Before you start
Objectives: learn about common server roles which can be used in Windows environment.
Prerequisites: no prerequisites.
Key terms: network, server, proxy, services, web, segment, firewall, internet, applications, gateway, router
What are Server Roles
Role is a set of features and services that are required to perform a specific function on the server and in that way in our environment. Software components in Windows Server system are separated, and that allows us to install only certain portions of the operating system. Those portions can be grouped into, what we call, roles. Different roles will then have different role services. Role services are specific programs that provide the function of the role. Together with roles we can also use different features of the operating system as an add-on to roles. Feature programs are not directly related to a role. They often add functionality to the whole server. Examples of roles include DNS server, DHCP server, File Server, and Print Server. Some roles, like DNS, have a single role service. Other roles, like Print Server, have multiple role services such as the LPD Service for Unix printing and Internet Printing. Features include management tools, communication protocols or clients, and clustering support.
The first role that we will talk about is providing services. In this role our server provides services to clients on the network. These services include Active Directory, File, Print, DNS, DHCP and Web (IIS) services. If we can save a file to a server or if we can send a print job to a server, then that server is running some software that is enabling us to do those actions on the server. The same thing is if we have a web server. We request a web page and the server returns the requested web page. If we use Active Directory services, our computer will act as a Domain Controller (DC). All those scenarios are very common in server environments.
Active Directory (AD) is a database that stores information about network users, computers and printers. It helps administrators to mange all those resources, and it is required for Exchange Server implementation and Domain Group Policy. We should differentiate Active Directory Domain Services (ADDS) and Active Directory Certificate Services (ADCS). We can use ADCS to create manage public key certificates. Administrators can use ADCS to bind the identity of a person, device or service to a specific private key.
DNS is used to map IP addresses to logical names. With Server 2008 we also have support for IPv6 addresses. DHCP (Dynamic Host Configuration Protocol) service can be used to provide IP configuration information for hosts on our network including local IP address, default gateway, DNS server, etc. Print services allows us to manage printers on servers and to publish printers in Active Directory.
With File Services we can manage network file sharing. We can use Distributed File Service to store copies of shared folders on multiple servers. We can also manage quotas for users by using File Server Resource Manager (FSRM). We can also provide access to files by using NFS protocol which is often used on Linux machines.
Starting from Windows Server 2008 version, we also have Windows SharePoint services, Network Access Protection, improved Terminal Services, and Windows Deployment Services (WDS). Windows Sharepoint provides collaboration tools. Network Access Protection can be used to restrict access on our network for certain computers which are not compliant with our security policies. Terminal Services can be used to access server desktop over network or to run applications on terminal server. Windows Deployment Service can be used to deploy and install various Windows operating systems over network.
Active Driectory (AD) Server Roles
There are several commonly used Active Driectory Server Roles:
- Active Directory Domain Services (AD DS) – AD DS is a distributed database that stores and manages information about network resources, such as users, computers, and printers. This helps administrators to securely manage information, resource sharing and collaboration between users.
- Active Directory Lightweight Directory Service (AD LDS) – AD LDS, formerly known as Active Directory Application Mode (ADAM), is an LDAP directory service that can be used to create a directory store (database) for use by directory-enabled applications. It is similar to Active Directory Domain Services (AD DS), but is customizable and can be much smaller than an AD DS database.
- Active Directory Federation Services (AD FS) – AD FS is a feature which enables secure access to web applications outside of a user’s home domain or forest. It provides Web Single-Sign-On (SSO) technologies to authenticate a user to multiple Web applications using a single user account. It securely federates (shares) user identities and access rights in the form of digital claims between partner organizations.
- Active Directory Rights Management Service (AD RMS) – AD RMS is a feature which safeguards digital information from unauthorized use. It can define exactly how a recipient can use information, specifying who can open, modify, print, forward, and/or take other actions. It allows organizations to create custom usage rights templates (such as “Confidential – Read Only”) that can be applied directly to information such as financial reports, e-mail messages, etc.
- Active Directory Certificate Services (AD CS) – AD CS is an identity and access control feature that creates and manages public key certificates used in software security systems. It provides customizable services for creating and managing public key certificates, and enhances security by binding the identity of a person, device, or service to a corresponding private key. It includes features that allow us to manage certificate enrollment and revocation in a variety of scalable environments. AD CS supports digital signatures, encrypting File System (EFS), Internet Protocol security (IPsec), Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Socket Layer/Transport Layer Security (SSL/TLS), Secure wireless networks, Smart card logon, and
Virtual Private Networks (VPN).
Not all roles are supported on all versions of Windows Server OS. For example, when it comes to Windows Server 2008, AD FS is only supported in DataCenter or Enterprise editions of Windows Server 2008.
When the server is configured as application server, the server will provide certain network applications that can be accessed by users. For example, the server can have a database software installed that the users on the network can use to store or query data. When we talk about the client/server model, database servers can be programs that provide database services or they can be computers that are dedicated to running database programs.
Another example of applications on our server would be web-based applications. Web applications are not static web pages. Web application can be any web site that provides dynamic data or services to users. For example, web applications are web calendars, online spreadsheets, chat rooms, online CRM software, etc. There are different technologies which can be used to write web applications, but some of the most popular ones are PHP and ASP.NET.
