A Site Design

As part of the design of Active Directory directory service, you should examine the network topology and determine if you need to manage network traffic between subnets or business locations. To manage network traffic related to Active Directory, you use sites, which can be used to reflect the physical topology of your network. Every Active Directory implementation has at least one site. An important part of understanding sites involves understanding Active Directory replication. Active...

Accessing Shares for Administration

As Figure 21-5 shows, administrators can view information about existing shares on a computer, including the special shares, by using Computer Management. In Computer Management, expand System Tools and Shared Folders, and then select Shares. Figure 21-5. Use Computer Management to access shared folders. If you want to work with shares on a remote computer, right-click the Computer Management node in the left pane and select Connect...

Accessing the Event Logs and Viewing Events

You can view the event logs using Event Viewer, as shown in Figure 15-9. Event Viewer is a Microsoft Management Console (MMC) snap-in that can be started from the Administrative Tools menu or by typing eventvwr at the command line. The main view shows event logs by name and also displays the current size of each log. When you select the log you want to view in the left pane, the events recorded in the log are displayed in the right pane. Figure 15-9. The main view in Event Viewer lists the...

Activation Sequence

After you install Windows Server 2003, you should configure TCP/IP networking as discussed in Chapter 24, "Managing TCP/IP Networking." If the type of licensing you are using requires product activation after installation, you should activate Windows within 60 days of installation. You have several activation options. Activate Windows over the Internet Before you activate Windows over the Internet, you should change the Enhanced Security Configuration settings...

Active Directory Can Replicate Selectively

In Windows 2000, administrators can create primary DNS zones that are integrated with Active Directory (not surprisingly, these are called Active Directory-integrated primary zones). The major benefits of integrated zones are that all DNS information is stored in Active Directory and DNS information is automatically replicated with other Active Directory information to domain controllers throughout the domain. These benefits can also be detriments, however, in cases involving large numbers of...

Active Directory Data Distribution

Active Directory uses partitions to help distribute three general types of data: domain-wide data, which is data replicated to every domain controller in a domain; forest-wide data, which is data replicated to every domain controller in a forest; and application data, which is data replicated to an arbitrary set of domain controllers. Every domain controller stores at least one domain directory partition as well as two forest-wide data partitions: the schema partition and the configuration partition....

Active Directory Logical Architecture

Active Directory's logical layer determines how you see the information contained in the data store and also controls access to that information. The logical layer does this by defining the namespaces and naming schemes used to access resources stored in the directory. This provides a consistent way to access directory-stored information regardless of type. For example, you can obtain information about a printer resource stored in the directory in much the same way that you can obtain...

Active Directory Namespaces and Partitions

Any data stored in the Active Directory database is represented logically as an object. Every object in the directory has a relative distinguished name (RDN). That is, every object has a name relative to the parent container in which it is stored. The relative name is the name of the object itself and is also referred to as an object's common name. This relative name is stored as an attribute of the object and must be unique for the container in which it is located. Following this, no two...

Adding Flat or CD-ROM Images to RIS

RIPrep is very useful in that it can create complete system images, but as with unattended installations, you can also use flat or CD-ROM images that include integrated service packs. All you must do is place an I386 or Intel Architecture 64 (IA-64) folder for whichever operating system you want to install on the RIS server, and then RIS clients can use that flat image. As discussed in Chapter 5, you can integrate service packs into this distribution folder and configure optional answer files...

Adding Network Attached Printers

Network-attached printers are printers that have their own network cards. Typically, a network-attached printer is a workgroup-class printer for use by groups of users. Most network-attached printers use the RAW protocol or the LPR protocol to communicate over a standard TCP/IP port. This includes network-attached printers that use TCP/IP as well as those that use network devices such as Hewlett-Packard JetDirect or Intel NetPort. Note: All printers configured for sharing on Windows Server 2003...

Adding Resource Records

When you create a zone in Windows Server 2003, several records are created automatically. For a forward lookup zone, these records include an SOA record, an NS record, and an A record. The SOA record contains information about how resource records in the zone should be used and cached. The NS record contains the name of the authoritative name server, which is the server on which the zone was configured. The A record is the host address record for the name server. For a reverse lookup zone,...

Analyzing NTFS Volumes by Using ChkDsk

Disk analysis for NTFS volumes is performed in three stages, and ChkDsk reports its progress during each stage, as shown in this sample report:
The type of the file system is NTFS.
CHKDSK is verifying files (stage 1 of 3)
CHKDSK is verifying indexes (stage 2 of 3)
CHKDSK is verifying security descriptors (stage 3 of 3)
Security descriptor verification completed.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows found problems...

Answer File Settings Used in Product CD-Based Unattended Installations

When using the Windows Server 2003 CD for unattended installations, you should be aware of certain key answer file settings. There are four settings in the Data section that directly pertain to an automated installation from CD: AutoPartition, set to 1 to disable the Tempdrive command-line parameter; MsDosInitiated, set to 0 to specify an unattended installation from a Windows Server 2003 CD; UnattendedInstall, which must be set to Yes for an unattended installation from a Windows Server 2003 CD....

