Windows Server 2019

1. Preparations

1.1. Hyper-V

See Hyper-V - Create Virtual Machine to create a virtual machine with 4 GB of RAM, 2 processors and 100 GB disk space.
Note: Make sure to check ??? in the ??? tab in the virtual machine settings. This allows the Hyper-V feature to be fully functional and to be able to run virtual machines inside the virtualized Windows Server.

Add the following port forwarding rules.

Name    Protocol        Host IP         Host Port       Guest IP        Guest Port
----    --------        ---------       ---------       --------        ----------
RDP     TCP             127.0.0.1       33389           ???             3389
SSH     TCP             127.0.0.1       2222            ???             22

1.2. VirtualBox

See VirtualBox - Create Virtual Machine to create a virtual machine with 4 GB of RAM, 2 processors and 100 GB disk space.
Note: Make sure to check Enable Nested VT-x/AMD-V in the System > Processor tab in the virtual machine settings. This allows the Hyper-V feature to be fully functional and to be able to run virtual machines inside the virtualized Windows Server.
Note: See https://docs.oracle.com/cd/E97728_01/F12469/html/nested-virt.html.

Add the following port forwarding rules.

Name    Protocol        Host IP         Host Port       Guest IP        Guest Port
----    --------        ---------       ---------       --------        ----------
RDP     TCP             127.0.0.1       33389           10.0.2.15       3389
SSH     TCP             127.0.0.1       2222            10.0.2.15       22

1.3. VMware

See VMware - Create Virtual Machine to create a virtual machine with 4 GB of RAM, 2 processors and 100 GB disk space.
Note: Make sure to check Virtualize Intel VT-x/EPT or AMD-V/RVI in the Processors tab in the virtual machine settings. This allows the Hyper-V feature to be fully functional and to be able to run virtual machines inside the virtualized Windows Server.

Add the following port forwarding rules.

Name    Protocol        Host IP         Host Port       Guest IP        Guest Port
----    --------        ---------       ---------       --------        ----------
RDP     TCP             127.0.0.1       33389           192.168.180.15  3389
SSH     TCP             127.0.0.1       2222            192.168.180.15  22

2. Installation

Mount the en_windows_server_version_1903_x64_dvd_58ddff4b.iso file.
Note: Hyper-V Manager and Task Scheduler are only available in the 1903 version.

Boot the computer from the CD/DVD drive.

Language to install:            English (United States)
Time and currency format:       English (United States)
Keyboard or input method:       US

Press Shift+F10 to open a Command Prompt.

Enter the following commands at a Command Prompt.

wpeutil InitializeNetwork
ipconfig
net use W: \\SMRU-HyperV01\Windows$ /Persistent:No
setup.exe /unattend:W:\Unattend-x64.xml

Language to install:            English (United States)
Time and currency format:       English (United States)
Keyboard or input method:       US

Click Next.

Operating system                Architecture    Date modified
-------------------------       ------------    -------------
Windows Server Standard         x64             4/1/2019
Windows Server Datacenter       x64             4/1/2019

Select Windows Server Standard | x64 | 4/1/2019.
Click Next.
Check I accept the license terms.
Click Next.
Delete all partitions.
Select New.
Click Apply.
Click OK.
Select the Primary partition.
Select Format.
Click OK.
Select the Primary partition.
Click Next.
Wait about 10 minutes for the installation to finish.
Select Ok and press Enter.
Type Administr@t0r!@! for the new password and press Tab.
Type Administr@t0r!@! to confirm the password and press Enter.
Select Ok and press Enter.
Type sconfig.cmd and press Enter.
Select Shutdown Server.
Click Yes to confirm.
Unmount the en_windows_server_version_1903_x64_dvd_58ddff4b.iso file.

3. Configuration

3.1. Computer name

Type 2 to change the computer name and press Enter.
Type VBOX-WIN2019 for the new computer name and press Enter.
Click No to skip restarting the computer.

3.2. Static IP Address

Enter the following commands at a Command Prompt with administrative privileges.
```
ipconfig /all
control
```
Open Control Panel.
Select Network and Sharing Center.
Select Change adapter settings.
Right-click the network card and select Properties.
Select Internet Protocol Version 4 (TCP/IPv4).
Click Properties.

Choose Use the following IP address:.

                        VirtualBox              VMware
                        ----------              ------
IP address:             10.0.2.222              129.168.119.222
Subnet mask:            255.255.255.0           255.255.255.0
Default gateway:        10.0.2.2                192.168.119.2

Choose Use the following DNS server addresses.

                        VirtualBox              VMware
                        ----------              ------
Preferred DNS sever:    10.0.2.2                192.168.119.2

Click OK.
Click Close.
Close Network Connections.
Close Network and Sharing Center.

3.3. Time zone

Type 9 to change the date and time and press Enter.
Click Change time zone.
Select (UTC+07:00) Bangkok, Hanoi, Jakarta.
Click OK.
Click OK.

Select Restart Server.
Click Yes to confirm.

