Lab Server Core & Remote Administrator Tools - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Reader beware: this lab documentation is rather extensive because there was a lot of troubleshooting that had to be done.

Objectives

  • Set up a Windows Server 2019 Core machine to act as a file server. Use the command line to perform the usual local tasks (change the IP, change the server name, etc.).

  • Connect to the new server FS01 from AD02 using RSAT and add File Services.

image

FS01 Requirements

  • hostname = FS01-hannelore
  • Domain = hannelore.local (FQDN = fs01-firstname.yourdomain.local)
  • IP = 10.0.5.8
  • Gateway & DNS IP’s
  • Join the server to your AD domain after the new OS is configured, as with the previous OSs
  • Connect to new server from ad02 using RSAT and add the File Services Role
  • Create a security group

Login Prompt

You will be prompted to setup a username and password. This is the Local Administrator for this server (and not the AD Domain Admin, since it is not joined to your AD Domain yet). Note: be sure to document the userid and password you create.

image

Password is 4Hannelore for administrator

Go into server configuration with sconfig

image

We want to change the computer name to fs01-hannelore

image

Here is the changed name; the machine had to restart to apply the name change

Change the network settings

image

  • Select option 1 for the network adapter

image

Change the DNS server to 10.0.5.6

image

Change the static IP, default gateway and subnet mask

image

image

These are the successfully changed network settings

Reboot the server and then join your Active Directory Domain

Reboot with option 13 in the sconfig menu

Join the domain using sconfig's Domain/Workgroup option

LOOK AT THE NETWORK ADAPTER - CHECK YOURSELF BEFORE YOU WRECK YOURSELF

I could not join my domain even though I knew my domain password. I went back and checked my ad02 machine to make sure I had the right username, and I did, so then I checked my network adapter and it was still set to WAN; that is why it was not working.

image

image

image

image

here is the fs01 server joined to the hannelore.local domain
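The same sconfig steps as a PowerShell script, added here as an example and not part of the original journal. Hostname, domain, IP, DNS server and the -adm account come from the requirements above; the interface alias, the /24 prefix and the gateway address are assumptions (the journal does not record the gateway value).

```powershell
# Run in the PowerShell console on the Server Core box (type "powershell" at the cmd prompt).
$NewName   = 'fs01-hannelore'
$Domain    = 'hannelore.local'
$IpAddress = '10.0.5.8'
$DnsServer = '10.0.5.6'
$Prefix    = 24                  # assumed /24 for the 10.0.5.0 lab network
$Gateway   = '<GATEWAY-IP>'      # placeholder: the journal does not record the gateway
$IfAlias   = 'Ethernet'          # assumed; confirm with Get-NetAdapter below

# 1. Check which adapter you are about to configure. The domain join in the journal
#    failed because the adapter was still attached to the WAN segment.
Get-NetAdapter | Format-Table Name, InterfaceDescription, Status, MacAddress

# 2. Static addressing: turn off DHCP, clear the old IPv4 address and default route,
#    then set the new address, gateway and DNS server.
Set-NetIPInterface -InterfaceAlias $IfAlias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $IfAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $IfAlias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $IfAlias -IPAddress $IpAddress -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses $DnsServer

# 3. Before joining, prove that DNS can locate a domain controller. If this lookup
#    fails the join cannot succeed, no matter which password you type.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer |
    Format-Table Name, NameTarget, Port

# 4. Rename and join in one step (-NewName saves the extra reboot sconfig needs).
$Cred = Get-Credential -UserName "$Domain\hannelore.sanokklis-adm" -Message 'Domain admin account'
Add-Computer -DomainName $Domain -NewName $NewName -Credential $Cred -Restart

# After the reboot, confirm the result (same information as the sconfig summary screen):
#   Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain
```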

Log in to your AD Domain using -adm account via the Other user option

image

TROUBLESHOOTING: My admin credentials were not working at all for this lab. I tried every iteration I could think of and many troubleshooting steps, including talking to the professor. Even he didn't know what happened as I was able to join the hannelore.local domain, but was not able to sign in as the authorized user.

Here are the steps I took to troubleshoot and be able to fix the lab:

  • Checked the ad02-hannelore server to make sure I was typing in the correct admin username (which was hannelore.sanokklis-adm)
  • Checked to make sure the fs01-hannelore server was added to the Computers section of the domain (it was)
  • Double and triple checked the IP address configs
  • Changed the password for hannelore.sanokklis-adm like 100 times (it never worked, regardless of the password I made); pinged the firewall and the DNS server (both were successful)
  • Signed out of the local admin account on the ad02-hannelore machine and tried signing in with the admin credentials on the box (to no avail)
  • Created a new user called feet on the ad02-hannelore server, but when I logged out and tried to log in, I was met with a message telling me I did not have permission to sign in with that account.

I did not add the feet account to the Admin Group in the ad02-hannelore server. This is why I was getting the error saying that I could not sign in.

image

image

From now on my admin user will be feet

Deliverable 1: Show the sconfig cmd after setting the network, computer name, update settings, and joining the AD domain. (example below)

image

sconfig showing that the fs01-hannelore box is joined to the hannelore.local domain.

image

Network adapter with correct IP address 10.0.5.8

image

Network settings with the subnet mask, DNS server and default gateway configured

Use RSAT to Manage FS01 via AD02

On AD02, within the Remote Server Administration Tools (RSAT) Feature (which is not a Role), add File Service Tools and File Server Resource Manager Tools.

Make sure you are logged on to ad02 as your AD Domain named -adm user

Go to Add roles and features wizard

image

image

image

Add FS01 to All Servers

  • go to All Servers --> add server

image

  • add the fs01-hannelore server

image

Deliverable 2. Provide a screenshot that shows that from AD02, you have access to FS01 and AD02

image

On AD02, create the following OU Structure:

image

  • Create a new Global security group (Sales-Users) in the Groups OU.
  • Create two users (Bob and Alice) as standard domain users, in the new SYS255\Users OU
  • Add Alice to the Sales-Users group

Make a SYS-255 OU

Include these OUs within the SYS-255 Folder:

  • Computers
  • Users
  • Groups

image

Create two users (Bob and Alice) as standard domain users, in the new SYS255\Users OU

image

  • user: bob
  • pw: H@nnelore1123581321

image

image

  • user: alice
  • pw: H@nnelore1123581321

image

image

Successful creation of users Bob and Alice in the Users OU.

Create a new Global security group (Sales-Users) in the Groups OU

  • Go to groups OU
  • Create new group

image

Creating Global security group Sales-Users

image

Successful creation of Sales-Users Group

Add Alice to the Sales-Users group

image

image
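The OU structure, group and users from the steps above as a PowerShell script run on AD02, added here as an example (not part of the original journal). Names and the DN of the domain come from the page; the initial password is prompted for rather than stored in the script.

```powershell
# Run on AD02 as the domain admin. Creates the OU tree, the group and the two users
# described above, then lists the result for the screenshots.
Import-Module ActiveDirectory
$Base     = 'DC=hannelore,DC=local'
$SysOU    = "OU=SYS-255,$Base"
$UsersOU  = "OU=Users,$SysOU"
$GroupsOU = "OU=Groups,$SysOU"

New-ADOrganizationalUnit -Name 'SYS-255' -Path $Base
foreach ($ou in 'Computers', 'Users', 'Groups') {
    New-ADOrganizationalUnit -Name $ou -Path $SysOU
}

# Global security group that later receives the share permission
New-ADGroup -Name 'Sales-Users' -SamAccountName 'Sales-Users' -GroupScope Global `
    -GroupCategory Security -Path $GroupsOU

# Standard domain users; the password is prompted so it never sits in the script
$InitialPassword = Read-Host -AsSecureString -Prompt 'Initial password for bob and alice'
foreach ($u in 'bob', 'alice') {
    New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@hannelore.local" `
        -Path $UsersOU -AccountPassword $InitialPassword -Enabled $true
}

# Only alice joins the group; bob stays outside so the access test has a negative case
Add-ADGroupMember -Identity 'Sales-Users' -Members 'alice'

# Verification: group membership and the users' group list
Get-ADGroupMember -Identity 'Sales-Users' | Select-Object SamAccountName, objectClass
Get-ADUser -Filter * -SearchBase $UsersOU -Properties MemberOf |
    Select-Object SamAccountName, Enabled, @{n='Groups'; e={ $_.MemberOf -join ';' }}
```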

Use RSAT to add to FS01 and create a Sales Users share

On AD02, use the Add Roles and Features option on FS01

image

image

image

image

Run the following Net Shell (netsh) command on fs01 to open the firewall for managing the File Server:

netsh advfirewall firewall set rule group="Remote File Server Resource Manager Management" new enable=yes

image

On AD02, connect to FS01 using File Server Resource Manager to test the command just run above. Make sure to select Files and Storage Services -> Servers.

image

image

image

Deliverable 3: Take a screenshot of the FSRM and VM banner similar to that below:

image

Create a new share on FS01 using Server Manager

image

image

Choose the SMB Quick Share option.

image

Choose the fs01 server, and leave the Select by volume options alone.

image

Create a share named Sales, & take note of the Local and Remote paths to the share:

image

Next and Finish Configuring the Settings

image

image

image

For Customized Permissions, assign the Sales-Users group created earlier Full Control custom permissions to the share. Remove the "Everyone" access to the share.

image

image

image

image

Remove Everyone's access to the share

image

Add Full control for the Sales-Users group

image

image
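The share creation and permission steps above as a PowerShell script run from AD02 against FS01, added here as an example (not from the journal). The local share path and the NetBIOS name HANNELORE for hannelore.local are assumptions; it also includes the PowerShell equivalent of the netsh firewall command and a check that the Everyone entry is really gone.

```powershell
# Run on AD02 as the domain admin. Creates the Sales share on FS01 over WinRM with the
# same effective permissions as the wizard: Sales-Users full control, no Everyone entry.
$Server    = 'fs01-hannelore'
$SharePath = 'C:\Shares\Sales'          # assumed; the wizard chooses a path under the selected volume
$Group     = 'HANNELORE\Sales-Users'    # assumed NetBIOS domain name for hannelore.local

Invoke-Command -ComputerName $Server -ArgumentList $SharePath, $Group -ScriptBlock {
    param($Path, $Group)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # PowerShell equivalent of the netsh command used earlier for FSRM management
    Enable-NetFirewallRule -DisplayGroup 'Remote File Server Resource Manager Management'

    # Share ACL: naming -FullAccess means the default "Everyone: Read" entry is never added
    New-SmbShare -Name 'Sales' -Path $Path -FullAccess $Group

    # NTFS ACL: the share ACL alone does not cover local or other access paths, so stop
    # inheriting from C:\ and grant only the group plus the built-in admin identities
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $Group, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Verify from AD02: Sales-Users must appear with Full, Everyone must not appear at all
$access = Get-SmbShareAccess -Name 'Sales' -CimSession $Server
$access | Format-Table AccountName, AccessControlType, AccessRight
if ($access.AccountName -contains 'Everyone') {
    Write-Warning 'Everyone still has share-level access to \\fs01-hannelore\Sales'
}
```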

Test access for Bob and Alice

Deliverable 4: Test access to \\fs01-yourname\Sales while alternately logged into WSK02 as Bob and as Alice. Provide screenshots showing that Alice can write to and read from \\fs01\Sales and that Bob cannot.

image

signed into fs01-hannelore as alice

image

cat: alice is able to view the file in the directory from the fs01-hannelore machine

image

Hi from alice in the ad02-hannelore CMD

image

alices text file in ad02-hannelore

image

echo: Bob cannot read from sales

image

Bob cannot write to sales

TROUBLESHOOTING:

As I was trying to sign into my workstation with my bob and alice accounts I kept getting this message:

image

We troubleshot and determined that there was a problem with reaching the domain, so the ad02-hannelore machine, rather than network connectivity, since the network adapter was correct.

  • DNS records

So it turns out I had put my reverse lookup zone IP address in wrong in my DNS manager. I had put 10.0.5.105 instead of 10.0.5.150.

image

Before I deleted the PTR and A records, I sshed into DHCP to try and check what the IP address of wks02-hannelore actually should have been by checking the logs

  • When I checked the logs by going into \var\messages and running sudo cat messages | grep wks, nothing came up in the log.
  • I did systemctl status dhcpd to check to see if the dhcp server was even active and it was not

image

  • I then did systemctl start dhcpd to start the dhcp server and then checked the status again to make sure it was up and running again.

image

  • The lease for the IP was also expired; you can see that it renewed the lease.

image

Once the DHCP server was started again, when I grepped for wks02-hannelore there were actually entries

image

  • Now that there are logs for Windows I was able to see the IP address for wks02-hannelore, which is 10.0.5.150

image

After figuring this out, I went back to my DNS manager and deleted my forward/reverse lookup zone records for my workstation and remade them with the correct IP address. After doing this I was able to sign into the workstation with my admin account and the problem was fixed!
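A scripted version of the check the troubleshooting above did by hand, added here as an example (not from the journal): it compares the A and PTR records for the workstation against the address from the DHCP lease and rewrites them when they disagree. Zone name, host name, the DNS server and both IP addresses come from the page; the reverse zone name for 10.0.5.0/24 is derived from them.

```powershell
# Run on AD02 (it holds the DNS role). Compares the A and PTR records for the workstation
# with the address the DHCP lease actually gave it, and recreates them if they disagree.
Import-Module DnsServer
$Zone        = 'hannelore.local'
$ReverseZone = '5.0.10.in-addr.arpa'          # reverse zone for 10.0.5.0/24
$HostName    = 'wks02-hannelore'
$LeaseIp     = '10.0.5.150'                   # from the dhcpd log on the DHCP server
$DnsServer   = '10.0.5.6'

$fqdn = "$HostName.$Zone"
$fwd  = Resolve-DnsName -Name $fqdn    -Type A   -Server $DnsServer -ErrorAction SilentlyContinue
$rev  = Resolve-DnsName -Name $LeaseIp -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue

# Forward check: the A record must point at the leased address (the journal had 10.0.5.105)
$fwdOk = ($fwd.IPAddress -contains $LeaseIp)
# Reverse check: the PTR for the leased address must name this host
$revOk = ($rev.NameHost -contains $fqdn)
"A   $fqdn -> $($fwd.IPAddress -join ',')   ok=$fwdOk"
"PTR $LeaseIp -> $($rev.NameHost -join ',')   ok=$revOk"

if (-not ($fwdOk -and $revOk)) {
    # Remove every stale A record for the name and any PTR in the reverse zone that still
    # names this host (PtrDomainName carries a trailing dot), then recreate both from the lease.
    Remove-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name $HostName -Force -ErrorAction SilentlyContinue
    Get-DnsServerResourceRecord -ZoneName $ReverseZone -RRType Ptr |
        Where-Object { $_.RecordData.PtrDomainName -like "$fqdn*" } |
        Remove-DnsServerResourceRecord -ZoneName $ReverseZone -Force
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostName -IPv4Address $LeaseIp -CreatePtr
}

# Re-run the two Resolve-DnsName queries above; both ok flags should now read True.
```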

Continuing with alice and bob accessing the sales shares folder

TROUBLESHOOTING:

I could not figure out how to view the "hifromalice.txt" in file manager, when I would try and type in the path \\fs01-hannelore\sales I was not able to access anything.

  • This is because network discovery is turned off, so I am not able to look in the share.

image

  • If you right click on the windows tab and then run, you can open paths through the file explorer.

image

  • I am now able to see the file

image

Alice is able to read and write to the sales group

image

Bob is not able to read or write to the sales group

image

Deliverable 5. Research and create a Group Policy to map the S:\ drive to the \\FS01\Sales share for all users in the Sales-Users group, and then document this process in your tech-journal.

Provide:

  • Screenshot showing your successful gpresults
  • Screenshot of the mapped drive
  • Link to your tech-journal article exploring some of this lab’s topics further

Link used: https://activedirectorypro.com/map-network-drives-with-group-policy/

  • Go to Group Policy Management
  • Create a new GPO in SYS-255 --> Users

image

  • Edit the new GPO

image

  • Go to mapped drives

image

  • Click new ---> mapped drive

image

  • Create drive for \\fs01-hannelore\sales

image

  • apply the drive in the context of the users

image

  • add targeting

image

image

image

here is the mapped drive

logged on as alice, viewing the sales drive!

image

logged on as bob, he cannot access the drive!

image
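A scripted version of the GPO steps above, added here as an example (not from the journal). The GPO name is assumed. The Drive Maps item itself is a Group Policy Preference with no cmdlet, so it is still added in the editor as shown; the security-filtering lines are an alternative to the journal's item-level targeting that scopes the whole GPO to Sales-Users.

```powershell
# Run on AD02 as the domain admin.
Import-Module GroupPolicy
$GpoName = 'Map Sales Drive'                                  # assumed name
$Target  = 'OU=Users,OU=SYS-255,DC=hannelore,DC=local'        # the SYS-255 > Users OU from above

# Create the GPO and link it to the Users OU (the link is enabled immediately)
New-GPO -Name $GpoName -Comment 'Maps S: to \\fs01-hannelore\sales for Sales-Users' | Out-Null
New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes

# Security filtering, the alternative to item-level targeting: only Sales-Users applies the
# GPO. Authenticated Users is downgraded to Read (not Apply) so clients can still read it.
Set-GPPermission -Name $GpoName -TargetName 'Sales-Users' -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Now add the Drive Maps item in the editor: User Configuration > Preferences > Windows
# Settings > Drive Maps > New > Mapped Drive, Location \\fs01-hannelore\sales, letter S:.
# Then export the settings report for the journal.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"

# On WKS02, logged on as alice (expected: S: -> \\fs01-hannelore\sales) and as bob (no S:):
#   gpupdate /force
#   gpresult /r /scope:user
#   Get-SmbMapping -LocalPath 'S:' | Select-Object LocalPath, RemotePath, Status
```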