Introduction

Windows Servers can have various roles and features that define the server’s primary functions and responsibilities. By default, the majority of roles on a Windows Server are disabled. By keeping roles disabled by default, Windows Server minimizes the system’s attack surface. Each role adds specific services and open ports that could be exploited if not properly configured and secured. You reduce the risk of unauthorized access and attacks by only enabling the roles necessary for your environment. It also ensures that the Windows Server’s performance is optimized since unnecessary roles enabled may consume additional system resources.
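The attack-surface argument above is easiest to act on if you record what is installed and listening before and after each role is added. The following PowerShell is an added example, not code from the original post: it builds a small inventory of installed roles and of listening TCP ports mapped to their owning processes, and saves it so a second run can be compared against the baseline. The function name and the output path under `$env:TEMP` are choices made here, not anything the post prescribes.

```powershell
# Added example (not from the original post): snapshot the server's installed
# roles and listening ports so every enabled role is a deliberate decision.
function Get-RoleAttackSurface {
    # Installed roles/features only (Get-WindowsFeature lists every available one)
    $installed = Get-WindowsFeature | Where-Object Installed |
        Select-Object Name, DisplayName, FeatureType

    # Listening TCP sockets, mapped to the process that owns them
    $listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = $proc.ProcessName
            Pid          = $_.OwningProcess
        }
    } | Sort-Object LocalPort, LocalAddress -Unique

    [pscustomobject]@{ Roles = $installed; Listeners = $listeners }
}

# Take the baseline on a fresh server and keep it for later comparison.
$baseline = Get-RoleAttackSurface
$baseline.Roles | Where-Object FeatureType -eq 'Role' | Format-Table Name, DisplayName -AutoSize
$baseline.Listeners | Format-Table -AutoSize
$baseline | Export-Clixml -Path "$env:TEMP\role-baseline.xml"   # assumed output path

# After adding a role, run again and show only what changed.
$now = Get-RoleAttackSurface
$old = Import-Clixml -Path "$env:TEMP\role-baseline.xml"
Compare-Object -ReferenceObject $old.Roles -DifferenceObject $now.Roles -Property Name |
    Format-Table -AutoSize
Compare-Object -ReferenceObject $old.Listeners -DifferenceObject $now.Listeners -Property LocalPort, Process |
    Format-Table -AutoSize
```

Run it once on the freshly installed server and once after each role in this post; the second comparison shows exactly which new ports (for example LDAP, Kerberos, DNS, HTTP/HTTPS and DHCP) each role opened, which is the list you then need to firewall and monitor.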

Roles on a Windows Server are specific software components that provide particular functionalities or services to other computers within a network. When you install a role on a Windows Server, you’re configuring the server to perform specific tasks, often to support or manage network resources. Here are some of the key roles that we will be configuring in this blog post:

  • Active Directory Domain Services (AD DS): This role is critical for managing a network of computers that are part of a domain. It allows for creating and managing a domain, providing authentication and authorization for all users and computers within that domain.
  • Active Directory Certificate Services (AD CS): The Active Directory Certificate Services (AD CS) role on Windows Server provides a customizable framework for creating, managing, and distributing digital certificates to secure communications and establish trust within an organization. It enables the implementation of public key infrastructure (PKI) to support scenarios such as secure email, network authentication, and encryption.
  • DNS Server: The DNS (Domain Name System) Server role provides name resolution services, translating human-readable domain names into IP addresses that computers use to communicate. It plays a fundamental role in network connectivity and internet access and allows internal resources to access each other using human-readable names.
  • DHCP Server: The DHCP (Dynamic Host Configuration Protocol) Server role automates the assignment of IP addresses to devices on the network, ensuring that each device gets a unique IP address without manual configuration.
  • Web Server (IIS): The Internet Information Services (IIS) role turns the server into a powerful web server capable of hosting websites, web applications, and services. It supports HTTP, HTTPS, FTP, and other protocols. This role will be automatically added during our Certificate Services configuration.

Adding the Active Directory Domain Services and DNS Server Roles

After we sign into our Windows Server, we will open up the Server Manager. On the Dashboard, we will click on the Add roles and features link.

From the Add Roles and Features Wizard, we will click Next until we reach the Server Roles page. On this page, we will check the box next to the Active Directory Domain Services option.

We will click Next until we are at the point of installing the roles. Usually, I check the Restart the Destination Server automatically if required box before clicking Install.

After the installation is completed, we will navigate back to the Server Manager dashboard and click on AD DS on the left-hand panel.

We will need to configure the Active Directory role. To do so, we will click on More… in the yellow Configuration required warning.

A pop-up will give us an option. We will click the Promote this server to a domain controller link.

On the Active Directory Domain Services Configuration Wizard window, we will choose the radio button for the Add a new forest option and then choose the name of the domain that we would like to create. Typically, we would want a name that is not resolvable on the public internet. For my lab in this example, I chose the domain name of securitydemo.net.

After clicking Next, we will configure the DSRM password on the next screen. The Directory Services Restore Mode (DSRM) password in Active Directory is a special administrator password used to log into a Windows Server running Active Directory when the server is booted into DSRM, a special boot mode for performing maintenance and recovery tasks on the AD database. This password is critical for restoring backups, repairing corrupted data, or performing authoritative restores of deleted objects in Active Directory. The password you set here should be securely stored, as it is essential for recovering the domain controller in case of failure. After setting the DSRM password, we will click Next again.

We will keep clicking Next until we reach the page to install the DNS role. Even though we haven’t added the DNS role yet, the wizard will automatically add the role as part of the setup and create the DNS zones and records that AD needs. We will click Next until we reach the Prerequisites page, then click Install.

After the installation is complete, the server should restart. After it restarts, we will open the Start menu and navigate to Active Directory Users and Computers. From here, we can create a new user or use our Administrator account. We will pick one (a new account or using the default Administrator account) and add it to the IIS_IUSRS group. This will be important for the IIS services needed for our Certificate Services later.
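The same forest creation can be scripted. The block below is an added example and not part of the original post: it installs the AD DS role, runs the prerequisite check, and promotes the server to the first domain controller of a new forest with the DNS Server role installed alongside it, exactly as the wizard does. The domain name securitydemo.net is the post's lab value; the NetBIOS name SECURITYDEMO is assumed, and the DSRM password is prompted for rather than hard-coded, because that password is the recovery credential for the whole domain controller.

```powershell
# Added example (not from the original post): AD DS + DNS install and forest
# promotion from PowerShell. Assumed values: domain securitydemo.net (from the
# post), NetBIOS name SECURITYDEMO.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for the DSRM password; never leave it in a script or transcript.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode (DSRM) password'

# Same checks the wizard runs on its Prerequisites page.
Test-ADDSForestInstallation -DomainName 'securitydemo.net' `
    -SafeModeAdministratorPassword $dsrmPassword -InstallDns

# -InstallDns adds the DNS Server role and creates the AD-integrated zones.
# -Force skips the confirmation prompts; the server reboots when promotion ends.
Install-ADDSForest `
    -DomainName 'securitydemo.net' `
    -DomainNetbiosName 'SECURITYDEMO' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force:$true

# --- Run after the reboot: confirm the DC and the DNS records it depends on ---
Get-ADDomainController | Select-Object HostName, Domain, Forest, IsGlobalCatalog
Resolve-DnsName -Name 'securitydemo.net' -Type A
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.securitydemo.net' -Type SRV
```

The SRV lookup is the useful check: if `_ldap._tcp.dc._msdcs.<domain>` does not resolve, domain members will not be able to find the domain controller even though promotion reported success.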

We will then open the Server Manager again and click on Add Roles and Features. We will choose the check box next to Active Directory Certificate Services this time.

When we get to the Role Services options, we will check the box for every role service available for Active Directory Certificate Services and then click Next. 

When we finally reach the end of the wizard, I recommend again checking the Restart the destination server automatically option and then clicking Install.

After the installation has been completed, we will open Server Manager and navigate to AD CS on the left-hand pane. Similar to our Active Directory configuration, we will click the More… option to start configuring the Certificate Services.

From the All Servers Task Details window that pops up, we will click on the Configure Active Directory Certificates link. This will open the wizard for the AD CS Configuration.

On the wizard’s first page, we will be asked to specify an account to install the role services. The account must be a member of both the local Administrators group and the Active Directory Enterprise Admins group. If we are logged into Windows Server as the built-in administrator, that account will be pre-populated in this field. We will then click Next.

When we get to the Role Services page of the wizard, we will check the boxes for the first three options only. In my experience, it was best to configure the first three role services (Certificate Authority, Certificate Authority Web Enrollment, and Online Responder) first and then configure the next three after. I often ran into issues later when I tried to configure all six role services simultaneously, so I would recommend doing this exactly as I am demonstrating here.

We will click Next.

On the Setup Type page, we will choose the Enterprise CA option and then click Next.

On the CA Type page, we will choose the Root CA option and then click Next.

For the Private Key page, we will select the Create a new private key option.

Then we will click Next until we reach the Confirmation page. Once we are on this page, we will click Configure.

After the configuration has been completed, we should be presented with a pop-up box that asks Do you want to configure additional role services? We will choose Yes.

Now, we will complete the configuration of the remaining role services by checking the boxes for the Network Device Enrollment Service, Certificate Enrollment Web Server, and Certificate Enrollment Policy Web Server. Then, we will click Next.

On the Service Account for NDES page, we need to choose a service account for NDES. This can be the Active Directory user you previously added to the IIS_IUSRS group. In the example below, I previously added the built-in Administrator account to the IIS_IUSRS group, so I used that account for the NDES service.

We will continue through the wizard until we reach the Service Account for CES configuration. We will choose the same account we used for the NDES service and continue through the wizard. We can keep all the options as their pre-configured default until we get to the Server Certificate configuration.

We will highlight the existing SSL certificate on the Server Certificate configuration and click Next.

Note: This certificate was created in the first round of adding roles to the Certificate Services. We opted to create a certificate during that process, but you could import a separate certificate in production if you wish.

We should be on the Confirmation page. We will verify our configuration and click the Configure button to finish the configuration.
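The two-stage AD CS configuration described above (first the CA, Web Enrollment and Online Responder; then NDES, CES and CEP) can also be done from PowerShell, which makes the order explicit and repeatable. This is an added example, not code from the original post. Assumptions beyond what the post states: the CA common name securitydemo-CA, the NetBIOS domain SECURITYDEMO, a 4096-bit RSA key with SHA-256, and an existing server-authentication certificate in the machine store that is selected by thumbprint (standing in for the certificate the wizard lets you highlight). The post uses the built-in Administrator as the NDES/CES service account; the script keeps that so it matches the walkthrough, but a dedicated low-privilege service account is the better choice outside a lab.

```powershell
# Added example (not from the original post): AD CS configured in the same two
# stages as the wizard walkthrough. Assumed: CA name securitydemo-CA, domain
# SECURITYDEMO, service account SECURITYDEMO\Administrator (as in the post).

# All six role services; IIS is pulled in as a dependency of Web Enrollment.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert, `
    ADCS-Device-Enrollment, ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol -IncludeManagementTools

# Prerequisite from the post: the NDES/CES account must be in IIS_IUSRS.
Add-ADGroupMember -Identity 'IIS_IUSRS' -Members 'Administrator'

# --- Stage 1: Enterprise root CA with a new private key, then Web Enrollment and OCSP ---
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'securitydemo-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# --- Stage 2: NDES, Certificate Enrollment Web Service, Certificate Enrollment Policy Web Service ---
$svcCred = Get-Credential -UserName 'SECURITYDEMO\Administrator' -Message 'NDES/CES service account'

# Pick the newest server-authentication certificate in the machine store
# (assumed to exist; the wizard shows the same list on its Server Certificate page).
$sslThumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint

Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName $svcCred.UserName -ServiceAccountPassword $svcCred.Password `
    -RAName 'securitydemo-NDES-RA' -Force

$caConfig = "$env:COMPUTERNAME.securitydemo.net\securitydemo-CA"
Install-AdcsEnrollmentWebService -CAConfig $caConfig -AuthenticationType Kerberos `
    -SSLCertThumbprint $sslThumb `
    -ServiceAccountName $svcCred.UserName -ServiceAccountPassword $svcCred.Password -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -SSLCertThumbprint $sslThumb -Force

# --- Verify: the CA service answers and IIS is hosting the enrollment endpoints ---
Get-Service -Name CertSvc, W3SVC | Select-Object Name, Status
certutil -ping
certutil -cainfo name
```

If stage 2 fails, the usual causes are the service account missing from IIS_IUSRS or `$sslThumb` being empty because no server-authentication certificate exists yet, so check both before re-running.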

Note: We configured the CA (Certificate Authority) Root on the same server as our Active Directory and DNS in this walkthrough. This is not best practice by any means. The best practice for a Public Key Infrastructure (PKI) is to deploy a separate Root CA, create subordinate Certificate Authorities that issue certificates under that Root CA, and then take the Root CA offline. Why is this important? If someone were to compromise your Root CA, your entire PKI would be compromised – not just an Intermediate CA – which would be catastrophic for an enterprise.

I have seen too many production PKI environments that have been deployed with the Root CA online at all times and I would kick myself if I didn’t at least mention the dangers of doing so. To learn more about designing and implementing PKI, check out this article.

Adding and Configuring the DHCP Role on Windows Server

The DHCP (Dynamic Host Configuration Protocol) role on Windows Server is responsible for automatically assigning IP addresses and other network configuration details, such as subnet masks, default gateways, and DNS servers, to devices on a network. By managing and distributing IP addresses dynamically, the DHCP server ensures that each device receives a unique IP address, preventing conflicts and simplifying network management. This role is essential for large networks, as it reduces the administrative overhead of manually configuring IP settings on each device and allows for more efficient use of available IP address space.

In this section, we will add and configure the DHCP role. We will navigate back to the Server Manager and click on Add roles and features.

Under the Server Roles page of the Add Roles and Features Wizard, check the box next to the DHCP Server role and click Next.

We will click Next until we reach the Configuration page. I would recommend checking the Restart the destination server automatically if required option, and then we click the Install button.

After the role is added, we will navigate to the Server Manager dashboard and choose DHCP from the left-hand bar.

We will then click the More… link on the Configuration Required warning to configure the DHCP services.

The All Servers Task Window will pop up. We will click on the Complete DHCP configuration link under the Post-deployment Configuration task.

We will then go through the DHCP Post-Install configuration wizard. We will click Next to reach the Authorization page. Here, we will specify the credentials used to authorize this DHCP server in AD DS. In this example, I used the default administrator account. After selecting the account, we will click the Commit button and then close the configuration wizard.

After closing the window, we will open the Start Menu and type in mmc to open a Microsoft Management Console (MMC). This will allow us to manage the DHCP services.

We will navigate to the File menu of the MMC and select Add/Remove Snap-in…

We will then select DHCP from the Add or Remove Snap-ins window and click Add. After adding the snap-in, we will click OK.

After adding the snap-in, we can configure a DHCP scope for IPv4 or IPv6 here. A DHCP scope is a range of IP addresses that a DHCP server is configured to distribute to clients on a specific subnet. It defines the pool of available IP addresses and associated network configuration options, such as the subnet mask, default gateway, and DNS servers, that the DHCP server can assign to devices requesting an IP address.

We will expand IPv4 to see the following options:

  • Server Options – DHCP options are additional configuration settings that a DHCP server can provide to clients along with their IP address assignments. These options can include important network details such as the default gateway, DNS server addresses, domain name, and more, allowing the server to deliver all the necessary network information that clients need to function properly within the network.
  • Policies – This allows us to distribute configurable settings (IP address, DHCP options) to clients based on certain conditions (e.g. vendor class, user class, MAC address, etc). We will not be configuring this in this blog post.
  • Filters – If we wanted to create an allow or deny list of MAC addresses of clients to provide DHCP services to, we would do so here. We will not be configuring this in this blog post. By default, this is not configured.

We will right-click IPv4 on the left-hand pane and choose the New Scope… option.

This will bring up the New Scope Wizard.

We can give this scope a name and description to help us remember what this scope is being used for. Then we will click Next.

We will then configure the address range of our DHCP scope and the subnet mask.

Note: The address range we configure does not need to be the entire subnet. We could choose a smaller range such as 10.10.10.10-10.10.10.100 and still configure it as a /24 subnet.

After configuring the range, click Next.

Next, we can configure the DHCP exclusions. These are specific addresses or ranges of addresses that the server will not hand out. Certain devices and servers on the subnet might have static IP addresses, such as the default gateway, file servers, etc. We would not want to hand out the same IP addresses via DHCP under any circumstances for those devices.

In the below example, I added 10.10.10.1-10 and 10.10.10.240-10.10.10.254 as my exclusion ranges and clicked Next.

Next, we will be asked to configure the lease duration for the IP address that DHCP assigns. The default is 8 hours. However, depending on what the subnet is used for, you might want to increase or decrease that time. For example, it might be optimal to tune the lease time down for a subnet used for guest wireless with a large number of visitors who dwell for a short period.

We are going to keep the default lease time and click Next.

The New Scope Wizard will ask us if we want to configure additional options. The default is set to Yes, I want to configure these options now. We will click Next without changing this option.

We then may configure the default gateway for the DHCP scope. In the below example, I added 10.10.10.254 as the default gateway and clicked Next.

The next option we can configure is to set the domain name and DNS servers the client can use. After adding our DNS server, we will click Next.

Note: If we add a new DNS server, the DHCP server must verify that the DNS server is resolving. This may take a few minutes.

If a WINS server must be configured, we can configure it next. We will click Next without configuring a WINS server.

At the end of the wizard, we will be offered the option to activate the scope immediately. This means that the DHCP server will start to serve IP addresses to clients as soon as it is activated. We will activate the scope and finish the wizard.

One last thing we should discuss: DHCP Reservations. A DHCP reservation allows a specific device to always receive the same IP address from the DHCP server. This is done by mapping the device’s MAC address to a specific IP address within the DHCP scope, ensuring that the device consistently uses the reserved IP address whenever it connects to the network.

In the MMC, we will expand our new DHCP scope to see the container for Reservations. We will right-click Reservations and choose New Reservation… from the menu.

Configuring a reservation is very simple: We add the device’s MAC address and the IP address we always want to assign to it. After adding this reservation, the DHCP client with this MAC address will always be given the same IP address every time it sends a DHCP request on this subnet.
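The whole DHCP procedure in this section, from adding the role through authorization, scope, exclusions, options, activation and a reservation, can be scripted as one sequence. The block below is an added example and not code from the original post. The gateway 10.10.10.254 and the exclusion ranges come from the post; the server name dc01.securitydemo.net, its address 10.10.10.5, the scope covering the full 10.10.10.0/24 (so both exclusion ranges fall inside it), and the MAC address for the reservation are constructed values for this example.

```powershell
# Added example (not from the original post): the DHCP section done from
# PowerShell. Assumed/constructed values: DHCP server dc01.securitydemo.net at
# 10.10.10.5, scope 10.10.10.0/24, reservation MAC 00-11-22-33-44-55.

Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Post-install tasks the wizard performs: local security groups and AD authorization.
Add-DhcpServerSecurityGroup
Restart-Service -Name DHCPServer
Add-DhcpServerInDC -DnsName 'dc01.securitydemo.net' -IPAddress 10.10.10.5

# Scope covering the subnet, default 8-hour lease, activated immediately.
Add-DhcpServerv4Scope -Name 'Lab 10.10.10.0/24' -Description 'Constructed example scope' `
    -StartRange 10.10.10.1 -EndRange 10.10.10.254 -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Hours 8) -State Active

# Exclusions for statically addressed infrastructure (the post's two ranges).
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.10.0 -StartRange 10.10.10.1   -EndRange 10.10.10.10
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.10.0 -StartRange 10.10.10.240 -EndRange 10.10.10.254

# Scope options: default gateway (option 3), DNS server (6) and domain name (15).
# The cmdlet validates that the DNS server answers, which is the delay the post
# mentions; add -Force only if you deliberately want to skip that validation.
Set-DhcpServerv4OptionValue -ScopeId 10.10.10.0 `
    -Router 10.10.10.254 -DnsServer 10.10.10.5 -DnsDomain 'securitydemo.net'

# Reservation: this MAC address always receives 10.10.10.50.
Add-DhcpServerv4Reservation -ScopeId 10.10.10.0 -IPAddress 10.10.10.50 `
    -ClientId '00-11-22-33-44-55' -Name 'printer01' -Description 'Constructed example reservation'

# --- Verify ---
Get-DhcpServerInDC                                   # every authorized DHCP server in the forest
Get-DhcpServerv4Scope
Get-DhcpServerv4ExclusionRange -ScopeId 10.10.10.0
Get-DhcpServerv4OptionValue   -ScopeId 10.10.10.0
Get-DhcpServerv4Reservation   -ScopeId 10.10.10.0
Get-DhcpServerv4Lease         -ScopeId 10.10.10.0
```

`Get-DhcpServerInDC` is worth running periodically on its own: the authorization list is what stops an unauthorized Windows DHCP server from handing out leases, so any server listed there that you did not deploy should be investigated.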

With these steps, you’ve successfully configured the essential roles on your Windows Server. We have set the foundation for our Windows Server environment and will refine it further in later posts. By tailoring these roles to your organization’s specific needs, you can efficiently manage and optimize your server environment.