3.4. Time Server

The following is from Dean Sherwood: 2024-02-27 13:38 SMRU Active Directory Notes - Windows Server 2022

3.4.1. NTP Configuration

Steps to configure time sync on PDC Emulator (reg add commands in lieu of manually setting as per registry section below)
Set VM hosts to sync to same external time source
RAN ALL THESE COMMANDS ON SMRU-AD02

# **Run VMICTimeProvider=0 only if PDC is guest VM on Hyper-V
# was 1
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

# was 10 so didn't run
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v AnnounceFlags /t reg_dword /d 10

# was 172800
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxPosPhaseCorrection /t reg_dword /d 3600
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config /v MaxNegPhaseCorrection /t reg_dword /d 3600

# was NT5DS
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v Type /t reg_sz /d NTP

# was 1024
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient /v SpecialPollInterval /t reg_dword /d 900

# was 1 so didn't run
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer /v Enabled /t reg_dword /d 1

# set time servers
W32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8" /syncfromflags:manual  /update

net stop w32time && net start w32time

w32tm /resync /rediscover
W32tm /query /source
w32tm /stripchart /computer:0.pool.ntp.org /samples:5 /dataonly

W32tm /query /configuration

[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 3600 (Local)
MaxPosPhaseCorrection: 3600 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 900 (Local)
Type: NTP (Local)
NtpServer: 0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)

3.5. Applications

Install Delta Windows Tools.
Optional: Install VirtualBox Guest Additions.
Optional: Install VMware Tools.
Install Clink.

3.6. App Compatibility Feature On Demand

Optional: Mount the en_windows_server_version_1903_features_on_demand_x64_dvd_ccbecb0b.iso file.
Select Exit to Command Line.

Enter the following commands at a Command Prompt.

dir R:\
Dism.exe /Online /Add-Capability /CapabilityName:ServerCore.AppCompatibility~~~~0.0.1.0                         (1)
Dism.exe /Online /Add-Capability /CapabilityName:ServerCore.AppCompatibility~~~~0.0.1.0 /Source:R: /LimitAccess (2)

1	Internet connection needed. Downloads about 360 MB from Microsoft Update.
2	No Internet connection needed.

Optional: Unmount the en_windows_server_version_1903_features_on_demand_x64_dvd_ccbecb0b.iso file.
Type y to restart the computer.

Extra features provided by App Compatibility FOD:

* Device Manager                devmgmt.msc
* Event Viewer                  eventvwr.msc
* Failover Cluster Manager      cluadmin.msc
* File Explorer                 explorer.exe
* Hyper-V Manager               virtmgmt.msc            1903 version only
* Microsoft Management Console  mmc.exe
* Performance Monitor           perfmon.exe
* Resource Monitor              resmon.exe
* Task Scheduler                taskschd.exe            1903 version only
* Windows PowerShell            powershell_ise.exe

4. Usage

VirtualBox: Connect to VBOX-WIN2019 using PuTTY with localhost and port 2222.
VirtualBox: Connect to VBOX-WIN2019 using RDP with mstsc.exe /v 127.0.0.1:33389.
VMware: Connect to VBOX-WIN2019 using PuTTY with 192.168.243.128 and port 22.
VMware: Connect to VBOX-WIN2019 using RDP with mstsc.exe /v 192.168.243.128:3389.

5. Active Directory Domain Services

See https://infrasos.com/how-to-setup-active-directory-on-windows-server-2022.

Enter the following commands at a PowerShell Command Prompt with administrative privileges.

Get-WindowsFeature
Add-WindowsFeature -IncludeManagementTools -Name AD-Domain-Services
Get-WindowsFeature

Start Server Manager.
Click on the Notifications (yellow exclamation mark) icon at the top right.
Select Promote this server to a domain controller.

Choose Add a new forest.

Root domain name:		test.shoklo-unit.com
Root domain name:		vbox.shoklo-unit.com
Root domain name:		vmware.shoklo-unit.com

Click Next.

Use the Local Administrator password.

Forest functional level:        Windows Server 2016
Domain functional level:        Windows Server 2016

+ Domain Name System (DNS) server
+ Global Catalog (GC)
- Read only domain controller (RODC)

Type the Directory Services Restore Mode (DSRM) password
Password:                       ********
Confirm password:               ********
Password:                       Administr@t0r!@!
Confirm password:               Administr@t0r!@!

Click Next.
Ignore the A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found message.

Click Next.

The NetBIOS domain name:        VBOX
The NetBIOS domain name:        VMWARE

Click Next.

Database folder:                C:\Windows\NTDS
Log files folder:               C:\Windows\NTDS
SYSVOL folder:                  C:\Windows\SYSVOL

Click Next.
Click Next.
Click Install.
Optional: Click Close to restart the computer.
Optional: Close Server Manager.

6. DHCP

See https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-deploy-wps.

Remove-WindowsFeature -Name DHCP
# Restart the computer.
Get-WindowsFeature
Add-WindowsFeature -IncludeManagementTools -Name DHCP
Get-WindowsFeature

See https://www.technig.com/configure-a-dhcp-scope-in-server-2022-using-powershell.

Remove-DhcpServerV4Scope -Force -ScopeId 10.30.1.0
Add-DhcpServerv4Scope -Name "Internal LAN" -StartRange 10.30.1.1 -EndRange 10.30.1.254 -SubnetMask 255.255.255.0
Add-DhcpServerv4ExclusionRange -ScopeId 10.30.1.0 -StartRange 10.30.1.1   -EndRange 10.30.1.65
Add-DhcpServerv4ExclusionRange -ScopeId 10.30.1.0 -StartRange 10.30.1.170 -EndRange 10.30.1.170
Add-DhcpServerv4ExclusionRange -ScopeId 10.30.1.0 -StartRange 10.30.1.201 -EndRange 10.30.1.254
Set-DhcpServerv4Scope -ScopeId 10.30.1.0 -LeaseDuration 00.08:00:00
Get-DhcpServerV4Scope

