Dated: Aug. 11, 2004
- Windows 2000 Professional Installation and Deployment
- Installation Requirements
- Pre-Installation Activities
- Running Setup
- Starting Windows 2000
- Understanding Advanced Setup Options
- Unattended Installation
- Answer Files
- The Sysdiff Utility
- Using Sysprep
- Winnt command line installation options:
- Winnt32 command line installation options:
- Software Distribution
- Keeping Your Operating System Up-to-date
- The Windows 2000 Professional Configuration Environment
- Managing Hardware and Devices
- Hardware Overview
- Plug and Play versus Non Plug and Play devices
- DVD and CDROM Devices
- Removable Media
- Display Devices
- Using Plug and Play with ACPI Hardware
- Power Options Overview
- Card Services
- Wireless Devices
- USB Devices
- Scanners and Cameras
- Fax Support
- Device Drivers
- Driver Signing
- Troubleshooting Devices
- Managing Windows 2000 Services
- Managing Hardware and Devices
- Account Management
- Windows 2000 Groups
- User Rights
- User Profiles
- Hardware Profiles
- Mobile Users Overview
- Windows 2000 Security
- Understanding Windows 2000 Printing
- Managing Windows 2000 Network Connections
- Network Protocols and Services
- Remote Access Services
- Internet Connection Sharing
- Remote Access Policies
- Windows 2000 Optimization and Tuning
- System Performance Monitoring
- Ways to View Statistics
- Objects and Counters
- Paging File
- Managing Processes
- Starting and Recovering Your System
Windows 2000 is fast becoming the most widely deployed network operating system in the corporate world, and as the computer network industry advances in both technology and size, the need for proven skills and expertise is of prime significance. Microsoft has recognized this need and revised its Microsoft Certified Professional (MCP) program to give us appropriate credentials to demonstrate our expertise in the Microsoft Windows 2000 family of products and services.
Windows 2000 actually comes in several flavors, including Windows 2000 Server, Advanced Server, Datacenter Server, and Windows 2000 Professional, depending on the requirements of the client/server environment.
Microsoft Windows 2000 Professional is the premier desktop operating system for businesses and organizations. Windows 2000 provides faster performance, greater reliability, improved security, and a more manageable desktop. With its broader support for hardware and applications, Windows 2000 is the best platform for running the latest software and hardware.
This study guide provides an overview of what you need to pass exam 70-210, Installing, Configuring and Administering Microsoft Windows 2000 Professional, and summarizes the skills required to install, configure and troubleshoot Windows 2000 Professional as a desktop operating system in a generic network operating environment.
Windows 2000 Professional Installation and Deployment
Installation Requirements
- 133 MHz or higher Pentium compatible CPU
- 64 MB RAM minimum and recommended
- 2 GB hard disk with a minimum of 650 MB of free space.
- Network Adapter Card
- Video display adapter and monitor with VGA or higher resolution.
Pre-Installation Activities
When you set up Windows 2000, you have to provide information about how you want to install the operating system. To ensure a successful installation, you should complete the following tasks:
- Make sure your hardware components meet the minimum requirements.
- Obtain Windows 2000-compatible hardware and software, such as upgrade packs, new drivers, and so on.
- Obtain network information.
- Back up your current files before upgrading, in case you need to restore your current operating system.
- Determine whether you want to perform an upgrade or install a new copy of Windows.
- If you're installing a new copy, identify and plan for any advanced Setup options you might want.
Running Setup
The Setup wizard gathers information, including regional settings, names, and passwords. Setup then copies the appropriate files to your hard disk, checks the hardware, and configures your installation. When the installation is complete, you're ready to log on to Windows 2000.
Starting Windows 2000
After gathering information, the Setup wizard completes the installation. The computer restarts several times, and then the logon prompt for Windows 2000 appears. After you log on, you can register your copy of Windows 2000, create user accounts, and reconfigure any settings that you entered in Setup.
Understanding Advanced Setup Options
File Systems
Before you install Windows 2000, you should decide which file system you will use. A file system is the method by which information is stored on a hard disk.
NTFS
The NTFS file system is the recommended file system for use with Windows 2000. NTFS has all of the basic capabilities of FAT, and it provides the following advantages over the FAT and FAT32 file systems:
- Better file security.
- Better disk compression.
- Support for large hard disks, up to 2 terabytes (TB)
If you're using a dual-boot configuration (using both Windows 2000 and another operating system on the same computer), you may not be able to gain access to files on NTFS partitions from the other operating system on your computer. For this reason, you should probably use FAT32 or FAT if you want a dual-boot configuration.
FAT and FAT32
FAT32 is an enhanced version of the FAT file system that can be used on drives from 512 megabytes (MB) to 2 TB in size. FAT and FAT32 offer compatibility with operating systems other than Windows 2000. If you're setting up a dual-boot configuration, you should probably use FAT or FAT32.
Disk Partitions
Disk partitioning is a way of dividing your hard disk so that each section functions as a separate unit. You can create a partition to organize information, for example, to back up data, or to dual boot with another operating system. When you create partitions on a disk, you divide the disk into one or more areas that can be formatted for use by a file system, such as FAT or NTFS.
If you're performing a new installation, Windows 2000 Setup automatically selects an appropriate disk partition--unless you click Advanced Options during Setup and specify otherwise. A hard disk can contain up to four partitions.
Converting vs. Reformatting Existing Disk Partitions
Before you run Setup, decide whether you want to keep, convert, or reformat an existing partition. The default option for an existing partition is to keep the existing file system intact, thus preserving all files on that partition.
If you decide to convert or reformat, you need to select an appropriate file system (NTFS, FAT, or FAT32). You can convert an existing partition to NTFS during Setup to make use of Windows 2000 security. You can also convert file systems from FAT to NTFS at any time after Setup by using Convert.exe from the command prompt.
Dual-Boot Configuration
If you use a dual-boot configuration on your computer, you can choose between operating systems (or between versions of the same operating system) every time you start your computer.
Windows 2000 supports dual booting with the following operating systems:
- Windows NT 3.51, Windows NT 4.0
- Windows 95, Windows 98
- Windows 3.1, Windows for Workgroups 3.11
Unattended Installation
An unattended install is simply a method of providing the answers to the Setup questions before they are asked, in order to automate the installation process. Unattended installs can save many hours when, for instance, there are 100 workstations to install. In unattended Setup mode, no user intervention is required because the answer file contains all of the information that Setup requires, including acceptance of the license agreement, the computer name, and the network adapter. Answer files can help you quickly install Windows 2000 on multiple computers.
The Winnt.exe and Winnt32.exe programs can be used for this purpose. Two types of files are required:
- Answer files - Files that supply the answers to the questions Setup would normally display on screen during an attended installation.
- Uniqueness Database Files (UDF) - Used to insert the user name, organization, and computer name into the [UserData] section of the unattend.txt file.
To create an answer file, the Windows 2000 Setup Manager wizard can be installed from the Resource Kit on the CD-ROM by running \Support\Reskit\Setup.exe. Its options are:
- Create a new answer file.
- Create an answer file that duplicates this computer's configuration.
- Modify an existing answer file.
Answer file types are:
- Unattend.txt for Windows 2000 Professional.
- Unattend.txt for Windows 2000 Server.
- Remboot.sif for remote installation services.
- Sysprep.inf for the system preparation tool.
Products that can be installed with answer files include:
- Windows 2000 Unattended Installation
- Sysprep Install - The system preparation utility is located on the CD-ROM in the \SUPPORT\TOOLS\Deploy.cab file. It works on Windows 2000 computers that are not domain controllers, and allows a Windows 2000 hard drive to be copied to other computers.
- Remote Installation Services
User interaction levels can be set at:
- Provide defaults - The answer file provides default answers.
- Fully automated - No user interaction.
- Hide pages - There is some interaction by the user with pages hidden that have answers provided by the answer file.
- Read only - The setup screens are displayed, but the user cannot make selections.
- GUI attended - The text part of the installation is automated and the user responds to the graphical part of the installation.
A distribution folder is created to do an installation over the network. An unattend.txt answer file and an unattend.bat file, which starts the installation, are created by Setup Manager.
Booting from the network involves:
1. Have a network card in the computer on which the installation is to be done.
2. Format the hard drive.
3. Boot the computer with the DOS client for Microsoft Networks (which comes with Windows NT Server).
4. Map the shared distribution folder to a network drive, and from that drive run "unattend" or "unattend computer".
Answer Files
There is a sample answer file on the installation CD-ROM called UNATTEND.TXT. Answer files contain sections of information, each named in square brackets ([ and ]). Some sections are:
- DetectedMassStorage - Mass storage devices that Setup should recognize, whether they are available at installation time or not.
- Display - Display settings.
- DisplayDrivers - Display drivers.
- GuiUnattended - Defines the setup program behavior during graphical mode setup.
- KeyboardDrivers - Specifies keyboard drivers.
- LicenseFilePrintData - Used for servers only.
- MassStorageDrivers - Specifies SCSI drivers.
- Modem - Determines if a modem is to be installed.
- Network - Network settings, with adapters and protocols.
- OEM_Ads - The bitmap information to be displayed when the graphical user mode is starting.
- OEMBootFiles - The files required for system boot must be listed here.
- PointingDeviceDrivers - Specifies any pointing devices.
- Unattended - This section defines setup program behavior during text mode setup.
- UserData - User or computer information.
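The answer file format described above is simple enough to parse, and a deployment administrator has a reason to do so: a section whose header is misspelled is not read by Setup, so every setting under it is silently dropped, and any administrator password placed in the file sits in clear text on the distribution share. The following is an added example written for this guide, not code from Microsoft or from the sample UNATTEND.TXT. It parses an answer file into sections, checks the section names against the list above, and flags a clear-text AdminPassword. The key names AdminPassword and EncryptedAdminPassword under [GuiUnattended], UnattendMode under [Unattended], BitsPerPel under [Display], and FullName, OrgName and ComputerName under [UserData] come from the Windows 2000 answer-file format rather than from this page; treating EncryptedAdminPassword=Yes as the marker for an encrypted value is an assumption, and the sample file is constructed.

```python
"""Parser and audit for Windows 2000-style answer files (unattend.txt).

Added example for this guide, not Microsoft's Setup code. Section names
come from the list in the guide. The key names used here are from the
Windows 2000 answer-file format; treating EncryptedAdminPassword=Yes as
the marker for an encrypted password is an assumption.
"""
import re

# Section names listed in the guide. Setup reads sections by name, so a
# misspelled header means none of its settings are applied.
KNOWN_SECTIONS = (
    "DetectedMassStorage", "Display", "DisplayDrivers", "GuiUnattended",
    "KeyboardDrivers", "LicenseFilePrintData", "MassStorageDrivers", "Modem",
    "Network", "OEM_Ads", "OEMBootFiles", "PointingDeviceDrivers",
    "Unattended", "UserData",
)
_KNOWN_LOWER = {name.lower() for name in KNOWN_SECTIONS}
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_answer_file(text):
    """Parse INI-style answer-file text into {section: {key: value}}.

    Names are kept as written; lookups below are case-insensitive. A ';'
    starts a comment, and surrounding double quotes are stripped from values.
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        match = _SECTION_RE.match(line)
        if match:
            current = match.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: key/value before any [section]")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def get_ci(mapping, wanted, default=None):
    """Case-insensitive lookup of a section or key name."""
    for name, value in mapping.items():
        if name.lower() == wanted.lower():
            return value
    return default


def audit_answer_file(sections):
    """Return the findings a deployment reviewer would want to see."""
    findings = []
    for name in sections:
        if name.lower() not in _KNOWN_LOWER:
            findings.append(f"unknown section [{name}]: its settings are not read by Setup")
    gui = get_ci(sections, "GuiUnattended", {})
    password = get_ci(gui, "AdminPassword")
    encrypted = (get_ci(gui, "EncryptedAdminPassword", "No") or "No").lower() == "yes"
    if password and not encrypted:
        findings.append("[GuiUnattended] AdminPassword is stored in plaintext; "
                        "anyone who can read the distribution share can read it")
    userdata = get_ci(sections, "UserData", {})
    if not get_ci(userdata, "ComputerName"):
        findings.append("[UserData] ComputerName missing: supply it here or via a UDF")
    return findings


# Constructed sample; not the UNATTEND.TXT shipped on the CD-ROM.
SAMPLE_UNATTEND = """\
; constructed answer file for the audit below
[Unattended]
UnattendMode = FullUnattended
[GuiUnattended]
AdminPassword = "Winter2004"
[UserData]
FullName = "Lab User"
OrgName = "Example Corp"
ComputerName = LAB-PC-01
[Dispaly]          ; misspelled: should be [Display]
BitsPerPel = 16
"""

if __name__ == "__main__":
    for finding in audit_answer_file(parse_answer_file(SAMPLE_UNATTEND)):
        print("-", finding)
```

Run against the constructed sample, the audit reports the misspelled [Dispaly] section and the clear-text AdminPassword; the same checks can be pointed at every answer file and Sysprep.inf on a distribution share before the share is made readable to the workstations being built.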
The Sysdiff Utility
Sysdiff is used to customize a Windows 2000 or NT installation on one or more computers over the network. It records the differences between a normal installation, with nothing added, and an installation to which files have been added. Functions:
- Snap - Takes a snapshot of the state of files, directories, and the registry.
- Diff - Records differences between a current system and a previous snapshot.
- Apply - Apply data in a differences file to an installation.
- Inf - Create an inf file from a diff file. The .inf file allows differences to be automatically applied to installations of NT from the server based share.
- Dump - Allows review of the contents of a diff file.
Using Sysprep
Sysprep is used to prepare a Windows 2000 system hard disk for duplication. Sysprep can't be used on domain controllers. The master computer and the computers that receive the duplicated disk must have the following in common:
- Identical type hard drive controllers.
- Identical size hard drives.
- The same HAL must be used.
- Peripheral cards such as modems and video cards do not need to be identical, but drivers must be available for all computers.
Sysprep will remove any user specific information on the prepared hard drive. It strips the Security Identifiers (SIDs) from the disk before capturing the disk image. Once duplicated, the system that gets a copy of the disk generates its own SIDs for its objects.
Sysprep switches include:
- -quiet - No user interaction.
- -pnp - Detect PNP devices on systems the information is being sent to.
- -reboot - The new system will restart rather than shutdown.
- -nosidgen - No security identifier (SID) is generated on the new system.
Winnt command line installation options:
- /? - to see options
- /a - Turn on accessibility options.
- /E:command - Will execute the command specified after the install.
- /I:inf_file - The name of the setup information file without path information. If this option is not used dosnet.inf is the default.
- /R - An optional directory to be created is specified.
- /RX - An optional directory to be copied is specified.
- /S:sourcepath - Location of the Windows 2000 or NT setup files.
- /T:drive_letter - Setup will put temporary setup files on the drive specified.
- /U:answer_file - Specifies an unattended install and an answer file location which is required for unattended installation. Use the /s option to specify the location of source files.
- /UDF:id [,UDF_file] - Specifies the UDF file used to identify the computer.
Winnt32 command line installation options:
- /? - to see options
- /checkupgradeonly - The computer is checked for compatibility with Windows 2000 and an upgrade report is prepared.
- /copydir:directory - An additional directory is copied into the system root directory on the hard disk.
- /copysource:directory - An additional directory to be copied to the hard disk in the system root directory during installation. It is removed when the installation is done.
- /cmd:command - A command to be executed after the system setup is complete.
- /cmdcons - The recovery console is installed and included in the start menu.
- /debug[level]:filename - Debug log is created with detail level from 1 to 4 specified.
- /makelocalsource - Source files are copied to the hard drive.
- /S:sourcepath - Location of the Windows 2000 or NT installation files.
- /syspart:drive - Source files are copied to the hard drive and the drive is marked as active.
- /tempdrive:drive_letter - Setup will put temporary setup files on the drive specified.
- /unattend - Specifies an unattended install and settings are taken from an existing operating system.
- /unattend[num]:answer_file - Specifies an unattended install and an answer file location which is required for unattended installation. Use the /s option to specify the location of source files. Num specifies the number of seconds to wait before rebooting after files are copied.
- /UDF:id [,UDF_file] - Specifies the UDF file used to identify the computer. The data from the UDF file is applied to some sections in the answer file. The install program will ask for a disk containing a unique UDF file if the UDF is not specified on the command line.
Software Packages
Software may be packaged for Windows systems in Windows Installer files, which have an extension of ".msi". The Windows Installer utilities can be used to package applications into Windows Installer packages if they are not already in that form. Other packages include:
- Transform files - Files have a ".mst" extension and are used to customize applications. Complements the ".msi" Windows installer files.
- Patch files - Files have a ".msp" extension and are used to apply software fixes (patches) to applications. Complements the ".msi" Windows installer files.
- ZAP files - Applications that don't use the ".msi" file format for the Windows Installer Service can be set up for distribution by creating a text file with a ".zap" file extension. This method is not as flexible as the ".msi" package files.
Software Installation Utilities
- Windows Installer Service - Runs on Windows 95, 98, Me, NT, and 2000 systems. The service installs package files with the ".msi" extension and is used on the client computer.
- Windows 2000 IntelliMirror utility can be used to manage software from anywhere on the organization's network.
- Microsoft Management Console software installation snap-in can be used to assign applications to computers, organizational units, or users by using group policies.
- Add/Remove Programs Control Panel applet - Applications can be placed on an Active Directory distribution location (published) where users can get applications. The Add/Remove Programs Control Panel applet can then be used by the user to install the software.
- WinInstall - Written by Veritas Software and included on the Windows 2000 Server CD. It is used to edit, view, and create application installation package files.
Ways to Distribute Software
- Assignment - Software is installed without the user choosing it, and can be assigned to the following:
  - Computer - The software is installed when the computer boots.
  - User - A shortcut for the software is placed on the user's desktop when the user logs into the domain. The software is installed when the user clicks the shortcut to run the application.
- Publication - The software can be installed by using the Add/Remove Programs Control Panel applet. The software will be available on the list of available programs in the "Add New Programs" dialog box.
Software Distribution Methods
- Push Model - Microsoft's System Management Service (SMS) uses this model. SMS works for Windows 95, 98, ME, NT, and 2000 client systems. Software is deployed to selected users and computers based on the administrators' choices. This model helps control software licensing, use of network bandwidth, and can determine whether clients have sufficient system hardware to support the application.
- Pull Model - When users need the software, they pull it from its stored location. Windows 2000 distribution features are compliant with group policies. The administrators must be sure licensing is done properly when this method is used. This model can overuse valuable network bandwidth, and can't determine if clients have sufficient hardware to run the software.
- Windows 2000 Remote Installation Service (RIS) - Windows 2000 Professional can be installed on computers that can boot to the network using a BIOS program running from their network card. This is called Pre-boot Execution Environment (PXE). A Windows 2000 Professional image with desired applications can be created using the RIPREP utility.
Group Policy Software Settings
In the Microsoft Management Console (MMC) Group Policy snap-in, Software Settings appears under both Computer Configuration and User Configuration. It is used to set the policy for deploying applications.
Keeping Your Operating System Up-to-date
Windows Update
The Windows Update utility connects your computer to Microsoft's Web site and checks your files to make sure that you have all of the latest updates.
Windows Service Packs
Microsoft issues service packs as necessary to update the operating system with bug fixes and new features. Windows 2000 offers a new technology for service packs called slipstreaming: a service pack is applied once and is not overwritten when new components are added to the computer later. Use the WINVER command to determine whether any service packs have been installed on your computer.
The Windows 2000 Professional Configuration Environment
Managing Hardware Devices and Drivers
Hardware Overview
Hardware includes any physical device that is connected to your computer and is controlled by your computer's microprocessor. This includes equipment that was connected to your computer when it was manufactured, as well as peripheral equipment that you added later. Modems, disk drives, CD-ROM drives, printers, network adapters, keyboards, and display adapter cards are all examples of devices.
Devices can be connected to your computer in several ways. Some devices, like network adapters and sound cards, are connected to expansion slots inside your computer. Other devices, like printers and scanners, are connected to ports on the outside of your computer. Some devices, known as PC Cards, connect only to PC Card slots on a portable computer.
For a device to work properly with Windows 2000, software known as a device driver must be loaded onto the computer. Each device has its own unique device driver, which is typically supplied by the device manufacturer. However, some device drivers are included with Windows 2000.
Plug and Play versus Non Plug and Play Devices
Plug and Play technology uses a combination of hardware and software that allows the operating system to automatically recognize and configure new hardware without any user intervention. Windows 2000 also supports older, or legacy, devices that are not Plug and Play. For these you have to manually configure the device's resources, such as the I/O port address, memory address and Direct Memory Access (DMA) settings, and then use the Add/Remove Hardware utility in Control Panel to add the new device to Windows 2000 and install its device driver.
DVD and CDROM Devices
DVD and CD-ROM drives are listed together under DVD/CD-ROM Drives in Device Manager, where you can configure options such as volume and playback settings. Device Manager also lists information such as the device type, manufacturer, location and currently loaded driver, along with buttons that let you see the driver details and uninstall or update the driver.
Removable Media
Removable devices are devices such as tape drives and Zip drives. They are listed under Disk Drives in Device Manager and can be managed through it.
Display Devices
You can configure video adapters through the Display Properties dialog box in Control Panel: the video adapter's color depth, resolution and display font size, and monitor properties such as refresh frequency and monitor color profiles. Windows 2000 allows you to extend your desktop across a maximum of 10 monitors, so that applications can be spread across multiple monitors.
Using Plug and Play with ACPI Hardware
To take full advantage of Plug and Play, you must use an Advanced Configuration and Power Interface (ACPI) computer. ACPI is an open industry specification that defines power management on a wide range of mobile, desktop and server computers and peripherals. ACPI is the foundation for the OnNow industry initiative, which allows system manufacturers to deliver computers that start at the touch of a key. An ACPI design is essential to take full advantage of power management and Plug and Play in Windows 2000: the computer must be running in ACPI mode, and the hardware devices must be Plug and Play. In an ACPI computer, the operating system, not the hardware, configures and monitors the computer.
The Windows 2000 operating system determines which programs are active and manages all of the power requirements for your computer subsystems and peripherals. ACPI lets the operating system direct power to devices as they need it, preventing unnecessary power demands on your system.
Power Options Overview
Using Power Options in Control Panel, you can reduce the power consumption of any number of your computer devices or of your entire system. You do this by choosing a power scheme, which is a collection of settings that manages the power usage by your computer. You can create your own power schemes or use the ones provided with Windows 2000.
You can also adjust the individual settings in a power scheme. For example, depending on your hardware, you can:
- Turn off your monitor and hard disks automatically to save power.
- Put the computer on standby when it is idle. While on standby, your entire computer switches to a low power state where devices, such as the monitor and hard disks, turn off and your computer uses less power. When you want to use the computer again, it comes out of standby quickly, and your desktop is restored exactly as you left it. Standby is particularly useful for conserving battery power in portable computers. Because Standby does not save your desktop state to disk, a power failure while on Standby can cause you to lose unsaved information.
- Put your computer in hibernation. The hibernate feature saves everything in memory on disk, turns off your monitor and hard disk, and then turns off your computer. When you restart your computer, your desktop is restored exactly as you left it. It takes longer to bring your computer out of hibernation than out of standby.
Card Services
To add devices to a laptop computer, special credit-card-sized devices called PCMCIA (Personal Computer Memory Card International Association) cards are used, which you can view and manage through Device Manager.
Wireless Devices
Windows 2000 uses Infrared Data Association (IrDA) and Radio Frequency (RF) technologies for wireless transmission. With IrDA, data is transmitted through infrared light waves; with RF, data is transmitted through radio waves.
USB Devices
USB supports transfer rates up to 12 Mbps. A single USB port can support up to 127 devices. Examples of USB devices are modems, printers and keyboards. The USB controller is listed in Device Manager and can be configured through it, if your computer supports USB and it is enabled in the BIOS.
Scanners and Cameras
Scanners and Cameras appears in Control Panel when you install your first scanner or digital camera. You can then use the Scanners and Cameras feature to install other scanners, digital still cameras, digital video cameras, and image-capturing devices.
After a device is installed, Scanners and Cameras can link it to a program on your computer. For example, when you push Scan on your scanner, you can have the scanned picture automatically open in the program you want.
Fax Support
Windows 2000 Professional ships with built-in fax support with a single-user license. Faxing is managed via the Fax Service Management tool, which is installed when a fax device is installed on the computer. The "virtual" fax machine appears as an icon in the Printers folder. In order for faxes to be sent, the user must have the appropriate permissions to send them. These permissions can be viewed by finding the fax icon in the Printers folder and viewing the Security tab in its properties. In order to receive faxes, the "Enable to Receive" option must be selected.
Device Drivers
Managing device drivers involves updating them and deciding how to handle drivers that may not have been properly tested.
Driver Signing
Microsoft provides driver signing as a way of ensuring that drivers are properly tested before they are released to the public. How Windows 2000 responds when you choose to install an unsigned driver can be specified through the Driver Signing Options dialog box, reached from Device Manager. The three options are:
- Ignore - Install all files, regardless of file signature.
- Warn - Display a message before installing an unsigned file. (default setting)
- Block - Prevent installation of unsigned files.
Troubleshooting Devices
When Device Manager does not properly recognize a device, it reports the problem by displaying an exclamation mark icon next to the device. To troubleshoot a device that is not working properly, double-click the device to open its Properties dialog box. If a device connected to your computer does not appear in Device Manager, you can use the Troubleshoot wizard to get some hints on troubleshooting.
Managing Windows 2000 Services
A service is a program, routine or process that performs a specific function within the Windows 2000 operating system. The services on the computer can be managed through the Computer Management utility or the MMC. To manage a service, open the Services window in one of these utilities and double-click the service to manage; the service's Properties dialog box opens.
Windows 2000 Professional Desktop Settings
The desktop appears after a user has logged on to a Windows 2000 computer. Users can configure their desktops to suit their personal preferences and to make their work more efficient. As an administrator, you may need to troubleshoot an improperly configured desktop. You can configure the desktop by customizing the taskbar and Start menu, adding shortcuts and setting display properties.
Multilanguage Support and Regional Settings
Multilanguage support in Windows 2000 consists of, first, multilingual editing and viewing, which supports multiple languages while a user is viewing, editing and printing documents, and second, multilanguage user interfaces, which allow the Windows 2000 user interface to be presented in different languages. You can add languages using the Regional Settings Control Panel applet and switch between them using the system tray icon.
You can also configure locale settings for numbers, currency, time and date, and input locales, which allow you to select the input language you will use. These settings can also be made through the Regional Settings Control Panel applet.
Accessibility for People with Disabilities
Windows 2000 includes many accessibility features that can improve display, sound, mouse, and keyboard settings for users who are blind, have motion disabilities, or are deaf or hard of hearing. Many accessibility features are also useful to people without disabilities.
- Magnifier. Enlarges a portion of your screen in a separate window for easier viewing.
- Narrator. Reads information on your screen, including dialog box names, menus, entered text, and so on.
- On-Screen Keyboard. Displays a virtual keyboard so you can enter information by using a pointing device, such as a mouse or a switch input device.
Windows 2000 also offers customizable options for users who are blind, have motion disabilities, or are deaf or hard of hearing:
- High-contrast desktop color schemes. Provide more ways to change the colors and font sizes on your screen.
- Sound schemes. Give useful audio feedback for important on-screen events, such as the opening and closing of windows.
- High-visibility mouse pointer schemes. Give you more options to visually help you keep track of the pointer.
Setting Up Accessibility Options
Accessibility features are installed on your computer by default. You can quickly set up your accessibility options by using the Accessibility wizard. The Accessibility wizard asks you questions about your accessibility needs and automatically configures settings for you. Or you can open Accessibility Options in Control Panel to directly customize keyboard, display, and mouse functions.
Account Management
User accounts are of two types:
- Local - For local computer access.
- Domain - For access to network resources in the domain.
Administrators and power users can create and modify accounts in the domain. Administrators on local computers can create and modify accounts locally. Windows Scripting Host (WSH) assists administrators in creating many users and groups quickly.
Account Creation and Modification
- Local account - Use the "Local Users and Groups" tool. To modify the user properties, right-click the user and select "Properties".
- Remote account - Use the "Active Directory Users and Computers" tool. To modify the user properties, right-click the user and select "Properties".
Windows 2000 Security
Permissions
The permissions on Windows 2000 systems are all selectable with two check boxes:
- Allow - Grant the permission.
- Deny - Any denied permission for a group or user will override any allow permission, even if the user is in a group that is granted that permission.
If neither box is checked, the permission is not granted to the user or group, but if the user is in another group that has the permission, it is not denied either. Normally, if a user is a member of several groups that have different levels of permissions to an object, the permissions are combined and the least restrictive result applies, unless the user or one of the user's groups has the Deny box checked for that permission.
Standard File and Folder Permissions
- Read(R) - View attributes, contents, and permissions. Can synchronize.
- Write(W) - Can change attributes, and file contents. Can create files or folders. Can synchronize.
- Read (R) and Execute (E) - Can traverse subfolders, perform read operations, and execute a file.
- List Folder Contents - Can perform read and execute operations on folders. Can view folder contents, attributes, and permissions. Can synchronize and traverse subfolders.
- Modify - Perform Read, Execute, and Write permissions along with ability to delete.
- Full Control - Can perform Modify functions (above), take ownership, and modify permissions.
Permissions assigned to directories are inherited (default) by all files and subdirectories that are contained in the directory. The inheritance option, selected by default, may be deselected. Each file or directory has an Access Control List (ACL). To set permissions for additional users or groups, they are added to the ACL of the file or directory.
File or Folder Creation, Copying and Permissions
- Created Files or folders - Inherit permissions of the folder they are created in.
- Moved or copied files or folders in the same NTFS volume - Keep their own original permissions.
- Moved or copied files or folders in a different NTFS volume - Inherit the NTFS permissions of the destination folder.
- Movement to any FAT volume - All permissions are lost.
Moving Files
When permissions are changed on a folder, by default the permissions are replaced on the files in the folder, but not on its subdirectories. This may be changed using the provided checkboxes such as "Replace Permissions on Subdirectories". When files are moved on NTFS partitions from one partition to another, it is as though they were copied. If files are moved to another folder on the same partition, they retain their normal attributes, including the compression attribute, regardless of the attributes of the parent folder they are moved to. When files are copied to another folder, they adopt the attributes of the folder they are copied to.
NTFS File and Share Permissions
When these permissions are different, the most restrictive permissions are applied. The share and NTFS file permissions must overlap in order for the user to have the permission. That means to read a file, the user must have both read share and read NTFS permission.
When a user has full control permission for a folder, the permissions will apply to the files in the folder even though permission for an individual file in the folder may be set to NO ACCESS for that user. When a file or folder is moved, it retains its current permissions, but when it is copied, it inherits the permission of the parent folder or partition it is being copied to.
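The Allow/Deny rule from the Permissions section and the "share and NTFS must overlap" rule above, worked through as an added example. This is not code from the study guide and calls no Windows API; the folder, share, ACL entries and group memberships are constructed sample data.

```python
"""Model of the access-check rules in the permissions sections above.

Added example, not code from the study guide; it calls no Windows API
and simply encodes three rules the text states:
  * a user's Allow entries are the union of the entries for the user
    and for every group the user belongs to;
  * a Deny entry for the user or any of the user's groups overrides an
    Allow, even when a different group grants the permission;
  * over the network, share permissions and NTFS permissions must
    overlap, so the effective set is their intersection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: one principal, one permission, Allow or Deny."""
    principal: str      # user or group name
    permission: str     # e.g. "Read", "Write", "Execute", "Delete"
    allow: bool         # True = Allow box checked, False = Deny box checked


def effective_ntfs(acl, user, groups):
    """Permissions the user really holds on an object with this ACL."""
    principals = {user, *groups}
    allowed = {a.permission for a in acl if a.principal in principals and a.allow}
    denied = {a.permission for a in acl if a.principal in principals and not a.allow}
    return allowed - denied          # Deny wins over any Allow


def effective_remote(ntfs_acl, share_acl, user, groups):
    """Access through a share: the share and the NTFS ACL must both grant it."""
    return effective_ntfs(ntfs_acl, user, groups) & effective_ntfs(share_acl, user, groups)


# Constructed sample: a Reports folder shared on the network.
REPORTS_NTFS = [
    Ace("Users", "Read", True),
    Ace("Users", "Execute", True),
    Ace("Finance", "Write", True),
    Ace("Finance", "Delete", True),
    Ace("Interns", "Write", False),     # Deny overrides the Finance Allow
]
REPORTS_SHARE = [
    Ace("Everyone", "Read", True),
    Ace("Finance", "Write", True),      # the share grants no Delete, so none remotely
]

# Constructed group memberships.
MEMBERSHIP = {
    "alice": {"Everyone", "Users", "Finance"},
    "bob": {"Everyone", "Users", "Finance", "Interns"},
    "carol": {"Everyone", "Users"},
}


def report(user):
    """Local and remote effective permissions for one sample user."""
    groups = MEMBERSHIP[user]
    return {
        "local": effective_ntfs(REPORTS_NTFS, user, groups),
        "remote": effective_remote(REPORTS_NTFS, REPORTS_SHARE, user, groups),
    }


if __name__ == "__main__":
    for name in MEMBERSHIP:
        print(name, report(name))
```

Note that bob loses Write locally even though Finance grants it, because the Interns Deny entry wins, and that alice's Delete right disappears over the network because the share never granted it.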
If the owner is a member of the Administrators group, the owner is recorded as the Administrators group. Administrators do not automatically have access to all resources, but they may take ownership of any resource. Once ownership is taken, it cannot be given back. Taking ownership of a resource also changes all existing permissions for that resource.
Delegated Permissions
Permissions that can be delegated include:
- Create, delete, and manage user groups.
- Create, delete, and manage user accounts.
- Manage group policy links - Group policies assigned by organizational unit may be modified.
- Modify group membership.
- Read all user information.
- Read user account passwords.
Disk Quotas
Disk quotas are used to track the use of disk space for each user. They are normally disabled and are only supported on NTFS file systems. Quotas are tracked per partition and per user, using ownership information to account for resource use. Compressed file sizes are measured according to the uncompressed file size.
Disk quotas may be viewed and administered by using the "Disk Management" tool to select the properties dialog box of the disk or volume. The "Quota" tab contains quota information and management functions. Quota management must be enabled. Warning levels may be set and hard limits may also be set. Disk space may be denied to users who exceed their quota limit. Events may be logged when a user exceeds their warning and/or quota limit. Windows Explorer can be used to set up and monitor disk quotas.
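The quota rules just described (per-volume and per-owner accounting, uncompressed sizes, a warning level that logs, a hard limit that may refuse space) as an added example. It is a model, not the NTFS quota implementation or the study guide's code; the volume limits, owners and file sizes are constructed.

```python
"""Model of per-volume, per-owner disk quota accounting (added example).

Not code from the study guide and not the NTFS implementation; it
encodes the rules the text gives: usage is charged to the file owner on
each volume separately, compressed files are charged at their
uncompressed size, crossing the warning level logs an event, and a hard
limit can either just log or actually refuse the space.
"""
from collections import defaultdict

MIB = 1024 * 1024


class QuotaVolume:
    def __init__(self, warn_mib, limit_mib, deny_over_limit=True):
        self.warn = warn_mib * MIB
        self.limit = limit_mib * MIB
        self.deny_over_limit = deny_over_limit   # "deny disk space to users exceeding limit"
        self.usage = defaultdict(int)            # owner -> bytes charged on this volume
        self.events = []                         # stand-in for the system event log

    def allocate(self, owner, uncompressed_size, compressed=False):
        """Charge a new file to its owner; return False if the write is refused."""
        # The compression flag changes bytes on disk, not the quota charge.
        new_total = self.usage[owner] + uncompressed_size
        if new_total > self.limit:
            self.events.append(f"quota limit exceeded: {owner}")
            if self.deny_over_limit:
                return False
        elif self.usage[owner] <= self.warn < new_total:
            self.events.append(f"quota warning: {owner}")
        self.usage[owner] = new_total
        return True

    def free(self, owner, uncompressed_size):
        """Deleting a file gives the charge back to its owner."""
        self.usage[owner] = max(0, self.usage[owner] - uncompressed_size)


def simulate():
    """Constructed scenario: 1 MiB warning level, 2 MiB hard limit, two owners."""
    vol = QuotaVolume(warn_mib=1, limit_mib=2)
    results = [
        vol.allocate("alice", 800 * 1024),                    # under the warning level
        vol.allocate("alice", 400 * 1024, compressed=True),   # crosses 1 MiB: warning logged
        vol.allocate("alice", 1 * MIB),                       # would pass 2 MiB: refused
        vol.allocate("bob", 1 * MIB),                         # bob's quota is separate
    ]
    return results, dict(vol.usage), vol.events


if __name__ == "__main__":
    print(simulate())
```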
Windows 2000 Groups
Group accounts are collections of user accounts that share similar needs. This organization can greatly simplify administrative tasks.
Types of Group Accounts
- Local group - Has local computer permissions and rights only.
- Global group - The group’s permissions and rights exist in the group's domain and domains that have a trust relationship with the group's domain. Global groups may be given rights and permissions of local groups. Only NT Server can create global groups.
- Domain Local group - Created on Active Directory controllers and used to manage access to resources in the domain.
- Universal group - Users from multiple domains that perform similar tasks or share resources across the domains. Any group or user in any domain can be a member of the universal group. The universal group is, however, not available in Active Directory mixed mode.
Local groups can include global groups. They will not include other local groups. Local groups are created in the User Manager. Created groups may be deleted with the User Manager, but built in system groups may not be deleted. When a domain is joined the domain administrators group is added to the local administrators group and the domain users group is added to the local users group on the computer that joins the domain.
- Local group - Open the "Computer Management" dialog box by clicking on "My Computer", and "Manage". Click + next to "Local Users and Groups", highlight "Groups", select "Action", and "New Groups".
- Global group - The Administrative Tool, "Active Directory Users and Computers" is used to create and manage these groups.
Active Directory Groups
There are two types of Active Directory groups, each with a different purpose. These are:
- Security principal groups. These groups can be assigned permissions. Their scope can be:
- Domain local
- Distribution groups - Used to group users for applications such as email.
Adding Accounts
The "Local Users and Groups" tool is used to create user and group accounts locally and the "Active Directory Users and Computers" tool is used to create users remotely. They are also used to manage functional user rights, security auditing, and account policies. Functional user rights determine what programs the user can run or what system capabilities they have. Passwords are case sensitive, but user names are not. Both can contain spaces. Two methods of adding user accounts:
- Make a copy of an existing account.
User rights are divided into:
- Logon rights
- User privileges
Setting User Rights
- Organizational Units - In Administrative Tools, select "Active Directory Users and Computers".
- Domain - In Administrative Tools, select "Domain Security Policy". The ADMINPAK must be installed on the computer.
- Domain controllers - In Administrative Tools, select "Domain Controller Security Policy". The ADMINPAK must be installed on the computer.
- Local computers - From the Control Panel, "Administrative Tools" applet, double click "Local Security Policy".
Auditing in Microsoft Windows 2000 is the process of tracking both user activities and Windows 2000 events. You can specify that Windows 2000 writes a record of an event to the security log. The security log maintains a record of valid and invalid logon attempts and of events related to creating, opening, or deleting files or other objects. Auditing can be enabled by clicking Start, Programs, Administrative Tools, Local Security Policy. In the Local Security Settings window, double-click Local Policies and then click Audit Policy. Highlight the event you want to audit and, on the Action menu, click Security. Set the properties for each object as desired, then restart the computer for the new policies to take effect.
The following user events may be audited:
- File and Object Access - Logs user access to directories, files, or printers.
- Logon/Logoff - Local and remote logon and logoff connections may be audited.
- Process Tracking - Logs events about the running of programs.
- Restart, Shutdown, System - Logs when the system is shutdown or started.
- Security Policy Changes - Logs changes to User Rights and Account Policies.
- Use of User Rights - Logs when a user exercised a user right.
- User and Group Management - Logs user and group management events.
The user's profile allows the user's environment to be configured. The User Manager administration tool allows user profiles to be modified when "user properties", then "profile" are selected. The user profile contains:
- Desktop settings - screen colors, wallpaper, screen saver
- Persistent network and printer connections
- Mouse settings and cursor settings
- Recently edited documents
- Start-up programs, shortcuts, and personal groups
- Settings for Windows applications - Notepad, Paint, Windows Explorer, Calculator, Clock, and more
- Start menu settings - Programs that can be selected from the start menu
- Local profile - Stored in the C:\Documents and Settings\username folder. The profiles file is NTUSER.DAT in the directory called by the user's name. A mandatory profile, which discards any changes the user makes to their profile at logoff time, can be implemented by modifying the name of the user profile file from NTUSER.DAT to NTUSER.MAN. The ntuser.ini file is used to set up the user roaming profile components that are not copied to the server. The ntuser.dat.LOG file is used for NTUSER.DAT file recovery in the case of an error.
- Roaming - Stored on an NT server and downloaded to the computer that the user logs onto. This way the same user's profile can be available on any machine.
- For local users - If no user profile exists when the user logs on, the contents of the Default User profile folder are copied to the C:\Documents and Settings\username folder.
- For domain users - The NETLOGON share on the domain controller is checked for a default user profile. If one does not exist, it copies the contents of the local Default User profile folder to the local computer NETLOGON\username directory.
The default user settings are used to create a new user's profile when the new user logs on the first time. The administrator may modify the contents of the Default User profile directory to change the settings for first time users of the system. The Control Panel, System applet is used to copy user profiles. The "User Profiles" tab is used. The System applet is also used to delete user profiles. Shortcuts may be added to the Default User profile directory using Windows Explorer.
All Users Profile
Administrators may install applications and place shortcuts in the All Users Profile directory. All users will have access to these shortcuts and applications. These applications appear on users' desktops. The All Users Profile is not available on a domain wide basis.
Roaming Profiles
Roaming and local profiles may be mandatory, which will not allow the user to modify them. Roaming profiles are profiles that have been placed on a central server. When the user logs onto the domain, the roaming profile is copied to the local computer the user logged on from. If the user makes changes to the profile, they are saved to the local computer and the central server. When the user logs on from another computer the most recent of the local or server stored profile is used. If a user's profile is a mandatory profile and that profile is not available when the user attempts to log on, the logon attempt will fail.
A hardware profile is a set of instructions that tells Windows 2000 which devices to start when you start your computer or what settings to use for each device. When you first install Windows 2000, a hardware profile called Profile 1 (for laptops, the profiles would be Docked Profile or Undocked Profile) is created. By default, every device that is installed on your computer at the time you install Windows 2000 is enabled in the Profile 1 hardware profile.
Hardware profiles are especially useful if you have a portable computer. Most portable computers are used in a variety of locations, and hardware profiles will let you change which devices your computer uses when you move it from location to location.
You can manage hardware profiles by double-clicking System in Control Panel, clicking the Hardware tab, and clicking Hardware Profiles. If there is more than one hardware profile, you can designate a default profile that will be used every time you start your computer. You can also have Windows 2000 ask you which profile to use every time you start your computer. Once you create a hardware profile, you can use Device Manager to disable and enable devices that are in the profile. When you disable a device in a hardware profile, the device drivers for the device are not loaded when you start your computer.
Mobile users overview
Using Windows 2000, you can make network files available while working offline (for example, while working on a portable computer). Any shared network files or folders, including program files and Web pages, can be made available offline. By first setting up your computer to use Offline Files and then making your files available for offline use, you can disconnect your computer from the network and the files will still be available for use on your computer just as though you were still connected.
When you return your portable computer to its docking station, or when your network connection is restored, changes you made to files on your computer while you were disconnected are synchronized with those on the network.
Working offline
Offline Files notifies you if the status of your network connection changes. When the status of your network connection changes, an Offline Files icon appears in the status area, and an informational balloon is displayed over the status area to notify you of the change. If the informational balloon notifies you that you are offline, you can continue to work with your files as you normally do, or you can click the Offline Files icon in the status area for more information about the status of your connection.
If you are working offline (either because you are disconnected from the network or because you undocked your portable computer), you can still browse network drives and shared folders in My Computer or My Network Places. A red X appears over any disconnected network drives. You will be able to see only those files that you made available offline and any files that you created after the network connection was lost.
Your permissions on the network files and folders remain the same whether you are connected to the network or working offline. For example, a read-only document on a mapped network drive would remain read-only if you were disconnected from the network.
When you are disconnected from the network, you can print to local printers, but you cannot print to shared printers on the network. Instead, the file is spooled and prints to your local printer when you are reconnected to the network.
Windows 2000 Security
Windows 2000 Policies
Types of Policies
- Account policy - Determines how passwords are validated and how unsuccessful login attempts are handled. Account policies can be set for Organizational Units, domain, domain controllers, and local computers. Three types of account policies:
- Password policy - Determines how often the user must change passwords and various password requirements.
- Account lockout policy - Determines when accounts are locked when failed logon attempts occur.
- Kerberos policy - Windows 2000 domain controller computers are key distribution centers (KDCs) for the Kerberos security protocol, which is used for authentication.
- User Rights policy - Determines which users and groups can perform specific actions on the system.
- Audit policy - Determines the amount and type of security logging that Windows NT performs.
- System policy - Helps administrators manage users that are using Windows 95, 98, or NT computers. It can be used to provide a uniform environment for large numbers of users.
- Group policy - This policy, which is new with Windows 2000, applies to all members of the group it is set for, unless the member has an individual policy. Groups are listed by priority in the System Policy Editor's Group Priority dialog box. When a user is in multiple groups, the highest priority group's policy applies. It applies only to Windows 2000 computers, their users, or both.
Account Policy and Lockout options
The three main groupings are "Password restrictions", "Account lockout", and "Kerberos". The first four items below are under "Password restrictions". Account policy changes become effective when the user logs off and back on again.
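The "Account lockout" grouping, worked through as an added example rather than code from the study guide. It models the three lockout values under their Windows setting names ("Account lockout threshold", "Reset account lockout counter after", "Account lockout duration"); the account, password and timestamps are constructed, and time is passed in as plain seconds so nothing depends on a real clock.

```python
"""Model of the Windows 2000 account lockout policy (added example).

Not code from the study guide.  It encodes the lockout rules described
under "Account lockout policy", with the three values named after the
corresponding Windows settings: "Account lockout threshold", "Reset
account lockout counter after", and "Account lockout duration".  Time
is passed in as seconds so the model runs without a real clock.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int          # failed attempts before lockout (0 = never lock)
    reset_after_s: int      # window in which failed attempts accumulate
    duration_s: int         # how long the account stays locked


@dataclass
class Account:
    name: str
    password: str           # constructed sample credential, kept plain for the model
    bad_count: int = 0
    first_bad_at: int = 0
    locked_until: int = 0   # 0 = not locked


def attempt_logon(account, policy, supplied_password, now):
    """Return "ok", "bad" or "locked" for one logon attempt at time `now`."""
    if account.locked_until and now < account.locked_until:
        return "locked"          # even the right password is refused while locked
    if account.locked_until:     # lockout duration has elapsed: unlock, reset counter
        account.locked_until = 0
        account.bad_count = 0
    if supplied_password == account.password:
        account.bad_count = 0
        return "ok"
    # Failed attempt: start a new counting window if the old one has expired.
    if account.bad_count == 0 or now - account.first_bad_at > policy.reset_after_s:
        account.bad_count = 0
        account.first_bad_at = now
    account.bad_count += 1
    if policy.threshold and account.bad_count >= policy.threshold:
        account.locked_until = now + policy.duration_s
        account.bad_count = 0
        return "locked"
    return "bad"


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, reset_after_s=60, duration_s=120)
    acct = Account("alice", "s3cret-example")
    for t, pw in [(0, "x"), (10, "x"), (20, "x"), (30, "s3cret-example"), (150, "s3cret-example")]:
        print(t, attempt_logon(acct, policy, pw, t))
```

The third failure inside the 60-second window locks the account, the correct password at t=30 is still refused, and only after the 120-second duration does the correct password succeed. Attempts spread wider than the reset window never reach the threshold.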
Group Policies
Group policies are used by administrators to configure and control user environment settings. Group Policy Objects (GPOs) are used to configure group policies which are applied to sites, domains, and organizational units (OUs). Group policy may be blocked or set so it cannot be overridden. The default is for sub objects to inherit the policy of their parents. There is a maximum of 1000 applicable group policies.
Group policies are linked to domains, organizational units, or sites in Active Directory. A policy must be linked to a container object in Active Directory to be effective. They are stored in any domain for storage but can be linked to other domains to make them effective there also. The policy must be linked to the container (site, domain, or OU) that it is stored in to be effective in that container. One policy object can be linked to several containers. Several policy objects can be linked to one container.
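The inheritance, blocking and "cannot be overridden" rules from the two Group Policies paragraphs, as an added example. It is a model of link processing, not the study guide's code or the Windows implementation; the site, domain, OU and setting names are constructed.

```python
"""Model of Group Policy link processing in Active Directory (added example).

Not code from the study guide.  Containers form a chain site, domain,
OU, child OU; links higher in the chain are applied first and nearer
links override them on conflicting settings.  A container can block
inheritance, and a link can be marked so it cannot be overridden (the
"No Override" option): such a link applies through a block and wins
conflicts with links beneath it.  The 1000-policy limit the text
mentions is checked too.  Container and setting names are constructed.
"""
from dataclasses import dataclass, field

MAX_GPOS = 1000


@dataclass
class GpoLink:
    name: str
    settings: dict
    no_override: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False
    parent: "Container | None" = None


def resolve_settings(container):
    """Effective settings for objects in `container`."""
    chain = []                       # site first, target container last
    c = container
    while c is not None:
        chain.insert(0, c)
        c = c.parent
    if sum(len(c.links) for c in chain) > MAX_GPOS:
        raise ValueError("more than 1000 applicable group policies")

    settings = {}
    # Pass 1: ordinary links, top-down, skipped when a block sits between the
    # link's container and the target (a container's own block affects only parents).
    for i, c in enumerate(chain):
        blocked = any(d.block_inheritance for d in chain[i + 1:])
        if blocked:
            continue
        for link in c.links:
            if not link.no_override:
                settings.update(link.settings)
    # Pass 2: No Override links ignore blocks and are applied last; the highest
    # container's link is applied last of all, so it wins any conflict.
    for c in reversed(chain):
        for link in c.links:
            if link.no_override:
                settings.update(link.settings)
    return settings


# Constructed example hierarchy.
SITE = Container("HQ-site", [GpoLink("SiteDesktop", {"Wallpaper": "corp", "MinPwdLen": 8})])
DOMAIN = Container("corp.example",
                   [GpoLink("DomainLock", {"ScreenSaverTimeout": 600}, no_override=True)],
                   parent=SITE)
SALES = Container("Sales OU",
                  [GpoLink("SalesDesk", {"Wallpaper": "sales", "ScreenSaverTimeout": 60})],
                  block_inheritance=True, parent=DOMAIN)

if __name__ == "__main__":
    print("domain:", resolve_settings(DOMAIN))
    print("sales :", resolve_settings(SALES))
```

The Sales OU blocks inheritance, so the site's wallpaper and password length never reach it, yet the domain's No Override link still forces the 600-second screen saver timeout over the OU's own 60.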
EFS (Encrypting File System)
File and folder encryption support is provided by Windows 2000. NTFS version 5 (the Windows 2000 version) must be used on the partition in order to support encryption.
Two ways to set the encryption attribute on a file or folder are:
1. Use Windows Explorer
2. Run Cipher.exe at the command line
To encrypt a file or folder, go to its properties and select: General tab\Advanced button\Advanced Properties dialog box\Encrypt Contents to Secure Data check box.
If you move an encrypted file or folder to a FAT or NTFS version 4 partition, it will revert to an unencrypted state.
Security Templates
These template files have the .inf extension and contain security configuration settings. They help ease the burden of the complex task of configuring security settings.
Understanding Windows 2000 Printing
Windows uses one driver to support printing for all applications. Operating systems of the past required each application to support printing independently which required a print driver for each application or print functionality built into each application.
Windows 2000 Printing Terminology
- Printer - In Windows, it refers to the printer driver software which interacts with the print device to be sure the print job is formatted for that print device. Provides the interface to view and modify print jobs. This is also known as the print queue.
- Print device - The device that physically prints on paper.
- Print job - The print job is the request to print.
- EMF - Enhanced metafile format is a journal file print job. It is smaller than a RAW print file and can be produced faster.
When a shared print device is made available as a remote printer, the printer is actually shared, not the print device. Therefore, one print device may have several printers associated with it. This allows various priorities and characteristics to be set up for different users on the same print device.
Two additional utilities called LPR.EXE and LPQ.EXE are provided on Windows NT for managing print jobs destined for Unix hosted printers. LPR is used to print files and LPQ is used to manage the print queue.
NT remote print drivers
Clients that are attempting to print on remote computers do not need a local print driver installed. When the print request is made to the print server computer, the client will check to see if a print driver exists. If not, or if its print driver is older than the print driver on the server, the print server sends a copy of its print driver to the client computer, which keeps it until the session ends.
Adding Printers
The "Add Printer Wizard" in the "Printers" folder is used to add printers. Users who do this must be an Administrator or Power User. Windows 2000 will detect USB plug and play printers, but a parallel printer must be added manually. To add TCP/IP printers, use the "Add Printer Wizard" to add the printer, select "Create a new port" and select "Standard TCP/IP Port". You'll enter the printer name or its IP address.
To add UNIX printers, the "Add/Remove Programs" applet in the Control Panel can be used to install "Print Services for Unix". Use the "Add Printer Wizard" to add the printer, select "Create a new port" and select "LPR Port". You'll enter the printer name or its IP address and the name of the print queue for the print device.
Old HP print devices may use the DLC protocol rather than TCP/IP. If you connect to one of these printers, use the "Control Panel", "Network and Dial-up Connections" applet to add the DLC protocol, then use the "Add Printer Wizard" to add the printer. You must "Create a new port", select "Hewlett-Packard Network Port", and enter the MAC address of the network card that the printer uses. Choose a "Job Based" connection if more than one computer is using this printer. Choose a "Continuous" connection if this is the only computer to use the printer.
To add an AppleTalk printer, use the "Control Panel", "Network and Dial-up Connections" applet to add the AppleTalk protocol. Use the "Add Printer Wizard" to add the printer, select "Create a new port" and select "AppleTalk Printing Devices". Select the device from the list. If you capture the print device, this will be the only computer that can use the print device.
Printer Sharing
To share a printer, right click on the printer, select "Properties", click the "Sharing" tab, click the "Shared as:" radio button and enter the name you want to call the printer. To list it in Active Directory, click the "List in the Directory" checkbox.
Managing Printers
The Add Printer Wizard is used to create or add new printers (print drivers). The Add Printer Wizard may be started by selecting "Start", "Settings", and "Printers" or by selecting "Printers" in "My Computer". Printer drivers that support other operating systems such as Windows 95 may be installed on the computer that is hosting the printer. This way, if a client computer with that operating system tries to use the print device and does not have a print driver, it can still print since the print driver will be available from the print server.
Print Priority
Print priority governs when printing starts relative to spooling, whether to spool at all, and the hours of availability for the print device. Scheduling priority can be set from 1 to 99, with 99 the highest priority. To make scheduling priority effective, more than one printer driver, each with a different priority, may be associated with one print device.
Print Pools
Multiple print devices may support one printer (driver) with a print pool. Print jobs are sent to the next available print device. All print devices must be of the same type, however, since the printer (driver) must be able to interface to all print devices in the print pool. Windows for Workgroups (WFW) cannot spool to an NT printer pool, but Windows 95 through NT 4.0 can.
Managing Print Jobs
Print jobs are managed by double clicking on the desired printer in the Printers folder. Print jobs may be paused (Pause), resumed (Resume), restarted (Restart), or canceled (Cancel). Sharing, permissions, and other settings may also be changed here.
Printer registry entries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers - To change the location of the spool folder for all printers, change the value of Default Spool Directory to reflect the new spool location. This affects all printers installed on the computer. You can also change the spool location of each of the printers installed on the computer individually by modifying the Spool Directory value of their key entry.
- Remember that the computer spooling the print job must have sufficient space to queue the print job.
- To test, you can print to a file. If copying that file directly to the printer port prints correctly, the port and print device are working, so either the print spooler is not working or the spooled data is not being transmitted to the printer.
Internet Printer
The Windows 2000 Server system that shares a printer as an Internet printer must have the following installed:
- Internet Information Services (IIS)
Internet Printing Protocol (IPP) is used to support printing from Internet Explorer (IE) across the Internet. This provides the ability for clients using IE to print to Uniform Resource Locators (URLs), view printer information, and download printer drivers. Internet Explorer or the Printers folder can be used to manage these printers. Internet Explorer or the Add Printer Wizard can be used to connect to Internet printers.
Managing Windows 2000 Network Connections
Network Protocols and Services
Protocols
A protocol is a set of rules and conventions for sending information over a network. Windows 2000 relies on TCP/IP for logon, file and print services, replication of information between domain controllers, and other common functions. Primary network protocols that Windows 2000 supports include:
- Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
- Data Link Control (DLC)
- NetBIOS Enhanced User Interface (NetBEUI)
TCP/IP protocol
A routable protocol, installed by default in Windows 2000, which can be used to connect heterogeneous networks. Each computer on the network is identified by a 32-bit IP address, which can be entered manually or provided automatically by a DHCP server.
Troubleshooting TCP/IP Connections
- Incorrect subnet masks and gateways cause common TCP/IP problems.
- Check DNS settings if an IP address works but a hostname won’t.
- The Ping command tests connections and verifies configurations.
- The Tracert command checks a route to a remote system.
- Use IPConfig and IPConfig /all to display current TCP/IP configuration.
- Use NetStat to display statistics and connections for TCP/IP protocol.
- Use NBTStat to display statistics for connections using NetBIOS over TCP/IP
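The first troubleshooting item above, "incorrect subnet masks and gateways", as an added example that checks a configuration the way an administrator would read it off IPConfig. This is not code from the study guide; it uses Python's standard ipaddress module, and the addresses in the usage are constructed.

```python
"""Checker for the subnet mask and gateway item in the list above (added example).

Not code from the study guide.  Given an interface's address, subnet
mask and default gateway it reports the configuration faults the text
names: a mask that is not a contiguous run of ones, and a gateway that
is not on the interface's own subnet (so it can never be reached).  It
also answers whether a peer address is local or must go via the gateway,
which separates "gateway wrong" from "DNS wrong" when a name fails.
"""
import ipaddress


def check_ip_config(address, mask, gateway):
    """Return a list of problem descriptions; an empty list means the settings are consistent."""
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    except ValueError as exc:            # ipaddress rejects non-contiguous masks
        return [f"invalid subnet mask {mask}: {exc}"]
    net = iface.network
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address) and net.prefixlen < 31:
        problems.append(f"address {address} is the network or broadcast address of {net}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        problems.append(f"gateway {gateway} is outside subnet {net}")
    elif gw == iface.ip:
        problems.append(f"gateway {gateway} is the host's own address")
    return problems


def is_local_peer(address, mask, peer):
    """True if `peer` is on the same subnet (reachable without the gateway)."""
    net = ipaddress.IPv4Interface(f"{address}/{mask}").network
    return ipaddress.IPv4Address(peer) in net


if __name__ == "__main__":
    # Constructed sample configurations, one good and two typical mistakes.
    for cfg in [("192.168.1.10", "255.255.255.0", "192.168.1.1"),
                ("192.168.1.10", "255.255.255.0", "192.168.2.1"),
                ("10.0.0.5", "255.255.0.255", "10.0.0.1")]:
        print(cfg, check_ip_config(*cfg) or "ok")
```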
Unix Interoperability
If you install Windows 2000 Professional on a UNIX network you will also need to install the following:
- TCP/IP - TCP/IP is necessary to allow the UNIX computers to connect to the Windows 2000 Professional computers on the network.
- SNMP Service - SNMP is the Simple Network Management Protocol.
- Print Services for UNIX - Print Services for UNIX allows computers on the network to connect to UNIX controlled printers.
NWLink (IPX/SPX) and NetWare Interoperability
Gateway Services for NetWare can be implemented on your NT Server to allow an MS client system to access your NetWare server, using the NT Server as a gateway. Frame types for the NWLink protocol must match those of the computer that the NT system is trying to connect with; mismatched frame types cause connectivity problems between the two systems. NetWare 3 servers use Bindery Emulation (Preferred Server in CSNW). NetWare 4.x and higher servers use NDS (Default Tree and Context). NWLink is used by NT to allow NetWare systems to access its resources.
To allow file and print sharing between NT and a NetWare server, CSNW (Client Service for NetWare) must be installed on the NT system. In a NetWare 5 environment, the Microsoft client does not support connection to a NetWare Server over TCP/IP. You will have to use IPX/SPX or install the Novell NetWare client.
AppleTalk
AppleTalk must be installed to allow Windows 2000 Professional to communicate with Apple printers. File and Print Services for Macintosh allows Apple clients to use resources on a Microsoft network.
DLC
DLC is a special-purpose, non-routable protocol used by Windows 2000 to talk with IBM mainframes, AS/400s and Hewlett-Packard printers.
NetBEUI
NetBEUI is used solely by Microsoft operating systems and is non-routable.
Remote Access Services
Remote Access Service (RAS) is considered to be a Wide Area Network (WAN) connection.
Protocols Supported By RAS
- Point to Point Protocol (PPP) - Point to Point Protocol is a form of serial line data encapsulation that is an improvement over SLIP which provides serial bi-directional communication. Packets are delivered in the order they were sent.
- Serial Line Interface Protocol (SLIP) - This protocol places data packets into data frames in preparation for transport across network hardware media. This protocol is used for sending data across serial lines. There is no error correction, addressing, compression, or packet identification. There is no authentication or negotiation capabilities with SLIP. SLIP will only support transport of IP packets.
- Point to Point Multilink Protocol - Combines bandwidth from several physical connections into one logical connection.
- Microsoft RAS
VPN Protocols Support
Overview of Virtual Private Network
A Virtual Private Network allows you to run a secure, private network over an unsecured public network. You can use virtual private networking to get clients connected to your network over the Internet and do it securely, even though the Internet is an inherently unsecured network.
- Point to Point Tunneling Protocol (PPTP) - Point-to-Point Tunneling Protocol (RFC 2637) works at the Data Link layer. No encryption or key management is included in the specification. It is a VPN tunneling protocol used to send secure communications from point to point, giving access to a network across a public network at the speed of a modem connection. It uses PPP encryption or Microsoft Point-to-Point Encryption (MPPE), over TCP as a transport protocol.
- Layer Two Tunneling Protocol (L2TP) - Layer2 Tunneling Protocol. (RFC 2661) combines features of L2F and PPTP and works at the Data link layer.
- IPSec - Internet Protocol Security, developed by the IETF and implemented at layer 3. It is a collection of security measures that address data privacy, integrity, authentication, and key management, in addition to tunneling.
Authentication Protocols Supported
- CHAP - Challenge Handshake Authentication Protocol - encrypts user names and passwords, but not session data. Works with non-Microsoft clients.
- EAP - Extensible Authentication Protocol. Allows for an arbitrary authentication mechanism to validate a dial-in connection. Uses generic token cards, MD5-CHAP and TLS.
- EAP-TLS - EAP with Transport Layer Security. Primarily used for digital certificates and smart cards.
- MS-CHAP (V1 and 2) - Microsoft Challenge Handshake Authentication Protocol. Encrypts entire session, not just username and password. V2 is supported in Windows 2000 and NT 4.0 and Win 95/98 (with DUN 1.3 upgrade) for VPN connections.
- PAP - Password Authentication Protocol. Sends username and password in clear text.
- RADIUS - Remote Authentication Dial-in User Service. Provides authentication and accounting services for distributed dial-up networking.
- SPAP - Shiva Password Authentication Protocol. Used by Shiva LAN Rover clients. Encrypts password, but not data.
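The difference the list draws between PAP ("sends username and password in clear text") and the challenge-response protocols, shown as an added example with both peers simulated in one process. This is not code from the study guide; it follows the CHAP response calculation from RFC 1994 (MD5 over identifier, secret and challenge, which is the hash that RFC specifies), and the user name, secret and challenge bytes are constructed sample values.

```python
"""PAP versus CHAP credential exchange, both peers simulated (added example).

Not code from the study guide.  PAP puts the password itself in the
Authenticate-Request.  CHAP (RFC 1994) sends a challenge and the peer
answers with MD5(identifier || secret || challenge); the secret never
crosses the link and a different challenge gives a different response,
so a captured exchange is useless for the next authentication.  The user
name, secret and challenge bytes are constructed sample values; MD5 is
used because it is the hash RFC 1994 specifies.
"""
from __future__ import annotations

import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: peer id and password in the clear."""
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


def chap_new_challenge(length: int = 16) -> bytes:
    """Authenticator side: a fresh random challenge for every authentication."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response Value = MD5(Identifier || secret || Challenge) per RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected value and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def reveals_password(on_wire: bytes, password: str) -> bool:
    """Would a listener on the link see the password itself in this message?"""
    return password.encode() in on_wire


def run_exchange(secret: bytes, identifier: int = 1, challenge: bytes | None = None):
    """Full CHAP round trip in one process; returns (accepted, challenge, response)."""
    challenge = challenge if challenge is not None else chap_new_challenge()
    response = chap_response(identifier, secret, challenge)          # computed by the peer
    accepted = chap_verify(identifier, secret, challenge, response)  # checked by the authenticator
    return accepted, challenge, response


if __name__ == "__main__":
    secret = b"s3cret-example"          # constructed shared secret
    print("PAP on wire:", pap_authenticate_request("alice", secret.decode()))
    ok, ch, resp = run_exchange(secret)
    print("CHAP accepted:", ok, "response:", resp.hex())
```

Two properties follow from the code: the PAP request contains the password bytes verbatim, while a CHAP response with the wrong secret or a different identifier fails verification and never contains the secret at all.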
Internet Connection Sharing
Windows 98 supported Internet Connection Sharing (ICS), which is now also supported in Windows 2000. ICS allows multiple PCs to share a single connection with the aid of Network Address Translation (NAT) and is intended for small office/home office (SOHO) environments. When you enable ICS, the network adapter connected to the network is given a new static IP address configuration. Existing TCP/IP connections on the computer are lost and need to be re-established.
Remote Access Policies
With Remote Access Policies you define rules with conditions that the system evaluates to see whether a particular user can connect or not.
You can have any number of policies in a native Windows 2000 domain. When a caller connects, the policy conditions are evaluated one by one to see whether the caller gets in or not. All of the conditions in the policy must match for the user to gain access. If there are multiple policies, they are evaluated according to an order you specify. The three components of a remote access policy are its conditions, permissions and profile:
- Conditions - List of parameters (time of day, user groups, IP addresses or Caller Ids) that are matched to the parameters of the client connecting to the server. The first policy that matches the parameters of the inbound connection is processed for access permissions and configuration.
- Profile - Settings (authentication and encryption protocols) which are applied to the connection. If connection settings do not match the user’s dial-in settings, the connection is denied.
- Permissions - Connections are allowed based on a combination of the dial-in properties of a user’s account and remote access policies. The permission setting on the remote access policy works with the user’s dial-in permissions in Active Directory providing a wide range of flexibility when assigning remote access permissions.
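The evaluation order described above (ordered policies, all conditions must match, first match is processed, account dial-in setting combined with the policy permission, then the profile), as an added illustrative model that is not part of the original article; the class names, field names and sample policies are constructed for this example and are not Windows 2000 APIs.

```python
from dataclasses import dataclass, field

# Constructed model of the evaluation order described above. Class names,
# field names and the sample policies are illustrative, not Windows 2000 APIs.
@dataclass
class Connection:
    user_groups: set
    hour: int            # hour of day (0-23) at which the call arrives
    caller_id: str
    auth_protocol: str   # authentication protocol negotiated, e.g. "MS-CHAPv2"

@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)       # condition; empty = any
    hours: range = range(0, 24)                    # condition: time of day
    caller_ids: set = field(default_factory=set)   # condition; empty = any
    grant: bool = True                             # policy permission
    allowed_auth: set = field(default_factory=lambda: {"MS-CHAPv2", "EAP-TLS"})  # profile

    def matches(self, c: Connection) -> bool:
        # All conditions must match for this policy to be the one processed.
        return bool((not self.groups or self.groups & c.user_groups)
                    and c.hour in self.hours
                    and (not self.caller_ids or c.caller_id in self.caller_ids))

def evaluate(policies, conn, dialin):
    """dialin is the account's dial-in setting in Active Directory:
    'allow', 'deny', or 'policy' (control access through remote access policy)."""
    for p in policies:                 # evaluated in administrator-defined order
        if not p.matches(conn):
            continue                   # not a match: try the next policy
        # Permissions: the account setting is combined with the policy's.
        if dialin == "deny":
            return False, f"{p.name}: denied by account dial-in setting"
        if dialin == "policy" and not p.grant:
            return False, f"{p.name}: denied by policy permission"
        # Profile: the connection must satisfy the policy's settings.
        if conn.auth_protocol not in p.allowed_auth:
            return False, f"{p.name}: {conn.auth_protocol} not allowed by profile"
        return True, f"{p.name}: access granted"
    return False, "no policy matched; connection denied"

# Sample policies (constructed): admins may dial in after hours from any
# caller ID; everyone else falls through to a catch-all policy that denies.
POLICIES = [
    Policy("Admins after hours", groups={"Admins"}, hours=range(18, 24)),
    Policy("Catch-all", grant=False),
]
```

Note that an account whose dial-in setting is "allow" still passes the catch-all policy even though the policy itself denies, which is why a deny-all last policy only works when accounts are set to control access through policy.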
Windows 2000 Optimization and Tuning
System Performance Monitoring
The Windows 2000 System Monitor tool is used for system performance monitoring. System Monitor uses:
- Objects - A part of the computer system or operating system such as the processor, logical disk, memory, thread and other objects.
- Instances - Used when there is more than one occurrence of an object, such as threads.
- Counters - Used to measure some characteristic of an object. Specific counters are available for specific objects to measure their performance or use.
System Monitor can be used to:
- Create a baseline after system installation to compare system performance over time.
- Monitor system resource use.
- Find any performance problems.
- Determine bottlenecks to performance.
- Monitor changes in performance over time.
Ways to View Statistics
- Alerts - The administrator can be notified when a counter exceeds or falls below a preset value. Saved as *.pma file. The computer for the alert along with object, counter, and threshold value must be specified. A specified program may be run if an alert is triggered.
- Chart - The default view. Graphs and histograms (vertical bar charts) are used. To switch to histograms, use the menu item "Options", "Chart" selection. The Gallery section has Graph and Histogram radio button selections. Graphs display data every second and display 100 seconds worth of data. Chart file saved as *.pmc. A particular counter may be highlighted by clicking on the counter and pressing the backspace key.
- Log - Used to record data in log files for later analysis. Data can be acquired from several systems into one log file. Log files can be used to create charts, reports or alerts by feeding them back through Performance Monitor. Saved as *.pml. This information may be exported to a spreadsheet or database.
- Report - Used to show a large number of objects and counters at one time. It is a list of counters and their average values. Saved as *.pmr.
Objects and Counters
- Cache - Level 2 cache. Counters:
  - Data Map Hits %
- Logical Disk - Counters:
  - % Free Space
- Memory - Counters:
  - Pages/Sec - How much data is being swapped between RAM and virtual memory on the hard drive. If above 5 or 6 on average, more RAM is needed.
- Network Interface - Counters:
  - Bytes Total/sec
- Objects - Process and thread counts
- Paging File - Virtual memory. Counters:
  - % Usage - The amount of the paging file being used. Create a larger paging file or add RAM if the number is near 100%.
- Physical Disk - Counters:
  - Disk Queue Length - The number of disk reads and writes queued to be done. If above 4 or 5 on average, a faster hard drive is needed.
  - Average Disk Sec/Transfer
  - % Disk Time - The percent of time the disk is busy doing reads or writes. A number near 100% indicates a disk or drive controller bottleneck.
- Process - Currently running programs. Counters:
  - % Processor Time - The percent of time the processor is used by this process object, including all its threads.
- Processor - Counters:
  - % Processor Time - A number close to 100% indicates the processor is a bottleneck.
- Server - Counters:
  - Bytes Total/Sec - The total number of bytes sent or received through all network cards on a computer by the Server service.
- System - NT performance. Counters:
  - File Read Operations/Sec, File Write Operations/Sec
- Thread - Thread performance. Counters:
  - % Processor Time - The percent of time the processor is used by this thread object.
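The thresholds above applied to a batch of counter readings, as an added example that is not part of the original article. The sample readings, their "Object(Instance)\Counter value" line format, and the choice to read "near 100%" as an average above 90 are assumptions of this example, not System Monitor output or Microsoft guidance.

```python
import re
from collections import defaultdict

# Constructed sample readings in "Object(Instance)\Counter value" form; they
# are illustrative, not real System Monitor output.
SAMPLES = """\
Memory\\Pages/Sec 12.4
Memory\\Pages/Sec 9.8
Memory\\Pages/Sec 11.0
Physical Disk(_Total)\\Disk Queue Length 1
Physical Disk(_Total)\\Disk Queue Length 2
Physical Disk(_Total)\\% Disk Time 35.0
Processor(_Total)\\% Processor Time 98.5
Processor(_Total)\\% Processor Time 99.1
Paging File(_Total)\\% Usage 40.0
"""

# Thresholds taken from the list above, as (limit on the average, advice).
# "Near 100%" is read here as an average above 90, an assumption of this example.
RULES = {
    "Memory\\Pages/Sec": (5.0, "add RAM: sustained paging"),
    "Physical Disk\\Disk Queue Length": (4.0, "faster disk: requests are queueing"),
    "Physical Disk\\% Disk Time": (90.0, "disk or drive controller bottleneck"),
    "Processor\\% Processor Time": (90.0, "processor bottleneck"),
    "Paging File\\% Usage": (90.0, "enlarge the paging file or add RAM"),
}

# object, optional (instance), backslash, counter name, numeric value
LINE_RE = re.compile(r"^([^\\(]+)(?:\([^)]*\))?\\(.+?)\s+([\d.]+)$")

def average_counters(text):
    """Average each Object\\Counter over all its samples, ignoring instance names."""
    readings = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip malformed lines instead of aborting
        obj, counter, value = m.groups()
        readings[f"{obj}\\{counter}"].append(float(value))
    return {k: sum(v) / len(v) for k, v in sorted(readings.items())}

def find_bottlenecks(text):
    """Return (counter, average, advice) for every counter over its threshold."""
    findings = []
    for key, avg in average_counters(text).items():
        rule = RULES.get(key)
        if rule and avg > rule[0]:
            findings.append((key, round(avg, 1), rule[1]))
    return findings
```

Running `find_bottlenecks(SAMPLES)` flags the Memory and Processor counters and leaves the disk and paging file counters alone, since only the average, not a single spike, is compared against the threshold.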
Paging File
A paging file (pagefile.sys) is responsible for managing virtual memory and stores data that is not resident in RAM. There is a lot of conflicting information on Microsoft's website regarding the recommended size of the paging file and we are not sure which is correct. Some references say that it should be 1.5x the amount of physical RAM and others say that it should be physical RAM + 12 MB, as in NT 4.0.
Process Priority Setting
Process priority may be set to a value from 1 to 31. Priorities are categorized as follows:
- 0-7 - Low user
- 7-15 - High user
- 15-23 - Real Time
- 23-31 - Administration only
- Base thread priority is 8. Threads inherit the base priority of their parent process. The NT operating system can vary priorities higher or lower by a value of two in order to remain responsive.
Setting Priority of Foreground Tasks
To modify foreground task priority, use the System applet in Control Panel. Selecting the Performance tab allows one of three foreground task settings to be chosen. If set to None on the left, foreground tasks are not boosted in priority; on the middle setting, foreground tasks get a priority increase of 1; on the right, the maximum setting, foreground tasks get a priority increase of 2.
Task Manager
Task Manager can be used to start and stop applications, change process priority, and monitor performance statistics. To change the priority of a process, right-click the process and select "Set Priority".
Types of Backups
- Normal - Saves files and folders and shows they were backed up by clearing the archive bit.
- Copy - Saves files and folders without clearing the archive bit.
- Incremental - Saves files and folders that have been modified since the last backup. The archive bit is cleared.
- Differential - Saves files and folders that have been modified since the last backup. The archive bit is not cleared.
- Daily - Saves files and folders that have been changed that day. The archive bit is not cleared.
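The archive-bit behaviour of the five backup types above, simulated over a three-day sequence so the difference between incremental and differential backups (what each captures, and which sets a restore needs) is visible; this is an added example, not code from the original article, and the file names, day numbers and change sequence are constructed.

```python
# Constructed simulation of how the five backup types above select files and
# treat the archive bit. Names, day numbers and the change sequence are made up.

class Volume:
    def __init__(self):
        self.files = {}   # name -> {"archive": bool, "modified": day number}

    def write(self, name, day):
        # Any write sets the archive bit: the file is marked "changed".
        self.files[name] = {"archive": True, "modified": day}

def backup(vol, kind, today):
    """Return the set of files a backup of the given type saves, updating the
    archive bits exactly as that backup type does."""
    if kind in ("normal", "copy"):
        selected = set(vol.files)                                  # everything
    elif kind in ("incremental", "differential"):
        selected = {n for n, f in vol.files.items() if f["archive"]}
    elif kind == "daily":
        selected = {n for n, f in vol.files.items() if f["modified"] == today}
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):       # only these two clear the bit
        for n in selected:
            vol.files[n]["archive"] = False
    return selected

def run_week(strategy):
    """Normal backup on day 1, then `strategy` ('incremental' or
    'differential') on days 2 and 3. Returns {day: files captured}."""
    vol = Volume()
    for name in ("a.doc", "b.xls", "c.txt"):
        vol.write(name, 1)
    captured = {1: backup(vol, "normal", 1)}
    vol.write("a.doc", 2)                 # day 2: one file changes
    captured[2] = backup(vol, strategy, 2)
    vol.write("b.xls", 3)                 # day 3: another file changes
    captured[3] = backup(vol, strategy, 3)
    return captured

def restore_after(strategy, captured):
    """Which backup sets are needed to rebuild the volume after the last day."""
    last = max(captured)
    return [1] + ([last] if strategy == "differential" else list(range(2, last + 1)))

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, run_week(strategy), restore_after(strategy, run_week(strategy)))
```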
Scheduling the Backup
The AT command may be used to schedule backups from the command line. The most common way to schedule a backup is to use the Windows 2000 Backup Utility, by selecting "Backup" in the "Administrative Tools" section of the Start menu. Select the "Backup" tab and click the "Schedule" button to set a schedule. A user name and password will be required to run the backup.
Starting and Recovering Your System
Using Advanced Startup Options
If your computer doesn't start correctly, you can use the advanced startup options to run Windows 2000 so that you can troubleshoot the problem.
Safe Mode
Even if your computer won't start normally, you might be able to start it in diagnostic mode, also known as safe mode. When you start your computer in any of the safe modes, only the minimal services are loaded and a boot log is created. This log lists the services and devices that did or did not load. After you start your computer in safe mode, you can change computer settings. For example, using safe mode, you can remove or reconfigure newly installed software that might be causing a problem. There are three safe mode options:
- Safe Mode starts Windows 2000 by using only basic files and drivers (mouse, monitor, keyboard, mass storage, basic video and default system services), without network support.
- Safe Mode with Networking starts Windows 2000 by using only basic files and drivers (see Safe Mode, above), but with network support. It does not provide network support for PCMCIA devices.
- Safe Mode with Command Prompt starts Windows 2000 by using only basic files and drivers. After the log on, the command prompt appears instead of Windows 2000.
Last Known Good Configuration
The Last Known Good Configuration option is used only when a device is incorrectly configured. When you choose this option, Windows 2000 restores the registry settings that it saved at the last shutdown. For example, if you can't start Windows 2000 after you've installed a new driver or changed a driver configuration, you can use Last Known Good Configuration. When you use this option, you lose any system changes you made since the last successful shutdown.
Using Recovery Console
Recovery Console provides a command line during startup from which you can make system changes when Windows 2000 doesn't start.
You can use Recovery Console to perform many tasks without starting Windows 2000, including: starting and stopping services, reading and writing information on a local disk drive (including NTFS file system drives), formatting drives, and so on. Recovery Console is particularly useful if you need to repair your system by copying a file from a floppy disk or CD-ROM to your hard drive or if you need to modify a service that prevents your computer from starting properly.
There are two ways to start the Recovery Console:
- If you are unable to start your computer, you can run the Recovery Console from your Windows 2000 Setup disks.
- As an alternative, you can install the Recovery Console on your computer to make it available in case you are unable to restart Windows 2000. You can then choose the Windows 2000 Recovery Console option from the boot menu.
After you start the Recovery Console, you choose which drive you want to log on to (if you have a dual-boot computer) and you log on with your administrator password.
Using the Emergency Repair Disk
The Emergency Repair Disk (ERD) can help you to repair or recover a system that can't load Windows 2000. The ERD helps you repair problems with system files and the partition boot sector. This situation occurs when your hard disk fails or when some of your system files are corrupted or accidentally deleted. System files are the files Windows 2000 uses to load, configure, and run the operating system. If some system files are missing or corrupted, you can use the ERD to repair those files.
The partition boot sector contains information about the file system structure and instructions for loading the operating system. If you have a dual-boot system, the ERD contains information about the settings that specify which operating system to start and how to start it.
You should regularly update your ERD in order to record your latest system settings. The ERD is designed for restarting your computer or repairing system files; it doesn't back up any of your files or programs.