70-290 Notes
Domain Functional Levels
In Windows Server 2003, four domain functional levels are available: Windows
2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and
Windows Server 2003.
■ Windows 2000 mixed For supporting Microsoft Windows NT 4, Windows
2000, and Windows Server 2003 domain controllers
■ Windows 2000 native For supporting Windows 2000 and Windows
Server 2003 domain controllers
■ Windows Server 2003 interim For supporting Windows NT 4 and
Windows Server 2003 domain controllers
■ Windows Server 2003 For supporting Windows Server 2003 domain
controllers
Windows Server 2003 Versions:
In Windows Server 2003, four domain functional levels are available: Windows
2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and
Windows Server 2003.
■ Windows 2000 mixed For supporting Microsoft Windows NT 4, Windows
2000, and Windows Server 2003 domain controllers
■ Windows 2000 native For supporting Windows 2000 and Windows
Server 2003 domain controllers
■ Windows Server 2003 interim For supporting Windows NT 4 and
Windows Server 2003 domain controllers
■ Windows Server 2003 For supporting Windows Server 2003 domain
controllers
Windows Server 2003 Versions:
Web Edition
Max 2 GB of RAM
Cannot be Internet gateway, DHCP or Fax server
Cannot act as a terminal server supporting multiple concurrent connections
Can belong to a domain but not be a domain controller
Standard Edition
4 GB of RAM
Enterprise Edition
32 bit – 32 GB of RAM
64 bit – 64 GB of RAM
Datacenter Edition
32 bit – 64 GB of RAM
64 bit – 512 GB of RAM
64 bit editions do not support 16 bit applications
Windows Server 2003 retail and evaluation versions require activation
Multiple domains using a contiguous DNS name creates a tree
Example – europle.abc.com, us.abc.com
Forest – Contains all domains within that AD
Global Catalog – Provides information about objects to other domains in the forest
You can add a domain controller by using the add a server role option or dcpromo.exe
MMC Stand-Alone Snap-Ins – Snap-Ins that are only available in separate windows
MMC Extension Snap-Ins – Snap-Ins available inside of other snap-ins. For example event viewer
MMC Author Mode provides full access to add and remove snap-ins, change options mode, create windows
Remote Desktop and Terminal Servers
To connect to another machine through MMC TCP ports 135 and 445 must be opened
Remote Desktop for Administration allows only two concurrent connections.A user must be an admin on the machine or member of Remote Desktop group and windows firewall exception for remote administration must be enabled (port 3389.)
Terminal Services Configuration
Setting properties on the Terminal Server, including session, network,
client desktop, and client remote control settings
Terminal Services Manager
Sending messages to connected Terminal Server clients, disconnecting
or logging off sessions, and establishing remote control or shadowing
of sessions
Remote Desktop Client Installation Files
Installation of the Windows Server 2003 or Windows XP Remote Desktop
Client application. The 32-bit Remote Desktop client software can
be installed from %Systemroot%\System32\Clients\Tsclient\Win32 of
the Terminal Server.
Terminal Services Licensing
Configuration of licenses for client connections to a terminal server.
This tool is not applicable for environments that use only Remote
Desktop For Administration.
To enable Remote Desktop connections on a computer running Windows Server 2003,
open the System properties from Control Panel. In the Remote tab, select Allow Users
To Connect Remotely To This Computer.
If the Terminal Server is a Domain Controller, you must also configure the Group Policy
on the Domain Controller to allow connection through Terminal Services to the Remote
Desktop Users group. By default, Domain Controllers allow only members of the Administrators
group to log on using Terminal Services. Member servers will allow Terminal Services
connections by the Remote Desktop Users group by default.
You manage clientside configuration in the Remote Desktop Connection client. You configure server-side
settings using the Terminal Services Configuration console. The vast majority of serverside
settings are found within the Properties dialog box for the RDP-Tcp connection.
Any setting that conflicts between the configuration of the server and the client is
resolved using the server’s setting.
You may also establish connections for Remote Desktop For Administration using the
Remote Desktops snap-in or the Mstsc.exe command. Both of these clients support connecting
to the console session (Session 0) of a server, which is identical to the session you
would receive if you logged on interactively to the server. A console session enables you to
perform actions that are restricted in other Remote Desktop For Administration sessions
(Sessions 1 or 2).
Examine group membership if access is denied when establishing a Remote
Desktop For Administration connection. In earlier versions of Terminal Server, you had to be a
member of the Administrators group to connect to the server, although special permissions
could be established manually. Now you can be a member of the Remote Desktop Users
groups on member servers and workstations. Domain controllers require you to be a member
of the Administrators group. In the “real world,” you can grant the right to log on through Terminal
Services to any user or group through Group Policy. You cannot increase the default
limit of two concurrent connections of Remote Desktop For Administration.
Watch for questions that use Windows 2000 ICS for remote assistance from a
big, corporate help desk to a small satellite office. Because Windows 2000 ICS does not support
UPnP, Remote Assistance problems will abound.
Always use the Add/Remove Programs tool in Control Panel to install an application
on a terminal server. Add/Remove Programs will automatically switch the terminal server into installation mode prior to starting the application’s setup routine. While in
installation mode, the terminal server manages the configuration of the application
appropriately so that the application can run in multiuser mode.
Many administrators misunderstand the use of the Terminal Services Home Folder. This
setting, which can be configured as part of the user account,or through Group Policy, determines the location of a folder that is used by Terminal Services to store user-specific files for multiuser applications. It does not affect the storage
location for user data files. By default, the Terminal Services Home Folder is created as a folder called Windows in the user’s profile. To manage where user data is stored, configure the user’s standard Home Folder setting in the Profile tab of the user account, or use the best practice of redirecting the My Documents folder.Many administrators misunderstand the use of the Terminal Services Home Folder. This setting, which can be configured as part of the user account, as shown in Figure 2-11, or through Group Policy, determines the location of a folder that is used by Terminal
Services to store user-specific files for multiuser applications. It does not affect the storage
location for user data files. By default, the Terminal Services Home Folder is created
as a folder called Windows in the user’s profile. To manage where user data is
stored, configure the user’s standard Home Folder setting in the Profile tab of the user
account, or use the best practice of redirecting the My Documents folder.
After a 120-day evaluation period, connections to a computer running Terminal Server
will not be successful unless the terminal server can obtain a client license from a Terminal
Server License Server. Therefore, as part of your Terminal Server deployment,
you must install a Terminal Server License Server, preferably on a server that is not a
terminal server. Use Add/Remove Programs to install Terminal Server Licensing. You will be asked
whether the server should be an Enterprise License Server or a Domain License Server.
An Enterprise License Server is the most common configuration, and the server can
provide licenses to terminal servers in any Windows 2000 or Windows Server 2003
domain within the forest. Use a Domain License Server when you want to maintain a
separate license database for each domain or when terminal servers are running in a
workgroup or a Microsoft Windows NT 4 domain. Once installed, Terminal Server Licensing is managed with the Terminal Server Licensing console in Administrative Tools. The first task you will perform is activating the Terminal
Server License Server by right-clicking the Terminal Server License Server and choosing Activate Server.
When a user connects to a terminal server, the server will examine the Terminal Services
properties of the user’s account to determine certain settings. If Terminal Services
user accounts are stored on the terminal server, the Local Users and Groups snap-in
will expose Terminal Services settings in the Properties of user accounts. More commonly,
user accounts are in Active Directory directory service, in which case the Active
Directory Users And Computers snap-in exposes Terminal Services settings in the Environment,
Remote Control, and Terminal Services Profile tabs within the user properties
dialog box.Settings in the user account will override settings in the Remote Desktop client.
Configurations specified by GPOs will override settings in the Remote Desktop Connection client, in the user account, or on
the RDP-Tcp connections of terminal servers. Of course, those settings will apply only
to the users or computers within the scope of the organizational unit (OU) to which the GPO is linked.
Terminal Server order of command - COmputer GPO -> User GPO -> Terminal Server settings -> User account in AD -> RDP Settings
The user must have the user logon right to log on to the terminal server. Windows
Server 2003 separates the right required to log on locally to a server from the right
required to log on to a server using a remote desktop connection. The user rights
Allow Log On Through Terminal Services, as shown in Figure 2-17, and Deny Log
On Through Terminal Services can be used to manage this right, using either local
policy or Group Policy. On member servers, the local Administrators and Remote
Desktop Users groups have the right to log on through Terminal Services. On
domain controllers, only Administrators have the right by default. If a user does
not have sufficient logon rights, an error message will appear that indicates that
the policy of the terminal server does not allow logon.
