Exercise 1 : Run the following commands and write the use of each command
Ipconfig
Ping
Options:
-t Ping the specified host until stopped.
To see statistics and continue - type Control-Break;
To stop - type Control-C.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
telnet
Microsoft (R) Windows 2000 (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Client
Telnet Client Build 5.00.99206.1
Escape Character is 'CTRL+]'
Microsoft Telnet>
diskperf
C:\Documents and Settings\Administrator>diskperf
Physical Disk Performance counters on this system are currently set to start at boot.
netdiag
C:\Documents and Settings\Administrator>netdiag
'netdiag' is not recognized as an internal or external command, operable program or batch file.
netstat
Pathping
ftp
C:\Documents and Settings\Administrator>ftp
ftp>
tftp
C:\Documents and Settings\Administrator>tftp
Transfers files to and from a remote computer running the TFTP service.
TFTP [-i] host [GET | PUT] source [destination]
-i Specifies binary image transfer mode (also called octet). In binary image
mode the file is moved literally, byte by byte. Use this mode when
transferring binary files.
host Specifies the local or remote host.
GET Transfers the file destination on the remote host to the file source on the
local host.
PUT Transfers the file source on the local host to the file destination on the
remote host.
source Specifies the file to transfer.
destination Specifies where to transfer the file.
SHIVKUMAR SHARMA 126338778 BCSL-063 LAB MANUAL
Sfc
nbtstat
C:\Documents and Settings\Administrator>nbtstat
Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]
-a (adapter status) Lists the remote machine's name table given its name
-A (Adapter status) Lists the remote machine's name table given its
-P printer Name of the print queue
-C class Job classification for use on the burst page
-J job Job name to print on the burst page
-o option Indicates type of the file (by default assumes a text file) Use "-o l" for
binary (e.g. postscript) files
-x Compatibility with SunOS 4.1.x and prior
-d Send data file first
nslookup
C:\Documents and Settings\Administrator>nslookup
*** Default servers are not available
Default Server: UnKnown
Address: 127.0.0.1
route
C:\Documents and Settings\Administrator>route
Manipulates network routing tables.
ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF
interface]
-f Clears the routing tables of all gateway entries. If this is used in conjunction with
one of the commands, the tables are cleared prior to running the command.
-p When used with the ADD command, makes a route persistent across boots of
the system. By default, routes are not preserved when the system is restarted.
Ignored for all other commands, which always affect the appropriate persistent
routes. This option is not supported in Windows 95.
command One of these:
PRINT Prints a route
ADD Adds a route
DELETE Deletes a route
CHANGE Modifies an existing route
destination Specifies the host.
MASK Specifies that the next parameter is the 'netmask' value.
netmask Specifies a subnet mask value for this route entry.
If not specified, it defaults to 255.255.255.255.
gateway Specifies gateway.
interface the interface number for the specified route.
METRIC specifies the metric, ie. cost for the destination.
All symbolic names used for destination are looked up in the network database file
NETWORKS. The symbolic names for gateway are looked up in the host name database
file HOSTS.
If the command is PRINT or DELETE. Destination or gateway can be a
wildcard, (wildcard is specified as a star '*'), or the gateway argument
may be omitted.
If Dest contains a * or ?, it is treated as a shell pattern,
and only matching destination routes are printed. The '*' matches any
string, and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*,
*224*.
Diagnostic Notes:
Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
The route addition failed: The specified mask parameter is invalid.
(Destination & Mask ) != Destination.
Examples:
> route PRINT
> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
destination^ ^mask ^gateway metric^ ^ Interface^
If IF is not given, it tries to find the best interface for a given gateway.
> route PRINT
> route PRINT 157* .... Only prints those matching 157*
> route DELETE 157.0.0.0
> route PRINT
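The mask check from the Diagnostic Notes above, (DEST & MASK) != DEST, worked through in shell as an added example (not part of the original manual or of route itself). The function names are hypothetical; the first two sample entries are the manual's own examples and the rest are constructed.

```shell
#!/bin/sh
# Added example: reproduces the rule quoted in the route help text,
# "Invalid MASK generates an error, that is when (DEST & MASK) != DEST".

# ip_to_int DOTTED_QUAD -> prints the address as a 32-bit integer.
# Returns 1 unless the argument is exactly four octets in the range 0-255.
ip_to_int() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;          # empty, or not digits and dots
    esac
    case $1 in
        *.*.*.*.*) return 1 ;;             # more than three dots
        *.*.*.*) ;;                        # exactly three dots
        *) return 1 ;;                     # fewer than three dots
    esac
    rest=$1
    o1=${rest%%.*}; rest=${rest#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case $octet in
            ''|0?*|????*) return 1 ;;      # empty, leading zero, too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($o1 << 24) | ($o2 << 16) | ($o3 << 8) | $o4 ))
}

# route_verdict DEST [MASK] -> prints ok, invalid-mask or malformed.
# MASK defaults to 255.255.255.255, as the help text states.
route_verdict() {
    dest_int=$(ip_to_int "$1") || { echo malformed; return 0; }
    mask_int=$(ip_to_int "${2:-255.255.255.255}") || { echo malformed; return 0; }
    if [ $(( $dest_int & $mask_int )) -eq "$dest_int" ]; then
        echo ok
    else
        echo invalid-mask                  # bits set in DEST that MASK clears
    fi
}

# Sample entries: lines 1-2 come from the help text, the rest are constructed.
while read -r entry_dest entry_mask; do
    printf '%-12s MASK %-16s -> %s\n' "$entry_dest" \
        "${entry_mask:-(default)}" "$(route_verdict "$entry_dest" "$entry_mask")"
done <<'EOF'
157.0.0.0 255.0.0.0
157.0.0.0 155.0.0.0
157.55.80.1
157.55.0.0 255.255.0.0
157.55.80.0 255.255.0.0
EOF
```

The last entry fails for the same reason as the help text's 155.0.0.0 case: the destination has bits set (the 80 in the third octet) that the mask zeroes.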
Lpq
net session
drivers
C:\Documents and Settings\Administrator>drivers
'drivers' is not recognized as an internal or external command, operable program or batch file.
nettime
C:\Documents and Settings\Administrator>nettime
'nettime' is not recognized as an internal or external command, operable program or batch file.
rsh
C:\Documents and Settings\Administrator>rsh
Runs commands on remote hosts running the RSH service.
chkdsk
C:\Documents and Settings\Administrator>chkdsk
hostname
C:\Documents and Settings\Administrator>hostname
Amb
net account
C:\Documents and Settings\Administrator>net account
The syntax of this command is:
NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP
| HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]
netsh>set interface
The following command was not found: set interface.
When you reach location #2, do the same thing, only save the new settings to a different file:
netsh -c interface dump > c:\location2.txt
Netsh.exe can also be used to configure your NIC to automatically obtain an IP address from a
DHCP server:
netsh interface ip set address "Local Area Connection" dhcp
Would you like to configure DNS and WINS addresses from the Command Prompt?
You can. See this example for DNS:
netsh interface ip set dns "Local Area Connection" static 192.168.0.200
and this one for WINS:
netsh interface ip set wins "Local Area Connection" static 192.168.0.200
Or, if you want, you can configure your NIC to dynamically obtain its DNS settings:
netsh interface ip set dns "Local Area Connection" dhcp
Exercise 10: Use winchat command and communicate with your friend sitting on
a different machine of Windows 2000.
Answer:
To Make a Chat Call
1. On the conversation menu, click Dial
2. Click the computer name, or type the computer name, for the person with whom you
want to chat, and then click OK
3. When the person with whom you want to chat answers the call, begin typing in the Chat
window. You cannot begin typing until the person you are calling answers.
4. If the person you are calling does not answer, or you want to end the call, click Hang Up
on the Conversation menu.
1. Click Start, click Control Panel, click Performance and Maintenance, and then click
Administrative Tools.
2. Double-click Computer Management, double-click Services and Applications, and
then double-click Services.
3. In the Details pane, click Network DDE.
4. On the Action menu, click Start.
To have the Network DDE service start automatically every time you start your computer:
1. Click Start, click Control Panel, click Performance and Maintenance, and then click
Administrative Tools.
2. Double-click Computer Management, double-click Services and Applications, and
then double-click Services.
3. In the Details pane, click Network DDE.
4. On the Action menu, click Properties.
5. On the General tab, in Startup type, select Automatic, and then click OK.
To Hang Up
To end a call, click Hang Up on the Conversation menu. If the person with whom you are
chatting hangs up before you do, a message appears in the status bar. If you quit Chat, hang-
up occurs automatically.
You can view your chat partner's conversation with the same background color and font that
you are using by clicking Preferences on the Options menu, and then clicking
Use Own Font.
To Change the Font
1. On the Options menu, click Font
2. In the Font dialog box, click the options you want.
By default, the pane that displays your chat partner's conversation uses the background color
and font that your chat partner has selected. You can view your chat partner's conversation with
the same background color and font that you are using by clicking Preferences on
the Options menu, and then clicking Use Own Font.
To Change Window Preferences
1. On the Options menu, click Preferences.
2. Under Window Style, click the layout you prefer.
3. Under Partner's Message, click the option you want.
man
Step 1 :
Step 2 :
man {section}name
Shows the full manual page entry for "name". Without a section number, "man" may give you
any or all man pages for that "name". For example, "man write" will give you the manual pages
for the write command, and "man 2 write" will give you the system call for "write" ( usually from
the C or Pascal programming language ).
pwd
Step 1 :
pwd
Shows current working directory path.
ls
Step 1 :
Step 2:
ls {directory}
Shows directory listing. If no "directory" is specified, "ls" prints the names of the files in the
current directory.
ls -a
ls -al | more
Step 1 :
Step 2 :
cd
cd {dirname}
Change current directory. Without a "dirname", it will return you to your home directory.
Otherwise, it takes you to the directory named. "cd /" will take you to the root directory.
cd ..
chmod
cat passwd
Exercise 2: Try to explore the file system, write what is there in /bin, /usr/bin,
/sbin, /tmp and /boot. Find and list the devices that are available in your system.
/bin
/tmp
/sbin
Exercise 3: Make your own subdirectories called uni and linu in your home
directory, Made? Ok, now delete the subdirectory called uni.
Exercise 4: Create a file called ignou.txt that contains the words “hello I am
student of IGNOU”. Now copy this file and paste to other directory. Copied? Can
you move the file also from one directory to another?
Exercise 6: Display the names of all files in the home directory using find. Can
you display the names of all files in the home directory that are bigger than
500KB.
Exercise 8: Use egrep to try to find out which lines in an ignou.txt file are
satisfied by the regular expression given: (^[0-9]{1,5}[a-zA-z]+$)|none and check
the result with different combinations of lines.
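An added example, not part of the original exercise, that runs the expression from Exercise 8 over constructed lines with grep -E (the current spelling of egrep). STRICT is a hypothetical tightened variant, assuming the intent was letters only and a whole-line "none"; the function names are also assumptions.

```shell
#!/bin/sh
# Added example: which lines does the Exercise 8 expression accept?

PATTERN='(^[0-9]{1,5}[a-zA-z]+$)|none'   # exactly as given in the exercise
STRICT='^([0-9]{1,5}[a-zA-Z]+|none)$'    # assumed intent (hypothetical)

# line_matches REGEX LINE -> exit status 0 when LINE matches REGEX.
# LC_ALL=C makes bracket ranges follow byte order, so the result is the
# same on every system.
line_matches() {
    printf '%s\n' "$2" | LC_ALL=C grep -Eq -- "$1"
}

# classify LINE -> prints "exercise=<yes|no> strict=<yes|no>"
classify() {
    if line_matches "$PATTERN" "$1"; then ex=yes; else ex=no; fi
    if line_matches "$STRICT" "$1"; then st=yes; else st=no; fi
    echo "exercise=$ex strict=$st"
}

# Constructed test lines, one per behaviour worth checking:
#   123abc       1-5 digits followed by letters
#   123456abc    six digits, over the {1,5} bound
#   abc123       letters first
#   12345        digits only, the letter part is missing
#   42foo_bar    "_" lies between "Z" and "a" in ASCII, so [A-z] accepts it
#   nonetheless  the "none" branch is not anchored, so a substring is enough
#   none         the literal alternative on its own
while IFS= read -r line; do
    printf '%-14s %s\n' "$line" "$(classify "$line")"
done <<'EOF'
123abc
123456abc
abc123
12345
42foo_bar
nonetheless
none
EOF
```

The two lines where the columns differ show the places the original expression is looser than it looks: the A-z range also covers [ \ ] ^ _ and `, and only the first alternative is anchored.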
Exercise 9: Change your password and write down restrictions for given
password.
Exercise 10: Open ignou.txt using vi editor, go to the end of the file and type in
the following paragraph:
In 1971 Bell Labs releases the first Unix operating system. Then 1985 Richard Stallman
releases his GNU (“GNU is not Unix”) Manifesto thus starting the open sourci revolution. He
wanted to creat an open-source version of Unix Unix. Stallman’s Free Software Foundation
eventually created the GNU General Public License (GPL) which is basically an anti-copyright
also referred to as a
Now you correct spelling errors in the first three lines and remove the extra “Unix” in the 3rd line
of the paragraph. Add the words “copyleft” to the end of the paragraph. Replace the string
“GNU is not Unix” with a string “Unix is not a GNU”. Save the file and quit. Repeat the same
exercise using emacs also. Write down the difference between the two editors, also write which one
you find easier and why.
Difference:-
• Vi was designed to write programs while emacs was designed to write text
• Vi is much smaller and loads much faster compared to emacs
• Emacs is modeless while vi can work in different modes
• Vi has few features while in emacs various plugins are available
• Vi is designed for unix while emacs works on every OS.
Exercise 1 : Find the files in your home directory whose names start with the
character ‘s’ and redirect the output into a file redirecting.txt; if you receive
an error message on execution of the command, redirect it into error.exe.
Exercise 2 : Execute sleep 25 in the foreground, suspend it with Ctrl-z and then
put it into the background with bg. Show all processes running in the background, bring
any process back into the foreground with fg. Repeat the same exercise using kill
to terminate the process and use & for sending into the background.
sleep 25
ctrl+z
bg
ps
fg %4052
sleep 25
ctrl+z
ps
bg 4052|kill
ps
Exercise 3 : Combine the commands cat nonexistent and echo helloIGNOU using
suitable operators. Now reverse the order of the commands and try.
cat nonexistent && echo "helloIGNOU" Combination of two commands using && Operator
cat >> nonexistent Combination of two commands using append operator
Exercise 4 : Write a shell script which returns the PID of a process and accept the
name of process
ping ignou.ac.in -c 1
talk username
who|talk
Exercise 7 : Print a file ignou.txt and then send multiple files to a printer. Write
the command you will execute to remove any file from print queue.
lpr ignou.txt
lpr abc.txt
Exercise 8 : Send a mail to yourself, and include ignou.txt inside the mail. Read
the mail you have sent to yourself. Save the piece of message and file into
some folder. Reply to yourself.
Exercise 9 : Use telnet and ftp to get connected with other remote machine. Write
the problems you encounter during connection with remote machine.
Exercise 10 : Use the ls command and grep to display all names starting with “s”.
ls | grep "^s"
Exercise 2: Execute sleep 25 in the foreground, suspend it with Ctrl-z and then
put it into the background with bg. Show all processes running in the background,
bring any process back into the foreground with fg. Repeat the same exercise
using kill to terminate the process and use & for sending into background. (You
need to see different options of the kill command)
Ans:2
Ans 3:
Exercise 6: Send a mail to yourself, and include ignou.txt inside the mail. Read
the mail you have sent to yourself. Save the piece of message and file into some
folder. Reply to yourself.
Exercise 7: Print a file ignou.txt, and then send multiple files to printer. Write the
command you will execute to remove any file from print queue.
Ans : 8
Exercise 9: Use telnet and ftp to connect with other remote machine. Write the
problems you encounter during connection with remote machine.
Ans: 9
Only super user can change password and permissions of other users on linux system.
Exercise 3: Delete the user, which just now you have added.
userdel user2 This will delete user2 from the user list
Exercise 4: Set the execution time of two jobs so that it can run automatically
tomorrow, one at 11:00 p.m. After this setting, how can you change the time of
execution of job?
crontab -e This will open a file in the vi editor showing the scheduled entries, where we can
change the time of execution and run the job
0 11 * * * || /etc > > /|| Entries edited to run the job at 11:00 a.m.
0 13 * * * mv /|| /||| Entries edited to run the job at 3:00 p.m.
scp /tmp/jeet.txt 192.168.0.11:/home/jeet/tmp/jeetnew/.txt
This will copy or download the file from the remote machine to the
machine whose IP is 192.168.0.11
Exercise 6: Create a cron job that sends you a message after every 5 minutes.
*/5 * * * * echo "Testing" This will edit the cron job entry
Exercise 7: Restart any system daemon like the web server httpd.
Exercise 8: Write a message to inform all user “they should shut down their
machine after completing the lab exercise”
wall "they should shut down their machine after completing the lab exercise"
who /var/adm/wtmpx | xargs
#!/bin/bash

# Delete filenames in current directory containing bad characters.

for filename in *
do
  # Keep the name only if it contains one of: + { ; " \ = ? ~ ( ) < > & * | $
  badname=$(printf '%s\n' "$filename" | sed -n '/[+{;"\\=?~()<>&*|$]/p')
  # Quote the name and pass "--" so that glob characters or a leading "-"
  # in the name cannot make rm act on other files or read it as an option.
  [ -n "$badname" ] && rm -- "$badname" 2>/dev/null   # So error messages deep-sixed.
done

# Now, take care of files containing all manner of whitespace.
find . -name "* *" -exec rm -f {} \;
# The path name of the file that "find" finds replaces the "{}".
# The '\' ensures that the ';' is interpreted literally, as end of command.

exit 0

#---------------------------------------------------------------------------
# Commands below this will not execute because of "exit" command.

# An alternative to the above script:
find . -name '*[+{;"\\=?~()<>& ]*' -exec rm -f '{}' \;
exit 0
Use Computer Management to manage local or remote computers using a single, consolidated
desktop tool. It combines several Windows 2000 administration utilities into a single console
tree, providing easy access to a specific computer's administrative properties and tools. Use
Computer Management to:
Monitor system events such as logon times and application errors.
Create and manage shares.
View a list of users connected to a local or remote computer.
Start and stop system services such as the Task Scheduler and the
Spooler.
Set properties for storage devices.
View device configurations and add new device drivers.
Manage server applications and services such as the Domain Name System (DNS) service or
the Dynamic Host Configuration Protocol (DHCP) service.
The Security Settings node allows a security administrator to configure security levels assigned
to a Group Policy object or local computer policy. This can be done after or instead of importing
or applying a security template.
Event Viewer
Using the event logs in Event Viewer, you can gather information about hardware, software,
and system problems and monitor Windows 2000 security events. Windows 2000 records
events in three kinds of logs:
Services
Using Services, you can start, stop, pause, or resume services on remote and local computers,
and configure startup and recovery options. You can also enable or disable services for a
particular hardware profile.
Create an Emergency Repair Disk (ERD), which will help you repair system files in the event
they get corrupted or are accidentally erased.
Make a copy of any Remote Storage data and any data stored in mounted
drives.
Make a copy of your computer's System State, which includes such things
as the registry, the boot files, and the system files.
Back up services on servers and domain controllers, including such
things as the Active Directory service database, the Certificate
Services database, and the File Replication service SYSVOL directory.
Schedule regular backups to keep your backed up data up to date.
You can use Backup to back up and restore data on either FAT or NTFS volumes. However, if
you have backed up data from an NTFS volume used in Windows 2000, it is recommended that
you restore the data to an NTFS volume used in Windows 2000, or you could lose data as well
as some file and folder features. For example, permissions, encrypting file system (EFS)
settings, disk quota information, mounted drive information, and Remote Storage information
will be lost if you back up data from an NTFS volume used in Windows 2000 and then restore it
to a FAT volume or an NTFS volume used in Windows NT 4.0.
Disk Defragmenter
Disk Defragmenter locates fragmented files and folders on local volumes. A fragmented file or
folder is split up into many pieces and scattered over a volume. When a volume contains a lot of
fragmented files and folders, Windows takes longer to gain access to them because it requires
several additional disk drive reads to collect the various pieces. Creating new files and folders
also takes longer because the free space available on the volume is scattered. Windows must
then save new files and folders to various locations on the volume.
Disk Defragmenter moves the pieces of each file or folder to one location on the volume, so that
each occupies a single, contiguous space on the disk drive. As a result, your system can gain
Defragmenter also consolidates your free space, making it less likely that new files will be
fragmented. The process of finding and consolidating fragmented files and folders is called
defragmentation. The amount of time that defragmentation takes depends on several factors,
including the size of the volume, the number of files on the volume, the amount of fragmentation,
and the available local system resources. You can find all of the fragmented files and folders
before defragmenting them by analyzing the volume first. You can see how many fragmented
files and folders are saved on the volume and then decide whether or not you would benefit
from defragmenting the volume. Disk Defragmenter can defragment FAT, FAT32, and NTFS
formatted volumes. For more information, see Related Topics.
System Information
System Information collects and displays your system configuration information. Support
technicians require specific information about your computer when they are troubleshooting
your configuration. You can use System Information to quickly find the data they need to
resolve your system problem.
(3)CLICK THE NEXT BUTTON OF THE WELCOME SCREEN OF THE ADD PRINTER
WIZARD
(6)SELECT THE MANUFACTURER AND PRINTER AND CLICK THE NEXT BUTTON
(7)SPECIFY A NAME FOR THE PRINTER AND SETTINGS FOR USING THE PRINTER
AS A DEFAULT PRINTER IF YOU WANT TO SHARE THE PRINTER ON THE NETWORK
THEN CLICK NEXT
(9)SPECIFY THE LOCATION AND COMMENT FOR THE PRINTER AND CLICK NEXT
BUTTON
The dcpromo command is used to raise the level of the server to become an
Active Directory controller. The process takes approximately ten minutes and
is described briefly in the following.
We assume that there are no other servers in your network and therefore, we
want a controller for a new Active Directory infrastructure.
Afterwards, we define whether the new AD domain is to be integrated into an existing system.
The SYSVOL folder is another specialty of the Active Directory because its
contents are replicated by all the Active Directory controllers in a domain.
This includes login scripts, group policies and other things that must be
available on other servers as well. The location of this folder can of course be changed
according to need.
Exercise 8 : Install a caching DNS server and find out how it reduces the network
traffic
Windows 2000 authentication is implemented in two steps: an interactive logon process and a
network authentication process. Typically, the same set of credentials is used by the interactive
logon process and the network authentication process. If your credentials differ, you are
If you originally set up a DNS server for internal queries only, it's possible that the root hints in
your server are empty or that someone has modified them to point to internal servers. If you now
want the DNS server to resolve queries for external hosts, it's important to ensure that the server
has a valid set of root hints.
To configure root hints for the server, follow these steps:
1. Ensure that you've configured the server to use an upstream DNS server capable of
resolving external hosts.
2. Open the DNS console from the Administrative Tools folder.
3. In the left pane, right-click the server in question, and choose Properties.
4. On the Root Hints tab, select the first server in the Name Servers list, and click Edit.
5. Click Resolve to resolve the host name to its IP address, and click OK. You can also
manually enter the IP address for the target server.
6. Repeat the process for the remaining root servers, and add others if necessary.
7. When you've finished, close all dialog boxes.
In a DNS (Domain Name System) database, a zone is a subtree of the DNS database that is
administered as a single separate entity, a DNS server. This administrative unit can consist of a
single domain or a domain with subdomains. A DNS zone administrator sets up one or more
name servers for the zone.
Solution :
You can use this step-by-step guide to install or set up Windows 2000 Professional
on an i386 machine, but you must make adjustments suitable to the system
configuration and network configuration of your machine and network
environment. Some parts of this installation process may require you to
consult your system administrator.
Objective:
Safety:
Upon the completion of this Windows 2000 installation project, you will be able to:
1. Install a new operating system on your personal computer (PC).
2. Make a new partition on the hard drive.
3. Format the partition using the NTFS file system.
4. Configure the Windows 2000 Professional operating system on a personal
computer (PC).
1. Set your computer to boot from the CD-ROM drive by changing the Boot Sequence
setting in the computer BIOS.
2. Insert the Windows 2000 Professional installation CD into the CD-ROM drive and
reboot the computer so that it boots from the Windows 2000 Professional
installation CD-ROM that is already in the CD-ROM drive.
3. After your computer boots from the Windows 2000 Professional installation CD-ROM,
Windows 2000 Setup starts checking the system configuration and loading
driver files.
4. The Windows 2000 Professional Setup screen then displays Welcome to Setup.
Press [ ENTER ] to set up Windows 2000, press the [ R ] key to repair a Windows
2000 installation, or, if you want to quit the installation process now, press the [ F3 ] key.
5. Windows 2000 Professional Setup detects that the hard disk is new or has been
erased, or that your computer is running an operating system that is incompatible with
Windows 2000.
Highlight the unpartitioned space, then press the [C] key to create a partition.
9. The Windows 2000 Professional Setup screen then displays the disk partition
information. To create more partitions on the disk, highlight the unpartitioned space,
then press the [C] key.
To set up Windows 2000 on the desired partition, highlight New <Unformatted>,
make sure that this partition is large enough to hold the Windows 2000 operating
system, then
press the [ENTER] key to install Windows 2000 Professional on the selected partition.
Note: This is the last point at which you can quit the installation process without
destroying any data on the disk. There is no turning back after this step. To quit the
installation process without destroying any data on the disk, press the [ F3 ] key.
Highlight Format the partition using the NTFS file system, to format the
partition using the NTFS file system, then,
Recommended reading on the difference between the NTFS file system
and the FAT file system:
11. The Windows 2000 Professional Setup screen then shows that the partition is being
formatted, and the progress bar shows the percentage of the partition formatted so far.
Wait for a while; this procedure may take some time depending on the size of the
partition and the speed of the computer itself.
12. The Windows 2000 Professional Setup screen then copies files to the Windows
2000 installation folder. The progress bar shows the percentage of the files that already
13. The Windows 2000 Professional Setup screen then reports that this portion of setup
has completed successfully; remove any bootable media.
Press the [ENTER] key to restart the computer, or wait for Setup to restart your
computer automatically.
14. After the restart, the Microsoft Windows 2000 Professional screen is displayed
and Windows 2000 Professional starts up for the first time.
Note: From this Setup Wizard screen onwards, you can use your mouse to
click the buttons instead of using the keyboard.
17. The Windows 2000 Professional Setup screen displays Installing Devices. On this
screen, Setup detects and installs devices on the computer. Setup also informs you that
the screen of the computer may flicker for a few seconds. Wait for Setup
to finish detecting and installing the devices on the computer.
19. The Windows 2000 Professional Setup screen then displays Personalize Your
Software. On this screen, type your name in the Name box and the name of
your organization in the Organization box.
21. The Windows 2000 Professional Setup screen then displays Computer Name and
Administrator Password. Type the computer name in the Computer name box.
Type an administrator password in the Administrator password box, then retype
the same administrator password in the Confirm password box.
Administrator password:
Confirm password:
22. The Windows 2000 Professional Setup screen then displays Date and Time
Settings; adjust the date, time and time zone configuration as necessary.
23. The Windows 2000 Professional Setup screen then displays Networking Settings;
the screen also shows a progress bar while Windows installs networking components.
26. The Windows 2000 Professional Setup screen then displays a progress bar showing the
status of installing Windows 2000 components. Wait until Setup installs all the
components. This process may take several minutes to finish.
27. The Windows 2000 Professional Setup screen then displays the Performing Final
Tasks window. On this screen the progress bar shows the progress of Setup in
completing a final set of tasks.
29. A splash screen shows Windows 2000 Professional starting up on the first
boot after installation.
31. The Network Identification Wizard window then asks the question
"who can log on on this computer?" If you are the only user of this computer,
click the radio button that says "Windows always
assume the following user has logged on to this computer:" and then set a password
for the user if needed; or,
if this computer is for the use of multiple users (e.g. for a public computer network),
select "Users must enter a user name and password to use this computer".
The only user of this computer is now Administrator, which means that the
Administrator has to log on to this computer and set up user accounts or join a
domain to make this computer available to other users.
33. Now the Log On To Windows 2000 Professional screen appears. This screen
is only shown if you selected the "Users must enter a user name and password to use
this computer" option and entered the password in the above procedure (Network
Identification Wizard --> Users of This Computer).
If you selected the "Windows always assume the following user has logged on to this
computer:" option in the above procedure (Network Identification Wizard --> Users
of This Computer) and left the password box blank (didn't set any password), the
system will log in automatically and this Log On screen will never appear.
Enter the user name and password for the user and click the [OK] button to log in
to the system.
Microsoft Windows 2000, with its Active Directory Services, allows companies to
develop large, centralized directories of network resources. Managing large
numbers of users is easy due to its centralized directory architecture. Access
Gateway with Advanced Access Control 4.2 can take advantage of a company's
Active Directory infrastructure by authenticating users through the Internet
Authentication Service (IAS), Microsoft's implementation of RADIUS.
Procedure
4. Click Finish.
Once this process is complete, the RADIUS server permits the Advanced Access
Control server to query it; however, a Remote Access Policy is still required to
permit or deny access to specific users.
A remote access policy tells the IAS server to permit or deny access to a user based
on a set of credentials. It also allows for the configuration of Vendor-specific
Attributes (VSAs), a form of RADIUS extensions, which allow you to send specific
information to the Advanced Access Control server. Remote access policies can
permit access based on parameters such as a user’s group membership in Active
Directory and scheduled times or dates, among many others. Before any user can
authenticate to the IAS server, a remote access policy must be defined. In this
article, the following policy is created:
Advanced Access Control Carmel Group Policy: Permit Access to Carmel users and
return Carmel User-Group attribute
This policy permits users who are members of the Active Directory group Carmel to
authenticate to the RADIUS server. This policy will also return attributes to the
Advanced Access Control server if the user is a member of the Carmel group, so
access can be restricted to members of the Carmel group only.
1. To define a remote access policy, from the IAS console, right-click Remote
2. In the New Remote Access Policy Wizard, select Set up a custom policy
and type a policy name. Click Next.
3. Under the Policy Conditions box, click Add and then select the Windows-
Groups attribute type.
6. Click Edit Profile to edit the dial-in properties for the remote access profile.
This is where Password Authentication Protocol (PAP) or Challenge
Handshake Authentication Protocol (CHAP) authentication and VSAs are
enabled. Click the Authentication tab and clear the Microsoft Encrypted
Authentication check boxes. Select the Encrypted authentication (CHAP)
and Unencrypted authentication (PAP, SPAP) check boxes.
7. The RADIUS server must tell the Advanced Access Control server that users
matching this policy are members of the Carmel group in Active Directory.
This is done by sending VSAs to the Advanced Access Control server as part
of this remote access policy.
8. Click the Advanced tab and remove any attributes that are present. Click
Add.
11. Complete the wizard. A dialog box pops up warning that you have changed
settings. Click No and then click OK.
When you have finished configuring your remote access policy, it appears in the
Remote Access Policies list in the IAS console. This policy permits access and
returns the Carmel attribute to the Advanced Access Control server when users
who match these conditions authenticate.
1. From the Access Suite Console, select the farm properties node and click
2. Click New… and add the IP address or FQDN of the RADIUS server. Change
the port numbers if you changed them on the IAS server. Otherwise, the
default values work. Click OK.
4. Select the logon point you wish to use with RADIUS and click Edit logon
point under Common Tasks. On the Authentication page, select the
RADIUS profile option and then choose the RADIUS server from the list box.
8. Select the logon point you configured for RADIUS and then click
Authentication Credentials. Under RADIUS Servers, in Global secret for
all servers, enter and confirm the shared secret for the RADIUS server you
created in IAS. Click OK.
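The procedure above enables PAP and CHAP on the remote access profile and sets a shared secret between IAS and the Advanced Access Control server. The following is an added example, not part of the original manual or of either product: it shows in Python how RADIUS (RFC 2865) hides a PAP password using only that shared secret, and how a CHAP response is built and checked. The secret, password, authenticator and challenge values are constructed for illustration.

```python
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password as the RADIUS client does (RFC 2865, section 5.2).

    The password is null-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret + previous ciphertext block); the first block uses
    the 16-byte Request Authenticator instead of a previous block.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the cleartext password, as the RADIUS server does."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: 1-byte identifier + MD5(id + password + challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_verify(stored_password: bytes, chap_password: bytes,
                challenge: bytes) -> bool:
    """Server-side check: recompute the response from the stored password."""
    expected = chap_response(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_password)


if __name__ == "__main__":
    # Constructed sample values; none of them come from the manual.
    secret = b"example-shared-secret"
    request_auth = bytes(range(16))
    password = b"carmel-user-passphrase"

    hidden = pap_hide(password, secret, request_auth)
    print("PAP attribute :", hidden.hex())
    # With the right shared secret the server sees the cleartext password.
    print("server reveals:", pap_reveal(hidden, secret, request_auth))
    # With a mismatched secret the server decodes a different byte string,
    # so the logon fails even though the user typed the right password.
    print("wrong secret  :", pap_reveal(hidden, b"typo-secret", request_auth))

    # CHAP: the password itself is never sent, only a hash over the challenge,
    # but the server must hold the cleartext password to recompute it.
    resp = chap_response(1, password, request_auth)
    print("CHAP verifies :", chap_verify(password, resp, request_auth))
```

With PAP, the only protection the password has on the wire between the two servers is the MD5 mask derived from the shared secret, which is why the same secret must be entered on both sides and why its length and randomness matter.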
Solution :
When you run the Windows 2000 Server Setup program, you must provide
information about how to install and configure the operating system. Thorough
planning can make your installation of W2K more efficient by helping you to avoid
potential problems during installation. An understanding of the configuration options
will also help to ensure that you have properly configured your system.
I won't go into that part right now but here are some of the most important things you
should take into consideration when planning for your Windows Server 2000
installation:
After you have made sure you can go on, start the installation process.
You can install Windows 2000 Server using several methods. All are valid; which
one you choose depends on your needs and your limitations.
There are other non-manual installation methods, such as using an unattended file
along with a uniqueness database file, using Sysprep, using RIS or even running
unattended installations from within the CD itself, but we won't go into that right now.
It doesn't matter how you run the setup process, but the moment it runs - all setup
methods look alike.
The setup process begins loading a blue-looking text screen (not GUI). In that
phase you will be asked to accept the EULA and choose a partition on which to
install W2K, and if that partition is new, you'll be asked to format it by using either
FAT, FAT32 or NTFS.
2. You can press F6 if you need to install additional SCSI adapters or other mass-
storage devices. If you do you will be asked to supply a floppy disk with the drivers
4. Select To Setup W2K Now. If you want, and if you have a previous installation of the
OS, you can try to fix it by pressing R. If not, just press ENTER.
5. In case your server is a new one, or it is using a new hard disk that hasn't been
partitioned yet, you'll get a warning message. Read it, and if you want to continue,
press C.
6. Read and accept the licensing agreement and press F8 if you accept it.
7. Select or create the partition on which you will install W2K. Depending upon your
existing disk configuration choose one of the following:
If the hard disk is not yet partitioned, you can create and size the partition on
which you will install Windows 2000. Press C.
If the hard disk is new and you want to create a partition that will span the entire
hard disk's size - press Enter.
Other options:
If the hard disk is already partitioned, but has enough unpartitioned disk space,
you can create an additional partition in the unpartitioned space.
If the hard disk already has a partition that is large enough, you can install
Windows 2000 on that partition. If the partition has an existing operating
system, you will overwrite that operating system if you accept the default
installation path. However, files other than the operating system files, such as
program files and data files, will not be overwritten.
If the hard disk has an existing partition, you can delete it to create more
unpartitioned space for the new partition. Deleting an existing partition erases
all data on that partition.
If you select a new partition during Setup, create and size only the partition on which
you will install Windows 2000. After installation, use Disk Management to partition
the remaining space on the hard disk.
8. Select a file system for the installation partition. After you create the partition on
which you will install W2K, you can use Setup to select the file system with which to
format the partition. W2K supports the NTFS file system in addition to the file
allocation table (FAT) and FAT32 file systems. Windows Server 2003, Windows XP
Professional, Windows 2000, and Windows NT are the only Microsoft operating
systems that you can use to gain access to data on a local hard disk that is
formatted with NTFS. If you plan to gain access to files that are on a local W2K
partition with the Microsoft Windows 95 or Windows 98 operating systems, you
should format the partition with a FAT or FAT32 file system. We will use NTFS.
9. Setup will then begin copying necessary files from the installation point (CD, local
I386 or network share).
10. Note: If you began the installation process from an MS-DOS floppy, make sure you
have and run SMARTDRV from the floppy, otherwise the copying process will
probably last more than an hour, perhaps even more. With SMARTDRV (or if setup
was run by booting from CD) the copying will probably last a few minutes, no more
than 5 max.
11. The computer will restart in graphical mode, and the installation will continue.
If your computer stops responding during this phase (the progress bar is stuck
almost half-way, and there is no disk activity) - shut down your computer and begin
removing hardware such as PCI and ISA cards. If it works for you then later try to
figure out how to make that specific piece of hardware work (it's probably not in the
HCL).
Current System Locale - Affects how programs display dates, times, currency,
and numbers. Choose the locale that matches your location, for example,
French (Canada).
Current Keyboard Layout - Accommodates the special characters and symbols
used in different languages. Your keyboard layout determines which characters
appear when you press keys on the keyboard.
If you do need to make changes press Customize and add your System Locale etc.
Note for Hebrew users: In W2K it is NOT SAFE to install Hebrew language support
at this phase!!! Trust me, do it later. If you don't listen to me, good chances are that
you'll get ???? fonts in some Office applications such as Outlook and others.
Read the Install Hebrew on Windows 2000 page for more info.
5. Type the computer name and a password for the local Administrator account. The
local Administrator account resides in the SAM of the computer, not in Active
Directory. If you will be installing in a domain, you need either a pre-assigned
computer name for which a domain account has been created, or the right to create
a computer account within the domain.
After a few seconds you will receive the Networking Settings window. BTW, if you
have a NIC that is not in the HCL (see the What's the HCL? page) and W2K cannot
detect it, or if you don't have a NIC at all, setup will skip this step and you will
immediately go to the final phase of the setup process.
Press Next to accept the Typical settings option if you have one of the following
situations:
Otherwise select Custom Settings and press Next to customize your network
settings.
In the General tab enter the required information. You must specify the IP address
of the computer, and if you don't know what the Subnet Mask entry should be - you
can simply place your mouse pointer over the empty area in the Subnet Mask box
and click it. The OS will automatically select the value it thinks is good for the IP
address you provided.
Lamer note: In the above screenshot I've configured the computer with a valid IP
address for MY network, along with the Default Gateway and the address of MY
DNS server. Your settings may differ.
If you don't know what these values mean, or if you don't know what to write in
them, press cancel and select the Typical Settings option. You can easily change
these values later.
8. In the Workgroup or Domain window enter the name of your workgroup or domain.
If you're a stand-alone computer, or if you don't know what to enter, or if you don't
have the sufficient rights to join a domain - leave the default entry selected and
press Next.
If you want to join a domain (NT 4.0 domain or W2K/2003 Active Directory domain)
enter the domain's name in the "Yes, make this computer a member of the following
domain" box.
The person performing the installation must have a user account in Active
Directory. This account does not need to be the domain Administrator account.
and
The computer must have an existing computer account in the Active Directory
database of the domain that the computer is joining, and the computer must be
named exactly as its domain account is named.
or
Also, you need to have connectivity to the domain's domain controllers (only to the
PDC if on an NT 4.0 domain) and a fully functional DNS server (only in AD
domains). Read the Joining a Domain in Windows XP Pro and Requirements when
Joining a Domain pages for more on this issue.
Note: If you provide a wrong domain name or do not have the correct connectivity to
the domain's DNS server you will get an error message.
A username/password window will appear. Enter the name and password of the
domain's administrator (or your own if you're the administrator on the target
domain).
Note: Providing a wrong username or password will cause this phase to fail.
9. Next the setup process will finish copying files and configuring the setup. You do not
need to do anything.
10. After the copying and configuring phase is finished, if Windows Server 2003 finds
that you have a badly configured screen resolution it will advise you to change it and
ask you if you see the new settings right.
11. Setup finishes and displays the finish window. Unfortunately, you must press Finish
in order to reboot.
12. Windows 2000 reboots and you should get the CTRL-ALT-DEL window.
Solution : The easiest way to connect and manage network printers is through
Active Directory. You can also use Group Policy to change the default behavior of
the printing environment and to provide computers and users a standard set of
preferences.
Some of the most common tasks are publishing a printer in Active Directory,
remotely managing printers, setting Group Policy for printers, and setting or
removing permissions for a printer. You can also manage network printers from the
command line; see Managing printing from the command line.
Important
• If you want to set policies that apply only to computers, expand the
Computer Configuration node, and then expand Administrative
5. In the Windows Components Wizard, click Next to start Setup. Insert the
Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM
drive if you are prompted to do so. Setup copies the DHCP server and tool
files to your computer.
2. In the console tree, right-click the DHCP server on which you want to create
the new DHCP scope, and then click New Scope.
3. In the New Scope Wizard, click Next, and then type a name and description
for the scope. This can be any name that you want, but it should be
descriptive enough so that you can identify the purpose of the scope on your
network (for example, you can use a name such as "Administration Building
Client Addresses"). Click Next.
4. Type the range of addresses that can be leased as part of this scope (for
example, use a range of IP addresses from a starting IP address of
192.168.100.1 to an ending address of 192.168.100.100). Because these
addresses are given to clients, they must all be valid addresses for your
network and not currently in use. If you want to use a different subnet mask,
type the new subnet mask. Click Next.
5. Type any IP addresses that you want to exclude from the range that you
entered. This includes any addresses in the range described in step 4 that
may have already been statically assigned to various computers in your
organization. Typically, domain controllers, Web servers, DHCP servers,
6. Type the number of days, hours, and minutes before an IP address lease
from this scope expires. This determines how long a client can hold a leased
address without renewing it. Click Next, and then click Yes, I want to
configure these options now to extend the wizard to include settings for
the most common DHCP options. Click Next.
7. Type the IP address for the default gateway that should be used by clients
that obtain an IP address from this scope. Click Add to add the default
gateway address in the list, and then click Next.
8. If you are using DNS servers on your network, type your organization's
domain name in the Parent domain box. Type the name of your DNS
server, and then click Resolve to make sure that your DHCP server can
contact the DNS server and determine its address. Click Add to include that
server in the list of DNS servers that are assigned to the DHCP clients. Click
Next, and then follow the same steps if you are using a Windows Internet
Naming Service (WINS) server, by adding its name and IP address. Click
Next.
9. Click Yes, I want to activate this scope now to activate the scope and
allow clients to obtain leases from it, and then click Next.
11. In the console tree, click the server name, and then click Authorize on the
Action menu.
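Steps 4, 5 and 7 of the scope wizard depend on each other: every statically assigned host inside the range, and the default gateway itself, must be excluded or the server may lease an address that is already in use. The following added example (not part of the original manual) checks a planned scope in Python before it is typed into the wizard. The range is the one from step 4; the host names, exclusions and gateway address are assumptions made up for the example.

```python
import ipaddress


def _leasable(ip, first, last, exclusions):
    """True if the DHCP server could hand this address to a client."""
    return first <= ip <= last and not any(lo <= ip <= hi for lo, hi in exclusions)


def _parse(pairs):
    return [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)) for lo, hi in pairs]


def check_scope(start, end, mask, exclusions, static_hosts, gateway):
    """Return a list of findings; an empty list means the plan is consistent."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        return ["start address is higher than end address"]
    net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    excl = _parse(exclusions)
    findings = []
    if last not in net:
        findings.append(f"end address {last} is not in {net}")
    for edge in (first, last):
        if edge in (net.network_address, net.broadcast_address):
            findings.append(f"{edge} is the network or broadcast address of {net}")
    for lo, hi in excl:
        if lo > hi or lo < first or hi > last:
            findings.append(f"exclusion {lo}-{hi} is not inside the scope range")
    for name, addr in sorted(static_hosts.items()):
        if _leasable(ipaddress.IPv4Address(addr), first, last, excl):
            findings.append(f"{name} ({addr}) is statically assigned but still leasable")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        findings.append(f"gateway {gw} is not on {net}")
    elif _leasable(gw, first, last, excl):
        findings.append(f"gateway {gw} is still leasable")
    return findings


def leasable_count(start, end, exclusions):
    """Number of addresses the scope can actually hand out."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    excl = _parse(exclusions)
    return sum(1 for n in range(int(first), int(last) + 1)
               if _leasable(ipaddress.IPv4Address(n), first, last, excl))


# Range from step 4 of the wizard; everything below it is constructed sample data.
SCOPE = ("192.168.100.1", "192.168.100.100", "255.255.255.0")
STATIC = {"dc01": "192.168.100.10", "web01": "192.168.100.20",
          "print01": "192.168.100.150"}
GATEWAY = "192.168.100.1"
EXCL_BEFORE = [("192.168.100.10", "192.168.100.15")]
EXCL_AFTER = EXCL_BEFORE + [("192.168.100.1", "192.168.100.1"),
                            ("192.168.100.20", "192.168.100.20")]

if __name__ == "__main__":
    for label, excl in (("before", EXCL_BEFORE), ("after", EXCL_AFTER)):
        print(label, "-", leasable_count(SCOPE[0], SCOPE[1], excl), "leasable addresses")
        for finding in check_scope(*SCOPE, excl, STATIC, GATEWAY) or ["no findings"]:
            print("   ", finding)
```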
Exercise 5: Configure Windows 2000 Client to use DHCP, DNS, and WINS.
Once the DHCP server is configured, each client must be configured to use DHCP.
The following information describes the steps to configure your Windows (R) and
OS/2(R) clients to request their configuration information from the DHCP server. In
addition, it describes how the clients can view their own DHCP lease information.
1. On the Start Menu, select Settings --> Network and Dial-up
Connections.
2. Right-click the appropriate connection name and select Properties.
3. Select TCP/IP Protocol and select Properties.
Windows NT and Windows 2000 clients also have a utility that displays the client's
MAC address and DHCP lease information. To check the DHCP lease for a
Windows NT and Windows 2000 client:
Note: This utility does not dynamically update the displayed information, so it will
be necessary to re-run the utility to view updated status. You can use the same
utility with different parameters to release and renew a lease (IPCONFIG
/RELEASE and IPCONFIG /RENEW). Run IPCONFIG /? from an MS-DOS
Command Prompt to see all of the possible parameters for the command.
Windows 2000 DHCP clients need to be configured if you want the DHCP server to
update DNS A records on behalf of the client. You may want to delegate updates
to the DHCP server if your network has standard legacy Microsoft (R) Windows
clients like Windows 95 and NT, since these clients currently do not update DNS A
records. This may simplify your DNS administration because DNS updates will
originate from the DHCP server for all clients, rather than having some clients
update their own records.
To disable DNS dynamic updates from the client perform the following steps:
1. On the Start Menu, select Settings --> Network and Dial-up Connections.
2. Right-click the appropriate connection name and select Properties.
3. Select TCP/IP Protocol and select Properties.
4. Select Advanced.
5. On the DNS tab, deselect the "Register this connection's addresses in DNS"
and "Use this connection's DNS suffix in DNS registration" options.
6. Select OK.
This should be done for all connections that you want to have the DNS
records update delegated to the DHCP server.
How to Configure DNS Dynamic Update on a Windows 2000 DNS Client
Computer
To configure DNS dynamic update on a Windows 2000 DNS client computer:
1. Click Start, point to Settings, and then click Network and Dial-up
Connections.
2. Right-click the network connection that you want to configure, and then click
Properties.
3. Click either the General tab (for the local area connection) or the Networking
tab (for all other connections), click Internet Protocol (TCP/IP), and then click
5. To use DNS dynamic update to register both the IP addresses for this
connection and the full computer name of the computer, click to select the
Register this connection's addresses in DNS check box. This check box is
selected by default.
6. To configure a connection-specific DNS suffix, type the DNS suffix in the DNS
suffix for this connection box.
7. To use DNS dynamic update to register the IP addresses and the connection-
specific domain name for this connection, click to select the Use this
connection's DNS suffix in DNS registration check box. This check box is
selected by default.
Installation
To disable WINS/NetBT name resolution:
1. Click Start, point to Settings, and then click Network and Dial-up
Connections.
2. Click the local area connection that you want to be statically configured, and
then click Properties on the File menu.
NOTE: Optionally, you can select the Use NetBIOS setting from the DHCP server if
you are using a DHCP server that can selectively enable and disable NetBIOS
configurations through DHCP option types. NetBIOS over TCP/IP can also be
disabled for computers that are running Windows 2000 by using DHCP option
types that are supported by the Windows 2000 DHCP Server service.
Solution :
The following page details the steps necessary to create a Windows XP VPN
connection to a server.
9. If prompted, select whether or not you need to dial to the Internet before
establishing a VPN connection.
2. To make browsing work a little easier, you might want to edit the HOSTS and
LMHOSTS files on the VPN Client.
These are in the C:\Windows\System32\drivers\etc directory for XP.
5. Also, make sure the workgroup name is the same on all computers.
The default Client TCP/IP setting might interfere with your ability to access the
Internet while having a VPN connection. To correct this:
1. Go to the properties for your VPN connection
It is important to understand the new concepts that are part of DFS. Below is a
definition of each of them.
Dfs link: A link is another share somewhere on the network that goes under the
root. When a user opens this link they will be redirected to a shared folder.
Dfs target (or replica): This can be referred to as either a root or a link. If you have
two identical shares, normally stored on different servers, you can group them
together as Dfs Targets under the same link.
The image below shows the actual folder structure of what the user sees when
using DFS and load balancing.
Windows 2003 offers a revamped version of the Distributed File System found in
Windows 2000, which has been improved to provide better performance, additional
fault tolerance, load balancing and reduced use of network bandwidth. It also comes
with a powerful set of command-line scripting tools which can be used to make
administrative backup and restoration tasks of the DFS namespaces easier. The
client Windows operating system includes a DFS client which provides additional
features as well as caching.
The Distributed File System console is installed by default with Windows 2003 and
can be found in the administrative tools folder. To open, press Start > Programs >
Administrative Tools > Distributed File System or in the Control Panel, open the
Administrative Tools folder and click on the Distributed File System icon. This will
open the management console where all the configuration takes place.
The first thing you need to do is create a root. To do this, right click the node and
select New Root.
Press next on the first window to be brought to the screen where you will have to
make the choice of creating either a stand alone or domain root. A domain root will
publish itself in Active Directory and supports replication, whereas a stand alone
root does not. If you have an AD Domain Controller set up on your machine, I
recommend choosing the domain root.
Note: The root would be the top level of the hierarchy. It is the main Active Directory
container that holds Dfs links to shared folders in a domain. Windows 2003 allows
your server to have more than one root - which wasn't the case in Windows 2000.
The next screen is the one where you have to select which trusted domains will be
hosted. Since I only have one domain in my network, only domain.com is visible.
Once this is done you have to select a server on that domain - in my example it is
netserv. The FQDN (Fully Qualified Domain Name) of this host server is
netserv.domain.com.
The following screen allows you to specify the root name of your primary DFS root.
You should give it something which will accurately define the contents of that share.
In my example I have called this root "Company" - which would be a real name of an
organization. You can change this to anything you want. You might wish to have a
root called "Documents" - which would clearly state that one can expect to find
anything related or specific to documents, and documentation in that root.
You will now have to select the location of a folder in which all the files will be
stored.
Tip: for added security, when selecting a folder, try to choose one that is located on
a partition other than that of the operating system.
Your DFS root is now configured and visible in the configuration console. Right click
the root target and press Status to check if it is online or not.
To add a new link, right click the root for which you want the link to be created, and
select New Link.
In the "New Link" screen, enter a name and path for the link and click OK. Repeat
this for as many links as you need to create.
Links are visible right under the node. Below is a screenshot displaying the three
links I have created for the COMPANY root.
To do this right click the desired dfs root, select Properties and go to the Publish tab.
Enter the appropriate details in each box and press OK.
In the keywords section you can specify certain words that will help locate the dfs
root when it is being searched for.
The first three refer to network topologies and the last allows you to specify an
advanced method of replication, which can be tuned to your needs.
Advantages - client caching, integration with IIS, easy to administer and setup.
The Microsoft Certificate Server (MCS) enables you to install the Certificate Server
service as either its own Root Certificate Authority (Root CA) or as a service that will
use an external (public) Certificate Authority (non-Root CA). These two
configurations require very different configuration processes, and are mutually
exclusive. Your Certificate Server can be either a Root CA or a non-Root CA, but
not both.
Before you install the MCS on your server, you need to evaluate how you are going
to use it. For example, if your use of the MCS is to provide your corporate intranet
users with secure communications, then you would want to install the MCS as a
Root CA, and issue your own self-signed certificates to your servers and users.
However, if you intend to use the MCS on your Internet server to provide your
Internet users with secure communications so they can safely provide confidential
purchasing information (such as credit card numbers), then you would want to install
the MCS as a non-Root CA and obtain a validating certificate from an external CA
such as VeriSign.
Because of the differences between installing the MCS for external (non-Root CA)
and internal (Root-CA) use, we have described each of these uses separately later
in this chapter, following the section on installation.
To install the Microsoft Certificate Server, you must install the Windows NT 4.0
Option Pack using the Custom option, and select the Certificate Server for
installation. You have two distinct options for installing Certificate Server:
During the installation of the Windows NT 4.0 Option Pack, you are prompted with
several dialog boxes to configure the Certificate Server settings.
The following list walks you through the dialog boxes used in installing Certificate
Server:
1. Following the installation dialog boxes for SMTP, NNTP, and MSMQ (if
selected), the Windows NT 4.0 Option Pack installation process switches to
installing the Certificate Server, and you are prompted with several dialog
boxes to configure Certificate Server settings. The first Certificate Server
installation dialog box is shown in Figure 17-1.
You must set the following options in the Microsoft Certificate Server Setup
dialog box:
The Configuration Data Storage Location must be set to a local
directory that is shared on the network, so users can access and install
certificates. The local pathname for this shared directory must be
specified in full, including the drive letter (for example, D:\CertFile).
The Database Location folder defaults to the
%systemroot%\system32\CertLog directory, but it can be modified by
clicking Browse and selecting a different directory.
The Log Location folder also defaults to the
%systemroot%\system32\CertLog directory, and may be changed by
clicking Browse and selecting a different directory.
The Show Advanced Configuration checkbox, by default, is not
selected, and the defaults for MCS specify that it will install as a Root
CA. This default is acceptable only if you are going to use the MCS as
a Root CA on your intranet. If you want to employ this installation of
MCS on an Internet server, you will likely want to set up MCS as a non-
Root CA and obtain a server certificate from a public CA source (such
as VeriSign).
Note: This option is very important in the installation of MCS, because you cannot
change from a Root CA to a non-Root CA without reinstalling.
The Show Advanced Configuration checkbox enables you to set up MCS as a non-
Root CA or to modify any other Advanced option. If you want to configure MCS as a
non-Root CA, in its subsequent dialog box select the Non-Root CA option.
Once you have selected the desired directories and enabled the Show Advanced
Configuration option (if needed), click Next to continue.
Note: As indicated by the README.TXT for Service Pack 4, do not use the HMAC
hashing algorithm, or the MCS installation will fail.
Once you have selected the desired options, click Next to continue.
After you install the Certificate Server configuration settings, the Windows NT 4.0
Option Pack installation will continue.
You must install Certificate Server and select the Root CA option which will
install the self-signed Root CA certificate on your server.
Once the prerequisites are met, you will be able to use your browser to connect to
the site. The site now requires an SSL connection (the URL must be prefaced with
HTTPS://). You may receive a message telling you that the certificate issuer is
unknown. If you click Yes when you receive this message, you will be connected to
the site anyway. To avoid the unknown issuer message, have users download the
CA certificate and add it to their browser.
In order to use certificates in support of SSL sessions, you must first create the
encryption key pair. A key pair consists of a public key and a private key, which are
used to negotiate a secured SSL connection between the Web server and client
browser. The Key Manager is used to create the pair of keys that are required to
create a server certificate.
Using the MCS as a Root CA, you can create the key pair and automatically submit
the certificate request to the MCS, which generates the server certificate containing
the server’s public key. You then bind the server certificate to the IP address and
SSL port of your Web site, which enables users to create SSL connections to the
site.
Exercise 9 : Install the Network Monitor Driver and show how to capture data with
network monitor.
Notes
• To save a range of frames, in the From box, type the beginning frame
number, and in the To box, type the ending frame number.
• To save only the frames that appear when the current display filter is in
use, select the Filtered check box.
11. Click Save.
Exercise 10: Implement different kind of servers like File Server, Print Server,
and Application Server. Learn different routine administration tasks for each
kind of server.
The File Server feature for Microsoft® Windows® CE .NET enables clients to
access files and other resources over the network. The File Server feature uses
the Common Internet File System (CIFS), which is an extension of the Server
Message Block (SMB) file sharing protocol. CIFS enables a network-enabled
application to access and manipulate files and directories on a remote server in
Exercise 2: Show how you can enhance the feature and strength of file and
print servers with Active Directory.
On a networked computer, file and printer sharing is a must. To enable
file and folder sharing in Windows XP Professional 2000 and Windows 2000, do the
following.
1) Right Click on the folder name you want to share.
2) Click on the properties.
3) Click Sharing.
4) Click on Share this computer on the network.
5) Assign a shared computer name.
Exercise 3: Install the routing and remote access services for IP Routing.
Installing Routing and Remote Access Service
During Routing and Remote Access Service Setup, you can install the Routing and
Remote Access Service files on the same computer on which you downloaded the
files, or you can download the files and then install Routing and Remote Access
Service on another computer.
To set up Routing and Remote Access Service by downloading from the Web, see
"Downloading and Installing Routing and Remote Access Service from the Web."
To set up Routing and Remote Access Service on another computer, see "Installing
Routing and Remote Access Service by Using a Network Connection to the Setup
Files."
Downloading and Installing Routing and Remote Access Service from the
Web
To download and install Routing and Remote Access Service from the Web, you
need to follow the steps outlined in the following sections:
Download the Routing and Remote Access Service files
Install Routing and Remote Access Service options
Finish installation if you install a RAS Server
Download the Routing and Remote Access Service Files
1) In your Web browser, go to Routing and Remote Access Service Update for
Windows NT Server 4.0.
2) Follow the instructions on the screen to download the Routing and Remote
Access Service installation files to your computer.
Specify the path and directory where you want to put the Routing and Remote
Access Service installation files. These files are kept on your computer for
future configuration or installations.
After copying the files to a directory on your computer, you can then continue Setup
and install Routing and Remote Access Service, or you can exit Setup to install
Routing and Remote Access Service at a later time or on another computer.
LAN routing: Installs support for LAN-to-LAN routing (including WAN cards
that support LAN emulation).
Demand-dial routing: Installs support for routing over WANs and dial-up media,
such as ISDN and PPTP.
The second option for operation mode is Periodic Update Mode. When you enable
this option, RIP automatically generates RIP announcements at a predefined
interval (configured through the Periodic Announcement Interval on the Advanced
property page). Any routes added using this mode are handled as RIP routes and
are flushed when the router is rebooted. They must be added again through RIP
advertisements. Periodic Update Mode is the default mode for LAN interfaces.
The Incoming Packet Protocol property specifies the protocol the router uses for
incoming packets. Select an option based on the capabilities of the adjacent routers.
Or select Ignore Incoming Packets if you want the router to ignore RIP
announcements from adjacent routers. This option places the router in Announce-
Only Mode.
Use the Added Cost For Routes property to modify the cost for the route. You would
increase this number to increase the cost of the route and direct traffic through
other, less costly routes when possible. Keep in mind that RIP is limited to a
maximum of 15 hops, and routes with an effective cost of more than 15 are
considered unreachable.
The Tag For Announced Routes property lets you assign a tag number to be
included with all RIP announcements. Inclusion of a tag number is applicable only to
RIP v2. The tag is used to mark specific routes for administrative purposes and is
generally not required.
Advanced options
The Advanced property page for a RIP interface, shown in Figure B, offers several
options. I’ll look at each of these options.
If you know the name of the printer to which you want to connect, type the
address of the printer using the following format, where print_server is the
name of the print server and printer is the name of the printer:
http://print_server/printer/
For example, if you want to go directly to the page of a printer that is
named "Laser" that is shared from a server that is named
"MyPrintServer," type the following address:
http://MyPrintServer/Laser/
3) To connect to the printer, click Connect under Printer Actions.
When you connect to the printer, the print server downloads the appropriate printer
driver to your computer. After the installation is complete, the printer's icon is added
Exercise 7: Create a Remote Access Policy. Show how you can change the
Remote Access Logging setting.
Exercise 8: Install the routing and remote access services as VPN server.
Create a VPN Remote Access policy also.
For Windows 2000-based VPN servers, the IP addresses assigned to VPN clients
are obtained through DHCP by default. You can also configure a static IP address
pool. The VPN server must also be configured with name resolution servers,
typically DNS and WINS server addresses, to assign to the VPN client during IPCP
negotiation.
How to Manage Access
Configure the dial-in properties on user accounts and remote access policies to
manage access for dial-up networking and VPN connections.
CAUTION: After you delete the default policy, a dial-up client that does not match at
least one of the policy configurations you create will be denied access.
If the VPN server also allows dial-up networking remote access services, do not
delete the default policy; instead move it so that it is the last policy to be evaluated.
How to Configure a VPN Connection from a Client Computer
To set up a connection to a VPN:
1) On the client computer, confirm that the connection to the Internet is correctly
configured.
2) Click Start, point to Settings, and then click Network And Dial-Up
Connections.
3) Double-click Make New Connection.
4) Click Next, and then click Connect To A Private Network Through The
Internet, and then click Next.
5) Do one of the following:
If you use a dial-up connection to connect to the Internet, click
Automatically Dial This Initial Connection and then select your dial-
up Internet connection from the list.
If you use a full-time connection (such as a cable modem), click Do
Not Dial The Initial Connection.
6) Click Next.
7) Type the host name (for example, Microsoft.com) or the IP address (for
example, 123.123.123.123) of the computer to which you want to connect,
and then click Next.
8) Click to select For All Users if you want the connection to be available to
anyone who logs on to the computer, or click to select Only For Myself to
make it available only when you log onto the computer, and then click Next.
9) Type a descriptive name for the connection, and then click Finish.
10) Click Start, point to Settings, and then click Network And Dial-Up
Connections.
11) Double-click the new connection.
12) Click Properties to further configure options for the connection:
If you are connecting to a domain, click the Options tab, and then click
to select the Include Windows logon domain check box to specify
whether to request Windows 2000 logon domain information before
attempting to connect.
If you want the connection to be redialed if the line is dropped, click the
Options tab, and then click to select the Redial if line is dropped
check box.
To use the connection:
1) Click Start, point to Settings, and then click Network And Dial-Up
Connections.
2) Double-click the new connection.
3) If you do not currently have a connection to the Internet, Windows offers to
connect to the Internet.
4) Once the connection to the Internet is made, the VPN server prompts you for
your user name and password. Enter your user name and password, click
Connect, and your network resources should be available to you in the same
way they are when you connect directly to the network.
NOTE: To disconnect from the VPN, right-click the connection's icon, and then
click Disconnect.
This prevents the Web site from consuming too much processor time to the
detriment of other computer processes.
Exercise 10: Create two global groups and configure so that users from both
groups should be able to access some command folders.
tab : Services
tab : ICMP
Advanced Setup:
In case you have the Internet Information Server (maybe including the FTP server)
installed and you would like to allow access from the Internet, then you need to
place the check marks (you are prompted to confirm the system allowed to be
accessed).
tab: ICMP
Note that you cannot block ICMP messages, even if you select Permit Only
in the IP Protocols column and you do not include IP protocol 1. TCP/IP
Filtering can filter only inbound traffic. This feature does not affect outbound
traffic or response ports that are created to accept responses from outbound
requests. Use IPSec Policies or packet filtering if you require more control
over outbound access.
Router# mstat source [destination] [group]    Display IP multicast packet rate and loss information.
Exercise 5: Customize and configure IPsec policy and rules for transport mode on
the local computer.
Exercise 6: Configure IPsec for tunnel mode. (Note: You need separate computers
to which you have administrative access)
How to configure a policy for IPSec tunnel mode
IPSec tunnel mode can be used to provide security for WAN and VPN connections
that use the Internet as the connection medium. With tunneling, the data contained
in a packet is encapsulated inside an additional packet. The new packet is then sent
over the network. In tunnel mode, IPSec encrypts the IP header and the IP payload.
Tunnel mode is typically used for server to server, server to gateway, and gateway
to gateway configurations.
To configure an IPSec policy for IPSec tunnel mode
1. Open the IP Security Policy Management console.
2. Right-click the IP Security Policies On Local Computer node and select
Create IP Security Policy from the shortcut menu.
3. When the IP Security Policy Wizard starts, click Next on the IP Security
Policy Wizard Welcome page.
4. Provide a name and a description for the new IPSec policy, and then click
Next.
5. On the Requests for Secure Communication page, disable the Activate the
default response rule option, and then click Next.
6. On the Completing the IP Security Policy Wizard page, select the Edit
properties option, and then click Finish.
7. The Tunnel To Properties dialog box opens.
8. Click Add on the Rules tab.
9. The Create IP Security Rule Wizard starts.
10. Click Next on the Create IP Security Rule Wizard Welcome page.
11. On the Tunnel Endpoint page, select The Tunnel Endpoint Is Specified By
The Following IP Address option, and then enter the IP address of the other
machine. Click Next.
12. On the Network Type page, select the Local Area Network (LAN) option and
then click Next.
13. Specify the All IP Traffic option and then click Next.
14. On the Filter Action page, specify the Request Security (Optional) option and
then click Next.
15. On the Authentication Method page, specify the Active Directory Default
(Kerberos V5 protocol) option and then click Next.
16. Click Finish and then click OK.
17. Repeat the process on the other machine.
Exercise 7: Audit the IPsec logon activities and events. (Note: you can use two
IP-capable computers that are able to communicate with each other and to which
you have administrative access)
1. Before you attempt to ping from a computer on one subnet to the other (NetA
or NetB), type ipconfig at a command prompt. The network interfaces that
are initialized in the TCP/IP stack are displayed.
2. Run the IP Security Monitor tool.
3. Load Network Monitor, click Capture/Network, and then click the W2KextIP
interface (you can start a capture by clicking Capture/Start).
4. Attempt to ping the computer. The first ICMP echo packets may time out while
the IPSec tunnel is being built. If the ping attempt is not successful, check the
security and system logs.
5. If the ping attempt is successful, stop the Network Monitor capture and see if
the ICMP traffic went in the clear or if you just see the ISAKMP and IPSec
protocol packets. Check IP Security Monitor to see if an SA was created
using the NetA to NetB filter you created. Also check the security log. You
should see Event ID 541 (IKE security association established).
6. Type ipconfig at a command prompt again so you see that there is no
additional TCP/IP interface while the tunnel is up. This is because IPSec is
actually protecting the traffic going through the physical interface (W2KextIP).
Exercise 8: Install the network monitor application. Show the use of capture filter
and display filter with the help of your own examples.
1. CAPTURE FILTERS
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.
Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation
("and") have equal precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port
23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp
port 23)".
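The precedence and default-keyword rules above can be checked with a small evaluator. This is an added example, not part of the original manual or of any capture tool: it parses only a subset of the syntax (ip/tcp/udp, src/dst, host/port), and the function names and sample packets are constructed for illustration.

```python
import re

PROTOS, DIRS, TYPES = {"ip", "tcp", "udp"}, {"src", "dst"}, {"host", "port"}
OPERATORS = {"and", "or", "not", "(", ")"}

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    {"name": "telnet", "proto": "tcp", "src": "10.1.1.1", "dst": "10.1.1.2", "sport": 40000, "dport": 23},
    {"name": "proxy", "proto": "tcp", "src": "10.1.1.1", "dst": "10.1.1.3", "sport": 40001, "dport": 3128},
    {"name": "dns", "proto": "udp", "src": "10.1.1.1", "dst": "10.1.1.4", "sport": 40002, "dport": 53},
]


def parse(text):
    """Parse a filter into a tree using the precedence rules described above."""
    tokens = re.findall(r"[()]|[^\s()]+", text) + [None]   # None marks the end
    pos = 0

    def take():
        nonlocal pos
        token = tokens[pos]
        if token is None:
            raise ValueError("filter ends unexpectedly")
        pos += 1
        return token

    def expression():
        # "and" and "or" share one precedence level and group left to right.
        left = term()
        while tokens[pos] in ("and", "or"):
            left = (take(), left, term())
        return left

    def term():
        # "not" binds tightest: it negates only the term that follows it.
        if tokens[pos] == "not":
            take()
            return ("not", term())
        if tokens[pos] == "(":
            take()
            inner = expression()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        proto = take() if tokens[pos] in PROTOS else None
        if proto and tokens[pos] in (None, "and", "or", ")"):
            return ("prim", proto, None, None, None)        # bare protocol
        direction = take() if tokens[pos] in DIRS else None
        kind = take() if tokens[pos] in TYPES else "host"   # default keyword
        value = take()
        if value in OPERATORS:
            raise ValueError(f"expected a value, got {value!r}")
        return ("prim", proto, direction, kind, value)

    tree = expression()
    if tokens[pos] is not None:
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree


def matches(tree, packet):
    if tree[0] == "not":
        return not matches(tree[1], packet)
    if tree[0] in ("and", "or"):
        left, right = matches(tree[1], packet), matches(tree[2], packet)
        return (left and right) if tree[0] == "and" else (left or right)
    _, proto, direction, kind, value = tree
    if proto not in (None, "ip") and packet["proto"] != proto:
        return False
    if kind is None:
        return True
    fields = {"host": ("src", "dst"), "port": ("sport", "dport")}[kind]
    if direction:          # no direction means "src or dst": check both sides
        fields = fields[:1] if direction == "src" else fields[1:]
    return any(str(packet[field]) == value for field in fields)


def render(tree):
    """Write the tree back out with every grouping made explicit."""
    if tree[0] == "not":
        return f"(not {render(tree[1])})"
    if tree[0] in ("and", "or"):
        return f"({render(tree[1])} {tree[0]} {render(tree[2])})"
    return " ".join(part for part in tree[1:] if part)


def grouping(filter_text):
    return render(parse(filter_text))


def select(filter_text, packets=SAMPLE_PACKETS):
    return [p["name"] for p in packets if matches(parse(filter_text), p)]


if __name__ == "__main__":
    for text in ("not tcp port 3128 and tcp port 23", "not (tcp port 3128 and tcp port 23)"):
        print(text, "=>", grouping(text), select(text))
```

The third case in the test, "tcp port 23 or udp port 53 and src 10.9.9.9", shows the left-to-right rule: it selects nothing here, whereas a reader who assumes "and" binds tighter than "or" would expect the telnet packet to pass.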
2. DISPLAY FILTERS:
The display filter is used to search inside captured data obtained with a capture
filter.
Its search capabilities are more extended than those of the capture filter and it is
not necessary to restart the capture when you need to change your filter.
Protocol:
A large number of protocols, located between layers two and seven of the OSI model, is
available. They can be seen when you click on the "Expression..." button in the
main screen.
Some examples are: IP, TCP, DNS, SSH
How to Configure PPTP Filters to Allow Traffic for PPTP VPN Clients
PPTP is a popular VPN protocol because it is very secure and easy to set up. You
can deploy PPTP easily in both Microsoft-only and mixed environments. You can
configure your Windows 2000-based Routing and Remote Access service VPN
server to drop non-PPTP packets by using packet filters.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2
2. Depending upon whether you want to create or delete, use one of the
following procedures:
o Create
Create
1. In the console tree, right-click Group Policy Objects in the forest and
domain in which you want to create a Group Policy object (GPO).
2. Click New.
3. In the New GPO dialog box, specify a name for the new GPO, and then click
OK.
1. In the console tree, right-click the domain name in the forest in which you
want to create and link a Group Policy object (GPO).
3. In the New GPO dialog box, specify a name for the new GPO, and then click
OK.
Notes
To delete a GPO, you must have Edit Settings, Delete, Modify Security
permissions for the GPO.
When you use this procedure to create a GPO, no links are created to the
GPO, but you can add links within the same forest by right-clicking any
domain, site, or organizational unit, and then clicking Link Existing GPO.
Alternatively, you can both create and link a GPO by right-clicking any
domain or organizational unit and then clicking Create and Link a GPO
Here.
When you delete a GPO, Group Policy Management attempts to delete all
links to that GPO in the domain of the GPO. However, to delete a link to a
GPO, you must have permission to link Group Policy objects for the
organizational unit or domain. If you do not have rights to delete a link, the
GPO will be deleted, but the link will remain. Links from other domains and
sites are not deleted. The link to a deleted GPO appears in Group Policy
Management as Not Found. To delete Not Found links, you must either
have permission on the site, domain or organizational unit containing the link,
or ask someone with sufficient rights to delete it.
Group Policy objects are distinguished in the Active Directory by GUID, and it
is theoretically possible for more than one GPO to have the same friendly
name. The Group Policy Management snap-in prevents the creation of Group
Policy objects with duplicate friendly names, but the Group Policy
infrastructure does not enforce uniqueness of friendly names. Therefore, it is
possible for duplication of friendly names to occur if you use legacy tools to
create Group Policy objects, if replication is slow, or if you use a script to
perform operations on Group Policy objects.
You cannot delete the Default Domain Controllers policy or the Default
Domain policy.
Before deleting a GPO, you can check for cross-domain links by navigating to
the Scope tab of the GPO you want to delete and, in the Display links in
this location box, selecting Entire Forest. You can then select all links, right
click the selection, and click Delete link. This procedure ensures that cross-
domain links are deleted before you delete the GPO.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2
2. In the console tree, double-click the forest containing the domain that you
want to search for a Group Policy object (GPO), double-click Domains, right-
click the domain, and then click Search.
3. In the Search for Group Policy Objects dialog box, in the Search for GPOs
in this domain box, select a domain or All domains shown in this forest.
4. In the Search item box, select the type of object on which you want to base
your search.
If you select Security Group, the Select User, Computer, or Group dialog
box appears. Specify the appropriate object type, location of the object, and
object name, and then click OK.
You can choose GPO-links on the Search item dropdown menu to find
unlinked GPOs and GPOs linked across domains.
5. In the Condition box, select the condition that you want to use in the search.
6. In the Value box, select or specify the value that you want to use to filter the
search, and then click Add.
7. Repeat steps 4 through 6 until you complete the definition of all search
criteria, and then click Search.
o To save the search results, click Save results and then, in the Save
GPO Search Results dialog box, specify the file name for the saved
results, and then click Save.
9. Repeat steps 3 through 8 until you have completed all required searches, and
then click Close.
Notes
You can also open the search dialog box by right-clicking a forest and then
clicking Search. In this case, the Search for GPOs in this domain box defaults
to All domains shown in this forest.
Understanding Libraries
Managing Media
Summary
Exercise 4: Setup the filter options for Advanced Users and Groups.
Introduction
Prerequisites
Before beginning this guide, please build the common infrastructure, which specifies
a particular hardware and software configuration. If you are not using the common
infrastructure, you need to make the appropriate changes to this instruction set.
You can run the Administrative Tools from the server, or you can run the tools from
a computer running Windows 2000 Professional. The Administrative Tools are
installed by default on all Windows 2000 domain controllers.
You must be logged on as a user with administrative privileges to run through the
procedures in this document.
If you are working on a domain controller, the Active Directory Schema snap-in
might not be installed. To install it:
1. Click Start, point to Settings, click Control Panel, and then click Change or
Remove Programs.
2. When prompted, reinstall all the Administrative Tools.
Creating a Group
1. Right-click the Engineering OU, click New, and then click Group.
2. In the Name of New Group text box, type: Tools
Select the appropriate Group type and Group scope and then click OK.
The Group type indicates whether the group can be used to assign
permissions to other network resources, such as files and printers. Both
security and distribution groups can be used for e-mail distribution lists.
The Group scope determines the visibility of the group and what type of
objects can be contained within the group.
Note: You can select multiple users or groups in this dialog by pressing
the CTRL key as you click them. You can also type the name directly. If the name is
ambiguous, a further list is displayed to confirm your selection.
Alternatively, you can select the users from the results pane, right click then
click Add members to a Group. Or you can click Add the selected objects to a
group you specify on the snap-in toolbar. This may be more efficient for adding
large numbers of members to a group.
Any shared network folder, including a Distributed File System (Dfs) folder, can be
published in Active Directory. Creating a Shared folder object in the directory does
not automatically share the folder. This is a two-step process: you must first share
the folder, and then publish it in Active Directory.
The Windows name and OS version of the restore target must match the
original system.
The OS on the restore target must be installed to the same path as the original
system. WINDOWS (XP, 2003) or WINNT (NT, 2000) are the default names
for the %SYSTEMROOT% path.
All of the latest OS service packs must be applied to the restore target.
4.
5.
6.
Fig. 1 - Loaded set in the File Viewer, OS partition, System State, and Active
Directory selected.
7.
11.
Fig. 2 - Restore Options
3. Type in the text "restore database" at the Authoritative Restore prompt and
press "Enter", to make the full Active Directory restore Authoritative. This
command will be used in most cases.
5.
6. NTDSUTIL will return the number of records that need updating, as well as
the number of records updated.
7.
Fig. 4 - NTDSUTIL from a DOS prompt.
10. Reboot.
Exercise 6: Protect Data By Using Encrypting File System (EFS) And Recover
Encrypted Data With a Data Recovery Agent.
Introduction
In many businesses, users share desktop computers. Some users travel with
portable computers that they use outside the physical protection of the business, in
customer facilities, airports, hotels, and at home. This means that valuable data is
often beyond the control of the business. An unauthorized user might try to read
data stored on a desktop computer. A portable computer can be stolen. In all of
these scenarios, malevolent parties can gain access to sensitive company data.
Encrypting File System certificates. This type of certificate allows the holder
to use EFS to encrypt and decrypt data, and is often called simply an EFS
certificate. Ordinary EFS users get this type of certificate. The Enhanced Key
Usage field for this type of certificate (visible in the Certificates Microsoft
Management Console snap-in) has the
value Encrypting File System (1.3.6.1.4.1.311.10.3.4).
File Recovery certificates. This type of certificate allows the holder to recover
encrypted files and folders throughout a domain or other scope, no matter who
encrypted them. Only domain admins or very trusted designated persons
called data recovery agents should get this. The Enhanced Key Usage field for
this type of certificate (visible in the Certificates Microsoft Management
Console snap-in) has the value File Recovery (1.3.6.1.4.1.311.10.3.4.1).
These are often called EFS DRA certificates.
Requirements
2. Right-click the domain whose recovery policy you want to change, and
then click Properties.
3. Click the Group Policy tab.
6. In the details pane (on the right), right-click, and then click Create Data
Recovery Agent.
Note: The Create Recovery Agent Wizard prompts you to add a user as
a recovery agent either from a file or from Active Directory. When you
add a recovery agent from a file, the user is identified as
USER_UNKNOWN. This is because the user name is not stored in the
file.
Add and Edit Access | Read Access | Result
No                  | No          | Administrators cannot view the users in the Editable groups.
Overview
The Registry is a database used to store settings and options for the 32 bit versions
of Microsoft Windows including Windows 95, 98, ME and NT/2000. It contains
information and settings for all the hardware, software, users, and preferences of
the PC. Whenever a user makes changes to Control Panel settings, File
Associations, System Policies, or installed software, the changes are reflected and
stored in the Registry.
The physical files that make up the registry are stored differently depending on your
version of Windows; under Windows 95 & 98 it is contained in two hidden files in
your Windows directory, called USER.DAT and SYSTEM.DAT, for Windows Me
there is an additional CLASSES.DAT file, while under Windows NT/2000 the files
are contained separately in the %SystemRoot%\System32\Config directory. You
cannot edit these files directly; you must use a tool commonly known as a "Registry
Editor" to make any changes (using registry editors will be discussed later in the
article).
The Registry has a hierarchical structure. Although it looks complicated, the structure
is similar to the directory structure on your hard disk, with Regedit being similar to
Windows Explorer.
There are six main branches, each containing a specific portion of the information
stored in the Registry. They are as follows:
o REG_BINARY - This type stores the value as raw binary data. Most
hardware component information is stored as binary data, and can
be displayed in an editor in hexadecimal format.
o REG_DWORD - This type represents the data by a four byte number
and is commonly used for boolean values, such as "0" is disabled
and "1" is enabled. Additionally many parameters for device driver
and services are this type, and can be displayed in REGEDT32 in
binary, hexadecimal and decimal format, or in REGEDIT in
hexadecimal and decimal format.
o REG_EXPAND_SZ - This type is an expandable data string, that is, a
string containing a variable to be replaced when called by an
application. For example, for the following value, the string
"%SystemRoot%" will be replaced by the actual location of the directory
containing the Windows NT system files. (This type is only available
using an advanced registry editor such as REGEDT32)
o REG_MULTI_SZ - This type is a multiple string used to represent
values that contain lists or multiple values, each entry is separated
by a NULL character. (This type is only available using an advanced
registry editor such as REGEDT32)
o REG_SZ - This type is a standard string, used to represent human
readable text values.
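The five data types above differ only in how the stored bytes are interpreted. The following added example (not from the original manual) decodes raw value data by type; it assumes the Windows NT/2000 storage conventions, which the page does not state: strings are UTF-16LE with a trailing NUL, and REG_DWORD is little-endian. The function names and the sample byte strings are constructed.

```python
import re
import struct


def expand_variables(text, environment):
    """Replace %NAME% with its value; unknown names are left as written."""
    lookup = {name.upper(): value for name, value in environment.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), text)


def decode_string(raw):
    # Assumption: NT/2000 stores registry strings as UTF-16LE.
    if len(raw) % 2:
        raise ValueError("UTF-16 string data must have an even length")
    return raw.decode("utf-16-le")


def decode_registry_value(value_type, raw, environment=None):
    """Turn the raw bytes of one registry value into a Python object."""
    if value_type == "REG_BINARY":
        # Shown the way an editor displays it: hexadecimal bytes.
        return " ".join(f"{byte:02x}" for byte in raw)
    if value_type == "REG_DWORD":
        if len(raw) != 4:
            raise ValueError("REG_DWORD data must be exactly four bytes")
        return struct.unpack("<I", raw)[0]
    if value_type == "REG_SZ":
        return decode_string(raw).rstrip("\x00")
    if value_type == "REG_EXPAND_SZ":
        text = decode_string(raw).rstrip("\x00")
        return expand_variables(text, environment or {})
    if value_type == "REG_MULTI_SZ":
        # Entries are separated by NUL; the list itself ends with an extra NUL.
        body = decode_string(raw).rstrip("\x00")
        return body.split("\x00") if body else []
    raise ValueError(f"unsupported registry type: {value_type}")


# Constructed sample data, laid out as (value name, type, raw bytes).
SAMPLES = [
    ("Start", "REG_DWORD", b"\x02\x00\x00\x00"),
    ("DisplayName", "REG_SZ", "Example Service\x00".encode("utf-16-le")),
    ("ImagePath", "REG_EXPAND_SZ",
     "%SystemRoot%\\System32\\drivers\\example.sys\x00".encode("utf-16-le")),
    ("DependOnService", "REG_MULTI_SZ", "Tcpip\x00Afd\x00\x00".encode("utf-16-le")),
    ("Blob", "REG_BINARY", b"\xde\xad\xbe\xef"),
]


def decode_samples(environment):
    return {name: decode_registry_value(kind, raw, environment)
            for name, kind, raw in SAMPLES}


if __name__ == "__main__":
    for name, value in decode_samples({"SystemRoot": r"C:\WINNT"}).items():
        print(f"{name:16} {value!r}")
```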
Other data types not available through the standard registry editors include:
1. Insert the Windows 2000 Server Setup Disk 1 floppy disk into your disk drive,
or, if you have a
bootable CD-ROM drive, you can instead insert the Windows 2000 Server CD-
ROM into your
CD-ROM drive.
2. Restart your computer.
3. Follow the directions that are displayed on the screen. If you are using the
Setup disks, you are
prompted to insert the other Setup disks into the disk drive. It may take several
minutes to load
files. Select the appropriate options to repair your Windows 2000 installation and
to start the
Recovery Console.
4. Once in the Recovery Console, type HELP, and then press ENTER to see a list
of commands.
Use a text editor (such as Notepad) to open the Boot.ini file, and then remove
the entry for the
Recovery Console. The entry should look similar to this entry:
C:\cmdcons\bootsect.dat="Microsoft Windows 2000 Recovery Console" /cmdcons
Save the file and close it.
1. While Windows is running, insert the Windows 2000 Professional CD-ROM into
your CD-ROM drive.
2. When you are prompted to upgrade to Windows 2000, click No.
3. At the command prompt, switch to your CD-ROM drive, type \i386\winnt32.exe
/cmdcons, and then press ENTER.
4. Follow the instructions on the screen. To use the Windows 2000 Recovery
Console, restart your computer, and then select Windows 2000 Recovery console
from the Startup menu.
Note that the repair process relies on information that is saved in the
SystemRoot\Repair folder. You must not change or delete this folder. If you also
back up the registry to the Repair folder, you can save your current registry files in a
folder within your SystemRoot\Repair folder. This is useful if you must recover your
system in the event that your hard disk fails.
1. Click Start, point to Programs, point to Accessories, point to System Tools, and
then click Backup.
2. On the Tools menu, click Create an Emergency Repair Disk.
3. Follow the instructions that appear on your screen.
For information about how to configure and how to verify the correct BIOS settings
for the computer, see the computer documentation or contact the manufacturer of
the computer. For information about how to contact your computer manufacturer,
click the appropriate article number in the following list to view the article in the
Microsoft Knowledge Base:
65416 Hardware and software vendor contact information, A-K
1. Create a Windows 2000 boot disk that contains the following files:
Ntldr
Ntdetect.com
Boot.ini
Ntbootdd.sys
For more information about how to create a boot disk, click the following article
numbers to
view the articles in the Microsoft Knowledge Base:
301680 How to create a boot disk for an NTFS or FAT partition in Windows
101668 How to use a Windows boot disk to prevent boot failure
2. Modify the Boot.ini file to point to the correct hard disk controller and to the
correct volume for
your Windows installation. For more information about how to create a boot disk,
click the
following article number to view the article in the Microsoft Knowledge Base:
311578 How to edit the Boot.ini file in Windows 2000
3. Insert the boot disk into the computer's floppy disk drive, and then restart the
computer.
4. Copy the Ntldr file, the Ntdetect.com file, and the Boot.ini file from the boot disk
to the system
partition of the local hard disk.
NOTE: In these commands, there is a space between the ntldr and c:\, and
between
ntdetect.com and c:\.
8. Type the following command, and then press ENTER:
type c:\Boot.ini
A list similar to the following list appears:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
If you receive the following message, the Boot.ini file may be missing or
damaged:
The system cannot find the file or directory specified.
9. If the Boot.ini file is missing or damaged, create a new one. To do so, follow
these steps:
1. Use a text editor, such as Notepad or Edit.com, to create a boot loader file
similar to the following boot loader file:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
For more information, click the following article number to view the article in
the
Microsoft Knowledge Base:
102873 Boot.ini and ARC path naming conventions and usage
301680 How to create a boot disk for an NTFS or FAT partition in Windows
2. Save the file to a floppy disk as Boot.ini.
NOTE: If you used Notepad to create the file, make sure that the .txt
extension is not
appended to the Boot.ini file name.
3. Type the following command at the Recovery Console command prompt to
copy the
Boot.ini file from the floppy disk to the computer:
copy a:\Boot.ini c:\
10. Type exit, and then press ENTER. The computer restarts.
1. Insert the Windows 2000 CD-ROM into the computer's CD-ROM drive or DVD-
ROM drive, and start Windows 2000 Setup.
2. On the Welcome to Setup page, press R.
3. On the Windows 2000 Repair Options page, press R.
4. When you are prompted to select one of the repair options, press M.
5. Press the UP ARROW, press the UP ARROW again, to select Verify Windows
2000 system files, and
then press ENTER to clear the selection.
6. Press the DOWN ARROW to select Continue (perform selected tasks), and
then press ENTER. The
following message appears:
You need an Emergency Repair disk for the Windows 2000
installation you want to repair.
7. Do one of the following, as appropriate to your situation:
* If you have an Emergency Repair Disk, follow these steps:
1. Press ENTER.
2. Insert the Emergency Repair Disk into the computer's floppy disk drive,
and then
press ENTER.
3. Follow the instructions to repair the installation, and then restart the
computer.
-or-
* If you do not have an Emergency Repair Disk, follow these steps:
1. Press L. You receive a message similar to the following:
Setup has found Windows 2000 in the following folder:
drive:\WINNT "Microsoft Windows 2000"
2. Press ENTER.
Setup examines the disks, and then completes the repair process.
For more information about the emergency repair feature, click the following
article number to
view the article in the Microsoft Knowledge Base:
231777 How to create an Emergency Repair Disk in Windows 2000
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN="Microsoft Windows 2000 Professional" /fastdetect
11. Replace all instances of TEMPWIN with WINNT. The Boot.ini file that appears
is similar to the
following file:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
For more information about how to perform a parallel installation of Windows 2000,
click the following article number to view the article in the Microsoft Knowledge
Base:
266465 How to perform a parallel installation of Windows 2000 or Windows Server
2003
Exercise 3 : What should you do when you find that the drive letter
(e.g. c:/drive, A:/drive) changes after you restart your computer?
If your computer has one hard disk and a CD-ROM:
1. Install one of the versions of Windows that is listed earlier in this article. For
information about
how to install an operating system, view the documentation that is included
with your
operating System.
2. Start your computer normally, and then change the CD-ROM drive letter to T:
1. Click Start, point to Settings, click Control Panel, and then double-click
System.
2. Click the Device Manager tab, and then double-click the CD-ROM branch to
expand it.
3. Click your CD-ROM, click Properties, and then click the Settings tab.
4. Click T in the Start drive letter box, and then click T in the End drive letter
box.
5. Click OK, click Close, and then click Yes when you are prompted to restart
your computer.
255867 How to Use Fdisk and Format to Partition/Repartition a Hard Disk
If you want to add a removable media drive such as a CD-ROM, DVD, or CD-RW
drive and prevent drive letters from changing, read the "Notes" section of this article
before you install any programs.
Computer Has Two or More Hard Disks and a CD-ROM
If your computer has two or more hard disks and a CD-ROM:
1. Before you install an operating system or any programs, set your first hard disk
to use a primary
position, and all other hard disks should be set to use an extended partition. After
you create
partitions on your hard disks, format them. For additional information about how
to partition and
format a hard disk, click the article number below to view the article in the
Microsoft Knowledge
Base:
255867 How to Use Fdisk and Format to Partition/Repartition a Hard Disk
2. Install one of the versions of Windows that is listed earlier in this article. For
information about
how to install an operating system, view the documentation that is included with
your operating
system.
IMPORTANT: After you install your operating system, do not install any other
programs. Instead,
continue to the next step.
3. Start your computer normally, and then change the CD-ROM drive letter to T:
1. Click Start, point to Settings, click Control Panel, and then double-click
System.
2. Click the Device Manager tab, and then double-click the CD-ROM branch to
expand it.
3. Click your CD-ROM, click Properties, and then click the Settings tab.
4. Click T in the Start drive letter box, and then click T in the End drive letter
box.
5. Click OK, click Close, and then click Yes when you are prompted to restart
your computer.
Exercise 4 : Backup the recovery agent Encrypting File System (EFS) private
key.
To export the recovery agent’s private key from a computer that is a member of a
workgroup, follow these steps:
1. Log on to the computer by using the recovery agent’s local user account.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add.
4. Under Available Standalone Snap-ins, click Certificates, and then click Add.
5. Click My user account, and then click Finish.
6. Click Close, and then click OK.
7. Double-click Certificates - Current User, double-click Personal, and then
double-click Certificates.
8. Locate the certificate that displays the words "File Recovery" (without the
quotation marks) in the
Intended Purposes column.
9. Right-click the certificate that you located in step 8, point to All Tasks, and then
click Export. The
Certificate Export Wizard starts.
10. Click Next.
11. Click Yes, export the private key, and then click Next.
12. Click Personal Information Exchange – PKCS #12 (.PFX).
Note We strongly recommend that you also click to select the Enable strong
protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your
private key from unauthorized access.
If you click to select the Delete the private key if the export is successful check
box, the private
key is removed from the computer and you will not be able to decrypt any
encrypted files.
13. Click Next.
14. Specify a password, and then click Next.
15. Specify a file name and location where you want to export the certificate and
the private key, and
then click Next.
Note We recommend that you back up the file to a disk or to a removable media
device, and
then store the backup in a location where you can confirm the physical security
of the backup.
16. Verify the settings that are displayed on the Completing the Certificate Export
Wizard page, and
then click Finish.
To locate the Encrypted Data Recovery policy, open the Default Domain Policy in
the Group Policy Object Editor snap-in, expand Computer Configuration, expand
Windows Settings, expand Security Settings, and then expand Public Key Policies.
To export the domain recovery agent's private key, follow these steps:
1. Locate the first domain controller that was promoted in the domain.
2. Log on to the domain controller by using the built-in Administrator account.
3. Click Start, click Run, type mmc, and then click OK.
4. On the File menu, click Add/Remove Snap-in, and then click Add.
5. Under Available Standalone Snap-ins, click Certificates, and then click Add.
6. Click My user account, and then click Finish.
7. Click Close, and then click OK.
8. Double-click Certificates - Current User, double-click Personal, and then
double-click Certificates.
9. Locate the certificate that displays the words "File Recovery" (without the
quotation marks) in the
Intended Purposes column.
10. Right-click the certificate that you located in step 9, point to All Tasks, and then
click Export. The
Certificate Export Wizard starts.
11. Click Next.
12. Click Yes, export the private key, and then click Next.
13. Click Personal Information Exchange – PKCS #12 (.PFX).
Note We strongly recommend that you click to select the Enable strong
protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your
private key from unauthorized access.
If you click to select the Delete the private key if the export is successful check
box, the private
key is removed from the domain controller. As a best practice, we recommend
that you use this
option. Install the recovery agent's private key only in situations when you need
it to recover
files. At all other times, export, and then store the recovery agent's private key
offline to help
maintain its security.
14. Click Next.
15. Specify a password, and then click Next.
16. Specify a file name and location where you want to export the certificate and
the private key, and
then click Next.
Note We recommend that you back up the file to a disk or to a removable media
device, and
then store the backup in a location where you can confirm the physical security
of the backup.
17. Verify the settings that are displayed on the Completing the Certificate Export
Wizard page, and
then click Finish.
1. Connect to the server that contains the files or folders that you want to encrypt.
2. Right-click the file or folder that you want to encrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Click to select the Encrypt contents to secure data check box, click OK, and
then click OK.
Note that if you encrypt a folder, you are prompted to confirm how you want to
apply the
attributes. Click either of the following options, and then click OK:
* Apply to this folder only
* Apply changes to this folder, subfolders and files
5. Repeat steps 2 through 4 for each file or folder that you want to encrypt.
Note that if you decrypt a folder, you are prompted to confirm how you want to
apply the
attributes. Click either of the following options, and then click OK:
* Apply to this folder only
* Apply changes to this folder, subfolders and files
5. Repeat steps 2 through 4 for each file or folder that you want to decrypt.
Exercise 6 : If you cannot print to a network printer after adding Internet
Connection Sharing, how will you resolve it?
You will need to designate a Windows XP computer as the host. This computer
must have two network adapters, one for your internal network and one for the
Internet connection. Before attempting to enable ICS, verify that the host computer
has a working connection to the Internet through the network card connected to the
cable modem or DSL line, or on the network connection associated with the modem.
The easiest way to enable ICS is to use the Network Setup Wizard, by following
these steps:
Turning on ICS manually is almost as easy as using the wizard except that you
need to create the bridge for multiple network cards before enabling ICS. (See an
earlier column, Building Network Bridges for more information on how to use the
bridging capability in Windows XP.) Then take these steps:
1. In Control Panel, click Network and Internet Connections and then click Network
Connections.
2. Click the local area network (LAN) connection or the dial-up networking connection
that you want to share (that is, the one that connects to the Internet), and then,
under Network Tasks, click Change settings of this connection.
3. Disable Client for Microsoft Networks and File and Print Sharing for Microsoft
Networks by clearing the check boxes shown in Figure 1. This step is extremely
important. Never leave these items enabled for any network card that is directly
connected to the Internet (see sitting duck, above).
Figure 1
4. Click the Advanced tab, and select the Allow other network users to connect through
Figure 2
5. You can enable or disable the allowing of other users to control the connection—
users don't need to be able to control the connection to use it.
6. Under Internet Connection Firewall, select the Protect my computer and network by
limiting or preventing access to this computer from the Internet check box for this
network card, unless you have another firewall between the computer and the
Internet. This is very important.
7. Click OK, and Internet Connection Sharing will be enabled.
Troubleshooting ICS
If you have a problem with ICS, the best place to start is the Internet Connection
Sharing Troubleshooter. You start the Troubleshooter with the following steps:
1. Click Start, and then click Help and Support.
2. Under Pick a Help Topic, click Fixing a problem.
3. In the left pane, click Networking problems.
4. In the right pane, click Internet Connection Sharing Troubleshooter and follow the
instructions.
Internet Connection Sharing (ICS) automates the IP numbering task for the ICS
clients on your network with the Dynamic Host Configuration Protocol (DHCP)
service. The DHCP service enables the ICS host computer to assign IP addresses
to its clients automatically. By default, when ICS is installed, the DHCP service
begins supplying addresses to computers on the network.
Cannot Print to a Network Printer after Adding ICS
After you add Internet Connection Sharing (ICS), you discover that you can't print.
This can happen because ICS uses a Class C subnet with an address range of
198.168.0.x. To solve the problem, give the printer an IP address to match the
subnet of the client computers.
Computers on the Network Can't Connect to the Host
As part of the process of enabling ICS, the network adapter for the internal network
on the host computer is set to a fixed IP address of 192.168.0.1 and a special
DHCP server is enabled on that connection.
If computers on your network can't see the ICS host, it may be because they are not
enabled to use DHCP. Check to see if DHCP is enabled on the client computer:
1. In Control Panel, click Network and Internet Connections, and then click Network
Connections.
2. Right-click the connection icon, and then click Properties.
3. Highlight Internet Protocol (TCP/IP), and then click Properties.
4. On the General tab, if an IP address is specified, select the option Obtain an IP
address automatically.
If a client computer has DHCP enabled and still can't see the host computer, try
rebooting the client. Make sure that there are no other DHCP providers on the
network, such as an Internet gateway device. Any such device should be on the
outside segment of the network—between the host computer and the Internet, not
between the host computer and the internal network.
If you use Windows XP at home or in a small business, and you have a topic you'd
like to see covered in a future column, feel free to write me at:
sharoncrawford@mvps.org. I'd be glad to receive ideas and suggestions.
Sharon Crawford is a former editor now engaged in writing books and magazine
articles. Since 1993, she has written or co-written two dozen books on computer
topics. Her books include Windows 2000 Pro: The Missing Manual, Windows 98: No
Experience Required, and Windows 2000 Professional for Dummies (with Andy
Rathbone).
Exercise 8 : If you are having trouble getting a dial-up connection and you
want to change the modem speed or you want to check the modem's
response, how will you do it? If you are having a noisy channel and you
are not able to connect, write down the series of steps you will follow to
detect and correct it.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2
To change the maximum modem port speed
1. Open Phone and Modem Options in Control Panel.
2. On the Modems tab, click the modem that you want to configure, then click
Properties.
3. On the Modem tab, in the Maximum Port Speed list, click the speed for the
modem.
Exercise 9 : When you use a dial-up remote access service (RAS) connection
to browse the Internet or to a private network, your computer may hang and
return a stop error: ''Stop 0x0000000A''. Resolve this problem.
Use the Windows Error Reporting tool
You can use the Windows Error Reporting tool to send information about the error to
us and to obtain information about any available fix or workaround. Follow these
steps to use the Windows Error Reporting Tool:
1. When the Windows Error Reporting window pops up on your computer, click
Send Error Report to
send the error report to us.
2. In the confirmation window that appears after you send the error report to us,
click More
Information. This helps you find any available fixes for the problem or information
about how to
work around the issue.
3. If a fix or a workaround is not available, you can use the "Advanced
Troubleshooting" section to
try to resolve this issue. If you are not comfortable with advanced
troubleshooting, you might
want to contact Support. For information about how to contact Support, visit the
following
Microsoft Web site:
Advanced troubleshooting
Use the following methods in the order in which they are presented.
Method 1: Make sure that you have sufficient hard disk space
First, make sure that you have sufficient hard disk space. The Stop error can be
caused by insufficient hard disk space.
If you can use safe mode or the Recovery Console to start the computer, delete any
unnecessary temporary files, Internet cache files, program backup files, and files
that contain saved file fragments from disk scans (.chk files). You can also install
Windows XP on another hard disk that has more free space.
If you cannot start the computer, go to the next method to update the computer
BIOS.
For more information about safe mode or the Recovery Console, click the following
article numbers to view the articles in the Microsoft Knowledge Base:
315222 A description of the Safe Boot Mode options in Windows XP
314058 Description of the Windows XP Recovery Console
Method 2: Update the computer BIOS
If freeing space on your hard disk did not resolve the problem, the BIOS might have
to be updated. Use the hardware and software vendor contact information articles
that are listed in the "References" section to contact the computer manufacturer to
obtain the most recent BIOS update.
1. If a driver is listed by name in the Stop error message, disable or remove that
driver.
* If the error occurs during the startup sequence and the system partition uses
the NTFS file
system, you might be able to use safe mode to rename or to delete the faulty
driver.
* If the driver is used as part of the system startup process in safe mode, you
must use the
Recovery Console to start the computer.
2. If the Stop error message does not indicate a specific driver, update the video
adapter drivers to
the latest versions.
3. Disable or remove any drivers or services that you recently added.
4. Check the Microsoft Hardware Compatibility List (HCL) to determine whether
the PCI devices in
the computer are compatible with Windows XP. For information about the HCL,
visit the following
Microsoft Web site:
1. Use the Recovery Console to start the computer, or start the computer from a
different
installation of Windows if you have performed a parallel Windows installation.
2. Create a temporary folder to hold the driver files. For example, you could create
c:\DriverTemp.
3. Move all files that do not have a creation date for Windows XP of 8/13/2001
from the
%Windir%\System32\Drivers folder into the temporary folder that you created in
step 2. Caution If the computer relies on third-party IDE or SCSI controller drivers
for correct operation,
you must identify those driver files and then leave them in the
%Windir%\System32\Drivers
folder.
4. Restart the computer.
5. Continue the Windows Setup program. You can add the driver files back to the
computer one at a
time to identify the faulty driver.
Exercise 10 : When you attempt to view a web page and receive the error
message ''Not accepting cookies'', how will you resolve it?
Method 1
Enable the option to accept cookies in Internet Explorer. To do so, follow
these steps:
1. In Internet Explorer, click Internet Options on the Tools menu (or View menu in
Internet Explorer
version 4.x).
2. In Internet Explorer 5, click the Security tab, and then click Custom Level. Click
Enable or Prompt
under Allow cookies that are stored on your computer.
In Internet Explorer 4.x, click the Advanced tab, and then click Prompt Before
Accepting Cookies
or Always Accept Cookies.
3. Click OK until you return to Internet Explorer.
4. Connect to the Web address from which you received the "Not accepting
cookies" error message
to verify that you are able to gain access to the Web page.
If you select the Prompt Before Accepting Cookies option and you still cannot
access the Web page, follow the steps in method 1 again and select the Always
Accept Cookies option (the Enable option in Internet Explorer 5).
Method 2
Rename the cookie file in the Windows\Cookies folder for the Web page from which
you received the "Not accepting cookies" error message. To rename the cookie file,
follow these steps:
Method 3
Change the cookies option to try to update the registry correctly. To do so, use the
appropriate steps.
Internet Explorer 5
In Internet Explorer, click Internet Options on the Tools menu, click the Security tab,
choose a lower security level for the Internet zone, and then click OK.
Internet Explorer 4.x
Method 4
Important This section, method, or task contains steps that tell you how to modify
the registry. However, serious problems might occur if you modify the registry
incorrectly. Therefore, make sure that you follow these steps carefully. For added
protection, back up the registry before you modify it. Then, you can restore the
registry if a problem occurs. For more information about how to back up and restore
the registry, click the following article number to view the article in the Microsoft
Knowledge Base:
322756 How to back up and restore the registry in Windows
Internet Explorer 5
1. Use Registry Editor to change the "1A02" value under the appropriate key in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Values:
1 = Local intranet
2 = Trusted sites
3 = Internet
4 = Restricted sites
2. Connect to the Web page from which you received the "Not accepting cookies"
error message to
verify that you are able to access the Web address.
1. Use Registry Editor to change the "AllowCookies" value in the following registry
key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Use one of the following values for the "AllowCookies" value:
Meaning                            Value
---------------------------------------
Prompt before accepting cookies    0
Always accept cookies              1
Disable all cookie use             2
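To confirm what the registry edits in Method 4 actually left behind, the following added example (not part of the original manual) reads a .reg export of the two keys named above and reports the cookie setting for each zone. The AllowCookies meanings are the ones in the table above; the "1A02" meanings (0 enable, 1 prompt, 3 disable) are the standard URL-action policy values and are an assumption not stated on this page; the sample export and function names are constructed.

```python
import re

ZONES_KEY = (r'HKEY_CURRENT_USER\Software\Microsoft\Windows'
             r'\CurrentVersion\Internet Settings\Zones')
SETTINGS_KEY = ZONES_KEY.rsplit('\\', 1)[0]
# Zone numbers as listed on the page.
ZONE_NAMES = {1: 'Local intranet', 2: 'Trusted sites', 3: 'Internet', 4: 'Restricted sites'}
# "1A02" policy values (assumption: standard URL-action values, not from the page).
ACTION_1A02 = {0: 'enable', 1: 'prompt', 3: 'disable'}
# "AllowCookies" values as given in the page's table.
ALLOW_COOKIES = {0: 'prompt', 1: 'enable', 2: 'disable'}

# Constructed sample export, not taken from a real computer.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AllowCookies"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1A02"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A02"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1A02"=dword:00000000
'''


def parse_reg(text):
    """Return {key_path_lowercase: {value_name_lowercase: int}} for DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if match and current is not None:
            current[match.group(1).lower()] = int(match.group(2), 16)
    return keys


def describe(value, table):
    if value is None:
        return 'not set'
    return table.get(value, 'unknown (%d)' % value)


def cookie_settings(text):
    """Map each zone name (and the legacy AllowCookies value) to its setting."""
    keys = parse_reg(text)
    report = {}
    for zone, name in ZONE_NAMES.items():
        zone_key = ('%s\\%d' % (ZONES_KEY, zone)).lower()
        report[name] = describe(keys.get(zone_key, {}).get('1a02'), ACTION_1A02)
    legacy = keys.get(SETTINGS_KEY.lower(), {}).get('allowcookies')
    report['AllowCookies'] = describe(legacy, ALLOW_COOKIES)
    return report


def review(report):
    """List the settings worth a second look after the change."""
    findings = []
    if report['Internet'] == 'disable' or report['AllowCookies'] == 'disable':
        findings.append('cookies are blocked: sites will report "Not accepting cookies"')
    if report['Restricted sites'] == 'enable':
        findings.append('Restricted sites zone accepts cookies without prompting')
    return findings


if __name__ == '__main__':
    for name, setting in cookie_settings(SAMPLE_REG).items():
        print('%-18s %s' % (name, setting))
    print(review(cookie_settings(SAMPLE_REG)))
```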