MCSE Study Notes
Exam 70-215: Installing, Configuring, and Administering Microsoft Windows 2000 Server
© 2001-2002 Mark Dabrowski, All Rights Reserved
November 17, 2001 – February 3, 2002
Windows 2000 Server Installation
Hardware Devices and Drivers, System Optimization
Active Directory
  Concepts
  Users and Groups
  Group Policy Objects (GPO)
  Security
Windows 2000 Networking
Storage
Files and Folders
Printers
Internet Information Services
Network Resources
Backup, Recovery and Troubleshooting
Appendixes
  Appendix 1 - Exam 70-215 - Skills being measured
Windows 2000 Server Installation

· Minimum Win2K Server requirements: Pentium 133 MHz, 128 MB RAM, 2 GB HDD (1 GB free)
· Maximum Win2K Server: 4 GB RAM, 4 CPUs
· Maximum Win2K Advanced Server: 8 GB RAM, 8 CPUs
· Maximum Win2K Datacenter Server: 64 GB RAM, 32 CPUs
· Four (4) ways to install Win2K Server: CD-ROM, network, automated (Setup Manager answer files), automated (disk replication with Sysprep)
· CD-ROM installation:
  · Create the four (4) Setup boot floppy disks with \bootdisk\makeboot.exe (from DOS) or \bootdisk\makebt32.exe (from 32-bit Windows) on the CD.
  · Press F5 at the start of text-mode Setup (while it inspects the hardware) to specify a custom HAL; F6 at the same point loads third-party SCSI/RAID drivers.
· Network installation requires a share on a remote server containing the i386 directory (start with winnt.exe or winnt32.exe from that share).
· Automated installation (Setup Manager):
  · Setup Manager is a GUI program that creates scripting files (answer files) from which Win2K installs without user input.
  · Install Setup Manager (setupmgr.exe) from the Win2K CD-ROM (extract d:\support\tools\deploy.cab).
  · unattend.txt – answer file (provides the answers to every dialog box that would otherwise require user input during install)
  · unattend.udf – Uniqueness Database File (UDF); supplements unattend.txt with the values that are unique to a particular computer (e.g. the computer name); the entry to use is selected by ID with the /udf switch
  · winnt.sif – answer file placed on a floppy when installing from the bootable CD-ROM
· Disk replication installation (Sysprep):
  · Run Sysprep to prepare the computer before imaging it with a disk replication tool. Sysprep removes the computer SID (Security Identifier) and other computer-specific information, so that every clone does not end up with the same SID.
  · When the cloned computer restarts, setupcl.exe generates new SIDs and starts the Mini-Setup Wizard.
· Network or CD installation – you can start the installation using winnt.exe or winnt32.exe from the i386 directory.
· Winnt32.exe (use when starting from Windows 95, 98, ME, NT 3.51, NT 4 or 2000):
  | Switch | Description |
  | /checkupgradeonly | Checks the computer for upgrade compatibility with Windows 2000 |
  | /copydir:folder | Additional folder copied to the hard drive; the folder remains after Setup completes |
  | /cmd:command | Command (e.g. batch file) to execute at the end of GUI-mode Setup |
  | /cmdcons | Installs the Recovery Console |
  | /debug[level]:[file] | Debugs the installation at the specified level (0-4) and logs to the specified file |
  | /s:source | Path to the source files (i386 directory) |
  | /syspart:drive | Copies the Setup startup files to a hard disk and marks it active; the disk can then be installed in another computer, which starts in Setup when it boots |
  | /tempdrive:drive | Drive for temporary files |
  | /unattend:file | Answer file for unattended Setup |
  | /udf:id[,udf_file] | ID and Uniqueness Database File holding the per-computer values |
· Winnt.exe (use from a 16-bit OS such as MS-DOS or Windows 3.x):
  | Switch | Description |
  | /a | Installs accessibility options |
  | /e:command | Command (e.g. batch file) to execute at the end of GUI-mode Setup |
  | /r:folder | Additional folder copied to the hard drive; the folder remains after Setup completes |
  | /rx:folder | Additional folder copied to the hard drive; the folder is deleted after Setup completes |
  | /s:source | Path to the source files (i386 directory) |
  | /t:drive | Drive for temporary files |
  | /u:file | Answer file for unattended Setup |
  | /udf:id[,udf_file] | ID and Uniqueness Database File holding the per-computer values |
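As an added example (not part of the original notes), a minimal unattend.txt and the UDF that goes with it, for the /unattend and /udf switches listed above. Every value is a placeholder: the computer names SRV01 and SRV02, the domain EXAMPLE, the join account svc-join, the passwords and the product ID are assumptions for illustration. The thing to notice is that the answer file carries the local Administrator password and the domain-join credentials in clear text, so it must be readable only by the installing account and deleted (or those passwords changed) as soon as Setup finishes; use a dedicated join account that only holds the "Add workstations to domain" right, not a Domain Admin.

```ini
; unattend.txt - answer file (constructed example)
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
OemPreinstall=No
TargetPath=\WINNT
FileSystem=ConvertNTFS

[GuiUnattended]
; AdminPassword=* would prompt at install time instead of storing it here
AdminPassword=ChangeMe-1st-Boot
AutoLogon=No
TimeZone=035
OemSkipWelcome=1
OemSkipRegional=1

[UserData]
FullName="Server Admin"
OrgName="Example Corp"
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
; ComputerName is supplied per machine by the UDF below

[LicenseFilePrintData]
AutoMode=PerServer
AutoUsers=5

[Networking]
InstallDefaultComponents=Yes

[Identification]
JoinDomain=EXAMPLE
; dedicated low-privilege join account (assumption), not a Domain Admin
DomainAdmin=svc-join
DomainAdminPassword=JoinMe-2002

; unattend.udf - per-computer overrides (constructed example)
[UniqueIds]
SRV01=UserData
SRV02=UserData

[SRV01:UserData]
ComputerName=SRV01

[SRV02:UserData]
ComputerName=SRV02
```

Start Setup with `winnt32 /unattend:unattend.txt /udf:SRV01,unattend.udf /s:\\deploy\i386` (or the winnt.exe equivalents /u, /udf and /s from DOS; the share name is an assumption). For the chosen ID the UDF's [SRV01:UserData] section overrides the [UserData] keys of the answer file, so one answer file serves the whole batch while each machine still gets its own name.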
· Optional Setup components are selected during the GUI portion of Setup (they can be added or removed later with Add/Remove Windows Components in Control Panel > Add/Remove Programs):
  | Component | Description |
  | Accessories and Utilities | Accessibility options, accessories, communication tools, games, multimedia |
  | Certificate Services | Public key certificate authority (CA) |
  | Cluster Service | (Advanced Server and Datacenter Server only) server availability through failover clustering |
  | Indexing Service | Full-text searching |
  | IIS | Web, FTP, SMTP, NNTP and FrontPage Server Extensions |
  | Management and Monitoring Tools | Tools for monitoring and improving network performance (e.g. Network Monitor, SNMP) |
  | Message Queuing Services | Loosely-coupled (store-and-forward) messaging between applications |
  | Networking Services | Network services and protocols (COM Internet Services Proxy, DNS, DHCP, Internet Authentication Service, QoS Admission Control, Simple TCP/IP Services, Site Server ILS, WINS) |
  | Other Network File and Print Services | File and print services for Macintosh, print services for Unix |
  | Remote Installation Services (RIS) | Installs Windows 2000 on client computers over the network |
  | Remote Storage | Moves infrequently used files to tape or other offline media |
  | Script Debugger | Identifies errors in scripts |
  | Terminal Services | Lets users log on and run sessions from remote computers |
  | Terminal Services Licensing | Licensing service for Terminal Services clients |
  | Windows Media Services | Streams multimedia from this computer |
· DCPROMO – promotes a Win2K member server to a domain controller (running it again on a domain controller demotes it back to a member server).
· A DNS server that supports SRV (service) resource records must be available on the network (support for dynamic updates is recommended).
· At least one volume must be formatted NTFS for Active Directory (SYSVOL requires NTFS).
· DCPROMO requires administrative rights: a member of the local Administrators group can create the first DC of a new forest; adding a new domain to an existing forest requires Enterprise Admins; adding a DC to an existing domain requires Domain Admins of that domain.
· Upgrading an existing NT domain:
  · Upgrade the PDC to Windows 2000 first; the existing BDCs can be upgraded at any later time.
  · Keep a pre-Win2K BDC (taken offline before the upgrade) in case you need to fall back to the NT 4 domain database (just promote that BDC to PDC).
  · Member servers can be upgraded at any time (before or after the PDC).
  · Windows NT 3.51 servers can be upgraded to Win2K but are not recommended on a Windows 2000 network.
  · Windows NT 3.1 or 3.5 must be upgraded to NT 3.51 or NT 4 Server first, then to Windows 2000.
· Mixed mode – Windows NT 4 and Windows 2000 domain controllers coexist in the same domain.
· Native mode – all domain controllers are Windows 2000; member servers and clients can still run any supported OS.
· Native mode adds group features (universal security groups, nested groups, conversion between group scopes, SIDHistory).
· Switching from mixed to native mode cannot be reversed (one way).
Hardware Devices and Drivers, System Optimization

· Plug and Play – automatic detection, installation and loading of the correct drivers for a device.
· Use Add/Remove Hardware (Control Panel) to add and remove drivers for non-Plug and Play devices (must be a member of the Administrators group).
· IRQ (interrupt request) – signal sent by a device to get the attention of the processor when the device is ready to accept or send information.
· Each device sends its interrupt requests over a specific hardware line, numbered 0 to 15. ISA devices need a unique IRQ; PCI devices can share one.
· BIOS (Basic Input/Output System) – the initial software that tests the hardware at power-on, provides basic input/output routines and hands control to the operating system loader.
· If using an ISA device that is not Plug and Play, set the BIOS to reserve the IRQ used by that device.
· Use Device Manager to view information about devices and their status, change their configuration and update drivers.
· A hardware profile is a list of the devices to load; multiple hardware profiles can be kept for different hardware configurations.
· Win2K supports up to 10 monitors. Each requires a separate PCI or AGP video card (ISA video cards are not supported).
· A driver is the software that binds a device to the OS.
· Operating system settings – control how the system starts, performs, displays and organizes information:
  | Settings | Where to find | Description |
  | Performance Options | System Properties / Advanced | Optimize memory for applications or for background services; configure virtual memory (paging file) |
  | Environment Variables | System Properties / Advanced | Set user and system variables |
  | Startup and Recovery | System Properties / Advanced | Configure how the system starts and what to do in case of a STOP error (dump file, automatic restart) |
  | Regional Options | Control Panel | Settings for the display of languages, numbers, times and dates |
  | Accessibility Options | Control Panel | Customize accessibility features |
  | Power Options | Control Panel | Energy-saving settings for the computer |
  | Display | Control Panel | Desktop display settings and screen saver |
· Digital signatures ensure that drivers and system files have been tested by Microsoft (WHQL) and have not been altered since.
· Customize how unsigned drivers (no digital signature) are handled (System Properties / Hardware / Driver Signing): Ignore – install them; Warn – prompt for action (the default); Block – do not install. Block is the safe setting for servers.
· Windows File Protection (WFP) prevents protected system files from being replaced by files that are not digitally signed. If a bad file is installed, WFP replaces it with the original from the Dllcache folder or from the CD-ROM. Covers only .sys, .dll, .ocx, .ttf, .fon and .exe files.
· System File Checker – SFC.EXE – scans the protected files (sfc /scannow), detects incorrect versions and replaces them with copies from Dllcache.
· File Signature Verification – SIGVERIF.EXE – scans Win2K and reports which files are not signed (or are signed).
· Performance tool (PERFMON) – monitors, collects and stores information about server performance.
· The Performance tool consists of System Monitor (tracks performance counters in real time and charts them), Counter Logs (record data about specified counters to a file), Trace Logs (collect data about the operating system and programs) and Alerts (notify the administrator when selected counters exceed or fall below chosen thresholds).
· Log files generated by the Performance tool can be exported to a spreadsheet (CSV or TSV).
· Objects represent the components of a server, such as cache, memory, paging file, disk, processes, processor, threads, etc.
· Counters are the specific data items associated with an object's performance.
· To track disk performance the DISKPERF command must be run (and the server restarted): -YD physical disk, -YV logical disk, -Y both. In Win2K the physical disk counters are on by default; the logical disk counters are not.
· Task Manager monitors programs and processes and tracks system performance. It can end processes and assign them a different CPU priority: Realtime, High, AboveNormal, Normal (default), BelowNormal, Low.
· Monitor different counters depending on the function of the server:
  · Application server: monitor processor and memory
  · Web server: monitor memory and network performance (for busy web servers also processor and disk)
  · File and print server: monitor memory and disk
Active Directory

Concepts

· The directory database in AD is made up of objects.
· All objects have attributes that define the object.
· Containers group objects together (contain other objects); the default containers (Users, Computers, etc.) cannot have Group Policy linked to them, only sites, domains and OUs can.
· Domain controllers participate in multi-master replication (any DC accepts changes and replicates them to the others).
· X.500 – naming standard that lets different directory services communicate using common naming conventions.
· LDAP (Lightweight Directory Access Protocol) – the protocol standard used for querying and updating a directory service.
· Logical structure of a domain – the way the domain is organized for administrative purposes.
· Object – an item representing a user, group, printer, computer, etc., with attributes that define it:
  · Computer – represents a computer that is a member of the domain (called a computer account in NT)
  · Contact – represents user information without an actual security account
  · Group – can contain users, computers and other groups
  · Printer – represents a network printer published in the directory (pointer to the printer share)
  · User – security principal in the directory
  · Shared Folder – pointer to a network share published in the directory
· OU (organizational unit) – a container that can have a GPO (Group Policy Object) linked to it.
· Domain – a group of computers that share a common security and user database.
· Tree – a logical structure of more than one domain sharing a contiguous naming hierarchy.
· Forest – one or more trees that do not share the same domain namespace (a single domain is also a forest).
· Policies restrict users from certain actions; permissions restrict access to resources.
· Distinguished Name (DN) – interpreted by X.500 and LDAP, identifies the location of an object in the directory (ex: CN=JohnDoe,CN=Users,DC=domain,DC=com).
· Relative Distinguished Name (RDN) – the part of the DN that names the object within its parent container (ex: CN=JohnDoe), enough once LDAP has already narrowed the search to that container.
· User Principal Name (UPN) – the user's logon name in e-mail form (ex: johndoe@domain.com).
· Down-level logon name (for NT compatibility) (ex: domain\JohnDoe).
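The naming forms above are easy to get wrong when a program takes them apart with a plain split on commas. The following is an added example, not code from the original notes: a small RFC 2253-style DN parser that honours backslash escapes, with helpers that derive the RDN, the domain's DNS name, the UPN and the down-level logon name. The DN, the domain.com suffix and the logon names are the notes' own placeholders; the NetBIOS name of the domain is assumed to be the first DNS label upper-cased, which is only a convention (the real name is chosen at dcpromo time), so it can be passed in explicitly. The last function shows why the naive split matters: a CN that contains an escaped comma can make a naive parser read a different domain than the one the object really lives in.

```python
# Added example: parsing Active Directory names (not code from the original notes).
# The DN, the domain suffix and the logon names are the notes' placeholders.

SAMPLE_DN = "CN=JohnDoe,CN=Users,DC=domain,DC=com"


def parse_dn(dn):
    """Split an LDAP distinguished name into a list of (type, value) RDNs.

    Honours backslash escapes, so a comma inside a value (CN=Doe\\, John)
    does not start a new RDN.  Multi-valued RDNs (a+b), which AD does not
    use, are rejected rather than silently mis-parsed.
    """
    pairs = []
    typ, buf, escaped = None, "", False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and typ is None:  # first unescaped '=' ends the attribute type
            typ, buf = buf.strip().upper(), ""
        elif ch == "+":
            raise ValueError("multi-valued RDN not supported: %r" % dn)
        elif ch == ",":                  # unescaped comma ends the RDN
            if typ is None:
                raise ValueError("RDN without '=': %r" % buf)
            pairs.append((typ, buf.strip()))
            typ, buf = None, ""
        else:
            buf += ch
    if escaped or typ is None:
        raise ValueError("malformed DN: %r" % dn)
    pairs.append((typ, buf.strip()))
    return pairs


def rdn(dn):
    """The Relative Distinguished Name: the first RDN of the DN."""
    typ, val = parse_dn(dn)[0]
    return "%s=%s" % (typ, val)


def domain_dns_name(dn):
    """DNS name of the domain the object lives in, from its DC components."""
    labels = [val for typ, val in parse_dn(dn) if typ == "DC"]
    if not labels:
        raise ValueError("DN has no DC components: %r" % dn)
    return ".".join(labels)


def upn(dn, logon_name):
    """User Principal Name.  The logon name is a separate attribute and cannot
    be derived from the CN, so the caller supplies it."""
    return "%s@%s" % (logon_name, domain_dns_name(dn))


def downlevel_logon_name(dn, logon_name, netbios_domain=None):
    """domain\\user form.  Assumption: without an explicit NetBIOS name, use
    the first DNS label upper-cased (the real name is set at dcpromo time)."""
    if netbios_domain is None:
        netbios_domain = domain_dns_name(dn).split(".")[0].upper()
    return "%s\\%s" % (netbios_domain, logon_name)


def naive_domain_dns_name(dn):
    """What str.split(',') gives you: wrong as soon as a value contains an
    escaped comma, which anyone who controls a CN can arrange."""
    return ".".join(p.split("=", 1)[1] for p in dn.split(",")
                    if p.upper().startswith("DC="))


if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))
    print(rdn(SAMPLE_DN), domain_dns_name(SAMPLE_DN))
    print(upn(SAMPLE_DN, "johndoe"), downlevel_logon_name(SAMPLE_DN, "JohnDoe"))
    hostile = r"CN=x\,DC=evil,DC=domain,DC=com"
    print(naive_domain_dns_name(hostile), "vs", domain_dns_name(hostile))
```

Anything that grants access based on which domain a DN belongs to (a trust check, a delegation script) should use the escape-aware parser; the naive version reports evil.domain.com for the hostile DN above while the object actually lives in domain.com.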
· The schema – the set of rules for objects and attributes. It defines the attributes available on each object class and is consulted every time a new object is added to the directory.
· Physical structure of a domain – defined by the location of computers and the network connections between them. It determines network traffic and how replication is configured and managed.
· Site – a combination of one or more IP subnets connected by a high-speed link.
· Logon first tries a DC in the client's local site.
· Member server – a Windows 2000 server that belongs to a domain but is not a domain controller.
· Domain controller – holds a writable copy of the Active Directory database.
· Global Catalog (GC) server – a domain controller that also holds a partial replica of every object in the forest. The GC resolves universal group membership and UPN logons at logon time and serves forest-wide searches; in native mode a GC must be reachable for a domain logon to succeed.
· Each site should have at least one GC server (two recommended for redundancy).
· Operations masters (only one of each per domain or per forest):
  · Forest-wide:
    · Schema Master – responsible for maintaining and distributing the schema to the rest of the forest
    · Domain Naming Master – records additions and deletions of domains in the forest
  · Domain-wide:
    · Relative Identifier (RID) Master – assigns blocks of RIDs to every DC in the domain (a security principal's SID is the domain SID plus a RID)
    · PDC Emulator – acts as the PDC for NT 4 BDCs and down-level clients; it also receives password changes first and is consulted when a logon fails with a bad password
    · Infrastructure Master – updates cross-domain object references (e.g. group members from other domains) when those objects are renamed or moved; should not run on a GC server unless every DC in the domain is a GC
· Trust – agreement between domains that allows accounts from one domain to be granted access and permissions to the other's resources.
· Two-way transitive trusts are the default in Windows 2000 – trust carries from domain to domain within the forest (Kerberos).
· One-way non-transitive trusts are for compatibility with NT 4 domains and for external domains.
· Replication:
  · Inter-site replication (between sites) runs by default every 3 hours (configurable between 15 minutes and 7 days).
  · Intra-site replication (between DCs within a site) is driven by change notification; by default a DC notifies its partners 5 minutes after a change (can be between ?? and ??).
  · Replication traffic between sites is compressed; replication traffic within a site is uncompressed.
· There are two domain modes (the switch from mixed to native is one way!):
  · Mixed mode – (default) supports both Win2000 and pre-Win2000 domain controllers
  · Native mode – supports only Win2000 domain controllers
· Administration:
  · Administration of AD is done with the Active Directory Users and Computers MMC snap-in.
  · Install the AD administrative tools from Adminpack.msi in the i386 directory of the Win2K Server CD-ROM (for computers that do not have the tools locally).
  · You can export AD information to a comma- or tab-separated text file (right-click a container, choose Export List).
  · Default containers – the following are created by default in AD (View / Advanced Features shows the advanced ones); only Domain Controllers is an OU, the rest are plain containers and cannot have Group Policy linked to them:
    · Builtin – contains the built-in security groups
    · Computers – contains computer accounts (mostly upgraded from a pre-Win2K domain or joined with default settings, since normally you place them into OUs)
    · Domain Controllers – OU containing the domain controllers
    · ForeignSecurityPrincipals – contains the SIDs of security principals from trusted external domains
    · LostAndFound – contains orphaned objects (Advanced)
    · System – container with system settings such as policies, file replication, IP security, DNS, RAS and other settings (Advanced)
    · Users – contains user accounts and groups (again, usually upgraded or default accounts, since normally you place them into organized OUs)
  · Delegation of Control Wizard – assigns permissions to users and groups to manage selected OUs in AD without giving them administrator rights to the whole domain.
  · Windows 95/98 clients can install the Active Directory Client Extension to use AD features such as site-aware logon and NTLMv2 (the client is on the Win2K Server CD in \clients\win9x\dsclient.exe).
  · Default location of the Active Directory database store: C:\WINNT\NTDS (ntds.dit and its log files).
  · Administrators can create OUs anywhere in the domain.
Users and Groups

· Default users (placed in the Users container):
  | Name | Default state | Description / properties |
  | Administrator | Enabled | Default account to administer the local computer and domain. Cannot be disabled; cannot be deleted; can (and should) be renamed. |
  | Guest | Disabled | Default account used for guest access – limited access to the system. Cannot be deleted. |
  | IUSR_<ComputerName> | Enabled | Anonymous access account used by IIS; anonymous requests to IIS are impersonated under this account. Installed only if IIS is installed. |
  | IWAM_<ComputerName> | Enabled | Used by IIS to run out-of-process web applications. Installed only if IIS is installed. |
  | krbtgt | Disabled | Account of the Kerberos Key Distribution Center (KDC) service; its password is the key that protects ticket-granting tickets. |
  | TsInternetUser | Enabled | Account used by the Terminal Services Internet Connector license. If Internet Connector licensing is enabled, clients are not prompted with a logon dialog box; they are logged on automatically as TsInternetUser. |
· The following tabs are available when editing the properties of a user:
  · General – name, description, telephone number, e-mail address, etc.
  · Address – postal address
  · Account – logon names and account options (password restrictions, logon hours, logon workstations, expiration, etc.)
  · Profile – profile path, logon script, home directory
  · Telephones – the user's telephone numbers
  · Organization – title, department, company, manager, etc.
  · Published Certificates – X.509 certificates issued to this user (Advanced only)
  · Member Of – list of groups this user belongs to
  · Dial-in – remote access options
  · Object – information about the user's AD object (Advanced only)
  · Security – security permissions (ACL) on this user's object (Advanced only)
  · Environment – Terminal Services start-up program and client device settings
  · Sessions – Terminal Services time-out and reconnection settings
  · Remote Control – Terminal Services remote control settings
  · Terminal Services Profile – Terminal Services profile path and home directory; settings here apply only when the user logs on via TS.
· User profiles – collection of folders and data that stores the user's desktop environment, application settings and personal data.
  · Local user profile – stored locally (in C:\Documents and Settings\<username>, or in C:\WINNT\Profiles\<username> if the system was upgraded from NT 4).
  · Roaming user profile – stored on a network server and accessible from any computer in the domain (the user keeps the same settings regardless of which computer they log on to).
  · To make a local profile roaming, copy it to a network share using the User Profiles tab in System Properties, then point the Profile tab in the user's properties to that location.
  · Mandatory profile – same as roaming but read-only: the user always gets the same settings and changes are discarded at logoff. Rename NTUSER.DAT to NTUSER.MAN to make one.
· Types of groups – a group is a collection of user accounts (and of computers or other groups). Two types of groups:
  · Security groups – used to simplify management and the assignment of permissions (they have a SID and can appear in ACLs).
  · Distribution groups – used for e-mail distribution only; they cannot be granted permissions.
· Group scopes (three scopes):
  · Domain Local – can include members from ANY DOMAIN. Can be granted access only to LOCAL DOMAIN resources.
  · Global – can include members from the LOCAL DOMAIN only. Can be granted access to resources in ANY DOMAIN of the forest.
  · Universal – (security groups only in native mode) can include members from ANY DOMAIN. Can be granted access to resources in ANY DOMAIN. Membership is stored in the global catalog.
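The scope rules above, including how nesting changes between mixed and native mode, are easier to reason about as a checker than as a table. The following is an added example, not code from the original notes or from Microsoft: a small model that refuses invalid nestings, says where a group can meaningfully appear in an ACL, and flattens nested membership to the users who actually get access. The two domains A and B, the users, the group names and the AGDLP layout in the demo are constructed.

```python
# Added example: Windows 2000 group scope and nesting rules (not code from the
# original notes).  Domains A and B, the groups and the users are constructed.
from dataclasses import dataclass, field

MIXED, NATIVE = "mixed", "native"
USER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "user", "global", "domain_local", "universal"


@dataclass
class Principal:
    name: str
    domain: str
    kind: str                      # USER, GLOBAL, DOMAIN_LOCAL or UNIVERSAL
    members: list = field(default_factory=list)


def nesting_error(group, member, mode):
    """Return None if `member` may be added to `group`, else the rule it breaks."""
    same_domain = group.domain == member.domain
    if mode == MIXED and UNIVERSAL in (group.kind, member.kind):
        return "universal security groups exist only in native mode"
    if member.kind == DOMAIN_LOCAL and group.kind != DOMAIN_LOCAL:
        return "a domain local group can be nested only in a domain local group"
    if group.kind == GLOBAL:
        if not same_domain:
            return "a global group takes members from its own domain only"
        if member.kind == UNIVERSAL:
            return "a global group cannot contain a universal group"
        if member.kind == GLOBAL and mode == MIXED:
            return "global-in-global nesting needs native mode"
    if group.kind == DOMAIN_LOCAL and member.kind == DOMAIN_LOCAL:
        if mode == MIXED:
            return "domain-local-in-domain-local nesting needs native mode"
        if not same_domain:
            return "domain local groups nest only within their own domain"
    return None


def add_member(group, member, mode):
    err = nesting_error(group, member, mode)
    if err:
        raise ValueError("%s -> %s: %s" % (member.name, group.name, err))
    group.members.append(member)


def can_hold_permissions_in(group, resource_domain):
    """Where an ACE for this group is meaningful: a domain local group only in
    its own domain, global and universal groups anywhere in the forest."""
    if group.kind == DOMAIN_LOCAL:
        return group.domain == resource_domain
    return group.kind in (GLOBAL, UNIVERSAL)


def effective_users(group, _seen=None):
    """Flatten nested membership to the set of user names (cycle-safe)."""
    _seen = set() if _seen is None else _seen
    users = set()
    for m in group.members:
        if m.kind == USER:
            users.add(m.name)
        elif id(m) not in _seen:
            _seen.add(id(m))
            users |= effective_users(m, _seen)
    return users


def agdlp_demo(mode=NATIVE):
    """Accounts -> Global group -> Domain Local group -> Permissions, across two domains."""
    alice = Principal("alice", "A", USER)
    bob = Principal("bob", "A", USER)
    sales = Principal("Sales", "A", GLOBAL)
    share_rw = Principal("SalesShare-RW", "B", DOMAIN_LOCAL)
    add_member(sales, alice, mode)
    add_member(sales, bob, mode)
    add_member(share_rw, sales, mode)    # cross-domain: fine for a global group
    return share_rw


if __name__ == "__main__":
    dl = agdlp_demo()
    print(sorted(effective_users(dl)),
          can_hold_permissions_in(dl, "B"), can_hold_permissions_in(dl, "A"))
```

The demo is the AGDLP pattern the scopes are designed for: accounts go into a global group in their home domain, the global group goes into a domain local group in the domain that owns the resource, and only the domain local group appears in the ACL. Putting users from domain A straight into an ACL in domain B works too, but then every move or departure has to be fixed on every resource.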
· Built-in local security groups (placed in the Builtin container):
  · Account Operators – can administer domain user and group accounts (but not administrative accounts)
  · Administrators – complete access to the computer and domain
  · Backup Operators – can override security restrictions to back up or restore files
  · Guests – limited access group
  · Pre-Windows 2000 Compatible Access – read access to all users and groups in the domain (Everyone is a member if the domain was installed with permissions compatible with pre-Windows 2000 servers; remove it once the NT 4 RAS servers are gone)
  · Print Operators – can administer printers
  · Replicator – supports file replication in the domain
  · Server Operators – can administer domain servers
  · Users – regular access group; members are prevented from making accidental system-wide changes
· Default domain local groups:
  · DHCP Administrators (installed only if DHCP is installed) – can administer the DHCP service
  · DHCP Users (installed only if DHCP is installed) – can view the DHCP service configuration
  · DnsAdmins (installed only if DNS is installed) – can administer the DNS service
  · RAS and IAS Servers – servers in this group can read the remote access properties of users
· Default global groups:
  · Cert Publishers – members (enterprise CAs) can publish certificates to user objects in the directory
  · DnsUpdateProxy – DNS clients permitted to perform dynamic updates on behalf of other clients (such as DHCP servers)
  · Domain Admins – can administer the domain (member of the local Administrators group on every domain member)
  · Domain Computers – all workstations and servers joined to the domain
  · Domain Controllers – the domain controllers in the domain
  · Domain Guests – guest users
  · Domain Users – all user accounts; regular access to the domain
  · Group Policy Creator Owners – can create and modify Group Policy Objects in the domain
· Default universal groups:
  · Enterprise Admins – members have administrative authority in every domain in the forest
  · Schema Admins – members are the only administrators who can modify the AD schema
Group
Policy is feature of AD that enables to centrally manage and control desktops
and user experience.
·
Collection
of Group Policy settings are saved in a GPO.
·
GPOs can be
applied to following objects (and are applied in that order):
Local Computer,
Site,
Domain, OU -- (LSDOU)
·
Group
Policies replace System Policy Editor from Windows NT
·
To apply
GPO to computer use Group Policy MMC.
·
To apply
GPO to site use Active Directory Sites and
Services MMC
·
To apply
GPO to domain or OU use
Active Directory Users and Computers
MMC
·
GPOs are
inherited from parent OUs – the inheritance can be blocked per OU.
·
Lower GPOs
override previous GPOs – the
override can be disabled per each
GPO.
·
Each GPO
has two sections: computer configuration and user
configuration (they can be disabled per each GPO)
·
Computer configuration
applies to every computer object in the OU
(is applied
first)
·
User configuration
applies to every user object in the OU
·
Multiple
GPOs per OU are applied in the order they appear in the Group Policy tab.
·
To limit the scope of group policy from
being applied to certain users or groups use the
Security tab in
Properties box for a GPO. The following permissions must be set to true in order
for the GPO to be applied to that object:
Read and Apply Group Policy
·
GPOs are
applied when: Computer is booted,
user logs in,
user or application requests update (using:
secedit /refreshpolicy
<name> command), policy
interval has been reached (parameter in Computer Configuration section of
the policy – not
implemented by default)
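The LSDOU order, Block Policy Inheritance, No Override and security filtering interact, and the resulting policy is not always obvious. The following is an added example, not code from the original notes or from Microsoft: a model that takes the chain of containers a computer or user sits in and returns the effective settings together with the GPO that supplied each one. The site, domain and OU names, the GPO names, the settings and the group names are constructed; the model also assumes that the local GPO is always processed and is not affected by a lower container's Block Policy Inheritance.

```python
# Added example: a model of Windows 2000 Group Policy application order
# (not code from the original notes).  Container names, GPO names, settings
# and group names are constructed.
from dataclasses import dataclass, field

AUTHENTICATED_USERS = "Authenticated Users"


@dataclass
class GPO:
    name: str
    settings: dict                      # setting name -> value
    no_override: bool = False           # "No Override" on the link
    apply_to: frozenset = frozenset({AUTHENTICATED_USERS})  # groups holding Read + Apply Group Policy
    disabled: bool = False


@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)   # order of the Group Policy tab, top entry first
    block_inheritance: bool = False            # "Block Policy Inheritance"


def resultant_policy(chain, groups):
    """Effective settings for a target whose group memberships are `groups`.

    `chain` is the LSDOU path [local, site, domain, OU, sub-OU, ...].
    Assumption: the local GPO (level 0) is always processed; Block Policy
    Inheritance only discards GPOs linked in AD above the blocking container.
    """
    block_from = max([i for i, c in enumerate(chain) if c.block_inheritance] or [0])
    ordinary, enforced = [], []
    for level, container in enumerate(chain):
        for gpo in reversed(container.gpos):   # bottom of the list first, top applied last
            if gpo.disabled or not (gpo.apply_to & groups):
                continue                       # security filtering: no Apply Group Policy right
            if gpo.no_override:
                enforced.append(gpo)           # immune to blocking
            elif level == 0 or level >= block_from:
                ordinary.append(gpo)
    # Ordinary GPOs: later (lower) overwrites earlier.  No Override GPOs come
    # last and in reverse order, so the higher-level enforced link wins a conflict.
    result, winner = {}, {}
    for gpo in ordinary + enforced[::-1]:
        for key, value in gpo.settings.items():
            result[key] = value
            winner[key] = gpo.name
    return result, winner


def demo_chain():
    local = Container("Local", [GPO("Local GPO", {"min_pw_len": 0, "wallpaper": "none"})])
    site = Container("HQ site", [GPO("Site Proxy", {"proxy": "proxy.hq"})])
    domain = Container("example.com", [
        GPO("Default Domain Policy", {"min_pw_len": 8, "lockout": 5}, no_override=True),
        GPO("Corp Wallpaper", {"wallpaper": "corp.bmp"}),
    ])
    sales = Container("Sales OU", [
        GPO("Sales Top", {"screensaver": "on"}),                  # top of the list: highest priority
        GPO("Sales Bottom", {"screensaver": "off", "min_pw_len": 4}),
    ], block_inheritance=True)
    return [local, site, domain, sales]


if __name__ == "__main__":
    settings, source = resultant_policy(demo_chain(), {AUTHENTICATED_USERS})
    for key in sorted(settings):
        print("%-12s = %-8s (from %s)" % (key, settings[key], source[key]))
```

In the demo the Sales OU blocks inheritance, so the site proxy and the corporate wallpaper never arrive, but the No Override on the Default Domain Policy still forces the 8-character minimum over the OU's attempt to set 4; and of the two Sales GPOs the one at the top of the list wins the screensaver setting. Marking the domain password and lockout policy No Override is exactly how you stop an OU administrator from weakening it.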
· Site policy is stored in the forest root domain. Consider the traffic required for each child domain to reach the root domain to retrieve the site policy.
· You must be a member of Enterprise Admins to create and link a site policy.
Local Security
Policy – used to secure local computer.
o
Configure and apply Local Security Policy using
Local Security Policy MMC
o
There are four (4) sections in local policy:
§
Account Policies
– used to control security settings associated with currently
logged in user – password settings, account lockouts etc.
·
Password Policy
– used to determine minimum and maximum password length, when users
need to change passwords, etc.
·
Account Lockout
Policy
– used to
determine settings related to locking out user for unsuccessful login attempts
·
Kerberos Policy – kerberos specific settings (enabled only if machine is a member
server or domain controller)
§
Local Policies
– system security settings including:
·
Audit Policy – used to
determine which security events are logged in the Event Viewer
·
User Rights
Assignment – used to determine the
tasks user can perform on the local system
·
Security Options – used to
determine how to protect local system from intrusion
§
Public Key Policies
– settings related to data encryption (including default recovery
agent certificate)
§
IP Security Policies
– IPSec configuration for the local sysytem
·
Domain Security
Policy - used to secure all computers in a domain.
o
Configure and apply using
Domain Security Policy MMC
o
In addition to same four (4) sections as in Local Security Policy (Account
Policies, Local Policies, Public Key, IP Security) it adds the following five
(5) sections:
§
Event Log
– configures
how logs are maintained
§
Restricted Groups – defines members of restricted groups
§
System Services – allows to specify which serves should be started or stopped on a
system
§
Registry – enables
security to be set on registry keys
§
File System – security on
the local file system
·
Security
Configuration and Analysis (MMC Snap-In or SECEDIT.EXE – command
line) snap-in allows to capture security settings of a system as a database
which can be re-applied when configuration changes and exported to other systems
or saved as a template – High Security template can be applied)
o
There are 13 default templates stored in
WINNT\SECURITY\TEMPLATES directory. Here are some examples:
§
BASICDC.INF
– Default Security Settings for Windows 2000 Domain
Controllers
§
BASICSV.INF – Default
Security Settings. User Rights\Restricted Groups not included. (Windows 2000
Server)
§
HISECDC.INF – Assumes clean-install NTFS file\reg
ACLs. Includes SecureDC settings with Windows 2000-only enhancements. Empties
Power Users group.
o
Use
Security Templates
MMC snap-in to configure and manage security templates.
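The templates are plain .inf files, which makes the "analyze" step easy to reproduce outside the snap-in, for instance in a script that checks a fleet against a baseline. The following is an added example, not code from the original notes or from the Security Configuration and Analysis tool itself: it reads a template in the .inf layout and reports, per setting, whether a system matches, differs or has nothing configured. The template text and the snapshot of the system's current settings are constructed; the sections and key names follow the real template format, and the two SIDs are the well-known BUILTIN\Administrators (S-1-5-32-544) and BUILTIN\Server Operators (S-1-5-32-549).

```python
# Added example: reading a security template (.inf) and comparing it with a
# system's settings, as Security Configuration and Analysis does (not code
# from the original notes).  TEMPLATE and CURRENT are constructed.
import configparser

# Constructed template in the layout of %SystemRoot%\Security\Templates\*.inf
TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

AUDIT_FLAGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}
CHECKED_SECTIONS = ("System Access", "Event Audit", "Privilege Rights", "Registry Values")


def load_template(text):
    """Parse .inf text into {section: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str          # keys are privilege names / registry paths: keep their case
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _normalize(section, value):
    if section == "Privilege Rights":        # a list of SIDs: order does not matter
        return frozenset(s.strip() for s in value.split(",") if s.strip())
    return value.strip()


def analyze(template, current):
    """Compare a template against the system's current settings.

    Returns (section, key, expected, actual, status) tuples; status is
    'match', 'mismatch' or 'not configured' (the key is absent on the system).
    """
    findings = []
    for section in CHECKED_SECTIONS:
        for key, expected in template.get(section, {}).items():
            actual = current.get(section, {}).get(key)
            if actual is None:
                status = "not configured"
            elif _normalize(section, actual) == _normalize(section, expected):
                status = "match"
            else:
                status = "mismatch"
            findings.append((section, key, expected, actual, status))
    return findings


def failures(findings):
    return [f for f in findings if f[4] != "match"]


def describe_audit(value):
    """Decode an [Event Audit] value: bit 0 = audit success, bit 1 = audit failure."""
    return AUDIT_FLAGS[int(value)]


# Constructed snapshot of a system that has drifted from the template.
CURRENT = {
    "System Access": {"MinimumPasswordLength": "6", "PasswordComplexity": "1", "LockoutBadCount": "0"},
    "Event Audit": {"AuditLogonEvents": "1"},
    "Privilege Rights": {"SeRemoteShutdownPrivilege": "*S-1-5-32-544,*S-1-5-32-549"},
    "Registry Values": {},
}

if __name__ == "__main__":
    for section, key, expected, actual, status in analyze(load_template(TEMPLATE), CURRENT):
        print("%-15s %-16s %s: expected=%s actual=%s" % (status, section, key, expected, actual))
```

The snapshot shows the typical drift the snap-in flags with a red X: a shorter password minimum, lockout switched off, logon auditing reduced to successes only, an extra group (Server Operators) allowed to shut the server down remotely, and SMB signing never configured. Applying the template with secedit /configure would put every one of these back.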
· NTFS file security – only the NTFS file system supports file and folder permissions (FAT and FAT32 have none).
  o Auditing
    § By default auditing is turned off.
    § Local auditing is configured through the Local Security Settings MMC snap-in; for domain members the Domain Security Policy (Group Policy) overrides the local setting.
    § Audit Policy has nine event categories (account logon, account management, directory service access, logon events, object access, policy change, privilege use, process tracking, system events), each of which can be audited for success, failure or both. The ones most commonly enabled:
      · File and folder access (object access)
      · Logons and logoffs (logon events, account logon)
      · System shutdowns and restarts (system events)
      · Changes to user and group accounts (account management)
      · Changes to Active Directory objects (directory service access; on domain controllers)
    § To audit file or folder access, first enable "Audit object access" in the policy, then configure the individual files or folders (Properties / Security / Advanced / Auditing) with the users and actions to audit; without the second step nothing is logged.
    § Use Event Viewer to display audited events (when auditing is enabled). Audit events are reported in the Security log.
  o EFS (Encrypting File System)
    § EFS uses public/private key cryptography: each file is encrypted with a random symmetric File Encryption Key (FEK), and the FEK is encrypted with the user's public key (the certificate and key are visible in the Certificates MMC snap-in).
    § You can compress or encrypt a file, but not both.
    § Files remain encrypted when renamed, moved, copied or backed up as long as they stay on NTFS volumes (NTBACKUP stores them in encrypted form).
    § Cipher.exe is the command-line utility to encrypt or decrypt files. Most important cipher.exe parameters: /e encrypt, /d decrypt, /s:dir apply to the directory and its subdirectories, /k create a new file encryption key (certificate) for the user running cipher, /h include files with the hidden or system attribute.
    § Only the user who encrypted the file or a DRA (Data Recovery Agent) can decrypt it. Default DRAs are:
      · the local Administrator account (standalone, non-domain computers)
      · the domain Administrator account of the first domain controller (domain member servers and workstations; its recovery certificate is in the Default Domain Policy under Public Key Policies)
    § Encrypted files moved or copied to another NTFS folder remain encrypted (the FEK stays wrapped with the owner's public key). Moved or copied to a non-NTFS volume or a floppy they are written in clear text.
    § Users who did not encrypt the file get Access Denied when trying to copy it, or to move it to a non-NTFS volume or to a different NTFS volume (both are really a copy, which requires reading the data). They can move it within the same volume, which is only a rename.
    § Encrypted files can be made available offline, but the copy in the offline cache is not encrypted in Windows 2000.
· IPSec policy engine provides a very effective means to secure a network interface and enable secure communication between computers.
  § Supports IP filtering (permitting only specific ports, protocols or IP addresses) and authenticated, encrypted traffic (AH, ESP). Peers authenticate with Kerberos (domain members), certificates or a preshared key, and session keys are negotiated with IKE; a preshared key is stored readably in the registry, so prefer Kerberos or certificates.
  § Configure IPSec rules using the IP Security Policies MMC snap-in (three built-in policies: Client (Respond Only), Server (Request Security), Secure Server (Require Security)).
Windows 2000 Networking

· The W2K network architecture is based on the OSI model (Open Systems Interconnection), although it does not map directly to every OSI layer.
· OSI consists of 7 layers: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical.
· The W2K network architecture consists of 3 layers separated by 2 boundary layers:
  · Network application interfaces (DHCP, DNS, WINS, Server and Workstation services, etc.)
  · Transport Driver Interface (TDI) <- boundary layer
  · Core transport protocol stack (TCP/IP, IPX/SPX, NetBEUI; VPN protocols PPTP, L2TP, IPSec, etc.)
  · Network Driver Interface Specification (NDIS) <- boundary layer
  · Network adapters and drivers (Ethernet, Token Ring, Frame Relay, X.25, ATM, etc.)
· Adapter (NIC or modem) – the device that allows communication with other hosts on the network.
· Driver – allows the OS to communicate with the hardware device.
· Protocol – a standard for how information is exchanged on the network.
· TCP/IP – installed by default – the main network protocol in W2K.
· Site with a clear explanation of TCP/IP addressing and subnetting: http://www.learntosubnet.com/
· IP address – used by TCP/IP to send and receive network traffic. Each machine on the network needs a unique IP address. An IP (v4) address is a 32-bit number identifying each host.
· Subnet mask – a 32-bit number that marks which part of the address is the network and therefore which network segment the computer is on. Computers on the same segment can communicate without a default gateway.
· Default gateway – the IP address of a router that (through a routing table or routing protocols) knows how to reach hosts on other networks. The router routes TCP/IP traffic between networks (subnets).
· IP addresses are grouped in blocks to form address classes:
  · Class A – addresses whose first octet is 1-126 (default subnet mask 255.0.0.0)
  · Class B – first octet 128-191 (default subnet mask 255.255.0.0)
  · Class C – first octet 192-223 (default subnet mask 255.255.255.0)
· Special private IP networks (not routed on the Internet; RFC 1918 ranges plus APIPA):
  o 10.0.0.0 - 10.255.255.255
  o 169.254.0.0 - 169.254.255.255 (APIPA – Automatic Private IP Addressing, self-assigned when no DHCP server answers)
  o 172.16.0.0 - 172.31.255.255
  o 192.168.0.0 - 192.168.255.255
  o The whole 127.0.0.0/8 network is reserved for loopback and is not valid on the wire; 127.0.0.1 is the address normally used to test the local TCP/IP stack.
· Troubleshoot TCP/IP with IPCONFIG /ALL to display the configuration and PING to check connectivity (first ping localhost 127.0.0.1, then the IP address of the local PC, then another host on the same subnet, then the default gateway, and finally a remote computer on another network).
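The class, private-range and "same subnet" decisions above are where most misconfigurations hide (a gateway that is not on the local subnet, a server that silently came up on an APIPA address). The following is an added example, not code from the original notes: it computes the class and default mask, classifies an address as loopback, APIPA, private or public, decides whether two hosts share a subnet under a given mask, sanity-checks a gateway and produces the ping sequence from the troubleshooting bullet. The addresses in the demo are constructed.

```python
# Added example: classful addressing, private ranges and the "same subnet"
# decision from the notes above (not code from the original notes).  The
# addresses used in the demo are constructed.
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
CLASS_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip):
    first = int(ipaddress.ip_address(ip)) >> 24      # first octet
    if first == 0 or first == 127:
        return "reserved"
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"           # multicast
    return "E"               # experimental


def default_mask(ip):
    """Classful default mask, or None for classes without one."""
    return CLASS_MASKS.get(address_class(ip))


def classify(ip):
    a = ipaddress.ip_address(ip)
    if a in LOOPBACK:
        return "loopback"
    if a in APIPA:
        return "APIPA"
    if any(a in n for n in PRIVATE_RANGES):
        return "private"
    return "public"


def same_subnet(ip1, ip2, mask):
    """True if both hosts fall in the network ip1/mask, i.e. no gateway needed."""
    net = ipaddress.ip_network("%s/%s" % (ip1, mask), strict=False)
    return ipaddress.ip_address(ip2) in net


def check_gateway(ip, mask, gateway):
    """Return None if the configuration can route, else the problem found."""
    if classify(ip) == "APIPA":
        return "APIPA address: no DHCP server answered, routing will not work"
    if not same_subnet(ip, gateway, mask):
        return "default gateway %s is not on the local subnet" % gateway
    return None


def ping_sequence(ip, mask, gateway, remote):
    """The troubleshooting order from the notes; the gateway step is only
    needed when the remote host is off the local subnet."""
    steps = ["127.0.0.1", ip]
    if not same_subnet(ip, remote, mask):
        steps.append(gateway)
    steps.append(remote)
    return steps


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.20.1.1", "192.168.1.10", "169.254.7.7", "8.8.8.8"):
        print(ip, address_class(ip), default_mask(ip), classify(ip))
    print(check_gateway("192.168.1.10", "255.255.255.0", "192.168.2.1"))
    print(ping_sequence("192.168.1.10", "255.255.255.0", "192.168.1.1", "10.0.0.5"))
```

Note that 172.20.1.1 is class B by its first octet but private by RFC 1918 (172.16.0.0/12 is not a class boundary), and that a classful default mask is only a starting point: the mask actually configured on the interface is what decides whether the gateway is reachable.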
·
NWLink – used to
communicate with Novell servers using IPX/SPC protocol
·
Frame type
– is the
format how packets are sent/received. To communicate with each other systems
need to have same frame type. NWLink supports Ethernet 802.2, Ethernet 802.3,
Ethernet II, and Ethernet SNAP.
·
Network number – is the number
that identifies each network. (similar to subnet in TCP/IP)
·
Internal network
number
– unique 8 digit hex ID that identifies each server.
·
NWLink automatically detects network number and frame type.
·
To install NWLink add
“NWLink IPX/SPX/NetBIOS Compatible
Transport Protocol” to the specified interface.
“NWLink NetBIOS” protocol will be
added automatically.
·
AppleTalk
·
SLC
·
NetBEUI
· Client Service is the software for a specific protocol that helps computers communicate with each other. The following services can be installed through “Add/Remove Windows Components” in the Control Panel.
· Client for Microsoft Networks – installed by default
· File and Printer Sharing for Microsoft Networks – installed by default
· COM Internet Proxy – allows DCOM to use the HTTP protocol when executing remote objects
· DNS (Domain Name System) – allows resolution of names to IP addresses.
· W2K DNS server supports SRV (Service) records (required for Active Directory). SRV records allow the use of several servers for a single DNS domain: DNS clients that use an SRV-type query ask for a specific TCP/IP service and protocol mapped to a specific DNS domain and receive the names of any available servers. (RFC 2052)
· W2K DNS server supports dynamic DNS updates. When a new client computer obtains an IP address from the DHCP server, DNS is automatically updated with the appropriate entry resolving to the new IP address.
· Active Directory integrated zones allow replication of DNS information throughout the domain.
· DNSCMD.EXE command line utility to perform DNS administration (install from \SUPPORT\TOOLS\SUPPORT.CAB on the CD-ROM)
· DHCP (Dynamic Host Configuration Protocol) – allows automatic assignment of IP addresses to computers on the network.
· Scope is a range of IP addresses configured through the DHCP MMC snap-in which are assigned automatically to the computers.
· Each scope can have different options: DNS, WINS server address, default gateway address, etc.
· Client computer obtains IP: 1) DHCP, if not available 2) APIPA, 3) then every 5 minutes checks for DHCP
· After configuring a DHCP scope you have to activate it.
· To pass DHCP requests through a router a DHCP/BOOTP Relay Agent must be running on the router.
· Internet Authentication Service – allows authentication and accounting for VPN and dial-in users through RADIUS and other protocols.
· QoS Admission Control Service – allows prioritizing network traffic to ensure quality of service
· Simple TCP/IP Services – installs the following services: Character Generator, Daytime, Discard, Echo, and Quote of the Day
· Site Server ILS Service – updates user directories with the latest user information on a TCP/IP network
· WINS (Windows Internet Name Service) – allows resolution of Windows names to IP addresses
· File Services for Macintosh – allows Mac users to access W2K file shares
· Print Services for Macintosh – allows Mac users to print to W2K printers
· Print Services for UNIX – allows UNIX computers to print to W2K printers
· NWLink protocol specific Client Services:
· Client Services for NetWare (CSNW) – allows the client to access file and print shares on Novell NetWare servers. If a user accesses a NetWare server often, install this service locally.
· Gateway Services for NetWare (GSNW) – allows other client computers to access NetWare file and print shares through the server running GSNW (this computer acts as a gateway). Use if you have many clients accessing NetWare resources rarely.
· GSNW installs CSNW and the NWLink protocol automatically.
· GSNW adds a control panel icon that allows configuring the “Gateway” account which is used to access the NetWare server on the client’s behalf.
· Troubleshoot GSNW using the NET VIEW /NETWORK:NW command to see if GSNW is installed.
· Win2K uses plug-and-play to automatically install drivers and configure settings when a new network adapter is installed.
· Server service fulfils requests for the system’s resources
· Workstation service manages the process of requesting resources.
· Modem is a network device used to connect to other machines over the dialup line.
· Use Disk Management MMC to configure storage and drives
· Two disk configuration types: basic storage (default for new drives) and dynamic storage.
· Basic storage has primary and extended partitions. Max 4 partitions (only 1 can be an extended partition) – you can create multiple logical partitions in the extended partition.
  o Basic disks store partition information in the MBR stored on the first sector of each disk.
  o Limited support for spanned, striped and mirrored logical volumes originally created on NT systems
· Dynamic storage does not use multiple partitions. Contains only one partition divided into separate volumes (no limit on volumes).
  o All dynamic disks in the computer belong to a disk group; each disk stores a replica of the same configuration data in a 1MB region at the end of each dynamic disk.
  o Only Win2K machines can access dynamic disks.
  o Dynamic disks can be repaired, regenerated, and resynchronized.
  o Five (5) types of dynamic volumes (only 3 in Win2K PRO):
    § Simple – disk space on a single disk (single area or multiple areas linked together)
      · Can be FAT, FAT32, or NTFS
      · Expanded to another disk becomes spanned
    § Spanned – disk space on multiple disks (min 2 - max 32)
      · Can be FAT, FAT32, or NTFS
      · Cannot be mirrored or striped
      · Extend only if no file system or NTFS
      · No portion of a spanned volume can be deleted without deleting the entire volume.
      · You can extend only if the volume was originally created on a dynamic disk – cannot extend if the volume was upgraded from basic to dynamic.
      · You cannot extend the system or boot volume.
    § Striped (RAID0) – stores data evenly distributed in stripes on 2 or more disks - improves access speed. (min 2 – max 32)
      · Requires at least 2 dynamic disks.
      · If one disk fails all data is lost, cannot be repaired
    § Mirrored (RAID1) – stores data on two drives (duplicate data on each drive).
      · Can only be created on a dynamic disk. On a basic disk it can be upgraded from NT4.
      · 50% disk overhead since data has to be written twice.
      · If one disk fails data is recovered from the second disk.
      · Cannot be extended
      · Repair procedure: click the Offline, Missing, or Errors disk and select Reactivate Disk.
        o If that does not help, highlight the volume and select Remove Mirror and then replace the disk
          § Click Add Mirror to add the new disk to the mirror.
      · Breaking a mirror does not lose the data.
    § Striped with parity (RAID-5) – stores data evenly distributed on drives in an array but parity information is stored for fault tolerance. Parity contains calculations used to recover data if one disk fails.
      · Requires at least 3 dynamic drives
      · Repair procedure: click the Offline, Missing, or Errors disk and select Reactivate Disk.
        o If that does not help, replace the bad disk, highlight the volume and select Repair Volume, choose the replacement disk
          § If on a basic disk, once replaced with another basic disk click on the volume (set) and Regenerate Parity.
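What "parity contains calculations used to recover data" means in practice, as an added example that is not from the study notes: data blocks are striped across n disks with one XOR parity block per stripe, a disk is taken away, and its contents are regenerated from the survivors (the operation behind Repair Volume / Regenerate Parity). The rotating parity position, the block size and the sample data are assumptions made for the illustration. The last function gives the usable-capacity fraction, so the mirror's 50% overhead from the notes can be compared with RAID-5's single parity block per stripe.

```python
"""XOR parity and single-disk recovery for a striped-with-parity (RAID-5) volume (added example)."""
from typing import List, Optional

BLOCK = 4  # bytes per block in this toy layout (assumption)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is the parity calculation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def stripe(data: bytes, disks: int) -> List[List[bytes]]:
    """Return one block list per disk; each stripe holds disks-1 data blocks and 1 parity block."""
    if disks < 3:
        raise ValueError("RAID-5 requires at least 3 dynamic disks")
    data_blocks = disks - 1
    stripe_bytes = BLOCK * data_blocks
    padded = data + b"\0" * (-len(data) % stripe_bytes)   # pad to whole stripes
    layout: List[List[bytes]] = [[] for _ in range(disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(data_blocks)]
        parity_disk = s % disks           # rotate the parity block across disks
        it = iter(blocks)
        for d in range(disks):
            layout[d].append(xor_blocks(blocks) if d == parity_disk else next(it))
    return layout


def read_data(layout: List[List[bytes]]) -> bytes:
    """Reassemble the data by skipping the parity block in every stripe."""
    disks = len(layout)
    out = bytearray()
    for s in range(len(layout[0])):
        for d in range(disks):
            if d != s % disks:
                out += layout[d][s]
    return bytes(out)


def fail_disk(layout: List[List[bytes]], failed: int) -> List[List[Optional[bytes]]]:
    """Simulate a disk failure: every block on that disk becomes unreadable."""
    return [[None] * len(col) if d == failed else list(col) for d, col in enumerate(layout)]


def rebuild(layout: List[List[Optional[bytes]]], failed: int) -> List[List[bytes]]:
    """Regenerate the failed disk: each lost block is the XOR of the surviving blocks in its stripe."""
    disks = len(layout)
    rebuilt = [xor_blocks([layout[d][s] for d in range(disks) if d != failed])
               for s in range(len(layout[0]))]
    repaired = [list(col) for col in layout]
    repaired[failed] = rebuilt
    return repaired


def usable_fraction(volume_type: str, disks: int) -> float:
    """Share of raw capacity available for data."""
    if volume_type == "mirrored":
        return 0.5                  # data is written twice
    if volume_type == "raid5":
        return (disks - 1) / disks  # one block per stripe is parity
    return 1.0                      # simple, spanned, striped: no redundancy


if __name__ == "__main__":
    sample = b"Windows 2000 Server study notes"  # constructed data
    vol = stripe(sample, 4)
    for lost in range(4):
        assert read_data(rebuild(fail_disk(vol, lost), lost)).rstrip(b"\0") == sample
    print("all four single-disk failures recovered;",
          "usable capacity:", usable_fraction("raid5", 4))
```

Losing two disks of the same array leaves the XOR equation with two unknowns per stripe, which is why a second failure before Repair Volume completes is unrecoverable.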
· Troubleshooting table:
| Configuration | Dynamic Disk | Basic Disk |
| Mirror volume / set | Reactivate Disk, replace disk, Remove Mirror, Add Mirror | Repair Volume (choose new disk), Resynchronize Mirror |
| RAID 5 volume / set | Reactivate Disk, Repair Volume (choose new disk) | Repair Volume (choose new disk), Regenerate Parity |
· You can convert a basic disk to dynamic (requires 1MB unallocated space) – but reverting to basic will delete all partition information.
· Win2K cannot be installed on a dynamic disk unless it has a partition table (e.g. upgraded from basic)
· You can mount a new volume to an existing empty directory on another volume.
· When adding a drive from another system the drive may come up with Foreign status: right click that drive and select Import Foreign Disk.
  o Incomplete Volume – error when the imported disk is an incomplete part of a spanned or striped volume. Data cannot be accessed.
  o Failed Redundancy – error when the imported disk is an incomplete part of a mirrored or RAID5 volume. Data can be accessed but there is no redundancy.
· Error-checking tool checks the volume for errors (all files must be closed).
· Disk Management status showing At Risk means the disk has an error – return it to Healthy by reactivating the disk
· Disk Defragmenter rearranges files on the hard drive
· Win2K supports 3 file systems: FAT, FAT32, and NTFS
· FAT (File Allocation Table) – 16bit
· Maximum volume 4 GB (only Win2K can support higher than 2 GB)
· Maximum file 2 GB
· Supported by DOS, Windows (all versions), and Win NT/2000
· No file security
· FAT32 (File Allocation Table) – 32bit
· Maximum volume 32 GB
· Maximum file 4 GB
· Supported by Win 95 SR2, 98, NT4, 2000
· No file security
· NTFS (NT File System)
· Maximum volume 2 TB (minimum 10 MB)
· Maximum file unlimited
· File security and data encryption
· Cannot format floppy disks with NTFS
· Is required for Domain Controllers and Active Directory
· Disk quotas to restrict storage
· Use convert.exe d: /fs:ntfs to convert from FAT to NTFS (one way operation).
· Offline files enable access to files when the machine is disconnected from the network.
· When sharing files you can enable caching with 3 options (after enabling “Allow caching of files in this folder” in the Caching dialog box):
· Automatic Caching for Documents - caches all files opened from this share on the local workstation
· Automatic Caching for Programs
· Manual Caching for Documents (Default) – user needs to specify the file to be cached on the client machine
· By default files with the following extensions are NOT cached: SLM, LDB, MDW, MDB, PST, DB. Configured through Group Policy.
· Permissions (ACL) by default are inherited from parent folders.
· Explicit permissions are applied directly to a file, folder, or OU (in AD).
· Inherited permissions are propagated from the parent folder or OU.
· Remove the “Allow Inheritable Permissions From Parent to Propagate to This Object” option to disable inheritance.
· ACL (Access Control List) is a property associated with every object. It contains information about specific users and groups that have been granted access to this object, along with particular security permissions.
· ACL Permissions are broken down into two groups:
  o 5 Basic Permissions (for files – 6 for folders) actually consist of advanced permissions grouped together
    § Full Control
    § Modify
    § Read & Execute
    § Read
    § Write
    § List Folder Contents (folders only)
  o 17 Advanced permissions are the building blocks for basic permissions – allow detailed control over what access a user may have on objects.
    § Traverse Folder/Execute File
    § Execute File
    § List Folder/Read Data
    § Read Data
    § Read Attributes
    § Read Extended Attributes
    § Create Files/Write Data
    § Write Data
    § Write Attributes
    § Write Extended Attributes
    § Delete Subfolders and Files
    § Delete
    § Read Permissions
    § Change Permissions
    § Take Ownership
    § Create Folders/Append Data
    § Append Data
· By default NTFS permissions are inherited from an object’s parent.
· NTFS permissions are cumulative, but DENY always overrides ALLOW.
· By default all NTFS drives are assigned the Allow Full Control permission to the Everyone group for the root of each drive.
· NTFS permission conflicts: if group and user permissions are in conflict the most liberal permissions take precedence, however Deny always takes precedence over Allow, and explicit permissions always override inherited permissions.
· Share Permissions are enforced only for access over the network and are applied on top of existing NTFS permissions
  o Share permissions can be Full Control, Change, and Read.
  o When share permissions conflict with file / folder permissions the most restrictive permissions take precedence
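The precedence rules above (cumulative group permissions, Deny over Allow, explicit over inherited, and share permissions intersected with NTFS for network access) as an effective-permission calculator. This is an added example, not code from the notes. The bundling of basic permissions into advanced rights and the mapping of share Read/Change/Full Control onto NTFS right names are assumptions made for the example, using the advanced permission names the notes list; the ACL and principals are constructed.

```python
"""Effective NTFS and share permissions following the precedence rules in the notes (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set

# Basic permissions expanded into the advanced rights they bundle (assumption).
BASIC = {
    "Read": {"List Folder/Read Data", "Read Attributes",
             "Read Extended Attributes", "Read Permissions"},
    "Write": {"Create Files/Write Data", "Create Folders/Append Data",
              "Write Attributes", "Write Extended Attributes"},
}
BASIC["Read & Execute"] = BASIC["Read"] | {"Traverse Folder/Execute File"}
BASIC["Modify"] = BASIC["Read & Execute"] | BASIC["Write"] | {"Delete"}
BASIC["Full Control"] = BASIC["Modify"] | {"Delete Subfolders and Files",
                                           "Change Permissions", "Take Ownership"}

# Share permissions mapped onto the same right names (assumption).
SHARE = {"Read": BASIC["Read & Execute"], "Change": BASIC["Modify"],
         "Full Control": BASIC["Full Control"]}


def expand(names: Iterable[str]) -> FrozenSet[str]:
    """Turn a mix of basic and advanced permission names into a set of advanced rights."""
    rights: Set[str] = set()
    for name in names:
        rights |= BASIC.get(name, {name})
    return frozenset(rights)


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, allow or deny, which rights, explicit or inherited."""
    principal: str
    allow: bool
    rights: FrozenSet[str]
    inherited: bool = False


def ntfs_effective(acl: List[Ace], user: str, groups: Iterable[str]) -> FrozenSet[str]:
    """Rights the user ends up with on the object from its NTFS ACL."""
    principals = {user, *groups}
    relevant = [ace for ace in acl if ace.principal in principals]
    # Evaluation order from the notes: explicit beats inherited, Deny beats Allow.
    order = [(False, False), (False, True), (True, False), (True, True)]  # (inherited, allow)
    decided: Set[str] = set()
    granted: Set[str] = set()
    for inherited, allow in order:
        tier: Set[str] = set()
        for ace in relevant:
            if ace.inherited == inherited and ace.allow == allow:
                tier |= ace.rights          # user and group entries accumulate
        undecided = tier - decided          # a higher tier already ruled on the rest
        if allow:
            granted |= undecided
        decided |= undecided
    return frozenset(granted)


def effective(acl: List[Ace], user: str, groups: Iterable[str],
              share_perm: Optional[str] = None, over_network: bool = True) -> FrozenSet[str]:
    """Combine NTFS and share permissions: share applies only over the network, most restrictive wins."""
    rights = ntfs_effective(acl, user, groups)
    if over_network and share_perm is not None:
        rights &= SHARE[share_perm]
    return rights


# Constructed ACL for a shared folder: Everyone reads (inherited from the
# drive root), Sales can modify, and alice alone is explicitly denied Delete.
SAMPLE_ACL = [
    Ace("Everyone", True, expand(["Read"]), inherited=True),
    Ace("Sales", True, expand(["Modify"])),
    Ace("alice", False, frozenset({"Delete"})),
]

if __name__ == "__main__":
    print("local:  ", sorted(effective(SAMPLE_ACL, "alice", {"Sales", "Everyone"}, over_network=False)))
    print("network:", sorted(effective(SAMPLE_ACL, "alice", {"Sales", "Everyone"}, share_perm="Read")))
```

A common audit finding follows directly from the last function: a share left at the default Everyone / Full Control is only as safe as the NTFS ACL beneath it, and the drive-root default of Everyone / Full Control noted above means new folders inherit wide access unless inheritance is broken.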
· Ownership of objects
  o Administrators can take ownership of any object, and can grant users the ability to take ownership.
  o Object ownership cannot be assigned to others; a user must have permission to take ownership of an object.
· Copying and moving of files and folders
  o ONLY MOVE ON THE SAME NTFS VOLUME RETAINS PERMISSIONS AND COMPRESSION
| Operation | Same NTFS Volume | Other NTFS Volume |
| Copy | Inherits | Inherits |
| Move | Retains | Inherits |
· Compact.exe displays the status of compression as well as allows compression (switch /c) and decompression (switch /u)
· Disk quotas track / control disk usage on a per user and per volume basis (only NTFS)
  o Only Administrators can change quota settings
  o Disk quotas do not use compression to measure disk space taken
  o Quotas are based on file / folder ownership
  o Use the Disk Quota tab to enable quotas and set restrictions
  o Use the Quota Entries screen (accessible from the Disk Quota tab) to see an individual user’s quota status and limits
  o Use Event Viewer to see errors associated with disk quotas
  o Troubleshooting:
    § Ensure the Enable Quota Management checkbox is selected
    § Ensure the Deny Disk Space To Users Exceeding Quota Limits checkbox is selected
    § Disk Quota tab is only visible from Properties for a volume, not a folder or file.
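The quota accounting rules above (charged per owner and per volume, on uncompressed size, with a warning level and a limit that only denies writes when the "Deny disk space" option is on) in code, as an added example that is not from the notes. The file list, owners, sizes, quota figures and event wording are constructed for the illustration.

```python
"""Disk quota accounting: per owner, uncompressed size, warning level and hard limit (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class QuotaFile:
    path: str
    owner: str
    size: int           # logical size; this is what the quota charges
    size_on_disk: int   # after NTFS compression; quotas ignore this


@dataclass(frozen=True)
class QuotaPolicy:
    limit: int                    # quota limit in bytes
    warning: int                  # warning level in bytes
    deny_over_limit: bool = True  # "Deny Disk Space To Users Exceeding Quota Limits"


def usage_by_owner(files: List[QuotaFile]) -> Dict[str, int]:
    """Charge every file to its owner using the uncompressed size."""
    usage: Dict[str, int] = {}
    for f in files:
        usage[f.owner] = usage.get(f.owner, 0) + f.size
    return usage


def check_write(files: List[QuotaFile], policy: QuotaPolicy,
                owner: str, new_bytes: int) -> Tuple[bool, List[str]]:
    """Would a write of new_bytes by owner be allowed, and which quota events fire?"""
    after = usage_by_owner(files).get(owner, 0) + new_bytes
    events: List[str] = []
    if after > policy.warning:
        events.append(f"warning: {owner} would reach {after} bytes, above warning level {policy.warning}")
    if after > policy.limit:
        events.append(f"limit: {owner} would reach {after} bytes, above quota limit {policy.limit}")
        if policy.deny_over_limit:
            return False, events   # write refused; without the checkbox it is only logged
    return True, events


# Constructed volume contents: alice's first file compresses well, but the
# quota still charges its full logical size.
SAMPLE_FILES = [
    QuotaFile(r"D:\users\alice\archive.txt", "alice", 600_000, 100_000),
    QuotaFile(r"D:\users\alice\report.doc", "alice", 300_000, 300_000),
    QuotaFile(r"D:\users\bob\notes.txt", "bob", 50_000, 50_000),
]
SAMPLE_POLICY = QuotaPolicy(limit=1_000_000, warning=800_000)

if __name__ == "__main__":
    print(usage_by_owner(SAMPLE_FILES))
    for who, size in (("alice", 50_000), ("alice", 200_000), ("bob", 10_000)):
        allowed, evs = check_write(SAMPLE_FILES, SAMPLE_POLICY, who, size)
        print(who, size, "allowed" if allowed else "denied", evs)
```

Because the charge follows ownership, a file an administrator creates in a user's folder counts against the administrator, not the user, which is the usual explanation when Quota Entries and a directory listing disagree.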
· Printer terminology:
  o Printer is a software interface between the OS and the print device; directs jobs to one or more print devices.
  o Print device is the hardware that produces physical documents
  o Printer port – a software interface through which print jobs get directed to locally or network attached print devices.
  o Print server – a host PC for printers
  o Printer driver – software specific to each print device – translates printing commands to printer language codes specific to each print device.
  o Print job – document to be printed with print processing commands
  o Print resolution – specifies quality and smoothness of the printed document
  o Print spooler – service that initiates, processes and distributes print jobs.
  o Print queue – logical waiting area for print jobs.
  o Print Pooling allows installing two identical printers as one logical printer.
· To connect to a Network Printer you must select the “Create a new port” option in the Add Printer Wizard, select Standard TCP/IP Port and supply the IP address.
· Win2K supports 6 different port types:
  o Local Port – LPT port most common
    § Local printer ports supported: LPT, COM, USB, Firewire (IEEE 1394), UNC path.
  o TCP/IP Port – to connect to a network printer
  o AppleTalk Port – uses the AppleTalk protocol
  o HP Network Port – old HP printers – the new HP printers use TCP/IP Port
  o LPR Port – print device on a Unix host
  o Port For NetWare – requires NWLink and CSNW – allows printing to NetWare printers.
· Printing on Unix printers:
  o LPR – Line Printer Remote – command for sending a print job to a print device on a Unix print server
  o LPD – Line Printer Daemon – service installed that redirects the document to the printing device
  o LPQ – Line Printer Queue – queue of documents waiting to be printed.
· You can use the net use command to connect to remote printers:
  o net use lptx: \\print_server\printer_share (lpt1, lpt2, or lpt3)
· Windows 2000 print server computers automatically download the correct print drivers to client computers running Win9x, NT, 2K as long as the drivers have been installed on the print servers.
· The following groups can manage print jobs in print queues: Printer Owners, Print Operators, Print Job Owners.
· Three printer related permissions: Print, Manage Documents and Manage Printers
· Users can manage other users’ print jobs if they have the “Manage Documents” permission.
· To take ownership of a printer you need the “Manage Printers” permission
· Default security setting: Everyone group has rights to Print
· IPP (Internet Printing Protocol) gives the ability to print over an Internet connection. To connect to the printers folder over the Internet use the http://printserver/printers address. To connect to a specific (shared) printer use http://printserver/printer_share_name.
· Print Server Properties – accessible from File / Server Properties in the Printers folder
  o Change the directory of the printer spooler (Advanced Print Server properties) (default is \WINNT\system32\spool\printers)
  o To improve performance move the printer spooler directory to a drive other than the system root.
· Printer Properties configure a specific printer:
  o You can configure printer properties using the properties tabs. The following tabs are available: General, Sharing, Ports, Advanced, Security, and Device Settings.
· IPP (Internet Printing Protocol) requires IIS to be enabled
· Printer priority is configured through the Advanced tab
· Print pooling allows multiple print devices to be associated with one printer.
  o Enable through the Ports tab (printer properties) and select “Enable Printer Pooling”
  o When printing to a pooled printer the job is sent to the first available print device in the pool.
· Printer priority specifies the priority for the printer – documents entering the queue through this printer will have this priority:
  o Configure through Advanced properties. Priority can be: 1 lowest to 99 highest
· To list a printer in Active Directory when sharing ensure the “List in the Directory” option is enabled.
· Web Services are installed as part of IIS (Internet Information Services). IIS includes:
  o FTP (File Transfer Protocol) Server
  o NNTP (Network News Transfer Protocol) Service
  o SMTP (Simple Mail Transfer Protocol) Service
  o WWW (World Wide Web) Server
· Install any of the IIS services by going to Add/Remove Programs in Control Panel and then Add/Remove Windows Components
· TCP/IP Protocol and a static IP Address are required for IIS installation.
· IIS adds two new user accounts to the system:
  o IUSR_computername – anonymous web page requests are served under this account
  o IWAM_computername – under this account out of process ASP applications are started
· The default directory for Web documents is c:\inetpub\wwwroot
· Internet Service Manager (MMC Snap-in) is used to configure IIS services.
· By default two web sites are created: “Default Web Site” and “Administration Web Site”
· Each web site can be configured through properties. The following properties tabs are available:
  o Web Site – configure the IP address and port this web site listens on, the number of supported connections, and logging options.
  o Operators – configure users with administrative access to this web site
  o Performance – miscellaneous performance options
  o ISAPI Filters – allows installation and management of filters
  o Home Directory – allows specifying the location of the root directory, access permissions, and ASP application settings
  o Documents – configure default documents to display when a directory is accessed
  o Directory Security – access control settings: anonymous user, basic authentication, NTLM authentication, IP address authentication and certificate based authentication
  o HTTP Headers – content expiration, rating, and MIME settings
  o Custom Errors – edit and customize default errors
  o Server Extensions – if FrontPage Server Extensions are installed you can configure them through this tab.
· Six different authentication options are available:
  o Anonymous Access – allows all requests to be served under the Anonymous account (default IUSR_computername). No authentication is presented to the browser.
  o Basic Authentication – transmits username and password in clear text. Supported by most browsers since basic authentication is built into the HTTP protocol. It is recommended to install SSL (Secure Sockets Layer) encryption when using basic authentication.
  o Digest Authentication – converts the password into a numeric value – only Internet Explorer 5.5 supports it, and it works only on a Windows 2000 domain controller (because only the DC has access to the user’s password).
  o Integrated Windows Authentication – uses Windows logon authentication. Supported by Internet Explorer only. Ideal for intranet web servers.
  o IP Address Authentication – restricts access based on the client computer’s IP address or DNS domain name
  o Certificate Authentication – allows mapping of client certificates to Windows user accounts. Requires SSL.
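What Basic and Digest authentication actually put in the Authorization header, as an added example that is not from the notes. Basic encodes the credentials with base64, which is reversible, so anyone who can read the unencrypted HTTP request has the password; that is the reason behind the SSL recommendation above. Digest sends an MD5 response computed per RFC 2617, the scheme IIS Digest authentication uses (an assumption about IIS beyond what the notes state): the password never leaves the client, and the server, which per the notes must be a domain controller with the password available, recomputes the same value to verify it. Realm, nonce, credentials and URI below are constructed.

```python
"""Basic vs Digest HTTP authentication: what goes on the wire and how the server checks it (added example)."""
import base64
import hashlib
import secrets


def basic_header(user: str, password: str) -> str:
    """Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_credentials(header: str):
    """What a reader of the unencrypted request learns: base64 is encoding, not encryption."""
    token = header.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response value with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user: str, realm: str, password: str, method: str, uri: str,
                  nonce: str, nc: str = "00000001", cnonce: str = None) -> str:
    """Authorization header the client sends; the password itself is not in it."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Authorization: Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header: str) -> dict:
    """Split the comma-separated key=value fields of a Digest header."""
    body = header.split("Digest ", 1)[1]
    fields = {}
    for part in body.split(", "):
        key, value = part.split("=", 1)
        fields[key] = value.strip('"')
    return fields


def server_verify_digest(header: str, method: str, password_from_dc: str) -> bool:
    """Server side: recompute the response from the stored password and compare in constant time."""
    f = parse_digest(header)
    expected = digest_response(f["username"], f["realm"], password_from_dc, method,
                               f["uri"], f["nonce"], f["nc"], f["cnonce"], f["qop"])
    return secrets.compare_digest(expected, f["response"])


# Constructed values for the demonstration
REALM = "intranet.example.test"
NONCE = "0123456789abcdef"   # server-issued challenge, constructed

if __name__ == "__main__":
    b = basic_header("alice", "S3cret!")
    print(b, "->", basic_credentials(b))
    d = digest_header("alice", REALM, "S3cret!", "GET", "/dir/index.html", NONCE)
    print(d)
    print("verified:", server_verify_digest(d, "GET", "S3cret!"))
```

The server's nonce is what stops a captured Digest header from being replayed indefinitely; the nc counter and a fresh nonce per challenge are the server's controls, and the check above binds the response to the HTTP method as well, so a header captured from a GET does not verify for a POST.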
· IIS saves logging information in the c:\winnt\system32\LogFiles directory.
· Windows Installer
  o Windows Installer Service installs software from MSI files. Checks for missing program files and reinstalls them if they are damaged or deleted.
  o Helps resolve DLL conflicts
  o Can uninstall programs completely.
  o WinInstall LE can create an MSI file by monitoring the installation of a program from a standard SETUP.EXE file
  o ZAP file can be used to install non-MSI software (exe files). (text file with .zap extension with info on how to launch setup)
  o You can Publish or Assign applications through Group Policy. Published applications are manually installed by the user through Add/Remove Programs. Assigned apps have shortcuts in the Start menu that launch installation on first use.
  o When an application is assigned to a computer (rather than a user) it is installed the first time the computer reboots.
· Distributed File System (Dfs)
  o Dfs allows creating one logical view of different physical network shares hosted on different computers.
  o Two types of Dfs: standalone and domain
  o The first shared resource is called the Dfs root. Additional network shares added to the Dfs root are called Dfs links.
  o Domain Dfs is published into Active Directory and can provide redundancy (users can be re-directed to replicas)
  o Only Windows clients can access Dfs (Win98, NT, 2000). Windows 95 requires additional client software.
· Terminal Services
  o Terminal Services allows remote computers to access the Windows 2000 Server desktop over a network connection
  o TS can be configured in two modes: Remote Administration and Application Server
    § Remote Administration – allows up to two concurrent connections – primarily used for system administration. Low performance impact.
    § Application Server – allows many concurrent users to use server resources to run applications. Requires a Terminal Services Licensing server to allocate CALs.
  o Client configuration: Four (4) user properties tabs in both “Active Directory Users and Computers” and in “Local Users and Groups” control Terminal Services: Environment, Sessions, Remote Control, and Terminal Services Profile.
  o Server configuration: Manage Terminal Services through:
    § Terminal Services Configuration – configure network connections and server settings
    § Terminal Services Manager – allows monitoring of server, users, etc.