The Allow Logon To Terminal Server check box must be selected. The user
account’s Terminal Services Profile tab, as shown in Figure 2-11, indicates that the
user is allowed to log on to a terminal server. If this setting is disabled, the user
will receive an error message indicating that the interactive logon privilege has
been disabled. This error message is easy to confuse with insufficient user logon
rights; however, in that case the error message indicates that the local policy of the
server is not allowing logon.
The user account’s Connect Client Drives At Logon setting
does not affect drive redirection using the Remote Desktop Connection client; it is
meant to manage drive redirection for Citrix’s Integrated Computing Architecture
(ICA) clients.
Printer redirection will also be disabled if the Connect Client Printers At Logon setting is not enabled in the user account
properties. Selecting this option in the user account does not cause printer redirection; the client must specify redirection in the Local Resources tab. But if disabled, the user account setting will override the client setting.
For a user to successfully connect, Remote Desktop connections must be enabled
on the server, the server’s connection (for example, the RDP-Tcp connection) must
allow connections for a group to which the user belongs, the user must be in a
group that is granted the right Allow Logon Through Terminal Services, and the
user account must Allow Logon To Terminal Server. On a member server, all the
appropriate permissions are configured by default for the Remote Desktop Users
group, so you must simply enable Remote Desktop connections and add the user
to that group.
Load-Balancing Terminal Servers
In previous implementations of Terminal Services, it was difficult to load-balance terminal
servers. Windows Server 2003 Enterprise and Datacenter Editions introduce the
ability to create server clusters, which are logical groupings of terminal servers. When
a user connects to the cluster, the user is directed to one server. If the user’s session is
disconnected and the user attempts to reconnect, the terminal server receiving the connection
will check with the Session Directory to identify which terminal server is hosting
the disconnected session and will redirect the client to the appropriate server.
To configure a terminal server cluster, you need
¦ A load-balancing technology such as Network Load Balancing (NLB) or DNS
round-robin. The load-balancing solution will distribute client connections to each
of the terminal servers.
¦ A Terminal Services Session Directory. You must enable the Terminal Services Session
Directory, which is installed by default on Windows Server 2003 Enterprise and
Datacenter Editions, using the Services console in Administrative Tools. It is best
practice to enable the session directory on a server that is not running Terminal
Server. The Terminal Services Session Directory maintains a database that tracks
each user session on servers in the cluster. The computer running the session directory
creates a Session Directory Computers local group, to which you must add the
computer accounts of all servers in the cluster.
¦ Terminal server connection configuration. Finally, you must direct the cluster’s
servers to the session directory. This process involves specifying that the server is
part of a directory, the name of the session directory server, and the name for the
cluster, which can be any name you wish as long as the same name is specified for
each server in the cluster. These settings can be specified in the Server Settings
node of Terminal Server Configuration, or they can be set using a GPO applied to
an OU that contains the computer objects for the cluster’s terminal servers.
To load-balance terminal servers, you must configure a load-balancing technology
such as NLB or DNS round-robin, enable the Terminal Services Session Directory
on a server, add computer accounts for the servers to the directory server’s Session
Directory Computers local group, and configure the servers to belong to the cluster
through Terminal Server Configuration or Group Policy.
Remote Control is available only when using Terminal Server Manager within a
terminal server session. You cannot establish remote control by opening Terminal Server
Manager on your PC.
Installing a Terminal Server is done through Control Panel -> Add/Remove Programs -> Add/Remove Windows Components
User Accounts
You must be a member of the Enterprise Admins, Domain Admins, or Account
Operators groups, or you must have been delegated administrative permissions to
create user objects.
When you have multiselected user objects, a subset of properties is available for
modification.
¦ General tab Description, Office, Telephone Number, Fax, Web Page, E-mail
¦ Account tab UPN Suffix, Logon Hours, Computer Restrictions (logon workstations),
all Account Options, Account Expires
¦ Address Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region
¦ Profile Profile Path, Logon Script, and Home Folder
¦ Organization Title, Department, Company, Manager
You must be a member of the Enterprise Admins, Domain Admins, or Account
Operators groups, or you must have been delegated administrative permissions to
create user objects.
Csvde is a command-line utility that allows you to import or export objects in Active
Directory from (or to) a comma-delimited text file (also known as a comma-separated
value or CSV file), which is, of course, a common format easily read and saved using
Notepad and Microsoft Office Excel.
csvde [-i] [-f FileName] [-k]
-i : Specifies import mode. If not specified, the default mode is export.
-f FileName : Identifies the import file name.
-k : Ignores errors including “object already exists,” “constraint violation,” and “attribute
or value already exists” during the import operation and continues processing.
Csvde does not support importing or exporting user passwords.
Dsadd Adds objects to the directory.
¦ Dsget Displays (“gets”) properties of objects in the directory.
¦ Dsmod Modifies select attributes of an existing object in the directory.
¦ Dsmove Moves an object from its current container to a new location. Can also
be used to rename an object without moving it.
¦ Dsrm Removes an object, the complete subtree under an object, or both.
¦ Dsquery Queries Active Directory for objects that match a specified search criterion.
This command is often used to create a list of objects, which are then piped
to the other command-line tools for management or modification.
Domain controller and credentials used for the command
{-s Server | -d Domain} Connects to a specified remote server or domain.
-u UserName Specifies the user name with which the user logs on to a remote
server. By default, -u uses the user name with which the user
logged on. You can use any of the following formats to specify a
user name:
¦ user name (for example, Linda)
¦ domain\user name (for example, widgets\Linda)
¦ UPN (for example, Linda@widgets.microsoft.com)
-p {Password | *} Specifies to use either a password or a * to log on to a remote
Dsadd Adds objects to the directory.
■ Dsget Displays (“gets”) properties of objects in the directory.
■ Dsmod Modifies select attributes of an existing object in the directory.
■ Dsmove Moves an object from its current container to a new location. Can also
be used to rename an object without moving it.
■ Dsrm Removes an object, the complete subtree under an object, or both.
■ Dsquery Queries Active Directory for objects that match a specified search criterion.
This command is often used to create a list of objects, which are then piped
to the other command-line tools for management or modification.
By default, user profiles are stored locally on the system in the %Systemdrive% \Documents
and Settings\%Username% folder. They operate in the following manner:
■ When a user logs on to a system for the first time, the system creates a profile for
the user by copying the Default User profile. The new profile folder is named
based on the logon name specified in the user’s initial logon.
■ All changes made to the user’s desktop and software environment are stored in
the local user profile. Each user has his or her individual profiles so settings are
user-specific.
■ The user environment is extended by the All Users profile, which can include
shortcuts in the desktop or start menu, network places, and even application data.
Elements of the All Users profile are combined with the user’s profile to create the
user environment. By default, only members of the Administrators group can
modify the All Users profile.
■ The profile is truly local. If a user logs on to another system, the documents and
settings that are part of their profile do not follow the user. Instead, the new system
behaves as outlined here, generating a new
When a user with a roaming user profile logs on to a new system for the first time, the system does
not copy its Default User profile. Instead, it downloads the RUP from the network location.
When a user logs off, or when a user logs on to a system on which he or she had
worked before, the system copies only files that have changed.
To create a preconfigured default profile for a single system, replace the computer’s
Default User profile. To create a preconfigured default profile for the entire domain,
copy the preconfigured profile to the NETLOGON share into a subfolder named Default User.
The profile path is configured as a property of one or more user objects. It is not
assigned to a group object. Although the concept is that of a group profile, do not fall into the
trap of associating the profile with a group object itself.
To create a mandatory profile that does not save changes between sessions renme the ntuser.dat file to ntuser.man
Audit Policies
The following policies are located in the Computer Configuration, Windows Settings,
Security Settings, Local Policies, Audit Policy node of Group Policy Object Editor (or
the Local Security Policy snap-in). You can configure auditing for successful or failed
events.
■ Audit Account Management Configures auditing of activities, including the
creation, deletion, or modification of user, group, or computer accounts. Password
resets are also logged when account management auditing is enabled.
■ Audit Account Logon Events This policy audits each instance of user logon
that involves domain controller authentication. For domain controllers, this policy
is defined in the Default Domain Controllers GPO. Note, first, that this policy will
create a Security log entry on a domain controller each time a user logs on interactively
or over the network using a domain account. Second, remember that to
evaluate fully the results of the auditing, you must examine the Security logs on all
domain controllers because user authentication is distributed among each domain
controller in a site or domain.
■ Audit Logon Events Logon events include logon and logoff, interactively or
through network connection. Account logon events are generated on the local
computer for local accounts and on the domain controller for network accounts,
whereas logon events are generated wherever the logon occurs. If you have
enabled Audit Logon Events policy for successes on a domain controller, workstation
logons will not generate logon audits. Only interactive and network logons to
the domain controller itself generate logon events.
