Saturday, March 20, 2010

Enable Disk Quotas in XP

If the hard drive is formatted with NTFS, you can limit the amount of disk space a user can utilize using Disk Quotas. Disk Quotas are based on file ownership.

If you want to enable Disk Quotas in XP, follow this procedure:

  1. Open My Computer and right-click the hard drive you wish to enable the feature on.
  2. Select Properties.
  3. Click the Quota tab.
  4. Check the Enable quota management checkbox.
  5. Check the Deny disk space to users exceeding their quota limit checkbox. This will cause the user to receive an insufficient disk space error when their space limit is exceeded.
  6. Select the Limit disk space to radio button.
  7. Set the amount of disk space to be allocated to the user.
  8. Enter a value for the Set warning level to option.
  9. Click OK.

Friday, March 19, 2010

Configuring Disk Quotas in Windows 2003

What disk quotas are, when they should be used, and how to configure them in Windows 2003.
Looking for a means to manage the amount of network storage space users receive? Disk Quotas are the way to go. In this article we will look at what disk quotas are, when they should be used, and how to configure them in Windows 2003.

About Disk Quotas

Unfortunately, in Windows NT Disk Quotas didn’t exist, which was much to the disappointment of Windows Administrators. Along came Windows 2000 and with the introduction of Disk Quotas it meant Administrators had the ability to track and control user disk usage. The only problem was that they didn’t really have a sufficient way of managing disk quotas. Scripting, reporting and remote usage methods were somewhat limited and ambiguous. Windows 2003 offers better all round functionality and easier enterprise-wide disk quota manageability.

Disk quotas are used in conjunction with NTFS, Group Policy and Active Directory technology. NTFS is the file system on which disk quotas can be set, Group Policy is what is used to set disk quotas on a specific set of users and computers, and Active Directory is used to gather a list of users to which the disk quota group policy will be set. It is important to note that disk quotas can only be used with NTFS; setting them up on FAT or FAT32 drives is not possible.

Disk quotas are configured on a per volume basis and cannot be set on a file or folder level. Each volume would have its individual settings which do not affect any other volumes. You may have a single disk partitioned into two volumes (drives C and D for example) with each having their own quota settings. Disk quotas can also be configured on a per user basis and different groups of users can have different limits set. Administrators are the only ones to whom a disk quota does not apply; by default there are no limits for an Administrator.

There are numerous reasons you may wish to make use of disk quotas. Based on the requirements of your organization you might choose to configure disk quotas if you have a restricted amount of disk space on a specific server, a limited number of servers, or perhaps the need to monitor user disk space usage without actually enforcing a quota. You might be wondering why you’d want to just monitor user disk space usage. Well, let’s say you have a fileserver set up with multiple users in your organization using it every day to store temporary files. As time goes by and perhaps people forget to delete the files from the server, the amount of available disk space will continue to decrease. If nothing is done about it then users will be denied the right to add more files on the server (until some old files are removed). By monitoring user disk space usage with Microsoft’s disk quotas, you can be notified when space is running out and then increase the allocated space on the server accordingly or notify your users that they need to delete their files from the server. Additionally, setting a quota warning level will allow for a system event log to be written for your review.

Setting a Group Policy

The most practical means of configuring disk quotas on a large scale would be through a domain-level group policy. This will configure the settings automatically on any of the volumes you wish to have disk quotas enabled, saving you the need to have to configure each volume independently.

Open the Group Policy Object Editor (gpedit.msc) and navigate to Computer Configuration > Administrative Templates > System > Disk Quotas. On the right hand pane you will see a list of policies that can be applied. Double click the “Default Quota Limit and Warning Level Properties” setting.


Figure 1: The Default Quota Limit and Warning Level Properties Dialog

The default quota limit is the maximum amount of space assigned per default quota, whereas the warning level is the amount of space at which a warning is triggered. Normally 90-95% of the total value is a good limit to set as a warning.

Now configure any other settings you wish to be applied by selecting them from the right hand pane. To have your changes applied immediately you can enable the “Disk Quota Policy Processing” policy and choose “Process Even If The Group Policy Objects Have Not Changed” from Administrative Templates > System > Group Policy.


Figure 2: The Disk Quota Policy Processing Dialog

You may also want to manually force a group policy update using the gpupdate utility. Simply go to Start > Run and type gpupdate followed by the return key. This will refresh both the computer and user policies.

Whatever changes you make in the group policy will be reflected on the Quota properties tab of each volume you wish to configure in your domain. The options will appear grayed out and non-editable.

Configuring Disk Quotas and Disk Quota Entries

Using the Computer Management console, you can configure disk quotas for a local or remote volume from a central location. To open Computer Management, you have three choices; either right click My Computer and select Manage, type compmgmt.msc in the Run bar or select Computer Management from the Administrative Tools folder.

Select which computer you wish to manage from the root node. To select a remote machine right click the “Computer Management” node, select “Connect to another computer…” and choose the computer you wish to manage. Now, navigate to Storage > Disk Management and select the volume you want to configure from the right hand pane and open the properties dialog. Click the Quota tab and enable the options you want to be enforced.


Figure 3: The Disk Quota Properties Dialog

The traffic lights icon at the top indicates the status of the disk quota; red means quotas are disabled, orange signifies a changeover is taking place (while it rebuilds the disk information), and green means disk quotas are enabled. A textual representation of the status is shown on the right of the image.

Check “Deny disk space to users exceeding quota limit” to have Windows restrict users from adding more data to their allocated disk space when the quota limit has been reached. Users will be unable to add more data until some space is freed up.

As you can see from Figure 3 above, the quota limit for new users is greyed out. This is because we have already set it from the group policy, which overrides any customizable settings on the quota tab of a volume. In this case we have limited the user’s disk space to 500MB and set a warning level to 450MB.

You may choose not to limit disk usage and just enable quotas to track disk space usage on a per volume basis by leaving the “Deny disk space to users exceeding quota limit” checkbox unchecked and logging a warning when a user exceeds the warning level defined as part of the quota limit. Whenever a user exceeds this limit a Warning event log will be written to the Application Event Log and shown in the Event Viewer.


Figure 4: A warning event log for disk quotas

As per http://support.microsoft.com/kb/915182 there is a known issue in the pre service pack version of Windows 2003 in that the Warning event log is incorrectly shown as an Information log in Event Viewer. In the Quota Entries application however, it is correctly displayed as a Warning.

When you press the Apply button on the Disk Quota Properties Dialog you are notified that the volume will be rescanned to update the statistics and that this operation may take several minutes. Simply press OK to continue and have disk quotas enabled on that volume.

Quota Entries

Click the Quota Entries button on the Disk Quota Properties Dialog to view a list of individual disk quota entries. From this section you can create, delete and manage quota entries for specific users or groups. If a user requires more space than others then you can set this from here.

Go to Quota > New Quota Entry and the Active Directory User Picker will appear. Choose a user from Active Directory and press OK. You will be given the option to limit disk space and set a warning level or not limit disk usage at all.


Figure 5: Adding a new quota entry

Once you have chosen your preferred settings, press OK and the user will be added to the list. You can monitor a user’s disk usage by looking at the properties of each of the columns. ‘Status’ indicates whether the user is within their limit, if a warning has been logged or if the limit has been exceeded; the icon will change accordingly.


Figure 6: Viewing a list of Quota Entries

Conclusion

This article has given you an overview of Disk Quotas in Windows 2003. We’ve looked at why they would be used and how to configure them.

Domain Controllers Security Issues

When it comes to Windows Server 2003 Active Directory networks, one of the most important server roles which can be configured is probably the domain controllers role.

Domain controllers perform a number of important functions and control activities within a domain, including the following:

  • Contain a replica of the Active Directory directory for the domain to which they belong, and are responsible for managing that directory.
  • Provide authentication services for the network.
  • Store and distribute group policies.
  • Manage access to network resources within the domain.
  • Manage changes to user accounts and computer accounts.
  • Manage changes to passwords.
  • Track user account information through Security Identifiers (SIDs). When a user attempts to log on to the system, a request to authenticate the user is sent to each domain controller within the domain.
  • Replicate changes made to their Active Directory replica to the remainder of the domain controllers within the domain.
  • Domain controllers also integrate with network services such as DNS, DHCP, Kerberos security, and Remote Access. This in turn facilitates centralized management and security.

From the above mentioned functions of domain controllers, you can see that the domain controllers' server role is an integral server role in all Windows based networks. When configuring domain controllers, you can configure a domain controller to perform only one main function, or you can configure the domain controller to perform a number of functions. The larger the network, the more specialized the configuration of the domain controller tends to become. The domain controllers within your Windows Active Directory environment should be well protected by means of special security configurations. Any unauthorized individuals that are able to access a domain controller would be able to severely compromise security on your network.

A few threats to domain controllers are listed here:

  • Attempts to gain access to the security database on the domain controller.
  • Attempts to copy the security database so that the database can be viewed and examined at a later stage.
  • Attempts to access domain controllers with the objective of viewing and seizing security configuration information.
  • Attempts to gain access to the security database on the domain controller to change the existing user rights, with the intent of configuring an unauthorized user with administrative access to your domain.
  • Attempts to access the domain controller to change computers belonging to the domain so that rogue computers can access the domain.

The importance of domain controllers basically forces you to implement security measures and policies that minimize the threats to domain controllers.

One of the obvious security strategies that should be implemented is to implement physical security for your domain controllers. Your domain controllers should always be physically secured in a secure location such as a data center. Physical access to the domain controllers' location should be limited to a few authorized individuals only.

You should also limit access from network connections to domain controllers. You should only configure services and applications that are needed by the domain controller server role. All services and applications that are unnecessary should be disabled or deleted.

Basic Security Measures for Securing Domain Controllers

The recommended basic security measures which you can implement to secure domain controllers are listed here:

  • Physically secure domain controllers. This should include access control to the location where domain controllers are kept.
  • The NTFS file system should be utilized to protect data on the system volume.
  • Limit membership to the following groups:
    • Domain Administrators group
    • Enterprise Administrators group
  • Strong passwords should be used on domain controllers to secure domain controllers from unauthorized access attempts.
  • All unnecessary services and applications should be deleted.
  • The syskey utility can be used to further protect the security database.
  • You can also secure domain controllers by requiring smart card access for access to domain controllers.
  • Use caution if you are delegating administrative control over the configuration of a domain controller.

How to create a system key

  1. Click Start, Run, and enter syskey. Click OK.
  2. Select Encryption Enabled.
  3. Click Update.
  4. Select the appropriate option.
  5. Click OK.

Securing Domain Controllers with Firewalls

You can use firewalls to protect domain controllers. Packet filtering features can be used to block traffic destined to and from a domain controller. You can also limit the number of ports that are opened between a domain controller and a computer. Only those ports which are needed for communication should be opened between a domain controller and computer.

The ports used by Active Directory for specific Active Directory communication are listed here:

  • For a user network logon over a firewall:
    • MS traffic; TCP port 445 and UDP port 445
    • DNS; TCP port 53 and UDP port 53.
    • Kerberos authentication protocol; TCP port 88 and UDP port 88.
    • Lightweight Directory Access Protocol (LDAP) ping; UDP port 389.
  • For a computer logon to a domain controller:
    • MS traffic; TCP port 445 and UDP port 445
    • DNS; TCP port 53 and UDP port 53.
    • Kerberos authentication protocol; TCP port 88 and UDP port 88.
    • Lightweight Directory Access Protocol (LDAP) ping; UDP port 389.
  • For verification of trust relationships between domain controllers:
    • MS traffic; TCP port 445 and UDP port 445
    • DNS; TCP port 53 and UDP port 53.
    • Kerberos authentication protocol; TCP port 88 and UDP port 88.
    • Lightweight Directory Access Protocol (LDAP); TCP port 389, for SSL TCP port 686.
    • Lightweight Directory Access Protocol (LDAP) ping; UDP port 389.
    • Netlogon.
  • For creation of a trust relationship between domain controller located in different domains:
    • MS traffic; TCP port 445 and UDP port 445
    • DNS; TCP port 53 and UDP port 53.
    • Kerberos authentication protocol; TCP port 88 and UDP port 88.
    • Lightweight Directory Access Protocol (LDAP); TCP port 389, for SSL TCP port 686.
    • Lightweight Directory Access Protocol (LDAP) ping; UDP port 389.
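
As an added example (not part of the original article), the Python script below checks a packet-filter rule list against the user and computer logon ports listed above. The rule format, the first-match and default-deny semantics, and the sample rules are assumptions made for illustration.

```python
# Ports the article lists for a user or computer logon across a firewall.
LOGON_PORTS = {
    ("tcp", 445): "MS traffic", ("udp", 445): "MS traffic",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("udp", 389): "LDAP ping",
}

# Constructed rule set in a hypothetical format: (action, protocol, first_port,
# last_port) for traffic from a client to the domain controller.
# Assumed semantics: the first matching rule wins, anything unmatched is denied.
SAMPLE_RULES = [
    ("allow", "tcp", 53, 53),
    ("allow", "udp", 53, 53),
    ("allow", "tcp", 88, 88),
    ("deny", "udp", 88, 88),      # blocks Kerberos over UDP
    ("allow", "tcp", 135, 445),   # a range much wider than the single port needed
    ("allow", "udp", 389, 389),
]

# The tight rule set: exactly one allow rule per listed protocol/port pair.
TIGHT_RULES = [("allow", proto, port, port) for proto, port in LOGON_PORTS]


def decide(rules, proto, port):
    """Return the action of the first rule matching proto/port, else 'deny'."""
    for action, r_proto, first, last in rules:
        if r_proto == proto and first <= port <= last:
            return action
    return "deny"


def review(rules, required):
    """Compare the effective policy with the required port set.

    Returns (blocked, excess):
      blocked - required (proto, port) pairs the rules do not allow
      excess  - (proto, first, last) ranges that are allowed but not required
    """
    blocked = sorted(key for key in required if decide(rules, *key) != "allow")
    excess = []
    for proto in ("tcp", "udp"):
        start = None
        # Port 65536 is a sentinel that closes a range ending at 65535.
        for port in range(1, 65537):
            extra = (port <= 65535
                     and decide(rules, proto, port) == "allow"
                     and (proto, port) not in required)
            if extra and start is None:
                start = port
            elif not extra and start is not None:
                excess.append((proto, start, port - 1))
                start = None
    return blocked, excess


if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("tight", TIGHT_RULES)):
        blocked, excess = review(rules, LOGON_PORTS)
        print(name)
        for proto, port in blocked:
            print(f"  blocked: {LOGON_PORTS[(proto, port)]} {proto}/{port}")
        for proto, first, last in excess:
            print(f"  not needed for logon: {proto}/{first}-{last}")
```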

Domain Controller-Specific Predefined Security Templates

When a server is first promoted to the domain controller role, a security template called the DC security.inf template is applied to the domain controller. A security template can be defined as a collection of security configuration settings or parameters that can be applied to a domain controller, member server or a workstation. The settings within a security template are used to control the security configuration of a computer through both local policies and group policies.

The DC security.inf security template defines default system services settings, default security settings, and file system and Registry settings for a domain controller. The DC security template is created when a server is first promoted to the domain controller role, and basically forms the baseline security for the domain controller.

The other predefined security templates which you can specify for a domain controller are:

  • securedc.inf template: This predefined security template contains security settings for domain controllers that enhance security on a domain controller while at the same time maintaining compatibility with most functions and applications. The securedc template includes enhanced security options and auditing policies. It also includes restrictions for anonymous users. The impact on applications is minimized, and computers are configured to LAN Manager responses.
  • hisecdc.inf template: This highly secure template contains security settings for domain controllers. The hisecdc template is considered a stronger, more secure setting than the securedc template. The hisecdc template provides improved security for NTLM (NTLM version 2), and applies both Registry and file security. The hisecdc template also disables all additional services and removes all members from the Power Users group. It is recommended that you use the hisecdc.inf template on domain controllers (if feasible).

Backing Up and Restoring Domain Controllers

A domain controller contains system state data that includes Active Directory and the SYSVOL directory. System state data consists of the Registry, system boot files, COM+ Class Registration database, Certificate Services database, and files under Windows File Protection. Backing up system state data backs up all system state data associated with the local computer. A domain controller can also contain applications or files that are specific to that particular domain controller. All these components have to be included when you back up the domain controller.

When you restore system state data and Active Directory to a domain controller, you have to decide on the method of restore to perform. System state data can be restored on the domain controller through either of the following methods:

  • Nonauthoritative restore: When a nonauthoritative restore is performed, Active Directory is restored from backup media on the domain controller. This information is then updated during replication from the other domain controllers. The nonauthoritative restore method is the default method to restore system state data to a domain controller.
  • Authoritative restore: In an authoritative restore, Active Directory is restored to the point of the last backup job. This method is typically used to recover Active Directory objects that were deleted in error. An authoritative restore is performed by first performing a nonauthoritative restore, and then running the Ntdsutil utility prior to restarting the server. You use the Ntdsutil utility to indicate those items that are authoritative. Items that are marked as authoritative are not updated when the other domain controllers replicate to the particular domain controller.

How to back up a domain controller

  1. Log on to the domain.
  2. Click Start, All Programs, Accessories, System Tools, and then click Backup.
  3. When the Welcome To The Backup Or Restore Wizard page opens, click Next.
  4. In the Backup Or Restore page, choose the Backup Files And Settings option. Click Next.
  5. When the What To Back Up page opens, choose the Let Me Choose What To Back Up option. Click Next.
  6. In the Items To Back Up page, select System State. Click Next.
  7. When the Backup Type, Destination, And Name page opens, select the appropriate option in the Select The Backup Type box.
  8. Choose the location for the backup in the Choose A Place To Save Your Backup box.
  9. Enter a name for the backup job in the Type A Name For This Backup box. Click Next.
  10. Click the Advanced button on the Completing The Backup Or Restore Wizard page.
  11. When the Type Of Backup page opens, choose the Normal option for the backup type, and then click Next.
  12. In the How To Back Up page, it is recommended to select the Verify Data After Backup option.
  13. If hardware compression is supported, and you are using a tape mechanism, click the Use Hardware Compression, If Available option. Click Next.
  14. When the Backup Options page opens, choose Replace The Existing Backups, and choose Allow Only The Owner And The Administrator Access To The Backup Data And To Any Backups Appended To This Medium. Click Next.
  15. Select the Now option in the When To Back Up page. Click Next.
  16. Click Finish.
  17. Click the Report button on the Backup Progress page to view a report on the backup job just completed.

How to restore system state data on a domain controller (nonauthoritative restore)

  1. Restart the local computer.
  2. During startup, press F8 to access the Windows Advanced Options.
  3. Proceed to select Directory Services Restore Mode. Press Enter.
  4. Choose the operating system that should be started at the Please Select The Operating System To Start prompt. Press Enter.
  5. Log on to the domain using an account with Administrator privileges.
  6. Click OK when a message appears stating that Windows is running in safe mode.
  7. Click Start, All Programs, Accessories, System Tools, and then click Backup.
  8. When the Welcome To The Backup Or Restore Wizard page opens, click Next.
  9. In the Backup Or Restore page, choose the Restore Files And Settings option. Click Next.
  10. On the What To Restore page, choose the data that should be restored. Click Next.
  11. Verify that the media that contains the backup file is in place.
  12. Click Finish to start the nonauthoritative restore.
  13. Click OK when a message appears stating that the restore will overwrite existing system state data.
  14. When the restore process completes, restart the computer.

Because of the type of information stored on domain controllers, you should audit all backup and restore events which are performed on your domain controllers. It is recommended that you enable the Local Policies | Security Options | Audit: Audit the use of Backup and Restore privilege option so that you can detect backups that are performed without authorization.

Digitally Encrypting and Signing Authentication Traffic

Computer accounts are used to manage and authenticate computers within a domain. Computer accounts are stored in Active Directory, and can be managed using the Active Directory Users And Computers management tool. A computer has to belong to a domain in order for you to log on to it using a domain user account. Computer accounts are automatically created for computers running Windows NT, Windows 2000, Windows XP Professional or Windows Server 2003 when joining a domain. Computer accounts contain a name, password, and security identifier (SID). Computer properties are included in the computer object in Active Directory. Active Directory automatically creates a computer object in the Computers OU when a computer joins a domain, and no computer account exists for the computer.

For a computer to access and communicate with a domain controller within the domain, the computer has to be authenticated.

There are three GPO settings that determine whether authentication traffic is signed and encrypted:

  • Domain member: Digitally encrypt or sign secure channel data (always): Here, the computer will only use secure channel data to communicate with the domain controller. Before you can use this option, domain controllers have to minimally be upgraded to Windows NT 4.0 SP6a. Enabling the Digitally encrypt or sign secure channel data (always) option assists in preventing the following attacks when computers and domain controllers communicate:
    • Replay attacks
    • Man-in-the-middle attacks
  • Domain member: Digitally encrypt secure channel data (when possible): This option should be enabled and used if any down-level domain controllers or clients prevent you from using the former option. When this option and the option below are enabled, the strongest security that both sides support is used.
  • Domain member: Digitally sign secure channel data (when possible): This option should be enabled and used if down-level domain controllers or clients prevent you from using the Digitally encrypt or sign secure channel data (always) option.

Configuring Audit Policies and Event Log Policies for Domain Controllers

When Active Directory is installed on a computer and a new Active Directory domain is created, the computer object of the domain controller is stored in the Domain Controllers organizational unit (OU). A Group Policy Object (GPO) that is linked to the Domain Controllers OU is also created.

The Domain Controllers OU contains the following audit policies which you can customize:

  • Audit Account Logon Events, Audit Account Management, Audit Directory Service Access, Audit Logon Events, Audit Policy Change, and Audit System Events

You might also need to modify the policy settings of the Event Log to suit your auditing strategy.

Limiting User Rights

The Domain Controllers OU GPO by default grants the Allow Log On Locally user right to these groups:

  • Account Operators
  • Administrators
  • Backup Operators
  • Print Operators
  • Server Operators

For the Print Operators and Account Operators built-in groups, it is recommended that you remove the Allow Log On Locally user rights.

It is also recommended that you limit which individuals are allowed to shut down domain controllers. The Domain Controllers OU GPO by default grants the right to shut down domain controllers to these built-in groups:

  • Administrators
  • Backup Operators
  • Print Operators
  • Server Operators

For the Print Operators and Backup Operators built-in groups, it is recommended that you remove the right to shut down domain controllers.

Limiting Anonymous Access

Anonymous authentication is an authentication method that actually allows a user and network client to be authenticated with the user/client furnishing no user credentials. However, if you are running Windows Server 2003, the user will not be authorized to access network resources. With the earlier Windows operating systems, this was not the case. Anonymous authentication is typically used to supply backward compatibility with systems prior to Windows 2000, for the following scenarios.

  • Windows NT 4.0 could possibly use anonymous access to obtain information from domain controllers.
  • Remote Access Server (RAS) servers on Windows NT 4.0 utilize anonymous access for ascertaining dial-in permissions.
  • Older operating systems could also use anonymous access to change passwords (Pre-Windows 2000 Compatible Access group) in Active Directory.

To enable anonymous authentication, activate one of the following security policy settings:

  • Network Access: Shares That Can Be Accessed Anonymously: Use this security policy setting to define specific shares which can be accessed.
  • Network Access: Let Everyone Permissions Apply To Anonymous Users: When enabled, anonymous users are added to the Everyone group.

A better method of enabling anonymous access is to include the Anonymous Logon security principal in the specific access control list (ACL) that needs access.

With Windows Server 2003, the Anonymous account is restricted by default. If you need to enable it for systems that require Anonymous access, use these recommendations to enable the Anonymous account so that you do not reduce security unnecessarily:

  • To prevent intruders from using Anonymous logon to enumerate accounts on a computer, you should use the Do not allow anonymous enumeration of SAM accounts and shares policy setting. This option can be used if you are running Windows 2000 or later Windows operating system versions.
  • One of the most secure methods of enabling Anonymous logon or access is to edit the ACLs of resources that need to allow Anonymous logon. This is, though, a manually intensive process.
  • For clients that are running pre-Windows 2000 operating systems, you can add Everyone and Anonymous to the Pre-Windows 2000 Compatible Access group if users need to be able to change their passwords.
  • While it is not strongly recommended, you can use the Let Everyone permissions apply to anonymous users GPO to change the security configuration back to the Windows NT model.
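
The recommendations above on secure channel signing, audit policies, user rights and anonymous access can be checked offline against a security template exported with secedit /export. The following Python script is an added example, not part of the original article; the template text is constructed sample data, and the registry value names are the standard Windows locations behind the named policies.

```python
import re

# Well-known SIDs of the built-in groups named in the article.
BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

# User right -> groups the article recommends removing from it.
RIGHTS_TO_TRIM = {
    "SeInteractiveLogonRight": {"Print Operators", "Account Operators"},
    "SeShutdownPrivilege": {"Print Operators", "Backup Operators"},
}

# [Event Audit] keys for the six audit policies the article lists.
AUDIT_KEYS = ["AuditAccountLogon", "AuditAccountManage", "AuditDSAccess",
              "AuditLogonEvents", "AuditPolicyChange", "AuditSystemEvents"]

NETLOGON = "MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\"
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

# Registry-backed security options and the value each should have.
REGISTRY_EXPECTED = {
    NETLOGON + "RequireSignOrSeal": 1,    # encrypt or sign (always)
    NETLOGON + "SealSecureChannel": 1,    # encrypt (when possible)
    NETLOGON + "SignSecureChannel": 1,    # sign (when possible)
    LSA + "RestrictAnonymous": 1,         # no anonymous SAM/share enumeration
    LSA + "EveryoneIncludesAnonymous": 0, # Everyone does not include Anonymous
}

# Constructed sample in the layout of a secedit export (not from a real server).
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditPolicyChange = 1
AuditAccountManage = 3
AuditDSAccess = 0
AuditAccountLogon = 3
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse template text into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def audit_template(text):
    """Return a list of findings where the template departs from the guidance."""
    inf, findings = parse_inf(text), []

    rights = inf.get("privilege rights", {})
    for right, unwanted in RIGHTS_TO_TRIM.items():
        entries = [e.strip() for e in rights.get(right.lower(), "").split(",")]
        # Entries are "*SID" or plain account names; map known SIDs to names.
        holders = {BUILTIN.get(e.lstrip("*"), e) for e in entries if e}
        for group in sorted(holders & unwanted):
            findings.append(f"{right}: remove {group}")

    audit = inf.get("event audit", {})
    for key in AUDIT_KEYS:
        # 0 = no auditing, 1 = success, 2 = failure, 3 = both; missing counts as 0.
        if int(audit.get(key.lower(), "0")) == 0:
            findings.append(f"{key}: auditing not enabled")

    registry = inf.get("registry values", {})
    for path, want in REGISTRY_EXPECTED.items():
        raw = registry.get(path.lower())   # stored as "type,value"
        got = raw.split(",", 1)[1].strip() if raw and "," in raw else None
        if got != str(want):
            name = path.rsplit("\\", 1)[-1]
            findings.append(f"{name}: expected {want}, found {got}")
    return findings


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```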

Guide for Windows Server 2008 Domain Controller and DNS Server Setup

Step By Step Guide for Windows Server 2008 Domain Controller and DNS Server Setup


This tutorial will explain how to set up a Windows Server 2008 Domain Controller and DNS Server.

Click on Start > Run


Now type dcpromo and click OK.

The system will start checking if Active Directory Domain Services (AD DS) binaries are installed, then will start installing them. The binaries could be installed if you had run the dcpromo command previously and then canceled the operation after the binaries were installed.

The Active Directory Domain Services Installation Wizard will start. Either enable the checkbox beside Use advanced mode installation and click Next, or keep it unselected and click Next.

The Operating System Compatibility page will be displayed. Take a moment to read it and click Next.

Choose Create a new domain in a new forest, Click Next

Enter the Fully Qualified Domain Name of the forest root domain inside the textbox, click Next

If you selected Use advanced mode installation on the Welcome page, the Domain NetBIOS Name page appears. On this page, type the NetBIOS name of the domain if necessary or accept the default name and then click Next.

Select the Forest Functional Level, choose the level you desire and click on Next.

Make sure to read the description of each functional level to understand the difference between each one.

In the previous step, if you selected any Forest Functional Level other than Windows Server 2008 and clicked Next, you will then get a page to select the Domain Functional Level. Select it and then click Next.

In the Additional Domain Controller Options page, you can select to install the DNS Server service on your server. Note that the first domain controller in a forest must be a global catalog server, which is why the checkbox beside Global Catalog is selected and cannot be cleared. The checkbox is also selected by default when you install an additional domain controller in an existing domain; however, you can clear it if you do not want the additional domain controller to be a global catalog server. The first domain controller in a new forest or in a new domain cannot be a Read-Only Domain Controller (RODC); you can add an RODC later, but you must have at least one Windows Server 2008 domain controller.

I want to set my DC as a DNS Server as well, so I will keep the checkbox beside DNS server selected and click on Next

If you don’t have a static IP address assigned to your server, you will see a screen similar to the following. You then need to assign a static IP address and start the above process.

If the wizard cannot create a delegation for the DNS server, it displays a message to indicate that you can create the delegation manually. To continue, click Yes

Now you will be shown the locations where the domain controller database, log files and SYSVOL are stored on the server.

The database stores information about the users, computers and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the Windows directory. Either type or browse to the volume and folder where you want to store each, or accept the defaults, and click Next.

In the Directory Services Restore Mode (DSRM) Administrator Password page, write a password and confirm it. This password is used when the domain controller is started in Directory Services Restore Mode, which might be because Active Directory Domain Services is not running, or for tasks that must be performed offline. Make sure that you remember this password so that you have it when you need it.

The Summary page will be displayed, showing you all the settings that you have chosen. It gives you the option to export those settings into an answer file for use with other unattended operations. If you wish to have such a file, click the Export settings button and save the file.

DNS Installation will start

This is followed by installation of the Group Policy Management Console; the system will first check whether it is already installed.

Configuring the local computer to host Active Directory Domain Services and other operations will take place, setting up this server as a domain controller. When the Active Directory Domain Services installation is completed, click Finish.

Click on Restart Now to restart your server for the changes to take effect.

Once the server has booted and you have logged on to it, click Start > Administrative Tools. You will notice that the following have been installed:

  • Active Directory Domains and Trusts
  • Active Directory Sites and Services
  • Active Directory Users and Computers
  • ADSI Edit
  • DNS
  • Group Policy Management

That’s it. Your new Windows Server 2008 domain controller and DNS server setup is now complete.