Architecting DNS Infrastructure

The Domain Name System (DNS) is an Internet Engineering Task Force (IETF) standard name service. Its basic design is described in Requests for Comments (RFCs) 1034 and 1035, and it has been implemented on many operating systems, including UNIX and Microsoft Windows. All versions of Windows automatically install a DNS client as part of Transmission Control Protocol/Internet Protocol (TCP/IP). To get the server component, you must install the DNS Server service. All...

Architecture

Active Directory is an extensible directory service that enables you to manage network resources efficiently. A directory service does this by storing detailed information about each network resource, which makes it easier to provide basic lookup and authentication. Being able to store large amounts of information is a key objective of a directory service, but the information must also be organized so that it is easily searched and retrieved. Active Directory provides for authenticated search...

Archiving Event Logs

In most cases, you'll want to have several months' worth of log data available in case you must go back through the logs and troubleshoot. One way to do this, of course, is to set the log size so that it is large enough to accommodate this. However, this usually isn't practical because individual logs can grow quite large. So, as part of your routine, you might want to archive the log files on critical systems periodically, such as for domain controllers or application servers. To create a log...

Associating an Answer File with a RIS Image

To automate a RIS installation, you must associate an answer file with the specific operating system image. To associate a remote boot .sif file with a RIS installation image, follow these steps:
1. Locate the server running RIS in Active Directory Users and Computers.
2. Double-click the computer account entry, then click Advanced Settings in the Remote Install tab.
3. In the Images tab of the Advanced Settings dialog box, click Add.
4. Select Associate A New Answer File To An Existing Image, then...

Auditing Printer Access

Auditing printer access can help you track who is accessing printers and what they are doing. You configure auditing policies on a per-printer basis. In Printers And Faxes, right-click the printer to be audited, and then select Properties. In the Properties dialog box, select the Security tab, and then click Advanced. In the Advanced Security Settings dialog box, select the Auditing tab, shown in Figure 29-25. Figure 29-25. Specify to which users and groups auditing should apply....

Auditing Terminal Services Access

Auditing Terminal Services access can help you track who is accessing Terminal Services and what they are doing. You configure auditing policies per server. Click the Terminal Services Configuration tool, select Connections, and then, in the details pane, right-click the connection you want to work with and select Properties. In the Properties dialog box, select the Permissions tab, and then click Advanced. In the Advanced Security Settings dialog box, select the Auditing tab, shown in Figure...

Authentication and Trusts Across Forest Boundaries

Authentication and trusts can be established across forest boundaries as well. As discussed in Chapter 32, while you are upgrading your network to implement Active Directory, you can establish external trusts to Windows NT domains to ensure that Windows NT domains continue to be available to users. One-way external trusts, such as the one depicted in Figure 33-9, are nontransitive. This means that if, as in the example, a trust is established between domain H and domain L only, a user in any...

Backup and Recovery

Developing Backup Strategies; Backing Up and Recovering Your Data; Troubleshooting Startup and Shutdown. In this chapter, I look at backup and recovery. Every Microsoft Windows Server 2003 system on your network represents a major investment in time, resources, and money. It requires a great deal of planning and effort to deploy a new server successfully. It requires just as much planning and effort, if not more, to ensure that you can restore a server when disaster strikes. Why? Because you not...

Basic Disks

This chapter introduces Microsoft Windows Server 2003 storage management. Data is stored throughout the enterprise on a variety of systems and storage devices, the most common of which are hard disk drives but also can include storage management devices and removable media devices. Managing and maintaining the myriad of systems and storage devices is the responsibility of administrators. If a storage device fails, runs out of space, or encounters other problems, serious negative consequences...

Booting from SANs and Using SANs with Clusters

Windows Server 2003 supports booting from a SAN, having multiple clusters attached to the same SAN, and having a mix of clusters and stand-alone servers attached to the same SAN. To boot from a SAN, the external storage devices and the host bus adapters of each server must be configured appropriately to allow booting from the SAN. When multiple servers must boot from the same external storage device, either the SAN must be configured in a switched environment or it must be directly attached...

Canonical Name (CNAME) Records

Canonical Name (CNAME) records create aliases for host names. This allows a host to be referred to by multiple names in DNS. The most common use is when a host provides a common service, such as World Wide Web (WWW) or File Transfer Protocol (FTP) service, and you want it to have a friendly name rather than a complex name. For example, you might want www.cpandl.com to be an alias for the host dc06.cpandl.com. To create an alias for a host name in the DNS console, expand the node for the primary...

Changing Standard TCP/IP Port Monitor Settings

The standard TCP/IP port monitor settings determine how a print server connects to a network-attached printer. As discussed previously, most network-attached printers use the RAW protocol or the LPR protocol to communicate over a standard TCP/IP port. If the Add TCP/IP Port Wizard had problems detecting a network-attached printer, the chances are good that the printer was set up to use the LPR protocol rather than the RAW protocol. Unfortunately, most current printers use the RAW protocol, including...