Keep track of the distinction between Account Logon and Logon events. When a user
logs on to his or her workstation using a domain account, the workstation registers a Logon
event and the domain controller registers an Account Logon event. When the user connects to
a network server’s shared folder, the server registers a Logon event and the domain controller
registers an Account Logon event.
Security Event Log
After you have configured auditing, the security logs will begin to fill with event messages.
You can view these messages by selecting the Security log in the Event Viewer
snap-in and then double-clicking the event.
Remember that you will need to monitor Account Logon events on each domain
controller to determine if and when a user attempts to log on using a domain account. You
must monitor Logon events on systems to determine if and when a user attempts to log on to
or connect to those systems using either a domain or local account.
The Default Domain Policy drives account policies, including the password and
lockout policies, whereas the Default Domain Controllers Policy specifies key
auditing policies for domain controllers.
Auditing for authentication generates events in each domain controller’s security
logs.
Groups
Local groups (or machine local groups) are used primarily for backward compatibility
with Windows NT 4. There are local users and groups on computers running Windows
Server 2003 that are configured as member servers. Domain controllers do not use local
groups.
■ Local groups can include members from any domain within a forest, from trusted
domains in other forests, and from trusted down-level domains.
■ A local group has only machinewide scope; it can grant resource permissions only
on the machine on which it exists.
Domain local groups are used primarily to assign access permissions to global groups
for local domain resources. Domain local groups:
■ Exist in all mixed, interim, and native functional level domains and forests.
■ Are available domainwide only in Windows 2000 native or Windows Server 2003
domain functional level domains. Domain local groups function as a local group
on the domain controllers while the domain is in mixed or interim domain functional
level.
■ Can include members from any domain in the forest, from trusted domains in
other forests, and from trusted down-level domains.
■ Have domainwide scope in Windows 2000 native and Windows Server 2003
domain functional level domains and can be used to grant resource permission on
any computer running Windows Server 2003 within, but not beyond, the domain
in which the group exists.
Global groups are used primarily to provide categorized membership in domain local
groups for individual security principals or for direct permission assignment (particularly in the case of a mixed or interim domain functional level domain). Often, global groups
are used to collect users or computers in the same domain and share the same job, role,
or function. Global groups:
■ Exist in all mixed, interim, and native functional level domains and forests
■ Can include only members from within their domain
■ Can be made a member of machine local or domain local group
■ Can be granted permission in any domain (including trusted domains in other forests
and pre–Windows 2003 domains)
■ Can contain other global groups (Windows 2000 native or Windows Server 2003
domain functional level only)
Universal groups are used primarily to grant access to resources in all trusted domains,
but universal groups can be used only as a security principal (security group type) in
a Windows 2000 native or Windows Server 2003 domain functional level domain.
■ Universal groups can include members from any domain in the forest.
■ In domains configured at the Windows 2000 native or Windows Server 2003
domain functional level, you can grant universal groups permissions in any
domain, including domains in other forests with which a trust exists.
There are also some special groups called special identities that are managed by the
operating system. Special identities cannot be created or deleted; nor can their membership
be modified by administrators. Special identities do not appear in the Active
Directory Users And Computers snap-in or in any other computer management tool,
but can be assigned permissions in an ACL. Table 4-2 details some of the special identities
in Windows Server 2003.
Groups can be nested when the domain in which they reside is set to either the
Windows 2000 native or Windows Server 2003 domain functional level. If the
domain is in mixed or interim domain functional level, which means that you are
still supporting Windows NT 4 domain controllers, no group nesting is possible.
■ Changing the type or scope of a group is only possible when the domain functional
level is Windows 2000 native or Windows Server 2003.
Both Csvde and Ldifde provide import and export capabilities, allowing large
numbers of security principals (including users or groups) to be created at once with the least
possible administrative effort. However, the Ldifde command and its file structure are
nowhere near as intuitive for administrators as the comma-delimited file supported by Csvde.
For the 70-290 certification examination, you should understand that both commands are
able to import and export objects using their respective file formats. Only Ldifde is capable of
modifying existing objects or removing objects.
The Dsget command, introduced in Chapter 3, returns specified attributes from one or
more objects. The Dsget command has a particularly useful role with groups: it can
return the list of members of a group. For example, the following command returns a
list of DNs of each member of the Sales group:
dsget group “CN=Sales,OU=Employees,DC=Contoso,DC=Com” –members
Dsquery returns a list of objects in Active Directory based on properties specified
as search criteria. It is the most common way to produce a list of DNs to pipe to another
directory service command. Dsget, however, is the only directory service command that produces
a list of DNs of members of a group.
Computer Accounts
Computers by default will be created in the 'Computers' container
Domain users can also create computer objects through an interesting, indirect
process. When a computer is joined to the domain and an account does not exist,
Active Directory creates a computer object automatically, by default, in the Computers
OU. Each user in the Authenticated Users group (which is, in effect, all users) is
allowed to join 10 computers to the domain, and can therefore create as many as 10
computer objects in this manner.
Members of the Administrators and Account Operators groups have, by default,
permission to create computer objects in Active Directory.
■ Active Directory Users And Computers, Dsadd, and Netdom can be used to create
computer accounts.
■ You must be logged on as a member of the local Administrators group to change
the domain membership of a machine.
You can allow any user or group to join a computer to a domain account by using
the property The Following User Or Group Can Join This Computer To A Domain.
Resetting a computer account resets its password but maintains all of the computer
object’s properties. With a reset password, the account becomes, in effect, “available”
for use. Any computer can then join the domain using that account, including the
upgraded system.
In fact, the computer that had previously joined the domain with that account can use
the reset account by simply rejoining the domain. This reality will be explored in more
detail in the troubleshooting lesson.
In the rare circumstance that an account or secure channel breaks down, the symptoms of
failure are generally obvious. The most common signs of computer account problems are:
■ Messages at logon indicate that a domain controller cannot be contacted, that the
computer account might be missing, that the password on the computer account
is incorrect, or that the trust (another way of saying “the secure relationship”)
between the computer and the domain has been lost.
■ Error messages or events in the event log indicating similar problems or suggesting
that passwords, trusts, secure channels, or relationships with the domain or a
domain controller have failed. One such error is NETLOGON Event ID 3210:
Failed To Authenticate, which appears in the computer’s event log.
■ A computer account is missing in Active Directory.
If one of these situations occurs, you must troubleshoot the account. You learned earlier
how to delete, disable, and reset a computer account and, at the beginning of the
chapter, how to join a machine to the domain.
The rules that govern troubleshooting a computer account are:
A. If the computer account exists in Active Directory, it must be reset.
B. If the computer account is missing in Active Directory, you must create a computer
account.
C. If the computer still belongs to the domain, it must be removed from the domain
by changing its membership to a workgroup. The name of the workgroup is irrelevant.
Best practice is to choose a workgroup name that you know is not in use.
In scenarios involving computer failure or the deployment of a new system to a
user, you accomplish this step by installing or reinstalling the operating system
using the same computer name as the previous system.
D. Rejoin the computer to the domain. Alternatively, join another computer to the
domain; but the new computer must have the same name as the computer account.
To troubleshoot any computer account problem, apply all four rules. These rules can
be addressed in any order, except that Rule D, involving rejoining the computer to the
domain, must, as always, be performed as the final step. Let’s examine two scenarios.
Files and Folders
Windows Explorer can be used only to configure shares on a local volume. This
means you must be logged on locally (interactively) to the server or using Remote
Desktop (terminal services) to use Explorer to manage shares.
■ The Shared Folders snap-in allows you to manage shares on a local or remote
computer.
■ Share permissions do not apply to local (interactive), terminal services, IIS, or
other types of access.
Understanding Effective Permissions
The rules that determine effective permissions are as follows:
■ File permissions override folder permissions. This isn’t really a rule, but it
is often presented that way in documentation, so it is worth addressing. Each
resource maintains an ACL that is solely responsible for determining resource
access. Although entries on that ACL might appear because they are inherited from
a parent folder, they are nevertheless entries on that resource’s ACL. The security
subsystem does not consult the parent folder to determine access at all. So you
might interpret this rule as: The only ACL that matters is the ACL on the resource.
■ Allow permissions are cumulative. Your level of resource access might be
determined by permissions assigned to one or more groups to which you belong.
The Allow permissions that are assigned to any of the user, group, or computer
IDs in your security access token will apply to you, so your effective permissions
are fundamentally the sum of those Allow permissions. If the Sales Reps group is
allowed Read & Execute and Write permissions to a folder, and the Sales Managers
group is allowed Read & Execute and Delete permissions, a user who belongs to
both groups will have effective permissions equivalent to the Modify permissions
template: Read & Execute, Write and Delete.
