
Introduction
Windows Server 2019, developed by Microsoft, helps businesses manage network infrastructure, data storage, applications, and server roles. Below are some basic settings to configure for optimal performance and security.
Add Local User
Using Command Line Interface (CLI)
Step [1] Run PowerShell with admin privileges and configure as follows.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# for example, add the [Bizantum] user
# [P@ssw0rd01] ⇒ the password you set (replace it with one you like)
# [PasswordNeverExpires] ⇒ set the password to never expire (to keep the default expiration, do not specify this option)
PS C:\Users\Administrator> New-LocalUser -Name "Bizantum" `
-FullName "Server Bizantum" `
-Description "Administrator of this Computer" `
-Password (ConvertTo-SecureString -AsPlainText "P@ssw0rd01" -Force) `
-PasswordNeverExpires `
-AccountNeverExpires
Name Enabled Description
---- ------- -----------
Bizantum True Administrator of this Computer
# add [Bizantum] user to [Administrators] group
PS C:\Users\Administrator> Add-LocalGroupMember -Group "Administrators" -Member "Bizantum"
# verify
PS C:\Users\Administrator> Get-LocalUser -Name Bizantum
Name Enabled Description
---- ------- -----------
Bizantum True Administrator of this Computer
PS C:\Users\Administrator> Get-LocalGroupMember -Group "Administrators"
ObjectClass Name PrincipalSource
----------- ---- ---------------
User RX-7\Administrator Local
User RX-7\Bizantum Local
# to remove a user, do as follows
PS C:\Users\Administrator> Remove-LocalUser -Name "Bizantum"
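The command above passes the password as a literal, which can end up in the PSReadLine history file and in any transcript of the session. The following added example (not part of the original page) creates the same [Bizantum] account from a prompt, keeps the default password expiration, and searches the history file for leftover literals; the 'AsPlainText' search pattern is an assumption based on the command shown above.

```powershell
# Added example; [Bizantum] is the sample account used on this page.
$name = "Bizantum"

if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) {
    # Account already exists (for example, created with -PasswordNeverExpires):
    # turn password expiration back on instead of recreating it.
    Set-LocalUser -Name $name -PasswordNeverExpires $false
}
else {
    # Prompt for the password so the literal never appears on the command line.
    $password = Read-Host -Prompt "Password for $name" -AsSecureString

    # Omitting -PasswordNeverExpires keeps the default expiration policy.
    New-LocalUser -Name $name `
        -FullName "Server Bizantum" `
        -Description "Administrator of this Computer" `
        -Password $password

    Add-LocalGroupMember -Group "Administrators" -Member $name
}

# Look for password literals left behind by earlier interactive commands.
$history = (Get-PSReadLineOption).HistorySavePath
if (Test-Path $history) {
    Select-String -Path $history -Pattern 'AsPlainText' -SimpleMatch |
        Select-Object LineNumber, Line
}
```

Any line the last command reports contains a typed password; change that password and remove the line from the history file.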
Using Graphical User Interface (GUI)
Step [2] Run [Server Manager] and open [Tools] - [Computer Management].

Step [3] Right-click [Users] under [Local Users and Groups] on the left pane and select [New User].

Step [4] Input a user name and password for the new user and click the [Create] button. Other items are optional.

Step [5] After creation, the new user is shown on the list as follows.

Step [6] If you'd like to grant administrative privileges to the new user, right-click the user and open [Properties].

Step [7] Move to the [Member of] tab and click the [Add] button.

Step [8] Specify the [Administrators] group as follows.

Step [9] Make sure the [Administrators] group is added to the list and click the [OK] button to finish.

Change Admin Username
If you'd like to change the Administrator account name for reasons such as security, you can change it as follows.
Using Command Line Interface (CLI)
Step [1] Run PowerShell with admin privileges and configure as follows.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# for example, change the name [Administrator] to [BizantumAdmin]
PS C:\Users\Administrator> Rename-LocalUser -Name "Administrator" -NewName "BizantumAdmin"
PS C:\Users\Administrator> Get-LocalUser
# changed
Name Enabled Description
---- ------- -----------
DefaultAccount False A user account managed by the system.
Guest False Built-in account for guest access to the computer/domain
Bizantum True Administrator of this Computer
BizantumAdmin True Built-in account for administering the computer/domain
sshd True
WDAGUtilityAccount False A user account managed and used by the system for Windows Defender Application Guard scen...
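Renaming changes only the account name: the built-in administrator keeps its well-known SID ending in -500, so audits should locate it by SID rather than by name. The following added example (not from the original page; the function name Get-LocalAdminReport is hypothetical) lists the local members of the Administrators group and flags the built-in account whatever it is called.

```powershell
# Added example, not from the original page.
function Get-LocalAdminReport {
    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so this works even if the group itself has been renamed or localized.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

    foreach ($member in $members) {
        $user = Get-LocalUser -SID $member.SID
        [pscustomobject]@{
            Name                 = $user.Name
            SID                  = $user.SID.Value
            # The built-in administrator always has relative ID 500.
            BuiltInAdministrator = $user.SID.Value -match '^S-1-5-21-.+-500$'
            Enabled              = $user.Enabled
            # An empty PasswordExpires means no expiration is set.
            PasswordNeverExpires = ($null -eq $user.PasswordExpires)
            PasswordLastSet      = $user.PasswordLastSet
            LastLogon            = $user.LastLogon
        }
    }
}

Get-LocalAdminReport | Format-Table -AutoSize
```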
Using Graphical User Interface (GUI)
Step [2] Run [Server Manager] and open [Tools] - [Computer Management].

Step [3] Open [Local Users and Groups] - [Users] on the left pane, right-click [Administrator] on the right pane and select [Rename]. Then change the name to any name you like.

Step [4] The Administrator name is now changed.

Change Computer Name
The Computer Name is assigned automatically by default, so change it.
Using Command Line Interface (CLI)
Step [1] Run PowerShell with admin privileges and configure as follows.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# for example, change Computer Name to [RX-7]
PS C:\Users\Administrator> Rename-Computer -NewName RX-7 -Force -PassThru
HasSucceeded OldComputerName NewComputerName
------------ --------------- ---------------
True RX-7 RX-9
WARNING: The changes will take effect after you restart the computer RX-7.
# for example, change Primary DNS Suffix to [bizantum.local]
PS C:\Users\Administrator> Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\" -Name "NV Domain" -Value "bizantum.local" -PassThru
NV Domain : bizantum.local
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
PSChildName : Parameters
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
# restart Computer to apply changes
PS C:\Users\Administrator> Restart-Computer -Force
# verify
PS C:\Users\Administrator> (ipconfig /all)[0..9]
Windows IP Configuration
Host Name . . . . . . . . . . . . : RX-7
Primary Dns Suffix . . . . . . . : bizantum.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bizantum.local
Using Graphical User Interface (GUI)
Step [2] Run [Server Manager], select [Local Server] on the left pane and click the [Computer Name] section on the right pane.

Step [3] Move to the [Computer Name] tab and click the [Change] button.

Step [4] Input any computer name you like in the [Computer Name] field, then click the [More...] button.

Step [5] Input the domain name this computer is in.

Step [6] Restarting the computer is required to apply the changes.

Step [7] The computer name has been changed.

Setting Static IP Address
The IP address is assigned by DHCP by default, so set a static IP address for server usage. This example shows how to set only an IPv4 address.
Using Command Line Interface (CLI)
Step [1] Run PowerShell with admin privileges and configure as follows.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# check the network interfaces
PS C:\Users\Administrator> Get-NetIPInterface -AddressFamily IPv4
ifIndex InterfaceAlias AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp ConnectionState PolicyStore
------- -------------- ------------- ------------ --------------- ---- --------------- -----------
6 Ethernet IPv4 1500 15 Enabled Connected ActiveStore
1 Loopback Pseudo-Interface 1 IPv4 4294967295 75 Disabled Connected ActiveStore
# set DHCP off (replace the InterfaceIndex number with the one for your own environment (ifIndex above))
PS C:\Users\Administrator> Set-NetIPInterface -InterfaceIndex 6 -Dhcp Disabled
# for example, set IP address [10.0.0.101/24], gateway [10.0.0.1]
PS C:\Users\Administrator> New-NetIPAddress -InterfaceIndex 6 -AddressFamily IPv4 -IPAddress "10.0.0.101" -PrefixLength 24 -DefaultGateway "10.0.0.1"
IPAddress : 10.0.0.101
InterfaceIndex : 6
InterfaceAlias : Ethernet
AddressFamily : IPv4
Type : Unicast
PrefixLength : 24
PrefixOrigin : Manual
SuffixOrigin : Manual
AddressState : Tentative
ValidLifetime : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource : False
PolicyStore : ActiveStore
# for example, set DNS [10.0.0.10]
PS C:\Users\Administrator> Set-DnsClientServerAddress -InterfaceIndex 6 -ServerAddresses "10.0.0.10" -PassThru
InterfaceAlias Interface Address ServerAddresses
Index Family
-------------- --------- ------- ---------------
Ethernet 6 IPv4 {10.0.0.10}
Ethernet 6 IPv6 {}
# confirm settings
PS C:\Users\Administrator> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : RX-7
Primary Dns Suffix . . . . . . . : bizantum.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bizantum.local
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
Physical Address. . . . . . . . . : 52-54-00-07-22-41
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b547:c48c:6151:2fcf%6(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.0.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.10
NetBIOS over Tcpip. . . . . . . . : Enabled
Using Graphical User Interface (GUI)
Step [2] Run [Server Manager], select [Local Server] on the left pane and click the [Ethernet] section on the right pane.

Step [3] Right-click the [Ethernet] icon and open [Properties].

Step [4] Select [Internet Protocol Version 4] and click the [Properties] button.

Step [5] Set the static IP address, gateway and other values for your local network.

Step [6] After setting the static IP address, the change is shown in Server Manager.

Windows Update
Step [1] Open [Run] and run [gpedit.msc] as follows.

Step [2] Select [Computer Configuration] - [Administrative Template] - [Windows Components] - [Windows Update] on the left pane and click [Configure Automatic Updates] on the right pane to open it.

Step [3] Configure the Windows Update settings as you like.

Allow ICMP Echo Reply
The default setting of Windows Firewall blocks ICMP, so the server will not reply to ping commands from other hosts. If you'd like to allow ICMP, configure it as follows.
Using Command Line Interface (CLI)
Step [1] Run PowerShell with admin privileges and configure as follows.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# allow ICMPv4
PS C:\Users\Administrator> New-NetFirewallRule `
-Name 'ICMPv4' `
-DisplayName 'ICMPv4' `
-Description 'Allow ICMPv4' `
-Profile Any `
-Direction Inbound `
-Action Allow `
-Protocol ICMPv4 `
-Program Any `
-LocalAddress Any `
-RemoteAddress Any
# confirm setting
PS C:\Users\Administrator> Get-NetFirewallRule | Where-Object Name -Like 'ICMPv4'
Name : ICMPv4
DisplayName : ICMPv4
Description : Allow ICMPv4
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
Using Graphical User Interface (GUI)
Step [2] Run [Server Manager] and open [Tools] - [Windows Defender Firewall with Advanced Security].

Step [3] Select [Inbound Rules] on the left pane and click [New Rule] on the right pane.

Step [4] Select [Custom].

Step [5] Select [All programs].

Step [6] Select [ICMPv4] for [Protocol Type].

Step [7] Specify the network range from which to allow ICMP.

Step [8] Select [Allow the connection].

Step [9] Select the network profiles for which you'd like to allow ICMP.

Step [10] Input any name in the [Name] field. That's all; your server will now reply to ping commands from other hosts.

Configure Remote Desktop
Enable Remote Desktop to connect to the server from other computers. This example shows how to enable the single-session function of Remote Desktop, which the Windows client OS also has.
Step [1] Run Server Manager, select [Local Server] on the left pane, then click [Disabled] in the [Remote Desktop] section.

Step [2] Check the box [Allow remote connections to this computer].

Step [3] A message says that the firewall exception for Remote Desktop will be enabled; click the [OK] button.

Step [4] The Remote Desktop setting has changed to [Enabled].
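
Once Remote Desktop is enabled, it is worth confirming that Network Level Authentication is required and seeing who may log on and from which addresses. The following added example (not from the original page; the function name Get-RdpExposure is hypothetical) reads the standard Terminal Server registry values, the built-in [Remote Desktop] firewall group (English display name assumed) and the Remote Desktop Users group.

```powershell
# Added example, not from the original page.
function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # Enabled inbound rules of the built-in Remote Desktop firewall group.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    [pscustomobject]@{
        # fDenyTSConnections = 0 means remote connections are allowed.
        RdpEnabled         = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0
        # UserAuthentication = 1 means Network Level Authentication is required.
        # (A Group Policy setting, if present, takes precedence over this value.)
        NlaRequired        = (Get-ItemProperty -Path $tcp).UserAuthentication -eq 1
        Port               = (Get-ItemProperty -Path $tcp).PortNumber
        FirewallProfiles   = ($rules.Profile | Sort-Object -Unique) -join ', '
        AllowedFrom        = (($rules | Get-NetFirewallAddressFilter).RemoteAddress |
                                Sort-Object -Unique) -join ', '
        # S-1-5-32-555 is the well-known SID of Remote Desktop Users.
        # Members of Administrators can also log on through Remote Desktop.
        RemoteDesktopUsers = (Get-LocalGroupMember -SID 'S-1-5-32-555').Name -join ', '
    }
}

Get-RdpExposure | Format-List
```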

Configure SSH Server
OpenSSH is supported on Windows Server 2019, so it's easy to set up an OpenSSH server. (The OpenSSH client is installed by the default OS installation.)
Using Command Line Interface (CLI)
Step [1] Run PowerShell with admin privileges and configure the SSH server.
PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# get the available OpenSSH capability names
PS C:\Users\Administrator> Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
Name : OpenSSH.Client~~~~0.0.1.0
State : Installed
Name : OpenSSH.Server~~~~0.0.1.0
State : NotPresent
# Install OpenSSH Server
PS C:\Users\Administrator> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Path :
Online : True
RestartNeeded : False
# start sshd service
PS C:\Users\Administrator> Start-Service -Name "sshd"
# set [Automatic] for Startup
PS C:\Users\Administrator> Set-Service -Name "sshd" -StartupType Automatic
# verify
PS C:\Users\Administrator> Get-Service -Name "sshd" | Select-Object *
Name : sshd
RequiredServices : {}
CanPauseAndContinue : False
CanShutdown : False
CanStop : True
DisplayName : OpenSSH SSH Server
DependentServices : {}
MachineName : .
ServiceName : sshd
ServicesDependedOn : {}
ServiceHandle : SafeServiceHandle
Status : Running
ServiceType : Win32OwnProcess
StartType : Automatic
Site :
Container :
# if Windows Firewall is running, allow 22/TCP
PS C:\Users\Administrator> New-NetFirewallRule -Name "SSH" `
-DisplayName "SSH" `
-Description "Allow SSH" `
-Profile Any `
-Direction Inbound `
-Action Allow `
-Protocol TCP `
-Program Any `
-LocalAddress Any `
-RemoteAddress Any `
-LocalPort 22 `
-RemotePort Any
Name : SSH
DisplayName : SSH
Description : Allow SSH
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
Using Graphical User Interface (GUI)
Step [2] Open [Start] - [Settings].

Step [3] Click [Apps].

Step [4] Click [Manage optional features].

Step [5] Click [Add a feature].

Step [6] Select [OpenSSH Server] and click the [Install] button.

Step [7] After the installation finishes, [OpenSSH Server] has been added to Services. Start it and also change [Startup] to [Automatic].

Step [8] If Windows Firewall is running, allow the SSH service port (22/TCP). That completes the OpenSSH server setup.

Configure NTP Server
What
An NTP Server (Network Time Protocol Server) is a server that uses the NTP protocol to synchronize the clocks of various devices on a computer network. The main goal of NTP is to ensure that all devices have a consistent and accurate time.
Examples
- Corporate Networks: In large companies, NTP Servers are used to ensure that all computers, servers, and network devices have consistent time, which is crucial for log files and security.
- Data Centers: In data centers, NTP Servers ensure that all servers have accurate time for database synchronization and transactions.
- IoT Devices: Internet of Things (IoT) devices use NTP Servers to synchronize time among devices for coordinated operations.
How
An NTP Server functions by providing accurate time to clients (other devices on the network) through the computer network. The synchronization process works as follows:
- Request and Response: Clients send a time request to the NTP Server.
- Timestamp: The NTP Server responds with an accurate timestamp.
- Time Difference Calculation: Clients calculate the time difference between themselves and the server.
- Time Adjustment: Clients adjust their local clocks based on the time from the NTP Server to ensure accurate synchronization.
Step [1] Configure the NTP server to provide time synchronization to clients. Run PowerShell with admin privileges and configure as follows.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# confirm the current settings (the following are the defaults)
PS C:\Users\Administrator> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer"
InputProvider : 0
AllowNonstandardModeCombinations : 1
EventLogFlags : 0
ChainEntryTimeout : 16
ChainMaxEntries : 128
ChainMaxHostEntries : 4
ChainDisable : 0
ChainLoggingRate : 30
RequireSecureTimeSyncRequests : 0
DllName : C:\Windows\SYSTEM32\w32time.DLL
Enabled : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders
PSChildName : NtpServer
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
# enable NTP Server feature
PS C:\Users\Administrator> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer" -Name "Enabled" -Value 1
# set [AnnounceFlags] to 5
# meaning of each value
# 0x00 : Not a time server
# 0x01 : Always time server
# 0x02 : Automatic time server
# 0x04 : Always reliable time server
# 0x08 : Automatic reliable time server
PS C:\Users\Administrator> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Config" -Name "AnnounceFlags" -Value 5
# restart Windows Time service
PS C:\Users\Administrator> Restart-Service w32Time
# if Windows Firewall is running, allow NTP port
PS C:\Users\Administrator> New-NetFirewallRule `
-Name "NTP Server Port" `
-DisplayName "NTP Server Port" `
-Description 'Allow NTP Server Port' `
-Profile Any `
-Direction Inbound `
-Action Allow `
-Protocol UDP `
-Program Any `
-LocalAddress Any `
-LocalPort 123
Step [2] The NTP server host also needs to synchronize time with other hosts as an NTP client. Refer to the [Configure NTP Client] section to configure the NTP client.
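The ICMPv4, SSH and NTP rules created on this page all use -Profile Any and accept any remote address, and the ICMPv4 rule admits every ICMP type, not only echo requests. The following added example (not from the original page) lists enabled inbound allow rules that are open to any remote address and narrows the three rules; the function name Get-BroadInboundRule is hypothetical, and 10.0.0.0/24 is assumed to be the trusted subnet, based on the page's example addressing.

```powershell
# Added example, not from the original page.
function Get-BroadInboundRule {
    # Enabled inbound allow rules whose remote address filter is 'Any'.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.Name
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = $port.LocalPort -join ','
                IcmpType  = $port.IcmpType -join ','
            }
        }
    }
}

# Assumption: hosts in this subnet are the only ones that need these services.
$trusted = '10.0.0.0/24'

# Rule names as created on this page; ICMPv4 is also limited to type 8 (echo request).
$rules = @{
    'ICMPv4'          = @{ IcmpType = '8' }
    'SSH'             = @{}
    'NTP Server Port' = @{}
}

foreach ($name in $rules.Keys) {
    if (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue) {
        $extra = $rules[$name]
        # If the NIC is classified Public (see Get-NetConnectionProfile),
        # keep the profile that applies to it instead of Domain, Private.
        Set-NetFirewallRule -Name $name @extra -RemoteAddress $trusted -Profile Domain, Private
    }
}

# The three rules should no longer appear in this list.
Get-BroadInboundRule | Sort-Object Name | Format-Table -AutoSize
```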
Configure NTP Client
By default, the Windows NTP client is configured to use the NTP server [time.windows.com], so on a computer connected to the Internet, the time and date are already synchronized. Furthermore, if computers are in an Active Directory domain, the NTP client is configured as follows, so the settings generally do not need to be changed.
- Domain controllers synchronize time with the PDC in the domain.
- The PDC in a domain synchronizes time with the PDC in the parent domain or with other domain controllers.
- Client computers synchronize time with the domain controller they are logged on to.
On computers in a workgroup environment, it's possible to change the default NTP server to another one as follows.
Step [1] Configure the NTP client to synchronize time with an NTP server. Run PowerShell with admin privileges and configure as follows.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# confirm the NTP server currently used for synchronization
PS C:\Users\Administrator> w32tm /query /source
time.windows.com,0x8
# change the target NTP server (replace it with a server for your own time zone)
# meaning of each value
# 0x01 : SpecialInterval
# 0x02 : UseAsFallbackOnly
# 0x04 : SymmetricActive
# 0x08 : NTP request in Client mode
PS C:\Users\Administrator> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\Parameters" -Name "NtpServer" -Value "ntp.nict.jp,0x8"
# restart Windows Time service
PS C:\Users\Administrator> Restart-Service w32Time
# re-sync manually
PS C:\Users\Administrator> w32tm /resync
Sending resync command to local computer
The command completed successfully.
# verify status
PS C:\Users\Administrator> w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0252246s
Root Dispersion: 0.0824040s
ReferenceId: 0x85F3EEF3 (source IP: 133.243.238.243)
Last Successful Sync Time: 9/23/2019 10:15:33 PM
Source: ntp.nict.jp,0x8
Poll Interval: 8 (256s)
Step [2] If a computer is in an Active Directory domain environment and it is the forest root, the synchronization target is often configured as [Local CMOS Clock] (hardware clock). If you'd like to change the setting from [Local CMOS Clock] to another network NTP server, set it as follows.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
# in AD Domain Environment, [Type] is set to [NT5DS]
PS C:\Users\Administrator> (Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\Parameters").GetValue("Type")
NT5DS
# if the target is [Local CMOS Clock] and you'd like to change it, change [Type] to [NTP] first
# next, change the NTP server in the same way as in step [1]
PS C:\Users\Administrator> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\Parameters" -Name "Type" -Value "NTP"