
Bow Valley College CTC Program

T. McLaughlin, MCSE, MCT, A+, B-Admin
tom@mclaughlin.net
http://tom.mclaughlin.net

Table of Contents:
Bow Valley College .......... 1
CTC Program .......... 1
Table of Contents: .......... 2
Introduction to Windows 2000 .......... 3
Windows 2000 Directory Services .......... 3
Workgroups and Domains .......... 5
Trees and Trusts .......... 5
Installing Windows 2000 Server .......... 7
    Setting Up The Computer .......... 9
    Partitions in Windows 2000 .......... 11
    Features provided only by the NTFS file system: .......... 13
    Unattended Windows 2000 Server Installations .......... 14
    Disk Duplication .......... 16
    Upgrading a server from Microsoft Windows NT 4.0 .......... 17
    Deploy service packs .......... 18
    Network Services .......... 18
    Switches for Windows 2000 Server Installations .......... 18
    Domain Upgrades .......... 20
    Filing System Upgrades .......... 21
    Planning and Implementing Your Domain Upgrade .......... 22
    Troubleshooting Windows 2000 Server Installations .......... 24
Windows 2000 Professional .......... 31
    Internet Explorer .......... 34
    ACPI Power Management .......... 34
    Hot Docking and Undocking Services .......... 34
    Group Policy .......... 34
Microsoft Installer .......... 34
    Intellimirror .......... 34
Windows 2000 group types .......... 36
Introduction to Windows 2000 IntelliMirror .......... 36
    Group Policy Overview .......... 37
Configuring Your Server as a Domain Controller .......... 39
    Active Directory Sample Infrastructure .......... 41
    Populating Active Directory .......... 41
    To create User Accounts .......... 42
    To add Users to Security Groups .......... 43
How to Upgrade from Windows 95 or Windows 98 .......... 44

Introduction to Windows 2000


Windows 2000 is the latest update in the Microsoft Windows family of products. It combines features designed in Windows 98 and NT 4.0. Like previous versions of Windows, it uses a Graphical User Interface (GUI), Plug-and-Play compatibility, and USB support. What makes Windows 2000 significantly different is the formats it is available in. There are four products that compose the Windows 2000 family.

Windows 2000 Professional

This version of Windows 2000 is equivalent to the Windows 98/NT 4.0 workstation clients. It is designed to offer basic peer-to-peer networking services and client services in a client-server network. It is designed to integrate the ease of use of Windows 98 with the reliability and security of Windows NT 4.0. Basic improvements include a more reliable user interface, enhanced Plug-and-Play compatibility, increased power management options, and extended hardware compatibility, including direct USB and FireWire support. It also uses a new file encryption system that increases security on the network when integrated with Active Directory Services. Finally, it has a host of new application management tools that simplify and extend administrative and user control over the network.

Windows 2000 Server

Windows 2000 Server is a network-enhanced version of Windows 2000 Professional. It contains all the same aspects as Windows 2000 Pro, but adds network serving ability, enhanced file and print sharing services, application server technology, and Web-Server utilities. It is designed to allow small-to-medium-sized businesses to network their systems efficiently at a lower cost than traditional NT 4.0 methods by stripping out unused tools. Windows 2000 integrates Active Directory Services into several existing services such as Domain Name System (DNS), Dynamic Host Control Service (DHCP), and WINS (Windows Internet Name Service), allowing central control over management of users, groups, security, and network resources. It supports single-processor systems as well as four-way symmetric multiprocessing (SMP) systems. It supports up to 4 GB of physical memory.

Windows 2000 Advanced Server

Advanced Server is essentially the same as Windows 2000 Server with the enhanced scalability and advanced high availability required for larger enterprise servers and departmental solutions. It focuses more on application and departmental networking, with support for eight-way symmetric multiprocessing and two-way clustering. It also integrates Intel's Physical Address Extensions (PAE) technology to allow support for larger physical memory quantities. It is meant for larger businesses with database-intensive requirements.

Windows 2000 Datacenter Server

Datacenter is a highly specialized version of Windows 2000 designed for large-scale enterprise solutions. It integrates technologies optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing (OLTP), and server consolidation projects. It adds elements to enhance Internet Service Provider (ISP) support and Web Hosting services. It supports 4-way clustering and sixteen-way symmetric multiprocessing (upgradeable to 32-way SMP).

Windows 2000 Directory Services


Directory services are used by an operating system to identify users and resources on a network. The directory service is what allows single log-on operation on a network, separating it from the Workgroup networking model. Windows 2000 uses Active Directory as its directory service, which provides additional features to help ease administration of a Windows 2000 domain.

Directories and Directory Services

A directory is a collection of information about objects that have a relationship to each other in one form or another. A catalog from a store is a directory of merchandise sold by that store. A newspaper is a directory of current events information. A phone book is a directory of phone numbers and addresses. In all these cases, you use the directory to find out information about a particular object.

A directory service is the utility that manages the resources and users on a network. This is known as centralized resource management, and is at the core of client-server networking. Directory services give administrators control over resources and users, allow users to find resources on the network, and allow security measures to be enforced on a network. Directories and directory services differ in that a directory service is a special form of directory. A normal directory in computer terms is a storage space for information. The directory service holds the information necessary to locate and manage the users and resources on a network. Because of this, a directory service is a directory, but a directory is not necessarily a directory service. Essentially, the directory service is the center point for communications on the network. It is the central authority for managing both the identities of users on the network and the resources they are allowed to use. Because the directory service is the main service for sharing resources, it also must work integrally with the security and management tools of the operating system. By definition it is what gives the network its ability to share resources, so it is logical that most security systems are built out of the directory service.

Windows 2000 Directory Services

Active Directory, the directory service for Windows 2000, is both the directory that stores the user and resource information and the service provider for administering the network. The users and resources on a network are called objects, and Active Directory provides several advancements in Windows 2000 to make it more functional. These advancements include:

Simplified Administration - Active Directory uses Microsoft's Domain model for storing objects. A domain is a grouping of servers, workstations, and other resources on a single network, or under a single domain name. Each domain has at least one domain controller, which is the server that manages user access to resources, as well as authentication and log-on services. In Windows NT 4.0, there were Primary Domain Controllers and Backup Domain Controllers. This has been eliminated in Windows 2000. All domain controllers are now equal, and any changes made to a single domain controller are replicated through all the domain controllers in the domain. This means that all administrative tasks can occur from a single spot, rather than having to be at the Primary Domain Controller in order to administer objects on the network.

Scalability - Scalability is the ability of an operating system or component to allow for growth over time in the size and nature of the requirements put upon that OS or component. The directory in Active Directory is actually a series of directories instead of one large directory. This allows very small organizations to upgrade their systems to very large networks without worrying about losing directory information. You can even spread the information in a directory service across several computers, making this information more fault-tolerant.

Open Standards Support - Windows 2000 uses the Internet concept of a namespace with its directory service. This means it must be compatible with many of the Internet services and standards to manage the domain efficiently. Some of these services include Domain Name Service (DNS), Lightweight Directory Access Protocol (LDAP), and Hyper-Text Transfer Protocol (HTTP). It is also compatible with other LDAP version 2 and 3-compatible directory services, such as Novell Directory Service (NDS).

DNS - Windows 2000 integrates DNS with Active Directory, making its domain names DNS names. This allows Windows 2000 to use Dynamic DNS (DDNS) to dynamically assign IP addresses and maintain the DNS database. This eliminates the need for other Internet naming services such as WINS.

LDAP and HTTP - Windows 2000 also integrates the LDAP and HTTP services for information exchange and display. LDAP allows simple communications between applications and directories, while HTTP allows all directories to be viewed in the common HTML format, making it easier for users to identify with the o/s format.

Standard Name Formats - Active Directory continues the Internet integration by providing several common name formats, including:

RFC 822 - Name@domain
Uniform Resource Locator (URL) - http://domain/location-in-directory
Universal Naming Convention - \\sharedirectory\path (for naming network resources)
LDAP URL - Used to define the path to the Active Directory services as well as the name of the object.

Workgroups and Domains


Microsoft defines the networking model differently than the standard peer-to-peer and client/server architecture. It uses the terms Workgroups and Domains to define networks. Although peer-to-peer networks and workgroups generally share all the same properties, we will redefine workgroup and domain in Microsoft's terms.

Workgroup

A workgroup is defined by Microsoft as a logical grouping of computers on a network that share resources. They work on a peer basis, which means that there is no central log-on, file sharing, or administrative authority. Servers may be present in a workgroup, but they have no central authority over security or log-in identification. Essentially, every workstation defines its own security. Servers in a workgroup are called stand-alone servers, and have a special installation process to meet their special needs on a network.

Workgroups have several advantages over domains. They are easier to install and implement, and don't require Windows 2000 Server running, saving money. If there are only a few computers to be networked with reasonably proficient users, they are cheaper and easier to use.

Workgroups have several major disadvantages over domains. They are slower, less secure, and require a higher level of skill to operate each workstation. Because each workstation defines its own security and sharing information, the users of each workstation must be trained on how these controls work. Finally, they slow down enormously without a central authority, and become useless on networks with more than 10 workstations. The biggest problem with workgroups is that they require each user on the network to have a log-in and share setting on each resource on the network. That means they must have a user account and log in separately to each workstation. The obvious tactical disadvantage is in the duplication and memorization of multiple passwords over multiple domains. Also, once a system is attached to a network, anyone with access to that system has access to all the privileges that system is authorized for, creating considerable security risks for secure-data communications and storage.

Domains

A domain is defined by Microsoft as a logical group of computers on a network linked to a central directory database. This means that all administrative and security services are administered by a central computer. The primary computer for controlling the security, administrative, and log-on information in a domain is called a domain controller (as described above). You can have many domain controllers on a network, but only systems running versions of the server software can act as domain controllers. Domains differ in one other feature from workgroups. Workgroups are generally a single office or floor of a building, whereas domains can go from small buildings to large Wide Area Network (WAN) installations. There is no physical proximity restriction on a domain as there is on a workgroup.

Domains have many advantages. They are faster and more fault-tolerant than workgroups. They have a central administration, which means that only one log-on is required to access all the authorized resources on the network. They are also more scalable than workgroups, going anywhere from 5 users to millions of users. Finally, they require less knowledge of each user on the network, making training easier.

The disadvantages of domains are small. They cost more because they require more physical cabling and more expensive hardware. They also require a central administration, which in large domains can be several dozen people. For most networks, these disadvantages are small, as a workgroup setting cannot provide the security, data storage, application sharing, or bandwidth utilization of a domain setting.

Trees and Trusts


In order to maintain logical control over networks, Windows 2000 Server establishes a standard structure for domains known as a tree. Within these trees, certain policy standards are set out, known as trusts. These trees and trusts establish the logical security and access controls needed for a Windows 2000 server to maintain a network.

Trees

When a network has more than a single domain, it becomes more difficult for the servers in these networks to control communications in a secure yet accessible fashion. In order to simplify this process, Windows 2000 Server creates a hierarchical grouping of domains known as a tree. A tree can consist of a single domain, but is scalable to large groupings spanning multiple networks. Inside a tree all the domains share services as a single unit. They have a single directory that is shared by all domains and users, with each domain hosting the portion of the directory that holds its own user information. This allows a user in one domain to access resources in a connected domain as if it were a local system, as long as that user has the required permissions. By combining this user information, it is possible to create globally accessible and enforceable policies.

In a network with many domains, a single tree may not be practical. In this case, a Forest is a better logical unit. Forests allow groups of domains to communicate without requiring a standard naming system or communication path. Essentially, forests are groups of trees that require communication but operate independently of each other.

Trees follow a standard set of rules that make them globally accessible. All members of a tree must share a standard naming structure, or namespace. This namespace sets out the structure of the tree in a logical format. For example, a tree structure for the domain thecomputernews could include thecomputernews.com, sales.thecomputernews.com, and products.thecomputernews.com. thecomputernews.com would be the parent domain, and the products and sales domains are considered child domains. The three domains would share a common shared directory, and would have their trust relationships between these directories set in each domain's share of the shared directory index.
All domains within a tree must also share a common Schema, which is a formal definition of all object types you can store in an Active Directory deployment. Additionally, all domains within a tree or forest must share a common global catalog, which is the central index of information about each object within the tree and/or forest. To summarize, a Tree and a Forest must have:

Trees                                                      Forests
A Hierarchy of Domains                                     A Hierarchy of Trees
A Single Standard Namespace                                Separate Namespaces between Trees
Kerberos Transitive Trust Relationships Between Domains    Kerberos Transitive Trust Relationships Between Trees
A Common Schema                                            A Common Schema
A Global Catalog Tree-Wide                                 A Global Catalog Forest-Wide

Trust Relationships

All domains in a Tree are linked together by a common relationship, called a trust. Trusts are transparent on the network, and in Windows 2000 Server are two-way, Kerberos transitive trust relationships. This simply means that if A trusts B and B trusts C, A implicitly trusts C. These trust relationships allow distinct domains to share information with every other domain within their tree.

To understand trusts, first you must realize how Directory Information is stored. As we stated earlier, each domain stores information about the users and groups on its network in its domain controller. This information is shared in a common directory for the tree, but each individual domain controller does not keep information about other domains' users and groups. Through trust relationships, Domain B will trust any request from Domain A as long as the user has the adequate permissions inside Domain A. This allows transparent sharing of resources without having to define groups for every domain within a tree.

Windows 2000 Server uses a transitive two-way trust. This means that a domain within a tree does not need to develop trusts with each individual domain in the tree. This simplifies the trust model by eliminating the need for separate trusts for each domain, which take up resources and bandwidth.

In comparison, Windows NT 4.0 required one-way individual trusts. This required Domain A to keep track of its trust relationship with Domain B, Domain C, and so on for each domain in the tree. Domain B was required to keep trust information on Domain A, Domain C, and so on. This made maintaining trust relationships between domains a complex task, as each domain required information about every other domain.

When a domain is joined to a Windows 2000 domain tree, it automatically establishes a trust relationship between itself and the root or parent domain. This means that trusts between domains in a tree are automatically established. This saves administrative management effort by allowing domains to generate their own trusts based on established user and group policies without administrator action.

How Trusts Are Established

Trusts are always established through the use of domain controllers. When a user account is created, the information about that user is stored on a domain controller. If there are multiple domain controllers in the domain, this information is automatically updated in each of their directories as well. By storing this information within the directory that is used throughout the tree, the user automatically gains a trust relationship with any domain in the tree. We will discuss the use of users and groups in depth in a later lesson.

Sites

There is one more logical grouping that Windows 2000 uses for resources. Active Directory uses the concept of sites, which are a logical grouping of IP subnets. This allows a range of IP addresses to be defined within the same site without being within the same domain. Or, two ranges of subnets over a Wide-Area Network can be within the same domain even though they are in different physical areas. The advantage of this is that the replication traffic that normally occurs within a domain can be reduced by defining sites within the same domain. It also allows users to validate logon credentials while at a different site from the domain controller where their user information is located. By comparing the subnet of the client with the subnets assigned to each site, the proper domain controller can be located in order to validate the logon.
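The following is an added illustration, not part of the course notes: a small Python model of the two structures this section describes. The first part builds a domain tree in which joining a domain creates a single two-way trust with its parent, then checks reachability through the transitive chain and counts the trust objects actually configured, against the Windows NT 4.0 figure where every domain needs its own one-way trust with every other domain. The second part models sites as groupings of IP subnets and picks a domain controller for a logon from the client's subnet, falling back to any controller when the client is in no defined subnet. The tree uses the thecomputernews.com names from the notes; the site names, subnets, and DC host names are constructed for the example.

```python
"""Added illustration (not from the course notes): a toy model of a Windows 2000
domain tree with two-way transitive trusts, contrasted with NT 4.0 style one-way
trusts, plus a site-aware lookup that picks a domain controller from the client's
IP subnet. Site names, subnets and DC host names below are constructed."""
from collections import deque
from ipaddress import ip_address, ip_network


class DomainTree:
    """Domains joined to the tree trust their parent; trusts are two-way and
    transitive, so 'does A accept users from B' is a reachability question."""

    def __init__(self, root):
        self.trusts = {root: set()}  # undirected adjacency: domain -> directly trusted domains

    def join(self, child, parent):
        # Joining creates exactly one two-way trust, with the parent only.
        self.trusts.setdefault(child, set())
        self.trusts[child].add(parent)
        self.trusts[parent].add(child)

    def trusts_domain(self, a, b):
        """True if domain a accepts a user from domain b via the chain of trusts."""
        seen, queue = {a}, deque([a])
        while queue:
            cur = queue.popleft()
            if cur == b:
                return True
            for nxt in self.trusts[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def explicit_trust_count(self):
        """Number of trust objects actually configured in the tree (one per edge)."""
        return sum(len(v) for v in self.trusts.values()) // 2


def nt4_trust_count(domain_count):
    """Windows NT 4.0: one-way, non-transitive, so every domain needs a separate
    trust with every other domain in each direction."""
    return domain_count * (domain_count - 1)


class SiteTopology:
    """Sites group IP subnets; each site is served by some domain controllers.
    The client's subnet decides which DC should validate its logon."""

    def __init__(self):
        self.subnet_site = {}  # ip_network -> site name
        self.site_dcs = {}     # site name -> list of DC host names

    def add_subnet(self, cidr, site):
        self.subnet_site[ip_network(cidr)] = site

    def add_dc(self, site, dc):
        self.site_dcs.setdefault(site, []).append(dc)

    def site_for(self, client_ip):
        addr = ip_address(client_ip)
        # Longest-prefix match so a more specific subnet wins over a broad one.
        matches = [n for n in self.subnet_site if addr in n]
        if not matches:
            return None
        return self.subnet_site[max(matches, key=lambda n: n.prefixlen)]

    def logon_dc(self, client_ip):
        """Prefer a DC in the client's own site; otherwise any DC in the domain."""
        site = self.site_for(client_ip)
        dcs = self.site_dcs.get(site) or [dc for lst in self.site_dcs.values() for dc in lst]
        return dcs[0] if dcs else None


def build_example():
    """The three-domain tree from the notes plus two constructed sites."""
    tree = DomainTree("thecomputernews.com")
    tree.join("sales.thecomputernews.com", "thecomputernews.com")
    tree.join("products.thecomputernews.com", "thecomputernews.com")
    topo = SiteTopology()
    topo.add_subnet("10.1.0.0/16", "Calgary")     # constructed subnet
    topo.add_subnet("10.2.0.0/16", "Edmonton")    # constructed subnet
    topo.add_dc("Calgary", "DC1.thecomputernews.com")   # constructed DC name
    topo.add_dc("Edmonton", "DC2.thecomputernews.com")  # constructed DC name
    return tree, topo


if __name__ == "__main__":
    tree, topo = build_example()
    print(tree.trusts_domain("sales.thecomputernews.com", "products.thecomputernews.com"))
    print(tree.explicit_trust_count(), "trusts in the tree vs", nt4_trust_count(3), "under NT 4.0")
    print(topo.logon_dc("10.2.5.7"))
```

The sales and products domains never trust each other directly, yet `trusts_domain` finds the path through the parent, which is the point of transitivity; the tree holds two trust objects where three NT 4.0 domains would need six. The site lookup uses the longest matching prefix, so a narrower subnet assigned to a branch office overrides a broad corporate range.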

Installing Windows 2000 Server


Performing an attended installation of Windows 2000 Server.

There are four operating systems in the Microsoft Windows 2000 product family: Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter. Apart from the number of processors supported, there is not much difference among Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter. Windows 2000 Professional supports up to 2 processors. Windows 2000 Server supports up to 4 processors. Windows 2000 Advanced Server supports up to 8 processors. Windows 2000 Datacenter supports up to 16 processors. A Pentium 133MHz microprocessor, 64MB of memory, and 850MB of hard disk space are the minimum installation requirements for a Windows 2000 Server. The following table lists the hardware requirements for Windows 2000.

             Windows 2000 Professional                        Windows 2000 Server
CPU          Pentium 133MHz or higher;                        Pentium 133MHz or higher;
             up to 2 processors                               up to 4 processors (Advanced Server: up to 8;
                                                              Datacenter: up to 16)
Memory       Minimum: 32MB                                    Minimum: 64MB (up to 5 clients)
             Recommended: 64MB                                Recommended: 128MB or higher
             Maximum: 4GB                                     Maximum: 4GB
Hard disk    2 GB with a minimum of 650MB free space          2 GB with a minimum of 850MB free space

For most of us, the installation of a new operating system isn't all that difficult. You simply run the setup program and follow the instructions. The installation program handles most of the details, and the hardest part is the wait for the program to finish. Installing Windows 2000 Server, or any server software, requires a little more work. Before you even begin there are several decisions you must make that are vitally important to getting the best performance out of your server. This week's lesson will deal strictly with what you should know before you start installing the server software.

Decisions, Decisions, Decisions...

The most obvious task you must perform is the Hardware Compatibility check. Windows 2000 Server will work with most current equipment, but it does have some minimum requirements in order to work. These include a Pentium-class processor with a minimum speed of 133MHz, a minimum of 2GB of hard drive space, 64MB of RAM, and a 12x CD-ROM drive. Again, these are the minimum requirements to run Windows 2000 Server, and you should never try running a server on a computer that just barely meets these requirements.

Next you must come up with a hard drive partitioning plan. Simply installing the operating system without thinking about how to divide up the drive space can lead to problems later on. Always give Windows 2000 Server its own dedicated hard drive partition with at least 2GB of space available. By giving the server software its own space, you avoid fragmentation problems and can use more virtual memory.

Filing Systems

The next decision is extremely important. You must choose the filing system you wish to use. Your choices are FAT32 and NTFS. If Windows 2000 is the only operating system that will be run on the server, choose NTFS. It has better security options and allows for greater use of the integration of the Active Desktop. If you are going to use multiple operating systems, you should install a FAT-compatible filing system. If you plan to use Active Directory or use the server as a domain controller, you must install NTFS.

Licensing

The choice of licensing method should be determined by the size and growth expectations of your network. Per-Server licensing is good for small networks that are single-server and don't expect much growth. This licenses the server rather than the client. Per-Seat licensing is better for larger networks or networks that expect growth in the near future. Per-Seat licenses the client rather than the server. Also remember that you can change from Per-Seat to Per-Server at any time, but not Per-Server to Per-Seat. (Microsoft recommends Per-Seat licensing in almost every case, as it is easier to administer and is more cost-effective.)

Per-Server Licenses

In a Per-Server licensing scenario, you pay according to the number of clients that will access that server. In other words, the server must maintain enough licenses to cover every computer that has access to the basic networking functions of the server. The Client Access Licenses (CALs) are maintained on the server itself. This is fine for small networks with limited numbers of users. It gets significantly harder to maintain on multi-server networks, and is not recommended for larger networks.

Per-Seat Licenses

In a Per-Seat licensing scenario, each client keeps its own CAL, which allows it to access any server on the network. This is more economical for larger networks with multiple domains and/or servers, as a CAL for each machine does not need to be kept on each server. If you plan on using Terminal Services, you should use Per-Seat.

Client Access Licenses

As discussed previously, CALs are the licenses that allow for access to servers. Each client accessing a server must have its own CAL, either stored locally or on the server. CALs are NOT required for connections through an Internet Information Server (IIS) or Web server that provides HTTP or HTML file access, Telnet access, or FTP connections.

Server Formats

Another important piece of information you need is the type of server you are going to install. In a Workgroup model, the server is installed as a Stand-Alone server. In the Domain model, it is installed as a regular server. You cannot change a Stand-Alone server to a Domain server without formatting the hard drive, so be sure you know which type of network you're going to be setting up. If you're installing into a domain, make sure you have the proper domain name and computer account name, as you can't connect to the network without them. Lastly, you should know the components you intend to install for your server. Most networking services can be added later, but you can save yourself some time by installing them with the initial installation.

Setting Up The Computer

Beyond the decisions you must make, there are several important pieces of information you must know in order to properly set up Windows 2000 Server. They include:

The Domain Name System (DNS) name for the network you are joining.

If you are upgrading a Windows NT system, make sure you have the existing computer name, domain or workgroup name, IP address (if DHCP is not installed), the DHCP server (if installed), and the type of previous operating system installed.

Ensure you have Disk Compression turned off, Disk Mirroring disabled, and all your files backed up. Windows 2000 cannot upgrade on a computer using DoubleSpace or DriveSpace compression. Only drives compressed under NTFS's compression utility can be upgraded while still compressed. Windows 2000 is also unable to upgrade while Disk Mirroring is turned on.

Disconnect any UPS equipment connected to the computer. (UPS equipment can cause the autodetect process to fail.)

Turn off any virus software working on the computer. (Virus software often sees operating system installs as virus activity and does not let the install occur.)

Create a Windows 2000 boot disk. You can do this by running the file makedisk.bat on the Windows 2000 Server CD at \valueadd\3rdparty\ca_antiv. After creating this disk, boot the computer with the boot disk inserted, as it will perform a boot sector virus check.

Lesson #6 - Installing Windows 2000 Server Part 2

There are two ways to install Windows 2000 Server: upgrading a Windows NT 4.0 or 3.51 server or NT 4.0 Terminal Server, and a clean install. Because most of the install process will look the same regardless of your install method, we will deal with upgrades and clean installs in one area.

Upgrading Windows NT Notes

There are several issues regarding upgrades to Windows 2000 Server that you must be aware of. First off, you can upgrade Windows NT 4.0 Server Enterprise Edition to Windows 2000 Advanced Server, but not to Windows 2000 Server. If you have a version of Windows NT Server prior to 3.51, you cannot upgrade directly to Windows 2000. Windows NT Workstation and Windows 2000 Professional cannot be upgraded to Windows 2000 Server.

Installation Methods

You can install Windows 2000 Server onto a computer using one of three methods: using the set-up boot disks, the bootable CD-ROM, or over the network.

Set-Up Boot Disks

Upon purchasing Windows 2000 Server, you receive a CD-ROM and four set-up floppy disks. If your system cannot boot from the CD-ROM drive (some early Pentiums still did not have this ability, but it is standard now), you will have to use the setup disks in order to install the operating system. If you don't have the setup disks handy, you can make your own by running the Makeboot.exe or makebt32.exe files from the Windows 2000 installation CD-ROM in the \Bootdisk directory. Each of the four disks has a separate set of files that it loads onto the computer in order to allow setup to install Windows 2000 Server.

Disk 1 contains Setupldr.bin, the Setup loader, which inspects the machine and gathers the information the operating system requires. The text-mode portion of Windows 2000 Setup is loaded, along with the kernel image (Ntkrnlmp.exe). Disk 2 loads the HAL, the required device drivers, locale-specific data, controller drivers, configuration tools and the system fonts. Disk 3 loads the Compaq drive array and disk controller drivers; during this phase Setup locates all the drivers the system requires and loads dynamic volume support (dmboot.sys). Disk 4 loads the SCSI CD-ROM, floppy and fixed disk drivers, as well as the file system drivers (FAT, NTFS and CDFS). At this point Windows 2000 is running and Setup is controlled by Windows 2000 itself. All files added beyond this point come from the CD-ROM. Previous versions of Windows are detected, and Setup takes you through the partitioning phase, where you can view, delete and create partitions. You choose a file system (NTFS or FAT), the partition is formatted, the files are copied and the system reboots.

Bootable CD-ROM

For a clean install of Windows 2000 Server from a bootable CD-ROM drive, you need only have the Windows 2000 Server CD in the drive with the CD-ROM drive set as a boot device in the BIOS. The process is essentially the same as above, but all files are read from the CD itself. Remove the CD when the computer reboots: if the CD is still in a bootable drive, the Setup program starts again from the beginning. To upgrade a supported Windows operating system, place the CD in the drive while the existing operating system is running. AutoPlay runs, and you are asked whether you wish to install Windows 2000 over your existing OS. Follow the prompts as above.
Over-The-Network

To install Windows 2000 Server over the network, the Setup files must be available on the network. Copy the contents of the Windows 2000 Server CD to a shared directory on a server. Upgrading from another version of Windows requires you to run Winnt32.exe from the I386 directory of the copy you made. You have the choice of upgrading your current system, or creating a dual-boot configuration that retains your existing installation. To upgrade, use the Upgrade Windows NT Server option; to dual-boot, use the Install Windows 2000 Server option. New installations over the network require an existing operating system on the machine. If you do not want to install Windows 9x before installing the server, install a copy of MS-DOS and an MS-DOS network client, connect to the share holding the CD files, and run Winnt.exe. (To run the installation program you need Emm386.exe loaded and 500 KB of conventional memory free. Also, if Smartdrv.exe is not loaded, the file-copy phase is drastically slower; the course quotes installation times of 3 to 16 hours.)

Installing Components

There are 13 optional components included that add functionality to your Windows 2000 Server. You can add them later through the Add/Remove Windows Components option in Control Panel, and you should not add more components than you need: every component consumes resources, and every network service you install is another listener to maintain and patch. Windows 2000 Server requires a 2 GB hard disk with a minimum of 850 MB free. If your computer has only a 1 GB hard disk with 1 GB free, it meets the free-space requirement but not the hard disk requirement, and you still cannot install Windows 2000 on it. If your network has five or fewer clients, Windows 2000 Server can be installed on a computer with 64 MB of memory; with more clients than that, 128 MB is required.
The minimum memory requirements for Windows 2000 Professional and Windows 2000 Server differ, but the maximum memory supported by both is the same: 4 GB. Why?


The reason is simple: Windows 2000 is a 32-bit operating system, and 2^32 bytes = 4 GB. Among Microsoft operating systems, MS-DOS and Windows 3.1 are 16-bit; Windows 95, Windows 98, Windows NT and Windows 2000 are 32-bit. "xxx-bit" refers to the width of the addresses (and registers) the system works with. For example, the binary number 1101111111111111 has 16 bits, so it is a 16-bit number, and 10111111111111111111111111011111 is a 32-bit number. MS-DOS is a 16-bit operating system because it handles data in 16-bit units; Windows 95 and Windows NT are 32-bit operating systems because they handle data in 32-bit units. Some Unix systems, such as Compaq's Tru64 UNIX, are 64-bit. Some people have the wrong impression that a 16-bit operating system cannot handle 32-bit numbers. In fact, a 16-bit system can combine two 16-bit words into a 32-bit number; compared to a 32-bit system it simply needs extra operations, such as propagating the carry between the two halves. Like other 32-bit operating systems, Windows 2000 has a 4 GB address limit, which is large compared with the 64 MB or 128 MB usually installed in a system at the time. In a 32-bit system, addresses range from 0 to 2^32 - 1 (binary 00000000000000000000000000000000 to 11111111111111111111111111111111), which gives 4G distinct values. (Windows 2000 Advanced Server and Datacenter Server can address more than 4 GB of physical memory through Physical Address Extension, but the virtual address space of each process is still 32-bit.)

Partitions in Windows 2000

If you have multiple partitions on your computer, the boot partition must have at least 850 MB of free disk space to install Windows 2000 Server. The boot partition contains the Windows operating system files (i.e. \winnt) and its support files (i.e. \winnt\system32).
To check which drive is your boot partition, open a command prompt (Start -> Run, type CMD) and type:

    echo %systemroot%

The system partition is the volume that holds the hardware-specific files needed to load Windows (NTLDR, NTDETECT.COM, BOOT.INI and, on some systems, OSLOADER.EXE). On x86-based computers it must be a primary partition that has been marked active. Be careful not to change the drive letter of the system partition, because many MS-DOS and Windows programs refer to the C: drive. The system partition can be (but does not have to be) the same partition as the boot partition. Some people confuse the system partition with the boot partition because they assume the system partition contains the system files. Remember the following two sentences for the Windows 2000 exams:

1. The system partition includes the files needed to boot Windows 2000.
2. The boot partition includes the system files.

It is recommended to have a network interface card (NIC) installed in your computer when preparing for the Windows 2000 exams. Some home PCs have only a modem and no NIC, and most networking components, such as Active Directory and the TCP/IP protocol, cannot be installed without a network adapter in the system. You can install the Microsoft Loopback Adapter to solve this problem. To install it, go to Start -> Settings -> Control Panel and open the Add/Remove Hardware applet; the Add/Remove Hardware Wizard appears.

Select Add/Troubleshoot a device. Windows searches for new Plug and Play devices. Then select Add a new device and click Next. Choose "No, I want to select the hardware from a list" on the next screen. Select Network adapters and click Next. Choose Microsoft as the manufacturer and select Microsoft Loopback Adapter from the list.

After the Microsoft Loopback Adapter is installed, you can install all the networking-related components on your system, although they do not generate any real network traffic.


Disk partitioning divides your physical disk into separate units. When you create partitions on a disk, you divide it into one or more areas that can be formatted for use by a file system such as FAT or NTFS. Windows 2000 supports three file systems: FAT, FAT32 and NTFS. However, you might encounter other file systems, such as HPFS, on the Windows 2000 exam, so let's look at the definitions of these file systems first.

FAT (File Allocation Table) is a table maintained by operating systems such as MS-DOS, Windows 95, Windows NT and OS/2 to keep track of the status of the segments of disk space used for file storage; the file system built around it is also called FAT. FAT is the only file system supported by all Microsoft operating systems. Because MS-DOS supports only FAT, if you want to dual-boot MS-DOS with Windows 2000 you must use FAT. On a Windows 95 or DOS system, a FAT volume is limited to 2 GB. Some people found that when they bought a 6 GB hard disk they had to partition it into three 2 GB partitions with fdisk, ending up with C:, D: and E: drives; that is the 2 GB limitation of FAT. A dual boot is a configuration with multiple operating systems installed on one computer; you choose which one to start each time you reboot.

FAT32 is the 32-bit version of FAT. (Although FAT is a 16-bit file system, it is not usually called FAT16.) FAT32 became available with Windows 95 OSR2 in late 1996 and raised the volume limit to 2 TB. FAT32 is supported on Windows 95 OSR2, Windows 98 and Windows 2000, but not on MS-DOS or Windows NT. Therefore, to dual-boot Windows 2000 with Windows 98 you can use either FAT or FAT32; to dual-boot Windows 2000 with MS-DOS, you can only use FAT.
NTFS (NT File System) is an advanced file system designed specifically for the Windows NT operating system. NTFS supports file system recovery, extremely large storage media, long filenames, and various features for the POSIX subsystem. It also supports object-oriented applications by treating all files as objects with user-defined and system-defined attributes. Suppose we have two hard disks in the system and format C: as FAT and D: as NTFS. When you open the Properties of the C: and D: drives, you see the following:

(Figure: properties of the FAT16 drive as seen from Windows 98 | properties of the NTFS drive as seen from Windows 2000)


In the figure, the D: drive has additional tabs, Security and Quota (the Hardware tab is a Windows 2000 feature shown for every drive, not an NTFS feature). NTFS therefore lets you enforce security that FAT cannot. When you log on to a Windows NT computer locally, anybody can access the folders on a FAT volume; there is no way to prevent a user who can log on locally from reading them. That is the reason Microsoft recommends NTFS on Windows 2000. On NTFS volumes, user-level permissions can be set on individual folders and you can prevent users from accessing local system files. Keep in mind that NTFS permissions are enforced by the running operating system: someone who boots the machine from another operating system can read the disk regardless, which is what the encryption feature below is for.

Features provided only by the NTFS file system:

1. You can assign permissions to individual files and folders, specifying who is allowed what kind of access. NTFS offers more permissions than FAT, and you can set them for individual users or for groups of users.
2. You can compress individual files and folders on an NTFS volume. NTFS compression lets you read and write the files while they are compressed, without a separate program to decompress them.
3. You can use NTFS to control disk usage on a per-user basis (disk quotas) and to encrypt file data (EFS). Disk quotas and file encryption are new features in Windows 2000; NTFS on Windows NT does not support them.
4. NTFS uses a B-tree structure for its directory indexes. This minimizes the number of disk accesses required to find a file, so NTFS should be faster for large directories.

FAT is best used on volumes smaller than approximately 400-500 MB, because FAT starts out with very little overhead. However, FAT is very inefficient for volumes larger than 1 GB. Because Windows 2000 requires a 2 GB hard disk, you should always use NTFS rather than FAT unless you need to dual-boot the system with Windows 95/98 or MS-DOS.
HPFS (High Performance File System) from IBM is the file system introduced with OS/2. It handles large disks (2 TB volumes; 2 GB files) and long file names (256 bytes), and coexists with FAT. Note that HPFS has nothing to do with Hewlett-Packard; it is an IBM product. Among Microsoft products, HPFS is supported only by Windows NT 3.x (3.1, 3.5 and 3.51). To reduce system overhead, Windows NT 4.0 and Windows 2000 no longer support HPFS. It is easy to understand why: when few people used Microsoft's products, Microsoft needed to support as many file systems as possible; after gaining market share, Microsoft focused more on the performance of its own operating systems, and supporting more file systems increases overhead.

Summarising the file system support described above: MS-DOS and Windows 3.1 support FAT only; Windows 95 OSR2 and Windows 98 support FAT and FAT32; Windows NT 3.x supports FAT, NTFS and HPFS; Windows NT 4.0 supports FAT and NTFS; Windows 2000 supports FAT, FAT32 and NTFS.

CDFS is the file system used on CD-ROM drives. It is read-only; when files on a CD-ROM are copied to a Windows 2000 system they are stored in FAT, FAT32 or NTFS depending on the volume they are copied to.

Windows 2000 Server supports two Client Access License (CAL) licensing modes: Per Seat and Per Server.

1. Per Seat. Requires a separate CAL for each client computer that accesses any Windows 2000 Server. If you have 15 client computers, you need to purchase 15 Per Seat CALs.
2. Per Server. Requires a CAL for each concurrent connection to that server. If the server will have at most 16 concurrent connections, you need to purchase 16 Per Server CALs.

To configure the licensing setting, open the Licensing applet in Control Panel.


If you click the Per Seat radio button, the system prompts you with a confirmation dialog. If you are not sure which mode to use, choose Per Server, because you can change from Per Server to Per Seat once at no cost; you cannot convert from Per Seat to Per Server. Microsoft does not require CALs for anonymous access to a web server, FTP server or Telnet server installed on your Windows 2000 Server, because a web server may see hundreds of connections and you cannot control how many people connect to your site.

To create the Setup disks, run Makeboot.exe (in the \Bootdisk folder of the Windows 2000 CD) from another computer. Running it from a command prompt shows that Windows 2000 needs four floppies to start Setup, whereas Windows NT needed only three.

Unattended Windows 2000 Server Installations

Like Windows NT 4.0, Windows 2000 Server provides tools that let you install the operating system unattended and from remote locations. This saves you time as an administrator by cutting the time spent at each machine and by allowing you to set up computers that are not in the same physical location. The key to unattended installations is the answer file. Besides Unattend.txt, you can also use Winnt.sif and Sysprep.inf: Winnt.sif is the answer file used when you install Windows 2000 from a bootable CD-ROM, and Sysprep.inf is the answer file used by the Mini-Setup that runs when a Sysprep disk image is deployed. The Uniqueness Database File (UDF) contains the information that is unique to each computer on the network, such as its network settings and computer name.
A sample UDF looks like the following. In the documented layout, the [UniqueIds] section maps each ID to the answer-file sections it overrides, and a section named [id:Section] holds that computer's values:

    [UniqueIds]
    mcse1 = Identification
    mcse2 = Identification
    mcse3 = Identification

    [mcse1:Identification]
    JoinDomain = MCSE1

    [mcse2:Identification]
    JoinDomain = MCSE2

    [mcse3:Identification]
    JoinDomain = MCSE3

Suppose the UDF is named Unattend.udf. You can run the following command to have a computer automatically join the domain MCSE2:

    winnt32 /unattend:Unattend.txt /udf:mcse2,Unattend.udf

The general forms are:

    winnt /s:<install source> /u:<answer file> /udf:<id>[,<UDF file>]
    winnt32 /s:<install source> /unattend:<answer file> /udf:<id>[,<UDF file>]

where <answer file> contains the information that automates the installation and <install source> is the location of the Windows 2000 installation files, for example the I386 directory of the Windows 2000 retail CD. You can also copy the whole I386 directory to a hard disk or network share and specify that location instead. People usually name the answer file Unattend.txt, but any name works as long as you specify it after the /u (or /unattend) switch. The answer file holds the general settings that are common to all of the servers; the UDF supplies the per-computer differences. Because different hardware needs a different answer file, installing Windows on both laptops and desktops requires at least two answer files. For example, with 500 computers, 250 identical notebooks and 250 identical desktops, you need two answer files for the unattended installation. Note that the answer file and the UDF are plain text: any passwords they carry, such as the Administrator password or the credentials used to join a domain, are readable by anyone who can read the distribution share, so restrict access to the share and remove the files when deployment is finished.


Answer File

The answer file is a script that supplies Windows 2000 Setup with the answers to the questions it asks during installation: the setup directory, the use of temporary files, the location of files on a remote server, and so on. With it, Windows 2000 can be installed without anyone clicking through the standard questions. The answer file is generally saved as a text (.txt) file and is passed to Winnt.exe or Winnt32.exe on the command line that starts Setup. The exception is an install from a bootable CD-ROM: there the file must be named Winnt.sif (and placed on a floppy disk) for Setup to find it. A sample answer file called Unattend.txt is included in the I386 directory of the Windows 2000 Server CD; it can be used as is or modified to fit your needs. Every key you use in your answer file must have a value. Some keys are optional and need not be included; some have default values that Setup uses when the key is absent. Keys are not case-sensitive. The answer file has a specific format that you must follow for Setup to understand it. The sample Unattend.txt, with its comments (lines beginning with a semicolon), is reproduced here:

    [Unattended]
    Unattendmode = FullUnattended
    OemPreinstall = NO
    TargetPath = WINNT
    FileSystem = LeaveAlone

    [UserData]
    FullName = "Your Full Name"
    OrgName = "Your Organization Name"
    ComputerName = "Computer_Name"

    [GuiUnattended]
    ; Sets the Timezone to the Pacific Northwest
    ; Sets the Admin Password to NULL
    ; Turn AutoLogon ON and login once
    TimeZone = "004"
    AdminPassword = *
    AutoLogon = Yes
    AutoLogonCount = 1

    ; For Server installs
    [LicenseFilePrintData]
    AutoMode = "PerServer"
    AutoUsers = "5"

    [GuiRunOnce]
    ; List the programs that you want to launch when the machine is logged on to for the first time

    [Display]
    BitPerPel = 8
    XResolution = 800
    YResolution = 600
    VRefresh = 70

    [Networking]
    ; When set to YES, setup will install default networking components. The components are
    ; TCP/IP, File and Print Sharing, and the Client for Microsoft Networks.
    InstallDefaultComponents = YES

    [Identification]
    JoinWorkGroup = Workgroup

Two settings in this sample deserve attention before you use it in production. AdminPassword = * leaves the local Administrator account with a blank password, and AutoLogon = Yes logs that account on automatically after Setup; together they leave a freshly built server with an unprotected Administrator session until you change the password. FileSystem = LeaveAlone keeps whatever file system the target partition already has; use ConvertNTFS if you want the permissions, quotas and encryption described in the file system section.

Setup Manager

To make creating answer files easier, Windows 2000 includes a utility called Setup Manager. It lets you choose the settings you want for your answer file without editing the text file directly. Setup Manager is in the Deploy.cab file under the \support\tools folder of the Windows 2000 installation CD-ROM. You can use Windows Explorer to extract Deploy.cab to a new folder on your computer; then double-click setupmgr.exe to start Setup Manager. Setup Manager provides a graphical interface for creating and modifying answer files and Uniqueness Database Files (UDFs). There are some settings that Setup Manager cannot add to an answer file, including optional component settings, the ability to create subdirectories in your distribution folder, and some rarely used answer file settings. If you have special requirements for your answer file, finish the normal Setup Manager tasks and add the extra settings with a text editor. For more information on modifying Unattend.txt and on using Setup Manager, extract the Readme.txt file from Deploy.cab. This information will probably not show up on your test, but it is useful for creating answer files in real life. When you run Setup Manager you will see that it can create three kinds of answer files: for a Windows 2000 unattended installation, for a Sysprep install, and for Remote Installation Services.
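The merge that winnt32 /udf:id,file performs between an answer file and a UDF, followed by a check for the weak settings discussed above (blank Administrator password, AutoLogon, LeaveAlone on a FAT target, and conflicting join keys), as an added example in Python. This is not code from the course or from Microsoft: the sample answer file and UDF embedded in it are constructed from the course's Unattend.txt and UDF excerpts, and the audit rules are this example's own.

```python
"""Merge a Windows 2000 answer file with a UDF the way winnt32 /udf:id,file
does, then audit the merged settings for choices that leave a freshly built
server exposed. Added example, not a Microsoft tool; the sample files below
are constructed from the course's Unattend.txt and UDF excerpts."""
import re

# Constructed sample answer file (subset of the course's Unattend.txt).
ANSWER_TXT = """\
[Unattended]
Unattendmode = FullUnattended
OemPreinstall = NO
TargetPath = WINNT
FileSystem = LeaveAlone

[UserData]
FullName = "Your Full Name"
OrgName = "Your Organization Name"
ComputerName = "Computer_Name"

[GuiUnattended]
; Sets the Admin Password to NULL and turns AutoLogon on for one logon
TimeZone = "004"
AdminPassword = *
AutoLogon = Yes
AutoLogonCount = 1

[Identification]
JoinWorkGroup = Workgroup
"""

# Constructed UDF in the documented layout: [UniqueIds] maps an id to the
# sections it overrides, and [id:Section] holds that machine's values.
UDF_TXT = """\
[UniqueIds]
mcse1 = UserData,Identification
mcse2 = UserData,Identification

[mcse1:UserData]
ComputerName = MCSE1-SRV
[mcse1:Identification]
JoinDomain = MCSE1

[mcse2:UserData]
ComputerName = MCSE2-SRV
[mcse2:Identification]
JoinDomain = MCSE2
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<val>.*?)\s*$")


def parse_ini(text):
    """Parse Setup's INI syntax: [sections], key = value, ';' comment lines.
    Section and key names are case-insensitive, so they are stored lower-cased;
    values keep their case, with surrounding quotes removed."""
    data, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip().lower()
            data.setdefault(current, {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            data[current][m.group("key").lower()] = m.group("val").strip('"')
    return data


def merge_udf(answer, udf, machine_id):
    """Return a copy of the answer file with the UDF entries for one id
    applied. A UDF can add or replace keys but never removes one."""
    merged = {name: dict(keys) for name, keys in answer.items()}
    mid = machine_id.lower()
    ids = udf.get("uniqueids", {})
    if mid not in ids:
        raise KeyError("id %r is not listed in [UniqueIds]" % machine_id)
    for section in ids[mid].split(","):
        section = section.strip().lower()
        merged.setdefault(section, {}).update(udf.get("%s:%s" % (mid, section), {}))
    return merged


def audit(settings):
    """Flag settings that weaken the built server; returns a list of findings."""
    findings = []
    gui = settings.get("guiunattended", {})
    ident = settings.get("identification", {})
    if gui.get("adminpassword") in ("*", ""):
        findings.append("AdminPassword = * leaves the Administrator password blank")
    if gui.get("autologon", "").lower() == "yes":
        findings.append("AutoLogon = Yes opens an unattended Administrator session after Setup")
    if settings.get("unattended", {}).get("filesystem", "").lower() == "leavealone":
        findings.append("FileSystem = LeaveAlone: a FAT target gets no permissions, quotas or EFS")
    if "joindomain" in ident and "joinworkgroup" in ident:
        findings.append("both JoinDomain and JoinWorkGroup are set; the UDF cannot remove "
                        "JoinWorkGroup, so delete it from the answer file")
    # Secrets that anyone who can read the distribution share can harvest.
    for section, key in (("identification", "domainadminpassword"),
                         ("guiunattended", "adminpassword")):
        if settings.get(section, {}).get(key) not in (None, "*", ""):
            findings.append("%s is stored in clear text in the answer file" % key)
    return findings


if __name__ == "__main__":
    merged = merge_udf(parse_ini(ANSWER_TXT), parse_ini(UDF_TXT), "mcse2")
    print("ComputerName:", merged["userdata"]["computername"])
    print("JoinDomain:", merged["identification"]["joindomain"])
    for finding in audit(merged):
        print("WARNING:", finding)
```

Run against the constructed files with id mcse2, the merge yields ComputerName MCSE2-SRV and JoinDomain MCSE2 while the rest of the answer file is untouched, and the audit reports four findings. The last one is the subtle one: because a UDF only adds or replaces keys, the JoinWorkGroup line inherited from the sample answer file survives the merge, so a workgroup key left in the template ends up on every domain-joined machine.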

If you choose Windows 2000 unattended installation, the Setup Manager wizard creates an Unattend.txt file. If you choose Sysprep install, it creates Sysprep.inf. If Remote Installation Services is selected, Remboot.sif is created.

Disk Duplication

Disk duplication is the most efficient installation method: you create a disk image of a Windows 2000 installation and copy that image onto multiple destination computers. To prepare for disk duplication you use the tool Sysprep.exe. Some people have the wrong impression that, because Sysprep.exe is used for disk duplication, it copies the contents of one hard disk to another. Look at the name: Sysprep means system preparation. Sysprep.exe only prepares the master computer's hard disk to be duplicated; it cannot duplicate the disk itself. You install Windows 2000 and all the applications on a computer, then run Sysprep.exe on it. Reboot the computer and use a third-party disk-imaging tool (not Sysprep.exe) to create the master disk image. When you start a destination computer, the Mini-Setup program prompts the user for computer-specific settings, such as the Administrator password and the computer name. If you used Setup Manager to create a Sysprep.inf, Mini-Setup takes its answers from that file and the system loads Windows 2000 without user intervention. Sysprep also strips the computer's security identifier (SID) so that a new one is generated on first boot of each clone; this is why you must run it rather than image a plain installation, because clones that share a SID undermine local account security.

The /syspart switch is used for installing computers that have a similar installation and operating system but dissimilar hardware. /syspart is available only with Winnt32.exe, not Winnt.exe. It copies the Setup startup files to a hard disk and marks the disk active; you then install that disk in another computer, and when you start that computer Setup automatically continues with the next phase.
You must always use the /tempdrive parameter with the /syspart parameter.

Remote Installation Services (RIS) lets you install new client computers remotely without visiting each client. Note that RIS is used to install client computers: in Windows 2000 you can only use RIS to install Windows 2000 Professional, not Windows 2000 Server. To install RIS, double-click the Add/Remove Programs icon in Control Panel and add the Remote Installation Services component; then use the Remote Installation Services Setup wizard to configure the RIS settings. A DNS server, a DHCP server and Active Directory must all be available before you perform a remote installation, and the RIS server must be authorized in Active Directory (in the same way as a DHCP server) before it will answer client boot requests.


DNS (Domain Name System) provides user-friendly names for TCP/IP addresses. A DNS server maintains a database of domain names (host names) and their corresponding IP addresses. Try the following command at a command prompt when you are connected to the Internet:

    C:\> ping tom.mclaughlin.net

DHCP (Dynamic Host Configuration Protocol) dynamically configures IP addresses for client computers. Microsoft's DHCP server service runs only on the server editions (Windows 2000 Server and Windows NT Server). DHCP clients, however, exist for almost all Microsoft networking operating systems, including Windows 2000 Server, Windows 2000 Professional, Windows NT Server, Windows NT Workstation, Windows 95/98, Windows for Workgroups and even DOS with LAN Manager installed. You can always assign IP addresses manually, which works fine if you do not have many computers. With hundreds of computers, manual assignment dramatically increases the administrator's workload; DHCP solves that problem. Because a rogue DHCP server can hand out bogus addresses and gateways to every client that boots, a Windows 2000 DHCP server that is a domain member must be authorized in Active Directory before it will serve addresses.

Active Directory is the directory service included with Windows 2000 Server. It supports single logon, so network users can access the resources they are permitted to use anywhere on the network, and it gives administrators a single point of administration for all network objects.

For a RIS installation, on the server side you need to install RIS and copy the Windows 2000 Professional installation files to the server. Client computers that support remote installation must have one of the following configurations:

1. A configuration meeting the Network PC (Net PC) specification.
2. A network adapter with a Pre-Boot Execution Environment (PXE) boot ROM, or BIOS support for starting from the PXE boot ROM. PXE is an industry standard by which the network card, before any operating system loads, obtains an IP address over DHCP and downloads a boot program from the network.
If no operating system exists on the disk, the card starts a minimal boot program that contacts a RIS server and presents a menu from which the user selects the operating system to install.

3. A supported network adapter and a remote installation Startup disk. To create a remote installation Startup disk, run the Windows 2000 Remote Boot Disk Generator, Rbfg.exe.

Upgrading a server from Microsoft Windows NT 4.0

Upgrading keeps your existing users, settings, groups, rights and permissions, and you do not need to reinstall files and applications as you would with a fresh installation. When you upgrade a system, you keep the original %systemroot%.

A domain controller (DC) is a computer running Windows 2000 Server that manages user access to a network, including logon, authentication, and access to the directory and shared resources. Microsoft eliminated the Windows NT 4.0 concepts of PDC (Primary Domain Controller) and BDC (Backup Domain Controller): a Windows 2000 domain has only one type of domain controller. You can have multiple domain controllers in your network, and they are all peers. As in Windows NT, a domain controller can only be installed on Windows 2000 Server, not on Windows 2000 Professional. If you have a PDC or BDC running Windows NT 3.51 or 4.0 Server, you can upgrade it to a domain controller running Windows 2000 Server; when upgrading an existing domain, upgrade the PDC first. If you have a Windows NT 3.51 or 4.0 member server, you can upgrade it to a member server running Windows 2000 Server. In Windows NT 4.0 you could not switch between domain controller and member server without reinstalling; in Windows 2000 you use the dcpromo command to promote a member server to a domain controller or demote a domain controller to a member server, which is very convenient.
If your computer still runs Windows NT Server 3.1 or 3.5, you must upgrade it to Windows NT Server 3.51 or 4.0 first, and then upgrade to Windows 2000 Server.


It is always true that you can only upgrade from a workstation product to a workstation product and from a server product to a server product. You can never upgrade from Windows NT Workstation to Windows 2000 Server. Before upgrading to Windows 2000, back up critical data such as the registry and drivers on Windows NT 4.0. You also need to remove any virus scanners, third-party network services and client software, and disconnect the serial cable to any UPS. If you receive the error INACCESSIBLE_BOOT_DEVICE during an upgrade, it may be because IRQs (interrupt requests) were not reserved for non-Plug and Play ISA devices. To solve this, set your system BIOS (basic input/output system) to reserve all IRQs currently in use by non-Plug and Play ISA devices.

Deploying service packs

A service pack is a cumulative set of fixes applied to an installed operating system or application; it is mainly used to fix bugs, including security bugs. On Windows NT, Windows 95 and Windows 98, service packs are installed separately after the operating system. Windows 2000 supports service pack slipstreaming, which means the service pack can be integrated into the installation source so that it is applied during the Windows 2000 installation. To install a service pack on Windows 98, you must install Windows 98 first and then install the service pack by hand. That is acceptable with one or a few computers, but annoying when you deploy hundreds. When Windows 2000 is installed from a slipstreamed source, the updated files from the service pack are installed without your intervention. Windows 2000 also eliminates the need to reapply the service pack after adding components (Windows NT required this, because adding a component copied the original, unpatched files back). To slipstream a service pack into the distribution folder, run update.exe /slip from a command prompt.

Network Services

Network Services consist of 8 services you can install to add functionality to your system. They are grouped under one component, Networking Services, in Add/Remove Windows Components; click Details to select them individually. They include:

1. COM Internet Services Proxy - supports distributed applications that use HTTP to communicate through IIS.
2. Domain Name System (DNS) - provides name resolution services.
3. Dynamic Host Configuration Protocol (DHCP) - allows dynamic IP addressing.
4. Internet Authentication Service - supports authentication for dial-in users (RADIUS).
5. QoS Admission Control Service - allows control over network bandwidth.
6. Simple TCP/IP Services - Character Generator, Daytime, Discard, Echo and Quote of the Day.
7. Site Server ILS Support - supports telephony applications.
8. Windows Internet Naming Service (WINS) - provides NetBIOS over TCP/IP name resolution for legacy Windows products.

Install only the services you will actually use. Simple TCP/IP Services in particular (Echo, Chargen and the others) have no business use on most servers and are well-known reflection and denial-of-service targets; leave them off unless something depends on them.

Switches for Windows 2000 Server Installations

Because Windows 2000 Server can be installed in several ways, there are also several switches you can use to install with different options. Whether you are upgrading a 16-bit or 32-bit operating system, installing from DOS or Windows, or performing any other install, you need to know the switches that automate the process. Knowing every switch is difficult, but it is important to know as many as possible for the exam, as you will be questioned on them. Switches are modifiers to a command that change how a program behaves. For example, typing dir at a DOS prompt lists the current folder; typing dir /w /p lists it in several columns and pauses when the screen is full. The /w and /p switches modify the dir command to make it more useful.


Winnt.exe Switches

There are 8 switches used for the installation of Win2K Server setup files from a 16-bit platform. They are:

Switch    Usage                   Description
/s        /s:{source path}        States the location of the Windows 2000 setup files. This allows you to state the file location if it is not being installed from the standard CD directory.
/t        /t:{temp drive}         Allows you to set the location of the temporary file directory. This also sets the install drive that Windows 2000 Server will use.
/u        /u:{answer file}        An answer file allows automated installation of Windows 2000 Server. The answer file contains answers to the standard questions that Win2K Server asks during the install process, allowing unattended/remote installation. The /u switch requires the /s switch.
/udf:id   /udf:{id},{UDF file}    The UDF file allows the Win2K installation to choose modified answers to the answer file. This allows you to state information such as the computer name without modifications to the answer file. The {id} variable states which ID entry in the UDF file to use.
/r        /r:{folder}             States a folder which setup copies from the source location during installation to the installation folder.
/rx       /rx:{folder}            Same as /r, but the folder is deleted upon completion of the setup.
/e        /e:{command}            States a command that is executed at the end of the Graphical User Interface (GUI) mode setup. If standard software is to be installed, the command to run this software can be placed here to start that installation.
/a        /a                      Enables accessibility options.

A complete switched winnt.exe install command would look like this:

winnt /s:{source path} /t:{temp drive} /u:{answer file} /udf:{id},{UDF file} /r:{folder} /rx:{folder} /e:{command} /a

Winnt32.exe Switches

The 32-bit installation of Win2K Server setup files has many of the same switches as the 16-bit version, plus a few 32-bit specific switches. You must start it from the Command Prompt or the Start Menu in order to use these switches.

Switch              Usage                           Description
/s                  /s:{source path}                States the location of the Windows 2000 setup files. This allows you to state the file location if it is not being installed from the standard CD directory.
/tempdrive          /tempdrive:{drive letter}       Allows you to set the location of the temporary file directory. This also sets the install drive that Windows 2000 Server will use.
/unattend or /u     /u or /unattend                 Automates the installation program using all the previous installation defaults from the current operating system.
/unattend{num}      /unattend{num}:{answer file}    Performs an automated installation using the answers found in the answer file. The {num} variable is the number of seconds Win2K setup waits between copying the files and rebooting the computer. You must use the /s switch to specify a source location.
/copydir            /copydir:{folder name}          States a folder which setup copies from the source location during installation to the installation folder.
/copysource         /copysource:{folder name}       Copies a directory within the source location that contains information used by the GUI mode setup to the folder where NT is installed. Upon completion of the install, the folder is deleted.
/cmd                /cmd:{command}                  Tells setup to issue a command after the second reboot and after the configuration information is detected.
/debug              /debug{level}:{file name}       Creates a debugging log in the specified file name. The {level} variable states which level of debugging is used: 1 = errors, 2 = warnings, 3 = information, and 4 = detailed information. Each level contains the levels below it as well.
/udf                /udf:{id},{UDF file}            The UDF file allows the Win2K installation to choose modified answers to the answer file. This allows you to state information such as the computer name without modifications to the answer file. The {id} variable states which ID entry in the UDF file to use.
/syspart            /syspart:{drive letter}         Allows you to copy the Setup files to a hard disk, make the disk active, and install the disk into another computer. This allows you to copy the source files from a computer onto a hard drive to install them on another computer. This type of install will only work from NT and 2000 format operating systems.
/checkupgradeonly   /checkupgradeonly               Checks to see if the computer is compatible with a Win2K installation. Win 9x information is stored in the Upgrade.txt file, while NT information is stored in the Winnt32.log file.
/cmdcons            /cmdcons                        Adds the Recovery Console option to the operating system.
/m                  /m:{folder name}                Allows you to have a second default directory in cases where files may be spread across different areas. Setup will check this directory first, and default to the other directory if the files are not found.
/makelocalsource    /makelocalsource                Copies all the installation files to the hard drive.
/noreboot           /noreboot                       Tells setup not to restart after the file copy phase of Winnt32 so that additional commands can be entered. Upon manual reboot, the computer will continue the installation.
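The /u and /unattend switches above only make sense together with the answer file and UDF they read. The following PowerShell script is an added example, not part of the course text or any Microsoft tool: it writes one shared answer file, a UDF with one entry per server, and prints the winnt.exe and winnt32.exe command lines that select each entry. The share \\DEPLOY\W2KSRV\i386, the names SRV01 and SRV02, the product key placeholder and the output folder are all constructed assumptions.

```powershell
# Added example (not from the course text): generate unattend.txt and udf.txt for a
# batch of servers and print the setup command lines that tie them together.
# Constructed assumptions: share \\DEPLOY\W2KSRV\i386, servers SRV01 and SRV02,
# a placeholder product key, output under $env:TEMP\w2k-unattend.

$SourcePath    = '\\DEPLOY\W2KSRV\i386'
$ComputerNames = @('SRV01', 'SRV02')
$OutDir        = Join-Path $env:TEMP 'w2k-unattend'

function New-AnswerFileText {
    # Shared answers. ComputerName is left for the UDF to fill in, so one answer
    # file serves every server in the batch.
    @'
[Unattended]
UnattendMode = FullUnattended
OemSkipEula = Yes
OemPreinstall = No
TargetPath = \WINNT
FileSystem = ConvertNTFS

[GuiUnattended]
; Stored in clear text: keep this file on a restricted share and change the
; password at first logon.
AdminPassword = "ChangeMeAfterSetup"
OEMSkipRegional = 1
TimeZone = 010
OemSkipWelcome = 1

[UserData]
FullName = "Bow Valley College"
OrgName = "CTC Program"
ComputerName = *
ProductID = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

[Identification]
; Joining a domain here would need DomainAdmin/DomainAdminPassword in clear
; text, so a workgroup join is used in this sample.
JoinWorkgroup = WORKGROUP

[Networking]
InstallDefaultComponents = Yes
'@
}

function New-UdfText {
    # [UniqueIds] maps each id to the section it overrides; [id:Section] then
    # carries that server's values. The id is what /udf:{id},{UDF file} selects.
    param([string[]]$Names)
    $lines = @('[UniqueIds]')
    $lines += $Names | ForEach-Object { "$_ = UserData" }
    foreach ($name in $Names) {
        $lines += ''
        $lines += "[$($name):UserData]"
        $lines += "ComputerName = $name"
    }
    $lines -join "`r`n"
}

function Get-SetupCommands {
    # Returns the 16-bit (winnt.exe) and 32-bit (winnt32.exe) invocations for one id.
    # /u and /unattend both require /s so setup knows where the source files are.
    param([string]$Name)
    @(
        "winnt /s:$SourcePath /u:unattend.txt /udf:$Name,udf.txt"
        "winnt32 /s:$SourcePath /unattend:unattend.txt /udf:$Name,udf.txt /makelocalsource"
    )
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Set-Content -Path (Join-Path $OutDir 'unattend.txt') -Value (New-AnswerFileText) -Encoding Ascii
Set-Content -Path (Join-Path $OutDir 'udf.txt') -Value (New-UdfText $ComputerNames) -Encoding Ascii

"Files written to $OutDir"
foreach ($name in $ComputerNames) {
    "--- $name ---"
    Get-SetupCommands $name
}
```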

Step-By-Step Through the Installation Process

There are 5 stages to a Win2K Server installation. They are the Pre-Copy phase, the Text Mode phase, the Information Collection phase, the Network Component Installation phase, and the Final Set-up phase.

Domain Upgrades

Although many times you might be required to perform a clean install of Windows 2000, there are also many instances where an upgrade of an existing server will be required. Where a clean install lets you start from scratch, an upgrade keeps many of the existing server settings, meaning it will be easier to bring your machine back on-line.

In my own experience, upgrading operating systems never works perfectly. From the original Windows 3.1-to-Windows 95 upgrade and above, upgrading an operating system has always been a challenge at best. Because you are allowing the operating system to keep many of its existing settings, you are also allowing it to keep many of its existing problems. There are situations where a clean install (also called a virgin install) is not possible. Large networks with huge numbers of clients may require that you keep your existing settings for ease of configuration. Other times you may have to upgrade an operating system to protect data. (Although your back-up plan should avoid this problem.) My personal suggestion is that you always do a clean install from a fresh format for all operating system upgrades wherever possible, with only the above exceptions. Microsoft recommends upgrades in many cases, so you must be aware of the format for upgrading for the exams.


Filing System Upgrades

When you insert the Windows 2000 Server CD-ROM in the drive, it will auto-boot and ask you if you wish to upgrade your current operating system. The first question that you will see after this is about your filing system. If you are upgrading a computer that has FAT16 or FAT32, you will need to decide whether or not to convert to the NT filing system (NTFS). If you wish to use Active Directory with TCP/IP, you MUST upgrade to NTFS. Windows 2000 Server also has certain security and directory functions that will not work without an NTFS filing system.

You will also be given the opportunity to dual-boot your computer. This option allows you to have two operating systems installed on the computer, and each time you boot you choose the operating system you wish to use. This will also affect your choice of filing system, as only Windows NT and Windows 2000 operating systems can run on an NTFS format. In order to dual-boot with NTFS installed, you must have a separate partition available for Windows 2000.

Upgrade Functions

After the initial upgrade choices, Windows 2000 Server setup will examine your computer for several pieces of information. It searches the boot.ini file for previous installations of the software. This allows you to recover damaged installations that have previously failed. It then searches the directories System32, System32\Drivers, and System32\Config for setup information. It uses the Ntoskrnl.exe and ntdll.dll files to determine existing software and hardware setups in order to maintain these setups after the installation is complete. Finally, the registry is accessed to determine the existing type of NT installation, build number, and version number. If it finds versions other than Windows NT Server 3.51 or 4.0, it will cancel the upgrade. After determining which operating systems are compatible with the Windows 2000 Server upgrade, a menu will be shown asking you to choose which installation you wish to upgrade.

If the version of Windows that you wish to upgrade is not present, it did not meet the requirements for a Windows 2000 Server upgrade. You can press F3 to exit Setup without affecting the previous installations.

Domain Properties

Windows 2000 Server can upgrade an existing server into one of three roles. It can become a Domain Controller, which uses Active Directory services to replicate domain user accounts and control logons. It can also be a member server, which offers member services without having domain logon control. Finally, it can become a Stand-Alone server, which is installed into a workgroup instead of a domain. Most Windows 2000 Server installations are Domain Controllers, as they provide fault-tolerance to a domain with little processor overhead. You must have at least one domain controller in each domain in order for the domain to function. Having multiple domain controllers allows the duties involved with user authentication to be split among servers, avoiding bottlenecks in the system. You should NOT upgrade a computer with extremely high network traffic or processing duties into a domain controller, as these duties will cut into its other functions.

In order for domain controllers to function, they MUST have NTFS filing systems. Domain controllers in Windows 2000 rely solely on Active Directory, and this requires an NTFS partition. In Windows NT 4.0 domains with Primary and Backup domain controllers, you MUST upgrade the Primary domain controller first. Lastly, any partitions on the hard drives of the server not formatted with NTFS will lose certain security features that Active Directory allows, such as shared file permissions and local access protection.

As discussed previously, there are several differences between Windows 2000 and Windows NT 4.0 Server in regards to Domain Controllers. In Windows NT 4.0, there were Primary Domain Controllers (PDC) that carried out all the authentication functions, and Backup Domain Controllers (BDC) that acted as back-ups to the PDC. Windows 2000 only uses Domain Controllers, allowing all DCs to share authentication tasks. Because of this, you must choose roles for your existing Domain Controllers carefully. PDCs MUST become domain controllers, and must be upgraded first. They carry the most up-to-date domain information, so their upgrade is imperative for retaining your existing domain information. BDCs can be upgraded to Domain Controllers or member servers, but not until the PDC is upgraded.


Existing member servers can either remain member servers or change to stand-alone servers. Stand-Alone servers also have this one-time opportunity to be upgraded to member servers, or remain stand-alone servers.

Planning and Implementing Your Domain Upgrade

When preparing a domain for an upgrade, there are several important factors that you must take into consideration. Most upgrades done on Windows NT domains are done haphazardly with no forethought. This can lead to confusion, errors, data loss, and cost overruns. Some simple planning can make upgrading your domain simple and cost-effective.

Choosing Your Domain

The first element of planning your upgrade is choosing the DNS structure for your domain. You must devise a plan for the root network domain on each tree in your forest, and develop the naming structure for the subdomains below. This creates a cohesive structure that allows domains to be added and Active Directory to implement the necessary replication services. The next element is planning out the organizational units within domains. This can mean shuffling objects within domains, or consolidating or creating new domains to fit your business's current physical and logical make-up. This can also help balance out the administrative tasks involved with the network by changing domain areas that are too large, too small, or that don't function properly in your network scheme. Finally, you must re-visit your user accounts and determine where they fit into your organizational units. Having a plan for dealing with user accounts is important for maintaining good group permissions and for keeping security on your network functioning.

Before You Upgrade

The most common task that every network administrator must do before performing a major change on a server is back up the data on that server. The Microsoft handbook also suggests disconnecting a single BDC from the network while you are upgrading. This will give you a back-up of your Domain Controller information in the event that the installation fails. If the installation should fail, you can promote the disconnected BDC to a PDC and resume normal network operations until the installation can be repaired.

Another important element of a Windows 2000 domain controller upgrade is the size of the accounts database it contains. The Windows NT 4.0 accounts database is significantly smaller than the Windows 2000 Server database. You should make sure that you have plenty of hard drive space for this database upgrade to take place. Lastly, before you can start the upgrade you must disable WINS, as the conversion process requires the WINS database to be converted during the upgrade. You also must disable DHCP for the same reasons. Microsoft also recommends setting up test user accounts and groups to verify the upgrade upon completion. Microsoft suggests you create two or three groups and user accounts with varying properties in order to determine whether the groups and users database upgrades correctly.

Upgrading PDC's

As stated last week, the Primary Domain Controller must be upgraded first. Start with the PDC on the root network, and perform the upgrade. You will be given the choice of creating a new domain or a child domain, and a new forest or a domain tree in an existing forest. If your domain is going to be suitably large (over 5 servers), create a new forest and a new domain. There are three important files whose location on a partition you can choose. The User Accounts database and Active Directory data can stay on any FAT or NTFS partition. The log file can also remain on any FAT or NTFS partition, but the System Volume file (SYSVOL) must be placed on an NTFS format. Upon completion of the upgrade, the Windows 2000 domain controller will emulate a PDC in the Windows NT 4.0 environment. This means that if you have multiple servers in your environment, you can upgrade them one-by-one without fear of losing networking ability. This makes Windows 2000 fully backwards compatible.

Upgrading BDC's


After testing the new domain controller to make sure your user account settings are functioning and the installation is complete, you can begin upgrading the BDCs in the same fashion. The Active Directory database files are a template for each BDC installation, so each BDC becomes an exact replica of the domain controller. Test each upgrade before proceeding to the next BDC, and never upgrade more than one BDC at a time. If you run into a problem, it is easy to fix one BDC, and it is less likely to cause network disturbances if you only have one server down at a time. Make sure each new domain controller is functioning properly in every way before starting on the next server.

Mixed and Native Modes

As each domain controller is added to the network, it runs in a Mixed Mode setting that allows it to communicate with other Windows NT servers on the domain. This allows the emulation that makes Windows 2000 Server backward compatible. All Windows 2000 Server upgrades start in Mixed Mode. When the last Windows NT Domain Controller is upgraded, you have the choice to change your servers into Native Mode. Native Mode removes all the emulation for Windows NT in a Windows 2000 environment to reduce overhead. It also uses the Kerberos transitive trust model throughout the network, making permissions and groups easier to manage. Once you choose to upgrade to Native Mode, you cannot go back to Mixed Mode.

Mixed Mode is necessary for the upgrade process to be successful. Previous versions of Windows are not compatible with the Active Directory's current configuration, especially when it comes to groups and trusts. It is important that all BDCs be upgraded to Windows 2000 before you turn to Native Mode, as they will cease to be able to communicate with the other servers if they are still using Windows NT, nor will they be able to upgrade to a domain controller. (The information needed to become a domain controller cannot be transmitted to a Windows NT server in Native Mode.)

Re-Working Your Domains

As discussed earlier, upgrading to Windows 2000 Server gives your network the perfect opportunity to adjust some of its user settings. This is not a requirement of a Windows 2000 upgrade, but it will give you greater ability to utilize the services within Windows 2000 Active Directory. Consolidating domains and arranging your Organizational Units within Active Directory will give you more administrative control and reduce network overhead. These changes can be extremely disruptive and time consuming, and must be planned out early in order to avoid deleting users and services from the network during normal network usage. Because Windows 2000 Server can handle a larger number of user accounts, domain consolidation can also reduce the need for certain services within a network. It can also reduce the amount of network traffic created by Active Directory by reducing the number of master domain account trust relationships that must be maintained.

When moving user accounts between domains, it is possible to transfer single user accounts among domains and maintain their group and permission status. (All domains in the tree use the same schema, and therefore share the same groups and permissions settings. See the Active Directory tutorial for more.) Although the Security Identifier (SID) is transferred, the password for that user is not.

Windows 2000 has several features that make domain consolidations easier to manage. First, users and groups can be moved across domain boundaries while still maintaining their previous security identity. Secondly, Windows 2000 allows domain controllers to be demoted to member servers if they are not required to be domain controllers in the new domain. Computers can also be moved using remote administration tools. This allows the administrator to make changes in the logical features of the domain without having to be present at the domain. Windows 2000 also provides tools to update access rights to reflect the changes in the network and the business. Lastly, security policies can be defined centrally, and have the ability to grow to meet the needs of the network. As new computers join the domain, they automatically pick up the security policies already in effect in the new domain.


Troubleshooting Windows 2000 Server Installations

There are many problems that can occur with a standard Windows 2000 Server installation. These problems can range from simple hardware incompatibilities to hard disk and file system errors. Below is a list of the most common Windows 2000 Server installation errors:

Problem: CD-ROM Errors
Description and Solution: If you are attempting to install from a CD-ROM drive and keep receiving media errors, it is possible you have a defective CD. Clean the CD, or attempt to load it in another CD-ROM drive. If it will not run, request a replacement Windows 2000 Server Installation CD from Microsoft or your software vendor.

Problem: Insufficient Disk Space
Description and Solution: This error will occur when the partition you wish to install Windows 2000 Server on does not have the required amount of free space that Setup uses for temporary files and installation files. You must free up enough space by deleting files from the desired partition, format a partition, or choose a different partition to install Windows 2000 on.

Problem: Unsupported CD-ROM Drive
Description and Solution: Windows 2000 Server Setup comes with utilities to support many different CD-ROM drive types during setup. This doesn't mean that it can support every CD-ROM drive. If your CD-ROM drive won't run under Setup, either install a different CD-ROM drive or use a boot disk with the proper CD-ROM drivers installed to copy the files from the Windows 2000 Server Installation CD.

Problem: Failure Of Dependency Service To Start
Description and Solution: If you are installing Windows 2000 Server, you must ensure that you have the correct network settings in order for the computer to be seen on the network. This includes the proper hardware settings, protocols, clients, and computer identification properties.

Problem: Unable To Connect To Domain Controller
Description and Solution: If you are attempting to connect to a Domain Controller and cannot gain access, you will see this error. It is most commonly an error with the Domain Name setup you used, but it can also be caused by bad network settings. Make sure your protocols, domain names, and network adapter settings are correct, and that you have the right clients installed. If all else fails, delete the computer account and re-create it, as corrupt computer accounts could cause the inability to connect. If you can't get it to connect, install in workgroup mode and troubleshoot the domain afterwards.

Problem: Failures in Windows 2000 Server To Start After Installation Is Complete
Description and Solution: Most of the time, these errors are caused by hardware faults. Either the drivers installed during installation conflict or they do not operate with Windows 2000 Server. You should start the computer in safe mode and install the newest drivers from the hardware vendor to see if this fixes the boot problems. Ensure that the hardware you installed is on the Microsoft HCL. Also verify that Windows 2000 properly detected all components when installing. It is common for modems, scanners, and other equipment not to install during the setup process, and to cause errors upon boot.

As we have learned before, Windows 2000 supports quite a few installation methods. Therefore, if one method fails, you can try another way to perform the installation. For example, if your CD-ROM drive is broken or not on the HCL (Hardware Compatibility List), you can try RIS or a network installation. If you see the failure of a dependency service when you start Windows 2000, you need to check the network settings on your computer and make sure the local computer name is unique on the network. The most common problem with a Windows 2000 installation is being unable to connect to the domain controller. If you think that the domain name you specified is correct, you need to make sure both the domain controller and the DNS Server are online. If your computer is already networked and has a DNS server configured for the Internet connection, you also need to add the DNS server for your Windows 2000 domain to your network configuration.


NTFS Permissions

This chapter discusses resource security using NTFS permissions. It specifically discusses security on files and folders within the NT File System (NTFS). The chapter covers NTFS file and folder permissions, access control lists, using NTFS permissions, planning NTFS permissions, using special access permissions, copying and moving data with NTFS permissions assigned, and troubleshooting NTFS permission problems. This chapter also introduces you to the next generation of NTFS, NTFS 5.0, which Windows 2000 touts as its standard file system. In addition, this chapter outlines all of the components of using NTFS permissions on an NTFS 5.0 file system effectively on a Windows 2000 network.

Defining Special Access Permissions

There are fourteen Special Access Permissions, and they provide the fine-grained level of security to resources on a Windows 2000 network that some administrators require. I will use three tables to explain the Special Access Permissions and how they relate to NTFS file and folder permissions. Table 4 lists the Special Access Permissions and provides a description of the kind of access they allow or deny.

Permission                      Description
Traverse Folder/Execute File    This allows or denies a user to browse through a folder's subfolders and files where he would otherwise not have access. In addition, it allows or denies the user the ability to run programs within that folder.
List Folder/Read Data           This allows or denies the user to view subfolder and file names in the parent folder. In addition, it allows or denies the user to view the data within the files in the parent folder or subfolders of that parent.
Read Attributes                 This allows or denies a user to view the standard NTFS attributes of a file or folder.
Read Extended Attributes        This allows or denies the user to view the extended attributes of a file or folder, which can vary because they are defined by the programs themselves.
Create Files/Write Data         This allows or denies the user the right to create new files in the parent folder. In addition, it allows or denies the user to modify or overwrite existing data in a file.
Create Folders/Append Data      This allows or denies the user to create new folders in the parent folder. In addition, it allows or denies the user the right to add data to the end of files. This does not include making changes to any existing data within a file.
Write Attributes                This allows or denies the ability to change the attributes of a file or folder, such as Read-Only and Hidden.
Write Extended Attributes       This allows or denies a user the ability to change the extended attributes of a file or folder. These attributes are defined by programs and may vary.
Delete Subfolders and Files     This allows or denies the deleting of files and subfolders within the parent folder. It is also true that if this permission is assigned, files and subfolders can be deleted even if the Delete special access permission has not been granted.
Delete                          This allows or denies the deleting of files and folders. If the user does not have this permission assigned but does have the Delete Subfolders and Files permission, she can still delete.
Read Permissions                This allows or denies the user the ability to read the standard NTFS permissions of a file or folder.
Change Permissions              This allows or denies the user the ability to change the standard NTFS permissions of a file or folder.
Take Ownership                  This allows or denies a user the ability to take ownership of a file or folder. The owner of a file or folder can change the permissions on the files and folders she owns, regardless of any other permission that might be in place.
Synchronize                     This allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocessing programs.

NOTE: Some of the Special Access Permissions have two parts, as shown in Table 4. The first applies to folders and the second only to files. Remember this when referring to these tables.

Now let's look at how these new special access permissions are related to the standard NTFS file permissions. Table 5 displays a cross-reference chart of NTFS file permissions and special access permissions. You will see that each of the standard NTFS file permissions is actually a group made up of special access permissions. Notice also how the Write NTFS permission is made up of six special access permissions. The Write NTFS permission is actually made up of the Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions, and Synchronize special access permissions. You will find that having these reference tables will be very helpful when deciding which special access permissions to use in your organization. Table 6 displays the same list of special access permissions but shows how they interrelate to the NTFS folder permissions.

Change Permissions

Two of the special access permissions are particularly useful in application. We discuss here the first one, the Change Permissions special access permission. When using special access permissions it is no longer necessary to assign a user or Windows 2000 administrator the Full Control NTFS permission so that they have the right to change permissions. Using the Change Permissions special access permission, a user or Windows 2000 administrator can change the permissions on a file or folder. However, they do not have access to delete any files or subfolders. That way the user or Windows 2000 administrator can control access to the data but not delete any of the data itself.

Take Ownership

The second particularly useful special access permission is Take Ownership. All files and folders on an NTFS volume have an owner.
By default, the owner is the person installing the volume and formatting it with the NTFS file system. This is usually a Windows 2000 Administrator. File and folder ownership can be transferred to another user or group. You can grant a user account or a user group the ability to take ownership of a file or folder. As an administrator, you have the ability to take control of any files or folders on the NTFS volume. Two hard-and-fast rules apply here. Remember these when thinking about granting someone the ability to take ownership of a file or folder.

1. The owner of a file or folder, or any user with the Full Control NTFS permission to a file or folder, can assign the Full Control standard NTFS permission or the Take Ownership special access permission, which allows taking control of that file or folder. For instance, if User A has the Full Control standard NTFS permission to D:\Apps and assigns the Take Ownership special access permission to User B, User B can now take ownership of any files or folders in D:\Apps.

2. A Windows 2000 administrator can take ownership of a file or folder at any time. This is one of the inherited rights that administrators have. Administrators can then assign the Take Ownership special access permission to another user or group, so that they can take control of the files and folders in a parent folder. For instance, if User A leaves the organization for another position, a Windows 2000 administrator can assign the Take Ownership special access permission to the former employee's manager for the former employee's files and folders. The manager can then take ownership of those files and folders.

NOTE: The Take Ownership special access permission can be assigned to a user account or group. The receiving user account or group can then take ownership of the respective resources. You cannot, however, give ownership of a file or folder to a user account or group.

Using Special Access Permissions

Special access permissions provide a finer level of security than the standard NTFS permissions. I suggest learning how to use them in your own environment. This subtopic will give you a quick glance at how to assign special access permissions on an NTFS volume.

To set special access permissions on a folder take the following steps:

1. On your Windows 2000 desktop, right-click My Computer.
2. Click Explore. This will start Windows Explorer.
3. Click the plus sign to the left of an NTFS volume that you would like to view.
4. Find a folder and right-click on that folder.
5. Click the Properties option on the list.
6. Use Alt-Tab to switch to the Security tab, or select it by clicking on it.
7. Now click Advanced to view the Access Control Settings dialog box, as shown in Figure 5.
8. Now click on Add.
9. This opens up the Select User, Computer, or Group dialog box as shown in Figure 6.
10. After you select the object that you would like to add the special access permissions to, click OK.
11. This displays the Permission Entry dialog box, as shown in Figure 7.

Now we see that all of the special access permissions are listed in the permissions list box. This is where all special access permissions are assigned and denied. Let's discuss the options for a moment. Table 7 lists the options and their descriptions.

Option                                   Description
Name                                     This is the user account or group name that will be affected by the special access permissions. Clicking on the Change command button can change the user account or group affected.
Apply onto                               This dropdown list box lists the level of the folder hierarchy at which the special access permissions being assigned will be applied.
Permissions                              This is a list of all the special access permissions. To allow a special access permission, click the check box in the Allow column to the right of the permission. To deny a special access permission, click the check box in the Deny column to the right of the special access permission.
Apply these permissions to objects       This allows or denies permission inheritance for the parent folder. To allow permission inheritance for the special access permissions being assigned, select this check box; otherwise clear the check box.
and/or containers within this
container only
Clear All                                This clears all of the check boxes in the Allow and Deny columns in the permissions list box.

Taking Ownership of Secure Resources

A Windows 2000 administrator working with NTFS file and folder permissions should know how to take ownership of a resource. This doesn't mean walking down to the local parts shop and picking up a new hard disk. I am talking about using the Take Ownership special access permission.


To take control of a file or folder the user or group member must have the Take Ownership permission assigned to them for that file or folder. Then they must explicitly take ownership of that file or folder. The following is a list of the steps that you would take:
1. On your Windows 2000 desktop, right-click My Computer.
2. Click Explore. This will start the Windows Explorer.
3. Click the plus sign to the left of an NTFS volume that you would like to view.
4. Find a folder and right-click on that folder.
5. Click the Properties option on the list.
6. Use <Alt><Tab> to switch to the Security tab, or select it by clicking on it.
7. Click Advanced to view the Access Control Settings dialog box.
8. In the Access Control Settings dialog box use <Alt><Tab> to switch to the Owner tab or select it by clicking on it.
9. Select your name in the Change owner to list box. This specifies that you are going to take ownership of the resource.
10. Check the Replace owner on subcontainers and objects check box, and click OK.

That is all for special access permissions and how they relate to the standard NTFS permissions. Now you can assign NTFS permissions with ease on your Windows 2000 network, confident that you have the knowledge to do so.

COPYING AND MOVING DATA

Copying and moving data is something that every administrator does, usually on a pretty frequent basis. When copying files and folders with NTFS permissions assigned to them you need to follow certain guidelines. The NTFS permissions sometimes change as the files and folders are moved or copied. It is important to know these guidelines before you start shuffling data around your Windows 2000 network. This discussion outlines these rules and explains what happens to the NTFS permissions when files and folders are moved or copied.

Copying Files and Folders

When files and folders on an NTFS volume are copied to another volume, the permissions change. For instance, if you copy a file from one NTFS volume to another NTFS volume, the following things happen if the right criteria are met:
1. The receiving NTFS volume treats the file as a new file. Like any new file, it gains the permissions of the folder it is created in.
2. The user account used to copy the file must have the Write NTFS permission in the destination folder on the receiving volume.
3. The user account used to copy the file becomes the Creator Owner of that file.

This means that any permissions assigned to that file before it is copied are lost during the copy itself. If you want to keep those same permissions, they will have to be reassigned at the destination folder. When files and folders are copied from an NTFS volume to a FAT partition, the permissions are lost. This happens because FAT partitions do not support NTFS permissions.

Moving Files and Folders

When files or folders are copied from an NTFS volume, the permissions change. When files or folders are moved from an NTFS volume, however, the permissions might or might not change. This depends entirely on where the destination folder lies. We can safely assume that when files or folders are moved to a FAT partition, the permissions are lost. That is correct, and for the same reason that NTFS permissions are lost when copying files and folders from an NTFS volume to a FAT partition. There are in fact two other cases worth pointing out when moving files and folders from an NTFS volume: moving files and folders within an NTFS volume and moving files and folders to another, separate NTFS volume.

When moving files and folders within a single NTFS volume, these rules are followed:
1. The files and folders keep the original permissions assigned to them.
2. The user account moving the files and folders must have the Write NTFS permission to the destination folder.


3. The user account moving the file must have either the Modify standard NTFS permission or the Delete special access permission assigned. This is because during a file or folder move, the files and folders are deleted from the source directory after they have been copied to the destination folder.
4. The user account used to move the files and folders becomes the Creator Owner of those files and folders.

When moving files and folders from one NTFS volume to a separate NTFS volume, these are the rules followed:
1. The files and folders being moved inherit the permissions of the destination folder. For example, if you move a file from a folder that has Everyone with Read permission into a folder on another partition that has permissions only allowing Domain Admins Read access, the file will now carry the latter security settings.
2. The user account moving the files and folders must have the Write NTFS permission to the destination folder, since a move is really a combination copy/delete.
3. The user account moving the file must have either the Modify standard NTFS permission or the Delete special access permission assigned. This is because during a file or folder move, the files and folders are deleted from the source directory after they have been copied to the destination folder.
4. The user account used to move the files and folders becomes the Creator Owner of those files and folders.

TROUBLESHOOTING PERMISSIONS PROBLEMS

The number one goal of a Windows 2000 administrator should be making sure that resources are always available to the users. This includes many things, but I'm talking here about the secure data on the network. If users cannot access the data they need to do their job, production slows. Now your boss is breathing down your neck, asking why the users can't get to their data, and how long it will take for you to fix the NTFS permission problem. This discussion will lay down some rules on NTFS permission problems.
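The copy and move rules above, encoded as an added Python model (example code, not from the handout): given an operation, a source file, a destination folder and the account performing it, it returns the resulting owner and ACL or raises when a required permission is missing. Volume, folder, account and ACL names are constructed; Deny entries and inheritance flags are not modelled.

```python
# Added example, not part of the handout: a model of the NTFS copy/move rules
# given above. Volumes, folders, accounts and ACLs below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

Acl = Dict[str, FrozenSet[str]]  # principal -> allowed NTFS permissions

# Standard permissions imply the finer ones beneath them (Deny entries are
# not modelled).
IMPLIES = {
    "Full Control": {"Modify", "Write", "Delete", "Read & Execute", "Read"},
    "Modify": {"Write", "Delete", "Read & Execute", "Read"},
    "Read & Execute": {"Read"},
}


@dataclass(frozen=True)
class Volume:
    name: str
    fs: str  # "NTFS" or "FAT"


@dataclass(frozen=True)
class Folder:
    volume: Volume
    path: str
    acl: Optional[Acl]  # None on FAT: that file system has no ACLs


@dataclass(frozen=True)
class File:
    volume: Volume
    path: str
    owner: Optional[str]
    acl: Optional[Acl]


class AccessDenied(Exception):
    """Raised when the account lacks a permission the operation needs."""


def effective(acl: Optional[Acl], user: str,
              groups: Sequence[str] = ()) -> FrozenSet[str]:
    """Permissions the user holds, directly or through group membership."""
    if acl is None:  # FAT: nothing restricts access
        return frozenset({"Full Control"} | IMPLIES["Full Control"])
    held: set = set()
    for principal in (user, *groups):
        for perm in acl.get(principal, frozenset()):
            held.add(perm)
            held |= IMPLIES.get(perm, set())
    return frozenset(held)


def transfer(op: str, src: File, dest: Folder, user: str,
             groups: Sequence[str] = ()) -> Tuple[File, List[str]]:
    """Copy or move src into dest as user. Returns the resulting file and
    notes saying what the handout's rules did to its permissions."""
    if op not in ("copy", "move"):
        raise ValueError(f"unknown operation {op!r}")
    notes: List[str] = []
    # Both operations create a file in dest, so Write is required there.
    if "Write" not in effective(dest.acl, user, groups):
        raise AccessDenied(f"{user} needs Write on {dest.path}")
    # A move is a copy followed by a delete of the source, so Modify (standard)
    # or Delete (special access) is required on the source as well.
    if op == "move" and not {"Modify", "Delete"} & effective(src.acl, user, groups):
        raise AccessDenied(f"{user} needs Modify or Delete on {src.path}")
    new_path = dest.path.rstrip("\\") + "\\" + src.path.rsplit("\\", 1)[-1]
    if dest.volume.fs == "FAT":
        notes.append("destination is FAT: NTFS permissions are lost")
        return File(dest.volume, new_path, None, None), notes
    if op == "move" and src.volume == dest.volume:
        notes.append("move within one NTFS volume: original permissions kept")
        acl = dict(src.acl or {})
    else:
        notes.append("new file on the destination volume: inherits the "
                     "destination folder's permissions")
        acl = dict(dest.acl or {})
    # The handout states that the account doing the copy or move becomes the
    # Creator Owner of the result.
    return File(dest.volume, new_path, user, acl), notes


def can_read(f: File, user: str, groups: Sequence[str] = ()) -> bool:
    return "Read" in effective(f.acl, user, groups)


def demo() -> Tuple[File, List[str], bool, bool]:
    """The handout's own example: a file readable by Everyone is moved to a
    folder on another volume where only Domain Admins have Read."""
    c, d = Volume("C:", "NTFS"), Volume("D:", "NTFS")
    public = Folder(c, r"C:\Public",
                    {"Everyone": frozenset({"Read"}), "Staff": frozenset({"Modify"})})
    secure = Folder(d, r"D:\Secure",
                    {"Domain Admins": frozenset({"Read"}), "Staff": frozenset({"Write"})})
    report = File(c, r"C:\Public\report.doc", "bob", public.acl)
    before = can_read(report, "alice", groups=["Everyone"])
    moved, notes = transfer("move", report, secure, "bob", groups=["Staff"])
    after = can_read(moved, "alice", groups=["Everyone"])
    return moved, notes, before, after


if __name__ == "__main__":
    moved, notes, before, after = demo()
    print(moved.path, moved.owner, moved.acl, notes, before, after)
```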
The topics include avoiding NTFS permission problems and troubleshooting NTFS permission problems.

Avoiding NTFS Permission Problems

Avoiding permission problems involves following some basic guidelines. Below is a list of do's and don'ts when assigning NTFS permissions on an NTFS 5.0 file system. Use this list as a reference when assigning NTFS permissions on your Windows 2000 network.
- When assigning NTFS permissions, try to assign only enough access for a user or group of users to perform their job.
- Try not to assign any NTFS permissions at the file level. This increases the complexity of managing the permissions. Assign the NTFS permissions at the folder level only. If several files require the same access, move them to a common folder and assign the permissions to that folder.
- Application executables should have Read & Execute and Change assigned to the Administrators group. The Users group, on the other hand, should have only Read & Execute. This will prevent users or a virus from modifying the files. When an administrator wants to update the application executables, he or she can temporarily assign himself or herself Full Control to perform the task.
- Assign Full Control to the Creator Owner of public folders and the Read and Write NTFS permissions to the Everyone group. This way users have full access to the files that they create, but the members of the Everyone group can only read and create files in the folder.
- Try not to deny any NTFS permissions. If you have to do this to a user or group, document it well and state that this is a special case. Instead of denying access to a resource by denying NTFS permissions, simply don't assign the permissions that would grant access.

Troubleshooting NTFS Permissions

This topic is designed to help you troubleshoot the most common NTFS permission problems. Table 8 lists the most common ones and their solutions.

Table 8: Common NTFS permission problems and their solutions

Problem: A user or group cannot access a file or folder.
Solution: Check the permissions assigned to the user or group. Permissions may not be assigned for the selected resource, or permission could be denied. In addition, the permissions could have been changed if the file or folder has been copied or moved.

Problem: The administrator assigns access to a group for a selected file or folder, but the users of that group still cannot access the file or folder.
Solution: Ask the user to log off and then log back on. When the user logs back on, their NTFS permissions are updated to include the new group that they were added to. Another way to update a user's permissions is to ask them to disconnect the network drive on which the file or folder resides and then reconnect it. This forces the permissions to update on the reconnect of the network drive.

Problem: A user with Full Control to a folder has deleted some files in that folder, and you want to prevent them from doing it again.
Solution: Open the Permission Entry box for that folder and remove the Delete Subfolders and Files special access permission for that user.

With a little perseverance any NTFS permission problem can be solved, and I hope that this table provides a starting point for the resolution.

CHAPTER SUMMARY

We discussed the many faces of NT File System (NTFS) permissions being utilized on a Windows 2000 network. Now we know that the standard file system for Windows 2000 is NTFS 5.0, and that NTFS permissions can be assigned only on an NTFS formatted volume. We learned the effects of assigning multiple permissions to a single resource and how to use permission inheritance effectively. For administrators in need of a more granular level of security on file and folder resources, we now know that special access permissions are available. When possible, permissions should be applied at the folder level rather than the file level for ease of administration. Also, it is important to remember that a permission of No Access will always override any other permissions assigned. Use this setting sparingly; it is usually better to simply omit a user account from the Access Control Lists (ACL) than to explicitly list the account with No Access specified.


Windows 2000 Professional


Windows 2000 Professional Overview

To make an informed choice between Windows 2000 Professional and Windows Me, users should consider a number of factors, including the types of application programs they need to run; their networking environment; and their overall manageability, reliability, and security requirements. In general, the features available in Windows 2000 Professional are targeted at the corporate and institutional computer user, while the home networking, multimedia, and gaming features built into Windows Me are aimed at the consumer market.

Key Features of Windows 2000 Professional

Windows 2000 Professional is the follow-on to Windows NT 4.0. It is based on the Windows NT architecture and includes many architectural refinements that improve overall operating system stability and reliability. Windows 2000 Professional is part of the larger Windows 2000 product family that includes Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter. This article focuses primarily on Windows 2000 Professional. Although Windows 2000 Professional can be used with stand-alone computers, it is only in conjunction with a Windows 2000 Active Directory domain that the complete array of Windows 2000 Professional's powerful security, system management, networking, and other features can be fully utilized. Some of the key features of Windows 2000 Professional are described in the following sections.

Enhanced Security

Windows 2000 Professional provides a number of security features for local and network applications.

Encrypting File System (EFS)

The EFS component permits encryption of folders and files. When a folder or file is encrypted, an encryption certificate and a private key are generated that are used later to perform the decryption. EFS is a particularly valuable feature for mobile systems where confidential data may be at risk should the computer be lost or stolen.
EFS can be used whether the computer operates as a stand-alone system or participates on a network as a member of an Active Directory domain.

Public Key Infrastructure (PKI)

Public key cryptography is an important security mechanism for protecting Internet, intranet, and e-commerce data. Windows 2000 Professional includes native PKI support that can take full advantage of public key cryptography. PKI provides an integrated set of tools and services for support of public key-based applications.

Standard Network Authentication Protocols

Windows 2000 Professional supports a number of network authentication protocols including:
- Kerberos 5, the default network authentication protocol for computers running Windows 2000 Professional.
- Windows NT LAN Manager version 2 (NTLMv2), which provides enhanced authentication and session security over the previous NTLM implementation included with the Windows NT 4.0 and Windows 9x operating systems.
- Extensible Authentication Protocol (EAP), a new programming interface that allows third-party security protocols to be installed and used.

Smart Card Support

Smart cards are credit card-sized electronic cards that can provide tamper-resistant, highly portable storage for digital identification and credentials. Smart card support is integrated into Windows 2000 Professional.

Virtual Private Networks (VPNs)

VPNs allow Windows 2000 Professional clients to use the Internet to create secure paths or pipelines to their corporate local area networks (LANs). VPN technology is especially useful in mobile computer applications because it enables users to dial into most local Internet Service Providers (ISPs) and set up a secure VPN session with their corporate LAN over the Internet. This can significantly reduce long-distance dial-up charges.


Windows 2000 supports key VPN tunneling protocols including the Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), and Internet Protocol Security (IPSec).

Manageability

Windows 2000 Professional includes manageability features that make it easier for IT professionals to deploy, support, and update the OS over the network. The management tools and services described in this section are used in conjunction with Windows 2000 Server management services.

Microsoft Management Console (MMC)

Designed for system managers running Windows 2000 clients, MMC is an extensible console framework that provides a common environment for specialized management applications called snap-ins. Snap-ins are ActiveX controls that provide system management functions or behaviors that system and network administrators can combine to create many types of administration tools. As the primary management host for Windows 2000 Professional, MMC provides a single interface for many client and server management tools.

Synchronization Manager

The Synchronization Manager lets users synchronize various resources. From the Items to Synchronize window, users can set the Synchronization Manager to automatically synchronize files, folders, e-mail, and off-line Web pages every time they log on or off of the network. Synchronization Manager synchronizes only the resources that have changed or have been updated since the last synchronization process.

Stability and Reliability

Like Windows NT Workstation, the 32-bit Windows 2000 Professional OS protects itself against the failure of non-native 16-bit Windows and 16-bit MS-DOS programs by running those programs in a protected subsystem that has its own separate memory space. This protected kernel-mode architecture makes Windows NT Workstation and Windows 2000 Professional more stable and reliable. Windows 2000 Professional has added a number of new improvements in core-system file integrity, driver signing and authentication, reduced reboot scenarios, and others, which make it more robust than previous Windows operating systems. The following sections describe several of the operating system's stability and reliability features.

Windows File Protection (WFP)

The WFP feature (also available in Windows Me as System File Protection [SFP]) safeguards against core-system file corruption during application program installations. It prevents the replacement, corruption, or deletion of protected system files by verifying the source and version of a system file before it is installed. Digital signature technology is also used to verify the correct version of the file(s) to be installed.

Driver Signing and Authentication

Driver authentication is an integrated process in Windows 2000 Professional. All device drivers are required to pass rigorous tests for stability before they can be issued a signature. Users can specify strict validation policies to prevent the installation of unsigned drivers or drivers whose validity cannot be authenticated.

Reduced Reboot Scenarios

Windows 2000 Professional requires fewer planned and unplanned system restarts than Windows NT 4.0. To improve the operating system's stability and reliability, Microsoft eliminated more than 75 scenarios in Windows NT 4.0 (such as adding a network protocol or installing a new device) that required a system reboot. Microsoft has reduced the number of reboot scenarios in Windows 2000 Professional to fewer than 10. Microsoft has also reduced the total number of reboot scenarios in Windows Me.

Multiple User Profiles

Windows 2000 Professional supports multiple user profiles on the same machine. This feature protects one user's data from being viewed by an unauthorized user. In a work environment, administrators can configure computers such that users have their own protected sets of data, application programs, and preferences.

Internet Connectivity


Network configuration tools are built into both Windows 2000 Professional and Windows Me, making it easier for users to establish Internet and other network connections. The following features help improve Internet connectivity.

Network Connection Wizard

The Network Connection Wizard guides users through the process of establishing access to the Internet and other networks. It also simplifies the setup procedures required for file, printer, and other device sharing across the network.


Internet Explorer

Microsoft's Internet Explorer 5 is included with Windows 2000 Professional. The browser allows close integration of the Internet into the user's desktop environment. The browser includes AutoComplete and AutoCorrect features, which help reduce the need to repeatedly enter information into the browser. A consolidated search capability makes it easier to perform highly targeted and refined searching. For each remote network connection profile, such as a dial-up or VPN connection, Internet Explorer version 5 allows a user to specify different proxy configuration information. This is useful for mobile users who, while traveling, must connect to multiple remote networks with varying proxy configurations.

Internet Connection Sharing (ICS)

This feature allows multiple PCs in home networks or small office networks to share a single dial-up or broadband connection to the Internet. A single Windows 2000 Professional client connected to the Internet can provide Internet connectivity for up to 10 additional Transmission Control Protocol/Internet Protocol (TCP/IP) clients, regardless of the operating system they are running.

ACPI Power Management

Windows 2000 Professional supports the latest Advanced Configuration and Power Interface (ACPI) power management functions. ACPI provides user-defined, low-power standby modes that conserve energy while not shutting the computer down entirely. ACPI power management modes include:

Standby mode: In standby mode, the computer is put into a low-power state. Devices such as the monitor and hard disks are switched off, consuming less power. When the computer is returned to full operation, the desktop is restored to its previous state. Standby mode is particularly useful for conserving battery power in portable computers. However, because standby mode does not save the desktop state to disk, a power failure while on standby can result in the loss of unsaved information.

Hibernate mode: Hibernate mode saves everything that is in system memory to disk, then switches off the monitor and hard-disk drive and shuts the computer down. On restart, the system is restored to its previous state.

An enhanced version of the ACPI power management utility that also supports fast boot capabilities is available in Windows Me. Both Windows 2000 Professional and Windows Me also support the earlier Advanced Power Management (APM) initiative.

Hot Docking and Undocking Services

This feature enables users to dock and undock portable computers without rebooting or changing the computer's hardware configuration. When docking, new hardware is automatically detected and installed. This feature also allows open application programs and documents to continue to run even as the computer is moved from one location to another. In contrast to the business-related features offered in Windows 2000 Professional, the majority of Windows Me features are targeted at the consumer market.

Group Policy

Group Policy is a Windows 2000 Server utility that enables system administrators to customize and define rules for many aspects of a client computer user's environment. By defining security settings, software installation options, desktop settings, and other resources, system administrators can create standard system configurations for specialized groupings of users and computers. Benefits for client systems include time and cost savings associated with system uniformity and automated software installation and updates.

Microsoft Installer

Microsoft Installer technology helps eliminate problems caused by application program installation or uninstallation errors. The operating system can recognize and repair such problems. For example, a newly installed application that has a Dynamic Link Library (DLL) with the identical name of another application's DLL would cause a conflict. The Installer can fix this problem automatically by storing the DLLs in different folders.
Microsoft Installer works with the Windows Installer Service provided in the Windows 2000 Server operating system.

IntelliMirror

IntelliMirror management technologies are a collection of features on a Windows 2000-based server that permit Windows 2000 Professional clients to mirror user data, transparently install or repair application


programs, and store customized OS settings on Windows 2000 servers. IntelliMirror has the following main features.

User Data Management

This "roaming" feature allows Windows 2000 Professional users to store their My Documents folder on the server and replicate it to an off-line files cache on the client system. With the files in an off-line files cache, users can disconnect from their network and still access the files in their My Documents folder, even though these files are normally accessed over the network. If User Settings Management is also enabled, users can roam to other Windows 2000 Professional-based clients on the corporate network and access their data. When the client reconnects or logs off of the network, the My Documents folder is synchronized with the mirrored copy stored on the network. This feature is particularly useful for users who have a need to frequently disconnect their portable computer from the network.

User Settings Management

Similar to the roaming "My Documents" feature, the user settings management feature stores users' desktop settings such as Start Menu configurations, Internet shortcuts, and other user preferences in a directory structure on the server. The profiles are replicated to the local client's hard-disk drive each time the user logs into the domain. The profile is mirrored on the user's local hard-disk drive so that if the user doesn't have access to the network, the client can still boot with the locally stored copy of the profile.

Software Installation and Maintenance

This feature allows deployment and management of policy-based application software throughout a Windows 2000 Active Directory domain. Group policy options specify the software that is to be installed, upgraded, or removed, and Windows Installer Service lets system administrators automate the software installation and configuration of client systems.
Once programs are installed on the client, the Windows Installer Service tracks versions of shared components and performs routine checks to ensure that program components are still intact. The automatic repair function of applications installed via the Windows Installer Service allows a corrupt application to repair itself automatically, instantly, and without any interaction on the part of a user or system administrator. This policy-based installation and maintenance capability reduces client-side management costs by providing centralized application management and by removing some of the most common issues that require technician visits to users' systems.


Windows 2000 Group Types


Windows NT 4.0 has Global and Local groups, which are considered to be Security groups. Windows 2000 has two types of groups: Security groups, which control access and can also be used as e-mail distribution lists, and Distribution groups, which are used for e-mail distribution and other administrative groupings but are not security enabled. Windows 2000 has three scopes: Universal, Global, and Domain Local.

NOTE: In Native-mode domains, group types can be altered, but they are fixed at creation in Mixed-mode domains.

Universal groups are only available in Native mode and can be used anywhere within the same forest. They can be nested, have users directly assigned, and can be used with ACLs. Universal groups are stored in the Global Catalog (GC) and incur a replication load. If used on a WAN, they should be relatively static.

Global groups are the primary scope into which users are placed in Mixed-mode domains. Since they are domain-centric, they cannot be the only mechanism to restrict or allow access to an object from a different domain, and they do not impose GC replication loads. In Native-mode domains, Global groups can be nested.

Domain Local groups can be used for the direct assignment of access policies on objects that are NOT directly stored in the Active Directory (AD), as parts of the AD are replicated to other domains.

Introduction to Windows 2000 IntelliMirror

IntelliMirror management technologies are a set of powerful features native to Windows 2000 for desktop Change and Configuration Management that combine the advantages of centralized computing with the performance and flexibility of distributed computing. IntelliMirror uses different features in both the server and client, and enables the users' data, applications, and personal settings to follow them to any desktop on the network. All users have data and settings that are specific to each of them.
IntelliMirror increases the availability of the user's computer and computing environment by intelligently storing information, settings, and applications, based on policy definitions. IntelliMirror is able to recover, restore, or replace users' data, applications, and personal settings in a Windows 2000-based environment. Therefore, users have constant access to all their information and applications, whether or not they are connected to the network, with the assurance that their data is safely maintained and available from the server. At the core of IntelliMirror are three features:
- User Data Management
- Software Installation and Maintenance
- User Settings Management

Administrators can use these IntelliMirror features either separately or together, depending on the requirements of the environment. When fully deployed, IntelliMirror uses the Active Directory directory service in Windows 2000 Server and Group Policy to provide policy-based management of users' desktops. Through centrally defined policies based on the users' business roles, group memberships, and location, Windows 2000 Professional desktops automatically reconfigure to meet a specific user's requirements each time that user logs onto the network.


Group Policy Overview

In Windows NT 4.0, you used the System Policy Editor tool to configure user and computer configurations stored in the Windows NT registry database. Using System Policy Editor, you could create a system policy to control the user work environment and actions and to enforce system configuration settings for all computers running Windows NT Workstation and Windows NT Server. System policies are registry settings that define the behavior of various components of the desktop environment.

Windows 2000 introduces the Group Policy MMC snap-in, a tool that extends the functionality of System Policy Editor and provides enhanced capabilities for specifying user and computer configurations for groups of computers and users. The Group Policy snap-in is a Microsoft Management Console snap-in that includes native features for setting Group Policy. Group Policies define the various components of the user's environment that system administrators need to manage, such as policy settings for registry-based policies, security options, software deployment options, scripts, and redirection of folders.

In Windows 2000, you use Group Policies to define user and computer configurations for groups of users and computers. You create a specific desktop configuration for a particular group of users and computers by using the Group Policy Microsoft Management Console (MMC) snap-in. The Group Policy settings that you create are contained in a Group Policy Object (GPO), which is in turn associated with selected Active Directory objects, such as sites, domains, or organizational units (OUs). You use the Group Policy MMC snap-in and its extensions to define Group Policy options for managed desktop configurations for groups of computers and users. With the Group Policy snap-in you can specify policy settings for the following:
- Registry-based policies: includes Group Policy for the Windows 2000 operating system and its components, and for applications. To manage these settings, use the Administrative Templates node of the Group Policy snap-in.
- Security options: includes options for local computer, domain, and network security settings.
- Software installation and maintenance options: used to centrally manage application installation, updates, and removal.
- Scripts options: includes scripts for computer startup and shutdown, and user logon and logoff.
- Folder redirection options: allows administrators to redirect users' special folders to the network.

Using Group Policy, you can define the state of users' work environment once and rely on the system to enforce the policies you define. Group Policy provides the following advantages:
- Capitalizes on the Windows 2000 Active Directory services: Group Policy allows for centralized or decentralized management of policy options.
- Offers flexibility and scalability: Group Policy handles a wide range of implementation scenarios that can be applied to both small businesses and large corporations.
- Provides an integrated tool for managing policy: the Group Policy MMC snap-in extends other Active Directory administrative tools, such as the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. Administrators can delegate control of Group Policy Objects.
- Has a clear interface and is easy to use: provides slow link detection and straightforward, unobtrusive feedback.
- Provides reliability and security: after you define Group Policy for groups of users and computers, you can rely on the system to enforce those policy settings.

Group Policy extends and takes advantage of the Active Directory service. Group Policy settings are contained in Group Policy Objects that are in turn associated with the following Active Directory containers: sites, domains, or organizational units (OUs). For example, you can specify Group Policy for a site, domain, OU, or OUs within an OU.


You can filter Group Policy by using membership in Security Groups and setting Discretionary Access Control List (DACL) permissions. Doing so enables fast processing of Group Policy Objects and allows Group Policy to be applied to Security Groups. By using ACLs and Security Groups, you can modify the scope of Group Policy Objects. For example, when you use Security Groups to filter Group Policy, you can provide finer granularity of policy than just to OUs; that is, you can modify the application of policy for specific users within an OU.

To set Group Policy for a selected Active Directory object, you must have a Windows 2000 domain controller installed, and you must have read and write permission to access the system volume of domain controllers (Sysvol folder) and modify rights to the currently selected directory object. The system volume folder is automatically created when you install a Windows 2000 domain controller (or promote a server to domain controller).

By default, Group Policy affects all computers and users in a selected Active Directory container. However, you can filter the effects of Group Policy based on users' or computers' membership in a Windows 2000 Security Group. To filter Group Policy, you use the Security tab on a Group Policy Object's Properties page to specify Discretionary Access Control List (DACL) permissions. To delegate the use of the Group Policy snap-in tool, you also use DACL permissions. The following graphic illustrates a Group Policy and Active Directory scenario:
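The filtering and delegation just described, scripted with the GroupPolicy PowerShell module (Windows Server 2008 R2 and later) rather than the Security tab; this is an added example and not part of the course handout. It assumes the reskit.com domain, an Accounts OU and a global security group named Management exist; the GPO name and the Helpdesk group are constructed for the example.

```powershell
# Added example, not from the course handout. Assumes reskit.com, an Accounts OU and a
# Management group exist; the GPO name and the Helpdesk group are constructed here.
Import-Module GroupPolicy

$gpoName = 'Management Desktop Settings'
$ouDn    = 'OU=Accounts,DC=reskit,DC=com'

# 1. Create the GPO and link it to the OU. At this point it applies to every user and
#    computer in Accounts, because Authenticated Users holds Read + Apply Group Policy.
New-GPO -Name $gpoName -Comment 'Scoped to members of Management only' | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# 2. Filter: grant Read + Apply Group Policy to the Management security group ...
Set-GPPermission -Name $gpoName -TargetName 'Management' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. ... and reduce Authenticated Users to Read only. Keep Read rather than removing the
#    ACE: since MS16-072 user policy is retrieved in the computer's security context, and
#    a GPO that Authenticated Users (or Domain Computers) cannot read is skipped entirely.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Delegate editing of this one GPO to a helpdesk group (constructed name) without
#    granting domain-wide rights: the "delegate control of Group Policy Objects" point.
Set-GPPermission -Name $gpoName -TargetName 'Helpdesk' -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# 5. Verify the resulting DACL, the same information the Security tab shows.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited |
    Format-Table -AutoSize
```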

At the root of the Group Policy snap-in namespace are two parent nodes: Computer Configuration and User Configuration. These are the parent folders you use to configure specific desktop environments and to enforce policy settings on groups of computers and users on the network.

Computer Configuration: This includes all computer-related policies that specify operating system behavior, desktop behavior, application settings, security settings, assigned applications options, and computer startup and shutdown scripts. Computer-related policy settings are applied when the operating system initializes.

User Configuration: This includes all user-related policies that specify operating system behavior, desktop settings, application settings, security settings, assigned and published applications options, user logon and logoff scripts, and folder redirection options. User-related policy settings are applied when users log on to the computer.

To set User Configuration per computer, in the Group Policy MMC console, select Computer Configuration, navigate to Administrative Templates, System, Group Policy, and set the option for Loopback Policy.


The Group Policy snap-in includes several snap-in extensions. A Group Policy snap-in extension may extend either or both of the User or Computer Configuration nodes in either the Windows Settings node or the Software Settings node. Most snap-ins extend both of these nodes, but frequently with different options. The following is a list and brief description of the Group Policy snap-in extensions that are included in Windows 2000:

Administrative Templates: Includes registry-based policy settings, which you use to mandate registry settings that govern the behavior and appearance of the desktop, including the operating system components and applications. The Administrative Templates snap-in extension also includes functionality for managing Disk Quotas and Remote Installation options.
Security Settings: You use the Security Settings extension to define security configuration for computers within a GPO. You can define local computer, domain, and network security settings.
Software Installation: You use the Software Installation extension to centrally manage software distribution in your organization. You can install, assign, publish, update, repair, and remove software for groups of users and computers.
Scripts: You can use scripts to automate computer startup and shutdown, and user logon and logoff. For these purposes, you can use Windows Scripting Host to include Visual Basic, Scripting Edition (VBScript), and JScript type scripts.
Folder Redirection: Allows you to redirect special folders to the network.

For more detailed information on Group Policy, see the technical paper entitled Windows 2000 Group Policy, available at: http://www.microsoft.com/windows/server/Technical/management. For the latest information on Windows 2000, check out Microsoft TechNet or see the Web site at http://www.microsoft.com/ntserver/ and the Windows NT Server Forum on MSN, The Microsoft Network online service (GO WORD: MSNTS).

Configuring Your Server as a Domain Controller


Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), and DCPromo (the command-line tool that creates DNS and Active Directory) can be installed manually or by using the Windows 2000 Configure Your Server Wizard. This guide uses the wizard; the manual procedures are not covered here.

1. Press Ctrl-Alt-Del and log on to the server as administrator. Leave the password blank.
2. When the Windows 2000 Configure Your Server page appears, select This is the only server in my network and click Next.
3. Click Next to configure the server as a domain controller and set up Active Directory, DHCP, and DNS.
4. On the What do you want to name your domain page, type Reskit.
5. In the Domain name box, type com. Click on the screen outside of the textbox to see the Preview of the Active Directory domain name. Click Next.

Note: As shown in Figure 2 below, the combined name appears as reskit.com in the Preview of Active Directory domain name box. The wizard puts the dot (.) into the name.


Figure 2. Configure Your Server Wizard

6. Click Next to run the wizard. When prompted, insert the Windows 2000 Server CD-ROM. When the wizard is finished, the machine reboots.

The Configure Your Server Wizard installs DNS and DHCP and configures DNS, DHCP, and Active Directory. The default values set by the wizard are:

DHCP Scope: 10.0.0.3-10.0.0.254
Preferred DNS Server: 127.0.0.1
IP address: 10.10.1.1
Subnet mask: 255.0.0.0

Reskit.com is the Active Directory domain and DNS name, and reskit is the down-level domain name.

Format the Second Disk Drive or Partition

Warning: Formatting the partition destroys any data on the partition. Make sure you do this only if necessary, and that you select the correct partition.

1. Log on to the server as the Administrator.
2. Clear the Show this screen at start-up check box in the Configure Your Server Wizard, and close the wizard.
3. Click Start, point to Programs, then point to Administrative Tools, and click Computer Management. The Computer Management snap-in appears.
4. Click the + next to Storage if the folder is not already expanded.
5. Click the Disk Management folder.
6. Right-click unallocated disk space and click Create partition.
7. The Welcome to the Create Partition wizard appears. Click Next.
8. Select Extended Partition, and click Next.
9. Accept the specified partition size by clicking Next, and then click Finish.
10. Right-click Free space and then click Create logical drive.
11. The Welcome to the Create Partition wizard appears. Click Next.
12. Select Logical drive, and click Next.
13. Accept the specified partition size by clicking Next.
14. Accept the default drive letter by clicking Next.
15. On the Format Partition page, accept the defaults for File system to use (NTFS format and the entire size of the partition), Allocation unit size, and Volume label. Click Next and then click Finish. The drive or partition will be formatted. This may take some time depending on the size of the disk and the speed of the computer. At the end, your window should look similar to Figure 3 below.

Figure 3. Disk Management Snap-In Window


Note: You might get an error message saying Volume is open or in use. Request cannot be completed. This is a timing error because you just created the partition. If you receive this message, click OK, then right-click the partition again and click Format. Accept all defaults and click OK. You receive a warning that continuing the format will erase all data. Click OK.

16. After the disk or partition has been formatted, close the Disk Management snap-in.

Active Directory Sample Infrastructure


The common infrastructure is based on the fictitious company Reskit, which has the DNS name reskit.com that was configured using the Configure Your Server Wizard in the preceding section. Figure 4 below illustrates the sample Active Directory structure.

Figure 4. Sample Active Directory Structure

Of most interest here are the domain (reskit.com) and the Accounts, Headquarters, Production, Marketing, Groups, Resources, Desktops, Laptops, and Servers organizational units (OUs). These are represented by circles in Figure 4. OUs exist for the delegation of administration and for the application of Group Policy, not simply to mirror a business organization.

Populating Active Directory

To create Organizational Units and Groups

1. Click Start, point to Programs, then point to Administrative Tools, and click Active Directory Users and Computers.
2. Click the + next to Reskit.com to expand it. Click Reskit.com to show its contents in the right pane.
3. In the left pane, right-click Reskit.com, point to New, and click Organizational Unit.
4. Type Accounts in the name box, and click OK.
5. Repeat steps 3 & 4 to create the Groups and Resources OUs. These 3 OUs show up in the right pane.
6. Click Accounts in the left pane. Its contents now display in the right pane (it is empty to start).
7. Right-click Accounts, point to New, and click Organizational Unit.
8. Type Headquarters, and click OK.
9. Repeat steps 6 and 7 to create the Production and Marketing OUs under Accounts. When you have finished, the OU structure should look like Figure 5 below:


Figure 5. Create Organizational Units

10. In the same way, create Desktops, Laptops, and Servers under the Resources OU.
11. Create the two security groups by right-clicking Groups, then pointing to New, then clicking Group. The two groups to add are Management and Non-management. The settings for each group should be Global and Security. Click OK to create each group.

To create User Accounts

1. In the left-hand screen, click the + next to the Accounts folder to expand it.
2. Click Headquarters (under Accounts) in the left-hand screen. Its contents now display in the right pane (it is empty at the beginning of this procedure).
3. Right-click Headquarters, point to New, and click User.
4. Type Teresa for the first name and Atkinson for the last name. (Note that the full name is automatically filled in at the full name box.)
5. Type Teresa for the User logon name. The window will look like Figure 6 below:

Figure 6. Adding a User

6. Click Next.
7. Click Next on the Password page to accept the defaults.
8. Click Finish. Teresa Atkinson now displays on the right-hand screen, as a user under Reskit.com/Accounts/Headquarters.
9. Repeat steps 2 through 7, adding the names listed in Appendix A for the Headquarters OU. When you are finished, the Headquarters OU screen appears as illustrated in Figure 7 below.

Figure 7. User listing in the Headquarters OU

10. Repeat steps 1 through 8 to create the users in the Production and Marketing OUs.

To add Users to Security Groups

1. In the left pane, click Groups.
2. In the right pane, double-click the group Management.
3. Click the Members tab and then click Add.
4. Select the users in the upper pane as shown in Figure 8 below by holding down the Ctrl key while clicking each name; click Add to add them all at once. (The users who should be members of this security group are listed in Appendix A.) Their names will display in the bottom pane. Click OK to accept.

Figure 8. The members of the Management group are drawn from three OUs.

5. Repeat steps 2 through 4 to add members to the Non-management group.
6. Close the Active Directory Users and Computers snap-in.
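The three procedures above (OUs, groups, users and group membership), scripted with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later) instead of Active Directory Users and Computers; this is an added example, not part of the handout. The OU, group and user names are the handout's; which group Teresa Atkinson belongs to is decided by Appendix A and is assumed here, and the initial password is prompted for.

```powershell
# Added example, not from the course handout. Names come from the handout; Teresa's
# group membership is an assumption (Appendix A decides), the password is prompted for.
Import-Module ActiveDirectory

$domainDn = 'DC=reskit,DC=com'

# OUs exist for delegation and Group Policy, not to mirror the org chart: account OUs
# under Accounts, computer OUs under Resources, groups in their own OU.
$ouTree = @{
    'Accounts'  = @('Headquarters', 'Production', 'Marketing')
    'Groups'    = @()
    'Resources' = @('Desktops', 'Laptops', 'Servers')
}
foreach ($parent in $ouTree.Keys) {
    New-ADOrganizationalUnit -Name $parent -Path $domainDn -ProtectedFromAccidentalDeletion $true
    foreach ($child in $ouTree[$parent]) {
        New-ADOrganizationalUnit -Name $child -Path "OU=$parent,$domainDn" `
            -ProtectedFromAccidentalDeletion $true
    }
}

# Global security groups, as step 11 of the OU procedure specifies.
foreach ($g in 'Management', 'Non-management') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "OU=Groups,$domainDn"
}

# Users: one entry from the handout; the rest of Appendix A would be added the same way.
# The handout uses the first name as the logon name.
$users = @(
    @{ First = 'Teresa'; Last = 'Atkinson'; OU = 'Headquarters'; Group = 'Management' }  # group assumed
)
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for new accounts'
foreach ($u in $users) {
    $logon = $u.First
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
        -SamAccountName $logon -UserPrincipalName "$logon@reskit.com" `
        -Path "OU=$($u.OU),OU=Accounts,$domainDn" `
        -AccountPassword $initialPassword -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity $u.Group -Members $logon
}

# Check the result: Management members with the OU each account lives in (Figure 8 shows
# them drawn from three OUs).
Get-ADGroupMember -Identity 'Management' |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties CanonicalName |
    Select-Object SamAccountName, CanonicalName
```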

Important Notes

The example company, organization, products, people, and events depicted in this step-by-step guide are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.


How to Upgrade from Windows 95 or Windows 98


If you are running either the Windows 95 or the Windows 98 operating system, you can upgrade to Windows 2000 Professional. The steps listed below help you prepare for your upgrade, and then instruct you on how to get the Setup program underway, whether you are using the Windows 2000 Professional CD-ROM or upgrading from a network server. Additional upgrade resources are listed at the end of this document.

Make sure that Windows 2000 is appropriate for your needs.
Built on Windows NT technology, the Windows 2000 operating system offers business users reliability, manageability, strong Internet support, and support for new hardware devices. For home computer users running Windows 98 or Windows 95, Microsoft recommends waiting for the next consumer-oriented operating system from Microsoft, Windows Millennium Edition. For further information, please see Choosing the Right Client.

Make sure your computer can run Windows 2000.
Check your hardware specifications to see if they meet the system requirements for Windows 2000.

Make sure your hardware and software are compatible with Windows 2000.
Go to the Hardware and Software Compatibility search area to find out if your hardware and software are compatible with Windows 2000. Setup generates a list of known incompatibility issues, but the tools available in the compatibility area will help you determine if you need BIOS (basic input/output system) or driver updates before upgrading. Microsoft also recommends that you test your configurations and applications prior to upgrading production systems.

Read the release notes.
Read the release notes in the root directory of the Windows 2000 Server CD-ROM: the Read1st.txt file, as well as the Readme.doc, which has an "Application Notes" section with information about programs that need to be disabled or removed before running Setup.
Additional Windows 95 and Windows 98 Compatibility Issues

Determine whether you need to do an upgrade or a new installation.
In certain situations, even if you are currently running Windows 95 or Windows 98, you may prefer to do a new installation (or "clean install") rather than an upgrade to Windows 2000. By installing the operating system from scratch, you place the operating system in a known state and avoid migrating any problems that may have existed in the previous configuration. However, a new installation requires reformatting your hard disk, so you must back up your data, install Windows 2000, reinstall your applications, and then reload your data from backup.

You should upgrade if all of the following are true:
You're already using a previous version of Windows that supports upgrading.
You want to replace your previous Windows operating system with Windows 2000.
You want to maintain your existing user settings and files.

You should perform a new installation if any of the following are true:
Your hard drive is blank (that is, you have no operating system installed on it).
Your current operating system does not support an upgrade to Windows 2000.
You have two partitions and want to create a dual-boot configuration with Windows 2000 and your current operating system. (Be sure to install Windows 2000 on a different partition than your current operating system.) Typically, dual-boot configurations are suitable for testing and evaluation; however, they are not recommended for long-term production use.

If you determine that you can and want to do an upgrade, proceed with the remaining steps listed below.

Obtain your network information.
If your computer is connected to a network, make sure you know your network information (if you won't be connected to a network, skip this step):
Name of your computer (you may need to consult with your administrator about using a computer name that conforms to the naming conventions of your network).
Name of your workgroup or domain.
TCP/IP address, if your network doesn't have a Dynamic Host Configuration Protocol (DHCP) server.


Choose a file system.
During Setup, Windows 2000 gives you the choice of using the Windows NT file system (NTFS) or one of the file allocation table file systems (FAT or FAT32). NTFS is the recommended file system for use with Windows 2000. It offers:
Better reliability.
Better file security, including the Encrypting File System (EFS), which protects data on your hard drive by encrypting each file with a randomly generated key.
Better disk compression.
Better support for large hard disks (up to two terabytes). The maximum drive size for NTFS is much greater than for FAT, and as drive size increases, performance with NTFS will not degrade as it does with FAT systems.
The conversion to NTFS is one-way. You will not be able to convert your drive back to FAT if you choose to upgrade your drive. If you decide to switch to NTFS, you can do so during Setup or after Windows 2000 is installed.

Know your IP address.
If you plan to connect to the Internet, you may need to provide an IP address during Setup. An IP address is assigned by your Internet Service Provider for your e-mail and Internet accounts. If you haven't established an e-mail or Internet account yet, you can easily add your IP address later.

Plan ahead for rolling back.
Windows 2000 Professional does not provide an uninstall feature. You will not be able to return to your previous version of Windows after installing Windows 2000 unless you completely reinstall your older version of Windows and all of your programs.

Install hardware and software updates, if necessary.
Review your current system information and then obtain hardware and software updates (drivers, BIOS, and so forth) from your hardware or software manufacturer. Check the Hardware and Software Compatibility area for tools to help you determine if you need updates. It is particularly important to make sure you have the latest BIOS (basic input/output system) available from your computer manufacturer.

Back up your files.
Back up your files to a disk, a tape drive, or another computer on your network.

Scan for viruses.
Use anti-virus software to scan for and eradicate any viruses on your hard disk.

Uncompress drives.
Uncompress any DriveSpace or DoubleSpace volumes before upgrading to Windows 2000. Do not upgrade to Windows 2000 on a compressed drive unless the drive was compressed with the Windows NT file system (NTFS) compression feature.

Uninstall power management or disk management tools.
If you are running power management or disk management tools provided by your computer manufacturer, you should uninstall these programs before you upgrade.


Disk quota management arrives at last
Jason Perlow, ZDNet Business & Technology

Even though today's enterprise file servers offer more and more disk space, users still find ways to fill all the storage you give them. I'm sure you all have storage hogs, who despite constant prodding by your network managers, still keep the last four years of their personal e-mail on the server (replete with scores of 50MB PowerPoint file attachments) and those who feel that your $30,000 box with 100GB of RAID-5 or SAN storage is their personal Napster service.

Since NT was first released in 1992, Microsoft never gave NT administrators a way to regulate user storage quotas. Other network operating systems, such as NetWare, had storage quota management built into the system for years. Even when NT tipped the scales and gained dominance, the OS still lacked storage quota capabilities. This left the market open for products like NTP Software's Quota Manager, W. Quinn's QuotaAdvisor, Advanced Toolware's Spaceguard and NORTHERN Software's Quota Server. Products like these use policy-based management through administrator-definable access control lists and file system device drivers to set limitations on user storage.

Unfortunately, at several hundred dollars per copy, the per-server licensing costs kept these add-on administrative products from becoming de rigueur at small to moderate-sized IT shops. While upper management mandated the use of other add-on products, such as network virus scanners, only administrators clamored for storage quota management. Stu Sjouwerman, president of Sunbelt Software, a leading distributor of third-party tools for Windows NT, tells me that only 15 to 20 percent of NT shops use third-party quota management tools, which leaves most NT admins in the unpleasant position of having to handle storage issues in a reactive rather than a proactive mode.

The quota management renaissance

Fortunately, Microsoft finally implemented quota management as one of the base features of the NTFS 5 file system in Windows 2000. With Quota Management, you can set default user storage limits on a per-volume basis and override these defaults on a per-user basis.

To turn Quota Management on, double-click the My Computer icon on your server's desktop. Right-click on the disk volume you wish to enable quotas on, and select Properties from the pop-up menu. Click on the Quota tab to get to the Quota panel, and in Quota Properties, select Enable Quota Management.

In addition to enabling Quota Management on a volume-wide basis, you can set quota values for all users by default. To assign default quota values for users, insert a value in the "Limit Disk Space To" option. You can use numeric or decimal values such as 1.8MB, 3GB, or 500KB. Click OK when finished. You can further customize quota options to deny disk space to users exceeding the quota limit, log events when users exceed quota limits, and log events when users exceed warning levels.

You can override the default values and create volume quota entries for specific users by clicking on the Quota Entries button in the Quota panel. You can use the Quota Entries applet to export and import quota rules to and from other servers and volumes, as well as generate usage reports per user.

What the built-in tools can't do

While the built-in quota management of NTFS 5 is a vast improvement over the complete absence of such tools in previous versions, it's still not as robust as most third-party tools. For example, the built-in tools work on a per-volume and per-server basis, but can't apply quota policy across your Windows 2000 network. The tools can only make exceptions on a per-user basis, as opposed to applying policy to groups of users, or applying different policies to different share points and directories. The built-in tools can't notify users of their disk usage based on definable threshold levels; users receive a single "disk full" error when they hit their limit.
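The volume-wide defaults, per-user override and event logging the article configures in the Quota tab, scripted as an added example (not from the article or the handout): the Win32_QuotaSetting WMI class for the defaults, fsutil (Windows XP/Server 2003 and later) for the per-user entry, and the NTFS quota events as a detection hook for the proactive handling the article asks for. The volume D:, the account RESKIT\Teresa and the byte values are constructed.

```powershell
# Added example, not from the ZDNet article. Assumes a data volume D:, an account
# RESKIT\Teresa, and constructed limits; fsutil needs XP/Server 2003 or later.
$volume = 'D:'

# Volume-wide settings (the Quota tab). State 0 = disabled, 1 = track usage only,
# 2 = enforce, i.e. "Deny disk space to users exceeding quota limit". WQL needs the
# trailing backslash of the volume path escaped, hence '\\'.
$setting = Get-CimInstance -ClassName Win32_QuotaSetting -Filter "VolumePath = '$volume\\'"
$setting | Set-CimInstance -Property @{
    State                       = 2
    DefaultLimit                = 3GB      # "Limit disk space to"
    DefaultWarningLimit         = 2560MB   # "Set warning level to" (2.5 GB)
    ExceededNotification        = $true    # log an event when a user exceeds the limit
    WarningExceededNotification = $true    # log an event when a user passes the warning level
}

# Per-user override (the Quota Entries window): warning threshold and hard limit in
# bytes, then the account. Here 5 GB / 6 GB for a user who needs more than the default.
fsutil quota modify $volume 5368709120 6442450944 'RESKIT\Teresa'

# Read the entries back, the same list Quota Entries shows and exports.
fsutil quota query $volume

# Detection: the user only sees a "disk full" error, but with both notification flags
# set NTFS writes event 36 (warning level reached) and 37 (limit reached) to the System
# log. Alerting on these is what turns quota handling from reactive to proactive.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Ntfs'; Id = 36, 37 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```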