■ Deny permissions take precedence over Allow permissions. A permission
that is denied will override a permission entry that allows the same access. Extending
the example above, if the Temporary Employees group is denied Read permission,
and a user is a temporary sales representative, belonging to both Sales Reps
and Temporary Employees, that user will not be able to read the folder.
■ Explicit permissions take precedence over inherited permissions. A permission
entry that is explicitly defined for a resource will override a conflicting
inherited permission entry. This follows common-sense design principles: A parent
folder sets a “rule” through its inheritable permissions. A child object requires
access that is an exception to the rule and so an explicit permission is added to its
ACL. The explicit permission takes precedence.
A result of this dynamic is that an explicit Allow permission will override an inherited
Deny permission.
Ownership of a file:
■ Administrators can take ownership. A user who belongs to the Administrators
group of a system, or who has otherwise been granted the Take Ownership
user right on a system, can take ownership of any object on that system.
■ Users can take ownership if they are allowed Take Ownership permission.
The special permission Take Ownership can be granted to any user
or group. A user with an Allow Take Ownership permission can take ownership
of the resource and then, as owner, modify the ACL to grant himself or herself
sufficient permissions.
■ Administrators can facilitate the transfer of ownership. An administrator
can take ownership of any file or folder. Then, as owner, the administrator can
change permissions on the resource to grant Allow Take Ownership permission to
the new owner, who then can take ownership of the resource.
■ Restore Files And Directories user right enables the transfer of ownership.
A user with the Restore Files And Directories rights may transfer ownership
of a file from one user to another. If you have been assigned the Restore Files
And Directories right, you can click Other Users Or Groups and select the new
owner. This capability is new in Windows Server 2003 and makes it possible for
administrators and backup operators to manage and transfer resource ownership
without requiring user intervention.
■ Audit entries are contained in the security descriptor of files and folders on NTFS
volumes. They are configured using Windows Explorer, from the properties of a
file or folder, using the Advanced Security Settings dialog box.
■ Audit entries alone do not generate audit logs. You must also enable the Audit
Object Access policy from Local Security Policy, the Domain Controller Security
Policy, or a GPO.
■ The Security log, viewable with the Event Viewer snap-in, allows you to locate
and examine object access events.
IIS
IIS is not installed by default. It must be added using the Add/Remove Windows Components Wizard from
Add Or Remove Programs, located in Control Panel. Select Application Server, click
Details, and then select Internet Information Services (IIS).
The fundamental processes that take place as a client accesses a resource from IIS are
■ The client enters a URL (Universal Resource Locator) in either of the following
forms:
❑ http://dns.domain.name/virtualdirectory/page.htm
❑ ftp://dns.domain.name/virtualdirectory
■ Domain Name System (DNS) resolves the name to an IP address and returns the
address to the client.
■ The client connects to the server’s IP address, using a port that is specific to the
service (typically, port 80 for HTTP and port 21 for FTP).
■ The URL does not represent the physical path to the resource on the server, but a
virtualization of the path. The server translates the incoming request into the physical
path and produces appropriate resources to the client. For example, the server
Remember that a browser’s request to a Web server is directed at the server’s IP
address, which was resolved from the URL by DNS. The request includes the URL, and
the URL often includes only the site name (www.microsoft.com, for example). How
does the server produce the home page? If you examine the Web Site tab of the Default
Web Site Properties, as shown in Figure 6-17, you see that the site is assigned to All
Unassigned IP addresses on port 80. So the request from the browser hits port 80 on
the server, which then identifies that it is the Default Web Site that should be served.
If the URL includes only the site name (for example, www.microsoft.com or server01.contoso.com), then the
page that will be returned is fetched from the home directory. The Home Directory tab,typically
c:\inetpub\wwwroot. Which file, exactly, should be returned to the client? That is defined in the Documents
tab.
To create a Web site, right-click the Web Sites node or an existing Web site in IIS Manager
and choose New Web Site. To configure a Web site, open its Properties. You can
configure the IP address of the site. If a server has multiple IP addresses, each IP
address can represent a separate Web site. You can also configure the path to the directory
that is used as the home directory. And you can modify the list or order of documents
that can be fetched as the default content page.
Often, a server will host multiple sites on a single IP address. You can do this by assigning
a unique port to each site. If, for example, a Web site is created and assigned to
port 8080, the port must be specified in the URL submitted by clients—for example:
http://server.contoso.com:8080.
Alternatively, you can host multiple sites on a single IP address by configuring host
headers. The client browser must support host headers, and all contemporary browsers,
including Internet Explorer and Mozilla Firefox, support host headers. The client
browser includes the URL—http://www.contoso.com, for example—in its HTTP
request. The server then uses the host header to identify which Web site to serve to the
client. Ensure that each Web site has a unique DNS entry pointing to the same IP
address. Then configure each site with host headers.
A URL can also include more complex path information, such as http: //www.microsoft
.com/windowsserver2003. This URL is not requesting a specific page; there is no
extension such as .htm or .asp on the end of the URL. Instead, it is requesting information
from the windowsserver2003 directory. The server evaluates this additional
component of the URL as a virtual directory. The folder that contains the files
referred to as windowsserver2003 can reside anywhere; they do not have to be
located on the IIS server.
To create a virtual directory, right-click a Web site and choose New Virtual Directory.
The wizard will prompt you for the alias, which becomes the folder name used in the
URL, and the physical path to the resource, which can be on a local volume or remote
server.
To manually back up the IIS configuration, complete the following steps:
1. Right-click the server node in IIS Manager and, from the All Tasks menu, choose
Backup/Restore Configuration. Click Create Backup. When prompted, enter a
name for the backup and click OK.
The metabase and schema are backed up to the directory %Windir%\System32
\Inetsrv\Metaback.
2. Use any backup procedure to back up the contents of the Metaback directory.
You may configure the following authentication methods in the Directory Security tab
of the server, a Web (or FTP) site, a virtual directory, or a file:
Web Authentication Options
■ Anonymous authentication Users may access the public areas of your Web
site without a user name or password.
■ Basic authentication Requires that a user have a local or domain user account.
Credentials are transmitted in clear text.
■ Digest authentication Offers the same functionality as Basic authentication
while providing enhanced security in the way that a user’s credentials are sent
across the network. Digest authentication relies on the HTTP 1.1 protocol.
■ Advanced Digest authentication Works only when the user account is part of
Active Directory. Collects user credentials and stores them on the domain controller.
Advanced Digest authentication requires the user to be using Internet Explorer
5 or later and the HTTP 1.1 protocol.
■ Integrated Windows authentication Collects information through a secure
form of authentication (sometimes referred to as Windows NT Challenge/
Response authentication) where the user name and password are hashed before
being sent across the network.
■ Certificate authentication Adds Secure Sockets Layer (SSL) security through
client or server certificates, or both. This option is available only if you have Certificate
Services installed and configured.
■ .NET Passport authentication Provides a single sign-in service through SSL,
HTTP redirects, cookies, Microsoft JScript, and strong symmetric key encryption.
You must disable Anonymous authentication and configure at least one of the other
authentication options for NTFS permissions to be effective. If users accessing the site are
authenticating anonymously, authorization using NTFS permissions is not possible.
If IIS permissions and NTFS permissions are both in place, the effective permissions
will be the more restrictive.
Backing Up Data
The backup utility in Windows Server 2003, commonly referred to by its executable
name, Ntbackup, can be opened by clicking Backup in the Accessories–System Tools
program group in the Start menu. Alternatively, it can be launched by typing
ntbackup.exe in the Run dialog box.
There are two important limitations of the Backup Utility. First, it does not support
writable DVD and CD formats. To work around this limitation, back up to a file, then
transfer the file to CD or DVD. Second, backing up to any destination except a file
requires that the target media be in a device physically attached to the system. This
means, for example, that you cannot back up data to a tape drive attached to a
remote server.
Normal Backups
All selected files and folders are backed up. The archive attribute is cleared. A Normal
backup does not use the archive attribute to determine which files to back up; all
selected items are transferred to the destination media. Every backup strategy begins with
a Normal backup that essentially creates a baseline, capturing all files in the backup job.
Normal backups are the most time-consuming and require the most storage capacity of
any backup type. However, because they generate a complete backup, normal backups
are the most efficient type from which to restore a system. You do not need to
restore multiple jobs. Normal backups clear the archive attribute from all selected files.
