a specific group, it is necessary to remove Authenticated Users from the list, then add the desired group and give it the appropriate rights.

    So in our example, the policy can only be applied to the Accounting group.
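    The same security-filter change can be made and verified from PowerShell with the GroupPolicy module. This is an added example, not code from the original article; it assumes the GroupPolicy RSAT module is available and that you have edit rights on the GPO. The GPO and group names are the article's (GPO2, Accounting); the functions Set-GpoSecurityFilter and Get-GpoApplyPrincipals are constructed here.

```powershell
# Added example (not from the original article): restrict GPO2 to the Accounting
# group, then list every principal that can still apply the policy.
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # GpoApply = Read + Apply group policy, the two rights the article says a
    # principal needs for the GPO to be processed.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Authenticated Users must no longer *apply* the policy, but since the
    # MS16-072 security update the computer account must still be able to *read*
    # the GPO or user-side policy retrieval fails. Downgrade to read-only rather
    # than removing the entry; -Replace lowers an existing higher level.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

function Get-GpoApplyPrincipals {
    param([Parameter(Mandatory)][string]$GpoName)
    # Equivalent of the Delegation tab: who holds "Apply group policy"?
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

Set-GpoSecurityFilter -GpoName 'GPO2' -GroupName 'Accounting'
Get-GpoApplyPrincipals -GpoName 'GPO2'   # expected: only Accounting remains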

    WMI filters

    Windows Management Instrumentation (WMI) is one of the most powerful tools for managing the Windows operating system. WMI contains a huge number of classes with which you can describe almost any user and computer settings. You can view all available WMI classes as a list using PowerShell by running the command:

    Get-WmiObject -List

    For example, take the class Win32_OperatingSystem, which describes operating system properties. Suppose you want to filter out all operating systems except Windows 10. We go to a computer with Windows 10 installed, open the PowerShell console and display the name, version and type of the operating system using the command:

    Get-WmiObject -Class Win32_OperatingSystem | fl Name, Version, ProductType

    For the filter, we use the OS version and type. The version is the same for client and server OS and is defined as follows:

    Windows Server 2016\Windows 10 - 10.0
    Windows Server 2012 R2\Windows 8.1 - 6.3
    Windows Server 2012\Windows 8 - 6.2
    Windows Server 2008 R2\Windows 7 - 6.1
    Windows Server 2008\Windows Vista - 6.0

    The product type is responsible for the purpose of the computer and can have 3 values:

    1 - workstation;
    2 - domain controller;
    3 - server.

    Now let's move on to creating a filter. To do this, open the Group Policy Management snap-in and go to the WMI Filters section. Right-click on it and select New from the context menu.

    In the window that opens, give the filter a name and description. Then we press the "Add" button and in the "Query" field we enter the WQL query, which is the basis of the WMI filter. We need to select OS version 10.0 with type 1, so the request will look like this:

    SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0%" AND ProductType = "1"

    Note. Windows Query Language (WQL) - WMI query language. You can learn more about it on MSDN.

    Save the resulting filter.

    Now all that's left is to assign the WMI filter to a GPO, such as GPO3. Go to the properties of the GPO, open the "Scope" tab and in the "WMI Filtering" field, select the desired filter from the list.
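    Before attaching a WMI filter to a GPO it is worth running its WQL query on a representative machine, since a wrong query silently removes the policy from every computer. The following is an added example, not code from the original article. It reuses the article's query and the version/ProductType table above; the functions Get-OsFilterFacts and Test-WmiFilterQuery, the ProductType labels and the server-only variant are constructed here.

```powershell
# Added example (not from the original article): show the OS facts a WMI filter
# sees, then evaluate filter queries the way the Group Policy client would.
function Get-OsFilterFacts {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $target = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $target.ComputerName = $ComputerName }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem @target
    # Labels follow the article's table: 1 workstation, 2 domain controller, 3 server.
    $typeNames = @{ 1 = 'workstation'; 2 = 'domain controller'; 3 = 'server' }
    [pscustomobject]@{
        Computer    = $ComputerName
        Name        = $os.Caption
        Version     = $os.Version        # e.g. 10.0.<build>
        BuildNumber = $os.BuildNumber    # tells apart releases that share Version 10.0
        ProductType = '{0} ({1})' -f $os.ProductType, $typeNames[[int]$os.ProductType]
    }
}

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $target = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $target.ComputerName = $ComputerName }
    # A WMI filter evaluates to true when its query returns at least one instance;
    # running the same WQL through CIM reproduces that decision.
    $hits = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query @target -ErrorAction Stop)
    [pscustomobject]@{
        Computer = $ComputerName
        Applies  = ($hits.Count -gt 0)
        Matches  = $hits.Count
        Query    = $Query
    }
}

# The article's filter: client OS with Version 10.0. Note that Windows 11 also
# reports Version 10.0, so use BuildNumber if the two must be told apart.
$clientOnly = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0%" AND ProductType = "1"'
# Constructed variant: member servers and domain controllers only.
$serverOnly = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0%" AND ProductType <> "1"'

Get-OsFilterFacts
Test-WmiFilterQuery -Query $clientOnly
Test-WmiFilterQuery -Query $serverOnly
```

    On a Windows 10 workstation the first query applies and the second does not; on a Windows 7 machine (Version 6.1) neither matches, which is exactly the behaviour the article observes on wks2 below.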

    Analysis of the application of group policies

    With so many GPO filtering methods, it is necessary to be able to diagnose and analyze their application. The easiest way to check the effect of group policies on a computer is to use the command line utility gpresult.

    For example, let's go to the wks2 computer, which has Windows 7 installed, and check if the WMI filter worked. To do this, open the cmd console with administrator rights and execute the command gpresult /r, which displays summary information about group policies applied to the user and computer.

    Note. The gpresult utility has many settings, which can be viewed with the command gpresult /?.

    As you can see from the received data, the GPO3 policy was not applied to the computer because it was filtered by the WMI filter.

    You can also check the GPO action from the Group Policy Management snap-in, using a special wizard. To launch the wizard, right-click on the "Group Policy Results" section and select the "Group Policy Results Wizard" item in the menu that opens.

    Specify the name of the computer for which the report will be generated. If you only want to view user-specific Group Policy settings, you can choose not to collect settings for the computer. To do this, check the box below (display user policy settings only).

    Then we select the user name for which data will be collected, or you can specify not to include group policy settings for the user in the report (display computer policy settings only).

    We check the selected settings, click "Next" and wait while the data is collected and the report is generated.

    The report contains comprehensive data about the GPOs applied (or not applied) to the user and computer, as well as the filters used.

    For example, let's create reports for two different users and compare them. Let's open the report for user Kirill first and go to the user settings section. As you can see, the GPO2 policy was not applied to this user, because he does not have rights to apply it (Reason Denied - Inaccessible).

    And now let's open the report for the user Oleg. This user is a member of the Accounting group, so the policy was successfully applied to him. This means that the security filter completed successfully.
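    Comparing reports by hand works for two users; for a fleet it helps to pull the same information out of gpresult's XML output. The block below is an added example, not code from the original article. It assumes the RSOP XML schema that gpresult /x writes (a root in the namespace http://www.microsoft.com/GroupPolicy/Rsop, with ComputerResults and UserResults sections containing GPO elements that carry Name, Enabled, IsValid, FilterAllowed and AccessDenied children); the function Get-GpoApplicationStatus is constructed, and wks2, GPO2 and GPO3 are the article's examples.

```powershell
# Added example (not from the original article): run gpresult in XML mode and list
# every GPO together with the reason it was or was not applied, so WMI-filter and
# security-filter effects show up in one table instead of two HTML reports.
function Get-GpoApplicationStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$UserName,                           # e.g. 'DOMAIN\Oleg' (placeholder domain)
        [string]$Path = (Join-Path $env:TEMP 'rsop.xml')
    )
    # /x writes the RSOP data as XML, /f overwrites an existing file, /s targets a
    # remote computer, /user selects whose user-side results to collect.
    $gpArgs = @('/x', $Path, '/f', '/s', $ComputerName)
    if ($UserName) { $gpArgs += @('/user', $UserName) }
    & gpresult.exe @gpArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult exited with code $LASTEXITCODE" }

    [xml]$rsop = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($rsop.NameTable)
    $ns.AddNamespace('r', 'http://www.microsoft.com/GroupPolicy/Rsop')

    # Read a child element's text explicitly; $node.Name would be ambiguous with
    # the XmlElement.Name property.
    function Read-Child([System.Xml.XmlNode]$Node, [string]$Child) {
        $n = $Node.SelectSingleNode("r:$Child", $ns)
        if ($n) { $n.InnerText } else { $null }
    }

    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $rsop.SelectNodes("//r:$scope/r:GPO", $ns)) {
            # A GPO can fail more than one check; report the first one that applies.
            $status = if ((Read-Child $gpo 'AccessDenied') -eq 'true')   { 'Denied (security filtering)' }
                      elseif ((Read-Child $gpo 'FilterAllowed') -eq 'false') { 'Denied (WMI filter)' }
                      elseif ((Read-Child $gpo 'Enabled') -eq 'false')       { 'Denied (GPO disabled)' }
                      elseif ((Read-Child $gpo 'IsValid') -eq 'false')       { 'Denied (inaccessible)' }
                      else                                                   { 'Applied' }
            [pscustomobject]@{
                Scope  = $scope -replace 'Results$', ''
                GPO    = Read-Child $gpo 'Name'
                Status = $status
            }
        }
    }
}

# Did the WMI filter keep GPO3 off the Windows 7 workstation, and did the security
# filter keep GPO2 away from a user outside the Accounting group?
Get-GpoApplicationStatus -ComputerName 'wks2' -UserName 'DOMAIN\Kirill' |
    Where-Object { $_.GPO -in 'GPO2', 'GPO3' } |
    Format-Table -AutoSize
```

    Running against several computers in a loop and keeping the resulting objects gives a quick way to spot a filter that excludes more machines than intended.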

    That, perhaps, concludes the "fascinating" story about the application of group policies. I hope this information will be useful and help you in the difficult task of system administration 🙂

    When you install Windows, most of the non-essential subsystems are not activated or installed. This is done for security reasons. Because the system is secure by default, system administrators can focus on designing a system that does only what it is meant to do, and nothing else. To help you enable the features you want, Windows prompts you to select a Server Role.

    Roles

    A server role is a set of programs that, when properly installed and configured, enable a computer to perform a specific function for multiple users or other computers on a network. In general, all roles have the following characteristics.

    • They define the primary function, purpose, or use of a computer. You can designate a computer to play one role that is heavily used in the enterprise, or to play multiple roles where each role is used only occasionally.
    • Roles give users throughout the organization access to resources that are managed by other computers, such as websites, printers, or files stored on different computers.
    • They usually have their own databases that queue user or computer requests or record information about network users and computers associated with a role. For example, Active Directory Domain Services contains a database for storing the names and hierarchical relationships of all computers on a network.
    • Once properly installed and configured, roles function automatically. This allows the computers on which they are installed to perform assigned tasks with limited user interaction.

    Role Services

    Role services are programs that provide the functionality of a role. When you install a role, you can choose which services it provides to other users and computers in the enterprise. Some roles, such as the DNS server, perform only one function, so there are no role services for them. Other roles, such as Remote Desktop Services, have several services that you can install based on your enterprise's remote access needs. A role can be thought of as a collection of closely related, complementary role services. In most cases, installing a role means installing one or more of its services.

    Components

    Components are programs that are not directly part of roles, but support or extend the functionality of one or more roles, or of the entire server, regardless of which roles are installed. For example, the Failover Clustering component extends the functionality of other roles such as File Services and DHCP Server by allowing them to join server clusters, which provides increased redundancy and performance. Another component, the Telnet Client, allows remote communication with a Telnet server over a network connection. This feature enhances the communication options for the server.

    When Windows Server is running in Server Core mode, the following server roles are supported:

    • Active Directory Certificate Services;
    • Active Directory Domain Services;
    • DHCP server;
    • DNS server;
    • file services (including the file server resource manager);
    • Active Directory Lightweight Directory Services;
    • Hyper-V;
    • printing and document services;
    • streaming media services;
    • web server (including a subset of ASP.NET);
    • Windows Server Update Server;
    • Active Directory rights management server;
    • Routing and Remote Access Server and the following subordinate roles:
      • Remote Desktop Connection Broker;
      • licensing;
      • virtualization.

    When Windows Server is running in Server Core mode, the following server features are supported:

    • Microsoft .NET Framework 3.5;
    • Microsoft .NET Framework 4.5;
    • Windows PowerShell;
    • Background Intelligent Transfer Service (BITS);
    • BitLocker Drive Encryption;
    • BitLocker Network Unlock;
    • BranchCache;
    • data center bridge;
    • Enhanced Storage;
    • failover clustering;
    • Multipath I/O;
    • network load balancing;
    • PNRP protocol;
    • qWave;
    • remote differential compression;
    • simple TCP/IP services;
    • RPC over HTTP proxy;
    • SMTP server;
    • SNMP service;
    • Telnet client;
    • telnet server;
    • TFTP client;
    • Windows internal database;
    • Windows PowerShell Web Access;
    • Windows Activation Service;
    • standardized Windows storage management;
    • IIS WinRM extension;
    • WINS server;
    • WoW64 support.

    Installing server roles using Server Manager

    To add a role, open Server Manager, and in the Manage menu click Add Roles and Features:

    The Add Roles and Features Wizard opens. Click Next.

    On the Installation Type page, select Role-based or feature-based installation. Click Next.

    On the Server Selection page, select our server and click Next. On the Server Roles page, select the roles you need, then select their role services and click Next to move on to selecting features. During this procedure, the Add Roles and Features Wizard automatically informs you of conflicts on the destination server that may prevent the installation or normal operation of the selected roles or features. It also prompts you to add the roles, role services, and features required by the ones you selected.

    Installing roles with PowerShell

    Open Windows PowerShell. Enter the Get-WindowsFeature command to view the list of available and installed roles and features on the local server. The output of this cmdlet contains the command names for the roles and features that are installed and available for installation.

    Type Get-Help Install-WindowsFeature to view the syntax and valid parameters for the Install-WindowsFeature cmdlet.

    Enter the following command, substituting the role or feature name from the Get-WindowsFeature output (the -Restart parameter restarts the server if the role installation requires it).

    Install-WindowsFeature -Name <RoleOrFeatureName> -Restart
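    A small wrapper keeps installations idempotent and leaves an audit trail of what is actually enabled, which matters because every extra role widens the server's attack surface. This is an added example, not code from the original article; the functions Install-MissingFeature and Get-InstalledFeatureSummary are constructed, and the feature names used in the usage call (FS-FileServer, FS-Resource-Manager) are the ones quoted in the role descriptions above.

```powershell
# Added example (not from the original article): install only the role services
# that are missing, never reboot unless asked, and report the installed set.
Import-Module ServerManager

function Install-MissingFeature {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [switch]$Restart
    )
    # Unknown feature names are an error, not something to install by accident.
    $requested = Get-WindowsFeature -Name $Name -ErrorAction Stop
    $missing   = @($requested | Where-Object { -not $_.Installed })
    if ($missing.Count -eq 0) {
        Write-Verbose 'All requested features are already installed.'
        return $requested
    }
    # -IncludeManagementTools adds the matching RSAT/MMC tools; -Restart:$Restart
    # only reboots when the caller asked for it AND the install needs it.
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools -Restart:$Restart
    if (-not $result.Success) { throw "Installation failed (exit code $($result.ExitCode))" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to finish the installation.' }
    Get-WindowsFeature -Name $Name
}

function Get-InstalledFeatureSummary {
    # Everything currently installed, to compare against the roles you intended.
    Get-WindowsFeature | Where-Object Installed |
        Select-Object Name, DisplayName, FeatureType |
        Sort-Object FeatureType, Name
}

Install-MissingFeature -Name 'FS-FileServer', 'FS-Resource-Manager' -Verbose
Get-InstalledFeatureSummary
```

    Running Get-InstalledFeatureSummary on a schedule and diffing the output against a known baseline is a cheap way to notice roles or features that appeared without a change ticket.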

    Description of roles and role services

    All roles and role services are described below. Let's look at advanced settings for the most common Web Server Role and Remote Desktop Services in our practice.

    Detailed description of IIS

    • Common HTTP Features - Basic HTTP Components
      • Default Document - allows you to set the index page for the site.
      • Directory Browsing - allows users to view the contents of a directory on a web server. Use Directory Browsing to automatically generate a list of all directories and files in a directory when users don't specify a file in the URL and the index page is disabled or not configured.
      • HTTP Errors - allows you to customize the error messages returned to clients in the browser.
      • Static Content - allows you to post static content, such as images or html files.
      • HTTP Redirection - Provides support for redirecting user requests.
      • WebDAV Publishing allows you to publish files from a web server using the HTTP protocol.
    • Health and Diagnostics Features - Diagnostic components
      • HTTP Logging provides logging of website activity for a given server.
      • Custom Logging provides support for creating custom logs that are different from "traditional" logs.
      • Logging Tools provides a framework for managing web server logs and automating common logging tasks.
      • ODBC Logging provides a framework that supports logging of web server activity to an ODBC-compliant database.
      • Request Monitor provides a framework for monitoring the state of web applications by collecting information about HTTP requests in an IIS worker process.
      • Tracing provides a framework for diagnosing and troubleshooting web applications. By using failed request tracing, you can track hard-to-find events such as poor performance or authentication failures.
    • Performance components to increase the performance of the web server.
      • Static Content Compression provides a framework for configuring HTTP compression of static content.
      • Dynamic Content Compression provides a framework for configuring HTTP compression of dynamic content.
    • Security components
      • Request Filtering allows you to capture all incoming requests and filter them based on rules set by the administrator.
      • Basic Authentication allows you to set additional authorization.
      • Centralized SSL Certificate Support is a feature that allows you to store certificates in a central location, like a file share.
      • Client Certificate Mapping Authentication uses client certificates to authenticate users.
      • Digest Authentication works by sending a password hash to a Windows domain controller to authenticate users. If you need more security than basic authentication, consider using Digest authentication.
      • IIS Client Certificate Mapping Authentication uses client certificates to authenticate users. The client certificate is a digital ID obtained from a trusted source.
      • IP and Domain Restrictions allows you to allow/deny access based on the requested IP address or domain name.
      • URL Authorization allows you to create rules that restrict access to web content.
      • Windows Authentication This authentication scheme allows Windows domain administrators to take advantage of the domain infrastructure for user authentication.
    • Application Development Features
    • FTP Server
      • FTP Service Enables FTP publishing to a web server.
      • FTP Extensibility Enables support for FTP features that extend the functionality of
    • Management Tools
      • The IIS Management Console installs IIS Manager, which allows you to manage the Web Server through a GUI.
      • IIS 6.0 Management Compatibility provides forward compatibility for applications and scripts that use the Admin Base Object (ABO) and the Active Directory Service Interface (ADSI) API. This allows existing IIS 6.0 scripts to be used with the IIS 8.0 web server.
      • IIS Management Scripts and Tools provide the infrastructure for managing the IIS web server programmatically, by using commands in a command prompt window, or by running scripts.
      • The Management Service provides the infrastructure for customizing the user interface, IIS Manager.
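    Of the components listed above, Directory Browsing and Request Filtering are the two that most often decide how much a misconfigured site reveals or accepts. The following added example (not code from the original article) installs a minimal IIS feature set containing only the listed security components that are needed, switches Directory Browsing off server-wide, tightens the Request Filtering limits, and reads the settings back. The feature names (Web-Server, Web-Filtering, Web-IP-Security, Web-Windows-Auth and the others) are the standard Windows feature names for the listed components; the function Get-IisRequestFilteringPosture and the 30 MB content limit are constructed here.

```powershell
# Added example (not from the original article): minimal IIS install plus the
# Request Filtering / Directory Browsing settings an administrator should check.
Import-Module ServerManager
$needed = 'Web-Server', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
          'Web-Http-Logging', 'Web-Filtering', 'Web-IP-Security', 'Web-Windows-Auth',
          'Web-Mgmt-Console'
# Note what is deliberately absent: Web-Dir-Browsing and Web-Basic-Auth.
Install-WindowsFeature -Name $needed -ErrorAction Stop | Out-Null

Import-Module WebAdministration
$root = 'MACHINE/WEBROOT/APPHOST'   # server-level applicationHost.config

# Directory Browsing lists every file when no default document exists; keep it off
# even though the feature is not installed, so a later install does not enable it.
Set-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $false

# Request Filtering: cap request bodies and reject URLs that rely on double
# escaping or high-bit characters, both common ways to slip past path checks.
Set-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/security/requestFiltering/requestLimits' `
    -Name 'maxAllowedContentLength' -Value 30000000
Set-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $false
Set-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowHighBitCharacters' -Value $false

function Get-IisRequestFilteringPosture {
    # Read the effective server-level values back so the change can be verified.
    $rf = 'system.webServer/security/requestFiltering'
    [pscustomobject]@{
        DirectoryBrowsing       = (Get-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/directoryBrowse' -Name 'enabled').Value
        AllowDoubleEscaping     = (Get-WebConfigurationProperty -PSPath $root -Filter $rf -Name 'allowDoubleEscaping').Value
        AllowHighBitCharacters  = (Get-WebConfigurationProperty -PSPath $root -Filter $rf -Name 'allowHighBitCharacters').Value
        MaxAllowedContentLength = (Get-WebConfigurationProperty -PSPath $root -Filter "$rf/requestLimits" -Name 'maxAllowedContentLength').Value
    }
}

Get-IisRequestFilteringPosture
```

    The allowHighBitCharacters setting is the one to test before rolling out: sites that legitimately serve non-ASCII paths will start receiving 404.12 responses once it is false.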

    Detailed description of RDS

    • Remote Desktop Connection Broker - Provides client device reconnection to programs based on desktop and virtual desktop sessions.
    • Remote Desktop Gateway - Allows authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on a corporate network or over the Internet.
    • Remote Desktop Licensing - RDP license management tool.
    • Remote Desktop Session Host - Includes a server to host RemoteApp programs or a desktop-based session.
    • Remote Desktop Virtualization Host - allows you to configure RDP on virtual machines.
    • Remote Desktop WebAccess - Allows users to connect to desktop resources using the Start menu or web browser.

    Let's consider installing and configuring a terminal license server. Installing roles was described above, and installing RDS is no different from installing other roles, except that under Role Services we need to select Remote Desktop Licensing and Remote Desktop Session Host. After installation, the Terminal Services item appears in Server Manager under Tools. It contains two items: RD Licensing Diagnoser, a tool for diagnosing the operation of remote desktop licensing, and Remote Desktop Licensing Manager, a license management tool.

    Run RD Licensing Diagnoser.

    Here we can see that there are no licenses available yet because the licensing mode is not set for the RD Session Host server. The license server is specified in local group policy. To launch the editor, run the gpedit.msc command. The Local Group Policy Editor opens. In the tree on the left, expand the nodes:

    • Computer Configuration
    • Administrative Templates
    • Windows Components
    • Remote Desktop Services
    • Remote Desktop Session Host
    • Licensing

    Open the setting "Use the specified Remote Desktop license servers".

    In the policy settings editing window, enable the setting (Enabled). Next, you must define a license server for Remote Desktop Services. In my example, the license server is located on the same physical server. Specify the network name or IP address of the license server and click OK. If the name of the license server changes in the future, you will need to change it in the same section.

    After that, the RD Licensing Diagnoser shows that the terminal license server is configured but not yet activated. To activate it, run Remote Desktop Licensing Manager.

    Select the licensing server with the status Not Activated. To activate it, right-click on it and select Activate Server. The Server Activation Wizard will start. On the Connection Method tab, select Automatic Connection. Next, fill in the information about the organization; after that the license server is activated.

    Active Directory Certificate Services

    AD CS provides configurable services for issuing and managing digital certificates that are used in software security systems that use public key technologies. Digital certificates provided by AD CS can be used to encrypt and digitally sign electronic documents and messages. These digital certificates can be used to authenticate computer, user, and device accounts on the network. Digital certificates are used to provide:

    • privacy through encryption;
    • integrity through digital signatures;
    • authentication by linking certificate keys to computer, user, and device accounts on the network.

    AD CS can be used to improve security by binding the identity of a user, device, or service to the corresponding private key. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPNs), IPsec, Encrypting File System (EFS), smart card logon, Secure Sockets Layer and Transport Layer Security (SSL/TLS) and digital signatures.

    Active Directory Domain Services

    Using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for managing users and resources; you can also provide directory-enabled applications such as Microsoft Exchange Server. AD DS provides a distributed database that stores and manages information about network resources and directory-enabled application data. The server that is running AD DS is called a domain controller. Administrators can use AD DS to organize network elements such as users, computers, and other devices into a hierarchical nested structure. The hierarchical nested structure includes the Active Directory forest, the domains in the forest, and the organizational units in each domain. Security features are integrated into AD DS in the form of authentication and access control to resources in the directory. With single sign-on, administrators can manage directory information and organization over the network. Authorized network users can also use network single sign-on to access resources located anywhere on the network. Active Directory Domain Services provides the following additional features.

    • A set of rules is a schema that defines the classes of objects and attributes that are contained in a directory, the restrictions and limits on instances of those objects, and the format of their names.
    • A global catalog containing information about each object in the catalog. Users and administrators can use the global catalog to search for catalog data, regardless of which domain in the catalog actually contains the searched data.
    • A query and indexing mechanism through which objects and their properties can be published and located by network users and applications.
    • A replication service that distributes directory data across a network. All writable domain controllers in the domain participate in replication and contain a complete copy of all directory data for their domain. Any changes to directory data are replicated in the domain to all domain controllers.
    • Operations master roles (also known as flexible single master operations, or FSMOs). Domain controllers that act as masters of operations are designed to perform special tasks to ensure data consistency and avoid conflicting directory entries.

    Active Directory Federation Services

    AD FS provides end users who need access to applications in an AD FS-secured enterprise, in federation partner organizations, or in the cloud with simplified and secure identity federation and web-based single sign-on (SSO) services. Windows Server AD FS includes the Federation Service role service, which acts as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then provides security tokens to applications that trust AD FS).

    Active Directory Lightweight Directory Services

    Active Directory Lightweight Directory Services (AD LDS) is an LDAP-based directory service that provides flexible support for directory applications without the dependencies and domain-specific restrictions of Active Directory Domain Services. AD LDS can be run on member or standalone servers. You can run multiple instances of AD LDS with independently managed schemas on the same server. With the AD LDS role, you can provide directory services to directory-enabled applications without using domain and forest service data and without requiring a single forest-wide schema.

    Active Directory Rights Management Services

    You can use AD RMS to extend your organization's security strategy by securing documents using Information Rights Management (IRM). AD RMS allows users and administrators to assign access permissions to documents, workbooks, and presentations using IRM policies. This allows you to protect confidential information from being printed, forwarded, or copied by unauthorized users. Once a file's permissions are restricted using IRM, access and usage restrictions apply regardless of the location of the information, because the file's permission is stored in the document file itself. With AD RMS and IRM, individual users can apply their own preferences regarding the transfer of personal and confidential information. They will also help an organization enforce corporate policies to control the use and distribution of sensitive and personal information. The IRM solutions supported by AD RMS are used to provide the following capabilities.

    • Persistent usage policies that stay with information whether it is moved, sent, or forwarded.
    • An additional layer of privacy to protect sensitive data - such as reports, product specifications, customer information, and email messages - from intentionally or accidentally falling into the wrong hands.
    • Prevent unauthorized sending, copying, editing, printing, faxing, or pasting of restricted content by authorized recipients.
    • Prevent copying of restricted content using the PRINT SCREEN feature in Microsoft Windows.
    • Support for file expiration, preventing document content from being viewed after a specified period of time.
    • Implement corporate policies that govern the use and distribution of content within the organization

    Application Server

    Application Server provides an integrated environment for deploying and running custom server-based business applications.

    DHCP Server

    DHCP is a client-server technology that allows DHCP servers to assign or lease IP addresses to computers and other devices that are DHCP clients. Deploying DHCP servers on a network automatically provides IPv4- and IPv6-based client computers and other network devices with valid IP addresses and the additional configuration settings they require. The DHCP Server service in Windows Server includes support for policy-based assignments and DHCP failover.

    DNS Server

    The DNS service is a hierarchical distributed database containing mappings of DNS domain names to various types of data such as IP addresses. The DNS service allows you to use friendly names such as www.microsoft.com to help locate computers and other resources on TCP/IP-based networks. The DNS service in Windows Server provides further enhanced support for DNS Security Extensions (DNSSEC), including network registration and automated settings management.

    FAX Server

    Fax Server sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on your fax server.

    File and Storage Services

    Administrators can use the File and Storage Services role to set up multiple file servers and their storages, and to manage those servers using Server Manager or Windows PowerShell. Some specific applications include the following features.

    • Work Folders. Use to allow users to store and access work files on personal computers and devices other than corporate PCs. Users get a convenient place to store work files and access them from anywhere. Organizations control corporate data by storing files on centrally managed file servers and optionally setting user device policies (such as encryption and screen lock passwords).
    • Data deduplication. Use to reduce disk space requirements for storing files, saving money on storage.
    • iSCSI target server. Use to create centralized, software and device-independent iSCSI disk subsystems in storage area networks (SANs).
    • Storage Spaces. Use to deploy storage that is highly available, resilient, and scalable with cost-effective, industry-standard drives.
    • Server Manager. Use to remotely manage multiple file servers from a single window.
    • Windows PowerShell. Use to automate the management of most file server administration tasks.

    Hyper-V

    The Hyper-V role allows you to create and manage a virtualized computing environment using the virtualization technology built into Windows Server. Installing the Hyper-V role installs prerequisites and optional management tools. Prerequisites include the Windows hypervisor, Hyper-V Virtual Machine Management Service, WMI virtualization provider, and virtualization components such as VMbus, Virtualization Service Provider (VSP), and Virtual Infrastructure Driver (VID).

    Network Policy and Access Services

    Network Policy and Access Services provides the following network connectivity solutions:

    • Network Access Protection is a technology for creating, enforcing, and remediating client health policies. With Network Access Protection, system administrators can set and automatically enforce health policies that include requirements for software, security updates, and other settings. For client computers that do not comply with the health policy, you can restrict access to the network until their configuration is updated to comply with the policy requirements.
    • If 802.1X-enabled wireless access points are deployed, you can use Network Policy Server (NPS) to deploy certificate-based authentication methods that are more secure than password-based authentication. Deploying 802.1X-enabled hardware with an NPS server allows intranet users to be authenticated before they can connect to the network or obtain an IP address from a DHCP server.
    • Instead of configuring a network access policy on each network access server, you can centrally create all policies that define all aspects of network connection requests (who can connect, when a connection is allowed, and the security level that must be used to connect to the network).

    Print and Document Services

    Print and Document Services allows you to centralize print server and network printer tasks. This role also allows you to receive scanned documents from network scanners and upload documents to network shares - to a Windows SharePoint Services site or via email.

    Remote Access

    The Remote Access Server role is a logical grouping of the following network access technologies.

    • Direct Access
    • Routing and remote access
    • Web Application Proxy

    These technologies are role services of the Remote Access server role. When you install the Remote Access server role, you can install one or more of these role services by running the Add Roles and Features Wizard.

    On Windows Server, the Remote Access Server role provides the ability to centrally administer, configure, and monitor DirectAccess and VPN with Routing and Remote Access Service (RRAS) remote access services. DirectAccess and RRAS can be deployed on the same Edge Server and managed using Windows PowerShell commands and Remote Access Management Console (MMC).

    Remote Desktop Services

    Remote Desktop Services accelerates and expands the deployment of desktops and applications on any device, making the remote worker more efficient while securing critical intellectual property and simplifying compliance. Remote Desktop Services includes Virtual Desktop Infrastructure (VDI), session-based desktops, and applications, giving users the ability to work from anywhere.

    Volume Activation Services

    Volume Activation Services is a server role in Windows Server, starting with Windows Server 2012, that automates and simplifies the issuance and management of volume licenses for Microsoft software in various scenarios and environments. With Volume Activation Services you can install and configure the Key Management Service (KMS) and Active Directory-based activation.

    Web Server (IIS)

    The Web Server (IIS) role in Windows Server provides a platform for hosting Web sites, services, and applications. Using a web server provides access to information to users on the Internet, intranet, and extranet. Administrators can use the Web Server (IIS) role to set up and manage multiple websites, web applications, and FTP sites. Special features include the following.

    • Use Internet Information Services (IIS) Manager to configure IIS components and administer websites.
    • Use the FTP protocol to let website owners upload and download files.
    • Use website isolation to prevent one website on the server from affecting the others.
    • Host web applications developed with various technologies such as Classic ASP, ASP.NET and PHP.
    • Use Windows PowerShell to automate most web server administration tasks.
    • Consolidate multiple web servers into a server farm that can be managed from IIS.

    Windows Deployment Services

    Windows Deployment Services allows you to deploy Windows operating systems over a network, which means you don't have to install each operating system directly from a CD or DVD.

    Windows Server Essentials Experience

    This role allows you to perform the following tasks:

    • protect server and client data by backing up the server and all client computers on the network;
    • manage users and user groups through a simplified server dashboard. In addition, integration with Windows Azure Active Directory* provides users with easy access to online Microsoft Online Services (such as Office 365, Exchange Online, and SharePoint Online) using their domain credentials;
    • store company data in a centralized location;
    • integrate the server with Microsoft Online Services (such as Office 365, Exchange Online, SharePoint Online, and Windows Intune);
    • use ubiquitous access features on the server (such as remote web access and virtual private networks) to access the server, network computers, and data from highly secure remote locations;
    • access data from anywhere and from any device using the organization's own web portal (through remote web access);
    • manage the mobile devices that access your organization's email with Office 365 via the Active Sync protocol from the dashboard;
    • monitor network health and receive customizable health reports; reports can be generated on demand, customized, and emailed to specific recipients.

    Windows Server Update Services

    The WSUS server provides the components that administrators need to manage and distribute updates through the management console. In addition, the WSUS server can be the source of updates for other WSUS servers in the organization. When implementing WSUS, at least one WSUS server on the network must be connected to Microsoft Update to receive information about available updates. Depending on the network's security and configuration, an administrator can determine how many other servers are directly connected to Microsoft Update.

    Introduction

    With the growth in the number of computers in an enterprise, the cost of managing and maintaining them becomes an increasingly pressing issue. Manual configuration takes a lot of staff time and, as the number of computers grows, forces the organization to enlarge the staff that services them. In addition, with a large number of machines it becomes increasingly difficult to monitor compliance with the standards adopted by the enterprise. Group Policy is a comprehensive tool for the centralized management of computers running Windows 2000 and later in an Active Directory domain. Group policies are not applied to computers running Windows NT4/9x: those are controlled by System Policy, which is not discussed in this article.

    GPOs

    All settings that you create within Group Policies will be stored in Group Policy Objects (GPOs). GPOs are of two types: local GPO and Active Directory GPOs. The local GPO is available on computers running Windows 2000 and later. There can only be one, and it is the only GPO that can be on a non-domain machine.

    A GPO is the general name for a set of files, directories and (if it is not a local object) entries in the Active Directory database that store your settings and determine which other settings you can change using Group Policy. By creating a policy, you are actually creating and modifying a GPO. The local GPO is stored in %SystemRoot%\System32\GroupPolicy. Active Directory GPOs are stored on a domain controller and can be linked to a site, a domain, or an OU (Organizational Unit). The object a GPO is linked to defines its scope. By default, two GPOs are created in a domain: Default Domain Policy and Default Domain Controllers Policy. The first defines the default password and account policy for the domain. The second is linked to the Domain Controllers OU and tightens the security settings of domain controllers.

    Create a GPO

    In order to create a policy (that is, actually create a new GPO), open Active Directory Users & Computers and choose where to create the new object. You can create and link a GPO only to a site, domain, or OU object.

    Fig. 1. Creating a GPO.

    To create a GPO and link it to, for example, the testers OU, right-click that OU and select Properties from the context menu. In the properties window that opens, open the Group Policy tab and click New.

    Fig. 2. Creating a GPO.

    Give the GPO a name; the object is now created and you can start configuring the policy. Double-click the created object or click the Edit button, and the GPO editor window opens, where you configure the specific settings of the object.

    Fig. 3. Description of settings on the Extended tab.

    Most of the main settings are intuitive (they also have a description if you open the Extended tab), and we will not dwell on each of them in detail. As can be seen from Fig. 3, a GPO consists of two sections: Computer Configuration and User Configuration. The settings in the first section are applied at Windows boot time to the computers in this container and below (unless inheritance is overridden) and are independent of which user logs on. The settings in the second section are applied when the user logs on.

    Order of applying GPOs

    When the computer starts, the following actions take place:

    1. The registry is read and it is determined which site the computer belongs to. A query is made to the DNS server in order to obtain the IP addresses of the domain controllers located in this site.
    2. Having received the addresses, the computer connects to the domain controller.
    3. The client requests a list of GP objects from the domain controller and applies them. The latter sends a list of GP objects in the order in which they should be applied.
    4. When the user logs in, the computer again requests a list of GP objects to be applied to the user, retrieves and applies them.

    Group policies are applied when the OS boots and when the user logs on. After that they are refreshed every 90 minutes, with a random offset of up to 30 minutes to avoid overloading the domain controller if a large number of clients request policies at the same time. For domain controllers, the refresh interval is 5 minutes. You can change this behavior in Computer Configuration\Administrative Templates\System\Group Policy. A GPO can act only on Computer and User objects. The policy applies only to objects located in the directory object (site, domain, organizational unit) to which the GPO is linked, and further down the tree (unless inheritance is blocked). For example, a GPO is created in the testers OU (as we did above).

    Fig. 4. Inheritance of settings.

    All settings made in this GPO will affect only users and computers located in the testers OU and the InTesters OU. Let's look at how policies are applied using an example. The user test, located in the testers OU, logs on to the computer comp, located in the compOU OU (see Fig. 5).

    Fig. 5. Order of application of policies.

    There are four GPOs in the domain:

    1. SitePolicy associated with the site container;
    2. Default Domain Policy associated with the domain container;
    3. Policy1 associated with OU testers;
    4. Policy2 associated with OU compOU.

    When booting Windows on a comp workstation, the settings defined in the Computer Configuration sections are applied in this order:

    1. Local GPO settings;
    2. GPO SitePolicy settings;
    3. GPO Default Domain Policy settings;
    4. GPO Policy2 settings.

    When the test user logs on to the comp computer, the settings defined in the User Configuration sections are applied in this order:

    1. Local GPO settings;
    2. GPO SitePolicy settings;
    3. GPO Default Domain Policy settings;
    4. GPO Policy1 settings.

    That is, the GPOs are applied in this order: local policies, site-level policies, domain-level policies, OU-level policies.

    Group policies are applied asynchronously on Windows XP clients and synchronously on Windows 2000 clients. Synchronous processing means that the user logon screen appears only after all computer policies have been applied, and user policies are applied before the desktop appears. Asynchronous processing means that the logon screen appears before all computer policies have been applied, and the desktop appears before all user policies have been applied, resulting in faster boot and logon for the user.
    The behavior described above changes in two cases. First, the client computer detects a slow network connection. By default, only security settings and administrative templates are applied in this case. A connection with a bandwidth of less than 500 Kb/s is considered slow. You can change this value in Computer Configuration\Administrative Templates\System\Group Policy\Group Policy slow link detection. In the same Computer Configuration\Administrative Templates\System\Group Policy section you can configure some other policy settings so that they are also processed over a slow connection. The second way to change the order in which policies are applied is the User Group Policy loopback processing option. By default, user policies are applied after computer policies and override them. The loopback option makes the computer's policies apply after the user policies and overwrite any user settings that conflict with them. The loopback option has 2 modes:

    1. Merge - first the computer policy is applied, then the user policy, and then the computer policy again. In this case, the computer policy replaces any user policy settings that contradict it with its own.
    2. Replace - the user policy is not processed at all.

    A typical use of the User Group Policy loopback processing option is a public computer that must have the same restricted settings regardless of which user uses it.

    Precedence, Inheritance, and Conflict Resolution

    As you have already noticed, GPOs at all levels contain the same settings, and the same setting can be defined differently at several levels. In this case, the last applied value becomes the effective value (the order in which GPOs are applied was discussed above). This rule applies to all settings except those left as Not Configured; for those, Windows takes no action. There is one exception: account and password settings can be defined only at the domain level; at other levels these settings are ignored.

    Fig. 6. Active Directory Users and Computers.

    If there are multiple GPOs at the same level, they are applied from the bottom up. By changing the position of the policy object in the list (using the Up and Down buttons), you can select the desired application order.

    Fig. 7. Order of application of policies.

    Sometimes you want a specific OU not to receive policy settings from GPOs linked to containers above it. In this case, disable policy inheritance by checking the Block Policy inheritance checkbox. All inherited policy settings are blocked; there is no way to block individual settings. Domain-level settings that define the password policy and account policy cannot be blocked.

    Fig. 9. Blocking policy inheritance.

    If you want the settings in a given GPO not to be overwritten, select the desired GPO, click the Options button, and select No Override. This option forces the GPO settings to be applied even where policy inheritance is blocked. No Override is set on the link between the GPO and the directory object, not on the GPO itself; if the GPO is linked to multiple containers in the domain, the setting is not automatically applied to the other links. If No Override is configured for multiple links at the same level, the settings of the GPO at the top of the list take precedence. If No Override is configured for multiple GPOs at different levels, the settings of the GPO higher in the directory hierarchy take effect. That is, if No Override is set both on a GPO link to the domain object and on a GPO link to an OU, the settings defined at the domain level are in effect. The Disabled checkbox cancels the effect of this GPO on this container.

    Fig. 10. The No Override and Disabled options.

    As mentioned above, policies affect only users and computers. The question often arises: how do I make a certain policy affect all users of a certain security group? To do this, link the GPO to the domain object (or to any container above the containers or OUs that hold all the user objects of the desired group) and configure access permissions: click Properties, on the Security tab remove the Authenticated Users group and add the required group with the Read and Apply Group Policy rights.
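The application order, Block Policy inheritance, No Override, security filtering and loopback rules described above can be checked against a small model. The following Python code is an added example, not code from the article; the containers, GPOs and setting names are constructed to mirror the scenario of Fig. 5.

```python
"""Toy model of Group Policy precedence (added example, not code from the article).
Rules encoded: order local -> site -> domain -> OU with the last applied value winning,
Not Configured leaving earlier values alone, link order within one container (top of the
list applied last), Block Policy inheritance, No Override (Enforced) links, security
filtering via the Apply Group Policy grant, and loopback merge/replace.
All names and settings below are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration settings
    user: dict = field(default_factory=dict)       # User Configuration settings
    apply_groups: set = field(default_factory=lambda: {"Authenticated Users"})


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False     # "No Override" in the old UI, "Enforced" in GPMC
    disabled: bool = False


@dataclass
class Container:               # site, domain or OU
    name: str
    links: list                # ordered as on the Group Policy tab: top = highest precedence
    block_inheritance: bool = False


def application_order(local, path, groups):
    """GPOs in the order applied to an object whose container chain (site -> ... -> OU) is `path`.
    `groups` are the object's security groups, checked against each GPO's Apply Group Policy grant."""
    normal, enforced = [], []
    for container in path:
        if container.block_inheritance:
            normal = []        # everything inherited from above is dropped; enforced links survive
        active = [l for l in container.links if not l.disabled and l.gpo.apply_groups & groups]
        # same level: bottom of the list is applied first, so the top entry is applied last and wins
        normal += [l.gpo for l in reversed(active) if not l.enforced]
        enforced += [l.gpo for l in active if l.enforced]
    # enforced links are applied after everything else; the highest container (and, within
    # one level, the top of the list) is applied last and therefore wins
    return ([local] if local else []) + normal + list(reversed(enforced))


def resolve(order, section):
    """Last applied value wins; a value of None stands for 'Not configured'."""
    effective = {}
    for gpo in order:
        for key, value in getattr(gpo, section).items():
            if value is not None:
                effective[key] = (value, gpo.name)
    return effective


def user_settings(user_order, computer_order, loopback=None):
    """User Configuration under the loopback processing modes described above."""
    if loopback == "replace":      # the user's own GPO list is not processed at all
        return resolve(computer_order, "user")
    if loopback == "merge":        # user list first, then the computer's list again on top
        return resolve(user_order + computer_order, "user")
    return resolve(user_order, "user")


# Constructed scenario: site -> domain -> OU testers (user test) / OU compOU (computer comp)
LOCAL = GPO("Local GPO", computer={"Wallpaper": "local.bmp"},
            user={"Wallpaper": "local.bmp", "HideRun": True})
SITE_POLICY = GPO("SitePolicy", computer={"Wallpaper": "site.bmp"}, user={"Wallpaper": "site.bmp"})
DDP = GPO("Default Domain Policy", computer={"MinPwdLen": 8}, user={"Wallpaper": "domain.bmp"})
POLICY1 = GPO("Policy1", user={"Wallpaper": "testers.bmp", "HideRun": None})
POLICY2 = GPO("Policy2", computer={"Wallpaper": "compou.bmp"}, user={"Wallpaper": "kiosk.bmp"})
AUTH = {"Authenticated Users"}


def figure5_orders():
    """Application order for computer comp and for user test, as in the two lists above."""
    site, domain = Container("Site", [Link(SITE_POLICY)]), Container("Domain", [Link(DDP)])
    comp = application_order(LOCAL, [site, domain, Container("OU compOU", [Link(POLICY2)])], AUTH)
    test = application_order(LOCAL, [site, domain, Container("OU testers", [Link(POLICY1)])], AUTH)
    return [g.name for g in comp], [g.name for g in test]


def blocked_and_enforced_order():
    """compOU blocks inheritance, but the domain link is No Override: it still applies, and last."""
    path = [Container("Site", [Link(SITE_POLICY)]),
            Container("Domain", [Link(DDP, enforced=True)]),
            Container("OU compOU", [Link(POLICY2)], block_inheritance=True)]
    return [g.name for g in application_order(LOCAL, path, AUTH)]


def filtered_order():
    """Policy2 granted only to 'Kiosk Users': a computer outside that group skips it."""
    kiosk_only = GPO("Policy2", computer=POLICY2.computer, apply_groups={"Kiosk Users"})
    path = [Container("Domain", [Link(DDP)]), Container("OU compOU", [Link(kiosk_only)])]
    return [g.name for g in application_order(LOCAL, path, AUTH)]
```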

    Determining the settings that affect the user's computer

    To determine the final configuration and identify problems, you need to know which policy settings are currently in effect for a given user or computer. For this there is the Resultant Set of Policy (RSoP) tool. RSoP can operate in logging mode and in planning mode. To invoke RSoP, right-click the user or computer object and select All Tasks.

    Fig. 11. Invoking the Resultant Set of Policy tool.

    Upon launch (in logging mode), you will be asked to select which computer and user to define the result set for, and a result settings window will appear indicating which GPO applied which setting.

    Fig. 12. Resultant Set of Policy.

    Other Group Policy Management Tools

    GPResult is a command line tool that provides some of the RSoP functionality. GPResult is available by default on all computers running Windows XP and Windows Server 2003.

    GPUpdate forces the application of group policies - both local and Active Directory based. In Windows XP/2003, it replaced the /refreshpolicy option in the secedit tool for Windows 2000.

    A description of the command syntax is available when you run either of them with the /? switch.

    Instead of a conclusion

    This article does not aim to explain all aspects of working with group policies, nor is it aimed at experienced system administrators. All of the above, in my opinion, should only help to understand the basic principles of working with policies for those who have never worked with them or are just starting to master them.

    The GPResult.exe utility is a console application designed to analyze settings and diagnose the group policies that are applied to a computer and/or user in an Active Directory domain. In particular, GPResult lets you obtain the data of the Resultant Set of Policy (RSOP), the list of applied domain policies (GPOs), their settings, and detailed information about errors in their processing. The utility has been part of Windows since Windows XP. GPResult lets you answer questions such as whether a particular policy applies to a computer, which GPO changed a particular Windows setting, and why.

    In this article, we will look at the specifics of using the GPResult command to diagnose and debug the application of group policies in an Active Directory domain.

    Initially, to diagnose the application of group policies in Windows, the RSOP.msc graphical console was used, which made it possible to obtain the settings of the resulting policies (domain + local) applied to the computer and the user in a graphical form similar to the GPO editor console (below, on the example of the RSOP.msc console view, you can see that the update settings are set).

    However, the RSOP.msc console in modern versions of Windows is not practical to use, because it does not reflect the settings applied by various client side extensions (CSEs) such as Group Policy Preferences (GPP), does not allow searching, and provides little diagnostic information. Therefore, at the moment the GPResult command is the main tool for diagnosing the use of GPOs in Windows (Windows 10 even displays a warning that RSOP does not give a complete report, unlike GPResult).

    Using the GPResult.exe utility

    The GPResult command is run on the computer on which you want to test the application of group policies. The GPResult command has the following syntax:

    GPRESULT ]] [(/X | /H) ]

    To get detailed information about the group policies that apply to a given AD object (user and computer) and other settings related to the GPO infrastructure (i.e. the resultant GPO policy settings, RSoP), run the command:

    The output of the command is divided into 2 sections:

    • COMPUTER SETTINGS (Computer Configuration) – information about the GPOs that affect the computer (as an Active Directory object);
    • USER SETTINGS (User Configuration) – the policies that apply to the user account in AD.

    Let's briefly go over the main parameters/sections that may be of interest to us in the GPResult output:

    • Site Name – the name of the AD site in which the computer is located;
    • CN – the full canonical name of the user/computer for which the RSoP data was generated;
    • Last time Group Policy was applied – the time when group policies were last applied;
    • Group Policy was applied from – the domain controller from which the latest version of the GPOs was loaded;
    • Domain Name and Domain Type – the name of the Active Directory domain and its type (schema version);
    • Applied Group Policy Objects – the list of active group policy objects;
    • The following GPOs were not applied because they were filtered out – GPOs that were not applied (filtered out);
    • The user/computer is a part of the following security groups – the domain groups the user (or computer) is a member of.

    In our example, you can see that the user object is affected by 4 group policies:

    • Default Domain Policy;
    • Enable Windows Firewall;
    • DNS Suffix Search List.

    If you do not want the console to display information about both user policies and computer policies at the same time, you can use the /scope option to display only the section you are interested in. Only resulting user policies:

    gpresult /r /scope:user

    or only applied machine policies:

    gpresult /r /scope:computer

    Because the GPResult utility writes its output directly to the command line console, which is not always convenient for later analysis, its output can be redirected to the clipboard:

    gpresult /r |clip

    or text file:

    gpresult /r > c:\gpresult.txt

    To display super-detailed RSOP information, add the /z switch.

    HTML RSOP report using GPResult

    In addition, the GPResult utility can generate an HTML report of the applied resultant policies (available in Windows 7 and later). This report contains detailed information about all system settings that are set by group policies and the names of the specific GPOs that set them (the structure of the report resembles the Settings tab in the Group Policy Management Console, GPMC). You can generate an HTML GPResult report with the command:

    GPResult /h c:\gp-report\report.html /f

    To generate a report and automatically open it in a browser, run the command:

    GPResult /h GPResult.html & GPResult.html

    The gpresult HTML report contains quite a lot of useful information: GPO application errors and the processing time (in ms) of specific policies and CSEs are visible (in the Computer Details -> Component Status section). For example, in the screenshot above, you can see that the setting 24 passwords remember is applied by the Default Domain Policy (Winning GPO column). As you can see, such an HTML report is much more convenient for analyzing applied policies than the rsop.msc console.

    Getting GPResult data from a remote computer

    GPResult can also collect data from a remote computer, eliminating the need for an administrator to log in locally or RDP to a remote computer. The command format for collecting RSOP data from a remote computer is as follows:

    GPResult /s server-ts1 /r

    Similarly, you can collect data from both user policies and computer policies remotely.

    username has no RSOP data

    With UAC enabled, running GPResult without elevated privileges displays only the settings of the user section of Group Policy. If you need to display both sections (USER SETTINGS and COMPUTER SETTINGS) at the same time, the command must be run from an elevated command prompt. If the elevated command prompt is running under an account other than the currently logged-on user, the utility issues the warning INFO: The user "domain\user" does not have RSOP data. This is because GPResult tries to collect information for the user who ran it, but that user has not logged on to the system, so no RSOP information is available for them. To collect RSOP information for a user with an active session, specify that account:

    gpresult /r /user:tn\edward

    If you don't know the name of the account that is logged in on the remote computer, you can get the account like this:

    qwinsta /SERVER:remotePC1

    Also check the time on the client: it must match the time on the PDC (Primary Domain Controller).

    The following GPO policies were not applied because they were filtered out

    When troubleshooting group policies, you should also pay attention to the section The following GPOs were not applied because they were filtered out. This section lists the GPOs that, for one reason or another, do not apply to this object. Possible reasons why a policy may not be applied:



    You can also understand whether the policy should be applied to a specific AD object on the Effective Permissions tab (Advanced -> Effective Access).
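The fields and list blocks of the gpresult /r output described earlier, and the filtered-out section discussed here, can be pulled out of a saved report mechanically. The following parser is an added example, not code from the article; SAMPLE is a constructed report in the layout of real gpresult output, and every name in it is made up.

```python
"""Parser for the text report of 'gpresult /r' (added example, not from the article).
It splits the report into the COMPUTER SETTINGS / USER SETTINGS sections and extracts
the key/value fields (site name, CN, last apply time, source DC, domain name/type),
the applied GPOs, the filtered-out GPOs with their filtering reason, and the
security groups. SAMPLE is a constructed report; all names in it are made up."""

SAMPLE = r"""
RSOP data for TN\edward on WKS01 : Logging Mode
------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.19045
Site Name:                   Default-First-Site-Name
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=Edward,OU=testers,DC=tn,DC=local
    Last time Group Policy was applied: 3/14/2024 at 9:12:05 AM
    Group Policy was applied from:      dc01.tn.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        TN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Enable Windows Firewall
        DNS Suffix Search List

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Kiosk Lockdown
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Authenticated Users
"""

# Sub-headings that start a list block, mapped to the key used in the result.
LIST_HEADERS = {
    "Applied Group Policy Objects": "applied",
    "The following GPOs were not applied because they were filtered out": "filtered",
    "The user is a part of the following security groups": "groups",
    "The computer is a part of the following security groups": "groups",
}


def parse_gpresult(text):
    """Return {'header': {...}, 'COMPUTER SETTINGS': {...} or None, 'USER SETTINGS': {...} or None}."""
    report = {"header": {}, "COMPUTER SETTINGS": None, "USER SETTINGS": None}
    section = report["header"]   # key/value lines before the first section go here
    block = None                 # which list block (if any) we are inside
    last_name = None             # last GPO name seen in the filtered block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue             # blank lines and dashed rulers carry no data
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            section = report[line] = {"applied": [], "filtered": {}, "groups": []}
            block = None
            continue
        if line in LIST_HEADERS:
            block = LIST_HEADERS[line]
            continue
        if block == "filtered":
            if line.startswith("Filtering:"):   # the reason line belongs to the GPO above it
                section["filtered"][last_name] = line.split(":", 1)[1].strip()
            else:
                last_name = line
                section["filtered"].setdefault(line, "")
        elif block:
            section[block].append(line)
        elif line.startswith("CN="):
            section["CN"] = line                # the distinguished name has no 'key:' prefix
        elif ":" in line:
            key, value = line.split(":", 1)
            section[key.strip()] = value.strip()
    return report


def explain_missing(report, scope, expected):
    """For each expected GPO absent from the applied list, give the reason gpresult reported."""
    section = report[scope]
    missing = {}
    for name in expected:
        if name not in section["applied"]:
            missing[name] = section["filtered"].get(name, "not present in the report")
    return missing


if __name__ == "__main__":
    parsed = parse_gpresult(SAMPLE)
    print(parsed["USER SETTINGS"]["applied"])
    print(explain_missing(parsed, "USER SETTINGS", ["Kiosk Lockdown", "Policy1"]))
```

A GPO that is expected but reported as "not present" was not linked anywhere in the object's scope, while one listed under the filtered section carries the reason gpresult itself gives (security filtering, empty GPO, WMI filter, and so on).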

    So, in this article, we reviewed the features of diagnosing the application of group policies using the GPResult utility and reviewed typical scenarios for its use.

    The functionality of the Windows Server operating system grows and improves from version to version; there are more and more roles and features, so in today's article I will try to briefly describe the purpose of each role in Windows Server 2016.

    Before proceeding to the description of Windows Server server roles, let's find out what exactly a "Server Role" is in the Windows Server operating system.

    What is a "Server Role" in Windows Server?

    A Server Role is a software package that enables the server to perform a certain function, and that function is the server's main one. In other words, a "Server Role" is the purpose of the server, i.e. what it is for. So that the server can perform its main function, i.e. a certain role, the "Server Role" includes all the software (programs, services) needed for it.

    A server can have one role if it is used heavily, or several if each of them does not load the server much and is used rarely.

    A server role can include multiple role services that provide the functionality of the role. For example, the "Web Server (IIS)" server role includes a fairly large number of services, while the "DNS Server" role has no role services, because this role performs only one function.

    Role services can be installed all together or individually, depending on your needs. Essentially, installing a role means installing one or more of its services.

    Windows Server also has server "Features".

    Server Features are software tools that are not a server role but extend the capabilities of one or more roles, or manage one or more roles.

    Some roles cannot be installed if the server lacks the role services or features required for the role to function. Therefore, when installing such a role, the "Add Roles and Features Wizard" itself automatically prompts you to install the necessary additional role services or features.

    Description of Windows Server 2016 server roles

    You are probably already familiar with many of the roles in Windows Server 2016, since they have been around for quite some time, but, as I said, each new version of Windows Server adds new roles that you may not have worked with yet and would like to know the purpose of, so let's start looking at them.

    Note! You can read about the new features of the Windows Server 2016 operating system in the material "Installing Windows Server 2016 and an overview of new features".

    Since the installation and administration of roles, services and features is very often done with Windows PowerShell, for each role and its services I will give the name that can be used in PowerShell to install or manage it.

    DHCP server

    This role allows you to centrally configure dynamic IP addresses and related settings for computers and devices on your network. The DHCP Server role does not have role services.

    The name for Windows PowerShell is DHCP.

    DNS server

    This role is intended for name resolution in TCP/IP networks. The DNS Server role provides and maintains DNS. To simplify the management of a DNS server, it is usually installed on the same server as Active Directory Domain Services. The DNS Server role does not have role services.

    The role name for PowerShell is DNS.

    Hyper-V

    With the Hyper-V role, you can create and manage a virtualized environment. In other words, it is a tool for creating and managing virtual machines.

    The role name for Windows PowerShell is Hyper-V.

    Device health attestation

    The "Device Health Attestation" role allows you to evaluate the health of a device based on measured security indicators, such as the state of Secure Boot and BitLocker on the client.

    For this role to function, many role services and features are required, for example several services of the "Web Server (IIS)" role, the " " feature, and the ".NET Framework 4.6 Features" feature.

    During installation, all required role services and features are selected automatically. The "Device Health Attestation" role has no role services.

    The name for PowerShell is DeviceHealthAttestationService.

    Web server (IIS)

    Provides a reliable, manageable, and scalable web application infrastructure. Consists of a fairly large number of role services (43).

    The name for Windows PowerShell is Web-Server.

    It includes the following role services (in brackets I give the name for Windows PowerShell):

    Web Server (Web-WebServer) – a group of role services that provides support for HTML websites, ASP.NET extensions, ASP, and the web server itself. Consists of the following services:

    • Security (Web Security)- a set of services to ensure the security of the web server.
      • Request filtering (Web-Filtering) - using these tools, you can process all requests coming to the server and filter these requests based on special rules set by the web server administrator;
      • IP address and domain restrictions (Web-IP-Security) - these tools allow you to allow or deny access to content on a web server based on the IP address or domain name of the source in the request;
      • URL Authorization (Web-Url-Auth) - tools allow you to develop rules to restrict access to web content and associate them with users, groups, or HTTP header commands;
      • Digest Authentication (Web-Digest-Auth) - This authentication provides a higher level of security than basic authentication. Digest authentication for user authentication works like passing a password hash to a Windows domain controller;
      • Basic Authentication (Web-Basic-Auth) - This authentication method provides strong web browser compatibility. It is recommended to use in small internal networks. The main disadvantage of this method is that passwords transmitted over the network can be quite easily intercepted and decrypted, so use this method in combination with SSL;
      • Windows Authentication (Web-Windows-Auth) is an authentication based on Windows domain authentication. In other words, you can use Active Directory accounts to authenticate users of your Web sites;
      • Client Certificate Mapping Authentication (Web-Client-Auth) - This authentication method uses a client certificate. This type uses Active Directory services to provide certificate mapping;
      • IIS Client Certificate Mapping Authentication (Web-Cert-Auth) - this method also uses client certificates for authentication, but uses IIS rather than Active Directory to provide the certificate mapping. This type provides better performance;
      • Centralized SSL Certificate Support (Web-CertProvider) - these tools allow you to manage SSL server certificates centrally, which greatly simplifies certificate management;
    • Health and Diagnostics (Web-Health) - a set of services for monitoring, managing and troubleshooting web servers, sites and applications:
      • HTTP Logging (Web-Http-Logging) - tools that log website activity on this server, i.e. write the access log;
      • ODBC Logging (Web-ODBC-Logging) – These tools also provide logging of website activity, but they support logging that activity to an ODBC-compliant database;
      • Request Monitor (Web-Request-Monitor) is a tool that allows you to monitor the health of a web application by intercepting information about HTTP requests in the IIS worker process;
      • Custom Logging (Web-Custom-Logging) - Using these tools, you can configure logging of web server activity in a format that differs significantly from the standard IIS format. In other words, you can create your own logging module;
      • Logging tools (Web-Log-Libraries) are tools for managing web server logs and automating logging tasks;
      • Tracing (Web-Http-Tracing) is a tool for diagnosing and resolving failed requests in web applications.
    • Common HTTP Features (Web-Common-Http) - a set of services that provide basic HTTP functionality:
      • Default Document (Web-Default-Doc) - this feature allows you to configure the web server to return a default document when users do not specify a specific document in the request URL, making it easier for users to reach a website, for example, by domain name alone, without specifying a file;
      • Directory Browsing (Web-Dir-Browsing) - This tool can be used to configure a web server so that users can view a list of all directories and files on a website. For example, for cases where users do not specify a file in the request URL, and default documents are either disabled or not configured;
      • http errors (Web-Http-Errors) - this feature allows you to configure error messages that will be returned to users' web browsers when an error is detected by the web server. This tool is used to more easily present error messages to users;
      • Static content (Web-Static-Content) - this tool allows you to use content on a web server in the form of static file formats, such as HTML files or image files;
      • HTTP Redirect (Web-Http-Redirect) - using this feature, you can redirect a user request to a specific destination, i.e. perform an HTTP redirect;
      • WebDAV Publishing (Web-DAV-Publishing) - allows you to use WebDAV technology on the IIS web server. WebDAV (Web Distributed Authoring and Versioning) is a technology that allows users to work together (read, edit, read properties, copy, move) on files on remote web servers using the HTTP protocol.
    • Performance (Web-Performance) - a set of services for achieving higher web server performance through output caching and common compression mechanisms such as Gzip and Deflate:
      • Static Content Compression (Web-Stat-Compression) is a tool for configuring compression of static HTTP content; it makes more efficient use of bandwidth without significant CPU load;
      • Dynamic Content Compression (Web-Dyn-Compression) is a tool for configuring HTTP dynamic content compression. This tool provides more efficient use of bandwidth, but in this case, the server CPU load associated with dynamic compression can slow down the site if the CPU load is high even without compression.
    • Application Development (Web-App-Dev)- a set of services and tools for developing and hosting web applications, in other words, website development technologies:
      • ASP (Web-ASP) is an environment for supporting and developing web sites and web applications using ASP technology. At the moment, there is a newer and more advanced website development technology - ASP.NET;
      • ASP.NET 3.5 (Web-Asp-Net) is an object-oriented development environment for web sites and web applications using ASP.NET technology;
      • ASP.NET 4.6 (Web-Asp-Net45) is also an object-oriented development environment for web sites and web applications using the new version of ASP.NET;
      • CGI (Web-CGI) is the ability to use CGI to pass information from a web server to an external program. CGI is an interface standard for connecting an external program to a web server. Its drawback is that using CGI reduces performance;
      • Server Side Includes (SSI) (Web-Includes) is support for the SSI scripting language (server-side includes), which is used to dynamically generate HTML pages;
      • Application initialization (Web-AppInit) - this tool performs the tasks of initializing web applications before sending a web page;
      • WebSocket protocol (Web-WebSockets) - adding the ability to create server applications that communicate using the WebSocket protocol. WebSocket is a protocol that can send and receive data simultaneously between a browser and a web server over a TCP connection, a kind of extension to the HTTP protocol;
      • ISAPI extensions (Web-ISAPI-Ext) - support for dynamic development of web content using the ISAPI application programming interface. ISAPI is an API for the IIS web server. ISAPI applications are much faster than ASP files or files that call COM+ components;
      • .NET 3.5 Extensibility (Web-Net-Ext) is a .NET 3.5 extensibility feature that allows you to change, add, and extend web server functionality throughout the request processing pipeline, configuration, and user interface;
      • .NET 4.6 Extensibility (Web-Net-Ext45) is a .NET 4.6 extensibility feature that also allows you to modify, add, and extend web server functionality across the entire request processing pipeline, configuration, and user interface;
      • ISAPI Filters (Web-ISAPI-Filter) - Add support for ISAPI filters. ISAPI filters are programs that are called when a web server receives a specific HTTP request to be processed by this filter.

    FTP Server (Web-Ftp-Server) - services that provide support for the FTP protocol. We discussed the FTP server in more detail in the article "Installing and configuring an FTP server on Windows Server 2016". Contains the following services:

    • FTP Service (Web-Ftp-Service) - adds support for the FTP protocol on the web server;
    • FTP Extensibility (Web-Ftp-Ext) - Extends standard FTP capabilities, such as adding support for features such as custom providers, ASP.NET users, or IIS manager users.

    Management Tools (Web-Mgmt-Tools) are the management tools for the IIS 10 web server. These include: the IIS user interface, command line tools, and scripts.

    • The IIS Management Console (Web-Mgmt-Console) is the user interface for managing IIS;
    • IIS Management Scripts and Tools (Web-Scripting-Tools) are tools and scripts for managing IIS from the command line or from scripts. They can be used, for example, to automate administration;
    • Management Service (Web-Mgmt-Service) - this service adds the ability to manage a web server remotely from another computer using IIS Manager;
    • IIS 6 Management Compatibility (Web-Mgmt-Compat) - provides compatibility for applications and scripts that use the two IIS 6 management APIs. Existing IIS 6 scripts can be used to manage the IIS 10 web server:
      • IIS 6 Metabase Compatibility (Web-Metabase) is a compatibility tool that allows you to run applications and scripts that have been migrated from earlier versions of IIS;
      • IIS 6 Scripting Tools (Web-Lgcy-Scripting) - These tools allow you to use the same IIS 6 Scripting Services that were created to manage IIS 6 in IIS 10;
      • IIS 6 Management Console (Web-Lgcy-Mgmt-Console) is a tool for administering remote IIS 6.0 servers;
      • IIS 6 WMI Compatibility (Web-WMI) are Windows Management Instrumentation (WMI) scripting interfaces for programmatically controlling and automating IIS 10.0 web server tasks using a set of scripts created in a WMI provider.

    Active Directory Domain Services

    The "Active Directory Domain Services" (AD DS) role provides a distributed database that stores and processes information about network resources. This role is used to organize network elements such as users, computers, and other devices into a hierarchical containment structure. The hierarchical structure includes forests, domains within a forest, and organizational units (OUs) within each domain. A server running AD DS is called a domain controller.

    The role name for Windows PowerShell is AD-Domain-Services.

    Windows Server Essentials Mode

    This role provides a computing infrastructure with convenient and efficient functions, for example: storing client data in a centralized location and protecting this data by backing up the server and client computers, and remote web access, which allows you to reach that data from virtually any device. This role requires several role services and features, for example: BranchCache features, Windows Server Backup, Group Policy Management, and the "DFS Namespaces" role service.

    The name for PowerShell is ServerEssentialsRole.

    Network Controller

    Introduced in Windows Server 2016, this role provides a single point of automation for managing, monitoring, and diagnosing the physical and virtual network infrastructure in the datacenter. Using this role, you can configure IP subnets, VLANs, physical network adapters of Hyper-V hosts from one point, manage virtual switches, physical routers, firewall settings, and VPN gateways.

    The name for Windows PowerShell is NetworkController.

    Host Guardian Service

    This is the Host Guardian Service (HGS) server role; it provides attestation and key protection services that allow guarded hosts to run shielded virtual machines. For this role to function, several additional roles and components are required, for example: Active Directory Domain Services, Web Server (IIS), the "Failover Clustering" feature, and others.

    The name for PowerShell is HostGuardianServiceRole.

    Active Directory Lightweight Directory Services

    The "Active Directory Lightweight Directory Services" (AD LDS) role is a lightweight version of AD DS that has less functionality but does not require the deployment of domains or domain controllers, and does not have the dependencies and domain restrictions required by AD DS. AD LDS runs over the LDAP protocol (Lightweight Directory Access Protocol). You can deploy multiple AD LDS instances on the same server with independently managed schemas.

    The name for PowerShell is ADLDS.

    MultiPoint Services

    This is another role that is new in Windows Server 2016. MultiPoint Services (MPS) provides basic remote desktop functionality that allows multiple users to work simultaneously and independently on the same computer. To install and operate this role, you need to install several additional services and components, for example: Print Server, Windows Search Service, XPS Viewer, and others; all of them are selected automatically during MPS installation.

    The name of the role for PowerShell is MultiPointServerRole.

    Windows Server Update Services

    With this role (WSUS), system administrators can manage Microsoft updates: for example, create separate groups of computers for different sets of updates, and receive reports on the compliance of computers with requirements and on the updates that need to be installed. For "Windows Server Update Services" to function, you need the following role services and components: Web Server (IIS), Windows Internal Database, Windows Process Activation Service.

    The name for Windows PowerShell is UpdateServices.

    • WID Connectivity (UpdateServices-WidDB) - installs WID (Windows Internal Database) as the database used by WSUS. In other words, WSUS stores its service data in WID;
    • WSUS Services (UpdateServices-Services) are the WSUS role services, such as the Update Service, Reporting Web Service, API Remoting Web Service, Client Web Service, Web Simple Authentication Web Service, Server Synchronization Service and DSS Authentication Web Service;
    • SQL Server Connectivity (UpdateServices-DB) installs the components that allow the WSUS service to connect to a Microsoft SQL Server database. With this option the service data is stored in a Microsoft SQL Server database, so you must already have at least one instance of SQL Server installed.

    Volume License Activation Services

    This server role automates, simplifies, and manages volume licenses for software from Microsoft.

    The name for PowerShell is VolumeActivation.

    Print and Document Services

    This server role is designed to share printers and scanners on a network, to centrally configure and manage print and scan servers, and to manage network printers and scanners. Print and Document Services also allows you to send scanned documents via email, to network shares, or to Windows SharePoint Services sites.

    The name for PowerShell is Print-Services.

    • Print Server (Print-Server) - this role service includes the "Print Management" console, which is used to manage printers and print servers, as well as to migrate printers to other print servers;
    • Internet Printing (Print-Internet) - to implement printing over the Internet, a website is created through which users can manage print jobs on the server. For this service to work, as you would expect, you need to install "Web Server (IIS)". All required components are selected automatically when you check the "Internet Printing" role service during installation;
    • Distributed Scan Server (Print-Scan-Server) is a service that receives scanned documents from network scanners and sends them to a destination. This service also contains the "Scan Management" console, which is used to manage network scanners and to configure scanning;
    • LPD Service (Print-LPD-Service) - the LPD (Line Printer Daemon) service allows UNIX-based computers and other computers using the Line Printer Remote (LPR) service to print to the server's shared printers.

    Network Policy and Access Services

    The "Network Policy and Access Services" (NPAS) role allows Network Policy Server (NPS) to set and enforce network access, authentication and authorization, and client health policies, in other words, to secure the network.

    The name for Windows PowerShell is NPAS.

    Windows Deployment Services

    With this role, you can remotely install the Windows operating system over a network.

    The role name for PowerShell is WDS.

    • Deployment Server (WDS-Deployment) - this role service is designed for remote deployment and configuration of Windows operating systems. It also allows you to create and customize images for reuse;
    • Transport Server (WDS-Transport) - This service contains the basic network components with which you can transfer data by multicasting on a stand-alone server.

    Active Directory Certificate Services

    This role is intended to create certificate authorities and related role services that allow you to issue and manage certificates for various applications.

    The name for Windows PowerShell is AD-Certificate.

    Includes the following role services:

    • Certification Authority (ADCS-Cert-Authority) - using this role service, you can issue certificates to users, computers, and services, as well as manage certificate validity;
    • Certificate Enrollment Policy Web Service (ADCS-Enroll-Web-Pol) - this service allows users and computers to obtain certificate enrollment policy information from a web browser, even if the computer is not a member of a domain. It requires the "Web Server (IIS)" role;
    • Certificate Enrollment Web Service (ADCS-Enroll-Web-Svc) - this service allows users and computers to enroll and renew certificates using a web browser over HTTPS, even if the computer is not a member of a domain. It also requires the "Web Server (IIS)" role;
    • Online Responder (ADCS-Online-Cert) - the service checks the revocation status of certificates for clients. In other words, it accepts a revocation status request for specific certificates, evaluates the status of those certificates, and sends back a signed response with the status information. It requires the "Web Server (IIS)" role;
    • Certification Authority Web Enrollment (ADCS-Web-Enrollment) - this service provides a web interface for users to perform tasks such as requesting and renewing certificates, obtaining CRLs, and enrolling smart card certificates. It requires the "Web Server (IIS)" role;
    • Network Device Enrollment Service (ADCS-Device-Enrollment) - using this service, you can issue and manage certificates for routers and other network devices that do not have network accounts. It requires the "Web Server (IIS)" role.

    Remote Desktop Services

    A server role that can be used to provide access to virtual desktops, session-based desktops, and RemoteApps.

    The role name for Windows PowerShell is Remote-Desktop-Services.

    Consists of the following services:

    • Remote Desktop Web Access (RDS-Web-Access) - this role service allows users to access remote desktops and RemoteApp applications through the "Start" menu or using a web browser;
    • Remote Desktop Licensing (RDS-Licensing) - the service manages the licenses that are required to connect to a Remote Desktop Session Host server or a virtual desktop. It can be used to install and issue licenses and to track their availability. This service requires "Web Server (IIS)";
    • Remote Desktop Connection Broker (RDS-Connection-Broker) is a role service that provides the following capabilities: reconnecting a user to an existing virtual desktop, RemoteApp application or session-based desktop, as well as load balancing between Remote Desktop Session Host servers or between pooled virtual desktops. This service requires the " " component;
    • Remote Desktop Virtualization Host (RDS-Virtualization) - the service allows users to connect to virtual desktops using RemoteApp and Desktop Connection. This service works in conjunction with Hyper-V, i.e. that role must be installed;
    • Remote Desktop Session Host (RDS-RD-Server) - this service can host RemoteApp applications and session-based desktops on a server. Access is through the Remote Desktop Connection client or RemoteApps;
    • Remote Desktop Gateway (RDS-Gateway) - the service allows authorized remote users to connect to virtual desktops, RemoteApps, and session-based desktops on a corporate network or over the Internet. This service requires the following additional services and components: "Web Server (IIS)", "Network Policy and Access Services", "RPC over HTTP Proxy".

    AD RMS

    This is a server role that allows you to protect information from unauthorized use. It validates user identities and grants licenses to authorized users to access protected data. This role requires additional services and components: "Web Server (IIS)", "Windows Process Activation Service", ".NET Framework 4.6 Features".

    The name for Windows PowerShell is ADRMS.

    • Active Directory Rights Management Server (ADRMS-Server) - the main role service, required for installation;
    • Identity Federation Support (ADRMS-Identity) is an optional role service that enables federated identities to consume protected content using Active Directory Federation Services.

    AD FS

    This role provides simplified and secure identity federation and single sign-on (SSO) functionality to websites using a browser.

    The name for PowerShell is ADFS-Federation.

    Remote access

    This role provides connectivity through DirectAccess, VPN, and Web Application Proxy. The "Remote Access" role also provides traditional routing capabilities, including network address translation (NAT) and other connection options. This role requires additional services and features: "Web Server (IIS)", "Windows Internal Database".

    The role name for Windows PowerShell is RemoteAccess.

    • DirectAccess and VPN (RAS) (DirectAccess-VPN) - the service allows users to connect to the corporate network at any time with Internet access via DirectAccess, as well as organize VPN connections in combination with tunneling and data encryption technologies;
    • Routing (Routing) - the service provides NAT routing, LAN routing with the BGP and RIP protocols, and multicast routing (IGMP proxy);
    • Web Application Proxy (Web-Application-Proxy) - The service allows you to publish applications based on the HTTP and HTTPS protocols from the corporate network to client devices that are outside the corporate network.

    File and storage services

    This is a server role that can be used to share files and folders, manage and control shares, replicate files, provide fast file searches, and grant access to UNIX client computers. We looked at file services in more detail, and in particular the file server, in the material "Installing a file server (File Server) on Windows Server 2016".

    The name for Windows PowerShell is FileAndStorage-Services.

    Storage Services - this service provides storage management functionality; it is always installed and cannot be removed.

    File and iSCSI Services (File-Services) - technologies that simplify the management of file servers and storage, save disk space, provide replication and caching of files in branch offices, and also provide file sharing via the NFS protocol. Includes the following role services:

    • File Server (FS-FileServer) - a role service that manages shared folders and provides users with access to files on this computer over the network;
    • Data Deduplication (FS-Data-Deduplication) - this service saves disk space by storing only one copy of identical data on a volume;
    • File Server Resource Manager (FS-Resource-Manager) - using this service, you can manage files and folders on a file server, create storage reports, classify files and folders, configure folder quotas and define file blocking policies;
    • iSCSI Target Storage Provider (VDS and VSS Hardware Providers) (iSCSITarget-VSS-VDS) - Service allows applications on a server connected to an iSCSI target to shadow copy volumes on iSCSI virtual disks;
    • DFS namespaces (FS-DFS-Namespace) - using this service, you can group shared folders hosted on different servers into one or more logically structured namespaces;
    • Work Folders (FS-SyncShareService) - the service allows you to use work files on different computers, both work and personal. You can store your files in Work Folders, synchronize them, and access them from your local network or the Internet. For the service to function, the "IIS In-Process Web Core" component is required;
    • DFS Replication (FS-DFS-Replication) is a data replication engine between multiple servers that allows you to synchronize folders over a LAN or WAN connection. This technology uses the Remote Differential Compression (RDC) protocol to update only the portion of files that have changed since the last replication. DFS Replication can be used with or without DFS Namespaces;
    • Server for NFS (FS-NFS-Service) - The service allows this computer to share files with UNIX-based computers and other computers that use the Network File System (NFS) protocol;
    • iSCSI Target Server (FS-iSCSITarget-Server) - provides services and management for iSCSI targets;
    • BranchCache Service for Network Files (FS-BranchCache) - The service provides BranchCache support on this file server;
    • File Server VSS Agent Service (FS-VSS-Agent) - The service allows you to perform volume shadow copies for applications that store data files on this file server.

    Fax Server

    The role sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on this computer or network. Requires the "Print Server" role service.

    The role name for Windows PowerShell is Fax.

    This completes the review of Windows Server 2016 server roles, I hope the material was useful to you, for now!

    Before developing a socket server, you need to create a policy server that tells Silverlight which clients are allowed to connect to the socket server.

    As shown above, Silverlight does not allow content to be loaded or a web service to be called unless the domain has a clientaccesspolicy.xml or crossdomain.xml file in which these operations are explicitly allowed. A similar restriction applies to the socket server. If you don't allow the client device to download a clientaccesspolicy.xml file that permits remote access, Silverlight will refuse to establish a connection.

    Unfortunately, providing a clientaccesspolicy.xml file for a socket application is more of a challenge than providing it through a website. With a website, the web server software serves the clientaccesspolicy.xml file; you just have to remember to add it. With a socket application, you must open a socket that client applications can reach with policy requests, and you must write the code that serves that socket yourself. To accomplish these tasks, you need to create a policy server.

    In what follows, we will see that the policy server works in the same way as the message server; it just handles slightly simpler interactions. The message server and the policy server can be created separately or combined in one application. In the latter case, they must listen for requests on different threads. In this example, we will create a policy server and then combine it with a message server.

    To create a policy server, you must first create a .NET application. Any type of .NET application can serve as a policy server. The easiest way is to use a console application. Once you've debugged your console application, you can move your code into a Windows service so that it runs in the background all the time.

    Policy file

    Following is the policy file provided by the policy server.

    The policy file defines three rules.

    Allows access to all ports from 4502 to 4532 (this is the full range of ports supported by the Silverlight add-on). To change the range of available ports, change the value of the element's port attribute.

    Allows TCP access (the permission is defined in the element's protocol attribute).

    Allows a call from any domain. Therefore, a Silverlight application that establishes a connection can be hosted by any website. To change this rule, you need to edit the element's uri attribute.

    To make things easier, the policy rules are placed in the clientaccesspolicy.xml file that is added to the project. In Visual Studio, the Copy to Output Directory property of the policy file must be set to Copy Always. The policy server then only needs to find the file on the hard drive, open it, and return its contents to the client device.

    PolicyServer class

    The policy server functionality is based on two key classes: PolicyServer and PolicyConnection. The PolicyServer class handles waiting for connections. When it receives a connection, it passes control to a new instance of the PolicyConnection class, which passes the policy file to the client. This two-part procedure is common in network programming. You will see it more than once when working with message servers.

    The PolicyServer class loads the policy file from the hard disk and stores it in the field as an array of bytes.

    using System;
    using System.IO;
    using System.Net;
    using System.Net.Sockets;

    public class PolicyServer
    {
        // The policy file contents, read once at startup
        private byte[] policy;

        public PolicyServer(string policyFile)
        {
            // Load the policy file from disk into memory
            policy = File.ReadAllBytes(policyFile);
        }

    To start listening, the server application must call the PolicyServer.Start() method. It creates a TcpListener object that listens for requests. The TcpListener object is configured to listen on port 943. In Silverlight, this port is reserved for policy servers. When a Silverlight application requests a policy file, it automatically sends the request to port 943.

        private TcpListener listener;

        public void Start()
        {
            // Create a listener
            listener = new TcpListener(IPAddress.Any, 943);

            // Start listening; the Start() method returns immediately
            listener.Start();

            // Wait for a connection; the method returns immediately,
            // the waiting is done on a separate thread
            listener.BeginAcceptTcpClient(OnAcceptTcpClient, null);
        }

    To accept an incoming connection, the policy server calls the BeginAcceptTcpClient() method. Like all BeginXxx() methods of the .NET Framework, it returns immediately after being called and performs the necessary operations on a separate thread. For network applications, this is a very significant factor because it allows many requests for policy files to be processed at the same time.

    Note. Novice network programmers often wonder how more than one request can be processed at the same time, and assume that this requires several servers. It does not. With that approach, client applications would quickly run out of available ports. In practice, server applications process many requests through a single port. This process is invisible to applications because the built-in TCP subsystem in Windows automatically identifies messages and routes them to the appropriate objects in application code. Each connection is uniquely identified by four parameters: client IP address, client port number, server IP address, and server port number.

    On each request, the OnAcceptTcpClient() callback method is fired. It calls the BeginAcceptTcpClient() method again to start waiting for the next request on another thread, and then starts processing the current request.

        public void OnAcceptTcpClient(IAsyncResult ar)
        {
            if (isStopped) return;

            Console.WriteLine("Policy request received.");

            try
            {
                // Wait for the next connection.
                listener.BeginAcceptTcpClient(OnAcceptTcpClient, null);

                // Handle the current connection.
                TcpClient client = listener.EndAcceptTcpClient(ar);
                PolicyConnection policyConnection = new PolicyConnection(client, policy);
                policyConnection.HandleRequest();
            }
            catch (Exception err)
            {
                Console.WriteLine(err.Message);
            }
        }

    Each time a new connection is received, a new PolicyConnection object is created to handle it. In addition, the PolicyConnection object maintains a policy file.

    The last component of the PolicyServer class is the Stop() method, which stops waiting for requests. The application calls it when it terminates.

        private bool isStopped;

        public void Stop()
        {
            isStopped = true;

            try
            {
                listener.Stop();
            }
            catch (Exception err)
            {
                Console.WriteLine(err.Message);
            }
        }
    }

    The following code is used in the Main() method of the server application to start the policy server.

    static void Main(string[] args)
    {
        PolicyServer policyServer = new PolicyServer("clientaccesspolicy.xml");
        policyServer.Start();

        Console.WriteLine("Policy server started.");
        Console.WriteLine("Press the Enter key to exit.");

        // Wait for a key press; with the Console.ReadKey() method you could
        // instead wait for a specific line (for example, quit) or for any key
        Console.ReadLine();

        policyServer.Stop();

        Console.WriteLine("End policy server.");
    }

    PolicyConnection class

    The PolicyConnection class performs a simpler task. The PolicyConnection object stores a reference to the policy file data. Then, when the HandleRequest() method is called, the PolicyConnection object obtains the network stream of the new connection and attempts to read from it. The client device must send a string containing the policy request text. After reading this text, the policy server writes the policy data to the stream and closes the connection. Following is the code of the PolicyConnection class.

    public class PolicyConnection
    {
        private TcpClient client;
        private byte[] policy;

        public PolicyConnection(TcpClient client, byte[] policy)
        {
            this.client = client;
            this.policy = policy;
        }

        // The request string the Silverlight plug-in sends to port 943
        private static string policyRequestString = "<policy-file-request/>";

        public void HandleRequest()
        {
            Stream s = client.GetStream();

            // Read the policy request string
            byte[] buffer = new byte[1024];

            // Wait only 5 seconds
            client.ReceiveTimeout = 5000;
            s.Read(buffer, 0, buffer.Length);

            // Send the policy (you could also check whether the request
            // contains the expected policyRequestString)
            s.Write(policy, 0, policy.Length);

            // Close the connection
            client.Close();

            Console.WriteLine("Policy file served.");
        }
    }

    So we have a working policy server. It cannot be tested on its own yet, because the Silverlight add-in does not let a policy file be requested explicitly: it requests the file automatically the first time an application tries to open a socket. Note also that, as written, HandleRequest() never compares what it read against policyRequestString, so the policy is handed to any client that connects; a production server should verify the request before answering. Before a client can be written for this socket application, the socket server itself must be created.
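    As an added example (not code from the page or from the Silverlight sample it describes), here is the same policy handshake in Python with the check that the comment in HandleRequest() only hints at: the server reads exactly the length of `<policy-file-request/>`, serves the policy only on an exact match, and sends nothing otherwise. The policy XML and the HTTP probe request are constructed for this example, and the exchange runs over loopback on an ephemeral port rather than on Silverlight's real port 943.

```python
import socket
import threading

# Constructed sample policy for this example (not the page's clientaccesspolicy.xml).
CLIENT_ACCESS_POLICY = b"""<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <socket-resource port="4502-4534" protocol="tcp" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# The fixed handshake string the Silverlight runtime sends to port 943
# before it opens any socket to the host.
POLICY_REQUEST = b"<policy-file-request/>"


def read_exact(sock, n, timeout):
    """Read up to n bytes, stopping early on EOF or timeout.
    Returns whatever arrived; the caller compares it with the expected request."""
    sock.settimeout(timeout)
    data = b""
    while len(data) < n:
        try:
            part = sock.recv(n - len(data))
        except socket.timeout:
            break
        if not part:
            break
        data += part
    return data


def handle_policy_request(conn, policy=CLIENT_ACCESS_POLICY, timeout=5.0):
    """Serve the policy only when the exact request string was received.
    Returns True if the policy was sent, False if the request was rejected."""
    try:
        request = read_exact(conn, len(POLICY_REQUEST), timeout)
        if request != POLICY_REQUEST:
            return False  # HTTP probe, garbage or short read: send nothing
        conn.sendall(policy)
        return True
    finally:
        conn.close()


def run_exchange(request, policy=CLIENT_ACCESS_POLICY, timeout=5.0):
    """Run one client/server exchange over loopback on an ephemeral port.
    Returns (served, response): the server's decision and the bytes the client got."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def server():
        conn, _ = listener.accept()
        result["served"] = handle_policy_request(conn, policy, timeout)

    t = threading.Thread(target=server)
    t.start()

    client = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    client.sendall(request)
    # Half-close so a short request is seen as EOF instead of waiting out the timeout.
    client.shutdown(socket.SHUT_WR)
    response = b""
    while True:
        part = client.recv(4096)
        if not part:
            break
        response += part
    client.close()

    t.join()
    listener.close()
    return result["served"], response


if __name__ == "__main__":
    served, body = run_exchange(POLICY_REQUEST)
    print("valid request served:", served, len(body), "bytes")
    served, body = run_exchange(b"GET / HTTP/1.0\r\n\r\n")
    print("HTTP probe served:", served, len(body), "bytes")
```

    run_exchange() returns the server's decision together with the bytes the client received, so the two calls under __main__ show a valid client getting the policy and an HTTP probe getting an empty response. The client half-closes its side after sending only so that a short or malformed request does not wait out the receive timeout; the real Silverlight runtime does not do that, which is why the server keeps its own timeout, just as the C# version sets ReceiveTimeout.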


    When you install Windows Server, most of the non-essential subsystems are not activated or installed. This is done for security reasons: because the system is secure by default, administrators can enable only what the server needs to do and nothing else. To turn on the functionality you want, Windows prompts you to select a server role.

    Roles

    A server role is a set of programs that, when properly installed and configured, enable a computer to perform a specific function for multiple users or other computers on a network. In general, all roles have the following characteristics.

    • They define the main function or purpose of a computer. You can dedicate a computer to a single role that is heavily used in the enterprise, or have it play several roles that are each used only occasionally.
    • Roles give users throughout the organization access to resources that are managed by other computers, such as websites, printers, or files stored on different computers.
    • They usually have their own databases that queue user or computer requests or record information about network users and computers associated with a role. For example, Active Directory Domain Services contains a database for storing the names and hierarchical relationships of all computers on a network.
    • Once properly installed and configured, roles function automatically. This allows the computers on which they are installed to perform assigned tasks with limited user interaction.

    Role Services

    Role services are programs that provide the functionality of a role. When you install a role, you can choose which services it provides to other users and computers in the enterprise. Some roles, such as the DNS server, perform only one function, so there are no role services for them. Other roles, such as Remote Desktop Services, have several services that you can install based on your enterprise's remote access needs. A role can be thought of as a collection of closely related, complementary role services. In most cases, installing a role means installing one or more of its services.

    Components

    Components (features, in the Add Roles and Features Wizard) are programs that are not directly part of a role but support or extend the functionality of one or more roles, or of the server as a whole, regardless of which roles are installed. For example, the Failover Clustering feature extends roles such as File Services and DHCP Server by allowing them to join server clusters, which increases redundancy and performance. Another feature, the Telnet Client, allows remote communication with a Telnet server over a network connection and so broadens the server's communication options.

    When Windows Server is running in Server Core mode, the following server roles are supported:

    • Active Directory Certificate Services;
    • Active Directory Domain Services;
    • DHCP Server;
    • DNS Server;
    • File Services (including File Server Resource Manager);
    • Active Directory Lightweight Directory Services;
    • Hyper-V;
    • Print and Document Services;
    • Streaming Media Services;
    • Web Server (including a subset of ASP.NET);
    • Windows Server Update Services;
    • Active Directory Rights Management Services;
    • Routing and Remote Access Server and the following sub-roles:
      • Remote Desktop Connection Broker;
      • Licensing;
      • Virtualization.

    When Windows Server is running in Server Core mode, the following server features are supported:

    • Microsoft .NET Framework 3.5;
    • Microsoft .NET Framework 4.5;
    • Windows PowerShell;
    • Background Intelligent Transfer Service (BITS);
    • BitLocker Drive Encryption;
    • BitLocker Network Unlock;
    • BranchCache;
    • Data Center Bridging;
    • Enhanced Storage;
    • Failover Clustering;
    • Multipath I/O;
    • Network Load Balancing;
    • Peer Name Resolution Protocol (PNRP);
    • qWave;
    • Remote Differential Compression;
    • Simple TCP/IP Services;
    • RPC over HTTP Proxy;
    • SMTP Server;
    • SNMP Service;
    • Telnet Client;
    • Telnet Server;
    • TFTP Client;
    • Windows Internal Database;
    • Windows PowerShell Web Access;
    • Windows Process Activation Service;
    • Windows Standards-Based Storage Management;
    • WinRM IIS Extension;
    • WINS Server;
    • WoW64 Support.

    Installing server roles using Server Manager

    To add a role, open Server Manager and, in the Manage menu, click Add Roles and Features:

    The Add Roles and Features Wizard opens. Click Next.

    On the Installation Type page, select Role-based or feature-based installation and click Next.

    On the Server Selection page, select the server and click Next. On the Server Roles page, select the roles you need and, where prompted, their role services, then click Next to select features. During this procedure, the Add Roles and Features Wizard automatically warns you of conflicts on the destination server that may prevent installation or normal operation of the selected roles or features, and prompts you to add the roles, role services, and features that the selected ones require.

    Installing roles with PowerShell

    Open Windows PowerShell and run Get-WindowsFeature to list the roles and features that are installed on, or available for, the local server. The Name column of its output gives the command names you pass to Install-WindowsFeature.

    Run Get-Help Install-WindowsFeature to view the syntax and valid parameters of the Install-WindowsFeature cmdlet.

    Then run the following command, giving -Name the feature name from the Get-WindowsFeature output (-Restart restarts the server automatically if the role installation requires it):

    Install-WindowsFeature -Name -Restart

    Description of roles and role services

    The roles and their role services are described below. First, let's look in more detail at the two roles that are most common in our practice: Web Server (IIS) and Remote Desktop Services.

    Detailed description of IIS

    • Common HTTP Features - Basic HTTP Components
      • Default Document - allows you to set the index page for the site.
      • Directory Browsing - Allows users to view the contents of a directory on a web server. Use Directory Browsing to automatically generate a list of all directories and files in a directory when users don't specify a file in the URL and the index page is disabled or not configured
      • HTTP Errors - allows you to customize the error messages returned to clients in the browser.
      • Static Content - allows you to post static content, such as images or html files.
      • HTTP Redirection - Provides support for redirecting user requests.
      • WebDAV Publishing allows you to publish files from a web server using the HTTP protocol.
    • Health and Diagnostics Features - Diagnostic components
      • HTTP Logging provides logging of website activity for a given server.
      • Custom Logging provides support for creating custom logs that are different from "traditional" logs.
      • Logging Tools provides a framework for managing web server logs and automating common logging tasks.
      • ODBC Logging provides a framework that supports logging of web server activity to an ODBC-compliant database.
      • Request Monitor provides a framework for monitoring the state of web applications by collecting information about HTTP requests in an IIS worker process.
      • Tracing provides a framework for diagnosing and troubleshooting web applications. By using failed request tracing, you can track hard-to-find events such as poor performance or authentication failures.
    • Performance components to increase the performance of the web server.
      • Static Content Compression provides a framework for configuring HTTP compression of static content
      • Dynamic Content Compression provides a framework for configuring HTTP compression of dynamic content.
    • Security components
      • Request Filtering allows you to screen all incoming requests and reject them according to rules set by the administrator (for example, by URL length, file extension, or HTTP verb).
      • Basic Authentication requires a valid Windows user name and password. The credentials are sent base64-encoded, not encrypted, so use it only over HTTPS.
      • Centralized SSL Certificate Support allows you to store certificates in a central location, such as a file share, instead of on every server.
      • Client Certificate Mapping Authentication uses client certificates to authenticate users, mapping them to accounts through Active Directory.
      • Digest Authentication works by sending a password hash to a Windows domain controller to authenticate users. If you need more security than Basic authentication provides, consider using Digest authentication.
      • IIS Client Certificate Mapping Authentication uses client certificates to authenticate users, with the mappings stored in IIS itself. A client certificate is a digital ID obtained from a trusted source.
      • IP and Domain Restrictions allows you to allow or deny access based on the requesting IP address or domain name.
      • URL Authorization allows you to create rules that restrict access to web content.
      • Windows Authentication allows Windows domain administrators to use the domain infrastructure (Kerberos or NTLM) for user authentication.
    • Application Development Features
    • FTP Server
      • FTP Service Enables FTP publishing to a web server.
      • FTP Extensibility Enables support for FTP features that extend the functionality of
    • Management Tools
      • IIS Management Console installs IIS Manager, which allows you to manage the web server through a GUI.
      • IIS 6.0 Management Compatibility provides backward compatibility for applications and scripts that use the Admin Base Object (ABO) and Active Directory Service Interface (ADSI) APIs, so existing IIS 6.0 scripts can be used with the IIS 8.0 web server.
      • IIS Management Scripts and Tools provide the infrastructure for managing the IIS web server programmatically, from a command prompt or by running scripts.
      • Management Service provides the infrastructure for configuring the IIS user interface, IIS Manager, including remote management of the web server.

    Detailed description of RDS

    • Remote Desktop Connection Broker - Reconnects client devices to their existing sessions and distributes new connections across session-based desktops, RemoteApp programs, and virtual desktops.
    • Remote Desktop Gateway - Allows authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on the corporate network from the Internet.
    • Remote Desktop Licensing - Manages the RDS client access licenses (CALs) required to connect to a session host.
    • Remote Desktop Session Host - The server that hosts RemoteApp programs or session-based desktops.
    • Remote Desktop Virtualization Host - Integrates with Hyper-V to provide virtual machines that serve as personal virtual desktops or virtual desktop pools.
    • Remote Desktop Web Access - Allows users to connect to desktop resources through the Start menu or a web browser.

    Let's go through installing and configuring a terminal (RDS) license server. Roles are installed as described above, and RDS is no different; in Role Services select Remote Desktop Licensing and Remote Desktop Session Host. After installation, a Terminal Services item appears under Server Manager - Tools. It contains two tools: RD Licensing Diagnoser, which diagnoses the operation of Remote Desktop licensing, and Remote Desktop Licensing Manager, which manages the licenses.

    Run RD Licensing Diagnoser

    Here we can see that no licenses are available yet, because the licensing mode has not been set for the RD Session Host server. The license server is specified through local group policy. To start the editor, run gpedit.msc. In the Local Group Policy Editor, expand the following nodes in the tree on the left:

    • Computer Configuration
    • Administrative Templates
    • Windows Components
    • Remote Desktop Services
    • Remote Desktop Session Host
    • Licensing

    Open the policy Use the specified Remote Desktop license servers.

    In the policy editing window, set the policy to Enabled. Then specify the license server for Remote Desktop Services; in my example it is on the same physical server. Enter the network name or IP address of the license server and click OK. If the license server's name changes in the future, you will need to change it in the same policy. The licensing mode that the Diagnoser complained about is set by the neighbouring policy in the same folder, Set the Remote Desktop licensing mode (Per Device or Per User), and must match the type of CALs installed on the license server.

    After that, in the RD Licensing Diagnoser, you can see that the terminal license server is configured, but not enabled. To enable, run Remote Desktop Licensing Manager

    Select the licensing server, with the status Not Activated . To activate, right-click on it and select Activate Server. The Server Activation Wizard will start. On the Connection Method tab, select Automatic Connection. Next, fill in the information about the organization, after that the license server is activated.

    Active Directory Certificate Services

    AD CS provides configurable services for issuing and managing digital certificates that are used in software security systems that use public key technologies. Digital certificates provided by AD CS can be used to encrypt and digitally sign electronic documents and messages. These digital certificates can be used to authenticate computer, user, and device accounts on the network. Digital certificates are used to provide:

    • privacy through encryption;
    • integrity through digital signatures;
    • authentication by linking certificate keys to computer, user, and device accounts on the network.

    AD CS can be used to improve security by binding the identity of a user, device, or service to a corresponding private key. Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPNs), IPsec, Encrypting File System (EFS), smart card logon, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and digital signatures.

    Active Directory Domain Services

    Using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for managing users and resources, and support directory-enabled applications such as Microsoft Exchange Server. AD DS provides a distributed database that stores and manages information about network resources and directory-enabled application data. A server that runs AD DS is called a domain controller. Administrators use AD DS to organize network elements such as users, computers, and other devices into a hierarchical, nested structure: the Active Directory forest, the domains in the forest, and the organizational units in each domain. Security is integrated into AD DS through authentication and access control for the resources in the directory. With a single network logon, administrators can manage directory information and organization across the network, and authorized users can access resources located anywhere on the network. Active Directory Domain Services also provides the following.

    • A set of rules, the schema, that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of those objects, and the format of their names.
    • A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to search directory data regardless of which domain in the forest actually holds it.
    • A query and indexing mechanism through which objects and their properties can be published and located by network users and applications.
    • A replication service that distributes directory data across a network. All writable domain controllers in the domain participate in replication and contain a complete copy of all directory data for their domain. Any changes to directory data are replicated in the domain to all domain controllers.
    • Operations master roles (also known as flexible single master operations, or FSMOs). Domain controllers that act as masters of operations are designed to perform special tasks to ensure data consistency and avoid conflicting directory entries.

    Active Directory Federation Services

    AD FS provides end users who need access to applications in an AD FS-secured enterprise, in federation partner organizations, or in the cloud with simplified, secure identity federation and web-based single sign-on (SSO). Windows Server AD FS includes the Federation Service role service, which acts as an identity provider (it authenticates users and issues security tokens to applications that trust AD FS) or as a federation provider (it accepts tokens from other identity providers and then issues security tokens to applications that trust AD FS).

    Active Directory Lightweight Directory Services

    Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory service that provides flexible support for directory-enabled applications without the dependencies and domain-specific restrictions of Active Directory Domain Services. AD LDS can run on member or standalone servers, and multiple instances with independently managed schemas can run on the same server. With the AD LDS role, you can provide directory services to directory-enabled applications without storing their data in the domain or forest directory and without requiring a single forest-wide schema.

    Active Directory Rights Management Services

    You can use AD RMS to extend your organization's security strategy by securing documents using Information Rights Management (IRM). AD RMS allows users and administrators to assign access permissions to documents, workbooks, and presentations using IRM policies. This allows you to protect confidential information from being printed, forwarded, or copied by unauthorized users. Once a file's permissions are restricted using IRM, access and usage restrictions apply regardless of the location of the information, because the file's permission is stored in the document file itself. With AD RMS and IRM, individual users can apply their own preferences regarding the transfer of personal and confidential information. They will also help an organization enforce corporate policies to control the use and distribution of sensitive and personal information. The IRM solutions supported by AD RMS are used to provide the following capabilities.

    • Persistent usage policies that stay with information whether it is moved, sent, or forwarded.
    • An additional layer of privacy to protect sensitive data - such as reports, product specifications, customer information, and email messages - from intentionally or accidentally falling into the wrong hands.
    • Prevent unauthorized sending, copying, editing, printing, faxing, or pasting of restricted content by authorized recipients.
    • Prevent copying of restricted content using the PRINT SCREEN feature in Microsoft Windows.
    • Support for file expiration, preventing document content from being viewed after a specified period of time.
    • Implement corporate policies that govern the use and distribution of content within the organization

    Application Server

    Application Server provides an integrated environment for deploying and running custom server-based business applications.

    DHCP Server

    DHCP is a client-server technology that allows DHCP servers to assign, or lease, IP addresses to computers and other devices that are DHCP clients. Deploying DHCP servers on a network automatically provides client computers and other network devices with valid IPv4 and IPv6 addresses and the additional configuration settings they need. The DHCP Server service in Windows Server includes support for policy-based assignment and DHCP failover.

    DNS Server

    DNS is a hierarchical, distributed database that maps DNS domain names to various types of data, such as IP addresses. It lets you use friendly names such as www.microsoft.com to locate computers and other resources on TCP/IP networks. The DNS Server role in Windows Server provides enhanced support for DNS Security Extensions (DNSSEC), including online signing and automated key management.

    FAX Server

    Fax Server sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on your fax server.

    File and Storage Services

    Administrators can use the File and Storage Services role to set up multiple file servers and their storages, and to manage those servers using Server Manager or Windows PowerShell. Some specific applications include the following features.

    • Work Folders. Use to allow users to store and access work files on personal computers and devices other than corporate PCs. Users get a convenient place to store work files and access them from anywhere. Organizations control corporate data by storing files on centrally managed file servers and optionally setting user device policies (such as encryption and screen lock passwords).
    • Data deduplication. Use to reduce disk space requirements for storing files, saving money on storage.
    • iSCSI target server. Use to create centralized, software and device-independent iSCSI disk subsystems in storage area networks (SANs).
    • Storage Spaces. Use to deploy storage that is highly available, resilient, and scalable with cost-effective, industry-standard drives.
    • Server Manager. Use to remotely manage multiple file servers from a single window.
    • Windows PowerShell. Use to automate the management of most file server administration tasks.

    Hyper-V

    The Hyper-V role allows you to create and manage a virtualized computing environment using the virtualization technology built into Windows Server. Installing the Hyper-V role installs prerequisites and optional management tools. Prerequisites include the Windows hypervisor, Hyper-V Virtual Machine Management Service, WMI virtualization provider, and virtualization components such as VMbus, Virtualization Service Provider (VSP), and Virtual Infrastructure Driver (VID).

    Network Policy and Access Services

    Network Policy and Access Services provides the following network connectivity solutions:

    • Network Access Protection is a technology for creating, enforcing, and remediating client health policies. With Network Access Protection, system administrators can set and automatically enforce health policies that include requirements for software, security updates, and other settings. For client computers that do not comply with the health policy, you can restrict access to the network until their configuration is updated to comply with the policy requirements.
    • If 802.1X-enabled wireless access points are deployed, you can use Network Policy Server (NPS) to deploy certificate-based authentication methods that are more secure than password-based authentication. Deploying 802.1X-enabled hardware with an NPS server allows intranet users to be authenticated before they can connect to the network or obtain an IP address from a DHCP server.
    • Instead of configuring a network access policy on each network access server, you can centrally create all policies that will define all aspects of network connection requests (who can connect, when a connection is allowed, the security level that must be used to connect to the network ).

    Print and Document Services

    Print and Document Services allows you to centralize print server and network printer tasks. This role also lets you receive scanned documents from network scanners and route them to network shares, a Windows SharePoint Services site, or e-mail.

    Remote Access

    The Remote Access Server role is a logical grouping of the following network access technologies.

    • Direct Access
    • Routing and remote access
    • Web Application Proxy

    These technologies are the role services of the Remote Access server role. When you install the role, you can install one or more of them by running the Add Roles and Features Wizard.

    On Windows Server, the Remote Access Server role provides the ability to centrally administer, configure, and monitor DirectAccess and VPN with Routing and Remote Access Service (RRAS) remote access services. DirectAccess and RRAS can be deployed on the same Edge Server and managed using Windows PowerShell commands and Remote Access Management Console (MMC).

    Remote Desktop Services

    Remote Desktop Services accelerates and expands the deployment of desktops and applications on any device, making the remote worker more efficient while securing critical intellectual property and simplifying compliance. Remote Desktop Services includes Virtual Desktop Infrastructure (VDI), session-based desktops, and applications, giving users the ability to work from anywhere.

    Volume Activation Services

    Volume Activation Services is a server role in Windows Server, starting with Windows Server 2012, that automates and simplifies the issuance and management of Microsoft software volume licenses in a variety of scenarios and environments. With Volume Activation Services you can install and configure the Key Management Service (KMS) and Active Directory-based activation.

    Web Server (IIS)

    The Web Server (IIS) role in Windows Server provides a platform for hosting Web sites, services, and applications. Using a web server provides access to information to users on the Internet, intranet, and extranet. Administrators can use the Web Server (IIS) role to set up and manage multiple websites, web applications, and FTP sites. Special features include the following.

    • Use Internet Information Services (IIS) Manager to configure IIS components and administer websites.
    • Using the FTP protocol to allow website owners to upload and download files.
    • Using website isolation to prevent one website on the server from affecting others.
    • Hosting web applications developed with various technologies such as Classic ASP, ASP.NET, and PHP.
    • Use Windows PowerShell to automatically manage most web server administration tasks.
    • Consolidate multiple web servers into a server farm that can be managed using IIS.

    Windows Deployment Services

    Windows Deployment Services allows you to deploy Windows operating systems over a network, which means you don't have to install each operating system directly from a CD or DVD.

    Windows Server Essentials Experience

    This role allows you to perform the following tasks:

    • protect server and client data by backing up the server and all client computers on the network;
    • manage users and user groups through a simplified server dashboard. In addition, integration with Windows Azure Active Directory gives users easy access to Microsoft Online Services (such as Office 365, Exchange Online, and SharePoint Online) using their domain credentials;
    • store company data in a centralized location;
    • integrate the server with Microsoft Online Services (such as Office 365, Exchange Online, SharePoint Online, and Windows Intune):
    • use ubiquitous access features on the server (such as remote web access and virtual private networks) to access the server, network computers, and data from highly secure remote locations;
    • access data from anywhere and from any device using the organization's own web portal (through remote web access);
    • manage, from the dashboard, the mobile devices that access your organization's Office 365 e-mail via the ActiveSync protocol;
    • monitor network health and receive customizable health reports; reports can be generated on demand, customized, and emailed to specific recipients.

    Windows Server Update Services

    The WSUS server provides the components that administrators need to manage and distribute updates through the management console. In addition, the WSUS server can be the source of updates for other WSUS servers in the organization. When implementing WSUS, at least one WSUS server on the network must be connected to Microsoft Update to receive information about available updates. Depending on the network's security and configuration, an administrator can determine how many other servers are directly connected to Microsoft Update.