Check the Client's Resolver Cache

If you don't see a problem with the client's DNS configuration, you will want to check the client's DNS resolver cache. All systems running Windows 2000 or later have a built-in DNS resolver cache that caches resource records from query responses that the DNS Client service receives. When performing lookups, the DNS client first looks in the cache. Records remain in the cache until one of the following events occurs: their Time to Live (TTL) expires, or the system or the DNS Client service is...

Check the Client's TCP/IP Configuration

If the problem has to do with the client making lookups, start by checking the DNS servers configured for the client to use. You can display this information by typing netsh interface ip show config. The output will show you the basic TCP/IP configuration, including the primary DNS server for the client. If the DNS server is configured through DHCP, the output will look similar to the following:
Configuration for interface Local Area Connection
InterfaceMetric 0
DNS servers configured through...

Chicago-First-Site

I've used dashes instead of spaces, following the style Active Directory uses for the default site. I've named the sites City-First-Site rather than City-Site to allow for easy revision of the site architecture to include additional sites at each location. Now, if a location receives additional sites, the naming convention is very clear, and it is also very clear that if you have a Seattle-First-Site, Seattle-Second-Site, and Seattle-Third-Site, these are all different sites at the Seattle...

Choosing Domain and Forest Functional Levels

In evaluating the upgrade or migration path, determine the forest and domain functional levels needed for your network environment (functional levels determine the types of domain controllers and features supported). Table 7-2 shows the types of domain controllers supported by each functional level. Table 7-2. Domain Controllers and Functional Levels. Types of Domain Controllers on Network: Windows NT 4, Windows 2000, Windows Server 2003...

Choosing Views and Controlling the Display

System Monitor can present counter statistics in several different ways. By default, it graphs the statistics. A graph is useful when you are tracking a limited number of counters because you can view historical data for each counter that you are working with. By default, System Monitor samples the counters once every second and updates the graph. This means at any given time there can be up to 100 seconds worth of data on the graph. If you increase the sample interval, you can get more...

Compressed (Zipped) Folders

Compressed (zipped) folders are another option for compressing files and folders. When you compress data using this technique, you use Zip compression technology to reduce the number of bits and bytes in files and folders so that they use less space on a disk. Compressed (zipped) folders are identified with a zipper on the folder icon and are saved with the .zip file extension. Note: At the time of this writing, compressed (zipped) folders were not available on 64-bit editions of Windows...

Configuring Account Options

Every user account created in Active Directory has account options that control logon hours, the computers to which a user can log on, account expiration, and so on. To manage these settings for a user, double-click the user account in Active Directory Users And Computers, and then select the Account tab, as shown in Figure 37-8. Figure 37-8. Display of logon settings in the User Account Properties dialog box. Below the general account name fields, the account options areas are divided into...

Configuring DHCP Audit Logging

Audit logging is enabled by default for the DHCP Server service and is used to track DHCP processes and requests in log files. The DHCP logs are stored in the %SystemRoot%\System32\DHCP folder by default. In this folder you'll find a different log file for each day of the week. For example, the log file for Monday is named DhcpSrvLog-Mon.log. When you start the DHCP Server service or a new day arrives, a header message is written to the log file. As shown in Listing 25-1, the header provides a...

Configuring Drive Letters

Each primary partition, logical drive, or volume on a disk can have one drive letter and one or more drive paths associated with it. You can assign, change, or remove drive letters and mount points at any time without having to restart the computer. Windows Server 2003 also allows you to change the drive letter associated with CD/DVD-ROM drives. You cannot, however, change or remove the drive letter of a system volume, boot volume, or any volume that contains a paging file. Additionally,...

Configuring Forwarders and Conditional Forwarding

In a normal configuration, if a DNS name server can't resolve a request, it forwards the request for resolution. A server to which DNS queries are forwarded is referred to as a forwarder. You can specifically designate forwarders that should be used by your internal DNS servers. For example, if you designate your ISP's primary and secondary name servers as forwarders, queries that your internal name servers can't resolve will be forwarded to these servers. Forwarding still takes place, however,...

Configuring Printer Permissions

To view or manage the permissions of a printer, right-click the printer in the Printers And Faxes folder, and then select Properties. In the Properties dialog box, select the Security tab, shown in Figure 29-22. You can now view the users and groups that have printer permissions and the type of permissions they have. (Figure 29-22: the printer Properties dialog box, with tabs General, Sharing, Ports, Advanced, Color Management, Security, Device Settings, Settings, and Consumables.)...

Configuring RAID Disk Mirroring

For RAID 1, disk mirroring, you configure two volumes on two drives identically. Data is written to both drives. If one drive fails, there is no data loss because the other drive contains the data. After you repair or replace the failed drive, you can restore full mirroring so that the volume is once again fault tolerant. By using disk mirroring, you gain the advantage of redundancy. Because disk mirroring doesn't write parity information, mirrored volumes can usually offer better write...