Incremental Backups
Selected files with the archive attribute set are backed up to the destination media. The
archive attribute is cleared. If you perform an incremental backup one day after a normal
backup has been performed, the job will contain only the files that were created
or changed during that day. Similarly, if you perform an incremental backup one day
after another incremental backup, the job will contain only the files that were created
or changed during that day. Incremental backups are the fastest and smallest type of backup. However, they are
less efficient as a restore set because you must restore the normal backup and then
restore, in order of creation, each subsequent incremental backup.
Differential Backups
Selected files with the archive attribute set are backed up. The archive attribute is not
cleared. Because a differential backup uses the archive attribute, the job includes only
files that have been created or changed since the last normal or incremental backup. A
differential backup does not clear the archive attribute; therefore, if you perform differential
backups two days in a row, the second job will include all the files in the first differential
backup, as well as any files that were created or changed during the second
day. As a result, differential backups tend to be larger and more time-consuming than
incremental backups, but less so than normal backups.
Differential backups are significantly more efficient than incremental backups as a
restore set, however. To fully restore a system, you would restore the normal backup
and the most recent differential backup.
Copy Backups
All selected files and folders are backed up. Copy neither uses nor clears the archive
attribute. Copy backups are not used for typical or scheduled backups. Instead, copy
backups are useful to move data between systems or to create an archival copy of data
at a point in time without disrupting standard backup procedures.
Daily Backups
All selected files and folders that have changed during the day are backed up based on
the files’ modify date. The archive attribute is neither used nor cleared. If you want to
back up all files and folders that change during the day without affecting a backup
schedule, use a daily backup.
Restoring Files
You are also asked to specify the restore location. For this option, you have three
choices:
■ Original location Files and folders will be restored to the location from which
they were backed up. The original folder structure will be maintained or, if folders
were deleted, re-created.
■ Alternate location Files and folders will be restored to a folder you designate
in the Alternate Location box. The original folder structure is preserved and created
beneath that folder, where the designated alternate location is equivalent to
the root (volume) of the backed-up data. So, for example, if you backed up a
folder C:\Data\Finance and you restored the folder to C:\Restore, you would find
the Finance folder in C:\Restore\Data\Finance.
Restore Options:
■ Do Not Replace The File On My Computer. This option, the default, causes
the Restore utility to skip files that are already in the target location. A common
scenario leading to this choice is one in which some, but not all, files have been
deleted from the restore location. This option will restore such missing files with
the backed-up files.
■ Replace The File On Disk Only If The File On Disk Is Older. This option
directs the restore process to overwrite existing files unless those files are more
recent than the files in the backup set. The theory is that if a file in the target location
is more recent than the backed-up copy, it is possible that the newer file contains
information that you do not want to overwrite.
■ Always Replace The File On My Computer. Under this restore option, all files
are overwritten by their backed-up versions, regardless of whether the file is more
recent than the backup. You will lose data in files that were modified since the
backup date. Any files in the target location that are not in the backup set will
remain, however.
Before confirming the restore, you can configure how the restore operation will treat
security settings on the backed-up files by clicking Advanced in the Confirm Restore
dialog box and selecting the Restore Security option. If data was backed up from, and
is being restored to, an NTFS file system (NTFS) volume, the default setting will restore
permissions, audit settings, and ownership information. Deselecting this option will
restore the data without its security descriptors, and all restored files will inherit the
permissions of the target restore volume or folder.
■ Single folder Files are restored to the folder you designate, but the folder structure
is not maintained. All files are restored to a single folder.
You must have the Backup Files And Directories user right, or NTFS Read permission,
to back up a file. Similarly, you must have the Restore Files And Directories user right,
or NTFS Write permission to the target destination, to restore a file. Privileges are
assigned to both the Administrators and Backup Operators groups, so it is possible to
enable a user, a group, or a service account to back up and restore by nesting the
account in the Backup Operators group on the server.
There are four media pools related to backup:
■ Unrecognized Tape media that are completely blank or in a foreign format are
contained in the Unrecognized pool until they are formatted.
■ Free This pool contains newly formatted tape media, as well as tapes that have
been specifically marked as free by an administrator. Free media can be moved
into the backup media pool by writing a backup set to them.
■ Backup This pool contains media that have been written to by the Backup Utility.
The Backup Utility will write only to media in the Free media pool (and it will
label the tape with the name you enter just before starting the backup) and to
media, specified by name, in the Backup media pool.
■ Import This pool contains tape media that are not cataloged on the local disk
drive. Cataloging such a tape will move the tape into the backup media pool.
Catalogs
When the Backup Utility creates a backup set, it also creates a catalog listing files and
folders included in the backup set. That catalog is stored on the disk of the server (the
local or on-disk catalog) and in the backup set itself (the on-media catalog). The local
catalog facilitates quick location of files and folders to restore. The Backup Utility can
display the catalog immediately rather than load the catalog from the typically slower
backup media. The on-media catalog is critical if the drive containing the local catalog
has failed or if you transfer the files to another system. In those cases, Windows can recreate
the local catalog from the on-media catalog.
The Restore And Manage Media page of the Backup Utility allows you to manage catalogs,
as follows:
■ Delete Catalog Right-click a backup set and choose Delete Catalog if you have
lost or damaged the backup media or if you are transferring files to another system
and no longer require its local catalog. The on-media catalog is not affected by this
command.
■ Catalog A tape from a foreign system that is not cataloged on the local machine
will appear in the import media pool. Right-click the media and choose the Catalog
command. Windows will generate a local catalog from the tape or file. This
does not create or modify the on-media catalog.
VSS allows the backup of locked and open files. If this option is selected, some files that are open or in use might be skipped.
The Shadow Copies feature for shared folders is not enabled by default. To enable the
feature, open the Properties dialog box of a drive volume from Windows Explorer or
the Disk Management snap-in.
The Previous Versions page will not be available if Shadow Copies is not enabled on
the server, or if there are no previous versions stored on the server. It will also be
unavailable if the shadow copy client has not been installed on your system. This file
is located in the %Systemroot%\System32\Clients\Twclient\x86 folder of a Windows
Server 2003 system. The Windows Installer (.msi) file can be deployed using Group
Policy, Systems Management Server (SMS), or an e-mail message. Finally, the Previous
Versions page is available only when accessing a file’s properties through a shared folder.
If the file is stored on the local hard drive, you will not see the Previous Versions tab,
even if the file is shared and VSS is enabled.
Printers
A local printer is a logical printer that supports a printer attached directly to the server or a stand-alone, network-attached printer. When you direct the Add Printer Wizard to create a local printer by clicking Local Printer Attached To This Computer, the server can share the printer to other clients on the network. A network printer, on the other hand, is a logical printer that connects to a printer directly attached to another computer or to a printer managed by another
print server. The user interface can be misleading, so remember that, in the common print server implementation, the print server will host local printers (whether the printer hardware is attached to the computer or is network-attached), and workstations will create network printers connecting to the server’s shared logical printer.
On the Sharing tab of the Properties dialog box, click Additional Drivers to configure
the print server to host drivers for computers running versions of Windows prior to
Windows 2000. When you select an earlier version of Windows, the server will prompt
you for the drivers for the appropriate platform and printer. Those drivers will be available
from the printer’s manufacturer or sometimes on the original CD-ROM of the earlier
version of Windows.
By default, the Print permission is assigned to the Everyone group. Choosing this permission
allows all users to send documents to the printer. To restrict printer usage,
remove this permission and assign Allow Print permission to other groups or individual
users. Alternatively, you can deny Print permission to groups or users. As with file system
ACLs, denied permissions override allowed permissions. Also, like file system
ACLs, it is best practice to restrict access by assigning allow permissions to a more
restricted group of users rather than by granting permissions to a broader group and
then having to manage access by assigning additional deny permissions.
The Manage Documents permission provides the ability to cancel, pause, resume, or
restart a print job. The Creator Owner group is allowed Manage Documents permission.
Because a permission assigned to Creator Owner is inherited by the user who creates
an object, this permission enables a user to cancel, pause, resume, or restart a print
job that he or she has created. The Administrators, Print Operators, and Server Operators
groups are also allowed the Manage Documents permission, which means they
can cancel, pause, resume, or restart any document in the print queue. Those three
groups are also assigned the Allow Manage Printers permission, which enables them to
modify printer settings and configuration, including the ACL itself.
A printer pool is one logical printer that supports multiple physical printers, attached to
the server, attached to the network, or a combination thereof. When you create a printer
pool, users’ documents are sent to the first available printer—the logical printer representing
the pool automatically checks for an available port.Printer pooling is configured from the Ports tab of the printer’s Properties dialog box. To set up printer pooling, select the Enable Printer Pooling check box, and then select
or add the ports containing print devices that will be part of the pool.
The driver used by the printer pool must be compatible with all printers to which
the pool directs print jobs.
