Selecting the Administrator Password
The first configuration task to perform after
installing Windows Server 2012 is to set an administrator password. This
must be done before you can log on the first time. The installation
process automatically creates the default administrator account called,
surprisingly enough, Administrator. This account has local
administrative privileges and enables you to manage all local
configuration settings for the server. For security reasons, it is a
good idea to rename the account after the installation.
Enter and confirm the selected administrator
password. As in earlier Windows operating systems, the password is case
sensitive and can contain up to 127 characters. As a best practice,
always use a strong password for high-privilege accounts such as this
one. A strong password should be at least eight characters long and
include a combination of uppercase and lowercase letters, numbers, and
non-alphanumeric characters.
Choose your password carefully to ensure the
security of the system. You can change both the administrator account
name and password in the Change Password dialog box, which can be opened
from the Ctrl+Alt+Del menu.
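
The password rule and the rename advice above can be checked from PowerShell. This is an added example, not part of the original text; the function names Test-AdminPasswordRule and Get-BuiltinAdministrator are hypothetical.

```powershell
# Added example (not from the original text). Both functions are read-only.

function Test-AdminPasswordRule {
    # Checks a candidate against the rule stated above: 8 to 127 characters,
    # with uppercase, lowercase, numeric and non-alphanumeric characters.
    param([Parameter(Mandatory = $true)][System.Security.SecureString]$Password)

    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $checks = [ordered]@{
            Length8to127    = ($plain.Length -ge 8 -and $plain.Length -le 127)
            Uppercase       = ($plain -cmatch '[A-Z]')
            Lowercase       = ($plain -cmatch '[a-z]')
            Digit           = ($plain -match '[0-9]')
            NonAlphanumeric = ($plain -match '[^a-zA-Z0-9]')
        }
    }
    finally {
        # Wipe the unmanaged copy of the password.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
    [pscustomobject]@{ Passed = ($failed.Count -eq 0); FailedChecks = $failed }
}

function Get-BuiltinAdministrator {
    # The built-in account keeps relative ID 500 after a rename,
    # so it is looked up by SID rather than by name.
    Get-WmiObject -Class Win32_UserAccount `
        -Filter "LocalAccount=True AND SID LIKE 'S-1-5-21-%-500'" |
        Select-Object Name, SID, Disabled,
            @{ Name = 'StillDefaultName'; Expression = { $_.Name -eq 'Administrator' } }
}

# Usage: the candidate is typed at a prompt, so it never lands in command history.
#   Test-AdminPasswordRule -Password (Read-Host 'Candidate password' -AsSecureString)
Get-BuiltinAdministrator
```

Because the account's SID does not change when it is renamed, the rename removes a well-known logon name but does not hide the account from anyone who can enumerate SIDs.
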
Providing the Computer Name and Domain
Once the administrator password has been set,
initial configuration tasks can be executed using the Local Server view
in Server Manager, starting with the computer name and domain or
workgroup membership.
Use the current computer name and workgroup
name links to open the System Properties dialog and click the Change
button to specify a new computer name and to change your workgroup name
or join a domain. If you are joining an existing domain, you need the
logon name and password for an account with appropriate domain
permissions. Alternatively, you can have the administrator of the domain
add your computer name into the domain so that your server can connect.
If you do not know the name of the domain that the server will be a
member of, or if you do not have the administrative rights to join the
server to the domain, you can still change the computer name and you can
always join the server to a domain later.
Enabling Automatic Updating and Feedback
Next, the link next to the Windows Update
label is used to configure how your system maintains its health and
security by automatically downloading and installing software updates.
Although you can select the default
configuration that will install updates automatically by clicking the
Turn On Automatic Updates button, server administrators can use the
Let Me Choose My Settings link to open the advanced configuration dialog
and select the desired options.
Options for deployment of important updates
are to not check for updates, to check for updates and only
notify the administrator, to check for and download updates before
prompting the administrator to install the patches, and (the default
option) to install updates automatically. Servers are
usually configured using the second or third option to strike a balance
between timely patch deployment and administrative control.
Additional options include the ability to
include recommended updates in the automated process and, if the
automatic updates option was selected, the option to configure the
maintenance window for automated installation.
When patching enterprise environments, it is a
best practice to control software updates via a patching solution, such
as System Center Configuration Manager 2012 or Windows Server Update
Services (WSUS).
Downloading and Installing Updates
Even though you might have selected the option
in the previous steps to automatically configure server updates, it is
still possible to download and install updates manually by clicking the
links next to Last Installed Updates and Last Checked for Updates. When
these are clicked, the server connects to the Microsoft Windows Update
site. Before configuring roles or features or making your server
available to users on the network, it is a best practice to install the
latest updates and patches from Microsoft. If your environment uses an
automated tool such as WSUS, tested and approved patches might already
be installed by your update and patching infrastructure if the system
was joined to the domain and is configured to do so.
Note
When selecting the install links for the very
first time, if updates are not being installed automatically, you are
prompted with the option to turn on automatic updates. In addition, it
is possible to click the Find Out More link to obtain updates for other
Microsoft products installed on the server.
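
The update options and the last-checked and last-installed values described in the two sections above can be read back through the Windows Update Agent automation object. This is an added example, not part of the original text; the function name Get-AutoUpdateState is hypothetical.

```powershell
# Added example (not from the original text). Read-only query of the
# Windows Update Agent through its COM automation interface.

function Get-AutoUpdateState {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate

    # NotificationLevel values 1 to 4 correspond, in order, to the four
    # options for important updates listed in the text.
    $meaning = @{
        0 = 'Not configured'
        1 = 'Never check for updates'
        2 = 'Check for updates and notify'
        3 = 'Download updates, then prompt to install'
        4 = 'Install updates automatically'
    }
    $level = [int]$au.Settings.NotificationLevel

    [pscustomobject]@{
        NotificationLevel   = $level
        Meaning             = $meaning[$level]
        IncludesRecommended = $au.Settings.IncludeRecommendedUpdates
        # True when the settings cannot be changed locally, for example
        # because they are enforced through policy.
        SettingsReadOnly    = $au.Settings.ReadOnly
        LastCheckedOk       = $au.Results.LastSearchSuccessDate
        LastInstalledOk     = $au.Results.LastInstallationSuccessDate
        # The text recommends the second or third option for servers.
        MatchesServerAdvice = ($level -eq 2 -or $level -eq 3)
    }
}

Get-AutoUpdateState | Format-List
```
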
Configuring Windows Firewall
By default, Windows Firewall is turned on when
the base OS is first installed. Although the firewall only protects the
server from inbound and outbound access (as opposed to compromises from
within the OS, such as a virus or other malware), this is usually adequate
protection on a newly built machine until the system is patched and
loaded with antivirus software or any other protective systems.
Unless you configure exceptions to the
firewall, users cannot access resources or services on the server.
Exceptions to this are roles and features installed using Server Manager
or PowerShell. Many roles and features automatically create the
required exceptions for their own workload, enabling you to leave the
firewall on while allowing access to specific functions on the server,
if desired. With Windows Server 2012, it is possible to configure
incoming and outgoing firewall rules on each network connection using
the Windows Firewall with Advanced Security console available from the
Tools menu in Server Manager.
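
Because roles and features create their own exceptions, it helps to record which inbound rules are open on the fresh build and compare again after each role is added. This is an added example, not part of the original text; the baseline path and the function name Get-InboundException are assumptions.

```powershell
# Added example (not from the original text). Inventory of firewall
# exceptions; the only thing it writes is the baseline file below.
$BaselinePath = Join-Path $env:TEMP 'fw-baseline.xml'   # assumed location

function Get-InboundException {
    # Every enabled inbound rule that allows traffic is an exception.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Group     = if ($_.DisplayGroup) { $_.DisplayGroup } else { '(ungrouped)' }
                Rule      = $_.DisplayName
                Profile   = [string]$_.Profile
                Protocol  = [string]$port.Protocol
                LocalPort = @($port.LocalPort) -join ','
            }
        }
}

# Profile state. NotConfigured falls back to the built-in default,
# which blocks inbound connections that match no allow rule.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

$current = @(Get-InboundException)
if (Test-Path $BaselinePath) {
    # Later run: list only the exceptions added since the baseline was taken.
    $baseline = @(Import-Clixml $BaselinePath)
    Compare-Object $baseline $current -Property Group, Rule, Protocol, LocalPort |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Sort-Object Group, Rule |
        Format-Table Group, Rule, Protocol, LocalPort -AutoSize
}
else {
    # First run on the fresh build: save the baseline and summarise per group.
    $current | Export-Clixml $BaselinePath
    $current | Group-Object Group | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```
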
Enabling Remote Management and Remote Desktop
The links for Remote Management and Remote
Desktop provide a quick way to configure the server for remote
administration. Remote Management allows remote connections to the
server using tools such as Server Manager, PowerShell, and Windows
Management Instrumentation (WMI).
By enabling Remote Desktop, you can connect to
the server using a remote desktop (or Remote Desktop Protocol [RDP])
session. An important security option is configured when the component
is enabled. The two choices for allowing Remote Desktop access are Allow
Connections from Computers Running Any Version of Remote Desktop (Less
Secure) and Allow Connections from Computers Running Remote Desktop with
Network Level Authentication (More Secure).
Using Remote Desktop to manage systems greatly
eases administration of servers but does open another door into each
system; therefore, consider restricting access via Remote Desktop to
users who have a need to access those systems. Access to RDP sessions is
controlled using the membership of the Remote Desktop Users group.
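
The Remote Desktop choices described above can be audited from the registry and the local group. This is an added example, not part of the original text; the function name Get-RemoteDesktopExposure and the list of broad principals it flags are assumptions.

```powershell
# Added example (not from the original text). Read-only audit of the
# Remote Desktop settings. Values enforced through Group Policy are stored
# under a separate Policies key and are not read here.

function Get-RemoteDesktopExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication: 1 = Network Level Authentication required (More Secure).
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication

    # ADSI is used so the lookup works with the PowerShell version that
    # ships with Windows Server 2012.
    $group   = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })

    $findings = @()
    if ($deny -eq 0 -and $nla -ne 1) {
        $findings += 'Remote Desktop is enabled without NLA (Less Secure option)'
    }
    # Assumed list of principals that are too broad for this group.
    $broad = @($members -match '/(Everyone|Authenticated Users|Domain Users)$')
    if ($broad.Count -gt 0) {
        $findings += 'Broad principal in Remote Desktop Users: ' + ($broad -join '; ')
    }

    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        RemoteDesktopUsers   = $members
        Findings             = $findings
    }
}

Get-RemoteDesktopExposure | Format-List
```

By default, members of the local Administrators group can also log on through Remote Desktop, so review that group alongside Remote Desktop Users.
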
Configuring Networking
Windows Server 2012 introduces network
interface card (NIC) teaming as part of the operating system. Click the
Network Adapter Teaming link to open the NIC Teaming configuration
dialog, from where you can create and manage teams on local and remote
servers.
Links for each network connection are
available to configure network settings. By default, Windows Server
2012, as with earlier versions of Windows, installs Client for Microsoft
Networks, File and Printer Sharing for Microsoft Networks, and
TCP/IPv4. In addition, Windows Server 2012 installs Microsoft Network
Monitor 3 Driver, QoS Packet Scheduler, Internet Protocol version 6
(TCP/IPv6), Link-Layer Topology Discovery Mapper I/O Driver, and
Link-Layer Topology Discovery Responder.
The client, service, and protocols that are
installed by default will meet most companies’ needs and require little
manual configuration. You will, however, likely want to change the
TCP/IPv4 and TCP/IPv6 settings and assign a static address for the
server.
Sending Feedback to Microsoft
Two core configuration options control whether
the server participates in Microsoft programs designed to improve the Windows
Server product. Although it is easy to dismiss these features, the
tools do provide you an easy way to submit your experience with
Microsoft products with very little or no effort. Anonymous information
gathered from users shapes Microsoft products and technologies, so if
you don’t have corporate policies that prohibit sharing technical
information outside of your organization, give some thought to
participating. If selected, the following options can be configured:
• Windows Error Reporting—Windows
Error Reporting, by default, prompts you to send detailed information
to Microsoft when errors occur on your server. You can turn this
function off or configure it to automatically send the error information
to Microsoft. You can further configure whether detailed or summary
reports are sent. Reports contain information that is most useful for
diagnosing and solving the problem that has occurred.
• Customer Experience Improvement Program—The
Customer Experience Improvement Program (CEIP) gathers anonymous
information and periodically sends it to Microsoft. CEIP reports
generally include information about the features and general tasks
performed by a user as well as any problems encountered when using the
Microsoft product.
Configuring Browser Security
Internet Explorer Enhanced Security
Configuration (IE ESC) is a default application configuration on servers
that greatly reduces the potential for the server to be infected with
malware when browsing the web. This is accomplished by disabling many
components and interfaces in Internet Explorer, which makes the browser
experience more secure and extremely limited. Because the best practice
is to avoid browsing websites directly on a server, this is a welcome
protection layer that should be maintained.
Certain server workloads, most typically
Remote Desktop Services, might require disabling IE ESC for users. Even
in those environments, it is still recommended to keep the setting
enabled for administrators as a security precaution.
Setting the Time Zone
The Time Zone link is used to open the Date
and Time dialog box. On the Date and Time tab, set the time zone where
the server will operate by clicking the Change Date and Time button. In
addition, click the Change Time Zone button to configure the time zone
for the server. The next tab, Additional Clocks, as displayed in Figure 4,
should be utilized if there is a need to display the time in another
time zone. Up to two clocks can be configured on this tab.
Figure 4. Configuring additional clocks.
Activate Windows
The last link, labeled Product ID, opens the
Windows Activation Wizard. As with other Microsoft operating systems,
Windows Server 2012 must be activated within a set number of days. In
the Windows Activation dialog box, enter the product key, which will be
validated once complete. Click Activate to complete the activation.
Adding Roles
Once the basic configuration steps are
completed, you can use the Manage menu to add server roles to your
server, such as Active Directory Domain Services, Active Directory Rights
Management Services, DNS Server, and many more. The process also
adds dependent services and components as needed (alerting you along the
way). This ensures that as you are setting up your system, all the
necessary components are installed—alleviating the need to use multiple
tools to install, secure, and manage a given server role—and that the
roles are set up securely, meaning that only the required components and
configurations are implemented and nothing more. Although it’s critical
to understand dependencies for whatever role or function the server
might hold, getting the system set up quickly, efficiently, and
accurately is always paramount, and these setup tools help accomplish
just that.
Adding Features
Features are added from the same wizard as
roles, using the Manage menu. Features are secondary to roles but
contain powerful and useful tools that can be installed on the server.
Features such as RPC over HTTP Proxy (for Exchange), Multipath I/O, .NET
Framework 3.5 features, Background Intelligent Transfer Service (BITS),
and SMTP Server can be installed and configured. Backup and other
management tools can also be installed using this tool.