Set-DhcpServerv4OptionValue -ScopeId 10.30.1.0 -DnsServer 10.30.1.1 -DnsDomain "test.shoklo-unit.com"
Set-DhcpServerv4OptionValue -ScopeId 10.30.1.0 -Router 10.30.1.170
Set-DhcpServerv4OptionValue -ScopeId 10.30.1.0 -OptionId 46 -Value "0x8"
Get-DhcpServerv4OptionValue -ScopeId 10.30.1.0

Remove-DhcpServerv4Reservation -ScopeId 10.30.1.0
Remove-DhcpServerv4Lease -ScopeId 10.30.1.0

Add-DhcpServerv4Reservation -ScopeId 10.30.1.0 -Name SMRU-PRT-TST.test.shoklo-unit.com -IPAddress 10.30.1.47 -ClientId "8C-DC-D4-5B-3D-FB" -Description "HP LaserJet 400 M401n"
Get-DhcpServerv4Binding
Get-DhcpServerv4Lease -IPAddress 10.30.1.47
Get-DhcpServerv4Lease -ScopeId 10.30.1.0

7. Group Policy Management

7.1. TEST Proxy Settings

Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com and select Create a GPO in this domain, and Link it here.
Type TEST Proxy Settings in the Name field.
Click OK.
Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com > TEST Proxy Settings and select Edit.
Right-click User Configuration > Preferences > Control Panel Settings > Internet Settings and select New > Internet Explorer 10.
Select Connections tab.
Choose Never dial a connection.
Click LAN settings.
Check Use a proxy server your LAN (Thise settings will not apply to dial-up or VPN connections).
Click Advanced.
Type 10.30.1.170 in the HTTP Proxy address to use field.
Type 8080 in the HTTP Port field.
Type 10.30.1.170 in the Secure Proxy address to use field.
Type 8080 in the Secure Port field.
Type 10.30.1.* in the Do not use proxy servers for addresses beginning with field.
Click OK.
Click OK.
Check Bypass proxy server for local addresses.
Click OK.
Click Apply.
Click OK.

To Force User: Do the following.
- Select User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel.
- Right-click Disable the Connections page and select Edit.
- Choose Enabled.
- Click Apply.
- Click OK.

8. Active Directory

Note: Needed for Network Printers.

Start Active Directory Users and Computers.
Right-click test.shoklo-unit.com > TEST and select New > Organizational Unit.
Type groups in the Name field.
Click OK.
Right-click test.shoklo-unit.com > TEST > groups and select New > Group.
Type Network-Printers in the Group name field.
Choose Global for the Group scope.
Choose Security for the Group type.
Click OK.

Right-click test.shoklo-unit.com > TEST > users and select New > User.
Type <Printer host name> in the First name field.
Type <Printer host name> in the User logon name field.
Click Next.
Type the SMRU AD Network Printer Password stored in the KeePass Password Manager in the Password field.
Type the SMRU AD Network Printer Password stored in the KeePass Password Manager in the Confirm password field.
Uncheck User must change password at next logon.
Check User cannot change password.
Check Password never expires.
Uncheck Account is disabled.
Click Next.
Click Finish.

Select test.shoklo-unit.com > TEST > users.
Right-click <Printer host name> user and select Properties.
Select Member Of tab.
Click Add.
Type Network-Printers.
Click Check Names.
Click OK.
Select Dial-in tab.
Choose Allow access for the Network Access Permission.
Click Apply.
Click OK.

Close Active Directory Users and Computers.

9. Certification Authority (CA)

See https://learn.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcscertificationauthority?view=windowsserver2022-ps.

CLI

Enter the following commands at a PowerShell Command Prompt with administrative privileges.

Get-WindowsFeature
Remove-WindowsFeature -Name AD-Certificate
Remove-WindowsFeature -Name Web-Server
Get-WindowsFeature

Enter the following commands at a PowerShell Command Prompt with administrative privileges.

Get-WindowsFeature
Add-WindowsFeature -IncludeManagementTools -Name Web-Server
Add-WindowsFeature -IncludeManagementTools -Name AD-Certificate
Add-WindowsFeature -IncludeManagementTools -Name ADCS-Enroll-Web-Pol
Add-WindowsFeature -IncludeManagementTools -Name ADCS-Enroll-Web-Svc
Add-WindowsFeature -IncludeManagementTools -Name ADCS-Web-Enrollment
Get-WindowsFeature

Install-AdcsCertificationAuthority -Force
Install-AdcsWebEnrollment -Force
Install-AdcsEnrollmentWebService -Force
Install-AdcsEnrollmentPolicyWebService -Force

GUI

Perform the following sections.

9.1. Requirements

9.1.1. Service Account

Start Active Directory Users and Computers.
Select test.shoklo-unit.com > Users.
Double-click Administrator.
Select Member Of tab.
Click Add.
Type IIS_IUSRS in the Enter the object names to select field.
Click Check Names.
Click OK.
Click Apply.
Click OK.
Close Active Directory Users and Computers.

9.1.2. Web Server (IIS)

Start Server Manager.
Select Dashboard.
Click Add roles and features.
Click Next.
Choose Role-based or feature-based installation.
Click Next.
Choose Select a server from the server pool.
Select SMRU-SRV-TST.
Click Next.
Check Web Server (IIS).
- Check Include management tools (if applicable).
- Click Add Features
Click Next.
Click Next.
Click Next.
Click Next.
Click Install.
Click Close.

9.2. Installation

Start Server Manager.
Select Dashboard.
Click Add roles and features.
Click Next.
Choose Role-based or feature-based installation.
Click Next.
Choose Select a server from the server pool.
Select SMRU-SRV-TST.
Click Next.
Check Active Directory Certificate Services.
- Check Include management tools (if applicable).
- Click Add Features
Click Next.
Click Next.
Click Next.
Check Certification Authority.
Click Next.
Click Install.
Wait for the installation to finish.
Click Close.