Printer location tracking is a feature, disabled by default, that significantly eases a user’s
search for a printer in a large enterprise by pre-populating the Location box of the Find
Printers dialog box, so that the result set will automatically be filtered to list printers in
geographic proximity to the user. To prepare for printer location tracking, you must have one or more sites or one or
more subnets. Site and subnet objects are created and maintained using the Active
Directory Sites And Services MMC or snap-in. You must also configure the Location tab
of the site or subnet Properties dialog box using a naming convention that creates a
hierarchy of locations, separated by slashes. For example, the location USA/NYC/
1802Americas/42/B might refer to a building at 1802 Avenue of the Americas in Manhattan,
on the 42nd floor in Area B. A location may span more than one subnet or more
than one site. You must then enable printer location tracking using the Pre-Populate Printer Search
Location Text policy.
Internet printing is available for installation when you install IIS. To install
Internet printing, perform the following steps:
1. Open Add/Remove Programs in Control Panel and click Add/Remove Windows Components.
2. Select Application Server and click Details.
3. Select Internet Information Services (IIS) and click Details.
4. Select Internet Printing.
Once IIS and Internet printing are installed, you can disable or enable the feature using
the IIS snap-in or console. Expand the server’s node and click Web Service Extensions.
In the details pane, select Internet Printing, and click Prohibit or Allow.
You can connect to http://printserver/printers to view all printers on the print server.
After locating the desired printer and clicking it, a Web page for that printer is displayed.
Redirecting Print Jobs
If a printer is malfunctioning, you can send documents in the queue for that printer to
another printer connected to a local port on the computer or attached to the network.
This is called redirecting print jobs. It allows users to continue sending jobs to the logical
printer and prevents users with documents in the queue from having to resubmit
the jobs.
To redirect a printer, open the printer’s Properties dialog box and click the Ports tab.
Select an existing port or add a port. The check box of the port of the malfunctioning
printer is immediately cleared unless printer pooling is enabled, in which case you
must manually clear the check box.
Because print jobs have already been prepared for the former printer, the printer on
the new port must be compatible with the driver used in the logical printer. All print
jobs are now redirected to the new port. You cannot redirect individual documents. In
addition, any documents currently printing cannot be redirected.
The System Monitor and Performance Logs And Alerts snap-ins, both of which are
included in the Performance MMC, allow you to observe real-time performance of printers,
log metrics for later analysis, or set alert levels and actions. After selecting Print Queue as the performance object, a list of all available performance counters is provided.
Using System Log
Using Event Viewer, you can examine the System log as a source of information
regarding spooler and printer activity. By default, the spooler registers events regarding
printer creation, deletion, and modification. You will also find events containing information
about printer traffic, hard disk space, spooler errors, and other maintenance issues.
To control or modify spooler event logging, open the Printers And Faxes folder and
choose Server Properties from the File menu. Click the Advanced tab to access the
properties as shown in Figure 8-9. From this page, you can control printer event log
entries and print job notifications. This is also the tab that enables you to move the
print spooler folder—an important task when configuring an active print server or
when an existing print spool folder’s disk volume becomes full.
Verify That the Print Server’s Services Are Running
Using the Services MMC, check that services required for the printer are working properly.
For example, confirm that the remote procedure call (RPC) service is running on
the print server. RPC is required for standard network connections to shared printers.
Confirm also that the print spooler service is running on the print server.
The Net Stop Spooler command and Net Start Spooler command can be executed from
the command prompt to restart the print spooler service. If you restart the spooler using command-
line or user interface methods, all documents in all printer queues on the server are
deleted.
WSUS
Updates are revisions to the code of a platform, server, or application.
Microsoft categorizes updates as security updates, nonsecurity-related patches
simply called “updates,” enhancements to functionality called “feature packs,”
fixes to highly specific issues called “hotfixes,” and collections of updates called
“cumulative updates,” “rollups,” or “service packs.” The lines between these categories
are sometimes blurry; however, two points are important to highlight. First,
security updates warrant your immediate and focused attention with the goal of
evaluating updates for deployment to appropriate systems as quickly as reasonably
possible. To facilitate your analysis, Microsoft rates security updates as “Critical,” “Important,” “Moderate,” and “Low.” Second, hotfixes, which are highly
specific and have not been regression tested, should be applied only to systems
that are encountering the issue addressed by the hotfix. Other categories of
updates fall between these two extremes.
Updates consist of two elements: the update file itself, which is downloaded and
installed by the client, and information about the update, such as its release date,
the technologies to which the update applies, and whether the update supersedes
a previous update. The information about the update is called metadata.
You can install WSUS and SQL Server on separate servers. The WSUS deployment
guide, which you can download from Microsoft’s WSUS Web site, contains step-by-step
instructions. However, more than one WSUS server cannot “share” a SQL server. You must
have one SQL server or WMSDE server for each WSUS server.
Mirror Update Settings This page of the Microsoft Windows Server Update
Services Setup Wizard allows you to create a replica WSUS
server, which replicates updates, approvals, group definitions, and configuration
settings from another WSUS server. It is possible to configure a replica only at this
point in the setup process: select the This Server Should Inherit Settings From The
Following Server check box and enter the Server Name and TCP Port. After installation
is complete, you cannot configure an existing stand-alone server as a replica,
nor can you configure a replica to act as a standalone server. This page of the
Setup Wizard is misleading for many administrators who attempt to create a downstream
server during setup. Downstream servers, which download update files
from an upstream server but maintain independent approvals, group definitions,
and many settings, are configured after setup.
You use the Update Source frame to configure the server as a true stand-alone server that synchronizes
from Microsoft Update or to synchronize from an upstream server. If you select
Synchronize From An Upstream Windows Server Update Services Server, you create
a hierarchical model. The upstream server manages approvals at a “global”
level. A downstream server will synchronize only those updates that have been
approved upstream. An administrator of the downstream server can then approve
one or more of those updates. Remember, this model differs from a replica model
in that a replica synchronizes all approvals and settings from its source. Approvals
and many settings on a downstream server are independently managed. A replica
must be created during installation of WSUS.
■ Service packs can be extracted using the -x switch.
■ Group Policy can deploy service packs by assigning Update.msi through the computer
configuration’s software settings policy.
I usually explain the differences to my students as that you
can assign (or better known as "force") a package on users or computers, but
you can only publish packages to users. THis is because with publishing, it
is not forced, rather that a user can pick and choose which app they want to
install from the "available software on the network" list in Add/Remove,
whereas a computer cannot "pick and choose."
There are two types of CALs: Windows Device CALs, which allow a device to connect
to a server regardless of the number of users who might use that device; and Windows
User CALs, which allow a user to connect to a server from a number of devices.
Windows Device CALs are advantageous for an organization with multiple users per
device, such as shift workers. Windows User CALs make most sense for an organization
with employees that access the network from multiple or unknown devices.
The License Logging service, which runs on each computer running Windows Server
2003, assigns and tracks licenses when server resources are accessed. To ensure compliance,
licensing information is replicated to a centralized licensing database on a
server in the site. This server is called the site license server. A site administrator, or an
administrator for the site license server, can then use the Microsoft Licensing tool in
Administrative Tools program group to view and manage licensing for the entire site.
This new license tracking and management capability incorporates licenses not just for
file and print services, but for IIS, for Terminal Services, and for BackOffice products
such as Exchange or SQL Server.
The site license server is typically the first domain controller created in a site. To find
out what server is the license server for a site, open Active Directory Sites And Services,
expand to select the Site node, and then right-click Licensing Site Settings and choose
Properties.
To assign the site license server role to another server or domain controller, click
Change and select the desired computer. To retain the licensing history for your enterprise,
you must, immediately after transferring the role, stop the License Logging service
on the new license server, then copy the following files from the old to the new
licensing server:
■ %Systemroot%\System32\Cpl.cfg contains the purchase history for your organization.
■ %Systemroot%\Lls\Llsuser.lls contains user information about the number of
connections.
■ %Systemroot%\Lls\Llsmap.lls contains license group information.
After all files have been copied, restart the License Logging service.
A license group is a collection of users who collectively share one or more CALs. When
a user connects to the server product, the License Logging service tracks the user by
name but assigns a CAL from the allocation assigned to the license group. The concept
is easiest to understand with examples:
■ 10 users share a single handheld device for taking inventory A license
group is created with the 10 users as members. The license group is assigned one
CAL, representing the single device they share.
■ 100 students occasionally use a computer lab with 10 computers A license
group is created with the 100 students as members, and is allocated 10 CALs.
To create a license group, click the Options menu and, from the Advanced menu,
choose New License Group. Enter the group name and allocate one license for each
client device used to access the server. The number of licenses allocated to a group
should correspond to the number of devices used by members of the group.
