Windows Server

Active Directory and Kerberos

Domain controllers still authenticate users, computers, and service accounts for domain-joined endpoints, file shares, SQL Server, legacy apps, and workloads that depend on Kerberos, LDAP, or NTLM compatibility.

Core network services

Windows Server commonly hosts internal DNS, DHCP, IPAM, NPS/RADIUS, certificate services, and routing-adjacent roles that keep branch offices and datacenters reachable.

File, print, and app hosting

SMB shares, DFS namespaces, print queues, scheduled tasks, IIS apps, and vendor line-of-business services often remain on Windows Server even when collaboration and endpoint management move to Microsoft 365.

Server-side patch and compliance scope

Intune manages Windows clients, not traditional Windows Server workloads. Server patching still usually depends on WSUS, ConfigMgr, Azure Update Manager, maintenance windows, or operational runbooks.

Hybrid identity and access bridge

Entra ID extends identity to cloud apps, but many tenants still sync from AD DS. Group Policy, AD sites, DNS, and domain controller placement continue to affect sign-in, device join, and application access.

Operational boundary for regulated systems

Some environments keep critical services on controlled networks for latency, data residency, vendor support, or isolation reasons. Windows Server is often the supported platform for those systems.

DNS Server

AD-integrated DNS zones, forwarders, conditional forwarders, scavenging, and secure dynamic updates directly affect authentication and application access. Test name resolution before chasing higher-level symptoms.

DHCP Server

Scope design, exclusions, reservations, relay/IP helper configuration, failover pairs, and DNS dynamic update credentials determine whether clients receive usable network configuration.

File services and SMB

SMB shares need access-based enumeration, NTFS/share permission hygiene, quota planning, shadow copies where appropriate, and clear ownership for stale data cleanup.

DFS namespaces and replication

DFS namespaces can simplify user paths, but DFSR backlog, staging size, and conflict handling need monitoring. Do not treat DFSR as a general backup system.

Print services

Print queues are still common in offices, warehouses, healthcare, and manufacturing. Driver isolation, queue naming, deployment method, and spooler hardening matter more than the role gets credit for.

Certificates, NPS, IIS, and app roles

AD CS, NPS/RADIUS, IIS, Remote Desktop Services, and vendor apps often become hidden dependencies. Record owners, ports, certificates, service accounts, and recovery steps for each.

Role-aware baselines

Domain controllers, file servers, IIS servers, SQL hosts, and jump boxes need different baselines. Apply common controls broadly, then layer role-specific policy on top.

Local admin and privileged access

Limit local Administrators membership, use Windows LAPS where supported, separate daily and privileged accounts, and alert on membership changes to privileged groups.

Firewall and service exposure

Enable Windows Firewall, restrict inbound management ports, disable unused roles and services, and document exceptions for vendor apps rather than leaving broad allow rules.

Credential and protocol hardening

Review NTLM usage, SMB signing/encryption requirements, LDAP signing/channel binding, TLS configuration, and legacy protocol dependencies before enforcing controls.

Audit policy and logging

Apply advanced audit policy for logon, account management, directory service changes, object access where needed, PowerShell logging, and process creation with command line for high-value servers.

Configuration drift

Use GPO, ConfigMgr baselines, Desired State Configuration, Azure Policy guest configuration, or scripted checks to detect drift instead of relying on one-time build hardening.

RSAT from an admin workstation

Run ADUC, DNS Manager, DHCP Manager, GPMC, Failover Cluster Manager, and Server Manager from a hardened admin workstation rather than signing into servers for routine work.

PowerShell remoting

Use PowerShell remoting and CIM sessions for repeatable server checks. Standardize modules, execution policy, transcript logging, and Just Enough Administration where appropriate.

Server Manager and Windows Admin Center

Server Manager remains useful for role visibility and multi-server tasks. Windows Admin Center gives a browser-based option for local and remote server administration.

Scheduled maintenance scripts

Automate pre-patch checks, disk cleanup reporting, service status snapshots, certificate expiry checks, and event log summaries so maintenance windows start with known state.

Least privilege workflows

Use separate admin accounts, Privileged Access Workstations where needed, role-based groups, and time-bound elevation. Avoid using Domain Admin for DNS, DHCP, file share, and print tasks.

Inventory and ownership

Maintain server role, owner, patch ring, backup policy, certificate, service account, and recovery runbook metadata. The server nobody owns becomes the incident nobody can fix.