9.3. Configuration

Click the notification icon on Server Manager.
Click Configure Active Directory Certificate Services on the destination server.
Click Next.
Check Certification Authority.
Click Next.
Choose Enterprise CA.
Click Next.
Choose Root CA.
Click Next.
Choose Create a new private key.
Click Next.
Select RSA#Microsoft Software Key Storage Provider for the Select a cryptographic provider.
Select 2048 for the Key length.
Select SHA256 for the Select the hash algorithm for signing certificates issued by this CA.
Uncheck Allow administrator interaction when the private key is accessed by the CA.
Click Next.
Click Next.
Click Next.
Click Next.
Click Configure.
Click Close.

Start Server Manager.
Select Dashboard.
Click Add roles and features.
Click Next.
Choose Role-based or feature-based installation.
Click Next.
Choose Select a server from the server pool.
Select SMRU-SRV-TST.
Click Next.
Expand Active Directory Certificate Services.
Check Certificate Enrollment Policy Web Service.
- Check Include management tools (if applicable).
- Click Add Features
Check Certificate Enrollment Web Service.
Check Certification Authority Web Enrollment.
- Check Include management tools (if applicable).
- Click Add Features
Click Next.
Click Next.
Click Install.
Wait for the installation to finish.
Click Close.
Close Server Manager.

Restart the computer.

Click the notification icon on Server Manager.
Click Configure Active Directory Certificate Services on the destination server.
Click Next.
Check Certification Authority Web Enrollment.
Check Certificate Enrollment Web Service.
Check Certificate Enrollment Policy Web Service.
Click Next.
Choose CA name.
Click Next.
Choose Windows integrated authentication.
Click Next.
Choose Specify service account (recommended).
Click Select.
Type Administrator in the User name field.
Type the Administrator password in the Password field.
Click OK.
Click Next.
Choose Windows integrated authentication.
Click Next.
Choose Choose an existing certificate for SSL encryption (recommended).
Select test-SMRU-SRV-TST-CA.
Select vmware-VMWARE-WIN2025-CA.
Click Next.
Click Configure.
Click Close.
Close Server Manager.

9.4. Certificate Templates

Start Tools > Certification Authority.
Select test-SMRU-SRV-TST-CA > Certificate Templates.
Right-click test-SMRU-SRV-TST-CA > Certificate Templates and select Manage.
Right-click Workstation Authentication and select Duplicate Template.
Select General tab.
Type TEST-GPO-Computers-Authentication in the Template display name.
Check Publish certificate in Active Directory.
Select Security tab.
Select Domain Computers group.
Check Read | Allow.
Check Write | Allow.
Check Enroll | Allow.
Check Autoenroll | Allow.
Click Add.
Type Domain Controllers in the Enter the object names to select field.
Click Check Names.
Click OK.
Select Domain Controllers group.
Check Read | Allow.
Check Write | Allow.
Check Enroll | Allow.
Check Autoenroll | Allow.
Select Extensions tab.
Click Edit.
Click Add.
Select Server Authentication.
Click OK.
Click OK.
Click Apply.
Click OK.
Close Certificate Templates Console.
Right-click Certificate Templates and select New > Certificate Template to Issue.
Select TEST-GPO-Computers-Authentication.
Click OK.
Close Certification Authority.

9.5. Troubleshooting

If cannot request the certificate run the following commands in command line.

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc & net start certsvc

10. Network Policy Server (NPS)

Note: For Windows Server 2019 make sure to modify the service account security identifier of the Network Policy Server service to detect and allow RADIUS traffic. This is needed for wired ethernet connections. It is not needed for wireless wifi connections.
See https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-firewalls-configure.

Enter the following commands at a Command Prompt with administrative privileges.

rem Internet Authentication Service (listed as Network Policy Server under services.msc).
sc.exe query ias
sc.exe qsidtype ias
sc.exe sidtype IAS unrestricted
sc.exe qsidtype ias
powershell.exe restart-service -DisplayName 'Network Policy Server'

Information: See https://learn.microsoft.com/en-us/answers/questions/428098/setup-microsoft-nps-as-radius-server-for-multi-for.html?childToView=428436#comment-428436.
If you use EAP-TLS or PEAP-TLS with certificates as your authentication method, you must use a RADIUS proxy for authentication across forests.

See https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/802-1x-authentication-issues-troubleshooting.

auditpol.exe /get /subcategory:"Network Policy Server"
auditpol.exe /set /subcategory:"Network Policy Server" /success:enable /failure:enable
auditpol.exe /get /subcategory:"Network Policy Server"

10.1. Installation

CLI

Get-WindowsFeature
Add-WindowsFeature -IncludeManagementTools -Name NPAS
Get-WindowsFeature

GUI

Start Server Manager.
Select Dashboard.
Click Add roles and features.
Click Next.
Choose Role-based or feature-based installation.
Click Next.
Choose Select a server from the server pool.
Select LAB1-AD01.
Click Next.
Check Network Policy and Access Services.
- Check Include management tools (if applicable).
- Click Add Features
Click Next.
Click Next.
Click Next.
Uncheck Restart the destination server automatically if requred.
Click Install.
Close Server Manager.

10.2. Configuration

Start Network Policy Server.
Right-click NPS (Local) and select Register server in Active Directory.

Click OK to confirm.

This computer is now authorized to read users' dial-in properties from domain smru-lab.com.

