Converting basic disks to dynamic

Upgrading a basic disk to dynamic takes only a few steps:

1. Start by backing up all data on any disks you intend to upgrade (even though the operation is nondestructive).
2. Launch the Microsoft Management Console by typing MMC.EXE at the command prompt, or select Start > Run. Select Add/Remove Snap-in from the File menu, click the Add button in Add/Remove Snap-in, and choose the Disk Management option from the list. You will be prompted for the target computer, so pick the local one or type...

How Group Policy is processed

Group Policy is almost entirely processed from the client side. The only service using GP that processes entirely from the server is the Remote Installation Service, and that's because a client-side OS does not yet exist to process policy. A group of DLLs called client-side GP extensions performs client-side processing after first making a call to a DC for a GPO list. The processing order is obtained from the GPO list. The rule of precedence in processing is that computer configuration gets...

Configuring EAP

Configuring a client to use EAP takes a little more effort. Select the option Use Extensible Authentication Protocol (EAP), and then select either MD5-Challenge or Smart Card or Other Certificate from the associated drop-down list. If you select Smart Card or Other Certificate, click Properties to display the Smart Card or Other Certificate dialog box. Select options using the following list as a guide:

Use my smart card. Select this option if you have a smart card reader attached to your...

The DC and GC locator services

You may have been wondering, with all this superficial discussion of DCs and GCs, how a user locates the correct DC to log on, and how the user locates a GC to search. After all, you might imagine that you at least need an IP address or some means of locating the domain, because NetBEUI or other NetBIOS services are no longer a requirement on a Windows Server 2003 network. The answer is simple, but the architecture is a little arcane and thus may be difficult to understand initially. On a very...

Figure The Logon Hours controls

Figure 13-9 The Logon Hours controls. To set logon hours, follow these steps:

1. On the Properties dialog box, select the Account tab and click the Logon Hours button. The Logon Hours dialog box opens.
2. To enable a user to log on at certain hours, click the rectangle on the days and hours for which you want to deny or permit a user logon time. The blue boxes denote logon times that are permitted, while the white boxes denote...

Kernel mode

The Windows 2003 kernel mode is the layer that has access to system data and hardware. It comprises several components (refer to Figure 1-1). The Executive is the collective noun for all executive services. It houses much of the I/O routines in the OS and performs the key object-management functions, especially security. The Executive also contains the system services components (which are accessible to both OS modes) and the internal kernel mode routines (which are not accessible to any code...

Figure The MFT is a relational database that maintains the data on an NTFS volume

As a file increases in size or becomes fragmented, however, it requires multiple records to store its data. The primary record in the MFT for a file that spans multiple records is called the base file record. The base file record serves as the starting point in the file's data chain. NTFS creates additional areas called runs on the disk to store the additional file data. With volumes that have a cluster size of 2K or smaller, the runs are 2K in size. Volumes with 4K or larger clusters use...

Administration of Enterprise Service Servers

Enterprise Servers identified according to the major role the server plays (such as Exchange, SQL Server, ISA Server, IIS, Certificate Services, and so on) will have administrative groups assigned to them that do not have membership in the domain global administrative groups, such as Domain Admins. Naturally, a member of a <Server Role> Admin group might also have membership in another administrative group, which would give the engineer more privileges (or further restrict the engineer). This is...

Using RADIUS accounting

You configure RADIUS accounting through the Security tab of the RRAS server's properties. Open the RRAS console, right-click the server, choose Properties, and click the Security tab. Select RADIUS Accounting from the Accounting Provider drop-down list, and then click Configure. In the RADIUS Accounting dialog box, click Add to add a RADIUS accounting server and configure its properties. The following list explains the options:

Server name. Specify the FQDN or IP address of the RADIUS server....

Activating and deactivating a superscope

Windows Server 2003 automatically activates the superscope if one or more scopes in the superscope are active when you create the superscope. If not, you can activate individual scopes in the superscope, and then activate the superscope itself. To activate individual scopes, right-click the scope and choose Activate. If the superscope contains only one scope, Windows Server 2003 activates the superscope as well. Otherwise, right-click the superscope and choose Activate. You can deactivate an...

Command-line utilities

You can perform a number of Terminal Server administrative tasks by using command-line utilities. This approach may prove useful if you manage your server through a Telnet session or if you want to automate management via custom batch files. The following list describes a few examples of the command-line utilities that you can use:

Change logon /disable. Temporarily disables all Remote Desktop logons. This does not affect existing sessions.

Change logon /enable. Restores Terminal Server...

IPX

The IPX protocol is used primarily in environments where Novell NetWare clients or servers are used. Support for IPX enables a Windows Server 2003 RAS server to coexist with NetWare servers, and enables clients to access NetWare resources through the RAS connection. A Windows Server 2003 RAS server hosting IPX also serves as an IPX router, handling RIP, SAP, and NetBIOS traffic between the local network and the remote client. In addition to using the IPX protocol, the remote client must run a...

Establishing Sanity Checks

You must always establish milestones and checkpoints along the way to take sanity checks, to establish proof of concept, and to obtain approval from reviewers. Although we have made sanity checks a component of Phase 3, described in the section Implementing in Phases, earlier in this chapter, sanity checks should start at the beginning of the project. After you have listed all the tests that you plan to perform, you can establish checkpoints after each step or after each project or group of...

Commonsense disk quota management

Disk quotas can help you manage disk space utilization, but they can also make common, otherwise straightforward, tasks more difficult. The following suggestions should help you make your quota management more efficient:

When assigning quotas, leave some extra disk space unassigned. This will be useful if you need to customize quotas on a per-user basis. This extra space will also be used by NTFS metadata (taking roughly 64KB per file) that is not counted toward a user's quota limits.

Make users...

Mixed mode versus native mode

Your domains must be in native mode to use the advanced group features in Windows Server 2003. Specifically, you cannot create a Universal security group in mixed mode. (You can create only a universal distribution list, which is not a security principal.) You also cannot nest security groups in mixed mode, nor convert groups from one scope to another. This is a severe limitation, and you may want to consider promoting the scope as soon as doing so is feasible. Mixed-mode domains support...

Configuring modems and ports

One of the first steps to take in setting up a Windows Server 2003 RAS server is to install and configure the hardware and ports that will handle the incoming calls. You configure a standard modem through the Control Panel. If the modem is not already installed, open the Control Panel and double-click the Phone and Modem Options icon. Click the Modems tab, and then click Add to start the Add/Remove Hardware wizard. You have the option of selecting the modem manually or letting Windows Server...

Configure Your Server Wizard

Windows 2003, like Windows 2000 Server before it, provides a Configure Your Server Wizard to help you configure the server for specific uses. For example, you might want to configure a server as a file or print server. The wizard helps simplify the process. Where the wizard is most useful, however, is for setting up a server to perform more advanced functions, such as to act as a domain controller. You'll find the Configure Your Server Wizard in the Administrative Tools folder. Within the...

Figure The hierarchical model

The hierarchical model to be implemented for this architecture consists of a tree of CAs (not unlike a tree in DNS, except that it does not represent a namespace). The root CA sits at the top of the hierarchy. It is the authorizing principal CA and the only component of the PKI authorized to sign its own certificate. The self-signed root certificate means that it is impossible for anyone to pretend to be the root CA unless he or she gains access to the root CA private key. In other words, only...

Figure The .NET Framework Configuration console enables users to choose an existing assembly

Figure 4-8 The .NET Framework Configuration console enables users to choose an existing assembly. The assembly name is shown along with its version and hash. These three items indicate how the .NET Framework distinguishes assemblies and enables them to operate side by side. Choose any one of these assemblies and click Open. You can instruct the assembly to operate with only certain versions of other assemblies that it may...

Windows Server Add OSPF

OSPF offers an efficient means of handling routing for very large networks such as the Internet. OSPF uses an algorithm to calculate the shortest path between the router and adjacent networks. OSPF routers maintain a link state database that maps the inter-network. The link state database changes as each network topology change occurs. Adjacent OSPF routers synchronize their link state databases and recalculate their routing tables accordingly. Because of its scalability, OSPF is geared toward...

Anycast addresses

Anycast addresses use the same physical structure as unicast addresses. Unlike unicast addresses, however, anycast addresses are assigned to multiple nodes. Currently, only routers can use anycast addresses. A router that needs to send a packet to an anycast address uses a neighbor discovery mechanism to locate the nearest node that owns the specified address. The router then sends the packet to that node. Note See the following section to learn how you can assign IPv6 addresses in Windows...

Disk Management Service

The Windows Server 2003 DMS handles two types of storage: basic and dynamic. Basic disks are practically identical to (and compatible with) those used in previous versions of Microsoft operating systems. Dynamic disks, conversely, are more technologically advanced, scalable, and robust; they were introduced in Windows 2000 and are supported only in Windows 2000, XP Professional, and Windows Server 2003 Server. Management of dynamic disks and their volumes is handled by Logical Disk Manager (LDM)....

Setting up an NFS gateway server

Server for NFS enables Unix and other NFS clients to access files shared on a Windows Server 2003 computer. To provide bi-directional NFS support between your clients, you also need to install and use Gateway for NFS, which is also included with SFU. Gateway for NFS enables Windows clients to access NFS shares on remote NFS servers as if those shares were located on the Windows Server 2003. The Windows Server handles the necessary translation and authentication, and to the client, the folders...

Static entries

By entering static mappings, you ensure that WINS clients can resolve the IP addresses of non-WINS clients. Non-WINS clients include machines running under other operating systems, networks, network devices, domains, and so on. You can even insert a static IP address for another WINS server, if the connection to that WINS server is unreliable and you cannot afford to have the server lose a lease and not be capable of renewing it. To create a static mapping, open the WINS console as explained in...

Creating and Using Superscopes

As Windows 2000 Server does, Windows Server 2003 supports a DHCP feature called superscopes, an administrative feature that enables you to create and manage multiple scopes as a single entity. You can use superscopes to allocate IP addresses to clients on a multinet, which is a physical network segment containing multiple logical IP networks (a logical IP network is a cohesive range of IP addresses). For example, you might support three different class C logical IP networks on a physical...

Administering Terminal Services

Two standard administrative tools are used to manage or administer Terminal Services: the Terminal Services Manager and the Terminal Services Configuration. The Terminal Server Licensing program is used specifically to control licensing settings. In addition, numerous aspects of Terminal Server management can be handled by using Terminal Services Group Policies, Active Directory Users and Computers, the Terminal Server Extensions to Local Users and Groups MMC snap-in, several command-line...

The grandfather of the modern directory The X specification

The directory service as we know it began with an interconnection model proposed by the International Organization for Standardization (ISO) little more than 20 years ago. This model is popularly known as OSI, which stands for open-systems interconnection. In the late 1980s, OSI was given a huge boost by big business and government and quickly became the foundation for the information revolution we are experiencing today. The OSI model and its seven layers lie at the root of modern information...

Creating DC sites

To begin creating DC sites, take your list of segments and locations and the topological plan:

1. Create a DC site for each network segment, location, or collection of locations that is part of your so-called reliable WAN or intranet, and assign each location a DC site name. In our case, our first DC site name is zero-based and called GEN00-R. Formulate a naming convention for your sites and for your servers and resources (see Chapter 5). The R in our name means reliable. You may notice that...

Terminal Services Configuration

The Terminal Services Configuration utility, shown in Figure 30-3, enables you to manage connection protocols and settings on a local server. This MMC-based snap-in is located in the Administrative Tools menu. The console-tree pane contains two folders: Connections and Server Settings.

Figure 30-3 The Terminal Services Configuration utility (server settings shown include Use temporary folders per session, Permission Compatibility, and Restrict each user...)

Configuring NAT

As described earlier, you might typically assign a private address range to an internal network in a small company and use NAT to connect your network to the Internet. Armed with the IP addresses of your internal hosts and the IP addresses assigned to you by your ISP, run the RRAS Setup Wizard to configure the server for NAT (right-click the server in the RRAS console and select Configure and Enable Routing and Remote Access). Select the option Network Address Translation, click Next, and...

Managing replication

You can use the DFS Management console to configure and manage replication for the namespace and folders. Bear in mind when planning your DFS infrastructure that replication requires a domain-based namespace and member servers or domain controllers as namespace servers. When you add a second folder target to a namespace for a given folder, DFS Management asks if you want to set up replication for the folders. You can do so at that point or put it off until later. If you choose Yes, DFS...

Understanding the .NET Initiative

A clear definition of what the .NET initiative is has been somewhat of a mystery. The .NET Framework is obviously a framework for application development, but what about Windows Server 2003? It doesn't mean that Windows Server 2003 is meant for .NET development, but one distinct characteristic of the Windows Server 2003 operating system is that it comes with the .NET Framework already integrated into the operating system; you have no need to install it. Before we move on with a discussion of the .NET...

Deleting and disabling user accounts

Common sense tells you not to delete accounts at will. After an account is deleted, you can never get it back. The SID can be tracked, but it can never be resurrected. You have no undelete feature, and the account and SID are lost forever as active objects. If you want to render an account unusable, disable it. If you are an experienced administrator of Windows NT, this practice is not new to you, and disabling an account in Active Directory is easy. Just select the account in Active Directory...

Defining a domainwide recovery policy

After you set up a CA, and the designated recovery agents have their certificates exported to CER files, set up the domainwide recovery policy. You do so by adding the recovery agents and their respective certificates to the default domain policy. The presence of the certificates in the Security Settings\Public Key Policies\Encrypted Data Recovery Agents container implicitly defines the domain recovery policy. Follow these steps to define the domain recovery policy:

Set up a CA and a Recovery...

Point-to-Point Multilink Protocol and BAP

The Point-to-Point Multilink Protocol (PPMP, or simply Multilink) enables multiple PPP lines to be combined to provide an aggregate bandwidth. For example, you might use Multilink to combine two analog 56 Kbps modems to give you an aggregate bandwidth roughly equivalent to 112 Kbps. Or, you might combine both B channels of an ISDN Basic Rate Interface (BRI) connection to provide double the bandwidth you would otherwise get from a single channel. The Bandwidth Allocation Protocol (BAP) works in...

Vendor classes

In many respects, a vendor class is really just a container object that groups together custom DHCP options. You name the vendor class and assign to it new scope options not otherwise defined by the standard options. To create a vendor class, you specify a display name for the vendor class, a description, and an ID. The display name and description are primarily for convenience and identification within the DHCP console. The ID uniquely identifies the vendor class. To create, modify, or remove...

My active directory

Of extreme importance to domain administrators is the ability to program against Active Directory. Custom access to account information has always been a limitation in Windows NT 4.0. Microsoft provided no easy way to access the SAM for customized administrative functions. Every organization has a particular need that cannot be satisfied by the base functionality alone. A good example is the need to find out which Windows NT accounts have dial-in access enabled, and who has used this privilege...

Certificate Revocation Architecture

CRLs are objects that list the certificates that have been revoked by a CA. They can be read by PKI-enabled applications (such as the certificate manager on Windows XP). CRLs are critical for maintaining security. If a PKI application has no way of verifying the validity of a certificate, then it either cannot operate or cannot continue with the processing of an application. The CA has no way of knowing whether a certificate it has issued has been compromised. If a CA issues a certificate and...


Digital Linear Tape

Digital Linear Tape (DLT) and now SuperDLT has become one of the most popular tape formats in high-end server operations for several reasons. It is fast, reliable, hardy, and you can store a lot of data on a single high-end version of the format. DLT is a Quantum format, which was introduced mostly to compete against DAT in the mainframe, midrange, and Unix platform arena. The adoption of DLT in the Windows and NetWare server environments has accelerated the success of the media. DLT comes in...

Architecture

The following site architecture will be implemented:

A site must be defined for each physical site that contains a domain controller. Hub sites and regional sites will initially represent candidates for sites.

A site must be defined according to its subnet and the IP subnets of other regional sites or centers. When it is determined that there is no need to replicate DC data to and from a site, it is considered to be a center. A user in a center will be authenticated by the DC in his or her site...

Active Directory everywhere

Microsoft also set out to ensure that Active Directory was highly scalable and would become pervasive as quickly as resources permitted. Active Directory is easy to install and set up on a simple server. It is also easy to set up and install Active Directory as a single-user repository, and it carries virtually no noticeable overhead on the simplest configuration (we discuss Active Directory configuration in Part III). In other words, when Active Directory needs to be small, it can be small,...

Managing the Distributed File System

Windows Server 2003 includes an extremely useful feature called the Distributed File System (DFS) that enables you to simplify a user's view of the LAN and its resources. In essence, DFS enables you to bring local volumes, network shares, and entire multiple servers under a common file system namespace. Rather than require users to browse several different servers on the network for resources, those resources can all appear under the same namespace (such as a single drive letter). In other...

Media pools

A relatively new term in the Windows operating system is the media pool. If you are planning to do a lot of backing up or have been delegated the job of backup operator or administrator, you can expect to interact with media pools in your future backup-restore career. A media pool, in the general sense of the term, is a collection of media organized as a logical unit. Conceptually speaking, the media pool contains media that belong to any defined storage or backup device, format, or technology...

Another NTBackup backup script

Although Backup is a greatly improved application over its predecessor, at times you still need to run a backup from a script. Remember that you can run the script only against a local tape or backup device. Ensure that you meet all the previously discussed parameters to perform backups and gain access to shares and drives, such as a capable user ID and login password. You can use the Administrator account, although we don't recommend it, or you can use an account that is a member of the...

Managing Windows Firewall from a console

In many situations, you'll find it useful to be able to manage Windows Firewall settings from a console, whether for a local or remote server. The netsh console command has been modified in SP1 to allow Windows Firewall configuration. The commands available in netsh for firewall management include the following:

Add. Add programs or ports to the exceptions list and specify scope for the new rule.

Delete. Remove programs or ports from the exceptions list.

Dump. Dump the current configuration to a...

SLM and Windows Server

Key to meeting the objective of SLM is the acquisition of SL tools and technology. This is where Windows Server 2003 comes in. While clustering and load balancing are included in Advanced Server and Datacenter Server, the performance and system monitoring tools and disaster recovery tools are available to all versions of the OS. These tools are essential to SL. Acquired independently of the operating systems, they can cost an arm and a leg, and they might not integrate at the same level. These...

SLM by design

SLM combines tools and metrics or analysis to meet the objectives of SL and service level agreements. The SLM model is a three-legged stool, as illustrated in Figure 24-1.

Figure 24-1 The SLM model is a three-legged stool.

The availability leg supports the model by guaranteeing the availability of critical systems. The administration leg ensures 24-7 operations and administrative housekeeping. The performance leg supports the model by ensuring...

PDC Primary Domain Controller Emulator

There is one PDC Emulator role holder in a Windows Server 2003 domain. This DC retains the following functions:

It receives the password changes that are directed to other DCs in the domain. You can thus submit password changes directly to the PDC Emulator.

If authentication failures occur at a certain DC in a domain because of an incorrect password, they are forwarded to the PDC Emulator. This takes place before a bad password failure message is reported to the user.

All account lockouts are...

Windows Firewall Changes for MMC Tools

Before you learn about specific MMC tools included with Windows Server 2003, you should understand some limitations imposed by the Windows Firewall changes in Windows Server 2003 Service Pack 1. These changes affect the capability to remotely manage a Windows Server 2003 computer with many of the MMC tools. Here's why. Windows Firewall in SP1 by default blocks incoming traffic on port 445. This port is used by many of the administrative tools for remote management. If you receive one of the...

NFS overview

You have two options for authentication with NFS: use Server for NFS Authentication, or allow anonymous access to the shares. Using anonymous access is fine if you have no critical data or have no security concerns about allowing anonymous access to the NFS shares and their contents. However, it's more likely that you will want to control access, so we'll take that approach in this chapter. Authentication is explained in more detail in the next section. Unix systems have different filename...

CLB cluster concepts

To get familiar with the concept of component load balancing, you should first understand the technologies that led to its inception, such as COM, DCOM, and COM+. Microsoft designed the Component Object Model (COM) as a software development framework. This framework included a set of rules that enabled software components created by independent developers to interact with each other. This way, new applications could be written faster and without duplication of effort, by taking advantage of...

Using Windows accounting

By default, Windows Server 2003 RRAS does not log remote sessions, but you can enable logging for security and troubleshooting. To use Windows accounting, open the RRAS console, right-click the server, choose Properties, and click the Security tab. Select Windows Accounting from the Accounting Provider drop-down list, and then click OK to close the property sheet. In the RRAS console, open the Remote Access Logging branch. You'll find an item in the right pane labeled Local File. Double-click...

Ipconfig

Use the ipconfig command to display configured TCP/IP properties for all adapters, set certain properties, renew or release address leases, and update host records through dynamic DNS. The ipconfig command is useful for determining TCP/IP settings on any system, but is most helpful for determining settings on systems that obtain settings through DHCP. Knowing your address and related settings is the first step in troubleshooting any connectivity problem. In addition, you can use ipconfig to...

Upgrade plan

Upgrading from Windows 2000 to Windows Server 2003 enables you to take full advantage of the new features without restructuring your network configuration. Your existing directory service remains intact and provides you with improved group replication, application directory partitions, forest trust relationships, group caching, and an improved intersite replication-topology generator. The three main tasks that you need to document in preparing your upgrade plan to Windows Server 2003 are...

RAID-5 Fault-tolerant striping with parity

RAID-5 is similar to a nonredundant stripe set, but additional parity information is calculated and written across the disks to provide fault tolerance. To set up a RAID-5 configuration, first evaluate your storage requirements, then determine how many disks will be needed to satisfy your needs. Remember the following three rules:

Each of the striped areas across all disks has to be the same size.

The redundant data will occupy up to (1/n)th of the total space, where n is the number of striped...
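The parity rule above, worked through as an added example that is not the book's own code: XOR parity written across n disks, the 1/n capacity overhead, and rebuilding one failed disk from the survivors. The disk count, unit size and data bytes are constructed for the demonstration; the parity rotation scheme is a common one and is an assumption, not something the text specifies.

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-sized stripe units together (RAID-5 rule 1: same size)."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("every striped unit must be the same size")
    out = bytearray(size)
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def parity_overhead(n_disks: int) -> float:
    """Fraction of total capacity consumed by parity: 1/n for n disks."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    return 1.0 / n_disks


def parity_position(stripe_index: int, n_disks: int) -> int:
    """Rotate the parity unit across disks so no single disk is a hot spot (assumed scheme)."""
    return (n_disks - 1 - stripe_index) % n_disks


def write_volume(data: bytes, n_disks: int, unit_size: int) -> List[List[bytes]]:
    """Stripe data across n disks; each stripe holds n-1 data units and 1 parity unit."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    data_per_stripe = (n_disks - 1) * unit_size
    padded = data + b"\x00" * (-len(data) % data_per_stripe)   # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // data_per_stripe):
        chunk = padded[s * data_per_stripe:(s + 1) * data_per_stripe]
        units = [chunk[i * unit_size:(i + 1) * unit_size] for i in range(n_disks - 1)]
        parity = xor_blocks(units)
        ppos = parity_position(s, n_disks)
        it = iter(units)
        for d in range(n_disks):
            disks[d].append(parity if d == ppos else next(it))
    return disks


def read_volume(disks: List[List[bytes]], data_len: int) -> bytes:
    """Read user data back, skipping the parity unit in each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        ppos = parity_position(s, n_disks)
        for d in range(n_disks):
            if d != ppos:
                out += disks[d][s]
    return bytes(out[:data_len])


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct every unit of one failed disk: XOR of all n units in a stripe is zero,
    so the missing unit equals the XOR of the surviving n-1 units (data or parity alike)."""
    survivors = [d for i, d in enumerate(disks) if i != failed and d is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("RAID-5 tolerates only one failed disk at a time")
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


if __name__ == "__main__":
    # Constructed sample: 59 bytes across 4 disks with 8-byte stripe units.
    sample = b"RAID-5 stripes data and parity across all disks in the set."
    vol = write_volume(sample, n_disks=4, unit_size=8)
    print("parity overhead:", parity_overhead(4))
    degraded: List[Optional[List[bytes]]] = list(vol)
    degraded[2] = None                      # simulate disk 2 failing
    degraded[2] = rebuild_disk(degraded, 2)  # rebuild it from the other three
    print("rebuilt volume intact:", read_volume(degraded, len(sample)) == sample)
```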

The Hardware Compatibility List HCL

Before you go buy parts, review the Hardware Compatibility List (HCL) at www.microsoft.com/whdc/hcl. The Designed for Windows logo identifies software and hardware products that have been designed for and work well with Microsoft products. Software and hardware products displaying the logo must pass rigorous testing to ensure that they provide ease of use and stability and that they take advantage of the new features in Windows products. Software is tested by an independent testing lab named...

IPC$

The root of every volume on a Windows Server 2003 (and even on Windows 2000, NT 4.0, and earlier servers) is shared. If you can map to the share, you can access the entire volume. This share is the system root, the Windows Server 2003 system folder hierarchy. To map to this share, simply use This share is created as you install the first shared printer on the server. The share is established at SERVERNAME SPOOL DRIVERS, and its purpose is to enable clients to remotely pull printer drivers for...

Copying moving or renaming encrypted files

As with compression, a folder's encryption attribute also has an effect on the files that you copy or move between encrypted and non-encrypted folders or files and folders that you rename. The following list summarizes the effect of the encryption attribute in copying, moving, and renaming objects:

Copying and moving encrypted folders or files to unencrypted folders (NTFS volumes). The copies are encrypted regardless of the encryption attribute of the destination folder. If you are copying to...

The open files dilemma

Open files have always been the backup administrator's nightmare on Windows NT Server, and this is still very much the case on Windows 2000 and Windows Server 2003 volumes. What are these open files? Any resource file on a system needs to be opened for exclusive or shared use by a user or device that is exploiting or updating its contents. Backup software, backup schemes and rotations, and backup administrators hate open files for the following reasons:

Open files...

Mb

Note: You need at least 100MB free space to create a shadow copy. Note: The default schedule creates two shadow copies per day. Avoid creating shadow copies more frequently than once an hour. Figure 20-10: The Settings dialog box for configuring shadow copies. You can now configure Shadow Copy properties to suit your needs. The Storage Volume option is for specifying where to store the shadow copies of the selected volume. The default is to use the same volume. Microsoft recommends that you use a...

Windows Server user accounts

A Windows Server 2003 user account can be a domain account or a local account. As you first install any version of Windows Server 2003 or promote a server to a domain controller, a number of domain and local accounts are automatically created. If you install Active Directory on a server (that is, if you promote it to a domain controller), the local accounts are disabled. Domain accounts, or network accounts, are User account objects that are stored in Active Directory and that are exposed to the...

Figure: SMTP processing incoming messages

For local recipients, delivery ends when the message is placed in the Drop folder. The process for remote delivery is different. SMTP attempts to connect to the receiving mail server. If the server can't be reached or a communications error occurs, SMTP places the message in the queue for later delivery at intervals you designate for the server in its Delivery property page (discussed later in this chapter). Once the receiving server acknowledges the message receipt, SMTP removes the message...

CHAP

This option enables the server to use Message Digest 5 Challenge Handshake Authentication Protocol (MD5-CHAP, or simply CHAP). CHAP uses a standard mechanism for encrypting the authentication response and is supported by several non-Microsoft remote access clients. As such, CHAP provides a means of supporting remote clients that do not support MS-CHAP or EAP (while still providing some level of encryption and security). The first step to enable remote clients to authenticate on a Windows...

Mapping out the DFS namespace for users

As Chapter 26 demonstrates, one of the wonders of Windows Server 2003 is the Distributed File System (DFS) namespace. A DFS is a good idea for a company of any size, and living without one is hard after you apply it to a distributed company with file servers in many cities or even across multiple campuses. The main hub for the mcity.us organization also supports a site in another town that has a busy file server, so we decided to build a DFS file system that spans both sites and provides a...

The AD replication schedule and notification

Active Directory intrasite replication topology is automatically configured by the KCC. This is how it works When changes are made at a DC, a timer begins a countdown from five minutes before peer domain controllers in the site are notified of the changes. As soon as notification goes out, the notified domain controllers immediately begin to pull changes from the source DC. This is the default topology created by the KCC. It will be accepted for intrasite replication and should not be changed....

EAP

Extensible Authentication Protocol (EAP) enables the client and server (or IAS, if used for RAS authentication) to negotiate an authentication method from a pool of methods supported by the server. Windows Server 2003 EAP provides support for two EAP types: EAP-MD5 CHAP and EAP-TLS. Both the client and authentication server must support the same EAP type for authentication through EAP, and you can install additional EAP types from third parties on a Windows Server 2003 server. EAP-MD5 CHAP functions...

Creating a custom replication topology

If the default ring, hub-and-spoke, or full mesh topologies don't suit your needs, you can create a custom topology. For example, you might use a mix of hub-and-spoke and full mesh to achieve the results you need. To create a custom replication topology, first run the Configure Replication Wizard and choose Custom as the topology type. After the wizard completes, right-click the target and choose Properties, and then click the Replication tab (see Figure 26-16). To modify the replication schedule...

Enabling or disabling routing

On occasion, you might need to enable or disable a router, such as taking the router down for maintenance. You can stop or pause the RRAS service to stop routing on all interfaces, or you can take down a specific interface. To stop, pause, or restart RRAS, open the RRAS console, right-click the server you want to manage, and choose the task you want to perform (stop, start, and so on) from the All Tasks menu. To take down a specific interface, open the RRAS console and then open the IP Routing...

Configuring authentication

As mentioned earlier in this chapter, Windows Server 2003 RRAS supports several authentication standards. You can configure RRAS to accept multiple authentication methods, and the server will attempt authentication using the selected protocols in order of decreasing security. For example, RRAS attempts EAP first if EAP is enabled, then MS-CHAP version 2, then MS-CHAP, and so on. You configure the authentication methods for RRAS through the Security page of the RRAS server's properties (accessed...

Internet Options applet

The Internet Options applet offers several property pages that enable you to configure settings for Internet Explorer and related programs such as Outlook Express and NetMeeting. General. Set the default home page, delete cached files, clear the URL history, and set general properties such as fonts, colors, languages, and accessibility features. Security. Use the Security page to configure the security level for various zones. A zone is a group of Web sites that share a common security level. Click...

Backup batch files and Backup scripts

Backup is accessible at the command line just as its predecessors on Windows 2000 and Windows NT were, and if running backup from the command line does not solicit a response from the server, try NTbackup. You still call the software by using NTBackup, so your Windows 2000 and NT 4.0 backup scripts can be easily ported; however, not all commands are supported by NTBackup on Windows Server 2003. You can type the command-line parameters and switches at the command line or prompt, and the OS loads...

Configuring multiple addresses on a DNS server

By default, the DNS service responds on all IP addresses bound to the server. You face no real performance penalty in enabling the DNS service to respond on all bound IP addresses, but in some situations, you may want to reduce the addresses to only those that you specifically want associated with the DNS service. You might allocate two addresses that are always used for DNS, but, in effect, reserve the other IP addresses on the server for other uses. Assume, for example, that you have the...

Fixing RAID redundancy failures

If the status of any volume reports Failed Redundancy, Failed Redundancy (At Risk), or just Failed, use one of the following procedures to fully recover it. Procedure 1: To reactivate a volume in Failed Redundancy state, try the following: 1. In the Disk Management snap-in, switch to Graphical View by selecting View O Bottom O Graphical View. 2. If a disk hosting the volume is listed in Missing, Offline, or Online (Errors) state, right-click it and select Reactivate Disk. If the reactivation...

Refresher: Client/server computing model

The popularity of the client/server computing model is probably best exemplified by the phenomenon of the Internet. Clients connect to it and request information and services, typically in the form of news, e-mail, or files. Web servers handle almost all the data processing; the clients handle the rendering of the images and the user interface. By placing the majority of the workload on a server, the client does not require any significant amount of processing power, services, memory, or storage. In...

SAM and LSA authentication

The Windows Server 2003 SAM is inherited from the Windows 2000 SAM and works the same. It no longer, however, plays a part in network domain management. Standalone and member servers use the Windows Server 2003 SAM to authenticate or validate users that have local accounts, including autonomous processes. The SAM is still buried in the registry and plays an important role in Windows Server 2003, and it is an integral part of the Local Security Authority (LSA). LSA authentication exists for...

Netstat

The netstat command provides three primary functions: monitoring connections to remote hosts, viewing protocol statistics for a connection, and extracting the IP address of a host to which you've connected using domain names (or determining the domain name if connected by address). The syntax for netstat is as follows: netstat [-a] [-e] [-n] [-o] [-s] [-p protocol] [-r] [interval]. Table 15-15 describes the options you can use with netstat. Table 15-15: netstat Command Switches. -a Displays all connections Show all...

Bandwidth Allocation Protocol and Bandwidth Allocation Control Protocol

The Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP) enable Windows Server 2003 RAS to dynamically add or remove links in a multilink PPP connection as bandwidth requirements for the connection change. When bandwidth utilization becomes heavy, RAS can add links to accommodate the increased load and enhance performance. When bandwidth utilization decreases, RAS can remove links to make the connection more cost efficient. You configure BAP policies through a...

DHCP relay agent

A DHCP relay agent (BOOTP relay agent) functions as a sort of DHCP proxy, enabling DHCP clients on a given IP subnet to acquire IP leases from DHCP servers on other subnets. The DHCP relay agent relays messages between DHCP clients and DHCP servers. The DHCP relay agent component provided with Windows Server 2003 RRAS serves that function. Figure 18-8 illustrates a Windows Server 2003 functioning as a DHCP relay agent. Note The DHCP relay agent can't run on a Windows Server 2003 that also is...

Administrator account abuse

Domain Administrator accounts are the first accounts a forest founder uses to establish both the root domain and child domains. Usage of the Administrator account in all domains should be discontinued as soon as the domains are created and administrative accounts are set up (see the following section, Using admin accounts). In earlier implementations of Active Directory and the Windows operating system, the Administrator account was often hidden and renamed, and provided a very long and complex...

Setting up a multicast forwarder

The first step in configuring a multicast forwarder is to add the IGMP protocol to the router. In the RRAS console, open the IP Routing branch of the designated server, right-click General, and choose New Routing Protocol. Select IGMP from the list and click OK to add it to the IP Routing branch. Next, add at least one interface for IGMP. Right-click IGMP in the left pane and choose New Interface. Alternately, select IGMP in the left pane and right-click anywhere in the right pane and choose...

Forcing EFS use

In some situations, particularly with notebook computers that contain sensitive data, you may want to force the use of EFS. Because encryption and decryption happen transparently to the user, forcing the use of EFS doesn't affect the user in any way and ensures that if a notebook is stolen, then the files on it are relatively safe from compromise. To force EFS use, format the drives on the computer by using NTFS. Apply object permissions to folders to prevent the user from storing documents in...

Group Policy refresh rate

The default refresh rate is every 90 minutes. Thus, any changes made to the GP that apply to a particular user or computer become effective only during this default period. You can change the default by using the GP setting in Administrative Templates. A setting of zero forces the refresh to kick off every seven seconds. You would configure a narrower refresh interval for tighter security application or for a specialized processing situation. The default refresh rate seems long and can be...

Windows memory management

Windows 2003's handling of memory is almost identical to that of Windows 2000 Server in that it has been vastly improved over Windows NT 4.0. It consists of a memory model based on a flat, linear, albeit still 32-bit, address space. Two types of memory are used in the Windows 2003 operating system. First is physical memory, which includes the memory in the RAM chips installed on the system motherboard, typically in the form of SDRAM, DDR RAM, or Rambus RAM. Second is virtual memory, which is a...

Configuring L2TP over IPSec filters

Unlike PPTP, which uses Microsoft Point-to-Point Encryption (MPPE), L2TP relies on IP Security (IPSec) to provide encryption to secure the VPN connection. You therefore need to configure IPSec filters accordingly on the RRAS server's public interface to restrict all but L2TP traffic. This will ensure that only secure L2TP traffic moves through the RRAS server. To configure the filters, first note the IP address of the RRAS server's public interface (the one connected to the Internet). Then,...

Creating a user account

In the example in this section, we're creating user accounts for the Driver Compensation Program (DCP) in Millennium City. They exist in the DCP OU, which resides in the CITYHALL domain. Let's assume you have created the DCP OU. Select the domain, right-click the DCP OU, and choose New O User from the pop-up menu. The New Object - User dialog box opens, as shown in Figure 13-5. The most important information that you need here is either the old SAM account name of the user who is connecting or...

Site link bridge

A site link bridge creates transitivity between a set of site links. If a site link over a slow WAN connects City Hall to DITT (CH-DITT) and a slow link connects One-Police-Plaza to Parks and Recreation (OPP-PRKS), then a site link bridge called CH-PRKS connects City Hall to Parks and Recreation. The bridge thus allows the domain controllers in the City Hall hub to create replication connections with the domain controllers in the One Police Plaza hub. In other words, the site link bridge...

Configuring a client to use class IDs

You can assign multiple class IDs to Windows 2000 and Windows XP clients, although only the last one assigned is actually used to retrieve DHCP data. Each client, by default, assumes the class ID Default BOOTP Class, which enables Windows 2000/XP clients that require BOOTP to retrieve settings from the DHCP server. If you assign any other class IDs, however, the class ID assigned last takes precedence and the client takes on all global scope options plus the scope options assigned to that last...

Architecting Group Policy

An architecture for GP creation and application is outlined in the following sections. First, you must consider the base policies to be implemented, and these are listed in Table 14-4. Notice the naming convention that we have chosen to use here. Later we will focus on one policy in particular as an example of application. FirstDomainControllersPolicy SecondDomainControllersPolicy Defines the base and required security, account, and audit policy for the domain. This policy is created for...

Creating and deleting DFS roots

You can create a standalone or domain-based root using the DFS console. You can create either type on a member server or domain controller. You are not restricted to creating domain-based DFS roots only on domain controllers. In addition, you can use the DFS console to create a DFS root on any appropriate target server in the network; you are not restricted to creating a DFS root only on the local computer. You can create multiple DFS roots on a server. To create a DFS root, open the DFS...

Motherboards

The motherboard is, in many ways, the most important component in your computer (not the processor, although the processor gets much more attention). If the processor is the brain of the computer, the motherboard and its major components (the chipset, BIOS, cache, and so on) are the major systems that this brain uses to control the rest of the computer. Having a good understanding of how the motherboard works is probably the most critical part of understanding the PC. The motherboard plays an...

How EFS works

EFS process

EFS employs public-key encryption and the CryptoAPI architecture to encrypt and protect files. Windows Server 2003 encrypts each file with a unique, randomly generated file-encryption key. These keys are independent of the user's public/private-key pair. By using a different key for each file, Windows Server 2003 provides a very secure encryption method that is difficult to compromise at all, much less on a widespread basis (decrypting an entire volume of encrypted files, for example). The...

Delegating printer and document administration

Delegating responsibility for the management of print jobs and printers is important, especially in large organizations. Instead of sending all the problems that users have with printers to one person, you should set up two printer groups per OU and assign people from the OU to deal with the OU's printer problems and needs, assuming you have the staff. The following list is a suggestion for the two groups: Print Job Admins. Members of this group can manage print jobs, including pause, restart,...

How replication works

Replication has been well designed because it is so important to Active Directory infrastructure, and Microsoft has gone to great lengths to ensure that the most up-to-date changes are distributed as efficiently and effectively as possible, without placing undue stress on already overloaded networks. In this regard, the following three crucial duties are performed by the replication algorithms Identifying which changes must be replicated Preventing unnecessary replication The DC replication...

Maintaining terminal sessions across clusters

Even though the Terminal Services installation is supported on a Windows Server 2003 server cluster (which was not the case on the Windows 2000 platform), Terminal Services in such a configuration is neither load balanced nor highly available. Load balancing, however, can be accomplished by setting up Terminal Services as part of an NLB cluster (or by using other network load-balancing solutions). One of the problems that must be solved in this case is the capability to gracefully handle...

Deploying DHCP servers

DHCP (Dynamic Host Configuration Protocol) is used to provide DHCP clients with IP configuration details. IP configuration details include IP address, subnet mask, default gateway, primary and secondary DNS (Domain Naming Service) servers, primary and secondary WINS servers, domain name and NetBIOS node type, and so forth. DHCP configuration provides the primary and alternate DNS server configuration for all dynamically addressed computers. If a dynamically addressed client cannot access DNS...

Loading and unloading hives

Regedit provides the capability to load and unload individual hives, which is useful for managing individual hives from another system or managing user registries. For example, you might use Regedit to edit the hive of a system that won't boot, repairing the damage so you can replace the hive on the target system and get it running again. You also can load a user's copy of Ntuser.dat to modify the user's registry settings. Loading a hive affects only the HKLM or HKU keys, so you must first...


Setting root hints

Root hints direct a name server to the root servers for domains at a higher level or in different subtrees of the DNS namespace, and, in effect, provide a road map for a DNS server to resolve queries for domains outside of its area of authority. For DNS servers connected to the Internet, the root hints should point to the Internet root name servers. For DNS servers that provide services only to a private network, the root hints should point to the root server(s) for your domain or organization....