Post on 10-Jan-2017
BHEL
(BHARAT HEAVY ELECTRICALS LIMITED)
PROJECT REPORT:
1. Re-designing, Prevention of Security Vulnerabilities and Session
Management in Contract Monitoring System, BHEL PSER
2. Configuring and Managing AD DS in Clustering Mode with DNS and
DHCP Server
Submitted by: Nilabja Bhattacharya
B. Tech in Information technology
Roll: 131011006039
6th Semester (2013-2017)
Jalpaiguri Government Engineering College
(Autonomous)
Submitted to: Mr. Amitava Chakrabarti
AGM (IT, SYSTEMS & MSX)
BHEL, PSER, KOLKATA
Acknowledgement
The training opportunity I had with BHEL, PSER IT department was a great chance
for learning and professional development. I am grateful for having a chance to meet
so many professionals who led me though this training period.
I express my deepest gratitude to Mr. Amitava Chakrabarti (AGM Head BHEL PSER/
IT,SYSTEMS &MSX) for allowing me to carry out the project at the esteemed
organization.
I perceive this opportunity as a big milestone in my career development. I will strive
to use gained skills and knowledge in the best possible way, and I will continue to
work on their improvement, in order to attain desired career objectives.
Sincerely,
Nilabja Bhattacharya Information Technology
6th Semester
Jalpaiguri Government Engineering College
(Autonomous)
INDEX
1. Acknowledgement
2. About BHEL
History
Operations
Research and Development
Vision of BHEL
Mission of BHEL
Values of BHEL
Information Technology
3. Project Title
4. Project 1
Introduction
SQL Injection
Cross-Site Scripting
Session Management
Scope of Project
Objective of Project
Development Tools
System Specification
Software Requirement
Working Procedure
UML (Activity Diagram)
User Manual for Contract Monitoring System, BHEL,
PSER
User Manual for Admin User
User Manual for Employee User
5. Project 2
Introduction
Installing AD DS in Windows Server 2008
Setting Up PDC
Setting Up ADC
Installing DHCP Server in Windows Server 2008
Installing DNS Server in Windows 2008
System Specification
Server Specification
Client Specification
6. Conclusion
7. Bibliography
8. Annexure
Unit Testing
Vulnerability Testing
Bharat Heavy Electricals Limited (BHEL)
Bharat Heavy Electricals Limited (BHEL), owned by the Government of India, is a
power plant equipment manufacturer and operates as an engineering and
manufacturing company based in New Delhi, India. Established in 1964, BHEL is
India's largest engineering and manufacturing company of its kind. The company has
been earning profits continuously since 1971-72 and paying dividends uninterruptedly
since 1976-77.
It has been granted the prestigious Maharatna (big gem) status in 2013 by Govt of
India for its outstanding performance. The elite list of maharatna contains another 6
behemoth PSU companies of India.
History
BHEL was established in 1964. Heavy Electricals (India) Limited was merged with
BHEL in 1974. In 1982, it entered into power equipment, to reduce its dependence on
the power sector. It developed the capability to produce a variety of electrical,
electronic and mechanical equipment for all sectors, including transmission,
transportation, oil and gas and other allied industries. In 1991, it was converted into a
public limited company. By the end of 1996, the company had handed over 100
Electric Locomotives to Indian Railways and installed 250 Hydro-sets across India.
Operations
BHEL is engaged in the design, engineering, manufacturing, construction, testing,
commissioning and servicing of a wide range of products, systems and services for the
core sectors of the economy, viz. power, transmission, industry, transportation,
renewable energy, oil & gas and defence.
It has a network of 17 manufacturing units, 2 repair units, 4 regional offices, 8 service
centres, 8 overseas offices, 15 regional centres, 7 joint ventures, and infrastructure
allowing it to execute more than 150 projects at sites across India and abroad. The
company has established the capability to deliver 20,000 MW p.a. of power
equipment to address the growing demand for power generation equipment.
BHEL has retained its market leadership position during 2015-16 with 74% market
share in the Power Sector. An improved focus on project execution enabled BHEL
record its highest ever commissioning/synchronization of 15059 MW of power plants
in domestic and international markets in 2015-16, marking a 59% increase over 2014-
15. With the all-time high commissioning of 15000 MW in a single year FY2015-16,
BHEL has exceeded 170 GW installed base of power generating equipments.
It also has been exporting its power and industry segment products and services for
over 40 years. BHEL's global references are spread across over 76 countries across all
the six continents of the world. The cumulative overseas installed capacity of BHEL
manufactured power plants exceeds 9,000 MW across 21 countries including
Malaysia, Oman, Iraq, UAE, Bhutan, Egypt and New Zealand. Their physical exports
range from turnkey projects to after sales services.
Research and Development
BHEL's investment in R&D is amongst the largest in the corporate sector in India.
During the year 2012-13, the company invested about Rs. 1,252 Crore on R&D
efforts, which corresponds to nearly 2.50% of the turnover of the company, focusing
on new product and system developments and improvements in existing products for
cost competitiveness, higher reliability, efficiency, availability and quality etc. To
meet customer expectations, the company has upgraded its products to contemporary
levels through continuous in-house efforts as well as through acquisition of new
technologies from leading engineering organizations of the world. The IPR
(Intellectual Property Rights) capital of BHEL grew by 21.5% in the year, taking the
total to 2170.
The Corporate R&D division at Hyderabad leads BHEL’s research efforts in a number
of areas of importance to BHEL’s product range. Research & product development
(RPD) Groups for each product group at the manufacturing divisions play a
complementary role. BHEL has established Centres of Excellence for Simulators,
Computational Fluid Dynamics, Permanent Magnet Machines, Surface Engineering,
Machine Dynamics, Centre for Intelligent Machines and Robotics, Compressors &
Pumps, Centre for Nano Technology, Ultra High Voltage Laboratory at Corporate
R&D; Centre of Excellence for Hydro Machines at Bhopal; Power Electronics and
IGBT & Controller Technology at Electronics Division, Bengaluru, and Advanced
Fabrication Technology and Coal Research Centre at Tiruchirappalli.
BHEL has established four specialized institutes, viz., Welding Research Institute
(WRI) at Tiruchirappalli, Ceramic Technological Institute (CTI) at Bangalore, Centre
for Electric Traction (CET) at Bhopal and Pollution Control Research Institute (PCRI)
at Haridwar. Amorphous Silicon Solar Cell plant at Gurgaon pursues R&D in Photo
Voltaic applications.
Significantly, BHEL is one of only four Indian companies, and the only Indian
Public Sector Enterprise, figuring in 'The Global Innovation 1000' of Booz & Co., a
list of the 1,000 publicly traded companies that are the biggest spenders on R&D in the
world.
Vision of BHEL
They work with a vision of becoming a global engineering enterprise providing
solutions for a better tomorrow.
Their greatest strength is their highly skilled and committed workforce of 48,399
employees. Every employee is given an equal opportunity to develop himself/herself
and grow in his/her career. Continuous training and retraining, career planning, a
positive work culture and a participative style of management have all engendered
the development of a committed and motivated workforce, setting a new benchmark in
terms of productivity, quality and responsiveness.
Mission of BHEL
Providing sustainable business solutions in the field of Energy, Industry and
Infrastructure.
Values of BHEL
Governance: We are stewards of our shareholders’ investments and we take that
responsibility very seriously. We are accountable and responsible for delivering
superior results that make difference in lives of people we touch.
Respect: We value the unique contribution of each individual. We believe in respect
for human dignity and we respect the need to preserve the environment around us.
Excellence: We are committed to deliver and demonstrate excellence in whatever we
do.
Loyalty: We are loyal to our customer, to our company and to each other.
Integrity: We work with highest ethical standards and demonstrate a behaviour that is
honest, decent and fair. We are dedicated to the highest levels of personal and
institutional integrity.
Commitment: We set high performance standards for ourselves as individuals and our
teams. We honour our commitment in a timely manner.
Innovation: We constantly support development of newer technologies, products
improved processes, better services and management practices.
Team Work: We work together as a team to provide best solutions and services to our
customers. Through quality relationships with all stakeholders we deliver value to our
customer.
IT, Systems & MSX
BHEL PSER’s Information Technology Department is committed to Integrity,
Confidentiality, Availability and Security of its Information at all times for continuity
and efficiency of IT functions/services and serving the needs of the organisation of its
vision, mission and values while meeting all regulatory requirements for a secured,
pertinent and well established IT and communication set up for improvement in
productivity, reduction in processing time, confidentiality, integrity and business
information.
Key Processes of IT & Sys
IT Budgeting
Procurement of IT Equipment
Sys Admin and Database Management
Network Management
IT Facility Management
Computerised System Development and Maintenance
ISMS
E Waste Management
Key Processes of MSX
Generation of MIRs
Preparation for Monthly Management Committee Meeting
Corporate Reporting on Unit Performance
Project Title
1. Re-designing, Prevention of Security Vulnerabilities, and Session Management
in Contract Monitoring System
2. Configuring and Managing AD DS in Clustering Mode with DNS and DHCP
Server
Project 1
Introduction
In computer security, a vulnerability is a weakness which allows an attacker to
reduce a system's information assurance. Vulnerability is the intersection of three
elements: a system susceptibility or flaw, attacker access to the flaw, and attacker
capability to exploit the flaw.
Vulnerability management is the cyclical practice of identifying, classifying,
remediating, and mitigating vulnerabilities. This practice generally refers to software
vulnerabilities in computing systems.
A security risk may be classified as a vulnerability, but using vulnerability as a
synonym for risk leads to confusion. Risk is tied to the potential for a significant
loss, so there can be vulnerabilities without risk: for example, when the affected asset
has no value. A vulnerability with one or more known instances of working and fully
implemented attacks is classified as an exploitable vulnerability, that is, a
vulnerability for which an exploit exists. The window of vulnerability is the time from
when the security hole was introduced or manifested in deployed software to when
access was removed, a security fix was available and deployed, or the attacker was
disabled.
A resource (either physical or logical) may have one or more vulnerabilities that can
be exploited by a threat agent in a threat action. The result can potentially compromise
the confidentiality, integrity or availability of resources (not necessarily the vulnerable
one) belonging to an organization and/or others parties involved (customers,
suppliers).The so-called CIA triad is the basis of Information Security.
An attack can be active when it attempts to alter system resources or affect their
operation, compromising integrity or availability. A "passive attack" attempts to learn
or make use of information from the system but does not affect system resources,
compromising confidentiality.
OWASP depicts the same phenomenon in slightly different terms: a threat agent
through an attack vector exploits a weakness (vulnerability) of the system and the
related security controls, causing a technical impact on an IT resource (asset)
connected to a business impact.
The overall picture represents the risk factors of the risk scenario
Common types of software flaws that lead to vulnerabilities include:
Memory safety violations
Buffer overflows and over-reads
Dangling pointers
Input validation errors, such as:
o Format string attacks
o SQL injection
o Cross-site scripting
o Directory traversal
Cross-site scripting in web applications
HTTP header injection
HTTP response splitting
Race conditions, such as:
o Time-of-check-to-time-of-use bugs
o Symlink races
Privilege-confusion bugs:
Cross-site request forgery in web applications
Clickjacking
FTP bounce attack
Privilege escalation
User interface failures:
Warning fatigue or user conditioning.
Blaming the Victim Prompting a user to make a security decision without
giving the user enough information to answer it.
Race Condition.
Our project deals with prevention of SQL Injection, prevention of Cross-Site
Scripting, and Session Management in Contract Monitoring System of BHEL PSER.
SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the
input data from the client to the application. A successful SQL injection exploit can
read sensitive data from the database, modify database data (Insert/Update/Delete),
execute administration operations on the database (such as shutting down the DBMS),
recover the content of a given file present on the DBMS file system and in some cases
issue commands to the operating system. SQL injection attacks are a type of injection
attack, in which SQL commands are injected into data-plane input in order to effect
the execution of predefined SQL commands.
Threat Modeling
SQL injection attacks allow attackers to spoof identity, tamper with existing data,
cause repudiation issues such as voiding transactions or changing balances, allow the
complete disclosure of all data on the system, destroy the data or make it otherwise
unavailable, and become administrators of the database server.
SQL injection is very common in PHP and ASP applications because of the prevalence
of older functional database interfaces. Because of the programmatic interfaces
available, J2EE and ASP.NET applications are less likely to have easily exploited SQL
injections; the caveat is that code on any platform that concatenates user input into
a query string is vulnerable, the interface only makes the safe path easier to take.
The severity of SQL injection attacks is limited by the attacker’s skill and
imagination and, to a lesser extent, by defence-in-depth countermeasures such as
low-privilege connections to the database server. In general, consider SQL injection
a high-impact severity.
SQL Injection attacks are unfortunately very common, and this is due to two factors:
The significant prevalence of SQL Injection vulnerabilities
The attractiveness of the target (i.e., the database typically contains all the
interesting/critical data for your application).
SQL injection flaws are introduced when software developers create dynamic
database queries that include user-supplied input. Avoiding SQL injection flaws is
simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent
user-supplied input that contains malicious SQL from affecting the logic of the
executed query.
Defenses against SQL injection are:
Primary Defenses:
Option #1: Use of Prepared Statements (Parameterized Queries)
Option #2: Use of Stored Procedures (safe only if the procedure itself does not build
dynamic SQL from its arguments)
Option #3: Escaping all User Supplied Input (database-specific and the weakest of the
three; use it only where the first two are not possible)
Additional Defenses:
Also Enforce: Least Privilege
Also Perform: White List Input Validation
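The two primary defenses above, shown side by side as an added example that is not code from the report or from the Contract Monitoring System (which is Java/JDBC on Oracle). Python's sqlite3 module stands in for JDBC: `execute(sql, params)` plays the role of a PreparedStatement with setString(). The `staff` table, the record in it and the six-digit staff-number rule are constructed for the demo, and the clear-text password exists only to keep the example short.

```python
"""SQL injection: a query built by string concatenation beside the same
query as a parameterized (prepared) statement.

Added illustration for this report, not code from the BHEL Contract
Monitoring System. Python's sqlite3 module stands in for JDBC; the
in-memory `staff` table and its one record are constructed for the demo,
and the password is stored in clear text only to keep the example short
(a real system stores salted password hashes).
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed staff record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (staff_no TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO staff VALUES ('100234', 'correct-horse')")
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, staff_no: str, password: str) -> bool:
    """VULNERABLE: user input becomes part of the SQL text.

    A staff number of   ' OR '1'='1   makes the WHERE clause always true,
    and   100234'--   comments out the password check entirely.
    """
    sql = ("SELECT staff_no FROM staff WHERE staff_no = '" + staff_no
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, staff_no: str, password: str) -> bool:
    """FIXED: placeholders fix the query structure before the values are
    bound, so the values are never parsed as SQL (the PreparedStatement idea).
    """
    sql = "SELECT staff_no FROM staff WHERE staff_no = ? AND password = ?"
    return conn.execute(sql, (staff_no, password)).fetchone() is not None


# Assumed format for a staff number (six digits): an allow-list rule chosen
# for the demo, not one taken from the report.
STAFF_NO_RE = re.compile(r"^[0-9]{6}$")


def login_validated(conn: sqlite3.Connection, staff_no: str, password: str) -> bool:
    """Defense in depth: allow-list validation in front of the parameterized
    query. Validation alone is not the fix (a password field cannot be
    whitelisted), which is why the query stays parameterized."""
    if not STAFF_NO_RE.match(staff_no):
        return False
    return login_safe(conn, staff_no, password)


if __name__ == "__main__":
    db = make_db()
    for staff_no, password in [("' OR '1'='1", "' OR '1'='1"),
                               ("100234'--", "wrong"),
                               ("100234", "correct-horse")]:
        print(f"{staff_no!r:16} unsafe={login_unsafe(db, staff_no, password)!s:5}"
              f" safe={login_safe(db, staff_no, password)!s:5}"
              f" validated={login_validated(db, staff_no, password)}")
```

Running it shows both payloads logging in through `login_unsafe` and being rejected by `login_safe`, while the genuine credentials work in all three variants. The same applies to an Oracle PreparedStatement: the bound value of a `?` placeholder is data, whatever quotes or comment markers it contains.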
Cross-Site Scripting
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts
are injected into otherwise benign and trusted web sites. XSS attacks occur when an
attacker uses a web application to send malicious code, generally in the form of a
browser side script, to a different end user. Flaws that allow these attacks to succeed
are quite widespread and occur anywhere a web application uses input from a user
within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end
user’s browser has no way to know that the script should not be trusted, and will
execute the script. Because it thinks the script came from a trusted source, the
malicious script can access any cookies, session tokens, or other sensitive information
retained by the browser and used with that site. These scripts can even rewrite the
content of the HTML page.
Cross-Site Scripting (XSS) attacks occur when:
Data enters a Web application through an untrusted source, most frequently a
web request.
The data is included in dynamic content that is sent to a web user without being
validated for malicious content.
The malicious content sent to the web browser often takes the form of a
segment of JavaScript, but may also include HTML, Flash, or any other type of
code that the browser may execute. The variety of attacks based on XSS is
almost limitless, but they commonly include transmitting private data, like
cookies or other session information, to the attacker, redirecting the victim to
web content controlled by the attacker, or performing other malicious
operations on the user's machine under the guise of the vulnerable site.
XSS Prevention
In JSP, XSS can be prevented by using the JSTL <c:out> tag or the fn:escapeXml() EL
function whenever user-controlled input is (re)displayed. This covers the whole
request: headers, cookies, URL, body, parameters and so on. User-controlled input that
was stored in the database must also be escaped when it is redisplayed, because stored
XSS fires on output, not on input.
For example:
<p><c:out value="${bean.userControlledValue}"/></p>
<p><input name="foo" value="${fn:escapeXml(param.foo)}"></p>
This escapes the characters that could malform the rendered HTML, namely <, >, ", '
and &, into the entities &lt;, &gt;, &#034;, &#039; and &amp;. This encoding is
correct for HTML element content and quoted attribute values; data placed inside a
<script> block, an event-handler attribute or a URL needs a context-specific encoder
instead.
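The escaping described above, as an added example that is not part of the report or of the Contract Monitoring System's code. Python stands in for JSP; the entity table is the one fn:escapeXml applies, while the vendor-name payloads and the report-row template are constructed for the demo.

```python
"""Output encoding against XSS, mirroring what JSTL <c:out> / fn:escapeXml()
do on the Contract Monitoring System's JSP pages.

Added illustration for this report, not the project's own code. Python is
used as a stand-in for JSP; the entity table below is the one fn:escapeXml
applies, and the vendor names and row template are constructed examples.
"""

# The five characters fn:escapeXml replaces, and the entities it emits.
_ESCAPE_XML = {
    "&": "&amp;",    # the escape prefix itself, so input cannot forge entities
    "<": "&lt;",
    ">": "&gt;",
    '"': "&#034;",
    "'": "&#039;",
}


def escape_xml(value) -> str:
    """Return `value` with the five HTML-significant characters encoded.

    A single pass over the characters means an '&' produced by the encoding
    is never itself re-encoded, so the function does not double-escape.
    """
    return "".join(_ESCAPE_XML.get(ch, ch) for ch in str(value))


def render_vendor_row_unsafe(vendor_name: str) -> str:
    """VULNERABLE: user-controlled data dropped straight into the markup, the
    equivalent of <%= vendorName %> or ${vendorName} in a JSP. The value is
    interpolated in two contexts: element content and a quoted attribute."""
    return ('<td>' + vendor_name + '</td>'
            '<input name="vendor" value="' + vendor_name + '">')


def render_vendor_row(vendor_name: str) -> str:
    """FIXED: every interpolation goes through escape_xml(), the equivalent
    of <c:out value="${vendorName}"/> and ${fn:escapeXml(vendorName)}."""
    safe = escape_xml(vendor_name)
    return ('<td>' + safe + '</td>'
            '<input name="vendor" value="' + safe + '">')


if __name__ == "__main__":
    # Constructed stored-XSS payload: a vendor name saved earlier through a
    # data-entry form and redisplayed on the vendor-wise report page.
    stored = "<script>alert(document.cookie)</script>"
    # Constructed payload aimed at the attribute context: closes the quoted
    # value attribute and the <input> tag, then injects its own element.
    attr_break = '"><script>alert(1)</script>'
    for name in (stored, attr_break):
        print("unsafe:", render_vendor_row_unsafe(name))
        print("safe:  ", render_vendor_row(name))
```

In the hardened output both payloads come back as inert text: the browser renders the literal string `<script>alert(document.cookie)</script>` inside the cell, and the attribute-breaking payload stays inside the quotes because its `"` has become `&#034;`.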
Session Management
The HTTP protocol and web servers are stateless: to the web server every request is a
new request to process, and it cannot tell whether it comes from a client that has sent
requests before.
But in web applications we often need to know who the client is and process the
request accordingly. For example, a shopping cart application must know who is
sending the request to add an item, which cart the item has to be added to, and who is
sending the checkout request, so that it charges the correct client.
A session is a conversational state between client and server that can span multiple
requests and responses. Since both HTTP and the web server are stateless, the only
way to maintain a session is to pass some unique information about the session (a
session id) between server and client in every request and response.
There are several ways through which we can provide unique identifier in request and
response.
User Authentication – The most common method: the user supplies credentials on
the login page, and the authentication information is then passed between server
and client to maintain the session. On its own this is not very effective, because
it cannot distinguish the same user logged in from different browsers.
HTML Hidden Field – A unique hidden field is created in the HTML; when the user
starts navigating, its value is set uniquely for that user and used to keep track of
the session. This method cannot be used with plain links, because a form has to be
submitted on every request so that the hidden field travels with it. It is also not
secure, because the value can be read from the HTML source and used to hijack the
session.
URL Rewriting – A session identifier parameter is appended to every request and
response to keep track of the session. This is tedious because the parameter has to
be tracked in every response and kept from clashing with other parameters; it also
exposes the session id in browser history, proxy and server logs and Referer headers.
Cookies – Cookies are small pieces of information sent by the web server in a
response header and stored by the browser. On further requests the browser adds the
cookie to the request header, and the server uses it to keep track of the session.
This works unless the client has disabled cookies.
Session Management API – The Session Management API is built on top of the above
methods for session tracking.
Some of the major disadvantages of all the above methods are:
Most of the time we do not only want to track the session; we also have to store
data in it for use in future requests, which takes a lot of effort to implement by
hand.
None of the above methods is complete in itself; each fails in some scenario. So we
need a solution that can use these methods of session tracking to provide session
management in all cases.
Session in Java Servlet – HttpSession
The Servlet API provides session management through the HttpSession interface. The
session is obtained from the HttpServletRequest object using the following methods.
HttpSession allows us to set objects as attributes that can be retrieved in future
requests.
HttpSession getSession() – Always returns an HttpSession object: the session
attached to the request if there is one, otherwise a newly created session.
HttpSession getSession(boolean create) – With create set to true this behaves like
getSession(); with create set to false it returns the session attached to the request,
or null if the request has none.
JSESSIONID Cookie
When HttpServletRequest.getSession() has to create a new session, it creates the
HttpSession object and also adds a cookie named JSESSIONID, with the session id as
its value, to the response. This cookie identifies the HttpSession object in further
requests from the client. If cookies are disabled on the client side and URL rewriting
is in use, the container instead takes the jsessionid value from the request URL to
find the corresponding session. Because JSESSIONID is reserved for session tracking,
application code should not use it for its own purposes, to avoid session-related
problems. Two further points a practitioner will check: the session id should be
regenerated on login (session.invalidate() followed by a fresh getSession()), so that
a session fixed before authentication cannot be reused after it, and the cookie should
carry the HttpOnly and Secure flags, so that script cannot read it and it is never sent
over plain HTTP.
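The session-tracking mechanisms and the HttpSession behaviour described above, worked through as an added example that is not part of the report or of the Contract Monitoring System's code. A small SessionStore stands in for the servlet container: it issues the session id (the JSESSIONID cookie in Tomcat), binds attributes to it (the setAttribute/getAttribute idea), expires idle sessions, rotates the id on login and invalidates it on sign-out. The 20-minute idle timeout, the cookie attributes and the staff number 100234 are assumptions made for the demo; the clock is injectable so the code runs offline.

```python
"""Cookie-based session management, mirroring what a servlet container's
HttpSession does and adding the safeguards the application must supply.

Added illustration for this report, not the project's own code. The idle
timeout, cookie attributes and staff number are assumptions for the demo.
"""
import secrets
import time
from typing import Callable, Dict, Optional

COOKIE_NAME = "JSESSIONID"
IDLE_TIMEOUT = 20 * 60   # seconds; an assumed value for the demo


class Session:
    def __init__(self, now: float) -> None:
        self.attributes: Dict[str, object] = {}
        self.last_access = now


class SessionStore:
    """Server-side session table; the clock is injected for testability."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG. Never derive the id from a counter,
        # a timestamp or the user id: a guessable id lets an attacker take
        # over someone else's session without ever logging in.
        return secrets.token_urlsafe(32)

    def get_session(self, sid: Optional[str], create: bool = True) -> Optional[str]:
        """Counterpart of HttpServletRequest.getSession(boolean).

        Returns `sid` if it names a live session (refreshing its idle timer),
        otherwise a freshly created id when `create` is True, else None.
        """
        now = self._clock()
        sess = self._sessions.get(sid) if sid else None
        if sess is not None:
            if now - sess.last_access <= IDLE_TIMEOUT:
                sess.last_access = now
                return sid
            del self._sessions[sid]        # idle timeout: drop server state
        if not create:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(now)
        return new_sid

    def set_attribute(self, sid: str, key: str, value: object) -> None:
        if self.get_session(sid, create=False) is None:
            raise KeyError("no live session for this id")
        self._sessions[sid].attributes[key] = value

    def get_attribute(self, sid: Optional[str], key: str) -> Optional[object]:
        # Going through get_session() means an expired or invalidated id
        # yields None rather than stale data.
        if self.get_session(sid, create=False) is None:
            return None
        return self._sessions[sid].attributes.get(key)

    def invalidate(self, sid: Optional[str]) -> None:
        """HttpSession.invalidate(): discard server-side state on sign-out."""
        if sid:
            self._sessions.pop(sid, None)

    def login(self, pre_login_sid: Optional[str], staff_no: str) -> str:
        """After the credential check succeeds, issue a NEW id and discard
        the old one. This defeats session fixation: an id an attacker planted
        in the victim's browser before login never becomes authenticated."""
        self.invalidate(pre_login_sid)
        sid = self.get_session(None)
        self.set_attribute(sid, "staff_no", staff_no)
        return sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie line for the id. HttpOnly keeps script (XSS) from reading
    it, Secure keeps it off plain HTTP, SameSite=Lax blocks most cross-site
    request forgery."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.get_session(None)          # first request: container creates a session
    authed = store.login(anon, "100234")    # login succeeded: id rotated
    print(set_cookie_header(authed))
    print("staff_no ->", store.get_attribute(authed, "staff_no"))
    print("pre-login id still valid?", store.get_session(anon, create=False) is not None)
    store.invalidate(authed)                # sign out
    print("after sign-out ->", store.get_attribute(authed, "staff_no"))
```

The pre-login id printed as no longer valid is the fixation defence in action; in a servlet the same effect is obtained with session.invalidate() followed by request.getSession(true) once the staff number and password have been verified.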
SCOPE
Project 1 aims at developing a secured Contract Monitoring System using:
SQL Injection Prevention
Cross Site Scripting (XSS) Prevention
Session Management
Redesigning the Contract Monitoring System in order to make it more
presentable and accessible.
Objective
The objective of the project is to design and develop a secured Contract Monitoring
System that provides:
SQL Injection Prevention using PreparedStatements within the code
Cross-Site Scripting (XSS) prevention using the fn:escapeXml() EL function when
(re)displaying user-controlled input
Session Management that binds objects to the HttpSession instance and retrieves
them using the setAttribute and getAttribute methods.
Development Tools
Platform (OS): Windows 10 Home Edition
Database: Oracle 12c
Database Connection: JDBC
Vulnerability Testing Tool: OWASP Zed Attack Proxy
Software Used:
Notepad++
Apache Tomcat 7.0
JDK 1.8 and JRE 8
System Specification
The hardware requirements are the components that provide the configuration for
development of the project. The minimum hardware requirements for development
of this project are:
Hard Disk: Minimum: 5 GB
Processor: Intel Core Dual Core
RAM: 128 MB
OS: Windows 98 or Linux
A Steady Internet Connection
These are the minimum hardware requirement required for our project. We want the
project to be used in any type of computer therefore we have taken minimum
configurations. 128 MB RAM and 5 GB Hard Disk space is used so that we can
execute and store project in least possible space.
Software Requirement
Software can be defined as an interface between the user and a computer. Software
needed for the development of this project is:
Operating System: Any platform with Internet enabled web browser
Apache Tomcat: Apache Tomcat, often referred to as Tomcat, is an open-
source web server developed by the Apache Software Foundation (ASF).
Tomcat implements several Java EE specifications including Java Servlet,
JavaServer Pages (JSP), Java EL, and WebSocket, and provides a "pure Java"
HTTP web server environment in which Java code can run.
Working Procedure
UML(Activity Diagram) of Contract Monitoring System
User Manual of Contract Monitoring System
User Guide for Admin User of BHEL
1. Steps to Enter New WO_Nos
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Where You see a list of items with the first option being EDIT/ENTER
WO_Nos, Click on it.
4. A second list appears, with two options, Click on Enter New WO_No.
5. Fill Up required information and Save the details using Save button.
6. Where You have options to enter next data or sign out.
2. Steps to Enter Contract with existing WO_Nos
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Where You see a list of items with the first option being EDIT/ENTER
WO_Nos, Click on it.
4. A second list appears, with two options, Click on Enter Contract with Existing
WO_No.
5. Select the Vendor and P_NO.
6. Fill Up required information and Save the details using Save button.
7. Where You have options to enter next data or sign out.
3. Enter HOD Information
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on EDIT/ENTER HOD information
4. Click on Enter HOD Information
5. Click on Insert to insert HOD details then Press Save to save the Details.
4. Update or Delete HOD Information
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on EDIT/ENTER HOD information
4. Click on Enter HOD Information
5. Click on Select Department
6. Click on Select Site Name
7. Click on UPDATE HOD details or DELETE to delete HOD information
5. To Delete Data.
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on Delete Data option
4. Choose Vendor Name
5. Select PO_NO
6. Fill Up details and then click DELETE to delete the information.
7. Click DELETE NEXT DATA to delete next Data or Sign Out
6. To View SITE WISE VIEW REPORT
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on Site wise view Report
7. To View HOD INFORMATION
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on VIEW HOD Information
8. To View Vendor Wise Report
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on View Vendor Wise
5. Select the Vendor and click SUBMIT
9. To View Project Wise Report
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on View Project Wise
5. Select the Project site and click SUBMIT
10. To View Specific Date Wise Report
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on View Specific Wise
5. Select start and end dates and click SUBMIT
11. To View Project and Department Wise Report
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on View Project and Department Wise
5. Select Project Site Name and Department Name and click SUBMIT
12. To View Vendor Wise EMAIL Information
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on Total Email Reminder Report
User Guide for Employee
1. To View SITE WISE VIEW REPORT
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on Site wise view Report
2. To View HOD INFORMATION
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on VIEW HOD Information
3. To View Vendor Wise Report
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on View Vendor Wise
5. Select the Vendor and click SUBMIT
4. To View Project Wise Report
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on View Project Wise
5. Select the Project site and click SUBMIT
5. To View Specific Date Wise Report
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on View Specific Wise
5. Select start and end dates and click SUBMIT
6. To View Project and Department Wise Report
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on View Project and Department Wise
5. Select Project Site Name and Department Name and click SUBMIT
7. To View Vendor Wise EMAIL Information
1. Open the Website of BHEL Contract Monitoring System.
2. Enter STAFF NUMBER and PASSWORD
3. Click on VIEW REPORT
4. Click on Total Email Reminder Report
Project 2
Introduction
Active Directory Domain Services (AD DS)
The Active Directory Domain Services (AD DS) directory service is the distributed
directory service that is included with Microsoft Windows Server operating systems.
AD DS enables centralized, secure management of an entire network, which might
span a building, a city, or multiple locations throughout the world.
AD DS includes the following:
AD DS on a Windows Server Network
Active Directory Lightweight Directory Services (AD LDS)
Structure and Storage Technologies
Domain Controller Roles
Replication Technologies
Search and Publication Technologies
Installation, Upgrade, and Migration Technologies
In distributed computing environments, networked computers and other devices
communicate over remote connections to accomplish tasks through client/server
applications. Distributed environments require a central repository of information and
integrated services that provide the means to manage network users, services, devices,
and additional information that administrators want to store. Organizations operating a
distributed environment need to have a way to manage network resources and
services. As the organization grows, the need for a secure and centralized management
system becomes more critical. A directory service provides a centralized location to
store information in a distributed environment about networked devices and services
and the people who use them. A directory service also implements the services that
make this information available to users, computers, and applications. A directory
service is both a database storage system (directory store) and a set of services that
provide the means to securely add, modify, delete, and locate data in the directory
store.
AD DS is typically used for one of three purposes:
Internal directory. Used within the corporate network for publishing
information about users and resources within the enterprise. A company’s
internal directory may be accessible to employees when they are outside the
company network using a secure connection such as a virtual private network
(VPN) connection, but it is not accessible to non-employees.
External directory. These are directories typically located on servers in the
perimeter network or demilitarized zone (DMZ) at the boundary between the
corporate local area network (LAN) and the public Internet. External
directories are typically used to store information about customers, clients, and
business partners who access external applications or services. They are also
made available to customers, clients, and business partners to provide them
with selected business information such as catalogs and so on.
Application directory. Application directories store "private" directory data that
is relevant only to the application, in a local directory, perhaps on the same
server as the application, without requiring any additional configuration of
Active Directory. For example, a portal's personalization data, which is of interest
only to the portal application and does not need to be widely replicated, can be
stored solely in the directory associated with the application. This reduces
replication traffic on the network between domain controllers.
AD DS on a Windows Server Network
AD DS is the information hub of the operating system. The following figure shows
AD DS as the focal point of the Windows Server network, used to manage identities
and broker relationships between distributed resources so they can work together.
[Figure: Active Directory on a Windows Server Network]
Structure and Storage Technologies
AD DS uses domains and forests to represent the logical structure of the directory
hierarchy. Domains are used to manage the various populations of users, computers,
and network resources in your enterprise. The forest represents the security boundary
for AD DS. Within domains you can create organizational units to subdivide the
various divisions of administration.
The logical structure of AD DS includes a two‐dimensional definition that can be
viewed as a hierarchy, even though the objects themselves are stored in a flat database
file. In addition to its own name, each object stores the name of the container directly
above it in the hierarchy. That container object stores the name of its superior
container, and so on, up to the root container. In this way, a logical structure is
imposed that can be viewed by using AD DS tools as a tree of containers. By virtue of
a hierarchical naming system, the objects in the tree appear to be nested inside
(contained by) other objects.
The AD DS schema defines the types of objects that are available to the directory
service. The schema is stored in the schema partition, which is also defined as an
object in the directory. The attributes and classes in AD DS are stored in the schema
partition as directory objects called schema objects. Administrators can add their
own classes or attributes to an existing object type; however, the default schema
provides all of the classes and attributes that AD DS needs to function.
AD DS uses objects to store and reference data in the directory. The AD DS database
file (Ntds.dit) provides the physical storage of all AD DS objects for a single forest.
Although there is a single directory, some directory data is stored within domains
while other data is distributed throughout the forest, without regard for domain
boundaries. Beginning with Windows Server 2003, data can also be distributed to
domain controllers according to applications that use the data, where the scope of
distribution can be set according to the needs of the application.
Any updates made to data in the directory are automatically distributed to the
appropriate domain controllers by means of AD DS replication. By replicating data
according to directory partitions, AD DS provides a data repository that is logically
centralized (maintains a single point of administration) but physically distributed (is
synchronized on multiple domain controllers throughout the network).
Replication Technologies
Objects in the directory are distributed among the domain controllers in a forest, and
all domain controllers can be updated directly. AD DS replication is the process by
which the changes that are made on one domain controller are automatically
synchronized with other domain controllers. Data integrity is maintained by tracking
changes on each domain controller and updating other domain controllers in a
systematic way. By default, AD DS replication uses a connection topology that is
created automatically. This replication topology makes optimal use of physical
network connections and frees administrators from having to determine which domain
controllers replicate with one another. The replication topology can also be created
manually. AD DS replication is designed to maximize directory consistency and
minimize the impact to network traffic.
Domain Controller Roles
A domain controller is a server that has the AD DS server role installed.
When you install Windows Server on a computer, you can choose to configure a
server role for that computer. When you want to create a new forest, a new domain, or
an additional domain controller in an existing domain, you configure the server as a
domain controller by installing AD DS.
By default, a domain controller stores one domain directory partition consisting of
information about the domain in which it is located, plus the schema and configuration
directory partitions for the entire forest. A domain controller can also store one or
more application directory partitions.
Whereas every domain controller stores the objects for only one domain, a domain
controller that is designated as a global catalog server stores the objects from all
domains in the forest. For each object that is not in the domain for which the global
catalog server is authoritative as a domain controller, a limited set of attributes is
stored in a partial replica of a corresponding domain. The partial replicas on a global
catalog server are not writable — you cannot update an object in a partial replica on a
global catalog server, but only on a domain controller that stores a full replica. Thus a
global catalog server stores its own full, writable domain replica (all objects and all
attributes) plus a partial, read-only replica of every other domain in the forest. The
attributes that are replicated to the global catalog servers are the attributes that are
most likely to be used to search for the object in AD DS. These attributes are
identified by default in the schema as being included in the partial attribute set of the
global catalog.
The global catalog makes it possible for clients to search AD DS without having to be
referred from server to server until the domain controller that has the domain that
stores the requested object is found. By default, AD DS searches are directed to global
catalog servers. The first domain controller in a forest is automatically created as a
global catalog server. Thereafter, you can designate other domain controllers to be
global catalog servers if they are needed.
All domain controllers can receive updates to any writable object that they store (with
the exception of schema updates, which can be made only on the one domain
controller in the forest that has the role of schema master). The day-to-day operations
that are associated with managing users, groups, and computers are typically
multimaster operations — that is, changes to these objects can be made on any domain
controller. When a client application updates an object on a domain controller, the
domain controller automatically replicates the change to all other domain controllers
in the same domain if the change is a domain change or to all other domain controllers
in the forest if the change is a configuration or schema change.
There are some operations, however, that are not performed as multimaster operations
because they must occur at only one place and time. For these operations, there are
specially designated domain controllers that manage the operations singly. Some
master operations, required at the forest level, include the schema master and the
domain naming master. Others, required at the domain level, include the PDC
emulator, RID master and infrastructure master. Domain controllers that hold these
special roles are called operations masters.
Search and Publication Technologies
Successful operation of an AD DS forest depends on clients and services being able to
locate domain controllers. The success of domain controller location depends on the
registration of information in DNS and the availability of that information. AD DS
uses DNS to locate networked computers by resolving computer names to IP
addresses. The Net Logon service on domain clients and domain controllers interacts
with Windows server application programming interfaces (APIs) and DNS to provide
a domain controller locator service (Locator). Locator finds requested service-specific
and site‐specific domain controllers.
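The DNS registration and Locator lookup described above can be checked from any domain-joined host. This is an added example, not part of the report: it assumes nslookup.exe and nltest.exe (both ship with Windows Server 2008) and defaults $DomainName to the host's own domain.

```powershell
# Added example, not from the report: verify that the domain's domain controllers
# are registered in DNS and that the Net Logon Locator can actually find one.
# Assumes nslookup.exe and nltest.exe and a domain-joined host.
param(
    [string]$DomainName = $env:USERDNSDOMAIN   # assumption: run on a domain member
)

function Get-DcSrvRecords {
    # Locator's first step is a DNS query for the SRV record set
    # _ldap._tcp.dc._msdcs.<domain>; every DC registers itself there via Net Logon.
    param([string]$Domain)
    $name  = "_ldap._tcp.dc._msdcs.$Domain"
    $lines = & nslookup.exe -type=SRV $name 2>$null
    $hosts = @()
    foreach ($line in $lines) {
        # Windows nslookup prints one "svr hostname = dc.fqdn" line per SRV record
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $hosts += $Matches[1].TrimEnd('.') }
    }
    return $hosts
}

function Get-LocatedDc {
    # Ask Net Logon (the Locator itself) for a DC; /force bypasses the cached answer
    # so the request really goes through DNS.
    param([string]$Domain)
    $lines = & nltest.exe /dsgetdc:$Domain /force 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    $result = New-Object PSObject -Property @{ Name = $null; Site = $null; Flags = $null }
    foreach ($line in $lines) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)')        { $result.Name  = $Matches[1] }
        if ($line -match '^\s*Dc Site Name:\s*(\S+)')  { $result.Site  = $Matches[1] }
        if ($line -match '^\s*Flags:\s*(.+)$')         { $result.Flags = $Matches[1].Trim() }
    }
    return $result
}

function Test-DcLocation {
    param([string]$Domain)
    $srv = @(Get-DcSrvRecords -Domain $Domain)
    $dc  = Get-LocatedDc -Domain $Domain
    if ($srv.Count -eq 0) {
        Write-Warning "No _ldap._tcp.dc._msdcs SRV records found for $Domain; DCs are not registered in DNS."
    }
    if ($dc -eq $null) {
        Write-Warning "Locator could not find a domain controller for $Domain."
        return $false
    }
    # A DC that Locator returns but DNS does not list points at a stale Locator cache
    # or at a DC whose Net Logon DNS registration failed.
    if ($srv -notcontains $dc.Name) {
        Write-Warning "$($dc.Name) was returned by Locator but has no SRV record in DNS."
    }
    Write-Host "Located DC: $($dc.Name) in site $($dc.Site) ($($dc.Flags))"
    return $true
}

Test-DcLocation -Domain $DomainName
```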
After a domain controller has been located, LDAP is used to retrieve information from
the directory. AD DS stores objects that provide information about the real objects
that exist in an organization’s network and that are associated with one or more
domains, such as users, specific groups of users, computers, applications, services,
files, and distribution lists. AD DS makes this information available to administrators,
network users, and applications throughout the organization through LDAP. LDAP
enables clients to query, create, update, and delete information stored in a directory
service. The LDAP protocol is the AD DS core protocol, and is the preferred and most
common way of interacting with AD DS.
The creation, storage, and maintenance of information in AD DS is called service
publication. Directory‐enabled services and applications can publish globally useful
information, such as service availability and properties, in AD DS. This allows client
processes to find and connect to any directory‐enabled service as needed, and network
clients and administrators to find, connect to, and manage services.
Installation, Upgrade, and Migration Technologies
The installation or removal of AD DS is performed by the Active Directory
Installation Wizard. Before installing AD DS on a server, the wizard will verify that
the server is eligible to run AD DS. After the prerequisites have been met, a user
interface is used to gather information specific to the environment in which AD DS
will be installed. Finally, the wizard configures the directory service, making the
server a domain controller.
Part of the directory configuration process includes configuring the AD DS schema.
The schema contains a master list of all classes (object types) and attributes that can
be used in the directory. The Active Directory Preparation Tool (ADPrep) is used to
prepare an AD DS forest and domain for a newer version of the directory service. One
of several tasks accomplished by ADPrep is updating the AD DS schema. If you do
not prepare your AD DS infrastructure, the upgrade will fail.
After installing or upgrading AD DS, you can enable the appropriate domain or forest
functional level based on an assessment of your current environment. The functional
level of a domain or forest defines the set of advanced AD DS features that are
available in that domain or forest. The functional level of a domain or forest also
defines the set of Windows operating systems that can run on the domain controllers
in that domain or forest. Functional levels provide configuration support for the AD
DS features and ensure compatibility with domain controllers running earlier
operating systems.
Depending on the design of your environment, you might opt to restructure it instead
of upgrading. For example, if your Windows NT 4.0 environment consists of multiple
domains, rather than upgrading each domain it might be more productive to
restructure the environment by consolidating some of those domains. Or if your
Windows 2000 environment was poorly designed and you are upgrading your
environment to Windows Server 2003, it might benefit you to restructure your
existing environment before or after the upgrade takes place. You can perform either
of these tasks by using the Active Directory Migration Tool (ADMT). ADMT
includes wizards that automate migration tasks such as copying users, groups, and
service accounts; moving computers; migrating trusts; and performing security
translation. When you use ADMT to restructure Windows NT 4.0 domains, ADMT
copies the accounts that are migrated, so that when the accounts are created in the
target domain, they continue to exist in the source domain. The primary security
identifiers (SIDs) for the accounts can be migrated to the SID history in the target
domain. SID history maintains resource permissions when you migrate accounts, thus
enabling access to resources in the source domain.
Another method for restructuring an AD DS environment is to rename a domain. You
can use the domain rename process to change the names of your domains, and you can
also use it to change the structure of the domain trees in your forest. This process
involves updating the Domain Name System (DNS) and trust infrastructures as well as
Group Policy and service principal names (SPNs).
The ability to rename domains provides you with the flexibility to make important
name changes and forest structural changes as the needs of your organization change.
Using domain rename, you can not only change the name of a domain, but you can
change the structure of the domain hierarchy and change the parent of a domain or
move a domain located in one domain tree to another domain tree.
Operations Masters
Domain controllers that hold operations master roles are designated to perform
specific tasks to ensure consistency and to eliminate the potential for conflicting
entries in the Active Directory database. AD DS defines five operations master roles:
the schema master, domain naming master, relative identifier (RID) master, primary
domain controller (PDC) emulator, and infrastructure master.
The following operations masters perform operations that must occur on only one
domain controller in the forest:
Schema master
Domain naming master
The following operations masters perform operations that must occur on only one
domain controller in a domain:
Primary Domain Controller (PDC) emulator
Infrastructure master
Relative ID (RID) master
A Primary Domain Controller (PDC) is a server computer in a Windows domain. A
domain is a network of logically grouped computers to which access is controlled by
the PDC. Various account types exist in the domain; the most basic is the "guest" or
"anonymous login" account. The PDC has an administration account which has
total control of the domain resources.
Flexible Single Master Operation Roles (FSMO)
Active Directory has five special roles which are vital for the smooth running of AD
as a multimaster system. Some functions of AD require an authoritative master to
which all Domain Controllers can refer. These roles are installed automatically and
there is normally very little reason to move them; however, if you decommission a DC
and DCPROMO fails to run correctly, or a DC suffers a catastrophic failure, you will
need to know about these roles to recover or transfer them to another DC.
The forest wide roles must appear once per forest, the domain wide roles must appear
once per domain.
The Roles
There are five FSMO roles, two per forest, three in every Domain. A brief summary
of each role is below.
Forest Wide Roles:
Schema Master
The schema is shared between every Tree and Domain in a forest and must
be consistent between all objects. The schema master controls all updates
and modifications to the schema.
Domain Naming
When a new Domain is added to a forest the name must be unique within
the forest. The Domain naming master must be available when adding or
removing a Domain in a forest.
Domain Wide Roles:
Relative ID (RID) Master
Allocates RIDs to DCs within a Domain. When an object such as a user,
group or computer is created in AD it is given a SID. The SID consists of a
Domain SID (which is the same for all SIDs created in the domain) and a
RID which is unique within the Domain.
When moving objects between domains you must start the move on the
DC which is the RID master of the domain that currently holds the object.
PDC Emulator
The PDC emulator acts as a Windows NT PDC for backwards
compatibility; it can process updates to a BDC.
It is also responsible for time synchronising within a domain.
It is also the password master (for want of a better term) for a domain. Any
password change is replicated to the PDC emulator as soon as is practical.
If a logon request fails due to a bad password the logon request is passed to
the PDC emulator to check the password before rejecting the login request.
Infrastructure Master
The infrastructure master is responsible for updating references from
objects in its domain to objects in other domains. The global catalogue is
used to compare data as it receives regular updates for all objects in all
domains.
Any change to user-group references is updated by the infrastructure
master. For example, if you rename or move a group member and the
member is in a different domain from the group, the group will temporarily
appear not to contain that member.
Viewing and Transferring Roles
The roles can be viewed and transferred in the GUI or from the command line.
GUI View
Schema Master
To view the schema you must first register the schema management DLL with Windows.
To do this enter the following in the Run dialog of the Start menu.
regsvr32 schmmgmt.dll
Once you have done this the Active Directory Schema MMC snap-in will be available.
Active Directory Domains and Trusts
The Domain naming master can be viewed and transferred from here.
Active Directory User and Computers
The RID, PDC emulator and Infrastructure master roles can be viewed and transferred
from here.
NTDSUTIL
NTDSUTIL provides FSMO maintenance and the option to seize a role (covered in
the FSMO Role Failure section below).
To transfer a role using ntdsutil, use the example below as a template for all the roles.
Open a command prompt
Enter ntdsutil
At the ntdsutil command prompt enter roles
At the fsmo maintenance prompt enter connection
At the server connections prompt enter connect to server domaincontrollername
At the server connections prompt enter quit
At the fsmo maintenance prompt enter transfer schema master
Quit from the console
FSMO Role Failure
Some of the operations master roles are essential for AD functionality; others can be
unavailable for a while before their absence will be noticed. Normally it is not the
failure of the role but rather the failure of the DC on which the role is running.
If a DC fails which is a role holder you can seize the role on another DC, but you
should always try and transfer the role first.
Before seizing a role you need to assess the duration of the outage of the DC which is
holding the role. If it is likely to be a short outage due to a temporary power or
network issue then you would probably want to wait rather than seize the role.
Schema Master Failure
In most cases the loss of the schema master will not affect network users and
only affect Admins if modifications to the schema are required. You should
however only seize this role when the failure of the existing holder is
considered permanent.
Domain Naming Master Failure
Temporary loss of this role holder will not be noticeable to network users.
Domain Admins will only notice the loss if they try and add or remove a
domain in the forest. You should however only seize this role when the failure
of the existing holder is considered permanent.
RID Master Failure
Temporary loss of this role holder will not be noticeable to network users.
Domain Admins will only notice the loss if a domain they are creating objects
in runs out of relative IDs (RIDs). You should however only seize this role
when the failure of the existing holder is considered permanent.
PDC Emulator Master Failure
Network users will notice the loss of the PDC emulator. If the DC with this role
fails you may need to immediately seize this role. Only pre-Windows 2000
clients and NT4 BDCs will be affected.
If you seize the role and return the original DC to the network you can transfer
the role back.
Infrastructure Master Failure
Temporary loss of this role holder will not be noticeable to network users.
Administrators will not notice the role loss unless they are or have recently
moved or renamed large numbers of accounts.
If you are required to seize the role do not seize it to a DC which is a global
catalogue server unless all DCs are global catalogue servers.
If you seize the role and return the original DC to the network you can transfer
the role back.
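The role inventory, the transfer-versus-seize distinction, and the warning above about seizing the infrastructure master onto a global catalogue server can be put into one health check. This is an added example, not the report's own material; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT, not Server 2008 RTM) and a session with rights to read the directory.

```powershell
# Added example, not from the report: list the five FSMO role holders, check that
# each answers, flag an infrastructure master that is also a GC while other DCs
# are not, and wrap transfer/seize in one helper.
# Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @(
        New-Object PSObject -Property @{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
        New-Object PSObject -Property @{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
        New-Object PSObject -Property @{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
        New-Object PSObject -Property @{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
        New-Object PSObject -Property @{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
    )
}

function Test-FsmoHealth {
    $dcs   = @(Get-ADDomainController -Filter *)
    # The GC placement rule only matters when at least one DC is not a GC.
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    foreach ($r in Get-FsmoRoleHolders) {
        $reachable = Test-Connection -ComputerName $r.Holder -Count 1 -Quiet
        $note = ''
        if ($r.Role -eq 'InfrastructureMaster' -and -not $allGc) {
            $holder = $dcs | Where-Object { $_.HostName -eq $r.Holder }
            if ($holder -and $holder.IsGlobalCatalog) {
                $note = 'infrastructure master is a GC while other DCs are not; cross-domain references will not be updated'
            }
        }
        New-Object PSObject -Property @{
            Scope = $r.Scope; Role = $r.Role; Holder = $r.Holder; Reachable = $reachable; Note = $note
        }
    }
}

function Move-FsmoRole {
    # Transfer while the current holder is online; seize (-Force) only when its
    # failure is considered permanent, as the section above recommends.
    param([string]$Role, [string]$TargetDc, [switch]$Seize)
    if ($Seize) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
    }
}

Test-FsmoHealth | Format-Table Scope, Role, Holder, Reachable, Note -AutoSize
```

Run Test-FsmoHealth first; only call Move-FsmoRole with -Seize for a holder that is unreachable and not expected back.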
Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that
automatically provides an Internet Protocol (IP) host with its IP address and other
related configuration information such as the subnet mask and default gateway. RFCs
2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard
based on Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many
implementation details. DHCP allows hosts to obtain required TCP/IP configuration
information from a DHCP server.
Why use DHCP?
Every device on a TCP/IP‐based network must have a unique unicast IP address to
access the network and its resources. Without DHCP, IP addresses for new computers
or computers that are moved from one subnet to another must be configured manually;
IP addresses for computers that are removed from the network must be manually
reclaimed.
With DHCP, this entire process is automated and managed centrally. The DHCP
server maintains a pool of IP addresses and leases an address to any DHCP enabled
client when it starts up on the network. Because the IP addresses are dynamic (leased)
rather than static (permanently assigned), addresses no longer in use are automatically
returned to the pool for reallocation.
The network administrator establishes DHCP servers that maintain TCP/IP
configuration information and provide address configuration to DHCP‐enabled clients
in the form of a lease offer. The DHCP server stores the configuration information in a
database that includes:
Valid TCP/IP configuration parameters for all clients on the network.
Valid IP addresses, maintained in a pool for assignment to clients, as well as
excluded addresses.
Reserved IP addresses associated with particular DHCP clients. This allows
consistent assignment of a single IP address to a single DHCP client.
The lease duration, or the length of time for which the IP address can be used
before a lease renewal is required.
A DHCP‐enabled client, upon accepting a lease offer, receives:
A valid IP address for the subnet to which it is connecting.
Requested DHCP options, which are additional parameters that a DHCP server
is configured to assign to clients. Some examples of DHCP options are
Router (default gateway), DNS Servers, and DNS Domain Name.
Benefits of DHCP
In Windows Server 2008, the DHCP Server service provides the following benefits:
Reliable IP address configuration. DHCP minimizes configuration errors
caused by manual IP address configuration, such as typographical errors, or
address conflicts caused by the assignment of an IP address to more than one
computer at the same time.
Reduced network administration. DHCP includes the following features to
reduce network administration:
o Centralized and automated TCP/IP configuration.
o The ability to define TCP/IP configurations from a central location.
o The ability to assign a full range of additional TCP/IP configuration
values by means of DHCP options.
o The efficient handling of IP address changes for clients that must be
updated frequently, such as those for portable computers that move to
different locations on a wireless network.
o The forwarding of initial DHCP messages by using a DHCP relay agent,
which eliminates the need for a DHCP server on every subnet.
Domain Name System (DNS)
The Domain Name System (DNS) is a hierarchical decentralized naming system for
computers, services, or any resource connected to the Internet or a private network. It
associates various information with domain names assigned to each of the
participating entities. Most prominently, it translates more readily memorized domain
names to the numerical IP addresses needed for the purpose of locating and
identifying computer services and devices with the underlying network protocols. By
providing a worldwide, distributed directory service, the Domain Name System is an
essential component of the functionality of the Internet.
The Domain Name System delegates the responsibility of assigning domain names
and mapping those names to Internet resources by designating authoritative name
servers for each domain. Network administrators may delegate authority over
subdomains of their allocated name space to other name servers. This mechanism
provides distributed and fault tolerant service and was designed to avoid a single large
central database.
The Domain Name System also specifies the technical functionality of the database
service which is at its core.
It defines the DNS protocol, a detailed specification of the data structures and data
communication exchanges used in the DNS, as part of the Internet Protocol Suite.
Historically, other directory services preceding DNS were not scalable to large or
global directories as they were originally based on text files, prominently the
HOSTS.TXT resolver. The Domain Name System has been in use since the 1980s.
The Internet maintains two principal namespaces, the domain name hierarchy and the
Internet Protocol (IP) address spaces. The Domain Name System maintains the
domain name hierarchy and provides translation services between it and the address
spaces. Internet name servers and a communication protocol implement the Domain
Name System. A DNS name server is a server that stores the DNS records for a
domain; a DNS name server responds with answers to queries against its database.
The most common types of records stored in the DNS database are for Start of
Authority (SOA), IP addresses (A and AAAA), SMTP mail exchangers (MX), name
servers (NS), pointers for reverse DNS lookups (PTR), and domain name aliases
(CNAME). Although not intended to be a general purpose database, DNS can store
records for other types of data for either automatic lookups, such as DNSSEC records,
or for human queries such as responsible person (RP) records. As a general purpose
database, the DNS has also been used in combating unsolicited email (spam) by
storing a realtime blackhole list. The DNS database is traditionally stored in a
structured zone file.
Function
An often used analogy to explain the Domain Name System is that it serves as the
phone book for the Internet by translating human friendly
computer hostnames into IP addresses. For example, the domain name
www.example.com translates to the addresses 93.184.216.119 (IPv4) and
2606:2800:220:6d:26bf:1447:1097:aa7 (IPv6). Unlike a phone book, DNS can be
quickly updated, allowing a service's location on the network to change without
affecting the end users, who continue to use the same host
name. Users take advantage of this when they use meaningful Uniform Resource
Locators (URLs), and email addresses without having to know how the computer
actually locates the services.
Additionally, DNS reflects administrative partitioning. For zones operated by a
registry, also known as public suffix zones, administrative information is often
complemented by the registry's RDAP and WHOIS services. That data can be used to
gain insight on, and track responsibility for, a given host on the Internet.
An important and ubiquitous function of DNS is its central role in distributed Internet
services such as cloud services and content delivery networks. When a user accesses a
distributed Internet service using a URL, the domain name of the URL is translated to
the IP address of a server that is proximal to the user. The key functionality of DNS
exploited here is that different users can simultaneously receive different translations
for the same domain name, a key point of divergence from a traditional "phone book"
view of DNS. This process
of using DNS to assign proximal servers to users is key to providing faster response
times on the Internet and is widely used by most major Internet services today.
Setting Up Your Primary Domain Controller (PDC) With Windows Server 2008
1. If you have set up a domain controller previously with Windows 2000 Server
or Windows Server 2003, then you would be familiar with the dcpromo.exe
command; it is also used to set up a Domain Controller on Windows Server
2008. To use the command, click on Start > Run, type dcpromo and click OK.
2. The system will start checking whether the Active Directory Domain Services
(AD DS) binaries are installed, and will install them if they are not. The binaries
may already be installed if you had run the dcpromo command previously and
then canceled the operation after the binaries were installed.
3. The Active Directory Domain Services Installation Wizard will start. Either
enable the checkbox beside Use advanced mode installation and click Next,
or keep it unselected and click Next.
The following table lists the additional wizard pages that appear for each
deployment configuration when you select the Use advanced mode
installation check box.
Deployment configuration | Advanced mode installation wizard pages
New forest | Domain NetBIOS name
New domain in an existing forest | Domain NetBIOS name; Source Domain Controller
(on the Choose a Deployment Configuration page, the option to create a new
domain tree also appears only in advanced mode installation)
Additional domain controller in an existing domain | Install from Media; Source
Domain Controller; Specify Password Replication Policy (for RODC installation only)
Create an account for a read-only domain controller (RODC) installation | Specify
Password Replication Policy
Attach a server to an account for an RODC installation | Install from Media; Source
Domain Controller
4. The Operating System Compatibility page will be displayed, take a moment
to read it and click Next
5. Choose Create a new domain in a new forest, Click Next
6. Enter the Fully Qualified Domain Name of the forest root domain inside the
textbox, click Next
7. If you selected Use advanced mode installation on the Welcome page,
the Domain NetBIOS Name page appears. On this page, type the NetBIOS
name of the domain if necessary or accept the default name and then
click Next.
8. Select the Forest Functional Level, choose the level you desire and click
on Next. Make sure to read the description of each functional level to
understand the difference between each one.
9. In the previous step, if you selected any Forest Functional Level other
than Windows Server 2008 and clicked Next, you will get a page to
select the Domain Functional Level. Select it and then click Next.
10. In the Additional Domain Controller Options page, you can select to install
the Domain Name Service on your server. Note that the first domain
controller in a forest must be a Global Catalog; that is why the checkbox beside
Global Catalog is selected and cannot be cleared. The checkbox is also
selected by default when you install an additional domain controller in an
existing domain; however, you can clear this checkbox if you do not want the
additional domain controller to be a global catalog server. The first domain
controller in a new forest or in a new domain cannot be a Read Only Domain
Controller (RODC); you can later add an RODC but you must have at least one
Windows Server 2008 Domain Controller.
I want to set my DC as a DNS Server as well, so I will keep the checkbox
beside DNS Server selected and click Next.
11. If the wizard cannot create a delegation for the DNS server, it displays a
message to indicate that you can create the delegation manually. To continue,
click Yes
12. Now you will be asked for the location where the domain controller database,
log files and SYSVOL are stored on the server.
The database stores information about the users, computers and other objects
on the network. The log files record activities that are related to AD DS, such
as information about an object being updated. SYSVOL stores Group Policy
objects and scripts. By default, SYSVOL is part of the operating system files in
the Windows directory.
Either type or browse to the volume and folder where you want to store each,
or accept the defaults and click Next.
13. On the Directory Services Restore Mode Administrator Password (DSRM)
page, type a password and confirm it. This password is used when the domain
controller is started in Directory Services Restore Mode, which might be
because Active Directory Domain Services is not running, or for tasks that
must be performed offline.
Make sure that you record this password somewhere safe; many administrators
find they have forgotten it at the moment they need it. It belongs to the local
Administrator account of this DC, is independent of the domain Administrator
password, and can be reset later from the running DC with ntdsutil (set dsrm
password, then reset password on server null).
Make sure the password meets the password complexity requirements of the
password policy, that is, a password that contains a combination of uppercase
and lowercase letters, numbers, and symbols; otherwise the wizard rejects it
with an error message.
14. A Summary page will be displayed showing all the settings that you have
chosen. It gives you the option to export these settings into an answer file for
use with unattended installations; if you want such a file, click the Export
settings button and save the file.
15. DNS Installation will start
16. Followed by installing Group Policy Management Console, the system will
check first if it is installed or not.
17. Configuring the local computer to host active directory Domain Services and
other operations will take place setting up this server as a Domain Controller
18. Active Directory Domain Services installation will be completed,
click Finish, then click on Restart Now to restart your server for the changes to
take effect.
19. Once the server has rebooted and you log on to it, click Start > Administrative
Tools; you will notice that the following have been installed:
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
ADSI Edit
DNS
Group Policy Management
Summary
Setting up a Domain Controller in Windows Server 2008 to install Active Directory
Domain Services is performed by running the dcpromo command. It has some new
options such as Advanced Mode Installation and exporting the settings to an answer
file for unattended installation. The next section shows how to set up an
additional domain controller using Windows Server 2008.
Setting Up an Additional Domain Controller (ADC) with Windows Server 2008
To set up an Additional Domain Controller, I will use the dcpromo.exe command.
1. To use the command, click Start > Run, type dcpromo and click OK.
2. The system will first check whether the Active Directory Domain Services
(AD DS) binaries are installed and, if not, install them. The binaries may
already be present if you ran the dcpromo command previously and cancelled the
operation after they were installed.
3. The Active Directory Domain Services Installation Wizard will start. Either
select the checkbox beside Use advanced mode installation and click Next, or
leave it unselected and click Next.
The following table lists the additional wizard pages that appear for each
deployment configuration when you select the Use advanced mode
installation check box.
Deployment configuration: Advanced mode installation wizard pages
New forest: Domain NetBIOS name
New domain in an existing forest: On the Choose a Deployment Configuration
page, the option to create a new domain tree appears only in advanced mode
installation; Domain NetBIOS name; Source Domain Controller
Additional domain controller in an existing domain: Install from Media; Source
Domain Controller; Specify Password Replication Policy (for RODC installation
only)
Create an account for a read-only domain controller (RODC) installation:
Specify Password Replication Policy
Attach a server to an account for an RODC installation: Install from Media;
Source Domain Controller
4. The Operating System Compatibility page will be displayed, take a moment
to read it and click Next
5. On the Choose a Deployment Configuration page, click Existing forest,
click Add a domain controller to an existing domain, and then click Next.
6. On the Network Credentials page, type your domain name. My domain name
is elmajdal.net (set up in the previous section), so I will type elmajdal.net.
7. To set up an Additional Domain Controller, you need an account that is a
member of either the Enterprise Admins group or the Domain Admins group. There
are two options:
My current logged on credentials (DomainName\Username or
MachineName\Username)
Alternate credentials
If you have previously joined this server to the domain and you are currently
logged on to it with an Enterprise Admin/Domain Admin user, you can use the
first option (My current logged on credentials). As you can see, this option is
grayed out here, and the reason is shown below it: I am currently logged on
with a local user, and the machine is not a domain member. That leaves the
second option, Alternate credentials.
8. To enter the Alternate credentials, click Set. In the Windows Security dialog
box, enter the user name and password for an account that must be either a
member of the Enterprise Admins group or the Domain Admins group > then
click Next.
If you have entered a wrong username/password, you will receive the
following error message
9. On the Select a Domain page, select the domain for the Additional Domain
Controller and then click Next. Since I have only one domain, it is selected by
default.
10. On the Select a Site page, either enable the checkbox beside Use the site that
corresponds to the IP address of this computer, this will install the domain
controller in the site that corresponds to its IP address, or select a site from the
list and then click Next. If you only have one domain controller and one site,
then you will have the first option grayed and the site will be selected by
default as shown in the following image
11. On the Additional Domain Controller Options page, the DNS Server and
Global Catalog checkboxes are selected by default. You can also make your
additional domain controller a Read-only Domain Controller (RODC) by selecting
the checkbox beside it.
My primary domain controller is a DNS Server as well, which can be verified
from the additional information shown on the page: there is currently 1 DNS
server registered as an authoritative name server for this domain. I do want my
Additional DC to be a DNS server and a Global Catalog, so I will keep both
checkboxes selected. Click Next.
12. If you select the option to install DNS server in the previous step, then you
will receive a message that indicates a DNS delegation for the DNS server
could not be created and that you should manually create a DNS delegation to
the DNS server to ensure reliable name resolution. If you are installing an
additional domain controller in either the forest root domain (or a tree root
domain), you do not need to create the DNS delegation. In this case, you can
safely ignore the message and click Yes.
13. In the Install from Media page (will be displayed if you have selected Use
advanced mode installation on the Welcome page, if you didn't select it, then
skip to step # 15), you can choose to either replicate data over the network
from an existing domain controller, or specify the location of installation
media to be used to create the domain controller and configure AD DS. I want
to replicate data over the network, so I will choose the first option > click Next
14. On the Source Domain Controller page of the Active Directory Domain
Services Installation Wizard, you can select which domain controller will be
used as a source for data that must be replicated during installation, or you can
have the wizard select which domain controller will be used as the source for
this data. You have two options:
Let the wizard choose an appropriate domain controller
Use this specific domain controller
If you want to choose from the list, any domain controller can be the
installation partner. However, the following restrictions apply to the domain
controllers that can be used as an installation partner in other situations:
o A read-only domain controller (RODC) can never be an installation
partner.
o If you are installing an RODC, only a writable domain controller that
runs Windows Server 2008 can be an installation partner.
o If you are installing an additional domain controller for an existing
domain, only a domain controller for that domain can be an installation
partner.
15. Now you will specify the location where the domain controller database,
log files and SYSVOL are stored on the server.
The database stores information about the users, computers and other objects
on the network. The log files record activities that are related to AD DS, such
as information about an object being updated. SYSVOL stores Group Policy
objects and scripts. By default, SYSVOL is part of the operating system files
in the Windows directory.
Either type or browse to the volume and folder where you want to store each,
or accept the defaults and click Next.
Note: Windows Server Backup backs up the directory service by volume. For
backup and recovery efficiency, store these files on separate volumes that do
not contain applications or other nondirectory files.
16. On the Directory Services Restore Mode Administrator Password (DSRM)
page, type a password and confirm it. This password is used when the domain
controller is started in Directory Services Restore Mode, which might be
because Active Directory Domain Services is not running, or for tasks that
must be performed offline. The DSRM password is set per domain controller, so
choose and record one for this ADC separately from the first DC's.
Make sure the password meets the password complexity requirements of the
password policy, that is, a password that contains a combination of uppercase
and lowercase letters, numbers, and symbols; otherwise the wizard rejects it
with an error message.
17. A Summary page will be displayed showing all the settings that you have
chosen. It gives you the option to export these settings into an answer file to
automate subsequent AD DS operations; if you want such a file, click the Export
settings button and save it. Then click Next to begin the AD DS installation.
18. Active Directory Domain Services installation will be completed,
click Finish, then click on Restart Now to restart your server for the changes
to take effect.
Open Active Directory Users & Computers, and then click on the Domain
Controllers Organizational Unit, and you will see your Additional Domain
Controller along with your Primary Domain Controller.
Summary
Additional domain controllers improve the performance of authentication requests and
global catalog server lookups. They also help Active Directory Domain Services
(AD DS) overcome hardware, software, or administrator errors. When you add a
domain controller, information is replicated over the network.
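As an added example (not part of the report or of the wizard walkthrough it follows), the same additional-domain-controller promotion performed unattended: a dcpromo answer file carries the choices made in steps 5 to 16 above (domain, site, DNS Server, Global Catalog, database/log/SYSVOL paths, DSRM password), and a second function runs the checks that confirm the new DC is replicating. The answer-file keys are the documented dcpromo unattended-installation parameters; elmajdal.net is the domain used above, while the server name DC01.elmajdal.net, the site Default-First-Site-Name and the Administrator account are assumptions.

```powershell
# Added example, not from the report: unattended promotion of a member server to an
# additional domain controller of elmajdal.net, followed by replication checks.
# Assumed names: existing DC = DC01.elmajdal.net, site = Default-First-Site-Name.
# Run from an elevated PowerShell on Windows Server 2008 / 2008 R2.

function Install-AdcUnattended {
    param(
        [string]$Domain   = 'elmajdal.net',
        [string]$SourceDc = 'DC01.elmajdal.net',       # assumed
        [string]$Site     = 'Default-First-Site-Name'  # assumed
    )
    $answer = Join-Path $env:TEMP 'adc-unattend.txt'

    # Ask for the DSRM password at run time rather than keeping it in a script.
    $secure = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # Keys are the documented dcpromo unattend parameters. Password=* makes dcpromo
    # prompt for the domain admin credential instead of storing it in the file.
    $lines = @(
        '[DCINSTALL]',
        'ReplicaOrNewDomain=Replica',
        "ReplicaDomainDNSName=$Domain",
        "ReplicationSourceDC=$SourceDc",        # step 14: specific source DC
        "SiteName=$Site",                       # step 10
        'InstallDNS=Yes',                       # step 11: DNS Server checkbox
        'ConfirmGc=Yes',                        # step 11: Global Catalog checkbox
        'CreateDNSDelegation=No',               # step 12: not needed in the forest root
        "UserDomain=$Domain",
        'UserName=Administrator',
        'Password=*',
        'DatabasePath=%systemroot%\NTDS',       # step 15 defaults
        'LogPath=%systemroot%\NTDS',
        'SYSVOLPath=%systemroot%\SYSVOL',
        "SafeModeAdminPassword=$dsrm",          # step 16
        'RebootOnCompletion=No'                 # reboot by hand after reading the output
    )
    Set-Content -Path $answer -Value $lines -Encoding ASCII

    try {
        & dcpromo "/unattend:$answer"
    } finally {
        # The file holds the DSRM password in clear text; remove it whether or not
        # the promotion succeeded.
        Remove-Item $answer -Force -ErrorAction SilentlyContinue
    }
}

function Test-AdcReplication {
    param([string]$Domain = 'elmajdal.net')
    # Every DC registered for the domain; the new ADC must appear in this list.
    & nltest "/dclist:$Domain"
    # One line per replication partner; Fails should be 0 and Last Success recent.
    & repadmin /replsummary
    # Replication and advertising tests for the local DC.
    & dcdiag /test:replications /test:advertising
    # The ADC must also have registered its DC locator SRV records in DNS.
    & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"
}

# Install-AdcUnattended    # run first, then Restart-Computer
# Test-AdcReplication      # run after the reboot, on either DC
```

Run Install-AdcUnattended on the server to be promoted; dcpromo prompts for the domain administrator password because of Password=*. After the reboot, Test-AdcReplication should show the new DC in the nltest list, zero failures in the repadmin summary and a passing dcdiag. The answer file is deleted in the finally block because it contains the DSRM password in clear text; the file written by the wizard's Export settings button carries the same keys but leaves the passwords out for the same reason.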
Installing DHCP Server in Windows Server 2008
Installing the Windows Server 2008 DHCP Server is easy. DHCP Server is now a "role"
of Windows Server 2008, not a Windows component as it was in the past.
To do this, you will need a Windows Server 2008 system already installed and
configured with a static IP address. You will need to know your network’s IP address
range, the range of IP addresses you will want to hand out to your PC clients, your
DNS server IP addresses, and your default gateway. Additionally, you will want to
have a plan for all subnets involved, what scopes you will want to define, and what
exclusions you will want to create.
To start the DHCP installation process, click Add Roles from the Initial
Configuration Tasks window or from Server Manager > Roles > Add Roles.
Figure 1: Adding a new Role in Windows Server 2008
When the Add Roles Wizard comes up, you can click Next on that screen.
Next, select that you want to add the DHCP Server Role, and click Next.
Figure 2: Selecting the DHCP Server Role
If you do not have a static IP address assigned on your server, you will get a warning
that you should not install DHCP with a dynamic IP address.
At this point, you will begin being prompted for IP network information, scope
information, and DNS information. If you only want to install DHCP server with no
configured scopes or settings, you can just click Next through these questions and
proceed with the installation. On the other hand, you can optionally configure your
DHCP Server during this part of the installation. In my case, I chose to take this
opportunity to configure some basic IP settings and configure my first DHCP Scope. I
was shown my network connection binding and asked to verify it, like this:
Figure 3: Network connection binding
What the wizard is asking is, “what interface do you want to provide DHCP services
on?” I took the default and clicked Next.
Next, I entered my Parent Domain, Primary DNS Server, and Alternate DNS
Server (as you see below) and clicked Next.
Figure 4: Entering domain and DNS information
I opted NOT to use WINS on my network and I clicked Next.
Then, I was prompted to configure a DHCP scope for the new DHCP Server. I opted
to configure an IP address range of 192.168.1.50-192.168.1.100 to cover the 25+
PC clients on my local network. To do this, I clicked Add to add a new scope. As
you see below, I named the scope bhel, configured the starting and ending IP
addresses of 192.168.1.50 and 192.168.1.100, a subnet mask of 255.255.255.0, a
default gateway of 192.168.1.1 and the subnet type (wired), and activated the scope.
Figure 5: Adding a new DHCP Scope
Back in the Add Scope screen, I clicked Next to add the new scope (once the DHCP
Server is installed).
I chose to Disable DHCPv6 stateless mode for this server and clicked Next.
Then, I confirmed my DHCP Installation Selections (on the screen below) and
clicked Install.
Figure 6: Confirm Installation Selections
After only a few seconds, the DHCP Server was installed and I saw the window,
below:
Figure 7: Windows Server 2008 DHCP Server Installation succeeded
I clicked Close to close the installer window, then moved on to how to manage my
new DHCP Server.
How to Manage your new Windows Server 2008 DHCP Server
Like the installation, managing Windows Server 2008 DHCP Server is also easy.
Back in Server Manager on my Windows Server 2008 machine, under Roles, I clicked
on the new DHCP Server entry.
Figure 8: DHCP Server management in Server Manager
While I cannot manage the DHCP Server scopes and clients from here, what I can do
is to manage what events, services, and resources are related to the DHCP Server
installation. Thus, this is a good place to go to check the status of the DHCP Server
and what events have happened around it.
However, to really configure the DHCP Server and see what clients have obtained IP
addresses, I need to go to the DHCP Server MMC. To do this, I went to Start >
Administrative Tools > DHCP, like this:
Figure 9: Starting the DHCP Server MMC
When expanded out, the MMC offers a lot of features. Here is what it looks like:
Figure 10: The Windows Server 2008 DHCP Server MMC
The DHCP Server MMC offers IPv4 & IPv6 DHCP Server info including all scopes,
pools, leases, reservations, scope options, and server options.
If I go into the address pool and the scope options, I can see that the configuration we
made when we installed the DHCP Server did, indeed, work. The scope IP address
range is there, and so are the DNS Server & default gateway.
Figure 11: DHCP Server Address Pool
So how do we know that this really works if we do not test it? The answer is that we
do not. Now, let’s test to make sure it works.
How do we test our Windows Server 2008 DHCP Server?
To test this, I have a Windows Vista PC Client on the same network segment as the
Windows Server 2008 DHCP server. To be safe, I have no other devices on this
network segment.
I did an IPCONFIG /RELEASE then an IPCONFIG /RENEW and verified that I
received an IP address from the new DHCP server, as you can see below:
Figure 13: Vista client received IP address from new DHCP Server
Also, I went to my Windows 2008 Server and verified that the new Vista client was
listed as a client on the DHCP server. This did indeed check out, as you can see
below:
Figure 14: Win 2008 DHCP Server has the Vista client listed under Address Leases
With that, I knew that I had a working configuration, and we are done.
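The scope built through the wizard above, recreated with netsh as an added example (not part of the report) so that the same configuration can be reproduced on another server and checked afterwards. One step the wizard walkthrough does not show is also included: in an Active Directory domain a DHCP server hands out no leases until it has been authorized in the directory, which is what stops a rogue server from answering clients. The range, mask and gateway are the ones used above; the DHCP server name dhcp01.elmajdal.net and address 192.168.1.10, the DNS server 192.168.1.5, the domain elmajdal.net and the printer exclusion range are assumptions.

```powershell
# Added example, not from the report: the "bhel" scope from the wizard, created
# with netsh, then authorized and checked. Assumed values are marked.
# Requires the DHCP Server role installed and an elevated PowerShell.

$scopeNet = '192.168.1.0'
$mask     = '255.255.255.0'
$gateway  = '192.168.1.1'          # from the wizard walkthrough
$dns      = '192.168.1.5'          # assumed DNS server (the DC)
$domain   = 'elmajdal.net'         # assumed parent domain
$server   = 'dhcp01.elmajdal.net'  # assumed DHCP server name
$serverIp = '192.168.1.10'         # assumed static address of the DHCP server

function New-BhelScope {
    # Scope "bhel", same pool as the wizard: .50 to .100 on 192.168.1.0/24.
    & netsh dhcp server add scope $scopeNet $mask bhel "Wired LAN"
    & netsh dhcp server scope $scopeNet add iprange 192.168.1.50 192.168.1.100
    # Exclusion: addresses inside the pool that must never be leased
    # (assumed: printers with fixed addresses at .50 to .55).
    & netsh dhcp server scope $scopeNet add excluderange 192.168.1.50 192.168.1.55
    # Scope options: 003 router, 006 DNS servers, 015 DNS domain name.
    & netsh dhcp server scope $scopeNet set optionvalue 003 IPADDRESS $gateway
    & netsh dhcp server scope $scopeNet set optionvalue 006 IPADDRESS $dns
    & netsh dhcp server scope $scopeNet set optionvalue 015 STRING $domain
    # Activate the scope (state 1 = active).
    & netsh dhcp server scope $scopeNet set state 1
}

function Approve-DhcpServer {
    # Authorize this server in AD DS (requires Enterprise Admins membership).
    # An unauthorized server in a domain stops its DHCP service on its own.
    & netsh dhcp add server $server $serverIp
    & netsh dhcp show server                 # must list dhcp01.elmajdal.net
}

function Show-DhcpState {
    & netsh dhcp server show scope                       # scope state must be Active
    & netsh dhcp server scope $scopeNet show clients 1   # current leases with expiry
}

# On the client (the Vista PC used in the test above), then re-run Show-DhcpState:
#   ipconfig /release
#   ipconfig /renew
#   ipconfig /all | findstr /i "DHCP Server"   # must show 192.168.1.10

New-BhelScope
Approve-DhcpServer
Show-DhcpState
```

The exclusion is applied before the scope is activated so that no lease can be handed out from the excluded block in the interval between creation and exclusion. The "show server" output is the check that the Add Roles wizard's authorization step actually took: if the server is not listed, clients will not receive addresses even though the scope is active.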
Install and configure DNS Server in Windows Server 2008
Launch Server Manager by clicking Start > Administrative Tools > Server
Manager. Click Roles and then Add Roles.
Select DNS Server from the list and then click Next button.
A little introduction to DNS Server and a few useful links for further details as
shown in below image. Click Next to move on.
Click Install button.
DNS Server has been installed successfully as per below snapshot. Click Close to
finish the Add Roles Wizard.
Creating Forward Lookup Zone
Launch DNS Manager by clicking Start > Administrative Tools > DNS or type
dnsmgmt.msc in Run window (Press Windows Key + R) and press Enter.
Expand the server (e.g. WIN2008), right click Forward Lookup Zones and click
New Zone, which will launch the New Zone wizard.
Click Next on Welcome to the New Zone wizard.
Since this is our primary DNS Server for the zone select Primary zone. Then
move on by clicking Next button.
Enter the domain name for which you want to create the zone for e.g.
gopalthorve.com. Say you want to build up DNS Server for your own Windows
Server 2008 based hosting server then enter your registered domain name here
otherwise if it is for intranet only it can be anything (domain naming conventions
must be followed). The zone can also be created for subdomain e.g.
us.gopalthorve.com.
Zone File Options:
Create a new file with this file name: Enter the physical zone file name where
all zone information will be stored for this domain/subdomain. This file will be
created under %systemroot%\system32\dns. Follow standard zone file naming
convention e.g. gopalthorve.com.dns.
Use this existing file: If you already have a zone file for this domain/subdomain
then select this option and specify zone file name here. You need to put this
zone file under %systemroot%\system32\dns folder
Dynamic Update: Here you specify whether this DNS zone will accept secure,
nonsecure or no dynamic updates from clients.
Allow only secure dynamic updates (recommended for Active Directory): This
is available only for Active Directory integrated zones. Updates are
authenticated, so only domain members can register their names as resource
records pointing to their dynamic/static IP addresses, and a record can only be
changed by the account that created it.
Allow both nonsecure and secure dynamic updates: This should not be enabled,
because any host that can reach the server, authenticated or not, can add or
overwrite records in the zone and so point an existing hostname at an address
it controls.
Do not allow dynamic updates: This should be the preferred setting if you are
setting up this zone for your own hosting server. It denies dynamic updates to
the zone's resource records from all clients, and you will need to change the
records manually whenever required. We will choose this option and then move on.
Forward lookup zone has been created successfully for gopalthorve.com and
shows the summary as in below image. Click Finish to close the New Zone Wizard.
Configure Forward Lookup Zone
Right click on gopalthorve.com (forward lookup zone recently created) and then
click Properties.
Name Servers: Here we can configure nameservers for the zone gopalthorve.com.
Remove the default entry from the list.
Click Add… button to add new nameserver record.
Type the fully qualified domain name (FQDN) of the nameserver for your domain.
I am configuring my own live DNS Server and hence I entered
ns1.gopalthorve.com.
Enter the IP addresses to which ns1.gopalthorve.com will resolve to. I am
entering private IP address of my computer here for example purpose only.
Please replace it by your Public IP Address allotted by your ISP or dedicated or
VPS hosting provider.
Similarly create another nameserver record. I created it as ns2.gopalthorve.com
pointing to 192.168.0.99 (please replace it by the public IP address allotted by
your ISP or dedicated/VPS hosting provider). A second nameserver record is
required because your domain name registrar will require at least two
nameservers for pointing your domain to the DNS server we are configuring.
We are configuring both nameservers to point to the same DNS server
configured with multiple IP addresses (ns1.gopalthorve.com >> 192.168.0.98
and ns2.gopalthorve.com >> 192.168.0.99).
Click Apply to save changes.
Start of Authority (SOA)
Serial number: This is the serial number for the zone. A common convention is
YYYYMMDDNN, where YYYY is the year, MM the month, DD the day and NN a count
of how many times the zone was modified on that day. Whenever the zone data
changes, the serial number must increase (Windows DNS Server increments it
automatically when you edit the zone in the console). When a slave nameserver
contacts the master for zone data it compares its own serial number with the
master's; if its own is lower, the slave updates its zone data from the master.
Primary server: This is the FQDN of the nameserver that you want to set as the
primary nameserver for this zone. In my case it is ns1.gopalthorve.com.
Responsible person: Specify the email address of the administrator who is
responsible for maintaining this zone. The address must be given in dotted
form, e.g. hostmaster@gopalthorve.com is written as
hostmaster.gopalthorve.com. This is what other administrators use to contact
the maintainer of the zone in case of any issues.
Refresh interval: This value tells a slave nameserver how often to check that
its data for this zone is up to date. Set this to 1 day if the zone does not
change frequently; for a hosting DNS server 1 day is ideal.
Retry interval: If the slave fails to reach the master after the refresh
interval (because the master is down or unreachable), it retries at the
interval specified here. The retry interval is usually shorter than the refresh
interval, but this is not compulsory. Enter 2 hours here.
Expires after: If the slave fails to reach the master for this long, it expires
the zone, that is, the slave stops answering queries for the zone because its
copy of the data is too old. Enter 7 days here.
Minimum (default) TTL: TTL stands for Time To Live. This value is used by
resolvers as the caching time for negative responses (name does not exist)
from the authoritative nameservers. Enter 1 day here.
TTL for this record: TTL of the SOA record itself.
Click Apply to save changes.
Zone Transfers: A zone transfer copies the entire zone to the requesting server.
The best practice is not to allow just anyone to connect and transfer the zone,
since the result is a complete list of the hostnames and addresses in it; allow
only the specific servers that need it, i.e. the slave nameservers for the zone.
You can also set the server to notify those servers whenever the zone is updated.
Allow zone transfers: Enables/disables zone transfers.
To any server: Any server/client will be allowed to transfer the zone. Not
recommended.
Only to servers listed on the Name Servers tab: Zone transfers will only be
allowed to the nameservers specified under the Name Servers tab
(ns1.gopalthorve.com, ns2.gopalthorve.com). Highly recommended for DNS
servers of web hosting servers.
Only to the following servers: If you want to enter the IP addresses/FQDNs to
which zone transfers will be allowed, select this option, click the Edit button
and list them.
Notify...:
Automatically notify: Enables/disables automatic notification of zone
changes to either the nameservers listed on the Name Servers tab or the
specified IP addresses/FQDNs.
Servers listed on the Name Servers tab: Zone update notifications will only be
sent to the nameservers listed under the Name Servers tab. This is the
recommended setting.
The following servers: You can specify a list of other name servers to which
you want to send automatic notification of zone updates.
Configure DNS Server Properties
Open DNS Manager by clicking Start > Administrative Tools > DNS.
Right Click on the DNS Server for which you want to configure Properties for and
click Properties.
Interfaces: You can configure DNS Server to listen on specific interfaces/IP
Addresses or all IP addresses. If the server has multiple interfaces then you can
configure DNS Server to listen on specific interface. If the server is having only
single interface with multiple IP addresses configured then you can configure it to
listen on specific IP addresses. By default it is configured to listen on all interfaces
and all IP addresses.
Forwarders: You can add other DNS servers, for example those provided by your
ISP, to which queries are forwarded when this server does not hold a zone for
the queried domain. Forwarders are only used if recursion is enabled. They are
needed when an intranet/extranet DNS server serves a few zones and should also
resolve other DNS queries for its clients.
Advanced: You can configure some advanced aspects of the DNS server here. A
very important option to discuss is Disable recursion (also disables
forwarders). If you are setting up this DNS server to serve zones for domains
hosted on your own server (dedicated server, VPS, cloud VPS), enable Disable
recursion, which also disables forwarders; the server will then answer only for
the zones it hosts. An Internet-facing server that still recurses for anyone is
an open resolver and can be abused for cache poisoning and for DNS
reflection/amplification attacks against third parties.
Root Hints: This is the list of root name servers.
Debug Logging: For debugging purpose the debug logs can be enabled from here.
Event Logging: DNS Server events can be enabled for troubleshooting purpose.
The DNS Server listens on TCP and UDP port 53, so make sure to allow traffic on
both in Windows Firewall (UDP carries ordinary queries; TCP is needed for zone
transfers and for responses too large for UDP). Also, if the DNS server is
behind a router or firewall device, configure that device to allow connections
to the DNS server.
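The zone configured through the console above, created and hardened with dnscmd as an added example (not part of the report), so that the choices made in the New Zone wizard, the Name Servers and SOA tabs, the Zone Transfers tab, the Advanced tab and Windows Firewall are repeatable and can be audited. gopalthorve.com, ns1/ns2, 192.168.0.98/.99 and the SOA timers are the values from the walkthrough (the private addresses are to be replaced by public ones when the server goes live); the serial 2017011001 and the name of the default NS record that dnscmd /ZoneAdd creates are assumptions.

```powershell
# Added example, not from the report: gopalthorve.com as a primary, file-backed
# hosting zone built with dnscmd. Run from an elevated PowerShell on the DNS
# server itself (Windows Server 2008 / 2008 R2). Assumed values are marked.

$zone = 'gopalthorve.com'

function New-HostingZone {
    # Primary zone stored in %systemroot%\system32\dns\gopalthorve.com.dns.
    & dnscmd /ZoneAdd $zone /Primary /file "$zone.dns"
    # AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
    # A public hosting zone takes no dynamic updates at all.
    & dnscmd /Config $zone /AllowUpdate 0
}

function Set-ZoneAuthority {
    # Glue A records for the two name servers, then the NS records themselves.
    & dnscmd /RecordAdd $zone ns1 A 192.168.0.98
    & dnscmd /RecordAdd $zone ns2 A 192.168.0.99
    & dnscmd /RecordAdd $zone '@' NS "ns1.$zone."
    & dnscmd /RecordAdd $zone '@' NS "ns2.$zone."
    # ZoneAdd also creates an NS record named after this server; remove it, as
    # the walkthrough does in the Name Servers tab. $defaultNs is an assumption:
    # read the real name from "dnscmd /ZoneInfo" or the console first.
    $defaultNs = "$env:COMPUTERNAME."
    & dnscmd /RecordDelete $zone '@' NS $defaultNs /f
    # SOA: primary server, responsible person (dotted form), serial YYYYMMDDNN,
    # refresh 1 day, retry 2 hours, expire 7 days, minimum (negative) TTL 1 day.
    & dnscmd /RecordAdd $zone '@' SOA "ns1.$zone." "hostmaster.$zone." 2017011001 86400 7200 604800 86400
}

function Protect-Zone {
    # Transfers only to the servers on the Name Servers tab, and notify them of
    # changes. /NoXfr would disable transfers entirely; /NonSecure (to any server)
    # hands a full host list to anyone who asks.
    & dnscmd /ZoneResetSecondaries $zone /SecureNs /Notify
    # Authoritative-only server: refuse recursion (this also disables forwarders),
    # so the server cannot be used as an open resolver.
    & dnscmd /Config /NoRecursion 1
    # Port 53 on both protocols: UDP for queries, TCP for transfers and large answers.
    & netsh advfirewall firewall add rule name=DNS-UDP-53 dir=in action=allow protocol=UDP localport=53
    & netsh advfirewall firewall add rule name=DNS-TCP-53 dir=in action=allow protocol=TCP localport=53
}

function Test-Zone {
    & dnscmd /ZoneInfo $zone          # confirm AllowUpdate = 0 and SecureSecondaries = 1
    & nslookup -type=SOA $zone 127.0.0.1
    & nslookup -type=NS $zone 127.0.0.1
}

New-HostingZone
Set-ZoneAuthority
Protect-Zone
Test-Zone
```

The order matters: the NS and A records go in before the default NS record is deleted so the zone is never left without a name server, and recursion is switched off last because the ZoneInfo and nslookup checks only need the local zone. To confirm the transfer restriction from outside, run a zone transfer request from a host that is not on the Name Servers tab; it must be refused.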
Register Name Servers at Domain Name Registrar
If you have a registered domain name and want to host DNS services for the domain
on the DNS Server you recently configured then you have to create child name server
at your Domain Name Registrar. If you have administrative control of your domain
you can do this with the help of your domain name registrar otherwise ask them to do
this for you. Create child name server like this:
ns1.gopalthorve.com >> 192.168.0.98
ns2.gopalthorve.com >> 192.168.0.99
Replace private IP addresses with public IP addresses on which DNS Server will
listen on.
Update Name Servers at Domain Name Registrar
After creating child name servers you have to update name servers for your domain at
Domain Name Registrar. If you have administrative control of your domain you can
do this with the help of your domain name registrar otherwise ask them to do this for
you. Update name servers as below:
Name Server 1: ns1.gopalthorve.com
Name Server 2: ns2.gopalthorve.com
System Specification
System specification refers to the specification of the server and client on which we
configured and managed AD DS, DHCP and DNS Server.
Server System Specification:
Hard Disk: 200 Gb
RAM: 4 Gb
OS: Windows Server 2008 R2 x86
Processor: Intel Core i5-2400 CPU @ 3.10 GHz
Client System Specification:
Hard Disk: 500 Gb
RAM: 4 Gb
OS: Windows 8.1 x64
Processor: Intel Core i3-4005U CPU @ 1.70GHz
Conclusion
This training has been an excellent and rewarding experience. One main thing that I
have learnt through this training is time management as well as self-motivation.
From this training I have learnt how to complete a project within the stipulated
time period.
The objectives behind this internship were:
To gain exposure to actual working environment in an organisation
To understand web development procedure
To understand the vulnerabilities that may exist in a web application and
procedure to get rid of them
To be comfortable with Apache Tomcat, SQL, JSP and HTML/CSS.
To be familiar with Networking setup and Server Environment