To authorize this computer to read users' dial-in properties from other domains,
you must register this computer to be a member of the RAS/NPS Servers Group in that domain.

Click OK.
Close Network Policy Server.

RADIUS Clients

Start Tools > Network Policy Server.
RADIUS local: Right-click RADIUS Clients and Servers > RADIUS Clients and select New.
- Check Enable this RADIUS client.
- Type TBHF-ANC-TST in the Friendly name field.
- Type 10.30.1.2 in the Address (IP or DNS) field.
- Choose Manual for the Shared Secret.
- Type the shared secret in the Shared secret field.
- Type the shared secret in the Confirm shared secret field.
- Click OK.
- Close Network Policy Server.
RADIUS proxy: Right-click RADIUS Clients and Servers > RADIUS Clients and select New.
- Check Enable this RADIUS client.
- BHF: Type SMRU-LAB-AD01 in the Friendly name field.
- SMRU: Type TBHF-AD01 in the Friendly name field.
- BHF: Type 10.20.2.1 in the Address (IP or DNS) field.
- SMRU: Type 10.20.1.1 in the Address (IP or DNS) field.
- Choose Manual for the Shared Secret.
- Type the secret in the Shared secret field.
- Type the secret in the Confirm shared secret field.
- Click OK.
- Close Network Policy Server.

Remote RADIUS Server

Note: RADIUS server is needed for RADIUS proxy.
Right-click RADIUS Clients and Servers > Remote RADIUS Server and select New.
Select Address tab.
BHF: Type SMRU in the Group name field.
SMRU: Type BHF in the Group name field.
Click Add.
BHF: Type 10.20.1.1 in the Server field.
SMRU: Type 10.20.2.1 in the Server field.
Click Verify.
Click Resolve.
Click OK.
Select Authentication/Accounting tab.
Type the secret in the Shared secret field.
Type the secret in the Confirm shared secret field.
Select Load Balancing tab.
Type 100 in the Weight field.
Click Apply.
Click OK.
Click OK.

Connection Request Policies

RADIUS local

Right-click Policies > Connection Request Policies and select New.
BHF: Type BHF Secure Wired Connections for the Policy name.
BHF: Type BHF Secure Wireless Connections for the Policy name.
SMRU: Type SMRU Secure Wired Connections for the Policy name.
SMRU: Type SMRU Secure Wireless Connections for the Policy name.
TEST: Type TEST Secure Wired Connections for the Policy name.
Click Next.
Click Add.
Select NAS Port Type.
Click Add.
Ethernet: Check Ethernet for the Common 802.1X connection tunnel types.
Wireless: Check Wireless for the Common 802.1X connection tunnel types.
Click OK.

Click Add.
Select User Name.
Click Add.
BHF: Type bhf.bhf-th.org*.bhf-th.com in the User name field.
SMRU: Type smru.shoklo-unit.com in the User name field.
TEST: Type test.shoklo-unit.com in the User name field.
Click OK.
Click Next.
Click Next.
Click Next.
Click Next.
Click Finish.

RADIUS proxy

Right-click Policies > Connection Request Policies and select New.
BHF: Type BHF Secure Wired Connections for the Policy name.
BHF: Type BHF Secure Wireless Connections for the Policy name.
SMRU: Type SMRU Secure Wired Connections for the Policy name.
SMRU: Type SMRU Secure Wireless Connections for the Policy name.
Click Next.
Click Add.
Select NAS Port Type.
Click Add.
Ethernet: Check Ethernet for the Common 802.1X connection tunnel types.
Wireless: Check Wireless for the Common 802.1X connection tunnel types.
Click OK.

Click Add.
Select User Name.
Click Add.
BHF: Type bhf.bhf-th.org*.bhf-th.com in the User name field.
SMRU: Type smru.shoklo-unit.com in the User name field.
Click OK.
Click Next.
Select Authentication.
Choose Forward requests to the following remote RADIUS server group for authentication.
BHF: Select SMRU.
SMRU: Select BHF.
Click Next.
Click Next.
Click Finish.

Network Policies

Domain clients (Windows wired)

Right-click Policies > Network Policies and select New.
BHF: Type BHF Computers Secure Wired Connections for the Policy name.
BHF: Type BHF Computers Secure Wireless Connections for the Policy name.
SMRU: Type SMRU Computers Secure Wired Connections for the Policy name.
SMRU: Type SMRU Computers Secure Wireless Connections for the Policy name.
TEST: Type TEST Computers Secure Wired Connections for the Policy name.
Click Next.
Click Add.
Select Machine Groups.
Click Add.
Click Add Groups.
Type Domain Computers.
Click Check Names.
Click OK.
Click OK.

Click Add.
Select NAS Port Type.
Click Add.
Ethernet: Check Ethernet for the Common 802.1X connection tunnel types.
Click OK.

Click Next.
Choose Access granted.
Click Next.
Uncheck all Less secure authentication methods.
Click Add.
Select Microsoft: Smart Card or other certificate.
Click OK.
Click Next.
Click Next.
Optional: Select Framed-Protocol on Attributes.
- Click Remove.
Optional: Select Service-Type on Attributes.
- Click Remove.
VLAN:
- Click Add.
- Select Tunnel-Type on Attributes.
- Click Add.
- Click Add.
- Choose Commonly used for 802.1x.
- Click OK.
- Click OK.
- Select Tunnel-Pvt-Group-ID on Attributes.
- Click Add.
- Click Add.
- Choose String.
- SMRU: Type 2 for VLAN ID in Enter the attribute value in field.
- BHF: Type 3 for VLAN ID in Enter the attribute value in field.
- Click OK.
- Click OK.
- Select Tunnel-Medium-Type on Attributes.
- Click Add.
- Click Add.
- Choose Choose Commonly used for 802.1x.
- Click OK.
- Click OK.
- Click Close.
Click Next.
Click Finish.

