TechiWarehouse.Com


Dated: Aug. 11, 2004

Introduction

Windows 2000 is fast becoming the most widely deployed network operating system in the corporate world, and as the network industry grows in both technology and size, proven skills and expertise matter more than ever. Microsoft has recognized this and revised its Microsoft Certified Professional (MCP) program to provide credentials that demonstrate expertise in the Microsoft Windows 2000 family of products and services.

Windows 2000 comes in several editions: Windows 2000 Server, Advanced Server and Datacenter Server on the server side, and Windows 2000 Professional for client workstations. Which one you deploy depends on the requirements of your client/server environment.

Windows 2000 Server is an enterprise-wide server operating system through which Microsoft set out to provide an improved networking infrastructure, more scalable security options, more powerful file sharing, freedom from disk drive letters (volume mount points), more flexible online storage and, most important of all, Active Directory: a directory service built on the Extensible Storage Engine (ESE) database, integrated into the Windows 2000 operating system, which acts as the repository for all user and network object information (its store is the file Ntds.dit on each domain controller). This study guide provides an overview of what you need to pass exam 70-215, Installing, Configuring and Administering Microsoft Windows 2000 Server, and summarizes the skills required to install and configure Windows 2000 Server to participate as a member server of a domain in an Active Directory environment.

Microsoft Active Directory Concepts

As stated earlier, Active Directory is a directory service, built on the ESE database engine and integrated into Windows 2000, that acts as the repository for all user and network object information. The buzz surrounding Active Directory (AD) hails it as the most important new feature of Windows 2000 Server: a fast, reliable resource management system that, if properly configured and maintained, provides the backbone of a Windows 2000 network. Before getting to the technical concepts and terminology of AD, we first clarify what a directory and a directory service are. A directory is a repository whose primary function is to provide a listing, whether of objects, organizations or people; a phone directory is the everyday example. In an operating system, the store that holds user and network object information, together with the programs that manage it, is called the directory service. AD has therefore been designed to centralize all of the user, group, application, printer and computer information on your network in one repository.

AD uses TCP/IP as its network protocol and depends on DNS (described below) to locate domain controllers. All Windows 2000 computers can use AD by default. Computers running earlier versions of Windows can still log on to the domain but cannot use AD features unless the Directory Services Client add-on (DSCLIENT.EXE, for Windows 95, Windows 98 and Windows NT 4.0) is installed.

Domains: a domain is the basic unit of administration in Active Directory. It groups computers and users that share one directory database and one security policy, and it is used to control access to resources for users.

Namespace: Microsoft uses the term namespace to refer to any collection of domains with a common DNS root name. Examples of items within the same namespace are support.microsoft.com, developer.microsoft.com and marketing.microsoft.com.

Trees: an AD tree consists of a group of domains that share a common schema and configuration and form a contiguous namespace, each child domain's DNS name extending its parent's.

Domains in earlier versions of NT made up the entire manageable collection of users, printers, servers and workstations on your network. In Windows 2000, a domain is merely one part of a larger tree. A single domain tree consists of a parent domain and all of its child domains. Domains are named in accordance with the Internet's Domain Name System (DNS) standard: if the parent (root) domain is called global.com, a child domain may be called support.global.com.

Forests: a forest contains one or more trees that do not form a contiguous namespace. All domains in a forest share a common schema, configuration and global catalog, and are linked by transitive trusts.

Sites: when designing the tree, Microsoft allows you to break it down into sites. A site is a collection of workstations and servers on one or more IP subnets joined by fast, reliable connections. Within a site, Active Directory replicates changes between domain controllers shortly after they occur; between sites, replication happens only on a schedule you define, to minimize WAN traffic.

Do not confuse trees, forests and sites. Trees and forests are the logical structure, used to manage administration and security in an organization. Sites reflect the physical network, typically geographical boundaries. You may arrange trees and forests along geographical or organizational lines, but doing so has no effect on which sites the domain controllers belong to.

Global Catalog: to speed forest-wide searches, AD maintains a separate index called the global catalog. The global catalog contains an entry for every object in every domain of the forest, together with a subset of the attributes of each object (enough to locate it and to evaluate group membership at logon). The global catalog is not held by every server: it is hosted only on the domain controllers designated as global catalog servers, the first domain controller in the forest being one by default.

Organizational Units: within a domain you can create organizational units (OUs), containers that hold objects such as users, groups, computers and printers in Active Directory. You can arrange OUs into a logical structure that matches the way you organize your business, and you can delegate administration of an OU by assigning permissions on it, so that, for example, the help desk can reset passwords in one OU without being administrators of the whole domain. It is therefore wise to use OUs to divide the domain into functional units such as accounting, human resources and information systems. Using OUs reduces the number of domains needed to manage the tree.

User Accounts and Groups: a user account is the user's unique credential for accessing resources. Groups are a special type of account: collections of user or computer accounts that share similar needs. Organizing accounts into groups greatly simplifies administration: permissions are assigned to the group rather than to each user, and a single entry can, for instance, deny everyone in a given group access to a particular directory.

Group Policies: Group Policy is the mechanism for applying controls across Active Directory. Through Group Policy objects, linked to sites, domains or OUs, you can set user rights, deploy software, restrict users' desktop settings, control system settings, and simplify or restrict the programs users may run.

Windows 2000 Server Installation and Deployment

Installation Requirements

  • 133 MHz or higher Pentium compatible CPU
  • 128 MB RAM minimum (4 GB maximum), 256 MB recommended
  • 2 GB hard disk with a minimum of 1 GB of free space. Additional free hard disk space is required if you are installing over a network.
  • Network Adapter Card
  • Video display adapter and monitor with VGA or higher resolution.
  • Windows 2000 Server itself supports up to 4 processors (symmetric multiprocessing).

Pre- Installation Tasks

Prior to installing Windows 2000, the following tasks must be performed

  • Hardware requirements and HCL: ensure that all hardware requirements are met and that the hardware appears on the Hardware Compatibility List (HCL).
  • BIOS configuration: check your machine's BIOS configuration, for instance the boot device order if you are installing from a bootable CD-ROM, the Plug and Play settings, and interrupt reservations if you have to add older, non Plug and Play components to a Plug and Play system.
  • Upgrade or new install: decide whether to upgrade your existing operating system or perform a new installation. Upgrading replaces a version of Windows NT with Windows 2000 Server while keeping its settings. Installing, in contrast, means wiping out the previous operating system, or installing Windows 2000 Server on a disk or partition with no previous operating system.

    Upgrading

    If you upgrade, Setup automatically installs Windows 2000 Server into the same folder as the currently installed operating system. You can upgrade from the following versions of Windows:

  • Windows NT version 3.51 Server (excluding installations with Citrix software)
  • Windows NT version 4.0 Server
  • Windows NT version 4.0 Terminal Server

    If you have Windows NT 4.0 Server Enterprise Edition, you can upgrade to Windows 2000 Advanced Server, but not to Windows 2000 Server. If you have a version of Windows NT Server earlier than 3.51, you cannot upgrade directly to Windows 2000 Server from it; you must first upgrade to Windows NT Server 3.51 or 4.0. To check upgrade compatibility you can run the Windows 2000 Upgrade Compatibility Verification Tool (winnt32 /checkupgradeonly).

  • Disk partitioning: Determine how you will partition your hard disk where Windows 2000 will be installed. It depends solely upon your organization and application requirements as well as the type of server you are installing.
  • File systems: a file system is the disk format the operating system uses to store files. Choose a file system for the installation partition before installation. The standard choices for Windows 2000 are FAT, FAT32 and NTFS. Choose FAT if you plan to dual boot with Windows 3.x, Windows 95, Windows 98 or Windows NT 4.0 and want those operating systems to be able to read the partition. Choose FAT32 if you plan to dual boot Windows 2000 and Windows 98 Second Edition. Choose NTFS for any partition you want to secure, and for a dual boot with Windows NT 4.0 (NT 4.0 needs Service Pack 4 or later to read Windows 2000's NTFS): it is the only one of the three that supports file and folder permissions, auditing, encryption (EFS) and disk quotas, and it is required on domain controllers.
  • Choosing a licensing mode: Windows 2000 Server supports two licensing modes: Per seat and Per server. If you choose the Per seat mode, each computer that accesses a Windows 2000 server requires a separate Client Access License (CAL). With one CAL, a particular client computer can connect to any number of Windows 2000 servers. This is the most commonly used licensing method for companies with more than one Windows 2000 server.

    In contrast, Per server licensing means that each concurrent connection to this server requires a separate CAL. This means that at any one time, this Windows 2000 server can support a fixed number of connections. For example, if you selected the Per server client licensing mode and five concurrent connections, this Windows 2000 server could have five computers (clients) connected at any one time. Those computers would not need any additional licenses.

    The Per server-licensing mode is often preferred by small companies with only one Windows 2000 server. It is also useful for Internet or remote access servers where the client computers might not be licensed as Windows 2000 network clients. You can specify a maximum number of concurrent server connections and reject any additional logons.

    If you are unsure which mode to use, choose Per server, since a one-time change from Per server to Per seat is permitted at no cost; the reverse is not.

  • Networking: Decide how to handle networking, IP addresses, and TCP/IP name resolution.

    Overview of networking and TCP/IP

    TCP/IP is the network protocol that provides Internet access, and it is the protocol used by most servers, although you can install additional or different protocols alongside it. To use TCP/IP, make sure each server has an IP address, either dynamically assigned (through DHCP) or static (one you obtain and set yourself). Because these addresses are numbers and therefore hard to remember, you will also have to provide users with names that are easier to use. Mapping such a name to an IP address is called name resolution, and it can be accomplished by various methods, primarily the Domain Name System (DNS) and the Windows Internet Name Service (WINS).

    Name resolution for TCP/IP

    Name resolution is a process that provides users with easy-to-remember server names, instead of requiring them to use the numerical IP addresses by which servers identify themselves on the TCP/IP network. The name-resolution services are the DNS and WINS.

    Domain Name System (DNS)

    DNS is a hierarchical naming system used for locating computers on the Internet and on private TCP/IP networks. One or more DNS servers are needed in most installations. DNS is required for Internet e-mail, Web browsing and Active Directory, and it is required in domains with clients running Windows 2000. DNS is installed automatically when you create a domain controller (or promote a server to become a domain controller), unless Windows 2000 detects that a DNS server already exists for that domain. (Alternatively, you can explicitly select DNS as a component to install during or after Setup.)

    If you are installing DNS on a server, you will need to give that server a static IP address. In addition, you will need to configure the DNS clients so that they point at that address.

    Windows Internet Name Service (WINS)

    WINS provides NetBIOS name resolution for clients running Windows NT and earlier versions of Microsoft operating systems. With name resolution, users can access servers by name instead of by IP addresses that are difficult to recognize and remember. If you support clients running Windows NT or any earlier Microsoft operating system, you will need to install WINS on one or more servers in the domain.

  • Deciding between workgroups and domains: decide whether to place your servers in a workgroup or a domain. A workgroup is a network in which each server is administered individually; it has no central domain controller and no shared account database.

Issues relating to Upgrading

With Windows 2000, servers can have one of three roles in relation to domains:

  • Domain controllers contain matching copies of the user accounts and other Active Directory data in a given domain.
  • Member servers belong to a domain but do not contain a copy of the Active Directory data.
  • Stand-alone servers belong to a workgroup rather than a domain

A domain must have at least one domain controller. For resilience, a domain should have multiple domain controllers to support the handling of logon requests and directory updates.

There are several important points to remember about upgrading an existing Windows NT domain to run with Windows 2000:

  • You must use the NTFS file system on domain controllers (the SYSVOL folder requires it). In addition, any server that has a partition formatted with FAT or FAT32 will lack many security features on that partition: a shared folder on it can be protected only by the permissions set on the share, not on individual files, and there is no software protection at all against local access to the partition.
  • You can upgrade member servers before or after upgrading domain controllers. However, when you upgrade the domain controllers in a Windows NT domain to Windows 2000, you must upgrade the primary domain controller first.

When you begin upgrading domain controllers, if you have a remote access server that is a member server, it is recommended that you upgrade it before the last domain controller is upgraded.

The roles of the servers in a domain are named somewhat differently with Windows 2000 Server as compared to Windows NT Server. With Windows NT Server, the possible roles were primary domain controller (limited to one per domain), backup domain controller, member server, or stand-alone server. Windows 2000 has only one kind of domain controller (without a "primary" or "backup" designation), and also includes the roles of member server and stand-alone server. When you upgrade, Windows 2000 Setup assigns server roles as follows:

Role in Windows NT domain      Role in Windows 2000 domain
Primary domain controller      Domain controller
Backup domain controller       Your choice of domain controller or member server
Member server                  Member server
Stand-alone server             Stand-alone server

When you have upgraded all domain controllers to Windows 2000, you have the option of changing the domain from mixed mode (the default after an upgrade, in which Windows NT domain controllers can still exist in the domain) to native mode (in which only Windows 2000 domain controllers can exist). This is an important decision, because you cannot revert to mixed mode after changing to native mode.

Starting an Attended Installation

  • To start Setup from the CD on a computer already running Windows: insert the CD-ROM in the drive. On any version of Windows other than Windows 3.x, wait for Setup to display a dialog box. On Windows 3.x, use File Manager to change to the CD-ROM drive and then to the I386 directory, and double-click Winnt. Follow the Setup instructions.
  • To start Setup from a network: on a network server, share the installation files, either by inserting the CD-ROM and sharing the CD-ROM drive or by copying the files from the I386 folder on the CD-ROM to a shared folder. On the computer on which you want to install Windows 2000, connect to the shared Setup files and run the appropriate program from the I386 directory or the shared folder: Winnt from a computer running MS-DOS or Windows 3.x; Winnt32 from a computer running Windows 95, Windows 98, Windows NT 3.51, Windows NT 4.0 or a version of Windows 2000. Follow the Setup instructions.
  • To start Setup for a new installation by starting the computer from floppy disks (new installations only): locate the four Windows 2000 Setup floppy disks and the Windows 2000 CD-ROM. To make the boot floppies, run MAKEBOOT A: from the \Bootdisk directory of the installation CD. With your computer turned off, insert the first Setup disk into drive A. Turn on your computer and follow the Setup instructions.
  • To start Setup for a new installation by starting the computer from the CD: first determine that the computer can be started from the CD-ROM drive and that you want a new installation (not an upgrade); continue only if both are true. With the computer turned off, insert the CD-ROM in the drive, start the computer and wait for Setup to display a dialog box. Follow the Setup instructions.
  • To start Setup and provide a mass storage driver or a HAL file: determine whether Setup needs a special file (a mass storage driver or a HAL file) supplied by your hardware manufacturer. If so, locate the floppy disk containing the file before beginning Setup. During the early, text-mode part of Setup, press F6 to supply a driver for a mass storage controller, or F5 to supply a HAL file, and follow the prompts to give Setup the file so that it can gain access to the controller.

Mechanism of Attended Installation

Setup begins in text mode: the Windows 2000 partition is created and formatted, the Setup files are copied to the hard disk, and the computer restarts. The graphical phase of Setup then begins. It first collects basic installation information such as the product key, computer name and Administrator password, then installs Windows 2000 networking: it detects network cards, installs network protocols and services, and joins the server to a workgroup or domain. The remaining files are then copied and the system configuration completes.

Unattended Installation

An unattended install is simply a way of providing the answers to Setup's questions before they are asked, so that the installation runs without an operator. It can save many hours when, for instance, there are 40 servers to install. Both Winnt and Winnt32 support it. Two types of file are involved:

  • Answer files - supply the answers to the questions Setup would otherwise display on screen during an attended installation.
  • Uniqueness Database Files (UDF) - supply per-computer values, typically the user name, organization and computer name in the [UserData] section, that override the corresponding entries in the answer file for the computer identified on the command line.

    To create an answer file, use the Setup Manager wizard (Setupmgr.exe). It is supplied in the Deploy.cab file in the \Support\Tools folder of the Windows 2000 CD-ROM and with the Windows 2000 Resource Kit. It offers the following options:

  • Create a new answer file.
  • Create an answer file that duplicates this computer's configuration.
  • Modify an existing answer file.

Answer file types are:

  • Unattend.txt for Windows 2000 Professional.
  • Unattend.txt for Windows 2000 Server.
  • Remboot.sif for remote installation services.
  • Sysprep.inf for the system preparation tool.

    Products that can be installed with answer files include:

  • Windows 2000 Unattended Installation
  • Sysprep Install - System preparation utility located on the CDROM in the \SUPPORT\TOOLS\Deploy. cab file. Works on non-domain controller windows 2000 computers. This utility allows a Windows 2000 hard drive to be copied to other computers.
  • Remote Installation Services

    User interaction levels can be set at:

  • Provide defaults - The answer file provides default answers.
  • Fully automated - No user interaction.
  • Hide pages - There is some interaction by the user with pages hidden that have answers provided by the answer file.
  • Read only - The setup screens are displayed, but the user cannot make selections.
  • GUI attended - The text part of the installation is automated and the user responds to the graphical part of the installation.

    A distribution folder is created for installation over the network. Setup Manager creates the unattend.txt answer file (plus a unattend.udf when you give it several computer names) and a unattend.bat batch file that starts the installation.

Booting from the network involves:

1. Having a network card in the computer on which the installation is to be done.
2. Formatting the hard drive.
3. Booting the computer with the MS-DOS client for Microsoft Networks (supplied with Windows NT Server).
4. Mapping the shared distribution folder to a network drive and, from that drive, running "unattend" or "unattend computername".

One UDF file serves the whole batch of computers: it holds a section of overrides for each computer, selected by the id passed on the command line. A separate answer file is needed only for each distinct type or configuration of computer.

Answer Files

There is a sample answer file on the install CD-ROM called UNATTEND.TXT. These files contain categories of information defined by the [ and ] symbols. Some categories are:

  • DetectedMassStorage - Mass storage devices that Setup should recognize, whether they are available at installation time or not.
  • Display - Display settings.
  • DisplayDrivers - Display drivers.
  • GuiUnattended - Defines the setup program behavior during graphical mode setup.
  • KeyboardDrivers - Specifies keyboard drivers.
  • LicenseFilePrintData - Used for servers only.
  • MassStorageDrivers - Specifies SCSI drivers.
  • Modem - Determines if a modem is to be installed.
  • Network - Network settings, with adapters and protocols.
  • OEM_Ads - The bitmap information to be displayed when the graphical user mode is starting.
  • OEMBootFiles- The files required for system boot must be listed here.
  • PointingDeviceDrivers - Specifies any pointing devices.
  • Unattended - This section defines setup program behavior during text mode setup.
  • UserData - User or computer information.
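The following Python script, added for this guide and not a Microsoft tool, shows how the answer file, the UDF and the /udf:id command-line switch described above fit together. It parses a constructed answer file and UDF, produces the effective answer file for two computer ids the way Setup would, prints the winnt32 command line for each, and flags the one thing a practitioner must remember about these files: Windows 2000 Setup Manager writes AdminPassword and DomainAdminPassword in clear text, so the distribution share must be tightly permissioned and the files removed after deployment. The section and key names are real Windows 2000 answer-file names; the computer names, domain, passwords and \\deploy\w2ksrv share are assumptions.

```python
r"""Merge a Windows 2000 answer file with a Uniqueness Database File the
way Setup does for `winnt32 /unattend:file /udf:id,file`, and lint the
result for clear-text passwords.

Added example for this study guide, not a Microsoft tool. The answer
file and UDF are constructed samples: section and key names such as
[Unattended], [GuiUnattended], [UserData], [Identification], [Networking],
AdminPassword, DomainAdminPassword and ComputerName are real Windows 2000
answer-file names; the computer names, domain, organization, passwords
and the \\deploy\w2ksrv share are invented.
"""
import configparser

# Constructed sample answer file: one per hardware configuration.
ANSWER_TXT = r"""
[Unattended]
UnattendMode=FullUnattended
TargetPath=\WINNT
FileSystem=ConvertNTFS

[GuiUnattended]
AdminPassword=P@ssw0rd
TimeZone=035

[UserData]
FullName=Server Admin
OrgName=Example Corp
ComputerName=CHANGEME

[Identification]
JoinDomain=EXAMPLE
DomainAdmin=installer
DomainAdminPassword=Sup3rS3cret

[Networking]
InstallDefaultComponents=Yes
"""

# Constructed sample UDF: one file for the whole batch. [UniqueIds] maps
# each id to the sections it overrides; [id:Section] holds the values.
UDF_TXT = """
[UniqueIds]
srv01=UserData
srv02=UserData,GuiUnattended

[srv01:UserData]
ComputerName=SRV01

[srv02:UserData]
ComputerName=SRV02

[srv02:GuiUnattended]
TimeZone=110
"""

# Keys whose values Setup reads as clear-text passwords.
SECRET_KEYS = {"AdminPassword", "DomainAdminPassword"}


def parse_ini(text):
    """Parse [Section] key=value text into {section: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the key case Setup expects
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def apply_udf(answer, udf, uid):
    """Effective answer file for one computer: UDF values win over the
    answer file, section by section, for the sections listed for uid."""
    merged = {s: dict(kv) for s, kv in answer.items()}
    unique_ids = udf.get("UniqueIds", {})
    if uid not in unique_ids:
        raise KeyError(f"{uid!r} is not listed in [UniqueIds]")
    for section in (s.strip() for s in unique_ids[uid].split(",")):
        merged.setdefault(section, {}).update(udf.get(f"{uid}:{section}", {}))
    return merged


def plaintext_secrets(sections):
    """(section, key) pairs that hold a clear-text password."""
    return sorted((s, k) for s, kv in sections.items()
                  for k, v in kv.items() if k in SECRET_KEYS and v)


def winnt32_command(uid, share=r"\\deploy\w2ksrv"):
    """Command line that runs Setup with this answer file and UDF id."""
    return (f"{share}\\i386\\winnt32.exe /unattend:{share}\\unattend.txt "
            f"/udf:{uid},{share}\\unattend.udf /s:{share}\\i386")


def render(sections):
    """Write sections back out in answer-file syntax."""
    out = []
    for section, kv in sections.items():
        out.append(f"[{section}]")
        out.extend(f"{k}={v}" for k, v in kv.items())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    answer, udf = parse_ini(ANSWER_TXT), parse_ini(UDF_TXT)
    for uid in ("srv01", "srv02"):
        print(winnt32_command(uid))
        print(render(apply_udf(answer, udf, uid)))
    for section, key in plaintext_secrets(answer):
        print(f"WARNING: [{section}] {key} is stored in clear text")
```

Running the script shows srv02 getting its own computer name and time zone while inheriting everything else, including the clear-text Administrator and domain-join passwords, which is why the warning is printed for every build.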

The Sysdiff Utility

Used to customize Windows 2000 or NT installations on one or more computers over the network. It records the differences between a reference installation to which applications have been added and a plain installation without them. Functions:

  • Snap - Takes a snapshot of the state of files, directories, and the registry.
  • Diff - Records differences between a current system and a previous snapshot.
  • Apply - Apply data in a differences file to an installation.
  • Inf - Create an inf file from a diff file. The .inf file allows differences to be automatically applied to installations of NT from the server based share.
  • Dump - Allows review of the contents of a diff file.

Using Sysprep

Sysprep is used to prepare a Windows 2000 system hard disk for duplication. Sysprep can't be used on domain controllers. Duplication requirements that both the master and duplicated computers must have in common:

  • Identical type hard drive controllers.
  • Hard drives on the duplicated computers at least as large as the master's.
  • The same HAL must be used.
  • Peripheral cards such as modems and video cards do not need to be identical, but drivers must be available for all computers.

Sysprep removes user-specific information from the prepared hard drive, including the computer's Security Identifier (SID), before the disk image is captured. On first boot, each computer that receives a copy of the image runs Mini-Setup and generates its own SID, so that no two clones share one.

Sysprep switches include:

  • -quiet - No user interaction.
  • -pnp - Forces Plug and Play detection of all devices on the cloned system's first boot.
  • -reboot - The new system will restart rather than shutdown.
  • -nosidgen - NO security identifier (SID) is created on the new system

Remote Installation Service (RIS)

RIS can be used to deploy Windows 2000 operating systems. It can install the operating system with applications. It provides the following additional capabilities:

  • Technical personnel who are not administrators may install Windows 2000 Professional.
  • It provides an extra way to fix failed networked computers.
  • Specific hardware images do not need to be provided since Windows 2000 supports plug and play devices.

A RIS server stores Windows 2000 Professional installation images and delivers them over the network to client computers that boot from a PXE-capable network adapter or from the RIS boot floppy; each new computer receives its own unique security identifier. RIS is installed from the Add/Remove Programs applet in Control Panel, as the Windows component called "Remote Installation Services". It requires DHCP, DNS and Active Directory on the network, and the RIS server must be authorized in Active Directory before it will answer clients, which keeps an unauthorized server from handing out images.

 

Winnt command line installation options:

  • /? - to see options
  • /a - Turn on accessibility options.
  • /E:command - Will execute the command specified after the install.
  • /I:inf_file - The name of the setup information file without path information. If this option is not used dosnet.inf is the default.
  • /R:folder - An optional folder to be installed; it remains on the disk after Setup finishes.
  • /RX:folder - An optional folder to be copied; it is deleted after Setup finishes.
  • /S:sourcepath - Location of the Windows 2000 Setup files.
  • /T:drive_letter - Setup will put temporary setup files on the drive specified.
  • /U:answer_file - Specifies an unattended install and an answer file location which is required for unattended installation. Use the /s option to specify the location of source files.
  • /UDF:id [,UDF_file] - Specifies the UDF file used to identify the computer.

Winnt32 command line installation options:

  • /? - to see options
  • /checkupgradeonly - The computer is checked for compatibility with Windows 2000 and an upgrade report is prepared.
  • /copydir:directory - An additional directory is copied into the system root directory on the hard disk.
  • /copysource:directory - An additional directory to be copied to the hard disk in the system root directory during installation. It is removed when the installation is done.
  • /cmd:command - A command to be executed after the system setup is complete.
  • /cmdcons - The recovery console is installed and included in the start menu.
  • /debug[level]:filename - Debug log is created with detail level from 1 to 4 specified.
  • /makelocalsource - Source files are copied to the hard drive.
  • /S:sourcepath - Windows 2000 or NT installation files location
  • /syspart:drive - Source files are copied to the hard drive and the drive is marked as active.
  • /tempdrive:drive_letter - Setup will put temporary setup files on the drive specified.
  • /unattend - Specifies an unattended install and settings are taken from an existing operating system.
  • /unattend[num]:answer_file - Specifies an unattended install and an answer file location which is required for unattended installation. Use the /s option to specify the location of source files. Num specifies the number of seconds to wait before rebooting after files are copied.
  • /UDF:id [,UDF_file] - Specifies the UDF file used to identify the computer. The data from the UDF file is applied to some sections in the answer file. The install program will ask for a disk containing a unique UDF file if the UDF is not specified on the command line.

Keeping Your Operating System Up-to-date

Windows Update

The Windows Update utility connects your computer to the Windows Update web site and compares your system files against the latest fixes and updates available there.

Windows Service Packs

Microsoft issues service packs as necessary to update the operating system with bug fixes and new features. Windows 2000 introduces slipstreaming: a service pack can be integrated into the installation source (update.exe -s:distribution_folder), so new installations come up already patched, and components added later from that source carry the service pack's files, so the service pack does not have to be reapplied. Use the WINVER command to see the build and service pack level installed on a computer.

Managing Hardware Devices and Drivers

Plug and Play versus Non Plug and Play devices

Plug and Play technology uses a combination of hardware and software that allows the operating system to recognize and configure new hardware automatically, without user intervention. Windows 2000 also supports older, legacy devices that are not Plug and Play. For these you must configure the device's resources (IRQ, I/O port address, memory address and Direct Memory Access (DMA) channel) by hand, and then use the Add/Remove Hardware wizard in Control Panel to add the device to Windows 2000 and install its driver.

Removable Media

Removable devices include tape drives and Zip drives. They are listed in Device Manager and can be managed through it.

Display Devices

You can configure video adapters through the display properties dialog box in the control panel such as video adapter color depth, resolution, display font size, monitor properties such as refresh frequency, monitor color profiles. Windows 2000 allows you to extend your desktop across a maximum of 10 monitors such that applications can be spread across multiple monitors.

Wireless Devices

Windows 2000 uses Infrared Data Association (IrDA) and radio frequency (RF) technologies for wireless transmission. With IrDA, data is transmitted through infrared light; with RF, through radio waves.

USB Devices

USB supports transfer rates up to 12 Mbps, and a single USB port can support up to 127 devices. Examples of USB devices are modems, printers and keyboards. If your computer supports USB and it is enabled in the BIOS, the USB controller is listed in Device Manager and can be configured through it.

Device Drivers

Managing device drivers involves updating them and deciding how to handle drivers that may not have been properly tested.

Driver Signing

Microsoft provides driver signing as a way of assuring that a driver has been tested (by the Windows Hardware Quality Labs) before it is released to the public: a signed driver carries a digital signature, which Windows 2000 verifies when the driver is installed. Since drivers run in kernel mode with full access to the system, an unsigned driver is code of unknown origin running at the highest privilege. Windows 2000's response to an attempt to install an unsigned driver is set in the Driver Signing Options dialog box (System Properties, Hardware tab, Driver Signing button). The three options are

  • Ignore - Install all files, regardless of file signature.
  • Warn - Display a message before installing an unsigned file. (default setting)
  • Block - Prevent installation of unsigned files.

Block is the appropriate setting for a server. An administrator can make the chosen setting the default for all users of the computer, and the equivalent setting (Unsigned driver installation behavior, under Security Options) can be enforced on many computers through Group Policy.

Troubleshooting Devices

When Device manager does not properly recognize a device it reports the problem by displaying an exclamation mark icon next to the device. To troubleshoot a device that is not working properly double click the device to open its Properties dialog box. If a device connected to your computer does not appear in Device Manager, you can use Troubleshoot Wizard to get some hints on troubleshooting.

Managing Files, Folders and Shared Folders

Understanding Shares

Shares are directories that are shared over the network. All subdirectories and files in the shared folder are shared with users who have the correct permissions. Users that can share directories are:

  • On Windows 2000 domain controllers:
    • Local Administrators
    • Local server operators
    • Global Domain Admins group since they are automatically a member of the Administrators local group on all computers in the domain.
  • On Windows 2000 computers that are not domain controllers:
    • Local Administrators
    • Local power users
    • Global Domain Admins group since they are automatically a member of the Administrators local group on all computers in the domain.

Computer Management can be used to share directories on local and remote computers. Windows Explorer can be used to share folders on local computers. Share name length supported by operating systems:

  • MS-DOS - 8 characters plus 3 letter extension.
  • Windows 95 and Windows 98 - 12 characters
  • Windows NT and Windows 2000 - 80 characters

Share permissions:

  • Read - Users can see contents of files and directories.
  • Change - Users can create, change and delete files and directories.
  • Full Control - Allows Change benefits and ability to change permissions and take ownership of directories and files.

These permissions are set as Allowed or Denied for users or groups. Deny always wins: if a permission is denied to a user or to any group the user belongs to, the user is denied that permission even if another group they are in is allowed it.
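The evaluation rule above, as an added example that is not part of the original guide: the share, its permission entries, the users and the groups are constructed sample data, and the three permission levels are treated as nested (Full Control includes Change, which includes Read).

```python
# Added example (not from the original guide): computes a user's effective
# share permissions under the rule described above, where access is the union
# of what is allowed to the user and every group they belong to, and a Deny on
# any of those principals removes the permission regardless of other Allows.
# Share names, groups and users below are constructed sample data.
from dataclasses import dataclass

# Share permission levels from weakest to strongest. Allowing a level grants it
# and everything below it; denying a level removes it and everything above it.
LEVELS = ["Read", "Change", "Full Control"]


def _allowed_by(level):
    return set(LEVELS[:LEVELS.index(level) + 1])


def _denied_by(level):
    return set(LEVELS[LEVELS.index(level):])


@dataclass
class ShareACE:
    """One entry in a share's permission list."""
    principal: str   # user or group name
    level: str       # "Read", "Change" or "Full Control"
    access: str      # "Allow" or "Deny"


@dataclass
class Share:
    name: str
    aces: list

    @property
    def hidden(self):
        # A trailing "$" hides the share from browse lists (administrative shares).
        return self.name.endswith("$")


def effective_rights(share, user, groups):
    """Return the set of permission levels the user actually holds on the share."""
    principals = {user} | set(groups)
    allowed, denied = set(), set()
    for ace in share.aces:
        if ace.principal not in principals:
            continue
        if ace.access == "Allow":
            allowed |= _allowed_by(ace.level)
        else:
            denied |= _denied_by(ace.level)
    # Deny takes precedence over any Allow from another group membership.
    return allowed - denied


def has_right(share, user, groups, level):
    return level in effective_rights(share, user, groups)


# Constructed sample share: Everyone can read, Sales can change, Contractors
# are explicitly denied Change, and Domain Admins have Full Control.
DATA_SHARE = Share("Data", [
    ShareACE("Everyone", "Read", "Allow"),
    ShareACE("Sales", "Change", "Allow"),
    ShareACE("Contractors", "Change", "Deny"),
    ShareACE("Domain Admins", "Full Control", "Allow"),
])

if __name__ == "__main__":
    for user, groups in [("alice", {"Everyone", "Sales"}),
                         ("bob", {"Everyone", "Sales", "Contractors"})]:
        print(user, sorted(effective_rights(DATA_SHARE, user, groups)))
```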

Share Modifications:

  • Changing share names - Remove the share, and then re-create the share.
  • Assign multiple names to a share - Create a new share for the same directory as a previous share, and set up share permissions.

Administrative shares

Administrators may view administrative shares from the Control Panel Server applet by selecting the "Shares" button; on NT Server, Server Manager may be used. Adding a $ to the end of a share name hides the share from browse lists, so users must know the share name to use it. The registry may be modified to prevent the automatic creation of the administrative shares: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, set or create the DWORD value "AutoShareServer" on Windows 2000 Server and set its value to 0.

  • Admin$ - This is where the system files were installed, usually C:\WINNT40. Users that can use these shares remotely are administrators, backup operators, and server operators.
  • drive$ - Every partition's root directory followed by a $. Users that can use these shares remotely are administrators, backup operators, and server operators.
  • IPC$ - Named pipes to be used to communicate between systems and programs. It is used to access resources on other computers.
  • NETLOGON/SYSVOL - The Netlogon share is used on Windows NT domain controllers to authenticate users. In Windows 2000, the SYSVOL share carries out these functions. The SYSVOL share includes group policy information which is replicated to all local domain controllers.
  • Print$ - Provides shared printer support.
  • REPL$ - Used on an NT server for directory replication.

Understanding Distributed File System (DFS)

The DFS allows files and directories in various places to be combined into one directory tree. Only Windows 2000 Servers can contain DFS root directories and they can have only one.

DFS Characteristics

  • The permissions of shared folders that are part of the DFS are still the same.
  • Shares with important information can be replicated to several servers providing fault tolerance.
  • The DFS root must be created first.

DFS Components

  • DFS root - A shared directory that can contain other shared directories, files, DFS links, and other DFS roots. One root is allowed per server. Types of DFS roots:
    • Stand-alone DFS root - Not published in Active Directory, cannot be replicated, and can be on any Windows 2000 Server. This provides no fault tolerance, with the DFS topology stored on one computer. A stand-alone DFS root can be accessed using the following syntax:

      \\Server\DFSname

    • Domain DFS root - It is published in Active Directory, can be replicated, and can be on any Windows 2000 Server. Files and directories must be manually replicated to other servers or Windows 2000 must be configured to replicate files and directories. Configure the domain DFS root, then the replicas when configuring automatic replication. Links are automatically replicated. There may be up to 31 replicas. Domain DFS root directories can be accessed using the following syntax:

      \\domain\DFSname

  • DFS link - A pointer to another shared directory. There can be up to 1000 DFS links for a DFS root.

DFS administration is done on the Administrative Tool, "Distributed File System". This tool is on all Windows 2000 Server computers, and Windows 2000 Professional computers that have the ADMINPAK installed.

Client Computers

  • Windows 2000 Server
  • Windows 2000 Professional
  • Windows NT 4.0 or later Server and Workstation
  • Windows 95 and Windows 98 with DFS client software. (No access to DFS links on NetWare servers).

Replication

The File Replication Service (FRS) can be used to replicate DFS shares automatically.

Encrypting File System

If a user encrypts files and then leaves, the administrator, as the EFS recovery agent, can decrypt the files. An EFS recovery agent has a certificate that allows them to decrypt files. The recovery agent's certificate can be removed from the computer and stored on a floppy until needed; this prevents accidental viewing of secure files by unauthorized persons, even the administrator.

  • A recovery agent certificate can be requested using the Certificates MMC snap-in: type "mmc" at the command line, then select "Console", "Add/Remove Snap-in", "Add", and choose "Certificates". A user may be made a recovery agent using this snap-in.
  • The administrative tool, "Active Directory Users and Computers" is used to designate recovery agents.
  • The control panel "Internet Options" applet is used to remove EFS recovery agent certificates.

Understanding Windows 2000 Storage

Hard Drive Partitions

A hard drive may be split into partitions. NT uses two main partitions. There can be up to 4 primary partitions and only one extended partition, which may include several logical drives. A logical drive is assigned its own drive letter and uses part or all of the space in an extended partition. Only one partition per disk may be an extended partition, and an extended partition may not be marked as active, which means operating systems cannot be booted from it. Only one partition on a disk may be active at a time. On IBM-compatible computers, only a primary partition may be a system partition, which is where the NT boot loader must reside.

Windows 2000 Logical Partitions

Windows 2000 logical partitions include:

  • System - Stores system files for booting such as NTLDR, BOOT.INI, and NTDETECT.COM.
  • Boot - WINNT_Root partition where system files are.

These partitions may be on the same or on separate physical hard drive partitions. The file system containing the boot files is referred to as the system partition and the partition that contains the WINNT40 directory is the boot partition.

Windows Disk Types

Windows uses the below two terms to refer to disks in a computer.

  • Basic Disks - A standard disk with standard partitions (primary and extended).
  • Dynamic Disks - Disks that have dynamic mounting capability to add additional local or remote partitions or directories to a disk drive. These are called dynamic volumes. This is new with the Windows 2000 operating system and is not supported by any other operating systems. Any volume that is on more than one hard drive must be created with dynamic disks. A disk can only be converted from dynamic to basic by first deleting all the volumes in the dynamic disk.

Windows NT Volume Sets

A Windows NT volume may span several partitions and includes:

  • The disk directory area also called the root directory.
  • Allocation tables to track used disk space.

Characteristics and limitations:

  • A volume may contain 1 to 32 disk areas and can be formatted as FAT or NTFS.
  • These combined areas cannot be split, and no part of a volume can be deleted without destroying the entire volume.
  • They may contain disk areas from various drive types such as IDE or SCSI.
  • NT system and boot partitions cannot be part of a volume set. Windows 95 and DOS don't recognize volume sets.

Volume sets (which are on basic disks) created with Windows NT are supported by Windows 2000 but may not be created with Windows 2000.

Windows 2000 supports the following types of volumes which can only be created on dynamic disks:

  • Simple Volumes - Formatted partition on a hard drive. Has no fault tolerance.
  • Spanned Volumes - Formatted partition or disk space on more than one partition or hard drive that appears as one volume. In Windows NT, this is called a volume set. Has no fault tolerance. The system or boot partitions cannot be included in a spanned volume. FAT, FAT32 and NTFS file systems may be included. Space from two to thirty two dynamic disks can be included. If one disk on the spanned volume fails, all data is lost, and no part of a spanned volume may be removed without destroying the entire volume.
  • Striped Volumes - Also called disk striping or a striped set in Windows NT, it is when two areas of disk space which are identical in size have half the information written on one area and the other half written on the second area. This effectively doubles the disk access speed, but provides no fault tolerance. In Windows NT, this is called a stripe set which is created on a basic disk.
  • Mirrored Volumes - Also known as RAID 1 or a mirror set on Windows NT, this is a fault tolerance method where data is stored on two volumes (that appear as one) rather than a single volume. This costs access time, but is fault tolerant.
  • RAID-5 Volumes - Require three or more areas of formatted drive space. Generating parity information can cost processor time.

Stripe Sets

A stripe set is established using free space from between 2 and 32 physical hard drives. The free space on each drive must be the same capacity. Data is written in 64 KB blocks simultaneously to each drive in the stripe set, which increases disk read and write access speed.

NT system and boot partitions cannot be part of a stripe set.

Other Windows 2000 fault tolerant options include:

  • RAID 5 or stripe sets with a parity drive.
  • Disk mirroring
  • Sector hot fixing
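The stripe set and RAID-5 behaviour described above, as an added example rather than anything from the guide: data is striped in 64 KB units across a constructed set of disks, and the RAID-5 variant adds a rotating parity stripe so that one failed member can be rebuilt, which a plain stripe set cannot do.

```python
# Added example (not from the guide): stripes data in 64 KB units across N
# disks as a stripe set does, then adds RAID-5 rotating parity, and shows that
# a failed member destroys the stripe set but is reconstructed from parity in
# the RAID-5 case. Disk count and data are constructed sample values.
STRIPE = 64 * 1024  # 64 KB stripe unit


def xor_blocks(*blocks):
    """XOR equal-length byte blocks (the parity computation)."""
    acc = 0
    for block in blocks:
        acc ^= int.from_bytes(block, "big")
    return acc.to_bytes(len(blocks[0]), "big")


def _chunks(data):
    padded = data + b"\0" * (-len(data) % STRIPE)
    return [padded[i:i + STRIPE] for i in range(0, len(padded), STRIPE)]


def write_striped(data, ndisks):
    """Stripe set: stripe i lands on disk i % ndisks. No redundancy."""
    disks = [[] for _ in range(ndisks)]
    for i, chunk in enumerate(_chunks(data)):
        disks[i % ndisks].append(chunk)
    return disks


def read_striped(disks, length, failed=None):
    if failed is not None:
        return None  # no parity: losing any member loses the whole volume
    total = sum(len(d) for d in disks)
    n = len(disks)
    return b"".join(disks[i % n][i // n] for i in range(total))[:length]


def write_raid5(data, ndisks):
    """RAID-5: each row holds ndisks-1 data stripes plus one parity stripe,
    with the parity position rotating from row to row."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    chunks = _chunks(data)
    per_row = ndisks - 1
    disks = [[] for _ in range(ndisks)]
    for r, start in enumerate(range(0, len(chunks), per_row)):
        row = chunks[start:start + per_row]
        row += [b"\0" * STRIPE] * (per_row - len(row))  # pad a short last row
        parity_disk = r % ndisks
        parity = xor_blocks(*row)  # computing parity is the CPU cost mentioned above
        data_iter = iter(row)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def read_raid5(disks, length, failed=None):
    """Read back the data, rebuilding the stripes of one failed disk from parity."""
    n = len(disks)
    rows = max(len(d) for i, d in enumerate(disks) if i != failed)
    out = bytearray()
    for r in range(rows):
        row = []
        for d in range(n):
            if d == failed:
                survivors = [disks[o][r] for o in range(n) if o != failed]
                row.append(xor_blocks(*survivors))  # XOR of survivors restores the lost stripe
            else:
                row.append(disks[d][r])
        parity_disk = r % n
        out += b"".join(row[d] for d in range(n) if d != parity_disk)
    return bytes(out[:length])


if __name__ == "__main__":
    sample = bytes(range(256)) * 600  # constructed 150 KB payload
    print("stripe set after one failure:", read_striped(write_striped(sample, 2), len(sample), failed=1))
    print("RAID-5 after one failure ok:", read_raid5(write_raid5(sample, 3), len(sample), failed=0) == sample)
```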

Other Windows 2000 file and file system characteristics that enhance file storage:

  • Confirmation that hard drive write requests were done.
  • Disk cache is used to store data going to or from the disk to speed up access time. This is referred to as lazy writing.
  • Hard links are used to tie file physical location to multiple file names

Configuring Data Compression

Compact is the command-line version of the real-time compression functionality used in Windows Explorer. It can be used to display or alter the compression attributes of files or folders on NTFS volumes (does NOT work on FAT or FAT32 volumes).

Configuring Disk Quotas

Disk quotas are used to track the use of disk space for each user. They are normally disabled and are only supported on NTFS file systems. Quotas are tracked per partition and per user using ownership information to account for resource use. Compressed file sizes are measured according to the uncompressed file size.

Disk quotas may be viewed and administered by using the "Disk Management" tool to open the Properties dialog box of the disk or volume; the "Quota" tab contains quota information and management functions. Quota management must be enabled first. Warning levels and hard limits may both be set, disk space may be denied to users who exceed their quota limit, and events may be logged when a user exceeds their warning and/or quota limit. Windows Explorer can also be used to set up and monitor disk quotas.

Understanding Windows 2000 Printing

Windows uses one driver to support printing for all applications. Operating systems of the past required each application to support printing independently which required a print driver for each application or print functionality built into each application.

Windows 2000 Printing Terminology

  • Printer - In Windows, it refers to the printer driver software which interacts with the print device to be sure the print job is formatted for that print device. Provides the interface to view and modify print jobs. This is also known as the print queue.
  • Print device - The device that physically prints on paper.
  • Print job - The print job is the request to print.
  • EMF - Enhanced metafile format is a journal file print job. It is smaller than a RAW print file and can be produced faster.

When a shared print device is made available as a remote printer, the printer is actually shared, not the print device. Therefore, one print device may have several printers associated with it. This allows various priorities and characteristics to be set up for different users on the same print device.

Two additional utilities called LPR.EXE and LPQ.EXE are provided on Windows NT for managing print jobs destined for Unix hosted printers. LPR is used to print files and LPQ is used to manage the print queue.

NT remote print drivers

Clients that are attempting to print on remote computers do not need a local print driver installed. When the print request is made to the print server computer, the client checks whether it has a print driver. If it does not, or if its print driver is older than the print driver on the server, the print server sends a copy of its print driver to the client computer, which keeps it until the session ends.

Adding Printers

The "Add Printer Wizard" in the "Printers" folder is used to add printers. Users who do this must be Administrators or Power Users. Windows 2000 will detect USB plug and play printers, but a parallel printer must be added manually. To add TCP/IP printers, use the "Add Printer Wizard" to add the printer, select "Create a new port" and select "Standard TCP/IP Port". You'll enter the printer name or its IP address.

To add UNIX printers, the "Add/Remove Programs" applet in the Control Panel can be used to install "Print Services for Unix". Use the "Add Printer Wizard" to add the printer, select "Create a new port" and select "LPR Port". You'll enter the printer name or its IP address and the name of the print queue for the print device.

Old HP print devices may use the DLC protocol rather than TCP/IP. If you connect to one of these printers, use the "Control Panel", "Network and Dial-up Connections" applet to add the DLC protocol, then use the "Add Printer Wizard" to add the printer. You must "Create a new port", select "Hewlett-Packard Network Port" and enter the MAC address of the printer card that the printer uses. Choose a "Job Based" connection if more than one computer is using this printer. Choose a "Continuous" connection if this is the only computer to use the printer.

To add an AppleTalk printer, use the "Control Panel", "Network and Dial-up Connections" applet to add the AppleTalk protocol. Use the "Add Printer Wizard" to add the printer, select "Create a new port" and select "AppleTalk Printing Devices". Select the device from the list. If you capture the print device, this will be the only computer that can use the print device.

Printer Sharing

To share a printer, right click on the printer, select "Properties", click the "Sharing" tab, click the "Shared as:" radio button and enter the name you want to call the printer. To list it in Active Directory, click the "List in the Directory" checkbox.

Managing Printers

The Add Printer Wizard is used to create or add new printers (print drivers). The Add Printer Wizard may be started by selecting, "Start", "Settings", and "Printers" or by selecting "Printers" in "My Computer". Printer drivers that support other operating systems such as Windows 95 may be installed on the computer that is hosting the printer. This way if a client computer with that operating system tries to use the print device and does not have a print driver, it can still print since the print driver will be available from the print server.

Print Priority

Print priority, together with the print device's hours of availability and the spooling settings (when printing starts relative to spooling, or whether to spool at all), controls how jobs are scheduled. Scheduling priority can be set from 1 to 99, with 99 the highest priority. To make scheduling priority effective, more than one printer (driver) with different priorities may be associated with one print device.

Print Pools

Multiple print devices may support one printer (driver) with a print pool. Print jobs are sent to the next available print device. All print devices must be of the same type, however, since the printer (driver) must be able to interface to all print devices in the print pool. Windows for workgroups (WFW) cannot spool to an NT printer pool, but Windows 95 through NT4.0 can.

Managing Print Jobs

Print jobs are managed by double-clicking the desired printer in the Printers folder. Print jobs may be paused, resumed, restarted, or canceled, and sharing and permissions may be changed.

Printer registry entries

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers - To change the location of the spool folder for all printers, change the value of Default Spool Directory to reflect the new spool location. This affects all printers installed on the computer. You can also change the spool location of each of the printers installed on the computer individually by modifying the Spool Directory value of their key entry.

  • Remember that the computer spooling the print job must have sufficient space to queue the print job.
  • To test, you can print to a file. If you copy the file to the printer port and it prints, either the print spooler is not working or the data is not being transmitted to the printer.

Internet Printer

The Windows 2000 Server system that shares a printer as an Internet printer must have the following installed:

  • TCP/IP
  • Internet Information Services (IIS)

Internet Printing Protocol (IPP) is used to support printing from Internet Explorer (IE) across the Internet. This lets clients using IE print to Uniform Resource Locators (URLs), view printer information, and download printer drivers. Internet Explorer or the Printers folder can be used to manage these printers, and Internet Explorer or the Add Printer Wizard can be used to connect to Internet printers.

Web Management

Internet Information Services

Internet Information Server (IIS), provided by Microsoft, is one of the most widely deployed web servers. Most IIS components are installed when Windows 2000 is installed, and a Default Web Site located in c:\Inetpub\wwwroot is created at that time. The "Add/Remove Programs" applet in the Control Panel may be used to add any additional IIS components.

Web Site Management

The "Internet Services Manager" is used to manage web sites on the computer. This can be done locally or remotely. The Web Site Properties dialog box can be displayed by starting the "Internet Services Manager", click on the + next to the server to be configured, then right click the web site to configure, and select "Properties".

Publication Methods

  • Copy web pages into the default web site's home folder in c:\Inetpub\wwwroot.
  • Virtual Directories - Cause directories on other servers to appear as though they are on your server. The Web Services Manager or Windows Explorer can be used to create virtual directories.
  • Virtual Servers - A single server is made to appear as though it is more than one server.

    Requirements:
    1. One of the following:
       • An IP address for the primary server and each virtual server. IP addresses must be on one NIC; multiple IP addresses can be assigned to one NIC using the "Network and Dial-up Connections" folder.
       • A different TCP port number for the new site.
       • A different FQDN, entered in the "Host Header for this site:" text box, used to access the new site.
    2. A home directory assigned to each IP address using the directories tab.

Indexing Service

This service indexes web site content by creating two databases of words, one based on web server HTML files and the other based on other document types. The databases take about 40% of the room the original data takes. The Indexing Service works on all Windows 2000 operating systems and must be configured to start automatically if desired.

Certificate Services

Used to manage and issue security certificates, which provide secure web connections between the web client and the web server. The "Add/Remove Programs" applet in the Control Panel may be used to add Certificate Services. Terms used are:

  • Certificate Authority (CA) - An organization that is trusted to issue certificates.
    • Enterprise root CA - The first and most trusted CA on the network requires the use of Active Directory.
    • Enterprise subordinate CA - Subordinate to the enterprise root CA requires the use of Active Directory.
    • Stand-alone root CA - A root for the certificate hierarchy and does not require Active Directory.
    • Stand-alone subordinate CA - Subordinate to the stand-alone root CA and does not require Active Directory.
  • Public Key Infrastructure (PKI) - Implemented when certificates are used.
  • Public Key
  • Private Key

Managing Windows 2000 Network Connections

Network Protocols and Services

Protocols

A protocol is a set of rules and conventions for sending information over a network. Windows 2000 relies on TCP/IP for logon, file and print services, and replication of information between domain controllers, and other common functions. Primary network protocols that Windows 2000 supports include:

  • TCP/IP
  • AppleTalk
  • Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
  • Data Link Control (DLC)
  • NetBIOS Enhanced User Interface (NetBEUI)

TCP/IP protocol

A routable protocol, installed by default in Windows 2000, that can be used to connect heterogeneous networks. Each computer on the network is identified by a 32-bit IP address, which can be entered manually or provided automatically by a DHCP server.

Automatic IP Address Assignment

DHCP

Dynamic Host Configuration Protocol is used to automatically assign TCP/IP addresses to clients. The DHCP server can also be configured to keep DNS updated with the addresses it assigns (dynamic update).

Configuring DHCP to Allow Dynamic Updates

You must configure the DHCP server to perform dynamic updates. To do so, on the DNS tab of the Properties dialog box for a DHCP server, select Automatically Update DHCP Client Information In DNS. You must also choose either Update DNS Only If DHCP Client Requests or Always Update DNS. Additional options include Discard Forward Lookups When Lease Expires and Enable Updates For DNS Clients That Do Not Support Dynamic Update.

Automatic Private IP Addressing

When "Obtain an IP Address Automatically" is enabled but the client cannot obtain an IP address, Automatic Private IP Addressing takes over. An IP address is generated in the form 169.254.x.y (x.y is the computer's identifier) with a 16-bit subnet mask (255.255.0.0). The range 169.254.0.0 - 169.254.255.255 has been set aside for this purpose by the Internet Assigned Numbers Authority.

Troubleshooting TCP/IP Connections

  • Incorrect subnet masks and gateways cause common TCP/IP problems.
  • Check DNS settings if an IP address works but a hostname won’t.
  • The Ping command tests connections and verifies configurations.
  • The Tracert command checks a route to a remote system.
  • Use IPConfig and IPConfig /all to display current TCP/IP configuration.
  • Use NetStat to display statistics and connections for TCP/IP protocol.
  • Use NBTStat to display statistics for connections using NetBIOS over TCP/IP
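The APIPA fallback and the subnet-mask and gateway checks above, as an added example that is not from the guide: a small offline diagnostic over constructed client settings (the kind of values ipconfig /all would show) that flags a 169.254.x.y address, a mask that differs from the expected one, and a gateway outside the local subnet.

```python
# Added example (not from the guide): static checks on a client's TCP/IP
# settings that mirror the troubleshooting points above. An address in
# 169.254.0.0/16 means the client fell back to Automatic Private IP Addressing
# because no DHCP server answered; a default gateway outside the local subnet
# (a wrong mask or a wrong gateway) can never be reached. The addresses used
# below are constructed sample values, not output captured from ipconfig.
import ipaddress

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def diagnose(ip, mask, gateway=None, expected_mask=None):
    """Return a list of problem descriptions; an empty list means nothing found."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]
    net = iface.network

    if iface.ip in APIPA_NET:
        problems.append("APIPA address 169.254.x.y: no DHCP server answered; "
                        "check the DHCP server, scope and relay agent")
    if expected_mask and str(net.netmask) != expected_mask:
        problems.append(f"subnet mask {net.netmask} does not match the "
                        f"expected {expected_mask}")
    if iface.ip in (net.network_address, net.broadcast_address) and net.prefixlen < 31:
        problems.append("host address is the network or broadcast address")
    if gateway:
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError:
            return problems + [f"invalid gateway address {gateway!r}"]
        if gw not in net:
            # Symptom: a ping of the gateway fails even though the NIC is up.
            problems.append(f"gateway {gw} is not on the local subnet {net}")
        elif gw == iface.ip:
            problems.append("gateway is the host's own address")
    return problems


# Constructed sample configurations a help desk might be handed.
SAMPLES = {
    "good":       ("10.0.1.20", "255.255.255.0", "10.0.1.1", None),
    "no dhcp":    ("169.254.12.7", "255.255.0.0", None, None),
    "wrong gw":   ("10.0.1.20", "255.255.255.0", "10.0.2.1", None),
    "wrong mask": ("10.0.1.20", "255.255.0.0", "10.0.1.1", "255.255.255.0"),
}

if __name__ == "__main__":
    for label, args in SAMPLES.items():
        print(f"{label:11} -> {diagnose(*args) or 'no problem found'}")
```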

NWLink (IPX/SPX) and NetWare Interoperability

Gateway Services for NetWare can be implemented on your NT Server to let MS client systems access your NetWare server by using the NT Server as a gateway. Frame types for the NWLink protocol must match the computer that the NT system is trying to connect with; mismatched frame types cause connectivity problems between the two systems. NetWare 3 servers use Bindery Emulation (Preferred Server in CSNW). NetWare 4.x and higher servers use NDS (Default Tree and Context). NWLink is used by NT to allow NetWare systems to access its resources.

To allow file and print sharing between NT and a NetWare server, CSNW (Client Service for NetWare) must be installed on the NT system. In a NetWare 5 environment, the Microsoft client does not support connection to a NetWare Server over TCP/IP. You will have to use IPX/SPX or install the Novell NetWare client.

When NWLink is set to auto-detect the frame type, it will only detect one type and will go in this order: 802.2, 802.3, ETHERNET II and 802.5 (Token Ring).

Apple Talk

AppleTalk must be installed to allow Windows 2000 Professional to communicate with Apple printers. File and Print Services for Macintosh allows Apple Clients to use resources on a Microsoft Network.

DLC

It is a special-purpose, non-routable protocol used by Windows 2000 to talk with IBM mainframes, AS400s and Hewlett Packard printers.

NetBEUI

It is used solely by Microsoft operating systems and is non-routable.

Remote Access Services

Remote Access Service (RAS) is considered to be a Wide Area Network (WAN) connection.

Protocols Supported By RAS

Connection Protocols

  • Point to Point Protocol (PPP) - Point to Point Protocol is a form of serial line data encapsulation that is an improvement over SLIP which provides serial bi-directional communication. Packets are delivered in the order they were sent.
  • Serial Line Interface Protocol (SLIP) - This protocol places data packets into data frames in preparation for transport across network hardware media and is used for sending data across serial lines. There is no error correction, addressing, compression, or packet identification, and SLIP has no authentication or negotiation capabilities. SLIP will only support transport of IP packets.
  • Point to Point Multilink Protocol - Combines bandwidth from several physical connections into one logical connection.
  • Microsoft RAS

VPN Protocols Support

Overview of Virtual Private Network

A Virtual Private Network allows you to run a secure, private network over an unsecured public network. You can use virtual private networking to connect clients to your network over the Internet and do it securely, even though the Internet is an inherently unsecured network.

VPN protocols

  • Point to Point Tunneling Protocol (PPTP) - Defined in RFC 2637 and works at the Data Link layer. The specification itself includes no encryption or key management. It is a VPN tunneling protocol used to send secure communications from point to point, for example to reach a network across the Internet at modem speed. It uses PPP encryption or Microsoft Point to Point Encryption (MPPE), with TCP as its transport protocol.
  • Layer Two Tunneling Protocol (L2TP) - Defined in RFC 2661, it combines features of L2F and PPTP and works at the Data Link layer.
  • IPSec - Internet Protocol Security, developed by the IETF and implemented at layer 3. It is a collection of security measures that address data privacy, integrity, authentication and key management, in addition to tunneling.

Authentication Protocols Supported

  • CHAP - Challenge Handshake Authentication Protocol - encrypts user names and passwords, but not session data. Works with non-Microsoft clients.
  • EAP - Extensible Authentication Protocol. Allows for an arbitrary authentication mechanism to validate a dial-in connection. Uses generic token cards, MD5-CHAP and TLS.
  • EAP-TLS - Transport Level Security. Primarily used for digital certificates and smart cards.
  • MS-CHAP (V1 and 2) - Microsoft Challenge Handshake Authentication Protocol. Encrypts entire session, not just username and password. V2 is supported in Windows 2000 and NT 4.0 and Win 95/98 (with DUN 1.3 upgrade) for VPN connections.
  • PAP - Password Authentication Protocol. Sends username and password in clear text.
  • RADIUS - Remote Authentication Dial-in User Service. Provides authentication and accounting services for distributed dial-up networking.
  • SPAP - Shiva Password Authentication Protocol. Used by Shiva LAN Rover clients. Encrypts password, but not data.

Remote Access Policies

With Remote Access Policies you define rules with conditions that the system evaluates to see whether a particular user can connect or not.

You can have any number of policies in a native Windows 2000 domain. When a caller connects, the policy conditions are evaluated one by one to see whether the caller gets in or not. All of the conditions in the policy must match for the user to gain access. If there are multiple policies, they are evaluated in an order you specify. The three components of a remote access policy are its conditions, permissions and profile:

  • Conditions - A list of parameters (time of day, user groups, IP addresses or caller IDs) that are matched against the parameters of the client connecting to the server. The first policy that matches the parameters of the inbound connection is processed for access permissions and configuration.
  • Profile - Settings (authentication and encryption protocols) which are applied to the connection. If the connection settings do not match the user's dial-in settings, the connection is denied.
  • Permissions - Connections are allowed based on a combination of the dial-in properties of a user's account and the remote access policies. The permission setting on the remote access policy works together with the user's dial-in permissions in Active Directory, providing a wide range of flexibility when assigning remote access permissions.
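The ordered evaluation described above (first policy whose conditions all match, permission combined with the account's dial-in property, profile enforced), as an added example that models the logic rather than RRAS itself; the policies, user accounts and connection attempts are constructed sample data.

```python
# Added example (not the RRAS implementation): evaluates remote access
# policies in the way described above. Policies are tried in order; the first
# policy whose conditions all match is used and no later policy is consulted;
# its permission is combined with the user's dial-in property; and the
# profile's authentication and encryption requirements must be met or the
# connection is refused. Policies, users and connections are constructed.
from dataclasses import dataclass


@dataclass
class Connection:
    user: str
    groups: set
    auth: str          # authentication protocol negotiated, e.g. "MS-CHAP v2"
    encryption: str    # "MPPE 40", "MPPE 128" or "none"
    hour: int          # hour of day (0-23) the call arrived
    caller_id: str = ""


@dataclass
class Policy:
    name: str
    conditions: dict   # e.g. {"groups": [...], "hours": (8, 18), "caller_id": "..."}
    permission: str    # "Grant" or "Deny"
    allowed_auth: set  # profile: authentication protocols permitted
    require_encryption: bool  # profile: refuse unencrypted connections


def conditions_match(policy, conn):
    """All conditions must match; an empty condition list matches every call."""
    for cond, required in policy.conditions.items():
        if cond == "groups":
            if not conn.groups & set(required):
                return False
        elif cond == "hours":
            start, end = required
            if not start <= conn.hour < end:
                return False
        elif cond == "caller_id":
            if conn.caller_id != required:
                return False
        else:
            return False  # an unknown condition type never matches
    return True


def evaluate(policies, conn, dialin="Control access through Remote Access Policy"):
    """Return ("grant" | "deny", reason) for one connection attempt."""
    for policy in policies:
        if not conditions_match(policy, conn):
            continue
        # The first matching policy decides; later policies are never consulted.
        if dialin == "Deny access":
            return "deny", f"{policy.name}: user account dial-in is Deny access"
        if dialin != "Allow access" and policy.permission == "Deny":
            return "deny", f"{policy.name}: policy permission is Deny"
        # Profile settings apply even when the user account says Allow access.
        if conn.auth not in policy.allowed_auth:
            return "deny", f"{policy.name}: profile does not allow {conn.auth}"
        if policy.require_encryption and conn.encryption == "none":
            return "deny", f"{policy.name}: profile requires encryption"
        return "grant", policy.name
    return "deny", "no policy matched the connection attempt"


# Constructed sample policies in the order an administrator placed them.
POLICIES = [
    Policy("Admins any time", {"groups": ["Domain Admins"]}, "Grant",
           {"MS-CHAP v2", "EAP-TLS"}, True),
    Policy("Staff during business hours", {"groups": ["Staff"], "hours": (8, 18)},
           "Grant", {"MS-CHAP", "MS-CHAP v2", "CHAP"}, True),
    Policy("Everyone else", {}, "Deny", set(), False),
]

if __name__ == "__main__":
    call = Connection("alice", {"Staff"}, "MS-CHAP v2", "MPPE 128", hour=10)
    print(evaluate(POLICIES, call))
```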

Terminal Services

Terminal services can allow remote computers to run desktops and applications on a server as though it is running locally. This is similar to the functionality provided by X on UNIX and Linux platforms. Keystrokes and mouse action information is sent from the client to the server over the network and visual display information is sent back to the client from the server.

Modes

  • Remote administration - The terminal server may be remotely managed, but applications cannot be run remotely.
  • Application server - The terminal server may be remotely managed, and applications can be run remotely.

Licensing

No license is required for remote administration mode, but licensing is required for application server mode. The application server mode will run for 90 days without a license. Licensing is done on a per-seat basis, which means there must be a license for each computer that will access the terminal server. To set up licensing:
1. Use the "Add/Remove Programs" control panel applet to install "Terminal Services Licensing". It contacts the Microsoft Clearinghouse database to verify licensing.
2. Select either "Your entire enterprise" or "Your domain or workgroup" for the license option.

Required licenses:

  • Windows 2000 Server license
  • Windows 2000 Server client access license for each computer to connect.
  • Windows 2000 Professional license or Windows 2000 Terminal Services Client Access License (TSCAL) for each client.

Additional licenses that may be purchased:

  • Windows 2000 Terminal Services Internet Connector License - For up to 200 users to connect over the Internet.
  • Work at Home Terminal Services Client Access License - For each user using the Terminal Services to work from home.

Installation

Terminal Services is installed from the control panel "Add/Remove Programs" applet: select "Add/Remove Windows Components" and tick "Terminal Services". Setup asks whether the server runs in remote administration mode or application server mode and, for application server mode, which permission compatibility setting to use. "Permissions compatible with Windows 2000 Users" is the secure choice: ordinary users get only the access that NTFS permissions and registry ACLs normally grant them. "Permissions compatible with Terminal Server 4.0 Users" loosens permissions on system directories and registry keys so that legacy applications written for Terminal Server 4.0 can run; choose it only if a required application will not run under the Windows 2000 setting, because it lets every user modify locations that should be read-only. If running in application server mode, the recommended server hardware includes:

  • 600Mhz or faster microprocessor
  • 512MB or more RAM
  • Large hard drive

Additional Administrative Tools

  • Terminal Services Client Creator - Used to create terminal services client boot disks.
  • Terminal Services Configuration - Allows management of terminal services setup.
  • Terminal Services Licensing - Management of client access licenses (CALs).
  • Terminal Services Manager - Allows session and process monitoring.

Installing Applications

Applications that users will run through Terminal Services are installed after Terminal Services itself, on an NTFS partition, and in multi-user form, so that per-user settings (.ini files and HKEY_CURRENT_USER entries) are copied into each user's profile instead of being shared by everyone. The server must be in install mode while an application is being installed and back in execute mode before users run it. Installing through the control panel "Add/Remove Programs" applet switches modes automatically.

The change user command does the same from a command prompt: change user /install before running the setup program, change user /execute afterwards, and change user /query to confirm which mode the server is currently in. Use it to set up or verify multi-user operation for an application whose installer does not go through Add/Remove Programs.

Client Configuration

The Terminal Services Client uses Remote Desktop Protocol (RDP) to connect to the server. Supported client systems:

  • Windows 2000
  • Windows 95, 98, Me
  • Windows NT 3.51 or 4.0
  • Windows for Workgroups 3.11

The Terminal Services Client Creator, installed with Terminal Services, writes the client software to floppy disks for Win32 or Win16 systems so it can be carried to the client machines. Alternatively, share the client directory, SystemRoot\system32\clients\tsclient\net\Win32 (or \Win16), and install the client across the network. Windows for Workgroups systems must use the Win16 client.

Terminal Services Command line utilities

  • change logon - Enable or disable logons to the terminal server, or query their status (useful before maintenance).
  • change port - Map a COM port to another port number for DOS applications, or list the current mappings.
  • change user - Switch the server between install mode (/install) and execute mode (/execute), or query the current mode (/query); this controls .ini file mapping for the current user.
  • cprofile - Remove user-specific file associations from a profile.
  • dbgtrace - Enable or disable debug tracing.
  • flattemp - Enable or disable flat temporary directories (a single temporary directory per user instead of a separate one per session).
  • logoff - Log a user off a session, ending it.
  • msg - Send a message to a user or session.
  • query process - Display information about the processes running in sessions.
  • query session - Display information about the sessions on the terminal server.
  • query termserver - List the terminal servers on the network.
  • query user - Display the logged-on users and their sessions, like "who" on UNIX.
  • register - Register a program so that it runs with special execution characteristics.
  • reset session - Reset (delete) a session.
  • shadow - Monitor or remotely control another user's session.
  • tscon - Attach to another session (connect a user's session to a terminal session).
  • tsdiscon - Disconnect a session without logging the user off; the session keeps running on the server and can be reconnected later.
  • tskill - Terminate a process running in a session.
  • tsprof - Copy user configuration or change a user's Terminal Services profile path.
  • tsshutdn - Shut down or reboot a terminal server after notifying and logging off its users.

Terminal Services Manager

The Terminal Services Manager is the graphical administrative tool for Terminal Services, run either on the terminal server or from a client session. It covers the same functions as the commands listed above; the most important are remote control (shadowing) and monitoring and managing terminal server usage. Remote control lets an administrator view or take over a user's session. Whether that is permitted, and whether the user must consent first, is set on the Remote control tab of the user's properties in "Active Directory Users and Computers"; the connection's own settings in Terminal Services Configuration can override the per-user setting. Additionally it allows:

  • Finding a terminal services server remotely.
  • Making, managing, controlling, and ending sessions.
  • Connecting to another session.
  • Posting messages to sessions.

Terminal Services can be used to remotely administer the server computer, but Microsoft recommends setting the following parameters:

  • Disconnected or idle sessions end after five minutes.
  • Override user settings so the session must end when the session limit is reached.
  • Disable wallpaper to save memory.
  • Set the encryption level to high
  • Set the maximum number of connections to 1.
  • Change the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server to 0.
  • Disable print mapping, clipboard mapping, and LPT port mapping.

Windows 2000 Optimization and System Recovery

System Performance Monitoring

The System Monitor Windows 2000 tool is used for system performance monitoring. System Monitor uses:

  • Objects - A part of the computer system or operating system such as the processor, logical disk, memory, thread and other objects.
  • Instances - Separate occurrences of the same object type, such as each processor, each physical disk or each thread; where it makes sense a _Total instance sums them.
  • Counters - Used to measure some characteristic of an object. Specific counters are available for specific objects to measure their performance or use.

System Monitor can be used to do:

  • Create a baseline after system installation to compare system performance over time.
  • Monitor system resource use.
  • Find any performance problems.
  • Determine bottlenecks to performance.
  • Monitor changes in performance over time.

To start System Monitor select "Performance" in administrative tools. This tool runs on Windows 2000 Professional and Windows 2000 servers.

Ways to View Statistics

  • Alerts - Performance Logs and Alerts notifies the administrator when a counter rises above or falls below a preset value. The computer, object, counter and threshold must be specified; when the alert fires an entry can be written to the application event log, a network message sent, or a program run.
  • Chart - The default view of System Monitor: a line graph or a histogram (vertical bar chart), switched with the toolbar buttons or the properties dialog. By default a sample is taken every second and the graph shows the last 100 samples. Press Ctrl+H to highlight the selected counter. The console layout, including the counters chosen, is saved as an .msc file.
  • Log - Performance Logs and Alerts writes counter data to binary (.blg) or text (.csv, .tsv) log files for later analysis, and one log can collect counters from several systems. A log file can be opened in System Monitor to chart or report on it, or a text log imported into a spreadsheet or database.
  • Report - Shows a large number of objects and counters at once as a list of their current values (or, when a log is loaded, their average values).

Objects and Counters

  • Cache - The file system cache. Counters such as Data Map Hits % show how often data requested from disk is already in the cache.
  • Logical Disk - % Free Space. Logical disk counters are not collected until diskperf -yv has been run and the computer restarted.
  • Memory - Counters:
    • Pages/Sec - How much RAM and virtual memory on the hard drive are being swapped. If above 5 or 6 on average, more RAM is needed.
  • Network interface - Counters:
    • Bytes Total/sec
  • Objects - Process and thread counts
  • Paging file - Virtual memory. Counters:
    • % Usage - The amount of the paging file being used. Create a larger paging file or add RAM if the number is near 100%.
  • Physical disk - Collected by default on Windows 2000 (diskperf -yd turns them off). Counters:
    • Avg. Disk Queue Length - The average number of read and write requests waiting for the disk. If it stays above 4 or 5 on average, a faster disk subsystem is needed or the I/O should be spread over more disks.
    • Average disk Sec/Transfer
    • % disk time - The percent of time the disk is busy doing reads or writes. A high number near 100% indicates a disk or drive controller bottleneck.
  • Process - Currently running programs. Counters:
    • % Processor Time - The percent of time the processor is used by this process object including all its threads.
  • Processor - Counters:
    • % Processor Time - A number close to 100% indicates the processor is a bottleneck.
  • Redirector
  • Server - Counters:
    • Bytes Total/Sec - The total number of bytes sent through or received through all network cards on a computer by the server service.
  • System - NT Performance. File Read or Write Operations/Sec
  • Thread - Thread performance. Counters:
    • % Processor Time - The percent of time the processor is used by this thread object.
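
As an added example (not from the study guide), here is a small Python checker that applies the rules of thumb above to a counter log. It reads a text (CSV) log of the kind Performance Logs and Alerts can write, one column per counter path, averages each counter over the log, and flags the counters whose average exceeds a threshold. The log below is constructed; the Pages/sec and disk queue limits are the guide's, while the 90% cut-offs for the processor and the paging file are this example's assumption.

```python
import csv
import io

# Thresholds on the average value.  Pages/sec and disk queue length are the
# figures quoted in the guide; the 90% cut-offs for the processor and the
# paging file are this example's assumption.
THRESHOLDS = {
    r"\Memory\Pages/sec": (5.0, "sustained paging: add RAM"),
    r"\PhysicalDisk(_Total)\Avg. Disk Queue Length": (4.0, "disk bottleneck: faster disk or spread the I/O"),
    r"\Processor(_Total)\% Processor Time": (90.0, "processor bottleneck"),
    r"\Paging File(_Total)\% Usage": (90.0, "paging file nearly full: enlarge it or add RAM"),
}

# Constructed log in the layout Performance Logs and Alerts uses for CSV
# output: a timestamp column followed by one column per counter path.
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\SRV01\Memory\Pages/sec","\\SRV01\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\SRV01\Processor(_Total)\% Processor Time","\\SRV01\Paging File(_Total)\% Usage"
"02/20/2004 09:00:00.000","2.1","1","95","40"
"02/20/2004 09:00:15.000","8.4","2","98","42"
"02/20/2004 09:00:30.000","9.0","3","99","45"
"02/20/2004 09:00:45.000","7.5","2","96","41"
'''


def strip_host(counter_path):
    """Turn '\\\\SRV01\\Memory\\Pages/sec' into '\\Memory\\Pages/sec' so that
    logs from different machines compare against the same thresholds."""
    if counter_path.startswith("\\\\"):
        return "\\" + counter_path[2:].split("\\", 1)[1]
    return counter_path


def average_counters(log_text):
    """Return {counter_path: average} over all samples in the log.  Empty
    cells (PDH writes them when a sample is missing) are skipped."""
    reader = csv.reader(io.StringIO(log_text))
    names = [strip_host(h) for h in next(reader)[1:]]
    sums = [0.0] * len(names)
    counts = [0] * len(names)
    for row in reader:
        for i, cell in enumerate(row[1:len(names) + 1]):
            if cell.strip():
                sums[i] += float(cell)
                counts[i] += 1
    return {n: sums[i] / counts[i] for i, n in enumerate(names) if counts[i]}


def find_bottlenecks(log_text):
    """Return [(counter, average, advice)] for every counter whose average
    exceeds its threshold, in THRESHOLDS order."""
    averages = average_counters(log_text)
    findings = []
    for counter, (limit, advice) in THRESHOLDS.items():
        if counter in averages and averages[counter] > limit:
            findings.append((counter, averages[counter], advice))
    return findings


if __name__ == "__main__":
    for counter, avg, advice in find_bottlenecks(SAMPLE_LOG):
        print("%-50s avg %6.2f  -> %s" % (counter, avg, advice))
```

Run against the constructed log it reports the memory and processor counters only: the disk queue averages 2 and the paging file 42%, both under their limits. Averaging over the whole log is deliberate; the guide's thresholds are about sustained values, and a single spike at a backup window is not a bottleneck.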

Managing Processes

Process Priority Setting

Windows 2000 schedules threads by priority, a number from 0 to 31 (0 is reserved for the system's zero page thread). The range splits as follows:

  • 1-15 - Dynamic (variable) priorities used by ordinary applications; the scheduler adjusts them as described below.
  • 16-31 - Real-time priorities. Assigning them requires the "Increase scheduling priority" user right, held by Administrators by default, and a misbehaving real-time process can starve everything else, including the system itself.
  • A process's base priority defaults to Normal (8). Task Manager's Low, BelowNormal, AboveNormal, High and Realtime classes correspond to base priorities 4, 6, 10, 13 and 24. Threads inherit the base priority of their process, and to keep the system responsive the scheduler temporarily raises a thread's priority by a couple of levels (for example when an I/O completes or its window comes to the foreground) and then lets it decay back to the base value.

Setting Priority of foreground tasks

Windows 2000 sets foreground boosting through the System applet in the control panel: on the Advanced tab, open Performance Options, where "Optimize performance for" offers Applications (the foreground process gets a scheduling boost and longer time slices) or Background services (no foreground boost, the right choice for a server that is mostly serving other machines). Windows NT 4.0 exposed the same idea as a three-position slider on the Performance tab of its System applet: None gives foreground tasks no boost, the middle setting raises them by one priority level, and Maximum raises them by two.

Task Manager

Can be used to start and stop applications, change process priority, and monitor performance statistics. It can be used to change the priority of a process, by right clicking on the process and selecting "Set Priority".

Backups

Backup Permissions

Backing up and restoring are governed by the user rights "Back up files and directories" and "Restore files and directories", not by NTFS permissions: a holder of these rights can read, or on restore overwrite, any file regardless of its ACL, so membership in the groups that carry them is as sensitive as membership in Administrators. On Windows 2000 member servers and workstations the rights are held by Administrators and Backup Operators; on domain controllers Server Operators hold them as well. Windows NT 4.0 assigned them the same way: Administrators and Backup Operators on every machine, plus Server Operators on NT Server domain controllers.

Microsoft Backup Strategy

When choosing a backup strategy consider what data requires backup, whether it is stored in a central location or spread across several computers, and how often it changes. On a domain controller the System State (the registry, the Active Directory database and SYSVOL) should be backed up daily; the domain accounts live in Active Directory, not in the local SAM, so a registry-only backup does not capture them.

Data Types

  • System data - Important operating system files, databases, and directories. It may include:
    • The registry
    • System startup files
    • COM+ Class Registration database
    • Active Directory (Windows 2000 Servers only)
    • Certificate server database (Windows 2000 Servers only)
    • SYSVOL folder (Windows 2000 Servers only)
  • User data - Applications installed by the user along with other data created by the users.

Types of Backups

  • Normal - Backs up every selected file and marks each one as backed up by clearing its archive bit.
  • Copy - Backs up every selected file but leaves the archive bits untouched, so it does not disturb a normal/incremental schedule.
  • Incremental - Backs up files changed since the last normal or incremental backup (those with the archive bit set) and clears the bit. Restoring requires the last normal backup plus every incremental made since.
  • Differential - Backs up files changed since the last normal backup and leaves the archive bit set, so each differential grows until the next normal backup. Restoring requires the last normal backup plus only the most recent differential.
  • Daily - Backs up files modified on the day of the backup, judged by the file's modification date rather than the archive bit, which it leaves unchanged.
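
To make the archive-bit rules concrete, here is an added Python simulation (example code, not from the guide) of a three-day schedule: a Normal backup on day 1 followed by either incremental or differential backups, over a constructed file set in which one file is edited each day. It shows which files each run copies, which backup types clear the bit, and why a restore from incrementals needs every set since the normal backup while a differential needs only the latest one.

```python
def touch(files, name, day):
    """Create or modify a file: the file system sets the archive bit."""
    files[name] = {"modified": day, "archive": True}


def run_backup(files, kind, today):
    """Return the sorted names that a backup of type `kind` copies and update
    the archive bits in `files` the way that type does."""
    kind = kind.lower()
    if kind in ("normal", "copy"):
        selected = sorted(files)                              # everything
    elif kind in ("incremental", "differential"):
        selected = sorted(n for n, f in files.items() if f["archive"])
    elif kind == "daily":
        selected = sorted(n for n, f in files.items() if f["modified"] == today)
    else:
        raise ValueError("unknown backup type: %s" % kind)
    if kind in ("normal", "incremental"):      # only these two clear the bit
        for name in selected:
            files[name]["archive"] = False
    return selected


def fresh_file_set():
    """Constructed file set: three files, all last modified on day 1."""
    files = {}
    for name in ("ntds.dit", "payroll.xls", "readme.txt"):
        touch(files, name, 1)
    return files


def simulate_week(strategy):
    """Normal backup on day 1, then `strategy` ('incremental' or
    'differential') on days 2 and 3, with one file edited each day.
    Returns {day: [files copied that day]}."""
    files = fresh_file_set()
    copied = {1: run_backup(files, "normal", 1)}
    touch(files, "payroll.xls", 2)               # edited on day 2
    copied[2] = run_backup(files, strategy, 2)
    touch(files, "readme.txt", 3)                # edited on day 3
    copied[3] = run_backup(files, strategy, 3)
    return copied


def sets_needed_to_restore(schedule):
    """schedule: [(day, kind)] in date order.  Return the days whose backup
    sets a full restore needs: the last normal backup, then every
    incremental after it, or only the latest differential after it."""
    last_normal = max(i for i, (_, k) in enumerate(schedule) if k == "normal")
    needed = [schedule[last_normal][0]]
    later = schedule[last_normal + 1:]
    needed += [d for d, k in later if k == "incremental"]
    diffs = [d for d, k in later if k == "differential"]
    if diffs:
        needed.append(diffs[-1])
    return needed


def archive_bits_after(kind):
    """Run one backup of type `kind` on a fresh set and return the names
    whose archive bit is still set afterwards."""
    files = fresh_file_set()
    run_backup(files, kind, 1)
    return {n for n, f in files.items() if f["archive"]}


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        schedule = [(1, "normal"), (2, strategy), (3, strategy)]
        print(strategy, simulate_week(strategy),
              "restore needs days", sets_needed_to_restore(schedule))
```

With incrementals the day 3 set holds only readme.txt, so losing the day 2 tape loses payroll.xls; with differentials the day 3 set holds both edited files and the day 2 set is redundant. The trade-off is tape space and backup time against the number of sets a restore depends on.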

Scheduling the Backup

Backups can be scheduled from the command line with the AT command (running ntbackup with its command-line options), but the usual way is the Windows 2000 Backup utility: start "Backup" from the Administrative Tools section of the Start menu, select the Backup tab, click "Start Backup" and then "Schedule" to set a schedule. The scheduled job runs under a user name and password you supply; use an account that holds the backup right but nothing more, because the stored credentials are only as safe as the scheduler's job store.

Configuration Files

On Intel based machines:

  • NTLDR - The boot loader
  • BOOT.INI - Contains the boot menu with selections the user can boot from.
  • BOOTSECT.DOS - A boot sector file for DOS for booting DOS or Windows 3.1 or 95.
  • NTDETECT.COM - Detects the hardware for the NTLDR program.
  • NTOSKRNL.EXE - The NT kernel.
  • NTBOOTDD.SYS - Used for booting SCSI devices when no SCSI BIOS is available.

On RISC based machines:

  • OSLOADER.EXE - The RISC boot loader
  • NTOSKRNL.EXE - The kernel
  • NTBOOTDD.SYS - Used for booting SCSI devices when no SCSI BIOS is available.

BOOT.INI

BOOT.INI lives in the root directory of the system partition (the active primary partition the computer starts from, normally C:) and contains the menu of operating systems that may be booted. It is a hidden, read-only system file and has two sections:

1.[Boot Loader]

  • Timeout - The number of seconds the boot loader waits for the user to select an operating system other than the default.
  • Default - The path of the default operating system that is booted if the user makes no selection.

2.[Operating Systems] - Lists the operating systems that may be booted and their paths using the Advanced RISC Computer (ARC) naming convention which is:

  • scsi(n) or multi(n) - Identifies the disk controller. multi(n) is used for IDE controllers and for SCSI adapters whose BIOS is enabled; scsi(n) is used for SCSI adapters that have no BIOS or have it disabled, in which case NTBOOTDD.SYS (a renamed copy of the adapter's driver) must sit in the root of the system partition. The value of n is the ordinal of the adapter, starting at 0.
  • disk(n) - With multi(), always 0. With scsi(), the SCSI ID of the target disk.
  • rdisk(n) - With multi(), the ordinal of the disk on the controller (0 for the first disk, 1 for the second). With scsi(), the logical unit number (LUN) of the disk, normally 0.
  • partition(n) - The partition holding the operating system files, numbered from 1; there is no partition(0).
  • \path - The directory with the operating system files with the default being \Winnt.
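
The rules above are easy to get wrong when editing boot.ini by hand, and a bad entry leaves the machine unbootable. As an added example (not from the guide), here is a Python parser that reads both sections, splits each ARC path into its parts, enforces the convention's constraints (partition numbering from 1, disk(0) with multi()) and checks that the default entry is actually on the menu. The two boot.ini texts are constructed; the first is valid and the second deliberately breaks the multi()/disk() rule.

```python
import re

ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<a>\d+)\)"
    r"disk\((?P<d>\d+)\)rdisk\((?P<r>\d+)\)partition\((?P<p>\d+)\)"
    r"(?P<path>\\.*)$", re.IGNORECASE)
TITLE_RE = re.compile(r'^"(?P<title>[^"]*)"\s*(?P<switches>.*)$')
LEGACY_RE = re.compile(r"^[A-Za-z]:\\?$")    # C:\ entries boot via BOOTSECT.DOS

# Constructed boot.ini files for the example.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
scsi(0)disk(1)rdisk(0)partition(2)\WINNT="Windows 2000 on SCSI without BIOS" /fastdetect
C:\="Microsoft Windows 98"
"""

BAD_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(1)rdisk(0)partition(1)\WINNT="Windows 2000 Server" /fastdetect
"""


def parse_arc(arc):
    """Split an ARC path into its parts and enforce the convention's rules."""
    m = ARC_RE.match(arc)
    if not m:
        raise ValueError("not an ARC path: %s" % arc)
    parts = {
        "adapter": m.group("adapter").lower(), "adapter_no": int(m.group("a")),
        "disk": int(m.group("d")), "rdisk": int(m.group("r")),
        "partition": int(m.group("p")), "path": m.group("path"),
    }
    if parts["partition"] < 1:
        raise ValueError("partition() is numbered from 1")
    if parts["adapter"] == "multi" and parts["disk"] != 0:
        raise ValueError("disk() must be 0 when multi() is used")
    return parts


def parse_boot_ini(text):
    """Return {'timeout': int, 'default': arc, 'systems': [(arc, title, switches)]}."""
    result = {"timeout": None, "default": None, "systems": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")   # ARC paths contain no '='
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                result["timeout"] = int(value)
            elif key.lower() == "default":
                result["default"] = value
        elif section == "operating systems":
            m = TITLE_RE.match(value)
            title = m.group("title") if m else value
            switches = m.group("switches").split() if m else []
            result["systems"].append((key, title, switches))
    return result


def check_boot_ini(text):
    """Return a list of problems: malformed ARC paths and a default entry
    that is not listed under [operating systems]."""
    cfg = parse_boot_ini(text)
    problems = []
    for arc, title, _ in cfg["systems"]:
        if LEGACY_RE.match(arc):
            continue                                 # not an ARC path
        try:
            parse_arc(arc)
        except ValueError as exc:
            problems.append("%s: %s" % (title, exc))
    if cfg["default"] not in [arc for arc, _, _ in cfg["systems"]]:
        problems.append("default %r is not listed under [operating systems]" % cfg["default"])
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_BOOT_INI), ("bad", BAD_BOOT_INI)):
        print(name, check_boot_ini(text) or "OK")
```

Checking a copy of boot.ini this way before rebooting is cheap insurance; the second file reports both the disk(1) error and the fact that the default entry no longer matches any menu line.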

Boot Option configuration

The System applet in the control panel lets you pick the default operating system and change the timeout: in Windows 2000 the controls are under "Startup and Recovery" on the Advanced tab (in Windows NT 4.0 they were on the Startup/Shutdown tab). Neither allows renaming the menu entries. Boot options are not configurable from the registry, which is not loaded at the time the boot menu is shown, so most other changes are made by editing boot.ini directly after clearing its read-only attribute.

System Failure

Tools used to recover from a system failure:

  • Safe Mode/Startup Options
  • Emergency Repair disk
  • Recovery Console

Safe Mode/Startup Options

Safe mode is used to start the system with minimal programs and drivers in case some of them may be adversely affecting the system. When the system is booting, press F8 to get the option (advanced options menu) to enter safe mode. There are also other startup options, which can be used in the case of video problems or if more information about a boot problem is required. These options are:

  • Safe Mode
  • Safe mode with Networking
  • Safe mode with command prompt - The desktop is not run, but a command prompt is used to run the system.
  • Enable Boot Logging - Logs every attempt to load a driver, successful or not, to %SystemRoot%\Ntbtlog.txt (C:\WINNT\Ntbtlog.txt on a default installation).
  • Enable VGA Mode
  • Last Known Good Configuration
  • Directory Services Restore Mode
  • Debugging Mode - A serial connection between two machines can be made and information from the server having the problem is sent to the second computer for analysis.

Last Known Good Configuration

When the system is booting, press F8 to get the advanced options menu and select "Last Known Good Configuration". Windows then starts with the control set (one of the ControlSetnnn keys under HKEY_LOCAL_MACHINE\SYSTEM) that was saved at the end of the last successful logon, discarding driver and service changes made since. Because the snapshot is taken at logon, the option only helps if you use it before logging on again: once a bad change has been followed by a successful logon, the broken configuration has itself become "last known good".

Emergency Repair disk

Used with the repair option of Windows 2000 Setup (boot from the CD and choose R for repair) to restore corrupted or missing system files and the boot sector on a system that will not start. In Windows 2000 only the Backup utility ("Emergency Repair Disk" on its Welcome tab) can create one; the NT 4.0 rdisk.exe no longer exists. The disk holds setup.log, autoexec.nt and config.nt; the registry is copied to %SystemRoot%\repair only if "Also backup the registry to the repair directory" is ticked, so remake the disk after every significant configuration change.

Recovery Console

The Recovery Console is a command-line environment started from the Windows 2000 Setup CD (choose R for repair, then C for the console) or, once installed with winnt32 /cmdcons, from the boot menu. It requires the local Administrator password and is used to:

  • Repair the master boot record (fixmbr) or the boot sector (fixboot) of a disk
  • Manually copy files to the hard drive, for example a replacement for a damaged system file from the CD or a floppy
  • Enable or disable a service or driver (enable, disable, listsvc) so that a faulty one does not load at the next start

Security In a Windows 2000 Environment

Security Configuration and template

The Security Configuration and Analysis snap-in can be used to directly configure and troubleshoot local system security. It compares the computer's current settings against a security template loaded into a database (.sdb file), reports every difference, and can then apply the template to the local computer; templates are created and edited with the Security Templates snap-in. The same templates can be imported into a Group Policy object so that the settings reach every computer the GPO applies to, and the secedit command (/analyze, /configure, /export, /refreshpolicy) performs the same operations from a script.

A security template is a physical representation of a security configuration: an .inf file, kept in %SystemRoot%\Security\Templates, in which a group of security settings (account policies, audit policy, user rights, event log settings, restricted groups, and service, registry and file system permissions) is stored. Windows 2000 includes a set of templates, each based on the role of a computer, ranging from basic settings for domain clients to highly secure domain controllers (the basic*, secure* and hisec* templates, plus compatws and the setup security defaults). They can be used as provided, modified, or serve as a basis for custom templates. Analyze before you apply: the hisec templates require NTLMv2 authentication and signed SMB traffic, which Windows 9x and NT clients without the Directory Service client cannot supply, so applying them blindly cuts those clients off.

Policies

System Policies are a collection of user environment settings that are enforced by the operating system and cannot be modified by the user. User profiles refer to the environment settings that users can change.

System Policy Editor (POLEDIT.EXE) - Windows NT 4, Windows 95 and Windows 98 use the System Policy Editor to write user and computer configuration into the registry. Windows 2000 replaces it with Group Policy (the Group Policy snap-in; GPEDIT.MSC opens the local policy), which takes priority over NT-style system policies on Windows 2000 computers. Group policies are more secure and flexible than system policies: their settings are removed when the policy no longer applies instead of permanently "tattooing" the registry, and they can be filtered by security group.

Auditing

Auditing in Microsoft Windows 2000 is the process of tracking both user activities and Windows 2000 events by writing a record of each audited event to the security log. The security log then holds valid and invalid logon attempts and events related to creating, opening or deleting files and other objects. Auditing is off by default; nothing reaches the security log until an audit policy is set. On a stand-alone or member computer: click Start, Programs, Administrative Tools, Local Security Policy; in the Local Security Settings window expand Local Policies and click Audit Policy; double-click each event category and tick Success, Failure or both. The settings take effect at the next policy refresh (secedit /refreshpolicy machine_policy applies them at once), and a domain-level audit policy overrides the local one. Reading or clearing the security log requires the "Manage auditing and security log" user right, so keep that right, like the log itself, away from ordinary users.

Audit Policy

On a domain controller these policies are set with the administrative tool "Domain Controller Security Policy" (or "Domain Security Policy" for the whole domain); on other computers with Local Security Policy. The following event successes or failures may be logged:

  • Account logon events - A domain controller validated a user's credentials (a domain logon, recorded on the domain controller).
  • Account management - An account or group was created, modified, renamed, or deleted, or a password was set or changed.
  • Directory service access - An Active Directory object was accessed. The object's own auditing entries (its SACL) must also name the access to record.
  • Logon events - A user logged on to or off from a Windows 2000 computer, or connected to it over the network (recorded on that computer).
  • Object access - A file, folder, printer or registry key was accessed. Auditing must also be turned on in the object's own auditing entries (Security tab, Advanced, Auditing).
  • Policy change - A user right, security policy, or other policy was changed.
  • Privilege use - A user right other than logging on locally or accessing the computer from the network was exercised.
  • Process tracking - A process was started or exited. This is verbose; enable it only while investigating.
  • System events - The system was shut down or restarted, or an event affecting security or the security log occurred (for example the log being cleared).
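
The nine categories above map one-for-one onto the [Event Audit] keys of a security template .inf, which is where an audit policy is stored when it is deployed with the Security Templates snap-in or a GPO (the "Security Configuration and template" section earlier). As an added example (not from the guide), here is a Python checker that parses a template, compares its audit settings against a baseline, and writes out a hardened copy. The weak template below is constructed; the baseline (success and failure for logons, account management, policy changes and system events, failure only for object, directory and privilege use, nothing for process tracking) is this example's assumption, not a Microsoft template. The 0/1/2/3 value encoding (none, success, failure, both) is the one secedit templates use.

```python
# [Event Audit] key -> audit category name as shown in the policy tools
AUDIT_KEYS = {
    "AuditAccountLogon": "Account logon events",
    "AuditAccountManage": "Account management",
    "AuditDSAccess": "Directory service access",
    "AuditLogonEvents": "Logon events",
    "AuditObjectAccess": "Object access",
    "AuditPolicyChange": "Policy change",
    "AuditPrivilegeUse": "Privilege use",
    "AuditProcessTracking": "Process tracking",
    "AuditSystemEvents": "System events",
}
NONE, SUCCESS, FAILURE, BOTH = 0, 1, 2, 3   # bit 1 = success, bit 2 = failure

# Baseline used by this example (an assumption, not a Microsoft template).
BASELINE = {
    "AuditAccountLogon": BOTH, "AuditAccountManage": BOTH, "AuditDSAccess": FAILURE,
    "AuditLogonEvents": BOTH, "AuditObjectAccess": FAILURE, "AuditPolicyChange": BOTH,
    "AuditPrivilegeUse": FAILURE, "AuditProcessTracking": NONE, "AuditSystemEvents": BOTH,
}

# Constructed template in secedit .inf layout: almost nothing is audited.
WEAK_TEMPLATE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
"""


def parse_inf(text):
    """Minimal .inf parser: {section: {key: value}}; comments start with ';'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def audit_gaps(template_text, baseline=BASELINE):
    """Return [(category, configured, required)] for every category where
    the template audits less than the baseline demands."""
    audit = parse_inf(template_text).get("Event Audit", {})
    gaps = []
    for key, required in baseline.items():
        configured = int(audit.get(key, "0"))
        if required & ~configured:            # a required bit is missing
            gaps.append((AUDIT_KEYS[key], configured, required))
    return gaps


def harden(template_text, baseline=BASELINE):
    """Return the template with every [Event Audit] value raised to at least
    the baseline (bitwise OR keeps stricter existing settings) and missing
    keys added; other sections pass through untouched."""
    out, section, seen, had_section = [], None, set(), False

    def fill_missing():
        return ["%s = %d" % (k, v) for k, v in baseline.items()
                if k not in seen and v != NONE]

    for line in template_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if section == "Event Audit":
                out.extend(fill_missing())
            section = s[1:-1]
            had_section = had_section or section == "Event Audit"
            out.append(line)
            continue
        key, sep, value = s.partition("=")
        key = key.strip()
        if section == "Event Audit" and sep and key in baseline:
            seen.add(key)
            out.append("%s = %d" % (key, int(value.strip()) | baseline[key]))
        else:
            out.append(line)
    if section == "Event Audit":
        out.extend(fill_missing())
    elif not had_section:
        out.append("[Event Audit]")
        out.extend(fill_missing())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for category, have, want in audit_gaps(WEAK_TEMPLATE):
        print("%-26s configured %d, baseline %d" % (category, have, want))
    print(harden(WEAK_TEMPLATE))
```

The hardened text can be saved as an .inf and applied with the Security Configuration and Analysis snap-in, or from a command prompt with secedit /configure /db audit.sdb /cfg hardened.inf /log audit.log; run secedit /analyze with the same database first to see what else the template would change. Note that "Object access" and "Directory service access" only produce events once the objects' own SACLs name what to audit, so a policy-level check like this one is necessary but not sufficient.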

The "Active Directory Users and Computers" administrative tool is used to configure auditing for active directory objects.