The Wait After System Startup policy is used to reschedule a scheduled installation
that was missed, typically when a machine was turned off at the scheduled date and
time.
Properly configured devices are listed by category. Detected
devices that are not configurable, either because of a lack of an
appropriate driver or an irresolvable resource conflict, are indicated
by a yellow icon with an exclamation point. Devices that
Windows Server 2003 cannot identify are indicated by a yellow
question mark icon in the Other Devices category.
You can use Device Manager to manage devices on only the local computer.
When you are viewing a remote computer using Device Manager, it operates in read-only
mode. To manage devices on a remote system, connect to the system using Remote Desktop
and then open Device Manager.
To produce a list of devices, drivers, and system configuration, you can use the Print
command on the Action menu, described above, or use the Driverquery command to
output a comma-separated values (CSV) file.
As with most installation tasks, administrators have the ability to install any device and
its associated drivers. Users, on the other hand, have very limited ability to install
devices on a computer. By default, users can install only PnP devices, with the following
considerations:
■ The device driver is already on the computer.
■ The device driver has a digital signature.
■ Driver installation does not require Windows to display a user interface.
If any of these conditions is not met, the user cannot install the device unless delegated
additional administrative authority.
If a PnP device requires no additional user interaction for installation, and a
signed driver is already on the computer, any user can connect and use the device. This
applies to any USB, parallel, or IEEE 1394 device, including printers. The Load And Unload
Device Drivers user right, configurable through Group Policy, does not apply to PnP drivers and
need not be enabled for a user to install a PnP device.
The Sigverif.exe utility creates a log file of all unsigned drivers.
If you choose to uninstall a PnP device, Windows Server 2003 removes the device from
the configuration even if the device is still connected to the computer. To reactivate the
device, you must scan for hardware changes using Device Manager. Select the root
node in the Device Manager tree—the computer—and then open the Action menu and
choose Scan For Hardware Changes. Alternatively, use the Add Hardware Wizard in
Control Panel to detect and reinstall the device. If you uninstall a non-PnP device, you
must reinstall the device to reenable it.
A disabled device appears with a red “x” in Device Manager.
Manual configuration of system resources is possible for some devices, but you
should do it only when there is a conflict with other resources on the computer.
Manual configuration should be kept to a minimum to allow Windows Server 2003
the greatest amount of flexibility in automatically allocating resources to all
devices.
One of the most useful settings for a network card is its mode: most
10/100 network interface cards (NICs) should be set to Full Duplex for optimized
performance.
Disk Storage
A logical volume is the basic unit of disk storage that you configure and manage. A
logical volume may include space on more than one physical disk. Logical volumes
(also called logical disks in the context of performance monitoring) are physically
distinct storage units, allowing the separation of different types of information such
as the operating system, applications, and user data. Logical volumes have traditionally
been represented by a single drive letter.
Primary partition Each primary partition maintains one logical volume on a
basic disk. If a basic disk is used to start the operating system, one and only one
primary partition on the disk must also be marked as active.
Extended partition A basic disk may also contain an extended partition. Unlike
primary partitions, extended partitions are not formatted or assigned drive letters.
Instead, extended partitions are further divided into logical drives. Logical drives
are logical volumes on a basic disk.
Because Microsoft Windows NT, Windows 2000, Windows XP, and Windows Server 2003 can access all
partitions on a disk, you need only an extended partition if you want more than four
logical drives on a single disk.
¦ Simple volume The equivalent to a basic disk partition is a dynamic disk simple
volume. Simple volumes use space on a single physical disk and correspond to a
single logical volume. Simple volumes can be extended by appending unallocated
space on other regions of the same disk, allowing you to adjust a volume’s capacity
with the growth of data stored in that volume. Because simple volumes exist on
only one physical disk, they are not fault-tolerant.
¦ Spanned volume A spanned volume includes space on more than one physical
disk. Up to 32 physical disks can participate in a spanned volume, and the amount
of space used on each disk can be different. Data is written to the volume beginning
with the space on the first disk in the volume. When the space on the first
disk fills, the second disk is written to, and so on. Spanned volumes provide an
option for increasing drive capacity. If a simple or spanned volume is filling up,
you can extend the volume onto additional new storage capacity.
But spanned volumes are not fault-tolerant and cannot participate in any faulttolerant
configurations. Because their size tends to be greater, and because multiple
physical disks are involved, the risk for failure increases. If any one disk in
a spanned volume is corrupted or lost, data on the entire volume is lost as well.
For these reasons, Windows Server 2003 will not allow the installation of the
operating system on a spanned volume, nor can you extend or span the system
volume. Spanned volumes are recommended only as a stop-gap measure when
an existing volume fills to capacity or in situations where tolerance for failure is
high—for example, a large library of read-only data that can easily be restored
from tape backup in the event of failure.
¦ Striped volume A striped volume (RAID-0) combines areas of free space from
multiple hard disks into one logical volume. Unlike a spanned volume, however,
data is written to all physical disks in the volume at the same rate. Because multiple
spindles are in use, read and write performance is increased significantly as
additional physical disks are added to the stripe. But like extended simple volumes
and spanned volumes, if a disk in a striped volume fails, the data in the
entire volume is lost.
¦ Mirrored volume A mirrored volume (also known as RAID Level 1, or RAID-1)
consists of two identical copies of a simple volume, each on a separate hard disk.
Mirrored volumes provide fault tolerance in the event that one physical disk fails.
¦ RAID-5 volume A RAID-5 volume is a fault-tolerant striped volume. Space on
three or more physical disks is unified as a single volume. Data is written to all
physical disks at the same rate, but unlike a striped volume, the data is interlaced
with checksum information, called parity. Should a single disk in the volume fail,
the data on that disk can be regenerated through calculations involving the
remaining data and the checksum information. It is an interesting technical note
that parity is distributed among all volumes in the RAID-5 set.
There is a stand-alone Disk Management console, but it is not visible in your Administrative
Tools folder. Click Start, choose Run, and type diskmgmt.msc to open the standalone
console.
Configuring storage entails the following steps:
1. Physically installing the disk(s)
2. Initializing the disk
3. On a basic disk, creating partitions and (if an extended partition) logical drives or,
on a dynamic disk, creating volumes
4. Formatting the volumes
5. Assigning drive letters to the volumes, or mounting the volumes to empty folders
on existing NTFS volumes
You must be a member of the Administrators or Backup Operators group, or have been
otherwise delegated
A physical disk that has not been initialized will display
Unknown in the Type column and Not Initialized in the Status column in the Disk Management
snap-in. To initialize a disk manually using Disk Management, right-click the
disk’s status box and choose Initialize Disk.
Basic disk partitions can be extended only to immediately contiguous space on
the same physical disk. Dynamic disk volumes can be extended to any unallocated space on
any physical disk. You cannot extend partitions or volumes that contain the operating system
or boot files.
Some important notes about moving physical disks:
¦ If an imported disk contains volumes that span to other physical disks, you must
attach and import all physical disks before the volumes can be accessed.
¦ If you move drives from several computers to a single computer, move all drives
from one computer before beginning to move drives from the next computer.
¦ A basic volume that is moved to a new computer receives the next available drive
letter. Dynamic volumes retain the drive letter they had on the original computer.
If a dynamic volume did not have a drive letter on the previous computer, it does
not receive a drive letter when moved to another computer. If the drive letter is
already used on the computer where they are moved, the volume receives the
next available drive letter.
¦ Use the Mountvol /n or the Diskpart automount commands to prevent new volumes
from being automatically mounted and assigned a drive letter. If these commands
have been used, when you add a new disk, you must manually mount the
volumes and assign drive letters or paths.
Do not convert basic disks to dynamic disks if they contain multiple operating systems
(for example, the disk is set up to dual-boot with another operating system). After the disk is
converted to dynamic, you can start the operating system that you used to convert the disk,
but you will not be able to start the other operating systems on the disk.
Then you must delete all existing volumes on the dynamic disk before right-clicking
the disk’s status box in Disk Management and choosing Convert To Basic Disk.
Quotas are supported only on NTFS volumes.
If you want to deny users who have exceeded their limit of the ability to write additional files to the volume,
select Deny Disk Space To Users Exceeding Quota Limit. If this box is not selected, users can continue
to write to the volume.
Administrators have No Limit configured as their quota entry. That enables
administrators to install the operating system, services, applications, and data without
exceeding a quota.
Remember that Windows Server 2003 SP1 implements quotas on a per-volume,
per-user basis. You cannot configure quotas on a folder within a volume, nor can you configure
a single quota for a group; you must configure the quota for each member of the group.