Configuring Server Roles

The next step in the installation process is to install the networking services that are needed for the server. To install the networking services, you can use either of two approaches: use wizards or manually add services. In Windows Server 2003, Microsoft has added a set of wizards that allow you to configure the server to support different roles, such as an Application Server with Internet Information Server (IIS) or a Domain Controller with Active Directory. The wizards...

Configuring Storage

When you install disks, you must configure them for use by choosing a partition style and a storage type to use. After you configure drives, you prepare them to store data by partitioning them and creating file systems in the partitions. Partitions are sections of physical drives that function as if they were separate units. This allows you to configure multiple logical disk units even if a system has only one physical drive and to apportion disks appropriately to meet the needs of your...

Configuring Subdomains and Delegating Authority

Your organization's domain structure is separate from its zone configuration. If you create subdomains of a parent domain, you can add these subdomains to the parent domain's zone or create separate zones for the subdomains. When you create separate zones, you must tell DNS about the other servers that have authority over a particular subdomain. You do this by telling the primary name server for the parent domain that you've delegated authority for a subdomain. When you add subdomains of a...

Configuring TCP/IP Options

The messages clients and servers broadcast to each other allow you to set TCP/IP options that clients can obtain by default when they obtain a lease or can request if they need additional information. It is important to note, however, that the types of information you can add to DHCP messages are limited in several ways: DHCP messages are transmitted using User Datagram Protocol (UDP), and the entire DHCP message must fit into the UDP datagram. On Ethernet with 1500-byte datagrams, this leaves...

Configuring the CIW

The Client Installation Wizard (CIW) is the first user interface (UI) displayed on the target computer during RIS-based installation. The CIW, also called OSChooser, is a text-based tool that guides the user through the initial steps of the installation process. Administrators can configure the CIW to provide a customized list of available operating systems. When a client connects to the RIS server, the service sends a startup boot file to the target computer (by default, Startrom.com stored in...

Configuring Zone Transfers

Zone transfers are used to send a read-only copy of zone information to secondary DNS servers, which can be located in the same domain or in other domains. Windows Server 2003 supports three zone transfer methods: standard zone transfers, in which a secondary server requests a full copy of a zone from a primary server; incremental zone transfers, in which a secondary server requests only the changes that it needs to synchronize its copy of the zone information with the primary server's copy;...

Connecting Users to Shared Printers

Once a printer is configured and shared, users on client machines can connect to it. The technique is similar for all versions of Windows. Accessing Shared Printers on Windows 95, Windows 98, or Windows NT 4 For Windows 95, Windows 98, or Windows NT 4 clients, you install a printer by completing the following steps:
1. With the user logged on, double-click the Printers icon in Control Panel, or select Settings in the Start menu and then choose the Printers option.
2. Double-click the Add...

Copying File Share Permissions

Whether you are setting up a new file share with the same permissions as an existing file share or configuring a new file server with the same file shares as a server you are decommissioning, you can use PermCopy to help you out. PermCopy is a tool that you can use to copy share permissions from one file share to another. Not only will this save you time, but it will also ensure that share permissions are exact, something that is often hard to do if you have a complicated permission set or a...

Copying the Administrator Profile

Okay, you logged on as the administrator and optimized the configuration, which is a good thing. Now you want the configuration settings to be available to other users, and to do this, you must copy the Administrator profile. The problem is you can't copy the Administrator profile while logged on as the administrator. Resolve this problem by creating a new local user on the computer and then logging on as this user so that you can copy the profile. To create a new user account on the...

Create Manual Snapshots from the Command Line

When you enable shadow copying, snapshots of shared folders are created automatically according to the default run schedule. If you ever want to make a snapshot manually, you can do this using the CREATE SHADOW command. Type vssadmin create shadow /for=ForVolumeSpec, where ForVolumeSpec is the local volume for which you are creating the snapshot. Consider the following example:
vssadmin create shadow /for=E:
Here, you create a snapshot of shared folders on the E volume.

Creating a Site Design

Dedicated 128-Kbps or 256-Kbps links. Larger organizations with 250 or more users at branch locations may need to scale up. Following the previous example, the Chicago-based company would probably be best served by having separate sites at each network location. With this in mind, the site-to-network mapping would be as shown in Figure 35-11. By creating the additional sites at the other network locations, you help control replication over the slow links, which can significantly improve the...

Creating an OU

You can create OUs in Active Directory Users And Computers. As long as you use an account that is a member of the Administrators group, you'll be able to create OUs anywhere in the domain. The only exception is that you cannot create OUs within the default containers cre Note: Note that you can create OUs within the Domain Controllers container. This is possible because this container is created as an OU. Creating OUs within Domain Controllers is useful if you want to organize domain...