Domain clients (Windows wireless)

Right-click Policies > Network Policies and select New.
BHF: Type BHF Computers Secure Wireless Connections for the Policy name.
SMRU: Type SMRU Computers Secure Wireless Connections for the Policy name.
TEST: Type TEST Computers Secure Wireless Connections for the Policy name.
Click Next.
Click Add.
Select Machine Groups.
Click Add.
Click Add Groups.
Type Domain Computers.
Click Check Names.
Click OK.
Click OK.

Click Add.
Select NAS Port Type.
Click Add.
Check Wireless - IEEE 802.11 for the Common 802.1X connection tunnel types.
Click OK.

Click Next.
Choose Access granted.
Click Next.
Uncheck all Less secure authentication methods.
Click Add.
Select Microsoft: Smart Card or other certificate.
Click OK.
Click Next.
Click Next.
Optional: Select Framed-Protocol on Attributes.
- Click Remove.
Optional: Select Service-Type on Attributes.
- Click Remove.
VLAN:
- Click Add.
- Select Tunnel-Type on Attributes.
- Click Add.
- Click Add.
- Choose Commonly used for 802.1x.
- Click OK.
- Click OK.
- Select Tunnel-Pvt-Group-ID on Attributes.
- Click Add.
- Click Add.
- Choose String.
- SMRU: Type 2 for VLAN ID in Enter the attribute value in field.
- BHF: Type 3 for VLAN ID in Enter the attribute value in field.
- Click OK.
- Click OK.
- Select Tunnel-Medium-Type on Attributes.
- Click Add.
- Click Add.
- Choose Choose Commonly used for 802.1x.
- Click OK.
- Click OK.
- Click Close.
Click Next.
Click Finish.

Network Printers

Right-click Policies > Network Policies and select New.
Type SMRU Secure Wired Connections (Network Printers) for the Policy name.
Click Next.
Click Add.
Select NAS Port Type.
Click Add.
Check Ethernet for the Common 802.1X connection tunnel types.
Click OK.

Click Add.
Select User Groups.
Click Add.
Click Add Groups.
Type Network-Printers.
Click Check Names.
Click OK.
Click OK.

Click Next.
Choose Access granted.
Click Next.
Uncheck all Less secure authentication methods.
Click Add.
Select Microsoft: Smart Card or other certificate.
Click OK.
Select Microsoft: Smart Card or other certificate.
Click Edit.
Select NPS-2019.nps.com (CA server) for the Certificate issued to.
Select SMRU-SRV-TST.test.shoklo-unit.com (CA server) for the Certificate issued to.
Click OK.
Click Next.
Click Next.
Select Framed-Protocol on Attributes.
Click Remove.
Select Service-Type on Attributes.
Click Remove.
Click Next.
Click Finish.

11. Issued Certificates

11.1. Group Policy

For domain clients Windows.

Start Tools > Group Policy Management.
Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com > Default Domain Policy and select Edit.
Select Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
Double-click Certificate Services Client - Auto-Enrollment.
Select Enabled for the Configuration Model.
Check Renew expired certificates, update pending certificates, and remove revoked certificates.
Check Update certificates that use certificate templates.
Click Apply.
Click OK.
Close Group Policy Management Editor.
Close Group Policy Management.

11.2. Manual

For Network Printers.

Type certtmpl.msc and press Enter in the Command Prompt.
Select Certificate Templates (<server name>.<domain name>).
Right-click Web Server and select Duplicate Template.
Select General tab.
Type SMRU Network Printers in the Template display name field.
Type 10 in the Validity period field.
Uncheck Publish certificate in Active Directory.
Select Request Handling tab.
Select Signature and encryption for the Purpose.
Check Allow private key to be exported.
Select Extensions tab.
Select Application Policies.
Click Edit.
Click Add.
Select Client Authentication.
Click OK.
Click OK.
Click Apply.
Click OK.
Close Microsoft Management Console.

Start Certification Authority.
Right-click Certificate Templates and select New > Certificate Template to Issue.
Select SMRU Network Printers.
Click OK.
Close Certification Authority.

Browse to https://<CA-server-IP-address>/certsrv.
Sign in as Administrator.
Click Download a CA certificate, certificate chain, or CRL.
Select Current [<CA certificate name>] for the CA certificate.
Choose DER for the Encoding method.
Click Download CA certificate and name the file <Server name>-CA.cer.
Rename the certnew.cer file to <Server name>-CA.cer.

12. Supplicant

12.1. Windows Wired

12.1.1. GPO

Start Tools > Group Policy Management.
Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com > Default Domain Policy and select Edit.
Select Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
Double-click Wired AutoConfig.
Check Define this policy setting.
Choose Automatic.
Click Apply.
Click OK.

Right-click Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies and select Create A New Wired Network Policy for Windows Vista and Later Releases.
Select General tab.
Type TEST-Computers-Secure-Wired-Connections in the Policy Name field.
Check Use Windows Wired Auto Config service for clients.
Select Security tab.
Check Enable use of IEEE 802.1X authentication for network access.
Select Microsoft: Smart Card or other certificate for the Select a network authentication method.
Click Properties.
Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.
Click OK.
Select Computer only for the Authentication Mode.
Type 1 for the Mac Authentication Failures.
Check Cache user information for subsequent connections to this network.
Click Apply.
Click OK.
Close Group Policy Management Editor.
Close Group Policy Management.

