Windows Server 2003 for Home Network

GimpyFuzznut

I'm taking some MCSE tests later on this summer and wanted to build a Server 2003 network in my home. I have a PC to use and I have a copy (6 month trial) of Windows to install. Now, what I was wondering and curious about is the ideal method to set up the network for ideal security. I had a similar setup previously working with Linux but want to learn the ins and outs of MS.

I currently have a wireless router like most people that handles DHCP, firewall, etc and other functions. Would it make more sense and make for a more ideal network to have the Server 2003 machine handle these functions? Would it be better to just plug the Server machine into the router and leave the router handling those functions?

My idea is to allow the Server machine to do the bulk of the networking work and plug my cable connection into one network card. The Server would then handle firewall (maybe try to install some better firewall software here as well), DHCP, DNS and all that other stuff. Then a second network card with internet connection sharing would feed into the wireless router, which would have the DHCP and now unnecessary features disabled. Would this option make more sense? Would this have adverse effects on the router? I plan on still leaving the router firewall enabled for safety's sake.

 

RebateMonger

First, if you are studying for MCSE, buy or download a trial copy of either Virtual PC 2004 (which is what I've been using), or Virtual Server 2005 (free).

Then, load trial versions of Windows Server 2003 into multiple Virtual PC windows. This will allow you to set up virtual networks, with multiple servers, on your desktop PC. It's MUCH easier and faster than building real servers, and behaves identically. The only thing you can't do is multiple-server clusters.

Install Microsoft's Loopback Adapter on your local PC. This allows you to create virtual network cards within Virtual PC that allow the various virtual PCs to talk to each other without interfering with your real network. You can add up to 3 virtual network cards for each virtual PC.

If you actually want a Virtual Server to be on your network (maybe connected to your router), you can do that by using a "real" NIC on your PC within Virtual PC. It'll have a different IP address than your "real" PC and can function on your home network just like another PC.
 

TG2

From what he described, I thought he had another PC to use for this, although I also suggest using a virtual OS app (VMware Server, VM Player, etc)

I'd turn off the DHCP on the router, and set up the server to do DNS and DHCP in the least, esp if you're going to be learning and Active Directory lives on DNS, might as well have it running my 2003 so it's integrated.
- leave the router to do the firewall function, just make the router a static IP and in the DHCP in the server, make sure to enter the router's IP in the settings so everything on the LAN gets the correct IP of the router (gateway)
 

mechBgon

RebateMonger is much more qualified than I am, but I'll throw some ideas out there for critique anyway :) To start with, I wouldn't plug WS2003 right into the Internet unless you know what you're doing. Having the server sit between your PCs and the Internet is what ISA Server is for.

If you do actually install onto a real server, then it would make sense to install WS2003 while the computer is fully un-networked, no wired, no wireless. Then patch it to SP1 level offline using the full SP1 installer from a CD, still isolated from any sort of network. While still offline, install antivirus software and fully configure it, enable DEP completely, and switch on the Windows Firewall with no exceptions allowed, to start you off somewhat secure. Key concept: don't expose the darn thing to potential sources of attack until you're good and ready, and be as ready as practical when you finally do.

Now hook it up to the router, update antivirus & reboot, update Windows & reboot, and if possible, make an Automated System Recovery backup onto a spare HDD that has nothing else on it at all (assuming you don't have a tape drive).

After that, burn it all down :evil: by reformatting the boot drive, and then see if you can recover from the ASR backup :) Key concept: in the real world, a recovery plan has to work, so learn how.

Once you got that skill down, now run the Configure Your Server Wizard that keeps hassling you at bootup, and make it into a domain controller, file server, DHCP server and the stuff that comes along with those roles. After that's done, run the Security Configuration Wizard to batten the hatches, and then make another ASR backup and begin goofing around and trying the stuff in your training materials.

Also slap WSUS on there and learn how to use it. Make some Group Policies and practice deploying, redeploying, removing and configuring software with them, as well as Windows and its components. Practice your backup & recovery. Break stuff, figure it out, burn it down, do an ASR recovery while you have pizza, try it again :)


Also (duh) follow your training coursework step-by-step.
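
A check for the "enable DEP completely" step in the post above, as an added example that is not part of the thread: it parses a boot.ini and lists the OS entries whose `/noexecute` switch is anything other than `AlwaysOn`. Reading "completely" as `AlwaysOn` is an assumption, and the sample boot.ini and function names are constructed for illustration.

```python
import re

# Constructed sample boot.ini (not from the thread): one entry per DEP case.
SAMPLE_BOOT_INI = r'''[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003 (lab)" /fastdetect /noexecute=AlwaysOn
multi(0)disk(0)rdisk(1)partition(1)\WINNT="Old install" /fastdetect
'''

POLICIES = {"alwayson", "optout", "optin", "alwaysoff"}
SWITCH = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)
ENTRY = re.compile(r'[^=]+=\s*"([^"]*)"(.*)')  # <ARC path>="<label>" <switches>

def dep_policies(boot_ini_text):
    """Return [(label, policy)] for each entry under [operating systems].

    policy is the lower-cased /noexecute value, "unset" when the switch is
    absent, or "invalid:<value>" when the value is not a known policy.
    """
    results, in_os_section = [], False
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only the [operating systems] section holds boot entries.
            in_os_section = line.lower() == "[operating systems]"
            continue
        entry = ENTRY.match(line) if in_os_section else None
        if not entry:
            continue
        label, switches = entry.groups()
        found = SWITCH.search(switches)
        if not found:
            policy = "unset"
        else:
            value = found.group(1).lower()
            policy = value if value in POLICIES else "invalid:" + value
        results.append((label, policy))
    return results

def not_fully_enabled(boot_ini_text):
    """Labels of entries whose DEP policy is not AlwaysOn.

    Assumption: "enable DEP completely" is read as /noexecute=AlwaysOn.
    """
    return [label for label, p in dep_policies(boot_ini_text) if p != "alwayson"]

if __name__ == "__main__":
    for label, policy in dep_policies(SAMPLE_BOOT_INI):
        print(f"{policy:10} {label}")
```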
 

GimpyFuzznut

That is some great information there. Thanks for the tips! I was thinking about the virtualization route but I figure, what the hell, I might as well put the extra PC to use.

About virtualization - the question I was wondering and that was also holding me back - it may seem kind of silly. If I were to set up a virtual server on this XP machine for example and I wanted to have a domain created on my virtual server. Let's say I reboot my machine that is hosting the guest server OS and I then want to log on to my domain - won't the virtual OS be down until I can actually log back into Windows and start it up? Or do virtualized OSes run separately from the host OS - ie, they would both run simultaneously but separately and I would therefore be able to log on to my server domain (the guest OS) from my client machine (the host of the guest OS) if I were to reboot my machine or whatever? Sorry if this sounds confusing but I hope someone is following what I am saying. :p

As for connecting the Server 2003 box directly to the Internet - I figure this would be a good idea (after everything is configured like you said) so I could install a network firewall (perhaps ISA if there are evaluation versions) across the board similar to what I was doing previously with a Clark Connect server. I'm guessing there are network firewall alternatives to ISA? So by your suggestion, it's a better idea to just plug the Server into the router and just let the router handle firewall? Is there any way I can get the best of both worlds?
 

RebateMonger

Originally posted by: TG2
From what he described, I thought he had another PC to use for this, although I also suggest using a virtual OS app (VMware Server, VM Player, etc)
Yeah, but to work on an MCSE, one Windows Server won't be enough. Many of the exercises in the MS Certification texts, for instance, require two servers PLUS an XP client. So you STILL need some virtual servers, unless you want to have two or three extra computers laying around. It's SO much easier when you go virtual.

My Virtual PC 2004 right now has two Server 2003 virtual servers (180-day trial editions), one Server 2000 virtual server, one Windows 98, and one XP Professional. The problem with XP is that you can only use it for 30 days without activating it or re-installing it. Or you can just dedicate an XP license to a virtual machine and go ahead and activate it. You can always use your own XP box as a client to your virtual servers.
 

RebateMonger

Originally posted by: GimpyFuzznut
About virtualization - the question I was wondering and that was also holding me back - it may seem kind of silly. If I were to set up a virtual server on this XP machine for example and I wanted to have a domain created on my virtual server. Let's say I reboot my machine that is hosting the guest server OS and I then want to log on to my domain - won't the virtual OS be down until I can actually log back into Windows and start it up?
No, you won't be able to join a virtual Domain that's on your own XP box. You can only use your local XP computer as a workstation on your virtual Domain. That's why you'll probably want to just create a virtual XP window. THAT one can join your virtual Domain.

You can't start Virtual PC (and its virtual servers) until AFTER you've logged into your host XP computer.
 

GimpyFuzznut

That's what I figured. But as you said, I might need more than one server so I might as well try to mix and match. I can have my domain on the dedicated box and the rest going from virtualized servers. Man, this whole virtualization thing is really cool. Really revolutionizing things.

Originally posted by: GimpyFuzznut
As for connecting the Server 2003 box directly to the Internet - I figure this would be a good idea (after everything is configured like you said) so I could install a network firewall (perhaps ISA if there are evaluation versions) across the board similar to what I was doing previously with a Clark Connect server. I'm guessing there are network firewall alternatives to ISA? So by your suggestion, it's a better idea to just plug the Server into the router and just let the router handle firewall? Is there any way I can get the best of both worlds?

So what is your recommendation on this? Thanks again for the great info - I can go back into my hole after I figure out this last thing. :)
 

RebateMonger

Originally posted by: mechBgon
RebateMonger is much more qualified than I am.
LOL. If only that was true. :)

All of the comments here are good advice and answer some of your questions that I didn't address.
 

RebateMonger

Your idea of having a single, permanent, Windows Server and then virtualizing the rest should work just fine. I recommend using two NICs in the hardware server, connecting one to your hardware router and connecting the second to a switch, where all the rest of your PCs (both real and virtual) connect. This allows your main Server to control all Internet traffic, allowing ISA to fully function.

The only disadvantage to using a "real" server is that if you screw up the configuration (which you probably will several times in your learning process), your PCs will be off the Internet until you fix the problem, or until you rewire. When you use virtual servers, you just get one working like you want (DC, DNS, DHCP, etc. all functional), then copy the .VHD file. If you mess up your virtual server beyond repair, you just delete the messed-up .VHD file and use the good-as-new copy.

Regarding an external hardware router, you can keep it if you want. You just port forward any needed ports to the Server's IP address. The Server (or ISA) won't know the difference, as long as you forward all needed ports to your Server.
 

mechBgon

Originally posted by: RebateMonger
Originally posted by: mechBgon
RebateMonger is much more qualified than I am.
LOL. If only that was true. :)
You are too kind :) I'm a former bicycle mechanic, the unfortunate custodian of a WinNT 4.0 / Exchange 5.5 setup, and self-trained in what little I do know, so I think it's probably correct as stated :D