Creating and Managing Taskpads

Any console tool that has at least one snap-in can have an associated taskpad. To create a taskpad, you must open the console in author mode, then follow these steps:
1. Right-click the console item that you want the taskpad to manage, and choose New Taskpad View to start the New Taskpad View Wizard. Keep in mind that a single taskpad can be used to manage multiple console items, and in this case, you are simply designating the object that should have initial focus when working with the...

Creating and Managing Tasks

You create tasks by using the New Task Wizard. By default, this wizard starts automatically when you finish creating a taskpad view. You can start the wizard using the taskpad Properties dialog box as well. Right-click the item where you defined the taskpad, and then select Edit Taskpad View from the shortcut menu. In the Tasks tab, click New. Once the New Task Wizard is started, click Next, and then select the command type as follows: choose Menu Command to run the standard menu options of...

Creating Forward Lookup Zones

To create the initial forward lookup zone or additional forward lookup zones on a server, follow these steps:
1. In the DNS console, expand the node for the server you want to work with. Right-click the Forward Lookup Zone entry, and then choose New Zone. Afterward, in the New Zone Wizard, click Next.
2. Select the zone type. Choose one of the following options, and then click Next: Primary Zone. Use this option to create a primary zone and designate this server to be authoritative for the zone....

Creating Performance Alerts

You can use performance alerts to notify you and others when certain events occur or when certain performance thresholds are reached. You can also use performance alerts to generate events that are logged in the Application event log and to start applications and performance logs. After you select the Alerts node in the left pane of Performance Monitor, you should see a list of current alerts (if any) in the right pane. A green log symbol next to an alert, as shown in the following screen,...

Creating Run As Shortcuts for Secondary Logons

You want it to be as easy as possible to use the secondary logon. If you don't, you'll probably be tempted to use the account with Administrator privileges all the time rather than only when needed. With this in mind, one way to make it easier to work with the secondary logon is to create Run As shortcuts for commonly used tools. You can also modify the menu to use Run As shortcuts instead of running tools directly. Creating Run As Shortcuts on the Desktop To create Run As shortcuts on the...

Creating Shares by Using Computer Management

By using Computer Management, you can share the folders of any computer to which you can connect on the network. This is handy for when you are sitting at your desk and don't want to have to log on locally to share a server's folders. After you start Computer Management, you can connect to the computer you want to work with by right-clicking Computer Management in the console tree and then selecting Connect To Another Computer. Use the Select Computer dialog box to choose the computer you want...

Creating Shares by Using Windows Explorer

By using Windows Explorer, you can share folders on the computer to which you are logged on. In Windows Explorer, right-click the folder you want to share, and select Sharing And Security. This displays the folder's Properties dialog box with the Sharing tab selected. Select Share This Folder, as shown in Figure 21-6. Figure 21-6. Configuring sharing using the folder's Sharing tab. In the Share Name field, type a name for the...

Customizing the Desktop and the Taskbar

By default the only items on the Windows Server 2003 desktop are the Recycle Bin and the taskbar. That's it. Everything else has been cleared away to allow you to customize the desktop anyway you want. The problem is that some of the missing items, such as My Computer, My Network Places, and Internet Explorer, were pretty useful, or at least most of us have grown so accustomed to having the items on the desktop that we expect them to be there. So, if you're like me, the first thing you'll want...

Defining Objectives and Scope

A key aspect of planning any large-scale IT deployment of an operating system is determining the overall objectives for the deployment and the scope of users, computers, networks, and organization divisions that are affected. The fundamental question of scope is: What can you realistically expect to accomplish in the given time within existing project constraints, such as staffing and budget? Some of the objectives that you identified in the early stages of the project are likely to change as...

Defining the New Network Environment

Once you have determined the overall scope of your Windows deployment project and the associated network changes, you must develop the technical specifications for the project, detailing server configuration, changes to the network infrastructure, and so on. As much as possible, describe the process of transitioning to the new configuration. Care should be taken while developing this document because it will serve as the road map for the actual transition, much of which is likely to be done by...

Delegated Authentication Essentials

In Windows 2000, this functionality is provided using Kerberos authentication, either using proxy tickets or using forwarded tickets. With proxy tickets, the client sends a session ticket request to a domain controller acting as a KDC, asking for access to the back-end server. The KDC grants the session ticket request and sends the client a session ticket with a PROXIABLE flag set. The client can then send this ticket to the front-end server, and the front-end server in turn uses this ticket to...

Deleting User Accounts

Each user account created in the domain has a unique security identifier (SID) and that SID is never reused. If you delete an account, you cannot create an account with the same name and regain all the same permissions and settings. The SID for the new account will be different than the old one, and you will have to redefine all the necessary permissions and settings. Because of this, you should delete accounts only when you know they are not going to be used again. If you are unsure, disable...

Design Considerations for Active Directory Replication

As you learned in the previous chapter, the physical structure of Active Directory is tightly integrated with the security architecture of the Microsoft Windows operating system. At a high level, Active Directory provides interfaces to...

