70-210
Windows 2000
• October 1998 Win NT 5.0 renamed to Windows 2000
• Design goals for Win 2k build on the base established by Win NT:
o Reliability:
o Availability:
o Scalability:
Memory allocation/locking procedures (eliminates processor conflicts)
Hierarchical storage management
Per-user disk quotas
o Reduced total cost of ownership
o Reduced, but centralized, administration
• Kerberos v5
http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp
• IIS 5.0
• Zero Administration for Windows (ZAW):
• IntelliMirror
o Allows admins to determine a user’s desktop settings from admin computer
o Gives users access to their data, settings, and applications from any workstation
o Contains Remote Installation Services (RIS) – allows admins to install OS across the network w/out
visiting each computer
• April 1999 Beta 3 of Windows 2000
• Disk defragmenter
• Enhanced NTFS file
• FAT32 file system for compatibility w/ Win 95 OSR2 and later
• File system enhancements include disk quotas, encryption and Distributed file system
• DFS – (NWLINK, IPX/SPX), Apple (AppleTalk) SNMP
• VPNs you can use either:
o Point-to-Point Tunnelling Protocol (PPTP)
o Layer Two Tunnelling Protocol (L2TP)
o Internet Protocol Security (IPSec)
• Greater Internet capability through IE 5.01, IIS 5, IPSec, IPP
• Search bar, History bar, AutoComplete, Automated Proxy, ICS
• NAT
• Microsoft Management Console (MMC)
• Active Directory
• Greater # of wizards,
Windows 2000 Professional
o 32-bit OS
o Supports up to 2 symmetric multiprocessors
o 4 GB of RAM
Windows 2000 Server
o The Win 2k Server OS line was introduced with the first version of Win NT, called Windows NT 3.1 Advanced Server
o Designed for small to medium-sized business
o Uses UPS feature to ensure that data and apps are protected in the event of a power failure
o Provides platform for sharing applications across a network
o Supports four-way symmetric multiprocessing
o 4GB of memory
o Host web sites and manage corporate intranets
(standard edition of win 2k server is designed for large businesses with intensive processing needs -- TRUE)
Windows 2000 Advanced Server
o Medium-sized and large businesses
o 8-way SMP
o 8GB of RAM with Intel’s Physical Address Extension (PAE)
o Network Load Balancing (NLB)
o Can distribute incoming IP traffic across a cluster of up to 32 nodes
o Supports Cluster Service, offering
o 2-node failover support for failure of hardware or critical software apps
o Designed to service database-intensive applications
Load balancing (of COM+ components): enables the deployment of applications built with COM+ components across multiple application servers.
Network load balancing (NLB) enables you to cluster up to 32 servers running Windows 2000 AS,
thereby ensuring an even distribution of incoming traffic and a single system image to clients;
automatically reconfigures the cluster to send client requests to alternative servers.
--------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------
Features Section:
The Zero Administration for Windows (ZAW) initiative is a group of OS technologies designed to help reduce the
(TCO) on Windows 2000 systems. Some technologies were present in Win NT 4, Win 95, and Win 98.
http://www.microsoft.com/ntworkstation/downloads/Recommended/Featured/NTZAK.asp
The software installation and maintenance feature relies on the Active Directory, Group Policy, Windows Installer, and
Add/Remove Programs.
The Active Directory is a distributed, partitioned, and replicated service that stores objects representing network
resources such as computers, users, servers, groups, folders, and printers.
Simplifies Management
Strengthens Security
Extends Interoperability
Macro-level management
Multi-master replication
Built in support for Kerberos, public key infrastructure (PKI) and lightweight directory
access protocol (LDAP) over secure sockets layer (SSL)
Works with IntelliMirror® management technologies to install assigned applications automatically and give users
the ability to access their own desktops regardless of the workstation they use in the network.
Active Directory Explanation: http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp
Active Directory Glossary:
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/glossary.asp
Active Directory Services:
http://www.microsoft.com/mspress/books/sampchap/3173.asp
Active Directory Architecture:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/deploy/projplan/adarch.asp
Applications are able to save their own and user configuration details using the Active Directory Service Interfaces
(ADSIs). This enables the collective modification of user profiles and client software and resources.
Group Policy Snap-in: replacement for the System Policy Editor (Win NT 4, Win 95, and Win 98); allows admins to
manage software installation, Registry-based policies, folder redirection, scripts, and security settings.
• needs to be added through MMC installation
• Group Policy Objects (GPOs) store Group Policy settings; they are linked to sites, domains, and OUs
• GP can be applied to any container in the Active Directory, unlike Win NT 4
• extends the application of policies to containers other than domains
Windows Installer: Consists of an operating system-resident install service, a standardized format for component
management, and a management API. Consists of one or more Windows Installer features and comes with a package
file containing a Product Code that identifies and describes it.
--Package file (.MSI file): Replaces the INF, LST, and STF files in previous versions of Microsoft Office.
--Windows Installer feature is usually a self-contained group of components, each of which consists of a number of
files, Registry keys, and resources that form a logical grouping.
Message Queuing Services & Component Services: Provide simple interfaces through which application objects can
be configured and distributed among systems. Component Services replaces the former Transaction Services.
Remote Operating System (OS) Installation and IntelliMirror are ZAW features that provide enhanced change and
configuration management.
Remote OS Install: Remote OS Installation relies on network boot technology and server-based distribution software
to install Windows 2000 remotely on client computers, and then IntelliMirror allows administrators to manage user
data, software, and settings by means of policies. Employs (RIS), Active Directory, (DNS), (DHCP).
Active Directory Users and Computers snap-in: Active Directory stores RIS info as objects that can be managed w/
the Active Directory Users and Computers MMC snap-in.
Client Installation Wizard: Simplified version of Win 2k setup procedures; allows user to provide info that will assist
you in directing the installation process. Admins can specify which set of choices the CI Wizard needs to present to
users by selecting one of the following policy settings:
• Automatic Setup
• Custom Setup
• Restart a Previous Attempt
• Maintenance and Troubleshooting
IntelliMirror: Win 2k change and configuration management technology that allows admins to move away from a
situation, prevalent in Win NT and Win 98, where user roles need to be mapped to specific computers.
• Admins can now allow users to “roam” between computers while allowing them to maintain full access to
their data, applications, and customized environments, whether they work online or offline.
• Follow-me Functionality: Stores user info in specified locations on servers and on local hard drives. Makes
sure info in online and offline folders is synchronized.
• To install, configure, maintain, and repair user applications, IntelliMirror employs Group Policy, Active
Directory, Windows Installer, and Add/Remove Programs.
• Centralizes application deployment and maintenance by means of the Group Policy and Active Directory.
• Just-in-time installation: not visible to user, to ensure that apps only become fully installed when they are
needed. Each time user opens an app, the Windows Installer verifies that an app has all the required files
before allowing it to run. If needed Windows Installer will recover missing files from the distribution point
and install these.
• Allows users to specify that applications be cached automatically
• Allows the client to create local copies of the applications
• Allows users to open an app without accessing a network copy
• Auto or Manual caching of documents to achieve mirrored user data
• Manual Caching: Users are able to decide which files need to be cached locally.
Technologies needed for management of user data and settings through ZAW:
• Active Directory
• Group Policy
• Roaming user profiles
• Offline folders
• Synchronization Manager
• Disk Quotas
Roaming Settings:
1) Administrative settings
2) User settings
These include: Personal address books, lock-downs preventing writes to system folders, and control panel items
Synchronization Manager: When a user is working online and saves a file to My Documents: The file is first saved
to the network folder and then synchronized with the local folder. Opposite occurs if user is working offline, when
online state is returned, synchronization with the network folder takes place automatically.
Document invocation: Refers to the automatic installation of a published application following a user’s attempt to
access a file that requires the published application to run.
Disk Quotas: Configure quotas per volume and assign them to individual users or groups by using Windows Explorer.
Disk space is charged against user accounts on the basis of file ownership.
Quota threshold: once reached, either prevents the user from creating more data or only notifies the user; in both
cases an event is added to the Event Log.
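Quota accounting as described above, as an added example (not part of the original notes): quotas are set per volume, space is charged to the owner of each file, and crossing the threshold is either blocked or only logged. The volume name, users, paths, sizes and event strings are constructed sample values.

```python
"""Per-volume disk quotas charged by file ownership.

Added example, not from the original notes. It models what the notes state:
quotas are configured per volume, disk space is charged to the owner of each
file, and a user who crosses the threshold is either blocked or only warned,
with an event recorded either way. Volume name, users, paths and sizes are
constructed sample values; the event strings stand in for Event Log entries.
"""


class Volume:
    def __init__(self, name, limit_bytes, warn_bytes, deny_over_limit=True):
        self.name = name
        self.limit = limit_bytes                # hard quota limit per owner
        self.warn = warn_bytes                  # warning threshold per owner
        self.deny_over_limit = deny_over_limit  # False = log only, never block
        self.files = {}                         # path -> (owner, size)
        self.events = []                        # stand-in for the Event Log

    def usage(self, owner):
        """Space charged to `owner`: the sum of the sizes of the files they own."""
        return sum(size for o, size in self.files.values() if o == owner)

    def write_file(self, path, owner, size):
        """Create or overwrite a file as `owner`; return True if the write is accepted."""
        previous = self.files.get(path)
        # Overwriting your own file only charges the difference in size.
        credit = previous[1] if previous and previous[0] == owner else 0
        projected = self.usage(owner) - credit + size
        if projected > self.limit:
            self.events.append(
                f"LIMIT: {owner} would use {projected} of {self.limit} bytes on {self.name}")
            if self.deny_over_limit:
                return False  # write refused, usage unchanged
        elif projected > self.warn:
            self.events.append(
                f"WARNING: {owner} passed {self.warn} bytes on {self.name} ({projected} used)")
        self.files[path] = (owner, size)
        return True

    def take_ownership(self, path, new_owner):
        """Changing the owner moves the charge to the new owner."""
        _, size = self.files[path]
        self.files[path] = (new_owner, size)


if __name__ == "__main__":
    vol = Volume("D:", limit_bytes=1000, warn_bytes=800)
    print(vol.write_file(r"\Reports\a.doc", "AnnaH", 500), vol.usage("AnnaH"))
    print(vol.write_file(r"\Reports\b.doc", "AnnaH", 400), vol.usage("AnnaH"))
    print(vol.write_file(r"\Reports\c.doc", "AnnaH", 200), vol.usage("AnnaH"))
    vol.take_ownership(r"\Reports\b.doc", "BobT")
    print("after ownership change:", vol.usage("AnnaH"), vol.usage("BobT"))
    for event in vol.events:
        print(event)
```

The `deny_over_limit=False` form corresponds to the "notifies user" behaviour: the write succeeds and only the event is recorded.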
Question: IntelliMirror functionality is fully dependent on the Group Policy and Active Directory.
Answer: False
Common services layer: management services; low-level OS services including the Active Directory, event
notification, (COM+), and (WMI).
Event Notification: Enables admins to track system, application, and security events and to pass them on to other
users and services.
COM+: Low-level service that provides an open architecture for cross-platform development.
WMI: Provides a standard model for the management of data regardless of source. WBEM-compliant means of
accessing and sharing management info in an enterprise network; provides a rich and consistent model of Win 2k
operation, configuration, and status; offers a COM API that provides a single point of access to management info, a
rich query language, and a flexible architecture that allows vendors to extend the model by writing WMI providers.
Provides for the following components:
• Win32
• Windows Driver Model (WDM)
• Event logs
• Registry
• Performance counter
• Active Directory
• Windows Installer
• Simple Network Management Protocol (SNMP)
Drivers that can make use of WMI include SCSI class drivers and NDIS network adapter class drivers. WMI-enabled
drivers can record info regarding device failure, error statistics, and performance counters.
Managed Object Format (MOF): WMI-enabled drivers employ this to record info about device failure, error
statistics, and performance counters. This file defines attributes for entities in managed environments.
Web-Based Enterprise Management (WBEM): An industry initiative that establishes management infrastructure
standards and provides a way to combine info from various hardware and software management systems.
Windows Driver Model (WDM): Drivers support WMI interfaces but the drivers must be
specially written to benefit from WMI. WDM is a strategy for making driver development
simpler. WDM provides a common set of services for developers to create drivers that are
compatible across Windows operating systems for certain device classes. A WDM driver can be
source-code-compatible for Windows XP, Windows 2000, Windows Me, and Windows 98.
Writing one driver for multiple platforms means that developers can create and manage a
single source-code base rather than writing a separate driver for each platform, and this
reduces the amount of code that must be tested and debugged.
http://www.microsoft.com/whdc/hwdev/driver/WDM/default.mspx
Common Services
XML: improves on HTML links by allowing links that reference multiple documents, and guarantees that structured
data is uniformly independent of platforms, apps, and vendors and that it can be transmitted via Web-based protocols.
MMC: Program that hosts snap-in management apps for administrative tasks.
• create, open, and save admin tools in the form of MMC consoles
• MMC console consists of at least one snap-in
• MMC console consists of a hierarchical console tree
• MMC consoles are stored as files with .msc extensions and any new settings are preserved even if you open
the consoles on a different computer
Automation: Employs the Windows Scripting Host and all COM controls that present automation interfaces for the
execution of management tasks. It enables an admin to define scripted actions based on WMI events and COM events.
Distributed Security Services: need for simplified domain management, delegation of account administration, and
integration of Internet security technology with Windows security.
Active Directory Replication: Account updates can be made at any PDC. Each PDC has its own master replica of
the Active Directory and the update and synchronization of the different replicas take place automatically. Tree-wide
transitive trust simplifies the admin of trust relationships between domains. This allows users with accounts specified
in one domain to be authenticated by another domain’s servers.
-- Explicit one-way trust relationships to Win NT 4 domains and two-way transitive trust relationships between Win
2k domains.
-- allows you to delegate – to the level of OUs – admin rights concerned with the creation and management of accounts.
--domain user accounts are copied to all domain controllers within the same domain.
--Local user accounts are created only in the local security base of the user’s computer
--Domain user accounts created in an Active Directory (OU) on a DC and copied to other DCs within the same
domain; access tokens that stores a user’s info and security settings.
--Security groups: Stored in Active Directory; managed by the Directory Management snap-in. Each group is
assigned a security identifier (SID) that identifies the group and its permissions.
--Only shared folder permissions for FAT volumes. In Win 2k you can combine shared folder permissions and NTFS
permissions using an NTFS volume.
--the most restrictive permissions will overrule other permissions.
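How the share and NTFS layers combine, as an added example (not from the original notes): on FAT only the share permissions apply; on NTFS both apply and the most restrictive result wins. The accumulation of Allows across groups, Deny overriding Allow, and share permissions applying only to network access are general Windows ACL behaviour assumed here, not spelled out in the notes. Users, groups and the folder are constructed.

```python
"""Effective access from combined share and NTFS permissions.

Added example, not from the original notes. It models the rules stated above:
on a FAT volume only shared-folder permissions apply; on an NTFS volume share
and NTFS permissions combine and the most restrictive result wins. Within one
layer, permissions granted to the user and to the user's groups accumulate
and an explicit Deny overrides an Allow; share permissions apply only to
network access. Those last two rules are general Windows ACL behaviour
assumed here, not spelled out in the notes. Users, groups and the folder
are constructed sample values.
"""

# Rights are modelled as frozensets so "most restrictive" is set intersection.
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write", "delete"})
FULL = frozenset({"read", "write", "delete", "change_permissions"})


def effective_layer(acl, principals):
    """Resolve one ACL (share or NTFS) for a user plus the groups they belong to.

    acl: list of (principal, "allow" | "deny", frozenset of rights).
    Allows for every matching principal accumulate; any Deny removes the
    denied rights regardless of where an Allow came from.
    """
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal not in principals:
            continue
        if kind == "allow":
            allowed |= rights
        elif kind == "deny":
            denied |= rights
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return frozenset(allowed - denied)


def effective_access(share_acl, ntfs_acl, principals, *, ntfs_volume=True, via_network=True):
    """Combine the layers that apply and return the resulting rights.

    Share layer: only when the folder is reached over the network.
    NTFS layer:  only when the volume is NTFS (FAT has no file permissions).
    With both present the most restrictive wins, i.e. the intersection.
    """
    layers = []
    if via_network:
        layers.append(effective_layer(share_acl, principals))
    if ntfs_volume:
        layers.append(effective_layer(ntfs_acl, principals))
    if not layers:
        return FULL  # local logon to a FAT volume: nothing restricts the user
    return frozenset.intersection(*layers)


# Constructed ACLs for a hypothetical shared folder \\FS1\Reports.
SHARE_ACL = [
    ("Everyone", "allow", READ),
    ("Sales", "allow", CHANGE),
]
NTFS_ACL = [
    ("Sales", "allow", FULL),
    ("Temps", "deny", frozenset({"delete"})),
]

# Constructed users: each set is the account plus the groups it belongs to.
ANNAH = frozenset({"AnnaH", "Everyone", "Sales"})
BOBT = frozenset({"BobT", "Everyone", "Sales", "Temps"})

if __name__ == "__main__":
    for who, name in ((ANNAH, "AnnaH"), (BOBT, "BobT")):
        print(name, "over network:", sorted(effective_access(SHARE_ACL, NTFS_ACL, who)))
        print(name, "logged on locally:",
              sorted(effective_access(SHARE_ACL, NTFS_ACL, who, via_network=False)))
    print("AnnaH, FAT volume over network:",
          sorted(effective_access(SHARE_ACL, NTFS_ACL, ANNAH, ntfs_volume=False)))
```

BobT gets Full Control from Sales on NTFS but the Temps deny strips delete, and the share layer then strips change_permissions, leaving read and write over the network.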
Windows 2000 Authentication: Uses Kerberos Version 5 and Transport Layer Security (TLS) as its distributed security
protocols. Client authentication with SSL 3.0 and TLS maps user credentials presented as public-key certificates to
Win NT accounts; passwords and smart cards are also supported.
-- signed ActiveX controls and IE Java Classes
Kerberos: offers faster server authentication, transitive trust relationships for inter-domain authentication, and the
delegation of authentication for multi-tier client/server application architectures. Defines the interaction between
clients and a network Authentication Service called the Key Distribution Center (KDC).
Key Distribution Center (KDC): Implemented on each DC; Windows 2000 domains function as Kerberos realms.
Microsoft Certificate Server: Allows companies to assign X.509 version 3 certificates to employees. Comprises
modules for public-key certificates - certificate authorities (CAs), and CryptoAPI for certificate management.
Public-key certificates: authenticate external users w/out Win 2k accounts and map them to Windows accounts.
Private/public key pairs managed by users through interface dialogs and tools.
Personal Information Exchange: Industry-standard protocol to transmit personal security details that are stored
securely on disk.
IP Security Policy
Account Policies: Used to configure Kerberos policies, password policies, and account lockout policies.
Local Policies: Used to configure user rights assignment, auditing, and security options.
Public Key Policies: Used to configure domain roots, encrypted data recovery agents, and trusted certificate
authorities.
System Services: Allow you to specify startup and security settings for computer services.
Encrypting File System (EFS): resides in the kernel and supplies core file-encryption technology for storing NTFS
files encrypted on disk.
• Uses public-key encryption based on the Windows CryptoAPI architecture.
• performs encryption and decryption transparently by identifying the encrypted file and finding the particular
user’s certificate and private key.
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp
Fibers: New kind of processing unit, which are lighter than threads. Enable Win 2000 Server to achieve higher
scalability.
Job Object API: Allows an app to manage and control dependent system resources, thereby preventing the app from
decreasing system scalability. It can establish time limits, control process priorities, and limit memory usage by a
group of related processes. Win 2k Server extends the process model by using job objects – which can be named,
shared, and secured – that enable you to manage several processes together as a single unit.
Intelligent I/O Architecture (I2O): Designed to reduce the load on system CPUs and to eliminate I/O bottlenecks. It
achieves this by letting special I/O processors (IOPs) deal with interrupt handling, buffering, and data transfer.
NTFS Offers:
• Distributed link tracking
• Per-user disk quotas
• Removal of drive letter restrictions
• Redundant storage to store data and to effect recovery
• Ability to recover from errors in critical disk sectors
Recovery Console:
Kernel-mode-only memory dump option: shortens the period needed to collect a memory dump on systems that have large
memory configurations.
Automatic System Recovery: Allows admins to retrieve destroyed systems automatically by employing info stored
on floppy disk and a complete system tape backup.
Chkdsk: Three times faster in Win 2k than Win NT 4. Automatically launched during system startup if file system
corruption is discovered.
Modularity: Win 2k OS is modular, meaning it is divided into separate systems that interact independently. Each
system interacts with others through an API and each system can be removed and replaced with another without
affecting the others.
-------------------
---------------------------------------------------------------------------------------------
device object
A kernel-mode object, defined by the I/O Manager, that represents a physical, logical, or virtual device.
HID Human Interface Devices
INF file
A file that provides the operating system with information required to install and configure a device.
IRP I/O Request Packet. A data structure used to send I/O requests between the operating system and device drivers.
kernel mode
The Windows kernel manages the most basic functions of the operating system, such as sharing the processor between
different blocks of executing code. Kernel mode allows full, unprotected access to the system. A driver or thread
running in kernel mode has access to system memory and hardware.
NDIS Network Driver Interface Specification
WHQL Windows Hardware Quality Labs
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------
Architecture
Components of Windows 2000 Modular OS:
Kernel mode architectural layer, or
User mode architectural layer
Environmental subsystems (user mode):
POSIX SubSys ---- Win32 SubSys ---- OS/2 SubSys ---- Integral SubSys
---- User mode / Kernel mode boundary ----
Executive Services (kernel mode):
GraphMan -- WinMan -- SecRefMon -- PwrMan -- MemMan -- IPCMan -- ProcMan -- IOMan -- File systems
Object Manager
Device Drivers ---- Microkernel
Hardware abstraction layer (HAL)
Executive Services:
I/O Manager:
User mode:
Cache Manager:
Process Manager:
Interprocess Communication (IPC) Manager:
Local Procedure Call (LPC) and Remote Procedure Call (RPC) facilities.
The LPC facility manages communication between servers and clients on the same system and the RPC facility
manages communication between servers and clients on different systems.
Virtual Memory Manager (VMM): manages virtual memory and paging. The Security Reference Monitor enforces
security policies.
Window Manager and Graphical Device Interface (GDI): which are combined in the Win32k.sys device driver,
control the display system.
Plug and Play Manager: a component of the Executive, directs bus drivers to configure installed devices and device
drivers.
Unlike Win 95, Win 2k does not require an (APM) BIOS or a Plug and Play BIOS.
Advanced Configuration and Power Interface (ACPI) specification defines the BIOS support and system board
implementation for Plug and Play
WDM drivers are source-compatible across Win 98 and Win 2k but they are not binary-compatible.
A microkernel manages the microprocessor and coordinates both the Executive's activities and all I/O functions.
A microkernel is an operating system design that makes use of modules to implement the basic features of the kernel.
It is configurable.
Environment subsystems enable Windows 2000 to run applications produced for different operating systems.
The Windows 2000 32-bit Windows-based (Win32) subsystem runs Win32 applications as well as applications based
on the following operating systems:
• Microsoft MS-DOS
• Win16
The POSIX subsystem provides an environment in which POSIX-based applications can run.
And the OS/2 subsystem provides an environment for 16-bit, character-mode OS/2 applications.
-------------------------
Windows 2000 Advanced Server and Datacenter Server offer an Enterprise Memory Architecture (EMA) which will
greatly benefit large application servers.
Among the computer systems that are ready to benefit from this are the Pentium Xeon chips.
Windows 2000 Advanced Server supports up to 8GB of physical memory on Intel-based systems.
Merely adding another 4GB or more of physical memory will not necessarily enable applications to benefit from VLM
APIs.
Windows 2000 includes, as one of its operating system features, the Scatter/Gather I/O technology that was previously
incorporated into the Windows NT service pack to enhance SQL Server performance.
An asymmetric processing system is limited to executing a process on the microprocessor to which it was
originally assigned. This makes it slower, because unoccupied processors cannot assist in executing the process.
SMP system can run application and operating system processes on any microprocessor that becomes available.
This decreases processing time as all processors are being utilized.
A program includes
• code and data
• at least one thread
• a memory address space
• system resources
Directory objects: May include users, groups, computers, printers, shared folders, and containers such as domains and
OUs.
This means that you organize directory objects in logical groups on the network instead of using the folders and files
of the physical structure.
The physical structure of the directory is invisible to the user, who identifies an object by its logical name rather than
its network location.
The physical structure of the Active Directory consists of sites and domain controllers.
A Site: consists of one or more IP subnets connected by high-speed access links. Sites usually have similar boundaries
to a LAN.
The physical structure of your directory is used to manage network traffic and to determine where users log on and
where directory replication occurs.
Windows 2000 uses the physical structure of the directory to determine the most reliable and efficient links between
domain controllers and the schedules for replication and logon.
Access control lists (ACLs) in each domain contain the permissions for all the objects in the domain. This includes
the users who have access to domain objects and the type of access they are allowed, for example read-only access.
Domain controller: is a Windows 2000 server that stores directory data and manages user logon and authentication
procedures and directory searches.
Domain Modes: In a Windows 2000 network, there are 2 domain modes - mixed mode and native mode.
Mixed mode is the default domain mode and allows for some domain controllers on the network to be running
Windows NT 4.0. You can run your servers in this mode indefinitely.
• Once all the domain controllers on the network are running Windows 2000, you can convert your network to
native mode.
• The client computers on the network do not need to run Windows 2000 for the native mode to be employed.
• Until your network is in native mode, directory functions such as group nesting, and some security functions
in the Active Directory will not be able to function properly.
• Once you have converted your network from mixed mode to native mode, you cannot convert it back to
mixed mode.
Domains: Consist of network objects and their related attributes.
Organizational units (OUs): are container objects that contain other OUs and network objects.
Network objects may include user accounts, user groups, or network computers.
OUs form a logical hierarchy based on the structure of the organization in which the network is deployed.
Domain structures are independent of each other so each domain can implement its own OU hierarchy according to its
own rules.
Different domains may also contain OUs with the same name.
You may want to create more than one domain on your network if
• it contains a large number of objects
• your network contains multiple Internet domain names
• your network spans more than one organization
• you want to decentralize your network
• you want to extend data replication on the network
--When there are a number of domains on a network, all of which share a contiguous namespace, they are referred to as
a tree.
--When you add a domain to an existing tree, you need to add it as a child of an existing (parent) domain.
--The name of the child is added to the name of the parent to give the child domain a unique DNS name.
--The first domain on a network is referred to as the root domain and all subsequent domains are added to the root as
branches, which form the directory tree.
A forest: A group of trees that do not share a contiguous namespace.
For example, interswift.com and brocadero.com domain trees do not share a contiguous namespace but when the
brocadero.com tree is joined to the interswift.com tree, a forest is created.
But they do share the same configuration, schema, and global catalog.
The schema: summarizes the structure of the Active Directory, including all the object classes and their attributes.
It is stored in the global catalog, which is a central repository that stores the attributes of network objects most often
used in searches.
There are two types of trust relationship that can be formed between domains in Windows 2000:
• one-way, nontransitive trusts
• two-way, transitive trusts
In a one-way, nontransitive trust relationship the Interswift.com domain, for example, may trust the Brocadero.com
domain.
But Interswift.com does not automatically trust other domains that are trusted by Brocadero.com.
One-way, nontransitive trust relationships are available in Windows 2000 to accommodate the Windows NT network
structure. So if you want to create one-way trust relationships between Active Directory domains, you can do so.
In a two-way, transitive trust relationship, Interswift.com trusts any domain that is trusted by Brocadero.com
because it trusts Brocadero.com.
Two-way, transitive relationships are the default trust between Windows 2000 domains.
A two-way trust does not automatically grant users in the indirect trust relationship permissions to access your domain.
You need to grant permissions to users and groups from a domain outside of the direct trust relationship in order for
them to be able to access your domain.
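The two trust types above, as an added example (not from the original notes): a small trust graph over the notes' domains interswift.com and brocadero.com plus a constructed third domain, partner.example, showing which accounts each domain will authenticate and that a trust by itself grants no permissions.

```python
"""One-way nontransitive vs two-way transitive trusts.

Added example, not from the original notes. It uses the notes' domains
interswift.com and brocadero.com plus a constructed third domain,
partner.example, to show which accounts a domain will authenticate under
each trust type, and that a trust on its own grants no permissions.
"""
from collections import deque


class TrustGraph:
    """Directed graph: an edge A -> B means domain A trusts domain B."""

    def __init__(self):
        self.edges = {}  # trusting domain -> set of (trusted domain, transitive?)

    def add_one_way(self, trusting, trusted, transitive):
        self.edges.setdefault(trusting, set()).add((trusted, transitive))
        self.edges.setdefault(trusted, set())

    def add_two_way(self, a, b, transitive=True):
        self.add_one_way(a, b, transitive)
        self.add_one_way(b, a, transitive)

    def trusts(self, trusting, target):
        """True if accounts from `target` can be authenticated in `trusting`.

        A direct trust counts whatever its type. A trust reached through
        other domains counts only if every hop on the path is transitive,
        which is exactly what a nontransitive trust refuses to extend.
        """
        if trusting == target:
            return True
        if any(d == target for d, _ in self.edges.get(trusting, ())):
            return True
        seen, queue = {trusting}, deque([trusting])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self.edges.get(current, ()):
                if not transitive or nxt in seen:
                    continue
                if nxt == target:
                    return True
                seen.add(nxt)
                queue.append(nxt)
        return False


def can_access(graph, resource_domain, account, acl):
    """Trust makes authentication possible; access still needs an ACL entry.

    account is written as user@domain; acl is the set of accounts granted
    permission on a resource in resource_domain.
    """
    account_domain = account.split("@", 1)[1]
    return graph.trusts(resource_domain, account_domain) and account in acl


def nt4_style():
    """Windows NT 4 arrangement: explicit one-way trusts, nontransitive."""
    g = TrustGraph()
    g.add_one_way("interswift.com", "brocadero.com", transitive=False)
    g.add_one_way("brocadero.com", "partner.example", transitive=False)
    return g


def win2k_style():
    """Windows 2000 default: two-way transitive trusts between domains."""
    g = TrustGraph()
    g.add_two_way("interswift.com", "brocadero.com")
    g.add_two_way("brocadero.com", "partner.example")
    return g


if __name__ == "__main__":
    for label, g in (("NT4 one-way nontransitive", nt4_style()),
                     ("Win2k two-way transitive", win2k_style())):
        print(label)
        print("  interswift.com trusts brocadero.com:", g.trusts("interswift.com", "brocadero.com"))
        print("  interswift.com trusts partner.example:", g.trusts("interswift.com", "partner.example"))
        print("  carl@partner.example gets in with no ACL entry:",
              can_access(g, "interswift.com", "carl@partner.example", set()))
```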
The Active Directory uses Domain Name System (DNS) to name and locate domains on the network.
And it uses Dynamic DNS (DDNS) on its servers so that clients can register directly with a server and the server can
dynamically update its DNS table to include these clients.
The use of DDNS makes the use of any other naming service, for example WINS, unnecessary in an exclusively
Windows 2000 environment.
A distinguished name (DN) is unique to a particular object and is used to identify the object itself.
It includes the domain name for the object as well as the directory path to the object.
For example, the user AnnaH located in the Users sub-OU of the Sales Parent OU in the HQ child domain of the
InterSwift parent domain would have the following distinguished name:
/O=Internet/DC=com/DC=InterSwift/DC=HQ/CN=Users/CN=AnnaH
If a DN is unknown or has changed, you can use the relative distinguished name (RDN) to find an object.
The RDN is a part of the DN that does not change because it is a unique attribute of the object itself.
For example, the RDN of the user object AnnaH is AnnaH and cannot change, even if the object is moved to another
OU.
You may not create duplicate RDNs in the same OU but you can have the same RDN in two different OUs because the
object has different DNs in the two OUs.
A globally unique identifier (GUID) is a 128-bit number that is assigned to an object when it is created.
The GUID does not change, even when you rename or move the object.
The GUID can therefore be used to find an object when its DN has changed.
User Principal Name (UPN): includes the DNS name for the user account object and the user account name, for example
AnnaH@interswift.com. UPNs should be unique within a domain.
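DN, RDN and GUID behaviour from the passage above, as an added example (not part of the original notes). It uses the notes' own DN for AnnaH; OU=Marketing is a constructed container and uuid4 stands in for the 128-bit GUID the directory service assigns.

```python
"""Distinguished names, relative distinguished names and GUIDs.

Added example, not part of the original notes. It uses the notes' DN for the
user AnnaH and shows why the RDN and the GUID survive a move to another
container while the DN does not, and why two objects may share an RDN only
in different containers. OU=Marketing is a constructed container; uuid4 is
a stand-in for the 128-bit GUID the directory service assigns.
"""
import uuid


def parse_dn(dn):
    """Split '/O=Internet/DC=com/.../CN=AnnaH' into [(type, value), ...], root first."""
    components = []
    for part in dn.strip("/").split("/"):
        typ, sep, value = part.partition("=")
        if not sep or not typ or not value:
            raise ValueError(f"malformed DN component: {part!r}")
        components.append((typ, value))
    return components


def format_dn(components):
    return "/" + "/".join(f"{t}={v}" for t, v in components)


def rdn(dn):
    """The RDN is the leaf component: the object's own name within its container."""
    return parse_dn(dn)[-1]


def parent_dn(dn):
    """Everything but the leaf: the container the object lives in."""
    return format_dn(parse_dn(dn)[:-1])


class Directory:
    """Minimal store keyed by GUID; the DN is an attribute that can change."""

    def __init__(self):
        self._dn_by_guid = {}

    def add(self, dn):
        # Two objects with the same RDN in the same container would have the
        # same DN, so DN uniqueness is the "RDN unique per container" rule.
        if dn in self._dn_by_guid.values():
            raise ValueError(f"{rdn(dn)} already exists in {parent_dn(dn)}")
        guid = uuid.uuid4()  # constructed stand-in for the directory-assigned GUID
        self._dn_by_guid[guid] = dn
        return guid

    def try_add(self, dn):
        """Like add(), but return None instead of raising on a duplicate RDN."""
        try:
            return self.add(dn)
        except ValueError:
            return None

    def dn_of(self, guid):
        return self._dn_by_guid[guid]

    def move(self, guid, new_container_dn):
        """A move keeps GUID and RDN; only the container part of the DN changes."""
        new_dn = format_dn(parse_dn(new_container_dn) + [rdn(self._dn_by_guid[guid])])
        if new_dn in self._dn_by_guid.values():
            raise ValueError(f"{rdn(new_dn)} already exists in {new_container_dn}")
        self._dn_by_guid[guid] = new_dn
        return new_dn


ANNA_DN = "/O=Internet/DC=com/DC=InterSwift/DC=HQ/CN=Users/CN=AnnaH"
MARKETING_OU = "/O=Internet/DC=com/DC=InterSwift/DC=HQ/OU=Marketing"  # constructed

if __name__ == "__main__":
    d = Directory()
    anna = d.add(ANNA_DN)
    print("RDN:", rdn(ANNA_DN), " container:", parent_dn(ANNA_DN))
    print("moved to:", d.move(anna, MARKETING_OU))
    print("same GUID still resolves:", d.dn_of(anna))
    print("second AnnaH in the old container accepted:", d.try_add(ANNA_DN) is not None)
    print("third AnnaH in that same container accepted:", d.try_add(ANNA_DN) is not None)
```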
---------
Domain Controllers: replicate directory data by multimaster replication.
The replication ring structure ensures that there are two paths to every controller.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=3712&type=2
END OF:
MS WINDOWS 2000 – UPDATE: NEW FEATURES AND ARCHITECTURE
---------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
---------
BEGIN
Microsoft Windows 2000 - Installation and Administration: Installation
• Windows 2000 Installation
• Advanced Installation options
• Preparing for upgrade
• Upgrading to Windows 2000
Win 2k Server:
Pentium 133MHz
Min 128RAM, 2GB HD w/ 1GB free.
VGA monitor
Client access license (CAL): Required for each client accessing server and network server.
Workgroup: Security and administration are decentralized in a workgroup because each computer maintains its own
list of users and security settings.
Domain is a grouping of networked computers that share a centralized administrative model via a replicated directory
database.
makeboot.exe from the \makeboot folder on the Windows 2000 installation CD-ROM.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14091&type=2
------------------------------------
System Preparation (Sysprep) Tool allows you to perform multiple clean installations of Windows 2000 across a
network.
allows you to preconfigure the operating system on a master computer's hard disk and then clone this configuration to a
number of other computers.
The Sysprep Tool prepares a system disk image to be copied to another system by:
• running sysprep.exe on a pre-configured Windows 2000 computer
• restarting the computer and running a third-party disk image copying tool to create the image
Cloning, also known as disk duplication, refers to the process of duplicating an image from a computer and copying it
to multiple computers.
Sysprep.inf: To limit user intervention, you can create a sysprep.inf answer file that automatically answers the
questions for the user during mini-setup.
Sysprep can be run also from the Tools folder in the Windows 2000 Resource Kit.
The Resource Kit is installed by running the command:
<driveletter>\support\reskit\deploy\setup.exe
Setupcl runs when the master computer - or any hard drive duplicated from the master computer - starts.
Once you have copied the image onto a client machine, the Sysprep Tool allows the mini Setup Wizard to run
interactively with the user.
Use sysdiff.exe in conjunction with the Setup Manager to install applications on remote machines at the same time as a
remote Windows 2000 installation.
Sysdiff is a substitute for cloning that operates without Sysprep.
Sysdiff doesn’t require identical hardware configurations on the master and target computers.
Computers that are PC98-compliant contain a PXE Remote Boot ROM. PC98 is an annual guide for hardware
developers, co-authored by MS and Intel and including contributions from other hardware manufacturers.
Create a remote boot disk by running the Win 2k Remote Boot Disk Generator, rbfg.exe, from the
\remoteinstall\admin\i386 folder on the RIS server.
A RIS server is a DC or a member server in a Windows 2000 domain that acts as the source of a remote client
installation.
RIS provides the network installation of Windows 2000 Professional or a preconfigured Remote Installation
Preparation (RIPrep) desktop image.
RIPrep is a disk cloning utility used with RIS; it doesn’t require identical hardware configurations in the master
computer and client computers.
The recommended specifications for RIS server: Pentium I/II 200 MHz and between 128MB and 4GB of RAM,
recommended minimum of 256MB.
Before you can use RIS on your network, you need to configure the following network services:
• DNS Server
• DHCP Server
• Active Directory
Bootstrap image
Once RIS is installed, the following services are activated:
• Boot Information Negotiations Layer (BINL)
• Trivial File Transfer Protocol Daemon (TFTPD)
• Single Instance Store (SIS)
BINL listens for client network service requests and ensures that the client computer is registered in the Active
Directory and that it receives the correct files from the RIS server.
TFTPD enables the RIS server to download the files needed for remote installation - Startrom.com or OSChooser.
SIS drivers scan the RIS volume for duplicate files and store them in a separate location to reduce the amount of disk
space used by RIPrep images on the RIS volume.
Automatic Setup policy setting uses only the information provided by the administrator and allows you to create
templates for simplified setup procedures.
Custom Setup allows, for example, the specification of alternative client names but still requires the input of an
administrator at the client computer during installation.
Restart Startup setting saves answers to questions during setup and reuses these answers during a second attempt if
setup fails.
Steps if you have RIS on a server on your network and now want to install Windows 2000 Pro from a remote
client machine:
• Boot the client using a PXE NIC or a remote boot floppy disk.
To create a remote boot floppy: double-click rbfg.exe in the i386 folder (Images win2000.pro), or run it from a
folder called “reminst” containing a version of the Windows 2000 client that was copied, using RIS, from another
client computer on the network.
Remote Boot Disk Generator (rbfg) boot disk: the procedure is not MS-DOS based. Instead it simulates the PXE
boot ROM with all the necessary network adapters on the disk (only works with supported NICs).
• The BINL (Boot Information Negotiation Layer) service needs to be started on the server (Services console).
• The computer reboots and starts the Client Installation Wizard.
• You are prompted to enter the username and password that you have authorized to configure RIS (you need to
authorize users to configure RIS using the RIS server’s properties dialog box in the Active Directory Users and
Computers MMC before you try to perform a remote installation).
• Select the customized client install you created.
Scenario:
Suppose you generated a remote installation disk image using the Sysprep Tool.
But you run setup on a client computer, and discover that command settings are not being processed during an
unattended installation.
To solve, you may need to adjust the syntax of the system information (SIF) file.
What may be wrong with the SIF file?
A: It may not contain the path to the oem directory.
The SIF file may not contain the name of the directory from which it is meant to extract preinstallation information -
the oem directory, by default.
To correct this problem, you change the directory information in the file in the way shown here.
\\RemoteInstall\Setup\applicable_language\Images\applicable_name\$oem$
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14096&type=2
------------------------------------
--------------------------
------------------------------------------
BEGIN Questions
Microsoft Windows 2000 - Installation and Administration: Installation
• Windows 2000 Installation
• Advanced Installation options
• Preparing for upgrade
• Upgrading to Windows 2000
The Security Configuration Manager (SCM), available in the security configuration tool set in Service Pack 4 and
later, allows for more flexible centralized network security administration; it can group and automate configuration
tasks and can help you to analyze security parameters for deviations from their baseline configuration.
SCM includes an updated Access Control List (ACL) editor that is similar to the ACL editor included in Windows
2000.
http://weblinks.smartforce.com/courseware/links.asp?course=msw01se&link=11
Post-installation scripts can be used to automate configuration settings not covered in the disk copy process.
These configuration settings are dependent on the organizational setup.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14099&type=2
Scenario:
You need to update a Win NT 4.0 domain with 95/98 clients to a Win 2k domain. Steps:
• Streamline directory services
• Remove non-critical protocols
• Install SP 4 or later
• Plan subnets
• Backup user info from Win 95/98 workstations
• Check hardware compatibility
• Setup roaming user profiles
• Convert to DNS naming conventions
------------------------------------
--------------------------
------------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Installation
• Windows 2000 Installation
• Advanced Installation options
• Preparing for upgrade
• Upgrading to Windows 2000
Win 2000 Compatibility Tool: generates a compatibility report that identifies whether or not there are any hardware
or software compatibility problems (hardware/software conflicts).
To generate a HW/SW compatibility report,
run x:\I386\Chkupgrd.bat where x represents the CD-ROM drive.
This runs the initial portion of the Setup program and checks the system for Windows 2000 compatibility issues.
It identifies the modifications you need to perform to ensure that the system is ready for upgrade. The text file
documenting the compatibility check - compat.txt - can be stored on the system volume.
Windows 95, 98, and Windows NT Workstation 3.51 or higher can be upgraded directly to Windows 2000.
To auto start Windows update from CD-ROM, type:
Start – Run: x:\i386\winnt32
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14101&type=2
Scenario: Let's say that you are upgrading an NT 4.0 PDC to Windows 2000 and putting it into an existing Windows
2000 domain tree as a child domain.
You can choose between using a Windows 2000 Server CD for the upgrade or running Winnt32.exe from a shared
network folder containing the installation files.
In this case you choose to use the CD.
During the final reboot, the Setup program automatically logs on as the Administrator, and the Active Directory
Installation Wizard opens.
You can continue configuring the server environment at this point or postpone running the wizard.
The Active Directory Installation Wizard completes the upgrade to Windows 2000 Server.
It also installs the Active Directory service on your domain controller.
Scenario: Suppose you have upgraded from NT 4.0 to Windows 2000 and you need to place the upgraded PDC into an
existing domain tree as a child domain.
The existing domain tree is the interswift.com domain, which is located in New York.
Your updated child domain is Marketing, which is located in Chicago.
Select the option (radio button) that allows you to add the server to an existing tree:
• Create a new child domain in an existing domain tree
(if you want the new domain to be a child of an existing domain, select this option. For example you could
create a new domain named headquarters.example.microsoft.com as a child domain of the domain
example.microsoft.com.)
Specify the full DNS name of the parent domain (i.e. interswift.com)
Then enter the name of the child domain (i.e. marketing)
Complete DNS name of new domain:
marketing.interswift.com
Specify a NetBIOS domain name (i.e. MARKETING)
On the Database and Log Locations page, you specify the location of the Active Directory database and the database
log.
Microsoft recommends that you store the database and log on separate hard disks in order to optimize performance and
recoverability.
You decide to store the database in the locations shown and you click Next.
To verify that a user is authenticated in the Active Directory, you log on in a domain and select Start - Search - For
People.
The Active Directory Migration Tool (ADMT) is a tool to assist network administrators with migration from
Windows NT to the Windows 2000 Active Directory service.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=38548&type=2
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14102&type=2
In order to add a security ID (SID) history, you enter a username and password that has administrative rights in the
InterSwift domain and then you click Next to continue.
Options you can specify for user in migration process:
• If user rights should be updated
• If accounts should be renamed
• If associated user groups should also be migrated
Conflicting account: you can choose to prefix the migrating account with some letters (e.g. MK), and click Next. You
can view the log when completed.
The Reporting Wizard helps you to create reports about migration operations you have carried out.
------------------------------------
--------------------------
------------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Administration
• Basic administration
• Administrative tools
• Administrative strategies
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14992&type=2
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14993&type=2
My Network Places: Provides a view of the network resources available to the logged-on user:
• Add Network Place
o Add shared folders
o Web folders
o FTP sites as network places
• Entire Network
o Microsoft Windows Network Icon: View available domains and computers
o Directory Icon: Access objects in the Active Directory
• Computers Near Me
o View the computers in your workgroup or domain
Language - International
Input locale indicator: Allows you to enable other language fonts that have been installed.
The input locale changes the keyboard layout or input method depending on the language that you choose to insert.
You can set individual applications to use different input locales.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14995&type=2
Accessibility:
Microsoft Magnifier: Uses a portion of the screen to magnify the area in which the cursor or mouse pointer is located.
Ability to save the accessibility settings in a separate file.
Utility manager: Allows you to adjust desktop settings without using the Accessibility Wizard.
Accessibility menu:
o Magnifier
o Narrator: Provides text to speech translation for those who are visually impaired. Allows the user to
customize how screen contents are read.
o On-Screen Keyboard
When logging on, users provide their names and case-sensitive passwords.
The username may be the standard name, LisaJ, or the UPN name, LisaJ@marketing.interswift.com.
Users who employ their UPN names need not supply a domain to which they want to connect because the UPN defines
their location in the Active Directory.
Standby mode: Useful for battery-powered computers. Windows removes the power from devices such as monitors and
hard disks to conserve energy.
Restarting: Closes all applications, removes policies, profiles and scripts, and unloads the OS.
The MMC has no management functionality of its own, but it provides a consistent interface for management
applications known as MMC snap-ins.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14997&type=2
The Distributed File System (Dfs) enables you to group several storage areas on the network so that they appear as
one location and file system to the user.
The Dfs manager allows you to create file trees and manage users' access to them.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14998&type=2
Offline files cache network data to the local machines so that users can access the data when they are disconnected
from the network.
You can publish resources, such as printers and shared folders, at a central location on the network so that users can
gain access to them from anywhere on the network.
You can delegate administrative control in the Active Directory by assigning permissions to administrators to
• modify specific OUs
• modify specific object attributes in an OU
• perform a specific task in all the OUs in a domain
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=15000&type=2
A taskpad is a simplified interface that contains one or more tasks that are shortcuts to commands or administrative
tasks in an MMC snap-in; create easy-to-use customized tools for users who perform a limited number of
administrative tasks.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=15001&type=2
Access token: contains the user’s SID and universal, global, and domain local group memberships. It determines which
resources the user may access on the network.
You can activate the Secondary Logon service on your computer by
• selecting Run as from a shortcut menu
• using the runas command from the DOS prompt
Ways to use the runas command:
• include the runas command in a batch file to run an application automatically with a particular user account
logon
• create a shortcut that uses the runas command
• run applications automatically at logon; do this if you often need to run a single application with a specific set of
privileges.
--
Suppose you want to create a shortcut to the Secondary Logon service so that you can use it to access an application.
To do this, you right-click the application you want to access, for example Licensing.
And you select Properties.
On the Shortcut tabbed page you select the Run as different user checkbox.
Then you click OK.
To execute the run as command, you right-click Licensing and you select Run as from the shortcut menu.
In some cases you may have to hold down the Shift key while right-clicking the application.
The variables you can use with the runas command are
• /profile
• /env
• /netonly
• /user
• program
The variable /profile is used to add user profiles, while /env specifies that the current environment must be used instead
of the user's environment.
The /netonly variable is used when the specified credentials pertain only to remote access.
The variable /user specifies the username, and program is a command line for executables.
The user name should be represented in the form USER@DOMAIN or DOMAIN\USER.
C:\> runas /user:johnnarus@zoetronics.com “mmc diskmgmt.msc”
Enter password for johnnarus@zoetronics.com: XXXX
Attempting to start “mmc diskmgmt.msc” as user “johnnarus@zoetronics.com”...
User principal name (UPN): combination of the user logon name and a domain name. By default, the UPN suffix is
the DNS name of the domain in which you are creating the account. logonname@domainname.com
User cannot change password option: Ensures only Admins and members of the Account Operators group can change
the user’s password.
http://weblinks.smartforce.com/courseware/links.asp?course=msw12se&link=1
* User names are not case sensitive, but Windows 2000 preserves case for reference.
* User logon names can be no longer than 20 characters: userlogonname@domainname.com
* Reserved special characters: “ / \ [ ] : ; | = , + * ? < >
* Pre-Windows 2000 logon name: used for pre-Windows 2000 computers: ZOETRONICS\userlogonname
* Passwords: between 8 and 128 characters, lowercase and uppercase letters, numbers, and valid symbols. Valid
symbols for passwords: “ / [ ] : ; ! = , + ? < >
* User cannot change password checkbox: can be used when more than one person has access to a domain user
account; only administrators and members of the Account Operators group can change the user’s password.
* Password never expires checkbox: can be used for accounts that may be affected by the normal password
expiration process, for example accounts used to run Windows 2000 services or programs.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14948&type=2
Properties can be used when you search for objects in the Active Directory. 15 properties tabs exist for each user.
Security, Published Certificates, and Objects tab will not be listed if you haven’t selected Advanced Features in the
View menu of the Active Directory.
*Advanced Features in the View menu of the Act Dir Usr & Comp Console:
Enables all 15 properties tabs in user properties dialog box
Account options:
Account is trusted for delegation
Account is sensitive and cannot be delegated
Use DES encryption types for this account
Do not require Kerberos preauthentication
User profiles and Home folders used when a computer is used by more than one user, to allow each user to create
custom settings and specific applications on the computer.
Profile Path: used to configure the user’s environment, including desktop settings and peripheral devices; default
folder to open documents from and save documents to; can be stored on local computers or on a central server.
Profile path: \\sales\sales1\shared01\SimoneA
Logon script: \\sales\sales1\logonuser\SimoneA
Home folder
Connect G: To: \homes\SimoneA
Published Certificates tabbed page: Allows you to view or add certificates issued to or by the user.
Home Directory or folder: Win 2k addition to a user’s profile that is an alternative to, but not a replacement of, the
My Documents folder.
“Object” Tabbed page: Contains the path to the user account object in the domain.
Unique Sequence Number (USN): Used for replication purposes; indicates how many times changes have been made
to the account; Domain controllers use it to determine the correct version of a user account in their databases.
Security Tabbed page: Allows you to assign permissions to the user’s account object; contains a list of the groups or
user accounts that presently have permissions to the object, as well as a list of the permissions granted to each of them;
access advanced options from this page to configure permissions and auditing settings for the object and to view details
about the object’s owner.
Environment tabbed page: Allows you to configure the user’s environment when a Terminal Services session is
established; ensure a particular program starts up when the user initiates a session; supply the name of the program file
and specify the location (directory) it should run from; determine whether network drives and printers and the client’s
default printer are automatically connected at logon.
Sessions tabbed page: Set the timeout and reconnection settings for Terminal Services; time to end a disconnected
session; active session limit; idle session limit; allow reconnection.
Terminal Services Profile tabbed page: Allows you to set the user profile and home directory that are used when
establishing a Terminal session.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14949&type=2
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14950&type=2
*Built in Administrator account cannot be deleted, but can be renamed for security.
Guest account disabled by default
Organization tab:
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14950&type=2
Troubleshooting user account problems:
User profiles may become corrupted, causing a variety of problems.
A HW error may prevent users from accessing resources on the network.
May find problems if another network administrator changes user configuration without your knowledge.
Unauthorized users who have excessive rights are changing system configurations.
A virus has entered your network, corrupting resources.
Good idea to create a user account for yourself with no special rights, which you can use for non-administrative tasks to
ensure you do not use your administrative account incorrectly.
------------------------------------
--------------------------
------------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Users
• Creating users
• Creating multiple user accounts
• User profiles
Bulk import: Create multiple user accounts simultaneously by importing data to the Active Directory from a file;
import file is a text file formatted in comma-delimited format (comma-separated value format).
Attribute line:
DN,objectClass,samAccountName,userPrincipalName,displayName,userAccountControl
“cn=Anna Herrera,
ou=SalesManagers,dc=Washington,dc=interswift,dc=com”,user,AnnaH,AnnaH@interswift.com,”Anna Herrera”,512
Downlevel logon name (user account name): AnnaH; used to connect to a network resource with a different logon
name from the one you are presently logged in with, or used from a pre-Windows 2000 client.
User principal name: used to log on from a Windows 2000 client computer.
An imported file needs to contain this name because it is used to log on to a domain.
The file also needs to show whether the user account is enabled or disabled.
Attribute line (properties line): The first line of a user's file, and it provides the attribute names you want to specify in
the user account. You place the attributes in the order in which you want them to appear and you separate them with
commas; the Active Directory schema defines attribute names; if a value is missing, leave it blank but include the commas
in the user account line.
DN (distinguished name): identifies the path to the object’s location in the Active Directory tree.
cn=Ana Smith,ou=Marketing,dc=Washington,dc=domainname,dc=com
objectClass = user
samAccountName = Ana Smith
userPrincipalName= AnaS@domainname.com
display name= Ana Smith
userAccountControl=512 (means account is enabled) 514 (disabled)
CSVDE command: used to import user accounts from an Access database on the network.
C:\>csvde –i –f C:\Newusers.txt –s server1
-i (specifies you are importing from a file)
-f (indicates that the next parameter in the command is the name of the file to import)
-s (indicates the server name of the server to which the file is being imported)
LDAP Data Interchange Format (LDIF): Internet standard file format that can be used on directories that conform
to LDAP standards.
• Import/Export data
• Modify/Delete/Create objects
LDIFDE utility: batch operations performed with LDIF. (can be used instead of CSVDE)
dn: CN=Bob Smith,OU=Sales,DC=Washington,DC=domainname,DC=com
changetype: add
cn: Tom Hanks
objectClass: user
samAccountName: JohnN
givenName: John
sn: Narus
Active Directory Services Interfaces (ADSI): used with Windows Script Host to create batch operations in
VBScript or Java; used to import/export a file and to create/delete/modify an AD object.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=14951&type=2
Task:
Use the DOS command prompt to import the file Newusers.txt from the C drive of your computer into the directory on
the brocadero1 server.
csvde –i –f C:\Newusers.txt –s brocadero1
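As an added example (not from the course notes or Microsoft's tools), the following Python script builds a CSVDE import file and the equivalent LDIFDE records from a constructed user list for a hypothetical washington.interswift.com domain, applying the logon-name rules from these notes (20-character limit, reserved characters) and the userAccountControl values 512/514 before a record is written.

```python
import csv
import io

# Characters the notes list as reserved in user logon names.
RESERVED_CHARS = set('"/\\[]:;|=,+*?<>')

# userAccountControl values from the notes: 512 = enabled, 514 = disabled.
UAC_ENABLED = 512
UAC_DISABLED = 514

# Attribute (header) line order for the CSVDE file.
CSV_ATTRIBUTES = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                  "displayName", "userAccountControl"]

# Constructed sample input: hypothetical users in a hypothetical child domain.
DOMAIN = "washington.interswift.com"
USERS = [
    {"first": "Anna", "last": "Herrera", "logon": "AnnaH",
     "ou": ["SalesManagers"], "disabled": False},
    {"first": "John", "last": "Narus", "logon": "JohnN",
     "ou": ["Sales"], "disabled": True},
]


def validate_logon_name(name):
    """Return the list of rule violations for a downlevel logon name ([] if valid)."""
    problems = []
    if not name:
        problems.append("logon name is empty")
    if len(name) > 20:
        problems.append("logon name longer than 20 characters")
    bad = sorted(set(name) & RESERVED_CHARS)
    if bad:
        problems.append("reserved characters: " + "".join(bad))
    return problems


def escape_rdn(value):
    """Backslash-escape characters that are special inside an RDN value."""
    return "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)


def build_dn(cn, ou_path, domain):
    """CN first, then the OU chain (innermost first), then one DC per DNS label."""
    rdns = ["CN=" + escape_rdn(cn)]
    rdns += ["OU=" + escape_rdn(ou) for ou in ou_path]
    rdns += ["DC=" + label for label in domain.split(".")]
    return ",".join(rdns)


def user_record(user, domain):
    """Derive the attribute values for one user; refuse names that break the rules."""
    problems = validate_logon_name(user["logon"])
    if problems:
        raise ValueError(user["logon"] + ": " + "; ".join(problems))
    cn = user["first"] + " " + user["last"]
    return {
        "DN": build_dn(cn, user["ou"], domain),
        "objectClass": "user",
        "sAMAccountName": user["logon"],
        # The UPN suffix defaults to the DNS name of the domain the account is created in.
        "userPrincipalName": user["logon"] + "@" + domain,
        "displayName": cn,
        "userAccountControl": UAC_DISABLED if user.get("disabled") else UAC_ENABLED,
    }


def to_csvde(users, domain):
    """Attribute line plus one comma-separated line per user, for csvde -i -f."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")  # DNs contain commas, so they get quoted
    writer.writerow(CSV_ATTRIBUTES)
    for user in users:
        rec = user_record(user, domain)
        writer.writerow([rec[attr] for attr in CSV_ATTRIBUTES])
    return buf.getvalue()


def to_ldifde(users, domain):
    """One 'changetype: add' record per user, blank-line separated, for ldifde -i -f."""
    records = []
    for user in users:
        rec = user_record(user, domain)
        records.append("\n".join([
            "dn: " + rec["DN"],
            "changetype: add",
            "objectClass: user",
            "cn: " + rec["displayName"],
            "sAMAccountName: " + rec["sAMAccountName"],
            "userPrincipalName: " + rec["userPrincipalName"],
            "displayName: " + rec["displayName"],
            "userAccountControl: " + str(rec["userAccountControl"]),
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_csvde(USERS, DOMAIN))
    print(to_ldifde(USERS, DOMAIN))
```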
User profile: user’s desktop and application settings, personal data, and network connections; includes
Start menu items and mapped connections to network servers or mapped drives.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp
?link_id=14952&type=2
Mandatory user profiles: Mandatory user profiles are created by an administrator to enforce standard
desktop settings for users or groups of users; only an administrator can make changes to these profiles and
copies only changed files; the local copy of the profile is used if the server containing the roaming profile is unavailable.
Mandatory roaming profiles: enforce standard desktop settings for users regardless of the computer they
use to log on; Users are unable to make changes to these profiles; read-only user profile.
To create, change ntuser.dat to ntuser.man making it read-only; done on server where the mandatory
roaming profile is stored.
Ntuser.dat file: contains config settings for Windows 2000 Registry, Windows Explorer, My Documents,
mapped network drives; hidden file.
Network default user profile: create a user profile with the desired settings and store it in the Netlogon
share of each domain controller on the network.
<systemroot>\SYSVOL\sysvol\domain\scripts
When users log on for the 1st time, their local profiles are copied from the default user profile into the
Documents and Settings\<User> folder.
My Documents: the default storage location for the Save As and File Open commands.
Control Panel System: allows you to view the user profiles stored on your computer.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp
?link_id=14953&type=2
Groups: Active Directory or local computer objects that include other objects.
Rights: user or computer account-based actions; authorize users to perform specific actions, for example logging on to
a system or backing up files and folders.
Nesting: When you add a group to an existing group, it inherits the permissions of the group to which it was added;
advisable not to nest more than three levels deep.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=15268&type=2
Native mode: A domain is in this mode when all the domain controllers on the network are running Windows 2000.
*a change from Mixed mode to Native mode is irreversible.
Mixed mode: Domain used to accommodate Windows NT 4.0 directory service; limits the # of features available in a
domain (i.e. universal group scope and group type conversion not supported).
Security “Group Scope”: Each security group has a scope; the scope of a security group determines whether you can
add members only from the domain on which it was created or from any domain; also determines whether you can
assign members permissions to resources on other domains within the forest.
• Global
• Domain local
• Universal
“Global” security group scope: Members may be selected only from the domain or subdomain on which the group is
created. But you may assign them access to resources on any domain or subdomain in the domain tree or forest; useful
for assigning permissions to users who require access to resources in other domains.
For example, a global group in the sales.interswift.com subdomain can include members only from the
sales.interswift.com subdomain.
* You can grant global groups on any domain in a forest access to resources on any other forest domain.
Grant members of this group permissions to resources located in the following domains or subdomains:
• Interswift.com
• Sales.interswift.com
• Marketing.interswift.com
• Shipping.interswift.com
“Domain local” security group scope: members may include user accounts from any Windows 2000 or Windows NT
domain; you can add domain local groups as members, provided they are from the same domain; global groups and
universal groups can be nested within domain local groups.
Local groups cannot be created on domain controllers because the security database of a domain controller cannot be
independent of the Active Directory.
Although local groups can contain local user accounts, global groups, and universal groups from any domain as
members, they can only be members of local groups.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=15268&type=2
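As an added example (not from the course notes), the following Python checker encodes the group scope and nesting rules above as these notes state them, so a proposed membership can be tested before it is made in Active Directory Users and Computers; the group names and domains used in it are constructed.

```python
from dataclasses import dataclass, field

MAX_NESTING = 3  # the notes advise not nesting groups more than three levels deep


@dataclass
class Principal:
    """A user account or security group; kind is one of the scopes from the notes."""
    name: str
    domain: str
    kind: str                      # "user", "global", "domain_local" or "universal"
    members: list = field(default_factory=list)


def contains(group, target):
    """True if target is group itself or is reachable through nested membership."""
    if group is target:
        return True
    return any(contains(m, target) for m in group.members if m.kind != "user")


def nesting_depth(principal):
    """Number of group levels below principal (a user or a group of only users is 0)."""
    nested = [m for m in principal.members if m.kind != "user"]
    return 1 + max(nesting_depth(g) for g in nested) if nested else 0


def can_add(group, member, native_mode):
    """Return (allowed, reason) for adding member to group under the notes' rules."""
    if group.kind == "user":
        return False, "a user account cannot contain members"
    # Universal scope is only available once the domain is in native mode.
    if not native_mode and "universal" in (group.kind, member.kind):
        return False, "universal group scope is not available in mixed mode"
    # Domain local groups can only be members of (same-domain) domain local groups.
    if member.kind == "domain_local" and group.kind != "domain_local":
        return False, "domain local groups can only be members of domain local groups"
    if (group.kind == "domain_local" and member.kind == "domain_local"
            and member.domain != group.domain):
        return False, "nested domain local groups must come from the same domain"
    # Global groups take members only from the domain they were created in.
    if group.kind == "global" and member.domain != group.domain:
        return False, "global groups take members only from their own domain"
    if group.kind == "global" and member.kind == "universal":
        return False, "universal groups cannot be nested in global groups"
    if contains(member, group):
        return False, "membership would be circular"
    # Checks only the subtree below group; the notes call the limit advisory.
    if member.kind != "user" and nesting_depth(member) + 1 > MAX_NESTING:
        return False, "nesting would exceed %d levels" % MAX_NESTING
    return True, "ok"


def add_member(group, member, native_mode):
    """Apply can_add and, if allowed, record the membership."""
    allowed, reason = can_add(group, member, native_mode)
    if allowed:
        group.members.append(member)
    return allowed, reason


if __name__ == "__main__":
    # Constructed scenario: a sales global group may not take a marketing user.
    sales = Principal("SalesStaff", "sales.interswift.com", "global")
    anna = Principal("AnnaH", "marketing.interswift.com", "user")
    print(add_member(sales, anna, native_mode=True))
```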
Administrator's user accounts are assigned to the Enterprise Admins group automatically.
However, you can alter the default membership of this group to determine which users can administer the full network.
Enterprise Admins: built-in group, members can be added only from the same domain, unless you alter the group.
Account Operators can create, delete, and modify user accounts and groups, but they cannot modify the
Administrators or Operators groups.
Print Operators can set up and manage network printers on a domain controller.
Administrators can carry out all administrative tasks on all domain controllers and on the domain itself.
Server Operators can share disk space and back up and restore data on local domain controllers.
And Backup Operators can use Windows 2000 Backup to back up and restore all domain controllers.
You assign permissions for specific network resources using the Users and Guests domain local groups.
The Domain Users global group is a default member of the Users domain local group.
The Domain Guests global group automatically has as its member the domain's default user account group and by
default is a member of the Guests local group in the same domain.
Windows 2000 creates the following built-in local groups on member servers, standalone servers, and computers
running Windows 2000 Professional:
• Users
• Administrators
• Guests
• Backup Operators
• Power Users
• Replicators
Windows 2000 creates built-in system groups, also referred to as special identities, on all local computers.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=15269&type=2
*Keep membership of universal groups static; changes need to be replicated to a large # of DCs on the network.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=20070&type=2
------------------------------------
--------------------------
------------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Groups and Terminal Services
• Groups
• Creating and administering groups
• Terminal Services
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15271&type=2
Terminal Services: Optional Windows 2000 Server component; enables users to access centralized
applications from remote locations; allows users of diverse clients and hardware to access a standard view
of applications; reduces total cost of ownership (TCO) by allowing legacy clients - without the minimum HW
requirements for the OS - to use Windows 2000.
- Helps administrators to monitor, configure, and manage the network and server from remote locations.
- After a client computer initiates a Terminal Services session, all user input, program execution, data
processing, and data storage tasks occur on the server; provides only the Terminal Services interface - an
image of the server's desktop; can be a thin client.
Supports 32-bit and 16-bit Windows-based apps, DOS-based apps, and handheld PCs.
Remote Desktop Protocol (RDP): Used by Terminal Services to create the communication link between
client and server; manage multiple independent user logons and Terminal Services sessions.
A single user can conduct multiple Terminal Services sessions on the server at once, provided that each
session runs a different application.
A user can disconnect from a Terminal Services session without logging off; enables the user to re-establish
the session at another time or on another machine; it is possible for one user to have multiple sessions with
unique desktops open on several machines.
Network load balancing [Win2k Advanced Server and Datacenter Server]: allows Terminal Services
clients to connect to a pool of servers running Terminal Services; provides a server load balancing facility
during terminal sessions and eliminates a single point of failure on the network.
Terminal Services supports the Distributed file system (Dfs), which means that admins can host shares on a Terminal
server; Dfs support also allows Terminal server users to connect to a Dfs share on the Terminal server.
Terminal Services Licensing: Restricts user access to applications on the Terminal server.
Terminal Services Client Access License
Licensed on a per-seat basis only; the Terminal Server Internet Connector license is the exception to this rule.
Licenses allow an admin to restrict access to specific apps on the Terminal server to improve network
security and efficiency
- need to back up the licensing service on the Terminal server regularly
Mac and UNIX workstations require third-party software (Citrix MetaFrame) for Terminal Services.
*doesn’t support serial, parallel, or sound ports integrated with the client desktop.
Network TS Install:
C:\WINNT\System32\Clients (folder must be shared)
You can configure the following user settings for terminal services:
• user profiles
• home directories
• client installation
tsshutdn command (notifies users that the server is about to shut down)
*once apps have been installed on a Terminal server, they may malfunction if TS is switched off.
HD: several stacked metalized platters; heads read the magnetic orientation of a tiny section of the disk;
low-level/physical format gives the physical structure (tracks, cylinders, and sectors); track (ring on the disk where
data is stored), cylinder (a single track location on all platters), sector (512-byte unit of the physical disk).
Cluster: fundamental storage unit on a disk; min allocation unit; consist of a # of sectors; increased cluster size allows
disk sizes to be larger – results in wasted space for partially used cluster.
Basic disk: Default Windows 2000 storage type; supports primary and extended partitions; can convert to dynamic disk.
Dynamic disk: Consists of one large partition and several disk divisions called volumes.
EFS: includes mandatory recovery policy to recover encrypted data when its security certificates have been lost (i.e. a
disk fails); designates users as recovery agents; certificate defines the scope of that agent’s recovery abilities.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15888&type=2
The Distributed File System (Dfs): logical, distributed file system type built on top of other file systems such as
NTFS; used to create a logical tree of storage locations that is independent of the physical locations of the drives, files,
or folders; a Dfs tree provides users with a single namespace (UNC): \\<servername>\<sharename>
UDF: successor to CDFS used by CD-ROM and DVD devices; supports access control lists, long filenames, reading
and writing, and bootability.
Dual-Boot: allocate a volume to each OS and apps on same volume; NTFS, FAT, FAT32; each OS needs unique
network name.
Admin shares default $: each volume’s root, CD-ROM, system root folder, and print drivers folder.
FAT/FAT 32 file system only allows permissions at the shared folder level.
NTFS: allows permission at folder and file level as well as at the share level.
Shared folder objects in Active Directory can be assigned NTFS permissions only.
Administrators and Server Operators groups can share folders on any computer in the domain.
Power Users group: (a local group) can share folders only on the local computer
Effective permission: assigned by virtue of group membership
Access Control Entries (ACEs): Used to store NTFS file and folder permissions in the ACLs.
Access Control Lists (ACLs) – each file and folder on an NTFS volume has an associated ACL; contains all the user
and group accounts that have access to the file or folder and the type of access permitted.
Permissions are:
• Permissions are cumulative
• File permissions override folder permissions
• A denied permission overrides all other permissions
Advanced permissions:
• Standard write: combination of Create Files/Write Data, Write Attributes, Write Extended Attributes
• Create Files/Write Data: allows or denies the right to create files within a folder and modify content.
• Write Attributes: allows or denies the right to change the attributes of a file or folder.
• Traverse Folder/Execute File: allows/denies the right to move through folders to access files in a particular
folder even if you do not have permissions for the traversed folders.
• List Folder/Read Data: Allows or denies you the right to view the contents of a folder and to read the
contents of files
• Read Attributes: allows/denies you the right to view the attributes of a file or folder
• Read Extended Attributes: allows/denies the right to view the extended attributes of a file that may be
defined by particular applications.
• Create Folders/Append Data: allows/denies the right to create folders within a folder and append data to
the end of a file, without overwriting existing content.
• Delete: allows/denies the right to delete folders and their contents.
• Delete Subfolders and Files: allows/denies the right to delete subfolders and files in a folder - even if the
delete permission has not been granted for the folder.
• Read: allows/denies the right to view the permissions for a file or folder.
• Synchronize: allows/denies different threads for multithreaded programs waiting on the handle for a file or
folder.
• Change: allows/denies the right to change the permissions associated with a file or folder
• Take Ownership: allows/denies right to take ownership
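Worked example of the three permission rules above (cumulative, deny overrides, file overrides folder) and the Standard Write expansion, written in Python. This is an added example, not code from these notes or from Windows; the ACL, the user and group names, and the rule that an explicit file ACE replaces the folder ACL are constructed assumptions that simplify real NTFS inheritance.

```python
"""Effective NTFS permission check, modelled in Python (added example)."""
from dataclasses import dataclass

# Standard permission -> the advanced rights it bundles. Only Write is given
# in the notes above, so it is the only bundle modelled here.
STANDARD = {
    "Write": {"Create Files/Write Data", "Write Attributes",
              "Write Extended Attributes"},
}


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: a trustee (user or group), the rights it
    names, and whether the entry allows or denies them."""
    trustee: str
    rights: frozenset
    allow: bool


def expand(rights):
    """Replace a standard permission by the advanced rights it contains."""
    out = set()
    for right in rights:
        out |= STANDARD.get(right, {right})
    return out


def effective_rights(acl, user, groups):
    """Rights the user ends up with on one object.
    - cumulative: allow ACEs for the user and any of the groups add up
    - a matching deny ACE wins over every allow"""
    identities = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in identities:
            continue
        (allowed if ace.allow else denied).update(expand(ace.rights))
    return allowed - denied


def effective_on_file(file_acl, folder_acl, user, groups):
    """File permissions override folder permissions: if the file carries
    explicit ACEs for the user or groups, only those count; otherwise the
    folder ACL applies. (Simplification of NTFS inheritance: assumption.)"""
    identities = {user, *groups}
    if any(ace.trustee in identities for ace in file_acl):
        return effective_rights(file_acl, user, groups)
    return effective_rights(folder_acl, user, groups)


# Constructed sample: folder ACL for a Sales share (names made up).
FOLDER_ACL = [
    ACE("Domain Users", frozenset({"List Folder/Read Data", "Read Attributes"}), True),
    ACE("Sales", frozenset({"Write"}), True),
    ACE("Contractors", frozenset({"Create Files/Write Data"}), False),
]
# A file in that folder whose ACL was set explicitly: Sales gets Delete only.
FILE_ACL = [ACE("Sales", frozenset({"Delete"}), True)]

if __name__ == "__main__":
    alice = ("alice", {"Domain Users", "Sales", "Contractors"})
    # Sales grants Write, but the Contractors deny strips Create Files/Write Data
    print(sorted(effective_rights(FOLDER_ACL, *alice)))
    # on the file, the explicit file ACE replaces the folder permissions
    print(sorted(effective_on_file(FILE_ACL, FOLDER_ACL, *alice)))
```

The deny for Contractors removes only the one advanced right it names; the other two rights bundled in Write survive, which is why effective permissions must be computed at the advanced-right level rather than by comparing standard permission names.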
Objectives:
Configure the Distributed File System (Dfs)
Create and replicate root and child nodes
Create a root node and a child node in a Dfs tree
The Distributed File System (Dfs): allows you to organize and manage multiple network shares in a logical
namespace; uses a tree topology to represent a single logical hierarchy; easier to back up resources; easier to manage
virus scans.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15126&type=2
*if a fault-tolerant Dfs tree fails, you redefine the location of the tree and its shared folders; users can still use the
same Dfs path
*do not force replication manually once Dfs has been configured for automatic replication
*you need to provide the name of the server on which the standalone Dfs root must be located (i.e.
sales1.sales.domainname.com)
Offline Files
Server Message Block-based (SMB) file and printer sharing: SMB is the message format MS-DOS and Windows use
when files, folders, and devices are shared (Win 95/98/NT)
*shared network files available offline, are stored in the root directory of your hard disk by default (10% of disk space
by default)
Offline Files Cache Mover (cachemove.exe): Win 2k Pro Resource Kit
The Synchronization Manager allows you to save network and user computer versions of an offline file if both
versions have been modified.
IIS 5.0 and Windows 2000: web sites, intranets, extranets, e-commerce sites
• News bulletin boards NNTP
• E-mail services SMTP
• Web page creation
• File sharing on the Internet
Web Distributed Authoring and Versioning (WebDAV): Extension of HTTP 1.1; allows multiple users to
collaborate on docs; offline editing, conflict resolution.
FrontPage Server Extensions
Platform for Internet Content Selection (PICS): Provides audience ratings for web pages. (i.e. for mature content)
Active Server Pages (ASP): Scripting tool for complex HTML coding.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wiaaut/wia/wiax/overviews/gettingstartedsamples.asp
Each site has an individual host header and operates as a separate user domain.
You cannot place a WebDAV directory under the Wwwroot directory because this directory has special DACLs that are
not advisable to use for your own directories.
Windows 2000 Kerberos version 5 replaces NT LAN Manager as the primary security protocol for resource access:
• the Digest Authentication protocol: W3C standard
• the Server-Gated Cryptography (SGC) protocol: Extension of the Secure Sockets Layer (SSL); 128 bit
encryption
• the Fortezza protocol: US gov’t security standard; complies with Defense Message System security
architecture
Digest Authentication works by hashing the password.
Instead of Digest Authentication, you can use Anonymous, HTTP Basic, Integrated Windows Authentication, or NT
LAN Manager protocols.
Certificate Trust List (CTL): create trusted certification authorities for a web site.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=166D3102-F5A8-49A2-B779-153B7F59BCD3
Script Source Access permission: allows users to change the source code of a web page; only allowed if Read and
Write access are allowed.
Log visits
To allow users to view or write to files without changing their properties, you grant them the following NTFS
permissions:
• List Folder Contents - to view a list of a folder's contents
• Read or Write access - to view or write to a file
• Read and Execute - to run executable files such as scripts
To allow users to change the properties of a file or folder, you grant them the following NTFS permissions:
• Full Control - to control files, directories, and their properties
• Modify - to add, delete, or change files and their properties
And to deny access altogether, you use the No Access permission.
Discretionary Access Control List (DACL): permissions for files or directories to assign NTFS permissions for your
web site.
You can deny individual computers, groups of computers, or entire networks access by denying access to their IP
address ranges in your web server’s permissions.
403 Access Forbidden error message: if IP address or user account authentication fails.
401 Access Denied error message: If NTFS permissions fail.
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/WINDOWS2000/techinfo/reskit/en-us/iisbook/c09_iis_5.0_security_checklist.asp
If certain web pages cannot be visited by certain users, this may be because the browscap.ini file on your server hasn't
been updated with the latest browser versions.
http://www.oreillynet.com/search/
Windows 2000 supports DVD devices using the Win32 Driver Model (WDM) and DirectShow
WDM: provides a driver interface for the multimedia functions of the DVD device.
DirectShow: framework for data exchange with the DVD device itself
Region 1 coding: US
Type RPC1: only one region change is permitted
Type RPC2: change up to five times
DMA required for DVD device;
right-click Primary IDE Channel -> Properties -> Advanced Settings -> Transfer Mode: DMA if available
http://www.pcworld.com/howto/article/0,aid,103793,00.asp
http://www.smartforce.com/learning_community/applications/course_resources/login1.asp
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/WINDOWS2000/en/professional/help/wgs_gs_01023.htm
Input Locales
Extensible Authentication Protocol (EAP): use smart cards as authentication; allows for the encryption of
data across a network connection
Switch box: works with keyboard and mouse, not supported by BIOS version earlier than 1.9.0 or Windows
2000
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/WINDOWS2000/techinfo/reskit/en-us/prork/prdk_tel_myqt.asp
Modems:
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/WINDOWS2000/en/professional/help/sag_MODEconcepts_111.htm
Infrared Data Association (IrDA): speeds = 115,000 (IrDA-SIR Async Serial Trans) or 4 Mbps; must be
enabled in BIOS.
IrLPT
IrTran-P: allows computer to receive images from digital cameras but it cannot initiate a connection.
Infrared noise: caused by illumination and sunlight
IrDA-FIR: half-duplex transmission at up to 4 Mbps; most common on laptops.
Multiprocessor
ACPI: Defines how OS and HW use power between one another so that the OS manages all power
distribution within the system.
Task Manager: use to end apps or processes or set priority of running apps.
Affinity: Assign a process or application to one processor only.
Threads can be assigned to processors for a more granular optimization.
Affinity mask: process of assigning threads to processors.
Soft Affinity: Threads will be run on the last processor that processed them; if unavailable, 2nd processor
will share workload.
Hard Affinity: Restricts threads from running on processors that are not configured in the affinity mask. May prevent
other program threads from using the least busy processor.
DPC - Software Interrupt Partitioning: to improve performance; allows you to set processor affinity in the
case of dedicated servers with heavy network load by assigning software interrupts generated by disk or
network adapters to specific processors.
Interrupt Filter Tool: Utility to manage processor affinity.
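Added example (not from these notes or from Windows) modelling in Python the affinity mask bit layout and the soft vs hard affinity dispatch rules described above. The dispatch rule, the queue lengths and the processor numbers are constructed assumptions; only the mask format (bit n set = processor n allowed, the form the Win32 SetThreadAffinityMask and SetProcessAffinityMask calls take) is real.

```python
"""Affinity mask and soft vs hard affinity, modelled in Python (added example)."""


def affinity_mask(processors):
    """Bitmask with bit n set for each allowed processor n (the Win32
    SetProcessAffinityMask / SetThreadAffinityMask mask format)."""
    mask = 0
    for p in processors:
        mask |= 1 << p
    return mask


def processors_in_mask(mask):
    """Inverse of affinity_mask: processor indexes the mask allows."""
    return [i for i in range(mask.bit_length()) if (mask >> i) & 1]


def pick_processor(last_processor, queue_lengths, hard_mask=None):
    """Choose the processor a ready thread is dispatched to.

    queue_lengths: dict processor -> ready threads already queued on it
    hard_mask:     affinity mask the thread is restricted to (None = any)

    Soft affinity: run on the last processor that ran the thread when that
    processor is idle; otherwise take the least busy allowed processor.
    Hard affinity: processors outside the mask are never considered, even
    when one of them is the least busy (the cost noted above).
    The dispatch rule itself is a simplification: assumption."""
    allowed = (processors_in_mask(hard_mask) if hard_mask is not None
               else sorted(queue_lengths))
    if last_processor in allowed and queue_lengths.get(last_processor, 0) == 0:
        return last_processor
    return min(allowed, key=lambda p: (queue_lengths.get(p, 0), p))


# Constructed scenario: 4 processors, CPU1 idle, CPU0 the busiest.
QUEUES = {0: 3, 1: 0, 2: 1, 3: 2}

if __name__ == "__main__":
    print(bin(affinity_mask([0, 2])))                        # mask for CPU0 and CPU2
    print(pick_processor(1, QUEUES))                         # soft affinity: CPU1 is idle
    print(pick_processor(0, QUEUES))                         # CPU0 busy, least busy is CPU1
    print(pick_processor(0, QUEUES, affinity_mask([0, 2])))  # hard affinity: CPU1 never used
```

The last call shows the trade-off the notes describe: with a hard mask of CPU0 and CPU2 the thread lands on CPU2 even though CPU1 is idle.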
System Monitor in Performance Console: Monitor processor performance.
Performance Object: Logical collection of performance counters that applies to a resource or service that
you can monitor, and a performance counter represents a value corresponding to a specific aspect of the
performance defined for the performance object.
Processor Bottleneck:
% Processor Time counter for the Processor object (if it exceeds 80%)
Processor Queue Length counter for the System object (if it exceeds 2)
%User Time and %Privileged Time counters for the Processor object.
Processor(_Total)\Interrupts/sec
System\Context Switches/sec counters
To understand how applications work on a system, examine the processes of individual applications and
how they affect overall processing time; examine threads to learn about how they use the system's
resources; evaluate the priority of the threads to see how they interact with one another.
Thread Priority Idle is used by screen savers and other processes that update the display from time to
time.
Thread Priority Normal is the default class for all processes.
Thread Priority High is used by processes that are assigned the most processor time and Real Time is
used by kernel-mode system processes.
To establish baselines for the performance of processors, you should use the following system monitor
counters:
• Processor\% Processor Time: measures percentage of busy time, when the processor is executing non-Idle
threads.
• System\Processor Queue Length
Processor queue: One or more threads that are ready but unable to run on the processor.
The Processor Queue Length counter: measures the number of ready threads in the processor queue.
Sustained processor queue with more than two threads generally indicates that there is processor
congestion.
Driver Signing
Driver signing options (the system's response to a driver upgrade that contains unsigned files):
• Ignore – Install all files, regardless of file signature
• Warn – Display a message before installing an unsigned file
• Block – Prevent installation of unsigned files
Windows 2000's Power Manager dynamically handles the interaction of the operating system with
hardware devices to conserve power.
Power management is particularly important on portable computers, where CPU and disk activity quickly
consume battery power.
APM is a simple standard devised by Intel and Microsoft to define power management for the BIOS;
comprises one or more hardware-independent software layers that control power-manageable hardware
devices. (Supported in Windows 2000 Professional, not Server, Advanced Server, or Datacenter Server)
ACPI enables the operating system to direct power management on a wide range of mobile, desktop, and
server computers and peripherals; provides a policy-based hardware interface for Windows 2000 to handle
the power management resources.
Power Management in Windows 2000
Microsoft Knowledge Base Article - 244806
Overview of Power Management in Windows 2000
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q244/8/06.asp&NoWebContent=1
Power Options Advanced -> prompt for password when computer goes off standby
Hibernate: Saves all data in memory to disk, turns off the monitor and hard disk, and then turns off the
computer. Upon restart pre-hibernation desktop settings are restored. Requires enough HD space to hold
contents of memory.
Standby: Switches the computer to a low power state and turns devices off, without saving system memory
to disk.
Card services allow you to add or remove card devices without needing to reboot your ACPI-based
computer.
Each card device contains information - called the card information structure (CIS) - that Windows 2000
uses to enable Plug and Play functionality for the device.
PnP recommended drivers should be NDIS version 5.x compliant for network adapters and SCSI interface
cards.
The Unplug/Eject PC option on the Start menu can be used for warm docking or undocking if warm docking
is supported by the BIOS; alternatively use Control Panel -> Add/Remove Hardware.
You cannot modify the docking option for a portable computer once Windows has started?
Create hw profile by copying an existing profile and renaming it
Disabling a device for a hardware profile, prevents the drivers from being loaded
For both network client and a file server, bottlenecks tend to occur with network, disk, and memory
resources before they occur in the processors.
System Monitor: uses performance counters (350 different ones) to form performance objects; combined
with an ActiveX control (Sysmon.ocx) to display data in other applications; create HTML pages from the
collected data and display the data in a web browser; use a spreadsheet or word processor to display or
print the data, using filters and sorts to organize the information
Counter logs: measure data about hardware resources and system services based on performance objects
and counters.
Trace logs: collect event traces that measure performance statistics associated with events such as disk
I/O and page faults.
Alerts: notify you when a particular activity exceeds or falls below a specified value.
Circular logs: record data until they reach a specified size and then start again; as each new log is
recorded, the oldest entry in the log is deleted.
Sequential logs: collect data according to parameters you define, such as the length of time to run.
Counter Logs -> New Log Settings… -> Name -> New Log -> General tab (Add)
Hard Page Faults: Occur when a process requires code or data that is not in its working set or elsewhere
in physical memory, and must be retrieved from disk.
Memory\Pages/sec counter: more than 20 page faults per second means the amount of available memory is falling.
Paging File\%Usage(_Total) counter: total % of the page file in use; keep it from reaching 100% by
increasing the page file.
Memory\Available Bytes counter: amount of physical memory available to processes running on the
computer; use it to determine memory availability.
A paging file improves RAM availability, but can limit the operation of the file system.
Which memory-related areas do you think you need to investigate if the baselines indicate memory
problems?
• Disk paging
• Memory leaks
• Memory shortages
• The cache
You should measure memory shortages using these System Monitor counters:
• Memory\Available Bytes
• Process\Working Set: measures the number of bytes in the working set pages currently belonging to this
process.
• Process\Private Bytes: measures the number of bytes allocated to this process that cannot be shared
with other processes.
• Memory\Pages/sec
• Memory\Cache Bytes: the sum of several cache-related counters that measure the amount of cache
available.
Private Bytes counter: measures the number of un-shareable bytes allocated to a process
To confirm hard page faulting, you should use these counters in System Monitor:
• Memory\Pages/sec: the sum of the Memory\Pages Input/sec and Memory\Pages Output/sec counters; displays
the number of requested pages not available in RAM. Acceptable values range from 150 per second for new disk
systems to 40 per second for older laptops.
• Process\Working Set
• Memory\Pages Input/sec
• Memory\Pages Output/sec: When there is plenty of memory, this value will probably be low because it is
not necessary to free changed pages and write that data to disk.
Determine how page faulting affects the disk; how many disk operations occur as a result of disk paging.
Monitor the impact of page faulting using these System Monitor counters:
• Memory\Page Reads/sec
• PhysicalDisk\Disk Reads/sec
• PhysicalDisk\Disk Read Bytes/sec
A high ratio of reads to faults indicates that a large number of pages are not found in RAM and have to be
retrieved from disk.
You can use these System Monitor counters to monitor memory leaks:
• Memory\Available Bytes
• Memory\Committed Bytes
• Process\Private Bytes(process_name)
• Process\Working Set(process_name)
• Process\Page Faults/sec(process_name)
RAID 5
SCSI Termination, IDs
To establish baselines for the performance of disks, you can use the following counters:
• LogicalDisk\% Free Space: measures the amount of unallocated disk space on a logical volume as a
percentage.
• PhysicalDisk\Disk Reads/sec: measures the rate of read operations on the disk, while the Disk
Writes/sec counter measures the rate of write operations on the disk.
• PhysicalDisk\Disk Writes/sec
• Disk Bytes/sec (PhysicalDisk and LogicalDisk objects): the primary measure of disk throughput; displays the rate
at which bytes are transferred.
• PhysicalDisk\Avg. Disk Queue Length: measures the average number of read and write requests that are queued;
the value should remain below the number of disk spindles plus two.
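Added example, not from these notes or from Windows: a Python check that reads a System Monitor counter log saved as Text (Comma Delimited) and applies the thresholds given in the processor, memory and disk sections above (% Processor Time over 80, Processor Queue Length over 2, Pages/sec over 20, page file reaching 100%, Avg. Disk Queue Length at or above spindles + 2). The log content, the machine name SRV1 and the 75% "sustained" rule are constructed assumptions.

```python
"""Bottleneck check over a System Monitor counter log saved as
Text (Comma Delimited), modelled in Python (added example)."""
import csv
import io

# Constructed sample in the PDH-CSV layout Performance Logs writes: column 0
# is the timestamp, every other header is \\machine\object(instance)\counter.
# Machine name SRV1 and all values are made up; the blank cell in row 3 stands
# for a sample the provider did not return.
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\SRV1\Processor(_Total)\% Processor Time","\\SRV1\System\Processor Queue Length","\\SRV1\Memory\Pages/sec","\\SRV1\Paging File(_Total)\% Usage","\\SRV1\PhysicalDisk(0 C:)\Avg. Disk Queue Length"
"03/15/2002 10:00:00.000","91.5","4","35.2","62.0","5.1"
"03/15/2002 10:00:15.000","88.0","3","28.7","64.5","4.4"
"03/15/2002 10:00:30.000","95.2","5","41.0","","6.0"
"03/15/2002 10:00:45.000","45.0","1","8.3","65.0","1.2"
'''

# "Sustained" is made concrete as: at least this fraction of the samples
# beyond the limit (assumption; the notes give no number).
SUSTAINED = 0.75


def load_counters(text):
    """Parse a PDH-CSV log into {r'Object(instance)\Counter': [float, ...]}.
    The \\machine\ prefix is dropped; blank or non-numeric cells are skipped."""
    rows = list(csv.reader(io.StringIO(text)))
    header, samples = rows[0], rows[1:]
    counters = {}
    for col, full_name in enumerate(header[1:], start=1):
        name = full_name
        if full_name.startswith("\\\\"):
            name = full_name[full_name.index("\\", 2) + 1:]
        values = []
        for row in samples:
            cell = row[col].strip() if col < len(row) else ""
            try:
                values.append(float(cell))
            except ValueError:
                continue                       # blank or malformed sample
        counters[name] = values
    return counters


def is_sustained(values, limit, at_or_above=False):
    """True when enough samples breach the limit to count as sustained."""
    if not values:
        return False
    hits = sum(1 for v in values if (v >= limit if at_or_above else v > limit))
    return hits / len(values) >= SUSTAINED


def check_bottlenecks(counters, spindles=1):
    """Apply the thresholds from the notes; returns 'area: explanation' strings."""
    findings = []
    if is_sustained(counters.get(r"Processor(_Total)\% Processor Time", []), 80):
        findings.append("processor: % Processor Time sustained above 80%")
    if is_sustained(counters.get(r"System\Processor Queue Length", []), 2):
        findings.append("processor: more than 2 ready threads queued (congestion)")
    if is_sustained(counters.get(r"Memory\Pages/sec", []), 20):
        findings.append("memory: Pages/sec above 20, available memory is falling")
    if is_sustained(counters.get(r"Paging File(_Total)\% Usage", []), 100, at_or_above=True):
        findings.append("memory: page file at 100%, increase the page file")
    disk_limit = spindles + 2                  # queue should stay below spindles + 2
    for name, values in counters.items():
        if name.endswith(r"\Avg. Disk Queue Length") and is_sustained(values, disk_limit, at_or_above=True):
            findings.append("disk: %s at or above %d (spindles + 2)" % (name, disk_limit))
    return findings


if __name__ == "__main__":
    data = load_counters(SAMPLE_LOG)
    for finding in check_bottlenecks(data, spindles=1):
        print(finding)
```

Pass the real spindle count of the array as `spindles`: the same queue length that flags a single-spindle disk is within limits for a four-spindle RAID set, which is why the disk threshold cannot be a fixed number.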
TCP\Segments Received/sec
TCP\Segments Sent/sec
IP\Datagrams Forwarded/sec
IP\Datagrams Received/sec
IP\Datagrams Sent/sec
16-bit application performance can be impeded because these applications run as separate threads in a
single multithreaded process - the NT Virtual DOS Machine (NTVDM).
You can counteract the performance problems by running 16-bit applications in their own separate NTVDM
processes with their own address spaces.
L2 cache stores memory that is external to the microprocessor, residing on a different chip to the
microprocessor chip.
Load balancing enables two or more servers to share processing tasks.
Cluster: a group of independent computers which appears as a single system to clients and
applications.
ISAPI
ASP
CGI
System partition: active partition that holds the hardware-specific files needed to load the operating system.
Boot partition: primary or extended partition in which operating system files are installed.
Can be the same partition - if it is an active partition.
Dynamic disks:
Windows 2000 Server Documentation:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_DISKconcepts_04A.htm
Simple Volumes
• Contain disk space from a single disk
• Unlimited number of them on a single disk
Fault tolerance
Spanned volume 2-32 disks into one logical unit
Striped volumes: 64k units; cannot be extended; contain areas of free space from between 2 to 32 disks; write data
evenly to all disks at the same rate; not fault-tolerant; cannot contain system or boot volumes.
Extend volume
Convert to NTFS:
convert e: /fs:ntfs
Add Mirror: to an existing volume provides data redundancy by maintaining multiple copies of a volume’s data.
If a mirrored or RAID-5 disk fails, you can try a number of methods to rectify the error before getting a new disk.
The method that you choose is dependent on whether an online or offline error has occurred.
If an offline error is indicated, you should check that the drive is connected and powered up.
Then you right-click the disk and select Reactivate Disk.
If an online error occurs and the disk does not reactivate, you need to replace the disk.
For mirrored drives, you need to break the mirror if possible before you remove a mirrored volume by using the
Remove Mirror option on the shortcut menu.
If a disk containing a mirrored volume is faulty, you remove the mirror, replace the disk, and recreate the mirror by
using the Reactivate Volume option on the shortcut menu.
The reactivation process is successful if the volumes are regenerated and resynchronized automatically.
Fdisk
Ntdsutil
Scandisk
CHKDSK command in the Recovery Console as an additional step to ensure that a drive is without errors.
To install or access the Recovery Console, you need to insert the Windows 2000 CD and type d:\i386\winnt32
/cmdcons in the Run dialog box, where d is the drive letter of your CD-ROM drive.
If an online error occurs with a RAID volume, you select Repair Volume from the shortcut menu.
And if this does not fix the problem, you should replace the disk and then try to repair the volume in the same way.
Disk Defrag:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q227/4/63.ASP&NoWebContent=1
EFS uses a randomly generated key that is independent of the user's public or private key pair and so is not vulnerable
to cryptanalysis-based intervention.
When you access an encrypted file, EFS locates an appropriate user certificate and associated private key. The private
key is then applied to the Data Decryption Field (DDF), which is stored in the file header, and you can work with
encrypted files as you would with any other type of file.
Data Recovery Field (DRF)
You can use wildcards in the command line along with the following switches:
• /e encrypts specified folders
• /d decrypts specified folders
• /s carries out the command on all folders and subfolders within the given folder
C:\>cipher /e /s:c:\MonthlySales /a /q
Windows 2000 Recovery Policy – network recovery agent; activated upon the first administrator login (domain recovery
agent); remains active when the computer is offline.
When no Certificate Authority (CA) is available, EFS automatically issues recovery agents with self-signed
certificates.
Enterprise root CA: Most trusted CA in an enterprise. Should be installed before any other CA. Requires Active
Directory.
Enterprise subordinate CA
Stand-alone root CA
Stand-alone subordinate CA
Cryptographic service provider (CSP): generates a private and public key pair
http://www.microsoft.com/windows2000/server/evaluation/features/fileprint.asp
NUL: tests the printer connection by sending a job to the printer w/out actually printing it
Data Link Control protocol (DLC): for printers using HP JetDirect NICs; low-level protocol used to identify NICs.
EMF:
• Lets users regain control of their computers relatively fast after printing
• It supports scalable fonts
• It is the default datatype for Printer Control Language (PCL) printers
You can reference each print queue on the print server directly as http://<server_name>/<share_name>.
The share_name is the name of the print queue as defined in the printer's property page.
When you access a printer from a browser, Windows first attempts to connect to the printer with RPC, which is faster
than IPP.
RPC is a protocol that programs on a client computer use to communicate with programs on a server computer.
Peer Web Services (PWS): part of IIS; administered with the Personal Web Manager, which you need to install as an
additional administrative tool using the Windows Components Wizard.
RFC-2568
http://www.faqs.org/rfcs/rfc2568.html
Anonymous access:
Uses a dedicated local user account that acts on behalf of the browser
Text (Comma Delimited) (*.csv): allows you to add the information from the log files to a spreadsheet or database.
Event Header:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/SAG_EVmonevents_4.htm
Object tracking
Track applications
Audit resource access for the Everyone group
Fast Repair
Manual Repair
Backups:
http://web.archive.org/web/20000821015633/http://www.elementkjournals.com/w95/9704/w959741.htm
Drivers.exe
Troubleshooting Backup:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/drivers-o.asp
Recovery Console
http://www.smartforce.com/learning_community/applications/course_resources/login1.asp
d:\I386>winnt32 /cmdcons
cd system32\drivers
copy d:\i386\kbdclass.sy_ kbdclass.sys
exit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Network Services:
http://www.microsoft.com/windows2000/server/evaluation/business/communications.asp
ICS: http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/WINDOWS2000/en/professional/help/HowTo_share_conn.htm
PPTP
L2TP
VPN overview:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
http://web.archive.org/web/20030604073007/http://ns1.pikusa.com/multi.html
To reduce this risk factor, Windows 2000 remote access supports several security features:
• secure authentication
• secure callback
• caller ID
• data encryption
• remote access account lockout
Secure authentication over the remote access connection can use one of several protocols that integrate with PPP.
These protocols include
• Extensible Authentication Protocol (EAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft CHAP (MS-CHAP)
• Shiva Password Authentication Protocol (SPAP)
Account Lockout:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_RRAS-Ch1_74.htm
The most frequently encountered difficulties with remote access and VPNs are the
• Rejection of connection attempts
• Acceptance of unwanted connection attempts
• Inability to reach locations beyond the remote access server
• Inability to create a VPN tunnel
Published
assigned
Advanced published or assigned