MCSE Study Notes
Exam 70-210: Installing, Configuring, and Administering Microsoft Windows 2000 Professional
© 2001 Mark Dabrowski, All Rights Reserved
September 16, 2001

Contents
Implementing and Administering Resources, Users, and Groups
  Sharing
  Offline Files
  Local Users and Groups
  Domain Users
  Logon Process (Authentication)
  ACLs (Access Control Lists)
  Moving & Copying Files
  Compression
  Permissions
  Ownership
  Auditing
  EFS (Encrypting File System)
  Web Server Resources
  Printers
  Active Directory
  Policy
User Experience / System Services
  User Profiles
  Windows Installer
  Multiple Locations & Languages
  Accessibility Options
  Accessibility Tools
  Fax
Installing Windows 2000 Professional
  Attended Installation
  Automatic Installation
  Setup Manager
  Remote Installation Service
Hardware Devices and Drivers
Disk Drives and Volumes
Network Protocols and Services
Monitoring and Optimizing Performance and Reliability
Terms
MMC Snap-ins
Sharing
· Only Administrators and Power Users can create shared network folders.
· Windows 2000 Professional allows a maximum of 10 concurrent connections per share.
· Administrative shares (c$, admin$, ipc$) are re-created every time the machine is restarted or the Server service is restarted. They can only be disabled permanently by modifying the registry.
· Admin$ shares the systemroot (c:\winnt) folder.
· IPC$ is used for Inter-Process Communication - communication between objects running on different machines on the network.
· Share permissions are only available for backward compatibility or when sharing resources on a non-NTFS drive.
Offline Files
· You can make network files available offline by storing shared files on your computer so they are accessible when you are not connected to the network.
· When sharing files you can enable caching with 3 options (after enabling "allow caching of files in this folder" in the CACHE dialog box):
  o Automatic Caching for Documents - caches all files opened from this share on the local workstation
  o Automatic Caching for Programs
  o Manual Caching for Documents (default) - the user needs to specify the files to be cached on the client machine
· By default files with the following extensions are NOT cached: SLM, LDB, MDW, MDB, PST, DB. Configured through Group Policy.
· Synchronization Manager is used to control which network device is used for file synchronization.
· Offline Files is also referred to as CSC (Client Side Caching).
· The default location for cached files on a workstation is SystemRoot\CSC (c:\winnt\csc). This can be changed using the Resource Kit utility CACHEMOV.EXE, which moves the cache folder to the root of the specified drive (\CSC).
Local Users and Groups
· User and group accounts are stored in one of two locations: the local security database and Active Directory.
· BUILT-IN LOCAL USERS (2) - two built-in users are installed by default: Administrator and Guest (disabled).
  o Administrator:
    § Cannot be disabled, locked out, or deleted
    § Cannot be removed from the Administrators group
    § Can be renamed
  o Guest:
    § Can be disabled (disabled by default)
    § Can be locked out
    § Cannot be deleted
    § Can be renamed
    § Does not save user preferences or settings
· BUILT-IN LOCAL GROUPS (6) are installed by default with the following rights (privileges):
  o Administrators
    § Have ALL built-in system privileges assigned (full control of the system)
    § When the system is added to a domain, the Domain Administrators group is added to the local Administrators group.
    § Only Administrators can format a hard drive partition.
    § Can create shared folders and printers.
  o Backup Operators
    § Can back up and restore files & folders regardless of their permissions
    § Can log on to or shut down the system
    § Cannot change security settings
  o Guests
    § Have limited privileges - no specific rights or permissions on objects.
    § Can log on to the system and shut it down
    § Can't make permanent UI changes
    § If the machine joins a domain, the Domain Guests group automatically becomes a member of the local Guests group
  o Power Users
    § Can add and change local accounts (can change only users they created)
    § Can create shared folders and printers.
    § Cannot take ownership of files, back up/restore, install system drivers, or manage security and auditing logs
  o Replicator
    § Supports file replication within a domain context (NT only - not used in Win 2000 domains)
  o Users
    § Can perform tasks only after an administrator has granted them the rights to do so.
    § A new user is automatically added to the Users group.
    § Can log on and shut down the system
    § Cannot create local shared folders or printers.
    § If the machine joins a domain, the Domain Users group automatically becomes a member of the local Users group.
· BUILT-IN SYSTEM GROUPS (7) are installed by default. Membership of these groups changes depending on how the system is accessed.
  o Everyone
    § All users who access the computer (including the Guest account). Best practice is to avoid using this group.
  o Authenticated Users
    § Users who have a valid account on the local system or domain. Use this group instead of Everyone to keep out anonymous users.
  o Creator Owner
    § A user becomes a member of this group by creating or taking ownership of a resource. When a member of the Administrators group creates a resource, the Administrators group becomes a member of this group rather than the actual user.
  o Network
    § All accounts connecting from remote computers.
  o Interactive
    § Locally logged-on users
  o Anonymous Logon
    § Users that were not validated or authorized.
  o Dialup
    § Users connected via Dial-Up Networking.
Domain Users
· In NT/Win2K users and groups participate in one of two security contexts: workgroup security and domain security.
  o Workgroups are logical groupings of computers that do not share a centrally managed user and group database.
  o A domain is a logical grouping of computers that share a centrally managed database of users and groups.
· The Active Directory database is physically stored on domain controller computers. It is replicated and synchronized with the other domain controllers. In an NT domain, group memberships can travel between domains provided that trusts are enabled. In Active Directory domains, group memberships travel throughout the entire forest.
· User account names must be unique, are recognized only to the 20th character although the name itself can be longer, and are NOT case sensitive.
· User passwords are case sensitive and can be up to 127 characters (NT4 and 9x support only 14).
· Local groups can contain only local accounts; when the machine is in a domain they may also contain domain accounts.
· When renaming an account the SID does not change - it is good practice to rename an account when you want to give a replacement the same access as someone who left (replace the account).
· The Administrator account cannot be disabled, and only Administrators can enable the Guest account.
· It is recommended to disable accounts rather than delete them - deleting destroys the SID, therefore you lose the log for that account.
· You cannot copy local user accounts.
· All domain controllers in Windows 2000 can make changes to the Active Directory database.
· All users have two logon names:
  o The UPN is used for logon to a Win2K domain (consists of username + @ + domain name (DNS))
  o The pre-Windows 2000 logon name is used for authentication to NT and Win9x (it is the username part)
· When adding a domain account to a local group, the group's Members property must be used. The domain user's Member Of property displays only domain groups.
· You can copy domain user accounts.
· You can create a template account by disabling it and then copying it.
Logon Process (Authentication)
· Two authentication types:
  o Interactive logon is when a user physically logs on to the machine
  o Network logon (remote logon) is when a user is authenticated on a remote server
· The Winlogon process (runs as a service) takes the logon info (through the security dialog) and passes it to the LSA subsystem (Local Security Authority)
  o Logging on locally - LSA validates the logon information against the local security database of the system
  o Logging on to a domain - LSA forwards the logon information to the Netlogon process, which then locates a domain controller computer against which the logon credentials are checked.
· Once a user is authenticated, an access token is generated that is carried with the user wherever he goes. The access token contains admission tickets which contain information about the objects and resources the user can access.
  o Rights (privileges) determine what privileges the user has to interact with the operating system
  o Permissions determine what the user can do to objects.
ACLs (Access Control Lists)
· An ACL (Access Control List) is a property associated with every object. It contains information about the specific users and groups that have been granted access to this object, along with the particular security permissions.
· ACL permissions are broken down into two groups:
  o 5 Basic Permissions (for files - 6 for folders) actually consist of advanced permissions grouped together
    § Full Control
    § Modify
    § Read & Execute
    § Read
    § Write
    § List Folder Contents (folders only)
  o 17 Advanced permissions are the building blocks for the basic permissions - they allow detailed control over what access a user may have on objects.
    § Traverse Folder/Execute File
    § Execute File
    § List Folder/Read Data
    § Read Data
    § Read Attributes
    § Read Extended Attributes
    § Create Files/Write Data
    § Write Data
    § Write Attributes
    § Write Extended Attributes
    § Delete Subfolders and Files
    § Delete
    § Read Permissions
    § Change Permissions
    § Take Ownership
    § Create Folders/Append Data
    § Append Data
· By default NTFS permissions are inherited from an object's parent.
· NTFS permissions are cumulative, but DENY always overrides ALLOW.
· By default all NTFS drives are assigned the Allow Full Control permission for the Everyone group on the root of each drive.
· NTFS permission conflicts: if group and user permissions are in conflict, the most liberal permissions take precedence; however, Deny always takes precedence over Allow, and explicit permissions always override inherited permissions.
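Added example, not from the original notes: a Python model of the access check sketched in the access token bullet above and of the NTFS rules just listed. The SIDs, the bit values for each right and the sample ACL are constructed; each right is settled by the first matching ACE in Windows' canonical order (explicit before inherited, Deny before Allow), which is what produces the three rules.

```python
from dataclasses import dataclass

# Individual (advanced) rights from the notes' list, modelled as bit flags.
# The bit values are labels for this model, not real Windows ACCESS_MASK bits.
READ_DATA = 1 << 0
WRITE_DATA = 1 << 1
APPEND_DATA = 1 << 2
EXECUTE_FILE = 1 << 3
DELETE = 1 << 4
READ_PERMISSIONS = 1 << 5
CHANGE_PERMISSIONS = 1 << 6
TAKE_OWNERSHIP = 1 << 7

# Basic permissions are groupings of advanced ones (simplified subset).
READ = READ_DATA | READ_PERMISSIONS
READ_EXECUTE = READ | EXECUTE_FILE
MODIFY = READ_EXECUTE | WRITE_DATA | APPEND_DATA | DELETE
FULL_CONTROL = MODIFY | CHANGE_PERMISSIONS | TAKE_OWNERSHIP

# Constructed sample SIDs for the groups named in the notes.
SID_EVERYONE = "S-1-1-0"
SID_ADMINS = "S-1-5-32-544"
SID_USERS = "S-1-5-32-545"
SID_GUESTS = "S-1-5-32-546"
SID_ALICE = "S-1-5-21-1000"
SID_GUEST = "S-1-5-21-501"


@dataclass(frozen=True)
class ACE:
    """One access control entry: who, Allow or Deny, which rights, inherited?"""
    sid: str
    allow: bool
    mask: int
    inherited: bool = False


@dataclass(frozen=True)
class AccessToken:
    """The token built at logon: the user's SID plus every group SID."""
    user_sid: str
    group_sids: frozenset

    def holds(self, sid):
        return sid == self.user_sid or sid in self.group_sids


def canonical_order(acl):
    """Explicit ACEs come before inherited ones; within each tier Deny
    entries come before Allow entries."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(acl, token):
    """Mask of rights the token ends up with on the object.

    Each right is settled by the first ACE (in canonical order) that matches
    the token and mentions it, so Allows from several groups accumulate,
    a Deny met first beats any later Allow, and an explicit ACE is always
    met before an inherited one."""
    allowed = 0
    decided = 0
    for ace in canonical_order(acl):
        if not token.holds(ace.sid):
            continue
        fresh = ace.mask & ~decided      # rights not yet settled by an earlier ACE
        if ace.allow:
            allowed |= fresh
        decided |= fresh
    return allowed


def access_check(acl, token, requested):
    """True only if every requested right is granted."""
    return (effective_rights(acl, token) & requested) == requested


# Constructed sample ACL on a file: two explicit ACEs plus two inherited
# from the parent folder.
SAMPLE_ACL = [
    ACE(SID_GUESTS, allow=False, mask=WRITE_DATA | APPEND_DATA | DELETE),
    ACE(SID_USERS, allow=True, mask=READ),
    ACE(SID_ADMINS, allow=True, mask=FULL_CONTROL, inherited=True),
    ACE(SID_EVERYONE, allow=True, mask=MODIFY, inherited=True),
]

ALICE = AccessToken(SID_ALICE, frozenset({SID_USERS, SID_EVERYONE}))
GUEST = AccessToken(SID_GUEST, frozenset({SID_GUESTS, SID_EVERYONE}))


def demo():
    """Access decisions for the two tokens against SAMPLE_ACL."""
    return {
        "alice_modify": access_check(SAMPLE_ACL, ALICE, MODIFY),      # True
        "guest_read": access_check(SAMPLE_ACL, GUEST, READ),          # True
        "guest_write": access_check(SAMPLE_ACL, GUEST, WRITE_DATA),   # False
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```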
Moving & Copying Files
Golden rule: moving a file or folder on the same volume retains - everything else inherits.

Compression:
Original File or Folder | Action | Destination Folder | Result
Compressed | Move | Uncompressed | Compressed (retains)
Compressed | Copy | Uncompressed | Uncompressed (inherits)
Uncompressed | Move | Compressed | Uncompressed (retains)
Uncompressed | Copy | Compressed | Compressed (inherits)
Uncompressed (other volume or non-NTFS drive) | Move | Compressed | Compressed (inherits)

Permissions:
Action | Destination | Result
Move | Same NTFS volume | Retains original from source
Move | Different NTFS volume | Inherits from destination
Copy | Same NTFS volume | Inherits from destination
Copy | Different NTFS volume | Inherits from destination
· The xcopy.exe utility's -O and -X switches allow retaining permissions when copying (-X retains auditing settings) - in addition to inheriting from the destination.
· scopy.exe or robocopy.exe (from the Resource Kit) allow retaining permissions without inheriting from the destination.

Compression
· NTFS allocates space based on the uncompressed size (you cannot move a compressed file which, when uncompressed, is bigger than the available disk space).
· Compression is not supported on volumes with cluster sizes larger than 4KB.
Ownership
· Administrators can take ownership of any object and can grant users the ability to take ownership.
· Object ownership cannot be assigned to others; a user must have permission to take ownership of an object.
Auditing
· By default auditing is turned off.
· Local auditing is configured through the Local Security Settings MMC snap-in.
· Five (5) types of events can be audited:
  o File and folder access
  o Logons and logoffs
  o System shutdowns and restarts
  o Changes to user and group accounts
  o Changes to Active Directory objects (if the workstation belongs to AD)
· To enable auditing of file/folder access, the local policy first needs to be modified to enable it; then individual files or folders need to be configured using the Advanced access settings, adding which users and actions to audit.
EFS (Encrypting File System)
· EFS uses public/private key based cryptography.
· You can compress or encrypt a file, but cannot do both.
· Files remain encrypted even when renamed, moved, copied or backed up, as long as they reside on NTFS volumes.
· Cipher.exe is a command line utility to encrypt or decrypt files.
· Only the user who encrypted a file or a DRA (Data Recovery Agent) can decrypt the file. Default DRAs are:
  o The local Administrator account (non-domain computer)
  o Domain Administrator accounts (for domain member servers or workstations)
· Encrypted files moved or copied to another NTFS folder remain encrypted. Moved or copied to a non-NTFS drive or floppy they become decrypted.
· Users who did not encrypt the file get access denied when trying to move or copy it to a non-NTFS volume or to a different NTFS volume. They cannot copy it at all (even to the same volume), but can move it fine within the same volume.
· Encrypted files can be made available offline but are not encrypted in the offline cache.
Web Server Resources
· Windows 2000 Pro does not install IIS by default.
· The TCP/IP protocol is required for IIS; a valid DNS server is recommended.
· The HOSTS file maps DNS names to IPs.
· The LMHOSTS file maps NetBIOS names to IPs.
Printers
· Printer terminology:
  o Printer is the software interface between the OS and the print device; it directs jobs to one or more print devices.
  o Print device is the hardware that produces physical documents.
  o Printer port - a software interface through which print jobs get directed to locally or network attached print devices.
  o Print server - a host PC for printers
  o Printer driver - software specific to each print device - translates printing commands to printer language codes specific to each print device.
  o Print job - a document to be printed, with print processing commands
  o Print resolution - specifies the quality and smoothness of the printed document
  o Print spooler - service that initiates, processes and distributes print jobs.
  o Print queue - logical waiting area for print jobs.
  o Print pooling allows installing two identical printers as one logical printer.
· You can use the net use command to connect to remote printers:
  o net use lptx: \\print_server\printer_share (lpt1, lpt2, or lpt3)
· Windows 2000 print server computers automatically download the correct print drivers to client computers running Win9x, NT, and 2K as long as the drivers have been installed on the print servers.
· You can configure printer properties using the printer's Properties tabs. The following tabs are available: General, Sharing, Ports, Advanced, Security, and Device Settings.
· The following groups can manage print jobs in print queues: Printer Owners, Print Operators, Print Job Owners.
· Users can manage other users' print jobs if they have the "Manage Documents" permission.
· To take ownership of a printer you need the "Manage Printers" permission.
· IPP (Internet Printing Protocol) gives the ability to print over an Internet connection. To connect to the Printers folder over the Internet use the http://printserver/printers address. To connect to a specific (shared) printer use http://printserver/printer_share_name.
· The directory of the printer spooler can be changed in the Advanced tab of the Print Server Properties.
· Printer ports supported: LPT, COM, USB, Firewire (IEEE 1394), UNC path.
· Win2K Pro provides print services only to Windows & Unix clients. Server is required for Apple & Novell clients.
· IPP (Internet Printing Protocol) requires Win2K Server / IIS or Win2K Pro / PWS.
· Printer priority is configured through the Advanced tab.
Active Directory
· AD stores objects that represent enterprise resources (e.g. users, groups, computers, printers, folders, applications, connections, security and configuration settings, etc.).
· In Win2K a domain controller is not created when the OS is installed - rather, it is promoted to domain controller afterwards. It then obtains a copy of Active Directory and starts the necessary services.
· There is no primary controller - all domain controllers can write to the directory; changes are replicated to all other controllers - AD uses a multi-master replication model.
· The AD domain is specified by two names: the NetBIOS name and the DNS name. (DNS is the primary name resolution in Windows 2000.)
Policy
Policy based administration provides a single list of configurable settings in one tool.
· Local Policy (4)
  o Security Configuration and Analysis (MMC snap-in, or SECEDIT.EXE on the command line) allows capturing the security settings of a system as a database which can be re-applied when the configuration changes, exported to other systems, or saved as a template (e.g. the High Security template can be applied).
    § Default templates are stored in the WINNT\SECURITY\TEMPLATES directory.
      · BASICWK.INF - use to reverse changes made by other templates - except user rights
      · COMPATWS.INF - allows users to have the same relaxed privileges as Power Users to run NT4-compatible apps.
      · SECUREWS.INF - secure configuration - except files, folders, and registry keys
      · HISECWS.INF - very secure - only Win2K-to-Win2K communication (encryption)
  o Local policies - configured through the Local Security Policy MMC snap-in
  o Account Policies control the password requirements and how the system responds to invalid logon attempts.
    § Maximum password age
    § Minimum password length
    § Passwords must meet complexity requirements
    § Enforce password history
    § Minimum password age
    § Account lockout threshold
    § Reset account lockout counter after
    § Account lockout duration
  o Audit Policies specify what events are logged to the Security Log, which can be viewed only by administrators.
    § Logon events
    § Account management
    § Object access
    § Privilege use
  o User Rights Assignment (privileges) allows a user or group to perform system functions. They override object permissions if the two are in conflict.
  o Security Options are miscellaneous security settings (often found in other configuration apps) that can be compiled and applied together.
    § Disable Ctrl+Alt+Delete requirement for logon
    § Clear the virtual memory pagefile when the system shuts down
    § Do not display last username in logon screen
  o An individual machine can have only one local policy.
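Added example, not from the original notes: a Python replay of how the three lockout settings listed under Account Policies interact (threshold, reset counter, duration). The account, its password and the attempt timeline are constructed; the minute-based clock is a simplification, and treating a lockout duration of 0 as "locked until an administrator unlocks" follows Windows' meaning of that value.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AccountLockoutPolicy:
    """The three Account Policies settings that govern invalid logons."""
    lockout_threshold: int        # invalid attempts before lockout; 0 = never lock out
    reset_counter_after: float    # minutes with no bad attempt before the counter resets
    lockout_duration: float       # minutes the lockout lasts; 0 = until an admin unlocks


class LocalAccount:
    """A local account whose logon attempts are judged against the policy.

    Times are minutes on a simple clock so a scenario can be replayed offline."""

    def __init__(self, password: str, policy: AccountLockoutPolicy):
        self._password = password
        self.policy = policy
        self.bad_count = 0
        self.last_bad_at: Optional[float] = None
        self.locked_at: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        duration = self.policy.lockout_duration
        if duration > 0 and now - self.locked_at >= duration:
            self._unlock()               # lockout duration has expired
        return self.locked_at is not None

    def admin_unlock(self) -> None:
        """What an administrator does in Local Users and Groups."""
        self._unlock()

    def _unlock(self) -> None:
        self.locked_at = None
        self.bad_count = 0
        self.last_bad_at = None

    def attempt(self, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked_out' for one logon attempt."""
        if self.is_locked(now):
            return "locked_out"          # even the right password is refused
        # "Reset account lockout counter after": quiet long enough -> old failures are forgotten
        if (self.last_bad_at is not None
                and now - self.last_bad_at >= self.policy.reset_counter_after):
            self.bad_count = 0
        if password == self._password:
            self.bad_count = 0           # a good logon clears the counter
            return "ok"
        self.bad_count += 1
        self.last_bad_at = now
        threshold = self.policy.lockout_threshold
        if threshold > 0 and self.bad_count >= threshold:
            self.locked_at = now         # this failure trips the lockout
            return "locked_out"
        return "bad_password"


def run_scenario() -> List[str]:
    """Replay a constructed attempt sequence: threshold 3, counter reset after
    30 minutes, lockout duration 15 minutes. Returns one result per attempt."""
    policy = AccountLockoutPolicy(lockout_threshold=3,
                                  reset_counter_after=30,
                                  lockout_duration=15)
    account = LocalAccount("correct-horse", policy)
    attempts = [
        (0, "wrong"),            # bad attempt #1
        (1, "wrong"),            # bad attempt #2
        (40, "wrong"),           # 39 quiet minutes > 30: counter reset, so this is #1 again
        (41, "wrong"),           # bad attempt #2
        (42, "wrong"),           # bad attempt #3: threshold reached, locked at t=42
        (50, "correct-horse"),   # still inside the 15 minute lockout
        (60, "correct-horse"),   # lockout expired at t=57, logon succeeds
    ]
    return [account.attempt(pw, t) for t, pw in attempts]


if __name__ == "__main__":
    print(run_scenario())
```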
· Group Policy is like local policy, but can be linked or applied to a domain, OU, or site.
  o To work with group policy for a site, use the Active Directory Sites and Services MMC console.
  o To work with group policy for a domain or OU, use the Active Directory Users and Computers console.
  o An SDOU can have multiple policies.
  o GPOs (Group Policy Objects) are divided into Computer Settings and User Settings (computer settings are applied first)
    § Computer Settings apply to every computer in the SDOU and by default to all child OUs.
    § User Settings apply to every user in the SDOU
  o Policies are applied in the following order (LSDOU):
    § Local
    § Site
    § Domain
    § OU
  o If there is a conflict in a particular configuration setting, the last setting applied takes effect.
  o If an OU contains users or computers that require different policies, it is recommended to split the OU into one or more OUs.
User Experience / System Services

User Profiles
· A user profile is the look and feel of the user's desktop environment
  o Consists of folders, data, shortcuts, application settings & personal data
  o A local profile is stored on the computer it was created on
  o A roaming profile is stored on a network server - a local copy is also stored on the client computer
  o Local Settings - folder in the profile that is local to the machine
  o My Documents - default location where files are saved. This folder roams.
· A logon script is executed after the user logs in. Scripts are stored in SYSTEMROOT\sysvol\domain\scripts
· Home Folder - central location on a network server where users can store their files
· Microsoft suggests users store their data in the My Documents folder instead of home directories.
· Roaming profile - when a user logs on to a computer for the first time, the roaming profile is copied from the server. On subsequent logins the local profile is compared with the server's and if no changes have been made the local profile is used. If there are changes, only the changes are replicated.
· To enable a roaming profile, enter the UNC path to the user's profile in the account properties.
· If the %username% variable is used to create the roaming profile, by default the Administrators group and the user are assigned Full Control to this folder.
· NTUSER.DAT contains all the desktop settings. You can make a profile read-only (mandatory profile) by renaming it to NTUSER.MAN.
· Documents and Settings contains the profile folders on a clean Windows 2000 installation and on upgrades from Windows 95 and 98.
Windows Installer
· The Windows Installer service installs software from MSI files. It checks for missing program files and reinstalls them if they are damaged or deleted.
· Helps resolve DLL conflicts.
· Can uninstall programs completely.
· WinInstall LE can create an MSI file by monitoring the installation of a program from a standard SETUP.EXE file.
· A ZAP file can be used to install non-MSI software (exe files). (A text file with a .zap extension with info on how to launch setup.)
· You can Publish or Assign applications through Group Policy. Published applications are installed through Add/Remove Programs. Assigned apps have shortcuts in the Start menu that launch the installation on first use.
Multiple Locations & Languages
· Two areas of language configuration: Locales and Language Groups.
· Both are configured through the Regional Settings control panel.
  o Locales
    § A locale is a collection of information about the user's language:
      · Currency symbol
      · Format of date, time, and numbers
      · Localized calendar settings
      · Character encoding
      · Country abbreviation
    § The user locale is maintained for each user - when it is changed all regional settings are applied
    § The input locale has a language associated with an input method.
    § Locales are configured through the Regional Options control panel - changes take effect immediately
  o Language Groups
    § When text needs to be displayed in a different language, an additional language can be added to the system (only administrators can add language support)
    § A reboot is required after a language is added.
· Multilanguage version of Windows 2000
  o Allows additional languages to be installed on top of the default English installation
  o The user interface language configuration is established on a per-user basis.
Accessibility Options
· Configured from Accessibility Options in Control Panel
· Keyboard options
  o StickyKeys - use Shift, Ctrl, Alt by pressing one key at a time (SHIFT)
  o FilterKeys - ignore brief or repeated keystrokes (Right SHIFT)
  o ToggleKeys - beeps when pressing Caps Lock, Num Lock or Scroll Lock (NUM LOCK)
· Sound options
  o SoundSentry - generates a visual warning when Windows makes a sound
  o ShowSounds - displays captions for the speech and sounds programs make
· Display options
  o High Contrast
· Mouse options
  o MouseKeys
  o SerialKey
· The Mouse wizard can configure user preferences and save the settings into an .acw file which can be deployed on other machines
Accessibility Tools
· Utility Manager allows starting any of the below as well as configuring each to start with Windows.
· Narrator
· Magnifier
· On-Screen Keyboard
Fax
· General user fax settings can be configured through the Fax control panel.
· To manage the Fax service use the Fax Service Management MMC console (accessible to Administrators and Power Users only).
Installing Windows 2000 Professional
· winnt\setupapi.log - logs an entry each time a line from an .inf file is parsed - including errors.
· Minimum system requirements: 133MHz, 64MB, 650MB HDD (2GB), VGA, keyboard, mouse, CD-ROM

Attended Installation
· Three attended install methods: CD-ROM, Setup Disks, and network.
· Boot from CD - the BIOS needs to support this option - the disk needs to be El Torito compatible
· Boot from floppies - use makeboot.exe or makebt32.exe to create the setup floppies - this replaces NT4's winnt32.exe /ox switch, which is no longer supported.
· The \Support folder on the Windows 2000 Professional CD contains the Hardware Compatibility List (HCL.TXT).

Winnt32.exe | Windows 95, Windows 98, or Windows NT 4.0
Winnt.exe | DOS, Windows 3.1 or other 16-bit OS
Automatic Installation
· UNATTEND.TXT - script for automatic installation containing the answers to the setup prompts
· WINNT.SIF - file with answers for the CD-ROM based installation - must be placed on a floppy - this file has exactly the same format as unattend.txt.
· UNATTEND.UDF - UDF (Uniqueness Database File) - provides answers unique to a computer - overrides entries in the unattend.txt file

Winnt.exe / winnt32.exe command line switches:
WINNT | WINNT32 | Description
/s:source path | | Path to Windows 2000 installation files
/u:answer file | /unattend:answer file | Specifies location of the answer file
/udf:id, location of udf file | | ID for the entry in the UDF file and location of the UDF file
/a | | Enable accessibility options
/r:folder | /copydir:folder | Copies folder to location - folder remains after setup
/rx:folder | /copysource:folder | Copies folder - then removes it
 | /checkupgradeonly | Checks computer for upgrade compatibility (same as running chkupgrd.exe)
/T:DRIVELETTER | | Specifies the temporary drive and target drive for the Windows installation
/E:COMMAND | | Specifies a command to be executed at the end of GUI-mode Setup.

Example: winnt32.exe /s:\\server\win2000dist /unattend:unattend.txt /udf:pc1,unattend.udf
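Added example, not from the original notes: a Python merge of a constructed unattend.txt with a constructed unattend.udf for the /udf:pc1,unattend.udf command line shown above, following the [UniqueIds] / [id:Section] layout of a UDF file. It shows which entries the UDF overrides for one computer and which shared answers are kept.

```python
from typing import Dict

Answers = Dict[str, Dict[str, str]]

# Constructed sample unattend.txt (keys follow the Windows 2000 answer file format).
UNATTEND_TXT = """\
; shared answers for every workstation in the lab
[Unattended]
UnattendMode = FullUnattended
OemPreinstall = No
TargetPath = \\WINNT

[UserData]
FullName = "Lab User"
OrgName = "Example Org"
ComputerName = *

[GuiUnattended]
TimeZone = 35
"""

# Constructed sample unattend.udf: [UniqueIds] maps each id passed on the
# command line (/udf:pc1,unattend.udf) to the sections it overrides, and
# [id:Section] holds the per-computer values.
UNATTEND_UDF = """\
[UniqueIds]
pc1 = UserData, GuiUnattended
pc2 = UserData

[pc1:UserData]
ComputerName = PC1
FullName = "Alice"

[pc1:GuiUnattended]
TimeZone = 110

[pc2:UserData]
ComputerName = PC2
"""


def parse_answer_file(text: str) -> Answers:
    """Parse the INI-style answer file into {section: {key: value}}.

    Written by hand rather than with configparser so that key case and the
    ';' comment convention of Setup answer files are preserved (real Setup
    matches section and key names case-insensitively; this model does not)."""
    sections: Answers = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value.strip('"')
        else:
            raise ValueError(f"unparseable answer file line: {raw!r}")
    return sections


def effective_answers(unattend_text: str, udf_text: str, computer_id: str) -> Answers:
    """Answers Setup ends up with for one computer: the UDF entries for that
    id overwrite the matching unattend.txt entries, everything else is kept."""
    base = parse_answer_file(unattend_text)
    udf = parse_answer_file(udf_text)
    unique_ids = udf.get("UniqueIds", {})
    if computer_id not in unique_ids:
        raise KeyError(f"{computer_id!r} is not listed in [UniqueIds]")
    merged = {section: dict(values) for section, values in base.items()}
    for section in (s.strip() for s in unique_ids[computer_id].split(",")):
        merged.setdefault(section, {}).update(udf.get(f"{computer_id}:{section}", {}))
    return merged


if __name__ == "__main__":
    for pc in ("pc1", "pc2"):
        print(pc, effective_answers(UNATTEND_TXT, UNATTEND_UDF, pc)["UserData"])
```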
· System Preparation Tool (SYSPREP.EXE) - used to prepare a system for imaging - removes all unique parameters from the PC and then shuts down the PC so it can be imaged.
  o SYSPREP.INF - file with the answers to the prompts from the Mini-Setup Wizard, which runs after sysprep.exe reboots the system. Needs to be in the \SYSPREP folder or on a floppy.

Setup Manager
· Wizard that creates the following answer files. SETUPMGR.EXE can be found in DEPLOY.CAB in the Support\Tools directory on the Win2K Pro CD.
  o unattend.txt and unattend.udf for unattended installation
  o sysprep.inf for the Mini-Setup Wizard
  o ristndrd.sif for the RIS Mini-Setup Wizard.
Remote Installation Service
· Server prerequisites:
  o DHCP Server
  o Active Directory / DNS Server
  o Dedicated partition (other than the system partition)
· remboot.sif - RIS answer file for the Mini-Setup Wizard. (RISTANDARD.SIF - sample.) The name doesn't matter, as you associate the name with an image from the GUI.
· RISETUP.EXE - RIS Setup Wizard - used to create the initial Windows 2000 Pro image and configure the service
· RBFG.EXE - creates the RIS network boot disk
· RIPREP.EXE - allows creating an image of the OS and installed applications for RIS distribution
  o Can only make an image of the C: partition
  o When applied to a machine all partitions are deleted and only C: is created.
  o You can boot either from a PXE-compliant network card or using the RIS network boot disk
Hardware Devices and Drivers
· Configure devices using the Add/Remove Hardware Wizard or Device Manager (MMC)
· View the device configuration using System Information (MMC) - troubleshoot resource I/O conflicts
· Only Administrators can add, configure, and remove devices (if drivers are not installed)
· Using a Plug and Play driver to install a non-PnP device may provide some PnP support (allocating resources)
· The Driver.cab file on the CD-ROM contains all shipping drivers - the file is copied to %SystemRoot%\Driver Cache\i386
· Location of driver.cab in the registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
· Update drivers using Device Manager - Drivers tab - Update Driver button
· Only Add/Remove Hardware deletes all drivers - Device Manager only disables them.
· Driver Verifier tool (verifier.exe) - troubleshoot and isolate driver problems - not enabled by default
· Only Administrators can complete Windows Update.
· Windows 2000 shares IRQ9 among multiple devices on laptops.
· Signature Verification tool (sigverif.exe) - checks for unsigned drivers or system files
· Three settings under Driver Signing in Group Policy control the installation of unsigned drivers: Ignore, Warn (default), and Block.
· For unattended installation you can add a DriverSigningPolicy=Ignore/Warn/Block line.
· EAP (Extensible Authentication Protocol) - extension to PPP that allows certificate based authentication.
· A Win2K Pro machine connecting to RAS using a smartcard and certificate needs to use EAP & MSCHAP or MSCHAP v2 (Challenge Handshake Authentication Protocol).
· The first connection always uses standard authentication - once the certificate is obtained, EAP or IPSec is used.
· Multilink is two modem devices dialing one server - you and the remote server both need to have multilink enabled.
· Create a network connection or connect directly using IrDA. Transfer files using the Wireless Link app.
· Only internal IrDA devices are detected during Win2K setup or at boot.
· View USB power or bandwidth allocations using Device Manager (entries under the USB Controllers section)
· Multiple monitor support
  o Up to 10 monitors are supported, connected to PCI or AGP adapters
  o The BIOS selects the primary monitor based on PCI slot order (change it later through Display Properties - "Use This Display As Primary Monitor" option)
  o Windows Setup will disable video adapters other than the one that is built in - install Windows first, then add the secondary adapter.
  o The logon screen and most programs are initially displayed on the primary display
  o DOS programs may need the color settings for both adapters at 256 and the shortcut properties set to run in full screen mode.
· A hardware profile stores config settings for a collection of devices and services.
· Enable or disable devices for the current profile through their properties in the Device Manager snap-in.
· Win2K Pro (only) supports APM 1.2 - only installed if the computer has an APM-compliant BIOS
· ACPI is fully supported - the OS configures and monitors devices.
· Win2K supports SMP and processor affinity - but you need to use Device Manager to upgrade the HAL from the single processor HAL to the multiprocessor HAL.
·
Two disk configuration types:
basic storage
and
dynamic storage.
·
Basic
storage has
primary and
extended
partitions. Max 4 partitions (only
1 can be extended partition) – you
can create multiple logical partitions
in extended partition.
o
Basic disks store partition
information in MBR stored on the first sector of each disk.
o
Limited support for spanned and
striped logical volumes
·
Dynamic
storage does not use
multiple partitions. Contains only one
partition divided in separate volumes.
o
All dynamic disks in computer belong
to disk group, each disk stores replicas of the same configuration data in 1MB
region at the end of each dynamic disk.
o
Only Win2K machines can access
dynamic disks.
o
Five (5)
types of dynamic volumes (only 3 in Win2K PRO):
§
Simple – disk space on single disk (single are or multiple areas
linked together)
·
Expanded to another disk
becomes spanned
§
Spanned – disk space on multiple disks (min 2 -
max 32)
·
Cannot be mirrored or stripped
·
Extend only if no file system or NTFS
·
No portions of spanned volume
can be deleted without deleting entire volume.
·
You can extend only if volume
was originally created on dynamic disk – cannot extend if volume was upgraded
from basic to dynamic.
·
You cannot extend system or
boot volume.
§
Striped – stores data in stripes on 2 or more disks - improves access
speed. (min2 – max 32)
·
Requires at least 2
dynamic disks.
§
Mirrored –
Win2K Server Only
§
RAID-5 – Win2K Server Only
·
You can convert basic disk to
dynamic – but reverting to basic will delete all partition information.
·
Win2K cannot be installed on
dynamic disk unless it has partition table (ex upgraded from basic)
·
Use the
Performance
tool to monitor disk performance (System Monitor
snap in)
o
DISKPERF.EXE determines
which counters to collect: physical (default), logical, or
both
§
Diskperf.exe switches (-Y/N enable/disable
all, -(Y/N)D physical, -(Y/N)V logical)
·
Error-Checking tools for
checking for errors (all files must be closed).
·
Disk Management status showing
At Risk means disk has error – to return to healthy by reactivating the disk
·
Disk
Defragmenter rearranges files on hard drive – NTFS
stores file system info in (master file table) this cannot be defragmented..
·
Disk
Cleanup cleans temporary files
·
Win2K supports FAT, FAT32, NTFS, and CDFS on both
basic and dynamic volumes
·
Support in
FAT32 for existing
127GB
partitions, create new up to
32GB
·
Win2K native file system is
NTFS 5. When
Win2K installed from NT existing partitions are upgraded to NTFS 5. ---
NT4 supports
NTFS 5 only with
Service Pack 4
·
CONVERT.EXE
d: /fs:ntfs converts
drive to NTFS (but does not apply default
NTFS permissions)
·
Use
SECEDIT.EXE
to reapply default permissions
through a security template.
·
Volume mount points let you mount a local volume (basic or dynamic) to an empty folder on an NTFS volume instead of a drive letter; they are not for network shares.
·
Disk quotas track / control disk usage on
per user and
per volume basis (only NTFS)
o
Only
Administrators can change quota
settings
o
Disk quotas charge the uncompressed size of files; compressing files does not reduce a user's quota usage.
·
PATHPING combines PING and TRACERT: it traces the route and then reports per-hop latency and packet loss, which pinpoints where on the network problems or congestion occur.
·
TCP/IP Addresses are actually
32-bit binary numbers,
displayed in dotted
decimal format.
·
A subnet mask is a filter applied to an IP address with a bitwise AND: the bits set to 1 mark the network part and the bits set to 0 the host part.
·
Private IP Addresses:
o
10.0.0.0 - 10.255.255.255
o
172.16.0.0 -
172.31.255.255
o
192.168.0.0 - 192.168.255.255
·
TCP/IP is the default network
protocol in Win2K
·
APIPA (Automatic Private IP Addressing) assigns an address from 169.254.x.x / 255.255.0.0 when no DHCP server answers; the host gets no default gateway, so it can reach only its own subnet.
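Added example (not from the study notes): a short Python script showing what "the subnet mask is a filter" means in bits, and how the private (RFC 1918) and APIPA ranges listed above are told apart. Standard library only; all host addresses and masks are constructed.

```python
"""Added example (not part of the study notes): the subnet mask as a bit
filter, plus classification of the private (RFC 1918) and APIPA ranges
listed above. Standard library only; all addresses are constructed."""
import ipaddress

PRIVATE_RANGES = [                       # RFC 1918 blocks from the notes
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")   # 169.254.x.x / 255.255.0.0


def to_int(dotted: str) -> int:
    """Dotted-decimal text -> the 32-bit number the stack actually works with."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """32-bit number -> dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip: str, mask: str) -> str:
    """Apply the mask as a bitwise AND: address bits under a 1 bit of the mask
    survive (network part), bits under a 0 bit are zeroed (host part)."""
    return to_dotted(to_int(ip) & to_int(mask))


def host_part(ip: str, mask: str) -> str:
    """The bits the mask filters out: address AND NOT mask."""
    return to_dotted(to_int(ip) & ~to_int(mask) & 0xFFFFFFFF)


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts talk directly (no router) only if the filter leaves the same network."""
    return network_address(ip_a, mask) == network_address(ip_b, mask)


def classify(ip: str) -> str:
    """'apipa' (DHCP failed, link-local only), 'private' (RFC 1918, needs NAT
    such as ICS to reach the Internet) or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr in APIPA_RANGE:
        return "apipa"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


if __name__ == "__main__":
    for ip, mask in [("192.168.0.37", "255.255.255.0"),
                     ("172.20.5.9", "255.255.0.0"),
                     ("169.254.12.200", "255.255.0.0")]:
        print(f"{ip:>15} / {mask:<15} network {network_address(ip, mask):<15} "
              f"host {host_part(ip, mask):<12} {classify(ip)}")
    # A client that fell back to APIPA cannot reach a DHCP client on 192.168.0.x
    print("same subnet:", same_subnet("169.254.12.200", "192.168.0.37", "255.255.0.0"))
```

The last line is the practical point behind the APIPA note: a workstation that silently fell back to 169.254.x.x shares no network with its 192.168.0.x neighbours, which is why "no DHCP server found" shows up as "cannot see the network".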
·
Network services and protocols covered by the exam: DNS, DHCP, WINS, APIPA, SLIP, PPP, PPTP, L2TP, IPSec, WWW, FTP, SMTP.
·
Win2K supports the following remote access protocols (authentication, tunneling and related):
o
Carried over from NT4: PAP, CHAP, MS-CHAP and SPAP (authentication), PPTP (tunneling).
o
New in Win2K: MS-CHAP v2 and EAP (authentication), L2TP with IPSec (tunneling), RADIUS, BAP.
·
IPSec is a suite of security
related protocols and cryptographic functions.
o
IPSec peers negotiate an SA (Security Association) through IKE: the agreed algorithms and keys that protect traffic in one direction. The keys are derived on both sides and never sent on the wire.
o
IPSec is configured through the IP Security Policy Management MMC snap-in; a policy is a computer setting, assigned locally or through Group Policy at site, domain or OU level (not per user, group or application).
o
For L2TP/IPSec the IPSec SA is negotiated (using computer certificates) before the L2TP tunnel is created, so the PPP user credentials and all data inside the tunnel are encrypted.
·
PPTP – the only tunneling protocol in Win NT4. Uses TCP port 1723 for the control connection and GRE (IP protocol 47) for the tunneled data; data is encrypted with MPPE, whose keys derive from the MS-CHAP exchange.
·
L2TP is like PPTP but provides no encryption of its own; on Win2K it is combined with IPSec ESP, which encrypts the L2TP/PPP traffic inside the tunnel.
o
Uses UDP port 1701 for the connection (with IPSec: UDP 500 for IKE and IP protocol 50 for ESP)
o
Provides header compression (4-byte overhead versus 6 for PPTP)
o
Offers tunnel authentication (in L2TP/IPSec the computer authentication is in practice done by IPSec)
o
Does not need IP for transport; can run over Frame Relay, ATM or X.25 as well as IP/UDP.
·
EAP (Extensible Authentication Protocol) – an extension of PPP that lets client and server negotiate the authentication method at connection time. Supports:
o
EAP-MD5 CHAP – challenge/response in which the challenge and password are hashed with MD5 (a public, standard hash, not proprietary); the password itself is not sent, but there is no mutual authentication and a captured exchange can be guessed offline, so prefer EAP-TLS.
o
Generic token cards
o
EAP-TLS (Transport Layer Security) – certificate-based mutual authentication, used with smart cards.
·
RADIUS (Remote Authentication
Dial-In User Service) provides accounting and authentication services for
distributed dial-up connections.
o
Win2K Server can act as a RADIUS server (Internet Authentication Service), a RADIUS client (Routing and Remote Access forwarding to another server), or both.
o
Clients (typically remote access servers) forward authentication and accounting requests to the RADIUS server.
o
RADIUS server validates
authentication requests from RADIUS clients.
·
BAP (Bandwidth Allocation
Protocol) works together with Bandwidth Allocation Control Protocol (BACP).
o
Allows dynamically adding or dropping
of lines for multilinked devices
o
Configure BAP using remote access
policies.
·
VPN
o
To enable connection to corporate
network from “Log On To Windows” dialog box make sure the connection is
configured “For All Users” when creating the connection.
·
ICS uses the DHCP Allocator service to hand out addresses from 192.168.0.2 – 254 (mask 255.255.255.0); the ICS host itself takes 192.168.0.1. It also enables the DNS Proxy service, which forwards clients' name queries.
·
NTBACKUP starts the Windows
Backup application
·
Read permission is needed to back up files and Write permission to restore them (unless the account holds the privileges below, which bypass file permissions).
·
Backup Files and Directories
permission (by default Administrators
and Backup Operators have it) allows
backing up of any file
·
Restore Files and Directories
allows restore of any file.
·
The archive attribute (also called the backup marker) is set whenever a file is created or modified; Normal and Incremental backups clear it, the other types leave it alone.
·
Backup types:

  Type          Backs up files                  Clears archive flag   Performance
  ------------  ------------------------------  --------------------  ------------------------------------------------------------
  Normal        ALL                             YES                   Long to back up; a single set restores everything
  Copy          ALL                             NO                    Does not disturb the Normal/Incremental chain
  Differential  CHANGED since the last          NO                    Grows each day; restore = last Normal + latest Differential
                Normal or Incremental
  Incremental   CHANGED since the last          YES                   Fast to back up; restore = last Normal + every Incremental
                Normal or Incremental                                 since (long to recover)
  Daily         CHANGED today (selected by      NO                    Not part of the restore chain
                modification date, not flag)
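Added example (not from the study notes): a Python simulation of the table above. It models the archive attribute on a handful of constructed files, runs a week of backups with each strategy, and works out which backup sets a full restore needs, which is the part the table only hints at.

```python
"""Added example (not part of the study notes): simulates how the five Win2K
backup types pick files by the archive attribute, which of them clear it,
and which backup sets a full restore then needs.  Files and edits are
constructed in memory; nothing touches a real disk."""
from dataclasses import dataclass, field
from typing import List

# Normal and incremental backups "mark" files as backed up by clearing the flag.
CLEARS_ARCHIVE_BIT = {"normal": True, "copy": False, "differential": False,
                      "incremental": True, "daily": False}


@dataclass
class File:
    name: str
    archive: bool = True      # backup marker: set when created or modified
    modified_day: int = 0


@dataclass
class BackupSet:
    day: int
    kind: str
    files: List[str] = field(default_factory=list)


def modify(files: List[File], name: str, day: int) -> None:
    """Writing a file sets its archive attribute and modification day."""
    for f in files:
        if f.name == name:
            f.archive, f.modified_day = True, day
            return
    files.append(File(name, True, day))


def select_files(files: List[File], kind: str, day: int) -> List[File]:
    """Which files a backup of the given type picks up."""
    if kind in ("normal", "copy"):
        return list(files)                                  # everything
    if kind == "daily":
        return [f for f in files if f.modified_day == day]  # by date, not marker
    return [f for f in files if f.archive]                  # differential / incremental


def run_backup(files: List[File], kind: str, day: int) -> BackupSet:
    """Back up the selected files and clear the marker where the type does so."""
    chosen = select_files(files, kind, day)
    if CLEARS_ARCHIVE_BIT[kind]:
        for f in chosen:
            f.archive = False
    return BackupSet(day, kind, sorted(f.name for f in chosen))


def restore_plan(history: List[BackupSet]) -> List[BackupSet]:
    """Sets needed to rebuild the volume: the last normal backup, every
    incremental after it, and the newest differential taken after the last of
    those.  Copy and daily sets never take part in the chain."""
    normals = [i for i, b in enumerate(history) if b.kind == "normal"]
    if not normals:
        raise ValueError("no normal backup to start a restore from")
    start = normals[-1]
    plan = [history[start]]
    last_clearing = start
    for i in range(start + 1, len(history)):
        if history[i].kind == "incremental":
            plan.append(history[i])
            last_clearing = i
    differentials = [b for b in history[last_clearing + 1:] if b.kind == "differential"]
    if differentials:
        plan.append(differentials[-1])
    return plan


def simulate(weekday_kind: str):
    """Normal backup on day 1, then `weekday_kind` on days 2-4 with the same
    edits each time, so the strategies can be compared side by side."""
    files = [File("payroll.xls"), File("memo.doc"), File("notes.txt")]
    history = [run_backup(files, "normal", 1)]
    for day, edited in ((2, "memo.doc"), (3, "notes.txt"), (4, "memo.doc")):
        modify(files, edited, day)
        history.append(run_backup(files, weekday_kind, day))
    return history, restore_plan(history)


if __name__ == "__main__":
    for kind in ("incremental", "differential", "daily"):
        history, plan = simulate(kind)
        print(f"--- {kind} ---")
        for b in history:
            print(f"day {b.day}: {b.kind:<12} backed up {b.files}")
        print("restore needs:", [(b.kind, b.day) for b in plan])
```

Running it shows the trade-off in the table's last column: the incremental week restores from four sets, the differential week from two (but the day-4 differential already contains everything the day-3 one did), and a week of daily backups restores nothing beyond the day-1 normal because daily sets are outside the chain.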
·
System
State backup includes
the following (cannot select individual components):
o
Registry
o
COM+ class registration
database
o
System
startup files
o
Certificate Services database (only on servers running Certificate Services)
o
AD – DC Only
o
Sysvol folder – DC Only
·
Three ways to repair system:
o
Safe Mode (F8)
·
Starts system with minimal set
of drivers and services (standard VGA, monitor, mouse, etc)
·
Creates a boot log file
·
Does not work if system files
are corrupted, or hard drive failed.
·
Safe modes available:
·
Safe mode
with networking loads
all drivers and services necessary for network access
·
Safe mode
with the command prompt
·
Enable Boot
Logging – logs all drivers and services to
C:\WINNT\NTBTLOG.TXT file
·
Enable VGA
Mode – uses extremely
stable VGA driver
·
Last Known Good Configuration – starts with the registry control set (HKLM\SYSTEM\CurrentControlSet) that was saved at the last successful logon; useful after a bad driver or service change, but any configuration changes made since that logon are discarded.
·
Debugging
mode – sends debugging information to a console
through serial cable
·
Remote
Installation Options – available if Win installed
using RIS
·
o
Recovery
Console
·
Command line interface allows
you to start and stop services, read and write data on local disk, format
drives, repair corrupted MBR, etc.
·
Try Recovery Console before
resorting to emergency repair disk.
·
RC can be installed from the Win2K CD with WINNT32 /CMDCONS (requires about 7 MB of disk space); it then appears as an option in the boot menu.
·
RC can be launched from boot
cd – selecting repair option and then console.
·
Allows access only to the root of each drive, the \WINNT folder and its subdirectories, and the \CMDCONS folder (if it exists), plus CD-ROM and floppy drives. Copying files from the hard disk to removable media is blocked unless the local security option "Recovery Console: Allow floppy copy and access to all drives and folders" is enabled.
·
Special commands (other than
standard DOS commands):
·
Enable /
disable – enables or disables service
·
Diskpart – disk partitioning
·
Fixboot – writes a new
partition boot sector
·
Fixmbr – repairs the master
boot record
·
Logon – logs on to a Windows installation (you choose one if more than one is present); requires the local Administrator password.
·
Map – displays drive mappings
o
Emergency
Repair Disk (ERD)
·
Emergency repair process
enables to restore corrupted system files and configuration.
·
You can still use the repair process if no ERD was created, but many changes, including service packs, may be lost.
·
Step 1 – Start from the Win2K Setup boot disks or CD.
·
Step2 – Choose the repair
option “R”.
·
Step3 – Type of repair
·
Fast: no further input; repairs registry, system files, partition boot sector and startup environment.
·
Manual: you choose among system files, partition boot sector and startup environment.
·
The registry is repaired only by Fast repair, which restores the copy kept in \WINNT\REPAIR (refreshed when the ERD is created with the "also back up the registry" option); the ERD itself does not hold the registry.
·
Step4 – Start repair process
·
Step5 – Reboot computer
·
System failure options (My
Computer / Properties / Advanced / Startup and Recovery)
o
Write an event to system log
(requires 2MB free space on boot drive) – enabled on Win2K Srv
o
Send Administrative alert
(requires 2MB free space on boot drive)
o
Write debugging information (requires a paging file on the boot volume at least as large as RAM + 1 MB)
·
Service failure options
(Services / Properties / Recovery)
·
System
Monitor is a node in Performance MMC console
·
Performance Logs and Alerts is a node in the Performance MMC as well; it collects and saves performance data and generates alerts when pre-defined thresholds are crossed. Logs can be viewed in System Monitor or Excel (.csv or .tsv), but the default format is binary (.blg).
o
Alerts – trigger alerts
o
Counter Logs collect and store
performance counters
o
Trace logs – collect data when an event (process creation, disk I/O, or page fault) occurs
o
Logs are stored by default in
C:\PERFLOGS folder
·
Managing
performance – important
objects to monitor:
o
Cache – physical memory to
store recently accessed disk data
o
Memory – most important
counters: pages/sec (problem over
20/sec), available bytes (swapping
under 4MB)
o
Paging
file – VMM (Virtual Memory Manager)
moves less active data from RAM to paging file in 4KB pages (blocks).
Optimization tips:
·
Remove the paging file from the system and boot partition (caveat: "Write debugging information" needs a paging file on the boot volume, so keep a small one there if you want crash dumps)
·
Configure the paging file to
reside on multiple physical disks, and configure the initial and maximum size
identically for all drives
·
Configure the paging file to
reside on fast, less active drives
·
Before moving the paging file,
defragment the volumes on which you will put the paging file.
·
Set the initial size to be
sufficient for the system’s paging requirements, and set the maximum size to the
same size.
o
Disk performance
of
physical and
logical
disks – counters:
·
% Disk Time (problem close to 100%) – share of time the disk is busy servicing requests
·
Avg. Disk Queue Length (problem sustained over 2) – read/write requests pending and being serviced
o
Network – only basic counters
available – use Network Monitor for more advance troubleshooting
o
Processor – most important
counters:
·
%Processor time (problem close
to 100%)
·
Interrupts/sec – how many interrupts hardware devices send to the processor; a sharp rise without matching activity suggests a faulty device or driver
·
System:Processor Queue Length – (problem sustained over 2) threads backing up waiting for the processor
·
Process:%ProcessorTime – how
much processor time specified process takes
o
If Processor Queue Length is low while %Processor Time stays above 80%, a single-threaded application is keeping the processor busy and a faster processor helps; if the queue length is high, many threads are waiting and a second processor is usually the better upgrade.
·
Create
performance baseline (capture counters over
extended period under normal working conditions)
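Added example (not from the study notes): a Python script that applies the rule-of-thumb thresholds above to a counter log saved by Performance Logs and Alerts in .csv format, including the faster-versus-second-processor decision. The counter paths are the real Win2K ones; the machine name WKS01, the timestamps, the values and the 90% disk-time limit are constructed assumptions.

```python
"""Added example (not part of the study notes): applies the threshold rules
of thumb above to a counter log exported by Performance Logs and Alerts in
.csv format. The counter paths are the real Win2K ones; the machine name
WKS01, the timestamps and the values are constructed."""
import csv
import io
from statistics import mean

SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\WKS01\Memory\Pages/sec","\\WKS01\Memory\Available Bytes","\\WKS01\PhysicalDisk(_Total)\% Disk Time","\\WKS01\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\WKS01\Processor(_Total)\% Processor Time","\\WKS01\System\Processor Queue Length"
"09/16/2001 10:00:00.000","4.2","52428800","18.5","0.4","85.0","1"
"09/16/2001 10:00:15.000","38.7","3145728","96.0","3.1","88.0","1"
"09/16/2001 10:00:30.000","41.0","2097152","99.0","4.0","91.0","1"
'''

# (counter, statistic, limit, finding).  "min" counters breach when they fall
# below the limit, "avg" counters when they stay above it.  The disk-time limit
# of 90% is an assumption standing in for the notes' "close to 100%".
THRESHOLDS = [
    ("Memory\\Pages/sec", "avg", 20, "excessive paging; add RAM"),
    ("Memory\\Available Bytes", "min", 4 * 1024 * 1024, "under 4 MB free; system is swapping"),
    ("PhysicalDisk(_Total)\\% Disk Time", "avg", 90, "disk saturated"),
    ("PhysicalDisk(_Total)\\Avg. Disk Queue Length", "avg", 2, "disk requests backing up"),
    ("Processor(_Total)\\% Processor Time", "avg", 80, "processor busy"),
    ("System\\Processor Queue Length", "avg", 2, "threads backing up"),
]


def parse_log(text):
    """Counter log -> {"Object\\Counter": [values...]}; the leading \\MACHINE
    is dropped so rules match any workstation, the timestamp column is skipped."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    names = ["\\".join(path.split("\\")[-2:]) for path in header[1:]]
    series = {name: [] for name in names}
    for row in reader:
        if not row:
            continue
        for name, value in zip(names, row[1:]):
            series[name].append(float(value))
    return series


def analyze(series):
    """List of human-readable findings for every threshold that is breached."""
    findings = []
    for counter, stat, limit, finding in THRESHOLDS:
        values = series.get(counter)
        if not values:
            continue                      # counter not in this log
        observed = min(values) if stat == "min" else mean(values)
        breached = observed < limit if stat == "min" else observed > limit
        if breached:
            findings.append(f"{counter}: {stat}={observed:.1f} -> {finding}")
    return findings


def processor_advice(series):
    """The notes' decision rule: busy CPU with a short queue points at a
    single-threaded application (faster processor); a long queue means more
    threads than the CPU can service (second processor)."""
    busy = mean(series["Processor(_Total)\\% Processor Time"])
    queue = mean(series["System\\Processor Queue Length"])
    if busy <= 80:
        return "processor is not the bottleneck"
    if queue <= 2:
        return "single-threaded application keeping the processor busy: add a faster processor"
    return "processor queue is backing up: add a second processor"


if __name__ == "__main__":
    data = parse_log(SAMPLE_CSV)
    for line in analyze(data):
        print(line)
    print(processor_advice(data))
```

Run against a real export, the same rules are only as good as the baseline the notes ask for: compare the averages here with a log captured under normal load before acting on them, since a single 15-second spike proves nothing.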
·
Managing application performance
o
Each process runs at different
priority 0-31 – higher the more priority
o
START /LOW, /BELOWNORMAL, /NORMAL (default), /ABOVENORMAL, /HIGH or /REALTIME sets the priority class from the command line; /REALTIME requires the "Increase scheduling priority" user right and can starve the rest of the system.
OnNow
APM (Advanced Power Management)
ACPI (Advanced Configuration and Power Interface)
HAL – Hardware Abstraction Layer
WDM – Win32 Driver Model
IEEE 1394 – serial bus interface that complements USB
USB – Universal Serial Bus
HID – Human Interface Device
IrDA – Infrared Data Association
IrLPT – Infrared printing support
IrTran-P – Infrared image transfer
  ACL    Access Control List
  CSC    Client-Side Caching (Offline Files)
  DRA    Data Recovery Agent
  EFS    Encrypting File System
  GPO    Group Policy Object
  IPC    Inter Process Communications
  IPP    Internet Printing Protocol
  LSA    Local Security Authority
  SDOU   Site, Domain, or OU
  SID    Security Identifier
  UPN    User Principal Name
MMC Snap-ins

  Snap-in                                     Purpose
  ------------------------------------------  -------------------------------------------------------------------
  Computer Management                         managing local computer settings
    System Tools                              (node of Computer Management)
    Shared Folders                            folder sharing options
  Group Policy (Site, Domain, OU, or Local)
    Security Settings                         modify user rights and auditing settings
  Security Configuration and Analysis         imports a security template into a database, compares the
                                              computer's current settings against it and can apply the template
  Active Directory Sites and Services         work with group policy for a site
  Active Directory Users and Computers        work with group policy for a domain or OU