Determining Effective Permissions

Navigating the complex maze of permissions can be daunting even for the best administrators. Sometimes it won't be clear how a particular permission set will be applied to a particular user or group. If you ever want to know exactly how the current permissions will be applied to a particular user or group, you can use a handy tool called Effective Permissions. Effective Permissions applies only to file and folder permissions (not share permissions) and is an option of the Advanced Security...

Determining the Approach to Migration

You can use a variety of approaches when migrating the systems on your network. These approaches can be categorized as manual, scripted, automated, and user-driven. Manual Migration: The manual migration approach uses USMT and includes the following steps: 1. Acquire the user state information (by using Scanstate.exe). 2. Deploy the new operating system. 3. Load the new operating system with the user state information (by using Loadstate.exe). Tip: Manual migration is Information Technology (IT)...

Determining the Method of Automation

Although it is technically possible to install all of the computers interactively from a CD-ROM, for most firms (except perhaps for the very smallest) this sort of installation is not very practical. For most companies, automating the installation process is a necessary approach and is implemented using one of three methods: Creating an Unattend.txt file: When you create an Unattend.txt file, you create a file that contains answers to all the questions that Setup asks. You can then run the...

Developing a Forest Plan

Forest planning involves developing a plan for the namespace and administration needs of the organization as a whole. As part of this planning, you should decide who are the owners of the forest or forests implemented. From an administration standpoint, the owners of a forest are the users who are the members of the Schema Admins and Enterprise Admins groups of the forest as well as users who are members of the Domain Admins group in the root domain of the forest. Although these users have...

DHCP Essentials

DHCP also provides a way to assign a lease on an address permanently. To do this, you can create a reservation by specifying the IP address to reserve and the Media Access Control (MAC) address of the computer that will hold the IP address. The reservation thereafter ensures the client computer with the specified MAC address always gets the designated IP address. Note: MAC addresses are tied to the network interface card (NIC) of a computer. If you remove a NIC or install an additional NIC on a...

DHCP Security Considerations

Anyone with access to the network can perform malicious actions that could cause problems for other clients trying to obtain IP addresses. A user could: Initiate a denial of service (DoS) attack by requesting all available IP addresses or by using large numbers of IP addresses, either of which could make it impossible for other users to obtain IP addresses. Initiate an attack on DNS by performing a large number of dynamic updates through DHCP. Use the information...

Disabling a Computer Account

Security issues, such as malicious viral attacks or rogue user actions, may require you to temporarily disable a computer account. Perhaps a critical software bug has caused an individual computer to repeatedly try to receive authentication from a domain controller. You disable a computer account to prevent it from authenticating until you fix the problem. You disable a computer account by right-clicking it in Active Directory Users And Computers and selecting Disable Account. This...

Distribution Folder on CD

An advantage to creating a distribution folder is that you can customize it and modify it as new security patches and service packs are added and as supported hardware or applications change. In some cases, however, using CD media for unattended installations is necessary. This could occur because of a lack of adequate network connectivity, for instance, or extreme network congestion. However, using CD media for installation requires that CDs and DVDs containing a copy of your distribution...

DNS Dynamic Updates and Security

Windows Server 2003 fully supports DNS dynamic updates. Dynamic updates are used in conjunction with DHCP to allow a client to update its A record if its IP address changes and allow the DHCP server to update the PTR record for the client on the DNS server. DHCP servers can also be configured to update both the A and PTR records on the client's behalf. Dynamic DNS is also supported for IPv6 AAAA records, which allows for dynamic updating of host addresses on systems that use IPv6 and DHCP. If...

DNS Queries and Security

A client that makes a query trusts that an authoritative DNS name server gives it the right information. In most environments, this works fine. Users or administrators specify the initial DNS name servers to which DNS queries should be forwarded in a computer's TCP/IP configuration. In some environments where security is a major concern, administrators might be worried about DNS clients getting invalid information from DNS name servers. Here, administrators might want to look at the DNS...

Establishing External, Shortcut, Realm, and Cross-Forest Trusts

All trusts, regardless of type, are established in the same way. For all trusts there are two sides: an incoming trust and an outgoing trust. To configure both sides of the trust, keep the following in mind: For domain trusts, you need to use two accounts, one that is a member of the Domain Admins group in the first domain and one that is a member of the Domain Admins group in the second domain. If you don't have appropriate accounts in both domains, you can establish one side of the trust and...

Establishing Performance Baselines

One of the key reasons for tracking performance information is to establish a baseline for a computer that allows you to compare past performance with current performance. There are several types of baselines you can use, including the following: Postinstallation baselines: A postinstallation baseline is a performance level that is meant to represent the way a computer performs after installing all the system components, services, and applications that will be used on the system. Typical usage...

Exchange Server and Windows Server

You should be aware of a number of critical issues if you are running Exchange 2000 Server and are planning to install Windows Server 2003 domain controllers. Although you can work around all of the issues, you must plan for Windows Server 2003 with Exchange 2000 Server in mind. Some of the problems and their solutions are simple: Exchange 2000 Server won't run on Windows Server 2003. The solution is easy: Keep enough servers running Windows 2000 to host Exchange 2000 Server, or upgrade to...

