
MCSE SmartCertify Study Notes

70-210

70-210 Installing, Configuring, and Administering Microsoft Windows 2000 Professional

Microsoft Windows 2000 - Update: New Features and Architecture


• Features
• Architecture
• Intro to Active Directory
Microsoft Windows 2000 - Installation and Administration: Installation
• Windows 2000 Installation
• Advanced Installation options
• Preparing for upgrade
• Upgrading to Windows 2000
Microsoft Windows 2000 - Installation and Administration: Administration
• Basic administration
• Administrative tools
• Administrative strategies
Microsoft Windows 2000 - Installation and Administration: Users
• Creating users
• Creating multiple user accounts
• User profiles
Microsoft Windows 2000 - Installation and Administration: Groups and Terminal Services
• Groups
• Creating and administering groups
• Terminal Services
Microsoft Windows 2000 - Installation and Administration: Files and Folders
• Hard disk and file systems
• Shared folders
• NT File System
• Managing shared folders
Microsoft Windows 2000 - Installation and Administration: Advanced File and Folder Management
• Distributed file system
• Redirected and offline folders
• Web files and folders
Microsoft Windows 2000 - Installation and Administration: Hardware Configuration and Optimization
• Removable storage devices
• Display devices
• Input/Output devices
• Processors, profiles, and APM
• Optimizing and troubleshooting
Microsoft Windows 2000 - Installation and Administration: Storage and Printing
• Disk management
• Managing disk space
• Encrypting File System
• Configuring printers
• Printer management and security
Microsoft Windows 2000 - Installation and Administration: Events
• Introducing events
• Monitoring and analyzing events
• Auditing events
Microsoft Windows 2000 - Installation and Administration: Backup and Recovery
• Backing up and restoring
• Server recovery
• Active Directory recovery
Microsoft Windows 2000: Network Protocols and Remote Access
• Configuring protocols and services
• Configuring connections
• Remote access
• Remote access connections
Microsoft Windows 2000: Group Policy
• Introducing Group policy
• Group policy operation
• Managing users
• Account and security policies
• Managing software
-----------------------------------------------------------------

Microsoft Windows 1.0 in 1985 (1st release)


• Could view multiple applications at one time
• GUI extension to MS-DOS

Windows 2.0 in 1987


• Support for new 80286 Intel processors
• Support for expanded memory hardware

Windows 3.0 released in 1990


• Supports Intel 80386 processors
• Provide graphical interface

Windows 3.11 released in 1992


• Windows for Workgroups 3.11
• Extended into the networking environment
• Contained built-in protocols and NIC drivers
• Allowed administrators to build networks without servers

Windows 95 released August 1995


• Replaced Windows 3.x 16bit with 32-bit environment
• New GUI
• Support for PnP
• Improved network connectivity
• Messaging application programming interface (MAPI)
• Telephony application programming interface (TAPI)

Windows 98 released in 1998


• Support for new hardware
• Improved Internet browsing
• Support for new System Management Tools (ie. Registry Checker)

Windows NT 3.1 released in 1993


• Removed DOS from the OS; support for processors other than Intel’s
• 2 versions (Win NT Workstation & Win NT Server)
• Building crucial networking components into the privileged portion of the OS enhanced performance
• 6 million lines of code
• Designed to employ both binary and source-level compatibility to support MS-DOS, 16-bit Windows,
OS/2, LAN Manager, and POSIX-based applications
• Developers had five design goals:
o Portability: so that minimal recoding is required to run on computers with different processors and
configurations
o Extensibility: Means OS can adapt to hardware & software changes
o Reliability: To handle code and hardware errors effectively
o Compatibility
o Performance

Windows NT 3.1 Advanced Server


• Allows admin to offer file and print sharing services to network users

Windows NT 3.5 and 3.51 released 1995

• Introduced additions to the OS, including:
o Memory optimization
o Support for the PowerPC family of microprocessors
• IIS 1.0 offered as a standalone program that could be used as a free add-on with NT 3.51 servers to host web
sites

Windows NT 4.0 released 1996


• Same GUI found in Win 95, borrowed from Win 3.1
• No support for PnP
• 16 million lines of code
• LAN Manager improves network functionality
• Adds kernel-mode Graphical Device Interface (GDI)
• IIS 2.0, Support for OpenGL, three-dimensional graphics standard

Windows NT 5.0 Beta released


• Introduced Active Directory
• Distributed File System (DFS)

Windows 2000

• October 1998 Win NT 5.0 renamed to Windows 2000
• Design goals for Win 2k build on the base established by Win NT:
o Reliability
o Availability
o Scalability:
 Memory allocation/locking procedures (eliminates processor conflicts)
 Hierarchical storage management
 Per-user disk quotas
o Reduced total cost of ownership
o Reduced, but centralized, administration
• Kerberos v5
http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp
• IIS 5.0
• Zero Administration for Windows (ZAW):
• IntelliMirror
o Allows admins to determine a user’s desktop settings from admin computer
o Gives users access to their data, settings, and applications from any workstation
o Contains Remote Installation Services (RIS) – allows admins to install OS across the network w/out
visiting each computer
• April 1999 Beta 3 of Windows 2000
• Disk defragmenter
• Enhanced NTFS file system
• FAT32 file system for compatibility w/ Win 95 OSR2 and later
• File system enhancements include disk quotas, encryption and Distributed file system
• DFS – (NWLINK, IPX/SPX), Apple (AppleTalk) SNMP
• VPNs you can use either:
o Point-to-Point Tunnelling Protocol (PPTP)
o Layer Two Tunnelling Protocol (L2TP)
o Internet Protocol Security (IPSec)
• Greater Internet capability through IE 5.01, IIS 5, IPSec, IPP
• Search bar, History bar, AutoComplete, Automated Proxy, ICS
• NAT
• Microsoft Management Console (MMC)
• Active Directory
• Greater number of wizards
 Windows 2000 Professional
o 32-bit OS
o Supports up to 2 symmetric multiprocessors
o 4 GB of RAM
 Windows 2000 Server
o Win 2k Server OS introduced with first version of Win NT, called Windows NT 3.1 Advanced Server
o Designed for small to medium-sized business
o Uses UPS feature to ensure that data and apps are protected in the event of a power failure
o Provides platform for sharing applications across a network
o Supports four-way symmetric multiprocessing
o 4GB of memory
o Host web sites and manage corporate intranets
(standard edition of win 2k server is designed for large businesses with intensive processing needs -- TRUE)
 Windows 2000 Advanced Server
o Medium-sized and large businesses
o 8-way SMP
o 8GB of RAM with Intel’s Physical Address Extension (PAE)
o Network Load Balancing (NLB)
o Can distribute incoming IP traffic across a cluster of up to 32 nodes
o Supports Cluster Service, offering 2-node failover support for failure of hardware or critical software apps
o Designed to service database-intensive applications
Load balancing: enables the deployment of applications built with COM+ components across multiple
application servers.

Network load balancing (NLB) enables you to cluster up to 32 servers running Windows 2000 AS,
thereby ensuring an even distribution of incoming traffic and a single system image to clients;
automatically reconfigures the cluster to send client requests to alternative servers.

 Windows 2000 Datacenter Server

o Supports 32-way SMP based on OEM implementation; by default set to 16-way SMP
o 64GB of physical memory
o Network Load Balancing (NLB) across 32 nodes
o Cluster Services supporting cascading fail-over among 4 nodes
o Appcenter Server includes Component Load Balancing (CLB) clustering services, which provide
the capability to distribute an organization’s middle-tier business logic – usually implemented in
COM+ – across multiple servers.
o Combination of NLB, Cluster Services, and CLB provides scalable and highly available multi-tiered
solutions
 Windows 2000 Appcenter Server

-----------------------------------------------------------------

Features Section:

The Zero Administration for Windows (ZAW) initiative is a group of OS technologies designed to help reduce the
total cost of ownership (TCO) of Windows 2000 systems. Some of these technologies were already present in Win NT 4,
Win 95, and Win 98.
http://www.microsoft.com/ntworkstation/downloads/Recommended/Featured/NTZAK.asp

The software installation and maintenance feature relies on the Active Directory, Group Policy, Windows Installer, and
Add/Remove Programs.

The Active Directory is a distributed, partitioned, and replicated service that stores objects representing network
resources such as computers, users, servers, groups, folders, and printers.

 Simplifies management
 Strengthens security
 Extends interoperability
 Macro-level management
 Multi-master replication
 Built-in support for Kerberos, public key infrastructure (PKI) and Lightweight Directory
Access Protocol (LDAP) over Secure Sockets Layer (SSL)

Works with IntelliMirror® management technologies to install assigned applications automatically and give users
the ability to access their own desktops regardless of the workstation they use in the network.
Active Directory Explanation: http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp
Active Directory Glossary:
http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/glossary.asp
Active Directory Services:
http://www.microsoft.com/mspress/books/sampchap/3173.asp
Active Directory Architecture:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/deploy/projplan/adarch.asp

Applications are able to save their own and user configuration details using the Active Directory Service Interfaces
(ADSIs). This enables the collective modification of user profiles and client software and resources.

Active Directory Domains:


• Each domain includes at least one domain controller (PDC)
• Each domain consists of a logical grouping of servers and resources
• Domains constitute the basic units of replication and security for Win 2k networks
• All the objects in the Active Directory are arranged in hierarchical domains; which constitute the basic units
of replication and security
• Modification to one controller is passed on to all the others within the same domain
• DNS required to locate Active Directory in DC
• Responsible for identifying existing RIS servers and client computers on the network.
• RIS needs to be located on a Windows 2000 server that has access to the Active Directory.

Group Policy Snap-in: replacement for the System Policy Editor (Win NT 4, Win 95, and Win 98); allows admins to
manage software installation, Registry-based policies, folder redirection, scripts, and security settings.
• needs to be added through MMC installation
• Group Policy Objects (GPOs) store Group Policy settings for sites, domains, and OUs
• GP can be applied to any container in the Active Directory, unlike Win NT 4
• extends the application of policies to containers other than domains

Windows Installer: Consists of an operating system-resident install service, a standardized format for component
management, and a management API. Consists of one or more Windows Installer features and comes with a package
file containing a Product Code that identifies and describes it.
--Package file (.MSI file): Replaces the INF, LST, and STF files in previous versions of Microsoft Office.
--Windows Installer feature is usually a self-contained group of components, each of which consists of a number of
files, Registry keys, and resources that form a logical grouping.

Message Queuing Services & Component Services: Provide simple interfaces through which application objects can
be configured and distributed among systems. Component Services replaces the former Transaction Services.

Remote Operating System (OS) Installation and IntelliMirror are ZAW features that provide enhanced change and
configuration management.

Remote OS Install: Remote OS Installation relies on network boot technology and server-based distribution software
to install Windows 2000 remotely on client computers, and then IntelliMirror allows administrators to manage user
data, software, and settings by means of policies. Employs Remote Installation Services (RIS), Active Directory,
DNS, and DHCP.

Remote Installation Service (RIS):


1. RIS makes it possible for a client with a Pre-Boot eXecution (PXE) boot ROM to be installed from the
network without using a floppy disk.
2. When a client device boots from the PXE boot ROM, it contacts and requests IP configuration information
from a DHCP server on the network.
3. The client makes an LDAP query to the PDC to locate an RIS server.
4. Client uses the Remote Boot Protocol to contact RIS server and begins to download the bootstrap image
from the server (files transmitted using TFTP)

To make use of remote installation:


• Create a distribution point in the Active Directory with the RIS Setup Wizard
Entails storing configuration details and source files on a server that has enough space to support multiple
installation images from where they can be distributed to clients.
• Automatic Setup: the default option of the Client Installation Wizard; draws exclusively upon RIS info
provided by the administrator. Allows templates to be created to offer users a simplified setup.
• Custom Setup: Offers more choices, like allowing the specification of alternative client names, but it needs
the input of an administrator at the client's computer during installation.
• Restart a Previous Attempt Option: Useful in cases where setup failed, because answers to questions are
saved during the first setup attempt and the setup routine will therefore not ask the questions again during the
second attempt.
• Maintenance and Troubleshooting: Enables the admin or user to access tools and programs that are not
incorporated in the setup routine.
• Directory Services Manager MMC snap-in: Manages the RIS server, you can specify various
configuration settings such as OS installation choices or the automatic client computer naming format.

Active Directory Users and Computers snap-in: Active Directory stores RIS info as objects that can be managed w/
the Active Directory Users and Computers MMC snap-in.
Client Installation Wizard: Simplified version of Win 2k setup procedures; allows user to provide info that will assist
you in directing the installation process. Admins can specify which set of choices the CI Wizard needs to present to
users by selecting one of the following policy settings:
• Automatic Setup
• Custom Setup
• Restart a Previous Attempt
• Maintenance and Troubleshooting

Windows 2000 – New Features and Architecture:


IntelliMirror: provides follow-me functionality
Windows Management Instrumentation (WMI): Provides a standard model for the management of data
Remote OS Installation: Install Windows 2000 Pro remotely on client computers
Directory management snap-in: Manage security groups
Management Logic Layer: standard management tools and value-added management solutions
Client Installation Wizard: provides a simplified version of Win 2k setup procedures
Windows Installer format: Defines apps: products, features, and components
Group Policy: Publishing and assigning of applications; assign apps to a group or user; apps assigned or published to
users will roam with users.

IntelliMirror: Win 2k change and configuration management technology that allows admins to move away from a
situation, prevalent in Win NT and Win 98, where user roles need to be mapped to specific computers.
• Admins can now allow users to “roam” between computers while allowing them to maintain full access to
their data, applications, and customized environments, whether they work online or offline.
• Follow-me Functionality: Stores user info in specified locations on servers and on local hard drives. Makes
sure info in online and offline folders is synchronized.
• To install, configure, maintain, and repair user applications, IntelliMirror employs Group Policy, Active
Directory, Windows Installer, and Add/Remove Programs.
• Centralizes application deployment and maintenance by means of the Group Policy and Active Directory.
• Just-in-time installation: not visible to user, to ensure that apps only become fully installed when they are
needed. Each time user opens an app, the Windows Installer verifies that an app has all the required files
before allowing it to run. If needed Windows Installer will recover missing files from the distribution point
and install these.
• Allows users to specify that applications be cached automatically
• Allows the client to create local copies of the applications
• Allows users to open an app without accessing a network copy
• Auto or Manual caching of documents to achieve mirrored user data
• Manual Caching: Users are able to decide which files need to be cached locally.

Technologies needed for management of user data and settings through ZAW:
• Active Directory
• Group Policy
• Roaming user profiles
• Offline folders
• Synchronization Manager
• Disk Quotas
Roaming Settings:
1) Administrative settings
2) User settings
These include: Personal address books, lock-downs preventing writes to system folders, and control panel items
Synchronization Manager: When a user is working online and saves a file to My Documents: The file is first saved
to the network folder and then synchronized with the local folder. Opposite occurs if user is working offline, when
online state is returned, synchronization with the network folder takes place automatically.

Document invocation: Refers to the automatic installation of a published application following a user’s attempt to
access a file that requires the published application to run.

Disk Quotas: Configure quotas per volume and assign them to individual users or groups by using Windows Explorer.
Disk space is charged against user accounts on the basis of file ownership.
Quota threshold: once reached, prevents users from creating more data, or notifies the user; an event is also added to
the Event Log.
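The ownership-based charging and threshold/limit behaviour above, as an added Python model (not code from these notes or from Windows): usage per volume is the total size of the files a user owns, crossing the threshold logs an event, crossing the limit logs and, with enforcement on, denies the write; a transfer of ownership moves the charge. Volume, user and file names are constructed.

```python
"""Per-volume disk quota accounting charged by file ownership.

Added example, not code from these notes or from Windows. It models the
behaviour the notes describe: each user's usage on a volume is the total
size of the files that user owns; crossing the warning threshold writes an
event, and crossing the limit either denies the write (enforcement on) or
only logs it. Volume, user and file names are constructed.
"""
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class QuotaEntry:
    threshold: int   # warning level in bytes
    limit: int       # hard limit in bytes


@dataclass
class Volume:
    name: str
    default_quota: QuotaEntry
    enforce: bool = True                            # deny writes above the limit?
    entries: dict = field(default_factory=dict)     # user -> QuotaEntry override
    files: dict = field(default_factory=dict)       # path -> [owner, size]
    events: list = field(default_factory=list)      # stand-in for the System event log

    def quota_for(self, user):
        return self.entries.get(user, self.default_quota)

    def usage(self, user):
        """Bytes charged to a user: the sum of sizes of the files they own."""
        return sum(size for owner, size in self.files.values() if owner == user)

    def _charge(self, user, extra):
        """Decide whether `extra` more bytes may be charged to `user`,
        logging threshold/limit events the way the quota system would."""
        new_usage = self.usage(user) + extra
        q = self.quota_for(user)
        if new_usage > q.limit:
            self.events.append(("limit", user, new_usage))
            return not self.enforce          # logged only, unless enforcement is on
        if new_usage > q.threshold:
            self.events.append(("threshold", user, new_usage))
        return True

    def create_file(self, path, owner, size):
        """Create a file owned by `owner`; returns False if the quota blocks it."""
        if path in self.files:
            raise FileExistsError(path)
        if not self._charge(owner, size):
            return False
        self.files[path] = [owner, size]
        return True

    def take_ownership(self, path, new_owner):
        """Ownership transfer moves the charge from the old owner to the new one."""
        old_owner, size = self.files[path]
        if old_owner == new_owner:
            return True
        if not self._charge(new_owner, size):
            return False
        self.files[path][0] = new_owner
        return True


def scenario():
    """Constructed walk-through; returns the volume and the per-step results."""
    vol = Volume("D:", QuotaEntry(threshold=80 * MB, limit=100 * MB))
    vol.entries["bob"] = QuotaEntry(threshold=150 * MB, limit=200 * MB)
    results = [
        vol.create_file(r"\Users\alice\data1.mdb", "alice", 50 * MB),  # 50 MB: ok
        vol.create_file(r"\Users\alice\data2.mdb", "alice", 40 * MB),  # 90 MB > threshold: warning
        vol.create_file(r"\Users\alice\data3.mdb", "alice", 20 * MB),  # 110 MB > limit: denied
        vol.take_ownership(r"\Users\alice\data1.mdb", "bob"),          # 50 MB now charged to bob
        vol.create_file(r"\Users\alice\data3.mdb", "alice", 20 * MB),  # alice at 60 MB: ok
    ]
    return vol, results


if __name__ == "__main__":
    vol, results = scenario()
    print(results)
    for event in vol.events:
        print(event)
```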

Question: IntelliMirror functionality is fully dependent on the Group Policy and Active Directory.
Answer: False

Windows 2000 Management Services layers:


• Common services layer
• Management logic
• Presentation

Common services layer: management services; low-level OS services including the Active Directory, event
notification, COM+, and Windows Management Instrumentation (WMI).

Event Notification: Enables admins to track system, application, and security events and to pass them on to other
users and services.

COM+: Low-level service that provides an open architecture for cross-platform development.

WMI: Provides a standard model for the management of data regardless of source. WBEM-compliant means of
accessing and sharing management info in an enterprise network; provides a rich and consistent model of Win 2k
operation, configuration, and status; offers a COM API that provides a single point of access to management info, a
rich query language, and a flexible architecture that allows vendors to extend the model by writing WMI providers.
Provides for the following components:
• Win32
• Windows Driver Model (WDM)
• Event logs
• Registry
• Performance counter
• Active Directory
• Windows Installer
• Simple Network Management Protocol (SNMP)
Drivers that can make use of WMI include SCSI class drivers and NDIS network adapter class drivers. WMI-enabled
drivers can record info regarding device failure, error statistics, and performance counters.

Managed Object Format (MOF): WMI-enabled drivers employ this to record info about device failure, error
statistics, and performance counters. This file defines attributes for entities in managed environments.

Web-Based Enterprise Management (WBEM): An industry initiative that establishes management infrastructure
standards and provides a way to combine info from various hardware and software management systems.

Windows Driver Model (WDM): Drivers support WMI interfaces but the drivers must be
specially written to benefit from WMI. WDM is a strategy for making driver development
simpler. WDM provides a common set of services for developers to create drivers that are
compatible across Windows operating systems for certain device classes. A WDM driver can be
source-code-compatible for Windows XP, Windows 2000, Windows Me, and Windows 98.
Writing one driver for multiple platforms means that developers can create and manage a
single source-code base rather than writing a separate driver for each platform, and this
reduces the amount of code that must be tested and debugged.
http://www.microsoft.com/whdc/hwdev/driver/WDM/default.mspx

Common Services

Management Logic Layer:

Presentation Layer: MS MMC framework, XML, and SGML developed by W3C

XML: improves on HTML links by allowing links that reference multiple documents, and guarantees that structured
data is uniformly independent of platforms, apps, and vendors and that it can be transmitted via Web-based protocols.

MMC: Program that hosts snap-in management apps for administrative tasks.
• create, open, and save admin tools in the form of MMC consoles
• MMC console consists of at least one snap-in
• MMC console consists of a hierarchical console tree
• MMC consoles are stored as files with .msc extensions and any new settings are preserved even if you open
the consoles on a different computer

Automation: Employs the Windows Scripting Host and all COM controls that present automation interfaces for the
execution of management tasks. It enables an admin to define scripted actions based on WMI events and COM events.

Distributed Security Services: need for simplified domain management, delegation of account administration, and
integration of Internet security technology with Windows security.

Active Directory Replication: Account updates can be made at any PDC. Each PDC has its own master replica of
the Active Directory and the update and synchronization of the different replicas take place automatically. Tree-wide
transitive trust simplifies the admin of trust relationships between domains. This allows users with accounts specified
in one domain to be authenticated by another domain’s servers.
-- Explicit one-way trust relationships to Win NT 4 domains and two-way transitive trust relationships between Win
2k domains.
-- allows you to delegate – to the level of OUs – admin rights concerned with the creation and management of accounts.
--domain user accounts are copied to all domain controllers within the same domain.
--Local user accounts are created only in the local security base of the user’s computer
--Domain user accounts created in an Active Directory (OU) on a DC and copied to other DCs within the same
domain; access tokens that stores a user’s info and security settings.
--Security groups: Stored in Active Directory; managed by the Directory Management snap-in. Each group is
assigned a security identifier (SID) that identifies the group and its permissions.
--FAT volumes support only shared folder permissions. In Win 2k you can combine shared folder permissions and NTFS
permissions on an NTFS volume.
--The most restrictive permission overrules the others.
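The most-restrictive-wins rule above, as an added Python model (not code from these notes or from Windows): share and NTFS access control entries for hypothetical users and groups are combined, Deny entries strip bits that Allow entries granted, a FAT volume applies only the share permissions, and local (console) access ignores the share entirely.

```python
"""Effective-permission model for a Windows 2000 shared folder.

Added example, not code from these study notes or from Windows. It models
the rule the notes state: on a FAT volume only the share permissions apply;
on an NTFS volume share and NTFS permissions are combined and the most
restrictive result wins for access over the network, while local (console)
access is governed by the NTFS permissions alone. User, group and share
names are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()


# Share-level permission sets (Read / Change / Full Control) expressed as bits
SHARE_READ = Perm.READ
SHARE_CHANGE = Perm.READ | Perm.WRITE | Perm.DELETE
FULL_CONTROL = SHARE_CHANGE | Perm.CHANGE_PERMISSIONS | Perm.TAKE_OWNERSHIP


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which bits, allow or deny."""
    trustee: str
    perm: Perm
    allow: bool = True


@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)

    def identities(self):
        # Every authenticated user is also a member of Everyone
        return {self.name, "Everyone"} | set(self.groups)


def effective(aces, principal):
    """Accumulate Allow bits across all matching ACEs, then strip any bit
    that a matching Deny ACE removes (Deny takes precedence over Allow)."""
    ids = principal.identities()
    allowed = Perm.NONE
    denied = Perm.NONE
    for ace in aces:
        if ace.trustee not in ids:
            continue
        if ace.allow:
            allowed |= ace.perm
        else:
            denied |= ace.perm
    return Perm(allowed.value & ~denied.value & FULL_CONTROL.value)


def network_access(share_aces, ntfs_aces, principal, ntfs_volume=True):
    """Permissions a user gets when connecting through the share."""
    share = effective(share_aces, principal)
    if not ntfs_volume:
        return share                                   # FAT: no file-level ACL exists
    return share & effective(ntfs_aces, principal)     # most restrictive wins


def local_access(ntfs_aces, principal, ntfs_volume=True):
    """Permissions for a user logged on at the console; share ACEs do not apply."""
    if not ntfs_volume:
        return FULL_CONTROL                            # FAT: nothing restricts local access
    return effective(ntfs_aces, principal)


# Constructed sample: a "Reports" share with Change for Everyone, and an NTFS ACL
# where Finance has Full Control, Temps are denied Write, and Everyone can Read
SHARE_ACL = [Ace("Everyone", SHARE_CHANGE)]
NTFS_ACL = [
    Ace("Finance", FULL_CONTROL),
    Ace("Temps", Perm.WRITE, allow=False),
    Ace("Everyone", Perm.READ),
]

ALICE = Principal("alice", {"Finance"})
BOB = Principal("bob", {"Finance", "Temps"})
CAROL = Principal("carol")


def report():
    """Effective access for the sample principals."""
    return {
        "alice_remote": network_access(SHARE_ACL, NTFS_ACL, ALICE),
        "alice_local": local_access(NTFS_ACL, ALICE),
        "bob_remote": network_access(SHARE_ACL, NTFS_ACL, BOB),
        "carol_remote": network_access(SHARE_ACL, NTFS_ACL, CAROL),
        "carol_fat": network_access(SHARE_ACL, NTFS_ACL, CAROL, ntfs_volume=False),
    }


if __name__ == "__main__":
    for who, perm in report().items():
        print(f"{who:13} {perm}")
```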
Windows 2000 Authentication: Through Kerberos Version 5 and Transport Layer Security (TLS) for distributed
security protocols. Client authentication uses SSL 3.0 and Transport Layer Security (TLS), which map user credentials
presented as public-key certificates to Win NT accounts; passwords and smart cards are also supported.
-- signed ActiveX controls and IE Java classes

Kerberos: faster server authentication, transitive trust relationships for inter-domain authentication, and the delegation
of authentication for multi-tier client/server application architectures. Defines the interaction between clients and a
network Authentication Service called the Key Distribution Center (KDC).

Key Distribution Center (KDC): Implemented on each DC and Windows 2000 domains function as Kerberos
realms.

Microsoft Certificate Server: Allows companies to assign X.509 version 3 certificates to employees. Comprises
modules for public-key certificates - certificate authorities (CAs), and CryptoAPI for certificate management.

Public-key certificates: authenticate external users w/out Win 2k accounts and map them to Windows accounts.

Private/public key pairs managed by users through interface dialogs and tools.

Personal Information Exchange: Industry-standard protocol to transmit personal security details that are stored
securely on disk.

Windows Security dialog box: press Ctrl+Alt+Delete in Windows.


• View user logon info
• Change Password
• Lock workstation
• Log off
• Shutdown
• Access Task Manager

Security Configuration Editor: security configurations for groups and clients.

IP Security Policy
Account Policies: Used to configure Kerberos policies, password policies, and account lockout policies.
Local Policies: Used to configure user rights assignment, auditing, and security options.
Public Key Policies: Used to configure domain roots, encrypted data recovery agents, and trusted certificate
authorities.

System Services: Allow you to specify startup and security settings for computer services.

Registry: Used to configure security on Registry keys


File System: Used to configure file path security

Encrypting File System (EFS): resides in the kernel and supplies core file-encryption technology for storing NTFS
files encrypted on disk.
• Uses public-key encryption based on the Windows CryptoAPI architecture.
• performs encryption and decryption transparently by identifying the encrypted file and finding the particular
user’s certificate and private key.
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

Fibers: New kind of processing unit, which are lighter than threads. Enable Win 2000 Server to achieve higher
scalability.

Job Object API: Allows an app to manage and control dependent system resources, thereby preventing the app from
decreasing system scalability. It can establish time limits, control process priorities, and limit memory usage by a
group of related processes. Win 2k Server extends the process model by using job objects – which can be named,
shared, and secured – that enable you to manage several processes together as a single unit.

Intelligent I/O Architecture (I2O): Designed to reduce the load on system CPUs and to eliminate I/O bottlenecks. It
achieves this by letting special I/O processors (IOPs) deal with interrupt handling, buffering, and data transfer.
NTFS Offers:
• Distributed link tracking
• Per-user disk quotas
• Removal of drive letter restrictions
• Redundant storage to store data and to effect recovery
• Ability to recover from errors in critical disk sectors

Kernel memory write protection


Tasks no longer needing a reboot:
• Enlarging page file size
• Adding a new page file
• Enlarging NTFS partition size
• Adding or removing network protocols
• Installation of SQL Server 7
• Configuration of Plug and Play devices

Recovery Console:
Kernel Mode Only dump option: shortens the period needed to collect a memory dump on systems that have large
memory configurations.
Automatic System Recovery: Allows admins to retrieve destroyed systems automatically by employing info stored
on floppy disk and a complete system tape backup.

Chkdsk: Three times faster in Win 2k than Win NT 4. Automatically launched during system startup if file system
corruption is discovered.

Structured exception handling


Exception: An unexpected event – caused by hardware or software – that occurs during the execution of a program.
When an exception occurs, the program is halted and the system attempts to find an exception handler to handle the
error.

Modularity: Win 2k OS is modular, meaning it is divided into separate systems that interact independently. Each
system interacts with others through an API and each system can be removed and replaced with another without
affecting the others.
-------------------
---------------------------------------------------------------------------------------------
Device object: A kernel-mode object, defined by the I/O Manager, that represents a physical, logical, or virtual device.
HID: Human Interface Devices
INF file: A file that provides the operating system with information required to install and configure a device.
IRP: I/O Request Packet. A data structure used to send I/O requests between the operating system and device drivers.
Kernel mode: The Windows kernel manages the most basic functions of the operating system, such as sharing the
processor between different blocks of executing code. Kernel mode allows full, unprotected access to the system. A
driver or thread running in kernel mode has access to system memory and hardware.
NDIS: Network Driver Interface Specification
WHQL: Windows Hardware Quality Labs

---------------------------------------------------------------------------------------
---------------------------------------------------------------------------
Architecture
Components of the Windows 2000 modular OS: the Kernel mode architectural layer and the User mode architectural
layer.

User mode
  Environmental subsystems: POSIX subsystem | Win32 subsystem | OS/2 subsystem  <->  Integral subsystem
Kernel mode
  Executive Services: Graphics Manager | Window Manager | Security Reference Monitor | Power Manager |
                      Memory Manager | IPC Manager | Process Manager | I/O Manager | File systems
  Object Manager
  Device drivers | Microkernel
  Hardware abstraction layer (HAL)

The Kernel mode layer:


• Executive
• Upper layer managers
• Device drivers
• Hardware Abstraction Layer (HAL)
• microkernel

Executive Services:
I/O Manager:
User mode:
Cache Manager:
Process Manager:
Interprocess Communication (IPC) Manager:
Local Procedure Call (LPC) and Remote Procedure Call (RPC) facilities.
The LPC facility manages communication between servers and clients on the same system and the RPC facility
manages communication between servers and clients on different systems.

Virtual Memory Manager (VMM): manages virtual memory and paging. And the Security Reference Monitor
controls security policies.

Window Manager and Graphical Device Interface (GDI): which are combined in the Win32k.sys device driver,
control the display system.

Plug and Play Manager: a component of the Executive, directs bus drivers to configure installed devices and device
drivers.

Unlike Win 95, Win 2k does not require an Advanced Power Management (APM) BIOS or a Plug and Play BIOS.
The Advanced Configuration and Power Interface (ACPI) specification defines the BIOS support and system board
implementation for Plug and Play.
WDM drivers are source-compatible across Win 98 and Win 2k but they are not binary-compatible.

A microkernel manages the microprocessor and coordinates both the Executive's activities and all I/O functions.
A microkernel is an operating system design that makes use of modules to implement the basic features of the kernel.
It is configurable.

The User mode provides the user and application environment.

Environment subsystems enable Windows 2000 to run applications produced for different operating systems.

The Windows 2000 32-bit Windows-based (Win32) subsystem runs Win32 applications as well as applications based
on the following operating systems:
• Microsoft MS-DOS
• Win16

The POSIX subsystem provides an environment in which POSIX-based applications can run.

And the OS/2 subsystem provides an environment for 16-bit, character-mode OS/2 applications.

-------------------------

Windows 2000 Advanced Server and Datacenter Server offer an Enterprise Memory Architecture (EMA) which will
greatly benefit large application servers.

Among the computer systems that are ready to benefit from this are the Pentium Xeon chips.
Windows 2000 Advanced Server supports up to 8GB of physical memory on Intel-based systems.

Windows 2000 Datacenter Server supports up to 64GB on Intel-based systems.


Applications running on Windows 2000 Datacenter will need to be written specifically to take advantage of the Very
Large Memory (VLM) APIs.

Merely adding another 4GB or more of physical memory will not necessarily enable applications to benefit from VLM
APIs.
Windows 2000 includes, as one of its operating system features, the Scatter/Gather I/O technology that was previously
incorporated into the Windows NT service pack to enhance SQL Server performance.

An asymmetric processing system is limited to executing a process on the microprocessor to which it was
originally assigned. This makes it slower, because unoccupied processors cannot assist in executing the process.

An SMP (symmetric multiprocessing) system can run application and operating system processes on any microprocessor
that becomes available. This decreases processing time because all processors are being utilized.

A thread is the part of a process that is executing and includes
• an identifier assigned by the system
• a Kernel-mode stack
• a User-mode stack
• register contents of the microprocessor's state
• storage space for subsystems and libraries

A program includes
• code and data
• at least one thread
• a memory address space
• system resources

Windows 2000 components and the function each performs:

• IPC Manager: Manages communications between servers and clients
• Server service: Enables a Win 2k OS to offer network resources
• VMM: Performs paging processes
• Win32 subsystem: Runs MS-DOS based apps
• SMP system: Runs processes on any available microprocessor
• HAL: Eliminates the need for two versions of the Executive
• I/O Manager: Contains Win 2k file system
• Device driver: Translates driver calls into manipulation of hardware
----------------------------------------------------------

Active Directory: is the Windows 2000 directory service.


This “directory model” makes use of the Internet DNS namespace for object naming (e.g. accounting.domain.com).
The Active Directory supports Lightweight Directory Access Protocol (LDAP) versions 2 and 3 and HyperText
Transfer Protocol (HTTP).
The Active Directory supports the RFC 822 naming convention for Internet e-mail addresses, for example
AnnaH@interswift.com. It also supports the HTTP Uniform Resource Locators (URLs) convention for web browsing.
It also supports the LDAP URL and it supports a draft to RFC 1779 to specify network servers and objects.
LDAP is the Internet standard for directory access.
HTTP is the standard protocol for displaying pages on the World Wide Web.
The Active Directory uses the Uniform Naming Convention (UNC) to refer to shared volumes, printers, and files on a
Windows 2000 Server network.
A Windows 2000 UNC may include domain names as part of its name, for example
\\interswift.com\sales\results\quarterly.xls.

Directory objects: May include users, groups, computers, printers, shared folders, and containers such as domains and
OUs.

This means that you organize directory objects in logical groups on the network instead of using the folders and files
of the physical structure.
The physical structure of the directory is invisible to the user, who identifies an object by its logical name rather than
its network location.
The physical structure of the Active Directory consists of sites and domain controllers.
Site: consists of one or more IP subnets connected by high-speed access links. Sites usually have similar boundaries
to a LAN.
The physical structure of your directory is used to manage network traffic and to determine where users log on and
where directory replication occurs.
Windows 2000 uses the physical structure of the directory to determine the most reliable and efficient links between
domain controllers and the schedules for replication and logon.

Logical Structure: The logical structure of the Active Directory contains
• domains
• organizational units
• trees
• forests

The Active Directory domain is
• a security boundary that forms the central unit of network control
• a group of computers that share a common directory database with its own set of security policies and with
security relationships to other domains

Access control lists (ACLs) in each domain contain the permissions for all the objects in the domain. This includes
the users who have access to domain objects and the type of access they are allowed, for example read-only access.

Domain controller: is a Windows 2000 server that stores directory data and manages user logon and authentication
procedures and directory searches.

Domain Modes: In a Windows 2000 network, there are 2 domain modes - mixed mode and native mode.

Mixed mode is the default domain mode and allows for some domain controllers on the network to be running
Windows NT 4.0. You can run your servers in this mode indefinitely.

• Once all the domain controllers on the network are running Windows 2000, you can convert your network to
native mode.
• The client computers on the network do not need to run Windows 2000 for the native mode to be employed.
• Until your network is in native mode, directory functions such as group nesting, and some security functions
in the Active Directory will not be able to function properly.
• Once you have converted your network from mixed mode to native mode, you cannot convert it back to
mixed mode.
Domains: Consist of network objects and their related attributes.
Organizational units (OUs): are container objects that contain other OUs and network objects.
Network objects may include user accounts, user groups, or network computers.
OUs form a logical hierarchy based on the structure of the organization in which the network is deployed.

Domain structures are independent of each other so each domain can implement its own OU hierarchy according to its
own rules.
Different domains may also contain OUs with the same name.

You may want to create more than one domain on your network if
• it contains a large number of objects
• your network contains multiple Internet domain names
• your network spans more than one organization
• you want to decentralize your network
• you want to extend data replication on the network

• When there are a number of domains on a network, all of which share a contiguous namespace, they are referred to as
a tree.
• When you add a domain to an existing tree, you need to add it as a child of an existing (parent) domain.
• The name of the child is added to the name of the parent to give the child domain a unique DNS name.
• The first domain on a network is referred to as the root domain and all subsequent domains are added to the root as
branches, which form the directory tree.
A forest: A group of trees that do not share a contiguous namespace.
For example, interswift.com and brocadero.com domain trees do not share a contiguous namespace but when the
brocadero.com tree is joined to the interswift.com tree, a forest is created.
But they do share the same configuration, schema, and global catalog.

The schema: summarizes the structure of the Active Directory, including all the object classes and their attributes.
It is stored in the global catalog, which is a central repository that stores the attributes of network objects most often
used in searches.

There are two types of trust relationship that can be formed between domains in Windows 2000:
• one-way, nontransitive trusts
• two-way, transitive trusts

In a one-way, nontransitive trust relationship the Interswift.com domain, for example, may trust the Brocadero.com
domain.
But Interswift.com does not automatically trust other domains that are trusted by Brocadero.com.
One-way, nontransitive trust relationships are available in Windows 2000 to accommodate the Windows NT network
structure. So if you want to create one-way trust relationships between Active Directory domains, you can do so.

In a two-way, transitive trust relationship, Interswift.com trusts any domain that is trusted by Brocadero.com
because it trusts Brocadero.com.
Two-way, transitive relationships are the default trust between Windows 2000 domains.
A two-way trust does not automatically grant users in the indirect trust relationship permissions to access your domain.
You need to grant permissions to users and groups from a domain outside of the direct trust relationship in order for
them to be able to access your domain.
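A small model of the two trust types above and of the rule that a trust alone grants no permissions, as an added example (not part of the course notes); it uses the notes' two sample domains plus constructed third and fourth domains, and a constructed ACL for the UNC path mentioned earlier.

```python
"""Added example: transitive vs. nontransitive trusts, and trust vs. ACL grant.
Domain names other than interswift.com / brocadero.com are constructed samples."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain whose resources the trust opens up
    trusted: str       # domain whose accounts may be granted access
    two_way: bool
    transitive: bool


def _direct_trusts(trusts: List[Trust]) -> Dict[str, Set[Tuple[str, bool]]]:
    """Map each domain to the (domain, transitive) pairs it directly trusts."""
    direct: Dict[str, Set[Tuple[str, bool]]] = {}
    for t in trusts:
        direct.setdefault(t.trusting, set()).add((t.trusted, t.transitive))
        if t.two_way:
            direct.setdefault(t.trusted, set()).add((t.trusting, t.transitive))
    return direct


def trusted_domains(domain: str, trusts: List[Trust]) -> Set[str]:
    """Domains whose accounts `domain` will accept.

    A one-way, nontransitive trust counts only as a direct hop; a chain of
    trusts is followed only while every link in it is transitive.
    """
    direct = _direct_trusts(trusts)
    result: Set[str] = set()
    queue: deque = deque()
    for other, transitive in direct.get(domain, ()):
        result.add(other)
        if transitive:
            queue.append(other)          # only transitive links are extended
    while queue:
        current = queue.popleft()
        for other, transitive in direct.get(current, ()):
            if transitive and other != domain and other not in result:
                result.add(other)
                queue.append(other)
    return result


def can_access(resource: str, resource_domain: str, account: str,
               acl: Dict[str, Set[str]], trusts: List[Trust]) -> bool:
    """Cross-domain access needs BOTH a trust path and an explicit ACL grant."""
    account_domain = account.rsplit("@", 1)[1].lower()
    reachable = {d.lower() for d in trusted_domains(resource_domain, trusts)}
    reachable.add(resource_domain.lower())
    if account_domain not in reachable:
        return False                     # no trust path: account cannot be authenticated here
    return account in acl.get(resource, set())   # trust alone grants nothing


# Constructed sample topology: two transitive two-way trusts forming a chain,
# plus a chain of one-way nontransitive trusts that must NOT be followed.
SAMPLE_TRUSTS = [
    Trust("interswift.com", "brocadero.com", two_way=True, transitive=True),
    Trust("brocadero.com", "acme.example", two_way=True, transitive=True),
    Trust("interswift.com", "legacy.example", two_way=False, transitive=False),
    Trust("legacy.example", "far.example", two_way=False, transitive=False),
]

QUARTERLY = r"\\interswift.com\sales\results\quarterly.xls"
# Constructed ACL: one granted account from a trusted domain, one from an untrusted one.
SAMPLE_ACL = {QUARTERLY: {"AnnaH@brocadero.com", "Dan@far.example"}}

if __name__ == "__main__":
    print(sorted(trusted_domains("interswift.com", SAMPLE_TRUSTS)))
    print(can_access(QUARTERLY, "interswift.com", "Bob@acme.example", SAMPLE_ACL, SAMPLE_TRUSTS))
```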

The Active Directory is a namespace.


This means that it is an area in which a name can be interpreted as a particular object or set of characteristics.
A namespace is a bounded area in which a name can be resolved.

The Active Directory uses Domain Name System (DNS) to name and locate domains on the network.
And it uses Dynamic DNS (DDNS) on its servers so that clients can register directly with a server and the server can
dynamically update its DNS table to include these clients.
The use of DDNS makes the use of any other naming service, for example WINS, unnecessary in an exclusively
Windows 2000 environment.

There are two types of namespace in the Active Directory:
• contiguous namespaces
• disjointed namespaces
In a contiguous namespace, for example an Active Directory tree, objects share a common root domain.
In a disjointed namespace, for example an Active Directory forest, objects in different Active Directory trees
do not share a common root.

The Active Directory uses the following naming conventions:


• distinguished names
• relative distinguished names
• globally unique identifiers
• user principal names

A distinguished name (DN) is unique to a particular object and is used to identify the object itself.
It includes the domain name for the object as well as the directory path to the object.
For example, the user AnnaH located in the Users sub-OU of the Sales Parent OU in the HQ child domain of the
InterSwift parent domain would have the following distinguished name:
/O=Internet/DC=com/DC=InterSwift/DC=HQ/CN=Users/CN=AnnaH

In this example the abbreviations represent the
• Organization (O)
• Domain Component (DC)
• Common Names (CN) of objects

If a DN is unknown or has changed, you can use the relative distinguished name (RDN) to find an object.
The RDN is a part of the DN that does not change because it is a unique attribute of the object itself.
For example, the RDN of the user object AnnaH is AnnaH and cannot change, even if the object is moved to another
OU.
You may not create duplicate RDNs in the same OU but you can have the same RDN in two different OUs because the
object has different DNs in the two OUs.

A globally unique identifier (GUID) is a 128-bit number that is assigned to an object when it is created.
The GUID does not change, even when you rename or move the object.
The GUID can therefore be used to find an object when its DN has changed.

The user principal name (UPN) is a shortened version of a user's DN.

It includes the DNS name for the user account object and the user account name, for example AnnaH@interswift.com.
User Principal Names (UPNs) should be unique within a domain.
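The naming rules above (DN, RDN, GUID, UPN) worked through in code, as an added example that is not part of the course notes: it parses the slash-form DN used in these notes, derives the RDN, the DNS domain name, the default UPN and the comma-form LDAP DN, and shows that moving an object changes its DN but neither its RDN nor its GUID. The `DirectoryObject` class and the `OU=Sales` container are assumptions for illustration.

```python
"""Added example: Active Directory naming derived from a distinguished name.
Sample DN and names are the notes' own; the GUID is modelled with uuid4."""
import uuid
from dataclasses import dataclass, field
from typing import Optional, Tuple

Component = Tuple[str, str]   # (attribute type, value), e.g. ("DC", "com")


@dataclass(frozen=True)
class DistinguishedName:
    components: Tuple[Component, ...]   # root first, the object itself last

    @classmethod
    def parse(cls, dn: str) -> "DistinguishedName":
        comps = []
        for part in dn.split("/"):
            if not part:
                continue                 # the leading "/" yields an empty part
            if "=" not in part:
                raise ValueError(f"malformed DN component {part!r}")
            attr, value = part.split("=", 1)
            comps.append((attr.strip().upper(), value.strip()))
        if not comps:
            raise ValueError("empty DN")
        return cls(tuple(comps))

    @property
    def rdn(self) -> str:
        """The RDN is the object's own name: the last component."""
        return self.components[-1][1]

    @property
    def dns_domain(self) -> str:
        """DC components read from the object upwards give the domain's DNS name."""
        return ".".join(v for a, v in reversed(self.components) if a == "DC").lower()

    def upn(self, suffix: Optional[str] = None) -> str:
        """Default UPN uses the object's own domain; a UPN suffix may be substituted."""
        return f"{self.rdn}@{suffix or self.dns_domain}"

    def ldap_form(self) -> str:
        """Comma-separated LDAP form, most specific first, without the O=Internet root."""
        return ",".join(f"{a}={v}" for a, v in reversed(self.components) if a != "O")

    def container(self) -> "DistinguishedName":
        return DistinguishedName(self.components[:-1])

    def moved_to(self, new_container: "DistinguishedName") -> "DistinguishedName":
        return DistinguishedName(new_container.components + (self.components[-1],))

    def __str__(self) -> str:
        return "/" + "/".join(f"{a}={v}" for a, v in self.components)


def rdn_conflict(a: DistinguishedName, b: DistinguishedName) -> bool:
    """Duplicate RDNs are only a problem inside the same container (OU)."""
    return a.rdn.lower() == b.rdn.lower() and a.container() == b.container()


@dataclass(frozen=True)
class DirectoryObject:
    """Illustrative object: the GUID is assigned once and survives moves/renames."""
    dn: DistinguishedName
    guid: uuid.UUID = field(default_factory=uuid.uuid4)

    def move(self, new_container: DistinguishedName) -> "DirectoryObject":
        return DirectoryObject(self.dn.moved_to(new_container), self.guid)


ANNA_DN = "/O=Internet/DC=com/DC=InterSwift/DC=HQ/CN=Users/CN=AnnaH"      # from the notes
SALES_OU = "/O=Internet/DC=com/DC=InterSwift/DC=HQ/OU=Sales"               # assumed container

if __name__ == "__main__":
    anna = DistinguishedName.parse(ANNA_DN)
    print(anna.rdn, anna.dns_domain, anna.upn(), anna.ldap_form())
    print(anna.moved_to(DistinguishedName.parse(SALES_OU)))
```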
---------

Domain Controllers: use multimaster replication.
The ring structure ensures that there are two paths to every controller.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=3712&type=2

END OF: MS WINDOWS 2000 – UPDATE: NEW FEATURES AND ARCHITECTURE
--------------------------------------------------------------------------------

BEGIN
Microsoft Windows 2000 - Installation and Administration: Installation
• Windows 2000 Installation
• Advanced Installation options
• Preparing for upgrade
• Upgrading to Windows 2000

Windows 2000 Professional minimum requirements:
• Pentium 133MHz CPU
• 64MB of RAM
• 2GB HD w/ 650MB of free space
• VGA monitor

Win 2k Server minimum requirements:
• Pentium 133MHz CPU
• Min 128MB RAM
• 2GB HD w/ 1GB free
• VGA monitor

*A network installation requires an extra 100-200MB of free disk space.

MS recommends that you add 2MB of disk space for each MB of RAM in the computer.

NT File System (NTFS):
• Security at file and folder level
• File encryption
• Disk quotas
• Disk compression

File Allocation Table (FAT):
• Less secure; permissions only applied at share level
• Diff. transactional recovery support
• Doesn’t offer EFS or compression
• Should only be used for a dual boot system (MS recommends not dual booting a server)

Client access license (CAL): Required for each client accessing a network server.

Licensing modes: per seat or per server


Per seat licensing: You need a separate CAL for each client that accesses the Windows 2000 Server.
Per server licensing: CALs are assigned directly to the server based on the number of expected client connections.

Workgroup: Security and administration are decentralized in a workgroup because each computer maintains its own
list of users and security settings.

Domain is a grouping of networked computers that share a centralized administrative model via a replicated directory
database.

Run makeboot.exe from the \makeboot folder on the Windows 2000 installation CD-ROM to create the Setup boot disks.

Run winnt.exe if the target computer is running MS-DOS or Windows 3.x.

Run winnt32.exe if the target computer is running Windows 95/98 or NT 4.0 Workstation.
The winnt.exe command and its parameters for automated installation are shown here:
C:\>winnt [/S[:sourcepath]][/T[:tempdrive]][/U[:answer_file]][/R[x]:folder][/E:command]

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14091&type=2
------------------------------------------
BEGIN
Microsoft Windows 2000 - Installation and Administration: Installation
• Windows 2000 Installation
• Advanced Installation options
• Preparing for upgrade
• Upgrading to Windows 2000

The System Preparation (Sysprep) Tool allows you to perform multiple clean installations of Windows 2000 across a
network.
It allows you to preconfigure the operating system on a master computer's hard disk and then clone this configuration
to a number of other computers.

The Sysprep Tool prepares a system disk image to be copied to another system. You
• run sysprep.exe on a pre-configured Windows 2000 computer
• restart the computer and run a third-party disk image copying tool to create the image

Cloning, also known as disk duplication, refers to the process of duplicating an image from a computer and copying it
to multiple computers.

Cloning is carried out by a third-party disk duplication tool.

Sysprep.inf: To limit user intervention, you can create a sysprep.inf answer file that automatically answers the
questions for the user during mini-setup.

Sysprep can be run also from the Tools folder in the Windows 2000 Resource Kit.
The Resource Kit is installed by running the command:
<driveletter>\support\reskit\deploy\setup.exe

Setupcl runs when the master computer - or any hard drive duplicated from the master computer - starts.
Once you have copied the image onto a client machine, the Sysprep Tool allows the mini Setup Wizard to run
interactively with the user.

Screen 3 of 15 of the course shows how to use the Sysprep Tool, with a screen shot:
Under c:\Sysprep_Update\Tools\ double-click on sysprep.exe.
Once you have copied the master computer’s HD (e.g. to a proclient.gho image), you copy the image into a network
shared folder or onto a compact disc. Boot the target computer using a network boot disk or the CD you have created.
You can then copy the disk image onto the target computer using the disk image copying software.
Use the Setup Manager to create or import uniqueness database format (UDF) files that you use to apply unique desktop
settings.
Use the Setup Manager to include components like device drivers.

Use sysdiff.exe in conjunction with the Setup Manager to install applications on remote machines at the same time as a
remote Windows 2000 installation.
Sysdiff is a substitute for cloning that operates without Sysprep.
Sysdiff doesn’t require identical hardware configurations on the master and target computers.

To run the Setup Manager, run setupmgr.exe.
On the Product to install page of the wizard you indicate the type of answer file:
o Windows 2000 Unattended Installation: To create a text file that enables Setup to run unattended, you
select this radio button
o Sysprep Install: generates an INF file that is saved onto your computer’s system disk and allows the
file to use Sysprep to prepare the disk for duplication
o Remote Installation Services: creates a SIF file instead of a text file
* use the administration tools on the Win 2000 installation CD to enable the SIF file

Create a new distribution folder:
C:\win2000dist
Share as:
\\NTSERVER1\config1

Select the default mass storage drivers.
Select extra files to be copied.
Choose a location and name for the answer file to save:
Copy the files from CD, or
Copy the files from this location
The Setup Manager Wizard successfully completed, creating the following files:
C:\win2000dist\unattend.txt
C:\win2000dist\unattend.udf
C:\win2000dist\unattend.bat
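How the unattend.txt answer file and the unattend.udf file created above combine for one target computer, as an added example (not the course's or Setup Manager's code): it merges the per-computer sections of a UDF into the base answer file and builds the matching winnt32 command line using the documented /unattend and /udf switches. Both file contents are constructed samples, and the UDF layout (a [UniqueIds] section mapping an ID to section names, then "ID:Section" override sections) is stated here from memory of the Windows 2000 format, as an assumption.

```python
"""Added example: preview the effective unattended-setup settings for one
computer by merging an answer file with its UDF overrides. Sample files are
constructed; the UDF layout is an assumption about the Windows 2000 format."""
import configparser
from typing import Dict, List

# Constructed base answer file (the kind Setup Manager writes as unattend.txt).
ANSWER_TXT = """\
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
TargetPath=\\WINNT

[UserData]
FullName="Default User"
OrgName="InterSwift"
ComputerName=*

[Networking]
InstallDefaultComponents=Yes
"""

# Constructed UDF: each unique ID lists the sections it overrides.
UDF_TXT = """\
[UniqueIds]
client1=UserData,Networking
client2=UserData

[client1:UserData]
ComputerName=CLIENT1
FullName="Anna H"

[client1:Networking]
InstallDefaultComponents=No

[client2:UserData]
ComputerName=CLIENT2
"""

Settings = Dict[str, Dict[str, str]]


def _load(text: str) -> configparser.ConfigParser:
    # "=" only, so ":" inside values is never mistaken for a delimiter;
    # optionxform=str keeps the answer-file key capitalisation intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def answer_sections(answer_text: str) -> Settings:
    """The base answer file as {section: {key: value}}."""
    base = _load(answer_text)
    return {s: dict(base.items(s)) for s in base.sections()}


def effective_settings(answer_text: str, udf_text: str, uid: str) -> Settings:
    """Base answer file with the [uid:Section] overrides from the UDF applied."""
    merged = answer_sections(answer_text)
    udf = _load(udf_text)
    if not udf.has_section("UniqueIds") or not udf.has_option("UniqueIds", uid):
        raise KeyError(f"unique ID {uid!r} is not listed in [UniqueIds]")
    for section in (s.strip() for s in udf.get("UniqueIds", uid).split(",")):
        override = f"{uid}:{section}"
        if not udf.has_section(override):
            raise KeyError(f"[{override}] is missing from the UDF")
        merged.setdefault(section, {}).update(udf.items(override))
    return merged


def unresolved_keys(settings: Settings) -> List[str]:
    """Keys still holding the '*' placeholder, i.e. not supplied by any UDF section."""
    return [f"{s}.{k}" for s, kv in settings.items() for k, v in kv.items() if v == "*"]


def winnt32_command(uid: str, answer_path: str, udf_path: str) -> str:
    """Command line pairing the answer file with one UDF ID (documented winnt32 switches)."""
    return f"winnt32 /unattend:{answer_path} /udf:{uid},{udf_path}"


if __name__ == "__main__":
    for uid in ("client1", "client2"):
        print(uid, effective_settings(ANSWER_TXT, UDF_TXT, uid)["UserData"]["ComputerName"])
    print(winnt32_command("client1", r"C:\win2000dist\unattend.txt", r"C:\win2000dist\unattend.udf"))
```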
--
Remote Installation Services (RIS)
RIS installs Windows 2000 Professional on multiple network workstations using Pre-Boot Execution Environment (PXE)
remote boot technology and server-based distribution software.

Computers that are PC98-compliant contain a PXE Remote Boot ROM. PC98 is an annual guide for hardware
developers, co-authored by MS and Intel and including contributions from other hardware manufacturers.

The client computer requires one of the following:


• Net PC specification
• Network adapter with a Pre-Boot Execution Environment (PXE)
• supported network adapter card and a remote installation boot disk

Create a boot installation disk by running the Win 2k Remote Boot Disk Generator, rbfg.exe, from the
\remoteinstall\admin\i386 folder on the RIS server.

A RIS server is a DC or a member server in a Windows 2000 domain that acts as the source of a remote client
installation.
It provides the network installation of Windows 2000 Professional or a preconfigured Remote Installation Preparation
(RIPrep) desktop image.
RIPrep is a disk cloning utility used with RIS; it doesn’t require identical hardware configurations on the master
computer and client computers.

The recommended specifications for RIS server: Pentium I/II 200 MHz and between 128MB and 4GB of RAM,
recommended minimum of 256MB.

Before you can use RIS on your network, you need to configure the following network services:
• DNS Server
• DHCP Server
• Active Directory

Bootstrap image
Once RIS is installed, the following services are activated:
• Boot Information Negotiations Layer (BINL)
• Trivial File Transfer Protocol Daemon (TFTPD)
• Single Instance Store (SIS)

BINL listens for client network service requests and ensures that the client computer is registered in the Active
Directory and that it receives the correct files from the RIS server.
TFTPD enables the RIS server to download the files needed for remote installation - Startrom.com or OSChooser.
SIS drivers scan the RIS volume for duplicate files and store them in a separate location to reduce the amount of disk
space used by RIPrep images on the RIS volume.

Automatic Setup policy setting uses only the information provided by the administrator and allows you to create
templates for simplified setup procedures.
Custom Setup allows, for example, the specification of alternative client names but still requires the input of an
administrator at the client computer during installation.
Restart Startup setting saves answers to questions during setup and reuses these answers during a second attempt if
setup fails.

Steps if you have RIS on a server on your network and now want to install Windows 2000 Pro from a remote
client machine:
Boot the client using a PXE NIC or a remote boot floppy disk.
To create a remote boot floppy:
Double-click on rbfg.exe in the i386 folder – Images – win2000.pro
Or,
You can also run it from a folder called “reminst” containing a version of the Windows 2000 client that was copied,
using RIS, from another client computer on the network.
Remote Boot Disk Generator:

Rbfg boot disk: The procedure is not MS-DOS based. Instead it simulates the PXE boot ROM with all the necessary
network adapters on the disk. (only works with supported NICs)
The BINL service (Boot Information Negotiation Layer) needs to be started on the server.
Then the computer reboots and starts the Client Installation Wizard.
You are prompted to enter the username and password that you have authorized to configure RIS
(you need to authorize users to configure RIS using the RIS server’s properties dialog box in the Active Directory Users
and Computers MMC before you try to perform a remote installation).
Select the customized client install you created.
Services console.

Scenario:
Suppose you generated a remote installation disk image using the Sysprep Tool.
But you run setup on a client computer, and discover that command settings are not being processed during an
unattended installation.
To solve, you may need to adjust the syntax of the system information (SIF) file.
What may be wrong with the SIF file?
A: It may not contain the path to the oem directory.

The SIF file may not contain the name of the directory from which it is meant to extract preinstallation information -
the oem directory, by default.
To correct this problem, you change the directory information in the file in the way shown here.
\\RemoteInstall\Setup\applicable_language\Images\applicable_name\$oem$

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14096&type=2

------------------------------------------
BEGIN Questions
Microsoft Windows 2000 - Installation and Administration: Installation
• Windows 2000 Installation
• Advanced Installation options
• Preparing for upgrade
• Upgrading to Windows 2000

• Dynamic Host Configuration Protocol (DHCP)
• Point to Point Tunneling Protocol (PPTP)
• Internet Protocol Helper Application Programming Interface (IPHAPI)
• Telephony Application Programming Interface (TAPI)
And it contains patches for various operating systems such as Windows
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14097&type=2

Emergency Repair Disk (ERD).


System Soft Card Wizard
Tnsc001 D:\Winnt40\Sp6a\I386\Sp6ai386

MS SQL Server Service Pack 2


For MS SQL Server 7.0
And MS Data Engine (MSDE) 1.0

The Security Configuration Manager (SCM) available in the security configuration tool set in Service Pack 4 and
later; allows for more flexible centralized network security administration; can group and automate configuration tasks
and it can help you to analyze security parameters for deviations from their baseline configuration.

SCM includes an updated Access Control List (ACL) editor that is similar to the ACL editor included in Windows
2000.

streamlining the directory service.


AGLP (Accounts, Global Groups, Local Groups, Permissions) group strategy for consolidating groups.

http://weblinks.smartforce.com/courseware/links.asp?course=msw01se&link=11

Other disk image copying tools include:


PowerQuest.com
Symantec.com
Microhouse.com
Altiris.com

Post-installation scripts can be used to automate configuration settings not covered in the disk copy process.
These configuration settings are dependent on the organizational setup.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14099&type=2

Windows 2000 operating system before the migration.


http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14100&type=2

Scenario:
You need to update a Win NT 4.0 domain with 95/98 clients to a Win 2k domain. Steps:
• Streamline directory services
• Remove non-critical protocols
• Install SP 4 or later
• Plan subnets
• Back up user info from Win 95/98 workstations
• Check hardware compatibility
• Set up roaming user profiles
• Convert to DNS naming conventions

END STUDY SECTION


------------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Installation
• Windows 2000 Installation
• Advanced Installation options
• Preparing for upgrade
• Upgrading to Windows 2000

Win 2000 Compatibility Tool: generates a compatibility report that identifies whether or not there are any
hardware or software compatibility problems.
To generate a HW/SW compatibility report,
run x:\I386\Chkupgrd.bat where x represents the CD-ROM drive.
This runs the initial portion of the Setup program and checks the system for Windows 2000 compatibility issues.
It identifies the modifications you need to perform to ensure that the system is ready for upgrade. The text file
documenting the compatibility check - compat.txt - can be stored on the system volume.

Windows 95, 98, and Windows NT Workstation 3.51 or higher can be upgraded directly to Windows 2000.
To start the Windows upgrade from CD-ROM, type:
Start – Run: x:\i386\winnt32

The following MS and third-party tools assist in the reorganization of domains:


NETDOM, ClonePrincipal, the Active Directory Migration Tool (ADMT), Entevo’s DirectMigrate, or Fastlane’s DM
Suite.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14101&type=2

Scenario: Let's say that you are upgrading an NT 4.0 PDC to Windows 2000 and putting it into an existing Windows
2000 domain tree as a child domain.
You can choose between using a Windows 2000 Server CD for the upgrade or running Winnt32.exe from a shared
network folder containing the installation files.
In this case you choose to use the CD.
During the final reboot, the Setup program automatically logs on as the Administrator.
And the Active Directory Installation Wizard opens.
You can continue configuring the server environment at this point or postpone running the wizard.
The Active Directory Installation Wizard completes the upgrade to Windows 2000 Server.
It also installs the Active Directory service on your domain controller.

Scenario: Suppose you have upgraded from NT 4.0 to Windows 2000 and you need to place the upgraded PDC into an
existing domain tree as a child domain.
The existing domain tree is the interswift.com domain, which is located in New York.
Your updated child domain is Marketing, which is located in Chicago.
Select the option (radio button) that allows you to add the server to an existing tree:
• Create a new child domain in an existing domain tree
(select this option if you want the new domain to be a child of an existing domain. For example, you could
create a new domain named headquarters.example.microsoft.com as a child domain of the domain
example.microsoft.com.)
Specify the full DNS name of the parent domain (e.g. interswift.com).
Then enter the name of the child domain (e.g. marketing).
Complete DNS name of new domain:
marketing.interswift.com
Specify a NetBIOS domain name (e.g. MARKETING).
On the Database and Log Locations page, you specify the location of the Active Directory database and the database
log.
Microsoft recommends that you store the database and log on separate hard disks in order to optimize performance and
recoverability.
You decide to store the database in the locations shown and you click Next.

You specify where the system volume (Sysvol) folder is to be stored.


You type the location you have chosen and you click Next.
The system volume folder must be stored on an NTFS 5.0 volume.
On the Permissions page, specify the level of access allowed to information on the domain. Select the option that
allows you to restrict access to programs that run on Windows 2000 servers.
Once Active Directory is installed, the server reboots and the Configure Your Server screen is displayed. You can
downgrade a domain controller to a member server or configure it as a file, print, or web server.

Static Disk vs. Dynamic Disk:

After upgrading a server, you should perform the following tasks:


• verify that the Active Directory was successfully installed
• install administrative tools
• change domains from mixed mode to native mode

To verify that a user is authenticated in the Active Directory, you log on in a domain and select Start - Search - For
People.

Windows 2000 Professional administrator tools: \i386\AdminPak.msi file on the Win 2k Server CD-ROM

The Active Directory Migration Tool (ADMT) is a tool to assist network administrators with migration from
Windows NT to the Windows 2000 Active Directory service.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=38548&type=2

Objects that can be migrated using the Migration Tool include


• computer accounts
• user accounts
• security enabled groups

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14102&type=2

Start – Programs – Administrative Tools – Active Directory Migration Tool

In order to add a security ID (SID) history, you enter a username and password that has administrative rights in the
InterSwift domain and then you click Next to continue.
Options you can specify for users in the migration process:
• Whether user rights should be updated
• Whether accounts should be renamed
• Whether associated user groups should also be migrated

Conflicting accounts: you can choose to prefix the migrating account with some letters (e.g. MK), and click Next. You
can view the log when the migration has completed.

The Reporting Wizard helps you to create reports about migration operations you have carried out.

END STUDY SECTION


------------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Administration
• Basic administration
• Administrative tools
• Administrative strategies

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14992&type=2

The hardware components of a network include


• servers and workstations
• other peripherals, such as scanners and printers
• cabling
• modems
• routers and hubs

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14993&type=2

My Network Places: Provides a view of the network resources available to the logged-on user:
• Add Network Place
o Add shared folders
o Web folders
o FTP sites as network places
• Entire Network
o Microsoft Windows Network icon: View available domains and computers
o Directory icon: Access objects in the Active Directory
• Computers Near Me
o View the computers in your workgroup or domain

Folders button: displays directory structure of computer


History: To locate files that you have used previously
Search: Use to search for files, folders, computers users printers and Internet locations

Language - International
Input locale indicator: allows you to enable other language fonts that have been installed.
The input locale changes the keyboard layout or input method depending on the language that you choose to insert.
You can set individual applications to use different input locales.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14995&type=2

Accessibility:

Microsoft Magnifier: uses a portion of the screen to magnify the area in which the cursor or mouse pointer is located.
Accessibility settings can be saved in a separate file.

Utility Manager: allows you to adjust desktop settings without using the Accessibility Wizard.

Accessibility menu:
o Magnifier
o Narrator: provides text-to-speech translation for those who are visually impaired; allows the user to
customize how screen contents are read.
o On-Screen Keyboard

Options for visually impaired users:
• StickyKeys to enable multiple keystrokes using one key
• FilterKeys to adjust the response of the keyboard
• ToggleKeys to emit sounds when certain keys are pressed
• MouseKeys to enable the keyboard to act as a mouse
• SerialKeys to allow for alternative input devices

SoundSentry provides visual warnings for system sounds.
ShowSounds enables programs to show captions for program speech and sounds.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14996&type=2

When logging on, users provide their names and case-sensitive passwords.
The username may be the standard name, LisaJ, or the UPN name, LisaJ@marketing.interswift.com.
Users who employ their UPN names need not supply a domain to which they want to connect because the UPN defines
their location in the Active Directory.

Ctrl+Alt+Delete key combination: displays the Windows Security dialog box, which offers
o Lock computer
o Log off
o Shut down
o Change passwords
o Task manager
o Cancel
and shows the name of the user who is logged on to the computer.

Standby mode: useful for battery-powered computers. Windows removes the power from devices such as monitors and
hard disks to conserve energy.

Restarting: closes all applications, removes policies, profiles, and scripts, and unloads the OS.

END STUDY SECTION


------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Administration
• Basic administration
• Administrative tools
• Administrative strategies

The MMC has no management functionality of its own, but it provides a consistent interface for management
applications known as MMC snap-ins.

Microsoft's design goals for the MMC: it
• hosts the main administrative tools for clients and servers
• is task oriented
• relies on delegation
• integrates different tools

The two types of snap-in are
• standalone snap-ins, called snap-ins
• extension snap-ins, called extensions

The functionality of snap-ins is enhanced by extensions.
For example, the Event Viewer and Device Manager extensions provide increased functionality to the Computer
Management snap-in.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14997&type=2

The MMC can be used in
• User mode to work with snap-ins
• Author mode to create consoles or modify existing ones

Console Tree access in User mode:
• Full access: users have access to the entire Console Tree and can open snap-ins in new windows.
• Limited access, multiple window: users have full access to only part of the Console Tree.
• Limited access, single window: users view a single window in the Console Tree.

In Author mode, you
• have full access to the Console Tree
• can add or remove snap-ins
• can save new consoles.

On a domain controller, the most commonly used tools are typically
• Active Directory Users and Computers
• Computer Management
• DFS manager
• DNS manager
• Services

The Distributed File System (Dfs) enables you to group several storage areas on the network so that they appear as
one location and file system to the user.
The Dfs manager allows you to create file trees and manage users' access to them.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14998&type=2

A log file is associated with each scheduled task.
You can enable the Notify Me of Missed Tasks option from the Advanced menu.

END STUDY SECTION


------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Administration
• Basic administration
• Administrative tools
• Administrative strategies

You use group policy to
• control computer services on the network
• control users' desktop environments
• determine users' permissions on the network
• determine the applications and tools available to users
• allow users to access data from anywhere on the network

Any group policy applied to an Active Directory container is applied to all objects within the container.

Offline files cache network data on the local machine so that users can access the data when they are disconnected
from the network.
You can publish resources, such as printers and shared folders, at a central location on the network so that users can
gain access to them from anywhere on the network.
Windows 2000 uses the Distributed File System (Dfs) to make storage on several servers appear as one location.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14999&type=2

You can delegate administrative control in the Active Directory by assigning permissions to administrators to
• modify specific OUs
• modify specific object attributes in an OU
• perform a specific task in all the OUs in a domain

Discretionary access control lists (DACLs) are used to control access to Active Directory objects.
A DACL contains the permissions and the level of access granted to users for an object.
Each entry in a DACL is called an access control entry (ACE).
All resources in Windows 2000 have DACLs, including
• files and folders on NTFS volumes
• Active Directory objects
• printer objects

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15000&type=2

A taskpad is a simplified interface that contains one or more tasks that are shortcuts to commands or administrative
tasks in an MMC snap-in; use taskpads to create easy-to-use customized tools for users who perform a limited number of
administrative tasks.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15001&type=2

An access token contains the user's SID and universal, global, and domain local group memberships. It determines which
resources the user may access on the network.
You can activate the Secondary Logon service on your computer by
• selecting Run as from a shortcut menu
• using the runas command from the DOS prompt

You can include the runas command in a batch file to run an application automatically with a particular user account's
logon, or create a shortcut that uses the runas command.
You can also run applications automatically at logon; do this if you often need to run a single application with a specific set of
privileges.

--
Suppose you want to create a shortcut to the Secondary Logon service so that you can use it to access an application.
To do this, you right-click the application you want to access, for example Licensing, and select Properties.
On the Shortcut tabbed page you select the Run as different user checkbox, then click OK.

To execute the Run as command, you right-click Licensing and select Run as from the shortcut menu.
In some cases you may have to hold down the Shift key while right-clicking the application.

In the DOS window you type the command shown below.

The variables you can use with the runas command are
• /profile
• /env
• /netonly
• /user
• program

The /profile variable is used to load the user's profile, while /env specifies that the current environment must be used instead
of the user's environment.
The /netonly variable is used when the specified credentials pertain only to remote access.
The /user variable specifies the username, and program is the command line for the executable.
The user name should be given in the form USER@DOMAIN or DOMAIN\USER.
C:\> runas /user:johnnarus@zoetronics.com "mmc diskmgmt.msc"
Enter password for johnnarus@zoetronics.com: XXXX
Attempting to start "mmc diskmgmt.msc" as user "johnnarus@zoetronics.com"...

The Disk Management MMC now appears.


http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15002&type=2

END STUDY SECTION


------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Users
• Creating users
• Creating multiple user accounts
• User profiles

User principal name (UPN): combination of the user logon name and a domain name. By default, the UPN suffix is
the DNS name of the domain in which you are creating the account: logonname@domainname.com

User cannot change password option: ensures only Admins and members of the Account Operators group can change
the user's password.
http://weblinks.smartforce.com/courseware/links.asp?course=msw12se&link=1

* User names are not case sensitive, but Windows 2000 preserves case for reference.
* User logon names can be no longer than 20 characters: userlogonname@domainname.com
* Reserved special characters: " / \ [ ] : ; | = , + * ? < >
* Pre-Windows 2000 logon name: used for pre-Windows 2000 computers: ZOETRONICS\userlogonname
* Passwords: between 8 and 128 characters, lowercase and uppercase letters, numbers, and valid symbols. Valid
symbols for passwords: " / [ ] : ; ! = , + ? < >
* User cannot change password checkbox: can be used when more than one person has access to a domain user
account; only administrators and members of the Account Operators group can change the user's password.
* Password never expires checkbox: can be used for accounts that may be affected by the normal password
expiration process, for example accounts used to run Windows 2000 services or programs.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14948&type=2

Properties can be used when you search for objects in the Active Directory. 15 properties tabs exist for each user.
The Security, Published Certificates, and Object tabs are not listed unless you have selected Advanced Features in the
View menu of the Active Directory Users and Computers console.

* Advanced Features in the View menu of the Active Directory Users and Computers console:
enables all 15 properties tabs in the user properties dialog box.

Account options:
• Account is trusted for delegation
• Account is sensitive and cannot be delegated
• Use DES encryption types for this account
• Do not require Kerberos preauthentication

User profiles and home folders are used when a computer is used by more than one user, to allow each user to keep
custom settings and specific applications on the computer.

Profile path: used to configure the user's environment, including desktop settings and peripheral devices, and the default
folder to open documents from and save documents to; profiles can be stored on local computers or on a central server.
Profile path: \\sales\sales1\shared01\SimoneA
Logon script: \\sales\sales1\logonuser\SimoneA

Home folder
Connect G: To: \homes\SimoneA

Published Certificates tabbed page: allows you to view or add certificates issued to or by the user.

Home directory or folder: a Windows 2000 addition to a user's profile that is an alternative to, but not a replacement for, the
My Documents folder.

Planning domain user accounts:
• Naming conventions
• Domain membership
• Password options

* Tool: Active Directory Users and Computers Microsoft Management Console (MMC)
* The user logon name has to be unique within the container, domain, or local computer on which you create the account.
* Full name: displayed by the Active Directory as the user account name and completed automatically using
information from the First and Last name text boxes.

Routing and Remote Access Service (RRAS): to use a dial-up connection, a user has to dial in to a computer
running RRAS. You can configure a static IP address for the dial-in access or use predefined static routes.

“Object” Tabbed page: Contains the path to the user account object in the domain.

Update Sequence Number (USN): used for replication purposes; indicates how many times changes have been made
to the account; domain controllers use it to determine the correct version of a user account in their databases.

Security Tabbed page: Allows you to assign permissions to the user’s account object; contains a list of the groups or
user accounts that presently have permissions to the object, as well as a list of the permissions granted to each of them;
access advanced options from this page to configure permissions and auditing settings for the object and to view details
about the object’s owner.

Environment tabbed page: Allows you to configure the user’s environment when a Terminal Services session is
established; ensure a particular program starts up when the user initiates a session; supply the name of the program file
and specify the location (directory) it should run from; determine whether network drives and printers and the client’s
default printer are automatically connected at logon.

Sessions tabbed page: Set the timeout and reconnection settings for Terminal Services; time to end a disconnected
session; active session limit; idle session limit; allow reconnection.

Remote Control tabbed page: allows you to control the level of access you have to the user's Terminal Services session.
Interact with the session checkbox: allows you to take control of the user's session with the keyboard and mouse.

Terminal Services Profile tabbed page: allows you to set the user profile and home directory that are used when
establishing a Terminal session.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14949&type=2

Organization tab: Title, Department, Company, Manager, Direct reports.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14950&type=2

* The built-in Administrator account cannot be deleted, but can be renamed for security.
* The Guest account is disabled by default.

Logon Hours: restricts the hours during which the account can log on.
Log On To: restricts the computers to which the account has logon access.

Troubleshooting user account problems:
• User profiles may become corrupted, causing a variety of problems.
• A hardware error may prevent users from accessing resources on the network.
• You may find problems if another network administrator changes a user's configuration without your knowledge.
• Unauthorized users who have excessive rights may be changing system configurations.
• A virus may have entered your network, corrupting resources.

It is a good idea to create a user account for yourself with no special rights, which you can use for non-administrative tasks to
ensure you do not use your administrative account incorrectly.

END STUDY SECTION


------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Users
• Creating users
• Creating multiple user accounts
• User profiles

Bulk import: Create multiple user accounts simultaneously by importing data to the Active Directory from a file;
import file is a text file formatted in comma-delimited format (comma-separated value format).

The imported file needs to contain several items of information, including
• the path to the user account in the Active Directory
• the object type - that is, user account
• the downlevel logon name
• a user principal name

Before import you need to ensure that the file contains:
• an attribute line
• a user account line

Attribute line:
DN,objectClass,samAccountName,userPrincipalName,displayName,userAccountControl

User account line:
"cn=Anna Herrera,ou=SalesManagers,dc=Washington,dc=interswift,dc=com",user,AnnaH,AnnaH@interswift.com,"Anna Herrera",512

Downlevel logon name (user account name): AnnaH; used to connect to a network resource with a different logon
name from the one with which you are presently logged in, or used from a pre-Windows 2000 client.

User principal name: used to log on from a Windows 2000 client computer.
An imported file needs to contain this name because it is used to log on to a domain.
The file also needs to show whether the user account is enabled or disabled.

Attribute line (properties line): the first line of the import file; it provides the attribute names you want to specify in
the user account. You place the attributes in the order in which you want them to appear and separate them with
commas; the Active Directory schema defines the attribute names; if a value is missing, leave it blank but include the commas
in the user account line.

DN (distinguished name): identifies the path to the object's location in the Active Directory tree.
cn=Ana Smith,ou=Marketing,dc=Washington,dc=domainname,dc=com
objectClass = user
samAccountName = Ana Smith
userPrincipalName = AnaS@domainname.com
displayName = Ana Smith
userAccountControl = 512 (account is enabled) or 514 (disabled)

CSVDE command: used to import user accounts from an Access database on the network.
C:\>csvde -i -f C:\Newusers.txt -s server1
-i (specifies you are importing from a file)
-f (indicates that the next parameter in the command is the name of the file to import)
-s (indicates the name of the server to which the file is being imported)

LDAP Data Interchange Format (LDIF): Internet standard file format that can be used on directories that conform
to LDAP standards.
• Import/Export data
• Modify/Delete/Create objects

VBScript can be used to perform batch operations, for example with an adduser.vbs script.

LDIFDE utility: performs batch operations with LDIF (can be used instead of CSVDE).
dn: CN=John Narus,OU=Sales,DC=Washington,DC=domainname,DC=com
changetype: add
cn: John Narus
objectClass: user
sAMAccountName: JohnN
givenName: John
sn: Narus

Active Directory Services Interfaces (ADSI): used with Windows Script Host to create batch operations in
VBScript or Java; used to import/export a file and to create/delete/modify an AD object.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14951&type=2

Task:
Use the DOS command prompt to import the file Newusers.txt from the C drive of your computer and save it on the
brocadero1 server.
csvde -i -f C:\Newusers.txt -s brocadero1
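As an added example (not from the notes or from Microsoft's tools), the following Python script builds both the CSVDE comma-delimited file and the equivalent LDIFDE file for a constructed list of users, checking the logon-name rules from the notes (20-character limit, reserved characters, uniqueness) and using the 512/514 userAccountControl values before anything is handed to csvde or ldifde. The OU, domain and user records are sample values.

```python
import csv
import io

# Logon-name rules from the notes: a 20-character limit and a reserved character set.
RESERVED_CHARS = set('"/\\[]:;|=,+*?<>')
MAX_LOGON_LEN = 20
# userAccountControl values from the notes: 512 = enabled, 514 = disabled.
UAC_ENABLED = 512
UAC_DISABLED = 514

# Constructed sample accounts; the OU and domain below are hypothetical too.
SAMPLE_USERS = [
    {"first": "Anna", "last": "Herrera", "logon": "AnnaH", "enabled": True},
    {"first": "John", "last": "Narus", "logon": "JohnN", "enabled": False},
]
SAMPLE_OU = "SalesManagers"
SAMPLE_DOMAIN = "washington.interswift.com"


def check_logon_name(name):
    """Return the rule violations for one logon name (an empty list means it is acceptable)."""
    problems = []
    if not name:
        problems.append("empty name")
    if len(name) > MAX_LOGON_LEN:
        problems.append("longer than %d characters" % MAX_LOGON_LEN)
    bad = sorted(RESERVED_CHARS.intersection(name))
    if bad:
        problems.append("reserved characters: " + "".join(bad))
    return problems


def validate_users(users):
    """Collect every problem in a user list, including duplicate logon names
    (compared case-insensitively, because user names are not case sensitive)."""
    problems = []
    seen = set()
    for u in users:
        for p in check_logon_name(u["logon"]):
            problems.append("%s: %s" % (u["logon"], p))
        if u["logon"].lower() in seen:
            problems.append("%s: duplicate logon name" % u["logon"])
        seen.add(u["logon"].lower())
    return problems


def build_dn(full_name, ou, domain):
    """Distinguished name in the cn=...,ou=...,dc=...,dc=... form shown in the notes."""
    dcs = ",".join("dc=" + label for label in domain.split("."))
    return "cn=%s,ou=%s,%s" % (full_name, ou, dcs)


def uac_value(enabled):
    return UAC_ENABLED if enabled else UAC_DISABLED


def csvde_file(users, ou, domain):
    """Text of a CSVDE import file: the attribute line, then one user account line per user."""
    problems = validate_users(users)
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.StringIO()
    # csv.writer quotes the DN automatically because it contains commas.
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                     "displayName", "userAccountControl"])
    for u in users:
        full = "%s %s" % (u["first"], u["last"])
        writer.writerow([build_dn(full, ou, domain), "user", u["logon"],
                         "%s@%s" % (u["logon"], domain), full, uac_value(u["enabled"])])
    return buf.getvalue()


def ldif_file(users, ou, domain):
    """Text of an LDIFDE import file that creates the same accounts, one entry per user."""
    problems = validate_users(users)
    if problems:
        raise ValueError("; ".join(problems))
    entries = []
    for u in users:
        full = "%s %s" % (u["first"], u["last"])
        entries.append("\n".join([
            "dn: " + build_dn(full, ou, domain),
            "changetype: add",
            "objectClass: user",
            "cn: " + full,                      # cn must match the RDN in the dn line
            "sAMAccountName: " + u["logon"],
            "userPrincipalName: %s@%s" % (u["logon"], domain),
            "givenName: " + u["first"],
            "sn: " + u["last"],
            "displayName: " + full,
            "userAccountControl: %d" % uac_value(u["enabled"]),
        ]))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # The first output is the Newusers.txt content that "csvde -i -f C:\Newusers.txt -s <server>" would import.
    print(csvde_file(SAMPLE_USERS, SAMPLE_OU, SAMPLE_DOMAIN))
    print(ldif_file(SAMPLE_USERS, SAMPLE_OU, SAMPLE_DOMAIN))
```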

END STUDY SECTION


------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Users
• Creating users
• Creating multiple user accounts
• User profiles

User profile: user’s desktop and application settings, personal data, and network connections; includes
Start menu items and mapped connections to network servers or mapped drives.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14952&type=2

Three types of profiles:
• Local user
• Roaming user
• Mandatory user

Roaming user profiles: created by the administrator and stored on a network server; changes made to
the profile are updated on the server and take effect for subsequent user logons from any computer.
The next time a roaming user logs on to the same computer, Windows 2000 compares the copied files on
the computer with the profile files saved on the server.
1) Create a "Roamer" shared folder in DocsSettings on a member server
2) Set the profile path for the user account (if you don't want to use a specific username, you can
substitute the variable %username%) [appears as an unknown account under System
if the user hasn't logged on yet]

Using a user's profile as a template for a roaming user profile:
Start > Settings > Control Panel > System
Select the profile (MarioL) to use as the template, and then choose "Copy To" \\sales1\winprofile\marioe
Now click "Change" to select the user to assign the profile to.
* The new roaming user profile does not appear immediately in the System Properties dialog box.

Mandatory user profiles: created by an administrator to enforce standard
desktop settings for users or groups of users; only an administrator can make changes to these profiles; only changed
files are copied; the local copy of the profile is used if the server containing the roaming profile is unavailable.

Mandatory roaming profiles: enforce standard desktop settings for users regardless of the computer they
use to log on; Users are unable to make changes to these profiles; read-only user profile.
To create, change ntuser.dat to ntuser.man making it read-only; done on server where the mandatory
roaming profile is stored.

Ntuser.dat file: contains config settings for Windows 2000 Registry, Windows Explorer, My Documents,
mapped network drives; hidden file.

Network default user profile: create a user profile with the desired settings and store it in the Netlogon
share of each domain controller on the network.
<systemroot>\SYSVOL\sysvol\domain\scripts

When users log on for the 1st time, their local profiles are copied from the default user profile into the
Documents and Settings\<User> folder.

My Documents: the default storage location for the Save As and File Open commands.

Control Panel > System: allows you to view the user profiles stored on your computer.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=14953&type=2

END STUDY SECTION


------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Groups and Terminal Services
• Groups
• Creating and administering groups
• Terminal Services

Groups: Active Directory or local computer objects that include other objects.

Rights: user or computer account-based actions; authorize users to perform specific actions, for example logging on to
a system or backing up files and folders.

Permissions: determine the type of access granted to an object or user.

Access Control Entry (ACE): assignment of permissions to a user or group; ACEs are also stored in an object's system
access control list (SACL), which determines the security events to be audited for a user or group.
Discretionary access control list (DACL): permission entries are stored here.

Nesting: When you add a group to an existing group, it inherits the permissions of the group to which it was added;
advisable not to nest more than three levels deep.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15268&type=2

Two principal types of groups:
• Security: used to assign permissions to objects and resources; other groups, computers, and user accounts
receive rights and permissions as security group members.
• Distribution: used for nonsecurity purposes, such as sending e-mail messages to group members; can only
function in programs that are designed to work with the Active Directory; cannot be used to assign rights and
permissions.

Native mode: A domain is in this mode when all the domain controllers on the network are running Windows 2000.
*a change from Mixed mode to Native mode is irreversible.

Mixed mode: Domain used to accommodate Windows NT 4.0 directory service; limits the # of features available in a
domain (i.e. universal group scope and group type conversion not supported).

Security “Group Scope”: Each security group has a scope; the scope of a security group determines whether you can
add members only from the domain on which it was created or from any domain; also determines whether you can
assign members permissions to resources on other domains within the forest.
• Global
• Domain local
• Universal

“Global” security group scope: Members may be selected only from the domain or subdomain on which the group is
created. But you may assign them access to resources on any domain or subdomain in the domain tree or forest; useful
for assigning permissions to users who require access to resources in other domains.
For example, a global group in the sales.interswift.com subdomain can include members only from the
sales.interswift.com subdomain.
* You can grant global groups on any domain in a forest access to resources on any other forest domain.
Grant members of this group permissions to resources located in the following domains or subdomains:
• interswift.com
• sales.interswift.com
• marketing.interswift.com
• shipping.interswift.com

“Domain local” security group scope: members may include user accounts from any Windows 2000 or Windows NT
domain; you can add domain local groups as members, provided they are from the same domain; global groups and
universal groups can be nested within domain local groups.

Domain local groups: Groups with a domain local scope.

Universal security group scope:
* Groups with a universal scope are referred to as universal groups.
* Universal groups can only be created in trees or forests running in Native mode.
* You cannot include groups from Windows NT 4.0 domains.
* Use to allow members from different domains access to related resources.
* You can grant these users access to the required resources using a single universal group.

Local groups cannot be created on domain controllers because the security database of a domain controller cannot be
independent of the Active Directory.
Although local groups can contain local user accounts, global groups, and universal groups from any domain as
members, they can only be members of local groups.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15268&type=2
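As an added example (not from the notes), the following Python encodes the group scope rules exactly as the notes state them and checks a planned membership against them, including the advice not to nest more than three levels deep. The forest, domains, groups and users are constructed, and the rules are only those listed above, not the complete Windows 2000 rule set.

```python
NATIVE_MODE = "native"
MIXED_MODE = "mixed"
MAX_NESTING = 3   # the notes advise nesting no more than three levels deep

GROUP_KINDS = ("global", "domain local", "universal")


class Principal:
    """A user account or a group; 'kind' is "user" or one of GROUP_KINDS."""
    def __init__(self, name, kind, domain, nt4=False):
        self.name = name
        self.kind = kind
        self.domain = domain      # DNS name of the owning domain (or an NT 4.0 domain name)
        self.nt4 = nt4            # True if the object lives in a Windows NT 4.0 domain
        self.members = []


def membership_problem(group, member, domain_mode):
    """Return None if member may be added to group, otherwise the rule that forbids it."""
    if group.kind not in GROUP_KINDS:
        return "%s is not a group" % group.name
    if group.kind == "universal":
        # Universal groups exist only in Native mode and cannot take NT 4.0 members.
        if domain_mode != NATIVE_MODE:
            return "universal groups require Native mode"
        if member.nt4:
            return "universal groups cannot include members from Windows NT 4.0 domains"
    elif group.kind == "global":
        # Global group members must come from the domain where the group was created.
        if member.domain != group.domain:
            return "global group members must come from %s" % group.domain
    elif group.kind == "domain local":
        # Users and global/universal groups from any domain; domain local groups only from the same domain.
        if member.kind == "domain local" and member.domain != group.domain:
            return "domain local groups can be nested only from the same domain"
    if member.kind == "universal" and domain_mode != NATIVE_MODE:
        return "universal groups are not available in Mixed mode"
    return None


def nesting_depth(group):
    """Number of group levels below group (0 when it contains only users)."""
    depths = [nesting_depth(m) + 1 for m in group.members if m.kind != "user"]
    return max(depths) if depths else 0


def add_member(group, member, domain_mode):
    """Add member to group if the scope rules allow it; return the resulting nesting depth."""
    problem = membership_problem(group, member, domain_mode)
    if problem:
        raise ValueError("cannot add %s to %s: %s" % (member.name, group.name, problem))
    group.members.append(member)
    return nesting_depth(group)


def nesting_ok(group):
    """True when the group's nesting does not exceed the recommended depth."""
    return nesting_depth(group) <= MAX_NESTING


if __name__ == "__main__":
    # Constructed example: a global group from one subdomain nested into a domain local
    # group of another subdomain, and a cross-domain user that a global group must refuse.
    sales_staff = Principal("Sales Staff", "global", "sales.interswift.com")
    printer_users = Principal("Printer Users", "domain local", "marketing.interswift.com")
    lisa = Principal("LisaJ", "user", "marketing.interswift.com")
    print(membership_problem(sales_staff, lisa, NATIVE_MODE))   # refused: wrong domain
    print(add_member(printer_users, sales_staff, NATIVE_MODE))  # allowed, depth 1
```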

Windows 2000 built-in global groups:
• Domain Users
• Domain Admins
• Domain Guests
• Enterprise Admins

Domain Users are the users who have access to a domain.
Domain Admins is the group of users who have administrative rights and so includes administrators.
Domain Guests is a group of users who are not allowed to effect changes to the network.

Administrators' user accounts are assigned to the Enterprise Admins group automatically.
However, you can alter the default membership of this group to determine which users can administer the full network.

Enterprise Admins: built-in group; members can be added only from the same domain, unless you alter the group.

Windows 2000 built-in domain local groups:
• Account Operators
• Print Operators
• Server Operators
• Backup Operators
• Administrators
• Users
• Guests

Account Operators can create, delete, and modify user accounts and groups, but they cannot modify the
Administrators or Operators groups.
Print Operators can set up and manage network printers on a domain controller.
Administrators can carry out all administrative tasks on all domain controllers and on the domain itself.

Server Operators can share disk space and back up and restore data on local domain controllers.
And Backup Operators can use Windows 2000 Backup to back up and restore all domain controllers.

You assign permissions for specific network resources using the Users and Guests domain local groups.
The Domain Users global group is a default member of the Users domain local group.
The Domain Guests global group automatically has as its member the domain's default user account group and by
default is a member of the Guests local group in the same domain.

Windows 2000 creates the following built-in local groups on member servers, standalone servers, and computers
running Windows 2000 Professional:
• Users
• Administrators
• Guests
• Backup Operators
• Power Users
• Replicators

Windows 2000 creates built-in system groups, also referred to as special identities, on all local computers.

These system groups include
• Everyone
• Authenticated Users
• Creator Owner
• Network
• Interactive

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15269&type=2

*Keep membership of universal groups static; changes need to be replicated to a large # of DCs on the network.
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=20070&type=2

END STUDY SECTION


------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Groups and Terminal Services
• Groups
• Creating and administering groups
• Terminal Services

To create groups you need to determine:
• That you have the permissions you need to create the group
• The required group scope
• The name of the group
• The container in which you want to create the group
• The group members
• The resources the group needs to access and the accompanying permissions

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?link_id=15271&type=2

END STUDY SECTION


------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Groups and Terminal Services
• Groups
• Creating and administering groups
• Terminal Services

Terminal Services: optional Windows 2000 Server component; enables users to access centralized
applications from remote locations; allows users of diverse clients and hardware to access a standard view
of applications; reduces total cost of ownership (TCO) by allowing legacy clients - without the minimum
hardware requirements for the OS - to use Windows 2000.
- Helps administrators to monitor, configure, and manage the network and server from remote locations.
- After a client computer initiates a Terminal Services session, all user input, program execution, data
processing, and data storage tasks occur on the server; the client provides only the Terminal Services interface - an
image of the server's desktop; the client can be a thin client.

Provides servers with typical Windows 2000 security, including:


• Data encryption at different levels between the client and the server
• A limit on the # of logon attempts a user can make
• Storage of apps and data on a secured server rather than on a client

Supports 32-bit and 16-bit Windows-based apps, DOS-based apps, and handheld PC clients.
Remote Desktop Protocol (RDP): used by Terminal Services to create the communication link between client
and server; carries multiple independent user logons and Terminal Services sessions on one server.

A single user can run multiple Terminal Services sessions on the server at once, provided that each session
runs a different application.

A user can disconnect from a Terminal Services session without logging off; enables the user to re-establish
the session at another time or on another machine; it is possible for one user to have multiple sessions with
unique desktops open on several machines.

Network Load Balancing [Win2k Advanced Server and Datacenter Server]: lets Terminal Services clients
connect to a pool of servers running Terminal Services; balances the session load across the pool and removes
the single point of failure on the network.

Terminal Services supports the Distributed file system (Dfs), so admins can host Dfs shares on a Terminal
server and Terminal server users can connect to a Dfs share on the Terminal server.

Server Performance Monitor:

Terminal Services Licensing: controls which clients may connect to applications on the Terminal server.
Terminal Services Client Access License (TS CAL)
Issued on a per seat basis only; the Terminal Server Internet Connector license is the exception to this rule.
Licenses let an admin restrict access to specific apps on the Terminal server to improve network security
and efficiency.
- back up the license database on the Terminal Services license server regularly

32-bit Terminal Services client:


• Win 2k, Win NT, Win 98, Win 95

16-bit Terminal Services client:


• Windows for Workgroups

Mac and UNIX workstations require third-party software (Citrix MetaFrame) to connect to Terminal Services.

A Terminal Service License server manages the following license types:


• Terminal Service Client Access licenses
• Terminal Services Internet Connector licenses
• Built-in licenses
• Temporary licenses

*the Windows 2000 client does not redirect serial, parallel, or sound ports from the client desktop into the session.

Terminal Services Client Creator: Create client installation disk.


Terminal Services Configuration

Network TS client install: clients run Setup from the shared client folder
C:\WINNT\System32\Clients (the folder must be shared)

You can configure the following user settings for terminal services:
• user profiles
• home directories
• client installation

Environment tab lets you start a specified program (instead of the full desktop) when the user logs on


Client Connection Manager: wizard that creates the connection settings for your client connection.
Enable data compression: checkbox for slow network connections.
Cache bitmaps to disk: lets Windows refresh the screen from the local cache and so reduce network traffic.
Compatibility script: applies minor changes to an installed app so that it works properly in a multi-user
environment; also allows the Graphical Identification and Authentication (GINA) component to be modified so
that users can customize their Terminal Services desktop settings.
*Idle limit for TS sessions: disconnect or end the session after it has been idle for a specified time

tsshutdn command: shuts down the Terminal server after notifying connected users that it is about to shut down.

*Once apps have been installed on a Terminal server, they may malfunction if Terminal Services is later removed.

END STUDY SECTION


BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Files and Folders
• Hard disk and file systems
• Shared folders
• NT File System
• Managing shared folders

HD: several stacked metalized platters; heads read the magnetic orientation of tiny sections of the disk; a low-
level/physical format gives the physical structure (tracks, cylinders, and sectors); track (ring on the disk where data
is stored), cylinder (the same track position on all platters), sector (512-byte unit of the physical disk).
Cluster: fundamental storage unit on a disk; minimum allocation unit; consists of a number of sectors; a larger cluster
size allows larger volumes but wastes space in every partially used cluster.

Basic disk: default Windows 2000 storage type; supports primary and extended partitions; can be converted to a dynamic disk.
Dynamic disk: the whole disk is one partition that is divided into volumes rather than partitions.

High-Level Format: Initialization with a file system


File System: logical structures and software routines that control access to the stored data.
Windows 2000 supports the following file systems:
• FAT (FAT16): table of 16-bit entries that point to physical disk locations; 512-byte to 64 KB cluster sizes; max file
size 2 GB; max 4 GB volume
• FAT32: introduced with Win 95 OSR2 (95b); 512-byte to 64 KB cluster sizes; max file size 4 GB; Windows 2000 formats
FAT32 volumes of up to 32 GB but can mount volumes of up to 2 TB; uses smaller clusters for large partitions (e.g. 4 KB
clusters for partitions of up to 8 GB); more fault tolerant: maintains two copies of the file allocation table and a backup
of critical data structures in the boot record.
• Compact disk file system (CDFS)
• Universal disk format (UDF)
• Windows NT file system (NTFS) 5.0: Windows 2000 native file system; 2 TB volume capacity; cluster sizes 512 bytes to
64 KB; file and folder permissions (C2-level security); EFS; disk quotas

EFS: includes a mandatory recovery policy so that encrypted data can be recovered when the user's certificate and private
key have been lost (e.g. a disk fails); designates users as recovery agents; each agent's certificate defines the scope of
that agent's recovery abilities.

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=15888&type=2

The Distributed File System (Dfs): logical, distributed file system type built on top of other file systems such as
NTFS; used to create a logical tree of storage locations that is independent of the physical locations of the drives, files,
or folders; a Dfs tree provides users with a single namespace (UNC): \\<servername>\<sharename>

UDF: successor to CDFS used by CD-ROM and DVD devices; supports access control lists, long filenames, reading
and writing, and bootability.

Dual-Boot: allocate a volume to each OS, with each OS's apps on the same volume as that OS; NTFS, FAT, FAT32; each OS
needs a unique computer name on the network.

C:\>convert e: /fs:ntfs (converts drive e: to NTFS in place, keeping the existing files; it does not format the drive,
and the conversion cannot be undone without reformatting)

Admin shares (created by default, hidden by the $ suffix): the root of each volume (C$, D$, ...), the CD-ROM drive, the
system root folder (ADMIN$), and the printer drivers folder (PRINT$); IPC$ is the named-pipe share used for remote administration.

NET SHARE <sharename>=<path>

Max # of simultaneous connections to Windows 2000 Professional = 10

Manual Caching for Documents: the user specifies the files to be cached (default setting).

Automatic Caching for Programs: offline access to read-only and app files.
Automatic Caching for Documents: caches every data file a user opens from the share.

FAT/FAT32 file systems only allow permissions at the shared folder level.
NTFS: allows permissions at the folder and file level as well as at the share level; when a user connects over the
network, the more restrictive of the share permission and the NTFS permission applies.
Shared folder objects in Active Directory can be assigned NTFS permissions only.

Shared Folder Permissions:

• Read: read data or run apps from the shared folder.
• Change: includes Read; allows creating, modifying, and deleting files and folders.
• Full Control: default permission for the Everyone group on a new share; includes Change plus changing the NTFS
permissions on files and folders in the share.

Administrators and Server Operators groups can share folders on any computer in the domain.
Power Users group (a local group): can share folders only on the local computer.
Effective permission: the combination of the permissions assigned to the user account and to every group the user belongs to.

NTFS Folder Permissions:

• Read: view files and subfolders, folder attributes (read only, encrypted, ready for archiving, or compressed),
ownership, and permissions
• Write: create files and subfolders, change attributes, and view the ownership and permissions of the folder.
• List Folder Contents: see the names of the files and subfolders in a folder.
• Read and Execute: perform the actions allowed by the Read and List Folder Contents permissions, and move
through folders to reach other files and folders.
• Modify: perform the actions associated with the Write and Read and Execute permissions; delete the folder.
• Full Control: actions allowed by all the other folder permissions; change permissions, take ownership, delete
subfolders and files.

NTFS File Permissions:

• Read: read the file, see its attributes, and view its ownership and permissions.
• Write: overwrite the file, change its attributes, and view its ownership and permissions.
• Read and Execute: perform all the actions associated with the Read permission and run an executable
app or batch file.
• Modify: modify or delete the file; perform the actions allowed by the Read and Execute and Write permissions.
• Full Control: actions allowed by all the other file permissions; change permissions and take ownership.

Access Control Entries (ACEs): the individual Allow and Deny entries that store NTFS file and folder permissions in an ACL.
Access Control Lists (ACLs): each file and folder on an NTFS volume has an associated ACL; it lists every user and
group account that has access to the file or folder and the type of access permitted or denied.

Rules for combining permissions:
• Permissions are cumulative (the user's own permissions plus those of every group the user belongs to)
• File permissions override folder permissions
• A denied permission overrides all other permissions

*folders that users have no permissions to are effectively invisible to them
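The combination rules above, worked through in code. This is an added example written for these notes, not part of the SmartCertify course material: it reduces the standard NTFS and share permissions to a small set of named rights (an assumption made for illustration; real Windows 2000 ACEs carry access masks and are evaluated in canonical order, explicit Deny before explicit Allow) and shows cumulative allows, deny-overrides, file-over-folder, and the share/NTFS intersection that applies to network access. The users, groups, folder, file and ACLs are constructed sample data.

```python
"""Added example: combining NTFS ACEs and share permissions (Windows 2000 rules).

Standard permissions are modelled as sets of named generic rights. This is a
simplification for illustration: a real ACE carries an access mask and the
system evaluates ACEs in canonical order (explicit Deny before explicit Allow).
"""
from dataclasses import dataclass

ALL_RIGHTS = frozenset({"read", "execute", "write", "delete",
                        "change_permissions", "take_ownership"})

# Standard NTFS permissions as sets of generic rights (simplified mapping)
NTFS = {
    "Read": frozenset({"read"}),
    "Write": frozenset({"write"}),
    "Read and Execute": frozenset({"read", "execute"}),
    "Modify": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": ALL_RIGHTS,
}

# Shared folder permissions: Read, Change, Full Control
SHARE = {
    "Read": frozenset({"read", "execute"}),
    "Change": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": ALL_RIGHTS,
}


@dataclass(frozen=True)
class ACE:
    principal: str       # user or group name the entry applies to
    allow: bool          # True for an Allow ACE, False for a Deny ACE
    rights: frozenset    # generic rights the entry grants or denies


def effective_ntfs(acl, principals):
    """Rights a user ends up with on one object.

    `principals` is the user's own name plus every group they belong to.
    Allowed rights accumulate across all matching ACEs; a right denied by any
    matching ACE is removed no matter what the other ACEs allow.
    """
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective_rights(folder_acl, file_acl, principals, share_perm=None):
    """Rights on a file inside a folder, locally or through a share.

    - a file that has its own ACL is governed by that ACL, not the folder's
    - through a share, the NTFS result is intersected with the share
      permission; local (console) access is governed by NTFS alone
    """
    acl = file_acl if file_acl is not None else folder_acl
    ntfs = effective_ntfs(acl, principals)
    return ntfs if share_perm is None else ntfs & share_perm


# Constructed sample data: a Sales folder shared with Change for Everyone.
FOLDER_ACL = [ACE("Everyone", True, NTFS["Read"]),
              ACE("Sales", True, NTFS["Modify"])]
# Budget.xls has its own ACL: Sales gets Full Control, but contractors may
# not write to or delete it even though they are also members of Sales.
FILE_ACL = [ACE("Everyone", True, NTFS["Read"]),
            ACE("Sales", True, NTFS["Full Control"]),
            ACE("Contractors", False, frozenset({"write", "delete"}))]
ALICE = frozenset({"alice", "Sales", "Everyone"})
BOB = frozenset({"bob", "Sales", "Contractors", "Everyone"})

if __name__ == "__main__":
    for name, who in (("alice", ALICE), ("bob", BOB)):
        print(name, "local:", sorted(effective_rights(FOLDER_ACL, FILE_ACL, who)))
        print(name, "share:", sorted(effective_rights(FOLDER_ACL, FILE_ACL, who, SHARE["Change"])))
```

Running it shows bob losing write and delete on the file through the Deny ACE even though Sales has Full Control, and both users losing change_permissions and take_ownership when they come in through the Change share, which is the "more restrictive wins" rule for network access.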

Advanced (special) permissions:
• Standard Write: combination of Create Files/Write Data, Create Folders/Append Data, Write Attributes, and Write
Extended Attributes (plus Read Permissions and Synchronize)
• Create Files/Write Data: allows or denies creating files within a folder and modifying the contents of a file.
• Write Attributes: allows or denies changing the attributes of a file or folder.
• Traverse Folder/Execute File: allows or denies moving through folders to reach files in a particular folder even if
you have no permissions on the traversed folders (Traverse Folder), and running program files (Execute File).
• List Folder/Read Data: allows or denies viewing the contents of a folder and reading the contents of files
• Read Attributes: allows or denies viewing the attributes of a file or folder
• Read Extended Attributes: allows or denies viewing the extended attributes of a file that may be defined by
particular applications.
• Create Folders/Append Data: allows or denies creating folders within a folder and appending data to the end of a
file without overwriting existing content.
• Delete: allows or denies deleting the file or folder itself.
• Delete Subfolders and Files: allows or denies deleting subfolders and files in a folder, even if the Delete
permission has not been granted on those subfolders and files.
• Read Permissions: allows or denies viewing the permissions for a file or folder.
• Synchronize: allows or denies threads of multithreaded programs waiting on the handle for a file or folder until it
is signalled.
• Change Permissions: allows or denies changing the permissions on a file or folder
• Take Ownership: allows or denies taking ownership of a file or folder

To administer shared folders on Win 2k Pro: Administrators or Power Users

To administer shared folders on Win 2k Server: Administrators or Server Operators

net send command: notify connected users before you stop sharing a folder or disconnect their sessions.

END STUDY SECTION


BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Advanced File and Folder Management
• Distribute file system
• Redirected and offline folders
• Web files and folders

Objectives:
Configure the Distributed File System (Dfs)
Create and replicate root and child nodes
Create a root node and a child node in a Dfs tree

The Distributed File System (Dfs): allows you to organize and manage multiple network shares in a logical
namespace; uses a tree topology to represent a single logical hierarchy; makes resources easier to back up and
virus scans easier to manage.

You should use Dfs when:

• users who access shared folders are distributed across sites
• users require access to multiple folders on different servers
• users require uninterrupted access to folders
*use Dfs to distribute shared folders between servers to improve server load balancing.
*users do not need to know the name of the server on which a shared folder is located
*a standalone Dfs root can be hosted on only one server (not fault tolerant)
*a fault-tolerant (domain-based) Dfs root is stored in Active Directory:
• located through DNS
• multiple levels of child volumes
• file replication (to every Dfs root server)
• FAT (non-fault-tolerant) / NTFS (required for a fault-tolerant root)

Create Dfs tree = Dfs root + Dfs links (child nodes)


Branch node = subsequent child nodes
*you use the UNC name of the tree
\\shipping1\Salesfiles

http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=15126&type=2

*if a server in a fault-tolerant Dfs tree fails, you redefine the location of the tree and its shared folders and users
can still use the same Dfs path

*do not force replication manually once you have configured Dfs for automatic replication
*you need to provide the name of the server on which the standalone Dfs root will be located (e.g.
sales1.sales.domainname.com)

Folder Redirection extension in Group Policy

Redirect by users' security group membership (lets you redirect different groups to different locations)
Target folder location: \\Headquarters1\My Docs\%username%\My Documents
| Grant the user exclusive rights to My Documents checkbox
| Move the contents of My Documents to the new location checkbox
| Leave the folder in the new location when policy is removed radio button, or
| Redirect the folder back to the local user profile location when policy is removed radio button
| Make My Pictures a subfolder of My Documents, or
| Do not specify administrative policy for My Pictures

Offline Files
Server Message Block (SMB) based file and printer sharing: SMB is the message format MS-DOS and Windows use when
files, folders, and devices are shared (Win 95/98/NT)
*shared network files made available offline are stored in the client-side cache folder (%systemroot%\CSC) on the
system drive by default, limited to 10% of disk space by default
Offline Files Cache Mover (cachemove.exe): Win 2k Pro Resource Kit tool that moves that cache to another volume

Manual -> Quick synchronization

The Synchronization Manager allows you to save network and user computer versions of an offline file if both
versions have been modified.

IIS 5.0: complies with HTTP 1.1

• Customize HTTP error messages
• Support custom HTTP headers
• Use specialized functions such as the PUT and DELETE commands
• HTTP compression
• FTP to publish to the web server

FTP Restart facility: resume an interrupted file transfer instead of starting it over

IIS 5.0 and Windows 2000: web sites, intranets, extranets, e-commerce sites
• News bulletin boards NNTP
• E-mail services SMTP
• Web page creation
• File sharing on the Internet

Web Distributed Authoring and Versioning (WebDAV): extension of HTTP 1.1; allows multiple users to
collaborate on documents; offline editing, conflict resolution.
FrontPage Server Extensions
Platform for Internet Content Selection (PICS): provides audience ratings for web pages (e.g. for mature content)

Web folders: used to navigate WebDAV-compliant Internet servers

Active Server Pages (ASP): Scripting tool for complex HTML coding.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wiaaut/wia/wiax/overviews/gettingstartedsamples.asp

each Site has an individual host header and operates as a separate user domain

Do not place a WebDAV directory under the Wwwroot directory: that directory has special DACLs that you should not
reuse for your own directories.

Windows 2000 Kerberos version 5 replaces NT LAN Manager (NTLM) as the primary authentication protocol for resource
access; IIS 5.0 also adds:
• the Digest Authentication protocol: IETF standard (RFC 2617); the client sends a hash of the password rather than
the password itself
• the Server-Gated Cryptography (SGC) protocol: extension of the Secure Sockets Layer (SSL); 128-bit encryption
• the Fortezza protocol: US gov't security standard; complies with the Defense Message System security
architecture

Instead of Digest Authentication, you can use Anonymous access, HTTP Basic (password sent base64-encoded, i.e. in
the clear, so use it only over SSL/TLS), or Integrated Windows Authentication (Kerberos or NTLM).

Transport Layer Security (TLS)


Windows CryptoAPI storage
You can restrict the following from access to parts of your web site?
• Individual computers
• Remote users
• Whole domains
• Computer groups

Certificate Trust List (CTL): the list of certification authorities a web site trusts when it accepts or maps client certificates.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=166D3102-F5A8-49A2-B779-
153B7F59BCD3

Script Source Access permission: allows users to read the source code of script files such as ASP pages (and to change
it when Write is also set); it takes effect only if Read or Write access is also allowed.

Log visits

To allow users to view or write to files without changing their properties, you grant them the following NTFS
permissions:
• List Folder Contents - to view a list of a folder's contents
• Read or Write - to view or write to a file
• Read and Execute - to run executable files such as scripts

To allow users to change the properties of a file or folder, you grant them the following NTFS permissions:
• Full Control - to control files, directories, and their properties
• Modify - to add, delete, or change files and their properties
To deny access altogether, add an explicit Deny entry (Windows 2000 has no separate No Access permission as NT 4.0 did;
an explicit Deny overrides any Allow).

Discretionary Access Control List (DACL): permissions for files or directories to assign NTFS permissions for your
web site.

You can deny individual computers, groups of computers, or entire networks access by denying their IP addresses or
address ranges in your web server's IP address and domain name restrictions.

403 Forbidden error message: if the client's IP address is rejected (403.6) or the requested access type (e.g. Execute) is
not enabled on the directory.
401 Access Denied (Unauthorized) error message: if user authentication fails (401.1/401.2) or the authenticated user's
NTFS permissions do not allow access to the resource (401.3).
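How those checks fit together, as an added example for these notes (not Microsoft code): it models the IIS 5.0 IP address restriction, a default of granted or denied access plus a list of exceptions matched as single computers or as subnets, and then returns the status the server reports at each stage. The policies and client addresses are constructed sample data, and `ntfs_allows` stands in for the outcome of the resource's ACL; the check order (IP restriction, then authentication, then NTFS) is the order IIS applies.

```python
"""Added example: IIS 5.0 style IP address restrictions and the status
returned at each stage of access checking (IP, authentication, NTFS ACL)."""
import ipaddress


def ip_allowed(client_ip, default_granted, exceptions):
    """IIS 5 lets you choose Granted Access or Denied Access as the default and
    list exceptions (single computers or network/mask pairs) that flip it."""
    ip = ipaddress.ip_address(client_ip)
    for entry in exceptions:
        if ip in ipaddress.ip_network(entry, strict=False):
            return not default_granted
    return default_granted


def check_access(client_ip, user, ntfs_allows, policy):
    """Return the status IIS reports for a request.

    policy: (default_granted, exceptions). Checks run in the order IIS applies
    them: IP restriction first, then authentication, then the NTFS ACL.
    `user` is None when no credentials were accepted; `ntfs_allows` is the
    outcome of the resource's ACL for that user (decided by NTFS, not here).
    """
    default_granted, exceptions = policy
    if not ip_allowed(client_ip, default_granted, exceptions):
        return "403.6 Forbidden: IP address rejected"
    if user is None:
        return "401.1 Unauthorized: logon failed"
    if not ntfs_allows:
        return "401.3 Unauthorized due to ACL on resource"
    return "200 OK"


# Constructed sample policies (documentation/test address ranges)
# Public site: grant by default, block one host and one abusive subnet
DEFAULT_GRANT_POLICY = (True, ["203.0.113.7", "198.51.100.0/24"])
# Intranet site: deny by default, allow only the internal 10.0.0.0/8 range
INTRANET_ONLY_POLICY = (False, ["10.0.0.0/8"])

if __name__ == "__main__":
    for ip, user, acl_ok in (("198.51.100.9", "alice", True),
                             ("10.1.1.1", None, True),
                             ("10.1.1.1", "alice", False),
                             ("10.1.1.1", "alice", True)):
        policy = INTRANET_ONLY_POLICY if ip.startswith("10.") else DEFAULT_GRANT_POLICY
        print(ip, user, "->", check_access(ip, user, acl_ok, policy))
```

The point of the ordering is that an address on the deny list never reaches the logon stage, so the 403.6 tells you nothing about the account, while a 401.3 means the credentials were accepted and it is the NTFS ACL on the file that is blocking the request.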

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/WINDOWS2000/techinfo/reskit/en-
us/iisbook/c09_iis_5.0_security_checklist.asp

Proxy Errors: http://support.microsoft.com/default.aspx?scid=fh;EN-US;GSSTOPICERR&style=error

If certain web pages cannot be visited by certain users, this may be because the browscap.ini file on your server hasn’t
been update with the latest browser versions.

Configuring IISADMPWD Pages for Different Ports

END STUDY SECTION


BEGIN STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Hardware Configuration and Optimization
• Removable storage devices
• Display devices
• Input/Output devices
• Processors, profiles, and APM
• Optimizing and troubleshooting

IDE Port: two devices


Smartcertify link:
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp
?link_id=16488&type=2

http://www.oreillynet.com/search/

Windows 2000 supports DVD devices using the Win32 Driver Model (WDM) and DirectShow
WDM: provides a driver interface for the multimedia functions of the DVD device.
DirectShow: framework for data exchange with the DVD device itself

Region 1 coding: US
Type RPC1: only one region change is permitted
Type RPC2: change up to five times
DMA required for DVD device;
right-click Primary IDE Channel -> Properties -> Advanced Settings -> Transfer Mode: DMA if available

AGP bandwidth = 533 MBps

.drv extension = drivers extension

http://www.pcworld.com/howto/article/0,aid,103793,00.asp

http://www.smartforce.com/learning_community/applications/course_resources/login1.asp

Device Management: http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?


url=/WINDOWS2000/techinfo/reskit/en-us/prork/prdh_dmt_xgcg.asp

http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/wgs_gs_01023.htm

Input Locales

Extensible Authentication Protocol (EAP): authentication framework for dial-up and VPN connections that lets you
authenticate with smart cards and certificates (EAP-TLS); EAP-TLS gives mutual authentication and produces the key
material used to encrypt data across the network connection

Configure Smart Card:


Start -> Settings -> Network and Dial-Up Connections -> Virtual Private Network -> Properties

Trusted certificate authority

Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP)


Transport Layer Security (EAP-TLS)

Switch box: works with keyboard and mouse, not supported by BIOS version earlier than 1.9.0 or Windows
2000

Compaq Keyboards: following need drivers – LK411, LK450, LK451

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?
url=/WINDOWS2000/techinfo/reskit/en-us/prork/prdk_tel_myqt.asp
Modems:
http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/sag_MODEconcepts_111.htm

Protocols and standards:


http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/sag_MODEconcepts_112.htm

Infrared Data Association (IrDA): speeds = 115.2 Kbps (IrDA-SIR, asynchronous serial transmission) or 4 Mbps
(IrDA-FIR); must be enabled in the BIOS.
IrLPT: printing over an infrared link
IrTran-P: allows the computer to receive images from digital cameras, but it cannot initiate a connection.
Infrared noise: caused by artificial illumination and sunlight
IrDA-FIR: half-duplex transmission at up to 4 Mbps; most common on laptops.

Wireless Link icon in Control Panel

Multiprocessor
ACPI: Defines how OS and HW use power between one another so that the OS manages all power
distribution within the system.

Intel(R) MultiProcessor Specification


http://developer.intel.com/design/intarch/manuals/242016.htm

Task Manager: use to end apps or processes or to set the priority of running apps.
Affinity: assigning a process or application to one processor only.
Threads can be assigned to processors for more granular optimization.
Affinity mask: the set of processors on which a process's threads are allowed to run.
Soft affinity: the scheduler tries to run a thread on the last processor that ran it; if that processor is busy,
another processor takes the thread.
Hard affinity: restricts a process's threads to the processors in its affinity mask, so they never run elsewhere; may
prevent those threads from using the least busy processor.

DPC - Software Interrupt Partitioning: to improve performance; allows you to set processor affinity in the
case of dedicated servers with heavy network load by assigning software interrupts generated by disk or
network adapters to specific processors.
Interrupt Filter Tool: Utility to manage processor affinity.
System Monitor in Performance Console: Monitor processor performance.
Performance Object: Logical collection of performance counters that applies to a resource or service that
you can monitor, and a performance counter represents a value corresponding to a specific aspect of the
performance defined for the performance object.

Processor Bottleneck:
% Processor Time counter for the Processor object (if it stays above 80%)
Processor Queue Length counter for the System object (if it stays above 2)
% User Time and % Privileged Time counters for the Processor object.
Processor(_Total)\Interrupts/sec
System\Context Switches/sec

Analyzing Processor Activity


MS Windows 2000 Resource Kits
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?
url=/WINDOWS2000/techinfo/reskit/en-us/core/fned_ana_esrs.asp

Add 2nd Processor:


Device Manager -> Computer -> MPS Uniprocessor PC or Standard PC -> Properties -> Driver -> Update
Driver (opens the Upgrade Device Driver Wizard) -> choices:
• ACPI Multiprocessor PC
• ACPI Uniprocessor PC
• Advanced Configuration and Power Ineterface (ACPI)
• MPS Multiprocessor PC
• MPS Uniprocessor PC
• Standard PC
Now check the installation: right-click the taskbar -> Task Manager -> Performance -> two graphs should be
displayed in the CPU Usage History section

To assign an application’s process to a 2nd processor:


Task Manager -> Processes tab -> right-click a process -> Set Affinity... -> deselect CPU 0 and
select CPU 1.

To understand how applications work on a system, examine the processes of individual applications and
how they affect overall processing time; examine threads to learn about how they use the system's
resources; evaluate the priority of the threads to see how they interact with one another.

Thread Priority Idle is used by screen savers and other processes that update the display from time to
time.
Thread Priority Normal is the default class for all processes.
Thread Priority High is used by processes that are assigned the most processor time and Real Time is
used by kernel-mode system processes.

To establish baselines for the performance of processors, you should use the following system monitor
counters:
• Processor% Processor Time: measures percentage of busy time, when proc is executing non-Idle
threads.
• System/Processor Queue Length

Processor queue: One or more threads that are ready but unable to run on the processor.
The Processor Queue Length counter: measures the number of ready threads in the processor queue.
Sustained processor queue with more than two threads generally indicates that there is processor
congestion.

Driver Signing
Filter action of the systems’ response to driver upgrade of unsigned files:
• Ignore – Install all files, regardless of file signature
• Warn – Display a message before installing an unsigned file
• Block – Prevent installation of unsigned files

MS: How to Download Drivers


http://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/driverinfo.asp

Windows 2000's Power Manager dynamically handles the interaction of the operating system with
hardware devices to conserve power.

Power management is particularly important on portable computers, where CPU and disk activity quickly
consume battery power.

Windows Hardware and Driver Central:


ACPI / Power Management - Architecture and Driver Support
http://www.microsoft.com/whdc/hwdev/tech/onnow/default.mspx

Two standards for Plug and Play hardware –


Advanced Power Management (APM)
Advanced Configuration and Power Interface (ACPI).

APM is a simple standard devised by Intel and Microsoft to define power management in the BIOS; it
comprises one or more hardware-independent software layers that control power-manageable hardware
devices. (Supported in Windows 2000 Professional only, not Server, Advanced Server, or Datacenter Server)

ACPI enables the operating system to direct power management on a wide range of mobile, desktop, and
server computers and peripherals; provides a policy-based hardware interface for Windows 2000 to handle
the power management resources.
Power Management in Windows 2000
Microsoft Knowledge Base Article - 244806
Overview of Power Management in Windows 2000
http://support.microsoft.com/default.aspx?
scid=http://support.microsoft.com:80/support/kb/articles/q244/8/06.asp&NoWebContent=1

Power Options -> Advanced -> prompt for password when the computer resumes from standby
Hibernate: saves everything in memory to disk, turns off the monitor and hard disk, and then turns off the
computer; on restart the pre-hibernation desktop is restored. Requires enough free disk space to hold the
contents of memory.
Standby: switches the computer to a low-power state and turns devices off without saving system memory
to disk, so unsaved work is lost if power fails.

Card services allow you to add or remove card devices without needing to reboot your ACPI-based
computer.
Each card device contains information - called the card information structure (CIS) - that Windows 2000
uses to enable Plug and Play functionality for the device.
PnP recommended drivers should be NDIS version 5.x compliant for network adapters and SCSI interface
cards.

Dock/Undock laptop computers:


• Cold docking/undocking requires the laptop to be shut down before docking or undocking is
performed.
• Warm docking/undocking occurs while the computer is in standby mode.
• Hot docking/undocking occurs when the laptop computer is inserted into or taken out of the
docking station while it is running.

The Eject PC option on the Start menu can be used for warm undocking if warm docking is supported by the BIOS.
Or Control Panel -> Add/Remove Hardware

Docking options for a portable computer cannot be modified once Windows has started; set them in the hardware profile.
Create a hardware profile by copying an existing profile and renaming it.
Disabling a device in a hardware profile prevents its drivers from being loaded when that profile is used.

Windows 2000 Professional Documentation


http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/sysdm_hardware_profile_copyrename.htm

For both network client and a file server, bottlenecks tend to occur with network, disk, and memory
resources before they occur in the processors.

Windows 2000 Performance Tuning


http://www.microsoft.com/windows2000/server/evaluation/performance/reports/perftune.asp

System Monitor: uses performance counters (350 different ones) to form performance objects; combined
with an ActiveX control (Sysmon.ocx) to display data in other applications; create HTML pages from the
collected data and display the data in a web browser; use a spreadsheet or word processor to display or
print the data, using filters and sorts to organize the information

Counter logs: measure data about hardware resources and system services based on performance objects
and counters.
Trace logs: collect event traces that measure performance statistics associated with events such as disk
I/O and page faults.
Alerts: notify you when a particular activity exceeds or falls below a specified value.

Circular logs: which record data until they achieve a specified size and then start again.
As each new log is recorded, the oldest entry in the log is deleted.
sequential logs: which collect data according to parameters you define, such as the length of time to run.
Counter Logs -> New Log Settings... -> name the new log -> General tab (Add counters) ->

Microsoft Knowledge Base Article - 244640


Creating Performance Alerts in Windows 2000
http://support.microsoft.com/default.aspx?
scid=http://support.microsoft.com:80/support/kb/articles/Q244/6/40.asp&NoWebContent=1

file system cache: its size depends on the physical memory available, not on disk space


memory buffer allocation
File and Printer Sharing for Microsoft Network Properties (not available in Win 2k server):
Paging file (Pagefile.sys): holds parts of programs and data files that do not fit in physical memory

Hard Page Faults: Occur when a process requires code or data that is not in its working set or elsewhere
in physical memory, and must be retrieved from disk.
Memory\Pages/sec counter: greater than 20 page faults per second – amt of avail memory is falling

Paging File\%Usage(_Total) counter: total % of the page file in use; keep from reaching 100% by
increasing the page file.

Memory\Available Bytes counter: amt of physical memory available to processes running on the
computer to determine memory availability.

A paging file improves RAM availability, but can limit the operation of the file system.

Which memory-related areas do you think you need to investigate if the baselines indicate memory
problems?
• Disk paging
• Memory leaks
• Memory shortages
• The cache

You should measure memory shortages using these System Monitor counters:
• Memory\Available Bytes
• Process\Working Set: measures the number of bytes in the working set pages currently belonging to this
process.
• Process\Private Bytes: measures the number of bytes allocated to this process that cannot be shared
with other processes.
• Memory\Pages/sec
• Memory\Cache Bytes: the sum of several cache-related counters that measure the amount of cache
available.

Private Bytes counter: measures the number of un-shareable bytes allocated to a process

To confirm hard page faulting, you should use these counters in System Monitor:
• Memory\Pages/sec: the sum of Memory\Pages Input/sec and Memory\Pages Output/sec; the number of requested pages per
second that were not in RAM and had to be read from or written to disk. Acceptable ranges run from about 40 per second
on older laptops to 150 per second on newer disk systems.
• Process\Working Set
• Memory\Pages Input/sec
• Memory\Pages Output/sec: when there is plenty of memory this value will probably be low, because there is no need
to free changed pages and write them to disk.

Determine how page faulting affects the disk; how many disk operations occur as a result of disk paging.
Monitor the impact of page faulting using these System Monitor counters:
• Memory\Page Reads/sec
• PhysicalDisk\Disk Reads/sec
• PhysicalDisk\Disk Read Bytes/sec

A high ratio of reads to faults indicates that a large number of pages are not found in RAM and have to be
retrieved from disk.

You can use these System Monitor counters to monitor memory leaks:
• Memory\Available Bytes
• Memory\Committed Bytes
• Process\Private Bytes(process_name)
• Process\Working Set(process_name)
• Process\Page Faults/sec(process_name)

Network

Windows & .NET Magazine: Finding and Fixing NT Memory Leaks
http://www.winntmag.com/Articles/print.cfm?ArticleID=4754

RAID 5
SCSI Termination, IDs
To establish baselines for the performance of disks, you can use the following counters:
• LogicalDisk\% Free Space: measures the amount of unallocated disk space on a logical volume as a
percentage.
• PhysicalDisk\Disk Reads/sec: measures the rate of read operations on the disk, while the Disk
Writes/sec counter measures the rate of write operations on the disk.
• PhysicalDisk\Disk Writes/sec
• Disk Bytes/sec (PhysicalDisk and LogicalDisk objects): the primary measure of disk throughput; displays the rate at
which bytes are transferred.
• PhysicalDisk\Avg. Disk Queue Length

The Avg. Disk Queue Length counter measures the average number of read and write requests that are queued; the
value should remain below the number of disk spindles plus two.
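The memory-shortage, memory-leak and disk-queue rules above are easier to apply to a logged series of samples than to a live graph. The following added example (not part of the study notes) parses a constructed Performance Logs CSV file and applies those thresholds: Pages/sec above 20, a process whose Private Bytes grow every sample while Available Bytes fall, and Avg. Disk Queue Length above spindles + 2. The column layout (PDH timestamp first, counter paths as headers) and the sample values are assumptions.

```python
import csv
import io

# Constructed sample in the shape of a Performance Logs "Text File - CSV" log
# (first column is the PDH timestamp; header cells are counter paths). Values are invented.
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\WS01\Memory\Available Bytes","\\WS01\Memory\Pages/sec","\\WS01\Process(leaky)\Private Bytes","\\WS01\PhysicalDisk(_Total)\Avg. Disk Queue Length"
"01/14/2003 09:00:00.000","52428800","8","10485760","1.2"
"01/14/2003 09:05:00.000","48234496","15","14680064","1.9"
"01/14/2003 09:10:00.000","41943040","31","18874368","3.4"
"01/14/2003 09:15:00.000","35651584","44","23068672","4.1"
'''


def parse_perf_log(text):
    """Return (counter_names, rows); each row maps a counter name to a float sample."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    # Drop the \\machine prefix so keys read like System Monitor counter names.
    names = [h.split("\\", 3)[-1] for h in header[1:]]
    rows = []
    for rec in reader:
        if not rec:
            continue
        rows.append(dict(zip(names, (float(v) for v in rec[1:]))))
    return names, rows


def analyze(rows, spindles):
    """Apply the thresholds from the notes to the sample series and return findings."""
    findings = []
    # Memory shortage: Pages/sec above 20 in at least half the samples.
    pages = [r["Memory\\Pages/sec"] for r in rows]
    if sum(p > 20 for p in pages) * 2 >= len(pages):
        findings.append("paging: Memory\\Pages/sec exceeds 20 in at least half the samples, "
                        "available memory is falling")
    # Memory leak: a process's Private Bytes grow every sample while Available Bytes fall.
    avail = [r["Memory\\Available Bytes"] for r in rows]
    avail_falling = all(b < a for a, b in zip(avail, avail[1:]))
    for name in rows[0]:
        if name.startswith("Process(") and name.endswith("\\Private Bytes"):
            priv = [r[name] for r in rows]
            if avail_falling and all(b > a for a, b in zip(priv, priv[1:])):
                findings.append(f"leak suspect: {name} grows in every sample while "
                                "Memory\\Available Bytes falls")
    # Disk bottleneck: queue length should stay below spindles + 2.
    queue = [r["PhysicalDisk(_Total)\\Avg. Disk Queue Length"] for r in rows]
    if max(queue) > spindles + 2:
        findings.append(f"disk queue: Avg. Disk Queue Length peaked at {max(queue)}, "
                        f"above spindles + 2 = {spindles + 2}")
    return findings


if __name__ == "__main__":
    _, samples = parse_perf_log(SAMPLE_LOG)
    for finding in analyze(samples, spindles=1):
        print(finding)
```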

TCP\Segments Received/sec
TCP\Segments Sent/sec
IP\Datagrams Forwarded/sec
IP\Datagrams Received/sec
IP\Datagrams Sent/sec

16-bit application performance can be impeded because these applications run as separate threads in a
single multithreaded process - the NT Virtual DOS Machine (NTVDM).
You can counteract the performance problems by running 16-bit applications in their own separate NTVDM
processes with their own address spaces.

L2 cache stores memory that is external to the microprocessor, residing on a different chip to the
microprocessor chip.
Load balancing enables two or more servers to share processing tasks.
A cluster is a group of independent computers that appears as a single independent system to clients and
applications.

PerfMon: High Number of Pages/Sec Not Necessarily Low Memory


Microsoft Knowledge Base Article - 139609
http://support.microsoft.com/default.aspx?scid=kb;en-us;139609

ISAPI
ASP
CGI

HTTP Monitoring Tool, Web Application Stress Tool

END STUDY SECTION


Microsoft Windows 2000 - Installation and Administration: Hardware Configuration and Optimization
• Removable storage devices
• Display devices
• Input/Output devices
• Processors, profiles, and APM
• Optimizing and troubleshooting
------------------------------------
--------------------------
------------------------------------------
END STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Storage and Printing
• Disk management
• Managing disk space
• Encrypting File System
• Configuring printers
• Printer management and security

System partition: active partition that holds the hardware-specific files needed to load the operating system.
Boot partition: primary or extended partition in which operating system files are installed.
Can be the same partition - if it is an active partition.
Dynamic disks:
Windows 2000 Server Documentation:
http://www.microsoft.com/windows2000/en/server/help/default.asp?
url=/WINDOWS2000/en/server/help/sag_DISKconcepts_04A.htm

Simple Volumes
• Contain disk space from a single disk
• Unlimited number of them on a single disk

Fault tolerance
Spanned volume 2-32 disks into one logical unit
Striped volumes: 64k units; cannot be extended; contain areas of free space from between 2 to 32 disks; write data
evenly to all disks at the same rate; not fault-tolerant; cannot contain system or boot volumes.

Working with MMC console files:
http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/open_mmc_consoles.htm

Extend volume
Convert to NTFS:
convert e: /fs:ntfs

RAID-5 and mirrored volumes support:


• FAT32, FAT, and NTFS

RAID Theory and Practice:


http://www.cs.utexas.edu/users/chaput/raid.html

Add Mirror: adding a mirror to an existing volume provides data redundancy by maintaining multiple copies of a volume’s data.

If a mirrored or RAID-5 disk fails, you can try a number of methods to rectify the error before getting a new disk.
The method that you choose is dependent on whether an online or offline error has occurred.

If an offline error is indicated, you should check that the drive is connected and powered up.
Then you right-click the disk and select Reactivate Disk.

If an online error occurs and the disk does not reactivate, you need to replace the disk.
For mirrored drives, you need to break the mirror if possible before you remove a mirrored volume by using the
Remove Mirror option on the shortcut menu.
If a disk containing a mirrored volume is faulty, you remove the mirror, replace the disk, and recreate the mirror by
using the Reactivate Volume option on the shortcut menu.

The reactivation process is successful if the volumes are regenerated and resynchronized automatically.

Fdisk
Ntdsutil
Scandisk

Run the CHKDSK command in the Recovery Console as an additional step to ensure that a drive is without errors.
To install or access the Recovery Console, you need to insert the Windows 2000 CD and type d:\i386\winnt32
/cmdcons in the Run dialog box, where d is the drive letter of your CD-ROM drive.

If an online error occurs with a RAID volume, you select Repair Volume from the shortcut menu.
And if this does not fix the problem, you should replace the disk and then try to repair the volume in the same way.

Chapter 1 - Disk Concepts and Troubleshooting


http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/serverop/part1/sopch01.mspx

Windows NT 4.0 to Windows 2000 volume terminology:

stripe sets → striped volumes
mirror sets → mirrored volumes
volume sets → spanned volumes
RAID-5 volumes share data and parity across disks by using an “exclusive OR” (XOR) method. Allows reconstruction
of missing data on a failed disk by using the parity information from the good disks in the array.
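The XOR parity described above is easiest to understand by running it. This added example (not from the study notes) writes data across a small RAID-5 array with rotating parity, loses one disk, reads through the failure and rebuilds the lost disk from the survivors. The 4-byte chunk size is an assumption chosen for readability; Windows 2000 uses 64 KB stripe units.

```python
CHUNK = 4  # bytes per stripe unit; constructed value, Windows 2000 uses 64 KB


def xor_chunks(chunks):
    """XOR equal-length chunks together; this is both parity generation and reconstruction."""
    out = bytearray(CHUNK)
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, ndisks):
    """Split data into stripes of (ndisks - 1) chunks plus one parity chunk, rotating the parity disk."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = (ndisks - 1) * CHUNK
    data = data + b"\x00" * ((-len(data)) % per_stripe)  # pad the final stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * CHUNK:(i + 1) * CHUNK] for i in range(ndisks - 1)]
        parity_disk = s % ndisks              # parity rotates so no single disk is the bottleneck
        parity = xor_chunks(chunks)
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def rebuild_disk(disks, failed):
    """Regenerate the failed disk: each missing chunk is the XOR of the surviving chunks in its stripe."""
    nstripes = len(next(d for d in disks if d is not None))
    return [xor_chunks([d[s] for i, d in enumerate(disks) if i != failed])
            for s in range(nstripes)]


def raid5_read(disks, length):
    """Read the original data; a disk given as None is treated as failed and reconstructed on the fly."""
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise ValueError("RAID-5 tolerates only a single disk failure")
    if failed:
        disks = list(disks)
        disks[failed[0]] = rebuild_disk(disks, failed[0])
    ndisks, nstripes = len(disks), len(disks[0])
    out = b""
    for s in range(nstripes):
        for d in range(ndisks):
            if d != s % ndisks:               # skip the parity chunk of this stripe
                out += disks[d][s]
    return out[:length]


if __name__ == "__main__":
    payload = b"Windows 2000 RAID-5 XOR parity demo"
    array = raid5_write(payload, 4)
    array[1] = None                           # simulate losing disk 1
    print(raid5_read(array, len(payload)))
```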

Disk Quota Best Practices


http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/sag_DQbest_practices.htm

New Quota Entry


Troubleshooting Disk Quotas
http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=15847&type=2

Disk Defrag:
http://support.microsoft.com/default.aspx?
scid=http://support.microsoft.com:80/support/kb/articles/Q227/4/63.ASP&NoWebContent=1

EFS uses a randomly generated key that is independent of the user’s public or private key pair and so is not vulnerable
to cryptanalysis-based intervention.
When you access an encrypted file, EFS locates an appropriate user certificate and associated private key. The private
key is then applied to the Data Decryption Field (DDF), which is stored in the file header, and you can work with
encrypted files as you would with any other type of file.
Data Recovery Field (DRF)
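To make the DDF/DRF structure concrete, the following added example (not from the study notes and not Microsoft's EFS code) wraps a random file encryption key once for the user (DDF) and once for the recovery agent (DRF), so either private key recovers the file. The RSA pairs use small constructed primes and the file keystream is derived with SHA-256; both are illustration-only assumptions, not the algorithms EFS uses.

```python
import hashlib
import secrets


def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes; constructed for illustration, far too small for real use."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def wrap_fek(fek, public):
    """Encrypt the file encryption key with a public key (what the DDF and DRF hold)."""
    n, e = public
    return pow(fek, e, n)


def unwrap_fek(wrapped, private):
    """Recover the file encryption key with the matching private key."""
    n, d = private
    return pow(wrapped, d, n)


def keystream_xor(data, fek):
    """Symmetric file encryption: XOR with a SHA-256 keystream derived from the FEK (assumed scheme)."""
    out = bytearray()
    block = b""
    for i, b in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(fek.to_bytes(8, "big") + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def efs_encrypt(plaintext, user_public, agent_public, fek=None):
    """Return the encrypted file with its header fields: DDF for the user, DRF for the recovery agent."""
    if fek is None:
        fek = secrets.randbits(32)        # random key, independent of any user's key pair
    return {
        "ciphertext": keystream_xor(plaintext, fek),
        "DDF": wrap_fek(fek, user_public),
        "DRF": wrap_fek(fek, agent_public),
    }


def efs_decrypt(encfile, private, field):
    """Open the file through either header field ("DDF" or "DRF") with the matching private key."""
    fek = unwrap_fek(encfile[field], private)
    return keystream_xor(encfile["ciphertext"], fek)


if __name__ == "__main__":
    user_pub, user_priv = make_keypair(1000003, 1000033)      # constructed primes
    agent_pub, agent_priv = make_keypair(1000037, 1000039)
    enc = efs_encrypt(b"Quarterly sales figures", user_pub, agent_pub)
    print(efs_decrypt(enc, user_priv, "DDF"), efs_decrypt(enc, agent_priv, "DRF"))
```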

CIPHER.EXE command line utility to manage encryption

You can use wildcards in the command line along with the following switches:
• /e encrypts specified folders
• /d decrypts specified folders
• /s carries out the command on all folders and subfolders within the given folder

You can configure encryption using the following cipher.exe switches:


• /i forces cipher.exe to continue through errors
• /f forces encryption on files already encrypted
• /a carries out the command on files as well as directories

cipher /? displays a complete list of switches

C:\>cipher /e /s:c:\MonthlySales /a /q

You enter the cipher command using
• /e to indicate that the specified directory is to be encrypted
• /s to indicate that encryption applies to subdirectories within the specified directory
• /a to indicate that the files contained in the directory and subdirectory must also be encrypted
• /q to indicate that the utility is to report essential information

Windows 2000 Recovery Policy – network recovery agent; activated upon 1st administrator login (domain recovery
agent); remains active when the computer is offline.
When no Certificate Authority (CA) is available, EFS automatically issues recovery agents with self-signed
certificates.

Enterprise root CA: Most trusted CA in an enterprise. Should be installed before any other CA. Requires Active
Directory.
Enterprise subordinate CA
Stand-alone root CA
Stand-alone subordinate CA

Cryptographic service provider (CSP): generates a private and public key pair

Public Key Policy Tab

Viewing Stored Certificates:


http://www.microsoft.com/technet/404/default.mspx

Windows 2000 printing features include


• Active Directory/printer integration
• remote printing administration
• Plug and Play for local print devices
• Internet/intranet printing
• Image Color Management (ICM) 2.0
• transparent fail-over for print servers

Clustering services, transparent fail-over

File & Print Services Features

http://www.microsoft.com/windows2000/server/evaluation/features/fileprint.asp

1) print device, 2) printer, 3) print driver

local port types for physical connections:


• LPT
• COM
• IR
• File

Local port types when printer not physically installed:


• File
• UNC
• NUL

NUL: tests the printer connection by sending a job to the printer w/out actually printing it

Data Link Control protocol (DLC): for printers using HP JetDirect NICs; low-level protocol used to identify NICs.

UNIX printers require you to specify an LPR port in Win 2k config

NetWare printer: need to install


Gateway (and client) Services for NetWare (GSNW) and
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol (NWLink)

Win 2k printer datatypes:


• (EMF) Enhanced Meta File
• RAW
• TEXT

EMF:
• Lets users regain control of their computers relatively fast after printing
• It supports scalable fonts
• It is the default datatype for Printer Control Language (PCL) printers

File & Print Services Features


http://www.microsoft.com/windows2000/techinfo/howitworks/fileandprint/fileprint.asp

IPP: Requires IE 4.0 or higher.

Connect to a print server using the following URL format:


http://<server_name>/printers/<share_name>/printer

You can reference each print queue on the print server directly as http://<server_name>/<share_name>.
The share_name is the name of the print queue as defined in the printer's property page.
When you access a printer from a browser, Windows first attempts to connect to the printer with RPC, which is faster
than IPP.
RPC is a protocol that programs on a client computer use to communicate with programs on a server computer.

Peer Web Services (PWS): part of IIS; administered with the Personal Web Manager, which you need to install as an
additional administrative tool using the Windows Components Wizard.

RFC-2568
http://www.faqs.org/rfcs/rfc2568.html

Print Permissions allow users to:
• use the restart, cancel, pause, or resume functions
• connect to printers and print documents

Assigning printer permissions


http://www.microsoft.com/windows2000/en/server/help/default.asp?
url=/WINDOWS2000/en/server/help/sag_PRINTconcepts_12.htm

Auditing Printer Usage:


http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-
us/core/fnbe_prn_sjis.asp

Anonymous access:
Uses a dedicated local user account that acts on behalf of the browser

PCL and PostScript

Best printing practices:


http://www.microsoft.com/windows2000/en/server/help/default.asp?
url=/WINDOWS2000/en/server/help/sag_PRINTconcepts_17A.htm

Managing Resources with the Latest File & Print Technologies


http://www.microsoft.com/windows2000/server/evaluation/business/fileandprint.asp

Printer pool: prints to next available printer in pool

Integrated Windows authentication


Digest authentication
Basic authentication

BEGIN STUDY SECTION


Microsoft Windows 2000 - Installation and Administration: Storage and Printing
• Disk management
• Managing disk space
• Encrypting File System
• Configuring printers
• Printer management and security
------------------------------------
--------------------------
------------------------------------------
Microsoft Windows 2000 - Installation and Administration: Events
• Introducing events
• Monitoring and analyzing events
• Auditing events

Using event logs to troubleshoot problems


http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/els_use_logs_troubleshoot.htm
To search for specific types of events
http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/nt_findevent_how_ev.htm

Event Viewer Log Files


Save Log File As
Export list (alternative formats): .txt, .csv

Text (Comma Delimited) (*.csv): allows you to add the information from the log files to a spreadsheet or database.

Open Log File


Halting a computer when …
http://www.microsoft.com/windows2000/en/server/help/default.asp?
url=/WINDOWS2000/en/server/help/els_halt_computer_howto.htm

Troubleshooting Tools and Strategies


http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?
url=/windows2000/techinfo/reskit/en-us/prork/pref_tts_juhe.asp

Event Header:
http://www.microsoft.com/windows2000/en/server/help/default.asp?
url=/WINDOWS2000/en/server/help/SAG_EVmonevents_4.htm

View successful object access events by username using the Find feature:
View → Find → Event Source: Security → Category: Privilege Use →
Check Success audit, Warning, Error → User: Username → Find Next
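The Find dialog above, and the comma-delimited export described earlier, can be reproduced offline: this added example (not part of the study notes) loads a constructed Event Viewer CSV export and applies the same Source/Category/Type/User criteria, then counts successful audits per user. The column order (Date, Time, Source, Type, Category, Event, User, Computer) and the sample rows are assumptions.

```python
import csv
import io

# Constructed sample of an Event Viewer "Export List" saved as Text (Comma Delimited).
SAMPLE_EXPORT = """\
Date,Time,Source,Type,Category,Event,User,Computer
1/14/2003,9:02:11 AM,Security,Success Audit,Privilege Use,578,jsmith,WS01
1/14/2003,9:02:13 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,WS01
1/14/2003,9:05:40 AM,Security,Success Audit,Privilege Use,577,mjones,WS01
1/14/2003,9:07:02 AM,Application,Error,None,1000,N/A,WS01
1/14/2003,9:10:55 AM,Security,Success Audit,Object Access,560,JSmith,WS01
1/14/2003,9:12:30 AM,Security,Success Audit,Privilege Use,578,JSmith,WS01
"""


def parse_export(text):
    """Read the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def find_events(rows, source=None, category=None, types=None, user=None):
    """Mirror the Find dialog: every criterion given must match; usernames compare case-insensitively."""
    hits = []
    for row in rows:
        if source and row["Source"] != source:
            continue
        if category and row["Category"] != category:
            continue
        if types and row["Type"] not in types:
            continue
        if user and row["User"].lower() != user.lower():
            continue
        hits.append(row)
    return hits


def audits_per_user(rows, category="Object Access", type_="Success Audit"):
    """Count Security-log audit events of one category per (lower-cased) username."""
    counts = {}
    for row in find_events(rows, source="Security", category=category, types={type_}):
        key = row["User"].lower()
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for hit in find_events(events, source="Security", category="Privilege Use",
                           types={"Success Audit", "Warning", "Error"}, user="jsmith"):
        print(hit["Date"], hit["Time"], hit["Event"], hit["User"])
    print(audits_per_user(events))
```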

Managing Audit Policy:


http://www.microsoft.com/windows2000/en/server/help/default.asp?
url=/WINDOWS2000/en/server/help/SAG_EVmonevents_16.htm

Object tracking
Track applications
Audit resource access for the Everyone group

Default access control settings:


http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp

Auditing File and Folder access:


http://www.microsoft.com/windows2000/en/server/help/default.asp?
url=/WINDOWS2000/en/server/help/SAG_EVmonevents_17.htm

command for Group policy propagation from the domain


c:\>secedit /RefreshPolicy MACHINE_POLICY

Auditing Settings on Objects:


http://www.microsoft.com/windows2000/en/advanced/help/default.asp?
url=/WINDOWS2000/en/advanced/help/sag_SEconceptsImpAud.htm

The Manage Documents option records whether a user


• changes the job settings for a document
• pauses and restarts a document
• moves or deletes a document
The Print option records a user's attempts to print a file.
The Read Permissions option records a user's attempts to view the printer permissions.

END STUDY SECTION


Microsoft Windows 2000 - Installation and Administration: Events
• Introducing events
• Monitoring and analyzing events
• Auditing events
-----------------------------------------------
--------------------------------------
---------------------------------------------------
END STUDY SECTION
Microsoft Windows 2000 - Installation and Administration: Backup and Recovery
• Backing up and restoring
• Server recovery
• Active Directory recovery

Restoring the registry:


http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/fndc/fndc_rec_kkaw.asp

Schedule unattended backups:


http://support.microsoft.com/default.aspx?
scid=http://support.microsoft.com:80/support/kb/articles/Q239/8/92.asp&NoWebContent=1

.bkf file created by Windows Backup utility

Data protection and restoration:


http://web.archive.org/web/20020203080735/http://www.markencom.com/docs/backup/01mtn12.htm
Backup Tips:
http://support.microsoft.com/default.aspx?
scid=http://support.microsoft.com:80/support/kb/articles/Q152/5/63.asp&NoWebContent=1

Removable Storage Management (RSM)


Stored in systemroot\system32\Ntmsdata

Fast Repair
Manual Repair
Backups:
http://web.archive.org/web/20000821015633/http://www.elementkjournals.com/w95/9704/w959741.htm

Drivers.exe
Troubleshooting Backup:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/drivers-o.asp

Recovery Console

http://www.smartforce.com/learning_community/applications/course_resources/login1.asp

Using Recovery Console:


http://www.microsoft.com/technet/404/default.mspx

d:\I386>winnt32 /cmdcons

cd system32\drivers
copy d:\i386\kbdclass.sy_ kbdclass.sys
exit

On a Windows 2000 client, the System State data includes


• the system startup files
• the Registry
• the Component Services (CS) class registration database
• performance counters

Directory Services Restore Mode

BEGIN STUDY SECTION


Microsoft Windows 2000 - Installation and Administration: Backup and Recovery
• Backing up and restoring
• Server recovery
• Active Directory recovery
-----------------------------------------------
--------------------------------------
---------------------------------------------------
BEGIN STUDY SECTION
Microsoft Windows 2000: Network Protocols and Remote Access
• Configuring protocols and services
• Configuring connections
• Remote access
• Remote access connections

Common networking protocols include


• TCP/IP
• NWLink
• NetBEUI
• DLC
• AppleTalk
Other network protocols: ATM, NetWare’s IPX/SPX

Supported network standards:


http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/WINDOWS2000/techinfo/reskit/en-
us/ierk/Ch04_b.asp

Network Places → Advanced → Advanced Settings… → change binding order

To troubleshoot TCP/IP, you


• use Ipconfig to test the TCP/IP configuration
• ping the localhost address
• ping the IP address of the local computer
• ping the IP address of the default gateway
• ping the IP address of the remote host

Service control manager (SCM)


Remote Procedure Call (RPC)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Network Services:
http://www.microsoft.com/windows2000/server/evaluation/business/communications.asp

Remote access for windows 2000:


http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-
us/intwork/inad_ntr_jfqh.asp

The ICS computer


• provides network address translation
• allocates IP addresses
• resolves names
But the branch computers must be configured for automatic addressing for the ICS computer to provide these services.

ICS: http://www.microsoft.com/windows2000/en/professional/help/default.asp?
url=/WINDOWS2000/en/professional/help/HowTo_share_conn.htm

Compatible Hardware Devices:


http://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/search/devices.asp

remote access server administration:


http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rras/rras/about_remote_access_service.asp

Multilink protocol: enables multiple physical connections to be combined into a single logical connection

Bandwidth Allocation Protocol (BAP)


Bandwidth Allocation Control Protocol (BACP)

PPTP
L2TP

Remote Access Policies:


http://www.smartforce.com/learning_community/applications/course_resources/login_course_resources.asp?
link_id=16442&type=2

VPN overview:
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
http://web.archive.org/web/20030604073007/http://ns1.pikusa.com/multi.html

To reduce the security risk of remote access, Windows 2000 remote access supports several security features:
• secure authentication
• secure callback
• caller ID
• data encryption
• remote access account lockout

Secure authentication over the remote access connection can use one of several protocols that integrate with PPP.
These protocols include
• Extensible Authentication Protocol (EAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft CHAP (MS-CHAP)
• Shiva Password Authentication Protocol (SPAP)

Account Lockout:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_RRAS-
Ch1_74.htm

The most frequently encountered difficulties with remote access and VPNs are the
• Rejection of connection attempts
• Acceptance of unwanted connection attempts
• Inability to reach locations beyond the remote access server
• Inability to create a VPN tunnel

END STUDY SECTION


Microsoft Windows 2000: Network Protocols and Remote Access
• Configuring protocols and services
• Configuring connections
• Remote access
• Remote access connections
-----------------------------------------------
--------------------------------------
---------------------------------------------------
END STUDY SECTION
Microsoft Windows 2000: Group Policy
• Introducing Group policy
• Group policy operation
• Managing users
• Account and security policies
• Managing software

Published
assigned
Advanced published or assigned

END STUDY SECTION


Microsoft Windows 2000: Group Policy
• Introducing Group policy
• Group policy operation
• Managing users
• Account and security policies
• Managing software
-----------------------------------------------
--------------------------------------
---------------------------------------------------
