Need some advice on learning networking

  • BillyCarpenter
    Field Supervisor

    Site Contributor
    VIP Subscriber
    10,000+ Posts
    • Aug 2020
    • 16308

    #1216
    Re: Need some advice on learning networking

    rthonpm,


    I need to draw on your vast pool of knowledge before I get too far out over my skis.

    My server is in the very back of the building in the server room and I wanted to access it from another PC so I set up Remote Desktop Services. Is there any downside to this and/or is there a better way?


    Also, I want to be able to access the server off site. What's the best way to do that?

    Thanks.
    Last edited by BillyCarpenter; 12-29-2021, 06:08 PM.
    Adversity temporarily visits a strong man but stays with the weak for a lifetime.


    • rthonpm
      Field Supervisor

      2,500+ Posts
      • Aug 2007
      • 2847

      #1217
      Re: Need some advice on learning networking

      Originally posted by BillyCarpenter
      rthonpm,


      I need to draw on your vast pool of knowledge before I get too far out over my skis.

      My server is in the very back of the building in the server room and I wanted to access it from another PC so I set up Remote Services. Is there any downside to this and/or is there a better way?


      Also, I want to be able to access the server off site. What's the best way to do that?

      Thanks.
      Remote services, or Remote Desktop? There is a big difference between the two. Internally all you really need is remote desktop enabled on the server and accessible only by an administrator account. Best practice in any domain is to have a separate admin account that's used just for management tasks. In my company domain I actually have three user accounts: standard user, workstation and server admin account, and domain admin account. Taking it even further, instead of logging into the server for management tasks, just install the optional RSAT features available through Windows to manage the server (Available features on demand | Microsoft Docs). If nothing else, you want to install Server Manager. Using those, I rarely, if ever, have to log into a server directly (especially since most of mine are Server Core installs). You may also want to consider setting up another VM to host a server instance of Windows Admin Center, which is a web app that allows you to manage servers and workstations and will likely be the tool that Microsoft moves towards using and improving over RSAT (Windows Admin Center Overview | Microsoft Docs).

      I use both as there are some features easier to do in one than in the other.

      For remote access to the server(s), do NOT, DO NOT, I repeat: DO NOT open RDP over the internet through port forwarding or some other method. The only way to securely allow a connection from outside your network is going to be a VPN. People will recommend TeamViewer or other software, which is just going to open up a potential hole to be exploited. Set up a VPN that grants you access to your internal LAN and then access the servers that way: it's much more work than some download off the internet, but do you really want your servers just sitting there waiting for a connection?

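      The posture rthonpm describes (Remote Desktop on for admins only, reachable from the LAN or a VPN and never from the internet) can be checked on the server itself. The script below is an added example, not code from the thread; it assumes an elevated PowerShell session on a Windows Server and treats the built-in "Remote Desktop" firewall rule group and the "Remote Desktop Users" local group as the things worth auditing.

```powershell
# Added example (not from the thread): read-only audit of a server's Remote
# Desktop posture. Optional -Harden applies two safe fixes (require NLA, scope
# the RDP firewall rules to the local subnet); it never enables or opens RDP.
[CmdletBinding()]
param([switch]$Harden)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 0 means enabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -ne 0) { $findings.Add('RDP is disabled on this server.') }

# 2. Network Level Authentication: the client authenticates before a session
#    is created, so unauthenticated clients never reach the logon screen.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    $findings.Add('NLA is not required for RDP connections.')
    if ($Harden) { Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 }
}

# 3. Who may log on over RDP besides local Administrators? Anything in
#    'Remote Desktop Users' that is not a dedicated admin account is a finding.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
foreach ($m in $rdpUsers) { $findings.Add("Non-admin RDP logon allowed: $($m.Name)") }

# 4. Firewall scope: the built-in 'Remote Desktop' rules default to
#    RemoteAddress 'Any'. On a LAN-only server they should be LocalSubnet (or
#    the management subnet); a VPN client then lands inside that scope anyway.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True
foreach ($r in $rules) {
    $scope = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($scope -contains 'Any') {
        $findings.Add("Rule '$($r.DisplayName)' accepts RDP from any address.")
        if ($Harden) { $r | Set-NetFirewallRule -RemoteAddress LocalSubnet }
    }
    # The Public profile should never carry an RDP allow rule.
    if ("$($r.Profile)" -match 'Public|Any') {
        $findings.Add("Rule '$($r.DisplayName)' is active on the Public profile.")
    }
}

if ($findings.Count -eq 0) { 'RDP posture matches the LAN-only baseline.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without `-Harden` first; a server that is already reached only through a VPN should report no findings.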

      • slimslob
        Retired

        Site Contributor
        25,000+ Posts
        • May 2013
        • 36905

        #1218
        Re: Need some advice on learning networking

        Originally posted by BillyCarpenter
        rthonpm,


        I need to draw on your vast pool of knowledge before I get too far out over my skis.

        My server is in the very back of the building in the server room and I wanted to access it from another PC so I set up Remote Services. Is there any downside to this and/or is there a better way?


        Also, I want to be able to access the server off site. What's the best way to do that?

        Thanks.
        My daughter is a Computer Science Professor at the local Cal State University. They had some work scheduled to be done Monday morning. Their in-house Computer Science and Engineering IT is currently visiting with his parents in Canada and came in remotely Sunday to sequence all their servers down. No problems with the shutdown.


        • BillyCarpenter
          Field Supervisor

          Site Contributor
          VIP Subscriber
          10,000+ Posts
          • Aug 2020
          • 16308

          #1219
          Re: Need some advice on learning networking

          Originally posted by rthonpm
          Remote services, or Remote Desktop? There is a big difference between the two. Internally all you really need is remote desktop enabled on the server and accessible only by an administrator account. Best practice in any domain is to have a separate admin account that's used just for management tasks. In my company domain I actually have three user accounts: standard user, workstation and server admin account, and domain admin account. Taking it even further, instead of logging into the server for management tasks, just install the optional RSAT features available through Windows to manage the server (Available features on demand | Microsoft Docs). If nothing else, you want to install Server Manager. Using those, I rarely, if ever, have to log into a server directly (especially since most of mine are Server Core installs). You may also want to consider setting up another VM to host a server instance of Windows Admin Center, which is a web app that allows you to manage servers and workstations and will likely be the tool that Microsoft moves towards using and improving over RSAT (Windows Admin Center Overview | Microsoft Docs).

          I use both as there are some features easier to do in one than in the other.

          For remote access to the server(s), do NOT, DO NOT, I repeat: DO NOT open RDP over the internet through port forwarding or some other method. The only way to securely allow a connection from outside your network is going to be a VPN. People will recommend TeamViewer or other software, which is just going to open up a potential hole to be exploited. Set up a VPN that grants you access to your internal LAN and then access the servers that way: it's much more work than some download off the internet, but do you really want your servers just sitting there waiting for a connection?
          I installed Remote DESKTOP Services. I went back and changed it in my original post. Sorry for the confusion.

          That tells me what I need to know. Now I just need to figure out how to set up a VPN. Are there any ports that I need to open?
          Adversity temporarily visits a strong man but stays with the weak for a lifetime.


          • rthonpm
            Field Supervisor

            2,500+ Posts
            • Aug 2007
            • 2847

            #1220
            Re: Need some advice on learning networking

            Originally posted by BillyCarpenter
            I installed Remote DESKTOP Services. I went back and changed it in my original post. Sorry for the confusion.

            That tells me what I need to know. Now I just need to figure out how to set up a VPN. Are there any ports that I need to open?
            You can remove the Remote Desktop Services feature as you don't need it: all you're looking for is just plain old fashioned Remote Desktop, which shows up when you open Server Manager. Make sure it's enabled, as well as Remote Management, which will enable most of the rules you need to manage a server remotely.

            [Attachment: Screenshot 2021-12-29 123442.png]

            As for any ports to open for a VPN, it's going to depend on what ports it uses on the WAN side as you want to enable access to your entire LAN from the VPN when connected, so essentially the VPN will all but be another subnet to your network. This is all stuff I generally farm out since I have enough time keeping up with servers, workstations, and MFP's.


            • BillyCarpenter
              Field Supervisor

              Site Contributor
              VIP Subscriber
              10,000+ Posts
              • Aug 2020
              • 16308

              #1221
              Re: Need some advice on learning networking

              Originally posted by rthonpm
              You can remove the Remote Desktop Services feature as you don't need it: all you're looking for is just plain old fashioned Remote Desktop, which shows up when you open Server Manager. Make sure it's enabled, as well as Remote Management, which will enable most of the rules you need to manage a server remotely.


              As for any ports to open for a VPN, it's going to depend on what ports it uses on the WAN side as you want to enable access to your entire LAN from the VPN when connected, so essentially the VPN will all but be another subnet to your network. This is all stuff I generally farm out since I have enough time keeping up with servers, workstations, and MFP's.

              Got it. I'll report back...well...when I have something to report.


              On another note, I'm gonna geek out for just a second.

              The world of networking and Windows Server are vastly different, but there's a beautiful marriage between the two. I first witnessed this when I was integrating the Cisco Wireless LAN Controller and RADIUS.

              Setting up a VPN sounds like it's along those same lines.

              I love Windows Server and everything Cisco...or routing and switches. It's a lot of work, but the payoff is worth it.

              PS - The reason I wanted to access the server on an internal PC is because I need to practice implementing Group Policy and I didn't want to hang out in the server room all day.

              PPS - I want to be able to access remotely just because I want to know how to do it.
              Adversity temporarily visits a strong man but stays with the weak for a lifetime.


              • rthonpm
                Field Supervisor

                2,500+ Posts
                • Aug 2007
                • 2847

                #1222
                Re: Need some advice on learning networking

                Originally posted by BillyCarpenter

                PS - The reason I wanted to access the server on an internal PC is because I need to practice implementing Group Policy and I didn't want to hang out in the server room all day.
                Definitely install the RSAT Group Policy Tools, which will allow you to manage GPO's from any computer on the same network as your DC. Best practice is to have a dedicated management system with RSAT or other management applications installed; that way you can either better audit access, or ensure that you're using a 'safe' machine for management. Early on, there isn't a need for this, but if your environment gets larger then it's something to look into. For the most part though, I don't want to have to log into a server directly to manage it, and it is the 21st century.

                One easy thing to make sure you don't break anything: never edit the default Group Policy object, always create a new one so that you can always disable a policy object to roll back without having to blow up the entire domain.

                Don't put all of your policies into a single GPO, rather build a generic one for settings that will apply to all of your domain members and then create more in-depth policies for specific types of devices or for specific system roles. I mentioned before having firewall rules applied by Group Policy for my servers. Those are located in a policy that only applies to my Server OU. I even have policies that only apply to specific user OU's: for example, the separate admin accounts in our company can't open a browser, email application, or several other applications to prevent them from accessing anything outside the local network (it also ensures that the accounts are only used for their intended purposes). Even better: have your OU's in Active Directory line up as much as possible to your GPO's so that you know how adding a device to an OU will affect it, or what type of policies are applied to a specific type of unit.

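                The two rules above (never edit the default GPO, keep role-specific settings such as server firewall rules in their own GPO linked only to the Server OU) translate directly into the GroupPolicy and NetSecurity cmdlets. The script below is an added example, not rthonpm's or the thread's own code; it assumes the internal domain ad.company.com suggested later in the thread, an OU named Servers, a GPO name and a management subnet of 10.0.99.0/24, all of which are placeholders, plus the RSAT Group Policy Tools on the machine it runs from.

```powershell
# Added example (not from the thread): create and link a NEW GPO for the
# Server OU instead of editing a default policy, and place a firewall rule in
# it. Rollback is disabling one link; the rest of the domain is untouched.
Import-Module GroupPolicy

$Domain   = 'ad.company.com'                      # assumed internal domain
$OuDn     = 'OU=Servers,DC=ad,DC=company,DC=com'   # assumed Server OU
$GpoName  = 'Servers - Firewall Baseline'          # assumed GPO name
$RuleName = 'Allow RDP from management subnet'
$MgmtNet  = '10.0.99.0/24'                         # assumed management subnet

# Guard rail: refuse to touch the two built-in default policies.
$protected = 'Default Domain Policy', 'Default Domain Controllers Policy'
if ($protected -contains $GpoName) { throw "Refusing to modify '$GpoName'." }

# Create the GPO only if it does not exist yet, so re-runs are harmless.
try   { $gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction Stop }
catch { $gpo = $null }
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain `
                   -Comment 'Inbound firewall rules for member servers'
}

# Edit the firewall settings inside the GPO, not on any individual server.
# Open-NetGPO gives an offline session; Save-NetGPO writes it back once.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
$existing = Get-NetFirewallRule -GPOSession $session -ErrorAction SilentlyContinue |
            Where-Object DisplayName -eq $RuleName
if (-not $existing) {
    # Inbound RDP allowed from the management subnet only, Domain profile only:
    # reachable from the LAN (or a VPN client routed onto it) and nowhere else.
    New-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $MgmtNet -Profile Domain -Action Allow | Out-Null
}
Save-NetGPO -GPOSession $session

# Link the GPO to the Server OU only, if it is not linked there already.
$link = (Get-GPInheritance -Target $OuDn -Domain $Domain).GpoLinks |
        Where-Object DisplayName -eq $GpoName
if (-not $link) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes -Domain $Domain | Out-Null
}

# Rollback if the policy misbehaves: disable just this link.
#   Set-GPLink -Name $GpoName -Target $OuDn -LinkEnabled No -Domain $Domain
"GPO '$GpoName' is linked to $OuDn; disable that link to roll it back."
```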

                • BillyCarpenter
                  Field Supervisor

                  Site Contributor
                  VIP Subscriber
                  10,000+ Posts
                  • Aug 2020
                  • 16308

                  #1223
                  Re: Need some advice on learning networking

                  Originally posted by rthonpm
                  Definitely install the RSAT Group Policy Tools, which will allow you to manage GPO's from any computer on the same network as your DC. Best practice is to have a dedicated management system with RSAT or other management applications installed; that way you can either better audit access, or ensure that you're using a 'safe' machine for management. Early on, there isn't a need for this, but if your environment gets larger then it's something to look into. For the most part though, I don't want to have to log into a server directly to manage it, and it is the 21st century.

                  One easy thing to make sure you don't break anything: never edit the default Group Policy object, always create a new one so that you can always disable a policy object to roll back without having to blow up the entire domain.

                  Don't put all of your policies into a single GPO, rather build a generic one for settings that will apply to all of your domain members and then create more in-depth policies for specific types of devices or for specific system roles. I mentioned before having firewall rules applied by Group Policy for my servers. Those are located in a policy that only applies to my Server OU. I even have policies that only apply to specific user OU's: for example, the separate admin accounts in our company can't open a browser, email application, or several other applications to prevent them from accessing anything outside the local network (it also ensures that the accounts are only used for their intended purposes). Even better: have your OU's in Active Directory line up as much as possible to your GPO's so that you know how adding a device to an OU will affect it, or what type of policies are applied to a specific type of unit.
                  Man, you have your stuff down pat. These are some great nuggets that you're dropping. It's really helping me progress. Thanks.
                  Last edited by BillyCarpenter; 12-30-2021, 05:32 AM.
                  Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                  • BillyCarpenter
                    Field Supervisor

                    Site Contributor
                    VIP Subscriber
                    10,000+ Posts
                    • Aug 2020
                    • 16308

                    #1224
                    Re: Need some advice on learning networking

                    I've been studying up on group policy. It's important to get your OU's set up correctly. I want to keep it as simple as possible but I also want to understand how to make it as granular as needed for larger organizations.


                    In my office, I have a server room in the very back of the building and that's where my core (layer 3) switch is located. I have another switch in the front of the building where I have my security system and some other equipment. I have a trunk line run from the core switch to the access switch in the front. The reason I need the trunk line is for the transmission of VLAN tags from one switch to the other.

                    When VLANs are created, you must be careful of what port you're plugging into on the switch or you'll end up on the wrong VLAN. It's not so critical in my case because I have inter-VLAN routing. Still, it's best to label everything...and I have.
                    Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                    • rthonpm
                      Field Supervisor

                      2,500+ Posts
                      • Aug 2007
                      • 2847

                      #1225
                      Re: Need some advice on learning networking

                      Originally posted by BillyCarpenter
                      Man, you have your stuff down pat. These are some great nuggets that you're dropping. It's really helping me progress. Thanks.
                      My company's first domain was built on a 32-bit Server 2003 install. A nasty name change and several upgrades and virtual moves later, still going strong. At this point you're getting the benefit of all my issues and hassles.

                      The main things to keep in mind for an Active Directory environment:

                      Don't name your domain the same as your external sites, it messes up DNS. Your external domain for the web can be company.com, but your internal one should be something different like ad.company.com or local.company.com or hq.company.com.

                      Make sure your GPO's are clean and organised. Don't mash everything into a single one, but also don't create dozens of them that will apply to everything. Try to organise them by what they control (global settings, servers, workstations, special permissions, etc). Once you get the hang of the built in GPO's, you can try adding ADMX templates for third-party software like Chrome, Firefox, or Acrobat which allows you to manage them by group policy. Also make sure you have the latest ADMX templates from Microsoft: Download ADMX Templates for Windows 11 October 2021 Update [21H2] from Official Microsoft Download Center that way you have the latest and greatest in terms of available policies.

                      Make sure your naming conventions are flexible enough to account for the odd and unexpected: your user naming convention should be able to account for people with the same first and last name without a drastic change: say a father and son, or just coincidence. Your device naming convention should allow you to know what a device is just from the name, but don't use locations or departments if possible: that's where your OU's come into play, use something that's immutable to the device so that if it's re-purposed down the line the name still applies to it.

                      In large environments, don't add printers to AD. They don't really exist in it anyway since they're not bound or processing any policies or users; this is especially true if users don't have printers automatically installed by GPO.

                      There's plenty more, but for the initial stages you're looking at, this is the best advice to give.


                      • BillyCarpenter
                        Field Supervisor

                        Site Contributor
                        VIP Subscriber
                        10,000+ Posts
                        • Aug 2020
                        • 16308

                        #1226
                        Re: Need some advice on learning networking

                        I just worked on firewall rules via GPO for a good 1.5 hours. It's powerful stuff. I'm under no illusion that I have arrived when it comes to Windows Server but I am making progress. It helps that my head isn't spinning anymore from CCNA and it really helps that rthonpm is guiding me.

                        I need more practice, though.
                        Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                        • tsbservice
                          Field tech

                          Site Contributor
                          5,000+ Posts
                          • May 2007
                          • 7927

                          #1227
                          Re: Need some advice on learning networking

                          Originally posted by BillyCarpenter
                          I just worked on firewall rules via GPO for a good 1.5 hours. It's powerful stuff. I'm under no illusion that I have arrived when it comes to Windows Server but I am making progress. It helps that my head isn't spinning anymore from CCNA and it really helps that rthonpm is guiding me.

                          I need more practice, though.
                          Consider yourself lucky, lucky man. KYO_OEM and rthonpm plus blackcat, it's a dream team to learn from.
                          A tree is known by its fruit, a man by his deeds. A good deed is never lost, he who sows courtesy, reaps friendship, and he who plants kindness gathers love.
                          Blessed are they who can laugh at themselves, for they shall never cease to be amused.


                          • BillyCarpenter
                            Field Supervisor

                            Site Contributor
                            VIP Subscriber
                            10,000+ Posts
                            • Aug 2020
                            • 16308

                            #1228
                            Re: Need some advice on learning networking

                            Originally posted by tsbservice
                            Consider yourself lucky, lucky man. KYO_OEM and rthonpm plus blackcat, it's a dream team to learn from.


                            I can't say enough good things about all 3. They've all gone out of their way to help me. I don't see KYO around here too often anymore. I miss reading his posts.

                            I can't even begin to tell you how much blackcat has helped me. rthon is a real pro on Windows Server. I'm surprised more aren't soaking up his knowledge. Or maybe they are.
                            Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                            • tsbservice
                              Field tech

                              Site Contributor
                              5,000+ Posts
                              • May 2007
                              • 7927

                              #1229
                              Re: Need some advice on learning networking

                              Originally posted by BillyCarpenter
                              I can't say enough good things about all 3. They've all gone out of their way to help me. I don't see KYO around here too often anymore. I miss reading his posts.

                              I can't even begin to tell you how much blackcat has helped me. rthon is a real pro on Windows Server. I'm surprised more aren't soaking up his knowledge. Or maybe they are.
                              You are doing well, Billy. It's a hard enough job for me to learn properly from one single master.
                              A tree is known by its fruit, a man by his deeds. A good deed is never lost, he who sows courtesy, reaps friendship, and he who plants kindness gathers love.
                              Blessed are they who can laugh at themselves, for they shall never cease to be amused.


                              • BillyCarpenter
                                Field Supervisor

                                Site Contributor
                                VIP Subscriber
                                10,000+ Posts
                                • Aug 2020
                                • 16308

                                #1230
                                Re: Need some advice on learning networking

                                I'm getting better at Group Policy. Every once in a while I'll get screwed up between user and computer policy.

                                It's like being the King of a small colony. Whatever I say, goes. I control any and everything. lol.
                                Adversity temporarily visits a strong man but stays with the weak for a lifetime.