Roles that we mentioned up to now are designed to provide services to users. However, there other roles which are related to network infrastructure. Those roles are the Gateway or Router, Bridge, Firewall or Proxy.
Gateway or Router
Technically, gateway and router are two different things. However, often the Gateway and Router are sometimes used interchangeably. That’s because we often implement a Gateway when we implement a Router and vice versa. Gateways and Routers are similar in that they connect two distinct logical networks. To set the server to function as Gateway or Router, the server has to have two (or more) network interfaces installed. One network interface is connected to one network segment and the second interface is connected to another network segment. This alone will not make our server to route packets between those two network segments. We also have to have routing software installed. Operating systems like Windows, Linux and NetWare have this software. Hosts on different network segments will have different logical addresses (IPs) assigned. Our server (now router) will use IP addresses to route packets from one segment to another. If host on one network segment needs to send some data to a host on another network segment, it will first send data to a Default gateway. Default gateway will know on which network segment the destination host resides, so it will route data to that network segment. We can actually configure multiple routers to cover many different networks. That’s how the Internet actually works.
This role is not used often any more, but it was common in the old days. As we said, with Router we connect two different logical network segments. Now, with Bridge we connect to different physical network segments. With Bridge, those two physical networks are still one logical network segment. Bridge uses MAC (physical) addresses to isolate traffic from one physical network segment from another. So, the Bridge memorizes which host is on which physical network segment using the Mac address.
Firewall role is often implemented on servers. The Firewall separates our internal computer network from the public network, which is usually the Internet. We want to allow some traffic from the Internet, but we also want to block some traffic from the Internet. Most operating systems have firewall software in them, like Linux and Windows. By using Firewall we can configure set of rules in which we define what and which type of network traffic is allowed to enter (or exit) our private network and which is not allowed. So, we can configure inbound and outbound rules. All traffic going between our local network inside and the public network outside has to go through the Firewall. The Firewall analyzes all that trafficking and based on the defined rules, decides to allow or deny specific traffic.
Most operating systems also have a proxy feature which can be enabled. With proxy server we separate and hide our private network from the Internet, and we also have a degree of control which resources on the Internet are being accessed. A server running as a firewall can also run as a proxy or a separate proxy server can be set up. All hosts on the network are connected to our proxy server. If some host on our private network wants to go the Internet, it has to go trough our proxy server. The proxy server takes a look at all requests and decides to allow or deny the request based on the configured rules. If the request is allowed, the servers send it out on the Internet and retrieve the resource requested (or its gets it from its cache). Then it forwards the results back to the original workstation. When we use a proxy server the address of the proxy server is the only address available to the public network.
As we mentioned earlier, we can also use many features to improve services on our server machine. For example, we can use BitLocker. We can also set up Remote Assistance service, SMTP, Telnet server or Telnet client feature. We also have Failover Clustering, Network Load Balancing (NLB), WINS, Windows Backup and Powershell, Windows Backup and Powershell.
BitLocker is used to encrypt the entire hard disk on the server and in that way protect data on it. Remote Assistance is used to offer assistance to users on their computers and to correct problems over network. Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail between systems and clients. For example, we can add SMTP feature to add e-mail support to IIS. With Telnet feature we can use a command line to manage remote servers. Telnet Server allows us to accept incoming connections, while Telnet Client allows us to initiate connections. Failover Clustering is used to increase the fault tolerance of network servers by sharing storage resources. In that way if one server fails, the available server will respond to the requests. Network Load Balancing feature is used to disperse workload between multiple servers to optimize performance and response time. This also provides fault tolerance. WINS server is used to map NetBIOS names and IP addresses. WINS database is used to resolve NetBIOS names. It is only used if we need to support legacy clients which can’t use DNS for name resolution (DNS replaced WINS). Windows Server Backup can be used to backup and recover content from Windows Server machine. Powershell is a command line scripting program which can be used to manage Windows Server.
Server 2003 vs Server 2008
To manage all those roles and features, in Windows Server 2003 OS we often used Computer Management MMC console. In Server 2008 we don’t have Computer Management, and in place of that we have a new MMC console called Server Manager. Server Manager console allows us to add or remove roles, customize roles and work with additional features. Installation of roles in Server 2003 was similar to using Add/Remove Windows Components in Control Panel. In Windows Server 2008 the only way to add roles is trough Server Manager console.
Server Core Editions
Server core is a minimal server installation option available on Windows Server 2008 and newer Windows Server versions. It has limited GUI support, so most tasks are performed from a command prompt. The thing is, server core will only be able to run limited set of server roles, so be sure to check the documentation for the Windows Server version you are using or run oclist to see a list of roles, role services, and features that can be installed on server core. Run start /w ocsetup to add server roles to the server core system. Switches for the role or service must be typed exactly as they are listed, and role names are case-sensitive.
Common network services are File, Print, and Web services. Application servers runs applications that can be accessed by users on the network. Database Server is a program or a dedicated computer that runs database program. Gateways and routers connect two or more logical networks. With Proxy server we hide our private network from the Internet and we can also filter traffic based on our rules.