Win2K server and Windows workstations


talkcity

Technical User
Mar 6, 2003
We need help in setting up a small network. We want to clean out all our systems, since we got hit by different viruses and spyware. We want someone to guide us and tell us where we are making a mistake in this setup we have outlined:

1 – windows 2000 server
4 – windows workstations (2 windows 2000 professional & 2 windows xp professionals)

Steps for setting up our network with DSL disabled.

Backup all important files

Windows 2000 server
a) Format hard drive and clean install server O/S
b) Service Packs
c) Install DNS (any website that explains the setup, other than Microsoft.com)
d) Install DHCP
e) NAV
f) Updates
g) Norton Security
h) Create user account and give access rights (any website that explains the access rights, other than Microsoft.com)

Windows workstations
a) Format hard drives and clean install workstation O/S
b) Service Packs
c) Connect workstation to server
d) MS Office
e) Service Packs
f) NAV
g) Updates
h) Norton Security
i) Connect printers locally (usb & parallel) and share them

Router
Update firmware
Block sites

Misc:
Setup POP3 accounts in outlook
Spam (any recommendations for spam software)
Backup solution - use windows builtin backup to CD/RW
 
Are you planning on making a domain, or running in a workgroup? A domain will give you Kerberos authentication and will help your security.

Let me know that and I'll tell you what to change about your plan :)

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Yes we are planning on a domain.
Some of the stuff we want to implement:
Hoping to restrict website browsing for some sites thru router.
Restrict program installation thru downloads
Restrict download of Chat software

Thank you
 
OK, so here's the deal:
1. DHCP should not be on the DC
2. There is no mention of dcpromo in your plan
3. There is no mention of joining the clients to the domain
4. With the AV, make sure you either keep it disabled and only enable it for weekly scans and such, or else exclude the c:\windows\sysvol and c:\windows\ntds folders (or wherever you put them)
5. On the server for step c, change that to dcpromo... dcpromo will give you the option to install and configure DNS on the computer


As far as rights... what kind? NTFS, share, directory ACLs (in AD)?

On the DC:
Forwarders should be used to your ISP's DNS server (actually you'll be better off using 4.2.2.2).
The DC (PDC emulator) should point to itself and itself only for DNS server.
Go into advanced TCP/IP properties on XP clients and 2003 servers and, on the WINS tab, enable NetBIOS over TCP/IP, and ensure the DNS tab stays at the defaults on every machine.


For restricting websites... there are really no applicable group policy settings or anything for this.....


You can make software restriction policies to block chat software from running or installing (but blocking from installing can be tricky).

Once you're in your domain, you can make it so your users cannot install programs.

Just take a real good look at group policy.


-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Brandon - he only has one server and four workstations. Putting DHCP and the domain on the same server is OK in this situation.

Talkcity - To be honest, if you don't expect to grow that fast I wouldn't even run DHCP. You can always implement it later. Also, you have a lot you are wanting to do and most of it is really easy. If you need help just ask questions as you go along.

Network Admin
A+, Network+, MCSA 2000, MCSE 2000
 
ADgod,

What is the deal with the antivirus not scanning the SYSVOL? What are the repercussions? I have not set an exclusion and everything seems to be working fine. What's up?
 
Thank you everyone for all the feedback. I am helping someone set up the network, since the tech they dealt with kind of messed up everything and didn't take responsibility for it. I will post questions as I come across any issues.

I guess the network will be
(1) domain controller (the machine where Windows 2000 Server sits; this machine will have 2 partitions, 1 for the server and the other where the files and database will be shared from)
(4) workstations (2 Windows 2000 Professional & 2 Windows XP Pro)

Sharing only a folder for the files and database.

Workstations will be joined to the server.

 
Make sure you have a decent firewall in place and set up correctly. Personally I would have a hardware device even if you use a software firewall internally.

On the workstations make sure you have some anti-malware resident; one of the biggest threats is malware/spyware. The MS beta is OK but CounterSpy is better.


I have NAV set up to scan "selected files", never had anything get through, speeds up the server. Make sure you uncheck the "realtime server" and client drive type "network". Ztrek7 is concerned about excessive scanning on certain directories; with "selected files" you will not have a problem.
DHCP will not be a problem on the DC; I have much larger networks with AD, and DHCP does not cause problems. With so few machines, you could go static addressing; the only real advantage at this point of DHCP is getting laptops coming in from the outside onto the network with minimal effort.

Good reference... Mark Minasi's Mastering Windows Server 2003 by Sybex.
 
Sounds like you have a plan. The call on DHCP on this server is fine. You may want to look into blocking certain ports on the workstations, so they can't get to things like Yahoo. Keep us informed. Good luck.

Glen A. Johnson
Johnson Computer Consulting
If you're from Northern Il, Southern Wi, feel free to join Tek-Tips in Chicago IL
 
Ah, didn't realize it was his only server (guess I should've read better).

Yeah, it's OK to run it on there.

Just occasional resource wrestling due to the two databases being on the same machine.

You guys are correct though, with the 1 server that should be fine.

With that few clients too, there will be no contention.

Was just kinda telling him from the best practice perspective.



-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Hi

How can I block ports on workstations so that they cannot use Yahoo chat, AIM or MSN Messenger?

Once again thanks to everyone for all the help.
 
Well, there's a problem with TCP/IP port filtering to make you aware of: it is very, very administratively intensive if you elect to use filtering. You can only allow all ports, or else you can choose "allow only"... the problem with that is you need to ensure you open all ports necessary for domain authentication, ports for email, ports for HTTP and HTTPS, and any app-specific ports you may need.

So all in all, just domain authentication will cause you to open 53, 123, 135, 88, 1024-5000, 80, 663, and some others.

Review KB179442 (just Google it and it'll be one of the top links) and pay attention to the Win2000 portion... you should not need to worry about NT4 ports, but since we are talking about port filtering on the NIC, you can add those too..... ICMP is also very, very important, because as stupid as it is, group policy application relies on the ability to ping the DC for application... if I remember right that is port 7, and is not mentioned in 179442 (I'm gonna have to submit a change request for that, come to think of it).

A word of warning: you will probably be on the phone with me before too long running this configuration.
It is NOT a good idea to filter your clients like that.

If you have a hardware firewall, you need to use that if you want to eliminate future expenses.

Another option is of course to use the Windows Firewall to block the necessary ports... that is a better solution; however, you will still be required to make all necessary exceptions to allow all the same items (just like port filtering, except Windows Firewall will give a checkbox for most well-known ports, which makes it much, much easier).

Another idea would be the Content Advisor in IE.... this is a pain in the butt though... it will lock all sites until explicitly allowed. The 2 easiest routes for you are either all the steps below, or steps 3-4 will do the trick for you as well....
1. Install all messenger programs, 1 at a time
2. Start a netmon trace (or netcap if on XP) and start the messenger programs 1 at a time, stopping the trace after disconnecting... this will give you the ports and protocols to block for each chat program... easiest to read will be individual traces per chat program
3. After that, review the install path of the program
4. Create a software restriction policy to block the chat program executable from running... you can take this further and restrict the key it writes to as well (these will all be found under HKLM\Software most likely). Do this for each chat program; it will keep them from running at all, and then you have no ports to worry about.


-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
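Step 4 of the post above, as an added example that is not part of the thread: a PowerShell script that writes the same Software Restriction Policy "Disallowed" path rules that the Local Security Policy snap-in (secpol.msc) creates, and lists them back so you can confirm what is blocked. It is written for PowerShell 3.0 or later (a current Windows workstation, not the Win2K boxes themselves), and assumes you run it as a local administrator, that no domain GPO with its own Safer policy overrides the local one (a GPO-delivered policy replaces these keys), that the policy was created once through secpol.msc first (so the remaining defaults such as the executable-type list are already in place), and that the three install paths are placeholders to be replaced with whatever you found in step 3. The registry layout used (CodeIdentifiers, DefaultLevel, level subkey 0 for Disallowed, Paths\{GUID} holding ItemData and SaferFlags) is the one Windows reads; the helper names are this example's own.

```powershell
# Added example (not from the thread): add SRP "Disallowed" path rules for
# chat clients by writing the registry keys that secpol.msc writes.
# Assumes PowerShell 3.0+, local admin rights, and that no domain GPO
# overrides the local Safer policy.  Install paths below are placeholders.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level: Disallowed
$Unrestricted = 262144   # 0x40000, SRP security level: Unrestricted

function Initialize-SaferPolicy {
    # Make sure the container exists and the default level stays Unrestricted,
    # so only the explicit rules below block anything.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    New-ItemProperty -Path $SaferRoot -Name DefaultLevel       -PropertyType DWord -Value $Unrestricted -Force | Out-Null
    New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -PropertyType DWord -Value 1             -Force | Out-Null
    New-ItemProperty -Path $SaferRoot -Name PolicyScope        -PropertyType DWord -Value 0             -Force | Out-Null
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Description = ''
    )
    # Each rule is a GUID-named key under <level>\Paths; level 0 is Disallowed.
    # ItemData may contain environment variables and wildcards, as in the UI.
    $ruleKey = "$SaferRoot\$Disallowed\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $ruleKey
}

function Get-SaferPathRules {
    # Read back every Disallowed path rule currently in the local policy.
    $paths = "$SaferRoot\$Disallowed\Paths"
    if (-not (Test-Path $paths)) { return @() }
    Get-ChildItem $paths | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Rule        = $_.PSChildName
            Path        = $v.ItemData
            Description = $v.Description
        }
    }
}

Initialize-SaferPolicy
# Placeholder install paths: replace with the paths the installers actually used.
Add-SaferPathRule -Path '%ProgramFiles%\Yahoo!\Messenger\*' -Description 'Block Yahoo Messenger' | Out-Null
Add-SaferPathRule -Path '%ProgramFiles%\AIM\*'              -Description 'Block AIM'             | Out-Null
Add-SaferPathRule -Path '%ProgramFiles%\MSN Messenger\*'    -Description 'Block MSN Messenger'   | Out-Null
Get-SaferPathRules | Format-Table -AutoSize
```

Path rules are only as strong as the path: a user who can copy or rename the executable to another location gets around them, so keep users out of the local Administrators group and prefer a hash rule for a binary whose version does not change. Log off and back on (or reboot) before testing, then try to launch the blocked program as an ordinary user to confirm the rule is enforced.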
 
True, true... 4 clients definitely do not constitute the cost of a hardware firewall... I keep forgetting how small an environment it is.... too used to big ones I guess.



OK, so alternative 2.... Norton Internet Security:
trust your internal network IP scheme
disable all ports necessary

everything we went over before

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Hello All:

I just wanted to know if we have the steps right for the installation:

Windows 2K server as a domain controller
1 Install O/S
2 Install DNS
3 Install Active Directory
4 Install DHCP
5 Create shared folder (where can I find information on setting up user rights?)
6 Create computer names
7 Create user accounts

Once again:

1 server
4 workstations (2 windows 2000 pro & 2 windows xp pro)
1 laptop (maybe)

Thanks for all support before everyone
 
Sounds good... but in addition:

1. Be sure the DC points to itself for DNS, as well as all clients
2. Be sure in the advanced TCP/IP properties you have all defaults on the DNS tab, and enable NetBIOS over TCP/IP on the WINS tab
3. Installing DNS is unnecessary as a precursor, as the dcpromo process will prompt you on whether or not to install DNS... just select 'install and configure DNS on this computer'.. the process will take care of the rest for you
4. When setting up your DHCP zone, be sure to NOT put the FQDN for your domain when asked... this is actually a trick in DHCP that causes an additional DNS suffix that is unneeded... typically not a problem.. but I have seen many granular problems with apps and such connecting (occasionally authentication, but not normally a problem in that aspect)


-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
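Items 1 and 2 of the post above, and the same advice earlier in the thread (the DC points at itself and only itself for DNS, clients point at the DC, NetBIOS over TCP/IP enabled on the WINS tab), as an added example that is not part of the thread: a PowerShell check that reads the values the Advanced TCP/IP property sheets store in the registry and reports, per interface, which DNS servers are set and whether NetBIOS over TCP/IP has been disabled. It assumes PowerShell 3.0 or later (so it targets a current Windows box or a later rebuild of this setup rather than the Win2K machines), that it is run locally on the machine being checked, and that $DcAddress is the domain controller's IP (the default is a placeholder). The function name and the pass/fail columns are this example's own.

```powershell
# Added example (not from the thread): report, per network interface, the DNS
# servers and the NetBIOS-over-TCP/IP setting, read from the registry values
# that the Advanced TCP/IP property sheets write.  Assumes PowerShell 3.0+
# and that $DcAddress is the domain controller's IP (placeholder value).
param([string] $DcAddress = '192.168.1.2')

$TcpipIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$NetbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-InterfaceNameResolutionReport {
    param([Parameter(Mandatory)] [string] $ExpectedDns)

    Get-ChildItem $TcpipIfaces | ForEach-Object {
        $guid = $_.PSChildName
        $p    = Get-ItemProperty $_.PSPath

        # Statically configured servers live in NameServer (space- or comma-separated)
        # and take precedence; DHCP-assigned ones live in DhcpNameServer.
        $raw     = if ($p.NameServer) { $p.NameServer } else { $p.DhcpNameServer }
        $servers = @(("$raw" -split '[ ,]+') | Where-Object { $_ })

        # Skip interfaces with no usable address (unplugged NICs, tunnel adapters).
        $ip = @($p.IPAddress + $p.DhcpIPAddress) | Where-Object { $_ -and $_ -ne '0.0.0.0' } | Select-Object -First 1
        if (-not $ip) { return }

        # NetbiosOptions: 0 = default (use the DHCP-supplied setting), 1 = enabled, 2 = disabled.
        $nb  = Get-ItemProperty (Join-Path $NetbtIfaces "Tcpip_$guid") -ErrorAction SilentlyContinue
        $nbo = if ($null -ne $nb -and $null -ne $nb.NetbiosOptions) { [int]$nb.NetbiosOptions } else { 0 }

        [pscustomobject]@{
            Interface     = $guid
            IPAddress     = $ip
            DnsServers    = ($servers -join ', ')
            # The thread's rule for this one-server domain: the DC is the only DNS server listed.
            DnsOk         = ($servers.Count -eq 1 -and $servers[0] -eq $ExpectedDns)
            NetbiosOption = $nbo
            NetbiosOk     = ($nbo -ne 2)
        }
    }
}

Get-InterfaceNameResolutionReport -ExpectedDns $DcAddress | Format-Table -AutoSize
```

Run it on the DC with $DcAddress set to the DC's own address and on each workstation with the same value; a DnsOk of False on the DC usually means the ISP's server was left in the list (that belongs in the DNS server's forwarders, not in the client settings), and a NetbiosOption of 2 means someone chose "Disable NetBIOS over TCP/IP" on the WINS tab.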
 
Thank you for the help.

What does FQDN stand for and what is it for?
 
FQDN = fully qualified domain name.

It is your computer name + the name of the domain; it is in the form computer.domain.com.

MAKE SURE YOU NAME YOUR DOMAIN WITH A DOMAIN.COM FORMAT FOR THE FQDN
If not... expect stuff to break.

ZTREC7 -
The reason for not scanning SYSVOL or the NTDS directory is that if file replication happens to occur at the time the AV is scanning the contents of SYSVOL, file replication will fail with a SHARING_VIOLATION error, which I believe can be seen by setting the debug level to 4 in the registry, but a replication tool such as Ultrasound or FRSDiag should also tell you... as far as the NTDS directory..... this contains the AD database ntds.dit... it's always in use on a DC... can't remember any exact errors off the top of my head

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
For a firewall, I would recommend Smoothwall. It runs on any old box and provides all the protection you will ever need. Add on features like Advanced Web Proxy, IPsec VPN, DansGuardian and ClamAV and you are laughing all the way to the bank.
 