Windows Server – Beginner Friendly Notes
What is Windows Server?
Windows Server is a specialized operating system developed by
Microsoft, designed specifically for servers, not for personal use like
Windows 10 or 11. It is used primarily in enterprise, corporate, and IT
environments to handle centralized management, networking, and
security tasks.
Why It Matters in Tech:
• If you work in IT, cybersecurity, DevOps, or system admin, you'll
likely interact with Windows Server.
• Understanding it is crucial for:
o Managing users and permissions
o Investigating incidents and logs
o Securing enterprise networks
o Setting up infrastructure for apps or services
Windows Domains
Imagine managing a small business with just five computers and
employees. You can set up each computer individually, create user
accounts, and fix problems on-site easily.
Now, imagine the business grows to 157 computers and 320 users across
four offices. Managing each computer separately becomes nearly
impossible.
To solve this, businesses use a Windows domain, a group of users and
computers managed centrally.
The core of a Windows domain is Active Directory (AD), a central database
that stores user and computer information.
The server running AD is called a Domain Controller (DC).
Benefits of a Windows Domain
• Centralized user management: Manage all users from one place
(Active Directory).
• Security policies: Apply security settings and rules across all
computers and users easily.
Real-World Example
You’ve probably used a Windows domain at school or work. You get one
username and password that works on any computer there.
When you log in, the computer checks your credentials with the Domain
Controller (Active Directory). Your credentials aren’t stored on each
machine but are available across the network.
Active Directory also lets schools or companies restrict what users can do,
like preventing access to control panels or system settings.
What is Active Directory?
Active Directory (AD) is the directory service Windows networks use to
manage users, computers, groups and other objects from one place. Think of
it as the phonebook or directory for your organization’s network.
At the heart of it is Active Directory Domain Services (AD DS), which
keeps track of all the "objects" (users, computers, printers, etc.) on the
network.
Key Object Types in Active Directory
1. Users
• A user is someone (like an employee) who logs into the network.
• Users are security principals: they can authenticate and be granted
permissions on resources.
• There are two kinds:
o People (e.g., workers who log in daily).
o Service accounts (accounts that let software such as a database or
a web server run under its own identity rather than a person’s).
2. Machines (Computers)
• Every computer that joins the domain becomes an object too.
• Computers are security principals as well: each has an account and a
long random password that Windows rotates automatically (every 30 days
by default).
• Their account names end with a $ sign (e.g., PC01$).
• These accounts let computers authenticate to the domain and receive
Group Policy; a stolen machine account can be used like any other account.
3. Security Groups
• Groups let you manage multiple users or computers at once.
• Example: Instead of giving access to a folder to 20 people, just add
them all to a group and give the group access.
• A user or computer can be in many groups, and even groups inside
groups are allowed.
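The object types above, created and inspected with the ActiveDirectory PowerShell module. This is an added example, not code from the original notes; the domain shya.local, the OU "Sales", the user "jdoe" and the group names are invented, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example (not from the original notes). Assumes the ActiveDirectory
# module and an account allowed to create objects in the hypothetical domain
# shya.local. All names below are invented.
Import-Module ActiveDirectory

$domainDn = 'DC=shya,DC=local'
$salesOu  = "OU=Sales,$domainDn"          # assumed to exist already

# 1. A person user. The password is read from the console so it never sits in
#    the script; ChangePasswordAtLogon forces a fresh one at first sign-in.
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@shya.local' `
    -Path $salesOu -AccountPassword (Read-Host 'Initial password' -AsSecureString) `
    -Enabled $true -ChangePasswordAtLogon $true

# 2. Security groups: a role group for people, and a resource group that is the
#    one actually placed on a file server ACL. The role group is nested inside it.
New-ADGroup -Name 'Sales-Staff'       -GroupScope Global      -Path $salesOu
New-ADGroup -Name 'FS01-Sales-Modify' -GroupScope DomainLocal -Path $salesOu `
    -Description 'Modify on \\FS01\Sales (assign this group on the ACL, not users)'
Add-ADGroupMember -Identity 'Sales-Staff'       -Members 'jdoe'
Add-ADGroupMember -Identity 'FS01-Sales-Modify' -Members 'Sales-Staff'   # group inside a group

# 3. Machine accounts: note the trailing $ and that they are real security
#    principals with their own automatically rotated password.
Get-ADComputer -Filter * -Properties OperatingSystem, PasswordLastSet |
    Select-Object SamAccountName, OperatingSystem, PasswordLastSet |
    Format-Table -AutoSize

# 4. Audit the privileged default groups. -Recursive expands nested groups,
#    which is exactly how an "innocent" nested membership quietly grants
#    Domain Admin to someone nobody added directly.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Account Operators',
               'Server Operators', 'Backup Operators') {
    $members = Get-ADGroupMember -Identity $g -Recursive |
               Select-Object -ExpandProperty SamAccountName
    '{0,-20} {1}' -f $g, ($members -join ', ')
}
```

The domain-local/global split in step 2 is the usual pattern: people go into global role groups, role groups go into domain-local resource groups, and only resource groups appear on ACLs, so access is changed by editing group membership rather than touching permissions.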
Important Default Groups
Group Name           What It Can Do
Domain Admins        Full control over everything in the domain.
Server Operators     Can manage servers, including Domain Controllers
                     (log on locally, start/stop services, back up and
                     restore), but is not a full admin.
Backup Operators     Can read and restore any file, even protected ones,
                     to back it up. On a Domain Controller that includes
                     the AD database itself.
Account Operators    Can create and edit user accounts and most groups
                     (but not the admin groups).
Domain Users         Every regular user belongs to this by default.
Domain Computers     All computers in the domain.
Domain Controllers   All Domain Controller machines.
Note: Server Operators, Backup Operators and Account Operators are often
treated as "not quite admins", but each of them can be turned into full
domain control (restoring a modified AD database, changing a service on a
DC, editing an account that is later added to an admin group). Treat
membership in all of them as privileged.
What is a Domain Controller (DC)
These are the brains of AD.
• A Domain Controller is a server that stores and manages the AD
database.
• It handles logins, checks passwords, issues Kerberos tickets and applies
security rules.
• If no DC is reachable, a user who has signed in to that computer before
can still log on with cached credentials, but nothing that needs the domain
(shared folders, new Group Policy, other servers) will work. Most domains
run at least two DCs for that reason.
Objects in AD
Everything in AD is treated as an object. The most common ones are:
• Users (employees)
• Groups (collections of users)
• Computers (workstations, servers)
• OUs (Organizational Units — used to organize other objects)
Each object has attributes, like a user having a name, email, and
department.
Active Directory Users and Computers (ADUC)
• A tool to view and manage users, computers, and groups.
• Installed on every Domain Controller (Start Menu > Windows Administrative
Tools, or run dsa.msc) and on any admin workstation with the RSAT tools.
• Everything is organized into containers and folders called Organizational
Units (OUs).
Organizational Units (OUs)
• OUs help organize users and computers based on structure (like
departments).
• Example: You might have OUs like IT, Marketing, Sales, etc.
• OUs let you apply different policies to different groups.
• A user can only belong to one OU at a time.
Common Default Containers
Container                 Purpose
Builtin                   Built-in security groups every Windows machine
                          knows (Administrators, Backup Operators, ...).
Computers                 New machines go here by default.
Domain Controllers        Holds all your Domain Controllers (this one is
                          an OU, not a container).
Users                     Default users and groups that come with AD.
Managed Service Accounts  Used for (group) managed service accounts.
Note: Builtin, Computers, Users and Managed Service Accounts are containers,
not OUs. You cannot link a Group Policy to a container, which is why objects
are normally moved out of them.
Security Groups vs Organizational Units
Security Groups                             Organizational Units (OUs)
Used to give access to resources            Used to apply settings/policies
(files, printers).                          (Group Policy) and delegate admin.
A user can be in many groups.               A user can only be in one OU.
Delegation of Control
Delegation means giving specific users permission to manage parts of AD
without being full admins.
Example:
• Gordy (IT support) should be able to reset passwords for users in:
o Sales
o Marketing
o Management
How to Delegate:
1. Right-click the OU (e.g., Sales).
2. Click Delegate Control.
3. Follow the wizard to give Gordy the needed permissions (like
resetting passwords).
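The same delegation done from PowerShell, which is also the way to audit what the wizard actually wrote. This is an added example, not code from the original notes: the user "gordy" and the three OU names are taken from the example above, the domain shya.local is invented, and the ActiveDirectory module is assumed. The three GUIDs are the fixed schema identifiers for the Reset Password right, the pwdLastSet attribute and the user object class; they are the same in every AD forest.

```powershell
# Added example (not from the original notes). Grants the hypothetical user
# "gordy" the right to reset passwords, and to force a change at next logon,
# for user objects in three OUs of the assumed domain shya.local.
Import-Module ActiveDirectory

$domainDn = 'DC=shya,DC=local'
$ous      = 'Sales', 'Marketing', 'Management' | ForEach-Object { "OU=$_,$domainDn" }
$helpdesk = (Get-ADUser -Identity 'gordy').SID

# Well-known schema GUIDs (fixed in every AD forest):
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # "user" object class

$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rwProp   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

foreach ($ou in $ous) {
    $acl = Get-Acl -Path "AD:\$ou"

    # ACE 1: Reset Password on user objects below this OU. Scoping the ACE to
    # the user class means Gordy cannot reset computer or service-account
    # passwords that happen to live in the same OU.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $helpdesk, $extRight, $allow, $resetPasswordRight, $inherit, $userClass))

    # ACE 2: read/write pwdLastSet so "user must change password at next logon" works.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $helpdesk, $rwProp, $allow, $pwdLastSetAttr, $inherit, $userClass))

    Set-Acl -Path "AD:\$ou" -AclObject $acl
}

# Verify: list every non-inherited ACE naming gordy on each OU. Run this
# periodically on all OUs; delegated rights that nobody remembers are a
# common privilege-escalation path.
foreach ($ou in $ous) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like '*gordy' -and -not $_.IsInherited } |
        Select-Object @{n='OU';e={$ou}}, ActiveDirectoryRights, ObjectType, InheritedObjectType
}
```

If you later run the Delegate Control wizard and pick "Reset user passwords and force password change at next logon", the verification loop shows these same two ACEs, which is a good way to learn what each wizard task really grants.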
Managing Computers in Active Directory
By default, any device that joins the domain (except Domain Controllers) is
placed in the "Computers" container.
When checking this container, you might see:
• Servers
• Laptops
• Personal computers used by employees
Don't Use the “Computers” Container
By default, new computers get dumped into the Computers container. It is a
container, not an OU, so you cannot link a Group Policy to it, and
everything in it (servers, laptops, desktops) is treated the same way.
Best practice is to move them into OUs you create (like “Workstations” or
“Servers”) so you can apply GPOs and organize them better, and to redirect
new domain joins to one of those OUs (the redircmp command does this).
Why This Is Not Ideal
Having all machines in one place makes it difficult to manage them
properly.
Usually, you want different settings (Group Policies) for servers and for
regular user devices, and you want to know which machines are which.
Recommended Structure
A good starting point is to organize devices by type or function. Typically,
you’d separate them into:
1. Workstations
o Used by regular users for daily tasks
o No privileged accounts should sign in to these machines
2. Servers
o Provide services to users or other systems
3. Domain Controllers (DCs)
o Manage the domain and contain sensitive information like
hashed user passwords
o These are already placed in a special OU by default
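The recommended structure built from PowerShell, including the redirection of new domain joins and the clean-up of what is already in the Computers container. This is an added example, not code from the original notes; it assumes the ActiveDirectory module, Domain Admin rights and the invented domain shya.local.

```powershell
# Added example (not from the original notes). Assumes the ActiveDirectory
# module, Domain Admin rights and the hypothetical domain shya.local.
Import-Module ActiveDirectory
$domainDn = 'DC=shya,DC=local'

# 1. Create the two OUs (protected from accidental deletion, like the DC OU is).
foreach ($name in 'Workstations', 'Servers') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDn -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $name -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Redirect new domain joins so they land in an OU, not the Computers
#    container (a container cannot have a GPO linked to it). redircmp is
#    built into every Domain Controller.
redircmp "OU=Workstations,$domainDn"

# 3. Sort what is already in CN=Computers by operating system. Objects with no
#    OperatingSystem attribute (pre-staged or stale accounts) are reported, not
#    moved, so nothing silently ends up in the wrong tier.
$unsorted  = @()
$computers = Get-ADComputer -SearchBase "CN=Computers,$domainDn" -Filter * -Properties OperatingSystem
foreach ($c in $computers) {
    if (-not $c.OperatingSystem) { $unsorted += $c.SamAccountName; continue }
    $target = if ($c.OperatingSystem -like '*Server*') { "OU=Servers,$domainDn" }
              else                                       { "OU=Workstations,$domainDn" }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
    '{0,-18} -> {1}' -f $c.SamAccountName, $target
}
if ($unsorted) { "Review manually (no OperatingSystem attribute): $($unsorted -join ', ')" }

# 4. Confirm nothing is left behind.
'Still in CN=Computers: ' + @(Get-ADComputer -SearchBase "CN=Computers,$domainDn" -Filter *).Count
```

Stale machine accounts found in step 3 are worth a second look: a computer object that has not rotated its password in months is either a decommissioned machine that should be deleted or one that is not getting policy, and either way an attacker who knows its password has a valid domain identity.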
Group Policies (GPOs)
Why We Use OUs
Organizing users and computers in OUs isn’t just for structure — it allows
you to apply different settings (policies) to each OU. This helps enforce
security and configuration rules based on department or device type.
What is a GPO?
• Group Policy Object (GPO) = A collection of settings.
• Can apply to users or computers.
• Linked to specific OUs to enforce policies only on the items within
that OU (and its sub-OUs).
Tool to Manage GPOs
• Use Group Policy Management (search it in Start Menu).
• You’ll see your OU structure inside.
• You can create a GPO, then link it to any OU.
Default GPOs You May See
• Default Domain Policy – applies to the entire domain.
• Default Domain Controllers Policy – applies only to Domain
Controllers OU.
• Other custom policies like RDP Policy may exist.
Note: GPOs apply to the OU and all sub-OUs under it.
GPO Structure
Each GPO has:
• Scope Tab – shows where it’s linked.
• Settings Tab – shows what configurations it contains.
• GPOs can apply to:
o Computer Configuration
o User Configuration
Example:
The Default Domain Policy holds the domain-wide password and lockout
settings and applies to all users and computers unless filtered. Password
and lockout settings only take effect from a GPO linked at the domain level,
so they are normally left in this policy.
Security Filtering
By default, GPOs apply to Authenticated Users (every user and computer).
You can limit a GPO to specific users or groups using Security Filtering.
If you remove Authenticated Users from the filter, leave it (or Domain
Computers) with Read permission on the Delegation tab: the computer account
has to be able to read every GPO, including user-side settings, or the policy
silently stops applying.
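A GPO created, filled, linked and security-filtered from PowerShell, with the Read permission kept for Authenticated Users. This is an added example, not code from the original notes; the GroupPolicy module (installed with Group Policy Management) is assumed, and the GPO name, the Workstations OU, the pilot group and the domain shya.local are invented. The setting it delivers, LmCompatibilityLevel = 5, is the registry value behind "Network security: LAN Manager authentication level" and makes clients send only NTLMv2 and refuse LM and NTLMv1.

```powershell
# Added example (not from the original notes). Creates a GPO that forces
# NTLMv2-only authentication, links it to the assumed Workstations OU and
# restricts it to one security group. Names are invented.
Import-Module GroupPolicy

$domainDn = 'DC=shya,DC=local'
$gpoName  = 'Workstation - NTLMv2 only'
$target   = "OU=Workstations,$domainDn"
$scopeGrp = 'SHYA\Workstations-Pilot'     # computer group that gets the policy first

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'LmCompatibilityLevel=5: send NTLMv2 only, refuse LM and NTLMv1'
}

# Computer Configuration setting, delivered as registry policy (registry.pol).
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

# Link it to the OU (and therefore to every sub-OU under it).
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Security filtering: only members of the pilot group APPLY the GPO.
# Authenticated Users is dropped to Read (not removed): the computer account
# must still be able to read the GPO or processing breaks silently.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $scopeGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Show the result: status, and who can read versus apply it.
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus, ModificationTime
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

On a target machine, gpupdate /force followed by gpresult /r shows whether the GPO was applied or filtered out, which is the first thing to check when a setting does not arrive.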
Authentication in Windows Domains
When someone logs into a Windows computer that's part of a domain (like
in a company), Windows needs to check if the username and password
are correct.
This is done by contacting the Domain Controller (DC), which stores all
usernames and password info.
There are two main ways Windows can do this:
1. Kerberos (Default and secure)
Kerberos is like a "ticket system" for logging in and using things on the
network.
Imagine this:
You check in at a hotel and get a main ticket from the front desk. Then, if
you want to use the gym or the pool, you show your ticket, and they give
you access passes for each area, without asking for your ID again.
That’s how Kerberos works.
Step-by-step:
1. Logging in:
Your computer sends your username plus a timestamp encrypted with a key
derived from your password to the Domain Controller’s Key Distribution
Center (KDC). This is Kerberos pre-authentication: the KDC can only decrypt
the timestamp if it knows the same key.
2. Getting a main ticket (TGT):
If the timestamp decrypts correctly, you get a TGT (Ticket Granting Ticket),
encrypted with the key of the krbtgt account so only the KDC can read it, and
a session key.
This TGT is your proof that you’re a trusted user.
3. Asking to use a service (like a shared folder):
You present your TGT to the KDC again and name the service (by its Service
Principal Name, SPN). The KDC gives you a service ticket (often called a TGS
ticket) just for that service, encrypted with that service’s own key.
4. Accessing the service:
You show the service ticket to the service. The service decrypts it with its
own key, and if it’s valid, you’re in. The DC is not contacted for this step.
You only log in once, and then use tickets to access everything else.
Your password itself never travels over the network at all; only things
encrypted with a key derived from it do.
Caveat: Kerberos needs a name to look up an SPN. If you connect to a server
by IP address instead of its DNS name, Windows cannot find an SPN and falls
back to NetNTLM.
2. NetNTLM (Older and less secure)
NetNTLM is an older method that uses a challenge-response process. It’s
still used in some places for compatibility.
Think of it like this:
Instead of showing a ticket, the server gives you a puzzle (challenge) to
solve.
You use your password (or more accurately, a hash of it) to solve the puzzle
and send the answer back.
If your answer is correct, you’re allowed in.
Step-by-step:
1. You try to log in to a server.
2. The server sends you a random number (challenge).
3. Your computer combines the challenge with your password hash (the NT
hash) to create a response.
4. The server forwards both the challenge and your response to the Domain
Controller over its secure channel.
5. The Domain Controller recomputes the response from the NT hash it has
stored and compares.
6. If they match, you’re logged in.
Password is never sent directly.
But NetNTLM is weaker and can be abused in several ways:
• Pass-the-hash: whoever has the NT hash (for example, dumped from a
compromised computer’s memory) can compute responses without ever knowing
the password.
• Relay attacks: an attacker who can get a client to authenticate to them
forwards the challenge/response to a real server and gets in as that user,
unless the server requires SMB/LDAP signing.
• Offline cracking: captured challenge/response pairs can be brute-forced;
NTLMv1 responses fall quickly and NTLMv2 responses fall if the password is
weak.
Summary (Simple Comparison)
Feature                      Kerberos                             NetNTLM
Used by default?             Yes (modern, domain-joined Windows)  No (fallback for older systems/tools,
                                                                  or when connecting by IP address)
Secure?                      Yes                                  Less secure
Sends password on network?   No                                   No
Uses tickets?                Yes                                  No (challenge-response)
Login process                Log in once, then reuse tickets      Solve a new challenge every time
Still used?                  Yes                                  Sometimes (for compatibility)
Trees, Forests and Trusts
1. Single Domain – One Big Office
Imagine a company that works in just one country and has one main office.
Everyone works under one roof, with one team managing all the computers,
users, and servers. That’s like having one domain — simple and easy to
manage at first.
2. Trees – Branching into Countries
Now imagine the company opens a new office in another country. This new
branch needs its own rules, IT staff, and systems. Instead of keeping
everything in the same office, you create a new office for that country but
still connect it to the main company.
This is like creating a Tree in Active Directory:
• The main company is shya.local
• The UK office is uk.shya.local
• The US office is us.shya.local
Each office (domain) has its own team and computers, but they’re all part
of the same larger company (the tree). IT teams can manage their own
areas without interfering with others. This makes everything more
organized.
3. Forest – Merging with Another Company
Later, your company buys a different company, like MHT Inc. They already
have their own setup: their own IT team, systems, and a different domain
name like mht.local.
A forest is the outer boundary of Active Directory: every tree in it shares
one schema, one global catalog and automatic two-way trusts between its
domains. Technically a forest exists from the moment the first domain is
created; shya.local, uk.shya.local and us.shya.local already form one.
To bring mht.local in, you can add it as a second tree in the shya forest
(if it is being built fresh) so both companies work in the same digital
"ecosystem" even though they have different names. An existing forest
cannot simply be merged into another one, so with a real acquisition the two
forests usually stay separate and are connected with a forest trust (next
section). The forest, not the domain, is the security boundary: an admin of
any domain in a forest can, in practice, become an admin of all of them.
4. Trust Relationships – Giving Permission
Now, imagine someone in the UK office of shya.local (uk.shya.local) needs to
access a file from mht.local.
For that to happen, there needs to be trust between the domains. That’s
called a trust relationship.
• One-way trust: Only one side lets the other in. If uk.shya.local trusts
mht.local, then a user in MHT can be granted access to Shya UK’s resources,
but not the other way around. The domain that holds the resources is the
trusting domain; the domain whose users get in is the trusted domain.
• Two-way trust: Both domains trust each other, so users on either side can
be granted access to the other’s shared resources. Domains inside one forest
have two-way trusts automatically.
Trust doesn’t mean automatic access; it just makes it possible to grant
access. For trusts with another organization, leave SID filtering on and
consider selective authentication, so a compromised admin on their side
cannot inject privileged group SIDs or reach every server on yours.
Quick Summary
• Domain = One office (shya.local)
• Tree = Offices in different countries, all under the same DNS name
(uk.shya.local, us.shya.local)
• Forest = One or more trees sharing a schema and global catalog; two
companies with different names can be two trees in one forest (shya.local
and mht.local) or two forests joined by a forest trust
• Trusts = Agreements that let people from one domain be granted access to
another domain’s resources (if allowed)
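How to see the forest, tree and trust layout of the domain you are in, with the trust direction spelled out in the terms used above. This is an added example, not code from the original notes; it assumes the ActiveDirectory module and a domain-joined machine, and will show whatever forest it is run in (shya.local is only the name used in the text).

```powershell
# Added example (not from the original notes). Assumes the ActiveDirectory
# module; run from any domain-joined machine as a normal domain user.
Import-Module ActiveDirectory

$forest = Get-ADForest
'Forest root    : {0}' -f $forest.RootDomain
'Domains        : {0}' -f ($forest.Domains -join ', ')
'Global catalogs: {0}' -f ($forest.GlobalCatalogs -join ', ')

# Each domain in the forest with its parent: a child whose parent is set is a
# branch of a tree; a domain with no parent is the root of its own tree.
foreach ($d in $forest.Domains) {
    $dom    = Get-ADDomain -Identity $d
    $parent = if ($dom.ParentDomain) { $dom.ParentDomain } else { '(tree root)' }
    '{0,-22} parent={1,-15} PDC={2}' -f $dom.DNSRoot, $parent, $dom.PDCEmulator
}

# Trusts of the current domain. Direction is from this domain's point of view:
# Outbound = we trust them (their users can be granted access here),
# Inbound  = they trust us (our users can be granted access there).
Get-ADTrust -Filter * | ForEach-Object {
    $meaning = switch ($_.Direction) {
        'Outbound'      { "we trust $($_.Name): its users can be granted access to our resources" }
        'Inbound'       { "$($_.Name) trusts us: our users can be granted access to its resources" }
        'BiDirectional' { 'two-way: either side can grant the other access' }
        default         { "direction: $($_.Direction)" }
    }
    [pscustomobject]@{
        Trust                   = $_.Name
        Direction               = $_.Direction
        IntraForest             = $_.IntraForest              # automatic parent/child or tree-root trust
        ForestTransitive        = $_.ForestTransitive         # forest trust reaching every domain over there
        SIDFilteringQuarantined = $_.SIDFilteringQuarantined  # $true: SID history from the other side is ignored
        SelectiveAuthentication = $_.SelectiveAuthentication  # $true: access must be granted per server
        Meaning                 = $meaning
    }
} | Format-List
```

The last two fields are the ones to review on any trust with another organization: a forest trust with SID filtering off lets an admin on the other side add your Domain Admins SID to one of their accounts' SID history and walk in as an admin.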
DNS is Critical
AD relies on DNS (Domain Name System) to work properly. Domain Controllers
publish their services as DNS SRV records (for example _ldap._tcp and
_kerberos._tcp under the domain name), and every client finds a DC by
looking those up.
• If DNS is not working, users might not be able to log in, find a DC, or
locate services, and Kerberos (which needs names, not IPs) fails.
• Always make sure your Domain Controllers and clients point at DNS servers
that host the AD zone, and that the SRV records exist.
Kerberos Golden Ticket Attack
What is it?
A Golden Ticket attack is a powerful cyberattack where an attacker forges
a valid Kerberos Ticket Granting Ticket (TGT). This fake ticket lets them
impersonate any user including Domain Admins and gain unrestricted
access to resources across the entire domain.
How does it happen?
• Every TGT is encrypted, and its embedded authorization data (the PAC)
signed, with the key of the krbtgt account, a built-in, disabled account
that exists in every domain.
• The KDC accepts any TGT it can decrypt with that key; it does not check
the ticket’s contents against the directory. So whoever holds the krbtgt
key (its NT hash or AES key) can mint TGTs the domain will honour.
• Attackers obtain the key by compromising a Domain Controller (reading the
AD database file ntds.dit or LSASS memory, or restoring a DC backup) or by
abusing directory replication rights (a DCSync attack), which is why
replication rights are as sensitive as DC admin rights.
• These forged TGTs are the “Golden Tickets.”
• With a Golden Ticket, attackers don’t need to know any user’s password.
They choose the username and the group memberships written into the ticket
(Domain Admins included), and the name does not even have to exist in AD.
Why is it dangerous?
• The attacker can impersonate any user, including Domain Admins.
• They gain persistent and stealthy access to almost everything in the
domain.
• Detection is hard because the tickets appear valid to security
systems.
How to protect and detect?
• Protect the krbtgt account:
o Reset the krbtgt password twice, waiting between the two resets for
replication to finish and for the maximum TGT lifetime (10 hours by
default) to pass. AD keeps the previous krbtgt key, so after a single
reset old golden tickets still work; two back-to-back resets invalidate
tickets users are actively using and break logons.
o Do this on a schedule (every 180 days is a common choice) and always
after a suspected DC compromise.
o Limit the number of Domain Controllers, protect their backups like the
DCs themselves, and treat anyone with replication rights as a DC admin.
• Monitor suspicious Kerberos activity:
o Service ticket requests (event ID 4769) for user names that do not
exist in AD, or from accounts that never obtained a TGT (no event 4768)
from any DC.
o Ticket lifetimes beyond the domain’s Kerberos policy (forging tools
default to years), and RC4 tickets in a domain that has moved to AES.
o Use security tools that detect Golden Ticket patterns.
• Limit administrative privileges and follow the principle of least
privilege: no Domain Admin logons on workstations, so the krbtgt key is
never one LSASS dump away.
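The two defensive steps above, as an added example rather than code from the original notes: a per-DC report of the krbtgt key age (which doubles as the replication check needed between the two resets), a function that performs exactly one reset, and a detection query for 4769 events that name a user AD has never heard of. It assumes the ActiveDirectory module, Domain Admin rights, and that the detection function runs on a Domain Controller (that is where the 4769 events are); the 180-day threshold is a common choice, not a Microsoft default.

```powershell
# Added example (not from the original notes). Assumes the ActiveDirectory
# module and Domain Admin rights; run the detection part on a DC.
Import-Module ActiveDirectory

function Get-KrbtgtStatus {
    # Age of the krbtgt key as seen by EACH DC. Different PasswordLastSet values
    # mean the last reset has not replicated everywhere yet.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $k   = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet -Server $dc
        $age = (Get-Date) - $k.PasswordLastSet
        [pscustomobject]@{
            DC              = $dc
            PasswordLastSet = $k.PasswordLastSet
            AgeDays         = [int]$age.TotalDays
            NeedsRotation   = $age.TotalDays -gt 180     # assumed policy, not a default
        }
    }
}

function Invoke-KrbtgtReset {
    # ONE reset. AD keeps the previous key, so tickets issued under it stay valid.
    # Run this a second time only after Get-KrbtgtStatus shows the same
    # PasswordLastSet on every DC AND the maximum TGT lifetime (10 h by default)
    # has passed. Nobody needs to know the new password; AD derives the key.
    $bytes = [byte[]]::new(48)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    $pdc = (Get-ADDomain).PDCEmulator
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $newPassword -Server $pdc
    "krbtgt reset on $pdc at $(Get-Date -Format s); confirm replication before the second reset"
}

function Find-TicketsForUnknownUsers {
    # Detection: 4769 service-ticket requests naming a user that does not exist.
    # A forged TGT can carry any name; the KDC never checks it against AD.
    param([int]$Hours = 24)
    $known = @{}
    Get-ADUser -Filter * | ForEach-Object { $known[$_.SamAccountName.ToLower()] = $true }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $user = ($d.TargetUserName -split '@')[0].ToLower()
            # Machine accounts end with $ and are not users, so they are skipped.
            if ($user -and -not $user.EndsWith('$') -and -not $known.ContainsKey($user)) {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName
                                   Service = $d.ServiceName; Client = $d.IpAddress }
            }
        }
}

Get-KrbtgtStatus | Format-Table -AutoSize
Find-TicketsForUnknownUsers -Hours 24
```

Invoke-KrbtgtReset is deliberately not called at the bottom: run it by hand, wait, run Get-KrbtgtStatus until every DC agrees, wait out the TGT lifetime, then run it once more.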
LDAP (Lightweight Directory Access Protocol)
What is LDAP?
LDAP is the protocol used to query and modify the directory information
Active Directory holds (users, groups, computers, permissions). AD stores the
data in its own database; LDAP is how clients read and change it over the
network, on TCP port 389 (636 for LDAPS).
How does it work?
• LDAP is like a language or method computers use to talk to AD and
ask questions such as:
o “Who is user John?”
o “What groups does user Jane belong to?”
o “What is the email address of this user?”
• It organizes data in a tree-like structure, matching AD’s organization.
• When you search or update directory info (e.g., adding a user,
changing a password), LDAP is the protocol behind it.
Why is LDAP important?
• Most applications that integrate with AD use LDAP to authenticate
users or retrieve info.
• Tools like Microsoft Outlook, SharePoint, or custom apps rely on
LDAP queries to get user details.
• LDAP allows centralized management of network resources.
Security considerations:
• A plain LDAP "simple bind" on port 389 sends the username and password in
clear text, and an unsigned session can be tampered with in transit.
Windows clients normally bind with Kerberos (SASL), which keeps the password
off the wire and can sign and seal the session, but many third-party apps
and scripts still use simple binds.
• LDAPS (LDAP over TLS, port 636; 3269 for the global catalog) encrypts the
whole session. On the DCs, also enforce LDAP signing and channel binding so
unsigned or relayed binds are refused.
• Every domain user can read most of the directory by default. Keep
sensitive data (passwords, keys, personal details) out of attributes, and
review who can read confidential attributes, because LDAP is also the first
thing an attacker uses to map the domain.
Common LDAP operations:
Operation    Description
Bind         Authenticate and establish a session
Search       Find objects in the directory (base DN + filter + attributes)
Modify       Change object attributes
Add/Delete   Create or remove objects
Unbind       Close the session
Summary:
LDAP is the foundation for how AD stores and shares directory data.
Understanding LDAP is key to managing AD, integrating applications, and
securing directory services.
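The bind and search operations above, done over LDAPS with a Kerberos bind using the .NET System.DirectoryServices.Protocols classes that ship with Windows. This is an added example, not code from the original notes; the DC name dc01.shya.local, the base DN and the user jdoe are invented, and the machine is assumed to be domain-joined so the SSPI bind can use the caller's Kerberos ticket.

```powershell
# Added example (not from the original notes). Assumes a domain-joined host
# and the hypothetical DC dc01.shya.local with an LDAPS certificate it trusts.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$dc     = 'dc01.shya.local'
$baseDn = 'DC=shya,DC=local'

function New-SecureLdapConnection {
    param([string]$Server)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true     # TLS from the first byte (LDAPS)
    $conn.SessionOptions.ProtocolVersion   = 3
    # Negotiate = Kerberos through SSPI: no password on the wire at all.
    # AuthType Basic would be a "simple bind": the password goes in clear text
    # and only TLS (if present) protects it.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                                       # Bind = authenticate, open session
    return $conn
}

function Find-LdapEntries {
    param($Conn, [string]$Filter, [string[]]$Attributes)
    $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
                $baseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)
    $resp = $Conn.SendRequest($req)
    foreach ($e in $resp.Entries) {
        $o = [ordered]@{ dn = $e.DistinguishedName }
        foreach ($a in $Attributes) {
            $o[$a] = if ($e.Attributes.Contains($a)) { $e.Attributes[$a].GetValues([string]) -join '; ' } else { '' }
        }
        [pscustomobject]$o
    }
}

$conn = New-SecureLdapConnection -Server $dc

# "What groups does Jane belong to?" (direct memberships, from memberOf)
Find-LdapEntries -Conn $conn -Attributes 'mail', 'memberOf' `
    -Filter '(&(objectClass=user)(sAMAccountName=jdoe))'

# The same protocol, asked the way an attacker asks: accounts with an SPN
# whose password never expires. 1.2.840.113556.1.4.803 is the bitwise-AND
# matching rule; 65536 (0x10000) is the DONT_EXPIRE_PASSWORD flag.
Find-LdapEntries -Conn $conn -Attributes 'sAMAccountName', 'servicePrincipalName' `
    -Filter '(&(objectClass=user)(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$conn.Dispose()                                        # Unbind
```

The second query works for any authenticated domain user, which is the point of the "proper permissions" note above: what the directory reveals to everyone is also what an attacker with one phished account can enumerate.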
Account Lockout Policies
What they are:
Account lockout policies are security settings in Windows Server (usually
applied through Group Policy) that automatically lock a user account
after a set number of failed login attempts. This is mainly to prevent brute-
force attacks, where attackers try to guess passwords by repeatedly
attempting logins.
Why They Matter:
• Stops attackers from repeatedly trying to guess passwords.
• Protects user accounts, especially those with weak passwords.
• Helps detect suspicious activity — sudden lockouts can signal a
brute-force attack.
Main Settings in the Policy:
1. Account Lockout Threshold
– The number of failed logon attempts before the account is locked.
0 means accounts are never locked.
– Example: 5 attempts.
2. Account Lockout Duration
– How long the account stays locked before it is automatically unlocked.
– Example: 15 minutes. (0 = stays locked until an admin manually unlocks
it.)
3. Reset Account Lockout Counter After
– How long after the last failed attempt the count resets to zero if there
are no more failures. Must be less than or equal to the lockout duration.
– Example: 10 minutes.
Security Tip – Balance is Key:
• If the settings are too strict, legitimate users get locked out for
simple typos, stale saved passwords or bad Wi-Fi, and an attacker who knows
a list of usernames can lock everyone out on purpose (a denial of service).
• If they’re too lenient, attackers can try thousands of passwords without
being stopped.
• Attackers know the threshold exists, so they "spray": one or two common
passwords against every account, staying under the threshold. Lockout slows
attacks on one account; it does not stop spraying, so watch failed logons
across all accounts, not just lockouts.
• Best practice: Choose values that slow attackers down but don’t
frustrate users.
Real-World Example:
• A company sets the policy:
o Threshold: 5 attempts
o Duration: 15 minutes
o Reset time: 10 minutes
• If a user types the wrong password 5 times, their account locks.
After 15 minutes, it unlocks automatically.
Meanwhile, the security team can investigate if they see a lot of lockouts
for multiple users — it could mean someone is trying to guess passwords.
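The example policy applied to the domain, followed by the investigation the security team would run: lockouts are logged as event ID 4740 on the Domain Controller that locked the account and on the PDC emulator, and the event records the name of the computer the bad passwords came from. This is an added example, not code from the original notes; it assumes the ActiveDirectory module, Domain Admin rights and permission to read the PDC's Security log remotely.

```powershell
# Added example (not from the original notes). Assumes the ActiveDirectory
# module, Domain Admin rights and remote read access to the PDC's Security log.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# 1. Apply the example policy (this writes the Default Domain Policy values).
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 10)
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Pull the last 24 h of lockouts from the PDC emulator, which sees all of them.
#    In a 4740 event TargetUserName is the locked account and TargetDomainName
#    is the "Caller Computer Name": the machine that sent the bad passwords.
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) }
$lockouts = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time = $ev.TimeCreated; Account = $d.TargetUserName; Source = $d.TargetDomainName }
}

# 3. Triage. One source locking many different accounts = password spraying or
#    a brute-force tool; one account locked repeatedly from one source is usually
#    a stale saved credential (scheduled task, mapped drive, phone).
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='CallerComputer';e={$_.Name}}, Count,
                  @{n='DistinctAccounts';e={ @($_.Group.Account | Sort-Object -Unique).Count }}

# 4. Who is locked out right now (unlock with Unlock-ADAccount once the cause is known).
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate, LockedOut
```

If the Security log on the PDC is short, 4740 events roll off within hours on a busy domain; forwarding them to a central collector or SIEM is what makes the "many lockouts for many users" pattern visible after the fact.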
What Are NTFS Permissions?
NTFS (New Technology File System) permissions are set directly on a file
or folder on the disk. They control what a user can do when they're on the
computer itself or accessing the file through a shared folder.
Set Where?
Right-click a folder > Properties > Security tab
Common NTFS permissions:
• Read: View files and folder contents
• Read & Execute: Read, plus run programs and scripts
• List Folder Contents: Read & Execute, applied to folders only
• Write: Create files and write data (does not include delete, or read)
• Modify: Read & Execute plus Write plus delete
• Full Control: Everything, including changing permissions and taking
ownership
Permissions are inherited from the parent folder unless inheritance is
turned off, and an explicit Deny wins over Allow.
Best For:
Detailed control over users/groups, even inside nested folders.
What Are Share Permissions?
Share permissions apply only when a folder is accessed over the
network (like from another computer). You set them when you decide to
share a folder.
Set Where?
Right-click > Properties > Sharing tab > Advanced Sharing
Common Share permissions:
• Read: View files, but can’t change them
• Change: View, add, modify, delete files
• Full Control: Same as Change, plus can change permissions
Best For:
Quick, general control at the network entry point. Over the network the
effective permission is the more restrictive of the share permission and
the NTFS permission, so the usual pattern is a broad share permission (for
example Authenticated Users: Change) and the real access control in NTFS.
A share set to Read gives Read even to a user with NTFS Full Control.
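The pattern above set up from PowerShell: explicit NTFS permissions with inheritance cut, a share with a broad Change permission and SMB encryption, and a final listing of both layers. This is an added example, not code from the original notes; the path D:\Shares\Sales, the share name and the domain-local group SHYA\FS01-Sales-Modify are invented, and the script is assumed to run as a local administrator on the file server.

```powershell
# Added example (not from the original notes). Run as a local administrator
# on the file server; path, share name and group are hypothetical.
$path  = 'D:\Shares\Sales'
$group = 'SHYA\FS01-Sales-Modify'       # domain-local resource group that should get Modify
New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS layer: stop inheriting the drive's permissive defaults, then grant explicitly.
# (OI)(CI) = applies to files and subfolders; M = Modify, F = Full Control.
# Note the ${} around the variable: "$group:" would be parsed as a drive name.
icacls $path /inheritance:r `
    /grant:r "${group}:(OI)(CI)M" `
    /grant:r 'SHYA\Domain Admins:(OI)(CI)F' `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Share layer: broad and simple, so NTFS is the only place access is really
# decided. The effective network permission is the more restrictive of the two,
# so Change here never grants more than NTFS allows. EncryptData forces SMB3
# encryption, which stops credential and data sniffing on the LAN.
if (-not (Get-SmbShare -Name 'Sales' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Sales' -Path $path `
        -ChangeAccess 'NT AUTHORITY\Authenticated Users' -EncryptData $true | Out-Null
}
# Make sure the classic "Everyone: Read" entry is not lingering on the share.
Revoke-SmbShareAccess -Name 'Sales' -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# Show both layers side by side.
'--- Share permissions (\\{0}\Sales) ---' -f $env:COMPUTERNAME
Get-SmbShareAccess -Name 'Sales' | Select-Object AccountName, AccessControlType, AccessRight
'--- NTFS permissions ({0}) ---' -f $path
(Get-Acl -Path $path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

To test the result, map the share as a member of the group and as a user who is not: the first can create and delete files, the second is refused even though the share itself allows Change, because the NTFS layer never granted them anything.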
BitLocker for Servers
What it does:
BitLocker encrypts the entire hard drive on a Windows Server. This means
all the data on the drive is locked and can only be accessed with a special
key.
Why it matters:
If someone physically steals the server or removes the hard drive, they
won’t be able to read any of the data without the encryption key. This helps
protect sensitive information from being exposed.
When to use it:
BitLocker is especially useful for:
• Servers in less secure physical environments (like branch offices or
shared spaces)
• Portable servers or backup drives
• Any situation where someone could get physical access to the
hardware
Extra tip:
On a server, key the OS volume to the TPM so it boots unattended but refuses
to unlock if the boot chain has been tampered with, and add a recovery
password for the day the TPM or firmware changes. Make sure you safely store
the recovery keys; on a domain-joined server the standard place is the
computer object in AD DS, which Group Policy can require. Without them, a
failed motherboard, a firmware update or a disk moved to another machine
means the data is gone.
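Turning BitLocker on for a server's OS volume with a TPM protector plus a recovery password, and escrowing that password to Active Directory. This is an added example, not code from the original notes; it assumes a domain-joined Windows Server with a TPM, local admin rights, and that the domain allows recovery information to be stored in AD DS (the "Store BitLocker recovery information in Active Directory Domain Services" policy), which the escrow step needs.

```powershell
# Added example (not from the original notes). Assumes a domain-joined server
# with a TPM, admin rights, and a domain that permits AD DS key escrow.

# BitLocker is a feature on Windows Server and is not installed by default.
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools   # then reboot
Get-Tpm | Select-Object TpmPresent, TpmReady

# Encrypt the OS volume. The TPM releases the key automatically only when the
# boot measurements match, so a drive pulled into another machine stays sealed.
Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest

# Add a 48-digit recovery password for the cases the TPM will not unlock
# (firmware update, board swap, disk moved), then escrow it to the computer
# object in AD DS so it is never only on a sticky note.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# Status: VolumeStatus, percentage and which protectors are in place.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                  @{n='Protectors';e={ ($_.KeyProtector.KeyProtectorType -join ', ') }}

# Read the escrowed password back from AD (needs the ActiveDirectory module and
# rights on the computer object; by default only Domain Admins can read it).
Import-Module ActiveDirectory
$me = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
Get-ADObject -SearchBase $me -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword' |
    Select-Object Name, 'msFVE-RecoveryPassword'
```

The TPM-only protector is convenient but it means the disk unlocks for anyone who can boot the server to a logon screen; for servers in the "less secure physical environment" case above, consider adding a PIN or network unlock so physical access alone is not enough.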
Event Viewer
What it is:
Event Viewer is a built-in Windows Server tool that lets you view system
logs. These logs are records of what’s happening on the server—both good
and bad.
What you can see with it:
• User logon attempts, successful (event ID 4624) and failed (4625), with the
logon type and whether Kerberos or NTLM was used
• Account lockouts (4740) and logons with admin privileges (4672)
• Service crashes or failures
• Application errors and warnings
• System startup and shutdown logs
• Security events (like permission changes, new accounts, or the Security
log being cleared, event ID 1102, which is itself a red flag)
Why it matters:
Event Viewer is essential for:
• Troubleshooting problems (like why a service won’t start)
• Auditing user activity (checking who logged in and when)
• Investigating potential security issues
Knowing how to navigate and understand logs in Event Viewer is a core skill
for any Windows Server admin.
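Reading the Security log with Get-WinEvent instead of clicking through it, parsing the event XML into fields, and then asking the three questions a defender usually starts with: how much NTLM is still in use, where failed logons come from, and whether privileged accounts are signing in interactively on the wrong machines. This is an added example, not code from the original notes; it assumes rights to read the Security log on the target computer and the ActiveDirectory module for the group lookup.

```powershell
# Added example (not from the original notes). Assumes read access to the
# Security log of the target computer and the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LogonEvents {
    # Parse 4624 (success) and 4625 (failure) into one flat object per event.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Type    = $d.LogonType                   # 2 interactive, 3 network, 10 RDP, 4/5 batch/service
                Package = $d.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
                From    = $d.IpAddress
                Status  = $d.Status                      # 4625 only: 0xC000006A bad password, 0xC0000234 locked out
            }
        }
}

$ev = Get-LogonEvents -Hours 24

'--- 1. Successful logons by authentication package (how much NTLM is left?) ---'
$ev | Where-Object Id -eq 4624 | Group-Object Package | Select-Object Name, Count

'--- 2. Failed logons per source: many users from one source = spraying ---'
$ev | Where-Object Id -eq 4625 | Group-Object From | Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count,
                  @{n='DistinctUsers';e={ @($_.Group.User | Sort-Object -Unique).Count }}

'--- 3. Interactive/RDP logons by Domain Admins (should not happen on a workstation) ---'
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Select-Object -ExpandProperty SamAccountName
$ev | Where-Object { $_.Id -eq 4624 -and $_.Type -in '2', '10' -and
                     ($_.User -split '\\')[-1] -in $admins } |
    Select-Object Time, User, Type, From
```

Run it with -ComputerName against a Domain Controller for the domain-wide view of 4625 events, and against an ordinary workstation for question 3; a Domain Admin appearing in that third list is exactly the "no privileged accounts on workstations" rule from the OU section being broken.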
Hyper-V Role
What it is:
Hyper-V is Microsoft’s built-in virtualization feature in Windows Server. It
lets you create and run multiple virtual machines (VMs) on a single physical
server.
What it does:
Each VM acts like a separate computer, with its own operating system,
files, and settings—while all running on the same hardware.
Why it matters:
• Saves money and space by reducing the need for multiple physical
servers
• Lets you run different operating systems (e.g., Windows, Linux) for
testing or development
• Useful for creating isolated environments for training, labs, or
production systems
• Easier to back up and recover entire machines
Hyper-V is a critical tool in modern IT environments, especially in
organizations that need flexibility and scalability.
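Creating an isolated lab VM with the Hyper-V PowerShell module, with the security options a practitioner turns on by default: a Generation 2 VM, Secure Boot, a virtual TPM (needed for BitLocker or Windows Hello inside the guest) and an internal switch so the lab cannot reach the production network. This is an added example, not code from the original notes; the VM name, paths and ISO are invented, and the host is assumed to have the Hyper-V role installed.

```powershell
# Added example (not from the original notes). Assumes a Windows Server host
# with the Hyper-V role; names and paths are hypothetical.
Install-WindowsFeature Hyper-V -IncludeManagementTools     # first time only, then reboot

$vm = 'lab-dc01'

# An internal switch is reachable from the host only: the lab cannot touch
# the real network, which matters when you are testing attacks or malware.
if (-not (Get-VMSwitch -Name 'Lab-Internal' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Lab-Internal' -SwitchType Internal | Out-Null
}

# Generation 2 = UEFI firmware, which is what Secure Boot and a vTPM require.
New-VM -Name $vm -Generation 2 -MemoryStartupBytes 4GB `
       -NewVHDPath "D:\VMs\$vm.vhdx" -NewVHDSizeBytes 60GB -SwitchName 'Lab-Internal' | Out-Null
Set-VMProcessor -VMName $vm -Count 2

# Secure Boot with the Windows template, and a virtual TPM. The key protector
# wraps the vTPM state so it cannot be copied off the host in the clear.
Set-VMFirmware   -VMName $vm -EnableSecureBoot On -SecureBootTemplate MicrosoftWindows
Set-VMKeyProtector -VMName $vm -NewLocalKeyProtector
Enable-VMTPM     -VMName $vm

# Boot from the installer ISO, snapshot the clean state, then start.
Add-VMDvdDrive -VMName $vm -Path 'D:\ISO\WindowsServer.iso'
Set-VMFirmware -VMName $vm -FirstBootDevice (Get-VMDvdDrive -VMName $vm)
Checkpoint-VM  -Name $vm -SnapshotName 'clean-before-install'
Start-VM       -Name $vm

Get-VM -Name $vm | Select-Object Name, State, Generation,
    @{n='SecureBoot';e={ (Get-VMFirmware -VMName $_.Name).SecureBoot }},
    @{n='vTPM';e={ (Get-VMSecurity -VMName $_.Name).TpmEnabled }}
```

Restore-VMCheckpoint -Name 'clean-before-install' returns the machine to its pre-install state, which is what makes a Hyper-V lab useful for repeatedly practising the AD attacks and defences described in these notes without rebuilding anything.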
Best of luck on your learning journey. Keep pushing
forward, stay curious, and don’t get discouraged by
challenges, every step brings you closer to your goals.