Exporting and Importing Quota Entries

If you want to use the same quotas on more than one NTFS volume, you can do this by exporting the quota entries from one volume and importing them on another volume. When you import quota entries, if there isn't a quota entry for the user already, a quota entry will be created. If a user already has a quota entry on the volume, you'll be asked if you want to overwrite it. To export and import quota entries, access Disk Management, right-click the volume on which you want to enable quotas, and...

Extending a Simple or Spanned Volume

Unlike mirrored, striped, and RAID-5 volumes, which cannot be extended after they are created, both simple and spanned volumes can be extended. When you extend a simple or spanned volume, you add areas of free space either from the current disk or disks being used or from other disks to create a single volume. Before you can extend a volume, the volume must be formatted as NTFS. You can convert FAT and FAT32 volumes to NTFS by using the CONVERT command discussed in the section entitled...

Figure A hierarchy of domains

Regardless of whether your forest uses a single namespace or multiple namespaces, additional domains in the same forest have the following characteristics: Share a common schema: All domain controllers in the forest have the same schema, and a single schema master is designated for the forest. Share a common configuration directory partition: All domain controllers share the same configuration container, and it stores the default configuration and policy information. Share a common trust...

Figure A one-way transitive trust between forests

In this situation, the users in the organization's Engineering department need access to resources in other departments, but for security reasons they should be isolated from the rest of the organization. Here the organization has implemented two forests: a main organizational forest and a separate Engineering forest. Using a one-way cross-forest trust from the main forest to the Engineering department forest, the organization allows Engineering users to access other resources, but ensures that...

Figure A two-way transitive trust between forests

When you connect two or more forests using cross-forest trusts, the implementation is referred to as a federated forest design. The federated forest design is most useful when you need to join two separate Active Directory structures, for example, when two companies merge, when one company acquires another, or when an organization has a major restructuring. Consider the case in which two companies merge, and, rather than migrate their separate Active Directory structures into a single directory...

Figure Select the partition type

3. Use the Assign Drive Letter Or Path page to assign a drive letter or path. You can also choose Do Not Assign A Drive Letter Or Drive Path To if you want to create the partition without assigning a drive letter or path. Click Next. 4. Use the Format Partition page to set the formatting options or opt not to format the partition at this time. Click Next. 5. The final page shows you the options you've selected. If the options are correct, click Finish. The wizard then creates the logical drive...

Figure View or set printer permissions

You can grant or deny printer permissions by following these steps: 1. In Printers And Faxes, right-click the printer, and then select Properties. In the printer Properties dialog box, select the Security tab. 2. In the Security tab, choose Add. This opens the Select Users, Computers, Or Groups dialog box, as shown in Figure 29-23. Figure 29-23. Specify the users or groups to add...

Figure View or set share permissions

In this example, members of the Domain Admins group have Full Control over the share and members of the Domain Users group have Change access. The group Everyone was removed to enhance security, as discussed in the sidebar Changes Might Be Needed to Enhance Security earlier in this chapter. You can grant or deny permission to access a share by following these steps: 1. In Computer Management, right-click the share, and then select Properties. In the share Properties dialog box, select the Share...

File Allocation Table Structure

Disks formatted using FAT are organized as shown in Figure 20-1. They have a boot sector that stores information about the disk type, starting and ending sectors, the active partition, and a bootstrap program that executes at startup and boots the operating system. This is followed by a reserve area that can be one or more sectors in length. Figure 20-1. An overview of FAT16 volume structure. The reserve area is followed by the primary file...

File and Folder Ownership

Before working with file and folder permissions, you should understand the concept of ownership as it applies to files and folders. In Windows Server 2003, the file or folder owner isn't necessarily the file or folder's creator. Instead, the file or folder owner is the person who has direct control over the file or folder. File or folder owners can grant access permissions and give other users permission to take ownership of a file or folder. The way ownership is assigned initially depends on...

Filtering Group Policy Application

By default, GPOs apply to all users and computers in the container to which the GPO is linked. The GPO applies to all users and computers in this way because of the security settings on the GPO, which specify that Authenticated Users have Read permission as well as Apply Group Policy permission. Thus, all users and computers with accounts in the domain are affected by the policy. Permissions are also assigned to administrators and the operating system. All members of the Enterprise Admins and...

Fixing File System Errors by Using Check Disk

Using Check Disk, you can check for and correct any of the common disk errors discussed previously. Check Disk works on FAT, FAT32, and NTFS volumes and primarily looks for inconsistencies in the file system and its related metadata. It locates errors by comparing the volume bitmap to the disk sectors assigned to files. For files, Check Disk looks at structural integrity, but won't check for or attempt to repair corrupted data within files that appear...