12.1.2. Manual

Services

Start Services.
Right-click Wired AutoConfig and select Properties.
Select Automatic for the Startup type.
Click Start to start the Wired AutoConfig service.
Click Apply.
Click OK.
Close Services.

Network Adapter

Start Network and Sharing Center.
Click Change adapter settings.
Right-click Ethernet and select Properties.
Select Authentication tab.
Check Enable IEEE 802.1X authentication.
Select Microsoft: Protected EAP (PEAP) for the Choose a network authentication method.
Click Settings.
Check Verify the server’s identity by validating the certificate.
Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.
Select Tell user if the server name or root certificate isn’t specified for the Notifications before connecting.
Select Smart Card or other certificate for the Select Authentication Method.
Click Configure.
Choose Use a certificate on this computer.
Check Use simple certificate selection (Recommended).
Check Verify the server’s identity by validating the certificate.
Uncheck Connect to these servers.
Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.
Uncheck Don’t prompt user to authorize new servers or trusted certification authorities.
Uncheck Use a different user name for the connection.
Click OK.
Check Enable Fast Reconnect.
Click OK.
Check Remember my credentials for this connection each tme I’m logged on.
Check Fallback to unauthorized network access.
Click Additional Settings.
Check Specify authentication mode.
Select Computer authentication.
Click OK.
Click OK.
Close Network and Sharing Center.

12.2. Windows Wireless

12.2.1. GPO

Start Tools > Group Policy Management.
Right-click Forest: test.shoklo-unit.com > Domains > test.shoklo-unit.com > Default Domain Policy and select Edit.
Right-click Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies and select Create A New Wireless Network Policy for Windows Vista and Later Releases.
Type TEST-Computers-Secure-Wireless-Connections in the Policy Name field.
Check Use Windows WLAN AutoConfig service for clients.
Click Add.
Select Connection tab.
Type TEST-DOT1X in the Profile Name field.
Type TEST-DOT1X in the Network Name(s)(SSID) field.
Click Add.
Check Connect automatically when this network is in range.
Uncheck Connect to a more preferred network if available.
Uncheck Connect even if the network is not broadcasting.
Select Security tab.
Select WPA2-Enterprise for the Authentication.
Select AIS-CCMP for the Encryption.
Select Microsoft: Smart Card or other certificate for the Select a network authentication method.
Click Properties
Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.
Click OK.
Select Computer authentication for the Authentication Mode.
Click OK.
Click Apply.
Click OK.

12.2.2. Manual

Start Network and sharing Center.
Select Set up a new connection or network.
Select Manually connect to a wireless network.
Click Next.
Type TEST-DOT1X in the Network name field.
Select WPA2-Enterprise for the Security type.
Check Start this connection automatically.
Click Next.
Select Change connection settings.
Select Connection tab.
Check Connect automatically when this network is in range
Select Security tab.
Select WPA2-Enterprise for the Security type.
Select AIS for the Encryption.
Select Microsoft: Smart Card or other certificate for the Choose a network authentication method.
Click Settings.
Check test-SMRU-SRV-TST-CA for the Trusted Root Certification Authorities.
Click OK.
Check Remember my credentials for this connection each time I’m Logged on.
Click Advanced settings.
Select 802.1X settings tab.
Check Specify authentication mode.
Select Computer authentication for the Specify authentication mode.
Click OK.
Click OK.
Click Close.

12.3. Network Printer

Browse to https://<Printer-IP-address>.
Sign in as admin.
Select Networking tab.
Select Security > Certificates.
Click Configure for the Printer Certificate.
Choose Create a Certificate Request.
Click Next.
Type <Printer host name>.<domain> in the Common Name field.
Type Shoklo Malaria Research Unit in the Organization field.
Type SMRU in the Organization Unit field.
Click Next.
Wait for the certificate to be created.
Click Save.
Click OK.
Rename the Certificate.cer file to <Printer host name>-request.cer.

Browse to https://<CA-server-IP-address>/certsrv.
Sign in as Administrator.
Select Request a certificate.
Select advanced certificate request.
Copy the content in the <Printer host name>-request.cer file and paste it in the Saved Request field.
Select SMRU Network Printers for the Certificate Template.
Click Submit.
Choose DER encoded.
Click Download certificate.
Rename the certnew.cer file to <Printer host name>.cer.

Browse to https://<Printer-IP-address>.
Sign in as admin.
Select Networking tab.
Select Security > Certificates.
Click Configure for the Printer Certificate.
Choose Install a Certificate.
Click Next.
Click Choose File.
Select the <Printer host name>.cer file and click Open.
Uncheck Mark private key as exportable.
Click Finish.
Click OK on the The printer certificate has been updated message.

Browse to https://<Printer-IP-address>.
Select Networking tab.
Select Security > Certificates.
Click Configure for the CA Certificate.
Choose Install a CA Certificate.
Click Next.
Click Choose File.
Select the <Server name>-CA.cer file and click Open.
Click Finish.
Click OK on the The CA certificate has been installed message.

Browse to https://<Printer-IP-address>.
Select Networking tab.
Select Security > 802.1X Authentication.
Check EAP-TLS.
Type <Printer host name> in the Username field.
Type the SMRU AD Network Printer Password stored in the KeePass Password Manager in the Password field.
Type the SMRU AD Network Printer Password stored in the KeePass Password Manager in the Confirm password field.
Select Low (DES-56-bit, RC4-128-bit or 3DES-168-bit) for the Encryption Strength.
Select Connect Anyway (802.1X Fail-over) for the On Authentication Failure.
Click Apply.