With Windows Server 2003 implementations of RAID, there is no fault tolerance following
a failure until the fault is repaired. If a second fault occurs before the data lost from
the first fault is regenerated, you can recover the data only by restoring it from a backup.
Mirrored volumes:
After correcting the cause of the I/O error—perhaps a bad cable connection or power
supply—right-click the volume on the problematic disk and choose Reactivate Volume
or right-click the disk and choose Reactivate Disk. Reactivating brings the disk or volume
back online. The mirror will then resynchronize automatically.
If you want to stop mirroring, you have three choices, depending on what you want
the outcome to be:
¦ Delete the volume If you delete the volume, the volume and all the information
it contains is removed. The resulting unallocated space is then available for new
volumes.
¦ Remove the mirror If you remove the mirror, the mirror is broken, and the
space on one of the disks becomes unallocated. The other disk maintains a copy of
the data that had been mirrored, but that data is, of course, no longer fault-tolerant.
¦ Break the mirror If you break the mirror, the mirror is broken but both disks
maintain copies of the data. The portion of the mirror that you select when you
choose Break Mirror maintains the original mirrored volume’s drive letter, shared
folders, paging file, and reparse points. The secondary drive is given the next
available drive letter.
Knowing that information, how do you suppose you would replace a failed disk—a
member of the mirrored volume that simply died? Well, after physically replacing the
disk, you will need to open Disk Management to rescan, initialize the disk, and convert
it to dynamic. After all that work, you will find that you can’t remirror a mirrored volume,
even though half of it doesn’t exist. So far as the remaining disk is concerned, the
mirrored volume still exists—its partner in redundancy is just out to lunch. You must
remove the mirror to break the mirror. Right-click the mirror and choose Remove Mirror.
In the Remove Mirror dialog box, it is important to select the half of the volume
that is missing; the volume you select will be deleted when you click Remove Mirror.
The volume you did not select will become a simple volume. Once the operation is
complete, right-click the healthy, simple volume and choose Add Mirror. Select the
new disk and the mirror will be created again.
The formula for calculating the effective storage capacity of a RAID-5 volume is
the size of the stripe on one volume times the number of volumes minus one, or size x (volumes
– 1). For example, if unallocated space of 500 GB on each of four dynamic disks is
used to create a RAID-5 volume, parity will occupy 500 GB, so the effective storage capacity
of the volume is 1500 GB.
If the drive is returned to service, you might need to rescan, and then you will need to
right-click the volume and choose Reactivate Volume. The system will then rebuild
missing data, and the volume will be fully functional again.If the drive does not offer a Reactivate option, or if you have
had to replace the disk, you might need to rescan, initialize the disk, convert it to dynamic, and then right-click
the volume and choose Repair Volume. You will be asked to select the disk where the
missing volume member should be re-created. Select the new disk and the system will
regenerate the missing data.
As with a mirrored volume, the first step in troubleshooting a failed RAID-5 volume
should be to reactivate the volume. This operation is nondestructive and attempts to
bring the failed volume online as Healthy.
The only option for creating fault tolerance for the system, without buying hardware
RAID, is thus to mirror the system volume.
Event Viewer
■ System Contains information about events generated by Windows Server 2003
components such as services and device drivers. For example, a failure of a service
to start or a driver to load during system startup is recorded in the System log.
The types of events recorded in this log are preconfigured by the operating system
and cannot be changed. This is the primary Windows Server 2003 log; when you
are looking for information about system problems, you should always view this
log first.
■ Security Can contain information about security-related events such as failed
logons, attempts to access protected resources (such as printers, files, and folders),
and success or failure of audited events. In its default configuration, Windows
Server 2003 does not record information in the Security log. The events recorded
in this log are determined by audit policies, which you can enable using either
local computer policies or group policies. By default, only members of the Administrators
group can view this log.
Computers running Windows Server 2003 filling the role of a domain controller contain
two additional logs:
■ Directory Service Contains information about Active Directory directory service
such as irreconcilable object replications or other significant events in the
directory.
■ File Replication Service Contains information about the success or failure of
the replication activities that occur between Active Directory domain controllers.
Last, a computer running Windows Server 2003 filling the role of a Domain Name System
(DNS) server will contain one additional log:
■ DNS Server Contains information about the status and operations of the DNS
System service.
■ Overwrite Events As Needed (default) The log erases the oldest individual
entries as needed once the log file has reached the specified maximum size.
■ Overwrite Events Older Than X Days The log retains all entries for the number
of days (from 1 to 365) specified by this option and overwrites older entries as
needed. If the log reaches its specified maximum size and there are no entries
older than the number of days specified, the system stops writing new events to
the log.
■ Do Not Overwrite Events (Clear Log Manually) The system retains all log
entries until an administrator manually erases them. Once the log reaches its specified
maximum size, the system stops writing new events to the log.
With System Monitor, you can collect and view data by configuring counters that report
hardware, application, and service activity for any computer on your network. Three
configurations must be made for the data you wish to collect.
■ Type of data You can specify one or more counter instances of performance
monitor objects for which you want data to be reported.
■ Source of data Either local or remote computer data can be collected by a
counter. You must be a local administrator or a member of the Performance Log
Users group on the computer from which you wish to collect data.
■ Sampling intervals Data can be recorded manually in real time or set to a periodic
interval that you specify.
object - device being tested example - hdd
counter - what on the device is being tested - bytes written per second
instance - hdd 1 of 3
Remember that “_Total” represents the combined data from multiple instances
of a counter when multiple instances are available.
With the Performance Logs And Alerts snap-in, you collect data from the same performance
objects and counters as the System Monitor from local or remote computers and
save that data to a log.
Recovering From System Failure
Microsoft Windows 2000 and Windows Server 2003 introduced the concept of System
State to the backup process. System State data contains critical elements of a system’s
configuration including
■ The system’s registry
■ The COM+ Class Registration Database
■ The boot files, which include boot.ini, ntdetect.com, ntldr, bootsect.dos, and
ntbootdd.sys
■ System files that are protected by the Windows File Protection service
In addition, the following are included in the System State when the corresponding services
have been installed on the system:
■ Certificate Services database on a certificate server
■ Active Directory directory service and the Sysvol folder on a domain controller
■ Cluster service information on a cluster server
■ Internet Information Services (IIS) metabase on a server with IIS installed
To back up the System State in the Backup Utility, include the System State node as
part of the backup selection.
To restore the System State on a domain controller, you must restart the computer,
press F8 to select startup options, and select Directory Services Restore Mode.In Directory Services
Restore Mode, the domain controller boots but does not start Active Directory services.
You can log on to the computer only as the local Administrator, using the Directory
Services Restore Mode password that was specified when Dcpromo was used to promote
the server to a domain controller.
When restoring the System State on a domain controller, you must choose whether to
perform a nonauthoritative (normal) or authoritative restore of the Active Directory and
Sysvol folder. After restoring the System State using the Backup Utility, you complete a
nonauthoritative restore by restarting the domain controller into normal operational
status. Because older data was restored, the domain controller must update its replica
of Active Directory and Sysvol, which it does automatically through standard replication
mechanisms from its replication partners.
There might be occasions, however, when you do not want the restored domain controller
to become consistent with other functioning domain controllers and instead
want all domain controllers to have the same state as the restored replica. If, for example,
objects have been deleted from Active Directory, you can restore one domain controller
with a backup set that was created prior to the deletion of the objects. You must
then perform an authoritative restore, which marks selected objects as authoritative
and causes those objects to be replicated from the restored domain controllers to its
replication partners.
What is most important to remember for the 70-290 exam is that the System
State can be restored only on a domain controller by restarting the domain controller in Directory
Services Restore Mode, and that Ntdsutil is used to recover deleted objects in Active
Directory by marking those objects as authoritative, following a normal, or nonauthoritative,
restore of the System State with the Backup Utility.
Automated System Recovery relies on a catalog of system files stored on the ASR
floppy disk to restore files from the Windows Server 2003 CD-ROM and a comprehensive
ASR backup. You prepare the ASR backup set and floppy using the ASR
Wizard in the Backup Utility. To perform an Automated System Recovery, restart
with the Windows Server 2003 CD and press F2 when prompted.
When you perform an Automated System Recovery, you will need
■ The Windows Server 2003 setup CD-ROM
■ The ASR backup set
■ The ASR floppy disk created at the same time as the ASR backup set
The Recovery Console is a text-mode command interpreter that allows you access to
the hard disk of a computer running Windows Server 2003 for basic troubleshooting
and system maintenance. It is particularly useful when the operating system cannot be
started because the Recovery Console can be used to run diagnostics, disable drivers
and services, replace files, and perform other targeted recovery procedures.