Forest Namespace

The top structure in any Active Directory implementation is the forest root domain. The forest root domain is established when you install Active Directory on the first domain controller in a new forest. Any time you add a new domain that is part of a different namespace to an existing forest, you establish a root domain for a new tree. The name given to a root domain (either the forest root domain itself or the root domain of a new tree in a forest) acts as the base name for all domains later...

Forest Root Domain Design Configurations

The forest root domain can be either a dedicated root or a non-dedicated root. A dedicated root, also referred to as an empty root, is used as a placeholder to start the directory. No user or group accounts are associated with it other than accounts created when the forest root is installed and accounts that are needed to manage the forest. Because no additional user or group accounts are associated with it, a dedicated root domain is not used to assign access to resources. A non-dedicated root...

Forest-to-Forest Trusts

I've already mentioned Active Directory forests, and I've also mentioned that in Windows 2000 forests were fairly inflexible. This might have got you wondering whether Windows Server 2003 improves the way forests work at all. The good news is that it does. You might also have wondered what the point of a forest is. In brief, you combine Active Directory domains into a forest to gain the advantages of transitive trusts and universal group caching. For automatic transitive trusts in Active...

Generating Migration Reports

To review migration status information, you can produce reports on migrated user and computer accounts, account references, name conflicts, and expired accounts by using the Report Wizard. This wizard uses many of the same dialog boxes as the Group Account Migration Wizard; therefore, only the dialog boxes that are unique to the Report Wizard are displayed in this section. Refer to the section entitled Migrating Group Accounts earlier in this chapter to see the remaining dialog boxes. Follow...

Getting and Using IP Addresses

As discussed previously, there are two categories of IP addresses: Public: Public addresses are assigned by Network Solutions (formerly this was InterNIC) and can be purchased as well from IANA. Most organizations don't need to purchase their IP addresses directly, however. Instead, they get the IP addresses they need from their Internet service provider (ISP). Private: Private addresses are reserved for Class A, B, and C networks and can be used without specific assignment. Most organizations...

Getting Information on Running Applications

The Applications tab in Task Manager, shown in Figure 15-5, lists applications being run by users on the computer along with status details that show whether the applications are running or not responding. If an application has an open file, such as a Microsoft Word document, the name of the file is shown as well...

Getting Network Usage Information

As Figure 15-7 shows, the Networking tab in Task Manager displays current network usage for each of the system's connections to the network. Figure 15-7. Use the Networking tab to track network activity. You can use the information provided to quickly determine the following: the number of network adapters installed on the computer; the percentage of utilization of each network adapter; the link speed of each network adapter; the state...

Getting Processor and Memory Usage for Troubleshooting

The Performance tab in Task Manager, shown in Figure 15-3, should be the first tab you check if you suspect a performance issue with a system. It shows current processor and memory usage and also graphs some historical usage statistics based on data collected since you started Task Manager. Figure 15-3. The Performance tab provides a summary of current processor and memory usage as well as some historical usage statistics based on data collected since you started Task Manager. Some of the performance data...

Getting Started with Taskpads

Basically, taskpads let you create a page of tasks that you can perform quickly by clicking the associated shortcut links rather than using the existing menu or interface provided by snap-ins. You can create multiple taskpads in a console, each of which is accessed as a taskpad view. If you've worked with Windows XP, you've probably seen the Simple Control Panel, which is a taskpad view of the Control Panel. As with most taskpads, the Simple Control Panel has two purposes: It provides direct...

Group Policy Processing

Group Policy settings are divided into two categories: Computer Configuration settings: Policies that apply to computer accounts only. User Configuration settings: Policies that apply to user accounts only. Normally, Computer Configuration settings are applied during startup of the operating system and User Configuration settings are applied when a user logs on to a computer. The sequence of events is often important in troubleshooting system behavior. The events that take place during startup and...

Deleting Snapshot Images from the Command Line

If you want to delete individual snapshots on a volume, you can use the DELETE SHADOWS command to do this. You can delete the oldest snapshot on the specified volume by typing vssadmin delete shadows /for=ForVolumeSpec /oldest, where /for=ForVolumeSpec specifies the local volume for which the snapshot is used. For example, if you configured shadow copying on the C volume and want to delete the oldest snapshot on this volume, you'd enter the command vssadmin delete shadows /for=c: /oldest. When...

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE, abbreviated as HKLM, contains all the settings that pertain to the hardware currently installed on a system. It includes settings for memory, device drivers, installed hardware, and startup. Applications are supposed to store settings in HKLM only if the related data pertains to everyone who uses the computer. As Figure 14-2 shows, HKLM contains the following major subkeys. These subkeys are discussed in the sections that follow. Figure 14-2. Accessing HKEY_LOCAL_MACHINE...

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT, abbreviated as HKCR, stores all file associations that tell the computer which document file types are associated with which applications, as well as which action to take for various tasks, such as open, edit, close, or play, based on a specified document type. For example, if you double-click a .doc file, the document typically is opened for editing in Microsoft Office Word. This file association is added to HKCR when you install Microsoft Office. If Microsoft Office isn't...