Group Policy Architecture

Within the Windows operating system, the components of Group Policy have separate server and client implementations (see Figure 38-2). Each Group Policy client has client-side extensions that are used to interpret and apply Group Policy settings. The client-side extensions are implemented as dynamic-link libraries (DLLs) that are installed with the operating system. The main DLL for processing Administrative Templates is Userenv.dll.
Figure 38-2. Group Policy architecture.
The Group Policy...

MMC Modes

MMC has two operating modes: author mode and user mode. In author mode, you can create and modify a console's design by adding or removing snap-ins and setting console options. In user mode, the console design is frozen, and you cannot change it. By default, the prepackaged console tools for administration open in user mode, and this is why you are unable to make changes to these console tools. As Figure 11-2 shows, when you open a console that is in author mode, you have an extended File menu...

Upgrading the Windows Domain Controllers

The next step in the upgrade process is to use the Active Directory Installation Wizard (Dcpromo) to install Active Directory on a Windows Server 2003-based member server in the forest root domain. This creates the first Windows Server 2003 domain controller in the forest. So, if you haven't yet installed a Windows Server 2003 system in the forest root domain, you should do this now and then configure the system to be a domain controller. Afterward, you should continue the upgrade process by...

Merging Groups during Migration

To merge groups from the source domain into a group in the destination domain, run the Group Mapping and Merging Wizard on the Action menu in ADMT. The Group Mapping and Merging Wizard uses many of the same dialog boxes as the Group Account Migration Wizard; thus, only the dialog boxes unique to the Group Mapping and Merging Wizard are displayed in this section. Refer to the section entitled Migrating Group Accounts earlier in the chapter to see the remaining dialog boxes. Follow these steps to...

Working with Local Group Policy

Any user who is a member of the Domain Admins or local Administrators group can work with local group policy. To work with local group policy, you use the Local Security Policy tool, which can be accessed by clicking Start, Programs or All Programs, Administrative Tools, Local Security Policy. On a domain controller, you select Domain Controller Security Policy instead. In either case, this displays a dialog box similar to the one shown in Figure 38-4. Default Domain Controller Security...

NTFS Structures

NTFS volumes have a very different structure and feature set than FAT volumes. The first area of the volume is the boot sector, which is located at sector 0 on the volume. The boot sector stores information about the disk layout, and a bootstrap program executes at startup and boots the operating system. A backup boot sector is placed at the end of the volume for redundancy and fault tolerance. Instead of a file allocation table, NTFS uses a relational database to store information about files....

Inside Out

Regedit replaces Regedt32 in Windows Server 2003
Unlike previous versions of the Windows operating system that included two versions of Registry Editor, Windows Server 2003 ships with a single version. This version, Regedit.exe, integrates all of the features of the previous Registry editors. From the original Regedit.exe it gets its core features. From Regedt32.exe, which is no longer available, it gets its security and favorites features. By using the security features, you can view and...

Analyzing the Existing Network

Before you can determine the path to your new network environment, you must determine where you are right now in terms of your existing network infrastructure. This requires determining a baseline for network and system hardware, software installation and configuration, operations, management, and security. Don't rely on what you think is the case; actually verify what is in place.
Project Worksheets Consolidate Information
A large network environment,...

Fixing Fragmentation by Using Disk Defragmenter

Using Disk Defragmenter, you can check for and correct volume fragmentation problems on FAT, FAT32, and NTFS volumes. The areas checked for fragmentation include the volume, files, folders, the page file if one exists on the volume, and the MFT. Being able to check the MFT is a new feature for Windows Server 2003. Another new feature is the ability to defragment volumes with cluster sizes greater than 4 KB. You can run the graphical version of Disk Defragmenter using either Windows Explorer or...

Reliability and Maintenance Enhancements

System reliability and maintenance go hand in hand. For systems to be reliable and easily maintained, faster, better, and easier ways to verify system integrity, apply patches, hot fixes, and updates, and undo changes are necessary. Windows Server 2003 introduces many features that can help you in these areas. For more information about reliability and maintenance enhancements, see Chapter 10, Configuring Windows Server 2003, and Chapter 11, Windows Server 2003 MMC Administration. Refer to these...

Tip Consider the license database location

Every time a client attempts to connect to a terminal server, a lookup is made to the license server database. If the client has an existing license, the terminal server to which the client is connected queries the license server about the client's license and the license server performs a lookup to validate it. If the client doesn't have an existing license, the terminal server to which the client is connected queries the availability of licenses and the license server performs a lookup to...

Sysvol Replication Using the File Replication Service

Sysvol files are replicated using the File Replication Service (FRS). Although FRS uses Active Directory replication to distribute the Sysvol files, there is a separate database for replication (see Figure 38-3). This database uses the Microsoft JET database technology. The base location of this database is %SystemRoot%\Ntfrs\Jet, and the primary data file for replication, Ntfrs.jdb, is stored in this folder. The FRS storage engine uses transactional processing to manage the database. Any data...

Running Server Clusters

Cluster Administrator (Cluadmin.exe) provides the graphical interface for managing, monitoring, and configuring server clusters. Its command-line counterpart is Cluster.exe. Both tools use the Cluster API to manage the Cluster service.
The Cluster Service and Cluster Objects
The Cluster service is responsible for all aspects of server cluster operation and also maintains the cluster database. The Cluster service uses objects to control the physical and logical units within the cluster. Many...

Configuring Printer Sharing and Publishing

When you set up a printer, you are given the chance to share it. If you share a printer, it is published in Active Directory automatically. Published printers can be searched for by users in a variety of ways, including when a user is attempting to connect to a network printer using the Add Printer Wizard. You can check or change the printer sharing and publishing options using the Sharing tab of the printer's Properties dialog box. In the Printers And Faxes window, right-click the printer, and...

NTLM and Kerberos Authentication

Windows NT 4 uses a form of authentication known as NT LAN Manager (NTLM). With NTLM, an encrypted challenge response is used to authenticate a user without sending the user's password over the network. The system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials. It does this by sending a one-way hash of the user's password that can be verified. NTLM authentication has interactive and non-interactive authentication processes....

Getting a Quick Start

To install Windows Server 2003, you can boot from the Windows CD, run Setup from within your current Windows operating system, perform a command-line installation, or use one of the automated installation options. You can also use network installations, which allow installation from a shared distribution point on your network. You should know about a few changes and enhancements in the setup processes as well. For security reasons, most network services are not installed by default, and, unlike...

Account Is Disabled

Figure 37-6. Set the user's password and account options.
6. Click Next, and then click Finish. If you use a password that doesn't meet the complexity requirements of group policy, you'll see an error and you'll have to click Back to change the user's password before you can continue.
Viewing and Setting User Account Properties
If you double-click a user account in Active Directory Users And Computers, a Properties...

Disk issues when upgrading to Windows Server

When you install Windows Server 2003 on a new system with unpartitioned disks, disks are initialized as basic disks. When you upgrade to Windows Server 2003, disks with partitions are initialized as basic disks. Windows 2000 had limited support for the fault-tolerant features found in Windows NT 4. In Windows 2000, you can use basic disks to maintain existing spanning, mirroring, and striping configurations and to delete these configurations. You cannot, however, create new combined or...

NTFS Compression

Windows allows you to enable compression when you format a volume using NTFS. When a drive is compressed, all files and folders stored on the drive are automatically compressed when they are created. This compression is transparent to users, who can open and work with compressed files and folders just as they do with regular files and folders. Behind the scenes, Windows decompresses the file or folder when it is opened and compresses it again when it is closed. Although this can decrease a...

Component Load Balancing Architecture

Unlike Server cluster and Network Load Balancing, which are built into the Enterprise Edition and Datacenter Edition of Windows Server 2003, Component Load Balancing is a feature of Microsoft Application Center and is designed to provide high availability and scalability for transactional components. Component Load Balancing is scalable on up to eight servers and is ideally suited to building distributed solutions.
Using Component Load Balancing Clusters
Component Load Balancing makes use of...

Customizing Quota Entries for Individual Users

Once you enable disk quotas, the configuration is set for and applies to all users who store data on the volume. The only exception, as noted previously, is for members of the Administrators group. The default disk quotas don't apply to these users. If you want to set a specific quota limit or warning level for an administrator, you can do this by creating a custom quota entry for that particular user account. You can also create custom quota entries for users who have special needs,...

Step Creating the Console

The first step in building a custom console tool is to create the console that you'll use as the framework. To get started, open a blank MMC in author mode. Click Start, select Run, type mmc in the Open box, and then click OK. This opens a blank console titled Console1 that has a default console root as shown in Figure 11-5.
Figure 11-5. A blank console with the default console root.
If you want your custom tool to be based on an...

Resolving Memory Bottlenecks

Windows applications use a lot of memory. If you install a server with the minimum amount of memory required, it isn't going to perform at its optimal level. The server cannot perform at its optimal level when you install the recommended amount of memory either. The reason for this is that a server's memory requirements depend on many factors, including the services, components, and applications that are installed on the server as well as the server's configuration. Computers use both physical...

Step Adding Snap-Ins to the Console

1 While you are thinking about the organization of the tool and the possibility of using additional views of the console root, you should also consider the types of snap-ins that you want to add to the console. Each of the tools listed in Table 11-1 is available as a stand-alone snap-in that you can add to the console. If you've installed any third-party tools on the computer, these tools might have stand-alone snap-ins that you can use. Many other snap-ins are available from Microsoft as well....

Backing Up and Recovering Your Data

Windows Server 2003 includes a backup utility called Backup that was developed by Veritas Software Corporation. Backup is a versatile utility designed to perform backups of individual systems. You use Backup to perform the following tasks: create backup archives of files and folders, create backups of the System State, create Automated System Recovery backups, access media pools reserved for Backup, and restore archived files and folders. You can also use Backup to schedule recurring backups....

Managing Network Load Balancing Clusters

Network Load Balancing Manager (Nlbmgr.exe) is a new tool for Windows Server 2003. It provides the graphical interface for managing, monitoring, and configuring Network Load Balancing clusters. Its command-line counterpart is Nlb.exe. Both tools use the NLB application programming interface (API) to manage Network Load Balancing.
Creating a New Network Load Balancing Cluster
You create Network Load Balancing clusters using the Network Load Balancing Manager (see Figure 18-4). Start Network Load...

Defragmenting Disks

As files are created, modified, and moved, fragmentation can occur both within the volume's allocation table and on the volume itself. This happens because files are written to clusters on disk as they are used. The file system uses the first clusters available when writing new data, so as you modify files, different parts of files can end up in different areas of the disk. If you delete a file, an area of the disk is made available, but it might not be big enough to store the next file that is...

Using Shadow Copies of Shared Folders

Shadow copies of shared folders are designed to help recover files that were accidentally deleted, corrupted, or inappropriately edited. Once you configure shadow copies on a server, the server creates and maintains previous versions of all files and folders created on the volumes you've specified. It does this by creating snapshots of shared folders at predetermined intervals and storing these images in shadow copy storage in such a way that users and administrators can easily access the data...

Other Microsoft Migration Tools

In addition to ADMT, Microsoft provides several other tools that can assist in certain migration scenarios. These tools include User State Migration Tool (USMT), File Settings and Transfer Wizard, migration scripts, and the Movetree utility. You can automate the migration of user settings and data by using USMT, an administrative wizard designed to assist in the deployment of Microsoft Windows XP clients in an enterprise network environment, specifically in the migration of user settings. This...

Marking disks for checking on startup

Check Disk can't get exclusive access to a volume if it has open file handles. As a result, you must either use the command-line version and dismount the volume or schedule Check Disk to run the next time the system is started. When you schedule Check Disk to run, the operating system marks the disk as dirty, which means it needs to be checked and repaired. You can mark a disk as dirty using the FSUTIL DIRTY command. Type fsutil dirty set followed by the drive designator, such as fsutil dirty...

Controlling When Operations Are Deleted

By default, completed, canceled, and failed operations are deleted from the work queue after 72 hours. You can control when operations are deleted by using one of the following methods:
Deleting individual operations. You can delete operations individually by right-clicking them and then selecting Delete.
Deleting all operations. To delete all completed, canceled, and failed operations, right-click Work Queue, select Properties, then click Delete All Now.
Reconfiguring automatic deletion times. To...

Assessing Project Goals

Carefully identifying the goals behind moving to Windows Server 2003 is an important part of the planning process. Without a clear list of objectives, you are unlikely to achieve them. Even with a clear set of goals in mind, it is unlikely you will accomplish them all. Most large business projects involve some compromise, and the process of deploying Windows Server 2003 is unlikely to be an exception. Although deploying a new operating system is ultimately an IT task, most of the reasons behind...

Auditing Registry Access

Access to the Registry can be audited as can access to files and other areas of the operating system. Auditing allows you to track which users access the Registry and what they're doing. All the permissions listed previously in Table 14-1 can be audited. However, you usually limit what you audit to only the essentials to reduce the amount of data that is written to the security logs and to reduce the resource burden on the affected server. Before you can enable auditing of the Registry, you...

Viewing Applicable GPOs and Last Refresh

In the Group Policy Management console, you can view all of the GPOs that apply to a computer as well as the user logged on to that computer. You can also view the last time the applicable GPOs were processed (refreshed). To do this, you run the Group Policy Results Wizard. To start the Group Policy Results Wizard and view applicable GPOs and the last refresh, follow these steps:
1. Start the Group Policy Management console. Right-click Group Policy Results, and then select Group Policy Results...

Modeling GPOs for Planning

In the Group Policy Management console, you can test different scenarios for modifying Computer Configuration and User Configuration settings. For example, you can model the effect of a slow link or the use of loopback processing. You can also model the effect of moving a user or computer to another container in Active Directory or adding the user or computer to an additional security group. To do this, you run the Group Policy Modeling Wizard. To start the Group Policy Modeling Wizard and test...

Analyzing NTFS Structure

If you want to examine the structure of a volume formatted using NTFS, you can use the FSUTIL FSINFO command to do this. Type fsutil fsinfo ntfsinfo DriveDesignator at the command prompt, where DriveDesignator is the drive letter of the volume followed by a colon. For example, if you want to obtain information on the C drive, you'd type fsutil fsinfo ntfsinfo C:. The output would be similar to the following: NTFS Volume Serial Number Version Number Sectors Total Clusters Free Clusters Total Reserved Bytes Per Sector Bytes...

Running the User Account Migration Wizard

To migrate user accounts, run the User Account Migration Wizard on the Action menu in ADMT. This wizard uses many of the same dialog boxes as the Group Account Migration Wizard; thus, only dialog boxes unique to the User Account Migration Wizard are shown in this section. Refer to the section entitled Migrating Group Accounts earlier in this chapter to see the remaining dialog boxes. Follow these steps to migrate user accounts:
1. Choose to test only or migrate. When the User Account Migration...

Configuring Disk Quotas

By default, disk quotas are disabled. If you want to use disk quotas, you must enable quota management for each volume on which you want to use disk quotas. You can enable disk quotas on any NTFS volume that has a drive letter or a mount point. Before you configure disk quotas, think carefully about the limit and warning level. Set values that make the most sense given the number of users that store data on the volume and the size of the volume. For optimal performance of the volume, you won't...

Mirroring Boot and System Volumes

Disk mirroring is often used to mirror boot and system volumes. Mirroring these volumes ensures that you'll be able to boot the server in case of a single drive failure.
Mirroring Boot and System Volumes on MBR Disks
When you want to mirror boot or system volumes on MBR disks, the process is fairly straightforward. You start with two disks, which I'll call Disk 0 and Disk 1, where Disk 0 has the system files and Disk 1 is a new disk. Because Setup won't let you install Windows Server 2003 on a...

Permission Inheritance for Files and Folders

By default, when you add a folder or file to an existing folder, the folder or file inherits the permissions of the existing folder. For example, if the Domain Users group has access to a folder and you add a file to this folder, members of the Domain Users group will be able to access the file. Inherited permissions are automatically assigned when files and folders are created. When you assign new permissions to a folder, the permissions propagate down and are inherited by all subfolders and...

Monitoring Performance from the Command Line

Windows Server 2003 includes a command-line utility called Typeperf for writing performance data to the command line. You can use it to monitor the performance of both local and remote computers. The available parameters for Typeperf are summarized in Table 16-2. Specifies a file containing a list of performance counters Specifies the settings file containing command options. Sets the output file format. The default is .csv for comma Sets the path of an output file or SQL database. Lists...

Modifying the Registry

When you want to work with keys and values in the Registry, you typically are working with subkeys of a particular key. This allows you to add a subkey and define its values and to remove subkeys and their values. You cannot, however, add or remove root keys or insert keys at the root node of the Registry. Default security settings within some subkeys might also prohibit you from working with their keys and values. For example, by default you cannot create, modify, or remove keys or values...

Active Directory Site Administration

In this chapter, I discuss administration of sites, subnets, site links, and related components. Active Directory sites are used to control directory replication traffic and isolate logon authentication traffic between physical network locations. Every site has one or more subnets associated with it. Ideally, each subnet that is part of a site should be connected by reliable, high-speed links. Any physical...

Configuring File and Folder Permissions

On NTFS volumes, you can assign access permissions to files and folders. These permissions grant or deny access to users and groups. In Windows Explorer you can view basic permissions by right-clicking the file or folder you want to work with, selecting Properties on the shortcut menu, and then in the Properties dialog box selecting the Security tab, as shown in Figure 21-20. The Group Or User Names list shows groups and users with assigned permissions. If you select a group or user in...

Monitoring Performance Remotely

Monitoring performance on the computer for which you are trying to establish a baseline can skew the results. The reason for this is that Performance Monitor uses resources when it is running, particularly when you are graphing performance information, taking frequent samples, or tracking many performance counters. To remove the resource burden (or at least most of it), you should consider monitoring performance remotely. Here, you use one computer to monitor the performance of another...

Using the Active Directory Installation Wizard with Backup Media

Whenever you install an additional domain controller in an existing domain, you should consider whether you want to restore a backup of Active Directory from media rather than creating the domain controller from scratch. Doing so allows the Active Directory Installation Wizard to get the initial data for the Configuration, Schema, and Domain directory partitions from backup media rather than performing a full synchronization over the network. Not only does this reduce the amount of network...

Creating Server Clusters

After you finish the cluster planning and set up the server hardware, you can create the cluster. You create the cluster using Cluster Administrator, which can be started from the Administrative Tools menu or by typing cluadmin at the command prompt. Before you do this, however, you should ensure that all the nodes in the system have the same default language and country or region selected. Start the Regional And Language Options utility in Control Panel, and then select the options for...

Task Manager and Process Resource Monitor Essentials

By using Task Manager, you can track running applications and processes and determine resource usage. This can help you understand how a server is performing and whether there are any problems, such as applications that aren't running or processes that are hogging system resources. Task Manager is available on both workstations and servers by pressing Ctrl+Alt+End. To work with Task Manager, the key issue you must understand is the distinction between an application, an image name, and a...

Understanding Windows Server Print Services

In a perfect world, the printers used by an organization would be selected after careful planning. You'd select the best printer for the job based on the expected use of the printer and the features required. The reality is that in many organizations printers are purchased separately by departments and individuals without much thought given to how the printer will be used. Someone sees that a printer is needed and one is purchased. The result is that many organizations have a hodgepodge of...

Enabling and Joining the Session Directory Service

When you are using a load-balanced terminal server farm, you need to configure a Session Directory server and configure Terminal Services to join the Session Directory. As discussed previously, the Session Directory server can be a member of the load-balanced farm or it can be a separate server. If you use a separate Session Directory server, it probably doesn't need to be a high-end server. The session management workload on the Session Directory server typically is very light, but depends on...

Setting Up DHCP Servers

The approach you use to set up DHCP servers depends on many factors, including the number of clients on the network, the network configuration, and the Windows domain implementation you are using. From a physical server perspective, the DHCP Server service doesn't use a lot of system resources and can run on just about any system configured with Windows Server 2003. The DHCP Server service is in fact often installed as an additional service on an existing infrastructure server or on an older...

Understanding IP Addressing

The most important thing IP gives us is the IP address. It is the existence of IP addresses that allows information to be routed from point A to point B over a network. An IP address is a 32-bit logical address that has two components: a network address and a node address. Typically, IP addresses are divided into four 8-bit values called octets and written as four separate decimal values delimited by a period (referred to as a dot). The binary values are converted to decimal equivalents by...

Troubleshooting

You might be surprised at how common it is for incompatible RAM or CPUs to present problems, especially when installing enterprise-class servers. We had a problem once when we ordered all the components from a single hardware vendor that had verified the compatibility of every element down to the last detail only to find that the wrong processors and RAM were shipped for the systems ordered. The result was that every time we added the additional processors and RAM modules, the server wouldn't...

Dynamic disks have limitations

You can't use dynamic disks on portable computers or with removable media. You can only configure disks for portable computers and removable media as basic disks with primary partitions. For computers that are multibooted, keep in mind that only Windows 2000 or later versions of the Windows operating system can use dynamic disks.
Using and Converting Basic and Dynamic Disks
Basic disks and dynamic disks are managed in different ways. For basic disks,...

Designating Replication Attributes

The contents of the global catalog are determined by the attributes that are replicated for each object class. Common object classes you'll work with include the following:
Computer: Represents a computer account in the domain or forest
Contact: Represents a contact in the domain or forest
Group: Represents a group account in the domain or forest
InetOrgPerson: Represents a special type of user account, which typically has been migrated from another directory service
PrintQueue: Represents a logical...

Analyzing FAT Volumes by Using ChkDsk

When you run ChkDsk, you can get an analysis report. For FAT volumes, a disk analysis report looks like this:
Volume DATA3 created 2/19/2004 5:58 PM
Windows is verifying files and folders
File and folder verification is complete.
Windows has checked the file system and found no problems.
209,489,920 bytes total disk space.
24,576 bytes in 6 hidden files.
12,288 bytes in 3 folders.
200,679,936 bytes in 279 files.
8,773,120 bytes available on disk.
4,096 bytes in each allocation unit.
51,145 total...

Examine Zones and Zone Records

DNSCMD provides several useful commands for helping you pinpoint problems with records. To get started, list the available zones by typing dnscmd ServerName enumzones, where ServerName is the name or IP address of the DNS server you want to check. The output shows a list of the zones that are configured as follows The zone names you can work with are listed in the first column. The other values tell you the type of zone and the way it is configured as summarized in Table 27-2. Table 27-2. Zone...

Examining Answer Files

The answer file that Setup Manager generates is different depending on the type of answer file you are creating and your answers. The answer file generated for an unattended installation (Unattend.txt) looks something like this:
UnattendMode=FullUnattended
OemSkipEula=Yes
OemPreinstall=Yes
TargetPath=WINDOWS
FullName="City Power and Light User"
OrgName="City Power and Light"
ComputerName=*
[LicenseFilePrintData]
AutoMode=PerSeat
[TapiLocation]
CountryCode=1
Dialing=Tone
AreaCode=206
[RegionalSettings]...

Managing Site Links and Intersite Replication

Site links are used to connect two or more sites together for the purpose of replication. When you install Active Directory in a new forest, a new site link called the DEFAULTIPSITELINK is created. As you add additional sites to the forest, these sites are included in the default site link unless you have configured other site links. If all of the network connections between sites are the same speed and priority, the default configuration can work. In this case, the intersite replication...

Installing Windows Using RIS

A Windows OS installation by RIS simplifies deployment of remote systems. The RIS installation process is straightforward, as reflected in the following steps:
1. The process of remote installation begins when the target computer is booted from a floppy disk (or PXE-enabled ROM BIOS). The target system boots using either PXE boot ROM or RIS boot disk, detects the NIC, loads the NIC drivers, and then displays the MAC address of the network adapter.
2. The system then contacts a DHCP server (using...

Checking Active Registrations and Scavenging Records

Using the WINS console, you can view the active registrations in the WINS database by expanding the server entry, right-clicking Active Registrations, and choosing Display Records. In the Display Records dialog box, click Find Now without making any selections to see all the available records or use the filter options to specify the types of records you want to view, and then click Find Now. To tombstone a record manually, right-click it, and then select Delete. This deletes it from the current...

Monitoring and Troubleshooting Replication

Two helpful tools for monitoring and troubleshooting replication issues are provided in the Support Tools. The first tool is the Replication Administrator (RepAdmin), which is a command-line utility. The second tool is the Replication Monitor (ReplMon), which is a graphical user interface (GUI) utility. Both tools provide similar functionality, albeit one from the command line and one from the GUI. You run the Replication Administrator from the command line. Most command-line parameters accept...
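Because RepAdmin works from the command line, its output can be turned into a scheduled health report. The following PowerShell is an added example, not code from the book: it runs repadmin /showrepl * /csv and reports every inbound connection that has recorded failures or has not replicated successfully within a window. The /csv switch and the column names used here (Destination DSA, Source DSA, Naming Context, Number of Failures, Last Success Time, Last Failure Status) are assumed to match the Windows Server 2003 SP1 version of RepAdmin; the sample rows at the end are constructed.

```powershell
# Added example (not from the book): report replication partners with failures or
# without a recent successful replication, using "repadmin /showrepl * /csv".
function Get-ReplicationHealth {
    param([int]$MaxAgeHours = 24, [string[]]$CsvLines)
    $raw = if ($CsvLines) { $CsvLines } else { & repadmin /showrepl * /csv }
    # Keep the CSV header and rows only; repadmin may print other status lines.
    $rows = $raw | Where-Object { $_ -match '^showrepl_(COLUMNS|INFO)' } | ConvertFrom-Csv
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'
        $lastOk = $null
        if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
            $lastOk = [datetime]::Parse($r.'Last Success Time')
        }
        $stale = (-not $lastOk) -or ($lastOk -lt $cutoff)
        if ($failures -gt 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastOk
                Stale         = $stale
                LastError     = $r.'Last Failure Status'   # Win32 error code, e.g. 1722 = RPC server unavailable
            }
        }
    }
}

# Constructed sample in the shape of repadmin's CSV output (not captured from a real forest).
$now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    "showrepl_INFO,Default-First-Site-Name,DC1,""DC=cpandl,DC=com"",Default-First-Site-Name,DC2,RPC,0,0,$now,0",
    "showrepl_INFO,Default-First-Site-Name,DC1,""CN=Configuration,DC=cpandl,DC=com"",Seattle,DC3,RPC,12,$now,2003-11-01 08:00:00,1722"
)
Get-ReplicationHealth -CsvLines $sample |
    Format-Table Destination, Source, NamingContext, Failures, Stale, LastError -AutoSize
```

Only the DC3 connection is reported in the sample. Against a live forest, run Get-ReplicationHealth with no arguments from a machine that has the Support Tools installed and credentials on every domain controller.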

Managing Windows Server Networking and Print Services

Understanding IP addressing: unicast, multicast, broadcast, and special IP addresses; using subnets and subnet masks; network prefix notation; getting and using IP addresses; understanding name resolution with the Domain Name System (DNS) and the Windows Internet Naming Service (WINS). Configuring TCP/IP: preparing for installation of TCP/IP networking; installing TCP/IP; configuring static IP addresses; configuring dynamic IP addresses; configuring Automatic Private IP Addressing; configuring advanced TCP/IP settings. DHCP: DHCP security; planning DHCP; DHCP messages and relay...

Managing Sites and Subnets

When you install the Active Directory directory service in a new forest, a new site called the Default-First-Site-Name is created. As you add additional domains and domain controllers to the forest, these domains and domain controllers are added to this site as they are installed unless you have configured other sites and associated subnets with those sites as necessary. Administration of sites and subnets involves determining the sites and subnets you need and creating those sites and subnets....

Planning DHCP Implementations

Planning a new DHCP implementation or revamping your existing DHCP implementation requires a good understanding of how DHCP works. You need to know the following:
- How DHCP messages are sent and received
- How DHCP relay agents are used
- How multiple servers should be configured
When a DHCP client is started, it uses network broadcasts to obtain or renew a lease from a DHCP server. These broadcasts are in the form of DHCP messages. A client obtains its initial lease as shown in Figure 25-1....

Active Directory Domains Trees and Forests

Within the directory, objects are organized using a hierarchical tree structure called a directory tree. The structure of the hierarchy is derived from the schema and is used to define the parent-child relationships of objects stored in the directory. A logical grouping of objects that allows central management of those objects is called a domain. In the directory tree, a domain is itself represented as an object. It is in fact the parent object of all the objects it contains. Unlike Windows NT...

DNS Setup

You can install the DNS Server service using the Add or Remove Programs utility or the Configure Your Server Wizard. Follow these steps for using the Add or Remove Programs utility to do this:
1. In Control Panel, double-click Add Or Remove Programs. Then in the Add Or Remove Programs dialog box, click Add/Remove Windows Components to start the Windows Components Wizard.
2. On the Windows Components page, select Networking Services, and then click Details.
3. In the Networking Services dialog box, shown...

Tip Test the separator page

After you select a separator page, you should print a test document to ensure printing works as expected. To do this, click Print Test Page in the General tab of the printer's Properties dialog box. If there's any printing error, you've chosen an incompatible separator page and will need to try a different one.

Customizing Separator Pages

You can customize separator pages for your organization. Although PCL, PostScript, and other types of separator...

Backing Up and Restoring Active Directory

To back up Active Directory, all you need to do is back up the System State on a domain controller. However, recovery of Active Directory is different from recovery for other types of network services. A key reason for this involves the way Active Directory data is replicated and restored. Because of this, let's look at backup and recovery strategies for Active Directory, and then look at various restore techniques. Backup and Recovery Strategies for Active...

Customizing RIS

You can also configure the RIS server by double-clicking its computer account in Active Directory Users and Computers and then selecting the Remote Install tab, as shown below. The following options are displayed:
Respond To Client Computers Requesting Service  This instructs the RIS service to respond to client requests, effectively making the RIS server available to RIS clients on the network.
Do Not Respond To Unknown Client Computers  If you select this option, the RIS server will disregard...

Using the Windows Installer Zapper

The Windows Installer Zapper (Msizap.exe) is a command-line utility for removing Registry settings for applications that were installed using the Windows Installer. Like the Windows Installer CleanUp Utility, it can be used to clean up Registry settings for applications that were partially uninstalled or for which the uninstall failed, as well as applications that can't be uninstalled or reinstalled because of partial or damaged settings in the Registry. Additionally, it can be used to remove...

Configuring the RIS Server

There are several tools used to set up and configure RIS as well as the operating systems that the RIS server will deploy. These tools include the following:
RISetup.exe  The primary RIS setup program, RISetup, is used to perform the initial configuration of the RIS server and designate the location of the distribution folder that will contain the operating system images. RISetup also lets you specify the source location of the uninstalled product files, associate answer files with images, and...

Configuring Tcpip Networking

As you've seen, computers use IP addresses to communicate over TCP/IP and are also assigned names to make it easier for people to work with networked computers. Although name resolution can be performed using DNS, WINS, or a combination of both, the preferred technique on Windows Server 2003 domains is DNS. IP addresses can be static or dynamic. A static IP address is an IP address that is assigned manually and is fixed once it is assigned. A dynamic IP address is assigned automatically at...

Host Address A and Pointer PTR Records

Host Address (A) records contain the name of a host and its IPv4 address. Any computer that has multiple network interfaces or IP addresses should have multiple address records. Pointer (PTR) records enable reverse lookups by creating a pointer that maps an IP address to a host name. You do not need to create A and PTR records for hosts that use dynamic DNS. These records are created automatically. For hosts that don't use dynamic DNS, you can create a new host entry with A and PTR records by...
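For hosts that don't use dynamic DNS, the same pair of records can be created from the command line with DNSCMD, which is easier to repeat and to review than the console dialog. The following PowerShell is an added example, not code from the book: it builds the /RecordAdd commands for the A record and its matching PTR record, supports -WhatIf so you can see the commands before they run, and assumes the forward zone and a /24 reverse zone (named from the first three octets) already exist on the server. The server, zone, and host names in the usage line are hypothetical.

```powershell
# Added example (not from the book): create matching A and PTR records with DNSCMD.
function Add-DnsHostRecord {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DnsServer,       # name or IP address of the DNS server
        [Parameter(Mandatory = $true)][string]$Zone,            # forward zone, e.g. cpandl.com
        [Parameter(Mandatory = $true)][string]$HostName,        # short host name, e.g. fs1
        [Parameter(Mandatory = $true)][System.Net.IPAddress]$IPv4Address
    )
    if ($IPv4Address.AddressFamily -ne 'InterNetwork') { throw 'Only IPv4 addresses are handled here' }
    $o = $IPv4Address.GetAddressBytes()
    # Assumption: the reverse zone is a /24, so its name is the first three octets reversed
    # and the PTR node name is the last octet.
    $reverseZone = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
    $node = [string]$o[3]
    $fqdn = "$HostName.$Zone."          # trailing dot: PTR data must be a fully qualified name

    # dnscmd <Server> /RecordAdd <Zone> <Node> <RRType> <RRData>
    $commands = @(
        @('/RecordAdd', $Zone, $HostName, 'A', $IPv4Address.IPAddressToString),
        @('/RecordAdd', $reverseZone, $node, 'PTR', $fqdn)
    )
    foreach ($argList in $commands) {
        $text = "dnscmd $DnsServer $($argList -join ' ')"
        if ($PSCmdlet.ShouldProcess($DnsServer, $text)) {
            & dnscmd $DnsServer @argList | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "$text failed with exit code $LASTEXITCODE" }
        }
        $text    # return the command issued so the caller can log it
    }
}

# -WhatIf prints the two dnscmd commands without running them:
# Add-DnsHostRecord -DnsServer dc1 -Zone cpandl.com -HostName fs1 -IPv4Address 192.168.1.60 -WhatIf
```

For a host with several addresses, call the function once per address; each call adds one A record and one PTR record, which is exactly the multiple-record layout described above.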

Using Network Load Balancing

Each server in a Network Load Balancing cluster is referred to as a node. Network Load Balancing nodes work together to provide availability for critical IP-based resources, which can include TCP, UDP, and GRE traffic requests.

Using Network Load Balancing Clusters

Network Load Balancing provides failover support for IP-based applications and services that require high scalability and availability. You can use Network Load Balancing to build groups of up to 32 clustered computers,...

Configuring a Small Network Using the Configure A Dns Server Wizard

For a small network, you can use the wizard to set up your forward lookup zone and query forwarding to your ISP or other DNS servers. You can also choose to configure this zone as a primary or secondary zone. You use the primary zone option if your organization maintains its own zone. You use the secondary zone if your ISP maintains your zone. This gives you a read-only copy of the zone that can be used by internal clients. Because small networks don't normally need reverse lookup zones, these...

Authentication and Trusts Across Domain Boundaries

Active Directory uses Kerberos security for server-to-server authentication and the establishment of trusts, while allowing older clients and servers on the network to use NTLM if necessary. Figure 33-6 shows a one-way trust in which one domain is the trusted domain and the other domain is the trusting domain. In Windows NT 4, you typically implemented one-way trusts when you had separate account and resource domains. The establishment of the trust allowed users in the account domain to access...

Working with the Registry from the Command Line

If you want to work with the Registry from the command line, you can do so using the REG command. REG is run using the permissions of the current user and can be used to access the Registry on both local and remote systems. As with Registry Editor, you can work only with HKEY_LOCAL_MACHINE and HKEY_USERS on remote computers. These keys are, of course, used to build all the logical root keys used on a system, so you can in fact work with any area of the Registry on a remote computer. REG has...
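Because REG can read HKEY_LOCAL_MACHINE on remote computers, it is a quick way to compare one security setting across many servers. The following PowerShell is an added example, not code from the book: it runs REG QUERY against \\Computer\HKLM\... on each server, parses the value line REG prints, and compares the result with an expected value. The LSA value used in the usage line, LmCompatibilityLevel, is only an example of a value worth auditing; the server names are hypothetical, and the target computers need the Remote Registry service running and an account with rights to read the key.

```powershell
# Added example (not from the book): read one registry value from several servers
# with REG QUERY and compare it with an expected value.
function Get-RemoteRegValue {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Key,        # e.g. HKLM\SYSTEM\CurrentControlSet\Control\Lsa
        [Parameter(Mandatory = $true)][string]$ValueName
    )
    foreach ($c in $ComputerName) {
        $out = & reg query "\\$c\$Key" /v $ValueName 2>&1
        $rc = $LASTEXITCODE
        $data = $null
        foreach ($line in $out) {
            # REG QUERY prints:    <ValueName>    REG_DWORD    0x5
            if ("$line" -match "^\s*$([regex]::Escape($ValueName))\s+(?<Type>REG_\w+)\s+(?<Data>.*)$") {
                $data = $Matches.Data.Trim()
                if ($Matches.Type -eq 'REG_DWORD' -and $data -match '^0x') {
                    $data = [Convert]::ToInt32($data, 16)    # REG shows DWORDs in hex
                }
            }
        }
        New-Object PSObject -Property @{
            Computer = $c
            Data     = $data
            Error    = if ($rc -ne 0) { ($out | Select-Object -First 1).ToString().Trim() } else { $null }
        }
    }
}

function Compare-RegValue {
    param([string[]]$ComputerName, [string]$Key, [string]$ValueName, $Expected)
    Get-RemoteRegValue -ComputerName $ComputerName -Key $Key -ValueName $ValueName |
        Select-Object Computer, Data, Error,
            @{n = 'Matches'; e = { ($_.Error -eq $null) -and ("$($_.Data)" -eq "$Expected") }}
}

# Usage (hypothetical server names; runs against live systems):
# Compare-RegValue -ComputerName 'dc1', 'fs1' -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
#     -ValueName 'LmCompatibilityLevel' -Expected 5 | Format-Table -AutoSize
```

A server that returns an Error rather than a value usually means the Remote Registry service is stopped or the account lacks read access to the key; both show up in the first line REG prints, which the function keeps.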

Configuring the Taskbar

The taskbar is one of those areas of the desktop that most people take for granted. People tend to think, "Hey, there's the taskbar, what can I click?" when they should be thinking, "Hey, there's a taskbar. It tracks all the running programs for quick access and I can customize it to work the way I want it to." Beyond the Start button, the taskbar has three main areas:
Quick Launch  Provides quick access to the desktop and commonly used applications. Technically, it is a type of toolbar, and...

Importing and Exporting Registry Data

Sometimes you might find that it is necessary or useful to copy all or part of the Registry to a file. For example, if you've installed a service or component that requires extensive configuration, you might want to use it on another computer without having to go through the whole configuration process again. So, instead, you would install the service or component baseline on the new computer, then export the application's Registry settings from the previous computer, copy them over to the...

Loading and Unloading Hive Files

Just as you sometimes must import or export Registry data, you'll sometimes need to work with individual hive files. The most common reason for doing this, as discussed previously, is when you must modify a user's profile to correct an issue that prevents the user from accessing or using a system. Here, you would load the user's Ntuser.dat file into Registry Editor and then make the necessary changes. Another reason for doing this would be to change a particular part of the Registry on a remote...
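Both of the preceding tasks, exporting a key to a file and loading an Ntuser.dat hive for offline editing, can be done with the REG command rather than Registry Editor, which matters when you need to repeat the change on many profiles. The following PowerShell is an added example, not code from the book, covering both this section and the preceding one on importing and exporting: it exports a key as a baseline, loads a hive file under a temporary key, runs a change against it, and always unloads the hive afterward. The profile path, the hive name TempHive, the export file, and the value written inside the usage block are hypothetical; loading a hive requires administrative rights and fails while the user is logged on.

```powershell
# Added example (not from the book): export a key with REG EXPORT, then load a user's
# Ntuser.dat with REG LOAD, change it, and unload it again with REG UNLOAD.
function Export-RegKey {
    param([Parameter(Mandatory = $true)][string]$Key, [Parameter(Mandatory = $true)][string]$File)
    if (Test-Path $File) { Remove-Item $File }          # REG EXPORT does not overwrite an existing file
    & reg export $Key $File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export $Key failed ($LASTEXITCODE)" }
    Get-Item $File
}

function Invoke-OnOfflineHive {
    param(
        [Parameter(Mandatory = $true)][string]$HiveFile,       # e.g. D:\Profiles\jsmith\ntuser.dat
        [Parameter(Mandatory = $true)][scriptblock]$Action,    # receives the mounted root key, e.g. HKU\TempHive
        [string]$MountName = 'TempHive'
    )
    $root = "HKU\$MountName"
    & reg load $root $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load $HiveFile failed ($LASTEXITCODE); is the user still logged on?" }
    try {
        & $Action $root
    }
    finally {
        # Any .NET handle left open on the hive makes REG UNLOAD fail, so release them first.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg unload $root | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload $root failed; the hive is still mounted" }
    }
}

# Usage: baseline the Policies key of the offline profile, then set a hypothetical value in it.
Invoke-OnOfflineHive -HiveFile 'D:\Profiles\jsmith\ntuser.dat' -Action {
    param($root)
    Export-RegKey -Key "$root\Software\Microsoft\Windows\CurrentVersion\Policies" `
                  -File 'C:\Temp\jsmith-policies-before.reg'
    & reg add "$root\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
        /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
}
```

The exported .reg file can be imported on another computer with reg import, but note that it contains the temporary HKU\TempHive path; edit the key names in the file before importing it into a live user hive.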

Replication Rings and Directory Partitions

Domain Replication

The knowledge consistency checker (KCC) is responsible for generating the intrasite replication topology, and the intersite topology generator (ISTG) uses the KCC to generate the intersite replication topology. The KCC always configures the replication topology so that each domain controller in a site has at least two incoming connections if possible, as already discussed. The KCC also always configures intrasite replication so that each domain controller is no more than three hops from any other domain controller. This also...

Intersite Replication Essentials

While intrasite replication is focused on speed, intersite replication is focused on efficiency. The primary goal of intersite replication is to transfer replication information between sites while making the most efficient use of the available resources. With efficiency as a goal, intersite replication traffic uses designated bridgehead servers and a default configuration that is scheduled rather than automatic, and compressed rather than uncompressed. With designated bridgehead servers, the...

RIS Answer Files

RIS answer files are highly similar to Unattend.txt files, with just a few additional or changed entries. During the RIS image creation process, default answer files are created for each OS image: RISetup creates a default answer file called Ristndrd.sif, and RIPrep creates its own answer file named Riprep.sif by default. The easiest way to create an optional answer file (Remboot.sif by default) for RIS is by using the Setup Manager Wizard (Setupmgr.exe), found in Deploy.cab located in the Support Tools...

Configuring User Logon and Logoff Scripts

You can assign logon and logoff scripts as part of a group policy. In this way, all users in a site, domain, or OU run scripts automatically when they log on or log off. To configure a script that should be executed when a user logs on or logs off, complete the following steps:
1. For easy management, copy the scripts you want to use to the User\Scripts\Logon or the User\Scripts\Logoff folder for the related policy. By default, policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder...
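A script placed in one of these folders runs in the security context of every user the policy applies to, so the folders and the scripts in them should be writable only by administrators and SYSTEM. The following PowerShell is an added check, not code from the book: it walks the Policies folder, finds the Scripts\Logon and Scripts\Logoff folders (and, going beyond the user scripts discussed here, the Machine\Scripts\Startup and Shutdown folders), and lists every Allow entry that grants write rights to a principal outside a trusted list. The Sysvol path and the CPANDL domain group names are assumptions; replace them with your own.

```powershell
# Added example (not from the book): find non-administrative principals with write
# access to Group Policy script folders or to the scripts in them.
function Get-ScriptFolderWriteAccess {
    param(
        [Parameter(Mandatory = $true)][string]$PoliciesRoot,    # e.g. \\cpandl.com\Sysvol\cpandl.com\Policies
        [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
                                         'CPANDL\Domain Admins', 'CPANDL\Enterprise Admins')
    )
    # Any of these rights lets a principal replace or alter a script.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

    $scriptDirs = Get-ChildItem -Path $PoliciesRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and
                       $_.FullName -match '\\(User|Machine)\\Scripts\\(Logon|Logoff|Startup|Shutdown)$' }

    foreach ($dir in $scriptDirs) {
        $items = @($dir) + @(Get-ChildItem -Path $dir.FullName -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -Path $item.FullName
            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                if ($TrustedPrincipals -contains $rule.IdentityReference.Value) { continue }
                if (($rule.FileSystemRights -band $writeMask) -eq 0) { continue }
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Identity  = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Usage: an empty result means only trusted principals can change scripts.
# Get-ScriptFolderWriteAccess -PoliciesRoot '\\cpandl.com\Sysvol\cpandl.com\Policies' |
#     Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Entries reported with Inherited set to True come from the policy folder above the script folder, so fix them there rather than on the individual files.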

Migrating Global Groups

Migrating groups prior to migrating users from one domain to another is a good idea. Global groups are restricted to having members that exist within the current domain. As a result, if you migrate users from a source domain to a destination domain and groups have not yet been migrated, the migrated users cannot be part of a group that is in the source domain. They can be part of a group only in the destination domain thus, they cannot be part of their original group. Once the groups are...

Rolling Back a Driver

Occasionally, you'll find that an updated driver doesn't work as expected. It could cause problems, such as device failure or system instability. In most cases, this should occur only when you've installed unsigned device drivers as a last resort or beta versions of new drivers that might have improved performance or some other benefit that outweighs their potential to crash the system. However, it can sometimes occur with signed device drivers, even those published through Windows Update. If...

Tip Use Locations to access user accounts from other domains

By default, the Select Users dialog box is set to work with users from your logon domain. If you want to add a user account from another domain, click Locations to display the Locations dialog box. Then either select the entire directory or the specific domain in which the account is located, and click OK (Figure 20-13). Type the name of the user account or part of the name, and click Check Names. In the Quota Entries dialog box, there are a couple of...

Using the Regional and Language Options Utility

Regional and Language Options is used to set country-specific standards and formats, as shown in the following screen. In different countries, the unit of measurement, currency, and date formatting can be different. To change the settings, simply select a country or region in the Standards And Formats area. By choosing a region, you choose all the appropriate settings for numbers, currency, dates, and times. Examples of the formatting standards for the selected region are displayed in the...

Service Location SRV Records

Service Location (SRV) records make it possible to find a server providing a specific service. Active Directory uses SRV records to locate domain controllers, global catalog servers, LDAP servers, and Kerberos servers. SRV records are created automatically. For example, Active Directory creates an SRV record when you promote a domain controller. LDAP servers can add an SRV record to indicate they are available to handle LDAP requests in a particular zone. In the forest root zone, SOA, NS, CNAME, and SRV...
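When clients cannot find a domain controller, the first thing to verify is that the SRV records Active Directory registered actually resolve from the client's point of view. The following PowerShell is an added example, not code from the book: it queries the _ldap._tcp.dc._msdcs and _kerberos._tcp.dc._msdcs records for a domain with nslookup (the Windows Server 2003 toolset has no native SRV cmdlet), parses the priority, weight, port, and target of each record, and checks that every target host name resolves to an address. The nslookup output layout parsed here ("priority = ...", "svr hostname = ...") is an assumption, and the sample output at the end is constructed.

```powershell
# Added example (not from the book): resolve SRV records with nslookup and check that
# the domain controller records for a domain point at hosts that resolve.
function Resolve-SrvRecord {
    param([Parameter(Mandatory = $true)][string]$Name, [string]$DnsServer, [string[]]$SampleOutput)
    $raw = if ($SampleOutput) { $SampleOutput }
           elseif ($DnsServer) { & nslookup -type=SRV $Name $DnsServer 2>&1 }
           else { & nslookup -type=SRV $Name 2>&1 }
    $records = @()
    $current = $null
    foreach ($line in @($raw | ForEach-Object { "$_" })) {
        if ($line -match 'SRV service location:') {               # one block per record
            if ($current) { $records += New-Object PSObject -Property $current }
            $current = @{ Name = $Name; Priority = $null; Weight = $null; Port = $null; Target = $null }
        }
        elseif ($current -and $line -match '^\s*(?<Field>priority|weight|port|svr hostname)\s*=\s*(?<Value>\S+)') {
            switch ($Matches.Field) {
                'priority'     { $current.Priority = [int]$Matches.Value }
                'weight'       { $current.Weight   = [int]$Matches.Value }
                'port'         { $current.Port     = [int]$Matches.Value }
                'svr hostname' { $current.Target   = $Matches.Value.TrimEnd('.') }
            }
        }
    }
    if ($current) { $records += New-Object PSObject -Property $current }
    $records
}

function Test-DomainControllerSrv {
    param([Parameter(Mandatory = $true)][string]$Domain, [string]$DnsServer)
    # _ldap._tcp.dc._msdcs.<domain> lists every domain controller; _kerberos._tcp.dc._msdcs.<domain> every KDC.
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs') {
        foreach ($r in Resolve-SrvRecord -Name "$svc.$Domain" -DnsServer $DnsServer) {
            $resolves = $true
            try { [System.Net.Dns]::GetHostAddresses($r.Target) | Out-Null } catch { $resolves = $false }
            $r | Add-Member -MemberType NoteProperty -Name TargetResolves -Value $resolves -PassThru
        }
    }
}

# Constructed sample in the shape of nslookup -type=SRV output (not captured from a real server).
$sample = @(
    'Server:  dc1.cpandl.com', 'Address:  192.168.1.50', '',
    '_ldap._tcp.dc._msdcs.cpandl.com SRV service location:',
    '          priority       = 0', '          weight         = 100', '          port           = 389',
    '          svr hostname   = dc1.cpandl.com',
    '_ldap._tcp.dc._msdcs.cpandl.com SRV service location:',
    '          priority       = 0', '          weight         = 100', '          port           = 389',
    '          svr hostname   = dc2.cpandl.com',
    'dc1.cpandl.com  internet address = 192.168.1.50', 'dc2.cpandl.com  internet address = 192.168.1.51'
)
Resolve-SrvRecord -Name '_ldap._tcp.dc._msdcs.cpandl.com' -SampleOutput $sample | Format-Table Target, Port, Priority, Weight -AutoSize
# Live check: Test-DomainControllerSrv -Domain cpandl.com | Format-Table Name, Target, Port, TargetResolves -AutoSize
```

A record whose TargetResolves is False usually means the domain controller's A record is missing or the client is using a DNS server that does not host the _msdcs zone.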

Examine the Configuration of the DNS Server

The output of DNSCMD /Info starts with the server's identity and directory partition settings; the excerpt shows the following fields and values:

Server name
Version
DS container
Forest name
Domain name
Builtin domain partition   DomainDnsZones.cpandl.com
Builtin forest partition   ForestDnsZones.cpandl.com
Last scavenge cycle        not since restart (0)
DefaultNoRefreshInterval   168
ServerAddresses            Addr Count = 1, Addr[0] => 192.168.1.50
ListenAddresses

Table 27-1 summarizes section by section the output from DNSCMD /Info. Using DNSCMD /Config, you can configure most of these options. The actual subcommand to use is indicated in parentheses in the first...

Creating a Simple or Spanned Volume

You create simple and spanned volumes in much the same way. The difference between the two is that a simple volume uses free space from a single disk to create a volume, while a spanned volume combines the disk space on multiple disks to create the appearance of a single volume. If you later need more space, you can extend either volume type by using Disk Management. Here, you select an area of free space on any available disk and add it to the volume. When you extend a simple...

Tracking and Logging File Share Permissions by Using Srv Check

SrvCheck is a handy tool for helping you track file share and print share permissions on both local and remote systems. You can use it to display a list of shares and who has access. If you redirect the output of SrvCheck, you can save the share configuration and access information to a file, and this file can become a log that helps you track share permission changes over time. To run SrvCheck, type srvcheck \\ComputerName, where ComputerName is the domain name or IP address of the computer whose...
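The log idea above becomes a change detector once you keep one capture per run and compare consecutive captures. The following PowerShell is an added example, not code from the book: it saves the SrvCheck output for a computer to a dated file and then reports the lines that were added or removed since the previous capture, so a new share or a changed permission entry shows up without anyone reading the whole file. It treats the output as opaque text, so it does not depend on SrvCheck's exact layout; the log folder and server name are hypothetical.

```powershell
# Added example (not from the book): log SrvCheck output per run and diff it with the previous run.
function Save-ShareBaseline {
    param([Parameter(Mandatory = $true)][string]$ComputerName, [string]$LogRoot = 'C:\ShareAudit')
    $dir = Join-Path $LogRoot $ComputerName
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $file = Join-Path $dir ((Get-Date -Format 'yyyyMMdd-HHmmss') + '.txt')
    & srvcheck "\\$ComputerName" 2>&1 | ForEach-Object { "$_" } | Set-Content -Path $file
    if ($LASTEXITCODE -ne 0) { Write-Warning "srvcheck returned $LASTEXITCODE for $ComputerName" }
    Get-Item $file
}

function Compare-ShareBaseline {
    param([Parameter(Mandatory = $true)][string]$ComputerName, [string]$LogRoot = 'C:\ShareAudit')
    $files = @(Get-ChildItem -Path (Join-Path $LogRoot $ComputerName) -Filter '*.txt' | Sort-Object Name)
    if ($files.Count -lt 2) { Write-Warning 'Need at least two captures to compare'; return }
    $previous = Get-Content $files[-2].FullName
    $current  = Get-Content $files[-1].FullName
    # Lines only in the newer capture are additions (=>); lines only in the older one are removals (<=).
    Compare-Object -ReferenceObject $previous -DifferenceObject $current |
        Select-Object @{n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } }},
                      @{n = 'Line';   e = { $_.InputObject }}
}

# Usage, for example from a scheduled task:
# Save-ShareBaseline -ComputerName 'fs1' | Out-Null
# Compare-ShareBaseline -ComputerName 'fs1'
```

An empty result from Compare-ShareBaseline means nothing in the share list or its access entries changed between the two runs.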

Resolve problems with the quorum resource

You can start the Cluster service from the command line as well. This is useful if there are problems with the quorum resource and you want to try to repair them. In this case, stop the Cluster service by selecting File, Stop Cluster Service. Then, at the command line, type clussvc /debug /fixquorum. Only one node can be started at a time using this approach. The server will start the Cluster service but won't bring any resources online. You can then try to bring the quorum resource online...

Indexing Service

Remote Installation Services (RIS), domain controllers, and any other computer in the domain that uses these services rely heavily on the change journal. The change journal allows these services to be very efficient at determining when files, folders, and other NTFS objects have been modified. Rather than checking time stamps and registering for file notifications, these services perform direct lookups in the change journal to determine all the modifications made to a set of files. Not only is...

Quick Look Using Event Comb

EventComb, shown in Figure 15-13, is a Windows Server 2003 Resource Kit tool used for searching the event logs on multiple systems. If you've installed the Resource Kit as discussed in Chapter 1, Introducing Windows Server 2003, you can start EventComb by typing eventcombmt at the command line. Figure 15-13. EventComb lets you search multiple systems in a domain for events by event ID, source, and search text.

Configuring Delegated Authentication

Windows Server 2003 Account Options

To use delegated authentication, the user account, as well as the service or computer account acting on the user's behalf, must be configured to support delegated authentication. Configuring the Delegated User Account For the user account, you must ensure that the account option Account Is Sensitive And Cannot Be Delegated is not selected, which by default it isn't. If you want to check this option, use Active Directory Users And Computers, as shown in the following screen. Double-click the...
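The two sides of this configuration, the user account that may be delegated and the service or computer account that is trusted to delegate, are both stored as bits in the userAccountControl attribute, so they can be audited in one query instead of one dialog box at a time. The following PowerShell is an added example, not code from the book: it searches users and computers with an ADSI DirectorySearcher and reports, per account, whether it is marked sensitive (cannot be delegated), trusted for unconstrained delegation, or configured for constrained delegation. The bit values are the documented ADS_UF_ flags; the search base is an assumption.

```powershell
# Added example (not from the book): read the delegation bits of userAccountControl
# for every user and computer account.
$UF_TRUSTED_FOR_DELEGATION         = 0x80000     # "Trust this computer/user for delegation to any service"
$UF_NOT_DELEGATED                  = 0x100000    # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with "Use any authentication protocol"

function Get-DelegationState {
    param([string]$SearchBase = 'LDAP://DC=cpandl,DC=com')      # assumption: adjust to your domain
    $root = [ADSI]$SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 1000                                     # page results so large domains are returned in full
    $searcher.Filter = '(|(objectCategory=person)(objectCategory=computer))'
    foreach ($attr in 'sAMAccountName', 'userAccountControl', 'msDS-AllowedToDelegateTo', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties                                   # property names come back lowercased
        $uac = [int]$p['useraccountcontrol'][0]
        $targets = @($p['msds-allowedtodelegateto'])              # SPNs this account may delegate to (constrained)
        New-Object PSObject -Property @{
            Account       = [string]$p['samaccountname'][0]
            Sensitive     = (($uac -band $UF_NOT_DELEGATED) -ne 0)
            Unconstrained = ((($uac -band $UF_TRUSTED_FOR_DELEGATION) -ne 0) -and ($targets.Count -eq 0))
            Constrained   = ($targets.Count -gt 0)
            AnyProtocol   = (($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
            Targets       = ($targets -join ';')
            DN            = [string]$p['distinguishedname'][0]
        }
    }
}

# Usage: accounts trusted for delegation that are not domain controllers deserve review,
# and administrative accounts should normally be marked Sensitive.
# Get-DelegationState | Where-Object { $_.Unconstrained -or $_.Constrained } |
#     Format-Table Account, Unconstrained, Constrained, AnyProtocol, Targets -AutoSize
# Get-DelegationState | Where-Object { -not $_.Sensitive -and $_.Account -match 'admin' }
```

Domain controller computer accounts are trusted for delegation by default and will appear in the first list; any other account with Unconstrained set to True can obtain tickets for every user who authenticates to it, which is the reason the sensitive-account option exists.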

Windows Server 2008 Add Drive Letter To Spanned Drive

The real value of mount points, however, lies in how they allow you to create the appearance of a single file system from multiple hard disk drives without having to use spanned volumes. Consider the following scenario: A department file server has four data drives: drive 1, drive 2, drive 3, and drive 4. Rather than mount the drives as D, E, F, and G, you decide it'd be easier for users to work with the drives if they were all mounted as folders of the system drive, C:\Data....

Windows 2003 Add Printer

When you have computers running classic Mac OS, you might need to use a Windows server as the print server. To do this, you must install Print Services For Macintosh and then configure the print server to communicate with the AppleTalk printer. It is important to note that Print Services For Macintosh isn't available for 64-bit versions of Windows Server 2003. It is also important to note that once you set up a Windows computer as the print server for an AppleTalk printer, the print service can...

Modifying Group Policy Processing

You can modify Group Policy processing by disabling a policy in whole or in part. Disabling a policy is useful if you no longer need a policy but might need to use that policy again in the future. Disabling part of a policy is useful so that the policy applies only to either users or computers but not both. In the Group Policy Management console, you can enable and disable policies partially or entirely by completing the following steps:
1. Select the policy in a container to which it is linked...