Start Active Directory Users and Computers.
Check View > Advanced Features to make Name Mappings available in the popup menu.
Select test.shoklo-unit.com > TEST > users.
Right-click <Printer host name> user and select Name Mappings.
Select X.509 Certificates tab.
Click Add.
Select the <Printer host name>.cer file and click Open.
Check Use Issuer for alternate security identity.
Check Use Subject for alternate security identity.
Click OK.
Click Apply.
Click OK.
Close Active Directory Users and Computers.

13. Hyper-V

Enter the following commands at a PowerShell Command Prompt with administrative privileges.

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
Install-WindowsFeature -Name RSAT-Hyper-V-Tools
Install-WindowsFeature -Name RSAT-Clustering -IncludeAllSubFeature
Install-WindowsFeature -Name Multipath-IO -IncludeAllSubFeature
Restart-Computer

14. Update

Enter the following commands at a Command Prompt.
```
sconfig.cmd
```

Enter the following commands at a PowerShell Command Prompt.

Install-Module PSWindowsUpdate
Get-WindowsUpdate
Install-WindowsUpdate

15. Print Server

15.1. Installation

Start Server manager.
Select Dashboard.
Select Add roles and features.
Click Next.
Choose Role-based or feature-based installation.
Click Next.
Choose Select a server from the server pool.
Select <Server> in the Server Pool.
Click Next.
Check Print and Document Services.
- Check Include management tools (if applicable).
- Click Add Features.
Click Next.
Click Next.
Click Next.
Check Print Server.
Click Next.
Check Restart the destination server automatically if required.
Click Install.
Wait less than 1 minute for the installation to finish.
Click Close.

15.2. Configuration

Start Server manager.
Select Tools > Print Management.
Expand Print Servers.
Right-click <Server> (local) and select Add Printer.
Choose Add a TCP/IP or Web Services Printer by IP address or hostname.
Click Next.
Select TCP/IP Device for the Type of Device.
Type <Network Printer IP> in the Host name and IP address field.
Optional: Type <Network Printer IP> in the Port name field.
Uncheck Auto detect the printer driver to use.
Click Next.
Choose Install a new driver.
Click Next.
Click Have Disk.
Click Browse.
Select <Network Printer Driver> folder.
Click Open.
Click OK.
Select <Network Printer>.
Click Next.
Type the <Network Printer Name> you preferred in the Printer Name field.
Check Share this printer.
Type the <Network Printer Name> you preferred in the Share Name field.
Click Next.
Click Next.
Uncheck Print test page.
Uncheck Add another printer.
Click Finish.

16. Domain Trust

16.1. DNS

Start Server manager.
Select Tools > DNS.
Right-click <DNS server name> > Forward Lookup Zones > <Domain name> and select Properties.
Select Zone Transfers tab.
Check Allow zone transfers.
Option 1: Choose To any server.
Option 2: Choose Only to the following servers.
- Add the remote Domain Controller DNS entry.
- Dah to continue:.
Click Apply.
Click OK.

Right-click Forward Lookup Zones and select New Zone.
Click Next.
Choose Secondary zone.
Click Next.
Type bhf.com (remote domain controller domain) in the Zone name field.
Click Next.
Type 10.20.2.1 (remote domain controller IP address) in the Click here to add an IP Address or DNS name field.
Press Enter.
Click Next.
Click Finish.

16.2. Active Directory Domains and Trusts

Start Server manager.
Select Tools > Active Directory Domains and Trusts.
Right-click smru-lab.com (local domain controller domain) and select Properties.
Select Trusts tab.
Click New Trust.
Click Next.
Type bhf.com (remote domain controller domain) in the Name field.
Click Next.
Choose Forest trust.
Click Next.
Choose Two-way.
Click Next.
Choose This domain only.
Click Next.
Choose Forest-wide authentication.
Click Next.
Type password4BS for the Trust password.
Type password4BS for the Confirm trust password.
Click Next.
Click Next.
Click Next.
Choose Yes, confirm the outgoing trust.
Click Next.
Choose Yes, confirm the incoming trust.
2nd DC: Type the 1st DC administrator user name and password.
Click Next.
Click Finish.

Windows Server 2019

Home

1. Preparations

1.1. Hyper-V

1.2. VirtualBox

1.3. VMware

2. Installation

3. Configuration

3.1. Computer name

3.2. Static IP Address

3.3. Time zone

3.4. Time Server

3.4.1. NTP Configuration

3.5. Applications

3.6. App Compatibility Feature On Demand

4. Usage

5. Active Directory Domain Services

6. DHCP

7. Group Policy Management

7.1. TEST Proxy Settings

8. Active Directory

9. Certification Authority (CA)

9.1. Requirements

9.1.1. Service Account

9.1.2. Web Server (IIS)

9.2. Installation

9.3. Configuration

9.4. Certificate Templates

9.5. Troubleshooting

10. Network Policy Server (NPS)

10.1. Installation

10.2. Configuration

11. Issued Certificates

11.1. Group Policy

11.2. Manual

12. Supplicant

12.1. Windows Wired

12.1.1. GPO

12.1.2. Manual

12.2. Windows Wireless

12.2.1. GPO

12.2.2. Manual

12.3. Network Printer

13. Hyper-V

14. Update

15. Print Server

15.1. Installation

15.2. Configuration

16. Domain Trust

16.1. DNS

16.2. Active Directory Domains and Trusts

16.3. DNS Conditional Forwarder