26 Apr 2011

How to Install and Configure Windows Server 2008 DHCP Server

Installing Windows Server 2008 DHCP Server

Installing Windows Server 2008 DHCP Server is easy. DHCP Server is now a "role" of Windows Server 2008 – not a Windows component as it was in the past.

To do this, you will need a Windows Server 2008 system already installed and configured with a static IP address. You will need to know your network's IP address range, the range of IP addresses you will want to hand out to your PC clients, your DNS server IP addresses, and your default gateway. Additionally, you will want to have a plan for all subnets involved, what scopes you will want to define, and what exclusions you will want to create.

To start the DHCP installation process, you can click Add Roles from the Initial Configuration Tasks window or from Server Manager → Roles → Add Roles.


Figure 1: Adding a new Role in Windows Server 2008

When the Add Roles Wizard comes up, you can click Next on that screen.

Next, select that you want to add the DHCP Server Role, and click Next.


Figure 2: Selecting the DHCP Server Role

If you do not have a static IP address assigned on your server, you will get a warning that you should not install DHCP with a dynamic IP address.

At this point, you will begin being prompted for IP network information, scope information, and DNS information. If you only want to install DHCP server with no configured scopes or settings, you can just click Next through these questions and proceed with the installation.

On the other hand, you can optionally configure your DHCP Server during this part of the installation.

In my case, I chose to take this opportunity to configure some basic IP settings and configure my first DHCP Scope.

I was shown my network connection binding and asked to verify it, like this:


Figure 3: Network connection binding

What the wizard is asking is, "what interface do you want to provide DHCP services on?" I took the default and clicked Next.

Next, I entered my Parent Domain, Primary DNS Server, and Alternate DNS Server (as you see below) and clicked Next.


Figure 4: Entering domain and DNS information

I opted NOT to use WINS on my network and I clicked Next.

Then, I was prompted to configure a DHCP scope for the new DHCP Server. I have opted to configure an IP address range of 192.168.1.50-100 to cover the 25+ PC Clients on my local network. To do this, I clicked Add to add a new scope. As you see below, I named the Scope WBC-Local, configured the starting and ending IP addresses of 192.168.1.50-192.168.1.100, subnet mask of 255.255.255.0, default gateway of 192.168.1.1, type of subnet (wired), and activated the scope.


Figure 5: Adding a new DHCP Scope
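
The scope plan above can be checked for address conflicts before it is entered in the wizard. The following is an added example, not part of the original article: the function name check_scope and the DHCP server address 192.168.1.10 are assumptions, while the range, mask, gateway and client count are the ones given in the text.

```python
import ipaddress


def check_scope(network, start, end, gateway, static_hosts=None, exclusions=(), clients=0):
    """Return a list of problems in a DHCP scope plan; an empty list means it is consistent."""
    net = ipaddress.ip_network(network)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        return [f"start {first} is above end {last}"]
    problems = []
    if not (net.network_address < first and last < net.broadcast_address):
        problems.append(f"range {first}-{last} does not fit the usable addresses of {net}")
    if ipaddress.ip_address(gateway) not in net:
        problems.append(f"gateway {gateway} is not on {net}")

    # Addresses removed from the pool by exclusions
    excluded = set()
    for ex_start, ex_end in exclusions:
        lo, hi = ipaddress.ip_address(ex_start), ipaddress.ip_address(ex_end)
        if lo > hi or lo < first or hi > last:
            problems.append(f"exclusion {ex_start}-{ex_end} is not inside the scope range")
            continue
        excluded.update(range(int(lo), int(hi) + 1))

    # Statically configured devices must never be leasable
    fixed = {"gateway": gateway, **(static_hosts or {})}
    for name, addr in fixed.items():
        ip = ipaddress.ip_address(addr)
        if first <= ip <= last and int(ip) not in excluded:
            problems.append(f"{name} {ip} is inside the pool and not excluded")

    leasable = int(last) - int(first) + 1 - len(excluded)
    if leasable < clients:
        problems.append(f"{leasable} leasable addresses for {clients} clients")
    return problems


# Scope from the article; the DHCP server address 192.168.1.10 is an assumed value.
WBC_LOCAL = dict(network="192.168.1.0/255.255.255.0", start="192.168.1.50",
                 end="192.168.1.100", gateway="192.168.1.1",
                 static_hosts={"dhcp-server": "192.168.1.10"}, clients=25)

if __name__ == "__main__":
    print(check_scope(**WBC_LOCAL) or "plan is consistent")
```
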

Back in the Add Scope screen, I clicked Next to add the new scope (once the DHCP Server is installed).

I chose to Disable DHCPv6 stateless mode for this server and clicked Next.

Then, I confirmed my DHCP Installation Selections (on the screen below) and clicked Install.


Figure 6: Confirm Installation Selections

After only a few seconds, the DHCP Server was installed and I saw the window, below:


Figure 7: Windows Server 2008 DHCP Server Installation succeeded

I clicked Close to close the installer window, then moved on to how to manage my new DHCP Server.

How to Manage your new Windows Server 2008 DHCP Server

Like the installation, managing Windows Server 2008 DHCP Server is also easy. Back in my Windows Server 2008 Server Manager, under Roles, I clicked on the new DHCP Server entry.


Figure 8: DHCP Server management in Server Manager

While I cannot manage the DHCP Server scopes and clients from here, what I can do is to manage what events, services, and resources are related to the DHCP Server installation. Thus, this is a good place to go to check the status of the DHCP Server and what events have happened around it.

However, to really configure the DHCP Server and see what clients have obtained IP addresses, I need to go to the DHCP Server MMC. To do this, I went to Start → Administrative Tools → DHCP Server, like this:


Figure 9: Starting the DHCP Server MMC

When expanded out, the MMC offers a lot of features. Here is what it looks like:


Figure 10: The Windows Server 2008 DHCP Server MMC

The DHCP Server MMC offers IPv4 & IPv6 DHCP Server info including all scopes, pools, leases, reservations, scope options, and server options.

If I go into the address pool and the scope options, I can see that the configuration we made when we installed the DHCP Server did, indeed, work. The scope IP address range is there, and so are the DNS Server & default gateway.


Figure 11: DHCP Server Address Pool


Figure 12: DHCP Server Scope Options

So how do we know that this really works if we do not test it? The answer is that we do not. Now, let's test to make sure it works.

How do we test our Windows Server 2008 DHCP Server?

To test this, I have a Windows Vista PC Client on the same network segment as the Windows Server 2008 DHCP server. To be safe, I have no other devices on this network segment.

I did an IPCONFIG /RELEASE then an IPCONFIG /RENEW and verified that I received an IP address from the new DHCP server, as you can see below:


Figure 13: Vista client received IP address from new DHCP Server

Also, I went to my Windows 2008 Server and verified that the new Vista client was listed as a client on the DHCP server. This did indeed check out, as you can see below:


Figure 14: Win 2008 DHCP Server has the Vista client listed under Address Leases

With that, I knew that I had a working configuration and we are done!

IIS 7.0 - FTP Publishing Service – Part 3: Securing an FTP site

Configure a secure FTP site using a commercial SSL

Below I will describe how to secure an existing FTP site using an SSL certificate. The certificate issued and used below will be created on an internal Certificate Authority made for testing purposes only, but the certificate enrollment process on the server is the same as when ordering a certificate from a third-party certificate provider such as Verisign or Godaddy. It is also possible to create a self-signed certificate directly from within IIS; this process is described later in the article.

Make sure you have the FTP site running and that you are able to log in to the FTP site. The FTP site used as an example in this article is ftp.example.com, as illustrated below.

  1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager
  2. In IIS Manager click the FTP server to select it and choose Server Certificates:


Figure A: Server Certificates

  3. In the actions pane, choose Create Certificate Request:


Figure B: Server Certificates - Actions

  4. In the dialog window that pops up, fill out the required information for the certificate and click Next:


Figure C: Self-signed Certificate - Name

  5. Choose the default cryptographic service provider and click Next:


Figure D: Cryptographic Service Provider

  6. Save the request to a file and click Finish:


Figure E: Save Certificate request

The certificate request has now been done and is pending in IIS. The request is now ready to be sent off to a commercial 3rd party certificate provider (e.g. Verisign, Godaddy etc.).

Import Certificate request

When the certificate request gets back from the certificate provider, it needs to be imported into IIS to work.

  1. In IIS Manager click the FTP server and choose Server Certificates:


Figure F: IIS Manager – Server Certificates

  2. Choose Complete Certificate Request…:


Figure G: Server Certificates – Complete Certificate Request

  3. Select the certificate request that came back from the certificate provider, enter the common name of the site, and click OK:


Figure H: Complete Certificate Request

  4. The certificate is now displayed in the IIS Manager and ready for use:


Figure I: Server Certificates

Enable the commercial certificate on the FTP site

Once imported, the SSL certificate can be enabled and applied to an FTP site. Go to the FTP site to which you want to apply the certificate.

  1. In IIS Manager select the FTP site and click FTP SSL Settings:


Figure J: FTP site – FTP SSL Settings

  2. Select the certificate and the SSL policy (Allow or Require SSL) settings and click Apply:


Figure K: FTP SSL Settings

  3. The SSL certificate has now been applied to the FTP site:


Figure L: FTP SSL Settings

The FTP site is now secured and requires the connection to the FTP site to be FTP-S, using an FTP client which supports FTP-S.

Configure a secure FTP site using a self-signed SSL

As described previously, it is also possible to generate a self-signed SSL certificate directly from within the Internet Information Services (IIS) Manager. This process is quicker than requesting a commercial certificate. Self-signed certificates are great for testing FTP sites or maybe internal use, but not recommended for production use.

  1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager
  2. In IIS Manager click the FTP server and choose Server Certificates:


Figure M: Server Certificates

  3. In the actions pane, choose Create Self-Signed Certificate:


Figure N: Server Certificates - Actions

  4. In the dialog window that pops up, give the certificate a friendly name and click OK:


Figure O: Self-signed Certificate - Name

  5. The certificate is now generated and ready for use:


Figure P: Server Certificates – Generated certificates

The next step is to apply and enable this new certificate on an existing FTP site.

  1. Select the FTP site (in this example: ftp.example.com) and click on FTP SSL Settings:


Figure Q: FTP site – FTP SSL Settings

  2. Choose the certificate and select the settings needed (Require SSL Connections) and click Apply:


Figure R: FTP site – FTP SSL Settings

The FTP site is now ready to be used and all traffic will be encrypted. An FTP client that supports FTPS is now required to connect to the new FTP site.

Connecting to an FTP site

Use an FTP client which supports FTP-S to connect to the FTP site and test the connectivity. In the example below FileZilla is used. It is important to configure the FTP server setting in FileZilla to connect using FTPS; in FileZilla the setting is "FTPES - FTP over explicit TLS/SSL".


Figure S: FileZilla – FTPS Settings

The first time you log on to an FTP site running with a self-signed certificate, the FTP client (FileZilla) will prompt and tell you that the root of the certificate is not known. If you want to trust it and import it, click OK.

The FTP site is now ready to be used in a secure manner.
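
When a client reports an unknown root for a self-signed certificate, the decision to trust it can be backed by comparing the certificate's fingerprint with the one read from the server's own certificate store. The following is an added example, not part of the original article: it fetches the certificate over explicit FTPS (AUTH TLS on port 21) and checks it against an expected SHA-256 fingerprint; the function names are assumptions and the expected fingerprint must come from the server administrator.

```python
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept fingerprints with or without separators, in any letter case."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def matches_pin(der_cert: bytes, expected_fp: str) -> bool:
    """Constant-time comparison of the presented certificate with the expected one."""
    return hmac.compare_digest(normalize(fingerprint(der_cert)), normalize(expected_fp))


def fetch_ftpes_cert(host: str, port: int = 21, timeout: float = 10.0) -> bytes:
    """Connect, upgrade with AUTH TLS (explicit FTPS) and return the server cert in DER."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be disabled before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE   # chain is not validated here; the pin is the check
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftps.connect(host, port)
        ftps.auth()                   # sends AUTH TLS and wraps the control socket
        return ftps.sock.getpeercert(binary_form=True)
    finally:
        ftps.close()


def verify_server(host: str, expected_fp: str) -> bool:
    """Raise if the server presents a certificate other than the expected one."""
    der = fetch_ftpes_cert(host)
    if not matches_pin(der, expected_fp):
        raise ssl.SSLError(f"certificate fingerprint mismatch for {host}: {fingerprint(der)}")
    return True
```

No credentials are sent by this check; only the TLS handshake on the control channel is performed.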

Summary

IIS 7.0 - FTP Publishing Service – Part 2: Configuration

This article covers different configuration scenarios of the new FTP Publishing Service for IIS 7.0. The prerequisite for this article is that the FTP Publishing Service is already installed on Windows Server 2008. Part 1 of this article series covered how to download and install the new version of the FTP Publishing Service. This article will consist of two main configuration topics, each divided into its own section:

  • How to configure a new FTP site
  • How to add FTP Publishing to an existing website

Both topics will cover configuring FTP using the GUI and the command line management tools.

The use of FTP can be different depending on the usage and the requirement for FTP in the organization. Therefore this article will cover some different scenarios.

Configure a new FTP site

There are numerous ways to configure a new FTP site with IIS 7.0 and the new FTP Publishing Service. It is now possible to change or add an FTP site directly in the configuration XML files or by using scripting.

The first part of this section will cover configuring FTP "the GUI way" using IIS Manager and in the end I will cover configuring FTP using the command line interface. Both ways have the same end result, which is a new FTP site.

Creating a new folder

A folder needs to be prepared for FTP Publishing. It is easier to create the folder now, before continuing with the FTP configuration. Make sure the folder is configured with the correct permissions. The folder used in this example is: "D:\Inetpub\ftproot\ftp.iis-digest.com".

  1. Create the folder D:\Inetpub\ftproot\ftp.iis-digest.com
  2. Set folder permissions using cacls from a command prompt:

CACLS "C:\inetpub\ftproot\ftp.iis-digest.com" /G IUSR:R /T /E


FIGURE A: Command prompt and cacls command

The above command changes the permissions on the ftp.iis-digest.com folder and adds read and execute permissions for the IUSR account.

The IUSR user is the new built-in account on Windows Server 2008 used for IIS 7.0, replacing the old IUSR_machinename account found previously in Windows Server 2003 and IIS 6.0.

Configuring FTP

  1. Start the IIS Manager found at Start – Administrative Tools – Internet Information Service (IIS) Manager.
  2. In IIS Manager under Sites, click Add FTP Site…


FIGURE B: Add FTP Site…

  3. The Add FTP Site Wizard starts and at the first dialog box, enter the name of the FTP Site and the physical path, created previously:


FIGURE C: Add FTP Site Wizard – Enter site information


FIGURE D: Add FTP Site Wizard – Enter Binding and SSL Settings

  4. Enter the IP address information for the FTP site and the port binding; use the default FTP port 21. If you know what you are doing and your application needs a port other than the default one, you can change it here.
  5. New with the FTP Publishing Service is support for virtual host naming, which is the same as using host headers on a website. A virtual host name such as ftp.iis-digest.com means that it is now possible to have multiple FTP sites configured on one IP address with no conflicting bindings on the port.
  6. SSL is also a new feature supported by the FTP Publishing Service; by combining SSL and FTP, the server provides FTPS support. By selecting an SSL certificate during configuration, the FTP site is made available as a secure site, so all traffic will be encrypted. In the above example it should be "Allow SSL", since there is no SSL certificate for this FTP site.
  7. Set the Authentication to anonymous to provide anonymous access to the new FTP site used as an example in this article.


FIGURE E: Add FTP Site Wizard – Set Authentication and Authorization Information

  8. Add the Authorization settings used for the FTP site; set it to "Anonymous users" and Read (only) permissions.
  9. The new FTP site has been configured and can be seen in the IIS Manager.


FIGURE F: IIS Manager – view of the new ftp site

  10. Test the new FTP site: In this example we log in to the test site ftp.iis-digest.com with an anonymous user. With FTP 7 using virtual headers, the login needs to be formatted like this: "ftp.iis-digest.com|anonymous":


FIGURE G: Command prompt – test the ftp connection

There are numerous ways of configuring the users for an ftp site in a secure way and it is not recommended to use anonymous level of authentication for production. Securing FTP will be covered in my next article.

Configure a new FTP site using command line or scripting

With IIS 7.0 and the new FTP 7, it is now possible to script and automate a lot of management of IIS and FTP. This section will describe how to accomplish creating and configuring the same new FTP site as above, just using command line and scripting instead.

Using the new command line tool AppCMD.exe, the command and parameters for creating a new FTP site are:

appcmd add site /name:"ftp.iis-digest.com ftpsite" /bindings:ftp://ftp.iis-digest.com:21 /physicalpath:"c:\inetpub\ftproot\ftp.iis-digest.com" /ftpServer.security.ssl.dataChannelPolicy:SslAllow


FIGURE H: Command prompt – using the appcmd management tool
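
The SSL policy and authentication choices made in the wizard or with appcmd are stored as attributes of the site in applicationHost.config, so they can be reviewed across all sites at once. The following is an added example, not part of the original article: it flags FTP sites that still allow unencrypted connections, have no certificate bound, or permit anonymous logins. The XML is a constructed sample using the article's site names, the certificate hash is a placeholder, and the function name audit_ftp_sites is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <sites> section of applicationHost.config.
# Site names reuse the article's examples; the certificate hash is a placeholder.
SAMPLE_CONFIG = """\
<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1">
    <bindings><binding protocol="http" bindingInformation="*:80:" /></bindings>
  </site>
  <site name="ftp.iis-digest.com ftpsite" id="2">
    <bindings>
      <binding protocol="ftp" bindingInformation="*:21:ftp.iis-digest.com" />
    </bindings>
    <ftpServer><security>
      <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security></ftpServer>
  </site>
  <site name="ftp.example.com" id="3">
    <bindings>
      <binding protocol="ftp" bindingInformation="*:21:ftp.example.com" />
    </bindings>
    <ftpServer><security>
      <ssl controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire"
           serverCertHash="PLACEHOLDER_CERT_HASH" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
      </authentication>
    </security></ftpServer>
  </site>
</sites></system.applicationHost></configuration>
"""


def audit_ftp_sites(config_xml):
    """Return {site name: [findings]} for every site that has an FTP binding."""
    report = {}
    for site in ET.fromstring(config_xml).iter("site"):
        if not any(b.get("protocol") == "ftp" for b in site.iter("binding")):
            continue  # web-only site, nothing to audit
        findings = []
        ssl_el = site.find("ftpServer/security/ssl")
        attrs = ssl_el.attrib if ssl_el is not None else {}
        for channel in ("controlChannelPolicy", "dataChannelPolicy"):
            policy = attrs.get(channel)
            if policy is None:
                findings.append(f"{channel} not set explicitly, confirm the effective default")
            elif policy != "SslRequire":
                findings.append(f"{channel}={policy}: TLS is not enforced for all traffic")
        if not attrs.get("serverCertHash"):
            findings.append("no certificate bound to the site (serverCertHash missing)")
        anon = site.find("ftpServer/security/authentication/anonymousAuthentication")
        if anon is not None and anon.get("enabled", "false").lower() == "true":
            findings.append("anonymous authentication is enabled")
        report[site.get("name")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_ftp_sites(SAMPLE_CONFIG).items():
        print(name, "->", findings or "OK")
```
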

The same can be achieved using PowerShell and the new PowerShell Provider for IIS 7.0. It is a requirement that PowerShell 1.0 is installed on the Windows Server 2008 system along with the new PowerShell Provider for IIS 7.0. The PowerShell Provider can be downloaded from www.iis.net. Both need to be installed to provide the connection and commands for managing IIS 7.0 and FTP 7 using PowerShell.

There is also another, more programmatic interface for managing IIS 7.0, Microsoft.Web.Administration. More information about this interface can be found on the official IIS website (www.iis.net). The interface will not be covered in this article.

Add FTP Publishing to an existing website

With IIS 7.0 and the new FTP Publishing Service it is now possible to add FTP to an existing website, directly from within the IIS Manager. This is a great new feature, not previously seen in IIS. This means that in e.g. hosting environments it is now a lot easier to add FTP access to a website already running on the web server.

With the new FTP Publishing Service it is easy to add FTP to an already existing website, and this can be done directly within the IIS Manager. In the example below an FTP site will be added to the default website.

  1. Expand "Sites" and find the website, which you want to add FTP functionality to, in this example the site name is "Default Web Site"
  2. Mark the web site (Default Web Site) and right click or from the Action Pane choose "Add FTP Publishing…":


FIGURE I: IIS Manager – Choose Add FTP Publishing…

  3. A dialog with the Add FTP Publishing Wizard appears, first page "Binding and SSL Settings":


FIGURE J: Add FTP Site Wizard – Enter Binding and SSL Settings

  4. IP Address: Choose the IP address for your new FTP site. This can be "All Unassigned", or you can enter the IP address or choose it from the pull-down menu. In this example "All Unassigned" is used.
  5. Port: The default FTP port is TCP port 21, which will also be used in this example.
  6. Virtual Name: It is now possible to use a host header for an FTP site, as we know from host headers on web sites and from my first example above. In this example it will be left blank, which means that the site will respond to the IP address.
  7. Select "Allow SSL" since there is no SSL certificate to add to the FTP site.


FIGURE K: Add FTP Site Wizard – Enter Authentication and Authorization

  8. Select the Basic or Anonymous authentication method for your FTP site; it is not recommended to use anonymous. In this example we use anonymous since it is a test site.

FTP has now been added to the existing Default web site. Test the ftp connection by connecting to the server IP address or on the server using localhost.


FIGURE L: Testing the FTP connection

IIS 7.0 - FTP Publishing Service – Part 1: Installation

It is no big secret that Microsoft has never had the best FTP server product, compared to the general competition in the FTP Server market. Although Microsoft has always included an FTP Server in almost all of the previous versions of IIS and Windows Server, it lacked a lot of the more enhanced FTP server features. Microsoft has overcome much of this, with the new version of FTP Publishing Service which was released at the official Windows Server 2008 launch. The new FTP Publishing Service has been completely rewritten, just like IIS 7.0 and it is available only for IIS 7.0.

There are actually two FTP Services available for IIS 7.0, the first one comes with the binaries of Windows Server 2008 or Windows Vista and the second one is available for download only.

Why two FTP servers and what is the difference you might ask?

  • The first one is actually just a minor upgrade and quite similar to the FTP Service that was a part of IIS 6.0.
  • The second FTP Service is the new improved version, available as a download and for IIS 7.0.

This article will focus on the new and improved version of the FTP Publishing Service.

The new FTP Service has many new features which will enable web authors to more easily publish content and it offers more security and deployment options for administrators. It is available for Windows Server 2008 in 32-bit and 64-bit versions.

What's New

The new FTP Publishing Server includes a wide range of new features and improvements. Below I will highlight the major new topics and describe each of these new enhancements.

  • Integration with IIS 7.0
    The new FTP service is tightly integrated with the brand-new administration interface and configuration store of IIS 7.0
  • Support for new Internet standards
    The new FTP service supports FTP over SSL, also known as FTPS or FTP/SSL, and uses a public key certificate (SSL/TLS). It should not be confused with SFTP or FTP over SSH, which is another standard currently not supported by Microsoft FTP Publishing Service. It also supports other improvements such as UTF8 and IPv6.
  • Shared hosting
    The new FTP service is improved and is fully integrated into IIS 7.0, it is possible to host FTP and web content from the same site by adding an FTP binding to an existing website. The FTP service also has virtual hostname support, which makes it possible to host multiple FTP sites on the same IP address. It has improved user isolation, making it possible to isolate users through per-user virtual directories.
  • Extensibility
    The new FTP service supports developer (API) extensibility, which makes it easier for software vendors to write custom providers for FTP authentication.
  • Logging
    FTP logging has been improved and enhanced to include all FTP traffic in the log files.
  • Improved troubleshooting features
    IIS 7.0 has new improved troubleshooting features, such as Event Tracing for Windows (ETW). The FTP service supports this feature, along with providing detailed error responses and messages for local users, also a new option of IIS 7.0.

Installation prerequisites

The new FTP Publishing Service is available for free as a downloadable module from IIS.net DownloadCenter.

There are some prerequisites that need to be in place before continuing with the installation of the FTP Publishing Service.

  • You must be using Windows Server 2008,
  • IIS 7.0 must be installed,
  • If you want to manage the new FTP services using the new IIS 7.0 interface, the IIS Management Console must be installed,
  • You must be logged in as an administrator,
  • IIS 7.0 Shared configuration must be disabled on each node in a web farm scenario, before installing the new FTP service, it can be re-enabled after the FTP service has been installed,
  • The FTP service which is shipped with the Windows Server 2008 binaries must be uninstalled before installing the new FTP service.

Installation

In this step-by-step installation guide I will go through the installation of the FTP service on a newly installed Windows Server 2008 server. I will only cover the FTP installation and not any of the other IIS 7.0 services.

  • Download the new FTP Service version from the link above
  • Run the downloaded program as "Run as Administrator" to install or install using one of these two commands:
    - x86 version: msiexec /i ftp7_x86_rtw.msi
    - x64 version: msiexec /i ftp7_x64_rtw.msi

    These steps are needed because of User Account Control (UAC) which otherwise prevents you from accessing the applicationHost.config file.

  • When the installation program starts, click Next:


Figure A: Installation start

  • Accept the EULA and click Next:

Figure B: EULA

  • Select the options you want to install and click Next:


Figure C: Selecting installation features

Installation features described:

  • Common files
    Provides common files for Microsoft FTP Service for IIS 7.0, such as the FTP configuration schema file. The common files are required on all FTP servers using shared configuration mode.
  • FTP Publishing Service
    The core component required for FTP to work. It requires that the Process Model from the Windows Process Activation Service feature is installed.
  • Managed Code Support
    Support for managed code features. This feature is required when managed code features, such as ASP.NET users or IIS Manager Users, will be used with FTP. This feature is optional and will not work when running Windows Server 2008 in Server Core mode.
  • Administration Features
    Supports administration by using IIS Manager, the user interface (UI). This feature requires that the IIS Manager and the .NET 2.0 Framework are installed.
  • Begin the installation, click Install:

Figure D: Begin installation

  • Click Read notes to view the readme and click Finish:


Figure E: Finished install

Confirm that the FTP Service is installed by checking that the Microsoft FTP Service is running and/or in IIS Manager check the new FTP section, with all the management components for the FTP Service.


Figure F: FTP section in IIS Manager

By default the FTP Server is locked down and does not accept any FTP requests.

From within the IIS Manager it is quite easy to either publish a new FTP site or add FTP Publishing to an existing website.

For user security the FTP Service supports anonymous, which is not recommended, and there are also two ways of authenticating your FTP users:

  • Windows Authentication
    Users are located in the Active Directory or local user store on the dedicated FTP server.
  • IIS Manager Authentication
    This is the new feature, where IIS Manager is used for user administration and all users are added using IIS Manager and authentication is handled by the new "IISManagerAuth" provider.