Archive for the ‘IPv6’ Category

Hardening guide for Windows 2008 R2 Domain Controller and DNS Server

This guide explains how to install and configure Domain Controller and DNS server based on Windows 2008 R2 platform, for a new forest in a new domain.

Installation phase

  1. Install Windows 2008 R2 server (either standard of enterprise edition).
  2. Important note: The first domain controller in the forest root domain must be installed on physical hardware and not as a virtual server.

  3. Login for the first time to the new server, using administrator account.
  4. Start -> Run -> dcpromo.exe
  5. Click Next twice -> select “Create a new domain in a new forest” -> click Next -> specify the FQDN of the new forest root domain -> click Next -> on the forest functional level, choose “Windows Server 2008 R2” -> click Next -> leave “DNS server” select and click Next -> click “Yes” on the warning message -> choose a location for the database, logs and sysvol folders -> click Next -> specify complex password for the Directory Services Restore Mode administrator password (and document the password) -> click Next twice -> select “Reboot on completion”.
  6. Allow the server to restart when the installation process completes.
  7. Login to the new domain controller for the first time using domain administrator account.
  8. Start -> Run -> cmd.exe
  9. Write the commands bellow to synchronize the PDC emulator with external reliable time source:
    w32tm /config /computer:<> /manualpeerlist:time.windows.com /syncfromflags:manual /update

    exit

  10. Start -> Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  11. Write the commands bellow to protect all OUs in the domain from accidental deletion:
    import-module activedirectory

    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

    exit

  12. Server Manager -> right click on Features -> Add Features -> select “Windows Server Backup Features” -> click Next -> click Install -> click Close.
  13. Start -> Administrative Tools -> Windows Server Backup -> from the Actions pane, click on “Backup Schedule” -> click Next -> choose “Full server” -> Specify a backup time -> click Next -> click the check box for your destination disk -> click Next -> click Yes to confirm that the destination disk will be reformatted -> verify the label for the destination disk -> click Next -> verify the information on the Summary page -> click Finish -> On the Confirmation page -> click Close.
  14. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary zone” -> leave “Store the zone in Active Directory” checked -> click Next -> select “To all DNS Servers running on domain controllers in this forest” -> click Next -> choose “IPv4 Reverse Lookup Zone” -> click Next -> on the “Network ID” field, put the first 3 octats of the network segment the Domain controller resides in -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
  15. Perform the above step for all other network segments reside in your organization.
  16. From the left pane, expand the server name -> expand “Forward Lookup Zones” -> right click on each zone name -> Properties -> Name Servers tab -> make sure all Windows 2008 R2 DNS servers appear on this list (assuming you have installed more Windows 2008 R2 domain controllers with DNS service) -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
  17. Perform the above step for all other “Forward Lookup zones” and “Reverse Lookup zones” in your forest.

IPv6 DNS settings

  1. In-order to configure IPv6 address for the DNS server, start -> Control Panel -> under “Network and Internet”, click on “View network status and tasks” -> click “Change adapter settings” -> right click on the relevant “Local Area Connection” icon -> Properties -> click on “Internet Protocol Version 6 (TCP/IPv6) -> Properties -> select “Use the following IPv6 address” -> if you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403 -> enter a Subnet prefix length of 64 -> click OK -> click close.
  2. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> expand “Reverse Lookup Zones” -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary Zone” -> click Next -> choose “To all DNS servers running on domain controllers in this forest” -> click Next -> choose “IPv6 Reverse Lookup Zone” -> click Next -> on the “IPv6 Address Prefix” field type the IPv6 subnet prefix (in this example: 2001:0db8:29cd:1a0f::/64) -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
  3. Right click on the new “Reverse Lookup Zone” -> properties -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
Print Friendly, PDF & Email

IPv6 – Problem and some solutions

The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters.
Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrocket.
It is time to start migration from IPv4 to IPv6.

Here is couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

Print Friendly, PDF & Email
Search This Blog
NetworkedBlogs