Sunday, January 6, 2008

Initial Setup

Alright. So now that I have some free time, it's the first technical post: Initial Setup.

My Setup:
Currently under my control are three working computers:
Rescate - A computer given to me by a friend of mine.
SweikataServ1 - My Domain Controller
Leviathan - My computer.

Outside of my current workspace is a laptop, Glitch, and two as of yet unnamed unassembled computers. These two currently have no plans, and aren't powerful enough to really handle anything I have in mind for the future.

When I obtained Rescate, I knew I finally had the opportunity (and reason) to build my domain. So, let's begin with what I've accomplished so far:

SweikataServ1 is the primary domain controller. Windows Server 2003 requires at least 512 MB of RAM to run, so make sure your hardware meets this requirement.

Installation of Server 2003 was marked as complete when the computer was updated to all available Microsoft Updates. To actually create a domain, under 'Run' type the command "dcpromo". This begins the Domain Controller Promotion, crafty eh?

Since this is my first domain creation, after reading some documents on how it should be done, I know I've done a lot of things incorrectly. So, to properly do it, I'm linking you to this.

Since I didn't follow these steps, my system is currently flawed. However, my situation is flawed: I'm not in control of my network, nor do I own the domain name sweikata.com. So, in essence, I've created just an internal domain. There isn't anything particularly wrong with this, mind you; I'll just have to reconfigure some things when I do have control of the network (network referring to the physical topology, DHCP, etc.).

With my domain's inception, the first step I went for was creating a user account--not everything can be run as Administrator. Under Administrative Tools, you'll find Active Directory Users and Computers. From here, as long as you have Domain Privileges, you can control any objects in the domain.

Since my domain isn't that expansive, I'll keep everything under the root of sweikata.com; however, if I learn of more security procedures that dictate otherwise, I'll move it. I created an Organizational Unit (or OU for short) called User Accounts. From here, I've created all the accounts I feel necessary. Depending on your mindset on creating accounts, I opted for standard naming conventions for user names: lastname+first_initial+number. This guarantees standardization as well as keeping objects straight. I absolutely cannot stand user accounts like "smithj", followed by "smithjo", then by "smithjoe". It looks abhorrent.

So, the first account: Michael Sweikata (account name sweikatam1). And here I run into my first error: "Windows cannot set the password for (username) because: The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements."

Well shit. I haven't set those yet. So, before creating the account, we must first define the parameters of the account. This is done under the Group Policy Editor. Back under Administrative Tools, I've altered the Default Domain Controller Security Settings. As we define and edit them further, we'll revisit them. Each option explains what its purpose is, and gives you a default value. Set them as you like; I left the maximum password age at 42 days, with the minimum at 1 day. The password length is to be 7 characters, and 0 passwords are remembered under Enforce password history. The final step is to enable the option for complexity requirements. After this is complete, I can now create accounts.
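A rough model of the check behind that error message, as an added example that is not code from this post or from Microsoft: it applies the 7-character minimum and the complexity option described above to a few candidate passwords for sweikatam1. It assumes the documented Windows complexity rule (three of the four character classes upper, lower, digit and symbol, and no account name or full-name token of three or more characters); password age and history are not modeled, and the `POLICY` keys, function name and sample passwords are constructed for illustration.

```python
import re

# Values the post sets in Group Policy; the dict keys are hypothetical names.
POLICY = {"min_length": 7, "complexity": True}

# Delimiters used to split the full (display) name into tokens.
_NAME_DELIMS = r"[,.\-_ #\t]+"


def policy_violations(password, account_name, full_name, policy=POLICY):
    """Return the reasons a password would be rejected (empty list = accepted)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("shorter than minimum length")
    if not policy["complexity"]:
        return problems
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than 3 character classes")
    lowered = password.lower()
    # The account name is matched whole; name tokens under 3 chars are ignored.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains account name")
    for token in re.split(_NAME_DELIMS, full_name):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append("contains part of full name")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the post.
    for candidate in ["", "Sweikata2008!", "blue7Kettle", "password"]:
        result = policy_violations(candidate, "sweikatam1", "Michael Sweikata")
        print(repr(candidate), "->", result or "accepted")
```

A password that looks strong, such as the second sample, is still refused because it embeds part of the account holder's name.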

Aside from standard naming accounts, I also created a test account that will not be a member of any AD Groups. It's meant for testing security.
